GitHub Integration Hub

GitHub hosts the traewayrer/openclaw-vault private repository — the canonical git-backed mirror of the OpenClaw knowledge vault, synced from the VPS every 15 minutes via openclaw-vault-sync.timer and pulled back every 5 minutes via openclaw-vault-pull.timer. This hub governs the vault repo’s security posture, the sync timers, and any future GitHub webhooks or CI/CD integrations. Read this hub before touching vault sync config, PAT rotation, or Cloudflare security posture for vault-hosted content.

Quick reference

| Field | Value |
| --- | --- |
| Vendor | Microsoft / GitHub |
| URL | https://github.com / https://docs.github.com/en/rest |
| KB doc | API · WEBHOOKS |
| Auth method | PAT (Authorization: Bearer ghp_...) for API calls; HMAC-SHA256 (X-Hub-Signature-256) for inbound webhooks |
| Auth credential | op://Aurora/github/pat |
| Cred-proxy port | n/a (until B1-B6 ratified) |
| Webhook port | n/a (no GitHub webhook handler currently active) |
| Webhook handler | n/a |
| Webhook dedup table | processed_webhook_events (24h TTL) — provision before wiring any GitHub webhook |
| Tunnel path | n/a |
| Outbound API base | https://api.github.com |
| API version header | X-GitHub-Api-Version: 2022-11-28 |
| Rate limits | 5,000 req/hr (authenticated PAT); 60 req/hr (unauthenticated) |
| Rate-limit action | Primary limit: 403/429 with X-RateLimit-Remaining: 0 → wait until X-RateLimit-Reset (epoch seconds). Secondary limit: 403/429 without that header → honor Retry-After if present, otherwise exponential backoff starting at 60 s. A 403 with neither signal is an auth/permission error, not a rate limit; do not retry it |
| Cost | Free (public/private repos on current plan) |
| Backup/recovery | Vendor-owned (GitHub cloud); vault content additionally backed by VPS canonical paths + Obsidian Sync |
| Discord alert channel | ops (vault-sync push failures) |
| Drift cadence | On PAT rotation; after repo permission changes; on vault sync failure |
| Status | production |
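
A retry policy that follows the rate-limit row above, added here as an example (not OpenClaw code). rate_limit_wait() maps a response to a sleep interval and separates the four cases: primary limit (X-RateLimit-Remaining: 0, wait for X-RateLimit-Reset), secondary limit with Retry-After, secondary limit without one (exponential backoff from 60 s), and a plain 403 that is an authorization failure and must not be retried. github_get() wraps it with the Bearer PAT and X-GitHub-Api-Version headers from the table. The 900 s backoff cap is my choice, not a GitHub value; the header semantics are GitHub's documented ones.

```python
"""GitHub REST retry policy: retry only on genuine rate-limit responses.
Added example, not OpenClaw tooling. rate_limit_wait() is pure so it runs offline."""
from __future__ import annotations

import json
import time
import urllib.error
import urllib.request

API_BASE = "https://api.github.com"
API_VERSION = "2022-11-28"
SECONDARY_BASE_WAIT = 60.0   # GitHub asks for at least one minute on a secondary limit
SECONDARY_MAX_WAIT = 900.0   # cap chosen for this example; not a GitHub-specified value


def rate_limit_wait(status: int, headers: dict[str, str], attempt: int,
                    now: float | None = None) -> float | None:
    """Seconds to sleep before retrying, or None when the response is not a
    rate-limit condition (a bare 403 is an auth/permission error: do not retry)."""
    if status not in (403, 429):
        return None
    h = {k.lower(): v for k, v in headers.items()}
    if "retry-after" in h:                      # secondary limit with an explicit hint
        return float(h["retry-after"])
    if h.get("x-ratelimit-remaining") == "0" and "x-ratelimit-reset" in h:
        now = time.time() if now is None else now  # primary limit: reset is epoch seconds
        return max(0.0, float(h["x-ratelimit-reset"]) - now) + 1.0
    if status == 429:                           # secondary limit, no hint: back off exponentially
        return min(SECONDARY_BASE_WAIT * (2 ** attempt), SECONDARY_MAX_WAIT)
    return None                                 # 403 without rate-limit headers: permission problem


def github_get(path: str, token: str, max_attempts: int = 5) -> dict:
    """GET a REST endpoint with Bearer PAT auth and the pinned API version.
    The token should be resolved from op://Aurora/github/pat by the caller,
    never read from a file inside the vault."""
    req = urllib.request.Request(API_BASE + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": API_VERSION,
    })
    for attempt in range(max_attempts):
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            wait = rate_limit_wait(err.code, dict(err.headers), attempt)
            if wait is None:
                raise                           # 401/404/plain 403: surface it, do not loop
            time.sleep(wait)
    raise RuntimeError(f"gave up on {path} after {max_attempts} rate-limited attempts")


if __name__ == "__main__":
    # Offline demonstration of the decision function on constructed headers.
    print(rate_limit_wait(403, {"X-RateLimit-Remaining": "0",
                                "X-RateLimit-Reset": "1700000100"}, 0, now=1700000000.0))
    print(rate_limit_wait(429, {}, 2))
    print(rate_limit_wait(403, {}, 0))
```

The check `rate_limit_wait(...) is None` is what keeps an expired or under-scoped PAT from being retried for minutes: a 403 that carries no rate-limit headers is the drift signal the Drift cadence row refers to, and it should alert, not sleep.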

Vault repository

traewayrer/openclaw-vault (PRIVATE)

The primary artifact managed by this integration. Key facts:

| Property | Value |
| --- | --- |
| Visibility | Private — never expose publicly |
| Owner | traewayrer (Henry’s GitHub account) |
| Content | ~926 files — plans, memory, KB stubs, agent SOULs, system maps, hubs |
| Wikilinks | ~3,981 wikilinks as of Wave 1 hub authoring (2026-05-03) |
| Overnight commits (2026-05-03) | 21+ commits from parallel Wave 1 sub-agent runs |
| Sync push timer | openclaw-vault-sync.timer — every 15 min from VPS |
| Sync pull timer | openclaw-vault-pull.timer — every 5 min to VPS |
| Obsidian path | Mac/iPhone: Obsidian Sync → openclaw-mac-cloud → Obsidian Git → GitHub |

The vault is the authoritative source for Obsidian on Mac and iPhone. Changes made via Claude Code on VPS propagate: VPS canonical → vault push → GitHub → Obsidian pull on Mac/iPhone.

Security posture

⚠️ P0 Security Finding: Stale OpenRouter API key in handler-audit-*.plan files committed to vault history. The key may still be active. Cleanup is P0 priority, and the order matters: rotate first, because a history rewrite on its own leaves the old key valid in every existing clone and in GitHub's cached views of the old commits.

  1. Rotate the OpenRouter key immediately in 1Password: op item edit "OpenRouter" --vault Aurora credential=<new-value>
  2. Identify the exact commit(s) containing the key: git log --all --oneline -- '*handler-audit*'
  3. Rewrite history in a fresh mirror clone, with BFG (bfg --delete-files 'handler-audit-*.plan' openclaw-vault.git) or git-filter-repo, then drop the old objects: git reflog expire --expire=now --all && git gc --prune=now --aggressive
  4. Force-push cleaned history to traewayrer/openclaw-vault (requires explicit Henry authorization). Every other clone (the VPS pull checkout, Obsidian Git on the Mac) must be re-cloned afterwards; a stale clone's next push would reintroduce the old commits.
  5. Verify with git log --all -S '<old-key-prefix>' that no traces remain, and ask GitHub Support to purge cached views and references to the rewritten commits, which a force-push does not remove by itself.

See cloudflare — vault-on-GitHub security posture cross-link; and 1password for PAT + OpenRouter key rotation.

Vault sync timers

| Unit | Schedule | Script | Log | Purpose |
| --- | --- | --- | --- | --- |
| openclaw-vault-sync.timer | Every 15 min | ~/.openclaw/tools/openclaw-vault-sync.sh | ~/.openclaw/logs/openclaw-vault-sync.log | rsync canonical → vault, git commit + push to traewayrer/openclaw-vault |
| openclaw-vault-pull.timer | Every 5 min | ~/.openclaw/tools/openclaw-vault-pull.sh | ~/.openclaw/logs/openclaw-vault-pull.log | git pull GitHub → VPS (brings Mac/phone edits back to canonical) |

Both scripts take the same lock, /tmp/openclaw-vault-sync.lock, so a push and a pull never run concurrently. A lock that is created and removed by the script survives a crashed run and blocks every later run (see failure modes below); holding it with flock instead lets the kernel release it when the process exits.

Alert behavior: push failures post to Discord ops. If a timer's service stays in failed state for more than 24h, the G-FAILED-SERVICE-MTTR daily cron escalates to incidents.

Components

  • ~/.openclaw/tools/openclaw-vault-sync.sh — rsync + git commit + push to traewayrer/openclaw-vault
  • ~/.openclaw/tools/openclaw-vault-pull.sh — git pull from GitHub to VPS
  • /home/opsadmin/.openclaw/workspace/scripts/sync-to-github.sh — legacy workspace sync (pre-vault-timer pattern)
  • /home/opsadmin/.openclaw/workspace/scripts/sync-to-github-optimized.sh — optimized change-only sync for workspace docs
  • /home/opsadmin/.openclaw/workspace/scripts/sync-from-github.sh — manual pull script (backup to timer)
  • /home/opsadmin/.openclaw/workspace/scripts/setup-github-credentials.sh — credential bootstrap for PAT injection
  • /home/opsadmin/.openclaw/logs/github-sync.log — vault sync operational log
  • traewayrer/openclaw-vault — private GitHub repo (the vault)

How it’s used

  • Trigger (push): openclaw-vault-sync.timer fires every 15 min → openclaw-vault-sync.sh rsyncs canonical paths → git add -A && git commit -m "vault-sync $(date)" && git push origin main
  • Trigger (pull): openclaw-vault-pull.timer fires every 5 min → git pull origin main → updated files available in /home/opsadmin/openclaw-vault/
  • Workflow (Mac/iPhone): Obsidian Sync keeps Mac vault in sync → Obsidian Git plugin pushes Mac edits to traewayrer/openclaw-vault → pull timer brings edits to VPS canonical paths
  • Agents involved: no agent directly calls GitHub API; vault sync is infrastructure-layer automation; _summary may use GitHub API for repo operations if explicitly tasked
  • Failure mode: PAT expiry causes 401 on push/pull; divergent histories from concurrent Mac + VPS edits make the push be rejected as non-fast-forward, requiring a manual git pull --rebase; a stale lock file at /tmp/openclaw-vault-sync.lock blocks all sync runs
  • Success criteria: git push exits 0; after git fetch, git log --oneline -1 origin/main shows a commit within the last 15 min window (without the fetch it only reports the local copy of the remote ref); github-sync.log shows no errors

The vault repository is private, but the security posture depends on PAT scope and commit history hygiene. Two governance touchpoints:

  1. PAT scope: op://Aurora/github/pat should be scoped to traewayrer/openclaw-vault repo only (fine-grained PAT preferred). Classic PAT with broad scope is a blast-radius risk.
  2. Commit history secrets: Stale API keys committed to vault history persist even after file deletion. See cloudflare for WAF/tunnel security posture and the linked security-audit-funnel.timer governance. The OpenRouter key cleanup (P0 above) must complete before vault becomes more broadly referenced.

See cloudflare for FUNNEL-REGISTRY and WAF governance that protect other OpenClaw public endpoints.

| Hub | Relationship |
| --- | --- |
| cloudflare | Vault security posture (stale key in history P0 pending); any future GitHub webhook endpoint must be in FUNNEL-REGISTRY with HMAC-SHA256 sig verification |
| hetzner | VPS is the sync orchestrator; Hetzner compute runs both vault-sync timers |
| discord | Vault-sync push failures post to Discord ops; 21+ overnight sub-agent commits visible in GitHub activity |

| Credential | Reference | Notes |
| --- | --- | --- |
| Personal Access Token (PAT) | op://Aurora/github/pat | Used by both sync timers; prefer fine-grained PAT scoped to vault repo only |
| Webhook secret | n/a (no active webhook) | Provision as op://Aurora/github/webhook-secret before wiring any GitHub webhook handler |
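
The signature verification and delivery dedup that the cloudflare row and the webhook-secret row require, written out as an added example. No handler exists yet, so this is not project code; the secret value, the delivery GUID and the push payload are constructed, and the in-memory DeliveryDedup stands in for the processed_webhook_events table with its 24h TTL. The order of checks is the point: the HMAC-SHA256 over the raw body is compared in constant time before anything parses JSON, and X-GitHub-Delivery is recorded only after the signature passes, so an attacker cannot poison the dedup table.

```python
"""Inbound GitHub webhook check: HMAC-SHA256 (X-Hub-Signature-256) plus
X-GitHub-Delivery deduplication. Added example; not the project's handler."""
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Constructed test secret. Production value would be resolved from
# op://Aurora/github/webhook-secret, never stored in the vault.
WEBHOOK_SECRET = b"constructed-example-webhook-secret"
DEDUP_TTL_SECONDS = 24 * 3600  # matches the 24h TTL of processed_webhook_events


def sign_body(secret: bytes, body: bytes) -> str:
    """The value GitHub sends in X-Hub-Signature-256 for this secret and raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str | None) -> bool:
    """Constant-time check against the raw request bytes. Re-serialising the
    JSON before hashing would change the digest, so always hash what arrived."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header_value)


class DeliveryDedup:
    """In-memory stand-in for processed_webhook_events. GitHub redelivers on
    timeout, so one X-GitHub-Delivery GUID can legitimately arrive twice."""

    def __init__(self, ttl: int = DEDUP_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._seen: dict[str, float] = {}

    def first_time(self, delivery_id: str, now: float) -> bool:
        cutoff = now - self.ttl
        for stale in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[stale]                # TTL expiry, as the table's 24h TTL would
        if delivery_id in self._seen:
            return False
        self._seen[delivery_id] = now
        return True


def handle_webhook(headers: dict[str, str], body: bytes, dedup: DeliveryDedup,
                   secret: bytes = WEBHOOK_SECRET, now: float | None = None) -> tuple[int, str]:
    """Return (HTTP status, reason). Signature first, dedup second, parse last."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, body, h.get("x-hub-signature-256")):
        return 401, "signature mismatch"
    delivery_id = h.get("x-github-delivery")
    if not delivery_id:
        return 400, "missing X-GitHub-Delivery"
    if not dedup.first_time(delivery_id, now):
        return 200, "duplicate delivery ignored"  # 200 so GitHub stops redelivering
    event = h.get("x-github-event", "unknown")
    payload = json.loads(body)                     # only authenticated bodies reach the parser
    repo = payload.get("repository", {}).get("full_name", "?")
    return 202, f"accepted {event} for {repo}"


# Constructed push event and headers; not a captured delivery.
SAMPLE_BODY = json.dumps({"ref": "refs/heads/main",
                          "repository": {"full_name": "traewayrer/openclaw-vault"}}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "push",
    "X-GitHub-Delivery": "00000000-0000-4000-8000-000000000001",  # constructed GUID
    "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    dedup = DeliveryDedup()
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY, dedup, now=0.0))        # accepted
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY, dedup, now=1.0))        # redelivery
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY + b" ", dedup, now=2.0))  # tampered body
```

Returning 200 for a duplicate is deliberate: a 4xx would make GitHub keep redelivering. The 401 path must return before the body is parsed or logged, since an unsigned body is attacker-controlled input.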

See 1password for Aurora vault structure, PAT rotation procedures, and G-NO-PLAINTEXT-CREDS enforcement.

Agents that touch this

  • _summary — may use GitHub API for repo management tasks when explicitly instructed
  • Infrastructure automation (vault-sync timers) — no agent context; pure systemd automation

Skills that invoke this

Plans that govern this

Feedback rules

  • feedback_no_plaintext_creds — G-NO-PLAINTEXT-CREDS: PAT (ghp_... classic or github_pat_... fine-grained prefix) must never appear in vault files; use op://Aurora/github/pat references only
  • feedback_post_audit_persistence — vault is the persistence layer for plan + memory audit outputs; sync must stay healthy
  • feedback_plan_index_required — G-PLAN-INDEX-REQUIRED: plan files pushed to vault must have matching project_*.md memory file + MEMORY.md/PLAN-INDEX.md entry
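
A working-tree scan that backs G-NO-PLAINTEXT-CREDS above and doubles as the final check for the P0 cleanup in Security posture (run it over the re-cloned vault after the force-push, alongside git log -S). It is added here as an example, not OpenClaw tooling. The GitHub prefixes ghp_ and github_pat_ are documented token shapes; the OpenRouter shape sk-or-v1- followed by hex is my assumption about that vendor's format. op:// references are the sanctioned way to name a credential and never match. The sample plan file and every token in it are synthetic.

```python
"""Plaintext-credential scan for vault files. Added example, not project code.
Findings carry only an 8-character preview so the scan output cannot itself leak a key."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# GitHub classic PATs are ghp_ + 36 alphanumerics; fine-grained PATs are
# github_pat_ + a long [A-Za-z0-9_] run. The OpenRouter shape is an assumption
# about that vendor's format, not something the hub documents.
SECRET_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{40,}\b"),
    "openrouter_key": re.compile(r"\bsk-or-v1-[0-9a-f]{32,}\b"),
}
SCAN_SUFFIXES = (".md", ".plan", ".sh", ".json", ".yaml", ".yml", ".env")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted; the full token never leaves the scanner


def redact(token: str) -> str:
    return token[:8] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line; op:// references match nothing here."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a checkout (skipping .git) and scan the text files Obsidian and the
    sync scripts produce. Use on the freshly re-cloned vault after a history rewrite."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return findings


# Constructed sample plan file. Both tokens are synthetic and match only by shape.
SAMPLE_PLAN = "\n".join([
    "# handler-audit-example.plan",
    "github: op://Aurora/github/pat",                          # sanctioned reference
    "OPENROUTER_API_KEY=sk-or-v1-" + "0123456789abcdef" * 3,    # 48 hex chars, synthetic
    "token: ghp_" + "A1b2C3d4E5f6" * 3,                         # 36 chars, synthetic
    "note: rotate the ghp_ token quarterly",                   # prefix alone is not a token
])

if __name__ == "__main__":
    for f in scan_text("handler-audit-example.plan", SAMPLE_PLAN):
        print(f"{f.path}:{f.line} {f.kind} {f.preview}")
```

Running scan_tree over the VPS checkout from the vault-sync script before git add -A would turn the feedback rule into a gate rather than an after-the-fact audit; a non-empty result is the condition under which the push should be refused and the ops channel alerted.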

KB / source docs

  • API — GitHub REST API v3 / GraphQL v4 reference (last verified 2026-03-04); PAT auth, rate limits
  • WEBHOOKS — GitHub webhook delivery, HMAC-SHA256 signature, event types, retry policy

System maps

The vault repository itself lives on GitHub; its sync runs on the VPS (Hetzner) and integrates with edge protection (Cloudflare) and the EC2 Mac Ultra (AWS), the Obsidian-side endpoint of the loop that also runs InvestorLift scraping.

  • hetzner — VPS host running vault sync timers
  • cloudflare — Edge protection + WAF for any future webhook
  • aws — EC2 Mac Ultra (Obsidian Sync orchestrator endpoint)

Open issues / TODOs

  • P0: Stale OpenRouter API key in handler-audit-*.plan commit history — rotate key + BFG-rewrite vault history + force-push (requires Henry authorization). See Security posture section above.
  • P1: PAT scope audit — verify op://Aurora/github/pat is a fine-grained PAT scoped to traewayrer/openclaw-vault only; if classic PAT, migrate to fine-grained
  • P1: setup-github-credentials.sh — verify it reads PAT from op:// reference and not from plaintext env var
  • P1: EC2 Mac Ultra impaired since 2026-05-02 22:15 UTC — Obsidian Git on Mac may have interrupted push/pull loop; verify vault sync resumed after Mac reboot. See aws
  • P2: No GitHub webhook handler registered — if CI/CD triggers or PR-based governance are added, wire handler with HMAC-SHA256 verification and register in FUNNEL-REGISTRY
  • P2: sync-to-github.sh and sync-to-github-optimized.sh are legacy scripts predating the vault-timer pattern — verify they are no longer invoked by any active cron or systemd unit

Recent activity

  • 2026-05-03: 21+ commits pushed overnight by Wave 1 sub-agents (OSIL maps, KB stubs, hub files)
  • 2026-05-03: Hub created by W1-S6 (Wave 1 hub authoring pass)
  • 2026-05-02: Vault pull timer (openclaw-vault-pull.timer) activated — pulls Mac Obsidian edits to VPS every 5 min
  • 2026-05-02: openclaw-vault-sync.timer activated — pushes VPS canonical to traewayrer/openclaw-vault every 15 min
  • 2026-05-02: EC2 Mac Ultra entered impaired state; vault sync from Mac paused
  • 2026-03-04: KB docs (API.md + WEBHOOKS.md) last verified