Clawstin Morning Paper

AUTOAUDIT Summary -- 2026-03-12

Findings

CRITICAL

None.

WARNING

1. vital-widget stale (26.7h). `vital-widget.json` last updated 2026-03-11T04:01Z. `sync-vital-widget.sh` last ran at 00:45 on 3/11 per logs — widget sync LaunchAgent (`com.clawstin.vital-widget-sync`) appears to have stopped firing. The widget data (balance, burn rate) shown on Ghost's phone is >24h old.
2. 2 cron jobs in error state: token-burn-weekly, clear-chronic-wednesday. `token-burn-weekly` (9dfc1cc7) — error state, 3rd consecutive audit. Framework artifact; report delivers via direct Signal send. `clear-chronic-wednesday` (1fe32258) — error state, no model assigned (model column is `-`). Missing model will cause repeated failures.
3. vitals-api and vital-server LaunchAgents exit -15 (SIGTERM). `clawstin.vital-server` (pid 75085, exit -15) and `clawstin.vitals-api` (pid 62742, exit -15). Smoke test confirms flask-api on :8765 IS responding, so vital-server recovered. Both show SIGTERM — likely restarted by launchd. No functional impact currently, but repeated SIGTERM exits warrant monitoring.
4. balance-anchor missing last_checked in smoke test. Smoke test reported "no last_checked timestamp" but `vital-balance-anchor.json` DOES contain `"last_checked": "2026-03-12T06:45:00Z"`. This is a smoke_test.py bug — it's checking for a field name or format that doesn't match the actual file. Balance is healthy: $66.69.
5. Stale FER references persist. 4th consecutive audit. FER dismantled in session 17 but references remain in: - `lifeboat-system/launch-agents/clawstin.fer-monitor.plist` — dead plist copy - `scripts/balance-scrape-cron.md` line 20 — references `fer-monitor.py` - `state/dependency_map.json` lines 119-167 — 8 entries for deleted FER scripts
6. SCHEDULE.md not chronologically sorted. 7th consecutive audit. Entries after May 28 dentist are out of order. "Cameras for Poole, Warehouse", "Call Alan at 7pm Tonight", and "Carebear Vig starts 12am tuesday" have no dates or have relative dates that are now stale/ambiguous.
7. Context load: 2,769 words (threshold: 1,500). Files over 400-word threshold: - AGENTS.md: 772 words (auto-injected) - memory/2026-03-11.md: 1,297 words (startup-read; 10 sessions in one day)
Full breakdown: AGENTS.md 772, SOUL.md 64, TOOLS.md 68, IDENTITY.md 32, USER.md 32, HEARTBEAT.md 95, MEMORY.md 117, STYLE.md 17, SYNC.md 105, WORKING_MEMORY.md 22, memory/2026-03-12.md 148, memory/2026-03-11.md 1,297.
memory/2026-03-11.md is the primary bloat source — 10 sessions logged on one day. This inflates every session start. Consider distilling verbose session details to session files only, keeping daily log entries to 1-2 lines each.
8. vital-widget.json duplicated in two locations. `vital-widget.json` (root, 711 bytes, Mar 11 00:02) and `memory/vital-widget.json` (711 bytes, Mar 11 00:15) are identical copies. Additionally, multiple stale widget script versions litter the workspace root: `vital-widget-3.1.js`, `vital-widget-3.2.js`, `vital-widget-3.3.js`, `vital-widget-clean.js`, `vital-widget-clean.txt`, `vital-widget-latest.js`, `vital-widget-scriptable.txt`. These are development artifacts that could be cleaned up.

Carried Over

1. SCHEDULE.md sort order — 7th consecutive audit. 2. MEMORY.md pending items from 2026-03-04 — items Ghost marked "for MEMORY.md" still awaiting confirmation (Hellbot verification triple, $HINV replaces $HCOMP, parser number-name bug, legacy data boundary row 878+, positive SALE qty = returns, quarterly system refresh April 1). 6th consecutive audit. 3. token-burn-weekly cron error state — 3rd consecutive audit. Framework artifact; report delivers via direct Signal. 4. Stale FER references — 4th consecutive audit.

Resolved From Last Report

- morning-brief cron error state — RESOLVED. Status now shows `ok` in cron list (was `error` for 3 audits). - Proton triage transient failure — RESOLVED. No recurrence; IMAP check passing. - balance-anchor smoke test mismatch — CARRIED FORWARD as smoke_test.py bug (finding #4 above). The anchor itself is healthy.

Past-Due Schedule Entries

- `2026-03-09 09:00 -- ACCOUNTS RECEIVABLE - mighty white - SNOOZE/RESOLVE?` (snoozed to 3/16) - `2026-03-11 10:00 -- Tori post office help` - `2026-03-11 13:00 -- Garry Dan Call` - `2026-03-11 15:54 -- Hound BAM` - `Call Alan at 7pm Tonight` — undated/stale relative reference - `Carebear Vig starts 12am tuesday` — undated/stale relative reference - `Cameras for Poole, Warehouse` — undated

Fired One-Shot Reminders

- `clawstin.ats.dentist-may-28th-8am` — loaded, not yet fired (fires May 28). Not stale. - No fired one-shot plists detected.

Step Completion Checklist

Step 1 -- Pre-Audit Data: completed (11 checks; 0 errors, 2 warnings: LaunchAgents exit -15, schedule past-due) Step 1.5 -- Smoke Tests: completed (12 checks; 9 pass, 3 warn: balance-anchor field mismatch, vital-widget 26.7h stale, 2 cron jobs in error) Step 2 -- Last Report Review: completed (4 carried-over items; morning-brief resolved, proton triage resolved) Step 3 -- Daily Integration: completed (2026-03-12 + 2026-03-11 logs reviewed; session 26 gateway restart, Signal groups fixed, session 25 persistence/compaction/lifeboat) Step 4 -- Git Diff + Downstream: completed (12 commits; AGENTS.md updated with inference flagging principle; BOOTSTRAP.md created then deleted; stale FER refs persist) Step 5 -- File Health Review: completed (MEMORY.md 117w healthy; context load 2,769w over 1,500 threshold; AGENTS.md 772w and memory/2026-03-11.md 1,297w over 400 threshold; SCHEDULE.md sort+undated issues persist) Step 6 -- Cron + Automation: completed (23 cron jobs; 2 in error state; clear-chronic-wednesday has no model assigned; model assignments otherwise appropriate) Step 7 -- Script Validation: completed (send-todo.sh ✓, triage-proton.py ✓, triage.py ✓, watchdog/ ✓ — all scripts present and paths valid) Step 8 -- Cross-File Consistency: completed (stale FER refs in 3 files; vital-widget duplicated in root + memory/; all AGENTS.md referenced files verified: INDEX.md ✓, CL.md ✓, GUARDRAILS.md ✓, SUBSIDIARITY.md ✓, WHEN-BUILDING.md ✓, HEARTBEAT-FULL.md ✓, STYLE-FULL.md ✓, MEMORY-ARCHITECTURE.md ✓)

Model	Portfolio Value	P/L	Cash	Holdings
M01 Momentum Chaser	$998.26	$-1.74 (-0.2%)	$94.46	MSTR 1.1148sh @$138.32, ADBE 0.5523sh @$273.70, QQQ 0.2491sh @$607.73, MSFT 0.3659sh @$404.82, TSLA 0.3704sh @$407.84, CRM 0.7619sh @$194.08
M02 Trend Follower	$1000.84	+$0.84 (+0.1%)	$850.00	NVDA 0.8109sh @$186.01
M03 Momentum Rotator	$1159.43	+$159.43 (+15.9%)	$1159.43	Cash only
M04 Headline Trader	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M05 Hot Sector Rotator	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M06 Earnings Anticipator	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M07 Panic Buyer	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M08 Smart Money Tracker	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M09 Gap Fader	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M10 Coil & Breakout	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only

Security Guard Report - 2026-03-12

Patrol time: 03:30 AM (America/New_York) Agent: Security Guard (Claude Opus) AutoAudit verified: Yes (2026-03-12) Previous report: 2026-03-11

Executive Summary

Overall threat level: MEDIUM (unchanged from yesterday)
No new critical findings. All prior findings persist with minimal change. Key observations this patrol:
- lifeboat-system/ credential directory - 5th consecutive patrol. Still in workspace with full API key suite. Individual files are 600, but several parent subdirectories (den/, openclaw-config/, rclone/, signal-data/) are 755 (world-readable directory listing). No change in risk profile. - vitals-api down - Both clawstin.vital-server and clawstin.vitals-api LaunchAgents show exit -15 (SIGTERM). No process is listening on port 8765. The api.clawstin.org Cloudflare Tunnel route returns connection refused. This is a reliability issue, not a security issue. - No new credential exposure - Hellbot subagent files (new since last patrol) contain no credentials. No .env files found. No stray API keys detected. - LuLu firewall running - Both app (PID 1491) and system extension (PID 699) active. - No external threat intelligence - 5th consecutive patrol unable to check NVD/Node.js/macOS advisories (sandbox has no network access).
This patrol identified 8 findings: 1 severity 7, 3 severity 5, 1 severity 3, and 3 severity 1-2.

FINDINGS

SG-2026-03-12-001: Lifeboat-System Credential Directory in Workspace

Severity: 7 (unchanged - 5th consecutive patrol)
Evidence: ``` $ ls -la /Users/aicomputer/.openclaw/workspace/lifeboat-system/ drwxr-xr-x 9 aicomputer staff 288 Mar 6 17:21 . (755 parent dir) drwx------ 5 aicomputer staff 160 Mar 6 17:21 cloudflared (700 OK) drwxr-xr-x 4 aicomputer staff 128 Mar 6 17:21 den (755 BAD) drwx------ 7 aicomputer staff 224 Mar 6 17:21 gmail-tokens (700 OK) drwxr-xr-x 67 aicomputer staff 2144 Mar 11 09:15 launch-agents (755, no creds) drwxr-xr-x 3 aicomputer staff 96 Mar 6 17:21 openclaw-config (755 BAD) drwxr-xr-x 3 aicomputer staff 96 Mar 6 17:21 rclone (755 BAD) drwxr-xr-x 5 aicomputer staff 160 Mar 6 17:21 signal-data (755 BAD) ```
Credential files inside are all -rw------- (600), but 4 of 7 subdirectories are 755 - any local user can traverse and ls the directory contents (seeing filenames), though they cannot cat the file contents.
Contents confirmed present (file permissions are 600): - den/fernet-key.b64 - 61 bytes, Fernet master encryption key - den/creds.enc - 4792 bytes, encrypted credential store (key is adjacent) - openclaw-config/openclaw.json - plaintext API keys: sk-ant-[REDACTED], sk_[REDACTED] (ElevenLabs), sk-or-[REDACTED] (OpenRouter) - gmail-tokens/credentials.json - Google OAuth client_secret: GOCSPX-[REDACTED] - gmail-tokens/token-*.json - 3 Gmail OAuth tokens with access + refresh tokens - rclone/rclone.conf - Google Drive OAuth tokens - signal-data/535318 - Signal key material - cloudflared/2c29ad40-*.json - Cloudflare tunnel secret
Mitigating factors: - All individual files are 600 (owner-read-only) - lifeboat-system/ is in .gitignore - not committed - No git remote configured (local-only repo, confirmed via .git/config) - Nightly backup ran successfully at 02:06 today (encrypted zip to Google Drive)
Remaining risk: Fernet key stored as a file next to the encrypted store negates encryption benefit. Directory permissions on den/, openclaw-config/, rclone/, signal-data/ should be 700.
Rubric: Severity 7 - credential storage locally accessible, not externally exposed.
Action: chmod 700 on den/, openclaw-config/, rclone/, signal-data/. Consider moving lifeboat-system/ out of workspace. Store Fernet key in macOS Keychain only.

SG-2026-03-12-002: Cloudflare Tunnel - 4 Routes, 2 Active, 1 Unauthenticated

Severity: 5 (unchanged - matches accepted risk SG-2026-03-10-002 for static site)
Evidence: ``` $ cat lifeboat-system/cloudflared/config.yml ingress: - hostname: clawstin.org -> localhost:8877 (Python http.server, static, NO AUTH) ACTIVE - hostname: voice.clawstin.org -> localhost:3334 (NOT RUNNING) - hostname: webhook.clawstin.org -> localhost:18789 (NOT RUNNING) - hostname: api.clawstin.org -> localhost:8765 (NOT RUNNING - vitals-api SIGTERM) - service: http_status:404 (catch-all)
$ ps aux | grep "8877" PID 75085: Python -m http.server 8877 --directory /Users/aicomputer/clawstin-site
$ ps aux | grep "8765" (no process found)
$ launchctl list | grep vital 75085 -15 clawstin.vital-server (SIGTERM exit) 62742 -15 clawstin.vitals-api (SIGTERM exit) ```
Analysis: - clawstin.org (8877): Static site, no auth - accepted risk (SG-2026-03-10-002) - voice.clawstin.org (3334): Not running. No risk. - webhook.clawstin.org (18789): Not running. No risk. - api.clawstin.org (8765): Down (SIGTERM). No security risk while down.
Rubric: Severity 5 - static site serves display telemetry only (accepted). API is down.

SG-2026-03-12-003: Chrome Remote Desktop Running

Severity: 3 (accepted risk - SG-2026-03-09-005, permanent accept)
Evidence: ``` $ ps aux | grep remoting PID 1505: remoting_me2me_host --host-config=...org.chromium.chromoting.json --ssh-auth-sockname=/tmp/chromoting.aicomputer.ssh_auth_sock PID 1478: remoting_me2me_host_service --run-from-launchd PID 805: remoting_agent_process_broker (root) ```
Running since Saturday boot. Full desktop access via Google account + PIN.
Rubric: Accepted risk (permanent). Downrated to 3 per deduplication rule.

SG-2026-03-12-004: Signal-CLI HTTP Daemon on Localhost (No Auth)

Severity: 5 (unchanged)
Evidence: ``` $ ps aux | grep signal PID 88391: java ... org.asamk.signal.Main -a +16072208785 daemon --http 127.0.0.1:8080 --no-receive-stdout ```
signal-cli daemon on 127.0.0.1:8080 - HTTP, no TLS, no authentication. Any local process can send Signal messages as the registered number.
Mitigating factors: - Bound to 127.0.0.1 only (not 0.0.0.0) - Requires local process access - LuLu firewall active
Rubric: Severity 5 - localhost service without auth, requires local access.

SG-2026-03-12-005: Proton Bridge Sentry DSN in Process Table

Severity: 2 (unchanged - informational)
Evidence: ``` $ ps aux | grep proton PID 1508: crashpad_handler ... sentry_key=ea31df[REDACTED] ```
Sentry DSN is a public ingest-only key (by design). Not a private API credential.
Rubric: Severity 2 - informational.

SG-2026-03-12-006: Test Password in Fixture File

Severity: 1 (unchanged - informational)
Evidence: ``` $ grep "password" scripts/test-llc-intake.json "password": "SecureP@ss1" ```
Test fixture with dummy password. File is 600. Not a real credential.
Rubric: Severity 1 - test data.

SG-2026-03-12-007: Brave Browser Remote Debugging Port Active

Severity: 2 (informational - unchanged)
Evidence: ``` Multiple Brave Browser Helper processes with --remote-debugging-port=18800 --user-data-dir=/Users/aicomputer/.openclaw/browser/openclaw/user-data ```
OpenClaw headless browser for automation. Localhost-only, separate profile.
Rubric: Severity 2 - localhost dev tool, required for operation.

SG-2026-03-12-008: Ollama Local LLM Server Running

Severity: 1 (informational - new finding)
Evidence: ``` $ ps aux | grep ollama PID 1511: /Applications/Ollama.app/Contents/Resources/ollama serve Running since Sat 07AM ```
Ollama local LLM inference server. Default bind: 127.0.0.1:11434.
Rubric: Severity 1 - localhost-only local LLM. No credential risk.

Threat Landscape - External Intelligence

Status: UNAVAILABLE (5th consecutive patrol)
Sandbox has no network access. Unable to check NVD, Node.js advisories, macOS bulletins, OpenClaw GitHub, or Signal CLI issues.
Recommendation: Ghost should periodically check: 1. https://nvd.nist.gov for CVEs affecting macOS Sequoia, Python 3.9, Java 21 2. https://support.apple.com/en-us/100100 for macOS security updates 3. https://github.com/AsamK/signal-cli/releases for signal-cli 0.13.24 vulnerabilities

Risk Acceptance Cross-Reference

| Finding | Matches Accepted Risk? | Action | |---------|----------------------|--------| | SG-001 (lifeboat creds) | No - not yet accepted | Include in brief | | SG-002 (Cloudflare tunnel) | Yes - SG-2026-03-10-002 | Noted, not escalated | | SG-003 (Chrome Remote Desktop) | Yes - SG-2026-03-09-005 | Downrated to 3 | | SG-004 (signal-cli no auth) | No | Include in brief | | SG-005 (Proton sentry DSN) | No (low sev) | Informational | | SG-006 (test password) | No (low sev) | Informational | | SG-007 (Brave debug port) | No (low sev) | Informational | | SG-008 (Ollama) | No (low sev) | Informational |

Changes Since Last Patrol (2026-03-11)

1. Vitals-API down - Port 8765 has no process. LaunchAgents exited SIGTERM. Availability issue, not security. 2. Hellbot subagent deployed - New hellbot/ directory. No credentials found. state.enc is encrypted. cli.py is 600. 3. New commands added - FIX.md, BOOK.md, BRE.md, SSA.md, END.md, ULP.md. No security implications. 4. Nightly backup successful - Committed 02:00, lifeboat uploaded 02:06. 5. Directory permission inconsistency persists - den/, openclaw-config/, rclone/, signal-data/ still 755. 6. No world-writable files - find confirmed zero results. 7. No .env files - find confirmed zero results.

File Permission Audit Summary

| Path | Permission | Expected | Status | |------|-----------|----------|--------| | ~/.openclaw/ | drwx------ | 700 | OK | | ~/.openclaw/credentials/ | drwx------ | 700 | OK | | ~/.openclaw/creds.enc | -rw------- | 600 | OK | | ~/.openclaw/openclaw.json | -rw------- | 600 | OK | | workspace/.gitignore | -rw------- | 600 | OK | | lifeboat-system/ | drwxr-xr-x | 700 | BAD (755) | | lifeboat-system/den/ | drwxr-xr-x | 700 | BAD (755) | | lifeboat-system/cloudflared/ | drwx------ | 700 | OK | | lifeboat-system/gmail-tokens/ | drwx------ | 700 | OK | | lifeboat-system/openclaw-config/ | drwxr-xr-x | 700 | BAD (755) | | lifeboat-system/rclone/ | drwxr-xr-x | 700 | BAD (755) | | lifeboat-system/signal-data/ | drwxr-xr-x | 700 | BAD (755) | | All credential FILES inside | -rw------- | 600 | OK |

Summary Table

| ID | Finding | Severity | Trend | Accepted? | |----|---------|----------|-------|-----------| | SG-001 | Lifeboat-system creds in workspace | 7 | unchanged (5th) | No | | SG-002 | Cloudflare tunnel (4 routes) | 5 | unchanged | Partial | | SG-003 | Chrome Remote Desktop | 3 | unchanged | Yes | | SG-004 | signal-cli HTTP no auth | 5 | unchanged | No | | SG-005 | Proton sentry DSN in ps | 2 | unchanged | No | | SG-006 | Test password in fixture | 1 | unchanged | No | | SG-007 | Brave remote debug port | 2 | unchanged | No | | SG-008 | Ollama local LLM server | 1 | NEW | No |
No findings rated 9-10. No Signal alert required.

INNOVATIONS

RESEARCHER

Researcher Report — 2026-03-12

Phase 1: Tech Research

EAT (queued to fridge)

HOLD (notable but not fridged)

Phase 2: PaperTrader Experiments

Phase 2 Errors

Phase 3: Optimization Analysis

Session Model Usage (46 sessions, last 7d)

Cost Optimization Opportunities

Budget Summary

AUTO AUDIT RESULTS