Fix bw CLI procedure: use --raw and separate commands

Vaultwarden.md

@@ -39,21 +39,20 @@ Server is configured to `https://localhost:8042` (Caddy local HTTPS — avoids h
 
 ```bash
 # Configure server (one-time)
-NODE_TLS_REJECT_UNAUTHORIZED=0 bw config server https://localhost:8042
+bw config server https://localhost:8042
 
 # Login (one-time)
-NODE_TLS_REJECT_UNAUTHORIZED=0 bw login adolf46@proton.me
+bw login adolf46@proton.me
 
-# Unlock and get session
+# Unlock — use --raw to get a plain session token with no extra output
-SESSION=$(NODE_TLS_REJECT_UNAUTHORIZED=0 bw unlock '<master_password>' 2>/dev/null \
+SESSION=$(bw unlock '<master_password>' --raw 2>/dev/null)
-  | grep -o 'BW_SESSION="[^"]*"' | cut -d'"' -f2)
 
-# Fetch a stored token
+# Fetch a token by item name — returns password field value directly
-NODE_TLS_REJECT_UNAUTHORIZED=0 bw get item <item_id> --session "$SESSION" 2>/dev/null \
+bw get password "GITEA_TOKEN" --session "$SESSION" 2>/dev/null
-  | python3 -c "import sys,json; notes=json.load(sys.stdin)['notes']; \
-    print(next(v for k,v in (l.split('=',1) for l in notes.splitlines()) if k=='KEY_NAME'))"
 ```
 
+**Important:** run unlock and get as separate commands. Never chain them in a single pipeline — bw may write status text to stdout that corrupts the result.
+
 ## Agap Claude Tokens
 
 All Agap API tokens are stored as **individual login entries** in the AI collection. Token value is in the `password` field.