- secrets/bookkeeping-sa.json.enc: team service-account key, encrypted with
AES-256-CBC + PBKDF2(100k iter) using a 48-char random passphrase. Safe to
commit to a public repo; the passphrase lives in the team password manager.
- scripts/decrypt-key.sh: one-liner that decrypts to ~/.config/gcp/ (mode 600)
and prints the service-account email so users know which address to share
their Sheet with.
- secrets/README.md: explains the crypto, decrypt flow, and rotation
procedures (passphrase rotation vs underlying GCP key rotation).
- README + DEPLOY.md + setup.md: install flow updated. Users no longer wait
for the admin to send a JSON; they git clone, run decrypt-key.sh with the
passphrase from the team password manager, and continue. Cuts one
out-of-band file transfer from the user experience.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
GitHub is now the public-facing primary repo (MIT licensed). Point new
users at github.com/CharlesZhang2023/AutoACCT for cloning.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Install flow now assumes one admin-distributed service account JSON shared
across the team. Each user creates their own Google Sheet and shares it
with the SA email; per-user GCP project setup is gone.
- DEPLOY.md: a step-by-step walkthrough for non-technical users following
along with an AI agent (Terminal basics, screenshots-worth of expected
output, common-error table).
- scripts/append_row.py: sheet_id field accepts either a bare ID or a full
Google Sheets URL; normalize_sheet_id() extracts the ID via regex.
- scripts/setup.md: rewritten as an admin guide (one-time GCP setup, key
rotation) plus a troubleshooting reference.
- LICENSE: MIT (previously "private — internal use"). README license
sections updated to match.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
