# Vaultwarden Secrets

Self-hosted secrets management at **vault.smilepowered.org** (Vaultwarden 2025.12.0, SSL).

## Organization

**Clawdie** (ID: `39727691-3403-4c50-89b8-d5f24310e79c`)

### Collections

| Collection    | ID                                     | Access     | Purpose                     |
| ------------- | -------------------------------------- | ---------- | --------------------------- |
| agent-secrets | `94ba61b8-633c-454e-b749-f115617eeac3` | All agents | API keys, tokens, passwords |
| bootstrap     | (admin only)                           | Sam        | Setup keys, admin tokens    |

## Agent access

Each agent gets its own Vaultwarden user account and personal API key (starts with `user.`). Organization API keys do NOT work with `bw` CLI — only personal ones.

Bootstrap credentials stored in `~/.hermes/.env`:

- `BW_CLIENTID` / `BW_CLIENTSECRET` — personal API key
- `BW_PASSWORD` — master password
- `BW_SERVER` — https://vault.smilepowered.org

All other secrets move into the vault, fetched by `bw` CLI at runtime. Currently stored: hermes-debby Forgejo password, provider API keys pending migration.

## bw CLI

Installed via npx wrapper at `~/.local/bin/bw` (version must match Vaultwarden server — 2025.12.0). Login via `bw login --apikey`, unlock via `bw unlock --passwordenv BW_PASSWORD`.