Five modes: client (orange), dev (cyan), infra (red), general (blue),
remediation (purple). Auto-detects from user messages using keyword
priority rules. Manual override via /mode <name>. Color changes via
/color on mode transitions. Posture adjusts per mode (e.g., infra =
confirm-before-destructive, dev = delegate freely).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Appended afternoon work: MSI installer MVP, Len's Auto Brokerage test
client, Uranus server docs, multi-user identity system, onboarding guide,
bootstrap package, audit gap fixes (GrepAI/Ollama/MCP/settings), and
generic /import command for folder ingestion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Slash command that accepts any folder path, scans all files, classifies
by content (client work, project code, credentials, session logs, tools,
docs), sanitizes credentials into SOPS vault, presents a placement plan
for approval, then executes.
Handles Claude Code session data (delegates to tools/import-sessions.py),
existing project detection, duplicate checks, and credential extraction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tools/import-sessions.py: Scans ~/.claude/projects/ for existing Claude
Code sessions, extracts summaries (user messages, tools used, files
touched, credential flags), stages for Claude to organize into
ClaudeTools folder structure.
Audit gap fixes:
- .mcp.json: added grepai MCP server
- .claude/settings.json: created with bypassPermissions default
- .claude/MCP_SERVERS.md: documented all MCP servers
- Ollama: all 3 models pulled (qwen3:14b, codestral:22b, nomic-embed-text)
- GrepAI: initialized (grepai init), watcher ready
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Enhance /save and /sync slash commands to attribute commits by author
so Mike and Howard can see at a glance what the other person did.
- sync.sh: loads identity.json, shows incoming/outgoing commits with
author + age before pull/push, groups by author in final summary
- sync.md: describes the new output format + conflict attribution
- save.md: pre-commit Change Summary block + post-commit Summary
Motivation: repo is now shared across team, `git log` alone made it
hard to see "when did Howard change that?" without hunting.
- ONBOARDING.md: comprehensive guide explaining WHY the setup exists
(vault, session logs, skills, agents, Ollama/GrepAI, daily workflow).
Written for someone who's never used Claude Code before.
- CLAUDE.md: on first sync, Claude walks new users through ONBOARDING.md
section by section + sets up git remote for their own Gitea account.
- users.json: Howard's gitea_username added (own account, admin on all repos).
Audit findings noted: GrepAI not installed, Ollama not running,
MCP_SERVERS.md missing. These need fixing per-machine before onboarding
is fully smooth.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- .claude/identity.json (gitignored, per-machine) identifies who's at the keyboard
- .claude/users.json (tracked) registers known team members + roles + machines
- CLAUDE.md: on first sync, Claude asks "Mike or Howard?" and creates identity.json
- Session logs must include User section for attribution
- Git commits use per-user name/email (shared Gitea push account)
- Howard Enos (tech, full trust) added as second team member
- Memory entry created for Howard
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
End-to-end automated signing via jsign on Linux build server (SP-authenticated
to Azure Trusted Signing). First signed release built through the pipeline.
First signed MSI installer using WiX 5 on Windows workstation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sed escape-sequence handling through the heredoc lost the \1
backreference, yielding an empty VERSION. Switched to
awk -F'"' '/^version/{print $2; exit}' which is simpler and resistant to
quoting. First full end-to-end signed build validated v0.6.1 deployed
and verified against the Microsoft cert chain.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- sign-windows.sh: jsign wrapper using Trusted Signing service principal
via OAuth client_credentials flow. Reads SP creds from
/etc/gururmm-signing.env (root-only). Uses RFC3161 timestamping (jsign's
default Authenticode mode fails against Microsoft ACS).
- build-agents.sh: now signs the Windows binary in-place after cargo build
and computes sha256 AFTER signing so consumers get correct hashes.
- Updated -latest symlinks for both Linux + Windows in the build script.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reproducible signing setup for any developer machine. metadata.json
points signtool at the gururmm-signing account / gururmm-public-trust
cert profile. sign.ps1 wraps signtool with the right /dlib + /dmdf +
timestamp flags; uses az login session for authentication.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- TEST-DATASHEET-PROCESS.md: comprehensive pipeline documentation for
Dataforth engineering (10 sections, data flow, state diagram, FAQ)
- signing-attestation/: domain ownership attestation letter with
in-place signature for Azure Trusted Signing identity validation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Installed C:\ProgramData\dataforth-uploader\ on AD2 with:
- credentials.json (SYSTEM+Administrators ACL only)
- run-pipeline.ps1 (DFWDS-process -> enumerate For_Web -> upload-delta)
- dfwds-process.js + upload-delta.js (copied from prior install dir)
- logs/ with 60-day retention
Scheduled Task 'DataforthTestDatasheetUploader' registered as SYSTEM,
hourly trigger, 30-min execution limit. First SYSTEM-context run verified:
received=7061 unchanged=7061 errors=0 in 8.7s.
Initial registration via inline base64 mangled the backslashes in the -File
argument (resulted in ERROR_DIRECTORY 0x8007010B). Fixed by running the
registration PowerShell from a file rather than an encoded command string.
Also deleted throwaway tmp/list_amtransit.py + tmp/reset_cansley.py which
had hardcoded ACG admin password.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Built the missing piece between the test datasheet pipeline and Dataforth's
new product API. End-to-end:
- Pulled DFWDS (Dataforth Web Datasheet System) VB6 source from
AD1\Engineering\ENGR\ATE\Test Datasheets\DFWDS to local for analysis
- Decoded its filename validation: A-J prefix decodes (A=10..J=19), all-
numeric WO# valid (no leading 0), anything else bad
- Ported the validation + move logic to Node (dfwds-process.js)
- Built bulk uploader (upload-delta.js) for Hoffman's Swagger API
(POST /api/v1/TestReportDataFiles/bulk with OAuth client_credentials)
Sanitized 3 prior reference scripts (fetch-server-inventory, test-scenarios,
test-upload-two) to read CF_* env vars instead of hardcoded creds.
Live drain results:
- 897 files moved Test_Datasheets -> For_Web (all valid, no renames, no
bad), DFWDS port summary in 1.1s
- Pushed entire For_Web (7,061 files) to Hoffman API in 49.7s @ 142/s:
Created=803 Updated=114 Unchanged=6,144 Errors=0
- Server count: 489,579 -> 490,382 (+803 net new)
Also:
- Added clients/dataforth/.gitignore to exclude plaintext Oauth.txt note
- Added clients/instrumental-music-center/docs/2026-04-13-ticket-notes.md
(ticket write-up of 2026-04-11/12/13 IMC1 RDS removal/SQL migration work)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Resolves issues that could cause agent failure, stuck updates, and
silent errors during the update process.
Critical Fixes:
1. Binary Replacement Race Condition (Unix)
- PROBLEM: Window between rename and copy where no binary exists
- FIX: Use atomic rename pattern - copy to temp in same directory,
then single atomic rename operation
- IMPACT: Eliminates complete agent failure on crash during update
2. Update Failure Without Rollback
- PROBLEM: If restart fails after update, no rollback triggered
- FIX: Added rollback_binary() method, explicitly rolls back on
restart failure before returning error
- IMPACT: Agent no longer stuck in broken state
3. Windows Scheduled Task Timing Bug
- PROBLEM: Scheduled time could be in past, schtasks would fail
- FIX: Add 60-second buffer, return date+time tuple with /SD param
- IMPACT: Rollback watchdog now reliably schedules on Windows
4. Windows Binary Replacement Error Handling
- PROBLEM: All errors silently ignored with .ok()
- FIX: Proper error propagation with .context() on all operations
- IMPACT: Update failures now visible with actionable error messages
Code Review: APPROVED
- All fixes correctly address root causes
- Atomic operations eliminate race conditions
- Comprehensive error handling throughout
- Platform-specific code properly isolated
Testing: Syntax verified (cross-compilation toolchain not available)
Additional Issues Identified (for follow-up):
- HIGH: Unix watchdog doesn't survive reboots (systemd timer needed)
- MEDIUM: No concurrent update protection (lock file recommended)
- LOW: chmod failure should be fatal
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Stub migrations (005-008) satisfy sqlx requirement for previously
applied migrations that are missing source files in the codebase.
These migrations were applied in production but not committed.
Renumbered 005_add_missing_indexes to 009 to match production sequence.
Test results document confirms all Phase 1 tunnel API endpoints are
functioning correctly with proper error handling and HTTP status codes.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Avoids conflict with migrations 5-8 that were applied to production
database but are missing from current codebase. Migration 010 will be
applied after the existing sequence (1-4, 9 for 005_add_missing_indexes).
PostgreSQL doesn't support inline CONSTRAINT with WHERE clause.
Changed to separate CREATE UNIQUE INDEX statement for the partial
unique constraint on (tech_id, agent_id, status) WHERE status = 'active'.
This ensures only one active tunnel session per (tech, agent) pair
while allowing multiple closed sessions in history.
Migration tested and verified on PostgreSQL 14.
Audited all 25 proxied zone records and expanded tunnel ingress to cover
9 hostnames total (azcomputerguru + analytics + community + radio +
git + plexrequest + rmm + rmm-api + sync). All verified HTTP 200.
Reverted 3 hostnames to original A records after discovering they
require backend work, not tunnel changes:
- plex/rustdesk: NPM on Jupiter has no vhost for these (returned
'tls: unrecognized name' when tunneled)
- secure: Jupiter can't route to its backend subnet 172.16.1.0/24
Reverted ix.azcomputerguru.com to DNS-only A record after user
reported :2087 WHM access broken. Cloudflare Tunnel is hostname-bound,
not port-bound, so non-standard admin ports can't pass through. Direct
NAT to 72.194.62.5 restored WHM/cPanel access.
Adds four new helper scripts under clients/internal-infrastructure/
scripts/cloudflared-tunnel-setup/ (audit_proxied, discover_backends,
expand_tunnel, revert_broken). All use SOPS vault / env var for creds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Diagnosed azcomputerguru.com 521 errors: Cox's BGP route to specific
Cloudflare origin-pull prefixes (162.158.0.0/16, 172.64.0.0/13,
173.245.48.0/20, 141.101.64.0/18) is broken from 72.194.62.0/29.
Confirmed by TCP probe matrix from pfSense WAN, traceroute latency
comparison, and state-table showing 0 inbound CF connections while
direct-internet traffic still reached origin.
Deployed Cloudflare Tunnel 'acg-origin' on Jupiter Unraid as a
Docker container. Routes 4 proxied hostnames (azcomputerguru.com,
analytics., community., radio.) through the tunnel with HTTPS
backend to IX 172.16.3.10:443 with per-ingress SNI matching. All
4 hostnames return 200 OK through CF edge after the cutover.
Repo hygiene:
- Merged clients/ix-server/ into clients/internal-infrastructure/
(IX is internal infra, not a paying-client account). Git detected
the session-log files as renames so history is preserved. Updated
4 stale path references in 2 files.
- Moved cox-bgp ticket draft out of projects/dataforth-dos/ (wrong
project) to clients/internal-infrastructure/vendor-tickets/.
- Relocated tunnel-setup helper scripts from
projects/dataforth-dos/datasheet-pipeline/implementation/ to
clients/internal-infrastructure/scripts/cloudflared-tunnel-setup/.
Deleted superseded/abandoned login attempts. Sanitized hardcoded
Jupiter/pfSense SSH passwords to pull from SOPS vault at runtime;
Cloudflare token reads from env var (tokens still in 1Password,
vault entry is metadata-only).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comprehensive record of 2026-04-11/12 work extending the Dataforth Test
Datasheet Pipeline: discovery, implementation, deploy to AD2, full
backfill of 27,937 datasheets, post-deploy regex patch for QB plain-
decimal PASS lines, and repo commit 0dd3d82.
Includes credentials, infrastructure paths, commit reference, open
items (vault hygiene, rsync coverage), and accuracy-extraction
reference logic for future sessions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extends the Test Datasheet Pipeline on AD2:C:\Shares\testdatadb to
generate web-published datasheets for the SCMVAS-Mxxx (obsolete) and
SCMHVAS-Mxxxx (replacement) High Voltage Input Module product lines.
Both are tested either with the existing TESTHV3 software (production
VASLOG .DAT logs) or in Engineering with plain .txt output.
Key changes on AD2 (all deployed 2026-04-12 with dated backups):
- parsers/spec-reader.js: getSpecs() returns a `{_family:'SCMVAS',
_noSpecs:true}` sentinel for SCMVAS/SCMHVAS/VAS-M/HVAS-M model prefixes
so the export pipeline does not silently skip them for missing specs.
- templates/datasheet-exact.js: new Accuracy-only template branch
(generateSCMVASDatasheet + helpers) that mirrors the existing shipped
format byte-for-byte. Extraction regex covers both QuickBASIC STR$()
output formats: scientific-with-trailing-status-digit (98.4% of
records) and plain-decimal (1.6% of records above QB's threshold).
- parsers/vaslog-engtxt.js (new): parses the Engineering-Tested .txt
files in TS-3R\LOGS\VASLOG\VASLOG - Engineering Tested\. Filename SN
regex strips optional trailing 14-digit timestamp; in-file "SN:"
header is the authoritative source when the filename is malformed.
- database/import.js: LOG_TYPES grows a VASLOG_ENG entry with
subfolder + recursive flags. Pre-existing 7 log types keep their
implicit recursive=true behaviour (config.recursive !== false).
importFiles() routes VASLOG_ENG paths before the generic loop so a
VASLOG - Engineering Tested/*.txt path does not mis-dispatch to the
multiline parser.
- database/export-datasheets.js: VASLOG_ENG records are written
verbatim via fs.copyFileSync(source_file, For_Web/<SN>.TXT) for true
byte-level pass-through, with a graceful raw_data fallback when the
source file is no longer on disk.
Deploy outcome:
- 27,503 SCMVAS/SCMHVAS datasheets rendered (27,065 from scientific +
438 from plain-decimal PASS lines, post-patch rerun)
- 434 Engineering-Tested .txt files pass-through-copied to For_Web
- 0 errors across both batches
Repo layout added here:
- scmvas-hvas-research/: discovery artifacts (source .BAS, hvin.dat,
sample .DAT + .txt, binary-format notes, IMPLEMENTATION_PLAN.md)
- implementation/: staged final code + deploy helpers + local test
harness + per-step verification scripts
- backups/pre-deploy-20260412/: independent local snapshot of the 4
AD2 files replaced, pulled byte-for-byte before deploy
All helper scripts fetch the AD2 password at runtime from the SOPS
vault (clients/dataforth/ad2.sops.yaml). None of the committed files
contain the plaintext credential. Known vault-entry hygiene issue
(stale shell-escape backslash before the `!`) is documented in the
fetcher comments and stripped at read-time; flagged separately for
cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Removed gaming section per user request
- Added detailed pricing and availability for all CES gadgets
- Added company names, researchers, trial info for medical breakthroughs
- Added detailed specs for AI tools (NotebookLM, Gemini)
- Updated to 3-segment format
- Added price badges and availability badges for visual clarity
- Used ASCII markers instead of emojis per directives
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Added company names, prices, availability dates for all topics
- CES gadgets: LG (,999-,999), Samsung TriFold (,500-,000), Roborock (,599), etc.
- Medical: Galleri test (, available now), VERVE-102 gene therapy details
- AI tools: NotebookLM (free), Gemini Imagen 3 (free tier), detailed access info
- Removed gaming section per user request
- Updated common thread and show wrap for 3-segment format
- Added specific researchers, trial status, company details throughout
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Show prep for April 5, 11, 18, 2026 (markdown + HTML)
- IX server Smart Slider 3 Pro security scan script
- Comprehensive security audit report (87 WordPress sites)
- All sites safe: 0 PRO (compromised), 3 FREE (safe)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created show prep for April 5, 11, and 18, 2026
- HTML versions with clickable links for April 11 and 18
- IX server WordPress security scan (87 sites, 0 compromised)
- Local network scanning for Yealink devices
- Domain controller batch logon rights guidance
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove /refresh-directives references from save, checkpoint, scc, sync
commands. Trim sync.md from 400+ lines to essentials.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
