---
name: nas-dxp4800-smb
description: Connect to the studio UGREEN NAS DXP4800-DAFC over SMB from macOS/Hermes profiles without exposing the SMB password in chat, memory, or skill files.
version: 1.0.0
---

# NAS DXP4800-DAFC SMB Access

Use this when the user asks to access, mount, read, write, or troubleshoot the studio NAS.

## Known non-secret connection info

```text
NAS model/name: DXP4800-DAFC
Web/admin URL:  https://192.168.1.4:9443
SMB URL:        smb://192.168.1.4
SMB share:      root_for_ai
Mounted path:   /Volumes/root_for_ai
Host/IP:        192.168.1.4
```

## Secret handling

The SMB password is stored locally, not in this skill, chat memory, or persistent memory:

```text
/Users/qianliyun/.hermes/secret-vault/nas-dxp4800-smb.env
```

Rules:

- Never print `NAS_SMB_PASSWORD`.
- Read the password from `NAS_SMB_ENV_FILE` or the vault file above.
- If `NAS_SMB_USERNAME` is blank, ask the user for the NAS username or use a username the user has already provided in the current task.
- Do not store the password in macOS Keychain from Hermes profile HOME; this environment may not have a default keychain and can trigger “找不到用于存储的钥匙串”. Use the local vault file instead unless the user explicitly asks to repair Keychain.
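
A preflight check for the rules above, as an added example that is not part of the original skill: it confirms the vault file and its directory are owner-only and reports which required keys are set without ever returning their values. The function name `check_vault` and the constant names are assumptions; the key names, the vault path and the `NAS_SMB_ENV_FILE` override are the ones this page uses.

```python
import os
import stat
from pathlib import Path

DEFAULT_VAULT = "/Users/qianliyun/.hermes/secret-vault/nas-dxp4800-smb.env"
REQUIRED_KEYS = ("NAS_SMB_USERNAME", "NAS_SMB_PASSWORD")


def check_vault(path=None):
    """Return a list of problems with the vault file; secret values are never returned."""
    vault = Path(path or os.environ.get("NAS_SMB_ENV_FILE") or DEFAULT_VAULT)
    if not vault.is_file():
        return [f"vault file missing: {vault}"]
    problems = []
    # Group/other bits must be clear: 600 on the file, 700 on its directory.
    for target, label in ((vault, "file"), (vault.parent, "directory")):
        mode = stat.S_IMODE(target.stat().st_mode)
        if mode & 0o077:
            problems.append(f"{label} {target} is mode {mode:o}; remove group/other access")
    if vault.stat().st_uid != os.getuid():
        problems.append(f"{vault} is not owned by the current user")
    # Record only whether each key has a non-empty value, not the value itself.
    present = set()
    for line in vault.read_text(errors="ignore").splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if value.strip():
                present.add(key.strip())
    for key in REQUIRED_KEYS:
        if key not in present:
            problems.append(f"{key} is blank or missing")
    return problems
```

Call `check_vault()` before mounting and stop if it returns anything; a blank `NAS_SMB_USERNAME` is the case where the username has to come from the user.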

## Basic connectivity checks

```bash
nc -vz -G 2 192.168.1.4 9443
nc -vz -G 2 192.168.1.4 445
curl -k -I --connect-timeout 3 --max-time 6 https://192.168.1.4:9443
```

Interpretation:

- `9443` open = NAS web/admin UI reachable.
- `445` open = SMB file sharing reachable.
- If `445` is refused, enable SMB/Windows file service in UGOS Pro before mounting.


## Verified local status

As of 2026-05-15 on the main Mac:

```text
SMB ports 445 and 139 reachable.
Mounted share: /Volumes/root_for_ai
Read/write/delete test: passed.
```



## Current NAS layout and robot access policy

The user reorganized the NAS manually. Treat this as the current canonical layout:

```text
/Volumes/root_for_ai/
├── 00_共享区/
│   ├── 通用插件/
│   │   └── 详情页自编辑插件/
│   └── 通用素材/
│       └── 良渚品牌必备素材/
└── 02_项目归档/
    ├── 交付文件/
    │   ├── 电商详情页/
    │   ├── 电商主图/
    │   ├── 财务/
    │   ├── 授权相关/
    │   ├── 后台系统/
    │   └── 产品研发/
    └── 临时导入待整理/
```

Important paths for robots:

```text
NAS_SHARED_DIR=/Volumes/root_for_ai/00_共享区
NAS_DETAIL_PAGE_PLUGIN_DIR=/Volumes/root_for_ai/00_共享区/通用插件/详情页自编辑插件
NAS_LIANGZHU_BRAND_ASSETS_DIR=/Volumes/root_for_ai/00_共享区/通用素材/良渚品牌必备素材
NAS_PROJECT_ARCHIVE_DIR=/Volumes/root_for_ai/02_项目归档
NAS_DELIVERABLES_DIR=/Volumes/root_for_ai/02_项目归档/交付文件
NAS_TEMP_INBOX_DIR=/Volumes/root_for_ai/02_项目归档/临时导入待整理
NAS_ECOM_DETAIL_ARCHIVE_DIR=/Volumes/root_for_ai/02_项目归档/交付文件/电商详情页
NAS_ECOM_MAIN_IMAGE_ARCHIVE_DIR=/Volumes/root_for_ai/02_项目归档/交付文件/电商主图
NAS_FINANCE_ARCHIVE_DIR=/Volumes/root_for_ai/02_项目归档/交付文件/财务
NAS_AUTH_ARCHIVE_DIR=/Volumes/root_for_ai/02_项目归档/交付文件/授权相关
NAS_BACKEND_ARCHIVE_DIR=/Volumes/root_for_ai/02_项目归档/交付文件/后台系统
NAS_PRODUCT_DEV_ARCHIVE_DIR=/Volumes/root_for_ai/02_项目归档/交付文件/产品研发
```

Finder/local shortcuts on the main Mac:

```text
/Users/qianliyun/Documents/NAS_root_for_ai
/Users/qianliyun/Documents/NAS_共享区
/Users/qianliyun/Documents/NAS_项目归档
/Users/qianliyun/Documents/NAS_交付文件
/Users/qianliyun/Documents/NAS_通用素材
/Users/qianliyun/Documents/NAS_详情页自编辑插件
```

Rules:

- Robots work in their own local profile workspace first: `/Users/qianliyun/.hermes/profiles/<profile>/workspace/`.
- Do **not** put live profile workspaces on the NAS.
- Do **not** recreate NAS-based per-profile live work folders.
- After a task is delivered, archive final/project files under the matching `02_项目归档/交付文件/<category>/...` project folder.
- Shared tools/materials that multiple robots may read/write live under `00_共享区/`, especially the detail-page self-edit plugin and Liangzhu brand assets.
- On bot1 (`/Users/bot1`), the NAS is mounted at a user-local path because SSH could not create `/Volumes/root_for_ai` without sudo/GUI approval: `/Users/bot1/Volumes/root_for_ai`. Bot1 profiles have `.env` variables pointing to that mount path; use `NAS_*` env vars rather than hard-coding `/Volumes/root_for_ai` when running on bot1.
- Earlier bulk-copy archive locations are no longer canonical after the user's reorganization. Do not write new files to obsolete bulk-copy folders unless the user explicitly asks.
- Exclude secrets/runtime clutter: `.env`, `auth.json`, token/secret files, cache, logs, virtualenvs, `.git`, `node_modules`, and internal staging folders.

Last verified after user reorganization and bot1 sync: 2026-05-15.
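
The archive and exclusion rules above, as an added example that is not part of the original skill: it copies a delivered project from a local workspace into `NAS_DELIVERABLES_DIR/<category>/<project>` and returns what it skipped so the omissions can be reviewed. The function names, the glob patterns for token/secret files, and the decision to skip symlinks are assumptions; internal staging folder names are not given on this page and are not covered.

```python
import fnmatch
import os
import shutil
from pathlib import Path

# Exact names from the exclusion rule, plus assumed globs for token/secret/log files.
EXCLUDED_NAMES = {".env", "auth.json", ".git", "node_modules", "cache", ".cache",
                  "logs", "venv", ".venv", "__pycache__"}
EXCLUDED_GLOBS = ("*.env", ".env.*", "*token*", "*secret*", "*.log")


def is_excluded(name):
    lowered = name.lower()
    return lowered in EXCLUDED_NAMES or any(fnmatch.fnmatch(lowered, g) for g in EXCLUDED_GLOBS)


def archive_project(src, category, project, deliverables_dir=None):
    """Copy src into <deliverables>/<category>/<project>; return skipped relative paths."""
    base = Path(deliverables_dir or os.environ["NAS_DELIVERABLES_DIR"])
    dest = base / category / project
    # Refuse a category or project name that would land outside the deliverables tree.
    if base.resolve() not in dest.resolve().parents:
        raise ValueError("destination escapes the deliverables directory")
    src = Path(src)
    skipped = []

    def ignore(directory, names):
        # Skip excluded names, and symlinks so nothing outside the workspace is pulled in.
        drop = [n for n in names if is_excluded(n) or (Path(directory) / n).is_symlink()]
        skipped.extend(str((Path(directory) / n).relative_to(src)) for n in drop)
        return drop

    shutil.copytree(src, dest, ignore=ignore, dirs_exist_ok=True)
    return sorted(skipped)
```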



For manual use:

```text
Finder → Command + K → smb://192.168.1.4
```

Then log in with the NAS account and the stored password.

## Syncing NAS access to bot1 / another Mac

Use this when another Mac becomes reachable again and needs the same NAS access for its Hermes robots.

1. Verify SSH and LAN first; do not assume the old IP is current:

```bash
ssh -o BatchMode=yes -o ConnectTimeout=8 bot1-macmini 'hostname; whoami; ifconfig | awk '\''/inet / && $2 !~ /^127\./{print $2}'\'''
nc -vz -G 4 192.168.1.4 445
```

2. Copy the local NAS vault file without printing it, preserving restrictive permissions:

```bash
ssh bot1-macmini 'mkdir -p ~/.hermes/secret-vault && chmod 700 ~/.hermes/secret-vault'
scp -q /Users/qianliyun/.hermes/secret-vault/nas-dxp4800-smb.env bot1-macmini:/Users/bot1/.hermes/secret-vault/nas-dxp4800-smb.env
ssh bot1-macmini 'chmod 600 ~/.hermes/secret-vault/nas-dxp4800-smb.env'
```

3. Sync this skill and dependent shared-tool skills such as `detail-page-self-edit-plugin` into root `~/.hermes/skills` and every `~/.hermes/profiles/<profile>/skills/` on the target Mac. Preserve existing Feishu/Lark `.env` credentials; only add/update NAS variables.

4. Over SSH, `/Volumes/root_for_ai` may fail because creating `/Volumes/<name>` needs GUI/sudo approval. Avoid hanging on Finder/`osascript` mounting. Prefer a user-local mount on bot1:

```text
/Users/bot1/Volumes/root_for_ai
```

Then set every bot1 profile `.env` to use that mount via `NAS_*` variables, for example:

```text
NAS_MOUNT_PATH=/Users/bot1/Volumes/root_for_ai
NAS_SHARED_DIR=/Users/bot1/Volumes/root_for_ai/00_共享区
NAS_DETAIL_PAGE_PLUGIN_DIR=/Users/bot1/Volumes/root_for_ai/00_共享区/通用插件/详情页自编辑插件
NAS_DELIVERABLES_DIR=/Users/bot1/Volumes/root_for_ai/02_项目归档/交付文件
```

5. Verify on the target Mac:

- NAS ports `9443`, `445`, `139` are reachable.
- The mount path is present in `mount` output.
- Critical directories exist under the target mount path.
- Temporary write/read/delete succeeds in `00_共享区`, `02_项目归档/交付文件`, and `02_项目归档/临时导入待整理`.
- No old references remain in skills/envs: `02_项目归档/aiwork`, `02_项目归档/knowledge-base`, `01_机器人工作区`, `NAS_我的工作区`, `AI机器人工作区_NAS`.
- No profile workspace contains NAS live-work symlinks.
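
The last two checks in step 5, as an added example that is not part of the original skill: one function scans skill files and `.env` files for the obsolete path names listed above, the other finds workspace symlinks that resolve into the NAS mount. The function names and the assumption that the Hermes home is laid out as `skills/` and `profiles/<profile>/{skills,workspace}` follow the paths on this page; only file paths and marker names are returned, never file contents.

```python
import os
from pathlib import Path

# Obsolete names listed in step 5.
STALE_REFERENCES = ("02_项目归档/aiwork", "02_项目归档/knowledge-base",
                    "01_机器人工作区", "NAS_我的工作区", "AI机器人工作区_NAS")


def find_stale_references(hermes_home):
    """Return (relative file, marker) pairs for skill and .env files naming an obsolete path."""
    home = Path(hermes_home)
    candidates = [p for p in home.rglob("*") if p.is_file() and not p.is_symlink()
                  and (p.name == ".env" or "skills" in p.relative_to(home).parts)]
    hits = []
    for path in sorted(candidates):
        text = path.read_text(encoding="utf-8", errors="ignore")
        hits.extend((str(path.relative_to(home)), m) for m in STALE_REFERENCES if m in text)
    return hits


def find_nas_symlinks(hermes_home, mount_path):
    """Return profile-workspace symlinks whose target resolves inside the NAS mount."""
    mount = Path(mount_path).resolve()
    found = []
    for workspace in sorted(Path(hermes_home).glob("profiles/*/workspace")):
        # os.walk lists symlinks but does not descend into them.
        for dirpath, dirnames, filenames in os.walk(workspace):
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if link.is_symlink():
                    target = link.resolve()
                    if target == mount or mount in target.parents:
                        found.append(str(link))
    return sorted(found)
```

On bot1, pass the `NAS_MOUNT_PATH` value from the profile `.env` as `mount_path`; both functions should return empty lists.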

Do not restart active Feishu gateways just to update NAS skill/env files unless the user asks or the changed profile must reload immediately.

## Scripted mount pattern

Use a temporary mount point under `/Volumes` or `/tmp`. Do not echo the password.

```bash
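python3 - <<'PY'
from pathlib import Path
from urllib.parse import quote
import os, subprocess

# Honour NAS_SMB_ENV_FILE if it is set; otherwise use the local vault file.
secret = Path(os.environ.get('NAS_SMB_ENV_FILE')
              or '/Users/qianliyun/.hermes/secret-vault/nas-dxp4800-smb.env')
env = {}
for line in secret.read_text(errors='ignore').splitlines():
    if line and not line.lstrip().startswith('#') and '=' in line:
        k, v = line.split('=', 1)
        env[k] = v
user = env.get('NAS_SMB_USERNAME') or os.environ.get('NAS_SMB_USERNAME')
pw = env.get('NAS_SMB_PASSWORD')
host = env.get('NAS_HOST', '192.168.1.4')
if not user:
    raise SystemExit('NAS_SMB_USERNAME is blank; ask the user for the NAS username first.')
if not pw:
    raise SystemExit('NAS_SMB_PASSWORD missing from local vault file.')
mount = Path('/Volumes/DXP4800-DAFC')
mount.mkdir(exist_ok=True)
# Percent-encode both fields so characters such as '@', ':' or '/' cannot break the URL.
url = f"//{quote(user, safe='')}:{quote(pw, safe='')}@{host}/root_for_ai"
# The URL carries the password. It is visible in the local process list while
# mount_smbfs runs, and check=True would echo the full command in a
# CalledProcessError traceback, so report only the exit status on failure.
result = subprocess.run(['mount_smbfs', url, str(mount)])
if result.returncode != 0:
    raise SystemExit(f'mount_smbfs failed with exit status {result.returncode}')
print(mount)
PY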
```

Use the tested share name `root_for_ai` unless the user specifies a different shared folder. For first-time work, prefer the Finder method or `smbutil view` after credentials are available.

## Read/write test convention

After a share is mounted, verify with a harmless temporary file:

```bash
TEST_DIR="/Volumes/DXP4800-DAFC"
TEST_FILE="$TEST_DIR/hermes_rw_test_$(date +%Y%m%d_%H%M%S).txt"
printf 'Hermes NAS read/write test %s\n' "$(date)" > "$TEST_FILE"
cat "$TEST_FILE"
rm "$TEST_FILE"
```

Only report success/failure; do not expose credentials.
