# ClaudeTools Windows Bootstrap & Recovery Runbook

Rebuild this workstation (GURU-5070, Lenovo Legion Pro 7 16IAX10H) after a clean Windows reset. Everything here is driven by two scripts in this folder:

- `windows-bootstrap.ps1` — installs tools, restores secrets, clones repos, wires tasks
- `restore-secrets.ps1` — copies secrets/identity from the recovery bundle back into place

The recovery bundle lives on the removable drives:

| Drive | Label | Holds |
|-------|---------|-------|
| **E:** | (FAT32) | `claudetools-recovery\` — secrets + identity + manifests (redundant copy) |
| **F:** | Ventoy | `claudetools-recovery\` — same bundle **plus** `data\` (large client data) |

> F: is also a bootable rescue stick (SystemRescue, Boot Repair) — keep it; it can
> help fix the machine. The bundle lives in `F:\claudetools-recovery\`, Ventoy is untouched.

---

## What's in the bundle (and why it can't just be re-cloned)

`claudetools-recovery\`

- `secrets\`
  - `sops-age\keys.txt` — **THE most critical file.** The SOPS age private key. Without it the entire vault (`D:\vault`) is permanently undecryptable. Not stored in any repo.
  - `ssh\` — `id_ed25519` (+pub), `pst-cc-ucg` (+pub), `config`, `known_hosts`
  - `claude\` — `.claude.json`, `.credentials.json` (Claude Code login), settings, keybindings, statusline
  - `grok\` — `auth.json`, `config.toml`, `agent_id`
  - `gemini\` — `oauth_creds.json`, `google_accounts.json`, settings, installation_id
  - `git\.gitconfig`, `powershell\Microsoft.PowerShell_profile.ps1`
- `identity\` — repo-local gitignored files: `identity.json`, `settings.local.json`, `current-mode`, `coord-broadcasts-seen`, `mcp.json`, `.claude/state\`, ticktick tokens, dataforth oauth
- `config\` — Windows Terminal settings, fleet `hosts` file, quote-wizard `.env.production`
- `manifests\` — `installed-tools.txt`, `ollama-models.txt`, `git-global-config.txt`, `repos.txt`, `user-environment.reg` / `.txt` (incl. `OLLAMA_MODELS`/`OLLAMA_HOST`/`PROTOC`), `scheduled-tasks\*.xml`
- `at-risk-work\` — local-only WIP rescued from the submodules (not on any remote): guru-rmm stashes as `.patch` files + guru-connect `tmp-spec018.diff`. The bootstrap re-applies these automatically in Phase 6 (`restore-at-risk-work.ps1`) — the guru-rmm ones are put back **as stashes** (`git stash list`), the guru-connect diff is dropped back as its untracked working file. See `RESTORE-at-risk-work.txt` for manual steps.
- `data\` (F: only) — large non-Gitea client/project data, repo-relative paths

Everything else (all tracked code, skills, commands, docs, session logs, wiki) comes back from Gitea on clone — no need to back it up.

---

## Fast path (one shot)

From an **elevated PowerShell**, with E: or F: plugged in:

```powershell
# copy the script off the drive first (so it survives a re-clone)
Copy-Item F:\claudetools-recovery\bootstrap\windows-bootstrap.ps1 $env:TEMP\boot.ps1
& $env:TEMP\boot.ps1 -SkipModels
# or just run directly:
F:\claudetools-recovery\bootstrap\windows-bootstrap.ps1 -SkipModels
```

`-SkipModels` defers the ~50 GB Ollama downloads. Drop it (or run Phase 8 later) when you want them. Add `-RestoreData` to also pull back the large client data from `F:\...\data`.

The script is **idempotent** — safe to re-run; it skips anything already done. To run just part of it: `-OnlyPhases "1,2,3"`.

---

## Manual path (if you'd rather do it by hand)

1. **Install App Installer** (winget) from the Microsoft Store if missing.
2. **Core tools** (winget ids): `Git.Git`, `OpenJS.NodeJS.LTS`, `Python.Python.3.14`, `Rustlang.Rustup`, `Microsoft.VisualStudioCode`, `Ollama.Ollama`, `jqlang.jq`, `SecretsOPerationS.SOPS`, `FiloSottile.age`, `GitHub.cli`, `AgileBits.1Password.CLI`, `Microsoft.DotNet.SDK.8`, `Google.Protobuf`, `oschwartz10612.Poppler`, `Tailscale.Tailscale`

   Then `dotnet tool install --global wix` (MSI builds).

   Set env: `OLLAMA_MODELS=D:\OllamaModels`, `OLLAMA_HOST=0.0.0.0:11434`, `PROTOC=`.
3. **AI CLIs:**
   - Claude: `irm https://claude.ai/install.ps1 | iex` → `~/.local/bin/claude.exe`
   - Gemini: `npm install -g @google/gemini-cli`
   - Grok: `bash -c "curl -fsSL https://x.ai/cli/install.sh | bash"` (Git Bash)
4. **Restore home secrets:** `F:\claudetools-recovery\bootstrap\restore-secrets.ps1 -Group home`
5. **Clone repos:**

   ```
   git clone https://git.azcomputerguru.com/azcomputerguru/claudetools.git D:\claudetools
   cd D:\claudetools; git submodule update --init --recursive
   git clone https://git.azcomputerguru.com/azcomputerguru/vault.git D:\vault
   ```

   (On-network you can use `http://172.16.3.20:3000/...` to bypass the SSL-renewal blips.)
6. **Restore identity:** `restore-secrets.ps1 -Group repo`
7. **Ollama models (proper set for this 12 GB-VRAM laptop):** `ollama pull nomic-embed-text:latest` (GrepAI embeddings) and `ollama pull qwen3:8b` (prose_model). Models live on `D:\OllamaModels` (47.8 GB) — **if D: survived the reset they're already there, skip this.** Heavy extras (`qwen3:14b`, `codestral:22b`, `qwen3.6:latest`) are opt-in only; they over-saturate 12 GB VRAM.
8. **Scheduled tasks:** import each XML in `manifests\scheduled-tasks\` via `Register-ScheduledTask -Xml (Get-Content x.xml -Raw) -TaskName "..."`.
9. **Verify:** `D:\claudetools\.claude\scripts\onboarding-diagnostic.ps1`, then `/self-check` in Claude Code.

---

## Post-install: things that need an interactive login

Auth tokens are backed up, but some expire. If a tool says it's unauthenticated:

- **Claude Code:** run `claude`, then `/login` (browser).
- **GitHub CLI:** `gh auth login`
- **1Password:** `op signin`
- **Gemini:** launch `gemini`, complete the Google OAuth browser flow.
- **Grok:** `grok login` (tokens expire after 7 days).
- **Gitea git push:** uses the Windows Credential Manager (`credential.helper=manager`). First push prompts for the shared `azcomputerguru` account. **Do NOT** bake the password into the remote URL (the old `D:\work\gururmm` clone did — reset it to a clean URL).

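
To check the Gitea remotes for the embedded-password problem called out above, the following added example (not one of the runbook's scripts) lists every remote whose URL carries `user:password@` and, with `-Fix`, rewrites it to the clean URL. The function names and the repo list passed at the end are assumptions based on paths mentioned in this runbook.

```powershell
# Added example, not part of the bootstrap scripts. Function names are hypothetical;
# the repo paths in the call at the bottom are taken from this runbook.

function Remove-UrlPassword {
    param([Parameter(Mandatory)][string]$Url)
    # Strip "user:password@" from http(s) URLs. A "host:port" URL has no "@" before
    # the first "/", so it is left alone, as are ssh and scp-style remotes.
    $Url -replace '^(https?://)[^/:@]*:[^/]*@', '$1'
}

function Repair-GitRemoteCredentials {
    param([Parameter(Mandatory)][string[]]$RepoPath, [switch]$Fix)
    foreach ($repo in $RepoPath) {
        # .git is a directory in a normal clone and a file in a submodule; both pass.
        if (-not (Test-Path -LiteralPath (Join-Path $repo '.git'))) { continue }
        # Each output line is "<key> <url>", e.g. "remote.origin.url https://..."
        $lines = git -C $repo config --local --get-regexp '^remote\..*\.(push)?url$'
        foreach ($line in $lines) {
            $key, $url = $line -split ' ', 2
            $clean = Remove-UrlPassword -Url $url
            if ($clean -eq $url) { continue }
            if ($Fix) { git -C $repo config --local $key $clean }
            # Emit only the cleaned URL so the password never reaches the console or a log.
            [pscustomobject]@{ Repo = $repo; Key = $key; CleanUrl = $clean; Fixed = [bool]$Fix }
        }
    }
}

# Report only; add -Fix to rewrite the offending remotes in place.
Repair-GitRemoteCredentials -RepoPath 'D:\claudetools', 'D:\vault', 'D:\work\gururmm' |
    Format-Table -AutoSize
```

A password found this way has been sitting in clear text in `.git\config`, so rotate it after cleaning the URL.
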
## Verify the vault decrypts (proves the age key restored correctly)

```
bash D:/claudetools/.claude/scripts/vault.sh list
bash D:/claudetools/.claude/scripts/vault.sh get-field projects/claudetools/database.sops.yaml credentials.password
```

If that returns the password, recovery succeeded. If it errors about decryption, the age key at `%APPDATA%\sops\age\keys.txt` and `~/.config/sops/age/keys.txt` is missing/wrong.

---

## Refreshing this bundle later

Re-run the backup any time (it's just file copies): `D:\claudetools\.claude\bootstrap\backup-to-bundle.ps1` (writes to E: and F:).
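
After a refresh, or when the vault check above fails, the following added example (not one of the runbook's scripts) compares the E: and F: bundle copies file by file and checks that both installed age key locations match the bundled `keys.txt`. It compares SHA-256 hashes only and never prints key material; the function names are assumptions, and the paths are the ones named in this runbook.

```powershell
# Added example, not part of the bootstrap scripts. Function names are hypothetical.
# 'data' is excluded from the comparison because it exists on F: only.

function Get-TreeHashes {
    param([Parameter(Mandatory)][string]$Root, [string[]]$ExcludeTop = @())
    $rootPath = (Resolve-Path -LiteralPath $Root -ErrorAction Stop).Path.TrimEnd('\')
    $map = @{}   # relative path -> SHA-256 (keys are case-insensitive, like NTFS/FAT32)
    Get-ChildItem -LiteralPath $rootPath -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($rootPath.Length + 1)
        if ($ExcludeTop -contains ($rel -split '\\')[0]) { return }
        $map[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $map
}

function Compare-Bundle {
    param([string]$Left = 'E:\claudetools-recovery', [string]$Right = 'F:\claudetools-recovery')
    $l = Get-TreeHashes -Root $Left  -ExcludeTop 'data'
    $r = Get-TreeHashes -Root $Right -ExcludeTop 'data'
    foreach ($rel in (@($l.Keys) + @($r.Keys) | Sort-Object -Unique)) {
        if     (-not $l.ContainsKey($rel)) { $state = 'MissingLeft' }
        elseif (-not $r.ContainsKey($rel)) { $state = 'MissingRight' }
        elseif ($l[$rel] -ne $r[$rel])     { $state = 'Differs' }
        else   { continue }   # identical on both drives
        [pscustomobject]@{ Path = $rel; State = $state }
    }
}

function Test-AgeKeyRestored {
    param([string]$BundleKey = 'F:\claudetools-recovery\secrets\sops-age\keys.txt')
    $want = (Get-FileHash -LiteralPath $BundleKey -Algorithm SHA256).Hash
    $targets = @(
        (Join-Path $env:APPDATA 'sops\age\keys.txt'),
        (Join-Path $HOME '.config\sops\age\keys.txt')
    )
    foreach ($t in $targets) {
        $ok = (Test-Path -LiteralPath $t) -and
              ((Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash -eq $want)
        [pscustomobject]@{ Path = $t; MatchesBundle = $ok }
    }
}

Compare-Bundle      | Format-Table -AutoSize   # no rows means the two copies agree
Test-AgeKeyRestored | Format-Table -AutoSize   # both rows should show MatchesBundle = True
```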