claudetools/.claude/vault-setup-mac.md
Mike Swanson cae7b63481 docs: vault setup procedure for Mac
Documents authentication blocker for vault clone on Mac.
Provides step-by-step setup instructions for future vault access.

Vault sync from Windows is complete - Mac setup is optional.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-21 19:28:38 -07:00


Vault Setup on Mac (Mikes-MacBook-Air.local)

Status: Blocked on authentication
Created: 2026-04-21
Purpose: Enable remediation-tool SOPS credential access on Mac


Current State

Vault repo: NOT cloned on this Mac
identity.json: Missing vault_path field
Remediation-tool: Cannot acquire tokens (no vault access)


What's Needed

Step 1: Clone Vault Repository

Vault URL: http://172.16.3.20:3000/azcomputerguru/vault.git

Authentication required. Options:

Option A: Use Gitea credentials (interactive)

git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
# Will prompt for password

Option B: Use stored credentials

If you have git credential helper configured:

git config --global credential.helper osxkeychain
git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault

Option C: Use SSH (if keys configured)

git clone git@172.16.3.20:azcomputerguru/vault.git ~/vault

Step 2: Add vault_path to identity.json

File: /Users/azcomputerguru/ClaudeTools/.claude/identity.json

Add the vault_path field (the last entry below):

{
  "user": "mike",
  "full_name": "Mike Swanson",
  "email": "mike@azcomputerguru.com",
  "role": "admin",
  "machine": "Mikes-MacBook-Air",
  "mode": "general",
  "last_updated": "2026-04-19T08:40:00Z",
  "vault_path": "/Users/azcomputerguru/vault"
}

Step 3: Verify SOPS Files Are Present

ls -la ~/vault/msp-tools/computerguru-*.sops.yaml

Expected: 5 files

  • computerguru-security-investigator.sops.yaml
  • computerguru-exchange-operator.sops.yaml
  • computerguru-user-manager.sops.yaml
  • computerguru-tenant-admin.sops.yaml
  • computerguru-defender-addon.sops.yaml

Step 4: Configure SOPS

Check if age key exists:

test -f ~/.config/sops/age/keys.txt && echo "Age key exists" || echo "Need age key"

If age key is missing: You'll need the SOPS age private key from DESKTOP-0O8A1RL or ACG-Tech03L.

Location on Windows: C:\Users\<username>\.config\sops\age\keys.txt

Copy the private key to Mac:

mkdir -p ~/.config/sops/age
# Copy keys.txt content to ~/.config/sops/age/keys.txt
chmod 600 ~/.config/sops/age/keys.txt

Step 5: Test Token Acquisition

cd /Users/azcomputerguru/ClaudeTools/.claude/skills/remediation-tool/scripts
./get-token.sh grabblaw.com investigator

Expected output: A JWT token (long string starting with eyJ...)

If it fails:

  • Check vault_path in identity.json
  • Verify SOPS files exist
  • Verify age key is configured
  • Check file permissions
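
The four checks in the list above, combined into one preflight to run before get-token.sh. This is an added example, not part of the original document or the remediation-tool scripts; the vault_preflight function and its exit codes are hypothetical, and the sed extraction assumes the flat identity.json layout shown in Step 2.

```shell
#!/bin/sh
# Added example: preflight for the Step 5 troubleshooting list.
# vault_preflight is a hypothetical helper, not part of remediation-tool.
# Usage: vault_preflight [identity.json] [age keys.txt] [expected SOPS file count]
# Returns 0 when every check passes; 1-4 identify the first failing check.
# Typical use: vault_preflight && ./get-token.sh grabblaw.com investigator
vault_preflight() {
    identity=${1:-/Users/azcomputerguru/ClaudeTools/.claude/identity.json}
    keyfile=${2:-$HOME/.config/sops/age/keys.txt}
    expected=${3:-5}

    # 1. vault_path in identity.json (assumes one "key": "value" pair per line)
    vault=$(sed -n 's/.*"vault_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$identity" 2>/dev/null) || vault=""
    if [ -z "$vault" ] || [ ! -d "$vault" ]; then
        echo "FAIL: vault_path missing from $identity or not a directory" >&2
        return 1
    fi

    # 2. SOPS files exist (Step 3 expects 5); an unmatched glob counts as 0
    count=0
    for f in "$vault"/msp-tools/computerguru-*.sops.yaml; do
        if [ -f "$f" ]; then count=$((count + 1)); fi
    done
    if [ "$count" -ne "$expected" ]; then
        echo "FAIL: found $count SOPS files, expected $expected" >&2
        return 2
    fi

    # 3. age key configured; only presence is tested, the key is never printed
    if [ ! -s "$keyfile" ]; then
        echo "FAIL: no age key at $keyfile" >&2
        return 3
    fi

    # 4. File permissions: 600 as set in Step 4 (GNU stat first, then BSD/macOS)
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $keyfile has mode $mode, expected 600" >&2
        return 4
    fi

    echo "OK: vault=$vault, $count SOPS files, age key present with mode 600"
}
```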

Test Results (Attempted 2026-04-21)

Clone attempt 1:

git clone http://172.16.3.20:3000/azcomputerguru/vault.git ~/vault
→ fatal: could not read Username for 'http://172.16.3.20:3000': Device not configured

Clone attempt 2:

git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
→ fatal: could not read Password for 'http://azcomputerguru@172.16.3.20:3000': Device not configured

Blocker: Git on Mac cannot prompt for credentials in this terminal session.

Workaround needed: Configure credential helper or use SSH authentication.


Why This Matters

Once vault is set up on Mac:

  • Can test remediation-tool locally
  • Can run breach checks without switching to Windows
  • Full parity with Windows/Howard's machines
  • Validates that vault sync from Windows worked

Current capability:

  • remediation-tool scripts are executable ✓
  • get-token.sh bugs are fixed ✓
  • Vault wrapper logic is correct ✓
  • Blocked only by vault clone authentication

Alternative: Test on Windows

If Mac vault setup is low priority, the vault sync can be validated on Windows:

cd D:\vault
git pull origin main
ls D:\vault\msp-tools\computerguru-*.sops.yaml

cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts
bash get-token.sh grabblaw.com investigator

This should return a JWT token, proving the vault sync worked.


Next action:

  • If Mac needs remediation-tool: Set up vault clone with proper authentication
  • If Mac is just for testing: Test vault sync on Windows instead
  • If vault not needed on Mac: Skip this setup entirely

Priority: LOW - Windows already has working vault + remediation-tool