Infrastructure Bring-Up — Readiness Report
Mode: Infrastructure bring-up / additive only. No product code changes, no production CRM touch, no mock services, no filesystem substitutes. Date: 2026-06-14.
Classification
Of the four target services, two are real installable OSS (Honcho, Serena) and two are internal AAF systems that must be built, not installed (Hermes, MemPalace). The canon describes all of Hermes/Honcho/MemPalace as architecture (the "Shared AI Framework," dual-plane deployments) and specifies no concrete install method, image, version, or source for any of them — so there was no pre-chosen install recipe to execute.
Services checked
Hermes, Honcho, MemPalace, Serena — plus the host toolchain and running services.
Installed versions
| Component | Version | Note |
|---|---|---|
| node | v20.20.2 | pre-existing |
| npm | 10.8.2 | pre-existing |
| python3 | 3.10.12 | pre-existing (no pip3) |
| docker | 29.5.3 | pre-existing |
| git | 2.34.1 | pre-existing |
| claude | 2.1.177 | pre-existing |
| uv / uvx | 0.11.21 | installed this pass (Serena prerequisite) |
| traefik (container) | v2.11 | pre-existing, only running service besides HQ01 |
What was already present
- HQ01 itself, on the host via `hq01.service` at `:4000`, fronted by traefik.
- Hermes content: executive profile YAML under `src/hermes/` (not a runtime).
- Empty placeholder dirs: `engineering/{hermes,honcho,mempalace}`, `src/{honcho,mempalace}`.
- No service process/container/CLI for any of the four.
What was installed
- `uv` + `uvx` 0.11.21 into `~/.local/bin` (user-space, reversible). This is the standard prerequisite for Serena's documented `uvx` launch method; the box previously had no `pip3`/`pipx`/`uv`.
- Nothing else. No service was stood up.
- Documentation: this `docs/infrastructure/` directory (README + one file per service + this report).
How services are started / stopped
- HQ01: `sudo systemctl {start,stop,restart} hq01.service` (scoped NOPASSWD).
- traefik: Docker (`infrastructure/compose/traefik/`).
- Hermes / MemPalace: no start/stop — not built.
- Honcho: would be a `docker compose` stack under `infrastructure/compose/honcho/` once provisioned (not yet created).
- Serena: on-demand `uvx --from git+... serena start-mcp-server` once the source/pin is ratified (no daemon).
Health check results
| Service | Result |
|---|---|
| Hermes | n/a — internal system, not built. Content YAML present & readable. |
| Honcho | DOWN — not deployed (no process, no Postgres/pgvector). |
| MemPalace | n/a — internal system, not built. Placeholder empty. |
| Serena | Prerequisite green (uv 0.11.21 resolves); service not launched. |
| HQ01 | UP — :4000 listening, served via traefik. |
| traefik | UP — 5h uptime. |
HQ01 reachability
- Hermes / MemPalace: HQ01 already reads the underlying filesystem content directly (executive profiles, missions, reports, artifacts) and needs no runtime for either today.
- Honcho: no dependency wired (correct for this scope). Future integration = a `HONCHO_BASE_URL`-style env var added at integration time, not now.
- Serena: consumed as an MCP tool by a coding agent, not an HQ01 HTTP call; `uvx` is on PATH so the launch command is available.
- No env vars or placeholders were added to HQ01 — none are needed yet, and the mission forbids wiring business logic.
Remaining blockers
- Honcho: LLM provider API key (not held) + Holdings/Platform plane decision + Postgres+pgvector provisioning. Standing it up without these yields a running-but-non-reflecting stub — disallowed by "no mock services."
- Serena: ratify the upstream source + version pin (`oraios/serena@<ref>`). Executing self-selected external git code on production was correctly blocked.
- Hermes / MemPalace: require build missions (out of scope for an additive infra pass), honoring append-only and plane-separation invariants.
- Standing security gap (unrelated to these four): HQ01 is publicly exposed and unauthenticated behind traefik with destructive + dispatch endpoints. A traefik basic-auth gate remains the top recommended next action.
Recommended integration order
- Serena — lowest effort/risk. Ratify a pinned `oraios/serena` ref, launch via `uvx`, register as an MCP server for the coding agent. No DB, no secrets.
- Honcho — once a provider key and the plane decision exist: create `infrastructure/compose/honcho/` (Postgres+pgvector + Honcho), verify health, then add `HONCHO_BASE_URL` to HQ01 only when wiring reflection.
- Hermes — build the current-intelligence runtime over the existing curated YAML; the largest, most doctrine-laden of the four.
- MemPalace — build the verbatim archive/index last; it depends on the report/artifact corpus the earlier stages enrich.
(Recommend the traefik login gate before any of the above, given public exposure.)
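
A sketch of the recommended gate as a traefik v2 file-provider dynamic configuration. This is an added example, not taken from the AAF repository: the router, middleware and service names, the hostname, the `websecure` entrypoint, the htpasswd path and the backend URL are all assumptions.

```yaml
# Added example: traefik v2 dynamic configuration (file provider).
# All names, the hostname, paths and the backend URL are assumed placeholders.
http:
  middlewares:
    hq01-auth:                      # hypothetical middleware name
      basicAuth:
        # htpasswd-format file mounted into the traefik container;
        # create entries with bcrypt hashes, e.g. `htpasswd -B`.
        usersFile: /etc/traefik/secrets/hq01.htpasswd
        realm: HQ01
        # Strip the Authorization header so credentials are not
        # forwarded to the HQ01 backend.
        removeHeader: true

  routers:
    hq01:                           # hypothetical router name
      rule: "Host(`hq01.example.internal`)"   # placeholder hostname
      entryPoints:
        - websecure                 # assumed TLS entrypoint name
      tls: {}                       # serve basic auth only over TLS
      middlewares:
        - hq01-auth                 # every route to HQ01 passes the gate
      service: hq01

  services:
    hq01:
      loadBalancer:
        servers:
          # HQ01 runs on the host at :4000; this address assumes the
          # container maps host.docker.internal to host-gateway.
          - url: "http://host.docker.internal:4000"
```

The gate only holds if `:4000` is not reachable from outside except through traefik, so bind or firewall the port accordingly. Once applied, an unauthenticated request to any HQ01 route should return `401`.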