|
|
|
|
@@ -0,0 +1,169 @@
|
|
|
|
|
## User
|
|
|
|
|
- **User:** Mike Swanson (mike)
|
|
|
|
|
- **Machine:** GURU-BEAST-ROG
|
|
|
|
|
- **Role:** admin
|
|
|
|
|
|
|
|
|
|
## Session Summary
|
|
|
|
|
|
|
|
|
|
Continued the GuruRMM Policy Folders work into a full **Fleet-Policy Management Console**. The
|
|
|
|
|
first-cut `PolicyFolders.tsx` (window.prompt/confirm, dual inline selects, JSON backfill dump) was
|
|
|
|
|
judged clunky. Ran a two-round multi-AI interface refresh (Claude + Grok via ask-grok.sh + Gemini via
|
|
|
|
|
agy.exe), first on a narrow brief then on a full-scope brief after Mike framed this as THE en-masse
|
|
|
|
|
Partner->Client->Site->Agent policy surface. Both models converged on a master-detail console (table-tree
|
|
|
|
|
left, tabbed detail right, all-Dialog mutations, en-masse device placement with throttled bulk, impact
|
|
|
|
|
previews, effective-policy view, KPI backfill). Captured the synthesis in `design-direction.md`, then a
|
|
|
|
|
delegated coding agent rebuilt the page into a `FleetPolicyConsole` (8 new components, nav promoted). Added
|
|
|
|
|
the backend `folder_id` exposure (needed for device counts/placement) plus migration 068 to recreate the
|
|
|
|
|
`visible_agents` view (067 had added folder_id to the table but not the frozen SELECT * view — a latent
|
|
|
|
|
ColumnNotFound landmine). Deployed server v0.3.103 (migration 068 applied) and pushed the console to the
|
|
|
|
|
beta dashboard.
|
|
|
|
|
|
|
|
|
|
Mid-session, an urgent **VWP (Valley Wide Plastering) M365 account-compromise incident** took priority.
|
|
|
|
|
orders@valleywideplastering.com (user "Orders VWP" / Ty Fetters) was compromised via a phishing "invite"
|
|
|
|
|
and mass-sent a phishing email ("Invitation to Bid: Municipal Mixed-Use Infrastructure Redevelopment") to
|
|
|
|
|
external contacts. Diagnosis via the remediation-tool skill: ~298 spam of 705 outbound in 24h; Microsoft
|
|
|
|
|
auto-restricted the account from sending (Restricted Entities) at 16:09. Contained by resetting the
|
|
|
|
|
password to Stucco2026!! and revoking all sign-in sessions/refresh tokens. Audited the mailbox: no
|
|
|
|
|
malicious inbox rules, forwarding, OAuth grants, or rogue MFA methods. Confirmed the password valid at the
|
|
|
|
|
auth layer (AADSTS50076 MFA-required, not 50126). After confirming the Outbox was empty (nothing queued),
|
|
|
|
|
released the sending restriction with Remove-BlockedSenderAddress. Full external recipient list could not
|
|
|
|
|
be pulled programmatically (no REST message-trace; app-only EXO PowerShell needs a cert not exposed to us);
|
|
|
|
|
captured 10 confirmed recipients from bounce-backs and drafted a phishing-notification email; the full list
|
|
|
|
|
needs an admin-center message-trace CSV export.
|
|
|
|
|
|
|
|
|
|
A **remediation-tool identity/vault-path bug** was discovered and partially fixed. The skill is installed
|
|
|
|
|
user-scoped (`~/.claude/skills/...`), but its scripts compute the repo root as "4 levels up," landing at
|
|
|
|
|
`~/` and looking for a nonexistent `~/.claude/identity.json`. This caused every token mint to fail, which
|
|
|
|
|
`consent-audit.sh` mis-reported as "app NOT consented" — leading to an initial wrong conclusion that our
|
|
|
|
|
apps weren't consented on VWP (they were). Root-caused it, worked around with VAULT_ROOT_ENV, then fixed
|
|
|
|
|
it by symlinking `~/.claude/identity.json` to the canonical repo copy (verified all 7 scripts now resolve
|
|
|
|
|
the vault with no env override).
|
|
|
|
|
|
|
|
|
|
Also: created **Syncro emergency ticket #32503** for the VWP remediation (1.5h remote, block/prepay
|
|
|
|
|
emergency billing), and diagnosed the **Lonestar Electrical Unraid** GuruRMM agent being offline — a glibc
|
|
|
|
|
version mismatch (agent v0.6.59 needs GLIBC_2.39, the Debian-12 container provides 2.36), a GuruRMM agent
|
|
|
|
|
build regression that likely affects other Linux agents on older glibc.
|
|
|
|
|
|
|
|
|
|
## Key Decisions
|
|
|
|
|
|
|
|
|
|
- **Fleet-Policy Console via multi-AI, then delegated build.** Two rounds of Grok+Gemini design (narrow,
|
|
|
|
|
then full-scope after Mike's "core en-masse surface" framing). Delegated the large UI rebuild to a coding
|
|
|
|
|
agent with the blueprint (large, well-specified, needs iterative tsc); did the backend + deploys myself.
|
|
|
|
|
- **Migration 068 (CREATE OR REPLACE VIEW), not DROP.** Recreated `visible_agents` to expose folder_id
|
|
|
|
|
(and last_applied_policy_hash) without breaking dependents; fixes the latent landmine 067 introduced.
|
|
|
|
|
- **VWP containment order:** revoke sessions + reset password first (stop the bleed), then investigate.
|
|
|
|
|
Released the MS sending restriction only after confirming the account was fully clean AND the Outbox was
|
|
|
|
|
empty (so nothing residual would flush).
|
|
|
|
|
- **Password reset to a caller-supplied value (Stucco2026!!)** with forceChange=false (permanent), per
|
|
|
|
|
Mike relaying "she said we could reset her pass to that."
|
|
|
|
|
- **Identity fix via symlink** (`~/.claude/identity.json` -> canonical) rather than editing 7 scripts —
|
|
|
|
|
single source of truth, no drift, fixes all scripts at once on this machine.
|
|
|
|
|
- **VWP billing = block Scenario A** (two line items on product 1190473, 1.5h + 0.75h "Emergency/Same day
|
|
|
|
|
rate", $0.00). Verified block still active via invoice 67865 despite a year-old "moved to QB" note.
|
|
|
|
|
- **Lonestar agent: root-cause fix, not a patch.** Restart won't fix a binary that can't load; the durable
|
|
|
|
|
fix is a static/musl (or old-glibc) agent build in the GuruRMM repo.
|
|
|
|
|
|
|
|
|
|
## Problems Encountered
|
|
|
|
|
|
|
|
|
|
- **"App NOT consented" on VWP — actually a vault-path bug.** remediation-tool scripts read
|
|
|
|
|
`~/.claude/identity.json` (missing on user-scoped install) so token mints failed; consent-audit reported
|
|
|
|
|
it as non-consent. Fixed: symlink `~/.claude/identity.json` -> `~/ClaudeTools/.claude/identity.json`;
|
|
|
|
|
workaround was `VAULT_ROOT_ENV=C:/Users/guru/vault`. THIS WASTED TIME AND SENT MIKE CHASING A CONSENT DM
|
|
|
|
|
— still needs a friction-log entry + the consent-audit misattribution hardening.
|
|
|
|
|
- **Migration 066 view froze without folder_id.** `visible_agents` = `SELECT * FROM agents` froze its
|
|
|
|
|
columns at 066; 067 added folder_id to the table but not the view. Fixed with migration 068.
|
|
|
|
|
- **Message trace not accessible programmatically.** Get-MessageTrace via adminapi InvokeCommand returns
|
|
|
|
|
400/401; the MessageTrace REST entity 404s; app-only Connect-ExchangeOnline needs the public cert which
|
|
|
|
|
isn't in VWP's tenant (only the SP) nor the vault (only the private key), and the ACG home-tenant
|
|
|
|
|
keyCredentials read returned 0. Fell back to bounce-derived recipients (10) + admin-center CSV path.
|
|
|
|
|
- **Message-ID-in-path 400s.** Fetching messages by id failed on URL-unsafe chars (+, /, =); worked around
|
|
|
|
|
with subject $search + $select instead.
|
|
|
|
|
- **Restricted-entity removal lag.** Remove-BlockedSenderAddress returned 200 but Get-BlockedSenderAddress
|
|
|
|
|
still listed it; re-check showed CLEARED (the first removal worked; the second errored "already gone").
|
|
|
|
|
- **Syncro wrong customer + stale block note.** First customer query matched an individual ("Teresa
|
|
|
|
|
Carpio"); correct company is "Valley Wide Plastering Inc (VWP)" id 31694734. Note said block hours moved
|
|
|
|
|
to QB 8/8/25, but recent $0.00 invoices confirmed block billing is still active.
|
|
|
|
|
- **Lonestar Unraid agent offline** = GLIBC_2.39 vs 2.36 mismatch (agent build regression).
|
|
|
|
|
|
|
|
|
|
## Configuration Changes
|
|
|
|
|
|
|
|
|
|
GuruRMM (projects/msp-tools/guru-rmm), branch feat/policy-ui -> merged to main:
|
|
|
|
|
- NEW `docs/specs/policy-ui/design-direction.md` — tri-model Fleet-Policy Console blueprint.
|
|
|
|
|
- NEW `server/migrations/068_visible_agents_folder_id.sql` — CREATE OR REPLACE VIEW visible_agents.
|
|
|
|
|
- MOD `server/src/db/agents.rs` — added folder_id to Agent / AgentWithDetails / AgentResponse (+ From) and
|
|
|
|
|
the 3 detail SELECTs.
|
|
|
|
|
- NEW dashboard components: `EffectivePolicyView.tsx`, `policy/policyTree.ts`, `policy/FolderTreeTable.tsx`,
|
|
|
|
|
`policy/FolderPicker.tsx`, `policy/PolicyFolderDialogs.tsx`, `policy/PlaceDevicesDialog.tsx`,
|
|
|
|
|
`policy/BackfillDialog.tsx`, `policy/VersionHistoryDialog.tsx`.
|
|
|
|
|
- MOD `dashboard/src/pages/PolicyFolders.tsx` (rebuilt as FleetPolicyConsole), `pages/AgentDetail.tsx`
|
|
|
|
|
(use EffectivePolicyView), `api/client.ts` (Agent.folder_id), `components/FunctionRail.tsx` (nav promote:
|
|
|
|
|
"Policies" -> console, "Policy Library" -> old flat page).
|
|
|
|
|
|
|
|
|
|
ClaudeTools:
|
|
|
|
|
- NEW `clients/valleywide/2026-07-06-phish-recipient-warning-draft.md` — phishing-notification draft.
|
|
|
|
|
- NEW `~/.claude/identity.json` — symlink to `~/ClaudeTools/.claude/identity.json` (identity/vault fix).
|
|
|
|
|
|
|
|
|
|
## Credentials & Secrets
|
|
|
|
|
|
|
|
|
|
- **VWP orders@valleywideplastering.com** — password RESET to `Stucco2026!!` (permanent, forceChange=false).
|
|
|
|
|
Verified valid at auth layer. NOT vaulted (client user mailbox, caller-supplied). MFA = Microsoft
|
|
|
|
|
Authenticator on "iPhone 11".
|
|
|
|
|
- **Lonestar Electrical Unraid "Tower" root** — user `root`, password `Gptf*77ttb123!@#-lonestar`.
|
|
|
|
|
Vault: `clients/lonestar-electrical/unraid-server.sops.yaml` field `credentials.root_password`.
|
|
|
|
|
- Syncro API key: vault `msp-tools/syncro.sops.yaml` -> `credentials.credential`.
|
|
|
|
|
- remediation-tool apps: vault `msp-tools/computerguru-*.sops.yaml` (cert `credentials.cert_private_key_pem_b64`
|
|
|
|
|
+ `credentials.cert_thumbprint_b64url`; also `credentials.client_secret`).
|
|
|
|
|
|
|
|
|
|
## Infrastructure & Servers
|
|
|
|
|
|
|
|
|
|
- **GuruRMM server** — 172.16.3.30, systemd gururmm-server, port 3001, now v0.3.103. Deploy via
|
|
|
|
|
`/opt/gururmm/build-server.sh` (git reset origin/main + --migrate-only pre-check + binary swap). SSH
|
|
|
|
|
key-only (BEAST-ROG key authorized). Beta dashboard: /var/www/gururmm/dashboard-beta,
|
|
|
|
|
rmm-beta.azcomputerguru.com, current asset index-BqlJ0oKg.js.
|
|
|
|
|
- **VWP M365** — tenant `5c53ae9f-7071-4248-b834-8685b646450f` (valleywideplastering.com /
|
|
|
|
|
valleywideplastering.onmicrosoft.com). orders@ oid `3739c527-f156-49b7-8779-a19033564a0f`. Normal egress
|
|
|
|
|
IP 4.18.160.106 (US/Leesburg). 33 mailboxes.
|
|
|
|
|
- **ACG home tenant** (app registrations) — `ce61461e-81a0-4c84-bb4a-7b354a9a356d` (azcomputerguru.com).
|
|
|
|
|
- **Lonestar Electrical / Warren** — Unraid "Tower" 172.16.1.188 (ACG-office IP; may have returned to site),
|
|
|
|
|
Unraid 7.1.4. GuruRMM agent = Docker container `bfcfbc739d23`, id `00b48379-ec09-4396-9d8f-31a1ee8b4ce3`,
|
|
|
|
|
device_id `ff0d2a3d-6af2-4326-bf68-fc87e5e9f61a`, agent v0.6.59, OFFLINE since 2026-07-05T06:09Z.
|
|
|
|
|
Other site machines LS-1 / LS-2 online.
|
|
|
|
|
|
|
|
|
|
## Commands & Outputs
|
|
|
|
|
|
|
|
|
|
- remediation-tool needs vault path on user-scoped install: `export VAULT_ROOT_ENV="C:/Users/guru/vault"`
|
|
|
|
|
(or the new `~/.claude/identity.json` symlink).
|
|
|
|
|
- MS restriction reason: `OutboundSpamLast24Hours=298;OutboundMailLast24Hours=705;OutboundSpamPercent=42;
|
|
|
|
|
...CIP=4.18.160.106` — orders@ blocked since 2026-07-06T16:09:22.
|
|
|
|
|
- Unblock: `Remove-BlockedSenderAddress -SenderAddress orders@valleywideplastering.com` (via EXO adminapi
|
|
|
|
|
InvokeCommand, exchange-op tier) -> Get-BlockedSenderAddress now CLEARED.
|
|
|
|
|
- Lonestar agent error: `/usr/local/bin/gururmm-agent: /lib/x86_64-linux-gnu/libc.so.6: version
|
|
|
|
|
'GLIBC_2.39' not found` (Debian 12 = glibc 2.36). Restart cmd `docker restart gururmm-agent` won't fix
|
|
|
|
|
(binary can't load).
|
|
|
|
|
|
|
|
|
|
## Pending / Incomplete Tasks
|
|
|
|
|
|
|
|
|
|
- **VWP:** export admin-center message trace (sender orders@, today) -> full recipient list; finalize +
|
|
|
|
|
send the phishing-notification (draft ready, needs signer/phone); write formal incident report.
|
|
|
|
|
- **remediation-tool:** log the vault-path friction (`log-skill-error.sh --friction`), save a feedback
|
|
|
|
|
memory, and harden `consent-audit.sh` to distinguish local-vault-failure from real non-consent (the
|
|
|
|
|
misattribution that misled the incident). The symlink fix is done; hardening + logging are not.
|
|
|
|
|
- **GuruRMM console (v1.1, TODO-stubbed):** compliance real data, per-setting provenance, version
|
|
|
|
|
compare/rollback, before/after impact samples, generate-default-structure empty state, pane resize /
|
|
|
|
|
>500-node virtualization. Also: rotate the failing Cloudflare API tokens.
|
|
|
|
|
- **Lonestar:** fix the Linux agent build (static/musl or target glibc 2.36) in the GuruRMM repo; scan the
|
|
|
|
|
fleet for other Linux agents offline from the same glibc regression; then restart/redeploy the container;
|
|
|
|
|
update the vault agent_id (stale e827f798 -> 00b48379).
|
|
|
|
|
|
|
|
|
|
## Reference Information
|
|
|
|
|
|
|
|
|
|
- Commits (guru-rmm): 0bd5f67 design-direction, d028ca1 backend folder_id+068, bd25fa9 UI console rebuild,
|
|
|
|
|
merge f0320a4 -> main, deployed auto-bump c09c18d (v0.3.103).
|
|
|
|
|
- Syncro ticket **#32503** (id 113534324), customer VWP Inc 31694734, product 1190473 (Labor - Remote
|
|
|
|
|
Business), 1.5h + 0.75h @ $0.00 block emergency. Prior VWP emergency precedent: #32487.
|
|
|
|
|
- VWP phish subject: "Invitation to Bid : Municipal Mixed-Use Infrastructure Redevelopment" (blasted ~16:00
|
|
|
|
|
2026-07-06). 10 confirmed recipients: stackct.com (x3), ascentworks.com (x2), LWSupply.com (x2),
|
|
|
|
|
camelothomes.com, truteam.com, willisroof.com. Saved to `.vwp-phish-recipients.txt`.
|
|
|
|
|
- Multi-AI: `bash .claude/skills/grok/scripts/ask-grok.sh review-files`; agy at
|
|
|
|
|
`/c/Users/guru/AppData/Local/agy/bin/agy.exe -p --add-dir`.
|
|
|
|
|
- Vault: `clients/lonestar-electrical/unraid-server.sops.yaml`.
|