# Working Context
*Updated: 2026-02-28 21:00 ET (nightly maintenance)*

## PRIMARY PROJECT: Vault1984

**Full session notes:** `/home/johan/dev/vault1984/docs/SESSION-2026-02-28.md`

### What it is
Password manager for humans with AI assistants. Two-tier encryption:
- L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP
- L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server.

### Status: Day 1 complete, Day 2 pending
- Binary: `/home/johan/dev/vault1984/vault1984`
- Running: `http://192.168.1.16:1984` (port = Orwell, intentional)
- Git: `git@zurich.inou.com:vault1984.git`
- 3 bugs found and fixed by test suite

### Day 2 TODO
1. WebAuthn PRF (client-side L2 key derivation)
2. L2 client-side encrypt/decrypt in browser
3. Scoped MCP tokens (per-agent credential scoping — KEY FEATURE)
4. Extension autofill (LLM field mapping)
5. Caddy proxy + systemd service
6. Import Johan's actual 12,623 entries

### Go-to-Market: Alex Finn (@AlexFinn)
- Runs 10+ OpenClaw agents 24/7 on Mac Studio swarm (3x Mac Studio + DGX Spark)
- Discord is his primary community — subagent was hunting for his server
- James needs Discord account token from Johan to participate genuinely
- Hook: scoped MCP tokens = exact problem he has (multi-agent credential isolation)
- Content strategy: let his bots surface the content, don't @ tag him

### Pending items
- [ ] AlexFinn Discord server — did subagent find it?
- [ ] James Discord account token — ask Johan
- [ ] Import 12,623 entries into Vault1984
- [ ] Vault1984 Day 2 (WebAuthn PRF, scoped tokens, Caddy, systemd)

---

## SECONDARY PROJECT: Dealspace (muskepo.com)

### Status: Live, hardened, tests passing
- Live at: https://muskepo.com (Shannon VPS — 82.24.174.112)
- Shannon VPS: root pw `gUB-C63-EN`, paid till 2026-04-09
- Git: `git@zurich.inou.com:dealspace.git` | Local: `/home/johan/dev/dealspace`
- 83 tests passing, security hardened (timing attacks fixed, CORS locked, security headers)
- Smoke test: 14/14 PASS (`scripts/smoke-test.sh`)

### Pending
- [ ] Invite flow (only invited users can sign up — not yet built)
- [ ] GET/DELETE /api/projects/:id, DELETE /api/orgs/:id (documented, missing)
- [ ] SMTP config (waiting on Misha's domain decision)
- [ ] First Misha demo — muskepo.com is placeholder name, Misha hasn't confirmed

---

## SECONDARY PROJECT: inou health

### Status: Code reviewed, hardened
- LOINC matching bug FIXED (normalize.go)
- Auth backdoor REMOVED (code 250365 gone from dbcore.go)
- CORS locked to allowlist
- 59 tests written and passing
- Full report: `/home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md`

---

## Abandoned
- **Azure Backup project** — abandoned, local at `azure-backup-abandoned-20260228`, remote deleted from Zurich

## World Events Noted
- US Operation Epic Fury (Iran strikes) — 2026-02-28 ~15:41 ET
- OpenAI × DoD classified AI agreement signed
- Taalas/ChatJimmy (chatjimmy.ai) — HC1 silicon Llama 3.1 8B, 17,000 tok/s, $30M spent

## Infrastructure
- **DocSys**: Running at localhost:9201
- **Vault1984**: Running at http://192.168.1.16:1984
- **Dealspace**: Running at muskepo.com (Shannon VPS)