diff --git a/.claude/memory/blockers.md b/.claude/memory/blockers.md index 196ff7b..0f43b0c 100644 --- a/.claude/memory/blockers.md +++ b/.claude/memory/blockers.md @@ -14,3 +14,20 @@ repo (remote git.bchanot.fr) would leak it. Root cause: key inlined in `write_op Fix: repo copy `bin/claude-provider` reads `${OPENROUTER_API_KEY:?...}` from env; key never in repo. Verified `git grep sk-or` clean. Status: resolved in repo. ACTION user: revoke old key at openrouter.ai (compromised — was in plaintext + exposed in chat). + +## BLK-003 — xrdp block: `systemctl enable xrdb` typo aborted installer — RESOLVED +2026-06-23. Uncommitted install.sh xrdp block had `sudo systemctl enable xrdb` (typo: `xrdb` = X +resource-DB tool, no such systemd service). Returns non-zero → under `set -euo pipefail` aborts +whole installer. Also `apt-get install xrdp` missing `-y` → hangs non-interactive run. Root cause: +one-letter typo `xrdp`→`xrdb` + missing -y. Fix: idempotent `install_xrdp()` (apt -y, adduser xrdp +ssl-cert, polkit .rules, conditional ufw 3389, enable+restart). shellcheck + bash -n CLEAN. +Status: resolved in repo. Not run live / RDP connection not tested. + +## BLK-004 — RDP Win→Linux 0x904/0x7: empty gate creds on g-r-d --system — RESOLVED +2026-06-23. After xrdp dropped for gnome-remote-desktop (Wayland), mstsc fails `0x904 / 0x7` +despite: daemon LISTEN *:3389, ufw inactive, TLS cert readable, service active. Root cause: +`grdctl --system status` → `Username: (empty)` / `Password: (empty)`. System "Remote Login" = +2-layer auth: shared gate creds (`grdctl --system rdp set-credentials`) unlock GDM, then per-user +PAM login at GDM. Empty gate creds → RDP nego refused before GDM → 0x904. Fix: set-credentials, +connect (gate creds → GDM `bchanot`). Connection CONFIRMED live. Automated in install.sh via +ensure_rdp_credentials (prompt, TTY-guarded, idempotent). Supersedes BLK-003 (xrdp). Status: resolved. 
diff --git a/.claude/memory/journal.md b/.claude/memory/journal.md index 8e0dc34..1f9ce6e 100644 --- a/.claude/memory/journal.md +++ b/.claude/memory/journal.md @@ -12,3 +12,17 @@ Then: install.sh arg dropped → uname OS-detect (Darwin→osx else linux). Dele Added remote-install.sh curl|bash bootstrap (BDR-004). shellcheck CLEAN. Docs synced. Committed in 4 atomic commits (chore claude / refactor install / feat remote-install / docs). Slip: staged deletion swept into commit 1; fixed via soft-reset + restore --staged. Unpushed. + +## 2026-06-23 — xrdp install fix +Added/fixed xrdp in install.sh. Found uncommitted block: `enable xrdb` typo (aborts set -e +installer, BLK-003) + `apt-get install xrdp` no -y. Built idempotent install_xrdp() — ssl-cert group ++ polkit .rules (verified polkit 127) + conditional ufw 3389 + enable/restart (LRN-003). Also fixed +adjacent: code-server@"$USER" quoting, broken .profile dtach block (invalid `[ ! grep ]` test + +heredoc unterminated indented EOF). shellcheck + bash -n CLEAN. Not run live / RDP untested. + +## 2026-06-23 — RDP pivot xrdp → gnome-remote-desktop +xrdp abandoned (Wayland-only GNOME kills Xorg session). Replaced install_xrdp → setup_remote_desktop +(g-r-d system Remote Login): TLS cert + rdp enable + service. Live debug mstsc 0x904/0x7 = gate creds +empty (BLK-004); 2-layer auth gate→GDM PAM (LRN-004). Added ensure_rdp_credentials (prompt, TTY-guard, +idempotent). Connection CONFIRMED live. install.sh committed 0bd936b (bash -n + shellcheck CLEAN); +push blocked here (HTTPS remote, no creds in env) → user pushes. TPM GKeyFile-fallback warn harmless. diff --git a/.claude/memory/learnings.md b/.claude/memory/learnings.md index 1bfb9e7..dba1fcd 100644 --- a/.claude/memory/learnings.md +++ b/.claude/memory/learnings.md 
@@ -11,3 +11,21 @@ dir exists" on second run. Apply to any provisioning script. 2026-05-27. molokai colorscheme committed in `vim/colors/` AND cloned to /tmp then copied. `cp -rupv vim/* ~/.vim/` already deploys it. Dropped the clone. Lesson: check what tracked files already cover before adding external fetch. + +## LRN-003 — GNOME + xrdp working recipe (Ubuntu) +2026-06-23. `apt install xrdp` alone = black screen + auth popups. Need: `adduser xrdp ssl-cert` +(xrdp reads TLS key, else black screen on login); polkit rule allowing `org.freedesktop.color-manager.*` +(else recurring "Authentication required to create a color managed device" popups). Polkit format +version-gated: v>=0.106 → `/etc/polkit-1/rules.d/*.rules` (JS); older → `.pkla`. Verified live polkit +127 → `.rules` only (`.pkla` backend dropped). Open RDP 3389 only if firewall active. Restart xrdp +after group add so daemon reloads ssl-cert membership. + +## LRN-004 — gnome-remote-desktop --system: remote desktop on Wayland-only GNOME +2026-06-23. xrdp does NOT work on Wayland-only GNOME (Shell asserts XDG_SESSION_TYPE=wayland, Xorg +backend dies instantly on login) → LRN-003 xrdp recipe N/A on such hosts. Use g-r-d system "Remote +Login": self-signed TLS cert via `grdctl --system rdp set-tls-cert/set-tls-key`, `rdp enable`, +enable+start `gnome-remote-desktop.service`. Auth = 2 layers: shared gate creds via `set-credentials` +(unlock GDM) THEN per-user PAM login. Gate creds REQUIRED — empty → mstsc 0x904/0x7 (BLK-004). +Listening socket + TLS + enable NOT enough alone. TPM warn `Init TPM credentials failed ... using +GKeyFile as fallback` = harmless on TPM-less host (creds → keyfile). Connect: client → ip:3389, +accept self-signed cert, gate creds, then GDM user. Supersedes LRN-003 for Wayland GNOME.
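Review bot: In the `.claude/memory/blockers.md` hunk, BLK-003 is headed RESOLVED and ends with `Status: resolved in repo`, although the same entry says `Not run live / RDP connection not tested` and BLK-004 directly below states that it supersedes BLK-003. Mark BLK-003 as superseded (or as resolved but unverified) so a later reader does not take the xrdp fix as validated. In BLK-004, the diagnosis lists `daemon LISTEN *:3389, ufw inactive`; now that the shared gate credentials are set, the entry should say whether 3389 is meant to stay reachable on all interfaces with no firewall, because that is the state it records as working.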
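Review bot: In the `.claude/memory/journal.md` hunk, the second added entry describes `ensure_rdp_credentials` as `prompt, TTY-guard, idempotent` but does not say what the installer does when no TTY is present. The context line at the top of the hunk records a `remote-install.sh curl|bash` bootstrap, so a non-interactive run is a supported path; if the guard skips the prompt there, the host keeps the empty gate credentials that BLK-004 names as the cause of 0x904/0x7. State the non-TTY behaviour in the entry (skip with a warning, or fail). The first added entry ends with `Not run live / RDP untested` and would benefit from a pointer to the pivot entry, since `install_xrdp` was replaced the same day.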
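Review bot: In the `.claude/memory/learnings.md` hunk, the connect step in LRN-004 says `accept self-signed cert` without giving the client any way to tell this host's certificate from another one. Record the certificate fingerprint at the step where `set-tls-cert` is run and word the connect step as compare, then accept. In LRN-003, `Open RDP 3389 only if firewall active` reads as if the port itself depends on the firewall; the other two files call this `conditional ufw 3389`, so say that the ufw allow rule is added only when ufw is active. LRN-003 also names the polkit action `org.freedesktop.color-manager.*` but not which users or groups the rule grants it to; add the subject so the rule can be audited.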