ariffazil/arif-os-readiness-debugging
hermes-backup/daily/2026-04-28_203212/skills/devops/arif-os-readiness-debugging/SKILL.md
arifOS endpoint/container debugging protocol — runtime witness before infrastructure speculation
development
Updated May 1, 2026
$ install --global
skillsauthnpx skillsauth add ariffazil/openclaw-workspace arif-os-readiness-debuggingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 1, 2026, 4:07 AM137.6s1 file scanned
SKILL.md
- name:
- arif-os-readiness-debugging
- description:
- arifOS endpoint/container debugging protocol — runtime witness before infrastructure speculation
- tags:
- [debugging, runbook, arifOS]
- version:
- 1.0.0
- author:
- arifOS Constitutional Federation
- created:
- 2026-04-28
- trigger_on:
- ["endpoint down", "container issue", "deployment problem", "/ready partial", "Caddy 502", "network unreachable"]
arifOS Readiness Debugging Protocol
Core Rule
Never debug infrastructure until the constitutional readiness surface has been read.
Authority order (highest to lowest):
/ready— constitutional readiness (14 checks, authoritative)/status.json— federation status/health— service health- Running Caddyfile inside container
- Container logs
- Listener/network diagnostics
- iptables/firewall
Diagnostic Chain
1. curl -s https://mcp.arif-fazil.com/ready
→ If status: pass → readiness is NOT the issue
→ If status: partial → READ the failures list
2. If /ready names a failing check (e.g., forge_dry_run_check):
→ Treat that as primary until disproven
→ Inspect source code for that check's implementation
→ Do NOT assume Docker bind / networking
3. If /ready passes but public endpoint fails:
→ Inspect Caddyfile inside running container:
docker exec caddy cat /etc/caddy/Caddyfile
→ Check Caddy logs:
docker logs caddy --tail 20
→ Verify reverse_proxy directives point to correct container service name
4. Only after /ready is clean AND the failure still persists:
→ docker exec <container> cat /proc/net/tcp (decode hex IP:port)
→ Check Docker network membership:
docker inspect <container> --format '{{json .NetworkSettings.Networks}}'
→ docker exec caddy nc -vz <target-service> <port>
→ docker exec caddy curl -v --connect-timeout 5 http://<target>:PORT/endpoint
Common Pitfalls
- Jumping to Docker networking before /ready — wastes 30-60 min on ghost bugs
- Using
ssornetstatwithout checking if they're installed — these are often absent → Usecat /proc/net/tcp+ Python decode instead - Trusting secondary sources — always verify disk/API directly, never trust docs
- Forgetting
ssisn't in minimal containers — probe first withwhich ss || which netstat
Decode TCP Table (when /proc/net/tcp is the only option)
import socket
STATE = {0x01:'ESTABLISHED', 0x06:'TIME_WAIT', 0x08:'CLOSE_WAIT', 0x0A:'LISTEN', 0x0B:'LISTEN'}
with open('/proc/net/tcp') as f:
for i, line in enumerate(f):
if i == 0: continue
p = line.split()
if len(p) < 10: continue
lip, lport = p[1].split(':')
rport = int(lport, 16)
state = int(p[3], 16)
ip = socket.inet_ntoa(bytes.fromhex(lip)[::-1])
sn = STATE.get(state, hex(state))
if rport == 8080 or state == 0x0A:
print(f'{sn} {ip}:{rport}')
The arifOS Debugging Mantra
"I have not yet proven transport failure. First witness /ready. Second witness Caddy route. Third witness container listener. Only then decide."
Verification Steps After a Redeploy
# 1. Wait for healthy
sleep 8 && docker ps --filter name=arifosmcp --format "{{.Status}}"
# 2. Check /ready
curl -s https://mcp.arif-fazil.com/ready | python3 -c "
import json,sys; d=json.load(sys.stdin)
print(f'Status: {d[\"status\"]}')
[print(f' {k}: {v[\"verdict\"]}') for k,v in d['checks'].items()]
print(f'Failures: {d[\"failures\"]}')
"
# 3. Check public endpoint
curl -s https://mcp.arif-fazil.com/health | python3 -m json.tool | head -10
curl -s https://mcp.arif-fazil.com/status.json | python3 -m json.tool | head -10
Related Skills
ariffazil/AAA Agentic Governance (AAA-Cockpit, canonical)
development
VerifiedTrustedCommunity
Governed intelligence skill for AAA as the abstraction, attestation, and abduction control plane across arifOS, APEX, A-FORGE, GEOX, WEALTH, WELL, and the ariffazil profile repository. Use when the user asks to explain or design AAA, route agentic work, reduce chaos/entropy in an arifOS federation task, create AREP/task declarations, classify risk, plan multi-repo changes, review governance boundaries, or translate human intent into evidence-backed, authority-safe, recursively agentic workflows. Provides deterministic F1-F13 floor checking, bounded abduction, and FederationReceipt composition.
SKILL.mdUpdated Jun 6, 2026
ariffazil/skill-trigger-linter
development
VerifiedTrustedCommunity
Check every skill’s “use when” and “do not use when” clauses for collisions, missing negatives, and vague verbs like “help,” “assist,” or “improve.” Load when linting, reviewing, or validating trigger boundaries.
SKILL.mdUpdated May 27, 2026
ariffazil/skill-creator
development
VerifiedTrustedCommunity
Bootstrap, design, and package new skills. Load when capturing user intent for a new skill or drafting its initial instruction framework.
SKILL.mdUpdated May 27, 2026
ariffazil/Federation Service Health Triage
content-media
VerifiedTrustedCommunity
Diagnose which federation services are up, down, or drifting. Produce a prioritized remediation plan.
SKILL.mdUpdated May 27, 2026