Two parallel, additive paths so a host gets its secrets out of the box; the manual setup wizard stays the floor (no config = no-op).

clawdie-vault-fetch (new): language-neutral bw bridge. Reads a 0600 ~/.config/vault-bootstrap.env, pulls keys from the agent-secrets collection (item name = env var name, value in password field, so no jq), prints KEY=VALUE or --write-env upserts 0600. Exit codes distinguish skip (3, no bootstrap) / broken (1) / no bw (4). Pinned @bitwarden/cli@2026.5.0 for offline bundling; staged in configure_live_operator_session.

clawdie-live-seed: extend the CLAWDIESEED FAT32 importer from the authorized_keys allowlist to a per-agent directory convention — /<agent>/ with env (merged 0600), harness.toml (pi|zot|local), soul/ (staged), ssh/authorized_keys. Live USB single-agent (first dir = active); extra dirs staged + flagged for deployed multi-agent. Optional consume-and-shred. Import core is unit-testable via CLAWDIE_SEED_TEST.

README rewritten to document the per-agent contract and the operator decision to allow plaintext secrets on the seed (seeded sticks are secret-bearing media; 0600 landing + shred mitigations).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
12 lines
553 B
Text
# Bundled npm global CLIs for offline firstboot/live operator use.
# Pin exact versions to prevent build-to-build drift.
#
# Keep Pi current through coordinated version-sync work; do not rely on
# npm's moving latest dist-tag during ISO builds.

@earendil-works/pi-coding-agent@0.78.0

# Bitwarden CLI (`bw`) — headless access to the Clawdie Vaultwarden instance,
# used by clawdie-vault-fetch. Bundled offline so a booted image can pull agent
# secrets without a network npm install. See clawdie-ai/docs/VAULTWARDEN-SETUP.md.
@bitwarden/cli@2026.5.0
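The file's own rule, "pin exact versions", can be enforced before an ISO build. The check below is an added example, not code from this repository; it assumes the list format shown above (one npm spec per line, `#` comments, blank lines), and `check_pins` and the sample input are hypothetical names and constructed data.

```python
import re

# Constructed sample in the list format shown above: '#' comments, blank
# lines, one npm package spec per line. The last three entries are
# deliberately unpinned to show what the check rejects.
SAMPLE = """\
# Pin exact versions to prevent build-to-build drift.
@earendil-works/pi-coding-agent@0.78.0
@bitwarden/cli@2026.5.0
@bitwarden/cli@latest
@bitwarden/cli@^2026.5.0
left-pad
"""

# Package name: optional @scope/, then the name (npm naming rules, simplified).
NAME = r"(?:@[a-z0-9][a-z0-9._~-]*/)?[a-z0-9][a-z0-9._~-]*"
# Exact version: MAJOR.MINOR.PATCH with optional prerelease; no ranges, no dist-tags.
VERSION = r"(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-[0-9A-Za-z.-]+)?"
PINNED = re.compile(rf"^({NAME})@({VERSION})$")


def check_pins(text):
    """Return (pinned, problems): name -> version, and (lineno, spec, reason) tuples."""
    pinned, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        spec = raw.strip()
        if not spec or spec.startswith("#"):
            continue  # comment or blank line
        m = PINNED.match(spec)
        if not m:
            problems.append((lineno, spec, "not an exact name@x.y.z pin"))
            continue
        name, version = m.groups()
        if name in pinned and pinned[name] != version:
            # Two different pins for one package would make the bundle ambiguous.
            problems.append((lineno, spec, f"conflicts with {name}@{pinned[name]}"))
            continue
        pinned[name] = version
    return pinned, problems


if __name__ == "__main__":
    ok, bad = check_pins(SAMPLE)
    for lineno, spec, reason in bad:
        print(f"line {lineno}: {spec}: {reason}")
    raise SystemExit(1 if bad else 0)
```

An exact version pin fixes which release is requested but does not by itself verify the tarball contents; that needs a separate integrity check.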