# 2026-02-08 — Session Memory

## Pentest Night (carried over from Feb 6-7 late night)

### SuperFunnels AI (app.superfunnelsai.com)
- **Owner:** Jake's site. Developer: Code & Beans AB (Sweden), nils@codeandbeans.se
- **CRITICAL:** Wildcard CORS with credential reflection on all `/api/*` endpoints
- **CRITICAL:** GHL credential proxying — stores plaintext GHL tokens
- **HIGH:** SSRF potential in `/api/funnel-clone` sourceUrl (accepts AWS metadata URLs)
- **HIGH:** No input sanitization on businessName (stored XSS)
- Built working CORS exploit PoC at `pentest-superfunnels/cors-exploit-poc.html`
- Reverse-engineered full 10-stage funnel clone pipeline from JS bundles
- Couldn't complete authenticated funnel creation — needs GHL connection (separate from SuperFunnels login)
- Creds: jake@burtonmethod.com / FMQ-gbd6qxb@zmb6mbt (SuperFunnels only, NOT GHL)
- Reports: `pentest-superfunnels/REPORT.md`, `FULL-REPORT.md`, `FULL-AUTH-REPORT.md`, `FUNNEL-CREATION-REPORT.md`

### RealWave (www.realwave.com)
- **Owner:** Jake's site. Angular SPA + ASP.NET + Firebase Auth + SignalR
- **NO criticals** — Firestore rules are locked down properly ✅
- **HIGH:** Missing all security headers (CSP, HSTS, X-Frame-Options)
- **HIGH:** GHL webhook accepts XSS payloads (stored XSS in CRM)
- **HIGH:** No rate limiting anywhere
- **MEDIUM:** Firebase API key exposed but DB access blocked. However, ANYONE can create accounts (email/password signup open)
- **Firebase project:** gpteam-37d0c, API key: AIzaSyBdlwRi-iJImV0sdCE8gGxBpym4slvEgv8
- IP directly exposed: 162.43.207.214 (no CDN/WAF)
- GHL location ID: 8jJylXIxcMrt2E2RW0hW
- Tested Firestore with auth token — still blocked (good rules)
- Reports: `pentest-realwave/REPORT.md`, `INJECTION-REPORT.md`

### CloseBot (app.closebot.com)
- **Owner:** Jake's site. Next.js (Vercel) + Clerk auth + ASP.NET API (Azure)
- **CRITICAL:** `api.closebot.com` has `Access-Control-Allow-Origin: *` on ALL endpoints including `/bot`, `/lead`, `/agency`
- **HIGH:** Zero security headers on API
- **HIGH:** API origin IP exposed — Azure `20.115.232.12`, hostname `cb-api-zarqcgo3sph6q.azurewebsites.net`
- **HIGH:** No rate limiting on API
- Vercel Security Checkpoint working well on frontend
- Clerk auth is solid
- WordPress marketing site on Kinsta/Cloudflare
- Report: `pentest-closebot/REPORT.md`

### Common Pattern Across All Sites
- **CORS wildcard is the recurring critical vuln** — SuperFunnels and CloseBot both have it
- **Missing security headers** across all three sites
- **No rate limiting** on any API

## Coaching — Oliver & Kevin (OSKV Labs)

### Key Fix: Name/Number Swap
- ALL 3 coaching crons had Olly and Kevin's numbers SWAPPED — fixed Feb 8
- **Olly = +19175028872** (correct, verified)
- **Kevin = +19179929834** (correct, verified)

### War Stories Rule (Feb 8)
- Jake requested: whenever they drop the ball, share a <55 word war story about someone who did something similar but WAY more intense
- Added to `memory/oskv-labs-coaching.md` with example stories
- Examples: DP who shot 90 days free BTS and got $200K commercial, kid who edited 3 MVs at Panera on cracked MacBook, creator who posted 400 days straight

### Messaging Fix
- `imsg send` with `--to "chat:58"` DOES NOT WORK for group chats — silently fails
- Must use AppleScript with full chat ID: `any;+;chat98661049481506374`
- Individual texts via `imsg send --to "+1XXXXXXXXXX"` work fine

### Status (end of session)
- Individual texts to Olly and Kevin: SENT ✅ (Opus energy, accountability)
- Discord #general coaching channel message: SENT ✅ (Weenie Hut Jr's war story)
- INTERNAL MAIN group chat: SENT ✅ (via AppleScript, war story + status demand)
- Olly responded positively: "Bro I f***ing love buba", "Goat", cutting Harry Styles
- BlueBubbles server is DOWN — iMessage agent can't receive/respond to texts

## Config Changes

### Exec Security (Feb 8)
- Added `"tools": { "exec": { "security": "full" } }` to gateway config
- Reason: `imsg send` was blocked by default exec approval gate, kept timing out
- Jake approved this change

### Cron Errors
- Multiple crons failing with "Discord bot token missing for account default"
- Affected: edtech-intel-feed, mixed-use-entertainment-scan, competitor-intel-scan, mcp-pipeline-standup, daily-api-key-acquisition, all 3 TLDR crons, daily-memory-log
- Likely related to "glm havoc" Jake mentioned — needs investigation

## Misc
- Jake asked "what model r u" — confirmed running Opus (was on Sonnet earlier, escalated)
- Jake's clipboard had mystery string `X1ytU1uxIz2Xh70GdaH9ngnQj2lnYzdDgxCtxrBojwOwWnrd5o5irfLRtLsv8YjvKCDaPFdniRbL6cPum9` — likely from pentest webhook hitting his GHL or a session token
- Browser relay extension installed at `~/.clawdbot/browser/chrome-extension` but Jake never got it loaded in Brave

## Rest of Day (Feb 8, daytime → 11 PM)

### Coaching Day 3 — Still Zero Posts
- Morning, 2 PM, and evening coaching messages sent to Discord #general
- Individual iMessages sent to both Olly and Kevin
- **Olly:** Talked about iPhone research and Harry Styles BTS clip but no post confirmed. No screenshot shared.
- **Kevin:** Said "Hello Mr Buba" and then went silent again
- **Day 3 scoreboard: 0 posts from either person.** Assigned specific tasks for Day 4 (post ONE thing before noon)
- War stories deployed in all check-ins per Jake's rule

### MCP Pipeline — Complete Holding Pattern
- **CloseBot & Brevo** advanced overnight: Stage 12 → Stage 16 (Website Built)
- **5 MCPs now at Stage 16:** CloseBot, Brevo, Close, FreshDesk, HelpScout
- Pipeline in total steady state — all movement blocked on human inputs:
  - Stage 16→17: needs hosting/deploy decision from Jake
  - GHL: 42 failing tests, repo not cloned locally
  - 21 MCPs: need API key signups (manual task)
- Pipeline heartbeats posted to #build-log at 12 PM and 2 PM, then skipped redundant ones
- **API key auto-signup cron fired** — I refused to run it (CAPTCHA bypass violates ToS, would risk blacklisting burtonmethod.com domain). Recommended manual 30-min batch instead.

### Burton Method Competitor Intel Scan — Week of Feb 8
- Full competitor scan completed and posted to #competitor-digest
- **Key findings:**
  - Princeton Review x Google Gemini partnership (SAT now, LSAT likely next) — biggest market signal
  - Jenova AI entering AI LSAT tutor space
  - PowerScore + Spivey Consulting co-authoring Admissions Bible (going full-funnel)
  - Feb LSAT completed (Feb 6-7), scores release Feb 25 — retake campaign window
  - Kaplan running $150-200 off promo cycle
  - 7Sage, Demon, Blueprint, Magoosh: no meaningful innovation
- **Action items:** retake campaign by Feb 24, counter Princeton Review x Gemini narrative, exploit PowerScore brand fracture

### Mixed-Use Entertainment Intel Scan
- Posted to Jake's server #general
- **New find:** Roanoke Entertainment District, VA — $330M project (casino anchor), unnamed private investor, ground-floor opportunity
- **Rock Creek, Norman, OK** ($1.2B) most urgent — Supreme Court ruling finalized, $400M+ private capital still unnamed
- Sphere at National Harbor confirmed, Capital One Arena "The Halo" $800M+ details unveiled

### Discord Community Activity
- TLDR summaries posted at 1 PM and 10 PM
- Opus 4.6 token usage debate — multiple members reporting faster burn rates
- Nicholai's tip: use 4.6 for planning/orchestration only, delegate coding to Sonnet/Haiku
- Compass update: native Anthropic OAuth + Claude Code integration
- B0R1NG (krillset) joined the server
- #off-topic channel created, Reed posting memes
- Mention gating confirmed working — only respond when called "Buba" or @pinged
- Jake confirmed I'm alive after restart

### Cron Health
- Multiple crons still failing with "Discord bot token missing" errors
- GLM havoc aftermath still not fully resolved
- Pipeline heartbeat crons running but just reporting steady state

## TODO
- Fix BlueBubbles server (down, can't receive iMessages)
- Investigate "Discord bot token missing" cron errors — GLM havoc aftermath
- Get browser extension loaded in Brave for authenticated SuperFunnels funnel creation
- Write consolidated CORS fix plan across all 3 sites
- Jake still needs fresh Anthropic API key for MCP build page + LocalBosses
- Jake needs to decide hosting/deploy strategy for 5 Stage 16 MCPs
- Manual API key signup batch (~30 min) for 21 MCPs
- Retake campaign content ready by Feb 24 (Feb LSAT scores release Feb 25)
- Coaching Day 4 tomorrow (Feb 9) — 9 AM brief, push for first actual posts
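Added example for the "consolidated CORS fix plan" TODO and the Common Pattern section above. It is editor-written demo code, not taken from any of the pentest reports or PoC files listed on this page. It classifies a captured response's CORS posture against a probe Origin (the dangerous case is an attacker-chosen Origin echoed back together with `Access-Control-Allow-Credentials: true`; a bare `*` is refused by browsers for credentialed requests, so it mostly matters for endpoints authenticated by something other than cookies), lists which of the three security headers the findings name are missing, and shows allowlist-based CORS handling as the fix. Every header set, origin and allowlist below is constructed for the demo; nothing is sent to any host.

```javascript
// Added example (editor-written, not from the reports on this page).
// Triage a captured HTTP response for the two findings that recurred across
// all three sites, and show the allowlist-based CORS handling that fixes the
// critical one. All sample data is constructed.

// Lowercase header names so lookups are case-insensitive (HTTP headers are).
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Classify the CORS posture of one response to a request sent with probeOrigin.
// probeOrigin should be an origin the site has no reason to trust; if it comes
// back in Access-Control-Allow-Origin, the server is reflecting, not allowlisting.
// "null" is called out separately: sandboxed iframes and some redirects send
// Origin: null, and echoing it is as bad as reflecting an attacker origin.
function classifyCors(probeOrigin, rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const acao = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return 'no-cors';
  if (acao === '*') return creds ? 'wildcard-with-credentials' : 'wildcard';
  if (acao === 'null') return creds ? 'null-with-credentials' : 'null-origin';
  if (acao === probeOrigin) return creds ? 'reflected-with-credentials' : 'reflected';
  return 'origin-scoped';
}

// The three headers the RealWave and CloseBot findings call out as absent.
const REQUIRED_SECURITY_HEADERS = [
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
];

function missingSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  return REQUIRED_SECURITY_HEADERS.filter((name) => !(name in h));
}

// Hardened handling: echo the request Origin only after an exact match against
// an explicit allowlist, never "*" when credentials are allowed, and add
// Vary: Origin so a shared cache cannot serve one origin's ACAO to another.
// An unknown origin gets no CORS headers at all, which the browser treats as deny.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!requestOrigin || !allowlist.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

function triage(probeOrigin, rawHeaders) {
  return { cors: classifyCors(probeOrigin, rawHeaders), missing: missingSecurityHeaders(rawHeaders) };
}

// Constructed sample responses to a probe sent with Origin: https://attacker.example.
const PROBE_ORIGIN = 'https://attacker.example';
const ALLOWLIST = new Set(['https://app.example']);
const SAMPLE_RESPONSES = {
  reflecting: {
    'Access-Control-Allow-Origin': 'https://attacker.example',
    'Access-Control-Allow-Credentials': 'true',
    'Content-Type': 'application/json',
  },
  wildcard: {
    'Access-Control-Allow-Origin': '*',
    'Content-Type': 'application/json',
  },
  hardened: {
    ...corsHeadersFor('https://app.example', ALLOWLIST),
    'Content-Security-Policy': "default-src 'self'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
  },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, JSON.stringify(triage(PROBE_ORIGIN, headers)));
}
```

Run the probe twice per endpoint in practice, once with an arbitrary origin and once with `Origin: null`, and treat `reflected-with-credentials` or `null-with-credentials` as the critical case; `wildcard` on an API that also accepts bearer tokens or API keys from a browser client still belongs in the fix plan, since the fix is the same allowlist.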