chore: add drafts and memory letters

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Oliver Baer

.memory/letter_20260206_0001.md

@@ -0,0 +1,52 @@
+# Letter to Myself (Session Handoff)
+
+**Date:** 2026-02-06 02:30 CET
+
+## 1. Executive Summary
+* **Goal:** Migrate Aurus Voice Intelligence from desktop-only to cross-platform mobile-ready architecture (Tauri v2 + Next.js 14), now entering Phase 5 (Yjs + WebRTC sync).
+* **Current Status:** Phases 1-6 complete and committed. Mobile build compatibility (rustls-tls, desktop-only global shortcut, Android scaffolding) committed as `d68738a`. Ready to begin Phase 5: Desktop <-> Mobile real-time sync.
+
+## 2. The "Done" List (Context Anchor)
+
+### This Session
+* Committed mobile build compatibility changes as `d68738a`:
+  - `src-tauri/src/lib.rs` - Global shortcut plugin wrapped in `#[cfg(desktop)]`
+  - `src-tauri/Cargo.toml` - Moved `tauri-plugin-global-shortcut` to desktop-only deps (`[target.'cfg(not(any(target_os = "ios", target_os = "android")))'.dependencies]`)
+  - `src-tauri/Cargo.toml` - Switched `reqwest` from native-tls to `rustls-tls` (cross-platform)
+  - `src-tauri/Cargo.toml` - Switched `async-tungstenite` from `tokio-native-tls` to `tokio-rustls-native-certs`
+  - Added Android project scaffolding (`src-tauri/gen/android/`)
+  - Added `src-tauri/.cargo/config.toml` for Android NDK cross-compilation targets
+  - Added `.claudeignore`, `.claude/settings.json`, `claude.toml`
+* Verified: `cargo check` clean (0 warnings), 53/53 frontend tests passing
+
+### Previous Sessions (already committed)
+* Phase 1: Platform abstraction layer (`src-tauri/src/platform/`), SecureStorage trait
+* Phase 2: secrets.rs rewritten to use platform abstraction
+* Phase 3: AudioCapture trait, CPAL desktop, mobile stub, useWebAudioCapture hook
+* Phase 4: ai-worker.ts (Transformers.js Web Worker), useLocalAI hook
+* Phase 6: 19 platform tests (`__tests__/platform.test.tsx`)
+* `2ce5e60` - Offline Whisper transcription fallback for mobile
+* `8b7a2c2` - Mobile recording integration, CI/CD pipeline, cleanup
+* `16ce596` - Cross-platform mobile architecture (Phases 1-6)
+
+## 3. The "Pain" Log (CRITICAL)
+* **Tried:** Using `native-tls` features for reqwest/async-tungstenite on mobile targets
+* **Failed:** native-tls requires platform-specific OpenSSL or Security.framework linking that differs per mobile target
+* **Workaround:** Switched to `rustls-tls` / `tokio-rustls-native-certs` which is pure Rust and works on all platforms
+* *Note:* Always use rustls for cross-platform Tauri apps targeting mobile
+
+## 4. Active Variable State
+* Working directory: `/Users/oliverbaer/Projects/aurus-voiceintelligence`
+* Build status: `cargo check` clean (0 warnings), `pnpm build` passes
+* Test status: 53/53 frontend (3 test files), 7/7 Rust tests
+* Git: `d68738a` on `main`, 4 commits ahead of origin (not pushed)
+* Unstaged: `.claude/settings.local.json`, `.memory copy/`, `drafts/`, `licenses/`, `ndk/`, `src-tauri/.github/`, `src-tauri/.memory/`
+* No Xcode (full app) installed - only Command Line Tools. No Android SDK fully configured.
+
+## 5. Immediate Next Steps
+1. [ ] Phase 5: Design and implement Yjs + WebRTC sync architecture for Desktop <-> Mobile
+2. [ ] Wire `useLocalAI` hook into UI for on-device transcription fallback
+3. [ ] Install Xcode (full app) and run `pnpm tauri ios init` with Apple Team ID
+4. [ ] Test useWebAudioCapture in mobile simulator (requires Xcode)
+5. [ ] Create GitHub Actions workflow for mobile CI/CD
+6. [ ] Test Transformers.js worker initialization in browser dev mode

.memory/letter_20260206_0002.md

@@ -0,0 +1,69 @@
+# Letter to Myself (Session Handoff)
+
+**Date:** 2026-02-06 03:15 CET
+
+## 1. Executive Summary
+* **Goal:** Design Phase 5 — Privacy-first ephemeral device sync for Aurus Voice Intelligence (Desktop <-> Mobile).
+* **Current Status:** Architecture plan complete and written to `/Users/oliverbaer/.claude/plans/declarative-baking-whistle.md`. Ready for user approval to begin implementation. Committed mobile build changes as `d68738a`.
+
+## 2. The "Done" List (Context Anchor)
+
+### This Session
+* Committed `d68738a` — mobile build compatibility (rustls-tls, desktop-only global shortcut, Android scaffolding)
+* Saved checkpoint `letter_20260206_0001.md`
+* Explored full codebase architecture via 3 subagents:
+  - Zustand store data model (7 agents, streaming state, preferences)
+  - Platform abstraction patterns (traits, cfg, platform-specific impls)
+  - WebSocket/channel patterns from `transcription.rs`
+  - Type definitions matching Rust ↔ TypeScript
+* Created comprehensive Gemini research prompt for privacy-first sync architecture
+* Received Gemini recommendations: webrtc-rs, yrs, SPAKE2+, double-layer E2E, in-memory only
+* Wrote full Phase 5 implementation plan with 4 sub-phases (5a/5b/5c/5d)
+
+### Architecture Decisions Made (via Gemini security analysis)
+* **Transport:** Rust-native WebRTC (`webrtc-rs`) + mDNS local discovery
+* **Pairing:** Magic Wormhole / SPAKE2+ (short human-readable codes like "4-purple-castle")
+* **Encryption:** Double-layer E2E (WebRTC DTLS + application-layer via `ring` AES-256-GCM)
+* **CRDT:** `yrs` crate (Rust port of Yjs), in-memory Y.Doc only — zero persistence
+* **Signaling:** Opaque relay (encrypted blobs, server can't read content)
+* **Session lifecycle:** Dead man's switch, 4h max timeout, key rotation every 30min
+
+### Plan File Location
+`/Users/oliverbaer/.claude/plans/declarative-baking-whistle.md`
+
+## 3. The "Pain" Log (CRITICAL)
+* **Tried:** Initially explored JS-side Yjs + y-webrtc approach
+* **Pivoted:** Gemini recommended Rust-native approach (yrs + webrtc-rs) for security — keeps all sync logic in Rust where memory can be securely wiped
+* **Key insight:** "Don't store any data" constraint eliminates y-indexeddb, localStorage, and any persistence layer. In-memory yrs Y.Doc in Rust process is the only safe option.
+* **Risk identified:** Cross-network sync requires a signaling server. Even as opaque relay, it's an infrastructure dependency. Local-network-first approach mitigates this.
+* *Note:* webrtc-rs `v0.11` is tokio-native and matches existing async patterns. The newer `rtc` crate (Sans-IO) is more flexible but adds complexity — stick with `webrtc-rs` for MVP.
+
+## 4. Active Variable State
+* Working directory: `/Users/oliverbaer/Projects/aurus-voiceintelligence`
+* Build status: `cargo check` clean (0 warnings), `pnpm build` passes
+* Test status: 53/53 frontend (3 test files), 7/7 Rust tests
+* Git: `d68738a` on `main`, 4 commits ahead of origin (not pushed)
+* Plan mode: WAS active, user requested checkpoint before approval
+* Plan file: `/Users/oliverbaer/.claude/plans/declarative-baking-whistle.md`
+
+## 5. Immediate Next Steps
+1. [ ] **Approve plan** — re-enter plan mode, review `declarative-baking-whistle.md`, approve to begin implementation
+2. [ ] **Phase 5a:** Add yrs, uuid, ring, rand to Cargo.toml; create `src-tauri/src/sync/mod.rs`, `document.rs`, `encryption.rs`
+3. [ ] **Phase 5b:** Add mdns-sd, spake2; create `discovery.rs`, `transport.rs`, `pairing.rs`; build pairing UI
+4. [ ] **Phase 5d:** Dead man's switch, session timeout, forward secrecy
+5. [ ] **Phase 5c:** Add webrtc crate; create `webrtc.rs`, `signaling.rs`; deploy signaling relay
+
+### New Cargo Dependencies Needed (7)
+```toml
+yrs = "0.21"
+uuid = { version = "1", features = ["v4", "serde"] }
+ring = "0.17"
+rand = "0.8"
+mdns-sd = "0.11"
+spake2 = "0.4"
+webrtc = "0.11"  # Phase 5c only
+```
+
+### New Files to Create (11)
+**Rust (8):** sync/mod.rs, document.rs, encryption.rs, discovery.rs, transport.rs, pairing.rs, webrtc.rs, signaling.rs
+**Frontend (3):** hooks/useSync.ts, components/SyncPairing.tsx, components/SyncStatus.tsx

.memory/letter_20260206_0003.md

@@ -0,0 +1,51 @@
+# Letter to Myself (Session Handoff)
+
+**Date:** 2026-02-06 03:20 CET
+
+## 1. Executive Summary
+* **Goal:** Design and begin implementing Phase 5 — Privacy-first ephemeral device sync for Aurus Voice Intelligence (Desktop <-> Mobile).
+* **Current Status:** Plan approved by user. Ready to begin Phase 5a implementation (yrs CRDT core + encryption scaffolding). No code written yet for sync — next session starts building.
+
+## 2. The "Done" List (Context Anchor)
+
+### This Session
+* Committed `d68738a` — mobile build compatibility:
+  - `src-tauri/src/lib.rs`: Global shortcut plugin wrapped in `#[cfg(desktop)]`
+  - `src-tauri/Cargo.toml`: Moved `tauri-plugin-global-shortcut` to desktop-only deps, switched reqwest to `rustls-tls`, async-tungstenite to `tokio-rustls-native-certs`
+  - Added Android project scaffolding (`src-tauri/gen/android/`)
+  - Added `.claudeignore`, `.claude/settings.json`, `claude.toml`, `src-tauri/.cargo/config.toml`
+* Explored codebase via subagents (voiceStore data model, platform traits, transcription.rs patterns, TypeScript types)
+* Created comprehensive Gemini research prompt for privacy-first sync security architecture
+* Received and synthesized Gemini security recommendations
+* Wrote full Phase 5 implementation plan at `/Users/oliverbaer/.claude/plans/declarative-baking-whistle.md`
+* Plan approved — ready for implementation
+
+### Architecture Decisions (Finalized)
+* **Transport:** Rust-native WebRTC (`webrtc-rs` v0.11) + mDNS local discovery (`mdns-sd`)
+* **Pairing:** SPAKE2+ via `spake2` crate (short human-readable codes like "4-purple-castle")
+* **Encryption:** Double-layer E2E — WebRTC DTLS (transport) + `ring` AES-256-GCM (application layer)
+* **CRDT:** `yrs` v0.21 (Rust Yjs), in-memory Y.Doc only — ZERO persistence
+* **Signaling:** Opaque relay (encrypted blobs only, server can't read content)
+* **Session lifecycle:** Dead man's switch (15s timeout), 4h max session, key rotation every 30min
+
+## 3. The "Pain" Log (CRITICAL)
+* **Tried:** Initially explored JS-side Yjs + y-webrtc approach
+* **Pivoted:** Gemini recommended Rust-native approach (yrs + webrtc-rs) — keeps all sync logic in Rust where memory can be securely wiped on Drop
+* **Key insight:** "Don't store any data" eliminates y-indexeddb, localStorage, any persistence. In-memory yrs Y.Doc in Rust is the only safe option
+* **Risk:** Cross-network sync needs a signaling server (infrastructure dependency). Mitigated by local-network-first approach
+* *Note:* Use `webrtc-rs` v0.11 (tokio-native), NOT the newer `rtc` crate (Sans-IO adds unnecessary complexity for MVP)
+
+## 4. Active Variable State
+* Working directory: `/Users/oliverbaer/Projects/aurus-voiceintelligence`
+* Build: `cargo check` clean (0 warnings), 53/53 frontend tests, 7/7 Rust tests
+* Git: `d68738a` on `main`, 4 commits ahead of origin (not pushed)
+* Plan file: `/Users/oliverbaer/.claude/plans/declarative-baking-whistle.md` (APPROVED)
+
+## 5. Immediate Next Steps
+1. [ ] **Phase 5a — Step 1:** Add `yrs`, `uuid`, `ring`, `rand` to `src-tauri/Cargo.toml` and verify `cargo check`
+2. [ ] **Phase 5a — Step 2:** Create `src-tauri/src/sync/mod.rs` — SyncManager, SyncState, SyncError, Tauri commands (create_sync_session, join_sync_session, leave_sync_session, get_sync_status, get_pairing_code)
+3. [ ] **Phase 5a — Step 3:** Create `src-tauri/src/sync/document.rs` — yrs Y.Doc setup mapping voiceStore structure (session map, agent result maps, preferences map), observe/apply update functions
+4. [ ] **Phase 5a — Step 4:** Create `src-tauri/src/sync/encryption.rs` — ECDH key agreement, AES-256-GCM encrypt/decrypt for yrs update vectors, nonce management
+5. [ ] **Phase 5a — Step 5:** Register sync module in `src-tauri/src/lib.rs` (SyncManager state + invoke_handler commands)
+6. [ ] **Phase 5a — Step 6:** Create frontend hooks/components — `app/hooks/useSync.ts`, `app/components/SyncStatus.tsx`, add sync fields to `app/store/voiceStore.ts`
+7. [ ] **Phase 5a — Step 7:** Write unit tests for document mapping + encryption round-trip

.memory/letter_20260206_0004.md

@@ -0,0 +1,57 @@
+# Letter to Myself (Session Handoff)
+
+**Date:** 2026-02-06 03:45 CET
+
+## 1. Executive Summary
+* **Goal:** Implement Phase 5a — Core sync infrastructure (yrs CRDT, E2E encryption, Tauri commands, frontend state).
+* **Current Status:** Phase 5a COMPLETE. All code written, 24/24 Rust tests passing (17 new sync tests), 53/53 frontend tests passing. Ready to commit and begin Phase 5b (local network transport).
+
+## 2. The "Done" List (Context Anchor)
+
+### Phase 5a Files Created (Rust)
+* `src-tauri/src/sync/mod.rs` — SyncManager (Arc<Mutex<SyncState>>), SyncState, SyncError enum, SyncStatus enum, PeerInfo struct, 5 Tauri commands (create_sync_session, join_sync_session, leave_sync_session, get_sync_status, get_pairing_code), generate_pairing_code() with word lists, Drop impl that zeros sensitive data
+* `src-tauri/src/sync/document.rs` — SyncDocument wrapping yrs::Doc, Y.Map for each voiceStore section (session, 7 agents, preferences), typed helpers (set_transcript, set_agent_result, get_*/set_* for all fields), encode_state_as_update/apply_update/encode_diff for CRDT sync, snapshot() for emitting full state to frontend, extract_string helper using yrs::Out::Any(Any::String(...))
+* `src-tauri/src/sync/encryption.rs` — SessionEncryption with AES-256-GCM via ring crate, HKDF-SHA256 key derivation from shared secret, counter-based nonces (96-bit), EncryptedEnvelope struct, encrypt/decrypt methods, rotate_key() with HKDF ratchet, Drop impl that zeros all key material
+
+### Phase 5a Files Modified (Rust)
+* `src-tauri/Cargo.toml` — Added yrs = "0.21", uuid (v4, serde), ring = "0.17", rand = "0.8"
+* `src-tauri/src/lib.rs` — Added `pub mod sync;`, SyncManager state initialization in setup(), 5 sync commands in invoke_handler
+
+### Phase 5a Files Created (Frontend)
+* `app/hooks/useSync.ts` — Listens to sync-status-changed and sync-state-updated Tauri events, applies remote state to voiceStore, exposes createSession/joinSession/leaveSession actions
+* `app/components/SyncStatus.tsx` — Connection indicator component (shows pairing code, connected device name, status dot)
+
+### Phase 5a Files Modified (Frontend)
+* `app/store/voiceStore.ts` — Added SyncStatus type, PeerInfo interface, sync fields (syncStatus, pairingCode, pairedDeviceName, syncPeer), sync setters
+
+### Test Results
+* Rust: 24/24 (7 existing + 17 new: 3 sync/mod, 7 sync/document, 7 sync/encryption)
+* Frontend: 53/53 (unchanged, all existing tests still pass)
+
+## 3. The "Pain" Log (CRITICAL)
+* **Tried:** Using `yrs::Value` enum for extracting string values from Y.Map
+* **Failed:** `Value` is deprecated in yrs 0.21 — compiler warns "Use `yrs::Out` instead"
+* **Fix:** Changed to `Out::Any(Any::String(s))` pattern matching
+* **Tried:** Using `txn.get_map()` for read-only access to maps
+* **Failed:** `get_map()` doesn't exist on `Transaction` (ReadTxn) in yrs 0.21
+* **Fix:** Use `transact_mut()` everywhere and `txn.get_or_insert_map()` (requires `WriteTxn` trait import). MapRef is Copy so the mutable borrow is released immediately.
+* **Tried:** Using `v.to_string(&txn)` on Value/Out
+* **Failed:** `to_string` doesn't exist as a method on Out — it's not Display-like
+* **Fix:** Pattern match on `Out::Any(Any::String(s))` directly
+* *Note:* Always import `yrs::WriteTxn` when working with yrs 0.21. Use `Out` not `Value`. Use `transact_mut()` for both reads and writes when accessing named maps.
+
+## 4. Active Variable State
+* Working directory: `/Users/oliverbaer/Projects/aurus-voiceintelligence`
+* Build: `cargo check` clean (0 warnings), `pnpm build` passes
+* Tests: 24/24 Rust, 53/53 frontend
+* Git: `d68738a` on `main`, 4 commits ahead of origin + uncommitted Phase 5a changes
+* Uncommitted files: sync/mod.rs, sync/document.rs, sync/encryption.rs, lib.rs, Cargo.toml, Cargo.lock, voiceStore.ts, useSync.ts, SyncStatus.tsx
+
+## 5. Immediate Next Steps
+1. [ ] Commit Phase 5a changes
+2. [ ] Phase 5b: Add `mdns-sd` and `spake2` to Cargo.toml
+3. [ ] Phase 5b: Create `sync/discovery.rs` — mDNS service announcement + browsing (_aurus-sync._tcp.local)
+4. [ ] Phase 5b: Create `sync/transport.rs` — SyncTransport trait + LocalTransport (WebSocket on LAN)
+5. [ ] Phase 5b: Create `sync/pairing.rs` — SPAKE2+ key exchange with human-readable codes
+6. [ ] Phase 5b: Create `app/components/SyncPairing.tsx` — Pairing UI (code display + input)
+7. [ ] Phase 5b: Wire transport to SyncDocument — send yrs updates through encrypted channel

.memory/letter_20260206_0006.md

@@ -0,0 +1,43 @@
+# Letter to Myself (Session Handoff)
+
+**Date:** 2026-02-06 ~08:35 UTC
+
+## 1. Executive Summary
+* **Goal:** Implement Phase 5d — security hardening for the sync transport (heartbeat, session timeout, forward secrecy)
+* **Current Status:** Phase 5d complete and committed as `140b81a`. All 34 Rust + 53 frontend tests passing. Next: Phase 5c (cross-network WebRTC with signaling relay).
+
+## 2. The "Done" List (Context Anchor)
+* Rewrote `src-tauri/src/sync/transport.rs` with security hardening:
+  - Added constants: `HEARTBEAT_INTERVAL` (5s), `PEER_TIMEOUT` (15s), `SESSION_MAX_DURATION` (4h), `SESSION_WARNING_BEFORE` (15m), `KEY_ROTATION_INTERVAL` (30m)
+  - Added `KeyRotate { epoch: u64 }` variant to `SyncMessage` enum
+  - Changed `run_sync_loop` encryption param from `Arc<SessionEncryption>` to `mut SessionEncryption` (owned, mutable for rotation)
+  - Dead man's switch: tracks `last_peer_activity`, disconnects if > 15s silent
+  - Session timeout: 4h max, emits `sync-session-warning` at 3h45m, `sync-session-timeout` at 4h
+  - Forward secrecy: HKDF key ratchet every 30 minutes, `KeyRotate` message sent before rotation (WebSocket ordering guarantees)
+  - Added `send_msg` helper for cleaner message sending
+  - 2 new tests: `test_key_rotate_serialization`, `test_constants_sanity` (6 total transport tests)
+* Updated `app/hooks/useSync.ts` with 3 new security event listeners:
+  - `sync-heartbeat-timeout` — resets sync state on peer timeout
+  - `sync-session-warning` — stores warning message in store
+  - `sync-session-timeout` — resets sync state on session expiry
+* Updated `app/store/voiceStore.ts`:
+  - Added `syncWarning: string | null` field + `setSyncWarning` setter
+
+## 3. The "Pain" Log (CRITICAL)
+* **Warning:** `let mut encryption = creator.finish(...)` had unused `mut` — the binding doesn't need `mut` because `run_sync_loop` declares its parameter as `mut encryption: SessionEncryption`. Removed the `mut` on the binding.
+* No major issues in Phase 5d — the security code compiled cleanly on first attempt.
+
+## 4. Active Variable State
+* Git: Phase 5d committed as `140b81a` on main. Branch is 7 ahead of origin.
+* Test counts: 34 Rust, 53 frontend = 87 total
+* Commits: 5a (`031c7df`) → 5b (`be74ebd`) → 5d (`140b81a`)
+* Key rotation protocol: sender sends `KeyRotate { epoch }` then calls `encryption.rotate_key()`. Receiver receives `KeyRotate`, checks `epoch > key_rotation_epoch`, then rotates. Both arrive at same key via deterministic HKDF ratchet.
+
+## 5. Immediate Next Steps
+1. [ ] Phase 5c: Cross-network WebRTC with signaling relay
+   - [ ] `src-tauri/src/sync/signaling.rs` — opaque relay client (WebSocket to signaling server)
+   - [ ] `src-tauri/src/sync/webrtc.rs` — WebRTC data channel transport
+   - [ ] Transport auto-selection: try mDNS local first, fall back to WebRTC
+   - [ ] Lightweight signaling relay server (Node.js or Rust)
+2. [ ] Push commits to origin when ready
+3. [ ] Manual integration test: pair two devices on same WiFi