Document agent secret vault installation

scripts/create-vault-pass-archive.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SRC="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
+OUT="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"
+
+usage() {
+  cat <<USAGE
+Usage: scripts/create-vault-pass-archive.sh [output.zip]
+
+Creates a password-protected archive containing vault-pass.txt.
+Default source:
+  ${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}
+Default output:
+  $REPO_DIR/secrets/vault-pass.txt.zip
+
+The zip password is entered interactively. Do not print it in logs/chat.
+USAGE
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+if [ ! -f "$SRC" ]; then
+  echo "Missing source vault password file: $SRC" >&2
+  exit 2
+fi
+
+if ! command -v zip >/dev/null 2>&1; then
+  echo "Missing dependency: zip" >&2
+  echo "Install it with: sudo apt install -y zip" >&2
+  exit 3
+fi
+
+mkdir -p "$(dirname "$OUT")"
+tmpdir="$(mktemp -d)"
+cleanup() { rm -rf "$tmpdir"; }
+trap cleanup EXIT
+install -m 600 "$SRC" "$tmpdir/vault-pass.txt"
+
+(
+  cd "$tmpdir"
+  # zip prompts for archive password interactively.
+  zip -e -q "$OUT" vault-pass.txt
+)
+chmod 600 "$OUT"
+echo "Created password-protected archive: $OUT"

scripts/get-secret.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
-VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/continuous-ai-workflow-spec/vault-pass.txt}"
+VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
 
 usage() {
   cat <<EOF

scripts/install-vault-pass.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
+ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"
+
+usage() {
+  cat <<USAGE
+Usage: scripts/install-vault-pass.sh [archive.zip]
+
+Installs the Ansible Vault password file to:
+  ${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}
+
+The archive must be password-protected. The user will be prompted by unzip/7z.
+Default archive path:
+  $REPO_DIR/secrets/vault-pass.txt.zip
+USAGE
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+if [ ! -f "$ARCHIVE" ]; then
+  cat >&2 <<ERR
+Missing archive: $ARCHIVE
+
+Create/provide a password-protected archive that contains one file named:
+  vault-pass.txt
+
+Then rerun:
+  scripts/install-vault-pass.sh $ARCHIVE
+ERR
+  exit 2
+fi
+
+if ! command -v unzip >/dev/null 2>&1; then
+  echo "Missing dependency: unzip" >&2
+  echo "Install it with: sudo apt install -y unzip" >&2
+  exit 3
+fi
+
+tmpdir="$(mktemp -d)"
+cleanup() { rm -rf "$tmpdir"; }
+trap cleanup EXIT
+
+umask 077
+mkdir -p "$(dirname "$DEST")"
+chmod 700 "$(dirname "$DEST")" || true
+
+# unzip will prompt for the archive password interactively.
+unzip -q "$ARCHIVE" -d "$tmpdir"
+
+src="$tmpdir/vault-pass.txt"
+if [ ! -f "$src" ]; then
+  echo "Archive extracted, but vault-pass.txt was not found inside." >&2
+  exit 4
+fi
+
+install -m 600 "$src" "$DEST"
+
+echo "Installed vault password file: $DEST"

scripts/render-env.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
-VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/continuous-ai-workflow-spec/vault-pass.txt}"
+VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
 
 SECTION="${1:-}"
 [ -n "$SECTION" ] || { echo "用法: $0 <section>"; exit 1; }

scripts/vault.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
-VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/continuous-ai-workflow-spec/vault-pass.txt}"
+VAULT_PASS_FILE="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
 
 usage() {
   cat <<EOF