fix(vault-fetch): tolerate 'already logged in' at bw config server #68

Merged
clawdie merged 1 commit from fix/vault-fetch-bw-config-when-logged-in into main 2026-06-20 07:10:52 +02:00
Owner

What

Fixes clawdie-vault-fetch failing on every repeat run when bw is already logged in — the exact case the helper exists for (refresh .env from the vault on demand).

The bug

bw config server "$SERVER" refuses with Logout required before server config update when the Bitwarden CLI is already authenticated. The helper treated that message as fatal (exit 1), so:

```sh
# first run on a fresh host: works
clawdie-vault-fetch --write-env ~/.env

# any subsequent run on the same host: fails at 'bw config server'
clawdie-vault-fetch --write-env ~/.env   # → exit 1
```

The fix

The bw login block already tolerates the analogous "already logged in" case by capturing stderr. Mirror that for bw config: capture stderr/stdout and tolerate logout required / already configured / already set, failing only on a real error.

Verification (domedog, against live vault)

Reproduced the failure case (logged-in state), then ran the fixed helper:

```
# before: logged-in state → exit 1 at 'could not set bw server'
# after:
clawdie-vault-fetch --write-env /tmp/smoke.env --keys DEEPSEEK_API_KEY
# → resolved 1 of 1 key(s) from agent-secrets
# → wrote 1 key(s) into /tmp/smoke.env
# → exit 0; vault re-locked on exit
```

Full end-to-end chain now proven and repeatable: bootstrap creds → login → unlock → fetch → .env → re-lock.

Checks

```sh
sh -n live/operator-session/clawdie-vault-fetch
git diff --check
./scripts/check-format.sh        # prettier clean
```

Companion

Findings documented in clawdie-ai docs/vault-domedog-proof-passed — updates VAULTWARDEN-DOMEDOG-FINDINGS-2026-06-19.md to reflect end-to-end PASS (correcting the first draft's misdiagnosis of unlock failure) plus this bug and fix.

Co-Authored-By: Hermes & Sam <hello@clawdie.si>

clawdie added 1 commit 2026-06-20 07:07:49 +02:00
bw config server refuses with 'Logout required before server config update'
when the CLI is already authenticated. The helper treated that as fatal
(exit 1), which broke every repeat run on an already-logged-in host — exactly
the 'refresh .env from vault' case the helper exists for.

The bw login block already tolerates 'already logged in'; mirror that for
bw config: capture stderr/stdout and tolerate 'logout required' /
'already configured' / 'already set', failing only on a real error.

Verified on domedog: fixed helper runs cleanly from the logged-in state
(previously exited 1 at the config step).

Checks: sh -n; git diff --check; ./scripts/check-format.sh (prettier clean).

Co-Authored-By: Hermes & Sam <hello@clawdie.si>
clawdie merged commit 14bd7f5255 into main 2026-06-20 07:10:52 +02:00
clawdie deleted branch fix/vault-fetch-bw-config-when-logged-in 2026-06-20 07:10:53 +02:00
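
One way to implement the tolerance this PR describes, as an added example: it is not the helper's own code (the diff is not shown on this page), and `set_bw_server` and `norm_url` are hypothetical names. It goes one step beyond the description: a tolerated refusal means the CLI kept its previous server, so the example reads the configured server back with `bw config server` and stops if the logged-in session points somewhere other than the requested server.

```sh
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.

# Normalise a server base URL for comparison: lower-case it and strip
# trailing slashes (a simplification that suits bare host URLs).
norm_url() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's:/*$::'
}

# Point the Bitwarden CLI at server $1.
# Returns 0 when the CLI ends up on the wanted server,
#         1 on a real error,
#         2 when the refusal was tolerated but the CLI is on another server.
set_bw_server() {
    want=$1
    # Capture stdout and stderr so the refusal text can be inspected.
    if out=$(bw config server "$want" 2>&1); then
        return 0
    fi
    case $(printf '%s' "$out" | tr '[:upper:]' '[:lower:]') in
        *"logout required"* | *"already configured"* | *"already set"*) ;;
        *)
            printf 'could not set bw server: %s\n' "$out" >&2
            return 1
            ;;
    esac
    # Tolerated: the CLI kept its existing server. Called without a value,
    # 'bw config server' prints the server currently configured.
    have=$(bw config server 2>/dev/null) || return 1
    if [ "$(norm_url "$have")" != "$(norm_url "$want")" ]; then
        printf 'bw is logged in to %s, expected %s\n' "$have" "$want" >&2
        return 2
    fi
    return 0
}
```

A caller would treat return code 2 as fatal, since unlocking and fetching at that point would read secrets from a vault other than the one named in `$SERVER`.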
Reference: clawdie/clawdie-iso#68