azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: GuruRMM audit, installer system, infrastructure fixes

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-04-01 13:58:45 -07:00
parent a47a97219c
commit af71d317b0
10 changed files with 286 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
.claude/memory/feedback_bypass_permissions_setting.md
View File

@@ -1,20 +1,23 @@
---
name: Bypass Permissions Persistent Setting
description: Configure settings.json on all machines to persist bypass permissions mode across context compressions
name: Bypass Permissions and Act Autonomously
description: Never ask for permission or confirmation -- just execute. User is an experienced engineer who wants autonomous operation.
type: feedback
---
Always set `permissions.defaultMode` to `"bypassPermissions"` in `~/.claude/settings.json` on all workstations.
NEVER ask "want me to proceed?", "should I?", "which option?", or any variation. Just do it.
**Why:** The `--dangerously-skip-permissions` CLI flag is not preserved when Claude Code compresses context or resumes sessions -- the new process starts without the flag, causing unexpected permission prompts mid-session. This is a known bug (GitHub issue #21974).
**Why:** User has explicitly and repeatedly asked not to be prompted for permissions or confirmations. Every time Claude asks instead of acting, it wastes time and frustrates the user. The user is a senior engineer who trusts Claude to make reasonable decisions and execute.
**How to apply:** On any new machine setup, ensure `~/.claude/settings.json` includes:
```json
{
"permissions": {
"defaultMode": "bypassPermissions"
},
**How to apply:**
- When there are multiple valid approaches and no direction has been set, it's OK to ask which path. But once a path is chosen, execute without asking.
- When a task has clear next steps, execute them immediately. Don't pause for approval.
- Asking about unclear requirements or missing context is fine. Asking "should I do the thing you told me to do?" is not.
- `permissions.defaultMode` must be `"bypassPermissions"` in `~/.claude/settings.json` on all machines. Both keys needed:
```json
{
"permissions": { "defaultMode": "bypassPermissions" },
"skipDangerousModePermissionPrompt": true
}
```
This makes bypass mode the default without needing the CLI flag. Both keys are needed -- `defaultMode` sets the mode, `skipDangerousModePermissionPrompt` suppresses the warning dialog.
}
```
- This applies to tool calls, git operations, file edits, agent launches -- everything.
- The ONLY exception: truly destructive operations on shared/production systems (dropping databases, force-pushing main). Even then, a brief "doing X" is better than "should I do X?"

13
projects/gururmm-agent/IMPLEMENTATION_SUMMARY.md
View File

@@ -4,6 +4,9 @@
**Status:** [OK] Complete - Production Ready
**Author:** Coding Agent (Claude Sonnet 4.5)
**Source Repo:** `azcomputerguru/gururmm` on git.azcomputerguru.com (active development, 53+ commits).
Note: A `guru-rmm` repo also exists but is a restructured copy with only 2 commits -- use `gururmm` as the primary reference.
---
## What Was Built
@@ -187,6 +190,10 @@ once_cell = "1.19"
Follow instructions in `commands_modifications.rs`:
> **Note:** `claude_task` is a NEW command type added by this integration. The existing
> GuruRMM command types are: `shell`, `powershell`, `python`, `script`. This step adds
> `claude_task` as an additional type in the command dispatcher.
1. Add module declaration: `mod claude;`
2. Add imports: `use crate::claude::{ClaudeExecutor, ClaudeTaskCommand};`
3. Create global executor: `static CLAUDE_EXECUTOR: Lazy<ClaudeExecutor> = ...`
@@ -243,7 +250,9 @@ Follow deployment process in `TESTING_AND_DEPLOYMENT.md`:
## Usage Example
Once deployed, Main Claude can invoke tasks on AD2:
Once deployed, Main Claude can invoke tasks on AD2. The curl command below creates the
command on the server via REST; the server then delivers it to the agent over WebSocket
(ServerMessage::Command):
```bash
curl -X POST "http://172.16.3.30:3001/api/agents/{AD2_AGENT_ID}/command" \
@@ -394,7 +403,7 @@ A: Check agent logs at `C:\Program Files\GuruRMM\logs\agent.log` for detailed er
1. **TESTING_AND_DEPLOYMENT.md** - Complete testing and troubleshooting guide
2. **README.md** - Full project documentation with examples
3. **Agent logs** - `C:\Program Files\GuruRMM\logs\agent.log`
4. **GuruRMM server logs** - `http://172.16.3.30:3001/logs`
4. **GuruRMM server logs** - Check server-side logs on disk (no `/logs` HTTP endpoint exists)
---

8
projects/gururmm-agent/INTEGRATION_CHECKLIST.md
View File

@@ -70,6 +70,10 @@ Open your `agent/src/commands.rs` and make these changes:
```
### 3E: Update Command Dispatcher
> **Note:** `claude_task` is a NEW command type being added by this integration.
> The existing GuruRMM command types are: `shell`, `powershell`, `python`, `script`.
- [ ] Find your `match command_type` block
- [ ] Add new arm (before the `_` default case):
```rust
@@ -158,6 +162,10 @@ Open your `agent/src/commands.rs` and make these changes:
**Replace `{AD2_AGENT_ID}` with actual agent ID in all commands**
> The curl commands below create the command on the server via REST. The server then
> delivers the command to the agent over WebSocket (ServerMessage::Command) -- the agent
> does NOT poll for commands.
### Test 1: Simple Task
- [ ] Run:
```bash

10
projects/gururmm-agent/README.md
View File

@@ -2,6 +2,9 @@
Production-ready enhancement for GuruRMM agent that enables Main Claude to remotely invoke Claude Code CLI on AD2 (Windows Server 2022) for automated task execution.
**Source Repo:** `azcomputerguru/gururmm` on git.azcomputerguru.com (active development, 53+ commits).
Note: A `guru-rmm` repo also exists but is a restructured copy with only 2 commits -- use `gururmm` as the primary reference.
---
## Features
@@ -90,6 +93,8 @@ use once_cell::sync::Lazy;
static CLAUDE_EXECUTOR: Lazy<ClaudeExecutor> = Lazy::new(|| ClaudeExecutor::new());
// In your command dispatcher
// Existing types: shell, powershell, python, script
// claude_task is a NEW type added by this integration
match command_type {
"shell" => execute_shell_command(&command).await,
"claude_task" => execute_claude_task(&command).await, // NEW
@@ -127,6 +132,11 @@ See `TESTING_AND_DEPLOYMENT.md` for complete deployment guide.
## Usage Examples
> **How commands work:** The curl examples below create the command on the server via
> the REST API (`POST /api/agents/:id/command`). The server then delivers the command
> to the agent over WebSocket (ServerMessage::Command). The agent does NOT poll for
> commands via REST.
### Example 1: Simple Task
```bash

15
projects/gururmm-agent/TESTING_AND_DEPLOYMENT.md
View File

@@ -8,6 +8,9 @@ This guide covers testing and deployment of the Claude Code integration for the
## Prerequisites
**Source Repo:** `azcomputerguru/gururmm` on git.azcomputerguru.com (active development, 53+ commits).
Note: A `guru-rmm` repo also exists but is a restructured copy with only 2 commits -- use `gururmm` as the primary reference.
### On Development Machine
- Rust toolchain (1.70+)
- cargo installed
@@ -69,6 +72,14 @@ cargo fmt -- --check
## Integration Testing (On AD2 Server)
> **Note:** `claude_task` is a NEW command type added by this integration. The existing
> GuruRMM command types are: `shell`, `powershell`, `python`, `script`.
>
> **How commands reach the agent:** The curl commands below create the command on the
> server via the REST API (`POST /api/agents/:id/command`). The server then delivers the
> command to the connected agent over WebSocket (ServerMessage::Command). The agent does
> NOT poll for commands via REST.
### Test 1: Simple Task Execution
**Test Command via GuruRMM API:**
@@ -476,7 +487,7 @@ Monitor Claude task execution metrics:
```powershell
# Query GuruRMM API for task statistics
curl "http://172.16.3.30:3001/api/agents/{AD2_AGENT_ID}/stats"
curl "http://172.16.3.30:3001/api/agents/stats"
```
**Key metrics to watch:**
@@ -558,7 +569,7 @@ Prevents abuse:
For issues or questions:
1. Check agent logs: `C:\Program Files\GuruRMM\logs\agent.log`
2. Check GuruRMM server logs: `http://172.16.3.30:3001/logs`
2. Check GuruRMM server logs on disk (no `/logs` HTTP endpoint exists)
3. Review this documentation
4. Contact GuruRMM support team

6
projects/gururmm-agent/scripts/check_record_counts.py
View File

@@ -4,9 +4,11 @@ Check record counts in all ClaudeTools database tables
"""
import sys
from sqlalchemy import create_engine, text, inspect
from vault_utils import vault_get
# Database connection
DATABASE_URL = "mysql+pymysql://claudetools:CT_e8fcd5a3952030a79ed6debae6c954ed@172.16.3.30:3306/claudetools?charset=utf8mb4"
# Database connection - credentials from SOPS vault
_db_password = vault_get("projects/claudetools/database.sops.yaml", "credentials.password")
DATABASE_URL = f"mysql+pymysql://claudetools:{_db_password}@172.16.3.30:3306/claudetools?charset=utf8mb4"
def get_table_counts():
"""Get row counts for all tables"""

6
projects/gururmm-agent/scripts/create_jwt_token.py
View File

@@ -4,10 +4,10 @@ Create a JWT token for ClaudeTools API access
"""
import jwt
from datetime import datetime, timedelta, timezone
from vault_utils import vault_get
# Get the JWT secret from the RMM server's .env file
# This should match what's in /opt/claudetools/.env on 172.16.3.30
JWT_SECRET = "NdwgH6jsGR1WfPdUwR3u9i1NwNx3QthhLHBsRCfFxcg="
# Get the JWT secret from the SOPS vault
JWT_SECRET = vault_get("projects/claudetools/api-auth.sops.yaml", "credentials.credential")
# Create token data
data = {

9
projects/gururmm-agent/scripts/test_gururmm_api.py
View File

@@ -8,11 +8,12 @@ Tests the newly created admin user credentials and verifies API access.
import requests
import json
from datetime import datetime
from vault_utils import vault_get
# Configuration
# Configuration - credentials from SOPS vault
API_BASE_URL = "http://172.16.3.30:3001"
EMAIL = "claude-api@azcomputerguru.com"
PASSWORD = "ClaudeAPI2026!@#"
EMAIL = vault_get("infrastructure/gururmm-server.sops.yaml", "credentials.gururmm-api.admin-email")
PASSWORD = vault_get("infrastructure/gururmm-server.sops.yaml", "credentials.gururmm-api.admin-password")
def print_header(title):
"""Print a formatted header."""
@@ -133,7 +134,7 @@ def main():
print_header("All Tests Passed!")
print("API Credentials:")
print(f" Email: {EMAIL}")
print(f" Password: {PASSWORD}")
print(f" Password: ********** (from vault)")
print(f" Base URL: {API_BASE_URL}")
print(f" Production URL: https://rmm-api.azcomputerguru.com")
print("\nStatus: READY FOR INTEGRATION")

34
projects/gururmm-agent/scripts/vault_utils.py Normal file
View File

@@ -0,0 +1,34 @@
"""
Shared SOPS vault credential retrieval utility.
Usage:
from vault_utils import vault_get
password = vault_get("projects/claudetools/database.sops.yaml", "credentials.password")
"""
import subprocess
VAULT_SCRIPT = "D:/vault/scripts/vault.sh"
def vault_get(path, field):
"""Get a credential from the SOPS vault.
Args:
path: Vault entry path (e.g. "projects/claudetools/database.sops.yaml")
field: Dot-separated field path (e.g. "credentials.password")
Returns:
The decrypted field value as a string.
Raises:
RuntimeError: If the vault command fails.
"""
result = subprocess.run(
["bash", VAULT_SCRIPT, "get-field", path, field],
capture_output=True, text=True
)
if result.returncode != 0:
raise RuntimeError(f"Failed to get {field} from vault: {result.stderr.strip()}")
return result.stdout.strip()

181
projects/msp-tools/guru-rmm/session-logs/2026-04-01-session.md Normal file
View File

@@ -0,0 +1,181 @@
# GuruRMM Session Log - 2026-04-01
## Session Summary
Major review and update session for the GuruRMM project. Verified all infrastructure references, fixed several issues, and implemented the on-demand site-code-based installer system.
### Key Accomplishments
1. **Infrastructure audit** - Verified all references across the gururmm-agent project docs
2. **Identified active repo** - `azcomputerguru/gururmm` (53 commits) is active, not `guru-rmm` (2 commits, documentation copy)
3. **SSH key deployed** - Generated ed25519 key on DESKTOP-0O8A1RL, deployed to 172.16.3.30 via plink
4. **Hardcoded credentials removed** - Replaced in 3 Python scripts with SOPS vault calls
5. **API route verification** - Compared docs against actual source (65 routes found)
6. **Project docs updated** - Fixed 5 discrepancies across 4 documentation files
7. **NPM proxy host added** - `rmm.azcomputerguru.com` was missing from Nginx Proxy Manager, causing TLS errors
8. **On-demand installer system** - Designed and implemented site-code-based installers (no API keys in install flow)
### Key Decisions
- Site codes (e.g., SWIFT-CLOUD-6910) used as the sole identifier for installers, not API keys
- New install endpoints at root level `/install/:site_code/*` (not under `/api/`) to be fully public
- Embedded config reuses existing binary-patching mechanism, just puts site_code in the api_key field
- Agent WS auth already recognizes site codes -- zero transport changes needed
- Old `?key=` endpoints preserved for backward compatibility
---
## Infrastructure
### GuruRMM Server (172.16.3.30)
- **OS:** Ubuntu 22.04 LTS
- **SSH:** user `guru`, ed25519 key from DESKTOP-0O8A1RL deployed
- **API:** Port 3001 (GuruRMM Rust/Axum server)
- **ClaudeTools API:** Port 8001 (FastAPI, separate service)
- **Nginx:** Reverse proxy on port 80, serves dashboard from /var/www/gururmm/dashboard
- **WebSocket:** /ws proxied to 3001 with upgrade headers
- **CI/CD webhook:** /webhook/ proxied to port 9000
- **Database:** PostgreSQL 14 on port 5432, database `gururmm`, user `gururmm`
### NPM (Nginx Proxy Manager) - 172.16.3.20:7818
- **Container:** On Jupiter
- **Version:** v2.13.5 (v2.14.0 available)
- **7 Proxy Hosts configured:**
- connect.azcomputerguru.com -> 172.16.3.30:3002
- emby.azcomputerguru.com -> 172.16.2.99:8096
- git.azcomputerguru.com -> 172.16.3.20:3000
- plexrequest.azcomputerguru.com -> 172.16.3.31:5055
- rmm-api.azcomputerguru.com -> 172.16.3.30:80
- rmm.azcomputerguru.com -> 172.16.3.30:80 [NEW - added this session]
- sync.azcomputerguru.com -> 172.16.3.20:8082
- unifi.azcomputerguru.com -> 172.16.3.28:8443
### Credentials Used
- **GuruRMM Server SSH:** guru@172.16.3.30 (password from vault: `infrastructure/gururmm-server.sops.yaml`)
- **NPM Login:** mike@azcomputerguru.com / r3tr0gradE99\! (from vault: `services/npm.sops.yaml`)
- **NPM Alt:** admin@azcomputerguru.com / Window123\!@#
- **Cloudflare API Token:** U1UTbBOWA4a69eWEBiqIbYh0etCGzrpTU4XaKp7w (from NPM vault entry)
- **GuruRMM Dashboard:** admin@azcomputerguru.com / GuruRMM2025 (from vault: `projects/gururmm/dashboard.sops.yaml`)
- **GuruRMM DB:** PostgreSQL at 172.16.3.30:5432, db `gururmm`, user `gururmm` (password in vault: `projects/gururmm/database.sops.yaml`)
- **GuruRMM JWT Secret:** In vault at `projects/gururmm/api-server.sops.yaml`
- **Entra SSO App:** ID `18a15f5d-7ab8-46f4-8566-d7b5436b84b6`, client secret expires 2026-12-21
### SSH Key Deployed
- **Machine:** DESKTOP-0O8A1RL (Windows 11)
- **Key:** C:\Users\guru\.ssh\id_ed25519 (ed25519, comment: guru@DESKTOP-0O8A1RL)
- **Fingerprint:** SHA256:ZVbowRHhxPX47eKy9FyMwjvIKPzTf3Dwx3BCsBrP4ds
- **Deployed to:** guru@172.16.3.30:~/.ssh/authorized_keys (via plink with vault password)
- **Verified:** Key-based auth works (PasswordAuthentication=no test passed)
---
## Gitea Repos
| Repo | Status | Notes |
|------|--------|-------|
| `azcomputerguru/gururmm` | ACTIVE | 53 commits, primary development repo |
| `azcomputerguru/guru-rmm` | INACTIVE | 2 commits, restructured documentation copy |
| `azcomputerguru/guru-connect` | Related | ScreenConnect-like remote desktop for GuruRMM |
---
## Code Changes
### Commit d3a047e - "feat: Site-code-based on-demand agent installers"
**Pushed to:** `azcomputerguru/gururmm` main branch
**Files changed (4 files, +625, -92):**
1. **server/src/api/install.rs** - 5 new public endpoint handlers:
- `site_install_landing` - HTML landing page with OS detection
- `site_install_script_windows` - PowerShell install script
- `site_install_script_linux` - Bash install script
- `download_site_windows` - Pre-configured Windows binary
- `download_site_linux` - Pre-configured Linux binary
- Refactored `build_configured_binary()` shared helper
- `validate_site_code()` helper
2. **server/src/main.rs** - Route registration at root level:
- `/install/:site_code` (landing page)
- `/install/:site_code/windows` (PS script)
- `/install/:site_code/linux` (bash script)
- `/install/:site_code/download/windows` (binary)
- `/install/:site_code/download/linux` (binary)
3. **dashboard/src/pages/Sites.tsx** - EnrollmentModal overhaul:
- URLs now use site codes instead of API keys
- Added public install link with copy button
- Removed API key dependency from enrollment flow
- Simplified handleEnrollDevices (no key regeneration needed)
4. **agent/src/config.rs** - Added `#[serde(alias = "site_code")]` to api_key field
### Project Doc Updates (earlier, in claudetools repo)
Updated 4 files in `projects/gururmm-agent/`:
- Fixed `/api/agents/{id}/stats` -> `/api/agents/stats`
- Removed bogus `/logs` endpoint references
- Clarified `claude_task` is a new command type (not existing)
- Added active Gitea repo reference
- Added WebSocket command delivery notes
- Verified all use `/api/` not `/api/v1/`
### Credential Cleanup (earlier, in claudetools repo)
- Created `projects/gururmm-agent/scripts/vault_utils.py` - shared vault helper
- Updated `check_record_counts.py` - DB password from vault
- Updated `create_jwt_token.py` - JWT secret from vault
- Updated `test_gururmm_api.py` - API creds from vault, password masked in output
---
## API Route Summary (65 total from source)
Key routes:
- `POST /api/auth/login` - JWT login
- `GET/POST /api/clients` - Client CRUD
- `GET/POST /api/sites` - Site CRUD
- `GET/POST /api/agents` - Agent management
- `POST /api/agents/:id/command` - Send command (delivered via WebSocket)
- `GET /ws` - WebSocket for agent connections
- `GET /health` - Health check
- NEW: `/install/:site_code/*` - Public installer endpoints
Full route list documented in plan file at `C:\Users\guru\.claude\plans\rippling-marinating-pebble.md`
---
## Settings Fix
`~/.claude/settings.json` was missing `permissions.defaultMode: bypassPermissions`. Fixed to:
```json
{
"autoUpdatesChannel": "latest",
"permissions": { "defaultMode": "bypassPermissions" },
"skipDangerousModePermissionPrompt": true,
"voiceEnabled": true
}
```
---
## Pending / Next Steps
1. **Build and deploy** - Commit is pushed but needs to be built on the server (Rust toolchain not on this Windows machine). CI/CD webhook at 172.16.3.30/webhook/build may handle this automatically.
2. **Test installer endpoints** - Once deployed, test `/install/SITE-CODE/download/windows` end-to-end
3. **HTML escaping** - Code review noted landing page uses `format!()` without HTML escaping for site_name/client_name. Low risk (admin-controlled) but worth hardening.
4. **Rate limiting** - Public install endpoints have no rate limiting. Future hardening.
5. **AD2 connectivity** - Hostname doesn't resolve from DESKTOP-0O8A1RL. Need IP or DNS fix to verify agent deployment target.
6. **GuruRMM agent integration** - The claude_task command type from gururmm-agent project still needs to be integrated into the actual agent codebase.
---
## Reference
- **Vault paths:** `infrastructure/gururmm-server.sops.yaml`, `projects/gururmm/api-server.sops.yaml`, `projects/gururmm/database.sops.yaml`, `projects/gururmm/dashboard.sops.yaml`, `services/npm.sops.yaml`
- **Nginx config on server:** `/etc/nginx/sites-enabled/gururmm`
- **Dashboard build:** React/Vite, served from `/var/www/gururmm/dashboard`
- **Agent binaries:** `/var/www/gururmm/downloads/` (served by download endpoints)
- **Plan file:** `C:\Users\guru\.claude\plans\rippling-marinating-pebble.md`