/vault — Consistent SOPS vault operations
The one canonical way to read, store, update, and verify secrets in the ClaudeTools SOPS+age
vault. Use instead of raw sops or guessed paths. Full reference: .claude/skills/vault/SKILL.md.
Quick reference
# READ
bash .claude/scripts/vault.sh get <path>
bash .claude/scripts/vault.sh get-field <path> credentials.api_key
bash .claude/scripts/vault.sh search <query>
bash .claude/scripts/vault.sh list [subdir]
# STORE / UPDATE (non-interactive — these work in this harness; `vault edit` does not)
bash .claude/skills/vault/scripts/vault-helper.sh new <path> --kind api-key \
--name "..." [--url ..] [--tag ..] --set api_key=SECRET [--set username=foo]
bash .claude/skills/vault/scripts/vault-helper.sh set <path> --set password=NEW
# VERIFY (after any write, before any commit)
bash .claude/skills/vault/scripts/vault-helper.sh verify <path>
bash .claude/skills/vault/scripts/vault-helper.sh check [subdir]
# PUBLISH
bash .claude/scripts/sync.sh # Phase 6 commits + pushes the vault repo
Rules (non-negotiable)
- Never paste a secret into chat / ticket / commit / channel — share the vault path instead.
- Secrets ALWAYS go under credentials: (only those keys get encrypted; anything else = plaintext).
- Use the scripts above — never hand-roll sops + a guessed path, never use VAULT_ROOT_ENV for vault access.
- Finish: write → verify → publish (sync). Don't hand off the push.
Paths are vault-root-relative (clients/<slug>/..., msp-tools/..., infrastructure/...,
services/...), with or without .sops.yaml.
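
The credentials: rule can be checked mechanically before a commit. The following is an added example, not part of the ClaudeTools scripts and not a description of what vault-helper.sh verify does. The function names, the key-name pattern and the sample file layout are assumptions; it relies only on SOPS writing encrypted scalars as ENC[...].

```bash
#!/usr/bin/env bash
# Added example (not the project's vault-helper.sh): lint a SOPS vault YAML file.
# Assumes only the top-level `credentials:` subtree is encrypted, per the rule above.

# Key names treated as secret-bearing; a hypothetical list, extend for your schema.
SECRET_KEY_RE='(pass(word|wd)?|secret|token|api_?key|private_?key)'

# lint_vault_file FILE|-  : one finding per line on stdout, exit status 1 if any.
lint_vault_file() {
  awk -v re="$SECRET_KEY_RE" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[^ \t]/ { section = $0; sub(/:.*/, "", section) }   # top-level key opens a section
    section == "sops" { next }                   # SOPS metadata, not user data
    !/:/ { next }                                # plain list item, no key
    {
      key = $0; sub(/^[ \t-]*/, "", key); sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (val == "") next                        # mapping header, no scalar value
      if (section == "credentials") {
        if (val !~ /^ENC\[/) { print "PLAINTEXT under credentials: " key; bad = 1 }
      } else if (tolower(key) ~ re) {
        print "SECRET-LIKE key outside credentials: " key; bad = 1
      }
    }
    END { exit bad + 0 }
  ' "${1:--}"
}

# Constructed sample: two mistakes the rule warns about, one correct field.
sample_vault_yaml() {
  cat <<'EOF'
name: Example API
kind: api-key
url: https://api.example.invalid
api_token: constructed-value-1
credentials:
  api_key: ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,iv:AAAA,tag:BBBB,type:str]
  password: constructed-value-2
sops:
  encrypted_regex: ^credentials$
EOF
}

sample_vault_yaml | lint_vault_file - || true
```

The check is a line-based heuristic, not a YAML parser: multi-line scalars and flow-style mappings are outside what it handles.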