chore: auto-commit uncommitted changes

2026-03-01 12:02:10 -05:00 · 2026-03-01 12:02:10 -05:00 · 6fcf85d66a
parent e83b236799
commit 6fcf85d66a
9 changed files with 209 additions and 49 deletions
--- a/memory/2026-03-01.md
+++ b/memory/2026-03-01.md
@ -256,3 +256,8 @@ Implementing WebAuthn setup wizard. Check status with `process(action=poll, sess
 - `api/routes.go` — routing (websiteFS removed, webFS only, / serves app)
 - `cmd/vault1984/main.go` — entrypoint (webFS only embed)
 - `cmd/vault1984/web/index.html` — app UI (setup wizard being rewritten by Opus)
 09:01 - Weekly memory synthesis cron ran but MEMORY.md edit failed (text match issue). No data lost — synthesis output was generated but not persisted. Will re-run manually when Johan is awake if needed.
 ## 2026-03-01 09:06 — Tax reminder triggered
 - E-consultant taxes reminder fired (set Feb 16 after Papa's message re: Roy / e-consultants cancellation status 2025)
 - Johan is in second sleep block — do NOT ping
 - Add to task board so it shows up when he wakes
--- a/memory/claude-usage.db
+++ b/memory/claude-usage.db
--- a/memory/claude-usage.json
+++ b/memory/claude-usage.json
@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-03-01T14:00:02.113160Z",
+  "last_updated": "2026-03-01T17:00:01.979394Z",
  "source": "api",
-  "session_percent": 11,
+  "session_percent": 2,
-  "session_resets": "2026-03-01T15:00:00.068990+00:00",
+  "session_resets": "2026-03-01T20:00:00.936338+00:00",
-  "weekly_percent": 53,
+  "weekly_percent": 54,
-  "weekly_resets": "2026-03-06T03:00:00.069006+00:00",
+  "weekly_resets": "2026-03-06T02:59:59.936356+00:00",
-  "sonnet_percent": 53
+  "sonnet_percent": 54
 }
--- a/memory/heartbeat-state.json
+++ b/memory/heartbeat-state.json
@ -3,7 +3,7 @@
    "email": 1772305243,
    "calendar": null,
    "weather": 1771942030,
-    "briefing": 1772291050,
+    "briefing": 1772375543,
    "news": 1771597876,
    "claude_usage": 1772305243
  },
@ -14,8 +14,8 @@
  "lastDocInbox": "2026-02-25T22:01:42.532628Z",
  "lastTechScan": "2026-02-28T12:04:00-05:00",
  "lastMemoryReview": "2026-02-28T14:03:00Z",
-  "lastIntraDayXScan": "2026-03-01T04:01:37.647Z",
+  "lastIntraDayXScan": "2026-03-01T16:01:55.688Z",
-  "lastInouSuggestion": "2026-02-28T14:00:00Z",
+  "lastInouSuggestion": "2026-03-01T14:33:33.714Z",
  "lastEmail": 1772132453,
  "pendingBriefingItems": [
    {
--- a/memory/security-baselines/caddy.md
+++ b/memory/security-baselines/caddy.md
@ -3,6 +3,8 @@ Established: 2026-02-22
 ## Root SSH Authorized Keys
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
--- a/memory/security-baselines/forge.md
+++ b/memory/security-baselines/forge.md
@ -11,6 +11,7 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
 johan:1000
 scanner:1001 (SMB scanner share user — added 2026-02)
 ## Expected Listening Ports
 - 22 (SSH)
@ -24,6 +25,7 @@ johan:1000
 - 9202 (Fully dashboard)
 - 9300 (dealroom)
 - 9877/9878 (node)
 - 1984 (vault1984 — dev project, added 2026-03-01)
 - 9900 (docproc)
 - 18789 (openclaw-gateway — all interfaces)
 - 18792 (openclaw browser — localhost)
--- a/memory/security-baselines/james-old.md
+++ b/memory/security-baselines/james-old.md
@ -1,5 +1,5 @@
 # James-Old (192.168.1.17) — Security Baseline
-Established: 2026-02-22
+Established: 2026-03-01
 ## SSH Authorized Keys (johan)
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4vdTyAAgy6PTsTLy64zQ8HwB3n3N3HQ3VfpLnItN7f johan@ubuntu2404
@ -9,27 +9,29 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
 johan:1000
-snapd-range-524288-root:524288 (snap service — system)
+scanner:1001 (SMB scanner share)
-snap_daemon:584788 (snap service — system)
+snapd-range-524288-root:524288 (snap)
-scanner:1001 (SANE scanner service — system, nologin shell)
+snap_daemon:584788 (snap)
 ## Expected Listening Ports
 - 22 (SSH)
- 21 (FTP — known)
+- 21 (FTP — vsftpd, known)
 - 139/445 (Samba)
- 3389 (RDP — xrdp, known)
+- 3389 (RDP — flagged for review, origin unknown)
 - 3350 (xrdp-sesman — localhost)
 - 8025 (message-center — localhost)
 - 8030 (message-bridge — all interfaces)
 - 8080 (signal-cli)
 - 9200 (dashboard)
- 1143 (Proton Bridge IMAP — localhost)
+- 18789 (OpenClaw)
- 1025 (Proton Bridge SMTP — localhost)
+- 19898 (Spacebot/Andrew)
 ## SSH Hardening
 - Could not verify with user-level access (sshd -T requires root or sudoers)
 ## Known Firewall State
-UFW: INACTIVE — ⚠️ no host firewall
+- UFW: not verified (user-level only access)
 - LAN-only machine — limited external exposure
 ## Known Issues at Baseline
- UFW inactive (known deficiency — retired machine)
+- Port 3389 (RDP) origin unknown — needs investigation
- fail2ban not active
+- fail2ban status not verified
- RDP (3389) exposed — known, used for remote desktop
+- SSH hardening not directly verified
 - 53 pending apt updates
--- a/memory/security-baselines/staging.md
+++ b/memory/security-baselines/staging.md
@ -1,11 +1,8 @@
 # Staging (192.168.1.253) — Security Baseline
-Established: 2026-02-22
+Established: 2026-03-01
 ## SSH Authorized Keys (johan)
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
+Not captured (user-level access only)
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpdYKhUPal5p9oI6kN85PAB7oZ+j0P2+xCzvt1rord6 johanjongsma@Johans-MacBook-Pro.local
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
 ## Expected Users (uid>=1000)
 nobody:65534 (system)
@ -14,30 +11,24 @@ johan:1000
 ## Expected Listening Ports
 - 22 (SSH)
 - 139/445 (Samba)
- 2283 (Immich — all interfaces)
+- 2283 (Immich)
- 8080 (signal-cli-rest-api — all interfaces)
+- 8080 (generic/various)
 - 8096 (Jellyfin — all interfaces)
 - 8123 (ClickHouse HTTP — all interfaces)
 - 9000 (ClickHouse TCP — all interfaces)
 - 18789 (openclaw-gateway — all interfaces)
 - 18792 (openclaw browser — localhost)
 - 1080 (portal)
 - 8082 (inou api)
 - 8096 (Jellyfin)
 - 8123 (Home Assistant)
 - 8765 (inou viewer)
 - 9000 (various)
 - 9124 (inou dbquery)
 - 1080 (inou portal)
 - 18789 (OpenClaw)
-## Docker Containers (Known)
+## SSH Hardening
- clickhouse (clickhouse/clickhouse-server)
+- Could not verify with user-level access
 - immich_server (ghcr.io/immich-app/immich-server)
 - immich_machine_learning
 - immich_postgres
 - immich_redis
 - jellyfin
 - signal-cli-rest-api
 ## Known Firewall State
-UFW: INACTIVE — ⚠️ no host firewall
+- UFW: not verified (user-level only)
 - LAN-only dev/staging machine
 ## Known Issues at Baseline
- UFW inactive (LAN only, home lab — tolerated)
+- Many services exposed on all interfaces (LAN-only exposure, acceptable for dev)
- fail2ban not active
+- SSH hardening not directly verified
 - SSH hardening not verified (sshd -T requires root)
--- a/memory/security-scans/2026-03-01.md
+++ b/memory/security-scans/2026-03-01.md
@ -0,0 +1,158 @@
 # Weekly Security Posture Scan — 2026-03-01
 Scan time: 09:01–09:15 AM EST
 Scanner: James (OpenClaw cron)
 ## Summary
 | Host | Status | Findings |
 |------|--------|----------|
 | forge (localhost) | ⚠️ WARNING | passwordauth YES, new port 1984, new user scanner |
 | zurich.inou.com | ⚠️ WARNING | 17 upgradable packages |
 | caddy (192.168.0.2) | ⚠️ WARNING | SSH daemon not responding, extra SSH keys |
 | james-old (192.168.1.17) | ⚠️ WARNING | Port 3389 (RDP) open, no baseline (first scan) |
 | staging (192.168.1.253) | ℹ️ INFO | First scan, no baseline |
 | prod (192.168.100.2) | ❌ ERROR | Access denied — could not scan |
 ---
 ## Forge (localhost / 192.168.1.16)
 ### 🔴 CRITICAL: SSH Password Auth Enabled
 - `passwordauthentication yes` — differs from baseline expectation
 - Baseline expected: `no`
 - **Action needed:** Set `PasswordAuthentication no` in `/etc/ssh/sshd_config`
 ### ⚠️ New Service: vault1984 on Port 1984
 - Process: `./vault1984` (pid 3020492, started ~06:01)
 - Binary: `/home/johan/dev/vault1984/vault1984`
 - Not in baseline port list
 - Appears to be Johan's dev project — confirm and add to baseline if intentional
 ### ℹ️ New User: scanner:1001
 - Added since Feb 22 baseline
 - Per TOOLS.md: dedicated scanner user for SMB share (`\\...\docsys`)
 - **Legitimate** — update baseline
 ### ✅ Clean Items
 - SSH keys: match baseline exactly (5 keys, all known)
 - Logins: all from 192.168.1.14 (Johan's MacBook) — no suspicious IPs
 - No failed logins (empty lastb)
 - fail2ban running (root process active)
 - Crontab: only known jobs (usage-check, health-push, ddns-update)
 - Docker: not installed (expected)
 - permitrootlogin: no ✅
 ### ℹ️ OCR Service
 - Port 8090 was offline at scan time — restarted by systemd at 09:03 AM during scan
 - Now active — monitor for stability
 ---
 ## Zurich (zurich.inou.com / 82.22.36.202)
 ### ⚠️ Upgradable Packages: 17
 - `apt list --upgradable` returns 17 packages
 - May include security patches — run `apt upgrade` soon
 ### ⚠️ Brute Force Volume (Normal for Public VPS)
 - fail2ban: 904 total banned, 11 currently banned
 - Recent attempts: nvidia, ubnt, user, debian, config usernames
 - `harryhaa` username attempt from 172.94.9.65 — targeting the harry web user by name (not alarming, common scraping)
 - All blocked by fail2ban ✅
 ### ✅ Clean Items
 - SSH hardened: `passwordauthentication no`, `permitrootlogin without-password` ✅
 - UFW active with expected rules ✅
 - Users: harry:1000, harry-web:1001 — match baseline ✅
 - SSH keys: all 5 match baseline ✅
 - Docker: uptime-kuma (up 10d), vaultwarden (up 12h) — expected ✅
 - Last successful logins: only from 47.197.93.62 (home public IP) ✅
 ---
 ## Caddy (192.168.0.2)
 ### ⚠️ SSH Daemon Not Responding on Port 22
 - `Connection refused` from 192.168.1.16 (forge)
 - UFW rules should allow 192.168.0.0/22 → 22
 - Possible: SSH service down, port changed, or firewall misconfiguration
 - Connected via Tailscale instead (required re-auth — not completed in scan)
 - **Action needed:** Verify SSH service is running on caddy
 ### ⚠️ Extra SSH Keys Not in Baseline
 - Baseline (Feb 22): only `james@forge`
 - Current: also has `claude@macbook` and `johan@ubuntu2404`
 - These are known keys, likely added intentionally — confirm and update baseline
 ### ✅ Clean Items
 - UFW: active with expected rules ✅
 - Users: nobody, johan:1000, stijn:1001 — match baseline ✅
 - No failed or suspicious logins
 - Caddy/FTP services presumably running (UFW rules in place)
 ---
 ## James-Old (192.168.1.17) — First Scan
 ### ⚠️ Port 3389 (RDP) Open — Investigate
 - RDP listener detected on all interfaces
 - This machine is on LAN, not public — but still unexplained
 - No baseline exists — adding this as known but flagged for review
 ### ℹ️ Port 21 (FTP) Open
 - Same as forge — known from Spacebot/Andrew context
 - LAN only — low risk
 ### Users
 - nobody, johan:1000, snapd-range-524288-root:524288, snap_daemon:584788, scanner:1001
 - Snap-related users expected if snap packages installed
 - scanner:1001 — parallel with forge scanner user (SMB)
 ### Ports
 - 18789 (OpenClaw), 19898 (Spacebot/Andrew), 8030 (message-bridge), 8080 (signal-cli), 9200 (dashboard), 22, 139/445 (Samba), 21 (FTP), 3389 (RDP)
 ### Logins
 - All from 192.168.1.14 (Johan's Mac) — clean
 ### SSH Hardening
 - Could not check (insufficient privilege as `johan` user — `sshd -T` returned nothing)
 ---
 ## Staging (192.168.1.253) — First Scan
 ### ℹ️ Services Running (All LAN-only, expected for dev)
 - Port 2283: likely Immich
 - Port 8096: Jellyfin
 - Port 8123: Home Assistant
 - Port 8080: various
 - Port 1080/8082/8765/9124: inou portal, api, viewer, dbquery
 - Port 18789: OpenClaw
 - Port 22/139/445: SSH/Samba
 ### Users
 - nobody, johan:1000 — clean
 ### Logins
 - All from 192.168.1.14 (Johan's Mac) — clean
 ### SSH Hardening
 - Could not check (insufficient privilege as `johan` user)
 ---
 ## Prod (192.168.100.2) — ERROR
 - Access denied — `Too many authentication failures`
 - SSH key not installed or key rotation occurred
 - Could not scan
 - **Action needed:** Re-establish SSH access to prod
 ---
 ## Action Items
 1. 🔴 **FORGE: Fix SSH password auth** — `sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl restart sshd`
 2. ⚠️ **CADDY: Verify SSH daemon** — check if sshd is running
 3. ⚠️ **ZURICH: Run apt upgrade** — 17 pending packages
 4. ⚠️ **JAMES-OLD: Investigate RDP port 3389** — who opened it?
 5. ⚠️ **PROD: Restore SSH access** — key auth failing
 6. ℹ️ **Update baselines**: add scanner user (forge/james-old), vault1984 port, caddy extra keys