# URGENT: Vault Path Variable Collision Bug

**Date:** 2026-04-21
**Severity:** CRITICAL - Blocks all remediation-tool usage
**Affected:** All machines (DESKTOP-0O8A1RL, ACG-Tech03L, Mikes-MacBook-Air)
**Discovered on:** Mikes-MacBook-Air during vault wrapper testing

---

## TL;DR for Windows Laptop

**BEFORE doing Howard's vault sync task, fix this bug first:**

The recent vault portability changes introduced a variable name collision in `get-token.sh` that breaks token acquisition on all machines.

**Quick fix (2 minutes):**

1. Open `.claude/skills/remediation-tool/scripts/get-token.sh`
2. Rename the `VAULT_PATH` environment variable to `VAULT_ROOT_ENV`
3. Test: `./get-token.sh grabblaw.com investigator`
4. If working, commit the fix and push
5. THEN proceed with Howard's vault sync task

---

## Bug Details

### Root Cause

**Variable name collision in get-token.sh around lines 87-95:**

```bash
# PROBLEM: VAULT_PATH is used for TWO different things

# Lines ~40-70: VAULT_PATH stores the SOPS file relative path
case "$TIER" in
  investigator)
    CLIENT_ID="bfbc12a4-f0dd-4e12-b06d-997e7271e10c"
    VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml"  # <-- SOPS file path
    SCOPE_URL="https://graph.microsoft.com/.default"
    ;;
  ...
esac

# Lines ~87-95: VAULT_PATH is ALSO used as the environment variable for the vault root
VAULT_ROOT="${VAULT_PATH:-}"  # <-- BUG: This gets the SOPS path, not the vault root!
if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
  for py in py python3 python; do
    if command -v "$py" >/dev/null 2>&1; then
      VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
    fi
  done
fi
```

**Result:** `VAULT_ROOT` is set to `msp-tools/computerguru-security-investigator.sops.yaml` instead of the vault directory path. Because the SOPS path is never empty, the `identity.json` lookup is skipped entirely.
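As an added example (not the project's `get-token.sh`), the script below reproduces the collision described above and the Step 1 fix side by side, using a constructed `identity.json` and vault directory. The `sed`-based `vault_path` lookup stands in for the page's python one-liner and assumes key and value sit on one line.

```shell
#!/usr/bin/env bash
# Added example, not the project's get-token.sh: reproduces the VAULT_PATH
# collision and shows the corrected lookup that reads vault_path from
# identity.json and honours the separately named override VAULT_ROOT_ENV.
set -eu

# Constructed stand-ins for the vault directory and .claude/identity.json.
WORK="$(mktemp -d)"
mkdir -p "$WORK/vault/msp-tools"
IDENTITY_FILE="$WORK/identity.json"
printf '{\n  "user": "mike",\n  "vault_path": "%s"\n}\n' "$WORK/vault" > "$IDENTITY_FILE"

# Read vault_path from identity.json. The real script uses a python json
# one-liner; this sed stand-in assumes key and value sit on one line.
read_vault_path_from_identity() {
  sed -n 's/.*"vault_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$IDENTITY_FILE"
}

# Tier -> SOPS file path relative to the vault root (only the tier shown on the page).
sops_path_for_tier() {
  case "$1" in
    investigator) echo "msp-tools/computerguru-security-investigator.sops.yaml" ;;
    *) echo "unknown tier: $1" >&2; return 1 ;;
  esac
}

# Buggy lookup: VAULT_PATH already holds the SOPS relative path, so the
# "override" is never empty and identity.json is never consulted.
resolve_vault_root_buggy() {
  VAULT_PATH="$(sops_path_for_tier "$1")"
  VAULT_ROOT="${VAULT_PATH:-}"
  if [ -z "$VAULT_ROOT" ]; then VAULT_ROOT="$(read_vault_path_from_identity)"; fi
  echo "$VAULT_ROOT"
}

# Fixed lookup: the override has its own name, so identity.json is consulted
# whenever VAULT_ROOT_ENV is unset, and the result must be an existing directory.
resolve_vault_root_fixed() {
  VAULT_PATH="$(sops_path_for_tier "$1")"
  VAULT_ROOT="${VAULT_ROOT_ENV:-}"
  if [ -z "$VAULT_ROOT" ]; then VAULT_ROOT="$(read_vault_path_from_identity)"; fi
  if [ -z "$VAULT_ROOT" ]; then echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; return 3; fi
  if [ ! -d "$VAULT_ROOT" ]; then echo "ERROR: vault not found at $VAULT_ROOT" >&2; return 3; fi
  echo "$VAULT_ROOT"
}

# The buggy lookup yields the SOPS file path (the observed "vault not found" failure);
# the fixed one yields the directory from identity.json, to which the SOPS path is appended.
echo "buggy:  $(resolve_vault_root_buggy investigator)"
echo "fixed:  $(resolve_vault_root_fixed investigator)/$(sops_path_for_tier investigator)"
```

Setting `VAULT_ROOT_ENV` to a directory overrides `identity.json` in the fixed lookup, and pointing it at a non-existent directory reproduces the same "vault not found" error on the correct value.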
### Observed Failure

```bash
$ ./get-token.sh cascadestucson.com investigator
ERROR: vault not found at msp-tools/computerguru-security-investigator.sops.yaml (check vault_path in /Users/azcomputerguru/ClaudeTools/.claude/identity.json)
```

The script is checking whether `msp-tools/computerguru-security-investigator.sops.yaml` exists as a directory, which fails.

---

## Remediation Steps

### Step 1: Fix Variable Name Collision

**File:** `.claude/skills/remediation-tool/scripts/get-token.sh`

**Find (around line 87):**

```bash
VAULT_ROOT="${VAULT_PATH:-}"
```

**Replace with:**

```bash
VAULT_ROOT="${VAULT_ROOT_ENV:-}"
```

**And update the error message (around line 95):**

```bash
[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; exit 3; }
```

**Purpose:** Separates the SOPS file path variable (`VAULT_PATH`) from the vault root override environment variable (now `VAULT_ROOT_ENV`).

### Step 2: Add vault_path to identity.json

**File:** `.claude/identity.json` (on DESKTOP-0O8A1RL)

**Add this field:**

```json
{
  "user": "mike",
  "full_name": "Mike Swanson",
  "email": "mike@azcomputerguru.com",
  "role": "admin",
  "machine": "DESKTOP-0O8A1RL",
  "vault_path": "D:/vault"
}
```

**On ACG-Tech03L (Howard's machine), the path is likely:**

```json
"vault_path": "D:/vault"
```

**On Mikes-MacBook-Air (if the vault is cloned later):**

```json
"vault_path": "/Users/azcomputerguru/vault"
```

### Step 3: Test the Fix

**On DESKTOP-0O8A1RL:**

```bash
# Forward slashes: in bash an unquoted backslash path (D:\ClaudeTools\...) has its backslashes stripped
cd D:/ClaudeTools/.claude/skills/remediation-tool/scripts

# Test with a fully onboarded tenant
bash get-token.sh grabblaw.com investigator

# Should output a JWT token (long string starting with eyJ...)
# Or at least get past the vault path error
```

**Expected success output:**

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...
```

**If still failing, check:**

1. Is `D:/vault/scripts/vault.sh` present?
2. Does `D:/vault/msp-tools/computerguru-security-investigator.sops.yaml` exist?
3. Is SOPS configured with the correct age key?

### Step 4: Commit and Sync

```bash
cd D:/ClaudeTools
git add .claude/skills/remediation-tool/scripts/get-token.sh
git commit -m "fix: vault path variable collision in get-token.sh

Renamed VAULT_PATH env var to VAULT_ROOT_ENV to avoid collision with
the SOPS file path variable. Fixes token acquisition on all machines.

Bug discovered during Mac testing 2026-04-21.

Co-Authored-By: Claude Sonnet 4.5 "
git push origin main
```

### Step 5: Notify Howard

Once fixed and pushed, tell Howard to:

1. Pull ClaudeTools: `cd C:\ClaudeTools && git pull`
2. Add `vault_path` to his `.claude/identity.json`
3. Test: `bash get-token.sh grabblaw.com investigator`

---

## After This Fix - Original Vault Sync Task

**THEN proceed with Howard's vault sync request:**

1. Navigate to `D:\vault`
2. Verify the 5 new-tier SOPS files exist in `D:\vault\msp-tools\`
3. Git add, commit, push to the vault repo
4. Notify Howard to pull the vault on ACG-Tech03L

---

## Why This Happened

The recent portability improvements (commits 0a7cd6b and a86df11) added per-machine vault path support via `identity.json`. The implementation correctly updated `.claude/scripts/vault.sh` but inadvertently created a variable name collision in `get-token.sh` by reusing `VAULT_PATH` for both:

- The SOPS file relative path (existing usage)
- The environment variable override (new usage)

This is a regression introduced in the last 2 commits from DESKTOP-0O8A1RL.
---

## Testing Checklist

After applying the fix:

- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator`
- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator-exo`
- [ ] All 5 tiers work: investigator, investigator-exo, user-manager, tenant-admin, defender
- [ ] Vault wrapper works: `bash .claude/scripts/vault.sh list`
- [ ] Howard can pull and test on ACG-Tech03L (after vault sync)
- [ ] Mac can test once the vault is cloned there

---

## Impact Assessment

**Blocked operations until fixed:**

- All remediation-tool token acquisition
- All breach checks via the remediation-tool skill
- Howard's Cascades spoofing hunt (double-blocked: this bug + missing SOPS files)
- Any tenant investigation work

**Urgency:** Fix immediately before attempting the vault sync task.

---

**Created:** 2026-04-21 19:10 (Mac session)
**Status:** URGENT - Needs Windows laptop remediation
**Next session:** Read this file first, apply the fix, test, commit, then do the vault sync