Phase 1 — Bitwarden Cloud Migration

Phase 1 — Bitwarden Cloud Migration 
 Timeline: Days 1-3 
 Goal: Eliminate Vaultwarden SPOF as the very first step. Every subsequent phase depends on secrets being available globally, not just when the Azure VM is alive. 
 MC Task: #8494 
 Proveo Owner: Angie Jones 
 Status: PREVIEW — Parisa writing detailed runbook in parallel 

 Why First 
 Phase 2 onwards deploys to Azure Container Apps. Those containers need secrets at startup (Anthropic API key, Postgres connection string, Azure SP). If Vaultwarden is down, all containers fail to start. Fix the foundation before building on it. 

 Deliverables 
 
 Export all current Vaultwarden items to encrypted JSON 
 Import to Bitwarden cloud Teams ($4/user/month — 1 seat = $4/month total) 
 Update alai-cli bootstrap step to use bw login against cloud.bitwarden.com 
 Update all agent bootstrap scripts to use cloud BW endpoint 
 Delete the BW CLI config pointing to vault.basicconsulting.no 
 

 Rollback Plan 
 Vaultwarden self-hosted remains running in parallel until Phase 6. If Bitwarden cloud import fails, fall back to self-hosted immediately. Keep vault export as encrypted offline backup in ~/system/backups/ . 

 Proveo Validation Criteria 
 Test Owner: Angie Jones (Proveo) 
 
 Fresh bw login alembasic@gmail.com on a machine with NO vault.basicconsulting.no access returns all expected items (GitHub token, Azure SP, Anthropic key, SSH key) 
 alai login (once built in Phase 4) succeeds using cloud BW credentials 
 Vaultwarden VM can be stopped for 1 hour with no agent failures on ANVIL 
 

 Cost 
 Bitwarden cloud Teams: $4/user/month × 1 user = $4/month 
 vs Vaultwarden HA (2 VMs + Load Balancer): ~$88/month 

 Detailed Runbook 
 Parisa Tabriz (Securion) is writing the full step-by-step runbook in parallel. Once complete, it will be referenced here: 
 ~/system/architecture/phase-1-bitwarden-runbook.md (pending) 

 
 Credit: ALAI, 2026