Pick a file in Files to edit it here.
3 #
4 # Uses the recovery key that lives ENCRYPTED in the gcloud vault (never on disk in
5 # plaintext). Works from ANY box with the user's gcloud auth — so it survives deletion
6 # of the Hetzner reactor box. The build machine's Hetzner key is locked to build-only;
7 # THIS is the unrestricted way back in.
8 #
9 # aiq-mac-recover # open a full-access shell on the Mac
10 # aiq-mac-recover <command...> # run a command with full access
… +37 lines
● Install and test the break-glass — it should decrypt the vault, extract the recovery key, and get me full access on the Mac (exercising the whole
recovery path):
Ran 1 shell command
● Break-glass verified end-to-end — aiq-mac-recover decrypted the vault, pulled the recovery key, and got full shell on the Mac. This path needs only
your gcloud auth, so it survives the Hetzner box being deleted. Let me commit it and record the whole anti-lockout design:
Ran 1 shell command
● Committed (3bc90d7). The anti-lockout is complete and verified — the single most important part given your lockout fear. Let me record the security
design in memory before I build the gate:
● Writing 2 memories…
· Misting… (12m 45s · ↑ 50.6k tokens)
⎿ Tip: Use /btw to ask a quick side question without interrupting Claude's current work
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── continue-conversation ──
❯
⏵⏵ bypass permissions on (shift+tab to cycle) · ← for agents · esc to interrupt