Session 2026-03-30: SOPS vault, SC-Syncro sync, Syncro scripts

- SOPS+age credential vault created (59 encrypted files, separate repo)
- Updated CLAUDE.md credential access to reference SOPS vault
- Updated memory for ACG-5070 (Windows 11, replaces CachyOS)
- SC-Syncro sync script: enriched 410 SC sessions with company/device data
- Syncro scripts: SC property updater, SC deployer, rogue SC killer
- Session log with full details

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-03-30 19:38:38 -07:00
parent 505bc12355
commit e34f51fe5d
8 changed files with 1274 additions and 37 deletions

View File

@@ -39,9 +39,9 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
## Key Rules
- **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
- **No hardcoded credentials** - Use 1Password (`op read "op://Vault/Item/field"`) or encrypted storage
- **No hardcoded credentials** - Use SOPS vault (`vault get-field <path> <field>`) or 1Password as fallback
- **SSH:** Use system OpenSSH (on Windows: `C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
- **Data integrity:** Never use placeholder/fake data. Check credentials.md (op:// refs) or 1Password or ask user.
- **Data integrity:** Never use placeholder/fake data. Check SOPS vault, credentials.md, or ask user.
- **Full coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
---
@@ -57,22 +57,46 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
## Context Recovery
When user references previous work, use `/context` command. Never ask user for info in:
- `credentials.md` - Infrastructure reference with `op://` paths (secrets in 1Password)
- `credentials.md` - Infrastructure reference (being migrated to SOPS vault at D:\vault)
- `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
- `SESSION_STATE.md` - Project history
### 1Password Credential Access
### Credential Access (SOPS Vault - Primary)
Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clients**, **Projects**, **MSP Tools**.
Credentials are stored in SOPS+age encrypted YAML files in a dedicated Gitea repo.
**To read a secret:** `op read "op://VaultName/ItemTitle/field_name"`
**Vault repo:** `D:\vault` (git.azcomputerguru.com/azcomputerguru/vault, private)
**Structure:** infrastructure/, clients/, services/, projects/, msp-tools/
**Service account (non-interactive):** Set `OP_SERVICE_ACCOUNT_TOKEN` env var. Token stored in `op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential`. The service account has Read & Write on all 4 vaults (except Projects which is read-only -- use desktop app auth for Projects writes).
**To read credentials:**
```bash
# Search by keyword (no decryption needed - metadata is plaintext)
bash D:/vault/scripts/vault.sh search "172.16.3.30"
# Get a specific field
bash D:/vault/scripts/vault.sh get-field infrastructure/gururmm-server.sops.yaml credentials.password
# Decrypt full entry
bash D:/vault/scripts/vault.sh get infrastructure/gururmm-server.sops.yaml
# List all entries
bash D:/vault/scripts/vault.sh list
```
**Encryption:** AES-256 via age. Metadata (kind, name, host, tags) stays plaintext for searchability. Only `credentials`, `notes`, and secret fields are encrypted.
**age key location:** `%APPDATA%\sops\age\keys.txt` (Windows) / `~/.config/sops/age/keys.txt` (Linux/Mac)
**Setup on new machines:**
1. Install 1Password CLI: https://developer.1password.com/docs/cli/get-started/
2. Sign in: `op signin` (or use desktop app integration)
3. For non-interactive use, add to shell config: `set -gx OP_SERVICE_ACCOUNT_TOKEN "token_value"`
1. Install: `winget install Mozilla.sops FiloSottile.age MikeFarah.yq` (or brew/pacman)
2. Generate key: `age-keygen -o ~/.config/sops/age/keys.txt`
3. Clone: `git clone git@git.azcomputerguru.com:azcomputerguru/vault.git`
4. Add public key to `keys/recipients.txt`, push, then run `vault rotate` from existing machine
### 1Password (Fallback)
1Password remains available for browser autofill and as fallback. Service account token is in the vault:
`bash D:/vault/scripts/vault.sh get-field infrastructure/1password-service-account.sops.yaml credentials.token`
---