Session 2026-03-30: SOPS vault, SC-Syncro sync, Syncro scripts
- SOPS+age credential vault created (59 encrypted files, separate repo) - Updated CLAUDE.md credential access to reference SOPS vault - Updated memory for ACG-5070 (Windows 11, replaces CachyOS) - SC-Syncro sync script: enriched 410 SC sessions with company/device data - Syncro scripts: SC property updater, SC deployer, rogue SC killer - Session log with full details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -39,9 +39,9 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
|
||||
## Key Rules
|
||||
|
||||
- **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
|
||||
- **No hardcoded credentials** - Use 1Password (`op read "op://Vault/Item/field"`) or encrypted storage
|
||||
- **No hardcoded credentials** - Use SOPS vault (`vault get-field <path> <field>`) or 1Password as fallback
|
||||
- **SSH:** Use system OpenSSH (on Windows: `C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
|
||||
- **Data integrity:** Never use placeholder/fake data. Check credentials.md (op:// refs) or 1Password or ask user.
|
||||
- **Data integrity:** Never use placeholder/fake data. Check SOPS vault, credentials.md, or ask user.
|
||||
- **Full coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
|
||||
|
||||
---
|
||||
@@ -57,22 +57,46 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
|
||||
## Context Recovery
|
||||
|
||||
When user references previous work, use `/context` command. Never ask user for info in:
|
||||
- `credentials.md` - Infrastructure reference with `op://` paths (secrets in 1Password)
|
||||
- `credentials.md` - Infrastructure reference (being migrated to SOPS vault at D:\vault)
|
||||
- `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
|
||||
- `SESSION_STATE.md` - Project history
|
||||
|
||||
### 1Password Credential Access
|
||||
### Credential Access (SOPS Vault - Primary)
|
||||
|
||||
Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clients**, **Projects**, **MSP Tools**.
|
||||
Credentials are stored in SOPS+age encrypted YAML files in a dedicated Gitea repo.
|
||||
|
||||
**To read a secret:** `op read "op://VaultName/ItemTitle/field_name"`
|
||||
**Vault repo:** `D:\vault` (git.azcomputerguru.com/azcomputerguru/vault, private)
|
||||
**Structure:** infrastructure/, clients/, services/, projects/, msp-tools/
|
||||
|
||||
**Service account (non-interactive):** Set `OP_SERVICE_ACCOUNT_TOKEN` env var. Token stored in `op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential`. The service account has Read & Write on all 4 vaults (except Projects which is read-only -- use desktop app auth for Projects writes).
|
||||
**To read credentials:**
|
||||
```bash
|
||||
# Search by keyword (no decryption needed - metadata is plaintext)
|
||||
bash D:/vault/scripts/vault.sh search "172.16.3.30"
|
||||
|
||||
# Get a specific field
|
||||
bash D:/vault/scripts/vault.sh get-field infrastructure/gururmm-server.sops.yaml credentials.password
|
||||
|
||||
# Decrypt full entry
|
||||
bash D:/vault/scripts/vault.sh get infrastructure/gururmm-server.sops.yaml
|
||||
|
||||
# List all entries
|
||||
bash D:/vault/scripts/vault.sh list
|
||||
```
|
||||
|
||||
**Encryption:** AES-256 via age. Metadata (kind, name, host, tags) stays plaintext for searchability. Only `credentials`, `notes`, and secret fields are encrypted.
|
||||
|
||||
**age key location:** `%APPDATA%\sops\age\keys.txt` (Windows) / `~/.config/sops/age/keys.txt` (Linux/Mac)
|
||||
|
||||
**Setup on new machines:**
|
||||
1. Install 1Password CLI: https://developer.1password.com/docs/cli/get-started/
|
||||
2. Sign in: `op signin` (or use desktop app integration)
|
||||
3. For non-interactive use, add to shell config: `set -gx OP_SERVICE_ACCOUNT_TOKEN "token_value"`
|
||||
1. Install: `winget install Mozilla.sops FiloSottile.age MikeFarah.yq` (or brew/pacman)
|
||||
2. Generate key: `age-keygen -o ~/.config/sops/age/keys.txt`
|
||||
3. Clone: `git clone git@git.azcomputerguru.com:azcomputerguru/vault.git`
|
||||
4. Add public key to `keys/recipients.txt`, push, then run `vault rotate` from existing machine
|
||||
|
||||
### 1Password (Fallback)
|
||||
|
||||
1Password remains available for browser autofill and as fallback. Service account token is in the vault:
|
||||
`bash D:/vault/scripts/vault.sh get-field infrastructure/1password-service-account.sops.yaml credentials.token`
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user