Live-verified 2026-06-08: Security Investigator + User Manager + Tenant Admin Graph
tiers all consented and reading (subscribedSkus/organization HTTP 200) on
safesitellc.com (71b4e637-...). The reference's 'NO' was stale (last touched 2026-04-20).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Builds the false-positive/true-positive proof the plan requires before the guard can be
promoted to blocking, and fixes the one false-positive it surfaced.
- test-harness-guard.sh: 12-case matrix in a throwaway repo, runs the REAL guard, asserts
WARN/clean for real conflicts/secrets/keys vs legit content (setext underlines, dividers,
docs that mention a marker, encrypted sops, public keys, .example templates).
- harness-guard.sh: conflict rule now requires a real hunk (BOTH ^<<<<<<< AND ^>>>>>>>),
dropping the lone =======$ trigger that false-positived on a 7-char setext underline /
divider. Identical true-positive power (git writes all three markers); FP surface -> 0.
- /self-check: new harness.guard_selftest runs the matrix in an isolated temp repo (read-only
vs the real tree) so guard correctness is continuously proven.
Verified 12/12 pass, true positives intact, real-tree FP surface = 0. FATAL flip (todo
f1c11d0d, on/after 2026-06-22) is now evidence-backed + one-step.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Task 3 leftover. Adds a 'consistency' category to /self-check that catches a standard
drifting back into restating/contradicting the command that owns the rule -- the Syncro
timers failure mode (standard said 'always timer' while /syncro said 'outlier only').
Deterministic half: each manifest.command_standard_links pair's standard must still carry
its defer-to-SSOT pointer (must_reference regex). Lost pointer = WARN. Seeded with
syncro-billing (time-entry-protocol.md -> /syncro). Semantic contradiction pass delegated
to the model in SKILL.md, mirroring check_memory. Verified PASS; negative-tested.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds a 'harness' category to /self-check (Task 12, self-check half) so the harness-
optimization gains can't silently regress. All read-only / non-invasive:
- VERSION marker present + not older than manifest.harness.min_version
- skill-registry description budget (sum of all SKILL.md description: fields under
registry_desc_budget_chars) -- the metric that catches Task 5 bloating back
- global deploy targets ~/.claude/skills + ~/.claude/commands populated (Mac-wipe failure)
- harness-guard.sh present + wired into sync.sh
- core scripts parse (bash -n on sync/guard/now-phoenix); now-phoenix.sh emits a valid date
Tunables in baseline/manifest.json 'harness' block. Verified 9/9 PASS; budget WARN
negative-tested at a synthetic over-budget value.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The context-lookup standard + CODING_GUIDELINES still said 'GrepAI First' unconditionally.
Updated both to: wiki first for known-entity facts; GrepAI/Grep-before-read for code+discovery.
Keeps the search-before-read token discipline; removes the wiki overlap. Completes the
positioning fix started in e8a689b0 (all 4 sources now consistent: CORE, EXTENDED, standard,
guidelines).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolves the contradiction between CORE (wiki-first) and EXTENDED (which said
'use GrepAI first for any context lookup'). New order: wiki for known entities ->
GrepAI for code call-graphs / discovery / un-compiled detail -> raw reads. Keeps
GrepAI's irreplaceable code-search value; removes the redundant wiki overlap.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Safety prerequisites for the P0 rollout, landed BEFORE any sync.sh change so a bad
harness change cannot strand a node. .claude/harness/VERSION (1.0.0) lets a session
detect partial rollout; .claude/scripts/force-pull-raw.sh is a hook-free git rescue
(dry-run by default; --confirm hard-resets to origin/main, saving prior HEAD to a
recovery branch).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Task 3/3a of the harness-optimization spec. Mike confirmed normal billing uses
add_line_item; timers stay available only for explicit outlier requests, never the
normal loop. Rewrote time-entry-protocol.md to defer to the /syncro command (SSOT for
billing mechanics) and state timers are outlier-only; aligned the command's two
absolute "no timers" lines. Contradiction removed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Optimize the harness (not projects) for accuracy/completeness with context pressure
as a first-class constraint; token efficiency secondary. Authored as a Claude+Grok+
Gemini review (see review-3way.md): P0 reliability footguns (submodule-safe sync,
serialized/staged wiki synthesis, syncro SSOT, warn-only guard), P1 context diet
(one-line registry descriptions, CLAUDE CORE/EXTENDED, thin save/sync), P2 delegation
re-tune, P3 knowledge tiering. Adds harness VERSION marker + OOB recovery as rollout
safety. Python port split to a separate future spec.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Vault sync was failing with "remote: Failed to authenticate user" against
git.azcomputerguru.com. Root cause: Git Credential Manager (first in the
helper chain) shadowed the valid PAT in the store helper with a stale
cached OAUTH_USER JWT.
Fix (machine-local git config, already applied — not in the repo):
- Reset the vault repo credential.helper to store-only (drop inherited GCM).
- Pin azcomputerguru@ in the vault remote URL so store returns the durable
PAT instead of a volatile OAUTH_USER JWT.
Repo change here is documentation only: a feedback memory capturing the
diagnosis + fix, plus an index line in MEMORY.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add .claude/scripts/ff.py, a Firefox browser driver built on Playwright and
the Firefox sibling of the existing cdp.py Chrome driver. It runs a small
background daemon holding one Playwright Firefox page on a persistent profile,
controlled over localhost:9333, with subcommands launch/status/nav/shot/click/
type/eval/console/network/stop. Verified end-to-end (real screenshot, network
and console capture). This is now the preferred browser-automation path because
Mike dislikes Chrome and the claude-in-chrome extension (that connector was
disabled in ~/.claude.json this session - not a repo change).
Add memory reference_ff_firefox_driver.md documenting the driver and an index
line in MEMORY.md. The MEMORY.md change also unavoidably includes a pre-existing
adjacent index line for reference_antigravity_agy_not_headless.md, so that memory
file is bundled in to keep the index consistent.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Robert Wolkin use case is RSW-Laptop accessing file shares + a shared
printer on front. Add a reusable Windows files/printer section to the
pattern (SMB over the tailnet, the 445 firewall-on-Tailscale-interface
gotcha scoped to 100.64.0.0/10, local-account auth on Home, MagicDNS
FQDN, Point-and-Print via RMM, Taildrive alternative). Record the
concrete per-host post-connect config and the printer-type open item in
the client doc.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GuruRMM client Wolkin, Robert / site Main has 3 online Win11 Home agents
(DESKTOP-V1JT1SE, RSW-Laptop, front; agent v0.6.57, IDs recorded).
Tailscale scope is RSW-Laptop -> front only; DESKTOP-V1JT1SE is Bob's
personal machine, intentionally out of scope.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Stub client article (two-machine, non-technical office) tracking the
dedicated-tailnet rollout per the Tailscale client-management pattern.
Indexed under wiki Clients; profile/Syncro fields marked unverified.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
One tailnet per client (never merge into ACG own tailnet), MSP holds Admin,
devices enrolled as tagged nodes via pre-auth keys pushed from GuruRMM.
Includes tailscale-client-enroll.ps1 (idempotent unattended Windows MSI
install + tagged auth-key join), a see-each-other tag ACL, the Windows
subnet-routing reality (userspace/netstack, not the old IP-forward hack),
and a runbook. Indexed under wiki Patterns.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
