fix: vault path from per-machine identity.json, not hardcoded paths

- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)

Howard and Mac need vault_path added to their identity.json after pulling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-21 19:01:27 -07:00
parent da96c5a8ee
commit fcb5bebf5b
6 changed files with 116 additions and 42 deletions

View File

@@ -81,13 +81,22 @@ if [[ -f "$CACHE_FILE" ]] && [[ $(find "$CACHE_FILE" -mmin -55 2>/dev/null) ]];
exit 0
fi
# Locate vault repo — candidates cover Windows (D:/vault), Git Bash (/d/vault),
# Mac/Linux ($HOME/vault), and optional override via VAULT_PATH env var.
VAULT_ROOT=""
for candidate in "${VAULT_PATH:-}" "D:/vault" "$HOME/vault" "/d/vault" "$HOME/.vault"; do
[[ -n "$candidate" && -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
done
[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: SOPS vault not found (tried D:/vault ~/vault /d/vault ~/.vault; set VAULT_PATH to override)" >&2; exit 3; }
# Locate vault repo via .claude/identity.json (per-machine, gitignored).
# Falls back to VAULT_PATH env var if set.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"
VAULT_ROOT="${VAULT_PATH:-}"
if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
for py in py python3 python; do
if command -v "$py" >/dev/null 2>&1; then
VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
fi
done
fi
[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_PATH env var not set" >&2; exit 3; }
[[ ! -d "$VAULT_ROOT" ]] && { echo "ERROR: vault not found at $VAULT_ROOT (check vault_path in $IDENTITY_FILE)" >&2; exit 3; }
SOPS_FILE="$VAULT_ROOT/$VAULT_PATH"
[[ ! -f "$SOPS_FILE" ]] && { echo "ERROR: vault file not found: $SOPS_FILE" >&2; exit 3; }

View File

@@ -17,11 +17,20 @@ TENANT_ADMIN_APP_ID="709e6eed-0711-4875-9c44-2d3518c47063"
GRAPH_RESOURCE_APP_ID="00000003-0000-0000-c000-000000000000"
ROLE_MGMT_PERMISSION_ID="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
VAULT_ROOT=""
for candidate in "${VAULT_PATH:-}" "D:/vault" "$HOME/vault" "/d/vault" "$HOME/.vault"; do
[[ -n "$candidate" && -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
done
[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] SOPS vault not found (tried D:/vault ~/vault /d/vault ~/.vault; set VAULT_PATH to override)" >&2; exit 3; }
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"
VAULT_ROOT="${VAULT_PATH:-}"
if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
for py in py python3 python; do
if command -v "$py" >/dev/null 2>&1; then
VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
fi
done
fi
[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] vault_path not set in $IDENTITY_FILE and VAULT_PATH env var not set" >&2; exit 3; }
[[ ! -d "$VAULT_ROOT" ]] && { echo "[ERROR] vault not found at $VAULT_ROOT (check vault_path in $IDENTITY_FILE)" >&2; exit 3; }
# ── Step 1: Get Management app client secret ──────────────────────────────────
echo "[INFO] Reading Management app secret from vault..."