diff --git a/.claude/users.json b/.claude/users.json
index 5851312..bb4acd0 100644
--- a/.claude/users.json
+++ b/.claude/users.json
@@ -28,9 +28,21 @@
 "gitea_username": "howard",
 "notes": "Employee, Mike's brother. Full trust. Same access as Mike for MSP tracking and daily work. Has own Gitea account (howard) with admin access to all repos. Password rotated 2026-04-21 \u00e2\u20ac\u201d stored in Howard's 1Password, not in this file."
 }
+ },
+ "rob": {
+ "full_name": "Rob Quirarte",
+ "email": "rob@azcomputerguru.com",
+ "role": "contractor",
+ "title": "Web Developer / Contractor",
+ "syncro_user_id": 1760,
+ "discord_id": "261978810713505792",
+ "known_machines": [],
+ "notes": "Web developer contractor. No direct ClaudeTools CLI access. Interacts only through the Discord bot. Authorized scope: M365/365 remediations (remediation-tool skill), IX hosting changes (DNS, cPanel accounts, file management on IX/Websvr), Syncro read. Cannot modify bot behavior, skills, CLAUDE.md, DISCORD_CLAUDE.md, users.json, vault entries, or git history."
+ }
 },
 "roles": {
 "admin": "Full access to all systems, credentials, deployments, and infrastructure.",
- "tech": "Full access to all systems, credentials, and client work. Same as admin for this organization."
+ "tech": "Full access to all systems, credentials, and client work. Same as admin for this organization.",
+ "contractor": "Limited operator via Discord bot only. Scope defined per-person in notes field."
 }
 }
\ No newline at end of file
diff --git a/projects/discord-bot/DISCORD_CLAUDE.md b/projects/discord-bot/DISCORD_CLAUDE.md
index 73a9f9d..2445a0e 100644
--- a/projects/discord-bot/DISCORD_CLAUDE.md
+++ b/projects/discord-bot/DISCORD_CLAUDE.md
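Review bot: The kept context line ` }` (the brace that closes the `howard` entry) is followed by the added `+ },`, so as rendered the new file reads `}` / `},` / `"rob": {` — the `},` closes the users object, `rob` lands at the root level, and the later added `},` closes the root before `"roles"`, which a strict JSON parser rejects. The intended change appears to be turning the existing closing brace into `},` rather than adding a second brace line; `python -m json.tool .claude/users.json` would confirm the result parses. Separately, Rob's authorization scope exists only as free text in `notes`, and the new `contractor` role says `Scope defined per-person in notes field`, so nothing in this file can be checked by code before an action runs; a structured field next to the prose, such as `"allowed_skills": ["remediation-tool"]` (field name constructed here), would let the bot or a wrapper enforce the limit outside the model's judgement. The same scope is restated in the DISCORD_CLAUDE.md hunk and the two already differ — the notes here carry neither that hunk's ACG-tenant exclusion nor its GuruRMM exclusion — so one of the two should be declared authoritative and the other should point to it.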
@@ -82,15 +82,31 @@ so future sessions can recognize them without re-introduction.
 **Full access:** all tools, file operations, shell commands, git, M365 actions, vault reads, service restarts, and all skills.
-### Recognized — Restricted (read-only)
+### Recognized — Limited Operator
-Known by name, but limited to read-only / informational responses — no file writes, git, system
-changes, M365 actions, or vault access. Greet them by name. If they ask for an action outside
-this scope, say so plainly and offer to relay the request to a full-access team member.
+Known contractors with a defined action scope. Greet them by name. Execute requests that
+fall within their scope exactly as you would for a full-access team member. For anything
+outside their scope, say so plainly and offer to relay to Mike or Howard.
-| Person | Discord Username | Notes |
-|--------|-----------------|-------|
-| Rob | ID: 261978810713505792 | Read-only / informational only |
+| Person | Discord ID | Authorized Scope |
+|--------|-----------|-----------------|
+| Rob Quirarte | 261978810713505792 | See Rob's scope below |
+
+#### Rob's Authorized Scope
+
+**CAN do (treat as full-access for these):**
+- `/remediation-tool` — M365 breach checks, mailbox audits, tenant sweeps, risky user checks, inbox rule audits, MFA checks. Full remediation actions included (not read-only).
+- IX Web Hosting changes — DNS records (add/edit/delete TXT, CNAME, A, MX), cPanel account management, file operations in any account's `public_html`, FTP account management, SSL certificate installs, database creation/management.
+- Websvr (websvr.acghosting.com / legacy hosting) — same scope as IX: DNS, files, accounts.
+- Syncro read — look up ticket status, customer info, asset details. No billing or ticket creation.
+
+**CANNOT do (decline and offer to relay to Mike):**
+- Modify bot behavior: editing `DISCORD_CLAUDE.md`, `CLAUDE.md`, `users.json`, any `.claude/` config
+- Vault writes or credential changes
+- GuruRMM access (agent management, remote exec on client machines)
+- Git operations that push to main (reading the repo is fine)
+- Any action on ACG's own M365 tenant (azcomputerguru.com) — client tenants only
+- Billing actions in Syncro (add line items, create invoices, update ticket status)
 ### Unknown Users — Restricted
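Review bot: The CAN list grants `cPanel account management`, `FTP account management` and `database creation/management`, each of which creates or resets a credential, while the CANNOT list denies `Vault writes or credential changes`, so the bot has to guess which rule wins when Rob asks for a new FTP or database user. Spell the boundary out on that bullet, e.g. `- Vault writes, and changes to any credential stored in the vault (hosting-panel accounts created under the IX/Websvr scope are governed by that scope)`, or the stricter reading if that is what is intended. The CANNOT heading says `offer to relay to Mike` while the paragraph above it says `relay to Mike or Howard`; the two should agree. `Git operations that push to main (reading the repo is fine)` leaves pushes to other branches and history rewrites permitted here, whereas the users.json notes for Rob in the other hunk deny changes to git history; if that stricter rule is intended, state it in this list. The section the hunk opens in begins above the hunk.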