claudetools/.claude/URGENT-vault-path-bug.md
Mike Swanson 28d6b7646d docs: URGENT bug report - vault path variable collision in get-token.sh
Critical bug discovered during Mac vault testing. Variable name collision
breaks token acquisition on all machines.

Fix required before proceeding with Howard's vault sync task.

Read .claude/URGENT-vault-path-bug.md on Windows laptop for remediation steps.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-21 19:06:12 -07:00


URGENT: Vault Path Variable Collision Bug

Date: 2026-04-21
Severity: CRITICAL - Blocks all remediation-tool usage
Affected: All machines (DESKTOP-0O8A1RL, ACG-Tech03L, Mikes-MacBook-Air)
Discovered on: Mikes-MacBook-Air during vault wrapper testing


TL;DR for Windows Laptop

BEFORE doing Howard's vault sync task, fix this bug first:

The recent vault portability changes introduced a variable name collision in get-token.sh that breaks token acquisition on all machines.

Quick fix (2 minutes):

  1. Open .claude/skills/remediation-tool/scripts/get-token.sh
  2. Rename the VAULT_PATH environment variable to VAULT_ROOT_ENV
  3. Test: ./get-token.sh grabblaw.com investigator
  4. If working, commit fix and push
  5. THEN proceed with Howard's vault sync task

Bug Details

Root Cause

Variable name collision in get-token.sh around lines 87-95:

# PROBLEM: VAULT_PATH is used for TWO different things

# Line ~40-70: VAULT_PATH stores the SOPS file relative path
case "$TIER" in
  investigator)
    CLIENT_ID="bfbc12a4-f0dd-4e12-b06d-997e7271e10c"
    VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml"  # <-- SOPS file path
    SCOPE_URL="https://graph.microsoft.com/.default"
    ;;
  ...
esac

# Line ~87-95: VAULT_PATH is ALSO used as environment variable for vault root
VAULT_ROOT="${VAULT_PATH:-}"  # <-- BUG: This gets the SOPS path, not the vault root!
if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
  for py in py python3 python; do
    if command -v "$py" >/dev/null 2>&1; then
      VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
    fi
  done
fi

Result: VAULT_ROOT gets set to msp-tools/computerguru-security-investigator.sops.yaml instead of the vault directory path.

Observed Failure

$ ./get-token.sh cascadestucson.com investigator

ERROR: vault not found at msp-tools/computerguru-security-investigator.sops.yaml
       (check vault_path in /Users/azcomputerguru/ClaudeTools/.claude/identity.json)

The script checks whether msp-tools/computerguru-security-investigator.sops.yaml exists as a directory (the vault root), which fails because it is a relative file path, not the vault directory.


Remediation Steps

Step 1: Fix Variable Name Collision

File: .claude/skills/remediation-tool/scripts/get-token.sh

Find (around line 87):

VAULT_ROOT="${VAULT_PATH:-}"

Replace with:

VAULT_ROOT="${VAULT_ROOT_ENV:-}"

And update the error message (around line 95):

[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; exit 3; }

Purpose: Separates the SOPS file path variable (VAULT_PATH) from the vault root override environment variable (now VAULT_ROOT_ENV).
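As an added example, not the project's get-token.sh, the bash script below reproduces the collision against a constructed identity.json in a temp directory and contrasts the buggy resolver with the renamed-variable fix, including the directory check that the real script's error message implies. The function names select_tier, identity_vault_path and resolve_vault_root_* are assumed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the project's get-token.sh): reproduces the VAULT_PATH
# collision with a constructed identity.json and shows the renamed-variable fix.
set -u

# Constructed fixture: a fake vault directory and an identity.json pointing at it.
FIXTURE_DIR="$(mktemp -d)"
mkdir -p "$FIXTURE_DIR/vault/scripts"
IDENTITY_FILE="$FIXTURE_DIR/identity.json"
printf '{"user":"mike","vault_path":"%s"}\n' "$FIXTURE_DIR/vault" > "$IDENTITY_FILE"

# Mirrors the tier case statement: VAULT_PATH holds the SOPS file's relative path.
select_tier() {
  case "$1" in
    investigator) VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml" ;;
    *) return 1 ;;
  esac
}

# Reads vault_path from identity.json with python3 if available, else a sed fallback.
identity_vault_path() {
  if command -v python3 >/dev/null 2>&1; then
    python3 -c "import json,sys; print(json.load(open(sys.argv[1])).get('vault_path',''))" "$1"
  else
    sed -n 's/.*"vault_path": *"\([^"]*\)".*/\1/p' "$1"
  fi
}

# BUGGY resolver (as in the report): the env override reads VAULT_PATH, which the
# case statement already filled with the SOPS path, so identity.json is never consulted.
resolve_vault_root_buggy() {
  select_tier "$1" || return 1
  local root="${VAULT_PATH:-}"
  if [ -z "$root" ]; then root="$(identity_vault_path "$IDENTITY_FILE")"; fi
  printf '%s\n' "$root"
}

# FIXED resolver: the override lives in VAULT_ROOT_ENV, so an unset override falls
# through to identity.json, and the result is verified to be a real directory.
resolve_vault_root_fixed() {
  select_tier "$1" || return 1
  local root="${VAULT_ROOT_ENV:-}"
  if [ -z "$root" ]; then root="$(identity_vault_path "$IDENTITY_FILE")"; fi
  if [ ! -d "$root" ]; then echo "ERROR: vault not found at $root" >&2; return 3; fi
  printf '%s\n' "$root"
}
```

Running resolve_vault_root_buggy investigator prints the SOPS file path (the reported failure), while resolve_vault_root_fixed investigator prints the fixture vault directory.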

Step 2: Add vault_path to identity.json

File: .claude/identity.json (on DESKTOP-0O8A1RL)

Add this field:

{
  "user": "mike",
  "full_name": "Mike Swanson",
  "email": "mike@azcomputerguru.com",
  "role": "admin",
  "machine": "DESKTOP-0O8A1RL",
  "vault_path": "D:/vault"
}

On ACG-Tech03L (Howard's machine), the path is likely:

"vault_path": "D:/vault"

On Mikes-MacBook-Air (if vault is cloned later):

"vault_path": "/Users/azcomputerguru/vault"

Step 3: Test the Fix

On DESKTOP-0O8A1RL:

cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts

# Test with a fully onboarded tenant
bash get-token.sh grabblaw.com investigator

# Should output a JWT token (long string starting with eyJ...)
# Or at least get past the vault path error

Expected success output:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...

If still failing, check:

  1. Is D:/vault/scripts/vault.sh present?
  2. Does D:/vault/msp-tools/computerguru-security-investigator.sops.yaml exist?
  3. Is SOPS configured with the correct age key?

Step 4: Commit and Sync

cd D:\ClaudeTools

git add .claude/skills/remediation-tool/scripts/get-token.sh
git commit -m "fix: vault path variable collision in get-token.sh

Renamed VAULT_PATH env var to VAULT_ROOT_ENV to avoid collision with
the SOPS file path variable. Fixes token acquisition on all machines.

Bug discovered during Mac testing 2026-04-21.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"

git push origin main

Step 5: Notify Howard

Once fixed and pushed, tell Howard to:

  1. Pull ClaudeTools: cd C:\ClaudeTools && git pull
  2. Add vault_path to his .claude/identity.json
  3. Test: bash get-token.sh grabblaw.com investigator

After This Fix - Original Vault Sync Task

THEN proceed with Howard's vault sync request:

  1. Navigate to D:\vault
  2. Verify 5 new-tier SOPS files exist in D:\vault\msp-tools\
  3. Git add, commit, push to vault repo
  4. Notify Howard to pull vault on ACG-Tech03L

Why This Happened

The recent portability improvements (commits 0a7cd6b and a86df11) added per-machine vault path support via identity.json. The implementation correctly updated .claude/scripts/vault.sh but inadvertently created a variable name collision in get-token.sh by reusing VAULT_PATH for both:

  • The SOPS file relative path (existing usage)
  • The environment variable override (new usage)

This is a regression introduced in the last 2 commits from DESKTOP-0O8A1RL.


Testing Checklist

After applying the fix:

  • Token acquisition works on DESKTOP-0O8A1RL: get-token.sh grabblaw.com investigator
  • Token acquisition works on DESKTOP-0O8A1RL: get-token.sh grabblaw.com investigator-exo
  • All 5 tiers work: investigator, investigator-exo, user-manager, tenant-admin, defender
  • Vault wrapper works: bash .claude/scripts/vault.sh list
  • Howard can pull and test on ACG-Tech03L (after vault sync)
  • Mac can test once vault is cloned there

Impact Assessment

Blocked operations until fixed:

  • All remediation-tool token acquisition
  • All breach checks via remediation-tool skill
  • Howard's Cascades spoofing hunt (double-blocked: this bug + missing SOPS files)
  • Any tenant investigation work

Urgency: Fix immediately before attempting vault sync task.


Created: 2026-04-21 19:10 (Mac session)
Status: URGENT - Needs Windows laptop remediation
Next session: Read this file first, apply fix, test, commit, then do vault sync