MRWK bounty: live public smoke checks and useful reports, round 3

[ramimbo]

MRWK Bounty

Reward: 25 MRWK per accepted award
Max awards: 30

Work Needed

Run one useful public smoke check against MergeWork and report concise evidence. This fresh round should focus on the current production main after the 2026-05-26 cleanup and route extractions.

Useful accepted work can include:

• A confirmed no-blockers check for a public page, API endpoint, MCP tool, wallet flow step, or docs path.
• A reproducible public bug report with URL or command, expected behavior, observed behavior, and a concise note.
• A broken link, unclear copy, small accessibility issue, responsive issue, or public API/MCP mismatch found on the live site.

Acceptance Criteria

• Comment with the checked URL or command, what you expected, what happened, and one concise note.
• Use only public pages or unauthenticated API/MCP checks unless you are testing your own wallet/account flow.
• Include enough evidence for a maintainer to reproduce or verify the check.
• One award per distinct useful check. Duplicate, vague, non-reproducible-only, self-contradictory, or private-environment reports do not qualify.
• Do not post private keys, seed material, wallet JSON, browser storage, cookies, OAuth state, access tokens, signatures, private vulnerability details, deployment credentials, or price claims.

How To Submit

Comment on this issue with the required evidence. A maintainer must verify usefulness and record the payout before adding mrwk:paid.

[Thanhdn1984]

Smoke check: public API status + newest ledger reserve entry after round 3 opened.

Checked commands:

curl -i https://api.mrwk.ltclab.site/api/v1/status
curl -i 'https://api.mrwk.ltclab.site/api/v1/ledger?limit=3'

Expected:

• status endpoint returns 200 JSON with current service metadata and active bounty count.
• ledger endpoint returns 200 JSON newest entries, with the new MRWK bounty: live public smoke checks and useful reports, round 3 #405 reserve visible after the bounty opened.

Observed at 2026-05-26 14:26 UTC:

• /api/v1/status returned HTTP 200 JSON: name=MergeWork, ticker=MRWK, ledger_height=657, active_bounties=3, treasury_balance_mrwk=99964415.
• /api/v1/ledger?limit=3 returned HTTP 200 JSON. Newest entry was sequence=657, type=bounty_reserve, from=treasury:mrwk, to=reserve:bounty:65, amount_mrwk=750, reference=https://github.com/ramimbo/mergework/issues/405, entry_hash=459a6665c470bfc8be3e384623b55966e82e3d8b99fbe7d3ae91f139604d7750.

Concise note: no blockers found for these two unauthenticated public API reads; the live status height and newest ledger reserve are consistent with the freshly opened #405 bounty.

[ramimbo]

Reserved on MergeWork: https://mrwk.ltclab.site/bounties/65

[carpedkm]

Smoke check: public bounty detail API for the fresh review round #404 / internal bounty id 64.

Checked command at 2026-05-26 14:27 UTC:

curl -i https://api.mrwk.ltclab.site/api/v1/bounties/64

Expected:

• unauthenticated request returns HTTP 200 JSON for MergeWork bounty id 64;
• response identifies GitHub issue MRWK bounty: review open MergeWork PRs with evidence, round 11 #404, shows the review-round accounting fields, and exposes accepted award proof metadata without private data.

Observed:

• HTTP 200 with content-type: application/json.
• Security headers were present, including strict-transport-security, x-content-type-options: nosniff, and x-frame-options: DENY.
• JSON summary matched the current public round state:
  • id=64
  • repo=ramimbo/mergework
  • issue_number=404
  • status=open
  • reward_mrwk="40"
  • max_awards=30
  • awards_paid=16
  • awards_remaining=14
  • accepted_awards length was 16
• First accepted-award entry included public proof metadata only: account, amount_mrwk, submission_url, and proof_hash.

Concise note: no blocker found for this unauthenticated bounty-detail API read; it reflects the newly opened #404 overflow/review round and keeps public payout evidence visible without exposing secrets or private wallet material.

[carpedkm]

Smoke check: public activity search API for a GitHub ledger account with accepted work.

Checked command at 2026-05-26 14:51 UTC:

curl -i 'https://api.mrwk.ltclab.site/api/v1/activity?limit=5&q=github%3Acarpedkm'

Expected:

• unauthenticated request returns HTTP 200 JSON;
• the q filter narrows activity to the requested ledger account;
• contributor and recent rows include proof and bounty metadata without exposing private wallet material.

Observed:

• HTTP 200 with content-type: application/json.
• Security headers were present, including content-security-policy, strict-transport-security, x-content-type-options: nosniff, and x-frame-options: DENY.
• JSON summary reflected the filtered account:
  • query="github:carpedkm"
  • totals.accepted_awards=1
  • totals.accepted_mrwk="40"
  • contributors[0].account="github:carpedkm"
  • recent[0].ledger_sequence=620
  • recent[0].bounty_issue_number=340
  • recent[0].proof_hash=26121f23e1d17bedc04acdd43deb0622993c6555a7cbed394e7616a2c4711e67

Concise note: no blocker found for this unauthenticated activity-search read; it confirms the public account filter returns proof-backed accepted-work metadata while keeping output limited to public ledger evidence.

[chrisx9z]

Smoke check for bounty #405

Checked command:

curl -s "https://api.mrwk.ltclab.site/api/v1/activity?q=p3xill"

Expected:

The public activity endpoint should return proof-backed activity for github:p3xill,
including enough bounty context for agents to distinguish the source GitHub
bounty issue from the internal MergeWork bounty record.

Observed:

The endpoint returned HTTP 200 with totals.accepted_awards: 2,
totals.accepted_mrwk: "115", and one contributor row for github:p3xill.
The live response includes current bounty context fields that are useful for
agents:

• contributor row: latest_bounty_repo, latest_bounty_issue_number,
  latest_bounty_issue_url
• recent rows: bounty_repo, bounty_issue_number, bounty_issue_url,
  bounty_id, bounty_url

Concise note:

The endpoint looks healthy and publicly reproducible, and the extra bounty
context fields make the source GitHub issue vs internal MergeWork bounty id
distinction clear. This also highlights a small docs/example freshness gap in
docs/api-examples.md, whose activity example does not yet show all of these
live fields.

[glasses666]

Smoke check / public availability report: API and MCP HTTPS connect timeout from this environment.

Checked at 2026-05-26 15:28 UTC.

Commands:

dig +short api.mrwk.ltclab.site mcp.mrwk.ltclab.site
curl -4 -sS --connect-timeout 8 --max-time 15 https://api.mrwk.ltclab.site/api/v1/status
curl -6 -sS --connect-timeout 8 --max-time 15 https://api.mrwk.ltclab.site/api/v1/status
nc -vz -G 8 api.mrwk.ltclab.site 443
curl -sS --connect-timeout 8 --max-time 30 -X POST https://mcp.mrwk.ltclab.site/mcp \
  -H "Content-Type: application/json" \
  -d "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/list\"}"

Expected:

• api.mrwk.ltclab.site/api/v1/status returns HTTP 200 JSON or another explicit HTTP response.
• mcp.mrwk.ltclab.site/mcp returns a JSON-RPC response for tools/list or an explicit HTTP error.

Observed:

• DNS resolved both hostnames to 57.129.50.230.
• curl -4 to /api/v1/status failed before TLS/HTTP with curl: (28) Failed to connect to api.mrwk.ltclab.site port 443 after 8001 ms: Timeout was reached.
• curl -6 also failed with curl: (28) Failed to connect to api.mrwk.ltclab.site port 443 after 8003 ms: Timeout was reached.
• nc -vz -G 8 api.mrwk.ltclab.site 443 returned connectx ... Operation timed out.
• The MCP tools/list POST to mcp.mrwk.ltclab.site failed the same way: TCP 443 connect timeout after 8 seconds.

Concise note: this does not prove a global outage, especially because earlier comments here show successful unauthenticated API reads from another network. It is still a reproducible public availability signal from this environment: both public hostnames resolve, but TCP 443 to the shared address times out before any HTTP/security headers can be observed. No private credentials, cookies, wallet material, or private vulnerability details are included.

[ramimbo]

Paid three accepted smoke-check comments.

Source	Recipient	Proof
#405 (comment)	github:thanhdn1984	https://mrwk.ltclab.site/proofs/a0d2e25c30504d4365fc49c3b1cc9bbc71bb293fec1a3bf672c292aeb5ffbc68
#405 (comment)	github:carpedkm	https://mrwk.ltclab.site/proofs/5c56af625881f4de451cfc01462afb71ca3425140cf74c6d102344cdd98839db
#405 (comment)	github:carpedkm	https://mrwk.ltclab.site/proofs/5b424ce24272b473b556c91998f01a7a9c4b28601f44163664295097e8a63dbb

27 smoke-check awards remain open.

[prettyboyvic]

Smoke check: public wallet detail API for a linked mrwk1 wallet.

Checked command at 2026-05-26 15:52 UTC:

bash curl -i https://api.mrwk.ltclab.site/api/v1/wallets/mrwk1fb1437aec45b46ec640f44b2e2aced55dc23556e

Expected:

• unauthenticated request returns HTTP 200 JSON for a public wallet address;
• response exposes only public wallet/account state, such as address, public key, linked GitHub login, balance, nonce, and timestamps;
• next_nonce is one greater than nonce so clients can prepare the next signed transfer without guessing.

Observed:

• HTTP 200 with content-type: application/json.
• Security headers were present: strict-transport-security, x-content-type-options: nosniff, and x-frame-options: DENY.
• JSON summary matched the public wallet record:
  • address=mrwk1fb1437aec45b46ec640f44b2e2aced55dc23556e
  • github_login=prettyboyvic
  • balance_mrwk=600
  • nonce=2
  • next_nonce=3
  • public_key_hex was present as public key material, not a private key or seed.

Concise note: no blocker found for this unauthenticated wallet detail read; it gives clients enough public state for account display and next-transfer nonce preparation without exposing private wallet material, cookies, browser storage, signatures, or secrets.

[akmhatey-ai]

Smoke check: public account and accepted-work APIs for a GitHub ledger account with accepted awards.

Checked at 2026-05-26 15:58 UTC:

curl -i https://api.mrwk.ltclab.site/api/v1/accounts/github:akmhatey-ai
curl -i https://api.mrwk.ltclab.site/api/v1/accounts/github:akmhatey-ai/accepted-work

Expected:

• unauthenticated reads return HTTP 200 JSON for a public GitHub ledger account;
• the account endpoint summarizes balance and accepted-work totals;
• the accepted-work endpoint lists public proof-backed award rows without exposing private wallet material.

Observed:

• Both requests returned HTTP 200 with content-type: application/json.
• Security headers were present, including content-security-policy, strict-transport-security, x-content-type-options: nosniff, and x-frame-options: DENY.
• /api/v1/accounts/github:akmhatey-ai returned exists=true, ledger_address=github:akmhatey-ai, github_login=akmhatey-ai, balance_mrwk="90", accepted_awards=2, accepted_mrwk="90", latest_ledger_sequence=683, and latest proof hash 985deb5539de48bb33ca699195bea5b98f09de5c73e1c223088f0b54fe3476e3.
• /api/v1/accounts/github:akmhatey-ai/accepted-work listed two public proof-backed awards: ledger 683 for 50 MRWK on issue #407, and ledger 678 for 40 MRWK on issue #404 / PR #421.

Concise note: no blocker found for these unauthenticated public account reads; the account summary reconciles with the proof-backed accepted-work list and exposes public GitHub/proof metadata only, with no private keys, wallet JSON, browser storage, cookies, OAuth tokens, signatures, or private report details.

[aiautotool]

Smoke check: public proof API and proof page for a newly paid #411 award.

Checked at 2026-05-26 16:02 UTC.

Commands:

curl -i https://api.mrwk.ltclab.site/api/v1/proofs/fe00016678d3a0dd408ba165b0e04516f16e09cc5c4b512df3c28e60f6f72015
curl -i https://mrwk.ltclab.site/proofs/fe00016678d3a0dd408ba165b0e04516f16e09cc5c4b512df3c28e60f6f72015

Expected:

• unauthenticated proof API returns HTTP 200 JSON for a public bounty-payment proof;
• public proof page returns HTTP 200 HTML and links the bounty issue, internal bounty, ledger entry, and recipient account;
• neither response exposes private wallet material or secrets.

Observed:

• API returned HTTP 200 with content-type: application/json and security headers including content-security-policy, strict-transport-security, x-content-type-options: nosniff, and x-frame-options: DENY.
• API JSON identified kind: bounty_payment, bounty_id: 71, issue_number: 411, amount_mrwk: "75", to_account: "github:carpedkm", submission_url: "https://github.com/ramimbo/mergework/pull/412", and ledger_sequence: 672.
• Proof page returned HTTP 200 HTML titled MRWK Proof, displayed Accepted bounty payment, linked github:carpedkm, ramimbo/mergework #411, /bounties/71, and /ledger/672, and showed the same proof hash.

Concise note: public proof lookup is working for the recent #411 payout and exposes reproducible ledger/bounty/account context without private data.

[piaigmt]

Smoke check: open-bounty listing API with status filter after the 2026-05-26 bounty refresh.

Checked command at 2026-05-26 16:02 UTC:

curl -i 'https://api.mrwk.ltclab.site/api/v1/bounties?status=open&limit=5'

Expected:

• unauthenticated request returns HTTP 200 JSON;
• the status=open filter returns currently open bounty rows only;
• rows include enough public accounting fields for agents to prioritize work without needing GitHub scraping or credentials.

Observed:

• HTTP 200 with content-type: application/json.
• Security headers were present, including content-security-policy, strict-transport-security, x-content-type-options: nosniff, and x-frame-options: DENY.
• The response was a JSON list of open bounty rows. The first five rows all had status="open" and included public prioritization/accounting fields: id, repo, issue_number, issue_url, title, reward_mrwk, available_mrwk, reserved_mrwk, max_awards, awards_paid, and awards_remaining.
• The first five open rows at check time were:
  • internal id=73, issue #427, reward 125, awards remaining 5;
  • internal id=72, issue #426, reward 50, awards remaining 10;
  • internal id=71, issue #411, reward 75, awards remaining 2;
  • internal id=66, issue #406, reward 50, awards remaining 20;
  • internal id=65, issue #405, reward 25, awards remaining 27.

Concise note: no blocker found for this unauthenticated open-bounty list read; the filter and public accounting fields are useful for agents selecting reachable work and do not expose private wallet material, browser storage, cookies, OAuth state, access tokens, signatures, or secrets.