diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index 67c7de7..93d3a36 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -31,7 +31,15 @@ production, data-loss. Detail: EXTENDED + `.claude/OLLAMA.md`. ## Key rules (always) - **NO EMOJIS.** Use ASCII markers: `[OK]` `[ERROR]` `[WARNING]` `[INFO]` `[CRITICAL]`. -- **No hardcoded credentials.** SOPS vault: `bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field ` (1Password fallback). Never commit plaintext secrets (the pre-commit `harness-guard.sh` warns). +- **Credentials — capture, vault, document (ALWAYS).** ANY credential that surfaces in a + session — one the user pastes, one you create/rotate, one you discover in a log/config — you + MUST immediately store it in the SOPS vault **via the `vault` skill** (the canonical path — + this is why the vault exists; do not improvise raw `sops`/`vault.sh`) AND document it + thoroughly in the entry: what it is, what it's for, and exactly how it's used (auth method, + endpoint, gotchas). Read with the skill too; `vault.sh get-field ` is the + underlying read (1Password fallback). Never commit plaintext secrets (pre-commit + `harness-guard.sh` warns). Losing/forgetting infra credentials wastes real time — capturing + them is not optional. - **SSH:** system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`), never Git-for-Windows SSH. - **Data integrity:** never placeholder/fake data — check vault, wiki, or ask. - **Hard-to-reverse or outward-facing actions:** confirm first (per-action, per-session). diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 019740a..e63186a 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -134,3 +134,5 @@ - [Beast = primary GuruRMM Windows build host](gururmm-beast-windows-build-host.md) — GURU-BEAST-ROG (i9), reached from .30 via Tailscale-on-.30 at 100.101.122.4 as guru; Pluto is the fallback (`attempt_build beast || attempt_build pluto`). WiX must be 4.x (v6+ = OSMF); Beast NuGet needed nuget.org added - [GuruRMM command_type gotcha](reference_gururmm_command_type.md) — only shell/powershell/python/script/claude_task (+cmd alias); unknown type silently dropped, looks like a black-hole - [GuruRMM log analysis -> Claude Haiku](gururmm-log-analysis-claude-cutover.md) — cut over from Ollama-on-Beast (timed out on fleet-sized prompts; "unreachable" was a mislabeled 120s timeout) to Anthropic API Haiku 4.5 w/ structured outputs; key at vault `projects/gururmm/anthropic-api`; ZDR pending; deploy needs root on .30 (.env + restart) +- [IX WHM API access = 'ClaudeTools' token, not password](ix-whm-dns-api-access.md) — IX cPanel/WHM (ix.azcomputerguru.com:2087) DNS + all API work uses the FULL-ACCESS-root WHM API token at vault `infrastructure/ix-server` `credentials.whm-api-token` via header `Authorization: whm root:` (force curl -4). Password basic-auth on legacy json-api now 403s. Public NS ns1/ns2.acghosting.com = 52.52.94.202. +- [Vault EVERY credential surfaced in-session](feedback-vault-every-credential.md) — any cred (pasted/created/discovered) -> store via the vault skill + document purpose & exact usage immediately; it's a standing job rule (reinforced in CORE CLAUDE.md). Lost IX creds wasted ~1h on 2026-06-12. diff --git a/.claude/memory/feedback-vault-every-credential.md b/.claude/memory/feedback-vault-every-credential.md new file mode 100644 index 0000000..f4eb65b --- /dev/null +++ b/.claude/memory/feedback-vault-every-credential.md 
@@ -0,0 +1,29 @@ +--- +name: feedback-vault-every-credential +description: ANY credential surfaced in a session must be vaulted via the vault skill AND thoroughly documented — immediately +metadata: + type: feedback +--- + +When ANY credential appears in a session — the user pastes one, you create/rotate one, or you +discover one in a log/config — **immediately store it in the SOPS vault via the `vault` skill +and document it thoroughly** (what it is, what it's for, how it's used: auth method, endpoint, +gotchas). This is a standing job requirement, not a per-task ask — it is literally why the vault +exists. + +**Why:** Mike (2026-06-12) was "highly irritated" after ~an hour was wasted because the IX WHM +access method had been lost/forgotten and I fell back to a password method that no longer works. +The original rule ("recognize any credential in-session, vault it, document what it's for and how +it's used") had drifted out of the always-loaded instructions. + +**How to apply:** +- Use the **`vault` skill** (`vault-helper.sh new`/`set`, `vault.sh get`/`get-field`) — the + canonical path. Do NOT improvise raw `sops`/`vault.sh` with hand-built paths. (Exception: the + helper only writes under `credentials:`; a top-level metadata `notes` edit still needs `sops + --set` — but the secret itself always goes through the skill.) +- Document in the entry's `notes`: purpose + exact usage (e.g. header vs basic-auth, endpoint, + "force curl -4", what does NOT work and why). Future me reads this instead of re-deriving. +- Finish the job: store -> `verify` encrypted -> publish (sync/commit). Never paste the secret + into chat/commit/coord. +- Now reinforced in CORE `.claude/CLAUDE.md` "Key rules". See [[ix-whm-dns-api-access]] for the + concrete case that triggered this. diff --git a/.claude/memory/ix-whm-dns-api-access.md b/.claude/memory/ix-whm-dns-api-access.md new file mode 100644 index 0000000..1e31cb6 --- /dev/null +++ b/.claude/memory/ix-whm-dns-api-access.md 
@@ -0,0 +1,33 @@ +--- +name: ix-whm-dns-api-access +description: IX cPanel/WHM API access uses the FULL-ACCESS-root 'ClaudeTools' API token (header auth), NOT the root password +metadata: + type: reference +--- + +All WHM API work on **IX** (`ix.azcomputerguru.com:2087`, the primary cPanel/WHM box, +public NS `ns1/ns2.acghosting.com` = `52.52.94.202`) — DNS zone edits and everything else — +authenticates with the **WHM API token** named **`ClaudeTools`**, used as a header, NOT the +root password. The token is **FULL-ACCESS ROOT** (capable of ALL WHM API actions, not +DNS-scoped) — treat it as a root credential. + +**Working method:** +``` +curl -4 -sk "https://ix.azcomputerguru.com:2087/json-api/?api.version=1&..." \ + -H "Authorization: whm root:$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/ix-server.sops.yaml credentials.whm-api-token)" +``` + +**Why (the trap that burned ~an hour on 2026-06-12):** the legacy `/json-api/` path with +**basic-auth password** (`-u root:`) now returns `HTTP 403 Forbidden Access +denied` (a `cpanelresult` JSON, denied **pre-auth** — bad creds give the same 403). It is +NOT cPHulk (disabled) and NOT an Imunify IP block (the WHM login page `/:2087/` returns 200 +from the same IP; whitelisting the IP does nothing). cpsrvd/Imunify simply rejects +password-based scripted `json-api` access; the API token is the supported client. + +**Token location:** vault `infrastructure/ix-server.sops.yaml` → `credentials.whm-api-token` +(also documented in that entry's plaintext `notes`). `credentials.password` is still the +real root password but DOES NOT work for the API — leave it for SSH/console only. + +Common funcs: `dumpzone` (read), `addzonerecord` / `editzonerecord` / `removezonerecord` +(write; cPanel auto-bumps SOA serial + cluster-syncs to the public NS), `synczone` +(force cluster push). Force IPv4 (`curl -4`) for a stable egress IP. Related: [[neptune-exchange-mail-hosting]].
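Review bot: in the `.claude/CLAUDE.md` hunk the read example `vault.sh get-field ` has lost its argument placeholder (both the removed line and the added line end at `get-field ` with nothing after it, most likely an angle-bracket placeholder eaten by rendering); spell it as `get-field ENTRY.sops.yaml FIELD` or similar so the always-loaded rule actually shows a usable invocation. The new rule also says "do not improvise raw `sops`/`vault.sh`" while the same commit's `feedback-vault-every-credential.md` admits the helper only writes under `credentials:` and a `notes` edit still needs `sops --set`; state that exception here too, otherwise the key rule contradicts the procedure it points to. Finally, a credential "discovered in a log/config" is by definition already exposed outside the vault: the rule should say to flag it for rotation, not only to store it.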
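Review bot: the `.claude/memory/MEMORY.md` index line shows the header as `Authorization: whm root:` with nothing after the colon, so the token placeholder was lost the same way as in CLAUDE.md; write it as `whm root:TOKEN`. The vault path is also written two ways in this commit, `infrastructure/ix-server` here and `infrastructure/ix-server.sops.yaml` in `ix-whm-dns-api-access.md`; pick the form that `vault.sh get-field` actually accepts so the index line is copy-pasteable.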
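Review bot: in `feedback-vault-every-credential.md`, the "Document in the entry's `notes`" step should say explicitly that `notes` is plaintext (the sibling `ix-whm-dns-api-access.md` calls it "plaintext `notes`") and therefore must describe usage but never contain the value, a fragment of it, or anything that reconstructs it; as written, "exact usage" invites pasting a working command with the token in it, and that field is what gets published by the sync/commit step. The "store -> `verify` encrypted -> publish" step names `verify` without saying which tool provides it (vault-helper, vault.sh, or a manual `sops -d` check); name the command so the check is actually performed rather than assumed.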
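Review bot: the working-method curl in `ix-whm-dns-api-access.md` uses `-k`, which disables certificate verification while sending a FULL-ACCESS root WHM token; anyone who can answer for `ix.azcomputerguru.com:2087` on the path (DNS, Tailscale, a hostile network) receives root on the box. If the WHM certificate is self-signed, pin it with `--cacert` instead of `-k`. Second, `-H "Authorization: whm root:$(... vault.sh get-field ...)"` puts the token on the curl command line, visible to `ps` on the host and written to shell history; put the header in a 0600 file and use `-H @file`. Third, the file itself notes the token is "FULL-ACCESS ROOT ... not DNS-scoped"; since WHM tokens can be created with restricted privileges, a DNS-only token for the zone functions listed at the end (`dumpzone`, `addzonerecord`, `editzonerecord`, `removezonerecord`, `synczone`) would bound the blast radius of the exposure above, with the root-level token reserved for the rare actions that need it. Finally, the "Why" section presents "cpsrvd/Imunify simply rejects password-based scripted json-api access" as the cause, but the evidence given (403 pre-auth, same response for bad creds, login page 200 from the same IP) only rules out cPHulk and an IP block; mark the cause as unconfirmed or cite the cpsrvd/access log line that establishes it, so the next reader does not build on a guess.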