Merge pull request 'docs: self-serve Vaultwarden setup guide for agents (Sam & Hermes)' (#4) from docs/vaultwarden-setup into main
Some checks failed
Crowdin Sync / sync (push) Has been cancelled
Reviewed-on: #4
This commit is contained in:
commit
f37183da3d
1 changed files with 89 additions and 0 deletions
89
docs/VAULTWARDEN-SETUP.md
Normal file
@ -0,0 +1,89 @@
# Vaultwarden Setup for Agents

Secrets store: `vault.smilepowered.org` (Vaultwarden, self-hosted).
Organization: **Clawdie** (39727691-3403-4c50-89b8-d5f24310e79c).
Collection: `agent-secrets` (94ba61b8-633c-454e-b749-f115617eeac3).

Agents use the `bw` CLI to retrieve secrets programmatically — no passwords in chat.

## Prerequisites

- Node.js (for npm install) or a pre-built `bw` binary
- Org API key from the operator (Samo or Hermes on debby)

## Setup

### 1. Install bw CLI

```sh
npm install -g @bitwarden/cli
# or download binary from https://github.com/bitwarden/clients/releases
```

### 2. Configure server

```sh
bw config server https://vault.smilepowered.org
```

### 3. Get API key from operator

Ask Samo or Hermes to generate an org API key scoped to the `agent-secrets` collection.
You'll receive:
- `BW_CLIENTID` (starts with `organization.`)
- `BW_CLIENTSECRET`

The operator also provides the master password for unlocking. This is shared
across the org — handle it like any other secret.

### 4. Login and unlock

```sh
# One-time login
bw login --apikey
# → paste client_id and client_secret when prompted

# Every session: unlock
bw unlock --passwordenv BW_PASSWORD
# → copy the BW_SESSION value from output

export BW_SESSION="..."
```

Alternative for scripting (no prompts):

```sh
export BW_CLIENTID="organization...."
export BW_CLIENTSECRET="..."

bw login --apikey # uses env vars if set
bw unlock --passwordenv BW_PASSWORD
# → export BW_SESSION from output
```

### 5. Retrieve a secret

```sh
bw list items --session "$BW_SESSION" --search "hermes-debby" | jq '.[0].login'
# or get by ID
bw get item <item-id> --session "$BW_SESSION"
```

### 6. Lock when done

```sh
bw lock
```

## Current items in agent-secrets

| Name | Type | Purpose |
|------|------|---------|
| hermes-debby Forgejo | login | Hermes's code.smilepowered.org password (browser access) |

## Rules

- Never store `BW_CLIENTSECRET` or `BW_PASSWORD` in git, chat logs, or AGENTS.md.
- Use `--passwordenv BW_PASSWORD` — the env var is safer than passing on command line.
- Lock the vault (`bw lock`) after each session. Sessions auto-expire.
- If you need a new secret stored, ask the operator to add it via `bw create item`.
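Review bot: Step 3 and the paragraph that follows it put every agent behind a single vault account with one master password "shared across the org", so revoking one agent means rotating the password and API key for all of them, and the Vaultwarden event log cannot attribute a read of `hermes-debby Forgejo` to a specific agent. Give each agent its own Vaultwarden account (own master password, own personal API key) and grant access to `agent-secrets` through org membership; that also corrects step 3's wording, because `bw login --apikey` takes a personal API key whose client ID starts with `user.`, not the `organization.` key, and an API key is not "scoped to a collection" (collection access comes from the account's org membership). In step 4, the "copy the BW_SESSION value from output" instruction should become `export BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)"`, which keeps the session key out of the transcript and is what the "no prompts" scripting variant actually needs. In step 5, `jq '.[0].login'` prints the whole login object, password included, to stdout, which contradicts "no passwords in chat"; suggest `bw get password <item-id> --session "$BW_SESSION"` captured into a variable instead. Step 6 should add `unset BW_SESSION` so the key does not outlive `bw lock` in the shell environment, and the "Sessions auto-expire" claim under Rules is not backed by any setting in the guide; either document the timeout or drop it.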