sync: auto-sync from HOWARD-HOME at 2026-06-24 09:27:28
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-24 09:27:28
@@ -87,3 +87,27 @@ The product direction then pivoted significantly: AMPIPIT becomes the engine beh
|
||||
- Commit SHAs — ampipit: `41b5dfa` (skill+design slice), `b8c0fd1` (ADR-045/048), `ab1b7c5` (ADR-048 reframe), `4324c07` (reliability/source). guru-rmm: `af3445b` (Feature 10 on main); feature branch restored to `bd6dd27`. claudetools: `8e512d1` (submodule add).
|
||||
- GuruRMM agent source for PE: `projects/msp-tools/guru-rmm/agent/` — `device_id.rs` (identity), `main.rs` (run/install), `scripts.rs`/`websocket.rs` (remote exec), `Cargo.toml` (features: native-service default, legacy console build).
|
||||
- Feasibility: GuruRMM-agent-in-WinPE = GO-WITH-WORK; build console agent via `cargo build --no-default-features --features legacy` or `gururmm-agent run`.
|
||||
|
||||
## Update: 2026-06-24 09:26 PT — research, deploy-hardening fix, Mike's Feature 10 verdict
|
||||
|
||||
**Product pivot recorded earlier:** AMPIPIT is now framed as a PAID GuruRMM add-on ("Recovery Environment"), captured as RMM_THOUGHTS Feature 10. No Claude in the shipped product (Claude is test-time only); GuruConnect is the remote channel; the RMM is the control plane (configure -> push to fleet/site/machine -> install -> boot -> repair/backup/reinstall). ADR-048 reframed to match; AMPIPIT design doc updated with the corrected reliability/source strategy (must work on ALL Windows incl. no/disabled WinRE; detect-and-fallback PE base; multi-source ISO delivery — official download / RMM-hosted on B2 / client 3rd-party storage / pushed; billing deferred).
|
||||
|
||||
**Second feasibility spike (no-WinRE recovery partition): GO-WITH-WORK.** Mechanism is almost entirely in-box (diskpart/reagentc/bcdedit/dism/manage-bde). reagentc-registered WinRE boots through the OS's signed boot manager, sidestepping Secure Boot. "Works on ALL machines" needs an explicit fallback chain (residue with no shrinkable space AND no image source -> external boot). Licensing finding: do NOT redistribute a generic winre.wim; source from the machine's own WinRE, else DISM-extract from a matching partner-licensed ISO. New build work: src/recovery/ live-disk install pipeline + reagentc/bcdedit wrappers + non-destructive shrink (GPT+MBR) + the no-WinRE fallback.
|
||||
|
||||
**Reference-project research (8 repos, techniques only per ADR-047)** -> `projects/msp-tools/ampipit/docs/RECOVERY_RESEARCH_NOTES.md` (commit `656b12a`). Confirms the reagentc-owns-everything WinRE-on-live-disk pattern (MHimken is the gold reference); captures discovery/resize/free-space-gate/BitLocker-suspend/MBR+x86 gaps/transactional-commit, the WinRE OC manifest + driver-harvest + winpeshl->exe + boot.wim-fallback WiFi techniques, and the cschneegans 4-tier script-hook model. Surfaced 3 P0 bugs in AMPIPIT's EXISTING deploy path.
|
||||
|
||||
**Deploy-hardening (independent of the RMM decision):**
|
||||
- **#3 FIXED + shipped** (ampipit `7355467`): scrub `%SystemRoot%\Panther\unattend.xml` + `unattend-original.xml` at end of FirstLogon (before any domain-join restart) so the base64-obscured admin password does not persist on disk. Ollama pre-flight 200; `deploy::autounattend` 27/27 green (added `panther_unattend_scrub_present`, count 5->6); security-review clean (static cmd, no injection surface).
|
||||
- **#1 TRACKED** (HKCU UI tweaks written to ineffective HKLM path — `show_file_extensions`/`show_hidden_files`/`taskbar_align_left` in `tweaks.rs` are silent no-ops): correct fix is the per-user-hive / 4-tier script-hook model so it sticks for the primary admin too — a deliberate change, not a one-liner.
|
||||
- **#2 TRACKED** (Win11 LabConfig bypass emitted in `specialize` pass, possibly too late): do NOT move blindly — gate on Phase 6 hardware verification.
|
||||
|
||||
**Mike's Feature 10 verdict (Discord DM, 2026-06-24 13:22 UTC):** "I like this idea but I think we'll have to come back to it. We need to think about it a little bit more." -> soft yes, deferred. Recorded on Feature 10 (status Raw -> Discussed (liked, deferred); guru-rmm `main` `9acade0`). The 6 open questions remain unanswered. AMPIPIT `src/recovery/` engine work stays HELD pending Mike's go.
|
||||
|
||||
**Commits since last save (all pushed to Gitea origins):**
|
||||
- ampipit `main`: `b8c0fd1` ADR-045/048, `ab1b7c5` ADR-048 reframe, `4324c07` reliability/source, `656b12a` research notes, `7355467` Panther scrub fix.
|
||||
- guru-rmm `main`: `af3445b` Feature 10 added, `9acade0` Feature 10 -> Discussed.
|
||||
- guru-rmm git slip from prior session corrected: removed an errant commit from a feature branch (force-with-lease back to `bd6dd27`); the entry landed on main as Feature 10 (Mike had already used 8/9).
|
||||
|
||||
**Process notes:** AMPIPIT/guru-rmm work lives on their own Gitea submodule origins; the parent ClaudeTools submodule POINTERS are deliberately NOT advanced (would need `--with-submodules` or a targeted gitlink bump as a version-pin decision). guru-rmm submodule edits require switching to `main`, editing, pushing, then restoring the prior feature-branch checkout (it has moved twice: `fix/software-uninstall-polish` -> `spec/av-removal-recipes`). The `ampipit-build` skill currently lives in the AMPIPIT submodule's `.claude/skills/`; Howard approved MOVING it to ClaudeTools `.claude/skills/` (still PENDING — held to reflect the final add-on/GuruConnect/Claude-test-only framing).
|
||||
|
||||
**Still pending / next steps:** Mike to revisit Feature 10 (he initiates); deploy-hardening #1 (#2 after hardware) available anytime; move `ampipit-build` skill into ClaudeTools; advance parent submodule pointers when desired.
|
||||
|
||||
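Review bot: The "#3 FIXED + shipped" entry under Deploy-hardening treats the password exposure as closed, but the only evidence it cites is `panther_unattend_scrub_present` and the 27/27 unit run. Going by its name, that test checks that the scrub command is emitted, not that the files are gone on a deployed machine. Suggest adding a line saying whether on-target verification is still pending, in the way #2 is gated on Phase 6 hardware verification. Two related gaps in the same entry: it calls the password "base64-obscured", so the value is recoverable from any copy that existed between setup and the end of FirstLogon, and the entry does not say whether that admin password is rotated after deployment. It also names only `%SystemRoot%\Panther\unattend.xml` and `unattend-original.xml`; if the answer file is also present on the install media or another cached location, state whether those copies are in scope for the scrub.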