diff --git a/memory/2026-02-22.md b/memory/2026-02-22.md
new file mode 100644
index 0000000..52096aa
--- /dev/null
+++ b/memory/2026-02-22.md
@@ -0,0 +1,51 @@
+# Daily Notes — 2026-02-22
+
+## Infrastructure
+
+### Webmail (abandoned)
+- Set up SnappyMail Docker on Zurich → hours of debugging → nuked it
+- Root cause chain: AdGuard rewrite rule (*.jongsma.me → home IP) → hairpin NAT in container → wrong domain config fallback to localhost:143
+- Lesson: all popular self-hosted webmail is PHP; Stalwart's "web UI" is admin-only, not user webmail
+- Final state: webmail.jongsma.me DNS deleted, Caddy entry removed, SnappyMail fully nuked
+- Stalwart is on latest (v0.15.5) — no upgrade needed
+
+### DNS
+- Removed wildcard `*.jongsma.me → 47.197.93.62` from Cloudflare
+- AdGuard had a DNS rewrite for `*.jongsma.me` — Johan had to remove it manually
+- Johan's home DNS is AdGuard, not just HA at 192.168.1.252
+
+### Forge reboot
+- Rebooted cleanly, all services came back via linger
+
+## Dealspace (~/dev/dealroom, port 9300)
+- Major UX overhaul: 14 changes including closing probability removal, new stat cards, last accessed, New Room modal, search, per-deal analytics/audit/contacts, request lists grouped by deal (commit eb103b4)
+- Production auth: bcrypt, demo login removed, Misha admin account created
+- Email: `misha@muskepo.com` / `Dealspace2026!` (owner role)
+- Buyer account (misha.buyer@muskepo.com) created as workaround, then replaced by view toggle feature
+- View toggle feature: owner/admin can switch between seller and buyer view within same session (agent briny-mist running ~1AM)
+- No public domain yet — accessible at http://192.168.1.16:9300
+
+## Email / Stalwart
+- Family email accounts use short usernames from migration: rozemarijn, jacques, misha, tanya
+- Full addresses (rozemarijn@jongsma.me etc.) work for receiving but login uses short names
+- MC connectors connect directly to Stalwart IMAP on mail.jongsma.me:993
+
+## Verizon bill processed
+- $343.80 due March 4, 2026 — first bill on new account
+- 3 lines: iPhone 17 (225-3810, Johan), iPhone 16 Plus (307-3952), iPhone 17 (358-1196)
+- Auto Pay saves $30/mo if enrolled
+- Record: ~/documents/records/bills/verizon-2026-02-21.md
+
+## Sessions spawn
+- Still blocked: "pairing required" (1008) error
+- Gateway bind fixed to custom/0.0.0.0 but agent-to-agent auth still needed
+- Cron jobs work; only sessions_spawn from conversation sessions fails
+
+## HostKey cancellation
+- Amsterdam VPS (53643) — Johan needs to manually cancel: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e
+
+## Corrections to remember
+- Don't assume Stalwart has user webmail — it doesn't, admin panel only
+- Check for DNS rewrite rules (AdGuard) not just cache when DNS issues persist
+- "It should not be so complicated" — when debugging gets multi-step, step back and ask if the feature is even needed
+- Test features end-to-end myself before reporting "done"
diff --git a/memory/claude-usage.db b/memory/claude-usage.db
index 167bea6..fa76683 100644
Binary files a/memory/claude-usage.db and b/memory/claude-usage.db differ
diff --git a/memory/claude-usage.json b/memory/claude-usage.json
index 3f448ad..b00c57a 100644
--- a/memory/claude-usage.json
+++ b/memory/claude-usage.json
@@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-02-22T05:00:01.585569Z",
+  "last_updated": "2026-02-22T11:00:01.919798Z",
   "source": "api",
-  "session_percent": 3,
-  "session_resets": "2026-02-22T09:00:00.553732+00:00",
-  "weekly_percent": 7,
-  "weekly_resets": "2026-02-28T19:00:00.553751+00:00",
-  "sonnet_percent": 16
+  "session_percent": 16,
+  "session_resets": "2026-02-22T13:59:59.889182+00:00",
+  "weekly_percent": 14,
+  "weekly_resets": "2026-02-28T18:59:59.889199+00:00",
+  "sonnet_percent": 20
 }
\ No newline at end of file
diff --git a/scripts/restore-oc-scopes.py b/scripts/restore-oc-scopes.py
new file mode 100755
index 0000000..d3cc2af
--- /dev/null
+++ b/scripts/restore-oc-scopes.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+"""
+Restores operator.write + operator.read scopes to OpenClaw device-auth files.
+Run after every gateway start to work around OC stripping scopes on restart.
+"""
+import json, glob, sys, os, time
+
+# Give gateway a moment to write its files
+time.sleep(2)
+
+BASE = os.path.expanduser('~/.openclaw')
+SCOPES = ['operator.write', 'operator.read']
+
+def fix(path):
+    try:
+        with open(path) as f:
+            d = json.load(f)
+        if isinstance(d, list):
+            changed = False
+            for item in d:
+                if isinstance(item, dict) and item.get('scopes') != SCOPES:
+                    item['scopes'] = SCOPES
+                    changed = True
+            if changed:
+                with open(path, 'w') as f:
+                    json.dump(d, f, indent=2)
+                print(f'Fixed (list): {path}')
+        elif isinstance(d, dict):
+            if d.get('scopes') != SCOPES:
+                d['scopes'] = SCOPES
+                with open(path, 'w') as f:
+                    json.dump(d, f, indent=2)
+                print(f'Fixed: {path}')
+            else:
+                print(f'OK: {path}')
+    except Exception as e:
+        print(f'Skip {path}: {e}')
+
+fix(f'{BASE}/identity/device-auth.json')
+for p in glob.glob(f'{BASE}/devices/*.json'):
+    fix(p)
+
+print('Scope restoration complete.')