Two defects found while running /wiki-compile, both from tooling assuming
a path instead of resolving it.
1. Plaintext Syncro API keys. Mike's and Howard's live PSA keys were
copy-pasted into three command files, a script, and two catalog docs --
despite both already being vaulted at msp-tools/syncro and
msp-tools/syncro-howard. Replaced with reads from the SOPS vault via a
new sourced helper, .claude/scripts/syncro-env.sh. Write paths fail
closed; read-only paths degrade to skipped enrichment rather than a
wrong key. Per-user mapping is unchanged, so Syncro attribution is too.
2. Hardcoded repo root. wiki-compile/wiki-lint/inject-standards and
gen_b64.py hardcoded D:/claudetools; this machine is C:/claudetools.
syncro.md also read ~/.claude/identity.json before the repo copy -- the
same bug that made remediation-tool's consent-audit report a fully
consented tenant as RED. Root now resolves from the script's own
location, with identity.json claudetools_root as the override.
get-identity.sh had a chicken-and-egg bug: it read ${CLAUDETOOLS_ROOT:-.}
but never set it, so every caller had to already know the root. It now
self-resolves and exports CLAUDETOOLS_ROOT + VAULT_ROOT.
Verified: all three command setup blocks authenticate against live Syncro;
get-identity.sh works from any cwd and honors a pre-set root; gps-rmm
autoenroll resolves its key from the vault. security-review: no findings.
NOTE: both keys remain valid in git history. Rotation in the Syncro portal
is the required follow-up -- this commit does not resolve that exposure.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
37 lines
1.9 KiB
Bash
37 lines
1.9 KiB
Bash
#!/bin/bash
|
|
# gps-rmm-autoenroll.sh — auto-enroll loop for the GPS->RMM audit.
|
|
# Every run: push the generic Staging installer (DARK-STORM-3150) to GPS-customer
|
|
# machines that are ONLINE in ScreenConnect but missing from GuruRMM, wait for them
|
|
# to enroll, then reassign Staging agents to their real client (hostname->Syncro).
|
|
# Registered as Windows task GPS-RMM-AutoEnroll (every 30 min). Remove the task when
|
|
# targets.json is fully enrolled. Safe to re-run: server v6.77+ dedups by device_id.
|
|
set -uo pipefail
|
|
cd /c/claudetools || exit 1
|
|
LOG="projects/gps-rmm-audit/autoenroll.log"
|
|
TS="$(date '+%Y-%m-%d %H:%M')"
|
|
|
|
eval "$(bash .claude/scripts/rmm-auth.sh 2>/dev/null)" >/dev/null 2>&1
|
|
if [ -z "${TOKEN:-}" ]; then echo "$TS auth FAILED" >> "$LOG"; exit 0; fi
|
|
SEC="$(bash .claude/scripts/vault.sh get-field msp-tools/screenconnect.sops.yaml credentials.api_secret 2>/dev/null | tr -d '\r\n')"
|
|
SK="$(bash .claude/scripts/vault.sh get-field msp-tools/syncro-howard credentials.credential 2>/dev/null | tr -d '\r\n')"
|
|
if [ -z "$SK" ]; then echo "$TS syncro key read FAILED" >> "$LOG"; exit 0; fi
|
|
|
|
OUT="$(RMM="$RMM" TOK="$TOKEN" SK="$SK" SC_SECRET="$SEC" python projects/gps-rmm-audit/tools/rebuild-and-push.py 2>/dev/null | tail -2)"
|
|
PUSHED="$(echo "$OUT" | grep -oE 'pushed: [0-9]+' | grep -oE '[0-9]+' | head -1 || true)"
|
|
PUSHED="${PUSHED:-0}"
|
|
echo "$TS sweep: $(echo "$OUT" | head -1)" >> "$LOG"
|
|
|
|
if [ "${PUSHED:-0}" -gt 0 ]; then
|
|
sleep 150
|
|
RES="$(RMM="$RMM" TOK="$TOKEN" SK="$SK" python projects/gps-rmm-audit/tools/reassign-staging.py 2>/dev/null)"
|
|
MOVED="$(echo "$RES" | grep -cE '^ .+ -> ' || true)"
|
|
MOVED="${MOVED:-0}"
|
|
echo "$TS pushed $PUSHED, reassigned $MOVED:" >> "$LOG"
|
|
echo "$RES" | grep -E '^ ' >> "$LOG"
|
|
if [ "${MOVED:-0}" -gt 0 ]; then
|
|
NAMES="$(echo "$RES" | grep -E '^ .+ -> ' | sed 's/^ //' | tr '\n' '; ')"
|
|
bash .claude/scripts/post-bot-alert.sh "[RMM] auto-enroll: $NAMES" >/dev/null 2>&1
|
|
fi
|
|
fi
|
|
exit 0
|