# 2026-03-05 — Major Stack Overhaul Session (with Claude Code)

A very long and productive session with Claude Code (not Pipo doing the work, but worth logging for continuity).

## What changed tonight

### OpenClaw & Gateway

- Updated openclaw from v2026.3.1 → v2026.3.2 (`sudo npm install -g openclaw@2026.3.2`)
- Fixed `OPENCLAW_SERVICE_VERSION` in systemd service file to match
- Updated `OPENROUTER_API_KEY` in service file to new key
- Fixed Model Selection dropdown bug: moved `blockrun/auto` to first position in `agents.defaults.models` (LitElement falls back to first option)
- Gateway token in service file ends with "our tailnet" — looks like a corruption artifact, but gateway is running fine. Don't touch unless it breaks.

### Kimi (Moonshot) agent added

- API key stored in openclaw.json under `custom-api-moonshot-ai` provider
- CLI wrapper: `/home/ubuntu/.local/bin/kimi-openclaw`
- Model: `kimi-k2.5` (most capable stable Moonshot model)
- Added to agents.list and defaults.models

### Skills installed (via clawhub into workspace/skills/)

- `gog` — Google Workspace CLI (gmail, calendar, drive — read-only configured)
- `summarize` — wrapper at `/home/ubuntu/.local/bin/summarize` (delegates to Gemini CLI, steipete binary is macOS-only)
- `session-logs` — search older sessions with jq
- `weather` — wttr.in, no API key needed
- `notion` — API key at `~/.config/notion/api_key`, integration sees 5 pages
- `gh-issues` — already bundled with openclaw, GitHub logged in as ignaciolagosruiz
- `coding-agent` — already bundled with openclaw
- `healthcheck` — already bundled with openclaw

### Removed

- `bitwarden` (rbw-based) skill — redundant with `openclaw-bitwarden` (bw-based)

### Chrome extension

- Files at `~/.openclaw/browser/chrome-extension/`
- Loaded unpacked on Igna's local Chrome, one tab attached and TESTED WORKING
- Port: 18792, Token: matches OPENCLAW_GATEWAY_TOKEN in service file
- Use `profile="chrome"` in browser tool calls for real logged-in sessions
- Use `profile="openclaw"` for headless automation

### gog (Google Workspace) — READ ONLY

- Services: gmail, calendar, drive (read-only)
- `contacts` service causes `invalid_request` because it includes `directory.readonly` scope (Google Workspace admin scope, blocked for personal accounts). Use `people` instead if contacts needed, but People API didn't add contact scopes in practice.
- Keyring: file-based, passphrase = "openclaw", stored as `GOG_KEYRING_PASSWORD=openclaw` in `~/.bash_aliases`
- Account: `GOG_ACCOUNT=ignaciolagosruiz@gmail.com` also in `~/.bash_aliases`
- Google Cloud project: OAuth client "pipo-gmail-readonly", Desktop app type, client_id: `481954864492-...`
- APIs enabled: Gmail, Calendar, Drive, People
- Re-auth command if needed: `gog auth add ignaciolagosruiz@gmail.com --services gmail,calendar,drive,people --readonly --manual`

### Notion

- Token: already at `~/.config/notion/api_key` (was configured in a previous session)
- Internal integration token starts with `ntn_`
- Remember: share pages with integration via "..." → "Connect to" in Notion UI

### Pipo model → gpt-5.3-codex MAXXXED

- Changed from `blockrun/auto` to `openai-codex/gpt-5.3-codex` with `reasoning_effort: high`
- Fallbacks: `blockrun/auto` → `openrouter/openrouter/free`

### ClawRouter agent created

- id: `clawrouter`, name: `ClawRouter`
- Model: `blockrun/auto` → `openrouter/openrouter/free`
- Purpose: dedicated routing agent — delegate to it when unsure which agent/model fits a task

## Agent roster (full, as of tonight)

| Agent | Model |
|-------|-------|
| pipo | gpt-5.3-codex (reasoning_effort: high) |
| clawrouter | blockrun/auto |
| codex | openai-codex/gpt-5.3-codex |
| claude | claude-sonnet-cli/default |
| claude-opus | claude-opus-cli/default |
| gemini | gemini-cli/default |
| deepseek-code | deepseek-code/default |
| kimi | kimi-cli/default (Moonshot kimi-k2.5) |

## Notes / gotchas

- `gpt-5.3-codex-spark` is NOT the right choice for Pipo — it's a distilled fast model for small real-time edits. Full `gpt-5.3-codex` is better for agentic work.
- `summarize` CLI is a macOS-only binary via Homebrew. The wrapper at `/home/ubuntu/.local/bin/summarize` delegates to `gemini -p` instead.
- `directory.readonly` scope = blocked by Google for personal accounts. Never include `contacts` service in gog auth for personal Gmail.
- GOG_KEYRING_PASSWORD must be a non-empty string. Empty string is ignored by gog.
- **openclaw.json model config**: only `{primary, fallbacks}` is valid for agent model objects. Adding extra fields like `params: {reasoning_effort}` causes gateway to crash with "Invalid input" and 502. Don't add unsupported fields.
- **CUPS ran as a snap** (`snap/cups/...`), not just systemd — masking the systemd unit wasn't enough. Had to `sudo snap disable cups` to fully kill it.
- **rpcbind was held by systemd socket activation** (PID 1) — had to mask the socket unit, not just the service.

## Security hardening done tonight

- CUPS (print spooler): fully disabled via `sudo snap disable cups`. Was on port 631/tcp.
- rpcbind: masked via `sudo systemctl mask rpcbind.socket --now`. Was on port 111/tcp.
- Remaining public exposure: port 22 (SSH) only. Port 443 and 58687 are Tailscale-only.
- If port 631 or 111 appear again → regression, re-disable.

## Orphaned processes found and killed

- Multiple Python HTTP servers on ports 3001–3007 from previous sessions
- Old tmux socket from March 1st Bitwarden auth session
- Stale Tailscale preview routes: `/preview/ils-demo/`, `/preview/ils-claude/`
- Tip: run `ss -tlnp | grep -E "300[0-9]"` periodically to spot leftover dev servers
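A regression check that combines the two tips above (port 631/111 reappearing, leftover dev servers on 3001–3007) into one script. This is an added example, not part of the original notes or of openclaw; it parses `ss -tlnp` output so it can be run against the live host or a saved snapshot, and the snapshot embedded below is constructed, not captured from this machine.

```shell
#!/bin/sh
# Flags listeners that the hardening notes say must stay closed:
#   631 (CUPS), 111 (rpcbind), 3001-3007 (leftover Python dev servers).
# Input is `ss -tlnp` output on stdin, so a saved snapshot works too.

# Constructed sample snapshot (not real output from this host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:18792      0.0.0.0:*     users:(("node",pid=2201,fd=19))
LISTEN 0      128    0.0.0.0:111          0.0.0.0:*     users:(("systemd",pid=1,fd=55))
LISTEN 0      5      0.0.0.0:3004         0.0.0.0:*     users:(("python3",pid=3310,fd=3))'

# Prints "<port> <process>" for every listener on a forbidden port.
# Exit status 1 if anything matched (regression), 0 if the host is clean.
find_regressions() {
    awk 'NR > 1 {
        # Column 4 is Local Address:Port; the port is the last ":"-separated
        # field, which also handles IPv6 forms such as [::]:22.
        n = split($4, a, ":"); port = a[n]
        if (port == 631 || port == 111 || (port >= 3001 && port <= 3007)) {
            # Column 6 looks like users:(("sshd",pid=812,fd=3)); keep the name.
            proc = $6
            sub(/^users:\(\("/, "", proc); sub(/".*$/, "", proc)
            if (proc == "") proc = "?"   # no -p info (e.g. run without root)
            print port, proc; hit = 1
        }
    } END { exit hit ? 1 : 0 }'
}

# Live check on the host (run as root so process names are shown):
#   ss -tlnp | find_regressions
```

Hook it into cron or a healthcheck and treat a non-zero exit as "re-disable CUPS / re-mask rpcbind.socket / kill the stray dev server".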