Session log: multi-user setup, audit + gap fixes, Howard onboarding package

Two session logs: - session-logs/2026-04-16-session.md: cross-cutting (multi-user, audit, infrastructure) - guru-rmm session log appended: MSI installer, Len's Auto Brokerage, Uranus, migration drift Gap fixes: GrepAI initialized + MCP server added, Ollama models pulling, settings.json created (bypassPermissions), MCP_SERVERS.md written. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:55:28 -07:00
parent a18157b5fa
commit 100a491ac6
20 changed files with 1617 additions and 3 deletions
--- a/projects/msp-tools/guru-rmm/session-logs/2026-04-16-session.md
+++ b/projects/msp-tools/guru-rmm/session-logs/2026-04-16-session.md
@@ -305,3 +305,55 @@ az ad sp credential reset --id 516d0bdc-5416-4d02-8521-b70e2bb26d29
 - **First signed MSI:** 2026-04-16 15:15 UTC (gururmm-agent-0.6.1.msi, 1.16 MB)
 - **Full Microsoft cert chain validates** through signtool from Windows workstation for both .exe and .msi
 - **Billing impact:** Trusted Signing Basic ~$9.99/mo + per-signature fees (fractional cents each). SP creation, cert profile creation, jsign — all free.
+
+---
+
+## Update: afternoon (continued same day)
+
+### MSI Installer — tested + verified
+
+- WiX 5.0.2 installed on Windows workstation via `dotnet tool install --global wix --version 5.0.2`
+- WiX does NOT work on Linux (despite .NET tooling — errors on Directory path validation). Windows-only for MSI builds.
+- WiX 7 was blocked by OSMF EULA requirement — stepped back to v5.
+- Built minimal `installer/gururmm.wxs` (installs exe to Program Files, creates ProgramData dir, Apps & Features entry)
+- Signed MSI via `sign.ps1` — full chain verifies (Arizona Computer Guru LLC)
+- Test install: `msiexec /qn` silent install ✓, signature preserved on installed binary ✓, Apps & Features shows publisher ✓, uninstall clean ✓
+- `installer/build-msi.ps1` wrapper script created (downloads signed agent, builds MSI, signs MSI, emits sha256)
+- Decision: Jupiter Windows VM (Server 2022) planned for production MSI builds; WiX on user's workstation for now
+
+### Len's Auto Brokerage — test client onboarded
+
+- **Client:** Len's Auto Brokerage (code: LAB)
+- **Client ID:** bc76984f-8dc9-42e7-b978-c8def1143144
+- **Site:** Main
+- **Site ID:** d8f69cd8-5c42-43bc-ae45-9cc6078d37fb
+- **Site code:** UPPER-STAR-2820
+- **API key:** grmm_mnR0gxGRxZ9wMqyn9Q4QxCrn6jbsJkZW (shown once, saved to vault)
+- ~10 Windows endpoints planned
+- Vault entry: `clients/lens-auto-brokerage.sops.yaml`
+
+### Server migration issue discovered
+
+- Attempted to rebuild gururmm-server to get `/install/:site_code` routes (exist in source but not in running binary)
+- New build fails: `migration 5 was previously applied but has been modified` — sqlx checksum drift
+- Migration 5 (005_temperature_metrics.sql) file content unchanged per git but sha384 doesn't match DB's recorded hash
+- Likely cause: sqlx crate version upgrade changed hash algorithm, or file bytes changed via line-ending normalization
+- Rolled back to stable binary (production restored, /health OK)
+- **Open item:** fix migration checksum drift to deploy server with install landing page routes
+
+### Smart App Control docs
+
+- Documented how to check/disable SAC on Windows 11 (for agent install at client sites)
+- SAC is separate from SmartScreen — our Public Trust signing helps SmartScreen but SAC is stricter
+- Main path: check state via `Get-MpComputerStatus`, disable via Settings if blocking, add Defender exclusions
+
+### Uranus server (ex-Pavon) — documented
+
+- Pavon server renamed to Uranus, re-IP'd from 172.16.1.33 → 172.16.3.21
+- OwnCloud external storage mount (ID 6, SMB share `Storage`) updated from old IP to new via `occ files_external:config 6 host 172.16.3.21`
+- Verified: `files_external:verify 6` → status ok
+- Swept all infrastructure (vault, CF DNS, NPM, pfSense) — no other references to old IP
+- Dell PowerEdge R730xd, 32 threads (Xeon E5-2630 v3), only 7.7 GiB RAM (2× 4GB RDIMM in 24 slots)
+- RAM upgrade needed before Windows build VM — recommended 8× 8GB DDR4 RDIMM (~$50 eBay)
+- Jupiter VM for build in the meantime (125 GiB RAM, ~60 GiB free)
+- Vault entry: `infrastructure/uranus-unraid.sops.yaml`, credentials.md updated
--- a/projects/msp-tools/howard-bootstrap/README.txt
+++ b/projects/msp-tools/howard-bootstrap/README.txt
@@ -0,0 +1,42 @@
+AZ Computer Guru - ClaudeTools Setup
+=====================================
+
+This package sets up the Claude Code workspace on your machine.
+
+WHAT'S INCLUDED:
+  setup.bat    - Run this first. It installs everything.
+  keys.txt     - Vault decryption key (if Mike included it)
+  README.txt   - This file
+
+WHAT IT DOES:
+  1. Checks for prerequisites (git, claude, python, sops)
+     - Auto-installs missing ones via winget
+  2. Clones the shared ClaudeTools repo from Gitea
+  3. Clones the encrypted credential vault
+  4. Sets up the decryption key for vault access
+  5. Creates a "ClaudeTools" shortcut on your desktop
+
+HOW TO RUN:
+  1. Extract this zip to any drive (e.g., D:\)
+  2. Double-click setup.bat
+  3. Follow the prompts (you'll be asked for your Gitea
+     password on first clone - ask Mike)
+  4. After setup, double-click "ClaudeTools" on your desktop
+  5. Claude will introduce itself and walk you through everything
+
+YOUR GITEA ACCOUNT:
+  URL:      https://git.azcomputerguru.com
+  Username: howard
+  Password: Ask Mike (you'll change it on first login)
+
+IF SOMETHING GOES WRONG:
+  - Close and re-run setup.bat (it's safe to run multiple times)
+  - If git clone fails: check network/VPN/Tailscale connection
+  - If vault fails: make sure keys.txt is at
+    %APPDATA%\sops\age\keys.txt
+  - Ask Mike or ask Claude (once it's running)
+
+AFTER SETUP:
+  Your workspace lives at <drive>:\claudetools
+  Credentials vault at <drive>:\vault
+  Everything syncs to Gitea automatically via /sync command
--- a/projects/msp-tools/howard-bootstrap/keys.txt
+++ b/projects/msp-tools/howard-bootstrap/keys.txt
@@ -0,0 +1,3 @@
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
--- a/projects/msp-tools/howard-bootstrap/setup.bat
+++ b/projects/msp-tools/howard-bootstrap/setup.bat
@@ -0,0 +1,176 @@
+@echo off
+setlocal EnableDelayedExpansion
+title AZ Computer Guru - ClaudeTools Setup
+color 0A
+
+echo ============================================
+echo   AZ Computer Guru - ClaudeTools Bootstrap
+echo ============================================
+echo.
+echo This sets up the Claude Code workspace on
+echo this machine. Takes about 5 minutes.
+echo.
+echo Press any key to start, or Ctrl+C to cancel.
+pause >nul
+
+:: Determine target drive (same drive as this script)
+set "DRIVE=%~d0"
+set "BASE=%DRIVE%\claudetools"
+set "VAULT=%DRIVE%\vault"
+set "AGE_DIR=%APPDATA%\sops\age"
+set "SCRIPT_DIR=%~dp0"
+
+echo.
+echo [1/7] Checking prerequisites...
+
+:: Check git
+where git >nul 2>&1
+if %ERRORLEVEL% neq 0 (
+    echo   [!] git not found. Installing via winget...
+    winget install --id Git.Git -e --accept-package-agreements --accept-source-agreements
+    echo   [!] Please close and reopen this script after git installs.
+    pause
+    exit /b 1
+)
+echo   [OK] git found
+
+:: Check claude
+where claude >nul 2>&1
+if %ERRORLEVEL% neq 0 (
+    echo   [!] Claude Code not found. Installing...
+    winget install --id Anthropic.ClaudeCode -e --accept-package-agreements --accept-source-agreements 2>nul
+    if %ERRORLEVEL% neq 0 (
+        echo   [!] winget install failed. Try: npm install -g @anthropic-ai/claude-code
+        echo       OR download from https://claude.ai/download
+        pause
+        exit /b 1
+    )
+)
+echo   [OK] Claude Code found
+
+:: Check sops
+where sops >nul 2>&1
+if %ERRORLEVEL% neq 0 (
+    echo   [!] SOPS not found. Installing via winget...
+    winget install --id Mozilla.sops -e --accept-package-agreements --accept-source-agreements
+)
+echo   [OK] SOPS found
+
+:: Check python
+where python >nul 2>&1
+if %ERRORLEVEL% neq 0 (
+    echo   [!] Python not found. Installing via winget...
+    winget install --id Python.Python.3.12 -e --accept-package-agreements --accept-source-agreements
+    echo   [!] Please close and reopen this script after Python installs.
+    pause
+    exit /b 1
+)
+echo   [OK] Python found
+
+echo.
+echo [2/7] Setting up age decryption key...
+
+if not exist "%AGE_DIR%" mkdir "%AGE_DIR%"
+if exist "%SCRIPT_DIR%keys.txt" (
+    copy /Y "%SCRIPT_DIR%keys.txt" "%AGE_DIR%\keys.txt" >nul
+    echo   [OK] Age key installed from bootstrap package
+) else if exist "%AGE_DIR%\keys.txt" (
+    echo   [OK] Age key already present
+) else (
+    echo   [!!] Age decryption key not found!
+    echo.
+    echo   Ask Mike for the keys.txt file and place it at:
+    echo     %AGE_DIR%\keys.txt
+    echo.
+    echo   Without this file, credential vault access won't work.
+    echo   Setup will continue but vault commands will fail until
+    echo   the key is in place.
+    echo.
+    pause
+)
+
+echo.
+echo [3/7] Cloning ClaudeTools repo...
+
+if not exist "%BASE%\.git" (
+    git clone https://howard@git.azcomputerguru.com/azcomputerguru/claudetools.git "%BASE%"
+    if %ERRORLEVEL% neq 0 (
+        echo   [!] Clone failed. Check your Gitea credentials.
+        echo   Username: howard
+        echo   Password: ask Mike for initial password
+        pause
+        exit /b 1
+    )
+    echo   [OK] Cloned to %BASE%
+) else (
+    echo   [OK] Already exists, pulling latest...
+    cd /d "%BASE%" && git pull
+)
+
+echo.
+echo [4/7] Cloning Vault repo...
+
+if not exist "%VAULT%\.git" (
+    git clone https://howard@git.azcomputerguru.com/azcomputerguru/vault.git "%VAULT%"
+    if %ERRORLEVEL% neq 0 (
+        echo   [!] Vault clone failed. Check credentials.
+        pause
+        exit /b 1
+    )
+    echo   [OK] Cloned to %VAULT%
+) else (
+    echo   [OK] Already exists, pulling latest...
+    cd /d "%VAULT%" && git pull
+)
+
+echo.
+echo [5/7] Configuring git identity...
+
+cd /d "%BASE%"
+git config user.name "Howard Enos"
+git config user.email "howard@azcomputerguru.com"
+cd /d "%VAULT%"
+git config user.name "Howard Enos"
+git config user.email "howard@azcomputerguru.com"
+echo   [OK] Git identity set to Howard Enos
+
+echo.
+echo [6/7] Creating desktop shortcut...
+
+set "SHORTCUT=%USERPROFILE%\Desktop\ClaudeTools.bat"
+(
+echo @echo off
+echo title ClaudeTools - AZ Computer Guru
+echo cd /d "%BASE%"
+echo claude
+) > "%SHORTCUT%"
+echo   [OK] Created: %SHORTCUT%
+
+echo.
+echo [7/7] Verifying setup...
+
+echo   Repo:     %BASE%
+echo   Vault:    %VAULT%
+echo   Age key:  %AGE_DIR%\keys.txt
+if exist "%AGE_DIR%\keys.txt" (
+    echo   Vault:    [OK] key present
+    cd /d "%BASE%"
+    bash "%VAULT%/scripts/vault.sh" list 2>nul | find /c ".sops.yaml" >nul 2>&1 && echo   Decrypt:  [OK] vault accessible || echo   Decrypt:  [!] vault test failed
+) else (
+    echo   Vault:    [!] key missing - ask Mike
+)
+
+echo.
+echo ============================================
+echo   Setup Complete!
+echo ============================================
+echo.
+echo Next steps:
+echo   1. Double-click "ClaudeTools" on your desktop
+echo   2. Claude will ask who you are - say "Howard"
+echo   3. Claude will walk you through the system
+echo.
+echo   If you need the vault key, ask Mike.
+echo   Your Gitea login: howard / (ask Mike for password)
+echo.
+pause