# 2026-02-19

## SSH Keys Added
- `johanjongsma@Johans-MacBook-Pro.local` → forge authorized_keys (via control UI, ~23:13)
- `johan@thinkpad-x1` → forge authorized_keys (via Telegram, ~23:34)
- ThinkPad X1 confirmed: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi)
- james@forge key added to ThinkPad X1 authorized_keys via Claude Code on X1
- SSH from forge to ThinkPad X1 working: `ssh johan@192.168.0.223`

## Go Environment Recovery (rogue agent incident)
- Rogue agent at 23:30 installed golang-go (1.22.2) via apt, shadowing /usr/local/go (1.23.6)
- Also installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps) + wails binary to ~/go/bin
- **Fixed:** Removed golang-go apt packages, fixed PATH in ~/.bashrc to put /usr/local/go/bin at FRONT
- Go 1.23.6 active from /usr/local/go — verified in fresh shell
- wails binary still in ~/go/bin — Johan's call whether to keep
- message-bridge/go.mod says "go 1.25.6" — pre-existing bug, not rogue agent

## Win Alerts Fix
- Kaseya win alerts (winalert@kaseya.com) were hitting Fully dashboard
- Fixed in connector_m365.go: added `silentSenders` blocklist filter before postFullyAlert
- Suppressed: winalert@, lostalert@, standard.instrumentation@kaseya.com, noreply@salesforce.com
- Committed b408ebc to mc-unified, mail-bridge restarted

## ThinkPad X1 SSH Setup
- CC on ThinkPad ran: installed openssh-server, enabled SSH, added james@forge key
- IP confirmed: 192.168.0.223 (WiFi), was 192.168.0.211 in old notes

## Vaultwarden Saga (BIG one)
**Root cause chain:**
1. I (previous session) added HSTS `includeSubDomains; preload` to home Caddy for inou.com
2. This caused Chrome to hard-enforce HSTS for ALL *.inou.com subdomains
3. Stalwart was set up on Zurich Feb 17 and claimed port 443
4. Caddy was NEVER on Zurich — my memory notes documented a plan, not reality
5. vault.inou.com DNS → Zurich → Stalwart served mail.inou.com cert → wrong cert → HSTS block

**What Johan did:** Asked "vault.jongsma.me or vault.inou.com?" — I said vault.inou.com (wrong). He tried to upload passwords but Stalwart rejected the Bitwarden API calls. Passwords did NOT get saved anywhere.

**Passwords:** Still safe in Proton Pass (not deleted).

**What was actually deployed:** NOTHING — Vaultwarden was never running anywhere.

**Final resolution:**
- vault.jongsma.me → Zurich (82.24.174.112) specific DNS A record created in Cloudflare
- Caddy on Zurich handles vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden)
- Vaultwarden running: /opt/vaultwarden/ with data at /opt/vaultwarden/data/
- Admin token: gFUzyxPCGLkTAx4DnuiWXr+yA5Q8YXWeCEIYG9XDkDU=
- **TODO:** Johan needs to create account + import from Proton Pass + I disable SIGNUPS_ALLOWED

**Zurich Caddy config now serves:**
- vault.jongsma.me → Vaultwarden (127.0.0.1:8222)
- mail.inou.com, mail.jongsma.me → Stalwart (127.0.0.1:8443, TLS)

**Stalwart:** Moved HTTPS from public 0.0.0.0:443 to 127.0.0.1:8443. Mail ports (25/587/465/143/993/995) still public.

## Supermemory Discussion
- OpenRouter followed @supermemory — Johan asked if we should reconsider
- Decision: PASS for now. Privacy blocker (our memory has Sophia's medical data etc.)
- If they get self-hosted option, worth revisiting for inou specifically