# Secrets Index

DO NOT store actual credentials in this file. Reference locations only.

## Locations

- **Gmail app password (mikeziarko@gmail.com):** Known to Harvey, used in IMAP scripts
- **NMC Gmail app password (mike@nomorechores.com):** Known to Harvey, no longer accessed
- **Telegram bot token:** In `~/.openclaw/openclaw.json` → channels.telegram.botToken
- **Gateway token:** In `~/.openclaw/openclaw.json` → gateway.auth.token
- **Google service account key:** `~/.openclaw/secrets/google-calendar-sa.json`
- **Google OAuth client config:** `~/.openclaw/secrets/google-oauth-client.json`
- **Contractor SINs:** Encrypted DMG at `business/contractors-secure.dmg` (ask Mike for password)
- **Browser extension gateway token:** In `~/.openclaw/openclaw.json`

## Rules

- Never log credentials in memory files or conversation
- Reference by location, not value
- Encrypted DMG for SINs — mount only when needed, unmount after