sync: auto-sync from HOWARD-HOME at 2026-06-21 18:54:05

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-21 18:54:05

session-logs/2026-06/2026-06-21-howard-security-assessment-deploy.md

@@ -109,3 +109,45 @@ php _deploytest.php export <id> client   # posture/recommendations, 0 ACG-servic
 - Live server backups: `*.bak-20260621-181744` in the docroot (rollback if needed).
 - Export endpoint: `api.php?action=export&id=<id>&view=internal|client` (origin requires the CF Access email header).
 - Companion logs: `2026-06-21-howard-security-assessment-scoring.md`, `...-unifi-pfsense-control-verbs.md`, `...-gururmm-bug-018-019.md`.
+
+---
+
+## Update: 18:53 PT — site was broken in browser (stale opcache); root-caused + fixed; CONFIRMED loading
+
+After the deploy, Howard reported the live page "mostly broken — only the Export and Assessments
+buttons at the top." Diagnosed and resolved.
+
+### What was wrong (two compounding issues)
+1. **api.php allow-list bug** (already fixed earlier this session): single `strcasecmp($email, ALLOWED_EMAIL)`
+   vs the whole comma string → 403 for every API call. Confirmed live via the access log (`POST /api.php?action=save 403` repeatedly).
+2. **Stale PHP OPcache** — the server kept executing the OLD `index.php` (rendered output 14637 bytes) and OLD
+   `api.php` even though the new files were on disk (md5 matched local). So the new wizard never rendered (boot()
+   ran the old code / the old api 403'd) and the fix wasn't live.
+
+### Diagnosis path
+- Verified deployed files = local (identical md5), perms 644, `.htaccess` benign, questions.json valid on server,
+  no PHP error log → not a crash. Ran the wizard JS in node with DOM/fetch stubs → boot() completed fine (so not
+  a code bug). The **Apache SSL access log** (`/etc/apache2/logs/domlogs/security.azcomputerguru.com-ssl_log`) was
+  the smoking gun: `GET / 200 14637` (old size; new index.php renders ~27.9k) + many `api.php ... 403`.
+- SAPI = Apache (httpd) + opcache On. Origin-direct curl to 127.0.0.1 hits a default vhost that 404s — the app is
+  only reachable via the EXTERNAL IP path Cloudflare uses.
+
+### Fix
+- Dropped a one-off `_oc.php` (`opcache_reset()`) in the docroot and ran it through the real path:
+  `curl -sk --resolve security.azcomputerguru.com:443:72.194.62.5 -H 'Cf-Access-Authenticated-User-Email: mike@azcomputerguru.com' https://.../_oc.php` → `opcache_reset: OK` (validate_timestamps=1, but the cache hadn't revalidated; reset forced it).
+- Verified: `GET /` now 200 **27885 bytes**, served HTML contains `computeScores`/`gradeFor`/"Posture &amp; findings";
+  `api.php?action=list` returns JSON (no 403). Removed `_oc.php` + local scratch (`_jsrun.cjs`, `_deploytest.php`, `_smoke.php`).
+- Howard confirmed: **"it is loading now."**
+
+### Durable fixes
+- `DEPLOY.md` updated (`31bc786`): "FLUSH OPCACHE after updating" (the external-IP `_oc.php` recipe) + the
+  comma-separated `ALLOWED_EMAIL` gotcha. claudetools pin advanced (`5299f3d`). Logged --friction (deploy/cpanel: stale opcache).
+
+### Key gotchas for next deploy
+- After uploading PHP changes to this cPanel host, opcache can serve stale bytecode → flush it (recipe in DEPLOY.md).
+- Origin-direct (127.0.0.1) 404s the vhost; test/flush via `--resolve ...:443:72.194.62.5` (external IP).
+- Coord (Mike, GURU-5070): BUG-018 (cea87d4) + Event Log Watch UI merged to gururmm main + deploying; I'm cleared to self-merge gururmm going forward.
+
+### Net state
+security.azcomputerguru.com is LIVE and working (new scoring wizard + larger UI + dual export + fixed backend),
+verified server-side and confirmed loading in Howard's browser. Remaining: #1 RMM prefill (deferred, infra), FR-1 portal (deferred, auth decision).