diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index f14961dc..45b20e48 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -10,7 +10,7 @@ - [Investigator EXO ManageAsApp gap](reference_investigator_exo_manageasapp_gap.md) — Security Investigator app lacks `Exchange.ManageAsApp` (only `full_access_as_app`) so `investigator-exo` 401s on EXO adminapi; use `exchange-op` tier for InvokeCommand. - [Tailscale subnet-route key expiry](reference_tailscale_subnet_key_expiry.md) — "internet OK but all of 172.16.3.x (Gitea .20, RMM/coord .30) dead" = Tailscale infra-node KEY EXPIRY (pfSense subnet router advertises 172.16.0.0/22), NOT a LAN outage; expiry now disabled on infra nodes (2026-06-25). Fallback: gururmm-server direct at tailnet 100.86.12.15:3001. - [GravityZone support center](reference_gravityzone_support.md) — Authoritative Bitdefender GravityZone product + Public API docs; use to confirm UNVERIFIED `bitdefender` skill methods/param shapes (push setPushEventSettings, assignPolicy, report/account writes, maintenancewindows/integrations names). -- [GURU-5070 Rust toolchain](reference_guru5070_rust_toolchain.md) — GURU-5070 now has cargo + MSVC + protoc; build/clippy/test guru-connect LOCALLY (set PROTOC to the winget path) instead of the build host. CI only clippy-checks the Linux server, not the Windows agent. +- [GURU-5070 Rust toolchain](reference_guru5070_rust_toolchain.md) — toolchain installed BUT a WDAC/Smart App Control policy (since 2026-07-04) BLOCKS running rustc/cargo/sops/openssl locally (os error 4551) — build the Windows agent on Beast, not here. Toolchain paths + CI gates still valid for reference. - [ACG Office Network Infrastructure](infra_office_network.md) — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage. - [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS. 
- [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number. diff --git a/.claude/memory/reference_guru5070_rust_toolchain.md b/.claude/memory/reference_guru5070_rust_toolchain.md index 8cf8e011..108ff840 100644 --- a/.claude/memory/reference_guru5070_rust_toolchain.md +++ b/.claude/memory/reference_guru5070_rust_toolchain.md 
@@ -1,12 +1,24 @@ --- name: reference_guru5070_rust_toolchain -description: GURU-5070 has the full local Rust toolchain (cargo + MSVC + protoc) — build/clippy/test the guru-connect workspace LOCALLY instead of the build host; set PROTOC first +description: GURU-5070 has a full Rust toolchain installed BUT a WDAC/Smart App Control policy now blocks running rustc/cargo locally (os error 4551) — build the Windows agent on Beast, not here; toolchain paths + CI gates still valid for reference metadata: type: reference --- -As of 2026-05-30, GURU-5070 has the full Rust dev toolchain installed, so GuruConnect can be -built/linted/tested locally — **no more build-host (172.16.3.30) round-trips just for `cargo fmt`/clippy.** +**BLOCKED AS OF 2026-07-04 — do NOT rely on local Rust builds on GURU-5070.** A Windows +Application Control (WDAC / Smart App Control) policy now blocks execution of `rustc.exe`/`cargo.exe` +(and `sops.exe`, `openssl`, `gawk`, Python `cryptography`'s native DLL) — attempts fail with +`An Application Control policy has blocked this file. (os error 4551)`. This is the same policy behind +the "Windows can't confirm who published …" blocks on unsigned binaries. Until the policy is adjusted +to trust the toolchain, **compile Windows agent/GuruConnect changes on Beast** (`guru@100.101.122.4`, +Tailscale; sccache at `C:\sccache`) via a throwaway `git worktree` + `cargo check` — see +[[gururmm-beast-windows-build-host]]. The paths/gates below remain accurate for reference and for when +the policy is relaxed. WDAC impact also breaks the `vault`/`sops` path here (use `age`+Node fallback per +[[feedback_vault_gcm_shadow_auth]]) and silently swallowed error logging (`CLAUDETOOLS_ROOT=D:/claudetools` +wrong-case → `log-skill-error.sh` can't write; real repo is `D:/ClaudeTools`). 
+ +As of 2026-05-30, GURU-5070 has the full Rust dev toolchain installed (able to build locally *until the +2026-07-04 WDAC block above*): - **cargo/rustc/clippy/rustfmt:** `C:\Users\guru\.cargo\bin\` (rustup; cargo 1.96, rustfmt 1.9, clippy 0.1.96). - **MSVC C++ Build Tools:** VS2022 BuildTools (VCTools workload) — provides the `x86_64-pc-windows-msvc` linker. diff --git a/errorlog.md b/errorlog.md index 153cea23..644cf5df 100644 --- a/errorlog.md +++ b/errorlog.md 
@@ -43,6 +43,10 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · 2026-07-04 | Howard-Home | screenconnect | ScreenConnect API error [SendCommandToSession]: HTTP 500: {"errorType":"","message":"An session manager fault error occurred while processing your request. Please contact support if the problem persists."} [ctx: cmd=send-command] +2026-07-04 | GURU-5070 | dataforth/ctonw-v5.1 | CONFIG.SYS collection used 'IF NOT EXIST T:STATUS%MACHINE%NUL MD ...' (the NUL dir-exists test is unreliable on a network/SMB drive) and COPY targets had NO trailing backslash -> MD skipped, COPY created FILES named after each machine instead of per-machine folders, and 'MEM /C > T:STATUS%MACHINE%MEM.TXT' wrote to a nonexistent path -> DOS 'T: write fault Abort/Retry/Fail?' HUNG unattended boot on production DOS test stations. Reverted CTONW to v5.0. Fix: pre-create per-machine dirs server-side on the NAS, use trailing backslash on COPY dir targets, never let a network write error reach the critical-error handler at boot; test on ONE isolated station before any fleet exposure. [ctx: ref=dos-network-drive-copy sev=production-boot-hang] + +2026-07-04 | GURU-5070 | deploy/dos-batch | [friction] reported CRLF via grep -c $' $' which misfired on an LF-only file the Write tool produced; staged an LF-only .BAT to the Dataforth NAS (DOS needs CRLF). Caught by Mike at the station. Fix: verify line endings with 'tr -cd | wc -c' (must equal LF count) and CRLF-convert Write-tool batch files with 'sed s/$/ /' before deploy. [ctx: ref=projects/dataforth-dos/.gitattributes file=NWTOC.v5.1] + 2026-07-04 | GURU-5070 | ps-encoded | encode produced empty output [ctx: src=/dev/fd/63] 2026-07-03 | GURU-5070 | agy/gemini-cli | old gemini npm CLI dead on this account: throwIneligibleOrProjectIdError (needs GOOGLE_CLOUD_PROJECT); replaced by Antigravity 'agy' binary [ctx: fix=rewired-to-agy]
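Review bot: In the `.claude/memory/MEMORY.md` hunk, the replacement index line drops the caveat "CI only clippy-checks the Linux server, not the Windows agent" but still says "CI gates still valid for reference". With local builds on GURU-5070 now blocked, that caveat matters more than before: the Beast build becomes the only check a Windows agent change gets. I would keep it in the index line. The line also says "build the Windows agent on Beast" without pointing anywhere; the reference file links `[[gururmm-beast-windows-build-host]]`, and the index entry should carry the same pointer so a reader who stops at the index can find the host.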
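Review bot: In the `reference_guru5070_rust_toolchain.md` hunk, the last sentence of the new BLOCKED paragraph files the `log-skill-error.sh` write failure under "WDAC impact", but its own parenthetical gives a different cause (`CLAUDETOOLS_ROOT=D:/claudetools` wrong-case, real repo `D:/ClaudeTools`). Split that into its own sentence or its own memory entry, otherwise relaxing the policy will look like it should have fixed the logging and it will not. Two smaller points on the same paragraph: it says "WDAC / Smart App Control" without stating which of the two is actually enforcing, which is the first thing whoever adjusts the policy needs to know; and the `age`+Node fallback routes secret handling around a block on `sops.exe`, so the note should say whether that fallback is an agreed exception or a stopgap until the toolchain is trusted.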
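Review bot: In the `errorlog.md` hunk, the fix recorded in the `deploy/dos-batch` entry cannot be followed as written: `tr -cd | wc -c` has no character set, `sed s/$/ /` appends a space rather than a carriage return, and `grep -c $' $'` matches a space at end of line. The `\r` escapes appear to have been lost; if so, write them out literally (for example `tr -cd '\r' | wc -c` and `sed 's/$/\r/'`) and quote the commands so the log entry survives copy and paste. The same applies to the `dataforth/ctonw-v5.1` entry above it, where `T:STATUS%MACHINE%NUL` and `T:STATUS%MACHINE%MEM.TXT` contain no backslashes at all even though the entry is about a missing trailing backslash, which makes the described failure hard to reconstruct from the log alone.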