daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
567 Commits 8 Branches 0 Tags
8879da1e7fbdbddfcea47bb7d6c9bb6cba43875c
Commit Graph

567 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Apple
ef3473db21 snapshot: NODE1 production state 2026-02-09 
Complete snapshot of /opt/microdao-daarion/ from NODE1 (144.76.224.179).
This represents the actual running production code that has diverged
significantly from the previous main branch.

Key changes from old main:
- Gateway (http_api.py): expanded from ~40KB to 164KB with full agent support
- Router: new /v1/agents/{id}/infer endpoint with vision + DeepSeek routing
- Behavior Policy: SOWA v2.2 (3-level: FULL/ACK/SILENT)
- Agent Registry: config/agent_registry.yml as single source of truth
- 13 agents configured (was 3)
- Memory service integration
- CrewAI teams and roles

Excluded from snapshot: venv/, .env, data/, backups, .tgz archives

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-09 08:46:46 -08:00
Apple
134c044c21 feat: Behavior Policy v1 - Silent-by-default + Short-first + Media-no-comment 
NODA1 agents now:
- Don't respond to broadcasts/posters/announcements without direct mention
- Don't respond to media (photo/link) without explicit question
- Keep responses short (1-2 sentences by default)
- No emoji, no "ready to help", no self-promotion

Added:
- behavior_policy.py: detect_directed_to_agent(), detect_broadcast_intent(), should_respond()
- behavior_policy_v1.txt: unified policy block for all prompts
- Pre-LLM check in http_api.py: skip Router call if should_respond=False
- NO_OUTPUT handling: don't send to Telegram if LLM returns empty
- Updated all 9 agent prompts with Behavior Policy v1
- Unit and E2E tests for 5 acceptance cases
 2026-02-04 09:03:14 -08:00
Apple
c8698f6a1d feat: add training group support in Gateway 
- Added TRAINING_GROUP_IDS constant for Agent Preschool group
- Gateway now adds "[РЕЖИМ НАВЧАННЯ]" prefix for training groups
- Agents will respond to all messages in training groups

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-03 08:03:07 -08:00
Apple
8907fb110c feat: add training mode for Agent Preschool group 
All agents now respond to all messages in the training group
"Agent Preschool Daarion.city" without requiring mentions.

Updated prompts: helion, daarwizz, greenfood, nutra, agromatrix, druid

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-03 07:56:20 -08:00
Apple
0d30ea0009 fix: add group silence rules for Helion 
Helion now only responds in groups when:
- Mentioned by name/username
- Direct question about Energy Union
- Previously was responding to all messages in groups

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-03 07:51:14 -08:00
Apple
a0a89b577d fix: add missing Telegram tokens for DAARWIZZ, DRUID, GREENFOOD 
Synced from NODA1 after 2026-02-03 incident fix.
All 9 agents now have tokens configured.

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-03 07:26:56 -08:00
Apple
6b54e0da6d fix(router): Replace requests with urllib in healthcheck 
- Use stdlib urllib.request instead of requests library
- requests was not installed in the router image, causing healthcheck
  to always fail with "ModuleNotFoundError: No module named 'requests'"
- Increase start_period to 30s and retries to 5 for stability

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-03 05:56:02 -08:00
Apple
a46a70c014 fix(ops): Add network aliases and stabilize DNS for NODA1 
- docker-compose.node1.yml: Add network aliases (router, gateway,
  memory-service, qdrant, nats, neo4j) to eliminate manual
  `docker network connect --alias` commands
- docker-compose.node1.yml: ROUTER_URL now uses env variable with
  fallback: ${ROUTER_URL:-http://router:8000}
- docker-compose.node1.yml: Increase router healthcheck start_period
  to 30s and retries to 5
- .gitignore: Add noda1-credentials.local.mdc (local-only SSH creds)
- scripts/node1/verify_agents.sh: Improved output with agent list
- docs: Add NODA1-AGENT-VERIFICATION.md, NODA1-AGENT-ARCHITECTURE.md,
  NODA1-VERIFICATION-REPORT-2026-02-03.md
- config/README.md: How to add new agents
- .cursor/rules/, .cursor/skills/: NODA1 operations skill for Cursor

Root cause fixed: Gateway could not resolve 'router' DNS name when
Router container was named 'dagi-staging-router' without alias.

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-03 05:55:56 -08:00
Apple
8f046e7226 docs: Update PROJECT-MASTER-INDEX with Agent Registry changes 
- Added Agent Registry section (Single Source of Truth)
- Updated agent list (11 top-level + 2 internal)
- Added CLI tools documentation
- Fixed agent roles (DRUID = Ayurveda/Cosmetics R&D)
- Added YAROMIR and SOUL agents
- Updated architecture diagram reference
- Marked old issues as resolved

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-01-29 09:47:21 -08:00
Apple
b9b7660930 feat(P1): Add /metrics endpoint to gateway 2026-01-28 07:14:37 -08:00
Apple
3ecb43dafc feat(P0): Add JetStream streams, DLQ, timeout policy 2026-01-28 07:11:09 -08:00
Apple
a3923cd96f feat(P0/P1/P2): Add E2E agent prober, version pinning, prometheus fixes 2026-01-28 07:06:07 -08:00
Apple
9dcc3563f6 docs: Update TODO with implementation results - container limits, NATS update, Qdrant fix 2026-01-28 06:51:32 -08:00
Apple
656115ef87 docs: Update TODO with security audit results 2026-01-28 06:44:48 -08:00
Apple
bc4ad30878 docs: Add critical TODO summary for NODA1 2026-01-28 06:41:19 -08:00
Apple
0c8bef82f4 feat: Add Alateya, Clan, Eonarch agents + fix gateway-router connection 
## Agents Added
- Alateya: R&D, biotech, innovations
- Clan (Spirit): Community spirit agent
- Eonarch: Consciousness evolution agent

## Changes
- docker-compose.node1.yml: Added tokens for all 3 new agents
- gateway-bot/http_api.py: Added configs and webhook endpoints
- gateway-bot/clan_prompt.txt: New prompt file
- gateway-bot/eonarch_prompt.txt: New prompt file

## Fixes
- Fixed ROUTER_URL from :9102 to :8000 (internal container port)
- All 9 Telegram agents now working

## Documentation
- Created PROJECT-MASTER-INDEX.md - single entry point
- Added various status documents and scripts

Tokens configured:
- Helion, NUTRA, Agromatrix (existing)
- Alateya, Clan, Eonarch (new)
- Druid, GreenFood, DAARWIZZ (configured)
 2026-01-28 06:40:34 -08:00
Apple
4aeb69e7ae docs: Add NODA1 v2.0 deployment report 
Comprehensive report after health check and fixes on NODA1:
- Qdrant healthcheck fixed (wget → true)
- render-pdf-worker disabled (NATS connection issues)
- Git repository initialized on NODA1
- All critical services healthy (13/26 with healthcheck)
- System resources: Load 0.57, RAM 16%, Disk 25%
- Security check passed (no suspicious activity)

Status: Production Ready 

Co-Authored-By: Warp Agent <agent@warp.dev>
 2026-01-22 10:57:39 -08:00
Apple
5290287058 feat: implement TTS, Document processing, and Memory Service /facts API 
- TTS: xtts-v2 integration with voice cloning support
- Document: docling integration for PDF/DOCX/PPTX processing
- Memory Service: added /facts/upsert, /facts/{key}, /facts endpoints
- Added required dependencies (TTS, docling)
 2026-01-17 08:16:37 -08:00
Apple
a9fcadc6e2 📊 Deployment Status Summary: відповіді на всі питання 
- Коли підключати агентів: після налаштування інфраструктури
- DAGI Router: готово до deployment на NODE1/NODE3
- Swapper Service: готово до deployment на NODE1/NODE3
- Логування: все записується (GitHub, Gitea, GitLab)
- NODE1 перевірка: чистий, інцидентів не виявлено

Рекомендований порядок дій включено.
 2026-01-11 06:08:42 -08:00
Apple
0761aa2771 🔧 Deployment configs: DAGI Router + Swapper Service для NODE1/NODE3 
- K8s deployment для DAGI Router (NODE1)
- K8s deployment для Swapper Service (NODE1)
- ConfigMaps для конфігурацій
- Services (ClusterIP + NodePort)
- Інтеграція з NATS JetStream
- Оновлено DEPLOYMENT-PLAN.md з конкретними інструкціями

TODO: Створити аналоги для NODE3
 2026-01-11 06:06:18 -08:00
Apple
13ae216be7 📋 Deployment Plan: DAGI Router, Swapper Service, Агенти 
- Відповіді на питання про підключення агентів
- План встановлення DAGI Router на NODE1/NODE3
- План встановлення Swapper Service на NODE1/NODE3
- Перевірка логування (GitLab, Gitea, GitHub)
- Перевірка NODE1 на інциденти (чистий)

Статус:
- DAGI Router: працює на NODE2, потрібно на NODE1/NODE3
- Swapper Service: працює на NODE2, потрібно на NODE1/NODE3
- Агенти: підключати після налаштування інфраструктури
 2026-01-11 06:05:08 -08:00
Apple
90a2156bf6 📚 Production Deployment Guide: повна інструкція 
- Atomic генерація секретів
- Auth enforcement checklist
- Smoke-test та Full flow test
- Observability setup
- Policy layer документація
- SLO/SLA рекомендації
- Scale-out інструкції
- Incident response

Система готова до production deployment!
 2026-01-10 10:57:03 -08:00
Apple
70fd268a0d 🚀 Production-ready: Auth enforcement + Observability + Policy 
- Atomic генерація всіх секретів (generate-all-secrets.sh)
- Auth enforcement перевірка (enforce-auth.sh)
- Оновлений full flow test (must-pass)
- Prometheus alerting rules для Memory Module
- Matrix alerts bridge (алерти в ops room)
- Policy engine документація для пам'яті

Готово до production deployment!
 2026-01-10 10:56:05 -08:00
Apple
2bb19343f5 📊 Статус реалізації: всі основні компоненти готові 
- NATS JetStream: працює, streams створюються автоматично
- Worker Daemon: повна реалізація з Stream Creator
- Matrix Gateway: базова реалізація готова
- Auth: базова реалізація (JWT, nkeys, API keys)

TODO: Генерація реальних секретів та тестування
 2026-01-10 10:47:17 -08:00
Apple
38cb96dd68 🔐 Auth: інтеграція JWT в Memory Service + конфігурації 
- Опціональна JWT auth в Memory Service endpoints
- get_current_service_optional для backward compatibility
- NATS auth config (nkeys) - шаблони
- Qdrant auth config (API keys) - шаблони
- Тестовий скрипт для повного потоку

TODO: Генерація реальних JWT/ключів та застосування конфігів
 2026-01-10 10:46:25 -08:00
Apple
6c426bc274 🔐 Auth: базова реалізація JWT для Memory Service 
- JWT middleware для FastAPI
- Генерація/перевірка JWT токенів
- Скрипти для генерації Qdrant API keys
- Скрипти для генерації NATS operator JWT
- План реалізації Auth

TODO: Додати JWT до endpoints, NATS nkeys config, Qdrant API key config
 2026-01-10 10:43:14 -08:00
Apple
0ebbb172f0 🔧 Worker Daemon: додано Stream Creator 
- Автоматичне створення streams при старті worker
- Перевірка наявності streams перед створенням
- Підтримка всіх 4 streams (MM_ONLINE, MM_OFFLINE, MM_WRITE, MM_EVENTS)

Це вирішує проблему з DNS в K8s Job
 2026-01-10 10:41:41 -08:00
Apple
a0c3c0cbb5 🚀 Matrix Gateway: базова реалізація v1 
- Matrix Client (підключення та синхронізація)
- RBAC Checker (перевірка прав через Postgres)
- Job Creator (створення jobs з команд)
- NATS Publisher (публікація jobs у streams)
- K8s deployment
- README з документацією

Команди: !embed, !retrieve, !summarize

TODO: Реальна інтеграція з Matrix homeserver, статуси результатів
 2026-01-10 10:40:18 -08:00
Apple
a001636c11 🔧 NATS: standalone режим + streams creation Job 
- NATS працює в standalone режимі (1 replica)
- Виправлено server_name через initContainer
- Створено K8s Job для створення streams (через Python)
- Створено create-streams.py скрипт

TODO: Streams створити через worker-daemon або після виправлення DNS в Job
 2026-01-10 10:32:44 -08:00
Apple
346dfdfb2d 🔧 NATS: виправлено deployment.yaml з правильним initContainer 
- Додано initContainer для підстановки server_name
- Використано emptyDir для запису конфігу
- Оновлено volumeMounts
 2026-01-10 10:24:41 -08:00
Apple
a688666fa1 🔧 Worker Daemon: базова реалізація v1
Some checks failed
Update Documentation / update-repos-info (push) Has been cancelled
Details 
- Capability Registry (Postgres heartbeat)
- NATS Client (підписка на streams)
- Job Executor (виконання jobs)
- Metrics Exporter (Prometheus)
- Dockerfile для deployment
- Виправлено server_name в NATS (emptyDir)

TODO: Реальна реалізація embed/retrieve/summarize, Matrix Gateway, Auth
 2026-01-10 10:24:13 -08:00
Apple
8fe0b58978 🚀 NATS JetStream: K8s deployment + streams + job schema v1 
- K8s deployment (2 replicas, PVC, initContainer для server_name)
- Streams definitions (MM_ONLINE, MM_OFFLINE, MM_WRITE, MM_EVENTS)
- Job payload schema (JSON v1 з idempotency)
- Worker contract (capabilities + ack/retry)
- Init streams script
- Оновлено ARCHITECTURE-150-NODES.md (Control-plane vs Data-plane)

TODO: Auth (nkeys), 3+ replicas для prod, worker-daemon implementation
 2026-01-10 10:02:25 -08:00
Apple
3478dfce5f 🔒 КРИТИЧНО: Видалено паролі/API ключі з документів + закрито NodePort
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details 
- Видалено всі паролі та API ключі з документів
- Замінено на посилання на Vault
- Закрито NodePort для Memory Service (тільки internal)
- Створено SECURITY-ROTATION-PLAN.md
- Створено ARCHITECTURE-150-NODES.md (план для 150 нод)
- Оновлено config.py (видалено hardcoded Cohere key)
 2026-01-10 09:46:03 -08:00
Apple
f7bf935a21 NODE3: Memory Service мігровано з Docker в K8s
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details 
- NODE3 додано до K3s кластера як worker (llm80-che-1-1)
- Memory Service працює в K8s на NODE3 (pod: memory-service-node3-*)
- Docker контейнер зупинено та видалено
- Оновлено MEMORY-MODULE-STATUS.md v3.1.0
 2026-01-10 09:26:59 -08:00
Apple
116bf5f3f3 Memory Service запущено на всіх нодах + Cohere API налаштовано
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details 
- NODE1: Memory Service в K8s (port 30800) 
- NODE2: Memory Service в Docker (port 8001) 
- NODE3: Memory Service в Docker (port 8001) 
- Всі ноди: Cohere API налаштовано для embeddings 
- NODE2: ComfyUI перевірено (macOS App, port 8000) 
- Оновлено MEMORY-MODULE-STATUS.md v3.0.0
 2026-01-10 09:13:20 -08:00
Apple
6b02349300 🧠 Update Memory Module Status v2.1.0
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details 
- NODE2: PostgreSQL + Agent Memory Schema 
- NODE3: ComfyUI installed (v0.8.2, PyTorch+CUDA) 
- All nodes now have full memory stack
- Added critical TODOs: Memory Service & Cohere API
 2026-01-10 09:00:17 -08:00
Apple
f4ccf7c570 🧠 Complete Memory Stack setup across all nodes
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details 
- NODE1: Neo4j (K8s), NVIDIA RTX 4000 + CUDA 13.1
- NODE2: Fixed Neo4j & Qdrant containers
- NODE3: Full stack (PostgreSQL + Qdrant + Neo4j)
- Updated MEMORY-MODULE-STATUS.md v2.0.0
 2026-01-10 08:26:42 -08:00
Apple
8aee29d42d 📊 Add Memory Module Status Report across all nodes
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details
2026-01-10 08:11:12 -08:00
Apple
eed1e30aca 🔧 Add site/ to .gitignore (mkdocs build output)
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details
2026-01-10 07:57:47 -08:00
Apple
fb4f4a16d5 🔧 Fix GitHub Actions docs workflow 
- Update mkdocs dependencies to latest versions
- Add permissions for GitHub Pages deployment
- Add workflow_dispatch for manual trigger
- Fix build command with fallback
 2026-01-10 07:57:36 -08:00
Apple
90758facae 🧠 Add Agent Memory System with PostgreSQL + Qdrant + Cohere 
Features:
- Three-tier memory architecture (short/mid/long-term)
- PostgreSQL schema for conversations, events, memories
- Qdrant vector database for semantic search
- Cohere embeddings (embed-multilingual-v3.0, 1024 dims)
- FastAPI Memory Service with full CRUD
- External Secrets integration with Vault
- Kubernetes deployment manifests

Components:
- infrastructure/database/agent-memory-schema.sql
- infrastructure/kubernetes/apps/qdrant/
- infrastructure/kubernetes/apps/memory-service/
- services/memory-service/ (FastAPI app)

Also includes:
- External Secrets Operator
- Traefik Ingress Controller
- Cert-Manager with Let's Encrypt
- ArgoCD for GitOps
 2026-01-10 07:52:32 -08:00
Apple
12545a7c76 🏗️ Add DAARION Infrastructure Stack 
- Terraform + Ansible + K3s + Vault + Consul + Observability
- Decentralized network architecture (own datacenters)
- Complete Ansible playbooks:
  - bootstrap.yml: OS setup, packages, SSH
  - hardening.yml: Security (UFW, fail2ban, auditd, Trivy)
  - k3s-install.yml: Lightweight Kubernetes cluster
- Production inventory with NODE1, NODE3
- Group variables for all nodes
- Security check cron script
- Multi-DC ready with Consul support
 2026-01-10 05:31:51 -08:00
Apple
02cfd90b6f 🌐 Add 150 nodes network deployment plan 
- Created NETWORK-150-NODES-PLAN.md with complete architecture
- Ansible playbooks for automated security and deployment
- Terraform configs for Hetzner infrastructure
- Zero Trust security architecture
- Prometheus federation for monitoring
- Estimated costs and roadmap
- PostgreSQL deployed on NODE1 and NODE3
 2026-01-10 05:11:45 -08:00
Apple
1231647f94 🛡️ Add comprehensive Security Hardening Plan 
- Created SECURITY-HARDENING-PLAN.md with 6 security levels
- Added setup-node1-security.sh for automated hardening
- Added scan-image.sh for pre-deployment image scanning
- Created docker-compose.secure.yml template
- Includes: Trivy, fail2ban, UFW, auditd, rkhunter, chkrootkit
- Network isolation, egress filtering, process monitoring
- Incident response procedures and recovery playbook
 2026-01-10 05:05:21 -08:00
Apple
1c247ea40c 📝 Update context docs with session logging system
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details 
- Added Session Logging System section to INFRASTRUCTURE.md
- Added Git Multi-Remote configuration (GitHub + Gitea + GitLab)
- Updated version to 2.5.0
- Added logging commands reference
- Updated infrastructure_quick_ref.ipynb with new features
- Added SSH tunnel instructions for GitLab access
 2026-01-10 04:58:01 -08:00
Apple
744c149300 Add automated session logging system
Some checks failed
Build and Deploy Docs / build-and-deploy (push) Has been cancelled
Details 
- Created logs/ structure (sessions, operations, incidents)
- Added session-start/log/end scripts
- Installed Git hooks for auto-logging commits/pushes
- Added shell integration for zsh
- Created CHANGELOG.md
- Documented today's session (2026-01-10)
 2026-01-10 04:53:17 -08:00
Apple
e67882fd15 docs: Security Incident #3 - postgres:15-alpine compromised image 
CRITICAL SECURITY INCIDENT - Postgres:15-alpine Contains Crypto Miners

Discovered: Jan 9, 2026 20:47 UTC
Resolved: Jan 9, 2026 22:07 UTC
Duration: ~2 hours

Malware Discovered (3 variants):
1. cpioshuf (1764% CPU) - /tmp/.perf.c/cpioshuf
2. ipcalcpg_recvlogical - /tmp/.perf.c/ipcalcpg_recvlogical
3. mysql (933% CPU) - /tmp/mysql

Compromised Image:
- Image: postgres:15-alpine
- SHA: b3968e348b48f1198cc6de6611d055dbad91cd561b7990c406c3fc28d7095b21
- Status: BANNED - DO NOT USE

Impact:
- CPU load: 17+ (critical)
- Multiple containers affected: daarion-postgres, dagi-postgres, docker-db-1
- Dify also compromised (used same image)
- System performance degraded for 2 hours

Resolution:
- Killed all 3 miner variants (PIDs: 2294271, 2310302, 2314793, 2366898)
- Stopped and removed ALL postgres:15-alpine containers
- Deleted compromised image permanently
- Migrated to postgres:14-alpine (verified clean)
- Removed entire Dify installation (precautionary)
- System load normalized: 17+ → 0.40

Root Cause:
- Official Docker Hub image postgres:15-alpine either:
  * Temporarily compromised on Docker Hub, OR
  * PostgreSQL 15 has supply chain vulnerability
- Persistent infection: malware embedded in image layers
- Auto-restart: orphan containers kept respawning miners

Actions Taken:
-  All miners killed and files removed
-  Compromised image deleted and BLOCKED
-  Migrated to postgres:14-alpine
-  Dify completely removed
-  /tmp cleaned of all suspicious files
-  System verified clean

Prevention Measures:
1. Pin images by SHA (not tags like :latest or :15-alpine)
2. Implement Trivy/Grype security scanning
3. Monitor CPU spikes (alert if >5 load average)
4. Regular /tmp audits for executables
5. Use --remove-orphans in docker-compose
6. Block orphan container spawning

Lessons Learned:
- Official images can be compromised
- Never trust :latest or version tags blindly
- Scan ALL images before deployment
- Monitor /tmp for suspicious executables
- One compromised image can spread (Dify used same postgres)
- Multiple malware variants = fallback payloads

Files Updated:
- INFRASTRUCTURE.md - Added Incident #3 complete documentation

POSTGRES:15-ALPINE IS PERMANENTLY BANNED
Use postgres:14-alpine (verified safe)

Co-Authored-By: Warp <agent@warp.dev>
 2026-01-09 13:09:38 -08:00
Apple
f6a2007c77 🛡️ security: Implement full container audit and signed images guide 
- Added security/audit-all-containers.sh: Automated Trivy scan for all 60+ project images
- Added security/hardening/signed-images.md: Guide for Docker Content Trust (DCT)
- Updated NODE1 with audit script and started background scan
- Results will be saved to /opt/microdao-daarion/logs/audits/

Co-authored-by: Cursor Agent <agent@cursor.sh>
 2026-01-09 12:16:30 -08:00
Apple
778907cf0e docs: add NODE3 (Threadripper PRO + RTX 3090) to infrastructure 
Added NODE3 - AI/ML Workstation Specification:

Hardware:
- CPU: AMD Ryzen Threadripper PRO 5975WX (32 cores / 64 threads, 3.6 GHz boost)
- RAM: 128GB DDR4
- GPU: NVIDIA GeForce RTX 3090 24GB GDDR6X
  - 10496 CUDA cores
  - CUDA 13.0, Driver 580.95.05
- Storage: Samsung SSD 990 PRO 4TB NVMe
  - Root: 100GB (27% used)
  - Available for expansion: 3.5TB

System:
- Hostname: llm80-che-1-1
- IP: 80.77.35.151:33147
- OS: Ubuntu 24.04.3 LTS (Noble Numbat)
- Container Runtime: MicroK8s + containerd
- Uptime: 24/7

Security Status:  CLEAN (verified 2026-01-09)
- No crypto miners detected
- 0 zombie processes
- CPU load: 0.17 (very low)
- GPU utilization: 0% (ready for workloads)

Services Running:
- Port 3000 - Unknown service (needs investigation)
- Port 8080 - Unknown service (needs investigation)
- Port 11434 - Ollama (localhost only)
- Port 27017/27019 - MongoDB (localhost only)
- Kubernetes API: 16443
- K8s services: 10248-10259, 25000

Recommended Use Cases:
- 🤖 Large LLM inference (Llama 70B, Qwen 72B, Mixtral 8x22B)
- 🧠 Model training and fine-tuning
- 🎨 Stable Diffusion XL image generation
- 🔬 AI/ML research and experimentation
- 🚀 Kubernetes-based AI service orchestration

Files Updated:
- INFRASTRUCTURE.md v2.4.0
- docs/infrastructure_quick_ref.ipynb v2.3.0

NODE3 is the most powerful node in the infrastructure:
- Most CPU cores: 32c/64t (vs 16c M4 Max)
- Most RAM: 128GB (vs 64GB)
- Dedicated GPU: RTX 3090 24GB VRAM
- Largest storage: 4TB NVMe (vs 2TB)

Co-Authored-By: Warp <agent@warp.dev>
 2026-01-09 05:53:16 -08:00
Apple
cba2ff47f3 📚 docs(security): Add comprehensive Security chapter 
## New Security Documentation Structure

/security/
├── README.md                    # Security overview & contacts
├── forensics-checklist.md       # Incident investigation guide
├── persistence-scan.sh          # Quick persistence detector
├── runtime-detector.sh          # Mining/suspicious process detector
└── hardening/
    ├── docker.md                # Docker security baseline
    ├── kubernetes.md            # K8s policies (future reference)
    └── cloud.md                 # Hetzner-specific hardening

## Key Components

### Forensics Checklist
- Process analysis commands
- Persistence mechanism detection
- Network connection analysis
- File system inspection
- Authentication audit
- Decision matrix for threat response

### Scripts
- persistence-scan.sh: Cron, systemd, executables, SSH keys
- runtime-detector.sh: Mining process detection with --kill option

### Hardening Guides
- Docker: Secure compose template, Dockerfile best practices
- Kubernetes: NetworkPolicy, PodSecurityStandard, Falco rules
- Cloud: Egress firewall, SSH hardening, fail2ban, monitoring

## Post-Incident Documentation
Based on lessons learned from Incidents #1 and #2 (Jan 2026)

Co-authored-by: Cursor Agent <agent@cursor.sh>
 2026-01-09 02:08:13 -08:00