---
vault_clearance: EUCLID
halo:
  classification: EUCLID
  confidence: HIGH
  front: "16_Project_Constellation"
  custodian: "Architect"
  created: 2026-03-27
  updated: 2026-03-28
  wing: CONDITIONAL
  containment: "FORM — full-stack cultivator bar, WING pipeline, project×tools matrix; homonym Worker lane in README"
---
# FORM — Federated Operations Recruiting Map

**BOOK:** [BOOK.md](BOOK.md) — sparse; add vendor/regional citations when survey rows need DOIs.

> **F**ederated **O**perations **R**ecruiting **M**ap.
> This document is the **max-orthodox deployment cultivator** we must **match on paper** and **beat on fit**: a named enterprise reference stack vs **our** constellation of platforms, explicit **WING → provable outcome** binding for CI-backed work, and a **01–16 cultivator-cohort project × tools** matrix (the federated recruiting map’s **matrix scope**). The **full numbered research ring** is **`01`–`33`** on disk plus `99_Archive`; see vault [`_VAULT_STATE.md`](../_VAULT_STATE.md). For the living map of points and thrones, see [README.md](README.md).

**FORM protocol template:** [FORM_PROTOCOL.md](../FORM_PROTOCOL.md) §2 (sections A–H below). **Figures:** [§3 Figures](#3--figures-form_protocol-3) (architecture diagram + matrix). **Cited orthodox apex toolbar (10/15/17/08/16):** [FORM_ORTHODOX_APEX_TOOLING.md](FORM_ORTHODOX_APEX_TOOLING.md).

---

## Max-orthodox reference stack (“NP-complete cultivator”)

In [FORM_PROTOCOL.md](../FORM_PROTOCOL.md) §5, **“NP-complete orthodox cultivator”** means the **strongest conventional full suite** you can assemble from vendor defaults and best-practice playbooks—not Cook–Levin completeness. Here is the **explicit composite bar**: no single lab is assumed to run it end-to-end, but **enterprise greenfield** teams approach it:

| Layer | Orthodox default | What it optimizes |
|-------|-------------------|-------------------|
| **Identity** | Org-wide IdP (Okta, Entra ID, IAM Identity Center); SSO into GitHub Enterprise, cloud consoles, SaaS | One throat to choke; audit trail; offboarding |
| **CI/CD** | Protected branches, required status checks, merge queue (optional), signed artifacts, immutable tags | **Provable** integration state before merge |
| **Secrets** | Central secret manager (HashiCorp Vault, AWS Secrets Manager, GCP SM); rotation; no long-lived PATs in repos | Blast-radius reduction |
| **Observability** | Unified logs / metrics / traces; paging; SLOs | Incident response |
| **IaC & policy** | Terraform / Pulumi / CloudFormation; policy-as-code (OPA, SCPs); drift detection | Repeatability + guardrails |
| **Data & region** | KMS, residency rules, cloud audit logs | Compliance narrative |

**TheLab contrast (one paragraph):** Sovereign ground truth stays in **git + vault triad** ([README.md](../README.md)); [u-os.dev](https://u-os.dev) is **broadcast / weather**, not silent replacement of canon ([README.md](../README.md) Gellar field). [THRONES.md](../THRONES.md) and scoped keys compartmentalize **exterior** agents. Worker **Constellation Git** is a **narrow** GitHub API lane ([worker README](../08_Project_Astronomicon/u_os_dev/worker/README.md)), not a full hyperscaler control plane.

---

## A — The two paradigms (full axis table)

| Axis | Orthodox (max cultivator) | Constellation (ours) |
|------|---------------------------|----------------------|
| **Philosophy** | One cloud or one vendor suite; identity and CI unified | **Named points** — each platform admitted for a capability; map in [README.md](README.md) |
| **Free parameters** | Regions, IAM roles, integration tiles, forgotten service accounts | Throne seats, `BENCH_KEYS_JSON` slots, export allowlists, **homonym discipline** (project 16 vs Worker Git “Constellation”) |
| **Tools** | IdP + GHE + cloud native CI + SM + SIEM + IaC | Vault + GitHub + Zenodo + GCP VM + [u-os.dev](../08_Project_Astronomicon/u_os_dev/) Worker + MCP bridge |
| **Output** | Audit-ready enterprise narrative; tickets closed | **Cartography** — README + STATUS + boards; WING tied to **observable** CI where applicable |
| **Runtime** | 24/7 on-call, paging | Lab cadence; Samarkand **on demand**; Jules/watcher **scoped** |
| **Provenance** | Vendor audit logs | Commits, [WORLDLINE.md](../WORLDLINE.md), `.event_log.jsonl`, worldline ([03 Technomancer](../03_Project_Technomancer/README.md)) |

---

## B — Head-to-head (eight axes)

| Axis | Orthodox | Constellation |
|------|----------|---------------|
| **Identity blast radius** | Single IdP compromise may cascade | Compartmentalized keys; throne / bench namespaces |
| **CI truth** | Required checks + merge gates are default | Same **proof ladder** — but must be **explicit** in lab culture ([README.md](README.md) WING contract) |
| **Secret cardinality** | Central vault; rotation policies | Fewer cloud accounts; **more** bespoke keys — **discipline** via grep + boards |
| **Onboarding time** | Fast with IT + templates | Slower: must read vault README + 08 docs |
| **Cross-project tool discoverability** | Service catalog / IT | [README.md](../README.md) §6 + this matrix + `sys.help` on keys |
| **Data classification enforcement** | DLP, labels, IAM boundaries | [HALO_PROTOCOL.md](../HALO_PROTOCOL.md) Layer 2 + `vault_clearance` on edge mirror |
| **Cost predictability** | Reserved instances, budgets | Named VM; monitor Samarkand; [RESOURCE_MAP.md](../08_Project_Astronomicon/u_os_dev/RESOURCE_MAP.md) |
| **Exterior agent ergonomics** | Enterprise MCP / API gateways | Panini + [astronomicon_mcp](../08_Project_Astronomicon/u_os_dev/astronomicon_mcp/README.md); ChatGPT URL limits are **client-side**, not Worker |

---

## C — The murder board (where orthodox fails — extended)

1. **Imaginary automation** — “Jules / cron will fix it” without a **terminal** Actions URL or `conclusion` ([README.md](README.md) anti-patterns).
2. **Credential cancer** — every new SaaS star adds a secret without a row in the map.
3. **Homonym collisions** — Worker **Constellation** Git lane vs **this project** — confused routing ([README.md](../README.md) homonym alert).
4. **Lighthouse glare** — public GitHub without HALO / WING discipline.
5. **Vendor console as system of record** — truth lives in a dashboard that git does not mirror.
6. **Opaque IAM** — nobody can answer “who can exfiltrate bucket X?” without reading 200 JSON files.
7. **Dispatch theater** — `workflows.dispatch` returns 200; work never verified ([README.md](README.md) execution contract).

**Countermoves:** Tables; required checks; poll `checks` / `actions`; SAFE-only on Microsoft surfaces; Gate Cities for merge canon ([README.md](../README.md)).

---

## D — What we take from orthodox (honestly)

| From orthodox | Why | Into Constellation how |
|---------------|-----|------------------------|
| **OAuth / least scope** | Fewer passwords | Per-throne keys; Constellation Git key separate from Panini ([worker README](../08_Project_Astronomicon/u_os_dev/worker/README.md)) |
| **Branch protection + required checks** | Provable CI | [README.md](README.md) closed loop; `GET /constellation/git/checks` |
| **IaC** | Repeatability | Pin in `u_os_dev` when adopted; [DEPLOYMENT.md](../08_Project_Astronomicon/DEPLOYMENT.md) story |
| **Cost dashboards** | Survival | Samarkand on/off discipline |
| **Artifact signing** | Integrity | ShadowSuite / Words policy where applicable ([15](../15_Project_ShadowsOfSight/README.md), [11](../11_Project_WordsOfTomorrow/README.md)) |

---

## E — The proof — concrete comparisons to run

1. **Checks before WING:** For any GitHub-bound “ready” claim, `GET .../constellation/git/checks?repo=owner/repo&ref=<sha>` must show the required checks satisfied (or the exception must be documented).
2. **Actions to terminal state:** After `workflows.dispatch`, poll `GET .../constellation/git/actions?repo=...` until run `conclusion` ∈ {`success`,`failure`,`cancelled`} — not dispatch HTTP 200 alone ([README.md](README.md)).
3. **Point audit:** Each Core / Lighthouse row in [README.md](README.md) has owner + link or STATUS.
4. **Secret grep:** No raw tokens in Constellation or 08 docs (policy).
5. **Public lab freshness:** `export_script.py` + `push_public_lab_to_edge.py` — `lab.list` matches expected paths ([THRONE_ONBOARDING.md](../08_Project_Astronomicon/u_os_dev/THRONE_ONBOARDING.md)).
6. **MCP tier-B chain:** Local MCP env with `ASTRONOMICON_KEY` → `panini_manifest` → one read tool (`lab.read` or `bench.read`) — credentials only in MCP `env` ([astronomicon_mcp README](../08_Project_Astronomicon/u_os_dev/astronomicon_mcp/README.md)).
7. **Zenodo:** Dry-run DOI path — no RESTRICTED bundle posted by mistake.
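Proof 4 (secret grep) as a runnable check, added here and not a vault tool. The token patterns are assumptions: the `ghp_` classic GitHub PAT prefix, and any `*_KEY` / `*_TOKEN` / `*_SECRET` assignment whose value is a long literal rather than a placeholder or a `${...}` reference. The sample document lines are constructed.

```python
"""Secret grep for FORM §E.4: no raw tokens in Constellation or 08 docs.

Added example, not a vault tool. Patterns are assumptions, see lead-in.
"""
import re
from typing import Iterable, List, Tuple

# Ordered: a PAT hit is reported under its own label before the generic assignment rule.
TOKEN_PATTERNS = [
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{20,}\b")),
    ("key-assignment",
     re.compile(r"\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})")),
]
# Literal values that are documentation placeholders, not leaked material (assumed list).
PLACEHOLDER = re.compile(r"(REDACTED|REPLACE|YOUR_|EXAMPLE|PLACEHOLDER|XXXX)", re.IGNORECASE)

# Constructed sample of what a mirrored doc might contain.
SAMPLE_DOC = """\
Set ASTRONOMICON_KEY in the MCP env block, never in docs.
ASTRONOMICON_KEY=REPLACE_WITH_YOUR_KEY
export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
BENCH_KEYS_JSON='{"slot-a": "${BENCH_KEY_A}"}'
"""


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, label, redacted_prefix) for each line holding a literal secret.

    ${VAR} references and placeholder literals are not reported; the full value is
    never echoed, only its first 8 characters.
    """
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for label, pat in TOKEN_PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.search(value):
                continue
            hits.append((n, label, value[:8] + "..."))
            break  # one finding per line is enough to fail the policy
    return hits


if __name__ == "__main__":
    for line_no, label, prefix in scan_lines(SAMPLE_DOC.splitlines()):
        print(f"line {line_no}: {label} ({prefix})")
```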

---

## F — Global cultivator survey (three “regions”)

| Region / archetype | Exemplar stack | Optimizes for | TheLab stance |
|--------------------|----------------|---------------|---------------|
| **Hyperscaler default** | AWS Org + Control Tower + IAM Identity Center + CodePipeline + CloudTrail | Single-cloud governance | **WATCH** — we use GCP piecemeal (Samarkand), not full landing zone |
| **GitHub-native software shop** | GHE + Actions + branch protection + OIDC to cloud roles | Shipping velocity with CI truth | **ADOPT** — execution contract + Constellation Git API ([worker README](../08_Project_Astronomicon/u_os_dev/worker/README.md)) |
| **Academic bioinformatics HPC** | Slurm + module farm + shared NFS + publication DOIs | Long jobs + papers | **EVALUATE** — Symphony uses **methods/** + GCP VM; Zenodo for outputs; no campus cluster |

---

## G — Adoption priority (from [README.md](README.md) current gaps)

| Priority | Gap | Candidate | Action |
|--------|-----|-----------|--------|
| 🔴 NOW | Long-running compute without SSH babysitting | Jules + GitHub Actions | Wire health + **terminal** run URL into mailbox / bounty close |
| 🔴 NOW | Offsite encrypted backup of KETER data | GCS client-side encryption | Design + Words alignment |
| 🟡 NEXT | Protein structure (UHRF1 / DNMT1) | Web Claude + AlphaFold API | Scoped investigation |
| 🟡 NEXT | Literature monitoring | Perplexity scheduled search | Evaluate cost / HALO |
| 🟢 LATER | Ancient DNA comparative | Ensembl + UCSC APIs | Map to BloodyEchoes |
| 🟢 LATER | Wet lab LIMS | BenchSci / custom | Low priority |

---

## H — Final assessment

Enterprise **max cultivator** wins **first-hour onboarding**, **central audit dashboards**, and **default CI gates** for teams who already live in one vendor. TheLab wins **cartographic honesty** (every external point named), **compartmentalized trust** (vault + scoped keys), and **WING bound to observable outcomes** where GitHub is the lighthouse — at the cost of **higher cognitive load** (README discipline, homonym vigilance). This FORM is **CONDITIONAL**: it is complete when every **§E** proof has been run at least once in a documented session.

---

## WING deployment pipeline (full stack, GitHub-first)

**WING** = readiness to share ([WING_PROTOCOL.md](../WING_PROTOCOL.md)). **Constellation** (this project’s map) is **where** sharing lands for many artifacts — **GitHub** first. The failure mode is mistaking **intent** or **trigger** for **proof**.

### Figure 1 — WING proof ladder (mermaid)

```mermaid
flowchart LR
  intent[Intent]
  trigger[Trigger]
  proof[ProvableOutcome]
  wingGate[WINGReadiness]
  intent --> trigger
  trigger --> proof
  proof --> wingGate
```

| Stage | Human / agent action | **Not** proof |
|-------|----------------------|---------------|
| **Intent** | Issue, comment, label | Ticket exists |
| **Trigger** | Push, PR, `workflows.dispatch` | Run **queued** only |
| **Proof** | Required checks green **or** workflow `conclusion` terminal | — |
| **WING** | Maintainer accepts share / Zenodo / paper — **after** proof where CI applies | “Dispatch returned 200” |

**Closed loop (minimum):** Branch protection on `main`; after dispatch, poll **`GET /constellation/git/actions?repo=owner/repo`** or **`GET /constellation/git/checks?repo=owner/repo&ref=...`** per [worker README § Constellation](../08_Project_Astronomicon/u_os_dev/worker/README.md). Worker implementation: [`constellation-git.js`](../08_Project_Astronomicon/u_os_dev/worker/src/constellation-git.js). Full prose: [README.md](README.md) § “WING → Constellation — execution contract”.

**Worker routes (reference):** `GET /constellation/git/checks`, `GET /constellation/git/actions`, `POST /constellation/git/workflows.dispatch` — base URL `https://u-os.dev` (see worker README for auth headers).
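The closed loop above, and proofs 1–2 of §E, as an added example rather than Worker code. It assumes the Constellation Git lane returns GitHub-REST-shaped JSON (`workflow_runs` with `id`/`status`/`conclusion`; `check_runs` with `name`/`conclusion`); the FORM does not state the response shape. The HTTP fetch is injected so the loop can run offline against a constructed run sequence.

```python
"""Proof ladder for a GitHub-bound WING claim: poll to a terminal conclusion.

Added example, not Worker code. Response shapes are assumed (see lead-in).
"""
import time
from typing import Callable, Dict, List, Optional

BASE_URL = "https://u-os.dev"  # from the FORM; auth headers per worker README
TERMINAL = {"success", "failure", "cancelled"}  # only these count as proof
FetchJson = Callable[[str], Dict]


class NotYetProven(RuntimeError):
    """Polling ended without a terminal conclusion: WING must not be claimed."""


def proof_from_actions(payload: Dict, run_id: int) -> Optional[str]:
    """Terminal conclusion of run_id, or None while it is absent, queued or running."""
    for run in payload.get("workflow_runs", []):
        if run.get("id") == run_id:
            conclusion = run.get("conclusion")
            return conclusion if conclusion in TERMINAL else None
    return None  # run not listed yet: the dispatch HTTP 200 proved nothing


def required_checks_satisfied(payload: Dict, required: List[str]) -> bool:
    """True only when every required check is present and concluded 'success'."""
    seen = {c.get("name"): c.get("conclusion") for c in payload.get("check_runs", [])}
    return all(seen.get(name) == "success" for name in required)


def wait_for_terminal(fetch_json: FetchJson, repo: str, run_id: int,
                      max_polls: int = 60, interval_s: float = 10.0) -> str:
    """Poll GET /constellation/git/actions until the run reaches a terminal state."""
    url = f"{BASE_URL}/constellation/git/actions?repo={repo}"
    for _ in range(max_polls):
        conclusion = proof_from_actions(fetch_json(url), run_id)
        if conclusion is not None:
            return conclusion
        time.sleep(interval_s)
    raise NotYetProven(f"{repo} run {run_id}: no terminal conclusion after {max_polls} polls")


def fake_fetcher(script: List[Dict]) -> FetchJson:
    """Constructed stand-in for HTTP: scripted payloads in order, then the last repeats."""
    it = iter(script)
    return lambda _url: next(it, script[-1])


if __name__ == "__main__":
    # Constructed sequence: dispatched but not listed -> in progress -> completed.
    script = [{"workflow_runs": []},
              {"workflow_runs": [{"id": 7, "status": "in_progress", "conclusion": None}]},
              {"workflow_runs": [{"id": 7, "status": "completed", "conclusion": "success"}]}]
    print(wait_for_terminal(fake_fetcher(script), "owner/repo", 7, interval_s=0))
```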

---

## 1 — Figure: Lab architecture (data flow)

**Figure 2 — Sovereign vault + warp + lighthouses (mermaid)**

```mermaid
flowchart TB
  subgraph vault [Vault_git]
    README[README_BOUNTY_SESSION]
    Techno[Technomancer_event_log]
    Daemon[Daemon_songs]
    Symphony[10_methods_data]
  end
  subgraph edge [u_os_dev_Worker]
    Panini[Panini_tools]
    ConstGit[Constellation_Git_API]
    D1[D1_log_shared_files]
  end
  subgraph cloud [Cloud]
    GH[GitHub]
    GCP[GCP_Samarkand]
  end
  vault --> Techno
  Daemon --> vault
  edge --> D1
  Panini --> D1
  ConstGit --> GH
  Symphony --> GCP
  Techno -.->|mirror_export| edge
  GH -.->|clone_CI| vault
```

Exterior thrones (scoped keys) hit **edge** only — not the full vault filesystem ([THRONE_ONBOARDING.md](../08_Project_Astronomicon/u_os_dev/THRONE_ONBOARDING.md)).

---

## 2 — Project × WING × tools matrix (01–16)

| # | Sovereign workspace | WING surface (where readiness is judged) | Edge / Panini relevance | Constellation points |
|---|----------------------|-------------------------------------------|-------------------------|----------------------|
| 01 | `01_Project_World/` | Theory / code release via repo | `lab.read` if mirrored | GitHub |
| 02 | `02_Project_Triage/` | Screenplay / production | Optional mirror for protocol docs | GitHub; future production platforms |
| 03 | `03_Project_Technomancer/` | Recorder correctness; adapters | `event.*`, warp integration | GitHub; 08 |
| 04 | `04_Project_Constitution/` | Public drafts | Mirror SAFE docs | GitHub |
| 05 | `05_Project_LENG/` | Paper / Zenodo / supplements | Mirror public HALO docs | GitHub, Zenodo |
| 06 | `06_Project_Daemon/` | Graph tests; releases | Mirror registry-linked docs (e.g. Symphony `BOOK.md` §5) | GitHub |
| 07 | `07_Project_Command/` | Training corpus / V11 | Mirror SAFE excerpts | GitHub |
| 08 | `08_Project_Astronomicon/` | **Worker deploy**; STATUS | **Full** Panini; MCP; Constellation Git | u-os.dev, D1, Cloudflare |
| 09 | `09_Project_Gardener/` | Triple theory publication | Mirror | GitHub |
| 10 | `10_Project_DiscordIntoSymphony/` | Methods paper; GEM reproducibility | Indirect (data plane); not Worker owner | GitHub, Zenodo, CellxGene, GEO, **GCP** |
| 11 | `11_Project_WordsOfTomorrow/` | Policy / encryption workflow | Clearance docs in mirror | GitHub |
| 12 | `12_Project_BloodyEchoes/` | Genomic claims | Mirror | GEO, Ensembl, UCSC |
| 13 | `13_Project_MemoryOfMind/` | Theory notes | Mirror | GitHub |
| 14 | `14_Project_ListeningCathedral/` | Agent bodies; MCP experiments | **Mailbox**, `vm.*`, Panini for agents | 08, GitHub |
| 15 | `15_Project_ShadowsOfSight/` | Local integrity; seals | Mostly vault-local | GitHub for tooling |
| 16 | `16_Project_Constellation/` | This map + recruitment | Meta — docs only | All lighthouses |

**Spot checks:** **08** owns Worker code — pipeline **bytes** for genomics live under **10** ([08 FORM](../08_Project_Astronomicon/FORM.md)). **10** uses **Samarkand** for heavy compute; edge is not a batch cluster. **14** is the **body** layer for agent tool loops; **16** is the **map** — do not confuse with Worker route `/constellation/git`.

---

## 3 — Figures (FORM_PROTOCOL §3)

1. **Overview / architecture** — [Figure 2](#1--figure-lab-architecture-data-flow) (mermaid).
2. **Composition / matrix** — [Project matrix](#2--project--wing--tools-matrix-0116) (table); optional: Core vs Lighthouses vs Constellations vs Thrones from [README.md](README.md).

---

## Master documentation index (auth, keys, routing — no secrets here)

| Need | Read first |
|------|------------|
| Vault law + warp story + deploy pointer | [README.md](../README.md) § Lab infrastructure → Warp: lab edge |
| 08 runtime, Gate Cities, AI-readable surfaces | [08_Project_Astronomicon/README.md](../08_Project_Astronomicon/README.md) § Warp, deployment, and AI-readable surfaces |
| Worker routes, Panini, **Constellation Git**, headers | [08_Project_Astronomicon/u_os_dev/worker/README.md](../08_Project_Astronomicon/u_os_dev/worker/README.md) |
| Throne onboarding, `lab.read` vs `data.read`, clearance | [THRONE_ONBOARDING.md](../08_Project_Astronomicon/u_os_dev/THRONE_ONBOARDING.md), [HALO_PROTOCOL.md](../HALO_PROTOCOL.md) Layer 2 |
| Local MCP → Worker, tool tiers A–F | [astronomicon_mcp/README.md](../08_Project_Astronomicon/u_os_dev/astronomicon_mcp/README.md) |
| Cursor / Claude bootstrap | [CLAUDE.md](../CLAUDE.md) |
| Conflict rule | If docs disagree, **[README.md](../README.md) wins** ([CLAUDE.md](../CLAUDE.md)) |

Secrets live in Cloudflare Worker dashboard and local MCP `env` only — **never** in this vault as plaintext keys.

---

## Cross-reference

- **ListeningCathedral (14)** designs **bodies**; **Constellation (16)** maps **where souls work** — [README.md](README.md).
- **Project 17** (CerberusLantern) appears in [FORM_PROTOCOL.md](../FORM_PROTOCOL.md) §5 registry. The **full vault ring** lists **17** (and **`01`–`33`**) in [README.md](../README.md) §6; CerberusLantern is **not** in **this** FORM’s **01–16** matrix table and remains an optional future row for it.

---

*FORM — Federated Operations Recruiting Map. Many stars; one chart — and a proof ladder for WING.*
