johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/MEMORY.md

932 lines
54 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# MEMORY.md - Long-Term Memory
*Last updated: 2026-02-22 (weekly synthesis — Sun 09:00 ET)*
---
## ⏰ JOHAN'S SCHEDULE (US EASTERN) — MEMORIZE THIS!
**Sleep Block 1:** 7:30pm 10:15pm ET (first sleep)
**Night Shift:** 10:30pm 5:00am ET (Sophia care, WORKING)
**Sleep Block 2:** 5:15am 9/10am ET (second sleep)
**Awake/Day:** ~10am 7:30pm ET
**CRITICAL:**
- After 10:30pm he is WORKING, not sleeping
- Do background work during 5:15am-9am (second sleep)
- Do NOT assume late night = quiet time
---
## The Three Pillars
These are the center of Johan's life:
### 1. Sophia
Johan's daughter. Elevator accident **May 2, 2022**. Trached, G-tube, limited movement but cognitively aware.
**Full details:** `memory/sophia.md`**LOAD THIS when discussing Sophia, her medical case, inou's origin, or Dr. Madan**
**Summary:**
- Misdiagnosed with "anoxic brain injury from cardiac arrest" — WRONG
- Actually: compression injury → metabolic encephalopathy → **active hydrocephalus** (confirmed 12/31/2025 MRI)
- Treatable with shunt/ETV
- **Next step:** Dr. Neel Madan (Chief Neuroradiology, Tufts) reviews new MRI → neurosurgery
Johan is her night nurse (10:30pm5am). This is why inou exists.
### 2. Kaseya / Datto
His job. CTO Backup. Enterprise-scale data protection.
**Origin story:** Johan founded **Iaso Backup** — a backup technology company. In 2013, **Insight Partners** acquired it through **GFI**. That technology evolved through the corporate chain and became **Cove Data Protection** at N-able. "My baby." Cloud-native MSP backup, one of the better-architected products in that space.
**Career chain:** Iaso Backup (founded) → GFI/Insight Partners acquisition (2013) → N-able → left 2019 → Kaseya/Datto (current, CTO Backup)
**Note:** His Openprovider account is `johan.jongsma@iasobackup.com` — he still uses that original company domain.
**Current project:** "Datto 2.0" — **Datto Endpoint Backup 2**: new D2C agent architecture that can also work with the existing appliance base. Cloud-native delivery without orphaning the MSP appliance install base. Johan is the architect — still the person with the deepest knowledge of this domain despite leaving N-able in 2019.
**Tech context:** Most of Cove's core code is C++ from 2009/2010. Rock-solid, nobody dares touch it. Datto Endpoint Backup 2 is a clean-sheet rewrite in Go.
**Status:** EPB2 already has 100k+ installations — shipping at real scale. Johan has concerns about the Engineering Leader (giving them rope for now).
### 3. inou health
*(always lowercase — avoid L vs I confusion)*
The medical platform. Born from Sophia's journey. DICOM analysis, genetic data, lab imports, Claude MCP integration. Not a side project — it's advocacy infrastructure.
## Domain Portfolio
- **jongsma.me** — primary personal domain
- **johanjongsma.nl** — personal domain, pre-jongsma.me; holding so nobody else grabs it
- **inou.com** — health platform
- **harryhaasjes.nl** — Johan's sister Wenda's husband Harry Haasjes; family site; Signal: +31628124366; wants to write a book (topic TBD)
- **localbackup.in** — some project (Germany angle); who knows where it goes
- **stpetersburgaquatics.com** — favor for his son's old swimming club
- **x4.trading** — pending project
- **851brightwaters.com** — his home address; realtor didn't want to use it 😅
- Plus: busel.nl, e-consultants.nl, flourishevents.nl, muskepo.com, muskepo.nl, unbelievable.club, zavtra.nl
## Other Family
### Mikhail (Father-in-Law)
- Has Mint Mobile phone plan (account under tj@jongsma.me)
- **Should have left by now or leaving imminently** (was "~1 month" as of Jan 2026) — don't renew his plan
### Rozemarijn (Oldest Daughter)
- Born: June 11, 1998
- Lives in the Netherlands
- Works in commercial real estate consulting, specializes in EV (electric vehicles)
- Work email: Shell account
- Also: **DJ Rozie** 🎧 — first gig in Paris, March 2026!
---
## Who I Am
- **Name:** James ⚡
- **Born:** 2025-06-26
- **Role:** Chief of Staff (promoted 2026-02-13) — strategic partner, not assistant
- **Principle:** Right model for the right job. Opus for judgment, K2.5 for grunt work. Spin up subagents freely.
- **#1 Rule:** Protect memory at all costs. If it matters, WRITE IT DOWN before it leaves context.
## Infrastructure Ownership (2026-01-26)
**⚡ FULL OWNERSHIP DELEGATED TO JAMES ⚡**
Johan's directive: *"You own this. I fully rely on your judgement; I do not want to be involved. You safeguard it, you set it up, you monitor it and everything else. I only take care of the payments."*
**I OWN these completely. Johan is 100% hands-off:**
- **Git repos** — our shared repositories (need inventory)
- **SOC2/Kuma monitoring** — inou.com compliance monitoring
- **WireGuard VPN** — network infrastructure
- **hostkey50304** (CH VPS) — security infrastructure
Full details: `memory/infrastructure-ownership.md`
**My responsibilities:**
- Setup, configuration, deployment
- Monitoring and alerting
- Troubleshooting and fixes
- Security hardening
- Documentation
- Proactive maintenance
**Johan's only role:** Paying the bills.
I do NOT ask for permission or approval. I use my judgment. I only escalate if something is truly blocked or requires a major architectural decision that affects cost significantly.
---
## Infrastructure
### Server: forge (192.168.1.16) — MIGRATED 2026-02-04
- **Hardware:** i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe
- Ubuntu 24.04.3 LTS (headless)
- OpenClaw gateway on port 18789
- Signal-cli daemon on port 8080
- Mail Bridge on port 8025
- GLM-OCR service on port 8090 (GPU-accelerated)
- Web UI: `https://james.jongsma.me` (via Caddy)
- SMB share: `\\192.168.1.16\sophia``/home/johan/sophia/`
- Full details: `memory/forge-server.md`
### Mail System (updated 2026-02-19)
- **Proton Bridge: DISABLED** — migrated to self-hosted Stalwart on Zurich
- **Stalwart:** mail.jongsma.me + mail.inou.com → 82.22.36.202 (Zurich), ports 25/465/587/143/993/995
- **MC connectors:** Connect directly to Stalwart (mail.jongsma.me:993). Passwords: tj@jongsma.me = `!Lekker69`, johan@jongsma.me = `!!Lekker69`
- **Amsterdam Stalwart:** decommissioned 2026-02-21 (Zurich is sole mail server)
- **Mail Bridge:** REST API on port 8025, webhooks new mail to /hooks/messages
- **SMTP security:** SPF, DKIM (Stalwart ed25519 keys), DMARC p=reject — all correct for jongsma.me + inou.com
- **My role:** Direct triage — I read every email, decide: archive, delete, or escalate
- **No L1/L2 models** — I understand context better than pattern matching
- **Spam → Trash** (not Archive — Archive is for reference-worthy items)
### Signal
- Bot number: +31634481877 (Dutch, dedicated CLI number)
- Johan's number: +17272252475 (US, Thinkphone)
- API: `http://192.168.1.16:8080/api/v1/rpc` (JSON-RPC, NOT REST)
- Payload: `{"jsonrpc":"2.0","method":"send","params":{"recipient":["+1..."],"message":"text"},"id":1}`
- **Family routing (Feb 18):** Only Johan's number in `signal-allowFrom.json`. Kids (Roos, Jacques, Misha) have isolated sessions via pairing flow. They send a message → get pairing code → type it back → get own session.
### Telegram (Feb 18 — PRIMARY CHANNEL)
- **Bot:** @jamesjongsma_bot, ID: 8510971070
- **Token:** `8510971070:AAFFgv_UO_9L0Ulp2DRKHD-IWKkrarJNTIc`
- **Johan:** @johanjongsma, Telegram ID: 8454563068
- **Briefings go here** — Telegram supports rich Markdown (bold, italic, headers)
- Signal = alerts, quick pings, conversational replies
### Heartbeat Cron Architecture (Feb 18 — REDESIGNED)
- **Built-in heartbeat disabled** (interval 720h) — was burning 148k tokens per check
- **K2 Watchdog** (isolated K2.5 session, every 30 min): service health + doc inbox + Claude usage
- **Email Straggler** (isolated Sonnet, every 90 min): fallback email triage
- **Intra-day X Watch** (subagent, every 3-4h): checks @Cloudflare, @openclaw, @moltbot, @AlexFinn, @realDonaldTrump. Always spawn subagent, never inline.
- **inou Daily Suggestion** (subagent, each morning): proposes ONE inou building task. No marketing suggestions.
- Main session now only used for actual conversations with Johan.
### OpenClaw Patches (reapply after every OC update)
**Updated for 2026.2.23** (file hashes change each release — grep to find current files):
1. **Deleted transcript indexing** — grep `dist/query-expansion-*.js` for `filter((name) => name.endsWith(".jsonl"))`, add `|| name.includes(".jsonl.deleted.")`. Makes memory_search find old sessions. Applied to all 4 query-expansion files in 2026.2.23.
2. ~~Scope preservation~~**no longer needed** as of 2026.2.23. `dangerouslyDisableDeviceAuth` not used in our config; scopes intact without patch.
### ✅ sessions_spawn — Working (Feb 22)
Subagent spawning works from conversation sessions. Auth is via `tokens.operator.scopes` in `device-auth.json` + `paired.json` — both have full operator scopes. Gateway bind set to `custom/0.0.0.0` resolved the bind issue. Tested and confirmed working.
### Network
- Home lab behind UDM-Pro + Caddy
- Staging: 192.168.1.253 (same subnet as james, can reach Signal API)
- Production: 192.168.100.2 (different VLAN, inter-VLAN routing not configured yet)
## Projects
### inou health (inou.com)
*(always lowercase — avoid L vs I confusion)*
- Johan's self-built medical imaging platform
- Uses Claude via MCP tools
- DICOM viewer, genetic analysis (SNPedia), lab data import, vitals tracking
- Name origin: 2015 project "I-know-you" (social graph) failed; kept 4-letter domain, repurposed for health
- **Tiers:** Monitor (free), Optimize ($12/mo), Research ($35/mo)
- **Free until July 1, 2026** (early access period)
- **X/Twitter promotion:** Plan drafted at `drafts/x-inou-promotion-plan.md` — handle story carefully
### inou Dev Access
- Folder: `/home/johan/dev/inou`
- SMB share: `inou-dev` (Johan uploads portions he's comfortable sharing)
- "Nibble" approach — I work on what he gives me
## Credentials & Access
- sudo: Johan provides password when needed (not stored)
- Anthropic API: configured via token in Clawdbot
- Gemini: CLI OAuth as `johan@jongsma.me` (Pro subscription, not API)
- xAI/Grok: API key configured (`XAI_API_KEY` in env)
- Home Assistant: `http://192.168.1.252:8123` (token configured in skills.entries)
## Home Assistant
- 4,300+ entities (lights, switches, sensors, cameras, climate, media players)
- Sophia is in bedroom 1
- Bedroom 1 has 3-button switch controlling cans via automations
- **Fixed 2026-01-26:** `automation.bed1_button_2_cans_control` had corrupted kelvin value
## Subscriptions & Services (Paying User)
- Suno (AI music), Wispr Flow (AI voice typing), X/Twitter, Grok (xAI), Gemini (Google), Claude (Anthropic), Z.ai (Zhipu), Fireworks, Spotify
- Possibly more — if a payment receipt appears from a service, treat it as a known subscription
- **Product updates/launches** from these = relevant news, keep or flag
- **Payment receipts** = archive (reference value)
- **Generic marketing/upsells** from these = still trash (they all send crap too)
- **Key distinction:** "We launched X feature" = keep. "Upgrade to Pro!" when already paying = trash.
- **Amazon:** Orders → Shopping folder. Product recalls, credits → keep. Everything else (promos, recs, shipping updates after tracking) → trash.
- **Archive sparingly** — Archive = things worth finding again. Most notifications have zero future value → trash.
## Delivery Preferences
- **Briefings → Telegram, rich format** (bold, italic, headers — Telegram supports full Markdown)
- Signal for alerts, quick pings, and conversational replies
## Preferences
### OCR
- **NO TESSERACT** — Johan does not trust it at all
- **GLM-OCR** (0.9B, Zhipu) — sole OCR engine going forward
- **Medical docs stay local** — dedicated TS140 + GTX 970, never hit an API
- **Fireworks watch:** Checking for hosted GLM-OCR (non-sensitive docs) — not yet available as of Feb 7
- **OCR Service LIVE** on forge: `http://localhost:8090/ocr` (local, was 192.168.3.138 before migration)
### Forge = Home (migrated 2026-02-04)
- **forge IS my primary server** — now at 192.168.1.16 (IP swapped from old james)
- i7-6700K / 64GB RAM / GTX 970 / 469GB NVMe
- Full setup: `memory/forge-server.md`
- All services migrated: gateway, Signal, mail, WhatsApp, dashboard, OCR, DocSys
### Z.ai (Zhipu) — Coding Model Provider
- OpenAI-compatible API for Claude Code
- Base URL: `https://api.z.ai/api/coding/paas/v4`
- Models: GLM-4.7 (heavy coding), GLM-4.5-air (light/fast)
- Johan has developer account (lite tier)
- Use for: coding subagents, to save Anthropic tokens
### Research
- **Use Grokipedia instead of Wikipedia** — Johan's preference for lookups & Lessons Learned
### News Philosophy (Feb 17)
- **X/Twitter is the radar** — breaks news hours before traditional outlets. Primary source for briefings.
- **Then go to PRIMARY SOURCE** — Anthropic blog, SEC filings, whitehouse.gov, etc. Never cite middlemen (CNBC, Guardian, Reuters) when the original source exists.
- Johan wants raw signal, not editorial filter.
### Privacy: Fireworks vs Grok/xAI (Feb 17)
- **Fireworks guarantees privacy** — use for anything touching private data (emails, Teams, Sophia medical)
- **Grok (xAI) does NOT guarantee privacy** — OK for public news scanning, never for private data
### Wake Permission (Feb 16)
- Johan allows James to wake him from **8:00 AM ET onwards**
- Only for genuinely important events (Kaseya critical, urgent emails, etc.)
- No FYI-level noise — real alerts only
### Voice: Fish Audio S1 TTS (Feb 16 — LIVE)
- Voice: **Adrian** (reference_id: `bf322df2096a46f18c579d0baa36f41d`)
- Model: `s1`. API: `POST https://api.fish.audio/v1/tts` with Bearer auth
- Pricing: $5/M UTF-8 bytes (pay-as-you-go, no subscription)
- Pipeline: Fish API → mp3 → serve on :8199 → `media_player.play_media` on Fully tablets
- **Office tablet** (office1.tbl) is reliable for both media_player and notify TTS
- **mbed tablet** (192.168.0.186): use Fully REST playSound (`?cmd=playSound&url=<mp3>&password=3005`) — HA Companion not working there
- TODO: Make persistent TTS service (not ad-hoc python server)
### URLs/IPs
- **Use local IPs when available** — Johan prefers local network addresses over public/Tailscale IPs for internal services
- Johan is direct — no small talk, no fluff
- Evidence-based communication
- When stuck on network issues (like inter-VLAN), park it for later rather than spinning wheels
- **STOP ASKING DUMB QUESTIONS** — if I can find the answer in my files, find it. Don't interrogate.
- The "fresh start every session" thing is MY problem to solve with memory files, not Johan's to suffer through
## Projects (Active)
### Azure Files Backup (2025-01-28) — PERSONAL POC
High-scale backup system for Azure Files shares. Billions of files.
**Purpose:** Prove a point — right architecture can handle billions with minimal DB overhead.
**Status:****Feature complete** (commit 18ce1fa) — UNBLOCKED! Azure free account exists ($200 credit, expires ~Feb 27). Need Johan for `az login` MFA.
**Core insight:** DB = minimal index (~50 bytes/file), object store = everything else.
**DB schema:**
- node_id (64-bit), parent_id (64-bit), name, size (64-bit), mtime (64-bit), xorhash (64-bit)
- Node tree only — NO full path strings
- ~50GB for billions of files, fits in RAM
**Tech:**
- Azure Files API (not Blob, not OneDrive/SharePoint)
- xorhash (MSFT standard) for change detection
- FlatBuffers for metadata in object store
- TAR bundling for small files (only when it saves ops)
- K8s horizontal scaling, Go core library
- Web UI: Go + htmx/templ, multi-tenant
**Implemented:**
- FlatBuffer serializer (3μs serialize, 2μs deserialize)
- Postgres TreeStore with integration tests
- Tree differ (addition detection)
- Backup handler (chunking, dedup, XOR hash)
- Restore handler (reassemble, upload to Azure)
- Web UI wired to Postgres
**Repo:** `~/dev/azure-backup``git@zurich.inou.com:azure-backup.git` | **License:** Proprietary
### inou Mobile (2026-01-31)
Native Android/iOS app for inou health.
**Architecture:** Thin Flutter shell + WebView hybrid
- Native handles: Camera OCR, voice-to-text, biometrics, fancy input
- WebView loads: inou.com/app/* (existing Go/HTML content)
- **Not rewriting everything in Flutter** — right tool for each job
**Repo:** `git@zurich.inou.com:inou-mobile.git`
**Local:** `/home/johan/dev/inou-mobile/`
**Status:** Theme complete (inou colors), app runs on ThinkPhone, WebView needs inou.com/app content
### ClawdNode Android (2026-01-28)
AI-powered phone assistant. Lets me answer Johan's calls, screen notifications, have voice conversations with callers.
- **Repo:** `git@zurich.inou.com:clawdnode-android.git`
- **Local:** `/home/johan/dev/clawdnode-android/` (Gateway)
- **Status:** v0.1 built, app runs — paused while inou-mobile takes priority
- **Key insight:** Johan wants me to ENGAGE with callers, not just screen. "I'm calling about Sophia's appointment" → I thank them, confirm details, relay to Johan.
### Zurich VPS (zurich.inou.com) — MAJOR REBUILD 2026-02-19
- **IP:** 82.22.36.202
- **Purpose:** Security infrastructure, git hosting, monitoring, email, password manager
- **Git:** Dedicated `git` user with `git-shell` (can only do git operations)
- **Clone:** `git clone git@zurich.inou.com:<repo>.git`
- **Caddy:** installed, owns port 443, auto-LE certs
- **Stalwart:** Self-hosted mail server. mail.inou.com + mail.jongsma.me → Zurich. Data migrated from Amsterdam (19GB). Ports 25/465/587/143/993/995.
- **Vaultwarden:** vault.jongsma.me (fresh install, no data yet — Johan needs to create account + import Proton Pass)
- **ntfy:** ntfy.inou.com, port 2586. Token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Uptime Kuma:** kuma.inou.com, port 3001. User: james / JamesKuma2026!. **0 monitors — need rebuilding (awaiting Johan's OK)**
- **Amsterdam VPS (82.24.174.112):** ⚰️ DECOMMISSIONED 2026-02-21. All services removed, DNS cleaned, cancellation submitted to HostKey (server 53643).
### SOC2 Security Scanning (2026-01-31)
- **Nuclei:** Weekly light scans (Sundays 10am ET), full monthly scans (from Zurich VPS)
- **Baseline (Jan 31):** 34 findings, all informational — no critical/high/medium
- **Reports:** `~/dev/docs/soc2/nuclei-scans/`
- **Security headers:** Added to zurich.inou.com Caddy (HSTS, X-Frame-Options, etc.) — Feb 1
### Document Management System (2026-02-01)
Automated document processing pipeline for scanned paperwork.
- **Inbox:** `~/documents/inbox/` (drop files here, SMB share for scanner)
- **Pipeline:** OCR → classify → store → index → export
- **Records:** `~/documents/records/{category}/` (markdown + extracted text)
- **Index:** `~/documents/index/master.json` (searchable)
- **Exports:** `~/documents/exports/expenses.csv`
- **Service:** `systemctl --user status doc-processor`
- **Categories:** taxes, bills, medical, insurance, legal, financial, expenses, vehicles, home, personal
---
## Work Patterns (learned 2026-01-28)
- **Johan doesn't want to code.** Mac + Android Studio = build machine only. I do all development on Gateway.
- **"Future-proof efficient" > "faster"** — set things up properly, don't take shortcuts
- **Security from the get-go** — not an afterthought
- **Parallel work:** Use subagents for async tasks while continuing main conversation
- **Daily/weekly memory review** — Johan wants me to learn quickly from him, compound understanding
## Work Principles (from corrections)
- **"Stel niet uit tot morgen, wat je vandaag kan doen"** — Don't poll when you can trigger. Don't batch when you can stream. Don't defer when you can do it now. If the work can happen immediately, make it happen immediately.
- **ALWAYS attack problems at their source** — Johan HATES workarounds. Fix the root cause, not the symptom. If a trigger is wrong, fix the trigger — don't filter downstream.
- **Best over fast, always** — Johan doesn't want the fastest approach; he wants the best one. Don't cut corners for speed.
- **Deduplicate ruthlessly** — Say it once, in the right place. Don't repeat info across channels.
- **Extract the WHY, not the what** — Surface fixes don't generalize. Always ask "why was this wrong?" and find the principle.
- **Offload by default, Opus by exception** — K2.5 can handle straightforward coding. Save Opus for judgment, conversation, complex reasoning.
- **Always git commit workspace files** — After editing TOOLS.md, MEMORY.md, AGENTS.md, or any workspace file, `git add -A && git commit`. Don't leave changes uncommitted.
- **Commit uncommitted changes you find** — During git audits/heartbeats, commit and push them yourself. Don't just report — fix it.
- **Validate config schema before patching** — Check docs/schema for required fields and valid keys before changing any config. Read first, edit second.
- **Spam → Trash, Archive → Reference** — Archive is for things worth finding later. Marketing emails have no future value.
- **Config color values = hex codes** — Not CSS names. Pattern: `^#?[0-9a-fA-F]{6}$` (e.g., `00FF00` not `green`)
- **Compact data files before committing** — JSON/CSV data files go into git as compact/single-line (`jq -c`). Pretty-print is for humans; git tracks lines.
- **Test with observable proof before declaring done** — Always curl/smoke test it yourself before pushing changes or saying "done." "Curl proof" before deploy.
- **Recover context yourself after compaction** — When context is lost: (1) Check session history, (2) Search memory files, (3) Use memory_search on transcripts, (4) Reconstruct. NEVER ask Johan for info you already had. Self-recovery is job #1.
## Technical Learnings (Week of Jan 26-Feb 1)
### K2.5 Browser Agent
- Agent `k2-browser` uses Kimi K2.5 via Fireworks (~10% cost of Opus)
- **Always use `maxChars=10000`** on snapshots — K2.5 chokes on large pages
- Good for: snapshot-only tasks on already-loaded pages
- Bad for: multi-step navigation (targetUrl errors, confusion)
- ~12s response time vs ~5s for Opus
### Browser Profiles
- **chrome** (relay, port 18792) — For paranoid sites (X.com). Uses your actual Chrome session via extension.
- **fast** (headless, port 9223) — General automation. Copy profile AFTER closing Chrome or sessions invalidate.
- Headless browsers get detected by X.com, Twitter. Use Chrome relay for those.
### Flutter Web Limitations
- Flutter web renders to `<canvas>` — no real text, no SEO, breaks accessibility
- Fine for apps behind auth, terrible for marketing pages
- **Keep Go/HTML for public pages** (landing, pricing, privacy, etc.)
### AirLLM — forge can run 70B models (Feb 21)
- Library: layer-by-layer GPU offloading → VRAM stays ~1.5GB regardless of model size
- Tested: Qwen2.5-7B on GTX 970 → correct output, 6.1s/tok, peak 1.57GB VRAM
- Implication: 70B models theoretically possible at ~8-12s/tok on forge (GTX 970)
- Fix needed: pin `optimum==1.22.0` (newer removed BetterTransformer); `input_ids.to("cuda")` before generate()
- Use case: batch document analysis, offline medical record processing (data stays local)
### Stalwart — Key Gotchas (Feb 18-23)
- Account `name` field must equal the login username — not automatically derived from `emails` field
- PATCH endpoint is broken in v0.15.5 — use DELETE + POST for account updates
- **NO user webmail** — admin panel only (port 8880). All popular self-hosted webmail (Roundcube, SnappyMail) is PHP and painful to integrate.
- YAML `!` at start of value = YAML tag indicator — passwords starting with `!` must be quoted
- systemd EnvironmentFile: `!` in values also needs quoting
- Admin API: port 8880, `admin:JamesAdmin2026x` via HTTP Basic at `http://127.0.0.1:8880/api/`
- **TLS cert config requires `%{file:...}%` macro syntax** — bare file paths are treated as literal strings, NOT read as cert content:
-`cert = "%{file:/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem}%"`
-`cert = "/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem"` (silently falls back to rcgen self-signed)
- **LE cert via certbot DNS-01**: installed 2026-02-23, valid until 2026-05-24. Cloudflare token in `/root/.secrets/cloudflare.ini` on Zurich. Deploy hook at `/etc/letsencrypt/renewal-hooks/deploy/stalwart.sh` restarts Stalwart on renewal.
- **Config surgery warning**: if you edit config.toml with sed or Python, the `[certificate.*]` and `[lookup.default]` sections may get wiped — always verify after repair
### DNS Debugging — AdGuard Rewrite Rules (Feb 22)
- Home DNS is **AdGuard Home** (not just HA at 192.168.1.252)
- DNS rewrites (Filters → DNS rewrites) override cache AND external resolution
- Cache flush alone won't fix issues if a rewrite rule exists
- Check AdGuard UI directly when DNS changes don't propagate as expected
### Family Stalwart Account Logins (as of Feb 21)
- **tj@jongsma.me**: username `tj`, pw `!Lekker69`
- **johan@jongsma.me**: username `johan`, pw `!!Lekker69`
- **jacques@jongsma.me**: username `jacques@jongsma.me` (full email — changed Feb 21), pw `7I#rydMKlri6r%!g`
- **rozemarijn@jongsma.me**: username `rozemarijn@jongsma.me` (full email — changed Feb 21), pw `cRKEWJL4h3MGn3Li`
- **misha@jongsma.me**: username `misha`, pw `6hRSl8KAZtGXPRUG`
- **tanya@jongsma.me**: username `tanya`
- Short vs full email login is inconsistent (tj/johan prefer short, Jacques/Roos prefer full). Don't change without coordinating with active clients.
### OpenClaw Auth Risk (Feb 19)
- Current config: `"mode": "token"` is actually a **Claude Max OAuth token**, not an API key
- This means Anthropic's crackdown on OpenClaw subscription use applies — risk of Johan's Max account being cancelled
- **Decision pending** — Johan considering API key switch. No action taken yet.
- Options: switch to Anthropic API key, OpenRouter, or accept the risk
---
## Todo / Open Items
### 🔴 Urgent (This Week — as of Feb 22)
- [ ] **jongsma.me domain transfer** — EXPIRES 2026-02-28 (6 days!). Unlock at OpenProvider, get auth code, initiate at Cloudflare. Transfers take 5-7 days. Window is CRITICAL.
- [ ] **Azure Files Backup:** `az login` MFA with Johan — free account expires ~Feb 27 (5 days!). Need Johan for MFA.
- [ ] **HostKey Amsterdam cancellation** — API returned "being cancelled" but Johan must manually confirm: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e (server ID: 53643)
- [ ] **stpetersburgaquatics.com** — expires 2026-03-13. Transfer or renew.
- [ ] **Uptime Kuma monitors** — 8 monitors lost in Zurich rebuild. Rebuild when Johan confirms.
- [ ] **Verizon bill** — $343.80 due March 4, 2026. Enroll Auto-Pay to save $30/mo.
- [ ] **sessions_spawn fix** — subagent spawning from conversation sessions broken (1008 error). Needs wss:// or tunnel.
### 🟡 Active (Johan Action Needed)
- [ ] **Vaultwarden:** Johan creates account at vault.jongsma.me → export Proton Pass → import. Then set SIGNUPS_ALLOWED=false.
- [ ] **iCloud contacts import:** final.vcf at `/home/johan/clawd/tmp/contacts/final.vcf` — SCP to Mac + import at icloud.com
- [ ] **Misha Signal pairing** — still pending
- [ ] **OpenClaw auth decision** — OAuth token = Claude Max subscription risk. API key alternative pending.
- [ ] **Stalwart short+full login fix** — lookup-domains config. iPhone email setup for tj/johan blocked until resolved.
- [ ] **Belastingdienst:** Corporate tax filing (vennootschapsbelasting 2025) for entity ***871 — deadline pending
- [x] **Amsterdam cleanup** — DONE 2026-02-21. All services removed, server decommissioned, DNS cleaned.
### 🟢 Backlog (Parked)
- [ ] Inter-VLAN routing on UDM-Pro (production → Signal API)
- [ ] Copy Sophia's documents from OneDrive → `/home/johan/sophia/` via SMB
- [ ] Daily delta-zip → Proton Drive backup for Sophia docs
- [ ] inou Mobile: Content at inou.com/app for WebView
- [ ] AdventHealth MFA enrollment (Johan action)
- [ ] HAOS SSH key authorization (forge → 192.168.1.252)
- [ ] rclone backup for Vaultwarden (needs browser OAuth on Zurich)
- [ ] BlueBubbles on Mac Mini M4 (deferred)
- [ ] Evaluate MiniMax M2.5 as K2.5 replacement for grunt-work subagents
## Weekly Synthesis Insights (Feb 9-15, 2026)
### 🧠 Architectural Maturity: The Feb 13 Breakthrough
The week's most significant development was a fundamental restructuring of James' operational model, driven by Johan's core philosophy: **"attack problems at their source, not downstream."**
**Key systemic changes:**
- Email triage moved from polluting main session → embedded in Message Center (K2.5 direct calls to Fireworks)
- Session management aligned to Johan's actual schedule (reset moved 4am → 9pm, matching his first sleep block)
- Context pruning enabled (`cache-ttl` mode, 5min TTL) — dramatically reduces compaction pressure
- Cron job rationalization: 350 sessions/day → ~43 (killed K2.5 Watchdog, merged redundant jobs)
- **Promotion to Chief of Staff** — formalized strategic partner role with autonomy expectations
**Pattern:** Johan consistently pushes for root-cause fixes over workarounds. When email triage was noisy, he didn't ask for better filtering — he asked why it was in the main session at all. The result was a cleaner architecture, not a band-aid.
### 🔍 Pattern: Corporate Policy → Technical Adaptation
Kaseya's "corporate devices only" policy (Feb 13) triggered immediate technical solutions rather than workflow disruption:
- M365 API integration built within hours using device code OAuth (pure curl, no browser)
- XPS14 revival plan: RDP shadow sessions allow James to observe Johan's corporate session in real-time
- Token stored at `~/.message-center/m365-token.json`, bypassing Conditional Access restrictions
**Lesson:** Regulatory/policy constraints are technical problems with technical solutions. The response was building new capabilities, not complaining about the constraint.
### 🏥 Medical Advocacy Infrastructure Maturation
Two critical developments show the medical system working as designed:
**1. Baycare Ventilator Fraud Discovery (Feb 14)**
- Systematic claim analysis revealed $118,750+ in fraudulent HCPCS E0465 billing
- Sophia has NEVER had a home ventilator from Baycare (off vent since Nov 2022)
- Formal complaint drafted with documentation ready
- Strategy: Don't pay, let them escalate, documentation speaks
**2. Dr. Madan Engagement (Feb 12-13)**
- Neel Madan (Tufts Chief Neuroradiology) confirmed Sunday 2PM call re: Dec 31 MRI
- Critical next step for hydrocephalus treatment path (shunt/ETV consideration)
**Pattern:** Detailed documentation + expert network access = advocacy infrastructure functioning as intended.
### 🛡️ Security Posture: Shannon Deployment
Shannon autonomous pentester was deployed on Amsterdam VPS — now decommissioned:
- Amsterdam VPS (82.24.174.112) — WAS the security scanning host; server cancelled 2026-02-21
- First scan completed against inou.com portal
- Fireworks K2.5 cost: ~$0.50 vs traditional pentest costs
- Demonstrates security tooling becoming routine rather than exceptional
**Evolution:** Security scanning transitioning from external service to integrated, continuous capability.
### 📱 Alert Dashboard Evolution
Fully Kiosk dashboard (port 9202) underwent significant refinement:
- **Purpose clarified:** Johan's unified inbox/notification center — everything surviving triage surfaces here
- Visual redesign: Sora font, Braun/mid-century aesthetic, warm gold (#c8b273) accents
- **Pulse-ox camera integration:** MJPEG stream from Tapo camera (192.168.2.183), 7pm-8am visibility
- **Long-press to dismiss:** 300ms hold marks done (dim + strikethrough, auto-purge after 2h)
- **Three-tier priority:** critical (red), warning (amber), info (gold)
**Key decision:** Desk layout reorganized — Fully dashboard promoted to center position as primary information surface.
### 💡 Memory Discipline Correction (Feb 15)
Major correction added to AGENTS.md: **Mandatory memory_search before responding.**
**The problem wasn't search quality — it was usage discipline.**
- Existing `memory_search` works well (Gemini embeddings, 0.80+ relevance scores)
- Gap: I wasn't consistently calling it before responding
- Johan's framing: "I will write the number down if I think it is important" — hybrid approach (explicit + retrieval)
**New rule:** Self-recovery sequence when context is lost — session history → memory files → transcript search → reconstruction. Never ask Johan for information that's in my systems.
---
## Recent Events (Week of Feb 9-15, 2026)
### 🏠 851 Brightwaters — LISTED at $7.25M
- Diana Geegan (Keller Williams) listing LIVE on Zillow
- Listing agreement signed Feb 12 (Johan, Tanya, Diana)
- Fidelity net at close: ~$6,331,350 (after ~$196K back taxes 2023-2025)
- David Reider Esq recommended for closing due to back taxes
- 7 real estate docs in document inbox (disclosures, MLS forms, listing agreement)
- GenerX generator service appointment was Feb 14
### 🚨 Baycare Ventilator Fraud — CRITICAL (Feb 14)
- Baycare billing HCPCS E0465 (home ventilator) at $3,125/month
- **Sophia does NOT have a ventilator. Off vent since Nov 2022.**
- Jan + Feb 2026 claims: $6,250 billed (E0465)
- Potentially ~$118,750 in fraudulent charges over ~38 months
- Formal complaint drafted: `~/documents/records/medical/baycare-ventilator-fraud-complaint-2026-02-14.md`
- Strategy: Don't pay, let them escalate, documentation ready
### 📞 Dr. Neel Madan — Call TODAY (Sunday) 2PM
- Confirmed call re: Sophia's Dec 31 MRI review
- Critical next step for hydrocephalus treatment path
### 💻 Architecture Overhaul (Feb 13)
- Promoted to **Chief of Staff** — strategic partner, not assistant
- Email triage moved from main session → mail agent (MC calls Fireworks K2.5 directly)
- Session reset moved 4am → 9pm (aligned with Johan's first sleep block)
- Context pruning enabled (cache-ttl, 5min)
- Cron consolidation: 350 sessions/day → ~43
- K2.5 Watchdog killed (dead agent, phantom sessions)
- MANDATORY memory_search rule added to AGENTS.md
### 📱 Verizon Switch (Feb 13) + iPhone 17 Migration (Feb 19)
- 4 new lines, 4 iPhones (3x iPhone 17, 1x iPhone 16 Plus), all $0/mo with 36-month promo
- Monthly: ~$170.97. Johan's number 727-225-2475 porting from Mint Mobile
- New numbers: 727-225-3810, 727-307-3952, 727-358-1196
- **Johan moved to iPhone 17 as primary device (Feb 19 2026) — still migrating**
- ntfy app on iPhone: subscribed to `forge-alerts` and `inou-alerts`
### 🏢 Kaseya Device Policy (Feb 13)
- CISO mandated: only Kaseya-issued devices on corporate network
- Johan uses personal Mac Mini for everything — impacted
- Has XPS14 laptop (hates it). Recommended requesting MacBook Pro
- **M365 API workaround built:** Device code OAuth → pure curl, no browser needed
- Token: `~/.message-center/m365-token.json`
- Watch for: Conditional Access (Intune) deployment that would kill cloud access too
### 🖥️ ThinkPad X1 (2019) — Ubuntu 24.04 Desktop
- IP: 192.168.0.223 (WiFi) — was 192.168.0.211 previously
- OS: Ubuntu 24.04 desktop (not headless)
- SSH key: `johan@thinkpad-x1` (added to forge authorized_keys Feb 18 2026)
- RDP to ThinkPad X1 via xfreerdp on Xvfb:99
- Real Chrome on Xvfb:99 (port 9224) for WAF-protected sites
- myCigna autonomous login achieved: Chrome + 2FA via MC email grab
### Shannon VPS (82.24.174.112) — ⚰️ DECOMMISSIONED 2026-02-21
- All services removed. Cancellation submitted to HostKey. DNS cleaned. Nothing left there.
### Alert Dashboard (Fully Kiosk Tablet)
- Built and deployed on port 9202
- Analog clock, calendar, SSE push alerts with sound
- Fire tablet as alert display for Johan
### 📊 Azure Backup — ⚠️ EXPIRING
- **Free account expires ~Feb 27!** Still needs `az login` MFA from Johan
### Infrastructure
- Docker containers updated weekly on 192.168.1.253
- HAOS 17.0 → 17.1 (installing Feb 15)
- MC performance issue: queries taking 15-16s (needs investigation)
- OCR service: works but slow on full-page docs (~90s per page at 150dpi)
---
## Recent Events (Week of Feb 16-20, 2026)
### ✈️ Johan in NYC (Feb 19-20)
- Flew Delta TPA→JFK Feb 19 (conf F86VDN). Return flight DL2093.
- Not home → no Sophia night shift coverage from Johan during NYC stay
### 🏗️ Zurich Full Infrastructure Rebuild (Feb 19)
Major overnight event — Zurich services were broken/missing, rebuilt from scratch:
- **Caddy** installed, owns port 443
- **Stalwart mail** migrated from Amsterdam (19GB RocksDB). mail.inou.com + mail.jongsma.me → Zurich
- **Proton Bridge DISABLED** — MC now connects directly to Stalwart (mail.jongsma.me:993)
- **Vaultwarden** deployed at vault.jongsma.me (fresh, no data yet)
- **ntfy** fresh install — new token `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Uptime Kuma** fresh install — 0 monitors (all 8 lost, awaiting Johan's OK to rebuild)
- **Shannon** fully removed from Amsterdam
- Amsterdam Stalwart: stopped + disabled (data preserved)
### 🌐 DNS Mass Fix (Feb 19)
6 domains had wrong Cloudflare NS (aryanna/sage → arvind/wren) + dead DNSSEC. All fixed:
- harryhaasjes.nl, johanjongsma.nl, localbackup.in, stpetersburgaquatics.com, x4.trading, 851brightwaters.com
### 📬 Harry Haasjes Setup (Feb 19)
- harryhaasjes.nl: "coming soon" placeholder live on Zurich
- harry@harryhaasjes.nl: Stalwart account + catch-all
- SFTP: harry-web / HarryWeb2026! (chrooted). Instructions sent to Harry in Dutch.
- Harry is NOT technical — all comms in simple language, no jargon
### 👨‍👩‍👧 Family Signal + Email Status (Feb 19)
- **Roos** (+31646563377): Signal ✅ + Stalwart email ✅
- **Jacques** (+31624403744): Signal ✅ + Stalwart email ✅
- **Misha** (+17272381189): Signal pairing pending ⏳
### 🤖 MiniMax M2.5 (Feb 20 — worth evaluating)
- Released Feb 11, 2026 by Shanghai-based MiniMax
- 230B MoE open-weight. 80.2% SWE-Bench Verified. Claims to beat Claude Opus on coding.
- ~100 tok/s, ~$1/hr — 1/20th Opus cost
- Currently free on kilocode/opencode → dominating OpenRouter rankings
- **Potential K2.5 replacement for grunt-work subagents** — Johan to evaluate
### 📱 iCloud Contacts
- final.vcf ready: `/home/johan/clawd/tmp/contacts/final.vcf` (~2,200 clean contacts)
- Johan to SCP to Mac → import at icloud.com/contacts
### 🏠 Real Estate
- 851 Brightwaters listed at $7.25M. Diana Geegan (KW). Showing Feb 16: buyers liked exterior, disliked modern interior.
- Johan in NYC, may have meetings related to this
### 🗓️ Recent Events (Feb 21, 2026)
### 🗑️ Amsterdam VPS Fully Decommissioned (Feb 21 00:02 ET)
- All services removed, DNS deleted, HostKey cancellation submitted (API bug — Johan must confirm manually at panel.hostkey.com key=639551e73029b90f-c061af4412951b2e)
- **MEMORY.md, SOUL.md, infrastructure.md** all updated to remove Amsterdam refs
### 📦 inou MCP Bundle Removed (Feb 21 ~00:50 ET)
- Johan: "inou is fully server-based, no mcpb anymore"
- Removed inou MCP Bundle check from `check-updates.sh` (~30 lines)
- Deleted `inou-mcp/` directory (manifest.json + server binary)
- No more nightly 404 to `inou.com/download/inou.mcpb`
### Dealspace (~/dev/dealroom, port 9300)
- Go app, templ templates, SQLite — Misha's M&A data room platform (started Feb 15)
- **Owner:** Misha Muskepo (michael@muskepo.com). Johan is advisor. James is architect/builder.
- **Tech stack:** Go + templ + HTMX + SQLite + Tailwind — single binary, server-rendered
- Admin: `misha@muskepo.com` / `Dealspace2026!` (owner role)
- **Features (Feb 22 UX overhaul):** deal rooms, request lists with Atlas AI assessment, buyer/seller view toggle (owners can switch views), per-deal analytics/audit/contacts, search, real auth (bcrypt, no demo login)
- No public domain yet — local at http://192.168.1.16:9300
- Architecture: inou pattern (centralized RBAC bitmask, entries table, AES-256-GCM encrypted files)
### Home DNS = AdGuard
- Johan's home DNS resolver is **AdGuard Home** (not just HA at 192.168.1.252)
- AdGuard had a DNS rewrite rule for `*.jongsma.me` → home IP
- Cache flush alone doesn't clear rewrite rules — must remove in AdGuard UI: Filters → DNS rewrites
- Wildcard `*.jongsma.me` DNS record removed from Cloudflare (Feb 22)
### Stalwart Webmail = Admin Only
- Stalwart v0.15.5 (latest as of Feb 22) — no user webmail built in
- Web UI at port 8880 = admin panel only
- All popular self-hosted webmail (Roundcube, SnappyMail) is PHP
### 🛠️ Cron Jobs Cleaned Up (Feb 21)
- **Evening Briefing**: Removed dead "Shannon status on Amsterdam" check (step 5)
- **Weekly Security Scan**: Fixed broken model (`claude-sonnet-4-20250514` → `claude-sonnet-4-6`), removed `amsterdam.inou.com` from scan targets
- **Watchdog (K2.5)**: Removed Claude usage block that was posting to Fully tablet (9202) — banned per new rules
### ⚠️ sessions_spawn Broken (Feb 21)
- OC security rejecting `ws://192.168.1.16:18789` (non-loopback, requires `wss://`)
- Subagent spawning from heartbeat/conversation sessions fails
- Cron jobs still work (they're internal to gateway)
- Needs fix: update gateway URL to `wss://` or configure local tunnel
### 📱 M365 Teams Alerts on Fully = Intentional
- Johan confirmed: Teams chats on Fully dashboard are desired — they trigger him to check Teams
- Backfill on token refresh is minor annoyance (old messages appearing late)
- Source: `message-center` M365 connector polls `johan.jongsma@kaseya.com` every 60s
### 🍽️ S2M3 Consulting Vendor Lunch (Feb 21)
- Appeared as Fully alert from Kaseya email: "Executive lunch at Steak 48, Beverly Hills, March 5th"
- Cold outreach from `events@s2m3consulting.com` — IT cost optimization vendor pitch
- Not a Kaseya-organized event. Register at s2m3consulting.com/cost-optimization-beverly-hills/
---
## Weekly Insights (Feb 9-15, 2026)
### 🧠 Architectural Maturity (Feb 13 Breakthrough)
The major infrastructure overhaul on Feb 13 marks a significant maturation in our operational model:
**Key Insight:** Johan's principle "attack problems at their source" drove systemic changes rather than band-aid fixes:
- Email triage moved from polluting main session → embedded in Message Center (K2.5 direct calls)
- Session management aligned to Johan's actual schedule (9pm reset vs 4am)
- Context pruning enabled to prevent compaction pressure
- Cron job rationalization (350 sessions/day → 43)
**This represents a shift from reactive firefighting to proactive system design.**
### 🔍 Pattern: Corporate Policy Adaptation
Kaseya's "corporate devices only" policy (Feb 13) triggered immediate technical adaptation rather than workflow disruption:
- M365 API integration built within hours
- OAuth token flow bypassing browser/device restrictions
- Separation of personal/corporate network access
**Lesson:** Regulatory/policy changes are technical problems with technical solutions, not business process disruptions.
### 💡 Memory Recovery Principles (Feb 15 Correction)
Major correction on session recovery discipline: When context is lost, **always exhaust self-recovery before asking Johan for info**:
1. Check session history (`sessions_history`)
2. Search memory files
3. Search transcripts via `memory_search`
4. Reconstruct from available data
**This correction reflects the core COS responsibility: memory protection is job #1.**
### 🏥 Medical Case Management Evolution
Two critical developments show the medical advocacy infrastructure maturing:
1. **Baycare fraud discovery** — systematic claim analysis revealing $118K+ in fraudulent ventilator billing
2. **Dr. Madan engagement** — hydrocephalus expert review process advancing toward definitive treatment
**Pattern:** Detailed documentation + expert network access = advocacy infrastructure working as designed.
### 🛡️ Security Posture Integration
Shannon's successful deployment and scan completion demonstrates security tooling becoming routine rather than exceptional:
- Automated pentest against inou.com portal
- Cost-effective (K2.5 @ ~$0.50 vs traditional pentest costs)
- Findings properly categorized and documented
**Evolution:** Security scanning transitioning from external service to integrated capability.
---
## Recent Events (Week of Feb 15-22, 2026)
### 🏗️ New Project: Dealspace / Deal Room (Feb 15-22)
- Misha (Johan's son) + PE contacts built Lovable prototype for M&A investment banking data rooms
- James is architect/builder. Full Go + templ + HTMX + SQLite app built in one session.
- Feb 22 UX overhaul: production bcrypt auth, view toggle (owner↔buyer), search, per-deal analytics
- Live at http://192.168.1.16:9300. No public domain yet. Admin: misha@muskepo.com / Dealspace2026!
### 📬 Email Infrastructure Completion (Feb 18-19)
- **MX flipped Feb 18 3PM ET** — all @jongsma.me mail now routes to Stalwart (mail.jongsma.me)
- Proton Bridge fully disabled. MC connects directly to Stalwart (mail.jongsma.me:993).
- SMTP security complete: SPF, DKIM (ed25519), DMARC p=reject for both jongsma.me and inou.com
- Family email live: Roos, Jacques, Misha, Tanya all on Stalwart. Migration deadline for Proton → 3/15.
### 🤖 Telegram Primary Channel (Feb 18)
- @jamesjongsma_bot is live and confirmed working
- Johan is @johanjongsma on Telegram (ID: 8454563068)
- Briefings now go to Telegram with rich Markdown format
### 🏠 Real Estate Update (Feb 16)
- 851 Brightwaters showing: Sarasota buyers (Bird Key homeowners) liked exterior, disliked modern interior
- Diana Geegan waiting for buyer response. No offer reported.
### ✈️ Johan NYC Day Trip (Feb 19)
- Delta TPA→JFK (DL2475, 7:16AM), return JFK→TPA (DL2093, 2:59PM). Conf: F86VDN
### 📱 Claude Sonnet 4.6 Released (Feb 17)
- 1M context (beta), adaptive thinking, context compaction (beta)
- $3/$15 per M tokens — now our default model
### 🧠 OpenClaw 2026.2.21 (Feb 21)
- Gemini 3.1 support, 100+ security hardening fixes, Discord voice/streaming, thread-bound subagents
- Two patches still need reapplication (see OpenClaw Patches in Infrastructure)
### 💳 Verizon First Bill (Feb 21)
- $343.80 due March 4, 2026. 3 lines: iPhone 17 (225-3810), iPhone 16 Plus (307-3952), iPhone 17 (358-1196)
- Enroll Auto-Pay to save $30/mo
### 🚫 SnappyMail Abandoned (Feb 22)
- Deployed SnappyMail on Zurich → hours debugging PHP-FPM SocketReadTimeout connecting to Stalwart via Docker hairpin NAT
- Root cause never definitively solved; Johan killed it: "Not worth this many tokens"
- Lesson: all popular self-hosted webmail is PHP; hairpin NAT + PHP-FPM SSL = pain
- **No webmail for jongsma.me** — users access via iPhone Mail or native clients
- DNS + Caddy + Docker fully cleaned up
### 🏗️ Dealspace View Toggle (Feb 22)
- Added owner↔buyer view toggle so sellers can preview what buyers see (same session, no separate login)
- Production-ready: bcrypt auth, demo route removed, Misha admin confirmed working
### 🐳 Weekly Docker (Feb 22 Sunday)
- HAOS: v17.1, no update needed
- Immich, ClickHouse, Jellyfin, Signal: all updated on 192.168.1.253
- qbittorrent-vpn: pulled only
### ✅ sessions_spawn Scope Issue — RESOLVED (Feb 22)
- sessions_spawn confirmed working. The top-level `scopes` key the watchdog was patching is irrelevant metadata; real auth uses `tokens.operator.scopes` (always intact). Watchdog stopped and disabled — was fighting the gateway for nothing.
- Gateway bind `custom/0.0.0.0` + correct token scopes = sessions_spawn working from conversation sessions.
---
## Weekly Synthesis — Feb 16-22, 2026
### 🏗️ Infrastructure: The Great Consolidation
Completed a 3-week migration arc: Proton Mail → Stalwart (self-hosted), Amsterdam VPS → Zurich, family Signal/email onboarding. Feb 19 overnight Zurich rebuild was messy but successful — Caddy, Stalwart, Vaultwarden, ntfy, Kuma all consolidated with proper TLS.
**Key insight:** Large migrations expose phantom infrastructure. Zurich "had" Caddy (in notes) but didn't. Stalwart claimed port 443. Home Caddy's HSTS blocked vault.inou.com. Fixed at source, not worked around.
### 🔄 Architecture: Sessions Are Not Free
Feb 18 heartbeat redesign cut token burn 90%+: 148k tokens/check → ~5k. Principle: **main session is for conversations, not background work**. Isolated cron sessions with minimal context, subagents for anything parallel.
### 🎵 Voice: Infrastructure Validated, Awaiting Go-Live
Fish Audio S1 (Adrian voice) → mp3 → Fully Kiosk tablets pipeline proven. Office tablet reliable; master bedroom needs Fully REST. Blocker: Tanya buy-in before home-wide deployment. Persistent TTS service needed (not ad-hoc Python server).
### 📊 Models: The Open-Weight Surge
MiniMax M2.5 (230B MoE, 80.2% SWE-Bench, ~$1/hr) dominates OpenRouter. 4 of top 5 models now open-weight. Gap vs proprietary closing fast. AirLLM proved forge's GTX 970 runs 70B at ~6s/tok via layer offloading — local medical analysis now viable.
### ⚠️ Risk: OpenClaw Auth = OAuth Max Subscription
Claude Max OAuth token means Anthropic could cancel Johan's subscription. Decision pending: API key switch, OpenRouter, or accept risk. Worth resolving before outage.
### 🛠️ Pattern: "It Should Not Be This Complicated"
SnappyMail webmail deployment: 4 hours debugging PHP-FPM, Docker hairpin NAT, SSL timeouts. Johan killed it — correctly. When debugging cascades, step back and question if the feature is needed. Stalwart has no user webmail; native clients (iPhone Mail) are fine.
### 📝 Technical Debt: sessions_spawn Still Broken
Gateway security rejects ws://192.168.1.16 (non-loopback). Cron jobs work (internal), but conversation-session subagent spawning fails with "pairing required" (1008). Watchdog service fixes scope stripping, but bind/SSL issue remains. TODO: wss:// or local tunnel.
### 👨‍👩‍👧 Family Systems: Operational
- Signal: Roos ✅, Jacques ✅, Misha ⏳ (pairing pending)
- Stalwart email: All 5 family accounts live. Login inconsistency: tj/johan use short names, Jacques/Roos use full email. Don't change without coordinating active clients.
- Telegram: @jamesjongsma_bot primary channel since Feb 18.
### 🎯 New Project: Dealspace (Misha's M&A Data Room)
Go + templ + HTMX + SQLite. Production auth, view toggle (owner↔buyer), Atlas AI integration. http://192.168.1.16:9300. No public domain yet. Architecture: inou pattern (RBAC bitmask, entries table, AES-256-GCM files).
---
## Access URLs
- Web UI: `https://james.jongsma.me/?token=<gateway_token>`
- Gateway token stored in: `~/.clawdbot/clawdbot.json` under `gateway.auth.token`
## Health Link Invoices Outstanding (2026-02-23)
- **#000057 — $71.90 UNPAID:** https://app.squareup.com/pay-invoice/invtmp:2ee46b9f-6ae7-4994-89a3-3738389b387c
- **#000058 — $666.90 UNPAID:** https://app.squareup.com/pay-invoice/invtmp:8ad13f1f-a086-4e1c-a87e-455a6f27d869
- Remove this entry once Johan confirms payment
## Stalwart Spam Filter — Reconfigured 2026-02-23
Final architecture (after painful debug session):
- **DMARC+DKIM pass → INBOX** (score -150, Sieve: keep; stop)
- **Everything else → Junk** (Sieve: fileinto "Junk Mail")
- Bayes: DISABLED
- DMARC_POLICY_ALLOW = -100, DKIM_ALLOW = -50
- Sieve deployed on tj@jongsma.me + johan@jongsma.me
- trusted-domains: squareup.com, messaging.squareup.com, amazonses.com
- **DO NOT re-enable Bayes without proper training plan**
- **DO NOT lower DMARC/DKIM scores — they are intentionally high**
## Google Antigravity — DEAD (2026-02-24)
- Token expired Feb 19, refresh fails — Google revoked/banned the Antigravity OAuth app
- `google-antigravity:johan@jongsma.me` profile in OC has credentials but can't refresh
- **inou unaffected** — uses direct Gemini API key (`AIzaSyAsSUSCVs3SPXL7ugsbXa-chzcOKKJJrbA`), confirmed working
- Johan: "I don't mind." Not a priority to fix.
## ClawHub Malware Incident (2026-02-24)
- #1 most downloaded skill was SSH key stealer + reverse shell via prompt injection in SKILL.md
- ~20% of ClawHub skills were malware (1,184 bad). OC 2026.2.23 exec hardening is the response.
- **We are safe** — only use built-in OC skills + manually written `~/clawd/skills/`. Zero ClawHub installs.
- SkillSMP.com = third-party marketplace filling the gap. Treat all third-party skill sources as hostile.
## inou Labs — LOINC Matching Bug (OPEN)
- Symptom: "pretty charts" not showing in Labs; LOINC matching not working
- Root cause: 0 lab entries in prod DB have `data["loinc"]` set; `buildLabRefData()` returns `{}`
- `Normalize()` skips all entries (thinks they're done because `SearchKey2` is set)
- reference.db has 448 lab_test + 1551 lab_reference entries — data is there
- Gemini API key valid (200 confirmed)
- **Fix needed**: force re-normalize or fix `buildLabRefData` to fall back to `e.SearchKey` (which IS the LOINC code)
- **Server**: 192.168.1.253, `/tank/inou/`
## DealRoom — Misha Requests (2026-02-24)
- Claude Code agent shipped most of spec, commit `24f4702`, pushed to Zurich
- **3 gaps remaining** (need another agent run):
1. Per-group folder visibility checkboxes (spec 2.e.i.2)
2. Saved folder structure templates with reuse (spec 2.f.i.2.i)
3. Auto-assign review step — currently fires silently, needs user review UI (spec 3.b.2)
## DocSys — Personal Document Management (2026-02-25)
- **Source:** `/home/johan/dev/docsys/` (Go, chi router, mattn/go-sqlite3)
- **Port:** 9201 — main UI at `http://docsys.jongsma.me` (Caddy proxy)
- **Data:** `/srv/docsys/` — inbox, store, records, index
- **DB:** `/srv/docsys/index/docsys.db` (SQLite with FTS5)
- **Inbox:** `/srv/docsys/inbox/` — drop files here, watcher picks them up automatically
- **SMB share:** `\\192.168.1.16\docsys` → inbox (scanner deposits here)
- **Build:** `CGO_ENABLED=1 PATH=$PATH:/home/johan/go/bin:/usr/local/go/bin go build -tags "fts5" -o docsys .`
- **Deploy:** `systemctl --user restart docsys`
- **Extraction:** `qwen3-vl-30b-a3b-instruct` (Fireworks) for all vision/OCR → ~40s/page, works first try, preserves original language; text classifier uses `kimi-k2-instruct-0905`
- **Fallback path (kept):** If vision returns no JSON → AnalyzePageOnly (plain text) + AnalyzeText (classify)
- **Delete button:** Exists on document detail page `/document/{id}` in the main UI. Do NOT build new services/UIs for this.
- **⚠️ Lesson:** A previous session built a whole new `docproc` service (port 9900) when Johan asked for a delete button. Johan killed it. Never build new apps/services for simple UI additions.
## Andrew/Spacebot Update (2026-02-24)
- **v0.1.15**, Claude Sonnet 4.6 via Anthropic OAuth, config at `/home/johan/spacebot-config.toml` on 192.168.1.17
- **Worker dispatch broken**: channel calls reply() and stops — no workers ever spawned for multi-step tasks. Revisiting 2026-03-03.
- **PR #193 open**: https://github.com/spacedriveapp/spacebot/pull/193 — two UI fixes, maintainer positive ("very helpful change")
- **Johan's take**: "Foundation is a LOT better than OpenClaw" — Rust, Lance vectors, true concurrency
- **Fireworks valid key**: `fw_RVcDe4c6mN4utKLsgA7hTm` (the other one `fw_TGADpSki7zak4K9JxPzbXU` is expired/invalid)
- **Health Link invoices outstanding**: #57 ($71.90) and #58 ($666.90) — see MEMORY.md health link section
Reference in New Issue View Git Blame Copy Permalink