# scripts/

Small helper scripts. **Python standard library only** — no third-party dependencies (keeps them runnable anywhere without a venv). One deliberate exception: `check-vault.py` is a vault tool that needs the ansible venv (PyYAML + `ansible-vault`) and `rbw`, so it is not run-anywhere by design.

- `tf_to_inventory.py` — reads `terraform output -json` on stdin and writes an Ansible `hosts.yml`. Invoked by `make tf-inventory`. Data contract: **ADR-009**.
- `check-vault.py` — validates a vault file's structure (decrypts in-memory; valid YAML; secrets under the nested `vault:` map; no empty leaves) and prints a values-masked view. Invoked by `make check-vault` and after `make edit-vault`.
- `vault-pass-client.sh` — fetches the master vault password from Vaultwarden via `rbw`. Wired as `vault_password_file` (ADR-002).
- `check-vault-encrypted.sh` — pre-commit guard: fails if a `vault.yml` holds plaintext secrets.
- `check-tags.py` — enforces the closed tag vocabulary (`tests/tags.yml`) and that each role import in a play carries its role-name tag. Invoked by `make lint`. See **ADR-019**.
- `repo-scan.py` — Phase-0 deterministic scan for `/review-repo` (markers, broken refs, unencrypted vaults, inventory).
- `capacity-scan.py` — deterministic capacity facts for `/capacity-review`: parses the machine-readable tables in `docs/hardware/reference.md`, computes per-node allocated-vs-physical rollups, and cross-checks workload hostnames against Terraform output / Ansible inventory for drift. Emits JSON. See **ADR-012**.
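The structural rules `check-vault.py` enforces (everything under a top-level `vault:` map, no empty leaves) and its values-masked view, as an added illustration rather than the script's own code. It assumes the vault file has already been decrypted and parsed into a Python mapping (the real script does that step with `ansible-vault` and PyYAML), so the check itself stays standard-library only; the sample documents are constructed.

```python
"""Structural check of an already-decrypted vault document (illustration only)."""
from typing import Any

MASK = "********"


def find_problems(doc: Any) -> list[str]:
    """Return structural problems found in the parsed vault document; [] means valid."""
    if not isinstance(doc, dict):
        return ["top level is not a mapping"]
    vault = doc.get("vault")
    if not isinstance(vault, dict):
        return ["missing or non-mapping top-level 'vault:' key"]

    problems: list[str] = []
    # Assumption: anything outside the vault: map is a misplaced secret.
    stray = sorted(k for k in doc if k != "vault")
    if stray:
        problems.append(f"keys outside 'vault:' map: {stray}")
    if not vault:
        problems.append("'vault:' map is empty")

    def walk(node: Any, path: str) -> None:
        # Recurse through mappings and lists; every leaf must carry a value.
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for idx, value in enumerate(node):
                walk(value, f"{path}[{idx}]")
        elif node is None or (isinstance(node, str) and node.strip() == ""):
            problems.append(f"{path}: empty leaf")

    walk(vault, "vault")
    return problems


def masked_view(node: Any) -> Any:
    """Copy of the document with every leaf replaced by MASK (structure only, no values)."""
    if isinstance(node, dict):
        return {k: masked_view(v) for k, v in node.items()}
    if isinstance(node, list):
        return [masked_view(v) for v in node]
    return MASK


# Constructed sample documents, not real vault contents.
SAMPLE_OK = {"vault": {"db": {"password": "s3cret"}, "api_token": "abc"}}
SAMPLE_BAD = {"vault": {"db": {"password": ""}}, "stray": "x"}

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, find_problems(doc), masked_view(doc))
```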