Several bugs found and fixed during live testing against the ACG GravityZone
tenant:
- security_sweep_all_clients: iterate each company (the companies container is
not a valid endpoint parent; passing it 400'd the whole sweep)
- list_quarantine: use service-scoped path quarantine/computers with companyId
(bare quarantine module 404'd; param is companyId not parentId)
- rename GZEndpointSummary.detection_active -> threat_detected with corrected
semantics (True = active threat, tracks with infected; not an engine-on flag)
- status: readable sectioned table renderer for the nested apiKey/license dict
- portable CLAUDETOOLS_ROOT resolution (derive from file path, not a Windows
literal) so it works on the Mac/Linux fleet
Adds scripts/selftest.py: a 29-check read-only harness (all passing) covering
every read command, --json, error exit codes, and destructive-action gating.
EDR/incident commands (blocklist, isolate/unisolate, blocklist-add/remove) and
raw destructive-method gating are included from this session's work.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- raw now refuses destructive methods (delete/uninstall/remove/reconfigure)
without --confirm (it previously bypassed all gating)
- --json is now accepted after the subcommand (shared via a common parent
parser), matching the documented usage
- drop a placeholder-less f-string
- SKILL.md: document raw gating + that raw echoes upstream responses verbatim
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds a /bitdefender skill that drives the ACG GravityZone partner tenant
via the JSON-RPC Public API. Read + management ops (companies, endpoints,
live security sweep, policies [read-only/shallow], packages, quarantine,
scans, groups, move/delete). Identity-tier JSON cache (24h TTL,
--refresh); volatile status is always pulled live, never cached.
Security hardening: API key loaded from SOPS vault at runtime (never on
disk/logs/argv/cache); destructive deletes gated behind --confirm; `raw`
also gates destructive methods; upstream error bodies truncated. UNVERIFIED
API methods reachable only via `raw`. Reuses the auth/JSON-RPC pattern from
api/services/gravityzone_service.py.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates submodule to include:
- Credential Management & Notes feature in roadmap
- SPEC-017 Mobile Device Support specification
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
GC's db layer uses runtime sqlx::query()/query_as() throughout - zero
compile-time macros (verified during v2 Task 1; CLAUDE.md's "compile-time
checked queries" line is stale). Pass B now treats a NEW sqlx::query! macro
as a [LOW] deviation (reintroduces the .sqlx-cache footgun + build-time
DATABASE_URL) instead of blessing macros as the GC norm. Fixed both the
intro divergence note and the Pass B check.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Load .claude/standards/ (index.yml + files) as the compliance baseline;
Rust/TS passes now cite the specific standard each finding violates
- Glob all docs/specs/SPEC-*.md (incl. SPEC-002) + specs/*/plan.md; Pass F
reconciles SPEC phases and plan.md [DONE] markers against code (3rd table)
- Extract a planned-work list from SPEC-002 + active plans; tag findings that
match already-planned work as [TRACKED] so mid-rebuild audits surface net-new
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Update guru-rmm submodule pointer (SPEC-017 mobile device support)
- Record Apple Developer + MDM Push certs (acquired 2026-05-29); MDM push
cert renews annually on the same Apple ID or all enrolled iOS devices break
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the Memory Care Reception Epson ET-5800 (EPSON833571, 10.0.20.78,
dc:cd:2f:83:35:71) as a named print share on CS-SERVER. The printer was
previously pending a UniFi switch replacement; it is now online on VLAN 20.
- Created TCP port TCP_10.0.20.78 and shared as MCReception via GuruRMM
remote PS (driver already present from FrontDesk ET-5800 setup)
- Updated printers.md entry #12 with IP, MAC, share path, and Online status
- Added MCReception to active-directory.md printer table with OU=Care-Memorycare
ILT scope; GPO count bumped to 14
- Added MCReception entry to phase2-print-server.ps1 for reference
Access: OU=Care-Memorycare via Printer Deployment GPO (unlinked until Phase 3).
Alma Montt (cloud-only M365) connects manually to \CS-SERVER\MCReception.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Created .claude/TEMP_GRADUATION.md with review protocol before cleanup
- Graduation decision tree and checklist
- Examples from May 2026 cleanup (what should have been kept)
- Added to CLAUDE.md reference section
temp/ is local scratch (probe drafts, JSON dumps, debug scripts). It was being
swept into every /save by sync.sh's git add -A. Now ignored + untracked (files
remain on disk; history unchanged).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
/rmm diagnose: dispatches a Windows security/health probe to a newly onboarded
agent, grades RED/AMBER/GREEN, writes an immutable per-client baseline
(clients/<slug>/onboarding-baselines/), diffs vs prior, and alerts CRITICALs to
#dev-alerts. Probe is PS5.1/ASCII/SYSTEM-safe, never-abort, base64 chunked upload
around the agent command-size cap. Code-reviewed (no blockers); folded in
immutability guard, severity-independent finding ids, Defender-unknown sentinel,
expanded competitor/backup detection.
First baselines captured: Rednour FRONTDESKRECEPT + LEGALASST (both RED - prior
MSP ScreenConnect/Splashtop/Syncro still live; LEGALASST OS EOL).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
