# /vault — Consistent SOPS vault operations

The one canonical way to read, store, update, and verify secrets in the ClaudeTools SOPS+age
vault. Use instead of raw `sops` or guessed paths. Full reference: `.claude/skills/vault/SKILL.md`.

## Quick reference

```bash
# READ
bash .claude/scripts/vault.sh get <path>
bash .claude/scripts/vault.sh get-field <path> credentials.api_key
bash .claude/scripts/vault.sh search <query>
bash .claude/scripts/vault.sh list [subdir]

# STORE / UPDATE (non-interactive — these work in this harness; `vault edit` does not)
bash .claude/skills/vault/scripts/vault-helper.sh new <path> --kind api-key \
    --name "..." [--url ..] [--tag ..] --set api_key=SECRET [--set username=foo]
bash .claude/skills/vault/scripts/vault-helper.sh set <path> --set password=NEW

# VERIFY (after any write, before any commit)
bash .claude/skills/vault/scripts/vault-helper.sh verify <path>
bash .claude/skills/vault/scripts/vault-helper.sh check [subdir]

# PUBLISH
bash .claude/scripts/sync.sh   # Phase 6 commits + pushes the vault repo
```

## Rules (non-negotiable)

1. Never paste a secret into chat / ticket / commit / channel — share the vault path instead.
2. Secrets ALWAYS go under `credentials:` (only those keys get encrypted; anything else = plaintext).
3. Use the scripts above — never hand-roll `sops` + a guessed path, never use `VAULT_ROOT_ENV` for vault access.
4. Finish: write → `verify` → publish (sync). Don't hand off the push.

Paths are vault-root-relative (`clients/<slug>/...`, `msp-tools/...`, `infrastructure/...`,
`services/...`), with or without `.sops.yaml`.
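Rule 2 in checkable form, as an added example that is not one of the vault scripts: a shell lint that rejects a vault file whose `credentials:` values are not already encrypted on disk, or that carries a secret-looking key outside `credentials:`. It assumes the vault's SOPS config encrypts only the `credentials` key (as the rule states), that `awk` is available, and that entries use the flat key/value layout of the constructed samples; the key-name pattern is a constructed heuristic.

```shell
# Added example, not one of the vault scripts: lint an on-disk vault file for rule 2.
# Assumes SOPS is configured to encrypt only the `credentials` key, so every value
# under `credentials:` must already read ENC[...] and nothing secret-looking may
# sit outside that block. Key-name pattern and sample files are constructed.
set -eu

# check_vault_file <file>: exit 0 if clean, otherwise print each finding and exit 1.
check_vault_file() {
  awk '
    BEGIN { bad = 0; block = "" }
    /^ *$/    { next }                       # blank lines
    /^ *[#-]/ { next }                       # comments and list items
    {
      indent = match($0, /[^ ]/) - 1
      key = $0; sub(/^ */, "", key); sub(/:.*$/, "", key)
      val = $0; sub(/^[^:]*:[ ]*/, "", val)
      if (indent == 0) block = key           # remember the top-level section
      if (val == "") next                    # mapping header, no scalar value
      if (block == "sops") next              # SOPS metadata is plaintext by design
      if (block == "credentials") {
        if (val !~ /^ENC\[/) { print FILENAME ": unencrypted value under credentials: " key; bad = 1 }
      } else if (key ~ /(password|api_key|token|secret)/) {
        print FILENAME ": secret-looking key outside credentials: " key; bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample files standing in for real vault entries.
GOOD_FILE=$(mktemp)
cat >"$GOOD_FILE" <<'EOF'
name: example-service
url: https://example.invalid
tags:
  - demo
credentials:
  api_key: ENC[AES256_GCM,data:AbCd,iv:Ef,tag:Gh,type:str]
sops:
  mac: ENC[AES256_GCM,data:Op,iv:Qr,tag:St,type:str]
EOF
BAD_FILE=$(mktemp)
cat >"$BAD_FILE" <<'EOF'
name: example-service
api_key: hunter2
credentials:
  password: plaintext-oops
EOF
check_vault_file "$GOOD_FILE"                 # clean: exits 0, prints nothing
check_vault_file "$BAD_FILE" || echo "rejected as expected"
```

Run it over a file before `sync.sh` to catch a value written outside `credentials:` that SOPS would commit in plaintext.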