Resolves issues that could cause agent failure, stuck updates, and
silent errors during the update process.
Critical Fixes:
1. Binary Replacement Race Condition (Unix)
- PROBLEM: Window between rename and copy where no binary exists
- FIX: Use atomic rename pattern - copy to temp in same directory,
then single atomic rename operation
- IMPACT: Eliminates complete agent failure on crash during update
2. Update Failure Without Rollback
- PROBLEM: If restart fails after update, no rollback triggered
- FIX: Added rollback_binary() method, explicitly rolls back on
restart failure before returning error
- IMPACT: Agent no longer stuck in broken state
3. Windows Scheduled Task Timing Bug
- PROBLEM: Scheduled time could be in past, schtasks would fail
- FIX: Add 60-second buffer, return date+time tuple with /SD param
- IMPACT: Rollback watchdog now reliably schedules on Windows
4. Windows Binary Replacement Error Handling
- PROBLEM: All errors silently ignored with .ok()
- FIX: Proper error propagation with .context() on all operations
- IMPACT: Update failures now visible with actionable error messages
Code Review: APPROVED
- All fixes correctly address root causes
- Atomic operations eliminate race conditions
- Comprehensive error handling throughout
- Platform-specific code properly isolated
Testing: Syntax verified (cross-compilation toolchain not available)
Additional Issues Identified (for follow-up):
- HIGH: Unix watchdog doesn't survive reboots (systemd timer needed)
- MEDIUM: No concurrent update protection (lock file recommended)
- LOW: chmod failure should be fatal
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Stub migrations (005-008) satisfy sqlx requirement for previously
applied migrations that are missing source files in the codebase.
These migrations were applied in production but not committed.
Renumbered 005_add_missing_indexes to 009 to match production sequence.
Test results document confirms all Phase 1 tunnel API endpoints are
functioning correctly with proper error handling and HTTP status codes.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Avoids conflict with migrations 5-8 that were applied to production
database but are missing from current codebase. Migration 010 will be
applied after the existing sequence (1-4, 9 for 005_add_missing_indexes).
PostgreSQL doesn't support inline CONSTRAINT with WHERE clause.
Changed to separate CREATE UNIQUE INDEX statement for the partial
unique constraint on (tech_id, agent_id, status) WHERE status = 'active'.
This ensures only one active tunnel session per (tech, agent) pair
while allowing multiple closed sessions in history.
Migration tested and verified on PostgreSQL 14.
Audited all 25 proxied zone records and expanded tunnel ingress to cover
9 hostnames total (azcomputerguru + analytics + community + radio +
git + plexrequest + rmm + rmm-api + sync). All verified HTTP 200.
Reverted 3 hostnames to original A records after discovering they
require backend work, not tunnel changes:
- plex/rustdesk: NPM on Jupiter has no vhost for these (returned
'tls: unrecognized name' when tunneled)
- secure: Jupiter can't route to its backend subnet 172.16.1.0/24
Reverted ix.azcomputerguru.com to DNS-only A record after user
reported :2087 WHM access broken. Cloudflare Tunnel is hostname-bound,
not port-bound, so non-standard admin ports can't pass through. Direct
NAT to 72.194.62.5 restored WHM/cPanel access.
Adds four new helper scripts under clients/internal-infrastructure/
scripts/cloudflared-tunnel-setup/ (audit_proxied, discover_backends,
expand_tunnel, revert_broken). All use SOPS vault / env var for creds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Diagnosed azcomputerguru.com 521 errors: Cox's BGP route to specific
Cloudflare origin-pull prefixes (162.158.0.0/16, 172.64.0.0/13,
173.245.48.0/20, 141.101.64.0/18) is broken from 72.194.62.0/29.
Confirmed by TCP probe matrix from pfSense WAN, traceroute latency
comparison, and state-table showing 0 inbound CF connections while
direct-internet traffic still reached origin.
Deployed Cloudflare Tunnel 'acg-origin' on Jupiter Unraid as a
Docker container. Routes 4 proxied hostnames (azcomputerguru.com,
analytics., community., radio.) through the tunnel with HTTPS
backend to IX 172.16.3.10:443 with per-ingress SNI matching. All
4 hostnames return 200 OK through CF edge after the cutover.
Repo hygiene:
- Merged clients/ix-server/ into clients/internal-infrastructure/
(IX is internal infra, not a paying-client account). Git detected
the session-log files as renames so history is preserved. Updated
4 stale path references in 2 files.
- Moved cox-bgp ticket draft out of projects/dataforth-dos/ (wrong
project) to clients/internal-infrastructure/vendor-tickets/.
- Relocated tunnel-setup helper scripts from
projects/dataforth-dos/datasheet-pipeline/implementation/ to
clients/internal-infrastructure/scripts/cloudflared-tunnel-setup/.
Deleted superseded/abandoned login attempts. Sanitized hardcoded
Jupiter/pfSense SSH passwords to pull from SOPS vault at runtime;
Cloudflare token reads from env var (tokens still in 1Password,
vault entry is metadata-only).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comprehensive record of 2026-04-11/12 work extending the Dataforth Test
Datasheet Pipeline: discovery, implementation, deploy to AD2, full
backfill of 27,937 datasheets, post-deploy regex patch for QB plain-
decimal PASS lines, and repo commit 0dd3d82.
Includes credentials, infrastructure paths, commit reference, open
items (vault hygiene, rsync coverage), and accuracy-extraction
reference logic for future sessions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extends the Test Datasheet Pipeline on AD2:C:\Shares\testdatadb to
generate web-published datasheets for the SCMVAS-Mxxx (obsolete) and
SCMHVAS-Mxxxx (replacement) High Voltage Input Module product lines.
Both are tested either with the existing TESTHV3 software (production
VASLOG .DAT logs) or in Engineering with plain .txt output.
Key changes on AD2 (all deployed 2026-04-12 with dated backups):
- parsers/spec-reader.js: getSpecs() returns a `{_family:'SCMVAS',
_noSpecs:true}` sentinel for SCMVAS/SCMHVAS/VAS-M/HVAS-M model prefixes
so the export pipeline does not silently skip them for missing specs.
- templates/datasheet-exact.js: new Accuracy-only template branch
(generateSCMVASDatasheet + helpers) that mirrors the existing shipped
format byte-for-byte. Extraction regex covers both QuickBASIC STR$()
output formats: scientific-with-trailing-status-digit (98.4% of
records) and plain-decimal (1.6% of records above QB's threshold).
- parsers/vaslog-engtxt.js (new): parses the Engineering-Tested .txt
files in TS-3R\LOGS\VASLOG\VASLOG - Engineering Tested\. Filename SN
regex strips optional trailing 14-digit timestamp; in-file "SN:"
header is the authoritative source when the filename is malformed.
- database/import.js: LOG_TYPES grows a VASLOG_ENG entry with
subfolder + recursive flags. Pre-existing 7 log types keep their
implicit recursive=true behaviour (config.recursive !== false).
importFiles() routes VASLOG_ENG paths before the generic loop so a
VASLOG - Engineering Tested/*.txt path does not mis-dispatch to the
multiline parser.
- database/export-datasheets.js: VASLOG_ENG records are written
verbatim via fs.copyFileSync(source_file, For_Web/<SN>.TXT) for true
byte-level pass-through, with a graceful raw_data fallback when the
source file is no longer on disk.
Deploy outcome:
- 27,503 SCMVAS/SCMHVAS datasheets rendered (27,065 from scientific +
438 from plain-decimal PASS lines, post-patch rerun)
- 434 Engineering-Tested .txt files pass-through-copied to For_Web
- 0 errors across both batches
Repo layout added here:
- scmvas-hvas-research/: discovery artifacts (source .BAS, hvin.dat,
sample .DAT + .txt, binary-format notes, IMPLEMENTATION_PLAN.md)
- implementation/: staged final code + deploy helpers + local test
harness + per-step verification scripts
- backups/pre-deploy-20260412/: independent local snapshot of the 4
AD2 files replaced, pulled byte-for-byte before deploy
All helper scripts fetch the AD2 password at runtime from the SOPS
vault (clients/dataforth/ad2.sops.yaml). None of the committed files
contain the plaintext credential. Known vault-entry hygiene issue
(stale shell-escape backslash before the `!`) is documented in the
fetcher comments and stripped at read-time; flagged separately for
cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Removed gaming section per user request
- Added detailed pricing and availability for all CES gadgets
- Added company names, researchers, trial info for medical breakthroughs
- Added detailed specs for AI tools (NotebookLM, Gemini)
- Updated to 3-segment format
- Added price badges and availability badges for visual clarity
- Used ASCII markers instead of emojis per directives
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Added company names, prices, availability dates for all topics
- CES gadgets: LG (,999-,999), Samsung TriFold (,500-,000), Roborock (,599), etc.
- Medical: Galleri test (, available now), VERVE-102 gene therapy details
- AI tools: NotebookLM (free), Gemini Imagen 3 (free tier), detailed access info
- Removed gaming section per user request
- Updated common thread and show wrap for 3-segment format
- Added specific researchers, trial status, company details throughout
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Show prep for April 5, 11, 18, 2026 (markdown + HTML)
- IX server Smart Slider 3 Pro security scan script
- Comprehensive security audit report (87 WordPress sites)
- All sites safe: 0 PRO (compromised), 3 FREE (safe)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created show prep for April 5, 11, and 18, 2026
- HTML versions with clickable links for April 11 and 18
- IX server WordPress security scan (87 sites, 0 compromised)
- Local network scanning for Yealink devices
- Domain controller batch logon rights guidance
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove /refresh-directives references from save, checkpoint, scc, sync
commands. Trim sync.md from 400+ lines to essentials.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New integration with TickTick API for project/task management:
- OAuth 2.0 auth flow (mcp-servers/ticktick/ticktick_auth.py)
- MCP server with 9 tools for Claude Code (ticktick_mcp.py)
- FastAPI service with SOPS vault credentials (api/services/ticktick_service.py)
- JWT-protected REST router at /api/ticktick/ (api/routers/ticktick.py)
- Credentials stored in SOPS vault (services/ticktick.sops.yaml)
Dev project tracking (hybrid TickTick + DB):
- New dev_projects table migration (14 columns, status index)
- TickTick "Dev Projects" list for mobile visibility
- First project seeded: TickTick Integration (linked both sides)
Security: .tokens.json gitignored, token file permissions restricted,
HTML-escaped OAuth callback, SOPS vault (not env vars) for secrets.
Also: Installed Tailscale on ACG-5070 for office network access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Built exact-match TXT formatter from QuickBASIC source (SCM5B, 8B, DSCA, DSCT, SCM7B)
- Spec parser for 10 binary DAT files (1470+ models)
- Work order report importer (33K WOs, 63K test lines)
- On-demand PDF generation, styled HTML view
- Archived 500K pre-2026 For_Web files into year subfolders
- Created domain service account (INTRANET\svc_testdatadb)
- Generated 73/73 Quatronix customer datasheets
- Added STAGE + Reports auto-import to sync script
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
DOS 6.22 MD fails on existing dirs, then COPY creates a file instead of
copying into a directory. Dirs now pre-created on NAS server side.
Also removed trailing backslash from COPY target path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mixed-case paths caused "invalid directory" on TS-27. All paths now uppercase
to match DOS convention and Samba default case = upper setting.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
No conditionals, no DEL. Just MD dirs and COPY. Deployed to AD2 and synced to D2TESTNAS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CTONWTXT.BAT was never being called. Now invoked from CTONW.BAT on every boot.
Destination changed from X: (broken Novell serve.sys check) to T:\Stage\%MACHINE%\.
Removed IF NOT clauses for DOS 6.22 compatibility. Deployed to AD2 and synced to D2TESTNAS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- beast-setup.ps1: Install script for OpenClaw on Win11 home desktop
- beast-workspace/: BOOTSTRAP.md, SOUL.md, USER.md templates
- Beast role: heavy compute (RTX 4090/128GB), large model inference, future smart home LLM server
- Updated README with Beast deployment instructions
