diff --git a/.claude/vault-setup-mac.md b/.claude/vault-setup-mac.md new file mode 100644 index 0000000..0410df7 --- /dev/null +++ b/.claude/vault-setup-mac.md 
@@ -0,0 +1,168 @@ +# Vault Setup on Mac (Mikes-MacBook-Air.local) + +**Status:** Blocked on authentication +**Created:** 2026-04-21 +**Purpose:** Enable remediation-tool SOPS credential access on Mac + +--- + +## Current State + +**Vault repo:** NOT cloned on this Mac +**identity.json:** Missing `vault_path` field +**Remediation-tool:** Cannot acquire tokens (no vault access) + +--- + +## What's Needed + +### Step 1: Clone Vault Repository + +**Vault URL:** `http://172.16.3.20:3000/azcomputerguru/vault.git` + +**Authentication required.** Options: + +**Option A: Use Gitea credentials (interactive)** +```bash +git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault +# Will prompt for password +``` + +**Option B: Use stored credentials** +If you have git credential helper configured: +```bash +git config --global credential.helper osxkeychain +git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault +``` + +**Option C: Use SSH (if keys configured)** +```bash +git clone git@172.16.3.20:azcomputerguru/vault.git ~/vault +``` + +### Step 2: Add vault_path to identity.json + +**File:** `/Users/azcomputerguru/ClaudeTools/.claude/identity.json` + +**Add this field:** +```json +{ + "user": "mike", + "full_name": "Mike Swanson", + "email": "mike@azcomputerguru.com", + "role": "admin", + "machine": "Mikes-MacBook-Air", + "mode": "general", + "last_updated": "2026-04-19T08:40:00Z", + "vault_path": "/Users/azcomputerguru/vault" +} +``` + +### Step 3: Verify SOPS Files Are Present + +```bash +ls -la ~/vault/msp-tools/computerguru-*.sops.yaml +``` + +**Expected: 5 files** +- computerguru-security-investigator.sops.yaml +- computerguru-exchange-operator.sops.yaml +- computerguru-user-manager.sops.yaml +- computerguru-tenant-admin.sops.yaml +- computerguru-defender-addon.sops.yaml + +### Step 4: Configure SOPS + +**Check if age key exists:** +```bash +test -f ~/.config/sops/age/keys.txt && echo "Age key exists" || echo "Need age 
key" +``` + +**If age key is missing:** +You'll need the SOPS age private key from DESKTOP-0O8A1RL or ACG-Tech03L. + +**Location on Windows:** `C:\Users\\.config\sops\age\keys.txt` + +Copy the private key to Mac: +```bash +mkdir -p ~/.config/sops/age +# Copy keys.txt content to ~/.config/sops/age/keys.txt +chmod 600 ~/.config/sops/age/keys.txt +``` + +### Step 5: Test Token Acquisition + +```bash +cd /Users/azcomputerguru/ClaudeTools/.claude/skills/remediation-tool/scripts +./get-token.sh grabblaw.com investigator +``` + +**Expected output:** A JWT token (long string starting with `eyJ...`) + +**If it fails:** +- Check vault_path in identity.json +- Verify SOPS files exist +- Verify age key is configured +- Check file permissions + +--- + +## Test Results (Attempted 2026-04-21) + +**Clone attempt 1:** +``` +git clone http://172.16.3.20:3000/azcomputerguru/vault.git ~/vault +→ fatal: could not read Username for 'http://172.16.3.20:3000': Device not configured +``` + +**Clone attempt 2:** +``` +git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault +→ fatal: could not read Password for 'http://azcomputerguru@172.16.3.20:3000': Device not configured +``` + +**Blocker:** Git on Mac cannot prompt for credentials in this terminal session. + +**Workaround needed:** Configure credential helper or use SSH authentication. 
+ +--- + +## Why This Matters + +**Once vault is set up on Mac:** +- Can test remediation-tool locally +- Can run breach checks without switching to Windows +- Full parity with Windows/Howard's machines +- Validates that vault sync from Windows worked + +**Current capability:** +- remediation-tool scripts are executable ✓ +- get-token.sh bugs are fixed ✓ +- Vault wrapper logic is correct ✓ +- **Blocked only by vault clone authentication** ✗ + +--- + +## Alternative: Test on Windows + +If Mac vault setup is low priority, the vault sync can be validated on Windows: + +```bash +cd D:\vault +git pull origin main +ls D:\vault\msp-tools\computerguru-*.sops.yaml + +cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts +bash get-token.sh grabblaw.com investigator +``` + +Should return a JWT token proving the vault sync worked. + +--- + +**Next action:** +- **If Mac needs remediation-tool:** Set up vault clone with proper authentication +- **If Mac is just for testing:** Test vault sync on Windows instead +- **If vault not needed on Mac:** Skip this setup entirely + +**Priority:** LOW - Windows already has working vault + remediation-tool
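Review bot: the Windows key location in Step 4, `C:\Users\\.config\sops\age\keys.txt`, has an empty path segment between the two backslashes, so the username is missing; write it as an explicit placeholder such as `C:\Users\<username>\.config\sops\age\keys.txt` so a reader does not copy a broken path. Step 1 Options A and B clone over plain `http://` with the username embedded in the URL, so the Gitea password (and, with `credential.helper osxkeychain`, the credential the helper later replays) crosses the network in cleartext to 172.16.3.20:3000; prefer the SSH form already given as Option C or an HTTPS endpoint, and state that Option B persists the password in the macOS keychain. Step 4 also tells the reader to copy the SOPS age private key from DESKTOP-0O8A1RL or ACG-Tech03L without saying how; name the transfer channel (scp over SSH, or the password manager the team uses) and note that the same age key on three machines means any one of them being compromised exposes all five `.sops.yaml` credential files. Lastly, the `bash` block under "Alternative: Test on Windows" runs `cd D:\vault` and `ls D:\vault\msp-tools\...` with backslash paths, which do not resolve in bash (Git Bash expects `/d/vault/...`); either convert the paths or tag the block as PowerShell/cmd and drop the `bash get-token.sh` line into its own bash fence.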