⚙ Hermes Infrastructure Audit

graphlab.info · VPS srv1632845 · 177.7.52.251 · June 3, 2026
Read-only audit · 2026-06-03 · DeepSeek Pro · 56 services running

Stack: DNS (graphlab.info → 177.7.52.251) → Caddy (TLS) → VONDER (proxy router on :10276) → 20+ backend services. Backends are meant to listen on localhost only (the Port Map lists the exceptions); Caddy handles public HTTPS; Tailscale provides private access.

VPS: 96GB disk (68% used), Ubuntu 22.04, Linux 6.8.0, Hermes v0.15.1 (126 commits behind), 34 skill categories, 112 SKILL.md files.

User systemd: 2 gateways (omega + mirror) on ports 8643/3978. Platform integrations: Telegram, Discord, API server, webhooks, Teams.

📋 Table of Contents

01 Architecture Summary
02 Port Map
03 Service Map
04 Reverse Proxy Routing
05 Problems & Risks
06 Recommended Target Architecture
07 Cleanup Plan
08 Current Architecture Diagram
09 Recommended Architecture Diagram

1. Architecture Summary

Ingress
Caddy (ports 80/443) — Let's Encrypt TLS
Edge Router
VONDER (:10276) — Python HTTP proxy server
Internal Network
localhost only (127.0.0.1) by design, except Caddy and SSH; the Port Map lists the services that currently deviate from this
Private Access
Tailscale (100.67.155.37) — 2 Macs, 1 iPhone connected
Firewall
UFW inactive. iptables: INPUT policy DROP, plus one rule dropping :8643 from interfaces other than tailscale0. The ACCEPT rules that must exist for 22/80/443 to work were not enumerated in this audit.
Hermes Gateway
User systemd, omega profile, :8643 (API) + :8644 (webhooks) + :3978 (Teams)

Ingress Channels:

Channel | Port | Route | Auth
Caddy (graphlab.info) | 80 → 443 | → VONDER :10276 | Let's Encrypt
Caddy (vault.graphlab.info) | 443 | → Vaultwarden :10273 | Let's Encrypt
Tailscale SSH | 22 | Direct SSH | SSH key
WARP (Cloudflare) | n/a | Outbound tunnel (active) | Cloudflare
Cloudflared | n/a | Inactive (stopped) | JWT token

Flow: User → graphlab.info:443 → Caddy (TLS termination) → localhost:10276 (VONDER) → path routing → backend :PORT

2. Port Map

Port | Process | Bind | Purpose
22 | sshd | 0.0.0.0 | SSH (IPv4 and IPv6)
25 | postfix/master | 127.0.0.1 | SMTP (local only)
80 | caddy | *:80 | HTTP redirect to HTTPS
443 | caddy | *:443 | HTTPS: graphlab.info + vault.graphlab.info
445 | smbd | 0.0.0.0 | Samba file sharing
631 | cupsd | 0.0.0.0 | CUPS printing service
2019 | caddy | 127.0.0.1 | Caddy admin API
3001 | node (uptime-kuma) | 127.0.0.1 | Uptime Kuma dashboard
3210 | node (hermes-mod) | 127.0.0.1 | Hermes Mod: Skin Studio
3978 | hermes (gateway) | 0.0.0.0 | Teams bot adapter
4422 | sshd | 0.0.0.0 | Secondary SSH port
8643 | hermes (gateway) | 0.0.0.0 | Hermes Gateway: API + messaging
8644 | hermes (gateway) | 0.0.0.0 | Hermes Gateway: webhooks
8765 | python3 | 127.0.0.1 | Signs365 Pricing Engine
8777 | python | 0.0.0.0 | WeatherBet Dashboard API
8787 | python | 127.0.0.1 | Hermes WebUI
8795 | uvicorn | 127.0.0.1 | Sentinel Political Intelligence backend
8888 | docker-proxy | 127.0.0.1 | SearXNG search (Docker)
9050 | tor | 127.0.0.1 | Tor SOCKS proxy
9119 | hermes (dashboard) | 127.0.0.1 | Hermes Dashboard
10272 | node (HCI) | 127.0.0.1 | Hermes Control Interface (Vite)
10273 | docker-proxy | 127.0.0.1 | Vaultwarden (Docker)
10276 | python3 (VONDER) | 127.0.0.1 | VONDER: central proxy router
10278 | python3 | 127.0.0.1 | V3 SALVe Vectorizer
10281 | python3 | 127.0.0.1 | Print Broker Quote Engine
10282 | python3 (Aether) | 127.0.0.1 | Aether Engine: trading analysis
10284 | node | 127.0.0.1 | UA Dashboard (Understand Anything)
10285 | ttyd | 127.0.0.1 | Web terminal (HTTP basic auth with a single static credential; the credential has been redacted from this report)
10286 | filebrowser | 127.0.0.1 | File browser (noauth mode)
10287 | uvicorn (TIB) | 127.0.0.1 | TIB original (INACTIVE)
10289 | uvicorn (TIB3) | 127.0.0.1 | TIB3: merged TIB dashboard
10290 | vibe-trading | 127.0.0.1 | Vibe-Trading API server
10291 | uvicorn (TIB4) | 127.0.0.1 | TIB4: TradingAgents collector
10292 | python3 | 127.0.0.1 | SIGN WORKS (Zak) Pricing
10293 | python3 | 127.0.0.1 | Aether Web CLI
10294 | python3 | 127.0.0.1 | Options Finder Dashboard
10295 | python3 | 127.0.0.1 | Options Accuracy Tracker
MEDIUM

Port 8777 (WeatherBet API) on 0.0.0.0

Listens on all interfaces with no application-level auth. The intended path is through VONDER (/weatherbet/api/*), so there is no reason for the listener to be reachable directly. Whether IP:8777 is actually open from the internet depends on the iptables INPUT chain (policy DROP), not on the bind address; confirm with an external port scan before rating it, and bind to 127.0.0.1 regardless so exposure does not hinge on firewall state.

MEDIUM

Ports 8643, 8644, 3978 on 0.0.0.0

Gateway API (:8643), webhooks (:8644) and the Teams adapter (:3978) all bind 0.0.0.0. The iptables rule drops :8643 arriving on anything other than tailscale0, but :8644 and :3978 have no explicit rule and rely on the INPUT policy alone. Two things follow from the routing tables in section 4. First, VONDER already proxies /webhooks* to :8644, so inbound webhook POSTs can arrive via graphlab.info:443 → Caddy → VONDER and the listener does not need a public bind at all; it can move to 127.0.0.1 like the other backends. Second, VONDER's /api/* catch-all forwards to :8643, so the gateway API that the iptables rule restricts to Tailscale is also reachable from the internet as graphlab.info/api/..., protected only by whatever authentication the gateway itself enforces. Verify the gateway's API auth before treating the Tailscale-only rule as a control, and give :3978 the same treatment as :8643 (or bind it locally and publish any required Teams endpoint through Caddy/VONDER).
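The findings above repeatedly conflate "bound to 0.0.0.0" with "reachable from the internet". The check a practitioner actually wants is to evaluate each wide-bound listener against the host's INPUT chain. The script below is an added example written for this report, not a tool from the audited host: it parses `ss -tlnpH` output and an `iptables-save` dump and classifies every listener as loopback-only, exposed, or bound-wide-but-filtered. Both inputs are constructed. SS_OUTPUT is built from ports in the Port Map; IPTABLES_SAVE models the report's description (INPUT policy DROP, :8643 dropped off tailscale0) plus ACCEPT rules for lo, established traffic, tailscale0, 22/80/443 and 8644 that the report implies but does not list. The public interface name eth0 is an assumption; replace the two constants with real output from the host.

```python
"""Decide which wide-bound listeners are actually reachable from the internet.

Added example for this audit, not a tool from the audited host. SS_OUTPUT and
IPTABLES_SAVE are constructed from the report's tables; the public interface
name eth0 is an assumption.
"""
import re
import shlex

SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 4096 *:443 *:* users:(("caddy",pid=912,fd=9))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1020,fd=40))
LISTEN 0 128 0.0.0.0:3978 0.0.0.0:* users:(("hermes",pid=2201,fd=12))
LISTEN 0 128 0.0.0.0:8643 0.0.0.0:* users:(("hermes",pid=2201,fd=10))
LISTEN 0 128 0.0.0.0:8644 0.0.0.0:* users:(("hermes",pid=2201,fd=11))
LISTEN 0 128 0.0.0.0:8777 0.0.0.0:* users:(("python",pid=2310,fd=5))
LISTEN 0 128 127.0.0.1:10276 0.0.0.0:* users:(("python3",pid=2400,fd=4))
LISTEN 0 128 127.0.0.1:10286 0.0.0.0:* users:(("filebrowser",pid=2450,fd=6))
"""

# Constructed: the report's DROP policy and :8643 rule, plus assumed ACCEPTs.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 8643 ! -i tailscale0 -j DROP
-A INPUT -i tailscale0 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8644 -j ACCEPT
COMMIT
"""

WIDE_BINDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(text):
    """Return (process, bind address, port) tuples from `ss -tlnpH` lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        proc = re.search(r'\("([^"]+)"', parts[5])
        rows.append((proc.group(1) if proc else "?", addr, int(port)))
    return rows


class InputChain:
    """Minimal first-match model of an INPUT chain: -i, ! -i, -p, --dport, --ctstate, -j."""

    def __init__(self, save_text):
        self.policy, self.rules = "ACCEPT", []
        for line in save_text.splitlines():
            if line.startswith(":INPUT "):
                self.policy = line.split()[1]
            elif line.startswith("-A INPUT "):
                self.rules.append(self._parse(shlex.split(line)[2:]))

    @staticmethod
    def _parse(tokens):
        rule = dict(iface=None, neg_iface=False, proto=None, dport=None, ctstate=None, target=None)
        negate = False
        for i, tok in enumerate(tokens):
            arg = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "!":
                negate = True
                continue
            if tok == "-i":
                rule["iface"], rule["neg_iface"] = arg, negate
            elif tok == "-p":
                rule["proto"] = arg
            elif tok == "--dport":
                rule["dport"] = int(arg)
            elif tok == "--ctstate":
                rule["ctstate"] = set(arg.split(","))
            elif tok == "-j":
                rule["target"] = arg
            negate = False  # -m <module> and other options are skipped, not modelled
        return rule

    def verdict(self, iface, port, proto="tcp"):
        """Fate of a NEW inbound connection to `port` arriving on `iface`."""
        for r in self.rules:
            if r["iface"] is not None and (iface == r["iface"]) == r["neg_iface"]:
                continue
            if r["proto"] and r["proto"] != proto:
                continue
            if r["dport"] is not None and r["dport"] != port:
                continue
            if r["ctstate"] is not None and "NEW" not in r["ctstate"]:
                continue
            if r["target"] in ("ACCEPT", "DROP", "REJECT"):
                return r["target"]
        return self.policy


def assess(ss_text, save_text, public_iface="eth0", allowlist=frozenset({22, 80, 443})):
    """Classify each listening port: loopback only / EXPOSED / bound wide but filtered."""
    chain, findings = InputChain(save_text), {}
    for _proc, addr, port in parse_ss(ss_text):
        if addr not in WIDE_BINDS:
            findings[port] = "loopback only"
            continue
        verdict = chain.verdict(public_iface, port)
        if verdict == "ACCEPT":
            findings[port] = "EXPOSED (expected)" if port in allowlist else "EXPOSED"
        else:
            findings[port] = f"bound wide, filtered by iptables ({verdict})"
    return findings


if __name__ == "__main__":
    for port, state in sorted(assess(SS_OUTPUT, IPTABLES_SAVE).items()):
        print(f"{port:>6}  {state}")
```

With the constructed ruleset, 8644 comes out EXPOSED while 445, 3978 and 8777 are bound wide but filtered by the DROP policy, and 8643 is dropped off tailscale0 but accepted on it. That is exactly the distinction the report needs: run it against the real `ss -tlnpH` and `iptables-save` output, then confirm the result with a port scan from outside the VPS, since the model ignores `-s`, `-m multiport` and any nftables rules.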

3. Service Map

Systemd Services — System Scope

Service | Port | Status | Backend/Notes
vonder-api.service | 10276 | ACTIVE | VONDER proxy, central router (Python ThreadingHTTPServer)
caddy.service | 80, 443 | ACTIVE | Caddy v2: TLS + reverse proxy
hermes-control.service | 10272 | ACTIVE | Hermes Control Interface (Node Vite)
hermes-dashboard.service | 9119 | ACTIVE | Hermes Agent Dashboard (hermes --profile omega dashboard)
hermes-webui.service | 8787 | ACTIVE | Hermes Web UI (Python server)
hermes-mod.service | 3210 | ACTIVE | Hermes Mod: Skin Studio Web UI
aether.service | 10282 | ACTIVE | Aether Engine: trading analysis + brain
aether-cli.service | 10293 | ACTIVE | Aether Web CLI terminal
options-finder.service | 10294 | ACTIVE | Options Strategy Finder dashboard
options-tracker.service | 10295 | ACTIVE | Options Accuracy Tracker API
sentinel-backend.service | 8795 | ACTIVE | Sentinel Political Intelligence (FastAPI + SQLAlchemy)
vibe-trading.service | 10290 | ACTIVE | Vibe-Trading API + Swarm (MCP)
tib3.service | 10289 | ACTIVE | TIB3: merged TIB dashboard (6 collectors)
tib4.service | 10291 | ACTIVE | TIB4: TradingAgents collector
tib.service | 10287 | INACTIVE | TIB original: stopped, disabled (merged into TIB3)
weatherbot.service | n/a | ACTIVE | WeatherBet bot (Polymarket trading, no HTTP)
weatherbet-api.service | 8777 | ACTIVE | WeatherBet Dashboard API
print-broker-quote.service | 10281 | ACTIVE | Print Broker Quote Engine
zak-quote.service | 10292 | ACTIVE | SIGN WORKS (Zak) Pricing Calculator
signs365-pricing.service | 8765 | ACTIVE | Signs365 Pricing Engine
vectorizer-v3.service | 10278 | ACTIVE | V3 SALVe Vectorizer
filebrowser.service | 10286 | ACTIVE | File Browser (noauth)
ttyd.service | 10285 | ACTIVE | Web terminal
ua-dashboard.service | 10284 | ACTIVE | Understand Anything Dashboard
warp-svc.service | n/a | ACTIVE | Cloudflare WARP client

User Systemd Services

Service | Port | Status | Notes
hermes-gateway-omega.service | 8643, 8644, 3978 | ACTIVE | Main gateway: messaging, API, webhooks, Teams
hermes-gateway-mirror.service | n/a | ACTIVE | Mirror profile: silent observer

Docker Containers

Container | Image | Port | Status
searxng | searxng/searxng:latest | 127.0.0.1:8888→8080 | UP 3d
uptime-kuma | louislam/uptime-kuma:1 | 3001 (host) | UP 3d
vaultwarden | vaultwarden/server:latest | 127.0.0.1:10273→80 | UP 3d
discovery-dashboard-api-1 | discovery-dashboard-api | (no published port) | UP 3d

Cron Jobs

Schedule | Command | Purpose
0 1 * * * | gbrain-dream-wrapper.sh | GBrain nightly digest
0 9 * * 0 | bun run gbrain doctor | GBrain weekly health check
0 * * * * | hermes-sentinel | Sentinel update hourly
5 1 * * * | hermes-veritas | Veritas nightly verification
*/5 * * * * | duckdns/duck.sh | DuckDNS IP update
0 4 * * * | backup.sh (restic) | Restic backup

4. Reverse Proxy Routing

Caddy Routes

Domain/Path | Target | Type
graphlab.info /* | localhost:10276 (VONDER) | reverse_proxy
graphlab.info /terminal/* | localhost:10285 (ttyd) | reverse_proxy (direct, bypasses VONDER)
graphlab.info /signworks/* | /root/signworks.html | static files
graphlab.info /socket.io/* | localhost:3001 (Uptime Kuma) | reverse_proxy (WebSocket)
vault.graphlab.info /* | localhost:10273 (Vaultwarden) | reverse_proxy

VONDER Proxy Routes (path → port)

Path | Target Port | Backend
/ | :10276 (static) | graphlab-site/index.html landing page
/terminal/* | :10285 | ttyd web terminal
/weatherbet/api/* | :8777 | WeatherBet Dashboard API
/weatherbet-api/* | :8777 | WeatherBet API (POST)
/files/* | :10286 | File Browser
/sentinel* | :8795 | Sentinel backend
/webhooks* | :8644 | Hermes webhooks
/quote/* | :10281 | Print Broker Quote
/zak/* | :10292 | SIGN WORKS Pricing
/signs365/* | :8765 | Signs365 Pricing
/webui/* | :8787 | Hermes WebUI
/options2* | :10294 | Options Finder
/brief* | :10294 | Options Finder (brief view)
/brief/accuracy* | :10295 | Options Tracker
/trading* | :10282 | Aether Engine
/cli* | :10293 | Aether Web CLI
/dashboard/* | :9119 | Hermes Dashboard
/achievements* | :9119 | Hermes Achievements plugin
/hci* | :10272 | Hermes Control Interface (Vite SPA)
/tib3* | :10289 | TIB3 Dashboard
/tib4* | :10291 | TIB4 Dashboard
/tib* (301) | :10289 | Redirect to TIB3
/tib2* (301) | :10289 | Redirect to TIB3
/vibe* | :10290 | Vibe-Trading
/uptime* | :3001 | Uptime Kuma
/vectorize* | :10278 | V3 Vectorizer
/api/stats, /api/gbrain, etc. | :10276 | VONDER native endpoints
/api/* (catch-all) | :8643 | Hermes Gateway API
/banks/* | :9998 | DEAD: port 9998 not listening
/hindsight* | :8887 | DEAD: Hindsight removed (replaced by OB1)
/fleming* | :9998 | DEAD: port 9998 not listening
MEDIUM

Dead Routes in VONDER: /banks, /hindsight, /fleming

Three route prefixes proxy to backends that no longer exist: /banks → :9998 (nothing listening), /hindsight → :8887 (Hindsight removed), /fleming → :9998. Requests to them fail at connect time and surface as proxy errors instead of a clean 404. Remove them from vonder_api.py or have VONDER answer 404 directly. While editing the table, also check how VONDER orders prefix matches: /brief* and /brief/accuracy* go to different ports, and a first-match router would swallow the second under the first.
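Two static checks on a prefix-routing table like VONDER's, as an added example for this report rather than VONDER's own code: routes whose target port has no listener (the dead routes above), and routes that an earlier, shorter prefix with a different target would shadow. ROUTES is transcribed from the route table in this section (a trailing * marks a prefix; the entries without * are exact paths) and LISTENING is the set of ports from the Port Map. The report does not say whether VONDER matches first-in-order or longest-prefix, so the shadowing check assumes first-match semantics and `resolve` shows the order-independent longest-prefix alternative.

```python
"""Dead-target and prefix-shadowing checks for a path-prefix proxy table.

Added example for this audit, not VONDER's code. ROUTES and LISTENING are
transcribed from the report's route table and Port Map. Assumption: the
shadowing check models first-match-in-table-order routing.
"""

ROUTES = [  # (pattern, target port, note), in the order the report lists them
    ("/", 10276, "landing page (static)"),
    ("/terminal/*", 10285, "ttyd"),
    ("/weatherbet/api/*", 8777, "WeatherBet API"),
    ("/files/*", 10286, "File Browser"),
    ("/sentinel*", 8795, "Sentinel"),
    ("/webhooks*", 8644, "Hermes webhooks"),
    ("/options2*", 10294, "Options Finder"),
    ("/brief*", 10294, "Options Finder (brief)"),
    ("/brief/accuracy*", 10295, "Options Tracker"),
    ("/dashboard/*", 9119, "Hermes Dashboard"),
    ("/tib3*", 10289, "TIB3"),
    ("/tib4*", 10291, "TIB4"),
    ("/tib*", 10289, "301 -> TIB3"),
    ("/tib2*", 10289, "301 -> TIB3"),
    ("/api/stats", 10276, "VONDER native"),
    ("/api/gbrain", 10276, "VONDER native"),
    ("/api/*", 8643, "Hermes Gateway API (catch-all)"),
    ("/banks/*", 9998, "dead"),
    ("/hindsight*", 8887, "dead"),
    ("/fleming*", 9998, "dead"),
]

LISTENING = {22, 80, 443, 3001, 3210, 3978, 8643, 8644, 8765, 8777, 8787, 8795,
             8888, 9050, 9119, 10272, 10273, 10276, 10278, 10281, 10282, 10284,
             10285, 10286, 10289, 10290, 10291, 10292, 10293, 10294, 10295}


def prefix_of(pattern):
    """'/files/*' -> '/files/'; exact patterns are returned unchanged."""
    return pattern[:-1] if pattern.endswith("*") else pattern


def dead_routes(routes=ROUTES, listening=LISTENING):
    """Patterns whose target port has no listener; these should 404, not 502."""
    return sorted({pat for pat, port, _ in routes if port not in listening})


def shadowed_routes(routes=ROUTES):
    """(shadowed, shadowing) pairs under first-match routing: an earlier prefix
    route covers a later route's prefix and sends traffic somewhere else."""
    pairs = []
    for i, (pat_b, port_b, _) in enumerate(routes):
        pre_b = prefix_of(pat_b)
        for pat_a, port_a, _ in routes[:i]:
            pre_a = prefix_of(pat_a)
            if (pat_a.endswith("*") and pre_a != pre_b
                    and pre_b.startswith(pre_a) and port_a != port_b):
                pairs.append((pat_b, pat_a))
                break
    return pairs


def resolve(path, routes=ROUTES):
    """Order-independent lookup: exact match wins, else the longest matching prefix."""
    best = None
    for pat, port, note in routes:
        if not pat.endswith("*"):
            if path == pat:
                return port, note
            continue
        pre = prefix_of(pat)
        if path.startswith(pre) and (best is None or len(pre) > best[0]):
            best = (len(pre), port, note)
    return (best[1], best[2]) if best else (None, "no route")


if __name__ == "__main__":
    print("dead:", dead_routes())
    print("shadowed under first-match:", shadowed_routes())
    for p in ("/brief/accuracy/today", "/tib/old", "/api/stats", "/api/chat"):
        print(p, "->", resolve(p))
```

Run against the table as transcribed, the dead-route check returns /banks/*, /fleming* and /hindsight*, and the shadowing check flags /brief/accuracy* as unreachable behind /brief* if VONDER routes first-match. Re-run both after the cleanup in section 7, and keep LISTENING sourced from a live `ss -tlnp` rather than this transcription.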

5. Problems & Risks

CRITICAL

UFW Inactive: Firewall Is an Unmanaged iptables Ruleset

UFW is disabled. The only host filtering is a hand-maintained iptables ruleset: INPUT policy DROP plus one explicit rule dropping :8643 from interfaces other than tailscale0. This audit did not enumerate the ACCEPT rules, so it is not established which of the wide-bound listeners (3978 Teams, 8644 webhooks, 8777 WeatherBet, 445 Samba, 631 CUPS, 4422 SSH) are actually reachable from the internet; a 0.0.0.0 bind is exposure only if the INPUT chain admits the port. Verify with `iptables -S INPUT` on the host and a port scan from outside. Also confirm the rules are persisted (netfilter-persistent or equivalent): iptables rules are not saved across reboots by default, and if they are lost the policy reverts to ACCEPT and every wide-bound service becomes public. TLS on Caddy protects the transport; it is not access control.

HIGH

Hermes Gateway 126 Commits Behind

v0.15.1 is installed but 126 commits behind upstream, so any bug and security fixes shipped since are missing. Run 'hermes update' to catch up (it may trigger the post-update hook for the TUI overlay) and re-verify the gateway afterwards.

HIGH

WeatherBot Secrets in systemd Unit

Polymarket private key, IPRoyal proxy credentials and the Visual Crossing API key are hardcoded as Environment= directives in weatherbot.service, so `systemctl cat weatherbot.service` prints them to anyone who can query systemd, and they land in backups and config diffs. Move them to an EnvironmentFile= owned by root with mode 0600: systemd reads it at service start and never echoes its contents. On this systemd version LoadCredential= is also available and keeps secrets out of the process environment entirely, which matters if the bot spawns child processes. Since the private key has already sat in plain text in a unit file, consider rotating it after the move.

HIGH

File Browser With No Auth

filebrowser.service runs with --noauth, bound to 127.0.0.1. The loopback bind does not help here: VONDER proxies /files/* to it and Caddy exposes VONDER at graphlab.info, so anyone on the internet gets full access to whatever directory the service is rooted in. Add auth (filebrowser's own user accounts, or a Caddy basic_auth/forward_auth layer in front of the route) or remove the public route. The web terminal has the same shape of problem: Caddy proxies /terminal/* straight to ttyd, so a shell on the host sits behind a single static basic-auth credential on the public hostname. Restrict it to Tailscale.

MEDIUM

Dead /banks, /hindsight, /fleming Routes

Three routing prefixes point at ports with no listener (/banks and /fleming → :9998, /hindsight → :8887); /hindsight was replaced by OB1. Requests to them fail at connect time and surface as proxy errors rather than a clean 404, and stale entries are an easy way to misroute traffic when a port is reused. Remove them from VONDER. Rated MEDIUM here, consistent with section 4: this is hygiene, not a direct exposure.

MEDIUM

Old MacBook Air Still on Tailscale but Offline

Tailscale shows kyles-macbook-air (100.101.43.38, M3) as offline, last seen 1h ago. This machine was replaced by the M5 MacBook Pro. The Tailscale node should be expired.

MEDIUM

CUPS and Samba on Public Interface

CUPS (port 631) and Samba (port 445) are bound to 0.0.0.0. These are printer/file sharing services with no business being accessible from the public internet on a VPS. CUPS is especially concerning — bound to 0.0.0.0 with no firewall.

MEDIUM

WeatherBet API on 0.0.0.0

Port 8777 binds to all interfaces. Whether it is reachable from the internet depends on the iptables INPUT chain, but the intended path is through VONDER (/weatherbet/api/*), so the listener has no reason to be exposed at all: direct IP:port access would bypass VONDER entirely. Change the --host argument in weatherbet-api.service to 127.0.0.1 and restart the service.

MEDIUM

Disk at 68% (66/96GB)

/dev/sda1 is 66GB used out of 96GB. Hermes session store is 734MB, logs 26MB, skills 9.5MB. Accumulating session data and Docker image layers will continue growing. Monitor monthly.

LOW

DuckDNS Still Active

duck.sh cron runs every 5 minutes updating a DuckDNS record. This was likely used before graphlab.info was configured. Should be cleaned up if no subdomain is active.

LOW

vault.graphlab.info DNS Not Resolving

'dig +short vault.graphlab.info' returns empty. Caddy config and VONDER proxy both reference it, but no A record exists in DNS.

LOW

Cloudflared Service Installed but Inactive

cloudflared service is installed with a tunnel token but marked inactive. WARP (warp-svc) is active instead. Duplicate Cloudflare tooling — should pick one and clean up the other.

LOW

TIB Original Service Disabled But Still Wired

tib.service (original TIB on port 10287) is inactive and disabled, but VONDER still carries /tib (301 to TIB3) and a /tib2/api POST route to :10287. The redirect works because it never contacts the dead backend; the POST route would fail against a closed port. Remove the :10287 references from VONDER.

6. Recommended Target Architecture

  1. Enable UFW (or otherwise manage the host firewall): default deny incoming; allow 22, 80, 443 and everything arriving on tailscale0; allow 4422 only if the secondary SSH port is still wanted, otherwise remove it from sshd_config. Before enabling, snapshot the current ruleset with iptables-save and re-express the :8643 Tailscale-only rule in UFW terms, since UFW takes over the chains. This is the single biggest security win.
  2. Bind all services to 127.0.0.1: WeatherBet API (:8777), the Teams adapter (:3978) and the webhook listener (:8644). Webhooks keep receiving external POSTs through Caddy and VONDER's existing /webhooks* route, so no public bind is required.
  3. Move WeatherBot secrets to an EnvironmentFile (root-owned, mode 0600) and remove the API keys and proxy credentials from the unit file.
  4. Update Hermes Agent: catch up 126 commits. The TUI overlay hooks should survive a reset --hard.
  5. Clean up dead VONDER routes: remove /banks, /hindsight, /fleming from proxy routing.
  6. Remove dead services: TIB original (tib.service), Cloudflared, old MacBook Air Tailscale node.
  7. Add vault.graphlab.info DNS record pointing to 177.7.52.251.
  8. Add auth to File Browser or remove the public route; /files should not be reachable without auth. Apply the same decision to /terminal (ttyd).
  9. Stop and disable CUPS and Samba, and confirm they are blocked at the firewall; neither has any reason to exist on a VPS.

7. Step-by-Step Cleanup Plan

Phase 1: Security (15 minutes)

  1. Snapshot the current rules first: iptables-save > ~/iptables-before.txt
  2. Enable UFW: default deny incoming; allow 22/tcp, 80/tcp, 443/tcp; allow in on tailscale0 to any port; decide explicitly whether 4422 stays open
  3. Fix the WeatherBet API bind: edit weatherbet-api.service to --host 127.0.0.1 and restart
  4. Stop and disable cups.service and smbd.service; with default deny they are also unreachable from outside
  5. Verify from outside the VPS with a port scan that only 22, 80, 443 (and 4422 if kept) answer

Phase 2 — Secrets & Hygiene (10 minutes)

  1. Create /opt/weatherbot/.env with all secrets
  2. Edit weatherbot.service: add EnvironmentFile= and remove inline Environment= lines
  3. Reload systemd, restart weatherbot
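The three steps above can be done mechanically and, more importantly, checked: the script below is an added example for this report, not a script from the audited host. It pulls inline Environment= assignments out of a unit file, emits them as an env file and replaces them with a single EnvironmentFile= line, leaving harmless variables (PYTHONUNBUFFERED and similar) inline. SAMPLE_UNIT is a constructed stand-in for weatherbot.service: the variable names are hypothetical and the values are placeholders, not the real credentials. `write_env_file` creates the file with mode 0600 before any secret is written to it; the `__main__` block only prints the result so nothing is modified by accident.

```python
"""Move inline Environment= secrets from a systemd unit into an EnvironmentFile.

Added example for this audit, not a script from the audited host. SAMPLE_UNIT is
constructed: hypothetical variable names, placeholder values. /opt/weatherbot/.env
is the path named in the cleanup plan.
"""
import os
import shlex
import sys

SAMPLE_UNIT = """\
[Unit]
Description=WeatherBet bot

[Service]
Type=simple
Environment=PYTHONUNBUFFERED=1
Environment="POLYMARKET_PRIVATE_KEY=0xPLACEHOLDER" "PROXY_URL=http://user:pass@proxy.example:8080"
Environment=WEATHER_API_KEY=PLACEHOLDER_KEY
ExecStart=/opt/weatherbot/venv/bin/python -m weatherbot
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Variables that may stay inline; everything else is treated as a secret.
NON_SECRET = {"PYTHONUNBUFFERED", "PYTHONPATH", "PATH", "LANG", "TZ"}


def split_secrets(unit_text, env_path="/opt/weatherbot/.env", keep=NON_SECRET):
    """Return (new unit text, env file text).

    Every Environment= assignment whose name is not in `keep` is removed from the
    unit and written as KEY=VALUE for the env file; one EnvironmentFile= line is
    inserted where the first secret was found.
    """
    unit_lines, env_lines, inserted = [], [], False
    for line in unit_text.splitlines():
        if not line.startswith("Environment="):
            unit_lines.append(line)
            continue
        kept = []
        for assignment in shlex.split(line[len("Environment="):]):
            name, _, value = assignment.partition("=")
            if name in keep:
                kept.append(assignment)
                continue
            # systemd env files need quotes only when the value contains whitespace
            env_lines.append(f'{name}="{value}"' if any(c.isspace() for c in value) else f"{name}={value}")
            if not inserted:
                unit_lines.append(f"EnvironmentFile={env_path}")
                inserted = True
        if kept:
            unit_lines.append("Environment=" + " ".join(shlex.quote(a) for a in kept))
    return "\n".join(unit_lines) + "\n", "".join(f"{l}\n" for l in env_lines)


def write_env_file(path, content):
    """Create the env file 0600 before writing, so secrets never exist world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # the O_CREAT mode is subject to umask; enforce it


if __name__ == "__main__":
    # Dry run: prints the rewritten unit and the env file instead of writing them.
    # Usage: python3 split_secrets.py [/etc/systemd/system/weatherbot.service]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNIT
    new_unit, env = split_secrets(text)
    print(new_unit)
    print("# ---- /opt/weatherbot/.env (write with write_env_file, then chown root:root) ----")
    print(env, end="")
```

After writing the env file with `write_env_file` and installing the rewritten unit, run `systemctl daemon-reload && systemctl restart weatherbot`, then confirm with `systemctl cat weatherbot.service` that no secret values remain and with `stat -c '%a %U' /opt/weatherbot/.env` that the file is 600 and root-owned.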

Phase 3 — Dead Code Cleanup (10 minutes)

  1. Remove /banks, /hindsight, /fleming routes from vonder_api.py
  2. Disable cloudflared service if not needed
  3. Remove DuckDNS cron if no active subdomain
  4. Remove TIB original route from VONDER if no longer needed

Phase 4 — Hermes Update (15 minutes)

  1. Verify TUI overlay restore.py works
  2. Run 'hermes update'
  3. Verify gateway restarted correctly on :8643
  4. Run 'hermes status' to confirm all OK

Phase 5 — DNS & Verification (10 minutes)

  1. Add A record for vault.graphlab.info
  2. Expire old MacBook Air from Tailscale admin console
  3. Curl all major public routes to ensure they still 200
  4. Check weatherbot and health watchdog still healthy

8. Current Architecture Diagram

┌─────────────────────────────────────────────────────────────────────┐
│                         INTERNET                                     │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
│  │ :80 → :443   │  │ Tailscale    │  │ SSHD         │              │
│  │ graphlab.info│  │ 100.67.155.37│  │ :22 / :4422  │              │
│  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘              │
│         │                 │                 │                       │
└─────────┼─────────────────┼─────────────────┼───────────────────────┘
          │                 │                 │
          ▼                 ▼                 ▼
┌─────────────────────────────────────────────────────────────────────┐
│                         CADDY (TLS)                                 │
│  graphlab.info → 127.0.0.1:10276                                    │
│  vault.graphlab.info → 127.0.0.1:10273                               │
│  /terminal/* → 127.0.0.1:10285                                       │
│  /signworks/* → /root/signworks.html                                 │
│  /socket.io/* → 127.0.0.1:3001                                       │
└──────────────────────┬──────────────────────────────────────────────┘
                       │
                       ▼
┌─────────────────────────────────────────────────────────────────────┐
│                    VONDER PROXY (:10276)                            │
│  Python ThreadingHTTPServer — path-based routing                    │
│                                                                     │
│  ┌──────────┬──────────┬──────────┬──────────┬──────────┐          │
│  │TRADING   │PRICING   │HERMES    │DATA      │DEAD      │          │
│  ├──────────┼──────────┼──────────┼──────────┼──────────┤          │
│  │:10282    │:10281    │:8643     │:10289    │:9998     │          │
│  │ Aether   │ Quote    │ Gateway  │ TIB3     │ /banks   │          │
│  │:10293    │:10292    │:9119     │:10291    │:8887     │          │
│  │ CLI      │ S.WORKS  │ Dashboard│ TIB4     │ /hindsight│         │
│  │:10290    │:8765     │:10272    │:10284    │:9998     │          │
│  │ Vibe-T   │ Signs365 │ HCI      │ UA       │ /fleming │          │
│  │:8777     │:10294    │:8787     │:10278    │          │          │
│  │ WxBet    │ OptFind  │ WebUI    │ Vector   │          │          │
│  │:10295    │:8795     │:3001     │:10286    │          │          │
│  │ OptTrack │ Sentinel │ Kuma     │ Files    │          │          │
│  └──────────┴──────────┴──────────┴──────────┴──────────┘          │
└─────────────────────────────────────────────────────────────────────┘
                       │
         ┌─────────────┼─────────────┐
         ▼             ▼             ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│  DOCKER      │ │  SYSTEMD     │ │  CRON        │
├──────────────┤ ├──────────────┤ ├──────────────┤
│ SearXNG:8888 │ │ weatherbot   │ │ gbrain 1AM   │
│ Vault:10273  │ │ hermes-ctrl  │ │ sentinel hrly │
│ Kuma:3001    │ │ hermes-dash  │ │ veritas 1AM  │
│ Discovery    │ │ aether       │ │ duckdns 5min │
│ (internal)   │ │ vibe-trading │ │ backup 4AM   │
│              │ │ options-find │ │              │
│              │ │ sentinel-bk  │ │              │
│              │ │ tib3/tib4    │ │              │
│              │ │ vectorizer   │ │              │
└──────────────┘ └──────────────┘ └──────────────┘

9. Recommended Architecture Diagram

┌──────────────────────────────────────────────────────────────────────┐
│                          INTERNET                                     │
│   ┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐   │
│   │ Caddy :80→:443  │   │ Tailscale SSHD  │   │ 0.0.0.0:8644    │   │
│   │ graphlab.info   │   │ 100.67.155.37   │   │ (webhooks only) │   │
│   │ vault.          │   │ port 22         │   │                 │   │
│   └────────┬────────┘   └────────┬────────┘   └────────┬────────┘   │
│            │                     │                      │            │
└────────────┼─────────────────────┼──────────────────────┼────────────┘
             │                     │                      │
             │               ┌─────┴─────┐                │
             │               │  UFW      │                │
             │               │ ALLOW:    │                │
             │               │ 22, 80,   │                │
             │               │ 443, ts   │                │
             │               └───────────┘                │
             ▼                                            │
┌──────────────────────────┐                             │
│    VONDER PROXY (:10276) │                             │
│  Clean routes — no dead  │                             │
│  paths                   │                             │
└─────────┬────────────────┘                             │
          │                                              │
          ▼                                              ▼
┌───────────────────┐  ┌─ ─ ─ ─ ─ ─ ┐  ┌───────────────────┐
│ ALL BACKENDS      │  │  REMOVED     │  │ HERMES GATEWAY   │
│ (127.0.0.1 only)  │  │             │  │ (:8643 local)     │
├───────────────────┤  │ /banks      │  │ (:8644 public)    │
│ Aether (:10282)   │  │ /hindsight  │  │ (:3978 locked)    │
│ Quote (:10281)    │  │ /fleming    │  └───────────────────┘
│ TIB3 (:10289)     │  │ DuckDNS     │
│ TIB4 (:10291)     │  │ Cloudflared │
│ Vibe (:10290)     │  │ Old Mac     │
│ WeatherBet (:8777)│   ─ ─ ─ ─ ─ ─ ┘
│ Signs365 (:8765)  │
│ Options (:10294)  │
│ Sentinel (:8795)  │
│ HCI (:10272)      │
│ WebUI (:8787)     │
│ Dashboard (:9119) │
│ Kuma (:3001)      │
└───────────────────┘

📋 Appendix: System Info

Hostname | srv1632845
OS | Linux 6.8.0-117-generic x86_64, Ubuntu
Public IP | 177.7.52.251
Tailscale IP | 100.67.155.37
Disk | 96GB (66GB used, 68%)
Hermes Version | v0.15.1 (2026.5.29), 126 commits behind
Hermes Profiles | omega, trader, mirror (3)
Skills | 112 SKILL.md files in 35 categories
Gateways | 2 user services (omega + mirror)
Docker | 4 containers (SearXNG, Vaultwarden, Kuma, Discovery)
Firewall | UFW inactive; iptables with minimal rules
DNS | graphlab.info → 177.7.52.251 · vault.graphlab.info: no A record
Tailscale Nodes | VPS (Linux), iPhone, MacBook Air (offline), MacBook Pro (M5)

Report generated June 3, 2026 · Read-only audit · No changes made