# /vault — Consistent SOPS vault operations

The one canonical way to read, store, update, and verify secrets in the ClaudeTools SOPS+age
vault. Use instead of raw `sops` or guessed paths. Full reference: `.claude/skills/vault/SKILL.md`.

## Quick reference

```bash
# READ
bash .claude/scripts/vault.sh get        <path>
bash .claude/scripts/vault.sh get-field  <path> credentials.api_key
bash .claude/scripts/vault.sh search     <query>
bash .claude/scripts/vault.sh list       [subdir]

# STORE / UPDATE (non-interactive — these work in this harness; `vault edit` does not)
bash .claude/skills/vault/scripts/vault-helper.sh new <path> --kind api-key \
     --name "..." [--url ..] [--tag ..] --set api_key=SECRET [--set username=foo]
bash .claude/skills/vault/scripts/vault-helper.sh set <path> --set password=NEW

# VERIFY (after any write, before any commit)
bash .claude/skills/vault/scripts/vault-helper.sh verify <path>
bash .claude/skills/vault/scripts/vault-helper.sh check  [subdir]

# PUBLISH
bash .claude/scripts/sync.sh        # Phase 6 commits + pushes the vault repo
```

## Rules (non-negotiable)

1. Never paste a secret into chat / ticket / commit / channel — share the vault path instead.
2. Secrets ALWAYS go under `credentials:` (only those keys get encrypted; anything else = plaintext).
3. Use the scripts above — never hand-roll `sops` + a guessed path, never use `VAULT_ROOT_ENV` for vault access.
4. Finish: write → `verify` → publish (sync). Don't hand off the push.

Paths are vault-root-relative (`clients/<slug>/...`, `msp-tools/...`, `infrastructure/...`,
`services/...`), with or without `.sops.yaml`.