11 KiB
REMAINING — Day 2+ work after Day 1+2 sweep (2026-07-02)
Day 1+2 completed: 9 of the 12 critical/high items. 3 items still need user action, plus all of Tier 2+3. This file is the "rememory" — every open item and its exact unblocker.
STILL OPEN — User action required
A. Rotate + purge the actual API keys (1.1 partial)
Status: Source code references removed; env var stubs added. Actual key values still need setting.
What to do:
-
Rotate each key at the provider (provider web console, not via SSH):
- Solana Tracker (
st_ZMzXzdUI54TXQPx5E6JkG): log in to solanatracker.io, regenerate API key - Arkham WS (
ws_Z5x09Rcr_1780418740765322917): log in to arkhamintelligence.com, regenerate WS key - Helius webhook (
helius-rmi-wh-2024/rmi_helius_wh_secret_2024): dashboard.helius.dev → Webhooks → rotate - Stripe (
pk_test_51Tn13MA...): dashboard.stripe.com → Developers → API keys → roll
- Solana Tracker (
-
Set new values in gopass on Cinnabox:
gopass insert rmi/prod/solana_tracker gopass insert rmi/prod/arkham_ws gopass insert rmi/prod/helius_webhook_auth gopass insert rmi/prod/helius_webhook_secret gopass insert rmi/prod/stripe_publishable gopass insert rmi/prod/stripe_secret -
Replace placeholders in /srv/rmi-infra/.env.secrets on Talos:
SOLANA_TRACKER_API_KEY=<set-in-gopass-rmi/prod/solana_tracker>→ actual value- Same for the 5 other lines
gopass show -o rmi/prod/solana_tracker | ssh netcup "cat >> /srv/rmi-infra/.env.secrets"
-
Purge keys from git history (DESTRUCTIVE — coordinate first):
# On Cinnabox, install: pip install git-filter-repo # On Talos, in /srv/work/repos/rmi-backend: git filter-repo --invert-paths --path app/caching_shield/solana_tracker.py \ --path app/databus/arkham_ws.py \ --path app/routers/webhooks_router.py \ --path app/routers/stripe_integration.py \ --force # Then force-push: git push origin --force --all # And re-clone /srv/work/repos/rmi-backend, /srv/git/rmi-backend.gitThis rewrites ALL commits. Other clones must re-clone. External remotes will be force-updated.
-
Restart the backend so it picks up the new env values:
ssh netcup "cd /srv/rugmuncher-backend && docker compose up -d rmi-backend"
B. Set the Forgejo PAT for Renovate (2.5 partial)
Status: Platform mismatch fixed (forgejo → gitea). Token still placeholder.
What to do:
- Log in to
https://git.rugmunch.ioascryptorugmunch - Go to Settings → Applications → Generate Token
- Scopes:
repository,write:repository,admin:organization,admin:org_hook - Edit
/etc/renovate/envon Talos — replacePASTE_TOKEN_HEREwith the token - Test:
/usr/local/bin/renovate-run.shand check/var/log/renovate/renovate-runtime-*.log
C. Add git credentials for external remotes (1.2 partial)
Status: External remote URLs added to rmi-backend. Credentials not set.
What to do:
- Generate PATs at each platform (GitHub, GitLab, HuggingFace) with
reposcope - On Talos, create
/root/.git-credentials(chmod 600):https://cryptorugmunch:<GH_TOKEN>@github.com https://cryptorugmunch:<GL_TOKEN>@gitlab.com https://cryptorugmunch:<HF_TOKEN>@huggingface.co git config --global credential.helper store- Test:
cd /srv/work/repos/rmi-backend && /root/scripts/external-push.sh
STILL OPEN — More bind hardening (1.3 batch 2)
The 3 services rebound today (neo4j, forgejo, flaresolverr). 9 more services on 0.0.0.0 remain:
| Container | Port | Compose file | Action |
|---|---|---|---|
opencti-opencti-1 |
8095 | /srv/opencti/docker-compose.yml |
Change ${OPENCTI_PORT}:8080 to 127.0.0.1:${OPENCTI_PORT}:8080 |
opencti-xtm-one-1 |
4001 | /srv/opencti/docker-compose.yml |
Same pattern |
opencti-minio-1 |
9010 | /srv/opencti/docker-compose.yml |
Change 9010:9000 to 127.0.0.1:9010:9000 |
open-webui |
3000 | (find compose) | Bind to 127.0.0.1 |
rmi-anvil |
8549 | (find compose) | Devnet only — can be 127.0.0.1 |
rmi-backend |
8000 | /srv/rugmuncher-backend/docker-compose.yml |
Bind to 127.0.0.1 (Talos 8004 alias already exists) |
rmi-otterscan |
5100 | /srv/otterscan/docker-compose.yml |
Bind to 127.0.0.1 |
rmi-ipfs* |
58081-58086 | (find compose) | Bind to 127.0.0.1 (only used internally) |
Hydra: 8443 |
8443 | (unknown) | Identify service, then bind to 127.0.0.1 |
Hydra: 25, 143, 587 |
(postfix) | Bind to 127.0.0.1 if no external mail |
Verify cloudflared still has ingress rules for any of these that need to be public.
STILL OPEN — Tier 2 (this week)
- 2.1 Replace
time.sleep()withasyncio.sleep()in 17 sites in rmi-backend (app/free_solcan_client.pylines 64, 73, 252, 266, 280;app/oracle_manipulation_detector.py:1287;app/analyzer/multi_chain.py:57;app/degen_security_scanner.py6 calls;app/routers/x402_enrichment.py:823;app/ai_pipeline_v3.py:107;app/rmi_dashboard.py2 calls) - 2.2 Convert 1698 f-string logs to structured in rmi-backend, 111 in walletpress. Suggested: regex script first, manual review top 50 events.
- 2.3 Pin all deps with
==in rmi-backend (34), pryscraper (16), walletpress.pip freeze > requirements-lock.txt. - 2.4 Remove
|| trueandcontinue-on-error: truefrom rmi-backend CI. Pay down lint debt in batches. - 2.8 Create real ADR documents (ADR-0001 through ADR-0012) in
/srv/work/repos/standards/ADR-*.md. Format: status, context, decision, consequences, alternatives. - 2.9 Sweep docs for IP/port/service-location contradictions. Single edit pass +
fleet sync-docs. - 2.10 Add missing pre-commit hooks to rmi-backend (bandit, hallucination-check), rmi-frontend (full set), pryscraper (bandit, detect-private-keys, no-commit-to-branch).
- 2.11 Remove hardcoded API keys from
hermes/config.yaml(Groq x2, KiloCode, MiniMax, NVIDIA). Useapi_key_env:pattern. - 2.12 Cinnabox memory pressure (6.2/7.6GB, 3.1GB swap). Reduce concurrent opencode sessions.
STILL OPEN — Tier 3 (this sprint)
- 3.1 Clean Hermes backup clutter: 11
config.yaml.bak.*, 1cron/jobs.json.bak*, 1disk-cleanup/tracked.json.bak— keep only most recent of each. - 3.2 Consolidate triple-defined Ollama providers in
hermes/config.yaml(netcup-ollama, fallback_providers[0], custom_providers[slug: netcup-ollama] all duplicate). - 3.3 Consolidate
ollama-cloud-primary+ollama-cloud-backup(220 lines duplicate, conflictingmax_tokens). - 3.4 Remove dead containers: Talos (
rmi-caddy,rmi-dozzle,dreamy_noether,rmi-community); Hydra (9 dead). - 3.5 Hydradisk cleanup:
docker image prune -a(21.87GB reclaimable), prune volumes. - 3.6 Add CI to rmi-frontend (Biome + TypeScript + Vitest + npm audit).
- 3.7 Implement payment-failed handler
app/routers/subscription_pricing_api.py:682-683(currentlypass). - 3.8 Verify on-chain subscription tx
app/routers/subscription_pricing_api.py:545before activating. - 3.9 Add JWT/API-key guards to MCP
analytics_query(mcp/server.py:563) andsupabase_oauth_router.py:386. - 3.10 Add coverage threshold to CI (current 6.7%, target 80% on new code).
- 3.11 Update commitlint to reject
merge:lowercase +a11y:pseudo-type. - 3.13 Configure GPG commit signing per TOOLCHAIN.md.
- 3.14 Update MACHINE.md / BUILDER.md runtime claims: Docker inactive, Hermes state, Mint 22.3, kernel 6.17, memory pressure 6.2/7.6GB.
- 3.15 Add sourcify MCP +
fleet-opsagent to AGENTS.md (currently listed in FLEET.md but not in opencode.jsonc). - 3.16 Fix
rmi-communitysyntax error or remove container. - 3.17 Add
www.degenfeed.xyzto DegenFeedALLOWED_HOSTS(logs show "Blocked hosts: www.degenfeed.xyz").
STILL OPEN — Tier 4 (when convenient)
- Standardize git author emails to
admin@rugmunch.ioacross machines. Done: all 3 machines, all 16 repos. - Symlink
bin/ai→bin/aider(one canonical wrapper). - Remove
main.py.bak(382KB) from rmi-backend git history. - Remove unused
requestsfromrmi-backend/requirements.txt. - Install
commitlint+mkcertor remove from docs. - Replace
console.log(24 in rmi-frontend) with structured logger. - Split
pryscraper/api.py(4668 lines),MCPDocsPage.tsx(2489),BotOperatorDashboard.tsx(1144). - Archive/remove
.openclaw/legacy dir (200+ stale files). - Clean up Hydra port
8443(unidentified service). - Remove
requestsfrom rmi-backend requirements (unused in prod code).
Verified today (Day 1+2)
| ID | Item | Evidence |
|---|---|---|
| 1.4 | GAPS.md false blocker | Removed; GAPS.md now shows "no blockers" with full Day 1+2 work-in-progress items |
| 1.5 | .env SUDO_PASSWORD | grep -c SUDO_PASSWORD /home/dev/.hermes/.env → 0 |
| 1.6 | CH_PASSWORD default + 116 REDIS_PASSWORD fallbacks | sed replaced; grep confirms 0 remaining |
| 1.3 batch 1 | neo4j rebound | 127.0.0.1:7474, 127.0.0.1:7687; HTTP 200 from localhost AND from rmi-backend container |
| 1.3 batch 1 | forgejo rebound | 127.0.0.1:3002; HTTP 200; git.rugmunch.io still works via cloudflared |
| 1.3 batch 1 | flaresolverr rebound | 127.0.0.1:8191; HTTP 200 |
| 2.6 | rmi-lighthouse | RestartCount=0, Up About a minute (was 1422 restarts). New JWT in /srv/reth/jwtsecret/jwt.hex. Lighthouse is in degraded mode (no Reth at 8551) but no more crash loop. |
| 2.7 | Ponder indexers | 4 of 4 running: rmi-ponder (ETH), rmi-ponder-bsc, rmi-ponder-polygon, rmi-ponder-arbitrum. Each on 127.0.0.1, indexed events flowing. Compose files at /srv/ponder-{bsc,polygon,arbitrum}/docker-compose.yml. (The npm-rollup issue was worked around by removing the bind-mount of node_modules so the Dockerfile's COPY wins.) |
| 2.5 | Renovate platform | RENOVATE_PLATFORM=forgejo → gitea in /usr/local/bin/renovate-run.sh. Token still placeholder — user action needed. |
| 1.1 partial | Secret env migration | app/caching_shield/solana_tracker.py, app/databus/arkham_ws.py, app/routers/webhooks_router.py, app/routers/stripe_integration.py all read from env vars now. Placeholder env lines added to /srv/rmi-infra/.env.secrets. Actual key rotation at provider = user action. |
| 1.2 | git backup | /root/scripts/git-backup.sh on Hydra, 0 4 * * * cron. Tested: 4 mirrors fresh (gopass fresh-cloned, pry/rmi-backend/walletpress re-pointed + fetched). External remotes added to rmi-backend (4 URLs). External-push script + 0 6 * * 0 cron. Credentials = user action. |
| (bonus) | Hydra SSH config | 100.100.18.18 → 100.104.130.92 and 100.87.38.106 → 100.64.135.3 in /root/.ssh/config. |
What was deployed, NOT tested end-to-end
- Ponder indexers (BSC, Polygon, Arbitrum): they are running and indexing events, but no DB query was done to verify the data is landing in
ponder_*tables. Check withpsql -d ponder_bsc -c 'SELECT count(*) FROM "Transfer"'after 1h. - Lighthouse is running consensus-only (no execution layer). To restore full functionality, deploy Reth at
127.0.0.1:8551. Until then, Lighthouse syncs but doesn't validate. - External push: cron is scheduled but will fail until credentials are in
/root/.git-credentialson Talos.
Last updated: 2026-07-02 23:55 UTC — Day 1+2 closeout