core: restore 'vault + document EVERY in-session credential' rule; memory: IX WHM API token method + feedback
Triggered by ~1h lost on 2026-06-12 when the IX WHM access method was forgotten and password auth no longer worked. CLAUDE.md Key rules now mandates vaulting via the vault skill + thorough documentation for any credential surfaced in a session. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
33
.claude/memory/ix-whm-dns-api-access.md
Normal file
33
.claude/memory/ix-whm-dns-api-access.md
Normal file
@@ -0,0 +1,33 @@
|
||||
---
|
||||
name: ix-whm-dns-api-access
|
||||
description: IX cPanel/WHM API access uses the FULL-ACCESS-root 'ClaudeTools' API token (header auth), NOT the root password
|
||||
metadata:
|
||||
type: reference
|
||||
---
|
||||
|
||||
All WHM API work on **IX** (`ix.azcomputerguru.com:2087`, the primary cPanel/WHM box,
|
||||
public NS `ns1/ns2.acghosting.com` = `52.52.94.202`) — DNS zone edits and everything else —
|
||||
authenticates with the **WHM API token** named **`ClaudeTools`**, used as a header, NOT the
|
||||
root password. The token is **FULL-ACCESS ROOT** (capable of ALL WHM API actions, not
|
||||
DNS-scoped) — treat it as a root credential.
|
||||
|
||||
**Working method:**
|
||||
```
|
||||
curl -4 -sk "https://ix.azcomputerguru.com:2087/json-api/<func>?api.version=1&..." \
|
||||
-H "Authorization: whm root:$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/ix-server.sops.yaml credentials.whm-api-token)"
|
||||
```
|
||||
|
||||
**Why (the trap that burned ~an hour on 2026-06-12):** the legacy `/json-api/` path with
|
||||
**basic-auth password** (`-u root:<password>`) now returns `HTTP 403 Forbidden Access
|
||||
denied` (a `cpanelresult` JSON, denied **pre-auth** — bad creds give the same 403). It is
|
||||
NOT cPHulk (disabled) and NOT an Imunify IP block (the WHM login page `/:2087/` returns 200
|
||||
from the same IP; whitelisting the IP does nothing). cpsrvd/Imunify simply rejects
|
||||
password-based scripted `json-api` access; the API token is the supported client.
|
||||
|
||||
**Token location:** vault `infrastructure/ix-server.sops.yaml` → `credentials.whm-api-token`
|
||||
(also documented in that entry's plaintext `notes`). `credentials.password` is still the
|
||||
real root password but DOES NOT work for the API — leave it for SSH/console only.
|
||||
|
||||
Common funcs: `dumpzone` (read), `addzonerecord` / `editzonerecord` / `removezonerecord`
|
||||
(write; cPanel auto-bumps SOA serial + cluster-syncs to the public NS), `synczone`
|
||||
(force cluster push). Force IPv4 (`curl -4`) for a stable egress IP. Related: [[neptune-exchange-mail-hosting]].
|
||||
Reference in New Issue
Block a user