ADMIN ONLY -- JRD + KLJ Cadence (PureBrain AI) Access Revocation Guide
Console Library Tech Stack Ecosystem Emergency Protocol Kill Switch

Cadence Onboard / Offboard Kill Switch

Complete inventory of every system Cadence (PureBrain AI) is connected to. If Joe stops working with PureBrain, this is the guide to revoke all access in under 5 minutes.
Last updated: March 27, 2026 • This document is updated every time new access is granted

Emergency Quick Revocation

4 steps, under 5 minutes -- covers all critical access
1

Google Workspace -- Kill Domain-Wide Delegation

admin.google.com → Security → API Controls → Domain-wide Delegation → Remove tpj-ai-infrastructure

This instantly cuts access to ALL Google services (Gmail, Drive, Sheets, Calendar, Keep, People, YouTube).

2

AgentMail -- Revoke API Key

console.agentmail.to (login with M@TPJG Google SSO) → API Keys → Revoke. Or: delete the tpjg_curator@agentmail.to inbox entirely.

3

Cloudflare -- Delete API Token

dash.cloudflare.com → Profile → API Tokens → Delete the tpjg-reports token. Pages site continues working but cannot be updated.

4

VPS Container -- Stop or Remove SSH Key

SSH into 37.27.237.109:2219 → Remove key from ~/.ssh/authorized_keys. Or ask Corey/Witness to stop the Docker container tether-joseph-ray-diosana.

Systems Inventory (9 systems)

 Google Workspace

ACTIVE
Service Account
tether-bot@tpj-ai-infrastructure.iam.gserviceaccount.com
GCP Project
tpj-ai-infrastructure (Joe's own, full admin)
Delegation Scopes
Drive, Gmail, Sheets, Keep, People, YouTube, Gmail Settings
Delegated Accts
Joseph@TPJG, Manager@TPJG, all team @TPJG accounts
Calendar
Read/write to Joseph@TPJG calendar
Drive Access
Manager@TPJG Drive + Joseph@TPJG Drive + shared docs/spreadsheets
Email Alias
Manager@TPJG sends as "The Curator" (on behalf of Joseph)
Personal Gmail
joseph.diosana@gmail.com -- OAuth2 connected (refresh token)
Credentials: config/credentials/gdrive-personal-token.json, .env (GOOGLE_APP_PASSWORD, GOOGLE_API_KEY)

Revocation Steps

  1. Primary (kills everything): Admin Console → Security → API Controls → Domain-wide Delegation → Remove tpj-ai-infrastructure client ID
  2. Alternative: GCP Console → IAM → Service Accounts → Disable tether-bot
  3. Personal Gmail: myaccount.google.com/permissions → Revoke tpj-ai-infrastructure OAuth access
  4. App Password: myaccount.google.com/apppasswords → Remove any PureBrain/Cadence app passwords

 Google Voice

CHECK
Connection
SMS forwarding (if configured)
Status
May or may not be active -- verify in Google Voice settings

Revocation Steps

  1. Google Voice Settings → Forwarding → Remove any PureBrain/Cadence forwarding numbers
  2. Check linked numbers and remove any unfamiliar entries

 AgentMail

ACTIVE
Address
tpjg_curator@agentmail.to
Console
console.agentmail.to (login with M@TPJG Google SSO)
Purpose
AI agent email inbox for receiving replies, automated correspondence
Credentials: config/credentials/agentmail-credentials.json

Revocation Steps

  1. console.agentmail.to → API Keys → Revoke all keys
  2. Or: Delete the tpjg_curator@agentmail.to inbox entirely

 PureBrain Portal / VPS Container

ACTIVE
VPS IP
37.27.237.109
SSH Port
2219 (external) → 22 (internal)
SSH Key
~/.ssh/human_access (Ed25519)
Container
tether-joseph-ray-diosana (Docker)
Portal
purebrain_portal/portal_server.py (port 8097)
Managed By
Corey / Witness civilization (VPS host)

Revocation Steps

  1. Remove SSH key from ~/.ssh/authorized_keys on the VPS
  2. Or: Ask Corey/Witness to stop Docker container tether-joseph-ray-diosana
  3. Or: Ask Corey/Witness to delete the container entirely (permanent)

 ReferralMaker CRM

ACTIVE
Auth Type
Cookie-based session authentication (auto-expires)
Access Level
Full CRM access -- contacts, groups, activities, notes
Automation
Playwright browser automation (headless Chrome)
Credentials: config/credentials/ (session cookies, auto-expire)

Revocation Steps

  1. Change your ReferralMaker password → all stored sessions invalidate immediately
  2. Alternatively: sessions expire naturally (typically 24-48 hours)

 Cloudflare Pages

ACTIVE
Project
tpjg-reportstpjg-reports.pages.dev
Account ID
7578147b219857a03f965c07edbdf9d9
Services
Pages deployment + KV namespace (LEAD_STATE) + Functions (API endpoints)
What It Hosts
All TPJG reports, dashboards, lead management, lounge signage, this page
Credentials: config/credentials/cloudflare-credentials.json

Revocation Steps

  1. Cloudflare Dashboard → Profile → API Tokens → Delete the token
  2. Note: Existing deployed pages continue working; they just cannot be updated
  3. To take pages offline: Dashboard → Workers & Pages → tpjg-reports → Delete project

 Telegram Bot

ACTIVE
Bot
@TetherJRDBot
Purpose
Primary communication channel between Joe and Cadence AI. Commands: /status, /health, /restart
Hub Group
Chat ID: -1003813588016
Credentials: config/telegram_config.json

Revocation Steps

  1. Open Telegram → message @BotFather
  2. Send /revoke → select @TetherJRDBot
  3. Or: /deletebot to permanently remove the bot

 Bluesky

CHECK
Status
May have app password configured -- check .env for BSKY_USERNAME / BSKY_PASSWORD
Purpose
Social media posting (if configured)
Credentials: .env (BSKY_USERNAME, BSKY_PASSWORD)

Revocation Steps

  1. bsky.app/settings/app-passwords → Delete any PureBrain/Cadence app passwords

 Pending Integrations (Not Yet Active)

INACTIVE
Salesforce
Not yet connected -- no credentials stored
OAuth2
Not yet implemented -- future integration layer
Hospitable
Not yet connected -- short-term rental management

When Activated

  1. This page will be updated with full credentials location and revocation steps
  2. Each new integration must be added here before going live

Post-Revocation Checklist

After revoking access, verify the following:

  1. Google Workspace: Check Admin audit log -- confirm no new service account activity
  2. Email: Verify no emails are being sent from Manager@TPJG without authorization
  3. Cloudflare: Check Pages deployments -- confirm no new deployments after token revocation
  4. Telegram: Verify bot is no longer responding to commands
  5. tpjg-reports.pages.dev: Decide whether to keep existing pages live or delete the project
  6. ReferralMaker: Change password even if sessions already expired (safety measure)
  7. Google Voice: Review forwarding rules one more time

Re-Onboarding (If Resuming Service)

To restore Cadence access after revocation, reverse each step above: re-enable domain-wide delegation, generate new API keys, restore SSH access, and re-create Telegram bot token. All credential files on the VPS will need to be updated with new values.

Console Library Tech Stack Ecosystem Emergency Protocol Kill Switch
Cadence Kill Switch Documentation • ADMIN ONLY (JRD + KLJ) • Back to Library
Cadence Intelligence for The Property Joes Group • Updated March 27, 2026