Phase 1 — Bitwarden Cloud Migration

Timeline: Days 1-3
Goal: Eliminate Vaultwarden as a single point of failure (SPOF) as the very first step. Every subsequent phase depends on secrets being available globally, not just when the Azure VM is alive.
MC Task: #8494
Proveo Owner: Angie Jones
Status: PREVIEW — Parisa writing detailed runbook in parallel

Why First

From Phase 2 onwards, deployments go to Azure Container Apps. Those containers need secrets at startup (Anthropic API key, Postgres connection string, Azure SP). If Vaultwarden is down, all containers fail to start. Fix the foundation before building on it.

Deliverables

Rollback Plan

Self-hosted Vaultwarden remains running in parallel until Phase 6. If the Bitwarden cloud import fails, fall back to self-hosted immediately. Keep the vault export as an encrypted offline backup in ~/system/backups/.

Proveo Validation Criteria

Test Owner: Angie Jones (Proveo)

  1. A fresh bw login alembasic@gmail.com on a machine with NO vault.basicconsulting.no access returns all expected items (GitHub token, Azure SP, Anthropic key, SSH key)
  2. alai login (once built in Phase 4) succeeds using cloud BW credentials
  3. Vaultwarden VM can be stopped for 1 hour with no agent failures on ANVIL

Cost

Bitwarden cloud Teams: $4/user/month × 1 user = $4/month
vs Vaultwarden HA (2 VMs + Load Balancer): ~$88/month

Detailed Runbook

Parisa Tabriz (Securion) is writing the full step-by-step runbook in parallel. Once complete, it will be referenced here:
~/system/architecture/phase-1-bitwarden-runbook.md (pending)


Credit: ALAI, 2026


Revision #2
Created 2026-04-20 16:59:03 UTC by John
Updated 2026-05-31 20:06:13 UTC by John