scripts/provision-admin-vault.sh

#!/bin/bash
# Provision Admin Vault for Sankofa Admin Portal
# Creates the admin vault and migrates all secrets

set -euo pipefail

# Load IP configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true


# Configuration
VAULT_ADDR="${VAULT_ADDR:-http://${IP_SERVICE_200:-${IP_SERVICE_200:-192.168.11.200}}:8200}"
VAULT_TOKEN="${VAULT_TOKEN:-${VAULT_ROOT_TOKEN:-}}"
ADMIN_ORG_NAME="${ADMIN_ORG_NAME:-Sankofa Admin}"
ADMIN_VAULT_NAME="${ADMIN_VAULT_NAME:-sankofa-admin}"
ADMIN_LEVEL="${ADMIN_LEVEL:-super_admin}"

# Colors
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[1;33m'
NC='\033[0m'

log_info() {
    echo -e "${BLUE}[INFO]${NC} $1"
}

log_success() {
    echo -e "${GREEN}[SUCCESS]${NC} $1"
}

log_warn() {
    echo -e "${YELLOW}[WARN]${NC} $1"
}

# Check prerequisites
if [ -z "$VAULT_TOKEN" ]; then
    log_warn "VAULT_TOKEN not set. Please set it before running."
    exit 1
fi

log_info "=== Provisioning Admin Vault ==="
log_info "Organization: $ADMIN_ORG_NAME"
log_info "Vault Name: $ADMIN_VAULT_NAME"
log_info "Admin Level: $ADMIN_LEVEL"
echo ""

# Check if we can use Node.js/TypeScript script
if command -v node &> /dev/null && [ -f "dbis_core/scripts/provision-admin-vault.ts" ]; then
    log_info "Using TypeScript provisioning script..."
    cd dbis_core
    export VAULT_TOKEN
    export VAULT_ADDR
    npx tsx scripts/provision-admin-vault.ts \
        --org "$ADMIN_ORG_NAME" \
        --name "$ADMIN_VAULT_NAME" \
        --level "$ADMIN_LEVEL"
    cd ..
else
    log_warn "TypeScript script not available. Using direct Vault API calls..."
    
    # Direct Vault API provisioning
    ORG_ID=$(echo "$ADMIN_ORG_NAME" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | cut -c1-32)
    VAULT_PATH="secret/data/admin/${ORG_ID}/${ADMIN_VAULT_NAME}"
    
    log_info "Creating admin vault at: $VAULT_PATH"
    
    # Create initial structure
    curl -s -X POST \
        -H "X-Vault-Token: $VAULT_TOKEN" \
        -H "Content-Type: application/json" \
        -d "{\"data\":{\"initialized\":true,\"adminVault\":true,\"createdAt\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}}" \
        "$VAULT_ADDR/v1/$VAULT_PATH" > /dev/null
    
    log_success "Admin vault created at: $VAULT_PATH"
fi

echo ""
log_info "Next steps:"
log_info "1. Run migration script: ./scripts/migrate-secrets-to-admin-vault.sh"
log_info "2. Store credentials securely"
log_info "3. Update applications to use admin vault"
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates - ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 15:46:57 -08:00			`#!/bin/bash`
			`# Provision Admin Vault for Sankofa Admin Portal`
			`# Creates the admin vault and migrates all secrets`

			`set -euo pipefail`

			`# Load IP configuration`
			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"`
			`source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null \|\| true`


			`# Configuration`
			`VAULT_ADDR="${VAULT_ADDR:-http://${IP_SERVICE_200:-${IP_SERVICE_200:-192.168.11.200}}:8200}"`
			`VAULT_TOKEN="${VAULT_TOKEN:-${VAULT_ROOT_TOKEN:-}}"`
			`ADMIN_ORG_NAME="${ADMIN_ORG_NAME:-Sankofa Admin}"`
			`ADMIN_VAULT_NAME="${ADMIN_VAULT_NAME:-sankofa-admin}"`
			`ADMIN_LEVEL="${ADMIN_LEVEL:-super_admin}"`

			`# Colors`
			`GREEN='\033[0;32m'`
			`BLUE='\033[0;34m'`
			`YELLOW='\033[1;33m'`
			`NC='\033[0m'`

			`log_info() {`
			`echo -e "${BLUE}[INFO]${NC} $1"`
			`}`

			`log_success() {`
			`echo -e "${GREEN}[SUCCESS]${NC} $1"`
			`}`

			`log_warn() {`
			`echo -e "${YELLOW}[WARN]${NC} $1"`
			`}`

			`# Check prerequisites`
			`if [ -z "$VAULT_TOKEN" ]; then`
			`log_warn "VAULT_TOKEN not set. Please set it before running."`
			`exit 1`
			`fi`

			`log_info "=== Provisioning Admin Vault ==="`
			`log_info "Organization: $ADMIN_ORG_NAME"`
			`log_info "Vault Name: $ADMIN_VAULT_NAME"`
			`log_info "Admin Level: $ADMIN_LEVEL"`
			`echo ""`

			`# Check if we can use Node.js/TypeScript script`
			`if command -v node &> /dev/null && [ -f "dbis_core/scripts/provision-admin-vault.ts" ]; then`
			`log_info "Using TypeScript provisioning script..."`
			`cd dbis_core`
			`export VAULT_TOKEN`
			`export VAULT_ADDR`
			`npx tsx scripts/provision-admin-vault.ts \`
			`--org "$ADMIN_ORG_NAME" \`
			`--name "$ADMIN_VAULT_NAME" \`
			`--level "$ADMIN_LEVEL"`
			`cd ..`
			`else`
			`log_warn "TypeScript script not available. Using direct Vault API calls..."`

			`# Direct Vault API provisioning`
			`ORG_ID=$(echo "$ADMIN_ORG_NAME" \| tr '[:upper:]' '[:lower:]' \| sed 's/[^a-z0-9]/-/g' \| sed 's/--*/-/g' \| cut -c1-32)`
			`VAULT_PATH="secret/data/admin/${ORG_ID}/${ADMIN_VAULT_NAME}"`

			`log_info "Creating admin vault at: $VAULT_PATH"`

			`# Create initial structure`
			`curl -s -X POST \`
			`-H "X-Vault-Token: $VAULT_TOKEN" \`
			`-H "Content-Type: application/json" \`
			`-d "{\"data\":{\"initialized\":true,\"adminVault\":true,\"createdAt\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}}" \`
			`"$VAULT_ADDR/v1/$VAULT_PATH" > /dev/null`

			`log_success "Admin vault created at: $VAULT_PATH"`
			`fi`

			`echo ""`
			`log_info "Next steps:"`
			`log_info "1. Run migration script: ./scripts/migrate-secrets-to-admin-vault.sh"`
			`log_info "2. Store credentials securely"`
			`log_info "3. Update applications to use admin vault"`