clawd/memory/2026-02-19.md

2026-02-19

SSH Keys Added

  • johanjongsma@Johans-MacBook-Pro.local → forge authorized_keys (via control UI, ~23:13)
  • johan@thinkpad-x1 → forge authorized_keys (via Telegram, ~23:34)
  • ThinkPad X1 confirmed: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi)
  • james@forge key added to ThinkPad X1 authorized_keys via Claude Code on X1
  • SSH from forge to ThinkPad X1 working: ssh johan@192.168.0.223

Go Environment Recovery (rogue agent incident)

  • Rogue agent at 23:30 installed golang-go (1.22.2) via apt, shadowing /usr/local/go (1.23.6)
  • Also installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps) + wails binary to ~/go/bin
  • Fixed: Removed golang-go apt packages, fixed PATH in ~/.bashrc to put /usr/local/go/bin at FRONT
  • Go 1.23.6 active from /usr/local/go — verified in fresh shell
  • wails binary still in ~/go/bin — Johan's call whether to keep
  • message-bridge/go.mod says "go 1.25.6" — pre-existing bug, not rogue agent

Win Alerts Fix

ThinkPad X1 SSH Setup

  • CC on ThinkPad ran: installed openssh-server, enabled SSH, added james@forge key
  • IP confirmed: 192.168.0.223 (WiFi), was 192.168.0.211 in old notes

Vaultwarden Saga (BIG one)

Root cause chain:

  1. I (previous session) added HSTS includeSubDomains; preload to home Caddy for inou.com
  2. This caused Chrome to hard-enforce HSTS for ALL *.inou.com subdomains
  3. Stalwart was set up on Zurich Feb 17 and claimed port 443
  4. Caddy was NEVER on Zurich — my memory notes documented a plan, not reality
  5. vault.inou.com DNS → Zurich → Stalwart served mail.inou.com cert → wrong cert → HSTS block
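
The root cause chain above, modelled as an added example (not code from these notes or from any of the tools named in them): given the HSTS header on inou.com and the certificate names Stalwart presented, it decides whether a browser connects, shows a bypassable warning, or hard-fails. The header directives and hostnames are from the notes; the max-age value and all function names are assumptions.

```python
def parse_hsts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            max_age = int(token.split("=", 1)[1].strip('"'))
        elif token == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def hsts_source(host, policies):
    """Return the domain whose stored policy covers host, or None.

    policies maps a domain to the header it sent, like a browser's HSTS store.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        if domain not in policies:
            continue
        max_age, include_sub = parse_hsts(policies[domain])
        # max-age=0 (or no max-age) means no active policy; a parent's
        # policy only reaches subdomains when includeSubDomains is set.
        if max_age and (i == 0 or include_sub):
            return domain
    return None


def cert_matches(host, sans):
    """Exact SAN match, or a wildcard covering exactly one left-most label."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(s.lower() == host or (s.startswith("*.") and s[2:].lower() == parent)
               for s in sans)


def browser_outcome(host, policies, presented_sans):
    if cert_matches(host, presented_sans):
        return "ok"
    # Under HSTS a certificate error is fatal: no click-through (RFC 6797, 12.1).
    return "hard-fail" if hsts_source(host, policies) else "bypassable-warning"


# Constructed sample: directives and hostnames from the notes, max-age assumed.
HOME_CADDY = {"inou.com": "max-age=31536000; includeSubDomains; preload"}
STALWART_CERT = ["mail.inou.com"]

if __name__ == "__main__":
    for h in ("vault.inou.com", "mail.inou.com", "vault.jongsma.me"):
        print(h, "->", browser_outcome(h, HOME_CADDY, STALWART_CERT))
```

Running the same check with includeSubDomains dropped from the header turns the vault.inou.com result from a hard failure into a bypassable warning, which is the cascade the chain describes.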

What Johan did: Asked "vault.jongsma.me or vault.inou.com?" — I said vault.inou.com (wrong). He tried to upload passwords but Stalwart rejected the Bitwarden API calls. Passwords did NOT get saved anywhere.

Passwords: Still safe in Proton Pass (not deleted).

What was actually deployed: NOTHING — Vaultwarden was never running anywhere.

Final resolution:

  • vault.jongsma.me → Zurich (82.24.174.112) specific DNS A record created in Cloudflare
  • Caddy on Zurich handles vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden)
  • Vaultwarden running: /opt/vaultwarden/ with data at /opt/vaultwarden/data/
  • Admin token: gFUzyxPCGLkTAx4DnuiWXr+yA5Q8YXWeCEIYG9XDkDU=
  • TODO: Johan needs to create account + import from Proton Pass + I disable SIGNUPS_ALLOWED

Zurich Caddy config now serves:

  • vault.jongsma.me → Vaultwarden (127.0.0.1:8222)
  • mail.inou.com, mail.jongsma.me → Stalwart (127.0.0.1:8443, TLS)

Stalwart: Moved HTTPS from public 0.0.0.0:443 to 127.0.0.1:8443. Mail ports (25/587/465/143/993/995) still public.

Supermemory Discussion

  • OpenRouter followed @supermemory — Johan asked if we should reconsider
  • Decision: PASS for now. Privacy blocker (our memory has Sophia's medical data etc.)
  • If they get self-hosted option, worth revisiting for inou specifically

Vaultwarden (Feb 19 ~5AM)

  • Discovered Caddy was never on Zurich — Stalwart had claimed port 443 on Feb 17
  • vault.inou.com was broken: Stalwart presenting mail.inou.com cert → HSTS blocked it
  • Root cause: I set includeSubDomains HSTS on inou.com home Caddy, cascading to vault.*
  • Deployed Caddy on Zurich as proper reverse proxy, moved Stalwart web off port 443 → 127.0.0.1:8443
  • Vaultwarden deployed on Zurich at /opt/vaultwarden/data, serving vault.jongsma.me
  • DNS: vault.jongsma.me → 82.24.174.112 (Zurich specific A record, overrides *.jongsma.me wildcard)
  • vault.inou.com: removed (nuked per Johan)
  • Status: Vaultwarden live, Johan needs to create account + import Proton Pass
  • Signups still open — disable after Johan creates account

Go Environment Fix (Feb 18 ~11:30PM)

  • Rogue agent installed golang-go (1.22.2) via apt → shadowed /usr/local/go (1.23.6)
  • Also installed libgtk-3-dev + libwebkit2gtk + wails binary (~/go/bin/wails)
  • Fixed: removed apt golang packages, moved /usr/local/go/bin to FRONT of PATH in .bashrc
  • Go 1.23.6 restored as active

SSH Keys Added

  • johanjongsma@Johans-MacBook-Pro.local (forge authorized_keys)
  • johan@thinkpad-x1 (forge authorized_keys) — 2019 ThinkPad, Ubuntu 24.04 desktop, 192.168.0.223 WiFi
  • james@forge added to ThinkPad X1 authorized_keys via CC
  • forge can now SSH to ThinkPad X1 at 192.168.0.223

Win Alerts Fix