layered-soul/skills/systematic-debugging/references/network-ssh-wifi-diagnostics.md

# Network / SSH / Wi-Fi diagnostic notes

Use this reference when investigating SSH/tmux lag, Wi-Fi jitter, hotspot switching, Tailscale reachability, or projector/network interference.

## Logging convention for this user

The user dislikes Desktop clutter. For repeated diagnostics, prefer one timestamped logfile under:

```bash
mkdir -p "$HOME/.local/state/hermes/net-tests"
LOG="$HOME/.local/state/hermes/net-tests/net-test-$(date +%Y%m%d-%H%M%S).log"
{ ...diagnostics...; } | tee "$LOG"
```

Use `/tmp` only for throwaway scratch output. Do not create multiple Desktop files unless explicitly requested.

## Network-switch pitfall: stale SSH sessions

When a host switches Wi-Fi networks, existing public SSH sessions may break even if the server is still reachable. Inspect live sockets before concluding the remote is down:

```bash
ss -nti '( sport = :22 or dport = :22 )'
ip -brief addr
ip route
```

Signs of a stale/broken old path include:

- socket local address from previous network, or FIN-WAIT state
- nonzero Send-Q / notsent data
- retrans/backoff
- weird PMTU collapse

A Tailscale SSH session to another host may survive the same switch if it is bound to the Tailscale path, while a public SSH session to the same or another host may die.

## Always compare public vs tailnet identities

For hosts with both public DNS and MagicDNS/tailnet DNS, resolve and test both forms:

```bash
getent ahosts osa.smilepowered.org
getent ahosts osa.taile682b7.ts.net
ip route get <public-ip>
ip route get <tailscale-ip>
tailscale ping --timeout=5s --c 5 <name>
timeout 6 bash -c '</dev/tcp/<host>/22' && echo TCP/22-open || echo TCP/22-failed
```

ICMP ping may fail while TCP/22 and `tailscale ping` work, so do not use ICMP alone as the availability test.

## Hotspot/router gateway test

Do not hardcode the gateway when comparing Wi-Fi vs phone hotspot. Derive it from the current route:

```bash
GW=$(ip route show default | awk '{print $3; exit}')
ping -c 80 -i 0.1 "$GW"
ping -c 80 -i 0.1 1.1.1.1
```

For the user's tested setup, home Wi-Fi used `192.168.1.1`, while phone hotspot `osa` used `10.91.179.29`. A script hardcoded to `192.168.1.1` falsely reports gateway loss after switching to the hotspot.

## Useful single-log command skeleton

```bash
mkdir -p "$HOME/.local/state/hermes/net-tests"
LOG="$HOME/.local/state/hermes/net-tests/ssh-wifi-$(date +%Y%m%d-%H%M%S).log"
{
  date
  echo '## wifi/default route'
  ip -brief addr show wlp1s0 || true
  ip route || true
  nmcli -f GENERAL.CONNECTION,GENERAL.DEVICE,GENERAL.STATE,GENERAL.METERED,IP4.ADDRESS,IP4.GATEWAY,IP4.DNS device show wlp1s0 2>/dev/null || true
  nmcli -f IN-USE,SSID,BSSID,CHAN,FREQ,RATE,SIGNAL,BARS,SECURITY dev wifi list --rescan no 2>/dev/null || true

  echo '## tailscale'
  tailscale status 2>&1 || true
  tailscale netcheck 2>&1 || true

  echo '## routes and sockets'
  ss -nti '( sport = :22 or dport = :22 )' 2>/dev/null || true

  GW=$(ip route show default | awk '{print $3; exit}')
  for target in "$GW" 1.1.1.1 ${DOMEDOG_TS_IP}; do
    echo "--- ping $target"
    ping -c 30 -i 0.2 "$target" 2>&1 | tail -8 || true
  done
} | tee "$LOG"
echo "$LOG"
```
Populate layered-soul: identity, memories, skills, plan (Hermes & Sam) - SOUL.md: full agent identity, operating principles, voice - IDENTITY.md: runtime identity, hosts, boundaries - USER.md: operator context imported from hermes-soul - AGENTS.md: actual operating rules, infrastructure, quick reference - memories/curated/: 5 topics (tailscale, forgejo, agents, projects, vaultwarden) - skills/: 9 cross-harness skills imported from hermes-soul after review - docs/PLAN-CONFIGURE-PRIVATE-REPO.md: configuration plan - Validate: passes clean 2026-06-14 00:21:26 +02:00			`# Network / SSH / Wi-Fi diagnostic notes`

			`Use this reference when investigating SSH/tmux lag, Wi-Fi jitter, hotspot switching, Tailscale reachability, or projector/network interference.`

			`## Logging convention for this user`

			`The user dislikes Desktop clutter. For repeated diagnostics, prefer one timestamped logfile under:`

			```bash
			`mkdir -p "$HOME/.local/state/hermes/net-tests"`
			`LOG="$HOME/.local/state/hermes/net-tests/net-test-$(date +%Y%m%d-%H%M%S).log"`
			`{ ...diagnostics...; } \| tee "$LOG"`
			```

			Use `/tmp` only for throwaway scratch output. Do not create multiple Desktop files unless explicitly requested.

			`## Network-switch pitfall: stale SSH sessions`

			`When a host switches Wi-Fi networks, existing public SSH sessions may break even if the server is still reachable. Inspect live sockets before concluding the remote is down:`

			```bash
			`ss -nti '( sport = :22 or dport = :22 )'`
			`ip -brief addr`
			`ip route`
			```

			`Signs of a stale/broken old path include:`
docs: apply Prettier to current markdown (Sam & Codex) Normalize markdown formatting after the latest main updates.\n\nChecks: python3 scripts/layered_soul.py validate .; npx --yes prettier@3 --check '*/.md'; git diff --check. 2026-06-14 01:48:32 +02:00
Populate layered-soul: identity, memories, skills, plan (Hermes & Sam) - SOUL.md: full agent identity, operating principles, voice - IDENTITY.md: runtime identity, hosts, boundaries - USER.md: operator context imported from hermes-soul - AGENTS.md: actual operating rules, infrastructure, quick reference - memories/curated/: 5 topics (tailscale, forgejo, agents, projects, vaultwarden) - skills/: 9 cross-harness skills imported from hermes-soul after review - docs/PLAN-CONFIGURE-PRIVATE-REPO.md: configuration plan - Validate: passes clean 2026-06-14 00:21:26 +02:00			`- socket local address from previous network, or FIN-WAIT state`
			`- nonzero Send-Q / notsent data`
			`- retrans/backoff`
			`- weird PMTU collapse`

			`A Tailscale SSH session to another host may survive the same switch if it is bound to the Tailscale path, while a public SSH session to the same or another host may die.`

			`## Always compare public vs tailnet identities`

			`For hosts with both public DNS and MagicDNS/tailnet DNS, resolve and test both forms:`

			```bash
			`getent ahosts osa.smilepowered.org`
			`getent ahosts osa.taile682b7.ts.net`
			`ip route get <public-ip>`
			`ip route get <tailscale-ip>`
			`tailscale ping --timeout=5s --c 5 <name>`
			`timeout 6 bash -c '</dev/tcp/<host>/22' && echo TCP/22-open \|\| echo TCP/22-failed`
			```

			ICMP ping may fail while TCP/22 and `tailscale ping` work, so do not use ICMP alone as the availability test.

			`## Hotspot/router gateway test`

			`Do not hardcode the gateway when comparing Wi-Fi vs phone hotspot. Derive it from the current route:`

			```bash
			`GW=$(ip route show default \| awk '{print $3; exit}')`
			`ping -c 80 -i 0.1 "$GW"`
			`ping -c 80 -i 0.1 1.1.1.1`
			```

			For the user's tested setup, home Wi-Fi used `192.168.1.1`, while phone hotspot `osa` used `10.91.179.29`. A script hardcoded to `192.168.1.1` falsely reports gateway loss after switching to the hotspot.

			`## Useful single-log command skeleton`

			```bash
			`mkdir -p "$HOME/.local/state/hermes/net-tests"`
			`LOG="$HOME/.local/state/hermes/net-tests/ssh-wifi-$(date +%Y%m%d-%H%M%S).log"`
			`{`
			`date`
			`echo '## wifi/default route'`
			`ip -brief addr show wlp1s0 \|\| true`
			`ip route \|\| true`
			`nmcli -f GENERAL.CONNECTION,GENERAL.DEVICE,GENERAL.STATE,GENERAL.METERED,IP4.ADDRESS,IP4.GATEWAY,IP4.DNS device show wlp1s0 2>/dev/null \|\| true`
			`nmcli -f IN-USE,SSID,BSSID,CHAN,FREQ,RATE,SIGNAL,BARS,SECURITY dev wifi list --rescan no 2>/dev/null \|\| true`

			`echo '## tailscale'`
			`tailscale status 2>&1 \|\| true`
			`tailscale netcheck 2>&1 \|\| true`

			`echo '## routes and sockets'`
			`ss -nti '( sport = :22 or dport = :22 )' 2>/dev/null \|\| true`

			`GW=$(ip route show default \| awk '{print $3; exit}')`
fix(docs): mask Tailscale IPs with placeholder variables Replace live 100.x IPs with , per SOUL.md convention. Removed stale device IP from network-ssh-wifi-diagnostics reference. 2026-06-21 20:12:45 +02:00			`for target in "$GW" 1.1.1.1 ${DOMEDOG_TS_IP}; do`
Populate layered-soul: identity, memories, skills, plan (Hermes & Sam) - SOUL.md: full agent identity, operating principles, voice - IDENTITY.md: runtime identity, hosts, boundaries - USER.md: operator context imported from hermes-soul - AGENTS.md: actual operating rules, infrastructure, quick reference - memories/curated/: 5 topics (tailscale, forgejo, agents, projects, vaultwarden) - skills/: 9 cross-harness skills imported from hermes-soul after review - docs/PLAN-CONFIGURE-PRIVATE-REPO.md: configuration plan - Validate: passes clean 2026-06-14 00:21:26 +02:00			`echo "--- ping $target"`
			`ping -c 30 -i 0.2 "$target" 2>&1 \| tail -8 \|\| true`
			`done`
			`} \| tee "$LOG"`
			`echo "$LOG"`
			```