sync: auto-sync from GURU-5070 at 2026-06-19 08:40:35

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-19 08:40:35

.claude/memory/MEMORY.md

@@ -148,6 +148,7 @@
 - [Autonomy scope](feedback_autonomy_scope.md) — confirm only for client-affecting actions; internal docs/wiki/ClaudeTools = act autonomously
 - [Check for client-slug fragmentation](feedback_client_slug_fragmentation.md) — Before concluding a client has no records, grep broadly (company/owner/initials/hostname/"Last, First") across clients/, wiki/, session-logs/, vault — one client gets split across slug variants (Wolkin was 4: wolkin/wolkin-law/rswolkin/robert-wolkin). Consolidate to one canonical slug; action prior logs' Pending items.
 - [RMM user_session = false SMB failures](feedback_rmm_user_session_smb_false_negative.md) — GuruRMM net use/net view/Add-Printer to a remote \HOST fail with error 67 / RPC 1702 (even with valid creds) because user_session is a WTS-impersonated non-interactive token that can't do authenticated SMB. The share/printer may work fine interactively. Treat RMM SMB results as "can't tell"; verify via ScreenConnect.
+- [Prefer SSH over RMM](feedback_prefer_ssh_over_rmm.md) — when a target has SSH (key auth) and it's easier, drive it via system OpenSSH (scp+ssh) instead of the GuruRMM agent; RMM runs as SYSTEM + is bound by the server-side timeout reaper + forces base64/quoting gymnastics. Reserve RMM as the fallback when SSH/VPN is down.
 - [Broken [[backlinks]] = write-me-later markers](feedback_broken_backlinks_are_writeme_markers.md) — A [[name]] with no matching file is an intentional "worth writing" marker, not breakage. Flesh the missing memory out from session history/logs and index it; never strip the link to silence the warning. memory-dream reports these as INFO candidates, not errors.
 - [gururmm session-logs are in a submodule](gururmm-session-logs-submodule-save.md) — commit in the submodule + `git push origin HEAD:main` (GURU-5070 CAN push over HTTP now); then advance the parent gitlink
 - [Use `python` not `python3` on GURU-5070](python3-shim-use-python.md) — `python3` in Git bash hits the flaky MS Store shim; real interpreters are `python` (3.12) / `py` (3.14). coord.py + wiki-compile work via `python`; the coord lock IS claimable here

.claude/skills/agy/SKILL.md

@@ -1,14 +1,12 @@
 ---
 name: agy
 description: >
-  Route a task to the official Google Gemini CLI for an independent second
+  Route a task to the official Google Gemini CLI for an independent second model — a
-  model — a sibling of the `grok` second-opinion router. Use for: an
+  sibling of the `grok` second-opinion router. Use for a different-vendor SECOND OPINION
-  independent, different-vendor SECOND OPINION or adversarial VERIFICATION of a
+  or adversarial VERIFICATION of a Claude finding/design, a Gemini code REVIEW of files /
-  Claude finding/design before acting on it, a Gemini code REVIEW of a file /
+  a git diff, and one-shot Gemini TEXT answers. Triggers: ask gemini, gemini verify,
-  set of files / git diff, and one-shot Gemini TEXT answers. Invoke on:
+  second opinion from gemini, gemini review, agy ... A second model, NOT a replacement
-  "ask gemini", "gemini verify", "second opinion from gemini", "gemini review",
+  for Claude's own codebase work.
-  "agy ...". Gemini is an independent second model (and Google-ecosystem reach),
-  NOT a replacement for Claude's own codebase work.
 ---
 
 # AGY — Gemini capability router

.claude/skills/b2/SKILL.md

@@ -1,15 +1,12 @@
 ---
 name: b2
 description: >-
-  Manage Arizona Computer Guru's (ACG) Backblaze B2 storage account via the B2
+  Manage ACG's Backblaze B2 storage account (Native API v3) — the LIVE production
-  Native API v3. Talks to the LIVE production B2 account (accountId 46f69bc61163,
+  account (accountId 46f69bc61163, us-west-001) holding per-client MSP360/CloudBerry
-  region us-west-001) that holds the per-client MSP360/CloudBerry backup
+  backup destinations. List buckets/keys/files, compute per-bucket size, run the
-  destinations. List buckets and application keys, list files / file versions,
+  headline storage-cost report (mspbackups calc); provision/delete buckets and scoped
-  compute per-bucket stored size, and produce the headline storage-cost report
+  keys (destructive ops gated behind --confirm). Read-only by default. Triggers:
-  (the mspbackups storage-cost calc). Provision buckets and scoped backup keys
+  backblaze, b2, b2 storage, bucket, storage cost, backup storage, mspbackups storage.
-  and delete buckets/keys (all destructive ops are gated behind --confirm).
-  Read-only by default. Invoke for: "backblaze", "b2", "b2 storage", "bucket",
-  "storage cost", "backup storage", "mspbackups storage", "list buckets b2".
 ---
 
 # Backblaze B2 Skill

.claude/skills/bitdefender/SKILL.md

@@ -1,17 +1,13 @@
 ---
 name: bitdefender
 description: >-
-  Manage the Arizona Computer Guru (ACG) Bitdefender GravityZone Cloud MSP
+  Manage the ACG Bitdefender GravityZone Cloud MSP tenant (Public JSON-RPC API):
-  tenant via the Public JSON-RPC API. Inventory and audit endpoints, run live
+  inventory/audit endpoints, live security sweeps (infected / outdated-signature /
-  security sweeps (infected / outdated-signature / outdated-product), list
+  outdated-product), client companies, install packages, custom groups, scans,
-  client companies, build and fetch installation packages, manage custom groups,
+  move/delete endpoints (gated), policies (read-only), quarantine. Live production
-  start scans, move/delete endpoints (gated), inspect policies (read-only,
+  partner tenant — treat destructive actions conservatively. Triggers: bitdefender,
-  shallow), and review quarantine. Invoke for: "bitdefender", "gravityzone",
+  gravityzone, install bitdefender on, list endpoints, infected machines, av coverage,
-  "gravity zone", "add machine to bitdefender", "install bitdefender on",
+  security sweep, endpoint protection, quarantine.
-  "list endpoints", "infected machines", "av coverage", "security sweep",
-  "endpoint protection", "policy assignment", "quarantine". This skill talks to
-  the real production ACG GravityZone partner tenant — treat destructive actions
-  conservatively.
 ---
 
 # Bitdefender GravityZone Skill

.claude/skills/coord/SKILL.md

@@ -2,13 +2,11 @@
 name: coord
 description: >
   Talk to the ClaudeTools coordination API (inter-session messaging, fleet todos,
-  resource locks, component/status) without re-deriving the schema each time. Use
+  resource locks, component/status) without re-deriving the schema. Send/read messages
-  for: sending a message to another machine's Claude session or BROADCASTING to the
+  to another machine's session or BROADCAST to the fleet; create/list/complete coord
-  whole fleet; checking/reading your own unread coord messages; creating/listing/
+  todos; claim/release work locks; read coord status. Triggers: send a coord message,
-  completing coord todos; claiming/releasing work locks; reading coord status.
+  message <machine>/<user>, broadcast to the fleet, coord todo, claim a lock,
-  Invoke on: "send a coord message", "message <machine>/<user>", "broadcast to the
+  coord status, any unread coord messages.
-  fleet", "tell the other sessions", "coord todo", "claim a lock", "coord status",
-  "any unread coord messages".
 ---
 
 # coord — coordination API helper

.claude/skills/discord-dm/SKILL.md

@@ -1,16 +1,11 @@
 ---
 name: discord-dm
 description: >
-  Send a Discord message to an org member's DMs or to a team channel via the
+  Send a Discord message to an org member's DMs or a team channel via the ClaudeTools
-  ClaudeTools bot. Use this whenever you need to hand a person something
+  bot — for handing a person copy-paste-friendly content the terminal would mangle
-  copy-paste-friendly that the terminal would wrap or mangle — consent links,
+  (consent links, long commands, URLs, tokens-to-rotate) or to ping someone. Addresses
-  long single-line commands, URLs, tokens-to-rotate notices — or to ping someone
+  people by name (mike/howard/rob/winter), not raw snowflakes. Triggers: DM/message
-  directly. Prepopulated with every org member's user ID and the team channel IDs,
+  <person> in discord, discord DM, send that link to my discord, ping <person>.
-  so you address people by name (mike/howard/rob/winter) not raw snowflakes.
-  Invoke on: "DM me/<person> in discord", "send <person> a discord message",
-  "message <person> on discord", "discord DM", "send that link to my discord",
-  "ping <person>". For one-line [SYNCRO]/[RMM] status alerts to the alert channels,
-  prefer post-bot-alert.sh; use this for direct/person-targeted delivery.
 ---
 
 # discord-dm — direct Discord messaging to the org

.claude/skills/frontend-design/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: frontend-design
-description: Create distinctive, production-grade frontend interfaces with high design quality. MANDATORY AUTOMATIC INVOCATION: Use this skill whenever ANY action affects a UI element to validate visual correctness, functionality, and user experience. Also use when the user asks to build web components, pages, artifacts, posters, or applications (examples include websites, landing pages, dashboards, React components, HTML/CSS layouts, or when styling/beautifying any web UI). Generates creative, polished code and UI design that avoids generic AI aesthetics.
+description: Create distinctive, production-grade frontend interfaces with high design quality. MANDATORY AUTOMATIC INVOCATION: use whenever ANY action affects a UI element, or when the user asks to build web components, pages, artifacts, posters, or applications (websites, landing pages, dashboards, React components, HTML/CSS layouts, styling any web UI). Generates creative, polished UI that avoids generic AI aesthetics.
 license: Complete terms in LICENSE.txt
 ---
 

.claude/skills/grok/SKILL.md

@@ -1,15 +1,13 @@
 ---
 name: grok
 description: >
-  Route a task to the Grok CLI (xAI Grok 4.3) for capabilities Claude lacks or
+  Route a task to the Grok CLI (xAI Grok 4.3) for capabilities Claude lacks or an
-  for an independent second model. Use for: IMAGE generation/editing, VIDEO
+  independent second model: IMAGE generation/editing, VIDEO (image->video), live
-  generation (image->video), live WEB + X/TWITTER search (current/real-time
+  WEB + X/TWITTER search (real-time data past Claude's cutoff), adversarial
-  data past Claude's cutoff), and adversarial second-opinion VERIFICATION or
+  second-opinion VERIFICATION. Triggers: ask grok, grok image, generate/make an image,
-  drafts. Invoke on: "ask grok", "grok image", "generate/make an image",
+  make a video / animate this, grok verify / second opinion, search X / twitter,
-  "make a video / animate this", "grok verify / second opinion from grok",
+  what's the latest <current-event>. A capability EXTENSION, not a replacement for
-  "search X / twitter", "what's the latest <current-event/version>". Grok is a
+  Claude's own coding/editing.
-  capability EXTENSION (image/video/live-data), not a replacement for Claude's
-  own coding/editing.
 ---
 
 # Grok capability router

.claude/skills/mailprotector/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: mailprotector
-description: "Manage the ACG Mailprotector CloudFilter email-security gateway (emailservice.io). Search/release held/quarantined mail (in+outbound), pull mail-flow logs (why a message did/did not deliver), inspect + manage allow/block rules. Read-only default; releases/rule-changes gated --confirm. Triggers: mailprotector, cloudfilter, held/quarantined mail, release email, allow/block rule, INKY. Live production."
+description: "Manage the ACG Mailprotector CloudFilter email-security gateway (emailservice.io). Search/release held/quarantined mail (in+outbound), pull mail-flow logs (why a message did/didn't deliver), inspect + manage allow/block rules. Read-only default; releases/rule-changes gated --confirm. Triggers: mailprotector, cloudfilter, held/quarantined mail, release email, allow/block rule, INKY."
 
 ---
 

.claude/skills/onboard365/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: onboard365
-description: "Single-consent onboarding of a customer Microsoft 365 tenant to the ComputerGuru remediation app suite (Security Investigator / Exchange Operator / User Manager / Tenant Admin / Defender). The customer Global Admin clicks ONE admin-consent link (Tenant Admin); everything else — service principals, Graph/EXO/Defender permissions, and Entra directory roles — is provisioned automatically, no further clicks. Triggers: onboard 365, onboard a tenant, add tenant to remediation tools, single consent, consent link for new client, provision tenant apps, new M365 client onboarding, get a tenant ready for breach checks."
+description: "Single-consent onboarding of a customer Microsoft 365 tenant to the ComputerGuru remediation app suite. The customer Global Admin clicks ONE admin-consent link (Tenant Admin); service principals, Graph/EXO/Defender permissions, and Entra roles are then provisioned automatically. Triggers: onboard 365, onboard a tenant, add tenant to remediation tools, single consent, consent link for new client, provision tenant apps, get a tenant ready for breach checks."
 ---
 
 # Onboard365 — Single-Consent M365 Tenant Onboarding

.claude/skills/rmm-audit/SKILL.md

@@ -1,17 +1,11 @@
 ---
 name: rmm-audit
 description: |
-  Periodic end-to-end verification of the GuruRMM codebase and build infrastructure.
+  Periodic end-to-end verification of the GuruRMM codebase + build infra: 5 parallel
-  Runs 5 parallel audit passes: (1) API/route inventory cross-reference, (2) UI
+  audit passes (API/route, UI coverage, Rust, TypeScript, security) plus a sequential
-  coverage and gap update, (3) Rust code quality and standards compliance,
+  pipeline-health pass; writes a timestamped report and updates UI_GAPS.md and
-  (4) TypeScript/frontend quality, (5) security and data integrity. A 6th sequential
+  FEATURE_ROADMAP.md. Explicit only — /rmm-audit, optional
-  pass audits build pipeline health (logs, artifacts, change gates, script integrity).
+  --pass=<api|ui|rust|ts|security|pipeline|roadmap>. Detail in the SKILL body.
-  Produces a timestamped audit report and updates the living docs (UI_GAPS.md,
-  FEATURE_ROADMAP.md). Takes 10-20 minutes.
-
-  Invoke explicitly only — no auto-trigger. Use /rmm-audit for a full audit.
-  Optional arg: --pass=<name> to run a single pass (api, ui, rust, ts, security, pipeline, roadmap).
-  The roadmap pass reconciles FEATURE_ROADMAP.md checkboxes against the code and cleans up stale ones.
 ---
 
 # GuruRMM End-to-End Audit

.claude/skills/rmm-search/SKILL.md

@@ -1,15 +1,12 @@
 ---
 name: rmm-search
 description: >
-  Find machines/agents in the GuruRMM fleet cleanly and on the first try. Use
+  Find machines/agents in the GuruRMM fleet cleanly and on the first try — locate an
-  this ANY time you need to locate an RMM agent by name, role, client, site, or
+  RMM agent by name, role, client, site, or OS before acting on it, instead of pulling
-  OS before acting on it — instead of pulling /api/agents and grepping (which
+  /api/agents and grepping (which bleeds across clients). Forgiving multi-field search
-  bleeds across clients and picks the wrong box). Flexible, forgiving, multi-field
+  with a client filter so "hyperv valleywide" returns ONLY Valley Wide's host. Triggers:
-  search with a client filter so a query like "hyperv valleywide" returns ONLY
+  find the X machine, which agent is, look up <host> in RMM, <client>'s server/DC/hyperv,
-  Valley Wide's hyperv host, never Dataforth's. Invoke on: "find the X machine",
+  search RMM for, what's the agent id for. Hand the result to the `rmm` skill to run commands.
-  "which agent is", "look up <host> in RMM", "<client>'s server/DC/hyperv/file
-  server", "search RMM for", "what's the agent id for". After finding the agent,
-  hand its hostname/id to the `rmm` skill to run commands.
 ---
 
 # rmm-search — clean machine lookup in GuruRMM

.claude/skills/stop-slop/SKILL.md

@@ -2,10 +2,8 @@
 name: stop-slop
 description: |
   Enforce high-quality, slop-free output in all Claude responses. MANDATORY AUTOMATIC INVOCATION:
-  This skill is always active. It governs how Claude writes text, code comments, commit messages,
+  always active. Governs how Claude writes text, code comments, commit messages, and docs —
-  documentation, and any other output. Detects and eliminates generic AI filler, hollow phrases,
+  detects and eliminates generic AI filler, hollow phrases, verbosity, and performative enthusiasm.
-  unnecessary verbosity, and performative enthusiasm. Applies to all output — conversation, code,
-  docs, and generated content.
 ---
 
 # Stop Slop

.claude/skills/unifi-wifi/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: unifi-wifi
-description: "Analyze and tune UniFi WiFi for performance + stability, especially in dense/congested environments. Audits AP/radio config and the neighbor-interference map from the UOS controller, flags issues (2.4GHz over-provisioning, channel width, min-RSSI/sticky clients, channel plan), and recommends prioritized changes. Works for any UniFi site on the UOS (172.16.3.29); Cascades is the hard case. Triggers: unifi wifi tuning, RF/airtime/channel analysis, 2.4GHz congestion, AP channel plan, sticky clients, wireless performance."
+description: "Analyze and tune UniFi WiFi for performance + stability in dense/congested environments. Audits AP/radio config and the neighbor-interference map from the UOS controller, flags issues (2.4GHz over-provisioning, channel width, min-RSSI/sticky clients, channel plan), recommends prioritized changes. Any UniFi site on the UOS (172.16.3.29); Cascades is the hard case. Triggers: unifi wifi tuning, RF/airtime/channel analysis, 2.4GHz congestion, AP channel plan, sticky clients, wireless performance."
 ---
 
 # UniFi WiFi tuning (UOS sites)

.claude/skills/vault/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: vault
-description: "The ONE canonical way to use the ClaudeTools SOPS+age secret vault — read, store, update, and verify credentials. Use this whenever a task involves a password, API key, token, secret, connection string, SSH key, or any credential: retrieving one to use it, storing a newly created/discovered one, or checking what's vaulted. Stops the per-session improvising (raw sops, guessed paths, VAULT_ROOT_ENV hacks, plaintext-field mistakes). Triggers: vault, store/save a secret, add to vault, get the password/api key for X, where is the credential for X, sops, encrypt this secret, decrypt, rotate a credential, 1password fallback, vault a new key."
+description: "The ONE canonical way to use the ClaudeTools SOPS+age secret vault — read, store, update, and verify credentials. Use whenever a task involves a password, API key, token, secret, connection string, SSH key, or any credential: retrieving, storing a new/discovered one, or checking what's vaulted. Stops per-session improvising (raw sops, guessed paths, plaintext-field mistakes). Triggers: vault, store/save a secret, add to vault, get the password/api key for X, where is the credential for X, sops, encrypt, decrypt, rotate a credential, 1password fallback."
 ---
 
 # Vault — one consistent way to handle secrets