| name | description | metadata |
|---|---|---|
| rmm-spawn-headless-claude | Spawn a headless `claude -p` on any RMM-managed Windows box that has Claude Code installed — reaches isolated sites (AD2) the coord API can't | |
Any RMM-managed Windows endpoint with Claude Code installed can run an autonomous headless
Claude, dispatched via a GuruRMM command — even a site that's isolated from the ACG coord API.
The RMM agent phones home outbound, so this works where ad2-comms-via-sync-only says coord
can't reach (coord :8001 blocked ≠ RMM :3001 blocked). Validated 2026-07-01 on AD2
(Dataforth DC, agent cfa93bb6-..., claude v2.1.181 at C:\Users\sysadmin\.local\bin\claude.exe).
Recipe:
- Dispatch with `"context":"user_session"` — needs an interactive logged-on user (check `quser`); an admin session comes back elevated. `claude` is a per-user install, not on the SYSTEM PATH, so SYSTEM context won't find it.
- GOTCHA: unset `ANTHROPIC_API_KEY` first. A stale machine-level `ANTHROPIC_API_KEY` (108-char) shadows the good OAuth creds and makes `claude -p` fail with `Invalid API key · Fix external API key`. Run `Remove-Item Env:\ANTHROPIC_API_KEY` (+ `$env:ANTHROPIC_API_KEY=$null`) before invoking → falls back to `~\.claude\.credentials.json` OAuth and authenticates.
- Detach + poll. A real audit run takes many minutes; RMM caps command lifetime (see gururmm-command-timeout-seconds — use `timeout_seconds`). Launch detached (`Start-Process powershell -File runner.ps1 -WindowStyle Hidden`), have the runner write the deliverable to a file + a `DONE.txt` marker, and poll the marker via short RMM commands.
- Run headless as: `claude -p <brief> --permission-mode bypassPermissions --output-format text`. For an audit, give an ironclad READ-ONLY brief (no writes/git/state changes) since bypassPermissions lets it run any tool. Pass the brief via a base64'd file to dodge quoting.
- Windows/Git-Bash: the mingw `curl` intermittently hits `Permission denied` (AV lock) — use `/c/Windows/System32/curl.exe` for the dispatch. See feedback_windows_quote_stripping.
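The four recipe steps above folded into one `runner.ps1`, as an added example (not the page's or the project's own script): it clears the stale key for the process only, decodes the base64'd brief, refuses a brief that does not declare itself read-only, runs `claude -p` headless and always drops the `DONE.txt` marker. The work directory, file names and the READ-ONLY marker string are assumptions.

```powershell
# runner.ps1 -- added example. Launched detached by the RMM dispatch
# (Start-Process powershell -File runner.ps1 -WindowStyle Hidden) inside a
# logged-on user's session, so the multi-minute claude run outlives the RMM
# command timeout. Paths below are assumptions; adjust per site.
$WorkDir  = "C:\Temp\claude-audit"                    # assumed working directory
$BriefB64 = Join-Path $WorkDir "brief.b64"            # base64'd brief dropped by the dispatch
$OutFile  = Join-Path $WorkDir "result.txt"           # the deliverable
$Marker   = Join-Path $WorkDir "DONE.txt"             # poll target for short RMM commands
$Claude   = Join-Path $env:USERPROFILE ".local\bin\claude.exe"  # per-user install, not on SYSTEM PATH

$status   = "FAILED"
$exitCode = -1
try {
    if (-not (Test-Path $Claude)) { throw "claude.exe not found at $Claude (wrong context? check quser)" }

    # GOTCHA from the recipe: a stale machine-level ANTHROPIC_API_KEY shadows the
    # OAuth creds in ~\.claude\.credentials.json. Clear it for this process only;
    # the machine-level value itself is left untouched.
    Remove-Item Env:\ANTHROPIC_API_KEY -ErrorAction SilentlyContinue
    $env:ANTHROPIC_API_KEY = $null

    # The brief travels as base64 to dodge RMM/PowerShell quote stripping.
    $b64   = (Get-Content $BriefB64 -Raw).Trim()
    $brief = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))

    # Cheap guard (assumed convention): refuse briefs that do not declare themselves
    # read-only, since bypassPermissions lets claude run any tool on the box.
    if ($brief -notmatch 'READ-ONLY') { throw "brief lacks READ-ONLY declaration; refusing to run" }

    & $Claude -p $brief --permission-mode bypassPermissions --output-format text 2>&1 |
        Out-File -FilePath $OutFile -Encoding utf8
    $exitCode = $LASTEXITCODE
    if ($exitCode -eq 0) { $status = "OK" }
}
catch {
    $_ | Out-File -FilePath $OutFile -Encoding utf8 -Append
}
finally {
    # Always drop the marker so the poller never waits forever. Record the brief
    # file's hash so the dispatcher can confirm which brief actually ran.
    $briefHash = if (Test-Path $BriefB64) { (Get-FileHash $BriefB64 -Algorithm SHA256).Hash } else { "n/a" }
    "status=$status exit=$exitCode brief_sha256=$briefHash finished=$(Get-Date -Format o)" |
        Set-Content -Path $Marker
}
```

Poll from the dispatch side with a short RMM command such as `Get-Content C:\Temp\claude-audit\DONE.txt -ErrorAction SilentlyContinue`; an empty result means the run is still going.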
Use for: live audits/data-gathering on isolated or hard-to-reach managed boxes without the async sync-handoff. Keep it read-only on production (AD2 is a domain controller).