Migracija Nikita + Ana + WhatsApp MCP na jura-server

Kompletna seoba dva ClaudeClaw Telegram bota (Nikita za Juru, Ana za Zlatka Krešića) s glavnog Plesk servera na novu Plesk-less platformu. Plus duplicirani WhatsApp MCP bridge i multi-account Claude Code (3 accounta).

Datum: 2026-05-16 Trajanje: ~2 h aktivnog rada Downtime: ~5 min/bot Status: Done

TL;DR. Bots-prebačeni na jura-server (178.105.131.67), oba aktivna sa Memory v2 + cron + GWS/Himalaya credentials preserved. WhatsApp bridge paralelni na novom (drugi linked device, glavni ostao aktivan dok ne migrira first5labs ERP). Sve hardened (systemd ProtectSystem, ReadWritePaths trimmed, fail2ban, Hetzner FW). Otkriven + dokumentiran session-flush gotcha za buduće bot migracije.

Sadržaj

Kontekst i ciljevi
Arhitektura jura-servera
Faze migracije (kronološki)
Što je instalirano
Bot infrastruktura
Multi-account Claude Code
WhatsApp MCP (paralelni bridge)
Security posture
Lessons learned / gotchas
Sljedeći koraci
Quick reference (komande + paths)

1. Kontekst i ciljevi

Glavni server server.2klika.eu hosta 19+ vhostova (Plesk panel, Apache/Nginx, PHP-FPM po verziji). Najteži klijent — first5labs ERP — raste, deserves vlastiti server. Jura je kupio drugi Hetzner. Cilj: clean split.

Ova migracija pokriva samo bots: Nikita (Jurin AI asistent), Ana (Zlatko Krešić, Jurina desna ruka), WhatsApp MCP. ERP migracija dolazi posebno (~30 min downtime, kasnu večer).

Zašto Plesk-less?

Claude Code je panel. Modifikacije konfigurirane su preko CLI (add-vhost), git i SSH — bez konflikta s panelom.
Caddy umjesto nginx+certbot: auto Let's Encrypt, 1 config file, manje moving parts.
Docker CE umjesto docker.io: novija verzija, službeni upstream.
Per-vhost sysuser (vh-<slug>) auto-kreiran od add-vhost skripte — isti pattern kao Plesk, bez Pleska.

2. Arhitektura jura-servera

Internet (Hetzner Cloud Firewall: 6222, 80, 443 only) │ Caddy v2 ←─── /etc/caddy/Caddyfile + sites.d/*.caddy │ Auto Let's Encrypt SSL ┌────┼────┐ │ │ │ Docker Static Reverse-Proxy apps files to local port │ (/opt/vhosts/<slug>/public/) │ PostgreSQL / SQLite / etc. (per-vhost docker-compose) Bot infrastructure (systemd, isolated): /opt/nikita/ → @jura_nikita_bot (Jurin asistent) /opt/ana/ → @ana_zlatko_bot (Zlatkov asistent) /opt/whatsapp-mcp/ → bridge :8080 → MCP za Janu Flego

Ubuntu 24.04.4 LTS

Hetzner default

CPU/RAM/Disk

— · 15 GB · 150 GB

5% korišteno (138 GB free)

SSH port

6222

ED25519 key-only, no password

Firewall

Hetzner Cloud

22, 80, 443 ONLY · UFW off

3. Faze migracije (kronološki)

2026-05-15 M0 — Server hardening. ED25519 SSH key + modern ciphers, fail2ban (smart bantime), hostname=jura-server, TZ=Zagreb, unattended-upgrades.
2026-05-15 M1 — Web/proxy stack. Caddy 2.11.3, Docker CE 29.5.0 + Compose v5.1.3, Node 22.22.2.
2026-05-15 M2 — Vhost framework. add-vhost / remove-vhost / list-vhosts CLI; per-vhost sysuser (vh-<slug>); end-to-end tested 4×.
2026-05-16 08:00 M3 — Monitoring + CLAUDE.md. disk-guardian, docker-health, server-health cron (commented, čeka Telegram alerts).
2026-05-16 09:30 M_PRE — CLI alati + accounti. claude 2.1.143 + gws 0.22.5 + himalaya 1.2.0 + graphify 0.8.5 + uv 0.11.14. Rsync /root/.claude/ (skills/agents/plugins/hooks) + /root/.claude-acc2/ (Jurin credentials). 3 account dirs setup.
2026-05-16 09:43 M_NIKITA — Bot seoba. Stop → SQLite .backup → rsync (sans node_modules + venv) → clean DB import → npm install → Python venv regen → adjusted systemd unit → start. Downtime: ~5 min.
2026-05-16 09:47 M_ANA — Bot seoba. Isti pattern. Pre-mig backup .env + service unit. Downtime: ~5 min.
2026-05-16 09:49 M_WA — WhatsApp MCP duplicate bridge. Rsync code + Go binary (19 MB) + Python MCP server bez session DB-a. Fresh QR scan (Josipov telefon) → drugi linked device. Glavni bridge ostao aktivan.
2026-05-16 10:00 Fix: stale session IDs. Otkriveni "No conversation found" errori za chatId Jure (Nikita) i Zlatka (Ana). Proactive DELETE FROM sessions u oba bot DB-a → iduća poruka kreće fresh. Dokumentirano u memory.
2026-05-16 10:15 M_CLAUDEMD — Server-specific docs. Doraditi /root/CLAUDE.md na jura-serveru (591 linija): RULES s glavnog (#-1, #0, #0b), Radionica v4.1 reference, LEGO princip, Expert Validation, multi-account, bot infrastructure. Bez Plesk reference.
2026-05-16 10:24 M_WA pairing complete. QR scan uspješan (38598781506:89). Bridge sync chats (DevOps Club, CroAI general, Slanica…). Whitelist Jan Flego intact.
2026-05-16 10:27 M_REPORT — Ovaj report. Vhost server.first5labs.eu (static) + HTML report deploy.
… M_TEST — Smoke test. Josip test /start oba bota + WhatsApp ping Jani.

4. Što je instalirano

Component	Verzija	Source	Purpose
Ubuntu	24.04.4 LTS	—	Base OS
OpenSSH	system	apt	SSH (key-only, port 6222)
fail2ban	system	apt	SSH brute-force protection
Caddy	2.11.3	cloudsmith stable	Web server + auto SSL
Docker CE	29.5.0	docker.com	Container runtime
Docker Compose	v5.1.3	docker.com	Orchestration
Node.js	22.22.2	NodeSource	JS runtime (botovi, gws)
Python	3.12.3	apt	Scripting + MCP servers
Go	1.26.3	/usr/local/go	WhatsApp bridge (whatsmeow)
uv	0.11.14	astral.sh	Python tool installer
Claude Code	2.1.143	rsync from main	AI CLI
gws	0.22.5	`@googleworkspace/cli` (npm)	Google services (Drive/Gmail/Calendar)
himalaya	1.2.0	binary (musl)	IMAP/SMTP (business email)
graphify	0.8.5	`uv tool install graphifyy`	Knowledge graph (Radionica integracija)
qrencode	system	apt	WhatsApp QR generation

Shared resources

U /opt/claude-shared/ (640 MB) — read-only za botove:

skills/ — 11 shared skills (radionica, dev-quality, handoff, huashu-design, graphify, image-creator, ui-ux-pro-max, react-best-practices, cleanup, linear-task, send-email, unsubscribe-newsletter)
walle-memory-v2/ — Memory v2 hybrid search util (FTS5 + sqlite-vec + Gemini embeddings), file: linked iz oba bot package.json-a
hooks/ — SessionStart, PreCompact memory compiler
opensrc/ — Dependency context cache

5. Bot infrastruktura

Bot	Owner	Telegram	Claude account	RAM	Service
Nikita	Jura Šandrk (First5Labs CEO)	`@jura_nikita_bot`	.claude-acc2 (Jurin Max)	117 MB	`nikita.service`
Ana	Zlatko Krešić (Jurina desna ruka)	`@ana_zlatko_bot`	.claude-acc2 (shared)	190 MB	`ana.service`
WhatsApp bridge	Josip (za Janu Flego u first5labs)	—	—	61 MB	`whatsapp-bridge.service` :8080

Po-bot izolacija (systemd hardening)

ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
RestrictSUIDSGID=true
ReadWritePaths=/opt/<bot> /root/.claude-acc2 /var/log /run
ReadOnlyPaths=/opt/claude-shared
InaccessiblePaths=/home /root/.ssh

# Per-bot environment
Environment=CLAUDE_CONFIG_DIR=/root/.claude-acc2
Environment=GOOGLE_WORKSPACE_CLI_CONFIG_DIR=/opt/<bot>/.config/gws
Environment=GOOGLE_WORKSPACE_CLI_KEYRING_BACKEND=file
Environment=HIMALAYA_CONFIG=/opt/<bot>/.config/himalaya/config.toml
Environment=SKILLS_DIR=/opt/<bot>/skills

# Resources
MemoryMax=2G  MemoryHigh=1.5G  TasksMax=300

Cron entries

File	Frequency	Što radi
`/etc/cron.d/nikita-promo-cleanup`	every 2h	Gmail promo cleanup (Jurin)
`/etc/cron.d/nikita-update`	daily 04:00	Claude Code SDK auto-update
`/etc/cron.d/ana-update`	daily 04:00	Claude Code SDK auto-update
`/etc/cron.d/whatsapp-bridge-health`	every 30 min	Bridge health check (alert via Molly)

Migration data

Nikita

3 memories · 12 skills

681 MB · DB integrity ok

Ana

2 memories · 11 skills

770 MB · DB integrity ok

6. Multi-account Claude Code

Tri account-direktorija pripremljena na jura-serveru:

Direktorij	Account	Purpose
`/root/.claude`	Jurin (info@first5labs.eu)	Default: Josipov interaktivni rad na jura
`/root/.claude-acc2`	Jurin clone (info@first5labs.eu)	Botovi (Nikita+Ana) pišu odavde — hardcoded u systemd
`/root/.claude-acc3`	— (empty)	Rezerva: Josipov osobni Gmail kad rate-limit hit (`claude /login`)

Sva tri imaju chmod 700 root:root. .credentials.json 600. .claude-acc2 ima 15 apsolutnih symlinkova na /root/.claude/ (agents, skills, hooks, plugins, commands, rules, docs, etc.) — shared infrastructure.

PATH sustavski dostupan preko /etc/profile.d/local-bin.sh (claude/graphify/uv u /root/.local/bin/).

7. WhatsApp MCP (paralelni bridge)

WhatsApp dozvoljava do 4 linked devices po accountu. Strategija: dupliciraj — glavni bridge ostane aktivan, jura-server postaje drugi linked device. Kad first5labs ERP migrira, glavni gasimo, jura nastavlja.

Paired: 38598781506:89@s.whatsapp.net — Josipov broj kao 89. linked device. Bridge sync-ao history kontakata + chatova (DevOps Club, CroAI general, Product Club, Slanica, OG 2 zajebancija, …).

Stack

Bridge (Go, whatsmeow) — /opt/whatsapp-mcp/whatsapp-bridge/whatsapp-bridge (19 MB binary, port 8080)
MCP server (Python, uv-managed) — /opt/whatsapp-mcp/whatsapp-mcp-server/ (stdio interface za Claude Code, on-demand pokretanje)
Whitelist — /opt/whatsapp-mcp/whitelist.json (samo 21522450243772@lid = Jan Flego) — fail-closed
CLI — whatsapp-allowlist {list,add,remove} za upravljanje whitelistom bez restart-a
Health cron — /etc/cron.d/whatsapp-bridge-health svakih 30 min, alert preko Molly Telegram bota

8. Security posture

✓ SSH ED25519 key-only, password disabled, port 6222 (less attack surface)
✓ Modern ciphers: chacha20-poly1305, AES-GCM only
✓ Modern KEX: curve25519-sha256, dh-group16/18-sha512
✓ fail2ban smart bantime increment, 4× scale per repeat
✓ unattended-upgrades (security only, auto-reboot 04:30 if needed)
✓ Caddy HTTP/3 + auto HSTS + security headers (HSTS, XFO, XCTO, Referrer-Policy)
✓ Hetzner Cloud Firewall: 6222 + 80 + 443 ONLY inbound
✓ UFW namjerno isključen (Hetzner FW je autoritativni)
✓ Bot systemd hardening: ProtectSystem=strict, PrivateTmp, ReadWritePaths trimmed, InaccessiblePaths /home + /root/.ssh
✓ Per-bot GWS keyring (file backend, GOOGLE_WORKSPACE_CLI_KEYRING_BACKEND=file) — isolated od Josipovog
✓ WhatsApp whitelist fail-closed (empty list = 0 results)

Backup: Hetzner Cloud Backup enabled (~€7/mo). Plus per-project daily DB dumps. Migration secrets backup u /root/migration-secrets-2026-05-16/ (chmod 600).

9. Lessons learned / gotchas

Gotcha 1: tsx u devDependencies, koristi se u runtime. Bot ExecStart=/usr/bin/node --import tsx src/index.ts ne radi s npm install --omit=dev. Treba full npm install (uključuje tsx). Memory action item: premjestiti tsx u dependencies u package.json botova.

Gotcha 2: mcp-image-gen bez requirements.txt. Python venv ima deps install-ane direktno (bez pinned requirements). Workaround: pip freeze > requirements.txt na glavnom, scp na novi, regen venv. Memory action: dodati requirements.txt u repo.

Gotcha 3: systemd InaccessiblePaths sadrži non-existent paths. Bot systemd na glavnom referencira /var/www/vhosts i /root/.claude-walle — ne postoje na jura. Trim za jura-server: InaccessiblePaths=/home /root/.ssh (samo realno postojeći).

Gotcha 4 (KRITIČNO): Stale Claude session IDs nakon migracije. Bot pamti Claude Code session ID per chat u SQLite. Pri migraciji DB se kopira (session IDs preservane), ALI .claude-acc2/projects/ i sessions/ ne migriraju (ephemeral state). Prva poruka u svakom chatu pada s "No conversation found with session ID". Bot kaže "Session cleared" ali poruku ne odgovara. Fix: sqlite3 /opt/<bot>/data/<bot>.db "DELETE FROM sessions;" PRIJE prvog start na novom serveru. Dokumentirano u memory reference_bot_migration_session_flush.md.

Lesson: WhatsApp dozvoljava 4 linked devices. Paralelne bridge instalacije su moguće (svaka sa svojim QR scanom). Različite session DB-ovi, isti broj. Idealno za zero-downtime migracije.

Lesson: Per-server CLAUDE.md prilagodba. Glavni CLAUDE.md ima Plesk-specifične sekcije (System Users tablica, Project Routing s 19+ vhostova). Na jura-server-u to ne vrijedi — drugačiji stack (Caddy + Docker + bash). Rješenje: server-specifični /root/CLAUDE.md (591 linija) koji NASLJEDUJE pravila s glavnog (RULES #-1, #0, #0b, LEGO, Radionica) ali ima vlastiti context (vhost framework, bot infrastructure, multi-account).

10. Sljedeći koraci

Task	Trajanje	Downtime	Kada
Smoke test — /start oba bota + WhatsApp Jan ping	5 min	—	Sad (Josip)
first5labseu migracija (static Astro site)	~20 min	0	Bilo kada
first5labs ERP migracija (CRITICAL)	~30 min	~30 min	Subotom ujutro ili kasnu večer
DNS TTL 300s na MyDataKnox za first5labs.eu	5 min	0	24h PRIJE first5labs migracije
Telegram alerts setup (`/root/secrets/telegram-alerts.env`)	5 min	0	Asap (za health checks)
Disable WhatsApp bridge na glavnom (nakon first5labs migracije)	1 min	~10 sec (rare)	Nakon first5labs
`/opt/server-config/` → git remote (off-server backup)	15 min	0	Bilo kada

11. Quick reference

Operativne komande

# SSH iz glavnog servera
ssh jura-server

# Bot management
systemctl status|restart|stop nikita | ana | whatsapp-bridge
journalctl -u nikita -f

# DB integrity (bilo kada)
sqlite3 /opt/nikita/data/nikita.db "PRAGMA integrity_check;"

# WhatsApp
whatsapp-allowlist list | add <jid> | remove <jid>

# Vhost
add-vhost <domain> static|proxy|docker [opts]
list-vhosts
remove-vhost <slug> [--keep-data]

# Logs
journalctl -u caddy -f
tail -f /var/log/caddy/<slug>.access.log | jq
fail2ban-client status sshd

Bitne lokacije

Path	Što
`/root/CLAUDE.md`	Server-specific Claude rules (591 linija)
`/opt/server-config/`	Vhost framework + monitoring (git, source na glavnom)
`/opt/vhosts/<slug>/`	Per-vhost root (public/, logs/, tmp/, data/)
`/opt/nikita/, /opt/ana/, /opt/whatsapp-mcp/`	Botovi
`/opt/claude-shared/`	Skills/hooks/memory shared (read-only za botove)
`/root/.claude{,-acc2,-acc3}/`	Multi-account Claude Code
`/root/secrets/`	API keys, Telegram tokens (chmod 700)
`/root/migration-secrets-2026-05-16/`	Migration .env backups (chmod 600)
`/etc/caddy/sites.d/`	Per-vhost Caddy blocks (auto-managed)
`/etc/systemd/system/`	nikita.service, ana.service, whatsapp-bridge.service
`/etc/cron.d/`	nikita-promo-cleanup, *-update, whatsapp-bridge-health
`/var/log/caddy/`	Caddy access logs (JSON, rotated)

Generirano s Claude Code · Author: Josip + Claude · jura-server (178.105.131.67)
Source workspace: (glavni server) /root/jura-server-setup/ · Last update: 2026-05-16