syncro: expand skill to full Syncro API surface (assets/RMM/deploy) + verified capability model
Add comprehensive Syncro coverage beyond PSA core: - New .claude/standards/syncro/api-reference.md: complete verified inventory of ~180 endpoints across 38 resource types (generated from live OpenAPI 3.0 spec + tenant probe 2026-07-10), with worked GET/POST/PUT/DELETE templates and token-capability matrix. - /syncro: asset read intelligence (patches, installed_applications), asset create/update, policy-folder move (move-asset), RMM alerts, and deploy-agent (hybrid installer push via GuruRMM using SyncroSetup --console --allow-force-reboot). - move-asset ships a capability preflight (GET /policy_folders?customer_id -> 401 = missing Assets-Policy-Change) + mandatory post-write verify, because an under-scoped token returns HTTP 200 and silently no-ops the move. Correct the "Syncro RMM is API-impossible" belief: it was a token-scope gap, not an API limit. Live-verified the asset move (flip-and-restore 692253->692278->692253). Token scope today: Howard + Winter full; Mike (vaulted ...ebbeb3) still 401 pending re-vault. Corrects memory reference-syncro-rmm-api-gui-only; correction logged to errorlog.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,15 +1,41 @@
|
||||
---
|
||||
name: reference-syncro-rmm-api-gui-only
|
||||
description: Syncro's public API cannot manage RMM policies/folders — creation, assignment, and asset moves are GUI-only (live-verified 2026-06-25)
|
||||
description: Syncro asset/RMM IS API-drivable (reads, create/update, patches, installed_apps, rmm_alerts) — only policy-folder ops need a token scope our per-user keys currently lack (re-verified 2026-07-10)
|
||||
metadata:
|
||||
type: reference
|
||||
---
|
||||
|
||||
**Syncro RMM policy management is GUI-only — the public REST API does NOT expose it.** Live-verified against the ACG production tenant (computerguru.syncromsp.com) on 2026-06-25:
|
||||
**CORRECTION (2026-07-10): most of Syncro's asset/RMM surface IS API-drivable — the earlier
|
||||
"RMM is GUI-only" conclusion was a token-scope symptom, not an API limitation.** Live-probed
|
||||
the ACG production tenant with a per-user token (howard) on 2026-07-10 and confirmed against
|
||||
the OpenAPI 3.0 spec (`api-docs.syncromsp.com/swagger.json`):
|
||||
|
||||
- `GET /customer_assets` objects carry a read-only **`policy_folder_id`** field (which policy folder the machine sits in). **`PUT /customer_assets/{id}` with `policy_folder_id` is silently ignored** — returns HTTP 200 but the value never changes. Proven by a flip-and-restore test on ACG-internal asset 12335235 (DESKTOP-0O8A1RL): value stayed at folder 692253. **You CANNOT move a machine between policy folders via the API.**
|
||||
- `/policies`, `/policy_builders`, `/rmm_policies`, `/asset_policies` all return **404** — no policy-CRUD endpoints exist. Policy Builder (the `/policy_builders` GUI page) is web-console only.
|
||||
- `/policy_folders` (collection and specific-ID) returns **401** — the route exists but our API token lacks RMM/policy scope. A re-issued token *might* read folders, but since assets can't be moved anyway, it's moot for the move use case.
|
||||
- Syncro docs (docs.syncrosecure.com / docs.syncromsp.com "Work with Policies") confirm: policies are created in Policy Builder, assigned via an Organization's "Assets & Policies" subtab "Update Assigned Policy" dropdown, or "Bulk Assign Top-Level Policy" — all GUI, **no API mention**.
|
||||
- **Works with our current per-user token (HTTP 200):** `GET/POST /customer_assets`,
|
||||
`PUT /customer_assets/{id}` (name/serial/type/customer/properties — `name` required),
|
||||
`GET /customer_assets/{id}/patches`, `.../installed_applications`, `/rmm_alerts` (list +
|
||||
`{id}/mute` + DELETE clear), plus contacts, contracts, leads, vendors, purchase_orders,
|
||||
products, payments, wiki_pages, `/me`, `/search`. The `/syncro` skill now documents the
|
||||
asset-read/asset-write/rmm-alert/agent-deploy workflows; the full inventory is in
|
||||
`.claude/standards/syncro/api-reference.md`.
|
||||
- **Policy-folder move: VERIFIED WORKING with a full-scope token (2026-07-10).** Howard's
|
||||
token was upgraded to full scope; flip-and-restore on ACG-internal asset `12335235`
|
||||
(`692253 → 692278 → 692253`) succeeded, each confirmed by GET. `PUT /customer_assets/{id}`
|
||||
with `policy_folder_id` (+ required `name`) moves the asset. The spec: *"only
|
||||
policy_folder_id requires **Assets - Policy Change**; with other fields requires **Assets -
|
||||
Edit** AND **Assets - Policy Change**; nil/nonexistent/cross-customer folder → 422."*
|
||||
- **Route quirks:** `GET /policy_folders` (bare) → 404; `GET /policy_folders?customer_id=N` →
|
||||
200 (enumerate a customer's folders); `GET /policy_folders/{id}` → 401 even at full scope.
|
||||
- **Per-user scope differs — capability-check every scope-gated write.** A token WITHOUT
|
||||
Policy-Change returns HTTP 200 and silently no-ops the move (the exact 2026-06-25 symptom
|
||||
that produced the original "GUI-only" belief); `/me` shows coarse `asset:{write:true}` and
|
||||
cannot detect it. The `/syncro move-asset` helper preflights `GET /policy_folders?customer_id=N`
|
||||
(401 = no scope) and verifies the folder actually changed after the PUT. Only Howard's token
|
||||
is confirmed full-scope so far; grant the scope to each per-user token for consistent behavior.
|
||||
- **Archive (retire) IS genuinely GUI-only** — no archive endpoint, no `archived` field, and
|
||||
DELETE is destructive. That part of the old note stands.
|
||||
|
||||
**How to apply:** Do NOT attempt to build `/syncro move-asset` or any Syncro RMM policy/folder/group capability — it's not buildable on the public API. Don't re-probe these endpoints. The only API-drivable policy surface in the fleet is the `bitdefender` skill (GravityZone: create/assign policies, custom groups, move endpoints). For Syncro RMM policy work, direct the user to the Syncro web console. The `/syncro` skill stays PSA-only (tickets/billing/customers/scheduling/estimates + read-only asset lookup). See [[feedback-psa-default-syncro]].
|
||||
**How to apply:** Build/asset-manage freely via API for everything EXCEPT policy folders. To
|
||||
unlock `/syncro move-asset` + policy CRUD, add **Assets - Policy Change** + policy-folder
|
||||
read/manage to the Syncro API token (Admin → API Tokens), re-vault, then flip-and-restore
|
||||
verify on ACG-internal asset `12335235` (folder `692253`). Do NOT re-assert "can't do assets
|
||||
via API" — that was wrong. See [[feedback-psa-default-syncro]] and the api-reference doc.
|
||||
|
||||
Reference in New Issue
Block a user