sync: auto-sync from GURU-BEAST-ROG at 2026-07-06 10:55:23

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-06 10:55:23
This commit is contained in:
2026-07-06 10:56:28 -07:00
parent c1706393b9
commit 14ac542a00
4 changed files with 215 additions and 3 deletions

View File

@@ -0,0 +1,42 @@
# VWP phishing notification — draft warning to recipients
2026-07-06. Send from a verified VWP account (or have VWP send). Review before sending.
**Subject:** Important: Please disregard the "Invitation to Bid" email from our office
---
Dear valued partner,
Earlier today, an unauthorized email was sent from our address
(**orders@valleywideplastering.com**) with the subject **"Invitation to Bid: Municipal
Mixed-Use Infrastructure Redevelopment."** This message did **not** come from Valley Wide
Plastering — it is a phishing email sent without our authorization.
If you received it, please:
- **Do not** open any attachments or click any links in that email.
- **Do not** reply to it or provide any information.
- **Delete** it from your inbox.
If you already clicked a link or entered any login information, we recommend you **change
your email password immediately** and notify your IT provider as a precaution.
We have already secured the affected account, and the issue has been resolved on our end.
We sincerely apologize for any concern or inconvenience this may have caused.
If you have any questions, or if you receive anything else that appears to be from us but
seems suspicious, please contact us directly at **[PHONE]** rather than replying to any
unexpected message.
Thank you for your understanding,
**[Name]**
Valley Wide Plastering
[phone] | [email]
---
*Notes for sender:* fill in [Name]/[PHONE]. Send from a known-good VWP mailbox (not orders@
if you'd rather recipients not associate the reply with the compromised address, though
orders@ is now secured). Known recipients so far (from bounce-backs; not exhaustive):
stackct.com, ascentworks.com, LWSupply.com, camelothomes.com, truteam.com, willisroof.com.

View File

@@ -19,6 +19,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
2026-07-06 | GURU-BEAST-ROG | remediation-tool | onboard-tenant: failed to acquire Tenant Admin token [ctx: tenant=5c53ae9f-7071-4248-b834-8685b646450f exit=3] (x2)
2026-07-06 | Howard-Home | vault/windows-pro-mak | [correction] assumed vault key labeled 'Windows Pro MAK' was plain Pro; correct is Pro FOR WORKSTATIONS MAK - slmgr /ipk auto-upgrades edition to ProfessionalWorkstation [ctx: host=ACG-Tech03L partial=HMJ4K]
2026-07-06 | Howard-Home | rmm/reboot | [friction] shutdown /r /t 15 /c "comment" failed exit1 (usage dump) - quotes around /c comment stripped by RMM->cmd.exe layer; drop the /c comment or PS-encode [ctx: ref=feedback_windows_quote_stripping host=ACG-Tech03L]

View File

@@ -10,8 +10,8 @@
"description": "Your current thinking step"
},
"nextThoughtNeeded": {
"type": "boolean",
"description": "Whether another thought step is needed"
"description": "Whether another thought step is needed",
"type": "boolean"
},
"thoughtNumber": {
"type": "integer",
@@ -52,7 +52,6 @@
},
"required": [
"thought",
"nextThoughtNeeded",
"thoughtNumber",
"totalThoughts"
]

View File

@@ -0,0 +1,169 @@
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
## Session Summary
Continued the GuruRMM Policy Folders work into a full **Fleet-Policy Management Console**. The
first-cut `PolicyFolders.tsx` (window.prompt/confirm, dual inline selects, JSON backfill dump) was
judged clunky. Ran a two-round multi-AI interface refresh (Claude + Grok via ask-grok.sh + Gemini via
agy.exe), first on a narrow brief then on a full-scope brief after Mike framed this as THE en-masse
Partner->Client->Site->Agent policy surface. Both models converged on a master-detail console (table-tree
left, tabbed detail right, all-Dialog mutations, en-masse device placement with throttled bulk, impact
previews, effective-policy view, KPI backfill). Captured the synthesis in `design-direction.md`, then a
delegated coding agent rebuilt the page into a `FleetPolicyConsole` (8 new components, nav promoted). Added
the backend `folder_id` exposure (needed for device counts/placement) plus migration 068 to recreate the
`visible_agents` view (067 had added folder_id to the table but not the frozen SELECT * view — a latent
ColumnNotFound landmine). Deployed server v0.3.103 (migration 068 applied) and pushed the console to the
beta dashboard.
Mid-session, an urgent **VWP (Valley Wide Plastering) M365 account-compromise incident** took priority.
orders@valleywideplastering.com (user "Orders VWP" / Ty Fetters) was compromised via a phishing "invite"
and mass-sent a phishing email ("Invitation to Bid: Municipal Mixed-Use Infrastructure Redevelopment") to
external contacts. Diagnosis via the remediation-tool skill: ~298 spam of 705 outbound in 24h; Microsoft
auto-restricted the account from sending (Restricted Entities) at 16:09. Contained by resetting the
password to Stucco2026!! and revoking all sign-in sessions/refresh tokens. Audited the mailbox: no
malicious inbox rules, forwarding, OAuth grants, or rogue MFA methods. Confirmed the password valid at the
auth layer (AADSTS50076 MFA-required, not 50126). After confirming the Outbox was empty (nothing queued),
released the sending restriction with Remove-BlockedSenderAddress. Full external recipient list could not
be pulled programmatically (no REST message-trace; app-only EXO PowerShell needs a cert not exposed to us);
captured 10 confirmed recipients from bounce-backs and drafted a phishing-notification email; the full list
needs an admin-center message-trace CSV export.
A **remediation-tool identity/vault-path bug** was discovered and partially fixed. The skill is installed
user-scoped (`~/.claude/skills/...`), but its scripts compute the repo root as "4 levels up," landing at
`~/` and looking for a nonexistent `~/.claude/identity.json`. This caused every token mint to fail, which
`consent-audit.sh` mis-reported as "app NOT consented" — leading to an initial wrong conclusion that our
apps weren't consented on VWP (they were). Root-caused it, worked around with VAULT_ROOT_ENV, then fixed
it by symlinking `~/.claude/identity.json` to the canonical repo copy (verified all 7 scripts now resolve
the vault with no env override).
Also: created **Syncro emergency ticket #32503** for the VWP remediation (1.5h remote, block/prepay
emergency billing), and diagnosed the **Lonestar Electrical Unraid** GuruRMM agent being offline — a glibc
version mismatch (agent v0.6.59 needs GLIBC_2.39, the Debian-12 container provides 2.36), a GuruRMM agent
build regression that likely affects other Linux agents on older glibc.
## Key Decisions
- **Fleet-Policy Console via multi-AI, then delegated build.** Two rounds of Grok+Gemini design (narrow,
then full-scope after Mike's "core en-masse surface" framing). Delegated the large UI rebuild to a coding
agent with the blueprint (large, well-specified, needs iterative tsc); did the backend + deploys myself.
- **Migration 068 (CREATE OR REPLACE VIEW), not DROP.** Recreated `visible_agents` to expose folder_id
(and last_applied_policy_hash) without breaking dependents; fixes the latent landmine 067 introduced.
- **VWP containment order:** revoke sessions + reset password first (stop the bleed), then investigate.
Released the MS sending restriction only after confirming the account was fully clean AND the Outbox was
empty (so nothing residual would flush).
- **Password reset to a caller-supplied value (Stucco2026!!)** with forceChange=false (permanent), per
Mike relaying "she said we could reset her pass to that."
- **Identity fix via symlink** (`~/.claude/identity.json` -> canonical) rather than editing 7 scripts —
single source of truth, no drift, fixes all scripts at once on this machine.
- **VWP billing = block Scenario A** (two line items on product 1190473, 1.5h + 0.75h "Emergency/Same day
rate", $0.00). Verified block still active via invoice 67865 despite a year-old "moved to QB" note.
- **Lonestar agent: root-cause fix, not a patch.** Restart won't fix a binary that can't load; the durable
fix is a static/musl (or old-glibc) agent build in the GuruRMM repo.
## Problems Encountered
- **"App NOT consented" on VWP — actually a vault-path bug.** remediation-tool scripts read
`~/.claude/identity.json` (missing on user-scoped install) so token mints failed; consent-audit reported
it as non-consent. Fixed: symlink `~/.claude/identity.json` -> `~/ClaudeTools/.claude/identity.json`;
workaround was `VAULT_ROOT_ENV=C:/Users/guru/vault`. THIS WASTED TIME AND SENT MIKE CHASING A CONSENT DM
— still needs a friction-log entry + the consent-audit misattribution hardening.
- **Migration 066 view froze without folder_id.** `visible_agents` = `SELECT * FROM agents` froze its
columns at 066; 067 added folder_id to the table but not the view. Fixed with migration 068.
- **Message trace not accessible programmatically.** Get-MessageTrace via adminapi InvokeCommand returns
400/401; the MessageTrace REST entity 404s; app-only Connect-ExchangeOnline needs the public cert which
isn't in VWP's tenant (only the SP) nor the vault (only the private key), and the ACG home-tenant
keyCredentials read returned 0. Fell back to bounce-derived recipients (10) + admin-center CSV path.
- **Message-ID-in-path 400s.** Fetching messages by id failed on URL-unsafe chars (+, /, =); worked around
with subject $search + $select instead.
- **Restricted-entity removal lag.** Remove-BlockedSenderAddress returned 200 but Get-BlockedSenderAddress
still listed it; re-check showed CLEARED (the first removal worked; the second errored "already gone").
- **Syncro wrong customer + stale block note.** First customer query matched an individual ("Teresa
Carpio"); correct company is "Valley Wide Plastering Inc (VWP)" id 31694734. Note said block hours moved
to QB 8/8/25, but recent $0.00 invoices confirmed block billing is still active.
- **Lonestar Unraid agent offline** = GLIBC_2.39 vs 2.36 mismatch (agent build regression).
## Configuration Changes
GuruRMM (projects/msp-tools/guru-rmm), branch feat/policy-ui -> merged to main:
- NEW `docs/specs/policy-ui/design-direction.md` — tri-model Fleet-Policy Console blueprint.
- NEW `server/migrations/068_visible_agents_folder_id.sql` — CREATE OR REPLACE VIEW visible_agents.
- MOD `server/src/db/agents.rs` — added folder_id to Agent / AgentWithDetails / AgentResponse (+ From) and
the 3 detail SELECTs.
- NEW dashboard components: `EffectivePolicyView.tsx`, `policy/policyTree.ts`, `policy/FolderTreeTable.tsx`,
`policy/FolderPicker.tsx`, `policy/PolicyFolderDialogs.tsx`, `policy/PlaceDevicesDialog.tsx`,
`policy/BackfillDialog.tsx`, `policy/VersionHistoryDialog.tsx`.
- MOD `dashboard/src/pages/PolicyFolders.tsx` (rebuilt as FleetPolicyConsole), `pages/AgentDetail.tsx`
(use EffectivePolicyView), `api/client.ts` (Agent.folder_id), `components/FunctionRail.tsx` (nav promote:
"Policies" -> console, "Policy Library" -> old flat page).
ClaudeTools:
- NEW `clients/valleywide/2026-07-06-phish-recipient-warning-draft.md` — phishing-notification draft.
- NEW `~/.claude/identity.json` — symlink to `~/ClaudeTools/.claude/identity.json` (identity/vault fix).
## Credentials & Secrets
- **VWP orders@valleywideplastering.com** — password RESET to `Stucco2026!!` (permanent, forceChange=false).
Verified valid at auth layer. NOT vaulted (client user mailbox, caller-supplied). MFA = Microsoft
Authenticator on "iPhone 11".
- **Lonestar Electrical Unraid "Tower" root** — user `root`, password `Gptf*77ttb123!@#-lonestar`.
Vault: `clients/lonestar-electrical/unraid-server.sops.yaml` field `credentials.root_password`.
- Syncro API key: vault `msp-tools/syncro.sops.yaml` -> `credentials.credential`.
- remediation-tool apps: vault `msp-tools/computerguru-*.sops.yaml` (cert `credentials.cert_private_key_pem_b64`
+ `credentials.cert_thumbprint_b64url`; also `credentials.client_secret`).
## Infrastructure & Servers
- **GuruRMM server** — 172.16.3.30, systemd gururmm-server, port 3001, now v0.3.103. Deploy via
`/opt/gururmm/build-server.sh` (git reset origin/main + --migrate-only pre-check + binary swap). SSH
key-only (BEAST-ROG key authorized). Beta dashboard: /var/www/gururmm/dashboard-beta,
rmm-beta.azcomputerguru.com, current asset index-BqlJ0oKg.js.
- **VWP M365** — tenant `5c53ae9f-7071-4248-b834-8685b646450f` (valleywideplastering.com /
valleywideplastering.onmicrosoft.com). orders@ oid `3739c527-f156-49b7-8779-a19033564a0f`. Normal egress
IP 4.18.160.106 (US/Leesburg). 33 mailboxes.
- **ACG home tenant** (app registrations) — `ce61461e-81a0-4c84-bb4a-7b354a9a356d` (azcomputerguru.com).
- **Lonestar Electrical / Warren** — Unraid "Tower" 172.16.1.188 (ACG-office IP; may have returned to site),
Unraid 7.1.4. GuruRMM agent = Docker container `bfcfbc739d23`, id `00b48379-ec09-4396-9d8f-31a1ee8b4ce3`,
device_id `ff0d2a3d-6af2-4326-bf68-fc87e5e9f61a`, agent v0.6.59, OFFLINE since 2026-07-05T06:09Z.
Other site machines LS-1 / LS-2 online.
## Commands & Outputs
- remediation-tool needs vault path on user-scoped install: `export VAULT_ROOT_ENV="C:/Users/guru/vault"`
(or the new `~/.claude/identity.json` symlink).
- MS restriction reason: `OutboundSpamLast24Hours=298;OutboundMailLast24Hours=705;OutboundSpamPercent=42;
...CIP=4.18.160.106` — orders@ blocked since 2026-07-06T16:09:22.
- Unblock: `Remove-BlockedSenderAddress -SenderAddress orders@valleywideplastering.com` (via EXO adminapi
InvokeCommand, exchange-op tier) -> Get-BlockedSenderAddress now CLEARED.
- Lonestar agent error: `/usr/local/bin/gururmm-agent: /lib/x86_64-linux-gnu/libc.so.6: version
'GLIBC_2.39' not found` (Debian 12 = glibc 2.36). Restart cmd `docker restart gururmm-agent` won't fix
(binary can't load).
## Pending / Incomplete Tasks
- **VWP:** export admin-center message trace (sender orders@, today) -> full recipient list; finalize +
send the phishing-notification (draft ready, needs signer/phone); write formal incident report.
- **remediation-tool:** log the vault-path friction (`log-skill-error.sh --friction`), save a feedback
memory, and harden `consent-audit.sh` to distinguish local-vault-failure from real non-consent (the
misattribution that misled the incident). The symlink fix is done; hardening + logging are not.
- **GuruRMM console (v1.1, TODO-stubbed):** compliance real data, per-setting provenance, version
compare/rollback, before/after impact samples, generate-default-structure empty state, pane resize /
>500-node virtualization. Also: rotate the failing Cloudflare API tokens.
- **Lonestar:** fix the Linux agent build (static/musl or target glibc 2.36) in the GuruRMM repo; scan the
fleet for other Linux agents offline from the same glibc regression; then restart/redeploy the container;
update the vault agent_id (stale e827f798 -> 00b48379).
## Reference Information
- Commits (guru-rmm): 0bd5f67 design-direction, d028ca1 backend folder_id+068, bd25fa9 UI console rebuild,
merge f0320a4 -> main, deployed auto-bump c09c18d (v0.3.103).
- Syncro ticket **#32503** (id 113534324), customer VWP Inc 31694734, product 1190473 (Labor - Remote
Business), 1.5h + 0.75h @ $0.00 block emergency. Prior VWP emergency precedent: #32487.
- VWP phish subject: "Invitation to Bid : Municipal Mixed-Use Infrastructure Redevelopment" (blasted ~16:00
2026-07-06). 10 confirmed recipients: stackct.com (x3), ascentworks.com (x2), LWSupply.com (x2),
camelothomes.com, truteam.com, willisroof.com. Saved to `.vwp-phish-recipients.txt`.
- Multi-AI: `bash .claude/skills/grok/scripts/ask-grok.sh review-files`; agy at
`/c/Users/guru/AppData/Local/agy/bin/agy.exe -p --add-dir`.
- Vault: `clients/lonestar-electrical/unraid-server.sops.yaml`.