azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

harness: PS2 guard for onboarding probe + Windows quote-stripping memory

Browse Source 
onboarding-diagnostic.ps1: add a PowerShell-version guard. The probe is PS3+ by
design (Get-CimInstance, [ordered], ConvertTo-Json); on stock PS2 (Win7 SP1 /
2008 R2 without WMF) it crashed with cryptic [ordered] errors and emitted empty
DIAG-JSON (first hit: AMT-PC). Now on PS<3 it emits a legible, parseable result
inside the DIAG-JSON markers (hand-built JSON) with a WMF 5.1 / KB3191566
remediation hint instead. Parses clean. True PS2-native probe stays an RMM Thought.

memory: add feedback_windows_quote_stripping (+ index) consolidating the two
recent embedded-double-quote incidents (PowerShell->curl.exe CommandLineToArgvW,
RMM->cmd.exe shutdown /c) into one root cause + fix, so future ref= entries land.

errorlog: the two self-logged entries from #32333 (preview-skip friction,
AMT-PC/Scileppi conflation correction).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-06-16 18:07:27 -07:00
parent 08fcafa0a4
commit 54c7f9940d
4 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.claude/memory/MEMORY.md
View File

@@ -54,6 +54,7 @@
- [1Password — always use service token](feedback_1password_service_token.md) — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every `op` call. Desktop-app integration prompts are unacceptable in agent flows. - [1Password — always use service token](feedback_1password_service_token.md) — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every `op` call. Desktop-app integration prompts are unacceptable in agent flows.
- [Point vault-access teammates at SOPS path](feedback_vault_pointer_for_teammates.md) — When relaying infra/credential info to Howard or other vault-access teammates, hand over the SOPS path + key anchors; don't transcribe the entry's fields into the message. - [Point vault-access teammates at SOPS path](feedback_vault_pointer_for_teammates.md) — When relaying infra/credential info to Howard or other vault-access teammates, hand over the SOPS path + key anchors; don't transcribe the entry's fields into the message.
- [/tmp path mismatch on Windows](feedback_tmp_path_windows.md) — Write tool and Git Bash resolve `/tmp` to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl. - [/tmp path mismatch on Windows](feedback_tmp_path_windows.md) — Write tool and Git Bash resolve `/tmp` to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl.
- [Windows strips embedded double-quotes](feedback_windows_quote_stripping.md) — Embedded `"` in an arg gets eaten twice over: PowerShell->curl.exe (CommandLineToArgvW) AND RMM->cmd.exe. Use single-quoted heredoc `<<'JSON'` + `--data-binary @-` for bodies; build `"` from `[char]34`; or drop the quoted part (e.g. `shutdown /c`).
- [Windows bash command mapping](feedback_windows_bash_mapping.md) — `bash` often resolves to WSL stub instead of Git/MSYS bash required by the harness. Fix by prepending `C:\Program Files\Git\bin` (and usr\bin) to PATH, or source `.claude/scripts/ensure-git-bash.ps1`. Profile has the logic; use plain `bash .claude/scripts/...` after remap. See the helper and this memory file for details. - [Windows bash command mapping](feedback_windows_bash_mapping.md) — `bash` often resolves to WSL stub instead of Git/MSYS bash required by the harness. Fix by prepending `C:\Program Files\Git\bin` (and usr\bin) to PATH, or source `.claude/scripts/ensure-git-bash.ps1`. Profile has the logic; use plain `bash .claude/scripts/...` after remap. See the helper and this memory file for details.
- [Git must authenticate non-interactively](feedback_git_noninteractive_auth.md) — Mike's gripe with Git for Windows is the constant password prompts (GCM) that hang automation, NOT the tool itself. D:\ClaudeTools is set to `credential.helper=store` primed with the azcomputerguru Gitea API token (host 172.16.3.20:3000); always set `GIT_TERMINAL_PROMPT=0`. Any never-prompts solution is acceptable. - [Git must authenticate non-interactively](feedback_git_noninteractive_auth.md) — Mike's gripe with Git for Windows is the constant password prompts (GCM) that hang automation, NOT the tool itself. D:\ClaudeTools is set to `credential.helper=store` primed with the azcomputerguru Gitea API token (host 172.16.3.20:3000); always set `GIT_TERMINAL_PROMPT=0`. Any never-prompts solution is acceptable.
- [Vault git auth — GCM shadows store token](feedback_vault_gcm_shadow_auth.md) — vault sync "Failed to authenticate user" on git.azcomputerguru.com: GCM is first in the helper chain and shadows the valid store token. Fix (machine-local): store-only credential.helper reset + pin `azcomputerguru@` in the vault remote URL so store returns the durable PAT (not the volatile OAUTH_USER JWT). Applied GURU-5070 2026-06-07. - [Vault git auth — GCM shadows store token](feedback_vault_gcm_shadow_auth.md) — vault sync "Failed to authenticate user" on git.azcomputerguru.com: GCM is first in the helper chain and shadows the valid store token. Fix (machine-local): store-only credential.helper reset + pin `azcomputerguru@` in the vault remote URL so store returns the durable PAT (not the volatile OAUTH_USER JWT). Applied GURU-5070 2026-06-07.

42
.claude/memory/feedback_windows_quote_stripping.md Normal file
View File

@@ -0,0 +1,42 @@
---
name: feedback_windows_quote_stripping
description: On Windows, embedded double-quotes in command args get stripped/mangled twice over — by PowerShell-invoked curl.exe (CommandLineToArgvW) and by the GuruRMM cmd shell layer. Build quoted args without literal embedded double-quotes.
metadata:
type: feedback
---
On Windows, **embedded double-quotes inside a command argument get silently
stripped or mangled** at two separate layers we hit repeatedly. The body of the
arg survives; the `"` characters vanish, so the receiving program sees broken
syntax (an undefined constant, a usage dump, a parse error) — never a clean error
that points at quoting.
Two confirmed failure layers:
- **`curl.exe` invoked from PowerShell** — Windows re-parses the process command
line via `CommandLineToArgvW`, which eats the inner `"` in
`--data-urlencode 'x="y"'`. A pfSense `diag_command.php` PHP body became
`echo PHPRUNS-OK` -> `echo PHPRUNS` -> "Undefined constant" (cost ~4 wasted RMM
round-trips). (Howard, 2026-06-16.)
- **GuruRMM `command_type:shell` (cmd.exe) layer** — `shutdown /r /t 60 /c "comment"`
had its `"comment"` quotes mangled through the agent's cmd layer; shutdown
rejected the args and dumped usage. Fix was to drop `/c` entirely. (2026-06-16.)
**Why:** It's the same root cause both times — Windows command-line re-tokenization
(`CommandLineToArgvW`) strips a layer of double-quotes that a Unix shell would have
preserved. PowerShell -> native exe, and RMM -> cmd.exe, each add a re-parse.
**How to apply:**
- Don't put **literal embedded double-quotes** inside an arg you pass through
PowerShell->curl.exe or RMM->cmd. Prefer single-quotes for the outer payload and
construct any needed `"` from `[char]34` (PowerShell) — keep the command on one
line.
- For JSON request bodies, use a **single-quoted heredoc** (`<<'JSON'`) with
`--data-binary @-` (per the Syncro/RMM skill rules) — that bypasses
command-line re-parsing entirely. This is the reliable path.
- If an arg with quotes is unavoidable, **drop the quoted part** (as with
`shutdown /c`) or move the value into a file/variable the program reads itself.
- Distinct-but-adjacent gotchas: non-ASCII chars in payload text also break on
Windows/Git-bash (see [[feedback_ascii_only_api_payloads]]); `/tmp` resolves
differently between Write and Git-bash (see [[feedback_tmp_path_windows]]);
PowerShell variable names are case-insensitive (see the errorlog `$gUid`/`$guid`
incident).

29
.claude/scripts/onboarding-diagnostic.ps1
View File

@@ -33,6 +33,35 @@ $ErrorActionPreference = 'Continue'
$ProgressPreference = 'SilentlyContinue' $ProgressPreference = 'SilentlyContinue'
Set-StrictMode -Off Set-StrictMode -Off
# ---------------------------------------------------------------------------
# Legacy-PowerShell guard.
# This probe targets Windows PowerShell 5.1 (see .SYNOPSIS): it uses [ordered],
# Get-CimInstance, and ConvertTo-Json - ALL PowerShell 3.0+. On stock PowerShell
# 2.0 (Win7 SP1 / Server 2008 R2 without WMF) those throw and the probe emits
# empty DIAG-JSON with no grade. Rather than crash cryptically, emit a legible,
# parseable result (hand-built JSON - ConvertTo-Json is itself PS3+) so the
# runner still extracts a clean object plus a remediation hint. A true
# PS2-native probe is tracked separately in RMM_THOUGHTS (PS2-compat diagnostic).
# ---------------------------------------------------------------------------
if ($PSVersionTable.PSVersion.Major -lt 3) {
$legacyHost = $env:COMPUTERNAME
$legacyVer = $PSVersionTable.PSVersion.ToString()
$nowUtc = (Get-Date).ToUniversalTime()
$legacyUtc = $nowUtc.ToString('yyyy-MM-dd') + 'T' + $nowUtc.ToString('HH:mm:ss') + 'Z'
$detail = 'This host runs Windows PowerShell ' + $legacyVer + '. The onboarding probe requires PowerShell 3.0+ (it uses Get-CimInstance, [ordered], and ConvertTo-Json), so the full diagnostic could not run. Install WMF 5.1 (KB3191566) to enable it, or run the legacy-native probe when available.'
# Hand-built JSON - keep ASCII, no ConvertTo-Json on PS2.
$legacyJson = '{"host":"' + $legacyHost + '","collected_at_utc":"' + $legacyUtc + '",' +
'"os":{"powershell_version":"' + $legacyVer + '"},"facts":{},"findings":[' +
'{"id":"probe.legacy_powershell","category":"probe","severity":"unknown",' +
'"title":"Diagnostic probe requires PowerShell 3.0+",' +
'"detail":"' + $detail + '",' +
'"evidence":"PSVersion ' + $legacyVer + ' is older than 3.0"}]}'
Write-Output '===DIAG-JSON-START==='
Write-Output $legacyJson
Write-Output '===DIAG-JSON-END==='
exit 0
}
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
# Collectors # Collectors
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------

14
errorlog.md
View File

@@ -17,6 +17,20 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line --> <!-- Append entries below this line -->
2026-06-17 | GURU-5070 | syncro/customer-comment | [friction] posted a customer-facing emailed comment to #32333 WITHOUT previewing for human review first; preview-before-send is mandatory for ALL outgoing comms [ctx: ref=CLAUDE.md syncro 'Before any POST: Always show the full payload and wait for confirmation']
2026-06-17 | GURU-5070 | syncro/customer-comment | [correction] conflated Arizona Medical Transit (AMT-PC, Windows: Dell bloatware + misbehaving Syncro agent) cleanup into the Scileppi Mac (#32333) customer comment; Scileppi was a full-disk/Trash + Mail + Downloads-redesign job, no Dell/agent work [ctx: ticket=32333 mac=scileppi]
2026-06-16 | GURU-5070 | grok | grok xsearch returned no result [ctx: mode=xsearch stopReason=]
2026-06-16 | GURU-5070 | rmm/shell-quoting | [friction] shutdown /r /t 60 /c "comment" FAILED via command_type=shell: embedded double-quotes in the command got mangled through the agent cmd layer, shutdown rejected the args and dumped usage. Fix: avoid embedded double-quotes in RMM shell commands (drop /c, or build the quoted arg another way) [ctx: ref=bash/curl.exe-on-windows quote-stripping; agent=AMT-PC; cmd=shutdown]
2026-06-16 | GURU-5070 | syncro/billing | [friction] billed AMT as non-prepaid off the customer-SEARCH endpoint prepay=null; real prepay (detail endpoint) was 7.0 -> invoice correctly netted $0 via block, but I set the wrong (upsell) invoice note. Always read prepay from /customers/{id} detail, not the list/search [ctx: ref=syncro_invoice_verification_pattern;cust=7088349]
2026-06-16 | GURU-5070 | rmm/onboarding-diagnostic | onboarding-diagnostic.ps1 fails on Win7/PowerShell 2.0: uses [ordered] hashtables (PS3+) -> 'Unable to find type [ordered]', empty DIAG-JSON, no grade. Probe not PS2/legacy-compatible -> can't diagnose Win7/2008R2 legacy agents (first hit: AMT-PC)
2026-06-16 | GURU-5070 | rmm-diagnose | could not extract valid diagnostic JSON from probe output [ctx: host=AMT-PC status=completed exit=0]
2026-06-16 | GURU-5070 | mailprotector/starrpass | [correction] assumed starrpass.com was on Mailprotector; correct: starrpass.com is direct-to-MS (EOP/Defender) - Starr Pass MP account 16170 covers ONLY devconllc.com. Check @starrpass.com mail via remediation-tool/EOP 2026-06-16 | GURU-5070 | mailprotector/starrpass | [correction] assumed starrpass.com was on Mailprotector; correct: starrpass.com is direct-to-MS (EOP/Defender) - Starr Pass MP account 16170 covers ONLY devconllc.com. Check @starrpass.com mail via remediation-tool/EOP
2026-06-16 | GURU-5070 | mailprotector | HTTP 404 POST https://emailservice.io/api/v1/users/find_by_address: "Not found" [ctx: cmd=find-user] 2026-06-16 | GURU-5070 | mailprotector | HTTP 404 POST https://emailservice.io/api/v1/users/find_by_address: "Not found" [ctx: cmd=find-user]