Replace inline credentials with Infisical pointers

CLAUDE.md

@@ -12,6 +12,34 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 - **Network infrastructure**: Ubiquiti Unifi switches
 - **Debugging scope**: VM-to-external-client connectivity issues across the ESXi virtual switch and physical Unifi switch layers
 
+## Credentials convention
+
+Plaintext passwords / API keys / tokens have been moved out of these files into [Infisical](infisical.md). Where a credential used to be inline, you'll now see a pointer in the form:
+
+```
+[Infisical: homelab/<env>/<folder>/<KEY>]
+```
+
+To fetch one (machine identity required — see `infisical.md`):
+
+```bash
+TOKEN=$(curl -s -X POST https://infisical.dohertylan.com/api/v1/auth/universal-auth/login \
+  -H 'Content-Type: application/json' \
+  -d '{"clientId":"<id>","clientSecret":"<secret>"}' \
+  | python3 -c "import json,sys;print(json.load(sys.stdin)['accessToken'])")
+PROJ=$(curl -s -H "Authorization: Bearer $TOKEN" \
+  https://infisical.dohertylan.com/api/v1/workspace \
+  | python3 -c "import json,sys;print(json.load(sys.stdin)['workspaces'][0]['id'])")
+curl -sG "https://infisical.dohertylan.com/api/v3/secrets/raw/<KEY>" \
+  -H "Authorization: Bearer $TOKEN" \
+  --data-urlencode "workspaceId=$PROJ" \
+  --data-urlencode "environment=<env>" \
+  --data-urlencode "secretPath=<folder>" \
+  | python3 -c "import json,sys;print(json.load(sys.stdin)['secret']['secretValue'])"
+```
+
+Or via the Infisical web UI at https://infisical.dohertylan.com.
+
 ## Components
 
 - [TrueNAS Server](truenas.md) — NAS at 10.100.0.25 (management) / 10.50.0.x (storage), serves SMB and NFS