chore: auto-commit uncommitted changes

hans/INFRASTRUCTURE-OVERVIEW.md

@@ -5,61 +5,69 @@
 
 ---
 
-## 1. Hub — Zurich SOC (82.22.36.202)
+## 1. HQ — Hans NOC Node (185.218.204.47)
 
 | Field | Value |
 |-------|-------|
-| **Provider** | Hostkey (Switzerland, likely Equinix ZH) |
+| **Provider** | Hostkey (Switzerland, Zürich) |
-| **IP** | 82.22.36.202 |
+| **IP** | 185.218.204.47 |
-| **DNS** | zurich.inou.com |
+| **DNS** | noc.vault1984.com |
-| **Specs** | 4 vCPU / 6 GB RAM / 120 GB SSD |
+| **Specs** | 4 vCPU / 6 GB RAM / 120 GB SSD (vm.mini) |
-| **Cost** | Existing (already paid — inou.com infrastructure) |
+| **Cost** | €3.90/mo |
 | **WireGuard role** | Hub — 10.84.0.1/24, UDP 51820 |
 
-### Services Running on Hub
+This is the **vault1984 control plane and NOC node** — dedicated to vault1984 infrastructure only. It is NOT an AWS instance.
+
+### Services Running on HQ
 
 | Service | Port / Address | Purpose |
 |---------|---------------|---------|
 | **WireGuard hub** | UDP 51820 / 10.84.0.1 | Fleet management network |
-| **Caddy** | 443 (public) | Reverse proxy + auto-TLS |
+| **OpenClaw NOC agent** | internal | Receives deploy commands, executes, reports back |
-| **Stalwart mail** | 25/465/587/143/993/995 | @jongsma.me, @inou.com, @vault1984.com |
 | **Uptime Kuma** | localhost:3001 → `soc.vault1984.com` | Fleet monitoring dashboard |
-| **ntfy** | localhost:2586 → `ntfy.inou.com` | Push alerts (`vault1984-alerts`) |
+| **ntfy** | push alerts | `vault1984-alerts` topic |
-| **Git server** | SSH (git user) | vault1984.git, vault1984-web.git, others |
 
-> **Note:** SSH on the hub is public (normal sshd). Spoke nodes have SSH on WireGuard only — port 22 is NOT reachable from the public internet.
+> **Note:** Stalwart mail, Git server, and inou.com infrastructure run on the separate Zurich inou.com server (82.22.36.202). Hans is vault1984-only.
+
+> **SSH on spoke nodes:** Spoke nodes have SSH on WireGuard only — port 22 is NOT reachable from the public internet.
 
 ---
 
-## 2. Spoke Nodes — 16-Node Global Fleet
+## 2. Spoke Nodes — 21-Region Global Fleet
 
-### Vultr Plan: VX1 ✅ Confirmed
+### Platform: AWS EC2 t4g.nano ✅ Approved
-**$2.50/mo** — 1 vCPU, 512 MB RAM, 10 GB SSD, 500 GB transfer  
+**~$3/mo** — ARM/Graviton, 2 vCPU, 0.5 GB RAM  
-*(Source: INFRASTRUCTURE.md — "All Vultr nodes: VX1 tier — 1 vCPU, 512 MB RAM, 10 GB SSD, 0.5 TB bandwidth @ $2.50/mo")*
+One binary per region. No database sync, no replication — each node is independent.
+
+> **Deployment method:** TBD — likely Terraform or manual AWS Console for initial rollout. Not yet decided; do not assume automation tooling exists.
 
 ### Full Node Table
 
-| # | Node Name | City | Provider | Plan | WG IP | Cost/mo | Status |
+| # | Node Name | Region / City | AWS Region | Provider | WG IP | Cost/mo | Status |
-|---|-----------|------|----------|------|-------|---------|--------|
+|---|-----------|---------------|------------|----------|-------|---------|--------|
-| 1 | `zurich` | Zürich, CH | Hostkey (existing) | 4vCPU/6GB/120GB | 10.84.0.2 | $0 (existing) | ⏸️ Spoke not yet deployed |
+| HQ | `zurich` | Zürich, CH | — (Hostkey) | Hostkey Hans | 10.84.0.1 | €3.90 | 🔄 NOC live, spoke TBD |
-| 2 | `frankfurt` | Frankfurt, DE | Vultr | VX1 $2.50 | 10.84.0.3 | $2.50 | ❌ Not provisioned |
+| 1 | `virginia` | N. Virginia, US | us-east-1 | AWS t4g.nano | 10.84.0.2 | ~$3 | ❌ Not provisioned |
-| 3 | `newjersey` | New Jersey, US | Vultr | VX1 $2.50 | 10.84.0.4 | $2.50 | ❌ Not provisioned |
+| 2 | `ncalifornia` | N. California, US | us-west-1 | AWS t4g.nano | 10.84.0.3 | ~$3 | ❌ Not provisioned |
-| 4 | `siliconvalley` | Silicon Valley, US | Vultr | VX1 $2.50 | 10.84.0.5 | $2.50 | ❌ Not provisioned |
+| 3 | `montreal` | Montreal, CA | ca-central-1 | AWS t4g.nano | 10.84.0.4 | ~$3 | ❌ Not provisioned |
-| 5 | `dallas` | Dallas, US | Vultr | VX1 $2.50 | 10.84.0.6 | $2.50 | ❌ Not provisioned |
+| 4 | `mexicocity` | Mexico City, MX | mx-central-1 | AWS t4g.nano | 10.84.0.5 | ~$3 | ❌ Not provisioned |
-| 6 | `london` | London, UK | Vultr | VX1 $2.50 | 10.84.0.7 | $2.50 | ❌ Not provisioned |
+| 5 | `saopaulo` | São Paulo, BR | sa-east-1 | AWS t4g.nano | 10.84.0.6 | ~$3 | ❌ Not provisioned |
-| 7 | `warsaw` | Warsaw, PL | Vultr | VX1 $2.50 | 10.84.0.8 | $2.50 | ❌ Not provisioned |
+| 6 | `london` | London, UK | eu-west-2 | AWS t4g.nano | 10.84.0.7 | ~$3 | ❌ Not provisioned |
-| 8 | `tokyo` | Tokyo, JP | Vultr | VX1 $2.50 | 10.84.0.9 | $2.50 | ❌ Not provisioned |
+| 7 | `paris` | Paris, FR | eu-west-3 | AWS t4g.nano | 10.84.0.8 | ~$3 | ❌ Not provisioned |
-| 9 | `seoul` | Seoul, KR | Vultr | VX1 $2.50 | 10.84.0.10 | $2.50 | ❌ Not provisioned |
+| 8 | `frankfurt` | Frankfurt, DE | eu-central-1 | AWS t4g.nano | 10.84.0.9 | ~$3 | ❌ Not provisioned |
-| 10 | `mumbai` | Mumbai, IN | Vultr | VX1 $2.50 | 10.84.0.11 | $2.50 | ❌ Not provisioned |
+| 9 | `spain` | Spain, ES | eu-south-2 | AWS t4g.nano | 10.84.0.10 | ~$3 | ❌ Not provisioned |
-| 11 | `saopaulo` | São Paulo, BR | Vultr | VX1 $2.50 | 10.84.0.12 | $2.50 | ❌ Not provisioned |
+| 10 | `stockholm` | Stockholm, SE | eu-north-1 | AWS t4g.nano | 10.84.0.11 | ~$3 | ❌ Not provisioned |
-| 12 | `sydney` | Sydney, AU | Vultr | VX1 $2.50 | 10.84.0.13 | $2.50 | ❌ Not provisioned |
+| 11 | `uae` | UAE | me-central-1 | AWS t4g.nano | 10.84.0.12 | ~$3 | ❌ Not provisioned |
-| 13 | `johannesburg` | Johannesburg, ZA | Vultr | VX1 $2.50 | 10.84.0.14 | $2.50 | ❌ Not provisioned |
+| 12 | `telaviv` | Tel Aviv, IL | il-central-1 | AWS t4g.nano | 10.84.0.13 | ~$3 | ❌ Not provisioned |
-| 14 | `telaviv` | Tel Aviv, IL | Vultr | VX1 $2.50 | 10.84.0.15 | $2.50 | ❌ Not provisioned |
+| 13 | `capetown` | Cape Town, ZA | af-south-1 | AWS t4g.nano | 10.84.0.14 | ~$3 | ❌ Not provisioned |
-| 15 | `dubai` | Dubai, AE | Hostkey | ~$5–8/mo (vm.mini class) | 10.84.0.16 | ~$6.50 | ⏸️ Decision pending |
+| 14 | `mumbai` | Mumbai, IN | ap-south-1 | AWS t4g.nano | 10.84.0.15 | ~$3 | ❌ Not provisioned |
-| 16 | `istanbul` | Istanbul, TR | TBD (Hostkey preferred; Vultr has no TR) | TBD | 10.84.0.17 | ~$3.90 est. | ⏸️ Provider TBD |
+| 15 | `singapore` | Singapore, SG | ap-southeast-1 | AWS t4g.nano | 10.84.0.16 | ~$3 | ❌ Not provisioned |
+| 16 | `jakarta` | Jakarta, ID | ap-southeast-3 | AWS t4g.nano | 10.84.0.17 | ~$3 | ❌ Not provisioned |
+| 17 | `malaysia` | Kuala Lumpur, MY | ap-southeast-5 | AWS t4g.nano | 10.84.0.18 | ~$3 | ❌ Not provisioned |
+| 18 | `sydney` | Sydney, AU | ap-southeast-2 | AWS t4g.nano | 10.84.0.19 | ~$3 | ❌ Not provisioned |
+| 19 | `seoul` | Seoul, KR | ap-northeast-2 | AWS t4g.nano | 10.84.0.20 | ~$3 | ❌ Not provisioned |
+| 20 | `hongkong` | Hong Kong | ap-east-1 | AWS t4g.nano | 10.84.0.21 | ~$3 | ❌ Not provisioned |
 
-> **Istanbul note:** Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini at ~€3.90/mo. Warsaw covers Istanbul at ~30ms if deferred.  
+> **Why Graviton/ARM?** AWS t4g.nano is ARM-based (Graviton2). Unique in the market at this price point — GCP doesn't offer ARM below t2a-standard-1 (1 vCPU, 4 GB RAM). vault1984 Go binary cross-compiles to `linux/arm64` cleanly.
-> **Dubai note:** INFRASTRUCTURE.md lists Dubai as Hostkey at ~$5–8/mo. Order not yet placed — pending Johan's decision.
 
 ---
 
@@ -68,23 +76,23 @@
 Every spoke node runs the same minimal stack — deliberately so. No drift by design.
 
 ```
-[Vultr/Hostkey VPS]
+[AWS EC2 t4g.nano]
 ├── NixOS (declarative, reproducible, 2 generations max)
 ├── vault1984 binary (Go, ~15 MB, ports :80 + :443)
 │   ├── Built-in autocert (Let's Encrypt via golang.org/x/crypto/acme/autocert)
 │   ├── Kuma push heartbeat (every 30s to soc.vault1984.com)
 │   └── vault1984.db (SQLite + WAL)
-└── WireGuard spoke → hub (10.84.0.1:51820)
+└── WireGuard spoke → hub (10.84.0.1:51820, Hans HQ)
     └── SSH binds to WireGuard IP only (10.84.0.x:22)
 ```
 
 **Public ports:** 80, 443 only.  
-**NOT public:** Port 22 (SSH reachable only via WireGuard tunnel from Zurich hub).
+**NOT public:** Port 22 (SSH reachable only via WireGuard tunnel from Hans HQ).
 
 ### Heartbeat Payload (every 30s, vault1984 → Kuma)
 ```json
 {
-  "node": "tokyo",
+  "node": "singapore",
   "ram_mb": 142,      "disk_pct": 31.2,   "cpu_pct": 2.1,
   "db_size_mb": 12,   "db_integrity": true,
   "active_sessions": 3, "req_1h": 847,     "err_1h": 2,
@@ -103,22 +111,22 @@ Each node gets its own subdomain under `vault1984.com`:
 
 | Node | FQDN | Type | Points to |
 |------|------|------|-----------|
-| zurich | zurich.vault1984.com | A | 82.22.36.202 |
+| zurich (HQ) | noc.vault1984.com | A | 185.218.204.47 |
-| frankfurt | frankfurt.vault1984.com | A | (Vultr IP, TBD) |
+| virginia | virginia.vault1984.com | A | (AWS IP, TBD) |
-| newjersey | newjersey.vault1984.com | A | (Vultr IP, TBD) |
+| ncalifornia | ncalifornia.vault1984.com | A | (AWS IP, TBD) |
-| … | … | A | (Vultr IP, TBD) |
+| montreal | montreal.vault1984.com | A | (AWS IP, TBD) |
-| dubai | dubai.vault1984.com | A | (Hostkey IP, TBD) |
+| … | … | A | (AWS IP, TBD) |
 
 All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`).  
 **DNS-only mode** — no Cloudflare proxying. vault1984 is a password vault; routing through third-party proxies defeats the trust model.
 
 ### vault1984.com Root
-- **vault1984.com** → **New Jersey** node (primary; largest US East market)  
+- **vault1984.com** → **Virginia** node (primary; largest US East market)  
 - `www.vault1984.com` → same (or 301 → apex)
 - **Option: Cloudflare Load Balancer GeoDNS** → $5/mo — latency-based routing across all nodes. Johan decides post-pilot.
 
 ### SOC Domain
-- `soc.vault1984.com` → 82.22.36.202 (Caddy → Kuma:3001) — internal status dashboard
+- `soc.vault1984.com` → 185.218.204.47 (Hans HQ → Kuma:3001) — internal status dashboard
 
 ---
 
@@ -126,12 +134,12 @@ All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`).
 
 | # | Milestone | Deadline | Status | Notes |
 |---|-----------|----------|--------|-------|
-| **M1** | Zurich SOC ready (WireGuard hub + Kuma + `soc.vault1984.com`) | Mon Mar 2, EOD | 🔄 In progress | WireGuard hub + Kuma configured on Zurich; fleet Kuma monitors need creation when nodes go live. Hans server (185.218.204.47) live as NOC node. |
+| **M1** | Hans HQ ready (WireGuard hub + OC NOC + `soc.vault1984.com`) | Mon Mar 2, EOD | 🔄 In progress | OpenClaw NOC live on Hans. WireGuard hub + Kuma fleet monitors need creation when nodes go live. |
-| **M2** | NixOS config + deploy tooling in `vault1984/infra/` | Tue Mar 3, EOD | 🔄 In progress | **TODAY** — Hans executing. Includes base.nix, 16 node vars, provision.sh, deploy.sh, healthcheck.sh, vault1984 telemetry push goroutine. |
+| **M2** | NixOS config + deploy tooling in `vault1984/infra/` | Tue Mar 3, EOD | 🔄 In progress | **TODAY** — Hans executing. Includes base.nix, node vars, provision scripts, vault1984 telemetry push goroutine. Deployment method (Terraform vs manual AWS Console) TBD. |
-| **M3** | Pilot: 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | ❌ Not started | Blocked on M2 completion + Vultr API key. |
+| **M3** | Pilot: 3 nodes live (Virginia + 2 others) | Wed Mar 4, noon | ❌ Not started | Blocked on M2 completion + AWS account/credentials setup. |
 | **M4** | Go/No-Go review | Wed Mar 4, EOD | ❌ Not started | Johan reviews pilot. |
-| **M5** | Full 16-node fleet live | Thu Mar 5, EOD | ❌ Not started | 4 batches of ~4 nodes. Blocked on M4 green light + Vultr API key. |
+| **M5** | Full 20-region AWS fleet live | Thu Mar 5, EOD | ❌ Not started | 4 batches. Blocked on M4 green light + AWS account/credentials. |
-| **M6** | DNS, TLS, health checks verified across all 16 | Thu Mar 5, EOD | ❌ Not started | Follows M5. |
+| **M6** | DNS, TLS, health checks verified across all nodes | Thu Mar 5, EOD | ❌ Not started | Follows M5. |
 | **M7** | 🚀 Go-live — vault1984.com routes to fleet | **Fri Mar 6, noon** | ❌ Not started | Johan + James final sign-off. |
 
 ---
@@ -142,25 +150,25 @@ All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`).
 
 | Component | Nodes | Unit Cost | Monthly |
 |-----------|-------|-----------|---------|
-| Zurich hub (Hostkey) | 1 | Existing (inou.com infra) | $0 incremental |
+| Hans HQ (Hostkey Zürich) | 1 | €3.90/mo | **~$4** |
-| Vultr VX1 nodes | 13 | $2.50/mo | **$32.50** |
+| AWS t4g.nano (20 regions) | 20 | ~$3/mo | **~$60** |
-| Dubai (Hostkey, ~vm.mini) | 1 | ~$5–8/mo est. | **~$6.50** |
+| **Total fleet** | **21** | — | **~$64/mo** |
-| Istanbul (Hostkey est.) | 1 | ~€3.90/mo est. | **~$4.25** |
-| **Total fleet** | **16** | — | **~$43/mo** |
 
-> Zurich hub cost is shared with inou.com, Stalwart mail, and other services — not charged to vault1984 budget.
+> Approximate total: **~$64–67/mo** (EUR/USD fluctuation). Well under the $100/mo budget.
+
+> The inou.com Zurich server (82.22.36.202) is separate infrastructure — not charged to vault1984 budget.
 
 ### Remaining Budget
 - Budget ceiling: **$100/mo**
-- Fleet spend: **~$43/mo**
+- Fleet spend: **~$64–67/mo**
-- Reserve for upgrades: **~$57/mo** (use when individual nodes see demand)
+- Reserve for upgrades: **~$33–36/mo** (use when individual nodes see demand)
 
 ### Node Upgrade Path (when needed)
 | Tier | Specs | Cost |
 |------|-------|------|
-| VX1 (current) | 1 vCPU / 512MB / 10GB | $2.50/mo |
+| t4g.nano (current) | 2 vCPU / 0.5 GB / ARM | ~$3/mo |
-| Next tier | 1 vCPU / 1GB / 25GB / 1TB | $6/mo |
+| t4g.micro | 2 vCPU / 1 GB / ARM | ~$6/mo |
-| Mid tier | 2 vCPU / 2GB / 50GB / 2TB | $12/mo |
+| t4g.small | 2 vCPU / 2 GB / ARM | ~$12/mo |
 
 ---
 
@@ -168,9 +176,10 @@ All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`).
 
 | Blocker | Owner | Impact | Notes |
 |---------|-------|--------|-------|
-| **Vultr API key** | 🔴 Johan (pending) | Blocks M3, M5 — cannot provision any VPS | Was due Mon Mar 2 AM. Still outstanding as of Tue Mar 3. Hans cannot provision 13 nodes without it. |
+| **AWS account / credentials setup** | 🔴 Johan (pending) | Blocks M3, M5 — cannot provision any EC2 instances | No AWS account configured yet. Needed before any spoke can be provisioned. |
-| **Dubai decision** | 🟡 Johan | Blocks Dubai node (15th spoke) | Option A: Order Hostkey Dubai (~$5–8/mo). Option B: Cover Gulf region with Tel Aviv (~40ms). Option C: Defer to post-launch. Warsaw covers Istanbul at 30ms if Istanbul also deferred. |
+| **AWS deployment method** | 🟡 James/Hans | Blocks M2 tooling finalization | Likely Terraform or manual AWS Console. Not yet decided — do not build automation assuming either approach. |
-| **Istanbul provider** | 🟡 James/Hans | Blocks 16th spoke | Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini ~€3.90/mo. Low urgency — Warsaw covers at ~30ms. |
+
+> **No longer a blocker:** ~~Vultr API key~~ — Vultr removed from architecture entirely.
 
 ---
 
@@ -181,6 +190,7 @@ All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`).
 3. **No public SSH.** Every spoke node: SSH on WireGuard interface only. Public internet sees 80+443, nothing else.
 4. **NixOS everywhere.** Declarative = zero drift. One config file per node, checked into repo. Roll back any node in seconds.
 5. **Nodes are independent.** No replication. User vault lives on one node. Scale up single nodes when demand warrants.
+6. **ARM/Graviton only.** AWS t4g.nano — cheapest viable ARM compute in the market. vault1984 Go binary compiles to `linux/arm64` cleanly.
 
 ---
 

memory/claude-usage.json

@@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-03-03T17:00:01.444170Z",
+  "last_updated": "2026-03-03T23:00:01.313752Z",
   "source": "api",
-  "session_percent": 0,
+  "session_percent": 7,
-  "session_resets": null,
+  "session_resets": "2026-03-04T03:00:00.270947+00:00",
-  "weekly_percent": 79,
+  "weekly_percent": 84,
-  "weekly_resets": "2026-03-06T03:00:00.388794+00:00",
+  "weekly_resets": "2026-03-06T03:00:00.270963+00:00",
-  "sonnet_percent": 85
+  "sonnet_percent": 90
 }

memory/git-audit-lastfull.txt

@@ -1 +1 @@
-1772470929
+1772557329

memory/heartbeat-state.json

@@ -14,8 +14,8 @@
   "lastDocInbox": "2026-02-25T22:01:42.532628Z",
   "lastTechScan": 1772550203,
   "lastMemoryReview": "2026-03-02T17:04:00Z",
-  "lastIntraDayXScan": "2026-03-03T04:03:00Z",
+  "lastIntraDayXScan": "2026-03-03T20:32:00Z",
-  "lastInouSuggestion": "2026-03-02T17:03:49.016Z",
+  "lastInouSuggestion": "2026-03-03T17:32:22.857Z",
   "lastEmail": 1772132453,
   "pendingBriefingItems": [
     {