Vault sync was failing with "remote: Failed to authenticate user" against
git.azcomputerguru.com. Root cause: Git Credential Manager (first in the
helper chain) shadowed the valid PAT in the store helper with a stale
cached OAUTH_USER JWT.
Fix (machine-local git config, already applied — not in the repo):
- Reset the vault repo credential.helper to store-only (drop inherited GCM).
- Pin azcomputerguru@ in the vault remote URL so store returns the durable
PAT instead of a volatile OAUTH_USER JWT.
Repo change here is documentation only: a feedback memory capturing the
diagnosis + fix, plus an index line in MEMORY.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add .claude/scripts/ff.py, a Firefox browser driver built on Playwright and
the Firefox sibling of the existing cdp.py Chrome driver. It runs a small
background daemon holding one Playwright Firefox page on a persistent profile,
controlled over localhost:9333, with subcommands launch/status/nav/shot/click/
type/eval/console/network/stop. Verified end-to-end (real screenshot, network
and console capture). This is now the preferred browser-automation path because
Mike dislikes Chrome and the claude-in-chrome extension (that connector was
disabled in ~/.claude.json this session - not a repo change).
Add memory reference_ff_firefox_driver.md documenting the driver and an index
line in MEMORY.md. The MEMORY.md change also unavoidably includes a pre-existing
adjacent index line for reference_antigravity_agy_not_headless.md, so that memory
file is bundled in to keep the index consistent.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Robert Wolkin's use case is RSW-Laptop accessing file shares + a shared
printer on front. Add a reusable Windows files/printer section to the
pattern (SMB over the tailnet, the 445 firewall-on-Tailscale-interface
gotcha scoped to 100.64.0.0/10, local-account auth on Home, MagicDNS
FQDN, Point-and-Print via RMM, Taildrive alternative). Record the
concrete per-host post-connect config and the printer-type open item in
the client doc.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GuruRMM client Wolkin, Robert / site Main has 3 online Win11 Home agents
(DESKTOP-V1JT1SE, RSW-Laptop, front; agent v0.6.57, IDs recorded).
Tailscale scope is RSW-Laptop -> front only; DESKTOP-V1JT1SE is Bob's
personal machine, intentionally out of scope.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Stub client article (two-machine, non-technical office) tracking the
dedicated-tailnet rollout per the Tailscale client-management pattern.
Indexed under wiki Clients; profile/Syncro fields marked unverified.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
One tailnet per client (never merge into ACG's own tailnet), MSP holds Admin,
devices enrolled as tagged nodes via pre-auth keys pushed from GuruRMM.
Includes tailscale-client-enroll.ps1 (idempotent unattended Windows MSI
install + tagged auth-key join), a see-each-other tag ACL, the Windows
subnet-routing reality (userspace/netstack, not the old IP-forward hack),
and a runbook. Indexed under wiki Patterns.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Amend windows-bootstrap.ps1 with every gap the 2026-06-06 GURU-5070
reinstall exposed, so the next rebuild is clean:
- Phase 7: install python deps into BOTH interpreters (py/3.14 for vault
+ scripts, python/3.12 for the MCP servers). Single-interpreter installs
left ticktick MCP (no httpx/mcp in 3.12) and vault get-field (no PyYAML
in 3.14) dead. Add pyyaml + websocket-client to the baseline libs.
- Phase 3: persist ~\.grok\bin (+ ~\.local\bin, %APPDATA%\npm) to the User
PATH; grok's installer leaves it session-only.
- Phase 6: prime non-interactive git auth (setup-git-auth.sh) so pushes
never hang on a GCM prompt.
- Phase 8: expand to the real 5-model set and add the hydration gotcha so a
populated D:\OllamaModels is never needlessly re-downloaded (~48 GB).
Document all four in machines/guru-5070.md known issues.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add setup-git-auth.sh: idempotent, fail-silent script that primes the
git credential store from the vault Gitea token, scoped per-repo by the
actual origin host. Only seizes the helper from the prompting GCM
`manager` (leaves Mac osxkeychain alone); fast-path no-op once set.
Wire it into a backgrounded SessionStart hook and set
GIT_TERMINAL_PROMPT=0 / GCM_INTERACTIVE=Never in settings.json env so
no session on any machine can hang on a credential prompt.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mike's objection to Git for Windows is the constant GCM password
prompts that hang automation/background pushes, not the tool itself.
Document the working fix (repo-local credential.helper=store primed
with the azcomputerguru Gitea API token, GIT_TERMINAL_PROMPT=0) in the
Gitea Agent definition and shared memory.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The ticktick local stdio MCP server crashed at startup with
"Connection closed" (surfaced by /doctor) because its Python 3.12
interpreter was missing the httpx and mcp packages. After installing
them, record the two third-party dependencies here so future machines
have them on record and can reproduce the working environment.
Rename the machine to the name in the bundle's identity.json (default GURU-5070,
override with -Hostname) when run as admin, with an end-of-run reboot reminder.
Ensures scheduled tasks, coord session IDs, and log attribution line up. RESTORE.md
documents the step.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add restore-at-risk-work.ps1 and wire it into bootstrap Phase 6. Recreates
local-only WIP rescued to the recovery bundle's at-risk-work/: re-applies the
three guru-rmm stash patches back AS stashes (LIFO order preserved) and drops
the guru-connect tmp-spec018.diff back as its untracked working file. Patches
that won't apply cleanly are reported for manual git apply --3way. Updates
RESTORE.md and the session log with the rescue details.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add .claude/bootstrap/ (windows-bootstrap.ps1, restore-secrets.ps1,
backup-to-bundle.ps1, RESTORE.md) plus machines/guru-5070.md. Idempotent
11-phase rebuild after a clean Windows reset: winget core tools + .NET/WiX,
protoc, Poppler, Tailscale; restore SOPS age key/SSH/tool-auth/identity from
the E:/F: recovery bundle; clone repos+submodules; set OLLAMA_MODELS/HOST/PROTOC;
detect existing D:\OllamaModels; register scheduled tasks. Includes session log.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sync.sh now posts a per-machine coord component
(claudetools/git_sync_<MACHINE>) flipped syncing -> idle/degraded around
each run, so the fleet can see who is mid-sync / last sync state. Fully
best-effort: a 3s-capped curl guarded with || true + return 0, emitted
only after the lock is acquired (contention/exit-75 emits nothing), and
finalize captures $? first and returns it so the signal can never change
the sync's real exit code. Reviewed (verified it cannot break sync).
Extract the per-machine concurrency lock from sync.sh into a sourceable
lib (.claude/scripts/sync-lock.sh) plus a `run <cmd>` wrapper that locks
the current repo (same lock-dir basename, so it mutually excludes with
sync.sh in the ClaudeTools repo and self-scopes in any project repo).
sync.sh now sources it (behavior identical — verified by review). /scc
routes its commit+push through the locked, rebase-safe sync.sh (and drops
the bare YYYY-MM-DD-session.md filename for the per-session-unique one).
/checkpoint now stages+commits atomically under the repo lock so a
concurrent session in a shared worktree can't be swept in. Closes the
remaining commit paths that bypassed the lock shipped in 6b0ce9a.
Multiple concurrent Claude sessions (and the scheduled-task sync) were
stepping on each other's git state. sync.sh now takes an atomic mkdir
lock in .git/ around the whole run (stage/commit/fetch/rebase/push +
vault), exits 75 (EX_TEMPFAIL = deferred) on contention instead of
racing, and reclaims stale/dead-owner locks with a re-verify-before-clear
guard (closes two TOCTOU races caught in review). /save now mandates
per-session-unique log filenames (never the bare YYYY-MM-DD-session.md).
Docs updated for the lock + deferred-exit semantics.
Note: git add -A is still the catch-all sweep; full per-session commit
isolation and routing /scc + /checkpoint through the lock are follow-ups.
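
The locking scheme this commit message describes (atomic mkdir lock, exit 75 on contention, stale-owner reclaim with a re-verify before clearing), as an added example that is not the repository's sync.sh or sync-lock.sh. `LOCK_DIR`, `lock_owner`, `acquire_lock`, `release_lock` and `run_locked` are hypothetical names, and the pid-file layout is an assumption.

```shell
#!/bin/sh
# Added illustration only; not the repository's sync.sh or sync-lock.sh.
# LOCK_DIR, the pid-file layout and all function names are hypothetical.
LOCK_DIR="${LOCK_DIR:-.git/sync.lock.d}"
EX_TEMPFAIL=75   # sysexits.h: temporary failure, retry later

lock_owner() { cat "$LOCK_DIR/pid" 2>/dev/null || true; }

acquire_lock() {
    # mkdir is atomic: of any number of racing callers, exactly one succeeds.
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "$$" > "$LOCK_DIR/pid"
        return 0
    fi
    owner=$(lock_owner)
    # No pid yet (holder is mid-creation) or holder alive: defer, never race.
    if [ -z "$owner" ] || kill -0 "$owner" 2>/dev/null; then
        return "$EX_TEMPFAIL"
    fi
    # Holder looks dead. Re-read the owner right before clearing: if the lock
    # changed hands during the liveness check, it is not ours to clear.
    [ "$(lock_owner)" = "$owner" ] || return "$EX_TEMPFAIL"
    rm -rf "$LOCK_DIR"
    # Reclaim through the same atomic mkdir, so racing reclaimers still
    # produce a single winner.
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "$$" > "$LOCK_DIR/pid"
        return 0
    fi
    return "$EX_TEMPFAIL"
}

release_lock() {
    # Remove the lock only if this process still owns it.
    [ "$(lock_owner)" = "$$" ] && rm -rf "$LOCK_DIR"
    return 0
}

run_locked() {
    # Run a command under the lock and hand back the command's own exit code.
    acquire_lock || return $?
    "$@"
    rc=$?
    release_lock
    return "$rc"
}
```
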
New `elevate` mode that goes beyond friction to make a UI top-notch and
flags when to redesign rather than patch. references/polish-and-redesign.md
holds 12 heuristics (hierarchy, signature moment, action gravity, narrative,
lonely states, density, rhythm, type, tokens, depth/finish, motion, redesign
triggers) synthesized from three independent model passes (Claude + Gemini +
Grok). Adds an Elevation Index (0-10), a Redesign Urgency score (>=4 leads
with a Structural Audit), and Opportunity-ranked Quick Wins / Elevations /
Redesign Candidates tiers. SKILL.md: command + mode section + extend note.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
human-flow P0-P1 fixes for radio.azcomputerguru.com:
- K1: skip-to-content link (first tab stop) + id/tabindex on <main>.
- K2: global :focus-visible ring (accent outline) across links, buttons,
inputs and player controls; reveal the seek-bar handle on focus.
- K3: mobile menu a11y — aria-expanded/aria-controls, Escape closes and
restores focus to the toggle, focus moves to first link on open.
All token-based, no emojis. Not built (node_modules absent on this host).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- New wiki/systems/ix-server.md: IX web host (172.16.3.10) facts, the
ACG hosted sites table, and a full record of radio.azcomputerguru.com
(Astro static + React 19 islands; source in projects/radio-show/website/;
build npm run build -> dist -> rsync to cPanel doc root).
- index.md: list the new IX systems article.
- radio-show.md: fix the stale "ix-server.md may not exist" backlink.
- memory reference_radio_website.md: add stack detail (React islands,
wavesurfer/fuse, node>=22) + pointer to the new wiki article.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Upgrade the human-flow skill (Gemini-assisted, Claude-reviewed):
- scan.mjs rewritten to AST-based (@babel/parser/traverse) with 4
detectors: unlabeled-icon-button, tiny-target, missing-feedback-props,
click-without-keyboard; regex fallback on parse failure.
- Objective Friction Index (Motor 3.0 / Cognitive 2.5 / Keyboard 2.5 /
Feedback 2.0); 0-10 Human Workflow Score.
- New heuristics: State-Flow Audit, Precision Rail / Fumble Zones,
Restraint-o-Meter (1-5) for the fancy pass.
- `fix` command DISABLED for now (advisory only): the AST generator
reprints whole files and produces noisy diffs; agents apply surgical
fixes from the report. To be revisited with a string-splice editor.
- Add @babel/* deps + package-lock.json.
- Memory: agy review/review-files is NOT actually read-only (wrote files
+ ran npm despite documented plan-mode) — diff after every agy review.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
review/review-files resolve relative paths only against CWD or
$CLAUDETOOLS_ROOT, never a submodule/subdir — so submodule-relative
paths fail with "file not found". Add a [!WARNING] callout to both
SKILL.md files, fix the misleading "absolute or repo-relative" table
wording, and add inline GOTCHA comments at each resolution site in
both scripts. Bitten us repeatedly (latest: GuruConnect review).
Feedback from Mike (Bardach #32387): every Syncro ticket bot-alert needs a
clickable link (https://computerguru.syncromsp.com/tickets/<internal_id>).
post-bot-alert.sh posts raw text, so the URL must be in the message.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>