# INFRASTRUCTURE.md — Living System Reference

> Last updated: 2026-04-05
> Single source of truth for models, API keys, web infrastructure, and agents.

---

## 1. API Keys & Credentials

### Provider Auth Profiles
| Provider | Profile ID | Key Prefix | Account | Used By |
|---|---|---|---|---|
| Anthropic | `anthropic:daryl-hydrax` | `sk-ant-***REDACTED***...` | daryl@hydrax.io | main, daryl, all group agents |
| Anthropic | `anthropic:default` | `sk-ant-***REDACTED***...` | Personal | her-bot, david |
| MiniMax | `minimax:default` | `sk-cp-lYva...` | — | Cron, heartbeat |
| OpenRouter | `openrouter:default` | (free) | — | Global default (Qwen) |

**Key Storage:**
- Per-agent: `~/.openclaw/agents/<id>/agent/auth-profiles.json`
- Env block: `~/.openclaw/openclaw.json` → `env`
- System env: `~/.openclaw/.env`

**Rotate keys:** Edit `auth-profiles.json` token field — no restart needed.

### Other Keys
| Key | Location | Purpose |
|---|---|---|
| `TAVILY_API_KEY` | `openclaw.json` env | Web search skill |
| `GEMINI_API_KEY` | `openclaw.json` env | Gemini CLI |
| `OPENAI_API_KEY` | `~/.openclaw/.env` | TTS, image gen |
| `HF_TOKEN` | `workspace-her-bot/.secrets/hf.env` | HuggingFace (her-bot) |
| `CLOUDFLARE_API_TOKEN` | `~/.openclaw/secrets/cloudflare.env` | Domain/subdomain mgmt |
| `GOG_KEYRING_PASSWORD` | `~/.openclaw/.env` | Google OAuth unlock |
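
A permission audit over the key locations listed in this section, added here as an example (it is not part of OpenClaw). The function name `audit_secret_perms` and the owner-only policy (no group/other bits) are assumptions; `workspace-her-bot/.secrets/hf.env` is left out because its parent directory is not given above.

```bash
# Added example: flag secret-bearing paths from this document that are
# accessible to group/other, or that are symlinks. Policy is an assumption.

# audit_secret_perms [ROOT]
#   ROOT defaults to $HOME. Prints one line per finding and returns 1 if
#   anything was flagged, 0 if every existing path is owner-only.
audit_secret_perms() {
    _root="${1:-$HOME}"
    _findings=0
    for _p in \
        "$_root/.openclaw/openclaw.json" \
        "$_root/.openclaw/.env" \
        "$_root/.openclaw/secrets/cloudflare.env" \
        "$_root/.config/gogcli" \
        "$_root"/.openclaw/agents/*/agent/auth-profiles.json
    do
        if [ -L "$_p" ]; then
            # A symlink's target may sit outside the audited tree.
            echo "SYMLINK $_p"
            _findings=$((_findings + 1))
            continue
        fi
        [ -e "$_p" ] || continue    # absent file or unmatched glob: skip
        # First field of `ls -ld` is the mode string, e.g. -rw-------
        _mode=$(ls -ld -- "$_p" | awk '{print $1}')
        case "$_mode" in
            ????------*) ;;         # no group/other permission bits
            *) echo "LOOSE $_mode $_p"
               _findings=$((_findings + 1)) ;;
        esac
    done
    [ "$_findings" -eq 0 ]
}
```

Run `audit_secret_perms` with no argument to check the current user's home; fix findings with `chmod 600 <file>` (or `chmod 700` for the `gogcli` directory).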

---

## 2. Web Infrastructure (Cloudflare + Caddy)

### Cloudflare API
**Token:** `~/.openclaw/secrets/cloudflare.env`
```
CLOUDFLARE_API_TOKEN=S7mYOtWQ***REDACTED***
CLOUDFLARE_ZONE_NAME=hydraxai.com
```

**Capabilities:**
- Create/delete DNS records (A, CNAME, TXT)
- Manage subdomains under `hydraxai.com`
- Proxy settings (orange cloud = proxied, grey = DNS-only)

**Create subdomain via API:**
```bash
curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"type":"A","name":"subdomain","content":"<VPS_IP>","proxied":true}'
```

### Caddy Web Server
**Config:** `/etc/caddy/Caddyfile`

**Common patterns:**
```caddy
# Simple static site
subdomain.hydraxai.com {
    root * /var/www/public/<folder>
    file_server
}

# Reverse proxy to local service
subdomain.hydraxai.com {
    reverse_proxy 127.0.0.1:<PORT>
}

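# Download endpoint (a path in the site address is deprecated in Caddy 2; match it with handle)
# Note: `browse` turns on directory listings for everything under root
subdomain.hydraxai.com {
    handle /download* {
        root * /var/www/public/downloads
        file_server browse
    }
}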
```

**Deploy static page:**
1. Create folder: `mkdir -p /var/www/public/<subdomain>`
2. Add HTML files
3. Add Caddy block (see above)
4. Reload: `systemctl reload caddy`

**Existing domains:**
- `bb.hydraxai.com` → reverse proxy to `127.0.0.1:8765` (Bullet Buddy)
- `live.gfbot.ai` → static + API proxy
- `xlimit.ai`, `her-chat.com`, `gfbot.ai` → multi-site config

**Reload Caddy:** `systemctl reload caddy` or `caddy reload`

---

## 3. GitHub

### Credentials
| Type | Value | Scope |
|---|---|---|
| Username | `waffleiron88` | All repos |
| Classic PAT | `ghp_***REDACTED***...JBdz` | `repo` scope (create + push) |
| Legacy PAT | `github_pat_***REDACTED***...TUP` | Read-only (deprecated) |

**Store PAT:** `~/.openclaw/.env` as `GITHUB_PAT`

### Repositories
- **Bullet Buddy:** `github.com/waffleiron88/Bullet-buddy`
- **Portfolio App:** Local only (`projects/portfolio-app/`) — needs remote creation

**Create repo via CLI:**
```bash
gh auth login --with-token <<< "$GITHUB_PAT"
gh repo create <name> --private --source=. --push
```

---

## 4. Bullet Buddy VPS Deployment

**Domain:** `bb.hydraxai.com`
**Backend:** Gunicorn on `127.0.0.1:8765`
**Service:** `bullet-buddy.service`
**Working directory:** `projects/bullet-coach/`
**Logs:** `/var/log/bullet-buddy/`

**Deploy:**
1. Edit code in `projects/bullet-coach/`
2. `systemctl restart bullet-buddy`
3. Check: `systemctl status bullet-buddy` + `/var/log/bullet-buddy/error.log`

Caddy auto-proxies `bb.hydraxai.com` → `127.0.0.1:8765`.

---

## 5. Google Workspace (gog CLI)

**Config:** `~/.config/gogcli/` (shared keyring)

### Daryl (daryl@hydrax.io)
- **Command:** `gog <cmd> --account daryl@hydrax.io`
- **Calendar:** ✅ Valid
- **Gmail:** ⚠️ API not enabled (enable in GCP console)

### Trina (trina@hydrax.io)
- **Command:** `gog <cmd> --client trina --account trina@hydrax.io`
- **Calendar:** ✅ Valid
- **Gmail:** ❌ No scopes (needs re-auth)

**Token precheck:**
```bash
bash projects/harness-design/scripts/token_precheck.sh calendar
```

---

## 6. Models (live from `openclaw models list`)

| Model | Alias | Context | Notes |
|---|---|---|---|
| `openrouter/qwen/qwen3.6-plus:free` | — | 195k | **Default** (free) |
| `anthropic/claude-sonnet-4-6` | sonnet | 195k | Standard for agents |
| `anthropic/claude-opus-4-6` | opus | 195k | Heavy reasoning |
| `anthropic/claude-haiku-4-5` | haiku | 195k | Fast/cheap tasks |
| `minimax/MiniMax-M2.7-highspeed` | — | 195k | Cron/heartbeat |
| `google/gemini-3-flash-preview` | gemini | 1024k | Image + text |

**Note:** Qwen is temporarily free; plan to switch group agents back to Sonnet when Qwen monetises.

---

## 7. Active Agents

| Agent | Model | Channel |
|---|---|---|
| `main` | claude-sonnet-4-5 | Default |
| `daryl` | claude-sonnet-4-6 | WhatsApp direct |
| `denise`, `mark`, `kelsey` | claude-sonnet-4-5 | WhatsApp direct |
| `trina`, `tam`, `li-ping` | claude-haiku-4-5 | WhatsApp direct |
| `david` | claude-sonnet-4-5 | WhatsApp direct |
| `her-bot` | (default) | WhatsApp group |
| `group-portfolio-app` | qwen/qwen3.6-plus:free | WhatsApp group |
| `group-camera-app` | qwen/qwen3.6-plus:free | WhatsApp group |
| `group-roast-time-buddy` | qwen/qwen3.6-plus:free | WhatsApp group |
| `group-rescue-app` | qwen/qwen3.6-plus:free | WhatsApp group |

---

## 8. Token Optimisation (2026-04-05)

### Response Efficiency
All agents have a "Response Efficiency" section in their AGENTS.md:
- Concise chat replies; detail in files
- Use "✅ Done" / "❌ Blocked: reason" for routine updates
- Link to files instead of printing content

### RTK (Command Output Compression)
**Installed:** `~/.local/bin/rtk` (v0.34.3)
**Plugin:** `~/.openclaw/extensions/rtk-rewrite/`
**Purpose:** Compresses exec output 60-90% before the LLM sees it
**Usage:** Automatic via `before_tool_call` hook — no manual intervention needed

### Estimated Savings
- Baseline (3 Sonnet agents): ~$81/mo
- With optimisations: ~$38-45/mo (45-53% reduction)
- Drivers: Output compression + prompt caching (80-90% on repeated context)

---

## 9. Config Files

| File | Purpose |
|---|---|
| `~/.openclaw/openclaw.json` | Active config (gateway reads only this) |
| `~/.openclaw/.env` | System env vars |
| `~/.openclaw/agents/<id>/agent/auth-profiles.json` | Per-agent key routing |
| `~/.openclaw/secrets/cloudflare.env` | Cloudflare credentials |
| `~/.config/gogcli/` | Google OAuth + keyring |

---

> ⚠️ **Config rule:** Always run `openclaw doctor` before restart. Back up `openclaw.json` before edits.
