Credentials (references only)

This wiki never holds secret values. Only env-var names, account labels, and where the truth lives.

Where the real secrets live

Surface	Location
Bridge VPS	/opt/yourevenings/bridge/.env (root-only on 72.62.112.155)
Workspace dev	/data/.openclaw/workspace/ventures/yourevenings/.env* (gitignored, must be git rm --cached)
Cloudflare Worker secrets	Cloudflare Dashboard → Workers → yourevenings-site → Settings → Variables
Vapi keys	Vapi Dashboard → Project Settings
Twilio keys	Twilio Console → Account → API keys
Stripe restricted keys	Stripe Dashboard → Developers → API keys

Env var index (names only)

Name	Used by	Source of truth
TWILIO_ACCOUNT_SID	bridge	Twilio Console
TWILIO_AUTH_TOKEN	bridge	Twilio Console
TWILIO_PHONE_NUMBER	bridge	Twilio Console
TWILIO_REGULATORY_BUNDLE_SID	bridge / Vapi	Twilio Console
VAPI_API_KEY	bridge	Vapi Dashboard
STRIPE_SECRET_KEY	bridge + Worker	Stripe Dashboard
SMTP_HOST	bridge	Zoho (smtp.zoho.eu)
SMTP_PORT	bridge	465
SMTP_USER	bridge	hello@yourevenings.com
SMTP_PASS	bridge	Zoho App Password
INTERNAL_API_KEY	bridge	self-generated, on VPS + workspace
FALLBACK_AUDIT_EMAIL	bridge	Matt's inbox during pilot
XAI_VOICE_API_KEY	legacy US Polly	xAI dashboard (dormant)

Open hygiene TODOs

• git rm --cached .env* in ventures/yourevenings/ and in weather_bot/ history — keys exposed pre-policy.
• Rotate the live keys that were in weather_bot history (carry-over from trading repo).
• Confirm Zoho App Password is rotation-safe (used by SMTP).

Hard rules

• Never paste a secret into a wiki page, chat, ticket, or screenshot.
• Never echo secrets in tool output.
• If a secret leaks → rotate within the hour, audit access logs.