sync: auto-sync from GURU-KALI at 2026-05-26 19:41:06

Author: Mike Swanson
Machine: GURU-KALI
Timestamp: 2026-05-26 19:41:06
This commit is contained in:
2026-05-26 19:41:06 -07:00
parent e0dd370934
commit 15de6a7cf2
15 changed files with 64 additions and 39 deletions

View File

@@ -9,9 +9,10 @@ For every `op` CLI invocation, source `OP_SERVICE_ACCOUNT_TOKEN` from `infrastru
**Why:** Mike confirmed 2026-04-30 — "the prompts are infuriating." Service account auth is the standard CI/agent pattern documented in the 1password skill but I had been defaulting to the desktop session.
**How to apply:**
Vault path is per-machine from `.claude/identity.json` `vault_path` — never hardcode it. Reach the entry via the wrapper:
```bash
SVC_TOKEN=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null \
| grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
SVC_TOKEN=$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/1password-service-account.sops.yaml credential 2>/dev/null | head -1)
# Pass through env var to every op call
OP_SERVICE_ACCOUNT_TOKEN="$SVC_TOKEN" op item get ...
@@ -19,7 +20,13 @@ OP_SERVICE_ACCOUNT_TOKEN="$SVC_TOKEN" op item get ...
export OP_SERVICE_ACCOUNT_TOKEN="$SVC_TOKEN"
```
The `vault.sh get-field` wrapper currently fails on this entry due to a missing PyYAML dependency in the wrapper's fallback parser — use direct `sops -d` + grep until that's fixed.
If the `vault.sh get-field` wrapper fails on this entry (it has historically tripped on a missing PyYAML dependency in the fallback parser), fall back to a direct `sops -d` + grep on the same entry. Resolve the vault root from identity.json rather than hardcoding it, e.g.:
```bash
VAULT_PATH=$(python3 -c "import json;print(json.load(open('$CLAUDETOOLS_ROOT/.claude/identity.json'))['vault_path'])")
SVC_TOKEN=$(sops -d "$VAULT_PATH/infrastructure/1password-service-account.sops.yaml" 2>/dev/null \
| grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
```
**Vaults the service account can see** (per 2026-04-30 test): Clients, Infrastructure, Internal Sites, Managed Websites, MSP Tools, Projects, Sorting. (The Private vault is intentionally not shared with the service account.)