clawd/memory/2026-02-28.md

## Session: 2026-02-28 02:00–06:40 ET — Dealspace Build Night
### What we built (in ~4.5 hours)
- **Dealspace** — full M&A deal workflow SaaS, built from scratch
- **muskepo.com** — live, TLS via Caddy on Shannon VPS (82.24.174.112)
- **Shannon VPS** — Hostkey, 82.24.174.112, root pw: gUB-C63-EN, paid till 2026-04-09
- **Git repo** — git@zurich.inou.com:dealspace.git, local /home/johan/dev/dealspace
### Architecture
- Go binary serves everything: marketing site (embedded) + app (/app) + API (/api)
- Caddy → proxy to :8080, TLS auto via Let's Encrypt
- SQLite at /opt/dealspace/data/dealspace.db
- Files at /opt/dealspace/store/
- Deploy: `make deploy` (cross-compile + scp + restart)
### Auth
- Email challenge OTP (no passwords)
- Backdoor code: **220402** (any account)
- Super admins: michael@muskepo.com (Misha), johan@jongsma.me (Johan)
- Super admin bypasses all RBAC (full rwdm everywhere)
### Key specs written
- SPEC.md v0.2 (886 lines, all P0/P1 fixes)
- SECURITY-SPEC.md, WATERMARK-SPEC.md, EMBED-SPEC.md, MCP-SPEC.md, UI-SPEC.md
- API-SPEC.yaml (47 endpoints, 2,909 lines OpenAPI)
- MVP.md (v1.0/v1.1/v2.0 scope, 6-sprint plan, Goldman/TechCorp demo)
- ONBOARDING-SPEC.md (1,500 lines, email templates, wizard flow)
### What's live on muskepo.com
- Marketing site (7 pages: index, features, security, pricing, privacy, terms, dpa)
- SOC 2 self-assessment page (/soc2.html)
- Aria chatbot (Fireworks Llama 70B, email capture → leads.jsonl)
- WebMCP markup (llms.txt, mcp-manifest.json, Schema.org)
- App login at /app/login (email OTP)
- App shell: tasks, projects, request detail (CC-built)
### Dealspace data model
- Entry-based (inou-inspired): project → workstream → list → request/answer
- Organizations as entries (type: "organization", depth 0)
- Required: Domains[] — e.g. ["kaseya.com","datto.com"] — no empty domains
- Role: seller | buyer | ib | advisor
- DealOrg entries (type: "deal_org", depth 1) link orgs to deals
- DomainLock: true = only @domain emails can be invited to that role
- FIPS 140-3: AES-256-GCM, HKDF-SHA256, blind indexes (HMAC-SHA256)
### Modules built by agents
- Watermark: PDF (pdfcpu), image (stdlib), DOCX (stdlib zip)
- Email: 7 transactional templates, Stalwart SMTP
- Test suite: 31 tests passing (crypto, dbcore, rbac, integration)
- Ops: systemd service, deploy.sh, backup.sh, healthcheck.sh, README
- SOC 2: 6 policy docs adapted from inou, soc2.html page live
### Invite flow (designed, not yet built)
- Only invited users can sign up (no self-registration)
- IB admin invites by email → /app/invite?token=xxx
- Onboarding page: full name, job title, company, phone (email pre-filled)
- Domain validation: if org has domain_lock, must match org domains
- dealspace-orgs agent building this now
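
The domain validation step of the invite flow, as an added example (not Dealspace's own code). The `Org` struct, `CheckInvite` and `ErrDomainLocked` are hypothetical names; only the `Domains` and `DomainLock` fields come from the notes above.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Org is a hypothetical stand-in carrying the two fields the notes name.
type Org struct {
	Domains    []string // e.g. ["kaseya.com","datto.com"]
	DomainLock bool
}

var ErrDomainLocked = errors.New("email domain not in organization's domains")

// CheckInvite returns nil when email may be invited into org.
func CheckInvite(org Org, email string) error {
	addr, err := mail.ParseAddress(email)
	if err != nil {
		return fmt.Errorf("invalid email: %w", err)
	}
	if !org.DomainLock {
		return nil
	}
	// LastIndex: a quoted local part may itself contain '@'.
	at := strings.LastIndexByte(addr.Address, '@')
	domain := strings.ToLower(addr.Address[at+1:])
	for _, d := range org.Domains {
		// Exact, case-insensitive match. A suffix or substring test would
		// accept look-alikes; subdomains pass only if listed explicitly.
		if domain == strings.ToLower(strings.TrimSpace(d)) {
			return nil
		}
	}
	return ErrDomainLocked
}

func main() {
	org := Org{Domains: []string{"kaseya.com", "datto.com"}, DomainLock: true}
	// Constructed sample addresses.
	for _, e := range []string{"ann@kaseya.com", "bob@Datto.COM",
		"eve@evil-kaseya.com", "eve@kaseya.com.example.net"} {
		fmt.Printf("%-28s %v\n", e, CheckInvite(org, e))
	}
}
```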
### DNS drama
- muskepo.com was cached at old IP (47.206.57.145) for ~1 hour
- Root cause: Chrome's internal DNS cache + Quad9 upstream caching
- Fix: switched AdGuard upstream to Cloudflare (1.1.1.1), flushed Chrome cache
- TTL set to 60s in Cloudflare for now
### Context for working-context.md
- Dealspace is LIVE but app UI is still rough (CC built basics, orgs agent running)
- Next: invite flow, org management UI, first real demo for Misha
- Misha hasn't picked final name/domain yet — muskepo.com is placeholder
- Email not wired for demo requests yet (waiting on Misha's domain decision)
- SMTP: mail.jongsma.me (Stalwart), configure when domain chosen
## Agent Results (07:00–09:00 ET)
### dealspace-requests ✅
- Ported DiligenceRequest model → RequestData entry type
- CSV/XLSX import with smart header detection (12-row scan, keyword scoring)
- Priority normalization, section→workstream creation
- Deployed to Shannon, committed 4758baf
### dealspace-security ✅ (CRITICAL fixes applied)
- CR-001: OTP timing attack fixed → subtle.ConstantTimeCompare
- CR-002: Backdoor code timing attack fixed → ConstantTimeCompare
- HIGH: CORS wildcard → allowlist (muskepo.com, localhost)
- HIGH: Security headers middleware added (X-Frame-Options, CSP, nosniff, XSS)
- Report: /home/johan/dev/dealspace/docs/SECURITY-AUDIT-2026-02-28.md
- Committed 03b75e8
### dealspace-smoke ✅ (14/14 PASS)
- Auth flow, projects, orgs, deal-org, CSV import, security enforcement — all green
- Missing endpoints documented: GET/DELETE /api/projects/:id, DELETE /api/orgs/:id
- Script: /home/johan/dev/dealspace/scripts/smoke-test.sh
### dealspace-tests ✅ (83 tests, 100% pass)
- 33 new tests: types, orgs, requests import, RBAC super_admin, integration
- Committed 4758baf, deployed to Shannon
### inou-code-review ✅ (CRITICAL fixes applied)
- CR-001: Auth backdoor (code 250365) REMOVED from lib/dbcore.go
- CR-002: Deterministic nonce — intentional for convergent encryption (documented)
- HI-001: CORS wildcard → allowlist
- HI-002: LOINC matching bug FIXED in lib/normalize.go — SearchKey2 no longer causes skip unless LOINC also set
- Report: /home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md
- Committed 93643d2
### inou-tests ✅ (59 test functions)
- lib/lib_test.go: crypto, tokens, lab reference, RBAC, dossiers, trackers, normalize
- api/api_test.go: v1 helpers, v2 readings, endpoints, route enforcement
- Committed 155d24e
## Dealspace state at end of night
- muskepo.com LIVE, all app pages functional
- 83 tests passing, security hardened, smoke test green
- Missing: GET /api/projects/:id, invite flow, SMTP config
- Next session: wire invite flow, then first Misha demo
## Overnight Agent Results (07:13–07:20 ET)
All 6 agents completed successfully. Johan was sleeping during second sleep block.
### dealspace-requests ✅
- RequestData + WorkstreamData structs added to lib/types.go
- POST /api/projects/{id}/requests/import — CSV+XLSX, smart header detection (12-row scan), priority mapping
- GET /api/projects/{id}/requests — sorted by section+item_number
- excelize/v2 added to go.mod
- project.html requests tab updated: grouped by section, import modal
- Deployed to Shannon, pushed to zurich
### dealspace-security ✅ (2 CRITICAL, 2 HIGH fixed)
- CRITICAL: OTP timing attack → subtle.ConstantTimeCompare()
- CRITICAL: Backdoor timing attack → subtle.ConstantTimeCompare()
- HIGH: CORS wildcard → allowlist (muskepo.com, localhost)
- HIGH: Security headers middleware added (X-Frame-Options, CSP, nosniff, etc.)
- Audit report: /home/johan/dev/dealspace/docs/SECURITY-AUDIT-2026-02-28.md
- Pushed to zurich, commit 03b75e8
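
A sketch of the "CORS wildcard → allowlist" change as Go middleware, added here as an example and not taken from the Dealspace repo. The two hosts come from the notes; matching on the parsed hostname, requiring https except for localhost, and the method and header lists are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Hosts are from the notes; matching on the parsed hostname and requiring
// https everywhere except localhost are assumptions of this sketch.
var allowedHosts = map[string]bool{"muskepo.com": true, "localhost": true}

// originAllowed parses the Origin header and matches the hostname exactly.
func originAllowed(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || u.User != nil || u.Path != "" {
		return false // also rejects "" and the literal origin "null"
	}
	host := u.Hostname()
	if !allowedHosts[host] {
		return false
	}
	return u.Scheme == "https" || (host == "localhost" && u.Scheme == "http")
}

// CORS echoes back an allowlisted Origin and never sends "*".
func CORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Add("Vary", "Origin") // caches must not mix origins
		if origin := r.Header.Get("Origin"); originAllowed(origin) {
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
			h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		// A preflight ends here; a disallowed origin gets no CORS headers.
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample origins.
	for _, o := range []string{"https://muskepo.com", "http://localhost:8080", "https://muskepo.com.evil.example", "null"} {
		fmt.Printf("%-36s %v\n", o, originAllowed(o))
	}
}
```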
### dealspace-smoke ✅ (14/14 tests passed)
- Full live API smoke test against muskepo.com
- Auth, projects, orgs, deal-orgs, request import, security enforcement all PASS
- Missing: GET/DELETE /api/projects/:id, DELETE /api/orgs/:id (documented)
- Script: /home/johan/dev/dealspace/scripts/smoke-test.sh
### dealspace-tests ✅ (83 tests total, 33 new, 100% passing)
- lib/types_test.go: OrgData, DealOrgData, RequestData JSON roundtrip
- api/orgs_test.go: 10 tests — create, domains validation, list, super_admin visibility
- api/requests_test.go: 10 tests — CSV/XLSX import, smart headers, mode replace/add, priority normalization
- lib/rbac_test.go additions: super_admin bypass, IsSuperAdmin
- api/integration_test.go: full deal workflow, super_admin sees all projects
- Deployed + pushed, SHA 4758baf
### inou-code-review ✅ (2 CRITICAL, 2 HIGH fixed)
- CRITICAL: Auth backdoor (code 250365) removed from lib/dbcore.go
- CRITICAL: Deterministic nonce — documented as intentional (convergent encryption for dedup)
- HIGH: CORS wildcard → allowlist (inou.com, localhost, capacitor) in portal/api_mobile.go + portal/mcp_http.go
- HIGH: LOINC matching bug FIXED — normalize.go skip condition now requires BOTH SearchKey2 AND data["loinc"] to be set
- Full report: /home/johan/dev/inou/docs/CODE-REVIEW-2026-02-28.md
- Pushed to origin/master
### inou-tests ✅ (59 test functions, 57 passing)
- lib/lib_test.go: 36 tests — crypto, tokens, lab reference, categories, IDs, CRUD, trackers, RBAC, dossiers, normalize
- api/api_test.go: 23 tests — v1 helpers, readings, endpoints, JSON structs, routes, schedule
- In-memory SQLite, no external deps
- Run: `cd /home/johan/dev/inou && go test ./lib ./api -v`
### Key fixes summary
- Dealspace: 4 security fixes, 83 tests, smoke test script, request import live
- inou: LOINC matching bug fixed, auth backdoor removed, CORS locked, 59 tests written
---
## Afternoon Session (14:00–18:00 ET)
### Vault1984 — New Project Born
Built a personal password manager for humans with AI assistants. Designed and shipped Day 1 in one afternoon.
**The insight (Johan's EA analogy):**
> "My EA has access to company files, not my private drawer. Different key, kept on me."
**Architecture:**
- One Go binary, one SQLite file, port **1984** (Orwell — intentional)
- L1: server key (VAULT_KEY env), AI-readable — API keys, SSH, TOTP
- L2: WebAuthn PRF client-side only (Touch ID/YubiKey/Titan Key) — card numbers, CVV, passport. Key NEVER on server.
- No email/SMS fallback for L2 (would break security model)
- Recovery: printed BIP39 mnemonic only
**Entry model:** No separate tables. Everything is an entry with free-form fields. `l2:true` per field, `section` for grouping, `kind` for type hint.
**Import:** Chrome/Firefox CSV, Bitwarden JSON, Proton Pass JSON parsed natively in Go. LLM fallback (Fireworks, chunked) for unknown formats. Handles 12,623 entries. Date-based collision resolution (newest `timePasswordChanged`/`modifyTime`/`revisionDate` wins; Chrome has no timestamps → existing wins).
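
The date-based collision rule, as an added example rather than Vault1984's importer. The `Entry` shape, the `Key` format and `Merge` are hypothetical; treating a tie as "existing wins" and letting a timestamped import replace an untimestamped existing entry are assumptions the notes do not settle.

```go
package main

import (
	"fmt"
	"time"
)

// Entry is a hypothetical, reduced vault record. Changed is the zero time
// when the source format carries no timestamp (Chrome CSV).
type Entry struct {
	Key      string // assumed collision key: site + username
	Password string
	Changed  time.Time
}

// Merge folds incoming into existing and reports how many entries were
// added and how many replaced an existing one.
func Merge(existing map[string]Entry, incoming []Entry) (added, replaced int) {
	for _, in := range incoming {
		cur, found := existing[in.Key]
		switch {
		case !found:
			existing[in.Key] = in
			added++
		case in.Changed.IsZero():
			// No timestamp on the imported row: existing wins.
		case in.Changed.After(cur.Changed):
			// Strictly newer wins; ties keep existing, so re-imports are no-ops.
			existing[in.Key] = in
			replaced++
		}
	}
	return added, replaced
}

func main() {
	day := func(d int) time.Time { return time.Date(2026, 2, d, 0, 0, 0, 0, time.UTC) }
	vault := map[string]Entry{ // constructed sample data
		"github.com|johan": {"github.com|johan", "current", day(20)},
		"x.com|johan":      {"x.com|johan", "current", day(20)},
	}
	added, replaced := Merge(vault, []Entry{
		{"github.com|johan", "stale-export", day(1)}, // older: ignored
		{"x.com|johan", "rotated", day(27)},          // newer: replaces
		{"github.com|johan", "chrome", time.Time{}},  // no timestamp: ignored
		{"example.org|johan", "new", time.Time{}},    // new key: added
	})
	fmt.Println(added, replaced, vault["github.com|johan"].Password, vault["x.com|johan"].Password)
}
```
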
**Name evolution:** Started as ClawVault → renamed Vault1984 (stands alone, not Claw-specific)
**Git:** `git@zurich.inou.com:vault1984.git` | Local: `/home/johan/dev/vault1984/` | Running: `http://192.168.1.16:1984`
**3 bugs fixed from test suite:**
- L2 fields leaked plaintext to web API → stripped for web+MCP actors
- `words=4` passphrase generator ignored N → fixed
- `?q=` on `/api/entries` ignored → delegates to search
**Day 2 pending:** WebAuthn PRF, L2 client-side encrypt/decrypt, scoped MCP tokens, extension autofill, Caddy proxy, systemd service
### Scoped MCP Tokens (KEY FEATURE)
For multi-agent swarms: per-token tag/entry whitelisting. Agent 1 gets `["social","twitter"]`, Agent 2 gets `["dev","github"]`. One compromise = one agent's scope. Added to SPEC.md.
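
Per-token whitelisting as a deny-by-default filter, added here as an example and not taken from SPEC.md or the Vault1984 code. `Entry`, `Scope`, `Allows` and `Visible` are hypothetical, and "any one matching tag grants access" is an assumed reading of the tag lists above.

```go
package main

import "fmt"

// Entry and Scope are hypothetical shapes, not Vault1984's own types.
type Entry struct {
	ID   string
	Tags []string
}

type Scope struct {
	Tags    []string // any matching tag grants access (assumed semantics)
	Entries []string // explicitly whitelisted entry IDs
}

// Allows is deny-by-default: an empty scope matches nothing.
func (s Scope) Allows(e Entry) bool {
	for _, id := range s.Entries {
		if id == e.ID {
			return true
		}
	}
	for _, want := range s.Tags {
		for _, have := range e.Tags {
			if want == have {
				return true
			}
		}
	}
	return false
}

// Visible filters server-side, before anything is serialized to the agent.
func Visible(s Scope, all []Entry) []string {
	var ids []string
	for _, e := range all {
		if s.Allows(e) {
			ids = append(ids, e.ID)
		}
	}
	return ids
}

func main() {
	vault := []Entry{{"tw-main", []string{"social", "twitter"}}, // constructed sample data
		{"gh-deploy", []string{"dev", "github"}}, {"bank", []string{"finance"}}}
	fmt.Println(Visible(Scope{Tags: []string{"social", "twitter"}}, vault)) // agent 1
	fmt.Println(Visible(Scope{Tags: []string{"dev", "github"}}, vault))     // agent 2
}
```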
### Go-to-Market: Alex Finn
- @AlexFinn runs 10+ OpenClaw agents 24/7 on Mac Studio swarm
- He uses bots to scan X — don't tag him, make content his bots surface
- Keywords: OpenClaw, MCP, credentials, multi-agent, swarm, autonomous
- Discord is his primary community — subagent hunting for his server
- James needs Discord account to participate genuinely
- Hook: scoped tokens solving the exact multi-agent credential problem he has
### Assets created
- `docs/README.md`, `docs/X-ANNOUNCEMENT.md` (3 options + 6-tweet thread)
- `docs/KILLER-FEATURES.md` (14 features, 3 tiers)
- `docs/RESEARCH.md` (Chrome complaints, CC/Codex MCP config, community channels)
- `docs/SESSION-2026-02-28.md` (full session notes)
### Azure Backup — Abandoned
Johan abandoned the Azure Files project.
- Local: `azure-backup-abandoned-20260228` (kept recoverable)
- Remote: `azure-backup.git` deleted from Zurich
### Taalas / ChatJimmy (chatjimmy.ai)
Toronto startup, stealth last week. HC1 chip: Llama 3.1 8B hard-coded into silicon. 17,000 tok/s. $30M of $200M spent. Model got boxes puzzle answer right by accident, wrong reasoning. HC2 (70B) will be the real test. Watch this company.
### Breaking News: US Strikes Iran
Operation Epic Fury. Confirmed by White House + CENTCOM. Iran internet ~98% down (Cloudflare Radar). Signaled Johan at 15:41 ET.
### OpenAI × DoD
Signed classified AI deployment agreement. OpenAI retains safety stack. Explicitly stated Anthropic should NOT be flagged as supply chain risk.
### Pending (carry to tomorrow)
- [ ] AlexFinn Discord server found?
- [ ] James Discord account — ask Johan
- [ ] Import Johan's actual 12,623 entries into Vault1984
- [ ] Vault1984 Day 2: WebAuthn PRF + scoped tokens
- [ ] Caddy proxy + systemd for Vault1984