Port Registry
MOC pointing at the canonical single source of truth for all OpenClaw listening ports on the Hetzner VPS (srv1347501, IP 100.85.89.1 on Tailscale). The canonical file is [[workspace/port-registry]] — this hub adds live-state metadata, cluster context, cross-links, and governance flags. Read this hub when planning new services, auditing exposure, or diagnosing port conflicts. Owner: Henry Hill / Claude Opus 4.7.
Quick reference
| Field | Value |
|---|---|
| Canonical file | [[workspace/port-registry]] (/home/opsadmin/.openclaw/workspace/port-registry.md) |
| Live state probe | `ss -tlnp \| grep -c LISTEN` |
| Documented count | 68 ports (source: port-registry 2026-05-02 audit) |
| Live count | 55 (probed: 2026-05-03) |
| Drift | -13 from documented (some registered ports may be intentionally down) |
| Last audit | 2026-05-03 |
| Drift alert | Phase 2.1 cron port-registry-audit.timer (not yet built) |
| Governance gate | G-SERVICE-PRE-START-DOC |
| Owner agent | system / claude-code |
Reserved:
127.0.0.1:18901 — allocated for NemoClaw L7 credential injection proxy (pending B1-B3 ratification per nemoclaw-audit-2026-05-03). Do NOT bind anything else to this port until B1 is ratified or formally closed.
Components
- [[workspace/port-registry]] — canonical file, all port entries, invariants, drift findings
- [[workspace/FUNNEL-REGISTRY]] — public webhook endpoints (Cloudflare Tunnel + Tailscale Funnel paths)
- [[workspace/ARCHITECTURE]] — service table cross-reference
- [[wiki/_hubs/systems/webhook-architecture]] — webhook-specific port view (18790, 18792, 18793, 18797, 18801)
- [[wiki/_hubs/systems/service-registry]] — per-service systemd/PM2 metadata keyed to ports
- [[wiki/system-map/tier1/ports-topology]] — visual topology map (99 incoming links)
- [[workspace/scripts/port-registry-audit.sh]] — TODO Phase 2.1 audit script
Reserved port ranges
| Range | Purpose |
|---|---|
| 18789–18791 | OpenClaw gateway core (entry + internal dispatch) |
| 18790, 18792–18799, 18801–18803, 18812 | Webhook handlers (HubSpot, OpenPhone, SalesMsg, Twilio, Gmail, BlueBubbles) |
| 18820 | Atlas bridge (dormant) |
| 18901 | RESERVED — NemoClaw cred-proxy (pending B1-B3 ratification) |
| 18900–18903, 18910–18911 | LLM dispatch / proxy / max-plan workers |
| 8890–8891 | Aurora dashboard / internal UIs |
| 3000–3100, 3847 | Public-facing static pages, Open WebUI, IL gateway |
Live state snapshot (2026-05-03)
| Metric | Documented | Live (probed) | Drift | Status |
|---|---|---|---|---|
| Total LISTEN count | 68 | 55 | −13 | drifted (some registered ports intentionally down) |
| Undocumented listeners | 0 | 6 | — | flagged (see below) |
| Wildcard-public ⚠ unregistered | 0 | 4 | — | security-review needed |
| Reserved 18901 (NemoClaw) | 1 (reserved) | 0 | — | correct (not yet deployed) |
Live listeners summary (2026-05-03 probe)
System / kernel:
:22 (sshd) · :53 (systemd-resolved) · :80 (nginx) · :443/Tailscale · :631 (cupsd — hardening candidate) · :6379 (redis) · :9050 (tor — disable candidate)
OpenClaw application (confirmed live):
:18789/:18791 (openclaw-gateway) · :18790 (hubspot-handler.js) · :18792 (quo-handler-enhanced.js) · :18793 (salesmessage-handler-v4-complete.js) · :18794 (discord-lovable-bridge) · :18795 (api-proxy) · :18796 (salesmsg-gateway) · :18797 (twilio-voice-handler.js) · :18798 (quo-mention-receiver) · :18799 (lovable-api-server) · :18802 (imessage-handler) · :18803 (reri-dispo-model) · :18804 (nginx upstream) · :18810 (nginx alt) · :18812 (broadcast-audit-server) · :18820 (atlas-bridge, dormant)
LLM dispatch (confirmed live):
:18900 (portkey-proxy) · :18903 (anthropic-max-router) · :18910 (claude-max-api-proxy, idle)
Public-facing UIs:
:3000/Tailscale (open-webui) · :3001 ⚠ undocumented · :3100 ⚠ undocumented · :5174 ⚠ undocumented · :8080 ⚠ undocumented
Observability:
:4317 (OTel gRPC) · :8125 (netdata StatsD) · :8443/:8444 (nginx HTTPS upstream) · :8890 (aurora-dashboard) · :8891 ⚠ undocumented · :19999 (netdata) · :20241 (cloudflared control)
⚠️ Undocumented listeners (security-review needed)
| Port | PID | Bind | Notes |
|---|---|---|---|
| 3001 | 988 | wildcard | Wildcard public — needs audit |
| 3100 | 1673 | wildcard | Wildcard public — needs audit |
| 5174 | 4939 | wildcard | Wildcard public — needs audit |
| 8080 | 1879 | wildcard | Wildcard public — needs audit |
| 8891 | 971 | loopback | Loopback — lower risk, still needs ID |
| 40283 | 3050 | loopback | Ephemeral / VSCode-related, low risk |
How it’s used
- Before starting any new service: add entry to [[workspace/port-registry]] FIRST (G-SERVICE-PRE-START-DOC violation if skipped)
- Port conflict resolution: `ss -tlnp | grep :<port>` + cross-reference this registry
- Security posture review: compare wildcard-public ports against FUNNEL-REGISTRY — any non-tunnel wildcard-public port is a finding
- Drift detection: Phase 2.1 cron `port-registry-audit.timer` will auto-diff registry vs live state daily at 06:00 PT
- Failure mode: silent new listener on undocumented port → potential data exfil or conflict with production handler
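The conflict-check, security-posture-review and drift-detection steps above can be combined into one audit pass. The script below is an added example, not the project's own `port-registry-audit.sh` (which this hub lists as still to be built): it parses `ss -tlnp` output, compares it against a list of documented ports, and reports undocumented listeners, the wildcard-bound subset that needs security review, and documented ports with no live listener. The `ss` output and the registry list embedded in it are constructed samples, and the function names (`live_listeners`, `undocumented_listeners`, `wildcard_unregistered`, `registered_but_down`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's port-registry-audit.sh): diff a list of
# documented ports against `ss -tlnp` output and classify the drift.

# Constructed sample of `ss -tlnp` output (not a real probe of the VPS).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:18789     0.0.0.0:*         users:(("node",pid=1234,fd=20))
LISTEN 0      511    0.0.0.0:3001        0.0.0.0:*         users:(("node",pid=988,fd=19))
LISTEN 0      511    *:8080              *:*               users:(("python3",pid=1879,fd=5))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=700,fd=3))
LISTEN 0      128    127.0.0.1:8891      0.0.0.0:*         users:(("node",pid=971,fd=18))'

# Constructed registry: one documented port per line. The real registry is a
# markdown table in workspace/port-registry.md; extracting its port column is
# left to the caller.
SAMPLE_REGISTRY='22
18789
18790'

# live_listeners SS_OUTPUT: prints "port bind pid" for every LISTEN socket.
# bind is "wildcard" for 0.0.0.0 / * / [::], "loopback" for 127.x / [::1],
# and "specific" for anything else (e.g. a Tailscale address).
live_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]") bind = "wildcard"
            else if (host ~ /^127\./ || host == "[::1]") bind = "loopback"
            else bind = "specific"
            pid = "?"
            if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
            print port, bind, pid
        }' | sort -u
}

# undocumented_listeners SS_OUTPUT REGISTRY: live listeners whose port is not
# in REGISTRY (the "silent new listener" failure mode).
undocumented_listeners() {
    live_listeners "$1" | while read -r port bind pid; do
        if ! printf '%s\n' "$2" | grep -qx "$port"; then
            echo "$port $bind $pid"
        fi
    done
}

# wildcard_unregistered SS_OUTPUT REGISTRY: the undocumented listeners bound
# to all interfaces, i.e. the "security-review needed" class.
wildcard_unregistered() {
    undocumented_listeners "$1" "$2" | awk '$2 == "wildcard"'
}

# registered_but_down SS_OUTPUT REGISTRY: documented ports with no live
# listener (the negative drift between documented and live counts).
registered_but_down() {
    live_ports=$(live_listeners "$1" | awk '{print $1}')
    printf '%s\n' "$2" | while read -r port; do
        [ -n "$port" ] || continue
        printf '%s\n' "$live_ports" | grep -qx "$port" || echo "$port"
    done
}

# Demo run on the constructed sample; on the host, pass "$(ss -tlnp)" and the
# registry's port column instead.
echo "undocumented listeners (port bind pid):"
undocumented_listeners "$SAMPLE_SS" "$SAMPLE_REGISTRY"
echo "wildcard-bound and unregistered (security review):"
wildcard_unregistered "$SAMPLE_SS" "$SAMPLE_REGISTRY"
echo "documented but not listening:"
registered_but_down "$SAMPLE_SS" "$SAMPLE_REGISTRY"
```

The wildcard filter is only a first cut: a wildcard bind that is fronted by Cloudflare Tunnel or Tailscale Funnel is expected, so its output should still be cross-checked against FUNNEL-REGISTRY before a port is recorded as a finding, and a loopback listener that is undocumented still needs an owner even though it is lower risk.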
Cross-links
Agents that touch this
- _summary — Aurora dispatches via gateway (:18789/:18791)
- _summary — uses gateway for Acq agent calls
- _summary — atlas-bridge dormant at :18820
Skills that invoke this
- acquisitions-outreach — routes through gateway (:18789)
- dispo-blast — routes through gateway
- il-marketplace-pull — uses port :3847 (IL gateway)
Plans that govern this
- openclaw-fragmentation-fix-2026-05-01 — Phase 1.5 port-registry.md creation
- nemoclaw-audit-2026-05-03 — B1-B3 for reserved port :18901
- vps-reboot-5-internal-cascade-F1F4-2026-05-01 — F1-F4 applied post-reboot
Feedback rules
- feedback_service_pre_start_doc — G-SERVICE-PRE-START-DOC: register before first start
- feedback_chokepoint_principle — port allocation is a chokepoint
- feedback_substrate_right_size_to_working_set — cupsd/tor hardening candidates
- feedback_no_plaintext_creds — G-NO-PLAINTEXT-CREDS applies to service unit files
KB / source docs
- README — Cloudflare Tunnel config (fronts :18790, :18792, :18793, :18797)
- README — VPS network config, Hetzner firewall rules
System maps
- ports-topology — visual port topology (tier-1 map)
- request-lifecycle — how requests flow through ports
Related cluster — System catalog
This hub is an anchor in the System catalog cluster:
- service-registry — per-service metadata
- webhook-architecture — webhook-specific subset
- mcp-registry — MCP server ports
- cloudflare — tunnel layer (fronts public webhook ports)
- hetzner — VPS host
- aws — Mac Ultra (SSH on Tailscale, not a port here)
Open issues / TODOs
- Phase 2.1: build `port-registry-audit.sh` + `port-registry-audit.timer` cron
- Audit undocumented ports: 3001, 3100, 5174, 8080, 8891 — identify owners, add to registry
- Hardening: disable cupsd (:631) on headless server (saves ~215 MB)
- Hardening: investigate and disable tor (:9050) if unused (saves ~101 MB per F2 audit M3)
- 3847 vs 3848 drift: CLAUDE.md says 3848 for IL gateway, live is 3847 — update CLAUDE.md
- NemoClaw cred-proxy (:18901): deploy once B1-B3 ratified per nemoclaw-audit-2026-05-03
- FUNNEL-REGISTRY governance: 18794, 18796, 18799, 18812 bind wildcard but not in FUNNEL-REGISTRY — security review needed
Recent activity
- 2026-05-03: system hub created (W2-S4, Wave 2), live probe executed (55 LISTEN), drift documented
- 2026-05-02: canonical `workspace/port-registry.md` created (Phase 1.5)
- 2026-05-02: port-registry audit found 6 undocumented listeners + 2 hardening candidates