sync: auto-sync from GURU-BEAST-ROG at 2026-06-04 16:05:04

Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-06-04 16:05:04
2026-06-04 16:05:09 -07:00
parent a51715e0ba
commit 295126ee6c
4 changed files with 142 additions and 7 deletions
--- a/clients/cascades-tucson/session-logs/2026-06-04-session.md
+++ b/clients/cascades-tucson/session-logs/2026-06-04-session.md
@@ -0,0 +1,117 @@
 ## User
 - **User:** Mike Swanson (mike)
 - **Machine:** GURU-BEAST-ROG
 - **Role:** admin
 > **Requester:** Howard Enos (@howard9645) via Discord bot
 > **Ticket:** Billed by Howard — resolved in separate channel
 ---
 ## Session Summary
 Howard requested an investigation into why chris.knight@cascadestucson.com was not receiving verification emails from bill.com and BOK Financial (bokfinancial.com). The investigation began with a full M365 tenant analysis of the Cascades Tucson tenant (cascadestucson.com, tenant ID 207fa277-e9d8-4eb7-ada1-1064d2221498).
 DNS records for cascadestucson.com were confirmed healthy: MX points directly to EOP (cascadestucson-com.mail.protection.outlook.com), SPF includes spf.protection.outlook.com and secureserver.net, DMARC is p=quarantine pct=100. No anomalies. The mailbox for chris.knight@cascadestucson.com was confirmed active, enabled, with no inbox rules, no forwarding, no inference overrides, no litigation hold, and an empty junk folder (0 items). A live test email from Howard (howard@azcomputerguru.com) was confirmed delivered in real time during the investigation.
 Exchange Online was connected using the ComputerGuru Exchange Operator MSP app (client credentials / access token method) against the Cascades tenant. Message trace (Get-MessageTraceV2), quarantine, transport rules, anti-spam policies, connection filter, add-ins, inbound/outbound connectors, and Azure AD enterprise apps were all checked. No Inky deployment was found anywhere in the tenant (no connector, no transport rule, no OAuth app, no add-in). Howard had suspected Inky as a factor; this was ruled out definitively.
 Bill.com (inform.bill.com, hq.bill.com, hello.bill.com) was confirmed delivering successfully to other Cascades users (Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Zachary Nelson) throughout the investigation period. However, zero bill.com emails had ever been delivered to chris.knight@cascadestucson.com or its alias c.knight@cascadestucson.com in 90 days of message trace history. BOK Financial (bokfinancial.com) showed zero emails to any cascadestucson.com user in 90 days. Howard confirmed the bill.com account had been updated to chris.knight@cascadestucson.com; a live resend was triggered by Meredith Kuhn during the session. That resend did not arrive at the tenant within 5+ minutes of monitoring, indicating it was still routing to the old wrong email address in bill.com's backend. The issue was resolved separately in another channel and billed by Howard.
 ---
 ## Key Decisions
 - Used ComputerGuru Exchange Operator MSP app (b43e7342-5b4b-492f-890f-bb5a4f7f40e9) with client_credentials flow to obtain an EXO access token and connect via `Connect-ExchangeOnline -AccessToken` — admin credential auth was blocked (MFA/modern auth constraint), and the app cert was not in the Windows cert store on BEAST. Access token method bypassed both issues.
 - Searched for "bills.com" initially; corrected to "bill.com" (BILL) after fetching BILL's help article which lists inform.bill.com, hq.bill.com, hello.bill.com, mc.bill.com as their sending domains.
 - Checked c.knight@cascadestucson.com alias after Howard raised it — confirmed it is a valid secondary SMTP proxy address on the same mailbox, but also showed zero bill.com/BOK emails.
 - Treated "box.com" as a typo for "bok.com" / "bokfinancial.com" after Howard clarified. Both checked thoroughly with zero results.
 - Get-MessageTraceV2 has a 10-day max window; ran 9 consecutive 10-day windows to cover 90 days of history.
 ---
 ## Problems Encountered
 - **Get-MessageTrace deprecated:** Get-MessageTrace returned a deprecation warning and empty results. Switched to Get-MessageTraceV2. V2 has a 10-day window limit (not 30 as initially attempted); looped windows to cover 90 days.
 - **EXO credential auth blocked:** `Connect-ExchangeOnline -Credential` failed with token error (MFA/modern auth). MSP app cert was not in Windows cert store on BEAST and only the private key PEM is stored in vault (no public cert). Resolved by using client_credentials flow to get an EXO-scoped access token and passing it via `-AccessToken` parameter.
 - **Graph API inbox rule check returned 401:** Initial token was pasted as a literal string (stale). Fixed by generating a fresh token inline in the same PowerShell session block.
 - **Wildcard sender search returned false positives:** `*@bills.com` with 30-day window returned "1 message found" across all subdomains — artifact of the wildcard matching and the 30-day limit violation. Narrowed to 10-day windows and specific domains to get clean results.
 ---
 ## Configuration Changes
 None. Investigation only — no changes made to the tenant or any configuration.
 ---
 ## Credentials & Secrets
 - **Cascades Tucson M365 admin:** `clients/cascades-tucson/m365-admin.sops.yaml` — admin@cascadestucson.com (used for reference; auth via MSP app instead)
 - **ComputerGuru Exchange Operator MSP app:** `msp-tools/computerguru-exchange-operator.sops.yaml`
  - App ID: b43e7342-5b4b-492f-890f-bb5a4f7f40e9
  - Client secret used for client_credentials token acquisition
 ---
 ## Infrastructure & Servers
 - **Cascades Tucson M365 Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
 - **Cascades Tucson primary domain:** cascadestucson.com
 - **MX:** cascadestucson-com.mail.protection.outlook.com (EOP direct, no third-party gateway)
 - **SPF:** v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all
 - **DMARC cascadestucson.com:** p=quarantine; pct=100; rua=info@cascadestucson.com
 - **Bill.com sending domains:** inform.bill.com, hq.bill.com, hello.bill.com, mc.bill.com, bill.com — MX via pphosted.com (Proofpoint)
 - **BOK Financial:** bokfinancial.com — MX via pphosted.com (Proofpoint); DMARC p=reject
 - **ComputerGuru Exchange Operator MSP tenant:** ce61461e-81a0-4c84-bb4a-7b354a9a356d (ACG tenant)
 ---
 ## Commands & Outputs
 ```powershell
 # EXO connection via access token (bypasses cert/MFA requirement)
 $body = @{ grant_type='client_credentials'; client_id=$clientId; client_secret=$clientSecret; scope='https://outlook.office365.com/.default' }
 $tok = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body -ContentType 'application/x-www-form-urlencoded'
 Connect-ExchangeOnline -AccessToken $tok.access_token -Organization 'cascadestucson.com' -AppId $clientId -ShowBanner:$false
 # 90-day message trace loop (Get-MessageTraceV2 max 10-day window)
 for ($i = 0; $i -lt 9; $i++) {
    $wend = (Get-Date).AddDays(-($i * 10))
    $wstart = $wend.AddDays(-10)
    Get-MessageTraceV2 -SenderAddress "*@inform.bill.com" -RecipientAddress "chris.knight@cascadestucson.com" -StartDate $wstart -EndDate $wend
 }
 ```
 Key findings:
 - chris.knight mailbox: 30 messages in 10 days, all delivered, all non-bill.com/BOK
 - c.knight alias: 2 messages in 10 days (Howard test 5/28 "email address name change", Chris personal test)
 - bill.com to tenant: active delivery to meredith.kuhn, ashley.jensen, lauren.hasselman, zachary.nelson — confirms no tenant-wide block
 - bill.com to chris.knight: 0 messages in 90 days
 - BOK Financial to entire tenant: 0 messages in 90 days
 - Live resend by Meredith: 0 messages arrived within 5-minute monitoring window
 Anti-spam policies:
 - Default: Spam/HighConfSpam/Bulk → MoveToJmf; HighConfPhish → Quarantine
 - Standard Preset: HighConfSpam/Phish → Quarantine (applies to all recipients per EOPProtectionPolicyRule)
 Transport rules: "Fax Forward and Retain Copy" (P0), "Allow WordPress contact form" (P1) — neither relevant.
 Connection filter: IPBlockList = 89.106.1.38 (single entry, unrelated to bill.com/BOK).
 ---
 ## Pending / Incomplete Tasks
 - Root cause of bill.com resend not arriving was not confirmed before the session ended — most likely bill.com's backend still has the old email address despite the profile showing the new one. Resolved externally.
 - BOK Financial email address for Chris Knight was never confirmed — likely still the old wrong address.
 ---
 ## Reference Information
 - BILL help article (sending domains): https://help.bill.com/direct/s/article/360000026246
 - BILL safe sender: account-services@inform.bill.com
 - BOK Financial: https://www.bokfinancial.com/
 - Cascades Tucson client wiki: wiki/clients/cascades-tucson.md
 - MSP Exchange Operator vault: msp-tools/computerguru-exchange-operator.sops.yaml
--- a/0
+++ b/0
--- a/wiki/clients/cascades-tucson.md
+++ b/wiki/clients/cascades-tucson.md
@@ -3,7 +3,7 @@ type: client
 name: cascades-tucson
 display_name: Cascades of Tucson
 last_compiled: 2026-06-04
-compiled_by: Howard-Home/claude-main
+compiled_by: GURU-BEAST-ROG/claude-main
 sources:
  - session-logs/2026-03-24-session.md
  - session-logs/2026-03-31-session.md
@@ -35,6 +35,7 @@ sources:
  - clients/cascades-tucson/session-logs/2026-06-03-session.md
  - clients/cascades-tucson/session-logs/2026-06-04-howard-email-delivery-investigation.md
  - clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md
  - clients/cascades-tucson/session-logs/2026-06-04-session.md
  - clients/cascades-tucson/docs/overview.md
  - clients/cascades-tucson/docs/network/topology.md
  - clients/cascades-tucson/docs/network/vlans.md
@@ -70,6 +71,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
  - Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
  - Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
  - Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
  - Chris Knight — staff; chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04)
 - **Billing rate:** $175/hr all labor (prepaid block customer)
 - **Hours remaining:** 15.75 hrs as of 2026-06-04 (after tickets #32381 0.5h onsite, #32382 1.5h onsite, #32383 1.5h remote billed 2026-06-04). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
 - **Syncro customer ID:** 20149445
@@ -105,7 +107,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
 - **M365 tenant:** cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
 - **M365 license:** Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service.
 - **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
- **MX / mail flow:** Exchange Online (M365). SPF strict (`-all`). DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored).
+- **MX / mail flow:** Exchange Online (M365). SPF: `v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all`. DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored). No third-party email gateway (EOP direct MX).
 - **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section.
 - **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added.
 - **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created.
@@ -124,6 +126,8 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
    - **Sweep target:** apply to all office/clinical users (Karen Rossini, MemCare reception, etc.) to standardize everyone onto SSO.
 - **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)` (`9a0fcc6d-0a88-466e-aa53-44401bb74fca`); 25 devices enrolled per 2026-06-03 Intune pull. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7-3000-45da-ab1f-ddb28f509526`). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device (see below re: pending replacement with allow-list), 8h sign-in frequency. Android enrollment token expires 2027-05-08 — token is a join key only; expiry does NOT unenroll existing devices.
 - **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`.
 - **Inky:** No Inky deployment exists in this tenant. No connector, no transport rule, no OAuth app, no add-in. Confirmed 2026-06-04.
 - **EXO MSP app auth note (2026-06-04):** When the MSP app cert is not in the Windows cert store on a given machine, use client_credentials flow to obtain an EXO-scoped access token and connect via `Connect-ExchangeOnline -AccessToken`. This bypasses both the cert requirement and interactive MFA. App: ComputerGuru Exchange Operator (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`). Vault: `msp-tools/computerguru-exchange-operator.sops.yaml`.
 ### Network
@@ -136,6 +140,11 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
  - Guest — isolated, VLAN 50
 - **VoIP:** AudioCodes phones (8 units) on USW-16-PoE. CS-QB VM at 192.168.2.228. Not MSP-managed but infra must stay static.
 ### External Vendors & Mail Senders
 - **bill.com (BILL):** Sends from `inform.bill.com`, `hq.bill.com`, `hello.bill.com`, `mc.bill.com`. MX via pphosted.com (Proofpoint). Confirmed delivering successfully to meredith.kuhn, ashley.jensen, lauren.hasselman, zachary.nelson as of 2026-06-04. Safe sender: `account-services@inform.bill.com`.
 - **BOK Financial:** Sends from `bokfinancial.com`. MX via pphosted.com (Proofpoint). DMARC p=reject. Zero emails to any cascadestucson.com user in 90-day history as of 2026-06-04 (likely wrong recipient address on BOK's side for the accounts in question).
 ---
 ## Access
@@ -151,6 +160,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
 - **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
 - **GuruRMM — RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
 - **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded.
 - **ComputerGuru Exchange Operator MSP app:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` — vault: `msp-tools/computerguru-exchange-operator.sops.yaml`. Use access token auth when cert not in store (see Email & Identity section).
 - **Vault root:** `clients/cascades-tucson/` in vault repo
 ---
@@ -211,11 +221,17 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
 - **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
 - **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.
-### Known Issues / Pending Hygiene (as of 2026-06-03)
+### EXO / Message Trace
 - **Get-MessageTrace is deprecated.** Use `Get-MessageTraceV2` instead. V2 has a 10-day max window — loop 9 consecutive windows to cover 90 days. A wildcard sender with a 30-day window returns false positives due to the window-limit violation; keep windows to 10 days and use specific sender domains.
 - **EXO access token auth:** When `Connect-ExchangeOnline -Credential` fails (MFA/modern auth block) and the app cert is not in the Windows cert store, use client_credentials flow to get an EXO-scoped token and pass it via `-AccessToken`. See access note in the Access section above.
 ### Known Issues / Pending Hygiene (as of 2026-06-04)
 - **[BUG] Stale exclude-group on MFA-all-users policy:** The `Require multifactor authentication for all users` policy (`7e87a1c7…`) currently excludes `SG-Caregivers-Pilot` (`0674f0bc…`) instead of the live `SG-Caregivers` (`8b8d9222…`). Functionally harmless today (pilot group still exists), but this is a known bug that must be corrected. Fix: PATCH `excludeGroups` to replace `SG-Caregivers-Pilot` with `SG-Caregivers`.
 - **[DESIGN] ALIS-native 2FA is not a perimeter control.** The `Require MFA for all users` policy excludes `AllTrusted` locations, so Entra never prompts on the Cascades network. A non-SSO ALIS user can reach ALIS from anywhere with only ALIS credentials — Entra never sees that login. The correct permanent model: force all ALIS logins through Entra SSO (SSO-only, credential fallback disabled), so Entra enforces onsite-seamless / offsite-MFA. Office/privileged users should be standardized onto ALIS SSO as a separate workstream; ALIS-native 2FA should then be disabled per-user then globally.
 - **[INFO] Android enrollment token expiry (2027-05-08) does NOT unenroll devices.** The `CSC - Android Shared Phones (Entra SDM)` enrollment token (`9a0fcc6d`) is a join key only. Existing enrolled devices (25 as of 2026-06-03) are unaffected by token expiry. Renewal is needed only before enrolling new devices after that date.
 - **[INFO] Chris Knight bill.com/BOK Financial emails (2026-06-04):** Zero bill.com or BOK Financial emails ever delivered to chris.knight@ or c.knight@ in 90 days. bill.com confirmed delivering to other Cascades users (no tenant-wide block). Root cause: bill.com and BOK Financial backends likely still have Chris Knight's old email address. Resolved externally by Howard. No tenant config changes needed.
 ### Security Incidents (historical)
@@ -267,6 +283,7 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
 - ALIS office/privileged standardization: move office/managers/nurses to ALIS SSO-only; disable ALIS-native 2FA per-user then globally (separate workstream)
 - Fix stale `SG-Caregivers-Pilot` exclude-group on `Require MFA for all users` policy (known bug, see Known Issues)
 - LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use
 - Chris Knight bill.com/BOK Financial addresses: confirm updated in bill.com backend and at BOK Financial (resolved externally 2026-06-04 but no confirmation of actual address update on vendor side)
 ---
@@ -296,7 +313,7 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
 | 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |
 | 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
 | 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
-| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation confirmed healthy — root cause was sender-side SendGrid suppression on bill.com side; BOK resolved by correcting email in portal (delivery within minutes). Prepay block: 17.25 → 15.75 hrs. |
+| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
 ---
@@ -313,12 +330,13 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
 - dunedolly21@gmail.com guest invite — confirm with Lauren
 - Windows MDM auto-enroll scope — confirm in portal (Entra → Devices → Mobility → Microsoft Intune → MDM user scope)
 - #32381 / #32382 ticket details (Tamra scanner, Megan file access) — referenced in 2026-06-04 session log reference table only; full ticket details not documented in session logs
 - Chris Knight bill.com/BOK Financial vendor-side address updates — resolved externally but no confirmation of actual update on vendor side
 **Resolved since last compile:**
 - New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active)
 - DMARC — confirmed upgraded to p=quarantine;pct=100
 - ALIS AADSTS65001 sign-in failures — resolved 2026-06-03 by granting admin consent
- BOK Financial email delivery for Chris Knight — resolved 2026-06-04 by correcting email in BOK portal (bill.com side still requires support call)
+- BOK Financial email delivery for Chris Knight — resolved 2026-06-04 by correcting email in BOK portal (bill.com side still requires support call); no tenant config changes needed
 ## Backlinks
--- a/wiki/index.md
+++ b/wiki/index.md
@@ -1,7 +1,7 @@
 # Wiki Index
 Last updated: 2026-06-04
-Compiled by: GURU-5070/claude-main
+Compiled by: GURU-BEAST-ROG/claude-main
 This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update.
 Run `/wiki-lint` to check for stale entries and broken backlinks.
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
 | Article | Summary | Last Compiled |
 |---|---|---|
-| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, 15.75 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite); #32383 bill.com/BOK email delivery (sender-side SendGrid suppression — bill.com support call pending) | 2026-06-04 |
+| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, 15.75 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite); no Inky in tenant; #32383 bill.com/BOK email delivery — chris.knight issue resolved externally 2026-06-04 (sender-side; bill.com support call still pending) | 2026-06-04 |
 | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery; 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; Bitdefender phase-off in progress | 2026-06-02 |
 | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
 | [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |