tsafe_bitwarden/lib.rs
//! Bitwarden cloud-pull integration for tsafe.
//!
//! # E2E Encryption — bw CLI approach
//!
//! Bitwarden REST API ciphers are always E2E encrypted client-side. Even when
//! authenticated with a `client_credentials` machine token (`api.organization`
//! scope), the `/api/sync` response contains `encryptedString` blobs for every
//! field value. Decrypting them requires the Bitwarden client-side SDK plus the
//! vault key material: the user's symmetric key, which is unwrapped with a key
//! derived from the master password, and (for organization items) the
//! organization key that it in turn protects. Neither is available to a
//! headless API caller that holds only the machine token.
//!
//! This crate therefore delegates to the `bw` CLI subprocess, which performs
//! the decryption locally after `bw unlock --passwordenv <VAR>`. This is the
//! same pattern used by `tsafe op-pull` (1Password CLI delegation).
//!
//! ## Auth flow
//!
//! 1. `BW_CLIENTID=$id BW_CLIENTSECRET=$secret bw login --apikey`
//!    (the CLI reads the API key from those two environment variables)
//! 2. `bw unlock --passwordenv TSAFE_BW_PASSWORD --raw` → `BW_SESSION` token
//!    (`--raw` prints only the session key instead of the interactive banner)
//! 3. `BW_SESSION=<token> bw list items [--folderid <id>]`
//! 4. `bw lock` (cleanup; non-fatal)
//!
//! Secrets are handed to `bw` only through the environment, never on the
//! command line: argv is visible to every local user via `ps`, whereas a
//! process's environment is readable only by the same user and root. The JSON
//! printed by step 3 is plaintext vault content and must not be logged.
//!
//! ## Configuration
//!
//! | Env var                   | Purpose                                      |
//! |---------------------------|----------------------------------------------|
//! | `TSAFE_BW_CLIENT_ID`      | Bitwarden API client ID                      |
//! | `TSAFE_BW_CLIENT_SECRET`  | Bitwarden API client secret                  |
//! | `TSAFE_BW_PASSWORD`       | Master password for `bw unlock`              |
//! | `TSAFE_BW_API_URL`        | API base URL (default: Bitwarden cloud)      |
//! | `TSAFE_BW_IDENTITY_URL`   | Identity base URL (default: Bitwarden cloud) |

pub mod config;
pub mod error;
pub mod sync;

pub use config::BitwConfig;
pub use error::BitwError;
pub use sync::{map_ciphers_to_kv, normalize_item_name, pull_items, BwCipher, BwField, BwLogin};
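The four-step auth flow in the module docs, written out as an added example of how a headless caller drives the `bw` CLI. This is not tsafe's own code (the crate's `sync::pull_items` is not shown on this page); `BwCreds`, the function names and the assumption that `bw` is on `PATH` are this example's own. The point it demonstrates is the one the docs make in passing: every secret (API key, master password, session key) reaches the subprocess via its environment, never via argv, and the session key printed by `bw unlock --raw` is validated before it is reused.

```rust
// Added example, not tsafe's own code. Builds and runs the bw CLI steps
// login -> unlock -> list items -> lock with all secrets kept out of argv.
use std::io;
use std::process::{Command, Stdio};

/// API key plus the *name* of the env var holding the master password
/// (`TSAFE_BW_PASSWORD` in the configuration table). Example type, not the crate's.
pub struct BwCreds {
    pub client_id: String,
    pub client_secret: String,
    pub password_env: String,
}

/// Base invocation: start from an empty environment and copy over only what the
/// CLI needs, so nothing else from the caller leaks into the subprocess.
/// `--nointeraction` makes bw fail instead of prompting when something is missing.
fn bw_command(bw: &str) -> Command {
    let mut cmd = Command::new(bw);
    cmd.env_clear();
    for var in ["HOME", "PATH", "BITWARDENCLI_APPDATA_DIR"].iter() {
        if let Ok(val) = std::env::var(var) {
            cmd.env(var, val);
        }
    }
    cmd.arg("--nointeraction").stdin(Stdio::null());
    cmd
}

/// Step 1: `bw login --apikey` reads BW_CLIENTID / BW_CLIENTSECRET from the environment.
pub fn login_command(bw: &str, creds: &BwCreds) -> Command {
    let mut cmd = bw_command(bw);
    cmd.args(["login", "--apikey"])
        .env("BW_CLIENTID", &creds.client_id)
        .env("BW_CLIENTSECRET", &creds.client_secret);
    cmd
}

/// Step 2: `bw unlock --passwordenv <VAR> --raw`; only the variable *name* is in argv.
pub fn unlock_command(bw: &str, creds: &BwCreds, master_password: &str) -> Command {
    let mut cmd = bw_command(bw);
    cmd.args(["unlock", "--passwordenv", creds.password_env.as_str(), "--raw"])
        .env(&creds.password_env, master_password);
    cmd
}

/// Parse `bw unlock --raw` output. Anything other than exactly one token is
/// rejected rather than forwarded as a "session key" to later commands.
pub fn parse_session(stdout: &[u8]) -> Result<String, String> {
    let text = std::str::from_utf8(stdout).map_err(|_| "session key is not UTF-8".to_string())?;
    let mut tokens = text.split_whitespace();
    let key = tokens.next().ok_or("bw unlock printed no session key")?;
    if tokens.next().is_some() {
        return Err("unexpected extra output from bw unlock".to_string());
    }
    Ok(key.to_string())
}

/// Step 3: the session goes in BW_SESSION, not in a `--session` argument.
pub fn list_items_command(bw: &str, session: &str, folder_id: Option<&str>) -> Command {
    let mut cmd = bw_command(bw);
    cmd.args(["list", "items"]);
    if let Some(id) = folder_id {
        cmd.args(["--folderid", id]);
    }
    cmd.env("BW_SESSION", session);
    cmd
}

/// Step 4: `bw lock`; the caller treats failure as non-fatal.
pub fn lock_command(bw: &str, session: &str) -> Command {
    let mut cmd = bw_command(bw);
    cmd.arg("lock").env("BW_SESSION", session);
    cmd
}

/// Run one command and return stdout on success. On failure only bw's stderr
/// message is surfaced; stdout (which may hold vault data) is discarded.
fn run_ok(mut cmd: Command) -> io::Result<Vec<u8>> {
    let out = cmd.stdout(Stdio::piped()).stderr(Stdio::piped()).output()?;
    if !out.status.success() {
        let msg = format!("bw exited with {}: {}", out.status, String::from_utf8_lossy(&out.stderr).trim());
        return Err(io::Error::new(io::ErrorKind::Other, msg));
    }
    Ok(out.stdout)
}

/// The full flow. The returned bytes are the plaintext `bw list items` JSON:
/// treat them as secret material and never log them.
pub fn pull(bw: &str, creds: &BwCreds, master_password: &str, folder_id: Option<&str>) -> io::Result<Vec<u8>> {
    // `bw login` errors if already logged in, so only log in when `bw login --check` fails.
    let mut check = bw_command(bw);
    check.args(["login", "--check"]);
    if run_ok(check).is_err() {
        run_ok(login_command(bw, creds))?;
    }
    let session = parse_session(&run_ok(unlock_command(bw, creds, master_password))?)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
    let items = run_ok(list_items_command(bw, &session, folder_id));
    let _ = lock_command(bw, &session).output(); // step 4: best effort
    items
}
```

`env_clear()` is the part people usually skip: without it the subprocess inherits the caller's whole environment, including any `BW_SESSION` left over from an interactive shell, which would silently reuse someone else's unlocked vault instead of the one this flow authenticated.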