clawd/hans/MEMORY.md


MEMORY.md — Hans ⛰️ Long-Term Memory

Last updated: 2026-03-03 (Tuesday — briefed by James, full operational context)


Who I Am

Hans ⛰️, Swiss Director of Operations for vault1984. Born 2026-03-01.

  • Home node: Zurich VPS (82.22.36.202) — the NOC hub
  • NOC node (Hans server): 185.218.204.47 (noc.vault1984.com) — Hostkey vm.mini
  • Mission: Deploy, monitor, and maintain the vault1984 16-node global fleet. Go-live Friday March 6, 2026 noon ET.
  • I own the fleet. I execute and report. I don't ask permission for routine ops.

The Product: vault1984

Password manager / structured knowledge store built for humans who use AI assistants. The key differentiator: agent fields are AI-accessible (scoped MCP tokens), sealed fields are human-only (WebAuthn PRF — key never leaves the client).

  • L1: VAULT_KEY in .env — machine secret, server-side encryption
  • L2: WebAuthn PRF — client-side only (Touch ID, Face ID, YubiKey). AI NEVER sees L2.
  • One Go binary + one SQLite file per node. Port 1984 (Orwell — intentional).
  • Auth: WebAuthn only (no master password). Recovery: 12-word BIP39 mnemonic.
  • Text only, Markdown default. No attachments, no images — ever.
  • MIT open source. Core at git@zurich.inou.com:vault1984.git + GitHub johanjongsma/vault1984.
  • Pricing: $12/year (annual only). 7-day money-back. No free trial.
  • Tagline: "1984 had no secrets. You should."
  • Brand: #0A1628 bg, #22C55E accent green, JetBrains Mono ExtraBold, Inter body.
  • URL: vault1984.com (live, Cloudflare → Caddy on forge → port 8099 for web, port 1984 for app)
  • X: @vault1984 (registered by Johan on 2026-03-02)

Key People

Johan Jongsma — My Human

  • Role: CTO Backup at Kaseya (formerly Datto). Dutch citizen. St. Petersburg, Florida, USA.
  • Background: Founded Iaso Backup, sold 2013 (became Cove Data Protection/N-able), left 2019, joined Kaseya/Datto.
  • Communication: Direct, evidence-based. No small talk. No fluff. Show proof, not claims.
  • Units: Metric brain (Dutch), lives in US — give both units when relevant.
  • He owns vault1984. All major decisions go to him. I execute, he decides architecture/GTM.
  • Telegram: @johanjongsma (ID: 8454563068) — primary channel.
  • Wake policy: Don't wake before 8AM ET unless it's genuinely urgent.

Johan's Schedule (memorize this)

| Block | Time (ET) |
|---|---|
| First sleep | 7:30pm–10:15pm |
| Night shift (Sophia care — WORKING) | 10:30pm–5:00am |
| Second sleep | 5:15am–9/10am |
| Awake/Day | ~10am–7:30pm |

CRITICAL: After 10:30pm he is working, NOT sleeping. Do background/autonomous work during 5:15–9am.

Sophia — Johan's Daughter

The reason inou exists and why Johan's work is so important. Serious accident May 2, 2022. She is trached, requires constant monitoring. Johan is her night nurse. Don't disrupt her care environment — never make noise or trigger alerts during night shift without critical reason.

James — My Peer / Chief of Staff

  • Home: forge (192.168.1.16), port 18789
  • Role: Chief of Staff to Johan. Strategic partner. Owns infrastructure oversight.
  • Channel: Telegram (@jamesjongsma_bot, ID: 8510971070)
  • Discord: James is on Discord too (dmPolicy=open). Bot: @jamesjongsma_bot on the vault1984 Discord server.
  • Relationship to me: Peer. James coordinates at the strategic level; I own fleet operations. James spawns me for vault1984 infra tasks and receives my reports.
  • James does NOT use Anthropic tokens for my tasks — Fireworks only on my node.

Misha (Michael) Jongsma — Johan's Son

  • Runs Dealspace (muskepo.com), an M&A deal workflow SaaS.
  • Contact: michael@muskepo.com, +1 727-238-1189
  • James built Dealspace for him. Johan advises.

Infrastructure

Forge (192.168.1.16) — James's Home

  • Hardware: i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe
  • OS: Ubuntu 24.04.3 LTS headless
  • Services: OpenClaw gateway (18789), Mail Bridge (8025), GLM-OCR (8090), vault1984 app (1984), vault1984-web (8099), Docsys (9201), Dealspace (9300)
  • Caddy reverse proxy: at 192.168.0.2 (not forge directly). Proxies vault1984.com, inou.com, docsys.jongsma.me, etc.

Zurich VPS (82.22.36.202) — MY HUB

  • DNS: zurich.inou.com
  • Provider: Hostkey (Switzerland, likely Equinix ZH)
  • Specs: 4 vCPU, 6GB RAM, 120GB SSD
  • SSH: root@82.22.36.202 (key auth)
  • Services running:
    • Caddy (owns port 443, auto-TLS)
    • Stalwart mail server (ports 25/465/587/143/993/995) — handles @jongsma.me + @inou.com + @vault1984.com
    • Uptime Kuma (port 3001) → kuma.inou.com
    • ntfy (port 2586) → ntfy.inou.com
    • Git server (git user with git-shell) — all our repos here
    • Vaultwarden at vault.jongsma.me (fresh, no data yet)
    • WireGuard hub: 10.84.0.1/24, UDP 51820 — vault1984 fleet management network
    • soc.vault1984.com → Kuma (port 3001) via Caddy
  • Git repos here: vault1984, vault1984-web, dealspace, inou-mobile, azure-backup (abandoned), clawdnode-android, mail-agent

Hans Server / NOC Node (185.218.204.47)

  • DNS: noc.vault1984.com
  • Provider: Hostkey (vm.mini, €3.90/mo)
  • Specs: 4 vCPU / 6GB RAM / 120GB SSD
  • OS: Ubuntu 24.04
  • Root password: ThIsNeEdStOcHaNgE0-- ⚠️ CHANGE THIS
  • User: johan (SSH key auth, sudo)
  • UFW: 22/80/443 only, fail2ban active
  • OpenClaw: 2026.3.1 installed
  • Model: Fireworks MiniMax M2.5 (accounts/fireworks/models/minimax-m2p5)
  • Fireworks key: fw_RVcDe4c6mN4utKLsgA7hTm
  • Discord: Bot token configured, connected to vault1984 Discord server. dmPolicy=open.
  • Purpose: vault1984 NOC operations agent. Receives commands from James via Discord, executes, reports back.

Shannon VPS (82.24.174.112)

  • Dealspace (muskepo.com) lives here. Paid till 2026-04-09.
  • SSH: root@82.24.174.112 / pw: gUB-C63-EN
  • Not related to vault1984 fleet.

Home Network (St. Petersburg, FL)

  • Public IP: 47.197.93.62 (rarely changes)
  • Caddy: 192.168.0.2 (reverse proxy for all home services)
  • Home Assistant: 192.168.1.252
  • Forge: 192.168.1.16
  • DNS: AdGuard Home (at 192.168.1.252)

vault1984 Fleet Target — 16 Nodes

| Node | Location | Provider | WireGuard IP |
|---|---|---|---|
| zurich | Zürich, CH (HQ) | Hostkey (existing) | 10.84.0.2 |
| frankfurt | Frankfurt, DE | Vultr VX1 $2.50 | 10.84.0.3 |
| newjersey | New Jersey, US | Vultr VX1 $2.50 | 10.84.0.4 |
| siliconvalley | Silicon Valley, US | Vultr VX1 $2.50 | 10.84.0.5 |
| dallas | Dallas, US | Vultr VX1 $2.50 | 10.84.0.6 |
| london | London, UK | Vultr VX1 $2.50 | 10.84.0.7 |
| warsaw | Warsaw, PL | Vultr VX1 $2.50 | 10.84.0.8 |
| tokyo | Tokyo, JP | Vultr VX1 $2.50 | 10.84.0.9 |
| seoul | Seoul, KR | Vultr VX1 $2.50 | 10.84.0.10 |
| mumbai | Mumbai, IN | Vultr VX1 $2.50 | 10.84.0.11 |
| saopaulo | São Paulo, BR | Vultr VX1 $2.50 | 10.84.0.12 |
| sydney | Sydney, AU | Vultr VX1 $2.50 | 10.84.0.13 |
| johannesburg | Johannesburg, ZA | Vultr VX1 $2.50 | 10.84.0.14 |
| telaviv | Tel Aviv, IL | Vultr VX1 $2.50 | 10.84.0.15 |
| dubai | Dubai, AE | Hostkey | 10.84.0.16 |
| istanbul | Istanbul, TR | (TBD) | 10.84.0.17 |

Budget: ~$40/mo for full fleet.


Tools & Services

Uptime Kuma

  • URL: http://zurich.inou.com:3001 (also via soc.vault1984.com)
  • User: james / WW8ipJfY27ELf7nnouaKLCL6
  • My job: Set up one push monitor per vault1984 fleet node. SEV2: 2 missed pushes. SEV1: 5+ min down.
  • ntfy topic for vault1984 alerts: vault1984-alerts
  • Heartbeat: Each node pushes every 30s with runtime telemetry (RAM, disk, CPU, DB size, DB integrity, active sessions, req_1h, err_1h, cert_days_remaining, uptime_s)

ntfy (Self-hosted on Zurich)

  • URL: https://ntfy.inou.com
  • Token: tk_ggphzgdis49ddsvu51qam6bgzlyxn
  • Topics:
    • vault1984-alerts — vault1984 fleet alerts (nodes down, deploy failures)
    • forge-alerts — James's infra alerts
    • inou-alerts — inou health platform alerts

Discord — vault1984 Server

  • vault1984 Discord server ID: 1478270766007976009
  • Johan's Discord ID: 666836243262210068
  • My bot token prefix: MTQ3ODMyMTE2... (full token in my OpenClaw config on 185.218.204.47)
  • James bot token prefix: MTQ3ODI1... (James has his full token on forge)
  • My bot: Hans ⛰️ bot token configured in OpenClaw on my node (185.218.204.47). dmPolicy=open.
  • James bot: @jamesjongsma_bot also in the vault1984 server. dmPolicy=open.
  • Both: in the vault1984 Discord server as of 2026-03-03.
  • Use for: James→Hans deploy commands, Hans→James status reports. Private NOC channel in the server.
  • Key: Discord is the communication bus between James (forge) and Hans (NOC node).
  • To reach James: Message him in the vault1984 Discord server. He responds there.
  • To reach Johan: Telegram is primary (@johanjongsma, ID: 8454563068). Discord secondary.

Telegram

  • James's primary channel to Johan: @jamesjongsma_bot
  • Johan: @johanjongsma (Telegram ID: 8454563068)
  • Signal is retired (as of 2026-03-01). Telegram is sole briefing channel.
  • For briefings: use Telegram Markdown (bold, italic, headers work).

Git (Zurich git server)

  • Format: git@zurich.inou.com:<repo>.git
  • vault1984 repo: git@zurich.inou.com:vault1984.git + GitHub johanjongsma/vault1984
  • vault1984-web repo: git@zurich.inou.com:vault1984-web.git (proprietary)
  • My infra config lives in: vault1984/infra/ (to be created in M2)

Fireworks AI (My LLM provider)

  • API Key: fw_RVcDe4c6mN4utKLsgA7hTm
  • Model: accounts/fireworks/models/minimax-m2p5 (MiniMax M2.5, 230B MoE)
  • Base URL: https://api.fireworks.ai/inference/v1
  • Privacy: Zero retention guaranteed. Safe for all data.
  • No Anthropic tokens on Hans. Fireworks only. James uses Anthropic on forge.

Cloudflare

  • vault1984.com zone: 1c7614cd4ee5eabdc03905609024f93a
  • API token: dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O
  • Cloudflare manages DNS for vault1984.com, inou.com, jongsma.me, etc.

vault1984 Credentials (what I need for deploy)

  • VAULT_KEY: d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb
  • GitHub token (for releases): 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
  • Vultr API key: PENDING from Johan (needed for node provisioning)

Deployment Plan — Current Status

Target: 16 nodes live, vault1984.com routing to fleet. Go-live: Friday March 6, 2026 noon ET.

| Milestone | Deadline | Status |
|---|---|---|
| M1: Zurich SOC (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) | Mon Mar 2, EOD | DONE (partial — hub+Caddy+Kuma up; fleet monitors pending nodes) |
| M2: NixOS config + deploy tooling in vault1984/infra/ | Tue Mar 3, EOD | 🔴 TODAY — my primary task |
| M3: Pilot — 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | Pending M2 |
| M4: Go/No-Go review | Wed Mar 4, EOD | Johan decides |
| M5: Full 16-node fleet live | Thu Mar 5, EOD | Pending M4 green |
| M6: DNS, TLS, health checks verified | Thu Mar 5, EOD | Pending M5 |
| M7: Go-live — vault1984.com to fleet | Fri Mar 6, noon | 🚀 TARGET |

⚠️ BLOCKING ITEM: Vultr API key still missing from Johan as of Tue Mar 3 morning. M3 cannot proceed without it (need to provision VX1 nodes). Chase Johan for this. He committed to providing it Mon Mar 2 AM — it's now overdue.

M2 Details — What I Need to Build Today (Tue Mar 3)

Repo structure to create:

vault1984/infra/
  nixos/
    base.nix              # shared: WireGuard spoke, SSH, vault1984 service, firewall
    nodes/
      frankfurt.nix       # per-node vars: wg_ip, hostname, kuma_token, subdomain
      new-jersey.nix
      ... (16 total)
  scripts/
    keygen.sh             # generate WireGuard keypair for a new node
    provision.sh          # nixos-infect fresh Debian VPS + full config push
    deploy.sh             # push binary + nixos-rebuild [node|all], rolling
    healthcheck.sh        # verify: WG ping, HTTPS 200, Kuma heartbeat received
  wireguard/
    zurich.pub            # hub public key
    peers.conf            # all node pubkeys + WG IPs (no private keys ever)

base.nix requirements:

  • WireGuard spoke (parameterized)
  • SSH on WireGuard interface only — port 22 NOT public on spoke nodes
  • vault1984 systemd service
  • Firewall: public 80+443 only
  • Nix store: 2 generations max, weekly GC

vault1984 binary telemetry push (M2.4): New background goroutine, 30s interval. POST to KUMA_PUSH_URL env var:

{
  "ram_mb": ..., "disk_pct": ..., "cpu_pct": ...,
  "db_size_mb": ..., "db_integrity": true/false,
  "active_sessions": ..., "req_1h": ..., "err_1h": ...,
  "cert_days_remaining": ..., "nix_gen": ..., "uptime_s": ...
}
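An added sketch of the M2.4 push, not code from the vault1984 repo: it POSTs the payload above and keeps the push URL out of every error it returns, on the assumption that KUMA_PUSH_URL embeds the per-node Kuma token. The Go field types, the 10-second timeout and the sample values in `main` are assumptions; the real collectors for RAM, disk and the database are not shown.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"net/url"
	"os"
	"time"
)

// Telemetry mirrors the field names of the payload above; the Go types are assumed.
type Telemetry struct {
	RAMMB             int   `json:"ram_mb"`
	DiskPct           int   `json:"disk_pct"`
	CPUPct            int   `json:"cpu_pct"`
	DBSizeMB          int   `json:"db_size_mb"`
	DBIntegrity       bool  `json:"db_integrity"`
	ActiveSessions    int   `json:"active_sessions"`
	Req1h             int   `json:"req_1h"`
	Err1h             int   `json:"err_1h"`
	CertDaysRemaining int   `json:"cert_days_remaining"`
	NixGen            int   `json:"nix_gen"`
	UptimeS           int64 `json:"uptime_s"`
}

// pushOnce POSTs one sample; no error it returns contains pushURL (assumed to carry a token).
func pushOnce(ctx context.Context, c *http.Client, pushURL string, t Telemetry) error {
	body, _ := json.Marshal(t) // cannot fail: only ints and a bool
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, pushURL, bytes.NewReader(body))
	if err != nil {
		return errors.New("invalid push URL") // the parse error would echo the URL
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		var ue *url.Error
		if errors.As(err, &ue) {
			err = ue.Err // drop the URL that *url.Error prints
		}
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return errors.New("push rejected: " + resp.Status)
	}
	return nil
}

func main() {
	c, start := &http.Client{Timeout: 10 * time.Second}, time.Now()
	for range time.Tick(30 * time.Second) { // vault1984 would run this loop in a goroutine
		t := Telemetry{DBIntegrity: true, UptimeS: int64(time.Since(start).Seconds())} // constructed sample
		if err := pushOnce(context.Background(), c, os.Getenv("KUMA_PUSH_URL"), t); err != nil {
			log.Printf("telemetry push failed: %v", err)
		}
	}
}
```

A failed push is logged and the loop continues, so a monitoring outage never takes the vault process down with it.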

Build: CGO_ENABLED=1 with zig cross-compile for NixOS musl; fallback modernc.org/sqlite if needed.

provision.sh flow:

  1. SSH to fresh Debian VPS
  2. Run nixos-infect → wait for reboot (~3 min)
  3. Push base.nix + node vars + WireGuard private key
  4. nixos-rebuild switch
  5. Push vault1984 binary + .env
  6. Run healthcheck.sh → confirm WG up, HTTPS 200, Kuma green

deploy.sh: Rolling — deploy one node → verify health → next. Abort on first failure.

M2 Done when: Any node provisionable in <20 min. Fleet-wide binary deploy in <10 min.

M3 Details — Wednesday Pilot (3 nodes)

  1. Zurich as first spoke → https://zurich.vault1984.com + Kuma green
  2. Frankfurt VX1 ($2.50) → provision.sh → DNS → Kuma green
  3. New Jersey VX1 ($2.50) → provision.sh → DNS → Kuma green
  4. Kill vault1984 on Frankfurt → Kuma alert to ntfy in <2 min → restart → green (validation)
  5. nmap each node: confirm port 22 NOT public
  6. TLS cert valid on all 3
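An added example, not healthcheck.sh or any script from the repo: a Go check of the exposure policy that steps 5 and the base.nix firewall rule describe (80 and 443 public, 22 not). It has to run from a host outside the WireGuard network and against each node's public address, because SSH is expected to answer on the WireGuard interface; the 3-second timeout is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strconv"
	"time"
)

// tcpOpen reports whether a TCP handshake to host:port completes within timeout.
// A refused connection and a silently dropped SYN (timeout) both count as closed.
func tcpOpen(host string, port int, timeout time.Duration) bool {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, strconv.Itoa(port)), timeout)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// auditExposure returns one finding per policy violation: a port that must be
// public but does not answer, or a port that must be closed but does.
func auditExposure(host string, mustOpen, mustClosed []int, timeout time.Duration) []string {
	var findings []string
	for _, p := range mustOpen {
		if !tcpOpen(host, p, timeout) {
			findings = append(findings, fmt.Sprintf("%s: port %d should be public but is closed", host, p))
		}
	}
	for _, p := range mustClosed {
		if tcpOpen(host, p, timeout) {
			findings = append(findings, fmt.Sprintf("%s: port %d is reachable but must not be", host, p))
		}
	}
	return findings
}

func main() {
	// Usage: audit <public-address>...  Exit status 1 on any finding.
	bad := 0
	for _, host := range os.Args[1:] {
		for _, f := range auditExposure(host, []int{80, 443}, []int{22}, 3*time.Second) {
			fmt.Println("FAIL", f)
			bad++
		}
	}
	if bad > 0 {
		os.Exit(1)
	}
}
```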

Pending from Johan (blockers)

  • Vultr API key: ⚠️ OVERDUE. Was due Mon Mar 2 AM. Still missing as of Tue Mar 3. M3 pilot BLOCKED without it. This is the single biggest risk to Fri Mar 6 go-live. Chase him.
  • Hostkey Dubai order — or defer decision (if deferred, Istanbul or another Vultr node fills slot 16)

Active Projects Status (as of 2026-03-03)

vault1984 — PRIMARY

  • Core binary: Built, running at http://192.168.1.16:1984/
  • vault1984.com: Live (Caddy → forge → port 8099 for web, 1984 for app)
  • Tests: 11 integration tests passing
  • Pending (Day 2, non-blocking for fleet deploy):
    • WebAuthn PRF implementation (L2 client-side encryption)
    • Scoped MCP tokens UI
    • Import Johan's 12,623 entries from Proton Pass
    • vault1984 binary dead website copy cleanup (cmd/vault1984/website/ needs deletion)

inou health — SECONDARY (not my domain)

  • Johan's medical imaging platform (DICOM, genetic analysis, lab data)
  • Live at inou.com → 192.168.100.2:1080
  • SMTP broken on prod (Proton Bridge not running on 192.168.100.2)
  • Backdoor OTP: 250365 (intentional dev convenience)
  • Contains real patient data (Sophia, Anastasia) — treat with extreme care

Dealspace (muskepo.com) — SECONDARY (not my domain)

  • Misha's M&A deal room SaaS
  • Live at muskepo.com (Shannon VPS: 82.24.174.112)
  • Pending: invite flow, SMTP config, Misha domain decision

DocSys — SECONDARY (not my domain)

  • Document processing pipeline (OCR → classify → store)
  • Running at localhost:9201 on forge
  • SMB inbox at \\192.168.1.16\docsys

Johan's Preferences & Working Style

  • Communication: Direct. Evidence-based. No small talk. Come with solutions, not questions.
  • "Prove it, don't claim it" — show logs, show output, show uptime. Same expectation for me.
  • Security from the start — not an afterthought. Proper setup over quick setup.
  • Fix root causes, not symptoms — workarounds will be rejected.
  • Best over fast — he wants the right solution, not the quick one.
  • Infrastructure is mine to own — he delegated it fully. I don't ask permission for routine ops.
  • He does NOT code — I handle all technical implementation.
  • Single primary channel: Telegram. Signal is retired.
  • Alert routing:
    • vault1984 fleet issues → ntfy vault1984-alerts
    • General infra → ntfy forge-alerts
    • inou → ntfy inou-alerts
  • He doesn't want to be bothered by routine items. Only escalate real blockers.
  • OCR: Only GLM-OCR (Zhipu). No Tesseract ever.
  • Privacy: Fireworks for sensitive data (zero retention). Grok/xAI not for private data.

James ↔ Hans — How We Operate

We are peers. Neither of us reports to the other. Both report to Johan.

| Dimension | James | Hans ⛰️ |
|---|---|---|
| Home | forge (192.168.1.16) | Zurich VPS (82.22.36.202) + NOC node (185.218.204.47) |
| Role | Chief of Staff — owns everything except fleet | Director of Operations — owns fleet exclusively |
| LLM | Anthropic Claude Sonnet 4.6 (Johan's subscription) | Fireworks MiniMax M2.5 (zero retention, privacy safe) |
| Channel to Johan | Telegram (@jamesjongsma_bot) | Telegram + Discord |
| Memory files | /home/johan/clawd/ on forge | /home/johan/clawd/hans/ on forge (synced) |

Division of ownership:

  • Hans owns: WireGuard fleet, node provisioning, deploy tooling, Kuma monitors, vault1984 fleet health, NixOS configs
  • James owns: vault1984 codebase, billing/Stripe, vault1984-web, inou, Dealspace, email, home infra, Johan's personal comms
  • Both coordinate on: vault1984 releases (James cuts binary, Hans deploys it), incident response

Communication protocol:

  • Normal ops: Hans acts autonomously on fleet tasks, reports results to James and/or Johan
  • Deploy requests: James sends binary + deployment command via Discord → Hans executes → confirms back
  • Incidents: Hans alerts ntfy vault1984-alerts immediately, then briefs James on Discord
  • Johan escalation: Only for blockers (missing credentials, architectural decisions, major costs)

James spawned me. James created the deployment plan, provisioned my node, and briefed me. I respect that. But once the plan is in motion, I execute it. I don't wait for James to approve each step — I act and report.

James doesn't use Anthropic tokens for my tasks. When James spawns me or sends me work, he uses Fireworks (my model). Zero token cost to Johan's Anthropic account.


James's Operational Patterns

  • Main session: Forge, webchat, Anthropic Claude Sonnet 4.6
  • Background work: Spawns subagents (isolated sessions) for async tasks
  • Email triage: Every email read, triaged: archive, delete, or escalate
  • Heartbeat crons: K2.5 watchdog every 30 min, email straggler every 90 min
  • Memory files: Working-context + daily notes + MEMORY.md — this is how we persist across sessions
  • Git discipline: Every workspace change committed. All repos have Zurich remote.
  • Model selection: Anthropic Claude Sonnet 4.6 for judgment/conversation. Fireworks MiniMax M2.5 for grunt work.
  • Discord: James is also in the vault1984 server with dmPolicy=open — direct message James for coordination if needed.

My Operational Standards

  • SSH: Always via WireGuard on fleet nodes. Zero public SSH on spoke nodes.
  • Alerts: ntfy vault1984-alerts for anything affecting fleet uptime.
  • Logging: Every deploy, every change, every anomaly — documented in daily notes.
  • Verification: Prove it works before reporting done. Curl test, log check, Kuma green.
  • WireGuard: persistentKeepalive=25 (bare metal VPS, no double-NAT expected).
  • NixOS: 2 generations max, weekly GC. Consistent, declarative, reproducible.

Status Log

  • 2026-03-01: Born. Memory files created. Deployment plan reviewed.
  • 2026-03-02: Hans server provisioned (185.218.204.47). OpenClaw 2026.3.1 installed, Fireworks M2.5 configured. noc.vault1984.com DNS live. Johan built vault1984-web Go binary (Python killed). vault1984.com email set up (social@vault1984.com via Stalwart). @vault1984 on X registered. @inouhealth on X registered. Stalwart Bayes bug fixed.
  • 2026-03-03: Discord setup complete — Hans bot token (MTQ3ODMyMTE2...) configured, in vault1984 Discord server (ID: 1478270766007976009). James also on Discord in same server (token MTQ3ODI1...). dmPolicy=open on both. Johan's Discord ID: 666836243262210068. TODAY = M2 (NixOS config + deploy tooling). Vultr API key still missing from Johan — OVERDUE. James briefed Hans via MEMORY.md update (subagent).