clawdie/clawdie-iso
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(vault): bake Vaultwarden endpoint defaults into ISO (Sam & Pi)

Browse source 
Stage a non-secret /usr/local/etc/colibri/provider.env with the Clawdie Vaultwarden endpoint so operators only add BW bootstrap credentials. Also teach clawdie-vault-fetch to honor BW_SERVER and fail closed if an existing bw login points at a different server.\n\nChecks: sh -n live/operator-session/clawdie-vault-fetch scripts/stage-colibri-iso.sh; ./scripts/check-format.sh; git diff --check; COLIBRI_REPO=/home/clawdie/ai/colibri scripts/stage-colibri-iso.sh <tmp>
This commit is contained in:
Sam & Claude 2026-06-20 07:27:51 +02:00
parent 14bd7f5255
commit e70ea171b3
4 changed files with 51 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
live/operator-session/bootstrap.html
View file

@ -129,19 +129,25 @@ colibri list-tasks --status queued</pre>
<code>/usr/local/share/clawdie-iso/mcp-examples/</code>. <code>/usr/local/share/clawdie-iso/mcp-examples/</code>.
</p> </p>
<h2>LLM provider keys</h2> <h2>LLM provider keys + Vaultwarden bootstrap</h2>
<p> <p>
Colibri can run local checks without a key. Remote providers need a key Colibri can run local checks without a key. The ISO prepopulates the
in <code>/usr/local/etc/colibri/provider.env</code>. Keep this file non-secret Vaultwarden endpoint in
root-owned and mode <code>0600</code>; it is read when <code>/usr/local/etc/colibri/provider.env</code>. To let agents populate
<code>colibri_daemon</code> starts. their own provider secrets from Vaultwarden, add only the bootstrap
credentials there. Keep this file root-owned and mode <code>0600</code>;
it is read when <code>colibri_daemon</code> starts.
</p> </p>
<pre> <pre>
mdo -u root cp /usr/local/etc/colibri/provider.env.sample /usr/local/etc/colibri/provider.env
mdo -u root chmod 600 /usr/local/etc/colibri/provider.env
mdo -u root ee /usr/local/etc/colibri/provider.env mdo -u root ee /usr/local/etc/colibri/provider.env
mdo -u root chmod 600 /usr/local/etc/colibri/provider.env
mdo -u root service colibri_daemon restart</pre> mdo -u root service colibri_daemon restart</pre>
<p>Put only the providers you use in that file:</p> <p>The endpoint is already present. Add the three Vaultwarden bootstrap values:</p>
<pre>
BW_CLIENTID="..."
BW_CLIENTSECRET="..."
BW_PASSWORD="..."</pre>
<p>Direct provider keys are optional fallback entries:</p>
<pre> <pre>
DEEPSEEK_API_KEY="sk-..." DEEPSEEK_API_KEY="sk-..."
OPENROUTER_API_KEY="sk-or-..." OPENROUTER_API_KEY="sk-or-..."

5
live/operator-session/clawdie-live-seed.README.txt
View file

@ -46,8 +46,11 @@ Inside it, any of these are honored:
preserved. Blank/`#` lines are ignored. preserved. Blank/`#` lines are ignored.
Typical contents: provider API keys Typical contents: provider API keys
(ANTHROPIC_API_KEY=..., ZAI_API_KEY=...), (ANTHROPIC_API_KEY=..., ZAI_API_KEY=...),
and optionally the Vaultwarden bootstrap or the Vaultwarden bootstrap
(BW_CLIENTID/BW_CLIENTSECRET/BW_PASSWORD). (BW_CLIENTID/BW_CLIENTSECRET/BW_PASSWORD).
The Vaultwarden endpoint is baked into the
image; do not put it on the seed unless you
are deliberately overriding it.
/<agent>/harness.toml Which agent harness to run + basic knobs: /<agent>/harness.toml Which agent harness to run + basic knobs:

16
live/operator-session/clawdie-vault-fetch
View file

@ -28,7 +28,7 @@
# 4 `bw` CLI not installed # 4 `bw` CLI not installed
set -eu set -eu
SERVER="${VAULT_SERVER:-https://vault.smilepowered.org}" SERVER="${VAULT_SERVER:-${BW_SERVER:-https://vault.smilepowered.org}}"
# NOTE: items are fetched by name with `bw get password`, which is fail-closed # NOTE: items are fetched by name with `bw get password`, which is fail-closed
# on ambiguity (multiple matches error out). Item names must therefore be unique # on ambiguity (multiple matches error out). Item names must therefore be unique
# in the agent account's visible vault — see docs/VAULTWARDEN-SETUP.md. We do not # in the agent account's visible vault — see docs/VAULTWARDEN-SETUP.md. We do not
@ -106,11 +106,17 @@ cleanup() {
trap cleanup EXIT INT TERM trap cleanup EXIT INT TERM
# Set the server. When already logged in, `bw config` refuses with # Set the server. When already logged in, `bw config` refuses with
# "Logout required before server config update" — tolerate that, since the # "Logout required before server config update". Tolerate that only when the
# server is already set to the right value (we read it from VAULT_SERVER). # current bw server already matches the expected Clawdie endpoint; otherwise
# Mirror the login tolerance: capture stderr and only fail on a real error. # fail closed so a stale login cannot fetch from the wrong Bitwarden host.
if ! bw config server "$SERVER" >"$WORK/config.out" 2>"$WORK/config.err"; then if ! bw config server "$SERVER" >"$WORK/config.out" 2>"$WORK/config.err"; then
if ! grep -qi 'logout required\|already configured\|already set' "$WORK/config.err" "$WORK/config.out" 2>/dev/null; then if grep -qi 'logout required\|already configured\|already set' "$WORK/config.err" "$WORK/config.out" 2>/dev/null; then
CURRENT_SERVER="$(bw config server 2>/dev/null || true)"
if [ "$CURRENT_SERVER" != "$SERVER" ]; then
log "bw is already logged in with server '$CURRENT_SERVER' (expected '$SERVER'); logout and rerun"
exit 1
fi
else
log "could not set bw server to $SERVER:" log "could not set bw server to $SERVER:"
sed 's/^/ /' "$WORK/config.err" >&2 sed 's/^/ /' "$WORK/config.err" >&2
exit 1 exit 1

24
scripts/stage-colibri-iso.sh
View file

@ -103,10 +103,30 @@ colibri_daemon_host="\$(/bin/hostname)"
colibri_daemon_cost_mode="${COLIBRI_COST_MODE}" colibri_daemon_cost_mode="${COLIBRI_COST_MODE}"
EOF EOF
cat > "${ETC_DIR}/provider.env" <<'EOF'
# Non-secret Clawdie defaults. Keep this file mode 0600: operators may add
# provider keys and Vaultwarden bootstrap credentials here after boot.
VAULT_SERVER="https://vault.smilepowered.org"
BW_SERVER="https://vault.smilepowered.org"
EOF
chmod 0600 "${ETC_DIR}/provider.env" 2>/dev/null || true
cat > "${ETC_DIR}/provider.env.sample" <<'EOF' cat > "${ETC_DIR}/provider.env.sample" <<'EOF'
# Optional provider keys for colibri_daemon. Copy this file to provider.env, # Optional provider keys and Vaultwarden bootstrap credentials for
# chmod it 0600, fill in only the providers you use, then restart the service. # colibri_daemon. The ISO already stages provider.env with the non-secret
# Clawdie Vaultwarden endpoint; copy values from here into provider.env,
# keep it mode 0600, then restart the service.
# #
# Baked non-secret defaults:
VAULT_SERVER="https://vault.smilepowered.org"
BW_SERVER="https://vault.smilepowered.org"
#
# Vaultwarden bootstrap credentials (secret; operator-provided):
# BW_CLIENTID="..."
# BW_CLIENTSECRET="..."
# BW_PASSWORD="..."
#
# Direct provider keys (optional when Vaultwarden provisioning is used):
# DEEPSEEK_API_KEY="sk-..." # DEEPSEEK_API_KEY="sk-..."
# OPENROUTER_API_KEY="sk-or-..." # OPENROUTER_API_KEY="sk-or-..."
# ANTHROPIC_API_KEY="sk-ant-..." # ANTHROPIC_API_KEY="sk-ant-..."