New SPs need ~5s to replicate before appRoleAssignments can be granted.
Also fixes jq null iterator error when SP has no existing assignments.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dark-theme HTML page with one-click consent URLs for each tenant.
Tracks done/pending state in localStorage. Re-consent tenants (martylryan,
grabblaw) highlighted separately. No copy-paste needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After Tenant Admin is consented by customer admin, the script automatically:
- Creates SPs for Security Investigator, Exchange Operator, User Manager,
and Defender Add-on (programmatic consent, no extra customer clicks needed)
- Grants all required Graph, Exchange Online, and Defender ATP appRoleAssignments
- Idempotent: skips any permissions already granted
Also added AppRoleAssignment.ReadWrite.All to Tenant Admin manifest so
fresh consents include this permission. Existing tenants (martylryan.com,
grabblaw.com) need a one-time Tenant Admin re-consent to pick it up.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
41 CIPP-managed tenants sourced from ListTenants API. Includes onboarding
status, tenant IDs, and pre-built Tenant Admin consent URLs for each.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root cause: app-only Graph operations (password reset, Exchange REST) require
directory roles on each SP in the customer tenant, not just admin consent.
RoleManagement.ReadWrite.Directory was missing from all app manifests, making
role assignment impossible without manual portal work that was never being done.
Changes:
- patch-tenant-admin-manifest.sh: adds RoleManagement.ReadWrite.Directory to
Tenant Admin app manifest via Management app, grants home-tenant consent
- onboard-tenant.sh: new script — resolves tenant, acquires Tenant Admin token,
assigns Exchange Administrator to Security Investigator SP and User/Auth
Administrator to User Manager SP; --dry-run supported; idempotent
- get-token.sh: detects AADSTS7000229, emits consent URL + onboard-tenant.sh
reminder instead of silent failure
- gotchas.md: onboarding steps at top, tenant table expanded with role columns,
all known tenants updated including martylryan.com (first fully onboarded)
Verified: martylryan.com fully onboarded, password reset to MLR2026!! succeeded
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Windows Store python3 stub returns exit 49 instead of running Python.
Replace with: py (Windows launcher) for actual Python code, jq for
simple JSON extraction. Reorder fallback loops to try py first.
Add Bash(py:*) to settings.local.json allowlist.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extract Ollama docs and PROJECT_STATE locking protocol to on-demand
reference files. Trim Work Mode to detection table only. Remove verbose
anti-pattern examples and credential encryption details.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
git add -A captured the stale submodule pointer on Howard's machine
(April 18 init, not updated) and committed it, causing a conflict.
Now sync always runs git submodule update --remote first so the pointer
is current before staging.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rewrote get-token.sh: tiered app system (investigator/exchange-op/user-manager/tenant-admin/defender)
- Updated SKILL.md, command, gotchas, checklist, graph-endpoints for new app suite
- Cascades breach check: mailbox clean, inbound phishing received by John, DMARC gap noted
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Tier 0 (Ollama): summarize, classify, extract, draft, format — free/fast/private
- qwen3:14b for general tasks; codestral:22b for code suggestions
- Falls back to Haiku if Ollama unreachable or task needs agent tool use
- Bump rule extended: Ollama → Haiku on security/auth/migration/production
- Delegation pattern: direct Bash curl, not an agent spawn
- Per-task model guidance and review policy documented
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Formalizes the read → lock → act → release cycle for any project
that has a PROJECT_STATE.md. Every Claude instance must:
- Re-read state before any action (not just at session start)
- Claim a lock row before touching any component
- Release lock + log result on completion or failure
- Clear stale locks (>2h) before proceeding
Applies to code edits, git ops, SSH/deploy, DB migrations, builds.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Restored the complete 504-line sync.md documentation from global
commands directory to the repo version. This ensures:
- Single source of truth for /sync documentation
- Documentation syncs across all machines
- PC and Mac have identical command reference
Previous simplified 39-line stub has been replaced with full
documentation including phases, examples, conflict resolution,
and troubleshooting.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Memory entry prompts Mac session to run scripts/install-hooks.sh
before any GuruRMM work. Syncs via Gitea on next pull.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents bash scripts/install-hooks.sh requirement after cloning gururmm.
Explains the sqlx migration checksum / CRLF root cause so the step makes
sense and doesn't get skipped.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Created platform-level admin account (howard@azcomputerguru.com) on GuruRMM.
Dashboard + API access details in messages/for-howard.md.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CLAUDE.md: Ollama section rewritten. localhost for Mike's workstation,
100.92.127.64:11434 via Tailscale for all other machines. Claude reads
identity.json hostname to determine which URL to use. Firewall rule
restricts to Tailscale 100.0.0.0/8 subnet only.
ONBOARDING.md: updated Ollama section for remote access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Discovered from GUI page source: comment[product_id] + comment[minutes_spent]
+ comment[bill_time_now] are fields on POST /tickets/{id}/comment. This is
how the GUI adds time — as part of the comment, not via separate timer_entry.
Updated billing workflow + added --time/--labor flags to comment command.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Timer entries use POST /tickets/{id}/timer_entry with labor product IDs
(not invoice products). "Make Invoice" converts timers to invoice.
Documented 7 common labor products with IDs. Fixed line_items path to
/invoices/{id}/line_items.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Create, update, close, comment on, search, and bill tickets via Syncro
REST API. Includes customer search, invoice creation, line items, and
ticket timer management. API key from SOPS vault.
Verified: pulls real ticket data from computerguru.syncromsp.com.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Jupiter cache drive at 99% BTRFS data allocation — MariaDB + Discourse
crash-looping. Root cause: 589G OwnCloud data stuck on cache (mover
blocked by active SMB session from OwnCloud VM). Migration in progress
(rsync cache->array disk7, ~90% at time of commit). Also fixed /mode
command to acknowledge /color is user-invokable only.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Five modes: client (orange), dev (cyan), infra (red), general (blue),
remediation (purple). Auto-detects from user messages using keyword
priority rules. Manual override via /mode <name>. Color changes via
/color on mode transitions. Posture adjusts per mode (e.g., infra =
confirm-before-destructive, dev = delegate freely).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Slash command that accepts any folder path, scans all files, classifies
by content (client work, project code, credentials, session logs, tools,
docs), sanitizes credentials into SOPS vault, presents a placement plan
for approval, then executes.
Handles Claude Code session data (delegates to tools/import-sessions.py),
existing project detection, duplicate checks, and credential extraction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Enhance /save and /sync slash commands to attribute commits by author
so Mike and Howard can see at a glance what the other person did.
- sync.sh: loads identity.json, shows incoming/outgoing commits with
author + age before pull/push, groups by author in final summary
- sync.md: describes the new output format + conflict attribution
- save.md: pre-commit Change Summary block + post-commit Summary
Motivation: repo is now shared across team, `git log` alone made it
hard to see "when did Howard change that?" without hunting.
- ONBOARDING.md: comprehensive guide explaining WHY the setup exists
(vault, session logs, skills, agents, Ollama/GrepAI, daily workflow).
Written for someone who's never used Claude Code before.
- CLAUDE.md: on first sync, Claude walks new users through ONBOARDING.md
section by section + sets up git remote for their own Gitea account.
- users.json: Howard's gitea_username added (own account, admin on all repos).
Audit findings noted: GrepAI not installed, Ollama not running,
MCP_SERVERS.md missing. These need fixing per-machine before onboarding
is fully smooth.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- .claude/identity.json (gitignored, per-machine) identifies who's at the keyboard
- .claude/users.json (tracked) registers known team members + roles + machines
- CLAUDE.md: on first sync, Claude asks "Mike or Howard?" and creates identity.json
- Session logs must include User section for attribution
- Git commits use per-user name/email (shared Gitea push account)
- Howard Enos (tech, full trust) added as second team member
- Memory entry created for Howard
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
