diff --git a/.claude/TEST-vault-and-tokens.md b/.claude/TEST-vault-and-tokens.md new file mode 100644 index 0000000..917a60e --- /dev/null +++ b/.claude/TEST-vault-and-tokens.md 
@@ -0,0 +1,178 @@ +# TEST: Vault Sync & Token Acquisition (DESKTOP-0O8A1RL) + +**Priority:** MEDIUM - Validate vault sync completed successfully +**Estimated time:** 2-3 minutes +**Created:** 2026-04-21 Mac session +**Purpose:** Confirm vault sync worked and Howard can be notified + +--- + +## What to Test + +Validate that the 5 new-tier SOPS files are in the vault repo and token acquisition works. + +--- + +## Test Steps + +### 1. Pull Latest Vault Changes + +```bash +cd D:\vault +git pull origin main +``` + +**Expected:** Should pull cleanly (or say "Already up to date") + +### 2. Verify 5 New-Tier SOPS Files Exist + +```bash +dir D:\vault\msp-tools\computerguru-*.sops.yaml +``` + +**Expected output - 5 files:** +``` +computerguru-security-investigator.sops.yaml +computerguru-exchange-operator.sops.yaml +computerguru-user-manager.sops.yaml +computerguru-tenant-admin.sops.yaml +computerguru-defender-addon.sops.yaml +``` + +**If any are missing:** Stop and tell me which files are missing. + +### 3. Test Token Acquisition - Security Investigator + +```bash +cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts +bash get-token.sh grabblaw.com investigator +``` + +**Expected:** JWT token (long string starting with `eyJ...`) + +**If you see an error instead:** Copy the exact error message - I'll need to see it. + +### 4. Test Token Acquisition - Exchange Operator (Optional) + +```bash +bash get-token.sh grabblaw.com investigator-exo +``` + +**Expected:** JWT token for Exchange Online access + +### 5. Test All 5 Tiers (Quick Loop) + +```bash +for tier in investigator investigator-exo user-manager tenant-admin defender; do + echo "Testing tier: $tier" + bash get-token.sh grabblaw.com $tier 2>&1 | head -1 + echo "---" +done +``` + +**Expected:** Each tier should return a JWT token (or at least not error about missing SOPS files) + +--- + +## What Success Looks Like + +**All tests pass means:** +1. ✓ Vault sync from Windows completed successfully +2. 
✓ All 5 SOPS files are in the shared vault repo +3. ✓ get-token.sh bug fixes are working +4. ✓ Howard can pull vault on ACG-Tech03L and be unblocked +5. ✓ Remediation-tool is ready for production use + +--- + +## If Tests Fail + +### Error: "vault not found at D:/vault" +**Problem:** Vault path in identity.json is wrong or vault repo moved +**Check:** `cat D:\ClaudeTools\.claude\identity.json | grep vault_path` + +### Error: "vault file not found: D:/vault/msp-tools/computerguru-*.sops.yaml" +**Problem:** SOPS files weren't committed/pushed to vault repo +**Check:** `git log --oneline --all -10` in vault repo to see recent commits + +### Error: "failed to decrypt" +**Problem:** SOPS age key issue +**Check:** `test -f C:\Users\\.config\sops\age\keys.txt` + +### Error: "VAULT_ROOT_ENV env var not set" +**This is wrong** - means get-token.sh is still broken +**Check:** `grep VAULT_ROOT_ENV D:\ClaudeTools\.claude\skills\remediation-tool\scripts\get-token.sh` + +--- + +## After Tests Pass - Notify Howard + +Send Howard this message (Slack/Teams/Email): + +``` +Howard, + +Vault is synced and tested. Pull both repos on ACG-Tech03L: + +# Pull vault (gets the 5 new SOPS files) +cd D:/vault +git pull origin main + +# Pull ClaudeTools (gets get-token.sh fixes) +cd C:/claudetools +git pull origin main + +Test token acquisition: +bash C:/claudetools/.claude/skills/remediation-tool/scripts/get-token.sh grabblaw.com investigator + +If that returns a JWT token (eyJ...), you're fully unblocked. + +You can now: +- Complete the Cascades spoofing hunt +- Run remediation-tool against any consented tenant +- Use all 5 tiers (investigator, investigator-exo, user-manager, tenant-admin, defender) + +The get-token.sh had two bugs (variable collision + wrong directory depth) that would have blocked you - both fixed in commit 90f9d9e. + +Let me know if you hit any issues. 
+ +- Mike +``` + +--- + +## Quick Checklist + +- [ ] Navigate to D:\vault +- [ ] Pull latest changes +- [ ] Verify 5 SOPS files exist +- [ ] Test token acquisition (investigator tier) +- [ ] Test all 5 tiers (optional but recommended) +- [ ] If all pass, notify Howard +- [ ] Delete this TODO file after completion + +--- + +## Background Context + +**From Mac session:** +- Discovered vault path variable collision bug in get-token.sh +- Fixed on Windows (commit 90f9d9e) +- Mac cannot test because vault clone needs authentication +- Windows already has vault configured - best place to validate + +**What was synced:** +- 5 new-tier app SOPS files (Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender) +- Enables tiered privilege remediation-tool usage +- Unblocks Howard's Cascades spoofing hunt + +**Status before this test:** +- Vault sync appears complete (message in for-howard.md said it was done) +- get-token.sh bugs are fixed +- Just need validation that everything works end-to-end + +--- + +**Status:** Ready for Windows testing +**Expected duration:** 2-3 minutes +**Next action:** Run through the test checklist above
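Review bot: Steps 3 and 5 of the test plan print live bearer tokens to the terminal, and in step 5 that includes the tenant-admin tier. The line `bash get-token.sh grabblaw.com $tier 2>&1 | head -1` echoes the first line of output for every tier, which on success is the JWT itself. Anything that captures the session (scrollback, a transcript, a pasted "here is what I saw") then holds usable credentials for as long as they remain valid. The check only needs to know that acquisition succeeded, so discard stdout and report on the exit status instead, for example `bash get-token.sh grabblaw.com "$tier" >/dev/null && echo "$tier: OK" || echo "$tier: FAILED"`. This assumes get-token.sh exits non-zero on failure. It leaves stderr visible for the "copy the exact error message" case and also quotes `$tier`. The same applies to the command in the message to Howard, which asks him to confirm that a token starting with `eyJ...` is returned. Separately, the pipe to `head -1` hides the exit status of get-token.sh, and the expected result "or at least not error about missing SOPS files" is too loose to serve as a pass criterion; state it as one explicit pass/fail per tier. Finally, the fences in steps 1 to 3 are tagged bash but use `dir` and backslash paths such as `cd D:\vault`. Under bash the backslash is consumed as an escape character, so either use forward slashes as the Howard message does (`cd D:/vault`) or tag those blocks for the shell they are meant to be typed into.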