2026-06-20 07:11:37 +02:00
1 changed files with 62 additions and 50 deletions
--- a/docs/VAULTWARDEN-DOMEDOG-FINDINGS-2026-06-19.md
+++ b/docs/VAULTWARDEN-DOMEDOG-FINDINGS-2026-06-19.md
@ -1,69 +1,81 @@
-# Vaultwarden Connectivity — domedog Findings (2026-06-19)
+# Vaultwarden Connectivity — domedog Findings (2026-06-19, updated)

 **Host:** domedog (`domedog.pro`, Linux)
 **Agent:** Claude
-**PR under evaluation:** clawdie-iso #65 (Vaultwarden fetch + per-agent seed import)
+**PRs under evaluation:** clawdie-iso #65 (merged as #67) + clawdie-ai #14 (doc contract)

-## Test results
+## Test results — end-to-end PASS ✅

-Ran the verification flow from `docs/VAULTWARDEN-SETUP.md` against
-`https://vault.smilepowered.org`:
+Full chain proven: bootstrap creds → `bw` login → unlock → fetch → `.env` → re-lock.

-| Step | Command | Result |
-|------|---------|--------|
-| Server reachable | `curl -sI https://vault.smilepowered.org/` | ✅ HTTP 200 (Rocket/Vaultwarden) |
-| bw CLI installed | `bw --version` | ✅ 2026.5.0 |
-| Server config | `bw config server https://vault.smilepowered.org` | ✅ Saved |
-| API key login | `bw login --apikey` (via `BW_CLIENTID`/`BW_CLIENTSECRET`) | ✅ Logged in as `samo.blatnik@gmail.com` |
-| Vault unlock | `bw unlock --raw --passwordenv BW_PASSWORD` | ❌ Decryption failed |
+| Step             | Command                                                   | Result                                              |
+| ---------------- | --------------------------------------------------------- | --------------------------------------------------- |
+| Server reachable | `curl -sI https://vault.smilepowered.org/`                | ✅ HTTP 200 (Rocket/Vaultwarden)                    |
+| bw CLI installed | `bw --version`                                            | ✅ 2026.5.0                                         |
+| API key login    | `bw login --apikey` (via `BW_CLIENTID`/`BW_CLIENTSECRET`) | ✅ Logged in as `samo.blatnik@gmail.com`            |
+| Vault unlock     | `bw unlock --passwordenv BW_PASSWORD`                     | ✅ Unlock succeeds — master password is correct     |
+| Fetch item       | `clawdie-vault-fetch --keys DEEPSEEK_API_KEY`             | ✅ Resolved 1 of 1 key                              |
+| Write to `.env`  | `--write-env /tmp/smoke.env`                              | ✅ Written 0600, value correct (35 chars, `sk-...`) |
+| Re-lock on exit  | trap cleanup                                              | ✅ Vault re-locked automatically                    |

-## The failure
+## The test item

-Authentication succeeds but decryption fails:
+A `DEEPSEEK_API_KEY` login item was created in the `agent-secrets` collection,
+with the **item name = the env var name** and the **value in the password
+field**, per the documented contract. The helper fetched it cleanly with
+`bw get password DEEPSEEK_API_KEY` — confirming the name-based retrieval
+contract works.

-```
-ERROR bitwarden_crypto::keys::master_key: error=The decryption operation failed
-The provided key is not the expected type
-```
+## One real bug found and fixed

-`bw status` confirms the account is reachable and locked (not unauthenticated):
+**`clawdie-vault-fetch` failed when `bw` was already logged in.**

-```json
-{"status":"locked","userEmail":"samo.blatnik@gmail.com","userId":"ed912ad5-..."}
-```
+`bw config server "$SERVER"` refuses with `Logout required before server config
+update` when the CLI is already authenticated. The helper treated that as fatal
+(`exit 1`), which broke **every repeat run** on a host that is already logged in
+— including the very case the helper exists for (refresh `.env` from the vault
+on demand).

-This means `BW_PASSWORD` in `~/.config/vault-bootstrap.env` does not match the
-vault's master encryption key. Either:
-1. The master password was changed in the web UI after the bootstrap file was
-   written.
-2. The password has a trailing whitespace or encoding issue.
-3. The KDF settings on the account were changed (iterations / algorithm).
+The `bw login` block already tolerated the analogous "already logged in" case.
+Fix (clawdie-iso, branch `fix/vault-fetch-bw-config-when-logged-in`): mirror
+that pattern for `bw config` — capture stderr/stdout and tolerate
+`logout required` / `already configured` / `already set`, failing only on a
+real error. Verified: the fixed helper runs cleanly from the logged-in state
+(previously exited 1 at the config step).

-**Action required:** update `BW_PASSWORD` in the bootstrap env file to match
-the current vault master password, then re-run `bw unlock --passwordenv
-BW_PASSWORD`.
+## Correction to the earlier draft

-## PR #65 assessment
+An earlier draft of this doc reported `bw unlock` failing with
+`Decryption failed` and concluded the master password was wrong. That was
+incorrect: the unlock failure was a side effect of running the flow against a
+**stale logged-in session**. After `bw logout` and a clean re-run, unlock
+succeeds with the **same** master password — it was never wrong. The only
+defect was the `bw config` intolerance documented above.

-**Code quality:** solid. `clawdie-vault-fetch` has proper cleanup (trap-based
-lock-on-exit, temp dir removal), headless login via `--apikey`, sensible exit
-codes (0/1/3/4), and `--write-env` upsert that preserves untouched keys at
-0600. The seed importer extends the FAT32 CLAWDIESEED partition to per-agent
-directories with honest security documentation.
+## Setup state on domedog

-**Not wired yet (documented as follow-ups):**
- Runtime consumption: staged `soul/` → agent workspace cwd.
- Harness launch from `harness.toml`.
- `clawdie-ai` postinstall shelling out to `clawdie-vault-fetch`.
+- `bw` 2026.5.0 installed at `~/.nvm/versions/node/v22.22.0/bin/bw`.
+- Helper staged at `~/.colibri/clawdie-vault-fetch` (the fixed version).
+- Bootstrap env at `~/.config/vault-bootstrap.env` (0600) — `BW_CLIENTID`,
+  `BW_CLIENTSECRET`, and `BW_PASSWORD` all correct and verified by a successful
+  fetch.
+- Server set to `https://vault.smilepowered.org`.

-**No blockers to merging PR #65.** The stale password is a host-config issue,
-not a code defect. Once `BW_PASSWORD` is corrected, the full
-`clawdie-vault-fetch` path should work end-to-end from any host with the bw CLI
-and a valid bootstrap env.
+## Not wired yet (documented follow-ups)

-## Note on identity
+- **Runtime consumption:** the helper fetches into a `.env`, but nothing yet
+  loads that `.env` into a running agent's environment at launch. This is the
+  next milestone (soul load + harness launch).
+- **Auto-refresh:** no scheduled/firstboot caller of the helper yet — it is run
+  manually. The `bw config` bug fix is a prerequisite for auto-refresh to be
+  reliable.

-Earlier analysis in this session incorrectly referred to the test host as
-"debby." The tests were run on **domedog** (`domedog.pro`). Debby is a separate
-host (Debian 13) with its own clone and bootstrap env — its vault connectivity
-is a separate question.
+## PR #65 / #14 assessment
+
+**Code quality:** solid. `clawdie-vault-fetch` has trap-based lock-on-exit,
+headless `--apikey` login, tolerates "already logged in", sensible exit codes
+(0/1/3/4), and a `--write-env` upsert that preserves untouched keys at 0600.
+The one repeat-run bug (`bw config` intolerance) is fixed in a follow-up.
+
+**No blockers** to the runtime-consumption milestone. The secret→`.env` path is
+proven; what remains is having an agent read it.