sync: auto-sync from GURU-5070 at 2026-07-02 17:30:07

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-07-02 17:30:07
2026-07-02 17:30:57 -07:00
parent 59b5f1f5f2
commit 75f60df6a6
3 changed files with 141 additions and 0 deletions

@@ -163,3 +163,76 @@ root RMM agent); staged crowdstrike installers under /var/www/gururmm/downloads/
applied 0.5 prepay, block 10.0->9.5); linked-ref offboarding ticket #32487 (id 113195707,
Invoiced). Remote labor product 1190473 @ $150 (category Labor).
- Docs: .claude/skills/remediation-tool/references/app-suite.md (authoritative 365 map).
---
## Update: 17:29 PT — PST "Mara audit log" relocation + fast wiki-compile update mode
### Summary
Two follow-on threads after the earlier save. (1) **Peaceful Spirit — "the Mara audit log":**
Mike asked to change its location to `G:\Shares\Private\Partner Review\Legal Documents - DO NOT
DELETE\_Deletion Reports`. No such mechanism was in our notes/wiki/coord — located it live via
GuruRMM (site SSH was down, no L2TP VPN). It is a scheduled task **`PST Deletion Report (Daily)`**
on PST-SERVER running `C:\PST-Tools\PST-DeletionReport.ps1` (SYSTEM, 06:30), harvesting Security
events 4660/4663 (SACL on `G:\Shares\Scanned`) into a per-day HTML deletion report — the standing
record Mara reviews after the mass-deletion incident. Repointed only `$OutDir` to the legal folder
(left `$Root = G:\Shares\Scanned` — the monitored scope — unchanged), backed up the script, and
validated by a test run (report written, 6 items) + confirmed the daily task unchanged.
(2) **wiki-compile speed:** Mike flagged the wiki rebuild as terribly slow and wanted update-vs-
rebuild. Root cause: the no-flag "refresh" only touched Syncro fields (useless for knowledge), so
capturing real work forced `--full` (reads ALL logs + Sonnet full-article regen). Added a real
**update mode** (new default) and did the PST wiki edit surgically as the exemplar.
### Key Decisions
- Located the audit mechanism via GuruRMM read-only discovery rather than guessing or asking —
SSH to the CC site needs the L2TP VPN (down); PST-SERVER is a GuruRMM agent (87293069), reachable.
- Changed ONLY `$OutDir`; `$Root` (audited folder) stays `G:\Shares\Scanned`. Backup kept
(`PST-DeletionReport.ps1.bak-20260702`) — reversible one-line change on a HIPAA DC.
- wiki-compile: made **update** the no-flag default = Syncro refresh + incremental merge of ONLY
logs newer than `last_compiled`, via targeted section edits (main agent/Haiku, no Sonnet, no full
regen). `--full` = explicit Rebuild; `--syncro` = instant Syncro-only. Folded old "refresh" into
update. Speedup = small input (new logs only) + small output (surgical edits) + no Sonnet pass.
- Applied the PST wiki edit directly (not via the staged/locked Phase 5 flow) — single known change,
faster; next `--full` reconciles.
### Problems Encountered
- Wrong RMM status endpoint first (`/api/agents/commands/{id}` returned empty) → correct is
`GET /api/commands/{id}` (from the /rmm command doc). Self-corrected.
- Flagged (not fixed): the target legal folder `...\Legal Documents - DO NOT DELETE\` contains
client-stored credentials in the clear (`passwords`, `Employee password list 2019-01-15.docx`) —
surfaced to Mike for a separate cleanup decision.
### Configuration Changes
- PST-SERVER (via GuruRMM, agent 87293069): edited `C:\PST-Tools\PST-DeletionReport.ps1`
(`$OutDir` -> legal folder); backup `C:\PST-Tools\PST-DeletionReport.ps1.bak-20260702`.
Scheduled task `PST Deletion Report (Daily)` unchanged.
- claudetools (main, commit 59b5f1f5): `wiki/clients/peaceful-spirit.md` (Deletion Investigation
paragraph + 2026-07-02 History row + frontmatter date), `wiki/index.md` (PST date bump),
`.claude/commands/wiki-compile.md` (+ global copy) — new update/rebuild/syncro modes.
### Infrastructure & Servers
- PST-SERVER (Peaceful Spirit CC): LAN 192.168.0.2, Server 2016 Essentials DC/file server,
GuruRMM agent `87293069-33b6-45e8-a68f-6811216cdb96` (online). G: is a local drive; SYSTEM has
full access. Site SSH (`sysadmin@192.168.0.2`) requires L2TP VPN to CC (was down this session).
- Audit basis: object-access auditing (File System) = Success+Failure; SACL Everyone/Delete+DC/
Success on `G:\Shares\Scanned`. Report retention 90 days, generated ~06:30 daily.
### Commands & Outputs
- Find PST-SERVER agent: `bash .claude/scripts/rmm-search.sh -c "peaceful spirit"`.
- RMM dispatch: `POST $RMM/api/agents/$AGENT/command` {command_type:"powershell", command, timeout_seconds};
poll `GET $RMM/api/commands/$CID` (.status/.stdout). Server 2016 -> use plain `powershell`
command_type (not ps-encoded EncodedCommand).
- Validation output: `Report written: G:\Shares\Private\Partner Review\Legal Documents - DO NOT
DELETE\_Deletion Reports\Deletion-Report-2026-07-02.html (6 items)`; task LastResult=0, NextRun 07/03 06:30.
### Pending / Incomplete Tasks
- (unchanged CrowdStrike Tasks 6-9, VWP/Cascades consent AMBERs from earlier.)
- Peaceful Spirit: client credentials stored in the clear in the Legal Documents share — Mike to
decide on cleanup/vaulting separately.
- Optional: run `/wiki-compile client:peaceful-spirit` (now fast update mode) to confirm the new
path end-to-end on the real article next time.
### Reference Information
- Commit 59b5f1f5 (wiki + wiki-compile update mode). PST-SERVER GuruRMM agent 87293069.
- Script: `C:\PST-Tools\PST-DeletionReport.ps1` (task "PST Deletion Report (Daily)").
- New report path: `G:\Shares\Private\Partner Review\Legal Documents - DO NOT DELETE\_Deletion Reports`.
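
Review bot: The Problems Encountered and Pending / Incomplete Tasks entries name the exact folder and file names (`passwords`, `Employee password list 2019-01-15.docx`) where client credentials sit in the clear, and this log is auto-synced into the repository, so anyone with read access to the repo learns where to look on what the entry itself calls a HIPAA DC. Suggest replacing the file names and folder with a pointer to wherever the cleanup decision is tracked, and trimming the full agent GUID and `sysadmin@192.168.0.2` in Infrastructure & Servers down to the short forms the entry already uses elsewhere. Separately, the Audit basis line places the SACL on `G:\Shares\Scanned` only, while `$OutDir` now points under `G:\Shares\Private\...`; the entry should say whether deletions of the reports themselves in the new folder are audited, since nothing in the visible lines shows that they are.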