Fixed Cascades pfSense password in vault (a6A6c6fe→Th1nk3r^99, moved from
dataforth to cascades-tucson). Ollama exposed via Tailscale for Howard
(100.92.127.64:11434, firewall restricted to 100.0.0.0/8). Reviewed
Howard's first full day of work on shared system.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CLAUDE.md: Ollama section rewritten. localhost for Mike's workstation,
100.92.127.64:11434 via Tailscale for all other machines. Claude reads
identity.json hostname to determine which URL to use. Firewall rule
restricts to Tailscale 100.0.0.0/8 subnet only.
ONBOARDING.md: updated Ollama section for remote access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Discovered from GUI page source: comment[product_id] + comment[minutes_spent]
+ comment[bill_time_now] are fields on POST /tickets/{id}/comment. This is
how the GUI adds time — as part of the comment, not via separate timer_entry.
Updated billing workflow + added --time/--labor flags to comment command.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Timer entries use POST /tickets/{id}/timer_entry with labor product IDs
(not invoice products). "Make Invoice" converts timers to invoice.
Documented 7 common labor products with IDs. Fixed line_items path to
/invoices/{id}/line_items.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Create, update, close, comment on, search, and bill tickets via Syncro
REST API. Includes customer search, invoice creation, line items, and
ticket timer management. API key from SOPS vault.
Verified: pulls real ticket data from computerguru.syncromsp.com.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two phishing campaigns hit Glaztech on 2026-04-17 bypassing MailProtector
via exposed M365 MX record. Spoofed internal senders, forwarded by 8 users.
Fixes applied: removed direct M365 MX, DMARC p=reject, Enhanced Filtering
on inbound connector. 32 messages purged across all affected mailboxes.
Forensic samples + full incident report preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New clients/evs/ directory with session log documenting the
registry tweak to restore the classic right-click context menu
on Howard's EVS VM (reg add of empty InprocServer32 under the
Win11 new-menu CLSID, per-user HKCU, no admin needed).
589G OwnCloud data moved from cache SSD to disk7 array (2h49m rsync).
Cache dropped from 82% to 34%. MariaDB + Discourse recovered and running
7h+ healthy. Share config changed to no-cache permanently.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Jupiter cache drive at 99% BTRFS data allocation — MariaDB + Discourse
crash-looping. Root cause: 589G OwnCloud data stuck on cache (mover
blocked by active SMB session from OwnCloud VM). Migration in progress
(rsync cache->array disk7, ~90% at time of commit). Also fixed /mode
command to acknowledge /color is user-invokable only.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Five modes: client (orange), dev (cyan), infra (red), general (blue),
remediation (purple). Auto-detects from user messages using keyword
priority rules. Manual override via /mode <name>. Color changes via
/color on mode transitions. Posture adjusts per mode (e.g., infra =
confirm-before-destructive, dev = delegate freely).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Appended afternoon work: MSI installer MVP, Len's Auto Brokerage test
client, Uranus server docs, multi-user identity system, onboarding guide,
bootstrap package, audit gap fixes (GrepAI/Ollama/MCP/settings), and
generic /import command for folder ingestion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Slash command that accepts any folder path, scans all files, classifies
by content (client work, project code, credentials, session logs, tools,
docs), sanitizes credentials into SOPS vault, presents a placement plan
for approval, then executes.
Handles Claude Code session data (delegates to tools/import-sessions.py),
existing project detection, duplicate checks, and credential extraction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tools/import-sessions.py: Scans ~/.claude/projects/ for existing Claude
Code sessions, extracts summaries (user messages, tools used, files
touched, credential flags), stages for Claude to organize into
ClaudeTools folder structure.
Audit gap fixes:
- .mcp.json: added grepai MCP server
- .claude/settings.json: created with bypassPermissions default
- .claude/MCP_SERVERS.md: documented all MCP servers
- Ollama: all 3 models pulled (qwen3:14b, codestral:22b, nomic-embed-text)
- GrepAI: initialized (grepai init), watcher ready
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Enhance /save and /sync slash commands to attribute commits by author
so Mike and Howard can see at a glance what the other person did.
- sync.sh: loads identity.json, shows incoming/outgoing commits with
author + age before pull/push, groups by author in final summary
- sync.md: describes the new output format + conflict attribution
- save.md: pre-commit Change Summary block + post-commit Summary
Motivation: repo is now shared across team, `git log` alone made it
hard to see "when did Howard change that?" without hunting.
- ONBOARDING.md: comprehensive guide explaining WHY the setup exists
(vault, session logs, skills, agents, Ollama/GrepAI, daily workflow).
Written for someone who's never used Claude Code before.
- CLAUDE.md: on first sync, Claude walks new users through ONBOARDING.md
section by section + sets up git remote for their own Gitea account.
- users.json: Howard's gitea_username added (own account, admin on all repos).
Audit findings noted: GrepAI not installed, Ollama not running,
MCP_SERVERS.md missing. These need fixing per-machine before onboarding
is fully smooth.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- .claude/identity.json (gitignored, per-machine) identifies who's at the keyboard
- .claude/users.json (tracked) registers known team members + roles + machines
- CLAUDE.md: on first sync, Claude asks "Mike or Howard?" and creates identity.json
- Session logs must include User section for attribution
- Git commits use per-user name/email (shared Gitea push account)
- Howard Enos (tech, full trust) added as second team member
- Memory entry created for Howard
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
End-to-end automated signing via jsign on Linux build server (SP-authenticated
to Azure Trusted Signing). First signed release built through the pipeline.
First signed MSI installer using WiX 5 on Windows workstation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sed escape-sequence handling through the heredoc lost the \1
backreference, yielding an empty VERSION. Switched to
awk -F'"' '/^version/{print $2; exit}' which is simpler and resistant to
quoting. First full end-to-end signed build validated v0.6.1 deployed
and verified against the Microsoft cert chain.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- sign-windows.sh: jsign wrapper using Trusted Signing service principal
via OAuth client_credentials flow. Reads SP creds from
/etc/gururmm-signing.env (root-only). Uses RFC3161 timestamping (jsign's
default Authenticode mode fails against Microsoft ACS).
- build-agents.sh: now signs the Windows binary in-place after cargo build
and computes sha256 AFTER signing so consumers get correct hashes.
- Updated -latest symlinks for both Linux + Windows in the build script.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reproducible signing setup for any developer machine. metadata.json
points signtool at the gururmm-signing account / gururmm-public-trust
cert profile. sign.ps1 wraps signtool with the right /dlib + /dmdf +
timestamp flags; uses az login session for authentication.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- TEST-DATASHEET-PROCESS.md: comprehensive pipeline documentation for
Dataforth engineering (10 sections, data flow, state diagram, FAQ)
- signing-attestation/: domain ownership attestation letter with
in-place signature for Azure Trusted Signing identity validation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Installed C:\ProgramData\dataforth-uploader\ on AD2 with:
- credentials.json (SYSTEM+Administrators ACL only)
- run-pipeline.ps1 (DFWDS-process -> enumerate For_Web -> upload-delta)
- dfwds-process.js + upload-delta.js (copied from prior install dir)
- logs/ with 60-day retention
Scheduled Task 'DataforthTestDatasheetUploader' registered as SYSTEM,
hourly trigger, 30-min execution limit. First SYSTEM-context run verified:
received=7061 unchanged=7061 errors=0 in 8.7s.
Initial registration via inline base64 mangled the backslashes in the -File
argument (resulted in ERROR_DIRECTORY 0x8007010B). Fixed by running the
registration PowerShell from a file rather than an encoded command string.
Also deleted throwaway tmp/list_amtransit.py + tmp/reset_cansley.py which
had hardcoded ACG admin password.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Built the missing piece between the test datasheet pipeline and Dataforth's
new product API. End-to-end:
- Pulled DFWDS (Dataforth Web Datasheet System) VB6 source from
AD1\Engineering\ENGR\ATE\Test Datasheets\DFWDS to local for analysis
- Decoded its filename validation: A-J prefix decodes (A=10..J=19), all-
numeric WO# valid (no leading 0), anything else bad
- Ported the validation + move logic to Node (dfwds-process.js)
- Built bulk uploader (upload-delta.js) for Hoffman's Swagger API
(POST /api/v1/TestReportDataFiles/bulk with OAuth client_credentials)
Sanitized 3 prior reference scripts (fetch-server-inventory, test-scenarios,
test-upload-two) to read CF_* env vars instead of hardcoded creds.
Live drain results:
- 897 files moved Test_Datasheets -> For_Web (all valid, no renames, no
bad), DFWDS port summary in 1.1s
- Pushed entire For_Web (7,061 files) to Hoffman API in 49.7s @ 142/s:
Created=803 Updated=114 Unchanged=6,144 Errors=0
- Server count: 489,579 -> 490,382 (+803 net new)
Also:
- Added clients/dataforth/.gitignore to exclude plaintext Oauth.txt note
- Added clients/instrumental-music-center/docs/2026-04-13-ticket-notes.md
(ticket write-up of 2026-04-11/12/13 IMC1 RDS removal/SQL migration work)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Resolves issues that could cause agent failure, stuck updates, and
silent errors during the update process.
Critical Fixes:
1. Binary Replacement Race Condition (Unix)
- PROBLEM: Window between rename and copy where no binary exists
- FIX: Use atomic rename pattern - copy to temp in same directory,
then single atomic rename operation
- IMPACT: Eliminates complete agent failure on crash during update
2. Update Failure Without Rollback
- PROBLEM: If restart fails after update, no rollback triggered
- FIX: Added rollback_binary() method, explicitly rolls back on
restart failure before returning error
- IMPACT: Agent no longer stuck in broken state
3. Windows Scheduled Task Timing Bug
- PROBLEM: Scheduled time could be in past, schtasks would fail
- FIX: Add 60-second buffer, return date+time tuple with /SD param
- IMPACT: Rollback watchdog now reliably schedules on Windows
4. Windows Binary Replacement Error Handling
- PROBLEM: All errors silently ignored with .ok()
- FIX: Proper error propagation with .context() on all operations
- IMPACT: Update failures now visible with actionable error messages
Code Review: APPROVED
- All fixes correctly address root causes
- Atomic operations eliminate race conditions
- Comprehensive error handling throughout
- Platform-specific code properly isolated
Testing: Syntax verified (cross-compilation toolchain not available)
Additional Issues Identified (for follow-up):
- HIGH: Unix watchdog doesn't survive reboots (systemd timer needed)
- MEDIUM: No concurrent update protection (lock file recommended)
- LOW: chmod failure should be fatal
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Stub migrations (005-008) satisfy sqlx requirement for previously
applied migrations that are missing source files in the codebase.
These migrations were applied in production but not committed.
Renumbered 005_add_missing_indexes to 009 to match production sequence.
Test results document confirms all Phase 1 tunnel API endpoints are
functioning correctly with proper error handling and HTTP status codes.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Avoids conflict with migrations 5-8 that were applied to production
database but are missing from current codebase. Migration 010 will be
applied after the existing sequence (1-4, 9 for 005_add_missing_indexes).
PostgreSQL doesn't support inline CONSTRAINT with WHERE clause.
Changed to separate CREATE UNIQUE INDEX statement for the partial
unique constraint on (tech_id, agent_id, status) WHERE status = 'active'.
This ensures only one active tunnel session per (tech, agent) pair
while allowing multiple closed sessions in history.
Migration tested and verified on PostgreSQL 14.
Audited all 25 proxied zone records and expanded tunnel ingress to cover
9 hostnames total (azcomputerguru + analytics + community + radio +
git + plexrequest + rmm + rmm-api + sync). All verified HTTP 200.
Reverted 3 hostnames to original A records after discovering they
require backend work, not tunnel changes:
- plex/rustdesk: NPM on Jupiter has no vhost for these (returned
'tls: unrecognized name' when tunneled)
- secure: Jupiter can't route to its backend subnet 172.16.1.0/24
Reverted ix.azcomputerguru.com to DNS-only A record after user
reported :2087 WHM access broken. Cloudflare Tunnel is hostname-bound,
not port-bound, so non-standard admin ports can't pass through. Direct
NAT to 72.194.62.5 restored WHM/cPanel access.
Adds four new helper scripts under clients/internal-infrastructure/
scripts/cloudflared-tunnel-setup/ (audit_proxied, discover_backends,
expand_tunnel, revert_broken). All use SOPS vault / env var for creds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
