`make edit-vault` runs `ansible-vault edit` (decrypt → nvim → re-encrypt on :wq, abort on :cq) so editing the vault is one step with no plaintext left in the work tree, then validates structure. `make check-vault` runs scripts/check-vault.py: decrypts in-memory, asserts valid YAML with secrets under the nested `vault:` map and no empty leaves, and prints a values-masked structure view (comments visible, secrets never printed). Both default to the production all-vault; override VAULT=. Update the vault header comment, CLAUDE.md (command table + Secrets section), and scripts/README to point at edit-vault (note check-vault.py is the one venv-dependent helper, by design). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
22 lines
1.4 KiB
Markdown
# scripts/

Small helper scripts. **Python standard library only** — no third-party
dependencies (keeps them runnable anywhere without a venv). One deliberate
exception: `check-vault.py` is a vault tool that needs the ansible venv (PyYAML +
`ansible-vault`) and `rbw`, so it is not run-anywhere by design.

- `tf_to_inventory.py` — reads `terraform output -json` on stdin and writes an
  Ansible `hosts.yml`. Invoked by `make tf-inventory`. Data contract: **ADR-009**.
- `check-vault.py` — validates a vault file's structure (decrypts in-memory; valid
  YAML; secrets under the nested `vault:` map; no empty leaves) and prints a
  values-masked view. Invoked by `make check-vault` and after `make edit-vault`.
- `vault-pass-client.sh` — fetches the master vault password from Vaultwarden via
  `rbw`. Wired as `vault_password_file` (ADR-002).
- `check-vault-encrypted.sh` — pre-commit guard: fails if a `vault.yml` holds
  plaintext secrets.
- `repo-scan.py` — Phase-0 deterministic scan for `/review-repo` (markers, broken
  refs, unencrypted vaults, inventory).
- `capacity-scan.py` — deterministic capacity facts for `/capacity-review`: parses
  the machine-readable tables in `docs/hardware/reference.md`, computes per-node
  allocated-vs-physical rollups, and cross-checks workload hostnames against
  Terraform output / Ansible inventory for drift. Emits JSON. See **ADR-012**.
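The structure checks and values-masked view that `check-vault.py` is described as performing, written out as an added example (this is not the repository's own script). It assumes the vault is decrypted in-memory with `ansible-vault view` and parsed with PyYAML; `load_vault` wraps that and needs the ansible venv, and passing `--vault-password-file` pointed at `vault-pass-client.sh` is an assumed invocation. The checks and the masking themselves are stdlib-only and run on the constructed samples at the bottom.

```python
import subprocess
from typing import Any

def load_vault(path: str, password_file: str) -> Any:
    """Decrypt in-memory with `ansible-vault view` and parse; needs the ansible venv."""
    import yaml  # PyYAML, imported lazily so the checks below stay stdlib-only
    out = subprocess.run(
        ["ansible-vault", "view", "--vault-password-file", password_file, path],
        check=True, capture_output=True, text=True,
    ).stdout
    return yaml.safe_load(out)

def vault_problems(data: Any) -> list[str]:
    """Structural problems found; an empty list means the vault is valid."""
    if not isinstance(data, dict) or "vault" not in data:
        return ["missing top-level `vault:` map"]
    problems = [f"key outside `vault:`: {k}" for k in data if k != "vault"]
    vault = data["vault"]
    if not isinstance(vault, dict) or not vault:
        return problems + ["`vault:` is not a non-empty mapping"]

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            if not node:
                problems.append(f"{path}: empty mapping")
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif node is None or (isinstance(node, str) and not node.strip()):
            problems.append(f"{path}: empty leaf")

    walk(vault, "vault")
    return problems

def masked_view(data: dict, indent: int = 0) -> list[str]:
    """Key structure with every leaf value replaced by '***' (secrets never printed)."""
    lines = []
    for k, v in data.items():
        if isinstance(v, dict):
            lines.append(" " * indent + f"{k}:")
            lines.extend(masked_view(v, indent + 2))
        else:
            lines.append(" " * indent + f"{k}: ***")
    return lines

# Constructed samples, shaped like yaml.safe_load output for a decrypted vault.
SAMPLE_OK = {"vault": {"db": {"password": "hunter2"}, "api_token": "abc"}}
SAMPLE_BAD = {"vault": {"db": {"password": ""}, "smtp": {}}, "stray": "x"}
```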