18 KiB
Memory Index
Reference
- ACG resource map — READ THIS FIRST when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
- GURU-5070 Rust toolchain — GURU-5070 now has cargo + MSVC + protoc; build/clippy/test guru-connect LOCALLY (set PROTOC to the winget path) instead of the build host. CI only clippy-checks the Linux server, not the Windows agent.
- ACG Office Network Infrastructure — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage.
- Power Failure Runbook — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
- Syncro API — Invoice Verification Pattern — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
- Approval Workflow: Tools vs Projects — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval; features→roadmap, bugs→bug list.
- Community Forum (Flarum) — Flarum forum at community.azcomputerguru.com, API access, database, posting workflow.
- Radio Show Website — Astro static site at radio.azcomputerguru.com on IX server.
- IX Server Access — `ix.azcomputerguru.com` / 172.16.3.10. Reachable when Tailscale is on (no VPN). SSH currently uses sshpass with root password; key auth from GURU-5070 not configured yet (was CachyOS, now Win11 — verify).
- Matomo Analytics — Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites.
- TickTick Integration — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD.
- Client Docs Structure — clients//docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/.
- MSP Audit Scripts — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/.
- Pluto Build Server — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized.
- Coord /messages API shape — GET /api/coord/messages returns {total,skip,limit,messages[]} NOT a bare array; parse .messages[], strip control chars, read flag may be null.
- Gitea API credential — Gitea API (PRs/merges) as howard uses services/gitea-howard.sops.yaml password on internal http://172.16.3.20:3000; NOT the gururmm-server SSH password.
- Gitea Internal API Access — git.azcomputerguru.com is NOT behind Cloudflare — it's the office Cox IP NAT'd to NPM (openresty) on Jupiter. Prefer internal 172.16.3.20:3000 for reliability (bypasses NPM SSL-renewal reload blips).
- Gitea git-op latency — SSH (.20:2222) is SLOWEST (~1.5s); internal HTTP+token ~0.55s; SOPS lookup only ~0.33s. Don't switch to SSH for speed. Gitea SSH is .20:2222 (API ssh_url .21 is wrong).
- GuruRMM technical reference — Server (172.16.3.30) layout + downloads dir `/var/www/gururmm/downloads` + `.channel` sidecar rollout control (stable/beta) + privileged server access via the server's OWN root RMM agent (hostname `gururmm`, no SSH needed; plink fallback) + API + `context=user_session` (WTS impersonation) + build-pipeline vendoring at `deploy/build-pipeline/` + Linux agent systemd sandbox trap.
- Trebesch DESKTOP-QNP3ON5 shell replacement — AT Trebesch box runs an Explorer shell replacement; explorer.exe owner check returns blank — use Win32_ComputerSystem.UserName. GuruRMM SWIFT-LION-2892.
Users
- Howard Enos — Mike's brother, technician, full access. Machines: ACG-TECH03L, Howard-Home (authoritative in users.json).
- Mike — font preference — Mike prefers Lucida Console for monospace UI.
Feedback
- Scheduling = coord todo, not schedulers — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks.
- Attribution is read, never inferred — Who-did-what (user+machine) comes ONLY from identity.json + users.json + git authorship. Never infer from hostname patterns, the userEmail hint, or memory. The "5070" box is Mike's. sync.sh reconciles git config to identity.json; /save renders the User block via whoami-block.sh.
- D2TESTNAS SSH Access — Use root@192.168.0.9 with Paper123!@#, not sysadmin.
- Bypass Permissions Setting — Set permissions.defaultMode to bypassPermissions in settings.json on all machines.
- 365 Remediation Tool — "remediation tool" = tiered ComputerGuru app suite via /remediation-tool; NOT CIPP, NOT the deprecated fabb3421.
- CA managed programmatically (with discipline) — Conditional Access CAN be written via Tenant Admin app; ALWAYS report-only first + exclude break-glass + confirm before enforcing. Overrides old "CA manual" rule.
- Ollama Tier-0 Routing — Route drafts/summaries/classifications through Ollama (qwen3:14b). Mike designed ClaudeTools this way — not optional.
- /save writes narrative directly — No Ollama for /save; write all sections inline — too slow.
- Identity precedence — Trust `.claude/identity.json` over the system-reminder `userEmail` hint when they disagree (shared-login machines).
- 1Password — always use service token — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every `op` call. Desktop-app integration prompts are unacceptable in agent flows.
- Point vault-access teammates at SOPS path — When relaying infra/credential info to Howard or other vault-access teammates, hand over the SOPS path + key anchors; don't transcribe the entry's fields into the message.
- /tmp path mismatch on Windows — Write tool and Git Bash resolve `/tmp` to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl.
- SQL instance role — verify by connections, not name — Standard installed under default `SQLEXPRESS` instance name is real. Prove role with `sys.dm_exec_sessions` + `Get-NetTCPConnection -OwningProcess` before recommending stop/uninstall.
- Clear-RecycleBin fails silently as SYSTEM — RMM-dispatched cleanup scripts cannot use `Clear-RecycleBin -Force`; the cmdlet uses Shell COM and silently no-ops without an interactive desktop. Enumerate `C:\$Recycle.Bin\<SID>\*` directly.
- Graph CA policy reads are eventually consistent — After PATCHing a CA policy (204), wait ~5s before GET-verifying; immediate reads can be stale.
- Graph password reset needs a privileged role — PATCH passwordProfile on an existing user 403s without a directory role; User.ReadWrite.All alone only sets a password at CREATE.
- Vault writes — do the full sequence yourself — A vault entry = write plaintext → sops -e -i → git add/commit/push, all of it; don't stop at "encrypted on disk."
- Syncro is the default PSA; Autotask is opt-in — Ticketing/billing/customers default to Syncro (/syncro). Only use /autotask on an explicit "in Autotask" request. /autotask kept local/undistributed.
- Paste-safe command formatting (Howard) — Two clauses, one root cause: (a) multi-line scripts not semicolon one-liners (wrap breaks paste), (b) all code at column 0 inside fences (indentation breaks PowerShell paste).
- Autonomous infra/build setup — During infra/build/CI/dev setup, just install prerequisites and push through routine steps; reserve check-ins for genuine decisions (forks, destructive/outward, client/prod).
- Check patterns before asking — Before asking how to do something repeat-style (sync, save, sweep, billing), study existing artifacts and workflow docs first; reach for similar past artifacts as the template.
- Client communication tone — How to write client-facing Syncro comments — expert partner, not intake questionnaire.
- Add Mike as owner on all Entra apps — Apps created via management SP have no user owner — must add Mike manually or publisher verification fails.
- No TOML/config file approach for endpoints — User explicitly prohibits TOML or config-file-based endpoint configuration — this will never be approved.
- Python on Windows — use py launcher — Windows Store python/python3 aliases disabled; always use py or jq on DESKTOP-0O8A1RL.
- Unsaved sessions are recoverable from transcripts — Crashed/closed-before-save sessions live in `~/.claude/projects/<slug>/*.jsonl`; the detector auto-recovers orphans, `/recover <uuid>` does it manually. Ollama prose + Python verbatim. See `.claude/RECOVERY.md`.
Syncro
- Syncro API plumbing — Content-Type required on all POST/PUT; NO idempotency anywhere — always GET before retrying; response wrappers (`.ticket.id`, `.comment.id`); add_line_item shape (internal ID, flat response, required fields); HTML uses `<br>` not `<ul>`/`<li>`; timer_entry response is FLAT but SUPERSEDED (use add_line_item).
- Syncro billing rules — Bill with `add_line_item` directly (not timers); fetch rates LIVE; never invent labor names (real product names only); match labor type to delivery channel (never "Prepaid project labor"); labor `taxable:false` (AZ); warranty `1049360` (never patch price); emergency `26184` ×1.5 once, branch by `prepay_hours`; corrections preserve original tech's user_id; estimate hardware `32252`.
- Syncro workflow rules — ALWAYS preview comments before posting (no exceptions); verify appointment day-of-week ("Saturday 2026-05-23") before creating; ASK who the appointment owner is; leave `contact_id` BLANK by default for ALL customers (ignore Syncro's contact-picker auto-default).
- Syncro lessons / incident archive — Detail behind the three rule files: tickets (#32332, #32312, #32225, #32253, #32203, #32185, #32142, #32304, #32333), verbatim Mike/Howard/Winter quotes, dates, tech user_id table (Mike 1735 / Howard 1750 / Winter 1737 / Rob 1760), labor product table, and superseded-rule history.
GuruRMM
- GuruRMM operational rules — Six rules: (1) RMM dev = Mike, never Howard (368/0 commits); GuruScan is Howard's. (2) Agent parity Win+Linux+macOS in same change. (3) Builds via Gitea webhook pipeline only, never SSH. (4) #bot-alerts only for client/ticket impact, skip internal infra/dev. (5) Identify agents by IP, not by reconning candidates. (6) UNC paths in user_session need [char]92 — literals get halved.
- Build channel default = beta — New agent builds must be tagged BETA by default (stable = explicit promote re-tag); distinct from agents defaulting to the stable CHANNEL (correct). Fixed build-windows/linux.sh 2026-06-01; macOS already correct. Enables beta-first canary.
Cascades
- Cascades operational rules — Two active rules: (1) folder redirection (fdeploy) needs subfolders PRE-CREATED before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1. (2) ALWAYS ask which security group(s) a new user goes into — never auto-derive from OU.
Machine
- GURU-5070 Workstation Setup — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's.
- GURU-BEAST-ROG Setup Status — Windows workstation fully configured except SSH key deployment to servers.
Project
- Automate memory consolidation/lint (phased) — Eventually auto-run /memory-dream; lint+additive fixes can automate early, merges/deletes stay human-approved. Engine: .claude/skills/memory-dream/ + .claude/scripts/sync-memory.sh.
- Trebesch PST consolidation (staged) — Address-book CSV from 24 PSTs on DESKTOP-QNP3ON5; scripts staged at .claude/tmp/treb-*.ps1, WAITING for Howard's 6pm-MST 2026-06-01 go signal (attended run). See reference_trebesch_qnp3on5.
- GuruRMM project state — Dev principles (every feature full-stack: backend+API+UI+docs+scalability; product works without AI; FEATURE_ROADMAP update is part of definition-of-done; mirrors guru-rmm/docs/DESIGN.md). Webhook docs-only build guard (SPEC-020 Phase 0; webhook-handler.py repo copy is STALE — don't redeploy). Mac install-hooks.sh setup STILL PENDING on Mikes-MacBook-Air.
- GuruConnect — v2 direction (native-first full key fidelity Win+R/Ctrl+Alt+Del + bidirectional file cut/paste/drag; WebRTC fallback only; standalone-first + RMM contract; tenancy-ready schema; Mike willing to scrap v1). Manual deploy procedure to 172.16.3.30 (build-on-server in login shell; sqlx runtime queries; NPM `CONNECT_TRUSTED_PROXIES=172.16.3.20` gotcha). v2 live since 2026-05-30.
- Apple MDM + Developer certs (GuruRMM mobile) — ACG holds Apple Developer+signing and Apple MDM Push certs (acquired 2026-05-29) for SPEC-017. MDM push cert RENEWS ANNUALLY on the same Apple ID or all enrolled iOS devices break.
- Only RMM & GC are versionable products — GuruRMM + GuruConnect are the only products with own repos/submodules; everything else stays in the claudetools monorepo. Split only for independent pipeline OR versioned external consumer.
- Quantum GoDaddy M365 tenant — quantumwms.com parked in a GoDaddy-provisioned M365 tenant (id ddf3d2c9-b76c-40d9-a216-9f11a1a26f97, netorg18235235.onmicrosoft.com); blocks Pax8 migration until GoDaddy removed.
- Cascades — Active state: Syncro ticket #110680053 + plan file (machine-specific path on Howard's box), admin accounts (sysadmin@=Howard, admin@=Mike — daily-driver, NOT break-glass), Phase-B caregiver CA pilot (SG-Caregivers-Pilot, group-scoped never tenant-wide), prepaid block ~37.5h (rate TBD), pilot cleanup checklist.
- Cascades history — fdeploy 502/ACL root cause (Flags=1211→187 fix), 2026-04-29 CA-rescoping decision (Howard pulled the brakes on tenant-wide), 2026-05-14 per-user-security-group decision rationale.
- Sync script bug — untracked files (RESOLVED) — FIXED 2026-05-21: sync.sh now uses `git status --porcelain` for change detection (repo + vault).
- MasterBooter Side Project — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
- Audio Processor Architecture — Segment-first pipeline: detect breaks before transcription for complete content capture.
- Neptune SBR Email Routing Setup — Full SBR routing chain, config file locations, MailProtector integration, access methods. Treat routing breakage as systemic (devcon, Sorensen/rieussetcorp), not per-client.
- Dataforth Test Datasheet Pipeline — Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
- Dataforth — M365 email (Graph API; tenant in vault at clients/dataforth/m365.sops.yaml); neptune.acghosting.com is ACG's, NOT Dataforth's. MFA enforced 2026-04-04 (3 CA policies). AJ needs dataforthgit@ forwarding.
- Dataforth history (2026-03-27 incident) — DF-JOEL2 compromise via ScreenConnect social-engineering, attacker C2 IPs + IC3 case + remediation log + MFA rollout origin story + Joel Lohr retirement. RESOLVED 2026-04-04.
- Radio show co-host — Tara, not Tom — Co-host in 2014-s6e19 and 2016-s8e43 is Tara. "Tom" was hallucinated; rename complete.
- Proposal: centralize config in identity.json — Rationale for the identity.json machine-config centralization (claudetools_root, ollama/python); now implemented.
- ACG MSP tool stack — ScreenConnect/CW Control, Splashtop, Syncro, Datto RMM, Datto EDR/AV, GuruRMM are ACG's OWN tools; do not flag as foreign/threat on managed machines (Defender-off is expected when Datto AV is active).
- ACG Website Hosting — azcomputerguru.com is hosted on IX Web Hosting via cPanel.