Add Vaultwarden CLI setup and Claude token integration notes

Vaultwarden.md

@@ -31,7 +31,39 @@ services:
       - 127.0.0.1:8041:80
 ```
 
+## CLI Setup
+
+Bitwarden CLI (`bw`) is installed at `/home/alvis/bin/bw` (on PATH).
+
+Server is configured to `https://localhost:8042` (Caddy local HTTPS — avoids hairpin NAT issue with public IP).
+
+```bash
+# Configure server (one-time)
+NODE_TLS_REJECT_UNAUTHORIZED=0 bw config server https://localhost:8042
+
+# Login (one-time)
+NODE_TLS_REJECT_UNAUTHORIZED=0 bw login adolf46@proton.me
+
+# Unlock and get session
+SESSION=$(NODE_TLS_REJECT_UNAUTHORIZED=0 bw unlock '<master_password>' 2>/dev/null \
+  | grep -o 'BW_SESSION="[^"]*"' | cut -d'"' -f2)
+
+# Fetch a stored token
+NODE_TLS_REJECT_UNAUTHORIZED=0 bw get item <item_id> --session "$SESSION" 2>/dev/null \
+  | python3 -c "import sys,json; notes=json.load(sys.stdin)['notes']; \
+    print(next(v for k,v in (l.split('=',1) for l in notes.splitlines()) if k=='KEY_NAME'))"
+```
+
+## Agap Claude Tokens
+
+All Agap API tokens are stored in the **AI collection** as a secure note named **"Agap Claude Tokens"** (item ID: `dc65c697-7c9e-42d1-ac60-bd2900737a28`).
+
+Stored keys: `GITEA_TOKEN`, `ZABBIX_TOKEN`, `TELEGRAM_BOT_TOKEN`, `TELEGRAM_CHAT_ID`, `HA_TOKEN`
+
+Claude fetches these on demand using `BW_PASSWORD` from its environment.
+
 ## Notes
 
 - `ADMIN_TOKEN` is an argon2id hash — generate with `vaultwarden hash` or use the web tool
-- Caddy handles TLS: `vw.alogins.net { reverse_proxy localhost:8041 }`
+- Caddy handles TLS at `https://localhost:8042` (local) and `https://vw.alogins.net` (public)
+- `NODE_TLS_REJECT_UNAUTHORIZED=0` required because localhost uses a self-signed cert