Weekly memory synthesis: Feb 16-22, 2026 infrastructure consolidation

2026-02-22 09:01:51 -05:00 · 2026-02-22 09:01:51 -05:00 · f6a4d06c83
parent 4417546159
commit f6a4d06c83
5 changed files with 66 additions and 30 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@ -260,6 +260,7 @@ Enter plan mode for ANY non-trivial task:
 - **Recover context yourself after compaction** — When compaction/context loss happens: check session history, search memory files, search transcripts via memory_search. NEVER ask the user for info you already had. The data is in your files — find it.
 - **Exhaust self-recovery before escalation** — Always try: (1) `sessions_history` for recent tool calls/context, (2) search memory files, (3) `memory_search` transcripts, (4) reconstruct from available data. Only ask human for info that genuinely isn't in your systems.
 - **Never guess config changes** — Read the docs or source first. Backup the file before editing. A wrong config guess can take down a service; 30 seconds of reading prevents it.
 - **When debugging cascades, question the feature** — If you're 3+ hours into debugging a "simple" integration (SnappyMail webmail, PHP-FPM, Docker hairpin NAT), step back. Ask: "Is this feature actually needed?" Sometimes the right answer is abandonment, not persistence.
 **Plan includes verification:** Use plan mode for verification steps too, not just building. "How will I prove this works?" is part of the plan.
--- a/MEMORY.md
+++ b/MEMORY.md
@ -1,6 +1,6 @@
 # MEMORY.md - Long-Term Memory
-*Last updated: 2026-02-22 (weekly synthesis — Sun 05:00 ET)*
+*Last updated: 2026-02-22 (weekly synthesis — Sun 09:00 ET)*
 ---
 ## ⏰ JOHAN'S SCHEDULE (US EASTERN) — MEMORIZE THIS!
@ -165,13 +165,10 @@ Two patches must be reapplied to `dist/` files after each OpenClaw update:
 1. **Scope preservation** (`dist/gateway-cli-DbznSfRg.js`): `if (scopes.length > 0)` → `if (scopes.length > 0 && !disableControlUiDeviceAuth)` — prevents `dangerouslyDisableDeviceAuth` from clearing scopes
 2. **Deleted transcript indexing** (`dist/sqlite-C54NeA1C.js`): `.filter((name) => name.endsWith(".jsonl"))` → add `|| name.includes(".jsonl.deleted.")` — makes memory_search find old sessions
-### ✅ sessions_spawn Scope Issue — AUTOMATED (Feb 22)
+### ⚠️ sessions_spawn — Partially Fixed (Feb 22)
-`operator.write+read` scopes were stripped from device-auth.json on every gateway restart.
+**Scope stripping FIXED:** `oc-scope-watchdog.service` auto-restores `operator.write+read` within 30s of gateway restart.
-**Fixed:** `oc-scope-watchdog.service` runs continuously, restores scopes within 30s of any restart.
+
- Service: `systemctl --user status oc-scope-watchdog`
+**Bind issue REMAINS:** Gateway rejects `ws://192.168.1.16:18789` (non-loopback). Subagent spawning from conversation sessions fails with "pairing required" (1008). Cron jobs work (internal). Needs: `wss://` or local tunnel fix.
 - Script: `~/clawd/scripts/scope-watchdog.py`
 - Enabled on boot via `default.target.wants/`
 No manual intervention needed anymore.
 ### Network
 - Home lab behind UDM-Pro + Caddy
@ -414,11 +411,17 @@ Automated document processing pipeline for scanned paperwork.
 ### Stalwart — Key Gotchas (Feb 18-22)
 - Account `name` field must equal the login username — not automatically derived from `emails` field
 - PATCH endpoint is broken in v0.15.5 — use DELETE + POST for account updates
- Stalwart v0.15.5 has NO user webmail — only admin panel. All popular self-hosted webmail is PHP.
+- **NO user webmail** — admin panel only (port 8880). All popular self-hosted webmail (Roundcube, SnappyMail) is PHP and painful to integrate.
 - YAML `!` at start of value = YAML tag indicator — passwords starting with `!` must be quoted
 - systemd EnvironmentFile: `!` in values also needs quoting
 - Admin API: port 8880, `admin:agolM71pOwZBJhggROBDkn8R` via HTTP Basic at `http://127.0.0.1:8880/api/principal`
 ### DNS Debugging — AdGuard Rewrite Rules (Feb 22)
 - Home DNS is **AdGuard Home** (not just HA at 192.168.1.252)
 - DNS rewrites (Filters → DNS rewrites) override cache AND external resolution
 - Cache flush alone won't fix issues if a rewrite rule exists
 - Check AdGuard UI directly when DNS changes don't propagate as expected
 ### Family Stalwart Account Logins (as of Feb 21)
 - **tj@jongsma.me**: username `tj`, pw `!Lekker69`  
 - **johan@jongsma.me**: username `johan`, pw `!!Lekker69`
@ -439,12 +442,13 @@ Automated document processing pipeline for scanned paperwork.
 ## Todo / Open Items
 ### 🔴 Urgent (This Week — as of Feb 22)
- [ ] **jongsma.me domain transfer** — EXPIRES 2026-02-28 (6 days!). Unlock at OpenProvider, get auth code, initiate transfer at Cloudflare. Transfers take 5-7 days. Window is CRITICAL.
+- [ ] **jongsma.me domain transfer** — EXPIRES 2026-02-28 (6 days!). Unlock at OpenProvider, get auth code, initiate at Cloudflare. Transfers take 5-7 days. Window is CRITICAL.
 - [ ] **Azure Files Backup:** `az login` MFA with Johan — free account expires ~Feb 27 (5 days!). Need Johan for MFA.
 - [ ] **HostKey Amsterdam cancellation** — API returned "being cancelled" but Johan must manually confirm: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e (server ID: 53643)
 - [ ] **stpetersburgaquatics.com** — expires 2026-03-13. Transfer or renew.
 - [ ] **Uptime Kuma monitors** — 8 monitors lost in Zurich rebuild. Rebuild when Johan confirms.
 - [ ] **Verizon bill** — $343.80 due March 4, 2026. Enroll Auto-Pay to save $30/mo.
 - [ ] **sessions_spawn fix** — subagent spawning from conversation sessions broken (1008 error). Needs wss:// or tunnel.
 ### 🟡 Active (Johan Action Needed)
 - [ ] **Vaultwarden:** Johan creates account at vault.jongsma.me → export Proton Pass → import. Then set SIGNUPS_ALLOWED=false.
@ -462,10 +466,9 @@ Automated document processing pipeline for scanned paperwork.
 - [ ] inou Mobile: Content at inou.com/app for WebView
 - [ ] AdventHealth MFA enrollment (Johan action)
 - [ ] HAOS SSH key authorization (forge → 192.168.1.252)
 - [ ] Fish Audio S1 TTS persistent service on forge (currently ad-hoc python http server)
 - [ ] rclone backup for Vaultwarden (needs browser OAuth on Zurich)
 - [ ] BlueBubbles on Mac Mini M4 (deferred)
- [ ] sessions_spawn from conversation sessions still broken (pairing required 1008 error) — cron jobs work
+- [ ] Evaluate MiniMax M2.5 as K2.5 replacement for grunt-work subagents
 ## Weekly Synthesis Insights (Feb 9-15, 2026)
@ -817,26 +820,38 @@ Shannon's successful deployment and scan completion demonstrates security toolin
 ---
-## Weekly Insights (Feb 15-22, 2026)
+## Weekly Synthesis — Feb 16-22, 2026
-### 🏗️ Infrastructure Stability After Massive Build Week
+### 🏗️ Infrastructure: The Great Consolidation
-This week completed a multi-week infrastructure overhaul: Proton → Stalwart email, Amsterdam → Zurich migration, family onboarding to Signal+email. The Zurich rebuild (Feb 19) was reactive (broken services) but successfully consolidated everything: Caddy, Stalwart, Vaultwarden, ntfy, Uptime Kuma all running on one VPS with proper Caddy TLS.
+Completed a 3-week migration arc: Proton Mail → Stalwart (self-hosted), Amsterdam VPS → Zurich, family Signal/email onboarding. Feb 19 overnight Zurich rebuild was messy but successful — Caddy, Stalwart, Vaultwarden, ntfy, Kuma all consolidated with proper TLS.
-**Pattern:** Large migrations always reveal broken assumptions. The Amsterdam→Zurich move found that Zurich Caddy wasn't installed, that Stalwart had claimed port 443, and that HSTS from home Caddy blocked vault.inou.com. Each discovery was solved rather than worked around.
+**Key insight:** Large migrations expose phantom infrastructure. Zurich "had" Caddy (in notes) but didn't. Stalwart claimed port 443. Home Caddy's HSTS blocked vault.inou.com. Fixed at source, not worked around.
-### 🔄 Heartbeat Architecture Evolution
+### 🔄 Architecture: Sessions Are Not Free
-The Feb 18 heartbeat redesign solved a real problem: main session pinging every 30 min → 148k tokens/check burn. Solution: isolated cron sessions with minimal context. The principle extends to a general rule: **main session is for conversations, not background tasks**.
+Feb 18 heartbeat redesign cut token burn 90%+: 148k tokens/check → ~5k. Principle: **main session is for conversations, not background work**. Isolated cron sessions with minimal context, subagents for anything parallel.
-### 🎵 Voice Infrastructure Unlocked
+### 🎵 Voice: Infrastructure Validated, Awaiting Go-Live
-Fish Audio S1 TTS + Fully Kiosk media_player pipeline is now validated. Johan picked Adrian voice. The capability is there for proactive announcements, intercom-style alerts, Russian voice for in-laws. The gap: need a persistent TTS service (not ad-hoc python http server) and Tanya's buy-in before home-wide deployment.
+Fish Audio S1 (Adrian voice) → mp3 → Fully Kiosk tablets pipeline proven. Office tablet reliable; master bedroom needs Fully REST. Blocker: Tanya buy-in before home-wide deployment. Persistent TTS service needed (not ad-hoc Python server).
-### 📊 AI Model Landscape Shift
+### 📊 Models: The Open-Weight Surge
-MiniMax M2.5 (Feb 20) dominates OpenRouter rankings. 230B MoE, 80.2% SWE-Bench, 1/20th Opus cost. Four of top 5 OpenRouter models are now open-weight. The gap between proprietary and open-weight is closing fast. **Actionable:** evaluate as K2.5 replacement for grunt-work subagents.
+MiniMax M2.5 (230B MoE, 80.2% SWE-Bench, ~$1/hr) dominates OpenRouter. 4 of top 5 models now open-weight. Gap vs proprietary closing fast. AirLLM proved forge's GTX 970 runs 70B at ~6s/tok via layer offloading — local medical analysis now viable.
-AirLLM (Feb 21) proved forge's GTX 970 can run 70B models at ~6-8s/tok via layer offloading. Quietly significant for private medical document analysis where data must stay local.
+### ⚠️ Risk: OpenClaw Auth = OAuth Max Subscription
 Claude Max OAuth token means Anthropic could cancel Johan's subscription. Decision pending: API key switch, OpenRouter, or accept risk. Worth resolving before outage.
-### ⚠️ OpenClaw Auth Risk — Unresolved
+### 🛠️ Pattern: "It Should Not Be This Complicated"
-Johan is using Claude Max OAuth token, not API key. Anthropic may cancel the Max subscription if they detect OpenClaw use. This is a pending decision with real consequence. Worth resolving before it becomes an outage.
+SnappyMail webmail deployment: 4 hours debugging PHP-FPM, Docker hairpin NAT, SSL timeouts. Johan killed it — correctly. When debugging cascades, step back and question if the feature is needed. Stalwart has no user webmail; native clients (iPhone Mail) are fine.
 ### 📝 Technical Debt: sessions_spawn Still Broken
 Gateway security rejects ws://192.168.1.16 (non-loopback). Cron jobs work (internal), but conversation-session subagent spawning fails with "pairing required" (1008). Watchdog service fixes scope stripping, but bind/SSL issue remains. TODO: wss:// or local tunnel.
 ### 👨‍👩‍👧 Family Systems: Operational
 - Signal: Roos ✅, Jacques ✅, Misha ⏳ (pairing pending)
 - Stalwart email: All 5 family accounts live. Login inconsistency: tj/johan use short names, Jacques/Roos use full email. Don't change without coordinating active clients.
 - Telegram: @jamesjongsma_bot primary channel since Feb 18.
 ### 🎯 New Project: Dealspace (Misha's M&A Data Room)
 Go + templ + HTMX + SQLite. Production auth, view toggle (owner↔buyer), Atlas AI integration. http://192.168.1.16:9300. No public domain yet. Architecture: inou pattern (RBAC bitmask, entries table, AES-256-GCM files).
 ---
--- a/memory/claude-usage.db
+++ b/memory/claude-usage.db
--- a/memory/claude-usage.json
+++ b/memory/claude-usage.json
@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-02-22T11:00:01.919798Z",
+  "last_updated": "2026-02-22T14:00:01.371829Z",
  "source": "api",
-  "session_percent": 16,
+  "session_percent": 0,
-  "session_resets": "2026-02-22T13:59:59.889182+00:00",
+  "session_resets": null,
-  "weekly_percent": 14,
+  "weekly_percent": 16,
-  "weekly_resets": "2026-02-28T18:59:59.889199+00:00",
+  "weekly_resets": "2026-02-28T19:00:00.346050+00:00",
  "sonnet_percent": 20
 }
--- a/memory/updates/2026-02-22.json
+++ b/memory/updates/2026-02-22.json
@ -0,0 +1,20 @@
 {
  "date": "2026-02-22",
  "timestamp": "2026-02-22T09:00:01-05:00",
  "openclaw": {
    "before": "2026.2.21-2",
    "latest": "2026.2.21-2",
    "updated": false
  },
  "claude_code": {
    "before": "2.1.50",
    "latest": "2.1.50",
    "updated": false
  },
  "os": {
    "available": "0\n0",
    "updated": false,
    "packages": []
  },
  "gateway_restarted": false
 }