docs: URGENT bug report - vault path variable collision in get-token.sh

Critical bug discovered during Mac vault testing. Variable name collision
breaks token acquisition on all machines.

Fix required before proceeding with Howard's vault sync task.

Read .claude/URGENT-vault-path-bug.md on Windows laptop for remediation steps.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.claude/URGENT-vault-path-bug.md

@@ -0,0 +1,217 @@
+# URGENT: Vault Path Variable Collision Bug
+
+**Date:** 2026-04-21
+**Severity:** CRITICAL - Blocks all remediation-tool usage
+**Affected:** All machines (DESKTOP-0O8A1RL, ACG-Tech03L, Mikes-MacBook-Air)
+**Discovered on:** Mikes-MacBook-Air during vault wrapper testing
+
+---
+
+## TL;DR for Windows Laptop
+
+**BEFORE doing Howard's vault sync task, fix this bug first:**
+
+The recent vault portability changes introduced a variable name collision in `get-token.sh` that breaks token acquisition on all machines.
+
+**Quick fix (2 minutes):**
+1. Open `.claude/skills/remediation-tool/scripts/get-token.sh`
+2. Rename the `VAULT_PATH` environment variable to `VAULT_ROOT_ENV`
+3. Test: `./get-token.sh grabblaw.com investigator`
+4. If working, commit fix and push
+5. THEN proceed with Howard's vault sync task
+
+---
+
+## Bug Details
+
+### Root Cause
+
+**Variable name collision in get-token.sh around line 87-95:**
+
+```bash
+# PROBLEM: VAULT_PATH is used for TWO different things
+
+# Line ~40-70: VAULT_PATH stores the SOPS file relative path
+case "$TIER" in
+  investigator)
+    CLIENT_ID="bfbc12a4-f0dd-4e12-b06d-997e7271e10c"
+    VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml"  # <-- SOPS file path
+    SCOPE_URL="https://graph.microsoft.com/.default"
+    ;;
+  ...
+esac
+
+# Line ~87-95: VAULT_PATH is ALSO used as environment variable for vault root
+VAULT_ROOT="${VAULT_PATH:-}"  # <-- BUG: This gets the SOPS path, not the vault root!
+if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
+  for py in py python3 python; do
+    if command -v "$py" >/dev/null 2>&1; then
+      VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
+    fi
+  done
+fi
+```
+
+**Result:** `VAULT_ROOT` gets set to `msp-tools/computerguru-security-investigator.sops.yaml` instead of the vault directory path.
+
+### Observed Failure
+
+```bash
+$ ./get-token.sh cascadestucson.com investigator
+
+ERROR: vault not found at msp-tools/computerguru-security-investigator.sops.yaml
+       (check vault_path in /Users/azcomputerguru/ClaudeTools/.claude/identity.json)
+```
+
+The script is checking if `msp-tools/computerguru-security-investigator.sops.yaml` exists as a directory, which fails.
+
+---
+
+## Remediation Steps
+
+### Step 1: Fix Variable Name Collision
+
+**File:** `.claude/skills/remediation-tool/scripts/get-token.sh`
+
+**Find (around line 87):**
+```bash
+VAULT_ROOT="${VAULT_PATH:-}"
+```
+
+**Replace with:**
+```bash
+VAULT_ROOT="${VAULT_ROOT_ENV:-}"
+```
+
+**And update the error message (around line 95):**
+```bash
+[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; exit 3; }
+```
+
+**Purpose:** Separates the SOPS file path variable (`VAULT_PATH`) from the vault root override environment variable (now `VAULT_ROOT_ENV`).
+
+### Step 2: Add vault_path to identity.json
+
+**File:** `.claude/identity.json` (on DESKTOP-0O8A1RL)
+
+**Add this field:**
+```json
+{
+  "user": "mike",
+  "full_name": "Mike Swanson",
+  "email": "mike@azcomputerguru.com",
+  "role": "admin",
+  "machine": "DESKTOP-0O8A1RL",
+  "vault_path": "D:/vault"
+}
+```
+
+**On ACG-Tech03L (Howard's machine), the path is likely:**
+```json
+"vault_path": "D:/vault"
+```
+
+**On Mikes-MacBook-Air (if vault is cloned later):**
+```json
+"vault_path": "/Users/azcomputerguru/vault"
+```
+
+### Step 3: Test the Fix
+
+**On DESKTOP-0O8A1RL:**
+```bash
+cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts
+
+# Test with a fully onboarded tenant
+bash get-token.sh grabblaw.com investigator
+
+# Should output a JWT token (long string starting with eyJ...)
+# Or at least get past the vault path error
+```
+
+**Expected success output:**
+```
+eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...
+```
+
+**If still failing, check:**
+1. Is `D:/vault/scripts/vault.sh` present?
+2. Does `D:/vault/msp-tools/computerguru-security-investigator.sops.yaml` exist?
+3. Is SOPS configured with the correct age key?
+
+### Step 4: Commit and Sync
+
+```bash
+cd D:\ClaudeTools
+
+git add .claude/skills/remediation-tool/scripts/get-token.sh
+git commit -m "fix: vault path variable collision in get-token.sh
+
+Renamed VAULT_PATH env var to VAULT_ROOT_ENV to avoid collision with
+the SOPS file path variable. Fixes token acquisition on all machines.
+
+Bug discovered during Mac testing 2026-04-21.
+
+Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"
+
+git push origin main
+```
+
+### Step 5: Notify Howard
+
+Once fixed and pushed, tell Howard to:
+1. Pull ClaudeTools: `cd C:\ClaudeTools && git pull`
+2. Add `vault_path` to his `.claude/identity.json`
+3. Test: `bash get-token.sh grabblaw.com investigator`
+
+---
+
+## After This Fix - Original Vault Sync Task
+
+**THEN proceed with Howard's vault sync request:**
+
+1. Navigate to `D:\vault`
+2. Verify 5 new-tier SOPS files exist in `D:\vault\msp-tools\`
+3. Git add, commit, push to vault repo
+4. Notify Howard to pull vault on ACG-Tech03L
+
+---
+
+## Why This Happened
+
+The recent portability improvements (commits 0a7cd6b and a86df11) added per-machine vault path support via `identity.json`. The implementation correctly updated `.claude/scripts/vault.sh` but inadvertently created a variable name collision in `get-token.sh` by reusing `VAULT_PATH` for both:
+- The SOPS file relative path (existing usage)
+- The environment variable override (new usage)
+
+This is a regression introduced in the last 2 commits from DESKTOP-0O8A1RL.
+
+---
+
+## Testing Checklist
+
+After applying the fix:
+
+- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator`
+- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator-exo`
+- [ ] All 5 tiers work: investigator, investigator-exo, user-manager, tenant-admin, defender
+- [ ] Vault wrapper works: `bash .claude/scripts/vault.sh list`
+- [ ] Howard can pull and test on ACG-Tech03L (after vault sync)
+- [ ] Mac can test once vault is cloned there
+
+---
+
+## Impact Assessment
+
+**Blocked operations until fixed:**
+- All remediation-tool token acquisition
+- All breach checks via remediation-tool skill
+- Howard's Cascades spoofing hunt (double-blocked: this bug + missing SOPS files)
+- Any tenant investigation work
+
+**Urgency:** Fix immediately before attempting vault sync task.
+
+---
+
+**Created:** 2026-04-21 19:10 (Mac session)
+**Status:** URGENT - Needs Windows laptop remediation
+**Next session:** Read this file first, apply fix, test, commit, then do vault sync