Itachi Credential Store
REFERENCE — consult when locating credentials or wiring scripts. See how-to_fix-vaultwarden-tls-cert for cert repair procedure.
Store location
| Layer | Path | Access | Status |
|---|---|---|---|
| Vaultwarden (PRIMARY) | Docker in CT103, port 443 | bw get notes [name] --session $BW_SESSION | Canonical — 36 live items (37 migrated 2026-06-09; bq_token + gdrive_token deleted to trash 2026-06-11; gmail_oauth_client added 2026-06-11) |
| bw session cache | /root/.bw_session on Z2 host | BW_SESSION=$(cat /root/.bw_session) | Active — unlock with bw unlock --raw |
| File store (deleted) | /opt/itachi/credentials/ on CT103 | — | DELETED 2026-06-09 — directory empty |
| ct102 runtime cache | /opt/itachi/credentials/ on ct102 | read directly by mail-poller | LIVE — 5 mail files + gmail_oauth_client.json (mode 600); same-named as the deleted CT103 dir but a separate, active directory |
Vaultwarden: running as Docker container in CT103 (itachi-security). Migration of 37 credentials completed 2026-06-09. Flat file store at /opt/itachi/credentials/ on CT103: deleted 2026-06-09, directory empty. ct102 keeps its own /opt/itachi/credentials/ as the mail-poller's runtime cache — Vaultwarden remains the canonical copy of those items.
Credential intake: bw CLI on Z2 host, writing directly to Vaultwarden. The former bw-add-credential.sh script is deleted (2026-06-11).
Vaultwarden account: michael.asolo1@gmail.com
Credential file inventory
Item names in Vaultwarden drop the .json suffix (e.g. file bq_token.json ↔ item bq_token). Deleted 2026-06-11 (Michael instruction, trash-level — recoverable): bq_token (BigQuery), gdrive_token (Google Drive).
| File | Service | Type |
|---|---|---|
| anthropic-api-key.md | Anthropic / Claude API | API key (**Key:** sk-ant-...) |
| vaultwarden_credentials.json | Vaultwarden (CT103) | hostname · username · password |
| claude_api_key.json | Anthropic / Claude API | key · model · console · type |
| cloudflare_api_token.json | Cloudflare | API token |
| cloudflare_account_id.json | Cloudflare | Account ID |
| cloudflare_tunnel_cert.json | Cloudflare Tunnel | Tunnel cert |
| cloudflare_tunnel_id.json | Cloudflare Tunnel | Tunnel ID |
| tokens_gcp.json | Google Cloud Platform | OAuth tokens |
| gmail_oauth_client.json | Gmail OAuth2 (hinata-brain web client) | Client ID + secret — added 2026-06-11; runtime copy on ct102 |
| gmail_oauth_token.json | Gmail IMAP XOAUTH2 | Refresh token, scope https://mail.google.com/ — minted + live 2026-06-11 (consent app "In production"); runtime copy on ct102 |
| tokens_monzo.json | Monzo API | OAuth tokens |
| monzo_credentials.json | Monzo API | Client credentials |
| tokens_truelayer.json | TrueLayer | OAuth tokens |
| truelayer_credentials.json | TrueLayer | Client credentials |
| trading212_api_key.json | Trading212 | API key |
| trading212_credentials.json | Trading212 | Account credentials |
| outlook-graph-credentials.json | Microsoft Graph API | OAuth app registration |
| outlook-tokens-outlook-n-nnamah.json | Outlook (n.nnamah) | OAuth tokens |
| outlook-tokens-outlook-michael-nnamah.json | Outlook (michael.nnamah) | OAuth tokens |
| outlook-tokens-hotmail-michael-asolo.json | Hotmail (michael.asolo) | OAuth tokens |
| mail_imap_credential.json | Gmail IMAP | App password |
| telegram_bot_credentials.json | Telegram (primary bot) | Bot token |
| kakashi_telegram_bot_credentials.json | Telegram (Kakashi) | Bot token |
| brook_telegram_bot_credentials.json | Telegram (Brook) | Bot token |
| gohan_telegram_bot_credentials.json | Telegram (Melfi — file retains gohan_ prefix pending Itachi-owned rename) | Bot token |
| iroh_telegram_bot_credentials.json | Telegram (Iroh) | Bot token |
| sanji_telegram_bot_credentials.json | Telegram (Sanji) | Bot token |
| squidward_telegram_bot_credentials.json | Telegram (Squidward) | Bot token |
| zuko_telegram_bot_credentials.json | Telegram (Zuko) | Bot token |
| pilates_key.json | Pilates API | API key |
| fit_token.json | Google Fit API | OAuth token — API access expired 2026-05-22; restore decision pending Michael (see reference_google-fit-validation) |
| hinata_studio_access.json | Hinata Studio | Access credentials |
| hinata_collector_api_key.json | Hinata Collector | API key |
| ngrok_auth.json | ngrok | Auth token |
| vps-credentials.json | Jimmy VPS | SSH / access credentials |
| wrangler_oauth_credentials.json | Cloudflare Wrangler | OAuth credentials |
| zoro_webhook_signing_key.json | Zoro webhook | Signing key |
Token death watch (ruling 2026-06-11: no token dies silently)
token-watchdog.py (sandpit scripts/, runs from Z2 host clone /opt/hinata-sandpit/scripts/) sweeps daily at 08:30 via hinata-token-watchdog.timer (Z2 host systemd):
| Surface | Signal watched |
|---|---|
| Gmail XOAUTH2 (ct102) | Gmail OAuth refresh failed in journal; latest connect line degraded to app password |
| MS Graph ×3 (ct102) | Graph token refresh failed / invalid_grant / AUTHENTICATIONFAILED; outlook-tokens-*.json not rewritten in 7 days (rotation stopped) |
| Poller liveness (ct102) | no Mail poller complete in 2h (15-min timer) |
| Monzo + TrueLayer (ct109) | 401 / Bad refresh token / invalid_grant in poll logs |
| Data plane (Z2 host) | /mnt/data mount check (task 800148) |
Alerts: Telegram (creds read from CT106 /etc/hinata/telegram.env, never printed). Sunday all-clear pulse guards against watchdog self-death. Run log: /mnt/data/hinata/logs/token-watchdog.log. Excluded: fit_token (pipeline retired, restore pending Michael), tokens_gcp (no active consumer).
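The checks in the signal table, as an added example that is not the page's token-watchdog.py: constructed journal lines are matched against each surface's signals, poller liveness is judged against the 2h window, and the 7-day rotation check runs over a name-to-mtime map. The "<epoch> <message>" line format and all sample values are assumptions.

```python
# Added example, not the page's token-watchdog.py: run constructed journal lines
# against the signal table and flag outlook token files whose rotation stopped.
import re
from pathlib import Path

SIGNALS = {  # surface -> patterns from the "Signal watched" column
    "gmail": [r"Gmail OAuth refresh failed", r"degraded to app password"],
    "graph": [r"Graph token refresh failed", r"invalid_grant", r"AUTHENTICATIONFAILED"],
    "banking": [r"\b401\b", r"Bad refresh token", r"invalid_grant"],
}
ROTATION_MAX_AGE_S = 7 * 24 * 3600  # outlook-tokens-*.json rewritten within 7 days
POLLER_WINDOW_S = 2 * 3600          # "Mail poller complete" expected every 15 min

SAMPLE_JOURNAL = """\
1749600000 Mail poller complete
1749600900 Gmail OAuth refresh failed: token revoked
1749600905 connect: degraded to app password
1749601800 Graph token refresh failed for michael.nnamah: AUTHENTICATIONFAILED
1749602700 Mail poller complete
""".splitlines()  # constructed sample in "<epoch> <message>" form, not a real journal

def parse(line):  # "<epoch> <message>" -> (int, str)
    ts, _, msg = line.partition(" ")
    return int(ts), msg

def hits(lines, surface):
    """Messages in `lines` that match any pattern configured for `surface`."""
    pats = [re.compile(p) for p in SIGNALS[surface]]
    return [m for _, m in map(parse, lines) if any(p.search(m) for p in pats)]

def poller_silent(lines, now, window_s=POLLER_WINDOW_S):
    """True when no 'Mail poller complete' line falls inside the last window."""
    done = [t for t, m in map(parse, lines) if m == "Mail poller complete"]
    return not done or now - max(done) > window_s

def stale_tokens(mtimes, now, max_age_s=ROTATION_MAX_AGE_S):
    """Names in `mtimes` (file name -> mtime) not rewritten within max_age_s,
    i.e. token rotation has stopped for that mailbox."""
    return sorted(n for n, t in mtimes.items() if now - t > max_age_s)

def token_mtimes(token_dir):  # read outlook-tokens-*.json mtimes from disk
    return {p.name: p.stat().st_mtime for p in Path(token_dir).glob("outlook-tokens-*.json")}

def sweep(lines, mtimes, now):
    """One watchdog pass: {surface: findings}; an empty dict is the all-clear."""
    report = {s: hits(lines, s) for s in SIGNALS}
    report["poller"] = ["no Mail poller complete in 2h"] if poller_silent(lines, now) else []
    report["rotation"] = stale_tokens(mtimes, now)
    return {k: v for k, v in report.items() if v}
```

On the host, `sweep(journal_lines, token_mtimes("/opt/itachi/credentials"), time.time())` gives the per-surface findings that would be sent as the Telegram alert.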
bw CLI session management
| Operation | Command |
|---|---|
| Check status | ssh hinata-z2 "bw status" |
| Unlock and cache session | ssh -t hinata-z2 "bw unlock --raw > /root/.bw_session && chmod 600 /root/.bw_session" |
| Read item by name | ssh hinata-z2 "BW_SESSION=\$(cat /root/.bw_session) bw get password [item-name]" |
| Session expiry | On idle timeout — re-run unlock command above |
Resolution order in itachi_read.sh
- Exact filename match in /opt/itachi/credentials/ on CT103
- [name].json in /opt/itachi/credentials/
- [name].md in /opt/itachi/credentials/
- Vaultwarden CLI via /root/.bw_session on Z2 (canonical — 36 live items)
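The resolution order above together with the bw session handling from the CLI table, as an added example that is not itachi_read.sh or read-credentials.sh: the three file steps are tried in order, then the cached session is used for `bw get`. The `notes` field default, the parameterised fetch step and the constructed directory layout are assumptions.

```python
# Added example, not itachi_read.sh itself: the resolution order as a Python
# function. cred_dir, the session file and the fetch step are parameters so the
# file steps run offline; bw_get mirrors the CLI table above.
import os
import subprocess
import tempfile
from pathlib import Path

CRED_DIR = Path("/opt/itachi/credentials")   # CT103 flat file store (now empty)
BW_SESSION_FILE = Path("/root/.bw_session")  # session cache on the Z2 host

def bw_get(item, session_file=BW_SESSION_FILE, field="notes"):
    """Step 4: `bw get <field> <item>` with BW_SESSION read from the cached file.
    Returns None when no session is cached, bw is missing, or bw reports failure."""
    if not session_file.is_file():
        return None
    env = dict(os.environ, BW_SESSION=session_file.read_text().strip())
    try:
        proc = subprocess.run(["bw", "get", field, item], env=env,
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None

def resolve(name, cred_dir=CRED_DIR, fetch=bw_get):
    """Return (source, value) in itachi_read.sh order, or (None, None) if nothing
    resolves. A dangling symlink (the poll-monzo.py breakage) fails is_file()
    and simply falls through to the next step."""
    for cand in (cred_dir / name, cred_dir / f"{name}.json", cred_dir / f"{name}.md"):
        if cand.is_file():
            return str(cand), cand.read_text()
    value = fetch(name)
    return ("vaultwarden", value) if value is not None else (None, None)

def make_sample_dir():
    """Constructed layout: one real .json plus a dangling symlink, like the old
    /opt/jimmy-brain-ops/secrets/monzo/ links that pointed at an absent bind mount."""
    d = Path(tempfile.mkdtemp())
    (d / "zoro_webhook_signing_key.json").write_text('{"key": "CONSTRUCTED"}')
    try:
        os.symlink("/mnt/data/itachi-credentials/monzo_credentials.json",
                   d / "monzo_credentials.json")
    except OSError:  # no symlink support: step 1 still finds nothing for this name
        pass
    return d
```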
Script consumers
| Script | Key consumed | What it is | Source path |
|---|---|---|---|
| telegram-bot.py | ANTHROPIC_API_KEY | Anthropic Claude API key (sk-ant-...) | /root/Sandpit/hinata/scripts/.env.anthropic-api → CT103 anthropic-api-key.md |
| telegram-bot.py | TELEGRAM_BOT_TOKEN | Primary Hinata bot token | /etc/hinata/telegram.env on CT106 (also: ANTHROPIC_API_KEY, TELEGRAM_CHAT_ID, HINATA_API_KEY) |
| chat-audit.py | HINATA_ANTHROPIC_API_KEY | Anthropic Claude API key | /opt/jimmy-brain-ops/.env |
| collector-bulma.py + all collectors | HINATA_API_KEY | Internal Hinata collector API auth key (x-hinata-key header) — not the Anthropic key | CT103 hinata_collector_api_key.json; local cache /opt/jimmy-brain-ops/secrets/monzo/collector_api_key.txt |
| poll-monzo.py | monzo_credentials.json · telegram_bot_credentials.json | Monzo OAuth client credentials; Telegram bot token | CT103 /opt/itachi/credentials/ — broken symlinks at /opt/jimmy-brain-ops/secrets/monzo/ removed 2026-06-09; credentials now accessed via pct exec 103 -- cat /opt/itachi/credentials/[file] |
| read-credentials.sh | any | — | itachi_read.sh resolution order above |
Broken credential path — poll-monzo.py / monzo-token-watchdog.py
These scripts hardcode Path("/opt/jimmy-brain-ops/secrets/monzo") and expect monzo_credentials.json and telegram_bot_credentials.json there. The symlinks at that path pointed to /mnt/data/itachi-credentials/ (bind mount absent). Symlinks removed 2026-06-09. Canonical source: CT103 /opt/itachi/credentials/. Access: pct exec 103 -- cat /opt/itachi/credentials/[file] from Z2 host.
Cross-links: reference_approved-ip-addresses · how-to_fix-vaultwarden-tls-cert