Hermes 284313f908
Initial import of AlgaPSA codebase from PSA server
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00


# Scratchpad — Tanium RMM Integration
- Plan slug: `tanium-rmm-integration`
- Created: `2026-04-06`
## What This Is
Keep a lightweight, continuously-updated log of discoveries and decisions made while implementing this plan.
Prefer short bullets. Append new entries as you learn things, and also *update earlier notes* when a decision changes or an open question is resolved.
## Decisions
- (2026-04-06) Use a provider-neutral RMM adapter plus shared ingestion path before adding Tanium. Rationale: current NinjaOne and Tactical implementations already diverge enough that a third bespoke stack would compound duplication.
- (2026-04-06) Treat `tenant_external_entity_mappings` as the core asset identity seam for all RMM providers. Rationale: it already exists, is provider-neutral, and both NinjaOne and Tactical depend on it.
- (2026-04-06) Tanium v1 should be inventory-first and scope-mapping-first. Rationale: official Tanium guidance prefers Gateway for querying online/offline systems and reserves module APIs for gaps.
- (2026-04-06) Tanium event push should be modeled as an optional capability, not assumed as a public webhook subsystem. Rationale: official Tanium guidance positions Connect as the push/event delivery method for downstream systems.
## Discoveries / Constraints
- (2026-04-06) `server/src/middleware.ts` hard-codes public or API-key-skipped routes for NinjaOne and Tactical webhooks/callbacks. A new provider with public ingress would currently require another manual middleware change.
- (2026-04-06) `ee/server/src/interfaces/rmm.interfaces.ts` is nominally generic but still contains NinjaOne-specific settings leakage such as `ninja_instance_region`.
- (2026-04-06) `ee/server/src/lib/integrations/ninjaone/sync/syncEngine.ts` and `ee/temporal-workflows/src/activities/ninjaone-sync-activities.ts` duplicate asset upsert and external mapping logic.
- (2026-04-06) Official Tanium docs state:
  - Gateway is the preferred integration method.
  - Connect is best for scheduled or event-triggered outbound delivery to files, syslog, webhook, and similar destinations.
  - Asset API is useful for endpoints that have aged out of TDS.
  - Direct Connect is for limited live endpoint troubleshooting/evidence/remediation, not the main integration transport.
- (2026-04-06) Public developer docs give method-selection truth, but exact Gateway schema details still need tenant-backed verification. The docs themselves say the schema reference in Gateway is the most up-to-date source.
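As an added illustration of the provider-neutral adapter decision above and of the middleware constraint (public routes hard-coded per provider), here is a registry from which the public-route skip list is derived instead of hand-edited. This is example code, not alga-psa's own implementation; the descriptor shape, provider slugs and route paths are assumptions.

```typescript
// Added example (hypothetical shape, not the alga-psa implementation).
// Each RMM provider declares its own public ingress routes; the middleware
// derives its API-key-skip list from this registry instead of hard-coding it,
// so adding a provider never requires a manual middleware change.
interface RmmProviderDescriptor {
  slug: string;
  // Routes that must be reachable without an API key (webhooks, OAuth callbacks).
  publicRoutes: string[];
  // Inbound event push is an optional capability, not an assumed feature.
  supportsEventPush: boolean;
}

const rmmProviders: RmmProviderDescriptor[] = [
  // Route paths below are assumed for illustration only.
  {
    slug: "ninjaone",
    publicRoutes: ["/api/integrations/ninjaone/callback", "/api/integrations/ninjaone/webhook"],
    supportsEventPush: true,
  },
  { slug: "tactical", publicRoutes: ["/api/integrations/tactical/webhook"], supportsEventPush: true },
  // Tanium v1 is inventory-first (pull via Gateway): no public ingress unless
  // Connect delivery is enabled later, so it adds nothing to the skip list.
  { slug: "tanium", publicRoutes: [], supportsEventPush: false },
];

// Build the skip list once from the registry; stored as exact paths.
function buildPublicRouteSet(providers: RmmProviderDescriptor[]): Set<string> {
  const routes = new Set<string>();
  for (const p of providers) {
    for (const r of p.publicRoutes) routes.add(r.replace(/\/+$/, ""));
  }
  return routes;
}

// Exact match only (after stripping a trailing slash), never a prefix match:
// "/api/integrations/ninjaone/webhook/anything" must NOT bypass auth.
function isPublicRoute(
  pathname: string,
  publicRoutes: Set<string> = buildPublicRouteSet(rmmProviders),
): boolean {
  const clean = pathname.replace(/\/+$/, "");
  return publicRoutes.has(clean);
}

// Providers that actually expose public ingress (useful for an audit log or test).
function providersWithPublicIngress(providers: RmmProviderDescriptor[]): string[] {
  return providers.filter((p) => p.publicRoutes.length > 0).map((p) => p.slug);
}
```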
## Commands / Runbooks
- (2026-04-06) Pull official Tanium markdown guidance:
  - `curl -L --max-time 20 https://developer.tanium.com/guides/core-platform/integration_methods.md`
  - `curl -L --max-time 20 https://developer.tanium.com/use_cases.md`
- (2026-04-06) Browser inspection of the logged-in Tanium developer portal:
  - `alga-dev list-browsers --allTabs --pretty`
  - `alga-dev browser-eval --paneId=<tanium-pane> --script='(() => document.body.innerText)()'`
  - `alga-dev browser-get-dom --paneId=<tanium-pane> --query='li, a' --pretty`
- (2026-04-06) Repo inspection used for architecture grounding:
  - `rg -n "rmm_organization_mappings|rmm_integrations|tenant_external_entity_mappings" ee packages server -g '!**/node_modules/**'`
  - `sed -n '1,240p' ee/server/src/interfaces/rmm.interfaces.ts`
  - `sed -n '1,220p' ee/server/src/app/api/integrations/ninjaone/callback/route.ts`
  - `sed -n '1,240p' packages/integrations/src/actions/integrations/tacticalRmmActions.ts`
## Links / References
- Official Tanium docs:
  - https://developer.tanium.com/apis/api_intro
  - https://developer.tanium.com/guides/core-platform/integration_methods
  - https://developer.tanium.com/use_cases
  - https://help.tanium.com/bundle/ug_gateway_cloud/page/gateway/index.html
  - https://help.tanium.com/bundle/ug_gateway_cloud/page/gateway/gateway.html
- Key repo files:
  - `/Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/server/src/middleware.ts`
  - `/Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/server/migrations/20250502173321_create_tenant_external_entity_mappings.cjs`
  - `/Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/server/migrations/20251124000001_create_rmm_integration_tables.cjs`
  - `/Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/ee/server/src/interfaces/rmm.interfaces.ts`
  - `/Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/ee/server/src/lib/integrations/ninjaone/sync/syncEngine.ts`
  - `/Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/packages/integrations/src/actions/integrations/tacticalRmmActions.ts`
  - `/Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/packages/integrations/src/components/settings/integrations/RmmIntegrationsSetup.tsx`
## Open Questions
- What exact Gateway object(s) represent Tanium endpoint inventory in the target tenant?
- What exact field(s) map a Tanium endpoint to an MSP customer/client boundary?
- Is aged-out inventory fallback necessary in the target tenant, or is Gateway sufficient for the required device estate?
- If Connect is used for outbound event delivery, can the customer's Tanium deployment deliver to the intended Alga-hosted destination model?
- Should Tanium v1 include only inventory, or does the customer expect compliance/vulnerability findings in the initial release?