workstation: share admin Claude subscription with non-admins (CLAUDE_CODE_OAUTH_TOKEN)

Non-admins without their own ~/.claude login get the shared long-lived sk-ant-oat01 token injected into their t3-serve env, so their agent authenticates against the admin's subscription. setup-devvm.sh stages it from Vault secret/workstation.claude_oauth_token (root-readable); the provisioner's install_user_claude_token injects per-user, if-absent (never clobbers emo's own login). Live-fixed anca (verified AUTHOK); this codifies it for reproducibility + future users. NOT pushed (shared-tree divergence hold). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 14:05:44 +00:00 · 2026-06-09 14:05:44 +00:00 · eeadf0f85d
commit eeadf0f85d
parent fbcc330214
2 changed files with 43 additions and 1 deletions
--- a/scripts/workstation/setup-devvm.sh
+++ b/scripts/workstation/setup-devvm.sh
@ -77,4 +77,21 @@ if [[ -d "$ADMIN_CODE" ]]; then
  log "hardened $ADMIN_CODE (o-rx — not world-readable)"
 fi

+# 8) stage the shared Claude subscription OAuth token (long-lived sk-ant-oat01) to a
+#    root-readable file the provisioner injects into non-admins' t3-serve env, so they
+#    share the admin's Claude subscription (only those without their own ~/.claude login).
+if command -v vault >/dev/null; then
+  export VAULT_ADDR="${VAULT_ADDR:-https://vault.viktorbarzin.me}"
+  # setup-devvm runs as root (no ~/.vault-token); borrow the admin's token to read Vault.
+  if [[ -z "${VAULT_TOKEN:-}" && -r /home/wizard/.vault-token ]]; then
+    VAULT_TOKEN="$(cat /home/wizard/.vault-token)"; export VAULT_TOKEN
+  fi
+  if claude_tok="$(vault kv get -field=claude_oauth_token secret/workstation 2>/dev/null)"; then
+    install -m 0600 /dev/stdin /etc/t3-serve/claude-oauth-token <<<"$claude_tok"
+    log "staged /etc/t3-serve/claude-oauth-token (shared Claude subscription)"
+  else
+    log "WARN: secret/workstation claude_oauth_token absent -> non-admins won't share Claude auth"
+  fi
+fi
+
 log "OK (idempotent)"