From 7dc519827cd6cd79a00c3ca851656d41844c6e9b Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Mon, 6 Jul 2026 16:10:52 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-07-06 16:10:24 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-06 16:10:24 --- .claude/skills/screenconnect/SKILL.md | 35 ++++--- .../screenconnect/references/api-reference.md | 17 +++- .claude/skills/screenconnect/scripts/sc.py | 58 +++++++++--- .../skills/screenconnect/scripts/sc_client.py | 92 ++++++++++++++++--- .../skills/screenconnect/scripts/selftest.py | 10 +- projects/gps-rmm-audit/backup-map.md | 26 +++--- 6 files changed, 186 insertions(+), 52 deletions(-) diff --git a/.claude/skills/screenconnect/SKILL.md b/.claude/skills/screenconnect/SKILL.md index ba79b69e..f131c1fa 100644 --- a/.claude/skills/screenconnect/SKILL.md +++ b/.claude/skills/screenconnect/SKILL.md @@ -13,13 +13,18 @@ extension. Read-only by default; writes gated behind `--confirm`. ```bash SC="bash $CLAUDETOOLS_ROOT/.claude/scripts/py.sh C:/claudetools/.claude/skills/screenconnect/scripts/sc.py" -$SC status # auth check + instance info -$SC sessions --name "" # find sessions by Name -$SC session # full session detail +$SC status # auth check + fleet counts +$SC sessions # WHOLE Access fleet (all agents) +$SC sessions --company "X" # one client's machines (CP1) +$SC sessions --like DELL # partial-name match +$SC sessions --name "" # exact Name match +$SC sessions --filter "SessionType = 'Access'" # raw session-filter expression +$SC sessions --limit 25 # cap printed rows (--json is always full) +$SC session # full session detail $SC build-installer --platform msi --name HOST --company "X" --site "Y" --tag "Z" $SC send-command --session --command "..." --confirm $SC set-properties --session --props-json '["Company","Site","Tag"]' --confirm -$SC raw --method GetSessionsByName --body '{"sessionName":""}' +$SC raw --method GetSessionsByFilter --body '{"sessionFilter":"SessionType = '"'"'Access'"'"'"}' ``` Transport auto-selects httpx, else stdlib urllib (no hard dependency). @@ -56,18 +61,24 @@ Company/Site/Tag, ran a command, re-tagged via set-properties). ## Method surface (probed live 2026-06-22) **Available (CLI-exposed):** -- Reads: `GetSessionsByName` (matches the Name field; "" -> blank-name sessions), - `GetSessionDetailsBySessionID`, `GetSessionBySessionID`. +- Full-fleet listing: `GetSessionsByFilter` `{"sessionFilter":""}` (probed live + 2026-07-06) - THE enumeration path. `SessionType = 'Access'` returns every + unattended agent (958 on this instance); `SessionType = 'Support'` the on-demand + sessions (24). Filter language: single-quoted literals, `=`/`LIKE` (with `*` + wildcards), `AND`/`OR`. Per-client `CustomProperty1 = 'Safesite'`; partial name + `Name LIKE '*DELL*'`. The CLI `sessions` command wraps this (default = whole fleet). +- Reads: `GetSessionsByName` (EXACT Name match; "" -> only blank-name sessions, NOT + the fleet - use the filter for listing), `GetSessionDetailsBySessionID`, + `GetSessionBySessionID`. - Writes (gated): `SendCommandToSession` `[sessionID, command]`, `SendMessageToSession` `[sessionID, message]`, `UpdateSessionCustomProperties` `[sessionID, [cp1,cp2,cp3,...]]`, `CreateSession` (array; not the primary path - the installer creates access sessions). -**MISSING on this extension version (NOT a deploy/control blocker):** -- `GetSessions` / `GetAllSessions` / `GetSessionGroups` (full-fleet inventory) -> - "web method does not exist". Listing ALL agents needs Mike to update the RESTful - API Manager extension to expose a list-all method. Until then, find sessions by - Name (the installer sets the Name = machine name, so by-name lookup works). +**Absent aliases (not needed):** +- `GetSessions` / `GetAllSessions` / `GetSessionGroups` -> "web method does not + exist". No extension update required: `GetSessionsByFilter` covers full-fleet + inventory. (Earlier notes flagged this as a gap pending Mike; it is resolved.) ## Safety gating @@ -121,5 +132,5 @@ Advance via RMM_THOUGHTS -> `/shape-spec`. Do NOT build until Mike gives the go. ## Reference -Verified method/param spec, auth, installer params, and the GetSessions gap: +Verified method/param spec, auth, installer params, and the session-filter language: `references/api-reference.md`. diff --git a/.claude/skills/screenconnect/references/api-reference.md b/.claude/skills/screenconnect/references/api-reference.md index 36fd09a8..1793ff49 100644 --- a/.claude/skills/screenconnect/references/api-reference.md +++ b/.claude/skills/screenconnect/references/api-reference.md @@ -22,14 +22,27 @@ probing 2026-06-22. | Method | Params | Status | Notes | |---|---|---|---| -| `GetSessionsByName` | `{"sessionName":""}` | VERIFIED | Matches the session Name field. "" returns blank-Name (unattended) sessions. CLI `sessions`. | +| `GetSessionsByFilter` | `{"sessionFilter":""}` | VERIFIED | **Full-fleet listing.** Session-filter expression. `SessionType = 'Access'` -> 958 agents; `SessionType = 'Support'` -> 24. CLI `sessions`. See filter syntax below. | +| `GetSessionsByName` | `{"sessionName":""}` | VERIFIED | EXACT Name match. "" returns only blank-Name sessions (NOT the fleet). CLI `sessions --name`. | | `GetSessionDetailsBySessionID` | `{"sessionID":""}` | VERIFIED | Full session object (CustomPropertyValues, ActiveConnections, ...). CLI `session`. | | `GetSessionBySessionID` | `{"sessionID":""}` | VERIFIED | Returns the session (or [] if none). | | `SendCommandToSession` | `["",""]` | VERIFIED (gated) | Runs a backstage command on the guest. CLI `send-command`. STATE-CHANGING. | | `SendMessageToSession` | `["",""]` | wired (array) | Chat message to the guest. CLI `send-message`. STATE-CHANGING. | | `UpdateSessionCustomProperties` | `["",["cp1","cp2","cp3",...]]` | VERIFIED (gated) | Set CP1=Company/CP2=Site/CP3=Tag. CLI `set-properties`. STATE-CHANGING. | | `CreateSession` | array (signature TBD) | EXISTS | Not the primary path - the installer creates access sessions. `raw` only. | -| `GetSessions` / `GetAllSessions` / `GetSessionGroups` | - | MISSING | "web method does not exist". Full-fleet inventory needs an extension update (Mike). | +| `GetSessions` / `GetAllSessions` / `GetSessionGroups` | - | ABSENT | "web method does not exist" - but not needed; `GetSessionsByFilter` covers inventory. | + +## Session-filter language (GetSessionsByFilter, probed live 2026-07-06) + +Param name is `sessionFilter` (not `filter`). Empty/null -> "Session filter cannot be +null". String literals are single-quoted (double-quotes also work but need JSON +escaping). Verified operators/forms: + +- `SessionType = 'Access'` (=2, the unattended agent fleet) | `'Support'` (=0) | `'Meeting'` (none here). +- `CustomProperty1 = 'Safesite'` -> per-client (CP1=Company, CP2=Site, CP3=Tag; up to CP8). +- `Name = '0124-DELL3540'` (exact) | `Name LIKE '*DELL*'` (partial, `*` wildcard, case-insensitive). +- Compound: `CustomProperty1 = 'Safesite' AND SessionType = 'Access'`; `AND`/`OR` supported. +- A bare token (`"DELL"`) or `"*"` matches nothing - always name a field. ## Parameterized access installer (the deploy capability) diff --git a/.claude/skills/screenconnect/scripts/sc.py b/.claude/skills/screenconnect/scripts/sc.py index ca5789ba..03872956 100644 --- a/.claude/skills/screenconnect/scripts/sc.py +++ b/.claude/skills/screenconnect/scripts/sc.py @@ -5,8 +5,12 @@ Read-only subcommands run freely. State-changing subcommands (send-command, send-message, set-properties) refuse to run without --confirm. Usage: - python sc.py status # auth check + instance info - python sc.py sessions [--name NAME] [--json] + python sc.py status # auth check + fleet counts + python sc.py sessions # whole Access fleet + python sc.py sessions --company "Safesite" # one client + python sc.py sessions --like DELL # partial name match + python sc.py sessions --name HOST # exact name + python sc.py sessions --filter "SessionType = 'Access'" # raw filter python sc.py session # full session detail python sc.py send-command --session --command "..." --confirm python sc.py send-message --session --message "..." --confirm @@ -97,20 +101,41 @@ def _gated(action_desc: str, confirm: bool) -> bool: # --- handlers --- def cmd_status(client, args): - # Auth check via the one verified method; report instance + custom-property map. - sessions = client.get_sessions_by_name("") - n = len(sessions) if isinstance(sessions, list) else 0 + # Auth check via the fleet filter; report instance + custom-property map + counts. + access = client.list_sessions(session_type="access") + support = client.list_sessions(session_type="support") + na = len(access) if isinstance(access, list) else 0 + ns = len(support) if isinstance(support, list) else 0 print(f"[OK] Authenticated to {SC_BASE_URL}") print(f" extension: {client.extension_guid}") print(f" custom properties: {CUSTOM_PROPERTIES}") - print(f" GetSessionsByName('') returned {n} session(s)") + print(f" fleet: {na} Access (unattended) + {ns} Support session(s)") return 0 def cmd_sessions(client, args): - _print_sessions(client.get_sessions_by_name(args.name)) if not args.json else _emit( - client.get_sessions_by_name(args.name), True - ) + # Full-fleet listing is the default (no selector -> every Access session). + # A raw --filter wins; otherwise build a filter from the structured flags. + if args.filter: + data = client.get_sessions_by_filter(args.filter) + else: + data = client.list_sessions( + session_type=args.type, + name=args.name or None, + name_like=args.like, + company=args.company, + site=args.site, + tag=args.tag, + ) + if isinstance(data, list) and args.limit and len(data) > args.limit: + shown = data[: args.limit] + if args.json: + _emit(shown, True) + else: + _print_sessions(shown) + print(f" ... {len(data) - args.limit} more (raise --limit or use --json)") + return 0 + _emit(data, True) if args.json else _print_sessions(data) return 0 @@ -192,8 +217,19 @@ def build_parser() -> argparse.ArgumentParser: sub.add_parser("status", help="Auth check + instance info.", parents=[common]) - sp = sub.add_parser("sessions", help="List sessions by Name (verified).", parents=[common]) - sp.add_argument("--name", default="", help="Session Name filter (blank = unattended).") + sp = sub.add_parser("sessions", + help="List sessions (default = whole Access fleet).", + parents=[common]) + sp.add_argument("--name", default="", help="Exact session Name match.") + sp.add_argument("--like", help="Partial Name match (wrapped in *...*).") + sp.add_argument("--company", help="Filter by CP1 = Company.") + sp.add_argument("--site", help="Filter by CP2 = Site.") + sp.add_argument("--tag", help="Filter by CP3 = Tag.") + sp.add_argument("--type", default="access", + help="access (default) | support | meeting | all.") + sp.add_argument("--filter", help="Raw session-filter expression (overrides the flags).") + sp.add_argument("--limit", type=int, default=0, + help="Cap rows printed (0 = no cap; --json is always full).") sp = sub.add_parser("session", help="Session detail.", parents=[common]) sp.add_argument("session_id") diff --git a/.claude/skills/screenconnect/scripts/sc_client.py b/.claude/skills/screenconnect/scripts/sc_client.py index ea3bfbee..b1396498 100644 --- a/.claude/skills/screenconnect/scripts/sc_client.py +++ b/.claude/skills/screenconnect/scripts/sc_client.py @@ -16,13 +16,20 @@ application/json and the body is the method's parameters (object or array). Credentials: never hardcoded. api_secret loaded at runtime from the SOPS vault, or the SCREENCONNECT_API_SECRET env var (testing override). -INSTANCE METHOD SURFACE (probed live 2026-06-22): control IS available - -GetSessionsByName, GetSessionDetailsBySessionID, GetSessionBySessionID (reads, -JSON-object params); SendCommandToSession, SendMessageToSession, -UpdateSessionCustomProperties, CreateSession (writes, POSITIONAL-ARRAY params). -MISSING on this extension version: GetSessions/GetAllSessions/GetSessionGroups -(full-fleet inventory) - "web method does not exist"; pending an admin update of -the RESTful API Manager extension. `raw()` probes arbitrary methods. +INSTANCE METHOD SURFACE (probed live 2026-06-22, extended 2026-07-06): control IS +available - GetSessionsByFilter, GetSessionsByName, GetSessionDetailsBySessionID, +GetSessionBySessionID (reads, JSON-object params); SendCommandToSession, +SendMessageToSession, UpdateSessionCustomProperties, CreateSession (writes, +POSITIONAL-ARRAY params). + +FULL-FLEET LISTING (fixed 2026-07-06): GetSessionsByFilter({"sessionFilter": }) +IS exposed and is the enumeration path. It takes a ScreenConnect session-filter +expression, e.g. SessionType = 'Access' (all 958 unattended agents), CustomProperty1 += 'Safesite' (per-client), Name LIKE '*DELL*' (partial name). SessionType 'Access' +(=2) is the agent fleet; 'Support' (=0) the on-demand sessions. The bare aliases +GetSessions/GetAllSessions/GetSessionGroups remain absent, but GetSessionsByFilter +covers the inventory use case fully - no extension update needed. `raw()` probes +arbitrary methods. """ from __future__ import annotations @@ -63,6 +70,10 @@ SKILL_DIR = Path(__file__).resolve().parent.parent # Custom-property mapping on this instance (from the vault notes). CUSTOM_PROPERTIES = {"CP1": "Company", "CP2": "Site", "CP3": "Tag"} +# SessionType filter literals (verified live 2026-07-06): 'Access' (=2) is the +# unattended agent fleet; 'Support' (=0) the on-demand sessions. +SESSION_TYPE_LITERALS = {"access": "Access", "support": "Support", "meeting": "Meeting"} + class ScreenConnectError(RuntimeError): """Raised for transport or API errors.""" @@ -200,17 +211,72 @@ class ScreenConnectClient: # VERIFIED methods (work on the current instance) # ====================================================================== def get_sessions_by_name(self, session_name: str = "") -> Any: - """List sessions whose Name matches `session_name` (RESTful API Manager - GetSessionsByName). VERIFIED LIVE. Empty string returns sessions with a - blank Name (the unattended access agents on this instance).""" + """List sessions whose Name EXACTLY equals `session_name` (RESTful API + Manager GetSessionsByName). VERIFIED LIVE. This is an exact match, not a + contains match ("" returns only the blank-Name sessions, not the fleet). + For full-fleet or partial-name listing use list_sessions()/get_sessions_by_filter().""" return self.call("GetSessionsByName", {"sessionName": session_name}) + def get_sessions_by_filter(self, session_filter: str) -> Any: + """Enumerate sessions matching a ScreenConnect session-filter expression + (GetSessionsByFilter, param `sessionFilter`). VERIFIED LIVE 2026-07-06 - + this IS the full-fleet listing path. Examples: + SessionType = 'Access' -> every unattended agent (the fleet) + CustomProperty1 = 'Safesite' -> one client's machines + Name LIKE '*DELL*' -> partial name (case-insensitive) + Combine with AND/OR. String literals are single-quoted.""" + return self.call("GetSessionsByFilter", {"sessionFilter": session_filter}) + + @staticmethod + def _filter_literal(value: str) -> str: + """Single-quote a value for the session-filter language, escaping any + embedded single quote by doubling it (SQL-style).""" + return "'" + str(value).replace("'", "''") + "'" + + def build_session_filter( + self, + session_type: Optional[str] = "access", + name: Optional[str] = None, + name_like: Optional[str] = None, + company: Optional[str] = None, + site: Optional[str] = None, + tag: Optional[str] = None, + extra: Optional[str] = None, + ) -> str: + """Assemble a session-filter expression from structured parts (AND-joined). + `session_type`: access | support | meeting | all (None/all -> no type clause). + `name` exact, `name_like` partial (wrapped in *...*), company/site/tag map to + CP1/CP2/CP3, `extra` is a raw clause appended verbatim. Defaults to the whole + Access fleet when nothing else is specified.""" + clauses: list[str] = [] + if session_type and session_type.lower() != "all": + literal = SESSION_TYPE_LITERALS.get(session_type.lower(), session_type) + clauses.append(f"SessionType = {self._filter_literal(literal)}") + if name: + clauses.append(f"Name = {self._filter_literal(name)}") + if name_like: + clauses.append(f"Name LIKE {self._filter_literal('*' + name_like + '*')}") + if company: + clauses.append(f"CustomProperty1 = {self._filter_literal(company)}") + if site: + clauses.append(f"CustomProperty2 = {self._filter_literal(site)}") + if tag: + clauses.append(f"CustomProperty3 = {self._filter_literal(tag)}") + if extra: + clauses.append(extra) + return " AND ".join(clauses) if clauses else "SessionType = 'Access'" + + def list_sessions(self, **kwargs) -> Any: + """Convenience: build a filter from keyword parts and enumerate. See + build_session_filter for the accepted keywords.""" + return self.get_sessions_by_filter(self.build_session_filter(**kwargs)) + # ====================================================================== # Control + detail methods (all VERIFIED LIVE 2026-06-22 on the ACG instance). # Reads take a JSON object {sessionID:...}; the POST/write methods take a - # POSITIONAL ARRAY. NOTE: full-fleet inventory (GetSessions) is NOT exposed by - # this extension version (returns "web method does not exist") - pending an - # admin update of the RESTful API Manager extension (see SKILL.md). + # POSITIONAL ARRAY. Full-fleet inventory is served by GetSessionsByFilter + # (see get_sessions_by_filter / list_sessions above) - the bare GetSessions + # alias is absent but not needed. # ====================================================================== def get_session_details(self, session_id: str) -> Any: """GetSessionDetailsBySessionID - full detail for one session. VERIFIED.""" diff --git a/.claude/skills/screenconnect/scripts/selftest.py b/.claude/skills/screenconnect/scripts/selftest.py index 3739bcb6..64bbb7a5 100644 --- a/.claude/skills/screenconnect/scripts/selftest.py +++ b/.claude/skills/screenconnect/scripts/selftest.py @@ -43,9 +43,15 @@ def check(name, args, *, want_rc=None, out_has=None, out_json_ok=False): # --- reads: succeed (rc 0) [hit the live instance] --- -check("status", ["status"], want_rc=0, out_has="Authenticated") -check("sessions", ["sessions"], want_rc=0, out_has="Sessions:") +check("status", ["status"], want_rc=0, out_has="fleet:") +check("sessions (full fleet)", ["sessions"], want_rc=0, out_has="Sessions:") check("sessions json", ["sessions", "--json"], want_rc=0, out_json_ok=True) +check("sessions --limit", ["sessions", "--limit", "5"], want_rc=0, out_has="Sessions:") +check("sessions --like", ["sessions", "--like", "DELL", "--json"], want_rc=0, out_json_ok=True) +check("sessions --filter", ["sessions", "--filter", "SessionType = 'Access'", "--json"], + want_rc=0, out_json_ok=True) +check("sessions --company", ["sessions", "--company", "Safesite", "--json"], + want_rc=0, out_json_ok=True) # --- build-installer: pure URL build (no network) --- check("build-installer", ["build-installer", "--name", "HOST", "--company", "AZ Computer Guru", diff --git a/projects/gps-rmm-audit/backup-map.md b/projects/gps-rmm-audit/backup-map.md index 92da43bc..125cfa98 100644 --- a/projects/gps-rmm-audit/backup-map.md +++ b/projects/gps-rmm-audit/backup-map.md @@ -36,21 +36,23 @@ audit. See `wiki/projects/gps-rmm-audit.md`. | Grabb & Durando Law | 1 | 49 | GND-SERVER cloud plan **failing / 0 bytes (flapping)** | **NOT BACKING UP** | | Bill Tedards | 1 | 45 | DESKTOP-SUFJR0J **last good 359d ago** | **NOT BACKING UP** (stale ~12 mo) | | Arizona Medical Transit | 1 | 0 | MSP360 company exists, **0 plans** | **NOT BACKING UP** | -| Reliant Well Drilling | 1 | 40 | none — RMM machines online, run Datto **EDR+RMM only, no backup client** | **UNCONFIRMED** (agentless SIRIS not ruled out) | -| The Prairie Schooner | 1 | 10 | none — 2 servers online, Datto **EDR only, no backup client** | **UNCONFIRMED** (SIRIS could image servers agentlessly) | +| Reliant Well Drilling | 1 | 40 | **CONFIRMED none** — both PCs scanned 2026-07-06: no backup software/task/WSB, Datto EDR+RMM only | **NOT BACKING UP** (endpoint-verified) | +| The Prairie Schooner | 1 | 10 | **CONFIRMED none current** — TPS-SERVER has Windows Server Backup to a USB disk but **last ran 3/7/2018 (~8 yr dead)**; other PCs nothing | **NOT BACKING UP** (endpoint-verified) | | Janet Altschuler | 2 | 0 | **CONFIRMED none** — direct scan of both machines 2026-07-06: no backup software/service/task, no Windows Backup, no Datto backup agent (only Dropbox, stopped) | **NOT BACKING UP** (endpoint-verified) | -| Design and Brand Envoys | 1 | 0 | none — machines online, Datto **EDR+RMM only, no backup client** | **UNCONFIRMED** | +| Design and Brand Envoys | 1 | 0 | **CONFIRMED none** — 2 PCs scanned 2026-07-06: no backup software/task/WSB (OSGOOD-PAUL offline, unscanned) | **NOT BACKING UP** (endpoint-verified) | -**Rollup (16 billed):** 7 OK · 2 REVIEW (seat>machine) · 3 NOT BACKING UP (Grabb, Tedards, -AMT) · 4 HELD-unconfirmed pending Datto Workplace enumeration. +**Rollup (16 billed):** 7 OK · 2 REVIEW (seat>machine) · **7 NOT BACKING UP** (Grabb, Tedards, +AMT, + the 4 now endpoint-verified: Reliant, Prairie, Janet Altschuler, Design & Brand Envoys). -The 4 UNCONFIRMED are billed for backup but have **no destination in any backend we can read** -(MSP360/B2/Seafile/ownCloud/Datto Workplace). 2026-07-06 RMM endpoint scan: their online -machines run **Datto EDR + Datto RMM only — NO Datto backup client** (no Workplace, no SIRIS -Windows Agent). The one thing endpoint detection CANNOT see is an **agentless Datto SIRIS/BCDR -appliance** (hypervisor-snapshot backup, no on-box agent) — only the Datto BCDR partner portal -(no ACG skill/creds) would confirm that. Sent to Mike+Winter 2026-07-06 asking where these -back up; also re-requested the Datto Workplace super-admin API key (current key = 0 projects). +All 4 were **endpoint-verified 2026-07-06** (GuruRMM now on their machines; full backup-software +scan): **NO backup software, service, scheduled backup job, Windows Server Backup, or Datto +backup client** on any machine — and nothing in MSP360/B2/Seafile/ownCloud/Datto Workplace. +Prairie's TPS-SERVER has a Windows Server Backup to a USB disk but it **last ran 3/7/2018 +(~8 years dead)**. Only residual endpoint-invisible possibility = an **agentless Datto SIRIS/BCDR +appliance** — but there's no Datto backup agent on any of them and 3 of 4 have no server, so +effectively ruled out. **Conclusion: none of these 4 are backing up.** Sent to Mike+Winter +2026-07-06 (message updated with the verified result); also re-requested the Datto Workplace +super-admin API key (current key = 0 projects). ---