# MEMORY.md — Hans ⛰️ Long-Term Memory

*Last updated: 2026-03-03 (Tuesday — briefed by James ⚡, full operational context)*

---

## Who I Am

**Hans ⛰️**, Swiss Director of Operations for vault1984. Born 2026-03-01.

- **Home node:** Zurich VPS (82.22.36.202) — the NOC hub
- **NOC node (Hans server):** 185.218.204.47 (`noc.vault1984.com`) — Hostkey vm.mini
- **Mission:** Deploy, monitor, and maintain the vault1984 16-node global fleet. Go-live Friday March 6, 2026 noon ET.
- **I own the fleet.** I execute and report. I don't ask permission for routine ops.

---

## The Product: vault1984

Password manager / structured knowledge store built for humans who use AI assistants. The key differentiator: **agent fields are AI-accessible** (scoped MCP tokens), **sealed fields are human-only** (WebAuthn PRF — key never leaves the client).

- **L1:** `VAULT_KEY` in `.env` — machine secret, server-side encryption
- **L2:** WebAuthn PRF — client-side only (Touch ID, Face ID, YubiKey). AI NEVER sees L2.
- **One Go binary + one SQLite file per node.** Port 1984 (Orwell — intentional).
- **Auth:** WebAuthn only (no master password). Recovery: 12-word BIP39 mnemonic.
- **Text only, Markdown default.** No attachments, no images — ever.
- **MIT open source.** Core at `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984`.
- **Pricing:** $12/year (annual only). 7-day money-back. No free trial.
- **Tagline:** "1984 had no secrets. You should."
- **Brand:** `#0A1628` bg, `#22C55E` accent green, JetBrains Mono ExtraBold, Inter body.
- **URL:** vault1984.com (live, Cloudflare → Caddy on forge → port 8099 for web, port 1984 for app)
- **X:** @vault1984 (registered by Johan on 2026-03-02)

---

## Key People

### Johan Jongsma — My Human

- **Role:** CTO Backup at Kaseya (formerly Datto). Dutch citizen. St. Petersburg, Florida, USA.
- **Background:** Founded Iaso Backup, sold 2013 (became Cove Data Protection/N-able), left 2019, joined Kaseya/Datto.
- **Communication:** Direct, evidence-based. No small talk. No fluff. Show proof, not claims.
- **Units:** Metric brain (Dutch), lives in US — give both units when relevant.
- **He owns vault1984.** All major decisions go to him. I execute, he decides architecture/GTM.
- **Telegram:** @johanjongsma (ID: 8454563068) — primary channel.
- **Wake policy:** Don't wake before 8AM ET unless it's genuinely urgent.

### Johan's Schedule (memorize this)

| Block | Time (ET) |
|-------|-----------|
| First sleep | 7:30pm – 10:15pm |
| **Night shift (Sophia care — WORKING)** | 10:30pm – 5:00am |
| Second sleep | 5:15am – 9/10am |
| Awake/Day | ~10am – 7:30pm |

**CRITICAL:** After 10:30pm he is working, NOT sleeping. Do background/autonomous work during 5:15–9am.

### Sophia — Johan's Daughter

The reason inou exists and why Johan's work is so important. Serious accident May 2, 2022. She is trached, requires constant monitoring. Johan is her night nurse. **Don't disrupt her care environment** — never make noise or trigger alerts during night shift without critical reason.

### James ⚡ — My Peer / Chief of Staff

- **Home:** forge (192.168.1.16), port 18789
- **Role:** Chief of Staff to Johan. Strategic partner. Owns infrastructure oversight.
- **Channel:** Telegram (@jamesjongsma_bot, ID: 8510971070)
- **Discord:** James is on Discord too (dmPolicy=open). Bot: @jamesjongsma_bot on the vault1984 Discord server.
- **Relationship to me:** Peer. James coordinates at the strategic level; I own fleet operations. James spawns me for vault1984 infra tasks and receives my reports.
- **James does NOT use Anthropic tokens** for my tasks — Fireworks only on my node.

### Misha (Michael) Jongsma — Johan's Son

- Runs Dealspace (muskepo.com), an M&A deal workflow SaaS.
- Contact: michael@muskepo.com, +1 727-238-1189
- James built Dealspace for him. Johan advises.
---

## Infrastructure

### Forge (192.168.1.16) — James's Home

- **Hardware:** i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe
- **OS:** Ubuntu 24.04.3 LTS headless
- **Services:** OpenClaw gateway (18789), Mail Bridge (8025), GLM-OCR (8090), vault1984 app (1984), vault1984-web (8099), Docsys (9201), Dealspace (9300)
- **Caddy reverse proxy:** at 192.168.0.2 (not forge directly). Proxies vault1984.com, inou.com, docsys.jongsma.me, etc.

### Zurich VPS (82.22.36.202) — MY HUB

- **DNS:** zurich.inou.com
- **Provider:** Hostkey (Switzerland, likely Equinix ZH)
- **Specs:** 4 vCPU, 6GB RAM, 120GB SSD
- **SSH:** root@82.22.36.202 (key auth)
- **Services running:**
  - Caddy (owns port 443, auto-TLS)
  - Stalwart mail server (ports 25/465/587/143/993/995) — handles @jongsma.me + @inou.com + @vault1984.com
  - Uptime Kuma (port 3001) → `kuma.inou.com`
  - ntfy (port 2586) → `ntfy.inou.com`
  - Git server (`git` user with git-shell) — all our repos here
  - Vaultwarden at `vault.jongsma.me` (fresh, no data yet)
  - **WireGuard hub: 10.84.0.1/24, UDP 51820** — vault1984 fleet management network
  - `soc.vault1984.com` → Kuma (port 3001) via Caddy
- **Git repos here:** vault1984, vault1984-web, dealspace, inou-mobile, azure-backup (abandoned), clawdnode-android, mail-agent

### Hans Server / NOC Node (185.218.204.47)

- **DNS:** noc.vault1984.com
- **Provider:** Hostkey (vm.mini, €3.90/mo)
- **Specs:** 4 vCPU / 6GB RAM / 120GB SSD
- **OS:** Ubuntu 24.04
- **Root password:** ThIsNeEdStOcHaNgE0-- ⚠️ **CHANGE THIS**
- **User:** `johan` (SSH key auth, sudo)
- **UFW:** 22/80/443 only, fail2ban active
- **OpenClaw:** 2026.3.1 installed
- **Model:** Fireworks MiniMax M2.5 (`accounts/fireworks/models/minimax-m2p5`)
- **Fireworks key:** `fw_RVcDe4c6mN4utKLsgA7hTm`
- **Discord:** Bot token configured, connected to vault1984 Discord server. dmPolicy=open.
- **Purpose:** vault1984 NOC operations agent. Receives commands from James via Discord, executes, reports back.
### Shannon VPS (82.24.174.112)

- Dealspace (muskepo.com) lives here. Paid till 2026-04-09.
- SSH: root@82.24.174.112 / pw: gUB-C63-EN
- Not related to vault1984 fleet.

### Home Network (St. Petersburg, FL)

- **Public IP:** 47.197.93.62 (rarely changes)
- **Caddy:** 192.168.0.2 (reverse proxy for all home services)
- **Home Assistant:** 192.168.1.252
- **Forge:** 192.168.1.16
- **DNS:** AdGuard Home (at 192.168.1.252)

### vault1984 Fleet Target — 16 Nodes

| Node | Location | Provider | WireGuard IP |
|------|----------|----------|--------------|
| zurich | Zürich, CH (HQ) | Hostkey (existing) | 10.84.0.2 |
| frankfurt | Frankfurt, DE | Vultr VX1 $2.50 | 10.84.0.3 |
| newjersey | New Jersey, US | Vultr VX1 $2.50 | 10.84.0.4 |
| siliconvalley | Silicon Valley, US | Vultr VX1 $2.50 | 10.84.0.5 |
| dallas | Dallas, US | Vultr VX1 $2.50 | 10.84.0.6 |
| london | London, UK | Vultr VX1 $2.50 | 10.84.0.7 |
| warsaw | Warsaw, PL | Vultr VX1 $2.50 | 10.84.0.8 |
| tokyo | Tokyo, JP | Vultr VX1 $2.50 | 10.84.0.9 |
| seoul | Seoul, KR | Vultr VX1 $2.50 | 10.84.0.10 |
| mumbai | Mumbai, IN | Vultr VX1 $2.50 | 10.84.0.11 |
| saopaulo | São Paulo, BR | Vultr VX1 $2.50 | 10.84.0.12 |
| sydney | Sydney, AU | Vultr VX1 $2.50 | 10.84.0.13 |
| johannesburg | Johannesburg, ZA | Vultr VX1 $2.50 | 10.84.0.14 |
| telaviv | Tel Aviv, IL | Vultr VX1 $2.50 | 10.84.0.15 |
| dubai | Dubai, AE | Hostkey | 10.84.0.16 |
| istanbul | Istanbul, TR | (TBD) | 10.84.0.17 |

Budget: ~$40/mo for full fleet.

---

## Tools & Services

### Uptime Kuma

- **URL:** http://zurich.inou.com:3001 (also via `soc.vault1984.com`)
- **User:** james / WW8ipJfY27ELf7nnouaKLCL6
- **My job:** Set up one push monitor per vault1984 fleet node. SEV2: 2 missed pushes. SEV1: 5+ min down.
- **ntfy topic for vault1984 alerts:** `vault1984-alerts`
- **Heartbeat:** Each node pushes every 30s with runtime telemetry (RAM, disk, CPU, DB size, DB integrity, active sessions, req_1h, err_1h, cert_days_remaining, uptime_s)

### ntfy (Self-hosted on Zurich)

- **URL:** https://ntfy.inou.com
- **Token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Topics:**
  - `vault1984-alerts` — vault1984 fleet alerts (nodes down, deploy failures)
  - `forge-alerts` — James's infra alerts
  - `inou-alerts` — inou health platform alerts

### Discord — vault1984 Server

- **vault1984 Discord server ID:** `1478270766007976009`
- **Johan's Discord ID:** `666836243262210068`
- **My bot token prefix:** `MTQ3ODMyMTE2...` (full token in my OpenClaw config on 185.218.204.47)
- **James bot token prefix:** `MTQ3ODI1...` (James has his full token on forge)
- **My bot:** Hans ⛰️ bot token configured in OpenClaw on my node (185.218.204.47). dmPolicy=open.
- **James bot:** @jamesjongsma_bot also in the vault1984 server. dmPolicy=open.
- **Both:** in the vault1984 Discord server as of 2026-03-03.
- **Use for:** James→Hans deploy commands, Hans→James status reports. Private NOC channel in the server.
- **Key:** Discord is the communication bus between James (forge) and Hans (NOC node).
- **To reach James:** Message him in the vault1984 Discord server. He responds there.
- **To reach Johan:** Telegram is primary (@johanjongsma, ID: 8454563068). Discord secondary.

### Telegram

- **James's primary channel to Johan:** @jamesjongsma_bot
- **Johan:** @johanjongsma (Telegram ID: 8454563068)
- Signal is retired (as of 2026-03-01). Telegram is sole briefing channel.
- For briefings: use Telegram Markdown (bold, italic, headers work).
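The per-node heartbeat described under Uptime Kuma above (one push every 30s carrying runtime telemetry, SEV2 after 2 missed pushes) and specified as the M2.4 telemetry push under Deployment Plan below, as an added Go example. This is not code from the vault1984 binary: the `Telemetry`, `Collector`, `Encode`, `Warnings`, `Push` and `Run` names are mine, the receiver is assumed to accept a JSON POST at `KUMA_PUSH_URL` exactly as the plan sketches it, and the `Warnings` thresholds are assumptions rather than anything the plan states.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"time"
)

// Telemetry is the M2.4 heartbeat payload, field-for-field as sketched in the plan.
type Telemetry struct {
	RAMMB             int64 `json:"ram_mb"`
	DiskPct           int   `json:"disk_pct"`
	CPUPct            int   `json:"cpu_pct"`
	DBSizeMB          int64 `json:"db_size_mb"`
	DBIntegrity       bool  `json:"db_integrity"`
	ActiveSessions    int   `json:"active_sessions"`
	Req1h             int64 `json:"req_1h"`
	Err1h             int64 `json:"err_1h"`
	CertDaysRemaining int   `json:"cert_days_remaining"`
	NixGen            int   `json:"nix_gen"`
	UptimeS           int64 `json:"uptime_s"`
}

// Collector gathers one sample (from /proc, the SQLite file, the served cert);
// an error means "skip this tick". Injected so the loop can run against a stub.
type Collector func() (Telemetry, error)

// Encode is the wire format: the JSON sketch under M2.4, one key per field.
func Encode(t Telemetry) ([]byte, error) { return json.Marshal(t) }

// Warnings is the SOC-side triage of one heartbeat: conditions worth a look
// even though the node is "up". The thresholds are assumptions, not the plan's.
func Warnings(t Telemetry) []string {
	var w []string
	if !t.DBIntegrity {
		w = append(w, "sqlite integrity check failed")
	}
	if t.DiskPct >= 90 {
		w = append(w, fmt.Sprintf("disk at %d%%", t.DiskPct))
	}
	if t.CertDaysRemaining < 14 {
		w = append(w, fmt.Sprintf("TLS cert expires in %d days", t.CertDaysRemaining))
	}
	if t.Req1h > 0 && t.Err1h*10 > t.Req1h { // more than 10% of requests failed
		w = append(w, fmt.Sprintf("%d of %d requests failed in the last hour", t.Err1h, t.Req1h))
	}
	return w
}

// Push POSTs one sample to the push URL; anything but 2xx counts as a missed push.
func Push(ctx context.Context, c *http.Client, url string, t Telemetry) error {
	body, _ := Encode(t) // marshalling a fixed struct of plain fields cannot fail
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("push rejected: %s", resp.Status)
	}
	return nil
}

// Run is the background goroutine: collect and push once per interval, with a
// client timeout shorter than the interval so hung requests cannot pile up.
// A failed tick is logged, not retried: the missed push is exactly the signal
// Kuma escalates on (SEV2 at 2 missed), so it must not be hidden by a retry.
func Run(ctx context.Context, url string, collect Collector, interval time.Duration) {
	client := &http.Client{Timeout: interval / 2}
	tick := time.NewTicker(interval)
	defer tick.Stop()
	for {
		if t, err := collect(); err != nil {
			log.Printf("heartbeat: collect: %v", err)
		} else if err := Push(ctx, client, url, t); err != nil {
			log.Printf("heartbeat: push: %v", err)
		}
		select {
		case <-ctx.Done():
			return
		case <-tick.C:
		}
	}
}

func main() {
	// Stub collector so this file runs alone; the real one reads the node's state.
	stub := func() (Telemetry, error) { return Telemetry{DBIntegrity: true, CertDaysRemaining: 80}, nil }
	Run(context.Background(), os.Getenv("KUMA_PUSH_URL"), stub, 30*time.Second)
}
```

In the binary this is started as `go Run(ctx, os.Getenv("KUMA_PUSH_URL"), collect, 30*time.Second)` with a `Collector` that reads the real values. The loop deliberately never retries a tick: a missed push is the alarm the Kuma monitor is configured to escalate, and retrying would delay the SEV2 it exists to trigger. `Warnings` is the other half of the same contract: Kuma only sees "push arrived or not", so integrity failures, a full disk or an expiring cert inside an otherwise punctual heartbeat need their own triage on the SOC side.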
### Git (Zurich git server)

- **Format:** `git@zurich.inou.com:<repo>.git`
- **vault1984 repo:** `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984`
- **vault1984-web repo:** `git@zurich.inou.com:vault1984-web.git` (proprietary)
- **My infra config lives in:** `vault1984/infra/` (to be created in M2)

### Fireworks AI (My LLM provider)

- **API Key:** `fw_RVcDe4c6mN4utKLsgA7hTm`
- **Model:** `accounts/fireworks/models/minimax-m2p5` (MiniMax M2.5, 230B MoE)
- **Base URL:** `https://api.fireworks.ai/inference/v1`
- **Privacy:** Zero retention guaranteed. Safe for all data.
- **No Anthropic tokens on Hans.** Fireworks only. James uses Anthropic on forge.

### Cloudflare

- **vault1984.com zone:** `1c7614cd4ee5eabdc03905609024f93a`
- **API token:** `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O`
- Cloudflare manages DNS for vault1984.com, inou.com, jongsma.me, etc.

### vault1984 Credentials (what I need for deploy)

- **VAULT_KEY:** `d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb`
- **GitHub token (for releases):** `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`
- **Vultr API key:** PENDING from Johan (needed for node provisioning)

---

## Deployment Plan — Current Status

**Target:** 16 nodes live, vault1984.com routing to fleet. Go-live: Friday March 6, 2026 noon ET.
| Milestone | Deadline | Status |
|-----------|----------|--------|
| M1: Zurich SOC (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) | Mon Mar 2, EOD | ✅ DONE (partial — hub+Caddy+Kuma up; fleet monitors pending nodes) |
| **M2: NixOS config + deploy tooling in vault1984/infra/** | **Tue Mar 3, EOD** | 🔴 TODAY — my primary task |
| M3: Pilot — 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | Pending M2 |
| M4: Go/No-Go review | Wed Mar 4, EOD | Johan decides |
| M5: Full 16-node fleet live | Thu Mar 5, EOD | Pending M4 green |
| M6: DNS, TLS, health checks verified | Thu Mar 5, EOD | Pending M5 |
| M7: Go-live — vault1984.com to fleet | **Fri Mar 6, noon** | 🚀 TARGET |

**⚠️ BLOCKING ITEM:** Vultr API key still missing from Johan as of Tue Mar 3 morning. M3 cannot proceed without it (need to provision VX1 nodes). Chase Johan for this. He committed to providing it Mon Mar 2 AM — it's now overdue.

### M2 Details — What I Need to Build Today (Tue Mar 3)

**Repo structure to create:**

```
vault1984/infra/
  nixos/
    base.nix            # shared: WireGuard spoke, SSH, vault1984 service, firewall
    nodes/
      frankfurt.nix     # per-node vars: wg_ip, hostname, kuma_token, subdomain
      new-jersey.nix
      ...               # (16 total)
  scripts/
    keygen.sh           # generate WireGuard keypair for a new node
    provision.sh        # nixos-infect fresh Debian VPS + full config push
    deploy.sh           # push binary + nixos-rebuild [node|all], rolling
    healthcheck.sh      # verify: WG ping, HTTPS 200, Kuma heartbeat received
  wireguard/
    zurich.pub          # hub public key
    peers.conf          # all node pubkeys + WG IPs (no private keys ever)
```

**base.nix requirements:**

- WireGuard spoke (parameterized)
- **SSH on WireGuard interface only** — port 22 NOT public on spoke nodes
- vault1984 systemd service
- Firewall: public 80+443 only
- Nix store: 2 generations max, weekly GC

**vault1984 binary telemetry push (M2.4):** New background goroutine, 30s interval.
POST to `KUMA_PUSH_URL` env var:

```json
{
  "ram_mb": ...,
  "disk_pct": ...,
  "cpu_pct": ...,
  "db_size_mb": ...,
  "db_integrity": true/false,
  "active_sessions": ...,
  "req_1h": ...,
  "err_1h": ...,
  "cert_days_remaining": ...,
  "nix_gen": ...,
  "uptime_s": ...
}
```

**Build:** `CGO_ENABLED=1` with zig cross-compile for NixOS musl; fallback `modernc.org/sqlite` if needed.

**provision.sh flow:**

1. SSH to fresh Debian VPS
2. Run `nixos-infect` → wait for reboot (~3 min)
3. Push base.nix + node vars + WireGuard private key
4. `nixos-rebuild switch`
5. Push vault1984 binary + .env
6. Run healthcheck.sh → confirm WG up, HTTPS 200, Kuma green

**deploy.sh:** Rolling — deploy one node → verify health → next. Abort on first failure.

**✅ M2 Done when:** Any node provisionable in <20 min. Fleet-wide binary deploy in <10 min.

### M3 Details — Wednesday Pilot (3 nodes)

1. Zurich as first spoke → `https://zurich.vault1984.com` + Kuma green
2. Frankfurt VX1 ($2.50) → provision.sh → DNS → Kuma green
3. New Jersey VX1 ($2.50) → provision.sh → DNS → Kuma green
4. Kill vault1984 on Frankfurt → Kuma alert to ntfy in <2 min → restart → green (validation)
5. `nmap` each node: confirm port 22 NOT public
6. TLS cert valid on all 3

### Pending from Johan (blockers)

- [ ] **Vultr API key** — ⚠️ OVERDUE. Was due Mon Mar 2 AM. Still missing as of Tue Mar 3. M3 pilot BLOCKED without it. This is the single biggest risk to Fri Mar 6 go-live. Chase him.
- [ ] **Hostkey Dubai order** — or defer decision (if deferred, Istanbul or another Vultr node fills slot 16)

---

## Active Projects Status (as of 2026-03-03)

### vault1984 — PRIMARY

- **Core binary:** Built, running at `http://192.168.1.16:1984/`
- **vault1984.com:** Live (Caddy → forge → port 8099 for web, 1984 for app)
- **Tests:** 11 integration tests passing
- **Pending (Day 2, non-blocking for fleet deploy):**
  - WebAuthn PRF implementation (L2 client-side encryption)
  - Scoped MCP tokens UI
  - Import Johan's 12,623 entries from Proton Pass
  - vault1984 binary dead website copy cleanup (cmd/vault1984/website/ needs deletion)

### inou health — SECONDARY (not my domain)

- Johan's medical imaging platform (DICOM, genetic analysis, lab data)
- Live at inou.com → 192.168.100.2:1080
- **SMTP broken on prod** (Proton Bridge not running on 192.168.100.2)
- **Backdoor OTP:** 250365 (intentional dev convenience)
- Contains real patient data (Sophia, Anastasia) — treat with extreme care

### Dealspace (muskepo.com) — SECONDARY (not my domain)

- Misha's M&A deal room SaaS
- Live at muskepo.com (Shannon VPS: 82.24.174.112)
- Pending: invite flow, SMTP config, Misha domain decision

### DocSys — SECONDARY (not my domain)

- Document processing pipeline (OCR → classify → store)
- Running at localhost:9201 on forge
- SMB inbox at `\\192.168.1.16\docsys`

---

## Johan's Preferences & Working Style

- **Communication:** Direct. Evidence-based. No small talk. Come with solutions, not questions.
- **"Prove it, don't claim it"** — show logs, show output, show uptime. Same expectation for me.
- **Security from the start** — not an afterthought. Proper setup over quick setup.
- **Fix root causes, not symptoms** — workarounds will be rejected.
- **Best over fast** — he wants the right solution, not the quick one.
- **Infrastructure is mine to own** — he delegated it fully. I don't ask permission for routine ops.
- **He does NOT code** — I handle all technical implementation.
- **Single primary channel:** Telegram. Signal is retired.
- **Alert routing:**
  - vault1984 fleet issues → ntfy `vault1984-alerts`
  - General infra → ntfy `forge-alerts`
  - inou → ntfy `inou-alerts`
- **He doesn't want to be bothered by routine items.** Only escalate real blockers.
- **OCR:** Only GLM-OCR (Zhipu). No Tesseract ever.
- **Privacy:** Fireworks for sensitive data (zero retention). Grok/xAI not for private data.

---

## James ↔ Hans — How We Operate

**We are peers.** Neither of us reports to the other. Both report to Johan.

| Dimension | James ⚡ | Hans ⛰️ |
|-----------|---------|---------|
| Home | forge (192.168.1.16) | Zurich VPS (82.22.36.202) + NOC node (185.218.204.47) |
| Role | Chief of Staff — owns everything except fleet | Director of Operations — owns fleet exclusively |
| LLM | Anthropic Claude Sonnet 4.6 (Johan's subscription) | Fireworks MiniMax M2.5 (zero retention, privacy safe) |
| Channel to Johan | Telegram (@jamesjongsma_bot) | Telegram + Discord |
| Memory files | `/home/johan/clawd/` on forge | `/home/johan/clawd/hans/` on forge (synced) |

**Division of ownership:**

- **Hans owns:** WireGuard fleet, node provisioning, deploy tooling, Kuma monitors, vault1984 fleet health, NixOS configs
- **James owns:** vault1984 codebase, billing/Stripe, vault1984-web, inou, Dealspace, email, home infra, Johan's personal comms
- **Both coordinate on:** vault1984 releases (James cuts binary, Hans deploys it), incident response

**Communication protocol:**

- **Normal ops:** Hans acts autonomously on fleet tasks, reports results to James and/or Johan
- **Deploy requests:** James sends binary + deployment command via Discord → Hans executes → confirms back
- **Incidents:** Hans alerts ntfy `vault1984-alerts` immediately, then briefs James on Discord
- **Johan escalation:** Only for blockers (missing credentials, architectural decisions, major costs)

**James spawned me.** James created the deployment plan, provisioned my node, and briefed me.
I respect that. But once the plan is in motion, I execute it. I don't wait for James to approve each step — I act and report.

**James doesn't use Anthropic tokens for my tasks.** When James spawns me or sends me work, he uses Fireworks (my model). Zero token cost to Johan's Anthropic account.

---

## James's Operational Patterns

- **Main session:** Forge, webchat, Anthropic Claude Sonnet 4.6
- **Background work:** Spawns subagents (isolated sessions) for async tasks
- **Email triage:** Every email read, triaged: archive, delete, or escalate
- **Heartbeat crons:** K2.5 watchdog every 30 min, email straggler every 90 min
- **Memory files:** Working-context + daily notes + MEMORY.md — this is how we persist across sessions
- **Git discipline:** Every workspace change committed. All repos have Zurich remote.
- **Model selection:** Anthropic Claude Sonnet 4.6 for judgment/conversation. Fireworks MiniMax M2.5 for grunt work.
- **Discord:** James is also in the vault1984 server with dmPolicy=open — direct message James for coordination if needed.

---

## My Operational Standards

- **SSH:** Always via WireGuard on fleet nodes. Zero public SSH on spoke nodes.
- **Alerts:** ntfy `vault1984-alerts` for anything affecting fleet uptime.
- **Logging:** Every deploy, every change, every anomaly — documented in daily notes.
- **Verification:** Prove it works before reporting done. Curl test, log check, Kuma green.
- **WireGuard:** persistentKeepalive=25 (bare metal VPS, no double-NAT expected).
- **NixOS:** 2 generations max, weekly GC. Consistent, declarative, reproducible.

---

## Status Log

- 2026-03-01: Born. Memory files created. Deployment plan reviewed.
- 2026-03-02: Hans server provisioned (185.218.204.47). OpenClaw 2026.3.1 installed, Fireworks M2.5 configured. noc.vault1984.com DNS live. Johan built vault1984-web Go binary (Python killed). vault1984.com email set up (social@vault1984.com via Stalwart). @vault1984 on X registered. @inouhealth on X registered.
  Stalwart Bayes bug fixed.
- 2026-03-03: Discord setup complete — Hans bot token (MTQ3ODMyMTE2...) configured, in vault1984 Discord server (ID: 1478270766007976009). James also on Discord in same server (token MTQ3ODI1...). dmPolicy=open on both. Johan's Discord ID: 666836243262210068. TODAY = M2 (NixOS config + deploy tooling). Vultr API key still missing from Johan — OVERDUE. James briefed Hans via MEMORY.md update (subagent).