diff --git a/docs/VAULTWARDEN-DOMEDOG-FINDINGS-2026-06-19.md b/docs/VAULTWARDEN-DOMEDOG-FINDINGS-2026-06-19.md new file mode 100644 index 0000000..c78857c --- /dev/null +++ b/docs/VAULTWARDEN-DOMEDOG-FINDINGS-2026-06-19.md 
@@ -0,0 +1,69 @@ +# Vaultwarden Connectivity — domedog Findings (2026-06-19) + +**Host:** domedog (`domedog.pro`, Linux) +**Agent:** Claude +**PR under evaluation:** clawdie-iso #65 (Vaultwarden fetch + per-agent seed import) + +## Test results + +Ran the verification flow from `docs/VAULTWARDEN-SETUP.md` against +`https://vault.smilepowered.org`: + +| Step | Command | Result | +|------|---------|--------| +| Server reachable | `curl -sI https://vault.smilepowered.org/` | ✅ HTTP 200 (Rocket/Vaultwarden) | +| bw CLI installed | `bw --version` | ✅ 2026.5.0 | +| Server config | `bw config server https://vault.smilepowered.org` | ✅ Saved | +| API key login | `bw login --apikey` (via `BW_CLIENTID`/`BW_CLIENTSECRET`) | ✅ Logged in as `samo.blatnik@gmail.com` | +| Vault unlock | `bw unlock --raw --passwordenv BW_PASSWORD` | ❌ Decryption failed | + +## The failure + +Authentication succeeds but decryption fails: + +``` +ERROR bitwarden_crypto::keys::master_key: error=The decryption operation failed +The provided key is not the expected type +``` + +`bw status` confirms the account is reachable and locked (not unauthenticated): + +```json +{"status":"locked","userEmail":"samo.blatnik@gmail.com","userId":"ed912ad5-..."} +``` + +This means `BW_PASSWORD` in `~/.config/vault-bootstrap.env` does not match the +vault's master encryption key. Either: +1. The master password was changed in the web UI after the bootstrap file was + written. +2. The password has a trailing whitespace or encoding issue. +3. The KDF settings on the account were changed (iterations / algorithm). + +**Action required:** update `BW_PASSWORD` in the bootstrap env file to match +the current vault master password, then re-run `bw unlock --passwordenv +BW_PASSWORD`. + +## PR #65 assessment + +**Code quality:** solid. 
`clawdie-vault-fetch` has proper cleanup (trap-based +lock-on-exit, temp dir removal), headless login via `--apikey`, sensible exit +codes (0/1/3/4), and `--write-env` upsert that preserves untouched keys at +0600. The seed importer extends the FAT32 CLAWDIESEED partition to per-agent +directories with honest security documentation. + +**Not wired yet (documented as follow-ups):** +- Runtime consumption: staged `soul/` → agent workspace cwd. +- Harness launch from `harness.toml`. +- `clawdie-ai` postinstall shelling out to `clawdie-vault-fetch`. + +**No blockers to merging PR #65.** The stale password is a host-config issue, +not a code defect. Once `BW_PASSWORD` is corrected, the full +`clawdie-vault-fetch` path should work end-to-end from any host with the bw CLI +and a valid bootstrap env. + +## Note on identity + +Earlier analysis in this session incorrectly referred to the test host as +"debby." The tests were run on **domedog** (`domedog.pro`). Debby is a separate +host (Debian 13) with its own clone and bootstrap env — its vault connectivity +is a separate question.
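Review bot: the "Test results" table and the `bw status` output commit a real account email (`samo.blatnik@gmail.com`) and a partial `userId` into a tracked docs file; since this findings doc lives in the repo, redact those to placeholders (e.g. `<agent-account>`, `<user-id>`) before merge, as the identity of the vault account is not needed to convey the result. Separately, the "Action required" paragraph only addresses cause 1 of the three listed: the quoted error `The provided key is not the expected type` is what one would expect for a key-type or KDF mismatch as much as for a wrong password, so the remediation should also say how to rule out causes 2 and 3 (inspect `~/.config/vault-bootstrap.env` for trailing whitespace, and after a KDF change log out and back in with `bw login --apikey` so the client picks up the new settings) before the password is rotated.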