# 2026-02-08 — Session Memory

## Pentest Night (carried over from Feb 6-7 late night)

### SuperFunnels AI (app.superfunnelsai.com)

- **Owner:** Jake's site. Developer: Code & Beans AB (Sweden), nils@codeandbeans.se
- **CRITICAL:** Wildcard CORS with credential reflection on all `/api/*` endpoints
- **CRITICAL:** GHL credential proxying — stores plaintext GHL tokens
- **HIGH:** SSRF potential in `/api/funnel-clone` sourceUrl (accepts AWS metadata URLs)
- **HIGH:** No input sanitization on businessName (stored XSS)
- Built working CORS exploit PoC at `pentest-superfunnels/cors-exploit-poc.html`
- Reverse-engineered full 10-stage funnel clone pipeline from JS bundles
- Couldn't complete authenticated funnel creation — needs GHL connection (separate from SuperFunnels login)
- Creds: jake@burtonmethod.com / FMQ-gbd6qxb@zmb6mbt (SuperFunnels only, NOT GHL)
- Reports: `pentest-superfunnels/REPORT.md`, `FULL-REPORT.md`, `FULL-AUTH-REPORT.md`, `FUNNEL-CREATION-REPORT.md`

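The SSRF finding above hinges on the fetcher accepting the cloud metadata address. The check below is an added example, not SuperFunnels code, of how a `sourceUrl`-style parameter should be screened before a server-side fetch. The allowed schemes and ports, the injectable resolver and the `FAKE_DNS` table are assumptions for this example (the table is constructed, not captured DNS); it also covers IPv4-mapped IPv6 and mixed public/private DNS answers, which the finding does not mention.

```python
"""Added example (not SuperFunnels code): screen a user-supplied URL for SSRF
before a server-side fetch, the way a `sourceUrl` parameter should be."""
from __future__ import annotations

import ipaddress
import socket
from collections.abc import Callable
from urllib.parse import urlsplit

# Assumption for this example: a funnel-clone fetcher only needs plain web
# URLs on the default ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def default_resolve(host: str) -> list[str]:
    """System resolver, used in production; tests inject a fake instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url: str, resolve: Callable[[str], list[str]] = default_resolve) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL that is about to be fetched server-side.

    Every address the name resolves to is checked, not just the first: a
    record mixing a public and a private address is the classic way past a
    first-answer-only check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # Literal IPs (IPv4, IPv6, IPv4-mapped IPv6) are checked directly.
    # Decimal or octal spellings such as 2852039166 are rejected by
    # ip_address(), so they fall through to the resolver, which normalises
    # them the same way the HTTP client would; the result is then checked.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, "hostname does not resolve"
        if not addresses:
            return False, "hostname does not resolve"

    for ip in addresses:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still 169.254.169.254
        # is_global is False for loopback, RFC 1918, link-local (which covers
        # the 169.254.169.254 metadata endpoint), CGNAT, reserved, unspecified.
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver table so the example runs offline; not real DNS data.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "split.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://example.com/funnel", "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/", "http://split.example/", "file:///etc/passwd"):
        print(candidate, check_fetch_target(candidate, resolve=fake_resolve))
```

The check only holds if the client then connects to one of the addresses that were validated, or the check is re-run on every redirect; a DNS answer that changes between validation and fetch otherwise still gets through.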
### RealWave (www.realwave.com)

- **Owner:** Jake's site. Angular SPA + ASP.NET + Firebase Auth + SignalR
- **NO criticals** — Firestore rules are locked down properly ✅
- **HIGH:** Missing all security headers (CSP, HSTS, X-Frame-Options)
- **HIGH:** GHL webhook accepts XSS payloads (stored XSS in CRM)
- **HIGH:** No rate limiting anywhere
- **MEDIUM:** Firebase API key exposed but DB access blocked. However, ANYONE can create accounts (email/password signup open)
- **Firebase project:** gpteam-37d0c, API key: AIzaSyBdlwRi-iJImV0sdCE8gGxBpym4slvEgv8
- IP directly exposed: 162.43.207.214 (no CDN/WAF)
- GHL location ID: 8jJylXIxcMrt2E2RW0hW
- Tested Firestore with auth token — still blocked (good rules)
- Reports: `pentest-realwave/REPORT.md`, `INJECTION-REPORT.md`

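Added example (not RealWave or CloseBot code) of auditing the three headers the finding names, checking values rather than mere presence: HSTS max-age and includeSubDomains, CSP presence, and clickjacking protection from either X-Frame-Options or a CSP frame-ancestors directive. The one-year threshold and the sample header sets are assumptions constructed for the example.

```python
"""Added example (not code from any of the three sites): audit a response's
security headers with value checks, not just presence checks."""
from __future__ import annotations

from collections.abc import Mapping

ONE_YEAR_SECONDS = 31_536_000  # assumed minimum HSTS max-age for this example


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split 'max-age=63072000; includeSubDomains; preload' into a directive map."""
    directives: dict[str, str | None] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for raw in csp.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def audit_headers(headers: Mapping[str, str], served_over_tls: bool = True) -> list[str]:
    """Return findings for HSTS, CSP and framing; an empty list means all pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # HSTS only matters on TLS responses; browsers ignore it over plain HTTP.
    if served_over_tls:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("HSTS missing")
        else:
            d = parse_hsts(hsts)
            try:
                max_age = int(d.get("max-age") or -1)
            except ValueError:
                max_age = -1
            if max_age < ONE_YEAR_SECONDS:
                findings.append(f"HSTS max-age {max_age} is below one year")
            if "includesubdomains" not in d:
                findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")

    # Clickjacking: CSP frame-ancestors is the modern control and takes
    # precedence over X-Frame-Options when both are present.
    ancestors = csp_frame_ancestors(csp) if csp else None
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors is not None:
        if "*" in ancestors or any(a.startswith("http:") for a in ancestors):
            findings.append(f"CSP frame-ancestors too permissive: {' '.join(ancestors)}")
    elif xfo in ("DENY", "SAMEORIGIN"):
        pass
    elif xfo:
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    else:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings


# Constructed header sets for illustration; not captured responses.
SAMPLES = {
    "bare": {},
    "hardened": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "half-done": {
        "strict-transport-security": "max-age=300",
        "content-security-policy": "default-src 'self'",
        "x-frame-options": "ALLOWALL",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_headers(hdrs))
```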
### CloseBot (app.closebot.com)

- **Owner:** Jake's site. Next.js (Vercel) + Clerk auth + ASP.NET API (Azure)
- **CRITICAL:** `api.closebot.com` has `Access-Control-Allow-Origin: *` on ALL endpoints including `/bot`, `/lead`, `/agency`
- **HIGH:** Zero security headers on API
- **HIGH:** API origin IP exposed — Azure `20.115.232.12`, hostname `cb-api-zarqcgo3sph6q.azurewebsites.net`
- **HIGH:** No rate limiting on API
- Vercel Security Checkpoint working well on frontend
- Clerk auth is solid
- WordPress marketing site on Kinsta/Cloudflare
- Report: `pentest-closebot/REPORT.md`

### Common Pattern Across All Sites

- **CORS wildcard is the recurring critical vuln** — SuperFunnels and CloseBot both have it
- **Missing security headers** across all three sites
- **No rate limiting** on any API

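Both CORS findings (SuperFunnels `/api/*` and `api.closebot.com`) and the TODO for a consolidated fix come down to two questions: what the server answers to an attacker-chosen `Origin`, and what it should answer instead. The block below is an added example, not code from any of the three sites; `TRUSTED_ORIGINS`, the probe origin `https://evil.example` and the sample responses are assumptions constructed for it. It classifies the reflected and `null` cases as well as the wildcard one the findings describe.

```python
"""Added example (not code from SuperFunnels, CloseBot or RealWave): classify
what a CORS response grants to an attacker-chosen Origin, and the allowlist
logic that replaces a wildcard or an echo."""
from __future__ import annotations

from collections.abc import Mapping

# Assumption for this example: the origins the apps would legitimately serve.
# Exact strings (scheme + host + port), no wildcards, no substring matching:
# origin.endswith("closebot.com") would let https://evilclosebot.com through.
TRUSTED_ORIGINS = frozenset({
    "https://app.superfunnelsai.com",
    "https://app.closebot.com",
})


def classify_cors(probe_origin: str, response_headers: Mapping[str, str]) -> str:
    """Classify one response to a request sent with `Origin: <probe_origin>`.

    Probe with an origin you control so that an echo of it can only mean the
    server reflects arbitrary origins. Header names match case-insensitively.
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        # Browsers fail the CORS check for credentialed (cookie-bearing)
        # requests when ACAO is "*", even with ACAC:true alongside it, so this
        # exposes anonymous responses and responses authorised by a bearer
        # token the calling page already holds, not the victim's cookie session.
        return "wildcard-with-credentials-flag" if creds else "wildcard"
    if acao == "null":
        # Sandboxed iframes and data: URLs send Origin: null, so allowing it
        # is effectively allowing anyone.
        return "null-with-credentials" if creds else "null"
    if acao == probe_origin:
        # The attacker's origin came back, with ACAC:true: any site can make the
        # victim's browser send its cookies (subject to SameSite) and read the
        # response. This is the fully exploitable case.
        return "reflected-with-credentials" if creds else "reflected"
    return "fixed-origin"  # some other single origin; this probe is blocked


def cors_headers_for(request_origin: str | None, allow_credentials: bool = True) -> dict[str, str]:
    """Hardened form: exact allowlist lookup, never an echo, never "*" with credentials.

    `Vary: Origin` goes on every response so a shared cache never serves one
    origin's allowlisted answer to a request from another origin.
    """
    headers = {"Vary": "Origin"}
    if request_origin is None or request_origin not in TRUSTED_ORIGINS:
        return headers  # untrusted or absent Origin: no CORS grant at all
    headers["Access-Control-Allow-Origin"] = request_origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed responses standing in for the probes in the findings above;
# illustrative, not captured traffic.
PROBE_ORIGIN = "https://evil.example"
SAMPLE_RESPONSES = {
    "api.closebot.com /bot": {"Access-Control-Allow-Origin": "*"},
    "app.superfunnelsai.com /api/x": {
        "Access-Control-Allow-Origin": PROBE_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    },
    "hardened": cors_headers_for(PROBE_ORIGIN),
}


def audit(responses: Mapping[str, Mapping[str, str]], probe_origin: str = PROBE_ORIGIN) -> dict[str, str]:
    return {name: classify_cors(probe_origin, hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict}")
```

A single probe with a trusted origin cannot tell reflection from a correct allowlist, which is why the probe origin is one the tester controls; the fix is the same for all three sites, so one allowlist helper like `cors_headers_for` can be the basis of the consolidated plan.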
## Coaching — Oliver & Kevin (OSKV Labs)

### Key Fix: Name/Number Swap

- ALL 3 coaching crons had Olly and Kevin's numbers SWAPPED — fixed Feb 8
- **Olly = +19175028872** (correct, verified)
- **Kevin = +19179929834** (correct, verified)

### War Stories Rule (Feb 8)

- Jake requested: whenever they drop the ball, share a <55-word war story about someone who did something similar but WAY more intense
- Added to `memory/oskv-labs-coaching.md` with example stories
- Examples: DP who shot 90 days free BTS and got $200K commercial, kid who edited 3 MVs at Panera on cracked MacBook, creator who posted 400 days straight

### Messaging Fix

- `imsg send` with `--to "chat:58"` DOES NOT WORK for group chats — silently fails
- Must use AppleScript with full chat ID: `any;+;chat98661049481506374`
- Individual texts via `imsg send --to "+1XXXXXXXXXX"` work fine

### Status (end of session)

- Individual texts to Olly and Kevin: SENT ✅ (Opus energy, accountability)
- Discord #general coaching channel message: SENT ✅ (Weenie Hut Jr's war story)
- INTERNAL MAIN group chat: SENT ✅ (via AppleScript, war story + status demand)
- Olly responded positively: "Bro I f***ing love buba", "Goat", cutting Harry Styles
- BlueBubbles server is DOWN — imessage agent can't receive/respond to texts

## Config Changes

### Exec Security (Feb 8)

- Added `"tools": { "exec": { "security": "full" } }` to gateway config
- Reason: `imsg send` was blocked by default exec approval gate, kept timing out
- Jake approved this change

### Cron Errors

- Multiple crons failing with "Discord bot token missing for account default"
- Affected: edtech-intel-feed, mixed-use-entertainment-scan, competitor-intel-scan, mcp-pipeline-standup, daily-api-key-acquisition, all 3 TLDR crons, daily-memory-log
- Likely related to "glm havoc" Jake mentioned — needs investigation

## Misc

- Jake asked "what model r u" — confirmed running Opus (was on Sonnet earlier, escalated)
- Jake's clipboard had mystery string `X1ytU1uxIz2Xh70GdaH9ngnQj2lnYzdDgxCtxrBojwOwWnrd5o5irfLRtLsv8YjvKCDaPFdniRbL6cPum9` — likely from pentest webhook hitting his GHL or a session token
- Browser relay extension installed at `~/.clawdbot/browser/chrome-extension` but Jake never got it loaded in Brave

## Rest of Day (Feb 8, daytime → 11 PM)

### Coaching Day 3 — Still Zero Posts

- Morning, 2 PM, and evening coaching messages sent to Discord #general
- Individual iMessages sent to both Olly and Kevin
- **Olly:** Talked about iPhone research and Harry Styles BTS clip but no post confirmed. No screenshot shared.
- **Kevin:** Said "Hello Mr Buba" and then went silent again
- **Day 3 scoreboard: 0 posts from either person.** Assigned specific tasks for Day 4 (post ONE thing before noon)
- War stories deployed in all check-ins per Jake's rule

### MCP Pipeline — Complete Holding Pattern

- **CloseBot & Brevo** advanced overnight: Stage 12 → Stage 16 (Website Built)
- **5 MCPs now at Stage 16:** CloseBot, Brevo, Close, FreshDesk, HelpScout
- Pipeline in total steady state — all movement blocked on human inputs:
  - Stage 16→17: needs hosting/deploy decision from Jake
  - GHL: 42 failing tests, repo not cloned locally
  - 21 MCPs: need API key signups (manual task)
- Pipeline heartbeats posted to #build-log at 12 PM and 2 PM, then skipped redundant ones
- **API key auto-signup cron fired** — I refused to run it (CAPTCHA bypass violates ToS, would risk blacklisting burtonmethod.com domain). Recommended manual 30-min batch instead.

### Burton Method Competitor Intel Scan — Week of Feb 8

- Full competitor scan completed and posted to #competitor-digest
- **Key findings:**
  - Princeton Review x Google Gemini partnership (SAT now, LSAT likely next) — biggest market signal
  - Jenova AI entering AI LSAT tutor space
  - PowerScore + Spivey Consulting co-authoring Admissions Bible (going full-funnel)
  - Feb LSAT completed (Feb 6-7), scores release Feb 25 — retake campaign window
  - Kaplan running $150-200 off promo cycle
  - 7Sage, Demon, Blueprint, Magoosh: no meaningful innovation
- **Action items:** retake campaign by Feb 24, counter Princeton Review x Gemini narrative, exploit PowerScore brand fracture

### Mixed-Use Entertainment Intel Scan

- Posted to Jake's server #general
- **New find:** Roanoke Entertainment District, VA — $330M project (casino anchor), unnamed private investor, ground-floor opportunity
- **Rock Creek, Norman, OK** ($1.2B) most urgent — Supreme Court ruling finalized, $400M+ private capital still unnamed
- Sphere at National Harbor confirmed, Capital One Arena "The Halo" $800M+ details unveiled

### Discord Community Activity

- TLDR summaries posted at 1 PM and 10 PM
- Opus 4.6 token usage debate — multiple members reporting faster burn rates
- Nicholai's tip: use 4.6 for planning/orchestration only, delegate coding to Sonnet/Haiku
- Compass update: native Anthropic OAuth + Claude Code integration
- B0R1NG (krillset) joined the server
- #off-topic channel created, Reed posting memes
- Mention gating confirmed working — only respond when called "Buba" or @pinged
- Jake confirmed I'm alive after restart

### Cron Health

- Multiple crons still failing with "Discord bot token missing" errors
- GLM havoc aftermath still not fully resolved
- Pipeline heartbeat crons running but just reporting steady state

## TODO

- Fix BlueBubbles server (down, can't receive iMessages)
- Investigate "Discord bot token missing" cron errors — GLM havoc aftermath
- Get browser extension loaded in Brave for authenticated SuperFunnels funnel creation
- Write consolidated CORS fix plan across all 3 sites
- Jake still needs fresh Anthropic API key for MCP build page + LocalBosses
- Jake needs to decide hosting/deploy strategy for 5 Stage 16 MCPs
- Manual API key signup batch (~30 min) for 21 MCPs
- Retake campaign content ready by Feb 24 (Feb LSAT scores release Feb 25)
- Coaching Day 4 tomorrow (Feb 9) — 9 AM brief, push for first actual posts