layered-soul/skills/vaultwarden-secrets/references/bw-cli-reference.md


# bw CLI Reference
Quick-reference for the `bw` (Bitwarden) CLI against a self-hosted Vaultwarden instance.
## Install
```sh
npm install -g @bitwarden/cli
```
On systems where `node`/`npm` aren't on default PATH (e.g. nvm-managed), use the full path:
```bash
~/.nvm/versions/node/v24.16.0/bin/npm install -g @bitwarden/cli
export PATH="$HOME/.nvm/versions/node/v24.16.0/bin:$PATH"
```
## Login (headless API key)
```sh
bw config server https://vault.example.com
# Interactive: prompts for client_id and client_secret
bw login --apikey
# Non-interactive: set BW_CLIENTID + BW_CLIENTSECRET env vars, then:
bw login --apikey
```
## Unlock (headless)
```sh
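# "master-password" is a placeholder; the output includes the session key
BW_PASSWORD="master-password" bw unlock --passwordenv BW_PASSWORD
# With --raw only the key is printed, so it can be captured directly:
# export BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)"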
```
Or combine: `bw login --apikey && bw unlock --passwordenv BW_PASSWORD`
## Status
```sh
bw status # JSON; the "status" field is "unauthenticated", "locked" or "unlocked"
```
## Organization Collections
```sh
# List
bw list collections --organizationid <org-id> --session "$BW_SESSION"
# Sync (after creating new collections in web UI)
bw sync --session "$BW_SESSION"
```
## Item CRUD
### Create
```sh
echo '{"type":1,"name":"...","login":{"username":"...","password":"..."},"organizationId":"<org-id>"}' | \
bw encode | bw create item --session "$BW_SESSION"
```
### Get
```sh
bw get item "Item Name" --session "$BW_SESSION"
# Returns JSON including .login.password, .login.username, .login.uris
```
### Get by ID (extract password)
```sh
bw get item <id> --session "$BW_SESSION" | python3 -c "import sys,json; print(json.load(sys.stdin)['login']['password'])"
```
### Edit (e.g., move to collection)
```sh
bw get item <id> --session "$BW_SESSION" | \
python3 -c "import sys,json; d=json.load(sys.stdin); d['collectionIds']=['<col-id>']; print(json.dumps(d))" | \
bw encode | bw edit item <id> --session "$BW_SESSION"
```
### List all items
```sh
bw list items --session "$BW_SESSION" | python3 -c "import sys,json; [print(i['name']) for i in json.load(sys.stdin)]"
```
## Lock
```sh
bw lock # Locks vault, invalidates session
```
## Item Types
| type | Name |
| ---- | --------------------------------- |
| 1 | Login (username + password + URI) |
| 2 | Secure Note |
| 3 | Card |
| 4 | Identity |
## Pitfalls
- Organization API keys don't work with `bw login --apikey`. Use a personal API key (`user.xxx`).
- The organization flag is spelled `--organizationid`, not `--organization-id`.
- `--collectionids` flag doesn't exist on `bw create item` — use `organizationId` in the JSON body and set `collectionIds` via `bw edit item` after creation.
- Session tokens expire. Run `bw status` to check.
- After creating collections in the web UI, run `bw sync` before `bw list collections`.
- `bw login --apikey` is interactive — doesn't accept stdin piping. Use `BW_CLIENTID` + `BW_CLIENTSECRET` env vars for non-interactive use.
- On Vaultwarden you must first log out then log in: `bw logout && bw login --apikey`.
## Forgejo integration example
```sh
bw get item "hermes-debby Forgejo" --session "$BW_SESSION" | \
python3 -c "import sys,json; d=json.load(sys.stdin); print(f'user={d[\"login\"][\"username\"]} pass={d[\"login\"][\"password\"]}')"
```
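
The login, unlock, get and lock steps above combined into one headless session wrapper, as an added example that is not part of the original reference. It assumes `BW_CLIENTID`, `BW_CLIENTSECRET` and `BW_PASSWORD` are already exported and `bw config server` has been run; the function names are hypothetical, and it exports `BW_SESSION` instead of passing `--session` so the key stays out of the argument list.

```sh
#!/bin/sh
# Added example, not from the original reference. Assumes BW_CLIENTID,
# BW_CLIENTSECRET and BW_PASSWORD are exported by the caller and that
# `bw config server` has been run. Function names are hypothetical.

# Print the "status" field of `bw status`: unauthenticated, locked or unlocked.
bw_state() {
  bw status 2>/dev/null | python3 -c '
import sys, json
try:
    print(json.load(sys.stdin).get("status", "unknown"))
except ValueError:
    print("unknown")'
}

# Log in and unlock as needed, then export BW_SESSION so later calls need no
# --session argument (command-line arguments can show up in process listings).
bw_open() {
  _bw_st="$(bw_state)"
  if [ "$_bw_st" = "unauthenticated" ]; then
    bw login --apikey >/dev/null || return 1   # reads BW_CLIENTID/BW_CLIENTSECRET
    _bw_st="locked"
  fi
  if [ "$_bw_st" = "locked" ]; then
    BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)" || return 1
    export BW_SESSION
  fi
  [ "$(bw_state)" = "unlocked" ]
}

# Print exactly one login field of an item (no label, no trailing newline).
# usage: bw_login_field <item-name-or-id> <username|password>
bw_login_field() {
  bw get item "$1" | python3 -c '
import sys, json
try:
    sys.stdout.write(json.load(sys.stdin)["login"][sys.argv[1]])
except (ValueError, KeyError, TypeError):
    sys.exit(1)' "$2"
}

# Lock the vault and drop the session key from this shell.
bw_close() {
  bw lock >/dev/null 2>&1
  unset BW_SESSION
}
```

Typical use: `bw_open && trap bw_close EXIT`, then `FORGEJO_PASS="$(bw_login_field "hermes-debby Forgejo" password)"` so the password goes straight into a variable rather than onto the terminal.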