diff --git a/docs/superpowers/specs/2026-03-18-vaultwarden-design.md b/docs/superpowers/specs/2026-03-18-vaultwarden-design.md index 6c4a1a7..8a28424 100644 --- a/docs/superpowers/specs/2026-03-18-vaultwarden-design.md +++ b/docs/superpowers/specs/2026-03-18-vaultwarden-design.md @@ -11,10 +11,25 @@ Add Vaultwarden (a lightweight Bitwarden-compatible password manager) as a NixOS - Admin panel enabled - No email functionality needed +## Module Header Comment + +```nix +# Vaultwarden Module (Podman) +# Provides: Bitwarden-compatible password manager +# +# Usage: +# myModules.vaultwarden = { +# enable = true; +# port = 8222; +# websocketPort = 3012; +# domain = "vault.example.com"; +# }; +``` + ## Module Options ```nix -myModules.vaultwarden = { +options.myModules.vaultwarden = { enable = lib.mkEnableOption "Vaultwarden password manager"; domain = lib.mkOption { 
@@ -54,16 +69,46 @@ myModules.vaultwarden = { ### Nginx Integration -The module adds the domain to `myModules.nginx.domains` with: -- Main location `/` → proxy to HTTP port +The module adds the domain to `myModules.nginx.domains` with WebSocket support via `extraConfig`: + +```nix +myModules.nginx.domains = { + "${cfg.domain}" = { + port = cfg.port; + extraConfig = '' + location /notifications/hub { + proxyPass http://127.0.0.1:${toString cfg.websocketPort}; + proxyHttpVersion 1.1; + proxySetHeader Upgrade $http_upgrade; + proxySetHeader Connection "upgrade"; + } + ''; + }; +}; +``` + +This configures: +- Main location `/` → proxy to HTTP port (handled by nginx module) - WebSocket location `/notifications/hub` → proxy to WebSocket port with upgrade headers ### Secrets -One secret required in `secrets/secrets.yaml`: -- `vaultwarden_admin_token` - Token for accessing the admin panel at `/admin` +**SOPS secret declaration** (in configuration.nix): +```nix +sops.secrets.vaultwarden_admin_token = { }; +``` -SOPS template `vaultwarden.env` will inject the admin token. +**SOPS template** (in configuration.nix): +```nix +sops.templates."vaultwarden.env" = { + content = '' + ADMIN_TOKEN=${config.sops.placeholder.vaultwarden_admin_token} + ''; +}; +``` + +**Secret required** in `secrets/secrets.yaml`: +- `vaultwarden_admin_token` - Token for accessing the admin panel at `/admin` ## Files to Create/Modify @@ -71,7 +116,7 @@ SOPS template `vaultwarden.env` will inject the admin token. |------|--------| | `modules/vaultwarden.nix` | Create - new module | | `modules/default.nix` | Modify - add import | -| `configuration.nix` | Modify - enable module and add secrets | +| `configuration.nix` | Modify - enable module, add sops.secrets, add sops.templates | | `secrets/secrets.yaml` | Modify - add admin token (manual) | ## Usage
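Review bot: the nginx `extraConfig` block in the Nginx Integration hunk uses camelCase directive names (`proxyPass`, `proxyHttpVersion`, `proxySetHeader`) inside a raw nginx config string, but nginx directives are spelled with underscores, so `nginx -t` will reject this location block and the `/notifications/hub` WebSocket route will never come up. Since `extraConfig` is passed through verbatim rather than being a NixOS attribute set, the lines should read `proxy_pass http://127.0.0.1:${toString cfg.websocketPort};`, `proxy_http_version 1.1;` and `proxy_set_header Upgrade $http_upgrade;` / `proxy_set_header Connection "upgrade";`. On the same hunk, the `sops.templates."vaultwarden.env"` content injects `ADMIN_TOKEN` as a bare value; Vaultwarden also accepts an Argon2 PHC-format hash in `ADMIN_TOKEN`, so the spec could recommend storing the hashed form in `secrets/secrets.yaml` so the plaintext admin token never sits in the rendered env file on disk.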
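Review bot: the new Module Header Comment in the first hunk shows enabling the module with only `port`, `websocketPort` and `domain`, but the later Secrets section makes `vaultwarden_admin_token` in `secrets/secrets.yaml` plus the `sops.secrets` and `sops.templates` entries in `configuration.nix` a hard prerequisite. Add one line to the header comment pointing at that requirement (for example `# Requires: sops secret vaultwarden_admin_token (see Secrets section)`) so someone copying the usage snippet does not end up with an admin panel whose token is unset. The `myModules.vaultwarden` to `options.myModules.vaultwarden` correction in the same hunk looks right.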