New skill to manage ACG's Yealink phone fleets via Yealink Management Cloud Service v2
(us-api.ymcs.yealink.com). RTFM'd the API (token auth via POST /v2/token Basic+bearer, NOT the
legacy RPS HMAC; legacy-TLS renegotiation required) + endpoint map from the dszp/n8n-nodes-
yealinkymcs community node. Live-verified: token auth, sites (one ACG AccessKey sees ALL client
sites — VWP/GuruHQ/Ace Pick Up Parks as children of the ACG parent), devices, accounts,
rps-servers (RPS = "WL - ACG" ftp://p.packetdials.net). Gated writes (--confirm): add-devices-by-mac,
add-sipaccount (push a NetSapiens SIP cred onto a phone = the PBX glue), reboot, reset, rps add/del;
+ raw passthrough (auto-recovers the MSYS /v2 path-mangling). Creds vaulted at
services/yealink-ymcs.sops.yaml. Pairs with packetdial onboard-domain for new-client phone
provisioning; VWP is the live pilot. Honest [V]/[P] verification status in SKILL.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
onboard-domain runs POST /domains -> addresses/validate (gen E911 pidflo) -> addresses/create
from one JSON body (domain fields + optional `emergency` block), gated --confirm. Reverse-
engineered from the OITVOIP wizard screenshots; live-created the real client domain
vwp.91912.service (Valley Wide Plastering) + E911 address, and proved the wrapper with a
throwaway create->delete (no leftovers, vwp intact). Documented GUI->API mapping + the two
manual gaps (voicemail user-defaults, email-send-from-address pending the packetdial.com mailbox)
+ the domain-type "no"-on-create quirk.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Added read wrappers: addresses (E911), smsnumbers, blocked-numbers, moh, dialrules,
recording, transcriptions. Added gated write wrappers: DID update/delete, per-user device
CRUD, E911 address CRUD, contact CRUD, site create/update, auto-attendant create, SMS
number CRUD, block/unblock numbers, MoH TTS create/delete.
Verification: contact create→delete lifecycle verified on arizonacomputerguru (id field is
`unique-id`); reads for addresses/blocked-numbers/moh verified. Remaining writes are plumbed
per the OpenAPI spec [P] but not lifecycle-verified (test domain lacks the feature or needs a
special body) — SKILL.md marks each [V]/[P] and documents the gotchas (E911 pidflo via
addresses/validate; SMS not provisioned on test domain; number-filters add 202'd but didn't
persist; MoH file upload is multipart -> raw). Capability map + api.md history updated.
All writes --confirm-gated; anything unwrapped still reachable via `raw`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Added write wrappers, each tested create→update→delete on the arizonacomputerguru test
domain (sanctioned, non-production):
- call queues: create-callqueue, update-callqueue, delete-callqueue + add-agent /
update-agent / remove-agent
- time frames: create-timeframe, update-timeframe, delete-timeframe (body-discriminated —
same path, server selects the op from the body; wrappers pass --body verbatim)
All behind --confirm (gate verified: DRY RUN refuses without it). SKILL.md documents the
bodies + the days-of-week-needs-array gotcha + names ACG as the test bed; capability map
+ api.md history updated. No production objects touched; no test leftovers.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Key is now provisioned + live-verified, so grounded the skill in the real spec (RTFM):
- Mapped the OpenAPI surface (v44.4.10, 239 paths / 354 ops) — capability map added to
SKILL.md (what the platform exposes vs what's wrapped vs raw-only).
- Added 6 live-verified read wrappers (ns.py + ns_client.py): callqueues, timeframes,
sites, contacts, autoattendants, billing (domain limits/usage).
- Replaced the stale "not yet provisioned" credentials section with the live status
(vaulted nsr_ reseller key, key-id nsr_hSGUB5Wo, scope Reseller 91912.service, RW) +
the pbx.packetdial.com vs api.ucaasnetwork.com hostname note + override.
- api.md history updated. Writes remain gated behind --confirm; everything unwrapped
reachable via `raw`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The control methods (send-command/send-message/set-properties) and session
detail are verified live on the ACG instance; the "pending unlock" help text
was left over from before probing confirmed them. Skill validated against
skill-creator rules (frontmatter, vault creds, gated writes, errorlog
compliance, ASCII, selftest 12/12).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds c_msg_purge to coord.py + SKILL.md doc. Deletes coordination messages older than a
date cutoff via DELETE /api/coord/messages/{id}. Safety: --before is required (can't wipe
the store by accident), DRY-RUN by default (previews; --yes to actually delete), optional
--to scopes to one recipient session, paginates over the API's 1000-row limit cap, logs
partial failures. Replaces the ad-hoc curl loop used to purge 208 stale messages this session.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Corrects the assumption that GuruRMM merge-to-main (=deploy) is Mike-only. Mike still owns RMM
architecture/direction, but Howard can land prepared+verified branches himself — they no longer
bottleneck on Mike. Updated approval-workflow-tools-vs-projects + MEMORY.md index + logged the
correction in errorlog.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- bitdefender gz.py: add "missing name" to _EXPECTED_ERROR_MARKERS — closes the last gap in
Howard's errorlog suppression ("Missing name 'X' in 'options' object" validation errors were
still logged). Verified all 10 real spam messages now suppressed; genuine errors still log.
- memory feedback_submodule_autosync_discipline: capture the recurring auto-synced-submodule
rule (worktree or push-by-SHA + ls-remote verify; assert HEAD==origin/main before audits;
never checkout-- shared files). Recurred on Howard-Home x3 + GURU-5070 this session.
- CLAUDE.md CORE Windows bullet: promote the two top recurring mechanical traps (/tmp path
mismatch, curl.exe/plink quote-stripping) to always-loaded hard rules so they stop repeating.
Lint of errorlog.md: bitdefender expected-validation spam was ~70% of entries (Howard's
suppression now complete); fabb3421/Mail.Send drift closed earlier this session; wiki-compile
lock-release doc already fixed (entries predate the fix).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
PROBLEM: Broadcast messages were never being marked as read on the server,
only tracked in a local gitignored seen-file. This caused them to re-appear
in every new session or on different machines.
ROOT CAUSE: check-messages.sh lines 101-104 had a flawed assumption that
broadcasts share a single read_at field that would "clobber" other machines'
unread state. This was wrong - the API supports per-session read tracking.
FIX:
- check-messages.sh now marks broadcasts as read on the server (like personal
messages), in addition to tracking them in the local seen-file
- Updated comments to reflect correct behavior
- coord SKILL.md now documents auto-mark-read behavior and reply workflow
- Manually marked all 39 accumulated unread broadcasts as read
IMPACT: Broadcast messages will now be properly marked as read and won't
keep appearing across sessions. Fixes user complaint about answered questions
(pfSense cred-path, fabb3421, etc.) continuing to show up.
Logged to errorlog.md as --correction.
Found during the RMM-TEST-MACHINE full-function test (live tenant):
- assignPolicy: assigning a policyId REQUIRES inheritFromAbove:false in the same
call, else the API rejects with a misleading "inheritFromAbove should not be
used with policyId" error. Fixed assign_policy to always send it; dropped the
wrong --inherit-from-above flag.
- isolate/unisolate: the API takes a SINGLE endpointId per call, NOT an
endpointIds array (errored "not expected"). Client now loops per endpoint.
unisolate fails while the isolate task is in progress — wait + retry.
- api-reference updated with the live-verified shapes.
Full function test PASSED on RMM-TEST-MACHINE: install(offline kit/SYSTEM) ->
enroll -> move(ZZ-RMM-TEST) -> assign-policy(GPS Base, applied) -> set-label ->
scan -> reconfigure -> isolate -> unisolate -> quarantine/blocklist read ->
managed uninstall(deleteEndpoint). selftest 75/75.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Completed Companies module for bitdefender GravityZone Public API
- Implemented: getCompanyDetails, getCompanyDetailsByUser, createCompany, suspendCompany, activateCompany, deleteCompany
- Discovered updateCompany and getCompaniesList not available; companies retrieved via network inventory
- Company types: 0=Partner, 1=Customer; createCompany accepts nested licenseSubscription via JSON passthrough
- All write operations require --confirm; raw also restricts createCompany/suspendCompany/activateCompany
- selftest 49 -> 55 passing
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Completed Accounts module for bitdefender skill (GravityZone Public API)
- Added 5 methods: getAccountDetails, createAccount, updateAccount, deleteAccount, configureNotificationsSettings
- Write methods require --confirm; raw also gates createAccount/updateAccount/configureNotificationsSettings
- Param shapes validated against official docs and safe validation probes
- configureNotificationsSettings is a setter with no required param; warning documented against empty payload on live tenant
- selftest 42 -> 49 passing
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- assign_policy: add inheritFromAbove option; mark VERIFIED via official docs
(policyId/targetIds/forcePolicyInheritance/inheritFromAbove; not applied to
ENFORCED-policy targets).
- setPushEventSettings: documented serviceType (splunk/cef/jsonRPC), TLS 1.2+
receiver requirement, subscribeToEventTypes event-flag map; webhook receiver
pattern noted.
- api-reference.md: cite GravityZone Support Center as authoritative source.
- add references/BUILDOUT.md — master checklist to implement every API method
module-by-module; seeded with current done/todo/dead state.
- memory: reference_gravityzone_support (+ index).
selftest 42/42.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Re-verified the live tenant's full API scope and wrapped the modules the key
allows but the skill didn't expose. New CLI subcommands:
- assign-policy (gated) — apply an existing policy to endpoints/groups
(param shape policyId+targetIds verified live)
- reports, accounts, notif-settings, scan-tasks — read
- push-settings / push-stats / push-set (gated) — push event service
(status param verified; needs a receiver URL to enable)
Corrections from live probing:
- policies are NOT shallow: getPolicyDetails returns the FULL granular config.
Removed the false "shallow" warning; documented read+assign, console-only authoring.
- raw now gates assignPolicy + setPushEventSettings.
- documented dead modules (patchmanagement/phasr/maintenancewindows/integrations,
incidents.getIncidentsList) and unconfigured-push handled cleanly (rc0, no errorlog).
selftest 29/29 -> 42/42, all green against the live tenant.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
/mailbox (ACG own-mail, single-tenant 1873b1b0) and client send (suite
Exchange Operator b43e7342, multi-tenant) stay separate on purpose: 1873b1b0
is single-tenant so it cannot serve clients; consolidating onto exchange-op was
rejected (privilege creep on casual own-mail + loses Contacts). Documented the
why in commands/mailbox.md scope boundary + feedback memory so it stops being
re-litigated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mail.Send is NOT an open decision or a 'blocked' item: the Exchange Operator
tier (b43e7342) already holds Graph Mail.Send + Mail.ReadWrite +
MailboxSettings.ReadWrite (the suite's IR victim-notification mail path).
/mailbox (ACG own-mail) separately uses the dedicated ComputerGuru Mailbox app
1873b1b0. The deleted fabb3421/Claude-MSP-Access app is now referenced only as
DELETED/do-not-use across all live surfaces.
Corrected: remediation-tool gotchas.md (removed 'suite has no mail scopes /
mailbox BLOCKED / decision-not-executed'), commands/mailbox.md (header +
Attribution no longer name the deleted app as active), feedback memory
(promoted 'suite has Mail.Send — settled' to a headline), breach-report
template, .grok mirrors, credentials.md, CATALOG_SHARED_DATA.md, and wiki
(internal-infrastructure, glaztech, dataforth). Removed dead plaintext secret
for the deleted app from CATALOG_SHARED_DATA.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>