# 2026-04-18 Daily Notes

## Location Cache & Hermes Integration — Completed

- **location_cache.py** committed (`d54ca65`) — cache-first, goplaces CLI + Nominatim fallback + haversine
- **Hermes integration** (`a718b2a`) — `enrich_location()` appends 📍 + travel time to event notifications
- Known locations seeded: Golrusk (7 min), Aurora BayCare (5 min), Resurrection Church (12 min)
- Google Places API key in `scripts/.env` (currently 403 — suspended). Nominatim is fallback.

## Google Account Suspended

- SA + Gmail app password + Places API all dead (CONSUMER_SUSPENDED)
- Crons disabled, then re-enabled after Radicale migration removed all Google deps

## Drop-Box Document Sorter — Built

- `document_sorter.py` committed (`b615b9b`) — OCR + LLM + Drive pipeline
- Blocked on Google account restoration for Drive API

## OpenClaw Quick Wins — Applied

- Security: secrets to `.env` (chmod 600), `redactSensitive: "tools"`
- Heartbeat: `lightContext` + `isolatedSession` + `activeHours 06:00-23:00 CST`
- Fallback chain: kimi-k2.5:cloud → gemma4:latest → qwen2.5-coder:7b
- Command logger hook enabled
- Dreaming (3 AM CST) + Active Memory (DMs only, 30s timeout) enabled
- sessionMemory experimental enabled

## Radicale CalDAV Migration — COMPLETED

- Radicale 3.7.1 on `0.0.0.0:5232`, htpasswd bcrypt, 3 users (matt, aundrea, assistant)
- `calendar_sync.py` fully rewritten — all Google API stripped, uses caldav+icalendar
- 6 downstream modules updated, public API preserved
- `process_webhook_email()` wired: webhook → LLM → Radicale → Brain → Hermes
- Commit `a8f32d1` pushed

### Key Lessons

- htpasswd MUST use bcrypt `$2b$` — `$apr1$` fails
- Bind `0.0.0.0:5232` — Tailscale IPs are virtual/rotating
- Rights file: permissive `RrWw` — per-user ACL caused 403
- iOS CalDAV discovery is per-user principal only → both phones use `assistant` account

## Cloudflare + Phone Setup

- `cal.hoffdesk.com` Cloudflare Tunnel → `localhost:5232` (HTTPS for iOS)
- `hook.hoffdesk.com` Cloudflare Tunnel → webhook FastAPI
- Cloudflare Email Worker deployed: `assistant@hoffdesk.com` → Worker → webhook
- iPhone CalDAV confirmed syncing (Matt's phone)

## Hermes + Location Hardening

- `hermes_notify()` — fires on every Radicale write, direct Bot API (no CLI hang)
- Day-of-week mismatch detection: LLM extracts `claimed_day_of_week`, pipeline cross-checks
- LLM location hallucination fix: "Golrusk" → fuzzy cache match → "Golrusk Pet Care Center"
- Nominatim fallback for when Google Places API is dead
- Duplicate notification fix: removed event-creation from `push_pipeline_results()`

## Auth Circuit Breaker

- 3 consecutive IMAP auth failures → circuit trips → ONE alert to Matt → silence
- Auto-resets on success, manual reset via CLI or state file deletion
- Webhook pipeline unaffected (no IMAP dependency)

## Backup Strategy

- Daily 7 AM: tar Radicale + ChromaDB + config → `~/.hoffdesk_backups/` (7-day rolling)
- Remote copy to Gaming PC via Tailscale SSH (`matt-pc.tail864e81.ts.net`)
- Windows SCP workaround: Python pipe on remote side
- `SKIP_REMOTE=true` env var for when Gaming PC is offline

## Security Fixes

- `scripts/.env`: 664 → 600
- `htpasswd`: 664 → 600
- Location cache deduped: 11 → 6 entries
- MagicDNS replacing hardcoded IPs in all config

## Outstanding (as of 4/18)

- Aundrea phone CalDAV setup (deferred)
- Auth circuit breaker (done 4/19)
- Drop-Box Drive (blocked on Google)
- command-logger.jsonl logrotate check in ~1 month
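
The behaviour listed under "Auth Circuit Breaker" (three consecutive failures, one alert, reset on success or by deleting the state file), sketched as an added example that is not the project's own code. The class name, the JSON state layout and the `alert` callback are assumptions made for illustration.

```python
import json
import os
import tempfile

THRESHOLD = 3  # consecutive IMAP auth failures before the circuit trips (from the notes)

class AuthCircuitBreaker:
    """Count consecutive auth failures on disk and alert exactly once when tripped."""

    def __init__(self, state_path, alert, threshold=THRESHOLD):
        self.state_path = state_path  # hypothetical path; deleting it is the manual reset
        self.alert = alert            # hypothetical callable(str), e.g. a notify hook
        self.threshold = threshold

    def _load(self):
        # A missing or corrupt state file is treated as a closed (healthy) circuit.
        try:
            with open(self.state_path) as fh:
                state = json.load(fh)
            return {"failures": int(state["failures"]), "alerted": bool(state["alerted"])}
        except (OSError, ValueError, KeyError, TypeError):
            return {"failures": 0, "alerted": False}

    def _save(self, state):
        # mkstemp creates the file 0600; os.replace makes the update atomic.
        directory = os.path.dirname(os.path.abspath(self.state_path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
        os.replace(tmp, self.state_path)

    def is_tripped(self):
        return self._load()["failures"] >= self.threshold

    def record_failure(self):
        state = self._load()
        state["failures"] += 1
        if state["failures"] >= self.threshold and not state["alerted"]:
            # Alert before saving, so a failed send is retried on the next failure.
            self.alert(f"IMAP auth failed {state['failures']} times in a row; further alerts suppressed")
            state["alerted"] = True
        self._save(state)

    def record_success(self):
        # Auto-reset: a successful login closes the circuit and re-arms the alert.
        self._save({"failures": 0, "alerted": False})
```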