From 90f9d9eda1e81ce8a19a8cec434060fb23d25aff Mon Sep 17 00:00:00 2001
From: Mike Swanson <mike@azcomputerguru.com>
Date: Tue, 21 Apr 2026 19:12:15 -0700
Subject: [PATCH] fix: two bugs in get-token.sh vault path resolution

1. Variable name collision: VAULT_PATH was used for both the SOPS file
   relative path (set by case statement) and the vault root override env
   var. Renamed env var override to VAULT_ROOT_ENV to avoid collision.

2. Wrong directory depth: CLAUDETOOLS_ROOT was navigating 3 levels up
   from scripts/ landing at .claude/ instead of repo root. Fixed to 4
   levels (scripts -> remediation-tool -> skills -> .claude -> repo root).

Also added jq as primary vault_path reader (handles Unix paths on Windows),
with cygpath-converted Python fallback.

Bugs discovered during Mac testing 2026-04-21. Windows worked only because
tokens were served from /tmp cache after first acquisition.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../remediation-tool/scripts/get-token.sh     | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/.claude/skills/remediation-tool/scripts/get-token.sh b/.claude/skills/remediation-tool/scripts/get-token.sh
index f4214a6..6c4bf64 100755
--- a/.claude/skills/remediation-tool/scripts/get-token.sh
+++ b/.claude/skills/remediation-tool/scripts/get-token.sh
@@ -84,16 +84,24 @@ fi
 # Locate vault repo via .claude/identity.json (per-machine, gitignored).
 # Falls back to VAULT_PATH env var if set.
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../../../.." && pwd)"
 IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"
 
 VAULT_ROOT="${VAULT_ROOT_ENV:-}"
 if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
-  for py in py python3 python; do
-    if command -v "$py" >/dev/null 2>&1; then
-      VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
-    fi
-  done
+  # Try jq first (handles Unix paths on Windows cleanly)
+  if command -v jq >/dev/null 2>&1; then
+    VAULT_ROOT=$(jq -r '.vault_path // empty' "$IDENTITY_FILE" 2>/dev/null)
+  fi
+  # Fall back to Python with Windows path conversion
+  if [[ -z "$VAULT_ROOT" ]]; then
+    IDENTITY_FILE_WIN=$(cygpath -w "$IDENTITY_FILE" 2>/dev/null || echo "$IDENTITY_FILE")
+    for py in py python3 python; do
+      if command -v "$py" >/dev/null 2>&1; then
+        VAULT_ROOT=$("$py" -c "import json; print(json.load(open(r'${IDENTITY_FILE_WIN}')).get('vault_path',''))" 2>/dev/null) && break
+      fi
+    done
+  fi
 fi
 [[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; exit 3; }
 [[ ! -d "$VAULT_ROOT" ]] && { echo "ERROR: vault not found at $VAULT_ROOT (check vault_path in $IDENTITY_FILE)" >&2; exit 3; }