Ports Topology — Full Audit

Overview

This map covers EVERY listening TCP port on the VPS, all 16 active user-systemd services, all 8 PM2 processes, and all 41 disabled user-systemd units (kept here for reference per Henry’s Q5 directive). Verified by 3 parallel Sonnet sub-agents on 2026-05-04 ~12:20 UTC.

At a glance: 48 listening ports · 8 PM2 procs · 16 active systemd-user services · 41 disabled systemd-user units · 1 webhook DOWN (18801 Gmail Push) · 6 drift findings.

---

Diagram — Live ports by exposure zone

graph TB
    classDef pub fill:#fee,stroke:#c33,color:#000
    classDef tail fill:#ddf,stroke:#33c,color:#000
    classDef loop fill:#dfd,stroke:#3c3,color:#000
    classDef pm2 fill:#fec,stroke:#c93,color:#000
    classDef down fill:#999,stroke:#600,color:#fff,stroke-dasharray: 5 5
    classDef nginx fill:#ffd,stroke:#993,color:#000

    INET[Internet]
    CF[Cloudflare Tunnel<br/>webhook.reri.co]
    TS[Tailscale Tailnet<br/>100.85.89.1]

    subgraph webhooks_pub["Public Webhook Handlers (Cloudflare-fronted)"]
        P18790["**:18790** hubspot-handler<br/>PM2: hubspot"]:::pm2
        P18793["**:18793** salesmessage-handler<br/>PM2: salesmsg"]:::pm2
        P18797["**:18797** twilio-voice-handler<br/>PM2: twilio"]:::pm2
        P18792["**:18792** quo-handler-enhanced<br/>systemd: openphone-webhook"]:::loop
        P18801["**:18801** gmail-push-handler<br/>NOT RUNNING — provider unwired"]:::down
    end

    subgraph webhooks_tail["Tailscale-only Handlers"]
        P18802["**:18802** imessage-handler<br/>systemd: imessage-webhook"]:::tail
    end

    subgraph core["OpenClaw Core (loopback)"]
        P18789["**:18789** openclaw-gateway<br/>Go binary"]:::loop
        P18791["**:18791** gateway Quo dispatch<br/>same Go binary"]:::loop
        P18795["**:18795** api-proxy<br/>internal proxy-server.js"]:::loop
        P18798["**:18798** quo-mention-receiver<br/>Aurora WS trigger"]:::loop
        P18820["**:18820** hubspot-webhook-bridge<br/>NOT 'Atlas dormant'"]:::loop
    end

    subgraph llm["LLM Dispatch (loopback)"]
        P18900["**:18900** portkey-proxy<br/>per-agent cost attribution"]:::loop
        P18903["**:18903** anthropic-max-router<br/>teamsteph Max plan ⚠ wildcard bind"]:::pub
        P18910["**:18910** claude-max-api-proxy<br/>teamsteph"]:::loop
        P18911["**:18911** RESERVED<br/>henryRERI Max plan"]:::down
    end

    subgraph wildcard["Wildcard-public (no CF, no FUNNEL)"]
        P18794["**:18794** discord-lovable-bridge<br/>PM2 ⚠"]:::pm2
        P18796["**:18796** salesmsg-openclaw-gateway<br/>internal SMS gateway ⚠"]:::pub
        P18799["**:18799** lovable-api-server<br/>PM2 ⚠"]:::pm2
        P18812["**:18812** broadcast-audit<br/>response audit UI ⚠"]:::pub
        P3001["**:3001** openphone-webhook-receiver<br/>workspace-dispo fork ⚠"]:::pub
        P3100["**:3100** ops-dashboard<br/>static serve"]:::pub
        P8080["**:8080** code-server@opsadmin<br/>VSCode in browser"]:::pub
    end

    subgraph nginx_zone["nginx-fronted"]
        P80["**:80** nginx HTTP redirect"]:::nginx
        P443ts["**:443** tailscaled TLS<br/>Tailscale-only"]:::tail
        P8443["**:8443** nginx upstream"]:::nginx
        P8444["**:8444** nginx upstream alt"]:::nginx
        P18804["**:18804** nginx fronts :18803<br/>RERI Dispo Model"]:::nginx
        P18810["**:18810** nginx alt vhost ⚠ 500"]:::nginx
        P18803["**:18803** reri-dispo-model<br/>landing page"]:::loop
    end

    subgraph aurora_internal["Aurora internal services"]
        P3847["**:3847** aurora-webhook<br/>NOT 'IL gateway 3848'"]:::loop
        P8890["**:8890** aurora-dashboard"]:::loop
        P8891["**:8891** deals-api"]:::loop
    end

    subgraph infra["Infra / Observability (loopback)"]
        P6379["**:6379** redis"]:::loop
        P19999["**:19999** netdata UI"]:::loop
        P20241["**:20241** cloudflared control"]:::loop
        P4317["**:4317** otel-plugin gRPC"]:::loop
        P8125["**:8125** netdata StatsD"]:::loop
        P53["**:53** systemd-resolved"]:::loop
        P9050["**:9050** tor SOCKS<br/>retire candidate"]:::loop
        P65529["**:65529** monarx-agent<br/>Hostinger security"]:::loop
        P631["**:631** cupsd<br/>retire candidate"]:::pub
        P22["**:22** sshd<br/>Tailscale-fronted"]:::pub
    end

    subgraph open_webui["UI services"]
        P3000["**:3000** open-webui<br/>Tailscale-only"]:::tail
    end

    INET --> CF
    INET --> TS

    CF -->|HMAC v1| P18790
    CF -->|HMAC v1| P18792
    CF -->|"?secret query token"| P18793
    CF -->|HMAC-SHA1| P18797
    CF -.->|"DOWN — 502s"| P18801

    TS -->|query token| P18802
    TS --> P3000
    TS --> P443ts
    TS --> P22

    P18790 --> P18789
    P18792 --> P18789
    P18793 --> P18789
    P18797 --> P18789
    P18802 --> P18789
    P18789 --> P18900
    P18900 -->|virtual-key per agent| AN[Anthropic / OpenAI / Moonshot]
    P18900 -.->|local shortcut| P18903
    P18789 --> P18791
    P18900 --- P6379

    P80 --> P18804
    P18804 --> P18803

Read this when: troubleshooting webhook connectivity, adding a new service per G-SERVICE-PRE-START-DOC, or verifying which handlers are CF-fronted vs loopback-only.

---

Live port inventory (48 ports — verified 2026-05-04)

Public webhook handlers (CF Tunnel-fronted)

Port	PID	User	Process	Manager	Health	Notes
18790	1926	opsadmin	hubspot-handler.js	PM2 id=3	200	HubSpot + DocuSign + Make + OAuth callback
18792	4072	opsadmin	quo-handler-enhanced.js	systemd-user openphone-webhook	200	OpenPhone/Quo SMS + calls
18793	1918	opsadmin	salesmessage-handler-v4-complete.js	PM2 id=2	200	SalesMsg (query-token auth, NOT HMAC)
18797	1909	opsadmin	twilio-voice-handler.js	PM2 id=1	200	Twilio voice + SMS (HMAC-SHA1 dual-host)
18801	—	—	gmail-push-handler.js	(none — DOWN)	000	🚨 NOT RUNNING — provider unwired
18802	2328	opsadmin	imessage-handler.js	systemd-user imessage-webhook	200	BlueBubbles, Tailscale-only

OpenClaw core (loopback)

Port	PID	User	Process	Manager	Health	Notes
18789	3514	opsadmin	openclaw-gateway (Go)	systemd-user openclaw-gateway	TCP	Central LLM dispatch
18791	3514	opsadmin	openclaw-gateway (same)	systemd-user openclaw-gateway	401	Internal Quo dispatch
18795	979	opsadmin	api-proxy/proxy-server.js	systemd-system openclaw-api-proxy	200	Internal API proxy
18798	2347	opsadmin	quo-mention-receiver.js	systemd-user quo-mention-receiver	200	Aurora Quo trigger
18820	971	opsadmin	hubspot-webhook-bridge.js	systemd-system hubspot-webhook-bridge	200	⚠ NOT “Atlas dormant” — CLAUDE.md drift

LLM dispatch

Port	PID	User	Process	Manager	Health	Notes
18900	2340	opsadmin	portkey-proxy/proxy.js	systemd-user portkey-proxy	200	Per-agent cost attribution
18903	2272	opsadmin	anthropic-max-router	systemd-user anthropic-max-router	200	⚠ binds wildcard, registry says loopback
18910	2305	opsadmin	claude-max-api-proxy	systemd-user claude-max-api-proxy@teamsteph	200	teamsteph Max plan
18911	reserved	—	—	—	—	Reserved for henryRERI Max plan

Wildcard-public (no CF, no FUNNEL — ⚠ governance gaps)

Port	PID	User	Process	Manager	Health	Notes
18794	964	opsadmin	discord-lovable-bridge.js	PM2 id=7	200 (no /health)	⚠ wildcard bind, no FUNNEL entry
18796	9377	opsadmin	salesmsg-openclaw-gateway.js	systemd-system salesmsg-gateway	200	⚠ internal SMS gateway, wildcard
18799	1904	opsadmin	lovable-api-server.js	PM2 id=0	200	⚠ wildcard bind
18812	2277	opsadmin	broadcast-audit-server.js	systemd-user broadcast-audit	404	⚠ wildcard bind
3001	980	opsadmin	workspace-dispo/openphone-webhook-receiver.js	systemd-system openphone-dispo-webhook?	200	⚠ duplicate openphone path?
3100	2309	opsadmin	serve -s dist -l 3100	systemd-user ops-dashboard	200	static UI
8080	1911	opsadmin	code-server	systemd-system code-server@opsadmin	401	⚠ wildcard bind

nginx-fronted

Port	PID	User	Process	Manager	Health	Notes
80	1036+	www-data	nginx	systemd-system	401	HTTP entry
443	998	root	tailscaled	systemd-system	TCP	Tailscale TLS
8443	1036+	www-data	nginx	systemd-system	400	upstream
8444	1036+	www-data	nginx	systemd-system	404	upstream alt
18803	2345	opsadmin	reri-dispo-model/server.js	systemd-user reri-dispo-page	200	Behind nginx :18804
18804	1036+	www-data	nginx fronts :18803	systemd-system	200	RERI Dispo Model
18810	1036+	www-data	nginx alt vhost	systemd-system	500	⚠ misconfigured upstream

Aurora internal

Port	PID	User	Process	Manager	Health	Notes
3847	956	opsadmin	aurora webhook-server.js	systemd-system aurora-webhook	200	⚠ CLAUDE.md says 3848 IL gateway — WRONG
8890	955	opsadmin	dashboard-server.py	systemd-system aurora-dashboard	404	Python dashboard
8891	963	opsadmin	api-server.js	systemd-system deals-api	404	deals API

Infra / observability (loopback)

Port	PID	User	Process	Manager	Notes
22	1030	root	sshd	systemd	Tailscale-fronted
53	887	systemd-resolve	systemd-resolved	systemd	DNS
631	2578	root	cupsd	systemd	⚠ retire candidate (215 MB)
4317	3762	netdata	otel-plugin	systemd	OpenTelemetry gRPC
6379	984	redis	redis-server	systemd	Cache
8125	976	netdata	netdata StatsD	systemd	Metrics
9050	1094	debian-tor	tor SOCKS	systemd	⚠ retire candidate (101 MB)
19999	976	netdata	netdata UI	systemd	Loopback HTTP
20241	959	root	cloudflared control	systemd	Tunnel control plane
65529	1009	root	monarx-agent	systemd	Hostinger security agent

UI

Port	PID	User	Process	Manager	Notes
3000	2293	opsadmin	open-webui	systemd-user openwebui	Tailscale-only

Ephemeral (VSCode Remote-SSH session)

Port	Process	Notes
5174	playwright-mcp (npx session)	ephemeral
41255 / 50408 / 60704	VSCode extension host children	ephemeral
46043	VSCode command-shell	ephemeral
58306 / 63551	tailscaled control + IPv6	infra-internal

---

All 41 disabled user-systemd units (Q5 — for reference)

Bucket A — Enable now (6 — drift / governance gaps)

Unit	ExecStart (≤80)	Bucket reason
regen-plan-index + .timer	tools/regen-plan-index.sh	G-PLAN-INDEX-REQUIRED governance gap
tool-calls-health-check.timer	scripts/tool-calls-health-check.js	POSTGRES-CHOKEPOINT-1 / G-DRIFT-LIVE gap
omni-contact-resolver.timer	scripts/workers/contact-resolver.js	Pipeline gap (linker runs, resolver doesn’t)
gmail-attachment-sync.timer	scripts/gmail-attachment-sync.js	Daily 03:00 PDF→HubSpot sync never fires
deal-outreach-auto-approver	scripts/workers/deal-outreach-auto-approver.js	Service disabled, timer firing every 10 min — paperwork drift
omni-conversation-linker	scripts/workers/conversation-linker.js	Same — service disabled, timer firing hourly

Bucket B — Keep disabled (timer-driven oneshots) (22)

acquisitions-perplexity-intel, atlas-perplexity-intel, audit-weekly-triage, coordinate-plans-heartbeat, dispo-perplexity-intel, email-deal-intake, email-signal-stage-updater ⚠ (--dry-run baked in), escrow-deadline-reminder, gmail-email-harvest, gmail-label-worker, investorlift-cookie-refresh, master-env-backup, openclaw-vault-pull, openclaw-vault-sync, osil-outcome-refresh, osil-reflexion-runner, osil-trajectory-capture, perplexity-daily-summary, perplexity-intel-cleanup, perplexity-kb-refresh, research-perplexity-intel, vendor-audit-url-verify, vendor-audit-weekly.

All timers active and firing today. Cosmetic-only enable pass would make systemctl is-enabled honest.

Bucket C — Keep disabled (manual on-demand) (6)

Unit	Blocked on
bettertrading-daemon (port 18798 conflict?)	”Activate BetterTrading stack” decision
bettertrading-dashboard ⚠ no package.json at WorkingDir root	Same
dispo-email-ui (port 18798)	TC ops on-demand
dispo-template-watcher	Airtable→SalesMsg workflow validation
investorlift-gateway (port 3848 if enabled)	Phase 1.5 confirms IL SSH-to-Mac is the active pattern
prediction-ingestor	”Activate BetterTrading stack”

Bucket D — Retire candidates (7)

Unit	Why retire
betterfiles-chat	Zero history, plan refs are April migration audits only
code-server (port 8080)	VS Code Remote-SSH is the active dev pattern
ollama-bridge	Plan ref is ARCHIVED; superseded by Portkey routing
openphone-dispo-webhook (port 3001)	Workspace-dispo fork; conflicts with active port-18792 handler
property-view-watcher	Only plan ref is in _archived/
systemd-tmpfiles-setup	System-scope unit miscreated in user scope
trigger-dev-worker	npx trigger.dev@latest dev mode = version drift risk

---

⚠ Drift findings (CLAUDE.md vs live)

#	CLAUDE.md / registry says	Live state	Severity
D1	3848 → InvestorLift Gateway → investorlift-gateway-server.js	Port 3847 is aurora-webhook.service (webhook-server.js); IL gateway is in Bucket C disabled	HIGH — wrong port AND wrong process
D2	18820 → Atlas iMessage bridge — dormant 2+ months	Live PID 971 is hubspot-webhook-bridge.js (HubSpot bridge, not Atlas)	HIGH — wrong attribution
D3	18790 → systemd hubspot-webhook.service	Live manager is PM2 id=3 (matches FUNNEL-REGISTRY, conflicts CLAUDE.md)	MEDIUM — manager mislabel
D4	port-registry.md says 18903 loopback-only	Live binds wildcard (0.0.0.0+IPv6)	MEDIUM — security gap (Max router exposed)
D5	FUNNEL-REGISTRY /webhook/gmail-push approved-pending-harden	Handler DOWN; provider unwired; status stale	HIGH — silent failure path
D6	nginx :18810 expected to serve content	Returns 500	LOW — broken vhost
D7	port-registry.md OpenPhone webhook (one entry)	TWO live processes: openphone-webhook.service (user, :18792, canonical) + openphone-webhook system unit (:3001, workspace-dispo fork)	MEDIUM — duplicate naming
D8	CLAUDE.md port map = 9 rows	48 live ports	KNOWN — port-registry.md (Phase 1.5) is the canonical replacement; CLAUDE.md row count remains intentionally condensed

---

Drift fixes (proposed — no edits made)

Each is a one-line registry / map change, not a service action. Awaiting Henry approval per action gate.

1. D1 fix — CLAUDE.md port-map: change 3848 | InvestorLift Gateway → 3847 | Aurora Webhook (webhook-server.js). Add (InvestorLift Gateway disabled — see Bucket C) note.
2. D2 fix — CLAUDE.md port-map: change 18820 | Atlas iMessage bridge → 18820 | HubSpot Webhook Bridge (hubspot-webhook-bridge.js).
3. D3 fix — CLAUDE.md port-map: change 18790 → systemd hubspot-webhook.service → 18790 → PM2 (hubspot).
4. D4 fix — Investigate why anthropic-max-router binds wildcard; either restrict to loopback or update port-registry.md to acknowledge (and add firewall rule).
5. D5 fix — FUNNEL-REGISTRY: change Gmail Push status to pending-provider-config until GCP setup completes (per Q4-revised). Or remove if Henry picks B-pivot.
6. D6 fix — Investigate nginx vhost for :18810 — may be a stale upstream pointing to a dead service.
7. D7 fix — port-registry.md: add explicit row for the workspace-dispo openphone receiver at :3001; flag as Bucket D retire-candidate.

---

Related

• request-lifecycle — message path through these ports
• agents-tier-structure — agents live behind :18789
• governance-gates-network — G-SERVICE-PRE-START-DOC + G-PLAN-INDEX-REQUIRED gate new ports
• port-registry.md — canonical source (Phase 1.5)
• FUNNEL-REGISTRY.md — public webhook paths
• CLAUDE.md — Webhook Service Port Map (condensed view, with D1-D3 drift)