clawd/memory/2026-02-19.md

2026-02-19

SSH Keys Added

• johanjongsma@Johans-MacBook-Pro.local → forge authorized_keys (via control UI, ~23:13)
• johan@thinkpad-x1 → forge authorized_keys (via Telegram, ~23:34)
• ThinkPad X1 confirmed: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi)
• james@forge key added to ThinkPad X1 authorized_keys via Claude Code on X1
• SSH from forge to ThinkPad X1 working: ssh johan@192.168.0.223

Go Environment Recovery (rogue agent incident)

• Rogue agent at 23:30 installed golang-go (1.22.2) via apt, shadowing /usr/local/go (1.23.6)
• Also installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps) + wails binary to ~/go/bin
• Fixed: Removed golang-go apt packages, fixed PATH in ~/.bashrc to put /usr/local/go/bin at FRONT
• Go 1.23.6 active from /usr/local/go — verified in fresh shell
• wails binary still in ~/go/bin — Johan's call whether to keep
• message-bridge/go.mod says "go 1.25.6" — pre-existing bug, not rogue agent

Win Alerts Fix

• Kaseya win alerts (winalert@kaseya.com) were hitting Fully dashboard
• Fixed in connector_m365.go: added silentSenders blocklist filter before postFullyAlert
• Suppressed: winalert@, lostalert@, standard.instrumentation@kaseya.com, noreply@salesforce.com
• Committed b408ebc to mc-unified, mail-bridge restarted

ThinkPad X1 SSH Setup

• CC on ThinkPad ran: installed openssh-server, enabled SSH, added james@forge key
• IP confirmed: 192.168.0.223 (WiFi), was 192.168.0.211 in old notes

Vaultwarden Saga (BIG one)

Root cause chain:

1. I (previous session) added HSTS includeSubDomains; preload to home Caddy for inou.com
2. This caused Chrome to hard-enforce HSTS for ALL *.inou.com subdomains
3. Stalwart was set up on Zurich Feb 17 and claimed port 443
4. Caddy was NEVER on Zurich — my memory notes documented a plan, not reality
5. vault.inou.com DNS → Zurich → Stalwart served mail.inou.com cert → wrong cert → HSTS block

What Johan did: Asked "vault.jongsma.me or vault.inou.com?" — I said vault.inou.com (wrong). He tried to upload passwords but Stalwart rejected the Bitwarden API calls. Passwords did NOT get saved anywhere.

Passwords: Still safe in Proton Pass (not deleted).

What was actually deployed: NOTHING — Vaultwarden was never running anywhere.

Final resolution:

• vault.jongsma.me → Zurich (82.24.174.112) specific DNS A record created in Cloudflare
• Caddy on Zurich handles vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden)
• Vaultwarden running: /opt/vaultwarden/ with data at /opt/vaultwarden/data/
• Admin token: gFUzyxPCGLkTAx4DnuiWXr+yA5Q8YXWeCEIYG9XDkDU=
• TODO: Johan needs to create account + import from Proton Pass + I disable SIGNUPS_ALLOWED

Zurich Caddy config now serves:

• vault.jongsma.me → Vaultwarden (127.0.0.1:8222)
• mail.inou.com, mail.jongsma.me → Stalwart (127.0.0.1:8443, TLS)

Stalwart: Moved HTTPS from public 0.0.0.0:443 to 127.0.0.1:8443. Mail ports (25/587/465/143/993/995) still public.

Supermemory Discussion

• OpenRouter followed @supermemory — Johan asked if we should reconsider
• Decision: PASS for now. Privacy blocker (our memory has Sophia's medical data etc.)
• If they get self-hosted option, worth revisiting for inou specifically