johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: auto-commit uncommitted changes

This commit is contained in:
James 2026-03-02 06:01:33 -05:00
parent 184068faa5
commit 81caa3a844
4 changed files with 297 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
hans_setup.sh Normal file
View File

@ -0,0 +1,117 @@
#!/bin/bash
set -e
echo "=== Step 1: Add SSH authorized keys ==="
mkdir -p /root/.ssh
chmod 700 /root/.ssh
cat > /root/.ssh/authorized_keys << 'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvQUpzuHN/+4xIS5dZSUY1Me7c17EhHRJdP5TkrfD39 claude@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4TEk5EWIwLM3+/pU/H5qxZQlNUvIcxj72bYhYOZeQZ james@server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIhEtv7t3njNoG+mnKElR+rasMArdc8DnHON22lreT7 james@james
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+9hJSfMkbe68VPbkRmaW/sFFmd3+QBmisJYLY+S6Cj james@forge
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5hDM45kOB8jxk+M4Kk9in9bpwZ90sSZsPBMbzJRkbF johan@thinkpad-x1
EOF
chmod 600 /root/.ssh/authorized_keys
echo "Keys written: $(wc -l < /root/.ssh/authorized_keys) keys"
echo ""
echo "=== Step 2: Harden sshd_config ==="
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)
apply_setting() {
local key="$1"
local value="$2"
if grep -qE "^#?[[:space:]]*${key}[[:space:]]" /etc/ssh/sshd_config; then
sed -i "s|^#\?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" /etc/ssh/sshd_config
else
echo "${key} ${value}" >> /etc/ssh/sshd_config
fi
}
apply_setting "PermitRootLogin" "yes"
apply_setting "PasswordAuthentication" "yes"
apply_setting "PubkeyAuthentication" "yes"
apply_setting "MaxAuthTries" "3"
apply_setting "LoginGraceTime" "30"
apply_setting "X11Forwarding" "no"
apply_setting "AllowTcpForwarding" "no"
apply_setting "ClientAliveInterval" "300"
apply_setting "ClientAliveCountMax" "2"
grep -q "^Protocol" /etc/ssh/sshd_config || echo "# Protocol 2 (default in OpenSSH 7+, cannot be set explicitly)" >> /etc/ssh/sshd_config
sshd -t && echo "sshd config syntax OK" || echo "ERROR: sshd config syntax FAILED"
systemctl reload ssh || systemctl reload sshd || true
echo "sshd reloaded"
echo ""
echo "=== Step 3: Update packages ==="
apt-get update -q
DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -q 2>&1 | tail -5
echo ""
echo "=== Step 4: Install packages ==="
DEBIAN_FRONTEND=noninteractive apt-get install -y -q ufw fail2ban unattended-upgrades git 2>&1 | tail -5
echo ""
echo "=== Step 5: Configure UFW ==="
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS vault1984'
ufw --force enable
echo "UFW enabled"
echo ""
echo "=== Step 6: Configure fail2ban ==="
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF
systemctl enable fail2ban
systemctl restart fail2ban
echo "fail2ban configured and started"
echo ""
echo "=== Step 7: Unattended upgrades ==="
cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
echo "Unattended upgrades enabled"
echo ""
echo "=== Step 8: Timezone UTC ==="
timedatectl set-timezone UTC
timedatectl | grep "Time zone"
echo ""
echo "=== Verification ==="
echo "--- UFW status ---"
ufw status verbose
echo ""
echo "--- fail2ban status ---"
fail2ban-client status sshd 2>/dev/null || systemctl status fail2ban --no-pager | head -10
echo ""
echo "--- SSH key fingerprints ---"
ssh-keygen -l -f /root/.ssh/authorized_keys
echo ""
echo "--- sshd active settings ---"
grep -E "^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|MaxAuthTries|LoginGraceTime|X11Forwarding|AllowTcpForwarding|ClientAlive)" /etc/ssh/sshd_config
echo ""
echo "=== ALL DONE ==="

174
memory/2026-03-02.md Normal file
View File

@ -0,0 +1,174 @@
# 2026-03-02 Daily Notes
## vault1984 — Late night session (00:3001:30 ET)
### Architecture decision: Two separate Go binaries
- **vault1984** (`/home/johan/dev/vault1984`) — pure vault server binary. Runs in each AWS region. No billing, no marketing, no website.
- **vault1984-web** (`/home/johan/dev/vault1984-web`) — marketing website. Go binary serving static HTML from embed.FS. Runs on vault1984.com.
- Johan was clear: "the website will run its own Go, as we need login, billing etc etc"
- Previous session had created a mess by embedding both into the same binary.
### vault1984-web: Python server killed, replaced with Go
- Was running `python3 -m http.server 8099` (previous session left it). Johan: "python!? Are you kidding me?"
- Replaced with Go binary (`main.go` + `//go:embed *.html *.svg *.css`)
- Systemd service: `~/.config/systemd/user/vault1984-web.service`, port 8099
- Caddy proxies vault1984.com → 8099
- Committed to `git@zurich.inou.com:vault1984-web.git`
### hosted.html — Global infrastructure map
- Lives in `vault1984-web/`, served at vault1984.com/hosted.html
- Shows all 31 real AWS commercial regions on animated world map SVG
- Zürich highlighted in gold as HQ node
- **Bug fixed: Beijing removed**`cn-north-1` is China partition (separate AWS account, Sinnet-operated). NOT a commercial region.
- **Added:** `mx-central-1` (Mexico City, 2023) and `ap-southeast-5` (Malaysia/KL, 2024) — both real commercial regions
- The detailed world map SVG lives in the original `vault1984-web/hosted.html` — do NOT replace with simplified blob paths
### vault1984 binary — partial mess still present
- Previous session added `cmd/vault1984/website/` (copy of marketing HTML) and updated routes.go to serve both
- This needs to be reverted — `vault1984` should be pure vault server, no marketing HTML
- TODO: revert routes.go and main.go changes, delete cmd/vault1984/website/
### AWS region knowledge
- 31 commercial regions as of early 2026 (not 30)
- China regions (`cn-north-1` Beijing, `cn-northwest-1` Ningxia) are a SEPARATE partition — not deployable with normal AWS account
- GovCloud regions also excluded from vault1984 deployment
- Newest regions: `mx-central-1` (Mexico, 2023), `ap-southeast-5` (Malaysia, 2024)
- GCP ARM doesn't go below t2a-standard-1 (1 vCPU, 4GB RAM) — AWS Graviton unique in offering ARM at nano size (0.5GB)
## vault1984-web map work (01:3002:20 ET)
### Two hosted.html files — don't confuse them
- **vault1984-web/hosted.html** — what vault1984.com actually serves (via port 8099). Old "Hostkey" era text. Has worldmap.svg. THIS is the file we edit.
- **vault1984/website/hosted.html** and **vault1984/cmd/vault1984/website/hosted.html** — dead copies with "Everywhere you are" / "30 AWS regions" text. NOT served. Ignore them.
- Earlier screenshots showed the cached "30 AWS regions" version from the headless browser — that was stale cache, not live content.
### worldmap.svg architecture
- Geography SVG paths (133KB) extracted to `/home/johan/dev/vault1984-web/worldmap.svg`
- Loaded via `<image href="/worldmap.svg" x="0" y="0" width="1000" height="460"/>` inside the SVG element
- Dots (circles) remain inline in hosted.html
- `fetch+DOMParser+importNode` approach failed in real Chrome — `<image href>` works everywhere
### Final region selection (21 regions, Johan-approved)
Removed from initial 31: Ohio, Oregon, Calgary, Ireland, Milan, Bahrain, Hyderabad, Melbourne, Osaka, Tokyo
**Kept:**
- Americas: Virginia, N.California, Montreal, Mexico City, São Paulo
- Europe: London, Paris, Frankfurt, Zürich (HQ/gold), Spain, Stockholm
- Middle East/Africa: UAE, Tel Aviv, Cape Town
- Asia Pacific: Mumbai, Singapore, Jakarta, Malaysia, Sydney, Seoul, Hong Kong
### Miller projection function (for future dot placement)
```js
const W=1000, H=460;
function project(lon, lat) {
const latR = Math.min(Math.abs(lat),85)*Math.PI/180*(lat<0?-1:1);
const miller = 1.25*Math.log(Math.tan(Math.PI/4+0.4*latR));
const maxMiller = 1.25*Math.log(Math.tan(Math.PI/4+0.4*80*Math.PI/180));
return [(lon+180)/360*W, H/2-(miller/(2*maxMiller))*H];
}
```
Zürich verification: project(8.5, 47.4) → (523.6, 117.6) ✓
### Dot format (SVG circles with staggered animation)
Each region = 3 circle elements: 2 pulse rings (fill=none) + 1 solid dot
HQ (Zürich) = 4 elements: 3 circles + inner black dot
Colors: green `#22C55E` for regions, gold `#D4AF37` for HQ
## Hostkey VPS — "Hans" (03:56 ET)
- **Provider:** Hostkey
- **Location:** Switzerland (Zürich region)
- **Purpose:** vault1984 Istanbul node (Turkey VPS via Hostkey, who confirmed they have Istanbul)
- **Name:** Hans
- **IP:** 185.218.204.47
- **Hostname:** vault1984 NOC (Hostkey label)
- **Root password:** ThIsNeEdStOcHaNgE0--
- **Specs:** vm.mini — 4 vCPU / 6GB RAM / 120GB SSD, €3.90/mo
- **OS:** Ubuntu 24.04
- **Note:** Johan is ordering this live right now. Change the password first thing after provisioning.
## vault1984 Styleguide (04:14 ET)
- **vault1984.css** is the single global stylesheet for ALL vault1984 web surfaces (marketing + app)
- Live at: https://vault1984.com/styleguide.html
- Source: `/home/johan/dev/vault1984-web/vault1984.css`
- Rules: one stylesheet, one width (--width:1280px via .container), one padding (--pad:2rem), CSS variables for everything, one rule per class
- Applicable to vault1984 app UI too — copy/symlink vault1984.css into vault1984/web/
## vault1984 — Beyond Passwords (04:44 ET)
**Key insight:** vault1984 is not a password manager with notes. It's a structured knowledge store for human+AI collaboration.
- Sealed fields = human-only (physical presence required): passwords, private notes, secrets
- Agent fields = AI-accessible (scoped tokens): anything James/Claude needs to read or act on
**Concrete uses:**
- James's working memory (project plans, rollout strategies, context)
- Shared reference data (infra details, credentials James needs)
- Any structured note an AI agent should be able to retrieve
- Not limited to passwords — limited only by what you want sealed vs agent-accessible
**Positioning implication:**
Proton Pass = secure notes for humans. vault1984 = knowledge store for human+AI teams.
This is a real differentiator — needs to surface in marketing copy.
## vault1984 — Storage & Pricing Implications (04:45 ET)
- Expanding to arbitrary attachments (passport scans, MRIs, tax docs) makes storage a real cost
- Current: $12/yr flat — works for passwords, breaks for files
- Needs: base storage allowance (e.g. 100MB) + tiered overage, OR storage-based tiers
- DICOM files alone can be 50MB+ — one power user could cost more than their subscription
- Decision pending: pricing model redesign before launching file attachments
## vault1984 — Text-only, Markdown default (04:47 ET)
- No attachment/image support — ever. Text only.
- Default format: Markdown
- Passport number etc = just type it in. No OCR, no uploads.
## vault1984 — The Memory/Encryption Tradeoff (04:48 ET)
- Sealed = private = AI-blind. Good for passwords. Useless as AI memory.
- Agent = AI-readable = scoped token access. Required for AI memory use case.
- This is a conscious design tradeoff, not a flaw — user chooses per-field.
- "James's memory in vault1984" = agent fields by definition.
## vault1984 — Search Problem (04:48 ET)
- Encrypted fields = ciphertext in SQLite = LIKE queries useless
- Agent fields: server holds key → can decrypt-then-search server-side (acceptable, server already has access)
- Sealed fields: server never has key → search impossible without client-side decrypt-all (doesn't scale)
- Options: (1) server-side decrypt+search for agent fields, (2) vector embeddings, (3) unencrypted tags + encrypted body
- Decision pending before building search
## vault1984 — Search Architecture Decision (04:51 ET)
- Decrypt-all-to-search = rejected (memory footprint, plaintext exposure)
- **Decision: vector embeddings at write time**
- On save: generate embedding of plaintext → store unencrypted alongside ciphertext
- On search: query embeddings (no decryption) → get record IDs → decrypt only matches
- Cost: one embedding per write (cheap). Search: fast, minimal memory, no bulk decrypt
- Sealed fields = unsearchable by design. User knows where they put it.
- Agent fields = searchable via embeddings
## Hans — OpenClaw + Discord Comms Channel (05:03 ET)
**Task queued for sleeping block**
### Goal
Set up a James↔Hans communication channel so I can send deploy commands and Hans reports back.
### Stack
- **Discord server**: private, owned by us — create it
- **Hans**: OpenClaw instance, bot connected to Discord
- **Model**: MiniMax M2.5 via Fireworks (`accounts/fireworks/models/minimax-m2p5`)
- **Fireworks key**: `fw_RVcDe4c6mN4utKLsgA7hTm`
- **No Anthropic tokens on Hans** — Fireworks only
### Hans's job description
- Receive deploy commands from James via Discord
- Execute them (pull new version, restart service)
- Report back status
- Simple, focused — not a general assistant
### Steps
1. Create private Discord server
2. Create Discord bot for Hans
3. Install OpenClaw on Hans (185.218.204.47)
4. Configure with Fireworks M2.5, Discord bot token
5. Test: James sends message → Hans executes → Hans replies
## @vault1984 on X — Available (05:19 ET)
- Handle @vault1984 does NOT exist — available for registration
- Only references: 2017 WikiLeaks/CIA hashtag use, 2016 @music_vault1984 (also gone)
- Action needed: Johan registers @vault1984 at x.com when ready

BIN
memory/claude-usage.db
View File

Binary file not shown.

12
memory/claude-usage.json
View File

@ -1,9 +1,9 @@
{
"last_updated": "2026-03-02T05:00:01.928433Z",
"last_updated": "2026-03-02T11:00:02.155882Z",
"source": "api",
"session_percent": 7,
"session_resets": "2026-03-02T05:59:59.877299+00:00",
"weekly_percent": 57,
"weekly_resets": "2026-03-06T03:00:00.877347+00:00",
"sonnet_percent": 56
"session_percent": 0,
"session_resets": "2026-03-02T16:00:00.121624+00:00",
"weekly_percent": 65,
"weekly_resets": "2026-03-06T03:00:00.121648+00:00",
"sonnet_percent": 69
}