7.5 KiB
GAPS — What Remains + Next Steps
Living document of current priorities. Updated daily. Every builder tool reads this.
Works — Running in Production
| Capability | Where | Notes |
|---|---|---|
| RMI backend (FastAPI) | Talos | /root/backend/, rmi-staging-backend docker |
| RMI frontend (React 19) | Talos | /root/frontend/ |
| Postgres + Redis + Qdrant + Neo4j + ClickHouse | Talos | /srv/rmi-infra/ |
| Ponder EVM indexers | Talos | ETH, BSC, Arbitrum, Polygon — syncing |
Telegram bot @rugmunchbot |
Talos | scanner, portfolio, simulate, chart, watch |
| Git bare repos | Talos /srv/git/ |
daily backup to Hydra |
| FlareSolverr + n8n + Ollama | Hydra | ports 8191, 5678, 11434 |
| Builder toolchain | Cinnabox | opencode, aider, hermes |
| Fleet awareness docs + CLI | Cinnabox | FLEET.md, fleet CLI |
| Dual OpenCode Go accounts | All 3 | primary + backup with separate keys |
| Unified builder context | All 3 | opencode/aider read canonical docs |
| Hardcoded API key cleanup | All 3 | keys moved to wrappers/env; remaining 4 external keys (Solana Tracker, Arkham WS, Helius webhook, Stripe) scheduled for rotation |
| New-product bootstrap template | Cinnabox | ~/templates/product-bootstrap/ |
| Model router doc | All 3 | model-router.md with task → model mapping |
RMI backend /health |
Talos | http://127.0.0.1:8000/health now degraded — Redis, Postgres, Neo4j, Qdrant, ClickHouse, Minio healthy; ETH RPC still needs an endpoint |
| Git backup pipeline | Talos + Hydra | fleet-backup via HF CLI; Hydra git-backup.sh mirrors all 18 Forgejo repos nightly |
| External mirror parity | Talos | GitLab + Codeberg pushes verified; GitHub deferred (org flag) |
| HF backup consolidation | Talos | single bucket cryptorugmunch/fleet-state; unused buckets deleted |
In Progress
| Item | Owner |
|---|---|
| Hydra exposed services remediation | security |
| Observability baseline | ops |
| AI-forward coding standards review — 10 prioritized wins | fleet-ops |
Blockers
(none — resolved 2026-07-02)
Gaps — To Do Next
High Priority
-
Talos service bind hardening + old Tailscale IP drift
- Qdrant fixed: binds current Tailscale IP
100.104.130.92:6333+127.0.0.1:6333; container healthy. rmi-backendhealthdegradedwith Redis, Postgres, Neo4j, Qdrant, ClickHouse, Minio healthy; ETH RPC still needs an endpoint.- Bind-hardened batch 1 complete: pgbouncer stopped, presidio bound to 127.0.0.1, cockpit.socket disabled, ad-hoc caddy on :8443 stopped, rmi-lighthouse removed, prometheus exporters bound to Tailscale IP, gitea removed from infra compose.
- Still need (lower priority): opencti:8095, xtm-one:4001, open-webui:3000, anvil:8549, otterscan:5100, IPFS 58081-58086 review; neo4j/flaresolverr/forgejo/pry already bound to 127.0.0.1.
- Hydra: bind 8443, 25, 143, 587, 8002, 8888, 9091, 9100.
- Owner: security. Day 1 batch 1 done.
- Qdrant fixed: binds current Tailscale IP
-
Hardcoded secrets in
rmi-backend(40 gitleaks hits)- The five Telegram bot tokens flagged in
data/cryptoscamdb_urls.yamlare scammer tokens embedded in scam-site descriptions (indicators of compromise), not our secrets. Added.gitleaksignoreto suppress these false positives. - Real keys still present in git history and need provider-side rotation: Solana Tracker
mst_..., Arkham WSws_..., Stripepk_test_..., Helius webhook secrets. They were removed from the working tree in commitf932ac4but remain in history. - Stripe + Helius rotations can be automated via their APIs using current
STRIPE_SECRET_KEY/HELIUS_API_KEY. - Solana Tracker + Arkham require dashboard login. Solana Tracker docs (
https://docs.solanatracker.io) have no documented API or self-service key-rotation flow; rotation must be done via the account dashboard athttps://www.solanatracker.io/accountor by contacting support. - Owner: security. Day 1 in progress.
- The five Telegram bot tokens flagged in
-
Observability baseline
- Every product should expose
/health,/metrics, structured logs. - Add Prometheus/Loki scrape targets on Hydra.
- Every product should expose
-
Make CI gates authoritative
- rmi-backend
.github/workflows/ci.ymlusescontinue-on-error: trueand|| trueon every step. - Start failing CI on ruff/format/gitleaks; add mypy/tests once green.
- rmi-backend
-
Backend standards autofix campaign
- 17
time.sleep(), 1,713 f-string logs, 399print(), 1 bareexcept, 5sqlite3, 113Any, 8.61% coverage. - See
standards/AI-FORWARD-STANDARDS-REVIEW-2026-07-03.mdfor full plan.
- 17
-
Frontend type discipline + CI pipeline
- rmi-frontend has no GitHub CI, 850
any/@ts-ignore, 101 KBMCPDocsPage.tsx.
- rmi-frontend has no GitHub CI, 850
-
MCP schema/registry hardening
- No unified tool registry across RMI/Pry/WalletPress; Pry MCP is a JS worker without Pydantic schemas.
-
Resurrect dead containers and crash loops
rmi-community(syntax error),rmi-dozzle,dreamy_noether,rmi-qdrant; Ponder indexers restart every few seconds.
-
Repo tooling parity
- rmi-frontend, standards, degenfeed-web, fleet-infra lack Makefile/pre-commit/CI parity with walletpress.
-
AI-forward architecture follow-through
- Tool-pull contracts, version-stamped cache keys, deterministic tool schemas per ADR-0005/0007.
Medium Priority
-
Renovate broken — token placeholder,
forgejoplatform unrecognized. -
Documentation contradictions — old IPs (100.100.18.18, 100.87.38.106), wrong service locations, missing ADRs, stale file-size claims (Pry
api.pyis 933 lines, not 4,668). -
Hermes config bloat — 11 stale backup files, triple-defined Ollama providers, hardcoded API keys, ollama-remote.env with old IP.
-
Cinnabox memory pressure — 6.2/7.6 GB used, 3.1 GB swapped. Docs claim 1.9 GB idle.
-
DegenFeed
www.degenfeed.xyzblocked host — add to ALLOWED_HOSTS. -
requestslibrary in rmi-backend/requirements.txt — only one prod import remains (x402_docs_v2.py); migrate tohttpxand remove. -
main.py.bak382KB in rmi-backend git history. -
.openclaw/legacy dir — 200+ stale files referencing old IPs. -
Cinnabox Docker daemon inactive — docs claim running.
-
Hermes daemon state — docs claim 300MB running, reality unclear.
-
MINIO_URL / RETH_URL / Temporal / Kestra — referenced in CONVENTIONS.md env list but not in fleet.
Low Priority
-
MCP docs — sourcify not in AGENTS.md list. fleet-ops agent referenced in FLEET.md but not in opencode.jsonc.
-
Conventional commits polish — lowercase
merge:anda11ypseudo-type commits. -
Web3 commit signing — documented but not configured.
-
Tool inventory drift — commitlint, mkcert documented but not installed; agent/providers.py reference wrong.
-
Fleet MCP server for opencode.
-
Daily standup automation via Hermes/Telegram.
-
Weekly CVE scan cron — vuln-monitor.sh referenced but no cron entry.
Today's Recommended Next Step
- Rotate leaked secrets (Win #3): Solana Tracker, Arkham WS, Helius webhook, Stripe, and 5 Telegram bot tokens in git history.
- Review remaining lower-priority public binds (opencti, xtm-one, open-webui, anvil, otterscan, IPFS).
- Provide a real ETH RPC endpoint or remove
eth_rpcfrom the critical health path.
How to Update
When closing a gap: move it to Works, run fleet sync-docs, commit.
When adding a gap: add to Gaps with priority and owner, run fleet sync-docs.
Last updated: 2026-07-03
See Also
PRODUCTS.md— product catalogFLEET.md— machine mapBUILDER.md— daily workflow