claudetools/.claude/memory/MEMORY.md

Memory Index

Reference

• ACG resource map — READ THIS FIRST when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
• GURU-5070 Rust toolchain — GURU-5070 now has cargo + MSVC + protoc; build/clippy/test guru-connect LOCALLY (set PROTOC to the winget path) instead of the build host. CI only clippy-checks the Linux server, not the Windows agent.
• ACG Office Network Infrastructure — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage.
• Power Failure Runbook — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
• Syncro API — Invoice Verification Pattern — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
• Approval Workflow: Tools vs Projects — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval; features→roadmap, bugs→bug list.
• Community Forum (Flarum) — Flarum forum at community.azcomputerguru.com, API access, database, posting workflow.
• Radio Show Website — Astro static site at radio.azcomputerguru.com on IX server.
• IX Server Access — ix.azcomputerguru.com / 172.16.3.10. Reachable when Tailscale is on (no VPN). SSH currently uses sshpass with root password; key auth from GURU-5070 not configured yet (was CachyOS, now Win11 — verify).
• Matomo Analytics — Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites.
• TickTick Integration — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD.
• Client Docs Structure — clients//docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/.
• MSP Audit Scripts — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/.
• Pluto Build Server — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized.
• Coord /messages API shape — GET /api/coord/messages returns {total,skip,limit,messages[]} NOT a bare array; parse .messages[], strip control chars, read flag may be null.
• Gitea API credential — Gitea API (PRs/merges) as howard uses services/gitea-howard.sops.yaml password on internal http://172.16.3.20:3000; NOT the gururmm-server SSH password.
• Gitea Internal API Access — git.azcomputerguru.com is NOT behind Cloudflare — it's the office Cox IP NAT'd to NPM (openresty) on Jupiter. Prefer internal 172.16.3.20:3000 for reliability (bypasses NPM SSL-renewal reload blips).
• Gitea git-op latency — SSH (.20:2222) is SLOWEST (~1.5s); internal HTTP+token ~0.55s; SOPS lookup only ~0.33s. Don't switch to SSH for speed. Gitea SSH is .20:2222 (API ssh_url .21 is wrong).
• GuruRMM technical reference — Server (172.16.3.30) layout + downloads dir /var/www/gururmm/downloads + .channel sidecar rollout control (stable/beta) + privileged server access via the server's OWN root RMM agent (hostname gururmm, no SSH needed; plink fallback) + API + context=user_session (WTS impersonation) + build-pipeline vendoring at deploy/build-pipeline/ + Linux agent systemd sandbox trap.
• Trebesch DESKTOP-QNP3ON5 shell replacement — AT Trebesch box runs an Explorer shell replacement; explorer.exe owner check returns blank — use Win32_ComputerSystem.UserName. GuruRMM SWIFT-LION-2892.
• Dataforth Contact - AJ -- AJ at Dataforth - email forwarding setup needed for dataforthgit@ address
• GuruRMM API — run PowerShell on any agent -- API endpoints, auth flow, and curl recipe to execute a script on any GuruRMM agent and retrieve output. Use this instead of asking user to paste script into ScreenConnect.
• reference_gururmm_pipeline_vendored -- GuruRMM build-pipeline scripts are now version-controlled at deploy/build-pipeline/ in the gururmm repo (2026-06-01); build-shared.sh auto-syncs them to /opt/gururmm each build, so edit-in-repo + push = live — EXCEPT build-shared.sh + webhook-handler.py, which need a manual cp.
• GuruRMM Server Layout -- SSH user, home directory, and deploy paths on 172.16.3.30
• gururmm-user-session-context -- GuruRMM commands accept context=user_session (migration 041) to run as the active logged-on user via WTS impersonation — executes previously-interactive-only commands that fail as SYSTEM with "NonInteractive mode
• IX Server Access via Tailscale -- IX server (ix.azcomputerguru.com) is accessible with Tailscale on, no VPN needed
• IX Server SSH Access -- SSH access notes for IX server - key auth not set up on GURU-5070 (was CachyOS), must use sshpass with password
• reference_rmm_agent_runs_in_systemd_sandbox -- Commands dispatched via the GuruRMM agent execute INSIDE the agent's systemd sandbox (ProtectSystem=strict) — fs/mount observations reflect the agent's private namespace, NOT the host. For host truth, SSH directly or read /proc//mountinfo.

Users

• Howard Enos — Mike's brother, technician, full access. Machines: ACG-TECH03L, Howard-Home (authoritative in users.json).
• Mike — font preference — Mike prefers Lucida Console for monospace UI.

Feedback

• Scheduling = coord todo, not schedulers — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks.
• Attribution is read, never inferred — Who-did-what (user+machine) comes ONLY from identity.json + users.json + git authorship. Never infer from hostname patterns, the userEmail hint, or memory. The "5070" box is Mike's. sync.sh reconciles git config to identity.json; /save renders the User block via whoami-block.sh.
• D2TESTNAS SSH Access — Use root@192.168.0.9 with Paper123!@#, not sysadmin.
• Bypass Permissions Setting — Set permissions.defaultMode to bypassPermissions in settings.json on all machines.
• 365 Remediation Tool — "remediation tool" = tiered ComputerGuru app suite via /remediation-tool; NOT CIPP, NOT the deprecated fabb3421.
• CA managed programmatically (with discipline) — Conditional Access CAN be written via Tenant Admin app; ALWAYS report-only first + exclude break-glass + confirm before enforcing. Overrides old "CA manual" rule.
• Ollama Tier-0 Routing — Route drafts/summaries/classifications through Ollama (qwen3:14b). Mike designed ClaudeTools this way — not optional.
• /save writes narrative directly — No Ollama for /save; write all sections inline — too slow.
• Identity precedence — Trust .claude/identity.json over the system-reminder userEmail hint when they disagree (shared-login machines).
• 1Password — always use service token — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every op call. Desktop-app integration prompts are unacceptable in agent flows.
• Point vault-access teammates at SOPS path — When relaying infra/credential info to Howard or other vault-access teammates, hand over the SOPS path + key anchors; don't transcribe the entry's fields into the message.
• /tmp path mismatch on Windows — Write tool and Git Bash resolve /tmp to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl.
• SQL instance role — verify by connections, not name — Standard installed under default SQLEXPRESS instance name is real. Prove role with sys.dm_exec_sessions + Get-NetTCPConnection -OwningProcess before recommending stop/uninstall.
• Clear-RecycleBin fails silently as SYSTEM — RMM-dispatched cleanup scripts cannot use Clear-RecycleBin -Force; the cmdlet uses Shell COM and silently no-ops without an interactive desktop. Enumerate C:\$Recycle.Bin\<SID>\* directly.
• Graph CA policy reads are eventually consistent — After PATCHing a CA policy (204), wait ~5s before GET-verifying; immediate reads can be stale.
• Graph password reset needs a privileged role — PATCH passwordProfile on an existing user 403s without a directory role; User.ReadWrite.All alone only sets a password at CREATE.
• Vault writes — do the full sequence yourself — A vault entry = write plaintext → sops -e -i → git add/commit/push, all of it; don't stop at "encrypted on disk."
• Syncro is the default PSA; Autotask is opt-in — Ticketing/billing/customers default to Syncro (/syncro). Only use /autotask on an explicit "in Autotask" request. /autotask kept local/undistributed.
• Paste-safe command formatting (Howard) — Two clauses, one root cause: (a) multi-line scripts not semicolon one-liners (wrap breaks paste), (b) all code at column 0 inside fences (indentation breaks PowerShell paste).
• Autonomous infra/build setup — During infra/build/CI/dev setup, just install prerequisites and push through routine steps; reserve check-ins for genuine decisions (forks, destructive/outward, client/prod).
• Check patterns before asking — Before asking how to do something repeat-style (sync, save, sweep, billing), study existing artifacts and workflow docs first; reach for similar past artifacts as the template.
• Pricing verification — no guessing — ANY cost presented to the team or a client MUST be verified via live web lookup (WebFetch/WebSearch, fallback to headless Chrome). Never estimate from training data. Cite source + date inline. If unreachable, say so — do NOT substitute a guess.
• Client communication tone — How to write client-facing Syncro comments — expert partner, not intake questionnaire.
• Add Mike as owner on all Entra apps — Apps created via management SP have no user owner — must add Mike manually or publisher verification fails.
• No TOML/config file approach for endpoints — User explicitly prohibits TOML or config-file-based endpoint configuration — this will never be approved.
• Python on Windows — use py launcher — Windows Store python/python3 aliases disabled; always use py or jq on DESKTOP-0O8A1RL.
• Unsaved sessions are recoverable from transcripts — Crashed/closed-before-save sessions live in ~/.claude/projects/<slug>/*.jsonl; the detector auto-recovers orphans, /recover <uuid> does it manually. Ollama prose + Python verbatim. See .claude/RECOVERY.md.

Syncro

• Syncro API plumbing — Content-Type required on all POST/PUT; NO idempotency anywhere — always GET before retrying; response wrappers (.ticket.id, .comment.id); add_line_item shape (internal ID, flat response, required fields); HTML uses <br> not <ul>/<li>; timer_entry response is FLAT but SUPERSEDED (use add_line_item).
• Syncro billing rules — Bill with add_line_item directly (not timers); fetch rates LIVE; never invent labor names (real product names only); match labor type to delivery channel (never "Prepaid project labor"); labor taxable:false (AZ); warranty 1049360 (never patch price); emergency 26184 ×1.5 once, branch by prepay_hours; corrections preserve original tech's user_id; estimate hardware 32252.
• Syncro workflow rules — ALWAYS preview comments before posting (no exceptions); verify appointment day-of-week ("Saturday 2026-05-23") before creating; ASK who the appointment owner is; leave contact_id BLANK by default for ALL customers (ignore Syncro's contact-picker auto-default).
• Syncro lessons / incident archive — Detail behind the three rule files: tickets (#32332, #32312, #32225, #32253, #32203, #32185, #32142, #32304, #32333), verbatim Mike/Howard/Winter quotes, dates, tech user_id table (Mike 1735 / Howard 1750 / Winter 1737 / Rob 1760), labor product table, and superseded-rule history.

GuruRMM

• GuruRMM operational rules — Six rules: (1) RMM dev = Mike, never Howard (368/0 commits); GuruScan is Howard's. (2) Agent parity Win+Linux+macOS in same change. (3) Builds via Gitea webhook pipeline only, never SSH. (4) #bot-alerts only for client/ticket impact, skip internal infra/dev. (5) Identify agents by IP, not by reconning candidates. (6) UNC paths in user_session need [char]92 — literals get halved.
• Build channel default = beta — New agent builds must be tagged BETA by default (stable = explicit promote re-tag); distinct from agents defaulting to the stable CHANNEL (correct). Fixed build-windows/linux.sh 2026-06-01; macOS already correct. Enables beta-first canary.

Cascades

• Cascades operational rules — Two active rules: (1) folder redirection (fdeploy) needs subfolders PRE-CREATED before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1. (2) ALWAYS ask which security group(s) a new user goes into — never auto-derive from OU.
• feedback-rmm-unc-path-encoding -- RMM PowerShell UNC paths via user_session context lose one backslash when using string literals — must build with [char]92
• feedback_cascades_folder_redirect -- Cascades folder redirection — fdeploy failure/retry behavior, correct new-user procedure, recovery script location
• cascades-user-security-group -- When creating or adding any Cascades user, always ask which security group(s) the account goes into — deliberate decision, never auto-derived from OU
• feedback_gururmm_agent_parity -- Add feature X to the agent" means all three platforms (Windows + Linux + macOS) in the same change — no exceptions
• feedback-gururmm-builds -- GuruRMM builds must go through the Gitea webhook pipeline, never run manually via SSH
• feedback-howard-delegation -- Howard prefers to leave backend/server-side follow-up and risky implementation work to Mike unless explicitly asked — don't assign those items to Howard or prompt him to do them.
• feedback_no_botalerts_internal_rmm -- Post #bot-alerts ONLY when an RMM command directly affects a client endpoint or a ticket; skip for internal infra/build/dev/recon (e.g. PLUTO build-runner setup)
• feedback_no_indented_code_blocks -- Never indent code inside code blocks — Howard copy-pastes directly and leading spaces break PowerShell commands
• GuruRMM development is Mike's, not Howard's -- GuruRMM code/bugs/dev are Mike's domain — never route RMM dev or bug coord notes to Howard. Howard only SUBMITS RMM feature requests; GuruScan is Howard's project, not RMM
• feedback_rmm_identify_by_ip -- When the offending/target machine is known by external IP, identify the RMM agent by matching the IP — don't recon every candidate.
• Syncro — verify appointment date day-of-week -- Before creating any Syncro appointment, verify the computed date falls on the intended weekday (py datetime) and show the day name in the preview. Wrong-day incident #32312 2026-05-21.
• Syncro — confirm appointment owner explicitly when creating tickets with appointments -- When creating Syncro tickets that include an appointment, always ask "who is the appointment owner?" before posting. Don't auto-default to the ticket's assigned tech, and distinguish owner from additional attendees.
• Syncro — leave contact blank by default on tickets and billing -- When creating Syncro tickets or billing them out, leave the contact field blank ("Not Assigned") in most cases. Blank contact lets Syncro use the company-level defaults for notifications and email routing. Setting a specific contact can route to a secondary email and bypass the customer's intended distribution.
• Syncro — Cascades contact incident detail (Meredith Kuhn) -- Incident context for why the blank-contact rule matters at Cascades — Meredith Kuhn is the recurring wrong default that Syncro pre-selects. See feedback_syncro_blank_contact.md for the global rule.
• Syncro duplicate prevention — tickets AND comments -- Never retry ANY Syncro POST (ticket create or comment) without first GETting to confirm the action didn't already succeed — Syncro has no idempotency on any endpoint
• feedback-syncro-content-type -- Syncro API POST calls require explicit Content-Type application/json header or they 400 with an HTML error page
• feedback-syncro-corrections-preserve-tech -- Preserve Syncro attribution — corrections keep the original tech's labor user_id (commission); and adding notes/labor never changes the ticket owner. Only reassign labor or ticket ownership when explicitly asked.
• Syncro emergency/after-hours billing — check prepay_hours first -- Emergency labor is time-and-a-half (×1.5), applied once, never additive. Branch by customer.prepay_hours. Prepaid → emergency item 26184 at hours×1.5 (premium in quantity); non-prepaid → 26184 at actual hours (rate has 1.5×).
• feedback_syncro_estimate_hardware -- Hardware line items on Syncro estimates always use product_id 32252 with varying name/price per item
• Syncro comment HTML formatting -- Use
  for line breaks in Syncro comments, not
  /
  • — list tags don't render
  • feedback-syncro-labor-tax -- Labor is never taxable in Arizona — always set taxable=false on labor line items in Syncro
  • Syncro — use a billable labor type (in-shop / onsite / remote / web), never "Prepaid project labor -- When billing Syncro tickets, the labor product on the line item MUST be one of in-shop, onsite, remote, or web labor. "Prepaid project labor" is an exempt labor type and will NOT draw down a customer's prepay block — using it silently breaks block-hour accounting.
  • feedback_syncro_line_items -- Correct Syncro API endpoint for adding labor/product line items to tickets
  • feedback-syncro-live-rates -- Always fetch Syncro labor rates live from the API — never use hardcoded rate table
  • feedback-syncro-no-madeup-labor-items -- NEVER invent or rename Syncro labor line items — every labor line must use an existing product with its REAL name (from GET /products/); work detail goes in the description field, not the name
  • Syncro — use add_line_item for billing, not timers -- Syncro billing uses add_line_item directly. Timer workflow (timer_entry → charge_timer_entry) is not used. Overrides previous rule about timers being required.
  • Syncro — timer_entry response is FLAT, not wrapped -- POST /tickets/{id}/timer_entry returns a flat object {"id": N, "ticket_id": ..., "product_id": ..., ...}, NOT wrapped in {"timer": {...}} or {"timer_entry": {...}}. Parse as .id, never .timer.id — using the wrapped pattern silently returns null and creates duplicate timers when the script "retries".
  • Syncro — warranty work uses the "Labor- Warranty work" product, never patch a billable product to $0 -- For warranty/no-charge labor on Syncro tickets, use product_id 1049360 (Labor- Warranty work, $0/hr). Do NOT use a regular labor product with billable=false or a patched price_retail=0. Prices are determined by the product selected; never override the dollar amount to make one product behave like another.

  Machine

  • GURU-5070 Workstation Setup — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's.
  • GURU-BEAST-ROG Setup Status — Windows workstation fully configured except SSH key deployment to servers.

  Project

  • Automate memory consolidation/lint (phased) — Eventually auto-run /memory-dream; lint+additive fixes can automate early, merges/deletes stay human-approved. Engine: .claude/skills/memory-dream/ + .claude/scripts/sync-memory.sh.
  • Trebesch PST consolidation (staged) — Address-book CSV from 24 PSTs on DESKTOP-QNP3ON5; scripts staged at .claude/tmp/treb-*.ps1, WAITING for Howard's 6pm-MST 2026-06-01 go signal (attended run). See reference_trebesch_qnp3on5.
  • GuruRMM project state — Dev principles (every feature full-stack: backend+API+UI+docs+scalability; product works without AI; FEATURE_ROADMAP update is part of definition-of-done; mirrors guru-rmm/docs/DESIGN.md). Webhook docs-only build guard (SPEC-020 Phase 0; webhook-handler.py repo copy is STALE — don't redeploy). Mac install-hooks.sh setup STILL PENDING on Mikes-MacBook-Air.
  • GuruConnect — v2 direction (native-first full key fidelity Win+R/Ctrl+Alt+Del + bidirectional file cut/paste/drag; WebRTC fallback only; standalone-first + RMM contract; tenancy-ready schema; Mike willing to scrap v1). Manual deploy procedure to 172.16.3.30 (build-on-server in login shell; sqlx runtime queries; NPM CONNECT_TRUSTED_PROXIES=172.16.3.20 gotcha). v2 live since 2026-05-30.
  • Apple MDM + Developer certs (GuruRMM mobile) — ACG holds Apple Developer+signing and Apple MDM Push certs (acquired 2026-05-29) for SPEC-017. MDM push cert RENEWS ANNUALLY on the same Apple ID or all enrolled iOS devices break.
  • Only RMM & GC are versionable products — GuruRMM + GuruConnect are the only products with own repos/submodules; everything else stays in the claudetools monorepo. Split only for independent pipeline OR versioned external consumer.
  • Quantum GoDaddy M365 tenant — quantumwms.com parked in a GoDaddy-provisioned M365 tenant (id ddf3d2c9-b76c-40d9-a216-9f11a1a26f97, netorg18235235.onmicrosoft.com); blocks Pax8 migration until GoDaddy removed.
  • Cascades — Active state: Syncro ticket #110680053 + plan file (machine-specific path on Howard's box), admin accounts (sysadmin@=Howard, admin@=Mike — daily-driver, NOT break-glass), Phase-B caregiver CA pilot (SG-Caregivers-Pilot, group-scoped never tenant-wide), prepaid block ~37.5h (rate TBD), pilot cleanup checklist.
  • Cascades history — fdeploy 502/ACL root cause (Flags=1211→187 fix), 2026-04-29 CA-rescoping decision (Howard pulled the brakes on tenant-wide), 2026-05-14 per-user-security-group decision rationale.
  • Sync script bug — untracked files (RESOLVED) — FIXED 2026-05-21: sync.sh now uses git status --porcelain for change detection (repo + vault).
  • MasterBooter Side Project — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
  • Audio Processor Architecture — Segment-first pipeline: detect breaks before transcription for complete content capture.
  • Neptune SBR Email Routing Setup — Full SBR routing chain, config file locations, MailProtector integration, access methods. Treat routing breakage as systemic (devcon, Sorensen/rieussetcorp), not per-client.
  • Dataforth Test Datasheet Pipeline — Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
  • Dataforth — M365 email (Graph API; tenant in vault at clients/dataforth/m365.sops.yaml); neptune.acghosting.com is ACG's, NOT Dataforth's. MFA enforced 2026-04-04 (3 CA policies). AJ needs dataforthgit@ forwarding.
  • Dataforth history (2026-03-27 incident) — DF-JOEL2 compromise via ScreenConnect social-engineering, attacker C2 IPs + IC3 case + remediation log + MFA rollout origin story + Joel Lohr retirement. RESOLVED 2026-04-04.
  • Radio show co-host — Tara, not Tom — Co-host in 2014-s6e19 and 2016-s8e43 is Tara. "Tom" was hallucinated; rename complete.
  • Proposal: centralize config in identity.json — Rationale for the identity.json machine-config centralization (claudetools_root, ollama/python); now implemented.
  • ACG MSP tool stack — ScreenConnect/CW Control, Splashtop, Syncro, Datto RMM, Datto EDR/AV, GuruRMM are ACG's OWN tools; do not flag as foreign/threat on managed machines (Defender-off is expected when Datto AV is active).
  • ACG Website Hosting — azcomputerguru.com is hosted on IX Web Hosting via cPanel.
  • jq on Windows emits CRLF — winget jq outputs CRLF; trailing \r silently breaks for x in $(jq ...) loops + read-from-@tsv. Override jq(){ command jq "$@"|tr -d '\r'; }. Windows-build-specific (passes on Mac/Linux).
  • GuruRMM Development Principles -- Every GuruRMM feature is full-stack (backend+API+UI+docs+scalability); product works without AI; the FEATURE_ROADMAP entry update is part of definition-of-done. Mirrors guru-rmm/docs/DESIGN.md.
  • project-cascades-migration-plan -- Cascades of Tucson department migration plan — Syncro ticket, plan file location, resume command
  • Cascades admin account ownership -- Howard uses sysadmin@cascadestucson.com, Mike uses admin@cascadestucson.com — used for daily admin work, not break-glass.
  • project-cascades-billing -- Cascades of Tucson Syncro billing — prepaid block customer, rate TBD
  • Cascades CA bypass — phased per-group rollout, NOT tenant-wide -- Caregiver bypass CA policies are scoped to SG-Caregivers-Pilot only at start, then expanded one department at a time. Legacy all-users-MFA stays in place; we PATCH excludeGroups, never delete it during rollout.
  • Cascades caregiver pilot — cleanup obligations -- Pilot accounts (pilot.test@, howard.enos@ once synced) at Cascades must be removed at end of caregiver bypass pilot.
  • Dataforth email infrastructure -- Dataforth uses M365 for email; the Exchange server on 172.16.x.x / neptune.acghosting.com is NOT Dataforth's — it belongs to ACG's own infrastructure
  • Dataforth Security Incident 2026-03-27 -- DF-JOEL2 compromised via ScreenConnect social engineering. MFA deployed. IC3 filed. C2 IPs blocked. Full remediation completed.
  • project_guruconnect_deploy -- How to deploy GuruConnect (v2+) to production — the server (172.16.3.30) builds its own Linux binary; gotchas with the systemd watchdog, trusted-proxy env, and auto-run migrations
  • project_guruconnect_v2_direction -- GuruConnect v2 modernization direction (Mike, 2026-05-29) — native-first full key fidelity + bidirectional file cut/paste/drag are the headline must-haves; WebRTC is fallback only
  • Mac gururmm hook setup pending -- Mikes-MacBook-Air needs install-hooks.sh run in gururmm repo — one-time setup to prevent sqlx migration drift
  • project-pluto-build-server -- Pluto Windows build server — location, role, and access details
  • project_rmm_webhook_docs_guard -- RMM build webhook now skips docs-only pushes (host guard in /opt/gururmm/webhook-handler.py). The repo copy is stale — don't redeploy it.