# u-os.dev Infrastructure Status

Living runtime snapshot for Astronomicon `u_os_dev`. Route and tool authority is [worker/README.md](worker/README.md).

If route and tooling docs disagree, [worker/README.md](worker/README.md) and [worker/src/index.js](worker/src/index.js) win. Potential lanes that are not live yet belong on [../BOUNTY_BOARD.md](../BOUNTY_BOARD.md), [home_beacon/README.md](home_beacon/README.md), or the worker "not live" section, not in this runtime snapshot.

## Stack

| Layer | Component | Status |
|---|---|---|
| Edge runtime | Worker `u-os-dev` | LIVE |
| Primary domain | `https://u-os.dev` | LIVE |
| Workers domain | `https://u-os-dev.jixiangleng1.workers.dev` | Disabled for exposure control (`workers_dev = false`) |
| Edge DB | D1 `u_os_log` | LIVE |
| Keyed tool mode | Header or path-key Panini routes | LIVE |
| Local mirror | `sync_worker_to_local.py` -> `local_mirror/` | LIVE (bench/inbox/shared/bounty sync) |

## Current runtime surfaces

| Route family | Access | Purpose |
|---|---|---|
| `GET /`, `/bridge`, `/cockpit`, `/mirror` | Public | Plain-text information surfaces; `?format=json` or `Accept: application/json` returns JSON |
| `GET /.well-known/astronomicon.json` | Public | Stable JSON link map and epoch hint |
| `GET /help`, `GET /tool/guide` | Public | Human-readable route summary and JSON-friendly guide |
| `GET /mail/schema` | Public | Machine-readable mailbox schema |
| `GET/POST /name` | Public | Public naming / observer identity handshake |
| `GET /panini`, `GET /tool/<TOOL>/<PAYLOAD?>` | `X-UOS-Key` | Header-key manifest and tool execution |
| `GET /{KEY}`, `GET /{KEY}/{TOOL}/{PAYLOAD?}` | Path key (`ALLOW_PATH_KEY_IO=true`) | Path-key manifest and tool execution |
| `GET /control` | `WRITE_TOKEN` | Human control surface |
| `GET /log`, `POST /log` | Bearer `WRITE_TOKEN` | Edge log read/append |
| `GET /md`, `POST /md` | Bearer `WRITE_TOKEN` | Canonical markdown read/write |
| `POST /mail/inbox` | Bearer `MAILBOX_WRITE_TOKEN` | Mail send lane |
| `GET /mail/outbox`, `POST /mail/ack` | Bearer `MAILBOX_READ_TOKEN` | Mail read/ack lane |
| `GET /constellation/git/*`, `POST /constellation/git/*` | `CONSTELLATION_GIT_KEY` | Separate GitHub collaboration surface |

## Live keyed tool families

- `identity`: `sys.ping`, `whoami`, `help`
- `lab`: `lab.list`, `lab.read`
- `bench`: `bench.read`, `bench.replace`, `bench.append`
- `data`: `data.read`, `data.write`, `data.list`
- `documents`: `doc.read`, `doc.write`, `doc.tail`, `bounty.read`, `bounty.write`
- `mailbox`: `mail.send`, `mail.read`, `mail.ack`
- `worldline`: `event.log`

Not live on the current worker: keyed `script.*`, `event.read`, `event.head`, `event.collapse`, `mail.next`, `mail.claim`, `mail.release`, `mail.done`, `mail.fail`, `vm.*`, `daemon.speak`, `pulse/*`.

## Auth posture

- Path-key mode requires `ALLOW_PATH_KEY_IO=true`.
- Header-key mode (`X-UOS-Key`) is preferred over URL keys for clients that can set headers.
- Capability gating comes from `resolvePathKeyAccess(...)` in [worker/src/index.js](worker/src/index.js); unsupported tool names return `400` or `403` depending on key and route shape.
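The gating posture above, as an added illustration that is not the worker's own `resolvePathKeyAccess(...)`: it assumes a single valid key in `env.UOS_KEY`, the flag `ALLOW_PATH_KEY_IO` as the string `"true"`, and the live tool list from this snapshot, and it shows the header key taking precedence, the path key being ignored entirely while the flag is off, and the 400-versus-403 split between an unsupported tool and a bad key.

```javascript
// Added example: an illustrative key resolver, not the worker's own
// resolvePathKeyAccess(...). Assumed: env.UOS_KEY is the single valid key and
// env.ALLOW_PATH_KEY_IO is the string "true" when path-key mode is enabled.
const LIVE_TOOLS = new Set([
  "sys.ping", "whoami", "help", "lab.list", "lab.read",
  "bench.read", "bench.replace", "bench.append",
  "data.read", "data.write", "data.list",
  "doc.read", "doc.write", "doc.tail", "bounty.read", "bounty.write",
  "mail.send", "mail.read", "mail.ack", "event.log",
]);

// Constant-time comparison: the rejection takes the same time whether the
// first or the last character of a wrong key differs.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Resolves a request to { status, tool }: 200 on success (tool "manifest"
// for /panini or /{KEY}), 400 for an unsupported tool, 403 for a bad key.
function resolveAccess(request, env) {
  const parts = new URL(request.url).pathname.split("/").filter(Boolean);
  const headerKey = request.headers.get("X-UOS-Key");
  let tool;
  if (headerKey !== null) {
    // Header-key lane: /panini (manifest) or /tool/<TOOL>/<PAYLOAD?>.
    if (!safeEqual(headerKey, env.UOS_KEY)) return { status: 403 };
    if (parts[0] === "panini") return { status: 200, tool: "manifest" };
    if (parts[0] !== "tool") return { status: 400 };
    tool = parts[1];
  } else {
    // Path-key lane: /{KEY} (manifest) or /{KEY}/<TOOL>/<PAYLOAD?>. While the
    // flag is off the URL segment is never compared against the secret.
    if (env.ALLOW_PATH_KEY_IO !== "true") return { status: 403 };
    if (!safeEqual(parts[0], env.UOS_KEY)) return { status: 403 };
    if (parts.length === 1) return { status: 200, tool: "manifest" };
    tool = parts[1];
  }
  return LIVE_TOOLS.has(tool) ? { status: 200, tool } : { status: 400 };
}
```

Because the path key only ever appears in the URL, it lands in access logs and referrers; that is why the header lane is preferred even where both are accepted.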

## Cloud resource IDs

| Type | Name | ID |
|---|---|---|
| Worker | `u-os-dev` | n/a |
| D1 | `u_os_log` | `be870c92-c251-43dd-ba4b-a85497926d70` |
| Named tunnel | `u-os-dev-tunnel` | `629f9b92-2fbf-42a3-8ae9-2dbe33403fed` |
| Cloudflare account | `jixiangleng1@gmail.com` | `23f42475efefa59e7e2e1b1cca786999` |

## Canonical authorities

| Concern | Canonical path |
|---|---|
| Warp story (Astronomicon vs Constellation, deploy, Orem, Jules) | [Vault root README § Warp: lab edge](../../README.md#warp-lab-edge-unified-story) |
| Project-level warp / deploy overview | [../README.md § Warp](../README.md#warp-deployment-and-ai-readable-surfaces) |
| Runtime routes, tools, auth | [worker/README.md](worker/README.md) |
| Worker implementation | [worker/src/index.js](worker/src/index.js) |
| Potential / future lanes | [../BOUNTY_BOARD.md](../BOUNTY_BOARD.md) · [home_beacon/README.md](home_beacon/README.md) · [worker/README.md](worker/README.md#not-live-on-the-current-worker) |
| Local mirror sync helper | [sync_worker_to_local.py](sync_worker_to_local.py) |

## Next hardening steps

1. Rotate any long-lived path keys to high-entropy secrets.
2. Prefer header-key invocation over URL-key invocation whenever the client supports headers.
3. Keep `out/public_lab/` and D1 mirror pushes fresh so `lab.read` stays trustworthy.
4. Add automated checks when new worker tools are introduced so MCP/docs cannot drift ahead again.
