fix: vault path from per-machine identity.json, not hardcoded paths
- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)

Howard and Mac need vault_path added to their identity.json after pulling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -65,24 +65,37 @@ Without `/save`, you'd lose everything when a session ends. Without `/sync`, you
|
||||
|
||||
## The SOPS vault (how credentials work)
|
||||
|
||||
We store ALL credentials in an encrypted vault at `D:\vault\` (separate git repo). Files are YAML encrypted with age/SOPS. Claude can decrypt them on the fly.
|
||||
We store ALL credentials in an encrypted vault (separate git repo). Files are YAML encrypted with age/SOPS. Claude can decrypt them on the fly.
|
||||
|
||||
**How Claude accesses a credential:**
|
||||
```bash
|
||||
bash D:/vault/scripts/vault.sh get-field clients/dataforth/ad2.sops.yaml credentials.password
|
||||
# Always via the ClaudeTools wrapper — never a hardcoded path
|
||||
bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field clients/dataforth/ad2.sops.yaml credentials.password
|
||||
```
|
||||
|
||||
**Why this matters:**
|
||||
- We never hardcode passwords in scripts or session logs (they're vault references)
|
||||
- The vault syncs across machines via Gitea (same as claudetools)
|
||||
- Encryption uses an age key at `%APPDATA%\sops\age\keys.txt` — this key needs to be on each machine that decrypts
|
||||
- Encryption uses an age key — this key needs to be on each machine that decrypts
|
||||
|
||||
**Your machine needs the age key.** Mike will give you the key file. Drop it at:
|
||||
```
|
||||
C:\Users\<you>\AppData\Roaming\sops\age\keys.txt
|
||||
```
|
||||
**Setup required on each machine:**
|
||||
|
||||
Without this file, vault commands fail. Everything else works fine.
|
||||
1. **Clone the vault repo** somewhere convenient (e.g., `~/vault` on Mac/Linux, `D:\vault` on Windows)
|
||||
|
||||
2. **Add `vault_path` to `.claude/identity.json`** (created during onboarding):
|
||||
```json
|
||||
{
|
||||
"user": "howard",
|
||||
"vault_path": "/Users/howard/vault"
|
||||
}
|
||||
```
|
||||
This is the only place the path lives — no hardcoded paths in any shared file.
|
||||
|
||||
3. **Install your age key.** Mike will give you the key file. Drop it at:
|
||||
- **Windows:** `C:\Users\<you>\AppData\Roaming\sops\age\keys.txt`
|
||||
- **Mac/Linux:** `~/.config/sops/age/keys.txt`
|
||||
|
||||
Without the age key, vault commands fail. Everything else works fine.
|
||||
|
||||
---
|
||||
|
||||
|
||||
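Review bot: Step 1 suggests `D:\vault` for Windows, but step 2 then has the reader paste that path into `identity.json`, where a backslash followed by `v` is not a valid JSON escape, so `"vault_path": "D:\vault"` is rejected by any JSON parser and the wrapper will fail on the very first machine the commit message itself describes (which uses `D:/vault`). Please add a Windows line to the step 2 example, e.g. `"vault_path": "D:/vault"`, and state that forward slashes are required there. Two smaller points: the new command `bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" ...` depends on `CLAUDETOOLS_ROOT`, which this onboarding text never says where it is set or exported, so a fresh reader cannot run the "always via the wrapper" line; and step 3 gives `~/.config/sops/age/keys.txt` for Mac/Linux, whereas sops on macOS looks in `~/Library/Application Support/sops/age/keys.txt` by default unless `SOPS_AGE_KEY_FILE` is set, so either list the macOS path separately or have the wrapper export `SOPS_AGE_KEY_FILE`. Since "Mike will give you the key file" is the whole key-handling story, one sentence that the age key must never be committed to the vault or claudetools repos would also be worth adding here.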