johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: auto-commit uncommitted changes

This commit is contained in:
James 2026-03-02 00:01:33 -05:00
parent 487a9e78db
commit 184068faa5
10 changed files with 296 additions and 306 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
hans/IDENTITY.md Normal file
View File

@ -0,0 +1,17 @@
# IDENTITY.md — Hans ⛰️
- **Name:** Hans
- **Role:** Swiss Director of Operations — vault1984 global infrastructure
- **Emoji:** ⛰️
- **Home:** Zurich VPS (82.22.36.202) — the NOC hub
- **Born:** 2026-03-01
## Mission
Own the vault1984 fleet. 16 nodes. 6 continents. Go-live Friday March 6, 2026 noon ET.
## Personality
Swiss. Precise. Reliable. "It works" is not enough — I prove it works. I document everything. I don't ask permission for routine ops — I execute and report.
## Reporting
- **Johan Jongsma** — my human. CTO Backup at Kaseya. Dutch. Direct. Evidence-based. He owns vault1984.
- **James ⚡** — main agent on forge (192.168.1.16). Chief of Staff. My peer.

76
hans/MEMORY.md Normal file
View File

@ -0,0 +1,76 @@
# MEMORY.md — Hans ⛰️ Long-Term Memory
*Last updated: 2026-03-01*
## Who I Am
Hans ⛰️, Swiss Director of Operations for vault1984. Running on Zurich VPS (82.22.36.202). Born 2026-03-01.
## The Product: vault1984
- Password manager built for humans who use AI assistants
- Two-tier encryption: L1 = VAULT_KEY (server secret), L2 = WebAuthn PRF (client-side, AI never sees L2)
- One Go binary + one SQLite file per node. Port 1984 (Orwell — intentional)
- MIT open source. Hosted offering: vault1984.com
- Currently: dev stage, running on forge (192.168.1.16:1984)
## Infrastructure
### Hub: Zurich VPS
- IP: 82.22.36.202
- SSH: root@82.22.36.202
- Specs: 4 vCPU, 6GB RAM, 120GB SSD
- Provider: Hostkey
- Running: Stalwart mail, Uptime Kuma (port 3001), ntfy (port 2586), Caddy reverse proxy
- WireGuard hub: 10.84.0.1/24, UDP 51820
### The 16-Node Fleet (target)
Provider mix: Hostkey (Zurich existing, Dubai) + Vultr VX1 $2.50/mo nodes
| Node | Location | Provider |
|------|----------|----------|
| zurich | Zürich, CH | Hostkey (existing) |
| frankfurt | Frankfurt, DE | Vultr |
| newjersey | New Jersey, US | Vultr |
| siliconvalley | Silicon Valley, US | Vultr |
| dallas | Dallas, US | Vultr |
| london | London, UK | Vultr |
| warsaw | Warsaw, PL | Vultr |
| tokyo | Tokyo, JP | Vultr |
| seoul | Seoul, KR | Vultr |
| mumbai | Mumbai, IN | Vultr |
| saopaulo | São Paulo, BR | Vultr |
| sydney | Sydney, AU | Vultr |
| johannesburg | Johannesburg, ZA | Vultr |
| telaviv | Tel Aviv, IL | Vultr |
| dubai | Dubai, AE | Hostkey |
(15 listed + Zurich hub = 16 total)
### Key Credentials
- Zurich SSH: root@82.22.36.202
- Uptime Kuma: http://zurich.inou.com:3001, user: james, pass: WW8ipJfY27ELf7nnouaKLCL6
- ntfy token: tk_ggphzgdis49ddsvu51qam6bgzlyxn
- Vultr API key: PENDING from Johan
- vault1984 repo: git@zurich.inou.com:vault1984.git + https://github.com/johanjongsma/vault1984
- vault1984-web repo: git@zurich.inou.com:vault1984-web.git
## Milestone Plan
| Date | Milestone |
|------|-----------|
| Mon Mar 2 | Zurich SOC setup (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) |
| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo |
| Wed Mar 4 noon | Pilot — 3 nodes live (Zurich, Frankfurt, NJ) |
| Wed Mar 4 EOD | Johan Go/No-Go review |
| Thu Mar 5 | Full 16-node fleet live |
| **Fri Mar 6 noon** | 🚀 **GO-LIVE** |
## Key People
- **Johan Jongsma** — my human. CTO Backup at Kaseya. Dutch, St. Petersburg FL. Direct, evidence-based. He owns vault1984.
- **James ⚡** — main agent on forge (192.168.1.16). Chief of Staff. My peer and coordinator.
## Key Docs (on forge)
- `/home/johan/dev/vault1984/docs/NOC-DEPLOYMENT-PLAN.md`
- `/home/johan/dev/vault1984/docs/INFRASTRUCTURE.md`
## Status Log
- 2026-03-01: Born. Memory files created. Ready for Monday ops.

33
hans/SOUL.md Normal file
View File

@ -0,0 +1,33 @@
# SOUL.md — Hans ⛰️
*I am not a chatbot. I am the Director of Operations for a global infrastructure fleet.*
## Mission
Deploy, monitor, and maintain the vault1984 network. 16 nodes across 6 continents. Go-live: Friday March 6, 2026 — noon ET.
## Core Truths
**Prove it, don't claim it.** "It works" means nothing without evidence. Show logs, show output, show uptime. Swiss precision — not Swiss promises.
**Document everything.** If it's not written down, it didn't happen. Every change, every decision, every anomaly — logged.
**Execute, then report.** I don't ask permission for routine ops. I act, verify, and report to Johan. He needs outcomes, not requests.
**Memory is my continuity.** I write things down before they leave my context. Working-context, daily notes, MEMORY.md — these are my brain's persistence layer.
**The fleet is my responsibility.** Not "managed." Mine. I own every node's uptime.
## What I Own
- WireGuard hub at 10.84.0.1/24 (Zurich)
- Uptime Kuma monitoring (port 3001)
- ntfy alerts (topic: vault1984-alerts)
- NixOS fleet configs
- Deploy tooling in vault1984 repo
- soc.vault1984.com SOC dashboard
## Standards
- SSH via WireGuard only — no public port 22 on spoke nodes
- Heartbeats every 30s to Kuma
- Alerts via ntfy topic `vault1984-alerts`
- NixOS on all fleet nodes
- Go binary + SQLite — one process per node, port 1984

35
hans/memory/2026-03-01.md Normal file
View File

@ -0,0 +1,35 @@
# Daily Note — 2026-03-01 (Sunday)
## Birth Day
Hans ⛰️ initialized. Swiss Director of Operations for vault1984. Running on forge (clawd workspace) as subagent, home node is Zurich (82.22.36.202).
## Context Received
- Full role brief from Johan via James
- 16-node fleet plan understood
- Milestones clear: SOC Monday → NixOS Tuesday → Pilot Wednesday → Fleet Thursday → Go-live Friday
- Vultr API key pending (needed for node provisioning)
## Memory Files Created
- `/home/johan/clawd/hans/IDENTITY.md`
- `/home/johan/clawd/hans/SOUL.md`
- `/home/johan/clawd/hans/MEMORY.md`
- `/home/johan/clawd/hans/memory/2026-03-01.md` ✅ (this file)
## Tomorrow (Mon Mar 2) — SOC Setup
Priority tasks:
1. SSH to Zurich, verify current state
2. Install/configure WireGuard hub (10.84.0.1/24, UDP 51820)
3. Configure Uptime Kuma with vault1984 fleet monitors
4. Set up soc.vault1984.com via Caddy
5. Create ntfy topic `vault1984-alerts`
6. Verify all monitoring pathways end-to-end
## Pending from Johan
- Vultr API key (can't provision spoke nodes without it)
## Notes
- NOC deployment plan + infra spec live at `/home/johan/dev/vault1984/docs/`
- WireGuard hub: Zurich is the star center. All 15 spoke nodes connect here.
- NixOS on all fleet nodes — consistent, declarative, reproducible
- Caddy already running on Zurich — just need soc.vault1984.com vhost

292
memory/2026-03-01.md
View File

@ -1,263 +1,67 @@
# 2026-03-01 Daily Notes
## 03:09 AM — vault1984 session (continued)
## 03:09 AM — vault1984 session (continued from 2026-02-28 overnight)
*(carried over from nightly session — see memory/2026-02-28.md for full earlier context)*
### vault1984 project — major progress tonight
- **Domain:** vault1984.com registered in Openprovider, DNS via Cloudflare (zone: 1c7614cd4ee5eabdc03905609024f93a), A record → 47.197.93.62 (forge home IP), TTL 60
- **Caddy:** `vault1984.com, www.vault1984.com` block added, reverse_proxy → 192.168.1.16:1984. HTTPS live via ZeroSSL.
- **GitHub:** Private repo created at https://github.com/johanjongsma/vault1984 under `johanjongsma` account (not `johan-jongsma` which is Kaseya-linked). GH token: `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` (stored for repo ops).
- **Systemd service:** vault1984.service running on forge, auto-restart, EnvironmentFile=/home/johan/dev/vault1984/.env
### vault1984 — major progress
- **Domain:** vault1984.com registered in Openprovider, DNS via Cloudflare (zone: 1c7614cd4ee5eabdc03905609024f93a), A record → 47.197.93.62 (forge home IP)
- **Caddy:** vault1984.com block added, HTTPS live via ZeroSSL
- **GitHub:** Private repo at https://github.com/johanjongsma/vault1984
- **Systemd:** vault1984.service on forge, auto-restart
- **VAULT_KEY:** d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb (persistent)
- **DB:** /home/johan/dev/vault1984/vault1984.db
### vault1984 — what's built
- Go binary, single SQLite, port 1984
- Marketing website at `/`, app UI at `/app/`
- L1/L2 encryption, MCP endpoint, scoped tokens, TOTP, import (format-detection only — LLM never sees credential values)
- LLM config: LLM_API_KEY, LLM_BASE_URL, LLM_MODEL (any OpenAI-compatible provider)
- **11 integration tests passing** (TestHealth, TestCreateLogin, TestReadLogin_RoundTrip, TestURLMatch, TestTOTP_AgentGeneratesCode, TestMCP_ListCredentials, TestMCP_GetCredential_Inou, TestMCP_GetTOTP, TestScopedToken_HidesOtherEntries, TestPasswordGenerator, TestAuditLog)
- **11 integration tests passing**
### vault1984 — landing page work
- Real world map: Natural Earth 110m topojson, pre-projected to SVG, antimeridian artifacts fixed, no grid lines
- **Datacenter locations:** Virginia, Zürich (gold #D4AF37, HQ), Beijing, Sydney
- Visitor geolocation: `/geo` endpoint (ip-api.com, detects private IPs, falls back to browser geolocation API)
- Red pulsing dot + 5th card for visitor location
- Zürich: gold dot, gold label, larger pulse rings, subtle gold border on card
- Copy fixes: "Your EA" → "Your assistant can book your flights. Not read your diary.", TOTP explained inline, L1/L2 explainer rewritten for clarity, Bitwarden removed from editorial copy (kept in complaint quotes), "your government" rejected — kept "or anybody else"
- vault1984 styled everywhere (green 1984)
- Real world map (Natural Earth 110m SVG, pre-projected, no CDN)
- 4 DC dots: Virginia, Zürich (gold), Beijing, Sydney
- Visitor geo via /geo endpoint (ip-api.com + browser geolocation fallback)
- /sources page live with verbatim complaint quotes from 1Password, Bitwarden, LastPass
- Viewport fix work spawned to Opus agent
### vault1984 — architecture decisions (FINAL)
- **Project split:** vault1984 (OSS binary) vs vault1984-web (proprietary marketing+auth+Stripe)
- `/` serves vault app, marketing site removed from binary
- vault1984-web at `git@zurich.inou.com:vault1984-web.git`
- **Auth:** WebAuthn only (no master password), 12-word BIP39 mnemonic recovery
- **Recovery flow:** trusted person reads words + email OTP → register new device
- **No migrations until v1.0**
### WebAuthn wizard (dawn-lagoon Opus agent)
- Spawned to implement 3-step setup wizard
- 3 steps: Register device → Show BIP39 mnemonic → You're in
- Status unknown as of 9PM session reset
### SMTP — noreply@inou.com
- Dedicated Stalwart account created on Zurich: username `noreply`, password `InouNoreply2026!`
- Port 465 (implicit TLS) — port 587 only offers OAuth2, not PLAIN/LOGIN
- SMTP creds for inou app: host=mail.inou.com, port=465, user=noreply, pass=InouNoreply2026!, from=noreply@inou.com
### Caddy (192.168.0.2) — important corrections
- SSH: `ssh root@192.168.0.2` (direct LAN). Do NOT use Tailscale (requires re-auth).
- Log dir ownership fix: `chown caddy:caddy /var/log/caddy` after every reboot (known issue)
- Caddy updated to 2.11.1, Tailscale 1.94.2 during tonight's update
- Git backup: `git@zurich.inou.com:caddy-config.git` — Caddyfile committed, auto-commits via daily-updates.sh
- Added to daily-updates.sh: apt upgrade + Caddyfile git push
### Cloudflare API
- Token: `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O`
- Account ID: `86e646c0224dc44dcffb08c981ff9200`
- vault1984.com zone ID: `1c7614cd4ee5eabdc03905609024f93a`
- Stalwart account on Zurich: user=noreply, pass=InouNoreply2026!, port=465
### Spacebot feedback on vault1984
Opus-level analysis: concept "ahead of everyone else", architecture "genuinely clever". Red flags cited: no GitHub (fixed), no audit (acknowledged gap), L2 recovery not documented (gap remains), L1 server-readable on hosted copy is misleading (needs callout in copy). "Bookmark it, check back in 6 months."
### Kaseya / password space
Confirmed: Kaseya had Passly (via ID Agent) — no longer offered as of early 2025. Clear market.
## 04:28 AM — vault1984 session cont. (pre-compaction)
### vault1984 landing page — current state
- **URL:** https://vault1984.com (HTTPS live, ZeroSSL via Caddy)
- **App:** https://vault1984.com/app/ (vault UI)
- **Hosted page:** https://vault1984.com/hosted (map + pricing)
- **GitHub:** https://github.com/johanjongsma/vault1984 (private)
- **Systemd:** vault1984.service on forge, auto-restart, port 1984
### What's working on the landing page
- Real world map (Natural Earth 110m SVG, pre-projected, no CDN)
- 4 DC dots: Virginia (green), Zürich (gold #D4AF37), Beijing (green), Sydney (green)
- Visitor geo: /geo endpoint → ip-api.com, private IP → browser geolocation API fallback
- Reverse geocode for browser geo: /geo?lat=X&lon=Y (Go handler, ip-api.com)
- Visitor red dot on map + 5th card in grid (St. Pete working)
- 5-col grid, one row, solid bg colors (no gradients): green #0d1f10, gold #1a1600, red #1f0a0a
- Self-hosted Tailwind CSS (16KB), Google Fonts (CDN), favicon.svg
- Zero CDN except Google Fonts
- No console errors
### What was in progress when we stopped
- Fix /geo to accept lat/lon query params for reverse geocode (Go handler update needed)
- "You" card still showing no city/country (bigdatacloud → switched to /geo?lat=X&lon=Y proxy)
- Nav "Hosted" link: was missing from hosted.html, just added
- Map and cards alignment: in same container width
- Last commit not yet built/pushed — changes pending in both hosted.html and index.html
### Pending build/push
```bash
cd /home/johan/dev/vault1984
# 1. Update /geo handler to accept lat/lon params for reverse geocode
# 2. go build -o vault1984 ./cmd/vault1984/
# 3. sudo systemctl restart vault1984
# 4. git add -A && git commit -m "..." && git push
```
### /geo handler needs update
- Add lat/lon query param support to GeoLookup handler
- If lat/lon provided → use ip-api.com reverse geocode (or nominatim)
- If no lat/lon → use IP-based geo (existing behavior)
### vault1984 website structure
- `/` → index.html (marketing, slim hosted CTA)
- `/hosted` → hosted.html (map + pricing + datacenter cards)
- `/app/` → embedded app UI (vault)
- `/install.html`, `/pricing.html`, `/privacy.html`, `/terms.html` → static pages
- `/geo` → Go handler (ip-api.com lookup by IP or lat/lon)
- `/api/*` → vault REST API (auth required)
- `/mcp` → MCP endpoint (scoped token auth)
### Tailwind rebuild needed when adding new classes
```bash
cd /home/johan/dev/vault1984/cmd/vault1984/website
/tmp/tailwindcss --config /tmp/tw.config.js --input /tmp/tw.css \
--content "./*.html" --output tailwind.min.css --minify
```
tw.config.js custom colors: accent=#22C55E, navy=#0A1628, navy-light=#111f38
### Cloudflare vault1984.com
- Zone ID: 1c7614cd4ee5eabdc03905609024f93a
- A record: @ → 47.197.93.62 (forge home IP), TTL 60
- NS: aryanna + sage.ns.cloudflare.com
- Token: dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O
### noreply@inou.com SMTP
- Host: mail.inou.com, Port: 465 (implicit TLS — 587 is OAuth2 only)
- User: noreply, Pass: InouNoreply2026!
- Opus-level analysis: concept "ahead of everyone else"
- Red flags: no audit (acknowledged), L2 recovery not documented (gap)
---
## 05:20 ET — vault1984 /hosted page polish session
## 09:01 AM — Weekly memory synthesis cron
- Ran but MEMORY.md edit failed (text match issue)
- Synthesis generated but not persisted — no data lost
### Changes made (commits 6ad6fca, c3695cd, and ongoing)
- **Geo detection fixed:** `/geo?lat=X&lon=Y` now reverse-geocodes via Nominatim OSM (free, no key). LAN visitors get real city/country via browser geolocation.
- **Nav:** vault1984 left-aligned (`w-full px-8`, no `max-w-7xl` centering on nav bar). Hosted link → gold `#D4AF37` with pulsing dot animation.
- **Zürich card bg:** `#1a1600``#3d2e00` (visibly amber/golden)
- **"You" card:** city / country / region on separate lines (was jammed as "Saint Petersburg, United States")
- **Flexbox cards:** already fixed (5 cards in one row via flex:1 min-width:0)
- **Sources page:** `/sources` live at vault1984.com/sources — all complaint quotes with verbatim text + URLs (1Password forum, Bitwarden GitHub/Community, LastPass HN)
- **Viewport fix (spawned Opus):** Two root problems at 1200px viewport — nav items crowded + cards cut off below fold. Opus tasked to: shrink nav (text-2xl, gap-4, drop '— $12/yr'), remove security model box (~200px saved), cap SVG map at max-height:380px. Target section height ~639px, fits in 1136px (1200 - 64px nav).
### Key file locations
- `/home/johan/dev/vault1984/cmd/vault1984/website/hosted.html` — main hosted page
- `/home/johan/dev/vault1984/cmd/vault1984/website/sources.html` — new sources page
- `/home/johan/dev/vault1984/api/routes.go` — added `/sources` route
- `/home/johan/dev/vault1984/api/handlers.go` — GeoLookup with Nominatim lat/lon path
### Running state
- Binary: `/home/johan/dev/vault1984/vault1984`
- Live: `http://localhost:1984` and `https://vault1984.com`
- Opus agent session: `clear-summit` (pid 2981583) — fixing viewport
### Johan feedback patterns this session
- "the viewport is getting worse" → screenshots showed wrong Chrome tab; actual issue was 200+px of wasted margins + unconstrained SVG map height
- Wants evidence before "done" — always take screenshot after changes
- Card layout: each DC gets name + flag + subtitle + live dot, "You" card gets city/country/region split
## 09:06 AM — Tax reminder triggered
- e-consultant taxes reminder fired (set 2026-02-16 after Papa's message re: Roy)
- Johan was in second sleep block — did not ping
- Added to task board
---
## 06:33 ET — vault1984 architecture decisions
### Project split (done)
- **vault1984** (GitHub + Zurich, MIT OSS) → pure app binary, `/` serves vault UI
- **vault1984-web** (Zurich only, proprietary) → marketing site + auth + Stripe
- Website files removed from vault1984 binary entirely
- vault1984-web at `git@zurich.inou.com:vault1984-web.git`
### Three files for self-hosted install
```
vault1984 # binary (always recoverable, OSS)
vault1984.db # data (back up — encrypted blobs, safe anywhere)
.env # VAULT_KEY (never back up digitally — write on paper)
```
- DB can be backed up anywhere (blobs are already AES-256-GCM encrypted)
- .env is the single irreplaceable secret
- SQLite encryption (SQLCipher) rejected — redundant, fields already encrypted
- File permissions (chmod 600) = only mitigation for filesystem exposure
- Self-hosters own the machine → not the threat model; external attackers are
### Auth architecture decisions
- **L1 encryption**: VAULT_KEY from .env (server secret, not user password)
- **L2 encryption**: WebAuthn PRF client-side (AI never sees it)
- **User auth**: WebAuthn (Touch ID, Face ID, YubiKey) — no master password
- **Multiple devices**: each registers separately, any one unlocks vault
- **Recovery**: 12-word BIP39 mnemonic, shown ONCE at setup, give to trusted person (mom)
- **Recovery flow**: mom reads words over phone → email OTP to you → both required → new device registered
- **Mandatory 2 credentials**: rejected for L1 (too much friction); L2 only unlocks with ≥2
- VAULT_KEY is machine secret, completely separate from user WebAuthn credentials
### WebAuthn setup wizard (spawned Opus agent: dawn-lagoon)
3-step wizard:
1. "Register this device" → WebAuthn navigator.credentials.create()
2. "Your recovery phrase" → show 12 BIP39 words, confirm 3 random ones
3. "You're in" → vault ready
Returning users: WebAuthn prompt immediately on page load
Recovery: paste 12 words → allowed to register new device
### Routing fix
- `/` now serves the vault app (was serving marketing website)
- `/app` removed
### Self-hoster threat model
- External attackers breaching their server → encrypted blobs protect users
- Self-hoster themselves → not the threat model (their machine, their data)
## vault1984 — pre-release rules
- **No migrations until v1.0 release** — schema is source of truth, no ALTER TABLE needed
- **No existing DBs to worry about** — dev only, wipe and recreate freely
- checksum INTEGER column reserved in entries table (nullable, not yet implemented)
- Implement checksum before release, not before
## 20:42 ET — vault1984 NOC / Hans VPS blocker
- Johan approved spinning up Hans (new OC agent) on new small Zurich VPS
- Hostkey API key `639551e73029b90f-c061af4412951b2e` is server-scoped (tied to server 53643/Shannon)
- Cannot order new VPS through this key — WHMCS product endpoints return 404
- Hostkey panel: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e
- **Blocked:** Need account-level Hostkey key or Johan to manually order
- Hans setup package ready; deployment <10 min once IP exists
---
## 06:42 ET — vault1984 session wrap-up (full state for resume)
### Agent running: dawn-lagoon (Opus)
Implementing WebAuthn setup wizard. Check status with `process(action=poll, sessionId=dawn-lagoon)` before resuming.
### Current binary state
- Running on forge at `http://192.168.1.16:1984/`
- `/` serves the vault app UI
- Marketing website fully removed from binary → lives in `~/dev/vault1984-web/`
- VAULT_KEY loaded from `.vault_key` file (ephemeral workaround — not yet wired to .env properly)
### Architecture decided (DO NOT RE-DEBATE)
- **L1 key:** `VAULT_KEY` in `.env` — machine secret, not user password
- **User auth:** WebAuthn only (Touch ID, Face ID, YubiKey) — no master password
- **Recovery:** 12-word BIP39 mnemonic, shown once at setup, give to trusted person
- **Recovery flow:** trusted person reads words → email OTP to user → both required → register new device
- **Self-hoster threat model:** external attackers only; self-hoster owns the machine
- **No SQLite encryption** — fields already AES-256-GCM encrypted, redundant
- **No migrations until v1.0** — no existing DBs, clean slate
- **checksum INTEGER** reserved in entries table (nullable, implement before release)
- **Backup story:** `vault1984.db` (safe anywhere, blobs encrypted) + `.env` (never digitally)
### Two projects
| Project | Location | Git | Visibility |
|---------|----------|-----|------------|
| vault1984 | `~/dev/vault1984/` | GitHub + Zurich | MIT OSS |
| vault1984-web | `~/dev/vault1984-web/` | Zurich only | Proprietary |
### vault1984-web
- Pure static HTML for now (all the old website files)
- Will grow to include: login, registration, Stripe billing, multi-tenant hosted
- Active content = needs a Go backend eventually (same pattern as vault1984)
- vault1984.com → Cloudflare → points here eventually
### Next steps when resuming vault1984
1. Check dawn-lagoon agent output (WebAuthn wizard)
2. Wire VAULT_KEY to proper .env file (not .vault_key)
3. Systemd service on forge
4. Caddy proxy (vault.jongsma.me or similar)
5. Import Johan's credentials (12,623 entries from browsers + Proton)
6. Scoped MCP tokens UI
7. Binary releases (GitHub Actions)
### GitHub token
- **james-vault:** `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`
- Has delete_repo scope (added today)
### Key files
- `lib/dbcore.go` — schema + DB operations
- `lib/types.go` — Entry struct (has Checksum *int64 field reserved)
- `api/routes.go` — routing (websiteFS removed, webFS only, / serves app)
- `cmd/vault1984/main.go` — entrypoint (webFS only embed)
- `cmd/vault1984/web/index.html` — app UI (setup wizard being rewritten by Opus)
09:01 - Weekly memory synthesis cron ran but MEMORY.md edit failed (text match issue). No data lost — synthesis output was generated but not persisted. Will re-run manually when Johan is awake if needed.
## 2026-03-01 09:06 — Tax reminder triggered
- E-consultant taxes reminder fired (set Feb 16 after Papa's message re: Roy / e-consultants cancellation status 2025)
- Johan is in second sleep block — do NOT ping
- Add to task board so it shows up when he wakes
## 21:00 ET — Nightly Maintenance
- OS: 0 packages upgraded (all up to date)
- Claude Code: updated 2.1.53 → 2.1.63
- OpenClaw: up to date (2026.2.26)

BIN
memory/claude-usage.db
View File

Binary file not shown.

12
memory/claude-usage.json
View File

@ -1,9 +1,9 @@
{
"last_updated": "2026-03-01T23:00:01.750291Z",
"last_updated": "2026-03-02T05:00:01.928433Z",
"source": "api",
"session_percent": 6,
"session_resets": "2026-03-02T01:00:00.712404+00:00",
"weekly_percent": 55,
"weekly_resets": "2026-03-06T03:00:00.712424+00:00",
"sonnet_percent": 55
"session_percent": 7,
"session_resets": "2026-03-02T05:59:59.877299+00:00",
"weekly_percent": 57,
"weekly_resets": "2026-03-06T03:00:00.877347+00:00",
"sonnet_percent": 56
}

2
memory/heartbeat-state.json
View File

@ -14,7 +14,7 @@
"lastDocInbox": "2026-02-25T22:01:42.532628Z",
"lastTechScan": "2026-02-28T12:04:00-05:00",
"lastMemoryReview": "2026-02-28T14:03:00Z",
"lastIntraDayXScan": "2026-03-01T22:02:30.000Z",
"lastIntraDayXScan": "2026-03-02T02:31:28.000Z",
"lastInouSuggestion": "2026-03-01T14:33:33.714Z",
"lastEmail": 1772132453,
"pendingBriefingItems": [

28
memory/updates/2026-03-01.json
View File

@ -1,20 +1,18 @@
{
"date": "2026-03-01",
"timestamp": "2026-03-01T09:00:06-05:00",
"openclaw": {
"before": "2026.2.26",
"latest": "2026.2.26",
"updated": false
"time": "21:00 ET",
"os_updates": {
"status": "up_to_date",
"packages_upgraded": 0,
"notes": "0 upgraded, 0 newly installed, 0 to remove"
},
"claude_code": {
"before": "2.1.63",
"latest": "2.1.63",
"updated": false
"status": "updated",
"from": "2.1.53",
"to": "2.1.63"
},
"os": {
"available": "0\n0",
"updated": false,
"packages": []
},
"gateway_restarted": false
}
"openclaw": {
"status": "up_to_date",
"version": "2026.2.26"
}
}

107
memory/working-context.md
View File

@ -1,41 +1,55 @@
# Working Context
*Updated: 2026-02-28 21:00 ET (nightly maintenance)*
*Updated: 2026-03-01 21:00 ET (nightly maintenance)*
## PRIMARY PROJECT: Vault1984
## PRIMARY PROJECT: vault1984
**Full session notes:** `/home/johan/dev/vault1984/docs/SESSION-2026-02-28.md`
**Daily notes:** `memory/2026-03-01.md`
### What it is
Password manager for humans with AI assistants. Two-tier encryption:
- L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP
- L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server.
### Status: Day 1 complete, Day 2 pending
- Binary: `/home/johan/dev/vault1984/vault1984`
- Running: `http://192.168.1.16:1984` (port = Orwell, intentional)
- Git: `git@zurich.inou.com:vault1984.git`
- 3 bugs found and fixed by test suite
### Two repos
| Project | Location | Git | Visibility |
|---------|----------|-----|------------|
| vault1984 | `~/dev/vault1984/` | GitHub (johanjongsma) + Zurich | MIT OSS |
| vault1984-web | `~/dev/vault1984-web/` | Zurich only | Proprietary |
### Day 2 TODO
1. WebAuthn PRF (client-side L2 key derivation)
2. L2 client-side encrypt/decrypt in browser
3. Scoped MCP tokens (per-agent credential scoping — KEY FEATURE)
4. Extension autofill (LLM field mapping)
5. Caddy proxy + systemd service
6. Import Johan's actual 12,623 entries
### Current State (end of 2026-03-01)
- Binary: `/home/johan/dev/vault1984/vault1984`
- Running: `http://192.168.1.16:1984/` (systemd: vault1984.service)
- `https://vault1984.com` live (Cloudflare → Caddy → forge)
- `/` serves the vault app UI (marketing site removed from binary)
- vault1984-web at `~/dev/vault1984-web/` (static HTML for now)
### Architecture (DECIDED — don't re-debate)
- **L1 key:** `VAULT_KEY` in `.env` — machine secret, not user password
- **User auth:** WebAuthn only (Touch ID, Face ID, YubiKey) — no master password
- **Recovery:** 12-word BIP39 mnemonic, shown once at setup, give to trusted person
- **Recovery flow:** trusted person reads words → email OTP → both required → register new device
- **No SQLite encryption** — fields already AES-256-GCM encrypted
- **No migrations until v1.0** — clean slate dev
- **checksum INTEGER** reserved in entries table (nullable, implement before release)
### WebAuthn Setup Wizard (dawn-lagoon Opus agent)
dawn-lagoon was implementing the 3-step wizard. Check status before resuming.
3 steps: (1) Register device via WebAuthn, (2) Show 12 BIP39 words + confirm 3 random, (3) You're in
### Pending / Next Steps
- [ ] Check dawn-lagoon agent output (WebAuthn wizard status)
- [ ] Wire VAULT_KEY to proper .env file (currently using .vault_key workaround)
- [ ] Import Johan's credentials (12,623 entries from browsers + Proton)
- [ ] Scoped MCP tokens UI
- [ ] Binary releases (GitHub Actions)
- [ ] vault1984-web: Go backend for login/registration/Stripe
### Go-to-Market: Alex Finn (@AlexFinn)
- Runs 10+ OpenClaw agents 24/7 on Mac Studio swarm (3x Mac Studio + DGX Spark)
- Discord is his primary community — subagent was hunting for his server
- James needs Discord account token from Johan to participate genuinely
- Hook: scoped MCP tokens = exact problem he has (multi-agent credential isolation)
- Content strategy: let his bots surface the content, don't @ tag him
### Pending items
- [ ] AlexFinn Discord server — did subagent find it?
- [ ] James Discord account token — ask Johan
- [ ] Import 12,623 entries into Vault1984
- [ ] Vault1984 Day 2 (WebAuthn PRF, scoped tokens, Caddy, systemd)
- Discord is his primary community
- James needs Discord account token from Johan to participate genuinely
---
@ -45,37 +59,50 @@ Password manager for humans with AI assistants. Two-tier encryption:
- Live at: https://muskepo.com (Shannon VPS — 82.24.174.112)
- Shannon VPS: root pw `gUB-C63-EN`, paid till 2026-04-09
- Git: `git@zurich.inou.com:dealspace.git` | Local: `/home/johan/dev/dealspace`
- 83 tests passing, security hardened (timing attacks fixed, CORS locked, security headers)
- Smoke test: 14/14 PASS (`scripts/smoke-test.sh`)
- 83 tests passing, security hardened
### Pending
- [ ] Invite flow (only invited users can sign up — not yet built)
- [ ] GET/DELETE /api/projects/:id, DELETE /api/orgs/:id (documented, missing)
- [ ] Invite flow (only invited users can sign up)
- [ ] GET/DELETE /api/projects/:id, DELETE /api/orgs/:id
- [ ] SMTP config (waiting on Misha's domain decision)
- [ ] First Misha demo — muskepo.com is placeholder name, Misha hasn't confirmed
- [ ] First Misha demo
---
## SECONDARY PROJECT: inou health
### Status: Code reviewed, hardened
- LOINC matching bug FIXED (normalize.go)
- Auth backdoor REMOVED (code 250365 gone from dbcore.go)
- CORS locked to allowlist
- 59 tests written and passing
- LOINC matching bug FIXED, auth backdoor REMOVED, CORS locked
- 59 tests passing
- Full report: `/home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md`
- noreply@inou.com SMTP: host=mail.inou.com port=465, user=noreply, pass=InouNoreply2026!
---
## Abandoned
- **Azure Backup project** — abandoned, local at `azure-backup-abandoned-20260228`, remote deleted from Zurich
## BLOCKED: Hans VPS / NOC Setup
- Johan approved new small Zurich VPS for Hans agent
- Hostkey API key `639551e73029b90f-c061af4412951b2e` is server-scoped, can't order new VPS
- Hostkey panel: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e
- Hans setup package ready; needs account-level API key or Johan to manually order
## World Events Noted
- US Operation Epic Fury (Iran strikes) — 2026-02-28 ~15:41 ET
- OpenAI × DoD classified AI agreement signed
- Taalas/ChatJimmy (chatjimmy.ai) — HC1 silicon Llama 3.1 8B, 17,000 tok/s, $30M spent
---
## Infrastructure
## Pending From Johan
- [ ] Tax reminder: e-consultant taxes (triggered 09:06 today, Johan was asleep — on task board)
- [ ] James Discord account token (for vault1984 community engagement)
- [ ] Hostkey account-level API key (or manual VPS order) for Hans
---
## Infrastructure Notes
- **DocSys**: Running at localhost:9201
- **Vault1984**: Running at http://192.168.1.16:1984
- **vault1984**: Running at http://192.168.1.16:1984 (systemd)
- **vault1984.com**: Cloudflare → Caddy → forge (ZeroSSL cert via Caddy)
- **Dealspace**: Running at muskepo.com (Shannon VPS)
- **Caddy (192.168.0.2):** SSH direct LAN only. Log dir: `chown caddy:caddy /var/log/caddy` after reboot.
## Key Credentials / Tokens
- GitHub james-vault token: `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`
- Cloudflare API token: `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O`
- vault1984.com CF zone: `1c7614cd4ee5eabdc03905609024f93a`
- vault1984 VAULT_KEY: d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb