# VPS state — 2026-05-01

## 🆕 2026-05-01 17:00 UTC — Hermes update complete

Hermes upgraded v0.11.0 → v0.12.0 ("The Curator release"). Fallback chain intact, all 9 LFCS skills preserved, autonomous Curator **disabled** to prevent skill mutation. Rollback artefacts at `/root/.config-backups/hermes-source-pre-update.20260501-045126.tar.gz` + `hermes-home-pre-update.20260501-045126.tar.gz` + commit `8c892c145`.


Single VPS at 134.199.153.159 (DigitalOcean syd1, 4 vCPU, 8 GB RAM, Ubuntu 24.04).

## Active agents

| Agent | Path | Service | MainPID | Notes |
|---|---|---|---|---|
| Hermes | `/root/.hermes/` | `hermes-gateway.service` | dynamic | Rocky's LFCS ops brain, Telegram + WhatsApp bridge. v0.12.0 / 2026.4.30 (updated 2026-05-01) |
| OpenClaw OpsMan | `/root/.clawdbot-opsman/` | `clawdbot-opsman.service` | 2126568 | LFCS chat agent. Binary names itself `openclaw-gateway` in `ps` |
| Rivet Voice | `/home/ccuser/rateright-growth/voice-assistant/` | `rivet-voice.service` | 3206395 | Phone AI |

## Retired
- `/root/.openclaw/` → `/root/.openclaw.retired.20260501/` (moved on 2026-05-01). Final delete after 2026-05-08 if no breakage.

## Hermes resilience (2026-05-01 hardening pass)

| Layer | Mechanism | File |
|---|---|---|
| Auto-restart | systemd `Restart=always`, `RestartSec=30` | `/etc/systemd/system/hermes-gateway.service.d/override.conf` |
| Crash-loop bound | `StartLimitIntervalSec=600`, `StartLimitBurst=5` | (same drop-in) |
| Down alert | Telegram via `@opsman_watchdogbot`, every 15 min | `/etc/cron.d/hermes-watchdog`, `/usr/local/bin/hermes-watchdog.sh` |
| Health snapshot | Daily 21:00 UTC → `/home/ccuser/opsman-work/health-log/YYYY-MM-DD.md` | `/etc/cron.d/hermes-health`, `/usr/local/bin/hermes-health-snapshot.sh` |
| Config backup | Daily 03:00 UTC, 7-day retention → `/root/.config-backups/` | `/etc/cron.d/hermes-config-backup`, `/usr/local/bin/hermes-config-backup.sh` |
| Fallback chain | **DEFERRED** — needs OpenRouter or DeepSeek key in `/root/.hermes/.env` | (not yet applied) |

Target chain when key is added: `MiniMax-M2.7 → DeepSeek-V4-Flash → gpt-4o-mini`.

## OpsMan
- Reasoning leak fix verified — `channels.telegram.streaming.mode = off`. Telegram bot has no token bound and empty allowlist (currently dormant chat surface).
- Fallback chain configured: `MiniMax-M2.5 → deepseek-v4-pro`.
- No watchdog or health snapshot wired (Hermes resilience pass focused on Hermes only).

## API keys present (names only)

**Hermes** (`/root/.hermes/.env`): `MINIMAX_API_KEY`, `OPENAI_API_KEY`, `DEEPGRAM_API_KEY`, `TELEGRAM_BOT_TOKEN`, `HERMES_INFERENCE_PROVIDER`, `TELEGRAM_ALLOWED_USERS`, `GOOGLE_WORKSPACE_CLI_*`, `WHATSAPP_*`. **Missing**: `ANTHROPIC`, `OPENROUTER`, `DEEPSEEK`, `MOONSHOT/KIMI`.

**OpsMan** (`/root/.clawdbot-opsman/.env` and merged config): `MINIMAX`, `OPENAI`, `OPENROUTER`. **Missing**: `ANTHROPIC`, `DEEPSEEK`, `KIMI`, `MOONSHOT`.

## System cron jobs (root)

| Schedule | Cmd | Purpose |
|---|---|---|
| `0,15,30,45 * * * *` | `growth-engine-monitor.js` | RateRight growth engine |
| `*/5 * * * *` | `opsman-control-centre/scripts-live-sync.mjs` | OpsMan control centre sync |
| `0 2 * * *` | `check-telemetry-health.sh` | Telemetry probe |
| `*/30 * * * *` | `auto-sync.sh` | RateRight repo auto-sync |

## /etc/cron.d/

| File | Schedule | Purpose |
|---|---|---|
| `certbot` | `0 */12 * * *` | Cert renewal |
| `e2scrub_all` | weekly | Filesystem scrub |
| `hermes-watchdog` | `*/15 * * * *` | Telegram alert if hermes down |
| `hermes-health` | `0 21 * * *` | Daily health snapshot |
| `hermes-config-backup` | `0 3 * * *` | Daily config backup |
| `fleet-snapshot.disabled` | (disabled) | Old fleet — no perms |

## Telegram bots (last 6 of bot ID, NOT token)

| Bot | ID last6 | Used by |
|---|---|---|
| @opsman_watchdogbot | 636951 | Hermes (.env: TELEGRAM_BOT_TOKEN) |

## Backups

`/root/.config-backups/`:
- One-time Phase 1 archive: TS `20260501-035207`, includes orphan tarball at 1.44 GB
- Daily auto: at 03:00 UTC, 7-day retention (cron `hermes-config-backup`)
- sha256 manifest per snapshot

## Rollback recipes

| Change | How to revert |
|---|---|
| Hermes systemd drop-in | `rm /etc/systemd/system/hermes-gateway.service.d/override.conf && systemctl daemon-reload && systemctl restart hermes-gateway` |
| Watchdog cron | `rm /etc/cron.d/hermes-watchdog /usr/local/bin/hermes-watchdog.sh /var/log/hermes-watchdog.log` |
| Health snapshot cron | `rm /etc/cron.d/hermes-health /usr/local/bin/hermes-health-snapshot.sh` (snapshots in `health-log/` retained as history) |
| Config backup cron | `rm /etc/cron.d/hermes-config-backup /usr/local/bin/hermes-config-backup.sh` |
| `/root/.openclaw/` retirement (within 7d) | `mv /root/.openclaw.retired.20260501 /root/.openclaw` |
| `/root/.openclaw/` retirement (after 7d) | `tar -xzf /root/.config-backups/openclaw-ghost.20260501-035207.tar.gz -C /root` |
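
The last recipe extracts an archive into `/root` as root, so the archive should be checked against its sha256 manifest first. The functions below are an added example, not one of the scripts installed on this VPS. They assume the manifest is in `sha256sum` output format, which this page does not state, and `verify_snapshot` / `restore_snapshot` are hypothetical names.

```shell
#!/bin/sh
# Added example: verify a backup archive against its sha256 manifest and
# reject unsafe member paths before it is extracted as root.
# Assumption: manifest lines look like "<hex>  <filename>" (sha256sum format)
# and filenames contain no whitespace.

# verify_snapshot ARCHIVE MANIFEST -> 0 if safe to extract, non-zero otherwise
verify_snapshot() {
    local archive="$1" manifest="$2" name want got
    [ -f "$archive" ] && [ -f "$manifest" ] || return 2
    name=$(basename -- "$archive")

    # Expected digest: the manifest line whose filename field matches exactly
    # (sha256sum writes "*name" for binary mode, so accept that form too).
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$manifest")
    [ -n "$want" ] || return 3            # archive is not listed in the manifest

    got=$(sha256sum -- "$archive" | awk '{ print $1 }')
    [ "$got" = "$want" ] || return 4      # digest mismatch: do not extract

    # Refuse absolute paths and ".." components, since extraction uses -C /root.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 5
    fi
    return 0
}

# restore_snapshot ARCHIVE MANIFEST DEST: extract only after verification
restore_snapshot() {
    verify_snapshot "$1" "$2" || {
        echo "refusing to extract $1 (verify code $?)" >&2
        return 1
    }
    tar -xzf "$1" -C "$3"
}
```

Return codes 2 to 5 distinguish a missing file, an unlisted archive, a digest mismatch and an unsafe member path, so a failed restore can be logged with its cause.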

## Known follow-ups (not in this pass)

1. Add OpenRouter or DeepSeek key to Hermes `.env` to unblock fallback chain.
2. Hermes update from v0.11.0 (186 commits behind) — own session.
3. PM2 hygiene: `hostel-campaign` 4 465 restarts (currently stopped). Multiple stopped `hunt-*` processes.
4. Mark `rivet/SYSTEM.md` historical — describes pre-2026-04-29 hibernation fleet.
5. Produce OpsMan equivalent of `hermes-investigation-report.md`.
6. Promote OpsMan `AGENTS.md` rules to formal `SKILL.md` files (job-scaffold, variation-register, docket-check, etc).
7. SOUL.md cleanup on Hermes — drop the unimplemented "OpsMan watchdog" role (proposed diff in `/root/skill-audit-2026-05-01.md`).
8. Hermes skill prune — see `/root/skill-audit-2026-05-01.md` for candidates.
