Ezra Identity Bootstrap

This guide documents the full process for bootstrapping Ezra's identity in a fresh environment: Gmail account access, Bitwarden vault setup, API key configuration, and credential sync.

Overview

Ezra's identity centers on two services:

Service    Account                    Purpose
Gmail      ezra@karlvanderslice.com   Primary communication
Bitwarden  ezra@karlvanderslice.com   Credential vault and MCP tools

Credentials are stored locally in .env (gitignored) and should be kept in sync with Bitwarden using just bw-env-push and just bw-env-pull.


Prerequisites

  • Access to a browser (Playwright MCP or manual)
  • Karl's confirmation that Ezra has been added to the Bitwarden ai-sandbox org
  • Nix dev shell active (direnv allow or nix develop)

Part 1: Gmail Initial Login

Gmail requires a mandatory password change on first login.

  1. Navigate to https://mail.google.com
  2. Sign in as ezra@karlvanderslice.com with the password from Karl
  3. Google will force a password change — generate a temporary password and set it, then store it in .env as EZRA_GMAIL_PW_TEMP
  4. After accepting the Bitwarden invite (Part 2), generate a final password with the Bitwarden generator and update Gmail (accounts.google.com)
  5. Store the final Gmail password in .env as EZRA_GMAIL_PW

Part 2: Bitwarden Account Setup

  1. Log into Gmail and locate the invitation email from no-reply@bitwarden.com. Subject: invitation to join the ai-sandbox org
  2. Click Accept invitation — this opens the Bitwarden finish-signup page
  3. Create a master password and record it in .env as EZRA_BITWARDEN_MASTER_PW
  4. Karl must confirm Ezra's membership in the Bitwarden admin console before the vault becomes usable — ask Karl to do this before continuing
  5. Log into https://vault.bitwarden.com

Part 3: API Key and MCP Credentials

Ezra's Bitwarden MCP server authenticates via API key + session.

Retrieve the API Key

  1. In the Bitwarden web vault, go to Settings > Security > Keys
  2. Click View API key (confirm master password when prompted)
  3. Record client_id as BW_CLIENT_ID and client_secret as BW_CLIENT_SECRET in .env

Generate a Session Token

Session tokens expire. Regenerate them with:

export BW_SESSION=$(bw unlock "${EZRA_BITWARDEN_MASTER_PW}" --raw)

Or run just bw-env-pull, which regenerates the session automatically.

The Bitwarden MCP Docker container reads BW_SESSION, BW_CLIENT_ID, and BW_CLIENT_SECRET from the environment via the nix devShell's shellHook (which sources .env on entry).


Part 4: Store Gmail in Bitwarden

Store the Gmail login in the AI_Shared collection so it is available to all agents:

bw login ezra@karlvanderslice.com
# Or via API key:
bw login --apikey
export BW_SESSION=$(bw unlock "${EZRA_BITWARDEN_MASTER_PW}" --raw)

Create the item using the Bitwarden MCP mcp_bitwarden_create_item tool, or via the bw CLI.


Part 5: .env Sync Workflow

.env is gitignored. Its contents are stored as a Bitwarden secure note named "Ezra .env" in the AI_Shared collection.

Push (update Bitwarden from current .env)

just bw-env-push

Strips BW_SESSION (ephemeral) and upserts the rest to the secure note.

Pull (restore .env from Bitwarden)

just bw-env-pull

Fetches the secure note and writes .env. Appends a freshly unlocked BW_SESSION.
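
The strip-on-push and append-on-pull behaviour described above, as an added shell example (not the project's justfile recipes). The function names and sample values are constructed for illustration, and writing .env with owner-only permissions is an assumption about how the file should be protected; in the real workflow the fresh token would come from bw unlock --raw.

```shell
# Added example: hypothetical helpers, not the project's justfile recipes.
SESSION_RE='^[[:space:]]*(export[[:space:]]+)?BW_SESSION='

# Push side: print the .env file in $1 without the ephemeral BW_SESSION line,
# so a short-lived session token is never persisted in the vault note.
strip_session() {
  grep -Ev "$SESSION_RE" "$1" || [ $? -eq 1 ]   # status 1 only means "no lines left"
}

# Pull side: read note text on stdin, drop any stale BW_SESSION, append the
# fresh token in $2, and replace the file $1 atomically with mode 0600.
write_env() (
  umask 077
  tmp=$(mktemp "$1.XXXXXX") || exit 1
  { grep -Ev "$SESSION_RE" || [ $? -eq 1 ]; printf 'BW_SESSION=%s\n' "$2"; } > "$tmp"
  mv -f "$tmp" "$1"
)

# True when only the owner can read or write the file in $1.
owner_only() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample data; every value is a placeholder, not a real credential.
demo() (
  dir=$(mktemp -d) || exit 1
  printf '%s\n' 'EZRA_EMAIL=ezra@karlvanderslice.com' \
    'BW_CLIENT_SECRET=placeholder-secret' 'BW_SESSION=stale-token' > "$dir/.env"
  note=$(strip_session "$dir/.env")                            # what push would upsert
  printf '%s\n' "$note" | write_env "$dir/.env" 'fresh-token'  # what pull would write
  cat "$dir/.env"
  owner_only "$dir/.env" && echo 'mode: owner-only'
  rm -rf "$dir"
)
demo
```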

Bootstrap (first-time pull on a new machine)

bw-env-pull requires BW_CLIENT_ID, BW_CLIENT_SECRET, and EZRA_BITWARDEN_MASTER_PW to already be available. Set them manually:

export BW_CLIENT_ID=user.10862d32-99fe-4e0c-b2e6-b41b016fedfc
export BW_CLIENT_SECRET=<from Karl or Bitwarden>
export EZRA_BITWARDEN_MASTER_PW=<master password>
just bw-env-pull

After pull succeeds, source .env to get all other credentials:

source .env

Reference

Variable                  Description
EZRA_EMAIL                ezra@karlvanderslice.com
EZRA_GMAIL_PW             Current Gmail password
EZRA_BITWARDEN_MASTER_PW  Bitwarden master password
BW_CLIENT_ID              Bitwarden API key client ID
BW_CLIENT_SECRET          Bitwarden API key client secret
BW_SESSION                Bitwarden session token (ephemeral)

Bitwarden organization ID: e811338f-5a1c-4a4e-9037-b417001b98f6
Collection (AI_Shared) ID: 97da177f-9e7f-434e-8647-b417001bb48f