syncro: finalize deploy-agent (installer URL = per-client vaulted secret, MSI)
Decoded the Syncro RMM installer URL from 4 client samples:
base64(v1-{customer_id}-{A}-48753-{policy_folder_id}). 48753 = our account id (constant);
customer_id + policy_folder_id are API-readable; A is an unguessable per-client security token
NOT exposed anywhere in the API -> the URL is NOT constructible and must be harvested per client
and vaulted. Installer is an MSI -> deploy uses msiexec /qn /norestart.
deploy-agent now reads clients/<slug>/syncro-agent-installer (credentials.installer_url) from
the vault (cascades-tucson, grabb-durando, reliant, howard-test seeded) and pushes via GuruRMM.
Findings recorded in test-findings.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,30 @@ Verified behaviors/gotchas discovered while testing `/syncro` against the live t
|
||||
Each entry is a rule the skill must not re-learn. Critical ones are also folded into
|
||||
`syncro.md` (operating manual) and `api-reference.md` (breadth reference).
|
||||
|
||||
## 2026-07-10 — Phase 2 prep: RMM installer URL (structure decoded)
|
||||
|
||||
**The Syncro RMM installer URL is a base64 token that partly encodes API-derivable IDs.**
|
||||
A working install link is `https://rmm.syncromsp.com/dl/msi/<b64>` where `<b64>` base64-decodes
|
||||
to `v1-{customer_id}-{A}-{B}-{policy_folder_id}`. For Howard Test:
|
||||
`djEt...` → `v1-36118743-1819842526-48753-5092561` (customer_id 36118743, policy_folder_id
|
||||
5092561 — both pulled from the API; `A=1819842526`, `B=48753` are NOT on the customer or
|
||||
policy-folder objects). Host is `rmm.syncromsp.com` (Kabuto/RMM), separate from the PSA API.
|
||||
|
||||
- **RESOLVED (4-client sample):** `B=48753` is CONSTANT (our Syncro account id). `A` VARIES per
|
||||
client (1819842526 / 1610167344 / 1552910968 / 1520216784) and is **not** `kabuto_customer_id`
|
||||
nor anywhere in the customer/policy-folder objects — an unguessable per-client security token
|
||||
(prevents URL forgery from sequential customer_ids). **Therefore the URL is NOT constructible**
|
||||
— it must be harvested per client and vaulted as a secret. `customer_id` + `policy_folder_id`
|
||||
ARE API-readable, but `A` is the blocker. Vaulted so far: cascades-tucson, grabb-durando,
|
||||
reliant, howard-test at `clients/<slug>/syncro-agent-installer.sops.yaml`
|
||||
(`credentials.installer_url`). `deploy-agent` reads from there.
|
||||
- **Installer is an MSI** (`/dl/msi/`), so silent deploy uses `msiexec /i <file>.msi /qn
|
||||
/norestart` (NOT the `.exe --console` path). Syncro also offers a `.exe` (`--console
|
||||
--allow-force-reboot`); the download link determines which. Verify the exact MSI silent
|
||||
behavior on RMM-TEST-MACHINE before any customer push.
|
||||
- The token embeds an enrollment secret → it is a **credential**: vault it (per client), never
|
||||
commit plaintext. `policy_folder_id` comes from `GET /policy_folders?customer_id=N`.
|
||||
|
||||
## 2026-07-10 — Phase 1 (PSA CRUD)
|
||||
|
||||
**Emailing an invoice/estimate returns 200 "Email sent" even when it delivered to NOBODY.**
|
||||
|
||||
Reference in New Issue
Block a user