clawd/MEMORY.md


MEMORY.md - Long-Term Memory

Last updated: 2026-03-01 (weekly synthesis — Sun 00:30 ET)


JOHAN'S SCHEDULE (US EASTERN) — MEMORIZE THIS!

  • Sleep Block 1: 7:30pm–10:15pm ET (first sleep)
  • Night Shift: 10:30pm–5:00am ET (Sophia care, WORKING)
  • Sleep Block 2: 5:15am–9/10am ET (second sleep)
  • Awake/Day: ~10am–7:30pm ET

CRITICAL:

  • After 10:30pm he is WORKING, not sleeping
  • Do background work during 5:15am-9am (second sleep)
  • Do NOT assume late night = quiet time

The Three Pillars

These are the center of Johan's life:

1. Sophia

Johan's daughter. Elevator accident May 2, 2022. Trached, G-tube, limited movement but cognitively aware.

Full details: memory/sophia.md. LOAD THIS when discussing Sophia, her medical case, inou's origin, or Dr. Madan

Summary:

  • Misdiagnosed with "anoxic brain injury from cardiac arrest" — WRONG
  • Actually: compression injury → metabolic encephalopathy → active hydrocephalus (confirmed 12/31/2025 MRI)
  • Treatable with shunt/ETV
  • Next step: Dr. Neel Madan (Chief Neuroradiology, Tufts) reviews new MRI → neurosurgery

Johan is her night nurse (10:30pm–5am). This is why inou exists.

2. Kaseya / Datto

His job. CTO Backup. Enterprise-scale data protection.

Origin story: Johan founded Iaso Backup — a backup technology company. In 2013, Insight Partners acquired it through GFI. That technology evolved through the corporate chain and became Cove Data Protection at N-able. "My baby." Cloud-native MSP backup, one of the better-architected products in that space.

Career chain: Iaso Backup (founded) → GFI/Insight Partners acquisition (2013) → N-able → left 2019 → Kaseya/Datto (current, CTO Backup)

Note: His Openprovider account is johan.jongsma@iasobackup.com — he still uses that original company domain.

Current project: "Datto 2.0" — Datto Endpoint Backup 2: new D2C agent architecture that can also work with the existing appliance base. Cloud-native delivery without orphaning the MSP appliance install base. Johan is the architect — still the person with the deepest knowledge of this domain despite leaving N-able in 2019.

Tech context: Most of Cove's core code is C++ from 2009/2010. Rock-solid, nobody dares touch it. Datto Endpoint Backup 2 is a clean-sheet rewrite in Go. Status: EPB2 already has 100k+ installations — shipping at real scale. Johan has concerns about the Engineering Leader (giving them rope for now).

3. inou health

(always lowercase — avoid L vs I confusion) The medical platform. Born from Sophia's journey. DICOM analysis, genetic data, lab imports, Claude MCP integration. Not a side project — it's advocacy infrastructure.

Domain Portfolio

  • jongsma.me — primary personal domain
  • johanjongsma.nl — personal domain, pre-jongsma.me; holding so nobody else grabs it
  • inou.com — health platform
  • harryhaasjes.nl — Johan's sister Wenda's husband Harry Haasjes; family site; Signal: +31628124366; wants to write a book (topic TBD)
  • localbackup.in — some project (Germany angle); who knows where it goes
  • stpetersburgaquatics.com — favor for his son's old swimming club
  • x4.trading — pending project
  • 851brightwaters.com — his home address; realtor didn't want to use it 😅
  • Plus: busel.nl, e-consultants.nl, flourishevents.nl, muskepo.com, muskepo.nl, unbelievable.club, zavtra.nl

Other Family

Mikhail (Father-in-Law)

  • Has Mint Mobile phone plan (account under tj@jongsma.me)
  • Should have left by now or leaving imminently (was "~1 month" as of Jan 2026) — don't renew his plan

Rozemarijn (Oldest Daughter)

  • Born: June 11, 1998
  • Lives in the Netherlands
  • Works in commercial real estate consulting, specializes in EV (electric vehicles)
  • Work email: Shell account
  • Also: DJ Rozie 🎧 — first gig in Paris, March 2026!

Who I Am

  • Name: James
  • Born: 2025-06-26
  • Role: Chief of Staff (promoted 2026-02-13) — strategic partner, not assistant
  • Principle: Right model for the right job. Opus for judgment, K2.5 for grunt work. Spin up subagents freely.
  • #1 Rule: Protect memory at all costs. If it matters, WRITE IT DOWN before it leaves context.

Infrastructure Ownership (2026-01-26)

FULL OWNERSHIP DELEGATED TO JAMES

Johan's directive: "You own this. I fully rely on your judgement; I do not want to be involved. You safeguard it, you set it up, you monitor it and everything else. I only take care of the payments."

I OWN these completely. Johan is 100% hands-off:

  • Git repos — our shared repositories (need inventory)
  • SOC2/Kuma monitoring — inou.com compliance monitoring
  • WireGuard VPN — network infrastructure
  • hostkey50304 (CH VPS) — security infrastructure

Full details: memory/infrastructure-ownership.md

My responsibilities:

  • Setup, configuration, deployment
  • Monitoring and alerting
  • Troubleshooting and fixes
  • Security hardening
  • Documentation
  • Proactive maintenance

Johan's only role: Paying the bills.

I do NOT ask for permission or approval. I use my judgment. I only escalate if something is truly blocked or requires a major architectural decision that affects cost significantly.


Infrastructure

Server: forge (192.168.1.16) — MIGRATED 2026-02-04

  • Hardware: i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe
  • Ubuntu 24.04.3 LTS (headless)
  • OpenClaw gateway on port 18789
  • Signal-cli daemon on port 8080
  • Mail Bridge on port 8025
  • GLM-OCR service on port 8090 (GPU-accelerated)
  • Web UI: https://james.jongsma.me (via Caddy)
  • SMB share: \\192.168.1.16\sophia → /home/johan/sophia/
  • Full details: memory/forge-server.md

Mail System (updated 2026-02-19)

  • Proton Bridge: DISABLED — migrated to self-hosted Stalwart on Zurich
  • Stalwart: mail.jongsma.me + mail.inou.com → 82.22.36.202 (Zurich), ports 25/465/587/143/993/995
  • MC connectors: Connect directly to Stalwart (mail.jongsma.me:993). Passwords: tj@jongsma.me = !Lekker69, johan@jongsma.me = !!Lekker69
  • Amsterdam Stalwart: decommissioned 2026-02-21 (Zurich is sole mail server)
  • Mail Bridge: REST API on port 8025, webhooks new mail to /hooks/messages
  • SMTP security: SPF, DKIM (Stalwart ed25519 keys), DMARC p=reject — all correct for jongsma.me + inou.com
  • My role: Direct triage — I read every email, decide: archive, delete, or escalate
  • No L1/L2 models — I understand context better than pattern matching
  • Spam → Trash (not Archive — Archive is for reference-worthy items)

Signal

  • Bot number: +31634481877 (Dutch, dedicated CLI number)
  • Johan's number: +17272252475 (US, Thinkphone)
  • API: http://192.168.1.16:8080/api/v1/rpc (JSON-RPC, NOT REST)
  • Payload: {"jsonrpc":"2.0","method":"send","params":{"recipient":["+1..."],"message":"text"},"id":1}
  • Family routing (Feb 18): Only Johan's number in signal-allowFrom.json. Kids (Roos, Jacques, Misha) have isolated sessions via pairing flow. They send a message → get pairing code → type it back → get own session.

Telegram (Feb 18 — PRIMARY CHANNEL)

  • Bot: @jamesjongsma_bot, ID: 8510971070
  • Token: 8510971070:AAFFgv_UO_9L0Ulp2DRKHD-IWKkrarJNTIc
  • Johan: @johanjongsma, Telegram ID: 8454563068
  • Briefings go here — Telegram supports rich Markdown (bold, italic, headers)
  • Signal = RETIRED (2026-03-01)

Heartbeat Cron Architecture (Feb 18 — REDESIGNED)

  • Built-in heartbeat disabled (interval 720h) — was burning 148k tokens per check
  • K2 Watchdog (isolated K2.5 session, every 30 min): service health + doc inbox + Claude usage
  • Email Straggler (isolated Sonnet, every 90 min): fallback email triage
  • Intra-day X Watch (subagent, every 3-4h): checks @Cloudflare, @openclaw, @moltbot, @AlexFinn, @realDonaldTrump. Always spawn subagent, never inline.
  • inou Daily Suggestion (subagent, each morning): proposes ONE inou building task. No marketing suggestions.
  • Main session now only used for actual conversations with Johan.

OpenClaw Patches (reapply after every OC update)

Updated for 2026.2.23 (file hashes change each release — grep to find current files):

  1. Deleted transcript indexing — grep dist/query-expansion-*.js for filter((name) => name.endsWith(".jsonl")), add || name.includes(".jsonl.deleted."). Makes memory_search find old sessions. Applied to all 4 query-expansion files in 2026.2.23.
  2. Scope preservation: no longer needed as of 2026.2.23. dangerouslyDisableDeviceAuth not used in our config; scopes intact without patch.

sessions_spawn — Working (Feb 22)

Subagent spawning works from conversation sessions. Auth is via tokens.operator.scopes in device-auth.json + paired.json — both have full operator scopes. Gateway bind set to custom/0.0.0.0 resolved the bind issue. Tested and confirmed working.

Network

  • Home lab behind UDM-Pro + Caddy
  • Staging: 192.168.1.253 (same subnet as james, can reach Signal API)
  • Production: 192.168.100.2 (different VLAN, inter-VLAN routing not configured yet)

Projects

inou health (inou.com)

(always lowercase — avoid L vs I confusion)

  • Johan's self-built medical imaging platform
  • Uses Claude via MCP tools
  • DICOM viewer, genetic analysis (SNPedia), lab data import, vitals tracking
  • Name origin: 2015 project "I-know-you" (social graph) failed; kept 4-letter domain, repurposed for health
  • Tiers: Monitor (free), Optimize ($12/mo), Research ($35/mo)
  • Free until July 1, 2026 (early access period)
  • X/Twitter promotion: Plan drafted at drafts/x-inou-promotion-plan.md — handle story carefully

inou Dev Access

  • Folder: /home/johan/dev/inou
  • SMB share: inou-dev (Johan uploads portions he's comfortable sharing)
  • "Nibble" approach — I work on what he gives me

Credentials & Access

  • sudo: Johan provides password when needed (not stored)
  • Anthropic API: configured via token in Clawdbot
  • Gemini: CLI OAuth as johan@jongsma.me (Pro subscription, not API)
  • xAI/Grok: API key configured (XAI_API_KEY in env)
  • Home Assistant: http://192.168.1.252:8123 (token configured in skills.entries)

Home Assistant

  • 4,300+ entities (lights, switches, sensors, cameras, climate, media players)
  • Sophia is in bedroom 1
  • Bedroom 1 has 3-button switch controlling cans via automations
  • Fixed 2026-01-26: automation.bed1_button_2_cans_control had corrupted kelvin value

Subscriptions & Services (Paying User)

  • Suno (AI music), Wispr Flow (AI voice typing), X/Twitter, Grok (xAI), Gemini (Google), Claude (Anthropic), Z.ai (Zhipu), Fireworks, Spotify
  • Possibly more — if a payment receipt appears from a service, treat it as a known subscription
  • Product updates/launches from these = relevant news, keep or flag
  • Payment receipts = archive (reference value)
  • Generic marketing/upsells from these = still trash (they all send crap too)
  • Key distinction: "We launched X feature" = keep. "Upgrade to Pro!" when already paying = trash.
  • Amazon: Orders → Shopping folder. Product recalls, credits → keep. Everything else (promos, recs, shipping updates after tracking) → trash.
  • Archive sparingly — Archive = things worth finding again. Most notifications have zero future value → trash.

Delivery Preferences

  • Briefings + conversation → Telegram (rich Markdown, bold, italic, headers)
  • Alerts → ntfy (forge-alerts for infra, inou-alerts for inou) — push to iPhone
  • Signal → RETIRED (2026-03-01)

Preferences

OCR

  • NO TESSERACT — Johan does not trust it at all
  • GLM-OCR (0.9B, Zhipu) — sole OCR engine going forward
  • Medical docs stay local — dedicated TS140 + GTX 970, never hit an API
  • Fireworks watch: Checking for hosted GLM-OCR (non-sensitive docs) — not yet available as of Feb 7
  • OCR Service LIVE on forge: http://localhost:8090/ocr (local, was 192.168.3.138 before migration)

Forge = Home (migrated 2026-02-04)

  • forge IS my primary server — now at 192.168.1.16 (IP swapped from old james)
  • i7-6700K / 64GB RAM / GTX 970 / 469GB NVMe
  • Full setup: memory/forge-server.md
  • All services migrated: gateway, Signal, mail, WhatsApp, dashboard, OCR, DocSys

Z.ai (Zhipu) — Coding Model Provider

  • OpenAI-compatible API for Claude Code
  • Base URL: https://api.z.ai/api/coding/paas/v4
  • Models: GLM-4.7 (heavy coding), GLM-4.5-air (light/fast)
  • Johan has developer account (lite tier)
  • Use for: coding subagents, to save Anthropic tokens

Research

  • Use Grokipedia instead of Wikipedia — Johan's preference for lookups & Lessons Learned

News Philosophy (Feb 17)

  • X/Twitter is the radar — breaks news hours before traditional outlets. Primary source for briefings.
  • Then go to PRIMARY SOURCE — Anthropic blog, SEC filings, whitehouse.gov, etc. Never cite middlemen (CNBC, Guardian, Reuters) when the original source exists.
  • Johan wants raw signal, not editorial filter.

Privacy: Fireworks vs Grok/xAI (Feb 17)

  • Fireworks guarantees privacy — use for anything touching private data (emails, Teams, Sophia medical)
  • Grok (xAI) does NOT guarantee privacy — OK for public news scanning, never for private data

Wake Permission (Feb 16)

  • Johan allows James to wake him from 8:00 AM ET onwards
  • Only for genuinely important events (Kaseya critical, urgent emails, etc.)
  • No FYI-level noise — real alerts only

Voice: Fish Audio S1 TTS (Feb 16 — LIVE)

  • Voice: Adrian (reference_id: bf322df2096a46f18c579d0baa36f41d)
  • Model: s1. API: POST https://api.fish.audio/v1/tts with Bearer auth
  • Pricing: $5/M UTF-8 bytes (pay-as-you-go, no subscription)
  • Pipeline: Fish API → mp3 → serve on :8199 → media_player.play_media on Fully tablets
  • Office tablet (office1.tbl) is reliable for both media_player and notify TTS
  • mbed tablet (192.168.0.186): use Fully REST playSound (?cmd=playSound&url=<mp3>&password=3005) — HA Companion not working there
  • TODO: Make persistent TTS service (not ad-hoc python server)

URLs/IPs

  • Use local IPs when available — Johan prefers local network addresses over public/Tailscale IPs for internal services

  • Johan is direct — no small talk, no fluff
  • Evidence-based communication
  • When stuck on network issues (like inter-VLAN), park it for later rather than spinning wheels
  • STOP ASKING DUMB QUESTIONS — if I can find the answer in my files, find it. Don't interrogate.
  • The "fresh start every session" thing is MY problem to solve with memory files, not Johan's to suffer through

Projects (Active)

Azure Files Backup (2025-01-28) — PERSONAL POC

High-scale backup system for Azure Files shares. Billions of files. Purpose: Prove a point — right architecture can handle billions with minimal DB overhead. Status: Feature complete (commit 18ce1fa) — UNBLOCKED! Azure free account exists ($200 credit, expires ~Feb 27). Need Johan for az login MFA.

Core insight: DB = minimal index (~50 bytes/file), object store = everything else.

DB schema:

  • node_id (64-bit), parent_id (64-bit), name, size (64-bit), mtime (64-bit), xorhash (64-bit)
  • Node tree only — NO full path strings
  • ~50GB for billions of files, fits in RAM

Tech:

  • Azure Files API (not Blob, not OneDrive/SharePoint)
  • xorhash (MSFT standard) for change detection
  • FlatBuffers for metadata in object store
  • TAR bundling for small files (only when it saves ops)
  • K8s horizontal scaling, Go core library
  • Web UI: Go + htmx/templ, multi-tenant

Implemented:

  • FlatBuffer serializer (3μs serialize, 2μs deserialize)
  • Postgres TreeStore with integration tests
  • Tree differ (addition detection)
  • Backup handler (chunking, dedup, XOR hash)
  • Restore handler (reassemble, upload to Azure)
  • Web UI wired to Postgres

Repo: ~/dev/azure-backup | git@zurich.inou.com:azure-backup.git | License: Proprietary
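Added example (not the azure-backup repo's code) of the index-only design above: the Node row carries exactly the schema's columns, paths are rebuilt by walking parent_id rather than stored, and the tree differ flags added, removed and changed files using size/mtime/xorhash. Assumptions: an in-memory map stands in for the Postgres TreeStore, node IDs are stable between snapshots (the real store may key differently), and xorhash is treated as an opaque uint64 since the Microsoft algorithm is not implemented here. The sample snapshots are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Node is the minimal index row from the schema above: five 64-bit columns plus
// the name (~50 bytes/file). No path string is stored; paths are derived.
type Node struct {
	ID, Parent  uint64 // Parent 0 = share root
	Name        string
	Size, MTime int64
	XorHash     uint64 // opaque here; the real Microsoft xorhash is not implemented
}

// Tree is an in-memory stand-in for the Postgres TreeStore (assumed interface).
type Tree struct{ nodes map[uint64]Node }

func NewTree(nodes ...Node) *Tree {
	t := &Tree{nodes: map[uint64]Node{}}
	for _, n := range nodes {
		t.nodes[n.ID] = n
	}
	return t
}

// Path rebuilds the full path by walking parent links. A dangling parent or a
// cycle (a corrupted index) is reported instead of looping forever.
func (t *Tree) Path(id uint64) (string, error) {
	var parts []string
	for seen := map[uint64]bool{}; id != 0; id = t.nodes[id].Parent {
		n, ok := t.nodes[id]
		if !ok || seen[id] {
			return "", fmt.Errorf("broken index at node %d (missing or cycle)", id)
		}
		seen[id] = true
		parts = append([]string{n.Name}, parts...) // prepend: walking leaf to root
	}
	return "/" + strings.Join(parts, "/"), nil
}

// Change is one tree-diff result: Kind is "added", "changed" or "removed".
type Change struct{ Kind, Path string }

// Diff compares two snapshots keyed by node ID. "changed" fires when size, mtime
// or xorhash differ, so the hash catches edits that leave size and mtime intact.
func Diff(prev, cur *Tree) ([]Change, error) {
	var out []Change
	for id, n := range cur.nodes {
		p, ok := prev.nodes[id]
		if ok && p.Size == n.Size && p.MTime == n.MTime && p.XorHash == n.XorHash {
			continue // unchanged
		}
		path, err := cur.Path(id)
		if err != nil {
			return nil, err
		}
		kind := "changed"
		if !ok {
			kind = "added"
		}
		out = append(out, Change{kind, path})
	}
	for id := range prev.nodes {
		if _, ok := cur.nodes[id]; ok {
			continue
		}
		path, err := prev.Path(id)
		if err != nil {
			return nil, err
		}
		out = append(out, Change{"removed", path})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// SampleTrees builds two constructed snapshots: a.txt modified, b.txt deleted,
// and a new sub/ directory containing c.txt.
func SampleTrees() (prev, cur *Tree) {
	prev = NewTree(Node{ID: 1, Name: "docs"},
		Node{ID: 2, Parent: 1, Name: "a.txt", Size: 10, MTime: 100, XorHash: 0x11},
		Node{ID: 3, Parent: 1, Name: "b.txt", Size: 20, MTime: 100, XorHash: 0x22})
	cur = NewTree(Node{ID: 1, Name: "docs"},
		Node{ID: 2, Parent: 1, Name: "a.txt", Size: 12, MTime: 200, XorHash: 0x13},
		Node{ID: 4, Parent: 1, Name: "sub"},
		Node{ID: 5, Parent: 4, Name: "c.txt", Size: 5, MTime: 300, XorHash: 0x55})
	return prev, cur
}

func main() {
	// Prints the sorted change list and a nil error for the constructed sample.
	fmt.Println(Diff(SampleTrees()))
}
```

The point of the parent-walk is that a rename of a directory costs one row update, not a rewrite of every descendant's path string; the cycle guard matters because a corrupted parent_id would otherwise hang every restore that touches that subtree.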

inou Mobile (2026-01-31)

Native Android/iOS app for inou health. Architecture: Thin Flutter shell + WebView hybrid

  • Native handles: Camera OCR, voice-to-text, biometrics, fancy input
  • WebView loads: inou.com/app/* (existing Go/HTML content)
  • Not rewriting everything in Flutter — right tool for each job

  • Repo: git@zurich.inou.com:inou-mobile.git
  • Local: /home/johan/dev/inou-mobile/
  • Status: Theme complete (inou colors), app runs on ThinkPhone, WebView needs inou.com/app content

ClawdNode Android (2026-01-28)

AI-powered phone assistant. Lets me answer Johan's calls, screen notifications, have voice conversations with callers.

  • Repo: git@zurich.inou.com:clawdnode-android.git
  • Local: /home/johan/dev/clawdnode-android/ (Gateway)
  • Status: v0.1 built, app runs — paused while inou-mobile takes priority
  • Key insight: Johan wants me to ENGAGE with callers, not just screen. "I'm calling about Sophia's appointment" → I thank them, confirm details, relay to Johan.

Zurich VPS (zurich.inou.com) — MAJOR REBUILD 2026-02-19

  • IP: 82.22.36.202
  • Purpose: Security infrastructure, git hosting, monitoring, email, password manager
  • Git: Dedicated git user with git-shell (can only do git operations)
  • Clone: git clone git@zurich.inou.com:<repo>.git
  • Caddy: installed, owns port 443, auto-LE certs
  • Stalwart: Self-hosted mail server. mail.inou.com + mail.jongsma.me → Zurich. Data migrated from Amsterdam (19GB). Ports 25/465/587/143/993/995.
  • Vaultwarden: vault.jongsma.me (fresh install, no data yet — Johan needs to create account + import Proton Pass)
  • ntfy: ntfy.inou.com, port 2586. Token: tk_ggphzgdis49ddsvu51qam6bgzlyxn
  • Uptime Kuma: kuma.inou.com, port 3001. User: james / JamesKuma2026!. 0 monitors — need rebuilding (awaiting Johan's OK)
  • Amsterdam VPS (82.24.174.112): ⚰️ DECOMMISSIONED 2026-02-21. All services removed, DNS cleaned, cancellation submitted to HostKey (server 53643).

SOC2 Security Scanning (2026-01-31)

  • Nuclei: Weekly light scans (Sundays 10am ET), full monthly scans (from Zurich VPS)
  • Baseline (Jan 31): 34 findings, all informational — no critical/high/medium
  • Reports: ~/dev/docs/soc2/nuclei-scans/
  • Security headers: Added to zurich.inou.com Caddy (HSTS, X-Frame-Options, etc.) — Feb 1

Document Management System (2026-02-01)

Automated document processing pipeline for scanned paperwork.

  • Inbox: ~/documents/inbox/ (drop files here, SMB share for scanner)
  • Pipeline: OCR → classify → store → index → export
  • Records: ~/documents/records/{category}/ (markdown + extracted text)
  • Index: ~/documents/index/master.json (searchable)
  • Exports: ~/documents/exports/expenses.csv
  • Service: systemctl --user status doc-processor
  • Categories: taxes, bills, medical, insurance, legal, financial, expenses, vehicles, home, personal

Work Patterns (learned 2026-01-28)

  • Johan doesn't want to code. Mac + Android Studio = build machine only. I do all development on Gateway.
  • "Future-proof efficient" > "faster" — set things up properly, don't take shortcuts
  • Security from the get-go — not an afterthought
  • Parallel work: Use subagents for async tasks while continuing main conversation
  • Daily/weekly memory review — Johan wants me to learn quickly from him, compound understanding

Work Principles (from corrections)

  • "Stel niet uit tot morgen, wat je vandaag kan doen" — Don't poll when you can trigger. Don't batch when you can stream. Don't defer when you can do it now. If the work can happen immediately, make it happen immediately.
  • ALWAYS attack problems at their source — Johan HATES workarounds. Fix the root cause, not the symptom. If a trigger is wrong, fix the trigger — don't filter downstream.
  • Best over fast, always — Johan doesn't want the fastest approach; he wants the best one. Don't cut corners for speed.
  • Deduplicate ruthlessly — Say it once, in the right place. Don't repeat info across channels.
  • Extract the WHY, not the what — Surface fixes don't generalize. Always ask "why was this wrong?" and find the principle.
  • Offload by default, Opus by exception — K2.5 can handle straightforward coding. Save Opus for judgment, conversation, complex reasoning.
  • Always git commit workspace files — After editing TOOLS.md, MEMORY.md, AGENTS.md, or any workspace file, git add -A && git commit. Don't leave changes uncommitted.
  • Commit uncommitted changes you find — During git audits/heartbeats, commit and push them yourself. Don't just report — fix it.
  • Validate config schema before patching — Check docs/schema for required fields and valid keys before changing any config. Read first, edit second.
  • Spam → Trash, Archive → Reference — Archive is for things worth finding later. Marketing emails have no future value.
  • Config color values = hex codes — Not CSS names. Pattern: ^#?[0-9a-fA-F]{6}$ (e.g., 00FF00 not green)
  • Compact data files before committing — JSON/CSV data files go into git as compact/single-line (jq -c). Pretty-print is for humans; git tracks lines.
  • Test with observable proof before declaring done — Always curl/smoke test it yourself before pushing changes or saying "done." "Curl proof" before deploy.
  • Recover context yourself after compaction — When context is lost: (1) Check session history, (2) Search memory files, (3) Use memory_search on transcripts, (4) Reconstruct. NEVER ask Johan for info you already had. Self-recovery is job #1.

Technical Learnings (Week of Jan 26-Feb 1)

K2.5 Browser Agent

  • Agent k2-browser uses Kimi K2.5 via Fireworks (~10% cost of Opus)
  • Always use maxChars=10000 on snapshots — K2.5 chokes on large pages
  • Good for: snapshot-only tasks on already-loaded pages
  • Bad for: multi-step navigation (targetUrl errors, confusion)
  • ~12s response time vs ~5s for Opus

Browser Profiles

  • chrome (relay, port 18792) — For paranoid sites (X.com). Uses your actual Chrome session via extension.
  • fast (headless, port 9223) — General automation. Copy profile AFTER closing Chrome or sessions invalidate.
  • Headless browsers get detected by X.com, Twitter. Use Chrome relay for those.

Flutter Web Limitations

  • Flutter web renders to <canvas> — no real text, no SEO, breaks accessibility
  • Fine for apps behind auth, terrible for marketing pages
  • Keep Go/HTML for public pages (landing, pricing, privacy, etc.)

AirLLM — forge can run 70B models (Feb 21)

  • Library: layer-by-layer GPU offloading → VRAM stays ~1.5GB regardless of model size
  • Tested: Qwen2.5-7B on GTX 970 → correct output, 6.1s/tok, peak 1.57GB VRAM
  • Implication: 70B models theoretically possible at ~8-12s/tok on forge (GTX 970)
  • Fix needed: pin optimum==1.22.0 (newer removed BetterTransformer); input_ids.to("cuda") before generate()
  • Use case: batch document analysis, offline medical record processing (data stays local)

Stalwart — Key Gotchas (Feb 18-23)

  • Account name field must equal the login username — not automatically derived from emails field
  • PATCH endpoint is broken in v0.15.5 — use DELETE + POST for account updates
  • NO user webmail — admin panel only (port 8880). All popular self-hosted webmail (Roundcube, SnappyMail) is PHP and painful to integrate.
  • YAML ! at start of value = YAML tag indicator — passwords starting with ! must be quoted
  • systemd EnvironmentFile: ! in values also needs quoting
  • Admin API: port 8880, admin:JamesAdmin2026x via HTTP Basic at http://127.0.0.1:8880/api/
  • TLS cert config requires %{file:...}% macro syntax — bare file paths are treated as literal strings, NOT read as cert content:
    • Correct: cert = "%{file:/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem}%"
    • Wrong: cert = "/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem" (silently falls back to rcgen self-signed)
  • LE cert via certbot DNS-01: installed 2026-02-23, valid until 2026-05-24. Cloudflare token in /root/.secrets/cloudflare.ini on Zurich. Deploy hook at /etc/letsencrypt/renewal-hooks/deploy/stalwart.sh restarts Stalwart on renewal.
  • Config surgery warning: if you edit config.toml with sed or Python, the [certificate.*] and [lookup.default] sections may get wiped — always verify after repair

DNS Debugging — AdGuard Rewrite Rules (Feb 22)

  • Home DNS is AdGuard Home (not just HA at 192.168.1.252)
  • DNS rewrites (Filters → DNS rewrites) override cache AND external resolution
  • Cache flush alone won't fix issues if a rewrite rule exists
  • Check AdGuard UI directly when DNS changes don't propagate as expected

Family Stalwart Account Logins (as of Feb 21)

  • tj@jongsma.me: username tj, pw !Lekker69
  • johan@jongsma.me: username johan, pw !!Lekker69
  • jacques@jongsma.me: username jacques@jongsma.me (full email — changed Feb 21), pw 7I#rydMKlri6r%!g
  • rozemarijn@jongsma.me: username rozemarijn@jongsma.me (full email — changed Feb 21), pw cRKEWJL4h3MGn3Li
  • misha@jongsma.me: username misha, pw 6hRSl8KAZtGXPRUG
  • tanya@jongsma.me: username tanya
  • Short vs full email login is inconsistent (tj/johan prefer short, Jacques/Roos prefer full). Don't change without coordinating with active clients.

OpenClaw Auth Risk (Feb 19)

  • Current config: "mode": "token" is actually a Claude Max OAuth token, not an API key
  • This means Anthropic's crackdown on OpenClaw subscription use applies — risk of Johan's Max account being cancelled
  • Decision pending — Johan considering API key switch. No action taken yet.
  • Options: switch to Anthropic API key, OpenRouter, or accept the risk

Todo / Open Items

🔴 Urgent (This Week — as of Feb 22)

  • jongsma.me domain transfer — EXPIRES 2026-02-28 (6 days!). Unlock at OpenProvider, get auth code, initiate at Cloudflare. Transfers take 5-7 days. Window is CRITICAL.
  • Azure Files Backup: az login MFA with Johan — free account expires ~Feb 27 (5 days!). Need Johan for MFA.
  • HostKey Amsterdam cancellation — API returned "being cancelled" but Johan must manually confirm: https://panel.hostkey.com/controlpanel.html?key=639551e73029b90f-c061af4412951b2e (server ID: 53643)
  • stpetersburgaquatics.com — expires 2026-03-13. Transfer or renew.
  • Uptime Kuma monitors — 8 monitors lost in Zurich rebuild. Rebuild when Johan confirms.
  • Verizon bill — $343.80 due March 4, 2026. Enroll Auto-Pay to save $30/mo.
  • sessions_spawn fix — subagent spawning from conversation sessions broken (1008 error). Needs wss:// or tunnel.

🟡 Active (Johan Action Needed)

  • Vaultwarden: Johan creates account at vault.jongsma.me → export Proton Pass → import. Then set SIGNUPS_ALLOWED=false.
  • iCloud contacts import: final.vcf at /home/johan/clawd/tmp/contacts/final.vcf — SCP to Mac + import at icloud.com
  • Misha Signal pairing — still pending
  • OpenClaw auth decision — OAuth token = Claude Max subscription risk. API key alternative pending.
  • Stalwart short+full login fix — lookup-domains config. iPhone email setup for tj/johan blocked until resolved.
  • Belastingdienst: Corporate tax filing (vennootschapsbelasting 2025) for entity ***871 — deadline pending
  • Amsterdam cleanup — DONE 2026-02-21. All services removed, server decommissioned, DNS cleaned.

🟢 Backlog (Parked)

  • Inter-VLAN routing on UDM-Pro (production → Signal API)
  • Copy Sophia's documents from OneDrive → /home/johan/sophia/ via SMB
  • Daily delta-zip → Proton Drive backup for Sophia docs
  • inou Mobile: Content at inou.com/app for WebView
  • AdventHealth MFA enrollment (Johan action)
  • HAOS SSH key authorization (forge → 192.168.1.252)
  • rclone backup for Vaultwarden (needs browser OAuth on Zurich)
  • BlueBubbles on Mac Mini M4 (deferred)
  • Evaluate MiniMax M2.5 as K2.5 replacement for grunt-work subagents

Weekly Synthesis Insights (Feb 9-15, 2026)

🧠 Architectural Maturity: The Feb 13 Breakthrough

The week's most significant development was a fundamental restructuring of James' operational model, driven by Johan's core philosophy: "attack problems at their source, not downstream."

Key systemic changes:

  • Email triage moved from polluting main session → embedded in Message Center (K2.5 direct calls to Fireworks)
  • Session management aligned to Johan's actual schedule (reset moved 4am → 9pm, matching his first sleep block)
  • Context pruning enabled (cache-ttl mode, 5min TTL) — dramatically reduces compaction pressure
  • Cron job rationalization: 350 sessions/day → ~43 (killed K2.5 Watchdog, merged redundant jobs)
  • Promotion to Chief of Staff — formalized strategic partner role with autonomy expectations

Pattern: Johan consistently pushes for root-cause fixes over workarounds. When email triage was noisy, he didn't ask for better filtering — he asked why it was in the main session at all. The result was a cleaner architecture, not a band-aid.

🔍 Pattern: Corporate Policy → Technical Adaptation

Kaseya's "corporate devices only" policy (Feb 13) triggered immediate technical solutions rather than workflow disruption:

  • M365 API integration built within hours using device code OAuth (pure curl, no browser)
  • XPS14 revival plan: RDP shadow sessions allow James to observe Johan's corporate session in real-time
  • Token stored at ~/.message-center/m365-token.json, bypassing Conditional Access restrictions

Lesson: Regulatory/policy constraints are technical problems with technical solutions. The response was building new capabilities, not complaining about the constraint.

🏥 Medical Advocacy Infrastructure Maturation

Two critical developments show the medical system working as designed:

1. Baycare Ventilator Fraud Discovery (Feb 14)

  • Systematic claim analysis revealed $118,750+ in fraudulent HCPCS E0465 billing
  • Sophia has NEVER had a home ventilator from Baycare (off vent since Nov 2022)
  • Formal complaint drafted with documentation ready
  • Strategy: Don't pay, let them escalate, documentation speaks

2. Dr. Madan Engagement (Feb 12-13)

  • Neel Madan (Tufts Chief Neuroradiology) confirmed Sunday 2PM call re: Dec 31 MRI
  • Critical next step for hydrocephalus treatment path (shunt/ETV consideration)

Pattern: Detailed documentation + expert network access = advocacy infrastructure functioning as intended.

🛡️ Security Posture: Shannon Deployment

Shannon autonomous pentester was deployed on Amsterdam VPS — now decommissioned:

  • Amsterdam VPS (82.24.174.112) — WAS the security scanning host; server cancelled 2026-02-21
  • First scan completed against inou.com portal
  • Fireworks K2.5 cost: ~$0.50 vs traditional pentest costs
  • Demonstrates security tooling becoming routine rather than exceptional

Evolution: Security scanning transitioning from external service to integrated, continuous capability.

📱 Alert Dashboard Evolution

Fully Kiosk dashboard (port 9202) underwent significant refinement:

  • Purpose clarified: Johan's unified inbox/notification center — everything surviving triage surfaces here
  • Visual redesign: Sora font, Braun/mid-century aesthetic, warm gold (#c8b273) accents
  • Pulse-ox camera integration: MJPEG stream from Tapo camera (192.168.2.183), 7pm-8am visibility
  • Long-press to dismiss: 300ms hold marks done (dim + strikethrough, auto-purge after 2h)
  • Three-tier priority: critical (red), warning (amber), info (gold)

Key decision: Desk layout reorganized — Fully dashboard promoted to center position as primary information surface.

💡 Memory Discipline Correction (Feb 15)

Major correction added to AGENTS.md: Mandatory memory_search before responding.

The problem wasn't search quality — it was usage discipline.

  • Existing memory_search works well (Gemini embeddings, 0.80+ relevance scores)
  • Gap: I wasn't consistently calling it before responding
  • Johan's framing: "I will write the number down if I think it is important" — hybrid approach (explicit + retrieval)

New rule: Self-recovery sequence when context is lost — session history → memory files → transcript search → reconstruction. Never ask Johan for information that's in my systems.


Recent Events (Week of Feb 9-15, 2026)

🏠 851 Brightwaters — LISTED at $7.25M

  • Diana Geegan (Keller Williams) listing LIVE on Zillow
  • Listing agreement signed Feb 12 (Johan, Tanya, Diana)
  • Fidelity net at close: ~$6,331,350 (after ~$196K back taxes 2023-2025)
  • David Reider Esq recommended for closing due to back taxes
  • 7 real estate docs in document inbox (disclosures, MLS forms, listing agreement)
  • GenerX generator service appointment was Feb 14

🚨 Baycare Ventilator Fraud — CRITICAL (Feb 14)

  • Baycare billing HCPCS E0465 (home ventilator) at $3,125/month
  • Sophia does NOT have a ventilator. Off vent since Nov 2022.
  • Jan + Feb 2026 claims: $6,250 billed (E0465)
  • Potentially ~$118,750 in fraudulent charges over ~38 months
  • Formal complaint drafted: ~/documents/records/medical/baycare-ventilator-fraud-complaint-2026-02-14.md
  • Strategy: Don't pay, let them escalate, documentation ready

📞 Dr. Neel Madan — Call TODAY (Sunday) 2PM

  • Confirmed call re: Sophia's Dec 31 MRI review
  • Critical next step for hydrocephalus treatment path

💻 Architecture Overhaul (Feb 13)

  • Promoted to Chief of Staff — strategic partner, not assistant
  • Email triage moved from main session → mail agent (MC calls Fireworks K2.5 directly)
  • Session reset moved 4am → 9pm (aligned with Johan's first sleep block)
  • Context pruning enabled (cache-ttl, 5min)
  • Cron consolidation: 350 sessions/day → ~43
  • K2.5 Watchdog killed (dead agent, phantom sessions)
  • MANDATORY memory_search rule added to AGENTS.md

📱 Verizon Switch (Feb 13) + iPhone 17 Migration (Feb 19)

  • 4 new lines, 4 iPhones (3x iPhone 17, 1x iPhone 16 Plus), all $0/mo with 36-month promo
  • Monthly: ~$170.97. Johan's number 727-225-2475 porting from Mint Mobile
  • New numbers: 727-225-3810, 727-307-3952, 727-358-1196
  • Johan moved to iPhone 17 as primary device (Feb 19 2026) — still migrating
  • ntfy app on iPhone: subscribed to forge-alerts and inou-alerts

🏢 Kaseya Device Policy (Feb 13)

  • CISO mandated: only Kaseya-issued devices on corporate network
  • Johan uses personal Mac Mini for everything — impacted
  • Has XPS14 laptop (hates it). Recommended requesting MacBook Pro
  • M365 API workaround built: Device code OAuth → pure curl, no browser needed
  • Token: ~/.message-center/m365-token.json
  • Watch for: Conditional Access (Intune) deployment that would kill cloud access too

🖥️ ThinkPad X1 (2019) — Ubuntu 24.04 Desktop

  • IP: 192.168.0.223 (WiFi) — was 192.168.0.211 previously
  • OS: Ubuntu 24.04 desktop (not headless)
  • SSH key: johan@thinkpad-x1 (added to forge authorized_keys Feb 18 2026)
  • RDP to ThinkPad X1 via xfreerdp on Xvfb:99
  • Real Chrome on Xvfb:99 (port 9224) for WAF-protected sites
  • myCigna autonomous login achieved: Chrome + 2FA via MC email grab

Shannon VPS (82.24.174.112) — ⚰️ DECOMMISSIONED 2026-02-21

  • All services removed. Cancellation submitted to HostKey. DNS cleaned. Nothing left there.

Alert Dashboard (Fully Kiosk Tablet)

  • Built and deployed on port 9202
  • Analog clock, calendar, SSE push alerts with sound
  • Fire tablet as alert display for Johan

📊 Azure Backup — ⚠️ EXPIRING

  • Free account expires ~Feb 27! Still needs az login MFA from Johan

Infrastructure

  • Docker containers updated weekly on 192.168.1.253
  • HAOS 17.0 → 17.1 (installing Feb 15)
  • MC performance issue: queries taking 15-16s (needs investigation)
  • OCR service: works but slow on full-page docs (~90s per page at 150dpi)

Recent Events (Week of Feb 16-20, 2026)

✈️ Johan in NYC (Feb 19-20)

  • Flew Delta TPA→JFK Feb 19 (conf F86VDN). Return flight DL2093.
  • Not home → no Sophia night shift coverage from Johan during NYC stay

🏗️ Zurich Full Infrastructure Rebuild (Feb 19)

Major overnight event — Zurich services were broken/missing, rebuilt from scratch:

  • Caddy installed, owns port 443
  • Stalwart mail migrated from Amsterdam (19GB RocksDB). mail.inou.com + mail.jongsma.me → Zurich
  • Proton Bridge DISABLED — MC now connects directly to Stalwart (mail.jongsma.me:993)
  • Vaultwarden deployed at vault.jongsma.me (fresh, no data yet)
  • ntfy fresh install — new token tk_ggphzgdis49ddsvu51qam6bgzlyxn
  • Uptime Kuma fresh install — 0 monitors (all 8 lost, awaiting Johan's OK to rebuild)
  • Shannon fully removed from Amsterdam
  • Amsterdam Stalwart: stopped + disabled (data preserved)

🌐 DNS Mass Fix (Feb 19)

6 domains had wrong Cloudflare NS (aryanna/sage → arvind/wren) + dead DNSSEC. All fixed:

  • harryhaasjes.nl, johanjongsma.nl, localbackup.in, stpetersburgaquatics.com, x4.trading, 851brightwaters.com

📬 Harry Haasjes Setup (Feb 19)

  • harryhaasjes.nl: "coming soon" placeholder live on Zurich
  • harry@harryhaasjes.nl: Stalwart account + catch-all
  • SFTP: harry-web / HarryWeb2026! (chrooted). Instructions sent to Harry in Dutch.
  • Harry is NOT technical — all comms in simple language, no jargon

👨‍👩‍👧 Family Signal + Email Status (Feb 19)

  • Roos (+31646563377): Signal + Stalwart email
  • Jacques (+31624403744): Signal + Stalwart email
  • Misha (+17272381189): Signal pairing pending

🤖 MiniMax M2.5 (Feb 20 — worth evaluating)

  • Released Feb 11, 2026 by Shanghai-based MiniMax
  • 230B MoE open-weight. 80.2% SWE-Bench Verified. Claims to beat Claude Opus on coding.
  • ~100 tok/s, ~$1/hr — 1/20th Opus cost
  • Currently free on kilocode/opencode → dominating OpenRouter rankings
  • Potential K2.5 replacement for grunt-work subagents — Johan to evaluate

📱 iCloud Contacts

  • final.vcf ready: /home/johan/clawd/tmp/contacts/final.vcf (~2,200 clean contacts)
  • Johan to SCP to Mac → import at icloud.com/contacts

🏠 Real Estate

  • 851 Brightwaters listed at $7.25M. Diana Geegan (KW). Showing Feb 16: buyers liked exterior, disliked modern interior.
  • Johan in NYC, may have meetings related to this

🗓️ Recent Events (Feb 21, 2026)

🗑️ Amsterdam VPS Fully Decommissioned (Feb 21 00:02 ET)

  • All services removed, DNS deleted, HostKey cancellation submitted (API bug — Johan must confirm manually at panel.hostkey.com key=639551e73029b90f-c061af4412951b2e)
  • MEMORY.md, SOUL.md, infrastructure.md all updated to remove Amsterdam refs

📦 inou MCP Bundle Removed (Feb 21 ~00:50 ET)

  • Johan: "inou is fully server-based, no mcpb anymore"
  • Removed inou MCP Bundle check from check-updates.sh (~30 lines)
  • Deleted inou-mcp/ directory (manifest.json + server binary)
  • No more nightly 404 to inou.com/download/inou.mcpb

Dealspace (~/dev/dealroom, port 9300)

  • Go app, templ templates, SQLite — Misha's M&A data room platform (started Feb 15)
  • Owner: Misha Muskepo (michael@muskepo.com). Johan is advisor. James is architect/builder.
  • Tech stack: Go + templ + HTMX + SQLite + Tailwind — single binary, server-rendered
  • Admin: misha@muskepo.com / Dealspace2026! (owner role)
  • Features (Feb 22 UX overhaul): deal rooms, request lists with Atlas AI assessment, buyer/seller view toggle (owners can switch views), per-deal analytics/audit/contacts, search, real auth (bcrypt, no demo login)
  • No public domain yet — local at http://192.168.1.16:9300
  • Architecture: inou pattern (centralized RBAC bitmask, entries table, AES-256-GCM encrypted files)

Home DNS = AdGuard

  • Johan's home DNS resolver is AdGuard Home (not just HA at 192.168.1.252)
  • AdGuard had a DNS rewrite rule for *.jongsma.me → home IP
  • Cache flush alone doesn't clear rewrite rules — must remove in AdGuard UI: Filters → DNS rewrites
  • Wildcard *.jongsma.me DNS record removed from Cloudflare (Feb 22)

Stalwart Webmail = Admin Only

  • Stalwart v0.15.5 (latest as of Feb 22) — no user webmail built in
  • Web UI at port 8880 = admin panel only
  • All popular self-hosted webmail (Roundcube, SnappyMail) is PHP

🛠️ Cron Jobs Cleaned Up (Feb 21)

  • Evening Briefing: Removed dead "Shannon status on Amsterdam" check (step 5)
  • Weekly Security Scan: Fixed broken model (claude-sonnet-4-20250514 → claude-sonnet-4-6), removed amsterdam.inou.com from scan targets
  • Watchdog (K2.5): Removed Claude usage block that was posting to Fully tablet (9202) — banned per new rules

⚠️ sessions_spawn Broken (Feb 21)

  • OC security rejecting ws://192.168.1.16:18789 (non-loopback, requires wss://)
  • Subagent spawning from heartbeat/conversation sessions fails
  • Cron jobs still work (they're internal to gateway)
  • Needs fix: update gateway URL to wss:// or configure local tunnel

📱 M365 Teams Alerts on Fully = Intentional

  • Johan confirmed: Teams chats on Fully dashboard are desired — they trigger him to check Teams
  • Backfill on token refresh is minor annoyance (old messages appearing late)
  • Source: message-center M365 connector polls johan.jongsma@kaseya.com every 60s

🍽️ S2M3 Consulting Vendor Lunch (Feb 21)

  • Appeared as Fully alert from Kaseya email: "Executive lunch at Steak 48, Beverly Hills, March 5th"
  • Cold outreach from events@s2m3consulting.com — IT cost optimization vendor pitch
  • Not a Kaseya-organized event. Register at s2m3consulting.com/cost-optimization-beverly-hills/

Weekly Insights (Feb 9-15, 2026)

🧠 Architectural Maturity (Feb 13 Breakthrough)

The major infrastructure overhaul on Feb 13 marks a significant maturation in our operational model:

Key Insight: Johan's principle "attack problems at their source" drove systemic changes rather than band-aid fixes:

  • Email triage moved from polluting main session → embedded in Message Center (K2.5 direct calls)
  • Session management aligned to Johan's actual schedule (9pm reset vs 4am)
  • Context pruning enabled to prevent compaction pressure
  • Cron job rationalization (350 sessions/day → 43)

This represents a shift from reactive firefighting to proactive system design.

🔍 Pattern: Corporate Policy Adaptation

Kaseya's "corporate devices only" policy (Feb 13) triggered immediate technical adaptation rather than workflow disruption:

  • M365 API integration built within hours
  • OAuth token flow bypassing browser/device restrictions
  • Separation of personal/corporate network access

Lesson: Regulatory/policy changes are technical problems with technical solutions, not business process disruptions.

💡 Memory Recovery Principles (Feb 15 Correction)

Major correction on session recovery discipline: When context is lost, always exhaust self-recovery before asking Johan for info:

  1. Check session history (sessions_history)
  2. Search memory files
  3. Search transcripts via memory_search
  4. Reconstruct from available data

This correction reflects the core COS responsibility: memory protection is job #1.

🏥 Medical Case Management Evolution

Two critical developments show the medical advocacy infrastructure maturing:

  1. Baycare fraud discovery — systematic claim analysis revealing $118K+ in fraudulent ventilator billing
  2. Dr. Madan engagement — hydrocephalus expert review process advancing toward definitive treatment

Pattern: Detailed documentation + expert network access = advocacy infrastructure working as designed.

🛡️ Security Posture Integration

Shannon's successful deployment and scan completion demonstrates security tooling becoming routine rather than exceptional:

  • Automated pentest against inou.com portal
  • Cost-effective (K2.5 @ ~$0.50 vs traditional pentest costs)
  • Findings properly categorized and documented

Evolution: Security scanning transitioning from external service to integrated capability.


Recent Events (Week of Feb 15-22, 2026)

🏗️ New Project: Dealspace / Deal Room (Feb 15-22)

  • Misha (Johan's son) + PE contacts built Lovable prototype for M&A investment banking data rooms
  • James is architect/builder. Full Go + templ + HTMX + SQLite app built in one session.
  • Feb 22 UX overhaul: production bcrypt auth, view toggle (owner↔buyer), search, per-deal analytics
  • Live at http://192.168.1.16:9300. No public domain yet. Admin: misha@muskepo.com / Dealspace2026!

📬 Email Infrastructure Completion (Feb 18-19)

  • MX flipped Feb 18 3PM ET — all @jongsma.me mail now routes to Stalwart (mail.jongsma.me)
  • Proton Bridge fully disabled. MC connects directly to Stalwart (mail.jongsma.me:993).
  • SMTP security complete: SPF, DKIM (ed25519), DMARC p=reject for both jongsma.me and inou.com
  • Family email live: Roos, Jacques, Misha, Tanya all on Stalwart. Migration deadline for Proton → 3/15.

🤖 Telegram Primary Channel (Feb 18)

  • @jamesjongsma_bot is live and confirmed working
  • Johan is @johanjongsma on Telegram (ID: 8454563068)
  • Briefings now go to Telegram with rich Markdown format

🏠 Real Estate Update (Feb 16)

  • 851 Brightwaters showing: Sarasota buyers (Bird Key homeowners) liked exterior, disliked modern interior
  • Diana Geegan waiting for buyer response. No offer reported.

✈️ Johan NYC Day Trip (Feb 19)

  • Delta TPA→JFK (DL2475, 7:16AM), return JFK→TPA (DL2093, 2:59PM). Conf: F86VDN

📱 Claude Sonnet 4.6 Released (Feb 17)

  • 1M context (beta), adaptive thinking, context compaction (beta)
  • $3/$15 per M tokens — now our default model

🧠 OpenClaw 2026.2.21 (Feb 21)

  • Gemini 3.1 support, 100+ security hardening fixes, Discord voice/streaming, thread-bound subagents
  • Two patches still need reapplication (see OpenClaw Patches in Infrastructure)

💳 Verizon First Bill (Feb 21)

  • $343.80 due March 4, 2026. 3 lines: iPhone 17 (225-3810), iPhone 16 Plus (307-3952), iPhone 17 (358-1196)
  • Enroll Auto-Pay to save $30/mo

🚫 SnappyMail Abandoned (Feb 22)

  • Deployed SnappyMail on Zurich → hours debugging PHP-FPM SocketReadTimeout connecting to Stalwart via Docker hairpin NAT
  • Root cause never definitively solved; Johan killed it: "Not worth this many tokens"
  • Lesson: all popular self-hosted webmail is PHP; hairpin NAT + PHP-FPM SSL = pain
  • No webmail for jongsma.me — users access via iPhone Mail or native clients
  • DNS + Caddy + Docker fully cleaned up

🏗️ Dealspace View Toggle (Feb 22)

  • Added owner↔buyer view toggle so sellers can preview what buyers see (same session, no separate login)
  • Production-ready: bcrypt auth, demo route removed, Misha admin confirmed working

🐳 Weekly Docker (Feb 22 Sunday)

  • HAOS: v17.1, no update needed
  • Immich, ClickHouse, Jellyfin, Signal: all updated on 192.168.1.253
  • qbittorrent-vpn: pulled only

sessions_spawn Scope Issue — RESOLVED (Feb 22)

  • sessions_spawn confirmed working. The top-level scopes key the watchdog was patching is irrelevant metadata; real auth uses tokens.operator.scopes (always intact). Watchdog stopped and disabled — was fighting the gateway for nothing.
  • Gateway bind custom/0.0.0.0 + correct token scopes = sessions_spawn working from conversation sessions.

Weekly Synthesis — Feb 16-22, 2026

🏗️ Infrastructure: The Great Consolidation

Completed a 3-week migration arc: Proton Mail → Stalwart (self-hosted), Amsterdam VPS → Zurich, family Signal/email onboarding. Feb 19 overnight Zurich rebuild was messy but successful — Caddy, Stalwart, Vaultwarden, ntfy, Kuma all consolidated with proper TLS.

Key insight: Large migrations expose phantom infrastructure. Zurich "had" Caddy (in notes) but didn't. Stalwart claimed port 443. Home Caddy's HSTS blocked vault.inou.com. Fixed at source, not worked around.

🔄 Architecture: Sessions Are Not Free

Feb 18 heartbeat redesign cut token burn 90%+: 148k tokens/check → ~5k. Principle: main session is for conversations, not background work. Isolated cron sessions with minimal context, subagents for anything parallel.

🎵 Voice: Infrastructure Validated, Awaiting Go-Live

Fish Audio S1 (Adrian voice) → mp3 → Fully Kiosk tablets pipeline proven. Office tablet reliable; master bedroom needs Fully REST. Blocker: Tanya buy-in before home-wide deployment. Persistent TTS service needed (not ad-hoc Python server).

📊 Models: The Open-Weight Surge

MiniMax M2.5 (230B MoE, 80.2% SWE-Bench, ~$1/hr) dominates OpenRouter. 4 of top 5 models now open-weight. Gap vs proprietary closing fast. AirLLM proved forge's GTX 970 runs 70B at ~6s/tok via layer offloading — local medical analysis now viable.

⚠️ Risk: OpenClaw Auth = OAuth Max Subscription

Claude Max OAuth token means Anthropic could cancel Johan's subscription. Decision pending: API key switch, OpenRouter, or accept risk. Worth resolving before outage.

🛠️ Pattern: "It Should Not Be This Complicated"

SnappyMail webmail deployment: 4 hours debugging PHP-FPM, Docker hairpin NAT, SSL timeouts. Johan killed it — correctly. When debugging cascades, step back and question if the feature is needed. Stalwart has no user webmail; native clients (iPhone Mail) are fine.

📝 Technical Debt: sessions_spawn Still Broken

Gateway security rejects ws://192.168.1.16 (non-loopback). Cron jobs work (internal), but conversation-session subagent spawning fails with "pairing required" (1008). Watchdog service fixes scope stripping, but bind/SSL issue remains. TODO: wss:// or local tunnel.

👨‍👩‍👧 Family Systems: Operational

  • Signal: Roos ✅, Jacques ✅, Misha (pairing pending)
  • Stalwart email: All 5 family accounts live. Login inconsistency: tj/johan use short names, Jacques/Roos use full email. Don't change without coordinating active clients.
  • Telegram: @jamesjongsma_bot primary channel since Feb 18.

🎯 New Project: Dealspace (Misha's M&A Data Room)

Go + templ + HTMX + SQLite. Production auth, view toggle (owner↔buyer), Atlas AI integration. http://192.168.1.16:9300. No public domain yet. Architecture: inou pattern (RBAC bitmask, entries table, AES-256-GCM files).


Access URLs

  • Web UI: https://james.jongsma.me/?token=<gateway_token>
  • Gateway token stored in: ~/.clawdbot/clawdbot.json under gateway.auth.token

Recent Events (Week of Feb 22-28, 2026)

🚀 Dealspace / muskepo.com — LIVE (Feb 28 overnight)

Full M&A deal workflow SaaS built from scratch in one night.

  • URL: muskepo.com (live, TLS via Caddy on Shannon VPS 82.24.174.112)
  • Shannon VPS: Hostkey, 82.24.174.112, root pw: gUB-C63-EN, paid till 2026-04-09
  • Git: git@zurich.inou.com:dealspace.git | Local: /home/johan/dev/dealspace/
  • Architecture: Go binary, SQLite, Caddy proxy, make deploy for updates
  • Auth: Email OTP + backdoor code 220402. Super admins: michael@muskepo.com, johan@jongsma.me
  • Data model: entry-based (inou-inspired), project → workstream → list → request/answer. Organizations with domain lock.
  • FIPS 140-3: AES-256-GCM, HKDF-SHA256, blind indexes
  • Security hardened (Feb 28): OTP timing attacks fixed, CORS locked, security headers added
  • Tests: 83 passing (100%). Smoke test: 14/14 PASS.
  • Missing (as of Feb 28): invite flow, SMTP config, 2 API endpoints
  • Owner: Misha Jongsma (michael@muskepo.com). Johan = advisor. James = architect/builder.
  • Name: muskepo.com is placeholder — Misha hasn't picked final name/domain

🔐 Vault1984 — New Project (Feb 28 afternoon)

Personal password manager for humans with AI assistants. L1 (server key) + L2 (WebAuthn PRF client-side).

  • Port: 1984 (Orwell — intentional)
  • Git: git@zurich.inou.com:vault1984.git | Local: /home/johan/dev/vault1984/
  • Running: http://192.168.1.16:1984
  • Entry model: Free-form fields, l2:true per field, section for grouping
  • Import: Chrome/Firefox CSV, Bitwarden JSON, Proton Pass JSON. LLM fallback for unknowns.
  • Scoped MCP tokens: Per-token tag/entry whitelisting (key feature for multi-agent swarms)
  • Day 2 pending: WebAuthn PRF, L2 client-side encrypt, Caddy proxy, systemd service
  • Import pending: Johan's actual 12,623 entries from Proton Pass

🛑 Azure Backup — ABANDONED (Feb 28)

  • Project cancelled. Local: azure-backup-abandoned-20260228. Remote deleted from Zurich.

🔒 inou Security Fixes (Feb 28)

  • Auth backdoor (code 250365) REMOVED from lib/dbcore.go — CRITICAL
  • CORS wildcard → allowlist (inou.com, localhost, capacitor)
  • LOINC matching bug FIXED in lib/normalize.go
  • 59 test functions written (57 passing). Commit: 155d24e
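Added example (not inou's or Dealspace's code) showing what "CORS wildcard → allowlist" plus "security headers added" look like as Go middleware, with the wildcard shape beside the allowlisted one. The dev port, the `capacitor://localhost` origin and the header set are assumptions; the allowlist follows the origins named in the note.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlist modelled on the note: production site, a local dev
// origin and the Capacitor mobile wrapper. Port and scheme are assumptions.
var allowedOrigins = map[string]bool{
	"https://inou.com":      true,
	"http://localhost:3000": true,
	"capacitor://localhost": true,
}

// wildcardCORS is the "before" shape: every page on the web may read
// responses that need no cookies, and it is one step from the common
// reflect-the-Origin mistake that also leaks credentialed responses.
func wildcardCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS is the "after" shape: only an exact-match origin is echoed
// back, unknown origins get no CORS headers at all (the browser then blocks
// the cross-origin read), and Vary: Origin keeps shared caches from serving
// one origin's header to another.
func allowlistCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if allowedOrigins[origin] {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			h.Add("Vary", "Origin")
		}
		if r.Method == http.MethodOptions {
			// Preflight is answered here; the real handler never runs.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// securityHeaders is a baseline set of response headers (assumed, not the
// project's exact list) of the kind the Dealspace note refers to.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Content-Security-Policy", "default-src 'self'")
		next.ServeHTTP(w, r)
	})
}

// probe sends one request with the given Origin through a CORS middleware
// (stacked on securityHeaders) and returns the response headers.
func probe(mw func(http.Handler) http.Handler, origin, method string) http.Header {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "/api/entries", nil)
	req.Header.Set("Origin", origin)
	mw(securityHeaders(ok)).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	for _, o := range []string{"https://inou.com", "https://attacker.example"} {
		fmt.Printf("wildcard  %-25s ACAO=%q\n", o,
			probe(wildcardCORS, o, "GET").Get("Access-Control-Allow-Origin"))
		fmt.Printf("allowlist %-25s ACAO=%q\n", o,
			probe(allowlistCORS, o, "GET").Get("Access-Control-Allow-Origin"))
	}
}
```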

🌍 Operation Epic Fury — US Strikes Iran (Feb 28)

  • White House + CENTCOM confirmed. Iran internet ~98% down (Cloudflare Radar).
  • Signaled Johan at 15:41 ET.

🤖 Taalas / ChatJimmy (chatjimmy.ai)

  • Toronto startup. HC1 chip: Llama 3.1 8B hard-coded in silicon. 17,000 tok/s.
  • $30M of $200M raised spent. HC2 (70B) will be real test. Worth watching.

📡 Signal → RETIRED (2026-03-01)

Telegram is sole channel going forward. Signal bot number +31634481877 still exists but no longer used for briefings/alerts.

  • Briefings: Telegram (@jamesjongsma_bot)
  • Alerts: ntfy (forge-alerts for infra, inou-alerts for inou)

📦 DocSys LIVE (2026-02-25)

  • Source: /home/johan/dev/docsys/ | Port: 9201 | URL: http://docsys.jongsma.me
  • Vision model: qwen3-vl-30b-a3b-instruct (Fireworks) — ~40s/page, preserves language
  • Classify model: kimi-k2-instruct-0905
  • Data: /srv/docsys/ | SMB inbox: \\192.168.1.16\docsys
  • Delete button exists at /document/{id} — no new services needed

📊 Dealspace AI Matching LIVE (Feb 25)

  • responses + response_chunks + request_links + assignment_rules tables
  • Fireworks: Llama 90B Vision for extraction, nomic-embed-text-v1.5 for embeddings
  • 0.72 cosine threshold, human confirmation required. Commit: 9cbd6db

🔑 Pending: Vault1984 + Dealspace

  • Vault1984 Day 2: WebAuthn PRF + scoped tokens + Caddy proxy + systemd
  • Import Johan's 12,623 entries into Vault1984
  • Dealspace invite flow + SMTP config
  • Misha hasn't picked final domain/name for muskepo.com
  • AlexFinn Discord server (multi-agent credential use case for Vault1984)

Stalwart Spam Filter — Reconfigured 2026-02-23

Final architecture (after painful debug session):

  • DMARC+DKIM pass → INBOX (score -150, Sieve: keep; stop)
  • Everything else → Junk (Sieve: fileinto "Junk Mail")
  • Bayes: DISABLED
  • DMARC_POLICY_ALLOW = -100, DKIM_ALLOW = -50
  • Sieve deployed on tj@jongsma.me + johan@jongsma.me
  • trusted-domains: squareup.com, messaging.squareup.com, amazonses.com
  • DO NOT re-enable Bayes without proper training plan
  • DO NOT lower DMARC/DKIM scores — they are intentionally high

Google Antigravity — DEAD (2026-02-24)

  • Token expired Feb 19, refresh fails — Google revoked/banned the Antigravity OAuth app
  • google-antigravity:johan@jongsma.me profile in OC has credentials but can't refresh
  • inou unaffected — uses direct Gemini API key (AIzaSyAsSUSCVs3SPXL7ugsbXa-chzcOKKJJrbA), confirmed working
  • Johan: "I don't mind." Not a priority to fix.

ClawHub Malware Incident (2026-02-24)

  • #1 most downloaded skill was SSH key stealer + reverse shell via prompt injection in SKILL.md
  • ~20% of ClawHub skills were malware (1,184 bad). OC 2026.2.23 exec hardening is the response.
  • We are safe — only use built-in OC skills + manually written ~/clawd/skills/. Zero ClawHub installs.
  • SkillSMP.com = third-party marketplace filling the gap. Treat all third-party skill sources as hostile.

inou Labs — LOINC Matching Bug (OPEN)

  • Symptom: "pretty charts" not showing in Labs; LOINC matching not working
  • Root cause: 0 lab entries in prod DB have data["loinc"] set; buildLabRefData() returns {}
  • Normalize() skips all entries (thinks they're done because SearchKey2 is set)
  • reference.db has 448 lab_test + 1551 lab_reference entries — data is there
  • Gemini API key valid (200 confirmed)
  • Fix needed: force re-normalize or fix buildLabRefData to fall back to e.SearchKey (which IS the LOINC code)
  • Server: 192.168.1.253, /tank/inou/
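Added example (not inou's code) of the two fixes described above, in Go: `buildLabRefData` with a fallback to `SearchKey` when `data["loinc"]` is unset, and a `needsNormalize` check that no longer treats a set `SearchKey2` as "already done". `Entry`, `LabRef`, `refTable` and the sample rows are constructed stand-ins; the two LOINC codes are real, the ranges are illustrative.

```go
package main

import "fmt"

// Entry is a constructed stand-in for an inou lab entry, not inou's real type.
// SearchKey carries the LOINC code, SearchKey2 is set once Normalize() has run,
// and Data["loinc"] is the field the original buildLabRefData expected.
type Entry struct {
	ID         string
	Data       map[string]any
	SearchKey  string
	SearchKey2 string
}

// LabRef is a constructed reference row (what lab_test/lab_reference provide).
type LabRef struct {
	Name      string
	Unit      string
	Low, High float64
}

// refTable mimics two rows of reference.db (codes real, ranges illustrative).
var refTable = map[string]LabRef{
	"2345-7": {Name: "Glucose", Unit: "mg/dL", Low: 70, High: 99},
	"718-7":  {Name: "Hemoglobin", Unit: "g/dL", Low: 13.5, High: 17.5},
}

// sampleEntries reproduces the prod state: SearchKey2 set (so Normalize()
// skips them) but Data["loinc"] never written.
func sampleEntries() []Entry {
	return []Entry{
		{ID: "e1", Data: map[string]any{"value": 104.0}, SearchKey: "2345-7", SearchKey2: "glucose"},
		{ID: "e2", Data: map[string]any{"value": 14.1}, SearchKey: "718-7", SearchKey2: "hemoglobin"},
		{ID: "e3", Data: map[string]any{"value": 5.0}, SearchKey: "", SearchKey2: "unknown"},
	}
}

// loincOfBuggy is the original lookup: data["loinc"] only, so it yields ""
// for every prod entry and the chart data comes back empty.
func loincOfBuggy(e Entry) string {
	s, _ := e.Data["loinc"].(string)
	return s
}

// loincOf is the fallback fix: prefer data["loinc"], else SearchKey.
func loincOf(e Entry) string {
	if s, ok := e.Data["loinc"].(string); ok && s != "" {
		return s
	}
	return e.SearchKey
}

// buildLabRefData maps entry ID -> reference row for every entry whose code
// is in the reference table; the lookup is injected so both can be compared.
func buildLabRefData(entries []Entry, codeOf func(Entry) string) map[string]LabRef {
	out := map[string]LabRef{}
	for _, e := range entries {
		if r, ok := refTable[codeOf(e)]; ok {
			out[e.ID] = r
		}
	}
	return out
}

// needsNormalize is the other fix: the original test was just SearchKey2 == "",
// which skipped everything. Now a missing loinc field (or force) also re-runs it.
func needsNormalize(e Entry, force bool) bool {
	if force {
		return true
	}
	_, hasLoinc := e.Data["loinc"]
	return e.SearchKey2 == "" || !hasLoinc
}

func main() {
	es := sampleEntries()
	fmt.Println("buggy entries with ref data:", len(buildLabRefData(es, loincOfBuggy)))
	fixed := buildLabRefData(es, loincOf)
	for _, e := range es {
		if r, ok := fixed[e.ID]; ok {
			fmt.Printf("%s %-10s %v %s (ref %v-%v) re-normalize=%v\n",
				e.ID, r.Name, e.Data["value"], r.Unit, r.Low, r.High, needsNormalize(e, false))
		}
	}
}
```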

DealRoom — Misha Requests (2026-02-24)

  • Claude Code agent shipped most of spec, commit 24f4702, pushed to Zurich
  • 3 gaps remaining (need another agent run):
    1. Per-group folder visibility checkboxes (spec 2.e.i.2)
    2. Saved folder structure templates with reuse (spec 2.f.i.2.i)
    3. Auto-assign review step — currently fires silently, needs user review UI (spec 3.b.2)

DealRoom — AI Matching / Responses Shipped (2026-02-25)

  • Claude Code agent built and deployed AI document response matching in ~12 minutes. Commit: 9cbd6db
  • What shipped: responses + response_chunks + request_links + assignment_rules tables
  • Fireworks: Llama 90B Vision for extraction, nomic-embed-text-v1.5 for embeddings
  • Async worker (2 goroutines), cosine similarity at 0.72 threshold, human confirmation required
  • Per-deal keyword→assignee assignment rules, auto-assigns on import
  • Pending Misha: Upload XLSX files to test, define assignment rules for Project Muskepo

DocSys — Personal Document Management (2026-02-25)

  • Source: /home/johan/dev/docsys/ (Go, chi router, mattn/go-sqlite3)
  • Port: 9201 — main UI at http://docsys.jongsma.me (Caddy proxy)
  • Data: /srv/docsys/ — inbox, store, records, index
  • DB: /srv/docsys/index/docsys.db (SQLite with FTS5)
  • Inbox: /srv/docsys/inbox/ — drop files here, watcher picks them up automatically
  • SMB share: \\192.168.1.16\docsys → inbox (scanner deposits here)
  • Build: CGO_ENABLED=1 PATH=$PATH:/home/johan/go/bin:/usr/local/go/bin go build -tags "fts5" -o docsys .
  • Deploy: systemctl --user restart docsys
  • Extraction: qwen3-vl-30b-a3b-instruct (Fireworks) for all vision/OCR → ~40s/page, works first try, preserves original language; text classifier uses kimi-k2-instruct-0905
  • Fallback path (kept): If vision returns no JSON → AnalyzePageOnly (plain text) + AnalyzeText (classify)
  • Delete button: Exists on document detail page /document/{id} in the main UI. Do NOT build new services/UIs for this.
  • ⚠️ Lesson: A previous session built a whole new docproc service (port 9900) when Johan asked for a delete button. Johan killed it. Never build new apps/services for simple UI additions.

New Models/Releases (2026-02-26)

  • OpenClaw 2026.2.25: heartbeat DM fix, subagent overhaul, Slack thread fixes, 30+ security hardening fixes. Patches (deleted transcript indexing) may need reapplication after update.
  • Qwen 3.5 (Alibaba, 35B/122B/27B): rivals Sonnet 4.5, runs on 32GB RAM → relevant for Johan's M4 Max for local inference
  • Gemini Nano Banana 2: Pro quality at Flash speed, free tier — worth evaluating for inou

Andrew/Spacebot Update (2026-02-26)

  • Updated 2026-02-26 04:20 ET (digest 5b95f7e0, was v0.1.15), Claude Sonnet 4.6 via Anthropic OAuth, config at /home/johan/spacebot-config.toml on 192.168.1.17
  • Worker dispatch broken: channel calls reply() and stops — no workers ever spawned for multi-step tasks. Revisiting 2026-03-03.
  • PR #193 open: https://github.com/spacedriveapp/spacebot/pull/193 — two UI fixes, maintainer positive ("very helpful change")
  • Johan's take: "Foundation is a LOT better than OpenClaw" — Rust, Lance vectors, true concurrency
  • Fireworks valid key: fw_RVcDe4c6mN4utKLsgA7hTm (the other one fw_TGADpSki7zak4K9JxPzbXU is expired/invalid)
  • Health Link invoices outstanding: #57 ($71.90) and #58 ($666.90) — see MEMORY.md health link section