3 # 4 # Uses the recovery key that lives ENCRYPTED in the gcloud vault (never on disk in 5 # plaintext). Works from ANY box with the user's gcloud auth — so it survives deletion 6 # of the Hetzner reactor box. The build machine's Hetzner key is locked to build-only; 7 # THIS is the unrestricted way back in. 8 # 9 # aiq-mac-recover # open a full-access shell on the Mac 10 # aiq-mac-recover <command...> # run a command with full access… +37 lines ● Install and test the break-glass — it should decrypt the vault, extract the recovery key, and get me full access on the Mac (exercising the whole
recovery path):
Ran 1 shell command ●Break-glass verified end-to-end — aiq-mac-recover decrypted the vault, pulled the recovery key, and got full shell on the Mac. This path needs only
your gcloud auth, so it survives the Hetzner box being deleted. Let me commit it and record the whole anti-lockout design:
● Running 1 shell command…
⎿ $ cd /root/local_data/user/3/project_aiq_build_machine_onerm -f "$CLAUDE_JOB_DIR/tmp/vault_append_editor.sh" "$CLAUDE_JOB_DIR/tmp/aiq_mac_recovery.pub" 2>/dev/nullgit add tools/reactor_control/aiq-mac-recovergit commit -q -F - <<'MSG'recovery: aiq-mac-recover — gcloud-vault break-glass to the M…✻Misting… (11m 46s · ↓44.0k tokens · almost done thinking with max effort) ⎿ Tip: Use /btw to ask a quick side question without interrupting Claude's current work───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── continue-conversation ──❯ ⏵⏵ bypass permissions on (shift+tab to cycle) · ← for agents · esc to interrupt