No compromise found; alert traced to geo-IP mislocation of Tucson FirstDigital IP.
Documents ongoing password-spray against Azure CLI app (0 successes).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Points the guru-scan submodule at 11b5d85: RKill now default_disabled (opt in
via -IncludeRKill/-Scanners) so background scans don't kill the interactive
user, and the scanner whitelist now also covers Tailscale, ownCloud, Datto
Workplace, Seafile, and OpenVPN.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
deploy-agent proven end-to-end on RMM-TEST-MACHINE: vaulted Howard Test MSI URL -> GuruRMM
push (msiexec /qn, SYSTEM) -> Syncro service Running -> auto-enrolled as asset 12676769 under
the client + the policy folder embedded in the installer token (5092561) in ~1 min.
installed_applications populates fast; patches lag. POST /policy_folders {policy_folder}
requires parent_id (null->422); move-asset flip-restore verified on the real asset; DELETE
policy_folder works. Shapes + findings recorded.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Live-tested the remaining write resources on Howard Test. Recorded:
- wrapped response shapes (.lead.id/.vendor.id/.product.id/.purchase_order.id/
.po_line_item.id/.worksheet_result.id) added to Verified Response Shapes.
- create_po_line_item requires product maintain_stock:true.
- worksheet templates live in GET /tickets/settings (.worksheet_templates[]), no standalone
endpoint; need a valid worksheet_template_id.
- PUT /products requires name+description; leads/vendors/products/POs have NO DELETE (global
test records persist -> GUI cleanup).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Decoded the Syncro RMM installer URL from 4 client samples:
base64(v1-{customer_id}-{A}-48753-{policy_folder_id}). 48753 = our account id (constant);
customer_id + policy_folder_id are API-readable; A is an unguessable per-client security token
NOT exposed anywhere in the API -> the URL is NOT constructible and must be harvested per client
and vaulted. Installer is an MSI -> deploy uses msiexec /qn /norestart.
deploy-agent now reads clients/<slug>/syncro-agent-installer (credentials.installer_url) from
the vault (cascades-tucson, grabb-durando, reliant, howard-test seeded) and pushes via GuruRMM.
Findings recorded in test-findings.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Test campaign on Howard Test sandbox (customer 36118743) surfaced traps the skill must not
re-learn:
- invoice/estimate email endpoints return 200 "Email sent" even with NO recipient
(customer.email null) -> never report delivery from the 200; verify customer.email first.
- customer.email is UNIQUE tenant-wide; PUT /customers failure returns
{success:false,message:[...]} not {customer:{...}} -> check .success.
- POST/PUT /contacts return a FLAT object (.id), not {contact:{...}}; contact recipient
flags (primary/receives_invoices) are ignored via API.
- POST /contracts write succeeds but body doesn't echo the object; /contracts?customer_id
doesn't filter server-side -> GET-verify + client-filter.
New living log .claude/standards/syncro/test-findings.md; critical items folded into
syncro.md Hard Rules + Verified Response Shapes. Correction logged to errorlog.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add comprehensive Syncro coverage beyond PSA core:
- New .claude/standards/syncro/api-reference.md: complete verified inventory of ~180
endpoints across 38 resource types (generated from live OpenAPI 3.0 spec + tenant
probe 2026-07-10), with worked GET/POST/PUT/DELETE templates and token-capability matrix.
- /syncro: asset read intelligence (patches, installed_applications), asset create/update,
policy-folder move (move-asset), RMM alerts, and deploy-agent (hybrid installer push via
GuruRMM using SyncroSetup --console --allow-force-reboot).
- move-asset ships a capability preflight (GET /policy_folders?customer_id -> 401 = missing
Assets-Policy-Change) + mandatory post-write verify, because an under-scoped token returns
HTTP 200 and silently no-ops the move.
Correct the "Syncro RMM is API-impossible" belief: it was a token-scope gap, not an API
limit. Live-verified the asset move (flip-and-restore 692253->692278->692253). Token scope
today: Howard + Winter full; Mike (vaulted ...ebbeb3) still 401 pending re-vault.
Corrects memory reference-syncro-rmm-api-gui-only; correction logged to errorlog.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Point the superproject at the tested guru-scan commit: RKill -w process
whitelist (spares the PowerShell host + running GuruRMM/Syncro/Datto EDR/
ScreenConnect/Bitdefender/MSP360/Splashtop agents), Datto EDR folders added to
the HitmanPro/Emsisoft exclusion list, and cleanup guard so scan logs/archives
are never deleted.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>