claudetools/.claude/memory/reference_resource_map.md
Mike Swanson 0c000109dc chore(memory): consolidate scattered feedback/project/reference files
Compressed memory store 104 -> 71 files via four passes:

- Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files
  (api/billing/workflow) + an on-demand feedback_syncro_history.md for
  incident detail, quotes, and tech/product ID tables.
- Four near-duplicate merges: Howard paste-safety, Pluto build server,
  Howard backend deferral, IX server access (ssh+tailscale).
- Per-cluster rule/state/history split applied to GuruConnect (2->1),
  Dataforth (3->2), Cascades (7->3), GuruRMM (13->3).
- New reference_resource_map.md: single auto-loaded cheatsheet for
  "do I have access to X and how do I connect from this machine?"
- MEMORY.md rewritten to match the new layout.

Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
2026-06-01 16:25:45 -07:00


name: ACG resource map — what I have access to and how to connect
description: Cheatsheet for every resource ACG has access to (servers, services, APIs, M365 tenants, MSP tools). For each: what it is, default access method, per-machine exceptions (if any), gotchas, and pointer to the existing detail file. Use this FIRST when a task says "connect to X" / "check Y" — don't search; look here.
type: reference

Use this first. When a task references a resource ("ssh into Jupiter", "check Syncro", "look at the Cascades tenant"), look here BEFORE searching for credentials or trying random connection methods. This is the lookup table; the detail lives in the linked reference_* / project_* files.

First principles (apply to ~everything)

  • Vault wrapper (NEVER hardcode the vault path):

    VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
    bash "$VAULT" get-field <path> <field>     # e.g. infrastructure/gururmm-server.sops.yaml credentials.password
    bash "$VAULT" search <keyword>             # search without decrypting
    bash "$VAULT" list                         # full inventory
    

    Reads vault_path from .claude/identity.json per-machine (Windows c:/Users/guru/vault, Mac ~/vault, etc.).

  • Tailscale must be on to reach anything on 172.16.x.x from outside the office. Office LAN is 172.16.0.0/22.

  • SSH on Windows: always use system OpenSSH (C:\Windows\System32\OpenSSH\ssh.exe), NEVER Git for Windows SSH. Git for Windows ssh has subtle key handling differences that break auth silently.

  • Git Bash on Windows: never redirect to Windows paths with backslashes (echo X > D:\path) — Git Bash strips backslashes and substitutes the colon with a Unicode PUA char, creating a garbled junk file. Use forward slashes (/d/path) or workspace-relative paths.

  • 1Password fallback: service-account token in vault at infrastructure/1password-service-account.sops.yaml. Set OP_SERVICE_ACCOUNT_TOKEN, then op read "op://Vault/Item/field". Each workstation's age key backup lives at op://Infrastructure/age Key - <HOSTNAME>.
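The Git Bash redirect rule above in runnable form, as an added example that is not code from the claudetools repo: to_gitbash_path converts an absolute Windows path to the /d/path form and refuses a relative path containing backslashes, and safe_write only redirects through a path that passed that check. The function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the claudetools repo: make a Windows path safe to use
# as a redirect target in Git Bash. A backslashed path like D:\out\x.txt gets
# mangled (backslashes stripped, colon replaced), so convert D:\out\x.txt to
# /d/out/x.txt and refuse anything that cannot be converted.

# Print the Git Bash (MSYS) form of a path; exit status 1 if it is unsafe.
to_gitbash_path() {
  local path=$1 drive rest
  case $path in
    [A-Za-z]:\\*|[A-Za-z]:/*)
      # Absolute Windows path: lower-case the drive letter, flip the slashes.
      drive=$(printf '%s' "${path%%:*}" | tr 'A-Z' 'a-z')
      rest=$(printf '%s' "${path#?:}" | tr '\\' '/')
      printf '/%s%s\n' "$drive" "$rest"
      ;;
    *\\*)
      # Relative path with backslashes: Git Bash would eat them silently.
      echo "to_gitbash_path: refusing backslashed relative path: $path" >&2
      return 1
      ;;
    *)
      # Already POSIX-style (/d/path) or workspace-relative: pass through.
      printf '%s\n' "$path"
      ;;
  esac
}

# Write stdin to a file, but only through a path the shell will not corrupt.
safe_write() {
  local dest
  dest=$(to_gitbash_path "$1") || return 1
  cat > "$dest"
}

to_gitbash_path 'D:\work\out.txt'   # /d/work/out.txt
```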


Office servers & VMs (all on Tailscale + 172.16.0.0/22)

Jupiter — Unraid primary (172.16.3.20)

  • What: Unraid host. Runs ALL ACG VMs (GuruRMM server, OwnCloud, UniFi, Pluto, etc.) and the Docker stack (NPM, Gitea, Seafile).
  • Default: ssh root@172.16.3.20. Password infrastructure/jupiter-unraid-primary.sops.yaml credentials.password. iDRAC out-of-band at 172.16.1.73.
  • Notes: guru@wsl + guru@gururmm-build + Mac keys all authorized. Unraid web UI on port 80 — use VM console when a VM's SSH fails.
  • Detail: infra_office_network.

gururmm-server (172.16.3.30, hostname gururmm)

  • What: Linux VM on Jupiter. THE workhorse — runs MariaDB, PostgreSQL, ClaudeTools API (:8001), GuruRMM API (:3001), GuruConnect server (:3002), coord API, Gitea Actions runner, build pipeline, webhook.
  • Default: ssh guru@172.16.3.30. Password infrastructure/gururmm-server.sops.yaml credentials.password. User is guru NOT mike. Home /home/guru/.
  • Gotcha: for cargo/protoc/PATH, use a login shell: ssh guru@172.16.3.30 'bash -lc "..."'. Non-interactive shell doesn't source ~/.profile and these look "missing".
  • Layout: repo at /home/guru/gururmm, build pipeline at /opt/gururmm/ (auto-synced from repo deploy/build-pipeline/ by build-shared.sh).
  • Detail: reference_gururmm, project_gururmm, project_guruconnect.

Pluto — Windows build VM (172.16.3.36, Unraid VM "Claude-Builder")

  • What: Windows Server 2019 VM. Native MSVC builds — Rust, WiX MSI, Azure Trusted Signing.
  • Default: ssh -i ~/.ssh/id_ed25519 Administrator@172.16.3.36 (key auth, no password).
  • Per-machine: Only gururmm-build@gururmm-server and guru@gururmm-build keys are authorized. From GURU-5070 (Mike's main) the pubkey is NOT authorized → use /rmm (PLUTO agent) instead of trying SSH.
  • Gotcha: if adding a key, administrators_authorized_keys MUST be ASCII. PowerShell > writes UTF-16 BOM and silently breaks SSH. Use [System.IO.File]::WriteAllText(..., $key, [System.Text.Encoding]::ASCII).
  • Detail: reference_pluto_build_server.
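Added example, not from reference_pluto_build_server or the repo: before trusting an administrators_authorized_keys file, verify it is pure ASCII (which also catches the UTF-16 BOM and NUL padding that PowerShell's > produces), and append keys with printf so the file stays that way. The function names and the sample key are constructed; run it from Git Bash, WSL or Linux on a copy of the file, and on Pluto itself keep using the WriteAllText ASCII call above.

```shell
#!/usr/bin/env bash
# Added example, not from the claudetools repo: keep Pluto's
# administrators_authorized_keys pure ASCII. PowerShell's '>' writes UTF-16LE
# with a BOM, which silently breaks SSH auth; these helpers detect that and
# append keys with printf, which writes bytes verbatim (no BOM, no UTF-16).

# Exit 0 if every byte is tab, LF, CR or printable ASCII (0x20-0x7E), else 1.
is_pure_ascii() {
  local file=$1 bad
  bad=$(LC_ALL=C tr -d '\011\012\015\040-\176' < "$file" | wc -c)
  [ "$((bad))" -eq 0 ]
}

# One-line diagnosis for the person fixing the file.
describe_encoding() {
  local file=$1 magic
  magic=$(head -c 3 "$file" | od -An -tx1 | tr -d ' \n')
  case $magic in
    fffe*)  echo "UTF-16LE BOM (what PowerShell '>' writes)" ;;
    feff*)  echo "UTF-16BE BOM" ;;
    efbbbf) echo "UTF-8 BOM" ;;
    *) if is_pure_ascii "$file"; then echo "ASCII, OK"; else echo "non-ASCII bytes present"; fi ;;
  esac
}

# Append one public key; refuse if the file or the key is not ASCII, and
# re-verify the result so a bad write cannot go unnoticed.
append_key_ascii() {
  local file=$1 key=$2 bad
  if [ -s "$file" ] && ! is_pure_ascii "$file"; then
    echo "refusing: $file is $(describe_encoding "$file"); fix it first" >&2
    return 1
  fi
  bad=$(printf '%s' "$key" | LC_ALL=C tr -d '\040-\176' | wc -c)
  if [ "$((bad))" -ne 0 ]; then
    echo "refusing: key contains non-printable or non-ASCII characters" >&2
    return 1
  fi
  printf '%s\n' "$key" >> "$file"
  is_pure_ascii "$file"
}

# Demo on constructed files: a fake UTF-16LE file and a fake key (not real key material).
demo=$(mktemp -d)
printf '\377\376s\000s\000h\000' > "$demo/bad_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKE guru@gururmm-build\n' > "$demo/good_keys"
describe_encoding "$demo/bad_keys"    # UTF-16LE BOM (what PowerShell '>' writes)
describe_encoding "$demo/good_keys"   # ASCII, OK
```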

IX server (172.16.3.10 / ix.azcomputerguru.com)

  • What: Rocky Linux cPanel/WHM. 40+ client WordPress sites + Matomo + Flarum forum + radio show site.
  • Default: ssh root@172.16.3.10. Password infrastructure/ix-server.sops.yaml credentials.password. Tailscale-reachable directly (no separate VPN). WHM at :2087, cPanel at :2083.
  • Per-machine: GURU-5070's pubkey is NOT authorized (was CachyOS, reinstalled to Win11, key never re-added) → use sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@172.16.3.10. Suppress warnings with | grep -v WARNING. Other machines: re-verify per machine.
  • Detail: reference_ix_server_access.

Uranus — Unraid secondary (172.16.3.21)

  • What: Unraid secondary. Pavon archive storage, planned future Windows build VM. Low RAM (7.7GB).
  • Default: ssh root@172.16.3.21. Password infrastructure/uranus-unraid.sops.yaml.
  • Note: NOT the Seafile proxy. Mounted as OwnCloud external storage (SMB → /Archive).

OwnCloud VM (172.16.3.22 / cloud.acghosting.com)

  • What: Rocky Linux 9.6 VM on Jupiter. OwnCloud file sync.
  • Default: SSH per infrastructure/owncloud-vm.sops.yaml.
  • Note: distinct from Seafile (sync.azcomputerguru.com is Seafile on Jupiter Docker).

Neptune (67.206.163.124 / neptune.acghosting.com)

  • What: Exchange Server 2016. Physically at Dataforth's D2 facility, NOT the ACG office (despite the acghosting.com name). Email for ACG-hosted clients.
  • Default: RDP/admin via clients/dataforth/neptune-exchange.sops.yaml. OWA at https://neptune.acghosting.com/owa/.
  • Note: to reach from the ACG office, route via D2TESTNAS (192.168.0.9) — Dataforth UDM subnet overlaps 172.16.x.x. It is NOT Dataforth's mail system — Dataforth uses M365 (see below).

WebSvr (162.248.93.81 / websvr.acghosting.com)

  • What: Legacy CentOS 7 cPanel. DNS for ACG Hosting domains + some legacy sites.
  • Default: ssh root@websvr.acghosting.com. infrastructure/websvr-legacy-hosting.sops.yaml.

pfSense firewall (172.16.0.1)

  • What: FreeBSD pfSense 2.8.1. Firewall + OpenVPN + Tailscale subnet router for 172.16.0.0/22.
  • Default: SSH on port 2248 (not 22), user admin. Creds infrastructure/pfsense-firewall.sops.yaml. Web UI https://172.16.0.1.
  • Gotcha: Tailscale gateway — losing pfSense = no remote access to anything in office. Don't drop SSH/Tailscale config without an alternative path verified.

Office network services (Docker on Jupiter)

Gitea — internal (http://172.16.3.20:3000 / https://git.azcomputerguru.com)

  • What: Self-hosted git. ALL ACG repos (claudetools, gururmm, guru-connect, vault, projects).
  • Default: for API/automation use internal http://172.16.3.20:3000 (bypasses NPM SSL-renewal blips). For Howard-attributed PR merges: services/gitea-howard.sops.yaml credentials.password. For admin API: services/gitea.sops.yaml credentials.api.api-token. Git over SSH: ssh://git@172.16.3.20:2222.
  • Gotcha: public git.azcomputerguru.com is NOT behind Cloudflare — it's the office Cox IP NAT'd to NPM. Internal :3000 is more reliable.
  • Detail: reference_gitea_internal, reference_gitea_api_credential.

NPM (Nginx Proxy Manager)

  • What: openresty reverse proxy for all *.azcomputerguru.com services.
  • Default: admin UI http://172.16.3.20:7818. services/npm.sops.yaml.
  • Note: proxy configs at /data/nginx/proxy_host/*.conf on Jupiter. Cert renewals briefly drop external :443.

Seafile Pro (sync.azcomputerguru.com)

  • 11.8TB file sync. services/seafile-pro.sops.yaml.

Cloudflare (DNS for azcomputerguru.com)

  • API tokens in services/cloudflare.sops.yaml. Analytics record is proxied; git is NOT.

GoDaddy API

  • Domain registrar API. services/godaddy-api.sops.yaml.

PSA / ticketing

Syncro — primary (computerguru.syncromsp.com)

  • What: Primary PSA / RMM (Kabuto agent). ACG's tickets, invoices, customers, time entries.
  • Default: API key msp-tools/syncro.sops.yaml credentials.api_key; Howard's own key msp-tools/syncro-howard.sops.yaml. Base https://computerguru.syncromsp.com/api/v1. Skill: /syncro.
  • Gotchas: NO idempotency on any endpoint — ALWAYS GET before retrying any POST. Content-Type header required. Comments need subject. add_line_item uses internal ticket ID, not ticket number. Timers no longer used for billing.
  • Detail: feedback_syncro_api, feedback_syncro_billing, feedback_syncro_workflow, feedback_syncro_history.
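Added example (not the /syncro skill's own code) of the "GET before retrying any POST" rule: syncro_post_once looks the record up before every attempt, so a POST whose reply was lost is found instead of duplicated, and it refuses to POST when the lookup itself errors. lookup_cmd and post_cmd are assumed stand-ins for the real curl calls against https://computerguru.syncromsp.com/api/v1; the simulation at the bottom is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the /syncro skill's own code: Syncro has no idempotent
# endpoints, so a POST is never retried blind. Every attempt starts with a
# lookup (GET); a POST whose reply was lost to a timeout or reset is found on
# the next pass instead of creating a duplicate ticket/comment/line item.
# lookup_cmd / post_cmd are stand-ins for the real curl calls against
# https://computerguru.syncromsp.com/api/v1. Contract: lookup prints the
# record id if it exists, prints nothing (status 0) if not, non-zero on error;
# post prints the new id on success.

SYNCRO_RETRY_SLEEP=${SYNCRO_RETRY_SLEEP:-2}   # seconds between attempts

# Usage: syncro_post_once <lookup_cmd> <post_cmd> [max_attempts]
# Prints the id of the existing or newly created record; status 1 on give-up.
syncro_post_once() {
  local lookup_cmd=$1 post_cmd=$2 max=${3:-3} attempt=1 id
  while [ "$attempt" -le "$max" ]; do
    if ! id=$("$lookup_cmd"); then
      # Lookup itself errored: do not POST blind, we cannot tell if one landed.
      echo "syncro_post_once: lookup failed on attempt $attempt" >&2
    elif [ -n "$id" ]; then
      printf '%s\n' "$id"          # already exists (possibly from a lost POST)
      return 0
    elif id=$("$post_cmd") && [ -n "$id" ]; then
      printf '%s\n' "$id"          # created cleanly
      return 0
    else
      echo "syncro_post_once: POST failed on attempt $attempt; re-checking" >&2
    fi
    attempt=$((attempt + 1))
    sleep "$SYNCRO_RETRY_SLEEP"
  done
  echo "syncro_post_once: gave up after $max attempts; check Syncro by hand" >&2
  return 1
}

# Simulation on constructed stand-ins: the first POST "times out" after the
# server already committed record 4321; the next pass finds it via lookup.
sim=$(mktemp -d)
sim_lookup() { if [ -e "$sim/committed" ]; then cat "$sim/committed"; fi; }
sim_post() {
  echo x >> "$sim/posts"                       # count every POST that went out
  [ -e "$sim/committed" ] || echo 4321 > "$sim/committed"
  return 1                                     # reply lost on the wire
}
sim_post_count() { [ -e "$sim/posts" ] && wc -l < "$sim/posts" | tr -d ' ' || echo 0; }
SYNCRO_RETRY_SLEEP=0 syncro_post_once sim_lookup sim_post   # prints 4321
```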

Autotask — secondary

  • What: Legacy/secondary PSA. Default to Syncro unless task explicitly says "Autotask".
  • Default: msp-tools/autotask.sops.yaml (API username, password, integration code; zone webservices5.autotask.net).
  • Detail: feedback_psa_default_syncro.

RMM / remote control

GuruRMM — ACG's own (rmm.azcomputerguru.com)

  • What: Rust/Axum server @ 172.16.3.30:3001. Agents on all ACG-managed endpoints. Drives /rmm skill.
  • Default: JWT login POST /api/auth/login. Creds infrastructure/gururmm-server.sops.yaml fields credentials.gururmm-api.admin-email / admin-password. External https://rmm-api.azcomputerguru.com. Dashboard https://rmm.azcomputerguru.com.
  • Gotchas: use context: "user_session" for cmdlets that fail as SYSTEM with "NonInteractive mode" (see reference_gururmm). The Linux agent runs in a systemd sandbox, so findmnt and /proc/mounts as seen from the agent lie (sandbox view, not host). SSH the host directly for ground truth.
  • Detail: reference_gururmm, project_gururmm, feedback_gururmm.

ScreenConnect / CW Control

  • Primary remote-access tool. msp-tools/screenconnect.sops.yaml.
  • Gotcha: Toolbox scripts truncate lines >80 chars silently; no inline comments mid-script. See reference_msp_audit_scripts.

Splashtop (SOS / Streamer)

  • Secondary remote-access in the stack. Portal — verify vault entry if needed.

Datto RMM (CagService / Aemagent)

  • Part of ACG stack on managed endpoints. Expected, not a threat. Portal creds — verify in vault.

GuruConnect — ACG's own (connect.azcomputerguru.com)

  • What: ACG's own remote-access product. v2 live since 2026-05-30. Native-first, full key fidelity, bidirectional file transfer.
  • Default: server 172.16.3.30:3002 behind NPM. Portal creds projects/guruconnect/portal.sops.yaml. DB projects/guruconnect/database.sops.yaml.
  • Detail: project_guruconnect.

Security / EDR / AV

Bitdefender GravityZone (Cloud MSP partner tenant)

  • What: ACG partner tenant. Endpoint AV/EDR.
  • Default: API creds msp-tools/gravityzone.sops.yaml. Skill: /bitdefender.
  • Gotcha: skill talks to live production partner tenant — destructive ops gated.

Datto EDR / Datto AV

  • What: Managed AV on ACG endpoints. When active, Windows Defender real-time is OFF by design — that's expected, not a gap.
  • Detail: reference_acg_msp_stack.

Cloud storage

Backblaze B2

  • What: Per-client MSP360/CloudBerry backup destinations. Account ID 46f69bc61163, region us-west-001.
  • Default: API key projects/claudetools/backblaze-b2.sops.yaml. Skill: /b2.

MSP360 API (backup orchestration)

  • msp-tools/msp360-api.sops.yaml.

M365 / Google Workspace tenants

ACG manages multiple M365 tenants via the ComputerGuru tiered MSP app suite (Security Investigator / Exchange Operator / User Manager / Tenant Admin / Defender Add-on / Intune Manager). Per-tenant tokens in msp-tools/computerguru-*.sops.yaml. Use the /remediation-tool skill — NOT CIPP (CIPP creds exist at msp-tools/cipp.sops.yaml but the ComputerGuru suite is the primary path).

Tenant → vault path:

  • ACG own (computerguru): msp-tools/computerguru-*.sops.yaml (partner tenant)
  • Dataforth: clients/dataforth/m365.sops.yaml
  • Cascades Tucson: clients/cascades-tucson/m365-admin.sops.yaml, m365-sysadmin.sops.yaml
  • QuantumWMS: clients/quantumwms/m365-breakglass.sops.yaml
  • BG Builders: clients/bg-builders/m365.sops.yaml
  • MVAN: clients/mvan/m365.sops.yaml
  • Heieck.org: clients/heieck-org/m365.sops.yaml
  • CW Concrete: clients/cw-concrete/m365.sops.yaml
  • Kittle (M. Sanchez): clients/kittle/m365-michael-sanchez.sops.yaml

Also: multi-tenant Graph API service principal at msp-tools/claude-msp-access-graph-api.sops.yaml.

Google Workspace: ACG service account msp-tools/acg-msp-access-google-workspace.sops.yaml. Client-specific: clients/lonestar-electrical/google-workspace.sops.yaml.

Detail: project_cascades, project_dataforth, project_quantum_godaddy_m365_tenant.


Internal APIs (all on 172.16.3.30)

ClaudeTools main API (:8001)

  • 95+ endpoints, JWT auth, MariaDB. Docs /api/docs. Auth creds projects/claudetools/api-auth.sops.yaml.

ClaudeTools coord API (:8001/api/coord)

GuruRMM API (:3001) / GuruConnect API (:3002)

  • See respective sections above.

Other services

Matomo Analytics (analytics.azcomputerguru.com)

  • PHP analytics on IX server. Tracks 3 sites. Creds services/matomo-analytics.sops.yaml (verify; older docs hardcoded the password — should now be vault-only).
  • Detail: reference_matomo_analytics.

Flarum forum (community.azcomputerguru.com)

  • Flarum 1.8.14 on IX server cPanel azcomputerguru. Skill: /forum-post.
  • Gotcha: Cloudflare blocks external Flarum API calls. Must SSH to IX and run PHP/DB script — the /forum-post skill handles this via paramiko SSH.
  • Detail: reference_community_forum.

Radio show (radio.azcomputerguru.com)

  • Astro static site, source at projects/radio-show/website/. Build npm run build → rsync dist/ to IX server cPanel.
  • Detail: reference_radio_website.

TickTick

Ollama (local, per-machine)

  • Tier-0 LLM (drafts, summaries, classification). Endpoint per-machine in .claude/identity.json .ollama.endpoint. Models: qwen3:14b / qwen3.6 (structured) / codestral:22b (code). See .claude/OLLAMA.md.

GrepAI (local watcher + MCP server)

  • Semantic code search over claudetools/ + session-logs/. MCP tools grepai_search, grepai_trace_callers/callees. CLI $CLAUDETOOLS_ROOT/grepai search. Watcher runs as scheduled task per machine.

Discord bot

  • projects/discord-bot/anthropic-api.sops.yaml + bot-token.sops.yaml. Runs as .venv/Scripts/python.exe -m bot.main from projects/discord-bot/.

Azure Trusted Signing

  • Windows code signing (Pluto signtool). services/azure-trusted-signing.sops.yaml.

Apple Developer Program

  • macOS code signing + MDM Push cert. infrastructure/apple-developer-program.sops.yaml. MDM Push cert renews annually on the same Apple ID or enrolled iOS devices break. See project_apple_mdm_certs.

Client systems (per-client vault pattern)

Every managed client has access entries at clients/<slug>/<system>.sops.yaml. Examples by frequency: Cascades Tucson (pfSense / Synology / CS-SERVER / accountant PC / multiple admin accounts), Dataforth (AD1, AD2, ESXi 122/124, D2TESTNAS, PBX, UDM, Neptune, M365, OAuth), VWP (UDM / DC1 / XenServer / iLO / etc.), Peaceful Spirit (server + L2TP VPN), plus: Anaise, BG Builders, Birth Biologic, CryoWeave, CW Concrete, Grabb & Durando, Heieck, IMC, Khalsa, Kittle, Lens Auto Brokerage, Lonestar Electrical, MVAN, QuantumWMS, Rednour, Scileppi, Sif-Oidak, Sombra Residential, Stamback Septic, Tucson Golden Corral, Key Paul, Glaztech (GuruRMM site key only). Sweep bash $VAULT search <client> first.

Doc layout (overview/network/servers/cloud/security/rmm) and wiki articles at wiki/clients/<slug>.md. Detail: reference_client_docs_structure.

Notable gotcha — D2TESTNAS: root@192.168.0.9 with Paper123!@# (NOT sysadmin). See feedback_d2testnas_ssh.


Per-machine access gotchas (consolidated)

Machine → gotchas:

  • GURU-5070 (Mike's Win11 primary): IX pubkey not authorized → use sshpass. Pluto pubkey not authorized → use /rmm agent PLUTO instead. Has full local Rust toolchain (cargo + MSVC + protoc) — build GuruConnect locally; set $env:PROTOC to the winget path. See reference_guru5070_rust_toolchain.
  • GURU-BEAST-ROG (Win11 secondary): Verify SSH key deployment per resource. See machine_windows_guru_setup_status.
  • GURU-KALI (Linux): Subject to GuruRMM agent sandbox issue (reference_gururmm §sandbox) for Linux-agent dispatched commands.
  • Mikes-MacBook-Air: gururmm install-hooks.sh still pending — see project_gururmm. Vault path is ~/vault.
  • Howard-Home / ACG-TECH03L: Vault path varies — read from .claude/identity.json vault_path.
  • All Windows machines: Use system OpenSSH (C:\Windows\System32\OpenSSH\ssh.exe) NEVER Git for Windows SSH. NEVER redirect to backslashed Windows paths from Git Bash (echo X > D:\path corrupts to junk file).
  • All machines: Tailscale must be on for any 172.16.x.x from outside office.