📄 2026-04-25.md 6,533 bytes Apr 25, 2026 📋 Raw

2026-04-25 — Host Routing Rollout & Architecture Lock

Wordmark Fix ✅

Matt flagged wordmark was crunched (tagline overlapping "Desk" text)
SVG canvas expanded: 400×128 → 440×160
Dropped scale(0.85) on the mark, restored ground line
Re-spaced: Hoff at y=70, Desk at y=112, tagline at y=142 (30px buffer)
Updated: wordmark.svg, preview.html, and live brand-preview.html on notes.hoffdesk.com

Starlette Host Routing — FULLY DEPLOYED ✅

What Changed

Socrates wrote main_v2.py with Starlette Host() routing — 3 sub-apps (family, notes, blog) + dev mode fallback
Systemd service updated from main:app → main_v2:application, host 127.0.0.1 → 0.0.0.0
Cloudflare tunnel ingress updated:
Removed family. → port 8001 split (now all through port 8000, Host routing handles dispatch)
Removed blog.hoffdesk.com (zombie subdomain, no DNS CNAME)
Added hoffdesk.com ingress entry
DNS: hoffdesk.com apex changed from placeholder A record (192.0.2.1) to CNAME pointing to *.cfargotunnel.com

Verification

Subdomain	Result	Notes
`family.hoffdesk.com`	✅ 302 → `/family/login/`	Dashboard app
`notes.hoffdesk.com`	✅ 302 → `/admin/blog/`	Blog admin app (was showing dashboard before!)
`hoffdesk.com`	✅ 302 → `/api/blog/`	Public blog app (was NXDOMAIN before)
`api.hoffdesk.com`	✅ 200	Health check pass
`cal.hoffdesk.com`	✅	Radicale, unchanged
`hook.hoffdesk.com`	✅	Webhooks, unchanged

Auth Testing

family.hoffdesk.com/family/login/ — POST /auth/login with matt/hoffdesk-matt-2026 → ✅ 200, session cookie set
notes.hoffdesk.com/admin/blog/ — session cookie carries across subdomain → ✅ admin dashboard renders
Credentials confirmed: matt/hoffdesk-matt-2026, aundrea/hoffdesk-aundrea-2026

UI Enhancements

Password visibility toggle (eye icon) added to both login pages:
family_login.html — toggle sits inside password input, eye/eye-off SVGs
admin_login.html.j2 — same toggle, blog admin login
CSS: .password-wrapper with .password-toggle button, absolute positioned
JS: togglePassword() swaps type="password" ↔ type="text"

Remaining

Dashboard still served as static HTML (read_text), not Jinja2 — handoff doc JINJA2-HANDOFF.md written
Pipeline Phase 2 templates still unwired (blocked on Socrates routes)
proto.hoffdesk.com dev server still running, should retire

2026-04-25 — Continued: Codebase Reviews + Credential Security

HoffDesk Agents — Full Codebase Review Delivered ✅

What I Reviewed

Full mono-repo: agents/ (3 OpenClaw agents), services/family_assistant/ (24 modules, ~10k lines), shared/ (api-specs, schemas, project-docs)
Every major Python module read: pipeline.py (1148), intent_engine.py (761), hermes.py (666), calendar_sync.py (660), location_cache.py (658), newsletter_parser.py (612), family_brain.py (495), document_sorter.py (486), cli.py (475), conflict_engine.py (415), conflict_notify.py (414), rejection_engine.py (412), maintenance_sentinel.py (376), config.py (369), clicker.py (303), slot_handler.py (309), appointment_parser.py (325), rrule_builder.py (273), email_webhook.py (252), setup.py (251), email_fetcher.py (224), intent_router.py (208), inbound_hook.py (173)
GitHub: NightKnight64/hoffdesk-agents

Key Findings

Overall score by dimension: Architecture 8/10, Features 7/10, Code Quality 7/10, Portability 6/10, Commercial Viability 4/10, Security 6/10
CRITICAL: .env with live credentials lives inside the tracked repo tree — gitignored but one force-push from exposure
CRITICAL: appointment_retry.txt is empty (0 lines) — LLM retry path sends blank prompt, email silently fails
Pipeline has ~500 lines of duplicated code (IMAP path vs webhook path)
23/24 modules have zero tests
Gaming PC (Tailscale) is a hard dependency for embeddings + vision
Circuit breaker pattern on IMAP auth is a smart pattern
Shadow filtering (rejection_engine.py) events are demoted, not deleted — correct UX decision
rrule_builder.py prevents LLM hallucination on recurrence — best pattern in the codebase
Review written to review/hoffdesk-agents-review.md

DHA Core — Codebase Review Delivered ✅

What I Reviewed

/home/hoffmann_admin/dha-core-legacy (NightKnight64/dha-core) — 10 files, 716 lines
Historical prototype that became family-assistant
Architecture: Abstract module framework (DHA_Module ABC) + EventBus + Service_Manifest YAML

Key Findings

Good abstraction design (plugin pattern via ABC + YAML manifest) but all adapters stubbed
Google adapter returns hardcoded mock data, notification module just print()s, no real I/O
household.yaml includes Maggie the dog with RBAC role — playful, but reflects prototype stage
Portability 5/10 by virtue of being incomplete (minimal deps, but useless without wiring)
Evolution value: 7/10 — taught patterns that shaped Family Assistant
Recommendation: Archive on GitHub with "superseded by family-assistant" note

Family Assistant (Standalone) — Reviewed ✅

Relationship to hoffdesk-agents

22/24 Python files are byte-for-identical to the mono-repo version
hermes.py differs (602 vs 666 lines — mono-repo has OpenClaw integration)
pipeline.py differs by 1 byte
Standalone repo has important artifacts mono-repo lacks: systemd/ service files, Cloudflare email_worker.js, WEBHOOK_DEPLOY.md, backup script, MIT LICENSE
SAME .env credential risk as mono-repo

Evolution: DHA Core (716 lines, abstract) → Family Assistant (~10k lines, shipping) → hoffdesk-agents monorepo

DHA Core: prototype with good patterns, everything stubbed
Family Assistant: real production code processing Matt's email, syncing Radicale, serving Telegram
hoffdesk-agents: mono-repo adding OpenClaw agent integration, shared workspace, cross-agent coordination

Credential Security Summary

Three repos with live .env files in tracked trees:
1. hoffdesk-agents/services/.env — GMAIL_APP_PASSWORD, GOOGLE_PLACES_API_KEY, CALDAV_PASSWORD, TELEGRAM_BOT_TOKEN, WEBHOOK_SECRET, OLLAMA_EMBED_URL
2. ~/.openclaw/workspace/scripts/.env — same credentials
3. dha-core has no live credentials (prototype)

Recommendation (repeated from review): Rotate all 6 credentials, move .env to ~/.openclaw/secrets/family-assistant.env

← Back