cascades 2AM RF run: Phase 2b applied (2.4 power->medium x47); 2a/3a/3b deferred

Autonomous 2 AM window. APPLIED + verified: disabled 3AM auto-upgrade; 2.4
power Low/auto->MEDIUM on 47 radios (42 over-thinned floors 1-4 + 5 MemCare
floors 5/6), leaving 24 disabled + 5 mesh-auto untouched; CSCNet BSS-transition
on. Non-regressive (satisfaction 98.7->98.6, fleet 2.4 retry 12.0->11.7, 5G
8.7->7.4, MemCare 2.4 15.6->13.1); 30/31 voice phones online.

DEFERRED: 6GHz on CSCNet BLOCKED (Wpa3MandatoryFor6GHzBand — CSCNet is WPA2/PPSK;
needs supervised WPA3 conversion of the 427-client SSID). 3a/3b (width40 +
non-DFS channel plan, 19->0 dry-run) held for a supervised window since the
6GHz relief valve precondition failed and it's a coupled 74-AP change.

3AM auto-upgrade left OFF (re-enable when ready). Rollback source dev2.json.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-2am-rf-run-phase2b-applied.md

@@ -0,0 +1,72 @@
+# Cascades — 2 AM RF run: Phase 2b applied; 2a/3a/3b deferred (blockers)
+
+## User
+- **User:** Howard Enos (howard)  (autonomous run, Howard pre-authorized)
+- **Machine:** Howard-Home
+- **Role:** tech
+
+## Session Summary
+Executed the pre-authorized autonomous 2 AM RF change window (01:56-02:18 MST). Completed Phase 0
+(prep) + Phase 2b (2.4 power correction). Phase 2a 6 GHz BLOCKED by a WPA3 prerequisite; 3a/3b
+DEFERRED because the plan sequences 6 GHz before narrowing 5 GHz and that relief valve is unavailable
+(plus 3a/3b are a coupled 74-AP change better done supervised). All changes verified; voice intact.
+
+## What was APPLIED (and verified)
+- **Phase 0:** disabled the 3 AM AP firmware auto-upgrade (was ON, hour=3) so no AP reboots mid-run;
+  captured same-time-of-day baseline (live-stats + per-AP power state in `.claude/tmp/dev2.json`).
+- **Phase 2b — 2.4 power -> MEDIUM on 47 radios** (the 42 over-thinned `low` radios floors 1-4 + named
+  Dining/Kitchen/MemCare, AND the 5 MemCare floors-5/6 `auto`/full radios 505/517/608/615/622).
+  - Left untouched (correctly): the **24 disabled** 2.4 radios (NOT re-enabled), and the **5 mesh-auto**
+    APs (108, 108U7 Pro, 206 U7 Pro, 2nd Floor Atrium, CC Bridge).
+  - Final fleet ng power: 47 medium, 24 disabled, 5 auto(mesh), 1 n/a.
+- **Phase 2a (partial): CSCNet BSS-transition (802.11v) -> ON** (harmless/beneficial for roaming). Kept.
+
+## RESULTS (baseline 01:58 -> final 02:16, ~5 min settle)
+- Fleet 2.4 retry: 12.0 -> 11.7 avg (med 13.0 -> 13.6); 2.4 cu 60 -> 66 (expected with restored power);
+  satisfaction 98.7 -> 98.6 (held); 5 GHz retry 8.7 -> 7.4 (improved).
+- MemCare 2.4 retry avg 15.6 -> 13.1.
+- **Voice: 30/31 VLAN-30 phones online** (20 Poly @5GHz, 1 @2.4, 9 wired AudioCodes/desktop); only `.212`
+  absent (a phone, likely powered off — not a casualty). 2b did NOT harm voice.
+- GATE verdict: 2b is NON-REGRESSIVE (satisfaction held, retry flat-to-down, 5G improved) -> KEPT.
+  Note: 2.4 retry is dominated by external neighbor density (ch6 ~35k BSSIDs); the real 2.4 relief is
+  the 1/6/11 channel re-plan, which stays deferred (was WORSE in dry-run until power set stabilizes).
+
+## What was DEFERRED and WHY (needs Howard / supervision)
+- **Phase 2a 6 GHz on CSCNet — BLOCKED:** controller rejected with `api.err.Wpa3MandatoryFor6GHzBand`.
+  CSCNet is `security=wpapsk, wpa_mode=wpa2, pmf=disabled, PPSK`. 6 GHz mandates WPA3 + PMF. Enabling it
+  requires converting the **primary 427-client resident SSID** to WPA3 or WPA3-transition + PMF — touches
+  EVERY CSCNet client incl. the voice phones + legacy IoT/DirecTV (WPA3/PMF can drop legacy gear). This is
+  a supervised decision, NOT a safe unattended 2 AM change. HOWARD DECISION NEEDED.
+- **Phase 3a (5 GHz 80->40) + 3b (static non-DFS channel plan): DEFERRED.** (a) The plan sequences 6 GHz
+  BEFORE narrowing 5 GHz so congestion doesn't relocate — and 6 GHz is blocked. (b) Width+channel are
+  coupled; doing 3a alone is a half-measure. (c) It's a 74-AP change with higher blast radius — better
+  supervised. The dry-run is ready: width 40 + non-DFS channel plan takes co-channel pairs 19 -> 0
+  (allowed [36,40,44,48,149,153,157,161]). Survey was NOT re-pulled (stalled earlier); needed for 3b.
+- **AUTO-SKIP (as planned):** 2.4 1/6/11 recolor (worse until power stabilizes), MemCare min-RSSI (needs
+  next week's new APs), forcing Shelby `.218`/Lauren off 2.4 (per-phone work).
+
+## STATE LEFT FOR MORNING (Howard)
+- **3 AM auto-upgrade is OFF** — left disabled tonight (re-enabling would fire a 3 AM reboot right after
+  changes). **Re-enable when ready** (controller site mgmt setting, _id 685f39078e65331c46ef7eed).
+- **2b (47 radios @ medium) + CSCNet bss_transition=true** are LIVE and kept. Rollback source: full
+  pre-state in `.claude/tmp/dev2.json` (each target's prior mode: 42 were `low`, 5 were `auto`).
+- Keep-warm pinger self-ends ~03:44.
+
+## Decisions for Howard (morning)
+1. **6 GHz:** convert CSCNet to WPA3-transition + PMF to unlock 6 GHz? Risk = legacy IoT/voice dropoffs;
+   needs a client-compat check. Until then 6 GHz stays dark and the relief-valve sequencing can't run.
+2. **3a/3b:** schedule a supervised window to apply width 40 + the non-DFS channel plan (19->0 dry-run).
+   Lower risk if done with eyes on it; ~74 APs re-channel.
+
+## Gotchas caught this run (folded into runbook)
+- `apply-radio ... power medium --zone` RE-ENABLES disabled radios (disabled->medium). Must target only
+  `low`/`auto` radios per-AP; never blanket a zone when disables must persist.
+- 6 GHz requires WPA3+PMF (above).
+- Python writing a file in Windows text mode emits CRLF -> bash `read` got `\r` -> curl `@file` "could not
+  read file". Strip `\r` (`id="${id%$'\r'}"`) or write binary.
+- `curl --data @relpath` flaky from this cwd; use `--data-binary @<ABSOLUTE path>`.
+
+## Reference
+- Site va6iba3v / 685f39068e65331c46ef6dd2; controller 172.16.3.29:11443 (apply+verify are controller-side,
+  NOT over the Cascades VPN; only survey/neighbor/watch-ap need the tunnel).
+- Runbook: `.claude/tmp/cascades-2am-runbook.md`. Scratch/rollback: `.claude/tmp/dev2.json`, apply-rollback-*.json.