sync: auto-sync from Mikes-MacBook-Air.local at 2026-06-07 19:46:36

Author: Mike Swanson
Machine: Mikes-MacBook-Air.local
Timestamp: 2026-06-07 19:46:36

.claude/commands/rmm.md

@@ -67,28 +67,31 @@ Interact with the GuruRMM agent fleet: list agents, run remote commands (PowerSh
 
 ## Phase 0 — Bootstrap (run once per session)
 
+**Use the helper script** (cross-platform, handles Mac jq/JSON issues):
+
 ```bash
-IDENTITY_PATH="${HOME}/.claude/identity.json"
-if [ ! -f "$IDENTITY_PATH" ]; then
-    IDENTITY_PATH=$(git rev-parse --show-toplevel 2>/dev/null)/.claude/identity.json
-fi
-REPO_ROOT=$(jq -r '.claudetools_root // empty' "$IDENTITY_PATH" 2>/dev/null)
-if [ -z "$REPO_ROOT" ]; then
-    REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
-fi
-VAULT="$REPO_ROOT/.claude/scripts/vault.sh"
+# Authenticate and set environment variables
+eval "$(bash .claude/scripts/rmm-auth.sh)"
+# This sets: $TOKEN, $RMM, $REPO_ROOT
+```
+
+**Alternative (manual, for reference only — use helper script above):**
+
+```bash
+REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null)"
+IDENTITY_FILE="$REPO_ROOT/.claude/identity.json"
+VAULT_PATH=$(jq -r '.vault_path' "$IDENTITY_FILE")
+VAULT_SH="$VAULT_PATH/scripts/vault.sh"
 RMM="http://172.16.3.30:3001"
 
-RMM_EMAIL=$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email)
-RMM_PASS=$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password)
+RMM_EMAIL=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email)
+RMM_PASS=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password)
 
-JWT=$(curl -s -X POST "$RMM/api/auth/login" \
-  -H "Content-Type: application/json" \
-  --data-binary @- <<JSON
-{"email": "$RMM_EMAIL", "password": "$RMM_PASS"}
-JSON
-)
+# Use jq to build JSON safely (avoids heredoc issues on Mac)
+PAYLOAD=$(jq -n --arg email "$RMM_EMAIL" --arg password "$RMM_PASS" '{email: $email, password: $password}')
+JWT=$(curl -s -X POST "$RMM/api/auth/login" -H "Content-Type: application/json" -d "$PAYLOAD")
 TOKEN=$(echo "$JWT" | jq -r '.token // empty')
+
 if [ -z "$TOKEN" ]; then
     echo "[ERROR] RMM login failed: $JWT"
     exit 1

.claude/memory/MEMORY.md

@@ -30,6 +30,7 @@
 
 ## Feedback
 - [Bot alerts need a ticket link](feedback_bot_alert_ticket_link.md) — Syncro ticket bot-alerts MUST include a clickable link: https://computerguru.syncromsp.com/tickets/<internal_id> (internal id, not ticket number). post-bot-alert.sh posts raw text; put the URL in the message.
+- [Mac RMM authentication fixed](feedback_mac_rmm_auth_fixed.md) — Use `.claude/scripts/rmm-auth.sh` helper instead of heredoc pattern. Heredoc with `--data-binary @-` fails on macOS. Helper uses `jq -n --arg` to build JSON safely. Usage: `eval "$(bash .claude/scripts/rmm-auth.sh)"` sets $TOKEN, $RMM, $REPO_ROOT. Updated in /rmm Phase 0.
 - [Verify committed state before push](feedback_verify_committed_state_before_push.md) — webhook builds from origin/main: verify the COMMITTED build (git stash + build), not the working tree; bad git-add pathspec silently aborts staging. Stage by directory.
 - [Scheduling = coord todo, not schedulers](feedback_scheduling_via_coord_todo.md) — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks.
 - [Attribution is read, never inferred](feedback_attribution_from_identity.md) — Who-did-what (user+machine) comes ONLY from identity.json + users.json + git authorship. Never infer from hostname patterns, the userEmail hint, or memory. The "5070" box is Mike's. sync.sh reconciles git config to identity.json; /save renders the User block via whoami-block.sh.

.claude/memory/feedback_mac_rmm_auth_fixed.md

@@ -0,0 +1,24 @@
+# Mac RMM Authentication Fix
+
+**Problem**: On macOS, the Phase 0 bootstrap code in `/rmm` using `--data-binary @-` with heredoc frequently failed with empty tokens, causing wasted API calls and jq parse errors.
+
+**Root cause**: Heredoc with `--data-binary @-` and JSON interpolation doesn't work reliably on macOS bash/curl combinations. The pattern works on Linux/Windows Git Bash but fails on Mac.
+
+**Solution**: Created `.claude/scripts/rmm-auth.sh` helper script that:
+1. Resolves all paths from `identity.json` (vault_path, claudetools_root)
+2. Uses `jq -n --arg` to build JSON payload safely (no heredoc)
+3. Handles all error cases explicitly
+4. Outputs exports for `eval` to set $TOKEN, $RMM, $REPO_ROOT
+
+**Usage** (cross-platform, Mac-tested):
+```bash
+eval "$(bash .claude/scripts/rmm-auth.sh)"
+# Sets: $TOKEN, $RMM, $REPO_ROOT
+```
+
+**Updated**: `.claude/commands/rmm.md` Phase 0 section now recommends the helper script as the primary method, with manual method as reference only.
+
+**Impact**: Eliminates wasted tokens from repeated auth failures on Mac. Single-call authentication that works consistently.
+
+**Date fixed**: 2026-06-08
+**Tested on**: macOS (Mikes-MacBook-Air, arm64)

.claude/scripts/rmm-auth.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# rmm-auth.sh - Get GuruRMM authentication token
+# Outputs: TOKEN RMM_URL REPO_ROOT (space-separated)
+# Usage: eval "$(bash .claude/scripts/rmm-auth.sh)"
+#   This sets: $TOKEN, $RMM, $REPO_ROOT in the calling shell
+
+set -euo pipefail
+
+# Resolve paths
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+IDENTITY_FILE="$REPO_ROOT/.claude/identity.json"
+
+if [ ! -f "$IDENTITY_FILE" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] identity.json not found' >&2"
+    exit 1
+fi
+
+VAULT_PATH=$(jq -r '.vault_path // empty' "$IDENTITY_FILE")
+if [ -z "$VAULT_PATH" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] vault_path not in identity.json' >&2"
+    exit 1
+fi
+
+VAULT_SH="$VAULT_PATH/scripts/vault.sh"
+if [ ! -f "$VAULT_SH" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] vault.sh not found at $VAULT_SH' >&2"
+    exit 1
+fi
+
+RMM_URL="http://172.16.3.30:3001"
+
+# Get credentials
+RMM_EMAIL=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email 2>/dev/null)
+RMM_PASS=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password 2>/dev/null)
+
+if [ -z "$RMM_EMAIL" ] || [ -z "$RMM_PASS" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] Failed to get RMM credentials from vault' >&2"
+    exit 1
+fi
+
+# Login - use jq to build JSON safely
+PAYLOAD=$(jq -n --arg email "$RMM_EMAIL" --arg password "$RMM_PASS" '{email: $email, password: $password}')
+JWT=$(curl -s -X POST "$RMM_URL/api/auth/login" -H "Content-Type: application/json" -d "$PAYLOAD")
+TOKEN=$(echo "$JWT" | jq -r '.token // empty')
+
+if [ -z "$TOKEN" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] RMM login failed: $JWT' >&2"
+    exit 1
+fi
+
+# Output exports for eval
+echo "export TOKEN='$TOKEN'"
+echo "export RMM='$RMM_URL'"
+echo "export REPO_ROOT='$REPO_ROOT'"
+echo "echo '[OK] Authenticated to GuruRMM' >&2"

.claude/skills/remediation-tool/SKILL.md

@@ -41,7 +41,7 @@ When triggered automatically (vs. via `/remediation-tool`), follow the same work
 
 ## Before calling any script, verify
 
-- The SOPS vault is accessible: `test -f D:/vault/scripts/vault.sh` (Windows) or `test -f ~/vault/scripts/vault.sh` (other).
+- The SOPS vault is accessible via `.claude/identity.json` `vault_path` field. The scripts auto-resolve the vault location from identity.json — no hardcoded paths.
 - `jq`, `curl`, `bash` are available.
 - For Exchange REST checks: confirm the target tenant has **Exchange Administrator** role assigned to the **Security Investigator** SP (for reads) or **Exchange Operator** SP (for writes). If any Exchange REST call returns 403, emit the tenant-scoped Entra Roles link from `references/gotchas.md`.
 - For Identity Protection checks: `IdentityRiskyUser.Read.All` is in the Security Investigator manifest AND the tenant has consented to that app. If 403, emit the per-app consent URL from `references/gotchas.md`.