From 401ecca9a27eeeecf816ff14802b9267c1d348c4 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 12 Jun 2026 13:21:39 -0700 Subject: [PATCH] sync: auto-sync from GURU-5070 at 2026-06-12 13:21:22 Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-12 13:21:22 --- .../remediation-tool/references/tenants.md | 2 +- ...26-06-12-mike-jparkinson-mail-migration.md | 99 +++++++++++++++++++ 2 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 session-logs/2026-06-12-mike-jparkinson-mail-migration.md diff --git a/.claude/skills/remediation-tool/references/tenants.md b/.claude/skills/remediation-tool/references/tenants.md index 55d9092..0b3ac14 100644 --- a/.claude/skills/remediation-tool/references/tenants.md +++ b/.claude/skills/remediation-tool/references/tenants.md 
@@ -38,7 +38,7 @@ that will fail the next email task; fix it with `assign-exchange-role.sh lamaddux M365) + RMM log triage + IX API token + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Summary +Multi-thread session. Headline: migrated **Jim Parkinson** (`jparkinsonaz.com`, mail on on-prem +Neptune Exchange) into **LeeAnn Maddux's** existing **lamaddux.com** M365 tenant to fix shared-calendar +sync issues (Syncro #32411). Also: triaged a stale GuruRMM AI log-analysis report (filed 2 root-caused +bugs + a signal-design refinement), recovered the lost IX WHM API access method (now a vaulted full-access +token), restored the "vault every credential" CORE rule, and handled a Bardach M365 sign-in error. + +## Threads + +### 1. Bardach (barbara@bardach.net) — AADSTS165000 on iPhone +Client-side session-cookie failure (Missing session context cookie). NOT password/MFA/Smart-Lockout, and +NOT caused by our 2026-06-05 Security Defaults change (she passed password + Authenticator). Gave iPhone +fix steps (full Safari not in-app webview, allow cookies, clear site data, fresh single-pass sign-in, +auto date/time). Offered Entra sign-in-log lookup for Correlation Id `71fa2d99-2607-4cfc-a032-da30b925d04d`. +Tenant: bardach.net `dd4a82e8-85a3-44ac-8800-07945ab4d95f`. + +### 2. GuruRMM log-analysis triage (stale report reconciliation) +Report came from GuruRMM's own `/api/logs/analyze` (cut over to Claude Haiku today). Reconciled vs live logs: +- **Ollama unreachable** = HEALED (cutover; last stray 13:27 pre-deploy). +- "1,100+ WS errors" = real (~1504/24h) but benign reconnect churn + deploy restart-storms; fleet reconnecting. +- Auth timeouts 7/24h = benign. +- **2 real bugs filed** in `projects/msp-tools/guru-rmm/docs/RMM_THOUGHTS.md` (submodule, pushed `8d5bb9d`): + 1. Hardware inventory NUL -> Postgres jsonb reject (7 Windows agents: IMC1, Seth-PC, QWM-JOHN, QWM-SHEILA, + goldstar19, SIF-SERVER, Christine-Win10). 
Fix: strip NUL before jsonb insert in `upsert_agent_hardware`. + 2. Update scanner execs non-.exe binaries for `--version`; macOS Mach-O can't run on the Linux server -> + `continue`-skipped -> macOS/Linux agents never offered updates. Fix: trust filename version for non-Windows. + 3. Feature 4a refinement: alert on STATE (offline-past-budget / flapping / mass-drop) not the disconnect + event; reclassify "connection reset without closing handshake" ERROR->INFO (ships standalone). + +### 3. IX WHM API access recovered (the ~1h time-sink) +Password+legacy `json-api` basic-auth to `ix.azcomputerguru.com:2087` now returns **403 pre-auth** (not +cpHulk/Imunify IP block — WHM login page 200s; bad creds also 403). Mike created a **full-access root WHM +API token "ClaudeTools"**. Correct method: header `Authorization: whm root:`, force `curl -4`. +Stored at vault `infrastructure/ix-server` `credentials.whm-api-token` + documented in entry notes. +Restored CORE rule in `.claude/CLAUDE.md` ("vault + document EVERY in-session credential, via the vault +skill"); added memories `ix-whm-dns-api-access` + `feedback-vault-every-credential`. + +### 4. Leeann Maddux RMM onboarding +New RMM client **Leeann Maddux** + site **Home** (`DARK-OCEAN-9950`, site_id `7357db16-114c-4404-92be-4a587056d9e5`, +client_id `bd8c4027-7cbe-41c0-bc2c-c8e6c4846b62`). Enrollment key vaulted `clients/lamaddux/gururmm-site-home.sops.yaml`. +Jim's 2 machines enrolled: **DESKTOP-EDN9UDO** (`2b24e8de-a774-4277-bad3-689c00f9eacc`) + **DESKTOP-M0GBKF3** +(`4fdecea6-19d9-4dd0-bf6c-f2b1ab6c6c28`). (jpark = logged-in user on M0G, SID ...-1014.) + +### 5. Jim Parkinson mail migration (the main work) +- **Tenant lamaddux.com** `2f0c4c92-c608-4ee0-bdc2-87d5fd8fe929` (LeeAnn Maddux) onboarded via single-consent + (`onboard365`); all apps + roles provisioned (recorded YES in remediation-tool `tenants.md`). 
+- Added + verified custom domain `jparkinsonaz.com` (TXT `MS=ms74863246`); Mike added the domain in portal + (our Tenant Admin app lacks `Domain.ReadWrite.All` — flagged as future automation item). +- Created **jim@jparkinsonaz.com** (obj `387dc966-fd91-4512-9b0f-d80b125769f4`) + **Exchange Online Plan 1** + (skuId `4b9405b0-7788-4568-add1-99614e613b69`; Mike bought the 2nd license). Mailbox provisioned, primary + SMTP matches source. +- **DNS cutover** on IX (token) to O365 + zone cleanup: MX `jparkinsonaz-com.mail.protection.outlook.com`, + SPF `v=spf1 include:spf.protection.outlook.com -all`, autodiscover CNAME -> `autodiscover.outlook.com`, + **DKIM** selector1/selector2 CNAMEs -> `selector{1,2}-jparkinsonaz-com._domainkey.lamaddux.a-v1.dkim.mail.microsoft` + (new MS format, resolves to live keys). Removed: **root A** (was -> Neptune 67.206.163.124), `mail` CNAME, + 4x CalDAV/CardDAV SRV + path TXTs, cPanel `_cpanel-dcv-test-record` + `_acme-challenge`. +- **PST export** off Neptune: `New-MailboxExportRequest` -> `\\NEPTUNE\PSTExport$\jim-jparkinsonaz.pst`, + Completed 100%, 1.776 GB, 8316 items. Mike to copy + Outlook-import himself. +- **Outlook autodiscover fix (Exclude365):** ran undo of `C:\Users\guru\ownCloud\Toolbox\!-Utils\RegistryFixes\Exclude365-Final.reg` + on both machines (removed exclusions + acghosting RedirectServers pins, HKLM policy + user hives incl offline). + Fresh profile still hit mail.acghosting.com because **root A pointed to Neptune** -> root-domain autodiscover + probe answered on-prem. Set `ExcludeHttpsRootDomain=1` on both machines (interim), then **removed the root A + record** (permanent global fix -> root probe NXDOMAIN -> falls through to autodiscover CNAME -> O365). +- Set password + MFA: see Credentials. + +### 6. 
Syncro #32411 (id 112542872, LeeAnn Parkinson, customer 139908) +PUT status -> In Progress, problem_type -> Server Migration; posted customer-visible (no-email) note scoping +it to a mail migration to resolve calendar sync. Comment id 418758100. + +## Credentials (unredacted — private repo) +- **jim@jparkinsonaz.com** / `jP48504850$` (permanent, no force-change). MFA mobile **+1 520-349-2222**. + Vaulted `clients/lamaddux/jim-parkinson-m365.sops.yaml`. +- **IX WHM API token "ClaudeTools"** (FULL-ACCESS ROOT): `HAUGCPQGJGDK3YDAMVA0B4ELR9CVNAQ6`. + Vaulted `infrastructure/ix-server` `credentials.whm-api-token`. Use: header `Authorization: whm root:`, + `curl -4`. Password basic-auth on json-api now 403s. +- Leeann Maddux RMM site key: vaulted `clients/lamaddux/gururmm-site-home.sops.yaml`. + +## Infrastructure +- IX: `ix.azcomputerguru.com` = 72.194.62.5 (WHM:2087). Public NS `ns1/ns2.acghosting.com` = 52.52.94.202 + (cluster; edits auto-sync). Neptune external 67.206.163.124 / 172.16.3.11 (mail.acghosting.com, Exchange 2016). +- RMM API `http://172.16.3.30:3001`. (Brief `.30` outage mid-session — networking, Mike fixed.) +- Imunify360 (cpHulk disabled) gated WHM; whitelisted our IPv4 98.97.118.217 + IPv6 2605:59c0:43a6:9710::/64. + +## Pending / next +1. Mike: copy PST + Outlook-import on M0G/EDN9; confirm it connects to **Microsoft** (root-A removal is the fix). +2. Mike: **Enable DKIM signing** for jparkinsonaz.com in Defender portal (CNAMEs are live). +3. After import confirmed: **final delta export + decommission `jparkinsonaz.com` on Neptune** (remove accepted + domain/mailbox/DKIM/routing); then **close #32411**. Optional: remove stale `s1`/`default` DKIM TXT; + remove the now-redundant `ExcludeHttpsRootDomain` reg value. +4. GuruRMM: 2 bugs + Feature 4a filed (ROOT-CAUSED) — await build decision. +5. Future: add `Domain.ReadWrite.All` to Tenant Admin app to automate domain-adds (Mike: "wire this up"). +6. 
Bardach: Barbara to retry per iPhone steps; sign-in-log lookup on standby.
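Review bot: the "## Credentials" section of the new session log commits the jim@jparkinsonaz.com password and the full-access root WHM API token "ClaudeTools" in cleartext, even though the same lines state both are already vaulted. Keep only the vault references (`clients/lamaddux/jim-parkinson-m365.sops.yaml`, and `infrastructure/ix-server` `credentials.whm-api-token`) and drop the values. Both secrets should be rotated once this commit is pushed, since they stay in git history regardless of the repo being private. This also runs against the CORE rule restored in thread 3 ("vault + document EVERY in-session credential, via the vault skill"): the vault is meant to be the only copy. Because the subject line shows this is an auto-sync commit, a secret scan in the sync step would catch this before it lands.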
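Review bot: thread 3 records the "ClaudeTools" WHM token as full-access root, but the only use this log shows for it is DNS zone editing (the thread 5 DNS cutover and the memory name `ix-whm-dns-api-access`). Add a follow-up under "Pending / next" to reissue the token with privileges limited to the DNS functions it is used for, and note that scope in the `infrastructure/ix-server` entry notes, so a leaked copy does not carry root over the whole WHM host.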
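Review bot: the interim changes in this log have no owner or end state. Thread 5 sets `ExcludeHttpsRootDomain=1` on both machines as "interim", yet "Pending / next" item 3 lists its removal only as "Optional", and the Infrastructure section records the Imunify360 whitelist entries (98.97.118.217 and 2605:59c0:43a6:9710::/64) without saying whether they are meant to stay. Make both explicit pending items, naming DESKTOP-EDN9UDO and DESKTOP-M0GBKF3 for the registry value, so the overrides are removed or consciously kept rather than forgotten.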