Migrate credentials to 1Password: 58 items across 4 vaults

- Created 4 new vaults: Infrastructure (16), Clients (27), Projects (10), MSP Tools (5)
- Replaced credentials.md with op:// reference version (no plaintext secrets)
- Updated CLAUDE.md with 1Password access instructions for all workstations
- Service account (Agentic_Cli) for non-interactive CLI access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 13:46:48 -07:00
parent d95251d880
commit 0ca5b2b73d
3 changed files with 315 additions and 1024 deletions


@@ -39,9 +39,9 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
## Key Rules
- **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
- **No hardcoded credentials** - Use encrypted storage
- **No hardcoded credentials** - Use 1Password (`op read "op://Vault/Item/field"`) or encrypted storage
- **SSH:** Use system OpenSSH (on Windows: `C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
- **Data integrity:** Never use placeholder/fake data. Check credentials.md or ask user.
- **Data integrity:** Never use placeholder/fake data. Check credentials.md (op:// refs) or 1Password or ask user.
- **Full coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
---
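Review bot: The replacement `**No hardcoded credentials**` line keeps `or encrypted storage` as a second sanctioned location for secrets, while the `**Data integrity**` line now directs agents to `credentials.md (op:// refs) or 1Password or ask user`; since the point of this commit is that secrets live only in 1Password, say what "encrypted storage" still covers (or drop the fallback) so an agent does not treat a local encrypted file as an equally valid place to write a new credential. Suggested: `- **No hardcoded credentials** - Use 1Password (`op read "op://Vault/Item/field"`); no secrets in files`.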
@@ -57,10 +57,23 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
## Context Recovery
When user references previous work, use `/context` command. Never ask user for info in:
- `credentials.md` - All infrastructure credentials (UNREDACTED)
- `credentials.md` - Infrastructure reference with `op://` paths (secrets in 1Password)
- `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
- `SESSION_STATE.md` - Project history
### 1Password Credential Access
Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clients**, **Projects**, **MSP Tools**.
**To read a secret:** `op read "op://VaultName/ItemTitle/field_name"`
**Service account (non-interactive):** Set `OP_SERVICE_ACCOUNT_TOKEN` env var. Token stored in `op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential`. The service account has Read & Write on all 4 vaults (except Projects which is read-only -- use desktop app auth for Projects writes).
**Setup on new machines:**
1. Install 1Password CLI: https://developer.1password.com/docs/cli/get-started/
2. Sign in: `op signin` (or use desktop app integration)
3. For non-interactive use, add to shell config: `set -gx OP_SERVICE_ACCOUNT_TOKEN "token_value"`
---
## Commands & Skills
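Review bot: Step 3 of **Setup on new machines** tells the reader to paste the service-account token into shell config (`set -gx OP_SERVICE_ACCOUNT_TOKEN "token_value"`), which puts a long-lived credential with Read & Write on three vaults back into a plaintext file on every workstation, the pattern this commit removes from `credentials.md`. Prefer resolving it at shell start through the desktop-app session (`op read "op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential"`), or, where the file is unavoidable, state its required permissions and that the token must be revoked and reissued if a machine is lost. Separately, "Read & Write on all 4 vaults (except Projects which is read-only ...)" contradicts itself; write "Read & Write on Infrastructure, Clients and MSP Tools; read-only on Projects".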
@@ -69,7 +82,8 @@ When user references previous work, use `/context` command. Never ask user for i
|---------|---------|
| `/checkpoint` | Dual checkpoint: git commit + database context |
| `/save` | Comprehensive session log (credentials, decisions, changes) |
| `/context` | Search session logs and credentials.md |
| `/context` | Search session logs, credentials.md, and 1Password |
| `/1password` | 1Password secrets management integration |
| `/sync` | Sync config from Gitea repository |
| `/create-spec` | Create app specification for AutoCoder |
| `/frontend-design` | Modern frontend design patterns (auto-invoke after UI changes) |
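Review bot: The `/context` row now says it searches 1Password, and the `/save` row above it logs "credentials" into the session log; the table should state whether `/context` returns only item titles and `op://` references or resolved secret values, because in the latter case a `/save` after a `/context` lookup would write plaintext secrets into `session-logs/` and undo the migration. If lookups are reference-only, say so: `Search session logs, credentials.md, and 1Password (item titles / op:// refs only)`.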

File diff suppressed because it is too large.


@@ -231,3 +231,57 @@ joser's phone immediately stopped prompting for MDM after re-adding the Lonestar
- `/home/guru/ClaudeTools/.claude/commands/1password.md` -- NEW, 1Password slash command for Claude Code
- `/home/guru/ClaudeTools/.claude/skills/1password/scripts/` -- NEW, extracted helper scripts (check_setup.sh, store_secret.sh, env_from_op.sh, store-mcp-credentials.sh, launch-in-terminal.sh)
- `/home/guru/ClaudeTools/.claude/skills/1password/references/` -- NEW, extracted reference docs (secret_references.md, integrations.md, op_commands.md)
---
## Update: 1Password Credentials Migration
### Summary
Migrated all credentials from plaintext credentials.md into 1Password. Created 58 items across 4 new vaults. Replaced credentials.md with op:// reference version.
### 1Password Vaults Created
| Vault | Items | Contents |
|-------|-------|----------|
| Infrastructure | 16 | Servers (GuruRMM, Jupiter, IX, pfSense, etc.), services (Gitea, NPM, Seafile, Cloudflare, Matomo), service account token |
| Clients | 27 | Neptune, Dataforth infra (ESXi, AD1/AD2, D2TESTNAS, UDM, PBX), M365 tenants (MVAN, BG Builders, CW Concrete, Dataforth, heieck), VWP, Khalsa, Scileppi, Lonestar, Peaceful Spirit VPN, Grabb & Durando |
| Projects | 10 | ClaudeTools (DB, encryption key, API auth), GuruRMM (dashboard, DB, API, Entra SSO, CI/CD, Glaztech), GuruConnect DB |
| MSP Tools | 5 | Syncro, Autotask, CIPP, Claude-MSP-Access (Graph API), ACG-MSP-Access (Google Workspace) |
### Service Account
- **Name:** Agentic_Cli
- **Token stored:** op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential
- **Access:** Read & Write on Infrastructure, Clients, MSP Tools. **Read-only on Projects** (immutable after creation -- needs new SA to fix)
- **Usage:** `export OP_SERVICE_ACCOUNT_TOKEN="token"` then `op read "op://..."` without biometric
- **Note:** Service account permissions are immutable after creation. To change, must delete and recreate.
### Key Decisions
- **Vault organization:** MSP-oriented (Infrastructure/Clients/Projects/MSP Tools) rather than per-client
- **credentials.md strategy:** Replaced with op:// references -- file stays as documentation, actual secrets only in 1Password
- **Service account:** Created for non-interactive CLI access, avoids biometric prompt on every op command
- **Backup:** Original credentials.md saved as credentials.md.bak (to be deleted after verification)
### 1Password CLI Notes
- **Version:** 2.32.1
- **Account:** mike@azcomputerguru.com (my.1password.com)
- **Desktop app integration:** Prompts for biometric auth every CLI call (10min timeout)
- **Service account:** Bypasses biometric entirely via OP_SERVICE_ACCOUNT_TOKEN env var
- **Service account limitations:** Cannot access Private vault, permissions immutable after creation
- **Fish config (CachyOS):** Add `set -gx OP_SERVICE_ACCOUNT_TOKEN "token"` to ~/.config/fish/config.fish
### Credentials Referenced
- 1Password CLI: op (v2.32.1)
- Service Account Token: ops_eyJ... (stored in 1Password itself)
- All credentials from original credentials.md (58 items total)
### Files Changed
- `credentials.md` -- Replaced with op:// reference version (no plaintext secrets)
- `credentials.md.bak` -- Backup of original plaintext version (DELETE after verification)
- `.claude/CLAUDE.md` -- Updated with 1Password access instructions, /1password skill reference
- `credentials.op.md` -- Intermediate draft (merged into credentials.md)
### Pending/Incomplete
1. **Projects vault write access** -- Service account has read-only. Needs new SA with write perms to fix.
2. **Other machines setup** -- Install op CLI + set OP_SERVICE_ACCOUNT_TOKEN on Mac and Windows workstations
3. **Fish config** -- Add OP_SERVICE_ACCOUNT_TOKEN to ~/.config/fish/config.fish on CachyOS
4. **Delete credentials.md.bak** -- After verifying all op:// refs resolve correctly
5. **launch-in-terminal.sh** -- Needs Linux adaptation (currently macOS-only osascript)
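Review bot: Nothing in this log addresses that the 1024 lines deleted from `credentials.md` (the suppressed diff) remain in git history, so every secret migrated here is still recoverable from the repository; **Pending/Incomplete** should add either rotating the affected credentials or purging the history, and until one of those is done the repository must still be treated as holding plaintext secrets. Related: `credentials.md.bak` is a plaintext copy in the working tree and belongs in `.gitignore` before the verification pass, and the `Service Account Token: ops_eyJ...` line under **Credentials Referenced** should not carry even a prefix of the token in a committed log (the `op://` path on the line above it is enough). Minor: the `**Access:**` and `**Note:**` bullets under **Service Account** both state that permissions are immutable after creation; one is enough.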