Session log: glaztech DMARC override + syncro skill billing fix

- clients/glaztech/session-logs/2026-04-20-session.md: Exchange Online
  transport rule created to bypass DMARC for clearcutglass.com
- session-logs/2026-04-20-session.md: update with 12:55 work
- .claude/commands/syncro.md: fix billing workflow — comment endpoint
  silently drops time fields; use timer_entry endpoint instead

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

clients/glaztech/session-logs/2026-04-20-session.md

@@ -0,0 +1,60 @@
+# Session Log — 2026-04-20 — Glaz-Tech Industries
+
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** DESKTOP-0O8A1RL
+- **Role:** admin
+
+## Session Summary
+
+Set up Exchange Online DMARC bypass for inbound mail from clearcutglass.com → glaztech.com. Full remediation tool workflow: app consent, role assignment, transport rule creation via EXO REST API.
+
+## Work Performed
+
+### Problem
+Inbound mail from clearcutglass.com was being rejected at glaztech.com due to DMARC failure. Client needed a temporary override while clearcutglass.com fixes their email authentication.
+
+### Solution
+Created Exchange Online transport rule via EXO REST API (InvokeCommand) to set SCL = -1 for all mail from clearcutglass.com, bypassing DMARC/spam filtering.
+
+### Steps Taken
+
+1. **App consent** — Exchange Operator app (b43e7342-5b4b-492f-890f-bb5a4f7f40e9) was not yet consented in glaztech.com tenant. Provided admin consent URL:
+   `https://login.microsoftonline.com/82931e3c-de7a-4f74-87f7-fe714be1f160/adminconsent?client_id=b43e7342-5b4b-492f-890f-bb5a4f7f40e9`
+   glaztech.com Global Admin completed consent.
+
+2. **Role assignment** — After consent, EXO REST API still returned 403 because the SP needed Exchange Administrator role in the tenant directory (consent alone is not sufficient for EXO cmdlets). Verified SP was already assigned via screenshot from Entra portal (ComputerGuru Exchange Operator already listed as Exchange Administrator member).
+
+3. **Transport rule created** — via `POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand`:
+   - Rule name: `TEMP - Allow DMARC fail from clearcutglass.com`
+   - Condition: `SenderDomainIs = clearcutglass.com`
+   - Action: `SetSCL = -1`
+   - State: Enabled, Enforce mode
+   - Rule GUID: `6b702a5c-02ad-46e5-a2e1-7cb70284bd5c`
+   - Created: 2026-04-20 19:28 UTC
+
+4. **Syncro ticket created** — #32176 "Exchange Online - DMARC override for clearcutglass.com", status Resolved.
+
+### Follow-up Required
+Once clearcutglass.com fixes their SPF/DMARC configuration, remove the transport rule:
+- **Exchange Admin Center** → Mail flow → Rules → delete "TEMP - Allow DMARC fail from clearcutglass.com"
+- Or via API: `Remove-TransportRule -Identity "6b702a5c-02ad-46e5-a2e1-7cb70284bd5c"`
+
+## Tenant Info
+
+- **Domain:** glaztech.com
+- **Tenant ID:** 82931e3c-de7a-4f74-87f7-fe714be1f160
+- **Syncro customer ID:** 143932
+- **Syncro ticket:** #32176 (ID: 109216691)
+- **Contact:** Steve Eastman (Seastman@glaztech.com)
+
+## Credentials Used
+
+- Exchange Operator app: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` / vault: `msp-tools/computerguru-exchange-operator.sops.yaml`
+
+## Issues Encountered
+
+- **AADSTS7000229** on first token attempt — app not consented in tenant. Fixed via admin consent URL.
+- **403 after consent** — SP needed Exchange Administrator role in Entra directory (separate from API consent). Already assigned per Entra portal.
+- **curl null byte response** — EXO REST API returns compressed/binary response when no `Accept` header or `--compressed` flag used. Fixed by writing payload to temp file and checking raw bytes.
+- **PowerShell Graph module device code auth failure** — `DeviceCodeCredential authentication failed: Object reference not set to an instance of an object` — known bug with Microsoft.Graph 2.36.1 + WAM on Windows. Workaround: not needed since role was already assigned.