sync: auto-sync from HOWARD-HOME at 2026-06-21 13:04:37

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-21 13:04:37

wiki/systems/pfsense.md

@@ -99,11 +99,12 @@ The REST backend (`pfsense-backend.sh`, `clients/<slug>/pfsense-api`) is a dorma
 `pfsense-firewall` cred) and run the dispatch BEFORE UOS site resolution, so a pfSense-only client
 slug works without a matching UOS site name (pass `--pfsense <slug>` if the names differ).
 
-**THIS office box:** listens on SSH **port 2248** (not 22). The skill supports non-default ports as
-of 2026-06-21 — pass `--port 2248`, or (preferred) store `port: 2248` in the box's vault entry and
-it's automatic. Cred for it is vaulted at `infrastructure/pfsense-firewall` (verify), but the SSH
-backend expects the cred at `clients/<slug>/pfsense-firewall`, so an `infrastructure/`-path cred
-would need a slug alias or a small path tweak before `pfsense-ssh.sh` can read it (verify).
+**THIS office box:** SSH **port 2248** (not 22). **Fully reachable by the skill as of 2026-06-21.**
+Cred vaulted at `infrastructure/pfsense-firewall` (verify) — pass it as a **full vault path**
+(option A, Mike 2026-06-21: a 1st arg containing `/` is a vault path, not a client slug), e.g.
+`pfsense-ssh.sh infrastructure/pfsense-firewall audit` or
+`gw-audit '<site>' --pfsense infrastructure/pfsense-firewall`. Add `port: 2248` to that vault entry
+so the non-standard port is automatic (or pass `--port 2248`). No cred duplication needed.
 
 **pfSense PHP gotchas** (baked into the scripts; carry forward to any new helper):
 - Bootstrap with `require_once("config.inc")` ONLY — re-requiring util/functions/filter → "cannot