SECRET-INVENTORY.md

# Secret inventory — do not store values here

This file lists categories of secrets required for full restoration. Store actual values in a password manager or provider dashboard, not in Git.

## Required for normal operation

- Telegram bot token
- OpenClaw gateway/auth credentials if externally exposed
- Model/provider credentials or OAuth sessions
- GitHub authentication for `BeViable42`
- SSH key or deploy key for GitHub access from the VPS

## Optional / project-specific

- Vercel token
- Cloudflare API token
- Supabase access tokens/database passwords
- Expo/EAS credentials
- Domain registrar credentials

## Rotation guidance

If this VPS is suspected compromised:

1. Revoke GitHub CLI token.
2. Remove `openclaw-ubuntu-kompis` SSH key from GitHub.
3. Rotate Telegram bot token via BotFather.
4. Rotate model/API provider keys.
5. Rebuild VPS from scratch.
6. Re-auth only after rebuild.