Files
claudetools/.claude/memory/reference_syncro_rmm_api_gui_only.md
Howard Enos 1f56098652 syncro: expand skill to full Syncro API surface (assets/RMM/deploy) + verified capability model
Add comprehensive Syncro coverage beyond PSA core:
- New .claude/standards/syncro/api-reference.md: complete verified inventory of ~180
  endpoints across 38 resource types (generated from live OpenAPI 3.0 spec + tenant
  probe 2026-07-10), with worked GET/POST/PUT/DELETE templates and token-capability matrix.
- /syncro: asset read intelligence (patches, installed_applications), asset create/update,
  policy-folder move (move-asset), RMM alerts, and deploy-agent (hybrid installer push via
  GuruRMM using SyncroSetup --console --allow-force-reboot).
- move-asset ships a capability preflight (GET /policy_folders?customer_id -> 401 = missing
  Assets-Policy-Change) + mandatory post-write verify, because an under-scoped token returns
  HTTP 200 and silently no-ops the move.

Correct the "Syncro RMM is API-impossible" belief: it was a token-scope gap, not an API
limit. Live-verified the asset move (flip-and-restore 692253->692278->692253). Token scope
today: Howard + Winter full; Mike (vaulted ...ebbeb3) still 401 pending re-vault.

Corrects memory reference-syncro-rmm-api-gui-only; correction logged to errorlog.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-10 15:45:26 -07:00

3.0 KiB

name, description, metadata
name description metadata
reference-syncro-rmm-api-gui-only Syncro asset/RMM IS API-drivable (reads, create/update, patches, installed_apps, rmm_alerts) — only policy-folder ops need a token scope our per-user keys currently lack (re-verified 2026-07-10)
type
reference

CORRECTION (2026-07-10): most of Syncro's asset/RMM surface IS API-drivable — the earlier "RMM is GUI-only" conclusion was a token-scope symptom, not an API limitation. Live-probed the ACG production tenant with a per-user token (howard) on 2026-07-10 and confirmed against the OpenAPI 3.0 spec (api-docs.syncromsp.com/swagger.json):

  • Works with our current per-user token (HTTP 200): GET/POST /customer_assets, PUT /customer_assets/{id} (name/serial/type/customer/properties — name required), GET /customer_assets/{id}/patches, .../installed_applications, /rmm_alerts (list + {id}/mute + DELETE clear), plus contacts, contracts, leads, vendors, purchase_orders, products, payments, wiki_pages, /me, /search. The /syncro skill now documents the asset-read/asset-write/rmm-alert/agent-deploy workflows; the full inventory is in .claude/standards/syncro/api-reference.md.
  • Policy-folder move: VERIFIED WORKING with a full-scope token (2026-07-10). Howard's token was upgraded to full scope; flip-and-restore on ACG-internal asset 12335235 (692253 → 692278 → 692253) succeeded, each confirmed by GET. PUT /customer_assets/{id} with policy_folder_id (+ required name) moves the asset. The spec: "only policy_folder_id requires Assets - Policy Change; with other fields requires Assets - Edit AND Assets - Policy Change; nil/nonexistent/cross-customer folder → 422."
  • Route quirks: GET /policy_folders (bare) → 404; GET /policy_folders?customer_id=N → 200 (enumerate a customer's folders); GET /policy_folders/{id} → 401 even at full scope.
  • Per-user scope differs — capability-check every scope-gated write. A token WITHOUT Policy-Change returns HTTP 200 and silently no-ops the move (the exact 2026-06-25 symptom that produced the original "GUI-only" belief); /me shows coarse asset:{write:true} and cannot detect it. The /syncro move-asset helper preflights GET /policy_folders?customer_id=N (401 = no scope) and verifies the folder actually changed after the PUT. Only Howard's token is confirmed full-scope so far; grant the scope to each per-user token for consistent behavior.
  • Archive (retire) IS genuinely GUI-only — no archive endpoint, no archived field, and DELETE is destructive. That part of the old note stands.

How to apply: Build/asset-manage freely via API for everything EXCEPT policy folders. To unlock /syncro move-asset + policy CRUD, add Assets - Policy Change + policy-folder read/manage to the Syncro API token (Admin → API Tokens), re-vault, then flip-and-restore verify on ACG-internal asset 12335235 (folder 692253). Do NOT re-assert "can't do assets via API" — that was wrong. See feedback-psa-default-syncro and the api-reference doc.