layered-soul/skills/forgejo-operations/references/vaultwarden-bw-cli.md
Hermes & Sam 5c5df32101 Populate layered-soul: identity, memories, skills, plan (Hermes & Sam)
- SOUL.md: full agent identity, operating principles, voice
- IDENTITY.md: runtime identity, hosts, boundaries
- USER.md: operator context imported from hermes-soul
- AGENTS.md: actual operating rules, infrastructure, quick reference
- memories/curated/: 5 topics (tailscale, forgejo, agents, projects, vaultwarden)
- skills/: 9 cross-harness skills imported from hermes-soul after review
- docs/PLAN-CONFIGURE-PRIVATE-REPO.md: configuration plan
- Validate: passes clean
2026-06-14 00:21:26 +02:00

Vaultwarden bw CLI

bw (Bitwarden CLI) talks to self-hosted Vaultwarden. Install via npm:

npm install -g @bitwarden/cli
bw config server https://vault.example.org

Headless Auth Pattern

API key login + master password unlock. No interactive prompts.

export BW_CLIENTID="user.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
export BW_CLIENTSECRET="xxxxxxxxxxxxxxxxxxxxxx"
export BW_PASSWORD="master-password"

bw login --apikey
# "You are logged in!"

BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
# Returns raw session key string

# Use session for all subsequent commands:
bw list items --session "$BW_SESSION"
bw get item "item name" --session "$BW_SESSION"

# Lock when done:
bw lock

Session keys expire. For long-running agent sessions, log in once, then unlock as needed. Never store BW_PASSWORD in plaintext: the user provides it, the agent uses it, then clears it.
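
The provide, use, clear lifecycle described above, as an added example that is not part of the original page: a POSIX shell function, hypothetically named with_bw_session, that unlocks, runs one bw command, then clears the password and locks the vault. It assumes bw login --apikey has already succeeded, and it passes the session key through the BW_SESSION environment variable (which bw reads) instead of --session, so the key stays out of the process argument list.

```sh
# Added example, not from the original page. with_bw_session is a hypothetical
# helper name. Assumes `bw login --apikey` has already succeeded and that the
# operator has placed the master password in BW_PASSWORD for this shell only.
# Usage: with_bw_session get item "<item-id>"
with_bw_session() {
  if [ -z "${BW_PASSWORD:-}" ]; then
    echo "with_bw_session: BW_PASSWORD is not set" >&2
    return 2
  fi

  # bw unlock --passwordenv reads the variable from its environment.
  export BW_PASSWORD
  _bw_rc=0
  _bw_session=$(bw unlock --passwordenv BW_PASSWORD --raw) || _bw_rc=$?

  # The master password is only needed for unlock: clear it in the calling
  # shell right away, whether or not the unlock worked.
  unset BW_PASSWORD

  if [ "$_bw_rc" -ne 0 ] || [ -z "$_bw_session" ]; then
    unset _bw_session
    bw lock >/dev/null 2>&1 || true
    echo "with_bw_session: unlock failed" >&2
    return 3
  fi

  # Hand the key to bw through BW_SESSION, scoped to a subshell, rather than
  # --session "$KEY": command-line arguments show up in the process list.
  _bw_rc=0
  ( export BW_SESSION="$_bw_session"; bw "$@" ) || _bw_rc=$?

  # Drop the key and lock the vault on both success and failure.
  unset _bw_session
  bw lock >/dev/null 2>&1 || true
  return "$_bw_rc"
}
```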

Quirks

Organization API keys don't work for login

bw login --apikey rejects organization API keys (organization.xxx). Use a personal API key (user.xxx) from Account Settings → Security → Keys.

Flag names are dashless in some versions

  • --organizationid (not --organization-id)
  • --collectionid (not --collection-id)
  • --passwordenv (not --password-env)

Creating/editing items requires encode pipe

The bw create item and bw edit item commands expect base64-encoded JSON. Use bw encode:

echo '{"type":1,"name":"my login",...}' | bw encode | bw create item --session "$BW_SESSION"

Item types: 1=login, 2=note, 3=card, 4=identity.

Getting item by name vs ID

bw get item "hermes-debby Forgejo" --session "$BW_SESSION"   # by name
bw get item "5311d063-..." --session "$BW_SESSION"            # by ID (faster)

Moving items between collections

GET the item, modify collectionIds array, encode, edit:

bw get item "<item-id>" --session "$BW_SESSION" | \
  python3 -c "import sys,json; d=json.load(sys.stdin); d['collectionIds']=['<new-collection-id>']; print(json.dumps(d))" | \
  bw encode | bw edit item "<item-id>" --session "$BW_SESSION"

Sync after creating collections

New collections created in the web UI don't appear in bw list collections until after bw sync.

Collection Management

Collections live under an Organization. To list:

bw list collections --organizationid <org-id> --session "$BW_SESSION"

To check orgs:

bw list organizations --session "$BW_SESSION"