errorlog lint follow-ups: bitdefender log-gap fix + submodule memory + Windows CORE rules

- bitdefender gz.py: add "missing name" to _EXPECTED_ERROR_MARKERS — closes the last gap in
  Howard's errorlog suppression ("Missing name 'X' in 'options' object" validation errors were
  still logged). Verified all 10 real spam messages now suppressed; genuine errors still log.
- memory feedback_submodule_autosync_discipline: capture the recurring auto-synced-submodule
  rule (worktree or push-by-SHA + ls-remote verify; assert HEAD==origin/main before audits;
  never checkout-- shared files). Recurred on Howard-Home x3 + GURU-5070 this session.
- CLAUDE.md CORE Windows bullet: promote the two top recurring mechanical traps (/tmp path
  mismatch, curl.exe/plink quote-stripping) to always-loaded hard rules so they stop repeating.

Lint of errorlog.md: bitdefender expected-validation spam was ~70% of entries (Howard's
suppression now complete); fabb3421/Mail.Send drift closed earlier this session; wiki-compile
lock-release doc already fixed (entries predate the fix).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.claude/CLAUDE.md

@@ -48,7 +48,12 @@ production, data-loss. Detail: EXTENDED + `.claude/OLLAMA.md`.
 - **Log preventable friction too (`--friction`):** any time you waste tokens on a preventable, repeatable self-inflicted error — harness/env/tool misuse (Git-Bash `/tmp` path mismatch, shell env not persisting between Bash calls, passing huge args on the command line, PowerShell var case-collisions, etc.) — log it: `bash .claude/scripts/log-skill-error.sh "<context e.g. bash/env>" "what wasted tokens + the fix" --friction [--context "ref=<memory-or-rule>"]`. **If it repeats something already in memory or CLAUDE.md, that's the highest-value entry** — it means a rule/memory isn't working; cite the ref. This log is the corpus we lint to build better CLAUDE.md rules and to clean stale/misleading memory. Goal: stop paying twice for the same mistake.
 - **Windows:** ensure `bash` resolves to Git-for-Windows MSYS bash, not the WSL stub; write
   `.claude/current-mode` with a relative/forward-slash path only (never a backslash Windows
-  path). Detail + fixes: EXTENDED.
+  path). **Never write API/scratch JSON to `/tmp`** — Git-Bash `/tmp` and the Write/Python tools
+  resolve it to different places (read-back fails); use a repo-relative path (`./.x.json`). **Never
+  embed `"` in `curl.exe`/`plink` args from PowerShell** — `CommandLineToArgvW` strips them and
+  silently mangles the payload; single-quote bodies, build `$` from `[char]36`, or use SSH key auth.
+  These two recur fleet-wide (errorlog) — treat as hard rules. Detail + fixes: EXTENDED,
+  memories `feedback_tmp_path_windows` + `feedback_windows_quote_stripping`.
 
 ## Coordination (live source of truth)
 The coord API (`http://172.16.3.30:8001/api/coord`, no auth) holds live locks, messages,

.claude/memory/MEMORY.md

@@ -102,6 +102,7 @@
 
 ### GuruRMM
 - [GuruRMM build verification (read before touching the pipeline)](feedback_gururmm_build_verification.md) — Merge-to-main IS the build+deploy; verify locally FIRST. Canonical refs: guru-rmm `docs/BUILD.md` + the `gururmm-build` skill (`verify.sh server|agent|dashboard|migrations`) + `deploy/build-pipeline/README.md`. Compile-gate trap: Windows cargo can't verify Linux-gated agent code (openssl-sys); Linux build on .30 is the real gate. Server needs SQLX_OFFLINE + fresh server/.sqlx; check migration-number collisions.
+- [Submodule auto-sync discipline](feedback_submodule_autosync_discipline.md) — In auto-synced submodules (guru-rmm/guru-connect) local branch refs/HEAD don't survive across calls (background sync resets to the lagging gitlink; sessions share the tree). Use a git worktree or commit+push-by-explicit-SHA + `ls-remote` verify; assert HEAD==origin/main (or read `origin/main:<file>`) before audits; never `checkout --` shared files. Recurring fleet friction.
 - [GuruRMM operational rules](feedback_gururmm.md) — Six rules: (1) RMM dev = Mike, never Howard (368/0 commits); GuruScan is Howard's. (2) Agent parity Win+Linux+macOS in same change. (3) Builds via Gitea webhook pipeline only, never SSH. (4) #bot-alerts only for client/ticket impact, skip internal infra/dev. (5) Identify agents by IP, not by reconning candidates. (6) UNC paths in user_session need [char]92 — literals get halved.
 - [Build channel default = beta](feedback_gururmm_build_channel_default.md) — New agent builds must be tagged BETA by default (stable = explicit promote re-tag); distinct from agents defaulting to the stable CHANNEL (correct). Fixed build-windows/linux.sh 2026-06-01; macOS already correct. Enables beta-first canary.
 - [Dashboard beta-first deploy](feedback_dashboard_beta_first.md) — Dashboard auto-builds to rmm-beta.azcomputerguru.com on push; prod (rmm.azcomputerguru.com) is explicit promote-only via promote-dashboard.sh --confirm. Never hand-rsync prod. One artifact, nginx sub_filter BETA banner. Stood up 2026-06-02.

.claude/memory/feedback_submodule_autosync_discipline.md

@@ -0,0 +1,38 @@
+---
+name: feedback_submodule_autosync_discipline
+description: In auto-synced submodules (guru-rmm/guru-connect) don't trust local branch refs — use a worktree or push-by-SHA + verify; assert HEAD==origin/main before audits. Recurring fleet friction.
+metadata:
+  type: feedback
+---
+
+The superproject's background auto-sync resets each submodule's working tree to the **pinned
+gitlink** (which intentionally lags `main`), and 3-4 Claude sessions can share one submodule
+checkout. So inside `projects/msp-tools/guru-rmm` (and guru-connect) **local branch refs / HEAD do
+NOT reliably survive across tool calls or sessions** — a `git switch -c feat` can get reset to the
+gitlink mid-work, commits land on a detached HEAD, and `push -u origin <branch>` ships a stale ref.
+
+**Do this instead:**
+- **Feature work:** `git worktree add <path> origin/main`, edit + commit + push there, then
+  `worktree remove` — OR commit in place, capture `sha=$(git rev-parse HEAD)`, and push by EXPLICIT
+  sha: `git push origin <sha>:refs/heads/<branch-or-main>`. Then VERIFY: `git ls-remote origin <ref>`.
+  (This session: that push-by-SHA is exactly how the BUG-019 merge + docs landed cleanly.)
+- **Before any audit/analysis that reads the working tree:** assert `HEAD == origin/main`
+  (`git rev-parse HEAD` vs `git rev-parse origin/main`); if behind, `git fetch` + checkout
+  origin/main first, or read `git show origin/main:<file>`. A stale gitlink makes you "fix"
+  already-fixed code (a real audit wasted a fix on a bug already closed in main).
+- **Never `git checkout -- <shared file>`** to clean up a dirty submodule tree — it clobbers a
+  concurrent session's uncommitted work. Move untracked files aside instead.
+- HTTPS auth to the gururmm/guru-connect remote (git.azcomputerguru.com) on GURU-5070 uses the
+  vaulted `services/gitea` api-token via GIT_ASKPASS (the gitea skill can't inject it — parent repo
+  is HTTP, submodule is a different host; SSH key not authorized here).
+
+**Why:** recurring across the fleet (Howard-Home detached-HEAD x2 + a stale-gitlink audit;
+GURU-5070 hit a non-fast-forward on a docs push this session). Each occurrence costs a
+re-diagnose/rebuild cycle. Howard fixed the `sync.sh` submodule-clobber root cause + moved to
+worktrees (2026-06-21), but the defensive discipline still applies.
+
+**How to apply:** worktree or push-by-SHA + `ls-remote` verify for writes; assert HEAD==origin/main
+(or read `origin/main:<file>`) before audits; never `checkout --` shared files.
+
+Related: [[gururmm-session-logs-submodule-save]] [[feedback_gururmm_build_verification]]
+[[feedback_verify_committed_state_before_push]] [[using-git-worktrees]]

.claude/skills/bitdefender/scripts/gz.py

@@ -68,6 +68,7 @@ def _log_skill_error(skill, msg, context=""):
 # conditions - only real failures worth pattern-spotting. These are NOT logged.
 _EXPECTED_ERROR_MARKERS = (
     "required parameter is missing",
+    "missing name",          # e.g. "Missing name 'reportingInterval' in 'options' object" (validation)
     "invalid value",
     "not expected",
     "method not found",