diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index dffddac..7bc6aeb 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -173,14 +173,23 @@ When user references previous work, use `/context` command. Never ask for info i ### Credential Access (SOPS Vault) +Always resolve vault path portably — never hardcode `D:/vault`: + ```bash -bash D:/vault/scripts/vault.sh search "keyword" # Search without decrypting -bash D:/vault/scripts/vault.sh get-field # Get specific field -bash D:/vault/scripts/vault.sh get # Decrypt full entry -bash D:/vault/scripts/vault.sh list # List all entries +VAULT_SH="" +for _c in "D:/vault/scripts/vault.sh" "$HOME/vault/scripts/vault.sh" "/d/vault/scripts/vault.sh" "$HOME/.vault/scripts/vault.sh"; do + [[ -f "$_c" ]] && VAULT_SH="$_c" && break +done +[[ -z "$VAULT_SH" ]] && { echo "ERROR: vault not found" >&2; exit 1; } + +bash "$VAULT_SH" search "keyword" # Search without decrypting +bash "$VAULT_SH" get-field # Get specific field +bash "$VAULT_SH" get # Decrypt full entry +bash "$VAULT_SH" list # List all entries ``` -Vault repo: `D:\vault` — structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/` +Vault repo: cloned at `D:\vault` (Windows) or `~/vault` (Mac/Linux) — set `VAULT_PATH` env var to override. +Structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/` **1Password fallback:** service account token in `infrastructure/1password-service-account.sops.yaml` diff --git a/.claude/commands/syncro.md b/.claude/commands/syncro.md index ecd063c..8d37d0a 100644 --- a/.claude/commands/syncro.md +++ b/.claude/commands/syncro.md 
@@ -30,13 +30,21 @@ When invoked, use the Syncro REST API via `curl`. All requests include `?api_key ### Get API key ```bash -API_KEY=$(bash D:/vault/scripts/vault.sh get-field msp-tools/syncro.sops.yaml credentials.credential) +# Portable vault resolver — works on Windows (D:/vault), Mac (~/.vault or ~/vault), Linux +VAULT_SH="" +for _c in "D:/vault/scripts/vault.sh" "$HOME/vault/scripts/vault.sh" "/d/vault/scripts/vault.sh" "$HOME/.vault/scripts/vault.sh"; do + [[ -f "$_c" ]] && VAULT_SH="$_c" && break +done +[[ -z "$VAULT_SH" ]] && { echo "ERROR: vault.sh not found" >&2; exit 1; } + +API_KEY=$(bash "$VAULT_SH" get-field msp-tools/syncro.sops.yaml credentials.credential) BASE="https://computerguru.syncromsp.com/api/v1" ``` If `vault.sh get-field` fails (yq not installed), fall back to: ```bash -API_KEY=$(sops -d D:/vault/msp-tools/syncro.sops.yaml | py -c "import sys,yaml; print(yaml.safe_load(sys.stdin)['credentials']['credential'])") +VAULT_ROOT=$(dirname "$(dirname "$VAULT_SH")") +API_KEY=$(sops -d "$VAULT_ROOT/msp-tools/syncro.sops.yaml" | py -c "import sys,yaml; print(yaml.safe_load(sys.stdin)['credentials']['credential'])") ``` ### Endpoints reference diff --git a/.claude/skills/remediation-tool/scripts/get-token.sh b/.claude/skills/remediation-tool/scripts/get-token.sh index ed22f93..6e0c0b1 100644 --- a/.claude/skills/remediation-tool/scripts/get-token.sh +++ b/.claude/skills/remediation-tool/scripts/get-token.sh 
@@ -81,12 +81,13 @@ if [[ -f "$CACHE_FILE" ]] && [[ $(find "$CACHE_FILE" -mmin -55 2>/dev/null) ]];
 exit 0
 fi
 
-# Locate vault repo
+# Locate vault repo — candidates cover Windows (D:/vault), Git Bash (/d/vault),
+# Mac/Linux ($HOME/vault), and optional override via VAULT_PATH env var.
 VAULT_ROOT=""
-for candidate in "D:/vault" "$HOME/vault" "/d/vault"; do
- [[ -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
+for candidate in "${VAULT_PATH:-}" "D:/vault" "$HOME/vault" "/d/vault" "$HOME/.vault"; do
+ [[ -n "$candidate" && -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
 done
-[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: SOPS vault not found (tried D:/vault ~/vault /d/vault)" >&2; exit 3; }
+[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: SOPS vault not found (tried D:/vault ~/vault /d/vault ~/.vault; set VAULT_PATH to override)" >&2; exit 3; }
 
 SOPS_FILE="$VAULT_ROOT/$VAULT_PATH"
 [[ ! -f "$SOPS_FILE" ]] && { echo "ERROR: vault file not found: $SOPS_FILE" >&2; exit 3; }
diff --git a/.claude/skills/remediation-tool/scripts/patch-tenant-admin-manifest.sh b/.claude/skills/remediation-tool/scripts/patch-tenant-admin-manifest.sh
index 03159c6..5218c75 100644
--- a/.claude/skills/remediation-tool/scripts/patch-tenant-admin-manifest.sh
+++ b/.claude/skills/remediation-tool/scripts/patch-tenant-admin-manifest.sh
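Review bot: The new override candidate `"${VAULT_PATH:-}"` reuses a name this script already uses for something else — two lines below, the context line `SOPS_FILE="$VAULT_ROOT/$VAULT_PATH"` treats `VAULT_PATH` as the encrypted file's path relative to the vault root. If `VAULT_PATH` is assigned earlier in the script (outside this hunk) the exported override can never take effect, and if a user exports it as the documented override, `SOPS_FILE` resolves to `<override>/<override>` and the script exits 3 with "vault file not found". Give the override its own variable, e.g. `for candidate in "${VAULT_ROOT_OVERRIDE:-}" "D:/vault" "$HOME/vault" "/d/vault" "$HOME/.vault"; do`, and update the error text here and the CLAUDE.md hunk that documents `VAULT_PATH` as the override name. Separately, an override that is set but does not point at an existing directory is silently skipped and the loop falls back to the default locations, so secrets would be read from a vault the operator did not intend; failing fast when the override is non-empty but not a directory would be safer, both here and in the identical loop in patch-tenant-admin-manifest.sh.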
@@ -18,10 +18,10 @@ GRAPH_RESOURCE_APP_ID="00000003-0000-0000-c000-000000000000"
 ROLE_MGMT_PERMISSION_ID="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
 
 VAULT_ROOT=""
-for candidate in "D:/vault" "$HOME/vault" "/d/vault"; do
- [[ -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
+for candidate in "${VAULT_PATH:-}" "D:/vault" "$HOME/vault" "/d/vault" "$HOME/.vault"; do
+ [[ -n "$candidate" && -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
 done
-[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] SOPS vault not found (tried D:/vault ~/vault /d/vault)" >&2; exit 3; }
+[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] SOPS vault not found (tried D:/vault ~/vault /d/vault ~/.vault; set VAULT_PATH to override)" >&2; exit 3; }
 
 # ── Step 1: Get Management app client secret ──────────────────────────────────
 echo "[INFO] Reading Management app secret from vault..."
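Review bot: The candidate loop and its error line are now a verbatim copy of the one in get-token.sh, differing only in the `[ERROR]` prefix, and the same candidate list appears a third and fourth time in the CLAUDE.md and syncro.md snippets. Any future change to the search order or to the override variable has to be made in four places, and the copies have already diverged: the two markdown snippets do not consult the override at all. Moving the resolver into a single helper script under the skill's scripts directory that both shell scripts source, with `VAULT_ROOT` as its one output, would keep them in step; the helper's error message could then also print the candidates it actually tried instead of a hard-coded list that must be edited whenever the loop changes.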