admin/agent-os
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
agent-os/memory/constraints.md
T
Claude Code 6cebab9a4a docs: comprehensive update — bring all Agent OS docs current for LLM onboarding 
All files were 5-7 weeks stale. Updated brain.md (complete service/agent/VPN/cron
inventory), identity.md (current expertise + infra context), CLAUDE.md (full agent
ecosystem table, Citadel tool registry, gotchas), README.md (LLM quick-start guide),
all memory files (current projects, decisions, constraints, persistent facts), and
infra-monitor skill.md (current container list with criticality tiers).

Also fixed: git remote switched from HTTP+embedded-token to SSH, removed references
to decommissioned services (Netbird, WireGuard, Flowise, Zabbix), corrected Ollama
IP (172.27.40.20), TrueNAS IP (172.27.40.220), and added 20+ services/agents that
were built since the last commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 17:15:45 +00:00

2.2 KiB
Raw Permalink Blame History

Constraints

Hard limits agents must respect. Never work around these without explicit user confirmation. Last updated: 2026-06-19

Destructive actions

  • Never delete or overwrite files without explicit confirmation
  • Never restart or stop services without explicit confirmation
  • Never drop, reset, or modify databases without explicit confirmation
  • Never force push to git or bypass hooks
  • Never run pfctl commands on OPNsense (risk of locking out remote access)

Credentials

  • All credentials live in ~/.nxm-keys (chmod 600) — ONLY location
  • Never store credentials in output files, logs, generated markdown, .env files, or code
  • Reference the file location, never the values
  • TrueNAS IPs: 172.27.40.220 (Servers40 data) / 172.27.6.221 (management/API)

Infrastructure

  • Linux server (172.27.40.3) has no GPU — never schedule LLM inference to run locally there
  • Ollama runs on 172.27.40.20 (Windows 11 Pro) — not on the Docker host
  • Docker Compose only — no Kubernetes, no Swarm
  • Docker proxy network (172.22.0.0/16) cannot reach OPNsense API at 172.27.6.1 — always run OPNsense API scripts from the host
  • NPM handles SSL termination — internal services always use HTTP

Agent-specific

  • maester-reports: restart clears in-memory cache → re-parses all evidence PDFs via Claude Opus vision (Anthropic API cost). Avoid unnecessary restarts.
  • NocoDB: RvDM personal birthday DB ONLY — never suggest for any Nexum project. Nexum data layer = Directus.
  • Open WebUI → Citadel MCP: auth_type must be none. Empty bearer key generates illegal header → silent connection failure.
  • Qyburn task specs: never embed code in the description field — use plain English only (14b models explain code instead of writing it)

External communication

  • Never send any external message (email, webhook, Discord notification) without explicit confirmation
  • Notifications always route through Raven (http://raven-notify:8400)
  • Never expose services publicly without confirming NPM + Cloudflare + firewall implications

Naming

  • S2S = always suggest Site-to-Site VPN (not Road Warrior) for permanent infrastructure endpoints
  • Use .50+ IP range for non-firewall infrastructure devices on S2S tunnels
Reference in New Issue View Git Blame Copy Permalink