# Session Log: Windows Bootstrap & Recovery Toolkit (GURU-5070)

**Date:** 2026-06-06
**Mode:** infra
**Topic:** Build a full backup + bootstrap to rebuild this workstation after a clean Windows reset.

## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin

## Context

The machine became unstable ("super broken all of the sudden") and a full OS reset is
planned. Goal: preserve everything that won't return from a `git clone` (identity +
secrets + select large data), and produce a clean, less-bloated reinstall path.

## What was done

### 1. Inventory
Full read-only sweep of the environment:
- Tools/versions/paths (node 24, py 3.14, git 2.53, cargo 1.96, ollama 0.30.6, claude 2.1.x,
  gemini 0.45, grok 0.2.x, jq, sops 3.7, age 1.3, op 2.33, VS Code 1.113). **`gh` was missing.**
- Out-of-repo secrets: SOPS **age key** (`%APPDATA%\sops\age\keys.txt`), SSH keys, Claude/grok/gemini auth.
- Gitignored repo data, scheduled tasks, MCP config, ollama models, env vars, hosts file.
- Drives: **E:** FAT32 removable 14.6 GB · **F:** Ventoy exFAT 57.7 GB (26.8 GB free).

### 2. Backup (two-drive)
- **E:** redundant copy of the crown jewels (secrets + identity + config + manifests + bootstrap), ~10 MB.
- **F:** full bundle **+** `data\` 9.11 GB of large non-Gitea client/project data.
- Bundle layout: `secrets\` (age key, ssh, claude/grok/gemini auth, git config, PS profile,
  user-global `~/.claude` commands+plugins), `identity\` (identity.json, settings.local.json,
  current-mode, .mcp.json, .claude/state, ticktick tokens, dataforth oauth),
  `config\` (Windows Terminal, hosts, quote-wizard .env.production),
  `manifests\` (tools, ollama models, scheduled-task XML, user-environment.reg).
- **Age key hash-verified identical** across source/E:/F: (pubkey `age1qz7ct84...`).

### 3. Bootstrap toolkit (committed to `.claude/bootstrap/`)
- `windows-bootstrap.ps1` — 11-phase idempotent rebuild (winget core tools → AI CLIs →
  restore secrets → clone repos+submodules → restore identity → python/.NET deps →
  ollama models → scheduled tasks → optional data → verify).
- `restore-secrets.ps1` — restores home secrets + repo-local identity.
- `backup-to-bundle.ps1` — repeatable backup (re-run anytime to refresh the drives).
- `RESTORE.md` — human runbook.

### Key findings folded into the bootstrap
- **47.8 GB of Ollama models live on `D:\OllamaModels`** (OLLAMA_MODELS env). If the reset
  only wipes C:, models + repos survive — bootstrap auto-detects and skips re-download.
- Added missing tooling: **.NET 8 SDK + WiX 5** (MSI builds), **Protobuf/protoc** (gururmm
  prost builds, PROTOC env), **Poppler** (dataforth PDF pipeline), **Tailscale** (fleet mesh), **gh**.
- Env vars restored: `OLLAMA_MODELS=D:\OllamaModels`, `OLLAMA_HOST=0.0.0.0:11434`, `PROTOC` (resolved live).
- **Ollama model set trimmed** to the proper two for a 12 GB-VRAM laptop: `nomic-embed-text`
  (GrepAI) + `qwen3:8b` (prose_model). Heavy `qwen3.6:latest`/`codestral:22b`/`qwen3:14b` are opt-in.
- **Radio-show MP3s excluded** from backup (they live on IX Web Hosting).

### Notes / gotchas
- `D:\work\gururmm` remote URL embeds the shared Gitea password in plaintext — rebuild uses
  Windows Credential Manager instead (flagged in RESTORE.md and machines/guru-5070.md).
- Reset scope (C: only vs whole disk) is unknown → backup assumes worst case, safe either way.
- Created `machines/guru-5070.md` (the only prior profile, `acg-guru-5070.md`, documents the
  old CachyOS install on the same Lenovo Legion Pro 7 hardware).

## State at end of session
- E: and F: recovery bundles complete and verified.
- Bootstrap toolkit committed to repo (3rd copy, fleet-reusable).
- Part 2 (the actual reset + rebuild) pending — driven by `F:\claudetools-recovery\bootstrap\windows-bootstrap.ps1`.

## At-risk WIP rescued (addendum)

Checked the GuruRMM/GuruConnect repos for local-only work a reset would destroy.
All committed code was already pushed (every submodule HEAD is on origin), but found
uncommitted WIP and preserved it to `at-risk-work\` on both E: and F:

- **guru-rmm** (3 stashes, exported as patches): `stash@{0}` +119 lines `docs/FEATURE_ROADMAP.md`;
  `stash@{1}` `CONTEXT.md`; `stash@{2}` `agent/Dockerfile` + `docs/unraid-ca-template.xml`.
- **guru-connect**: untracked `tmp-spec018.diff` (54 KB; `agent/src/install.rs` + more).
- `D:\work\gururmm`: only a local deletion of a legacy file still on remote — no loss.

Original stashes left intact (not dropped). Added `restore-at-risk-work.ps1` and wired it
into bootstrap Phase 6: on rebuild it re-applies the guru-rmm patches **back as stashes**
(LIFO order preserved) and drops the guru-connect diff back as its untracked file. Patches
that won't apply cleanly are reported and left for manual `git apply --3way`.

## Follow-ups
- When ready to reset: run the bootstrap from the drive; verify vault decrypts via
  `vault.sh get-field projects/claudetools/database.sops.yaml credentials.password`.
- Re-auth interactive logins if tokens expired (claude /login, gh, op, gemini, grok).