diff --git a/session-logs/2026-06/2026-06-17-mike-unifi-cloud-connector-ai-tooling.md b/session-logs/2026-06/2026-06-17-mike-unifi-cloud-connector-ai-tooling.md new file mode 100644 index 00000000..2ca62658 --- /dev/null +++ b/session-logs/2026-06/2026-06-17-mike-unifi-cloud-connector-ai-tooling.md 
@@ -0,0 +1,142 @@ +# Session - UniFi cloud Site Manager connector (UOS parity), AI-tooling audits + reliability, skill harvest + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Session Summary + +Continuation of the 2026-06-16/17 MSP+harness day. Opened by finishing the Scileppi Mac +downloads redesign and resolving Syncro #32333 (corrected after a hallucinated/no-preview comment; +re-sent accurately, no charge). Then an error-log review drove two harness fixes: a PowerShell-2 +guard in `onboarding-diagnostic.ps1` (it was PS3+ only, crashed on Win7/AMT-PC) and a new +`feedback_windows_quote_stripping` memory consolidating the recurring embedded-double-quote bug. + +A large block was an RTFM audit of the second-model / Tier-0 skills against their real docs/APIs: +**grok** had a genuine bug (its multi-agent `web_search` was strangled by the wrapper's blanket +`--no-subagents`) - fixed, plus pinned `-m grok-build` for reasoning modes and corrected doc drift; +**gemini (agy)** audited clean (pinned model still valid); **ollama** had a broken endpoint +auto-detect one-liner in OLLAMA.md (urlopen-as-truthiness raises instead of failing over) - fixed. +Harvested 4 MIT skills from obra/superpowers (the Anthropic pdf/mcp-builder/canvas-design/ +theme-factory skills are license-restricted - installed those via the official Claude Code +marketplace instead). Curated the ACG brand kit into the website-showcase project and synced to Gitea. + +The centerpiece: a UniFi cloud capability. Mike provided a UniFi Site Manager API key. Mapped the +API empirically + via grok/gemini: `api.ui.com/v1/hosts|sites|devices|isp-metrics` gives fleet +inventory + WAN/ISP telemetry, and - the breakthrough - the **cloud CONNECTOR** +(`/v1/connector/consoles/{id}/proxy/network/...`) reaches each console's LOCAL Network API +remotely with the same account key, including the internal `/stat/device|sta` endpoints. 
That is +**full UOS parity** (per-radio cu_total airtime, per-client RSSI) for ALL 36 ACG consoles, no UOS +server / no LAN/VPN. Built `gw-sitemanager.sh` (fleet/devices/sites/isp/net) and wired the existing +`model-rank`/`optimize-radios` analyses to the connector via `--console` (new `rf-analyze.py`). +Validated against Cascades through the connector - matched the UOS-Mongo figures exactly (75 APs, +2.4GHz util 65-90%/interf 53-78%, all power-down) after fixing a macs[] gotcha (the report endpoint +returns only ~10 of 77 APs unless you POST the MAC list). + +Made `neighbor-collect.sh` connector-capable (name map from the cloud) so disable-analysis works on +remote sites. Researched gateway VPN/Teleport: the connector reaches VPN-server config and Teleport +settings; web search found the Teleport invite-link API (`POST /cmd/teleport`). Finally, on Mike's +must-fix directive, properly fixed the web-search bots (diagnosed from raw output): gemini gets +3-retry+backoff for its intermittent empty turns; grok xsearch (which chronically times out on +multi-part queries) now uses streaming-json and auto-falls-back to gemini search. + +## Key Decisions + +- **Connector internal stat API = the parity path.** The Site Manager API alone is inventory-only; + the connector proxy to `/proxy/network/api/s//stat/*` returns the same `ace_stat` depth as + UOS Mongo. Used that for the `net` command and rf-analyze, giving fleet-wide parity beyond UOS. +- **Left the UOS-Mongo path 100% untouched;** the connector path is purely additive (`--console` + flag) - "don't lose functionality." +- **Gemini is the reliable web-search engine; grok xsearch is best-effort with gemini fallback.** + Diagnosed grok's failure as a real multi-agent timeout (xAI-side), so a fallback - not more budget - + is the right fix. +- **Anthropic skills are NOT vendored** (their LICENSE.txt forbids copying/derivatives/redistribution); + installed via the official marketplace per-machine instead. 
Only MIT (obra) skills were committed. +- **Web search >= blind endpoint-probing** (Mike's correction): probing guesses URLs and mostly 404s; + the searches gave the real leads. Probe only to CONFIRM a search/doc hypothesis; reading our own + config is fine. + +## Problems Encountered + +- **#32333 hallucinated comment sent without preview** - logged correction+friction; rewrote + accurately, previewed, re-sent. +- **grok xsearch returned empty** - root-caused (RTFM): `web_search` = multi-agent model, killed by + `--no-subagents`. Later found it ALSO times out on heavy queries -> streaming-json + gemini fallback. +- **Cascades connector run showed 10 of 77 APs** - the `/stat/report/*.ap` endpoint defaults to a + small subset; fixed by POSTing `macs:[]` (now 75, matching UOS). +- **Teleport "no API" was wrong** - I'd probed wrong paths; the real surface is `/rest/setting/teleport` + (config) and `POST /cmd/teleport {"cmd":"invite-link"}` (invites), found via gemini + live verify. +- **Repeated empty captures** from mixing backgrounded ask-grok/gemini (`&`+`wait`) with foreground + work in one Bash call - logged as friction; run AI calls as separate run_in_background tool calls. +- **errorlog rebase conflict** with Howard's auto-sync - resolved by keeping both entries. + +## Configuration Changes + +New/changed (committed + pushed): +- `.claude/skills/unifi-wifi/scripts/gw-sitemanager.sh` - NEW cloud backend (fleet/host/devices/sites/isp/net/find/raw). +- `.claude/skills/unifi-wifi/scripts/rf-analyze.py` - NEW connector-fed analyzer (rank/optimize). +- `.claude/skills/unifi-wifi/scripts/model-rank.sh`, `optimize-radios.sh` - added `--console [--site]` route. +- `.claude/skills/unifi-wifi/scripts/neighbor-collect.sh` - added `--console [--site]` (connector name map). +- `.claude/skills/unifi-wifi/references/site-manager-api.md` - NEW full catalog (3 tiers + connector + VPN/Teleport). +- `.claude/skills/unifi-wifi/SKILL.md` - Plane 3 (cloud) note. 
+- `.claude/skills/grok/scripts/ask-grok.sh` - xsearch subagents/yolo fix, grok-build pin, streaming-json + gemini fallback. +- `.claude/skills/grok/SKILL.md` - model/xsearch/fallback notes. +- `.claude/skills/agy/scripts/ask-gemini.sh` - emit_or_fail 3-retry+backoff; version bump. +- `.claude/skills/agy/SKILL.md` - version/verified-date. +- `.claude/OLLAMA.md` - fixed the broken endpoint auto-detect one-liner. +- `.claude/scripts/onboarding-diagnostic.ps1` - PS2 version guard. +- `.claude/skills/{brainstorming,root-cause-tracing,test-driven-development,using-git-worktrees}/` - harvested (MIT). +- `projects/acg-website-showcase/brand-kit/` - curated ACG brand assets (14M). +- Memories: `feedback_windows_quote_stripping`, `feedback_interview_ai_read_docs`, + `feedback_web_search_over_probing`, `reference_unifi_site_manager_api`. +- `docs/CT_THOUGHTS.md` - Thought 2 (web-search reliability, Fixed). + +## Credentials & Secrets + +Vaulted this session (via vault-helper, encrypted + pushed to the vault repo): +- `services/unifi-site-manager` - UniFi Site Manager / Cloud API key (account owner mike@azcomputerguru.com). + Auth header `X-API-KEY`. Grants remote read of all ~36 ACG consoles + the connector deep path. +- `clients/brooklyn-skybar/udm-ssh` - Brooklyn/Skybar UDM root SSH password (root / vav0neb6vnf7FER-gev), + WAN 67.1.139.219. NOTE: WAN SSH/HTTPS (22/443/8443) is firewalled - reach via the connector, not direct. + +## Infrastructure & Servers + +- UniFi Site Manager API: base `https://api.ui.com`; connector proxy + `https://api.ui.com/v1/connector/consoles/{hostId}/proxy/network/...`. +- Brooklyn/Skybar console id `E43883325A01...77EA56D0000000063AA61F7:2109856759`, WAN 67.1.139.219, + UDM Pro, 31 devices, OpenVPN server enabled (67.1.115.174:1194), WireGuard server (disabled), Teleport enabled. +- "UOS Server" host id `2d6b654d-9b79-4eaa-b2e1-52062a5690ef` (ext 98.181.90.163), 47 sites; Cascades = site `va6iba3v`. 
+- Ollama (GURU-5070) localhost:11434 v0.30.8; models qwen3:8b/qwen3.6:latest/qwen3:14b/codestral:22b/nomic-embed-text. + +## Commands & Outputs + +- Cloud fleet: `bash .claude/skills/unifi-wifi/scripts/gw-sitemanager.sh fleet` (36 consoles). +- Deep parity: `... net "Brooklyn/Skybar" radios|clients`; via UOS Server: `... net "UOS Server" --site va6iba3v ...`. +- Analysis on non-UOS: `model-rank.sh --console "" [--site ] [days] [band]` / `optimize-radios.sh --console ...`. +- Cascades validated: `model-rank.sh --console "UOS Server" --site va6iba3v 7 ng` -> 75 APs, matched UOS. +- search-bot e2e: grok xsearch timed out (rc=124) -> `[grok xsearch timed out -> answered via gemini search]` -> real answer. + +## Pending / Incomplete Tasks + +- **On-demand VPN/tunnel for SSH access** (the open thread to continue): a host running Claude (or a + Linux jump host) brings up the gateway's OpenVPN/WireGuard server config on demand for AP-VLAN reach. + Solid: OpenVPN server config is readable via connector (`networkconf` x_ca_crt/x_shared_client_crt/ + x_shared_client_key/x_auth_key + WAN + RADIUS `/rest/account`). Open (settle via web search now that + it works): cleanest per-client `.ovpn`/`.conf` retrieval/download endpoint; WireGuard peer-create flow. +- **Gated `vpn` command** for gw-sitemanager.sh (read VPN/WAN/Teleport; create/modify + Teleport + invite-gen behind DRY-RUN+confirm) - offered, not built. +- Teleport invite gen (`POST /cmd/teleport {"cmd":"invite-link"}`) - found but NOT fired (write). +- Two observations from the ollama audit: GURU-5070 missing from the OLLAMA.md machine table; + syncro/feature-request hardcode qwen3:14b/3.6 instead of identity.json prose_model. +- AMT-PC Bitdefender push (Mike, via Syncro). 
+ +## Reference Information + +- Commits (origin/main this session, newest first): `9b553179` errorlog, `972bade0` search-bot fix, + earlier: `7e435e31` neighbor-collect connector + VPN/Teleport doc, `47b31dcd` Cascades validation, + `f987812f` rf-analyze, `6fdc21d9` cloud backend, plus grok/gemini/ollama/skill-harvest/brand-kit commits. +- Catalog: `.claude/skills/unifi-wifi/references/site-manager-api.md`. +- Syncro #32333 (Scileppi) internal id 111242786 - Resolved, no charge. +- Marketplace install for Anthropic skills: `/plugin marketplace add anthropics/skills` then + `/plugin install document-skills@anthropic-agent-skills` + `example-skills@anthropic-agent-skills`.
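Review bot: The `## Credentials & Secrets` section commits the Brooklyn/Skybar UDM root SSH password in plaintext, next to that console's WAN address, in the `clients/brooklyn-skybar/udm-ssh` entry. That defeats the vaulting the same section describes. Keep only the vault path in the log (as the `services/unifi-site-manager` entry already does), and rotate the password, since the value stays in git history once this file is pushed. The same section says the one `X-API-KEY` grants remote read of all ~36 consoles plus the connector deep path, and the pending VPN item lists `x_shared_client_key` and `x_auth_key` as readable through that connector, so the log should also record who can read the vault entry and whether the key can be scoped down. If this repo is readable more widely than the vault, consider trimming the console id, host id and WAN/VPN addresses in `## Infrastructure & Servers` to references as well.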