sync: auto-sync from GURU-5070 at 2026-06-21 17:24:36

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-21 17:24:36
2026-06-21 17:25:22 -07:00
parent b49cb21fa6
commit f8c33c9019
5 changed files with 319 additions and 1 deletions

@@ -101,6 +101,7 @@
- [Syncro lessons / incident archive](feedback_syncro_history.md) — Detail behind the three rule files: tickets (#32332, #32312, #32225, #32253, #32203, #32185, #32142, #32304, #32333), verbatim Mike/Howard/Winter quotes, dates, tech user_id table (Mike 1735 / Howard 1750 / Winter 1737 / Rob 1760), labor product table, and superseded-rule history.
### GuruRMM
- [GuruRMM build verification (read before touching the pipeline)](feedback_gururmm_build_verification.md) — Merge-to-main IS the build+deploy; verify locally FIRST. Canonical refs: guru-rmm `docs/BUILD.md` + the `gururmm-build` skill (`verify.sh server|agent|dashboard|migrations`) + `deploy/build-pipeline/README.md`. Compile-gate trap: Windows cargo can't verify Linux-gated agent code (openssl-sys); Linux build on .30 is the real gate. Server needs SQLX_OFFLINE + fresh server/.sqlx; check migration-number collisions.
- [GuruRMM operational rules](feedback_gururmm.md) — Six rules: (1) RMM dev = Mike, never Howard (368/0 commits); GuruScan is Howard's. (2) Agent parity Win+Linux+macOS in same change. (3) Builds via Gitea webhook pipeline only, never SSH. (4) #bot-alerts only for client/ticket impact, skip internal infra/dev. (5) Identify agents by IP, not by reconning candidates. (6) UNC paths in user_session need [char]92 — literals get halved.
- [Build channel default = beta](feedback_gururmm_build_channel_default.md) — New agent builds must be tagged BETA by default (stable = explicit promote re-tag); distinct from agents defaulting to the stable CHANNEL (correct). Fixed build-windows/linux.sh 2026-06-01; macOS already correct. Enables beta-first canary.
- [Dashboard beta-first deploy](feedback_dashboard_beta_first.md) — Dashboard auto-builds to rmm-beta.azcomputerguru.com on push; prod (rmm.azcomputerguru.com) is explicit promote-only via promote-dashboard.sh --confirm. Never hand-rsync prod. One artifact, nginx sub_filter BETA banner. Stood up 2026-06-02.
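
Review bot: The new index entry for `feedback_gururmm_build_verification.md` says "verify locally FIRST" and then names "Linux build on .30" as the real gate, while rule (3) in the `feedback_gururmm.md` entry directly below it says builds go "via Gitea webhook pipeline only, never SSH". As written, a reader cannot tell whether running `verify.sh` for the Linux agent on .30 counts as the SSH build that rule (3) forbids. Suggest stating in the entry that `verify.sh` is a pre-merge check and not a deploy, and how it is meant to reach the Linux host. The entry also repeats most of the memory file's body (sqlx cache, migration collisions, openssl-sys); a one-line summary would keep the index from drifting out of sync with the file it points to.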

@@ -0,0 +1,48 @@
---
name: feedback_gururmm_build_verification
description: Before touching the GuruRMM build pipeline, verify locally first — merge-to-main IS the build+deploy. Canonical refs: docs/BUILD.md + the gururmm-build skill. Compile-gate trap.
metadata:
type: feedback
---
Every Claude instance that touches the GuruRMM build pipeline must internalize this before
editing agent/server/dashboard code:
**Merging to `main` IS the build-and-deploy trigger — there is no separate build step.** A push
to main fires the Gitea webhook → `webhook-handler.py` on 172.16.3.30 → `build-shared.sh` (version
bump + `[ci-version-bump]` commit) → per-component builds (each self-gated on change). New
agent/server/dashboard artifacts land on **beta** first; prod promotion is deliberate.
Canonical, kept-current references (use these, don't re-derive from the scripts):
- **`projects/msp-tools/guru-rmm/docs/BUILD.md`** — developer build + pre-merge verification guide.
- **`gururmm-build` skill** — `verify.sh {server|agent|dashboard|all|migrations} [--check]` runs the
same cargo/npm the server runs, on the right OS, with the gotchas baked in + errorlog on failure.
- **`projects/msp-tools/guru-rmm/deploy/build-pipeline/README.md`** — server-side pipeline source of
truth (webhook, Beast/Pluto hosts, signing, dashboard channels, repo↔/opt sync). The repo's older
`scripts/build-agents.sh` + `scripts/webhook-handler.py` are a PRIOR generation — do not follow them.
The traps that break a post-merge build:
- **Compile gate:** Linux-gated agent code (`#[cfg(target_os="linux")]`, e.g. `is_docker_container()`
in `agent/src/updater/mod.rs`) is ONLY compiled by the Linux agent build — Windows `cargo check`
CANNOT verify it (`openssl-sys` won't cross-build). The Linux agent build on .30 is the real gate.
Build agent changes on the OS family they target; Windows-only paths (MSI/tray/legacy/x86) are
gated only by the Beast/Pluto Windows build.
- **sqlx offline cache:** the server build uses `SQLX_OFFLINE=true` + `server/.sqlx`. If you changed
queries/migrations, run `cargo sqlx prepare` and commit `server/.sqlx`, or the build fails.
- **Migration number collisions** across branches: check the highest `NNN_` on origin/main before
naming a new one (`verify.sh migrations`). Idempotent (`IF NOT EXISTS`) keeps overlaps harmless.
- Webhook builds from **origin/main**, so verify the COMMITTED state, not the working tree.
**Why:** merging deploys, so an unverified merge breaks the build or ships broken code. Howard hit
this 2026-06-21 — couldn't cross-build the Linux-gated BUG-019 path from his Windows box, so the
post-merge Linux build on .30 was the only gate.
**How to apply:** before merging gururmm changes, run `gururmm-build` `verify.sh` for each touched
component (on the OS it targets); read `docs/BUILD.md` if unfamiliar with the model; after merge,
watch the matching `/var/log/gururmm-build-*.log` on .30. Promote the dashboard beta→prod only via
`promote-dashboard.sh --confirm`.
Related: [[reference_gururmm]] [[rmm-dashboard-beta-before-main]] [[feedback_dashboard_beta_first]]
[[feedback_gururmm_build_channel_default]] [[feedback_verify_committed_state_before_push]]
[[reference_guru5070_rust_toolchain]] [[reference_sqlx_migrations_immutable]]
[[gururmm-beast-windows-build-host]] [[feedback_gururmm]] [[rmm-agent-update-model]]
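
Review bot: In the front matter, the `description:` value is an unquoted scalar that contains `Canonical refs: docs/BUILD.md`, and a colon followed by a space inside a plain YAML scalar is rejected by strict parsers. Wrap the whole value in double quotes or reword it without the inner colon. Separately, in the migration bullet, "Idempotent (`IF NOT EXISTS`) keeps overlaps harmless" only covers the DDL being safe to re-run; it does not say what happens when two branches ship different files under the same `NNN_` number, which is the collision the bullet is about, so narrow that sentence or state the expected outcome. The "Why" paragraph also describes Howard building an agent change, which reads oddly next to rule (1) in the index ("RMM dev = Mike, never Howard"); one clause of context would avoid a reader treating the two notes as contradictory.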

@@ -185,7 +185,7 @@ ACG manages multiple M365 tenants via the **ComputerGuru tiered MSP app suite**
| CW Concrete | `clients/cw-concrete/m365.sops.yaml` |
| Kittle (M. Sanchez) | `clients/kittle/m365-michael-sanchez.sops.yaml` |
Also: multi-tenant Graph API service principal at `msp-tools/claude-msp-access-graph-api.sops.yaml`.
Also: the multi-tenant **ComputerGuru remediation app suite** — tiered SPs (Security Investigator `bfbc12a4`, Exchange Operator `b43e7342` (holds Graph Mail.Send), User Manager `64fac46b`, Tenant Admin `709e6eed`, Defender add-on `dbf8ad1a`), secrets `msp-tools/computerguru-*.sops.yaml`. ACG own-mail (`/mailbox`) uses the single-tenant `1873b1b0` app (`msp-tools/computerguru-mailbox.sops.yaml`). The old single-app `fabb3421` ("Claude-MSP-Access", secret `msp-tools/claude-msp-access-graph-api.sops.yaml`) was **DELETED from the tenant 2026-06-14 — do not reference** (token requests return AADSTS700016). See [[feedback_365_remediation_tool]].
**Google Workspace:** ACG service account `msp-tools/acg-msp-access-google-workspace.sops.yaml`. Client-specific: `clients/lonestar-electrical/google-workspace.sops.yaml`.
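
Review bot: The replacement line says the `fabb3421` app was deleted on 2026-06-14 and must not be referenced, yet it still spells out that app's secret path, `msp-tools/claude-msp-access-graph-api.sops.yaml`, without saying whether the file was removed from the vault. If the secret file still exists, someone following this doc can decrypt it and only find out from the AADSTS700016 error that it is dead; suggest deleting the sops file in the same change and dropping the path here, or stating that it is retained for history only. The hunk header calls this the "ComputerGuru tiered MSP app suite" while the new line calls it the "ComputerGuru remediation app suite"; pick one name. Since the section already uses a table for per-client secrets, the five tiered SPs would be easier to audit as rows (role, app ID prefix, secret file) than as one long sentence with a wildcard `computerguru-*.sops.yaml`.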