Skip to content

Credentials

Note on runtime references (2026-05-20): Some sections below reference OpenClaw config paths (e.g., .openclaw/...) and Pi-E token-sync mechanics that pre-date the 2026-05-20 OpenClaw retirement. The credential entries themselves (Bitwarden names, admin accounts, rotation cadence) remain accurate; OpenClaw paths should be read as historical artifacts — current agents Pi-E and Volt-E (and iBuild-E on launchd) run on agent-runner and use the token paths documented in agent-token-sync.md; Review-E now runs in the GCP k3s cluster (rig-agent-runtime) with a cluster-managed credential.

Credential inventory with Bitwarden entry names. NEVER store actual secrets in this file.

Admin Accounts

Account Purpose
invotekas@gmail.com Invotek admin — Cloudflare login, Tailscale login, Cloudflare Access
codiedev42@gmail.com Dev/project — Bitwarden, Xcode Cloud notifications, Google Drive
post@stigjohnny.no Personal — vCluster Platform access

Bitwarden Configuration

Setting Value
Server vault.bitwarden.eu (EU)
Email codiedev42@gmail.com
Unlock See memory MCP (get_context(project: "global", key: "bitwarden_unlock"))

Credential Inventory

GitHub

Bitwarden Entry Purpose Used By Expiry
GitHub PAT (Claude) Legacy PAT — EXPIRED Was used by Docker runners Expired
GitHub OAuth Token OAuth token for gh CLI Docker runners (.env as GITHUB_TOKEN)
RELEASE_PAT Review-E PAT for release PR auto-approval dashecorp dashe-* + dashe-cutie (via OpenTofu in dashecorp/infra) 2026-05-30 (EXPIRED — rotation pending, #23)
codi-e-bot App PEM (ORCHESTRATOR_BOT_PEM) Read-only GitHub App (ID 4127706, @dashecorp) for orchestrator cross-org reads; replaced the expired GH_PAT claude-3 monitor-infra.yml + build-unified-docs.yml (mint per-org tokens via actions/create-github-app-token) App key (no expiry) — must be PKCS#8 (#765)

GitHub App PEMs: Stored locally on each agent host, not in Bitwarden. See .claude/skills/github-apps/SKILL.md for paths. Exception: the codi-e-bot App PEM is also held as the ORCHESTRATOR_BOT_PEM repo secret on Stig-Johnny/claude-3 (Bitwarden entry codi-e-bot); actions/create-github-app-token requires it in PKCS#8, so convert PKCS#1 keys before upload — runbook docs/runbooks/ops-e-reset-orchestrator-bot-pem.md.

Apple / App Store Connect

Bitwarden Entry Purpose Used By
App Store Connect API Key ASC API (issuer ID, key ID, private key) appstoreconnect-mcp
Apple ID (u7232055051@gmail.com) ASC portal login, Xcode signing Browser automation

Cloud Services

Bitwarden Entry Purpose Used By
Cloudflare API Token Cloudflare API access cloudflare MCP, GitHub Actions
OpenAI API Key (Claude) DALL-E image generation, Nutri-E workers Blog images, Nutri-E
Google Service Account Key Play Store deployment dashe-reward-e Android

Cloudflare account facts (non-secret): account ID 59710bf016d417f860051f1f00b00258 (dashboard identifier). The local wrangler OAuth token lives at ~/.config/.wrangler/config/default.toml on the operator machine (not in Bitwarden); the Cloudflare API Token above is what the cloudflare MCP + CI use.

Messaging / Notifications

Bitwarden Entry Purpose Used By
Discord Bot Token (Codi-E) Codi-E Discord bot discord MCP
Discord Bot Token (Pi-E) Pi-E Discord bot Pi-E agent-runner
Discord Bot Token (Volt-E) Volt-E Discord bot Volt-E agent-runner
Discord Bot Token (Review-E) Review-E Discord bot Review-E agent-runner
~~Discord Bot Token (ATL-E)~~ ~~ATL-E Agent bot~~ — retired 2026-05-20 (ATL-E replaced by rig-conductor + rig-planner)
Telegram Bot Token Telegram notifications (legacy) telegram-notifications-mcp
Pushbullet API Key SMS forwarding pushbullet-sms-mcp

Revenue / Subscriptions

Bitwarden Entry Purpose Used By
RevenueCat API Key Subscription management revenuecat MCP

GCP

Resource Value
Infra Project invotek-github-infra
Service Account github-actions@invotek-github-infra.iam.gserviceaccount.com
Auth Workload Identity Federation (keyless, no secret needed)
Billing Account 015BBC-422A59-EB7AF4

Agent Authentication Methods

All agents share ONE Claude Max subscription: invotekas@gmail.com (max tier).

Agent Claude Auth GitHub Auth How Token Stays Alive
Codi-E / Claude-4/5/6 Local Claude Max User's gh CLI Manual claude auth login
Pi-E OAuth (invotekas@gmail.com) pie-agent-bot GitHub App Claude cron job (3-day keepalive)
Volt-E OAuth (invotekas@gmail.com) volt-e-agent-bot GitHub App Claude cron job (3-day keepalive)
Review-E OAuth (invotekas@gmail.com) review-e-bot GitHub App Cluster-managed (GCP k3s rig-agent-runtime)
iBuild-E Local Claude Max ibuild-e-bot GitHub App Local LaunchAgent

Token Lifecycle

  1. Primary: Each Pi/VPS remote agent (Pi-E, Volt-E) runs a Claude cron job that keeps the OAuth token alive for 3 days by refreshing it automatically. (Review-E runs in GCP k3s and uses a cluster-managed credential, not this cron path.)
  2. Bootstrap/Fallback: M4 MacBook pushes tokens via push-claude-creds.sh (LaunchAgent, every 5 min). Only pushes when local token is newer than remote. Used to bootstrap new agents or recover from expiry.
  3. Emergency: VNC into agent host, run claude login to get a fresh token directly.

Token Sync Infrastructure

LaunchAgents on MacBook Air M4: - com.invotek.push-claude-creds — pushes OAuth to Pi-E only on credential change + 5-min interval (Volt-E disabled — it uses interactive claude login + VNC; Review-E migrated to GCP k3s and is no longer a push target) - com.invotek.refresh-github-tokens — generates fresh ghs_ GitHub App tokens every 30 min - ~~ai.invotek.claude3.token-sync — additional token sync~~ (DISABLED 2026-03-26) - ai.invotek.claude3.heartbeat — heartbeat check

Push targets (from script): - Pi-E: claude@100.107.48.17 (key: rpi-claude), path: /home/claude/.openclaw/agents/main/agent/auth-profiles.json - Volt-E: root@100.111.142.118 (key: vps-srv1099021), path: ~/.claude/credentials.json (agent-runner) - Review-E: migrated to GCP k3s (rig-agent-runtime) — credential is cluster-managed, no longer pushed to Pi4-02

Note: iBuild-E manages its own token via environment variable in ~/.zshrc and ai.invotek.mac-executor.plist LaunchAgent (disabled com.invotek.ibuild-e.token-sync), not through the push script.

Pi-E Token Watchdog: Cron every 5 min, Discord alert 1hr before OAuth expiry.

Rotation Schedule

Credential Rotation Next Due
RELEASE_PAT Manual (Review-E PAT) 2026-05-30 (EXPIRED — rotation pending, #23)
GitHub App tokens Auto (1hr lifetime, refreshed every 30min)
OAuth tokens Auto (refreshed by push script / VNC login)
Cloudflare API Token Manual Check Bitwarden
ASC API Key Manual Check Bitwarden

Expired / Deprecated

Entry Status Notes
GitHub PAT (Claude) (ghp_*) EXPIRED Replaced by OAuth + GitHub Apps
Telegram Bot Token Deprecated Discord preferred, Telegram still configured