# Hermes Full Status Report — Diagnostic Checklist

Run this when Rocky asks for a full status report on the Hermes installation. Produces the 10-point numbered report format.

## Command sequence

```bash
# 1. Version + update status
hermes version
hermes update --status 2>/dev/null | head -10

# 2. Model + provider + API keys
hermes status 2>/dev/null | grep -A 30 "API Keys"
hermes model 2>/dev/null | head -20

# 3. Messaging channels
hermes status 2>/dev/null | grep -A 15 "Messaging"
hermes pairing list 2>/dev/null

# 4. Skills + toolsets
ls ~/.hermes/skills/
grep -E "toolsets|disabled" ~/.hermes/config.yaml | head -10

# 5. MCP servers
cat ~/.hermes/config.yaml | grep -A 20 "^mcp"
# Test Airtable connection (read PAT from .env inline to avoid storing it):
python3 -c "
import urllib.request, json, re
env = open('/root/.hermes/.env').read()
pat = re.search(r'AIRTABLE_API_KEY=(\S+)', env)
if not pat: exit('no PAT found')
req = urllib.request.Request('https://api.airtable.com/v0/meta/bases',
    headers={'Authorization': 'Bearer ' + pat.group(1)})
r = urllib.request.urlopen(req, timeout=5)
d = json.loads(r.read())
[print(b['name'], b['id']) for b in d.get('bases',[])]
"

# 6. Cron + webhooks + hooks
hermes cron list 2>/dev/null
# This VPS uses system cron (not hermes cron) for health/digest jobs:
crontab -l 2>/dev/null | grep -vE "^#|^$"
for f in /etc/cron.d/*; do [ -f "$f" ] && [ "$(basename $f)" != ".placeholder" ] && echo "=== $f ===" && grep -vE "^#|^$" "$f"; done

# 7. Approvals mode
grep -E 'approval|cron_mode' ~/.hermes/config.yaml

# 8. Memory
wc -l ~/.hermes/memories/MEMORY.md ~/.hermes/memories/USER.md 2>/dev/null

# 9. Terminal backend
grep "backend" ~/.hermes/config.yaml
grep "sudo" ~/.hermes/config.yaml

# 10. Dashboard exposure check
ss -tlnp | grep 9119
curl -s -I http://100.116.48.82:9119 2>&1 | head -5
# Confirm: should show 302 redirect to /login (auth gate working)
# If HTTP 200 with HTML body: auth not set, dashboard is open
```

## Output format

```
1. Hermes install
- Version: vX.Y (YYYY.M.D) · upstream HASH
- Install method: pip/source/git
- Update status: N commits behind — 'hermes update' available

2. Model & API keys
- Default: MODEL/PROVIDER
- Fallback: list
- Keys set: list ✓
- Keys NOT set: list ✗

3. Messaging channels
- Telegram: configured ✓, connected ✓ (home chat ID: XXXXXXXX)
- WhatsApp: configured, disconnected ✗
- All others: not configured

4. Skills & toolsets
- N skills installed
- Toolsets: enabled list, disabled list

5. MCP servers
- server: enabled, command, connection test PASS/FAIL

6. Cron, webhooks, hooks
- Hermes cron: N active ✓ (expected: 0 — system cron handles VPS jobs)
- System cron jobs: list (hermes-health, vault-curator, etc.)
- Webhooks: none
- Hooks: none

7. Approvals mode
- cron_mode: deny/allow/off
- global: value

8. Memory
- Provider: flat file
- MEMORY.md: N lines, X% of budget
- USER.md: N lines, X% of budget

9. Terminal backend & host access
- Backend: local/docker/ssh
- Sudo: enabled/disabled

10. Security flags
- Dashboard bound to: IP:port (Tailscale-only ✓ or exposed ✗)
- Auth set: yes/no (verify: curl should 302 to /login)
- chmod 600 on sensitive files: done/needed
- Cron deny: yes/no
- Outdated install: yes (N commits behind) / no ✓
```

## Known VPS quirks (Rocky's installation)

- Hermes cron jobs are 0 — the VPS uses `/etc/cron.d/` system cron for health snapshots, vault curation, and digest scripts. Don't try to manage these via `hermes cron`.
- Dashboard runs as `hermes-dashboard.service` (systemd), NOT under the gateway.
- Gateway runs as `hermes-gateway.service` (systemd).
- Both are independent processes.
- SSH credentials are NOT stored in MEMORY.md — reference by name only.
- Airtable MCP is wired for OpsMan (OpenClaw), not Hermes directly. Hermes must proxy via OpsMan for Airtable writes.

## Security audit checklist

After every security-relevant config change, verify:
1. Dashboard auth: `curl -s -I http://100.116.48.82:9119` → must 302 to /login
2. `allowed_chats` in config.yaml → must be set to Rocky's Telegram chat ID
3. `approvals.mode` → must be `ask` or `smart`, not `off`
4. `cron_mode` → must be `deny`
5. `chmod 600` on: `~/.hermes/.env`, `~/.hermes/config.yaml`, `~/.hermes/google_token.json`
6. MEMORY.md: no raw SSH keys, passwords, or secrets — name-only references