sync: auto-sync from GURU-5070 at 2026-05-24 13:57:13

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-24 13:57:13

.claude/skills/rmm-audit/SKILL.md

@@ -1,14 +1,16 @@
 ---
 name: rmm-audit
 description: |
-  Periodic end-to-end verification of the GuruRMM codebase. Runs 5 parallel audit
-  passes: (1) API/route inventory cross-reference, (2) UI coverage and gap update,
-  (3) Rust code quality and standards compliance, (4) TypeScript/frontend quality,
-  (5) security and data integrity. Produces a timestamped audit report and updates
-  the living docs (UI_GAPS.md, FEATURE_ROADMAP.md). Takes 10-20 minutes.
+  Periodic end-to-end verification of the GuruRMM codebase and build infrastructure.
+  Runs 5 parallel audit passes: (1) API/route inventory cross-reference, (2) UI
+  coverage and gap update, (3) Rust code quality and standards compliance,
+  (4) TypeScript/frontend quality, (5) security and data integrity. A 6th sequential
+  pass audits build pipeline health (logs, artifacts, change gates, script integrity).
+  Produces a timestamped audit report and updates the living docs (UI_GAPS.md,
+  FEATURE_ROADMAP.md). Takes 10-20 minutes.
 
   Invoke explicitly only — no auto-trigger. Use /rmm-audit for a full audit.
-  Optional arg: --pass=<name> to run a single pass (api, ui, rust, ts, security).
+  Optional arg: --pass=<name> to run a single pass (api, ui, rust, ts, security, pipeline).
 ---
 
 # GuruRMM End-to-End Audit
@@ -22,14 +24,16 @@ report file and living docs are updated. No code is changed.
 
 ```
 Phase 0: Context load (coordinator reads key files)
-Phase 1: Spawn 4 parallel audit agents
-Phase 2: Collect findings, aggregate, score
-Phase 3: Write report + update living docs
-Phase 4: Present summary to user
+Phase 1: Spawn 5 parallel audit agents (codebase passes)
+Phase 2: Run build pipeline audit (sequential — requires SSH to build server)
+Phase 3: Collect findings, aggregate, score
+Phase 4: Write report + update living docs
+Phase 5: Present summary to user
 ```
 
-The audit is orchestrated here (Claude coordinator). All heavy passes run in
-parallel subagents. Each agent returns structured findings; the coordinator
+The audit is orchestrated here (Claude coordinator). All codebase passes run in
+parallel subagents. The build pipeline pass runs sequentially after (it touches
+live server state via SSH). Each agent returns structured findings; the coordinator
 aggregates and writes the final report.
 
 ---
@@ -214,9 +218,128 @@ Return structured findings with file:line references.
 
 ---
 
-## Phase 2: Aggregating Findings
+---
 
-Collect all four agents' outputs. Classify each finding:
+### Agent E — Build Pipeline Health
+
+**Goal:** Verify the build/deploy infrastructure is functioning correctly and producing
+fresh, trustworthy artifacts. This pass catches issues invisible to codebase-only
+audits: log rot, stale artifacts, dead pipeline paths, and change gate failures.
+
+**NOTE:** This agent runs sequentially (after Agents A–D complete) because it SSHes
+into the live build server. It is read-only — it checks state but does not trigger builds.
+
+**Instructions for agent:**
+
+Connect to the build server: `ssh guru@172.16.3.30`
+
+**1. Log integrity — check for doubling and freshness:**
+
+```bash
+# Check Windows build log — each line should appear exactly once
+tail -50 /var/log/gururmm-build-windows.log
+# Check Linux build log
+tail -50 /var/log/gururmm-build-linux.log
+```
+
+- Lines duplicated (same content appearing twice in a row) → `[HIGH]` log doubling — double-writer bug
+- Last entry timestamp > 7 days old AND recent pushes known → `[HIGH]` stale log — builds may be silently failing
+- Log file missing entirely → `[CRITICAL]` — build infrastructure not initialised
+- Presence of `=== PHASE:` markers → `[INFO]` phase tracking is active (expected)
+
+**2. Artifact freshness — check distribution directory:**
+
+```bash
+ls -lht /var/www/gururmm/downloads/windows/amd64/ | head -10
+ls -lht /var/www/gururmm/downloads/linux/amd64/ | head -10
+```
+
+- Newest MSI/EXE older than 14 days AND active development confirmed → `[HIGH]` artifacts stale
+- Legacy path `/opt/gururmm/updates/windows/amd64/` should NOT be served (it is the old path); if a
+  symlink or nginx config still points there → `[HIGH]` dead artifact path still active
+
+**3. Per-platform last-built-commit recency:**
+
+```bash
+cat /opt/gururmm/last-built-commit-linux
+cat /opt/gururmm/last-built-commit-windows
+cat /opt/gururmm/last-built-commit-mac
+```
+
+- SHA should be recent relative to `git log --oneline -5` in `/home/guru/gururmm`
+- Linux and Windows SHAs diverging by many commits → `[MEDIUM]` platform builds out of sync
+- A SHA that resolves to a commit months old while git log shows recent work → `[HIGH]` change gate stuck
+
+**4. Stale lock files:**
+
+```bash
+ls -la /var/run/gururmm-build-*.lock 2>/dev/null
+```
+
+- Lock file present with no corresponding running process → `[HIGH]` orphaned lock, all future builds for that
+  platform will be blocked until manually removed
+- Check: `ps aux | grep build-` — if no `build-linux.sh` / `build-windows.sh` running but lock exists, it's orphaned
+
+**5. Script syntax validity:**
+
+```bash
+bash -n /opt/gururmm/build-shared.sh
+bash -n /opt/gururmm/build-linux.sh
+bash -n /opt/gururmm/build-windows.sh
+bash -n /opt/gururmm/build-mac.sh
+```
+
+- Any syntax error → `[CRITICAL]` — that platform's builds will silently fail at next trigger
+
+**6. Webhook handler health:**
+
+```bash
+curl -s http://localhost:9000/health
+ps aux | grep webhook-handler
+```
+
+- `/health` returns non-200 or connection refused → `[CRITICAL]` webhook handler down
+- Handler not in process list → `[CRITICAL]` handler not running
+- Check handler is using the new multi-threaded version (should mention `PLATFORMS` in its source):
+  `grep -c PLATFORMS /opt/gururmm/webhook-handler.py`
+  Count of 0 → `[HIGH]` old monolithic handler still deployed
+
+**7. Pluto known-hosts file:**
+
+```bash
+ls -la /opt/gururmm/pluto_known_hosts
+wc -l /opt/gururmm/pluto_known_hosts
+```
+
+- File missing → `[CRITICAL]` Windows builds will fail (SSH strict host checking with no key file)
+- File empty (0 lines) → `[CRITICAL]` same
+- Confirm `build-windows.sh` references it: `grep pluto_known_hosts /opt/gururmm/build-windows.sh`
+  If missing → `[HIGH]` StrictHostKeyChecking=no likely, MITM risk on build artifacts
+
+**8. Tray EXE accumulation:**
+
+```bash
+ls -lht /var/www/gururmm/downloads/windows/amd64/gururmm-tray-* 2>/dev/null | wc -l
+```
+
+- More than 3 tray EXE versions present → `[LOW]` cleanup not running (design: keep latest 2)
+
+**9. Build compat wrapper check:**
+
+```bash
+head -5 /opt/gururmm/build-agents.sh
+```
+
+- Should begin with a deprecation warning and call to `build-shared.sh`
+- If it still contains the old monolithic build logic → `[HIGH]` pipeline split not deployed
+
+Return structured findings with source (file path + line or command output) for every finding.
+
+---
+
+## Phase 3: Aggregating Findings
+
+Collect all five agents' outputs. Classify each finding:
 
 | Severity | Meaning |
 |----------|---------|
@@ -244,7 +367,7 @@ Write to: `projects/msp-tools/guru-rmm/reports/YYYY-MM-DD-rmm-audit.md`
 # GuruRMM Audit Report — YYYY-MM-DD
 
 **Auditor:** Claude (claude-sonnet-4-6)
-**Passes:** API Coverage, UI Gaps, Rust Quality, TypeScript Quality, Data Integrity
+**Passes:** API Coverage, UI Gaps, Rust Quality, TypeScript Quality, Data Integrity, Build Pipeline
 **Previous audit:** [link to prior report if one exists, else "First audit"]
 
 ---
@@ -258,6 +381,7 @@ Write to: `projects/msp-tools/guru-rmm/reports/YYYY-MM-DD-rmm-audit.md`
 | Rust Quality | N | N | N | N | N |
 | TypeScript | N | N | N | N | N |
 | Data Integrity | N | N | N | N | N |
+| Build Pipeline | N | N | N | N | N |
 | **TOTAL** | **N** | **N** | **N** | **N** | **N** |
 
 **Requires immediate action:** [list of CRITICAL findings in one line each]
@@ -300,6 +424,13 @@ are now COMPLETE vs. still open vs. newly discovered.]
 
 ---
 
+## Pass 6: Build Pipeline Health
+
+[findings — log integrity, artifact freshness, change gate state, lock files, script
+syntax, webhook handler health, Pluto known-hosts, tray EXE accumulation]
+
+---
+
 ## UI_GAPS.md Delta
 
 Items completed since last audit:
@@ -330,7 +461,7 @@ After writing the report, update `docs/UI_GAPS.md`:
 
 ---
 
-## Phase 4: User Summary
+## Phase 5: User Summary
 
 Present a concise summary to the user:
 
@@ -341,6 +472,7 @@ CRITICAL (N): [one-line each]
 HIGH (N):     [one-line each]
 MEDIUM (N):   Batched in report.
 
+Pipeline: [one-line status — e.g. "all green" or highest-severity finding]
 UI_GAPS.md: N items marked complete, N new gaps added.
 
 Recommended first action: [the single highest-priority finding]
@@ -402,3 +534,19 @@ Then ask: "Want me to start on any of these findings?"
 | UI gaps tracker | `projects/msp-tools/guru-rmm/docs/UI_GAPS.md` |
 | Architecture decisions | `projects/msp-tools/guru-rmm/docs/ARCHITECTURE_DECISIONS.md` |
 | Past audit reports | `projects/msp-tools/guru-rmm/reports/` |
+
+### Build Pipeline (on 172.16.3.30)
+| Area | Path |
+|------|------|
+| Webhook handler | `/opt/gururmm/webhook-handler.py` |
+| Shared build script | `/opt/gururmm/build-shared.sh` |
+| Linux build script | `/opt/gururmm/build-linux.sh` |
+| Windows build script | `/opt/gururmm/build-windows.sh` |
+| Mac build script | `/opt/gururmm/build-mac.sh` |
+| Pluto known-hosts | `/opt/gururmm/pluto_known_hosts` |
+| Linux build log | `/var/log/gururmm-build-linux.log` |
+| Windows build log | `/var/log/gururmm-build-windows.log` |
+| Distribution dir | `/var/www/gururmm/downloads/` |
+| Per-platform last SHA | `/opt/gururmm/last-built-commit-{linux,windows,mac}` |
+| Lock files | `/var/run/gururmm-build-{linux,windows,mac}.lock` |
+| Pluto machine doc | `.claude/machines/pluto.md` |