# Vault Setup on Mac (Mikes-MacBook-Air.local)

**Status:** Blocked on authentication
**Created:** 2026-04-21
**Purpose:** Enable remediation-tool SOPS credential access on Mac

---

## Current State

**Vault repo:** NOT cloned on this Mac
**identity.json:** Missing `vault_path` field
**Remediation-tool:** Cannot acquire tokens (no vault access)

---

## What's Needed

### Step 1: Clone Vault Repository

**Vault URL:** `http://172.16.3.20:3000/azcomputerguru/vault.git`

**Authentication required.** Options:

**Option A: Use Gitea credentials (interactive)**

```bash
git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
# Will prompt for password
```

**Option B: Use stored credentials**

If you have git credential helper configured:

```bash
git config --global credential.helper osxkeychain
git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
```

**Option C: Use SSH (if keys configured)**

```bash
git clone git@172.16.3.20:azcomputerguru/vault.git ~/vault
```

### Step 2: Add vault_path to identity.json

**File:** `/Users/azcomputerguru/ClaudeTools/.claude/identity.json`

**Add this field:**

```json
{
  "user": "mike",
  "full_name": "Mike Swanson",
  "email": "mike@azcomputerguru.com",
  "role": "admin",
  "machine": "Mikes-MacBook-Air",
  "mode": "general",
  "last_updated": "2026-04-19T08:40:00Z",
  "vault_path": "/Users/azcomputerguru/vault"
}
```

### Step 3: Verify SOPS Files Are Present

```bash
ls -la ~/vault/msp-tools/computerguru-*.sops.yaml
```

**Expected: 5 files**

- computerguru-security-investigator.sops.yaml
- computerguru-exchange-operator.sops.yaml
- computerguru-user-manager.sops.yaml
- computerguru-tenant-admin.sops.yaml
- computerguru-defender-addon.sops.yaml

### Step 4: Configure SOPS

**Check if age key exists:**

```bash
test -f ~/.config/sops/age/keys.txt && echo "Age key exists" || echo "Need age key"
```

**If age key is missing:**

You'll need the SOPS age private key from DESKTOP-0O8A1RL or ACG-Tech03L.
**Location on Windows:** `C:\Users\\.config\sops\age\keys.txt`

Copy the private key to Mac:

```bash
mkdir -p ~/.config/sops/age
# Copy keys.txt content to ~/.config/sops/age/keys.txt
chmod 600 ~/.config/sops/age/keys.txt
```

### Step 5: Test Token Acquisition

```bash
cd /Users/azcomputerguru/ClaudeTools/.claude/skills/remediation-tool/scripts
./get-token.sh grabblaw.com investigator
```

**Expected output:** A JWT token (long string starting with `eyJ...`)

**If it fails:**

- Check vault_path in identity.json
- Verify SOPS files exist
- Verify age key is configured
- Check file permissions

---

## Test Results (Attempted 2026-04-21)

**Clone attempt 1:**

```
git clone http://172.16.3.20:3000/azcomputerguru/vault.git ~/vault
→ fatal: could not read Username for 'http://172.16.3.20:3000': Device not configured
```

**Clone attempt 2:**

```
git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
→ fatal: could not read Password for 'http://azcomputerguru@172.16.3.20:3000': Device not configured
```

**Blocker:** Git on Mac cannot prompt for credentials in this terminal session.

**Workaround needed:** Configure credential helper or use SSH authentication.

---

## Why This Matters

**Once vault is set up on Mac:**

- Can test remediation-tool locally
- Can run breach checks without switching to Windows
- Full parity with Windows/Howard's machines
- Validates that vault sync from Windows worked

**Current capability:**

- remediation-tool scripts are executable ✓
- get-token.sh bugs are fixed ✓
- Vault wrapper logic is correct ✓
- **Blocked only by vault clone authentication** ✗

---

## Alternative: Test on Windows

If Mac vault setup is low priority, the vault sync can be validated on Windows:

```bash
# Forward slashes are used so the paths resolve in Git Bash as well as PowerShell
# (an unquoted backslash is an escape character in bash).
cd D:/vault
git pull origin main
ls D:/vault/msp-tools/computerguru-*.sops.yaml

cd D:/ClaudeTools/.claude/skills/remediation-tool/scripts
bash get-token.sh grabblaw.com investigator
```

This should return a JWT token, proving the vault sync worked.
---

**Next action:**

- **If Mac needs remediation-tool:** Set up vault clone with proper authentication
- **If Mac is just for testing:** Test vault sync on Windows instead
- **If vault not needed on Mac:** Skip this setup entirely

**Priority:** LOW - Windows already has working vault + remediation-tool
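
---

The four checks listed under "If it fails" in Step 5 can be run as one preflight before calling `get-token.sh`. This is an added example, not part of the remediation-tool scripts; the function names `vault_preflight` and `file_mode` are hypothetical, and the file names are the five expected in Step 3.

```bash
# Preflight for Step 5: vault_path, the five SOPS files, and the age key.
# Added example; function names and argument order are this example's own.
ROLES="security-investigator exchange-operator user-manager tenant-admin defender-addon"

# Print a file's octal mode (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# vault_preflight IDENTITY_JSON AGE_KEY_FILE
# Prints one line per problem and returns the number of problems found.
vault_preflight() {
  local identity="$1" key="$2" problems=0 vault role f mode

  # 1. vault_path must be set in identity.json and point at a directory.
  vault=$(sed -n 's/.*"vault_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$identity" 2>/dev/null)
  if [ -z "$vault" ]; then
    echo "FAIL: no vault_path in $identity"; problems=$((problems + 1))
  elif [ ! -d "$vault" ]; then
    echo "FAIL: vault_path $vault is not a directory"; problems=$((problems + 1))
  else
    # 2. Each of the five expected SOPS files must exist under msp-tools/.
    for role in $ROLES; do
      f="$vault/msp-tools/computerguru-$role.sops.yaml"
      [ -f "$f" ] || { echo "FAIL: missing $f"; problems=$((problems + 1)); }
    done
  fi

  # 3 and 4. The age key must exist with no group/other permission bits.
  if [ ! -f "$key" ]; then
    echo "FAIL: age key $key not found"; problems=$((problems + 1))
  else
    mode=$(file_mode "$key")
    case "$mode" in
      *00) ;;  # e.g. 600 or 400
      *) echo "FAIL: $key has mode $mode, expected 600"; problems=$((problems + 1)) ;;
    esac
  fi

  [ "$problems" -eq 0 ] && echo "OK: vault, SOPS files and age key look ready"
  return "$problems"
}

# Usage on the Mac described above:
# vault_preflight /Users/azcomputerguru/ClaudeTools/.claude/identity.json ~/.config/sops/age/keys.txt
```

A non-zero exit status is the count of failed checks, so the call can gate `./get-token.sh` with `&&`.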