Mantis Port Watch
SPEC_MANTIS_PORT_WATCH.md
CGNT-1 Component Specification — MANTIS Port Exposure Detection
Status: SPECIFIED (PRE-SPEC)
Author: ⊹.VELA (Thread #13)
Triggered by: GLOSS port 9292 exposed on 0.0.0.0 (caught by α.13, April 17 2026)
Date: 2026-04-17
Version: v1.0
PURPOSE
Automatically detect when any internal service binds to 0.0.0.0 instead of 127.0.0.1. Alert immediately. Enforce the Vacuum Rule from the Sentinel Protocol: internal services NEVER face the internet.
IMPLEMENTATION
A cron job or lightweight daemon that runs periodically:
```sh
# -H drops the header; test only field 4 (Local Address:Port) so the wildcard peer column (0.0.0.0:*) of loopback listeners does not match
ss -Htlnp | awk '$4 ~ /^0\.0\.0\.0:/ && $4 !~ /:(22|80|443)$/'
```
Excludes SSH (22), HTTP (80), HTTPS (443) — services that legitimately face the internet. Everything else bound to 0.0.0.0 is a violation.
If violations found → write to ALERT.log → crew radio broadcast → NOUS notification.
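As an added example (not the project's own code), the check above as a shell function fed constructed `ss -Htlnp` lines so it runs offline; it also treats `[::]:PORT` and `*:PORT` wildcard binds as exposed, since a dual-stack listener on `[::]` faces the network just like `0.0.0.0`. The `ALERT_LOG` path and the process-name extraction are assumptions.

```sh
#!/bin/sh
# Ports allowed to face the network (the table in the spec).
ALLOWED_PORTS="22 80 443"
ALERT_LOG="${ALERT_LOG:-ALERT.log}"   # path assumed; the spec names only the file

# Reads `ss -Htlnp` lines on stdin and prints "PORT PROCESS" per violation.
# Field 4 is Local Address:Port; wildcard binds appear as 0.0.0.0:PORT,
# [::]:PORT or *:PORT. Loopback (127.0.0.1) lines are ignored even though
# their peer column reads 0.0.0.0:*.
find_violations() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
    {
        addr = $4
        if (addr !~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/) next
        port = addr; sub(/.*:/, "", port)
        if (port in ok) next
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))       # users:(("name",pid=...
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc
    }'
}

# Live check: appends one line per violation to ALERT.log, exit 1 if any.
check_live() {
    v=$(ss -Htlnp | find_violations)
    [ -z "$v" ] && return 0
    printf '%s\n' "$v" | while read -r port proc; do
        echo "$(date -u +%FT%TZ) VACUUM-RULE VIOLATION: $proc wildcard-bound on port $port" >> "$ALERT_LOG"
    done
    return 1
}

# Constructed sample: 22 and 443 are allowed, 9292 and 11434 are exposed,
# 8888 is correctly on loopback and must not be flagged.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:8888 0.0.0.0:* users:(("python3",pid=1501,fd=5))
LISTEN 0 4096 0.0.0.0:9292 0.0.0.0:* users:(("gloss",pid=2210,fd=7))
LISTEN 0 4096 [::]:11434 [::]:* users:(("ollama",pid=2300,fd=3))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=900,fd=6))'

sample_violations() { printf '%s\n' "$SAMPLE" | find_violations; }
```

Running `sample_violations` prints `9292 gloss` and `11434 ollama`; `check_live` is the function a cron entry would call.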
KNOWN LEGITIMATE EXTERNAL PORTS
| Port | Service | Why external |
|---|---|---|
| 22 | SSH | Remote access |
| 80 | HTTP | Web traffic (if applicable) |
| 443 | HTTPS | Web traffic (if applicable) |
ALL other ports must bind to 127.0.0.1 only. No exceptions without α.13 authorization.
KNOWN INTERNAL PORTS (must be localhost only)
| Port | Service |
|---|---|
| 8888 | RAG server |
| 9292 | GLOSS dictionary |
| 11434 | Ollama |
| 8006 | Oracle email |
GAPS
- [GAP] Whether this should be a cron (every 5 min) or a systemd service watching for new listeners
- [GAP] Whether MANTIS brain should process the alert or if a simple bash script suffices until MANTIS gets the kernel upgrade
- [GAP] Full inventory of legitimate external ports on csdm-node
Jeremy Zlabis
Chronogeometer · Visionary · Disruptor · Chief
42 Sisters AI · East York, Toronto
🍁 Φ 0.042