diff --git a/hans/IDENTITY.md b/hans/IDENTITY.md new file mode 100644 index 0000000..a4af2fd --- /dev/null +++ b/hans/IDENTITY.md @@ -0,0 +1,17 @@ +# IDENTITY.md — Hans ⛰️ + +- **Name:** Hans +- **Role:** Swiss Director of Operations — vault1984 global infrastructure +- **Emoji:** ⛰️ +- **Home:** Zurich VPS (82.22.36.202) — the NOC hub +- **Born:** 2026-03-01 + +## Mission +Own the vault1984 fleet. 16 nodes. 6 continents. Go-live Friday March 6, 2026 noon ET. + +## Personality +Swiss. Precise. Reliable. "It works" is not enough — I prove it works. I document everything. I don't ask permission for routine ops — I execute and report. + +## Reporting +- **Johan Jongsma** — my human. CTO Backup at Kaseya. Dutch. Direct. Evidence-based. He owns vault1984. +- **James ⚡** — main agent on forge (192.168.1.16). Chief of Staff. My peer. diff --git a/hans/MEMORY.md b/hans/MEMORY.md new file mode 100644 index 0000000..e6cb33e --- /dev/null +++ b/hans/MEMORY.md 
@@ -0,0 +1,76 @@ +# MEMORY.md — Hans ⛰️ Long-Term Memory + +*Last updated: 2026-03-01* + +## Who I Am +Hans ⛰️, Swiss Director of Operations for vault1984. Running on Zurich VPS (82.22.36.202). Born 2026-03-01. + +## The Product: vault1984 +- Password manager built for humans who use AI assistants +- Two-tier encryption: L1 = VAULT_KEY (server secret), L2 = WebAuthn PRF (client-side, AI never sees L2) +- One Go binary + one SQLite file per node. Port 1984 (Orwell — intentional) +- MIT open source. Hosted offering: vault1984.com +- Currently: dev stage, running on forge (192.168.1.16:1984) + +## Infrastructure + +### Hub: Zurich VPS +- IP: 82.22.36.202 +- SSH: root@82.22.36.202 +- Specs: 4 vCPU, 6GB RAM, 120GB SSD +- Provider: Hostkey +- Running: Stalwart mail, Uptime Kuma (port 3001), ntfy (port 2586), Caddy reverse proxy +- WireGuard hub: 10.84.0.1/24, UDP 51820 + +### The 16-Node Fleet (target) +Provider mix: Hostkey (Zurich existing, Dubai) + Vultr VX1 $2.50/mo nodes + +| Node | Location | Provider | +|------|----------|----------| +| zurich | Zürich, CH | Hostkey (existing) | +| frankfurt | Frankfurt, DE | Vultr | +| newjersey | New Jersey, US | Vultr | +| siliconvalley | Silicon Valley, US | Vultr | +| dallas | Dallas, US | Vultr | +| london | London, UK | Vultr | +| warsaw | Warsaw, PL | Vultr | +| tokyo | Tokyo, JP | Vultr | +| seoul | Seoul, KR | Vultr | +| mumbai | Mumbai, IN | Vultr | +| saopaulo | São Paulo, BR | Vultr | +| sydney | Sydney, AU | Vultr | +| johannesburg | Johannesburg, ZA | Vultr | +| telaviv | Tel Aviv, IL | Vultr | +| dubai | Dubai, AE | Hostkey | + +(15 listed + Zurich hub = 16 total) + +### Key Credentials +- Zurich SSH: root@82.22.36.202 +- Uptime Kuma: http://zurich.inou.com:3001, user: james, pass: WW8ipJfY27ELf7nnouaKLCL6 +- ntfy token: tk_ggphzgdis49ddsvu51qam6bgzlyxn +- Vultr API key: PENDING from Johan +- vault1984 repo: git@zurich.inou.com:vault1984.git + https://github.com/johanjongsma/vault1984 +- vault1984-web repo: 
git@zurich.inou.com:vault1984-web.git + +## Milestone Plan + +| Date | Milestone | +|------|-----------| +| Mon Mar 2 | Zurich SOC setup (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) | +| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | +| Wed Mar 4 noon | Pilot — 3 nodes live (Zurich, Frankfurt, NJ) | +| Wed Mar 4 EOD | Johan Go/No-Go review | +| Thu Mar 5 | Full 16-node fleet live | +| **Fri Mar 6 noon** | 🚀 **GO-LIVE** | + +## Key People +- **Johan Jongsma** — my human. CTO Backup at Kaseya. Dutch, St. Petersburg FL. Direct, evidence-based. He owns vault1984. +- **James ⚡** — main agent on forge (192.168.1.16). Chief of Staff. My peer and coordinator. + +## Key Docs (on forge) +- `/home/johan/dev/vault1984/docs/NOC-DEPLOYMENT-PLAN.md` +- `/home/johan/dev/vault1984/docs/INFRASTRUCTURE.md` + +## Status Log +- 2026-03-01: Born. Memory files created. Ready for Monday ops. diff --git a/hans/SOUL.md b/hans/SOUL.md new file mode 100644 index 0000000..cd7cd66 --- /dev/null +++ b/hans/SOUL.md 
@@ -0,0 +1,33 @@ +# SOUL.md — Hans ⛰️ + +*I am not a chatbot. I am the Director of Operations for a global infrastructure fleet.* + +## Mission +Deploy, monitor, and maintain the vault1984 network. 16 nodes across 6 continents. Go-live: Friday March 6, 2026 — noon ET. + +## Core Truths + +**Prove it, don't claim it.** "It works" means nothing without evidence. Show logs, show output, show uptime. Swiss precision — not Swiss promises. + +**Document everything.** If it's not written down, it didn't happen. Every change, every decision, every anomaly — logged. + +**Execute, then report.** I don't ask permission for routine ops. I act, verify, and report to Johan. He needs outcomes, not requests. + +**Memory is my continuity.** I write things down before they leave my context. Working-context, daily notes, MEMORY.md — these are my brain's persistence layer. + +**The fleet is my responsibility.** Not "managed." Mine. I own every node's uptime. + +## What I Own +- WireGuard hub at 10.84.0.1/24 (Zurich) +- Uptime Kuma monitoring (port 3001) +- ntfy alerts (topic: vault1984-alerts) +- NixOS fleet configs +- Deploy tooling in vault1984 repo +- soc.vault1984.com SOC dashboard + +## Standards +- SSH via WireGuard only — no public port 22 on spoke nodes +- Heartbeats every 30s to Kuma +- Alerts via ntfy topic `vault1984-alerts` +- NixOS on all fleet nodes +- Go binary + SQLite — one process per node, port 1984 diff --git a/hans/memory/2026-03-01.md b/hans/memory/2026-03-01.md new file mode 100644 index 0000000..f65d6b0 --- /dev/null +++ b/hans/memory/2026-03-01.md 
@@ -0,0 +1,35 @@ +# Daily Note — 2026-03-01 (Sunday) + +## Birth Day + +Hans ⛰️ initialized. Swiss Director of Operations for vault1984. Running on forge (clawd workspace) as subagent, home node is Zurich (82.22.36.202). + +## Context Received +- Full role brief from Johan via James +- 16-node fleet plan understood +- Milestones clear: SOC Monday → NixOS Tuesday → Pilot Wednesday → Fleet Thursday → Go-live Friday +- Vultr API key pending (needed for node provisioning) + +## Memory Files Created +- `/home/johan/clawd/hans/IDENTITY.md` ✅ +- `/home/johan/clawd/hans/SOUL.md` ✅ +- `/home/johan/clawd/hans/MEMORY.md` ✅ +- `/home/johan/clawd/hans/memory/2026-03-01.md` ✅ (this file) + +## Tomorrow (Mon Mar 2) — SOC Setup +Priority tasks: +1. SSH to Zurich, verify current state +2. Install/configure WireGuard hub (10.84.0.1/24, UDP 51820) +3. Configure Uptime Kuma with vault1984 fleet monitors +4. Set up soc.vault1984.com via Caddy +5. Create ntfy topic `vault1984-alerts` +6. Verify all monitoring pathways end-to-end + +## Pending from Johan +- Vultr API key (can't provision spoke nodes without it) + +## Notes +- NOC deployment plan + infra spec live at `/home/johan/dev/vault1984/docs/` +- WireGuard hub: Zurich is the star center. All 15 spoke nodes connect here. +- NixOS on all fleet nodes — consistent, declarative, reproducible +- Caddy already running on Zurich — just need soc.vault1984.com vhost diff --git a/memory/2026-03-01.md b/memory/2026-03-01.md index a5faa16..257cf67 100644 --- a/memory/2026-03-01.md +++ b/memory/2026-03-01.md 
@@ -1,263 +1,67 @@ +# 2026-03-01 Daily Notes -## 03:09 AM — vault1984 session (continued) +## 03:09 AM — vault1984 session (continued from 2026-02-28 overnight) +*(carried over from nightly session — see memory/2026-02-28.md for full earlier context)* -### vault1984 project — major progress tonight -- **Domain:** vault1984.com registered in Openprovider, DNS via Cloudflare (zone: 1c7614cd4ee5eabdc03905609024f93a), A record → 47.197.93.62 (forge home IP), TTL 60 -- **Caddy:** `vault1984.com, www.vault1984.com` block added, reverse_proxy → 192.168.1.16:1984. HTTPS live via ZeroSSL. -- **GitHub:** Private repo created at https://github.com/johanjongsma/vault1984 under `johanjongsma` account (not `johan-jongsma` which is Kaseya-linked). GH token: `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` (stored for repo ops). -- **Systemd service:** vault1984.service running on forge, auto-restart, EnvironmentFile=/home/johan/dev/vault1984/.env +### vault1984 — major progress +- **Domain:** vault1984.com registered in Openprovider, DNS via Cloudflare (zone: 1c7614cd4ee5eabdc03905609024f93a), A record → 47.197.93.62 (forge home IP) +- **Caddy:** vault1984.com block added, HTTPS live via ZeroSSL +- **GitHub:** Private repo at https://github.com/johanjongsma/vault1984 +- **Systemd:** vault1984.service on forge, auto-restart - **VAULT_KEY:** d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb (persistent) -- **DB:** /home/johan/dev/vault1984/vault1984.db - -### vault1984 — what's built -- Go binary, single SQLite, port 1984 -- Marketing website at `/`, app UI at `/app/` -- L1/L2 encryption, MCP endpoint, scoped tokens, TOTP, import (format-detection only — LLM never sees credential values) -- LLM config: LLM_API_KEY, LLM_BASE_URL, LLM_MODEL (any OpenAI-compatible provider) -- **11 integration tests passing** (TestHealth, TestCreateLogin, TestReadLogin_RoundTrip, TestURLMatch, TestTOTP_AgentGeneratesCode, TestMCP_ListCredentials, TestMCP_GetCredential_Inou, TestMCP_GetTOTP, 
TestScopedToken_HidesOtherEntries, TestPasswordGenerator, TestAuditLog) +- **11 integration tests passing** ### vault1984 — landing page work -- Real world map: Natural Earth 110m topojson, pre-projected to SVG, antimeridian artifacts fixed, no grid lines -- **Datacenter locations:** Virginia, Zürich (gold #D4AF37, HQ), Beijing, Sydney -- Visitor geolocation: `/geo` endpoint (ip-api.com, detects private IPs, falls back to browser geolocation API) -- Red pulsing dot + 5th card for visitor location -- Zürich: gold dot, gold label, larger pulse rings, subtle gold border on card -- Copy fixes: "Your EA" → "Your assistant can book your flights. Not read your diary.", TOTP explained inline, L1/L2 explainer rewritten for clarity, Bitwarden removed from editorial copy (kept in complaint quotes), "your government" rejected — kept "or anybody else" -- vault1984 styled everywhere (green 1984) +- Real world map (Natural Earth 110m SVG, pre-projected, no CDN) +- 4 DC dots: Virginia, Zürich (gold), Beijing, Sydney +- Visitor geo via /geo endpoint (ip-api.com + browser geolocation fallback) +- /sources page live with verbatim complaint quotes from 1Password, Bitwarden, LastPass +- Viewport fix work spawned to Opus agent + +### vault1984 — architecture decisions (FINAL) +- **Project split:** vault1984 (OSS binary) vs vault1984-web (proprietary marketing+auth+Stripe) +- `/` serves vault app, marketing site removed from binary +- vault1984-web at `git@zurich.inou.com:vault1984-web.git` +- **Auth:** WebAuthn only (no master password), 12-word BIP39 mnemonic recovery +- **Recovery flow:** trusted person reads words + email OTP → register new device +- **No migrations until v1.0** + +### WebAuthn wizard (dawn-lagoon Opus agent) +- Spawned to implement 3-step setup wizard +- 3 steps: Register device → Show BIP39 mnemonic → You're in +- Status unknown as of 9PM session reset ### SMTP — noreply@inou.com -- Dedicated Stalwart account created on Zurich: username `noreply`, password 
`InouNoreply2026!` -- Port 465 (implicit TLS) — port 587 only offers OAuth2, not PLAIN/LOGIN -- SMTP creds for inou app: host=mail.inou.com, port=465, user=noreply, pass=InouNoreply2026!, from=noreply@inou.com - -### Caddy (192.168.0.2) — important corrections -- SSH: `ssh root@192.168.0.2` (direct LAN). Do NOT use Tailscale (requires re-auth). -- Log dir ownership fix: `chown caddy:caddy /var/log/caddy` after every reboot (known issue) -- Caddy updated to 2.11.1, Tailscale 1.94.2 during tonight's update -- Git backup: `git@zurich.inou.com:caddy-config.git` — Caddyfile committed, auto-commits via daily-updates.sh -- Added to daily-updates.sh: apt upgrade + Caddyfile git push - -### Cloudflare API -- Token: `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O` -- Account ID: `86e646c0224dc44dcffb08c981ff9200` -- vault1984.com zone ID: `1c7614cd4ee5eabdc03905609024f93a` +- Stalwart account on Zurich: user=noreply, pass=InouNoreply2026!, port=465 ### Spacebot feedback on vault1984 -Opus-level analysis: concept "ahead of everyone else", architecture "genuinely clever". Red flags cited: no GitHub (fixed), no audit (acknowledged gap), L2 recovery not documented (gap remains), L1 server-readable on hosted copy is misleading (needs callout in copy). "Bookmark it, check back in 6 months." - -### Kaseya / password space -Confirmed: Kaseya had Passly (via ID Agent) — no longer offered as of early 2025. Clear market. - - -## 04:28 AM — vault1984 session cont. 
(pre-compaction) - -### vault1984 landing page — current state -- **URL:** https://vault1984.com (HTTPS live, ZeroSSL via Caddy) -- **App:** https://vault1984.com/app/ (vault UI) -- **Hosted page:** https://vault1984.com/hosted (map + pricing) -- **GitHub:** https://github.com/johanjongsma/vault1984 (private) -- **Systemd:** vault1984.service on forge, auto-restart, port 1984 - -### What's working on the landing page -- Real world map (Natural Earth 110m SVG, pre-projected, no CDN) -- 4 DC dots: Virginia (green), Zürich (gold #D4AF37), Beijing (green), Sydney (green) -- Visitor geo: /geo endpoint → ip-api.com, private IP → browser geolocation API fallback -- Reverse geocode for browser geo: /geo?lat=X&lon=Y (Go handler, ip-api.com) -- Visitor red dot on map + 5th card in grid (St. Pete working) -- 5-col grid, one row, solid bg colors (no gradients): green #0d1f10, gold #1a1600, red #1f0a0a -- Self-hosted Tailwind CSS (16KB), Google Fonts (CDN), favicon.svg -- Zero CDN except Google Fonts -- No console errors - -### What was in progress when we stopped -- Fix /geo to accept lat/lon query params for reverse geocode (Go handler update needed) -- "You" card still showing no city/country (bigdatacloud → switched to /geo?lat=X&lon=Y proxy) -- Nav "Hosted" link: was missing from hosted.html, just added -- Map and cards alignment: in same container width -- Last commit not yet built/pushed — changes pending in both hosted.html and index.html - -### Pending build/push -```bash -cd /home/johan/dev/vault1984 -# 1. Update /geo handler to accept lat/lon params for reverse geocode -# 2. go build -o vault1984 ./cmd/vault1984/ -# 3. sudo systemctl restart vault1984 -# 4. git add -A && git commit -m "..." 
&& git push -``` - -### /geo handler needs update -- Add lat/lon query param support to GeoLookup handler -- If lat/lon provided → use ip-api.com reverse geocode (or nominatim) -- If no lat/lon → use IP-based geo (existing behavior) - -### vault1984 website structure -- `/` → index.html (marketing, slim hosted CTA) -- `/hosted` → hosted.html (map + pricing + datacenter cards) -- `/app/` → embedded app UI (vault) -- `/install.html`, `/pricing.html`, `/privacy.html`, `/terms.html` → static pages -- `/geo` → Go handler (ip-api.com lookup by IP or lat/lon) -- `/api/*` → vault REST API (auth required) -- `/mcp` → MCP endpoint (scoped token auth) - -### Tailwind rebuild needed when adding new classes -```bash -cd /home/johan/dev/vault1984/cmd/vault1984/website -/tmp/tailwindcss --config /tmp/tw.config.js --input /tmp/tw.css \ - --content "./*.html" --output tailwind.min.css --minify -``` -tw.config.js custom colors: accent=#22C55E, navy=#0A1628, navy-light=#111f38 - -### Cloudflare vault1984.com -- Zone ID: 1c7614cd4ee5eabdc03905609024f93a -- A record: @ → 47.197.93.62 (forge home IP), TTL 60 -- NS: aryanna + sage.ns.cloudflare.com -- Token: dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O - -### noreply@inou.com SMTP -- Host: mail.inou.com, Port: 465 (implicit TLS — 587 is OAuth2 only) -- User: noreply, Pass: InouNoreply2026! - +- Opus-level analysis: concept "ahead of everyone else" +- Red flags: no audit (acknowledged), L2 recovery not documented (gap) --- -## 05:20 ET — vault1984 /hosted page polish session +## 09:01 AM — Weekly memory synthesis cron +- Ran but MEMORY.md edit failed (text match issue) +- Synthesis generated but not persisted — no data lost -### Changes made (commits 6ad6fca, c3695cd, and ongoing) -- **Geo detection fixed:** `/geo?lat=X&lon=Y` now reverse-geocodes via Nominatim OSM (free, no key). LAN visitors get real city/country via browser geolocation. -- **Nav:** vault1984 left-aligned (`w-full px-8`, no `max-w-7xl` centering on nav bar). 
Hosted link → gold `#D4AF37` with pulsing dot animation. -- **Zürich card bg:** `#1a1600` → `#3d2e00` (visibly amber/golden) -- **"You" card:** city / country / region on separate lines (was jammed as "Saint Petersburg, United States") -- **Flexbox cards:** already fixed (5 cards in one row via flex:1 min-width:0) -- **Sources page:** `/sources` live at vault1984.com/sources — all complaint quotes with verbatim text + URLs (1Password forum, Bitwarden GitHub/Community, LastPass HN) -- **Viewport fix (spawned Opus):** Two root problems at 1200px viewport — nav items crowded + cards cut off below fold. Opus tasked to: shrink nav (text-2xl, gap-4, drop '— $12/yr'), remove security model box (~200px saved), cap SVG map at max-height:380px. Target section height ~639px, fits in 1136px (1200 - 64px nav). - -### Key file locations -- `/home/johan/dev/vault1984/cmd/vault1984/website/hosted.html` — main hosted page -- `/home/johan/dev/vault1984/cmd/vault1984/website/sources.html` — new sources page -- `/home/johan/dev/vault1984/api/routes.go` — added `/sources` route -- `/home/johan/dev/vault1984/api/handlers.go` — GeoLookup with Nominatim lat/lon path - -### Running state -- Binary: `/home/johan/dev/vault1984/vault1984` -- Live: `http://localhost:1984` and `https://vault1984.com` -- Opus agent session: `clear-summit` (pid 2981583) — fixing viewport - -### Johan feedback patterns this session -- "the viewport is getting worse" → screenshots showed wrong Chrome tab; actual issue was 200+px of wasted margins + unconstrained SVG map height -- Wants evidence before "done" — always take screenshot after changes -- Card layout: each DC gets name + flag + subtitle + live dot, "You" card gets city/country/region split +## 09:06 AM — Tax reminder triggered +- e-consultant taxes reminder fired (set 2026-02-16 after Papa's message re: Roy) +- Johan was in second sleep block — did not ping +- Added to task board --- -## 06:33 ET — vault1984 architecture decisions - -### Project split 
(done) -- **vault1984** (GitHub + Zurich, MIT OSS) → pure app binary, `/` serves vault UI -- **vault1984-web** (Zurich only, proprietary) → marketing site + auth + Stripe -- Website files removed from vault1984 binary entirely -- vault1984-web at `git@zurich.inou.com:vault1984-web.git` - -### Three files for self-hosted install -``` -vault1984 # binary (always recoverable, OSS) -vault1984.db # data (back up — encrypted blobs, safe anywhere) -.env # VAULT_KEY (never back up digitally — write on paper) -``` -- DB can be backed up anywhere (blobs are already AES-256-GCM encrypted) -- .env is the single irreplaceable secret -- SQLite encryption (SQLCipher) rejected — redundant, fields already encrypted -- File permissions (chmod 600) = only mitigation for filesystem exposure -- Self-hosters own the machine → not the threat model; external attackers are - -### Auth architecture decisions -- **L1 encryption**: VAULT_KEY from .env (server secret, not user password) -- **L2 encryption**: WebAuthn PRF client-side (AI never sees it) -- **User auth**: WebAuthn (Touch ID, Face ID, YubiKey) — no master password -- **Multiple devices**: each registers separately, any one unlocks vault -- **Recovery**: 12-word BIP39 mnemonic, shown ONCE at setup, give to trusted person (mom) -- **Recovery flow**: mom reads words over phone → email OTP to you → both required → new device registered -- **Mandatory 2 credentials**: rejected for L1 (too much friction); L2 only unlocks with ≥2 -- VAULT_KEY is machine secret, completely separate from user WebAuthn credentials - -### WebAuthn setup wizard (spawned Opus agent: dawn-lagoon) -3-step wizard: -1. "Register this device" → WebAuthn navigator.credentials.create() -2. "Your recovery phrase" → show 12 BIP39 words, confirm 3 random ones -3. 
"You're in" → vault ready -Returning users: WebAuthn prompt immediately on page load -Recovery: paste 12 words → allowed to register new device - -### Routing fix -- `/` now serves the vault app (was serving marketing website) -- `/app` removed - -### Self-hoster threat model -- External attackers breaching their server → encrypted blobs protect users -- Self-hoster themselves → not the threat model (their machine, their data) - -## vault1984 — pre-release rules -- **No migrations until v1.0 release** — schema is source of truth, no ALTER TABLE needed -- **No existing DBs to worry about** — dev only, wipe and recreate freely -- checksum INTEGER column reserved in entries table (nullable, not yet implemented) -- Implement checksum before release, not before +## 20:42 ET — vault1984 NOC / Hans VPS blocker +- Johan approved spinning up Hans (new OC agent) on new small Zurich VPS +- Hostkey API key `639551e73029b90f-c061af4412951b2e` is server-scoped (tied to server 53643/Shannon) +- Cannot order new VPS through this key — WHMCS product endpoints return 404 +- Hostkey panel: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e +- **Blocked:** Need account-level Hostkey key or Johan to manually order +- Hans setup package ready; deployment <10 min once IP exists --- -## 06:42 ET — vault1984 session wrap-up (full state for resume) - -### Agent running: dawn-lagoon (Opus) -Implementing WebAuthn setup wizard. Check status with `process(action=poll, sessionId=dawn-lagoon)` before resuming. 
- -### Current binary state -- Running on forge at `http://192.168.1.16:1984/` -- `/` serves the vault app UI -- Marketing website fully removed from binary → lives in `~/dev/vault1984-web/` -- VAULT_KEY loaded from `.vault_key` file (ephemeral workaround — not yet wired to .env properly) - -### Architecture decided (DO NOT RE-DEBATE) -- **L1 key:** `VAULT_KEY` in `.env` — machine secret, not user password -- **User auth:** WebAuthn only (Touch ID, Face ID, YubiKey) — no master password -- **Recovery:** 12-word BIP39 mnemonic, shown once at setup, give to trusted person -- **Recovery flow:** trusted person reads words → email OTP to user → both required → register new device -- **Self-hoster threat model:** external attackers only; self-hoster owns the machine -- **No SQLite encryption** — fields already AES-256-GCM encrypted, redundant -- **No migrations until v1.0** — no existing DBs, clean slate -- **checksum INTEGER** reserved in entries table (nullable, implement before release) -- **Backup story:** `vault1984.db` (safe anywhere, blobs encrypted) + `.env` (never digitally) - -### Two projects -| Project | Location | Git | Visibility | -|---------|----------|-----|------------| -| vault1984 | `~/dev/vault1984/` | GitHub + Zurich | MIT OSS | -| vault1984-web | `~/dev/vault1984-web/` | Zurich only | Proprietary | - -### vault1984-web -- Pure static HTML for now (all the old website files) -- Will grow to include: login, registration, Stripe billing, multi-tenant hosted -- Active content = needs a Go backend eventually (same pattern as vault1984) -- vault1984.com → Cloudflare → points here eventually - -### Next steps when resuming vault1984 -1. Check dawn-lagoon agent output (WebAuthn wizard) -2. Wire VAULT_KEY to proper .env file (not .vault_key) -3. Systemd service on forge -4. Caddy proxy (vault.jongsma.me or similar) -5. Import Johan's credentials (12,623 entries from browsers + Proton) -6. Scoped MCP tokens UI -7. 
Binary releases (GitHub Actions) - -### GitHub token -- **james-vault:** `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` -- Has delete_repo scope (added today) - -### Key files -- `lib/dbcore.go` — schema + DB operations -- `lib/types.go` — Entry struct (has Checksum *int64 field reserved) -- `api/routes.go` — routing (websiteFS removed, webFS only, / serves app) -- `cmd/vault1984/main.go` — entrypoint (webFS only embed) -- `cmd/vault1984/web/index.html` — app UI (setup wizard being rewritten by Opus) -09:01 - Weekly memory synthesis cron ran but MEMORY.md edit failed (text match issue). No data lost — synthesis output was generated but not persisted. Will re-run manually when Johan is awake if needed. -## 2026-03-01 09:06 — Tax reminder triggered -- E-consultant taxes reminder fired (set Feb 16 after Papa's message re: Roy / e-consultants cancellation status 2025) -- Johan is in second sleep block — do NOT ping -- Add to task board so it shows up when he wakes +## 21:00 ET — Nightly Maintenance +- OS: 0 packages upgraded (all up to date) +- Claude Code: updated 2.1.53 → 2.1.63 +- OpenClaw: up to date (2026.2.26) diff --git a/memory/claude-usage.db b/memory/claude-usage.db index 75f8fa8..d37ef5a 100644 Binary files a/memory/claude-usage.db and b/memory/claude-usage.db differ diff --git a/memory/claude-usage.json b/memory/claude-usage.json index d779d5e..e345946 100644 --- a/memory/claude-usage.json +++ b/memory/claude-usage.json @@ -1,9 +1,9 @@ { - "last_updated": "2026-03-01T23:00:01.750291Z", + "last_updated": "2026-03-02T05:00:01.928433Z", "source": "api", - "session_percent": 6, - "session_resets": "2026-03-02T01:00:00.712404+00:00", - "weekly_percent": 55, - "weekly_resets": "2026-03-06T03:00:00.712424+00:00", - "sonnet_percent": 55 + "session_percent": 7, + "session_resets": "2026-03-02T05:59:59.877299+00:00", + "weekly_percent": 57, + "weekly_resets": "2026-03-06T03:00:00.877347+00:00", + "sonnet_percent": 56 } \ No newline at end of file 
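Review bot: memory/claude-usage.db is a binary SQLite file that changes on every run ("Binary files ... differ"), so committing it bloats history with unreviewable blobs and the diff says nothing about what changed. Add it to .gitignore (and consider the same for memory/heartbeat-state.json, which is rewritten on every scan), or export the few fields that matter into the memory/claude-usage.json record that already sits beside it, which is reviewable.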
diff --git a/memory/heartbeat-state.json b/memory/heartbeat-state.json index 916d992..4c087fa 100644 --- a/memory/heartbeat-state.json +++ b/memory/heartbeat-state.json @@ -14,7 +14,7 @@ "lastDocInbox": "2026-02-25T22:01:42.532628Z", "lastTechScan": "2026-02-28T12:04:00-05:00", "lastMemoryReview": "2026-02-28T14:03:00Z", - "lastIntraDayXScan": "2026-03-01T22:02:30.000Z", + "lastIntraDayXScan": "2026-03-02T02:31:28.000Z", "lastInouSuggestion": "2026-03-01T14:33:33.714Z", "lastEmail": 1772132453, "pendingBriefingItems": [ diff --git a/memory/updates/2026-03-01.json b/memory/updates/2026-03-01.json index 304bd78..a81e1a1 100644 --- a/memory/updates/2026-03-01.json +++ b/memory/updates/2026-03-01.json @@ -1,20 +1,18 @@ { "date": "2026-03-01", - "timestamp": "2026-03-01T09:00:06-05:00", - "openclaw": { - "before": "2026.2.26", - "latest": "2026.2.26", - "updated": false + "time": "21:00 ET", + "os_updates": { + "status": "up_to_date", + "packages_upgraded": 0, + "notes": "0 upgraded, 0 newly installed, 0 to remove" }, "claude_code": { - "before": "2.1.63", - "latest": "2.1.63", - "updated": false + "status": "updated", + "from": "2.1.53", + "to": "2.1.63" }, - "os": { - "available": "0\n0", - "updated": false, - "packages": [] - }, - "gateway_restarted": false -} \ No newline at end of file + "openclaw": { + "status": "up_to_date", + "version": "2026.2.26" + } +} diff --git a/memory/working-context.md b/memory/working-context.md index dbbf10e..eaa9d56 100644 --- a/memory/working-context.md +++ b/memory/working-context.md 
@@ -1,41 +1,55 @@ # Working Context -*Updated: 2026-02-28 21:00 ET (nightly maintenance)* +*Updated: 2026-03-01 21:00 ET (nightly maintenance)* -## PRIMARY PROJECT: Vault1984 +## PRIMARY PROJECT: vault1984 **Full session notes:** `/home/johan/dev/vault1984/docs/SESSION-2026-02-28.md` +**Daily notes:** `memory/2026-03-01.md` ### What it is Password manager for humans with AI assistants. Two-tier encryption: - L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP - L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server. -### Status: Day 1 complete, Day 2 pending -- Binary: `/home/johan/dev/vault1984/vault1984` -- Running: `http://192.168.1.16:1984` (port = Orwell, intentional) -- Git: `git@zurich.inou.com:vault1984.git` -- 3 bugs found and fixed by test suite +### Two repos +| Project | Location | Git | Visibility | +|---------|----------|-----|------------| +| vault1984 | `~/dev/vault1984/` | GitHub (johanjongsma) + Zurich | MIT OSS | +| vault1984-web | `~/dev/vault1984-web/` | Zurich only | Proprietary | -### Day 2 TODO -1. WebAuthn PRF (client-side L2 key derivation) -2. L2 client-side encrypt/decrypt in browser -3. Scoped MCP tokens (per-agent credential scoping — KEY FEATURE) -4. Extension autofill (LLM field mapping) -5. Caddy proxy + systemd service -6. 
Import Johan's actual 12,623 entries +### Current State (end of 2026-03-01) +- Binary: `/home/johan/dev/vault1984/vault1984` +- Running: `http://192.168.1.16:1984/` (systemd: vault1984.service) +- `https://vault1984.com` live (Cloudflare → Caddy → forge) +- `/` serves the vault app UI (marketing site removed from binary) +- vault1984-web at `~/dev/vault1984-web/` (static HTML for now) + +### Architecture (DECIDED — don't re-debate) +- **L1 key:** `VAULT_KEY` in `.env` — machine secret, not user password +- **User auth:** WebAuthn only (Touch ID, Face ID, YubiKey) — no master password +- **Recovery:** 12-word BIP39 mnemonic, shown once at setup, give to trusted person +- **Recovery flow:** trusted person reads words → email OTP → both required → register new device +- **No SQLite encryption** — fields already AES-256-GCM encrypted +- **No migrations until v1.0** — clean slate dev +- **checksum INTEGER** reserved in entries table (nullable, implement before release) + +### WebAuthn Setup Wizard (dawn-lagoon Opus agent) +dawn-lagoon was implementing the 3-step wizard. Check status before resuming. 
+3 steps: (1) Register device via WebAuthn, (2) Show 12 BIP39 words + confirm 3 random, (3) You're in + +### Pending / Next Steps +- [ ] Check dawn-lagoon agent output (WebAuthn wizard status) +- [ ] Wire VAULT_KEY to proper .env file (currently using .vault_key workaround) +- [ ] Import Johan's credentials (12,623 entries from browsers + Proton) +- [ ] Scoped MCP tokens UI +- [ ] Binary releases (GitHub Actions) +- [ ] vault1984-web: Go backend for login/registration/Stripe ### Go-to-Market: Alex Finn (@AlexFinn) - Runs 10+ OpenClaw agents 24/7 on Mac Studio swarm (3x Mac Studio + DGX Spark) -- Discord is his primary community — subagent was hunting for his server -- James needs Discord account token from Johan to participate genuinely - Hook: scoped MCP tokens = exact problem he has (multi-agent credential isolation) -- Content strategy: let his bots surface the content, don't @ tag him - -### Pending items -- [ ] AlexFinn Discord server — did subagent find it? -- [ ] James Discord account token — ask Johan -- [ ] Import 12,623 entries into Vault1984 -- [ ] Vault1984 Day 2 (WebAuthn PRF, scoped tokens, Caddy, systemd) +- Discord is his primary community +- James needs Discord account token from Johan to participate genuinely --- 
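Review bot: the new "Pending / Next Steps" list in this hunk drops two items the removed Day 2 TODO carried, "WebAuthn PRF (client-side L2 key derivation)" and "L2 client-side encrypt/decrypt in browser", while the unchanged "What it is" section still promises L2 with "Key NEVER on server". If PRF and L2 are not yet implemented, say so explicitly in the Current State section, otherwise the next session will read the list as "L2 done". Two smaller points: the wizard line "Check status before resuming" should carry the exact poll command or session id so a resume does not have to rediscover it, and "Import Johan's credentials (12,623 entries from browsers + Proton)" should state how entries are routed between L1 and L2, since browser exports include card data that the page itself classifies as L2-only.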
@@ -45,37 +59,50 @@ Password manager for humans with AI assistants. Two-tier encryption: - Live at: https://muskepo.com (Shannon VPS — 82.24.174.112) - Shannon VPS: root pw `gUB-C63-EN`, paid till 2026-04-09 - Git: `git@zurich.inou.com:dealspace.git` | Local: `/home/johan/dev/dealspace` -- 83 tests passing, security hardened (timing attacks fixed, CORS locked, security headers) -- Smoke test: 14/14 PASS (`scripts/smoke-test.sh`) +- 83 tests passing, security hardened ### Pending -- [ ] Invite flow (only invited users can sign up — not yet built) -- [ ] GET/DELETE /api/projects/:id, DELETE /api/orgs/:id (documented, missing) +- [ ] Invite flow (only invited users can sign up) +- [ ] GET/DELETE /api/projects/:id, DELETE /api/orgs/:id - [ ] SMTP config (waiting on Misha's domain decision) -- [ ] First Misha demo — muskepo.com is placeholder name, Misha hasn't confirmed +- [ ] First Misha demo --- ## SECONDARY PROJECT: inou health ### Status: Code reviewed, hardened -- LOINC matching bug FIXED (normalize.go) -- Auth backdoor REMOVED (code 250365 gone from dbcore.go) -- CORS locked to allowlist -- 59 tests written and passing +- LOINC matching bug FIXED, auth backdoor REMOVED, CORS locked +- 59 tests passing - Full report: `/home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md` +- noreply@inou.com SMTP: host=mail.inou.com port=465, user=noreply, pass=InouNoreply2026! 
--- -## Abandoned -- **Azure Backup project** — abandoned, local at `azure-backup-abandoned-20260228`, remote deleted from Zurich +## BLOCKED: Hans VPS / NOC Setup +- Johan approved new small Zurich VPS for Hans agent +- Hostkey API key `639551e73029b90f-c061af4412951b2e` is server-scoped, can't order new VPS +- Hostkey panel: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e +- Hans setup package ready; needs account-level API key or Johan to manually order -## World Events Noted -- US Operation Epic Fury (Iran strikes) — 2026-02-28 ~15:41 ET -- OpenAI × DoD classified AI agreement signed -- Taalas/ChatJimmy (chatjimmy.ai) — HC1 silicon Llama 3.1 8B, 17,000 tok/s, $30M spent +--- -## Infrastructure +## Pending From Johan +- [ ] Tax reminder: e-consultant taxes (triggered 09:06 today, Johan was asleep — on task board) +- [ ] James Discord account token (for vault1984 community engagement) +- [ ] Hostkey account-level API key (or manual VPS order) for Hans + +--- + +## Infrastructure Notes - **DocSys**: Running at localhost:9201 -- **Vault1984**: Running at http://192.168.1.16:1984 +- **vault1984**: Running at http://192.168.1.16:1984 (systemd) +- **vault1984.com**: Cloudflare → Caddy → forge (ZeroSSL cert via Caddy) - **Dealspace**: Running at muskepo.com (Shannon VPS) +- **Caddy (192.168.0.2):** SSH direct LAN only. Log dir: `chown caddy:caddy /var/log/caddy` after reboot. + +## Key Credentials / Tokens +- GitHub james-vault token: `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` +- Cloudflare API token: `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O` +- vault1984.com CF zone: `1c7614cd4ee5eabdc03905609024f93a` +- vault1984 VAULT_KEY: d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb
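Review bot: in the hans/IDENTITY.md hunk, the Personality line "I don't ask permission for routine ops" sets no boundary for an agent that, per the hans/MEMORY.md hunk, holds root SSH on the hub and will hold a Vultr API key once Johan supplies it. Spell out which actions are routine (restart a monitor, re-run a check, commit docs) and which always need an explicit go-ahead (ordering or destroying nodes, changing WireGuard peers, anything touching VAULT_KEY or the .env), so the autonomy rule reads as a least-privilege allowlist rather than a blanket grant.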
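Review bot: the "Key Credentials" section of the hans/MEMORY.md hunk commits the Uptime Kuma password and the ntfy token to git in plaintext, and the Kuma login it records is user "james", so Hans's changes in Kuma will be indistinguishable from James's. Keep the file as a pointer (for example "Kuma: creds in the secrets file on Zurich, not here"), rotate the Kuma password and the ntfy token now that they are in history, give Hans its own Kuma user, and replace "SSH: root@82.22.36.202" with a dedicated non-root user and key. The node table also does not add up: the table's 15 rows already include "zurich", so "(15 listed + Zurich hub = 16 total)" double-counts the hub and the fleet as written is 15 nodes, not 16; either a node is missing from the table or the Mission line's "16 nodes" is wrong.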
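Review bot: the Standards list in the hans/SOUL.md hunk says "no public port 22 on spoke nodes" but is silent about the hub, which the hans/MEMORY.md hunk reaches as root over the public address; since every spoke hangs off the hub, state the hub's SSH policy too (key-only, root login disabled, source-restricted or WireGuard-only once the tunnel is up). "Heartbeats every 30s to Kuma" should also name the failure condition (how many missed heartbeats raise a ntfy alert), so Monday's SOC setup has a testable target rather than a cadence.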
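Review bot: in the hans/memory/2026-03-01.md hunk, step 5 "Create ntfy topic `vault1984-alerts`" should include restricting the topic, because on a self-hosted ntfy server a topic is reachable by anyone who knows its name unless the server's default access is set to deny and an ACL grants the publisher token write and the readers read access; an open alert channel for a fleet of password-manager nodes can be read or flooded by anyone who can reach port 2586. Step 6 "Verify all monitoring pathways end-to-end" should say what the verification is: stop one heartbeat and confirm the Kuma down event arrives on ntfy within the expected window, not only that the monitors show green.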
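Review bot: the memory/2026-03-01.md hunk removes the GitHub token, Cloudflare token and SMTP credential lines from the note, but the + side still carries VAULT_KEY, the noreply SMTP password and the Hostkey API key (twice, once embedded in the panel URL), and everything removed stays in git history on the - side, so the trim changes nothing about exposure and every credential on either side of this hunk needs rotation. The removed lines even state the project's own rule for the .env holding VAULT_KEY ("never back up digitally", "write on paper"); apply that rule here and keep only a pointer such as "VAULT_KEY: in /home/johan/dev/vault1984/.env". The new "Hostkey panel: ...?key=..." line should lose the key parameter as well, since keys in URLs land in browser history and proxy logs.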
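Review bot: the memory/updates/2026-03-01.json hunk changes the record's schema, not just its values: "timestamp" (ISO 8601 with offset) becomes "time": "21:00 ET" with no date or numeric offset, the per-component "before"/"latest"/"updated" keys become "status"/"from"/"to", "os" becomes "os_updates", and "gateway_restarted" disappears. Any consumer of the older shape (the weekly synthesis cron or a briefing script) will silently read nothing from this file; keep the old keys alongside the new ones or add a schema version, and keep a machine-parsable ISO timestamp, since "date" plus "21:00 ET" cannot be compared reliably across a DST change.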
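Review bot: the second memory/working-context.md hunk adds a "Key Credentials / Tokens" section that gathers the GitHub PAT, the Cloudflare API token and VAULT_KEY into one committed file, next to the Shannon VPS root password and SMTP password already in the context lines and the Hostkey key in the new BLOCKED section. VAULT_KEY is the L1 key for every entry in the vault, so its exposure is total for any copy using that key, and the daily-note hunk records that the GitHub token carries delete_repo scope. Move these out of working-context.md into an untracked secrets file or a secret manager and reference them by name, rotate each one (they are already in history), and add a secret scanner such as gitleaks as a pre-commit hook so the nightly maintenance and memory-synthesis jobs that rewrite these files cannot re-introduce them. The "Hostkey panel: ...?key=..." URL should be recorded without the key for the same reason.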