sync: auto-sync from GURU-5070 at 2026-06-15 17:49:06

Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-15 17:49:06
2026-06-15 17:49:23 -07:00
parent 9b4e86cdfc
commit 4ef6a9a3b0
5 changed files with 66 additions and 2 deletions
--- a/.claude/memory/MEMORY.md
+++ b/.claude/memory/MEMORY.md
@@ -146,3 +146,4 @@
 - [Physical access codes -> vault + wiki pointer](feedback_physical_access_codes.md) — alarm/lockbox/door codes go in vault clients/<slug>/physical-access-<location>.sops.yaml (kind: physical-access) + a `## Physical Access` pointer section in the client wiki; never plaintext. First entry: Peaceful Spirit NW.
 - [CT Thoughts backlog](feedback_ct_thoughts_backlog.md) — ClaudeTools harness ideas go in docs/CT_THOUGHTS.md (trigger "ct thought:"); CT analogue of RMM_THOUGHTS. Don't build until explicit go. First entry = ClaudeTools 3.0 web co-work vision.
 - [AI-auth product boundary](project_ai_auth_product_boundary.md) — ClaudeTools/ClaudeTools 3.0 = internal-only, per-person subscription OAuth ok; GuruRMM = sellable, customer brings own API key (never ACG's subscription); backend dev = internal. Anthropic ToS bans subscription auth in third-party products.
+- [RMM SYSTEM context can't see user mapped drives](feedback_rmm_system_context_mapped_drives.md) — RMM runs as SYSTEM; `Test-Path F:\` etc. is False even when the user's mapped/redirected drive exists. Diagnose mapped-drive/redirect issues in `context:user_session`. Elevated apps (e.g. QB DB Server Manager "unable to retrieve root folder") need `EnableLinkedConnections=1` + reboot.
--- a/.claude/memory/feedback_rmm_system_context_mapped_drives.md
+++ b/.claude/memory/feedback_rmm_system_context_mapped_drives.md
@@ -0,0 +1,28 @@
+---
+name: feedback-rmm-system-context-mapped-drives
+description: RMM commands run as SYSTEM and cannot see a user's mapped network drives / network-redirected folders — diagnose those in user_session; elevated apps need EnableLinkedConnections.
+metadata:
+  type: feedback
+---
+
+GuruRMM agent commands execute as **SYSTEM**, which has **no access to a logged-on user's
+mapped network drives or network-redirected shell folders**. A `Test-Path F:\` (or a
+redirected Desktop on a UNC) will return **False under SYSTEM even when it exists fine in the
+user's session** — do not conclude the drive/folder is "missing/dead" from a SYSTEM check.
+
+**Why:** Mike corrected exactly this on LS-1 (Lonestar) 2026-06-15 — I called `F:\FolderRedirection\Robin\Desktop`
+a dead drive; it's actually `F: -> \\tower\Data` (folder redirection to the Unraid "Tower"
+server), present with 102 items in Robin's session.
+
+**How to apply:**
+- For any mapped-drive / network-redirected-folder / per-user-path question, dispatch the RMM
+  command with `"context": "user_session"` (runs under the active user's token) and verify with
+  `whoami`, `net use`, `Get-PSDrive`.
+- Separately: an **elevated** app (UAC) gets a different token that also lacks the user's mapped
+  drives. Symptom seen: QuickBooks Database Server Manager ("Add" folder) throws
+  `FolderBrowserDialog ... Unable to retrieve the root folder` because its root (the Desktop) is
+  on an unmapped `F:` in the elevated token. Fix: set
+  `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1`
+  (DWORD) and reboot — shares the mapped drives across the user's elevated + normal tokens.
+
+Related: [[feedback_tmp_path_windows]]
--- a/.claude/scripts/uos-mongo.sh
+++ b/.claude/scripts/uos-mongo.sh
@@ -33,7 +33,32 @@ set -euo pipefail

 UOS_HOST="${UOS_HOST:-172.16.3.29}"
 UOS_SSH_USER="${UOS_SSH_USER:-root}"
-SSH=(ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new "${UOS_SSH_USER}@${UOS_HOST}")
+
+# Resolve the SSH key. Prefer $UOS_SSH_KEY; otherwise extract the vaulted dedicated
+# UOS key (infrastructure/uos-server-ssh-key, stored base64 in ssh-private-key-b64
+# because vault-helper can't store multiline) to a temp file so this works on ANY
+# fleet machine, not just one whose personal key happens to be authorized on .29.
+_uos_key=""
+if [ -n "${UOS_SSH_KEY:-}" ]; then
+    _uos_key="$UOS_SSH_KEY"
+else
+    _repo="$(git rev-parse --show-toplevel 2>/dev/null || echo .)"
+    _vault="$_repo/.claude/scripts/vault.sh"
+    if [ -f "$_vault" ]; then
+        _uos_key="$(mktemp "${TMPDIR:-/tmp}/uos-key.XXXXXX")"
+        bash "$_vault" get-field infrastructure/uos-server-ssh-key credentials.ssh-private-key-b64 2>/dev/null \
+            | tr -d '\r\n ' | base64 -d > "$_uos_key" 2>/dev/null
+        chmod 600 "$_uos_key" 2>/dev/null || true
+        trap '[ -z "${UOS_SSH_KEY:-}" ] && [ -n "$_uos_key" ] && rm -f "$_uos_key"' EXIT
+        [ -s "$_uos_key" ] || { rm -f "$_uos_key"; _uos_key=""; }   # fall back to default key
+    fi
+fi
+
+if [ -n "$_uos_key" ]; then
+    SSH=(ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes -i "$_uos_key" "${UOS_SSH_USER}@${UOS_HOST}")
+else
+    SSH=(ssh -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new "${UOS_SSH_USER}@${UOS_HOST}")
+fi
 REMOTE='su - uosserver -c "XDG_RUNTIME_DIR=/run/user/1000 podman exec -i uosserver mongo --quiet --port 27117 ace"'

 run_js() { "${SSH[@]}" "$REMOTE"; }   # reads Mongo JS from this function's stdin