docs: vault setup procedure for Mac

Documents authentication blocker for vault clone on Mac.
Provides step-by-step setup instructions for future vault access.

Vault sync from Windows is complete - Mac setup is optional.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.claude/vault-setup-mac.md

@@ -0,0 +1,168 @@
+# Vault Setup on Mac (Mikes-MacBook-Air.local)
+
+**Status:** Blocked on authentication
+**Created:** 2026-04-21
+**Purpose:** Enable remediation-tool SOPS credential access on Mac
+
+---
+
+## Current State
+
+**Vault repo:** NOT cloned on this Mac
+**identity.json:** Missing `vault_path` field
+**Remediation-tool:** Cannot acquire tokens (no vault access)
+
+---
+
+## What's Needed
+
+### Step 1: Clone Vault Repository
+
+**Vault URL:** `http://172.16.3.20:3000/azcomputerguru/vault.git`
+
+**Authentication required.** Options:
+
+**Option A: Use Gitea credentials (interactive)**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+# Will prompt for password
+```
+
+**Option B: Use stored credentials**
+If you have git credential helper configured:
+```bash
+git config --global credential.helper osxkeychain
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+```
+
+**Option C: Use SSH (if keys configured)**
+```bash
+git clone git@172.16.3.20:azcomputerguru/vault.git ~/vault
+```
+
+### Step 2: Add vault_path to identity.json
+
+**File:** `/Users/azcomputerguru/ClaudeTools/.claude/identity.json`
+
+**Add this field:**
+```json
+{
+  "user": "mike",
+  "full_name": "Mike Swanson",
+  "email": "mike@azcomputerguru.com",
+  "role": "admin",
+  "machine": "Mikes-MacBook-Air",
+  "mode": "general",
+  "last_updated": "2026-04-19T08:40:00Z",
+  "vault_path": "/Users/azcomputerguru/vault"
+}
+```
+
+### Step 3: Verify SOPS Files Are Present
+
+```bash
+ls -la ~/vault/msp-tools/computerguru-*.sops.yaml
+```
+
+**Expected: 5 files**
+- computerguru-security-investigator.sops.yaml
+- computerguru-exchange-operator.sops.yaml
+- computerguru-user-manager.sops.yaml
+- computerguru-tenant-admin.sops.yaml
+- computerguru-defender-addon.sops.yaml
+
+### Step 4: Configure SOPS
+
+**Check if age key exists:**
+```bash
+test -f ~/.config/sops/age/keys.txt && echo "Age key exists" || echo "Need age key"
+```
+
+**If age key is missing:**
+You'll need the SOPS age private key from DESKTOP-0O8A1RL or ACG-Tech03L.
+
+**Location on Windows:** `C:\Users\<username>\.config\sops\age\keys.txt`
+
+Copy the private key to Mac:
+```bash
+mkdir -p ~/.config/sops/age
+# Copy keys.txt content to ~/.config/sops/age/keys.txt
+chmod 600 ~/.config/sops/age/keys.txt
+```
+
+### Step 5: Test Token Acquisition
+
+```bash
+cd /Users/azcomputerguru/ClaudeTools/.claude/skills/remediation-tool/scripts
+./get-token.sh grabblaw.com investigator
+```
+
+**Expected output:** A JWT token (long string starting with `eyJ...`)
+
+**If it fails:**
+- Check vault_path in identity.json
+- Verify SOPS files exist
+- Verify age key is configured
+- Check file permissions
+
+---
+
+## Test Results (Attempted 2026-04-21)
+
+**Clone attempt 1:**
+```
+git clone http://172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+→ fatal: could not read Username for 'http://172.16.3.20:3000': Device not configured
+```
+
+**Clone attempt 2:**
+```
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+→ fatal: could not read Password for 'http://azcomputerguru@172.16.3.20:3000': Device not configured
+```
+
+**Blocker:** Git on Mac cannot prompt for credentials in this terminal session.
+
+**Workaround needed:** Configure credential helper or use SSH authentication.
+
+---
+
+## Why This Matters
+
+**Once vault is set up on Mac:**
+- Can test remediation-tool locally
+- Can run breach checks without switching to Windows
+- Full parity with Windows/Howard's machines
+- Validates that vault sync from Windows worked
+
+**Current capability:**
+- remediation-tool scripts are executable ✓
+- get-token.sh bugs are fixed ✓
+- Vault wrapper logic is correct ✓
+- **Blocked only by vault clone authentication** ✗
+
+---
+
+## Alternative: Test on Windows
+
+If Mac vault setup is low priority, the vault sync can be validated on Windows:
+
+```bash
+cd D:\vault
+git pull origin main
+ls D:\vault\msp-tools\computerguru-*.sops.yaml
+
+cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts
+bash get-token.sh grabblaw.com investigator
+```
+
+Should return a JWT token proving the vault sync worked.
+
+---
+
+**Next action:**
+- **If Mac needs remediation-tool:** Set up vault clone with proper authentication
+- **If Mac is just for testing:** Test vault sync on Windows instead
+- **If vault not needed on Mac:** Skip this setup entirely
+
+**Priority:** LOW - Windows already has working vault + remediation-tool