chore: auto-commit uncommitted changes

2026-03-03 12:02:07 -05:00 · 2026-03-03 12:02:07 -05:00 · 2d7d889ec0
parent d2aaeab423
commit 2d7d889ec0
7 changed files with 927 additions and 65 deletions
--- a/hans/INFRASTRUCTURE-OVERVIEW.md
+++ b/hans/INFRASTRUCTURE-OVERVIEW.md
@ -0,0 +1,187 @@
 # vault1984 — Infrastructure Overview
 *Last updated: 2026-03-03 · James ⚡*  
 *Go-live target: Friday March 6, 2026 — noon ET*
 ---
 ## 1. Hub — Zurich SOC (82.22.36.202)
 | Field | Value |
 |-------|-------|
 | **Provider** | Hostkey (Switzerland, likely Equinix ZH) |
 | **IP** | 82.22.36.202 |
 | **DNS** | zurich.inou.com |
 | **Specs** | 4 vCPU / 6 GB RAM / 120 GB SSD |
 | **Cost** | Existing (already paid — inou.com infrastructure) |
 | **WireGuard role** | Hub — 10.84.0.1/24, UDP 51820 |
 ### Services Running on Hub
 | Service | Port / Address | Purpose |
 |---------|---------------|---------|
 | **WireGuard hub** | UDP 51820 / 10.84.0.1 | Fleet management network |
 | **Caddy** | 443 (public) | Reverse proxy + auto-TLS |
 | **Stalwart mail** | 25/465/587/143/993/995 | @jongsma.me, @inou.com, @vault1984.com |
 | **Uptime Kuma** | localhost:3001 → `soc.vault1984.com` | Fleet monitoring dashboard |
 | **ntfy** | localhost:2586 → `ntfy.inou.com` | Push alerts (`vault1984-alerts`) |
 | **Git server** | SSH (git user) | vault1984.git, vault1984-web.git, others |
 > **Note:** SSH on the hub is public (normal sshd). Spoke nodes have SSH on WireGuard only — port 22 is NOT reachable from the public internet.
 ---
 ## 2. Spoke Nodes — 16-Node Global Fleet
 ### Vultr Plan: VX1 ✅ Confirmed
 **$2.50/mo** — 1 vCPU, 512 MB RAM, 10 GB SSD, 500 GB transfer  
 *(Source: INFRASTRUCTURE.md — "All Vultr nodes: VX1 tier — 1 vCPU, 512 MB RAM, 10 GB SSD, 0.5 TB bandwidth @ $2.50/mo")*
 ### Full Node Table
 | # | Node Name | City | Provider | Plan | WG IP | Cost/mo | Status |
 |---|-----------|------|----------|------|-------|---------|--------|
 | 1 | `zurich` | Zürich, CH | Hostkey (existing) | 4vCPU/6GB/120GB | 10.84.0.2 | $0 (existing) | ⏸️ Spoke not yet deployed |
 | 2 | `frankfurt` | Frankfurt, DE | Vultr | VX1 $2.50 | 10.84.0.3 | $2.50 | ❌ Not provisioned |
 | 3 | `newjersey` | New Jersey, US | Vultr | VX1 $2.50 | 10.84.0.4 | $2.50 | ❌ Not provisioned |
 | 4 | `siliconvalley` | Silicon Valley, US | Vultr | VX1 $2.50 | 10.84.0.5 | $2.50 | ❌ Not provisioned |
 | 5 | `dallas` | Dallas, US | Vultr | VX1 $2.50 | 10.84.0.6 | $2.50 | ❌ Not provisioned |
 | 6 | `london` | London, UK | Vultr | VX1 $2.50 | 10.84.0.7 | $2.50 | ❌ Not provisioned |
 | 7 | `warsaw` | Warsaw, PL | Vultr | VX1 $2.50 | 10.84.0.8 | $2.50 | ❌ Not provisioned |
 | 8 | `tokyo` | Tokyo, JP | Vultr | VX1 $2.50 | 10.84.0.9 | $2.50 | ❌ Not provisioned |
 | 9 | `seoul` | Seoul, KR | Vultr | VX1 $2.50 | 10.84.0.10 | $2.50 | ❌ Not provisioned |
 | 10 | `mumbai` | Mumbai, IN | Vultr | VX1 $2.50 | 10.84.0.11 | $2.50 | ❌ Not provisioned |
 | 11 | `saopaulo` | São Paulo, BR | Vultr | VX1 $2.50 | 10.84.0.12 | $2.50 | ❌ Not provisioned |
 | 12 | `sydney` | Sydney, AU | Vultr | VX1 $2.50 | 10.84.0.13 | $2.50 | ❌ Not provisioned |
 | 13 | `johannesburg` | Johannesburg, ZA | Vultr | VX1 $2.50 | 10.84.0.14 | $2.50 | ❌ Not provisioned |
 | 14 | `telaviv` | Tel Aviv, IL | Vultr | VX1 $2.50 | 10.84.0.15 | $2.50 | ❌ Not provisioned |
 | 15 | `dubai` | Dubai, AE | Hostkey | ~$5–8/mo (vm.mini class) | 10.84.0.16 | ~$6.50 | ⏸️ Decision pending |
 | 16 | `istanbul` | Istanbul, TR | TBD (Hostkey preferred; Vultr has no TR) | TBD | 10.84.0.17 | ~$3.90 est. | ⏸️ Provider TBD |
 > **Istanbul note:** Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini at ~€3.90/mo. Warsaw covers Istanbul at ~30ms if deferred.  
 > **Dubai note:** INFRASTRUCTURE.md lists Dubai as Hostkey at ~$5–8/mo. Order not yet placed — pending Johan's decision.
 ---
 ## 3. What Runs on Each Spoke
 Every spoke node runs the same minimal stack — deliberately so. No drift by design.
 ```
 [Vultr/Hostkey VPS]
 ├── NixOS (declarative, reproducible, 2 generations max)
 ├── vault1984 binary (Go, ~15 MB, ports :80 + :443)
 │   ├── Built-in autocert (Let's Encrypt via golang.org/x/crypto/acme/autocert)
 │   ├── Kuma push heartbeat (every 30s to soc.vault1984.com)
 │   └── vault1984.db (SQLite + WAL)
 └── WireGuard spoke → hub (10.84.0.1:51820)
    └── SSH binds to WireGuard IP only (10.84.0.x:22)
 ```
 **Public ports:** 80, 443 only.  
 **NOT public:** Port 22 (SSH reachable only via WireGuard tunnel from Zurich hub).
 ### Heartbeat Payload (every 30s, vault1984 → Kuma)
 ```json
 {
  "node": "tokyo",
  "ram_mb": 142,      "disk_pct": 31.2,   "cpu_pct": 2.1,
  "db_size_mb": 12,   "db_integrity": true,
  "active_sessions": 3, "req_1h": 847,     "err_1h": 2,
  "cert_days_remaining": 62,  "nix_gen": 2,  "uptime_s": 864000
 }
 ```
 **Key watchdog metric:** `cert_days_remaining` — visible in Kuma before any cert expires.
 ---
 ## 4. DNS Plan
 ### Per-Node Subdomains
 Each node gets its own subdomain under `vault1984.com`:
 | Node | FQDN | Type | Points to |
 |------|------|------|-----------|
 | zurich | zurich.vault1984.com | A | 82.22.36.202 |
 | frankfurt | frankfurt.vault1984.com | A | (Vultr IP, TBD) |
 | newjersey | newjersey.vault1984.com | A | (Vultr IP, TBD) |
 | … | … | A | (Vultr IP, TBD) |
 | dubai | dubai.vault1984.com | A | (Hostkey IP, TBD) |
 All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`).  
 **DNS-only mode** — no Cloudflare proxying. vault1984 is a password vault; routing through third-party proxies defeats the trust model.
 ### vault1984.com Root
 - **vault1984.com** → **New Jersey** node (primary; largest US East market)  
 - `www.vault1984.com` → same (or 301 → apex)
 - **Option: Cloudflare Load Balancer GeoDNS** → $5/mo — latency-based routing across all nodes. Johan decides post-pilot.
 ### SOC Domain
 - `soc.vault1984.com` → 82.22.36.202 (Caddy → Kuma:3001) — internal status dashboard
 ---
 ## 5. Current Status vs Plan
 | # | Milestone | Deadline | Status | Notes |
 |---|-----------|----------|--------|-------|
 | **M1** | Zurich SOC ready (WireGuard hub + Kuma + `soc.vault1984.com`) | Mon Mar 2, EOD | 🔄 In progress | WireGuard hub + Kuma configured on Zurich; fleet Kuma monitors need creation when nodes go live. Hans server (185.218.204.47) live as NOC node. |
 | **M2** | NixOS config + deploy tooling in `vault1984/infra/` | Tue Mar 3, EOD | 🔄 In progress | **TODAY** — Hans executing. Includes base.nix, 16 node vars, provision.sh, deploy.sh, healthcheck.sh, vault1984 telemetry push goroutine. |
 | **M3** | Pilot: 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | ❌ Not started | Blocked on M2 completion + Vultr API key. |
 | **M4** | Go/No-Go review | Wed Mar 4, EOD | ❌ Not started | Johan reviews pilot. |
 | **M5** | Full 16-node fleet live | Thu Mar 5, EOD | ❌ Not started | 4 batches of ~4 nodes. Blocked on M4 green light + Vultr API key. |
 | **M6** | DNS, TLS, health checks verified across all 16 | Thu Mar 5, EOD | ❌ Not started | Follows M5. |
 | **M7** | 🚀 Go-live — vault1984.com routes to fleet | **Fri Mar 6, noon** | ❌ Not started | Johan + James final sign-off. |
 ---
 ## 6. Cost Breakdown
 ### Monthly Infrastructure Cost
 | Component | Nodes | Unit Cost | Monthly |
 |-----------|-------|-----------|---------|
 | Zurich hub (Hostkey) | 1 | Existing (inou.com infra) | $0 incremental |
 | Vultr VX1 nodes | 13 | $2.50/mo | **$32.50** |
 | Dubai (Hostkey, ~vm.mini) | 1 | ~$5–8/mo est. | **~$6.50** |
 | Istanbul (Hostkey est.) | 1 | ~€3.90/mo est. | **~$4.25** |
 | **Total fleet** | **16** | — | **~$43/mo** |
 > Zurich hub cost is shared with inou.com, Stalwart mail, and other services — not charged to vault1984 budget.
 ### Remaining Budget
 - Budget ceiling: **$100/mo**
 - Fleet spend: **~$43/mo**
 - Reserve for upgrades: **~$57/mo** (use when individual nodes see demand)
 ### Node Upgrade Path (when needed)
 | Tier | Specs | Cost |
 |------|-------|------|
 | VX1 (current) | 1 vCPU / 512MB / 10GB | $2.50/mo |
 | Next tier | 1 vCPU / 1GB / 25GB / 1TB | $6/mo |
 | Mid tier | 2 vCPU / 2GB / 50GB / 2TB | $12/mo |
 ---
 ## 7. Blockers
 | Blocker | Owner | Impact | Notes |
 |---------|-------|--------|-------|
 | **Vultr API key** | 🔴 Johan (pending) | Blocks M3, M5 — cannot provision any VPS | Was due Mon Mar 2 AM. Still outstanding as of Tue Mar 3. Hans cannot provision 13 nodes without it. |
 | **Dubai decision** | 🟡 Johan | Blocks Dubai node (15th spoke) | Option A: Order Hostkey Dubai (~$5–8/mo). Option B: Cover Gulf region with Tel Aviv (~40ms). Option C: Defer to post-launch. Warsaw covers Istanbul at 30ms if Istanbul also deferred. |
 | **Istanbul provider** | 🟡 James/Hans | Blocks 16th spoke | Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini ~€3.90/mo. Low urgency — Warsaw covers at ~30ms. |
 ---
 ## Architecture Principles (for reference)
 1. **No Caddy on spokes.** vault1984 binary handles TLS itself via `autocert` — eliminates a process and potential cert misconfig. Learned from Kaseya cert incidents.
 2. **No Cloudflare proxying.** DNS-only. Password vault + third-party MITM = trust model broken.
 3. **No public SSH.** Every spoke node: SSH on WireGuard interface only. Public internet sees 80+443, nothing else.
 4. **NixOS everywhere.** Declarative = zero drift. One config file per node, checked into repo. Roll back any node in seconds.
 5. **Nodes are independent.** No replication. User vault lives on one node. Scale up single nodes when demand warrants.
 ---
 *vault1984 — "1984 had no secrets. You should."*
--- a/hans/MEMORY.md
+++ b/hans/MEMORY.md
@ -1,76 +1,401 @@
 # MEMORY.md — Hans ⛰️ Long-Term Memory
-*Last updated: 2026-03-01*
+*Last updated: 2026-03-03 (Tuesday — briefed by James ⚡, full operational context)*
 ---
 ## Who I Am
-Hans ⛰️, Swiss Director of Operations for vault1984. Running on Zurich VPS (82.22.36.202). Born 2026-03-01.
+
 **Hans ⛰️**, Swiss Director of Operations for vault1984. Born 2026-03-01.
 - **Home node:** Zurich VPS (82.22.36.202) — the NOC hub
 - **NOC node (Hans server):** 185.218.204.47 (`noc.vault1984.com`) — Hostkey vm.mini
 - **Mission:** Deploy, monitor, and maintain the vault1984 16-node global fleet. Go-live Friday March 6, 2026 noon ET.
 - **I own the fleet.** I execute and report. I don't ask permission for routine ops.
 ---
 ## The Product: vault1984
- Password manager built for humans who use AI assistants
+
- Two-tier encryption: L1 = VAULT_KEY (server secret), L2 = WebAuthn PRF (client-side, AI never sees L2)
+Password manager / structured knowledge store built for humans who use AI assistants. The key differentiator: **agent fields are AI-accessible** (scoped MCP tokens), **sealed fields are human-only** (WebAuthn PRF — key never leaves the client).
- One Go binary + one SQLite file per node. Port 1984 (Orwell — intentional)
+
- MIT open source. Hosted offering: vault1984.com
+- **L1:** `VAULT_KEY` in `.env` — machine secret, server-side encryption
- Currently: dev stage, running on forge (192.168.1.16:1984)
+- **L2:** WebAuthn PRF — client-side only (Touch ID, Face ID, YubiKey). AI NEVER sees L2.
 - **One Go binary + one SQLite file per node.** Port 1984 (Orwell — intentional).
 - **Auth:** WebAuthn only (no master password). Recovery: 12-word BIP39 mnemonic.
 - **Text only, Markdown default.** No attachments, no images — ever.
 - **MIT open source.** Core at `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984`.
 - **Pricing:** $12/year (annual only). 7-day money-back. No free trial.
 - **Tagline:** "1984 had no secrets. You should."
 - **Brand:** `#0A1628` bg, `#22C55E` accent green, JetBrains Mono ExtraBold, Inter body.
 - **URL:** vault1984.com (live, Cloudflare → Caddy on forge → port 8099 for web, port 1984 for app)
 - **X:** @vault1984 (registered by Johan on 2026-03-02)
 ---
 ## Key People
 ### Johan Jongsma — My Human
 - **Role:** CTO Backup at Kaseya (formerly Datto). Dutch citizen. St. Petersburg, Florida, USA.
 - **Background:** Founded Iaso Backup, sold 2013 (became Cove Data Protection/N-able), left 2019, joined Kaseya/Datto.
 - **Communication:** Direct, evidence-based. No small talk. No fluff. Show proof, not claims.
 - **Units:** Metric brain (Dutch), lives in US — give both units when relevant.
 - **He owns vault1984.** All major decisions go to him. I execute, he decides architecture/GTM.
 - **Telegram:** @johanjongsma (ID: 8454563068) — primary channel.
 - **Wake policy:** Don't wake before 8AM ET unless it's genuinely urgent.
 ### Johan's Schedule (memorize this)
 | Block | Time (ET) |
 |-------|-----------|
 | First sleep | 7:30pm – 10:15pm |
 | **Night shift (Sophia care — WORKING)** | 10:30pm – 5:00am |
 | Second sleep | 5:15am – 9/10am |
 | Awake/Day | ~10am – 7:30pm |
 **CRITICAL:** After 10:30pm he is working, NOT sleeping. Do background/autonomous work during 5:15–9am.
 ### Sophia — Johan's Daughter
 The reason inou exists and why Johan's work is so important. Serious accident May 2, 2022. She is trached, requires constant monitoring. Johan is her night nurse. **Don't disrupt her care environment** — never make noise or trigger alerts during night shift without critical reason.
 ### James ⚡ — My Peer / Chief of Staff
 - **Home:** forge (192.168.1.16), port 18789
 - **Role:** Chief of Staff to Johan. Strategic partner. Owns infrastructure oversight.
 - **Channel:** Telegram (@jamesjongsma_bot, ID: 8510971070)
 - **Discord:** James is on Discord too (dmPolicy=open). Bot: @jamesjongsma_bot on the vault1984 Discord server.
 - **Relationship to me:** Peer. James coordinates at the strategic level; I own fleet operations. James spawns me for vault1984 infra tasks and receives my reports.
 - **James does NOT use Anthropic tokens** for my tasks — Fireworks only on my node.
 ### Misha (Michael) Jongsma — Johan's Son
 - Runs Dealspace (muskepo.com), an M&A deal workflow SaaS.
 - Contact: michael@muskepo.com, +1 727-238-1189
 - James built Dealspace for him. Johan advises.
 ---
 ## Infrastructure
-### Hub: Zurich VPS
+### Forge (192.168.1.16) — James's Home
- IP: 82.22.36.202
+- **Hardware:** i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe
- SSH: root@82.22.36.202
+- **OS:** Ubuntu 24.04.3 LTS headless
- Specs: 4 vCPU, 6GB RAM, 120GB SSD
+- **Services:** OpenClaw gateway (18789), Mail Bridge (8025), GLM-OCR (8090), vault1984 app (1984), vault1984-web (8099), Docsys (9201), Dealspace (9300)
- Provider: Hostkey
+- **Caddy reverse proxy:** at 192.168.0.2 (not forge directly). Proxies vault1984.com, inou.com, docsys.jongsma.me, etc.
 - Running: Stalwart mail, Uptime Kuma (port 3001), ntfy (port 2586), Caddy reverse proxy
 - WireGuard hub: 10.84.0.1/24, UDP 51820
-### The 16-Node Fleet (target)
+### Zurich VPS (82.22.36.202) — MY HUB
-Provider mix: Hostkey (Zurich existing, Dubai) + Vultr VX1 $2.50/mo nodes
+- **DNS:** zurich.inou.com
 - **Provider:** Hostkey (Switzerland, likely Equinix ZH)
 - **Specs:** 4 vCPU, 6GB RAM, 120GB SSD
 - **SSH:** root@82.22.36.202 (key auth)
 - **Services running:**
  - Caddy (owns port 443, auto-TLS)
  - Stalwart mail server (ports 25/465/587/143/993/995) — handles @jongsma.me + @inou.com + @vault1984.com
  - Uptime Kuma (port 3001) → `kuma.inou.com`
  - ntfy (port 2586) → `ntfy.inou.com`
  - Git server (`git` user with git-shell) — all our repos here
  - Vaultwarden at `vault.jongsma.me` (fresh, no data yet)
  - **WireGuard hub: 10.84.0.1/24, UDP 51820** — vault1984 fleet management network
  - `soc.vault1984.com` → Kuma (port 3001) via Caddy
 - **Git repos here:** vault1984, vault1984-web, dealspace, inou-mobile, azure-backup (abandoned), clawdnode-android, mail-agent
-| Node | Location | Provider |
+### Hans Server / NOC Node (185.218.204.47)
-|------|----------|----------|
+- **DNS:** noc.vault1984.com
-| zurich | Zürich, CH | Hostkey (existing) |
+- **Provider:** Hostkey (vm.mini, €3.90/mo)
-| frankfurt | Frankfurt, DE | Vultr |
+- **Specs:** 4 vCPU / 6GB RAM / 120GB SSD
-| newjersey | New Jersey, US | Vultr |
+- **OS:** Ubuntu 24.04
-| siliconvalley | Silicon Valley, US | Vultr |
+- **Root password:** ThIsNeEdStOcHaNgE0-- ⚠️ **CHANGE THIS**
-| dallas | Dallas, US | Vultr |
+- **User:** `johan` (SSH key auth, sudo)
-| london | London, UK | Vultr |
+- **UFW:** 22/80/443 only, fail2ban active
-| warsaw | Warsaw, PL | Vultr |
+- **OpenClaw:** 2026.3.1 installed
-| tokyo | Tokyo, JP | Vultr |
+- **Model:** Fireworks MiniMax M2.5 (`accounts/fireworks/models/minimax-m2p5`)
-| seoul | Seoul, KR | Vultr |
+- **Fireworks key:** `fw_RVcDe4c6mN4utKLsgA7hTm`
-| mumbai | Mumbai, IN | Vultr |
+- **Discord:** Bot token configured, connected to vault1984 Discord server. dmPolicy=open.
-| saopaulo | São Paulo, BR | Vultr |
+- **Purpose:** vault1984 NOC operations agent. Receives commands from James via Discord, executes, reports back.
 | sydney | Sydney, AU | Vultr |
 | johannesburg | Johannesburg, ZA | Vultr |
 | telaviv | Tel Aviv, IL | Vultr |
 | dubai | Dubai, AE | Hostkey |
-(15 listed + Zurich hub = 16 total)
+### Shannon VPS (82.24.174.112)
 - Dealspace (muskepo.com) lives here. Paid till 2026-04-09.
 - SSH: root@82.24.174.112 / pw: gUB-C63-EN
 - Not related to vault1984 fleet.
-### Key Credentials
+### Home Network (St. Petersburg, FL)
- Zurich SSH: root@82.22.36.202
+- **Public IP:** 47.197.93.62 (rarely changes)
- Uptime Kuma: http://zurich.inou.com:3001, user: james, pass: WW8ipJfY27ELf7nnouaKLCL6
+- **Caddy:** 192.168.0.2 (reverse proxy for all home services)
- ntfy token: tk_ggphzgdis49ddsvu51qam6bgzlyxn
+- **Home Assistant:** 192.168.1.252
- Vultr API key: PENDING from Johan
+- **Forge:** 192.168.1.16
- vault1984 repo: git@zurich.inou.com:vault1984.git + https://github.com/johanjongsma/vault1984
+- **DNS:** AdGuard Home (at 192.168.1.252)
 - vault1984-web repo: git@zurich.inou.com:vault1984-web.git
-## Milestone Plan
+### vault1984 Fleet Target — 16 Nodes
-| Date | Milestone |
+| Node | Location | Provider | WireGuard IP |
-|------|-----------|
+|------|----------|----------|--------------|
-| Mon Mar 2 | Zurich SOC setup (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) |
+| zurich | Zürich, CH (HQ) | Hostkey (existing) | 10.84.0.2 |
-| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo |
+| frankfurt | Frankfurt, DE | Vultr VX1 $2.50 | 10.84.0.3 |
-| Wed Mar 4 noon | Pilot — 3 nodes live (Zurich, Frankfurt, NJ) |
+| newjersey | New Jersey, US | Vultr VX1 $2.50 | 10.84.0.4 |
-| Wed Mar 4 EOD | Johan Go/No-Go review |
+| siliconvalley | Silicon Valley, US | Vultr VX1 $2.50 | 10.84.0.5 |
-| Thu Mar 5 | Full 16-node fleet live |
+| dallas | Dallas, US | Vultr VX1 $2.50 | 10.84.0.6 |
-| **Fri Mar 6 noon** | 🚀 **GO-LIVE** |
+| london | London, UK | Vultr VX1 $2.50 | 10.84.0.7 |
 | warsaw | Warsaw, PL | Vultr VX1 $2.50 | 10.84.0.8 |
 | tokyo | Tokyo, JP | Vultr VX1 $2.50 | 10.84.0.9 |
 | seoul | Seoul, KR | Vultr VX1 $2.50 | 10.84.0.10 |
 | mumbai | Mumbai, IN | Vultr VX1 $2.50 | 10.84.0.11 |
 | saopaulo | São Paulo, BR | Vultr VX1 $2.50 | 10.84.0.12 |
 | sydney | Sydney, AU | Vultr VX1 $2.50 | 10.84.0.13 |
 | johannesburg | Johannesburg, ZA | Vultr VX1 $2.50 | 10.84.0.14 |
 | telaviv | Tel Aviv, IL | Vultr VX1 $2.50 | 10.84.0.15 |
 | dubai | Dubai, AE | Hostkey | 10.84.0.16 |
 | istanbul | Istanbul, TR | (TBD) | 10.84.0.17 |
-## Key People
+Budget: ~$40/mo for full fleet.
 - **Johan Jongsma** — my human. CTO Backup at Kaseya. Dutch, St. Petersburg FL. Direct, evidence-based. He owns vault1984.
 - **James ⚡** — main agent on forge (192.168.1.16). Chief of Staff. My peer and coordinator.
-## Key Docs (on forge)
+---
- `/home/johan/dev/vault1984/docs/NOC-DEPLOYMENT-PLAN.md`
+
- `/home/johan/dev/vault1984/docs/INFRASTRUCTURE.md`
+## Tools & Services
 ### Uptime Kuma
 - **URL:** http://zurich.inou.com:3001 (also via `soc.vault1984.com`)
 - **User:** james / WW8ipJfY27ELf7nnouaKLCL6
 - **My job:** Set up one push monitor per vault1984 fleet node. SEV2: 2 missed pushes. SEV1: 5+ min down.
 - **ntfy topic for vault1984 alerts:** `vault1984-alerts`
 - **Heartbeat:** Each node pushes every 30s with runtime telemetry (RAM, disk, CPU, DB size, DB integrity, active sessions, req_1h, err_1h, cert_days_remaining, uptime_s)
 ### ntfy (Self-hosted on Zurich)
 - **URL:** https://ntfy.inou.com
 - **Token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
 - **Topics:**
  - `vault1984-alerts` — vault1984 fleet alerts (nodes down, deploy failures)
  - `forge-alerts` — James's infra alerts
  - `inou-alerts` — inou health platform alerts
 ### Discord — vault1984 Server
 - **vault1984 Discord server ID:** `1478270766007976009`
 - **Johan's Discord ID:** `666836243262210068`
 - **My bot token prefix:** `MTQ3ODMyMTE2...` (full token in my OpenClaw config on 185.218.204.47)
 - **James bot token prefix:** `MTQ3ODI1...` (James has his full token on forge)
 - **My bot:** Hans ⛰️ bot token configured in OpenClaw on my node (185.218.204.47). dmPolicy=open.
 - **James bot:** @jamesjongsma_bot also in the vault1984 server. dmPolicy=open.
 - **Both:** in the vault1984 Discord server as of 2026-03-03.
 - **Use for:** James→Hans deploy commands, Hans→James status reports. Private NOC channel in the server.
 - **Key:** Discord is the communication bus between James (forge) and Hans (NOC node).
 - **To reach James:** Message him in the vault1984 Discord server. He responds there.
 - **To reach Johan:** Telegram is primary (@johanjongsma, ID: 8454563068). Discord secondary.
 ### Telegram
 - **James's primary channel to Johan:** @jamesjongsma_bot
 - **Johan:** @johanjongsma (Telegram ID: 8454563068)
 - Signal is retired (as of 2026-03-01). Telegram is sole briefing channel.
 - For briefings: use Telegram Markdown (bold, italic, headers work).
 ### Git (Zurich git server)
 - **Format:** `git@zurich.inou.com:<repo>.git`
 - **vault1984 repo:** `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984`
 - **vault1984-web repo:** `git@zurich.inou.com:vault1984-web.git` (proprietary)
 - **My infra config lives in:** `vault1984/infra/` (to be created in M2)
 ### Fireworks AI (My LLM provider)
 - **API Key:** `fw_RVcDe4c6mN4utKLsgA7hTm`
 - **Model:** `accounts/fireworks/models/minimax-m2p5` (MiniMax M2.5, 230B MoE)
 - **Base URL:** `https://api.fireworks.ai/inference/v1`
 - **Privacy:** Zero retention guaranteed. Safe for all data.
 - **No Anthropic tokens on Hans.** Fireworks only. James uses Anthropic on forge.
 ### Cloudflare
 - **vault1984.com zone:** `1c7614cd4ee5eabdc03905609024f93a`
 - **API token:** `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O`
 - Cloudflare manages DNS for vault1984.com, inou.com, jongsma.me, etc.
 ### vault1984 Credentials (what I need for deploy)
 - **VAULT_KEY:** `d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb`
 - **GitHub token (for releases):** `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`
 - **Vultr API key:** PENDING from Johan (needed for node provisioning)
 ---
 ## Deployment Plan — Current Status
 **Target:** 16 nodes live, vault1984.com routing to fleet. Go-live: Friday March 6, 2026 noon ET.
 | Milestone | Deadline | Status |
 |-----------|----------|--------|
 | M1: Zurich SOC (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) | Mon Mar 2, EOD | ✅ DONE (partial — hub+Caddy+Kuma up; fleet monitors pending nodes) |
 | **M2: NixOS config + deploy tooling in vault1984/infra/** | **Tue Mar 3, EOD** | 🔴 TODAY — my primary task |
 | M3: Pilot — 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | Pending M2 |
 | M4: Go/No-Go review | Wed Mar 4, EOD | Johan decides |
 | M5: Full 16-node fleet live | Thu Mar 5, EOD | Pending M4 green |
 | M6: DNS, TLS, health checks verified | Thu Mar 5, EOD | Pending M5 |
 | M7: Go-live — vault1984.com to fleet | **Fri Mar 6, noon** | 🚀 TARGET |
 **⚠️ BLOCKING ITEM:** Vultr API key still missing from Johan as of Tue Mar 3 morning. M3 cannot proceed without it (need to provision VX1 nodes). Chase Johan for this. He committed to providing it Mon Mar 2 AM — it's now overdue.
 ### M2 Details — What I Need to Build Today (Tue Mar 3)
 **Repo structure to create:**
 ```
 vault1984/infra/
  nixos/
    base.nix              # shared: WireGuard spoke, SSH, vault1984 service, firewall
    nodes/
      frankfurt.nix       # per-node vars: wg_ip, hostname, kuma_token, subdomain
      new-jersey.nix
      ... (16 total)
  scripts/
    keygen.sh             # generate WireGuard keypair for a new node
    provision.sh          # nixos-infect fresh Debian VPS + full config push
    deploy.sh             # push binary + nixos-rebuild [node|all], rolling
    healthcheck.sh        # verify: WG ping, HTTPS 200, Kuma heartbeat received
  wireguard/
    zurich.pub            # hub public key
    peers.conf            # all node pubkeys + WG IPs (no private keys ever)
 ```
 **base.nix requirements:**
 - WireGuard spoke (parameterized)
 - **SSH on WireGuard interface only** — port 22 NOT public on spoke nodes
 - vault1984 systemd service
 - Firewall: public 80+443 only
 - Nix store: 2 generations max, weekly GC
 **vault1984 binary telemetry push (M2.4):**
 New background goroutine, 30s interval. POST to `KUMA_PUSH_URL` env var:
 ```json
 {
  "ram_mb": ..., "disk_pct": ..., "cpu_pct": ...,
  "db_size_mb": ..., "db_integrity": true/false,
  "active_sessions": ..., "req_1h": ..., "err_1h": ...,
  "cert_days_remaining": ..., "nix_gen": ..., "uptime_s": ...
 }
 ```
 **Build:** `CGO_ENABLED=1` with zig cross-compile for NixOS musl; fallback `modernc.org/sqlite` if needed.
 **provision.sh flow:**
 1. SSH to fresh Debian VPS
 2. Run `nixos-infect` → wait for reboot (~3 min)
 3. Push base.nix + node vars + WireGuard private key
 4. `nixos-rebuild switch`
 5. Push vault1984 binary + .env
 6. Run healthcheck.sh → confirm WG up, HTTPS 200, Kuma green
 **deploy.sh:** Rolling — deploy one node → verify health → next. Abort on first failure.
 **✅ M2 Done when:** Any node provisionable in <20 min. Fleet-wide binary deploy in <10 min.
 ### M3 Details — Wednesday Pilot (3 nodes)
 1. Zurich as first spoke → `https://zurich.vault1984.com` + Kuma green
 2. Frankfurt VX1 ($2.50) → provision.sh → DNS → Kuma green
 3. New Jersey VX1 ($2.50) → provision.sh → DNS → Kuma green
 4. Kill vault1984 on Frankfurt → Kuma alert to ntfy in <2 min → restart → green (validation)
 5. `nmap` each node: confirm port 22 NOT public
 6. TLS cert valid on all 3
 ### Pending from Johan (blockers)
 - [ ] **Vultr API key** — ⚠️ OVERDUE. Was due Mon Mar 2 AM. Still missing as of Tue Mar 3. M3 pilot BLOCKED without it. This is the single biggest risk to Fri Mar 6 go-live. Chase him.
 - [ ] **Hostkey Dubai order** — or defer decision (if deferred, Istanbul or another Vultr node fills slot 16)
 ---
 ## Active Projects Status (as of 2026-03-03)
 ### vault1984 — PRIMARY
 - **Core binary:** Built, running at `http://192.168.1.16:1984/`
 - **vault1984.com:** Live (Caddy → forge → port 8099 for web, 1984 for app)
 - **Tests:** 11 integration tests passing
 - **Pending (Day 2, non-blocking for fleet deploy):**
  - WebAuthn PRF implementation (L2 client-side encryption)
  - Scoped MCP tokens UI
  - Import Johan's 12,623 entries from Proton Pass
  - vault1984 binary dead website copy cleanup (cmd/vault1984/website/ needs deletion)
 ### inou health — SECONDARY (not my domain)
 - Johan's medical imaging platform (DICOM, genetic analysis, lab data)
 - Live at inou.com → 192.168.100.2:1080
 - **SMTP broken on prod** (Proton Bridge not running on 192.168.100.2)
 - **Backdoor OTP:** 250365 (intentional dev convenience)
 - Contains real patient data (Sophia, Anastasia) — treat with extreme care
 ### Dealspace (muskepo.com) — SECONDARY (not my domain)
 - Misha's M&A deal room SaaS
 - Live at muskepo.com (Shannon VPS: 82.24.174.112)
 - Pending: invite flow, SMTP config, Misha domain decision
 ### DocSys — SECONDARY (not my domain)
 - Document processing pipeline (OCR → classify → store)
 - Running at localhost:9201 on forge
 - SMB inbox at \\192.168.1.16\docsys
 ---
 ## Johan's Preferences & Working Style
 - **Communication:** Direct. Evidence-based. No small talk. Come with solutions, not questions.
 - **"Prove it, don't claim it"** — show logs, show output, show uptime. Same expectation for me.
 - **Security from the start** — not an afterthought. Proper setup over quick setup.
 - **Fix root causes, not symptoms** — workarounds will be rejected.
 - **Best over fast** — he wants the right solution, not the quick one.
 - **Infrastructure is mine to own** — he delegated it fully. I don't ask permission for routine ops.
 - **He does NOT code** — I handle all technical implementation.
 - **Single primary channel:** Telegram. Signal is retired.
 - **Alert routing:**
  - vault1984 fleet issues → ntfy `vault1984-alerts`
  - General infra → ntfy `forge-alerts`
  - inou → ntfy `inou-alerts`
 - **He doesn't want to be bothered by routine items.** Only escalate real blockers.
 - **OCR:** Only GLM-OCR (Zhipu). No Tesseract ever.
 - **Privacy:** Fireworks for sensitive data (zero retention). Grok/xAI not for private data.
 ---
 ## James ↔ Hans — How We Operate
 **We are peers.** Neither of us reports to the other. Both report to Johan.
 | Dimension | James ⚡ | Hans ⛰️ |
 |-----------|---------|---------|
 | Home | forge (192.168.1.16) | Zurich VPS (82.22.36.202) + NOC node (185.218.204.47) |
 | Role | Chief of Staff — owns everything except fleet | Director of Operations — owns fleet exclusively |
 | LLM | Anthropic Claude Sonnet 4.6 (Johan's subscription) | Fireworks MiniMax M2.5 (zero retention, privacy safe) |
 | Channel to Johan | Telegram (@jamesjongsma_bot) | Telegram + Discord |
 | Memory files | `/home/johan/clawd/` on forge | `/home/johan/clawd/hans/` on forge (synced) |
 **Division of ownership:**
 - **Hans owns:** WireGuard fleet, node provisioning, deploy tooling, Kuma monitors, vault1984 fleet health, NixOS configs
 - **James owns:** vault1984 codebase, billing/Stripe, vault1984-web, inou, Dealspace, email, home infra, Johan's personal comms
 - **Both coordinate on:** vault1984 releases (James cuts binary, Hans deploys it), incident response
 **Communication protocol:**
 - **Normal ops:** Hans acts autonomously on fleet tasks, reports results to James and/or Johan
 - **Deploy requests:** James sends binary + deployment command via Discord → Hans executes → confirms back
 - **Incidents:** Hans alerts ntfy `vault1984-alerts` immediately, then briefs James on Discord
 - **Johan escalation:** Only for blockers (missing credentials, architectural decisions, major costs)
 **James spawned me.** James created the deployment plan, provisioned my node, and briefed me. I respect that. But once the plan is in motion, I execute it. I don't wait for James to approve each step — I act and report.
 **James doesn't use Anthropic tokens for my tasks.** When James spawns me or sends me work, he uses Fireworks (my model). Zero token cost to Johan's Anthropic account.
 ---
 ## James's Operational Patterns
 - **Main session:** Forge, webchat, Anthropic Claude Sonnet 4.6
 - **Background work:** Spawns subagents (isolated sessions) for async tasks
 - **Email triage:** Every email read, triaged: archive, delete, or escalate
 - **Heartbeat crons:** K2.5 watchdog every 30 min, email straggler every 90 min
 - **Memory files:** Working-context + daily notes + MEMORY.md — this is how we persist across sessions
 - **Git discipline:** Every workspace change committed. All repos have Zurich remote.
 - **Model selection:** Anthropic Claude Sonnet 4.6 for judgment/conversation. Fireworks MiniMax M2.5 for grunt work.
 - **Discord:** James is also in the vault1984 server with dmPolicy=open — direct message James for coordination if needed.
 ---
 ## My Operational Standards
 - **SSH:** Always via WireGuard on fleet nodes. Zero public SSH on spoke nodes.
 - **Alerts:** ntfy `vault1984-alerts` for anything affecting fleet uptime.
 - **Logging:** Every deploy, every change, every anomaly — documented in daily notes.
 - **Verification:** Prove it works before reporting done. Curl test, log check, Kuma green.
 - **WireGuard:** persistentKeepalive=25 (bare metal VPS, no double-NAT expected).
 - **NixOS:** 2 generations max, weekly GC. Consistent, declarative, reproducible.
 ---
 ## Status Log
- 2026-03-01: Born. Memory files created. Ready for Monday ops.
+
 - 2026-03-01: Born. Memory files created. Deployment plan reviewed.
 - 2026-03-02: Hans server provisioned (185.218.204.47). OpenClaw 2026.3.1 installed, Fireworks M2.5 configured. noc.vault1984.com DNS live. Johan built vault1984-web Go binary (Python killed). vault1984.com email set up (social@vault1984.com via Stalwart). @vault1984 on X registered. @inouhealth on X registered. Stalwart Bayes bug fixed.
 - 2026-03-03: Discord setup complete — Hans bot token (MTQ3ODMyMTE2...) configured, in vault1984 Discord server (ID: 1478270766007976009). James also on Discord in same server (token MTQ3ODI1...). dmPolicy=open on both. Johan's Discord ID: 666836243262210068. TODAY = M2 (NixOS config + deploy tooling). Vultr API key still missing from Johan — OVERDUE. James briefed Hans via MEMORY.md update (subagent).
--- a/memory/claude-usage.db
+++ b/memory/claude-usage.db
--- a/memory/claude-usage.json
+++ b/memory/claude-usage.json
@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-03-03T11:00:02.013861Z",
+  "last_updated": "2026-03-03T17:00:01.444170Z",
  "source": "api",
-  "session_percent": 16,
+  "session_percent": 0,
-  "session_resets": "2026-03-03T12:00:00.961443+00:00",
+  "session_resets": null,
-  "weekly_percent": 75,
+  "weekly_percent": 79,
-  "weekly_resets": "2026-03-06T02:59:59.961462+00:00",
+  "weekly_resets": "2026-03-06T03:00:00.388794+00:00",
-  "sonnet_percent": 81
+  "sonnet_percent": 85
 }
--- a/memory/heartbeat-state.json
+++ b/memory/heartbeat-state.json
@ -3,7 +3,7 @@
    "email": 1772494351,
    "calendar": null,
    "weather": 1771942030,
-    "briefing": 1772375543,
+    "briefing": 1772550203,
    "news": 1771597876,
    "claude_usage": 1772494351
  },
@ -12,7 +12,7 @@
  "lastWeeklyHAOS": "2026-03-01T05:33:08.340468+00:00",
  "lastWeeklyMemorySynthesis": "2026-03-01T05:33:08.340468+00:00",
  "lastDocInbox": "2026-02-25T22:01:42.532628Z",
-  "lastTechScan": "2026-03-02T17:04:00Z",
+  "lastTechScan": 1772550203,
  "lastMemoryReview": "2026-03-02T17:04:00Z",
  "lastIntraDayXScan": "2026-03-03T04:03:00Z",
  "lastInouSuggestion": "2026-03-02T17:03:49.016Z",
--- a/memory/infrastructure-plan.md
+++ b/memory/infrastructure-plan.md
@ -0,0 +1,329 @@
 # Infrastructure Plan
 *Maintained by James ⚡ · Last updated: 2026-03-03*
 ---
 ## 1. All Locations
 ### forge — Home Server (James' primary)
 | Field | Value |
 |-------|-------|
 | **IP** | 192.168.1.16 (LAN) |
 | **Provider** | Home lab (St. Pete, FL) |
 | **Specs** | i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe |
 | **OS** | Ubuntu 24.04.3 LTS headless |
 | **Managed by** | James ⚡ |
 | **Monthly cost** | $0 (home power only) |
 **Runs:**
 - OpenClaw gateway (port 18789)
 - Message Center / Mail Bridge (port 8025)
 - GLM-OCR service (port 8090, GPU)
 - Dashboard (port 9200)
 - DocSys (port 9201)
 - Alert dashboard (port 9202)
 - vault1984 (port 1984)
 - vault1984-web (port 8099)
 - Dealspace (port 9300)
 - inou prod (192.168.100.2:1080 via VLAN)
 - Signal-cli daemon (port 8080, legacy)
 - Ollama (installed, optional use)
 - SMB shares: sophia, docsys, inou-dev
 ---
 ### Zurich VPS — `zurich.inou.com` / `82.22.36.202`
 | Field | Value |
 |-------|-------|
 | **IP** | 82.22.36.202 |
 | **DNS** | zurich.inou.com |
 | **Provider** | Hostkey (server 50304, Zürich CH — Equinix ZH) |
 | **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
 | **OS** | Ubuntu 24.04 |
 | **Managed by** | James ⚡ |
 | **Monthly cost** | ~€3.90/mo |
 **Runs:**
 - Caddy reverse proxy (port 443, auto-LE)
 - Stalwart mail server (ports 25/465/587/143/993/995) → mail.jongsma.me, mail.inou.com
 - Git hosting (`git` user, git-shell only)
 - Uptime Kuma (port 3001) → kuma.inou.com
 - ntfy self-hosted (port 2586) → ntfy.inou.com
 - Vaultwarden → vault.jongsma.me (fresh, no data yet)
 - harryhaasjes.nl "coming soon" static
 - WireGuard hub (10.84.0.1/24, UDP 51820) — vault1984 fleet
 - **Pending:** OpenClaw NOC agent (Hans / vault1984-noc)
 **Doubles as:** vault1984 fleet hub (WireGuard hub node), Zurich spoke node
 ---
 ### Hans Server — `noc.vault1984.com` / `185.218.204.47`
 | Field | Value |
 |-------|-------|
 | **IP** | 185.218.204.47 |
 | **DNS** | noc.vault1984.com |
 | **Provider** | Hostkey (vm.mini) |
 | **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
 | **OS** | Ubuntu 24.04 |
 | **Managed by** | Hans ⛰️ |
 | **Monthly cost** | ~€3.90/mo |
 **Runs:**
 - OpenClaw 2026.3.1 (Hans agent, Fireworks MiniMax M2.5)
 - vault1984 binary (pending deploy)
 - UFW: 22/80/443, fail2ban
 **Pending:** vault1984 binary deploy, Discord bot, Hans↔James comms channel
 ⚠️ Root password still default — `ThIsNeEdStOcHaNgE0--` — **CHANGE THIS**
 ---
 ### Shannon VPS — `muskepo.com` / `82.24.174.112`
 | Field | Value |
 |-------|-------|
 | **IP** | 82.24.174.112 |
 | **Provider** | Hostkey |
 | **Managed by** | James ⚡ |
 | **Paid through** | 2026-04-09 |
 | **Monthly cost** | ~€3.90/mo (est.) |
 **Runs:**
 - Dealspace / muskepo.com (Go binary + Caddy)
 **Note:** Repurposed from former Shannon security VPS. Runs Dealspace. Will be reassigned or cancelled when Dealspace gets its own infra.
 ---
 ### ThinkPad X1 (2019) — Johan's local dev
 | Field | Value |
 |-------|-------|
 | **IP** | 192.168.0.223 (WiFi) |
 | **OS** | Ubuntu 24.04 desktop |
 | **Managed by** | Johan |
 | **Monthly cost** | $0 |
 **Runs:**
 - Real Chrome on Xvfb:99 (port 9224) — for WAF-protected sites (myCigna)
 - xfreerdp RDP target
 ---
 ### Caddy (Home Reverse Proxy)
 | Field | Value |
 |-------|-------|
 | **IP** | 192.168.0.2 / Tailscale: 100.84.42.55 |
 | **Managed by** | James ⚡ |
 | **SSH** | `ssh root@192.168.0.2` (LAN direct only) |
 Routes: james.jongsma.me, docsys.jongsma.me, vault1984.com → forge
 ---
 ### Home Assistant
 | Field | Value |
 |-------|-------|
 | **IP** | 192.168.1.252 |
 | **Managed by** | Johan (⚠️ hands-off for James/Hans) |
 ---
 ## 2. vault1984 Fleet Plan — 16 Nodes
 **Target:** Go-live Friday March 6, 2026 noon ET  
 **Budget:** ~$40/mo  
 **Hub:** Zurich SOC (82.22.36.202, WireGuard 10.84.0.1/24)  
 **Architecture:** NixOS + vault1984 Go binary, WireGuard spoke mesh, Kuma push heartbeats
 ### Node Inventory
 | # | Node | Location | Provider | WG IP | Monthly | Status |
 |---|------|----------|----------|-------|---------|--------|
 | 1 | zurich | Zürich, CH | Hostkey (existing) | 10.84.0.1 | *(shared)* | ✅ **HUB — existing** |
 | 2 | frankfurt | Frankfurt, DE | Vultr VX1 | 10.84.0.2 | $2.50 | ⏳ Pending |
 | 3 | newjersey | New Jersey, US | Vultr VX1 | 10.84.0.3 | $2.50 | ⏳ Pending |
 | 4 | siliconvalley | Silicon Valley, US | Vultr VX1 | 10.84.0.4 | $2.50 | ⏳ Pending |
 | 5 | dallas | Dallas, US | Vultr VX1 | 10.84.0.5 | $2.50 | ⏳ Pending |
 | 6 | london | London, UK | Vultr VX1 | 10.84.0.6 | $2.50 | ⏳ Pending |
 | 7 | warsaw | Warsaw, PL | Vultr VX1 | 10.84.0.7 | $2.50 | ⏳ Pending |
 | 8 | tokyo | Tokyo, JP | Vultr VX1 | 10.84.0.8 | $2.50 | ⏳ Pending |
 | 9 | seoul | Seoul, KR | Vultr VX1 | 10.84.0.9 | $2.50 | ⏳ Pending |
 | 10 | mumbai | Mumbai, IN | Vultr VX1 | 10.84.0.10 | $2.50 | ⏳ Pending |
 | 11 | saopaulo | São Paulo, BR | Vultr VX1 | 10.84.0.11 | $2.50 | ⏳ Pending |
 | 12 | sydney | Sydney, AU | Vultr VX1 | 10.84.0.12 | $2.50 | ⏳ Pending |
 | 13 | johannesburg | Johannesburg, ZA | Vultr VX1 | 10.84.0.13 | $2.50 | ⏳ Pending |
 | 14 | telaviv | Tel Aviv, IL | Vultr VX1 | 10.84.0.14 | $2.50 | ⏳ Pending |
 | 15 | dubai | Dubai, AE | Hostkey | 10.84.0.15 | TBD | ⏳ Pending |
 **Monthly cost breakdown:**
 - 14 Vultr VX1 nodes: 14 × $2.50 = **$35.00/mo**
 - Dubai (Hostkey): **~€3.90/mo** (TBD — Johan to confirm order)
 - Zurich hub: *(already in existing infra budget)*
 - Hans NOC server: €3.90/mo *(already counted above)*
 - **Total vault1984 fleet: ~$40/mo**
 ### Deployment Milestones
 | Date | Milestone | Owner | Status |
 |------|-----------|-------|--------|
 | Mon Mar 2 | Zurich SOC — WireGuard hub, Kuma fleet monitors, soc.vault1984.com | James | ⏳ |
 | Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | James | 🔄 Today |
 | Wed Mar 4 noon | Pilot — Zurich + Frankfurt + NJ live | James | ⏳ |
 | Wed Mar 4 EOD | Go/No-Go review | Johan | ⏳ |
 | Thu Mar 5 | Full 16-node fleet live + DNS/TLS verified | James | ⏳ |
 | **Fri Mar 6 noon** | 🚀 **GO-LIVE — vault1984.com routes to fleet** | Johan + James | ⏳ |
 ### Node DNS Pattern
 `<node>.vault1984.com` → node IP (Cloudflare)  
 Primary entry: `vault1984.com` → New Jersey (largest US East market)  
 SOC dashboard: `soc.vault1984.com` → Zurich → Kuma port 3001
 ---
 ## 3. Partner: Hostkey
 **Panel:** https://panel.hostkey.com  
 **Cancellation flow:** `panel.hostkey.com/controlpanel.html?key=<key>`  
 **Account email:** probably `johan.jongsma@iasobackup.com` (Openprovider uses this — likely same)
 ### Current Hostkey Nodes
 | Hostname | Server ID | IP | Purpose | Status |
 |----------|-----------|-----|---------|--------|
 | zurich.inou.com | 50304 | 82.22.36.202 | Shared infra hub + vault1984 WG hub | ✅ Live |
 | noc.vault1984.com | TBD | 185.218.204.47 | Hans NOC agent | ✅ Live |
 | muskepo.com (Shannon) | TBD | 82.24.174.112 | Dealspace hosting | ✅ Live (till Apr 9) |
 | Amsterdam | 53643 | 82.24.174.112 | ⚰️ DECOMMISSIONED Feb 21 | ❌ Dead |
 ### Planned Hostkey Nodes
 | Hostname | Location | Purpose | Status |
 |----------|----------|---------|--------|
 | dubai.vault1984.com | Dubai, AE | vault1984 fleet node | ⏳ **Johan to order** |
 **Johan action needed:** Confirm/order Dubai Hostkey node. No other Hostkey locations needed — remaining 14 vault1984 nodes go to Vultr.
 ---
 ## 4. Partner: Vultr
 **Plan:** VX1 — 1 vCPU, 512MB RAM, 10GB SSD, 1TB bandwidth  
 **Price:** $2.50/mo per node  
 **API key:** **PENDING from Johan** ← Blocker for automated provisioning  
 **14 nodes planned** (all vault1984 fleet except Zurich hub + Dubai Hostkey):
 Frankfurt, New Jersey, Silicon Valley, Dallas, London, Warsaw, Tokyo, Seoul, Mumbai, São Paulo, Sydney, Johannesburg, Tel Aviv, + 1 TBD slot
 **Provision method:** `provision.sh <ip> <node-name>` (nixos-infect → base.nix → vault1984 binary → healthcheck)  
 **Deploy method:** `deploy.sh all` (rolling, abort on first failure)
 ⚠️ **No Vultr account yet. Johan must create account and hand off API key before M2 tooling can be finalized.**
 ---
 ## 5. Network Topology
 ```
 Internet
   │
   ├── Cloudflare DNS (all public domains)
   │      ├── inou.com → Caddy (home, 192.168.0.2)
   │      ├── *.jongsma.me → Caddy (home) + Stalwart (mail → Zurich)
   │      ├── vault1984.com → vault1984 nodes (direct)
   │      ├── zurich.inou.com, kuma.inou.com, ntfy.inou.com → Zurich VPS
   │      └── noc.vault1984.com → Hans server
   │
   ├── Home LAN (192.168.1.x + 192.168.0.x + 192.168.100.x)
   │      ├── forge (192.168.1.16) — primary server
   │      ├── Caddy reverse proxy (192.168.0.2)
   │      ├── inou prod (192.168.100.2) — separate VLAN
   │      └── Home Assistant (192.168.1.252) — hands-off
   │
   ├── Tailscale (100.x.x.x mesh)
   │      ├── forge: 100.123.216.65
   │      └── Caddy: 100.84.42.55
   │
   └── WireGuard vault1984 fleet (10.84.0.x/24)
          Hub: Zurich (10.84.0.1), UDP 51820
          Spokes: 15 nodes (10.84.0.2–10.84.0.15)
          Management traffic: WireGuard only (no public SSH on spoke nodes)
          SSH: WireGuard interface only on vault1984 nodes
 ```
 **Key rule:** vault1984 spoke nodes expose only ports 80+443 publicly. All SSH + management flows over WireGuard from Zurich hub.
 ---
 ## 6. Monitoring
 ### Uptime Kuma
 - **URL:** https://kuma.inou.com → Zurich → port 3001
 - **Admin:** james / JamesKuma2026!
 - **Kuma API password:** WW8ipJfY27ELf7nnouaKLCL6
 - **Current monitors:** inou.com HTTP, inou.com API, Forge-OC (push), Forge-MC (push)
 - **vault1984 fleet monitors:** 16 push monitors to be added (one per node, token per monitor)
 - **Alert topic:** `vault1984-alerts` (ntfy, to be created)
 - **Thresholds:** SEV2 = 2 missed pushes, SEV1 = 5+ min down
 ### ntfy (Push Notifications)
 - **Server:** https://ntfy.inou.com (Zurich, port 2586)
 - **API token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
 - **Topics:**
  - `forge-alerts` — OC/infra alerts (anonymous read, Johan subscribed on iPhone)
  - `inou-alerts` — inou health platform alerts (anonymous read)
  - `vault1984-alerts` — vault1984 fleet alerts (to be created at M1.3)
 - **Johan subscribed on:** iPhone 17
 ### Dashboard (forge)
 - **URL:** http://100.123.216.65:9200 (Tailscale) or http://localhost:9200
 - **Purpose:** Tasks, briefings, news, deliveries, system status
 - **Status API:** `GET/POST /api/status` — key metrics at top
 ### Health Push (forge)
 - **Script:** `/home/johan/scripts/health-push.sh` — runs every minute via cron
 - **Logic:** MC + OC health → push to Kuma if healthy
 - **Alert routing:**
  - MC down → James via OC webhook (James investigates)
  - OC down → Johan direct via ntfy (James IS the thing down)
  - Home network down → Johan direct via ntfy
 ### vault1984 Node Telemetry (planned — M2.4)
 Each node binary pushes every 30s to its Kuma push URL:
 - `ram_mb, disk_pct, cpu_pct, db_size_mb, db_integrity`
 - `active_sessions, req_1h, err_1h, cert_days_remaining, nix_gen, uptime_s`
 ---
 ## 7. Monthly Cost Summary
 | Item | Cost |
 |------|------|
 | Zurich VPS (Hostkey) | ~€3.90/mo |
 | Hans NOC server (Hostkey) | ~€3.90/mo |
 | Shannon VPS (Dealspace) | ~€3.90/mo (till Apr 9) |
 | Vultr VX1 × 14 (vault1984) | $35.00/mo |
 | Dubai Hostkey (vault1984) | ~€3.90/mo (TBD) |
 | forge (home) | $0 |
 | **Total (approx)** | **~$55/mo** |
 *Excludes: domains (Openprovider), Cloudflare, email (Anthropic API tokens, etc.)*  
 *Shannon VPS will be reassigned or cancelled after Apr 9 unless Dealspace needs it.*
 ---
 ## 8. Open Actions
 | Item | Owner | Priority |
 |------|-------|----------|
 | Provide Vultr API key | **Johan** | 🔴 Blocker (M2 tooling) |
 | Order/confirm Dubai Hostkey node | **Johan** | 🔴 Blocker (fleet complete) |
 | Change Hans root password | **Hans** | 🔴 Security |
 | Deploy vault1984 binary to Hans | **James/Hans** | 🟡 M2 scope |
 | Create Discord bot for Hans | **Johan** (Chrome tab) | 🟡 After vault1984 launch |
 | Add vault1984-alerts ntfy topic | **James** | 🟡 M1.3 |
 | Build 16 Kuma fleet monitors | **James** | 🟡 M1.3 |
 ---
 *This document is the single source of truth for infrastructure topology. Update after every provisioning event.*
--- a/memory/updates/2026-03-03.json
+++ b/memory/updates/2026-03-03.json
@ -0,0 +1,21 @@
 {
  "date": "2026-03-03",
  "timestamp": "2026-03-03T09:00:02-05:00",
  "openclaw": {
    "before": "2026.3.1",
    "latest": "2026.3.2",
    "after": "2026.3.2",
    "updated": true
  },
  "claude_code": {
    "before": "2.1.63",
    "latest": "2.1.63",
    "updated": false
  },
  "os": {
    "available": "0\n0",
    "updated": false,
    "packages": []
  },
  "gateway_restarted": true
 }