sync: auto-sync from GURU-5070 at 2026-05-26 14:02:23

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 14:02:23

.claude/memory/feedback_vault_pointer_for_teammates.md

@@ -0,0 +1,15 @@
+---
+name: Point vault-access teammates at the SOPS path, don't transcribe
+description: When relaying infra/credential info to Howard (or any teammate with vault access), hand over the SOPS vault path and let them decrypt — don't transcribe the entry's fields into the message
+type: feedback
+---
+
+When sending infra, service, or credential details to a teammate via coord messages (or any shared channel), point them at the SOPS vault path (e.g. `services/azure-trusted-signing.sops.yaml`) rather than transcribing the entry's fields into the message body.
+
+**Why:** Mike, 2026-05-26. Howard has full vault access. I composed a GuruScan signing note to Howard that re-typed a dozen non-secret fields from the Trusted Signing vault entry; Mike's note: "He has vault access, you could just point him at sops for that." Transcribing is redundant work, bloats the message, and risks drift from the source of truth — the vault entry is canonical and self-updating.
+
+**How to apply:**
+- Give the vault path + the one or two anchors needed to act (e.g. "wrapper at `C:\tools\trusted-signing\sign.ps1` on Pluto; full details in `services/azure-trusted-signing.sops.yaml`").
+- Let the teammate `sops -d` / `vault.sh get` the rest themselves.
+- Still never paste secrets into shared channels regardless — but for vault-access teammates, the default is "here's the path," not "here's the contents."
+- This applies to teammates with vault access (Howard, Mike). For someone without vault access, transcribe the non-secret fields they need.