sync: auto-sync from HOWARD-HOME at 2026-06-24 09:27:28

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-24 09:27:28
2026-06-24 09:27:58 -07:00
parent 00115c79f0
commit befd701678
4 changed files with 43 additions and 0 deletions


@@ -32,6 +32,7 @@
- [Starr Pass mail routing](reference_starrpass_mail_routing.md) — starrpass.com is DIRECT to MS (EOP/Defender, tenant 222450dd…); only devconllc.com is on Mailprotector (MP acct 16170). Check @starrpass.com quarantine/rejects via remediation-tool, not Mailprotector.
- [INKY outbound breaks DMARC](reference_inky_outbound_breaks_dmarc.md) — Reverse-resolve DMARC rua failing IPs before blaming a sender: ipw-outbound.inkyphishfence.com / us.cloud-sec-av.com = INKY re-injection breaking DKIM+SPF. INKY is in-M365 (connectors+transport rules) per enrolled tenant, but hosting-level (IX/cPanel website) outbound also routes through it independent of M365 enrollment. Fix is INKY-side (outbound DKIM/SPF/ARC), not cPanel DNS.
- [Syncro prepay: full-GET only](feedback_syncro_prepay_full_get_only.md) — read prepay_hours ONLY from GET /customers/{id}; the customer search/list endpoint returns null/stale prepay. Never assert "no block" in a billing preview from search data.
- [Syncro priority/type format](feedback_syncro_priority_type_format.md) — every ticket create needs a number-prefixed priority ("2 Normal", not bare "Normal" which renders blank) AND a valid problem_type. Winter flagged #32193/#32194. Use the syncro skill's create flow.
- [AAD Connect msDS-KeyCredentialLink writeback](reference_aadconnect_keycredlink_writeback.md) — "completed-export-errors" + 8344 INSUFF_ACCESS_RIGHTS on a protected admin account = WHfB key writeback blocked by AdminSDHolder. Diagnose with csexport /f:x; fix with dsacls WP;msDS-KeyCredentialLink on AdminSDHolder + SDProp.
- [UniFi Site Manager cloud API](reference_unifi_site_manager_api.md) — `api.ui.com` + `X-API-KEY` (vault `services/unifi-site-manager`) = remote access to the WHOLE ACG UniFi fleet (~36 consoles) outside UOS. Tier1 `/v1/hosts|sites|devices|isp-metrics` = inventory+health+WAN. Tier2 CONNECTOR `/v1/connector/consoles/{id}/proxy/network/api/s/default/stat/{device,sta}` = **full UOS parity** (per-radio cu_total airtime + per-client RSSI) for ANY console, remote. Backend `unifi-wifi/scripts/gw-sitemanager.sh` (`fleet|devices|sites|isp|net`). Standalone UDM WAN SSH usually firewalled; per-console SSH pw at `clients/<slug>/udm-ssh`.
- [reference_sqlx_migrations_immutable](reference_sqlx_migrations_immutable.md) -- NEVER edit an already-applied sqlx migration file — even a comment. sqlx::migrate! checksums each file at compile time and validates against _sqlx_migrations at startup; a changed checksum crash-loops the server with "migration N was previously applied but has been modified". Code review MUST flag any edit to an applied migration.
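Review bot: the added "Syncro priority/type format" entry omits the post-create check that the note it links to makes mandatory (read back `.ticket.priority` and confirm it is `"N Name"`, not a bare word), so a reader who stops at the index gets only half the rule; suggest appending "verify `.ticket.priority` after create" to the entry. The entry should also say that the numeric prefix is not a severity rank (the note has `"4 Urgent"` above `"1 High"`), since that is the trap a quick reader will walk into when picking a value.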


@@ -0,0 +1,14 @@
---
name: feedback_syncro_priority_type_format
description: Syncro tickets must be created with a number-prefixed priority ("2 Normal") and a valid problem_type — bare "Normal" shows blank in the UI
metadata:
type: feedback
---
When creating ANY Syncro ticket, ALWAYS set both:
- `priority` in the **number-prefixed** form Syncro's dropdown expects: `"1 High"`, `"2 Normal"`, `"3 Low"`, `"4 Urgent"`. A bare `"Normal"` does NOT match the dropdown and renders **blank** in the Syncro UI.
- `problem_type` to a valid Issue Type (most often `Onsite` or `Remote`; others exist — Software, Hardware, File Services / Permissions, New User / Workstation Deployment, Service Request, etc.). Default to `"2 Normal"` priority unless it's an emergency/after-hours job (then `"4 Urgent"`).
**Why:** Winter flagged (2026-06-24) that two tickets Claude created (#32193, #32194) had priority `"Normal"` instead of `"2 Normal"`, so priority showed blank — she has to fix these by hand. "Claude knows how to do that" — the format is already documented in the `syncro` skill; the miss was not following it on create.
**How to apply:** Use the `syncro` skill's ticket-create flow (it documents the exact priority strings + problem-type list); never hand-roll a create that omits priority/type or uses a non-prefixed priority. Verify after create that `.ticket.priority` came back as `"N Name"`, not a bare word. See [[feedback_syncro_blank_contact]] for the companion Cascades contact rule.
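Review bot: the "Verify after create" check in the last paragraph only confirms that the API echoed back the string it was given, which it evidently did for #32193/#32194 (the tickets were created with the bare value; it was the UI that rendered blank), so it will not catch the next invalid value. The guard belongs before the POST, as a membership check against the four enumerated strings (`"1 High"`, `"2 Normal"`, `"3 Low"`, `"4 Urgent"`), with the post-create read kept as a secondary confirmation. Two smaller points: the `problem_type` list trails off with "etc.", so "valid Issue Type" has no closed definition in this note and it should point at the exact file in the `syncro` skill that holds the canonical list; and the priority prefix is not a severity rank (`"4 Urgent"` sits above `"1 High"`), which is worth stating explicitly because the default/escalation rule in the same bullet depends on it.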


@@ -17,6 +17,10 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
2026-06-24 | Howard-Home | syncro/ticket-create | [correction] created #32193/#32194 with priority 'Normal' instead of Syncro's canonical number-prefixed '2 Normal'; the value did not match the priority dropdown so it displayed blank (Winter flagged it). Always set priority as 'N Name' (e.g. '2 Normal','4 Urgent') AND a valid problem_type (Onsite/Remote/etc.) on every ticket create via the syncro skill. [ctx: ref=syncro-skill priority-format]
2026-06-24 | Howard-Home | rmm/dispatch | [friction] UNC double-backslash in heredoc+jq RMM command got mangled to single backslash (cs-server -> cs-server), causing net use error 67 and net-use hangs that looked like a missing/broken share; single-backslash local paths (D:Shares) were unaffected. Fix: build UNC from [char]92 at runtime ($bs=[char]92; $unc="{0}{0}server{0}share" -f $bs) so no literal backslash traverses the dispatch chain. [ctx: ref=feedback_windows_quote_stripping]
2026-06-24 | GURU-5070 | syncro/billing-prepay | [friction] customer SEARCH endpoint returned prepay_hours=null so preview wrongly said 'no block / $300'; the customer actually had a 20.5h block. ALWAYS read prepay via GET /customers/{id} (full record), never the search-list field [ctx: cust=14232794 ticket=32455]
2026-06-24 | GURU-5070 | unifi-wifi/controller-rest | [friction] CSRF token missed because read via dict(resp.headers) (case-sensitive); UniFi returns X-Csrf-Token mixed-case -> PUT got 403. Use resp.headers.get() (case-insensitive) to capture X-CSRF-Token/X-Updated-Csrf-Token
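Review bot: the `rmm/dispatch` entry has been bitten by the bug it records: the illustration reads `cs-server -> cs-server` and `D:Shares`, the backslashes having been stripped on the way into this file, so the before/after is unreadable; put the UNC examples in code spans or describe them in words ("double backslash collapsed to single, local `D:` path unaffected"). The `[char]92` workaround is sound for the chain described, but the entry should say which layer (heredoc, jq, or the remote shell) consumed the backslash, since building the string at runtime sidesteps all of them without identifying the one at fault. The `unifi-wifi/controller-rest` entry is correct on the mechanism (`dict(resp.headers)` drops the case-insensitive lookup, `resp.headers.get()` keeps it) and states the rule in a reusable form; the `syncro/billing-prepay` entry should add the check that `prepay_hours` from `GET /customers/{id}` is non-null before a preview asserts anything about a block, since a null there is what produced the wrong "$300" figure.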


@@ -87,3 +87,27 @@ The product direction then pivoted significantly: AMPIPIT becomes the engine beh
- Commit SHAs — ampipit: `41b5dfa` (skill+design slice), `b8c0fd1` (ADR-045/048), `ab1b7c5` (ADR-048 reframe), `4324c07` (reliability/source). guru-rmm: `af3445b` (Feature 10 on main); feature branch restored to `bd6dd27`. claudetools: `8e512d1` (submodule add).
- GuruRMM agent source for PE: `projects/msp-tools/guru-rmm/agent/``device_id.rs` (identity), `main.rs` (run/install), `scripts.rs`/`websocket.rs` (remote exec), `Cargo.toml` (features: native-service default, legacy console build).
- Feasibility: GuruRMM-agent-in-WinPE = GO-WITH-WORK; build console agent via `cargo build --no-default-features --features legacy` or `gururmm-agent run`.
## Update: 2026-06-24 09:26 PT — research, deploy-hardening fix, Mike's Feature 10 verdict
**Product pivot recorded earlier:** AMPIPIT is now framed as a PAID GuruRMM add-on ("Recovery Environment"), captured as RMM_THOUGHTS Feature 10. No Claude in the shipped product (Claude is test-time only); GuruConnect is the remote channel; the RMM is the control plane (configure -> push to fleet/site/machine -> install -> boot -> repair/backup/reinstall). ADR-048 reframed to match; AMPIPIT design doc updated with the corrected reliability/source strategy (must work on ALL Windows incl. no/disabled WinRE; detect-and-fallback PE base; multi-source ISO delivery — official download / RMM-hosted on B2 / client 3rd-party storage / pushed; billing deferred).
**Second feasibility spike (no-WinRE recovery partition): GO-WITH-WORK.** Mechanism is almost entirely in-box (diskpart/reagentc/bcdedit/dism/manage-bde). reagentc-registered WinRE boots through the OS's signed boot manager, sidestepping Secure Boot. "Works on ALL machines" needs an explicit fallback chain (residue with no shrinkable space AND no image source -> external boot). Licensing finding: do NOT redistribute a generic winre.wim; source from the machine's own WinRE, else DISM-extract from a matching partner-licensed ISO. New build work: src/recovery/ live-disk install pipeline + reagentc/bcdedit wrappers + non-destructive shrink (GPT+MBR) + the no-WinRE fallback.
**Reference-project research (8 repos, techniques only per ADR-047)** -> `projects/msp-tools/ampipit/docs/RECOVERY_RESEARCH_NOTES.md` (commit `656b12a`). Confirms the reagentc-owns-everything WinRE-on-live-disk pattern (MHimken is the gold reference); captures discovery/resize/free-space-gate/BitLocker-suspend/MBR+x86 gaps/transactional-commit, the WinRE OC manifest + driver-harvest + winpeshl->exe + boot.wim-fallback WiFi techniques, and the cschneegans 4-tier script-hook model. Surfaced 3 P0 bugs in AMPIPIT's EXISTING deploy path.
**Deploy-hardening (independent of the RMM decision):**
- **#3 FIXED + shipped** (ampipit `7355467`): scrub `%SystemRoot%\Panther\unattend.xml` + `unattend-original.xml` at end of FirstLogon (before any domain-join restart) so the base64-obscured admin password does not persist on disk. Ollama pre-flight 200; `deploy::autounattend` 27/27 green (added `panther_unattend_scrub_present`, count 5->6); security-review clean (static cmd, no injection surface).
- **#1 TRACKED** (HKCU UI tweaks written to ineffective HKLM path — `show_file_extensions`/`show_hidden_files`/`taskbar_align_left` in `tweaks.rs` are silent no-ops): correct fix is the per-user-hive / 4-tier script-hook model so it sticks for the primary admin too — a deliberate change, not a one-liner.
- **#2 TRACKED** (Win11 LabConfig bypass emitted in `specialize` pass, possibly too late): do NOT move blindly — gate on Phase 6 hardware verification.
**Mike's Feature 10 verdict (Discord DM, 2026-06-24 13:22 UTC):** "I like this idea but I think we'll have to come back to it. We need to think about it a little bit more." -> soft yes, deferred. Recorded on Feature 10 (status Raw -> Discussed (liked, deferred); guru-rmm `main` `9acade0`). The 6 open questions remain unanswered. AMPIPIT `src/recovery/` engine work stays HELD pending Mike's go.
**Commits since last save (all pushed to Gitea origins):**
- ampipit `main`: `b8c0fd1` ADR-045/048, `ab1b7c5` ADR-048 reframe, `4324c07` reliability/source, `656b12a` research notes, `7355467` Panther scrub fix.
- guru-rmm `main`: `af3445b` Feature 10 added, `9acade0` Feature 10 -> Discussed.
- guru-rmm git slip from prior session corrected: removed an errant commit from a feature branch (force-with-lease back to `bd6dd27`); the entry landed on main as Feature 10 (Mike had already used 8/9).
**Process notes:** AMPIPIT/guru-rmm work lives on their own Gitea submodule origins; the parent ClaudeTools submodule POINTERS are deliberately NOT advanced (would need `--with-submodules` or a targeted gitlink bump as a version-pin decision). guru-rmm submodule edits require switching to `main`, editing, pushing, then restoring the prior feature-branch checkout (it has moved twice: `fix/software-uninstall-polish` -> `spec/av-removal-recipes`). The `ampipit-build` skill currently lives in the AMPIPIT submodule's `.claude/skills/`; Howard approved MOVING it to ClaudeTools `.claude/skills/` (still PENDING — held to reflect the final add-on/GuruConnect/Claude-test-only framing).
**Still pending / next steps:** Mike to revisit Feature 10 (he initiates); deploy-hardening #1 (#2 after hardware) available anytime; move `ampipit-build` skill into ClaudeTools; advance parent submodule pointers when desired.
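Review bot: the "#3 FIXED" bullet needs to state what "scrub" does and when the password is still exposed: as written, the two Panther files are handled at the end of FirstLogon, so the base64-obscured admin password sits on disk for the whole first-logon window and survives any crash or interruption before that step, and if "scrub" is a plain delete the content remains recoverable from the volume until overwritten. The new test `panther_unattend_scrub_present` asserts only that the generated answer file contains the scrub command (a static check, as the "security-review clean (static cmd, no injection surface)" line confirms), not that the files are absent on a deployed machine; a deploy-time assertion is still missing. Smaller points: the agent-source line has a stray doubled backtick in `agent/``device_id.rs`, which breaks the path; and the "git slip" bullet describes a force-with-lease reset of a pushed feature branch without naming the branch, which the entry should do so the reset can be traced against the two branch moves listed under Process notes.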