Environment Setup
All runtime configuration lives in a single .env file at the repo root.
The easiest way to get it is to pull it from the team's Vaultwarden instance using the bundled script.
Prerequisites
The Bitwarden CLI is included as a local dependency — no global install needed.
pnpm install
One-time: create your API key in Vaultwarden
You need an API key (not your password) to authenticate non-interactively.
- Open your Vaultwarden instance in the browser.
- Click your avatar → Account Settings → Security → API Key tab.
- Click View API Key and re-enter your master password when prompted.
- Note down the three values shown:
| Value | Maps to |
|---|---|
client_id |
BW_CLIENTID |
client_secret |
BW_CLIENTSECRET |
| Your master password | BW_PASSWORD |
One-time: create your credentials file
cp .bw-credentials.example .bw-credentials
Open .bw-credentials and fill in the four values:
BW_SERVER=https://vault.peecai-csee.com
BW_CLIENTID=user.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
BW_CLIENTSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
BW_PASSWORD=your-master-password
.bw-credentials is gitignored — it will never be committed.
Fetch the .env
pnpm fetch-env --credentials .bw-credentials
This will:
- Log out of any existing Bitwarden session.
- Configure the CLI to point at the team's Vaultwarden instance.
- Log in using your API key.
- Unlock the vault with your master password.
- Sync the latest vault data.
- Fetch the secure note named
peec-ai-env. - Write its contents to
.envin the repo root. - Log out.
Run this command again any time the team updates the shared secrets.
Verify
# Should print all keys without any blank required values
grep -v '^#' .env | grep -v '^$'
Then start the stack:
docker compose up -d --build # local Docker
# or
pnpm dev # local without Docker (uses apps/*/.env)
Manual setup (no Vaultwarden access)
If you do not have access to Vaultwarden, copy the example and fill in values manually:
cp .env.example .env
Open .env and fill in at minimum:
| Variable | Where to get it |
|---|---|
POSTGRES_PASSWORD |
Choose any local password |
OPENAI_API_KEY |
platform.openai.com/api-keys |
FIREBASE_SERVICE_ACCOUNT_BASE64 |
Firebase Console → Project Settings → Service Accounts → Generate new private key, then base64 -w0 key.json |
LANGFUSE_PUBLIC_KEY / LANGFUSE_SECRET_KEY |
Langfuse project settings (optional — only needed for observability) |
All other variables have working defaults for local development.
Updating shared secrets
When you change a secret that the whole team needs:
- Update the
peec-ai-envsecure note in Vaultwarden. - Tell the team to re-run
pnpm fetch-env --credentials .bw-credentials.