clawdie-ai/docs/VAULTWARDEN-DOMEDOG-FINDINGS-2026-06-19.md
Sam & Claude c2d5b5224f
docs(vault): update domedog findings — end-to-end PASS, bug found+fixed
Rewrite the findings to reflect the corrected outcome after the first draft
misdiagnosed unlock as a password failure:

- End-to-end chain PASS: login + unlock + fetch DEEPSEEK_API_KEY + write .env
  + re-lock. Master password was correct all along; the earlier 'decryption
  failed' was a stale logged-in session side effect.
- Document the one real bug: clawdie-vault-fetch failed at 'bw config server'
  when already logged in ('Logout required' treated as fatal). Fixed in
  clawdie-iso fix/vault-fetch-bw-config-when-logged-in.
- Record setup state on domedog (bw path, staged helper, bootstrap file).
- Carry forward the not-wired-yet follow-up: runtime consumption (agent reads
  the fetched .env at launch) is the next milestone.

Checks: prettier clean; git diff --check.

Co-Authored-By: Hermes & Sam <hello@clawdie.si>
2026-06-20 07:06:44 +02:00

Vaultwarden Connectivity — domedog Findings (2026-06-19, updated)

Host: domedog (domedog.pro, Linux)
Agent: Claude
PRs under evaluation: clawdie-iso #65 (merged as #67) + clawdie-ai #14 (doc contract)

Test results — end-to-end PASS

Full chain proven: bootstrap creds → bw login → unlock → fetch → .env → re-lock.

| Step | Command | Result |
| --- | --- | --- |
| Server reachable | curl -sI https://vault.smilepowered.org/ | HTTP 200 (Rocket/Vaultwarden) |
| bw CLI installed | bw --version | 2026.5.0 |
| API key login | bw login --apikey (via BW_CLIENTID/BW_CLIENTSECRET) | Logged in as samo.blatnik@gmail.com |
| Vault unlock | bw unlock --passwordenv BW_PASSWORD | Unlock succeeds; master password is correct |
| Fetch item | clawdie-vault-fetch --keys DEEPSEEK_API_KEY | Resolved 1 of 1 key |
| Write to .env | --write-env /tmp/smoke.env | Written 0600, value correct (35 chars, sk-...) |
| Re-lock on exit | trap cleanup | Vault re-locked automatically |

The test item

A DEEPSEEK_API_KEY login item was created in the agent-secrets collection, with the item name = the env var name and the value in the password field, per the documented contract. The helper fetched it cleanly with bw get password DEEPSEEK_API_KEY — confirming the name-based retrieval contract works.
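As an added example, and not the helper from clawdie-iso, the two halves of the contract in bash: a fetch that resolves an item by its env var name with bw get password, and a .env upsert of the kind the PR assessment below credits clawdie-vault-fetch with (untouched keys preserved, file left at 0600). It adds two checks the findings do not mention: the key name is validated and a value containing a newline is refused, since either could otherwise smuggle a second KEY=VALUE line into the file. Function names are assumptions; the fetch needs a logged-in, unlocked bw, while the upsert runs offline.

```bash
#!/usr/bin/env bash
# Added example, not clawdie-iso's clawdie-vault-fetch. Function names are
# assumptions; only `bw get password <name>` is the real CLI call.
set -u

# Name-based retrieval per the documented contract: the item name is the env
# var name and the secret is in the password field. Needs an unlocked bw.
fetch_key() {
    local name="$1" value
    value=$(bw get password "$name" 2>/dev/null) || return 1
    [ -n "$value" ] || return 1
    printf '%s' "$value"
}

# Upsert KEY=VALUE into an env file: untouched lines are preserved, the key
# keeps its position if already present (a duplicate KEY= line is dropped),
# and the file ends up mode 0600. The body runs in a subshell so the umask
# change does not leak into the caller.
write_env_upsert() (
    file=$1 key=$2 value=$3
    nl=$'\n'
    case "$key" in
        ""|[0-9]*|*[!A-Za-z0-9_]*) echo "bad key name: '$key'" >&2; return 1 ;;
    esac
    case "$value" in
        *"$nl"*) echo "refusing multi-line value for $key" >&2; return 1 ;;
    esac
    # 077 so the temp file is never readable by others, not even briefly.
    umask 077
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if [ -f "$file" ]; then
        # Pass key/value through the environment rather than awk -v, which
        # would reinterpret backslash escapes inside the secret.
        K="$key" V="$value" awk '
            BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"]; seen = 0 }
            index($0, k "=") == 1 { if (!seen) { print k "=" v; seen = 1 }; next }
            { print }
            END { if (!seen) print k "=" v }
        ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    else
        printf '%s=%s\n' "$key" "$value" > "$tmp"
    fi
    # Rename is atomic, so a reader never sees a half-written file.
    chmod 600 "$tmp" && mv -f "$tmp" "$file"
)

# Usage (after `bw unlock`), mirroring the smoke test on domedog:
#   v=$(fetch_key DEEPSEEK_API_KEY) && write_env_upsert /tmp/smoke.env DEEPSEEK_API_KEY "$v"
```

The awk pass is the part worth copying: it only matches lines that begin with the exact KEY=, so a key named FOO does not clobber FOO_BAR, and it appends when the key was absent, which is what makes repeat runs idempotent.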

One real bug found and fixed

clawdie-vault-fetch failed when bw was already logged in.

bw config server "$SERVER" refuses with Logout required before server config update when the CLI is already authenticated. The helper treated that as fatal (exit 1), which broke every repeat run on a host that is already logged in — including the very case the helper exists for (refresh .env from the vault on demand).

The bw login block already tolerated the analogous "already logged in" case. The fix (clawdie-iso, branch fix/vault-fetch-bw-config-when-logged-in) mirrors that pattern for bw config: capture stdout/stderr and tolerate logout required / already configured / already set, failing only on a real error. Verified: the fixed helper runs cleanly from the logged-in state (previously it exited 1 at the config step). One caveat worth carrying forward: tolerating the refusal leaves the existing session's server setting as it was, so the helper should also confirm that the server bw is configured for is the expected one before fetching; otherwise a stale login to a different instance would be used silently.
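As an added example, not the helper's own code from clawdie-iso: a bash wrapper that applies the tolerant pattern described above to bw config server and then adds a check the findings do not describe, confirming that the server bw is actually configured for is the one requested. Tolerating "Logout required" keeps whatever server the existing session was set up for, so without that check a stale login to some other instance would win silently. Classification is split into a function that takes the exit status and captured output, so it can be exercised without bw installed. Function names, the "already configured" / "already set" wording (taken from the findings, not from the CLI source), and the reliance on bw config server with no argument printing the configured URL are mine, not the page's.

```bash
#!/usr/bin/env bash
# Added example, not clawdie-iso's clawdie-vault-fetch. Function names and
# the non-bw error strings are assumptions.
set -u

# Classify the outcome of `bw config server <url>`.
#   0 = configured, or a benign "session already exists" refusal
#   1 = real error
# Takes the exit status and the combined stdout+stderr so it can be tested
# without the bw CLI present.
classify_bw_config() {
    local status="$1" out="$2"
    [ "$status" -eq 0 ] && return 0
    case "$out" in
        # The real bw message when a session already exists on this host.
        *"Logout required before server config update"*) return 0 ;;
        # Wording of these two is assumed from the findings text.
        *"already configured"*|*"already set"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Set the server, tolerating the logged-in case, then verify that the
# session bw is keeping really points at the server we were asked for.
# Tolerating "Logout required" means the existing config is kept as-is,
# so this check is what stops a stale login elsewhere from being used.
vault_config_server() {
    local want="$1" out status have
    out=$(bw config server "$want" 2>&1) && status=0 || status=$?
    if ! classify_bw_config "$status" "$out"; then
        printf 'bw config server failed: %s\n' "$out" >&2
        return 1
    fi
    # `bw config server` with no argument prints the configured URL.
    have=$(bw config server 2>/dev/null) || have=""
    if [ "${have%/}" != "${want%/}" ]; then
        printf 'bw is configured for %s, expected %s; run bw logout first\n' \
            "${have:-<unset>}" "$want" >&2
        return 1
    fi
    return 0
}

# Usage, as the helper would call it before `bw login --apikey`:
#   vault_config_server https://vault.smilepowered.org || exit 1
```

Exit 1 on the mismatch is deliberate: the safe recovery is an explicit bw logout, not an automatic one, because the helper should never discard a session it did not create.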

Correction to the earlier draft

An earlier draft of this doc reported bw unlock failing with Decryption failed and concluded the master password was wrong. That was incorrect: the unlock failure was a side effect of running the flow against a stale logged-in session. After bw logout and a clean re-run, unlock succeeds with the same master password — it was never wrong. The only defect was the bw config intolerance documented above.

Setup state on domedog

  • bw 2026.5.0 installed at ~/.nvm/versions/node/v22.22.0/bin/bw.
  • Helper staged at ~/.colibri/clawdie-vault-fetch (the fixed version).
  • Bootstrap env at ~/.config/vault-bootstrap.env (0600) — BW_CLIENTID, BW_CLIENTSECRET, and BW_PASSWORD all correct and verified by a successful fetch.
  • Server set to https://vault.smilepowered.org.

Not wired yet (documented follow-ups)

  • Runtime consumption: the helper fetches into a .env, but nothing yet loads that .env into a running agent's environment at launch. This is the next milestone (soul load + harness launch).
  • Auto-refresh: no scheduled/firstboot caller of the helper yet — it is run manually. The bw config bug fix is a prerequisite for auto-refresh to be reliable.

PR #65 / #14 assessment

Code quality: solid. clawdie-vault-fetch has trap-based lock-on-exit, headless --apikey login, tolerates "already logged in", sensible exit codes (0/1/3/4), and a --write-env upsert that preserves untouched keys at 0600. The one repeat-run bug (bw config intolerance) is fixed in a follow-up.

No blockers to the runtime-consumption milestone. The secret→.env path is proven; what remains is having an agent read it.