diff --git a/wiki/clients/birth-biologic.md b/wiki/clients/birth-biologic.md
new file mode 100644
index 0000000..3b6757d
--- /dev/null
+++ b/wiki/clients/birth-biologic.md
@@ -0,0 +1,130 @@
+---
+type: client
+name: birth-biologic
+display_name: BirthBiologic
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/birth-biologic/session-logs/2026-04-21-session.md
+backlinks:
+  - projects/gururmm
+---
+
+# BirthBiologic
+
+## Profile
+
+- **Company type:** Corporate (exact industry not documented — biological/healthcare services implied by name and SharePoint site structure: Donor Services, Quality Department, Birth Biologic Activity Reports)
+- **Contract type:** [unverified — MSP-managed implied; no explicit contract type documented]
+- **Key contacts:**
+  - Annise — primary client contact for SharePoint migration; no last name or email documented
+  - sysadmin@birthbiologic.com — M365 shared admin account; M365 Business Premium license assigned 2026-04-21
+- **Billing rate:** [unverified]
+- **Syncro ticket:** #109277420 (Datto Workplace to SharePoint Migration; assigned to Mike Swanson, user_id 1735; contact: Annise; due 2026-04-22)
+- **Syncro customer ID:** [unverified — not documented in available session logs]
+
+## Infrastructure
+
+### Servers & Services
+
+| Host | IP | Role | OS | Notes |
+|---|---|---|---|---|
+| BB-SERVER | [unverified] | On-premise Windows server | Windows Server 2016 | GuruRMM agent installed 2026-04-21; used as command channel for Datto→SharePoint migration script execution |
+
+### Email & Identity
+
+- **M365 tenant:** birthbiologic.com (tenant ID: [unverified — "not yet looked up" as of 2026-04-21 session])
+- **License:** M365 Business Premium (SKU `cbdc14ab-d96c-4132-b7f4-1f3a3a819bb4`) assigned to sysadmin@birthbiologic.com; includes EMS (standalone EMS removed after upgrade)
+- **MFA status:** [unverified]
+- **ACG remediation tool consent status (as of 2026-04-21):**
+  - Security Investigator: consented
+  - Tenant Admin (`709e6eed-0711-4875-9c44-2d3518c47063`): consented
+  - Exchange Operator: NOT consented
+  - User Manager: NOT consented
+  - Defender Add-on: NOT consented
+- **sysadmin SharePoint role:** sysadmin@birthbiologic.com confirmed as SharePoint admin (required for SPMT destination access)
+- **Note:** sysadmin@birthbiologic.com did not have a SharePoint/M365 license prior to 2026-04-21. For SharePoint app-only access, use Tenant Admin app with `Sites.ReadWrite.All` (no user license required for app-only).
+
+### File Storage
+
+- **Pre-migration:** Datto Workplace (on-premise network file server, accessed from BB-SERVER)
+- **Post-migration target:** Microsoft SharePoint (M365)
+- **Migration tool:** Custom PowerShell script (`clients/birth-biologic/scripts/migrate-datto-to-sharepoint.ps1`) + SPMT for bulk folders
+
+### SharePoint Site Map
+
+| Datto Folder | SharePoint Site | Notes |
+|---|---|---|
+| Admin | birthbiologic.sharepoint.com/sites/Admin | Migrated via SPMT |
+| Birth Biologic Activity Reports | birthbiologic.sharepoint.com/sites/Admin | Same site as Admin; SPMT preserves source folder name as subfolder |
+| Donor Services | birthbiologic.sharepoint.com/sites/DonorServices | Migrated via SPMT |
+| Quality Department | birthbiologic.sharepoint.com/sites/QualityDepartment | Migrated via SPMT |
+| Supply Management | birthbiologic.sharepoint.com/sites/SupplyManagement | 160/160 files migrated via custom PS script (2026-04-21) |
+| ITSvcs | EXCLUDED | ACG-owned folder; not client data |
+
+Site IDs are hardcoded in `$SITE_MAP` hashtable in the migration script.
+
+### Network
+
+- **ISP / WAN:** [unverified]
+- **Firewall:** [unverified]
+- **VPN:** [unverified]
+
+## GuruRMM
+
+- **Client name:** BirthBiologic
+- **Client ID:** `da526b38-e832-4159-ab13-a3d94e9897a2`
+- **Site name:** Main Office
+- **Site code:** `BRIGHT-PEAK-5980`
+- **Site ID:** `3b20ef97-c764-4ef8-9154-79c3d5b486f8`
+- **Agent enrollment key:** `clients/birthbiologic/gururmm-site-main.sops.yaml` (vault)
+- **Install landing page:** `https://rmm.azcomputerguru.com/install/BRIGHT-PEAK-5980`
+- **MSI download:** `https://rmm.azcomputerguru.com/sites/3b20ef97-c764-4ef8-9154-79c3d5b486f8/installer`
+
+### Enrolled Agents
+
+| Agent | Host | OS | Agent ID | Notes |
+|---|---|---|---|---|
+| BB-SERVER | BB-SERVER | Windows Server 2016 | [unverified — not captured in session log] | Installed 2026-04-21; used as command channel throughout Datto→SP migration |
+
+## Access
+
+- **GuruRMM:** Dashboard → BirthBiologic → Main Office
+- **M365 admin:** sysadmin@birthbiologic.com
+- **Vault paths:**
+  - `clients/birthbiologic/gururmm-site-main.sops.yaml` — GuruRMM site enrollment key
+  - `msp-tools/computerguru-tenant-admin.sops.yaml` → `credentials.credential` — Tenant Admin app secret
+- **Tenant Admin app:** client_id `709e6eed-0711-4875-9c44-2d3518c47063`; consent redirect URI must be `https://azcomputerguru.com` (NOT `https://rmm.azcomputerguru.com`)
+- **Migration script:** `clients/birth-biologic/scripts/migrate-datto-to-sharepoint.ps1`
+
+## Patterns & Known Issues
+
+- **Windows Server 2016 TLS:** BB-SERVER defaults to TLS 1.0. PowerShell scripts must include `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` at the top or Graph API calls will fail.
+- **GuruRMM command timeout on long-running processes:** The RMM command channel times out on operations running longer than ~300 seconds. An 8 MB PDF upload at ~77 KB/s exceeded this limit during the migration. Workaround: base64-encode file on server, capture stdout, decode and upload locally.
+- **SharePoint 409 Conflict on retry:** If a chunked upload session is interrupted, a partial item remains in SharePoint. Subsequent upload sessions against the same path return 409 Conflict. Fix: DELETE the item before creating a new upload session.
+- **SPMT requires sysadmin to be SharePoint admin:** SPMT destination access requires the running account to have SharePoint admin rights. Confirm before scheduling future SPMT runs.
+- **Syncro comment rendering:** Use `<br>` for line breaks in Syncro comments. `<ul>/<li>` collapses into a single line in the Syncro renderer.
+- **Syncro duplicate comments on #109277420:** Two duplicate comments were noted in the session log. GUI deletion only (no API delete for comments). Verify status next time in ticket view.
+- **ITSvcs folder exclusion:** The `ITSvcs` folder on the Datto share is ACG-owned, not client data. Always exclude from any migration or client-facing file audit.
+- **GuruRMM command body requirements:** `command_type` field is required (use `"powershell"` for PS scripts). Missing field returns 422. JWT must include `sub`, `role`, `orgs`, `exp`, `iat` claims — any missing claim returns 401.
+- **PS5.1 quirks on BB-SERVER:** No Unicode box-drawing characters (parse error in PS5.1); no `@{} + @{}` hashtable merge (use foreach loop); use `${encodedPath}` not `$encodedPath:` in URL strings (colon interpreted as drive reference).
+
+## Active Work
+
+- **Datto → SharePoint migration:** Supply Management folder complete (160/160 files). SPMT launched for Admin, Birth Biologic Activity Reports, Donor Services, Quality Department as of end of 2026-04-21 session (20% on Donor Services at session end). [WARNING] Migration completion unconfirmed — no follow-up session log found. Outstanding tasks from session log:
+  - Verify SPMT migration complete for all 4 folders
+  - Verify file counts in each SharePoint site match Datto source
+  - Notify Annise to test access
+  - Schedule delta sync (`-DeltaOnly` flag) after client confirms
+  - Delete two duplicate Syncro comments on #109277420 (GUI only)
+  - Verify ITSvcs state file on BB-SERVER is not causing issues
+
+## History Highlights
+
+| Date | Event |
+|---|---|
+| 2026-04-21 | Mike: New client onboarded to GuruRMM (client + site created, vault entry saved). Tenant Admin app consented. sysadmin@birthbiologic.com assigned M365 Business Premium. GuruRMM agent installed on BB-SERVER. Custom Datto→SharePoint migration script built. Supply Management (160 files) migrated via script. SPMT launched for 4 remaining folders. Syncro ticket #109277420 opened. |
+
+## Backlinks
+
+- [[projects/gururmm]] — BB-SERVER enrolled (site: Main Office)
diff --git a/wiki/clients/cryoweave.md b/wiki/clients/cryoweave.md
new file mode 100644
index 0000000..01935d5
--- /dev/null
+++ b/wiki/clients/cryoweave.md
@@ -0,0 +1,144 @@
+---
+type: client
+name: cryoweave
+display_name: CryoWeave
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/cryoweave/session-logs/2026-05-21-session.md
+  - clients/cryoweave/session-logs/2026-05-22-session.md
+  - clients/cryoweave/impeccable/PRODUCT.md
+backlinks: []
+---
+
+# CryoWeave
+
+## Profile
+
+- **Contract type:** Project / break-fix (web services, SEO, marketing)
+- **Key contacts:** Greg Schickling (Owner & Fabricator) — greg@cryoweave.com — (520) 347-8440
+- **Business address:** 7437 E 22nd St, Tucson, AZ 85710
+- **Billing rate:** [unverified — not recorded in session logs]
+- **Syncro customer ID:** [unverified — not recorded in session logs]
+- **GuruRMM enrollment:** None recorded
+
+## Business Overview
+
+CryoWeave manufactures custom cryogenic cable assemblies (millikelvin to 300K) for university research institutions and space agencies. Primary revenue is astrophysics projects. Quantum computing is a growth target, not current revenue.
+
+**Core differentiators:**
+- 60-day delivery on configurations that competitors decline
+- Non-standard connector flexibility (most fabricators refuse)
+- Custom superconducting wire manufacturing (any alloy, small batch — NbTi, Nb, YBCO, research alloys)
+- Integrated thermal bleed-off plates (10x faster installation)
+- No length limits; small batch / prototype friendly
+- US-based
+
+**Standards & qualifications:** IPC J-STD-001ES (space applications soldering), IPC-A-610 Class 3 (high-reliability inspection), IPC/WHMA-A-620 (cable & harness fabrication)
+
+**Space agency credentials:** NASA, ESA, CNES (all publicly discussable). NIST is an existing customer — public naming requires legal verification [unverified status].
+
+**Price range:** $600–$20,000 per assembly depending on complexity. Lead time: 60 days typical.
+
+**Primary competitors:** Universal Cryogenics (long lead times — CryoWeave's main positioning target), Tekdata/Cryoconnect (UK).
+
+## Infrastructure
+
+### Web Hosting
+
+| Host | IP | Role | OS/Stack | Notes |
+|---|---|---|---|---|
+| ix.azcomputerguru.com | 172.16.3.10 | cPanel/WHM shared hosting | Apache, PHP 8.1.34 | ACG-managed IX Web Hosting |
+
+- **Production site:** https://cryoweave.com
+- **Dev site:** http://dev.cryoweave.com
+- **WordPress admin:** https://cryoweave.com/wp-admin
+- **WordPress version:** 7.0 (upgraded from 6.1.10 on 2026-05-21)
+- **Dev site type:** Static HTML (WordPress removed 2026-05-22; 106MB WP backup retained at `/home/cryoweave/public_html/dev-wordpress-backup-20260522.tar.gz`)
+- **WordPress path:** `/home/cryoweave/public_html`
+- **Dev path:** `/home/cryoweave/public_html/dev/`
+- **Plugins:** 8 total including RankMath SEO 1.0.220 (installed 2026-05-21)
+
+### Email & Identity
+
+- **Domain:** cryoweave.com
+- **Email:** Hosted externally [unverified — mail provider not documented]
+- **Greg's email:** greg@cryoweave.com
+
+### Network
+
+- **Hosting:** IX Web Hosting (cPanel), ACG-managed server 172.16.3.10
+- **SSH:** `root@172.16.3.10` (key auth, port 22) — direct root works; cPanel user `cryoweave` is subject to cPHulk lockout on failed SSH attempts
+
+## Access
+
+- **SSH (web server):** `ssh root@172.16.3.10` (bypasses cPanel cPHulk restrictions)
+- **WHM/cPanel:** https://ix.azcomputerguru.com:2083
+- **WP Admin user 1:** mikeadmin (mike@azcomputerguru.com, Administrator)
+- **WP Admin user 2:** guruadmin (rob@azcomputerguru.com, Administrator — prior work)
+- **Vault path:** `clients/cryoweave/wordpress-admin.sops.yaml`
+
+### Vault contents (structure)
+
+```
+site, url, wp_admin_url
+credentials.mikeadmin.{username,password,email,role}
+credentials.guruadmin.{username,email,role,note}
+wordpress.{version,php_version,path}
+cpanel.{username,server,email}
+contact.{name,email,phone,address}
+```
+
+Retrieve: `bash $VAULT get clients/cryoweave/wordpress-admin.sops.yaml`
+
+## Dev Site — Static Site (current state as of 2026-05-22)
+
+Six-page static HTML/CSS site built with bold-light theme. Design system: IBM Plex Sans + Mono, orange accent (#ff6b35), 64px headlines. WCAG 2.1 AA compliant. Mobile-responsive (breakpoints at 768px, 1024px).
+
+**Pages:** index, about, capabilities, applications, resources, contact
+
+**Deployed to:** `/home/cryoweave/public_html/dev/`
+
+**Pending before production launch:**
+- Formspree endpoint ID from Greg (contact.html placeholder at line 108)
+- Real testimonials (currently drafted)
+- Assembly photos from Greg
+- Google Business Profile setup
+- Research Universal Cryogenics competitive positioning
+- Verify NIST naming permission (legal)
+- RankMath SEO configuration
+
+## Patterns & Known Issues
+
+- **cPHulk lockout:** Multiple failed SSH attempts as `cryoweave` user trigger cPanel security lockout. Always use `root@172.16.3.10` directly.
+- **WordPress special characters:** Special characters in WP admin passwords (via WP-CLI over SSH) cause authentication failures. Use alphanumeric passwords for command-line-created accounts.
+- **Vault pull-rebase required:** Vault repo may have upstream commits; always `git pull --rebase` before vault push.
+- **Design audience:** Physicists and university administrators. Academic/journal aesthetic (Nature, IEEE), not SaaS marketing. IBM Plex typography.
+- **Market positioning:** Target universities frustrated with Universal Cryogenics lead times. Primary message: "60-day delivery when standard fabricators say 'wait'."
+
+## Active Work
+
+**Phase 1 (immediate, as of 2026-05-22):**
+- [ ] Google Business Profile — claim/create, add NASA/ESA/CNES qualifications and photos
+- [ ] Get high-res assembly photos from Greg (assemblies, thermal bleed-off, NASA/ESA/CNES project examples if allowed)
+- [ ] Replace dev homepage with professional version on production domain
+- [ ] Research Universal Cryogenics (lead times, pricing, CryoWeave win/loss positioning)
+- [ ] Get Formspree account ID from Greg for contact form
+
+**Phase 2 (next 30 days):**
+- [ ] Customer testimonials collection
+- [ ] Case studies: NIST reverse twist project, astrophysics detector wiring
+- [ ] Professional photography (workshop, assembly close-ups, Greg at work)
+- [ ] Application-specific subpages (/astrophysics-cryogenic-detectors/, /quantum-computing-cables/, /space-mission-hardware/)
+- [ ] Google Search Console — verify ownership, submit sitemap
+- [ ] RankMath configuration (focus keywords, meta descriptions, schema, sitemap)
+
+## History Highlights
+
+- **[Prior to 2026-05-21]** SEO audit, competitive research, noindex fix performed (details in earlier undocumented sessions).
+- **2026-05-21** — Greg meeting (21 Q&A): primary market confirmed as astrophysics (not quantum computing); CNES added to agency credentials; 60-day delivery identified as primary competitive advantage. WordPress 6.1.10 → 7.0 upgrade (dev + production). RankMath SEO plugin installed. WordPress admin account `mikeadmin` created. Credentials vaulted in SOPS. Four homepage design iterations; professional academic style (IBM Plex) published to dev site.
+- **2026-05-22** — Full 6-page static site built with bold-light theme (orange accent, IBM Plex). WordPress installation removed from dev server (backed up). WCAG 2.1 AA compliance applied throughout. Site deployed to http://dev.cryoweave.com/ awaiting client review and content from Greg.
+
+## Backlinks
+
+- `wiki/systems/ix-webhosting.md` [if exists] — shared hosting server
diff --git a/wiki/clients/glaztech.md b/wiki/clients/glaztech.md
new file mode 100644
index 0000000..7b4bfcc
--- /dev/null
+++ b/wiki/clients/glaztech.md
@@ -0,0 +1,125 @@
+---
+type: client
+name: glaztech
+display_name: Glaz-Tech Industries
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/glaztech/session-logs/2026-04-20-session.md
+  - clients/glaztech/session-logs/2026-04-21-session.md
+  - clients/glaztech/reports/2026-04-17-phishing-incident-report.md
+  - clients/glaztech/PROJECT_STATE.md
+  - clients/glaztech/README.md
+backlinks: []
+---
+
+# Glaz-Tech Industries
+
+## Profile
+
+- **Contract type:** Managed (long-term — ~15 years per session logs)
+- **Key contacts:** Steve Eastman — seastman@glaztech.com — internal IT, ~200 users, 9 locations. Desktop-level tech; guides technical direction, ACG implements.
+- **Billing rate:** [unverified — not recorded in session logs]
+- **Syncro customer ID:** 143932
+- **Active tickets:** #32176 (DMARC override, Invoiced), #32186 (M365 Security Review / MFA, In Progress as of 2026-04-21)
+- **GuruRMM client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9
+- **GuruRMM site:** SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)
+
+## Infrastructure
+
+### Servers & Services
+
+No dedicated on-premises server infrastructure documented. Multi-site Windows environment (~200 users, 9 locations). Active Directory confirmed (OUs referenced in deployment scripts). IP range: 192.168.0.0/24 through 192.168.9.0/24 (10 site subnets, one per site).
+
+| Service | Details | Notes |
+|---|---|---|
+| M365 tenant | glaztechindustries.onmicrosoft.com | ~200 users, basic licensing (no Entra P1) |
+| Exchange Online | glaztech.com | MailProtector inbound filter (MX 5 primary) |
+| Active Directory | glaztech.com domain | [unverified — AD inferred from OU references in scripts] |
+
+### Email & Identity
+
+- **M365 tenant:** glaztechindustries.onmicrosoft.com
+- **Tenant ID:** 82931e3c-de7a-4f74-87f7-fe714be1f160
+- **Primary domain:** glaztech.com
+- **Inbound mail filter:** MailProtector — `glaztech-com.inbound.emailservice.io` (MX 5, sole MX as of 2026-04-17)
+- **DMARC:** p=reject; sp=reject (hardened 2026-04-17, was p=none)
+- **DKIM:** CNAME records exist for selector1/selector2 — active status unverified [WARNING: confirm DKIM is active in M365]
+- **MFA status:** [WARNING] DISABLED as of 2026-04-21. Security Defaults off. No Conditional Access (requires Entra P1, not licensed). ~160 users with password-only sign-in. MFA rollout is open work item — do not enable Security Defaults until service account audit is complete (see Active Work).
+- **Licensing:** Basic M365 (no Entra P1 / Business Premium). Per-user MFA or Security Defaults are the available free options.
+- **Mailbox forwarding (internal, low risk):** Payroll@glaztech.com → carmen@glaztech.com; TUCCSR@glaztech.com → bryce@glaztech.com
+- **OAuth consent grants:** 38 grants — not audited as of last session
+
+### Network
+
+- **Sites:** 9 locations
+- **IP ranges:** 192.168.0.x through 192.168.9.x (one subnet per site — up to 10 sites)
+- **Firewall/ISP:** [unverified — not documented]
+- **DNS hosted on:** IX server (172.16.3.10), PowerDNS. Zone file: `/var/named/glaztech.com.db`
+
+## Access
+
+- **Remediation tool:** ComputerGuru apps consented in tenant (Exchange Operator, Security Investigator, Tenant Admin, Defender Add-on)
+- **Exchange Operator App ID:** b43e7342-5b4b-492f-890f-bb5a4f7f40e9
+- **Remediation tool app (AI):** fabb3421-8b34-484b-bc17-e46de9703418
+- **Exchange Admin role:** Assigned to ACG service principal in Entra
+- **Global Admin account:** admin@glaztechindustries.onmicrosoft.com (ACG admin only — external GA from tomakkglass.com removed 2026-04-21)
+- **Vault path:** `clients/glaztech/` [no SOPS credential file documented — remediation tool uses MSP-wide app credentials]
+- **Exchange Operator vault:** `msp-tools/computerguru-exchange-operator.sops.yaml`
+- **DNS access:** `root@172.16.3.10` (IX server)
+- **Deploy (endpoints):** ScreenConnect or GuruRMM
+
+## Patterns & Known Issues
+
+- **Phishing via direct-to-M365 MX bypass:** Two phishing campaigns in April 2026 succeeded because DNS had a secondary MX record (`glaztech-com.mail.protection.outlook.com` at priority 10) that bypassed MailProtector. Hardened: MX 10 removed, DMARC to p=reject, Enhanced Filtering for Connectors enabled. Do not re-add a secondary MX record.
+- **Inbound connector IP restriction:** Do NOT restrict `SenderIPAddresses` on the "Inbound Spam Filter" connector — blocks legitimate calendar invites from external M365 tenants (learned from Dataforth incident). EFSkipIPs are set to MailProtector IPs instead.
+- **Service accounts need audit before MFA rollout:** Shoretel, mitel, Gti-FaxFinder, GTIMail, GTIQUOTE, CAS1944, clerk — all need SMTP/auth method confirmation before Security Defaults can be enabled.
+- **PDF preview broken (MOTW):** Windows KB5066791/KB5066835 broke PDF preview on network shares via Mark of the Web. Fix scripts are ready in `clients/glaztech/` — deployment is pending (as of 2026-03-30).
+- **clearcutglass.com DMARC history:** Corena Spottsville (clearcutglass.com) emails to seastman and zulema were rejected. Temporary transport rule (SCL=-1) was set and removed on 2026-04-21. SPF ~all weakness noted to Team Logic IT (Jordan Fox, jfox@tlit60302.com); recommend they harden to -all and confirm DKIM.
+- **Client tone:** ACG has managed GlazTech ~15 years. Steve Eastman is a trusted internal IT partner. Comments and communication should lead with what we know, state findings and actions taken, ask only one targeted question if needed — not open-ended discovery.
+- **Unlicensed accounts (pending Steve confirmation):** Chauntelle@glaztech.com, Denouser1@glaztech.com, Gti-FaxFinder@glaztech.com.
+
+## Active Work
+
+### PDF Preview Fix (DEPLOYMENT-READY — pending execution)
+
+Scripts in `clients/glaztech/`:
+- `Fix-PDFPreview-Glaztech-UPDATED.ps1` — updated remediation (recommended)
+- `Fix-PDFPreview-Glaztech.ps1` — original
+- `Deploy-PDFFix-BulkRemote.ps1` — bulk remote deployment
+- `GPO-Configuration-Guide.md` — GPO method
+- `QUICK-REFERENCE.md` — summary of all three methods
+
+Deploy via Option A (ScreenConnect, individual), Option B (bulk remote via PS remoting), or Option C (GPO). Waiting on file server hostnames/IPs from Steve before bulk deploy.
+
+### MFA Rollout (Ticket #32186 — In Progress)
+
+Waiting on Steve's reply to:
+1. Service account auth methods (which use SMTP basic auth or password-only flows?)
+2. Disposition of unlicensed accounts (Chauntelle, Denouser1, Gti-FaxFinder)
+3. Licensing preference: Security Defaults (free, no exclusions) vs. per-user MFA (free, can exclude service accounts) vs. Conditional Access (requires Entra P1/Business Premium, ~$22/user/mo)
+
+**Do not enable Security Defaults until service accounts are confirmed safe.**
+
+MFA rollout plan: Phase 1 — user communication (install Authenticator); Phase 2 — enable enforcement; Phase 3 — follow-up stragglers; Phase 4 (future/P1) — Conditional Access with trusted IPs for office locations.
+
+### Pending follow-ups
+
+- Audit 38 OAuth consent grants (not done as of 2026-04-21)
+- Confirm DKIM signing active in M365 for glaztech.com
+- Monitor DMARC aggregate reports (rua=noreply@glaztech.com — should be a monitored mailbox or reporting service)
+- Security awareness training for staff (multiple employees forwarded and replied to obvious phishing in April 2026)
+- Review whether any user clicked phishing links (check sign-in logs for suspicious auth attempts post-April 17)
+- Confirm test email clean delivery from clearcutglass.com after DMARC fix
+
+## History Highlights
+
+- **[~15 years prior]** Long-standing managed client.
+- **2026-01-27** — PDF preview break caused by Windows MOTW update (KB5066791/KB5066835). Fix scripts created. Deployment pending.
+- **2026-04-17** — Two phishing campaigns bypassed MailProtector via direct-to-M365 MX bypass. 32 messages purged across 8 users. Hardened: MX 10 removed, DMARC p=reject, Enhanced Filtering Connectors enabled. Remediation tool onboarded (admin consent, Exchange Admin role). Forensic evidence preserved in `clients/glaztech/reports/`.
+- **2026-04-20** — Exchange transport rule created to allow clearcutglass.com mail (DMARC bypass, SCL=-1) while Team Logic IT fixed their DNS. Ticket #32176 created.
+- **2026-04-21** — clearcutglass.com DNS fixed by Team Logic IT (Jordan Fox). Transport rule removed. External Global Admin (glaztechadmin from tomakkglass.com / Team Logic IT) removed from tenant. M365 security review surfaced: no MFA, 38 OAuth grants, unlicensed accounts, service account audit needed. Ticket #32186 opened for MFA implementation. Feedback: use expert-partner tone with Steve, not open-ended discovery questions.
+
+## Backlinks
+
+- `wiki/systems/ix-webhosting.md` [if exists] — DNS hosted on IX server
diff --git a/wiki/clients/grabb-durando.md b/wiki/clients/grabb-durando.md
new file mode 100644
index 0000000..e384dda
--- /dev/null
+++ b/wiki/clients/grabb-durando.md
@@ -0,0 +1,117 @@
+---
+type: client
+name: grabb-durando
+display_name: Grabb & Durando, P.C.
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/grabb-durando/session-logs/2026-05-04-leap-m365-calendar-fix.md
+  - clients/grabb-durando/reports/2026-05-04-leap-calendar-permission-investigation.md
+  - clients/grabb-durando/ai-demand-review/CONTEXT.md
+  - clients/grabb-durando/PROJECT_STATE.md
+  - clients/grabb-durando/website-migration/README.md
+  - clients/grabb-durando/gururmm-diag-GND-SERVER-20260512-155234.txt
+backlinks:
+  - projects/gururmm
+---
+
+# Grabb & Durando, P.C.
+
+## Profile
+
+- **Company type:** Plaintiff personal injury law firm (Arizona)
+- **Contract type:** Managed (MSP) — includes M365 tenant management
+- **Key contacts:**
+  - Robert Grabb — rgrabb@grabblaw.com (principal — AI demand review project)
+  - Svetlana Larionova — slarionova@grabblaw.com (end user; Leap calendar support 2026-05-04)
+  - sysadmin@grabblaw.com — shared admin account (M365 GA operations)
+  - guru@grabblaw.com — ACG-managed Global Admin account [unverified — referenced in remediation report]
+- **Billing rate:** [unverified — not documented in available files]
+- **Active ticket:** [unverified — no current open Syncro ticket found in sources]
+- **Syncro customer ID:** [unverified — not present in available session logs]
+
+## Infrastructure
+
+### Servers & Services
+
+| Host | IP | Role | OS | Notes |
+|---|---|---|---|---|
+| GND-SERVER | [unverified] | On-premise server | Windows Server 2019 Standard, AMD64 | GuruRMM agent installed 2026-05-12 via site-specific MSI |
+| GoDaddy VPS | 208.109.235.224 | Custom PHP web app (data.grabbanddurando.com) | CloudLinux 9.6, cPanel v126 | 99% disk full as of website migration plan — status post-migration unknown [unverified] |
+| ix.azcomputerguru.com (IX) | 72.194.62.5 | ACG shared hosting — migration target | CloudLinux 9.7, cPanel | Migration planned but no session log confirms completion [unverified] |
+| WebSvr (ACG) | 162.248.93.81 | Main domain (grabbanddurando.com) DNS/hosting | ACG managed | Nameserver authority for grabbanddurando.com zone |
+
+### Email & Identity
+
+- **M365 tenant:** grabblaw.com (tenant ID `032b383e-96e4-491b-880d-3fd3295672c3`)
+- **Licenses:** O365 Business Premium (confirmed on multiple users)
+- **MFA status:** [unverified]
+- **User-consent policy:** `microsoft-user-default-recommended` + `microsoft-user-default-allow-consent-apps` — high-risk delegated scopes (Mail.ReadWrite, Files.ReadWrite.All) require admin approval
+- **Leap (legal case management):** Two service principals registered in tenant:
+  - LEAP daemon/service app — `5602fc50-4c30-4faa-a595-e5a0f15d2cce` (app-only, tenant-wide consent already granted)
+  - LEAP user-facing/delegated app — `a7d19842-33e2-457b-a399-d4e6ec010f0a` (per-user or tenant-wide consent; tenant-wide granted 2026-05-04)
+- **Inky/GuruProtect:** Installed (confirmed in email headers)
+- **GuruRMM Security Investigator app:** Consented in tenant (used for read-only Graph investigation 2026-05-04)
+
+### Network
+
+- **ISP / WAN:** [unverified]
+- **Firewall:** [unverified]
+- **VPN:** [unverified]
+
+### Web Applications
+
+- **Primary site:** grabbanddurando.com — hosted on WebSvr (ACG)
+- **Data app:** data.grabbanddurando.com — custom PHP 7.4 app using mysqli; GoDaddy cPanel account `grabbandurando`, document root `/home/grabbanddurando/public_html/new_gdapp/`, database `grabblaw_gdapp` (31 MB)
+- **Case management:** Leap — integrated with M365 calendar/mail via delegated OAuth
+
+## GuruRMM
+
+- **Site name:** Main Office
+- **Client code:** [unverified — not documented in available files; MSI was site-specific]
+- **Site ID:** `d526d700-7210-48b1-94a9-40c87a29dc25` (from agent registry, this is the SiteId value baked into the MSI)
+
+### Enrolled Agents
+
+| Agent | Host | OS | Version at install | Agent key (partial) | Notes |
+|---|---|---|---|---|---|
+| GND-SERVER | GND-SERVER | Windows Server 2019 | 0.6.2 (2026-05-12) | `agk_NEzx7sRA9Jd...` | Installed via MSI `gururmm-agent-grabb-main-office.msi`; running as LocalSystem; [WARNING] binary path issue noted at install time — path in registry did not match actual binary location |
+
+- **GuruRMM agent ID:** [unverified — agent ID not captured in available files; use dashboard to confirm]
+- **Agent log:** `C:\ProgramData\GuruRMM\agent.log.2026-05-12` (0 bytes at install time)
+- **Network connectivity check (2026-05-12):** External HTTPS to rmm.azcomputerguru.com [OK]; internal API (172.16.3.30:3001) [FAIL — timeout, expected for external client]
+
+## Access
+
+- **M365 admin:** Entra portal via sysadmin@grabblaw.com or guru@grabblaw.com
+- **GoDaddy VPS (source):** `ssh -i ~/.ssh/id_ed25519 root@208.109.235.224`
+- **IX server (hosting target):** `ssh root@ix.azcomputerguru.com`
+- **WebSvr (DNS):** `ssh root@websvr.acghosting.com`
+- **Vault path:** `clients/grabb-durando/` [unverified — no confirmed SOPS entries found in session logs; check vault before assuming paths]
+- **Database credentials (GoDaddy):** [WARNING] Database password `e8o8glFDZD` appears in plaintext in `clients/grabb-durando/website-migration/README.md` — migrate to vault before any future work on this project
+
+## Patterns & Known Issues
+
+- **Leap OAuth consent pattern:** New hires at Grabb & Durando will NOT automatically have Leap M365 calendar sync enabled. As of 2026-05-04 tenant-wide consent was granted on the LEAP delegated app — new users should now get through the consent flow without admin intervention. Verify this holds for next new hire.
+- **Leap identity binding trap:** If an admin signs in to Leap on a user's machine to grant consent, Leap stores the admin's identity token instead of the user's. Symptom: Leap syncs the wrong mailbox and throws "unable to subscribe to notifications." Fix: revoke admin OAuth grant, clear `%LOCALAPPDATA%\Microsoft Corporation\` Leap cache, re-sign in as the correct user.
+- **SYSTEM context in GuruRMM commands:** Agent runs as LocalSystem. HKCU probes from GuruRMM commands read the SYSTEM hive, not a logged-in user's. Use `HKU:\<SID>` path for per-user registry work.
+- **Website migration (data.grabbanddurando.com):** PHP 7.4 app, 1.8 GB files + 31 MB database. Migration target is IX (ix.azcomputerguru.com). Migration plan is detailed; no session log confirms completion — assume NOT migrated until verified.
+
+## Active Work
+
+- **AI Demand Review System** (scoping/pre-quote as of 2026-05-12): Robert Grabb wants a custom Claude API web application for AI-assisted pre-suit demand package preparation. 11-category document upload UI, structured Claude output (case snapshot, liability, medical chronology, demand letter, etc.), DOCX/PDF export, per-case audit log. Estimated 32–48 hrs, $4,000–$6,960 flat fee range. Discovery call questions outstanding (user count, Leap API, file server structure). See `clients/grabb-durando/ai-demand-review/CONTEXT.md` for full spec.
+- **Website migration** (data.grabbanddurando.com → IX): Status unknown. GoDaddy VPS was 99% full as of project planning. No completion session log found. [WARNING] Verify migration status before any GoDaddy VPS work or billing.
+
+## History Highlights
+
+| Date | Event |
+|---|---|
+| Pre-2026 | Established MSP client; M365 tenant (grabblaw.com) under ACG management; Leap deployed firm-wide |
+| 2025-12-15 | Website migration session logs referenced (in old claude-projects path) — data.grabbanddurando.com migration likely attempted [unverified from available files] |
+| 2026-04-20 | PROJECT_STATE.md created noting website migration stalled, no session logs recorded at that time |
+| 2026-05-04 | Howard: Leap M365 calendar sync for Svetlana Larionova — OAuth consent investigation + tenant-wide LEAP consent granted by Mike; Leap identity token cleanup; Teams external-share limitation explained; second monitor added |
+| 2026-05-12 | GuruRMM agent installed on GND-SERVER via site-specific MSI (v0.6.2). Diagnostic run confirms agent service running. AI demand review project kicked off — Phase Two Package delivered by Robert Grabb, ACG scoping review begun. |
+
+## Backlinks
+
+- [[projects/gururmm]] — GND-SERVER enrolled (site: Main Office)
diff --git a/wiki/clients/internal-infrastructure.md b/wiki/clients/internal-infrastructure.md
new file mode 100644
index 0000000..899dff6
--- /dev/null
+++ b/wiki/clients/internal-infrastructure.md
@@ -0,0 +1,294 @@
+---
+type: client
+name: internal-infrastructure
+display_name: ACG Internal Infrastructure
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/internal-infrastructure/PROJECT_STATE.md
+  - clients/internal-infrastructure/ix-server-issues-2026-01-13.md
+  - clients/internal-infrastructure/docs/SSH_ACCESS_SETUP.md
+  - clients/internal-infrastructure/docs/SSH_CONNECTION_INVESTIGATION_REPORT.md
+  - clients/internal-infrastructure/reports/2026-04-16-howard-breach-check.md
+  - clients/internal-infrastructure/vendor-tickets/2026-04-13-cox-bgp-cloudflare-routing.md
+  - clients/internal-infrastructure/session-logs/2026-03-16-ix-account-cleanup.md
+  - clients/internal-infrastructure/session-logs/2026-03-17-neptune-exchange-cleanup.md
+  - clients/internal-infrastructure/session-logs/2026-04-11-smart-slider-security-scan.md
+  - clients/internal-infrastructure/session-logs/2026-04-13-session.md
+  - clients/internal-infrastructure/session-logs/2026-04-23-neptune-inbound-mail-outage.md
+  - .claude/memory/infra_office_network.md
+  - .claude/memory/reference_ix_server_ssh.md
+  - .claude/memory/project_email_routing_neptune.md
+  - CONTEXT.md (root)
+backlinks:
+  - systems/jupiter
+  - systems/neptune
+  - projects/msp-tools/guru-rmm
+---
+
+# ACG Internal Infrastructure
+
+Arizona Computer Guru's own internal systems, treated as a "client" record for work-tracking purposes. This article covers what lives under `clients/internal-infrastructure/` — ad-hoc operational work on ACG's own hosting servers, mail platform, network, and M365 tenant. It is NOT the primary record for GuruRMM development (see `wiki/projects/guru-rmm.md`), ClaudeTools API development (see `CONTEXT.md` root), or ACG office LAN topology (see `wiki/systems/`). The merge of the former `clients/ix-server/` folder into this one happened 2026-04-13.
+
+---
+
+## Profile
+
+- **Contract type:** Internal (no billing) — ACG's own infrastructure. Work is ad-hoc and reactive.
+- **Key contacts:**
+
+| Name | Role | Notes |
+|---|---|---|
+| Mike Swanson (mike) | Owner / admin | Primary operator |
+| Howard Enos (howard) | Technician | Full trust — same access as admin |
+
+- **Billing rate:** N/A — internal only
+- **M365 tenant:** azcomputerguru.com | Tenant ID: `ce61461e-81a0-4c84-bb4a-7b354a9a356d`
+- **Syncro customer ID:** N/A — ACG's own work is not tracked in Syncro
+
+---
+
+## What This Client Record Covers
+
+This folder tracks reactive work on ACG's own:
+- **IX web hosting server** (cPanel/WHM, client websites, WordPress maintenance)
+- **Neptune Exchange server** (hosted mail for multiple client domains — physically at Dataforth D2)
+- **Cloudflare / DNS** (azcomputerguru.com zone, tunnel, BGP issues)
+- **ACG M365 tenant** (azcomputerguru.com — breach checks, CA policy hygiene)
+- **ACG office LAN** (pfSense, Jupiter Unraid, VMs) — incidental notes; primary docs are in `wiki/systems/`
+
+Work on **GuruRMM** (development, deployment) lives in `projects/msp-tools/guru-rmm/` and root `session-logs/`. Work on **ClaudeTools API** lives in `projects/` and root `CONTEXT.md`.
+
+---
+
+## Infrastructure
+
+### ACG Office LAN
+
+- **Subnet:** 172.16.0.0/22
+- **DNS / Router:** pfSense at 172.16.0.1 (SSH port 2248, user admin); handles Unbound DNS and Tailscale subnet routing
+- **Tailscale node:** pfsense-2 (100.119.153.74)
+- **Vault:** `infrastructure/pfsense-firewall.sops.yaml`
+
+| Host | IP | Role | Notes |
+|---|---|---|---|
+| Jupiter | 172.16.3.20 | Unraid NAS — all VMs + Docker | SSH port 22, root. NPM, Gitea, Seafile, GuruRMM VM, cloudflared |
+| GuruRMM VM | 172.16.3.30 | Linux VM on Jupiter | GuruRMM server, ClaudeTools API, MariaDB, Coord API |
+| Pluto | 172.16.3.36 | Windows Server 2019 VM on Jupiter | MSI build server for GuruRMM agents |
+| Uranus | 172.16.3.21 | OwnCloud additional storage | NOT a proxy |
+| IX Web Server | 172.16.3.10 | cPanel/WHM web hosting | 87 WordPress sites, CloudLinux 9.7 |
+| Neptune Exchange | 172.16.3.11 | Exchange Server 2016 | Physically at Dataforth D2 — NOT ACG office LAN |
+| ACG-DC16 | 172.16.3.52 / 172.16.3.50 | Windows Server 2016 DC | AD, DNS for acg.local; all FSMO roles |
+
+### IX Web Hosting Server
+
+- **Hostname:** ix.azcomputerguru.com
+- **Internal IP:** 172.16.3.10
+- **External IP:** 72.194.62.5
+- **OS:** CloudLinux 9.7 (RHEL 9 family)
+- **Stack:** Apache, WHM/cPanel, MySQL/MariaDB per-account
+- **Sites:** 87 WordPress installations (as of 2026-04-11 scan); 82 cPanel accounts audited 2026-03-16 (14 removed, 7 restored)
+- **WHM:** `https://ix.azcomputerguru.com:2087` — must be **DNS-only / grey-cloud** in Cloudflare (port 2087/2083 require direct IP routing; Cloudflare tunnel cannot forward non-standard ports)
+- **SSH:** `ssh root@172.16.3.10` (internal) or `ssh root@72.194.62.5` (external)
+- **Vault:** `infrastructure/ix-server.sops.yaml`
+- **[WARNING] SSH key auth not set up from CachyOS workstation (acg-guru-5070)** — must use sshpass with password from vault when connecting from that machine.
+
+**ACG infrastructure DNS zones on IX** (must never remove the `acg` cPanel account):
+- acghosting.com, ns1.acghosting.com, ns2.acghosting.com, fsusa.acghosting.com, websvr.acghosting.com
+
+**Clients with active mail on IX** (accounts kept for non-web services):
+- `cascades` — cascadestucson.com (active local mail, populated mailboxes)
+- `rrspc` — rrspc.com (active local mail, MX to mail.rrspc.com on IX)
+- `glaztech` — glaztech.com (DNS-only account)
+- `rarengineer` — rarengineer.com (MX may resolve to IX)
+- `thegirlsestate` — thegirlsestatesales.com (mail service account)
+
+### Neptune Exchange Server
+
+Neptune is ACG's on-premises Exchange Server 2016, hosting mail for multiple client domains. It is physically colocated at Dataforth's D2 facility but operates as ACG infrastructure.
+
+- **Hostname:** neptune.acghosting.com / mail.acghosting.com / NEPTUNE.acg.local
+- **Internal IP:** 172.16.3.11 (172.16.x.x subnet — NOT at ACG office despite the IP)
+- **External IP:** 67.206.163.124 (inbound); 67.206.163.122 (outbound)
+- **OS:** [WARNING] Windows Server 2022 (in-place upgraded from WS2016 on 2026-04-22 — Exchange 2016 is UNSUPPORTED on WS2022)
+- **Exchange:** 2016 Standard Evaluation, Build 15.1.2507.17
+- **AD Domain:** acg.local
+- **DNS Server (primary):** ACG-DC16 at 172.16.3.52 (also .50)
+- **Mailboxes:** 56 total (N-Hosting1 DB: 809 GB / 54 boxes; N-LargeBoxes DB: 313 GB / 2 boxes)
+- **Let's Encrypt cert:** CN=mail.acghosting.com, expires 2026-05-31 [WARNING] — renewal needed
+- **Internal transport cert:** Thumbprint `E58BFCBAEFEFDCAED0BF9E894127A3DE64CE9C69`, expires 2026-07-22 [WARNING]
+- **Access:** Local PowerShell with Exchange Management Shell snapin (`Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn`); must run as administrator.ACG on the box or via domain-admin WinRM
+- **Vault:** `infrastructure/neptune-exchange.sops.yaml` [unverified — check vault for current entry name]
+
+**Accepted domains on Neptune** (19 client-hosted):
+acg.local, acghosting.com (ExternalRelay), airandspaceacademy.com, amtransit.com, devconllc.com, farwestwell.com, goldenchoicecatering.com, jparkinsonaz.com, justsimplysmart.com, lifelonglearningacademy.com, littleheartslittlehands.com, littleheartslittlehands.org, outaboundssports.com, packetdial.com, patriotinternalmedicine.com, rieussetcorp.com, simplehost.email (Default), tucsongoldencorral.com, tucsonsafety.com
+
+**Outbound SBR send connectors** (via Mailprotector / emailservice.io smarthosts): devconllc, littleheartslittlehands/airandspaceacademy, patriotinternalmedicine, farwestwell, tucsongoldencorral, lifelonglearningacademy, amtransit, tucsonsafety, rieussetcorp/Sorensen, horseshoemgt, catch-all (DNS)
+
+**DKIM signing** (Exchange DkimSigner — currently DISABLED after 2026-04-23 KB outage): amtransit.com (s1), littleheartslittlehands.org (default), tucsongoldencorral.com (dkim), devconllc.com (default), jparkinsonaz.com (s1), rieussetcorp.com (s1). Keys in `C:\Program Files\Exchange DkimSigner\keys\`
+
+**Transport rules** (3): Restrict Inbound - Devcon and LittleHearts (priority 0), Webhost Spam (priority 1), Bardach BCC (priority 2)
+
+**[WARNING] Critical post-WS2022-upgrade changes that must survive reboots** (applied 2026-04-23):
+- `Set-TransportServer NEPTUNE -InternalDNSAdapterEnabled $false -InternalDNSServers @('172.16.3.50','172.16.3.52')` — Exchange transport DNS must NOT use adapter-mode on WS2022 (edgetransport bypasses suffix search list; causes `DnsDomainDoesNotExist` for short names like n-hosting1)
+- `Exchange DkimSigner` transport agent: DISABLED (went async on OnCategorizedMessage after .NET CU)
+- `messageconcept SenderBasedRouting` transport agent: DISABLED (expired license; MS SBR at priority 12 handles outbound routing)
+- IRM fully disabled: `Set-IRMConfiguration -InternalLicensingEnabled $false -ExternalLicensingEnabled $false -TransportDecryptionSetting Disabled ...`
+- `HKLM\SYSTEM\CurrentControlSet\Services\AssistantsQuarantine` ACL: NETWORK SERVICE has FullControl (inheritable) — added because WS2022 default ACL excludes NETWORK SERVICE, causing Event 10003 delivery crashes
+- DC-side DNS A records on ACG-DC16: n-hosting1 → 172.16.3.11, n-largeboxes → 172.16.3.11, mail.acg.local → 172.16.3.11
+- Hosts file on Neptune: MAIL → 172.16.3.11, mail.acg.local → 172.16.3.11, n-hosting1 → 172.16.3.11, n-largeboxes → 172.16.3.11 (belt-and-suspenders; edgetransport bypasses hosts file but other processes use it)
+- `msExchRoutingMasterDN` set to NEPTUNE DN (was pointing to tombstoned MAIL server AD object)
+- MSExchangeADTopology: 45-sec SCM start timeout on every cold boot on WS2022 — manual `Start-Service MSExchangeADTopology` then start remaining services in dependency order is required after every reboot
+
+**Dead MAIL server AD carcass** (still in AD — decommission pending):
+- `CN=MAIL,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),...`
+- Has 6 attached receive connectors and the WesternTire Relay connector — all can be removed with the server object
+- Must remove via ADSI Edit (`Remove-ADObject -Recursive`) — no physical server exists
+
+**Migration plan** (decided 2026-04-23): Build fresh WS2022 VM, install Exchange 2019 CU14+ (supported OS combo), move 56 mailboxes, repoint MailProtector relay + public DNS + AutoDiscover, force-remove both NEPTUNE and MAIL carcasses. Full runbook at `C:\NeptuneConfigExport-20260423\MIGRATION-RUNBOOK.md` on NEPTUNE — copy this folder before NEPTUNE goes away. Do NOT run `/PrepareSchema` without a system-state backup of ACG-DC16 first (single-DC forest; schema changes are forest-permanent).
+
+### Cloudflare / DNS
+
+- **Zone:** azcomputerguru.com — Zone ID `1beb9917c22b54be32e5215df2c227ce`
+- **Account:** Mike@azcomputerguru.com's Account, Pro Website plan
+- **CF API tokens:** in 1Password. Vault metadata only at `services/cloudflare.sops.yaml` (tokens not yet migrated to SOPS — pending action from 2026-04-13)
+- **Cloudflare Tunnel:** `acg-origin` (UUID `78d3e58f-1979-4f0e-a28b-98d6b3c3d867`) running as Docker container `cloudflared` on Jupiter (`/mnt/cache/appdata/cloudflared/`). Deployed 2026-04-13 as workaround for Cox BGP routing failure.
+
+**Tunneled hostnames** (9, all returning HTTP 200 via tunnel as of 2026-04-13):
+- To IX (172.16.3.10:443): azcomputerguru.com, analytics., community., radio.
+- To Jupiter NPM (172.16.3.20:18443): git., plexrequest., rmm., rmm-api., sync.
+
+**Grey-clouded (DNS-only) hostnames** — direct to public IP, NOT through tunnel:
+- `ix.azcomputerguru.com` → A 72.194.62.5 (must stay grey-cloud; WHM/cPanel on :2087/:2083 require direct routing)
+- `rmm-api.azcomputerguru.com` → [WARNING] must stay grey-cloud or DNS-only — Cloudflare proxy blocks WebSockets; GuruRMM agents use WebSocket to rmm-api. See Gitea Issue #9.
+
+**Unresolved / still broken hostnames** (as of 2026-04-13; no user-visible regression but not fixed):
+- `plex.azcomputerguru.com` (525) — needs Jupiter NPM vhost for Plex container
+- `rustdesk.azcomputerguru.com` (525) — rustdesk server location unknown; may be decommissioned
+- `secure.azcomputerguru.com` (ERR) — points to 172.16.1.16 which Jupiter cannot route to
+
+### ACG M365 Tenant
+
+- **Domain:** azcomputerguru.com
+- **Tenant ID:** `ce61461e-81a0-4c84-bb4a-7b354a9a356d`
+- **MSP multi-tenant app (Claude-MSP-Access):** App ID `fabb3421-8b34-484b-bc17-e46de9703418` — vault: msp-tools SOPS file
+
+---
+
+## Access
+
+| Resource | Method | Notes |
+|---|---|---|
+| IX (internal) | `ssh root@172.16.3.10` | Vault: `infrastructure/ix-server.sops.yaml` |
+| IX (external) | `ssh root@72.194.62.5` | Same credentials |
+| IX WHM | `https://ix.azcomputerguru.com:2087` | Must be grey-cloud in CF; NAT via pfSense |
+| Jupiter | `ssh root@172.16.3.20` | Vault: `infrastructure/jupiter-unraid-primary.sops.yaml` |
+| pfSense | `ssh admin@172.16.0.1 -p 2248` | Vault: `infrastructure/pfsense-firewall.sops.yaml` |
+| Neptune | Local PowerShell as administrator.ACG (on-box) | Also: WinRM from ACG-DC16; no WinRM from external without VPN |
+| ACG-DC16 | `Invoke-Command -ComputerName ACG-DC16` (from domain-joined box) | Kerberos via SPN-matching hostname required |
+| ACG M365 | Graph API via Claude-MSP-Access app | Vault: msp-tools SOPS file |
+| Cloudflare API | Bearer token from 1Password | Partial: lacks Zone Settings + Analytics permissions |
+
+**SSH passwordless automation to GuruRMM VM (172.16.3.30):**
+RSA 4096-bit key at `C:\Users\MikeSwanson\.ssh\id_rsa`; public key authorized for `guru@172.16.3.30`. See `clients/internal-infrastructure/docs/SSH_ACCESS_SETUP.md`.
+
+---
+
+## Patterns & Known Issues
+
+### IX Web Server — WordPress Hygiene
+
+IX hosts 87 WordPress sites. Recurring issues:
+- **Wordfence database bloat** (wp_wffilemods, wp_wfknownfilelist) — present on most sites; needs periodic truncation
+- **Error logs growing unchecked** — arizonahatters.com hit 468 MB (2026-01-13). Log rotation via logrotate not yet deployed.
+- **WP_DEBUG enabled on production sites** — debug.log files grow unbounded (gentlemansacres.com: 350 MB, azrestaurant.com: 181 MB as of scan)
+- **5 critically outdated WordPress sites** (security risk — unaddressed since 2026-03-16 cleanup)
+- **Supply chain attack awareness:** Smart Slider 3 Pro supply chain attack (April 7-9, 2026) — IX was not affected (0 Pro installations; 3 Free installations all safe). Scan script at `/root/scan_smart_slider.sh` on IX.
+- **Old backups consuming disk:** azcomputerguru (3 GB+), acepickupparts (1.6 GB), sundanzer (2 GB) on IX — not offloaded
+
+### IX cPanel Account Hygiene
+
+Lesson from 2026-03-16 cleanup: DNS migration alone does not mean mail/DNS services have migrated. Always verify non-HTTP services before removing an account. The `acg` account contains critical NS1/NS2 infrastructure DNS zones — never remove it.
+
+### Neptune Exchange — Systemic Fragility
+
+Neptune is Exchange 2016 running on an unsupported OS (WS2022 after the 2026-04-22 in-place upgrade). Three classes of problems recur:
+
+1. **Windows Update / CU-triggered service restarts surface latent issues** — the 2026-04-23 outage involved 4 separate latent problems surfacing simultaneously after KB5082142 + KB5084071 forced transport service reload. After any Exchange or OS CU, verify end-to-end DELIVER (not just SMTP-accept) within 10 minutes.
+2. **`MSExchangeADTopology` 45-sec SCM timeout on cold boot** — every reboot on WS2022 requires manual `Start-Service MSExchangeADTopology` first, then starting remaining 25 Exchange services in dependency order. Treat reboots as planned events.
+3. **edgetransport internal DNS does not follow suffix search list on WS2022** — short names like `n-hosting1` resolve fine via .NET/OS resolver but fail in Exchange's own DNS client unless explicit DNS servers are set (`Set-TransportServer -InternalDNSAdapterEnabled $false`). DC-side A records AND the explicit DNS server config must both be in place.
+
+**Recurring email routing issues:** Sorensen (rieussetcorp) and devcon have both hit outbound routing failures; when one breaks, check if SBR config applies to the other too. See `memory/project_email_routing_neptune.md`.
+
+**Mailprotector SBR routing:** Two agents on Neptune — `messageconcept ExSBR` (DISABLED, expired license) and `Sender Based Routing` (Microsoft, priority 12, ACTIVE). SBR config files at `C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Custom\Microsoft.Exchange.SBR.{InternalDomains,OverrideSettings,IgnoreAuthAs}.config`. After any SBR config change: `Restart-Service MSExchangeTransport -Force`.
+
+**Outbound spam / DKIM hygiene:**
+- Exchange DkimSigner is DISABLED — outbound mail currently lacks DKIM signatures. Receivers with strict DMARC p=reject (devconllc.com is the one ACG operates) may reject replies. Re-enabling requires verifying DkimSigner is compatible with the post-.NET-CU runtime.
+- messageconcept ExSBR can be fully uninstalled (DLL at `C:\Program Files\messageconcept\ExSBR\`, registry key `HKLM\SOFTWARE\SenderBasedRouting`).
+
+**Pending transport cert renewal:** Thumbprint `E58BFCBAEFEFDCAED0BF9E894127A3DE64CE9C69` expires 2026-07-22.
+
+**Pending Neptune Let's Encrypt renewal:** CN=mail.acghosting.com cert expires 2026-05-31 — URGENT.
+
+**Incomplete domain MX fixes from 2026-03-17** (still unresolved as of last session):
+- `airandspaceacademy.com`: DNS on GoDaddy still points MX to mail.acghosting.com (direct, no filter) — being rejected by the transport inbound restriction rule. Needs changing to Mailprotector inbound.
+- `littleheartslittlehands.com`: DNS on Cloudflare points MX to cbsolt.net — needs Mailprotector.
+- `littleheartslittlehands.org` DMARC: still p=none (could tighten to p=reject like devcon).
+
+### Cox BGP Routing Issue
+
+Cox ISP has broken BGP routing from ACG's netblock (72.194.62.0/29) to specific Cloudflare IP prefixes (162.158.0.0/16, 172.64.0.0/13, 173.245.48.0/20, 141.101.64.0/18). Cloudflare tunnel on Jupiter is the workaround. Cox escalation ticket drafted at `clients/internal-infrastructure/vendor-tickets/2026-04-13-cox-bgp-cloudflare-routing.md` — status: [unverified] not confirmed submitted to Cox as of last session.
+
+### ACG M365 Tenant Hygiene
+
+From 2026-04-16 Howard breach check:
+- **Active credential-stuffing campaign** against howard@azcomputerguru.com — 174 foreign attempts in 30 days (CN, IN, KR, LU via Azure CLI, BR, DE, JP targeting admin endpoints). All blocked. Pattern indicates attacker knows Howard is an MSP admin and probes Exchange Online basic auth + Azure AD PowerShell.
+- **Howard's password was 18 months old** (last changed 2024-09-24) — rotation recommended.
+- **Gap: ComputerGuru - AI Remediation SP lacks Exchange Administrator role in our own tenant** — blocks hidden inbox rule checks, delegate audits, mailbox-level forwarding checks. Fix: Entra → Roles → Exchange Administrator → add the app SP.
+- **Gap: IdentityRiskyUser.Read.All not consented in azcomputerguru tenant** — blocks Identity Protection checks.
+- [unverified] Whether Howard's password was rotated after this check.
+
+### ClaudeTools Hook / SSH Process Accumulation
+
+The Claude Code hooks (user-prompt-submit, task-complete) spawn background `sync-contexts` processes with `&`. Combined with `core.sshcommand = OpenSSH` in git config, this causes SSH processes to accumulate (~1-2 per user message) without cleanup. Investigation report at `clients/internal-infrastructure/docs/SSH_CONNECTION_INVESTIGATION_REPORT.md`. Recommended fix: remove background `&` spawn from hooks or add process cleanup traps. [unverified] Whether this was addressed.
+
+---
+
+## Active Work
+
+As of last session (2026-04-23):
+
+- **Neptune Exchange migration** — Build Exchange 2019 on fresh WS2022 VM. Runbook at `C:\NeptuneConfigExport-20260423\MIGRATION-RUNBOOK.md` on Neptune. Mike building the VM. Critical gate: **back up ACG-DC16 before running `/PrepareSchema`** (forest-permanent, no rollback).
+- **Neptune Let's Encrypt cert** — expires 2026-05-31. Renewal critical.
+- **Neptune internal transport cert** — expires 2026-07-22.
+- **DkimSigner re-enable / replace** — outbound mail currently unsigned. Evaluate whether Exchange DkimSigner is runtime-compatible post-KB5084071, or replace with alternative.
+- **MAIL server AD decommission** — once Exchange 2019 is live and mailboxes moved: `Remove-ADObject -Recursive` on the MAIL carcass. After that, remove hosts file entries for MAIL/mail.acg.local and DC-side DNS records (n-hosting1, n-largeboxes, mail can remain or be repurposed for the new server).
+- **Cox BGP ticket** — submit if not already done (`vendor-tickets/2026-04-13-cox-bgp-cloudflare-routing.md`).
+- **Cloudflare tokens** — migrate from 1Password-only to SOPS vault (`services/cloudflare.sops.yaml`) for pipeline use.
+- **IX WordPress hygiene** — 5 critically outdated sites, log rotation, WP_DEBUG on production (low urgency unless a site is actively impacted).
+- **plex/rustdesk/secure hostnames** — still returning 5xx/ERR; need NPM vhost additions and/or routing fixes.
+
+---
+
+## History Highlights
+
+| Date | Event |
+|---|---|
+| 2026-01-13 | IX server critical performance scan — arizonahatters.com 468 MB error log, peacefulspirit 310 MB DB bloat, Wordfence widespread. Documented; cleanup partially executed. |
+| 2026-01-17 | SSH process accumulation investigation — hook background-spawn pattern identified as cause. |
+| 2026-03-16 | IX account cleanup — 82 cPanel accounts audited, 14 removed, 7 restored. 8.5 GB error logs truncated. 60 inactive plugins removed. 4 WordPress nav-menu.php fatal errors fixed. `clients/ix-server/` folder (later merged into this one). |
+| 2026-03-17 | Neptune Exchange cleanup — 9 stale accepted domains removed, 24 mailboxes disabled, send connectors moved from dead MAIL server to NEPTUNE, SBR routing for devcon + littlehearts restored, devconllc.com DMARC tightened to p=reject, 20,473 spam messages purged. |
+| 2026-04-11 | IX Smart Slider 3 Pro supply chain attack scan — 87 WP sites scanned; 0 Pro installations; not affected. |
+| 2026-04-13 | Cox BGP / Cloudflare 521 incident — broken BGP for CF prefixes 162.158/172.64/173.245/141.101. Cloudflare Tunnel deployed on Jupiter Docker (`acg-origin`). 9 hostnames tunneled. `clients/ix-server/` merged into `clients/internal-infrastructure/`. |
+| 2026-04-16 | Howard breach check on azcomputerguru.com M365 — no breach; credential-stuffing campaign active (all blocked); password age 18 months; Exchange Admin role missing from our own tenant for remediation app. |
+| 2026-04-22 | Neptune in-place upgraded from WS2016 → WS2022 (unsupported with Exchange 2016). |
+| 2026-04-23 | **Neptune mail outage (~42 min)** — triggered by KB5082142 + KB5084071 CUs forcing Exchange service reload after WS2022 upgrade exposed 4 latent incompatibilities: registry ACL crash, dead MAIL server proxy routing, DkimSigner async bug, RMS + Index Routing agent timeouts. 7 fixes applied. Mail restored 14:32. Exchange 2019 migration plan agreed. |
+
+---
+
+## Backlinks
+
+- [[systems/jupiter]] — Unraid primary: hosts GuruRMM VM, NPM, Gitea, cloudflared tunnel, Pluto build server VM
+- [[systems/neptune]] — Exchange Server 2016 at Dataforth D2; full article if it exists
+- [[wiki/clients/dataforth]] — Neptune physically colocated at Dataforth D2; Neptune's 172.16.x.x IP routes through D2TESTNAS
+- [[projects/msp-tools/guru-rmm]] — GuruRMM server runs on ACG office infrastructure (172.16.3.30)
diff --git a/wiki/clients/pavon.md b/wiki/clients/pavon.md
new file mode 100644
index 0000000..4c83443
--- /dev/null
+++ b/wiki/clients/pavon.md
@@ -0,0 +1,155 @@
+---
+type: client
+name: pavon
+display_name: Pavon
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/pavon/session-logs/2026-04-12-session.md
+  - clients/pavon/session-logs/2026-04-29-session.md
+  - clients/pavon/PROJECT_STATE.md
+  - clients/pavon/infrastructure-analysis.md
+  - clients/pavon/final-setup-summary.md
+  - clients/pavon/owncloud-archive-scan-completion.md
+backlinks:
+  - wiki/systems/jupiter.md
+  - wiki/systems/uranus.md
+---
+
+# Pavon
+
+## Profile
+
+- **Contract type:** Former / archived client (break-fix / project). [WARNING: Confirm whether any active relationship remains — last recorded work 2026-04-29, but context implies this is archive-only infrastructure management, not an ongoing MSP contract.]
+- **Key contacts:** [unverified — no contact name or email documented in session logs]
+- **Billing rate:** [unverified — not recorded]
+- **Syncro customer ID:** [unverified — not recorded]
+- **GuruRMM enrollment:** None recorded
+
+## Business Overview
+
+Pavon is a client with video surveillance infrastructure across at least two properties: "Raiders" and "Curves." They operate GeoVision NVR (network video recorder) systems at each site. ACG's relationship with Pavon appears to be infrastructure management of the video archive rather than a full MSP engagement. Work has consisted of archive lifecycle management and OwnCloud integration.
+
+OwnCloud is the **source of truth** for all footage, not a backup. NVR units at the client sites use the OwnCloud Desktop sync client (virtual file placeholders) to upload footage and save local NVR disk. NVRs have no direct SMB access to ACG infrastructure — they reach OwnCloud only via WebDAV. Pavon users do not use OwnCloud directly; footage retrieval goes through the NVR interface.
+
+**Retention policy:** 3 years. Footage older than 3 years may be deleted.
+
+## Infrastructure
+
+### Servers & Services
+
+| Host | IP | Role | OS | Notes |
+|---|---|---|---|---|
+| Pavon Unraid | 172.16.1.33 | Archive/backup server (client-side) | Unraid 6.x | 121TB total, 37TB used as of 2026-04-12 after cleanup |
+| OwnCloud VM | 172.16.3.22 | OwnCloud 10.x + MariaDB 10.5.29 | Rocky Linux 9.6/9.7 | Hosted on Jupiter (KVM guest); `cloud.acghosting.com` |
+| Jupiter (Unraid Primary) | 172.16.3.20 | Hypervisor for OwnCloud VM; NFS host for OwnCloud data dir | Unraid (Slackware-based) | Primary ACG infrastructure server |
+| Uranus (Unraid Secondary) | 172.16.3.21 | SMB share host for `/Archive` external storage | Unraid | Hosts `Storage` share (35TB camera archive) |
+
+**Note on Uranus vs. Pavon Unraid:** The 2026-04-12 session documented the archive as being on the Pavon Unraid server (172.16.1.33). The 2026-04-29 session shows the OwnCloud external storage mount (Storage 6, `/Archive`) pointing to **Uranus (172.16.3.21)** as the SMB host. [WARNING: Reconcile whether the 35TB archive was migrated from 172.16.1.33 to 172.16.3.21 between these sessions, or whether the April 12 session had a misidentified host. The April 29 session's reference to Uranus appears authoritative — it was discovered as already-configured state, not a change made during that session.]
+
+### Storage Layout
+
+**OwnCloud VM data directory:** `/owncloud` (NFS-mounted from Jupiter: `172.16.3.20:/mnt/user/OwnCloud`)
+
+- **Filesystem state (as of 2026-04-29):** 932 GB total, 677 GB used, 248 GB free — **74% full** [WARNING: approaching capacity]
+- **OwnCloud data root:** `/owncloud` on VM
+- **Pavon user home files** (`storage numeric_id 78, home::pavon`):
+  - `/owncloud/pavon/files/Curves/` — 188,920 files (Curves property NVR footage, 2025–2026)
+  - `/owncloud/pavon/files/Raiders/` — 48,978 files (Raiders property NVR footage, 2025–2026)
+  - Total: ~237K files
+- **Version junk (to clean):** 30 GB in `/owncloud/pavon/files_versions/` (1,326 version files) — `occ versions:cleanup pavon` will reclaim immediately [deferred]
+- **External storage (Storage 6, `/Archive`):** SMB Personal to Uranus (172.16.3.21), share `Storage`, SMB user `owncloud`. ~35TB camera archive (May–Oct 2023). `filesystem_check_changes` already set to 0.
+
+**Pavon Unraid server (172.16.1.33) — state as of 2026-04-12:**
+
+- Total: 121TB; Used: 37TB (31%); Free: 84TB (69%) — after 25TB cleanup
+- Archive share path: `/mnt/user/Storage/`
+- Camera folders: cam02, cam04, cam06, cam07, cam08, cam10, cam11, cam12, cam13, cam14, cam16
+
+### Camera Systems
+
+**Historical archive (May–Oct 2023, ~35TB on Uranus/Storage):**
+- Old Raiders configuration, cameras cam02–cam16, `.avi` (lowercase) extension
+
+**Current (2025–2026, in OwnCloud local storage):**
+- Raiders: Cam01–07 + Cam17–23 (in `/Cameras` and `/Cameras2` subfolders), `.Avi` extension, 442GB
+- Curves: Cam17–43 + Aud25 (in `/Data-F`), `.Avi` extension, 4.5TB
+
+**File age distribution for pavon (as of 2026-04-29):**
+
+- 2024: 1 file (oldest from 2024-12-21)
+- 2025: 162,898 files
+- 2026: 74,719 files
+- Older than 365 days: 256 files
+
+### Email & Identity
+
+- No M365 or email infrastructure documented for this client.
+
+### Network
+
+- Pavon Unraid (172.16.1.33) is on a different subnet (172.16.1.x) from ACG infrastructure (172.16.3.x). Both on the same 172.16.0.0/16 LAN, all 1Gbps.
+- NVR units at Curves and Raiders reach OwnCloud via WebDAV over the internet or LAN [unverified — network path not fully documented].
+
+### OwnCloud VM Details
+
+- **OS:** Rocky Linux 9.6 (noted as 9.7 in one document — 9.6 per April 29 session which is more recent)
+- **OwnCloud path:** `/var/www/owncloud/`
+- **occ command:** `sudo -u apache php /var/www/owncloud/occ ...`
+- **Apache config:** `/etc/httpd/conf.d/owncloud.conf`
+- **MariaDB:** 10.5.29, local socket auth as root
+- **Web user:** `apache`
+- **Cron:** Apache crontab at `/var/spool/cron/apache` — hardened with `flock -n /tmp/oc-cron.lock` on 2026-04-29 to prevent stacking spiral
+- **OwnCloud users:** 10 total (Martell, anaise, bst, jburger, mara, minrec, pavon, rohrbach, sysadmin, themarcgroup)
+- **URL:** http://cloud.acghosting.com or http://172.16.3.22
+
+## Access
+
+- **Pavon Unraid SSH:** `ssh root@172.16.1.33`
+- **Pavon Unraid WebGUI:** http://172.16.1.33
+- **OwnCloud VM SSH:** `ssh root@172.16.3.22` (ed25519 key; host key fingerprint: `SHA256:Yy4oFv5HudmKjNJ4IZgHcuSSmeBvUg+ZJta6iLasdqU`)
+- **OwnCloud WebGUI:** http://cloud.acghosting.com
+- **OwnCloud pavon user:** pavon / Password44$ [WARNING: plaintext in session log — vault this]
+- **Jupiter Unraid WebGUI:** http://172.16.3.20 (VM management via VMs → OwnCloud → VNC)
+- **Vault path (infrastructure):**
+  - `infrastructure/jupiter-unraid-primary.sops.yaml` — Jupiter root credentials
+  - `infrastructure/owncloud-vm.sops.yaml` — OwnCloud VM root credentials
+
+**[WARNING] Credential drift:** SOPS has `r3tr0gradE99!!` for OwnCloud VM root (confirmed working as of 2026-04-29). 1Password has stale value `Paper123!@#-unifi!` (does NOT work). Reconcile 1Password item `h6usgzxxn26kvckxz5dhssxdai` before next session.
+
+**Pavon Unraid root password:** `r3tr0gradE99!` (from session log — vault status unverified).
+
+## Patterns & Known Issues
+
+- **OwnCloud cron stacking spiral:** Without the `flock -n` wrapper, each 15-minute cron tick fires a new `occ system:cron` process regardless of whether the prior one finished. Combined with an inefficient MariaDB query against `oc_filecache` (full table scan of 257K rows in storage 78 due to missing `(storage, name)` index + collation mismatch + mid-string LIKE wildcard), this caused 75–126 stale cron processes and load average of 80 on 2026-04-29. **Fix applied:** `/var/spool/cron/apache` now uses `flock -n /tmp/oc-cron.lock`. Backup: `/root/apache-crontab.backup-20260428-pre-flock`. Do not remove the flock wrapper.
+- **Do not kill the OwnCloud VM:** NVRs at Curves and Raiders depend on it being reachable to upload footage and to rehydrate virtual file placeholders. Taking the VM offline breaks active recording workflows.
+- **files_versions cannot be group-restricted in OwnCloud Community:** `app:enable --groups` is rejected. Per-user versioning disable is not possible. Only workaround: `occ versions:cleanup pavon` to purge accumulated versions (30 GB waiting). A dangling group `versioning_users` was created during the failed attempt — harmless, can be deleted with `occ group:delete versioning_users`.
+- **OwnCloud file cache corruption:** Can occur when multiple `occ files:scan` processes run concurrently (database lock contention). Fix: kill all scan processes, restart httpd and php-fpm, run a fresh scan. Files are physically intact; only the cache index is lost.
+- **GeoVision NVR has no age-based file routing:** Cannot configure NVRs to move old files to a different folder. Migration to `/Archive` must be done from the OwnCloud VM or Uranus side.
+- **OwnCloud data dir at 74% capacity:** `/owncloud` (NFS from Jupiter) was 677/932 GB used as of 2026-04-29. The 30 GB version cleanup and a migration cron for files older than 90 days (to `/Archive` on Uranus) were both deferred. This needs attention before capacity becomes critical.
+- **Nextcloud migration:** OwnCloud Community is no longer actively developed. Migration to Nextcloud was discussed in April 2026 — fresh install preferred. No urgency as of last session, but worth planning in the 3–6 month window.
+
+## Active Work / Deferred Tasks
+
+All items below were deferred per client request after the 2026-04-29 stabilization. System is stable (cron flock in place). None are emergencies.
+
+| # | Task | Notes |
+|---|---|---|
+| 1 | Clean 30 GB of pavon version files | `occ versions:cleanup pavon` + `occ trashbin:cleanup pavon` — instant reclaim |
+| 2 | Set up daily versions cleanup cron | `0 3 * * *` → `occ versions:cleanup pavon && occ trashbin:cleanup pavon` |
+| 3 | Build monthly migration cron (internal → /Archive) | Files older than 90 days; open question: OwnCloud API vs host-level CIFS move (CIFS may break file-ID invariant for SMB Personal backend) |
+| 4 | Build 3-year retention pruning cron on /Archive | `find /Archive -type f -mtime +1095 -delete` then `occ files:scan pavon/Archive` |
+| 5 | Reconcile 1Password OwnCloud VM password | SOPS is correct (`r3tr0gradE99!!`); update 1Password item `h6usgzxxn26kvckxz5dhssxdai` |
+| 6 | Delete dangling `versioning_users` group | `occ group:delete versioning_users` — harmless if left |
+| 7 | Vault pavon OwnCloud user password | Password44$ is plaintext in session log |
+| 8 | Nextcloud migration planning | 3–6 month horizon; fresh install, Rocky Linux 9.x, same SMB external storage config |
+
+## History Highlights
+
+- **2026-04-12** — Major archive cleanup: 184,124 files (25TB, Dec 2022–Mar 2023) deleted from Pavon Unraid (172.16.1.33). 84TB freed (69% capacity). Remaining 35TB (May–Oct 2023) mounted as external storage in OwnCloud via SMB. File cache corruption resolved during setup via full rescan (142,867 files re-indexed). All 11 camera folders in `/Archive` verified accessible.
+- **2026-04-29** — OwnCloud VM cron stacking spiral diagnosed on Jupiter (load avg 80, 75–126 stale cron processes). Root cause: missing flock wrapper + inefficient MariaDB filecache query pattern for camera filenames. Killed stale processes, load dropped from 80 to 5. Wrapped apache crontab with `flock -n`. Architecture clarified: OwnCloud is source of truth; NVRs use WebDAV virtual file sync; Pavon never touches OwnCloud directly. Credential drift between SOPS and 1Password discovered. External storage `/Archive` confirmed pointing to Uranus (172.16.3.21). All follow-up work deferred per user request.
+
+## Backlinks
+
+- `wiki/systems/jupiter.md` — OwnCloud VM hosted on Jupiter; OwnCloud data dir NFS from Jupiter
+- `wiki/systems/uranus.md` — `/Archive` SMB share host
diff --git a/wiki/clients/peaceful-spirit.md b/wiki/clients/peaceful-spirit.md
new file mode 100644
index 0000000..4285f82
--- /dev/null
+++ b/wiki/clients/peaceful-spirit.md
@@ -0,0 +1,154 @@
+---
+type: client
+name: peaceful-spirit
+display_name: Peaceful Spirit Therapeutic Massage
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/peaceful-spirit/session-logs/2026-05-10-session.md
+  - clients/peaceful-spirit/session-logs/2026-05-11-session.md
+  - clients/peaceful-spirit/session-logs/2026-05-22-session.md
+backlinks:
+  - projects/gururmm
+---
+
+# Peaceful Spirit Therapeutic Massage
+
+Massage therapy practice with at least two sites: Country Club (primary, all work performed here) and a Northwest (NW) site. On-premises Windows Server 2016 Essentials domain environment. Domain-joined workstations for Mara (owner/operator) and other staff. Active VPN and identity infrastructure work as of May 2026.
+
+---
+
+## Profile
+
+- **Contract type:** Break-fix / project [unverified — no contract details found in session logs]
+- **Key contacts:**
+  - Mara — primary point of contact; owner/operator; personal Microsoft account `mara.concordia@gmail.com` (OneDrive). Domain user: `mara` (password reset to SpiritWalk26! on 2026-05-22, PasswordNeverExpires=true).
+  - Bridgette — staff member with home computer (BridgettePSHomeComputer); no contact details captured.
+- **Billing rate:** [unverified — not documented in session logs]
+- **Syncro customer ID:** [unverified — not found in session logs]
+- **Active tickets:** [unverified — no Syncro ticket numbers found in session logs]
+
+---
+
+## Infrastructure
+
+### Servers & Services
+
+| Host | IP | Role | OS | Notes |
+|---|---|---|---|---|
+| PST-SERVER | 192.168.0.2 | DC, DNS, RRAS (L2TP/IPsec VPN), NPS, Enterprise Root CA (AD CS) | Windows Server 2016 Essentials (build 14393) | GuruRMM agent ID: `6b6106a7-8515-4b6b-857d-0dc6ede53f35`. Win32-OpenSSH installed 2026-05-11. |
+| UCG-PST-CC | 192.168.0.10 (LAN) / 98.190.129.150 (WAN) | UniFi Cloud Gateway — perimeter router + DNAT for VPN | UniFi OS | SSH: root@98.190.129.150 (not accessible from office WAN; use UCG cloud portal or on-site). VPN termination was formerly UCG-hosted (strongSwan/xl2tpd) — abandoned 2026-05-22 in favor of RRAS on PST-SERVER. |
+
+**Note:** An NW (Northwest) site exists with a separate UCG that previously had an OpenVPN server at 64.139.88.249:1194 (TCP). No further NW site details are documented.
+
+### Domain & Identity
+
+- **Domain:** PEACEFULSPIRIT.local
+- **Domain admins:** `sysadmin` (password: vault) — this is the domain admin account. `pst-admin` is a domain user (not domain admin) with VPN dial-in permission.
+- **AD domain SID base:** S-1-5-21-1105246401-3156558273-4088333098
+- **CA:** PEACEFULSPIRIT-PST-SERVER-CA — Enterprise Root CA on PST-SERVER. Thumbprint: 56DAF43C60F246BF2C80A671EE9812C727D8C298 (valid to 3/8/2061).
+- **VPN-eligible users (WseRemoteAccessUsers):** Domain Admins (group), PSTAdmin, pst-admin, LMT, Mara.
+- **OneDrive:** pst-admin uses personal OneDrive (mara.concordia@gmail.com, cid: 25f0851177ceabfd). Per-machine OneDrive (v26.063.0405.0002) deployed to Maras-HP-Laptop on 2026-05-11 via `/allusers` install.
+- **Email / M365:** [unverified — no M365 tenant found; practice likely uses personal or third-party email]
+
+### Network
+
+- **WAN IP:** 98.190.129.150 (Country Club site, UCG)
+- **LAN subnet:** 192.168.0.0/24
+- **DNS / DC:** 192.168.0.2 (PST-SERVER)
+- **VPN (current — L2TP/IPsec):**
+  - Endpoint: PST-SERVER RRAS at 192.168.0.2, exposed via UCG DNAT (UDP 500, 4500, ESP)
+  - PSK: vault (`clients/peaceful-spirit/vpn.sops.yaml`)
+  - Auth: MSCHAPv2, user pst-admin
+  - IP pool: 192.168.0.240+ (observed: .241)
+  - VPN profile name on clients: "Peaceful Spirit VPN" (AllUserConnection, split tunnel, 192.168.0.0/24 route, NRPT for .peacefulspirit.local → 192.168.0.2)
+  - UCG persistence: `/data/on_boot.d/10-vpn-portforward.sh`
+- **GPO:** "Block New Outlook" — GUID {577028AF-0901-4BDF-A283-CD1156F313D9}, linked to domain root. Disables new Outlook experience across all domain machines.
+
+### Client Workstations
+
+| Machine | Role | GuruRMM Agent ID | Notes |
+|---|---|---|---|
+| MaraHomeNew | Mara's home desktop | `c778b6a3-c646-4454-a065-8c8bdcb1578e` | Domain-joined. VPN working (confirmed via rasdial 2026-05-11). Machine cert installed (D067E07B, CN=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027). |
+| Maras-HP-Laptop | Mara's HP laptop | `13cb3629-5043-4bd6-b977-6968eeccf804` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). OneDrive per-machine deployed 2026-05-11. pst-admin profile wiped and rebuilt 2026-05-11. |
+| PST-SURFACE | Surface device | `4a993b61-59b3-42f4-bdb5-d4362941f7d6` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). |
+| BridgettePSHomeComputer | Bridgette's home PC | [unverified] | Was offline during 2026-05-22 session. VPN profile not yet deployed. |
+
+---
+
+## GuruRMM Enrollment
+
+- **Client name in RMM:** Peaceful Spirit
+- **Client ID:** `00015eae-50e5-4102-93fa-ab0fdb135c08`
+- **Site name:** Country Club
+- **Site ID:** `7b32983d-982a-4a5c-af07-45a23453f589`
+
+**Enrolled agents:**
+
+| Host | Agent ID | Enrolled | Last Known Status |
+|---|---|---|---|
+| PST-SERVER | `6b6106a7-8515-4b6b-857d-0dc6ede53f35` | 2026-05-10 23:19 UTC | Active (2026-05-11 01:29 UTC) |
+| MaraHomeNew | `c778b6a3-c646-4454-a065-8c8bdcb1578e` | [unverified date] | — |
+| Maras-HP-Laptop | `13cb3629-5043-4bd6-b977-6968eeccf804` | [unverified date] | — |
+| PST-SURFACE | `4a993b61-59b3-42f4-bdb5-d4362941f7d6` | [unverified date] | — |
+
+BridgettePSHomeComputer agent status unknown.
+
+---
+
+## Access
+
+- **PST-SERVER SSH:** `ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2` — requires OpenVPN or L2TP VPN to Country Club site active. Win32-OpenSSH at `C:\Program Files\OpenSSH\OpenSSH-Win64\`. SCP paths use Unix format (`/C:/path/to/file`).
+- **UCG SSH:** `ssh -i ~/.ssh/pst-cc-ucg root@98.190.129.150` — NOT accessible from office WAN. Requires on-site or UCG cloud portal (unifi.ui.com).
+- **GuruRMM (external):** https://rmm.azcomputerguru.com
+- **Vault paths:**
+  - `clients/peaceful-spirit/server.sops.yaml` — PST-SERVER credentials, UCG details
+  - `clients/peaceful-spirit/vpn.sops.yaml` — VPN PSK, user credentials, network details
+
+---
+
+## Patterns & Known Issues
+
+- **Set-VpnConnection -L2tpPsk cannot run via RMM (SYSTEM context).** Windows enforces interactive mode for PSK registration. An admin must run this command manually on each machine in an interactive session. This is a one-time setup step per machine.
+- **NRPT instead of VPN DNS suffix push.** `Add-VpnConnectionTriggerDnsConfiguration` fails for AllUserConnection profiles. Use `Add-DnsClientNrptRule -Namespace ".peacefulspirit.local" -NameServers "192.168.0.2"` instead.
+- **cmdkey as SYSTEM for pre-login credential persistence.** Machine credential store entries (cmdkey in SYSTEM context) are available at the Windows login screen; per-user cmdkey entries are not.
+- **Stale hosts file.** During 2026-05-22 on-site, MaraHomeNew (and likely other machines) had a stale hosts entry mapping PST-SERVER to 72.194.62.5 (Mara's router's bogus DNS response). This caused name resolution failures even with VPN up. A GuruRMM cleanup script was deployed; verify no residual entries if name resolution issues recur. The hosts-file path encoding bug (`driverstc` artifact) means the cleanup script may not have fully run on all machines.
+- **UCG iptables DNAT required — UniFi Traffic Rules are firewall-allow only, NOT DNAT.** Port-forward rules must be placed via CLI in `/data/on_boot.d/10-vpn-portforward.sh` for persistence across reboots.
+- **UCG SSH unreachable from office WAN.** All remote UCG administration must go through GuruRMM (for PST-SERVER) or the UniFi cloud portal (for UCG itself).
+- **GuruRMM PowerShell invocation quirk.** Running `command_type: powershell` fails on PST machines with "-OutputEncoding is not recognized." Use `command_type: cmd` and call `powershell.exe` explicitly within the script body.
+- **Machine cert template (PEACEFULSPIRIT-PST-SERVER-CA / Machine template).** `msPKI-Certificate-Name-Flag` was changed from `0x18000000` to `0x1` (ENROLLEE_SUPPLIES_SUBJECT) on 2026-05-11. This is a domain-wide template change. New machine certs will use the CSR Subject/SAN rather than the submitting machine's AD DNS identity. RRAS UserAuthProtocolAccepted now includes Certificate (added 2026-05-11).
+- **OneDrive KFM on WSE folder-redirected profiles.** Machines formerly managed by Windows Server Essentials had WSE-specific non-standard GUID variants in User Shell Folders (different from standard Known Folder GUIDs). Direct HKU writes alone do not clear the shell's internal known folder policy state — `SHSetKnownFolderPath` must be called with `flags=0` (not 0x4000) in user session context. If KFM still fails after registry cleanup, wipe the profile and redeploy with per-machine OneDrive (`/allusers`).
+- **pst-admin vs sysadmin distinction.** `pst-admin` is a domain user (in WseRemoteAccessUsers, VPN-eligible). `sysadmin` is domain admin. Many early session failures were caused by using pst-admin credentials for domain admin operations.
+
+---
+
+## Active Work
+
+As of 2026-05-22 session end:
+
+- **BridgettePSHomeComputer VPN:** Was offline during 2026-05-22 on-site. When online: deploy full VPN script via RMM, then Mike must run `Set-VpnConnection -L2tpPsk` interactively on-site or via remote session with the user logged in as an admin.
+- **Pre-login VPN verification:** Confirmed working on MaraHomeNew via rasdial. Maras-HP-Laptop and PST-SURFACE need verification at the Windows login screen specifically.
+- **Hosts file cleanup verification:** The GuruRMM cleanup script had a path encoding bug (`driverstc` instead of `drivers\etc`) — DNS was flushed but hosts entries may not have been removed on all machines. Verify if name resolution issues recur.
+- **PST-SERVER temp file cleanup:** `C:\ProgramData\`: gen_certs.ps1, fix_acl.ps1, acl_result.txt, verify_acl.ps1, acl_verify.txt, and all *.inf, *.req, *.cer, *.pfx files. Also remove temporary firewall rules TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535).
+- **Vault update:** pst-admin and mara passwords were reset to SpiritWalk26! on 2026-05-22; vault entries need updating (`clients/peaceful-spirit/vpn.sops.yaml`).
+- **Machine cert VPN path (IKEv2) — deferred.** Machine certs were generated for MaraHomeNew (D067E07B), Maras-HP-Laptop (4CADDE8F, CA RequestId 66), and PST-SURFACE (197FF22A, CA RequestId 67) and PFXs (password: PstVpn2026!) were created. This IKEv2 machine-cert approach was superseded by the L2TP/RRAS decision on 2026-05-22. The certs and PFXs remain on PST-SERVER and DESKTOP-0O8A1RL — determine if IKEv2 path should be completed, abandoned, or the certs revoked.
+
+---
+
+## History Highlights
+
+| Date | Event |
+|---|---|
+| 2026-05-10 | GuruRMM agent installed on PST-SERVER. UCG-PST-CC reconfigured for IKEv2 in prior (unlogged) session. IKEv2 error 812 diagnosed — NPS rejecting nonexistent user `apst-admin` (typo in stored credential). NPS order-0 test policy (PST-VPN-Test) added. Credential Manager corrected on DESKTOP-0O8A1RL. |
+| 2026-05-10 | GuruRMM agents enrolled on MaraHomeNew, Maras-HP-Laptop, PST-SURFACE. AllUserConnection IKEv2 "Peaceful Spirit VPN" profiles deployed to all three Mara machines. |
+| 2026-05-11 AM | PST-VPN-Test NPS policy removed. AutoEnroll ACL on Machine cert template fixed (Domain Computers, sysadmin scheduled task). Catch-22 identified: machine cert enrollment requires LAN access which requires a cert. OpenVPN on MaraHomeNew chosen as bootstrap path. |
+| 2026-05-11 PM | Machine cert auth working on MaraHomeNew. Win32-OpenSSH installed on PST-SERVER. msPKI-Certificate-Name-Flag changed to 0x1 (ENROLLEE_SUPPLIES_SUBJECT). RRAS UserAuthProtocolAccepted updated to include Certificate. PFX certs generated for Maras-HP-Laptop and PST-SURFACE. |
+| 2026-05-11 PM | Maras-HP-Laptop: OneDrive KFM "Capabilities: 0x101" error troubleshooting. WSE non-standard GUID variants in User Shell Folders identified and corrected. Shell Folders cache directly updated via SYSTEM/HKU. SHSetKnownFolderPath flags=0x4000 bug identified (root cause of all prior script failures). |
+| 2026-05-11 Evening | pst-admin profile on Maras-HP-Laptop wiped entirely (WMI). Per-machine OneDrive deployed. "Block New Outlook" GPO created and linked to domain root. |
+| 2026-05-22 | L2TP/IPsec VPN successfully deployed to MaraHomeNew, Maras-HP-Laptop, PST-SURFACE during on-site visit at Mara's house. UCG-hosted strongSwan/xl2tpd abandoned; RRAS on PST-SERVER became the VPN endpoint. UCG DNAT rules created for UDP 500/4500/ESP. Stale hosts file entries removed. pst-admin and mara passwords reset to SpiritWalk26!. BridgettePSHomeComputer offline — VPN pending. |
+
+---
+
+## Backlinks
+
+- [[projects/gururmm]] — PST-SERVER, MaraHomeNew, Maras-HP-Laptop, PST-SURFACE enrolled (site: Country Club)
diff --git a/wiki/clients/sombra-residential.md b/wiki/clients/sombra-residential.md
new file mode 100644
index 0000000..bc7c75a
--- /dev/null
+++ b/wiki/clients/sombra-residential.md
@@ -0,0 +1,98 @@
+---
+type: client
+name: sombra-residential
+display_name: Sombra Residential LLC
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/sombra-residential/CONTEXT.md
+  - clients/sombra-residential/session-logs/2026-05-06-howard-bryan-sombrahomes-ghost-account-cleanup.md
+backlinks:
+  - projects/gururmm
+---
+
+# Sombra Residential LLC
+
+## Profile
+
+- **Company type:** Residential property management company (Arizona). Formerly operated under the brand/domain `sombrahomes.com`; rebranded to `sombraresidential.com` at some point post-2022.
+- **Contract type:** [unverified — managed MSP implied by ACG handling M365 and new-PC setup; no explicit contract type documented]
+- **Key contacts:**
+  - Amy — caller/office contact (last name not documented)
+  - Bryan Menie — employee; accounts `bryan@sombraresidential.com` (current), formerly `bryan@sombrahomes.com`
+- **Billing rate:** [unverified]
+- **Syncro customer ID:** 32971820
+
+## Infrastructure
+
+### Servers & Services
+
+| Host | IP | Role | OS | Notes |
+|---|---|---|---|---|
+| Server2013 | `Server2013` (hostname only) | File / application server | Windows Server **2012** (build 9200) — [WARNING] EOL 2023-10-10, running unpatched | Name "Server2013" is a label only; actual product is WS2012. Remote access via ScreenConnect. |
+| DESKTOP-UQRN4K3 | [unverified] | Bryan Menie's workstation | Windows (version unverified) | New PC set up by ACG prior to 2026-05-06; data transferred via Transwiz |
+
+### Email & Identity
+
+- **M365 tenant:** sombraresidential.com (primary current domain); former domain sombrahomes.com still exists in legacy identity caches on endpoints
+- **MFA status:** [unverified]
+- **Office version:** OneNote Free + O365 Business Retail, Click-to-Run, version 16.0.19929.20106 (confirmed on Bryan's PC 2026-05-06)
+- **Identity note:** Company rebranded from sombrahomes.com to sombraresidential.com after 2022. Classic Office MAPI profiles and token stores on pre-rebrand machines (or Transwiz-migrated machines) still reference the old domain. New Outlook app uses WAM (unaffected); classic Word/Excel prompt against dead LiveId tokens.
+
+### Network
+
+- **ISP / WAN:** [unverified]
+- **Firewall:** [unverified]
+- **VPN:** [unverified]
+
+## GuruRMM
+
+- **Client name:** Sombra Residential LLC
+- **Client ID:** `4143369f-de59-42e6-b1a0-e9939aa42a2d`
+- **Site name:** main office
+- **Site ID:** `787d497a-eb1d-4468-a8ac-51d3c23954cb`
+
+### Enrolled Agents
+
+| Agent | Host | OS | Agent ID | Notes |
+|---|---|---|---|---|
+| Server2013 | Server2013 | Windows Server 2012 | `5383e9c1-56e1-4389-9c89-1991a77bbc3a` (device id `win-e59d7c6c-9bd6-4b49-a892-71788039bf14`) | Enrolled 2026-04-30 |
+| DESKTOP-UQRN4K3 | Bryan's workstation | Windows | `6dc0fb03-d6c4-4e3e-a58c-d9d015ff588a` | Used as remote command channel for ghost-account cleanup 2026-05-06 |
+
+## Access
+
+- **ScreenConnect:** Installed on Server2013 and Bryan's PC (ACG SC instance)
+- **Server2013 local accounts:**
+  - `Administrator` — password at `clients/sombra-residential/server2013.sops.yaml`
+  - `sysadmin` — password [WARNING] TBD; not yet vaulted as of CONTEXT.md (2026-04-30). Confirm with Howard or pull from server before next session.
+- **Vault path:** `clients/sombra-residential/server2013.sops.yaml`
+
+## Patterns & Known Issues
+
+- **[WARNING] Server2013 is Windows Server 2012 (EOL 2023-10-10):** Running unpatched. EOL risk has not been formally presented to client per available session logs. Mike needs to confirm a refresh/migration recommendation with the client.
+- **Transwiz ghost account pattern:** Transwiz migrates M365 identity stores wholesale from the source machine, including DPAPI-bound tokens and Office MAPI profiles. On a domain-rebranded shop (sombrahomes.com → sombraresidential.com), the migrated machine carries dead LiveId entries from the old domain. Symptoms: Word and Excel prompt for `<user>@olddomain.com` credentials on every open; ErrorState=6 (stuck token, cannot refresh). New Outlook app (WAM-based) is unaffected — only classic Win32 Office apps hit this.
+  - **Detection:** Check `HKU\<user-SID>\Software\Microsoft\Office\16.0\Common\Identity\Identities` and `ServicesManagerCache\Identities` for LiveId entries with the old domain. Also check classic MAPI Outlook profiles under `15.0` and `16.0` trees.
+  - **Fix:** Three-pass cleanup (Identity keys → ServicesManagerCache + OneAuth blobs → classic MAPI profiles). Run with snapshot-first backup + auto-generated revert.ps1. All Office processes must be closed before each pass.
+  - **Recommended:** Add a "post-Transwiz Office identity sweep" step to the ACG new-PC checklist for any customer with M365 domain rebrand history.
+- **GuruRMM SYSTEM context:** HKCU probes from GuruRMM commands hit the SYSTEM hive, not the logged-in user's. For per-user registry work, resolve the target user's SID from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` and read `HKU:\<SID>\` directly.
+- **Syncro warranty billing:** Use product `1049360` Labor - Warranty work for work that is a direct side effect of a prior ACG ticket. Do NOT use `1190473` Labor - Remote Business with `billable: false` or a patched price. The warranty product is the correct path.
+- **Syncro `billable: false` on timer_entry is silently ignored** — does not prevent a charged line item from being generated. Always pick the correct product.
+
+## Active Work
+
+- **Open items from CONTEXT.md (2026-04-30):**
+  - Capture `sysadmin` password for Server2013 into vault
+  - Confirm Server 2012 EOL risk with Mike and recommend refresh / migration path
+  - Discover and document: workstations, network, primary contact, full business purpose
+
+## History Highlights
+
+| Date | Event |
+|---|---|
+| Post-2022 | Company rebranded from sombrahomes.com to sombraresidential.com |
+| 2026-04-30 | Server2013 enrolled in GuruRMM (agent `5383e9c1`). CONTEXT.md stub created by Howard. New PCs set up for staff (referenced as "the week prior" in 2026-05-06 log). |
+| 2026-05-06 | Howard: Bryan's PC (DESKTOP-UQRN4K3) — Word/Excel ghost credential prompt for old domain `bryan@sombrahomes.com`. Root cause: Transwiz-migrated classic MAPI + LiveId entries from pre-rebrand machine. Three-pass registry cleanup via GuruRMM. Billed as warranty ($0) against ticket #32225 (invoice #67572). Revert scripts at `C:\ProgramData\ACG\sombrahomes-cleanup-*` on Bryan's PC. |
+
+## Backlinks
+
+- [[projects/gururmm]] — Server2013 and DESKTOP-UQRN4K3 enrolled (site: main office)
diff --git a/wiki/clients/stamback-septic.md b/wiki/clients/stamback-septic.md
new file mode 100644
index 0000000..9d71382
--- /dev/null
+++ b/wiki/clients/stamback-septic.md
@@ -0,0 +1,107 @@
+---
+type: client
+name: stamback-septic
+display_name: Stamback Septic
+last_compiled: 2026-05-24
+compiled_by: DESKTOP-0O8A1RL/claude-main
+sources:
+  - clients/stamback-septic/CONTEXT.md
+  - clients/stamback-septic/session-logs/2026-05-05-howard-onboarding-and-joe-laptop-onedrive-fix.md
+backlinks:
+  - projects/gururmm
+---
+
+# Stamback Septic
+
+## Profile
+
+- **Company type:** Septic services company (Tucson, AZ)
+- **Contract type:** Prepaid block (hours-based)
+- **Key contacts:**
+  - Joe Schmuker — accountspayable@fusionsiteservices.com | (520) 384-4803 office | (520) 484-5235 mobile
+  - Joe alternate email: js.stambackseptic@gmail.com (linked to possible duplicate Syncro record)
+- **Address:** 8939 South Eisenhower Road, Tucson AZ 85756
+- **Billing rate:** $150/hr (Labor - Remote Business, product `1190473`)
+- **Hours remaining (prepaid):** ~3.5 hrs as of 2026-05-05 (was 5.5 hrs; 2.0 hrs debited via Syncro ticket #32234)
+- **Customer since:** 2018-01-09
+- **Syncro customer ID:** 11513046
+- **Possible duplicate Syncro record:** 34021422 (Joseph Schmuker, email js.stambackseptic@gmail.com, no business linked) — NOT merged; flag if it appears in billing or ticket flows
+
+## Infrastructure
+
+### Servers & Services
+
+Not yet documented. No servers or network infrastructure captured in available session logs.
+
+### Email & Identity
+
+- **M365 / email:** Joe uses `joe.schmuker@fusionsite.com` (FusionSite tenant `3dd7fc1e-7d46-4e83-931a-8abe57a8bc73`) — this appears to be Stamback's parent or affiliated company domain. Also associated with `joe@stambackservices.com`, `info@stambackservices.com`, `JSchmuker@fusionsiteservices.com` — multi-domain identity history.
+- **M365 tenant details:** [unverified — no ACG-managed tenant confirmed for Stamback directly]
+- **MFA status:** [unverified]
+
+### Network
+
+- **ISP / WAN:** [unverified]
+- **Firewall:** [unverified]
+- **VPN:** [unverified]
+
+## GuruRMM
+
+- **Client name:** Stamback Septic
+- **Client code:** `STAM`
+- **Client ID:** `b3ba0e60-6132-4403-888b-601054ed4a9a`
+- **Site name:** StambackSeptic
+- **Site code:** `SOUTH-PHOENIX-4306`
+- **Site ID:** `0f3abe88-834f-4943-b28f-e97c236a0fea`
+- **Agent enrollment key:** Encrypted at `clients/stamback-septic/gururmm-site-main.sops.yaml` (generated once at site creation 2026-05-05; do not regenerate unless compromised)
+
+### Enrolled Agents
+
+| Agent | Host | OS | Version | Agent ID | Notes |
+|---|---|---|---|---|---|
+| DESKTOP-BTR2AM3 | [unverified] | Windows | [unverified] | [unverified] | Seen in GuruRMM fleet table (wiki/projects/gururmm.md) — confirmed enrolled |
+| StambackLaptopNew | Joe Schmuker's laptop | Windows 11 26200 | [unverified] | `4b6e9b9e-b7bb-4a91-836d-c3ce11fbb9c3` | Cloned laptop; single local profile `Owner`; not domain/Azure AD joined; OneDrive identity cleanup performed 2026-05-05 |
+
+[WARNING] Neither agent was confirmed enrolled at time of CONTEXT.md creation (2026-05-05 — "None yet"). Both appear in the GuruRMM fleet table as of 2026-05-24 fleet snapshot, implying enrollment occurred after initial setup. Agent IDs for DESKTOP-BTR2AM3 not captured in any available file.
+
+### Agent Deployment Command (ScreenConnect / SYSTEM context)
+
+```powershell
+$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
+$d='C:\Windows\Temp\gururmm-agent.exe';
+Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
+& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key 'grmm_vC91v9Rv5FYsVfW4RBWa4UduDsUcW5uc'
+```
+
+## Licenses & Assets
+
+- **Emsisoft License:** `PAK-MIV-BAN-843`
+
+## Access
+
+- **Remote access:** ScreenConnect (ACG-managed instance) — used for OneDrive fix session 2026-05-05
+- **Vault path:** `clients/stamback-septic/gururmm-site-main.sops.yaml` (enrollment key only; other credentials not yet vaulted)
+- **Syncro:** https://computerguru.syncromsp.com/customers/11513046
+
+## Patterns & Known Issues
+
+- **Clone + multi-tenant identity mess:** Joe's laptop was cloned from an existing machine. The source machine had M365/OneDrive identity caches across at least three tenants (FusionSite, StambackServices, consumer MSA). Post-clone, DPAPI-bound refresh tokens from the source machine were undecryptable, causing OneDrive silent sign-in failure. A full identity wipe (HKCU OneDrive accounts, Office Identity, OneAuth cache, TokenBroker cache) followed by clean sign-in was required. This should be treated as a standard post-clone step for any user with an M365 history.
+- **"Allow my organization to manage my device" trap:** After identity wipe, Joe checked the device-management checkbox at OneDrive sign-in, which triggered an Azure AD device-join attempt that FusionSite's Conditional Access rejected. Fix: sign out from the failed join (Settings → Access work or school), re-sign in without the checkbox. Document this in new-PC checklist.
+- **GuruRMM agent task queue wedge:** If a remote command spawns a child process that does not exit cleanly (e.g., `OneDrive.exe /reset`), the agent command queue can wedge — agent stays online but new commands sit pending indefinitely. Resolved by endpoint reboot. Track as a known agent behavior; worth a check-and-clear hook in a future agent version.
+- **Prepay visibility in Syncro:** Prepay balance was not visible in the Syncro GUI during the session (Mike thought there were no prepay hours). Always verify via `GET /customers/{id}` → `.customer.prepay_hours` API call rather than relying on GUI display.
+- **Syncro auto-applies prepay at invoice creation:** Even when billing at standard rate ($150/hr, product `1190473`), Syncro deducts from prepay block automatically at invoice time. To bill at full rate without touching prepay, use a non-applicable product or zero out prepay first.
+
+## Active Work
+
+None documented as of 2026-05-05. Onboarding complete; agents enrolled.
+
+## History Highlights
+
+| Date | Event |
+|---|---|
+| 2018-01-09 | Customer since in Syncro |
+| 2026-05-05 | Howard: Initial GuruRMM onboarding — client + site created, in-repo scaffold created, enrollment key vaulted. Joe Schmuker's cloned laptop OneDrive identity cleanup (multi-tenant cache wipe). Billed 2 hrs via Syncro ticket #32234 (invoice #67562, $0 — prepay auto-applied). Stamback prepay balance: 5.5 → 3.5 hrs. |
+
+## Backlinks
+
+- [[projects/gururmm]] — DESKTOP-BTR2AM3 and StambackLaptopNew enrolled (site: StambackSeptic)
diff --git a/wiki/index.md b/wiki/index.md
index 7ea576b..982f486 100644
--- a/wiki/index.md
+++ b/wiki/index.md
@@ -22,6 +22,15 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
 | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery; 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2 | 2026-05-24 |
 | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
 | [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |
+| [ACG Internal Infrastructure](clients/internal-infrastructure.md) | ACG's own hosting infra — Neptune Exchange (cert expires 2026-05-31, DkimSigner disabled), IX server, Cloudflare tunnel workaround, ACG M365 tenant gaps | 2026-05-24 |
+| [BirthBiologic](clients/birth-biologic.md) | Bio/healthcare; BB-SERVER (WS2016) GuruRMM enrolled; Datto→SharePoint migration incomplete; M365 apps partially consented | 2026-05-24 |
+| [CryoWeave](clients/cryoweave.md) | Custom cryogenic cable assemblies; cPanel on IX; website redesign + SEO project in progress; Syncro ID not documented | 2026-05-24 |
+| [Glaz-Tech Industries](clients/glaztech.md) | ~200 users, 9 locations; M365; two phishing campaigns bypassed MailProtector via secondary MX (removed); no MFA enforcement yet | 2026-05-24 |
+| [Grabb & Durando Law Office](clients/grabb-durando.md) | Personal injury law firm; GND-SERVER GuruRMM enrolled; AI demand review app scoped ($4K–$7K); website migration pending; plaintext DB password in README needs vaulting | 2026-05-24 |
+| [Pavon](clients/pavon.md) | Former/archive client; GeoVision NVR surveillance; OwnCloud at 172.16.3.22 backed by Uranus; cron stacking fixed; Nextcloud migration deferred 3–6 months | 2026-05-24 |
+| [Peaceful Spirit Therapeutic Massage](clients/peaceful-spirit.md) | Massage therapy practice; PST-SERVER (192.168.0.2) + 4 GuruRMM agents; L2TP/IPsec RRAS VPN; billing rate/Syncro ID not documented | 2026-05-24 |
+| [Sombra Residential LLC](clients/sombra-residential.md) | Property management; Server2013 (actually WS2012 EOL, unpatched) + DESKTOP-UQRN4K3 GuruRMM enrolled; Transwiz migration artifacts cause Office credential prompts | 2026-05-24 |
+| [Stamback Septic](clients/stamback-septic.md) | Septic services; prepaid block ~3.5 hrs remaining; DESKTOP-BTR2AM3 + StambackLaptopNew GuruRMM enrolled; OneDrive identity wipe pattern documented | 2026-05-24 |
 
 ## Projects
 
@@ -56,6 +65,13 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
 | Dataforth Corporation | AD1 (192.168.0.27), AD2 (192.168.0.6), D2TESTNAS (192.168.0.9), SAGE-SQL (192.168.0.153), UDM (192.168.0.254); Neptune Exchange physically at Dataforth D2 (172.16.3.11 / 67.206.163.124) | Dataforth DOS — Test Datasheet Pipeline; GuruRMM (DF-GAGETRAK enrolled) |
 | Instrumental Music Center | IMC1 (192.168.0.2), phantom DC ServerIMC (192.168.0.63 — DNS-only, do not use) | GuruRMM (IMC1 enrolled) |
 | Valley Wide Plastering | VWP_ADSRVR (192.168.0.25), VWP-QBS (172.16.9.169), HP DL360 iLO (172.16.9.125), UDM (172.16.9.1) | — |
+| BirthBiologic | BB-SERVER (WS2016, GuruRMM enrolled) | GuruRMM |
+| Glaz-Tech Industries | M365, ~200 users, 9 locations | — |
+| Grabb & Durando Law Office | GND-SERVER (WS2019, GuruRMM enrolled) | GuruRMM; AI demand review app (scoped) |
+| Pavon | OwnCloud VM (172.16.3.22), Uranus /Archive storage | — |
+| Peaceful Spirit | PST-SERVER (192.168.0.2, GuruRMM enrolled), UCG (98.190.129.150) | GuruRMM |
+| Sombra Residential LLC | Server2013 (WS2012 EOL) + DESKTOP-UQRN4K3, GuruRMM enrolled | GuruRMM |
+| Stamback Septic | DESKTOP-BTR2AM3 + StambackLaptopNew, GuruRMM enrolled | GuruRMM |
 
 ---