Contempo operations

Todo

Paste this list back to Grim when it is time to expand it into exact procedures, commands, rollback notes, and verification steps.

Procedure-ready prompts Vague by design. No secrets here.
  1. 01

    Tighten the loose credential files.

    Review the obvious local credential files and make their permissions owner-only.

  2. 02

    Move config secrets into the safer secret path.

    Convert the OpenClaw config values that still live as plain text into managed secret references.

  3. 03

    Decide how the gateway should be reachable.

    Choose whether OpenClaw should stay LAN-visible or be narrowed to local/tunneled access.

  4. 04

    Name the command owner.

    Bind privileged OpenClaw commands to the real operator identity.

  5. 05

    Refresh the small hook token.

    Replace the short hook secret with a longer random one and verify the hooks still work.

  6. 06

    Clean up model and memory auth.

    Fix expired model access and the memory embedding quota issue so recall stays healthy.

  7. 07

    Let Doctor normalize the stale bits.

    Run the safe OpenClaw repair pass for cron/session housekeeping after reviewing what it will touch.

  8. 08

    Restart and watch the gateway.

    Restart during a quiet window, then monitor memory growth and service recovery.

  9. 09

    Check the public-site headers.

    Review basic hardening headers for the public Contempo-facing services.

  10. 10

    Recheck the remote hosts after the local pass.

    Do a separate SSH-backed health check for the Contempo and Mission Reloaded servers.

Working phrase for later: “Expand the Contempo Todo list into full procedures.”