diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index edd9024d..ceb56916 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md @@ -143,7 +143,7 @@ - [ACG MSP tool stack](reference_acg_msp_stack.md) — ScreenConnect/CW Control, Splashtop, Syncro, Datto RMM, Datto EDR/AV, GuruRMM are ACG's OWN tools; do not flag as foreign/threat on managed machines (Defender-off is expected when Datto AV is active). - [ACG Website Hosting](project_azcomputerguru_hosting.md) — azcomputerguru.com is hosted on IX Web Hosting via cPanel. - [jq on Windows emits CRLF](feedback_jq_crlf_windows.md) — winget jq outputs CRLF; trailing \r silently breaks `for x in $(jq ...)` loops + read-from-@tsv. Override `jq(){ command jq "$@"|tr -d '\r'; }`. Windows-build-specific (passes on Mac/Linux). -- [ScreenConnect RESTful API auth](reference_screenconnect_api.md) — CTRLAuthHeader = raw api_secret (no Basic/b64) + Origin header; only method is GetSessionsByName; matches blank-for-agents Name field so it cannot enumerate full inventory. +- [ScreenConnect RESTful API auth](reference_screenconnect_api.md) — CTRLAuthHeader = raw api_secret (no Basic/b64) + Origin header; now wrapped by the /screenconnect skill. Verified surface: GetSessionsByName/GetSessionDetails + writes SendCommand/SendMessage/UpdateCustomProperties + parameterized self-tagging installer. Still NO full-fleet inventory method (GetSessions missing). - [No manufactured guardrails on our products](feedback_no_manufactured_guardrails.md) — At Mikes request on GuruRMM/GuruConnect/ClaudeTools, just execute; stop only for genuinely irreversible/destructive ops (with a heads-up). Read the actual code/state before claiming something is disallowed or a security hole. - [Stream-of-thought design convos](feedback_stream_of_thought_design.md) — Mike brainstorms features free-form, adding requirements iteratively; Claude validates/sharpens as a design partner but does NOT build until an explicit go, then captures parked threads durably (PARKED_*.md + todos) for a later /shape-spec. - [RMM Thoughts backlog](feedback_rmm_thoughts_backlog.md) — GuruRMM ideas from Mike & Howard go in projects/msp-tools/guru-rmm/docs/RMM_THOUGHTS.md (Status: Raw); pipeline thought -> discuss -> spec (/shape-spec) -> roadmap. Don't build until an explicit go. diff --git a/.claude/memory/reference_resource_map.md b/.claude/memory/reference_resource_map.md index 5ebb26f0..61c474c9 100644 --- a/.claude/memory/reference_resource_map.md +++ b/.claude/memory/reference_resource_map.md @@ -129,7 +129,7 @@ type: reference - Detail: [[reference_gururmm]], [[project_gururmm]], [[feedback_gururmm]]. ### ScreenConnect / CW Control -- Primary remote-access tool. `msp-tools/screenconnect.sops.yaml`. +- Primary remote-access tool. `msp-tools/screenconnect.sops.yaml`. Skill: `/screenconnect` (sessions, parameterized self-tagging installer, gated backstage control). See [[reference_screenconnect_api]]. - **Gotcha:** Toolbox scripts truncate lines >80 chars silently; no inline comments mid-script. See [[reference_msp_audit_scripts]]. ### Splashtop (SOS / Streamer) diff --git a/.claude/memory/reference_screenconnect_api.md b/.claude/memory/reference_screenconnect_api.md index 02e91461..67828537 100644 --- a/.claude/memory/reference_screenconnect_api.md +++ b/.claude/memory/reference_screenconnect_api.md @@ -1,15 +1,22 @@ --- name: reference_screenconnect_api -description: Working auth + method for the ACG ScreenConnect RESTful API extension (CTRLAuthHeader = raw secret, GetSessionsByName) +description: ACG ScreenConnect RESTful API auth + verified method surface (CTRLAuthHeader=raw secret); now wrapped by the /screenconnect skill metadata: type: reference --- -ACG ScreenConnect RESTful API extension — verified working call (2026-06-02, Howard). Credentials in vault `msp-tools/screenconnect.sops.yaml` (`credentials.username`, `credentials.api_secret`). +ACG ScreenConnect (CW Control) RESTful API Manager extension. Auth verified 2026-06-02; +full method surface + parameterized-installer deploy verified live 2026-06-21 (Howard). +**Now wrapped by the `/screenconnect` skill** (`.claude/skills/screenconnect/`) — use that +(`sc.py`/`sc_client.py`) rather than hand-rolling calls. Secret in vault +`msp-tools/screenconnect.sops.yaml` (`credentials.api_secret`). - **Host:** `https://computerguru.screenconnect.com` **extension-guid:** `2d558935-686a-4bd0-9991-07539f5fe749` -- **Auth (the non-obvious part):** header `CTRLAuthHeader: ` with **NO `Basic ` prefix and no base64** + header `Origin: https://computerguru.screenconnect.com`. Putting the secret in `Authorization: Basic `, or `CTRLAuthHeader: Basic `, both return 401. Raw secret in CTRLAuthHeader is what works. -- **Only method that exists:** `POST /App_Extensions//Service.ashx/GetSessionsByName` with JSON body `{"sessionName":""}`. Every other `Get*` name (GetSessions, GetSessionList, GetHosts, ...) returns 500 `"Web method does not exist"`. Bad/missing params return 500 `"Unknown parameter: "` — the valid param is `sessionName`. -- **Big limitation:** the match is on the session `Name` field, which is **blank for unattended access agents**, so this api user only enumerates a handful of named sessions — it CANNOT list a client's full machine inventory. For per-machine last-seen across a whole client, the API is not sufficient; read the ScreenConnect console (or a screen recording) instead. Session objects do carry `LastConnectedEventTime`, `LastEventTime`, `GuestInfo.LastActivityTime`, and custom props CP1=Company / CP2=Site / CP3=Tag. +- **Auth (the non-obvious part):** header `CTRLAuthHeader: ` with **NO `Basic ` prefix and no base64** + header `Origin: https://computerguru.screenconnect.com`. `Authorization: Basic ` or `CTRLAuthHeader: Basic ` both 401. Raw secret in CTRLAuthHeader is what works. Endpoint: `POST /App_Extensions//Service.ashx/`. +- **Verified methods (CORRECTS the old "only GetSessionsByName" note):** reads take a JSON object, writes take a POSITIONAL ARRAY. + - Reads: `GetSessionsByName {"sessionName":""}`, `GetSessionDetailsBySessionID {"sessionID":""}`, `GetSessionBySessionID`. + - Writes (gated in the skill): `SendCommandToSession ["",""]` (backstage command on the guest), `SendMessageToSession ["",""]`, `UpdateSessionCustomProperties ["",["cp1","cp2","cp3",...]]`. CP1=Company / CP2=Site / CP3=Tag (up to CP8). +- **Parameterized access installer (deploy):** the cloud serves a pre-keyed installer at `/Bin/ScreenConnect.ClientSetup.?e=Access&y=Guest&t=&c=&c=&c=...` (ext: msi/exe/pkg/deb/rpm/sh). The repeated `c=` self-tag the agent on install, so an RMM-pushed install self-places into the right Company/Site/Tag. Windows silent: `msiexec /i /qn /norestart`. VERIFIED end-to-end on RMM-TEST-MACHINE 2026-06-21. +- **Real limitation (still true):** NO full-fleet inventory method — `GetSessions`/`GetAllSessions`/`GetSessionGroups` return 500 `"Web method does not exist"`. You CANNOT list a client's whole machine inventory via this API yet; needs Mike to update the RESTful API Manager extension (coord msg 60d9e876). Workaround: the installer sets session Name = machine name, so by-name lookup works post-install. -Used during the Dataforth Syncro asset cleanup as the third liveness source alongside Syncro + Bitdefender. See [[reference_acg_msp_stack]]. +Used during the Dataforth Syncro asset cleanup as a liveness source. See [[reference_acg_msp_stack]] and the `/screenconnect` skill SKILL.md. diff --git a/.claude/skills/self-check/baseline/manifest.json b/.claude/skills/self-check/baseline/manifest.json index fdce0e19..4971ba4d 100644 --- a/.claude/skills/self-check/baseline/manifest.json +++ b/.claude/skills/self-check/baseline/manifest.json @@ -96,7 +96,7 @@ "skills": [ "1password", "b2", "bitdefender", "frontend-design", "gc-audit", "impeccable", "memory-dream", "remediation-tool", "rmm-audit", - "skill-creator", "stop-slop", "theme-factory", "self-check" + "screenconnect", "skill-creator", "stop-slop", "theme-factory", "self-check" ], "commands": [ diff --git a/session-logs/2026-06/2026-06-21-howard-screenconnect-skill-finalize.md b/session-logs/2026-06/2026-06-21-howard-screenconnect-skill-finalize.md index 7543a777..6e37cdf8 100644 --- a/session-logs/2026-06/2026-06-21-howard-screenconnect-skill-finalize.md +++ b/session-logs/2026-06/2026-06-21-howard-screenconnect-skill-finalize.md @@ -135,3 +135,18 @@ auth is the `CTRLAuthHeader` (raw secret, no "Basic" prefix) + `Origin` header. - Skill path: `.claude/skills/screenconnect/` (SKILL.md, scripts/{sc.py,sc_client.py, selftest.py}, references/api-reference.md). - ScreenConnect docs: https://docs.connectwise.com/ScreenConnect_Documentation + +## Update: 21:1x PT — Mike handoff + registry/memory updates + +- Sent coord broadcast message (`b3d6db3e`) + durable todo for mike (`f0e7f0ad`, project + gururmm) to merge branch `docs/rmm-thoughts-sc-feature7` (4f10149) into gururmm main. +- Registered the new skill + corrected stale knowledge for parity with `bitdefender`: + - `.claude/skills/self-check/baseline/manifest.json` — added `screenconnect` to the + project-local skills array. + - `.claude/memory/reference_resource_map.md` — added `Skill: /screenconnect` to the + ScreenConnect/CW Control section. + - `.claude/memory/reference_screenconnect_api.md` — REWROTE: the old note claimed "only + method is GetSessionsByName / cannot enumerate"; corrected to the verified surface + (reads + writes SendCommand/SendMessage/UpdateCustomProperties + parameterized + self-tagging installer), kept the still-true full-fleet-inventory gap, pointed at the + skill. Updated the matching `MEMORY.md` index hook.