sync: auto-sync from GURU-KALI at 2026-05-24 10:16:39

Author: Mike Swanson Machine: GURU-KALI Timestamp: 2026-05-24 10:16:39
2026-05-24 10:16:39 -07:00
parent 54a5d23ad3
commit 9c41e82dae
1 changed files with 110 additions and 0 deletions
--- a/session-logs/2026-05-24-session.md
+++ b/session-logs/2026-05-24-session.md
@@ -222,3 +222,113 @@ Key log lines:
 - Coord lock used: `425f588c-b41d-4d5f-a926-60d3e342c416` (released)
 - Machine doc: `.claude/machines/guru-kali.md`; onboarding: `.claude/machines/LINUX_PC_ONBOARDING.md`
 - Standards referenced: `.claude/CODING_GUIDELINES.md`, `.claude/standards/gururmm/{platform-parity,build-pipeline,sqlx-migrations}.md`
 ---
 ## Update: 10:15 MST — Phase 4 IPC hardening, PRs merged, follow-up issues, update watch
 ### Session Summary
 Merged the Linux-tray PR (#13) to `main`, then implemented and merged Phase 4 of the
 agent IPC (the H2 hardening follow-up from #13's review), opened tracking issues for
 the remaining gaps, and set up a watcher to confirm GURU-KALI auto-updates once the
 build pipeline publishes the new agent.
 PR #13 was merged via the internal Gitea API (merge commit `2857559`, then a CI
 `auto-bump versions` commit `9e7977c`). The local `gururmm` clone was fast-forwarded to
 the merged main, which also brought in unrelated landed work: `server/migrations/042_agent_events.sql`,
 `server/src/db/events.rs`, and an `AppState.log_sender_watch` field.
 Phase 4 was implemented by a Coding Agent (opus): peer-credential authorization on the
 0666 Unix socket (deny-by-default), real `ForceCheckin`/`StopAgent` wiring, and a tray
 GTK confirmation dialog. Code Review (opus) returned APPROVE WITH NITS, no blockers;
 the deny-by-default authz was verified sound across all paths. A follow-up fix pass
 addressed the two MEDIUMs (StopAgent on non-systemd installs; stale force_checkin Notify
 permit) and LOW-2 (macOS `admin` group). The change shipped as PR #14 and was merged
 (merge `b0e8ad9`, CI bump `bb3e8c0`).
 Five tracking issues were opened for the non-blocking follow-ups. Then, because the
 agent updater is server-push (not poll-based) and SSH to the build server is unavailable
 from GURU-KALI, a background watcher was started that polls the published-downloads
 endpoint for a version > 0.6.29 and GURU-KALI's running version, to confirm the
 pipeline publish + subsequent auto-update. As of this save the pipeline had not yet
 published the post-merge version (still 0.6.29); the watcher continues, and the user
 asked to be pinged (push notification) on publish.
 ### Key Decisions
 - **Merged both PRs to main** (user-authorized) despite the earlier branch+PR caution —
  each merge triggers the webhook build + stable-channel fleet auto-update.
 - **Differentiated IPC authz model** (user choice): ForceCheckin = active session-user
  uid or root; StopAgent = root or `sudo`/`wheel`/`admin` group AND policy
  `allow_stop_agent`; read-only requests ungated. Order: policy gate first, then peer-cred.
 - **force_checkin Notify wired into the WS task** (transport/websocket.rs), not the
  collect-only loop in main.rs — `notify_one()` wakes one waiter, so two waiters would
  race/steal the wakeup. Drained at WS task start to avoid a stale permit firing a
  spurious send on reconnect.
 - **StopAgent self-exits on non-systemd installs** (Unraid/Synology cron/nohup path)
  where `systemctl stop` is a no-op — detected via existing `has_systemd()`.
 - **Opened issues rather than expanding the PRs** for Windows peer authz, logind
  console-user resolution, macOS completion, pipeline tray build, and subscriber broadcast.
 ### Problems Encountered
 - **`AppState` drift on merged main** — main gained `log_sender_watch`; the Coding Agent
  added it (and `force_checkin`) to BOTH main.rs and service.rs, also fixing a pre-existing
  Windows-only build break where service.rs was missing `log_sender_watch`.
 - **`systemctl stop` no-op on non-systemd installs** (review MEDIUM-2) — fixed with a
  `has_systemd()` branch that self-exits otherwise.
 - **Stale force_checkin permit** (review MEDIUM-1) — drained once at WS task start via a
  `biased` select against `std::future::ready(())`.
 - **No SSH to build server** (`guru@172.16.3.30` Permission denied, publickey) — can't
  read `/var/log/gururmm-build.log`; watching the published-downloads endpoint instead.
 - **Vault field path** — token is at `credentials.api.api-token` (not `api.api-token`);
  the Gitea Agent corrected the lookup.
 - **`pkill` aborting compound bash commands** (exit 144) — re-ran the affected steps
  individually; wrote the watcher script via the Write tool after a heredoc was truncated.
 ### Configuration Changes (this update)
 GuruRMM (`/home/guru/gururmm`), Phase 4 — merged via PR #14:
 - `agent/src/ipc.rs` — `PeerIdentity`, peer_cred() at accept, authz helpers
  (`authorize_force_checkin`, `authorize_stop_agent`, `active_session_uid`,
  `uid_in_admin_group`), real `spawn_service_stop`, Denied responses.
 - `agent/src/main.rs` — `AppState.force_checkin: Arc<Notify>`; `has_systemd()` made `pub(crate)`.
 - `agent/src/metrics/mod.rs` — `logged_in_username()` associated fn.
 - `agent/src/service.rs` — mirrored `force_checkin` + `log_sender_watch` in the Windows AppState.
 - `agent/src/transport/websocket.rs` — metrics task selects on force_checkin Notify; drains stale permit at start.
 - `tray/src/tray.rs` — GTK Yes/No confirm before StopAgent (Linux).
 Local (not in repo): background watcher scripts `/tmp/gururmm-watch-publish.sh`,
 log `/tmp/gururmm-watch.log`.
 ### Commands & Outputs (this update)
 ```bash
 # current vs published agent version
 sudo /usr/local/bin/gururmm-agent --version            # gururmm-agent 0.6.29
 curl -s https://rmm.azcomputerguru.com/downloads/ | grep -oiE 'gururmm-agent-linux[^"<> ]*'
 # -> gururmm-agent-linux-amd64-0.6.29 (+ .sha256, -latest)  [no newer version yet]
 # live running version via IPC socket (no need to spawn the binary)
 echo '{"type":"get_status"}' | socat - UNIX-CONNECT:/var/run/gururmm/agent.sock | grep agent_version
 ssh guru@172.16.3.30   # -> Permission denied (publickey,password) — no build-log access
 ```
 ### Pending / Incomplete Tasks (this update)
 - **Watching for pipeline publish + GURU-KALI auto-update** — watcher running; ping user
  (push notification) on publish. If published version moves but the agent doesn't update,
  auto-update is disabled/manual (needs dashboard or `POST /agents/{id}/update`).
 - Follow-up issues open: #15 (pipeline tray build), #16 (Windows peer authz), #17 (logind
  console user), #18 (macOS tray), #19 (subscriber broadcast).
 - GURU-KALI still on local dev binaries until the pipeline build deploys.
 ### Reference Information (this update)
 - PR #13 merged: merge `2857559`, CI bump `9e7977c`.
 - PR #14 merged: https://git.azcomputerguru.com/azcomputerguru/gururmm/pulls/14 — merge `b0e8ad9`, CI bump `bb3e8c0`.
 - Issues #15-#19: https://git.azcomputerguru.com/azcomputerguru/gururmm/issues/15 .. /19
 - Phase 4 commit: `7a4e745`. Coord lock used + released: `3116d737`.
 - Published downloads: https://rmm.azcomputerguru.com/downloads/ (poll target). Build server `172.16.3.30` (no SSH from GURU-KALI).