wiki: compile gururmm (update) — Feature 6 security-detection-alerts spec'd

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-07 14:02:10 -07:00
parent 8b016edb9d
commit 1952c36675
2 changed files with 14 additions and 3 deletions

View File

@@ -1,6 +1,6 @@
# Wiki Index
Last updated: 2026-07-06
Last updated: 2026-07-07
Compiled by: HOWARD-HOME/claude-main
(2026-07-06: added Goldstein client article; added Reference section — client Wi-Fi inventory.)
@@ -70,7 +70,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Article | Summary | Last Compiled |
|---|---|---|
| [GuruRMM](projects/gururmm.md) | RMM platform, Rust/Axum server + React dashboard + cross-platform agent; **agent v0.6.78 fleet-wide stable / 0.6.79 beta / server v0.3.103 / dashboard = Fleet-Policy Console**; ~360 enrolled; migrations through 068_visible_agents_folder_id. Merge to main = build+deploy; channel default FAIL-CLOSED beta (BUG-023), explicit promote to stable. Recent (2026-07-06): **Fleet-Policy Management Console** shipped to PROD (policy-ui — folder tree table / place-devices / effective-policy viewer / version-history / backfill; migration 068, folder_id in API); **WS-looper comms-durability** hardening (bounded WS write-timeout + heartbeat-count blackhole-vs-stall diagnostic + AIMD adaptive keepalive; agent 0.6.79 beta / server 0.3.102). Prior (2026-07-04/05): four bug-fix batches v0.3.95->v0.3.99 + policy-core (migration 067). **BUG-024 OPEN/CRITICAL** — Linux glibc incident, Linux binaries QUARANTINED (re-quarantined every build) pending glibc-floor fix; 4 chronic one-way-WS agents now have a server-visible blackhole diagnostic. Active development | 2026-07-06 |
| [GuruRMM](projects/gururmm.md) | RMM platform, Rust/Axum server + React dashboard + cross-platform agent; **agent v0.6.78 fleet-wide stable / 0.6.79 beta / server v0.3.103 / dashboard = Fleet-Policy Console**; ~360 enrolled; migrations through 068_visible_agents_folder_id. Merge to main = build+deploy; channel default FAIL-CLOSED beta (BUG-023), explicit promote to stable. Recent (2026-07-06): **Fleet-Policy Management Console** shipped to PROD (policy-ui — folder tree table / place-devices / effective-policy viewer / version-history / backfill; migration 068, folder_id in API); **WS-looper comms-durability** hardening (bounded WS write-timeout + heartbeat-count blackhole-vs-stall diagnostic + AIMD adaptive keepalive; agent 0.6.79 beta / server 0.3.102). Prior (2026-07-04/05): four bug-fix batches v0.3.95->v0.3.99 + policy-core (migration 067). **BUG-024 OPEN/CRITICAL** — Linux glibc incident, Linux binaries QUARANTINED (re-quarantined every build) pending glibc-floor fix; 4 chronic one-way-WS agents now have a server-visible blackhole diagnostic. Spec'd 2026-07-07: Feature 6 Phase-1 `security-detection-alerts` (Bitdefender detections -> RMM alerts, planning only). Active development | 2026-07-07 |
| [GuruConnect](projects/guruconnect.md) | ACG's proprietary Rust remote-access/remote-support tool (ScreenConnect-class) — Windows agent + web dashboard; **v0.3.0 production** at connect.azcomputerguru.com; versioned integration contract with GuruRMM; co-located on the physical .30 box (shares the PG cluster); next: SPEC-018 session broker / capture worker as SYSTEM | 2026-06-12 |
| [GPS -> GuruRMM Coverage Audit](projects/gps-rmm-audit.md) | Verify every GPS-billed client is fully enrolled in GuruRMM with billed services real (backup/AV/email). Single current list = `gps-master-status.md`. Phase 4 backup verification: authoritative source = MSP360 API (not B2 buckets); only 16/40 bill backup (7 OK / 2 review / 7 NOT backing up, endpoint-verified). Built msp360/seafile/owncloud/datto-workplace skills; 20 client wikis (56->76); onsite installer kit (Desktop/CLIENTS). Onboarded Janet Altschuler/Marty Ryan/BST + 3 shells. Datto Workplace key pending Mike; billing findings HELD for Winter/Mike; AutoEnroll task disabled | 2026-07-07 |
| [Dataforth DOS — Test Datasheet Pipeline](projects/dataforth-dos.md) | DOS update system + TestDataDB pipeline (Node.js, PostgreSQL, Hoffman API); 469K records, 458.5K live on website; 2025 crypto attack recovery; security incident 2026-03-27; SCMVAS/SCMHVAS extension; email notifications via Graph API | 2026-05-24 |

View File

@@ -2,11 +2,13 @@
type: project
name: gururmm
display_name: GuruRMM
last_compiled: 2026-07-06
last_compiled: 2026-07-07
compiled_by: Howard-Home/claude-main
aliases:
- guru-rmm
sources:
- "projects/msp-tools/guru-rmm/session-logs/2026-07/2026-07-07-howard-feature6-security-detection-alerts-spec.md"
- "gururmm@main: specs/security-detection-alerts/{shape,plan,references,standards}.md (commit b9f25fd — Feature 6 Phase-1 detections-as-alerts spec)"
- "gururmm@main: commit 5bf7896 (ContextTree collapse-during-search fix — dashboard/src/components/ContextTree.tsx, beta)"
- "projects/msp-tools/guru-rmm/session-logs/2026-07/2026-07-06-howard-tree-collapse-search-fix.md"
- "gururmm@origin/main f0320a4: policy-ui Fleet-Policy Console (migration 068_visible_agents_folder_id, folder_id in API d028ca1, dashboard rebuild bd25fa9), PROD deploy; agent 0.6.79 / server 0.3.103"
@@ -181,6 +183,12 @@ GuruRMM is a Remote Monitoring & Management platform built by Arizona Computer G
## Recent Work
### 2026-07-07 — Feature 6 Phase-1 spec'd: security-detection-alerts (Bitdefender detections -> RMM alerts) (Howard-Home, commit b9f25fd, planning only)
Howard re-affirmed **Feature 6** (multi-vendor AV/EDR integration) in `docs/RMM_THOUGHTS.md` — the driver is single-pane alerting (see a machine's EDR/AV threat state in the RMM instead of logging into each vendor console, the model NinjaOne/Datto/ConnectWise offer), flagged Mike for a discuss pass (coord msg `6bd16a7e`), then `/shape-spec`'d it. Scope was narrowed by Howard to **detections only** — no scan/isolate/policy (those stay Feature 6 Phase 2). The spec landed at `specs/security-detection-alerts/` (shape/plan/references/standards). Key research finding: the vendor-agnostic **integration-plugin framework already exists** (migration 065, CrowdStrike Falcon = plugin #1) and CrowdStrike's v1 *explicitly deferred* detection ingestion — so this slice is a **new `bitdefender` plugin (GravityZone client ported from the `bitdefender` skill) + a vendor-agnostic detection->alert helper** routing threats into the existing `alerts` table via `create_or_update_alert` (the same pattern `mspbackups/sync.rs` uses), not a green-field trait/schema. No new dashboard page (detections reuse the Alerts view), likely no new migration. Build + verify on the **beta RMM site** first. **Not built, not approved** — still needs Mike's go (GuruRMM is his project). P2.
---
### 2026-07-06 — Dashboard: Infrastructure-tree collapse-during-search fix (Howard-Home, commit 5bf7896, beta)
`ContextTree.tsx` force-expanded every client/site group whenever the filter box held text (`expanded[id] || !!filter`), so collapse clicks were discarded during a search — expand/collapse worked normally only with an empty filter (Howard-reported). Fixed to `expanded[id] ?? !!filter` (nullish) so a search sets only the DEFAULT open state and an explicit collapse is honored mid-search; `toggle(id, currentlyExpanded)` now flips the *visible* state (the stored value is `undefined` for an untouched group, so `!undefined === true` made the first collapse click a no-op). `verify.sh dashboard` (tsc + vite) clean; verified working on beta (rmm-beta) by Howard. Minor UI fix, no version bump — prod promotion deferred to ride the next `promote-dashboard.sh` run.
@@ -412,6 +420,7 @@ Agent<->server communication is a persistent authenticated WebSocket with auto-r
- **API:** `GET/POST /api/integrations`, `GET/DELETE /api/integrations/:id`, `GET/PUT /api/integrations/:id/credentials`, `GET/PUT /api/integrations/:id/mappings`, `DELETE /api/integrations/:id/mappings/:mapping_id`, `GET /api/integrations/:id/sync-state`, `POST /api/integrations/:id/test`.
- **First plugin: CrowdStrike Falcon.** API client + periodic sync worker (default `sync_interval_seconds=900`) pulls sensor state into `integration_agent_links`. Framework is modeled on the proven per-partner MSPBackups shape (migration 034).
- **No dedicated dashboard UI yet** — this is API/backend-only as of this compile (verify before claiming a management screen exists).
- **Detection ingestion is SPEC'D, not built (2026-07-07, `specs/security-detection-alerts/`):** the Feature 6 Phase-1 slice adds a `bitdefender` plugin whose `sync()` surfaces GravityZone detections as normal RMM alerts (via a vendor-agnostic `ingest_detections` helper -> `create_or_update_alert`, `alert_type="security_detection"`). CrowdStrike's plugin deliberately deferred detection ingestion; this is that slice. Read-only (no scan/isolate/policy). Awaiting Mike's go; build/test on beta first.
### Policy & Configuration Management
- **Policy folders + inheritance ("policy-core", NEW, deployed 2026-07-05, migration 067, merge e7e90c2):** per-client **folder tree** replacing the fixed global->client->site->agent stack for agents placed in a folder. Exactly one root folder per client; any folder optionally references a library policy (`policy_folders.policy_id`); `agents.folder_id` places a device in the tree; effective policy is the merged ancestry root->leaf plus an optional per-asset override. Recompute+push on policy edit is scoped to affected agents only. `policy_versions` gives every policy edit an immutable snapshot for diff/rollback and per-device "what changed." **Non-breaking migration by construction:** every new column/table is nullable, `folder_id` is NULL fleet-wide until an explicit, verification-gated, dry-run-capable backfill job runs (`POST /policy-folders/backfill`) — until then effective-policy resolution stays on the legacy path. **API:** `GET/POST /clients/:id/policy-folders`, `DELETE /policy-folders/:id`, `PUT /policy-folders/:id/rename`, `PUT /policy-folders/:id/policy`, `PUT /policy-folders/:id/parent` (move), `PUT /agents/:id/folder` (placement), `POST /policy-folders/backfill`. **Explicitly out of scope for policy-core:** module editor UI, drag-and-drop, subtree RBAC, tags/multi-folder membership, conditional modules, compliance compare engine, App Store UI — no agent-side change (wire format unchanged).
@@ -788,11 +797,13 @@ These decisions are locked. Do not reverse without explicit user approval.
| 2026-07-05 | BUG-018 altitude fix shipped (Howard, migration 066, server v0.3.98): `visible_agents` DB view + `BEFORE UPDATE` schema trigger replace nine scattered inline `status<>'deleting'` filters; all three WS auth paths reject mid-purge rows. |
| 2026-07-05 (11:05 PT) | Bug-fix batch 4 merged (Howard, server v0.3.99): pending-command 7-day TTL, agent-status reconciler for zombie 'online' rows, stale pending-update supersede logic. BUG-024 discovered (CRITICAL, OPEN): Linux agent binaries built against the build host's newer glibc crash-looped every older-distro Linux agent that took the newly-enabled update offer; mitigated via quarantine, real glibc-floor fix pending. |
| 2026-07-05 | Policy-core (policy folders + inheritance) deployed to production (Mike, merge `e7e90c2`, migration 067 renumbered from 066): per-client folder tree with inheritance resolution, versioning, scoped recompute+push, and a gated/dry-run backfill — non-breaking by construction. Follow-on policy-ui (dashboard UI) shape spec added same day (`01d962a`), not yet implemented. |
| 2026-07-07 | Feature 6 (multi-vendor AV/EDR) re-affirmed by Howard and `/shape-spec`'d to `specs/security-detection-alerts/` (commit `b9f25fd`): Phase-1 slice = Bitdefender GravityZone detections surfaced as RMM alerts on the existing integration-plugin framework (new `bitdefender` plugin + vendor-agnostic detection->alert helper), the detection-ingestion piece CrowdStrike's v1 deferred. Planning only; read-only; awaiting Mike's go; build/test on beta. |
---
## Compilation Notes
- **2026-07-07 update (Howard-Home/claude-main):** Incremental update mode, 1 new source (the Feature 6 security-detection-alerts spec log). Surgical edits only: new Recent Work entry, a "detection ingestion SPEC'D" bullet under Third-Party Integrations Framework, a History Highlights row, and frontmatter. No capability/fleet/version state changed — this was a planning/spec session (no shipped code, no deploy). Everything else left byte-for-byte intact.
- **2026-07-05 recompile (Howard-Home/claude-main):** Full rebuild. Delta from 2026-07-04 (migrations 65 -> 67; agent 0.6.77 -> 0.6.78 fleet-wide stable; server 0.3.96 -> 0.3.99; dashboard v0.2.83 beta). Major additions: **Policy-core** (migration 067, `e7e90c2`) — new Capabilities subsection, locked decision #14, follow-on policy-ui gap; **four sequential bug-fix batches** (repair batch 2/v0.3.97, batch 3/v0.3.98, batch 4/v0.3.99) folded into Recent Work + Capabilities; **BUG-003 CLOSED** (was open); **BUG-018** corrected from the morning's status-write-guard fix to the full v0.3.98 schema-level view+trigger fix; **BUG-023 (NEW)** — channel-race incident caused by the 07-04 scanner fix, own Recent Work entry + anti-pattern + locked decision #15; **BUG-024 (NEW, OPEN, CRITICAL)** — Linux glibc incident, documented across Recent Work/Capabilities/Active State/Architecture; **comms-durability Phase 1 marked COMPLETE** (was T2/T3-planned). All prior anti-patterns/good-patterns preserved verbatim except one ("build classification defaulting to stable") marked superseded rather than deleted.
- **2026-07-04 recompile (Howard-Home/claude-main):** Delta from 2026-06-25 (migrations 64 -> 65; agent 0.6.75 -> 0.6.77 modern / 0.6.76 legacy-frozen; server 0.3.87 -> 0.3.96; fleet 270 -> 359 enrolled). Added: Third-Party Integrations Framework, VSS Policy Configurator, Policy-Controlled Tray Deployment, legacy build variant disabled, cross-site agent dedup fix, 2026-07-04/05 easy-bugs + alert-triage batch.
- **2026-06-25 recompile (Howard-Home/claude-main):** Delta from 2026-06-22 — SPEC-030 remote software inventory + bulk uninstall added as a major Capabilities subsection; universal self-detecting installer (Feature 9) P1 shipped; Current Focus rewritten; flagged the old "pending PRs #40-#46, migrations 061-063" prediction as superseded because software-removal work consumed 061-064 instead.