chore: weekly memory synthesis Feb 22 — SnappyMail, Dealspace, Docker updates, scope fix docs

James 2026-02-22 05:05:40 -05:00
parent 482e0d8f8a
commit ab0008c696
2 changed files with 204 additions and 21 deletions

219
MEMORY.md

@ -1,6 +1,6 @@
# MEMORY.md - Long-Term Memory # MEMORY.md - Long-Term Memory
*Last updated: 2026-02-21 (background memory review)* *Last updated: 2026-02-22 (weekly synthesis — Sun 05:00 ET)*
--- ---
## ⏰ JOHAN'S SCHEDULE (US EASTERN) — MEMORIZE THIS! ## ⏰ JOHAN'S SCHEDULE (US EASTERN) — MEMORIZE THIS!
@ -143,6 +143,32 @@ I do NOT ask for permission or approval. I use my judgment. I only escalate if s
- Johan's number: +17272252475 (US, Thinkphone) - Johan's number: +17272252475 (US, Thinkphone)
- API: `http://192.168.1.16:8080/api/v1/rpc` (JSON-RPC, NOT REST) - API: `http://192.168.1.16:8080/api/v1/rpc` (JSON-RPC, NOT REST)
- Payload: `{"jsonrpc":"2.0","method":"send","params":{"recipient":["+1..."],"message":"text"},"id":1}` - Payload: `{"jsonrpc":"2.0","method":"send","params":{"recipient":["+1..."],"message":"text"},"id":1}`
- **Family routing (Feb 18):** Only Johan's number in `signal-allowFrom.json`. Kids (Roos, Jacques, Misha) have isolated sessions via pairing flow. They send a message → get pairing code → type it back → get own session.
### Telegram (Feb 18 — PRIMARY CHANNEL)
- **Bot:** @jamesjongsma_bot, ID: 8510971070
- **Token:** `8510971070:AAFFgv_UO_9L0Ulp2DRKHD-IWKkrarJNTIc`
- **Johan:** @johanjongsma, Telegram ID: 8454563068
- **Briefings go here** — Telegram supports rich Markdown (bold, italic, headers)
- Signal = alerts, quick pings, conversational replies
### Heartbeat Cron Architecture (Feb 18 — REDESIGNED)
- **Built-in heartbeat disabled** (interval 720h) — was burning 148k tokens per check
- **K2 Watchdog** (isolated K2.5 session, every 30 min): service health + doc inbox + Claude usage
- **Email Straggler** (isolated Sonnet, every 90 min): fallback email triage
- **Intra-day X Watch** (subagent, every 3-4h): checks @Cloudflare, @openclaw, @moltbot, @AlexFinn, @realDonaldTrump. Always spawn subagent, never inline.
- **inou Daily Suggestion** (subagent, each morning): proposes ONE inou building task. No marketing suggestions.
- Main session now only used for actual conversations with Johan.
### OpenClaw Patches (reapply after every OC update)
Two patches must be reapplied to `dist/` files after each OpenClaw update:
1. **Scope preservation** (`dist/gateway-cli-DbznSfRg.js`): `if (scopes.length > 0)``if (scopes.length > 0 && !disableControlUiDeviceAuth)` — prevents `dangerouslyDisableDeviceAuth` from clearing scopes
2. **Deleted transcript indexing** (`dist/sqlite-C54NeA1C.js`): `.filter((name) => name.endsWith(".jsonl"))` → add `|| name.includes(".jsonl.deleted.")` — makes memory_search find old sessions
### ⚠️ sessions_spawn Scope Issue (every restart)
`operator.write+read` scopes are stripped from device-auth.json on EVERY gateway restart (not just OC updates).
**Fix each time:** patch 3 files: `~/.openclaw/identity/device-auth.json`, `devices/paired.json`, `devices/pending.json` → set `"scopes": ["operator.write", "operator.read"]`, then restart gateway.
**TODO:** automate as a post-start hook so this stops being manual.
### Network ### Network
- Home lab behind UDM-Pro + Caddy - Home lab behind UDM-Pro + Caddy
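Review bot: the `- **Token:**` line in the new Telegram section commits the bot token for @jamesjongsma_bot in clear text, so anyone who can read this repository or its history can act as the bot. Replace the value with a pointer to where the secret is kept, and reissue the token through BotFather, since removing the line in a later commit does not remove it from history. Separately, the "Scope preservation" item and the restart fix both depend on `dangerouslyDisableDeviceAuth` being set and on hand-writing `"scopes": ["operator.write", "operator.read"]` into three files; a sentence on why device auth is disabled would let a later reader judge whether the planned post-start hook is still needed.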
@ -219,6 +245,29 @@ I do NOT ask for permission or approval. I use my judgment. I only escalate if s
### Research ### Research
- **Use Grokipedia instead of Wikipedia** — Johan's preference for lookups & Lessons Learned - **Use Grokipedia instead of Wikipedia** — Johan's preference for lookups & Lessons Learned
### News Philosophy (Feb 17)
- **X/Twitter is the radar** — breaks news hours before traditional outlets. Primary source for briefings.
- **Then go to PRIMARY SOURCE** — Anthropic blog, SEC filings, whitehouse.gov, etc. Never cite middlemen (CNBC, Guardian, Reuters) when the original source exists.
- Johan wants raw signal, not editorial filter.
### Privacy: Fireworks vs Grok/xAI (Feb 17)
- **Fireworks guarantees privacy** — use for anything touching private data (emails, Teams, Sophia medical)
- **Grok (xAI) does NOT guarantee privacy** — OK for public news scanning, never for private data
### Wake Permission (Feb 16)
- Johan allows James to wake him from **8:00 AM ET onwards**
- Only for genuinely important events (Kaseya critical, urgent emails, etc.)
- No FYI-level noise — real alerts only
### Voice: Fish Audio S1 TTS (Feb 16 — LIVE)
- Voice: **Adrian** (reference_id: `bf322df2096a46f18c579d0baa36f41d`)
- Model: `s1`. API: `POST https://api.fish.audio/v1/tts` with Bearer auth
- Pricing: $5/M UTF-8 bytes (pay-as-you-go, no subscription)
- Pipeline: Fish API → mp3 → serve on :8199 → `media_player.play_media` on Fully tablets
- **Office tablet** (office1.tbl) is reliable for both media_player and notify TTS
- **mbed tablet** (192.168.0.186): use Fully REST playSound (`?cmd=playSound&url=<mp3>&password=3005`) — HA Companion not working there
- TODO: Make persistent TTS service (not ad-hoc python server)
### URLs/IPs ### URLs/IPs
- **Use local IPs when available** — Johan prefers local network addresses over public/Tailscale IPs for internal services - **Use local IPs when available** — Johan prefers local network addresses over public/Tailscale IPs for internal services
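Review bot: the mbed tablet line in the Fish Audio section records the Fully REST password inside the example URL (`&password=3005`). Use a placeholder there, the way the Access URLs section writes `?token=<gateway_token>`, and keep the real value out of the tracked file. The same hunk adds the rule that private data goes only to Fireworks, but the TTS pipeline posts announcement text to `https://api.fish.audio/v1/tts`; the Privacy section should say whether text sent for speech counts as private data under that rule.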
@ -319,23 +368,19 @@ Automated document processing pipeline for scanned paperwork.
## Work Principles (from corrections) ## Work Principles (from corrections)
- **"Stel niet uit tot morgen, wat je vandaag kan doen"** — Don't poll when you can trigger. Don't batch when you can stream. Don't defer when you can do it now. If the work can happen immediately, make it happen immediately. - **"Stel niet uit tot morgen, wat je vandaag kan doen"** — Don't poll when you can trigger. Don't batch when you can stream. Don't defer when you can do it now. If the work can happen immediately, make it happen immediately.
- **ALWAYS attack problems at their source** — Johan HATES workarounds. They bite you tomorrow. Fix the root cause, not the symptom. If a trigger is wrong, fix the trigger — don't filter downstream. - **ALWAYS attack problems at their source** — Johan HATES workarounds. Fix the root cause, not the symptom. If a trigger is wrong, fix the trigger — don't filter downstream.
- **Best over fast, always** — Johan doesn't want the fastest approach; he wants the best one. Don't cut corners for speed.
- **Deduplicate ruthlessly** — Say it once, in the right place. Don't repeat info across channels. - **Deduplicate ruthlessly** — Say it once, in the right place. Don't repeat info across channels.
- **Extract the WHY, not the what** — Surface fixes don't generalize. Always ask "why was this wrong?" and find the principle. - **Extract the WHY, not the what** — Surface fixes don't generalize. Always ask "why was this wrong?" and find the principle.
- **Offload by default, Opus by exception** — K2.5 can handle straightforward coding. Save Opus for judgment, conversation, complex reasoning. - **Offload by default, Opus by exception** — K2.5 can handle straightforward coding. Save Opus for judgment, conversation, complex reasoning.
- **Always git commit workspace files** — After editing TOOLS.md, MEMORY.md, AGENTS.md, or any workspace file, `git add -A && git commit`. Don't leave changes uncommitted. - **Always git commit workspace files** — After editing TOOLS.md, MEMORY.md, AGENTS.md, or any workspace file, `git add -A && git commit`. Don't leave changes uncommitted.
- **Commit uncommitted changes you find** — During git audits/heartbeats, if you find uncommitted changes in ANY repo, commit and push them yourself. Don't just report — fix it. - **Commit uncommitted changes you find** — During git audits/heartbeats, commit and push them yourself. Don't just report — fix it.
- **Recover context yourself after compaction** — When context is lost: (1) Check `sessions_history` for recent tool calls, (2) Search memory files, (3) Use `memory_search` on transcripts, (4) Reconstruct from available data. NEVER ask Johan for info you already had. Self-recovery is job #1 for a CoS. - **Validate config schema before patching** — Check docs/schema for required fields and valid keys before changing any config. Read first, edit second.
- **"Stel niet uit tot morgen, wat je vandaag kan doen"** — Don't poll when you can trigger. Don't batch when you can stream. Don't defer when you can do it now. If the work can happen immediately, make it happen immediately.
- **Deduplicate ruthlessly** — Say it once, in the right place. Don't repeat info across channels.
- **Extract the WHY, not the what** — Surface fixes don't generalize. Always ask "why was this wrong?" and find the principle.
- **Offload by default, Opus by exception** — K2.5 can handle straightforward coding. Save Opus for judgment, conversation, complex reasoning.
- **Validate config schema before patching** — Check docs/schema for required fields and valid keys before changing gateway config.
- **Spam → Trash, Archive → Reference** — Archive is for things worth finding later. Marketing emails have no future value. - **Spam → Trash, Archive → Reference** — Archive is for things worth finding later. Marketing emails have no future value.
- **Config color values = hex codes** — Not CSS names. Pattern: `^#?[0-9a-fA-F]{6}$` (e.g., `00FF00` not `green`) - **Config color values = hex codes** — Not CSS names. Pattern: `^#?[0-9a-fA-F]{6}$` (e.g., `00FF00` not `green`)
- **Compact data files before committing** — JSON/CSV data files go into git as compact/single-line (`jq -c`), never pretty-printed. Pretty-print is for humans reading; git tracks lines. 854 records ≠ 96K insertions. - **Compact data files before committing** — JSON/CSV data files go into git as compact/single-line (`jq -c`). Pretty-print is for humans; git tracks lines.
- **Recover context yourself after compaction** — When compaction wipes context, search session history, memory files, and transcripts. NEVER ask the user for info you already had. - **Test with observable proof before declaring done** — Always curl/smoke test it yourself before pushing changes or saying "done." "Curl proof" before deploy.
- **Recover context yourself after compaction** — When context is lost: (1) Check session history, (2) Search memory files, (3) Use memory_search on transcripts, (4) Reconstruct. NEVER ask Johan for info you already had. Self-recovery is job #1.
## Technical Learnings (Week of Jan 26-Feb 1) ## Technical Learnings (Week of Jan 26-Feb 1)
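Review bot: the shortened "Commit uncommitted changes you find" bullet now reads "commit and push them yourself" with no condition, and the bullet above it prescribes `git add -A && git commit`. Together they tell the agent to stage and publish every file in a working tree, including credentials or temp files that were never meant to be tracked. Add a step before the push (review `git status`, respect `.gitignore`, run a secret scan) and restore the dropped clause "if you find uncommitted changes in ANY repo", since "them" no longer has anything to refer to.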
@ -356,24 +401,56 @@ Automated document processing pipeline for scanned paperwork.
- Fine for apps behind auth, terrible for marketing pages - Fine for apps behind auth, terrible for marketing pages
- **Keep Go/HTML for public pages** (landing, pricing, privacy, etc.) - **Keep Go/HTML for public pages** (landing, pricing, privacy, etc.)
### AirLLM — forge can run 70B models (Feb 21)
- Library: layer-by-layer GPU offloading → VRAM stays ~1.5GB regardless of model size
- Tested: Qwen2.5-7B on GTX 970 → correct output, 6.1s/tok, peak 1.57GB VRAM
- Implication: 70B models theoretically possible at ~8-12s/tok on forge (GTX 970)
- Fix needed: pin `optimum==1.22.0` (newer removed BetterTransformer); `input_ids.to("cuda")` before generate()
- Use case: batch document analysis, offline medical record processing (data stays local)
### Stalwart — Key Gotchas (Feb 18-22)
- Account `name` field must equal the login username — not automatically derived from `emails` field
- PATCH endpoint is broken in v0.15.5 — use DELETE + POST for account updates
- Stalwart v0.15.5 has NO user webmail — only admin panel. All popular self-hosted webmail is PHP.
- YAML `!` at start of value = YAML tag indicator — passwords starting with `!` must be quoted
- systemd EnvironmentFile: `!` in values also needs quoting
- Admin API: port 8880, `admin:agolM71pOwZBJhggROBDkn8R` via HTTP Basic at `http://127.0.0.1:8880/api/principal`
### Family Stalwart Account Logins (as of Feb 21)
- **tj@jongsma.me**: username `tj`, pw `!Lekker69`
- **johan@jongsma.me**: username `johan`, pw `!!Lekker69`
- **jacques@jongsma.me**: username `jacques@jongsma.me` (full email — changed Feb 21), pw `7I#rydMKlri6r%!g`
- **rozemarijn@jongsma.me**: username `rozemarijn@jongsma.me` (full email — changed Feb 21), pw `cRKEWJL4h3MGn3Li`
- **misha@jongsma.me**: username `misha`, pw `6hRSl8KAZtGXPRUG`
- **tanya@jongsma.me**: username `tanya`
- Short vs full email login is inconsistent (tj/johan prefer short, Jacques/Roos prefer full). Don't change without coordinating with active clients.
### OpenClaw Auth Risk (Feb 19)
- Current config: `"mode": "token"` is actually a **Claude Max OAuth token**, not an API key
- This means Anthropic's crackdown on OpenClaw subscription use applies — risk of Johan's Max account being cancelled
- **Decision pending** — Johan considering API key switch. No action taken yet.
- Options: switch to Anthropic API key, OpenRouter, or accept the risk
--- ---
## Todo / Open Items ## Todo / Open Items
### 🔴 Urgent (This Week — as of Feb 20) ### 🔴 Urgent (This Week — as of Feb 22)
- [ ] **jongsma.me domain transfer** — EXPIRES 2026-02-28 (8 days!). Unlock at OpenProvider, get auth code, initiate transfer at Cloudflare. Transfers take 5-7 days. Window is TIGHT. - [ ] **jongsma.me domain transfer** — EXPIRES 2026-02-28 (6 days!). Unlock at OpenProvider, get auth code, initiate transfer at Cloudflare. Transfers take 5-7 days. Window is CRITICAL.
- [ ] **Azure Files Backup:** `az login` MFA with Johan — free account expires ~Feb 27 (7 days!). Need Johan for MFA. - [ ] **Azure Files Backup:** `az login` MFA with Johan — free account expires ~Feb 27 (5 days!). Need Johan for MFA.
- [ ] **HostKey Amsterdam cancellation** — API returned "being cancelled" but Johan must manually confirm: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e (server ID: 53643)
- [ ] **stpetersburgaquatics.com** — expires 2026-03-13. Transfer or renew. - [ ] **stpetersburgaquatics.com** — expires 2026-03-13. Transfer or renew.
- [ ] **Uptime Kuma monitors** — 8 monitors lost in Zurich rebuild. Rebuild when Johan confirms. - [ ] **Uptime Kuma monitors** — 8 monitors lost in Zurich rebuild. Rebuild when Johan confirms.
- [ ] **Verizon bill** — $343.80 due March 4, 2026. Enroll Auto-Pay to save $30/mo.
### 🟡 Active (Johan Action Needed) ### 🟡 Active (Johan Action Needed)
- [ ] **Vaultwarden:** Johan creates account at vault.jongsma.me → export Proton Pass → import. Then set SIGNUPS_ALLOWED=false. - [ ] **Vaultwarden:** Johan creates account at vault.jongsma.me → export Proton Pass → import. Then set SIGNUPS_ALLOWED=false.
- [ ] **iCloud contacts import:** final.vcf at `/home/johan/clawd/tmp/contacts/final.vcf` — SCP to Mac + import at icloud.com - [ ] **iCloud contacts import:** final.vcf at `/home/johan/clawd/tmp/contacts/final.vcf` — SCP to Mac + import at icloud.com
- [ ] **Misha Signal pairing** — still pending - [ ] **Misha Signal pairing** — still pending
- [ ] **OpenClaw auth decision** — OAuth token = Claude Max subscription risk. API key alternative pending. - [ ] **OpenClaw auth decision** — OAuth token = Claude Max subscription risk. API key alternative pending.
- [ ] **Stalwart short+full login fix** — lookup-domains config. iPhone email setup blocked until resolved. - [ ] **Stalwart short+full login fix** — lookup-domains config. iPhone email setup for tj/johan blocked until resolved.
- [x] **Amsterdam cleanup** — DONE 2026-02-21. All services removed, server decommissioned, DNS cleaned.
- [ ] **Belastingdienst:** Corporate tax filing (vennootschapsbelasting 2025) for entity ***871 — deadline pending - [ ] **Belastingdienst:** Corporate tax filing (vennootschapsbelasting 2025) for entity ***871 — deadline pending
- [x] **Amsterdam cleanup** — DONE 2026-02-21. All services removed, server decommissioned, DNS cleaned.
### 🟢 Backlog (Parked) ### 🟢 Backlog (Parked)
- [ ] Inter-VLAN routing on UDM-Pro (production → Signal API) - [ ] Inter-VLAN routing on UDM-Pro (production → Signal API)
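Review bot: the two Stalwart sections and the Urgent list put working credentials into a tracked file: the `admin:` pair on the "Admin API" line, the five `pw` values under "Family Stalwart Account Logins", and the `key=` parameter in the HostKey panel URL. Keep the usernames and the gotchas (quoting a leading `!`, DELETE + POST instead of PATCH), replace each secret with a reference to an entry in the Vaultwarden instance named in the Active list, and rotate the values, because the commit history retains them. The "Short vs full email login is inconsistent" note is worth keeping as is; it does not need the passwords beside it to be useful.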
@ -382,9 +459,10 @@ Automated document processing pipeline for scanned paperwork.
- [ ] inou Mobile: Content at inou.com/app for WebView - [ ] inou Mobile: Content at inou.com/app for WebView
- [ ] AdventHealth MFA enrollment (Johan action) - [ ] AdventHealth MFA enrollment (Johan action)
- [ ] HAOS SSH key authorization (forge → 192.168.1.252) - [ ] HAOS SSH key authorization (forge → 192.168.1.252)
- [ ] Fish Audio S1 TTS persistent service on forge - [ ] Fish Audio S1 TTS persistent service on forge (currently ad-hoc python http server)
- [ ] rclone backup for Vaultwarden (needs browser OAuth on Zurich) - [ ] rclone backup for Vaultwarden (needs browser OAuth on Zurich)
- [ ] BlueBubbles on Mac Mini M4 (deferred) - [ ] BlueBubbles on Mac Mini M4 (deferred)
- [ ] sessions_spawn from conversation sessions still broken (pairing required 1008 error) — cron jobs work
## Weekly Synthesis Insights (Feb 9-15, 2026) ## Weekly Synthesis Insights (Feb 9-15, 2026)
@ -586,6 +664,26 @@ Major overnight event — Zurich services were broken/missing, rebuilt from scra
- Deleted `inou-mcp/` directory (manifest.json + server binary) - Deleted `inou-mcp/` directory (manifest.json + server binary)
- No more nightly 404 to `inou.com/download/inou.mcpb` - No more nightly 404 to `inou.com/download/inou.mcpb`
### Dealspace (~/dev/dealroom, port 9300)
- Go app, templ templates, SQLite — Misha's M&A data room platform (started Feb 15)
- **Owner:** Misha Muskepo (michael@muskepo.com). Johan is advisor. James is architect/builder.
- **Tech stack:** Go + templ + HTMX + SQLite + Tailwind — single binary, server-rendered
- Admin: `misha@muskepo.com` / `Dealspace2026!` (owner role)
- **Features (Feb 22 UX overhaul):** deal rooms, request lists with Atlas AI assessment, buyer/seller view toggle (owners can switch views), per-deal analytics/audit/contacts, search, real auth (bcrypt, no demo login)
- No public domain yet — local at http://192.168.1.16:9300
- Architecture: inou pattern (centralized RBAC bitmask, entries table, AES-256-GCM encrypted files)
### Home DNS = AdGuard
- Johan's home DNS resolver is **AdGuard Home** (not just HA at 192.168.1.252)
- AdGuard had a DNS rewrite rule for `*.jongsma.me` → home IP
- Cache flush alone doesn't clear rewrite rules — must remove in AdGuard UI: Filters → DNS rewrites
- Wildcard `*.jongsma.me` DNS record removed from Cloudflare (Feb 22)
### Stalwart Webmail = Admin Only
- Stalwart v0.15.5 (latest as of Feb 22) — no user webmail built in
- Web UI at port 8880 = admin panel only
- All popular self-hosted webmail (Roundcube, SnappyMail) is PHP
### 🛠️ Cron Jobs Cleaned Up (Feb 21) ### 🛠️ Cron Jobs Cleaned Up (Feb 21)
- **Evening Briefing**: Removed dead "Shannon status on Amsterdam" check (step 5) - **Evening Briefing**: Removed dead "Shannon status on Amsterdam" check (step 5)
- **Weekly Security Scan**: Fixed broken model (`claude-sonnet-4-20250514` → `claude-sonnet-4-6`), removed `amsterdam.inou.com` from scan targets - **Weekly Security Scan**: Fixed broken model (`claude-sonnet-4-20250514` → `claude-sonnet-4-6`), removed `amsterdam.inou.com` from scan targets
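Review bot: the `- Admin:` line in the new Dealspace section stores the owner-role password next to the login address, in the same file that describes the app as having "real auth (bcrypt, no demo login)". Drop the password from the note, keep only the account name, and replace the password with a generated one now that it has been committed. The section also gives two addresses for the same person (`michael@muskepo.com` on the Owner line, `misha@muskepo.com` on the Admin line); state which one is the actual login.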
@ -656,6 +754,91 @@ Shannon's successful deployment and scan completion demonstrates security toolin
--- ---
## Recent Events (Week of Feb 15-22, 2026)
### 🏗️ New Project: Dealspace / Deal Room (Feb 15-22)
- Misha (Johan's son) + PE contacts built Lovable prototype for M&A investment banking data rooms
- James is architect/builder. Full Go + templ + HTMX + SQLite app built in one session.
- Feb 22 UX overhaul: production bcrypt auth, view toggle (owner↔buyer), search, per-deal analytics
- Live at http://192.168.1.16:9300. No public domain yet. Admin: misha@muskepo.com / Dealspace2026!
### 📬 Email Infrastructure Completion (Feb 18-19)
- **MX flipped Feb 18 3PM ET** — all @jongsma.me mail now routes to Stalwart (mail.jongsma.me)
- Proton Bridge fully disabled. MC connects directly to Stalwart (mail.jongsma.me:993).
- SMTP security complete: SPF, DKIM (ed25519), DMARC p=reject for both jongsma.me and inou.com
- Family email live: Roos, Jacques, Misha, Tanya all on Stalwart. Migration deadline for Proton → 3/15.
### 🤖 Telegram Primary Channel (Feb 18)
- @jamesjongsma_bot is live and confirmed working
- Johan is @johanjongsma on Telegram (ID: 8454563068)
- Briefings now go to Telegram with rich Markdown format
### 🏠 Real Estate Update (Feb 16)
- 851 Brightwaters showing: Sarasota buyers (Bird Key homeowners) liked exterior, disliked modern interior
- Diana Geegan waiting for buyer response. No offer reported.
### ✈️ Johan NYC Day Trip (Feb 19)
- Delta TPA→JFK (DL2475, 7:16AM), return JFK→TPA (DL2093, 2:59PM). Conf: F86VDN
### 📱 Claude Sonnet 4.6 Released (Feb 17)
- 1M context (beta), adaptive thinking, context compaction (beta)
- $3/$15 per M tokens — now our default model
### 🧠 OpenClaw 2026.2.21 (Feb 21)
- Gemini 3.1 support, 100+ security hardening fixes, Discord voice/streaming, thread-bound subagents
- Two patches still need reapplication (see OpenClaw Patches in Infrastructure)
### 💳 Verizon First Bill (Feb 21)
- $343.80 due March 4, 2026. 3 lines: iPhone 17 (225-3810), iPhone 16 Plus (307-3952), iPhone 17 (358-1196)
- Enroll Auto-Pay to save $30/mo
### 🚫 SnappyMail Abandoned (Feb 22)
- Deployed SnappyMail on Zurich → hours debugging PHP-FPM SocketReadTimeout connecting to Stalwart via Docker hairpin NAT
- Root cause never definitively solved; Johan killed it: "Not worth this many tokens"
- Lesson: all popular self-hosted webmail is PHP; hairpin NAT + PHP-FPM SSL = pain
- **No webmail for jongsma.me** — users access via iPhone Mail or native clients
- DNS + Caddy + Docker fully cleaned up
### 🏗️ Dealspace View Toggle (Feb 22)
- Added owner↔buyer view toggle so sellers can preview what buyers see (same session, no separate login)
- Production-ready: bcrypt auth, demo route removed, Misha admin confirmed working
### 🐳 Weekly Docker (Feb 22 Sunday)
- HAOS: v17.1, no update needed
- Immich, ClickHouse, Jellyfin, Signal: all updated on 192.168.1.253
- qbittorrent-vpn: pulled only
### 🔧 sessions_spawn Scope Issue (ongoing)
- Every OpenClaw gateway restart strips `operator.write+read` scopes from device-auth.json
- Fix: patch `/home/johan/.openclaw/identity/device-auth.json` + `devices/paired.json` + `devices/pending.json` after EVERY restart
- This is not just post-update — it happens on every gateway restart
- **TODO:** automate scope restoration as a post-start hook
---
## Weekly Insights (Feb 15-22, 2026)
### 🏗️ Infrastructure Stability After Massive Build Week
This week completed a multi-week infrastructure overhaul: Proton → Stalwart email, Amsterdam → Zurich migration, family onboarding to Signal+email. The Zurich rebuild (Feb 19) was reactive (broken services) but successfully consolidated everything: Caddy, Stalwart, Vaultwarden, ntfy, Uptime Kuma all running on one VPS with proper Caddy TLS.
**Pattern:** Large migrations always reveal broken assumptions. The Amsterdam→Zurich move found that Zurich Caddy wasn't installed, that Stalwart had claimed port 443, and that HSTS from home Caddy blocked vault.inou.com. Each discovery was solved rather than worked around.
### 🔄 Heartbeat Architecture Evolution
The Feb 18 heartbeat redesign solved a real problem: main session pinging every 30 min → 148k tokens/check burn. Solution: isolated cron sessions with minimal context. The principle extends to a general rule: **main session is for conversations, not background tasks**.
### 🎵 Voice Infrastructure Unlocked
Fish Audio S1 TTS + Fully Kiosk media_player pipeline is now validated. Johan picked Adrian voice. The capability is there for proactive announcements, intercom-style alerts, Russian voice for in-laws. The gap: need a persistent TTS service (not ad-hoc python http server) and Tanya's buy-in before home-wide deployment.
### 📊 AI Model Landscape Shift
MiniMax M2.5 (Feb 20) dominates OpenRouter rankings. 230B MoE, 80.2% SWE-Bench, 1/20th Opus cost. Four of top 5 OpenRouter models are now open-weight. The gap between proprietary and open-weight is closing fast. **Actionable:** evaluate as K2.5 replacement for grunt-work subagents.
AirLLM (Feb 21) proved forge's GTX 970 can run 70B models at ~6-8s/tok via layer offloading. Quietly significant for private medical document analysis where data must stay local.
### ⚠️ OpenClaw Auth Risk — Unresolved
Johan is using Claude Max OAuth token, not API key. Anthropic may cancel the Max subscription if they detect OpenClaw use. This is a pending decision with real consequence. Worth resolving before it becomes an outage.
---
## Access URLs ## Access URLs
- Web UI: `https://james.jongsma.me/?token=<gateway_token>` - Web UI: `https://james.jongsma.me/?token=<gateway_token>`
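Review bot: the "New Project: Dealspace / Deal Room" entry repeats the admin login and password already added in the Dealspace section earlier in this file, so the secret now has to be removed and rotated in two places; a Recent Events entry should link to the project section instead. The "sessions_spawn Scope Issue (ongoing)" entry likewise restates the fix already written under Infrastructure, which goes against the file's own "Deduplicate ruthlessly" principle. One factual mismatch: the AI Model Landscape paragraph says AirLLM "proved" 70B models run "at ~6-8s/tok", while the Technical Learnings entry reports 6.1s/tok measured on Qwen2.5-7B and calls 70B "theoretically possible at ~8-12s/tok"; align the summary with the measured result. The NYC trip line also records an airline confirmation code, which is not needed once the trip is over.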


@ -8,9 +8,9 @@
"claude_usage": 1771597876 "claude_usage": 1771597876
}, },
"lastBriefing": "2026-02-20T14:30:00.000Z", "lastBriefing": "2026-02-20T14:30:00.000Z",
"lastWeeklyDocker": "2026-02-15T05:00:00-05:00", "lastWeeklyDocker": "2026-02-22T08:33:05.950745+00:00",
"lastWeeklyHAOS": "2026-02-15T05:00:00-05:00", "lastWeeklyHAOS": "2026-02-22T08:33:05.950745+00:00",
"lastWeeklyMemorySynthesis": "2026-02-15T05:00:00-05:00", "lastWeeklyMemorySynthesis": "2026-02-22T10:05:38.031320Z",
"lastDocInbox": "2026-02-20T14:30:00.000Z", "lastDocInbox": "2026-02-20T14:30:00.000Z",
"lastTechScan": "2026-02-20T14:30:00.000Z", "lastTechScan": "2026-02-20T14:30:00.000Z",
"lastMemoryReview": "2026-02-22T01:03:37.069142Z", "lastMemoryReview": "2026-02-22T01:03:37.069142Z",
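Review bot: the three updated keys now use two different timestamp shapes (`+00:00` with microseconds for `lastWeeklyDocker` and `lastWeeklyHAOS`, a `Z` suffix with microseconds for `lastWeeklyMemorySynthesis`), while the untouched keys use millisecond `Z` values and the replaced values carried a `-05:00` offset. Pick one representation for the whole file, for example UTC with a `Z` suffix, so that any consumer comparing these strings does not depend on parsing every variant. `lastWeeklyDocker` and `lastWeeklyHAOS` also carry the identical value `2026-02-22T08:33:05.950745+00:00`; if they are written by one job, say so, otherwise each task should record its own completion time.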