Compare commits


2 commits

Author SHA1 Message Date
9841c24ec9 Merge pull request 'Document the Vaultwarden fetch contract' (#12) from secrets-out-of-the-box into main
Some checks failed
Crowdin Sync / sync (push) Has been cancelled
Reviewed-on: #12
2026-06-23 06:57:41 +02:00
Sam & Claude
622bdee32f docs: document clawdie-vault-fetch contract in Vaultwarden setup
Some checks failed
CI / ci (pull_request) Has been cancelled
Adds the runtime-fetch section the seam depends on: item-naming
convention (item name = env var name, value in password field),
the ~/.config/vault-bootstrap.env drop, helper usage and exit-code
semantics. The manual CLI flow remains the floor.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:46:08 +02:00


@ -163,6 +163,60 @@ clawdie-vault-fetch --write-env ~/.env
bw lock
```
## Runtime fetch: `clawdie-vault-fetch`
The manual flow above is the operator/agent CLI path. For a host to pull its own
provider keys **out of the box**, the image ships a small language-neutral
helper, `clawdie-vault-fetch` (`/usr/local/bin/`), that the post-install setup
flow shells out to and the live USB can run directly. It depends only on `bw`
no node module, no `jq`.
### Item-naming convention (the contract)
For a secret to be auto-fetchable, store it in `agent-secrets` as a **login item
whose name is exactly the env var name**, with the value in the **password
field**:
| Item name | Field | Becomes |
| -------------------- | -------- | ---------------------- |
| `ANTHROPIC_API_KEY` | password | `ANTHROPIC_API_KEY=…` |
| `OPENAI_API_KEY` | password | `OPENAI_API_KEY=…` |
| `OPENROUTER_API_KEY` | password | `OPENROUTER_API_KEY=…` |
| `ZAI_API_KEY` | password | `ZAI_API_KEY=…` |
The default key set mirrors clawdie-ai's `PROVIDER_KEY_BY_PROVIDER` (anthropic,
openai, openrouter, zai, deepseek, gemini, groq). `bw get password <NAME>`
returns the raw value, so no JSON parsing is involved.
### Bootstrap drop (the one secret that can't live in the vault)
The helper reads `~/.config/vault-bootstrap.env` (mode 0600) for the headless
credentials — exactly the file from the [Bootstrap Flow](#bootstrap-flow) above:
```sh
BW_CLIENTID=user....
BW_CLIENTSECRET=...
BW_PASSWORD=<master-password>
```
**No bootstrap file → the helper exits cleanly and does nothing**, so a host with
no vault access still uses the manual setup wizard. That is the floor; the vault
fetch only ever adds.
### Usage
```sh
clawdie-vault-fetch # print KEY=VALUE lines to stdout
clawdie-vault-fetch --write-env FILE # upsert results into FILE (0600), keys preserved
clawdie-vault-fetch --bootstrap FILE # explicit bootstrap env file
clawdie-vault-fetch --keys "A B C" # override the key-name list
```
Exit codes let a caller tell "skip" from "broken": `0` ran cleanly · `1` vault
configured but login/unlock/fetch failed · `3` no bootstrap config (fall back to
manual) · `4` `bw` not installed. The helper always `bw lock`s on exit and never
logs secret values.
## Current items in agent-secrets
| Name | Type | Purpose |
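Review bot: In the "Bootstrap drop" section, "No bootstrap file → the helper exits cleanly and does nothing" conflicts with the Usage section, which gives that case exit code `3`; a caller running under `set -e` or testing for `0` will treat the intended skip as a failure. State in the bootstrap section that the no-bootstrap case returns `3` and that callers must map `3` to "fall back to manual", and say whether `2` is reserved or simply unused. Two smaller documentation gaps in the same hunk: the bootstrap file is described as mode 0600, but nothing says what the helper does when the file is more permissive, which matters because it holds `BW_PASSWORD`; and the naming table lists four items while the default key set names seven providers, so the item names for deepseek, gemini and groq are left to guesswork. Because the default mode prints `KEY=VALUE` lines to stdout, it is also worth stating that "never logs secret values" does not cover a caller that captures or redirects stdout.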