core: restore 'vault + document EVERY in-session credential' rule; memory: IX WHM API token method + feedback

Triggered by ~1h lost on 2026-06-12 when the IX WHM access method was forgotten and
password auth no longer worked. CLAUDE.md Key rules now mandates vaulting via the vault
skill + thorough documentation for any credential surfaced in a session.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-12 10:52:30 -07:00
parent adb8c492b8
commit 9b02a508d6
4 changed files with 73 additions and 1 deletion


@@ -31,7 +31,15 @@ production, data-loss. Detail: EXTENDED + `.claude/OLLAMA.md`.
## Key rules (always)
- **NO EMOJIS.** Use ASCII markers: `[OK]` `[ERROR]` `[WARNING]` `[INFO]` `[CRITICAL]`.
- **No hardcoded credentials.** SOPS vault: `bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field <path> <field>` (1Password fallback). Never commit plaintext secrets (the pre-commit `harness-guard.sh` warns).
- **Credentials — capture, vault, document (ALWAYS).** ANY credential that surfaces in a
session — one the user pastes, one you create/rotate, one you discover in a log/config — you
MUST immediately store it in the SOPS vault **via the `vault` skill** (the canonical path —
this is why the vault exists; do not improvise raw `sops`/`vault.sh`) AND document it
thoroughly in the entry: what it is, what it's for, and exactly how it's used (auth method,
endpoint, gotchas). Read with the skill too; `vault.sh get-field <path> <field>` is the
underlying read (1Password fallback). Never commit plaintext secrets (pre-commit
`harness-guard.sh` warns). Losing/forgetting infra credentials wastes real time — capturing
them is not optional.
- **SSH:** system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`), never Git-for-Windows SSH.
- **Data integrity:** never placeholder/fake data — check vault, wiki, or ask.
- **Hard-to-reverse or outward-facing actions:** confirm first (per-action, per-session).
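Review bot: the new "Credentials — capture, vault, document" bullet repeats two items that already sit in the "No hardcoded credentials" bullet directly above it: the read command (`vault.sh get-field <path> <field>` with the 1Password fallback) and the sentence "Never commit plaintext secrets (pre-commit `harness-guard.sh` warns)". Keep each of those in one bullet only, so the new rule is solely the capture/vault/document mandate; duplicated sentences in an always-loaded rules file are exactly what drifts apart on the next edit, which is the failure this commit is repairing.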


@@ -134,3 +134,5 @@
- [Beast = primary GuruRMM Windows build host](gururmm-beast-windows-build-host.md) — GURU-BEAST-ROG (i9), reached from .30 via Tailscale-on-.30 at 100.101.122.4 as guru; Pluto is the fallback (`attempt_build beast || attempt_build pluto`). WiX must be 4.x (v6+ = OSMF); Beast NuGet needed nuget.org added
- [GuruRMM command_type gotcha](reference_gururmm_command_type.md) — only shell/powershell/python/script/claude_task (+cmd alias); unknown type silently dropped, looks like a black-hole
- [GuruRMM log analysis -> Claude Haiku](gururmm-log-analysis-claude-cutover.md) — cut over from Ollama-on-Beast (timed out on fleet-sized prompts; "unreachable" was a mislabeled 120s timeout) to Anthropic API Haiku 4.5 w/ structured outputs; key at vault `projects/gururmm/anthropic-api`; ZDR pending; deploy needs root on .30 (.env + restart)
- [IX WHM API access = 'ClaudeTools' token, not password](ix-whm-dns-api-access.md) — IX cPanel/WHM (ix.azcomputerguru.com:2087) DNS + all API work uses the FULL-ACCESS-root WHM API token at vault `infrastructure/ix-server` `credentials.whm-api-token` via header `Authorization: whm root:<token>` (force curl -4). Password basic-auth on legacy json-api now 403s. Public NS ns1/ns2.acghosting.com = 52.52.94.202.
- [Vault EVERY credential surfaced in-session](feedback-vault-every-credential.md) — any cred (pasted/created/discovered) -> store via the vault skill + document purpose & exact usage immediately; it's a standing job rule (reinforced in CORE CLAUDE.md). Lost IX creds wasted ~1h on 2026-06-12.
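Review bot: the IX index line cites the vault entry as `infrastructure/ix-server` while the new reference note and its curl command use `infrastructure/ix-server.sops.yaml`; pick one form for the index so whoever pastes it into `vault.sh get-field` does not have to guess whether the `.sops.yaml` suffix is part of the path. The same line states the exact header format and the "force curl -4" gotcha, which is good for a one-line recall entry; the path is the only piece a reader cannot reconstruct.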


@@ -0,0 +1,29 @@
---
name: feedback-vault-every-credential
description: ANY credential surfaced in a session must be vaulted via the vault skill AND thoroughly documented — immediately
metadata:
type: feedback
---
When ANY credential appears in a session — the user pastes one, you create/rotate one, or you
discover one in a log/config — **immediately store it in the SOPS vault via the `vault` skill
and document it thoroughly** (what it is, what it's for, how it's used: auth method, endpoint,
gotchas). This is a standing job requirement, not a per-task ask — it is literally why the vault
exists.
**Why:** Mike (2026-06-12) was "highly irritated" after ~an hour was wasted because the IX WHM
access method had been lost/forgotten and I fell back to a password method that no longer works.
The original rule ("recognize any credential in-session, vault it, document what it's for and how
it's used") had drifted out of the always-loaded instructions.
**How to apply:**
- Use the **`vault` skill** (`vault-helper.sh new`/`set`, `vault.sh get`/`get-field`) — the
canonical path. Do NOT improvise raw `sops`/`vault.sh` with hand-built paths. (Exception: the
helper only writes under `credentials:`; a top-level metadata `notes` edit still needs `sops
--set` — but the secret itself always goes through the skill.)
- Document in the entry's `notes`: purpose + exact usage (e.g. header vs basic-auth, endpoint,
"force curl -4", what does NOT work and why). Future me reads this instead of re-deriving.
- Finish the job: store -> `verify` encrypted -> publish (sync/commit). Never paste the secret
into chat/commit/coord.
- Now reinforced in CORE `.claude/CLAUDE.md` "Key rules". See [[ix-whm-dns-api-access]] for the
concrete case that triggered this.
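Review bot: the "Finish the job" bullet lists `verify` and "publish (sync/commit)" as steps but names no command for either, whereas the first bullet spells out `vault-helper.sh new`/`set` and `vault.sh get`/`get-field`; give the verify and publish invocations in the same form so the checklist can be executed without re-deriving it. The first bullet also says "Do NOT improvise raw `sops`/`vault.sh`" and two lines later allows `sops --set` for the top-level `notes` field; state the exact permitted `sops --set` form (or extend the helper to write `notes`) so the exception does not read as contradicting the rule.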


@@ -0,0 +1,33 @@
---
name: ix-whm-dns-api-access
description: IX cPanel/WHM API access uses the FULL-ACCESS-root 'ClaudeTools' API token (header auth), NOT the root password
metadata:
type: reference
---
All WHM API work on **IX** (`ix.azcomputerguru.com:2087`, the primary cPanel/WHM box,
public NS `ns1/ns2.acghosting.com` = `52.52.94.202`) — DNS zone edits and everything else —
authenticates with the **WHM API token** named **`ClaudeTools`**, used as a header, NOT the
root password. The token is **FULL-ACCESS ROOT** (capable of ALL WHM API actions, not
DNS-scoped) — treat it as a root credential.
**Working method:**
```
curl -4 -sk "https://ix.azcomputerguru.com:2087/json-api/<func>?api.version=1&..." \
-H "Authorization: whm root:$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/ix-server.sops.yaml credentials.whm-api-token)"
```
**Why (the trap that burned ~an hour on 2026-06-12):** the legacy `/json-api/` path with
**basic-auth password** (`-u root:<password>`) now returns `HTTP 403 Forbidden Access
denied` (a `cpanelresult` JSON, denied **pre-auth** — bad creds give the same 403). It is
NOT cPHulk (disabled) and NOT an Imunify IP block (the WHM login page `/:2087/` returns 200
from the same IP; whitelisting the IP does nothing). cpsrvd/Imunify simply rejects
password-based scripted `json-api` access; the API token is the supported client.
**Token location:** vault `infrastructure/ix-server.sops.yaml``credentials.whm-api-token`
(also documented in that entry's plaintext `notes`). `credentials.password` is still the
real root password but DOES NOT work for the API — leave it for SSH/console only.
Common funcs: `dumpzone` (read), `addzonerecord` / `editzonerecord` / `removezonerecord`
(write; cPanel auto-bumps SOA serial + cluster-syncs to the public NS), `synczone`
(force cluster push). Force IPv4 (`curl -4`) for a stable egress IP. Related: [[neptune-exchange-mail-hosting]].
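Review bot: the "Working method" curl passes `-k`, which disables TLS certificate verification on a request whose `Authorization` header carries a full-access root token; anyone positioned on the path to `ix.azcomputerguru.com:2087` could then present their own certificate and read the root credential. Drop `-k`; if the host serves a self-signed certificate, pin it with `--cacert <file>` or `--pinnedpubkey` instead, and record which in the `notes`. Two smaller points: every listed use (`dumpzone`, `addzonerecord`, `editzonerecord`, `removezonerecord`, `synczone`) is DNS, so a second token restricted to the DNS ACLs would shrink the blast radius of the one that leaks, and the entry should note when `ClaudeTools` was issued so it can be rotated on a schedule; and the "Token location" line has its two code spans run together (`...ix-server.sops.yaml``credentials.whm-api-token`), which renders as one mangled span.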