Serenissima

The Talented
Mr Hatten

 

Home Status

  • Home Assistant: v2026.3.4
  • Voice Pipeline: Orion
  • HACS: installed
  • Config Sync: active

Recent Notes & Reminders
Latest Session Update
Session 7 — March 28, 2026
Built Wine Cellar, Finance, and Reminders pages. Set up Cloudflare Access for all domains. Added TOTP 2FA to Remote Terminal. Created butler skill. Installed HACS. Radio automations audited — both target stairs speaker with mutual exclusivity. Landing page redesigned with Art Nouveau aesthetic.
Quick Actions

💡 Lighting — 18 lights

Tuya, OSRAM Zigbee, and ESPHome across every room with scenes and dimming.

  • Kitchen: 2 Tuya ceiling lights
  • Lounge: 2 Tuya + Cosmic (RGB)
  • Office: Tuya + OSRAM + Globe
  • Bedroom: Above Bed + Space Lamp + 2 lamps
  • Corridors: Hallway, Walkway, Bathroom, Attic
  • 3 scenes: Daylight, Evening, Nighttime protocols

🎵 Media

Stream radio to any speaker in the house.


🔔 Doorbell — Aeotec 6

Z-Wave doorbell with 4 configured tones at 30% volume.

  • Ding Dong (5s) — classic doorbell
  • Chimes (7s) — melodic chime
  • Ship Bell (3s) — short nautical ring
  • Jingle (3s) — festive tone
  • 30 total tones available, 4 on dashboard

⚡ Power Grid — 7 switches

Smart outlets with power monitoring — kicker, fan, air filter, attic fan.

  • Kicker + Fan Outlet: watts + kWh tracking
  • Air Filter, Attic Fan, Samjin Outlet
  • Fan Light + Kicker Light dimmers

🌡 Environment — Aranet4

Temperature, humidity, CO2, pressure with 24h trend graphs.

  • Temperature: 10-35°C (alerts above 26°C)
  • Humidity: 0-100% (alerts below 30%)
  • CO2: 400-3000 ppm (alerts above 1000)
  • Pressure: 950-1070 hPa

🔋 Protocols

Z-Wave, Zigbee, Matter, Thread, Wi-Fi, Bluetooth, ESPHome.

  • Z-Wave: Doorbell, smart plugs
  • Zigbee (ZHA): Lights, sensors, buttons
  • Matter/Thread: Future standard (SkyConnect)
  • Wi-Fi: Tuya lights, Chromecast
  • Bluetooth: Aranet4
  • ESPHome: Onju Voice 2

🎤 "OK Nabu"

Wake word (openWakeWord on server)

  • Engine: openWakeWord add-on running on the NUC as a Home Assistant add-on
  • Model: okay_nabu — a pre-trained TFLite neural network that listens for the phonetic pattern "okay nabu" in a continuous audio stream
  • How it works: The Onju Voice 2 (ESP32-S3) runs ESPHome firmware with a microphone (I2S MEMS). It maintains a persistent TCP connection to the openWakeWord add-on. Audio is streamed as 16kHz 16-bit PCM. The model uses a sliding window of ~1.5s of audio, computing mel-frequency cepstral coefficients (MFCCs) and running inference every 80ms
  • Thresholds: threshold: 0.5, trigger_level: 1 — balances false positives vs missed triggers. All three params (threshold, trigger_level, debug_logging) are mandatory in the add-on config
  • Known fix: Pipeline was originally configured with ok_nabu_v0.1 but openWakeWord sends okay_nabu — mismatch fixed in /config/.storage/assist_pipeline.pipelines
  • After restart: Restarting the openWakeWord add-on requires restarting the Onju device AND toggling its wake word switch to re-establish the streaming connection

🗨 Whisper STT

Speech to text (local on NUC)

  • Engine: OpenAI Whisper running as a Home Assistant add-on (Whisper add-on)
  • Model: base model (~140MB) — runs entirely on CPU (i7-8559U). Larger models available but base gives best speed/accuracy tradeoff for the NUC's hardware
  • Processing: Once the wake word triggers, audio is buffered until silence is detected (Voice Activity Detection). The complete utterance is then sent to Whisper as a single WAV chunk
  • Latency: ~500-800ms for a typical command on the i7 NUC. No GPU acceleration — pure CPU inference using ONNX runtime
  • Language: English (en). Whisper supports 99 languages but is configured for English-only for faster inference
  • Privacy: All speech processing happens locally on the NUC. No audio leaves the network. Only the transcribed text is sent to the cloud (Claude) for intent processing

🤖 Ollama + Claude

Intent processing (local LLM + cloud fallback)

  • Primary engine: Ollama running qwen2.5:3b on the NUC — a 3-billion parameter model that handles device commands and general questions locally
  • Configuration: conversation.ollama_conversation entity, URL http://76e18fb5-ollama:11434, context_window=2048, max_history=5
  • keep_alive: Set to -1 (indefinite) — keeps the model loaded in RAM permanently. Warm response ~1.4s, cold load ~3.4s
  • Intent routing: prefer_local_intents=true — device commands (lights, switches, scenes) are handled natively by HA's intent system without hitting any LLM. Only general questions and complex queries go to Ollama
  • Cloud fallback: The Remote Terminal page uses Claude Haiku 4.5 via the Anthropic API for more complex interactions, but the voice pipeline uses Ollama locally for speed and privacy
  • Pipeline name: "Orion" — configured in HA's Assist pipeline settings

🔈 Piper TTS

Text to speech (local on NUC)

  • Engine: Piper TTS add-on — a fast, local neural text-to-speech system built on VITS (Variational Inference with adversarial learning for end-to-end Text-to-Speech)
  • Voice model: English male voice, optimized for natural-sounding smart home responses
  • Speed: Generates speech in ~200-400ms for typical responses. Streams output as 22kHz WAV audio
  • Architecture: Uses a phoneme-based approach — text is first converted to phonemes (pronunciation symbols), then a neural network generates a mel spectrogram, which is converted to audio via a HiFi-GAN vocoder
  • Privacy: Runs entirely on the NUC. No text or audio is sent to external services for speech synthesis

📢 Onju Voice 2

Plays the response (ESPHome speaker)

  • Hardware: ESP32-S3 microcontroller with I2S MEMS microphone and I2S DAC speaker output. Custom PCB designed for voice assistant use
  • Firmware: ESPHome — configured as a media_player entity (not speaker) because the voice_assistant component and media_player share the I2S bus and cannot operate simultaneously
  • Audio output: Receives synthesized speech from Piper as WAV over HTTP, plays through the built-in speaker via I2S DAC
  • Limitation: Cannot play live HTTP streams (like BBC radio) — ESPHome's I2S media_player only supports short audio files (TTS responses). Live streaming requires a Chromecast or similar device
  • Reference config: Based on tetele's Onju Voice 2 ESPHome config (Session 3 setup)
  • Entity: media_player.onju_voice2 — appears in HA as a media player with volume control

End-to-end flow

The Onju Voice 2 maintains a persistent audio stream to the openWakeWord add-on. When "OK Nabu" is detected, the audio pipeline activates: speech is captured until silence, sent to Whisper for local transcription (~500ms), the text is routed through HA's intent system (device commands handled locally) or Ollama for general questions (~1.4s), and the response is synthesized by Piper (~300ms) and played back on the Onju speaker. Total end-to-end latency: 2-3 seconds. All processing except Ollama inference happens on the NUC — no audio leaves the local network.

💻 Intel NUC

i7-8559U, 16GB RAM, 185GB free. Runs HA OS 24/7.

  • CPU: Intel Core i7-8559U — 4 cores / 8 threads, 2.7GHz base / 4.5GHz turbo. Coffee Lake with Iris Plus 655 iGPU
  • RAM: 16GB DDR4 — sufficient for HA OS, Whisper, Piper, Ollama (qwen2.5:3b uses ~2.5GB), and all add-ons simultaneously
  • Storage: 256GB NVMe SSD, 185GB free. HA OS uses ~15GB, Ollama models ~5GB, recordings and backups take the rest
  • OS: Home Assistant OS (HassOS) — a minimal Linux distribution (buildroot-based) that runs HA Core in a Docker container with a Supervisor managing add-ons
  • Network: Gigabit Ethernet on LAN. Accessible at homeassistant.local:8123. Also runs the Ollama HTTP API on port 11434 internally
  • USB devices: SkyConnect (Zigbee/Thread), Z-Wave stick — both connected via USB passthrough to HA OS
  • Power: ~15W idle, ~35W under load. Runs 24/7 with no scheduled downtime

📢 Onju Voice 2

ESPHome voice satellite. Wake word + speaker.

  • SoC: ESP32-S3 — dual-core Xtensa LX7 @ 240MHz with 512KB SRAM. Wi-Fi 802.11 b/g/n + Bluetooth 5 LE
  • Microphone: I2S MEMS mic — captures audio at 16kHz 16-bit for wake word detection and speech capture
  • Speaker: I2S DAC output — plays TTS responses. Cannot share I2S bus with media_player simultaneously (hardware limitation)
  • Firmware: ESPHome with voice_assistant component. Compiled and flashed OTA from HA. Config based on tetele's reference gist
  • Entity: media_player.onju_voice2 — registered as media_player (not speaker) for voice_assistant compatibility
  • Limitation: Can only play short audio files (TTS). No live HTTP stream support — use Chromecast for radio

🎧 Chromecast (Stairs)

Media player for BBC/KissKiss radio streams.

  • Integration: Google Cast — discovered via mDNS on the local network. Entity: media_player.stairs
  • Capabilities: Plays HTTP audio streams (MP3, AAC, HLS). Supports volume control, play/pause/stop via HA REST API
  • Current use: BBC World Service (http://stream.live.vc.bbcmedia.co.uk/bbc_world_service) and KissKiss Radio (https://flufrg.fluidstream.eu/KissKiss.aac)
  • Automations: BBC and KissKiss are mutually exclusive — each automation stops the other before playing. Controlled via input_boolean toggles on the dashboard
  • Note: HomePod/AirPlay speakers are pending — Thread/Matter dongle incoming to connect them properly

🔋 SkyConnect (Zigbee)

USB coordinator for ZHA + Thread/Matter.

  • Hardware: Home Assistant SkyConnect — USB dongle with Silicon Labs EFR32MG21 chip. Supports Zigbee 3.0 and Thread (802.15.4)
  • Zigbee: Runs ZHA (Zigbee Home Automation) integration. Acts as the Zigbee coordinator managing all Zigbee devices (lights, sensors, buttons)
  • Thread/Matter: Can act as a Thread Border Router for Matter devices. Currently awaiting Thread dongle for HomePod integration
  • Firmware: Multi-protocol firmware allows simultaneous Zigbee + Thread, though in practice most setups use one at a time for stability
  • Connected devices: OSRAM Zigbee lights (some removed — dead), Zigbee sensors, buttons. Tuya lights connect via Wi-Fi, not Zigbee

🔋 Z-Wave Stick

USB controller for Z-Wave JS devices.

  • Integration: Z-Wave JS — runs the Z-Wave JS server as an HA add-on. Communicates with devices on the 908.42MHz frequency (US)
  • Protocol: Z-Wave Plus (Gen5+) — mesh networking where mains-powered devices act as repeaters. Range: ~30m indoors per hop
  • Connected devices: Aeotec Doorbell 6 (8 endpoints, 30 tones), smart plugs with power monitoring (watts + kWh)
  • Known issue: Zigbee power sensors sometimes report false 9500W readings — known firmware bug, those sensor entities were deleted

🌡 Aranet4

Bluetooth air quality: temp, humidity, CO2, pressure.

  • Connection: Bluetooth Low Energy (BLE) — pairs directly with the NUC's built-in Bluetooth adapter. Polled periodically by HA
  • Sensors: Temperature (10-35°C), Humidity (0-100%), CO2 (0-9999 ppm via NDIR sensor), Atmospheric Pressure (950-1070 hPa)
  • CO2 sensor: Uses Non-Dispersive Infrared (NDIR) — gold standard for CO2 measurement. Measures actual CO2 concentration, not estimated eCO2
  • Battery: 2x AA batteries, ~2 year life. Reports battery level to HA
  • Alerts: Configurable in HA — CO2 above 1000ppm (ventilate), temperature above 26°C, humidity below 30%

🔔 Aeotec Doorbell 6

Z-Wave doorbell, 30 tones, 8 endpoints.

  • Protocol: Z-Wave Plus — 8 siren endpoints, each configurable with different tones and volumes independently
  • Configured tones: Ding Dong (5s, classic), Chimes (7s, melodic), Ship Bell (3s, nautical), Christmas Tree (3s, festive)
  • Volume: Set to 0.3 (30%) — was 0.0 (silent) on initial setup, fixed in Session 5
  • 30 built-in tones: Each endpoint can play any of 30 pre-loaded sounds. 4 currently mapped to dashboard buttons
  • HA entity: Appears as siren.aeotec_doorbell_6 with multiple endpoints for different trigger zones

📱 Phone + iPad

Mobile companions with battery tracking.

  • Integration: HA Companion App (iOS) — registers as a mobile_app device, reports battery level, charging state, Wi-Fi SSID, and location
  • Sensors: Battery percentage, battery state (charging/not charging), connection type, last update timestamp
  • Notifications: HA can push notifications to the phone via the companion app — used for alerts, doorbell triggers, and automation confirmations
  • Location: Reports GPS coordinates for presence detection (home/away automations)

🔒 git-crypt (Encryption at Rest)

Transparently encrypts sensitive files in the GitHub repo using AES-256-CTR.

  • Algorithm: AES-256-CTR stream cipher — each file is encrypted with a unique nonce derived from the file path, preventing identical plaintexts from producing identical ciphertexts
  • How it works: git-crypt installs as a git filter (clean/smudge). On git push, the "clean" filter encrypts files matching .gitattributes patterns. On git pull, the "smudge" filter decrypts them. Your local working copy is always plaintext
  • Protected paths: secrets/** directory — contains ha-token.secret, cf-access-token.secret, cf-token.secret
  • Key management: Symmetric key stored at /tmp/git-crypt.exe locally and backed up in 1Password vault "Claude Config" as the master key
  • On GitHub: Without the symmetric key, encrypted files appear as binary blobs. Even if the private repo were compromised, secrets remain encrypted
  • Binary: /tmp/git-crypt.exe — downloaded at session start if missing

🔐 1Password (Secret Vault)

Zero-knowledge encrypted vault with CLI access. Every credential has an audit trail.

  • Architecture: 1Password uses SRP (Secure Remote Password) protocol — the master password never leaves your device. Vault data is encrypted with AES-256-GCM using a key derived from your master password + Secret Key (128-bit entropy)
  • Vault: "Claude Config" — dedicated vault for infrastructure credentials, isolated from personal passwords
  • Stored items: HA long-lived access token, Anthropic API key, Netgear RAX80 router password, git-crypt symmetric master key, Cloudflare API tokens
  • CLI access: op command — authenticates via biometric or master password. Read secrets with op read "op://Claude Config/Item Name/field"
  • Audit trail: Every read/write to the vault is logged with timestamp and device. Can detect unauthorized access
  • Session: CLI sessions expire after 30 minutes. Re-authentication required via op signin

📁 GitHub Repo (Version Control)

Private repo with auto-sync, full diff history, and encrypted secrets. Every change is tracked.

  • Repo: github.com/thtltntdmrhttn/claude-config (private) — contains all Claude Code config, skills, memory files, and encrypted secrets
  • Auto-sync: A Claude Code hook fires on every session "Stop" event, running ~/claude-config/sync.sh push — auto-commits changes, pushes to remote
  • sync.sh: Bash script with three modes: push (commit + push), pull (fetch + merge), status (show diff). Copies files bidirectionally between ~/.claude and the repo
  • Git config: Commits as Terence <[email protected]> — no personal email exposed
  • Recovery: Any previous state can be restored via git checkout <commit>. Full history of every config change, skill edit, and memory update since setup
  • Authentication: GitHub CLI (gh) authenticated as thtltntdmrhttn — uses OAuth token stored by gh, not a PAT

☁ Cloudflare Access (Network Gate)

Zero-trust access layer protecting all portal domains with email OTP authentication.

  • Mechanism: Cloudflare Access acts as a reverse proxy — every request to the portal domains must carry a valid CF_Authorization JWT cookie. Unauthenticated requests get redirected to the OTP login page
  • Authentication: Email-based One-Time Password (OTP). User enters email, receives a 6-digit code, enters it to get a signed JWT session cookie
  • Session duration: 720 hours (30 days) — designed as a one-time setup per browser. The portal's own TOTP gate provides per-session security
  • JWT cookie: CF_Authorization — contains email, iat, exp claims. Signed by Cloudflare's keys, verified at the edge on every request
  • Protected domains: thetalentedmrhatten.com, terencelinushatten.com, oliviafrancesmcdowell.com
  • Binding cookie: enable_binding_cookie: true — ties the session to the specific browser/device. Prevents cookie theft from working on another machine
  • Team: bushwick-hq — Cloudflare Zero Trust organization. Account ID: f0425e...

🔒 Portal TOTP (Session Gate)

Time-based One-Time Password required every browser session. Uses Google Authenticator.

  • Standard: RFC 6238 (TOTP) — generates a 6-digit code that changes every 30 seconds based on a shared secret and the current Unix timestamp
  • Algorithm: HMAC-SHA1 over a counter derived from floor(unix_time / 30). The 160-bit HMAC output is dynamically truncated to a 6-digit decimal code
  • Secret storage: Base32-encoded secret stored in localStorage under key tmh-totp-secret. Generated client-side using crypto.getRandomValues() — never sent to any server
  • Verification window: Accepts codes from t-1 to t+1 (90-second window) to account for clock drift between phone and browser
  • Rate limiting: 5 failed attempts triggers a 60-second lockout. Counter resets on successful auth
  • Session scope: Verification stored as an HMAC-signed token in sessionStorage — derived from the TOTP secret, session ID, and date. Cannot be forged without the secret. Closing the tab clears it, requiring re-authentication
  • Setup: First-time users scan a QR code (otpauth:// URI) with Google Authenticator. Issuer: "Bushwick HQ"

🛠 Content Security Policy

HTTP headers and meta tags restricting what the portal can load and execute.

  • script-src: 'self' 'unsafe-inline' https://cdn.jsdelivr.net — only scripts from the portal origin, inline scripts, and jsdelivr (QR code lib) are allowed. No arbitrary external JS
  • connect-src: Whitelisted API endpoints only — Anthropic API, Open-Meteo (weather), Yahoo Finance, CoinGecko, HomeAssistant local. No other outbound requests possible
  • img-src: 'self' data: blob: — images from the portal, data URIs (QR codes), and blob URLs (wine photo capture). No external image loading
  • frame-src: 'none' — portal cannot be embedded in iframes (clickjacking protection)
  • HTTP headers: _headers file on CF Pages adds X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security with preload, Referrer-Policy: no-referrer
  • Referrer: <meta name="referrer" content="no-referrer"> — prevents the portal URL from leaking to external APIs via the Referer header

How secrets flow

When Claude needs to talk to Home Assistant, it reads the long-lived access token from ~/claude-config/secrets/ha-token.secret — a file that exists as plaintext on the local PC but is AES-256 encrypted by git-crypt before being pushed to GitHub. The same token is stored in 1Password vault "Claude Config" as a backup with full audit trail. The portal itself contains zero API keys or tokens — the Remote Terminal's Anthropic API key is entered by the user and stored in the browser's localStorage, sent directly to Anthropic's API with no intermediary server.

Audit Log

🔎 Recent Security Events

📱 Known Devices

Devices that have successfully authenticated. New device logins are flagged in the audit log.

💻 Windows PC (Tier 1: Development)

Claude Code, GitHub CLI, 1Password CLI, git-crypt

  • OS: Windows 11 Home (build 10.0.26200) with bash shell (Git Bash / MSYS2)
  • Claude Code: Anthropic's CLI agent (claude-opus-4-6) running in the terminal. Has full file system access, bash execution, and MCP tool integrations. This is the primary interface for managing the entire system
  • Skills system: Custom skill files in ~/.claude/skills/ — home-assistant.md (HA control), butler.md (life management), ha-api.sh (bash helpers), ha-entity-manager.py (WebSocket CRUD), ha-dashboard-push.py (dashboard config)
  • Memory system: Persistent file-based memory in ~/.claude/projects/C--/memory/ — MEMORY.md (index), session-log.md (history), home-assistant-details.md (entity reference). Loaded at conversation start, persists across sessions
  • Config sync: ~/claude-config/ repo auto-syncs to GitHub on session end via a Claude Code hook. Encrypted secrets stay encrypted in transit
  • Tools: git-crypt (/tmp/git-crypt.exe), jq (/tmp/jq.exe), GitHub CLI (gh), 1Password CLI (op), Python (py launcher)
↓ Wi-Fi / LAN (REST API + WebSocket)

🖥 Intel NUC (Tier 2: Automation + AI)

Home Assistant OS, Whisper, Piper, Ollama, openWakeWord

  • Home Assistant OS: Buildroot-based Linux running HA Core in a Docker container. Supervisor manages add-ons as separate containers. Version 2026.3.4
  • HA Core: Python application (asyncio event loop) managing all integrations, automations, and the entity state machine. REST API on port 8123, WebSocket on /api/websocket
  • Add-ons (containers): Whisper (STT), Piper (TTS), openWakeWord (wake word detection), Ollama (LLM), Z-Wave JS (protocol server), ESPHome (device compiler), HACS (community store)
  • Ollama: Runs qwen2.5:3b — 3B parameter model in ~2.5GB RAM. HTTP API on port 11434 (internal Docker network). keep_alive=-1 keeps model warm
  • Integrations: Z-Wave JS, ZHA (Zigbee), Tuya (cloud), ESPHome (local), Matter (future), Cast (Chromecast), HomeKit, Wyoming (voice protocol)
  • Entity count: 359 entities (cleaned from 1,198) — 18 lights, 7 switches, 1 media player, 3 scenes, 5 automations
  • Communication with PC: Claude Code sends REST API calls (curl) and WebSocket messages (Python scripts) to homeassistant.local:8123 using a long-lived access token
↓ Z-Wave (908MHz) / Zigbee (2.4GHz) / Wi-Fi / BLE / Thread

🏠 Smart Devices (Tier 3: Physical)

18 lights, 7 switches, doorbell, sensors, speakers

  • Zigbee (ZHA via SkyConnect): Lights (OSRAM), sensors, buttons — 2.4GHz mesh network. Each mains-powered device acts as a router, extending range
  • Z-Wave (Z-Wave JS via USB stick): Aeotec Doorbell 6, smart plugs with power monitoring — 908.42MHz mesh network (US frequency)
  • Wi-Fi (Tuya cloud + local): Tuya ceiling lights, RGB lights — connected via Tuya integration. Support full RGB (hs) + color_temp (153-500 mireds)
  • ESPHome (Wi-Fi, local only): Onju Voice 2 — ESP32-S3 with custom firmware. Communicates directly with HA over the local network, no cloud dependency
  • Bluetooth LE: Aranet4 air quality sensor — passive BLE connection to NUC's built-in Bluetooth
  • Cast (Wi-Fi): Chromecast on stairs, Office Speaker 2 — Google Cast protocol for media streaming
  • Pending: HomePod via Thread/Matter (dongle incoming), AC units (GE Profile + Midea), Yamaha receiver
Cloud Services

☁ Anthropic API

Claude models powering voice assistant and remote terminal.

  • Voice pipeline: Ollama (qwen2.5:3b) handles most queries locally. Claude is available as a cloud fallback for complex reasoning
  • Remote Terminal: Claude Haiku 4.5 via direct API calls from the browser. API key stored in localStorage, sent with each request via fetch() to https://api.anthropic.com/v1/messages
  • Claude Code: Claude Opus 4.6 running locally as the development agent. Manages the entire infrastructure through bash, file editing, and MCP tools
  • No intermediary: All API calls go directly from the client (browser or CLI) to Anthropic. No proxy server, no data logging

☁ GitHub

Private repos for config backup and portal hosting source.

  • claude-config repo: thtltntdmrhttn/claude-config (private) — all Claude Code settings, skills, memory files. Auto-synced on session end
  • Portal repo: thtltntdmrhttn/thetalentedmrhatten — source for the portal website. Pushes to master trigger automatic Cloudflare Pages deployment
  • Authentication: GitHub CLI (gh) using OAuth device flow. Git operations use HTTPS with credential helper
  • Encryption: git-crypt encrypts secrets/ directory in claude-config repo. All other files are plaintext in the private repo

☁ Cloudflare

Pages hosting, Access authentication, DNS, and edge security for all domains.

  • Pages: Static site hosting with automatic deploys from GitHub master branch. Build: none (static HTML). Preview URLs generated for each commit
  • Access: Zero-trust authentication layer. Email OTP login, JWT session cookies, binding cookies for device-level security
  • DNS: Manages thetalentedmrhatten.com, terencelinushatten.com, oliviafrancesmcdowell.com
  • Edge: DDoS protection, TLS termination, HTTP/2, Brotli compression — all handled at Cloudflare's edge before requests reach Pages
  • Team: bushwick-hq (Zero Trust org). Account ID: f0425e78...

☁ 1Password

Zero-knowledge vault for all infrastructure credentials with CLI access.

  • Vault: "Claude Config" — isolated vault for infrastructure secrets only
  • Items: HA long-lived access token, Anthropic API key, Netgear RAX80 password, git-crypt master key, Cloudflare API tokens
  • CLI: op read "op://Claude Config/Item/field" — used by Claude Code to load secrets at runtime without hardcoding them
  • Encryption: AES-256-GCM with keys derived from master password + Secret Key (128-bit). Zero-knowledge architecture — 1Password cannot decrypt your data
Glossary

  • Home Assistant (HA): Open-source software connecting all smart devices. Like a Bloomberg Terminal for your house.
  • Z-Wave / Zigbee: Low-power wireless protocols for smart devices. They create mesh networks where devices relay signals.
  • ESPHome: Custom firmware for microcontrollers. The Onju Voice runs on it — a tiny dedicated computer for one job.
  • git / GitHub: Version control. Like "track changes" in Excel but for config files. GitHub is the cloud storage.
  • git-crypt: Encrypts files in git. Scrambles them before upload, unscrambles on download. Transparent.
  • API: How programs talk to each other. When Claude controls lights, it sends API calls to HA.
  • Token: A long password for software-to-software auth. Like a building access card but digital.
  • CLI: Text-based interface for software. More powerful than clicking buttons.
  • NUC: Intel's small PC (paperback-sized). Runs 24/7 as the home server.
  • Matter / Thread: New universal smart home standard backed by Apple, Google, Amazon.
  • Webhook: An automatic notification between systems. "When X happens, tell Y about it."
  • Docker / Container: A way to run software in isolated packages. Like having separate drawers for each app.

Architecture Overview

💻 Local Development

Single HTML file edited via Claude Code on Windows PC

↓ git push

☆ GitHub Repository

thtltntdmrhttn/thetalentedmrhatten (public repo)

↓ auto-deploy on push

☁ Cloudflare Pages

Static hosting, global CDN, custom domain

↓ Cloudflare Access

🔒 Email-Based Login

Only authorized emails can access the site

Deployment Stack

🌐 Domain

thetalentedmrhatten.com — registered through Cloudflare Registrar (at-cost pricing, no markup). DNS managed directly in Cloudflare.

⚡ Cloudflare Pages

Free static site hosting. Connected to GitHub — every push to the master branch triggers an automatic rebuild and deploy within seconds.

🔒 Cloudflare Access

Zero Trust authentication layer. Users must verify via email OTP before seeing any content. No passwords stored — Cloudflare handles the auth flow.

📦 GitHub Repo

Source code lives in thtltntdmrhttn/thetalentedmrhatten. The public/ folder contains the site. Cloudflare's GitHub App has read-only access to this repo only.

Security Model

🛡 Access Control

Cloudflare Access acts as a reverse proxy. Before any page content loads, visitors must authenticate via a one-time code sent to an approved email address.

🔐 No Secrets in Code

This portal contains no API keys, tokens, or passwords. All sensitive data stays in 1Password and git-crypt encrypted files on the local machine.

🌎 Edge Security

Cloudflare provides DDoS protection, SSL/TLS encryption, and WAF (Web Application Firewall) on the free tier. All traffic is proxied through their network.

🔑 GitHub App Scope

Cloudflare's GitHub integration is limited to the thetalentedmrhatten repo only. It cannot access the private claude-config repo or any other repos.

How to Update the Site

📝 Workflow

  1. Edit public/index.html locally (via Claude Code or any editor)
  2. Commit and push to GitHub: git add -A && git commit -m "update" && git push
  3. Cloudflare Pages auto-deploys within ~30 seconds
  4. Visit thetalentedmrhatten.com to verify
FT.com Integration

📰 Financial Times

Connect your FT.com subscription for premium market data and analysis.

FT API key stored in browser only. Used for premium content access.