diff --git a/memory/2026-03-01.md b/memory/2026-03-01.md
index 52df790..a5faa16 100644
--- a/memory/2026-03-01.md
+++ b/memory/2026-03-01.md
@@ -256,3 +256,8 @@ Implementing WebAuthn setup wizard. Check status with `process(action=poll, sess
 - `api/routes.go` — routing (websiteFS removed, webFS only, / serves app)
 - `cmd/vault1984/main.go` — entrypoint (webFS only embed)
 - `cmd/vault1984/web/index.html` — app UI (setup wizard being rewritten by Opus)
+09:01 - Weekly memory synthesis cron ran but MEMORY.md edit failed (text match issue). No data lost — synthesis output was generated but not persisted. Will re-run manually when Johan is awake if needed.
+## 2026-03-01 09:06 — Tax reminder triggered
+- E-consultant taxes reminder fired (set Feb 16 after Papa's message re: Roy / e-consultants cancellation status 2025)
+- Johan is in second sleep block — do NOT ping
+- Add to task board so it shows up when he wakes
diff --git a/memory/claude-usage.db b/memory/claude-usage.db
index 31eca6a..25320af 100644
Binary files a/memory/claude-usage.db and b/memory/claude-usage.db differ
diff --git a/memory/claude-usage.json b/memory/claude-usage.json
index 2610a35..f175ba6 100644
--- a/memory/claude-usage.json
+++ b/memory/claude-usage.json
@@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-03-01T14:00:02.113160Z",
+  "last_updated": "2026-03-01T17:00:01.979394Z",
   "source": "api",
-  "session_percent": 11,
-  "session_resets": "2026-03-01T15:00:00.068990+00:00",
-  "weekly_percent": 53,
-  "weekly_resets": "2026-03-06T03:00:00.069006+00:00",
-  "sonnet_percent": 53
+  "session_percent": 2,
+  "session_resets": "2026-03-01T20:00:00.936338+00:00",
+  "weekly_percent": 54,
+  "weekly_resets": "2026-03-06T02:59:59.936356+00:00",
+  "sonnet_percent": 54
 }
\ No newline at end of file
diff --git a/memory/heartbeat-state.json b/memory/heartbeat-state.json
index 05b13b1..ca517ad 100644
--- a/memory/heartbeat-state.json
+++ b/memory/heartbeat-state.json
@@ -3,7 +3,7 @@
     "email": 1772305243,
     "calendar": null,
     "weather": 1771942030,
-    "briefing": 1772291050,
+    "briefing": 1772375543,
     "news": 1771597876,
     "claude_usage": 1772305243
   },
@@ -14,8 +14,8 @@
   "lastDocInbox": "2026-02-25T22:01:42.532628Z",
   "lastTechScan": "2026-02-28T12:04:00-05:00",
   "lastMemoryReview": "2026-02-28T14:03:00Z",
-  "lastIntraDayXScan": "2026-03-01T04:01:37.647Z",
-  "lastInouSuggestion": "2026-02-28T14:00:00Z",
+  "lastIntraDayXScan": "2026-03-01T16:01:55.688Z",
+  "lastInouSuggestion": "2026-03-01T14:33:33.714Z",
   "lastEmail": 1772132453,
   "pendingBriefingItems": [
     {
diff --git a/memory/security-baselines/caddy.md b/memory/security-baselines/caddy.md
index b167764..844e3fe 100644
--- a/memory/security-baselines/caddy.md
+++ b/memory/security-baselines/caddy.md
@@ -3,6 +3,8 @@ Established: 2026-02-22
 
 ## Root SSH Authorized Keys
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404
 
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
diff --git a/memory/security-baselines/forge.md b/memory/security-baselines/forge.md
index ee55b70..e5a3845 100644
--- a/memory/security-baselines/forge.md
+++ b/memory/security-baselines/forge.md
@@ -11,6 +11,7 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
 johan:1000
+scanner:1001 (SMB scanner share user — added 2026-02)
 
 ## Expected Listening Ports
 - 22 (SSH)
@@ -24,6 +25,7 @@ johan:1000
 - 9202 (Fully dashboard)
 - 9300 (dealroom)
 - 9877/9878 (node)
+- 1984 (vault1984 — dev project, added 2026-03-01)
 - 9900 (docproc)
 - 18789 (openclaw-gateway — all interfaces)
 - 18792 (openclaw browser — localhost)
diff --git a/memory/security-baselines/james-old.md b/memory/security-baselines/james-old.md
index bc10032..449c7f9 100644
--- a/memory/security-baselines/james-old.md
+++ b/memory/security-baselines/james-old.md
@@ -1,5 +1,5 @@
 # James-Old (192.168.1.17) — Security Baseline
-Established: 2026-02-22
+Established: 2026-03-01
 
 ## SSH Authorized Keys (johan)
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404
@@ -9,27 +9,29 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
 johan:1000
-snapd-range-524288-root:524288 (snap service — system)
-snap_daemon:584788 (snap service — system)
-scanner:1001 (SANE scanner service — system, nologin shell)
+scanner:1001 (SMB scanner share)
+snapd-range-524288-root:524288 (snap)
+snap_daemon:584788 (snap)
 
 ## Expected Listening Ports
 - 22 (SSH)
-- 21 (FTP — known)
+- 21 (FTP — vsftpd, known)
 - 139/445 (Samba)
-- 3389 (RDP — xrdp, known)
-- 3350 (xrdp-sesman — localhost)
-- 8025 (message-center — localhost)
+- 3389 (RDP — flagged for review, origin unknown)
 - 8030 (message-bridge — all interfaces)
+- 8080 (signal-cli)
 - 9200 (dashboard)
-- 1143 (Proton Bridge IMAP — localhost)
-- 1025 (Proton Bridge SMTP — localhost)
+- 18789 (OpenClaw)
+- 19898 (Spacebot/Andrew)
+
+## SSH Hardening
+- Could not verify with user-level access (sshd -T requires root or sudoers)
 
 ## Known Firewall State
-UFW: INACTIVE — ⚠️ no host firewall
+- UFW: not verified (user-level only access)
+- LAN-only machine — limited external exposure
 
 ## Known Issues at Baseline
-- UFW inactive (known deficiency — retired machine)
-- fail2ban not active
-- RDP (3389) exposed — known, used for remote desktop
-- 53 pending apt updates
+- Port 3389 (RDP) origin unknown — needs investigation
+- fail2ban status not verified
+- SSH hardening not directly verified
diff --git a/memory/security-baselines/staging.md b/memory/security-baselines/staging.md
index 481ca16..6de004b 100644
--- a/memory/security-baselines/staging.md
+++ b/memory/security-baselines/staging.md
@@ -1,11 +1,8 @@
 # Staging (192.168.1.253) — Security Baseline
-Established: 2026-02-22
+Established: 2026-03-01
 
 ## SSH Authorized Keys (johan)
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpdYKhUPal5p9oI6kN85PAB7oZ+j0P2+xCzvt1rord6 johanjongsma@Johans-MacBook-Pro.local
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
+Not captured (user-level access only)
 
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
@@ -14,30 +11,24 @@ johan:1000
 ## Expected Listening Ports
 - 22 (SSH)
 - 139/445 (Samba)
-- 2283 (Immich — all interfaces)
-- 8080 (signal-cli-rest-api — all interfaces)
-- 8096 (Jellyfin — all interfaces)
-- 8123 (ClickHouse HTTP — all interfaces)
-- 9000 (ClickHouse TCP — all interfaces)
-- 18789 (openclaw-gateway — all interfaces)
-- 18792 (openclaw browser — localhost)
-- 1080 (portal)
+- 2283 (Immich)
+- 8080 (generic/various)
 - 8082 (inou api)
+- 8096 (Jellyfin)
+- 8123 (Home Assistant)
 - 8765 (inou viewer)
+- 9000 (various)
+- 9124 (inou dbquery)
+- 1080 (inou portal)
+- 18789 (OpenClaw)
 
-## Docker Containers (Known)
-- clickhouse (clickhouse/clickhouse-server)
-- immich_server (ghcr.io/immich-app/immich-server)
-- immich_machine_learning
-- immich_postgres
-- immich_redis
-- jellyfin
-- signal-cli-rest-api
+## SSH Hardening
+- Could not verify with user-level access
 
 ## Known Firewall State
-UFW: INACTIVE — ⚠️ no host firewall
+- UFW: not verified (user-level only)
+- LAN-only dev/staging machine
 
 ## Known Issues at Baseline
-- UFW inactive (LAN only, home lab — tolerated)
-- fail2ban not active
-- SSH hardening not verified (sshd -T requires root)
+- Many services exposed on all interfaces (LAN-only exposure, acceptable for dev)
+- SSH hardening not directly verified
diff --git a/memory/security-scans/2026-03-01.md b/memory/security-scans/2026-03-01.md
new file mode 100644
index 0000000..8f3ac43
--- /dev/null
+++ b/memory/security-scans/2026-03-01.md
@@ -0,0 +1,158 @@
+# Weekly Security Posture Scan — 2026-03-01
+Scan time: 09:01–09:15 AM EST
+Scanner: James (OpenClaw cron)
+
+## Summary
+| Host | Status | Findings |
+|------|--------|----------|
+| forge (localhost) | ⚠️ WARNING | passwordauth YES, new port 1984, new user scanner |
+| zurich.inou.com | ⚠️ WARNING | 17 upgradable packages |
+| caddy (192.168.0.2) | ⚠️ WARNING | SSH daemon not responding, extra SSH keys |
+| james-old (192.168.1.17) | ⚠️ WARNING | Port 3389 (RDP) open, no baseline (first scan) |
+| staging (192.168.1.253) | ℹ️ INFO | First scan, no baseline |
+| prod (192.168.100.2) | ❌ ERROR | Access denied — could not scan |
+
+---
+
+## Forge (localhost / 192.168.1.16)
+
+### 🔴 CRITICAL: SSH Password Auth Enabled
+- `passwordauthentication yes` — differs from baseline expectation
+- Baseline expected: `no`
+- **Action needed:** Set `PasswordAuthentication no` in `/etc/ssh/sshd_config`
+
+### ⚠️ New Service: vault1984 on Port 1984
+- Process: `./vault1984` (pid 3020492, started ~06:01)
+- Binary: `/home/johan/dev/vault1984/vault1984`
+- Not in baseline port list
+- Appears to be Johan's dev project — confirm and add to baseline if intentional
+
+### ℹ️ New User: scanner:1001
+- Added since Feb 22 baseline
+- Per TOOLS.md: dedicated scanner user for SMB share (`\\...\docsys`)
+- **Legitimate** — update baseline
+
+### ✅ Clean Items
+- SSH keys: match baseline exactly (5 keys, all known)
+- Logins: all from 192.168.1.14 (Johan's MacBook) — no suspicious IPs
+- No failed logins (empty lastb)
+- fail2ban running (root process active)
+- Crontab: only known jobs (usage-check, health-push, ddns-update)
+- Docker: not installed (expected)
+- permitrootlogin: no ✅
+
+### ℹ️ OCR Service
+- Port 8090 was offline at scan time — restarted by systemd at 09:03 AM during scan
+- Now active — monitor for stability
+
+---
+
+## Zurich (zurich.inou.com / 82.22.36.202)
+
+### ⚠️ Upgradable Packages: 17
+- `apt list --upgradable` returns 17 packages
+- May include security patches — run `apt upgrade` soon
+
+### ⚠️ Brute Force Volume (Normal for Public VPS)
+- fail2ban: 904 total banned, 11 currently banned
+- Recent attempts: nvidia, ubnt, user, debian, config usernames
+- `harryhaa` username attempt from 172.94.9.65 — targeting the harry web user by name (not alarming, common scraping)
+- All blocked by fail2ban ✅
+
+### ✅ Clean Items
+- SSH hardened: `passwordauthentication no`, `permitrootlogin without-password` ✅
+- UFW active with expected rules ✅
+- Users: harry:1000, harry-web:1001 — match baseline ✅
+- SSH keys: all 5 match baseline ✅
+- Docker: uptime-kuma (up 10d), vaultwarden (up 12h) — expected ✅
+- Last successful logins: only from 47.197.93.62 (home public IP) ✅
+
+---
+
+## Caddy (192.168.0.2)
+
+### ⚠️ SSH Daemon Not Responding on Port 22
+- `Connection refused` from 192.168.1.16 (forge)
+- UFW rules should allow 192.168.0.0/22 → 22
+- Possible: SSH service down, port changed, or firewall misconfiguration
+- Connected via Tailscale instead (required re-auth — not completed in scan)
+- **Action needed:** Verify SSH service is running on caddy
+
+### ⚠️ Extra SSH Keys Not in Baseline
+- Baseline (Feb 22): only `james@forge`
+- Current: also has `claude@macbook` and `johan@ubuntu2404`
+- These are known keys, likely added intentionally — confirm and update baseline
+
+### ✅ Clean Items
+- UFW: active with expected rules ✅
+- Users: nobody, johan:1000, stijn:1001 — match baseline ✅
+- No failed or suspicious logins
+- Caddy/FTP services presumably running (UFW rules in place)
+
+---
+
+## James-Old (192.168.1.17) — First Scan
+
+### ⚠️ Port 3389 (RDP) Open — Investigate
+- RDP listener detected on all interfaces
+- This machine is on LAN, not public — but still unexplained
+- No baseline exists — adding this as known but flagged for review
+
+### ℹ️ Port 21 (FTP) Open
+- Same as forge — known from Spacebot/Andrew context
+- LAN only — low risk
+
+### Users
+- nobody, johan:1000, snapd-range-524288-root:524288, snap_daemon:584788, scanner:1001
+- Snap-related users expected if snap packages installed
+- scanner:1001 — parallel with forge scanner user (SMB)
+
+### Ports
+- 18789 (OpenClaw), 19898 (Spacebot/Andrew), 8030 (message-bridge), 8080 (signal-cli), 9200 (dashboard), 22, 139/445 (Samba), 21 (FTP), 3389 (RDP)
+
+### Logins
+- All from 192.168.1.14 (Johan's Mac) — clean
+
+### SSH Hardening
+- Could not check (insufficient privilege as `johan` user — `sshd -T` returned nothing)
+
+---
+
+## Staging (192.168.1.253) — First Scan
+
+### ℹ️ Services Running (All LAN-only, expected for dev)
+- Port 2283: likely Immich
+- Port 8096: Jellyfin
+- Port 8123: Home Assistant
+- Port 8080: various
+- Port 1080/8082/8765/9124: inou portal, api, viewer, dbquery
+- Port 18789: OpenClaw
+- Port 22/139/445: SSH/Samba
+
+### Users
+- nobody, johan:1000 — clean
+
+### Logins
+- All from 192.168.1.14 (Johan's Mac) — clean
+
+### SSH Hardening
+- Could not check (insufficient privilege as `johan` user)
+
+---
+
+## Prod (192.168.100.2) — ERROR
+
+- Access denied — `Too many authentication failures`
+- SSH key not installed or key rotation occurred
+- Could not scan
+- **Action needed:** Re-establish SSH access to prod
+
+---
+
+## Action Items
+1. 🔴 **FORGE: Fix SSH password auth** — `sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl restart sshd`
+2. ⚠️ **CADDY: Verify SSH daemon** — check if sshd is running
+3. ⚠️ **ZURICH: Run apt upgrade** — 17 pending packages
+4. ⚠️ **JAMES-OLD: Investigate RDP port 3389** — who opened it?
+5. ⚠️ **PROD: Restore SSH access** — key auth failing
+6. ℹ️ **Update baselines**: add scanner user (forge/james-old), vault1984 port, caddy extra keys