fix(security): Implement Phase 1 critical security fixes

CORS:
- Restrict CORS to DASHBOARD_URL environment variable
- Default to production dashboard domain

Authentication:
- Add AuthUser requirement to all agent management endpoints
- Add AuthUser requirement to all command endpoints
- Add AuthUser requirement to all metrics endpoints
- Add audit logging for command execution (user_id tracked)

Agent Security:
- Replace Unicode characters with ASCII markers [OK]/[ERROR]/[WARNING]
- Add certificate pinning for update downloads (allowlist domains)
- Fix insecure temp file creation (use /var/run/gururmm with 0700 perms)
- Fix rollback script backgrounding (use setsid instead of literal &)

Dashboard Security:
- Move token storage from localStorage to sessionStorage
- Add proper TypeScript types (remove 'any' from error handlers)
- Centralize token management functions

Legacy Agent:
- Add -AllowInsecureTLS parameter (opt-in required)
- Add Windows Event Log audit trail when insecure mode used
- Update documentation with security warnings

Closes: Phase 1 items in issue #1

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

projects/msp-tools/guru-rmm/agent-legacy/Install-GuruRMM.ps1

@@ -15,8 +15,20 @@
 .PARAMETER ServerUrl
     The GuruRMM server URL (default: https://rmm-api.azcomputerguru.com)
 
+.PARAMETER AllowInsecureTLS
+    [SECURITY RISK] Disables SSL/TLS certificate validation. Required ONLY for
+    systems with self-signed certificates or broken certificate chains.
+
+    WARNING: This flag makes the connection vulnerable to man-in-the-middle
+    attacks. Only use on isolated networks or when absolutely necessary.
+
 .EXAMPLE
+    # Secure installation (recommended)
     .\Install-GuruRMM.ps1 -SiteCode DARK-GROVE-7839
+
+.EXAMPLE
+    # Insecure installation (legacy systems with self-signed certs ONLY)
+    .\Install-GuruRMM.ps1 -SiteCode DARK-GROVE-7839 -AllowInsecureTLS
 #>
 
 param(
@@ -24,7 +36,10 @@ param(
     [string]$SiteCode,
 
     [Parameter()]
-    [string]$ServerUrl = "https://rmm-api.azcomputerguru.com"
+    [string]$ServerUrl = "https://rmm-api.azcomputerguru.com",
+
+    [Parameter()]
+    [switch]$AllowInsecureTLS
 )
 
 $ErrorActionPreference = "Stop"
@@ -112,8 +127,15 @@ try {
 
 # Step 3: Register agent
 Write-Status "Registering with GuruRMM server..."
+if ($AllowInsecureTLS) {
+    Write-Status "[SECURITY WARNING] Installing with certificate validation DISABLED" "WARN"
+    Write-Status "This makes the connection vulnerable to MITM attacks" "WARN"
+}
 try {
     $registerArgs = "-ExecutionPolicy Bypass -File `"$destScript`" -SiteCode `"$SiteCode`" -ServerUrl `"$ServerUrl`""
+    if ($AllowInsecureTLS) {
+        $registerArgs += " -AllowInsecureTLS"
+    }
     $process = Start-Process powershell.exe -ArgumentList $registerArgs -Wait -PassThru -NoNewWindow
 
     if ($process.ExitCode -ne 0) {
@@ -137,13 +159,19 @@ try {
 
 # Step 5: Create scheduled task
 try {
-    # Create the task to run at startup and every 5 minutes
+    # Create the task to run at startup
     $taskCommand = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$destScript`""
+    if ($AllowInsecureTLS) {
+        $taskCommand += " -AllowInsecureTLS"
+    }
 
     # Create task that runs at system startup
     schtasks /create /tn $TaskName /tr $taskCommand /sc onstart /ru SYSTEM /rl HIGHEST /f | Out-Null
 
     Write-Status "Scheduled task created: $TaskName" "OK"
+    if ($AllowInsecureTLS) {
+        Write-Status "Task configured with -AllowInsecureTLS flag" "WARN"
+    }
 } catch {
     Write-Status "Failed to create scheduled task: $($_.Exception.Message)" "ERROR"
     Write-Status "You may need to manually create the task" "WARN"