claudetools/.claude/memory/MEMORY.md
Howard Enos 4cc10fa0f4 sync: auto-sync from HOWARD-HOME at 2026-06-02 20:16:41
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-02 20:16:41
2026-06-02 20:16:51 -07:00


Memory Index

Reference

  • ACG resource map — READ THIS FIRST when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
  • GURU-5070 Rust toolchain — GURU-5070 now has cargo + MSVC + protoc; build/clippy/test guru-connect LOCALLY (set PROTOC to the winget path) instead of the build host. CI only clippy-checks the Linux server, not the Windows agent.
  • ACG Office Network Infrastructure — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage.
  • Power Failure Runbook — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
  • Syncro API — Invoice Verification Pattern — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
  • Approval Workflow: Tools vs Projects — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval; features→roadmap, bugs→bug list.
  • Community Forum (Flarum) — Flarum forum at community.azcomputerguru.com, API access, database, posting workflow.
  • Radio Show Website — Astro static site at radio.azcomputerguru.com on IX server.
  • IX Server Access — ix.azcomputerguru.com / 172.16.3.10. Reachable when Tailscale is on (no VPN). SSH currently uses sshpass with root password; key auth from GURU-5070 not configured yet (was CachyOS, now Win11 — verify).
  • Matomo Analytics — Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites.
  • TickTick Integration — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD.
  • Client Docs Structure — clients//docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/.
  • MSP Audit Scripts — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/.
  • Pluto Build Server — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized.
  • Coord /messages API shape — GET /api/coord/messages returns {total,skip,limit,messages[]} NOT a bare array; parse .messages[], strip control chars, read flag may be null.
  • Gitea API credential — Gitea API (PRs/merges) as howard uses services/gitea-howard.sops.yaml password on internal http://172.16.3.20:3000; NOT the gururmm-server SSH password.
  • Gitea Internal API Access — git.azcomputerguru.com is NOT behind Cloudflare — it's the office Cox IP NAT'd to NPM (openresty) on Jupiter. Prefer internal 172.16.3.20:3000 for reliability (bypasses NPM SSL-renewal reload blips).
  • Gitea git-op latency — SSH (.20:2222) is SLOWEST (~1.5s); internal HTTP+token ~0.55s; SOPS lookup only ~0.33s. Don't switch to SSH for speed. Gitea SSH is .20:2222 (API ssh_url .21 is wrong).
  • GuruRMM technical reference — Server (172.16.3.30) layout + downloads dir /var/www/gururmm/downloads + .channel sidecar rollout control (stable/beta) + privileged server access via the server's OWN root RMM agent (hostname gururmm, no SSH needed; plink fallback) + API + context=user_session (WTS impersonation) + build-pipeline vendoring at deploy/build-pipeline/ + Linux agent systemd sandbox trap.
  • Trebesch DESKTOP-QNP3ON5 shell replacement — AT Trebesch box runs an Explorer shell replacement; explorer.exe owner check returns blank — use Win32_ComputerSystem.UserName. GuruRMM SWIFT-LION-2892.

Users

  • Howard Enos — Mike's brother, technician, full access. Machines: ACG-TECH03L, Howard-Home (authoritative in users.json).
  • Mike — font preference — Mike prefers Lucida Console for monospace UI.

Feedback

  • Scheduling = coord todo, not schedulers — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks.
  • Attribution is read, never inferred — Who-did-what (user+machine) comes ONLY from identity.json + users.json + git authorship. Never infer from hostname patterns, the userEmail hint, or memory. The "5070" box is Mike's. sync.sh reconciles git config to identity.json; /save renders the User block via whoami-block.sh.
  • D2TESTNAS SSH Access — Use root@192.168.0.9 with Paper123!@#, not sysadmin.
  • Bypass Permissions Setting — Set permissions.defaultMode to bypassPermissions in settings.json on all machines.
  • 365 Remediation Tool — "remediation tool" = tiered ComputerGuru app suite via /remediation-tool; NOT CIPP, NOT the deprecated fabb3421.
  • CA managed programmatically (with discipline) — Conditional Access CAN be written via Tenant Admin app; ALWAYS report-only first + exclude break-glass + confirm before enforcing. Overrides old "CA manual" rule.
  • Ollama Tier-0 Routing — Route drafts/summaries/classifications through Ollama (qwen3:14b). Mike designed ClaudeTools this way — not optional.
  • /save writes narrative directly — No Ollama for /save; write all sections inline — too slow.
  • Identity precedence — Trust .claude/identity.json over the system-reminder userEmail hint when they disagree (shared-login machines).
  • 1Password — always use service token — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every op call. Desktop-app integration prompts are unacceptable in agent flows.
  • Point vault-access teammates at SOPS path — When relaying infra/credential info to Howard or other vault-access teammates, hand over the SOPS path + key anchors; don't transcribe the entry's fields into the message.
  • /tmp path mismatch on Windows — Write tool and Git Bash resolve /tmp to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl.
  • SQL instance role — verify by connections, not name — Standard installed under default SQLEXPRESS instance name is real. Prove role with sys.dm_exec_sessions + Get-NetTCPConnection -OwningProcess before recommending stop/uninstall.
  • Clear-RecycleBin fails silently as SYSTEM — RMM-dispatched cleanup scripts cannot use Clear-RecycleBin -Force; the cmdlet uses Shell COM and silently no-ops without an interactive desktop. Enumerate C:\$Recycle.Bin\<SID>\* directly.
  • Graph CA policy reads are eventually consistent — After PATCHing a CA policy (204), wait ~5s before GET-verifying; immediate reads can be stale.
  • Graph password reset needs a privileged role — PATCH passwordProfile on an existing user 403s without a directory role; User.ReadWrite.All alone only sets a password at CREATE.
  • Vault writes — do the full sequence yourself — A vault entry = write plaintext → sops -e -i → git add/commit/push, all of it; don't stop at "encrypted on disk."
  • Syncro is the default PSA; Autotask is opt-in — Ticketing/billing/customers default to Syncro (/syncro). Only use /autotask on an explicit "in Autotask" request. /autotask kept local/undistributed.
  • Paste-safe command formatting (Howard) — Two clauses, one root cause: (a) multi-line scripts not semicolon one-liners (wrap breaks paste), (b) all code at column 0 inside fences (indentation breaks PowerShell paste).
  • Autonomous infra/build setup — During infra/build/CI/dev setup, just install prerequisites and push through routine steps; reserve check-ins for genuine decisions (forks, destructive/outward, client/prod).
  • Check patterns before asking — Before asking how to do something repeat-style (sync, save, sweep, billing), study existing artifacts and workflow docs first; reach for similar past artifacts as the template.
  • Pricing verification — no guessing — ANY cost presented to the team or a client MUST be verified via live web lookup (WebFetch/WebSearch, fallback to headless Chrome). Never estimate from training data. Cite source + date inline. If unreachable, say so — do NOT substitute a guess.
  • Client communication tone — How to write client-facing Syncro comments — expert partner, not intake questionnaire.
  • Add Mike as owner on all Entra apps — Apps created via management SP have no user owner — must add Mike manually or publisher verification fails.
  • No TOML/config file approach for endpoints — User explicitly prohibits TOML or config-file-based endpoint configuration — this will never be approved.
  • Python on Windows — use py launcher — Windows Store python/python3 aliases disabled; always use py or jq on DESKTOP-0O8A1RL.
  • Memory tooling may delete now — additive-only constraint dropped — As of 2026-06-02, memory-dream and sync-memory.sh are sanctioned to perform destructive ops (apply proposed merges/dedups, propagate repo deletions back to harness profile stores). Onboarding-phase safety net now fights deliberate consolidation (e.g. 2026-06-01's 39 deletions resurrected on the next sync). Script updates pending.
  • Unsaved sessions are recoverable from transcripts — Crashed/closed-before-save sessions live in ~/.claude/projects/<slug>/*.jsonl; the detector auto-recovers orphans, /recover <uuid> does it manually. Ollama prose + Python verbatim. See .claude/RECOVERY.md.

Syncro

  • Syncro API plumbing — Content-Type required on all POST/PUT; NO idempotency anywhere — always GET before retrying; response wrappers (.ticket.id, .comment.id); add_line_item shape (internal ID, flat response, required fields); HTML uses <br> not <ul>/<li>; timer_entry response is FLAT but SUPERSEDED (use add_line_item).
  • Syncro billing rules — Bill with add_line_item directly (not timers); fetch rates LIVE; never invent labor names (real product names only); match labor type to delivery channel (never "Prepaid project labor"); labor taxable:false (AZ); warranty 1049360 (never patch price); emergency 26184 ×1.5 once, branch by prepay_hours; corrections preserve original tech's user_id; estimate hardware 32252.
  • Syncro workflow rules — ALWAYS preview comments before posting (no exceptions); verify appointment day-of-week ("Saturday 2026-05-23") before creating; ASK who the appointment owner is; leave contact_id BLANK by default for ALL customers (ignore Syncro's contact-picker auto-default).
  • Syncro lessons / incident archive — Detail behind the three rule files: tickets (#32332, #32312, #32225, #32253, #32203, #32185, #32142, #32304, #32333), verbatim Mike/Howard/Winter quotes, dates, tech user_id table (Mike 1735 / Howard 1750 / Winter 1737 / Rob 1760), labor product table, and superseded-rule history.

GuruRMM

  • GuruRMM operational rules — Six rules: (1) RMM dev = Mike, never Howard (368/0 commits); GuruScan is Howard's. (2) Agent parity Win+Linux+macOS in same change. (3) Builds via Gitea webhook pipeline only, never SSH. (4) #bot-alerts only for client/ticket impact, skip internal infra/dev. (5) Identify agents by IP, not by reconning candidates. (6) UNC paths in user_session need [char]92 — literals get halved.
  • Build channel default = beta — New agent builds must be tagged BETA by default (stable = explicit promote re-tag); distinct from agents defaulting to the stable CHANNEL (correct). Fixed build-windows/linux.sh 2026-06-01; macOS already correct. Enables beta-first canary.
  • Dashboard beta-first deploy — Dashboard auto-builds to rmm-beta.azcomputerguru.com on push; prod (rmm.azcomputerguru.com) is explicit promote-only via promote-dashboard.sh --confirm. Never hand-rsync prod. One artifact, nginx sub_filter BETA banner. Stood up 2026-06-02.

Cascades

  • Cascades operational rules — Two active rules: (1) folder redirection (fdeploy) needs subfolders PRE-CREATED before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1. (2) ALWAYS ask which security group(s) a new user goes into — never auto-derive from OU.

Machine

  • GURU-5070 Workstation Setup — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's.
  • GURU-BEAST-ROG Setup Status — Windows workstation fully configured except SSH key deployment to servers.

Project

  • Automate memory consolidation/lint (phased) — Eventually auto-run /memory-dream; lint+additive fixes can automate early, merges/deletes stay human-approved. Engine: .claude/skills/memory-dream/ + .claude/scripts/sync-memory.sh.
  • Trebesch PST consolidation (staged) — Address-book CSV from 24 PSTs on DESKTOP-QNP3ON5; scripts staged at .claude/tmp/treb-*.ps1, WAITING for Howard's 6pm-MST 2026-06-01 go signal (attended run). See reference_trebesch_qnp3on5.
  • GuruRMM project state — Dev principles (every feature full-stack: backend+API+UI+docs+scalability; product works without AI; FEATURE_ROADMAP update is part of definition-of-done; mirrors guru-rmm/docs/DESIGN.md). Webhook docs-only build guard (SPEC-020 Phase 0; webhook-handler.py repo copy is STALE — don't redeploy). Mac install-hooks.sh setup STILL PENDING on Mikes-MacBook-Air.
  • GuruConnect — v2 direction (native-first full key fidelity Win+R/Ctrl+Alt+Del + bidirectional file cut/paste/drag; WebRTC fallback only; standalone-first + RMM contract; tenancy-ready schema; Mike willing to scrap v1). Manual deploy procedure to 172.16.3.30 (build-on-server in login shell; sqlx runtime queries; NPM CONNECT_TRUSTED_PROXIES=172.16.3.20 gotcha). v2 live since 2026-05-30.
  • Apple MDM + Developer certs (GuruRMM mobile) — ACG holds Apple Developer+signing and Apple MDM Push certs (acquired 2026-05-29) for SPEC-017. MDM push cert RENEWS ANNUALLY on the same Apple ID or all enrolled iOS devices break.
  • Only RMM & GC are versionable products — GuruRMM + GuruConnect are the only products with own repos/submodules; everything else stays in the claudetools monorepo. Split only for independent pipeline OR versioned external consumer.
  • Quantum GoDaddy M365 tenant — quantumwms.com parked in a GoDaddy-provisioned M365 tenant (id ddf3d2c9-b76c-40d9-a216-9f11a1a26f97, netorg18235235.onmicrosoft.com); blocks Pax8 migration until GoDaddy removed.
  • Cascades — Active state: Syncro ticket #110680053 + plan file (machine-specific path on Howard's box), admin accounts (sysadmin@=Howard, admin@=Mike — daily-driver, NOT break-glass), Phase-B caregiver CA pilot (SG-Caregivers-Pilot, group-scoped never tenant-wide), prepaid block ~37.5h (rate TBD), pilot cleanup checklist.
  • Cascades history — fdeploy 502/ACL root cause (Flags=1211→187 fix), 2026-04-29 CA-rescoping decision (Howard pulled the brakes on tenant-wide), 2026-05-14 per-user-security-group decision rationale.
  • Sync script bug — untracked files (RESOLVED) — FIXED 2026-05-21: sync.sh now uses git status --porcelain for change detection (repo + vault).
  • MasterBooter Side Project — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
  • Audio Processor Architecture — Segment-first pipeline: detect breaks before transcription for complete content capture.
  • Neptune SBR Email Routing Setup — Full SBR routing chain, config file locations, MailProtector integration, access methods. Treat routing breakage as systemic (devcon, Sorensen/rieussetcorp), not per-client.
  • Dataforth Test Datasheet Pipeline — Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
  • Dataforth — M365 email (Graph API; tenant in vault at clients/dataforth/m365.sops.yaml); neptune.acghosting.com is ACG's, NOT Dataforth's. MFA enforced 2026-04-04 (3 CA policies). AJ needs dataforthgit@ forwarding.
  • Dataforth history (2026-03-27 incident) — DF-JOEL2 compromise via ScreenConnect social-engineering, attacker C2 IPs + IC3 case + remediation log + MFA rollout origin story + Joel Lohr retirement. RESOLVED 2026-04-04.
  • Radio show co-host — Tara, not Tom — Co-host in 2014-s6e19 and 2016-s8e43 is Tara. "Tom" was hallucinated; rename complete.
  • Proposal: centralize config in identity.json — Rationale for the identity.json machine-config centralization (claudetools_root, ollama/python); now implemented.
  • ACG MSP tool stack — ScreenConnect/CW Control, Splashtop, Syncro, Datto RMM, Datto EDR/AV, GuruRMM are ACG's OWN tools; do not flag as foreign/threat on managed machines (Defender-off is expected when Datto AV is active).
  • ACG Website Hosting — azcomputerguru.com is hosted on IX Web Hosting via cPanel.
  • jq on Windows emits CRLF — winget jq outputs CRLF; trailing \r silently breaks for x in $(jq ...) loops + read-from-@tsv. Override jq(){ command jq "$@"|tr -d '\r'; }. Windows-build-specific (passes on Mac/Linux).
  • ScreenConnect RESTful API auth — CTRLAuthHeader = raw api_secret (no Basic/b64) + Origin header; only method is GetSessionsByName; matches blank-for-agents Name field so it cannot enumerate full inventory.