clawd/memory/weekly-synthesis-2026-03-01.md


Weekly Memory Synthesis — Feb 23 – Mar 1, 2026

Executive Summary

Two major projects launched: Dealspace (M&A data room SaaS) and Vault1984 (password manager for AI assistants). Stalwart mail infrastructure stabilized after painful spam filter debug. Spacebot/Andrew remains blocked on worker dispatch. Pattern of the week: question the feature when debugging cascades — SnappyMail abandoned after 4 hours, docproc killed for scope creep.


🚀 Major Launches

Dealspace / muskepo.com — LIVE (Feb 28)

Misha's M&A deal workflow platform, built from scratch in one overnight session.

  • URL: muskepo.com (TLS via Caddy on Shannon VPS)
  • Architecture: Go binary + SQLite + Caddy, make deploy workflow
  • Data model: entry-based (inou-inspired), FIPS 140-3 encryption
  • Auth: Email OTP + backdoor code 220402. Super admins: michael@muskepo.com, johan@jongsma.me
  • Security hardened: OTP timing attacks fixed (subtle.ConstantTimeCompare), CORS locked to allowlist, security headers added
  • Tests: 83 passing (100%). Smoke test: 14/14 PASS.
  • Missing: invite flow, SMTP config, GET/DELETE /api/projects/:id endpoints

Key insight: Production-ready architecture in 4.5 hours — Go + templ + HTMX + SQLite pattern is proven.

Vault1984 — New Project (Feb 28)

Personal password manager designed for humans with AI assistants. L1 (server key) + L2 (WebAuthn PRF client-side) architecture.

  • Port: 1984 (Orwell reference — intentional)
  • Git: git@zurich.inou.com:vault1984.git (OSS) + git@zurich.inou.com:vault1984-web.git (proprietary marketing)
  • Entry model: Free-form fields, l2:true per field, section grouping
  • Import: Chrome/Firefox CSV, Bitwarden JSON, Proton Pass JSON (12,623 entries pending)
  • Scoped MCP tokens: Per-token tag/entry whitelisting for multi-agent swarms
  • Tests: 11 integration tests passing
  • Architecture locked: VAULT_KEY in .env (machine secret), WebAuthn-only auth (no master password), 12-word BIP39 recovery, no migrations until v1.0
  • Domain: vault1984.com registered, Caddy proxy live

GTM target: Alex Finn (multi-agent swarm use case). Discord community hunting required.


🔧 Infrastructure Wins & Lessons

Stalwart Spam Filter — FIXED (Feb 23)

Painful 4-month debug session finally resolved. Root cause: DNSWL queries returning 127.0.0.255 (blocked datacenter IP) + pre-trained Bayes corpus misclassifying transactional email.

Final architecture:

  • DMARC+DKIM pass → INBOX (score -150, Sieve: keep; stop)
  • Everything else → Junk Mail
  • Bayes: DISABLED (auto-poisoned from junk moves)
  • Trusted domains: squareup.com, messaging.squareup.com, amazonses.com

Lessons documented:

  1. DKIM+DMARC pass should be near-definitive trust signal — never let content scoring override cryptographic authentication
  2. A fresh Bayes install comes pre-trained with generic corpus — not neutral
  3. Don't blame the tool — we misconfigured it
  4. Go slow on production mail config — understand root cause before touching

DocSys — OCR Upgraded (Feb 25)

Vision model: qwen3-vl-30b-a3b-instruct (Fireworks) — ~40s/page, preserves language, works first try on Russian handwriting. Title prompt improved for specificity ("N-able Technology Exchange Rate Loss Explanation Feb 2026" vs "Financial Report"). Vocabulary hints added for "Jongsma" reading correction.

Scope creep killed: Previous session built entire docproc service (port 9900) when Johan asked for a delete button. Service removed, delete button added properly to existing UI.

inou Security Fixes (Feb 28)

  • Auth backdoor (code 250365) REMOVED from lib/dbcore.go — CRITICAL
  • CORS wildcard → allowlist (inou.com, localhost, capacitor)
  • LOINC matching bug FIXED — normalize.go now requires BOTH SearchKey2 AND data["loinc"] to skip
  • 59 test functions written (57 passing)
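The OTP and CORS hardening listed for Dealspace and inou, sketched in Go as an added example (not code from either project). The origin strings, port and function names are assumptions; the OTP check has a single acceptance path with no static bypass code, in line with the inou fix.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is an assumed allowlist; exact origin strings are illustrative.
var allowedOrigins = map[string]bool{
	"https://inou.com":      true,
	"http://localhost:8080": true,
	"capacitor://localhost": true,
}

// VerifyOTP compares in constant time; hashing first equalises input length.
func VerifyOTP(submitted, issued string) bool {
	if issued == "" { // no code outstanding: never accept
		return false
	}
	a, b := sha256.Sum256([]byte(submitted)), sha256.Sum256([]byte(issued))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// CORS echoes Origin only on an exact allowlist match, never "*".
func CORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // caches must key on Origin
		if o := r.Header.Get("Origin"); allowedOrigins[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
		}
		next.ServeHTTP(w, r)
	})
}

// AllowOriginFor returns the Access-Control-Allow-Origin sent for origin.
func AllowOriginFor(origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	CORS(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Println(VerifyOTP("493817", "493817"), VerifyOTP("493818", "493817"))
	fmt.Println(AllowOriginFor("https://inou.com"), AllowOriginFor("https://evil.example"))
}
```

Exact-match lookup matters here: prefix or suffix matching on the Origin header would accept look-alike hosts such as `https://inou.com.evil.example`.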

📊 Active Projects Status

| Project | Status | Blockers |
|---|---|---|
| Dealspace | Live, needs invite flow | Misha domain decision, SMTP config |
| Vault1984 | Core built, Day 2 pending | WebAuthn PRF implementation, scoped tokens UI, entry import |
| inou | LOINC bug fixed, tests added | None — ready for Johan use |
| Spacebot/Andrew | v0.1.15, Claude Sonnet 4.6 | Worker dispatch broken (revisit 2026-03-03) |
| Azure Backup | ABANDONED Feb 28 | N/A |

⚠️ Outstanding Items

High Priority

  • Health Link Invoices: #000057 ($71.90) and #000058 ($666.90) — payment links in Feb 23 notes
  • Vault1984 Day 2: WebAuthn wizard, scoped tokens UI, Caddy proxy, systemd service
  • Dealspace invite flow: Misha decision needed on domain/name
  • Spacebot worker dispatch: Revisit 2026-03-03 per Johan instruction

Medium Priority

  • inou Labs LOINC: Force re-normalize on prod to populate data["loinc"] fields
  • Vault1984 entry import: 12,623 entries from Proton Pass
  • Uptime Kuma monitors: Still 0 monitors on Zurich (awaiting Johan OK)

🧠 Lessons for AGENTS.md

NEW — When Debugging Cascades, Question the Feature

Trigger: 4+ hours into SnappyMail webmail debugging (PHP-FPM, Docker hairpin NAT, SSL timeouts). Never definitively solved.

Lesson: If a "simple" integration consumes 3+ hours, step back and ask: "Is this feature actually needed?" Stalwart has no user webmail; native iPhone Mail clients work fine. Sometimes abandonment is the right answer, not persistence.

Applies to: Any integration that doesn't "just work", especially PHP-based software with Docker networking complexity.

Test: "Have I spent >3 hours on this? Is there a simpler alternative?"

NEW — Don't Build New Services for Simple UI Requests

Trigger: Built entire docproc Go service (port 9900, watcher, processor, API) when Johan asked for a "delete button."

Lesson: Scope creep kills trust. A delete button = one HTML element + one API route. A new service = new failure modes, new memory overhead, new confusion.

Applies to: Any "add X to Y" request. The answer is almost always to modify Y, not create Z.

Test: "Does something already exist that I can add this to?"

REINFORCED — DKIM+DMARC Pass Trumps ALL Content Scoring

Trigger: Stalwart junked Square invoices (DMARC=pass, DKIM=pass) due to Bayes score.

Lesson: Cryptographic authentication is ground truth. Content classifiers should never override it.

Fix: DMARC_POLICY_ALLOW = -100, DKIM_ALLOW = -50, Bayes disabled.

Applies to: Any spam/content filter configuration.
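The routing rule from the Stalwart fix, modelled in Go as an added example (not Stalwart configuration or code from this setup). The scores are the ones given above; the `authServID` hostname, the simplified Authentication-Results parsing and the sample headers are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Scores are the page's values; authServID is an assumed local hostname.
const (
	dmarcPolicyAllow = -100
	dkimAllow        = -50
	authServID       = "mx.example.net"
)

// Route returns folder and score. Only Authentication-Results headers with
// our own authserv-id count; the sender controls every other header.
func Route(authResults []string) (string, int) {
	dkim, dmarc := false, false
	for _, h := range authResults {
		parts := strings.Split(h, ";")
		if id := strings.Fields(parts[0]); len(id) == 0 || id[0] != authServID {
			continue
		}
		for _, p := range parts[1:] {
			if f := strings.Fields(p); len(f) > 0 {
				dkim = dkim || strings.EqualFold(f[0], "dkim=pass")
				dmarc = dmarc || strings.EqualFold(f[0], "dmarc=pass")
			}
		}
	}
	score := 0
	if dmarc {
		score += dmarcPolicyAllow
	}
	if dkim {
		score += dkimAllow
	}
	if dkim && dmarc {
		return "INBOX", score // Sieve: keep; stop
	}
	return "Junk Mail", score
}

func main() {
	// Constructed headers: one from our server, one forged by a sender.
	ok := []string{"mx.example.net; dkim=pass header.d=squareup.com; dmarc=pass header.from=squareup.com"}
	forged := []string{"mail.attacker.example; dkim=pass; dmarc=pass"}
	fmt.Println(Route(ok))
	fmt.Println(Route(forged))
}
```

The authserv-id check only holds if the receiving MTA also strips inbound headers that already claim its own identifier, as RFC 8601 requires.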


🗑️ Stale Items Removed from MEMORY.md

  • Azure Backup — marked ABANDONED (was "expiring ~Feb 27")
  • HostKey Amsterdam — already decommissioned Feb 21, removed from todo lists
  • jongsma.me domain transfer — completed (was "expires 2026-02-28")
  • Signal as primary channel — retired 2026-03-01, Telegram now sole channel

📈 Metrics

  • Commits this week: 20+ across dealspace, inou, vault1984, docsys
  • Tests added: 83 (dealspace) + 59 (inou) + 11 (vault1984) = 153 new tests
  • Services deployed: 3 (dealspace, vault1984, docsys OCR upgrade)
  • Security fixes: 7 critical/high across dealspace + inou
  • Projects abandoned: 2 (Azure Backup, SnappyMail webmail)

Synthesized: Sunday, March 1, 2026 — 9:00 AM ET

Next synthesis: Sunday, March 8, 2026