azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71ada136a8bddebb84bcf8fe8bf62ca5ddb2d2dc
claudetools/.claude/URGENT-vault-path-bug.md
Mike Swanson 28d6b7646d docs: URGENT bug report - vault path variable collision in get-token.sh 
Critical bug discovered during Mac vault testing. Variable name collision
breaks token acquisition on all machines.

Fix required before proceeding with Howard's vault sync task.

Read .claude/URGENT-vault-path-bug.md on Windows laptop for remediation steps.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-21 19:06:12 -07:00

218 lines
6.3 KiB
Markdown
Raw Blame History

# URGENT: Vault Path Variable Collision Bug
**Date:** 2026-04-21
**Severity:** CRITICAL - Blocks all remediation-tool usage
**Affected:** All machines (DESKTOP-0O8A1RL, ACG-Tech03L, Mikes-MacBook-Air)
**Discovered on:** Mikes-MacBook-Air during vault wrapper testing
---
## TL;DR for Windows Laptop
**BEFORE doing Howard's vault sync task, fix this bug first:**
The recent vault portability changes introduced a variable name collision in `get-token.sh` that breaks token acquisition on all machines.
**Quick fix (2 minutes):**
1. Open `.claude/skills/remediation-tool/scripts/get-token.sh`
2. Rename the `VAULT_PATH` environment variable to `VAULT_ROOT_ENV`
3. Test: `./get-token.sh grabblaw.com investigator`
4. If working, commit fix and push
5. THEN proceed with Howard's vault sync task
---
## Bug Details
### Root Cause
**Variable name collision in get-token.sh around line 87-95:**
```bash
# PROBLEM: VAULT_PATH is used for TWO different things
# Line ~40-70: VAULT_PATH stores the SOPS file relative path
case "$TIER" in
investigator)
CLIENT_ID="bfbc12a4-f0dd-4e12-b06d-997e7271e10c"
VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml" # <-- SOPS file path
SCOPE_URL="https://graph.microsoft.com/.default"
;;
...
esac
# Line ~87-95: VAULT_PATH is ALSO used as environment variable for vault root
VAULT_ROOT="${VAULT_PATH:-}" # <-- BUG: This gets the SOPS path, not the vault root!
if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
for py in py python3 python; do
if command -v "$py" >/dev/null 2>&1; then
VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
fi
done
fi
```
**Result:** `VAULT_ROOT` gets set to `msp-tools/computerguru-security-investigator.sops.yaml` instead of the vault directory path.
### Observed Failure
```bash
$ ./get-token.sh cascadestucson.com investigator
ERROR: vault not found at msp-tools/computerguru-security-investigator.sops.yaml
(check vault_path in /Users/azcomputerguru/ClaudeTools/.claude/identity.json)
```
The script is checking if `msp-tools/computerguru-security-investigator.sops.yaml` exists as a directory, which fails.
---
## Remediation Steps
### Step 1: Fix Variable Name Collision
**File:** `.claude/skills/remediation-tool/scripts/get-token.sh`
**Find (around line 87):**
```bash
VAULT_ROOT="${VAULT_PATH:-}"
```
**Replace with:**
```bash
VAULT_ROOT="${VAULT_ROOT_ENV:-}"
```
**And update the error message (around line 95):**
```bash
[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; exit 3; }
```
**Purpose:** Separates the SOPS file path variable (`VAULT_PATH`) from the vault root override environment variable (now `VAULT_ROOT_ENV`).
### Step 2: Add vault_path to identity.json
**File:** `.claude/identity.json` (on DESKTOP-0O8A1RL)
**Add this field:**
```json
{
"user": "mike",
"full_name": "Mike Swanson",
"email": "mike@azcomputerguru.com",
"role": "admin",
"machine": "DESKTOP-0O8A1RL",
"vault_path": "D:/vault"
}
```
**On ACG-Tech03L (Howard's machine), the path is likely:**
```json
"vault_path": "D:/vault"
```
**On Mikes-MacBook-Air (if vault is cloned later):**
```json
"vault_path": "/Users/azcomputerguru/vault"
```
### Step 3: Test the Fix
**On DESKTOP-0O8A1RL:**
```bash
cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts
# Test with a fully onboarded tenant
bash get-token.sh grabblaw.com investigator
# Should output a JWT token (long string starting with eyJ...)
# Or at least get past the vault path error
```
**Expected success output:**
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...
```
**If still failing, check:**
1. Is `D:/vault/scripts/vault.sh` present?
2. Does `D:/vault/msp-tools/computerguru-security-investigator.sops.yaml` exist?
3. Is SOPS configured with the correct age key?
### Step 4: Commit and Sync
```bash
cd D:\ClaudeTools
git add .claude/skills/remediation-tool/scripts/get-token.sh
git commit -m "fix: vault path variable collision in get-token.sh
Renamed VAULT_PATH env var to VAULT_ROOT_ENV to avoid collision with
the SOPS file path variable. Fixes token acquisition on all machines.
Bug discovered during Mac testing 2026-04-21.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"
git push origin main
```
### Step 5: Notify Howard
Once fixed and pushed, tell Howard to:
1. Pull ClaudeTools: `cd C:\ClaudeTools && git pull`
2. Add `vault_path` to his `.claude/identity.json`
3. Test: `bash get-token.sh grabblaw.com investigator`
---
## After This Fix - Original Vault Sync Task
**THEN proceed with Howard's vault sync request:**
1. Navigate to `D:\vault`
2. Verify 5 new-tier SOPS files exist in `D:\vault\msp-tools\`
3. Git add, commit, push to vault repo
4. Notify Howard to pull vault on ACG-Tech03L
---
## Why This Happened
The recent portability improvements (commits 0a7cd6b and a86df11) added per-machine vault path support via `identity.json`. The implementation correctly updated `.claude/scripts/vault.sh` but inadvertently created a variable name collision in `get-token.sh` by reusing `VAULT_PATH` for both:
- The SOPS file relative path (existing usage)
- The environment variable override (new usage)
This is a regression introduced in the last 2 commits from DESKTOP-0O8A1RL.
---
## Testing Checklist
After applying the fix:
- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator`
- [ ] Token acquisition works on DESKTOP-0O8A1RL: `get-token.sh grabblaw.com investigator-exo`
- [ ] All 5 tiers work: investigator, investigator-exo, user-manager, tenant-admin, defender
- [ ] Vault wrapper works: `bash .claude/scripts/vault.sh list`
- [ ] Howard can pull and test on ACG-Tech03L (after vault sync)
- [ ] Mac can test once vault is cloned there
---
## Impact Assessment
**Blocked operations until fixed:**
- All remediation-tool token acquisition
- All breach checks via remediation-tool skill
- Howard's Cascades spoofing hunt (double-blocked: this bug + missing SOPS files)
- Any tenant investigation work
**Urgency:** Fix immediately before attempting vault sync task.
---
**Created:** 2026-04-21 19:10 (Mac session)
**Status:** URGENT - Needs Windows laptop remediation
**Next session:** Read this file first, apply fix, test, commit, then do vault sync
Reference in New Issue View Git Blame Copy Permalink