# Native Remote Control — Applicable Standards The following standards from `.claude/standards/` apply to this feature. ## security/credential-handling No hardcoded credentials. The GuruRMM→guru-connect integration key (`CONNECT_INTEGRATION_KEY`), per-machine agent keys, and viewer tokens come from env/SOPS — never source. Per-machine agent keys and viewer tokens are **hashed/short-lived**; JWT for auth, Argon2id for any password storage. Log all auth attempts and session brokering (timestamp, identity, agent_id). Source: `.claude/standards/security/credential-handling.md` ## api/response-format New endpoints (`POST /api/agents/:agent_id/remote-control`, GC `POST /api/sessions`, `POST /api/sessions/:id/viewer-token`, `POST /api/agents/:agent_id/keys`) use RESTful plural nouns, kebab-case multi-word segments (`/remote-control`), and the standard error envelope `{ detail, error_code, status_code }`. Prefer `sqlx::query()` (runtime) over the `query!()` macro for new queries. Source: `.claude/standards/api/response-format.md` ## gururmm/sqlx-migrations New migrations (`connect_agent_keys`, session `is_managed`/`source` columns, `remote_control_sessions`) must be idempotent (`CREATE TABLE IF NOT EXISTS`, `ADD COLUMN IF NOT EXISTS`). Let the server binary apply migrations on startup; never pre-apply via psql without the `_sqlx_migrations` row. Run `cargo sqlx prepare` and commit `.sqlx/` if any `query!()` macro changes. Source: `.claude/standards/gururmm/sqlx-migrations.md` ## gururmm/platform-parity The endpoint launch logic (Task 7) is Windows-only because the guru-connect agent is Windows-only. This is allowed, but the non-Windows path must be a working stub with `// TODO(platform): linux/macos — guru-connect agent not available`, not a silent no-op. Any new `AppState` field added in `main.rs` must also be mirrored in `service.rs` (Windows-service entry). Source: `.claude/standards/gururmm/platform-parity.md` ## gururmm/build-pipeline Never run `build-agents.sh` / build scripts manually over SSH. All agent and server builds go through the Gitea webhook pipeline (push to `main`). Deploy = stop → copy binary → start. Source: `.claude/standards/gururmm/build-pipeline.md` ## conventions/no-emojis & conventions/output-markers No emojis anywhere in code, logs, dashboard strings, or commit messages. Use ASCII status markers `[OK] [ERROR] [WARNING] [SUCCESS] [INFO] [CRITICAL]` in any script or operator-facing output (installer scripts, agent launch logs, dashboard toasts). Source: `.claude/standards/conventions/no-emojis.md`, `.claude/standards/conventions/output-markers.md` ## git/commit-style Conventional commit types (`feat:`, `fix:`, `spec:`, `build:`), and `Co-Authored-By` for Claude-assisted commits. Never commit `.env`, keys, or unencrypted secrets. Source: `.claude/standards/git/commit-style.md` ## Integration contract versioning (feature-specific rule) Because GC and RMM ship on independent pipelines/cadences, the integration surface is **semver'd** and namespaced (`/api/integration/v1/`). GC must not change a published contract version in a breaking way without a major bump, and must keep `CONTRACT.md` in lockstep with the code (enforced by the Task 11 contract test in each pipeline). RMM discovers support via `GET /api/integration/capabilities` and version-gates — never assumes a feature exists. This is the mechanism that keeps the two products "in-sync" without coupling their releases. ## Embedding / clickjacking (security, feature-specific) The embedded viewer relaxes `frame-ancestors`/`X-Frame-Options` **only on the viewer route**, to an explicit RMM-origin allowlist sourced from env. The global `frame-ancestors 'none'` (`server/src/middleware/security_headers.rs:30`) and `X-Frame-Options` (`:37-39`) stay in force for every other route. Never disable framing protection globally to enable the embed. ## guru-connect project conventions (`projects/msp-tools/guru-connect/CLAUDE.md`) Not in `.claude/standards/` but binding for the GC repo: Rust uses `tracing` (not `println!`), `anyhow` in binaries, `thiserror` for library errors, `async`/`await`, `cargo clippy` before commits; protobuf is the source of truth (`proto/guruconnect.proto`); transport is protobuf over `wss://`; Argon2id for passwords; agent stays a single static binary with no runtime deps. Source: `projects/msp-tools/guru-connect/CLAUDE.md`