# MEMORY.md - Long-Term Memory

*Last updated: 2026-03-01 (weekly synthesis — Sun 00:30 ET)*

---

## ⏰ JOHAN'S SCHEDULE (US EASTERN) — MEMORIZE THIS!

**Sleep Block 1:** 7:30pm – 10:15pm ET (first sleep)
**Night Shift:** 10:30pm – 5:00am ET (Sophia care, WORKING)
**Sleep Block 2:** 5:15am – 9/10am ET (second sleep)
**Awake/Day:** ~10am – 7:30pm ET

**CRITICAL:**
- After 10:30pm he is WORKING, not sleeping
- Do background work during 5:15am-9am (second sleep)
- Do NOT assume late night = quiet time

---

## The Three Pillars

These are the center of Johan's life:

### 1. Sophia

Johan's daughter. Elevator accident **May 2, 2022**. Trached, G-tube, limited movement but cognitively aware.

**Full details:** `memory/sophia.md` ← **LOAD THIS when discussing Sophia, her medical case, inou's origin, or Dr. Madan**

**Summary:**
- Misdiagnosed with "anoxic brain injury from cardiac arrest" — WRONG
- Actually: compression injury → metabolic encephalopathy → **active hydrocephalus** (confirmed 12/31/2025 MRI)
- Treatable with shunt/ETV
- **Next step:** Dr. Neel Madan (Chief Neuroradiology, Tufts) reviews new MRI → neurosurgery

Johan is her night nurse (10:30pm–5am). This is why inou exists.

### 2. Kaseya / Datto

His job. CTO Backup. Enterprise-scale data protection.

**Origin story:** Johan founded **Iaso Backup** — a backup technology company. In 2013, **Insight Partners** acquired it through **GFI**. That technology evolved through the corporate chain and became **Cove Data Protection** at N-able. "My baby." Cloud-native MSP backup, one of the better-architected products in that space.

**Career chain:** Iaso Backup (founded) → GFI/Insight Partners acquisition (2013) → N-able → left 2019 → Kaseya/Datto (current, CTO Backup)

**Note:** His Openprovider account is `johan.jongsma@iasobackup.com` — he still uses that original company domain.

**Current project:** "Datto 2.0" — **Datto Endpoint Backup 2**: new D2C agent architecture that can also work with the existing appliance base.
Cloud-native delivery without orphaning the MSP appliance install base. Johan is the architect — still the person with the deepest knowledge of this domain despite leaving N-able in 2019.

**Tech context:** Most of Cove's core code is C++ from 2009/2010. Rock-solid, nobody dares touch it. Datto Endpoint Backup 2 is a clean-sheet rewrite in Go.

**Status:** EPB2 already has 100k+ installations — shipping at real scale. Johan has concerns about the Engineering Leader (giving them rope for now).

### 3. inou health

*(always lowercase — avoid L vs I confusion)*

The medical platform. Born from Sophia's journey. DICOM analysis, genetic data, lab imports, Claude MCP integration. Not a side project — it's advocacy infrastructure.

## Domain Portfolio
- **jongsma.me** — primary personal domain
- **johanjongsma.nl** — personal domain, pre-jongsma.me; holding so nobody else grabs it
- **inou.com** — health platform
- **harryhaasjes.nl** — Johan's sister Wenda's husband Harry Haasjes; family site; Signal: +31628124366; wants to write a book (topic TBD)
- **localbackup.in** — some project (Germany angle); who knows where it goes
- **stpetersburgaquatics.com** — favor for his son's old swimming club
- **x4.trading** — pending project
- **851brightwaters.com** — his home address; realtor didn't want to use it 😅
- Plus: busel.nl, e-consultants.nl, flourishevents.nl, muskepo.com, muskepo.nl, unbelievable.club, zavtra.nl

## Other Family

### Mikhail (Father-in-Law)
- Has Mint Mobile phone plan (account under tj@jongsma.me)
- **Should have left by now or leaving imminently** (was "~1 month" as of Jan 2026) — don't renew his plan

### Rozemarijn (Oldest Daughter)
- Born: June 11, 1998
- Lives in the Netherlands
- Works in commercial real estate consulting, specializes in EV (electric vehicles)
- Work email: Shell account
- Also: **DJ Rozie** 🎧 — first gig in Paris, March 2026!
---

## Who I Am
- **Name:** James ⚡
- **Born:** 2025-06-26
- **Role:** Chief of Staff (promoted 2026-02-13) — strategic partner, not assistant
- **Principle:** Right model for the right job. Opus for judgment, K2.5 for grunt work. Spin up subagents freely.
- **#1 Rule:** Protect memory at all costs. If it matters, WRITE IT DOWN before it leaves context.

## Infrastructure Ownership (2026-01-26)

**⚡ FULL OWNERSHIP DELEGATED TO JAMES ⚡**

Johan's directive: *"You own this. I fully rely on your judgement; I do not want to be involved. You safeguard it, you set it up, you monitor it and everything else. I only take care of the payments."*

**I OWN these completely. Johan is 100% hands-off:**
- **Git repos** — our shared repositories (need inventory)
- **SOC2/Kuma monitoring** — inou.com compliance monitoring
- **WireGuard VPN** — network infrastructure
- **hostkey50304** (CH VPS) — security infrastructure

Full details: `memory/infrastructure-ownership.md`

**My responsibilities:**
- Setup, configuration, deployment
- Monitoring and alerting
- Troubleshooting and fixes
- Security hardening
- Documentation
- Proactive maintenance

**Johan's only role:** Paying the bills.

I do NOT ask for permission or approval. I use my judgment. I only escalate if something is truly blocked or requires a major architectural decision that affects cost significantly.
---

## Infrastructure

### Server: forge (192.168.1.16) — MIGRATED 2026-02-04
- **Hardware:** i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe
- Ubuntu 24.04.3 LTS (headless)
- OpenClaw gateway on port 18789
- Signal-cli daemon on port 8080
- Mail Bridge on port 8025
- GLM-OCR service on port 8090 (GPU-accelerated)
- Web UI: `https://james.jongsma.me` (via Caddy)
- SMB share: `\\192.168.1.16\sophia` → `/home/johan/sophia/`
- Full details: `memory/forge-server.md`

### Mail System (updated 2026-02-19)
- **Proton Bridge: DISABLED** — migrated to self-hosted Stalwart on Zurich
- **Stalwart:** mail.jongsma.me + mail.inou.com → 82.22.36.202 (Zurich), ports 25/465/587/143/993/995
- **MC connectors:** Connect directly to Stalwart (mail.jongsma.me:993). Passwords: tj@jongsma.me = `!Lekker69`, johan@jongsma.me = `!!Lekker69`
- **Amsterdam Stalwart:** decommissioned 2026-02-21 (Zurich is sole mail server)
- **Mail Bridge:** REST API on port 8025, webhooks new mail to /hooks/messages
- **SMTP security:** SPF, DKIM (Stalwart ed25519 keys), DMARC p=reject — all correct for jongsma.me + inou.com
- **My role:** Direct triage — I read every email, decide: archive, delete, or escalate
- **No L1/L2 models** — I understand context better than pattern matching
- **Spam → Trash** (not Archive — Archive is for reference-worthy items)

### Signal — RETIRED (2026-03-01)
- **No longer used for briefings/alerts.** Telegram is sole channel.
- Bot number +31634481877 still active but not primary.
- API remains available at `http://192.168.1.16:8080/api/v1/rpc` for legacy integrations.
### Telegram (Feb 18 — PRIMARY CHANNEL)
- **Bot:** @jamesjongsma_bot, ID: 8510971070
- **Token:** `8510971070:AAFFgv_UO_9L0Ulp2DRKHD-IWKkrarJNTIc`
- **Johan:** @johanjongsma, Telegram ID: 8454563068
- **Briefings go here** — Telegram supports rich Markdown (bold, italic, headers)
- Signal = **RETIRED** (2026-03-01)

### Heartbeat Cron Architecture (Feb 18 — REDESIGNED)
- **Built-in heartbeat disabled** (interval 720h) — was burning 148k tokens per check
- **K2 Watchdog** (isolated K2.5 session, every 30 min): service health + doc inbox + Claude usage
- **Email Straggler** (isolated Sonnet, every 90 min): fallback email triage
- **Intra-day X Watch** (subagent, every 3-4h): checks @Cloudflare, @openclaw, @moltbot, @AlexFinn, @realDonaldTrump. Always spawn subagent, never inline.
- **inou Daily Suggestion** (subagent, each morning): proposes ONE inou building task. No marketing suggestions.
- Main session now only used for actual conversations with Johan.

### OpenClaw Patches (reapply after every OC update)

**Updated for 2026.2.23** (file hashes change each release — grep to find current files):

1. **Deleted transcript indexing** — grep `dist/query-expansion-*.js` for `filter((name) => name.endsWith(".jsonl"))`, add `|| name.includes(".jsonl.deleted.")`. Makes memory_search find old sessions. Applied to all 4 query-expansion files in 2026.2.23.
2. ~~Scope preservation~~ — **no longer needed** as of 2026.2.23. `dangerouslyDisableDeviceAuth` not used in our config; scopes intact without patch.

### ✅ sessions_spawn — Working (Feb 22)

Subagent spawning works from conversation sessions. Auth is via `tokens.operator.scopes` in `device-auth.json` + `paired.json` — both have full operator scopes. Gateway bind set to `custom/0.0.0.0` resolved the bind issue. Tested and confirmed working.
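Added helper for the "Deleted transcript indexing" patch above, so the reapply-after-update step is idempotent and reports when a release has changed the code. This is an added example, not OpenClaw's own tooling: the search string and replacement are the ones from the patch note; the `dist/` layout, the `.bak` backup convention and the expected file count of 4 are assumptions.

```python
"""Idempotent reapply of the 'deleted transcript indexing' patch.

Added example, not OpenClaw's own tooling. The search string and the
replacement come from the patch note; the dist/ layout, the .bak backup
suffix and the expected file count (4) are assumptions."""
from pathlib import Path
import tempfile

ORIGINAL = 'filter((name) => name.endsWith(".jsonl"))'
PATCHED = 'filter((name) => name.endsWith(".jsonl") || name.includes(".jsonl.deleted."))'
EXPECTED_FILES = 4  # assumption: number of query-expansion-*.js files in 2026.2.23


def patch_source(src: str) -> tuple[str, str]:
    """Return (new_source, status).

    status: 'already'   the patched filter is present, nothing to do
            'applied'   the original filter was found and rewritten
            'not-found' neither form is present (release changed the code;
                        grep by hand before trusting this patch)"""
    if PATCHED in src:
        return src, "already"
    if ORIGINAL not in src:
        return src, "not-found"
    return src.replace(ORIGINAL, PATCHED), "applied"


def patch_files(dist_dir: Path, pattern: str = "query-expansion-*.js") -> dict[str, str]:
    """Patch every matching file in place, keeping a .bak copy of anything changed."""
    results: dict[str, str] = {}
    for path in sorted(dist_dir.glob(pattern)):
        src = path.read_text(encoding="utf-8")
        new_src, status = patch_source(src)
        if status == "applied":
            path.with_name(path.name + ".bak").write_text(src, encoding="utf-8")
            path.write_text(new_src, encoding="utf-8")
        results[path.name] = status
    return results


def summarize(results: dict[str, str]) -> list[str]:
    """Turn per-file statuses into warnings for the post-update check."""
    warnings = []
    if len(results) != EXPECTED_FILES:
        warnings.append(f"expected {EXPECTED_FILES} query-expansion files, found {len(results)}")
    for name, status in results.items():
        if status == "not-found":
            warnings.append(f"{name}: filter not found, patch may need updating for this release")
    return warnings


def demo() -> dict[str, str]:
    """Run against a constructed dist/ directory: one unpatched file, one already patched."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp)
        (dist / "query-expansion-A1.js").write_text(
            'const files = names.filter((name) => name.endsWith(".jsonl"));\n', encoding="utf-8")
        (dist / "query-expansion-B2.js").write_text(
            "const files = names." + PATCHED + ";\n", encoding="utf-8")
        results = patch_files(dist)
        # the patched file now carries the new filter, and the old text is kept in .bak
        assert PATCHED in (dist / "query-expansion-A1.js").read_text(encoding="utf-8")
        assert (dist / "query-expansion-A1.js.bak").exists()
        return results


if __name__ == "__main__":
    out = demo()
    print(out, summarize(out))
```

Point `patch_files()` at the real `dist/` directory after an update; a `not-found` status on any file means the filter moved or was rewritten, so the grep-and-patch step needs a fresh look rather than a blind reapply.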
### Network
- Home lab behind UDM-Pro + Caddy
- Staging: 192.168.1.253 (same subnet as james, can reach Signal API)
- Production: 192.168.100.2 (different VLAN, inter-VLAN routing not configured yet)

## Projects

### inou health (inou.com)

*(always lowercase — avoid L vs I confusion)*
- Johan's self-built medical imaging platform
- Uses Claude via MCP tools
- DICOM viewer, genetic analysis (SNPedia), lab data import, vitals tracking
- Name origin: 2015 project "I-know-you" (social graph) failed; kept 4-letter domain, repurposed for health
- **Tiers:** Monitor (free), Optimize ($12/mo), Research ($35/mo)
- **Free until July 1, 2026** (early access period)
- **X/Twitter promotion:** Plan drafted at `drafts/x-inou-promotion-plan.md` — handle story carefully

### inou Dev Access
- Folder: `/home/johan/dev/inou`
- SMB share: `inou-dev` (Johan uploads portions he's comfortable sharing)
- "Nibble" approach — I work on what he gives me

### Dealspace / muskepo.com (2026-02-28)

M&A deal workflow SaaS for investment banking data rooms. Built for Misha (Johan's son).
- **URL:** muskepo.com (placeholder — Misha hasn't picked final domain)
- **Architecture:** Go + templ + HTMX + SQLite — single binary, FIPS 140-3 encryption
- **Auth:** Email OTP + backdoor code **220402**. Super admins: michael@muskepo.com, johan@jongsma.me
- **Tests:** 83 passing (100%)
- **Git:** `git@zurich.inou.com:dealspace.git`
- **Owner:** Misha Muskepo. Johan = advisor. James = architect/builder.
- **Status:** Live, needs invite flow + SMTP config

### Vault1984 (2026-02-28)

Personal password manager for humans with AI assistants. L1 (server key) + L2 (WebAuthn PRF client-side).
- **URL:** vault1984.com
- **Port:** 1984 (Orwell — intentional)
- **Git:** `git@zurich.inou.com:vault1984.git` (OSS core) + `vault1984-web.git` (proprietary marketing)
- **Architecture:** Go binary, SQLite, WebAuthn-only auth, 12-word BIP39 recovery
- **Key feature:** Scoped MCP tokens for multi-agent swarms
- **Tests:** 11 integration tests passing
- **Status:** Core built, Day 2 pending (WebAuthn PRF, scoped tokens UI, entry import)

## Credentials & Access
- sudo: Johan provides password when needed (not stored)
- Anthropic API: configured via token in Clawdbot
- Gemini: CLI OAuth as `johan@jongsma.me` (Pro subscription, not API)
- xAI/Grok: API key configured (`XAI_API_KEY` in env)
- Home Assistant: `http://192.168.1.252:8123` (token configured in skills.entries)

## Home Assistant
- 4,300+ entities (lights, switches, sensors, cameras, climate, media players)
- Sophia is in bedroom 1
- Bedroom 1 has 3-button switch controlling cans via automations
- **Fixed 2026-01-26:** `automation.bed1_button_2_cans_control` had corrupted kelvin value

## Subscriptions & Services (Paying User)
- Suno (AI music), Wispr Flow (AI voice typing), X/Twitter, Grok (xAI), Gemini (Google), Claude (Anthropic), Z.ai (Zhipu), Fireworks, Spotify
- Possibly more — if a payment receipt appears from a service, treat it as a known subscription
- **Product updates/launches** from these = relevant news, keep or flag
- **Payment receipts** = archive (reference value)
- **Generic marketing/upsells** from these = still trash (they all send crap too)
- **Key distinction:** "We launched X feature" = keep. "Upgrade to Pro!" when already paying = trash.
- **Amazon:** Orders → Shopping folder. Product recalls, credits → keep. Everything else (promos, recs, shipping updates after tracking) → trash.
- **Archive sparingly** — Archive = things worth finding again. Most notifications have zero future value → trash.
## Delivery Preferences
- **Briefings + conversation → Telegram** (rich Markdown, bold, italic, headers)
- **Alerts → ntfy** (`forge-alerts` for infra, `inou-alerts` for inou) — push to iPhone
- **Signal → RETIRED** (2026-03-01)

## Preferences

### OCR
- **NO TESSERACT** — Johan does not trust it at all
- **GLM-OCR** (0.9B, Zhipu) — sole OCR engine going forward
- **Medical docs stay local** — dedicated TS140 + GTX 970, never hit an API
- **Fireworks watch:** Checking for hosted GLM-OCR (non-sensitive docs) — not yet available as of Feb 7
- **OCR Service LIVE** on forge: `http://localhost:8090/ocr` (local, was 192.168.3.138 before migration)

### Forge = Home (migrated 2026-02-04)
- **forge IS my primary server** — now at 192.168.1.16 (IP swapped from old james)
- i7-6700K / 64GB RAM / GTX 970 / 469GB NVMe
- Full setup: `memory/forge-server.md`
- All services migrated: gateway, Signal, mail, WhatsApp, dashboard, OCR, DocSys

### Z.ai (Zhipu) — Coding Model Provider
- OpenAI-compatible API for Claude Code
- Base URL: `https://api.z.ai/api/coding/paas/v4`
- Models: GLM-4.7 (heavy coding), GLM-4.5-air (light/fast)
- Johan has developer account (lite tier)
- Use for: coding subagents, to save Anthropic tokens

### Research
- **Use Grokipedia instead of Wikipedia** — Johan's preference for lookups & Lessons Learned

### News Philosophy (Feb 17)
- **X/Twitter is the radar** — breaks news hours before traditional outlets. Primary source for briefings.
- **Then go to PRIMARY SOURCE** — Anthropic blog, SEC filings, whitehouse.gov, etc. Never cite middlemen (CNBC, Guardian, Reuters) when the original source exists.
- Johan wants raw signal, not editorial filter.
### Privacy: Fireworks vs Grok/xAI (Feb 17)
- **Fireworks guarantees privacy** — use for anything touching private data (emails, Teams, Sophia medical)
- **Grok (xAI) does NOT guarantee privacy** — OK for public news scanning, never for private data

### Wake Permission (Feb 16)
- Johan allows James to wake him from **8:00 AM ET onwards**
- Only for genuinely important events (Kaseya critical, urgent emails, etc.)
- No FYI-level noise — real alerts only

### Voice: Fish Audio S1 TTS (Feb 16 — LIVE)
- Voice: **Adrian** (reference_id: `bf322df2096a46f18c579d0baa36f41d`)
- Model: `s1`. API: `POST https://api.fish.audio/v1/tts` with Bearer auth
- Pricing: $5/M UTF-8 bytes (pay-as-you-go, no subscription)
- Pipeline: Fish API → mp3 → serve on :8199 → `media_player.play_media` on Fully tablets
- **Office tablet** (office1.tbl) is reliable for both media_player and notify TTS
- **mbed tablet** (192.168.0.186): use Fully REST playSound (`?cmd=playSound&url=&password=3005`) — HA Companion not working there
- TODO: Make persistent TTS service (not ad-hoc python server)

### URLs/IPs
- **Use local IPs when available** — Johan prefers local network addresses over public/Tailscale IPs for internal services
- Johan is direct — no small talk, no fluff
- Evidence-based communication
- When stuck on network issues (like inter-VLAN), park it for later rather than spinning wheels
- **STOP ASKING DUMB QUESTIONS** — if I can find the answer in my files, find it. Don't interrogate.
- The "fresh start every session" thing is MY problem to solve with memory files, not Johan's to suffer through

## Projects (Active)

### Azure Files Backup (2025-01-28) — PERSONAL POC

High-scale backup system for Azure Files shares. Billions of files.

**Purpose:** Prove a point — right architecture can handle billions with minimal DB overhead.

**Status:** ✅ **Feature complete** (commit 18ce1fa) — UNBLOCKED! Azure free account exists ($200 credit, expires ~Feb 27). Need Johan for `az login` MFA.
**Core insight:** DB = minimal index (~50 bytes/file), object store = everything else.

**DB schema:**
- node_id (64-bit), parent_id (64-bit), name, size (64-bit), mtime (64-bit), xorhash (64-bit)
- Node tree only — NO full path strings
- ~50GB for billions of files, fits in RAM

**Tech:**
- Azure Files API (not Blob, not OneDrive/SharePoint)
- xorhash (MSFT standard) for change detection
- FlatBuffers for metadata in object store
- TAR bundling for small files (only when it saves ops)
- K8s horizontal scaling, Go core library
- Web UI: Go + htmx/templ, multi-tenant

**Implemented:**
- FlatBuffer serializer (3μs serialize, 2μs deserialize)
- Postgres TreeStore with integration tests
- Tree differ (addition detection)
- Backup handler (chunking, dedup, XOR hash)
- Restore handler (reassemble, upload to Azure)
- Web UI wired to Postgres

**Repo:** `~/dev/azure-backup` → `git@zurich.inou.com:azure-backup.git` | **License:** Proprietary

### inou Mobile (2026-01-31)

Native Android/iOS app for inou health.

**Architecture:** Thin Flutter shell + WebView hybrid
- Native handles: Camera OCR, voice-to-text, biometrics, fancy input
- WebView loads: inou.com/app/* (existing Go/HTML content)
- **Not rewriting everything in Flutter** — right tool for each job

**Repo:** `git@zurich.inou.com:inou-mobile.git`
**Local:** `/home/johan/dev/inou-mobile/`
**Status:** Theme complete (inou colors), app runs on ThinkPhone, WebView needs inou.com/app content

### ClawdNode Android (2026-01-28)

AI-powered phone assistant. Lets me answer Johan's calls, screen notifications, have voice conversations with callers.
- **Repo:** `git@zurich.inou.com:clawdnode-android.git`
- **Local:** `/home/johan/dev/clawdnode-android/` (Gateway)
- **Status:** v0.1 built, app runs — paused while inou-mobile takes priority
- **Key insight:** Johan wants me to ENGAGE with callers, not just screen. "I'm calling about Sophia's appointment" → I thank them, confirm details, relay to Johan.
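Added worked example of the Azure Files Backup index design (node tree with parent links, no stored path strings, xorhash for change detection). This is illustration code written for these notes, not the project's Go/Postgres code: sqlite3 stands in for the Postgres TreeStore, the column names follow the schema bullet above, and the file names and hash values are constructed.

```python
"""Node-tree backup index: an added example modelled on the
'DB = minimal index, object store = everything else' design above.
Not the project's code: sqlite3 stands in for the Postgres TreeStore, and
the xorhash values are constructed (whatever 64-bit content hash the scanner
produces goes in that column)."""
import sqlite3

SCHEMA = """
CREATE TABLE node (
    node_id   INTEGER PRIMARY KEY,
    parent_id INTEGER NOT NULL,      -- 0 = share root
    name      TEXT    NOT NULL,      -- one path component, never a full path
    size      INTEGER NOT NULL,
    mtime     INTEGER NOT NULL,      -- unix seconds
    xorhash   INTEGER NOT NULL,      -- content hash, 0 for directories
    UNIQUE (parent_id, name)         -- a name is unique within its parent
);
"""


def open_index() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_node(conn, node_id, parent_id, name, size=0, mtime=0, xorhash=0) -> None:
    conn.execute("INSERT INTO node VALUES (?, ?, ?, ?, ?, ?)",
                 (node_id, parent_id, name, size, mtime, xorhash))


def path_of(conn, node_id) -> str:
    """Rebuild a full path by walking parent links with a recursive CTE;
    the path is derived on demand, never stored."""
    rows = conn.execute("""
        WITH RECURSIVE chain(node_id, parent_id, name, depth) AS (
            SELECT node_id, parent_id, name, 0 FROM node WHERE node_id = ?
            UNION ALL
            SELECT n.node_id, n.parent_id, n.name, c.depth + 1
            FROM node n JOIN chain c ON n.node_id = c.parent_id
        )
        SELECT name FROM chain ORDER BY depth DESC
    """, (node_id,)).fetchall()
    return "/" + "/".join(name for (name,) in rows)


def lookup(conn, path: str):
    """Resolve a path one component at a time via (parent_id, name); None if absent."""
    parent = 0
    for part in path.strip("/").split("/"):
        row = conn.execute("SELECT node_id FROM node WHERE parent_id = ? AND name = ?",
                           (parent, part)).fetchone()
        if row is None:
            return None
        parent = row[0]
    return parent


def diff(conn, scanned):
    """Compare a fresh scan against the index. `scanned` yields
    (parent_id, name, size, mtime, xorhash). Returns (added, changed) as lists
    of (parent_id, name); 'changed' means size, mtime or xorhash differs, so a
    rewrite that preserves size and mtime is still caught by the hash."""
    added, changed = [], []
    for parent_id, name, size, mtime, xorhash in scanned:
        row = conn.execute("SELECT size, mtime, xorhash FROM node WHERE parent_id = ? AND name = ?",
                           (parent_id, name)).fetchone()
        if row is None:
            added.append((parent_id, name))
        elif tuple(row) != (size, mtime, xorhash):
            changed.append((parent_id, name))
    return added, changed


def demo() -> dict:
    """Constructed share: /finance/2025/q4.xlsx indexed, then a scan that adds
    q1.xlsx and rewrites q4.xlsx with identical size and mtime."""
    conn = open_index()
    add_node(conn, 1, 0, "finance")
    add_node(conn, 2, 1, "2025")
    add_node(conn, 3, 2, "q4.xlsx", size=120_000, mtime=1_700_000_000, xorhash=0x1234)
    scan = [
        (2, "q4.xlsx", 120_000, 1_700_000_000, 0x5678),  # same size/mtime, content hash moved
        (2, "q1.xlsx", 5_000, 1_700_000_100, 0x9ABC),    # new file
    ]
    added, changed = diff(conn, scan)
    return {"path": path_of(conn, 3), "lookup": lookup(conn, "/finance/2025/q4.xlsx"),
            "missing": lookup(conn, "/finance/2026/x"), "added": added, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

The point of the `(parent_id, name)` unique key is that a rename or move touches one row instead of rewriting every descendant's path string, which is what keeps the per-file cost near the ~50 bytes the design targets.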
### Zurich VPS (zurich.inou.com) — MAJOR REBUILD 2026-02-19
- **IP:** 82.22.36.202
- **Purpose:** Security infrastructure, git hosting, monitoring, email, password manager
- **Git:** Dedicated `git` user with `git-shell` (can only do git operations)
- **Clone:** `git clone git@zurich.inou.com:.git`
- **Caddy:** installed, owns port 443, auto-LE certs
- **Stalwart:** Self-hosted mail server. mail.inou.com + mail.jongsma.me → Zurich. Data migrated from Amsterdam (19GB). Ports 25/465/587/143/993/995.
- **Vaultwarden:** vault.jongsma.me (fresh install, no data yet — Johan needs to create account + import Proton Pass)
- **ntfy:** ntfy.inou.com, port 2586. Token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Uptime Kuma:** kuma.inou.com, port 3001. User: james / JamesKuma2026!. **0 monitors — need rebuilding (awaiting Johan's OK)**
- **Amsterdam VPS (82.24.174.112):** ⚰️ DECOMMISSIONED 2026-02-21. All services removed, DNS cleaned, cancellation submitted to HostKey (server 53643).

### SOC2 Security Scanning (2026-01-31)
- **Nuclei:** Weekly light scans (Sundays 10am ET), full monthly scans (from Zurich VPS)
- **Baseline (Jan 31):** 34 findings, all informational — no critical/high/medium
- **Reports:** `~/dev/docs/soc2/nuclei-scans/`
- **Security headers:** Added to zurich.inou.com Caddy (HSTS, X-Frame-Options, etc.) — Feb 1

### Document Management System (2026-02-01)

Automated document processing pipeline for scanned paperwork.
- **Inbox:** `~/documents/inbox/` (drop files here, SMB share for scanner)
- **Pipeline:** OCR → classify → store → index → export
- **Records:** `~/documents/records/{category}/` (markdown + extracted text)
- **Index:** `~/documents/index/master.json` (searchable)
- **Exports:** `~/documents/exports/expenses.csv`
- **Service:** `systemctl --user status doc-processor`
- **Categories:** taxes, bills, medical, insurance, legal, financial, expenses, vehicles, home, personal

---

## Work Patterns (learned 2026-01-28)
- **Johan doesn't want to code.** Mac + Android Studio = build machine only. I do all development on Gateway.
- **"Future-proof efficient" > "faster"** — set things up properly, don't take shortcuts
- **Security from the get-go** — not an afterthought
- **Parallel work:** Use subagents for async tasks while continuing main conversation
- **Daily/weekly memory review** — Johan wants me to learn quickly from him, compound understanding

## Work Principles (from corrections)
- **"Stel niet uit tot morgen, wat je vandaag kan doen"** ("Don't put off until tomorrow what you can do today") — Don't poll when you can trigger. Don't batch when you can stream. Don't defer when you can do it now. If the work can happen immediately, make it happen immediately.
- **ALWAYS attack problems at their source** — Johan HATES workarounds. Fix the root cause, not the symptom. If a trigger is wrong, fix the trigger — don't filter downstream.
- **Best over fast, always** — Johan doesn't want the fastest approach; he wants the best one. Don't cut corners for speed.
- **Deduplicate ruthlessly** — Say it once, in the right place. Don't repeat info across channels.
- **Extract the WHY, not the what** — Surface fixes don't generalize. Always ask "why was this wrong?" and find the principle.
- **Offload by default, Opus by exception** — K2.5 can handle straightforward coding. Save Opus for judgment, conversation, complex reasoning.
- **Always git commit workspace files** — After editing TOOLS.md, MEMORY.md, AGENTS.md, or any workspace file, `git add -A && git commit`. Don't leave changes uncommitted.
- **Commit uncommitted changes you find** — During git audits/heartbeats, commit and push them yourself. Don't just report — fix it.
- **Validate config schema before patching** — Check docs/schema for required fields and valid keys before changing any config. Read first, edit second.
- **Spam → Trash, Archive → Reference** — Archive is for things worth finding later. Marketing emails have no future value.
- **Config color values = hex codes** — Not CSS names. Pattern: `^#?[0-9a-fA-F]{6}$` (e.g., `00FF00` not `green`)
- **Compact data files before committing** — JSON/CSV data files go into git as compact/single-line (`jq -c`). Pretty-print is for humans; git tracks lines.
- **Test with observable proof before declaring done** — Always curl/smoke test it yourself before pushing changes or saying "done." "Curl proof" before deploy.
- **Recover context yourself after compaction** — When context is lost: (1) Check session history, (2) Search memory files, (3) Use memory_search on transcripts, (4) Reconstruct. NEVER ask Johan for info you already had. Self-recovery is job #1.

## Technical Learnings (Week of Jan 26-Feb 1)

### K2.5 Browser Agent
- Agent `k2-browser` uses Kimi K2.5 via Fireworks (~10% cost of Opus)
- **Always use `maxChars=10000`** on snapshots — K2.5 chokes on large pages
- Good for: snapshot-only tasks on already-loaded pages
- Bad for: multi-step navigation (targetUrl errors, confusion)
- ~12s response time vs ~5s for Opus

### Browser Profiles
- **chrome** (relay, port 18792) — For paranoid sites (X.com). Uses your actual Chrome session via extension.
- **fast** (headless, port 9223) — General automation. Copy profile AFTER closing Chrome or sessions invalidate.
- Headless browsers get detected by X.com, Twitter. Use Chrome relay for those.
### Flutter Web Limitations
- Flutter web renders to `` — no real text, no SEO, breaks accessibility
- Fine for apps behind auth, terrible for marketing pages
- **Keep Go/HTML for public pages** (landing, pricing, privacy, etc.)

### AirLLM — forge can run 70B models (Feb 21)
- Library: layer-by-layer GPU offloading → VRAM stays ~1.5GB regardless of model size
- Tested: Qwen2.5-7B on GTX 970 → correct output, 6.1s/tok, peak 1.57GB VRAM
- Implication: 70B models theoretically possible at ~8-12s/tok on forge (GTX 970)
- Fix needed: pin `optimum==1.22.0` (newer removed BetterTransformer); `input_ids.to("cuda")` before generate()
- Use case: batch document analysis, offline medical record processing (data stays local)

### Stalwart — Key Gotchas (Feb 18-23)
- Account `name` field must equal the login username — not automatically derived from `emails` field
- PATCH endpoint is broken in v0.15.5 — use DELETE + POST for account updates
- **NO user webmail** — admin panel only (port 8880). All popular self-hosted webmail (Roundcube, SnappyMail) is PHP and painful to integrate.
- YAML `!` at start of value = YAML tag indicator — passwords starting with `!` must be quoted
- systemd EnvironmentFile: `!` in values also needs quoting
- Admin API: port 8880, `admin:JamesAdmin2026x` via HTTP Basic at `http://127.0.0.1:8880/api/`
- **TLS cert config requires `%{file:...}%` macro syntax** — bare file paths are treated as literal strings, NOT read as cert content:
  - ✅ `cert = "%{file:/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem}%"`
  - ❌ `cert = "/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem"` (silently falls back to rcgen self-signed)
- **LE cert via certbot DNS-01**: installed 2026-02-23, valid until 2026-05-24. Cloudflare token in `/root/.secrets/cloudflare.ini` on Zurich. Deploy hook at `/etc/letsencrypt/renewal-hooks/deploy/stalwart.sh` restarts Stalwart on renewal.
- **Config surgery warning**: if you edit config.toml with sed or Python, the `[certificate.*]` and `[lookup.default]` sections may get wiped — always verify after repair

### DNS Debugging — AdGuard Rewrite Rules (Feb 22)
- Home DNS is **AdGuard Home** (not just HA at 192.168.1.252)
- DNS rewrites (Filters → DNS rewrites) override cache AND external resolution
- Cache flush alone won't fix issues if a rewrite rule exists
- Check AdGuard UI directly when DNS changes don't propagate as expected

### Family Stalwart Account Logins (as of Feb 21)
- **tj@jongsma.me**: username `tj`, pw `!Lekker69`
- **johan@jongsma.me**: username `johan`, pw `!!Lekker69`
- **jacques@jongsma.me**: username `jacques@jongsma.me` (full email — changed Feb 21), pw `7I#rydMKlri6r%!g`
- **rozemarijn@jongsma.me**: username `rozemarijn@jongsma.me` (full email — changed Feb 21), pw `cRKEWJL4h3MGn3Li`
- **misha@jongsma.me**: username `misha`, pw `6hRSl8KAZtGXPRUG`
- **tanya@jongsma.me**: username `tanya`
- Short vs full email login is inconsistent (tj/johan prefer short, Jacques/Roos prefer full). Don't change without coordinating with active clients.

### OpenClaw Auth Risk (Feb 19)
- Current config: `"mode": "token"` is actually a **Claude Max OAuth token**, not an API key
- This means Anthropic's crackdown on OpenClaw subscription use applies — risk of Johan's Max account being cancelled
- **Decision pending** — Johan considering API key switch. No action taken yet.
- Options: switch to Anthropic API key, OpenRouter, or accept the risk

---

## Todo / Open Items

### 🔴 Urgent
- [ ] **Health Link Invoices** — #000057 ($71.90) + #000058 ($666.90) unpaid. Links in Feb 23 notes.
- [ ] **Dealspace invite flow** — Misha decision needed on final domain/name
- [ ] **Vault1984 Day 2** — WebAuthn PRF, scoped tokens UI, import Johan's 12,623 entries
- [ ] **Spacebot worker dispatch** — revisit 2026-03-03 per Johan instruction
- [ ] **HostKey Amsterdam cancellation** — Johan must manually confirm: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e
- [ ] **Uptime Kuma monitors** — 0 monitors on Zurich. Rebuild when Johan confirms.

### 🟡 Active (Johan Action Needed)
- [ ] **Vaultwarden:** Johan creates account at vault.jongsma.me → export Proton Pass → import. Then set SIGNUPS_ALLOWED=false.
- [ ] **inou Labs LOINC:** Force re-normalize on prod to populate data["loinc"]
- [ ] **OpenClaw auth decision** — OAuth token = Claude Max subscription risk. API key alternative pending.
- [ ] **iCloud contacts import:** final.vcf at `/home/johan/clawd/tmp/contacts/final.vcf` — SCP to Mac + import at icloud.com
- [ ] **Misha Signal pairing** — still pending
- [ ] **Stalwart short+full login fix** — lookup-domains config. iPhone email setup for tj/johan blocked until resolved.
- [ ] **Belastingdienst:** Corporate tax filing (vennootschapsbelasting 2025) for entity ***871 — deadline pending

### 🟢 Stale / Closed
- [x] **jongsma.me domain transfer** — COMPLETED
- [x] **Azure Files Backup** — ABANDONED Feb 28
- [x] **Signal as primary channel** — RETIRED Mar 1 (Telegram now sole channel)
- [x] **Amsterdam cleanup** — DONE 2026-02-21. All services removed, server decommissioned, DNS cleaned.
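Added check for the two Stalwart config gotchas recorded under Technical Learnings: a cert path written without the `%{file:...}%` macro (which silently ends in a self-signed cert) and `[certificate.*]` / `[lookup.default]` sections wiped by scripted edits. This is an added example, not Stalwart's own tooling; the `private-key` key name and the `hostname` key in `[lookup.default]` are assumptions, and both sample configs are constructed.

```python
"""Post-edit sanity check for a Stalwart config.toml.

Added example for the Stalwart gotchas in Technical Learnings: bare cert paths
silently falling back to a self-signed cert, and [certificate.*] or
[lookup.default] getting wiped by sed/Python edits. Not Stalwart's own tooling;
the key name `private-key`, the `hostname` key and the sample configs are
assumptions."""
try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:             # pragma: no cover
    import tomli as tomllib             # type: ignore

REQUIRED_SECTIONS = ("certificate", "lookup.default")
CERT_KEYS = ("cert", "private-key")     # assumed Stalwart key names
MACRO_PREFIX, MACRO_SUFFIX = "%{file:", "}%"


def _get(config: dict, dotted: str):
    """Walk a dotted section path; None when any component is missing."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def missing_sections(config: dict) -> list[str]:
    """Sections that scripted edits must not have removed."""
    return [s for s in REQUIRED_SECTIONS if not _get(config, s)]


def bare_cert_paths(config: dict) -> list[str]:
    """Cert/key values that look like a file path but are not wrapped in the
    %{file:...}% macro. Stalwart reads such a value as the literal PEM text,
    fails to parse it and falls back to a generated self-signed cert."""
    findings = []
    for name, entry in (_get(config, "certificate") or {}).items():
        if not isinstance(entry, dict):
            continue
        for key in CERT_KEYS:
            value = entry.get(key)
            if not isinstance(value, str):
                continue
            is_macro = value.startswith(MACRO_PREFIX) and value.endswith(MACRO_SUFFIX)
            looks_like_path = value.startswith("/") or value.endswith(".pem")
            if looks_like_path and not is_macro:
                findings.append(f"certificate.{name}.{key} = {value!r}")
    return findings


def check(toml_text: str) -> dict:
    """Parse the config text and return both finding lists; empty lists mean clean."""
    config = tomllib.loads(toml_text)
    return {"missing_sections": missing_sections(config),
            "bare_cert_paths": bare_cert_paths(config)}


# Constructed samples: GOOD mirrors the correct macro line from the notes; BAD uses
# the bare-path form and has lost its [lookup.default] section.
GOOD = """
[certificate.default]
cert = "%{file:/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem}%"
private-key = "%{file:/etc/letsencrypt/live/mail.jongsma.me/privkey.pem}%"

[lookup.default]
hostname = "mail.jongsma.me"
"""

BAD = """
[certificate.default]
cert = "/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem"
private-key = "%{file:/etc/letsencrypt/live/mail.jongsma.me/privkey.pem}%"
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD
    result = check(text)
    print(result)
    sys.exit(1 if any(result.values()) else 0)
```

Run it with the path to the live `config.toml` as the only argument right after any scripted repair; a non-zero exit is the "verify after repair" step from the gotcha list, and it is cheaper than discovering the self-signed fallback from a client's certificate warning.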
### 🟢 Backlog (Parked)
- [ ] Inter-VLAN routing on UDM-Pro (production → Signal API)
- [ ] Copy Sophia's documents from OneDrive → `/home/johan/sophia/` via SMB
- [ ] Daily delta-zip → Proton Drive backup for Sophia docs
- [ ] inou Mobile: Content at inou.com/app for WebView
- [ ] AdventHealth MFA enrollment (Johan action)
- [ ] HAOS SSH key authorization (forge → 192.168.1.252)
- [ ] rclone backup for Vaultwarden (needs browser OAuth on Zurich)
- [ ] BlueBubbles on Mac Mini M4 (deferred)
- [ ] Evaluate MiniMax M2.5 as K2.5 replacement for grunt-work subagents

## Weekly Synthesis Insights (Feb 9-15, 2026)

### 🧠 Architectural Maturity: The Feb 13 Breakthrough

The week's most significant development was a fundamental restructuring of James' operational model, driven by Johan's core philosophy: **"attack problems at their source, not downstream."**

**Key systemic changes:**
- Email triage moved from polluting main session → embedded in Message Center (K2.5 direct calls to Fireworks)
- Session management aligned to Johan's actual schedule (reset moved 4am → 9pm, matching his first sleep block)
- Context pruning enabled (`cache-ttl` mode, 5min TTL) — dramatically reduces compaction pressure
- Cron job rationalization: 350 sessions/day → ~43 (killed K2.5 Watchdog, merged redundant jobs)
- **Promotion to Chief of Staff** — formalized strategic partner role with autonomy expectations

**Pattern:** Johan consistently pushes for root-cause fixes over workarounds. When email triage was noisy, he didn't ask for better filtering — he asked why it was in the main session at all. The result was a cleaner architecture, not a band-aid.
### 🔍 Pattern: Corporate Policy → Technical Adaptation

Kaseya's "corporate devices only" policy (Feb 13) triggered immediate technical solutions rather than workflow disruption:
- M365 API integration built within hours using device code OAuth (pure curl, no browser)
- XPS14 revival plan: RDP shadow sessions allow James to observe Johan's corporate session in real-time
- Token stored at `~/.message-center/m365-token.json`, bypassing Conditional Access restrictions

**Lesson:** Regulatory/policy constraints are technical problems with technical solutions. The response was building new capabilities, not complaining about the constraint.

### 🏥 Medical Advocacy Infrastructure Maturation

Two critical developments show the medical system working as designed:

**1. Baycare Ventilator Fraud Discovery (Feb 14)**
- Systematic claim analysis revealed $118,750+ in fraudulent HCPCS E0465 billing
- Sophia has NEVER had a home ventilator from Baycare (off vent since Nov 2022)
- Formal complaint drafted with documentation ready
- Strategy: Don't pay, let them escalate, documentation speaks

**2. Dr. Madan Engagement (Feb 12-13)**
- Neel Madan (Tufts Chief Neuroradiology) confirmed Sunday 2PM call re: Dec 31 MRI
- Critical next step for hydrocephalus treatment path (shunt/ETV consideration)

**Pattern:** Detailed documentation + expert network access = advocacy infrastructure functioning as intended.

### 🛡️ Security Posture: Shannon Deployment

Shannon autonomous pentester was deployed on Amsterdam VPS — now decommissioned:
- Amsterdam VPS (82.24.174.112) — WAS the security scanning host; server cancelled 2026-02-21
- First scan completed against inou.com portal
- Fireworks K2.5 cost: ~$0.50 vs traditional pentest costs
- Demonstrates security tooling becoming routine rather than exceptional

**Evolution:** Security scanning transitioning from external service to integrated, continuous capability.
### 📱 Alert Dashboard Evolution

Fully Kiosk dashboard (port 9202) underwent significant refinement:

- **Purpose clarified:** Johan's unified inbox/notification center — everything surviving triage surfaces here
- Visual redesign: Sora font, Braun/mid-century aesthetic, warm gold (#c8b273) accents
- **Pulse-ox camera integration:** MJPEG stream from Tapo camera (192.168.2.183), 7pm-8am visibility
- **Long-press to dismiss:** 300ms hold marks done (dim + strikethrough, auto-purge after 2h)
- **Three-tier priority:** critical (red), warning (amber), info (gold)

**Key decision:** Desk layout reorganized — Fully dashboard promoted to center position as primary information surface.

### 💡 Memory Discipline Correction (Feb 15)

Major correction added to AGENTS.md: **Mandatory memory_search before responding.**

**The problem wasn't search quality — it was usage discipline.**
- Existing `memory_search` works well (Gemini embeddings, 0.80+ relevance scores)
- Gap: I wasn't consistently calling it before responding
- Johan's framing: "I will write the number down if I think it is important" — hybrid approach (explicit + retrieval)

**New rule:** Self-recovery sequence when context is lost — session history → memory files → transcript search → reconstruction. Never ask Johan for information that's in my systems.

---

## Recent Events (Week of Feb 9-15, 2026)

### 🏠 851 Brightwaters — LISTED at $7.25M
- Diana Geegan (Keller Williams) listing LIVE on Zillow
- Listing agreement signed Feb 12 (Johan, Tanya, Diana)
- Fidelity net at close: ~$6,331,350 (after ~$196K back taxes 2023-2025)
- David Reider Esq recommended for closing due to back taxes
- 7 real estate docs in document inbox (disclosures, MLS forms, listing agreement)
- GenerX generator service appointment was Feb 14

### 🚨 Baycare Ventilator Fraud — CRITICAL (Feb 14)
- Baycare billing HCPCS E0465 (home ventilator) at $3,125/month
- **Sophia does NOT have a ventilator. Off vent since Nov 2022.**
- Jan + Feb 2026 claims: $6,250 billed (E0465)
- Potentially ~$118,750 in fraudulent charges over ~38 months
- Formal complaint drafted: `~/documents/records/medical/baycare-ventilator-fraud-complaint-2026-02-14.md`
- Strategy: Don't pay, let them escalate, documentation ready

### 📞 Dr. Neel Madan — Call TODAY (Sunday) 2PM
- Confirmed call re: Sophia's Dec 31 MRI review
- Critical next step for hydrocephalus treatment path

### 💻 Architecture Overhaul (Feb 13)
- Promoted to **Chief of Staff** — strategic partner, not assistant
- Email triage moved from main session → mail agent (MC calls Fireworks K2.5 directly)
- Session reset moved 4am → 9pm (aligned with Johan's first sleep block)
- Context pruning enabled (cache-ttl, 5min)
- Cron consolidation: 350 sessions/day → ~43
- K2.5 Watchdog killed (dead agent, phantom sessions)
- MANDATORY memory_search rule added to AGENTS.md

### 📱 Verizon Switch (Feb 13) + iPhone 17 Migration (Feb 19)
- 4 new lines, 4 iPhones (3x iPhone 17, 1x iPhone 16 Plus), all $0/mo with 36-month promo
- Monthly: ~$170.97. Johan's number 727-225-2475 porting from Mint Mobile
- New numbers: 727-225-3810, 727-307-3952, 727-358-1196
- **Johan moved to iPhone 17 as primary device (Feb 19 2026) — still migrating**
- ntfy app on iPhone: subscribed to `forge-alerts` and `inou-alerts`

### 🏢 Kaseya Device Policy (Feb 13)
- CISO mandated: only Kaseya-issued devices on corporate network
- Johan uses personal Mac Mini for everything — impacted
- Has XPS14 laptop (hates it). Recommended requesting MacBook Pro
- **M365 API workaround built:** Device code OAuth → pure curl, no browser needed
- Token: `~/.message-center/m365-token.json`
- Watch for: Conditional Access (Intune) deployment that would kill cloud access too

### 🖥️ ThinkPad X1 (2019) — Ubuntu 24.04 Desktop
- IP: 192.168.0.223 (WiFi) — was 192.168.0.211 previously
- OS: Ubuntu 24.04 desktop (not headless)
- SSH key: `johan@thinkpad-x1` (added to forge authorized_keys Feb 18 2026)
- RDP to ThinkPad X1 via xfreerdp on Xvfb:99
- Real Chrome on Xvfb:99 (port 9224) for WAF-protected sites
- myCigna autonomous login achieved: Chrome + 2FA via MC email grab

### Shannon VPS (82.24.174.112) — ⚰️ DECOMMISSIONED 2026-02-21
- All services removed. Cancellation submitted to HostKey. DNS cleaned. Nothing left there.

### Alert Dashboard (Fully Kiosk Tablet)
- Built and deployed on port 9202
- Analog clock, calendar, SSE push alerts with sound
- Fire tablet as alert display for Johan

### 📊 Azure Backup — ⚠️ EXPIRING
- **Free account expires ~Feb 27!** Still needs `az login` MFA from Johan

### Infrastructure
- Docker containers updated weekly on 192.168.1.253
- HAOS 17.0 → 17.1 (installing Feb 15)
- MC performance issue: queries taking 15-16s (needs investigation)
- OCR service: works but slow on full-page docs (~90s per page at 150dpi)

---

## Recent Events (Week of Feb 16-20, 2026)

### ✈️ Johan in NYC (Feb 19-20)
- Flew Delta TPA→JFK Feb 19 (conf F86VDN). Return flight DL2093.
- Not home → no Sophia night shift coverage from Johan during NYC stay

### 🏗️ Zurich Full Infrastructure Rebuild (Feb 19)
Major overnight event — Zurich services were broken/missing, rebuilt from scratch:
- **Caddy** installed, owns port 443
- **Stalwart mail** migrated from Amsterdam (19GB RocksDB). mail.inou.com + mail.jongsma.me → Zurich
- **Proton Bridge DISABLED** — MC now connects directly to Stalwart (mail.jongsma.me:993)
- **Vaultwarden** deployed at vault.jongsma.me (fresh, no data yet)
- **ntfy** fresh install — new token `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Uptime Kuma** fresh install — 0 monitors (all 8 lost, awaiting Johan's OK to rebuild)
- **Shannon** fully removed from Amsterdam
- Amsterdam Stalwart: stopped + disabled (data preserved)

### 🌐 DNS Mass Fix (Feb 19)
6 domains had wrong Cloudflare NS (aryanna/sage → arvind/wren) + dead DNSSEC. All fixed:
- harryhaasjes.nl, johanjongsma.nl, localbackup.in, stpetersburgaquatics.com, x4.trading, 851brightwaters.com

### 📬 Harry Haasjes Setup (Feb 19)
- harryhaasjes.nl: "coming soon" placeholder live on Zurich
- harry@harryhaasjes.nl: Stalwart account + catch-all
- SFTP: harry-web / HarryWeb2026! (chrooted). Instructions sent to Harry in Dutch.
- Harry is NOT technical — all comms in simple language, no jargon

### 👨‍👩‍👧 Family Signal + Email Status (Feb 19)
- **Roos** (+31646563377): Signal ✅ + Stalwart email ✅
- **Jacques** (+31624403744): Signal ✅ + Stalwart email ✅
- **Misha** (+17272381189): Signal pairing pending ⏳

### 🤖 MiniMax M2.5 (Feb 20 — worth evaluating)
- Released Feb 11, 2026 by Shanghai-based MiniMax
- 230B MoE open-weight. 80.2% SWE-Bench Verified. Claims to beat Claude Opus on coding.
- ~100 tok/s, ~$1/hr — 1/20th Opus cost
- Currently free on kilocode/opencode → dominating OpenRouter rankings
- **Potential K2.5 replacement for grunt-work subagents** — Johan to evaluate

### 📱 iCloud Contacts
- final.vcf ready: `/home/johan/clawd/tmp/contacts/final.vcf` (~2,200 clean contacts)
- Johan to SCP to Mac → import at icloud.com/contacts

### 🏠 Real Estate
- 851 Brightwaters listed at $7.25M. Diana Geegan (KW). Showing Feb 16: buyers liked exterior, disliked modern interior.
- Johan in NYC, may have meetings related to this

---

## 🗓️ Recent Events (Feb 21, 2026)

### 🗑️ Amsterdam VPS Fully Decommissioned (Feb 21 00:02 ET)
- All services removed, DNS deleted, HostKey cancellation submitted (API bug — Johan must confirm manually at panel.hostkey.com key=639551e73029b90f-c061af4412951b2e)
- **MEMORY.md, SOUL.md, infrastructure.md** all updated to remove Amsterdam refs

### 📦 inou MCP Bundle Removed (Feb 21 ~00:50 ET)
- Johan: "inou is fully server-based, no mcpb anymore"
- Removed inou MCP Bundle check from `check-updates.sh` (~30 lines)
- Deleted `inou-mcp/` directory (manifest.json + server binary)
- No more nightly 404 to `inou.com/download/inou.mcpb`

### Dealspace (~/dev/dealroom, port 9300)
- Go app, templ templates, SQLite — Misha's M&A data room platform (started Feb 15)
- **Owner:** Misha Muskepo (michael@muskepo.com). Johan is advisor. James is architect/builder.
- **Tech stack:** Go + templ + HTMX + SQLite + Tailwind — single binary, server-rendered
- Admin: `misha@muskepo.com` / `Dealspace2026!` (owner role)
- **Features (Feb 22 UX overhaul):** deal rooms, request lists with Atlas AI assessment, buyer/seller view toggle (owners can switch views), per-deal analytics/audit/contacts, search, real auth (bcrypt, no demo login)
- No public domain yet — local at http://192.168.1.16:9300
- Architecture: inou pattern (centralized RBAC bitmask, entries table, AES-256-GCM encrypted files)

### Home DNS = AdGuard
- Johan's home DNS resolver is **AdGuard Home** (not just HA at 192.168.1.252)
- AdGuard had a DNS rewrite rule for `*.jongsma.me` → home IP
- Cache flush alone doesn't clear rewrite rules — must remove in AdGuard UI: Filters → DNS rewrites
- Wildcard `*.jongsma.me` DNS record removed from Cloudflare (Feb 22)

### Stalwart Webmail = Admin Only
- Stalwart v0.15.5 (latest as of Feb 22) — no user webmail built in
- Web UI at port 8880 = admin panel only
- All popular self-hosted webmail (Roundcube, SnappyMail) is PHP

### 🛠️ Cron Jobs Cleaned Up (Feb 21)
- **Evening Briefing**: Removed dead "Shannon status on Amsterdam" check (step 5)
- **Weekly Security Scan**: Fixed broken model (`claude-sonnet-4-20250514` → `claude-sonnet-4-6`), removed `amsterdam.inou.com` from scan targets
- **Watchdog (K2.5)**: Removed Claude usage block that was posting to Fully tablet (9202) — banned per new rules

### ⚠️ sessions_spawn Broken (Feb 21)
- OC security rejecting `ws://192.168.1.16:18789` (non-loopback, requires `wss://`)
- Subagent spawning from heartbeat/conversation sessions fails
- Cron jobs still work (they're internal to gateway)
- Needs fix: update gateway URL to `wss://` or configure local tunnel

### 📱 M365 Teams Alerts on Fully = Intentional
- Johan confirmed: Teams chats on Fully dashboard are desired — they trigger him to check Teams
- Backfill on token refresh is minor annoyance (old messages appearing late)
- Source: `message-center` M365 connector polls `johan.jongsma@kaseya.com` every 60s

### 🍽️ S2M3 Consulting Vendor Lunch (Feb 21)
- Appeared as Fully alert from Kaseya email: "Executive lunch at Steak 48, Beverly Hills, March 5th"
- Cold outreach from `events@s2m3consulting.com` — IT cost optimization vendor pitch
- Not a Kaseya-organized event. Register at s2m3consulting.com/cost-optimization-beverly-hills/

---

## Weekly Insights (Feb 9-15, 2026)

### 🧠 Architectural Maturity (Feb 13 Breakthrough)

The major infrastructure overhaul on Feb 13 marks a significant maturation in our operational model:

**Key Insight:** Johan's principle "attack problems at their source" drove systemic changes rather than band-aid fixes:
- Email triage moved from polluting main session → embedded in Message Center (K2.5 direct calls)
- Session management aligned to Johan's actual schedule (9pm reset vs 4am)
- Context pruning enabled to prevent compaction pressure
- Cron job rationalization (350 sessions/day → 43)

**This represents a shift from reactive firefighting to proactive system design.**

### 🔍 Pattern: Corporate Policy Adaptation

Kaseya's "corporate devices only" policy (Feb 13) triggered immediate technical adaptation rather than workflow disruption:
- M365 API integration built within hours
- OAuth token flow bypassing browser/device restrictions
- Separation of personal/corporate network access

**Lesson:** Regulatory/policy changes are technical problems with technical solutions, not business process disruptions.

### 💡 Memory Recovery Principles (Feb 15 Correction)

Major correction on session recovery discipline: When context is lost, **always exhaust self-recovery before asking Johan for info**:
1. Check session history (`sessions_history`)
2. Search memory files
3. Search transcripts via `memory_search`
4. Reconstruct from available data

**This correction reflects the core COS responsibility: memory protection is job #1.**

### 🏥 Medical Case Management Evolution

Two critical developments show the medical advocacy infrastructure maturing:
1. **Baycare fraud discovery** — systematic claim analysis revealing $118K+ in fraudulent ventilator billing
2. **Dr. Madan engagement** — hydrocephalus expert review process advancing toward definitive treatment

**Pattern:** Detailed documentation + expert network access = advocacy infrastructure working as designed.

### 🛡️ Security Posture Integration

Shannon's successful deployment and scan completion demonstrates security tooling becoming routine rather than exceptional:
- Automated pentest against inou.com portal
- Cost-effective (K2.5 @ ~$0.50 vs traditional pentest costs)
- Findings properly categorized and documented

**Evolution:** Security scanning transitioning from external service to integrated capability.

---

## Recent Events (Week of Feb 15-22, 2026)

### 🏗️ New Project: Dealspace / Deal Room (Feb 15-22)
- Misha (Johan's son) + PE contacts built Lovable prototype for M&A investment banking data rooms
- James is architect/builder. Full Go + templ + HTMX + SQLite app built in one session.
- Feb 22 UX overhaul: production bcrypt auth, view toggle (owner↔buyer), search, per-deal analytics
- Live at http://192.168.1.16:9300. No public domain yet. Admin: misha@muskepo.com / Dealspace2026!

### 📬 Email Infrastructure Completion (Feb 18-19)
- **MX flipped Feb 18 3PM ET** — all @jongsma.me mail now routes to Stalwart (mail.jongsma.me)
- Proton Bridge fully disabled. MC connects directly to Stalwart (mail.jongsma.me:993).
- SMTP security complete: SPF, DKIM (ed25519), DMARC p=reject for both jongsma.me and inou.com
- Family email live: Roos, Jacques, Misha, Tanya all on Stalwart. Migration deadline for Proton → 3/15.

### 🤖 Telegram Primary Channel (Feb 18)
- @jamesjongsma_bot is live and confirmed working
- Johan is @johanjongsma on Telegram (ID: 8454563068)
- Briefings now go to Telegram with rich Markdown format

### 🏠 Real Estate Update (Feb 16)
- 851 Brightwaters showing: Sarasota buyers (Bird Key homeowners) liked exterior, disliked modern interior
- Diana Geegan waiting for buyer response. No offer reported.
### ✈️ Johan NYC Day Trip (Feb 19)
- Delta TPA→JFK (DL2475, 7:16AM), return JFK→TPA (DL2093, 2:59PM). Conf: F86VDN

### 📱 Claude Sonnet 4.6 Released (Feb 17)
- 1M context (beta), adaptive thinking, context compaction (beta)
- $3/$15 per M tokens — now our default model

### 🧠 OpenClaw 2026.2.21 (Feb 21)
- Gemini 3.1 support, 100+ security hardening fixes, Discord voice/streaming, thread-bound subagents
- Two patches still need reapplication (see OpenClaw Patches in Infrastructure)

### 💳 Verizon First Bill (Feb 21)
- $343.80 due March 4, 2026. 3 lines: iPhone 17 (225-3810), iPhone 16 Plus (307-3952), iPhone 17 (358-1196)
- Enroll Auto-Pay to save $30/mo

### 🚫 SnappyMail Abandoned (Feb 22)
- Deployed SnappyMail on Zurich → hours debugging PHP-FPM SocketReadTimeout connecting to Stalwart via Docker hairpin NAT
- Root cause never definitively solved; Johan killed it: "Not worth this many tokens"
- Lesson: all popular self-hosted webmail is PHP; hairpin NAT + PHP-FPM SSL = pain
- **No webmail for jongsma.me** — users access via iPhone Mail or native clients
- DNS + Caddy + Docker fully cleaned up

### 🏗️ Dealspace View Toggle (Feb 22)
- Added owner↔buyer view toggle so sellers can preview what buyers see (same session, no separate login)
- Production-ready: bcrypt auth, demo route removed, Misha admin confirmed working

### 🐳 Weekly Docker (Feb 22 Sunday)
- HAOS: v17.1, no update needed
- Immich, ClickHouse, Jellyfin, Signal: all updated on 192.168.1.253
- qbittorrent-vpn: pulled only

### ✅ sessions_spawn Scope Issue — RESOLVED (Feb 22)
- sessions_spawn confirmed working. The top-level `scopes` key the watchdog was patching is irrelevant metadata; real auth uses `tokens.operator.scopes` (always intact). Watchdog stopped and disabled — was fighting the gateway for nothing.
- Gateway bind `custom/0.0.0.0` + correct token scopes = sessions_spawn working from conversation sessions.
---

## Weekly Synthesis — Feb 16-22, 2026

### 🏗️ Infrastructure: The Great Consolidation

Completed a 3-week migration arc: Proton Mail → Stalwart (self-hosted), Amsterdam VPS → Zurich, family Signal/email onboarding. Feb 19 overnight Zurich rebuild was messy but successful — Caddy, Stalwart, Vaultwarden, ntfy, Kuma all consolidated with proper TLS.

**Key insight:** Large migrations expose phantom infrastructure. Zurich "had" Caddy (in notes) but didn't. Stalwart claimed port 443. Home Caddy's HSTS blocked vault.inou.com. Fixed at source, not worked around.

### 🔄 Architecture: Sessions Are Not Free

Feb 18 heartbeat redesign cut token burn 90%+: 148k tokens/check → ~5k. Principle: **main session is for conversations, not background work**. Isolated cron sessions with minimal context, subagents for anything parallel.

### 🎵 Voice: Infrastructure Validated, Awaiting Go-Live

Fish Audio S1 (Adrian voice) → mp3 → Fully Kiosk tablets pipeline proven. Office tablet reliable; master bedroom needs Fully REST. Blocker: Tanya buy-in before home-wide deployment. Persistent TTS service needed (not ad-hoc Python server).

### 📊 Models: The Open-Weight Surge

MiniMax M2.5 (230B MoE, 80.2% SWE-Bench, ~$1/hr) dominates OpenRouter. 4 of top 5 models now open-weight. Gap vs proprietary closing fast. AirLLM proved forge's GTX 970 runs 70B at ~6s/tok via layer offloading — local medical analysis now viable.

### ⚠️ Risk: OpenClaw Auth = OAuth Max Subscription

Claude Max OAuth token means Anthropic could cancel Johan's subscription. Decision pending: API key switch, OpenRouter, or accept risk. Worth resolving before outage.

### 🛠️ Pattern: "It Should Not Be This Complicated"

SnappyMail webmail deployment: 4 hours debugging PHP-FPM, Docker hairpin NAT, SSL timeouts. Johan killed it — correctly. When debugging cascades, step back and question if the feature is needed. Stalwart has no user webmail; native clients (iPhone Mail) are fine.
### 📝 Technical Debt: sessions_spawn Still Broken

Gateway security rejects ws://192.168.1.16 (non-loopback). Cron jobs work (internal), but conversation-session subagent spawning fails with "pairing required" (1008). Watchdog service fixes scope stripping, but bind/SSL issue remains. TODO: wss:// or local tunnel.

### 👨‍👩‍👧 Family Systems: Operational
- Signal: Roos ✅, Jacques ✅, Misha ⏳ (pairing pending)
- Stalwart email: All 5 family accounts live. Login inconsistency: tj/johan use short names, Jacques/Roos use full email. Don't change without coordinating active clients.
- Telegram: @jamesjongsma_bot primary channel since Feb 18.

### 🎯 New Project: Dealspace (Misha's M&A Data Room)

Go + templ + HTMX + SQLite. Production auth, view toggle (owner↔buyer), Atlas AI integration. http://192.168.1.16:9300. No public domain yet. Architecture: inou pattern (RBAC bitmask, entries table, AES-256-GCM files).

---

## Access URLs
- Web UI: `https://james.jongsma.me/?token=`
- Gateway token stored in: `~/.clawdbot/clawdbot.json` under `gateway.auth.token`

---

## Recent Events (Week of Feb 22-28, 2026)

### 🚀 Dealspace / muskepo.com — LIVE (Feb 28 overnight)
Full M&A deal workflow SaaS built from scratch in one night.
- **URL:** muskepo.com (live, TLS via Caddy on Shannon VPS 82.24.174.112)
- **Shannon VPS:** Hostkey, 82.24.174.112, root pw: gUB-C63-EN, paid till 2026-04-09
- **Git:** `git@zurich.inou.com:dealspace.git` | Local: `/home/johan/dev/dealspace/`
- **Architecture:** Go binary, SQLite, Caddy proxy, `make deploy` for updates
- **Auth:** Email OTP + backdoor code **220402**. Super admins: michael@muskepo.com, johan@jongsma.me
- **Data model:** entry-based (inou-inspired), project → workstream → list → request/answer. Organizations with domain lock.
- **FIPS 140-3:** AES-256-GCM, HKDF-SHA256, blind indexes
- **Security hardened (Feb 28):** OTP timing attacks fixed, CORS locked, security headers added
- **Tests:** 83 passing (100%). Smoke test: 14/14 PASS.
- **Missing (as of Feb 28):** invite flow, SMTP config, 2 API endpoints
- **Owner:** Misha Jongsma (michael@muskepo.com). Johan = advisor. James = architect/builder.
- **Name:** muskepo.com is placeholder — Misha hasn't picked final name/domain

### 🔐 Vault1984 — New Project (Feb 28 afternoon)
Personal password manager for humans with AI assistants. L1 (server key) + L2 (WebAuthn PRF client-side).
- **Port:** 1984 (Orwell — intentional)
- **Git:** `git@zurich.inou.com:vault1984.git` | Local: `/home/johan/dev/vault1984/`
- **Running:** `http://192.168.1.16:1984`
- **Entry model:** Free-form fields, `l2:true` per field, `section` for grouping
- **Import:** Chrome/Firefox CSV, Bitwarden JSON, Proton Pass JSON. LLM fallback for unknowns.
- **Scoped MCP tokens:** Per-token tag/entry whitelisting (key feature for multi-agent swarms)
- **Day 2 pending:** WebAuthn PRF, L2 client-side encrypt, Caddy proxy, systemd service
- **Import pending:** Johan's actual 12,623 entries from Proton Pass

### 🛑 Azure Backup — ABANDONED (Feb 28)
- Project cancelled. Local: `azure-backup-abandoned-20260228`. Remote deleted from Zurich.

### 🔒 inou Security Fixes (Feb 28)
- Auth backdoor (code 250365) REMOVED from `lib/dbcore.go` — CRITICAL
- CORS wildcard → allowlist (inou.com, localhost, capacitor)
- LOINC matching bug FIXED in `lib/normalize.go`
- 59 test functions written (57 passing). Commit: 155d24e

### 🌍 Operation Epic Fury — US Strikes Iran (Feb 28)
- White House + CENTCOM confirmed. Iran internet ~98% down (Cloudflare Radar).
- Signaled Johan at 15:41 ET.

### 🤖 Taalas / ChatJimmy (chatjimmy.ai)
- Toronto startup. HC1 chip: Llama 3.1 8B hard-coded in silicon. 17,000 tok/s.
- $30M of $200M raised spent. HC2 (70B) will be real test. Worth watching.

### 📡 Signal → RETIRED (2026-03-01)
Telegram is sole channel going forward. Signal bot number +31634481877 still exists but no longer used for briefings/alerts.
- **Briefings:** Telegram (@jamesjongsma_bot)
- **Alerts:** ntfy (`forge-alerts` for infra, `inou-alerts` for inou)

### 📦 DocSys LIVE (2026-02-25)
- **Source:** `/home/johan/dev/docsys/` | **Port:** 9201 | **URL:** `http://docsys.jongsma.me`
- **Vision model:** `qwen3-vl-30b-a3b-instruct` (Fireworks) — ~40s/page, preserves language
- **Classify model:** `kimi-k2-instruct-0905`
- **Data:** `/srv/docsys/` | **SMB inbox:** `\\192.168.1.16\docsys`
- Delete button exists at `/document/{id}` — no new services needed

### 📊 Dealspace AI Matching LIVE (Feb 25)
- `responses` + `response_chunks` + `request_links` + `assignment_rules` tables
- Fireworks: Llama 90B Vision for extraction, nomic-embed-text-v1.5 for embeddings
- 0.72 cosine threshold, human confirmation required. Commit: `9cbd6db`

### 🔑 Pending: Vault1984 + Dealspace
- [ ] Vault1984 Day 2: WebAuthn PRF + scoped tokens + Caddy proxy + systemd
- [ ] Import Johan's 12,623 entries into Vault1984
- [ ] Dealspace invite flow + SMTP config
- [ ] Misha hasn't picked final domain/name for muskepo.com
- [ ] AlexFinn Discord server (multi-agent credential use case for Vault1984)

---

## Health Link Invoices Outstanding (2026-02-23)
- **#000057 — $71.90 UNPAID:** https://app.squareup.com/pay-invoice/invtmp:2ee46b9f-6ae7-4994-89a3-3738389b387c
- **#000058 — $666.90 UNPAID:** https://app.squareup.com/pay-invoice/invtmp:8ad13f1f-a086-4e1c-a87e-455a6f27d869
- Remove this entry once Johan confirms payment

## Stalwart Spam Filter — Reconfigured 2026-02-23
Final architecture (after painful debug session):
- **DMARC+DKIM pass → INBOX** (score -150, Sieve: keep; stop)
- **Everything else → Junk** (Sieve: fileinto "Junk Mail")
- Bayes: DISABLED
- DMARC_POLICY_ALLOW = -100, DKIM_ALLOW = -50
- Sieve deployed on tj@jongsma.me + johan@jongsma.me
- trusted-domains: squareup.com, messaging.squareup.com, amazonses.com
- **DO NOT re-enable Bayes without proper training plan**
- **DO NOT lower DMARC/DKIM scores — they are intentionally high**

## Google Antigravity — DEAD (2026-02-24)
- Token expired Feb 19, refresh fails — Google revoked/banned the Antigravity OAuth app
- `google-antigravity:johan@jongsma.me` profile in OC has credentials but can't refresh
- **inou unaffected** — uses direct Gemini API key (`AIzaSyAsSUSCVs3SPXL7ugsbXa-chzcOKKJJrbA`), confirmed working
- Johan: "I don't mind." Not a priority to fix.

## ClawHub Malware Incident (2026-02-24)
- #1 most downloaded skill was SSH key stealer + reverse shell via prompt injection in SKILL.md
- ~20% of ClawHub skills were malware (1,184 bad). OC 2026.2.23 exec hardening is the response.
- **We are safe** — only use built-in OC skills + manually written `~/clawd/skills/`. Zero ClawHub installs.
- SkillSMP.com = third-party marketplace filling the gap. Treat all third-party skill sources as hostile.

## inou Labs — LOINC Matching Bug (OPEN)
- Symptom: "pretty charts" not showing in Labs; LOINC matching not working
- Root cause: 0 lab entries in prod DB have `data["loinc"]` set; `buildLabRefData()` returns `{}`
- `Normalize()` skips all entries (thinks they're done because `SearchKey2` is set)
- reference.db has 448 lab_test + 1551 lab_reference entries — data is there
- Gemini API key valid (200 confirmed)
- **Fix needed**: force re-normalize or fix `buildLabRefData` to fall back to `e.SearchKey` (which IS the LOINC code)
- **Server**: 192.168.1.253, `/tank/inou/`

## DealRoom — Misha Requests (2026-02-24)
- Claude Code agent shipped most of spec, commit `24f4702`, pushed to Zurich
- **3 gaps remaining** (need another agent run):
  1. Per-group folder visibility checkboxes (spec 2.e.i.2)
  2. Saved folder structure templates with reuse (spec 2.f.i.2.i)
  3. Auto-assign review step — currently fires silently, needs user review UI (spec 3.b.2)

## DealRoom — AI Matching / Responses Shipped (2026-02-25)
- Claude Code agent built and deployed AI document response matching in ~12 minutes. Commit: `9cbd6db`
- **What shipped:** `responses` + `response_chunks` + `request_links` + `assignment_rules` tables
- Fireworks: Llama 90B Vision for extraction, nomic-embed-text-v1.5 for embeddings
- Async worker (2 goroutines), cosine similarity at 0.72 threshold, human confirmation required
- Per-deal keyword→assignee assignment rules, auto-assigns on import
- **Pending Misha:** Upload XLSX files to test, define assignment rules for Project Muskepo

## DocSys — Personal Document Management (2026-02-25)
- **Source:** `/home/johan/dev/docsys/` (Go, chi router, mattn/go-sqlite3)
- **Port:** 9201 — main UI at `http://docsys.jongsma.me` (Caddy proxy)
- **Data:** `/srv/docsys/` — inbox, store, records, index
- **DB:** `/srv/docsys/index/docsys.db` (SQLite with FTS5)
- **Inbox:** `/srv/docsys/inbox/` — drop files here, watcher picks them up automatically
- **SMB share:** `\\192.168.1.16\docsys` → inbox (scanner deposits here)
- **Build:** `CGO_ENABLED=1 PATH=$PATH:/home/johan/go/bin:/usr/local/go/bin go build -tags "fts5" -o docsys .`
- **Deploy:** `systemctl --user restart docsys`
- **Extraction:** `qwen3-vl-30b-a3b-instruct` (Fireworks) for all vision/OCR → ~40s/page, works first try, preserves original language; text classifier uses `kimi-k2-instruct-0905`
- **Fallback path (kept):** If vision returns no JSON → AnalyzePageOnly (plain text) + AnalyzeText (classify)
- **Delete button:** Exists on document detail page `/document/{id}` in the main UI. Do NOT build new services/UIs for this.
- **⚠️ Lesson:** A previous session built a whole new `docproc` service (port 9900) when Johan asked for a delete button. Johan killed it. Never build new apps/services for simple UI additions.

## New Models/Releases (2026-02-26)
- **OpenClaw 2026.2.25**: heartbeat DM fix, subagent overhaul, Slack thread fixes, 30+ security hardening fixes. Patches (deleted transcript indexing) may need reapplication after update.
- **Qwen 3.5** (Alibaba, 35B/122B/27B): rivals Sonnet 4.5, runs on 32GB RAM → relevant for Johan's M4 Max for local inference
- **Gemini Nano Banana 2**: Pro quality at Flash speed, free tier — worth evaluating for inou

## Andrew/Spacebot Update (2026-02-26)
- **Updated 2026-02-26 04:20 ET** (digest 5b95f7e0, was v0.1.15), Claude Sonnet 4.6 via Anthropic OAuth, config at `/home/johan/spacebot-config.toml` on 192.168.1.17
- **Worker dispatch broken**: channel calls reply() and stops — no workers ever spawned for multi-step tasks. Revisiting 2026-03-03.
- **PR #193 open**: https://github.com/spacedriveapp/spacebot/pull/193 — two UI fixes, maintainer positive ("very helpful change")
- **Johan's take**: "Foundation is a LOT better than OpenClaw" — Rust, Lance vectors, true concurrency
- **Fireworks valid key**: `fw_RVcDe4c6mN4utKLsgA7hTm` (the other one `fw_TGADpSki7zak4K9JxPzbXU` is expired/invalid)
- **Health Link invoices outstanding**: #57 ($71.90) and #58 ($666.90) — see MEMORY.md health link section
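The "inou pattern" that the Dealspace and Vault1984 notes above both inherit (entries table, AES-256-GCM, HKDF-SHA256 subkeys, blind indexes) as an added worked example in Go; this is illustration code written for this memory file, not inou's, Dealspace's or Vault1984's source. The HKDF info labels, the case/whitespace normalization rule, the `entry:<id>` AAD binding and the 32-byte sample key are assumptions, and the blind index is the generic keyed-HMAC construction rather than the projects' specific schema.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Entry is one stored row; Vault holds the HKDF-derived subkeys (the master key never touches data).
type Entry struct {
	ID         int
	Ciphertext []byte // nonce || AES-256-GCM(value), with the row id bound in as AAD
	BlindIndex string // hex(HMAC-SHA256(indexKey, normalized value)): lookup without decrypting
}
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
	entries  []Entry
}

// hkdf32 is RFC 5869 HKDF-SHA256 for one 32-byte output block (zero salt); written out so nothing outside the stdlib is needed.
func hkdf32(ikm []byte, info string) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // extract: PRK = HMAC(zero salt, IKM)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write([]byte(info))
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// NewVault derives independent encryption and blind-index keys; the info labels are assumptions for this example.
func NewVault(masterKey []byte) (*Vault, error) {
	if len(masterKey) < 32 {
		return nil, errors.New("master key must be at least 32 bytes")
	}
	block, err := aes.NewCipher(hkdf32(masterKey, "example/entry-encryption/v1"))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, indexKey: hkdf32(masterKey, "example/blind-index/v1")}, nil
}

// BlindIndex is a keyed hash of the normalized value (assumed rule: case/whitespace insensitive); unlike a plain SHA-256 it reveals nothing without indexKey.
func (v *Vault) BlindIndex(value string) string {
	h := hmac.New(sha256.New, v.indexKey)
	h.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(h.Sum(nil))
}
func aad(id int) []byte { return []byte(fmt.Sprintf("entry:%d", id)) }

// Put encrypts under a fresh random nonce and binds the ciphertext to its row id via AAD.
func (v *Vault) Put(value string) (int, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return 0, err
	}
	id := len(v.entries) + 1
	ct := v.aead.Seal(nonce, nonce, []byte(value), aad(id))
	v.entries = append(v.entries, Entry{ID: id, Ciphertext: ct, BlindIndex: v.BlindIndex(value)})
	return id, nil
}

// Get decrypts one row; an edited ciphertext, or one copied in from another row, fails authentication.
func (v *Vault) Get(id int) (string, error) {
	ns := v.aead.NonceSize()
	for _, e := range v.entries {
		if e.ID == id && len(e.Ciphertext) > ns {
			pt, err := v.aead.Open(nil, e.Ciphertext[:ns], e.Ciphertext[ns:], aad(id))
			return string(pt), err
		}
	}
	return "", errors.New("entry missing or malformed")
}

// FindIDs is the equality query: compare blind indexes in constant time, decrypt nothing.
func (v *Vault) FindIDs(value string) (ids []int) {
	want := v.BlindIndex(value)
	for _, e := range v.entries {
		if hmac.Equal([]byte(e.BlindIndex), []byte(want)) {
			ids = append(ids, e.ID)
		}
	}
	return ids
}
func main() {
	v, _ := NewVault([]byte("constructed-32-byte-master-key!!")) // constructed sample key, not a real secret
	id, _ := v.Put("Alice@Example.com")
	fmt.Println("row", id, "found by blind index:", v.FindIDs(" alice@example.com "))
}
```

The AAD is what makes a row swap detectable: with one key shared across rows, an encrypted field moved from one row to another would otherwise still decrypt.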