docs: comprehensive update — bring all Agent OS docs current for LLM onboarding

All files were 5-7 weeks stale. Updated brain.md (complete service/agent/VPN/cron
inventory), identity.md (current expertise + infra context), CLAUDE.md (full agent
ecosystem table, Citadel tool registry, gotchas), README.md (LLM quick-start guide),
all memory files (current projects, decisions, constraints, persistent facts), and
infra-monitor skill.md (current container list with criticality tiers).

Also fixed: git remote switched from HTTP+embedded-token to SSH, removed references
to decommissioned services (Netbird, WireGuard, Flowise, Zabbix), corrected Ollama
IP (172.27.40.20), TrueNAS IP (172.27.40.220), and added 20+ services/agents that
were built since the last commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

memory/persistent.md

@@ -1,18 +1,44 @@
 # Persistent Memory
 
 Facts that don't expire. If you'd have to re-explain it to a new agent every time, it belongs here.
-Last updated: 2026-04-30
+Last updated: 2026-06-19
 
 ---
 
 ## Infrastructure decisions
 - RustDesk is self-hosted on 172.27.40.3 — clients connect to local server not public relay
-- Netbird signal+management both route through NPM on port 443 — exposedAddress in /opt/stacks/netbird/config.yaml must be https://netbird.nxm.co.za:443 (caddy-netbird on :8443 exists but is not used externally)
+- NPM handles all SSL termination — internal services use HTTP, NPM adds HTTPS
 - Headscale v0.28: all write operations require numeric user ID, not username
 - Tailscale on Windows overrides DNS — disconnect before testing split DNS changes
-- Servers running Tailscale must run `sudo tailscale set --accept-dns=false` before joining Netbird
+- Docker Compose only — no Kubernetes, no Swarm
+- Docker → OPNsense API: HTTP 400 from Docker proxy network — always run OPNsense API scripts from the host
+- All internal subdomains: gray-cloud CNAME → opnsense.nxm.co.za in Cloudflare. Proxied = 523 error.
+- OPNsense split DNS: all subdomains resolve to 172.27.40.3 internally via Unbound host overrides
+
+## Decommissioned services (do not reference)
+- **Netbird:** Fully removed from server 2026-05-28. Orphaned clients on mwp/coetzee/b0qxxx/fwlaw firewalls pending removal.
+- **WireGuard (N2W):** Fully removed 2026-05-30. Replaced by OpenVPN S2S.
+- **Flowise:** Replaced by Open WebUI 2026-05-01.
+- **Zabbix:** No longer running (monitoring moved to Grafana + InfluxDB + Telegraf).
 
 ## Agent OS build state
-- Phase 1-2 (file structure + NFS + identity interview): not yet started
-- First skill to build: infra-monitor (Docker health + agent watchdog)
-- Notifications target: Home Assistant at 172.27.10.6
+- Phase 1-2 complete (file structure + identity interview)
+- Phase 3 (infra-monitor skill): spec written but stale, not yet implemented
+- Notifications target: Raven at http://raven-notify:8400 (Discord + Gmail)
+- All agent logs write to `/opt/agent-os/logs/<agent>/last-run.json`
+
+## Credential policy
+- All API keys and passwords: `~/.nxm-keys` (chmod 600)
+- Never write credential values into output, logs, docs, or config files
+- Reference credential location instead
+
+## VPN topology
+- **Headscale** (self-hosted Tailscale): remote access for admin devices
+- **OpenVPN S2S:** site-to-site for client firewalls (bezhuis/mwp/coetzee done, fwlaw pending)
+- Hub tunnel IPs: bezhuis=172.16.17.2, mwp=172.16.17.3, coetzee=172.16.17.4
+
+## Ollama
+- Host: 172.27.40.20 (Windows 11 Pro, NxM-AI), Vulkan GPU
+- Models: gemma4, llama3.1:8b, phi4
+- Auto-starts via Scheduled Task (S4U + AtStartup)
+- Used by: hodor-gateway, sam-research, qyburn-coder, Open WebUI