"""
Shared SOPS vault credential retrieval utility.

Usage:
    from vault_utils import vault_get

    password = vault_get("projects/claudetools/database.sops.yaml", "credentials.password")
"""
import subprocess


VAULT_SCRIPT = "D:/vault/scripts/vault.sh"


def vault_get(path, field):
    """Get a credential from the SOPS vault.

    Args:
        path: Vault entry path (e.g. "projects/claudetools/database.sops.yaml")
        field: Dot-separated field path (e.g. "credentials.password")

    Returns:
        The decrypted field value as a string.

    Raises:
        RuntimeError: If the vault command fails.
    """
    result = subprocess.run(
        ["bash", VAULT_SCRIPT, "get-field", path, field],
        capture_output=True, text=True
    )
    if result.returncode != 0:
        raise RuntimeError(f"Failed to get {field} from vault: {result.stderr.strip()}")
    return result.stdout.strip()