deploy-agent proven end-to-end on RMM-TEST-MACHINE: vaulted Howard Test MSI URL -> GuruRMM
push (msiexec /qn, SYSTEM) -> Syncro service Running -> auto-enrolled as asset 12676769 under
the client + the policy folder embedded in the installer token (5092561) in ~1 min.
installed_applications populates fast; patches lag. POST /policy_folders {policy_folder}
requires parent_id (null->422); move-asset flip-restore verified on the real asset; DELETE
policy_folder works. Shapes + findings recorded.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Live-tested the remaining write resources on Howard Test. Recorded:
- wrapped response shapes (.lead.id/.vendor.id/.product.id/.purchase_order.id/
.po_line_item.id/.worksheet_result.id) added to Verified Response Shapes.
- create_po_line_item requires product maintain_stock:true.
- worksheet templates live in GET /tickets/settings (.worksheet_templates[]), no standalone
endpoint; need a valid worksheet_template_id.
- PUT /products requires name+description; leads/vendors/products/POs have NO DELETE (global
test records persist -> GUI cleanup).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Decoded the Syncro RMM installer URL from 4 client samples:
base64(v1-{customer_id}-{A}-48753-{policy_folder_id}). 48753 = our account id (constant);
customer_id + policy_folder_id are API-readable; A is an unguessable per-client security token
NOT exposed anywhere in the API -> the URL is NOT constructible and must be harvested per client
and vaulted. Installer is an MSI -> deploy uses msiexec /qn /norestart.
deploy-agent now reads clients/<slug>/syncro-agent-installer (credentials.installer_url) from
the vault (cascades-tucson, grabb-durando, reliant, howard-test seeded) and pushes via GuruRMM.
Findings recorded in test-findings.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Test campaign on Howard Test sandbox (customer 36118743) surfaced traps the skill must not
re-learn:
- invoice/estimate email endpoints return 200 "Email sent" even with NO recipient
(customer.email null) -> never report delivery from the 200; verify customer.email first.
- customer.email is UNIQUE tenant-wide; PUT /customers failure returns
{success:false,message:[...]} not {customer:{...}} -> check .success.
- POST/PUT /contacts return a FLAT object (.id), not {contact:{...}}; contact recipient
flags (primary/receives_invoices) are ignored via API.
- POST /contracts write succeeds but body doesn't echo the object; /contracts?customer_id
doesn't filter server-side -> GET-verify + client-filter.
New living log .claude/standards/syncro/test-findings.md; critical items folded into
syncro.md Hard Rules + Verified Response Shapes. Correction logged to errorlog.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add comprehensive Syncro coverage beyond PSA core:
- New .claude/standards/syncro/api-reference.md: complete verified inventory of ~180
endpoints across 38 resource types (generated from live OpenAPI 3.0 spec + tenant
probe 2026-07-10), with worked GET/POST/PUT/DELETE templates and token-capability matrix.
- /syncro: asset read intelligence (patches, installed_applications), asset create/update,
policy-folder move (move-asset), RMM alerts, and deploy-agent (hybrid installer push via
GuruRMM using SyncroSetup --console --allow-force-reboot).
- move-asset ships a capability preflight (GET /policy_folders?customer_id -> 401 = missing
Assets-Policy-Change) + mandatory post-write verify, because an under-scoped token returns
HTTP 200 and silently no-ops the move.
Correct the "Syncro RMM is API-impossible" belief: it was a token-scope gap, not an API
limit. Live-verified the asset move (flip-and-restore 692253->692278->692253). Token scope
today: Howard + Winter full; Mike (vaulted ...ebbeb3) still 401 pending re-vault.
Corrects memory reference-syncro-rmm-api-gui-only; correction logged to errorlog.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two defects found while running /wiki-compile, both from tooling assuming
a path instead of resolving it.
1. Plaintext Syncro API keys. Mike's and Howard's live PSA keys were
copy-pasted into three command files, a script, and two catalog docs --
despite both already being vaulted at msp-tools/syncro and
msp-tools/syncro-howard. Replaced with reads from the SOPS vault via a
new sourced helper, .claude/scripts/syncro-env.sh. Write paths fail
closed; read-only paths degrade to skipped enrichment rather than a
wrong key. Per-user mapping is unchanged, so Syncro attribution is too.
2. Hardcoded repo root. wiki-compile/wiki-lint/inject-standards and
gen_b64.py hardcoded D:/claudetools; this machine is C:/claudetools.
syncro.md also read ~/.claude/identity.json before the repo copy -- the
same bug that made remediation-tool's consent-audit report a fully
consented tenant as RED. Root now resolves from the script's own
location, with identity.json claudetools_root as the override.
get-identity.sh had a chicken-and-egg bug: it read ${CLAUDETOOLS_ROOT:-.}
but never set it, so every caller had to already know the root. It now
self-resolves and exports CLAUDETOOLS_ROOT + VAULT_ROOT.
Verified: all three command setup blocks authenticate against live Syncro;
get-identity.sh works from any cwd and honors a pre-set root; gps-rmm
autoenroll resolves its key from the vault. security-review: no findings.
NOTE: both keys remain valid in git history. Rotation in the Syncro portal
is the required follow-up -- this commit does not resolve that exposure.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add .claude/skills/ask-forum/SKILL.md (usage contract, correlation model,
forum-only scope, access/permissions) and route to it from CLAUDE.md
(skill-first covered domains) + SKILL_ROUTING.md, so sessions invoke the
skill instead of hand-rolling the Discord API — the footgun that produced a
broken background wait. Capture that footgun as memory
feedback_background_task_no_ampersand (run_in_background, never a shell &).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add ask-forum.sh + /ask-forum command: a live Claude session posts a
question to the private #ct-forum forum and blocks (server-side, one tool
call) until a human replies, then acts on the answer. Same session throughout
- a three-way between the user, the session, and the teammate. No DMs, no
second bot. Bumps the discord-bot submodule to the matching #ct-forum guard.
Approved by Mike via #ct-forum (a-go, forum-only, /ask-forum yes), 2026-07-08.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- peaceful-spirit: record the standing 'Mara audit log' (daily PST Deletion Report task,
SACL 4660/4663 on G:\Shares\Scanned) and its new output location under the legal/
partner-review folder (moved 2026-07-02). Surgical update, no full recompile.
- wiki-compile: add an incremental UPDATE mode (now the no-flag default) that folds only
session logs newer than last_compiled via targeted section edits — no Sonnet subagent,
no full-article regeneration. --full is now the explicit REBUILD; --syncro is the
instant Syncro-only refresh. Addresses the slow-rebuild complaint.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
/mailbox (ACG own-mail, single-tenant 1873b1b0) and client send (suite
Exchange Operator b43e7342, multi-tenant) stay separate on purpose: 1873b1b0
is single-tenant so it cannot serve clients; consolidating onto exchange-op was
rejected (privilege creep on casual own-mail + loses Contacts). Documented the
why in commands/mailbox.md scope boundary + feedback memory so it stops being
re-litigated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mail.Send is NOT an open decision or a 'blocked' item: the Exchange Operator
tier (b43e7342) already holds Graph Mail.Send + Mail.ReadWrite +
MailboxSettings.ReadWrite (the suite's IR victim-notification mail path).
/mailbox (ACG own-mail) separately uses the dedicated ComputerGuru Mailbox app
1873b1b0. The deleted fabb3421/Claude-MSP-Access app is now referenced only as
DELETED/do-not-use across all live surfaces.
Corrected: remediation-tool gotchas.md (removed 'suite has no mail scopes /
mailbox BLOCKED / decision-not-executed'), commands/mailbox.md (header +
Attribution no longer name the deleted app as active), feedback memory
(promoted 'suite has Mail.Send — settled' to a headline), breach-report
template, .grok mirrors, credentials.md, CATALOG_SHARED_DATA.md, and wiki
(internal-infrastructure, glaztech, dataforth). Removed dead plaintext secret
for the deleted app from CATALOG_SHARED_DATA.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
coord.py 'lock release' takes the lock ID; the documented path form no-ops
and strands the lock until TTL. Capture the lock ID at claim (5.0), release
it in Phase 6. Recurring friction (errorlog 2x).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Extends the invoice Message (note) automation into a single reusable helper
set_invoice_note <invoice_id> <customer_id> [pre_billing_prepay]:
- no block (prepay_hours==0) -> "Interested in discounted labor? Ask us about block-rate pricing."
- block, >=4 hrs left -> "Block hours remaining: N."
- block, <4 hrs left -> remaining + renew line, AND tags Winter (<@624666486362996755>)
in #bot-alerts (low-block heads-up; mentions ping, no allowed_mentions)
Pre-billing prepay arg keeps a just-depleted block counted as a block customer (shows renew, not upsell).
Never clobbers a non-empty note.
Wired into billing Step 3 (set_invoice_note "$INVOICE_ID" "$CUST_ID" "$PREPAY"), and a new
"Recurring invoice note sweep" applies the same policy to Syncro's auto-generated recurring invoices
(schedule_id != null, recent, current balance) — idempotent, run after each recurring run.
Branch logic + a real e2e note set/restore validated on the ACG internal test account (#67741); the
<4hr Winter alert was stubbed in testing so no real ping fired.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The on-screen "Invoice Message" text block IS the invoice `note` field, editable via
PUT /invoices/{id} {"note": "..."} (response {"invoice": {...}}). Verified on the ACG
internal test account (#67741: set/verify/restore).
Billing flow now sets a one-line upsell hint on the invoice note — "Interested in
discounted labor? Ask us about block-rate pricing." — ONLY for customers with no prepaid
block (prepay_hours == 0). Block customers (prepay_hours > 0) get no hint; never clobber
a non-empty note.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- graduation-push.sh: tar+scp scratch -> BEAST graduation-inbox over Tailscale (decoupled
from /save, soft-fail if BEAST off). Tested: 241 files -> BEAST.
- docs/graduation-pipeline.md: full spec (push -> Ollama triage on BEAST GPU via API ->
reviewed sanitize+git-mv). Secrets never enter git; ride the encrypted link to BEAST only.
- tmp-promotion-check.sh: rewritten pure-builtin (0.4s) after the per-file grep/fork loop
hung /save for 4 min on Windows at ~240 scratch files. Deep triage moves to the pipeline.
- forum-post: GRADUATED the canonical flarum poster from scratch ->
skills/forum-post/scripts/flarum-post.py (s9e markdown->XML + DB insert machinery), with
the hardcoded IX SSH + Flarum DB passwords swapped to vault lookups. First pipeline test case.
- Vaulted the Flarum DB cred (services/flarum-community.sops.yaml) + sanitized the two
plaintext copies in forum-post.md.
- errorlog: logged the WSL-stub correction + BEAST-Ollama-CPU(vram=0) finding + the
promotion-check hang, all via the new log helper.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The skill/command DOCS instructed Claude to run a bare `py ...`, which is the
Windows py-launcher — absent on Linux/macOS (exit 127, hit on GURU-KALI). A blind
py->python3 swap is wrong too: python3 is a broken MS Store shim on some Windows
boxes where `py` is the correct launcher.
Fix mirrors the resolution the .sh skill scripts already do:
- New .claude/scripts/py.sh: picks the interpreter that actually RUNS —
identity.json python.command first, then py -> python3 -> python, each
validated with `-c 'import sys'` so the MS Store stub is skipped. exec's it.
- Repointed all DOC invocations (10 files, ~70 sites) from `py ...` to
`bash "$CLAUDETOOLS_ROOT/.claude/scripts/py.sh" ...` (incl. the `py -c` and
`py -` heredoc forms in checkpoint.md / mailbox.md).
- Left the .sh skill scripts untouched — they already resolve py/python/python3.
- errorlog.md: marked the GURU-KALI entry RESOLVED.
Depends on CLAUDETOOLS_ROOT (seeded by ensure-settings-env.py); py.sh also
self-resolves the repo root via git/cwd as a fallback.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Phase 2a used `customers?name=` which is near-exact and missed slug/name spelling
mismatches — e.g. slug gonzvar-tax-services vs Syncro "Gonzvar Tax Service"
(singular), causing a false "not in Syncro". Switch to `query=` (fuzzy) with a
fallback ladder (first word, then de-pluralized token) before concluding not-found.
- .gitignore: ignore root tmp/ (temp/ and .claude/tmp/ were already ignored;
root tmp/ was not, which is how scratch got committed and needed cleanup).
- New .claude/scripts/tmp-promotion-check.sh: advisory, read-only, never blocks.
Scans the gitignored scratch dirs (tmp/, temp/, .claude/tmp/) and flags files
worth graduating (scripts, substantial docs, session-log-referenced) before
they're lost to cleanup. Silent when scratch is empty.
- /save (Phase 4) and /scc (new step 2) run the check before sync.sh, pointing
at .claude/TEMP_GRADUATION.md for the graduate-vs-delete decision.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Task 3/3a of the harness-optimization spec. Mike confirmed normal billing uses
add_line_item; timers stay available only for explicit outlier requests, never the
normal loop. Rewrote time-entry-protocol.md to defer to the /syncro command (SSOT for
billing mechanics) and state timers are outlier-only; aligned the command's two
absolute "no timers" lines. Contradiction removed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Extract the per-machine concurrency lock from sync.sh into a sourceable
lib (.claude/scripts/sync-lock.sh) plus a `run <cmd>` wrapper that locks
the current repo (same lock-dir basename, so it mutually excludes with
sync.sh in the ClaudeTools repo and self-scopes in any project repo).
sync.sh now sources it (behavior identical — verified by review). /scc
routes its commit+push through the locked, rebase-safe sync.sh (and drops
the bare YYYY-MM-DD-session.md filename for the per-session-unique one).
/checkpoint now stages+commits atomically under the repo lock so a
concurrent session in a shared worktree can't be swept in. Closes the
remaining commit paths that bypassed the lock shipped in a85c2cc.
Multiple concurrent Claude sessions (and the scheduled-task sync) were
stepping on each other's git state. sync.sh now takes an atomic mkdir
lock in .git/ around the whole run (stage/commit/fetch/rebase/push +
vault), exits 75 (EX_TEMPFAIL = deferred) on contention instead of
racing, and reclaims stale/dead-owner locks with a re-verify-before-clear
guard (closes two TOCTOU races caught in review). /save now mandates
per-session-unique log filenames (never the bare YYYY-MM-DD-session.md).
Docs updated for the lock + deferred-exit semantics.
Note: git add -A is still the catch-all sweep; full per-session commit
isolation and routing /scc + /checkpoint through the lock are follow-ups.
Adds explicit Syncro ticket creation section to remediation-tool.md.
Ticket #32387 was created without priority, assignee, or a valid issue type.
Now specifies required fields, valid problem_type values, and an enforcement
checklist to prevent null fields in any POST payload.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New /self-check skill: each machine probes its own ClaudeTools harness wiring
(identity.json paths, required tooling, settings.json hooks, skill/command/script
set, vault decrypt, coord/Gitea connectivity, Ollama capability tier) and grades
RED/AMBER/GREEN against a checked-in provisional baseline manifest.
- Capability-tier model: architectural/OS/hardware differences (e.g. no local
Ollama) select a fallback ruleset instead of failing.
- Duplicate detection: flags command/skill names that diverge between the repo
and ~/.claude (the "same /cmd, different behaviour" cross-machine bug);
CRLF-only diffs ignored.
- Memory check: index + orphan detection, plus a model-driven semantic pass for
memories that contradict identity/settings.
- V1 is a census tool: --publish writes a per-machine census to coord
(component selfcheck_<host>); fanout requests the fleet to self-check +
self-remediate + re-publish; aggregate derives the proposed baseline. No
machine ever fixes another.
Reviewed twice by the Code Review Agent; three CRITICAL coord-API bugs and the
CRLF false-WARN found and fixed, verified live against the coord API.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Live Sonnet-subagent recompile test inlined real passwords/PSK/RADIUS
secret from a session log into the article; review caught it. Added rule
6b to the synthesis brief: wiki references vault paths only, never raw
secrets (carry-over of values the existing article already discloses is
the only exception).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Seed/full synthesis in /wiki-compile (and the /save Phase 3 recompile) now
delegates the draft to a Sonnet subagent (model: "sonnet") instead of
Ollama qwen3 — better prose quality, no local-Ollama dependency. Refresh
mode unchanged (surgical, no model). Main agent still reviews the draft
before writing (billing/IPs/vault-paths; Patterns/History preserved).
Softfail now keys on subagent unavailability -> surgical refresh.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
/save now full-recompiles the worked-on article (Ollama, preserving
Patterns/History) so the session's findings land in the wiki, not just
dynamic fields. Seeds the article if missing. Softfalls to a surgical
refresh when Ollama is down so a save is never blocked. Still pre-sync,
so the article ships in the same commit; /scc inherits via /save logic.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
/save now refreshes the client/project wiki article (refresh-only: live
Syncro fields, sources, last_compiled -- never narrative/Patterns/History)
before sync.sh, so the article + index ship in the same commit as the
session log. Skips root/general scope; suggests /wiki-compile seed when no
article exists; softfails so a wiki hiccup never blocks the save. Folds in
the old post-sync unseeded-wiki check. /scc inherits via /save logic.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reconstructs session logs from Claude Code transcripts when a session
crashes or is closed before /save. Two entry points:
- /recover <uuid|latest> : manual, Claude-reviewed reconstruction
- detect_orphaned_sessions.py : scheduled scan that auto-builds logs for
substantive, unsaved, not-yet-recovered transcripts (banner-marked
RECOVERED-UNVERIFIED), commits them, and posts a #bot-alerts FYI.
recover_session.py is the shared engine: Python extracts the verbatim
command/config/reference timeline; Ollama drafts prose-only narrative.
Machine-local ledger (.claude/state/) prevents reprocessing. Reviewed:
git add scoped to own files, ledger written only after successful push,
per-uuid idempotency, --max cap for unattended runs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>