claudetools/projects/msp-tools/security-assessment/DEPLOY.md
Mike Swanson 260be8c2ad security.azcomputerguru.com: scaffold the client security-assessment intake app
New MSP tool — single-assessor consult intake. Stack: PHP + MySQL on the IX cPanel
host, gated by Cloudflare Access (only mike@azcomputerguru.com; app re-checks the
Cf-Access-Authenticated-User-Email header).

- app/questions.json — risk-ordered question framework (9 sections); each field tagged
  source=syncro/rmm/scan/ask so the consult asks only what a human knows and the
  post-meeting scan fills the technical reality.
- app/index.php — wizard UI: Syncro phone lookup -> prefill, section rail with live
  progress, importance-colored question cards, in-meeting 365/Google consent links,
  review + export.
- app/api.php — Syncro lookup-by-phone, save/load/list, consent-URL generation (reuses
  the read-only Security Investigator app bfbc12a4-...), HTML export.
- app/schema.sql, config.sample.php, DEPLOY.md, README.md.

Consent links let the client approve read-only 365/Google access during the consult so
the audit scan runs afterward. Read-only by design (reads Syncro, generates consent; no
tenant writes).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 14:20:05 -07:00


Deploy — security.azcomputerguru.com

1. cPanel / WHM (IX server, 172.16.3.10)

  • Create subdomain security.azcomputerguru.com (docroot e.g. /home/<acct>/security).
  • Create MySQL DB acgsec_assess + user acgsec_app, grant all on the DB. Vault the password (msp-tools/security-assessment-db). Import app/schema.sql.
  • Upload app/* to the docroot. cp config.sample.php config.php and fill secrets (DB pass + Mike's Syncro key from vault msp-tools/syncro-mike).

2. Cloudflare DNS + Access

  • DNS: security A/CNAME -> the IX origin, proxied (orange cloud).
  • Zero Trust > Access > Applications: add self-hosted app for security.azcomputerguru.com, policy = Allow, include mike@azcomputerguru.com (require MFA). Everyone else blocked. The app reads Cf-Access-Authenticated-User-Email as a second check.
  • 365: register redirect URI https://security.azcomputerguru.com/consent-callback.php on the Security Investigator app (bfbc12a4-...). Admin-consent link is generated per-tenant in-app.
  • Google: create a Workspace read-only OAuth client, set GOOGLE_CLIENT_ID + redirect; scopes are in config. (Stubbed until created.)
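The "second check" in step 2 is the one piece of this procedure that lives in code rather than in a console, so here is an added example of how that gate can be written. It is not the app's own code: the function names, the constant, and the JWT helper are assumptions; the header names and the JWKS URL pattern are Cloudflare's. The point a reviewer would raise is that the email header is only as trustworthy as the path to the origin: if the cPanel host can be reached directly (bypassing Cloudflare), anyone can set that header themselves, so the origin should accept only Cloudflare traffic (Authenticated Origin Pulls or an IP allow-list) and the app should ideally verify the signed Cf-Access-Jwt-Assertion as well.

```php
<?php
// Added example (not code from the security-assessment app). Assumptions:
// the allow-list, the function names and the audience-tag parameter.
declare(strict_types=1);

// The only identity the Access policy in step 2 allows (from DEPLOY.md).
const ALLOWED_EMAILS = ['mike@azcomputerguru.com'];

/**
 * App-side identity check behind Cloudflare Access.
 * $server is $_SERVER (passed in so the function can be exercised from the CLI).
 * Returns the normalized email on success, or null when the request must get a 403.
 */
function access_identity(array $server, array $allowed = ALLOWED_EMAILS): ?string
{
    // Cloudflare sets Cf-Access-Authenticated-User-Email once the policy passes;
    // PHP exposes it as HTTP_CF_ACCESS_AUTHENTICATED_USER_EMAIL.
    $email = strtolower(trim($server['HTTP_CF_ACCESS_AUTHENTICATED_USER_EMAIL'] ?? ''));
    if ($email === '') {
        return null; // no Access identity at all: did not come through Access
    }
    foreach ($allowed as $candidate) {
        // hash_equals: strict string compare without timing leaks
        if (hash_equals(strtolower($candidate), $email)) {
            return $email;
        }
    }
    return null;
}

/**
 * Cheap plausibility check on the Cf-Access-Jwt-Assertion token that Cloudflare
 * sends alongside the email header: the aud claim must contain the Access
 * application's audience tag and exp must be in the future. This does NOT verify
 * the signature; the full check validates the RS256 signature against the team's
 * JWKS at https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs, which is
 * best left to a JWT library.
 */
function access_jwt_claims_plausible(string $jwt, string $expectedAud, int $now): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    // base64url -> base64, re-pad, strict decode
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    $payload = is_string($raw) ? json_decode($raw, true) : null;
    if (!is_array($payload)) {
        return false;
    }
    $aud = (array) ($payload['aud'] ?? []);
    return in_array($expectedAud, $aud, true)
        && isset($payload['exp']) && is_int($payload['exp']) && $payload['exp'] > $now;
}

// Gate at the top of index.php / api.php (skipped when run from the CLI):
if (PHP_SAPI !== 'cli') {
    $who = access_identity($_SERVER);
    if ($who === null) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Wire `access_jwt_claims_plausible()` in only after the origin is locked to Cloudflare; on its own it adds nothing an attacker with direct origin access could not forge, and a 403 from the app is a useful signal to log either way.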

Notes

  • Read-only by design: the app only reads Syncro and generates consent links. No tenant writes.
  • Post-meeting scan consumes the export + the granted 365/Google consent to run the audit.
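Step 2 registers consent-callback.php as the redirect URI and says the admin-consent link is generated per tenant in-app. As an added example that is not the app's code, here is one way to build that link and check the callback so a response the app never initiated is rejected. The Security Investigator app id is truncated on the page, so a labelled placeholder stands in for it; the function names and the state-tracking shape are assumptions; the endpoint and query parameters are Microsoft's documented v2.0 admin-consent endpoint.

```php
<?php
// Added example (not the app's own code). Assumptions: function names,
// the placeholder client id, the server-side $issued map of state => tenant.
declare(strict_types=1);

// PLACEHOLDER: the real id is shown truncated ("bfbc12a4-...") in DEPLOY.md.
const CONSENT_CLIENT_ID = 'bfbc12a4-0000-0000-0000-000000000000';
// Redirect URI registered on the Security Investigator app (from DEPLOY.md step 2).
const CONSENT_REDIRECT  = 'https://security.azcomputerguru.com/consent-callback.php';

/**
 * Build the Entra ID admin-consent URL for one customer tenant.
 * $tenant: tenant GUID or a verified domain; $state: an unguessable token the app
 * has already stored server-side so the callback can be tied back to this request.
 */
function admin_consent_url(string $tenant, string $state,
                           string $scope = 'https://graph.microsoft.com/.default'): string
{
    if (!preg_match('/^(?:[0-9a-f-]{36}|[a-z0-9.-]+\.[a-z]{2,})$/i', $tenant)) {
        throw new InvalidArgumentException('tenant must be a GUID or a domain');
    }
    $query = http_build_query([
        'client_id'    => CONSENT_CLIENT_ID,
        'scope'        => $scope,          // read-only Graph permissions are on the app registration
        'redirect_uri' => CONSENT_REDIRECT,
        'state'        => $state,
    ], '', '&', PHP_QUERY_RFC3986);
    return 'https://login.microsoftonline.com/' . rawurlencode($tenant)
        . '/v2.0/adminconsent?' . $query;
}

/** Fresh CSPRNG state token; persist it (with the tenant it was issued for) before redirecting. */
function new_consent_state(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Callback-side check. $query is $_GET on consent-callback.php; $issued maps
 * state => tenant as stored when the link was generated. Returns the tenant id
 * Microsoft reports (the `tenant` parameter) on success, null otherwise.
 */
function consent_callback_tenant(array $query, array $issued): ?string
{
    $state = (string) ($query['state'] ?? '');
    if ($state === '' || !isset($issued[$state])) {
        return null; // unknown state: not a response to a link this app issued
    }
    if (($query['admin_consent'] ?? '') !== 'True') {
        return null; // consent declined or error response
    }
    $tenant = (string) ($query['tenant'] ?? '');
    return preg_match('/^[0-9a-f-]{36}$/i', $tenant) ? $tenant : null;
}
```

Treat each state token as single-use: delete it from the store once the callback has been handled, so a replayed callback URL cannot mark a tenant as consented a second time.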