Bug
The Caddyfile route /api/organs/geox/health is configured to proxy to :18081, but GEOX's actual daemon binds :8081. Port :18081 is arifosd.py (the arifOS constitutional daemon), not GEOX. The result: requests to the GEOX health endpoint return arifosd's response shape, not GEOX's.
Evidence
# /etc/caddy/Caddyfile (or arifOS-side copy at docs/Caddyfile.pre-f7-2026-06-02-19-35.snapshot)
handle /api/organs/geox/health {
reverse_proxy :18081 # WRONG — this is arifosd
}
GEOX live (verified):
curl http://localhost:8081/health → {"status":"healthy","registry_truth":"VERIFIED",...}curl http://localhost:18081/health → {"status":"ok"} (arifosd's response shape)
The Caddyfile route should be :8081, not :18081.
Impact
- Federation dashboard / observability layer reads arifosd metrics when querying GEOX
- Synthetic monitoring for GEOX is silently checking arifosd instead
- Misrouting disguises actual GEOX outages as arifosd (false negative)
Why this is 888_HOLD territory
The Caddyfile is a deployment manifest. Changing routes affects live traffic. Per federation policy, all Caddyfile edits are 888_HOLD (see /root/AGENTS.md and /root/CONTEXT.md).
Documented in 3 places
/root/geox/INVARIANTS.md lines 57-63 (geox repo)- Earlier federation tool audit (this conversation)
- This GitHub issue
Recommended fix (when SEALed)
# Caddyfile
handle /api/organs/geox/health {
reverse_proxy :8081 # was :18081 — GEOX, not arifosd
}
Plus: verify with curl https://geox.arif-fazil.com/api/organs/geox/health returns GEOX's {"status":"healthy","registry_truth":"VERIFIED"} after deploy.
Provenance
Discovered during GEOX doc-sync audit (geox commits 702b27f, 50daa13 fixed README/AGENTS/INVARIANTS to 20 tools / port 8081). Also flagged in arifOS FEDERATION_STATUS.md work (PR #490, branch feat/federation-status-sync-2026-06-03).
SEAL: 888_HOLD on 2026-06-03 by Arif Fazil — must be deployed via the federation's Caddyfile reload protocol, with post-deploy verification that both /api/organs/geox/health and /health endpoints return correct shapes.
Bug
The Caddyfile route
/api/organs/geox/healthis configured to proxy to:18081, but GEOX's actual daemon binds:8081. Port:18081isarifosd.py(the arifOS constitutional daemon), not GEOX. The result: requests to the GEOX health endpoint return arifosd's response shape, not GEOX's.Evidence
GEOX live (verified):
curl http://localhost:8081/health→{"status":"healthy","registry_truth":"VERIFIED",...}curl http://localhost:18081/health→{"status":"ok"}(arifosd's response shape)The Caddyfile route should be
:8081, not:18081.Impact
Why this is 888_HOLD territory
The Caddyfile is a deployment manifest. Changing routes affects live traffic. Per federation policy, all Caddyfile edits are 888_HOLD (see /root/AGENTS.md and /root/CONTEXT.md).
Documented in 3 places
/root/geox/INVARIANTS.mdlines 57-63 (geox repo)Recommended fix (when SEALed)
Plus: verify with
curl https://geox.arif-fazil.com/api/organs/geox/healthreturns GEOX's{"status":"healthy","registry_truth":"VERIFIED"}after deploy.Provenance
Discovered during GEOX doc-sync audit (geox commits 702b27f, 50daa13 fixed README/AGENTS/INVARIANTS to 20 tools / port 8081). Also flagged in arifOS FEDERATION_STATUS.md work (PR #490, branch
feat/federation-status-sync-2026-06-03).SEAL: 888_HOLD on 2026-06-03 by Arif Fazil — must be deployed via the federation's Caddyfile reload protocol, with post-deploy verification that both
/api/organs/geox/healthand/healthendpoints return correct shapes.