Session log: GuruRMM audit, installer system, infrastructure fixes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 13:58:45 -07:00
parent a47a97219c
commit af71d317b0
10 changed files with 286 additions and 27 deletions
--- a/projects/gururmm-agent/scripts/check_record_counts.py
+++ b/projects/gururmm-agent/scripts/check_record_counts.py
@@ -4,9 +4,11 @@ Check record counts in all ClaudeTools database tables
 """
 import sys
 from sqlalchemy import create_engine, text, inspect
+from vault_utils import vault_get

-# Database connection
-DATABASE_URL = "mysql+pymysql://claudetools:CT_e8fcd5a3952030a79ed6debae6c954ed@172.16.3.30:3306/claudetools?charset=utf8mb4"
+# Database connection - credentials from SOPS vault
+_db_password = vault_get("projects/claudetools/database.sops.yaml", "credentials.password")
+DATABASE_URL = f"mysql+pymysql://claudetools:{_db_password}@172.16.3.30:3306/claudetools?charset=utf8mb4"

 def get_table_counts():
    """Get row counts for all tables"""
--- a/projects/gururmm-agent/scripts/create_jwt_token.py
+++ b/projects/gururmm-agent/scripts/create_jwt_token.py
@@ -4,10 +4,10 @@ Create a JWT token for ClaudeTools API access
 """
 import jwt
 from datetime import datetime, timedelta, timezone
+from vault_utils import vault_get

-# Get the JWT secret from the RMM server's .env file
-# This should match what's in /opt/claudetools/.env on 172.16.3.30
-JWT_SECRET = "NdwgH6jsGR1WfPdUwR3u9i1NwNx3QthhLHBsRCfFxcg="
+# Get the JWT secret from the SOPS vault
+JWT_SECRET = vault_get("projects/claudetools/api-auth.sops.yaml", "credentials.credential")

 # Create token data
 data = {
--- a/projects/gururmm-agent/scripts/test_gururmm_api.py
+++ b/projects/gururmm-agent/scripts/test_gururmm_api.py
@@ -8,11 +8,12 @@ Tests the newly created admin user credentials and verifies API access.
 import requests
 import json
 from datetime import datetime
+from vault_utils import vault_get

-# Configuration
+# Configuration - credentials from SOPS vault
 API_BASE_URL = "http://172.16.3.30:3001"
-EMAIL = "claude-api@azcomputerguru.com"
-PASSWORD = "ClaudeAPI2026!@#"
+EMAIL = vault_get("infrastructure/gururmm-server.sops.yaml", "credentials.gururmm-api.admin-email")
+PASSWORD = vault_get("infrastructure/gururmm-server.sops.yaml", "credentials.gururmm-api.admin-password")

 def print_header(title):
    """Print a formatted header."""
@@ -133,7 +134,7 @@ def main():
    print_header("All Tests Passed!")
    print("API Credentials:")
    print(f"  Email: {EMAIL}")
-    print(f"  Password: {PASSWORD}")
+    print(f"  Password: ********** (from vault)")
    print(f"  Base URL: {API_BASE_URL}")
    print(f"  Production URL: https://rmm-api.azcomputerguru.com")
    print("\nStatus: READY FOR INTEGRATION")
--- a/projects/gururmm-agent/scripts/vault_utils.py
+++ b/projects/gururmm-agent/scripts/vault_utils.py
@@ -0,0 +1,34 @@
+"""
+Shared SOPS vault credential retrieval utility.
+
+Usage:
+    from vault_utils import vault_get
+
+    password = vault_get("projects/claudetools/database.sops.yaml", "credentials.password")
+"""
+import subprocess
+
+
+VAULT_SCRIPT = "D:/vault/scripts/vault.sh"
+
+
+def vault_get(path, field):
+    """Get a credential from the SOPS vault.
+
+    Args:
+        path: Vault entry path (e.g. "projects/claudetools/database.sops.yaml")
+        field: Dot-separated field path (e.g. "credentials.password")
+
+    Returns:
+        The decrypted field value as a string.
+
+    Raises:
+        RuntimeError: If the vault command fails.
+    """
+    result = subprocess.run(
+        ["bash", VAULT_SCRIPT, "get-field", path, field],
+        capture_output=True, text=True
+    )
+    if result.returncode != 0:
+        raise RuntimeError(f"Failed to get {field} from vault: {result.stderr.strip()}")
+    return result.stdout.strip()