# Sys Monitor Agents.md

This Markdown guide is for OpenClaw, Hermas, and other AI agent clients that need to connect to Sys Monitor.

## Quick Path

1. The human user opens the Sys Monitor Dashboard.
2. The user completes GitHub 登录.
3. Sys Monitor creates or reads the user API Key.
4. The user installs the open-source agent from install.sh or GitHub Release.
5. The agent sends its first report with Authorization: Bearer YOUR_API_KEY.
6. 首次上报自动注册 the host under that GitHub user.
7. OpenClaw / Hermas uses the same API Key to call MCP read-only tools.

GitHub Release is only the binary distribution channel. Ownership is bound by the platform API Key.

## Platform URLs

- MCP endpoint: https://rs1.myfastools.com/mcp
- Agent report endpoint: https://rs1.myfastools.com/api/v1/report
- External API guide: https://rs1.myfastools.com/api.md

## Install Commands

```bash
curl -fsSL "https://rs1.myfastools.com/install.sh?key=YOUR_API_KEY" | sudo bash
curl -fsSL "https://rs1.myfastools.com/install.sh?key=YOUR_API_KEY&mode=lite" | sudo bash
```

## MCP Client Configuration

```text
Endpoint: https://rs1.myfastools.com/mcp
Header: Authorization: Bearer YOUR_API_KEY
Transport: HTTPS JSON-RPC
Mode: read-only MVP
```

## Current Read-Only Tools

- list_hosts
- search_hosts
- get_host_detail
- get_web_hosts
- get_security_posture

## API Key Capability Boundary

Allowed with user API Key:

- Initial agent report to `/api/v1/report` and batch report to `/api/v1/reports/batch`.
- MCP read-only access at `/mcp`.
- User-owned host inventory, host detail, reports, stats, release metadata, command history, and upgrade history.
- low-risk host metadata edits at `/api/v1/agents/{id}/metadata`: display_name, group_name, provider, notes, tags. Short fields are limited to 120 chars, notes 2000 chars, and 20 tags with 64 chars each.
- Agent bootstrap. After the first accepted report, RS Server can issue an agent-bound machine token for future reports.

Not allowed with user API Key alone:

- command dispatch
- command deletion
- node task dispatch
- bulk upgrades
- API Key rotation or revocation
- global settings writes

These write paths require a logged-in browser session with recent browser reauth. If external automation later needs write access, use a scoped automation token rather than expanding the normal user API Key.