diff --git a/.claude/URGENT-vault-path-bug.md b/.claude/URGENT-vault-path-bug.md new file mode 100644 index 0000000..238c7ba --- /dev/null +++ b/.claude/URGENT-vault-path-bug.md 
@@ -0,0 +1,217 @@ +# URGENT: Vault Path Variable Collision Bug + +**Date:** 2026-04-21 +**Severity:** CRITICAL - Blocks all remediation-tool usage +**Affected:** All machines (DESKTOP-0O8A1RL, ACG-Tech03L, Mikes-MacBook-Air) +**Discovered on:** Mikes-MacBook-Air during vault wrapper testing + +--- + +## TL;DR for Windows Laptop + +**BEFORE doing Howard's vault sync task, fix this bug first:** + +The recent vault portability changes introduced a variable name collision in `get-token.sh` that breaks token acquisition on all machines. + +**Quick fix (2 minutes):** +1. Open `.claude/skills/remediation-tool/scripts/get-token.sh` +2. Rename the `VAULT_PATH` environment variable to `VAULT_ROOT_ENV` +3. Test: `./get-token.sh grabblaw.com investigator` +4. If working, commit fix and push +5. THEN proceed with Howard's vault sync task + +--- + +## Bug Details + +### Root Cause + +**Variable name collision in get-token.sh around line 87-95:** + +```bash +# PROBLEM: VAULT_PATH is used for TWO different things + +# Line ~40-70: VAULT_PATH stores the SOPS file relative path +case "$TIER" in + investigator) + CLIENT_ID="bfbc12a4-f0dd-4e12-b06d-997e7271e10c" + VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml" # <-- SOPS file path + SCOPE_URL="https://graph.microsoft.com/.default" + ;; + ... +esac + +# Line ~87-95: VAULT_PATH is ALSO used as environment variable for vault root +VAULT_ROOT="${VAULT_PATH:-}" # <-- BUG: This gets the SOPS path, not the vault root! +if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then + for py in py python3 python; do + if command -v "$py" >/dev/null 2>&1; then + VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break + fi + done +fi +``` + +**Result:** `VAULT_ROOT` gets set to `msp-tools/computerguru-security-investigator.sops.yaml` instead of the vault directory path. 
+ +### Observed Failure + +```bash +$ ./get-token.sh cascadestucson.com investigator + +ERROR: vault not found at msp-tools/computerguru-security-investigator.sops.yaml + (check vault_path in /Users/azcomputerguru/ClaudeTools/.claude/identity.json) +``` + +The script is checking if `msp-tools/computerguru-security-investigator.sops.yaml` exists as a directory, which fails. + +--- + +## Remediation Steps + +### Step 1: Fix Variable Name Collision + +**File:** `.claude/skills/remediation-tool/scripts/get-token.sh` + +**Find (around line 87):** +```bash +VAULT_ROOT="${VAULT_PATH:-}" +``` + +**Replace with:** +```bash +VAULT_ROOT="${VAULT_ROOT_ENV:-}" +``` + +**And update the error message (around line 95):** +```bash +[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; exit 3; } +``` + +**Purpose:** Separates the SOPS file path variable (`VAULT_PATH`) from the vault root override environment variable (now `VAULT_ROOT_ENV`). + +### Step 2: Add vault_path to identity.json + +**File:** `.claude/identity.json` (on DESKTOP-0O8A1RL) + +**Add this field:** +```json +{ + "user": "mike", + "full_name": "Mike Swanson", + "email": "mike@azcomputerguru.com", + "role": "admin", + "machine": "DESKTOP-0O8A1RL", + "vault_path": "D:/vault" +} +``` + +**On ACG-Tech03L (Howard's machine), the path is likely:** +```json +"vault_path": "D:/vault" +``` + +**On Mikes-MacBook-Air (if vault is cloned later):** +```json +"vault_path": "/Users/azcomputerguru/vault" +``` + +### Step 3: Test the Fix + +**On DESKTOP-0O8A1RL:** +```bash +cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts + +# Test with a fully onboarded tenant +bash get-token.sh grabblaw.com investigator + +# Should output a JWT token (long string starting with eyJ...) +# Or at least get past the vault path error +``` + +**Expected success output:** +``` +eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6... +``` + +**If still failing, check:** +1. 
Is `D:/vault/scripts/vault.sh` present? +2. Does `D:/vault/msp-tools/computerguru-security-investigator.sops.yaml` exist? +3. Is SOPS configured with the correct age key? + +### Step 4: Commit and Sync + +```bash +cd D:\ClaudeTools + +git add .claude/skills/remediation-tool/scripts/get-token.sh +git commit -m "fix: vault path variable collision in get-token.sh + +Renamed VAULT_PATH env var to VAULT_ROOT_ENV to avoid collision with +the SOPS file path variable. Fixes token acquisition on all machines. + +Bug discovered during Mac testing 2026-04-21. + +Co-Authored-By: Claude Sonnet 4.5 " + +git push origin main +``` + +### Step 5: Notify Howard + +Once fixed and pushed, tell Howard to: +1. Pull ClaudeTools: `cd C:\ClaudeTools && git pull` +2. Add `vault_path` to his `.claude/identity.json` +3. Test: `bash get-token.sh grabblaw.com investigator` + +--- + +## After This Fix - Original Vault Sync Task + +**THEN proceed with Howard's vault sync request:** + +1. Navigate to `D:\vault` +2. Verify 5 new-tier SOPS files exist in `D:\vault\msp-tools\` +3. Git add, commit, push to vault repo +4. Notify Howard to pull vault on ACG-Tech03L + +--- + +## Why This Happened + +The recent portability improvements (commits 0a7cd6b and a86df11) added per-machine vault path support via `identity.json`. The implementation correctly updated `.claude/scripts/vault.sh` but inadvertently created a variable name collision in `get-token.sh` by reusing `VAULT_PATH` for both: +- The SOPS file relative path (existing usage) +- The environment variable override (new usage) + +This is a regression introduced in the last 2 commits from DESKTOP-0O8A1RL. 
+ +--- + +## Testing Checklist + +After applying the fix: + +- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator` +- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator-exo` +- [ ] All 5 tiers work: investigator, investigator-exo, user-manager, tenant-admin, defender +- [ ] Vault wrapper works: `bash .claude/scripts/vault.sh list` +- [ ] Howard can pull and test on ACG-Tech03L (after vault sync) +- [ ] Mac can test once vault is cloned there + +--- + +## Impact Assessment + +**Blocked operations until fixed:** +- All remediation-tool token acquisition +- All breach checks via remediation-tool skill +- Howard's Cascades spoofing hunt (double-blocked: this bug + missing SOPS files) +- Any tenant investigation work + +**Urgency:** Fix immediately before attempting vault sync task. + +--- + +**Created:** 2026-04-21 19:10 (Mac session) +**Status:** URGENT - Needs Windows laptop remediation +**Next session:** Read this file first, apply fix, test, commit, then do vault sync
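Review bot: the Step 1 fix only renames the override in `get-token.sh` (`VAULT_ROOT="${VAULT_ROOT_ENV:-}"`), but the "Why This Happened" section says the same portability commits also wired the per-machine vault root into `.claude/scripts/vault.sh`; if that wrapper still reads `VAULT_PATH` as its environment override, the two scripts will now disagree on the override variable name and an exported `VAULT_ROOT_ENV` will satisfy one and not the other. Either rename consistently in both scripts or state in Step 1 that `vault.sh` uses a different mechanism, and add a Testing Checklist item that exercises the override explicitly (`VAULT_ROOT_ENV=/path/to/vault bash get-token.sh ...`) rather than only the `identity.json` lookup, since nothing in the checklist currently covers the renamed variable. Separately, the `identity.json` fallback interpolates `$IDENTITY_FILE` directly into the Python source string (`open('$IDENTITY_FILE')`), so a path containing a single quote or backslash (plausible on the Windows machines listed) breaks the one-liner and the `2>/dev/null` hides why; passing the path via `sys.argv` or reading it from the environment inside the snippet avoids that.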