#!/usr/bin/env bash
set -euo pipefail

# bw_env.sh - run a command with a fresh Bitwarden BW_SESSION, unlocked using the master password stored in the OS keyring
# Requires: secret-tool, bw
# Keyring entry: service=openclaw account=bw-bot (stores the bw-bot master password)

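# Validate the invocation before touching any secret, so a bare call never
# reads the keyring or unlocks the vault.
if [[ "$#" -lt 1 ]]; then
  echo "usage: $0 <command> [args...]" >&2
  exit 2
fi

# Fetch the master password from the keyring. It is held in a plain,
# non-exported shell variable so that it is not inherited by every child
# process this script starts.
bw_password="$(secret-tool lookup service openclaw account bw-bot)" || {
  echo "$0: could not read the bw-bot master password from the keyring" >&2
  exit 1
}
if [[ -z "$bw_password" ]]; then
  echo "$0: keyring returned an empty master password" >&2
  exit 1
fi

# Unlock to get a fresh session token (do NOT print it). BW_PASSWORD is set
# only in the environment of this single `bw unlock` process, which reads it
# via --passwordenv.
BW_SESSION="$(BW_PASSWORD="$bw_password" bw unlock --passwordenv BW_PASSWORD --raw)" || {
  unset bw_password BW_PASSWORD
  echo "$0: bw unlock failed" >&2
  exit 1
}

# Clear the master password immediately. BW_PASSWORD is unset as well so a
# value inherited from the caller's environment is not passed on either.
unset bw_password BW_PASSWORD

# An empty token would leave the wrapped command running against a locked
# vault; stop here instead.
if [[ -z "$BW_SESSION" ]]; then
  echo "$0: bw unlock returned an empty session token" >&2
  exit 1
fi
export BW_SESSION

# Optional: sync to ensure latest vault. Still best-effort, but a failure is
# reported on stderr because the command would then read a stale vault.
bw sync >/dev/null 2>&1 ||
  echo "$0: warning: bw sync failed; vault data may be stale" >&2

# Run the provided command. NOTE: BW_SESSION is exported, so the command and
# every process it spawns inherit the session token; wrap only trusted
# commands.
exec "$@"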
