From 6125ba15d90c081df331be824acb4e3f40d303db Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 21 Apr 2026 19:34:56 -0700 Subject: [PATCH] docs: Mac vault readiness test results Tested vault access capability on Mac. Found multiple blockers: - SOPS not installed - age not installed - age key not configured - vault repo not cloned (git auth blocked) Documents what would be required vs. recommendation to skip Mac setup. Windows already validated - all 5 tiers working. Co-Authored-By: Claude Sonnet 4.5 --- .claude/MAC-vault-readiness-test.md | 197 ++++++++++++++++++++++++++++ 1 file changed, 197 insertions(+) create mode 100644 .claude/MAC-vault-readiness-test.md diff --git a/.claude/MAC-vault-readiness-test.md b/.claude/MAC-vault-readiness-test.md new file mode 100644 index 0000000..f82668c --- /dev/null +++ b/.claude/MAC-vault-readiness-test.md 
@@ -0,0 +1,197 @@ +# Mac Vault Readiness Test Results + +**Date:** 2026-04-21 +**Machine:** Mikes-MacBook-Air.local +**Purpose:** Test vault access capability for remediation-tool + +--- + +## Test Results Summary + +**Status:** NOT READY - Multiple blockers present + +### Dependencies Check + +| Component | Status | Notes | +|-----------|--------|-------| +| jq | ✓ INSTALLED | jq-1.7.1-apple | +| SOPS | ✗ NOT INSTALLED | Required for decrypting .sops.yaml files | +| age | ✗ NOT INSTALLED | Required for SOPS encryption/decryption | +| age key | ✗ NOT CONFIGURED | ~/.config/sops/age/keys.txt missing | +| vault repo | ✗ NOT CLONED | Git authentication blocked | +| vault_path in identity.json | ✗ NOT SET | Would point to ~/vault once cloned | + +### What Works + +**[OK] Vault wrapper script exists and reports correct errors:** +```bash +bash .claude/scripts/vault.sh list +→ [ERROR] vault_path not set in identity.json +``` + +**[OK] get-token.sh bug fixes applied:** +- Variable collision fixed (VAULT_PATH → VAULT_ROOT_ENV) +- Directory traversal corrected (4 levels up instead of 3) + +**[OK] Remediation-tool scripts are executable:** +```bash +ls -la .claude/skills/remediation-tool/scripts/*.sh +→ All scripts have execute permissions +``` + +### What's Blocked + +**1. Vault Repository Clone** +```bash +git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault +→ fatal: could not read Password: Device not configured +``` + +Git cannot prompt for credentials in this terminal session. + +**2. SOPS Installation** +```bash +sops --version +→ command not found +``` + +SOPS not installed via Homebrew or other package manager. + +**3. age Installation** +```bash +age --version +→ command not found +``` + +age encryption tool not installed. + +**4. age Key Configuration** +```bash +test -f ~/.config/sops/age/keys.txt +→ File does not exist +``` + +No SOPS age private key configured. 
+ +--- + +## What Would Be Required to Unblock + +### Installation Steps (If Vault Access on Mac is Needed) + +**1. Install Homebrew (if not already installed):** +```bash +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" +``` + +**2. Install SOPS:** +```bash +brew install sops +``` + +**3. Install age:** +```bash +brew install age +``` + +**4. Copy age private key from Windows:** + +On Windows (DESKTOP-0O8A1RL): +```bash +cat C:\Users\\.config\sops\age\keys.txt +``` + +On Mac: +```bash +mkdir -p ~/.config/sops/age +# Paste the private key content into: +nano ~/.config/sops/age/keys.txt +chmod 600 ~/.config/sops/age/keys.txt +``` + +**5. Configure Git credential helper:** +```bash +git config --global credential.helper osxkeychain +``` + +**6. Clone vault repository:** +```bash +git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault +# Will prompt for password - enter Gitea password +``` + +**7. Add vault_path to identity.json:** +```bash +# Edit .claude/identity.json and add: +"vault_path": "/Users/azcomputerguru/vault" +``` + +**8. Test token acquisition:** +```bash +cd .claude/skills/remediation-tool/scripts +./get-token.sh grabblaw.com investigator +``` + +Should return a JWT token if all configured correctly. + +--- + +## Is This Worth Doing? 
+ +**Probably not, unless you need remediation-tool on Mac.** + +**Why it's not urgent:** +- Windows (DESKTOP-0O8A1RL) has working vault + remediation-tool ✓ +- Vault sync validated on Windows - all 5 tiers working ✓ +- Howard can be unblocked by pulling vault on ACG-Tech03L ✓ +- Mac is just for testing/portability + +**Use cases for Mac vault:** +- Running breach checks while away from Windows desktop +- Testing remediation-tool portability across platforms +- Validating vault sync from Mac perspective + +**Alternatives:** +- Use Windows for all remediation-tool work (current state) +- SSH into Windows from Mac when needed +- Remote desktop to Windows desktop + +--- + +## Recommendation + +**Skip Mac vault setup for now.** + +**Reasons:** +1. Windows already validated vault sync works +2. All 5 SOPS files confirmed present +3. Token acquisition tested on all 5 tiers +4. Howard can be notified to pull +5. Mac setup requires 4 installations + credential management + +**Only set up Mac vault if:** +- You frequently work from Mac and need remediation-tool +- You want to test cross-platform portability +- Windows desktop is unavailable for extended periods + +--- + +## Current Capability on Mac + +**What works:** +- Reading/editing remediation-tool scripts +- Viewing tenant lists (references/tenants.md) +- Resolving tenant IDs: `./resolve-tenant.sh ` +- All other ClaudeTools functionality + +**What doesn't work:** +- Token acquisition (no vault) +- SOPS decryption (no vault + no SOPS) +- Running breach checks (needs tokens) +- Testing remediation-tool workflows (needs tokens) + +--- + +**Status:** Documented and understood - Mac not currently set up for vault access +**Action:** No action needed unless Mac remediation-tool access becomes necessary +**Validated on:** Windows (DESKTOP-0O8A1RL) - all 5 tiers working
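Review bot: Step 4 of "Installation Steps" moves the Windows age private key to the Mac by printing it with `cat` and pasting it into nano, which leaves the key in terminal scrollback and the clipboard and makes both machines share one identity that cannot be revoked separately. Suggest generating a Mac-specific key with `age-keygen`, adding its public recipient to the vault's SOPS recipients and re-encrypting with `sops updatekeys` (this assumes the vault keeps its recipient list in a SOPS config file, which the patch does not show), so that only a public key crosses machines. If the copy approach stays, set restrictive permissions before the key is written, since `chmod 600 ~/.config/sops/age/keys.txt` currently runs only after nano has saved the file with default permissions, and `mkdir -p ~/.config/sops/age` leaves the directory at the default mode. The Windows command `cat C:\Users\\.config\sops\age\keys.txt` is also missing its username segment and sits in a bash fence. Separately, step 6 (and the blocked clone under "What's Blocked") uses `http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git` and tells the reader to enter the Gitea password at the prompt, so that password crosses the network unencrypted; an HTTPS or SSH remote would avoid this. Minor: the Recommendation counts "4 installations" while the steps list three (Homebrew, SOPS, age), and `./resolve-tenant.sh ` under "Current Capability on Mac" has lost its argument placeholder.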