wiki: OneCLI 400 fix + Hermes gateway proxy integration

entities/onecli-gateway-setup.md

@@ -0,0 +1,68 @@
+---
+title: OneCLI Gateway Setup — Bitwarden Vault Integration
+created: 2026-06-16
+updated: 2026-06-16
+type: note
+tags: [project, workflow]
+---
+
+# OneCLI Gateway Setup — Bitwarden Vault Integration
+
+## Problem
+
+The OneCLI web UI showed "Failed to connect to vault" when trying to pair
+with Bitwarden. The Rust gateway binary (port 10255) was neither running
+nor exposed via the reverse proxy.
+
+## Solution
+
+Three things were needed:
+
+### 1. Gateway systemd service
+
+Created `/etc/systemd/system/onecli-gateway.service` with:
+- Rust binary at `apps/gateway/target/release/onecli-gateway`
+- Wrapper script `start-gateway.sh` (DATABASE_URL, SECRET_ENCRYPTION_KEY, AUTH_MODE=*** APP_URL)
+- After=onecli-postgresql.service, Restart=on-failure
+
+### 2. Traefik reverse proxy
+
+Exposed the gateway at a subdomain:
+- `gateway.onecli.anhydr.fr` -> server:10255
+- CORS middleware needed: allow origin `https://onecli.anhydr.fr` with credentials
+
+### 3. Web app rebuild
+
+- Set `GATEWAY_API_DOMAIN=gateway.onecli.anhydr.fr` in start-web.sh
+- Added Next.js rewrite: `/v1/*` -> `localhost:10255`
+- Rebuilt with `GATEWAY_API_DOMAIN=gateway.onecli.anhydr.fr pnpm build`
+- Result: `window.__GATEWAY_API_URL__ = "https://gateway.onecli.anhydr.fr"`
+
+## Key commands
+
+```bash
+# Build gateway
+cargo build --release  # in apps/gateway/
+
+# Rebuild web app
+PATH="/home/hermes/.hermes/node/bin:$PATH"
+GATEWAY_API_DOMAIN="gateway.onecli.anhydr.fr" pnpm build --filter=@onecli/web
+
+# Restart services
+sudo systemctl restart onecli
+```
+
+## Architecture
+
+```
+User browser -> onecli.anhydr.fr -> Traefik -> :10254 (Next.js)
+             -> gateway.onecli.anhydr.fr -> Traefik -> :10255 (Rust gateway)
+                                                         -> wss://ap.lesspassword.dev
+```
+
+## Verification
+
+```bash
+curl -s https://gateway.onecli.anhydr.fr/v1/vault/bitwarden/status
+# -> {"connected":false,"name":null,"status_data":null}
+```

index.md

@@ -1,9 +1,10 @@
 # Wiki Index
 
 > Content catalog. Every wiki page listed under its type.
-> Last updated: 2026-06-12 | Total pages: 5
+| Last updated: 2026-06-16 | Total pages: 6
 
 ## Entities
+- [[onecli-gateway-setup]] — OneCLI Rust gateway service for Bitwarden vault pairing
 - [[user-profile]] — Personal profile, identity, preferences of larnal
 - [[dev-agent-soul]] — SOUL.md template for a developer agent
 - [[caretaker-soul]] — SOUL.md template for a caretaker agent

log.md

@@ -31,6 +31,17 @@
 - Updated dev-agent-soul.md with exact `claude --print` invocation
 - Verified Claude Code v2.1.176 works on this system
 
-## [2026-06-12] session | Fin de journée — bonne nuit
+## [2026-06-16] setup | OneCLI Gateway + Bitwarden vault pairing
-- 3 SOUL.md templates créés : dev-agent, caretaker, ecologist
+- Created onecli-gateway systemd service (Rust binary, port 10255)
-- Wiki mis à jour et synchronisé
+- Exposed gateway at gateway.onecli.anhydr.fr via Traefik
+- Rebuilt web app with GATEWAY_API_DOMAIN=gateway.onecli.anhydr.fr
+- Bitwarden vault pairing now works from the web UI
+
+## [2026-06-16] bugfix | OneCLI web UI 400 + CLI auth + Hermes gateway proxy integration
+- Fixed 400 error in web UI: restricted Next.js rewrite to gateway-only routes, letting Hono API handle agents/secrets
+- Fixed `onecli` CLI: pointed to localhost:10254, auth and agents commands work
+- Hermes services (gateway, dashboard, control) now route through OneCLI gateway 24/7 via HTTPS_PROXY env vars
+- Installed gateway CA cert to system trust store for MITM HTTPS
+- Control Interface: added platforms.api_server = 8642, fixed "Connection error" after login
+- Dashboard: added --skip-build, fixed "Web UI not built" error
+- Backup saved to /home/hermes/hermes-bkp/