Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

ariffazil/arifos-three-surface-audit

Name: arifos-three-surface-audit
Author: ariffazil

hermes-skills/arifos/arifos-three-surface-audit/SKILL.md

npx skillsauth add ariffazil/openclaw-workspace arifos-three-surface-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

arifOS Three-Surface Architecture Audit & Build

When to use

Audit or build the three public surfaces: arif-fazil.com, arifos.arif-fazil.com, aaa.arif-fazil.com. Run this when deploying new endpoints, checking for documentation drift, or verifying protocol compliance.

What each surface owns

| Surface | Canonical job | Must have | |---------|--------------|-----------| | arif-fazil.com | Human identity root | /, /000, /999, /llms.txt, cross-links to MCP + A2A | | arifos.arif-fazil.com | MCP Observatory + Streamable HTTP /mcp | /mcp (POST+GET), /mcp-server-card.json, /observatory/, /api/catalog/{tools,resources,prompts}, /api/status/summary | | aaa.arif-fazil.com | A2A Agent Gateway | /.well-known/agent-card.json, /skills, /validator, message:send + message:stream endpoints | | mcp.arif-fazil.com | Migration alias only | 308 redirect to arifos.arif-fazil.com/mcp/ |

Caddyfile locations (in priority order)

/root/arifOS/Caddyfile — active on VPS (arifOS compose stack)
/root/compose/Caddyfile — federation stack
/root/Caddyfile — standalone

Caddyfile patterns

Subdomain with static files + API routes

arifos.arif-fazil.com {
    root * /var/www/html/arif/observatory
    file_server

    @arifosAPI {
        header Authorization *Bearer*
        header Content-Type application/json
    }
    handle /api/* {
        reverse_proxy localhost:8888
    }
}

AAA subdomain (A2A gateway)

aaa.arif-fazil.com {
    root * /var/www/html/aaa
    file_server

    @a2aRPC {
        header Content-Type application/json
    }
    handle /message:send* {
        reverse_proxy localhost:9999
    }
    handle /message:stream* {
        reverse_proxy localhost:9999
    }
}

Migration alias (redirect, no static files)

mcp.arif-fazil.com {
    redir https://arifos.arif-fazil.com/mcp/ 308
}

Critical Caddyfile gotcha

handle PATH matches exactly — handle /api does NOT match /api/foo. Use named matchers with header conditions instead:

@myapi {
    path /api/*
}
handle @myapi {
    reverse_proxy localhost:8888
}

Root problem: documentation drift

Hand-curated tool counts, protocol versions, and capability lists drift from live runtime. Every catalog endpoint must be generated from runtime, never hand-written.

The minimum live-generated endpoints needed:

GET /api/catalog/tools — from tools/list MCP call
GET /api/catalog/resources — from resources/list MCP call
GET /api/catalog/prompts — from prompts/list MCP call
GET /api/status/summary — from /health + runtime vitals

A2A version discrepancy check

The blueprint flagged: federation-health.json says "A2A v0.3.0" but mcp.arif-fazil.com says "Planned". If /federation-health.json returns HTML, it means the static JSON file is missing from the doc root. Check:

curl -s "https://arif-fazil.com/federation-health.json" | jq .

Build order

Create doc root: mkdir -p /var/www/html/aaa /var/www/html/arif/observatory/api
Write static files (Agent Card, homepage, skills page, validator)
Write runtime catalog server (Python HTTP sidecar for /api/ endpoints)
Update Caddyfile with subdomain blocks
docker exec caddy caddy reload or docker restart caddy
Purge Cloudflare cache if Cloudflare is proxying
Verify all endpoints with curl (no --max-time suppress errors, check exit codes)

Verification commands

# All three surfaces
curl -s https://aaa.arif-fazil.com/ -o /dev/null -w "%{http_code}\n"
curl -s https://arifos.arif-fazil.com/observatory/ -o /dev/null -w "%{http_code}\n"
curl -s https://mcp.arif-fazil.com/ -o /dev/null -w "%{http_code} %{redirect_url}\n"

# Protocol contracts
curl -s https://aaa.arif-fazil.com/.well-known/agent-card.json | jq .
curl -s https://arifos.arif-fazil.com/mcp-server-card.json | jq .

# Runtime catalogs
curl -s https://arifos.arif-fazil.com/api/mcp/tools.json | jq '.tools | length'
curl -s https://arifos.arif-fazil.com/api/catalog/resources | jq .
curl -s https://arifos.arif-fazil.com/api/status/summary | jq .

# A2A endpoints
curl -s https://aaa.arif-fazil.com/a2a -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"message:send","params":{...},"id":1}' \
  -w "\nHTTP %{http_code}"

Cloudflare cache purge

If Cloudflare is proxying and returning stale 404s after Caddy reload:

# Get Cloudflare Zone ID from dashboard, then:
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"files":["https://arifos.arif-fazil.com/observatory/","https://arifos.arif-fazil.com/mcp-server-card.json"]}'

If token lacks purge rights, use Cloudflare dashboard → Caching → Purge Everything.

ariffazil/arifos-three-surface-audit

hermes-skills/arifos/arifos-three-surface-audit/SKILL.md

Audit and build the three public surfaces — arif-fazil.com (human root), arifos.arif-fazil.com (MCP Observatory), aaa.arif-fazil.com (A2A gateway). Verify protocol contracts, Caddyfile routing, and documentation drift.

tools

Updated May 12, 2026

$ install --global

skillsauth

npx skillsauth add ariffazil/openclaw-workspace arifos-three-surface-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 1, 2026, 4:07 AM149.6s1 file scanned

SKILL.md

name:: arifos-three-surface-audit
description:: Audit and build the three public surfaces — arif-fazil.com (human root), arifos.arif-fazil.com (MCP Observatory), aaa.arif-fazil.com (A2A gateway). Verify protocol contracts, Caddyfile routing, and documentation drift.
triggers:: ["arifOS surface", "three surfaces", "MCP Observatory", "A2A gateway", "documentation drift", "Caddyfile", "server card", "agent card"]

arifOS Three-Surface Architecture Audit & Build

When to use

What each surface owns

Caddyfile locations (in priority order)

/root/arifOS/Caddyfile — active on VPS (arifOS compose stack)
/root/compose/Caddyfile — federation stack
/root/Caddyfile — standalone

Caddyfile patterns

Subdomain with static files + API routes

arifos.arif-fazil.com {
    root * /var/www/html/arif/observatory
    file_server

    @arifosAPI {
        header Authorization *Bearer*
        header Content-Type application/json
    }
    handle /api/* {
        reverse_proxy localhost:8888
    }
}

AAA subdomain (A2A gateway)

aaa.arif-fazil.com {
    root * /var/www/html/aaa
    file_server

    @a2aRPC {
        header Content-Type application/json
    }
    handle /message:send* {
        reverse_proxy localhost:9999
    }
    handle /message:stream* {
        reverse_proxy localhost:9999
    }
}

Migration alias (redirect, no static files)

mcp.arif-fazil.com {
    redir https://arifos.arif-fazil.com/mcp/ 308
}

Critical Caddyfile gotcha

handle PATH matches exactly — handle /api does NOT match /api/foo. Use named matchers with header conditions instead:

@myapi {
    path /api/*
}
handle @myapi {
    reverse_proxy localhost:8888
}

Root problem: documentation drift

Hand-curated tool counts, protocol versions, and capability lists drift from live runtime. Every catalog endpoint must be generated from runtime, never hand-written.

The minimum live-generated endpoints needed:

GET /api/catalog/tools — from tools/list MCP call
GET /api/catalog/resources — from resources/list MCP call
GET /api/catalog/prompts — from prompts/list MCP call
GET /api/status/summary — from /health + runtime vitals

A2A version discrepancy check

curl -s "https://arif-fazil.com/federation-health.json" | jq .

Build order

Create doc root: mkdir -p /var/www/html/aaa /var/www/html/arif/observatory/api
Write static files (Agent Card, homepage, skills page, validator)
Write runtime catalog server (Python HTTP sidecar for /api/ endpoints)
Update Caddyfile with subdomain blocks
docker exec caddy caddy reload or docker restart caddy
Purge Cloudflare cache if Cloudflare is proxying
Verify all endpoints with curl (no --max-time suppress errors, check exit codes)

Verification commands

# All three surfaces
curl -s https://aaa.arif-fazil.com/ -o /dev/null -w "%{http_code}\n"
curl -s https://arifos.arif-fazil.com/observatory/ -o /dev/null -w "%{http_code}\n"
curl -s https://mcp.arif-fazil.com/ -o /dev/null -w "%{http_code} %{redirect_url}\n"

# Protocol contracts
curl -s https://aaa.arif-fazil.com/.well-known/agent-card.json | jq .
curl -s https://arifos.arif-fazil.com/mcp-server-card.json | jq .

# Runtime catalogs
curl -s https://arifos.arif-fazil.com/api/mcp/tools.json | jq '.tools | length'
curl -s https://arifos.arif-fazil.com/api/catalog/resources | jq .
curl -s https://arifos.arif-fazil.com/api/status/summary | jq .

# A2A endpoints
curl -s https://aaa.arif-fazil.com/a2a -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"message:send","params":{...},"id":1}' \
  -w "\nHTTP %{http_code}"

Cloudflare cache purge

If Cloudflare is proxying and returning stale 404s after Caddy reload:

# Get Cloudflare Zone ID from dashboard, then:
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"files":["https://arifos.arif-fazil.com/observatory/","https://arifos.arif-fazil.com/mcp-server-card.json"]}'

If token lacks purge rights, use Cloudflare dashboard → Caching → Purge Everything.

Related Skills

ariffazil/AAA Agentic Governance (AAA-Cockpit, canonical)

development

VerifiedTrustedCommunity

Governed intelligence skill for AAA as the abstraction, attestation, and abduction control plane across arifOS, APEX, A-FORGE, GEOX, WEALTH, WELL, and the ariffazil profile repository. Use when the user asks to explain or design AAA, route agentic work, reduce chaos/entropy in an arifOS federation task, create AREP/task declarations, classify risk, plan multi-repo changes, review governance boundaries, or translate human intent into evidence-backed, authority-safe, recursively agentic workflows. Provides deterministic F1-F13 floor checking, bounded abduction, and FederationReceipt composition.

SKILL.mdUpdated Jun 6, 2026

ariffazil/AAA Agentic Governance (AAA-Cockpit, canonical)

ariffazil/skill-trigger-linter

development

VerifiedTrustedCommunity

Check every skill’s “use when” and “do not use when” clauses for collisions, missing negatives, and vague verbs like “help,” “assist,” or “improve.” Load when linting, reviewing, or validating trigger boundaries.

SKILL.mdUpdated May 27, 2026

ariffazil/skill-trigger-linter

ariffazil/skill-creator

development

VerifiedTrustedCommunity

Bootstrap, design, and package new skills. Load when capturing user intent for a new skill or drafting its initial instruction framework.

SKILL.mdUpdated May 27, 2026

ariffazil/skill-creator

ariffazil/Federation Service Health Triage

content-media

VerifiedTrustedCommunity

Diagnose which federation services are up, down, or drifting. Produce a prioritized remediation plan.

SKILL.mdUpdated May 27, 2026

ariffazil/Federation Service Health Triage

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/ariffazil/openclaw-workspace.git

# Copy into Claude Code skills folder (global)
cp -r openclaw-workspace/hermes-skills/arifos/arifos-three-surface-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

ariffazil/openclaw-workspace

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT