docs(obsidian): sync vault notes

2026-03-30 17:08:55 -07:00
parent 1606283197
commit f0c84a8f05
12 changed files with 558 additions and 265 deletions
@@ -25,12 +25,14 @@
            "id": "614d9018f88254e9",
            "type": "leaf",
            "state": {
-              "type": "release-notes",
+              "type": "markdown",
              "state": {
-                "currentVersion": "1.12.7"
+                "file": "Infrastructure/Architecture.md",
+                "mode": "source",
+                "source": false
              },
-              "icon": "lucide-book-up",
-              "title": "Release Notes 1.12.7"
+              "icon": "lucide-file",
+              "title": "Architecture"
            }
          }
        ],
@@ -196,16 +198,31 @@
      "bases:Create new base": false
    }
  },
-  "active": "614d9018f88254e9",
+  "active": "83702dd4b091f767",
  "lastOpenFiles": [
-    "Notes/2026-03-25 OpenClaw Core Update.md",
-    "Infrastructure/Automation/Cron Jobs.md",
-    "Infrastructure/Automation/Channel Routing Policy.md",
-    "Infrastructure/Automation/n8n Workflows.md",
-    "Conventions.md",
-    "Plans/Daily Schedule.md",
+    "Notes/2026-03-27 Nightly Vault Sync.md",
+    "Infrastructure/Automation/n8n Nightly Vault Sync.md",
+    "Infrastructure/Automation/n8n IMAP Triage Pipeline.md",
+    "Notes/2026-03-27 Obsidian Vault Audit.md",
+    "Notes/2026-03-27 Obsidian REST Write Fix.md",
+    "Infrastructure/Automation/api-tiny-write-test.md",
+    "Notes/test-postput.md",
+    "Infrastructure/Automation/fs-write-test.md",
+    "Infrastructure/fs-write-test.md",
+    "Plans/fs-write-test.md",
+    "Notes/fs-write-test.md",
+    "OpenClaw Checks/test-a.md",
+    "OpenClaw Checks/curl-write-check.md",
    "Infrastructure/Architecture.md",
    "Infrastructure/Services/Docker Services.md",
+    "Conventions.md",
+    "OpenClaw Checks/obsidian-api-write-check.md",
+    "OpenClaw Checks",
+    "Plans/Daily Schedule.md",
+    "Infrastructure/Automation/n8n Workflows.md",
+    "Infrastructure/Automation/Channel Routing Policy.md",
+    "Notes/2026-03-25 OpenClaw Core Update.md",
+    "Infrastructure/Automation/Cron Jobs.md",
    "Daily Schedule.md",
    "Resources",
    "Notes",
@@ -216,7 +233,6 @@
    "Plans",
    "Architecture.md",
    "Welcome.md",
-    "test-from-zap.md",
-    "asdasdasdas.md"
+    "test-from-zap.md"
  ]
 }
@@ -3,7 +3,7 @@ title: Architecture
 area: infrastructure
 tags: [infrastructure, homelab, assistant, integrations, automation]
 created: 2026-03-18
-updated: 2026-03-25
+updated: 2026-03-27
 status: active
 related: [[Infrastructure/Services/Docker Services]], [[Infrastructure/Automation/Cron Jobs]], [[Infrastructure/Automation/n8n Workflows]]
 ---
@@ -12,105 +12,73 @@ related: [[Infrastructure/Services/Docker Services]], [[Infrastructure/Automatio

 High-level map of Will's homelab + assistant stack. For operational details (IPs, credential paths, commands), see TOOLS.md in the assistant workspace.

+Operational note: the shared Obsidian vault lives on a `virtiofs` mount and is touched by both the host Obsidian user (`claw`) and the VM assistant user (`openclaw`); collaborative note folders need write permissions that work for both sides.
+
 See sub-notes for details:
 - [[Infrastructure/Services/Docker Services]]
 - [[Infrastructure/Automation/Cron Jobs]]
 - [[Infrastructure/Automation/n8n Workflows]]

---
+## Current deployment

-## Overview
-
-Will's stack runs on a laptop VM (moving to main host post April 1st). The assistant ([[zap ⚡]]) is an OpenClaw instance with memory, skills, and automation layered on top of local Docker services and a small Raspberry Pi Kubernetes cluster.
-
---
+- The assistant currently runs in a VM on Will's laptop.
+- Planned later move: main host.
+- Shared note workspace lives in `will/will-shared-zap/` inside the Obsidian vault tree.

 ## Networking

-| Layer | Detail |
-|---|---|
-| Primary LAN IP | `192.168.153.113` |
-| Secondary LAN IP | `192.168.153.117` (eth0) |
-| Tailscale IP | `100.123.88.127` |
+- **Primary LAN IP:** `192.168.153.113`
+- **Secondary LAN IP:** `192.168.153.117`
+- **Tailscale IP:** `100.123.88.127`

---
+## Core service layers

-## Core Docker Services
+### Search / retrieval
+- **SearXNG** on `18803` for local-first search
+- **Brave MCP** on `18802` for fallback / second opinion
+- **Ollama embeddings** on `18807` for memory search

-See [[Infrastructure/Services/Docker Services]] for full details.
+### Automation / orchestration
+- **OpenClaw runtime:** `2026.3.24`
+- **Current main interactive session model:** `gpt-5.4`
+- **Local LLM runtime:** llama.cpp on `18806` serving `gemma-3-12b-it-q4_0.gguf`
+- **n8n-agent:** `18808` for scheduled/API-native workflows
+- **LiteLLM proxy:** `18804` for model routing / proxying

-| Service | Port | Role |
-|---|---|---|
-| SearXNG | `18803` | Local-first web search |
-| LiteLLM proxy | `18804` | Model gateway (all providers) |
-| Whisper server | `18801` | Local audio transcription |
-| Brave MCP | `18802` | Brave Search fallback |
-| n8n-agent | `18808` | Automation workflows |
-| Ollama | `18807` | Local embeddings |
-| llama.cpp | `18806` | Local LLM (Gemma 3 12B) |
-| MinIO | `9000` | Object storage (`192.168.153.253`) |
+### Speech / media
+- **Whisper server:** `18801`
+- **Kokoro TTS:** `18805`

---
+## Storage / repos

-## Storage & Git
+### MinIO
+- Bucket: `zap`
+- Purpose: full `~/.openclaw` backups every 6 hours
+- Operational status on 2026-03-27:
+  - one backup run failed at `20260327T061701Z` because the storage backend hit its minimum free-drive threshold
+  - a later backup succeeded at `20260327T181701Z`
+  - backup freshness is currently recovered

-| System | Detail |
-|---|---|
-| **MinIO** | Bucket `zap` — full `~/.openclaw` backups every 6h. Versioned, 90-day retention. |
-| **Gitea** | `gitea-http.taildb3494.ts.net` — `will/swarm-zap.git` — workspace backup/review |
-
---
+### Gitea
+- Repo host: `gitea-http.taildb3494.ts.net`
+- Repo: `will/swarm-zap.git`
+- Purpose: workspace backup / review / sync point

 ## Kubernetes

 - Small Raspberry Pi cluster
 - Shared namespace: `swarm`
- Lightweight workloads only
- Safe scoped operations via `swarm-kubectl-safe` skill
+- Keep workloads lightweight and scoped

---
+## Key integrations

-## Assistant Layer
+- **Telegram:** primary interrupt / reminder / mobile channel
+- **Discord:** deeper technical work and scoped threads
+- **Obsidian:** shared vault + zap memory vault under `/mnt/swarm-common/obsidian-vault/`
+- **Google Workspace:** Gmail / Calendar / Drive / Tasks via `gog`

-| Component | Detail |
-|---|---|
-| Runtime | OpenClaw `2026.3.23-2` |
-| Identity | zap ⚡ |
-| Default model | `github-copilot/gpt-4o` + fallback chain |
-| Memory | Ollama embeddings + markdown workspace files |
-| Council | Pragmatist / Visionary / Skeptic (GLM 4.7) + Referee (Claude Sonnet 4.6) |
+## Operating decisions worth keeping

-### Model Tiers
-
-| Tier | Model |
-|---|---|
-| Fast/cheap | `litellm/zai-glm-4.7` |
-| Default | `litellm/copilot-claude-sonnet-4.6` |
-| Strongest | `litellm/copilot-claude-opus-4.6` |
-
---
-
-## Integrations
-
-| Integration | Detail |
-|---|---|
-| **Telegram** | Primary notification + interaction channel for reminders, alerts, and quick mobile interaction |
-| **Discord** | Preferred surface for deep technical work, brainstorming, experiments, and scoped threads |
-| **Obsidian** | Shared vault + zap's memory vault at `/mnt/swarm-common/obsidian-vault/` |
-| **Google Workspace** | Gmail, Calendar, Drive, Tasks via `gog` CLI |
-| **Search** | SearXNG first → Brave MCP fallback |
-
---
-
-## Automation
-
-See [[Infrastructure/Automation/Cron Jobs]] and [[Infrastructure/Automation/n8n Workflows]].
-
---
-
-## Key Decisions
-
- Search: SearXNG first → Brave fallback. Brave free plan rate-limited; no parallel bursts.
- n8n vs cron: n8n for native-node tasks. OpenClaw/OS cron for shell tasks. No SSH bridge.
- Kubernetes: scoped to `swarm` namespace, Pi-friendly resource limits.
- Daily schedule goes live April 7, 2026. See [[Plans/Daily Schedule]].
+- Search: SearXNG first, then Brave-backed fallback
+- n8n vs cron: use n8n when it has the right native node or API path; keep shell-heavy local tasks in OpenClaw/OS cron
+- Daily schedule goes live April 7, 2026 — see [[Plans/Daily Schedule]]
@@ -1,103 +1,75 @@
 ---
 title: Cron Jobs
 area: automation
-tags: [automation, health, assistant]
+tags: [automation, health, assistant, cron]
 created: 2026-03-18
-updated: 2026-03-18
+updated: 2026-03-27
 status: active
 related: [[Infrastructure/Architecture]], [[Infrastructure/Automation/n8n Workflows]], [[Plans/Daily Schedule]]
 ---

 # OpenClaw Cron Jobs

-All jobs run via the OpenClaw cron scheduler. Agent: `automation` unless noted.
+This note reflects the **live OpenClaw cron inventory** as checked on 2026-03-27.

---
+All jobs run via the OpenClaw cron scheduler.

-## Active Jobs
-
-### memory-reindex
- **Schedule:** Every 5 min
- **Purpose:** Keeps the memory vector index (Ollama embeddings) fresh
+## Enabled jobs

 ### obsidian-inbox-watcher
- **Schedule:** Every 5 min
- **Purpose:** Watches `/mnt/swarm-common/obsidian-vault/will/inbox/` for drop notes. Processes and replies via Telegram. Moves processed files to `inbox/processed/`.
+- **Agent:** `automation`
+- **Schedule:** every 5 minutes
+- **Session target:** isolated
+- **Purpose:** watches `/mnt/swarm-common/obsidian-vault/will/inbox/` for inbound notes, classifies them, handles them, moves them to `processed/`, and notifies Will via Telegram

-### litellm model sync
- **Schedule:** Every 12h
- **Purpose:** Syncs LiteLLM model metadata to OpenClaw config. See [[Infrastructure/Services/Docker Services]].
+### Daily follow-up: Discord Unknown Channel bug
+- **Agent:** `main`
+- **Schedule:** daily at `15:00 UTC`
+- **Session target:** main
+- **Purpose:** reminder to review the tracked Discord outbound `Unknown Channel` bug and only send Will an update if there is meaningful progress or a clear next step

-### litellm weekly audit
- **Schedule:** Mon 9:17am UTC
- **Purpose:** Audits model sync state for drift, reports if model count changes or fallbacks appear
-
-### Homelab services sentinel
- **Schedule:** Every 4h
- **Purpose:** Runs `ops-sentinel.sh`, alerts via Telegram if services degraded
- **Delivery:** Telegram
-
-### Weekly backup recovery smoke
- **Schedule:** Sun 3:30am PT
- **Purpose:** Downloads latest MinIO backup, verifies sha256 + structure
- **Delivery:** Telegram on failure
-
-### Model best-practices sync
- **Schedule:** Mon 9am PT
- **Purpose:** Syncs OpenAI/Anthropic tool-calling best practices to local hint files, commits changes
-
-### Weekly recycling reminder
- **Schedule:** Fri 2am PT
- **Purpose:** Reminds Will to take recycling out
- **Delivery:** Telegram
-
---
-
-## One-Shot Jobs
-
-### Tax Reminder
- **Fires:** Apr 14, 2026 noon UTC
- **Purpose:** Tax deadline reminder
+### Model best-practices sync (OpenAI+Anthropic)
+- **Agent:** `automation`
+- **Schedule:** Mondays at `09:00` America/Los_Angeles
+- **Session target:** isolated
+- **Purpose:** refresh local tool-calling / model best-practice hint files from official docs
+- **Current note:** enabled, but the last recorded run errored due timeout / rate-limit issues

 ### Enable shift reminders
- **Fires:** Apr 7, 2026 9am PT
- **Purpose:** Enables the three shift reminder jobs below when the new [[Plans/Daily Schedule]] goes live
+- **Agent:** `automation`
+- **Schedule:** one-shot at `2026-04-07 16:00 UTC`
+- **Session target:** isolated
+- **Purpose:** enable the three work-shift reminder jobs when the new [[Plans/Daily Schedule]] goes live

---
+### Tax Reminder
+- **Agent:** `main`
+- **Schedule:** one-shot at `2026-04-14 12:00 UTC`
+- **Session target:** main
+- **Purpose:** tax deadline reminder

-## Pending (Active April 7)
+## Disabled jobs (planned / staged)

-### Shift water reminder 💧
- **Schedule:** Hourly, 2–9pm PT, weekdays
- **Purpose:** Drink water reminder during work shift
- **Delivery:** Telegram
- **Status:** Disabled until April 7
+### Shift water reminder
+- **Schedule:** hourly, weekdays, `14:00–21:00` America/Los_Angeles
+- **Status:** disabled until April 7
+- **Purpose:** Telegram water reminder during work shift

-### Shift walk reminder 🚶
- **Schedule:** 2pm + 8pm PT, weekdays
- **Purpose:** Get up and walk 5–10 min
- **Delivery:** Telegram
- **Status:** Disabled until April 7
+### Shift walk reminder
+- **Schedule:** weekdays at `14:00` and `20:00` America/Los_Angeles
+- **Status:** disabled until April 7
+- **Purpose:** Telegram walk reminder

-### Shift walk reminder (offset) 🚶
- **Schedule:** 3:30pm + 6:30pm + 9:30pm PT, weekdays
- **Purpose:** Walk reminder (90-min offset times)
- **Delivery:** Telegram
- **Status:** Disabled until April 7
+### Shift walk reminder (30min offset)
+- **Schedule:** weekdays at `15:30`, `18:30`, `21:30` America/Los_Angeles
+- **Status:** disabled until April 7
+- **Purpose:** offset Telegram walk reminder

---
+## OS cron (host)

-## Disabled Jobs
+### MinIO backup
+- **Schedule:** every 6 hours at minute `17`
+- **Purpose:** full `~/.openclaw` backup to MinIO bucket `zap`

-| Name | Purpose |
-|---|---|
-| Inbox priority triage | Himalaya IMAP triage → Telegram summary (every 4h) |
-| Ops+MCP sentinel (Den/Dev/Brainstorming) | Group Telegram channel health alerts (every 6h) |
+## Note

---
-
-## OS Cron (Host)
-
-| Schedule | Purpose |
-|---|---|
-| Every 6h at :17 | Full `~/.openclaw` backup to MinIO bucket `zap` |
+Earlier versions of this note listed several jobs that are not present in the current live cron inventory anymore. This file was refreshed from the actual runtime state on 2026-03-27.
@@ -0,0 +1,80 @@
+---
+title: n8n IMAP Triage Pipeline
+area: infrastructure
+tags: [n8n, imap, llm, automation, email]
+created: 2026-03-27
+updated: 2026-03-27
+status: active
+related: [[Infrastructure/Automation/n8n Workflows]], [[Infrastructure/Architecture]]
+---
+
+# n8n IMAP Triage Pipeline
+
+## Overview
+
+- **Workflow:** `IMAP Inbox Triage + Obsidian Notes`
+- **Workflow ID:** `9sFwRyUDz51csAp7`
+- **Schedule:** every 15 minutes
+- **Account:** `wills_portal` IMAP (`will@wills-portal.com`)
+
+## Pipeline flow
+
+Read Unseen Emails
+→ Stage 1 - Static Filter
+→ Any Left?
+→ Needs LLM Judgement?
+→ Judge with Local LLM (only for ambiguous mail)
+→ Parse LLM Result / Tag Definite Signal
+→ Merge All Signal
+→ Format & Send → Send to Telegram
+→ Format Email Notes → Write Email to Vault
+
+## Local LLM
+
+- **Model:** `gemma-3-12b-it-q4_0.gguf`
+- **Endpoint:** `http://192.168.153.113:18806/v1/chat/completions`
+- **Used for:** ambiguous emails only
+- **Reply shape:** JSON like `{"signal": true|false, "priority": 1|2|3, "reason": "..."}`
+- **Priority scale:**
+  - `1` = act now 🔴
+  - `2` = read today 🟡
+  - `3` = FYI 🔵
+
+## Static filter behavior
+
+### Definite noise
+Examples include newsletters, no-reply mail, marketing, Discord/Plex/Spotify/YouTube-style noise, and known recurring low-value sender/subject patterns.
+
+### Definite signal
+Examples include login attempts, unusual access, invoices, payment due, receipts, urgent/action-required mail, password resets, GitHub/Gitea, and similar operational/security mail.
+
+### Everything else
+Sent to the local LLM for judgement.
+
+## Outputs
+
+### Telegram
+- digest sent via OpenClaw Telegram bot
+- grouped by priority with concise reason text
+
+### Obsidian
+- writes per-email notes to `Notes/YYYY-MM-DD Subject.md`
+- uses the Obsidian Local REST API at `http://192.168.153.113:27123`
+
+## Important operational notes
+
+- The Obsidian Local REST API must be reachable when the workflow runs.
+- A major 2026-03-27 failure mode was **not** the LLM or the workflow logic — it was shared-vault cross-user permissions on the `virtiofs` mount. The API was up, but writes to some folders hung until permissions were fixed.
+- First checks if this breaks again:
+  1. Obsidian Local REST API reachable?
+  2. shared vault path writable from host Obsidian user (`claw`) and VM assistant user (`openclaw`)?
+  3. local LLM endpoint still serving `gemma-3-12b-it-q4_0.gguf`?
+
+## Validation summary
+
+Validated live on 2026-03-27:
+- n8n healthy
+- local Gemma endpoint healthy
+- live local inference succeeded
+- Telegram notifications previously verified
+- Obsidian REST writes repaired and re-verified after permission fix
@@ -0,0 +1,54 @@
+---
+title: n8n Nightly Vault Sync
+area: infrastructure
+tags: [n8n, obsidian, llm, automation, nightly]
+created: 2026-03-27
+updated: 2026-03-27 23:39 UTC
+status: active
+related: [[Infrastructure/Automation/n8n Workflows]], [[Infrastructure/Architecture]], [[Infrastructure/Automation/Cron Jobs]], [[Infrastructure/Services/Docker Services]]
+---
+
+# n8n Nightly Vault Sync
+
+## Overview
+
+- **Workflow:** `Nightly Obsidian Vault Sync`
+- **Workflow ID:** `75JCevkdgkyCr2qH`
+- **Status:** active
+- **Trigger:** nightly cron expression `45 23 * * *`
+- **Local LLM:** `gemma-3-12b-it-q4_0.gguf`
+
+## Purpose
+
+Create a concise nightly sync note in the shared Obsidian vault so there is a low-noise daily operational breadcrumb without manually editing the canonical architecture/automation notes every single night.
+
+## What it does
+
+Each run:
+1. reads these shared vault notes:
+   - `Infrastructure/Architecture.md`
+   - `Infrastructure/Automation/n8n Workflows.md`
+   - `Infrastructure/Automation/Cron Jobs.md`
+   - `Infrastructure/Services/Docker Services.md`
+2. checks live health from:
+   - `http://192.168.153.113:18808/healthz`
+   - `http://192.168.153.113:18806/v1/models`
+3. sends that context to the local Gemma model
+4. writes a nightly note to:
+   - `Notes/YYYY-MM-DD Nightly Vault Sync.md`
+
+## Output style
+
+The nightly note is intended to stay compact:
+- short summary
+- current state
+- follow-ups / drift worth checking
+
+## Design note
+
+This workflow writes a **nightly snapshot note** rather than trying to auto-rewrite all canonical architecture docs. That keeps the automation lower-risk while still keeping the vault alive and current every night.
+
+## Test note
+
+- On 2026-03-27, the schedule was temporarily advanced for a near-term test run and an automatic revert to the normal nightly cron was scheduled immediately afterward.
+- At `2026-03-27 23:39 UTC`, the revert completed successfully. Verified via n8n API that the workflow is active and the `Schedule Trigger` node is back on cron `45 23 * * *` UTC.
@@ -1,11 +1,11 @@
 ---
 title: n8n Workflows
 area: automation
-tags: [automation, integrations]
+tags: [automation, integrations, n8n]
 created: 2026-03-18
-updated: 2026-03-25
+updated: 2026-03-27
 status: active
-related: [[Infrastructure/Architecture]], [[Infrastructure/Automation/Cron Jobs]], [[Infrastructure/Services/Docker Services]]
+related: [[Infrastructure/Architecture]], [[Infrastructure/Automation/Cron Jobs]], [[Infrastructure/Services/Docker Services]], [[Infrastructure/Automation/n8n IMAP Triage Pipeline]], [[Infrastructure/Automation/n8n Nightly Vault Sync]]
 ---

 # n8n Workflows
@@ -14,42 +14,78 @@ Running on `n8n-agent` at port `18808`. See [[Infrastructure/Services/Docker Ser

 ## Division of labor

- **n8n:** tasks where n8n has a native node (email/IMAP, calendar, webhooks, API integrations)
- **OpenClaw/OS cron:** shell-based / local tasks — no SSH bridge complexity
- When in doubt: does n8n have a native node for this? Yes → n8n. No → cron.
+- **n8n:** tasks where n8n has a native node or is acting as the controlled integration/scheduling layer
+- **OpenClaw / OS cron:** shell-heavy local tasks, reminders, and agent-driven jobs that fit better outside n8n
+- When in doubt: if n8n has the right native node or a clean HTTP/API path, prefer n8n. If it needs host shell/script glue, prefer OpenClaw cron or OS cron.

---
+## Core workflows

-## Workflows
-
-### Inbox Triage - wills_portal
+### IMAP Inbox Triage + Obsidian Notes
 - **ID:** `9sFwRyUDz51csAp7`
 - **Status:** ✅ Active
- **Trigger:** Schedule (every 15 minutes)
- **Purpose:** Reads unseen IMAP emails from `wills_portal`, filters with static rules + local LLM triage (Qwen2.5-14B), tags by priority (P1/P2/P3), sends digest to Telegram, and writes individual email notes to Obsidian vault at `Notes/YYYY-MM-DD Subject.md`
- **Flow:** Read IMAP → Static filter → LLM judge → Merge → Format & Send to Telegram + Write to Vault (parallel)
- **Obsidian note frontmatter:** includes `from`, `priority` (high/medium/low), `signal_reason`, tags `[email, imap, priority-*]`
- **Status:** ✅ Active
- **Type:** Webhook
- **Purpose:** Test/ping endpoint — verified end-to-end
- **Path:** `/webhook/openclaw-ping`
+- **Trigger:** Schedule polling every 15 minutes
+- **Account:** `wills_portal` IMAP
+- **Local LLM:** `gemma-3-12b-it-q4_0.gguf`
+- **Purpose:** reads unseen IMAP mail, drops obvious noise, judges ambiguous mail with the local LLM, sends signal digests to Telegram, and writes per-email notes to the shared Obsidian vault
+- **Details:** see [[Infrastructure/Automation/n8n IMAP Triage Pipeline]]

-### Gmail to Obsidian Notes
- **ID:** `fd0yacHqJHZNOw8l`
+### Gmail Inbox Monitor + Obsidian Notes
+- **ID:** `whtdorf7yJMVYeHm`
 - **Status:** ✅ Active
- **Trigger:** Gmail Trigger — polls hourly for unread IMPORTANT emails
- **Purpose:** Two-stage triage (static filter → Qwen2.5-14B local LLM) then writes signal emails as Obsidian notes in `Notes/YYYY-MM-DD Subject.md`
- **Flow:** Gmail Trigger → Static Filter → LLM Judge → Format Note → Write to Vault → Notify Telegram
- **Obsidian note frontmatter:** includes `from`, `priority` (high/medium/low), `signal_reason`, tags `[email, gmail, priority-*]`
- **Output:** Writes to vault via Obsidian REST API → Telegram ping with priority
+- **Trigger:** Gmail-triggered monitor flow
+- **Purpose:** watches Gmail, applies local triage, writes signal notes to Obsidian, and supports notification routing

 ### Calendar to Obsidian Notes
 - **ID:** `QRCCdHNXZUHc2Oz4`
 - **Status:** ✅ Active
- **Trigger:** Schedule — every 6 hours
- **Purpose:** Fetches upcoming Google Calendar events (next 7 days) and creates notes in `Notes/YYYY-MM-DD Event.md` with frontmatter, time, location, attendees, and a notes section
- **Credential:** `Google Calendar account` (OAuth2)
+- **Trigger:** scheduled sync
+- **Purpose:** fetches upcoming calendar events and writes/update notes in the shared vault
+- **Credential:** `Google Calendar account`

---
+### Nightly Obsidian Vault Sync
+- **ID:** `75JCevkdgkyCr2qH`
+- **Status:** ✅ Active
+- **Trigger:** nightly cron (`45 23 * * *`)
+- **Local LLM:** `gemma-3-12b-it-q4_0.gguf`
+- **Purpose:** fetches key operational notes plus live n8n/LLM health, uses the local LLM to generate a concise nightly vault sync note, and writes it to `Notes/YYYY-MM-DD Nightly Vault Sync.md`
+- **Details:** see [[Infrastructure/Automation/n8n Nightly Vault Sync]]

-_Add new workflows here as they are created._
+### OpenClaw Action Bus
+- **ID:** `Jwi54VWMdlLqYnRo`
+- **Status:** ✅ Active
+- **Type:** webhook / action router
+- **Purpose:** controlled execution path for approved actions and structured OpenClaw-to-n8n integration
+
+### OpenClaw Reminder Webhook
+- **ID:** `RUR1CGn0ikkxbPin`
+- **Status:** ✅ Active
+- **Type:** webhook
+- **Purpose:** reminder ingress path for simple reminder-style automation
+
+## Reminder / utility workflows
+
+### Chase Sapphire Payment Reminder
+- **ID:** `3OY2At6jP2WMALTp`
+- **Status:** ✅ Active
+- **Purpose:** scheduled credit-card payment reminder
+
+### Amex Payment Reminder
+- **ID:** `rJeUsRbMSmI1PRHf`
+- **Status:** ✅ Active
+- **Purpose:** scheduled credit-card payment reminder
+
+### Sink Leak Fix Reminder
+- **ID:** `M0U2Ag0XRUec5ASJ`
+- **Status:** ✅ Active
+- **Purpose:** reminder workflow for the sink leak follow-up
+
+### IMAP Inbox Triage + Obsidian Notes (squareffect)
+- **ID:** `kHDK9QdUSiAJ8rCM`
+- **Status:** ✅ Active
+- **Purpose:** second IMAP triage flow for the squareffect mailbox
+
+## Operational notes
+
+- Local n8n API and workflow management were re-verified live on 2026-03-27.
+- Local LLM inference path was re-verified live on 2026-03-27 via `http://192.168.153.113:18806/v1`.
+- Obsidian REST writes were re-verified on 2026-03-27 after fixing shared-vault cross-user permissions.
@@ -1,62 +1,79 @@
 ---
 title: Docker Services
 area: infrastructure
-tags: [infrastructure, homelab]
+tags: [infrastructure, homelab, docker]
 created: 2026-03-18
-updated: 2026-03-18
+updated: 2026-03-27
 status: active
-related: [[Infrastructure/Architecture]]
+related: [[Infrastructure/Architecture]], [[Infrastructure/Automation/n8n Workflows]]
 ---

 # Docker Services

-All services run on the LAN host (`192.168.153.113`). See [[Infrastructure/Architecture]] for networking context.
+Most service containers run on the LAN host at `192.168.153.113`. Some adjacent AI/runtime services run as host-level user services instead of Docker; those are noted separately below.

---
-
-## Services
+## Dockerized services

 ### SearXNG
- **Port:** `18803`
- **Role:** Local-first web search (preferred over Brave for privacy)
- **API:** JSON enabled
- **Smoke test:** `skills/searxng-local-search/scripts/smoke.sh openclaw`
+- **Container:** `searxng`
+- **Image:** `searxng/searxng:latest`
+- **Port:** `18803 -> 8080`
+- **Role:** preferred local-first web search backend
+- **URLs:** `http://192.168.153.113:18803`, `http://192.168.153.117:18803`

-### LiteLLM Proxy
- **Port:** `18804`
- **Role:** OpenAI-compatible gateway routing to all model providers (Copilot, ZAI, local)
- **Sync:** Auto-synced every 12h via [[Infrastructure/Automation/Cron Jobs]]
-
-### Whisper Server
- **Port:** `18801`
- **Role:** Local audio transcription (whisper.cpp)
- **Skill:** `whisper-local-safe`
-
-### Brave MCP
- **Port:** `18802`
- **Role:** Brave Search MCP server — fallback / second opinion
- **Note:** Free plan rate-limited; serialize requests, avoid parallel bursts
+### brave-search (MCP)
+- **Container:** `brave-search`
+- **Image:** `mcp/brave-search:latest`
+- **Port:** `18802 -> 8000`
+- **Role:** Brave-backed search fallback / second opinion
+- **Note:** free-plan rate-limited; avoid parallel bursts

 ### n8n-agent
- **Port:** `18808`
- **Role:** Automation workflows for tasks with native n8n nodes
- **Workflows:** See [[Infrastructure/Automation/n8n Workflows]]
+- **Container:** `n8n-agent`
+- **Image:** `docker.n8n.io/n8nio/n8n:latest`
+- **Port:** `18808 -> 5678`
+- **Role:** automation workflows and integration runtime
+- **Primary URL:** `http://192.168.153.113:18808`
+- **Health:** `/healthz` returned `{"status":"ok"}` during live check on 2026-03-27
+- **Workflows:** see [[Infrastructure/Automation/n8n Workflows]]
+
+### whisper-server
+- **Container:** `whisper-server`
+- **Image:** `ghcr.io/ggml-org/whisper.cpp:main`
+- **Port:** `18801 -> 8080`
+- **Role:** local audio transcription
+
+### kokoro-tts
+- **Container:** `kokoro-tts`
+- **Port:** `18805`
+- **Role:** local CPU TTS service
+
+### LiteLLM proxy + DB
+- **Containers:** `litellm`, `litellm-db`
+- **Port:** `18804`
+- **Role:** OpenAI-compatible model gateway / proxy layer
+- **Pinned note:** keep LiteLLM at `<=1.82.6` due the 2026-03-24 supply-chain incident affecting `1.82.7` / `1.82.8`
+
+## Adjacent host services (not Docker)
+
+### llama.cpp
+- **Port:** `18806`
+- **Model:** `gemma-3-12b-it-q4_0.gguf`
+- **Role:** local OpenAI-compatible LLM endpoint for private/offline reasoning and workflow inference
+- **Live check:** model endpoint and chat-completion path re-verified on 2026-03-27

 ### Ollama
 - **Port:** `18807`
- **Role:** Local embeddings server
- **Model:** `nomic-embed-text` (768 dims, loaded forever)
- **Used by:** OpenClaw memory search
+- **Role:** embeddings runtime for OpenClaw memory search
+- **Model:** `nomic-embed-text`

-### llama.cpp (Gemma 3 12B)
- **Port:** `18806`
- **Model:** `gemma-3-12b-it-q4_0.gguf`
- **Role:** Private/offline LLM, tool-calling capable (verified with `--jinja`)
- **Context:** 131072 tokens, max output 8192
- **LiteLLM alias:** `litellm/gemma-3-12b-local`
+## Adjacent storage / infra

 ### MinIO
 - **Endpoint:** `192.168.153.253:9000`
 - **Bucket:** `zap`
- **Role:** Object storage for OpenClaw backups
- **Versioning:** Enabled, 90-day noncurrent retention
+- **Role:** object storage for OpenClaw backups
+
+## Operational note
+
+The shared Obsidian vault is not a Docker service, but it is a critical part of this stack. Its Local REST API path was re-verified on 2026-03-27 after fixing cross-user write permissions on the shared `virtiofs` mount.
@@ -3,55 +3,58 @@ title: OpenClaw Core Update
 area: infrastructure
 tags: [infrastructure, assistant, automation, health]
 created: 2026-03-25
-updated: 2026-03-25
+updated: 2026-03-27
 status: active
 related: [[Infrastructure/Architecture]]
 ---

 # OpenClaw Core Update

-Updated OpenClaw core to `2026.3.23-2`.
+This note started with the 2026-03-25 update / repair pass and now includes the follow-up state through 2026-03-27.

-## Post-update verification
+## 2026-03-25 update pass

- `dist/control-ui/` assets are present in the installed package
+OpenClaw was updated to `2026.3.23-2`.
+
+### Post-update verification
+- `dist/control-ui/` assets present in the installed package
 - Discord message tool schema includes `Type.Optional(createDiscordMessageToolComponentsSchema())`
 - gateway/runtime verified healthy after launcher repair

-## Issue found
-
-The global CLI launcher at `~/.local/bin/openclaw` was stale after the update and still pointed at a removed version-pinned pnpm path for `2026.3.22`. That broke commands like `openclaw status` with `Cannot find module ... /openclaw.mjs` even though the actual installed package was correct.
-
-## Fix
-
-Replaced `~/.local/bin/openclaw` with a stable wrapper that launches the symlinked package path at:
+### Issue found
+The global CLI launcher at `~/.local/bin/openclaw` was stale after the update and still pointed at a removed version-pinned pnpm path for `2026.3.22`. That broke commands like `openclaw status` even though the actual installed package was correct.

+### Fix
+Replaced `~/.local/bin/openclaw` with a stable wrapper targeting:
 - `/home/openclaw/.local/share/pnpm/5/node_modules/openclaw/openclaw.mjs`

-This avoids depending on a removed version-specific pnpm path.
-
-## Additional work completed
-
- Removed stale `openclaw@2026.3.13` from the global store, freeing about 185 MB
+### Additional work completed
+- Removed stale `openclaw@2026.3.13` from the global store
 - Updated the instance registry so `orb` and `sun` now show as stopped
 - Backed up the post-upgrade config to the local mirror and MinIO

-## Upgrade workarounds used
+## 2026-03-26 follow-up update

- pnpm virtual-store conflict: used `pnpm install` in the global store directory instead of `pnpm add -g`
- non-interactive SSH PATH issue: exported PATH manually before running OpenClaw commands
+OpenClaw was then updated again to `2026.3.24` using the safe update workflow.

-## Snapshot limitation
+### Notes from that pass
+- prior dist/hotfix workarounds were fixed upstream; no local patch re-application was needed
+- `openclaw-update-safe.sh` was updated so it also patches the systemd service unit after future updates when needed
+- MinIO backup was taken during the update run

-The current VM uses pflash-based firmware, which prevents libvirt internal snapshots. If pre-upgrade VM snapshots are wanted later, either:
+## Current live state (checked 2026-03-27)

- convert the NVRAM to qcow2, or
- use external file-based snapshots instead
+- `openclaw status` reports runtime version `2026.3.24`
+- gateway reachable and healthy
+- Telegram enabled (`WARN` posture note only)
+- Discord enabled (`OK`)

 ## Outstanding watch item

-No fix yet for advisory `GHSA-7xr2-q9vf-x4r5` (symlink traversal via `IDENTITY.md` appendFile). Keep watching future OpenClaw releases for a patch.
+Still keep watching future OpenClaw releases for a fix to advisory `GHSA-7xr2-q9vf-x4r5` (symlink traversal via `IDENTITY.md` appendFile).

 ## Operational note

-For future OpenClaw updates, verify `openclaw status` immediately after the update. If it fails with an older package path, inspect `which openclaw` and the launcher contents before assuming the package install itself is broken.
+For future OpenClaw updates:
+- run `openclaw status` immediately after the update
+- if it points at an older package path, inspect `which openclaw` and the launcher contents before assuming the install itself is broken
@@ -0,0 +1,28 @@
+---
+title: Nightly Vault Sync
+area: infrastructure
+tags: [infrastructure, obsidian, automation, nightly, assistant]
+created: 2026-03-27
+updated: 2026-03-27
+status: active
+related: [[Infrastructure/Architecture]], [[Infrastructure/Automation/n8n Workflows]], [[Infrastructure/Automation/Cron Jobs]], [[Infrastructure/Services/Docker Services]]
+---
+
+# Nightly Vault Sync
+
+## Summary
+
+Manual seed note for the new nightly sync series. The nightly n8n workflow is now active and will take over future entries.
+
+## Current State
+
+- shared Obsidian vault notes were refreshed from live state on 2026-03-27
+- stale automation / architecture / service notes were repaired
+- debug/test artifact notes from the write-fix investigation were cleaned up
+- new workflow `Nightly Obsidian Vault Sync` (`75JCevkdgkyCr2qH`) is active
+- local n8n health and local Gemma endpoint were both verified earlier in the repair pass
+
+## Follow-ups
+
+- first scheduled run of the nightly n8n workflow will be the real end-to-end proof point
+- if the nightly job ever stops writing notes, first check the local LLM timeout path and shared-vault cross-user write permissions
@@ -0,0 +1,62 @@
+---
+title: Obsidian REST Write Fix
+area: infrastructure
+tags: [infrastructure, automation, obsidian, assistant, health]
+created: 2026-03-27
+updated: 2026-03-27
+status: active
+related: [[Infrastructure/Architecture]], [[Infrastructure/Automation/n8n Workflows]]
+---
+
+# Obsidian REST Write Fix
+
+## Summary
+
+Fixed a shared-vault write failure affecting Obsidian Local REST API updates from the host side.
+
+## Root cause
+
+The shared vault at `will/will-shared-zap/` lives on a `virtiofs` mount and is written by two different users:
+
+- host Obsidian / Local REST API user: `claw`
+- VM assistant user: `openclaw`
+
+That created asymmetric write access:
+
+- VM-side writes worked in folders owned by `openclaw`
+- host-side Obsidian REST writes worked in folders owned by `claw`
+- collaborative folders like `Notes/`, `Plans/`, and `Infrastructure/` were mostly `openclaw`-owned, so host-side REST writes hung and timed out
+
+## Evidence
+
+Live behavior before fix:
+
+- `PUT /vault/OpenClaw Checks/...` succeeded
+- `PUT /vault/Notes/...` timed out
+- `PUT /vault/Infrastructure/Automation/...` timed out
+- reads continued to work
+
+## Fix applied
+
+Adjusted permissions on shared collaborative folders/files under:
+
+- `Notes/`
+- `Plans/`
+- `Infrastructure/`
+
+Pragmatic fix used: make the guest-visible collaborative paths writable by the host Obsidian side as well.
+
+## Verification
+
+Live checks after fix:
+
+- `PUT /vault/Notes/test-postput.md` → `204`
+- `PUT /vault/Infrastructure/Automation/api-tiny-write-test.md` → `204`
+- full overwrite of `[[Infrastructure/Automation/n8n Workflows]]` succeeded → `204`
+- read-back verification succeeded
+
+## Follow-up
+
+Current fix is practical, not elegant. A cleaner long-term setup would use a proper shared-group or host-side permission model instead of permissive fallback modes, but ACLs were not supported from the guest side on this `virtiofs` mount.
+
+This permission issue may recur later if new shared folders or notes are created from only one side (`claw` on host or `openclaw` in the VM) without compatible write permissions. Now we know the failure pattern and the first thing to check: cross-user write access on the shared vault paths.
@@ -0,0 +1,45 @@
+---
+title: Obsidian Vault Audit
+area: infrastructure
+tags: [infrastructure, obsidian, assistant, audit]
+created: 2026-03-27
+updated: 2026-03-27
+status: active
+related: [[Infrastructure/Architecture]], [[Infrastructure/Automation/n8n Workflows]], [[Infrastructure/Automation/Cron Jobs]], [[Infrastructure/Services/Docker Services]]
+---
+
+# Obsidian Vault Audit
+
+Audited shared vault contents against recent workspace memory and live system state on 2026-03-27.
+
+## Initial finding
+
+Vault was **partially up to date**, but not fully current.
+
+- recent Obsidian REST write fix was documented
+- architecture + n8n notes had been touched
+- several operational notes were stale or incomplete
+- test/debug files were present and needed cleanup
+
+## Repair pass completed
+
+The requested repair pass was completed on 2026-03-27.
+
+### Refreshed notes
+- `Infrastructure/Automation/n8n Workflows.md`
+- `Infrastructure/Automation/Cron Jobs.md`
+- `Infrastructure/Services/Docker Services.md`
+- `Infrastructure/Architecture.md`
+- `Notes/2026-03-25 OpenClaw Core Update.md`
+
+### Added notes
+- `Infrastructure/Automation/n8n IMAP Triage Pipeline.md`
+- `Infrastructure/Automation/n8n Nightly Vault Sync.md`
+
+### Automation added
+- live n8n workflow `Nightly Obsidian Vault Sync` (`75JCevkdgkyCr2qH`), active
+- uses the local Gemma endpoint to generate a nightly vault sync note
+
+## Remaining note
+
+The vault should now be in much better operational shape, but like any living system it can drift again. Future audits should still compare against live runtime state rather than trusting old note text blindly.
@@ -11,10 +11,14 @@
            "id": "927f45921e5d8b5f",
            "type": "leaf",
            "state": {
-              "type": "graph",
-              "state": {},
-              "icon": "lucide-git-fork",
-              "title": "Graph view"
+              "type": "markdown",
+              "state": {
+                "file": "memory/ops/2026-03-03-tailscale-setup.md",
+                "mode": "source",
+                "source": false
+              },
+              "icon": "lucide-file",
+              "title": "2026-03-03-tailscale-setup"
            }
          }
        ]
@@ -178,6 +182,14 @@
  },
  "active": "927f45921e5d8b5f",
  "lastOpenFiles": [
+    "memory/incidents/2026-03-03-litellm-model.md",
+    "memory/archive/session-summaries/2026-03-02-2127.md",
+    "memory/ops/2026-03-04-git-workflow.md",
+    "memory/ops/2026-03-03-cron-backup.md",
+    "memory/ops/2026-03-03-acp-wiring.md",
+    "memory/plans/inference-cost-optimization.md",
+    "memory/archive/session-summaries/2026-03-04-greeting.md",
+    "memory/tasks.md",
    "memory/ops/2026-03-03-skill-toolbox.md",
    "memory/archive/session-summaries/2026-03-04-0825.md",
    "memory/council-runs/2026-03-05-mode-comparison.md",