Skip to content

Environment Setup

All runtime configuration lives in a single .env file at the repo root. The easiest way to get it is to pull it from the team's Vaultwarden instance using the bundled script.


Prerequisites

The Bitwarden CLI is included as a local dependency — no global install needed.

pnpm install

One-time: create your API key in Vaultwarden

You need an API key (not your password) to authenticate non-interactively.

  1. Open your Vaultwarden instance in the browser.
  2. Click your avatar → Account SettingsSecurityAPI Key tab.
  3. Click View API Key and re-enter your master password when prompted.
  4. Note down the three values shown:
Value Maps to
client_id BW_CLIENTID
client_secret BW_CLIENTSECRET
Your master password BW_PASSWORD

One-time: create your credentials file

cp .bw-credentials.example .bw-credentials

Open .bw-credentials and fill in the four values:

BW_SERVER=https://vault.peecai-csee.com
BW_CLIENTID=user.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
BW_CLIENTSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
BW_PASSWORD=your-master-password

.bw-credentials is gitignored — it will never be committed.


Fetch the .env

pnpm fetch-env --credentials .bw-credentials

This will:

  1. Log out of any existing Bitwarden session.
  2. Configure the CLI to point at the team's Vaultwarden instance.
  3. Log in using your API key.
  4. Unlock the vault with your master password.
  5. Sync the latest vault data.
  6. Fetch the secure note named peec-ai-env.
  7. Write its contents to .env in the repo root.
  8. Log out.

Run this command again any time the team updates the shared secrets.


Verify

# Should print all keys without any blank required values
grep -v '^#' .env | grep -v '^$'

Then start the stack:

docker compose up -d --build   # local Docker
# or
pnpm dev                       # local without Docker (uses apps/*/.env)

Manual setup (no Vaultwarden access)

If you do not have access to Vaultwarden, copy the example and fill in values manually:

cp .env.example .env

Open .env and fill in at minimum:

Variable Where to get it
POSTGRES_PASSWORD Choose any local password
OPENAI_API_KEY platform.openai.com/api-keys
FIREBASE_SERVICE_ACCOUNT_BASE64 Firebase Console → Project Settings → Service Accounts → Generate new private key, then base64 -w0 key.json
LANGFUSE_PUBLIC_KEY / LANGFUSE_SECRET_KEY Langfuse project settings (optional — only needed for observability)

All other variables have working defaults for local development.


Updating shared secrets

When you change a secret that the whole team needs:

  1. Update the peec-ai-env secure note in Vaultwarden.
  2. Tell the team to re-run pnpm fetch-env --credentials .bw-credentials.