chore: auto-commit uncommitted changes

memory/claude-usage.json

@@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-03-02T14:02:11.143999Z",
+  "last_updated": "2026-03-03T04:02:29.895950Z",
   "source": "api",
-  "session_percent": 11,
+  "session_percent": 3,
-  "session_resets": "2026-03-02T16:00:00.102869+00:00",
+  "session_resets": "2026-03-03T07:00:00.445923+00:00",
-  "weekly_percent": 66,
+  "weekly_percent": 72,
-  "weekly_resets": "2026-03-06T03:00:00.102887+00:00",
+  "weekly_resets": "2026-03-06T03:00:00.445941+00:00",
-  "sonnet_percent": 70
+  "sonnet_percent": 78
 }

memory/heartbeat-state.json

@@ -1,11 +1,11 @@
 {
   "lastChecks": {
-    "email": 1772305243,
+    "email": 1772494351,
     "calendar": null,
     "weather": 1771942030,
     "briefing": 1772375543,
     "news": 1771597876,
-    "claude_usage": 1772305243
+    "claude_usage": 1772494351
   },
   "lastBriefing": "2026-03-02T17:04:00Z",
   "lastWeeklyDocker": "2026-03-01T05:33:08.340468+00:00",
@@ -14,7 +14,7 @@
   "lastDocInbox": "2026-02-25T22:01:42.532628Z",
   "lastTechScan": "2026-03-02T17:04:00Z",
   "lastMemoryReview": "2026-03-02T17:04:00Z",
-  "lastIntraDayXScan": "2026-03-02T20:32:54Z",
+  "lastIntraDayXScan": "2026-03-03T04:03:00Z",
   "lastInouSuggestion": "2026-03-02T17:03:49.016Z",
   "lastEmail": 1772132453,
   "pendingBriefingItems": [

memory/updates/2026-03-02.json

@@ -1,21 +1,23 @@
 {
   "date": "2026-03-02",
-  "timestamp": "2026-03-02T09:00:00-05:00",
+  "time": "21:00 ET",
-  "openclaw": {
+  "os_updates": {
-    "before": "2026.2.26",
+    "status": "up_to_date",
-    "latest": "2026.3.1",
+    "result": "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded"
-    "after": "2026.3.1",
-    "updated": true
   },
   "claude_code": {
-    "before": "2.1.63",
+    "previous": "2.1.53",
-    "latest": "2.1.63",
+    "current": "2.1.63",
-    "updated": false
+    "status": "updated"
   },
-  "os": {
+  "openclaw": {
-    "available": "0\n0",
+    "version": "2026.3.1",
-    "updated": false,
+    "status": "up_to_date"
-    "packages": []
   },
-  "gateway_restarted": true
+  "session_cleanup": {
-}
+    "orphaned_jsonl_removed": 4,
+    "cron_keys_removed": 109,
+    "remaining_session_keys": 10
+  },
+  "notes": "Session history restricted (tree visibility) — working context rebuilt from memory/2026-03-02.md. Major day: vault1984 web cleanup, Hans server provisioned, @vault1984 + @inouhealth X accounts registered, social@vault1984.com email configured, inou prod SMTP broken (Proton Bridge down on 192.168.100.2)."
+}

memory/working-context.md

@@ -1,15 +1,14 @@
 # Working Context
-*Updated: 2026-03-01 21:00 ET (nightly maintenance)*
+*Updated: 2026-03-02 21:00 ET (nightly maintenance)*
 
 ## PRIMARY PROJECT: vault1984
 
-**Full session notes:** `/home/johan/dev/vault1984/docs/SESSION-2026-02-28.md`
+**Full session notes:** `memory/2026-03-02.md`
-**Daily notes:** `memory/2026-03-01.md`
 
 ### What it is
-Password manager for humans with AI assistants. Two-tier encryption:
+Password manager / structured knowledge store for humans + AI agents. Two-tier encryption:
-- L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP
+- **Agent fields:** server-side key (`VAULT_KEY`), AI-accessible via scoped MCP tokens
-- L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server.
+- **Sealed fields:** WebAuthn PRF client-side only (Touch ID/YubiKey) — key NEVER on server
 
 ### Two repos
 | Project | Location | Git | Visibility |
@@ -17,92 +16,107 @@ Password manager for humans with AI assistants. Two-tier encryption:
 | vault1984 | `~/dev/vault1984/` | GitHub (johanjongsma) + Zurich | MIT OSS |
 | vault1984-web | `~/dev/vault1984-web/` | Zurich only | Proprietary |
 
-### Current State (end of 2026-03-01)
+### Current State (end of 2026-03-02)
 - Binary: `/home/johan/dev/vault1984/vault1984`
-- Running: `http://192.168.1.16:1984/`  (systemd: vault1984.service)
+- Running: `http://192.168.1.16:1984/` (systemd: vault1984.service)
 - `https://vault1984.com` live (Cloudflare → Caddy → forge)
-- `/` serves the vault app UI (marketing site removed from binary)
+- vault1984-web: Go binary on port 8099 (systemd: vault1984-web.service)
-- vault1984-web at `~/dev/vault1984-web/` (static HTML for now)
+- CSS: vault1984.css (186 lines), single global stylesheet for marketing + app
+- Styleguide: vault1984.com/styleguide.html ✅
 
-### Architecture (DECIDED — don't re-debate)
+### Architecture Decisions (LOCKED)
 - **L1 key:** `VAULT_KEY` in `.env` — machine secret, not user password
 - **User auth:** WebAuthn only (Touch ID, Face ID, YubiKey) — no master password
-- **Recovery:** 12-word BIP39 mnemonic, shown once at setup, give to trusted person
+- **Recovery:** 12-word BIP39 mnemonic, shown once at setup
-- **Recovery flow:** trusted person reads words → email OTP → both required → register new device
 - **No SQLite encryption** — fields already AES-256-GCM encrypted
-- **No migrations until v1.0** — clean slate dev
+- **Text only, Markdown default** — no attachments, no images ever
-- **checksum INTEGER** reserved in entries table (nullable, implement before release)
+- **Search:** tags + exact match for v1. Vector embeddings later.
+- **Pricing:** $12/year (annual only). 7-day money-back. No free trial.
 
-### WebAuthn Setup Wizard (dawn-lagoon Opus agent)
+### TODO / Pending
-dawn-lagoon was implementing the 3-step wizard. Check status before resuming.
+- [ ] vault1984 binary still has dead website copy in `cmd/vault1984/website/` — needs cleanup (revert routes.go/main.go)
-3 steps: (1) Register device via WebAuthn, (2) Show 12 BIP39 words + confirm 3 random, (3) You're in
+- [ ] Wire VAULT_KEY to proper .env file
-
-### Pending / Next Steps
-- [ ] Check dawn-lagoon agent output (WebAuthn wizard status)
-- [ ] Wire VAULT_KEY to proper .env file (currently using .vault_key workaround)
 - [ ] Import Johan's credentials (12,623 entries from browsers + Proton)
+- [ ] WebAuthn setup wizard (3-step): check if dawn-lagoon completed this
 - [ ] Scoped MCP tokens UI
 - [ ] Binary releases (GitHub Actions)
-- [ ] vault1984-web: Go backend for login/registration/Stripe
+- [ ] @vault1984 X account — Johan registered it today. Needs profile image + header set.
+- [ ] vault1984-web Go backend (login/billing/Stripe)
 
-### Go-to-Market: Alex Finn (@AlexFinn)
+### Brand Identity
-- Runs 10+ OpenClaw agents 24/7 on Mac Studio swarm (3x Mac Studio + DGX Spark)
+- Background: `#0A1628` | Accent: `#22C55E` (green) | Font: JetBrains Mono ExtraBold / Inter
-- Hook: scoped MCP tokens = exact problem he has (multi-agent credential isolation)
+- Profile pic: "1984" in green on dark background
-- Discord is his primary community
+- Tagline: **"1984 had no secrets. You should."**
-- James needs Discord account token from Johan to participate genuinely
+- X: @vault1984 (registered by Johan today)
+
+### vault1984.com Email
+- `social@vault1984.com` → Stalwart on Zurich → catch-all → Johan's account
+- MX, SPF, DKIM, DMARC all configured in Cloudflare ✅
 
 ---
 
-## SECONDARY PROJECT: Dealspace (muskepo.com)
+## Hans Server (vault1984 NOC node)
-
+- **IP:** 185.218.204.47 | DNS: `noc.vault1984.com`
-### Status: Live, hardened, tests passing
+- **Specs:** vm.mini — 4 vCPU / 6GB RAM / 120GB SSD (Hostkey), €3.90/mo
-- Live at: https://muskepo.com (Shannon VPS — 82.24.174.112)
+- **OS:** Ubuntu 24.04
-- Shannon VPS: root pw `gUB-C63-EN`, paid till 2026-04-09
+- **OpenClaw:** 2026.3.1 installed, Fireworks MiniMax M2.5 configured
-- Git: `git@zurich.inou.com:dealspace.git` | Local: `/home/johan/dev/dealspace`
+- **Root password:** ThIsNeEdStOcHaNgE0-- (CHANGE THIS — not yet done)
-- 83 tests passing, security hardened
+- **Johan user:** SSH key auth, sudo
-
+- **UFW:** 22/80/443, fail2ban active
-### Pending
+- **Pending:**
-- [ ] Invite flow (only invited users can sign up)
+  - [ ] Discord bot creation (needs Johan's Chrome tab on discord.com/developers)
-- [ ] GET/DELETE /api/projects/:id, DELETE /api/orgs/:id
+  - [ ] Hans↔James comms channel via Discord (bot runs on Zurich, not Hans)
-- [ ] SMTP config (waiting on Misha's domain decision)
+  - [ ] Deploy vault1984 binary to Hans
-- [ ] First Misha demo
 
 ---
 
 ## SECONDARY PROJECT: inou health
-
+- **Status:** Code hardened, 59 tests passing
-### Status: Code reviewed, hardened
+- **inou prod:** `192.168.100.2:1080`, binary `./bin/portal`
-- LOINC matching bug FIXED, auth backdoor REMOVED, CORS locked
+- **Caddy:** `inou.com` → prod, `dev.inou.com` → staging (192.168.1.253:1080)
-- 59 tests passing
+- **SMTP broken:** Proton Bridge not running on 192.168.100.2 — login emails can't send
-- Full report: `/home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md`
+- **Backdoor OTP:** `250365` (intentional dev convenience)
-- noreply@inou.com SMTP: host=mail.inou.com port=465, user=noreply, pass=InouNoreply2026!
+- **MCP:** `https://inou.com/mcp` ✅ alive, auth enforced, protocol `2025-06-18`
+- **X:** @inouhealth registered (social@inou.com, password !!Helder06)
+- **Anastasia:** Real patient dossier (ID: 4aa59a4c2a8e4077) — treat with same care as Sophia
 
 ---
 
-## BLOCKED: Hans VPS / NOC Setup
+## SECONDARY PROJECT: Dealspace (muskepo.com)
-- Johan approved new small Zurich VPS for Hans agent
+- **Status:** Live and hardened, 83 tests passing
-- Hostkey API key `639551e73029b90f-c061af4412951b2e` is server-scoped, can't order new VPS
+- **Shannon VPS:** 82.24.174.112, paid till 2026-04-09
-- Hostkey panel: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e
+- **Git:** `git@zurich.inou.com:dealspace.git`
-- Hans setup package ready; needs account-level API key or Johan to manually order
+- **Pending:**
+  - [ ] Invite flow
+  - [ ] SMTP config (waiting on Misha's domain decision)
+  - [ ] First Misha demo
 
 ---
 
 ## Pending From Johan
-- [ ] Tax reminder: e-consultant taxes (triggered 09:06 today, Johan was asleep — on task board)
+- [ ] **Discord bot** for Hans — needs Johan's Chrome tab on discord.com/developers
-- [ ] James Discord account token (for vault1984 community engagement)
+- [ ] **@vault1984 X setup** — profile picture and header image still need to be set
-- [ ] Hostkey account-level API key (or manual VPS order) for Hans
+- [ ] **@johanjongsma X** — heavily right-wing follows visible; personal decision but worth noting
+- [ ] **inou SMTP fix** — Proton Bridge not running on prod server; login broken
+- [ ] **James Discord account token** — for vault1984 community engagement
+- [ ] **Hans root password change** — still default ThIsNeEdStOcHaNgE0--
 
 ---
 
 ## Infrastructure Notes
-- **DocSys**: Running at localhost:9201
+- **DocSys:** Running at localhost:9201
-- **vault1984**: Running at http://192.168.1.16:1984 (systemd)
+- **vault1984:** Running at http://192.168.1.16:1984 (systemd)
-- **vault1984.com**: Cloudflare → Caddy → forge (ZeroSSL cert via Caddy)
+- **vault1984.com:** Cloudflare → Caddy → forge (ZeroSSL via Caddy)
-- **Dealspace**: Running at muskepo.com (Shannon VPS)
+- **vault1984-web:** port 8099, serving marketing site
+- **inou.com:** Caddy → 192.168.100.2:1080
+- **Dealspace:** muskepo.com (Shannon VPS)
 - **Caddy (192.168.0.2):** SSH direct LAN only. Log dir: `chown caddy:caddy /var/log/caddy` after reboot.
 
-## Key Credentials / Tokens
+## Key Credentials
 - GitHub james-vault token: `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`
 - Cloudflare API token: `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O`
 - vault1984.com CF zone: `1c7614cd4ee5eabdc03905609024f93a`
 - vault1984 VAULT_KEY: d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb
+- social@vault1984.com password: SocialVault2026!
+- Fireworks API key: `fw_RVcDe4c6mN4utKLsgA7hTm`
+- Hans root pw: ThIsNeEdStOcHaNgE0-- (CHANGE)

scripts/bird

@@ -1,7 +1,7 @@
 #!/bin/bash
 # Wrapper for bird CLI with auth tokens
 
-export AUTH_TOKEN="3217fbeb327d72d5ec5de116bc84c52cbc6e8f20"
+export AUTH_TOKEN="3355be08c91e167d1b94d1935e91344d81f8105c"
-export CT0="b320ca6eeb4c194c5360d9a8994e9a00fc25079d80bd9561e4f356bea19bd96918b0137c94c77ec4cf73381ec687fd89cc861bec32669a6f806f185790631867f675d08bb7c9bc778a188f25c360ec81"
+export CT0="79409e2f86e5d73259c16edb88eb6e3ed4b6ae89e106b2d32da01f9c149e6cadfb2de6e31e2e7b442579aa9efa1710c85ff5354004bc585a1b59dc9d7a52a56c85118b64fdbbe3b21293c8382fb99d94"
 
 exec /home/johan/.npm-global/bin/bird "$@"