fix: vault path from per-machine identity.json, not hardcoded paths

- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)

Howard and Mac need vault_path added to their identity.json after pulling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 19:01:27 -07:00
parent da96c5a8ee
commit fcb5bebf5b
6 changed files with 116 additions and 42 deletions

@@ -65,24 +65,37 @@ Without `/save`, you'd lose everything when a session ends. Without `/sync`, you
## The SOPS vault (how credentials work)
We store ALL credentials in an encrypted vault at `D:\vault\` (separate git repo). Files are YAML encrypted with age/SOPS. Claude can decrypt them on the fly.
We store ALL credentials in an encrypted vault (separate git repo). Files are YAML encrypted with age/SOPS. Claude can decrypt them on the fly.
**How Claude accesses a credential:**
```bash
bash D:/vault/scripts/vault.sh get-field clients/dataforth/ad2.sops.yaml credentials.password
# Always via the ClaudeTools wrapper — never a hardcoded path
bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field clients/dataforth/ad2.sops.yaml credentials.password
```
**Why this matters:**
- We never hardcode passwords in scripts or session logs (they're vault references)
- The vault syncs across machines via Gitea (same as claudetools)
- Encryption uses an age key at `%APPDATA%\sops\age\keys.txt` — this key needs to be on each machine that decrypts
- Encryption uses an age key — this key needs to be on each machine that decrypts
**Your machine needs the age key.** Mike will give you the key file. Drop it at:
```
C:\Users\<you>\AppData\Roaming\sops\age\keys.txt
```
**Setup required on each machine:**
Without this file, vault commands fail. Everything else works fine.
1. **Clone the vault repo** somewhere convenient (e.g., `~/vault` on Mac/Linux, `D:\vault` on Windows)
2. **Add `vault_path` to `.claude/identity.json`** (created during onboarding):
```json
{
"user": "howard",
"vault_path": "/Users/howard/vault"
}
```
This is the only place the path lives — no hardcoded paths in any shared file.
3. **Install your age key.** Mike will give you the key file. Drop it at:
- **Windows:** `C:\Users\<you>\AppData\Roaming\sops\age\keys.txt`
- **Mac/Linux:** `~/.config/sops/age/keys.txt`
Without the age key, vault commands fail. Everything else works fine.
---
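Review bot: the Windows clone location in step 1 is written as `D:\vault`, but the value in step 2 is consumed by the bash wrapper and lives in JSON, where `"D:\vault"` is not a literal backslash: JSON treats `\v` as a vertical-tab escape, so a user who copies the step 1 spelling into `identity.json` gets a mangled path and a confusing wrapper failure. The commit message already uses the forward-slash form (`D:/vault on DESKTOP-0O8A1RL`); step 1 and the step 2 example should say explicitly that `vault_path` uses forward slashes on Windows, e.g. `"vault_path": "D:/vault"`, or show a Windows variant next to `/Users/howard/vault`. Two smaller points in the same hunk: the new access example `bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" ...` depends on `CLAUDETOOLS_ROOT` being exported, and nothing in this file says where that comes from; if it is unset the command silently resolves to `/.claude/scripts/vault.sh`, so either document where the variable is set or have the wrapper fail with a clear message when it is empty. And the sentence "This is the only place the path lives" is only true if `.claude/identity.json` is not tracked; the commit touches 6 files including `identity.json` with the DESKTOP-0O8A1RL value, so if that file is committed, every pull will overwrite Howard's and Mac's `vault_path` (and the commit message's instruction to add it after pulling will produce merge conflicts). If it is meant to be per-machine, add it to `.gitignore` and ship a template instead; if it is intentionally tracked, say so here.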