sync: auto-sync from HOWARD-HOME at 2026-04-22 11:48:29

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-22 11:48:29

.claude/commands/syncro.md

@@ -19,7 +19,7 @@ Create, update, close, comment on, and bill tickets in Syncro PSA.
 ## API Configuration
 
 **Base URL:** `https://computerguru.syncromsp.com/api/v1`
-**API Key:** SOPS vault `msp-tools/syncro.sops.yaml` → `credentials.credential`
+**API Key:** per-user tokens in SOPS vault — see "Get API key" below
 **Rate limit:** 180 requests/minute per IP
 **Docs:** https://api-docs.syncromsp.com/
 
@@ -27,21 +27,65 @@ Create, update, close, comment on, and bill tickets in Syncro PSA.
 
 When invoked, use the Syncro REST API via `curl`. All requests include `?api_key=<key>` as query parameter (NOT in header — Syncro uses query param auth).
 
+### Attribution rule (CRITICAL)
+
+Every Syncro API call is attributed to the **owner of the API key**. Comments, line items, timer entries, and invoices created by the API are logged as the API user — regardless of who is running the command. So the skill MUST use a per-user API key that matches the actual tech running it, or comments will be misattributed.
+
+| Vault entry | Syncro user | user_id |
+|---|---|---|
+| `msp-tools/syncro-howard.sops.yaml` | Howard Enos | 1750 |
+| `msp-tools/syncro.sops.yaml` | Michael Swanson | 1735 (current shared fallback) |
+
+When Mike generates his own per-user key, add `msp-tools/syncro-mike.sops.yaml` and demote the shared entry or remove it entirely.
+
 ### Get API key
 
 ```bash
-# Vault path comes from .claude/identity.json (per-machine) via the ClaudeTools wrapper
 VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
-API_KEY=$(bash "$VAULT" get-field msp-tools/syncro.sops.yaml credentials.credential)
 BASE="https://computerguru.syncromsp.com/api/v1"
+
+# Select key by identity.json user; fall back to shared key if per-user missing
+USER_ID=$(jq -r '.user // empty' "$CLAUDETOOLS_ROOT/.claude/identity.json")
+KEY_PATH="msp-tools/syncro-${USER_ID}.sops.yaml"
+if ! bash "$VAULT" list 2>/dev/null | grep -qx "${KEY_PATH}"; then
+    echo "[WARN] No per-user Syncro key at ${KEY_PATH} — falling back to shared key. Actions will be attributed to the shared key owner." >&2
+    KEY_PATH="msp-tools/syncro.sops.yaml"
+fi
+API_KEY=$(bash "$VAULT" get-field "$KEY_PATH" credentials.credential)
 ```
 
-If `vault.sh get-field` fails (yq not installed), fall back to:
+Verify attribution before destructive operations:
 ```bash
-VAULT_ROOT=$(bash "$VAULT" get msp-tools/syncro.sops.yaml 2>/dev/null | head -1 || python3 -c "import json; print(json.load(open('$CLAUDETOOLS_ROOT/.claude/identity.json'))['vault_path'])")
-API_KEY=$(sops -d "$VAULT_ROOT/msp-tools/syncro.sops.yaml" | py -c "import sys,yaml; print(yaml.safe_load(sys.stdin)['credentials']['credential'])")
+ME=$(curl -s "${BASE}/me?api_key=${API_KEY}" | jq -r '.user_name + " (user_id=" + (.user_id|tostring) + ")"')
+echo "Authenticated as: $ME"
 ```
 
+### Adding a per-user key
+
+1. User logs into Syncro → Admin → API Tokens → New (`/api_tokens/new`)
+2. Type: Integration API Token (or Custom with all standard scopes: asset/customer/ticket/invoice/payment read+write+delete, worksheet add+manage+delete, chat + script.execute)
+3. Copy the token once (Syncro only shows it on creation)
+4. Encrypt to vault:
+   ```bash
+   cat > $VAULT_ROOT/msp-tools/syncro-<user>.sops.yaml <<YAML
+   kind: api-key
+   name: Syncro (<Full Name>)
+   subdomain: computerguru
+   api-base-url: https://computerguru.syncromsp.com/api/v1
+   api-docs: https://api-docs.syncromsp.com/
+   status: active
+   owner: <user>
+   syncro_user_id: <id>
+   tags: [msp-tools, per-user]
+   credentials:
+       credential: <TOKEN>
+   notes: Per-user Syncro API token for <Full Name>. Created YYYY-MM-DD.
+   YAML
+   # MUST run from vault root so sops picks up .sops.yaml
+   (cd "$VAULT_ROOT" && sops --encrypt --in-place "msp-tools/syncro-<user>.sops.yaml")
+   ```
+5. Commit + push vault repo.
+
 ### Endpoints reference
 
 #### Tickets