fix: vault path from per-machine identity.json, not hardcoded paths

- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)

Howard and Mac need vault_path added to their identity.json after pulling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-21 19:01:27 -07:00
parent da96c5a8ee
commit fcb5bebf5b
6 changed files with 116 additions and 42 deletions

View File

@@ -15,9 +15,11 @@ This repo is shared across multiple team members. **At every session start, BEFO
"full_name": "Mike Swanson",
"email": "mike@azcomputerguru.com",
"role": "admin",
"machine": "<HOSTNAME>"
"machine": "<HOSTNAME>",
"vault_path": "<absolute path to vault repo on this machine>"
}
```
Ask the user where the vault repo is cloned on this machine (e.g., `D:/vault`, `~/vault`, `/Users/howard/vault`).
- Set local git config: `git config user.name "<full_name>"` and `git config user.email "<email>"`
- Set git remote (read `gitea_username` from users.json): `git remote set-url origin https://<gitea_username>@git.azcomputerguru.com/azcomputerguru/claudetools.git`
- Add hostname to user's `known_machines` in users.json and commit.
@@ -173,23 +175,22 @@ When user references previous work, use `/context` command. Never ask for info i
### Credential Access (SOPS Vault)
Always resolve vault path portably — never hardcode `D:/vault`:
Use the ClaudeTools vault wrapper — never hardcode the vault path:
```bash
VAULT_SH=""
for _c in "D:/vault/scripts/vault.sh" "$HOME/vault/scripts/vault.sh" "/d/vault/scripts/vault.sh" "$HOME/.vault/scripts/vault.sh"; do
[[ -f "$_c" ]] && VAULT_SH="$_c" && break
done
[[ -z "$VAULT_SH" ]] && { echo "ERROR: vault not found" >&2; exit 1; }
# CLAUDETOOLS_ROOT is the repo root (D:\claudetools on Windows, ~/claudetools on Mac/Linux)
VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
bash "$VAULT_SH" search "keyword" # Search without decrypting
bash "$VAULT_SH" get-field <path> <field> # Get specific field
bash "$VAULT_SH" get <path> # Decrypt full entry
bash "$VAULT_SH" list # List all entries
bash "$VAULT" search "keyword" # Search without decrypting
bash "$VAULT" get-field <path> <field> # Get specific field
bash "$VAULT" get <path> # Decrypt full entry
bash "$VAULT" list # List all entries
```
Vault repo: cloned at `D:\vault` (Windows) or `~/vault` (Mac/Linux) — set `VAULT_PATH` env var to override.
Structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
The wrapper reads `vault_path` from `.claude/identity.json` (per-machine, gitignored).
Each machine sets its own vault path there — no hardcoded paths in any shared file.
Vault structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
**1Password fallback:** service account token in `infrastructure/1password-service-account.sops.yaml`