Bunker OS ships aDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/SamBleed/opencode-obsidian/llms.txt
Use this file to discover all available pages before exploring further.
bin/ directory of shell scripts that cover the entire operational lifecycle of a vault: session management, health checks, integrity scans, evidence indexing, syncing, alerting, and ingest. Each script resolves its vault path through the BUNKER_HOME environment variable or falls back to the repo root, so they work whether you run them from inside the project or reference the vault from another project.
Environment Variable
Every script inbin/ uses this pattern to locate the vault root:
BUNKER_HOME first:
Scripts Reference
| Script | Usage | Description |
|---|---|---|
bunker.sh | ./bin/bunker.sh [init|save|refresh|close] | Session lifecycle orchestrator |
bunker-check.sh | ./bin/bunker-check.sh | Full local health check (definition of done) |
wiki-integrity.sh | ./bin/wiki-integrity.sh | Scan for orphans and broken links |
evidence-index.sh | ./bin/evidence-index.sh | Index evidence artifacts with SHA256 |
wiki-sync.sh | ./bin/wiki-sync.sh --apply | Sync and commit wiki changes |
bunker-ingest.sh | ./bin/bunker-ingest.sh [file] | CLI ingest trigger |
bunker-alert.sh | ./bin/bunker-alert.sh <target> <level> <msg> | Send alert via n8n Ultimate Alerter |
bunker-pulse.sh | ./bin/bunker-pulse.sh [--apply] | Triage bug memos from wiki/inbox |
setup-vault.sh | ./bin/setup-vault.sh | Initial vault setup |
setup-opencode.sh | ./bin/setup-opencode.sh | OpenCode configuration setup |
audit-repo.sh | ./bin/audit-repo.sh | Trivy security scan → JSON report |
bunker-scaffold.sh | ./bin/bunker-scaffold.sh | Scaffold vault structure |
bunker-push.sh | ./bin/bunker-push.sh | Push vault to remote |
bunker-github-setup.sh | ./bin/bunker-github-setup.sh | Configure GitHub integration |
setup-multi-agent.sh | ./bin/setup-multi-agent.sh | Multi-agent configuration |
bunker.sh — Session Lifecycle Orchestrator
bunker.sh is the top-level orchestrator for session management. It accepts four subcommands:
init — Start a session
Reads
wiki/hot.md and the latest handover. Sets STATUS: READ_HOT_AND_HANDOVER so the agent knows the context window is primed.save — Checkpoint mid-session
Calls
wiki-sync.sh to stage and commit current changes. Use this to checkpoint long sessions without closing them.refresh — Re-read core context
Re-reads
wiki/hot.md, wiki/index.md, and ADRs. Sets STATUS: RE-READING_HOT_INDEX_AND_ADRS. Use after a context compaction or long gap.bunker-check.sh — Definition of Done
bunker-check.sh is the authoritative health check. It runs every pre-push check the vault needs to pass. Run it before pushing to confirm the vault is clean.
Bash Syntax
Runs
bash -n on every script in bin/ to verify they parse without errors.Go Ingest Server Build
Attempts
go build on bin/ingest_server.go. Skipped gracefully if go is not installed.Forbidden Config File
Checks that
.obsidian/plugins/obsidian-local-rest-api/data.json is not present in shared artifacts (it must stay local).Hard-coded Path Check
Scans
bin/, README.md, and core docs for any hard-coded legacy vault paths that should be replaced with BUNKER_HOME.Evidence Index
Confirms
wiki/meta/evidence-index.md and wiki/meta/evidence-manifest.json both exist.Wiki Integrity
Calls
wiki-integrity.sh to regenerate the full integrity report and confirm it exits cleanly.1 if any section fails and prints a summary:
wiki-integrity.sh — Vault Integrity Scanner
This script generates both a Markdown and a JSON integrity report without modifying any wiki content (only the report files are written).wiki/meta/INTEGRITY-REPORT.md— human-readable summarywiki/meta/INTEGRITY-REPORT.json— machine-readable full report
| Check | Description |
|---|---|
| Broken links | Wikilinks whose targets cannot be resolved in the vault |
| Orphan notes | Pages with zero incoming wikilinks (excluding index.md, hot.md, log.md) |
| Short notes | Active pages under 30 lines (configurable via BUNKER_SHORT_NOTE_LIMIT) |
| Missing frontmatter | Pages without a --- ... --- frontmatter block |
| Unprocessed raw | Files in .raw/ not mentioned in the ingestion log |
| Plugin drift | Declared vs. installed Obsidian plugins divergence |
| Sensitive files | Local data.json plugin configs or .env files that leaked into the vault |
| Absolute path refs | Files referencing hard-coded local paths |
evidence-index.sh — SHA256 Artifact Indexing
This script indexes evidence artifacts (report.zip, security-audit-report.json) by computing SHA256 checksums and writing structured metadata.
wiki/meta/evidence-index.md— Markdown index with hashes and sizeswiki/meta/evidence-manifest.json— JSON manifest with full artifact metadata
BUNKER_HOME and never modifies the original artifacts.
wiki-sync.sh — Safe Commit Helper
wiki-sync.sh stages and commits wiki changes. It defaults to dry-run — pass --apply to actually create the commit.
The commit stages:
wiki/, _templates/, bin/, docs/, *.md, .gitignore, .obsidian/community-plugins.json, and the Local REST API plugin’s SECURITY-NOTE.md and data.example.json. The wiki/ directory itself is not gitignored — individual sensitive files within it may be.bunker-ingest.sh — CLI Ingest Trigger
Copies a local file to.raw/ and triggers the ingestion pipeline via bunker-alert.sh.
- Copies the file to
.raw/ - Fires an
INFOalert to the n8n Ultimate Alerter webhook with aNUEVA FUENTE DETECTADAmessage - Returns — the agent picks up the source from
.raw/and processes it
bunker-alert.sh — n8n Alert Webhook
Sends an alert payload to the n8n Ultimate Alerter webhook athttp://localhost:5678/webhook/bunker-security-alert.
Content-Type: application/json. The script exits with code 1 if the HTTP response is outside the 2xx range.
bunker-pulse.sh — Bug Memo Triage
Triages bug memos fromwiki/inbox/ — any file with type: bug or tags: [bug] in frontmatter. In dry-run mode it previews what would happen; --apply creates real GitHub branches, issues, and draft PRs via the gh CLI.
Ingest Server (bin/ingest_server.go)
The compiled binarybin/ingest_server is an HTTP server written in Go that receives ingest requests over HTTP.
- Binds to
127.0.0.1:9090by default — never0.0.0.0 - Accepts an optional
BUNKER_INGEST_TOKENenvironment variable; if set, all requests must pass it viaX-Bunker-TokenorAuthorization: Bearer <token> - Body size is capped at 10 MiB (
maxBodyBytes = 10 << 20) - Slugifies filenames to
[a-zA-Z0-9-], max 80 characters
Related Pages
Testing
The test suite that validates every script for syntax, shebang, executables, and secrets.
BM25 Retrieval
Python retrieval scripts that complement the shell toolchain.
Security
Security model, secrets policy, and ingest server hardening.
Hooks
OpenCode lifecycle hooks that call wiki-sync and auto-commit.