claudetools/projects/msp-tools/security-assessment/DEPLOY.md
Mike Swanson 260be8c2ad security.azcomputerguru.com: scaffold the client security-assessment intake app
New MSP tool — single-assessor consult intake. Stack: PHP + MySQL on the IX cPanel
host, gated by Cloudflare Access (only mike@azcomputerguru.com; app re-checks the
Cf-Access-Authenticated-User-Email header).

- app/questions.json — risk-ordered question framework (9 sections); each field tagged
  source=syncro/rmm/scan/ask so the consult asks only what a human knows and the
  post-meeting scan fills the technical reality.
- app/index.php — wizard UI: Syncro phone lookup -> prefill, section rail with live
  progress, importance-colored question cards, in-meeting 365/Google consent links,
  review + export.
- app/api.php — Syncro lookup-by-phone, save/load/list, consent-URL generation (reuses
  the read-only Security Investigator app bfbc12a4-...), HTML export.
- app/schema.sql, config.sample.php, DEPLOY.md, README.md.

Consent links let the client approve read-only 365/Google access during the consult so
the audit scan runs afterward. Read-only by design (reads Syncro, generates consent; no
tenant writes).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 14:20:05 -07:00


# Deploy — security.azcomputerguru.com

## 1. cPanel / WHM (IX server, 172.16.3.10)

- Create subdomain `security.azcomputerguru.com` (docroot e.g. `/home/<acct>/security`).
- Create MySQL DB `acgsec_assess` + user `acgsec_app`, grant all on the DB. Vault the password
  (`msp-tools/security-assessment-db`). Import `app/schema.sql`.
- Upload `app/*` to the docroot. `cp config.sample.php config.php` and fill secrets (DB pass +
  Mike's Syncro key from vault `msp-tools/syncro-mike`).

## 2. Cloudflare DNS + Access

- DNS: `security` A/CNAME -> the IX origin, **proxied** (orange cloud).
- Zero Trust > Access > Applications: add self-hosted app for `security.azcomputerguru.com`,
  policy = Allow, include `mike@azcomputerguru.com` (require MFA). Everyone else blocked.
  The app reads `Cf-Access-Authenticated-User-Email` as a second check.
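
The second check above, written out as an added example. This is not the app's own code from `app/index.php` or `app/api.php`; it assumes the allowlist is configured in `config.php` and that the check runs before any other work in each entry point. It fails closed: no identity header, no signed assertion header, or an address not on the allowlist all end the request with a 403 and an audit log line.

```php
<?php
// Added example (not the app's own code): fail-closed re-check of the
// Cloudflare Access identity in front of the wizard.
//
// Assumptions (not from the deploy notes): the allowlist comes from
// config.php, and require_access_user() is called at the top of
// index.php / api.php before anything else runs.

declare(strict_types=1);

/**
 * Returns the authenticated email when the request carries an Access identity
 * that is on the allowlist, or null otherwise. Never yields an anonymous user.
 */
function access_user_email(array $server, array $allowedEmails): ?string
{
    // PHP exposes the "Cf-Access-Authenticated-User-Email" header under this key.
    $email = $server['HTTP_CF_ACCESS_AUTHENTICATED_USER_EMAIL'] ?? '';
    // Access also sets its signed assertion on every request it admits; if it
    // is absent, the request did not come through the Access application,
    // whatever the email header claims.
    $jwt = $server['HTTP_CF_ACCESS_JWT_ASSERTION'] ?? '';
    if ($email === '' || $jwt === '') {
        return null;
    }

    $email = strtolower(trim($email));
    foreach ($allowedEmails as $allowed) {
        // hash_equals(): constant-time comparison, no early-exit timing leak.
        if (hash_equals(strtolower(trim($allowed)), $email)) {
            return $email;
        }
    }
    return null;
}

/** Enforce the check, or stop the request with 403 and an audit log entry. */
function require_access_user(array $allowedEmails): string
{
    $email = access_user_email($_SERVER, $allowedEmails);
    if ($email === null) {
        error_log(sprintf(
            'security-assessment: denied %s from %s (no valid Access identity)',
            $_SERVER['REQUEST_URI'] ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ));
        http_response_code(403);
        header('Content-Type: text/plain');
        exit('Forbidden');
    }
    return $email;
}

// Usage at the top of index.php / api.php, with the allowlist from the notes above:
// $user = require_access_user(['mike@azcomputerguru.com']);
```

Design note: the identity header is only meaningful while the origin cannot be reached except through Cloudflare (the proxied record in step 2 plus an origin firewall or Authenticated Origin Pulls), because anything that hits the cPanel host directly can set arbitrary headers. The stronger form of the same check is to validate the `Cf-Access-Jwt-Assertion` JWT's signature against the team's `/cdn-cgi/access/certs` endpoint and its `aud` claim against the Access application's AUD tag, then take the email from the token rather than from the header.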

## 3. Consent apps

- 365: register redirect URI `https://security.azcomputerguru.com/consent-callback.php` on the
  Security Investigator app (bfbc12a4-...). Admin-consent link is generated per-tenant in-app.
- Google: create a Workspace read-only OAuth client, set GOOGLE_CLIENT_ID + redirect; scopes are
  in config. (Stubbed until created.)
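
How the per-tenant 365 admin-consent link and its callback fit together, as an added example rather than the app's own `api.php` code. It assumes the Microsoft identity platform v2.0 `adminconsent` endpoint, that the client id and redirect URI are read from `config.php` (the client id below is a placeholder for the elided `bfbc12a4-...` value), and that a PHP session is available to hold a single-use `state` value binding the link to one assessment record.

```php
<?php
// Added example (not the app's own code): build the per-tenant admin-consent
// link with a CSRF-binding state value, and consume that state when
// consent-callback.php is hit.
//
// Assumptions (not from the deploy notes): v2.0 adminconsent endpoint; client
// id and redirect URI come from config.php; session_start() has already run.

declare(strict_types=1);

const CONSENT_REDIRECT_URI = 'https://security.azcomputerguru.com/consent-callback.php';
const CONSENT_CLIENT_ID    = 'bfbc12a4-PLACEHOLDER-client-id';   // real value lives in config.php
const CONSENT_STATE_TTL    = 900;                                 // seconds a link stays valid

/** Build the admin-consent URL for one client tenant and remember its state. */
function build_admin_consent_url(string $tenant, string $assessmentId): string
{
    // The tenant is a GUID or a verified domain; reject anything else so the
    // value cannot inject path segments or query parameters into the URL.
    if (!preg_match('/^[A-Za-z0-9.\-]+$/', $tenant)) {
        throw new InvalidArgumentException('invalid tenant identifier');
    }
    $state = bin2hex(random_bytes(16));
    // Bind the state to the assessment so the callback can attach the granted
    // consent to the right client record and nothing else.
    $_SESSION['consent_state'][$state] = [
        'assessment' => $assessmentId,
        'tenant'     => $tenant,
        'issued'     => time(),
    ];
    $query = http_build_query([
        'client_id'    => CONSENT_CLIENT_ID,
        // Scope is an assumption here; the app's real scopes are in config.
        'scope'        => 'https://graph.microsoft.com/.default',
        'redirect_uri' => CONSENT_REDIRECT_URI,
        'state'        => $state,
    ]);
    return sprintf(
        'https://login.microsoftonline.com/%s/v2.0/adminconsent?%s',
        rawurlencode($tenant),
        $query
    );
}

/**
 * Called from consent-callback.php with $_GET. Returns the bound assessment
 * record (plus the tenant id Microsoft reports) or null when the state is
 * unknown, replayed, expired, or consent was not granted.
 */
function consume_consent_state(array $query): ?array
{
    $state  = $query['state'] ?? '';
    $record = $_SESSION['consent_state'][$state] ?? null;
    if ($record === null) {
        return null;                                  // unknown or already used
    }
    unset($_SESSION['consent_state'][$state]);        // single use
    if (time() - $record['issued'] > CONSENT_STATE_TTL) {
        return null;                                  // link too old
    }
    // Per Microsoft's documentation the success redirect carries
    // admin_consent=True and tenant=<tenant id>.
    if (($query['admin_consent'] ?? '') !== 'True') {
        return null;
    }
    $record['granted_tenant'] = $query['tenant'] ?? null;
    return $record;
}

// Usage:
// $url = build_admin_consent_url('contoso.onmicrosoft.com', $assessmentId);  // shown in the wizard
// $rec = consume_consent_state($_GET);  // in consent-callback.php; null => reject
```

The point of the `state` round trip is that a callback with no matching, unexpired state is dropped rather than recorded, so a consent response cannot be attached to a different assessment than the one the link was generated for. The callback itself stays read-only in the sense of the notes below: it records that consent was granted and nothing more.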

## Notes

- Read-only by design: the app only *reads* Syncro and *generates* consent links. No tenant writes.
- Post-meeting scan consumes the export + the granted 365/Google consent to run the audit.