Purge residual .vault_pass references (review R1-R5)

Point ADR-005, the new-host runbook, CONTRIBUTING, and AGENTS at the
rbw/Vaultwarden flow instead of a .vault_pass file. Also record the cron-section
idea in docs/TODO.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

AGENTS.md

@@ -12,8 +12,8 @@ only designed — much of the ADR-described design is not built yet.
 - **Never edit generated files** (e.g. `inventories/*/hosts.yml`). Edit the source
   (`terraform/environments/<env>/main.tf`) and regenerate with `make tf-inventory`.
   Generated files carry a header saying so.
-- **Secrets only in `vault.yml`** files — never plaintext elsewhere. Never read,
+- **Secrets only in `vault.yml`** files — never plaintext elsewhere. The master
-  print, or commit `.vault_pass`.
+  vault password comes from Vaultwarden via `rbw`; never print or commit it.
 - **No `make deploy` / `make tf-apply`** without running `make check` / `make tf-plan`
   first and showing the output.
 - **Before deleting or overwriting a file you did not create, read it first** and

CONTRIBUTING.md

@@ -29,8 +29,9 @@ Always use `make new-role NAME=<name>` to scaffold — never create structure by
 
 ## Secrets
 
-Vault password is shared via a secure channel (password manager).
+The master vault password lives in Vaultwarden; `rbw` fetches it on demand via
-Never commit `.vault_pass`. Never put secrets in non-`vault.yml` files.
+`scripts/vault-pass-client.sh` (run `rbw unlock` once per session). Never put
+secrets in any file other than `vault.yml`.
 
 See `docs/runbooks/rotate-secrets.md` for rotation procedures.
 

docs/TODO.md

@@ -42,3 +42,9 @@
 - [ ] Scheduled work
 - /review-repo maybe as claude -p via cron every two weeks?
 - Sanity checks: does a photoprism have its pictures? are email services recieving and sending?
+- Cron "section": a declarative way for the repo to own which cronjobs are active on a
+  host, enforced by Ansible. Sketch (deferred until we have hosts): a `scheduled_jobs`
+  role reading a `scheduled_jobs__jobs` list from group_vars/host_vars, rendered via a
+  managed /etc/cron.d file. Open Qs: general role vs control-node-only; prune
+  undeclared jobs (repo authoritative) vs additive; validate headless email + that
+  cron's env has the `claude` CLI. The /review-repo fortnightly job is the first entry.

docs/decisions/005-bootstrapping.md

@@ -62,7 +62,9 @@ exception to Terraform-owned VM existence (see ADR-009). The control node requir
    cd ~/ansible
    make setup        # creates venv, installs deps
    make collections  # installs Ansible collections
-   cp /secure/location/.vault_pass ~/ansible/.vault_pass
+   # set up rbw + unlock so the vault password resolves from Vaultwarden
+   # (one-time, per docs/runbooks/rotate-secrets.md)
+   rbw login && rbw unlock
    ```
 3. After that, the control node can manage all other hosts normally
 

docs/runbooks/new-host.md

@@ -3,7 +3,7 @@
 ## Prerequisites
 
 - Proxmox VM template exists (Debian 13 cloud-init image — see below if not)
-- You have the vault password (`.vault_pass`)
+- `rbw` is installed and unlocked (`rbw unlock`) so the vault password resolves from Vaultwarden
 - The host's intended hostname and IP are decided
 
 ---
@@ -126,8 +126,8 @@ qm set <VMID> --memory 2048 --cores 2 \
 qm start <VMID>
 ```
 
-Then set up the Ansible environment on it (`make setup`, `make collections`, place
+Then set up the Ansible environment on it (`make setup`, `make collections`, set up
-`.vault_pass`) per ADR-005, and add it to `inventories/<env>/hosts.yml` under the
+`rbw` and `rbw unlock`) per ADR-005, and add it to `inventories/<env>/hosts.yml` under the
 `control` group. Because the control node is not in `local.vms`, this is the only
 case where editing `hosts.yml` by hand is expected — every other host comes from
 `make tf-inventory`.