layered-soul/memories/curated/vaultwarden-secrets.md

# Vaultwarden Secrets

Self-hosted secrets management at **vault.smilepowered.org** (Vaultwarden 2025.12.0, SSL).

## Organization

**Clawdie** (ID: `39727691-3403-4c50-89b8-d5f24310e79c`)

### Collections

| Collection | ID | Access | Purpose |
|-----------|-----|--------|---------|
| agent-secrets | `94ba61b8-633c-454e-b749-f115617eeac3` | All agents | API keys, tokens, passwords |
| bootstrap | (admin only) | Sam | Setup keys, admin tokens |

## Agent access

Each agent gets its own Vaultwarden user account and personal API key (starts with `user.`). Organization API keys do NOT work with `bw` CLI — only personal ones.

Bootstrap credentials stored in `~/.hermes/.env`:
- `BW_CLIENTID` / `BW_CLIENTSECRET` — personal API key
- `BW_PASSWORD` — master password
- `BW_SERVER` — https://vault.smilepowered.org

All other secrets move into the vault, fetched by `bw` CLI at runtime. Currently stored: hermes-debby Forgejo password, provider API keys pending migration.

## bw CLI

Installed via npx wrapper at `~/.local/bin/bw` (version must match Vaultwarden server — 2025.12.0). Login via `bw login --apikey`, unlock via `bw unlock --passwordenv BW_PASSWORD`.