diff --git a/.claude/skills/unifi-wifi/references/site-manager-api.md b/.claude/skills/unifi-wifi/references/site-manager-api.md index 4eeb0f58..ee86256b 100644 --- a/.claude/skills/unifi-wifi/references/site-manager-api.md +++ b/.claude/skills/unifi-wifi/references/site-manager-api.md 
@@ -115,9 +115,16 @@ The connector reaches the gateway config surface - `GET/PUT /rest/networkconf`, (`purpose=remote-user-vpn`, `vpn_type=wireguard-server|openvpn-server`; site-to-site as `*-vpn`). So VPN configs are READABLE now and WRITABLE in principle (PUT/POST) - but writes are high-stakes (lockout risk) and must be DRY-RUN + confirm gated like gw-control.sh; not wired in yet. -**Teleport: no usable API found** - `/v1/teleport`, `/ea/teleport` -> 404; per-console `/teleport` -> 403; -no teleport-tagged networks. It's the ui.com-brokered zero-config overlay, managed via the account/app; -needs deeper research before claiming any programmatic path. +**Teleport: config IS reachable** (corrected 2026-06-17 - the first probes used the wrong paths +`/rest/teleport`/`/stat/teleport`/`/v1/teleport`). The real surface: +- `GET/PUT /api/s//rest/setting/teleport` (also under `/get/setting`, key `teleport`) -> reads/writes + `{enabled, subnet_cidr}`. Confirmed via connector: Brooklyn Teleport `{enabled:true, subnet_cidr:'192.168.1.1/24'}`. +- Invite generate/revoke is reportedly `POST /api/s//cmd/teleport {"cmd":"generate-invite"|"revoke-invite"}` + (Gemini + community + pulumiverse-unifi `setting.Teleport`) - NOT tested here; it creates a live VPN access + link, so gate it as a write. Caveat: Teleport invites are consumable only by the WiFiman app (no native + WireGuard `.conf` export). +- Reach it via the connector `/v1/connector/consoles/{id}/proxy/network/api/s//...` (Gemini's + `/v1/hosts/{id}/proxy` form 404s; grok xsearch returned empty twice on this query - gemini + live probe settled it). ## Gotchas - Direct WAN SSH/HTTPS to a standalone UDM is usually firewalled (Brooklyn 67.1.139.219:
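Review bot: The first added bullet lists `GET/PUT /api/s//rest/setting/teleport` as "reads/writes" with no gating note, while only the invite bullet says "gate it as a write". The unchanged context just above requires VPN writes to be DRY-RUN + confirm gated like gw-control.sh, so say the same for this PUT, since it changes `enabled` and `subnet_cidr` on a live remote-access setting. Smaller points: the paths as shown have an empty site segment (`/api/s//...`) while the connector path uses `{id}`, so an explicit placeholder such as `{site}` would make them unambiguous; the "Confirmed via connector" example records a named site's real Teleport config and could carry a placeholder value instead; and the invite endpoint is marked "NOT tested here", so keep it visibly separate from the confirmed surface until a probe verifies it.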