The fetch helper (clawdie-iso) retrieves secrets by item NAME via
'bw get password' and no longer scopes by collection ID, but this doc still
taught the old contract (collectionid + jq). New agents following it would store
items the helper cannot read, and its verification test would fail.
- Document the retrieval contract: one login item per secret, ITEM NAME = env
var name, value in the password field. Item names must be unique in the
visible vault (fetch is fail-closed on ambiguity).
- Rewrite the Verification Test to use clawdie-vault-fetch end-to-end, with a
raw 'bw get password' fallback for hosts without the helper yet.
- Rewrite 'Retrieve a secret' to fetch by name + prefer --write-env upsert.
- Drop the hard-coded collection UUID from the fetch path.
Companion to clawdie-iso fix(vault): wire seed bootstrap -> vault-fetch path.
Checks: npx prettier@3 --check (clean); git diff --check.
Co-Authored-By: Hermes & Sam <hello@clawdie.si>
