docs: Mac vault readiness test results

Tested vault access capability on Mac. Found multiple blockers:
- SOPS not installed
- age not installed
- age key not configured
- vault repo not cloned (git auth blocked)

Documents what would be required vs. recommendation to skip Mac setup.

Windows already validated - all 5 tiers working.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.claude/MAC-vault-readiness-test.md

@@ -0,0 +1,197 @@
+# Mac Vault Readiness Test Results
+
+**Date:** 2026-04-21
+**Machine:** Mikes-MacBook-Air.local
+**Purpose:** Test vault access capability for remediation-tool
+
+---
+
+## Test Results Summary
+
+**Status:** NOT READY - Multiple blockers present
+
+### Dependencies Check
+
+| Component | Status | Notes |
+|-----------|--------|-------|
+| jq | ✓ INSTALLED | jq-1.7.1-apple |
+| SOPS | ✗ NOT INSTALLED | Required for decrypting .sops.yaml files |
+| age | ✗ NOT INSTALLED | Required for SOPS encryption/decryption |
+| age key | ✗ NOT CONFIGURED | ~/.config/sops/age/keys.txt missing |
+| vault repo | ✗ NOT CLONED | Git authentication blocked |
+| vault_path in identity.json | ✗ NOT SET | Would point to ~/vault once cloned |
+
+### What Works
+
+**[OK] Vault wrapper script exists and reports correct errors:**
+```bash
+bash .claude/scripts/vault.sh list
+→ [ERROR] vault_path not set in identity.json
+```
+
+**[OK] get-token.sh bug fixes applied:**
+- Variable collision fixed (VAULT_PATH → VAULT_ROOT_ENV)
+- Directory traversal corrected (4 levels up instead of 3)
+
+**[OK] Remediation-tool scripts are executable:**
+```bash
+ls -la .claude/skills/remediation-tool/scripts/*.sh
+→ All scripts have execute permissions
+```
+
+### What's Blocked
+
+**1. Vault Repository Clone**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+→ fatal: could not read Password: Device not configured
+```
+
+Git cannot prompt for credentials in this terminal session.
+
+**2. SOPS Installation**
+```bash
+sops --version
+→ command not found
+```
+
+SOPS not installed via Homebrew or other package manager.
+
+**3. age Installation**
+```bash
+age --version
+→ command not found
+```
+
+age encryption tool not installed.
+
+**4. age Key Configuration**
+```bash
+test -f ~/.config/sops/age/keys.txt
+→ File does not exist
+```
+
+No SOPS age private key configured.
+
+---
+
+## What Would Be Required to Unblock
+
+### Installation Steps (If Vault Access on Mac is Needed)
+
+**1. Install Homebrew (if not already installed):**
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+```
+
+**2. Install SOPS:**
+```bash
+brew install sops
+```
+
+**3. Install age:**
+```bash
+brew install age
+```
+
+**4. Copy age private key from Windows:**
+
+On Windows (DESKTOP-0O8A1RL):
+```bash
+cat C:\Users\<username>\.config\sops\age\keys.txt
+```
+
+On Mac:
+```bash
+mkdir -p ~/.config/sops/age
+# Paste the private key content into:
+nano ~/.config/sops/age/keys.txt
+chmod 600 ~/.config/sops/age/keys.txt
+```
+
+**5. Configure Git credential helper:**
+```bash
+git config --global credential.helper osxkeychain
+```
+
+**6. Clone vault repository:**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+# Will prompt for password - enter Gitea password
+```
+
+**7. Add vault_path to identity.json:**
+```bash
+# Edit .claude/identity.json and add:
+"vault_path": "/Users/azcomputerguru/vault"
+```
+
+**8. Test token acquisition:**
+```bash
+cd .claude/skills/remediation-tool/scripts
+./get-token.sh grabblaw.com investigator
+```
+
+Should return a JWT token if all configured correctly.
+
+---
+
+## Is This Worth Doing?
+
+**Probably not, unless you need remediation-tool on Mac.**
+
+**Why it's not urgent:**
+- Windows (DESKTOP-0O8A1RL) has working vault + remediation-tool ✓
+- Vault sync validated on Windows - all 5 tiers working ✓
+- Howard can be unblocked by pulling vault on ACG-Tech03L ✓
+- Mac is just for testing/portability
+
+**Use cases for Mac vault:**
+- Running breach checks while away from Windows desktop
+- Testing remediation-tool portability across platforms
+- Validating vault sync from Mac perspective
+
+**Alternatives:**
+- Use Windows for all remediation-tool work (current state)
+- SSH into Windows from Mac when needed
+- Remote desktop to Windows desktop
+
+---
+
+## Recommendation
+
+**Skip Mac vault setup for now.**
+
+**Reasons:**
+1. Windows already validated vault sync works
+2. All 5 SOPS files confirmed present
+3. Token acquisition tested on all 5 tiers
+4. Howard can be notified to pull
+5. Mac setup requires 4 installations + credential management
+
+**Only set up Mac vault if:**
+- You frequently work from Mac and need remediation-tool
+- You want to test cross-platform portability
+- Windows desktop is unavailable for extended periods
+
+---
+
+## Current Capability on Mac
+
+**What works:**
+- Reading/editing remediation-tool scripts
+- Viewing tenant lists (references/tenants.md)
+- Resolving tenant IDs: `./resolve-tenant.sh <domain>`
+- All other ClaudeTools functionality
+
+**What doesn't work:**
+- Token acquisition (no vault)
+- SOPS decryption (no vault + no SOPS)
+- Running breach checks (needs tokens)
+- Testing remediation-tool workflows (needs tokens)
+
+---
+
+**Status:** Documented and understood - Mac not currently set up for vault access
+**Action:** No action needed unless Mac remediation-tool access becomes necessary
+**Validated on:** Windows (DESKTOP-0O8A1RL) - all 5 tiers working