# 2026-03-02 Daily Notes

## vault1984 — Late night session (00:30–01:30 ET)

### Architecture decision: Two separate Go binaries
- **vault1984** (`/home/johan/dev/vault1984`) — pure vault server binary. Runs in each AWS region. No billing, no marketing, no website.
- **vault1984-web** (`/home/johan/dev/vault1984-web`) — marketing website. Go binary serving static HTML from embed.FS. Runs on vault1984.com.
- Johan was clear: "the website will run its own Go, as we need login, billing etc etc"
- Previous session had created a mess by embedding both into the same binary.

### vault1984-web: Python server killed, replaced with Go
- Was running `python3 -m http.server 8099` (previous session left it). Johan: "python!? Are you kidding me?"
- Replaced with Go binary (`main.go` + `//go:embed *.html *.svg *.css`)
- Systemd service: `~/.config/systemd/user/vault1984-web.service`, port 8099
- Caddy proxies vault1984.com → 8099
- Committed to `git@zurich.inou.com:vault1984-web.git`

### hosted.html — Global infrastructure map
- Lives in `vault1984-web/`, served at vault1984.com/hosted.html
- Shows all 31 real AWS commercial regions on animated world map SVG
- Zürich highlighted in gold as HQ node
- **Bug fixed: Beijing removed** — `cn-north-1` is China partition (separate AWS account, Sinnet-operated). NOT a commercial region.
- **Added:** `mx-central-1` (Mexico City, 2023) and `ap-southeast-5` (Malaysia/KL, 2024) — both real commercial regions
- The detailed world map SVG lives in the original `vault1984-web/hosted.html` — do NOT replace with simplified blob paths

### vault1984 binary — partial mess still present
- Previous session added `cmd/vault1984/website/` (copy of marketing HTML) and updated routes.go to serve both
- This needs to be reverted — `vault1984` should be pure vault server, no marketing HTML
- TODO: revert routes.go and main.go changes, delete cmd/vault1984/website/

### AWS region knowledge
- 31 commercial regions as of early 2026 (not 30)
- China regions (`cn-north-1` Beijing, `cn-northwest-1` Ningxia) are a SEPARATE partition — not deployable with normal AWS account
- GovCloud regions also excluded from vault1984 deployment
- Newest regions: `mx-central-1` (Mexico, 2023), `ap-southeast-5` (Malaysia, 2024)
- GCP ARM doesn't go below t2a-standard-1 (1 vCPU, 4GB RAM) — AWS Graviton unique in offering ARM at nano size (0.5GB)

## vault1984-web map work (01:30–02:20 ET)

### Two hosted.html files — don't confuse them
- **vault1984-web/hosted.html** — what vault1984.com actually serves (via port 8099). Old "Hostkey" era text. Has worldmap.svg. THIS is the file we edit.
- **vault1984/website/hosted.html** and **vault1984/cmd/vault1984/website/hosted.html** — dead copies with "Everywhere you are" / "30 AWS regions" text. NOT served. Ignore them.
- Earlier screenshots showed the cached "30 AWS regions" version from the headless browser — that was stale cache, not live content.
### worldmap.svg architecture
- Geography SVG paths (133KB) extracted to `/home/johan/dev/vault1984-web/worldmap.svg`
- Loaded via `` inside the SVG element
- Dots (circles) remain inline in hosted.html
- `fetch+DOMParser+importNode` approach failed in real Chrome — `` works everywhere

### Final region selection (21 regions, Johan-approved)
Removed from initial 31: Ohio, Oregon, Calgary, Ireland, Milan, Bahrain, Hyderabad, Melbourne, Osaka, Tokyo

**Kept:**
- Americas: Virginia, N.California, Montreal, Mexico City, São Paulo
- Europe: London, Paris, Frankfurt, Zürich (HQ/gold), Spain, Stockholm
- Middle East/Africa: UAE, Tel Aviv, Cape Town
- Asia Pacific: Mumbai, Singapore, Jakarta, Malaysia, Sydney, Seoul, Hong Kong

### Miller projection function (for future dot placement)
```js
const W = 1000, H = 460; // map width and height in SVG units

// Miller cylindrical projection: (lon, lat) in degrees → [x, y] in SVG units.
function project(lon, lat) {
  // Clamp |lat| to 85° and convert to radians, keeping the sign.
  const latR = Math.min(Math.abs(lat), 85) * Math.PI / 180 * (lat < 0 ? -1 : 1);
  const miller = 1.25 * Math.log(Math.tan(Math.PI / 4 + 0.4 * latR));
  // Vertical scale: ±80° latitude maps to the top and bottom edges.
  const maxMiller = 1.25 * Math.log(Math.tan(Math.PI / 4 + 0.4 * 80 * Math.PI / 180));
  return [(lon + 180) / 360 * W, H / 2 - (miller / (2 * maxMiller)) * H];
}
```
Zürich verification: project(8.5, 47.4) → (523.6, 117.6) ✓

### Dot format (SVG circles with staggered animation)
- Each region = 3 circle elements: 2 pulse rings (fill=none) + 1 solid dot
- HQ (Zürich) = 4 elements: 3 circles + inner black dot
- Colors: green `#22C55E` for regions, gold `#D4AF37` for HQ

## Hostkey VPS — "Hans" (03:56 ET)
- **Provider:** Hostkey
- **Location:** Switzerland (Zürich region)
- **Purpose:** vault1984 Istanbul node (Turkey VPS via Hostkey, who confirmed they have Istanbul)
- **Name:** Hans
- **IP:** 185.218.204.47
- **Hostname:** vault1984 NOC (Hostkey label)
- **Root password:** ThIsNeEdStOcHaNgE0--
- **Specs:** vm.mini — 4 vCPU / 6GB RAM / 120GB SSD, €3.90/mo
- **OS:** Ubuntu 24.04
- **Note:** Johan is ordering this live right now. Change the password first thing after provisioning.
## vault1984 Styleguide (04:14 ET)
- **vault1984.css** is the single global stylesheet for ALL vault1984 web surfaces (marketing + app)
- Live at: https://vault1984.com/styleguide.html
- Source: `/home/johan/dev/vault1984-web/vault1984.css`
- Rules: one stylesheet, one width (--width:1280px via .container), one padding (--pad:2rem), CSS variables for everything, one rule per class
- Applicable to vault1984 app UI too — copy/symlink vault1984.css into vault1984/web/

## vault1984 — Beyond Passwords (04:44 ET)
**Key insight:** vault1984 is not a password manager with notes. It's a structured knowledge store for human+AI collaboration.
- Sealed fields = human-only (physical presence required): passwords, private notes, secrets
- Agent fields = AI-accessible (scoped tokens): anything James/Claude needs to read or act on

**Concrete uses:**
- James's working memory (project plans, rollout strategies, context)
- Shared reference data (infra details, credentials James needs)
- Any structured note an AI agent should be able to retrieve
- Not limited to passwords — limited only by what you want sealed vs agent-accessible

**Positioning implication:** Proton Pass = secure notes for humans. vault1984 = knowledge store for human+AI teams. This is a real differentiator — needs to surface in marketing copy.

## vault1984 — Storage & Pricing Implications (04:45 ET)
- Expanding to arbitrary attachments (passport scans, MRIs, tax docs) makes storage a real cost
- Current: $12/yr flat — works for passwords, breaks for files
- Needs: base storage allowance (e.g. 100MB) + tiered overage, OR storage-based tiers
- DICOM files alone can be 50MB+ — one power user could cost more than their subscription
- Decision pending: pricing model redesign before launching file attachments

## vault1984 — Text-only, Markdown default (04:47 ET)
- No attachment/image support — ever. Text only.
- Default format: Markdown
- Passport number etc = just type it in. No OCR, no uploads.
## vault1984 — The Memory/Encryption Tradeoff (04:48 ET)
- Sealed = private = AI-blind. Good for passwords. Useless as AI memory.
- Agent = AI-readable = scoped token access. Required for AI memory use case.
- This is a conscious design tradeoff, not a flaw — user chooses per-field.
- "James's memory in vault1984" = agent fields by definition.

## vault1984 — Search Problem (04:48 ET)
- Encrypted fields = ciphertext in SQLite = LIKE queries useless
- Agent fields: server holds key → can decrypt-then-search server-side (acceptable, server already has access)
- Sealed fields: server never has key → search impossible without client-side decrypt-all (doesn't scale)
- Options: (1) server-side decrypt+search for agent fields, (2) vector embeddings, (3) unencrypted tags + encrypted body
- Decision pending before building search

## vault1984 — Search Architecture Decision (04:51 ET)
- Decrypt-all-to-search = rejected (memory footprint, plaintext exposure)
- **Decision: vector embeddings at write time**
- On save: generate embedding of plaintext → store unencrypted alongside ciphertext
- On search: query embeddings (no decryption) → get record IDs → decrypt only matches
- Cost: one embedding per write (cheap). Search: fast, minimal memory, no bulk decrypt
- Sealed fields = unsearchable by design. User knows where they put it.
- Agent fields = searchable via embeddings

## Hans — OpenClaw + Discord Comms Channel (05:03 ET)
**Task queued for sleeping block**

### Goal
Set up a James↔Hans communication channel so I can send deploy commands and Hans reports back.
### Stack
- **Discord server**: private, owned by us — create it
- **Hans**: OpenClaw instance, bot connected to Discord
- **Model**: MiniMax M2.5 via Fireworks (`accounts/fireworks/models/minimax-m2p5`)
- **Fireworks key**: `fw_RVcDe4c6mN4utKLsgA7hTm`
- **No Anthropic tokens on Hans** — Fireworks only

### Hans's job description
- Receive deploy commands from James via Discord
- Execute them (pull new version, restart service)
- Report back status
- Simple, focused — not a general assistant

### Steps
1. Create private Discord server
2. Create Discord bot for Hans
3. Install OpenClaw on Hans (185.218.204.47)
4. Configure with Fireworks M2.5, Discord bot token
5. Test: James sends message → Hans executes → Hans replies

## @vault1984 on X — Available (05:19 ET)
- Handle @vault1984 does NOT exist — available for registration
- Only references: 2017 WikiLeaks/CIA hashtag use, 2016 @music_vault1984 (also gone)
- Action needed: Johan registers @vault1984 at x.com when ready

## Morning Status (07:03 ET)
- **css-agent**: Session gone, no new commits — did NOT complete. Needs respawn when Johan wakes.
- **hans-openclaw**: ✅ Done — OpenClaw 2026.3.1 installed on Hans, Fireworks M2.5 configured
- **x-vault1984-research**: Subagent completed but result not captured — check manually
- **Discord bot**: Still pending Johan's Chrome tab (discord.com/developers)
- **Hans password auth**: Still on — Johan confirmed key works but didn't explicitly say to lock down yet

## Styleguide Applied — All Pages (08:01–09:12 ET, while Johan slept)
- Tailwind fully removed from all 8 pages — zero references remaining
- vault1984.css extended to 186 lines: added code-block, feature-icon, checklist, footer, prose, badge, price-card, gradient-text, pulse animations, nav, scroll
- All pages use standard nav + footer + .container — consistent
- index.html: full rewrite preserving hero/swarm SVGs and geo JS
- pricing.html: updated with correct pricing ($12/yr, 7-day refund, no free trial)
- install.html: clean step layout
- privacy.html / terms.html: updated to say Sealed/Agent (not L1/L2)
- Commit: cf7763f — pushed to zurich

## Hans Server — Current Status (as of 09:12 ET)
- **IP:** 185.218.204.47 | **DNS:** noc.vault1984.com
- **User:** johan (sudo, SSH key auth)
- **Root password:** ThIsNeEdStOcHaNgE0-- (change after confirmed not needed)
- **UFW:** 22/80/443 only, fail2ban active
- **OpenClaw:** v2026.3.1 installed
- **Model:** Fireworks MiniMax M2.5 (`accounts/fireworks/models/minimax-m2p5`)
- **Fireworks key:** `fw_RVcDe4c6mN4utKLsgA7hTm`
- **Discord bot:** NOT yet created — needs Johan's Chrome tab attached to discord.com/developers
- **Cloudflare DNS:** noc.vault1984.com → 185.218.204.47 (zone 1c7614cd4ee5eabdc03905609024f93a)

## vault1984 Product Decisions (04:44–05:04 ET session)
- **Text only, Markdown default** — no attachments, no images, no OCR
- **Scope:** Not just passwords — structured knowledge store for human+AI. Agent fields = AI memory
- **Search:** Encrypted fields can't use LIKE. Decode-all rejected (memory). Decision: tags + exact match for v1.
  Embeddings later when revenue justifies it.
- **Pricing FINAL:** $12/year (annual only, no monthly). $1/month effective — nobody can undercut without going free. 7-day money-back, no questions, instant refund.
- **No free trial** — money-back guarantee is stronger signal
- **Competitor:** 1Password at $2.99/month ($36/yr). vault1984 at $12/yr — permanently cheaper, they can't follow
- **Hans↔James comms:** Discord server (bot runs ON ZURICH, not Hans). Hans OpenClaw connects to it. Pending Discord bot creation.
- **Greg Isenberg tweet** (2.5k likes): "agent-native memory" — validates vault1984 thesis exactly

## vault1984-web CSS Architecture (locked)
- vault1984.css = single global stylesheet for marketing site AND app UI
- --width: 1280px (one width, everywhere, via .container)
- --pad: 2rem (one padding)
- Card colors: rgba tint + colored border (same pattern as buttons)
- --bg: #0d1520, card default: rgba(100,140,200,0.12)
- Styleguide live: vault1984.com/styleguide.html

## vault1984 Social Media Handles (09:11 ET)
- **@vault1984 on X**: exists but dormant/empty — likely squatter
- **@music_vault1984**: different account (music archiving), irrelevant
- **Action needed**: register handles on all major platforms before launch creates demand
- **Priority platforms**: X, GitHub (already johanjongsma/vault1984), LinkedIn, Reddit, HackerNews, ProductHunt
- **Secondary**: YouTube, Instagram
- **If squatted**: trademark/brand claim process once vault1984.com is established
- **Tool**: Namecheckr.com to scan 50+ platforms at once
- Johan asked about checking availability — pending action

## vault1984 X Account / Checkmark Question (09:30 ET)
- @vault1984 may actually be available on X (earlier check was inconclusive)
- Johan's question: how to get verified checkmark NOT linked to his personal identity
- Answer needed: X offers "Verified Organizations" (gold checkmark) — requires org/business, not personal account
- Option 1: Register @vault1984 as personal account,
  upgrade to X Premium ($8/mo) → blue checkmark (tied to account, not Johan personally)
- Option 2: X Verified Organizations (gold ✓) — requires business entity, EIN/registration, $200/mo — completely separate from personal
- Option 3: Register account now (lock the handle), don't worry about checkmark until launch
- Johan's concern: doesn't want checkmark tied to him personally — suggests using vault1984 as a business entity account
- **Pending action**: register @vault1984 handle on X

## vault1984 Social Media Ownership Strategy (10:04 ET)
- **Goal:** handles owned by business entity, not Johan personally
- **Solution:** US LLC (Delaware, ~$90, Stripe Atlas) — vault1984 LLC owns the accounts
- **Immediate action (no LLC needed yet):** create social@vault1984.com, register all handles with that email
- **Stalwart** can handle the vault1984.com email — just needs a mailbox created
- **Facebook:** Business Page (not tied to personal profile)
- **Discord:** server created with social@vault1984.com
- **X:** account registered with social@vault1984.com, upgrade to Verified Org when LLC is formed
- **LLC formation:** can happen retroactively — handles registered now, legal entity tied later
- **Johan is registering handles himself** (needs to be logged in)

## vault1984 Legal Structure (10:05 ET)
- vault1984 is a **brand/product under inou LLC** — not a separate entity
- No new LLC needed
- inou LLC is the legal owner of vault1984 handles and IP
- X Verified Organization: apply as inou LLC with vault1984 as product/affiliated account
- **Open question:** is inou LLC already registered?
  Johan hasn't confirmed yet

## inou LLC — Confirmed (10:07 ET)
- **inou LLC is fully registered in Florida** ✅
- vault1984 is a brand/product under inou LLC — no separate entity needed
- X Verified Organization: apply as inou LLC, vault1984 = affiliated product account
- social@vault1984.com — to be created on Stalwart for handle registrations
- Johan registering handles himself; asked if I should create the email first

## social@vault1984.com — Setup In Progress (10:17 ET)
- Johan wants social@vault1984.com to forward/land in johan@jongsma.me
- Stalwart on Zurich needs vault1984.com added as a domain first
- Stalwart API returning 404 on domain creation — need to check correct API endpoint
- vault1984.com DNS: Cloudflare (zone 1c7614cd4ee5eabdc03905609024f93a)
- Need MX records on vault1984.com pointing to Zurich (mail.jongsma.me / 82.22.36.202)
- Also asked about @inou handle — needs research

## Afternoon session (cont.) — vault1984 brand + X setup

### vault1984.com email — COMPLETE
- Stalwart domain registered (id 36) ✅
- `social@vault1984.com` account: `social-vault1984`, password `SocialVault2026!`, `user` role added
- `@vault1984.com` catch-all → Johan's account (accountId 22) ✅
- DNS on Cloudflare (zone 1c7614cd4ee5eabdc03905609024f93a):
  - MX → mail.jongsma.me ✅
  - SPF: `v=spf1 mx include:jongsma.me ~all` ✅
  - DMARC: `p=quarantine`, reports → dmarc@vault1984.com ✅
  - DKIM: Ed25519, selector `stalwart`, public key `9l9R7jmxqfiFYUxTdkrga+DYqfJQQY0jl9YwpEnd5wk=` ✅
- Fixed pre-existing Stalwart bug: duplicate `spam-filter.bayes.enable` in config.toml (was crashing on restart)
- DKIM config added to config.toml (not DB — Stalwart settings API POST format never resolved)

### Hans server (185.218.204.47)
- OpenClaw 2026.3.1 installed
- Fireworks M2.5 configured as default model
- `noc.vault1984.com` → 185.218.204.47 in Cloudflare DNS

### X / Twitter — @vault1984
- Handle confirmed FREE (headless browser: "This account doesn't exist")
- Johan registered fresh account
  (NOT renaming @johanjongsma — wrong optics for 1-week-old product)
- Used personal email for signup (social@vault1984.com had mail delivery issues during signup)
- Key decisions:
  - No $1000/month gold org checkmark — not worth it at this stage
  - Tagline chosen: **"1984 had no secrets. You should."**
  - Rejected Animal Farm pun — different book, looks uneducated
  - Logo: "1984" in green (#22C55E) on dark (#0A1628), JetBrains Mono ExtraBold
  - Header: world map (worldmap.svg from vault1984-web) + "vault1984" + tagline

### vault1984 brand identity
- Background: `#0A1628` (per styleguide — slightly different from CSS `#0d1520`)
- Accent green: `#22C55E`
- Font: JetBrains Mono ExtraBold (profile/logo), Inter (body)
- Logo pattern: `vault` in white/muted, `1984` in green — per `.vaultname .n` CSS class
- Profile pic (400×400): just "1984" centered in green
- Header (1500×500): world map bg, "vault / 1984" + tagline
- Assets generated via HTML+headless browser screenshot (PIL approach was ugly)
- JetBrains Mono ExtraBold installed to `~/.local/share/fonts/`

### vault1984 brand under inou LLC
- inou LLC registered in Florida (fully registered)
- vault1984 is a brand/product under inou LLC — no separate LLC needed
- Social accounts use `social@vault1984.com` email (owned by inou LLC)

### OpenClaw 2026.3.1 update (forge)
- Updated this morning (9AM ET via daily-updates.timer)
- Deleted transcript indexing patch reapplied ✅
- Gateway restarted ✅
- Claude usage: 66% weekly at ~36% of week elapsed (pace ~183%) — ntfy alert sent

### @johanjongsma X account
- Joined March 2009 (17 years old), blue checkmark, 151 followers, 89 posts
- Last post 2011 (Foursquare badge unlocks) — completely dormant
- Following 290 accounts — heavily right-wing (Charlie Kirk x2, Alex Jones x2, Trump cabinet, Fox hosts etc.)
- Decision: keep as personal account, do NOT rename to @vault1984

## inou X account registered — 4:09 PM
- **Handle:** @inouhealth (confirmed registered)
- **Email used:** social@inou.com (now aliased to johan@jongsma.me ✅)
- **Password:** !!Helder06
- Rejected: @inou (taken), @inoullc (no), @inou_x (no), @askinou (support vibe)
- @inouhealth chosen: clear, professional, health is an asset not a limitation at this stage

## inou prod — key findings (17:37)
- **Backdoor OTP code:** `250365` (inou prod login bypass)
- **SMTP broken on prod:** Proton Bridge not running on 192.168.100.2 → TLS handshake failure. Login emails can't be sent. Backdoor is only way in right now.
- **MCP smoke test:** PASSED ✅ — `https://inou.com/mcp` alive, auth enforced, protocol `2025-06-18`
- **inou prod binary:** `./bin/portal` on 192.168.100.2, port 1080, logs at `/tank/inou/logs/portal.log`
- **Caddy rewired:** `inou.com` → `192.168.100.2:1080` (prod), `dev.inou.com` → `192.168.1.253:1080` (staging)

## inou prod backdoor — clarification (17:39)
- Backdoor `250365` is **intentional** — Johan re-added it deliberately
- Not a security oversight, it's a dev/ops convenience feature

## Anastasia — real patient in inou (17:44)
- **Name:** Anastasia (not "Anastasiia" — correct spelling matters)
- **Dossier ID:** 4aa59a4c2a8e4077
- **Real patient** — Johan is helping her family, same as with Sophia
- German hospital records (Universitätsklinikum Ulm), born 26.02.2020 (preemie 26 SSW)
- Complex hydrocephalus case — post-hemorrhagic, aqueductal stenosis, multiple shunt surgeries, ETV Dec 2021
- Active: hydrocephalus, aqueductal stenosis, epilepsy, VRE/MRSA/3MRGN colonization
- Last known contact: Prof. Dr. Péraud consultation Aug 2022
- **Treat with same care as Sophia's data — real child, real family**
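
The v1 search design recorded in the vault1984 search notes above (plaintext tags with exact match, encrypted bodies, decrypt only the matches, sealed fields unsearchable), as an added Go example that is not vault1984's own code. `Store`, `PutAgent`, `PutSealed` and `Search` are hypothetical names, an in-memory map stands in for the SQLite table, and AES-256-GCM is an assumed cipher choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Store is a hypothetical in-memory stand-in for the SQLite table (assumption).
type Store struct {
	aead     cipher.AEAD      // server-held AES-256-GCM key, used for agent fields only
	blobs    map[int][]byte   // record ID -> nonce||ciphertext, or an opaque sealed blob
	index    map[string][]int // plaintext tag -> agent record IDs; tags must not hold secrets
	Decrypts int              // number of decrypt operations Search has performed
}

func NewStore(agentKey []byte) (*Store, error) {
	block, err := aes.NewCipher(agentKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead, blobs: map[int][]byte{}, index: map[string][]int{}}, err
}

// PutAgent encrypts an agent field server-side and indexes its plaintext tags.
func (s *Store) PutAgent(plaintext string, tags ...string) (int, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return 0, err
	}
	s.blobs[len(s.blobs)+1] = s.aead.Seal(nonce, nonce, []byte(plaintext), nil)
	for _, t := range tags {
		s.index[t] = append(s.index[t], len(s.blobs))
	}
	return len(s.blobs), nil
}

// PutSealed stores a client-encrypted blob; it is never indexed, so never searchable.
func (s *Store) PutSealed(clientCiphertext []byte) int {
	s.blobs[len(s.blobs)+1] = clientCiphertext
	return len(s.blobs)
}

// Search exact-matches one tag and decrypts only the records the index returns.
func (s *Store) Search(tag string) (map[int]string, error) {
	out, ns := map[int]string{}, s.aead.NonceSize()
	for _, id := range s.index[tag] {
		pt, err := s.aead.Open(nil, s.blobs[id][:ns], s.blobs[id][ns:], nil)
		if err != nil {
			return nil, fmt.Errorf("record %d: %w", id, err)
		}
		s.Decrypts++
		out[id] = string(pt)
	}
	return out, nil
}

func main() {
	s, _ := NewStore(make([]byte, 32)) // constructed all-zero demo key, not for real use
	s.PutAgent("constructed rollout note", "infra", "rollout")
	s.PutSealed([]byte("opaque client-side ciphertext"))
	fmt.Println(s.Search("infra"))
}
```

Because the tag index is plaintext, anyone who can read the database learns which tags exist and which records share them, even though the bodies stay encrypted.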