docs: vault sync validation test for Windows PC

Step-by-step test to validate: - 5 SOPS files are in vault repo - Token acquisition works for all tiers - Howard can be notified to pull Includes Howard notification message template. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-21 19:30:19 -07:00
parent 4bb5dd937b
commit 2484075f6f
1 changed files with 178 additions and 0 deletions
--- a/.claude/TEST-vault-and-tokens.md
+++ b/.claude/TEST-vault-and-tokens.md
@@ -0,0 +1,178 @@
 # TEST: Vault Sync & Token Acquisition (DESKTOP-0O8A1RL)
 **Priority:** MEDIUM - Validate vault sync completed successfully
 **Estimated time:** 2-3 minutes
 **Created:** 2026-04-21 Mac session
 **Purpose:** Confirm vault sync worked and Howard can be notified
 ---
 ## What to Test
 Validate that the 5 new-tier SOPS files are in the vault repo and token acquisition works.
 ---
 ## Test Steps
 ### 1. Pull Latest Vault Changes
 ```bash
 cd D:\vault
 git pull origin main
 ```
 **Expected:** Should pull cleanly (or say "Already up to date")
 ### 2. Verify 5 New-Tier SOPS Files Exist
 ```bash
 dir D:\vault\msp-tools\computerguru-*.sops.yaml
 ```
 **Expected output - 5 files:**
 ```
 computerguru-security-investigator.sops.yaml
 computerguru-exchange-operator.sops.yaml
 computerguru-user-manager.sops.yaml
 computerguru-tenant-admin.sops.yaml
 computerguru-defender-addon.sops.yaml
 ```
 **If any are missing:** Stop and tell me which files are missing.
 ### 3. Test Token Acquisition - Security Investigator
 ```bash
 cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts
 bash get-token.sh grabblaw.com investigator
 ```
 **Expected:** JWT token (long string starting with `eyJ...`)
 **If you see an error instead:** Copy the exact error message - I'll need to see it.
 ### 4. Test Token Acquisition - Exchange Operator (Optional)
 ```bash
 bash get-token.sh grabblaw.com investigator-exo
 ```
 **Expected:** JWT token for Exchange Online access
 ### 5. Test All 5 Tiers (Quick Loop)
 ```bash
 for tier in investigator investigator-exo user-manager tenant-admin defender; do
    echo "Testing tier: $tier"
    bash get-token.sh grabblaw.com $tier 2>&1 | head -1
    echo "---"
 done
 ```
 **Expected:** Each tier should return a JWT token (or at least not error about missing SOPS files)
 ---
 ## What Success Looks Like
 **All tests pass means:**
 1. ✓ Vault sync from Windows completed successfully
 2. ✓ All 5 SOPS files are in the shared vault repo
 3. ✓ get-token.sh bug fixes are working
 4. ✓ Howard can pull vault on ACG-Tech03L and be unblocked
 5. ✓ Remediation-tool is ready for production use
 ---
 ## If Tests Fail
 ### Error: "vault not found at D:/vault"
 **Problem:** Vault path in identity.json is wrong or vault repo moved
 **Check:** `cat D:\ClaudeTools\.claude\identity.json | grep vault_path`
 ### Error: "vault file not found: D:/vault/msp-tools/computerguru-*.sops.yaml"
 **Problem:** SOPS files weren't committed/pushed to vault repo
 **Check:** `git log --oneline --all -10` in vault repo to see recent commits
 ### Error: "failed to decrypt"
 **Problem:** SOPS age key issue
 **Check:** `test -f C:\Users\<username>\.config\sops\age\keys.txt`
 ### Error: "VAULT_ROOT_ENV env var not set"
 **This is wrong** - means get-token.sh is still broken
 **Check:** `grep VAULT_ROOT_ENV D:\ClaudeTools\.claude\skills\remediation-tool\scripts\get-token.sh`
 ---
 ## After Tests Pass - Notify Howard
 Send Howard this message (Slack/Teams/Email):
 ```
 Howard,
 Vault is synced and tested. Pull both repos on ACG-Tech03L:
 # Pull vault (gets the 5 new SOPS files)
 cd D:/vault
 git pull origin main
 # Pull ClaudeTools (gets get-token.sh fixes)
 cd C:/claudetools
 git pull origin main
 Test token acquisition:
 bash C:/claudetools/.claude/skills/remediation-tool/scripts/get-token.sh grabblaw.com investigator
 If that returns a JWT token (eyJ...), you're fully unblocked.
 You can now:
 - Complete the Cascades spoofing hunt
 - Run remediation-tool against any consented tenant
 - Use all 5 tiers (investigator, investigator-exo, user-manager, tenant-admin, defender)
 The get-token.sh had two bugs (variable collision + wrong directory depth) that would have blocked you - both fixed in commit 90f9d9e.
 Let me know if you hit any issues.
 - Mike
 ```
 ---
 ## Quick Checklist
 - [ ] Navigate to D:\vault
 - [ ] Pull latest changes
 - [ ] Verify 5 SOPS files exist
 - [ ] Test token acquisition (investigator tier)
 - [ ] Test all 5 tiers (optional but recommended)
 - [ ] If all pass, notify Howard
 - [ ] Delete this TODO file after completion
 ---
 ## Background Context
 **From Mac session:**
 - Discovered vault path variable collision bug in get-token.sh
 - Fixed on Windows (commit 90f9d9e)
 - Mac cannot test because vault clone needs authentication
 - Windows already has vault configured - best place to validate
 **What was synced:**
 - 5 new-tier app SOPS files (Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender)
 - Enables tiered privilege remediation-tool usage
 - Unblocks Howard's Cascades spoofing hunt
 **Status before this test:**
 - Vault sync appears complete (message in for-howard.md said it was done)
 - get-token.sh bugs are fixed
 - Just need validation that everything works end-to-end
 ---
 **Status:** Ready for Windows testing
 **Expected duration:** 2-3 minutes
 **Next action:** Run through the test checklist above