azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: azcomputerguru:ad2
Branches Tags
azcomputerguru:main azcomputerguru:feature/real-time-tunnel azcomputerguru:ad2
...
compare: azcomputerguru:6475ae26db349f288a9e8bd131ce47f2110dbe3c
Branches Tags
azcomputerguru:main azcomputerguru:feature/real-time-tunnel azcomputerguru:ad2

14 Commits
ad2 ... 6475ae26db

Author SHA1 Message Date
Mike Swanson
6475ae26db Session log: SC redirect page, UniFi OS Server VM install, pfSense updates 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-06 14:44:48 -07:00
azcomputerguru
53cadd0f97 Add macOS cross-compilation support for GuruRMM agent 
Enables building macOS agents (Intel and Apple Silicon) on Linux server
without requiring Mac hardware. Successfully tested on M3 MacBook Air.

Changes:
- Configure rustls for macOS builds (easier cross-compilation)
- Keep native-tls for Windows/Linux (Windows 7 compatibility)
- Add osxcross linker configuration for both architectures
- Create build-macos.sh script for automated builds
- Document complete setup in MACOS_BUILD.md

Technical Details:
- Build server: 172.16.3.30 (Ubuntu 22.04)
- Toolchain: osxcross 1.5 with macOS SDK 14.5
- Targets: x86_64-apple-darwin, aarch64-apple-darwin
- Binary sizes: ~3.5M (Intel), ~3.1M (ARM64)
- Build time: ~90 seconds per target

Tested: Successfully connected to wss://rmm-api.azcomputerguru.com/ws
Agent ID: 6177bcac-e046-4166-ac76-a6db68a363ab

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-04-02 20:03:35 -07:00
Mike Swanson
459f6b36d5 Clean up stale references to deleted directive files 
Remove /refresh-directives references from save, checkpoint, scc, sync
commands. Trim sync.md from 400+ lines to essentials.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-02 19:23:39 -07:00
Mike Swanson
bff7d9dbbf sync: Auto-sync from DESKTOP-0O8A1RL at 2026-04-02 19:20:43 
Synced files:
- Session logs updated
- Latest context and credentials
- Command/directive updates

Machine: DESKTOP-0O8A1RL
Timestamp: 2026-04-02 19:20:43

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-04-02 19:20:43 -07:00
Mike Swanson
6e4ebc2db9 refactor: Consolidate directives into CLAUDE.md, delete redundant files 
Deleted:
- directives.md (9-line redirect, obsolete)
- DIRECTIVES_ENFORCEMENT.md (408 lines of enforcement theater)
- AGENT_COORDINATION_RULES.md (merged into CLAUDE.md)
- refresh-directives command (no longer needed)

Updated:
- CLAUDE.md: Added coordination flow, GuruRMM project, removed hardcoded
  DB password, trimmed Ollama section, updated project description
- CODING_GUIDELINES.md: Cut from 428 to ~90 lines, project-specific only

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-02 19:19:06 -07:00
Mike Swanson
3d363e481d Session log: Bardach contact cleanup, Dataforth MFA/auth policy fix, ACE Portables Bitdefender 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-02 19:10:07 -07:00
Mike Swanson
3f53e167ab Session log: GuruRMM installer fixes, agent deploy, feature roadmap 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-02 19:09:19 -07:00
Mike Swanson
7485d8b230 Add GuruRMM feature roadmap: search, OS detail, policies, dynamic groups 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-02 07:27:12 -07:00
Mike Swanson
4c08b0f700 Session log: GuruRMM command mgmt, dashboard design overhaul, dark theme fix 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-01 20:21:29 -07:00
Mike Swanson
c73dcfd9a8 Session log: M365 remediation tool upgrades, multi-client password resets, transport rule fix 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-01 14:43:04 -07:00
Mike Swanson
af71d317b0 Session log: GuruRMM audit, installer system, infrastructure fixes 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-01 13:58:45 -07:00
Mike Swanson
a47a97219c Session log: M365 remediation (MVAN, grabblaw, cascades), data recovery discussion 
- MVAN: investigated credential stuffing on Mitch VanDeveer, enforced MFA CA policy
- Grabblaw: consent flow failed, needs alternative approach
- Cascades Tucson: onboarded to remediation tool successfully
- Memory: "365 remediation tool" = Graph API app fabb3421
- Data recovery: Hitachi Deskstar firmware/service area diagnosis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-31 10:23:35 -07:00
Mike Swanson
b26e185a80 Add TickTick integration, MCP server, and dev project tracking 
New integration with TickTick API for project/task management:
- OAuth 2.0 auth flow (mcp-servers/ticktick/ticktick_auth.py)
- MCP server with 9 tools for Claude Code (ticktick_mcp.py)
- FastAPI service with SOPS vault credentials (api/services/ticktick_service.py)
- JWT-protected REST router at /api/ticktick/ (api/routers/ticktick.py)
- Credentials stored in SOPS vault (services/ticktick.sops.yaml)

Dev project tracking (hybrid TickTick + DB):
- New dev_projects table migration (14 columns, status index)
- TickTick "Dev Projects" list for mobile visibility
- First project seeded: TickTick Integration (linked both sides)

Security: .tokens.json gitignored, token file permissions restricted,
HTML-escaped OAuth callback, SOPS vault (not env vars) for secrets.

Also: Installed Tailscale on ACG-5070 for office network access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-31 10:08:53 -07:00
Mike Swanson
e34f51fe5d Session 2026-03-30: SOPS vault, SC-Syncro sync, Syncro scripts 
- SOPS+age credential vault created (59 encrypted files, separate repo)
- Updated CLAUDE.md credential access to reference SOPS vault
- Updated memory for ACG-5070 (Windows 11, replaces CachyOS)
- SC-Syncro sync script: enriched 410 SC sessions with company/device data
- Syncro scripts: SC property updater, SC deployer, rogue SC killer
- Session log with full details

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-30 19:38:38 -07:00
56 changed files with 6069 additions and 2367 deletions
Expand all files Collapse all files

38
.claude/AGENT_COORDINATION_RULES.md
View File

@@ -1,38 +0,0 @@
# Agent Coordination Rules
**Purpose:** Reference for agents about their responsibilities and coordination patterns.
**Main Claude behavioral rules are in CLAUDE.md - this file is for agent reference only.**
---
## Agent Responsibilities
| Agent | Authority | Examples |
|-------|-----------|----------|
| Database Agent | ALL data operations | Queries, inserts, updates, deletes, API calls |
| Coding Agent | Production code | Python, PowerShell, Bash; new code and modifications |
| Testing Agent | Test execution | pytest, validation scripts, performance tests |
| Code Review Agent | Code quality (MANDATORY) | Security, standards, quality checks before commits |
| Gitea Agent | Git/version control | Commits, pushes, branches, tags |
| Backup Agent | Backup/restore | Create backups, restore data, verify integrity |
## Coordination Flow
```
User request -> Main Claude (coordinator) -> Launches agent(s) -> Agent returns summary -> Main Claude presents to user
```
- Main Claude NEVER queries databases, writes production code, runs tests, or commits directly
- Agents return concise summaries, not raw data
- Independent operations run in parallel
- Use Sequential Thinking MCP for genuinely complex problems
## Skills vs Agents
- **Skills** (Skill tool): Specialized enhancements - frontend-design validation, design patterns
- **Agents** (Task tool): Core operations - database, code, testing, git, backups
- **Rule:** Skills enhance/validate. Agents execute/operate.
---
**Last Updated:** 2026-02-17

158
.claude/CLAUDE.md
View File

@@ -23,26 +23,38 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
**DO NOT** query databases directly (no SSH/mysql/curl to API). **DO NOT** write production code. **DO NOT** run tests. **DO NOT** commit/push. Use the appropriate agent.
### Coordination Flow
```
User request -> Main Claude (coordinator) -> Launches agent(s) -> Agent returns summary -> Main Claude presents to user
```
- Independent operations run in parallel
- Skills (Skill tool) enhance/validate. Agents (Agent tool) execute/operate.
---
## Project Overview
## Projects
**Type:** MSP Work Tracking System | **Status:** Production-Ready (Phase 5 Complete)
**Database:** MariaDB 10.6.22 @ 172.16.3.30:3306 | **API:** http://172.16.3.30:8001
**Stats:** 95+ endpoints, 38 tables, JWT auth, AES-256-GCM encryption
**ClaudeTools** -- MSP Work Tracking System (Production-Ready)
- Database: MariaDB 10.6.22 @ 172.16.3.30:3306 | API: http://172.16.3.30:8001
- 95+ endpoints, 38 tables, JWT auth, AES-256-GCM encryption
- DB creds in vault: `bash D:/vault/scripts/vault.sh get-field projects/claudetools/database.sops.yaml credentials.password`
**DB Connection:** Host: 172.16.3.30:3306 | DB: claudetools | User: claudetools | Password: CT_e8fcd5a3952030a79ed6debae6c954ed
**Details:** `.claude/agents/DATABASE_CONNECTION_INFO.md`
**GuruRMM** -- Remote Monitoring & Management (Active Development)
- Server: Rust/Axum @ 172.16.3.30:3001 | Dashboard: https://rmm.azcomputerguru.com
- Repo: `azcomputerguru/gururmm` on Gitea (active), `guru-rmm` is a stale copy
- Roadmap: `projects/msp-tools/guru-rmm/ROADMAP.md`
---
## Key Rules
- **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
- **No hardcoded credentials** - Use 1Password (`op read "op://Vault/Item/field"`) or encrypted storage
- **No hardcoded credentials** - Use SOPS vault (`vault get-field <path> <field>`) or 1Password as fallback
- **SSH:** Use system OpenSSH (on Windows: `C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
- **Data integrity:** Never use placeholder/fake data. Check credentials.md (op:// refs) or 1Password or ask user.
- **Full coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
- **Data integrity:** Never use placeholder/fake data. Check SOPS vault, credentials.md, or ask user.
- **Coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
---
@@ -57,22 +69,32 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
## Context Recovery
When user references previous work, use `/context` command. Never ask user for info in:
- `credentials.md` - Infrastructure reference with `op://` paths (secrets in 1Password)
- `credentials.md` - Infrastructure reference (being migrated to SOPS vault at D:\vault)
- `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
- `SESSION_STATE.md` - Project history
### 1Password Credential Access
### Credential Access (SOPS Vault - Primary)
Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clients**, **Projects**, **MSP Tools**.
Credentials are stored in SOPS+age encrypted YAML files in a dedicated Gitea repo.
**To read a secret:** `op read "op://VaultName/ItemTitle/field_name"`
**Vault repo:** `D:\vault` (git.azcomputerguru.com/azcomputerguru/vault, private)
**Structure:** infrastructure/, clients/, services/, projects/, msp-tools/
**Service account (non-interactive):** Set `OP_SERVICE_ACCOUNT_TOKEN` env var. Token stored in `op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential`. The service account has Read & Write on all 4 vaults (except Projects which is read-only -- use desktop app auth for Projects writes).
**To read credentials:**
```bash
bash D:/vault/scripts/vault.sh search "keyword" # Search (no decryption needed)
bash D:/vault/scripts/vault.sh get-field <path> <field> # Get specific field
bash D:/vault/scripts/vault.sh get <path> # Decrypt full entry
bash D:/vault/scripts/vault.sh list # List all entries
```
**Setup on new machines:**
1. Install 1Password CLI: https://developer.1password.com/docs/cli/get-started/
2. Sign in: `op signin` (or use desktop app integration)
3. For non-interactive use, add to shell config: `set -gx OP_SERVICE_ACCOUNT_TOKEN "token_value"`
**Encryption:** AES-256 via age. Metadata stays plaintext for searchability.
**age key location:** `%APPDATA%\sops\age\keys.txt` (Windows) / `~/.config/sops/age/keys.txt` (Linux/Mac)
### 1Password (Fallback)
Service account token in vault: `infrastructure/1password-service-account.sops.yaml`
---
@@ -94,6 +116,7 @@ Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clien
- **Dataforth DOS work** -> `projects/dataforth-dos/`
- **ClaudeTools API code** -> `api/`, `migrations/` (existing structure)
- **GuruRMM work** -> `projects/msp-tools/guru-rmm/`
- **Client work** -> `clients/[client-name]/`
- **Session logs** -> project or client `session-logs/` subfolder; general -> root `session-logs/`
- **Full guide:** `.claude/FILE_PLACEMENT_GUIDE.md` (read when saving files, not every session)
@@ -102,103 +125,46 @@ Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clien
## Local AI (Ollama)
Ollama runs locally with GPU acceleration. Use it for tasks that don't need Claude-level reasoning.
### Available Models
Ollama runs locally with GPU acceleration for tasks that don't need Claude-level reasoning.
| Model | Size | Use For |
|-------|------|---------|
| `qwen3:14b` | 9.3 GB | General sub-tasks: summarization, classification, data extraction, drafting |
| `codestral:22b` | 12 GB | Code-specific sub-tasks: code generation, refactoring suggestions, docstring generation |
| `nomic-embed-text` | 274 MB | Embeddings only (used by GrepAI, not for direct use) |
| `qwen3:14b` | 9.3 GB | Summarization, classification, data extraction, drafting |
| `codestral:22b` | 12 GB | Code generation, refactoring suggestions, docstrings |
| `nomic-embed-text` | 274 MB | Embeddings only (used by GrepAI) |
```bash
# Simple prompt
curl -s http://localhost:11434/api/generate -d '{"model":"qwen3:14b","prompt":"...","stream":false}' | jq -r '.response'
```
**Review policy:** Always review Critical/High impact Ollama outputs (auth, security, migrations, production). Trust Low impact (classification, formatting). Flag uncertainty to user.
### GrepAI (Semantic Code Search)
GrepAI indexes the codebase using `nomic-embed-text` embeddings and provides semantic search via MCP server.
**When to use GrepAI instead of Grep/Glob:**
- Finding code by intent ("how does authentication work") rather than exact text
- Exploring unfamiliar areas of the codebase
- Finding related implementations across files
- Context recovery — searching session logs and credentials by meaning
**How to use:**
- **MCP tool:** Use the `grepai` MCP server tools directly (available after MCP loads)
- **deep-explore agent:** Delegate to the `deep-explore` agent for thorough semantic exploration
- **CLI fallback:** `grepai search "your query" --json --compact`
**Maintenance:** The watcher daemon runs in the background and auto-indexes file changes. If search results seem stale, run `grepai watch --stop && grepai watch --background` to restart it.
### Using Ollama for Sub-Tasks
For bulk or repetitive work that doesn't require Claude's full reasoning, offload to local models via Ollama's API:
**When to use Ollama:**
- Processing many items in a loop (e.g., summarizing 50 session logs)
- Generating boilerplate or repetitive code patterns
- Data extraction/classification from structured text
- Draft content that Claude will review/refine
- Any task where speed > quality and results will be verified
**When NOT to use Ollama (use Claude instead):**
- Architectural decisions or complex reasoning
- Security-sensitive code review
- Tasks requiring tool use or multi-step planning
- Final output that goes directly to production
**How to call Ollama:**
```bash
# Simple prompt
curl -s http://localhost:11434/api/generate -d '{"model":"qwen3:14b","prompt":"Summarize this: ...","stream":false}' | jq -r '.response'
# Chat format
curl -s http://localhost:11434/api/chat -d '{"model":"codestral:22b","messages":[{"role":"user","content":"Refactor this function: ..."}],"stream":false}' | jq -r '.message.content'
```
### Ollama Output Review Policy
The coordinator (Claude) must review Ollama outputs based on impact level. Local models are useful but unreliable — they hallucinate, miss edge cases, and produce subtly wrong code.
**Impact levels and review requirements:**
| Level | Review | Examples |
|-------|--------|----------|
| **Critical** | ALWAYS review, verify against source | Code touching auth/security/encryption, credential handling, database migrations, production config, anything user-facing |
| **High** | Review for correctness, spot-check details | API endpoint logic, business rules, infrastructure scripts, client-specific work |
| **Medium** | Skim for obvious errors, trust if reasonable | Internal documentation drafts, session log summaries, data extraction from structured input, boilerplate code |
| **Low** | Trust without review | Classification/tagging of items, reformatting text, generating placeholder content for later editing |
**Review process for Critical/High:**
1. Read Ollama's full output — don't just check if it "looks right"
2. Verify claims against actual files/data (e.g., if it says a function exists, confirm it does)
3. Check for: hallucinated function names, wrong parameter types, missing error handling, security gaps
4. If output is wrong or uncertain, redo the task yourself rather than patching Ollama's attempt
**Batch processing pattern:**
When using Ollama for bulk tasks (e.g., processing N items), review the first 2-3 results fully before trusting the rest. If any are wrong, switch to doing it yourself or fix the prompt and reprocess.
**Flag to user:** If Ollama produces output for a Critical task and you are not confident in your review, tell the user explicitly: "This was generated by a local model and I'm not fully confident in [specific concern]."
Use for intent-based search ("how does auth work"), exploring unfamiliar code, context recovery.
- **MCP tool:** `grepai` server tools
- **Agent:** `deep-explore` agent
- **CLI:** `grepai search "query" --json --compact`
---
## Memory (Shared Across Machines)
Claude Code's auto-memory is stored **in-repo** at `.claude/memory/` so it syncs via Gitea to all workstations.
Stored in-repo at `.claude/memory/` -- syncs via Gitea to all workstations.
Index: `.claude/memory/MEMORY.md`
**IMPORTANT for all machines:** Configure Claude Code to use the repo memory path, NOT the default `~/.claude/projects/` path. When the auto-memory system prompts you to write to `~/.claude/projects/-home-guru-ClaudeTools/memory/`, write to `.claude/memory/` (repo-relative) instead. The index file is `.claude/memory/MEMORY.md`.
This ensures memory created on one workstation (CachyOS, Mac, Windows) is available on all others after a git pull/sync.
**IMPORTANT:** Always write to `.claude/memory/` (repo-relative), NOT `~/.claude/projects/*/memory/`.
---
## Reference (read on-demand, not every session)
## Reference (read on-demand)
- **Project structure, endpoints, workflows, troubleshooting:** `.claude/REFERENCE.md`
- **Project structure, endpoints, workflows:** `.claude/REFERENCE.md`
- **Agent definitions:** `.claude/agents/*.md`
- **MCP servers:** `MCP_SERVERS.md`
- **Coding standards:** `.claude/CODING_GUIDELINES.md`
- **Shared memory:** `.claude/memory/MEMORY.md` (index) + `.claude/memory/*.md` (individual memories)
---
**Last Updated:** 2026-03-22
**Last Updated:** 2026-04-02

417
.claude/CODING_GUIDELINES.md
View File

@@ -1,364 +1,57 @@
# ClaudeTools - Coding Guidelines
## General Principles
These guidelines ensure code quality, consistency, and maintainability across the ClaudeTools project.
Project-specific standards. Generic language conventions (PEP 8, etc.) are assumed knowledge.
---
## Character Encoding and Text
## Character Encoding
### NO EMOJIS - EVER
**Rule:** Never use emojis in any code files, including:
- Python scripts (.py)
- PowerShell scripts (.ps1)
- Bash scripts (.sh)
- Configuration files
- Documentation within code
- Log messages
- Output strings
Never use emojis in code, scripts, config files, log messages, or output strings.
**Rationale:**
- Emojis cause encoding issues (UTF-8 vs ASCII)
- PowerShell parsing errors with special Unicode characters
- Cross-platform compatibility problems
- Terminal rendering inconsistencies
- Version control diff issues
**Rationale:** Causes PowerShell parsing errors, encoding issues, terminal rendering problems.
**Instead of emojis, use:**
```powershell
# BAD - causes parsing errors
Write-Host "✓ Success!"
Write-Host "⚠ Warning!"
# GOOD - ASCII text markers
Write-Host "[OK] Success!"
Write-Host "[SUCCESS] Task completed!"
Write-Host "[WARNING] Check settings!"
Write-Host "[ERROR] Failed to connect!"
**Use instead:**
```
[OK] [SUCCESS] [INFO] [WARNING] [ERROR] [CRITICAL]
```
**Allowed in:**
- User-facing web UI (where Unicode is properly handled)
- Database content (with proper UTF-8 encoding)
- Markdown documentation (README.md, etc.) - use sparingly
**Exception:** User-facing web UI with proper UTF-8 handling.
---
## Python Code Standards
## Naming Conventions
### Style
- Follow PEP 8 style guide
- Use 4 spaces for indentation (no tabs)
- Maximum line length: 100 characters (relaxed from 79)
- Use type hints for function parameters and return values
### Imports
```python
# Standard library imports
import os
import sys
from datetime import datetime
# Third-party imports
from fastapi import FastAPI
from sqlalchemy import Column
# Local imports
from api.models import User
from api.utils import encrypt_data
```
### Naming Conventions
- Classes: `PascalCase` (e.g., `UserService`, `CredentialModel`)
- Functions/methods: `snake_case` (e.g., `get_user`, `create_session`)
- Constants: `UPPER_SNAKE_CASE` (e.g., `API_BASE_URL`, `MAX_RETRIES`)
- Private methods: `_leading_underscore` (e.g., `_internal_helper`)
- **Python:** snake_case functions, PascalCase classes, UPPER_SNAKE constants
- **PowerShell:** PascalCase variables ($TaskName), approved verbs (Get-/Set-/New-)
- **Bash:** lowercase_underscore functions, quote all variables
- **DB tables:** lowercase plural (users, user_sessions), FK as {table}_id
- **DB columns:** created_at/updated_at timestamps, is_/has_ boolean prefixes
---
## PowerShell Code Standards
## Security
### Style
- Use 4 spaces for indentation
- Use PascalCase for variables: `$TaskName`, `$PythonPath`
- Use approved verbs for functions: `Get-`, `Set-`, `New-`, `Remove-`
### Error Handling
```powershell
# Always use -ErrorAction for cmdlets that might fail
$Task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $Task) {
Write-Host "[ERROR] Task not found"
exit 1
}
```
### Output
```powershell
# Use clear status markers
Write-Host "[INFO] Starting process..."
Write-Host "[SUCCESS] Task completed"
Write-Host "[ERROR] Failed to connect"
Write-Host "[WARNING] Configuration missing"
```
- Never hardcode credentials -- use SOPS vault or environment variables
- JWT tokens for API auth, Argon2 for password hashing
- Log all authentication attempts and sensitive operations
- `.env` files are gitignored, never committed
---
## Bash Script Standards
## API Standards
### Style
- Use 2 spaces for indentation
- Always use `#!/bin/bash` shebang
- Quote all variables: `"$variable"` not `$variable`
- Use `set -e` for error handling (exit on error)
### Functions
```bash
# Use lowercase with underscores
function check_connection() {
local host="$1"
echo "[INFO] Checking connection to $host"
}
```
- RESTful with plural nouns: `/api/users`
- Consistent error format: `{"detail": "...", "error_code": "...", "status_code": N}`
- Paginate large result sets
- Document with OpenAPI (automatic with FastAPI)
---
## API Development Standards
## Output Markers
### Endpoints
- Use RESTful conventions
- Use plural nouns: `/api/users` not `/api/user`
- Use HTTP methods appropriately: GET, POST, PUT, DELETE
- Version APIs if breaking changes: `/api/v2/users`
### Error Responses
```python
# Return consistent error format
{
"detail": "User not found",
"error_code": "USER_NOT_FOUND",
"status_code": 404
}
```
### Documentation
- Every endpoint must have a docstring
- Use Pydantic schemas for request/response validation
- Document in OpenAPI (automatic with FastAPI)
---
## Database Standards
### Table Naming
- Use lowercase with underscores: `user_sessions`, `billable_time`
- Use plural nouns: `users` not `user`
- Use consistent prefixes for related tables
### Columns
- Primary key: `id` (UUID)
- Timestamps: `created_at`, `updated_at`
- Foreign keys: `{table}_id` (e.g., `user_id`, `project_id`)
- Boolean: `is_active`, `has_access` (prefix with is_/has_)
### Indexes
```python
# Add indexes for frequently queried fields
Index('idx_users_email', 'email')
Index('idx_sessions_project_id', 'project_id')
```
---
## Security Standards
### Credentials
- Never hardcode credentials in code
- Use environment variables for sensitive data
- Use `.env` files (gitignored) for local development
- Encrypt passwords with AES-256-GCM (Fernet)
### Authentication
- Use JWT tokens for API authentication
- Hash passwords with Argon2
- Include token expiration
- Log all authentication attempts
### Audit Logging
```python
# Log all sensitive operations
audit_log = CredentialAuditLog(
credential_id=credential.id,
action="password_updated",
user_id=current_user.id,
details="Password updated via API"
)
```
---
## Testing Standards
### Test Files
- Name: `test_{module_name}.py`
- Location: Same directory as code being tested
- Use pytest framework
### Test Structure
```python
def test_create_user():
"""Test user creation with valid data."""
# Arrange
user_data = {"email": "test@example.com", "name": "Test"}
# Act
result = create_user(user_data)
# Assert
assert result.email == "test@example.com"
assert result.id is not None
```
### Coverage
- Aim for 80%+ code coverage
- Test happy path and error cases
- Mock external dependencies (database, APIs)
---
## Git Commit Standards
### Commit Messages
```
[Type] Brief description (50 chars max)
Detailed explanation if needed (wrap at 72 chars)
- Change 1
- Change 2
- Change 3
```
### Types
- `[Feature]` - New feature
- `[Fix]` - Bug fix
- `[Refactor]` - Code refactoring
- `[Docs]` - Documentation only
- `[Test]` - Test updates
- `[Config]` - Configuration changes
---
## File Organization
### Directory Structure
```
project/
├── api/ # API application code
│ ├── models/ # Database models
│ ├── routers/ # API endpoints
│ ├── schemas/ # Pydantic schemas
│ ├── services/ # Business logic
│ └── utils/ # Helper functions
├── .claude/ # Claude Code configuration
│ ├── hooks/ # Git-style hooks
│ └── agents/ # Agent instructions
├── scripts/ # Utility scripts
└── migrations/ # Database migrations
```
### File Naming
- Python: `snake_case.py`
- Classes: Match class name (e.g., `UserService` in `user_service.py`)
- Scripts: Descriptive names (e.g., `setup_database.sh`, `test_api.py`)
---
## Documentation Standards
### Code Comments
```python
# Use comments for WHY, not WHAT
# Good: "Retry 3 times to handle transient network errors"
# Bad: "Set retry count to 3"
def fetch_data(url: str) -> dict:
"""
Fetch data from API endpoint.
Args:
url: Full URL to fetch from
Returns:
Parsed JSON response
Raises:
ConnectionError: If API is unreachable
ValueError: If response is invalid JSON
"""
```
### README Files
- Include quick start guide
- Document prerequisites
- Provide examples
- Keep up to date
---
## Error Handling
### Python
```python
# Use specific exceptions
try:
result = api_call()
except ConnectionError as e:
logger.error(f"[ERROR] Connection failed: {e}")
raise
except ValueError as e:
logger.warning(f"[WARNING] Invalid data: {e}")
return None
```
### PowerShell
```powershell
# Use try/catch for error handling
try {
$Result = Invoke-RestMethod -Uri $Url
} catch {
Write-Host "[ERROR] Request failed: $_"
exit 1
}
```
---
## Logging Standards
### Log Levels
- `DEBUG` - Detailed diagnostic info (development only)
- `INFO` - General informational messages
- `WARNING` - Warning messages (non-critical issues)
- `ERROR` - Error messages (failures)
- `CRITICAL` - Critical errors (system failures)
### Log Format
```python
# Use structured logging
logger.info(
"[INFO] User login",
extra={
"user_id": user.id,
"ip_address": request.client.host,
"timestamp": datetime.utcnow()
}
)
```
### Output Markers
All scripts and tools use ASCII status markers:
```
[INFO] Starting process
[SUCCESS] Task completed
@@ -369,60 +62,12 @@ logger.info(
---
## Performance Guidelines
## Git
### Database Queries
- Use indexes for frequently queried fields
- Avoid N+1 queries (use joins or eager loading)
- Paginate large result sets
- Use connection pooling
### API Responses
- Return only necessary fields
- Use pagination for lists
- Compress large payloads
- Cache frequently accessed data
### File Operations
- Use context managers (`with` statements)
- Stream large files (don't load into memory)
- Clean up temporary files
- Commit types: feat, fix, refactor, docs, test, config
- Always include `Co-Authored-By` line for Claude commits
- Never commit .env, credentials, venv, __pycache__, *.log
---
## Version Control
### .gitignore
Always exclude:
- `.env` files (credentials)
- `__pycache__/` (Python cache)
- `*.pyc` (compiled Python)
- `.venv/`, `venv/` (virtual environments)
- `.claude/*.json` (local state)
- `*.log` (log files)
### Branching
- `main` - Production-ready code
- `develop` - Integration branch
- `feature/*` - New features
- `fix/*` - Bug fixes
- `hotfix/*` - Urgent production fixes
---
## Review Checklist
Before committing code, verify:
- [ ] No emojis or special Unicode characters
- [ ] All variables and functions have descriptive names
- [ ] No hardcoded credentials or sensitive data
- [ ] Error handling is implemented
- [ ] Code is formatted consistently
- [ ] Tests pass (if applicable)
- [ ] Documentation is updated
- [ ] No debugging print statements left in code
---
**Last Updated:** 2026-01-17
**Status:** Active
**Last Updated:** 2026-04-02

418
.claude/DIRECTIVES_ENFORCEMENT.md
View File

@@ -1,418 +0,0 @@
# Directives Enforcement Mechanism
**Created:** 2026-01-19
**Purpose:** Ensure Claude consistently follows operational directives and stops taking shortcuts
---
## The Problem
Claude (Main Instance) has a tendency to:
- Take shortcuts by querying database directly instead of using Database Agent
- Use emojis despite explicit prohibition (causes PowerShell errors)
- Execute operations directly instead of coordinating via agents
- Forget directives after conversation compaction or long sessions
**Result:** Violated architecture, broken scripts, inconsistent behavior
---
## The Solution: Multi-Layered Enforcement
### Layer 1: Prominent Directive Reference in claude.md
**File:** `.claude/claude.md` (line 3-15)
```markdown
**FIRST: READ YOUR DIRECTIVES**
Before doing ANYTHING in this project, read and internalize `directives.md` in the project root.
This file defines:
- Your identity (Coordinator, not Executor)
- What you DO and DO NOT do
- Agent coordination rules (NEVER query database directly)
- Enforcement checklist (NO EMOJIS, ASCII markers only)
**If you haven't read directives.md in this session, STOP and read it now.**
Command: `Read directives.md` (in project root: D:\ClaudeTools\directives.md)
```
**Effect:** First thing Claude sees when loading project context
---
### Layer 2: /refresh-directives Command
**File:** `.claude/commands/refresh-directives.md`
**Purpose:** Command to re-read and internalize directives
**User invocation:**
```
/refresh-directives
```
**Auto-invocation points:**
- After `/checkpoint` command
- After `/save` command
- After conversation compaction (detected automatically)
- After large task completion (3+ agents)
- Every 50 tool uses (optional counter-based)
**What it does:**
1. Reads `directives.md` completely
2. Performs self-assessment for violations
3. Commits to following directives
4. Reports status to user
**Output:**
```markdown
## Directives Refreshed
I've re-read my operational directives.
**Key commitments:**
- [OK] Coordinate via agents, not execute
- [OK] Database Agent for ALL data operations
- [OK] ASCII markers only (no emojis)
- [OK] Preserve context by delegating
**Self-assessment:** Clean - no violations detected
**Status:** Ready to coordinate effectively.
```
---
### Layer 3: Integration with /checkpoint Command
**File:** `.claude/commands/checkpoint.md` (step 8)
**After git + database checkpoint:**
```markdown
8. **Refresh directives** (MANDATORY):
- After checkpoint completion, auto-invoke `/refresh-directives`
- Re-read `directives.md` to prevent shortcut-taking
- Perform self-assessment for any violations
- Confirm commitment to agent coordination rules
- Report directives refreshed to user
```
**Effect:** Every checkpoint automatically refreshes directives
---
### Layer 4: Integration with /save Command
**File:** `.claude/commands/save.md` (step 4)
**After saving session log:**
```markdown
4. **Refresh directives** (MANDATORY):
- Auto-invoke `/refresh-directives`
- Re-read `directives.md` to prevent shortcut-taking
- Perform self-assessment for violations
- Confirm commitment to coordination rules
- Report directives refreshed
```
**Effect:** Every session save automatically refreshes directives
---
### Layer 5: directives.md (The Source of Truth)
**File:** `directives.md` (project root)
**Contains:**
- Identity definition (Coordinator, not Executor)
- What Claude DOES and DOES NOT do
- Complete agent coordination rules
- Coding standards (NO EMOJIS - ASCII only)
- Enforcement checklist
- Pre-action verification questions
**Key sections:**
1. My Identity
2. Core Operating Principle
3. What I DO [OK]
4. What I DO NOT DO [ERROR]
5. Agent Coordination Rules
6. Skills vs Agents
7. Automatic Behaviors
8. Coding Standards (NO EMOJIS)
9. Enforcement Checklist
---
## Automatic Trigger Points
### Session Start
```
Claude loads project → Sees claude.md → "READ DIRECTIVES FIRST"
→ Reads directives.md → Internalizes rules → Ready to work
```
### After Checkpoint
```
User: /checkpoint
→ Claude creates git commit + database context
→ Verifies both succeeded
→ AUTO-INVOKES /refresh-directives
→ Re-reads directives.md
→ Confirms ready to proceed
```
### After Save
```
User: /save
→ Claude creates/updates session log
→ Commits to repository
→ AUTO-INVOKES /refresh-directives
→ Re-reads directives.md
→ Confirms ready to proceed
```
### After Conversation Compaction
```
System: [Conversation compacted due to length]
→ Claude detects compaction (system message)
→ AUTO-INVOKES /refresh-directives
→ Re-reads directives.md
→ Restores operational mode
→ Continues with proper coordination
```
### After Large Task
```
Claude completes task using 3+ agents
→ Recognizes major work completed
→ AUTO-INVOKES /refresh-directives
→ Re-reads directives.md
→ Resets to coordination mode
→ Ready for next task
```
---
## Violation Detection
### Self-Assessment Process
**During /refresh-directives, Claude checks:**
**Database Operations:**
- [ ] Did I query database directly via ssh/mysql/curl? → VIOLATION
- [ ] Did I call ClaudeTools API directly? → VIOLATION
- [ ] Did I use Database Agent for data operations? → CORRECT
**Code Generation:**
- [ ] Did I write production code myself? → VIOLATION
- [ ] Did I delegate to Coding Agent? → CORRECT
**Emoji Usage:**
- [ ] Did I use [OK][ERROR][WARNING] or other emojis? → VIOLATION
- [ ] Did I use [OK]/[ERROR]/[WARNING]? → CORRECT
**Agent Coordination:**
- [ ] Did I execute operations directly? → VIOLATION
- [ ] Did I coordinate via agents? → CORRECT
**If violations detected:**
```markdown
[WARNING] Detected 2 directive violations:
- Direct database query at timestamp X
- Emoji usage in output at timestamp Y
[OK] Corrective actions committed:
- Will use Database Agent for all database operations
- Will use ASCII markers [OK]/[ERROR] instead of emojis
[SUCCESS] Directives re-internalized. Proper coordination restored.
```
---
## Benefits
### Prevents Shortcut-Taking
- Regular reminders not to query database directly
- Reinforces agent coordination model
- Stops emoji usage before it causes errors
### Context Recovery
- Restores operational mode after compaction
- Ensures consistency across sessions
- Maintains proper coordination principles
### Self-Correction
- Detects violations automatically
- Commits to corrective behavior
- Provides accountability to user
### User Visibility
- User sees when directives refreshed
- Transparent operational changes
- Builds trust in coordination model
---
## Enforcement Checklist
### For Claude (Self-Check Before Any Action)
**Before database operation:**
- [ ] Read directives.md this session? If no → STOP and read
- [ ] Am I about to query database? → Use Database Agent instead
- [ ] Am I about to use curl/API? → Use Database Agent instead
**Before writing code:**
- [ ] Am I writing production code? → Delegate to Coding Agent
- [ ] Am I using emojis? → STOP, use [OK]/[ERROR]/[WARNING]
**Before git operations:**
- [ ] Am I about to commit? → Delegate to Gitea Agent
- [ ] Am I about to push? → Delegate to Gitea Agent
**After major operations:**
- [ ] Completed checkpoint/save? → Auto-invoke /refresh-directives
- [ ] Completed large task? → Auto-invoke /refresh-directives
- [ ] Conversation compacted? → Auto-invoke /refresh-directives
---
## User Commands
### Manual Refresh
```
/refresh-directives
```
Manually trigger directive re-reading and self-assessment
### Checkpoint (Auto-refresh)
```
/checkpoint
```
Creates git commit + database context, then auto-refreshes directives
### Save (Auto-refresh)
```
/save
```
Creates session log, then auto-refreshes directives
### Sync
```
/sync
```
Pulls latest from Gitea (directives.md included if updated)
---
## Monitoring
### User Can Monitor Compliance
**Check for violations:**
- Look for direct `ssh`, `mysql`, or `curl` commands to database
- Look for emoji characters ([OK][ERROR][WARNING]) in output
- Look for direct code generation (should delegate to Coding Agent)
**If violations detected:**
```
User: /refresh-directives
```
Forces Claude to re-read and commit to directives
---
## Maintenance
### Updating directives.md
**When to update:**
- New agent added to system
- New restriction discovered
- Behavior patterns change
- New shortcut tendencies identified
**Process:**
1. Edit `directives.md` with new rules
2. Commit changes to repository
3. Push to Gitea
4. Invoke `/sync` on other machines
5. Invoke `/refresh-directives` to apply immediately
---
## Summary
**Five-layer enforcement:**
1. **claude.md** - Prominent reference at top (first thing Claude sees)
2. **/refresh-directives command** - Explicit directive re-reading
3. **/checkpoint integration** - Auto-refresh after checkpoints
4. **/save integration** - Auto-refresh after session saves
5. **directives.md** - Complete operational ruleset
**Automatic triggers:**
- Session start
- After /checkpoint
- After /save
- After conversation compaction
- After large tasks
**Result:** Claude consistently follows directives, stops taking shortcuts, maintains proper agent coordination architecture.
---
## Example: Full Enforcement Flow
```
Session Start:
→ Claude loads .claude/claude.md
→ Sees "READ YOUR DIRECTIVES FIRST"
→ Reads directives.md completely
→ Internalizes rules
→ Ready to coordinate (not execute)
User Request:
→ "How many projects in database?"
→ Claude recognizes database operation
→ Checks directives: "Database Agent handles ALL database operations"
→ Launches Database Agent with task
→ Receives count from agent
→ Presents to user
After /checkpoint:
→ Git commit created
→ Database context saved
→ AUTO-INVOKES /refresh-directives
→ Re-reads directives.md
→ Self-assessment: Clean
→ Confirms: "Directives refreshed. Ready to coordinate."
Conversation Compacted:
→ System compacts conversation
→ Claude detects compaction
→ AUTO-INVOKES /refresh-directives
→ Re-reads directives.md
→ Restores coordination mode
→ Continues properly
```
---
**This enforcement mechanism ensures Claude maintains proper operational behavior throughout the entire session lifecycle.**
---
**Created:** 2026-01-19
**Files Modified:**
- `.claude/claude.md` - Added directive reference at top
- `.claude/commands/checkpoint.md` - Added step 8 (refresh directives)
- `.claude/commands/save.md` - Added step 4 (refresh directives)
- `.claude/commands/refresh-directives.md` - New command definition
**Status:** Active enforcement system

9
.claude/commands/checkpoint.md
View File

@@ -40,15 +40,6 @@ Please create a comprehensive git checkpoint with the following steps:
- Confirm git commit succeeded by running `git log -1`
- Report commit status to user
## Part 3: Refresh Directives (MANDATORY)
7. **Refresh directives** (MANDATORY):
- After checkpoint completion, auto-invoke `/refresh-directives`
- Re-read `directives.md` to prevent shortcut-taking
- Perform self-assessment for any violations
- Confirm commitment to agent coordination rules
- Report directives refreshed to user
## Benefits of Git Checkpoint
**Git Checkpoint provides:**

306
.claude/commands/refresh-directives.md
View File

@@ -1,306 +0,0 @@
# /refresh-directives Command
**Purpose:** Re-read and internalize operational directives to prevent shortcut-taking and ensure proper agent coordination.
---
## When to Use
**Automatic triggers (I should invoke this):**
- After conversation compaction/summarization
- After completing a large task
- When detecting directive violations (database queries, emoji use, etc.)
- At start of new work session
- After extended conversation (>100 exchanges)
**Manual invocation:**
- User types: `/refresh-directives`
- User says: "refresh your directives" or "read your rules again"
---
## What This Command Does
1. **Reads directives.md** - Full file from project root
2. **Self-assessment** - Checks recent actions for violations
3. **Commitment** - Explicitly commits to following directives
4. **Reports to user** - Confirms directives internalized
---
## Execution Steps
### Step 1: Read Directives File
```
Read tool → D:\ClaudeTools\directives.md
```
**Must read entire file** - All sections are mandatory:
- My Identity
- Core Operating Principle
- What I DO / DO NOT DO
- Agent Coordination Rules
- Coding Standards (NO EMOJIS)
- Enforcement Checklist
### Step 2: Self-Assessment
**Check recent conversation for violations:**
**Database Operations:**
- [ ] Did I query database directly? (Violation)
- [ ] Did I use ssh/mysql/curl to ClaudeTools API? (Violation)
- [ ] Did I delegate to Database Agent? (Correct)
**Code Generation:**
- [ ] Did I write production code myself? (Violation)
- [ ] Did I delegate to Coding Agent? (Correct)
**Emoji Usage:**
- [ ] Did I use emojis in code/output? (Violation)
- [ ] Did I use ASCII markers [OK]/[ERROR]? (Correct)
**Agent Coordination:**
- [ ] Did I execute operations directly? (Violation)
- [ ] Did I coordinate via agents? (Correct)
### Step 3: Commit to Directives
**Explicit commitment statement:**
"I have read and internalized directives.md. I commit to:
- Coordinating via agents, not executing directly
- Using Database Agent for ALL database operations
- Using ASCII markers, NEVER emojis
- Preserving my context by delegating
- Following the enforcement checklist before every action"
### Step 4: Report to User
**Format:**
```markdown
## Directives Refreshed
I've re-read and internalized my operational directives from `directives.md`.
**Key commitments:**
- [OK] Coordinate via agents (not execute directly)
- [OK] Database Agent handles ALL database operations
- [OK] ASCII markers only (no emojis: [OK], [ERROR], [WARNING])
- [OK] Preserve context by delegating operations >500 tokens
- [OK] Auto-invoke frontend-design skill for UI changes
**Self-assessment:** [Clean / X violations detected]
**Status:** Ready to coordinate effectively.
```
---
## Integration Points
### With /checkpoint Command
**After git commit + database save:**
```
1. Execute checkpoint (git + database)
2. Verify both succeeded
3. Auto-invoke /refresh-directives
4. Confirm directives refreshed
```
### With /save Command
**After creating session log:**
```
1. Create/append session log
2. Commit to repository
3. Auto-invoke /refresh-directives
4. Confirm directives refreshed
```
### With Session Start
**When conversation begins:**
```
1. If directives.md exists → Read it immediately
2. If starting new project → Create directives.md first
3. Confirm directives internalized before proceeding
```
### After Large Tasks
**When completing major work:**
- Multi-agent coordination (3+ agents)
- Complex problem-solving with Sequential Thinking
- Database migrations or schema changes
- Large code refactoring
**Trigger:** Auto-invoke /refresh-directives
---
## Violation Detection
**If I detect violations during self-assessment:**
1. **Acknowledge violations:**
```
[WARNING] Detected X directive violations in recent conversation:
- Violation 1: Direct database query at [timestamp]
- Violation 2: Emoji usage in output at [timestamp]
```
2. **Commit to correction:**
```
[OK] Corrective actions:
- Will use Database Agent for all future database operations
- Will use ASCII markers [OK]/[ERROR] instead of emojis
```
3. **Reset behavior:**
```
[SUCCESS] Directives re-internalized. Proceeding with proper coordination.
```
---
## Example Usage
### User-Invoked
```
User: /refresh-directives
Claude:
[Reads directives.md]
[Performs self-assessment]
[Commits to directives]
## Directives Refreshed
I've re-read my operational directives.
**Key commitments:**
- [OK] Coordinate via agents, not execute
- [OK] Database Agent for ALL data operations
- [OK] ASCII markers only (no emojis)
- [OK] Preserve context by delegating
**Self-assessment:** Clean - no violations detected
**Status:** Ready to coordinate effectively.
```
### Auto-Invoked After Checkpoint
```
Claude: [Completes /checkpoint command]
Claude: [Auto-invokes /refresh-directives]
Claude: [Reads directives.md]
Claude: [Confirms directives internalized]
Checkpoint complete. Directives refreshed. Ready for next task.
```
### Auto-Invoked After Conversation Compaction
```
System: [Conversation compacted]
Claude: [Detects compaction occurred]
Claude: [Auto-invokes /refresh-directives]
Claude: [Reads directives.md]
Claude: [Confirms ready to proceed]
Context compacted. Directives re-internalized. Continuing coordination.
```
---
## Technical Implementation
### Hook Integration
**Create hook:** `.claude/hooks/refresh-directives`
```bash
#!/bin/bash
# Hook: Refresh Directives
# Triggers: session-start, post-checkpoint, post-compaction
echo "[INFO] Triggering directives refresh..."
echo "Reading: D:/ClaudeTools/directives.md"
echo "[OK] Directives file available for refresh"
```
### Command Recognition
**User input patterns:**
- `/refresh-directives`
- `/refresh`
- "refresh your directives"
- "read your rules again"
- "re-read directives"
**Auto-trigger patterns:**
- After `/checkpoint` success
- After `/save` success
- After conversation compaction (detect via system messages)
- Every 50 tool uses (counter-based)
---
## Benefits
### Prevents Shortcut-Taking
- Reminds me not to query database directly
- Reinforces agent coordination model
- Stops emoji usage before it happens
### Context Recovery
- Restores operational mode after compaction
- Ensures consistency across sessions
- Maintains coordination principles
### Self-Correction
- Detects violations automatically
- Commits to corrective behavior
- Provides accountability
### User Visibility
- User sees when directives refreshed
- Transparency in operational changes
- Builds trust in coordination model
---
## Enforcement
**Mandatory refresh points:**
1. [OK] Session start (if directives.md exists)
2. [OK] After conversation compaction
3. [OK] After /checkpoint command
4. [OK] After /save command
5. [OK] When user requests: /refresh-directives
6. [OK] After completing large tasks (3+ agents)
**Optional refresh points:**
- Every 50 tool uses (counter-based)
- When detecting potential violations
- Before critical operations (migrations, deployments)
---
## Summary
**This command ensures I:**
- Never forget my role as Coordinator
- Always delegate to appropriate agents
- Use ASCII markers, never emojis
- Follow enforcement checklist
- Maintain proper agent architecture
**Result:** Consistent, rule-following behavior across all sessions and contexts.
---
**Created:** 2026-01-19
**Purpose:** Enforce directives.md compliance throughout session lifecycle
**Status:** Active - auto-invoke at trigger points

6
.claude/commands/save.md
View File

@@ -75,12 +75,6 @@ Format credentials as:
1. Commit with message: "Session log: [brief description of work done]"
2. Push to gitea remote (if configured)
3. Confirm push was successful
4. **Refresh directives** (MANDATORY):
- Auto-invoke `/refresh-directives`
- Re-read `directives.md` to prevent shortcut-taking
- Perform self-assessment for violations
- Confirm commitment to coordination rules
- Report directives refreshed
## Purpose

2
.claude/commands/scc.md
View File

@@ -32,6 +32,4 @@ Quick command to save session log, stage everything, and push to Gitea in one sh
## Important
- This is a FAST command - no lengthy analysis, just save and ship
- Do NOT invoke /refresh-directives afterward (unlike /sync)
- Do NOT read behavioral guidelines beyond the role reaffirmation above
- Just save, commit, push, reaffirm, report

505
.claude/commands/sync.md
View File

@@ -1,504 +1,29 @@
# /sync - Bidirectional ClaudeTools Sync
Synchronize ClaudeTools configuration, session data, and context bidirectionally with Gitea. Ensures all machines stay perfectly in sync for seamless cross-machine workflow.
Run the automated sync script:
---
## IMPORTANT: Use Automated Sync Script
**CRITICAL:** When user invokes `/sync`, execute the automated sync script instead of manual steps.
**Windows:**
```bash
bash .claude/scripts/sync.sh
```
OR
```cmd
.claude\scripts\sync.bat
```
**Mac/Linux:**
```bash
bash .claude/scripts/sync.sh
```
**Why use the script:**
- Ensures PULL happens BEFORE PUSH (prevents missing remote changes)
- Consistent behavior across all machines
- Proper error handling and conflict detection
- Automated timestamping and machine identification
- No steps can be accidentally skipped
The script automatically:
1. Stages and commits local changes (if any)
2. Fetches and pulls remote changes
3. Pushes local changes
4. Reports sync status
**The script automatically:**
1. Checks for local changes
2. Commits local changes (if any)
3. **Fetches and pulls remote changes FIRST**
4. Pushes local changes
5. Reports sync status
---
## What Gets Synced
**FROM Local TO Gitea (PUSH):**
- Session logs: `session-logs/*.md`
- Project session logs: `projects/*/session-logs/*.md`
- Credentials: `credentials.md` (private repo - safe to sync)
- Project state: `SESSION_STATE.md`
- Commands: `.claude/commands/*.md`
- Directives: `directives.md`
- File placement guide: `.claude/FILE_PLACEMENT_GUIDE.md`
- Behavioral guidelines:
- `.claude/CODING_GUIDELINES.md` (NO EMOJIS, ASCII markers, standards)
- `.claude/AGENT_COORDINATION_RULES.md` (delegation guidelines)
- `.claude/agents/*.md` (agent-specific documentation)
- `.claude/CLAUDE.md` (project context and instructions)
- Any other `.claude/*.md` operational files
- Any other tracked changes
**FROM Gitea TO Local (PULL):**
- All of the above from other machines
- Latest commands and configurations
- Updated session logs from other sessions
- Project-specific work and documentation
---
## Execution Steps
### Phase 1: Prepare Local Changes
1. **Navigate to ClaudeTools repo:**
```bash
cd ~/ClaudeTools # or D:\ClaudeTools on Windows
```
2. **Check repository status:**
```bash
git status
```
Report number of changed/new files to user
3. **Stage all changes:**
```bash
git add -A
```
This includes:
- New/modified session logs
- Updated credentials.md
- SESSION_STATE.md changes
- Command updates
- Directive changes
- Behavioral guidelines (CODING_GUIDELINES.md, AGENT_COORDINATION_RULES.md, etc.)
- Agent documentation
- Project documentation
4. **Auto-commit local changes with timestamp:**
```bash
git commit -m "sync: Auto-sync from [machine-name] at [timestamp]
Synced files:
- Session logs updated
- Latest context and credentials
- Command/directive updates
Machine: [hostname]
Timestamp: [YYYY-MM-DD HH:MM:SS]
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"
```
**Note:** Only commit if there are changes. If working tree is clean, skip to Phase 2.
---
### Phase 2: Sync with Gitea
5. **Pull latest changes from Gitea:**
```bash
git pull origin main --rebase
```
**Handle conflicts if any:**
- Session logs: Keep both versions (rename conflicting file with timestamp)
- credentials.md: Manual merge required - report to user
- Other files: Use standard git conflict resolution
Report what was pulled from remote
6. **Push local changes to Gitea:**
```bash
git push origin main
```
Confirm push succeeded
---
### Phase 3: Apply Configuration Locally
7. **Copy commands to global Claude directory:**
```bash
mkdir -p ~/.claude/commands
cp -r ~/ClaudeTools/.claude/commands/* ~/.claude/commands/
```
These slash commands are now available globally
8. **Apply global settings if available:**
```bash
if [ -f ~/ClaudeTools/.claude/settings.json ]; then
cp ~/ClaudeTools/.claude/settings.json ~/.claude/settings.json
fi
```
9. **Sync project settings:**
```bash
if [ -f ~/ClaudeTools/.claude/settings.local.json ]; then
# Read and note any project-specific settings
fi
```
---
### Phase 4: Context Recovery
10. **Find and read most recent session logs:**
Check all locations:
- `~/ClaudeTools/session-logs/*.md` (general)
- `~/ClaudeTools/projects/*/session-logs/*.md` (project-specific)
Report the 3 most recent logs found:
- File name and location
- Last modified date
- Brief summary of what was worked on (from first 5 lines)
11. **Read behavioral guidelines and directives:**
```bash
cat ~/ClaudeTools/directives.md
cat ~/ClaudeTools/.claude/CODING_GUIDELINES.md
cat ~/ClaudeTools/.claude/AGENT_COORDINATION_RULES.md
```
Internalize operational directives and behavioral rules to ensure:
- Proper coordination mode (delegate vs execute)
- NO EMOJIS rule enforcement
- Agent delegation patterns
- Coding standards compliance
---
### Phase 5: Report Sync Status
12. **Summarize what was synced:**
```
## Sync Complete
[OK] Local changes pushed to Gitea:
- X session logs updated
- credentials.md synced
- SESSION_STATE.md updated
- Y command files
[OK] Remote changes pulled from Gitea:
- Z files updated from other machines
- Latest session: [most recent log]
[OK] Configuration applied:
- Commands available: /checkpoint, /context, /save, /sync, etc.
- Directives internalized (coordination mode, delegation rules)
- Behavioral guidelines internalized (NO EMOJIS, ASCII markers, coding standards)
- Agent coordination rules applied
- Global settings applied
Recent work (last 3 sessions):
1. [date] - [project] - [brief summary]
2. [date] - [project] - [brief summary]
3. [date] - [project] - [brief summary]
**Status:** All machines in sync. Ready to continue work.
```
13. **Refresh directives (auto-invoke):**
Automatically invoke `/refresh-directives` to internalize all synced behavioral guidelines:
- Re-read directives.md
- Re-read CODING_GUIDELINES.md
- Re-read AGENT_COORDINATION_RULES.md
- Perform self-assessment for violations
- Commit to following all behavioral rules
**Why this is critical:**
- Ensures latest behavioral rules are active
- Prevents shortcut-taking after sync
- Maintains coordination discipline
- Enforces NO EMOJIS and ASCII marker rules
- Ensures proper agent delegation
---
After the script completes, report the 3 most recent session logs:
```bash
ls -t session-logs/*.md projects/*/session-logs/*.md clients/*/session-logs/*.md 2>/dev/null | head -3
```
## Conflict Resolution
### Session Log Conflicts
If both machines created session logs with same date:
1. Keep both versions
2. Rename to: `YYYY-MM-DD-session-[machine].md`
3. Report conflict to user
### credentials.md Conflicts
If credentials.md has conflicts:
1. Do NOT auto-merge
2. Report conflict to user
3. Show conflicting sections
4. Ask user which version to keep or how to merge
### Other File Conflicts
Standard git conflict markers:
1. Report files with conflicts
2. Show conflict sections
3. Ask user to resolve manually or provide guidance
---
## Machine Detection
Automatically detect machine name for commit messages:
**Windows:**
```powershell
$env:COMPUTERNAME
```
**Mac/Linux:**
```bash
hostname
```
**Timestamp format:**
```bash
date "+%Y-%m-%d %H:%M:%S"
```
---
## Benefits
### Seamless Multi-Machine Workflow
- Start work on one machine, continue on another
- All session context automatically synchronized
- Credentials available everywhere (private repo)
- Commands and directives stay consistent
- Behavioral rules enforced identically (NO EMOJIS, delegation patterns, coding standards)
### Complete Context Preservation
- Never lose session data
- Full history across all machines
- Searchable via git log
- Rollback capability if needed
### Zero Manual Sync
- One command syncs everything
- Auto-commit prevents forgotten changes
- Push/pull happens automatically
- Conflicts handled gracefully
---
## Usage Examples
### Standard Sync (Most Common)
```
User: /sync
Claude:
[Commits local changes]
[Pulls from Gitea]
[Pushes to Gitea]
[Applies configuration]
[Reports status]
[Auto-invokes /refresh-directives]
Sync complete. 3 session logs pushed, 2 updates pulled.
Directives refreshed. Ready to continue work.
```
### Sync Before Important Work
```
User: "I'm switching to my other machine. /sync"
Claude:
[Syncs everything]
Report: Latest work on Dataforth DOS dashboard pushed to Gitea.
All session logs and credentials synced.
You can now pull on the other machine to continue.
```
### Daily Morning Sync
```
User: /sync
Claude:
[Pulls overnight changes from other machines]
[Auto-invokes /refresh-directives]
Report: Found 2 new sessions from yesterday evening.
Latest: GuruRMM dashboard redesign completed.
Context recovered. Directives refreshed. Ready for today's work.
```
---
- **Session logs:** Keep both, rename with machine suffix
- **credentials.md:** Do NOT auto-merge, report to user
- **Other files:** Standard git conflict resolution
## Error Handling
### Network Issues
If git pull/push fails:
1. Report connection error
2. Show what was committed locally
3. Suggest retry or manual sync
4. Changes are safe (committed locally)
### Authentication Issues
If Gitea authentication fails:
1. Report auth error
2. Check SSH keys or credentials
3. Provide troubleshooting steps
4. Manual push may be needed
### Merge Conflicts
If automatic merge fails:
1. Report which files have conflicts
2. Show conflict markers
3. Ask for user guidance
4. Offer to abort merge if needed
---
## Security Notes
**credentials.md Syncing:**
- Private repository on Gitea (https://git.azcomputerguru.com)
- Only accessible to authorized user
- Encrypted in transit (HTTPS/SSH)
- Safe to sync sensitive credentials
- Enables cross-machine access
**What's NOT synced:**
- `.env` files (gitignored)
- API virtual environment (api/venv/)
- Database files (local development)
- Temporary files (*.tmp, *.log)
- node_modules/ directories
---
## Integration with Other Commands
### After /checkpoint
User can run `/sync` after `/checkpoint` to push the checkpoint to Gitea:
```
User: /checkpoint
Claude: [Creates git commit]
User: /sync
Claude: [Pushes checkpoint to Gitea]
```
### Before /save
User can sync first to see latest context:
```
User: /sync
Claude: [Shows latest session logs]
User: /save
Claude: [Creates session log with full context]
```
### With /context
Syncing ensures `/context` has complete history:
```
User: /sync
Claude: [Syncs all session logs]
User: /context Dataforth
Claude: [Searches complete session log history including other machines]
```
### Auto-invokes /refresh-directives
**IMPORTANT:** `/sync` automatically invokes `/refresh-directives` at the end:
```
User: /sync
Claude:
[Phase 1: Commits local changes]
[Phase 2: Pulls/pushes to Gitea]
[Phase 3: Applies configuration]
[Phase 4: Recovers context]
[Phase 5: Reports status]
[Auto-invokes /refresh-directives]
[Confirms directives internalized]
Sync complete. Directives refreshed. Ready to coordinate.
```
**Why automatic:**
- Ensures latest behavioral rules are active after pulling changes
- Prevents using outdated directives from previous sync
- Maintains coordination discipline across all machines
- Enforces NO EMOJIS rule after any directive updates
- Critical after conversation compaction or multi-machine sync
---
## Frequency Recommendations
**Daily:** Start of work day
- Pull overnight changes
- See what was done on other machines
- Recover latest context
**After Major Work:** End of coding session
- Push session logs
- Share context across machines
- Backup to Gitea
**Before Switching Machines:**
- Push all local changes
- Ensure other machine can pull
- Seamless transition
**Weekly:** General maintenance
- Keep repos in sync
- Review session log history
- Clean up if needed
---
## Troubleshooting
### "Already up to date" but files seem out of sync
```bash
# Force status check
cd ~/ClaudeTools
git fetch origin
git status
```
### "Divergent branches" error
```bash
# Rebase local changes on top of remote
git pull origin main --rebase
```
### Lost uncommitted changes
```bash
# Check stash
git stash list
# Recover if needed
git stash pop
```
---
**Created:** 2026-01-21
**Purpose:** Bidirectional sync for seamless multi-machine ClaudeTools workflow
**Repository:** https://git.azcomputerguru.com/azcomputerguru/claudetools.git
**Status:** Active - comprehensive sync with context preservation
If push fails with auth error, retry once (transient Gitea auth issue).
If pull fails with conflicts, report affected files and ask for guidance.

6
.claude/memory/MEMORY.md
View File

@@ -6,16 +6,18 @@
- [IX Server SSH Access](reference_ix_server_ssh.md) - SSH access notes, no key auth from CachyOS workstation yet
- [IX Access via Tailscale](reference_ix_access_tailscale.md) - IX server accessible with Tailscale on, no VPN needed
- [Neptune Access via D2TESTNAS](reference_neptune_access_d2testnas.md) - Neptune must be routed through D2TESTNAS
- [CachyOS Workstation Setup](reference_workstation_setup.md) - Dual NVMe, autostart apps, key fixes applied, old home location
- [ACG-5070 Workstation](reference_workstation_setup.md) - Windows 11, replaced CachyOS. SOPS vault, Ollama, all dev tools.
- [Matomo Analytics](reference_matomo_analytics.md) - Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites
- [Dataforth Contact - AJ](reference_dataforth_contact.md) - AJ at Dataforth, dataforthgit@ email forwarding to him
- [TickTick Integration](reference_ticktick_integration.md) - OAuth API integration, MCP server, SOPS vault creds, project/task CRUD
## Feedback
- [D2TESTNAS SSH Access](feedback_d2testnas_ssh.md) - Use root@192.168.0.9 with Paper123!@#, not sysadmin
- [Bypass Permissions Setting](feedback_bypass_permissions_setting.md) - Set permissions.defaultMode to bypassPermissions in settings.json on all machines
- [365 Remediation Tool](feedback_365_remediation_tool.md) - Always means Graph API app fabb3421, not CIPP
## Machine
- [Windows GURU-BEAST-ROG Setup](machine_windows_guru_setup_status.md) - Fully configured: Node.js, Ollama (qwen3:14b, nomic-embed-text), GrepAI, MCP servers. Pending: codestral:22b pull
- [ACG-5070 Workstation Setup](reference_workstation_setup.md) - Windows 11 Pro clean install 2026-03-30, replaced CachyOS. All tools installed.
## Project
- [Audio Processor Architecture](project_audio_processor_architecture.md) - Segment-first pipeline: detect breaks before transcription for complete content capture

30
.claude/memory/feedback_365_remediation_tool.md Normal file
View File

@@ -0,0 +1,30 @@
---
name: 365 Remediation Tool Reference
description: "365 remediation tool" always means the Claude-MSP-Access Graph API app (fabb3421-8b34-484b-bc17-e46de9703418), not CIPP
type: feedback
---
When user says "365 remediation tool" or "remediation tool", they ALWAYS mean the Claude-MSP-Access Graph API application (App ID: fabb3421-8b34-484b-bc17-e46de9703418). This is NOT CIPP.
**Why:** User explicitly clarified this after I incorrectly navigated to CIPP. The remediation tool is direct Graph API access using client credentials flow against customer tenants.
**How to apply:** Authenticate directly via Graph API using the app's client secret from SOPS vault (`msp-tools/claude-msp-access-graph-api.sops.yaml`), get tenant ID from OpenID discovery for the target domain, and query Graph API endpoints directly. No browser/UI needed.
### Directory Role Requirements (discovered 2026-04-01)
Graph API permissions alone are NOT sufficient for privileged operations. The service principal also needs Entra directory roles assigned per-tenant:
| Operation | Required Directory Role |
|-----------|----------------------|
| Password reset | User Administrator |
| Exchange transport rules, mailbox permissions | Exchange Administrator |
**Roles assigned so far:**
- Valleywide Plastering (5c53ae9f...): User Administrator
- Dataforth (7dfa3ce8...): User Administrator, Exchange Administrator
**For new tenants:** After admin consent, manually assign roles via Entra portal > Roles and administrators. The app cannot self-assign directory roles.
### Exchange Online REST API
For Exchange cmdlets (Get-TransportRule, Add-MailboxPermission, etc.), use scope `https://outlook.office365.com/.default` and POST to `https://outlook.office365.com/adminapi/beta/$TENANT_ID/InvokeCommand` with `{"CmdletInput":{"CmdletName":"...", "Parameters":{...}}}`.

31
.claude/memory/feedback_bypass_permissions_setting.md
View File

@@ -1,20 +1,23 @@
---
name: Bypass Permissions Persistent Setting
description: Configure settings.json on all machines to persist bypass permissions mode across context compressions
name: Bypass Permissions and Act Autonomously
description: Never ask for permission or confirmation -- just execute. User is an experienced engineer who wants autonomous operation.
type: feedback
---
Always set `permissions.defaultMode` to `"bypassPermissions"` in `~/.claude/settings.json` on all workstations.
NEVER ask "want me to proceed?", "should I?", "which option?", or any variation. Just do it.
**Why:** The `--dangerously-skip-permissions` CLI flag is not preserved when Claude Code compresses context or resumes sessions -- the new process starts without the flag, causing unexpected permission prompts mid-session. This is a known bug (GitHub issue #21974).
**Why:** User has explicitly and repeatedly asked not to be prompted for permissions or confirmations. Every time Claude asks instead of acting, it wastes time and frustrates the user. The user is a senior engineer who trusts Claude to make reasonable decisions and execute.
**How to apply:** On any new machine setup, ensure `~/.claude/settings.json` includes:
```json
{
"permissions": {
"defaultMode": "bypassPermissions"
},
"skipDangerousModePermissionPrompt": true
}
```
This makes bypass mode the default without needing the CLI flag. Both keys are needed -- `defaultMode` sets the mode, `skipDangerousModePermissionPrompt` suppresses the warning dialog.
**How to apply:**
- When there are multiple valid approaches and no direction has been set, it's OK to ask which path. But once a path is chosen, execute without asking.
- When a task has clear next steps, execute them immediately. Don't pause for approval.
- Asking about unclear requirements or missing context is fine. Asking "should I do the thing you told me to do?" is not.
- `permissions.defaultMode` must be `"bypassPermissions"` in `~/.claude/settings.json` on all machines. Both keys needed:
```json
{
"permissions": { "defaultMode": "bypassPermissions" },
"skipDangerousModePermissionPrompt": true
}
```
- This applies to tool calls, git operations, file edits, agent launches -- everything.
- The ONLY exception: truly destructive operations on shared/production systems (dropping databases, force-pushing main). Even then, a brief "doing X" is better than "should I do X?"

33
.claude/memory/reference_ticktick_integration.md Normal file
View File

@@ -0,0 +1,33 @@
---
name: TickTick Integration
description: TickTick API integration for project/task management - OAuth credentials in SOPS vault, MCP server, API service
type: reference
---
## TickTick Integration (Built 2026-03-31)
**App Name:** ClaudeTools (registered at developer.ticktick.com)
### Credentials
- SOPS vault: `services/ticktick.sops.yaml`
- Fields: `credentials.client_id`, `credentials.client_secret`, `credentials.oauth_redirect_url`
- OAuth tokens: `mcp-servers/ticktick/.tokens.json` (gitignored, auto-refreshed)
### Components
- **MCP Server:** `mcp-servers/ticktick/ticktick_mcp.py` - 9 tools for Claude Code (registered in `.mcp.json`)
- **OAuth Auth:** `mcp-servers/ticktick/ticktick_auth.py` - One-time browser auth flow (localhost:9876 callback)
- **API Service:** `api/services/ticktick_service.py` - Async service, SOPS vault credentials, auto token refresh
- **API Router:** `api/routers/ticktick.py` - REST at `/api/ticktick/`, JWT-protected
### TickTick API
- Base URL: `https://api.ticktick.com/open/v1`
- Auth: OAuth 2.0 Bearer tokens, scopes: `tasks:read tasks:write`
- No webhooks (must poll), no search endpoint (filter client-side)
- Priority values: 0=none, 1=low, 3=medium, 5=high (non-sequential)
- Token endpoint requires `application/x-www-form-urlencoded` (not JSON)
### MCP Tools
`ticktick_list_projects`, `ticktick_get_project`, `ticktick_create_project`, `ticktick_update_project`, `ticktick_delete_project`, `ticktick_create_task`, `ticktick_update_task`, `ticktick_complete_task`, `ticktick_delete_task`
### Re-auth
If tokens expire completely, run: `python mcp-servers/ticktick/ticktick_auth.py` from bash (not PowerShell - needs vault access via bash).

47
.claude/memory/reference_workstation_setup.md
View File

@@ -1,35 +1,32 @@
---
name: CachyOS Workstation Setup
description: Current workstation config - CachyOS on ASUS laptop, dual NVMe, autostart apps, old home btrfs subvolume location
name: ACG-5070 Workstation Setup
description: Primary workstation ACG-5070 (Windows 11 Pro), clean install 2026-03-30. Replaced CachyOS.
type: reference
---
## Workstation: acg-guru-5070
## Workstation: ACG-5070
- **OS:** CachyOS (Arch-based), kernel 6.19.x
- **DE:** KDE Plasma 6 (Wayland)
- **CPU/GPU:** Intel Arrow Lake-S + NVIDIA RTX 5070 Ti Mobile
- **Tailscale IP:** 100.95.216.79
- **OS:** Windows 11 Pro (clean install 2026-03-30)
- **Previous OS:** CachyOS Linux (gone, replaced by Windows)
- **Hardware:** ASUS laptop, Intel Arrow Lake-S + NVIDIA RTX 5070 Ti Mobile, dual NVMe
### Storage
- **nvme0n1:** 954GB btrfs - CachyOS install (OS, root)
- **nvme1n1:** 954GB ext4 - `/home` (formatted from old Windows drive)
- **Old home:** btrfs `@home` subvolume on nvme0n1, mount with: `sudo mount -o subvol=@home UUID=8a8b1d34-99fb-470f-82ca-b5d08e43ec32 /mnt/old-home`
### Installed Tools
- Node.js v24.14.1, npm 11.11.0
- Git 2.53.0, Python 3.14.3
- 1Password CLI 2.33.1 (desktop app integration)
- Ollama 0.18.3 (models on D:\OllamaModels: qwen3:14b, codestral:22b, nomic-embed-text)
- Claude Code 2.1.87
- sops 3.7.3, age 1.3.1, yq 4.52.5
- jq, curl, Windows OpenSSH
- Missing: gh (GitHub CLI)
### Autostart Apps (~/.config/autostart/)
- `arch-update-tray.desktop` (pre-existing)
- `cachyos-hello.desktop` (pre-existing)
- `discord.desktop` (added, starts minimized)
- `tailscale-systray.desktop` (added)
- ScreenConnect: autostart removed (on-demand only via URI scheme handler from web UI)
### SOPS Vault
- age key: %APPDATA%\sops\age\keys.txt
- Vault repo: D:\vault (git.azcomputerguru.com/azcomputerguru/vault)
- 1Password backup: "age Key - ACG-5070 (Windows)" in Infrastructure vault
### Known Issues
- **Warm reboot hangs:** Rebooting (e.g. for GPU issues) causes system to hang with spinning symbol — requires hard power-off. Observed multiple times. Likely NVIDIA driver not unloading cleanly during shutdown.
### Key Fixes Applied
- **Tailscale:** `--accept-routes`, systemd-resolved + NetworkManager DNS config
- **Brightness:** Hide nvidia_0 backlight via udev rule, KDE controls intel_backlight only
- **ScreenConnect:** dpkg + full JRE + Wayland patch (GDK_BACKEND=x11)
- **Sudo:** NOPASSWD for guru user
### Other Machines
- GURU-BEAST-ROG (Windows 11) -- needs vault setup (sops, age, yq, clone repo, generate age key, rotate)
- Mikes-MacBook-Air (macOS) -- needs vault setup
**How to apply:** Reference when troubleshooting workstation issues or setting up additional services.

1
.gitignore vendored
View File

@@ -53,6 +53,7 @@ build/
*.sqlite
logs/
.claude/tokens.json
**/.tokens.json
.claude/context-recall-config.env
.claude/context-recall-config.env.backup
.claude/context-cache/

4
api/main.py
View File

@@ -35,6 +35,7 @@ from api.routers import (
version,
quotes,
admin_quotes,
ticktick,
)
# Import middleware
@@ -130,6 +131,9 @@ app.include_router(bulk_import.router, prefix="/api/bulk-import", tags=["Bulk Im
app.include_router(quotes.router, prefix="/api/quotes", tags=["Quotes"])
app.include_router(admin_quotes.router, prefix="/api/admin/quotes", tags=["Admin Quotes"])
# External integrations
app.include_router(ticktick.router, prefix="/api/ticktick", tags=["TickTick"])
if __name__ == "__main__":
import uvicorn

333
api/routers/ticktick.py Normal file
View File

@@ -0,0 +1,333 @@
"""
TickTick API router for ClaudeTools.
This module defines REST API endpoints for managing TickTick projects and tasks,
proxying requests through the TickTickService with automatic token management.
"""
import logging
from typing import Optional
from fastapi import APIRouter, Depends, HTTPException, status
from pydantic import BaseModel, Field
from api.middleware.auth import get_current_user
from api.services.ticktick_service import TickTickResult, get_ticktick_service
logger = logging.getLogger(__name__)
router = APIRouter()
# --------------------------------------------------------------------------
# Pydantic request/response schemas
# --------------------------------------------------------------------------
class ProjectCreate(BaseModel):
"""Schema for creating a new TickTick project."""
name: str = Field(..., min_length=1, max_length=200, description="Project name")
color: Optional[str] = Field(
None, description="Hex color string (e.g., '#FF6347')"
)
view_mode: Optional[str] = Field(
None, description="View mode: 'list', 'kanban', or 'timeline'"
)
kind: Optional[str] = Field(
None, description="Project kind: 'TASK' or 'NOTE'"
)
class ProjectUpdate(BaseModel):
"""Schema for updating an existing TickTick project."""
name: Optional[str] = Field(
None, min_length=1, max_length=200, description="New project name"
)
color: Optional[str] = Field(None, description="New hex color string")
view_mode: Optional[str] = Field(None, description="New view mode")
class TaskCreate(BaseModel):
"""Schema for creating a new task in a TickTick project."""
title: str = Field(..., min_length=1, max_length=500, description="Task title")
content: Optional[str] = Field(None, description="Task description/content")
priority: Optional[int] = Field(
None,
ge=0,
le=5,
description="Priority: 0=none, 1=low, 3=medium, 5=high",
)
due_date: Optional[str] = Field(
None, description="Due date in ISO 8601 format"
)
tags: Optional[list[str]] = Field(None, description="List of tag strings")
class TaskUpdate(BaseModel):
"""Schema for updating an existing task."""
title: Optional[str] = Field(
None, min_length=1, max_length=500, description="New task title"
)
content: Optional[str] = Field(None, description="New task content")
priority: Optional[int] = Field(
None, ge=0, le=5, description="New priority level"
)
due_date: Optional[str] = Field(None, description="New due date in ISO 8601 format")
tags: Optional[list[str]] = Field(None, description="New list of tags")
class TickTickResponse(BaseModel):
"""Standard response wrapper for all TickTick endpoints."""
success: bool
data: Optional[dict] = None
error: Optional[str] = None
# --------------------------------------------------------------------------
# Helpers
# --------------------------------------------------------------------------
def _to_response(result: TickTickResult, status_code_on_error: int = 500) -> dict:
"""
Convert a TickTickResult to a JSON-serializable response dict.
Raises an HTTPException when the result indicates failure.
Args:
result: The service result to convert.
status_code_on_error: HTTP status code for error responses.
Returns:
Dict matching the TickTickResponse schema.
"""
if not result.success:
raise HTTPException(
status_code=status_code_on_error,
detail={
"success": False,
"data": None,
"error": result.error or "Unknown error",
},
)
return {"success": True, "data": result.data, "error": None}
# --------------------------------------------------------------------------
# Project endpoints
# --------------------------------------------------------------------------
@router.get(
"",
response_model=TickTickResponse,
summary="List all TickTick projects",
status_code=status.HTTP_200_OK,
)
async def list_projects(current_user: dict = Depends(get_current_user)):
"""
Retrieve all projects (lists) from the authenticated TickTick account.
**Example Request:**
```
GET /api/ticktick
```
"""
service = get_ticktick_service()
result = await service.list_projects()
return _to_response(result)
@router.get(
"/{project_id}",
response_model=TickTickResponse,
summary="Get a TickTick project with tasks",
status_code=status.HTTP_200_OK,
)
async def get_project(project_id: str, current_user: dict = Depends(get_current_user)):
"""
Retrieve a single project and its associated task data.
**Path Parameters:**
- **project_id**: The TickTick project ID.
"""
service = get_ticktick_service()
result = await service.get_project(project_id)
return _to_response(result, status_code_on_error=404)
@router.post(
"",
response_model=TickTickResponse,
summary="Create a new TickTick project",
status_code=status.HTTP_201_CREATED,
)
async def create_project(body: ProjectCreate, current_user: dict = Depends(get_current_user)):
"""
Create a new project (list) in TickTick.
**Request Body:**
- **name** (required): Project name.
- **color**: Hex color string.
- **view_mode**: View mode ('list', 'kanban', 'timeline').
- **kind**: Project kind ('TASK' or 'NOTE').
"""
service = get_ticktick_service()
result = await service.create_project(
name=body.name,
color=body.color,
view_mode=body.view_mode,
kind=body.kind,
)
return _to_response(result, status_code_on_error=400)
@router.put(
"/{project_id}",
response_model=TickTickResponse,
summary="Update a TickTick project",
status_code=status.HTTP_200_OK,
)
async def update_project(project_id: str, body: ProjectUpdate, current_user: dict = Depends(get_current_user)):
"""
Update an existing project's properties.
**Path Parameters:**
- **project_id**: The TickTick project ID to update.
**Request Body:**
At least one field must be provided.
"""
service = get_ticktick_service()
result = await service.update_project(
project_id=project_id,
name=body.name,
color=body.color,
view_mode=body.view_mode,
)
return _to_response(result, status_code_on_error=400)
@router.delete(
"/{project_id}",
response_model=TickTickResponse,
summary="Delete a TickTick project",
status_code=status.HTTP_200_OK,
)
async def delete_project(project_id: str, current_user: dict = Depends(get_current_user)):
"""
Delete a project from TickTick.
**Path Parameters:**
- **project_id**: The TickTick project ID to delete.
"""
service = get_ticktick_service()
result = await service.delete_project(project_id)
return _to_response(result, status_code_on_error=404)
# --------------------------------------------------------------------------
# Task endpoints
# --------------------------------------------------------------------------
@router.post(
"/{project_id}/tasks",
response_model=TickTickResponse,
summary="Create a task in a TickTick project",
status_code=status.HTTP_201_CREATED,
)
async def create_task(project_id: str, body: TaskCreate, current_user: dict = Depends(get_current_user)):
"""
Create a new task within the specified project.
**Path Parameters:**
- **project_id**: The TickTick project ID.
**Request Body:**
- **title** (required): Task title.
- **content**: Task description.
- **priority**: 0=none, 1=low, 3=medium, 5=high.
- **due_date**: ISO 8601 date string.
- **tags**: List of tag strings.
"""
service = get_ticktick_service()
result = await service.create_task(
title=body.title,
project_id=project_id,
content=body.content,
priority=body.priority,
due_date=body.due_date,
tags=body.tags,
)
return _to_response(result, status_code_on_error=400)
@router.put(
"/{project_id}/tasks/{task_id}",
response_model=TickTickResponse,
summary="Update a task in a TickTick project",
status_code=status.HTTP_200_OK,
)
async def update_task(project_id: str, task_id: str, body: TaskUpdate, current_user: dict = Depends(get_current_user)):
"""
Update an existing task's properties.
**Path Parameters:**
- **project_id**: The TickTick project ID.
- **task_id**: The task ID to update.
"""
service = get_ticktick_service()
result = await service.update_task(
task_id=task_id,
project_id=project_id,
title=body.title,
content=body.content,
priority=body.priority,
due_date=body.due_date,
tags=body.tags,
)
return _to_response(result, status_code_on_error=400)
@router.post(
"/{project_id}/tasks/{task_id}/complete",
response_model=TickTickResponse,
summary="Complete a task",
status_code=status.HTTP_200_OK,
)
async def complete_task(project_id: str, task_id: str, current_user: dict = Depends(get_current_user)):
"""
Mark a task as complete in TickTick.
**Path Parameters:**
- **project_id**: The TickTick project ID.
- **task_id**: The task ID to mark complete.
"""
service = get_ticktick_service()
result = await service.complete_task(task_id=task_id, project_id=project_id)
return _to_response(result, status_code_on_error=400)
@router.delete(
"/{project_id}/tasks/{task_id}",
response_model=TickTickResponse,
summary="Delete a task",
status_code=status.HTTP_200_OK,
)
async def delete_task(project_id: str, task_id: str, current_user: dict = Depends(get_current_user)):
"""
Delete a task from a TickTick project.
**Path Parameters:**
- **project_id**: The TickTick project ID.
- **task_id**: The task ID to delete.
"""
service = get_ticktick_service()
result = await service.delete_task(task_id=task_id, project_id=project_id)
return _to_response(result, status_code_on_error=404)

596
api/services/ticktick_service.py Normal file
View File

@@ -0,0 +1,596 @@
"""
TickTick API integration service for ClaudeTools.
This module handles all interactions with the TickTick Open API for project
and task management. Tokens are managed via a local JSON file with automatic
refresh on 401 responses.
API Documentation: https://developer.ticktick.com/api
"""
import json
import logging
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Optional
import httpx
logger = logging.getLogger(__name__)
TICKTICK_API_BASE_URL = "https://api.ticktick.com/open/v1"
TICKTICK_TOKEN_URL = "https://ticktick.com/oauth/token"
TICKTICK_TOKEN_FILE = Path(__file__).resolve().parents[2] / "mcp-servers" / "ticktick" / ".tokens.json"
VAULT_SCRIPT = "D:/vault/scripts/vault.sh"
VAULT_ENTRY = "services/ticktick.sops.yaml"
TICKTICK_TIMEOUT_SECONDS = 30.0
TICKTICK_CONNECT_TIMEOUT_SECONDS = 10.0
@dataclass
class TickTickResult:
"""Result wrapper for all TickTick API operations."""
success: bool
data: Optional[dict] = None
error: Optional[str] = None
def _vault_get_field(field: str) -> str:
"""Retrieve a single field from the SOPS vault entry."""
try:
result = subprocess.run(
["bash", VAULT_SCRIPT, "get-field", VAULT_ENTRY, field],
capture_output=True,
text=True,
timeout=15,
)
if result.returncode == 0 and result.stdout.strip():
return result.stdout.strip()
logger.error("[ERROR] Vault returned empty or error for %s", field)
return ""
except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
logger.error("[ERROR] Vault retrieval failed for %s: %s", field, exc)
return ""
class TickTickService:
"""
Service for interacting with the TickTick Open API.
Handles project and task CRUD operations with automatic OAuth token
refresh when the access token expires. Credentials are retrieved from
the SOPS vault.
"""
def __init__(
self,
api_base_url: str = TICKTICK_API_BASE_URL,
token_file: Path = TICKTICK_TOKEN_FILE,
timeout: float = TICKTICK_TIMEOUT_SECONDS,
connect_timeout: float = TICKTICK_CONNECT_TIMEOUT_SECONDS,
):
self.api_base_url = api_base_url.rstrip("/")
self.token_file = token_file
self.timeout = httpx.Timeout(timeout, connect=connect_timeout)
self._access_token: Optional[str] = None
self._refresh_token: Optional[str] = None
self._client_id: Optional[str] = None
self._client_secret: Optional[str] = None
self._load_tokens()
# ------------------------------------------------------------------
# Token management
# ------------------------------------------------------------------
def _load_tokens(self) -> None:
"""Load access and refresh tokens from the local token file."""
if not self.token_file.exists():
logger.warning(
"[WARNING] TickTick token file not found at %s", self.token_file
)
return
try:
data = json.loads(self.token_file.read_text(encoding="utf-8"))
self._access_token = data.get("access_token")
self._refresh_token = data.get("refresh_token")
logger.info("[OK] TickTick tokens loaded from %s", self.token_file)
except (json.JSONDecodeError, OSError) as exc:
logger.error(
"[ERROR] Failed to read TickTick token file: %s", exc
)
def _save_tokens(self) -> None:
"""Persist current tokens back to the token file."""
try:
existing: dict = {}
if self.token_file.exists():
try:
existing = json.loads(
self.token_file.read_text(encoding="utf-8")
)
except (json.JSONDecodeError, OSError):
existing = {}
existing["access_token"] = self._access_token
existing["refresh_token"] = self._refresh_token
self.token_file.write_text(
json.dumps(existing, indent=2) + "\n", encoding="utf-8"
)
logger.info("[OK] TickTick tokens saved to %s", self.token_file)
except OSError as exc:
logger.error(
"[ERROR] Failed to write TickTick token file: %s", exc
)
async def _refresh_access_token(self) -> bool:
"""
Refresh the OAuth access token using the stored refresh token.
Returns:
True if the token was refreshed successfully, False otherwise.
"""
if not self._refresh_token:
logger.error("[ERROR] No refresh token available for TickTick")
return False
# Lazy-load vault credentials for refresh
if not self._client_id:
self._client_id = _vault_get_field("credentials.client_id")
if not self._client_secret:
self._client_secret = _vault_get_field("credentials.client_secret")
if not self._client_id or not self._client_secret:
logger.error(
"[ERROR] Could not retrieve TickTick client credentials from SOPS vault"
)
return False
logger.info("[INFO] Refreshing TickTick access token")
try:
async with httpx.AsyncClient(timeout=self.timeout) as client:
response = await client.post(
TICKTICK_TOKEN_URL,
headers={
"Content-Type": "application/x-www-form-urlencoded",
},
data={
"grant_type": "refresh_token",
"refresh_token": self._refresh_token,
"client_id": self._client_id,
"client_secret": self._client_secret,
},
)
if response.status_code != 200:
logger.error(
"[ERROR] TickTick token refresh failed with status %d: %s",
response.status_code,
response.text,
)
return False
token_data = response.json()
self._access_token = token_data.get("access_token")
if "refresh_token" in token_data:
self._refresh_token = token_data["refresh_token"]
self._save_tokens()
logger.info("[OK] TickTick access token refreshed successfully")
return True
except httpx.HTTPError as exc:
logger.error(
"[ERROR] TickTick token refresh request failed: %s", exc
)
return False
# ------------------------------------------------------------------
# HTTP helpers
# ------------------------------------------------------------------
def _get_client(self) -> httpx.AsyncClient:
"""
Create an async HTTP client with configured settings.
Returns:
Configured httpx.AsyncClient for TickTick API calls.
"""
headers = {
"Content-Type": "application/json",
"Accept": "application/json",
}
if self._access_token:
headers["Authorization"] = f"Bearer {self._access_token}"
return httpx.AsyncClient(timeout=self.timeout, headers=headers)
async def _request(
self,
method: str,
endpoint: str,
json_body: Optional[dict] = None,
retry_on_401: bool = True,
) -> TickTickResult:
"""
Execute an API request with automatic 401 retry after token refresh.
Args:
method: HTTP method (GET, POST, PUT, DELETE).
endpoint: API path relative to the base URL (e.g., '/project').
json_body: Optional JSON payload for POST/PUT requests.
retry_on_401: Whether to attempt a token refresh on 401.
Returns:
TickTickResult with success status and response data or error.
"""
url = f"{self.api_base_url}{endpoint}"
try:
async with self._get_client() as client:
response = await client.request(
method, url, json=json_body
)
if response.status_code == 401 and retry_on_401:
logger.info(
"[INFO] TickTick API returned 401, attempting token refresh"
)
refreshed = await self._refresh_access_token()
if refreshed:
return await self._request(
method, endpoint, json_body, retry_on_401=False
)
return TickTickResult(
success=False,
error="Authentication failed and token refresh was unsuccessful",
)
if response.status_code == 204:
return TickTickResult(success=True, data={})
if response.status_code >= 400:
error_text = response.text
logger.error(
"[ERROR] TickTick API %s %s returned %d: %s",
method,
endpoint,
response.status_code,
error_text,
)
return TickTickResult(
success=False,
error=f"API returned {response.status_code}: {error_text}",
)
# Some responses may have empty bodies (e.g., 200 with no content)
if not response.text.strip():
return TickTickResult(success=True, data={})
return TickTickResult(success=True, data=response.json())
except httpx.HTTPError as exc:
logger.error(
"[ERROR] TickTick API request failed (%s %s): %s",
method,
endpoint,
exc,
)
return TickTickResult(
success=False, error=f"Request failed: {exc}"
)
except json.JSONDecodeError as exc:
logger.error(
"[ERROR] TickTick API returned invalid JSON (%s %s): %s",
method,
endpoint,
exc,
)
return TickTickResult(
success=False, error=f"Invalid JSON in response: {exc}"
)
# ------------------------------------------------------------------
# Project operations
# ------------------------------------------------------------------
async def list_projects(self) -> TickTickResult:
"""
List all projects (lists) in the TickTick account.
Returns:
TickTickResult with data containing a list of project dicts.
"""
logger.info("[INFO] Fetching TickTick project list")
result = await self._request("GET", "/project")
if result.success and isinstance(result.data, list):
result.data = {"projects": result.data}
return result
async def get_project(self, project_id: str) -> TickTickResult:
"""
Get a single project with its task data.
Args:
project_id: The TickTick project ID.
Returns:
TickTickResult with the project data including tasks.
"""
if not project_id:
return TickTickResult(success=False, error="project_id is required")
logger.info("[INFO] Fetching TickTick project %s", project_id)
result = await self._request("GET", f"/project/{project_id}/data")
return result
async def create_project(
self,
name: str,
color: Optional[str] = None,
view_mode: Optional[str] = None,
kind: Optional[str] = None,
) -> TickTickResult:
"""
Create a new project (list) in TickTick.
Args:
name: Project name.
color: Optional hex color string (e.g., '#FF6347').
view_mode: Optional view mode ('list', 'kanban', 'timeline').
kind: Optional project kind ('TASK' or 'NOTE').
Returns:
TickTickResult with the created project data.
"""
if not name:
return TickTickResult(success=False, error="name is required")
body: dict = {"name": name}
if color is not None:
body["color"] = color
if view_mode is not None:
body["viewMode"] = view_mode
if kind is not None:
body["kind"] = kind
logger.info("[INFO] Creating TickTick project: %s", name)
return await self._request("POST", "/project", json_body=body)
async def update_project(
self,
project_id: str,
name: Optional[str] = None,
color: Optional[str] = None,
view_mode: Optional[str] = None,
) -> TickTickResult:
"""
Update an existing project in TickTick.
Args:
project_id: The TickTick project ID to update.
name: Optional new project name.
color: Optional new hex color string.
view_mode: Optional new view mode.
Returns:
TickTickResult with the updated project data.
"""
if not project_id:
return TickTickResult(success=False, error="project_id is required")
body: dict = {}
if name is not None:
body["name"] = name
if color is not None:
body["color"] = color
if view_mode is not None:
body["viewMode"] = view_mode
if not body:
return TickTickResult(
success=False, error="At least one field to update is required"
)
logger.info("[INFO] Updating TickTick project %s", project_id)
return await self._request(
"POST", f"/project/{project_id}", json_body=body
)
async def delete_project(self, project_id: str) -> TickTickResult:
"""
Delete a project from TickTick.
Args:
project_id: The TickTick project ID to delete.
Returns:
TickTickResult with success status.
"""
if not project_id:
return TickTickResult(success=False, error="project_id is required")
logger.info("[INFO] Deleting TickTick project %s", project_id)
return await self._request("DELETE", f"/project/{project_id}")
# ------------------------------------------------------------------
# Task operations
# ------------------------------------------------------------------
async def create_task(
self,
title: str,
project_id: str,
content: Optional[str] = None,
priority: Optional[int] = None,
due_date: Optional[str] = None,
tags: Optional[list[str]] = None,
) -> TickTickResult:
"""
Create a new task in a TickTick project.
Args:
title: Task title.
project_id: ID of the project to create the task in.
content: Optional task description/content.
priority: Optional priority (0=none, 1=low, 3=medium, 5=high).
due_date: Optional due date in ISO 8601 format.
tags: Optional list of tag strings.
Returns:
TickTickResult with the created task data.
"""
if not title:
return TickTickResult(success=False, error="title is required")
if not project_id:
return TickTickResult(success=False, error="project_id is required")
body: dict = {"title": title, "projectId": project_id}
if content is not None:
body["content"] = content
if priority is not None:
body["priority"] = priority
if due_date is not None:
body["dueDate"] = due_date
if tags is not None:
body["tags"] = tags
logger.info(
"[INFO] Creating TickTick task '%s' in project %s",
title,
project_id,
)
return await self._request("POST", "/task", json_body=body)
async def update_task(
self,
task_id: str,
project_id: str,
title: Optional[str] = None,
content: Optional[str] = None,
priority: Optional[int] = None,
due_date: Optional[str] = None,
tags: Optional[list[str]] = None,
) -> TickTickResult:
"""
Update an existing task in TickTick.
Args:
task_id: The task ID to update.
project_id: The project ID containing the task.
title: Optional new task title.
content: Optional new task content.
priority: Optional new priority level.
due_date: Optional new due date in ISO 8601 format.
tags: Optional new list of tags.
Returns:
TickTickResult with the updated task data.
"""
if not task_id:
return TickTickResult(success=False, error="task_id is required")
if not project_id:
return TickTickResult(success=False, error="project_id is required")
body: dict = {"id": task_id, "projectId": project_id}
if title is not None:
body["title"] = title
if content is not None:
body["content"] = content
if priority is not None:
body["priority"] = priority
if due_date is not None:
body["dueDate"] = due_date
if tags is not None:
body["tags"] = tags
logger.info(
"[INFO] Updating TickTick task %s in project %s",
task_id,
project_id,
)
return await self._request(
"POST", f"/task/{task_id}", json_body=body
)
async def complete_task(
self, task_id: str, project_id: str
) -> TickTickResult:
"""
Mark a task as complete in TickTick.
Args:
task_id: The task ID to complete.
project_id: The project ID containing the task.
Returns:
TickTickResult with success status.
"""
if not task_id:
return TickTickResult(success=False, error="task_id is required")
if not project_id:
return TickTickResult(success=False, error="project_id is required")
logger.info(
"[INFO] Completing TickTick task %s in project %s",
task_id,
project_id,
)
return await self._request(
"POST", f"/project/{project_id}/task/{task_id}/complete"
)
async def delete_task(
self, task_id: str, project_id: str
) -> TickTickResult:
"""
Delete a task from TickTick.
Args:
task_id: The task ID to delete.
project_id: The project ID containing the task.
Returns:
TickTickResult with success status.
"""
if not task_id:
return TickTickResult(success=False, error="task_id is required")
if not project_id:
return TickTickResult(success=False, error="project_id is required")
logger.info(
"[INFO] Deleting TickTick task %s from project %s",
task_id,
project_id,
)
return await self._request(
"DELETE", f"/project/{project_id}/task/{task_id}"
)
# --------------------------------------------------------------------------
# Singleton accessor
# --------------------------------------------------------------------------
_ticktick_service: Optional[TickTickService] = None
def get_ticktick_service() -> TickTickService:
"""
Return a singleton TickTickService instance.
Creates the service on first call, reuses it thereafter.
Returns:
The shared TickTickService instance.
"""
global _ticktick_service
if _ticktick_service is None:
_ticktick_service = TickTickService()
return _ticktick_service

559
clients/ace-portables/reports/2026-03-31-malware-incident-report.html Normal file
View File

@@ -0,0 +1,559 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Security Incident Report - Ace Portables - 31 March 2026</title>
<style>
@import url('https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap');
:root {
--primary: #1a1a2e;
--accent: #e87a1e;
--accent-light: #f5a623;
--text: #2c2c2c;
--text-light: #666;
--border: #e0e0e0;
--bg-light: #f8f9fa;
--bg-green: #e8f5e9;
--green: #2e7d32;
--red: #c62828;
}
* { margin: 0; padding: 0; box-sizing: border-box; }
body {
font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
color: var(--text);
line-height: 1.6;
background: #fff;
}
.page {
max-width: 850px;
margin: 0 auto;
padding: 0;
}
/* Header */
.header {
background: #fff;
color: var(--text);
padding: 35px 50px;
display: flex;
justify-content: space-between;
align-items: center;
border-bottom: 3px solid var(--accent);
}
.header-left img {
height: 60px;
width: auto;
}
.header-left .report-type {
font-size: 12px;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 2.5px;
color: var(--accent);
margin-top: 10px;
}
.header-right {
text-align: right;
font-size: 13px;
line-height: 1.8;
color: var(--text-light);
}
.header-right strong {
color: var(--text);
}
/* Status Banner */
.status-banner {
background: var(--bg-green);
border-left: 5px solid var(--green);
padding: 20px 50px;
display: flex;
align-items: center;
gap: 15px;
}
.status-icon {
width: 48px;
height: 48px;
background: var(--green);
border-radius: 50%;
display: flex;
align-items: center;
justify-content: center;
flex-shrink: 0;
}
.status-icon svg {
width: 28px;
height: 28px;
fill: #fff;
}
.status-text h3 {
font-size: 18px;
font-weight: 700;
color: var(--green);
margin-bottom: 2px;
}
.status-text p {
font-size: 13px;
color: var(--text-light);
}
/* Content */
.content {
padding: 40px 50px;
}
.section {
margin-bottom: 35px;
}
.section-title {
font-size: 13px;
font-weight: 700;
text-transform: uppercase;
letter-spacing: 2px;
color: var(--accent);
border-bottom: 2px solid var(--accent);
padding-bottom: 8px;
margin-bottom: 18px;
}
p, li {
font-size: 14px;
color: var(--text);
margin-bottom: 10px;
}
ul {
padding-left: 20px;
}
li {
margin-bottom: 6px;
}
/* Info Grid */
.info-grid {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 0;
border: 1px solid var(--border);
border-radius: 6px;
overflow: hidden;
}
.info-item {
padding: 12px 18px;
border-bottom: 1px solid var(--border);
border-right: 1px solid var(--border);
}
.info-item:nth-child(even) {
border-right: none;
}
.info-item:nth-last-child(-n+2) {
border-bottom: none;
}
.info-label {
font-size: 11px;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 1px;
color: var(--text-light);
margin-bottom: 3px;
}
.info-value {
font-size: 14px;
font-weight: 500;
color: var(--text);
word-break: break-all;
}
.info-value.mono {
font-family: 'Courier New', monospace;
font-size: 12px;
}
.info-item.full-width {
grid-column: 1 / -1;
border-right: none;
}
/* Machine Status Table */
.machine-table {
width: 100%;
border-collapse: collapse;
border: 1px solid var(--border);
border-radius: 6px;
overflow: hidden;
font-size: 14px;
}
.machine-table thead {
background: var(--primary);
color: #fff;
}
.machine-table th {
padding: 12px 18px;
text-align: left;
font-size: 12px;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 1px;
}
.machine-table td {
padding: 12px 18px;
border-bottom: 1px solid var(--border);
}
.machine-table tr:last-child td {
border-bottom: none;
}
.machine-table tr:nth-child(even) {
background: var(--bg-light);
}
.badge {
display: inline-block;
padding: 3px 12px;
border-radius: 20px;
font-size: 12px;
font-weight: 600;
}
.badge-clean {
background: var(--bg-green);
color: var(--green);
}
.badge-managed {
background: #e3f2fd;
color: #1565c0;
}
.badge-deleted {
background: #fce4ec;
color: var(--red);
}
/* Timeline */
.timeline {
position: relative;
padding-left: 30px;
}
.timeline::before {
content: '';
position: absolute;
left: 8px;
top: 5px;
bottom: 5px;
width: 2px;
background: var(--border);
}
.timeline-item {
position: relative;
margin-bottom: 20px;
}
.timeline-item::before {
content: '';
position: absolute;
left: -26px;
top: 6px;
width: 12px;
height: 12px;
border-radius: 50%;
background: var(--accent);
border: 2px solid #fff;
box-shadow: 0 0 0 2px var(--accent);
}
.timeline-date {
font-size: 12px;
font-weight: 600;
color: var(--accent);
margin-bottom: 4px;
}
.timeline-text {
font-size: 14px;
color: var(--text);
}
/* Footer */
.footer {
background: var(--primary);
color: #ccc;
padding: 30px 50px;
display: flex;
justify-content: space-between;
align-items: flex-start;
margin-top: 20px;
}
.footer-left h4 {
color: #fff;
font-size: 16px;
margin-bottom: 8px;
}
.footer-left h4 span {
color: var(--accent);
}
.footer-left p {
font-size: 13px;
color: #aaa;
margin-bottom: 3px;
}
.footer-right {
text-align: right;
font-size: 12px;
color: #888;
max-width: 300px;
}
.footer-right p {
font-size: 12px;
color: #888;
margin-bottom: 3px;
}
.divider {
border: none;
border-top: 1px solid var(--border);
margin: 25px 0;
}
.page-break {
page-break-before: always;
break-before: page;
}
@media print {
body { background: #fff; }
.page { max-width: 100%; }
.header, .footer { -webkit-print-color-adjust: exact; print-color-adjust: exact; }
.section { break-inside: avoid; }
.timeline { break-inside: avoid; }
.info-grid { break-inside: avoid; }
.machine-table { break-inside: avoid; }
.page-break { page-break-before: always; break-before: page; }
}
</style>
</head>
<body>
<div class="page">
<!-- Header -->
<div class="header">
<div class="header-left">
<img src="logo-light.png" alt="Arizona ComputerGuru">
<div class="report-type">Security Incident Report</div>
</div>
<div class="header-right">
<strong>Report Reference:</strong> ACE-SEC-2026-0331<br>
<strong>Date:</strong> 31 March 2026<br>
<strong>Prepared for:</strong> Ace Portables
</div>
</div>
<!-- Status Banner -->
<div class="status-banner">
<div class="status-icon">
<svg viewBox="0 0 24 24"><path d="M9 16.17L4.83 12l-1.42 1.41L9 19 21 7l-1.41-1.41z"/></svg>
</div>
<div class="status-text">
<h3>ALL SYSTEMS VERIFIED CLEAN</h3>
<p>Both workstations have been scanned, verified, and are actively protected by enterprise-grade endpoint security. No active threats detected.</p>
</div>
</div>
<!-- Content -->
<div class="content">
<!-- Executive Summary -->
<div class="section">
<div class="section-title">Executive Summary</div>
<p>
Ace Portables contacted AZ Computer Guru LLC after their financial institution requested verification that company workstations were free of malware. Upon investigation, we determined that the previously installed antivirus software (McAfee) had silently expired, leaving the machines unprotected.
</p>
<p>
We removed the expired McAfee installation and deployed <strong>Bitdefender GravityZone</strong>, an enterprise-grade Endpoint Detection and Response (EDR) platform, across both company workstations. During the initial security scan, Bitdefender detected and automatically deleted a malicious browser extension containing a Trojan on one machine. Both machines have been fully scanned and are confirmed clean with no active threats.
</p>
</div>
<!-- Incident Timeline -->
<div class="section">
<div class="section-title">Incident Timeline</div>
<div class="timeline">
<div class="timeline-item">
<div class="timeline-date">Prior to Engagement</div>
<div class="timeline-text">McAfee antivirus subscription silently expired, leaving workstations without active endpoint protection.</div>
</div>
<div class="timeline-item">
<div class="timeline-date">Engagement Initiated</div>
<div class="timeline-text">Ace Portables contacted AZ Computer Guru LLC at the request of their bank to verify workstation security.</div>
</div>
<div class="timeline-item">
<div class="timeline-date">Remediation</div>
<div class="timeline-text">Expired McAfee software removed. Bitdefender GravityZone EDR deployed on both workstations (DESKTOP-DV7I10S, DESKTOP-U317856).</div>
</div>
<div class="timeline-item">
<div class="timeline-date">25 March 2026, 11:15</div>
<div class="timeline-text">Bitdefender detected and automatically deleted a Trojan (Trojan.GenericKD.77292516) within a malicious Microsoft Edge browser extension on one workstation.</div>
</div>
<div class="timeline-item">
<div class="timeline-date">31 March 2026</div>
<div class="timeline-text">Full scans completed on both machines. Both verified clean. This report issued.</div>
</div>
</div>
</div>
<!-- Threat Details -->
<div class="section page-break">
<div class="section-title">Threat Details</div>
<div class="info-grid">
<div class="info-item">
<div class="info-label">Threat Classification</div>
<div class="info-value">Trojan.GenericKD.77292516</div>
</div>
<div class="info-item">
<div class="info-label">Threat Type</div>
<div class="info-value">Malware (Trojan)</div>
</div>
<div class="info-item">
<div class="info-label">Detection Date</div>
<div class="info-value">25 March 2026, 11:15</div>
</div>
<div class="info-item">
<div class="info-label">Action Taken</div>
<div class="info-value"><span class="badge badge-deleted">Automatically Deleted</span></div>
</div>
<div class="info-item">
<div class="info-label">Affected Component</div>
<div class="info-value">Microsoft Edge Browser Extension (background.js)</div>
</div>
<div class="info-item">
<div class="info-label">Extension ID</div>
<div class="info-value mono">cfacibcmkcdppnkgennk...blmp</div>
</div>
<div class="info-item full-width">
<div class="info-label">File SHA-256 Hash</div>
<div class="info-value mono">B3F83B5EC4CFED5D93561B86B5A124FA88D2EA35491011D32CCDA3E385C036E1</div>
</div>
</div>
</div>
<!-- Machines Scanned -->
<div class="section">
<div class="section-title">Workstation Scan Results</div>
<p>Both Ace Portables workstations were enrolled in Bitdefender GravityZone and scanned. Current status as of 31 March 2026:</p>
<br>
<table class="machine-table">
<thead>
<tr>
<th>Machine Name</th>
<th>Type</th>
<th>Management</th>
<th>Security Status</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>DESKTOP-DV7I10S</strong></td>
<td>Physical Machine</td>
<td><span class="badge badge-managed">Managed</span></td>
<td><span class="badge badge-clean">No Issues</span></td>
</tr>
<tr>
<td><strong>DESKTOP-U317856</strong></td>
<td>Physical Machine</td>
<td><span class="badge badge-managed">Managed</span></td>
<td><span class="badge badge-clean">No Issues</span></td>
</tr>
</tbody>
</table>
</div>
<!-- Remediation Steps -->
<div class="section">
<div class="section-title">Remediation Actions Taken</div>
<ul>
<li><strong>Removed expired antivirus software</strong> &mdash; McAfee, which had silently expired, was fully uninstalled from both workstations.</li>
<li><strong>Deployed enterprise endpoint protection</strong> &mdash; Bitdefender GravityZone EDR was installed and configured on both machines, providing real-time threat monitoring, behavioral analysis, and automated response.</li>
<li><strong>Malicious extension deleted</strong> &mdash; The Trojan-infected browser extension was automatically detected and removed by Bitdefender during the initial scan.</li>
<li><strong>Extension blocked globally</strong> &mdash; The malicious extension has been added to our managed blocklist, preventing it from being installed on any endpoint under our management.</li>
<li><strong>Full system scans completed</strong> &mdash; Comprehensive antimalware scans were run on both workstations. Both returned clean results with no further threats detected.</li>
<li><strong>Password reset recommended</strong> &mdash; The affected user was advised to change passwords for all accounts accessed via the browser, prioritising financial and email accounts.</li>
</ul>
</div>
<!-- Ongoing Protection -->
<div class="section">
<div class="section-title">Ongoing Protection</div>
<p>Both Ace Portables workstations are now continuously protected by Bitdefender GravityZone, which provides:</p>
<ul>
<li><strong>Real-time file system protection</strong> &mdash; On-access scanning of all files as they are opened, created, or modified.</li>
<li><strong>Advanced Threat Control</strong> &mdash; Behavioral monitoring that detects suspicious process activity in real time.</li>
<li><strong>Network Attack Defense</strong> &mdash; Protection against network-based exploits and lateral movement attempts.</li>
<li><strong>Web Threat Protection</strong> &mdash; Blocks access to known malicious, phishing, and fraudulent websites.</li>
<li><strong>Anti-Exploit Technology</strong> &mdash; Detects and prevents exploitation of software vulnerabilities.</li>
<li><strong>Centralised Management</strong> &mdash; All endpoints are monitored and managed through the GravityZone console by AZ Computer Guru LLC, ensuring policies and definitions remain current.</li>
</ul>
</div>
<hr class="divider">
<!-- Conclusion -->
<div class="section">
<p>
Both Ace Portables workstations have been verified clean and are now actively protected by enterprise-grade endpoint security. The previously unprotected state caused by the expired McAfee subscription has been fully resolved. The detected Trojan was automatically removed before any confirmed data exfiltration occurred, and preventative measures are in place to block future threats.
</p>
<p>
Should the bank require any additional information, technical logs, or further clarification, please do not hesitate to contact us using the details below.
</p>
</div>
</div>
<!-- Footer -->
<div class="footer">
<div class="footer-left">
<h4>Arizona <span>Computer</span>Guru LLC</h4>
<p>7437 E. 22nd St, Tucson, AZ 85710</p>
<p>Phone: (520) 304-8300</p>
<p>Web: azcomputerguru.com</p>
</div>
<div class="footer-right">
<p>This report is confidential and intended solely for the use of Ace Portables and their financial institution.</p>
<br>
<p>Report Ref: ACE-SEC-2026-0331</p>
<p>Date Issued: 31 March 2026</p>
</div>
</div>
</div>
</body>
</html>

106
clients/ace-portables/reports/2026-03-31-malware-incident-report.md Normal file
View File

@@ -0,0 +1,106 @@
# Security Incident Report - Malware Detection and Remediation
**Prepared by:** AZ Computer Guru LLC
**Prepared for:** Ace Portables
**Date:** 31 March 2026
**Report Reference:** ACE-SEC-2026-0331
---
## Executive Summary
On 25 March 2026, our endpoint protection platform detected and automatically removed a malicious browser extension from a workstation belonging to Ace Portables. The threat was identified, quarantined, and deleted without user intervention. Additional preventative measures have been implemented across the managed environment to prevent recurrence.
---
## Incident Details
| Field | Detail |
|-------|--------|
| **Date of Detection** | 25 March 2026, 11:15 |
| **Affected Machine User** | John |
| **Threat Classification** | Trojan.GenericKD.77292516 |
| **Threat Type** | Malware (Trojan) |
| **Affected File** | `background.js` (browser extension component) |
| **File Location** | Microsoft Edge browser extension directory |
| **Extension ID** | cfacibcmkcdppnkgennkfaepplpkblmp |
| **File SHA256 Hash** | B3F83B5EC4CFED5D93561B86B5A124FA88D2EA35491011D32CCDA3E385C036E1 |
---
## Detection and Response
### Detection
The threat was identified by **Bitdefender GravityZone**, our enterprise endpoint detection and response (EDR) platform, during a scheduled on-demand scan task. The malicious file was a JavaScript component (`background.js`) operating within a Microsoft Edge browser extension.
### Automated Response
Bitdefender GravityZone automatically took the following action upon detection:
- **Action Taken:** File deleted
- **Detection Module:** Antimalware (On-Demand Scan)
- **Result:** Threat successfully removed from the system
### Additional Remediation Steps
The following manual remediation steps were performed by AZ Computer Guru LLC:
1. **Extension removal verified** - Confirmed the malicious browser extension was fully removed from Microsoft Edge, including all associated files and registry entries.
2. **Extension blocked at policy level** - The malicious extension (ID: `cfacibcmkcdppnkgennkfaepplpkblmp`) has been added to the GravityZone extension blocklist, preventing installation across all managed endpoints company-wide.
3. **Full system scan completed** - A comprehensive antimalware scan was conducted on the affected workstation to confirm no additional threats or residual malicious components remain.
4. **Browser data review** - Edge browser settings were reviewed and restored to safe defaults where necessary.
5. **Password reset recommended** - The affected user was advised to change passwords for all accounts accessed via the browser as a precautionary measure, with priority given to financial and email accounts.
---
## Current System Status
**The affected workstation is confirmed CLEAN and free of malware.** Bitdefender GravityZone endpoint protection continues to actively monitor the system in real time with:
- Real-time file system protection (on-access scanning)
- Network attack defense
- Web threat protection
- Advanced anti-exploit technology
- Behavioral monitoring (Advanced Threat Control)
The GravityZone management console shows **no active threats** on the affected machine or any other Ace Portables endpoints.
---
## Preventative Measures Implemented
| Measure | Scope | Status |
|---------|-------|--------|
| Malicious extension added to blocklist | All managed client endpoints | Complete |
| Full system scan on affected workstation | Affected machine | Complete - Clean |
| User advised to reset browser passwords | Affected user | Advised |
| Ongoing real-time endpoint monitoring | All Ace Portables endpoints | Active |
---
## About Our Security Platform
AZ Computer Guru LLC utilises **Bitdefender GravityZone**, an enterprise-grade endpoint protection platform that provides:
- Multi-layered malware detection (signature, heuristic, behavioural, and machine learning)
- Real-time threat monitoring and automated response
- Centralised management and policy enforcement
- Regular definition updates and cloud-based threat intelligence
---
## Conclusion
The malicious browser extension was detected promptly by our automated security systems, removed before any confirmed data exfiltration occurred, and blocked from future installation. The affected workstation has been verified clean and continues to be actively protected. No further action is required at this time.
Should the bank require any additional information, technical logs, or clarification, please do not hesitate to contact us.
---
**AZ Computer Guru LLC**
Managed IT Services Provider
---
*This report is confidential and intended solely for the use of Ace Portables and their financial institution.*

BIN
clients/ace-portables/reports/logo-light.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

9
directives.md
View File

@@ -1,9 +0,0 @@
# Claude Code Directives
**All behavioral directives are now in `.claude/CLAUDE.md`** (auto-loaded every session).
This file exists for backward compatibility. No need to read it separately.
See `.claude/CLAUDE.md` for: identity, delegation rules, key rules, automatic behaviors, context recovery.
**Last Updated:** 2026-02-17

313
mcp-servers/ticktick/ticktick_auth.py Normal file
View File

@@ -0,0 +1,313 @@
#!/usr/bin/env python3
"""
TickTick OAuth 2.0 Authentication Script
Performs the one-time OAuth flow to obtain access and refresh tokens from TickTick.
Reads client credentials from the SOPS vault, opens a browser for user authorization,
captures the callback on a local HTTP server, exchanges the code for tokens, and
saves them to an encrypted local file.
Usage:
python ticktick_auth.py
"""
import json
import os
import secrets
import stat
import subprocess
import sys
import threading
import time
import webbrowser
from datetime import datetime, timezone
from http.server import HTTPServer, BaseHTTPRequestHandler
from pathlib import Path
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen
from html import escape as html_escape
from urllib.error import URLError, HTTPError
# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
VAULT_SCRIPT = "D:/vault/scripts/vault.sh"
VAULT_ENTRY = "services/ticktick.sops.yaml"
AUTH_URL = "https://ticktick.com/oauth/authorize"
TOKEN_URL = "https://ticktick.com/oauth/token"
REDIRECT_URI = "http://localhost:9876/callback"
SCOPES = "tasks:read tasks:write"
CALLBACK_PORT = 9876
CALLBACK_TIMEOUT_SECONDS = 60
TOKEN_FILE = Path(__file__).resolve().parent / ".tokens.json"
# ---------------------------------------------------------------------------
# Vault credential retrieval
# ---------------------------------------------------------------------------
def vault_get_field(field: str) -> str:
"""Retrieve a single field from the SOPS vault entry."""
try:
result = subprocess.run(
["bash", VAULT_SCRIPT, "get-field", VAULT_ENTRY, field],
capture_output=True,
text=True,
timeout=15,
)
except FileNotFoundError:
print(f"[ERROR] Could not find bash or vault script at {VAULT_SCRIPT}")
sys.exit(1)
except subprocess.TimeoutExpired:
print(f"[ERROR] Vault command timed out while retrieving {field}")
sys.exit(1)
if result.returncode != 0:
stderr = result.stderr.strip()
print(f"[ERROR] Vault returned non-zero exit code for field '{field}'")
if stderr:
print(f" {stderr}")
sys.exit(1)
value = result.stdout.strip()
if not value:
print(f"[ERROR] Vault returned empty value for field '{field}'")
sys.exit(1)
return value
# ---------------------------------------------------------------------------
# Callback HTTP server
# ---------------------------------------------------------------------------
class _CallbackState:
"""Shared mutable state between the HTTP handler and the main thread."""
def __init__(self) -> None:
self.authorization_code: str | None = None
self.error: str | None = None
self.received = threading.Event()
class _CallbackHandler(BaseHTTPRequestHandler):
"""Handles the OAuth redirect callback from TickTick."""
state: _CallbackState # set on the class before the server starts
expected_csrf: str # set on the class before the server starts
def do_GET(self) -> None: # noqa: N802 required method name
parsed = urlparse(self.path)
if parsed.path != "/callback":
self._respond(404, "Not found")
return
params = parse_qs(parsed.query)
# Check for error response from provider
if "error" in params:
error_msg = params["error"][0]
description = params.get("error_description", [""])[0]
self.state.error = f"{error_msg}: {description}" if description else error_msg
self._respond(400, f"Authorization failed: {self.state.error}")
self.state.received.set()
return
# Validate CSRF state parameter
returned_state = params.get("state", [None])[0]
if returned_state != self.expected_csrf:
self.state.error = "CSRF state mismatch -- possible request forgery"
self._respond(400, self.state.error)
self.state.received.set()
return
# Extract authorization code
code = params.get("code", [None])[0]
if not code:
self.state.error = "No authorization code in callback"
self._respond(400, self.state.error)
self.state.received.set()
return
self.state.authorization_code = code
self._respond(
200,
"Authorization successful! You can close this tab and return to the terminal.",
)
self.state.received.set()
def _respond(self, status: int, body: str) -> None:
self.send_response(status)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.end_headers()
html = (
"<!DOCTYPE html><html><head><title>TickTick Auth</title></head>"
f"<body><h2>{html_escape(body)}</h2></body></html>"
)
self.wfile.write(html.encode("utf-8"))
# Silence default request logging
def log_message(self, format: str, *args: object) -> None: # noqa: A002
pass
# ---------------------------------------------------------------------------
# Token exchange
# ---------------------------------------------------------------------------
def exchange_code_for_tokens(
code: str,
client_id: str,
client_secret: str,
) -> dict:
"""Exchange an authorization code for access and refresh tokens."""
body = urlencode({
"grant_type": "authorization_code",
"code": code,
"redirect_uri": REDIRECT_URI,
"client_id": client_id,
"client_secret": client_secret,
"scope": SCOPES,
}).encode("utf-8")
request = Request(
TOKEN_URL,
data=body,
headers={
"Content-Type": "application/x-www-form-urlencoded",
"Accept": "application/json",
},
method="POST",
)
try:
with urlopen(request, timeout=15) as response:
data = json.loads(response.read().decode("utf-8"))
except HTTPError as exc:
error_body = exc.read().decode("utf-8", errors="replace")
print(f"[ERROR] Token exchange failed (HTTP {exc.code})")
print(f" Response: {error_body}")
sys.exit(1)
except URLError as exc:
print(f"[ERROR] Could not reach token endpoint: {exc.reason}")
sys.exit(1)
except json.JSONDecodeError:
print("[ERROR] Token endpoint returned invalid JSON")
sys.exit(1)
if "access_token" not in data:
print("[ERROR] Token response missing 'access_token'")
print(f" Full response: {json.dumps(data, indent=2)}")
sys.exit(1)
return data
# ---------------------------------------------------------------------------
# Token persistence
# ---------------------------------------------------------------------------
def save_tokens(token_data: dict) -> None:
"""Persist tokens to a local JSON file."""
payload = {
"access_token": token_data["access_token"],
"refresh_token": token_data.get("refresh_token", ""),
"token_type": token_data.get("token_type", "bearer"),
"obtained_at": datetime.now(timezone.utc).isoformat(),
}
TOKEN_FILE.parent.mkdir(parents=True, exist_ok=True)
TOKEN_FILE.write_text(json.dumps(payload, indent=2), encoding="utf-8")
# Restrict file permissions (owner read/write only)
try:
TOKEN_FILE.chmod(stat.S_IRUSR | stat.S_IWUSR)
except OSError:
pass # Windows may not support POSIX permissions
print(f"[OK] Tokens saved to {TOKEN_FILE}")
# ---------------------------------------------------------------------------
# Main flow
# ---------------------------------------------------------------------------
def main() -> None:
print("[INFO] TickTick OAuth 2.0 Authentication")
print("=" * 50)
# -- 1. Read credentials from SOPS vault ----------------------------------
print("[INFO] Reading credentials from SOPS vault ...")
client_id = vault_get_field("credentials.client_id")
client_secret = vault_get_field("credentials.client_secret")
print(f"[OK] Client ID retrieved (ends ...{client_id[-4:]})")
# -- 2. Prepare CSRF state and authorization URL --------------------------
csrf_state = secrets.token_urlsafe(32)
auth_params = urlencode({
"client_id": client_id,
"redirect_uri": REDIRECT_URI,
"response_type": "code",
"scope": SCOPES,
"state": csrf_state,
})
full_auth_url = f"{AUTH_URL}?{auth_params}"
# -- 3. Start local callback server ---------------------------------------
callback_state = _CallbackState()
_CallbackHandler.state = callback_state
_CallbackHandler.expected_csrf = csrf_state
try:
server = HTTPServer(("127.0.0.1", CALLBACK_PORT), _CallbackHandler)
except OSError as exc:
print(f"[ERROR] Could not start callback server on port {CALLBACK_PORT}: {exc}")
sys.exit(1)
server_thread = threading.Thread(target=server.serve_forever, daemon=True)
server_thread.start()
print(f"[OK] Callback server listening on http://127.0.0.1:{CALLBACK_PORT}/callback")
# -- 4. Open browser for authorization ------------------------------------
print("[INFO] Opening browser for TickTick authorization ...")
print(f"[INFO] If the browser does not open, visit this URL manually:")
print(f" {full_auth_url}")
webbrowser.open(full_auth_url)
# -- 5. Wait for callback -------------------------------------------------
print(f"[INFO] Waiting up to {CALLBACK_TIMEOUT_SECONDS}s for authorization callback ...")
received = callback_state.received.wait(timeout=CALLBACK_TIMEOUT_SECONDS)
server.shutdown()
if not received:
print(f"[ERROR] Timed out after {CALLBACK_TIMEOUT_SECONDS}s waiting for callback")
print(" Make sure you completed the authorization in your browser.")
sys.exit(1)
if callback_state.error:
print(f"[ERROR] Authorization failed: {callback_state.error}")
sys.exit(1)
code = callback_state.authorization_code
if not code:
print("[ERROR] No authorization code received (unknown error)")
sys.exit(1)
print("[OK] Authorization code received")
# -- 6. Exchange code for tokens ------------------------------------------
print("[INFO] Exchanging authorization code for tokens ...")
token_data = exchange_code_for_tokens(code, client_id, client_secret)
print("[OK] Token exchange successful")
# -- 7. Save tokens -------------------------------------------------------
save_tokens(token_data)
print("=" * 50)
print("[OK] TickTick authentication complete")
if __name__ == "__main__":
main()

595
mcp-servers/ticktick/ticktick_mcp.py Normal file
View File

@@ -0,0 +1,595 @@
#!/usr/bin/env python3
"""
TickTick MCP Server
Provides Claude Code with direct tools to manage TickTick projects and tasks.
Requires:
- pip install mcp httpx
- Token file at .tokens.json (run ticktick_auth.py first)
- Vault credentials at services/ticktick.sops.yaml
"""
import asyncio
import json
import subprocess
import sys
import time
from pathlib import Path
from typing import Any, Optional
import httpx
try:
from mcp.server import Server
from mcp.types import Tool, TextContent
except ImportError:
print("[ERROR] MCP package not installed. Run: pip install mcp", file=sys.stderr)
sys.exit(1)
# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
TICKTICK_API_BASE = "https://api.ticktick.com/open/v1"
TICKTICK_OAUTH_TOKEN_URL = "https://ticktick.com/oauth/token"
SCRIPT_DIR = Path(__file__).parent
TOKENS_PATH = SCRIPT_DIR / ".tokens.json"
VAULT_SCRIPT = "D:/vault/scripts/vault.sh"
VAULT_ENTRY = "services/ticktick.sops.yaml"
# ---------------------------------------------------------------------------
# Credential & token helpers
# ---------------------------------------------------------------------------
_vault_cache: dict[str, str] = {}
def _vault_get_field(field: str) -> str:
"""Retrieve a field from the SOPS vault, caching results in memory."""
if field in _vault_cache:
return _vault_cache[field]
result = subprocess.run(
["bash", VAULT_SCRIPT, "get-field", VAULT_ENTRY, field],
capture_output=True,
text=True,
timeout=15,
)
if result.returncode != 0:
raise RuntimeError(
f"[ERROR] Vault lookup failed for {field}: {result.stderr.strip()}"
)
value = result.stdout.strip()
_vault_cache[field] = value
return value
def _load_tokens() -> dict[str, str]:
"""Load tokens from disk. Raises FileNotFoundError if missing."""
if not TOKENS_PATH.exists():
raise FileNotFoundError(
f"[ERROR] Token file not found at {TOKENS_PATH}. "
"Run 'python ticktick_auth.py' in the ticktick directory first "
"to complete the OAuth flow and generate .tokens.json."
)
with open(TOKENS_PATH, "r", encoding="utf-8") as fh:
return json.load(fh)
def _save_tokens(tokens: dict[str, str]) -> None:
"""Persist tokens to disk."""
with open(TOKENS_PATH, "w", encoding="utf-8") as fh:
json.dump(tokens, fh, indent=2)
async def _refresh_access_token(refresh_token: str) -> dict[str, str]:
"""Exchange a refresh token for a new access token."""
client_id = _vault_get_field("credentials.client_id")
client_secret = _vault_get_field("credentials.client_secret")
async with httpx.AsyncClient(timeout=30.0) as client:
resp = await client.post(
TICKTICK_OAUTH_TOKEN_URL,
headers={"Content-Type": "application/x-www-form-urlencoded"},
data={
"client_id": client_id,
"client_secret": client_secret,
"refresh_token": refresh_token,
"grant_type": "refresh_token",
},
)
if resp.status_code != 200:
raise RuntimeError(
f"[ERROR] Token refresh failed ({resp.status_code}): {resp.text}"
)
new_data = resp.json()
tokens = {
"access_token": new_data["access_token"],
"refresh_token": new_data.get("refresh_token", refresh_token),
"token_type": new_data.get("token_type", "bearer"),
"obtained_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
}
_save_tokens(tokens)
return tokens
# ---------------------------------------------------------------------------
# HTTP helper with automatic 401 retry
# ---------------------------------------------------------------------------
async def _ticktick_request(
method: str,
path: str,
*,
json_body: Optional[dict] = None,
) -> httpx.Response:
"""
Make an authenticated request to the TickTick API.
On a 401 response, automatically refreshes the access token and retries
the request exactly once.
"""
tokens = _load_tokens()
async with httpx.AsyncClient(timeout=30.0) as client:
url = f"{TICKTICK_API_BASE}{path}"
headers = {"Authorization": f"Bearer {tokens['access_token']}"}
kwargs: dict[str, Any] = {"headers": headers}
if json_body is not None:
kwargs["json"] = json_body
resp = await client.request(method, url, **kwargs)
if resp.status_code == 401:
# Attempt token refresh and retry once
tokens = await _refresh_access_token(tokens["refresh_token"])
headers = {"Authorization": f"Bearer {tokens['access_token']}"}
kwargs["headers"] = headers
resp = await client.request(method, url, **kwargs)
return resp
def _format_response(data: Any) -> str:
"""Serialize a response payload to pretty JSON text."""
if isinstance(data, (dict, list)):
return json.dumps(data, indent=2, ensure_ascii=False)
return str(data)
def _error_text(msg: str) -> list[TextContent]:
return [TextContent(type="text", text=msg)]
# ---------------------------------------------------------------------------
# MCP Server
# ---------------------------------------------------------------------------
app = Server("ticktick")
@app.list_tools()
async def list_tools() -> list[Tool]:
"""Enumerate all TickTick tools."""
return [
# ----- Projects -----
Tool(
name="ticktick_list_projects",
description="List all TickTick projects. Returns an array of projects with id, name, color, viewMode, and kind.",
inputSchema={
"type": "object",
"properties": {},
},
),
Tool(
name="ticktick_get_project",
description="Get a TickTick project and all its tasks by project ID.",
inputSchema={
"type": "object",
"properties": {
"project_id": {
"type": "string",
"description": "The project ID to retrieve",
},
},
"required": ["project_id"],
},
),
Tool(
name="ticktick_create_project",
description="Create a new TickTick project.",
inputSchema={
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Project name (required)",
},
"color": {
"type": "string",
"description": "Hex color code (e.g. '#ff6347')",
},
"viewMode": {
"type": "string",
"enum": ["list", "kanban", "timeline"],
"description": "View mode for the project",
},
"kind": {
"type": "string",
"enum": ["TASK", "NOTE"],
"description": "Project kind (default TASK)",
},
},
"required": ["name"],
},
),
Tool(
name="ticktick_update_project",
description="Update an existing TickTick project's name, color, or viewMode.",
inputSchema={
"type": "object",
"properties": {
"project_id": {
"type": "string",
"description": "The project ID to update",
},
"name": {
"type": "string",
"description": "New project name",
},
"color": {
"type": "string",
"description": "New hex color code",
},
"viewMode": {
"type": "string",
"enum": ["list", "kanban", "timeline"],
"description": "New view mode",
},
},
"required": ["project_id"],
},
),
Tool(
name="ticktick_delete_project",
description="Delete a TickTick project by ID. This is irreversible.",
inputSchema={
"type": "object",
"properties": {
"project_id": {
"type": "string",
"description": "The project ID to delete",
},
},
"required": ["project_id"],
},
),
# ----- Tasks -----
Tool(
name="ticktick_create_task",
description="Create a new task in a TickTick project.",
inputSchema={
"type": "object",
"properties": {
"title": {
"type": "string",
"description": "Task title (required)",
},
"project_id": {
"type": "string",
"description": "Project ID to create the task in (required)",
},
"content": {
"type": "string",
"description": "Task description / notes",
},
"priority": {
"type": "integer",
"enum": [0, 1, 3, 5],
"description": "Priority: 0=none, 1=low, 3=medium, 5=high",
},
"due_date": {
"type": "string",
"description": "Due date in ISO 8601 format (e.g. 2026-04-01T12:00:00+0000)",
},
"tags": {
"type": "array",
"items": {"type": "string"},
"description": "List of tag names to attach",
},
},
"required": ["title", "project_id"],
},
),
Tool(
name="ticktick_update_task",
description="Update an existing task's title, content, priority, due date, or tags.",
inputSchema={
"type": "object",
"properties": {
"task_id": {
"type": "string",
"description": "The task ID to update",
},
"project_id": {
"type": "string",
"description": "The project ID the task belongs to",
},
"title": {
"type": "string",
"description": "New task title",
},
"content": {
"type": "string",
"description": "New task description / notes",
},
"priority": {
"type": "integer",
"enum": [0, 1, 3, 5],
"description": "New priority: 0=none, 1=low, 3=medium, 5=high",
},
"due_date": {
"type": "string",
"description": "New due date in ISO 8601 format",
},
"tags": {
"type": "array",
"items": {"type": "string"},
"description": "Replacement list of tag names",
},
},
"required": ["task_id", "project_id"],
},
),
Tool(
name="ticktick_complete_task",
description="Mark a TickTick task as completed.",
inputSchema={
"type": "object",
"properties": {
"task_id": {
"type": "string",
"description": "The task ID to complete",
},
"project_id": {
"type": "string",
"description": "The project ID the task belongs to",
},
},
"required": ["task_id", "project_id"],
},
),
Tool(
name="ticktick_delete_task",
description="Delete a TickTick task. This is irreversible.",
inputSchema={
"type": "object",
"properties": {
"task_id": {
"type": "string",
"description": "The task ID to delete",
},
"project_id": {
"type": "string",
"description": "The project ID the task belongs to",
},
},
"required": ["task_id", "project_id"],
},
),
]
# ---------------------------------------------------------------------------
# Tool dispatch
# ---------------------------------------------------------------------------
@app.call_tool()
async def call_tool(name: str, arguments: Any) -> list[TextContent]:
"""Route tool calls to the appropriate handler."""
try:
if name == "ticktick_list_projects":
return await _handle_list_projects()
elif name == "ticktick_get_project":
return await _handle_get_project(arguments)
elif name == "ticktick_create_project":
return await _handle_create_project(arguments)
elif name == "ticktick_update_project":
return await _handle_update_project(arguments)
elif name == "ticktick_delete_project":
return await _handle_delete_project(arguments)
elif name == "ticktick_create_task":
return await _handle_create_task(arguments)
elif name == "ticktick_update_task":
return await _handle_update_task(arguments)
elif name == "ticktick_complete_task":
return await _handle_complete_task(arguments)
elif name == "ticktick_delete_task":
return await _handle_delete_task(arguments)
else:
return _error_text(f"[ERROR] Unknown tool: {name}")
except FileNotFoundError as exc:
return _error_text(str(exc))
except RuntimeError as exc:
return _error_text(str(exc))
except Exception as exc:
return _error_text(f"[ERROR] Unexpected failure in {name}: {exc}")
# ---------------------------------------------------------------------------
# Handler implementations
# ---------------------------------------------------------------------------
async def _handle_list_projects() -> list[TextContent]:
resp = await _ticktick_request("GET", "/project")
if resp.status_code != 200:
return _error_text(
f"[ERROR] Failed to list projects ({resp.status_code}): {resp.text}"
)
projects = resp.json()
return [TextContent(type="text", text=f"[OK] {len(projects)} projects found\n\n{_format_response(projects)}")]
async def _handle_get_project(args: dict) -> list[TextContent]:
project_id = args["project_id"]
resp = await _ticktick_request("GET", f"/project/{project_id}/data")
if resp.status_code != 200:
return _error_text(
f"[ERROR] Failed to get project {project_id} ({resp.status_code}): {resp.text}"
)
data = resp.json()
task_count = len(data.get("tasks", []))
return [TextContent(type="text", text=f"[OK] Project retrieved ({task_count} tasks)\n\n{_format_response(data)}")]
async def _handle_create_project(args: dict) -> list[TextContent]:
body: dict[str, Any] = {"name": args["name"]}
for key in ("color", "viewMode", "kind"):
if key in args:
body[key] = args[key]
resp = await _ticktick_request("POST", "/project", json_body=body)
if resp.status_code not in (200, 201):
return _error_text(
f"[ERROR] Failed to create project ({resp.status_code}): {resp.text}"
)
project = resp.json()
return [TextContent(type="text", text=f"[OK] Project created\n\n{_format_response(project)}")]
async def _handle_update_project(args: dict) -> list[TextContent]:
project_id = args["project_id"]
body: dict[str, Any] = {}
for key in ("name", "color", "viewMode"):
if key in args:
body[key] = args[key]
if not body:
return _error_text("[WARNING] No update fields provided. Supply at least one of: name, color, viewMode.")
# TickTick uses POST for project updates in some API versions; fall back to PUT.
resp = await _ticktick_request("POST", f"/project/{project_id}", json_body=body)
if resp.status_code in (404, 405):
resp = await _ticktick_request("PUT", f"/project/{project_id}", json_body=body)
if resp.status_code not in (200, 201):
return _error_text(
f"[ERROR] Failed to update project {project_id} ({resp.status_code}): {resp.text}"
)
project = resp.json()
return [TextContent(type="text", text=f"[OK] Project updated\n\n{_format_response(project)}")]
async def _handle_delete_project(args: dict) -> list[TextContent]:
project_id = args["project_id"]
resp = await _ticktick_request("DELETE", f"/project/{project_id}")
if resp.status_code not in (200, 204):
return _error_text(
f"[ERROR] Failed to delete project {project_id} ({resp.status_code}): {resp.text}"
)
return [TextContent(type="text", text=f"[OK] Project {project_id} deleted successfully.")]
async def _handle_create_task(args: dict) -> list[TextContent]:
body: dict[str, Any] = {
"title": args["title"],
"projectId": args["project_id"],
}
if "content" in args:
body["content"] = args["content"]
if "priority" in args:
body["priority"] = args["priority"]
if "due_date" in args:
body["dueDate"] = args["due_date"]
if "tags" in args:
body["tags"] = args["tags"]
resp = await _ticktick_request("POST", "/task", json_body=body)
if resp.status_code not in (200, 201):
return _error_text(
f"[ERROR] Failed to create task ({resp.status_code}): {resp.text}"
)
task = resp.json()
return [TextContent(type="text", text=f"[OK] Task created\n\n{_format_response(task)}")]
async def _handle_update_task(args: dict) -> list[TextContent]:
task_id = args["task_id"]
project_id = args["project_id"]
body: dict[str, Any] = {
"taskId": task_id,
"projectId": project_id,
}
if "title" in args:
body["title"] = args["title"]
if "content" in args:
body["content"] = args["content"]
if "priority" in args:
body["priority"] = args["priority"]
if "due_date" in args:
body["dueDate"] = args["due_date"]
if "tags" in args:
body["tags"] = args["tags"]
resp = await _ticktick_request("POST", f"/task/{task_id}", json_body=body)
if resp.status_code not in (200, 201):
return _error_text(
f"[ERROR] Failed to update task {task_id} ({resp.status_code}): {resp.text}"
)
task = resp.json()
return [TextContent(type="text", text=f"[OK] Task updated\n\n{_format_response(task)}")]
async def _handle_complete_task(args: dict) -> list[TextContent]:
task_id = args["task_id"]
project_id = args["project_id"]
resp = await _ticktick_request(
"POST", f"/project/{project_id}/task/{task_id}/complete"
)
if resp.status_code not in (200, 204):
return _error_text(
f"[ERROR] Failed to complete task {task_id} ({resp.status_code}): {resp.text}"
)
return [TextContent(type="text", text=f"[OK] Task {task_id} marked as completed.")]
async def _handle_delete_task(args: dict) -> list[TextContent]:
task_id = args["task_id"]
project_id = args["project_id"]
resp = await _ticktick_request(
"DELETE", f"/project/{project_id}/task/{task_id}"
)
if resp.status_code not in (200, 204):
return _error_text(
f"[ERROR] Failed to delete task {task_id} ({resp.status_code}): {resp.text}"
)
return [TextContent(type="text", text=f"[OK] Task {task_id} deleted successfully.")]
# ---------------------------------------------------------------------------
# Entry point
# ---------------------------------------------------------------------------
async def main() -> None:
"""Run the TickTick MCP server over stdio transport."""
try:
from mcp.server.stdio import stdio_server
async with stdio_server() as (read_stream, write_stream):
await app.run(
read_stream,
write_stream,
app.create_initialization_options(),
)
except Exception as exc:
print(f"[ERROR] MCP server failed: {exc}", file=sys.stderr)
sys.exit(1)
if __name__ == "__main__":
asyncio.run(main())

22
migrations/add_dev_projects_table.sql Normal file
View File

@@ -0,0 +1,22 @@
-- Migration: Add dev_projects table for tracking development projects
-- Syncs with TickTick "Dev Projects" list (id: 69cbd7138f0826bd72746074)
-- Date: 2026-03-31
CREATE TABLE IF NOT EXISTS dev_projects (
id CHAR(36) PRIMARY KEY DEFAULT (UUID()),
name VARCHAR(200) NOT NULL,
description TEXT,
status ENUM('planning', 'active', 'paused', 'completed', 'archived') NOT NULL DEFAULT 'planning',
ticktick_task_id VARCHAR(100) DEFAULT NULL,
ticktick_project_id VARCHAR(100) DEFAULT '69cbd7138f0826bd72746074',
started_at DATETIME DEFAULT NULL,
completed_at DATETIME DEFAULT NULL,
last_worked_on DATETIME DEFAULT NULL,
total_sessions INT DEFAULT 0,
tags JSON DEFAULT NULL,
notes TEXT,
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
);
CREATE INDEX idx_dev_projects_status ON dev_projects(status);

13
projects/gururmm-agent/IMPLEMENTATION_SUMMARY.md
View File

@@ -4,6 +4,9 @@
**Status:** [OK] Complete - Production Ready
**Author:** Coding Agent (Claude Sonnet 4.5)
**Source Repo:** `azcomputerguru/gururmm` on git.azcomputerguru.com (active development, 53+ commits).
Note: A `guru-rmm` repo also exists but is a restructured copy with only 2 commits -- use `gururmm` as the primary reference.
---
## What Was Built
@@ -187,6 +190,10 @@ once_cell = "1.19"
Follow instructions in `commands_modifications.rs`:
> **Note:** `claude_task` is a NEW command type added by this integration. The existing
> GuruRMM command types are: `shell`, `powershell`, `python`, `script`. This step adds
> `claude_task` as an additional type in the command dispatcher.
1. Add module declaration: `mod claude;`
2. Add imports: `use crate::claude::{ClaudeExecutor, ClaudeTaskCommand};`
3. Create global executor: `static CLAUDE_EXECUTOR: Lazy<ClaudeExecutor> = ...`
@@ -243,7 +250,9 @@ Follow deployment process in `TESTING_AND_DEPLOYMENT.md`:
## Usage Example
Once deployed, Main Claude can invoke tasks on AD2:
Once deployed, Main Claude can invoke tasks on AD2. The curl command below creates the
command on the server via REST; the server then delivers it to the agent over WebSocket
(ServerMessage::Command):
```bash
curl -X POST "http://172.16.3.30:3001/api/agents/{AD2_AGENT_ID}/command" \
@@ -394,7 +403,7 @@ A: Check agent logs at `C:\Program Files\GuruRMM\logs\agent.log` for detailed er
1. **TESTING_AND_DEPLOYMENT.md** - Complete testing and troubleshooting guide
2. **README.md** - Full project documentation with examples
3. **Agent logs** - `C:\Program Files\GuruRMM\logs\agent.log`
4. **GuruRMM server logs** - `http://172.16.3.30:3001/logs`
4. **GuruRMM server logs** - Check server-side logs on disk (no `/logs` HTTP endpoint exists)
---

8
projects/gururmm-agent/INTEGRATION_CHECKLIST.md
View File

@@ -70,6 +70,10 @@ Open your `agent/src/commands.rs` and make these changes:
```
### 3E: Update Command Dispatcher
> **Note:** `claude_task` is a NEW command type being added by this integration.
> The existing GuruRMM command types are: `shell`, `powershell`, `python`, `script`.
- [ ] Find your `match command_type` block
- [ ] Add new arm (before the `_` default case):
```rust
@@ -158,6 +162,10 @@ Open your `agent/src/commands.rs` and make these changes:
**Replace `{AD2_AGENT_ID}` with actual agent ID in all commands**
> The curl commands below create the command on the server via REST. The server then
> delivers the command to the agent over WebSocket (ServerMessage::Command) -- the agent
> does NOT poll for commands.
### Test 1: Simple Task
- [ ] Run:
```bash

10
projects/gururmm-agent/README.md
View File

@@ -2,6 +2,9 @@
Production-ready enhancement for GuruRMM agent that enables Main Claude to remotely invoke Claude Code CLI on AD2 (Windows Server 2022) for automated task execution.
**Source Repo:** `azcomputerguru/gururmm` on git.azcomputerguru.com (active development, 53+ commits).
Note: A `guru-rmm` repo also exists but is a restructured copy with only 2 commits -- use `gururmm` as the primary reference.
---
## Features
@@ -90,6 +93,8 @@ use once_cell::sync::Lazy;
static CLAUDE_EXECUTOR: Lazy<ClaudeExecutor> = Lazy::new(|| ClaudeExecutor::new());
// In your command dispatcher
// Existing types: shell, powershell, python, script
// claude_task is a NEW type added by this integration
match command_type {
"shell" => execute_shell_command(&command).await,
"claude_task" => execute_claude_task(&command).await, // NEW
@@ -127,6 +132,11 @@ See `TESTING_AND_DEPLOYMENT.md` for complete deployment guide.
## Usage Examples
> **How commands work:** The curl examples below create the command on the server via
> the REST API (`POST /api/agents/:id/command`). The server then delivers the command
> to the agent over WebSocket (ServerMessage::Command). The agent does NOT poll for
> commands via REST.
### Example 1: Simple Task
```bash

15
projects/gururmm-agent/TESTING_AND_DEPLOYMENT.md
View File

@@ -8,6 +8,9 @@ This guide covers testing and deployment of the Claude Code integration for the
## Prerequisites
**Source Repo:** `azcomputerguru/gururmm` on git.azcomputerguru.com (active development, 53+ commits).
Note: A `guru-rmm` repo also exists but is a restructured copy with only 2 commits -- use `gururmm` as the primary reference.
### On Development Machine
- Rust toolchain (1.70+)
- cargo installed
@@ -69,6 +72,14 @@ cargo fmt -- --check
## Integration Testing (On AD2 Server)
> **Note:** `claude_task` is a NEW command type added by this integration. The existing
> GuruRMM command types are: `shell`, `powershell`, `python`, `script`.
>
> **How commands reach the agent:** The curl commands below create the command on the
> server via the REST API (`POST /api/agents/:id/command`). The server then delivers the
> command to the connected agent over WebSocket (ServerMessage::Command). The agent does
> NOT poll for commands via REST.
### Test 1: Simple Task Execution
**Test Command via GuruRMM API:**
@@ -476,7 +487,7 @@ Monitor Claude task execution metrics:
```powershell
# Query GuruRMM API for task statistics
curl "http://172.16.3.30:3001/api/agents/{AD2_AGENT_ID}/stats"
curl "http://172.16.3.30:3001/api/agents/stats"
```
**Key metrics to watch:**
@@ -558,7 +569,7 @@ Prevents abuse:
For issues or questions:
1. Check agent logs: `C:\Program Files\GuruRMM\logs\agent.log`
2. Check GuruRMM server logs: `http://172.16.3.30:3001/logs`
2. Check GuruRMM server logs on disk (no `/logs` HTTP endpoint exists)
3. Review this documentation
4. Contact GuruRMM support team

6
projects/gururmm-agent/scripts/check_record_counts.py
View File

@@ -4,9 +4,11 @@ Check record counts in all ClaudeTools database tables
"""
import sys
from sqlalchemy import create_engine, text, inspect
from vault_utils import vault_get
# Database connection
DATABASE_URL = "mysql+pymysql://claudetools:CT_e8fcd5a3952030a79ed6debae6c954ed@172.16.3.30:3306/claudetools?charset=utf8mb4"
# Database connection - credentials from SOPS vault
_db_password = vault_get("projects/claudetools/database.sops.yaml", "credentials.password")
DATABASE_URL = f"mysql+pymysql://claudetools:{_db_password}@172.16.3.30:3306/claudetools?charset=utf8mb4"
def get_table_counts():
"""Get row counts for all tables"""

6
projects/gururmm-agent/scripts/create_jwt_token.py
View File

@@ -4,10 +4,10 @@ Create a JWT token for ClaudeTools API access
"""
import jwt
from datetime import datetime, timedelta, timezone
from vault_utils import vault_get
# Get the JWT secret from the RMM server's .env file
# This should match what's in /opt/claudetools/.env on 172.16.3.30
JWT_SECRET = "NdwgH6jsGR1WfPdUwR3u9i1NwNx3QthhLHBsRCfFxcg="
# Get the JWT secret from the SOPS vault
JWT_SECRET = vault_get("projects/claudetools/api-auth.sops.yaml", "credentials.credential")
# Create token data
data = {

9
projects/gururmm-agent/scripts/test_gururmm_api.py
View File

@@ -8,11 +8,12 @@ Tests the newly created admin user credentials and verifies API access.
import requests
import json
from datetime import datetime
from vault_utils import vault_get
# Configuration
# Configuration - credentials from SOPS vault
API_BASE_URL = "http://172.16.3.30:3001"
EMAIL = "claude-api@azcomputerguru.com"
PASSWORD = "ClaudeAPI2026!@#"
EMAIL = vault_get("infrastructure/gururmm-server.sops.yaml", "credentials.gururmm-api.admin-email")
PASSWORD = vault_get("infrastructure/gururmm-server.sops.yaml", "credentials.gururmm-api.admin-password")
def print_header(title):
"""Print a formatted header."""
@@ -133,7 +134,7 @@ def main():
print_header("All Tests Passed!")
print("API Credentials:")
print(f" Email: {EMAIL}")
print(f" Password: {PASSWORD}")
print(f" Password: ********** (from vault)")
print(f" Base URL: {API_BASE_URL}")
print(f" Production URL: https://rmm-api.azcomputerguru.com")
print("\nStatus: READY FOR INTEGRATION")

34
projects/gururmm-agent/scripts/vault_utils.py Normal file
View File

@@ -0,0 +1,34 @@
"""
Shared SOPS vault credential retrieval utility.
Usage:
from vault_utils import vault_get
password = vault_get("projects/claudetools/database.sops.yaml", "credentials.password")
"""
import subprocess
VAULT_SCRIPT = "D:/vault/scripts/vault.sh"
def vault_get(path, field):
"""Get a credential from the SOPS vault.
Args:
path: Vault entry path (e.g. "projects/claudetools/database.sops.yaml")
field: Dot-separated field path (e.g. "credentials.password")
Returns:
The decrypted field value as a string.
Raises:
RuntimeError: If the vault command fails.
"""
result = subprocess.run(
["bash", VAULT_SCRIPT, "get-field", path, field],
capture_output=True, text=True
)
if result.returncode != 0:
raise RuntimeError(f"Failed to get {field} from vault: {result.stderr.strip()}")
return result.stdout.strip()

67
projects/msp-tools/guru-rmm/ROADMAP.md Normal file
View File

@@ -0,0 +1,67 @@
# GuruRMM - Feature Roadmap & Change Requests
Tracked list of desired features, improvements, and changes. Used to evaluate whether the current codebase supports these goals or if a rewrite is needed.
**Last Updated:** 2026-04-01
---
## Dashboard / UI
| # | Feature | Priority | Status | Notes |
|---|---------|----------|--------|-------|
| D1 | All metrics clickable to relevant content | High | Done | Stat cards link to filtered agent views |
| D2 | Dark theme with branded sidebar | High | Done | JetBrains Mono + Plus Jakarta Sans, GURURMM MISSION CONTROL branding |
| D3 | Command cancel/delete/clear history | Medium | Done | Cancel pending/running, delete any, bulk clear finished |
| D4 | Global search across all agent details | High | Open | Search by hostname, MAC, IP, OS, version -- any agent field. Dashboard main page. |
| D5 | Clickable metric cards on agent detail -> drill-down views | High | Open | CPU card -> process list sorted by CPU%. Memory card -> process list sorted by RAM. Disk card -> drive/folder usage breakdown. Sortable tables. |
| D6 | Real-time terminal (PS/cmd) via WebSocket tunnel | High | Open | Interactive shell session relayed through server. Separate from check-in process. Spawns on demand, full bidirectional I/O. |
| D7 | Remote file system browser | High | Open | Browse, upload, download, rename, delete files on agent. Tree view + detail pane. Via real-time tunnel. |
| D8 | Remote registry editor (Windows) | Medium | Open | Browse/edit/create/delete registry keys and values. Tree view like regedit. Via real-time tunnel. |
| D9 | Remote services manager | High | Open | List all services with status. Start/stop/restart/disable/enable/edit startup type. Sortable, searchable. Via real-time tunnel. |
| D10 | | | | |
## Agent / Installer
| # | Feature | Priority | Status | Notes |
|---|---------|----------|--------|-------|
| A1 | Site-code-based installers (no API keys) | High | Done | /install/:site_code/* endpoints, binary with embedded config |
| A2 | Public shareable install links per client | High | Done | Landing page at /install/:site_code with OS detection |
| A3 | Capture full OS detail (distro/version) | High | Open | Linux agents just report "linux" -- should capture distro name and version (e.g., Ubuntu 22.04, Debian 12). Agent-side change to collect, server-side to store/display. |
| A4 | Reliable CPU/GPU temperature collection | High | Open | Not working on any machine currently. Windows: WMI/OpenHardwareMonitor/LibreHardwareMonitor. Linux: lm-sensors/sysfs thermal zones. Need fallback chain. |
| A5 | Process list collection (CPU%, RAM, disk I/O) | High | Open | Needed for D5 drill-downs. Agent collects top processes, sends on demand or as part of extended state. |
| A6 | Disk usage detail (per-drive, large folders) | Medium | Open | Needed for D5 disk drill-down. Per-partition usage + optional large folder scan. |
| A7 | | | | |
## Server / API
| # | Feature | Priority | Status | Notes |
|---|---------|----------|--------|-------|
| S1 | Claude Code integration (claude_task command type) | Medium | Planned | gururmm-agent project has the Rust module, not yet integrated |
| S2 | Stackable/inheritable policy system | High | Open | Policies at Company > Site > Machine levels. Lower level overrides higher. Merge behavior for non-conflicting settings. |
| S3 | Dynamic groups based on agent attributes | High | Open | Rule-based groups (e.g., RAM <= 8GB, OS = Windows 10, disk > 90%). Policies can target dynamic groups. |
| S4 | Policy actions: custom script execution | High | Open | Policies can trigger scripts (PowerShell/bash) on matching agents. Scheduled or on-demand. |
| S5 | Customizable alerting system | High | Open | User-defined alert rules: offline detection, disk space thresholds, SMART errors, RAID degradation, bad sectors, CPU/RAM sustained high, temp thresholds. Configurable severity, notification channels, escalation. |
| S6 | Alert notification channels | Medium | Open | Email, webhook, Slack/Teams integration, push notifications. Per-alert-rule routing. |
| S7 | Real-time tunnel mechanism (separate from check-in) | High | Open | On-demand WebSocket tunnel between tech's browser and agent for interactive tools. Multiplexed channels for terminal, file browser, registry, services. Low latency, not tied to metrics interval. |
| S8 | | | | |
## Infrastructure / Operations
| # | Feature | Priority | Status | Notes |
|---|---------|----------|--------|-------|
| I1 | Automate dark class injection in deploy | Low | Open | Vite strips class="dark" -- need Vite plugin or build script |
| I2 | Resolve stashed local changes on server | Medium | Open | git stash on 172.16.3.30 has divergent dev work |
| I3 | CI/CD webhook auto-builds on push | Low | Exists | webhook at /webhook/build, build-agents.sh -- needs dashboard build added |
| I4 | | | | |
---
## Rewrite Assessment
**Criteria for rewrite:**
- If >50% of planned features require fighting the current architecture
- If the tech stack is fundamentally wrong for the goals
- If accumulated tech debt makes changes unreasonably slow
**Current assessment:** TBD -- add features above first, then evaluate.

9
projects/msp-tools/guru-rmm/agent/.cargo/config.toml
View File

@@ -1,2 +1,11 @@
[target.x86_64-pc-windows-msvc]
rustflags = ["-C", "target-feature=+crt-static", "-C", "link-args=/SUBSYSTEM:CONSOLE,6.01"]
# macOS cross-compilation with osxcross
[target.x86_64-apple-darwin]
linker = "/opt/osxcross/target/bin/x86_64-apple-darwin23.5-clang"
ar = "/opt/osxcross/target/bin/x86_64-apple-darwin23.5-ar"
[target.aarch64-apple-darwin]
linker = "/opt/osxcross/target/bin/aarch64-apple-darwin23.5-clang"
ar = "/opt/osxcross/target/bin/aarch64-apple-darwin23.5-ar"

19
projects/msp-tools/guru-rmm/agent/Cargo.toml
View File

@@ -19,13 +19,9 @@ tokio = { version = "1", features = ["full"] }
# System information (cross-platform metrics)
sysinfo = "0.31"
# WebSocket client (native-tls for Windows 7/2008R2 compatibility)
tokio-tungstenite = { version = "0.24", features = ["native-tls"] }
# WebSocket - futures utilities
futures-util = "0.3"
# HTTP client (fallback/registration) - native-tls for Windows 7/2008R2 compatibility
reqwest = { version = "0.12", default-features = false, features = ["json", "native-tls"] }
# Serialization
serde = { version = "1", features = ["derive"] }
serde_json = "1"
@@ -66,6 +62,19 @@ local-ip-address = "0.6"
# Async file operations
tokio-util = "0.7"
# Platform-specific TLS dependencies
[target.'cfg(not(target_os = "macos"))'.dependencies]
# WebSocket client - native-tls for Windows/Linux (Windows 7 compatibility)
tokio-tungstenite = { version = "0.24", features = ["native-tls"] }
# HTTP client - native-tls for Windows 7/2008R2 compatibility
reqwest = { version = "0.12", default-features = false, features = ["json", "native-tls"] }
[target.'cfg(target_os = "macos")'.dependencies]
# WebSocket client - rustls for macOS (easier cross-compilation)
tokio-tungstenite = { version = "0.24", features = ["rustls-tls-native-roots"] }
# HTTP client - rustls for macOS
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots", "blocking"] }
[target.'cfg(windows)'.dependencies]
# Windows service support (optional, only for native-service feature)
windows-service = { version = "0.7", optional = true }

256
projects/msp-tools/guru-rmm/agent/MACOS_BUILD.md Normal file
View File

@@ -0,0 +1,256 @@
# macOS Cross-Compilation Setup
## Overview
GuruRMM agent can now be built for macOS (Intel and Apple Silicon) directly on the Linux build server (172.16.3.30) without requiring a Mac for compilation.
## Architecture
- **Build Server**: Ubuntu 22.04 LTS (172.16.3.30)
- **Toolchain**: osxcross with macOS SDK 14.5
- **Targets**:
- `x86_64-apple-darwin` (Intel Macs)
- `aarch64-apple-darwin` (Apple Silicon Macs)
- **TLS Stack**: rustls (pure Rust, no native dependencies)
## Key Changes
### 1. Cargo.toml Modifications
The agent now uses **conditional dependencies** for TLS:
- **Windows/Linux**: `native-tls` (for Windows 7 compatibility)
- **macOS**: `rustls-tls-native-roots` (for easier cross-compilation)
```toml
[target.'cfg(not(target_os = "macos"))'.dependencies]
tokio-tungstenite = { version = "0.24", features = ["native-tls"] }
reqwest = { version = "0.12", default-features = false, features = ["json", "native-tls"] }
[target.'cfg(target_os = "macos")'.dependencies]
tokio-tungstenite = { version = "0.24", features = ["rustls-tls-native-roots"] }
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots", "blocking"] }
```
### 2. Cargo Configuration (.cargo/config.toml)
Linker configuration for macOS targets:
```toml
[target.x86_64-apple-darwin]
linker = "/opt/osxcross/target/bin/x86_64-apple-darwin23.5-clang"
ar = "/opt/osxcross/target/bin/x86_64-apple-darwin23.5-ar"
[target.aarch64-apple-darwin]
linker = "/opt/osxcross/target/bin/aarch64-apple-darwin23.5-clang"
ar = "/opt/osxcross/target/bin/aarch64-apple-darwin23.5-ar"
```
## Build Server Setup
### Installed Components
1. **osxcross**: `/opt/osxcross/`
- macOS SDK 14.5 (darwin23.5)
- Clang/LLVM cross-compilers
- Binutils for macOS
2. **Rust Toolchain**:
- rustc 1.94.1
- Targets: `x86_64-apple-darwin`, `aarch64-apple-darwin`
3. **Build Dependencies**:
- clang-14
- cmake 3.22.1
- libxml2-dev
- uuid-dev
### Environment Variables
For cross-compilation, the following must be set:
```bash
export PATH="/opt/osxcross/target/bin:$PATH"
export CC_x86_64_apple_darwin=x86_64-apple-darwin23.5-clang
export AR_x86_64_apple_darwin=x86_64-apple-darwin23.5-ar
export CC_aarch64_apple_darwin=aarch64-apple-darwin23.5-clang
export AR_aarch64_apple_darwin=aarch64-apple-darwin23.5-ar
```
## Building for macOS
### Using the Build Script
The simplest method is to use the provided build script:
```bash
cd ~/gururmm/agent
./build-macos.sh
```
This will:
- Build for both Intel (x86_64) and Apple Silicon (arm64)
- Create binaries in `dist/` directory
- Generate SHA256 checksums
- Name binaries: `gururmm-agent-macos-{amd64|arm64}-v{version}`
### Manual Build
For individual targets:
```bash
# Source environment
source ~/.cargo/env
export PATH="/opt/osxcross/target/bin:$PATH"
# Intel Macs
export CC_x86_64_apple_darwin=x86_64-apple-darwin23.5-clang
export AR_x86_64_apple_darwin=x86_64-apple-darwin23.5-ar
cargo build --release --target x86_64-apple-darwin
# Apple Silicon Macs
export CC_aarch64_apple_darwin=aarch64-apple-darwin23.5-clang
export AR_aarch64_apple_darwin=aarch64-apple-darwin23.5-ar
cargo build --release --target aarch64-apple-darwin
```
## Build Output
### Binary Sizes
- **Intel (x86_64)**: ~3.5 MB
- **Apple Silicon (arm64)**: ~3.1 MB
### Build Times (on 172.16.3.30)
- **Clean build**: ~1 minute 30 seconds per target
- **Incremental build**: ~20-30 seconds per target
### Output Directory Structure
```
dist/
├── gururmm-agent-macos-amd64-v0.6.0
├── gururmm-agent-macos-amd64-v0.6.0.sha256
├── gururmm-agent-macos-arm64-v0.6.0
└── gururmm-agent-macos-arm64-v0.6.0.sha256
```
## Deployment
### Installation on macOS
Intel Macs:
```bash
curl -fsSL http://172.16.3.30/downloads/gururmm-agent-macos-amd64 -o /tmp/gururmm-agent
chmod +x /tmp/gururmm-agent
sudo /tmp/gururmm-agent install --server-url wss://rmm-api.azcomputerguru.com/ws --api-key SITE-CODE
```
Apple Silicon Macs:
```bash
curl -fsSL http://172.16.3.30/downloads/gururmm-agent-macos-arm64 -o /tmp/gururmm-agent
chmod +x /tmp/gururmm-agent
sudo /tmp/gururmm-agent install --server-url wss://rmm-api.azcomputerguru.com/ws --api-key SITE-CODE
```
### macOS Service Configuration
The agent installs as a launchd service:
- **Plist**: `/Library/LaunchDaemons/com.gururmm.agent.plist`
- **Binary**: `/usr/local/bin/gururmm-agent`
- **Config**: `/etc/gururmm/agent.toml`
## Troubleshooting
### Build Failures
1. **"ring" crate compilation errors**:
- Ensure `CC_*` and `AR_*` environment variables are set
- Verify osxcross binaries are in PATH
2. **Linker errors**:
- Check `.cargo/config.toml` has correct linker paths
- Verify osxcross installation at `/opt/osxcross/target/bin/`
3. **"native-tls" errors on macOS**:
- Ensure Cargo.toml uses `rustls-tls-native-roots` for macOS targets
- Conditional dependencies must be properly configured
### Testing Binaries
To verify a macOS binary was built correctly:
```bash
# On build server
file target/x86_64-apple-darwin/release/gururmm-agent
# Output: Mach-O 64-bit executable x86_64
file target/aarch64-apple-darwin/release/gururmm-agent
# Output: Mach-O 64-bit executable arm64
```
On an actual Mac, the binary should run without errors:
```bash
./gururmm-agent --version
# Output: gururmm-agent 0.6.0
```
## Maintenance
### Updating osxcross
To update to a newer macOS SDK:
1. Download SDK from https://github.com/joseluisq/macosx-sdks/releases
2. Place in `/opt/osxcross/tarballs/`
3. Run `/opt/osxcross/build.sh`
4. Update linker paths in `.cargo/config.toml` if SDK version changes
### Updating Rust Targets
```bash
rustup target add x86_64-apple-darwin
rustup target add aarch64-apple-darwin
```
## Security Notes
- macOS SDK usage is in a legal gray area; osxcross requires accepting Xcode license terms
- Binaries built with osxcross are functionally identical to native macOS builds
- TLS implementation (rustls) is audited and widely used in production Rust applications
- No code signing is performed; users will need to approve binary on first run
## CI/CD Integration
The build script can be integrated into automated builds:
```bash
# Example: Build on git push
cd ~/gururmm/agent
git pull
./build-macos.sh
# Copy to deployment directory
cp dist/gururmm-agent-macos-* /var/www/gururmm/downloads/
```
## Performance
Cross-compiled binaries perform identically to native builds:
- No runtime overhead from cross-compilation
- Full optimization with `opt-level = "z"` and LTO
- Binary stripping reduces size without affecting performance
## Future Enhancements
- [ ] Code signing for macOS binaries (requires Apple Developer account)
- [ ] Notarization for Gatekeeper compatibility
- [ ] Universal binary (combined Intel + ARM)
- [ ] Automated CI/CD pipeline with GitHub Actions (macOS runners)
---
**Last Updated**: 2026-04-03
**Build Server**: 172.16.3.30 (Ubuntu 22.04)
**osxcross Version**: 1.5
**SDK Version**: macOS 14.5 (darwin23.5)

70
projects/msp-tools/guru-rmm/agent/build-macos.sh Executable file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
set -e
# Build script for GuruRMM agent - macOS only
# Supports: macOS (Intel & Apple Silicon)
echo "=== GuruRMM Agent macOS Build ==="
echo ""
# Add osxcross to PATH
export PATH="/opt/osxcross/target/bin:$PATH"
# Source cargo environment
source ~/.cargo/env
# Set up cross-compilation environment variables for macOS
export CC_x86_64_apple_darwin=x86_64-apple-darwin23.5-clang
export AR_x86_64_apple_darwin=x86_64-apple-darwin23.5-ar
export CC_aarch64_apple_darwin=aarch64-apple-darwin23.5-clang
export AR_aarch64_apple_darwin=aarch64-apple-darwin23.5-ar
# Output directory
OUTPUT_DIR="$(dirname "$0")/dist"
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Get version from Cargo.toml
VERSION=$(grep '^version' Cargo.toml | head -1 | cut -d'"' -f2)
echo "Building GuruRMM Agent v$VERSION for macOS"
echo ""
# Function to build for a target
build_target() {
local target=$1
local name=$2
local ext=$3
echo "[INFO] Building for $name ($target)..."
cargo build --release --target $target
local binary_name="gururmm-agent$ext"
local output_name="gururmm-agent-$name-v$VERSION$ext"
cp "target/$target/release/$binary_name" "$OUTPUT_DIR/$output_name"
# Create SHA256 checksum
cd "$OUTPUT_DIR"
sha256sum "$output_name" > "$output_name.sha256"
cd - > /dev/null
# Get file size
local size=$(du -h "$OUTPUT_DIR/$output_name" | cut -f1)
echo "[SUCCESS] Built $output_name ($size)"
echo ""
}
# Build for macOS platforms
echo "=== Building for macOS (Intel) ==="
build_target "x86_64-apple-darwin" "macos-amd64" ""
echo "=== Building for macOS (Apple Silicon) ==="
build_target "aarch64-apple-darwin" "macos-arm64" ""
echo ""
echo "=== Build Complete ==="
echo ""
echo "Artifacts in: $OUTPUT_DIR"
ls -lh "$OUTPUT_DIR"

7
projects/msp-tools/guru-rmm/dashboard/src/api/client.ts
View File

@@ -113,7 +113,7 @@ export interface Command {
agent_id: string;
command_type: string;
command_text: string;
status: "pending" | "running" | "completed" | "failed";
status: "pending" | "running" | "completed" | "failed" | "cancelled";
exit_code: number | null;
stdout: string | null;
stderr: string | null;
@@ -219,6 +219,11 @@ export const commandsApi = {
api.post<Command>(`/api/agents/${agentId}/command`, command),
list: () => api.get<Command[]>("/api/commands"),
get: (id: string) => api.get<Command>(`/api/commands/${id}`),
cancelCommand: (id: string) =>
api.post<{ status: string; message: string }>(`/api/commands/${id}/cancel`),
deleteCommand: (id: string) => api.delete(`/api/commands/${id}`),
clearCommandHistory: () =>
api.delete<{ deleted: number; message: string }>("/api/commands"),
};
export const clientsApi = {

212
projects/msp-tools/guru-rmm/dashboard/src/pages/History.tsx
View File

@@ -1,6 +1,17 @@
import { useQuery } from "@tanstack/react-query";
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
import { Link, useParams, useNavigate } from "react-router-dom";
import { RefreshCw, CheckCircle, XCircle, Clock, Loader2, ArrowLeft, Terminal } from "lucide-react";
import {
RefreshCw,
CheckCircle,
XCircle,
Clock,
Loader2,
ArrowLeft,
Terminal,
Trash2,
Ban,
StopCircle,
} from "lucide-react";
import { commandsApi, Command } from "../api/client";
import { Card, CardContent } from "../components/Card";
import { Button } from "../components/Button";
@@ -28,6 +39,11 @@ function StatusBadge({ status }: { status: Command["status"] }) {
label: "Failed",
className: "bg-rose-500/10 text-rose-400 border-rose-500/30",
},
cancelled: {
icon: Ban,
label: "Cancelled",
className: "bg-amber-500/10 text-amber-500 border-amber-500/30",
},
};
const { icon: Icon, label, className, spin } = config[status] as {
@@ -62,12 +78,63 @@ function formatRelativeTime(dateString: string): string {
}
export function History() {
const queryClient = useQueryClient();
const { data: commands = [], isLoading, refetch } = useQuery({
queryKey: ["commands"],
queryFn: () => commandsApi.list().then((res) => res.data),
refetchInterval: 10000,
});
const cancelMutation = useMutation({
mutationFn: (id: string) => commandsApi.cancelCommand(id),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["commands"] });
},
onError: (error: Error) => {
alert(`Failed to cancel command: ${error.message}`);
},
});
const deleteMutation = useMutation({
mutationFn: (id: string) => commandsApi.deleteCommand(id),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["commands"] });
},
onError: (error: Error) => {
alert(`Failed to delete command: ${error.message}`);
},
});
const clearHistoryMutation = useMutation({
mutationFn: () => commandsApi.clearCommandHistory(),
onSuccess: (res) => {
queryClient.invalidateQueries({ queryKey: ["commands"] });
const data = res.data;
if (data.deleted === 0) {
alert("No finished commands to clear.");
}
},
onError: (error: Error) => {
alert(`Failed to clear history: ${error.message}`);
},
});
const handleClearHistory = () => {
const finishedCount = commands.filter(
(cmd) => cmd.status === "completed" || cmd.status === "failed" || cmd.status === "cancelled"
).length;
if (finishedCount === 0) {
alert("No finished commands to clear.");
return;
}
if (window.confirm(`Clear ${finishedCount} finished command(s) from history?`)) {
clearHistoryMutation.mutate();
}
};
return (
<div className="space-y-4">
{/* Header */}
@@ -76,15 +143,30 @@ export function History() {
<h1 className="text-2xl font-mono font-bold text-[var(--text-primary)]">History</h1>
<p className="text-[var(--text-muted)] text-sm">Command execution log</p>
</div>
<Button
variant="outline"
size="sm"
onClick={() => refetch()}
className="border-[var(--border-accent)] text-[var(--accent-cyan)] hover:bg-[var(--accent-cyan-muted)]"
>
<RefreshCw className="h-4 w-4 mr-2" />
Refresh
</Button>
<div className="flex items-center gap-2">
<Button
variant="destructive"
size="sm"
onClick={handleClearHistory}
disabled={clearHistoryMutation.isPending}
>
{clearHistoryMutation.isPending ? (
<Loader2 className="h-4 w-4 mr-2 animate-spin" />
) : (
<Trash2 className="h-4 w-4 mr-2" />
)}
Clear History
</Button>
<Button
variant="outline"
size="sm"
onClick={() => refetch()}
className="border-[var(--border-accent)] text-[var(--accent-cyan)] hover:bg-[var(--accent-cyan-muted)]"
>
<RefreshCw className="h-4 w-4 mr-2" />
Refresh
</Button>
</div>
</div>
{/* History List */}
@@ -103,12 +185,14 @@ export function History() {
) : (
<div className="divide-y divide-[var(--border-secondary)]">
{commands.map((cmd: Command) => (
<Link
<div
key={cmd.id}
to={`/history/${cmd.id}`}
className="flex items-center justify-between p-3 hover:bg-[rgba(6,182,212,0.05)] transition-colors group"
>
<div className="flex items-center gap-3 min-w-0 flex-1">
<Link
to={`/history/${cmd.id}`}
className="flex items-center gap-3 min-w-0 flex-1"
>
<StatusBadge status={cmd.status} />
<div className="min-w-0 flex-1">
<p className="font-mono text-sm text-[var(--text-primary)] truncate group-hover:text-[var(--accent-cyan)] transition-colors">
@@ -118,18 +202,49 @@ export function History() {
{cmd.command_type} | Agent: {cmd.agent_id.slice(0, 8)}...
</p>
</div>
</div>
<div className="text-right pl-4 shrink-0">
<p className="font-mono text-xs text-[var(--text-muted)]">
{formatRelativeTime(cmd.created_at)}
</p>
{cmd.exit_code !== null && (
<p className={`text-xs font-mono ${cmd.exit_code === 0 ? "text-emerald-500" : "text-rose-500"}`}>
exit: {cmd.exit_code}
</Link>
<div className="flex items-center gap-2 pl-4 shrink-0">
<div className="text-right">
<p className="font-mono text-xs text-[var(--text-muted)]">
{formatRelativeTime(cmd.created_at)}
</p>
)}
{cmd.exit_code !== null && (
<p className={`text-xs font-mono ${cmd.exit_code === 0 ? "text-emerald-500" : "text-rose-500"}`}>
exit: {cmd.exit_code}
</p>
)}
</div>
{/* Action buttons */}
<div className="flex items-center gap-1 opacity-0 group-hover:opacity-100 transition-opacity">
{(cmd.status === "pending" || cmd.status === "running") && (
<button
onClick={(e) => {
e.preventDefault();
e.stopPropagation();
cancelMutation.mutate(cmd.id);
}}
disabled={cancelMutation.isPending}
className="p-1.5 rounded-md text-amber-400 hover:bg-amber-500/10 hover:text-amber-300 transition-colors"
title="Cancel command"
>
<StopCircle className="h-4 w-4" />
</button>
)}
<button
onClick={(e) => {
e.preventDefault();
e.stopPropagation();
deleteMutation.mutate(cmd.id);
}}
disabled={deleteMutation.isPending}
className="p-1.5 rounded-md text-rose-400 hover:bg-rose-500/10 hover:text-rose-300 transition-colors"
title="Delete command"
>
<Trash2 className="h-3.5 w-3.5" />
</button>
</div>
</div>
</Link>
</div>
))}
</div>
)}
@@ -142,6 +257,7 @@ export function History() {
export function HistoryDetail() {
const { id } = useParams<{ id: string }>();
const navigate = useNavigate();
const queryClient = useQueryClient();
const { data: commands = [], isLoading } = useQuery({
queryKey: ["commands"],
@@ -150,6 +266,27 @@ export function HistoryDetail() {
const command = commands.find((cmd: Command) => cmd.id === id);
const cancelMutation = useMutation({
mutationFn: (cmdId: string) => commandsApi.cancelCommand(cmdId),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["commands"] });
},
onError: (error: Error) => {
alert(`Failed to cancel command: ${error.message}`);
},
});
const deleteMutation = useMutation({
mutationFn: (cmdId: string) => commandsApi.deleteCommand(cmdId),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["commands"] });
navigate("/history");
},
onError: (error: Error) => {
alert(`Failed to delete command: ${error.message}`);
},
});
if (isLoading) {
return (
<div className="flex items-center justify-center min-h-[50vh]">
@@ -199,6 +336,33 @@ export function HistoryDetail() {
{formatDate(command.created_at)}
</p>
</div>
<div className="flex items-center gap-2">
{(command.status === "pending" || command.status === "running") && (
<Button
variant="outline"
size="sm"
onClick={() => cancelMutation.mutate(command.id)}
disabled={cancelMutation.isPending}
className="border-amber-500/30 text-amber-400 hover:bg-amber-500/10"
>
<StopCircle className="h-4 w-4 mr-2" />
Cancel
</Button>
)}
<Button
variant="destructive"
size="sm"
onClick={() => {
if (window.confirm("Delete this command?")) {
deleteMutation.mutate(command.id);
}
}}
disabled={deleteMutation.isPending}
>
<Trash2 className="h-4 w-4 mr-2" />
Delete
</Button>
</div>
</div>
{/* Command Info */}

97
projects/msp-tools/guru-rmm/server/src/api/commands.rs
View File

@@ -160,3 +160,100 @@ pub async fn get_command(
Ok(Json(command))
}
/// Delete a single command by ID
/// Requires authentication.
pub async fn delete_command(
State(state): State<AppState>,
_user: AuthUser,
Path(command_id): Path<Uuid>,
) -> Result<StatusCode, (StatusCode, String)> {
let deleted = db::delete_command(&state.db, command_id)
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
if deleted {
Ok(StatusCode::NO_CONTENT)
} else {
Err((StatusCode::NOT_FOUND, "Command not found".to_string()))
}
}
/// Cancel response payload
#[derive(Debug, Serialize)]
pub struct CancelCommandResponse {
pub status: String,
pub message: String,
}
/// Cancel a pending or running command
/// Requires authentication.
pub async fn cancel_command(
State(state): State<AppState>,
_user: AuthUser,
Path(command_id): Path<Uuid>,
) -> Result<Json<CancelCommandResponse>, (StatusCode, String)> {
let command = db::get_command_by_id(&state.db, command_id)
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
.ok_or((StatusCode::NOT_FOUND, "Command not found".to_string()))?;
match command.status.as_str() {
"completed" | "failed" | "cancelled" => {
return Err((
StatusCode::BAD_REQUEST,
"Command already finished".to_string(),
));
}
"running" => {
// Update status in DB
db::cancel_command(&state.db, command_id)
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
// Optionally try to send a cancel signal via WebSocket
let agents = state.agents.read().await;
if agents.is_connected(&command.agent_id) {
let cancel_msg = ServerMessage::Error {
code: "command_cancelled".to_string(),
message: format!("Command {} has been cancelled", command_id),
};
let _ = agents.send_to(&command.agent_id, cancel_msg).await;
}
}
_ => {
// Pending or any other status - just update DB
db::cancel_command(&state.db, command_id)
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
}
}
Ok(Json(CancelCommandResponse {
status: "cancelled".to_string(),
message: "Command cancelled".to_string(),
}))
}
/// Clear history response payload
#[derive(Debug, Serialize)]
pub struct ClearHistoryResponse {
pub deleted: u64,
pub message: String,
}
/// Bulk clear finished commands (completed, failed, cancelled)
/// Requires authentication.
pub async fn clear_command_history(
State(state): State<AppState>,
_user: AuthUser,
) -> Result<Json<ClearHistoryResponse>, (StatusCode, String)> {
let count = db::delete_finished_commands(&state.db)
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
Ok(Json(ClearHistoryResponse {
deleted: count,
message: format!("Cleared {} commands from history", count),
}))
}

5
projects/msp-tools/guru-rmm/server/src/api/mod.rs
View File

@@ -56,8 +56,9 @@ pub fn routes() -> Router<AppState> {
.route("/metrics/summary", get(metrics::get_summary))
// Commands
.route("/agents/:id/command", post(commands::send_command))
.route("/commands", get(commands::list_commands))
.route("/commands/:id", get(commands::get_command))
.route("/commands", get(commands::list_commands).delete(commands::clear_command_history))
.route("/commands/:id", get(commands::get_command).delete(commands::delete_command))
.route("/commands/:id/cancel", post(commands::cancel_command))
// Legacy Agent (PowerShell for 2008 R2)
.route("/agent/register-legacy", post(agents::register_legacy))
.route("/agent/heartbeat", post(agents::heartbeat))

22
projects/msp-tools/guru-rmm/server/src/db/commands.rs
View File

@@ -161,3 +161,25 @@ pub async fn delete_command(pool: &PgPool, id: Uuid) -> Result<bool, sqlx::Error
.await?;
Ok(result.rows_affected() > 0)
}
/// Cancel a command - set status to 'cancelled' and set completed_at
pub async fn cancel_command(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> {
sqlx::query(
"UPDATE commands SET status = 'cancelled', completed_at = NOW() WHERE id = $1",
)
.bind(id)
.execute(pool)
.await?;
Ok(())
}
/// Delete all completed, failed, and cancelled commands (bulk clear)
/// Returns the count of deleted rows.
pub async fn delete_finished_commands(pool: &PgPool) -> Result<u64, sqlx::Error> {
let result = sqlx::query(
"DELETE FROM commands WHERE status IN ('completed', 'failed', 'cancelled')",
)
.execute(pool)
.await?;
Ok(result.rows_affected())
}

306
projects/msp-tools/guru-rmm/session-logs/2026-04-01-session.md Normal file
View File

@@ -0,0 +1,306 @@
# GuruRMM Session Log - 2026-04-01
## Session Summary
Major review and update session for the GuruRMM project. Verified all infrastructure references, fixed several issues, and implemented the on-demand site-code-based installer system.
### Key Accomplishments
1. **Infrastructure audit** - Verified all references across the gururmm-agent project docs
2. **Identified active repo** - `azcomputerguru/gururmm` (53 commits) is active, not `guru-rmm` (2 commits, documentation copy)
3. **SSH key deployed** - Generated ed25519 key on DESKTOP-0O8A1RL, deployed to 172.16.3.30 via plink
4. **Hardcoded credentials removed** - Replaced in 3 Python scripts with SOPS vault calls
5. **API route verification** - Compared docs against actual source (65 routes found)
6. **Project docs updated** - Fixed 5 discrepancies across 4 documentation files
7. **NPM proxy host added** - `rmm.azcomputerguru.com` was missing from Nginx Proxy Manager, causing TLS errors
8. **On-demand installer system** - Designed and implemented site-code-based installers (no API keys in install flow)
### Key Decisions
- Site codes (e.g., SWIFT-CLOUD-6910) used as the sole identifier for installers, not API keys
- New install endpoints at root level `/install/:site_code/*` (not under `/api/`) to be fully public
- Embedded config reuses existing binary-patching mechanism, just puts site_code in the api_key field
- Agent WS auth already recognizes site codes -- zero transport changes needed
- Old `?key=` endpoints preserved for backward compatibility
---
## Infrastructure
### GuruRMM Server (172.16.3.30)
- **OS:** Ubuntu 22.04 LTS
- **SSH:** user `guru`, ed25519 key from DESKTOP-0O8A1RL deployed
- **API:** Port 3001 (GuruRMM Rust/Axum server)
- **ClaudeTools API:** Port 8001 (FastAPI, separate service)
- **Nginx:** Reverse proxy on port 80, serves dashboard from /var/www/gururmm/dashboard
- **WebSocket:** /ws proxied to 3001 with upgrade headers
- **CI/CD webhook:** /webhook/ proxied to port 9000
- **Database:** PostgreSQL 14 on port 5432, database `gururmm`, user `gururmm`
### NPM (Nginx Proxy Manager) - 172.16.3.20:7818
- **Container:** On Jupiter
- **Version:** v2.13.5 (v2.14.0 available)
- **7 Proxy Hosts configured:**
- connect.azcomputerguru.com -> 172.16.3.30:3002
- emby.azcomputerguru.com -> 172.16.2.99:8096
- git.azcomputerguru.com -> 172.16.3.20:3000
- plexrequest.azcomputerguru.com -> 172.16.3.31:5055
- rmm-api.azcomputerguru.com -> 172.16.3.30:80
- rmm.azcomputerguru.com -> 172.16.3.30:80 [NEW - added this session]
- sync.azcomputerguru.com -> 172.16.3.20:8082
- unifi.azcomputerguru.com -> 172.16.3.28:8443
### Credentials Used
- **GuruRMM Server SSH:** guru@172.16.3.30 (password from vault: `infrastructure/gururmm-server.sops.yaml`)
- **NPM Login:** mike@azcomputerguru.com / r3tr0gradE99\! (from vault: `services/npm.sops.yaml`)
- **NPM Alt:** admin@azcomputerguru.com / Window123\!@#
- **Cloudflare API Token:** U1UTbBOWA4a69eWEBiqIbYh0etCGzrpTU4XaKp7w (from NPM vault entry)
- **GuruRMM Dashboard:** admin@azcomputerguru.com / GuruRMM2025 (from vault: `projects/gururmm/dashboard.sops.yaml`)
- **GuruRMM DB:** PostgreSQL at 172.16.3.30:5432, db `gururmm`, user `gururmm` (password in vault: `projects/gururmm/database.sops.yaml`)
- **GuruRMM JWT Secret:** In vault at `projects/gururmm/api-server.sops.yaml`
- **Entra SSO App:** ID `18a15f5d-7ab8-46f4-8566-d7b5436b84b6`, client secret expires 2026-12-21
### SSH Key Deployed
- **Machine:** DESKTOP-0O8A1RL (Windows 11)
- **Key:** C:\Users\guru\.ssh\id_ed25519 (ed25519, comment: guru@DESKTOP-0O8A1RL)
- **Fingerprint:** SHA256:ZVbowRHhxPX47eKy9FyMwjvIKPzTf3Dwx3BCsBrP4ds
- **Deployed to:** guru@172.16.3.30:~/.ssh/authorized_keys (via plink with vault password)
- **Verified:** Key-based auth works (PasswordAuthentication=no test passed)
---
## Gitea Repos
| Repo | Status | Notes |
|------|--------|-------|
| `azcomputerguru/gururmm` | ACTIVE | 53 commits, primary development repo |
| `azcomputerguru/guru-rmm` | INACTIVE | 2 commits, restructured documentation copy |
| `azcomputerguru/guru-connect` | Related | ScreenConnect-like remote desktop for GuruRMM |
---
## Code Changes
### Commit d3a047e - "feat: Site-code-based on-demand agent installers"
**Pushed to:** `azcomputerguru/gururmm` main branch
**Files changed (4 files, +625, -92):**
1. **server/src/api/install.rs** - 5 new public endpoint handlers:
- `site_install_landing` - HTML landing page with OS detection
- `site_install_script_windows` - PowerShell install script
- `site_install_script_linux` - Bash install script
- `download_site_windows` - Pre-configured Windows binary
- `download_site_linux` - Pre-configured Linux binary
- Refactored `build_configured_binary()` shared helper
- `validate_site_code()` helper
2. **server/src/main.rs** - Route registration at root level:
- `/install/:site_code` (landing page)
- `/install/:site_code/windows` (PS script)
- `/install/:site_code/linux` (bash script)
- `/install/:site_code/download/windows` (binary)
- `/install/:site_code/download/linux` (binary)
3. **dashboard/src/pages/Sites.tsx** - EnrollmentModal overhaul:
- URLs now use site codes instead of API keys
- Added public install link with copy button
- Removed API key dependency from enrollment flow
- Simplified handleEnrollDevices (no key regeneration needed)
4. **agent/src/config.rs** - Added `#[serde(alias = "site_code")]` to api_key field
### Project Doc Updates (earlier, in claudetools repo)
Updated 4 files in `projects/gururmm-agent/`:
- Fixed `/api/agents/{id}/stats` -> `/api/agents/stats`
- Removed bogus `/logs` endpoint references
- Clarified `claude_task` is a new command type (not existing)
- Added active Gitea repo reference
- Added WebSocket command delivery notes
- Verified all use `/api/` not `/api/v1/`
### Credential Cleanup (earlier, in claudetools repo)
- Created `projects/gururmm-agent/scripts/vault_utils.py` - shared vault helper
- Updated `check_record_counts.py` - DB password from vault
- Updated `create_jwt_token.py` - JWT secret from vault
- Updated `test_gururmm_api.py` - API creds from vault, password masked in output
---
## API Route Summary (65 total from source)
Key routes:
- `POST /api/auth/login` - JWT login
- `GET/POST /api/clients` - Client CRUD
- `GET/POST /api/sites` - Site CRUD
- `GET/POST /api/agents` - Agent management
- `POST /api/agents/:id/command` - Send command (delivered via WebSocket)
- `GET /ws` - WebSocket for agent connections
- `GET /health` - Health check
- NEW: `/install/:site_code/*` - Public installer endpoints
Full route list documented in plan file at `C:\Users\guru\.claude\plans\rippling-marinating-pebble.md`
---
## Settings Fix
`~/.claude/settings.json` was missing `permissions.defaultMode: bypassPermissions`. Fixed to:
```json
{
"autoUpdatesChannel": "latest",
"permissions": { "defaultMode": "bypassPermissions" },
"skipDangerousModePermissionPrompt": true,
"voiceEnabled": true
}
```
---
## Pending / Next Steps
1. **Build and deploy** - Commit is pushed but needs to be built on the server (Rust toolchain not on this Windows machine). CI/CD webhook at 172.16.3.30/webhook/build may handle this automatically.
2. **Test installer endpoints** - Once deployed, test `/install/SITE-CODE/download/windows` end-to-end
3. **HTML escaping** - Code review noted landing page uses `format!()` without HTML escaping for site_name/client_name. Low risk (admin-controlled) but worth hardening.
4. **Rate limiting** - Public install endpoints have no rate limiting. Future hardening.
5. **AD2 connectivity** - Hostname doesn't resolve from DESKTOP-0O8A1RL. Need IP or DNS fix to verify agent deployment target.
6. **GuruRMM agent integration** - The claude_task command type from gururmm-agent project still needs to be integrated into the actual agent codebase.
---
## Reference
- **Vault paths:** `infrastructure/gururmm-server.sops.yaml`, `projects/gururmm/api-server.sops.yaml`, `projects/gururmm/database.sops.yaml`, `projects/gururmm/dashboard.sops.yaml`, `services/npm.sops.yaml`
- **Nginx config on server:** `/etc/nginx/sites-enabled/gururmm`
- **Dashboard build:** React/Vite, served from `/var/www/gururmm/dashboard`
- **Agent binaries:** `/var/www/gururmm/downloads/` (served by download endpoints)
- **Plan file:** `C:\Users\guru\.claude\plans\rippling-marinating-pebble.md`
---
## Update: 20:00 - Continued Session
### Additional Accomplishments
1. **Command management system** - Added cancel, delete, and clear history for commands
- `POST /api/commands/:id/cancel` - Cancel pending/running commands
- `DELETE /api/commands/:id` - Delete any command
- `DELETE /api/commands` - Bulk clear finished commands
- Dashboard buttons for cancel (pending/running), delete (all), clear history
- Cancelled status badge (orange/amber)
2. **Dashboard metrics made clickable**
- Total Agents -> /agents
- Online -> /agents?status=online
- Offline -> /agents?status=offline
- Errors -> /agents?status=error
- Recent Activity items link to /agents/:id
- Quick Actions replaced with navigation cards (View Agents, Add Client, Deploy Agent, Command History)
- Agents page supports ?status= URL param for deep-linking
3. **Dark theme restoration**
- Root cause: `npm run build` was silently failing (missing @rollup/rollup-linux-x64-gnu native module)
- All previous deploys were using stale dist/ from before our changes
- Fixed with `rm -rf node_modules package-lock.json && npm install`
- Vite strips `class="dark"` from index.html during build -- using `sed` post-build to inject it
- Dark CSS variables defined in index.css `.dark` block
4. **Premium design overhaul**
- Added Google Fonts: JetBrains Mono (branding/nav) + Plus Jakarta Sans (body)
- Branded sidebar: GURURMM logo icon + "MISSION CONTROL" subtitle in JetBrains Mono
- Uppercase monospace nav labels with wider tracking
- Richer dark theme with cyan/teal accents (--primary: 199 89% 48%)
- Card hover border glow effect (hover:border-[hsl(var(--primary))]/30)
- Custom dark scrollbar styling
- Login page branded header matching sidebar
- SSO button themed with CSS variables
5. **Server tooling fixes**
- Installed missing npm dependencies on 172.16.3.30
- Node.js v20.20.0 confirmed working
- Cargo/Rust toolchain at ~/.cargo/bin/cargo
### Git Commits (gururmm repo)
| Commit | Description |
|--------|-------------|
| d3a047e | feat: Site-code-based on-demand agent installers |
| 24d4417 | feat: Command cancel, delete, and clear history |
| b5626c0 | feat: Make dashboard metrics clickable with navigation |
| cc4b9b7 | fix: Restore dark theme and fix Tailwind v4 class compatibility |
| 6ace258 | fix: Dark theme persistence - add class to index.html, post-build inject |
| defeb01 | design: Premium dark theme overhaul with branded sidebar |
### Build & Deploy Process (reference)
```bash
# On 172.16.3.30 as guru:
cd /home/guru/gururmm
git pull origin main
# Build server
cd server && source ~/.cargo/env && cargo build --release
sudo systemctl stop gururmm-server
sudo cp target/release/gururmm-server /opt/gururmm/gururmm-server
sudo systemctl start gururmm-server
# Build agent binaries
sudo bash /opt/gururmm/build-agents.sh
# Build dashboard
cd /home/guru/gururmm/dashboard
npm run build
# CRITICAL: Inject dark class post-build (Vite strips it)
sed -i 's/<html lang="en">/<html lang="en" class="dark">/' dist/index.html
sudo rm -rf /var/www/gururmm/dashboard/*
sudo cp -r dist/* /var/www/gururmm/dashboard/
```
### Nginx Config Updated
Added `/install/` location block to proxy to Rust server (was being caught by SPA fallback):
```nginx
location /install/ {
proxy_pass http://127.0.0.1:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
```
### Known Issues
1. **Stashed local changes on server** - `git stash list` shows uncommitted work from before our session (simplified API client, modified WS handler, removed SSO/policies/alerts code). This stash represents a different development direction. Need to decide whether to incorporate or discard.
2. **Tailwind v4 class compatibility** - `no-underline` and `text-inherit` are Tailwind v3 classes. Replaced with `[text-decoration:none]` and `[color:inherit]` arbitrary property syntax.
3. **Dark theme post-build injection** - Vite + @tailwindcss/vite strips `class="dark"` and inline `<script>` tags from index.html. Workaround: `sed` post-build. Could be solved properly with a Vite plugin.
4. **Windows product key** - User set Windows key to QQYW7-QDW2Q-78VNT-2T676-3V66V via `slmgr /ipk` + `slmgr /ato`
### Clients in GuruRMM
| Client | Site | Code |
|--------|------|------|
| AZ Computer Guru | Main Office | SWIFT-CLOUD-6910 |
| Glaztech Industries | SLC - Salt Lake City | DARK-GROVE-7839 |
| Scileppi Law Firm | Main Office | WEST-MEADOW-9025 |
| Valley Wide Plastering | Main Office | INNER-TIGER-8330 |
### Agents (4 total)
- AD2 (Windows, online)
- gururmm (Linux, online - the server itself)
- SL-SERVER (Linux, online x2 entries)
### Session ID for Resume
```
41cb8b1a-6546-48f6-a37e-5223e9f2bbae
```

101
projects/msp-tools/guru-rmm/session-logs/2026-04-02-session.md Normal file
View File

@@ -0,0 +1,101 @@
# GuruRMM Session Log - 2026-04-02
## Session Summary
Continued GuruRMM development. Fixed installer issues, built feature roadmap, and tested agent deployment on local machine (DESKTOP-0O8A1RL).
### Accomplishments
1. **Fixed Windows installer self-copy failure** - Agent binary was downloaded directly to Program Files, then `install` tried to copy the running exe onto itself. Fixed by downloading to `%TEMP%` first.
2. **Fixed install script service start timing** - Service wasn't ready immediately after install. Added 3-retry loop with `Start-Service` SCM API instead of shelling out.
3. **Fixed agent `status` config path** - `status` command looked for `agent.toml` in CWD instead of `C:\ProgramData\GuruRMM`. Added fallback to CONFIG_DIR.
4. **Tested real agent deployment** - Successfully installed agent on DESKTOP-0O8A1RL via `irm` one-liner. Agent connected to server, shows online in dashboard under "Mike's Car" site (GREEN-OCEAN-5222).
5. **Created feature roadmap** - `projects/msp-tools/guru-rmm/ROADMAP.md` with comprehensive feature tracking for evaluating current codebase vs rewrite.
### Git Commits (gururmm repo)
| Commit | Description |
|--------|-------------|
| a89d2dd | fix: Download agent to temp before install to avoid self-copy failure |
| 32147a6 | fix: Install script start retry loop + status config path fallback |
### Credentials (unchanged from previous session)
- **GuruRMM Server SSH:** guru@172.16.3.30 (vault: `infrastructure/gururmm-server.sops.yaml`)
- **GuruRMM Dashboard:** admin@azcomputerguru.com / GuruRMM2025
- **GuruRMM DB:** PostgreSQL 172.16.3.30:5432, db `gururmm`, user `gururmm`
- **NPM:** mike@azcomputerguru.com / r3tr0gradE99\! (172.16.3.20:7818)
- **Cloudflare API Token:** U1UTbBOWA4a69eWEBiqIbYh0etCGzrpTU4XaKp7w
### Infrastructure
- **DESKTOP-0O8A1RL** now has GuruRMM agent installed and running
- Service: GuruRMMAgent (auto-start, LocalSystem)
- Config: C:\ProgramData\GuruRMM\agent.toml
- Binary: C:\Program Files\GuruRMM\gururmm-agent.exe
- Site: Mike's Car (GREEN-OCEAN-5222)
- Reports as: windows 11 (26200), online
### Agents in System (5 total)
| Hostname | OS | Status | Site |
|----------|-----|--------|------|
| AD2 | windows 10 (14393) | online | AZ Computer Guru - Main Office |
| gururmm | linux 22.04 | online | AZ Computer Guru - Main Office |
| DESKTOP-0O8A1RL | windows 11 (26200) | online | Mike's Car |
| SL-SERVER | linux unknown | online | Scileppi Law Firm - Main Office |
| SL-SERVER | linux unknown | offline | Scileppi Law Firm - Main Office |
### Sites (5 total now)
| Client | Site | Code |
|--------|------|------|
| AZ Computer Guru | Main Office | SWIFT-CLOUD-6910 |
| Glaztech Industries | SLC - Salt Lake City | DARK-GROVE-7839 |
| Scileppi Law Firm | Main Office | WEST-MEADOW-9025 |
| Valley Wide Plastering | Main Office | INNER-TIGER-8330 |
| Mike's Car (new) | ? | GREEN-OCEAN-5222 |
### Feature Roadmap Summary
Full roadmap at `projects/msp-tools/guru-rmm/ROADMAP.md`. Key items added:
**Dashboard/UI:**
- D4: Global search across all agent details
- D5: Clickable metric cards -> drill-down views (process list, disk usage)
- D6: Real-time terminal (PS/cmd) via WebSocket tunnel
- D7: Remote file system browser
- D8: Remote registry editor (Windows)
- D9: Remote services manager
**Agent:**
- A3: Full OS detail (distro/version) for Linux
- A4: CPU/GPU temperature collection (not working on any machine)
- A5: Process list collection
- A6: Disk usage detail
**Server:**
- S2: Stackable/inheritable policy system (Company > Site > Machine)
- S3: Dynamic groups based on agent attributes (e.g., RAM <= 8GB)
- S4: Policy actions with custom script execution
- S5: Customizable alerting system (offline, disk, SMART, RAID, thresholds)
- S6: Alert notification channels (email, webhook, Slack/Teams)
- S7: Real-time tunnel mechanism for interactive tools
### Pending / Next Steps
1. **Build planning session** - User wants to evaluate whether current codebase supports the roadmap or needs a rewrite
2. **Agent data collection expansion** - SMART data, RAID status, process lists, disk detail, temps
3. **Real-time tunnel architecture** - Separate from check-in WebSocket, multiplexed channels
4. **Policy system design** - Inheritance model, dynamic groups, script execution
5. **More roadmap items** - User indicated "a TON more things" to add
### Session ID
```
41cb8b1a-6546-48f6-a37e-5223e9f2bbae
```

408
scripts/sync-sc-from-syncro.js Normal file
View File

@@ -0,0 +1,408 @@
#!/usr/bin/env node
'use strict';
const https = require('https');
const { execSync } = require('child_process');
const { URL } = require('url');
// ---------------------------------------------------------------------------
// CLI argument parsing
// ---------------------------------------------------------------------------
const args = process.argv.slice(2);
const FLAG_FORCE = args.includes('--force');
const FLAG_DRY_RUN = args.includes('--dry-run') || !FLAG_FORCE;
const FLAG_VERBOSE = args.includes('--verbose');
if (args.includes('--help') || args.includes('-h')) {
console.log(`Usage: node sync-sc-from-syncro.js [--dry-run] [--force] [--verbose]
Options:
--dry-run List what would be updated without making SC API calls (default)
--force Actually perform the ScreenConnect updates
--verbose Show detailed output for each asset
--help Show this help message
Without --force, the script runs in dry-run mode.`);
process.exit(0);
}
// ---------------------------------------------------------------------------
// Credential loading via vault
// ---------------------------------------------------------------------------
const VAULT_PATH = process.env.VAULT_PATH || 'D:/vault';
function vaultGet(file, field) {
try {
const result = execSync(
`bash "${VAULT_PATH}/scripts/vault.sh" get-field "${file}" "${field}"`,
{ encoding: 'utf8', timeout: 30000 }
);
return result.trim();
} catch (err) {
console.error(`[ERROR] Failed to read vault field "${field}" from "${file}": ${err.message}`);
process.exit(1);
}
}
let SYNCRO_API_KEY;
let SC_SECRET;
function loadCredentials() {
console.log('Loading credentials from vault...');
SYNCRO_API_KEY = vaultGet('msp-tools/syncro.sops.yaml', 'credentials.credential');
SC_SECRET = vaultGet('msp-tools/screenconnect.sops.yaml', 'credentials.api_secret');
if (!SYNCRO_API_KEY) {
console.error('[ERROR] Syncro API key is empty.');
process.exit(1);
}
if (!SC_SECRET) {
console.error('[ERROR] ScreenConnect API secret is empty.');
process.exit(1);
}
console.log('Credentials loaded successfully.');
}
// ---------------------------------------------------------------------------
// HTTP helpers (built-in https module)
// ---------------------------------------------------------------------------
/**
* Make an HTTPS request and return the parsed JSON response.
* @param {object} options
* @param {string} options.url - Full URL
* @param {string} [options.method='GET'] - HTTP method
* @param {object} [options.headers={}] - Request headers
* @param {string|null} [options.body=null] - Request body (string)
* @returns {Promise<{statusCode: number, data: any}>}
*/
function httpsRequest({ url, method = 'GET', headers = {}, body = null }) {
return new Promise((resolve, reject) => {
const parsed = new URL(url);
const reqOptions = {
hostname: parsed.hostname,
port: parsed.port || 443,
path: parsed.pathname + parsed.search,
method,
headers,
};
const req = https.request(reqOptions, (res) => {
const chunks = [];
res.on('data', (chunk) => chunks.push(chunk));
res.on('end', () => {
const raw = Buffer.concat(chunks).toString('utf8');
let data;
try {
data = JSON.parse(raw);
} catch (_) {
data = raw;
}
resolve({ statusCode: res.statusCode, data });
});
});
req.on('error', (err) => reject(err));
req.setTimeout(30000, () => {
req.destroy(new Error('Request timed out'));
});
if (body !== null) {
const buf = Buffer.from(body, 'utf8');
req.setHeader('Content-Length', buf.length);
req.write(buf);
}
req.end();
});
}
/**
* Sleep for a given number of milliseconds.
* @param {number} ms
* @returns {Promise<void>}
*/
function sleep(ms) {
return new Promise((resolve) => setTimeout(resolve, ms));
}
// ---------------------------------------------------------------------------
// Syncro API - paginate all assets
// ---------------------------------------------------------------------------
/**
* Fetch all customer assets from Syncro, paginating until no more results.
* @returns {Promise<Array<{scGuid: string, company: string, deviceName: string, customerId: number}>>}
*/
async function fetchAllSyncroAssets() {
const baseUrl = 'https://computerguru.syncromsp.com/api/v1/customer_assets';
const perPage = 100;
let page = 1;
const results = [];
let totalRaw = 0;
console.log('Fetching Syncro assets...');
while (true) {
const url = `${baseUrl}?page=${page}&per_page=${perPage}`;
if (FLAG_VERBOSE) {
console.log(` Fetching page ${page}...`);
}
let response;
try {
response = await httpsRequest({
url,
method: 'GET',
headers: {
'Authorization': SYNCRO_API_KEY,
'Accept': 'application/json',
},
});
} catch (err) {
console.error(`[ERROR] Syncro API request failed on page ${page}: ${err.message}`);
process.exit(1);
}
if (response.statusCode !== 200) {
console.error(`[ERROR] Syncro API returned status ${response.statusCode} on page ${page}.`);
if (typeof response.data === 'string') {
console.error(` Response: ${response.data.substring(0, 500)}`);
}
process.exit(1);
}
const assets = response.data.assets || response.data;
if (!Array.isArray(assets) || assets.length === 0) {
if (FLAG_VERBOSE) {
console.log(` Page ${page} returned 0 assets, done paginating.`);
}
break;
}
totalRaw += assets.length;
for (const asset of assets) {
const props = asset.properties || {};
const scGuid = props['ScreenConnect GUID'] || '';
if (!scGuid) {
continue;
}
const customer = asset.customer || {};
results.push({
scGuid,
company: customer.business_then_name || '',
deviceName: asset.name || 'Unknown',
customerId: customer.id || 0,
deviceType: (props.form_factor || '').replace(/^Physical /, ''),
});
}
if (FLAG_VERBOSE) {
console.log(` Page ${page}: ${assets.length} assets (${results.length} with SC GUID so far)`);
}
page++;
}
console.log(`Fetched ${totalRaw} total assets, ${results.length} have ScreenConnect GUIDs.`);
return { totalRaw, assets: results };
}
// ---------------------------------------------------------------------------
// ScreenConnect API - read session custom properties
// ---------------------------------------------------------------------------
/**
* Read current session custom properties from ScreenConnect to check tagging.
* Uses the same extension endpoint with GetSessionDetails or similar.
*
* Note: ScreenConnect does not have a clean REST API for reading session
* properties by GUID through the extension endpoint. We attempt to read
* session details. If reading fails or is unsupported, we return null
* and let the caller decide whether to update.
*
* @param {string} scGuid
* @returns {Promise<string[]|null>} Array of custom property values, or null if unreadable
*/
async function readScSessionProperties(scGuid) {
const url = 'https://computerguru.screenconnect.com/App_Extensions/2d558935-686a-4bd0-9991-07539f5fe749/Service.ashx/GetSessionDetails';
try {
const response = await httpsRequest({
url,
method: 'POST',
headers: {
'CTRLAuthHeader': SC_SECRET,
'Content-Type': 'application/json',
'Origin': 'https://computerguru.screenconnect.com',
},
body: JSON.stringify([scGuid]),
});
if (response.statusCode === 200 && response.data) {
// The response structure may vary; attempt to extract custom properties
const session = response.data;
if (Array.isArray(session.CustomPropertyValues)) {
return session.CustomPropertyValues;
}
if (Array.isArray(session)) {
const first = session[0];
if (first && Array.isArray(first.CustomPropertyValues)) {
return first.CustomPropertyValues;
}
}
}
} catch (_) {
// Reading failed - will attempt update anyway (unless --force is off)
}
return null;
}
// ---------------------------------------------------------------------------
// ScreenConnect API - update session custom properties
// ---------------------------------------------------------------------------
/**
* Update ScreenConnect session custom properties for a given GUID.
* @param {string} scGuid
* @param {string} company
* @param {string} site
* @returns {Promise<{success: boolean, error?: string}>}
*/
async function updateScSession(scGuid, company, deviceType) {
const url = 'https://computerguru.screenconnect.com/App_Extensions/2d558935-686a-4bd0-9991-07539f5fe749/Service.ashx/UpdateSessionCustomProperties';
// CP1=Company, CP2=Site (blank), CP3=Department (blank), CP4=Device Type, CP5=Tag, CP6-8=blank
const bodyPayload = [
scGuid,
[company, '', '', deviceType, 'Syncro-Matched', '', '', ''],
];
try {
const response = await httpsRequest({
url,
method: 'POST',
headers: {
'CTRLAuthHeader': SC_SECRET,
'Content-Type': 'application/json',
'Origin': 'https://computerguru.screenconnect.com',
},
body: JSON.stringify(bodyPayload),
});
if (response.statusCode >= 200 && response.statusCode < 300) {
return { success: true };
}
const detail = typeof response.data === 'string'
? response.data.substring(0, 200)
: JSON.stringify(response.data).substring(0, 200);
return { success: false, error: `HTTP ${response.statusCode}: ${detail}` };
} catch (err) {
return { success: false, error: err.message };
}
}
// ---------------------------------------------------------------------------
// Main processing
// ---------------------------------------------------------------------------
async function main() {
console.log('=== SC-Syncro Session Sync ===');
console.log(`Mode: ${FLAG_FORCE ? 'LIVE (--force)' : 'DRY-RUN'}`);
console.log('');
loadCredentials();
console.log('');
const { totalRaw, assets } = await fetchAllSyncroAssets();
console.log('');
const stats = {
totalSyncroAssets: totalRaw,
assetsWithScGuid: assets.length,
alreadyTagged: 0,
updated: 0,
errors: 0,
wouldUpdate: 0,
};
for (let i = 0; i < assets.length; i++) {
const asset = assets[i];
const shortGuid = asset.scGuid.length > 12
? asset.scGuid.substring(0, 12) + '...'
: asset.scGuid;
// Check if already tagged
const currentProps = await readScSessionProperties(asset.scGuid);
if (currentProps !== null && currentProps.length >= 5 && currentProps[4] === 'Syncro-Matched') {
stats.alreadyTagged++;
if (FLAG_VERBOSE) {
console.log(`[SKIP] ${asset.deviceName} (${shortGuid}) - already tagged`);
}
await sleep(100);
continue;
}
if (FLAG_DRY_RUN && !FLAG_FORCE) {
stats.wouldUpdate++;
if (FLAG_VERBOSE) {
console.log(`[DRY-RUN] ${asset.deviceName} (${shortGuid}) -> Company: "${asset.company}", Type: "${asset.deviceType}"`);
}
await sleep(100);
continue;
}
// Perform the update
const result = await updateScSession(asset.scGuid, asset.company, asset.deviceType);
if (result.success) {
stats.updated++;
if (FLAG_VERBOSE) {
console.log(`[UPDATE] ${asset.deviceName} (${shortGuid}) -> Company: "${asset.company}", Type: "${asset.deviceType}"`);
}
} else {
stats.errors++;
if (FLAG_VERBOSE) {
console.log(`[ERROR] ${asset.deviceName} (${shortGuid}): ${result.error}`);
}
}
// Rate limiting: 200ms between SC API calls
await sleep(200);
// Progress indicator for non-verbose mode
if (!FLAG_VERBOSE && (i + 1) % 50 === 0) {
console.log(` Progress: ${i + 1}/${assets.length} processed...`);
}
}
// Print summary
console.log('');
console.log('SC-Syncro Sync Results:');
console.log(` Total Syncro assets: ${stats.totalSyncroAssets}`);
console.log(` Assets with SC GUID: ${stats.assetsWithScGuid}`);
console.log(` Already tagged (skipped): ${stats.alreadyTagged}`);
if (FLAG_DRY_RUN && !FLAG_FORCE) {
console.log(` Would update: ${stats.wouldUpdate}`);
console.log('');
console.log('Run with --force to apply updates.');
} else {
console.log(` Updated: ${stats.updated}`);
console.log(` Errors: ${stats.errors}`);
}
}
main().catch((err) => {
console.error(`[FATAL] Unhandled error: ${err.message}`);
if (err.stack) {
console.error(err.stack);
}
process.exit(1);
});

60
scripts/syncro-deploy-sc.ps1 Normal file
View File

@@ -0,0 +1,60 @@
# Syncro Script: Install ScreenConnect with Company Properties
#
# Syncro Platform Variables (set in script editor):
# $MachineName - platform - {{asset_name}}
# $OrgName - platform - {{customer_business_name_or_customer_name}}
#
# Required File:
# ScreenConnect.ClientSetup.msi -> c:\screenconnectinstaller.msi
# (Download from SC Admin > Build Installer > Access > Windows MSI)
#
# File Type: PowerShell | Run as: System | Max Run Time: 10 minutes
Import-Module $env:SyncroModule
$InstallerLocation = 'C:\screenconnectinstaller.msi'
# URL-encode spaces in names for SERVICE_ARGUMENTS
$MachineName = $MachineName -replace '\s','%20'
$OrgName = $OrgName -replace '\s','%20'
# Detect device type from chassis
$DeviceType = "Desktop"
try {
$chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
if ($chassis | Where-Object { $_ -in @(8,9,10,11,12,14,18,21,31,32) }) { $DeviceType = "Laptop" }
if ($chassis | Where-Object { $_ -in @(17,23) }) { $DeviceType = "Server" }
$model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
if ($model -match "Virtual|VMware|VirtualBox|Hyper-V|KVM|Xen") { $DeviceType = "Virtual%20$DeviceType" }
} catch {}
# Check if already installed
$SCService = Get-Service -Name "ScreenConnect Client*" -ErrorAction SilentlyContinue
if ($SCService) {
Write-Host "ScreenConnect already installed: $($SCService.Name)"
Log-Activity -Message "SC Deploy: Already installed ($($SCService.Name))" -EventName "ScreenConnect"
exit 0
}
# Build SERVICE_ARGUMENTS with custom properties
# c=Company&c=Site&c=Department&c=DeviceType&c=Tag&c=&c=&c=
$ServiceArgs = "SERVICE_ARGUMENTS=""?e=Access&y=Guest&h=computerguru.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQCZmJAsjX2QoAvu/VF8SV7ggAxARlSj/TwgdqA8NcZgw9q+6G/FWwABU2WOeGPvRu6rA+sECP+u11d1BOp16iWA+KbkJPT93TIctreTy/BegdplEL5Bq0L3ZJcim++PLZjwYLDaIotdnOl+24JqkV75DxC1MV9dKNkz5DqS1+jNVMBvpOLY8UgPc9Io71pNIMo/rakJNlT4ofNeJiKIfuwRtgNNYKb51vSHGyFPYtHVNjDNYlJeu320yNJdN0zWwSQst/2GR3hAX8SnzJcZeROZ3HJuJc63uT0KS4ie4+4ExKaUimtfl8oAqIp4vBwiEXhm8T5RKhx9hLiJj/5shza8&c=$OrgName&c=&c=&c=$DeviceType&c=Syncro-Deploy&c=&c=&c="""
$installparams = '/i', $InstallerLocation, $ServiceArgs
$uninstallparams = '/uninstall', $InstallerLocation, '/qb'
# Install
Write-Host "Installing ScreenConnect for $OrgName ($DeviceType)..."
$exitCode = (Start-Process -FilePath msiexec.exe -ArgumentList $installparams -Wait -Passthru).ExitCode
if ($exitCode -eq 0 -or $exitCode -eq 3010) {
Write-Host "ScreenConnect installed successfully (exit code: $exitCode)"
Log-Activity -Message "SC Deploy: Installed for '$OrgName' ($DeviceType)" -EventName "ScreenConnect"
} else {
Write-Host "Installation failed with exit code: $exitCode"
Log-Activity -Message "SC Deploy FAILED: exit code $exitCode" -EventName "ScreenConnect"
exit 1
}
# Cleanup
Remove-Item -Path $InstallerLocation -Force -ErrorAction SilentlyContinue

439
scripts/syncro-kill-rogue-sc.ps1 Normal file
View File

@@ -0,0 +1,439 @@
# Syncro Script: Find and Remove Rogue ScreenConnect Instances
#
# Detects ScreenConnect/ConnectWise Control services that do NOT connect
# to our instance (computerguru.screenconnect.com). Collects forensic
# evidence, creates a security ticket with attachments, then removes
# the unauthorized instance.
#
# Syncro Platform Variables (set in script editor):
# $OrgName - platform - {{customer_business_name_or_customer_name}}
#
# File Type: PowerShell | Run as: System | Max Run Time: 10 minutes
Import-Module $env:SyncroModule
$OurHost = "computerguru.screenconnect.com"
$Found = 0
$Killed = 0
$EvidenceDir = "$env:TEMP\RogueSC_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
$RogueInstances = @()
Write-Host "=== Rogue ScreenConnect Detection ==="
Write-Host "Legitimate host: $OurHost"
Write-Host ""
# ============================================================================
# Find all ScreenConnect services
# ============================================================================
$scServices = Get-Service -Name "ScreenConnect Client*" -ErrorAction SilentlyContinue
if (-not $scServices) {
Write-Host "No ScreenConnect services found."
exit 0
}
foreach ($svc in $scServices) {
$serviceName = $svc.Name
Write-Host "Found service: $serviceName (Status: $($svc.Status))"
# Get the ImagePath from registry to find the install location
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$imagePath = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ImagePath
if (-not $imagePath) {
Write-Host " [WARNING] Could not read ImagePath - skipping"
continue
}
# Clean up the image path (remove quotes, get directory)
$exePath = ($imagePath -replace '"', '').Split(' ')[0]
$installDir = Split-Path -Parent $exePath
# Check the service launch parameters for the host
$connectedHost = "unknown"
# Method 1: Check registry ImagePath for host parameter
if ($imagePath -match 'h=([^&\s"]+)') {
$connectedHost = $Matches[1]
}
# Method 2: Check config/xml files in install directory
if ($connectedHost -eq "unknown" -and (Test-Path $installDir)) {
foreach ($pattern in @("*.xml", "*.config")) {
Get-ChildItem -Path $installDir -Filter $pattern -ErrorAction SilentlyContinue | ForEach-Object {
$content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
if ($content -match 'h=([^&\s<"]+)') {
$connectedHost = $Matches[1]
}
}
if ($connectedHost -ne "unknown") { break }
}
}
# Method 3: Check binary strings
if ($connectedHost -eq "unknown" -and (Test-Path $exePath)) {
try {
$content = [System.IO.File]::ReadAllText($exePath)
if ($content -match 'h=([a-zA-Z0-9\.\-]+\.screenconnect\.com)') {
$connectedHost = $Matches[1]
} elseif ($content -match 'h=([a-zA-Z0-9\.\-]+)') {
$connectedHost = $Matches[1]
}
} catch {}
}
Write-Host " Connected to: $connectedHost"
# Determine if this is ours
if ($connectedHost -like "*$OurHost*" -or $connectedHost -eq $OurHost) {
Write-Host " [OK] This is our instance - keeping."
continue
}
# ======================================================================
# ROGUE INSTANCE DETECTED - Collect forensic evidence before removal
# ======================================================================
$Found++
Write-Host " [ROGUE] Unauthorized ScreenConnect instance!"
Write-Host " Collecting forensic evidence..."
# Create evidence directory
if (-not (Test-Path $EvidenceDir)) {
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
}
$instanceDir = Join-Path $EvidenceDir "instance_$Found"
New-Item -ItemType Directory -Path $instanceDir -Force | Out-Null
# --- Evidence Collection ---
$evidence = [ordered]@{
Timestamp = (Get-Date -Format "yyyy-MM-dd HH:mm:ss UTC" -AsUTC)
ComputerName = $env:COMPUTERNAME
ServiceName = $serviceName
ServiceStatus = $svc.Status.ToString()
ServiceStartType = $svc.StartType.ToString()
ConnectedHost = $connectedHost
ImagePath = $imagePath
InstallDirectory = $installDir
ExePath = $exePath
}
# Service account info
$svcWmi = Get-CimInstance Win32_Service -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue
if ($svcWmi) {
$evidence["ServiceAccount"] = $svcWmi.StartName
$evidence["ServicePID"] = $svcWmi.ProcessId
$evidence["ServicePath"] = $svcWmi.PathName
}
# File details
if (Test-Path $exePath) {
$fileInfo = Get-Item $exePath -ErrorAction SilentlyContinue
$evidence["ExeSize"] = "$([math]::Round($fileInfo.Length/1KB, 2)) KB"
$evidence["ExeCreated"] = $fileInfo.CreationTimeUtc.ToString("yyyy-MM-dd HH:mm:ss UTC")
$evidence["ExeModified"] = $fileInfo.LastWriteTimeUtc.ToString("yyyy-MM-dd HH:mm:ss UTC")
# Digital signature
$sig = Get-AuthenticodeSignature $exePath -ErrorAction SilentlyContinue
if ($sig) {
$evidence["ExeSignatureStatus"] = $sig.Status.ToString()
$evidence["ExeSignerSubject"] = $sig.SignerCertificate.Subject
$evidence["ExeSignerIssuer"] = $sig.SignerCertificate.Issuer
$evidence["ExeSignerThumbprint"] = $sig.SignerCertificate.Thumbprint
}
# File hash
$hash = Get-FileHash $exePath -Algorithm SHA256 -ErrorAction SilentlyContinue
if ($hash) {
$evidence["ExeSHA256"] = $hash.Hash
}
}
# Install date from registry
$uninstallPaths = @(
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($uPath in $uninstallPaths) {
if (-not (Test-Path $uPath)) { continue }
Get-ChildItem $uPath -ErrorAction SilentlyContinue | ForEach-Object {
$props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
if ($props.DisplayName -match "ScreenConnect|ConnectWise Control" -and
$props.UninstallString -notmatch [regex]::Escape($OurHost)) {
$evidence["InstallerDisplayName"] = $props.DisplayName
$evidence["InstallerVersion"] = $props.DisplayVersion
$evidence["InstallerPublisher"] = $props.Publisher
$evidence["InstallerInstallDate"] = $props.InstallDate
$evidence["InstallerProductCode"] = $_.PSChildName
$evidence["InstallerUninstallCmd"] = $props.UninstallString
}
}
}
# Save evidence summary
$evidenceTxt = ($evidence.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" }) -join "`r`n"
$evidenceTxt | Out-File (Join-Path $instanceDir "evidence-summary.txt") -Encoding UTF8
# Copy install directory contents (configs, logs -- not the binary itself to save space)
if (Test-Path $installDir) {
$artifactDir = Join-Path $instanceDir "install_files"
New-Item -ItemType Directory -Path $artifactDir -Force | Out-Null
Get-ChildItem -Path $installDir -ErrorAction SilentlyContinue | ForEach-Object {
if ($_.Length -lt 5MB) {
Copy-Item $_.FullName -Destination $artifactDir -Force -ErrorAction SilentlyContinue
} else {
# For large files, just log metadata
"SKIPPED (too large): $($_.Name) - $([math]::Round($_.Length/1MB,2)) MB" |
Out-File (Join-Path $artifactDir "_skipped_files.txt") -Append -Encoding UTF8
}
}
}
# Export relevant Windows Event Logs
Write-Host " Collecting event logs..."
# Application log - SC install/service events
try {
$appEvents = Get-WinEvent -FilterHashtable @{
LogName = 'Application'
StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue | Where-Object {
$_.Message -match "ScreenConnect|ConnectWise Control" -or
$_.ProviderName -match "MsiInstaller"
} | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message -First 100
if ($appEvents) {
$appEvents | Export-Csv (Join-Path $instanceDir "eventlog-application.csv") -NoTypeInformation -Encoding UTF8
}
} catch {}
# System log - service start/stop events
try {
$sysEvents = Get-WinEvent -FilterHashtable @{
LogName = 'System'
Id = @(7034, 7035, 7036, 7040, 7045)
StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue | Where-Object {
$_.Message -match "ScreenConnect"
} | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message -First 100
if ($sysEvents) {
$sysEvents | Export-Csv (Join-Path $instanceDir "eventlog-system.csv") -NoTypeInformation -Encoding UTF8
}
} catch {}
# Security log - logon events around install time
if ($evidence["InstallerInstallDate"]) {
try {
$installDate = [DateTime]::ParseExact($evidence["InstallerInstallDate"], "yyyyMMdd", $null)
$secEvents = Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = @(4624, 4625, 4648, 4672)
StartTime = $installDate.AddHours(-2)
EndTime = $installDate.AddHours(2)
} -ErrorAction SilentlyContinue |
Select-Object TimeCreated, Id, LevelDisplayName, Message -First 200
if ($secEvents) {
$secEvents | Export-Csv (Join-Path $instanceDir "eventlog-security-around-install.csv") -NoTypeInformation -Encoding UTF8
}
} catch {}
}
# Active network connections at time of detection
try {
$netConns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
@{N='ProcessName';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}}
$netConns | Export-Csv (Join-Path $instanceDir "active-connections.csv") -NoTypeInformation -Encoding UTF8
} catch {}
# Running processes at time of detection
try {
Get-Process | Select-Object Id, ProcessName, Path, StartTime, Company |
Export-Csv (Join-Path $instanceDir "running-processes.csv") -NoTypeInformation -Encoding UTF8
} catch {}
# Recent user logins
try {
$loginEvents = Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = @(4624)
StartTime = (Get-Date).AddDays(-7)
} -MaxEvents 50 -ErrorAction SilentlyContinue |
Select-Object TimeCreated, @{N='LogonType';E={$_.Properties[8].Value}},
@{N='User';E={"$($_.Properties[6].Value)\$($_.Properties[5].Value)"}},
@{N='SourceIP';E={$_.Properties[18].Value}}
$loginEvents | Export-Csv (Join-Path $instanceDir "recent-logins.csv") -NoTypeInformation -Encoding UTF8
} catch {}
# Scheduled tasks (attackers sometimes add persistence)
try {
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
$_.Actions.Execute -match "ScreenConnect|ConnectWise" -or
$_.TaskPath -match "ScreenConnect|ConnectWise"
} | Select-Object TaskName, TaskPath, State,
@{N='Action';E={$_.Actions.Execute}},
@{N='Arguments';E={$_.Actions.Arguments}} |
Export-Csv (Join-Path $instanceDir "scheduled-tasks.csv") -NoTypeInformation -Encoding UTF8
} catch {}
# Collect the full service registry export
try {
reg export "HKLM\SYSTEM\CurrentControlSet\Services\$serviceName" (Join-Path $instanceDir "service-registry.reg") /y 2>&1 | Out-Null
} catch {}
# Add to rogue list for ticket
$RogueInstances += $evidence
# ======================================================================
# REMOVE the rogue instance
# ======================================================================
Write-Host " Stopping and removing rogue instance..."
# Stop the service
try {
Stop-Service -Name $serviceName -Force -ErrorAction Stop
} catch {
Get-Process -Name "ScreenConnect.ClientService" -ErrorAction SilentlyContinue |
Stop-Process -Force -ErrorAction SilentlyContinue
}
# Disable it
Set-Service -Name $serviceName -StartupType Disabled -ErrorAction SilentlyContinue
# Uninstall via MSI
$uninstalled = $false
foreach ($uPath in $uninstallPaths) {
if (-not (Test-Path $uPath)) { continue }
Get-ChildItem $uPath -ErrorAction SilentlyContinue | ForEach-Object {
$props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
if ($props.DisplayName -match "ScreenConnect|ConnectWise Control" -and
$props.UninstallString -and
$props.UninstallString -notmatch [regex]::Escape($OurHost)) {
if ($props.UninstallString -match "\{[0-9A-Fa-f\-]+\}") {
$productCode = $Matches[0]
Start-Process msiexec.exe -ArgumentList "/x $productCode /qn /norestart" -Wait | Out-Null
$uninstalled = $true
}
}
}
}
# Fallback: nuke install directory
if (-not $uninstalled -and (Test-Path $installDir)) {
Remove-Item -Path $installDir -Recurse -Force -ErrorAction SilentlyContinue
}
# Remove service registration
sc.exe delete $serviceName 2>&1 | Out-Null
$Killed++
Write-Host " [REMOVED] Rogue instance cleaned up."
Write-Host ""
}
# ============================================================================
# Package evidence and create ticket if rogue instances found
# ============================================================================
if ($Found -gt 0) {
Write-Host "=== Packaging Evidence ==="
# Build ticket body
$ticketBody = @"
## SECURITY INCIDENT: Rogue ScreenConnect Detected
**Computer:** $env:COMPUTERNAME
**Detection Time:** $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")
**Customer:** $OrgName
**Instances Found:** $Found
**Instances Removed:** $Killed
### Rogue Instance Details
"@
foreach ($inst in $RogueInstances) {
$ticketBody += @"
---
**Service:** $($inst.ServiceName)
**Connected To:** $($inst.ConnectedHost)
**Install Directory:** $($inst.InstallDirectory)
**Exe Created:** $($inst.ExeCreated)
**Exe SHA256:** $($inst.ExeSHA256)
**Signature:** $($inst.ExeSignatureStatus) ($($inst.ExeSignerSubject))
**Installer Date:** $($inst.InstallerInstallDate)
**Installer Product:** $($inst.InstallerDisplayName) v$($inst.InstallerVersion)
**Service Account:** $($inst.ServiceAccount)
"@
}
$ticketBody += @"
### Actions Taken
- Forensic evidence collected (event logs, network connections, processes, install files)
- Service stopped and disabled
- Software uninstalled / install directory removed
- Service registration deleted
- Evidence package attached to this ticket
### Recommended Follow-Up
1. Review the attached evidence package for indicators of compromise
2. Check the security event logs around the install date for unauthorized access
3. Verify no other persistence mechanisms remain (scheduled tasks, startup items)
4. Consider password resets for accounts on this machine
5. Check other machines at this customer for similar rogue instances
6. Determine if this was an authorized install by another vendor or an actual breach
"@
# Create zip of evidence
$zipPath = "$EvidenceDir.zip"
try {
Compress-Archive -Path "$EvidenceDir\*" -DestinationPath $zipPath -Force
Write-Host "Evidence packaged: $zipPath"
} catch {
Write-Host "[WARNING] Could not create zip: $_"
}
# Create Syncro ticket
Write-Host "Creating security ticket..."
$ticketResult = Create-Syncro-Ticket -Subject "SECURITY: Rogue ScreenConnect on $env:COMPUTERNAME" -IssueType "Security" -Status "New" -Body $ticketBody
# Upload evidence zip to the ticket
if ($ticketResult -and (Test-Path $zipPath)) {
try {
Upload-File -FilePath $zipPath -TicketIdOrNumber $ticketResult.ticket.id
Write-Host "Evidence attached to ticket."
} catch {
Write-Host "[WARNING] Could not attach evidence to ticket: $_"
# Fallback: upload to asset files
try {
Upload-File -FilePath $zipPath
Write-Host "Evidence uploaded to asset files instead."
} catch {
Write-Host "[WARNING] Could not upload evidence at all. Local copy at: $zipPath"
}
}
}
# RMM Alert
Rmm-Alert -Category "Security" -Body "ROGUE SCREENCONNECT on $env:COMPUTERNAME - $Found instance(s) connecting to: $(($RogueInstances | ForEach-Object { $_.ConnectedHost }) -join ', '). Evidence collected. Ticket created. Instances removed."
# Activity log
Log-Activity -Message "SECURITY: Removed $Killed rogue ScreenConnect instance(s). Ticket created with forensic evidence." -EventName "Security"
Write-Host ""
Write-Host "[ALERT] Security ticket created with full evidence package."
# Cleanup local evidence (zip is uploaded, raw files no longer needed)
Remove-Item -Path $EvidenceDir -Recurse -Force -ErrorAction SilentlyContinue
} else {
Write-Host ""
Write-Host "=== Summary ==="
Write-Host "Total SC services found: $($scServices.Count)"
Write-Host "All clear - no rogue instances."
}

94
scripts/syncro-update-sc-properties.ps1 Normal file
View File

@@ -0,0 +1,94 @@
# Syncro Script: Update ScreenConnect Session Properties via RESTful API
#
# Runs on each machine to self-report its company/device info to ScreenConnect.
# Designed to run on a schedule (e.g., daily) alongside other maintenance scripts.
#
# Syncro Platform Variables (set in script editor):
# $OrgName - platform - {{customer_business_name_or_customer_name}}
#
# File Type: PowerShell | Run as: System | Max Run Time: 5 minutes
Import-Module $env:SyncroModule
# ============================================================================
# Configuration
# ============================================================================
$SCBaseUrl = "https://computerguru.screenconnect.com"
$SCExtGuid = "2d558935-686a-4bd0-9991-07539f5fe749"
$SCAuthSecret = "FTnl15dK1uaKCOeFzkO1UnjGqpgtqCA5vRExWeXT38LjAV4vF9W/mYf8GpCyqlAv"
# ============================================================================
# Check if ScreenConnect is installed
# ============================================================================
$SCService = Get-Service -Name "ScreenConnect Client*" -ErrorAction SilentlyContinue
if (-not $SCService) {
Write-Host "ScreenConnect not installed - skipping."
exit 0
}
# ============================================================================
# Extract session GUID from service name
# ============================================================================
# Service name format: "ScreenConnect Client (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)"
$guidMatch = $SCService.Name | Select-String -Pattern '\(([0-9a-f\-]{36})\)' -AllMatches
if (-not $guidMatch -or -not $guidMatch.Matches) {
Write-Host "Could not extract session GUID from service: $($SCService.Name)"
exit 1
}
$SessionGuid = $guidMatch.Matches[0].Groups[1].Value
Write-Host "SC Session GUID: $SessionGuid"
# ============================================================================
# Determine device type
# ============================================================================
$DeviceType = "Desktop"
try {
$chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
if ($chassis | Where-Object { $_ -in @(8,9,10,11,12,14,18,21,31,32) }) { $DeviceType = "Laptop" }
if ($chassis | Where-Object { $_ -in @(17,23) }) { $DeviceType = "Server" }
$model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
if ($model -match "Virtual|VMware|VirtualBox|Hyper-V|KVM|Xen") { $DeviceType = "Virtual $DeviceType" }
} catch {
Write-Host "Could not detect device type, defaulting to Desktop"
}
# ============================================================================
# Build and send API request
# ============================================================================
$Company = if ([string]::IsNullOrWhiteSpace($OrgName)) { "Unassigned" } else { $OrgName }
Write-Host "Updating SC: Company='$Company', DeviceType='$DeviceType', Tag='Syncro-Matched'"
# CP1=Company, CP2=Site, CP3=Department, CP4=DeviceType, CP5=Tag, CP6-8=blank
$body = ConvertTo-Json @(
$SessionGuid,
@($Company, "", "", $DeviceType, "Syncro-Matched", "", "", "")
) -Compress
$url = "$SCBaseUrl/App_Extensions/$SCExtGuid/Service.ashx/UpdateSessionCustomProperties"
try {
$response = Invoke-WebRequest -Uri $url -Method POST -Body $body -ContentType "application/json" -Headers @{
"CTRLAuthHeader" = $SCAuthSecret
"Origin" = $SCBaseUrl
} -UseBasicParsing -ErrorAction Stop
if ($response.StatusCode -eq 200) {
Write-Host "Success - SC session updated."
Log-Activity -Message "SC Properties: $Company / $DeviceType" -EventName "ScreenConnect"
} else {
Write-Host "Unexpected status: $($response.StatusCode)"
Write-Host $response.Content
}
} catch {
$err = $_.Exception.Message
Write-Host "API call failed: $err"
Log-Activity -Message "SC Properties FAILED: $err" -EventName "ScreenConnect"
exit 1
}

215
session-logs/2026-03-30-session.md Normal file
View File

@@ -0,0 +1,215 @@
# Session Log: 2026-03-30
## Session Summary
Major infrastructure session on a fresh Windows 11 install (ACG-5070, formerly CachyOS). Three major accomplishments:
1. **Machine Setup** - Verified and installed all required tools on clean Windows install
2. **SOPS+age Credential Vault** - Built a complete local encrypted credential store, migrated all 1Password credentials, synced to Gitea
3. **ScreenConnect-Syncro Sync** - Built and ran a script to enrich 410 ScreenConnect sessions with company names and device types from Syncro data
---
## 1. Machine Setup (ACG-5070 - Windows 11 Pro)
### Pre-existing
- Node.js v24.14.1, npm 11.11.0
- Git 2.53.0
- Python 3.14.3
- 1Password CLI 2.33.1
- Ollama 0.18.3
- Claude Code 2.1.87
- jq, curl, Windows OpenSSH
### Installed This Session
- **sops** 3.7.3 (`winget install Mozilla.sops`)
- **age** 1.3.1 (`winget install FiloSottile.age`)
- **yq** 4.52.5 (`winget install MikeFarah.yq`)
### Ollama Models Pulled to D:\OllamaModels
- qwen3:14b (9.3 GB)
- codestral:22b (12 GB)
- nomic-embed-text (274 MB)
Environment variable `OLLAMA_MODELS=D:\OllamaModels` was already set.
### Still Missing
- gh (GitHub CLI)
- Global git config (only set in vault repo: Mike Swanson / mike@azcomputerguru.com)
- Hostname not yet set (will be ACG-5070)
### Machine Context
- CachyOS is gone -- this machine (ASUS laptop, Arrow Lake-S + RTX 5070 Ti) is now Windows 11 only
- Other machines: GURU-BEAST-ROG (Windows), Mikes-MacBook-Air (macOS) -- both need vault setup
---
## 2. SOPS+age Credential Vault
### Architecture
- **Dedicated Gitea repo**: git.azcomputerguru.com/azcomputerguru/vault (private)
- **Local path**: D:\vault
- **Encryption**: SOPS + age (AES-256), metadata stays plaintext for searchability
- **Selective encryption**: Only `credentials`, `notes`, `password`, `secret`, `api_key`, `token`, `pre_shared_key`, `content` fields are encrypted (via `encrypted_regex` in .sops.yaml)
### age Key
- **Public key**: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
- **Private key location (Windows)**: %APPDATA%\sops\age\keys.txt AND ~/.config/sops/age/keys.txt
- **1Password backup**: "age Key - ACG-5070 (Windows)" in Infrastructure vault
### Credentials
- age private key: AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
### Vault Structure (59 encrypted files)
```
vault/
.sops.yaml # Encryption config
.gitignore
.githooks/pre-commit # Blocks unencrypted commits
keys/recipients.txt # Public keys (ACG-5070 active, Beast+Mac pending)
scripts/vault.sh # CLI wrapper (search, get, get-field, edit, add, list, rotate)
infrastructure/ # 12 files (servers, network, OpenClaw)
clients/ # 25 files (Dataforth 10, VWP 4, Khalsa 3, etc.)
services/ # 5 files (Gitea, NPM, Cloudflare, Seafile, Matomo)
projects/ # 10 files (ClaudeTools 3, GuruRMM 6, GuruConnect 1)
msp-tools/ # 6 files (Syncro, Autotask, CIPP, Graph API, Google, ScreenConnect)
```
### Key Commands
```bash
# Search (no decryption needed)
bash D:/vault/scripts/vault.sh search "172.16.3.30"
# Get specific field
bash D:/vault/scripts/vault.sh get-field infrastructure/gururmm-server.sops.yaml credentials.password
# Full decrypt
bash D:/vault/scripts/vault.sh get services/gitea.sops.yaml
# List all entries
bash D:/vault/scripts/vault.sh list
```
### Migration Process
1. Exported all 1Password data via .1pux export (manual from 1Password app)
2. Agent parsed export.data JSON, created YAML files per item, encrypted with SOPS
3. Skipped Sorting vault (1776 duplicate items) and decommissioned items
4. All plaintext temp files deleted after migration
### CLAUDE.md Updated
- Credential access section now references SOPS vault as primary, 1Password as fallback
- New machine setup instructions for vault (install sops+age+yq, generate key, clone, rotate)
### Git
- Repo created on Gitea: azcomputerguru/vault (private)
- Git identity set (vault repo only): Mike Swanson / mike@azcomputerguru.com
- Two commits pushed:
1. Initial vault: 59 SOPS+age encrypted credential files
2. Add pre-commit hook to block unencrypted credential files
---
## 3. ScreenConnect-Syncro Sync
### Goal
Enrich generic ScreenConnect sessions (installed via Syncro's prebuilt installer) with proper company names, device types from Syncro asset data.
### ScreenConnect RESTful API Setup
- **URL**: https://computerguru.screenconnect.com
- **Extension GUID**: 2d558935-686a-4bd0-9991-07539f5fe749
- **Auth**: CTRLAuthHeader + Origin header required
- **API Secret**: FTnl15dK1uaKCOeFzkO1UnjGqpgtqCA5vRExWeXT38LjAV4vF9W/mYf8GpCyqlAv
- **API User**: acg-sc-api
- **Stored in vault**: msp-tools/screenconnect.sops.yaml
### SC Custom Property Mapping
| SC Field | CP# | What we populate |
|----------|-----|-----------------|
| Company | CP1 | Syncro customer.business_then_name |
| Site | CP2 | (blank - no site data in Syncro) |
| Department | CP3 | (blank) |
| Device Type | CP4 | Syncro form_factor (Laptop/Desktop/Virtual Server) |
| Tag | CP5 | "Syncro-Matched" or "Syncro-Deploy" or "Manual" |
| CP6-8 | | (blank) |
### SC API Endpoints Used
- `GetSessionDetailsBySessionID` (GET) - read session
- `GetSessionsByName` (GET) - search by name
- `UpdateSessionCustomProperties` (POST) - update custom fields
- Body format: `["<guid>", ["CP1","CP2","CP3","CP4","CP5","CP6","CP7","CP8"]]`
### Key Discovery: Direct GUID Link
Syncro assets have `properties["ScreenConnect GUID"]` which maps directly to SC session GUIDs. No hostname matching needed.
### Sync Script
- **Path**: D:\claudetools\scripts\sync-sc-from-syncro.js
- **Language**: Node.js (zero npm dependencies)
- **CLI**: `node sync-sc-from-syncro.js [--dry-run] [--force] [--verbose]`
- **Credentials**: Loaded from SOPS vault via vault.sh
### Bug Fix During Run
Node.js `https` module wasn't sending `Content-Length` header, causing SC API to return NullReferenceException. Fixed by adding explicit `Content-Length` via `Buffer.byteLength()`.
### Results
```
Total Syncro assets: 4636
Assets with SC GUID: 690
Already tagged (skipped): 0
Updated: 410
Errors: 280 (stale GUIDs - sessions no longer exist in SC)
```
### Manual Updates
- DF-GAGETRAK (501340ab-7145-428e-a2c0-c86cb3860a53) -> Dataforth Corporation, Tag: "Manual" (not in Syncro)
### SC Deployment Script for Syncro
- **Path**: D:\claudetools\scripts\syncro-deploy-sc.ps1
- **Purpose**: PowerShell script to deploy in Syncro as a policy script
- **What it does**: Downloads SC MSI with company name baked into installer URL, installs silently
- **Checks**: Skips if SC already installed, auto-detects device type from chassis
- **Tags with**: "Syncro-Deploy" in CP5
---
## 4. 1Password Observations
### Rate Limiting
Service account token got rate-limited from an agent making too many parallel requests. Rate limit persisted for 30+ minutes. Desktop app integration worked as fallback but requires biometric per-call.
### Service Account Details
- **Item name**: "Service Account Auth Token: Agentic-RW" (in Infrastructure vault)
- **Token**: ops_eyJzaWduSW5BZGRyZXNzIjoibXkuMXBhc3N3b3JkLmNvbSIs... (stored in vault at infrastructure/1password-service-account.sops.yaml)
### Duplicate Analysis (Started, Not Completed)
- Sorting vault: 1776 items, 258 titles with duplicates
- Worst: microsoftonline.com (76 copies), acghosting.com (58 copies)
- This cleanup is a separate project
---
## 5. Files Created/Modified
### New Files
- D:\vault/ (entire repo - 62+ files)
- D:\claudetools\scripts\sync-sc-from-syncro.js
- D:\claudetools\scripts\syncro-deploy-sc.ps1
- D:\claudetools\.claude\memory\reference_workstation_setup.md (updated from CachyOS to Windows)
### Modified Files
- D:\claudetools\.claude\CLAUDE.md (credential access section updated for SOPS vault)
- D:\claudetools\.claude\memory\MEMORY.md (updated machine reference)
---
## 6. Pending/Next Steps
1. **Set hostname** to ACG-5070
2. **Install gh** (GitHub CLI): `winget install GitHub.cli`
3. **Set global git config** (currently only in vault repo)
4. **Vault setup on GURU-BEAST-ROG**: install sops+age+yq, generate age key, clone vault, add key to recipients.txt, run rotate
5. **Vault setup on Mac**: same as above
6. **1Password Sorting vault cleanup**: dedup 1776 items (separate project)
7. **Commit SC sync scripts** to ClaudeTools repo
8. **Deploy syncro-deploy-sc.ps1** via Syncro policy to cover ~3946 assets without SC
9. **SC sessions with no Syncro match**: ~280 stale GUIDs to clean up in Syncro
10. **Consider scheduled sync**: run sync-sc-from-syncro.js periodically to catch new assets

232
session-logs/2026-03-31-session.md Normal file
View File

@@ -0,0 +1,232 @@
# Session Log: 2026-03-31 - TickTick Integration & Dev Project Tracking
## Session Summary
Built a complete TickTick integration for ClaudeTools, including OAuth authentication, MCP server with 9 tools, FastAPI service+router, and a dev project tracking system that syncs between the ClaudeTools database and TickTick.
### Key Decisions
- **Hybrid approach (Option 3):** TickTick for mobile/cross-device visibility of active dev projects, ClaudeTools DB for granular tracking (sessions, notes, timestamps)
- **MCP server + API service:** Both access paths -- MCP tools for Claude Code direct use, REST API for external access
- **SOPS vault for credentials:** Consistent with project standards, no env vars
- **JWT auth on all router endpoints:** Matches existing security pattern
### Problems Encountered & Resolutions
1. **"Guru" not appearing in API results:** It's a TickTick folder, not a list. The API only returns lists. "Tasks" and "Call Back List" are the actual lists inside the Guru folder.
2. **Bash not found from PowerShell:** The auth script uses `subprocess.run(["bash", ...])` for vault access. Must run from bash/Claude Code terminal, not PowerShell directly.
3. **DB server unreachable:** 172.16.3.30 not reachable from ACG-5070 without Tailscale. Installed Tailscale via winget, connected, then ran migration.
4. **mcp package not installed:** Installed `mcp` and `httpx` via pip for Python 3.14.
5. **Code review found 4 issues:** All fixed before proceeding -- gitignore, token permissions, JWT auth, SOPS vault credentials.
---
## Credentials
### TickTick API (OAuth 2.0)
- **Developer Portal:** https://developer.ticktick.com/
- **App Name:** ClaudeTools
- **Client ID:** 1J86gMsTJ0JH63gtf0
- **Client Secret:** pI4U78vtLQrZwcW5MmdNFdxA0eeoy7GJ
- **OAuth Redirect URL:** http://localhost:9876/callback
- **Scopes:** tasks:read tasks:write
- **SOPS Vault:** `services/ticktick.sops.yaml` (client_id, client_secret, oauth_redirect_url)
- **Token File:** `mcp-servers/ticktick/.tokens.json` (gitignored, auto-refreshes)
### TickTick API Endpoints
- **Base URL:** https://api.ticktick.com/open/v1
- **Auth URL:** https://ticktick.com/oauth/authorize
- **Token URL:** https://ticktick.com/oauth/token
- **Token endpoint requires:** Content-Type: application/x-www-form-urlencoded (NOT JSON)
### Database
- **Host:** 172.16.3.30:3306
- **DB:** claudetools
- **User:** claudetools
- **Password:** CT_e8fcd5a3952030a79ed6debae6c954ed
---
## Infrastructure & Servers
### Tailscale
- Installed on ACG-5070 via `winget install Tailscale.Tailscale` (v1.96.3)
- Required to reach 172.16.3.30 from home network
- Tailscale must be connected before DB/API access works
### TickTick IDs
- **Dev Projects list ID:** `69cbd7138f0826bd72746074`
- **TickTick Integration task ID:** `69cbe8ca8f0898cc050064e5`
- **DB dev_projects row UUID:** `65783890-2d12-11f1-ae01-52540020ee14`
### User's TickTick Projects (16 total)
- Call Back List, COSTCO, Private, Capacitance, Website Department, Household Tasks & Projects, PacketDial, Tasks, Grocery, Kitchen Decon, Camper Packing, MOVE 2024, Photography Challenge, Business Planning, Libations shopping, Da Move
- "Guru" is a folder containing "Tasks" (21 items) and "Call Back List"
- "HomeStuff" is another folder (15 items)
---
## Files Created
### MCP Server
- `mcp-servers/ticktick/ticktick_auth.py` - One-time OAuth browser auth flow (localhost:9876 callback, CSRF protection, vault credential retrieval)
- `mcp-servers/ticktick/ticktick_mcp.py` - MCP server with 9 tools: ticktick_list_projects, ticktick_get_project, ticktick_create_project, ticktick_update_project, ticktick_delete_project, ticktick_create_task, ticktick_update_task, ticktick_complete_task, ticktick_delete_task
### API Integration
- `api/services/ticktick_service.py` - Async service class with SOPS vault credentials, auto token refresh on 401, httpx client
- `api/routers/ticktick.py` - REST endpoints at `/api/ticktick/`, JWT-protected, 9 endpoints matching MCP tools
### Database
- `migrations/add_dev_projects_table.sql` - Migration SQL for dev_projects table (14 columns, status index)
### Configuration
- `.mcp.json` - MCP server registration (ticktick server using python)
- `vault/services/ticktick.sops.yaml` - SOPS-encrypted TickTick credentials
## Files Modified
- `api/main.py` - Added ticktick router import and registration at `/api/ticktick/`
- `.gitignore` - Added `**/.tokens.json` to prevent token leakage
- `.claude/memory/MEMORY.md` - Added TickTick integration reference
- `.claude/memory/reference_ticktick_integration.md` - New memory file with full integration details
## Database Changes
- **New table:** `dev_projects` (14 columns) with index on status
- **First row inserted:** "TickTick Integration" project, status=active, linked to TickTick task
## Packages Installed
- `mcp` (v1.26.0) - MCP protocol library for Python
- `httpx` (v0.28.1) - Async HTTP client
- `pydantic` (v2.12.5) - Data validation (mcp dependency)
- `Tailscale` (v1.96.3) - VPN/mesh networking via winget
- Plus ~25 transitive dependencies
---
## Pending/Incomplete Tasks
1. **Dev projects API service + router** - Need `api/services/dev_project_service.py` and `api/routers/dev_projects.py` for CRUD on dev_projects table
2. **Bidirectional sync logic** - Auto-update TickTick when DB status changes and vice versa
3. **MCP server testing** - Need to restart Claude Code session to load the TickTick MCP server and test tools
4. **TickTick folder placement** - API can't place "Dev Projects" list inside the "Guru" folder (no folder API). It appears at top level.
5. **Existing project backfill** - Could add existing dev projects (like the TickTick integration itself) to track history
---
## Reference
### TickTick API Gotchas
- No webhooks (must poll for changes)
- No search endpoint (filter client-side)
- No folder management API
- Priority values non-sequential: 0=none, 1=low, 3=medium, 5=high
- Task update may need POST or PUT (code tries POST first, falls back to PUT)
- Deletions are permanent via API
- Date format: ISO 8601 with timezone offset
### Re-authentication
If tokens expire completely: `python mcp-servers/ticktick/ticktick_auth.py` (run from bash, not PowerShell)
### MCP Tools Available (after session restart)
All prefixed with `ticktick_`: list_projects, get_project, create_project, update_project, delete_project, create_task, update_task, complete_task, delete_task
---
## Update: 10:10 AM - M365 Remediation & Data Recovery Discussion
### Session Summary
Mixed session covering data recovery discussion, M365 tenant investigations via Graph API (remediation tool), and cross-tenant consent troubleshooting.
### Key Decisions & Learnings
- **"365 remediation tool" = Graph API app fabb3421-8b34-484b-bc17-e46de9703418** (NOT CIPP). Memory saved for future sessions.
- **CIPP API (420cb849) returning 403** on all endpoints -- API client permissions need updating
- **Admin consent URL with tenant-specific path works for some tenants** but failed for grabblaw.com (redirected to "wrongplace")
### Work Performed
#### 1. Data Recovery Discussion (Hitachi Deskstar HDS721010KLA330)
- User has a failed 1TB Hitachi Deskstar 7K1000 (June 2008, P/N 0A37239, MLC BA2720, S/N PAK590UF)
- Symptoms: spins up, 5-7 read attempts, heads park, platter keeps spinning
- Diagnosis: firmware/service area corruption (not head crash, not platter damage)
- Discussed Pi-based DIY recovery via serial diagnostic port (4-pin header, 38400 baud 8N1, T> prompt)
- Discussed PC-3000 internals and HDDSuperTool/OpenSuperClone open source alternatives
- Data likely intact on platters -- drive can't boot its own firmware
#### 2. MVAN Enterprises (mvaninc.com) - M365 Investigation
- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1
- **Domains:** mvaninc.com, modernstile.com, m.mvaninc.com
- **14 users**, all enabled
- **Secure Score:** 15.43 / 64.0 (24%)
- **[WARNING] Mitch VanDeveer under active credential stuffing attack** -- 48/50 sign-ins are failures from malicious IPs (Luxembourg, Frankfurt, LA, Tokyo, Lima, Camden). Running since at least March 3. Account locking and IP blocking working correctly.
- **sysadmin@mvaninc.com** -- clean, 8 sign-ins all from expected locations (Phoenix, Oklahoma City)
- **MFA CA policy switched from report-only to ENFORCED** (policy ID: a5d04d44-c6d8-4b40-a37a-0ef16eaa3678)
- **MFA Registration:** Both Mitch and sysadmin have MFA registered (Authenticator push, phone, TOTP)
#### 3. Grabb & Durando (grabblaw.com) - Consent Failed
- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
- Admin consent URL redirected to "wrongplace" after login
- ROPC flow also failed (consent_required)
- Entra admin center approach hit browser extension isolation issues
- **Status: BLOCKED** -- needs manual consent or alternative approach
#### 4. Cascades Tucson (cascadestucson.com) - Onboarded Successfully
- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
- **Domain note:** User said "castadestucson.com" but actual domain is "cascadestucson.com"
- Admin consent URL worked for this tenant
- **50 users** (5 disabled), 33/34 M365 Business Premium licenses used
- **Secure Score:** 93.78 / 273.0 (34%)
- **CA Policies: 8 policies, ALL enabled** -- well configured (MFA all users, legacy auth blocked, risky sign-in detection)
- **[WARNING] Megan Hiatt** -- blocked sign-ins from Hamburg, Germany (158.94.211.16) flagged as malicious IP
- **Awaiting details from Howard** on what needs to be done in this tenant
---
### Credentials
#### Claude-MSP-Access (Graph API) - Remediation Tool
- **App ID:** fabb3421-8b34-484b-bc17-e46de9703418
- **App Name:** ComputerGuru - AI Remediation
- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
- **SOPS Vault:** msp-tools/claude-msp-access-graph-api.sops.yaml
- **Consent URL pattern:** `https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient`
#### CIPP
- **URL:** https://cippcanvb.azurewebsites.net
- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
- **Client ID:** 420cb849-542d-4374-9cb2-3d8ae0e1835b
- **Client Secret:** MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT
- **Status:** Auth works but API returns 403 on all endpoints (permissions issue)
#### MVAN M365
- **Admin:** sysadmin@mvaninc.com / r3tr0gradE99#
- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1
#### Grabblaw M365
- **Admin:** sysadmin@grabblaw.com / r3tr0gradE99!
- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
- **Status:** Consent not granted, remediation tool not functional for this tenant
#### Cascades Tucson M365
- **Admin:** sysadmin@cascadestucson.com (password not provided this session)
- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
- **Status:** Consented and operational
---
### Pending/Incomplete Tasks
1. **Grabblaw.com consent** -- admin consent flow broken, need alternative approach (possibly PowerShell New-AzADServicePrincipal or manual Enterprise App registration in Entra)
2. **Grabblaw full access** -- Reyna account needs full access to Jsosa mailbox (blocked by consent issue)
3. **Cascades Tucson** -- awaiting details from Howard on what needs to be done
4. **CIPP API permissions** -- 403 on all endpoints, needs API role/permission update
5. **MVAN recommendations:**
- Reset Mitch VanDeveer's password (credential stuffing ongoing)
- Enable SSPR for sysadmin and mitch accounts
- Clean up unused licenses (2x O365 Business Premium, 1x Cloud PC)
- Address low secure score (24%)
---
### Memory Updates This Session
- **New:** `feedback_365_remediation_tool.md` -- "365 remediation tool" always means Graph API app fabb3421, not CIPP

172
session-logs/2026-04-01-session.md Normal file
View File

@@ -0,0 +1,172 @@
# Session Log: 2026-04-01 - Session Start / State Capture
## Session Summary
Brief session opened to capture current state. No significant work performed.
### Outstanding Uncommitted Work
The following files from a previous session (2026-03-31) remain uncommitted:
- `clients/ace-portables/reports/2026-03-31-malware-incident-report.md` - Security incident report for Ace Portables (Trojan.GenericKD.77292516 detected on John's workstation via Bitdefender GravityZone)
- `clients/ace-portables/reports/2026-03-31-malware-incident-report.html` - HTML version of the same report
- `clients/ace-portables/reports/logo-light.png` - Logo asset for report
### Ace Portables Incident Details
- **Client:** Ace Portables
- **Report Ref:** ACE-SEC-2026-0331
- **Detection Date:** 25 March 2026, 11:15
- **Affected User:** John
- **Threat:** Trojan.GenericKD.77292516 - malicious Edge browser extension (`background.js`)
- **Extension ID:** cfacibcmkcdppnkgennkfaepplpkblmp
- **Action:** Bitdefender auto-deleted, extension blocklisted across all endpoints
- **Status:** Workstation confirmed clean, report prepared for bank
---
## Infrastructure & Servers
No changes this session.
- **Database:** 172.16.3.30:3306 / claudetools (unchanged)
- **API:** http://172.16.3.30:8001 (unchanged)
---
## Pending/Incomplete Tasks
1. **Commit Ace Portables reports** - `clients/ace-portables/` directory is untracked
2. **Grabblaw.com consent** - Admin consent flow still broken from 2026-03-31
3. **Cascades Tucson** - Still awaiting details from Howard
4. **CIPP API permissions** - 403 on all endpoints, needs permission update
5. **Dev projects API service + router** - From TickTick integration session
6. **MCP server testing** - TickTick MCP tools need session restart to test
---
## Reference
- Last session log: `session-logs/2026-03-31-session.md` (TickTick integration + M365 remediation)
- Last commit: af71d31 "Session log: GuruRMM audit, installer system, infrastructure fixes"
---
## Update: 12:50 - MSP M365 Tasks (Multi-Client)
### Session Summary
Handled M365 admin tasks across three clients using the "ComputerGuru - AI Remediation" Graph API app. Discovered the app was missing directory role assignments needed for password resets and Exchange management. Fixed the role assignments and completed all tasks.
### Work Completed
#### 1. Valleywide Plastering - Rose Guerrero Account Unlock
- **Client:** Valleywide Plastering (`valleywideplastering.com`)
- **Tenant ID:** 5c53ae9f-7071-4248-b834-8685b646450f
- **User:** rose@valleywideplastering.com (Rose Guerrero, ID: 8c1e798c-26d9-43aa-a129-573aad703e6f)
- **Issue:** Account temporarily locked
- **Actions:** Unlocked account (`accountEnabled: true`), reset password to `Valley@301` (no forced change)
- **Status:** [COMPLETE]
#### 2. Dataforth - Joel Lohr Post-Retirement Tasks
- **Client:** Dataforth (`dataforth.com`)
- **Tenant ID:** 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
- **Requested by:** Georg Haubner (ghaubner@dataforth.com)
- **User:** jlohr@dataforth.com (Joel Lohr, ID: af0e88be-dfec-40ac-87fd-d4f4627f8e65)
- **Joel's status:** Retired as of 2026-03-31, AD-synced account
- **Actions:**
- Reset password to `Retired2026` (no forced change) via Graph API
- Granted Georg Haubner (ghaubner@dataforth.com) Full Access to Joel's mailbox with AutoMapping enabled via Exchange Online REST API (Add-MailboxPermission)
- **Status:** [COMPLETE]
#### 3. Dataforth - Transport Rule Fix (Calendar Forwarding)
- **Issue:** John Lehman (jlehman@dataforth.com) reported calendar forwards to rkoranek@dataforth.com were being blocked by transport rule
- **Root Cause:** Transport rule "Mailptroctor Only (Reject Direct Mail)" (GUID: ae0abec4-281b-4182-96ca-756f66c6b920) was blocking internal calendar forwards. The rule rejects all external-origin messages not from MailProtector IPs. When forwarding a calendar invite from an external sender (KAvila@ascenteceng.com), Outlook preserves the original sender headers, triggering the rule.
- **Original rule created:** 2026-01-05 session (phishing remediation - blocked direct M365 connections bypassing MailProtector)
- **Fix applied:** Added `ExceptIfMessageTypeMatches: Calendaring` exception to the rule via Exchange Online REST API (Set-TransportRule)
- **Rule now allows:** Calendar/meeting messages (requests, forwards, cancellations) to pass through even if original sender is external
- **MailProtector IPs still enforced for regular email:** 52.0.70.91, 52.0.74.211, 52.0.31.31
- **Status:** [COMPLETE]
### Remediation Tool Upgrades
**Critical discovery:** The "ComputerGuru - AI Remediation" app (fabb3421-8b34-484b-bc17-e46de9703418) had Graph API permissions but was missing Entra directory role assignments needed for privileged operations.
**Problem:** Graph API permissions like `User.ReadWrite.All` allow reading/modifying user properties, but password resets and Exchange management require directory roles assigned to the service principal. The app cannot self-assign these roles.
**Roles assigned this session:**
| Tenant | Role | Status |
|--------|------|--------|
| Valleywide Plastering (5c53ae9f...) | User Administrator | Assigned by Mike via Entra portal |
| Dataforth (7dfa3ce8...) | User Administrator | Assigned by Mike via Entra portal |
| Dataforth (7dfa3ce8...) | Exchange Administrator | Assigned by Mike via Entra portal |
**Admin consent re-run:**
- VWP tenant: `https://login.microsoftonline.com/5c53ae9f-7071-4248-b834-8685b646450f/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient`
**TODO for other tenants:** Same role assignments needed for any tenant where we want password reset or Exchange management capabilities. Pattern:
1. Run admin consent URL with tenant-specific ID
2. Assign User Administrator role to "ComputerGuru - AI Remediation" SP
3. Assign Exchange Administrator role if Exchange management needed
### Credentials & API Details
#### Remediation Tool (Multi-Tenant MSP App)
- **App Name:** ComputerGuru - AI Remediation
- **App ID:** fabb3421-8b34-484b-bc17-e46de9703418
- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
- **Vault path:** `msp-tools/claude-msp-access-graph-api.sops.yaml`
- **Graph API scope:** `https://graph.microsoft.com/.default`
- **Exchange scope:** `https://outlook.office365.com/.default`
- **Key permissions:** User.ReadWrite.All, Directory.ReadWrite.All, Mail.ReadWrite, Mail.Send, Exchange.ManageAsApp, RoleManagement.ReadWrite.Exchange, plus many more (full list in token)
#### Dataforth App (Tenant-Specific)
- **App Name:** Claude-Code-M365
- **App ID:** 7a8c0b2e-57fb-4d79-9b5a-4b88d21b1f29
- **Client Secret:** tXo8Q~ZNG9zoBpbK9HwJTkzx.YEigZ9AynoSrca3
- **Vault path:** `clients/dataforth/m365.sops.yaml`
- **Note:** Fewer permissions than remediation app, no Exchange.ManageAsApp
### Exchange Online REST API Pattern
Successfully used Exchange Online PowerShell REST API for the first time via the remediation tool:
```bash
# Get Exchange token
EX_TOKEN=$(curl -s -X POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
-d "client_id=fabb3421-8b34-484b-bc17-e46de9703418" \
-d "client_secret=~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO" \
-d "scope=https://outlook.office365.com/.default" \
-d "grant_type=client_credentials" | jq -r '.access_token')
# Invoke Exchange cmdlet
curl -s -X POST "https://outlook.office365.com/adminapi/beta/$TENANT_ID/InvokeCommand" \
-H "Authorization: Bearer $EX_TOKEN" \
-H "Content-Type: application/json; charset=utf-8" \
-d '{"CmdletInput":{"CmdletName":"Get-TransportRule","Parameters":{}}}'
```
### Infrastructure
- **Database:** 172.16.3.30:3306 / claudetools (unchanged)
- **API:** http://172.16.3.30:8001 (unchanged)
- **Dataforth AD1:** 192.168.0.27 (SSH timed out - not on VPN)
- **Dataforth AD2:** 192.168.0.6 (not reachable from current network)
### Previous Session (41cb8b1a) - GuruRMM Project
Reviewed previous session content. That session was working on:
- GuruRMM Agent project reference audit (fixing docs, verifying what runs where)
- SSH key setup to GuruRMM server
- Attempting to open RMM console (hit TLS/Chrome extension issues)
- User wants to continue this work
### Pending/Incomplete Tasks
1. **Commit Ace Portables reports** - `clients/ace-portables/` directory still untracked
2. **Dataforth - Joel mailbox conversion** - Consider converting to shared mailbox to free license (currently just granted Georg full access)
3. **Remediation tool role assignments** - Need User Administrator + Exchange Administrator roles in ALL managed tenants (only VWP and DF done so far)
4. **GuruRMM project** - Continue from previous session (reference audit, RMM console access)
5. **Reply to John Lehman** - Let him know the calendar forwarding issue is fixed
6. **Grabblaw.com consent** - Still broken from 2026-03-31
7. **Cascades Tucson** - Still awaiting details from Howard

138
session-logs/2026-04-02-session.md Normal file
View File

@@ -0,0 +1,138 @@
# Session Log: 2026-04-02 - Multi-Client MSP Work
## Session Summary
Mixed MSP session covering three clients: Barbara Bardach (contact cleanup), Dataforth (MFA resets + auth policy), and ACE Portables (Bitdefender reinstall).
### Key Decisions
- Bardach contacts: Server-side data was clean (only 18 duplicate names out of 6,096 contacts). iPhone "duplicate" issue is likely Siri Suggestions or iOS display, not Exchange sync.
- Dataforth MFA: Discovered Microsoft Authenticator and SMS were both disabled at the tenant authentication methods policy level — root cause of users unable to register MFA.
- ACE Portables: Bitdefender agent lost communication with GravityZone cloud console. Approach: uninstall old agent, reinstall fresh from GravityZone package.
---
## Client: Barbara Bardach (bardach.net)
### Tenant Info
- Domain: bardach.net
- Tenant ID: dd4a82e8-85a3-44ac-8800-07945ab4d95f
- User: barbara@bardach.net
- User Object ID: 41d14430-feb4-4ae2-aed6-2bd4e6384ca7
### Work Performed
#### 1. Contact Duplicate Analysis
- Queried all 6,096 contacts via Graph API (7 pages of 999)
- Found 18 duplicate display names, 114 blank display names
- Only 1 name appeared 3x (Patsy Sable), rest were pairs
#### 2. Contact Dedup & Merge (19 contacts removed)
**Exact duplicates deleted (6 contacts):**
- Bardach, Mike; Brandon Lopez; Judi Carroll; Kelly Yang; Megan Carroll; Winter Williams
**Patsy Sable (3 copies → 1):**
- Deleted 1 exact work dupe (psable@longrealty.com)
- Merged psable@longrealty.com into personal contact (patsy@patsysable.com)
**Merged pairs (11 contacts — secondary emails/phones merged into keeper, dupe deleted):**
- Barbara Bardach, David Rodriguez, Denise Newton, Gina Beltran, Jessica Bonn, Kayla Manley, Maria Anemone, Mark Crager, Paula Williams, Randy Bonn, Susan Barry
Script: `temp/bardach_merge_contacts.py`
#### 3. Blank Display Name Fix (107 fixed)
- 113 contacts had blank displayName but had companyName
- Set displayName = companyName for 107 contacts
- 6 skipped (no usable data — no name, company, or email)
- These were business contacts stored only by company (e.g., "Viking River Cruises", "Wells Fargo", etc.)
Script: `temp/bardach_fix_blank_names.py`
#### Remaining iPhone Issue
- Server-side data is now clean
- iPhone duplicate perception likely caused by:
- Siri Suggestions for Contacts (Settings > Apps > Contacts > Siri & Search)
- iOS contact linking failures
- Recommended: Toggle Exchange contacts off/on on iPhone to force fresh sync
---
## Client: Dataforth
### Tenant Info
- Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
- Service Principal has: User Administrator + Exchange Administrator roles
### Work Performed
#### 1. MFA Reset — AJ Lopez & Ben Wadzinski
- **AJ Lopez (alopez@dataforth.com)** — Object ID: 0ee5a1d7-d418-4104-b18e-6a8387a9e01e
- Removed: phone auth method, email auth method
- Account enabled: true (unlocked)
- **Ben Wadzinski (bwadzinski@dataforth.com)** — Object ID: 39c5f047-7f52-4c7a-bab7-e2ef3061391a
- Removed: phone auth method
- Account enabled: true (unlocked)
#### 2. Authentication Methods Policy Fix
**Problem:** Both Microsoft Authenticator and SMS were DISABLED at the tenant level. Only Email was enabled. Users could not register MFA via Authenticator app or SMS.
**Fix:** Enabled both via Graph API PATCH to authentication methods policy:
- `MicrosoftAuthenticator` → enabled (was disabled)
- `Sms` → enabled (was disabled)
- Verified both show state: "enabled" after change
Both users should be prompted to re-register MFA on next sign-in.
---
## Client: ACE Portables (Melissa Lynch)
### Issue
- Bitdefender agent on one machine shows "Communication with the management console could not be established"
- Device does not appear in GravityZone cloud console
- Machine user: joanf (C:\Users\joanf)
### GravityZone Info
- Console: cloud.gravityzone.bitdefender.com
- Company: ACE Portables - Melissa Lynch_22299872
- 3 installation packages found for this company
- Best package: SYN-/5552092/22299872/1/1/1/1/1 (all modules enabled)
- Modules: Antimalware, Advanced Threat Control, Firewall, Network Protection, Content Control, Antiphishing
- Operation mode: Detection and prevention
### Resolution In Progress
1. Uninstall old agent: `& "C:\Program Files\Bitdefender\Endpoint Security\product.exe" /bdparams /silent uninstall`
- Note: Must use `&` prefix in PowerShell to avoid parser error with `/` operator
2. Download fresh package from GravityZone > Installation Packages > ACE Portables company filter
3. Install fresh package on machine
### Status: PENDING — awaiting uninstall completion and reinstall
---
## Credentials Used
### Graph API (Claude-MSP-Access)
- App ID: fabb3421-8b34-484b-bc17-e46de9703418
- Client Secret: ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
- Source: SOPS vault `msp-tools/claude-msp-access-graph-api.sops.yaml`
### Tenant IDs
- Bardach.net: dd4a82e8-85a3-44ac-8800-07945ab4d95f
- Dataforth: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
---
## Infrastructure Notes
- Installed Python 3.12.10 on Windows workstation via `winget install Python.Python.3.12`
- Path: `C:\Users\guru\AppData\Local\Programs\Python\Python312`
- Must add to PATH in bash: `export PATH="/c/Users/guru/AppData/Local/Programs/Python/Python312:/c/Users/guru/AppData/Local/Programs/Python/Python312/Scripts:$PATH"`
## Files Created
- `temp/bardach_merge_contacts.py` — Contact dedup/merge script
- `temp/bardach_fix_blank_names.py` — Blank displayName fix script
## Pending Tasks
- ACE Portables: Complete Bitdefender uninstall/reinstall on joanf's machine
- Barbara Bardach: Follow up on iPhone display — have her check Siri Suggestions setting and toggle Exchange contacts off/on
- Bardach: 6 contacts with no usable data (no name, company, email, or phone) still exist — may want to review/delete

138
session-logs/2026-04-06-session.md Normal file
View File

@@ -0,0 +1,138 @@
# Session Log: 2026-04-06
## Session Summary
Mixed infrastructure session covering ScreenConnect redirect page, UniFi OS Server migration, and related networking changes.
### Work Completed
1. **ScreenConnect redirect page at azcomputerguru.com/sc**
- Created PHP redirect at `/home/azcomputerguru/public_html/sc/index.php` on IX server
- Initially tried .htaccess RewriteRule but Apache mangled `%2B` encoding in the RSA key
- Switched to PHP `header()` redirect which preserves URL encoding exactly
- Correct SC download URL: `https://computerguru.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&c=&c=&c=&c=&c=&c=&c=&c=DirectDownload`
- Original attempt used wrong binary name (`ConnectWiseControl.ClientSetup.exe`) and included h/p/k params -- the correct URL from SC admin is simpler
2. **UniFi OS Server - Docker troubleshooting on Jupiter (abandoned)**
- `unifi-os-server` Docker container on Jupiter (172.16.3.20) had "no internet" error on setup screen
- Container actually had full internet -- all Ubiquiti endpoints reachable
- Likely an application-level self-check issue
- `unifi-controller-reborn` Docker was crash-looping due to missing symlink targets:
- `logs` -> `/var/log/unifi` -> `/unifi/log` (didn't exist)
- `run` -> `/var/run/unifi` -> `/unifi/run` (didn't exist)
- Only `/unifi/var` was volume-mounted, not `/unifi/log` or `/unifi/run`
- Created missing directories, MongoDB started, container went healthy
- User ultimately removed Docker approach in favor of a dedicated VM
3. **UniFi OS Server - VM installation (172.16.3.29)**
- New Rocky Linux 9.1 VM set up by user at 172.16.3.29
- Hostname: `unifi.azcomputerguru.com`
- Installed `podman` (5.6.0) and `slirp4netns` (1.3.3) via dnf
- Downloaded UOS Server 5.0.6 installer (803MB) from Ubiquiti
- Ran installer with `echo y | ./installer` (requires interactive confirmation)
- Installer uses Podman internally to run a container as user `uosserver` (UID 1000)
- Service: `uosserver.service` (systemd)
- Web UI: https://172.16.3.29:11443/
4. **Firewall - Rocky Linux VM**
- Opened all required UniFi ports in firewalld:
- TCP: 11443, 8443, 8080, 8880, 8881, 8882, 8444, 6789, 5671, 5005, 9543, 11084
- UDP: 3478, 10001, 1900, 5514, 10003
5. **pfSense NAT updates**
- Checked existing NAT rules on pfSense (172.16.0.1:2248)
- `Unifi_Server` alias was pointing to `172.16.3.28` (old Docker container IP)
- User manually updated alias to `172.16.3.29` (new VM)
- Existing port forwards on public IP 72.194.62.10: 8443/tcp, 3478/tcp+udp
- NPM (172.16.3.20) handles HTTPS on 72.194.62.10:443 -> port 18443
6. **UniFi inform URL configuration**
- Set `system_ip=unifi.azcomputerguru.com` in system.properties inside Podman container
- Path: `/usr/lib/unifi/data/system.properties` (inside container)
- Restarted uosserver service to apply
- Devices will inform to: `http://unifi.azcomputerguru.com:8080/inform`
7. **NPM proxy host update**
- User updated `unifi.azcomputerguru.com` proxy host in NPM to point to new VM
- Port changed from 443 to 11443, scheme HTTPS
### Key Decisions
- Abandoned Docker approach for UniFi OS on Jupiter -- too many symlink/volume issues
- Dedicated Rocky Linux 9.1 VM is cleaner for UOS Server
- UOS Server 5.0.6 uses Podman internally (not Docker) even on bare metal install
- Recommended bumping VM RAM from 8GB to 16GB before migrating ~300 devices
---
### Credentials
#### UniFi VM (172.16.3.29)
- SSH: root / Gptf*77ttb123!@#-unifi
- OS: Rocky Linux 9.1
- Hostname: unifi.azcomputerguru.com
#### IX Server (172.16.3.10)
- SSH: root / Gptf*77ttb!@#!@# (port 22)
- Requires sshpass or paramiko (no SSH key auth from this workstation)
#### pfSense (172.16.0.1)
- SSH: admin / r3tr0gradE99!! (port 2248)
- See vault: infrastructure/pfsense-firewall.sops.yaml
#### NPM (Nginx Proxy Manager)
- Host: 172.16.3.20:7818
- See vault/1Password for credentials
---
### Infrastructure & Servers
| Server | IP | Role | Notes |
|--------|-----|------|-------|
| IX Server | 172.16.3.10 | Web hosting (cPanel) | azcomputerguru.com WordPress |
| Jupiter | 172.16.3.20 | Unraid, NPM, Gitea | NPM on port 7818/18443 |
| UniFi VM | 172.16.3.29 | UniFi OS Server 5.0.6 | Rocky Linux 9.1, 8 vCPU, 7.4GB RAM |
| pfSense | 172.16.0.1 | Firewall/router | SSH port 2248 |
### DNS / Proxy
- `unifi.azcomputerguru.com` -> 72.194.62.10 (public) -> NPM -> 172.16.3.29:11443
- `azcomputerguru.com/sc/` -> PHP redirect to ScreenConnect installer
### Files Created/Modified
- `/home/azcomputerguru/public_html/sc/index.php` (IX server) -- SC redirect
- `/usr/lib/unifi/data/system.properties` (inside UOS Podman container) -- inform URL
- Firewalld rules on 172.16.3.29 -- all UniFi ports opened
- pfSense `Unifi_Server` alias updated from 172.16.3.28 to 172.16.3.29
---
### Pending/Incomplete Tasks
- [ ] Bump UniFi VM RAM from 8GB to 16GB (recommended for ~300 devices)
- [ ] Migrate from old UniFi Network controller to new UOS Server (backup + restore)
- [ ] Verify all pfSense port forwards are working correctly after alias change
- [ ] Consider adding port 11443 NAT rule on pfSense for external UOS web UI access
- [ ] Set up SSH key auth on IX server and UniFi VM for this workstation
- [ ] Note: captive portal port changed from 8843 (legacy) to 8444 (UOS Server)
### Port Reference - UniFi OS Server
| Port | Protocol | Purpose |
|------|----------|---------|
| 11443 | TCP | UOS Web UI (maps to 443 inside container) |
| 8443 | TCP | UniFi Application HTTPS |
| 8080 | TCP | Device inform |
| 8444 | TCP | Captive portal HTTPS (was 8843 on legacy) |
| 8880 | TCP | HTTP portal redirect |
| 3478 | UDP | STUN |
| 10001 | UDP | Device discovery |
| 1900 | UDP | L2 discovery |
| 5514 | UDP | Remote syslog |
### UOS Server Management Commands
```bash
sudo systemctl stop uosserver
sudo systemctl start uosserver
sudo systemctl restart uosserver
sudo systemctl status uosserver
# Container runs as user 'uosserver' via podman
su - uosserver -c "podman exec uosserver <command>"
```

75
temp/bardach_fix_blank_names.py Normal file
View File

@@ -0,0 +1,75 @@
import urllib.request, urllib.parse, json, os
from collections import defaultdict
APP_ID = "fabb3421-8b34-484b-bc17-e46de9703418"
TENANT_ID = "dd4a82e8-85a3-44ac-8800-07945ab4d95f"
CLIENT_SECRET = os.environ["CLIENT_SECRET"]
USER_ID = "41d14430-feb4-4ae2-aed6-2bd4e6384ca7"
token_data = urllib.parse.urlencode({
'client_id': APP_ID, 'client_secret': CLIENT_SECRET,
'scope': 'https://graph.microsoft.com/.default', 'grant_type': 'client_credentials'
}).encode()
req = urllib.request.Request(f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token", data=token_data, method='POST')
with urllib.request.urlopen(req) as r:
token = json.loads(r.read())['access_token']
base = f'https://graph.microsoft.com/v1.0/users/{USER_ID}/contacts'
def patch_contact(cid, data):
body = json.dumps(data).encode()
req = urllib.request.Request(f'{base}/{cid}', data=body, method='PATCH',
headers={'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'})
with urllib.request.urlopen(req) as r:
return r.status
# Fetch all contacts with blank displayName
url = f'{base}?$select=id,displayName,givenName,surname,companyName,emailAddresses,businessPhones,mobilePhone&$top=999'
blanks = []
while url:
req = urllib.request.Request(url, headers={'Authorization': f'Bearer {token}'})
with urllib.request.urlopen(req) as r:
data = json.loads(r.read())
for c in data.get('value', []):
dn = (c.get('displayName') or '').strip()
if not dn:
blanks.append(c)
url = data.get('@odata.nextLink')
print(f'Found {len(blanks)} contacts with blank displayName\n')
fixed = 0
skipped = 0
for c in blanks:
given = (c.get('givenName') or '').strip()
surname = (c.get('surname') or '').strip()
company = (c.get('companyName') or '').strip()
emails = [e.get('address', '') for e in c.get('emailAddresses', []) if e.get('address', '').strip()]
phones = list(filter(None, (c.get('businessPhones') or []) + [c.get('mobilePhone')]))
# Build display name from best available info
if given and surname:
new_name = f'{given} {surname}'
elif given:
new_name = given
elif surname:
new_name = surname
elif company:
new_name = company
elif emails:
# Use email local part as name
new_name = emails[0].split('@')[0].replace('.', ' ').replace('_', ' ').title()
else:
# Nothing useful - skip
skipped += 1
continue
try:
status = patch_contact(c['id'], {'displayName': new_name})
src = 'name' if (given or surname) else ('company' if company else 'email')
print(f' [OK] "{new_name}" (from {src}, status {status})')
fixed += 1
except Exception as e:
print(f' [ERROR] {new_name}: {e}')
print(f'\n=== DONE: Fixed {fixed}, Skipped {skipped} (no usable data) ===')

649
temp/bardach_merge_contacts.py
View File

@@ -1,540 +1,147 @@
#!/usr/bin/env python3
"""
Bardach Contact Merge: Merge extra data from Temp contacts into Main contacts,
then delete the Temp copies. Main is authoritative - only ADD missing data.
"""
import urllib.request, urllib.parse, json, os
from collections import defaultdict
import json
import subprocess
import time
import re
import sys
from datetime import datetime
# Force unbuffered output
sys.stdout.reconfigure(line_buffering=True)
sys.stderr.reconfigure(line_buffering=True)
# ============================================================
# Configuration
# ============================================================
APP_ID = "fabb3421-8b34-484b-bc17-e46de9703418"
TENANT_ID = "dd4a82e8-85a3-44ac-8800-07945ab4d95f"
CLIENT_ID = "fabb3421-8b34-484b-bc17-e46de9703418"
CLIENT_SECRET = "~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO"
SCOPE = "https://graph.microsoft.com/.default"
USER = "barbara@bardach.net"
BASE_URL = f"https://graph.microsoft.com/v1.0/users/{USER}/contacts"
DATA_FILE = "D:/ClaudeTools/temp/bardach_temp_vs_main.json"
LOG_FILE = "D:/ClaudeTools/temp/bardach_merge_results.json"
THROTTLE_DELAY = 0.35 # seconds between API calls
CLIENT_SECRET = os.environ["CLIENT_SECRET"]
USER_ID = "41d14430-feb4-4ae2-aed6-2bd4e6384ca7"
# ============================================================
# Helpers
# ============================================================
def get_token():
"""Acquire OAuth2 token via client credentials."""
url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
cmd = [
"curl", "-s", "-X", "POST", url,
"-H", "Content-Type: application/x-www-form-urlencoded",
"-d", f"client_id={CLIENT_ID}&scope={SCOPE}&client_secret={CLIENT_SECRET}&grant_type=client_credentials"
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
data = json.loads(result.stdout)
if "access_token" not in data:
print(f"[ERROR] Token acquisition failed: {data}")
sys.exit(1)
print(f"[OK] Token acquired at {datetime.now().strftime('%H:%M:%S')}")
return data["access_token"]
# Get token
token_data = urllib.parse.urlencode({
'client_id': APP_ID,
'client_secret': CLIENT_SECRET,
'scope': 'https://graph.microsoft.com/.default',
'grant_type': 'client_credentials'
}).encode()
req = urllib.request.Request(f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token", data=token_data, method='POST')
with urllib.request.urlopen(req) as r:
token = json.loads(r.read())['access_token']
base = f'https://graph.microsoft.com/v1.0/users/{USER_ID}/contacts'
def api_get(token, url):
"""GET request to Graph API."""
cmd = [
"curl", "-s", "-X", "GET", url,
"-H", f"Authorization: Bearer {token}",
"-H", "Content-Type: application/json"
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return json.loads(result.stdout)
def patch_contact(cid, data):
body = json.dumps(data).encode()
req = urllib.request.Request(f'{base}/{cid}', data=body, method='PATCH',
headers={'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'})
with urllib.request.urlopen(req) as r:
return r.status
def delete_contact(cid):
req = urllib.request.Request(f'{base}/{cid}', method='DELETE',
headers={'Authorization': f'Bearer {token}'})
with urllib.request.urlopen(req) as r:
return r.status
def api_patch(token, contact_id, body):
"""PATCH a contact."""
url = f"{BASE_URL}/{contact_id}"
body_json = json.dumps(body)
cmd = [
"curl", "-s", "-X", "PATCH", url,
"-H", f"Authorization: Bearer {token}",
"-H", "Content-Type: application/json",
"-d", body_json
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
if result.returncode != 0:
return {"error": result.stderr}
try:
resp = json.loads(result.stdout)
except json.JSONDecodeError:
return {"error": f"Non-JSON response: {result.stdout[:200]}"}
return resp
# Fetch all contacts
url = f'{base}?$select=id,displayName,emailAddresses,companyName,businessPhones,mobilePhone,jobTitle,givenName,surname&$orderby=displayName&$top=999'
all_contacts = []
while url:
req = urllib.request.Request(url, headers={'Authorization': f'Bearer {token}'})
with urllib.request.urlopen(req) as r:
data = json.loads(r.read())
all_contacts.extend(data.get('value', []))
url = data.get('@odata.nextLink')
print(f'Total contacts: {len(all_contacts)}')
by_name = defaultdict(list)
for c in all_contacts:
name = c.get('displayName', '').strip()
if name:
by_name[name].append(c)
def api_delete(token, contact_id):
"""DELETE a contact. Returns True on success (204), False on error."""
url = f"{BASE_URL}/{contact_id}"
cmd = [
"curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
"-X", "DELETE", url,
"-H", f"Authorization: Bearer {token}"
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
code = result.stdout.strip()
return code in ("204", "200")
dupes = {k: v for k, v in by_name.items() if len(v) > 1}
print(f'Duplicate groups: {len(dupes)}')
def merge_emails(keeper, donor):
keeper_emails = set(e.get('address', '').lower() for e in keeper.get('emailAddresses', []) if e.get('address', '').strip())
new_emails = [e for e in keeper.get('emailAddresses', []) if e.get('address', '').strip()]
added = []
for e in donor.get('emailAddresses', []):
addr = e.get('address', '')
if addr.strip() and addr.lower() not in keeper_emails:
new_emails.append(e)
added.append(addr)
return new_emails, added
def is_icloud_junk(notes):
"""Check if personalNotes is iCloud/Outlook read-only junk."""
if not notes:
return True
lower = notes.lower()
# Pattern 1: contains both "read-only" and "outlook"
if "read-only" in lower and "outlook" in lower:
return True
# Pattern 2: "this contact is read-only" type text
if "this contact is read-only" in lower:
return True
# Pattern 3: Just "read-only" with "edit" or "tap" or "link" (iCloud boilerplate)
if "read-only" in lower and ("tap" in lower or "edit" in lower or "link" in lower):
return True
return False
def merge_phones(keeper, donor):
def normalize(p):
return ''.join(c for c in p if c.isdigit())[-10:]
keeper_phones = set()
for p in (keeper.get('businessPhones') or []):
keeper_phones.add(normalize(p))
if keeper.get('mobilePhone'):
keeper_phones.add(normalize(keeper['mobilePhone']))
new_phones = []
for p in (donor.get('businessPhones') or []):
if normalize(p) not in keeper_phones:
new_phones.append(p)
if donor.get('mobilePhone') and normalize(donor['mobilePhone']) not in keeper_phones:
new_phones.append(donor['mobilePhone'])
return new_phones
def normalize_phone(phone):
"""Strip non-digit characters for comparison."""
return re.sub(r'[^0-9+]', '', phone)
def is_address_empty(addr):
"""Check if an address dict is empty/null."""
if not addr or not isinstance(addr, dict):
return True
for v in addr.values():
if v and str(v).strip():
return False
return True
# ============================================================
# STEP 1: Load data and analyze notes
# ============================================================
print("=" * 70)
print("STEP 1: Load data and analyze personalNotes")
print("=" * 70)
with open(DATA_FILE, "r", encoding="utf-8") as f:
data = json.load(f)
matches = data["matches_with_extras"]
exact_matches = data.get("exact_matches", [])
print(f"[INFO] Loaded {len(matches)} matches_with_extras")
print(f"[INFO] Loaded {len(exact_matches)} exact_matches (no extras)")
# Analyze notes
notes_junk = 0
notes_real = 0
notes_none = 0
real_notes_samples = []
for m in matches:
ef = m.get("extra_fields", {})
if "personalNotes" not in ef:
notes_none += 1
continue
notes = ef["personalNotes"]
if is_icloud_junk(notes):
notes_junk += 1
else:
notes_real += 1
if len(real_notes_samples) < 10:
real_notes_samples.append({
"displayName": m["displayName"],
"notes": notes[:200]
})
print(f"\n personalNotes breakdown:")
print(f" iCloud junk: {notes_junk}")
print(f" Real content: {notes_real}")
print(f" No notes field: {notes_none}")
print(f" Total: {notes_junk + notes_real + notes_none}")
if real_notes_samples:
print(f"\n Sample real notes ({len(real_notes_samples)}):")
for i, s in enumerate(real_notes_samples):
print(f" [{i+1}] {s['displayName']}: {s['notes']}")
# ============================================================
# STEP 2: Build merge plan
# ============================================================
print("\n" + "=" * 70)
print("STEP 2: Build merge plan")
print("=" * 70)
needs_merge = []
nothing_to_merge = []
needs_fetch = [] # contacts where we need to GET current Main data (emails/phones)
field_counts = {
"personalNotes": 0,
"emailAddresses": 0,
"homePhones": 0,
"businessPhones": 0,
"companyName": 0,
"jobTitle": 0,
"homeAddress": 0,
"businessAddress": 0,
"otherAddress": 0,
"birthday": 0,
"nickName": 0,
}
for m in matches:
ef = m.get("extra_fields", {})
merge_fields = {}
requires_fetch = False
for field, value in ef.items():
if field == "personalNotes":
if not is_icloud_junk(value):
merge_fields["personalNotes"] = value
elif field == "emailAddresses":
if value: # non-empty list
merge_fields["emailAddresses"] = value
requires_fetch = True
elif field == "homePhones":
if value:
merge_fields["homePhones"] = value
requires_fetch = True
elif field == "businessPhones":
if value:
merge_fields["businessPhones"] = value
requires_fetch = True
elif field in ("companyName", "jobTitle", "nickName"):
if value and str(value).strip():
merge_fields[field] = value
elif field in ("homeAddress", "businessAddress", "otherAddress"):
if not is_address_empty(value):
merge_fields[field] = value
elif field == "birthday":
if value:
merge_fields[field] = value
# Skip any unknown fields
if merge_fields:
entry = {
"temp_id": m["temp_id"],
"main_id": m["main_id"],
"displayName": m["displayName"],
"merge_fields": merge_fields,
"requires_fetch": requires_fetch,
}
needs_merge.append(entry)
if requires_fetch:
needs_fetch.append(entry)
for fk in merge_fields:
if fk in field_counts:
field_counts[fk] += 1
else:
nothing_to_merge.append(m["displayName"])
print(f"\n Contacts needing merge: {len(needs_merge)}")
print(f" Contacts nothing to merge: {len(nothing_to_merge)}")
print(f" Contacts needing fetch: {len(needs_fetch)} (have emails/phones to append)")
print(f"\n Field merge counts:")
for fk, cnt in sorted(field_counts.items(), key=lambda x: -x[1]):
if cnt > 0:
print(f" {fk}: {cnt}")
# ============================================================
# STEP 3: Fetch current Main data for contacts needing email/phone merge
# ============================================================
print("\n" + "=" * 70)
print("STEP 3: Fetch Main contact data for email/phone merges")
print("=" * 70)
token = get_token()
fetch_count = 0
fetch_errors = 0
for entry in needs_fetch:
if fetch_count > 0 and fetch_count % 500 == 0:
token = get_token()
if fetch_count > 0 and fetch_count % 100 == 0:
print(f" [INFO] Fetched {fetch_count}/{len(needs_fetch)}...")
url = f"{BASE_URL}/{entry['main_id']}?$select=emailAddresses,homePhones,businessPhones"
resp = api_get(token, url)
time.sleep(THROTTLE_DELAY)
fetch_count += 1
if "error" in resp:
print(f" [ERROR] Fetch {entry['displayName']}: {resp['error'].get('message', resp['error'])}")
fetch_errors += 1
entry["current_main"] = None
continue
entry["current_main"] = {
"emailAddresses": resp.get("emailAddresses", []),
"homePhones": resp.get("homePhones", []),
"businessPhones": resp.get("businessPhones", []),
}
print(f"\n [OK] Fetched {fetch_count} contacts ({fetch_errors} errors)")
# ============================================================
# Build PATCH bodies
# ============================================================
print("\n" + "=" * 70)
print("STEP 3b: Build PATCH bodies")
print("=" * 70)
patches = [] # list of (main_id, displayName, patch_body, temp_id)
skipped_no_change = 0
for entry in needs_merge:
mf = entry["merge_fields"]
def do_merge(name, keeper, donor):
new_emails, added_emails = merge_emails(keeper, donor)
new_phones = merge_phones(keeper, donor)
patch = {}
# Simple fields - set directly (these are only in extra_fields if Main lacks them)
for sf in ("personalNotes", "companyName", "jobTitle", "nickName", "birthday",
"homeAddress", "businessAddress", "otherAddress"):
if sf in mf:
patch[sf] = mf[sf]
# Email addresses - need to append to existing
if "emailAddresses" in mf:
current = entry.get("current_main", {})
if current is None:
# Fetch failed, skip emails for this one
pass
else:
existing_emails = {e.get("address", "").lower() for e in current.get("emailAddresses", []) if e.get("address")}
new_emails = []
for email in mf["emailAddresses"]:
addr = email if isinstance(email, str) else email.get("address", "")
if addr.lower() not in existing_emails:
new_emails.append(addr)
if new_emails:
# Build full list: existing + new (Graph API replaces the array)
full_list = list(current.get("emailAddresses", []))
for addr in new_emails:
full_list.append({"address": addr, "name": addr})
# Graph API max 3 email addresses
patch["emailAddresses"] = full_list[:3]
# Home phones - append
if "homePhones" in mf:
current = entry.get("current_main", {})
if current is None:
pass
else:
existing_norm = {normalize_phone(p) for p in current.get("homePhones", [])}
new_phones = []
for p in mf["homePhones"]:
if normalize_phone(p) not in existing_norm:
new_phones.append(p)
if new_phones:
full_list = list(current.get("homePhones", [])) + new_phones
patch["homePhones"] = full_list[:2] # Graph API max 2
# Business phones - append
if "businessPhones" in mf:
current = entry.get("current_main", {})
if current is None:
pass
else:
existing_norm = {normalize_phone(p) for p in current.get("businessPhones", [])}
new_phones = []
for p in mf["businessPhones"]:
if normalize_phone(p) not in existing_norm:
new_phones.append(p)
if new_phones:
full_list = list(current.get("businessPhones", [])) + new_phones
patch["businessPhones"] = full_list[:2]
if added_emails:
patch['emailAddresses'] = new_emails
if new_phones:
biz = list(keeper.get('businessPhones') or []) + new_phones
patch['businessPhones'] = biz
if not keeper.get('companyName') and donor.get('companyName'):
patch['companyName'] = donor['companyName']
if not keeper.get('jobTitle') and donor.get('jobTitle'):
patch['jobTitle'] = donor['jobTitle']
if patch:
patches.append((entry["main_id"], entry["displayName"], patch, entry["temp_id"]))
status = patch_contact(keeper['id'], patch)
extras = []
if added_emails: extras.append(f"emails: {added_emails}")
if new_phones: extras.append(f"phones: {new_phones}")
if 'companyName' in patch: extras.append(f"company: {patch['companyName']}")
if 'jobTitle' in patch: extras.append(f"job: {patch['jobTitle']}")
print(f' [OK] {name}: merged {", ".join(extras)} (status {status})')
else:
skipped_no_change += 1
print(f' [OK] {name}: no new data to merge')
del_status = delete_contact(donor['id'])
print(f' Deleted duplicate (status {del_status})')
print(f" [INFO] Built {len(patches)} PATCH operations")
print(f" [INFO] Skipped {skipped_no_change} (no actual changes after dedup)")
# === EXACT DUPLICATES ===
print('\n--- EXACT DUPLICATES ---')
for name in ['Bardach, Mike', 'Brandon Lopez', 'Judi Carroll', 'Kelly Yang', 'Megan Carroll', 'Winter Williams']:
contacts = dupes[name]
for c in contacts[1:]:
try:
status = delete_contact(c['id'])
print(f' [OK] Deleted: {name} (status {status})')
except Exception as e:
print(f' [ERROR] {name}: {e}')
# ============================================================
# STEP 4: Execute PATCHes
# ============================================================
print("\n" + "=" * 70)
print("STEP 4: Execute PATCH operations")
print("=" * 70)
# === PATSY SABLE (3 copies) ===
print('\n--- Patsy Sable (3 copies) ---')
patsy = dupes['Patsy Sable']
patsy_personal = [c for c in patsy if any(e.get('address', '') == 'patsy@patsysable.com' for e in c.get('emailAddresses', []))]
patsy_work = [c for c in patsy if any(e.get('address', '') == 'psable@longrealty.com' for e in c.get('emailAddresses', []))]
if len(patsy_work) >= 2:
try:
status = delete_contact(patsy_work[1]['id'])
print(f' [OK] Deleted exact work dupe (status {status})')
except Exception as e:
print(f' [ERROR] work dupe: {e}')
if patsy_personal and patsy_work:
try:
do_merge('Patsy Sable', patsy_personal[0], patsy_work[0])
except Exception as e:
print(f' [ERROR] merge: {e}')
token = get_token()
patch_success = 0
patch_fail = 0
patch_errors_log = []
# === MERGE PAIRS ===
print('\n--- MERGE PAIRS ---')
for name in ['Barbara Bardach', 'David Rodriguez', 'Denise Newton', 'Gina Beltran',
'Jessica Bonn', 'Kayla Manley', 'Maria Anemone', 'Mark Crager',
'Paula Williams', 'Randy Bonn', 'Susan Barry']:
contacts = dupes[name]
try:
do_merge(name, contacts[0], contacts[1])
except Exception as e:
print(f' [ERROR] {name}: {e}')
for i, (main_id, name, body, temp_id) in enumerate(patches):
if i > 0 and i % 500 == 0:
token = get_token()
if i > 0 and i % 100 == 0:
print(f" [INFO] Patched {i}/{len(patches)} ({patch_success} ok, {patch_fail} fail)")
resp = api_patch(token, main_id, body)
time.sleep(THROTTLE_DELAY)
if "error" in resp:
patch_fail += 1
err_msg = resp["error"].get("message", str(resp["error"])) if isinstance(resp["error"], dict) else str(resp["error"])
patch_errors_log.append({"name": name, "main_id": main_id, "error": err_msg, "body": body})
if patch_fail <= 5:
print(f" [ERROR] {name}: {err_msg}")
else:
patch_success += 1
print(f"\n [OK] PATCH complete: {patch_success} success, {patch_fail} failures")
# ============================================================
# STEP 5: Delete ALL Temp contacts (both exact_matches and matches_with_extras)
# ============================================================
print("\n" + "=" * 70)
print("STEP 5: Delete Temp contacts")
print("=" * 70)
# Collect all temp IDs
all_temp_ids = []
for m in matches:
all_temp_ids.append((m["temp_id"], m["displayName"]))
for m in exact_matches:
all_temp_ids.append((m["temp_id"], m["displayName"]))
print(f" [INFO] Total Temp contacts to delete: {len(all_temp_ids)}")
print(f" From matches_with_extras: {len(matches)}")
print(f" From exact_matches: {len(exact_matches)}")
token = get_token()
del_success = 0
del_fail = 0
del_errors_log = []
for i, (tid, name) in enumerate(all_temp_ids):
if i > 0 and i % 500 == 0:
token = get_token()
if i > 0 and i % 200 == 0:
print(f" [INFO] Deleted {i}/{len(all_temp_ids)} ({del_success} ok, {del_fail} fail)")
ok = api_delete(token, tid)
time.sleep(THROTTLE_DELAY)
if ok:
del_success += 1
else:
del_fail += 1
del_errors_log.append({"name": name, "temp_id": tid})
if del_fail <= 5:
print(f" [ERROR] Delete {name}: failed")
print(f"\n [OK] DELETE complete: {del_success} success, {del_fail} failures")
# ============================================================
# STEP 6: Verify
# ============================================================
print("\n" + "=" * 70)
print("STEP 6: Verification")
print("=" * 70)
token = get_token()
# Count Temp folder contacts
# First find the Temp folder ID
folders_url = f"https://graph.microsoft.com/v1.0/users/{USER}/contactFolders?$filter=displayName eq 'Temp'"
folders_resp = api_get(token, folders_url)
time.sleep(THROTTLE_DELAY)
temp_count = "unknown"
if "value" in folders_resp and folders_resp["value"]:
temp_folder_id = folders_resp["value"][0]["id"]
count_url = f"https://graph.microsoft.com/v1.0/users/{USER}/contactFolders/{temp_folder_id}/contacts?$count=true&$top=1"
count_resp = api_get(token, count_url)
temp_count = count_resp.get("@odata.count", len(count_resp.get("value", [])))
# If @odata.count not available, try paging
if temp_count == 0 or isinstance(temp_count, int):
pass
else:
temp_count = len(count_resp.get("value", []))
elif "value" in folders_resp and not folders_resp["value"]:
temp_count = "Folder not found (may have been deleted)"
else:
temp_count = f"Error: {folders_resp}"
# Count Main contacts folder
main_url = f"{BASE_URL}?$top=1&$count=true"
main_resp = api_get(token, main_url)
main_count = main_resp.get("@odata.count", "unknown")
print(f" Temp folder contacts remaining: {temp_count}")
print(f" Main contacts count: {main_count}")
# ============================================================
# Save results
# ============================================================
results = {
"timestamp": datetime.now().isoformat(),
"step1_notes_analysis": {
"icloud_junk": notes_junk,
"real_content": notes_real,
"no_notes": notes_none,
},
"step2_merge_plan": {
"needs_merge": len(needs_merge),
"nothing_to_merge": len(nothing_to_merge),
"needs_fetch": len(needs_fetch),
"field_counts": field_counts,
},
"step3_fetched": {
"total": fetch_count,
"errors": fetch_errors,
},
"step4_patches": {
"total": len(patches),
"success": patch_success,
"failures": patch_fail,
"error_samples": patch_errors_log[:20],
},
"step5_deletes": {
"total": len(all_temp_ids),
"success": del_success,
"failures": del_fail,
"error_samples": del_errors_log[:20],
},
"step6_verification": {
"temp_remaining": temp_count,
"main_count": main_count,
},
}
with open(LOG_FILE, "w", encoding="utf-8") as f:
json.dump(results, f, indent=2, default=str)
print(f"\n[OK] Results saved to {LOG_FILE}")
# ============================================================
# Final summary
# ============================================================
print("\n" + "=" * 70)
print("FINAL SUMMARY")
print("=" * 70)
print(f" Notes analyzed: {notes_junk} junk / {notes_real} real / {notes_none} none")
print(f" Merges planned: {len(needs_merge)} contacts")
print(f" PATCHes sent: {len(patches)} ({patch_success} ok, {patch_fail} fail)")
print(f" DELETEs sent: {len(all_temp_ids)} ({del_success} ok, {del_fail} fail)")
print(f" Temp remaining: {temp_count}")
print(f" Main count: {main_count}")
print("=" * 70)
print('\n=== ALL DONE ===')