fix: vault path from per-machine identity.json, not hardcoded paths
- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json) - get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root - syncro.md uses wrapper via CLAUDETOOLS_ROOT - CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding - identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL) Howard and Mac need vault_path added to their identity.json after pulling. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -15,9 +15,11 @@ This repo is shared across multiple team members. **At every session start, BEFO
|
||||
"full_name": "Mike Swanson",
|
||||
"email": "mike@azcomputerguru.com",
|
||||
"role": "admin",
|
||||
"machine": "<HOSTNAME>"
|
||||
"machine": "<HOSTNAME>",
|
||||
"vault_path": "<absolute path to vault repo on this machine>"
|
||||
}
|
||||
```
|
||||
Ask the user where the vault repo is cloned on this machine (e.g., `D:/vault`, `~/vault`, `/Users/howard/vault`).
|
||||
- Set local git config: `git config user.name "<full_name>"` and `git config user.email "<email>"`
|
||||
- Set git remote (read `gitea_username` from users.json): `git remote set-url origin https://<gitea_username>@git.azcomputerguru.com/azcomputerguru/claudetools.git`
|
||||
- Add hostname to user's `known_machines` in users.json and commit.
|
||||
@@ -173,23 +175,22 @@ When user references previous work, use `/context` command. Never ask for info i
|
||||
|
||||
### Credential Access (SOPS Vault)
|
||||
|
||||
Always resolve vault path portably — never hardcode `D:/vault`:
|
||||
Use the ClaudeTools vault wrapper — never hardcode the vault path:
|
||||
|
||||
```bash
|
||||
VAULT_SH=""
|
||||
for _c in "D:/vault/scripts/vault.sh" "$HOME/vault/scripts/vault.sh" "/d/vault/scripts/vault.sh" "$HOME/.vault/scripts/vault.sh"; do
|
||||
[[ -f "$_c" ]] && VAULT_SH="$_c" && break
|
||||
done
|
||||
[[ -z "$VAULT_SH" ]] && { echo "ERROR: vault not found" >&2; exit 1; }
|
||||
# CLAUDETOOLS_ROOT is the repo root (D:\claudetools on Windows, ~/claudetools on Mac/Linux)
|
||||
VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
|
||||
|
||||
bash "$VAULT_SH" search "keyword" # Search without decrypting
|
||||
bash "$VAULT_SH" get-field <path> <field> # Get specific field
|
||||
bash "$VAULT_SH" get <path> # Decrypt full entry
|
||||
bash "$VAULT_SH" list # List all entries
|
||||
bash "$VAULT" search "keyword" # Search without decrypting
|
||||
bash "$VAULT" get-field <path> <field> # Get specific field
|
||||
bash "$VAULT" get <path> # Decrypt full entry
|
||||
bash "$VAULT" list # List all entries
|
||||
```
|
||||
|
||||
Vault repo: cloned at `D:\vault` (Windows) or `~/vault` (Mac/Linux) — set `VAULT_PATH` env var to override.
|
||||
Structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
|
||||
The wrapper reads `vault_path` from `.claude/identity.json` (per-machine, gitignored).
|
||||
Each machine sets its own vault path there — no hardcoded paths in any shared file.
|
||||
|
||||
Vault structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
|
||||
|
||||
**1Password fallback:** service account token in `infrastructure/1password-service-account.sops.yaml`
|
||||
|
||||
|
||||
Reference in New Issue
Block a user