Skip to content

Document steps for mdm configuration#4

Open
mohit-a21 wants to merge 2 commits into
mainfrom
mdm_config
Open

Document steps for mdm configuration#4
mohit-a21 wants to merge 2 commits into
mainfrom
mdm_config

Conversation

@mohit-a21

@mohit-a21 mohit-a21 commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

Note

Low Risk
Documentation-only change with no runtime or application code modifications.

Overview
Adds docs/mdm-browser-capture.md, an enterprise add-on to the existing Claude Code MDM guide. It documents how to route claude.ai and chatgpt.com web chat traffic through the TrueFoundry AI Gateway using aitori, without changing Claude Code CLI settings.

The doc explains why browsers need a local proxy (TLS intercept + explicit host list, fail-open on gateway errors), prerequisites (reuse base conf + ~/.tfy-refresh-token), and scope limits (builtin_profiles: false, only two hosts). It includes copy-paste root MDM scripts for macOS (system proxy + launchd) and Linux (transparent nftables + systemd + per-user NSS CA trust), plus scheduling (30-minute offset from the base script to avoid refresh-token rotation races), verification, ops/debug, and uninstall steps.

Reviewed by Cursor Bugbot for commit 6dc4569. Bugbot is set up for automated code reviews on this repo. Configure here.

Signed-off-by: Mohit Agarwal <mohit.agarwal@truefoundry.com>
else
log "NOTE: ${RT_FILE} not found — run the Claude Code device login first; aitori fail-opens meanwhile"
fi
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Linux MDM misses console user

High Severity

The Linux add-on sets USER_NAME from SUDO_USER or logname, but MDM and most config-management jobs run as root without an interactive sudo session, so both are usually empty (or root). The token-exchange and NSS certutil blocks are skipped, so tf_token is not refreshed from ~/.tfy-refresh-token and the aitori CA is not trusted in the developer’s Chrome/Firefox store—browser capture fails despite the guide’s MDM workflow.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 09f9e3a. Configure here.

Signed-off-by: Mohit Agarwal <mohit.agarwal@truefoundry.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 3 potential issues.

There are 4 total unresolved issues (including 1 from previous review).

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Want higher recall? High effort reviews run extra passes and find more bugs. A team admin can switch effort levels in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 6dc4569. Configure here.


launchctl bootout system "${PLIST}" 2>/dev/null || true # idempotent reload
launchctl bootstrap system "${PLIST}"
launchctl enable "system/${LABEL}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

macOS reload stops service hourly

Medium Severity

Each MDM run unconditionally runs launchctl bootout then bootstrap on the aitori daemon. On an hourly schedule that fully stops and reloads the service every time, briefly tearing down the system proxy and restarting capture even when nothing changed.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 6dc4569. Configure here.


systemctl daemon-reload
systemctl enable --now aitori
log "aitori service enabled + started on ${AITORI_LISTEN}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Linux keeps old binary running

Medium Severity

After installing a new aitori binary or rewriting config.yaml, the Linux script only runs systemctl enable --now, which does not restart an already-active service. Upgraded releases and config changes may not take effect until a manual restart.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 6dc4569. Configure here.

log "aitori gateway token refreshed"
else
log "WARNING: token exchange returned no accessToken — keeping previous token; aitori fail-opens until next run"
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rotates refresh without access

Medium Severity

Both platform scripts persist a new refreshToken to ~/.tfy-refresh-token whenever NEW_RT is non-empty, before confirming ACCESS_TOKEN was written to TOKEN_FILE. A successful rotation with a failed access-token parse leaves the shared refresh token updated but the gateway token file unchanged.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 6dc4569. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant