# Weekly Memory Synthesis — Feb 23 – Mar 1, 2026

## Executive Summary

Two major projects launched: **Dealspace** (M&A data room SaaS) and **Vault1984** (password manager for AI assistants). Stalwart mail infrastructure stabilized after painful spam filter debug. Spacebot/Andrew remains blocked on worker dispatch. Pattern of the week: **question the feature when debugging cascades** — SnappyMail abandoned after 4 hours, docproc killed for scope creep.

---

## 🚀 Major Launches

### Dealspace / muskepo.com — LIVE (Feb 28)

Misha's M&A deal workflow platform, built from scratch in one overnight session.

- **URL:** muskepo.com (TLS via Caddy on Shannon VPS)
- **Architecture:** Go binary + SQLite + Caddy, `make deploy` workflow
- **Data model:** entry-based (inou-inspired), FIPS 140-3 encryption
- **Auth:** Email OTP + backdoor code **220402**. Super admins: michael@muskepo.com, johan@jongsma.me
- **Security hardened:** OTP timing attacks fixed (`subtle.ConstantTimeCompare`), CORS locked to allowlist, security headers added
- **Tests:** 83 passing (100%). Smoke test: 14/14 PASS.
- **Missing:** invite flow, SMTP config, GET/DELETE /api/projects/:id endpoints

**Key insight:** Production-ready architecture in 4.5 hours — Go + templ + HTMX + SQLite pattern is proven.

### Vault1984 — New Project (Feb 28)

Personal password manager designed for humans with AI assistants. L1 (server key) + L2 (WebAuthn PRF client-side) architecture.

- **Port:** 1984 (Orwell reference — intentional)
- **Git:** `git@zurich.inou.com:vault1984.git` (OSS) + `git@zurich.inou.com:vault1984-web.git` (proprietary marketing)
- **Entry model:** Free-form fields, `l2:true` per field, `section` grouping
- **Import:** Chrome/Firefox CSV, Bitwarden JSON, Proton Pass JSON (12,623 entries pending)
- **Scoped MCP tokens:** Per-token tag/entry whitelisting for multi-agent swarms
- **Tests:** 11 integration tests passing
- **Architecture locked:** VAULT_KEY in .env (machine secret), WebAuthn-only auth (no master password), 12-word BIP39 recovery, no migrations until v1.0
- **Domain:** vault1984.com registered, Caddy proxy live

**GTM target:** Alex Finn (multi-agent swarm use case). Discord community hunting required.

---

## 🔧 Infrastructure Wins & Lessons

### Stalwart Spam Filter — FIXED (Feb 23)

Painful 4-month debug session finally resolved. Root cause: DNSWL queries returning 127.0.0.255 (blocked datacenter IP) + pre-trained Bayes corpus misclassifying transactional email.

**Final architecture:**

- DMARC+DKIM pass → INBOX (score -150, Sieve: keep; stop)
- Everything else → Junk Mail
- Bayes: **DISABLED** (auto-poisoned from junk moves)
- Trusted domains: squareup.com, messaging.squareup.com, amazonses.com

**Lessons documented:**

1. DKIM+DMARC pass should be **near-definitive trust signal** — never let content scoring override cryptographic authentication
2. A fresh Bayes install comes **pre-trained with generic corpus** — not neutral
3. Don't blame the tool — **we misconfigured it**
4. Go slow on production mail config — understand root cause before touching

### DocSys — OCR Upgraded (Feb 25)

Vision model: `qwen3-vl-30b-a3b-instruct` (Fireworks) — ~40s/page, preserves language, works first try on Russian handwriting. Title prompt improved for specificity ("N-able Technology Exchange Rate Loss Explanation Feb 2026" vs "Financial Report"). Vocabulary hints added for "Jongsma" reading correction.

**Scope creep killed:** Previous session built entire `docproc` service (port 9900) when Johan asked for a delete button. Service removed, delete button added properly to existing UI.

### inou Security Fixes (Feb 28)

- Auth backdoor (code 250365) **REMOVED** from lib/dbcore.go — CRITICAL
- CORS wildcard → allowlist (inou.com, localhost, capacitor)
- LOINC matching bug **FIXED** — normalize.go now requires BOTH SearchKey2 AND data["loinc"] to skip
- 59 test functions written (57 passing)

---

## 📊 Active Projects Status

| Project | Status | Blockers |
|---------|--------|----------|
| Dealspace | Live, needs invite flow | Misha domain decision, SMTP config |
| Vault1984 | Core built, Day 2 pending | WebAuthn PRF implementation, scoped tokens UI, entry import |
| inou | LOINC bug fixed, tests added | None — ready for Johan use |
| Spacebot/Andrew | v0.1.15, Claude Sonnet 4.6 | Worker dispatch broken (revisit 2026-03-03) |
| Azure Backup | **ABANDONED** Feb 28 | N/A |

---

## ⚠️ Outstanding Items

### High Priority

- [ ] **Health Link Invoices:** #000057 ($71.90) and #000058 ($666.90) — payment links in Feb 23 notes
- [ ] **Vault1984 Day 2:** WebAuthn wizard, scoped tokens UI, Caddy proxy, systemd service
- [ ] **Dealspace invite flow:** Misha decision needed on domain/name
- [ ] **Spacebot worker dispatch:** Revisit 2026-03-03 per Johan instruction

### Medium Priority

- [ ] **inou Labs LOINC:** Force re-normalize on prod to populate data["loinc"] fields
- [ ] **Vault1984 entry import:** 12,623 entries from Proton Pass
- [ ] **Uptime Kuma monitors:** Still 0 monitors on Zurich (awaiting Johan OK)

---

## 🧠 Lessons for AGENTS.md

### NEW — When Debugging Cascades, Question the Feature

**Trigger:** 4+ hours into SnappyMail webmail debugging (PHP-FPM, Docker hairpin NAT, SSL timeouts). Never definitively solved.

**Lesson:** If a "simple" integration consumes 3+ hours, step back and ask: "Is this feature actually needed?"
Stalwart has no user webmail; native iPhone Mail clients work fine. **Sometimes abandonment is the right answer, not persistence.**

**Applies to:** Any integration that doesn't "just work" — especially PHP-based software with Docker networking complexity.

**Test:** "Have I spent >3 hours on this? Is there a simpler alternative?"

### NEW — Don't Build New Services for Simple UI Requests

**Trigger:** Built entire `docproc` Go service (port 9900, watcher, processor, API) when Johan asked for a "delete button."

**Lesson:** Scope creep kills trust. A delete button = one HTML element + one API route. A new service = new failure modes, new memory overhead, new confusion.

**Applies to:** Any "add X to Y" request. The answer is almost always to modify Y, not create Z.

**Test:** "Does something already exist that I can add this to?"

### REINFORCED — DKIM+DMARC Pass Trumps ALL Content Scoring

**Trigger:** Stalwart junked Square invoices (DMARC=pass, DKIM=pass) due to Bayes score.

**Lesson:** Cryptographic authentication is ground truth. Content classifiers should never override it.

**Fix:** DMARC_POLICY_ALLOW = -100, DKIM_ALLOW = -50, Bayes disabled.

**Applies to:** Any spam/content filter configuration.

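
The routing policy from this lesson, as an added Go example (not Stalwart's code or configuration, and not part of the original notes): it parses `Authentication-Results` values, applies the two score adjustments listed under **Fix**, and routes on authentication alone. The authserv-id `mx.example.net`, the function names and the sample headers are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const dmarcPolicyAllow, dkimAllow = -100, -50 // score adjustments from the memo

// authResults parses an Authentication-Results value into method -> result.
// A header not stamped by trustedID (our own MTA) is sender-controlled: ignore it.
func authResults(header, trustedID string) map[string]string {
	out := map[string]string{}
	authserv, rest, _ := strings.Cut(header, ";")
	if id := strings.Fields(authserv); len(id) == 0 || !strings.EqualFold(id[0], trustedID) {
		return out
	}
	for _, p := range strings.Split(rest, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(strings.ToLower(p)), "=")
		if f := strings.Fields(v); ok && len(f) > 0 && out[k] != "pass" {
			out[k] = f[0] // with several dkim= results, one pass is enough
		}
	}
	return out
}

// route returns folder and auth score; content scoring has no input here.
func route(r map[string]string) (string, int) {
	score := 0
	if r["dmarc"] == "pass" {
		score += dmarcPolicyAllow
	}
	if r["dkim"] == "pass" {
		score += dkimAllow
	}
	if score == dmarcPolicyAllow+dkimAllow { // both passed: -150
		return "INBOX", score
	}
	return "Junk Mail", score
}

func main() {
	for _, h := range []string{ // constructed headers; mx.example.net is assumed
		"mx.example.net; dkim=pass header.d=squareup.com; dmarc=pass header.from=squareup.com",
		"mx.example.net; dkim=pass header.d=bulk.example; dmarc=fail header.from=shop.example",
		"mx.other.example; dkim=pass; dmarc=pass", // foreign authserv-id
	} {
		fmt.Println(route(authResults(h, "mx.example.net")))
	}
}
```

The third sample claims both passes but carries a different authserv-id, so it is treated as unauthenticated and lands in Junk Mail with a score of 0.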

---

## 🗑️ Stale Items Removed from MEMORY.md

- **Azure Backup** — marked ABANDONED (was "expiring ~Feb 27")
- **HostKey Amsterdam** — already decommissioned Feb 21, removed from todo lists
- **jongsma.me domain transfer** — completed (was "expires 2026-02-28")
- **Signal as primary channel** — retired 2026-03-01, Telegram now sole channel

---

## 📈 Metrics

- **Commits this week:** 20+ across dealspace, inou, vault1984, docsys
- **Tests added:** 83 (dealspace) + 59 (inou) + 11 (vault1984) = 153 new tests
- **Services deployed:** 3 (dealspace, vault1984, docsys OCR upgrade)
- **Security fixes:** 7 critical/high across dealspace + inou
- **Projects abandoned:** 2 (Azure Backup, SnappyMail webmail)

---

*Synthesized: Sunday, March 1, 2026 — 9:00 AM ET*
*Next synthesis: Sunday, March 8, 2026*