chore: auto-commit uncommitted changes

2026-03-01 00:01:38 -05:00 · 2026-03-01 00:01:38 -05:00 · 8e7c5750c8
parent ea5b2efa9a
commit 8e7c5750c8
7 changed files with 156 additions and 47 deletions
--- a/HEARTBEAT.md
+++ b/HEARTBEAT.md
@ -376,7 +376,7 @@ Only ping if: IRS correspondence, something urgent, or can't categorize.

 **Pace = (weekly_percent / time_elapsed_percent) × 100**
 e.g. 60% used at 50% of the week = pace 120% (burning too fast). 60% used at 80% of the week = pace 75% (fine).
-Week runs Sat 2PM → Sat 2PM ET. Sat 7AM–2PM excluded (dead zone, Johan asleep).
+Week runs Thu 10PM → Thu 10PM ET (Anthropic changed reset window — previously Sat 2PM).

 **Alert rules — read carefully:**
 - **Pace ≤ 100%:** NOT an alert. Tracking correctly. Mention in briefing, nothing more.
--- a/memory/2026-02-28.md
+++ b/memory/2026-02-28.md
@ -166,3 +166,73 @@ All 6 agents completed successfully. Johan was sleeping during second sleep bloc
 ### Key fixes summary
 - Dealspace: 4 security fixes, 83 tests, smoke test script, request import live
 - inou: LOINC matching bug fixed, auth backdoor removed, CORS locked, 59 tests written
+
+---
+
+## Afternoon Session (14:00–18:00 ET)
+
+### Vault1984 — New Project Born
+Built a personal password manager for humans with AI assistants. Designed and shipped Day 1 in one afternoon.
+
+**The insight (Johan's EA analogy):**
+> "My EA has access to company files, not my private drawer. Different key, kept on me."
+
+**Architecture:**
+- One Go binary, one SQLite file, port **1984** (Orwell — intentional)
+- L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP
+- L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server.
+- No email/SMS fallback for L2 (would break security model)
+- Recovery: printed BIP39 mnemonic only
+
+**Entry model:** No separate tables. Everything is an entry with free-form fields. `l2:true` per field, `section` for grouping, `kind` for type hint.
+
+**Import:** Chrome/Firefox CSV, Bitwarden JSON, Proton Pass JSON parsed natively in Go. LLM fallback (Fireworks, chunked) for unknown formats. Handles 12,623 entries. Date-based collision resolution (newest `timePasswordChanged`/`modifyTime`/`revisionDate` wins; Chrome has no timestamps → existing wins).
+
+**Name evolution:** Started as ClawVault → renamed Vault1984 (stands alone, not Claw-specific)
+
+**Git:** `git@zurich.inou.com:vault1984.git` | Local: `/home/johan/dev/vault1984/` | Running: `http://192.168.1.16:1984`
+
+**3 bugs fixed from test suite:**
+- L2 fields leaked plaintext to web API → stripped for web+MCP actors
+- `words=4` passphrase generator ignored N → fixed
+- `?q=` on `/api/entries` ignored → delegates to search
+
+**Day 2 pending:** WebAuthn PRF, L2 client-side encrypt/decrypt, scoped MCP tokens, extension autofill, Caddy proxy, systemd service
+
+### Scoped MCP Tokens (KEY FEATURE)
+For multi-agent swarms: per-token tag/entry whitelisting. Agent 1 gets `["social","twitter"]`, Agent 2 gets `["dev","github"]`. One compromise = one agent's scope. Added to SPEC.md.
+
+### Go-to-Market: Alex Finn
+- @AlexFinn runs 10+ OpenClaw agents 24/7 on Mac Studio swarm
+- He uses bots to scan X — don't tag him, make content his bots surface
+- Keywords: OpenClaw, MCP, credentials, multi-agent, swarm, autonomous
+- Discord is his primary community — subagent hunting for his server
+- James needs Discord account to participate genuinely
+- Hook: scoped tokens solving the exact multi-agent credential problem he has
+
+### Assets created
+- `docs/README.md`, `docs/X-ANNOUNCEMENT.md` (3 options + 6-tweet thread)
+- `docs/KILLER-FEATURES.md` (14 features, 3 tiers)
+- `docs/RESEARCH.md` (Chrome complaints, CC/Codex MCP config, community channels)
+- `docs/SESSION-2026-02-28.md` (full session notes)
+
+### Azure Backup — Abandoned
+Johan abandoned the Azure Files project.
+- Local: `azure-backup-abandoned-20260228` (kept recoverable)
+- Remote: `azure-backup.git` deleted from Zurich
+
+### Taalas / ChatJimmy (chatjimmy.ai)
+Toronto startup, stealth last week. HC1 chip: Llama 3.1 8B hard-coded into silicon. 17,000 tok/s. $30M of $200M spent. Model got boxes puzzle answer right by accident, wrong reasoning. HC2 (70B) will be the real test. Watch this company.
+
+### Breaking News: US Strikes Iran
+Operation Epic Fury. Confirmed by White House + CENTCOM. Iran internet ~98% down (Cloudflare Radar). Signaled Johan at 15:41 ET.
+
+### OpenAI × DoD
+Signed classified AI deployment agreement. OpenAI retains safety stack. Explicitly stated Anthropic should NOT be flagged as supply chain risk.
+
+### Pending (carry to tomorrow)
+- [ ] AlexFinn Discord server found?
+- [ ] James Discord account — ask Johan
+- [ ] Import Johan's actual 12,623 entries into Vault1984
+- [ ] Vault1984 Day 2: WebAuthn PRF + scoped tokens
+- [ ] Caddy proxy + systemd for Vault1984
--- a/memory/claude-usage.db
+++ b/memory/claude-usage.db
--- a/memory/claude-usage.json
+++ b/memory/claude-usage.json
@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-02-28T23:00:02.828215Z",
+  "last_updated": "2026-03-01T05:00:02.046165Z",
  "source": "api",
-  "session_percent": 29,
-  "session_resets": "2026-03-01T00:00:00.255782+00:00",
-  "weekly_percent": 33,
-  "weekly_resets": "2026-03-06T03:00:00.255798+00:00",
-  "sonnet_percent": 27
+  "session_percent": 0,
+  "session_resets": null,
+  "weekly_percent": 38,
+  "weekly_resets": "2026-03-06T03:00:00.008306+00:00",
+  "sonnet_percent": 31
 }
--- a/memory/heartbeat-state.json
+++ b/memory/heartbeat-state.json
@ -14,7 +14,7 @@
  "lastDocInbox": "2026-02-25T22:01:42.532628Z",
  "lastTechScan": "2026-02-28T12:04:00-05:00",
  "lastMemoryReview": "2026-02-28T14:03:00Z",
-  "lastIntraDayXScan": "2026-02-28T20:42:09.814Z",
+  "lastIntraDayXScan": "2026-03-01T04:01:37.647Z",
  "lastInouSuggestion": "2026-02-28T14:00:00Z",
  "lastEmail": 1772132453,
  "pendingBriefingItems": [
--- a/memory/updates/2026-02-28.json
+++ b/memory/updates/2026-02-28.json
@ -1,20 +1,28 @@
 {
  "date": "2026-02-28",
-  "timestamp": "2026-02-28T09:00:06-05:00",
-  "openclaw": {
-    "before": "2026.2.26",
-    "latest": "2026.2.26",
-    "updated": false
+  "time": "21:00 ET",
+  "os_updates": {
+    "status": "up_to_date",
+    "upgraded": 0,
+    "details": "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded"
  },
  "claude_code": {
-    "before": "2.1.63",
-    "latest": "2.1.63",
-    "updated": false
+    "previous": "2.1.53",
+    "current": "2.1.63",
+    "updated": true
  },
-  "os": {
-    "available": "0\n0",
+  "openclaw": {
+    "version": "2026.2.26",
    "updated": false,
-    "packages": []
+    "status": "up_to_date"
  },
-  "gateway_restarted": false
+  "session_cleanup": {
+    "cron_run_keys_removed": 78,
+    "active_jsonl_files": 91,
+    "sessions_json_updated": true
+  },
+  "memory_updated": {
+    "working_context": true,
+    "daily_note": true
+  }
 }
--- a/memory/working-context.md
+++ b/memory/working-context.md
@ -1,5 +1,5 @@
 # Working Context
-*Updated: 2026-02-28 17:57 ET*
+*Updated: 2026-02-28 21:00 ET (nightly maintenance)*

 ## PRIMARY PROJECT: Vault1984

@ -7,44 +7,75 @@

 ### What it is
 Password manager for humans with AI assistants. Two-tier encryption:
- L1: server key, AI (James) can read — API keys, SSH, TOTP
- L2: client-side WebAuthn PRF only (Touch ID / Titan Key) — card numbers, CVV, passport, NEVER on server
+- L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP
+- L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server.

 ### Status: Day 1 complete, Day 2 pending
 - Binary: `/home/johan/dev/vault1984/vault1984`
- Running: `http://192.168.1.16:1984` (port 1984 = Orwell, intentional)
+- Running: `http://192.168.1.16:1984` (port = Orwell, intentional)
 - Git: `git@zurich.inou.com:vault1984.git`
 - 3 bugs found and fixed by test suite

 ### Day 2 TODO
 1. WebAuthn PRF (client-side L2 key derivation)
 2. L2 client-side encrypt/decrypt in browser
-3. Scoped MCP tokens (per-agent credential scoping — KEY FEATURE for multi-agent use)
+3. Scoped MCP tokens (per-agent credential scoping — KEY FEATURE)
 4. Extension autofill (LLM field mapping)
 5. Caddy proxy + systemd service
 6. Import Johan's actual 12,623 entries

-### Go-to-Market
-**Goal: Get Alex Finn (@AlexFinn) to adopt Vault1984**
- He runs 10+ OpenClaw agents 24/7 on a swarm (3x Mac Studio, DGX Spark)
- He's a Discord power user — subagent searching for his server
- Strategy: James joins his Discord, participates genuinely, Vault1984 comes up naturally
- James needs Discord account — Johan to provide token
- Content angle: "10 agents, each scoped to exactly what it needs" — scoped MCP tokens
+### Go-to-Market: Alex Finn (@AlexFinn)
+- Runs 10+ OpenClaw agents 24/7 on Mac Studio swarm (3x Mac Studio + DGX Spark)
+- Discord is his primary community — subagent was hunting for his server
+- James needs Discord account token from Johan to participate genuinely
+- Hook: scoped MCP tokens = exact problem he has (multi-agent credential isolation)
+- Content strategy: let his bots surface the content, don't @ tag him

-### Assets ready
- `docs/README.md` — project readme
- `docs/X-ANNOUNCEMENT.md` — 3 options + full thread
- `docs/KILLER-FEATURES.md` — 14 features
- `docs/RESEARCH.md` — Chrome complaints, CC/Codex MCP config, community channels
- `docs/SESSION-2026-02-28.md` — full session notes
+### Pending items
+- [ ] AlexFinn Discord server — did subagent find it?
+- [ ] James Discord account token — ask Johan
+- [ ] Import 12,623 entries into Vault1984
+- [ ] Vault1984 Day 2 (WebAuthn PRF, scoped tokens, Caddy, systemd)

-## Other Active
- **Dealspace/muskepo.com**: Live at 82.24.174.112, Shannon VPS
+---
+
+## SECONDARY PROJECT: Dealspace (muskepo.com)
+
+### Status: Live, hardened, tests passing
+- Live at: https://muskepo.com (Shannon VPS — 82.24.174.112)
+- Shannon VPS: root pw `gUB-C63-EN`, paid till 2026-04-09
+- Git: `git@zurich.inou.com:dealspace.git` | Local: `/home/johan/dev/dealspace`
+- 83 tests passing, security hardened (timing attacks fixed, CORS locked, security headers)
+- Smoke test: 14/14 PASS (`scripts/smoke-test.sh`)
+
+### Pending
+- [ ] Invite flow (only invited users can sign up — not yet built)
+- [ ] GET/DELETE /api/projects/:id, DELETE /api/orgs/:id (documented, missing)
+- [ ] SMTP config (waiting on Misha's domain decision)
+- [ ] First Misha demo — muskepo.com is placeholder name, Misha hasn't confirmed
+
+---
+
+## SECONDARY PROJECT: inou health
+
+### Status: Code reviewed, hardened
+- LOINC matching bug FIXED (normalize.go)
+- Auth backdoor REMOVED (code 250365 gone from dbcore.go)
+- CORS locked to allowlist
+- 59 tests written and passing
+- Full report: `/home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md`
+
+---
+
+## Abandoned
+- **Azure Backup project** — abandoned, local at `azure-backup-abandoned-20260228`, remote deleted from Zurich
+
+## World Events Noted
+- US Operation Epic Fury (Iran strikes) — 2026-02-28 ~15:41 ET
+- OpenAI × DoD classified AI agreement signed
+- Taalas/ChatJimmy (chatjimmy.ai) — HC1 silicon Llama 3.1 8B, 17,000 tok/s, $30M spent
+
+## Infrastructure
 - **DocSys**: Running at localhost:9201
- **inou**: Code review done, LOINC fixed, backdoor removed
- **Azure backup**: ABANDONED — deleted from Zurich, local at azure-backup-abandoned-20260228
-
-## Pending Subagents
- vault1984-research (Chrome complaints etc) — may still be running
- alexfinn-discord — searching for his Discord server
+- **Vault1984**: Running at http://192.168.1.16:1984
+- **Dealspace**: Running at muskepo.com (Shannon VPS)