From cc4e7169d484ed422a12d06f9f7dacc92d05c6cd Mon Sep 17 00:00:00 2001
From: TaprootFreak <142087526+TaprootFreak@users.noreply.github.com>
Date: Sat, 16 May 2026 15:27:47 +0200
Subject: [PATCH] fix(entrypoint): skip bw config server, only verify URL
 matches

bw refuses `config server <url>` while logged in. The host's copied bw
data is already logged into VAULT_SERVER_URL, so we replace the setter
call with a getter+compare. Containers were crash-looping on dfxdev with
"Logout required before server config update" until the fix.
---
 entrypoint.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 7ed051d..2f7ed37 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -34,8 +34,13 @@ if [ "${VAULT_FETCH_GUARD_KEY:-false}" = "true" ]; then
 	cp -r "$VAULT_BW_DATA_DIR"/* "$BW_RUNTIME_DIR"/ 2>/dev/null || true
 	export BITWARDENCLI_APPDATA_DIR="$BW_RUNTIME_DIR"
 
-	echo "entrypoint: configuring bw server $VAULT_SERVER_URL"
-	bw config server "$VAULT_SERVER_URL" > /dev/null
+	# bw refuses `config server` while logged in, so we never call it: the host's copied
+	# data is already logged into the right server. Verify the URL matches before we proceed.
+	CURRENT_SERVER="$(bw config server 2>/dev/null | tr -d '\n' || true)"
+	if [ -n "$CURRENT_SERVER" ] && [ "$CURRENT_SERVER" != "$VAULT_SERVER_URL" ]; then
+		echo "entrypoint: bw data dir is logged into '$CURRENT_SERVER' but VAULT_SERVER_URL='$VAULT_SERVER_URL'" >&2
+		exit 1
+	fi
 
 	echo "entrypoint: unlocking vault"
 	BW_PASSWORD="$(cat "$VAULT_PASSWORD_FILE")"