johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/memory/2026-02-28.md

12 KiB
Raw Blame History

Session: 2026-02-28 02:0006:40 ET — Dealspace Build Night

What we built (in ~4.5 hours)

  • Dealspace — full M&A deal workflow SaaS, built from scratch
  • muskepo.com — live, TLS via Caddy on Shannon VPS (82.24.174.112)
  • Shannon VPS — Hostkey, 82.24.174.112, root pw: gUB-C63-EN, paid till 2026-04-09
  • Git repo — git@zurich.inou.com:dealspace.git, local /home/johan/dev/dealspace

Architecture

  • Go binary serves everything: marketing site (embedded) + app (/app) + API (/api)
  • Caddy → proxy to :8080, TLS auto via Let's Encrypt
  • SQLite at /opt/dealspace/data/dealspace.db
  • Files at /opt/dealspace/store/
  • Deploy: make deploy (cross-compile + scp + restart)

Auth

  • Email challenge OTP (no passwords)
  • Backdoor code: 220402 (any account)
  • Super admins: michael@muskepo.com (Misha), johan@jongsma.me (Johan)
  • Super admin bypasses all RBAC (full rwdm everywhere)

Key specs written

  • SPEC.md v0.2 (886 lines, all P0/P1 fixes)
  • SECURITY-SPEC.md, WATERMARK-SPEC.md, EMBED-SPEC.md, MCP-SPEC.md, UI-SPEC.md
  • API-SPEC.yaml (47 endpoints, 2,909 lines OpenAPI)
  • MVP.md (v1.0/v1.1/v2.0 scope, 6-sprint plan, Goldman/TechCorp demo)
  • ONBOARDING-SPEC.md (1,500 lines, email templates, wizard flow)

What's live on muskepo.com

  • Marketing site (7 pages: index, features, security, pricing, privacy, terms, dpa)
  • SOC 2 self-assessment page (/soc2.html)
  • Aria chatbot (Fireworks Llama 70B, email capture → leads.jsonl)
  • WebMCP markup (llms.txt, mcp-manifest.json, Schema.org)
  • App login at /app/login (email OTP)
  • App shell: tasks, projects, request detail (CC-built)

Dealspace data model

  • Entry-based (inou-inspired): project → workstream → list → request/answer
  • Organizations as entries (type: "organization", depth 0)
    • Required: Domains[] — e.g. ["kaseya.com","datto.com"] — no empty domains
    • Role: seller | buyer | ib | advisor
  • DealOrg entries (type: "deal_org", depth 1) link orgs to deals
    • DomainLock: true = only @domain emails can be invited to that role
  • FIPS 140-3: AES-256-GCM, HKDF-SHA256, blind indexes (HMAC-SHA256)

Modules built by agents

  • Watermark: PDF (pdfcpu), image (stdlib), DOCX (stdlib zip)
  • Email: 7 transactional templates, Stalwart SMTP
  • Test suite: 31 tests passing (crypto, dbcore, rbac, integration)
  • Ops: systemd service, deploy.sh, backup.sh, healthcheck.sh, README
  • SOC 2: 6 policy docs adapted from inou, soc2.html page live

Invite flow (designed, not yet built)

  • Only invited users can sign up (no self-registration)
  • IB admin invites by email → /app/invite?token=xxx
  • Onboarding page: full name, job title, company, phone (email pre-filled)
  • Domain validation: if org has domain_lock, must match org domains
  • dealspace-orgs agent building this now

DNS drama

  • muskepo.com was cached at old IP (47.206.57.145) for ~1 hour
  • Root cause: Chrome's internal DNS cache + Quad9 upstream caching
  • Fix: switched AdGuard upstream to Cloudflare (1.1.1.1), flushed Chrome cache
  • TTL set to 60s in Cloudflare for now

Context for working-context.md

  • Dealspace is LIVE but app UI is still rough (CC built basics, orgs agent running)
  • Next: invite flow, org management UI, first real demo for Misha
  • Misha hasn't picked final name/domain yet — muskepo.com is placeholder
  • Email not wired for demo requests yet (waiting on Misha's domain decision)
  • SMTP: mail.jongsma.me (Stalwart), configure when domain chosen

Agent Results (07:0009:00 ET)

dealspace-requests

  • Ported DiligenceRequest model → RequestData entry type
  • CSV/XLSX import with smart header detection (12-row scan, keyword scoring)
  • Priority normalization, section→workstream creation
  • Deployed to Shannon, committed 4758baf

dealspace-security (CRITICAL fixes applied)

  • CR-001: OTP timing attack fixed → subtle.ConstantTimeCompare
  • CR-002: Backdoor code timing attack fixed → ConstantTimeCompare
  • HIGH: CORS wildcard → allowlist (muskepo.com, localhost)
  • HIGH: Security headers middleware added (X-Frame-Options, CSP, nosniff, XSS)
  • Report: /home/johan/dev/dealspace/docs/SECURITY-AUDIT-2026-02-28.md
  • Committed 03b75e8

dealspace-smoke (14/14 PASS)

  • Auth flow, projects, orgs, deal-org, CSV import, security enforcement — all green
  • Missing endpoints documented: GET/DELETE /api/projects/:id, DELETE /api/orgs/:id
  • Script: /home/johan/dev/dealspace/scripts/smoke-test.sh

dealspace-tests (83 tests, 100% pass)

  • 33 new tests: types, orgs, requests import, RBAC super_admin, integration
  • Committed 4758baf, deployed to Shannon

inou-code-review (CRITICAL fixes applied)

  • CR-001: Auth backdoor (code 250365) REMOVED from lib/dbcore.go
  • CR-002: Deterministic nonce — intentional for convergent encryption (documented)
  • HI-001: CORS wildcard → allowlist
  • HI-002: LOINC matching bug FIXED in lib/normalize.go — SearchKey2 no longer causes skip unless LOINC also set
  • Report: /home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md
  • Committed 93643d2

inou-tests (59 test functions)

  • lib/lib_test.go: crypto, tokens, lab reference, RBAC, dossiers, trackers, normalize
  • api/api_test.go: v1 helpers, v2 readings, endpoints, route enforcement
  • Committed 155d24e

Dealspace state at end of night

  • muskepo.com LIVE, all app pages functional
  • 83 tests passing, security hardened, smoke test green
  • Missing: GET /api/projects/:id, invite flow, SMTP config
  • Next session: wire invite flow, then first Misha demo

Overnight Agent Results (07:1307:20 ET)

All 6 agents completed successfully. Johan was sleeping during second sleep block.

dealspace-requests

  • RequestData + WorkstreamData structs added to lib/types.go
  • POST /api/projects/{id}/requests/import — CSV+XLSX, smart header detection (12-row scan), priority mapping
  • GET /api/projects/{id}/requests — sorted by section+item_number
  • excelize/v2 added to go.mod
  • project.html requests tab updated: grouped by section, import modal
  • Deployed to Shannon, pushed to zurich

dealspace-security (2 CRITICAL, 2 HIGH fixed)

  • CRITICAL: OTP timing attack → subtle.ConstantTimeCompare()
  • CRITICAL: Backdoor timing attack → subtle.ConstantTimeCompare()
  • HIGH: CORS wildcard → allowlist (muskepo.com, localhost)
  • HIGH: Security headers middleware added (X-Frame-Options, CSP, nosniff, etc.)
  • Audit report: /home/johan/dev/dealspace/docs/SECURITY-AUDIT-2026-02-28.md
  • Pushed to zurich, commit 03b75e8

dealspace-smoke (14/14 tests passed)

  • Full live API smoke test against muskepo.com
  • Auth, projects, orgs, deal-orgs, request import, security enforcement all PASS
  • Missing: GET/DELETE /api/projects/:id, DELETE /api/orgs/:id (documented)
  • Script: /home/johan/dev/dealspace/scripts/smoke-test.sh

dealspace-tests (83 tests total, 33 new, 100% passing)

  • lib/types_test.go: OrgData, DealOrgData, RequestData JSON roundtrip
  • api/orgs_test.go: 10 tests — create, domains validation, list, super_admin visibility
  • api/requests_test.go: 10 tests — CSV/XLSX import, smart headers, mode replace/add, priority normalization
  • lib/rbac_test.go additions: super_admin bypass, IsSuperAdmin
  • api/integration_test.go: full deal workflow, super_admin sees all projects
  • Deployed + pushed, SHA 4758baf

inou-code-review (2 CRITICAL, 2 HIGH fixed)

  • CRITICAL: Auth backdoor (code 250365) removed from lib/dbcore.go
  • CRITICAL: Deterministic nonce — documented as intentional (convergent encryption for dedup)
  • HIGH: CORS wildcard → allowlist (inou.com, localhost, capacitor) in portal/api_mobile.go + portal/mcp_http.go
  • HIGH: LOINC matching bug FIXED — normalize.go skip condition now requires BOTH SearchKey2 AND data["loinc"] to be set
  • Full report: /home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md
  • Pushed to origin/master

inou-tests (59 test functions, 57 passing)

  • lib/lib_test.go: 36 tests — crypto, tokens, lab reference, categories, IDs, CRUD, trackers, RBAC, dossiers, normalize
  • api/api_test.go: 23 tests — v1 helpers, readings, endpoints, JSON structs, routes, schedule
  • In-memory SQLite, no external deps
  • Run: cd /home/johan/dev/inou && go test ./lib ./api -v

Key fixes summary

  • Dealspace: 4 security fixes, 83 tests, smoke test script, request import live
  • inou: LOINC matching bug fixed, auth backdoor removed, CORS locked, 59 tests written

Afternoon Session (14:0018:00 ET)

Vault1984 — New Project Born

Built a personal password manager for humans with AI assistants. Designed and shipped Day 1 in one afternoon.

The insight (Johan's EA analogy):

"My EA has access to company files, not my private drawer. Different key, kept on me."

Architecture:

  • One Go binary, one SQLite file, port 1984 (Orwell — intentional)
  • L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP
  • L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server.
  • No email/SMS fallback for L2 (would break security model)
  • Recovery: printed BIP39 mnemonic only

Entry model: No separate tables. Everything is an entry with free-form fields. l2:true per field, section for grouping, kind for type hint.

Import: Chrome/Firefox CSV, Bitwarden JSON, Proton Pass JSON parsed natively in Go. LLM fallback (Fireworks, chunked) for unknown formats. Handles 12,623 entries. Date-based collision resolution (newest timePasswordChanged/modifyTime/revisionDate wins; Chrome has no timestamps → existing wins).

Name evolution: Started as ClawVault → renamed Vault1984 (stands alone, not Claw-specific)

Git: git@zurich.inou.com:vault1984.git | Local: /home/johan/dev/vault1984/ | Running: http://192.168.1.16:1984

3 bugs fixed from test suite:

  • L2 fields leaked plaintext to web API → stripped for web+MCP actors
  • words=4 passphrase generator ignored N → fixed
  • ?q= on /api/entries ignored → delegates to search

Day 2 pending: WebAuthn PRF, L2 client-side encrypt/decrypt, scoped MCP tokens, extension autofill, Caddy proxy, systemd service

Scoped MCP Tokens (KEY FEATURE)

For multi-agent swarms: per-token tag/entry whitelisting. Agent 1 gets ["social","twitter"], Agent 2 gets ["dev","github"]. One compromise = one agent's scope. Added to SPEC.md.

Go-to-Market: Alex Finn

  • @AlexFinn runs 10+ OpenClaw agents 24/7 on Mac Studio swarm
  • He uses bots to scan X — don't tag him, make content his bots surface
  • Keywords: OpenClaw, MCP, credentials, multi-agent, swarm, autonomous
  • Discord is his primary community — subagent hunting for his server
  • James needs Discord account to participate genuinely
  • Hook: scoped tokens solving the exact multi-agent credential problem he has

Assets created

  • docs/README.md, docs/X-ANNOUNCEMENT.md (3 options + 6-tweet thread)
  • docs/KILLER-FEATURES.md (14 features, 3 tiers)
  • docs/RESEARCH.md (Chrome complaints, CC/Codex MCP config, community channels)
  • docs/SESSION-2026-02-28.md (full session notes)

Azure Backup — Abandoned

Johan abandoned the Azure Files project.

  • Local: azure-backup-abandoned-20260228 (kept recoverable)
  • Remote: azure-backup.git deleted from Zurich

Taalas / ChatJimmy (chatjimmy.ai)

Toronto startup, stealth last week. HC1 chip: Llama 3.1 8B hard-coded into silicon. 17,000 tok/s. $30M of $200M spent. Model got boxes puzzle answer right by accident, wrong reasoning. HC2 (70B) will be the real test. Watch this company.

Breaking News: US Strikes Iran

Operation Epic Fury. Confirmed by White House + CENTCOM. Iran internet ~98% down (Cloudflare Radar). Signaled Johan at 15:41 ET.

OpenAI × DoD

Signed classified AI deployment agreement. OpenAI retains safety stack. Explicitly stated Anthropic should NOT be flagged as supply chain risk.

Pending (carry to tomorrow)

  • AlexFinn Discord server found?
  • James Discord account — ask Johan
  • Import Johan's actual 12,623 entries into Vault1984
  • Vault1984 Day 2: WebAuthn PRF + scoped tokens
  • Caddy proxy + systemd for Vault1984