Two defects found while running /wiki-compile, both from tooling assuming
a path instead of resolving it.
1. Plaintext Syncro API keys. Mike's and Howard's live PSA keys were
copy-pasted into three command files, a script, and two catalog docs --
despite both already being vaulted at msp-tools/syncro and
msp-tools/syncro-howard. Replaced with reads from the SOPS vault via a
new sourced helper, .claude/scripts/syncro-env.sh. Write paths fail
closed; read-only paths degrade to skipped enrichment rather than a
wrong key. Per-user mapping is unchanged, so Syncro attribution is too.
2. Hardcoded repo root. wiki-compile/wiki-lint/inject-standards and
gen_b64.py hardcoded D:/claudetools; this machine is C:/claudetools.
syncro.md also read ~/.claude/identity.json before the repo copy -- the
same bug that made remediation-tool's consent-audit report a fully
consented tenant as RED. Root now resolves from the script's own
location, with identity.json claudetools_root as the override.
get-identity.sh had a chicken-and-egg bug: it read ${CLAUDETOOLS_ROOT:-.}
but never set it, so every caller had to already know the root. It now
self-resolves and exports CLAUDETOOLS_ROOT + VAULT_ROOT.
Verified: all three command setup blocks authenticate against live Syncro;
get-identity.sh works from any cwd and honors a pre-set root; gps-rmm
autoenroll resolves its key from the vault. security-review: no findings.
NOTE: both keys remain valid in git history. Rotation in the Syncro portal
is the required follow-up -- this commit does not resolve that exposure.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- peaceful-spirit: record the standing 'Mara audit log' (daily PST Deletion Report task,
SACL 4660/4663 on G:\Shares\Scanned) and its new output location under the legal/
partner-review folder (moved 2026-07-02). Surgical update, no full recompile.
- wiki-compile: add an incremental UPDATE mode (now the no-flag default) that folds only
session logs newer than last_compiled via targeted section edits — no Sonnet subagent,
no full-article regeneration. --full is now the explicit REBUILD; --syncro is the
instant Syncro-only refresh. Addresses the slow-rebuild complaint.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
coord.py 'lock release' takes the lock ID; the documented path form no-ops
and strands the lock until TTL. Capture the lock ID at claim (5.0), release
it in Phase 6. Recurring friction (errorlog 2x).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Phase 2a used `customers?name=` which is near-exact and missed slug/name spelling
mismatches — e.g. slug gonzvar-tax-services vs Syncro "Gonzvar Tax Service"
(singular), causing a false "not in Syncro". Switch to `query=` (fuzzy) with a
fallback ladder (first word, then de-pluralized token) before concluding not-found.
Live Sonnet-subagent recompile test inlined real passwords/PSK/RADIUS
secret from a session log into the article; review caught it. Added rule
6b to the synthesis brief: wiki references vault paths only, never raw
secrets (carry-over of values the existing article already discloses is
the only exception).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Seed/full synthesis in /wiki-compile (and the /save Phase 3 recompile) now
delegates the draft to a Sonnet subagent (model: "sonnet") instead of
Ollama qwen3 — better prose quality, no local-Ollama dependency. Refresh
mode unchanged (surgical, no model). Main agent still reviews the draft
before writing (billing/IPs/vault-paths; Patterns/History preserved).
Softfail now keys on subagent unavailability -> surgical refresh.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Skill + template:
- wiki-compile Phase 2P: type-aware authoritative-artifact discovery for
projects (migrations, API routes, agent modules, roadmap-done, commit log),
with a stale-submodule guard that reads origin/main when the pinned
submodule lags. Changelogs treated as incomplete, not authoritative.
- project template: add a Capabilities / Feature Set section.
GuruRMM recompile (from live main artifacts, not session logs):
- Added Capabilities / Feature Set section covering monitoring, remote
execution (incl. system vs user_session contexts), inventory/discovery,
update mgmt, policy, alerting/watchdog, backup, tunnel, identity/security.
- Fixed the misleading "runs as LocalSystem" command-fields line (the gap
that started this) and the stale BUG-001 temperature claim (now shipped).
- Qualified Entra-only SSO; noted safe-rollout is unwired scaffolding.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
/wiki-compile: new skill that seeds or refreshes wiki client articles
from session logs and live Syncro PSA data.
- Three modes: seed (new article), refresh (surgical update), full (--full flag)
- Syncro enrichment for client targets: customer profile, contacts,
open tickets, recent invoices, asset count
- Ambiguous customer search: pause and ask user to pick
- Customer not found: graceful warn + continue with session logs only
- Syncro is authoritative for all billing fields (hours, rate, contract type)
- Refresh mode: surgical edits only (hours, active tickets, frontmatter)
- Seed/full: Ollama qwen3:14b synthesis; Claude-direct fallback
- Asset count in Profile only — no asset detail tables in wiki
- Commits and pushes after write
/wiki-lint: add Step 6 — Syncro Live-Check
- Pulls live prepay_hours for every client article with a Syncro customer ID
- Auto-fixes stale hours in place; commits fixes in one batch
- Flags articles with open tickets and stale compiled date for review
- Adds Syncro section to lint report output
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>