# Phase 1 — Bitwarden Cloud Migration

**Timeline:** Days 1-3  
**Goal:** Eliminate Vaultwarden as a single point of failure (SPOF) as the very first step. Every subsequent phase depends on secrets being available globally, not just when the Azure VM is alive.  
**MC Task:** #8494  
**Proveo Owner:** Angie Jones  
**Status:** PREVIEW — Parisa writing detailed runbook in parallel

## Why First

Phase 2 onwards deploys to Azure Container Apps. Those containers need secrets at startup (Anthropic API key, Postgres connection string, Azure SP). If Vaultwarden is down, all containers fail to start. Fix the foundation before building on it.

## Deliverables

- Export all current Vaultwarden items to encrypted JSON
- Import to Bitwarden cloud Teams ($4/user/month — 1 seat = $4/month total)
- Update `alai-cli` bootstrap step to use `bw login` against `cloud.bitwarden.com`
- Update all agent bootstrap scripts to use cloud BW endpoint
- Delete the BW CLI config pointing to `vault.basicconsulting.no`

## Rollback Plan

Vaultwarden self-hosted remains running in parallel until Phase 6. If Bitwarden cloud import fails, fall back to self-hosted immediately. Keep vault export as encrypted offline backup in `~/system/backups/`.

## Proveo Validation Criteria

**Test Owner:** Angie Jones (Proveo)

1. Fresh `bw login alembasic@gmail.com` on a machine with NO `vault.basicconsulting.no` access returns all expected items (GitHub token, Azure SP, Anthropic key, SSH key)
2. `alai login` (once built in Phase 4) succeeds using cloud BW credentials
3. Vaultwarden VM can be stopped for 1 hour with no agent failures on ANVIL
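
One way to automate criterion 1 is sketched below as an added example; it is not part of `alai-cli` or the pending runbook. It checks the JSON printed by `bw status` and `bw list items`, and the item names in `EXPECTED_ITEMS` are placeholder assumptions standing in for the real vault entry names.

```python
import json

OLD_HOST = "vault.basicconsulting.no"  # self-hosted endpoint being retired (from this page)
# Assumption: placeholder names; replace with the names used in the real vault.
EXPECTED_ITEMS = {"github-token", "azure-sp", "anthropic-api-key", "ssh-key"}


def validate(status_json, items_json, expected=EXPECTED_ITEMS):
    """Return a list of failures; an empty list means criterion 1 passes.

    Only item *names* are read, so no secret value reaches the output or a log.
    """
    failures = []
    status = json.loads(status_json)
    server = status.get("serverUrl") or ""  # can be null when no custom server is set
    if OLD_HOST in server:
        failures.append("CLI still points at " + OLD_HOST)
    if status.get("status") != "unlocked":
        failures.append("vault is %r, expected 'unlocked'" % status.get("status"))
        return failures  # an item listing is meaningless without an unlocked vault
    names = {item.get("name") for item in json.loads(items_json)}
    for missing in sorted(set(expected) - names):
        failures.append("missing item: " + missing)
    return failures


# Constructed sample data shaped like `bw status` / `bw list items` output.
SAMPLE_STATUS_OK = json.dumps({"serverUrl": None, "status": "unlocked"})
SAMPLE_STATUS_OLD = json.dumps(
    {"serverUrl": "https://vault.basicconsulting.no", "status": "unlocked"})
SAMPLE_STATUS_LOCKED = json.dumps({"serverUrl": None, "status": "locked"})
SAMPLE_ITEMS = json.dumps(
    [{"name": n} for n in ("github-token", "azure-sp", "ssh-key")])

if __name__ == "__main__":
    cases = (("cloud", SAMPLE_STATUS_OK),
             ("stale config", SAMPLE_STATUS_OLD),
             ("locked", SAMPLE_STATUS_LOCKED))
    for label, status in cases:
        print(label, "->", validate(status, SAMPLE_ITEMS) or "PASS")
```

On the test machine, pass the captured output of `bw status` and `bw list items` to `validate()` in place of the constructed samples, and treat any non-empty result as a failed validation.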

## Cost

**Bitwarden cloud Teams:** $4/user/month × 1 user = $4/month  
**vs Vaultwarden HA (2 VMs + Load Balancer):** ~$88/month

## Detailed Runbook

Parisa Tabriz (Securion) is writing the full step-by-step runbook in parallel. Once complete, it will be referenced here:  
`~/system/architecture/phase-1-bitwarden-runbook.md` (pending)

---

<small>Credit: ALAI, 2026</small>