From 4a63b583b72fdc0f45c455342196307a606c79fa Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Thu, 25 Jun 2026 11:42:58 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-25 11:42:29 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 11:42:29 --- .claude/memory/MEMORY.md | 1 + .../reference_syncro_rmm_api_gui_only.md | 15 ++ .../docs/REMAINING-WORK-PLAN.md | 6 +- .../share-group-roster-proposed-2026-06-25.md | 130 ++++++++++++++++++ .../2026-06-25-howard-dforth-ship-tdr-bsod.md | 94 +++++++++++++ 5 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 .claude/memory/reference_syncro_rmm_api_gui_only.md create mode 100644 clients/cascades-tucson/docs/migration/share-group-roster-proposed-2026-06-25.md create mode 100644 clients/dataforth/session-logs/2026-06/2026-06-25-howard-dforth-ship-tdr-bsod.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 228e3826..389e3bd3 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -7,6 +7,7 @@ - [ACG Office Network Infrastructure](infra_office_network.md) — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage. - [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS. - [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number. +- [Syncro RMM policies = API-impossible](reference_syncro_rmm_api_gui_only.md) — policy create/assign/folder-move is GUI-ONLY; `policy_folder_id` is read-only on PUT (live-proven), policy endpoints 404, /policy_folders 401 scope-gated. Don't build /syncro move-asset; use `bitdefender` for API policy work. - [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list. - [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style. - [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06. diff --git a/.claude/memory/reference_syncro_rmm_api_gui_only.md b/.claude/memory/reference_syncro_rmm_api_gui_only.md new file mode 100644 index 00000000..59d7a5bf --- /dev/null +++ b/.claude/memory/reference_syncro_rmm_api_gui_only.md 
@@ -0,0 +1,15 @@ +--- +name: reference-syncro-rmm-api-gui-only +description: Syncro's public API cannot manage RMM policies/folders — creation, assignment, and asset moves are GUI-only (live-verified 2026-06-25) +metadata: + type: reference +--- + +**Syncro RMM policy management is GUI-only — the public REST API does NOT expose it.** Live-verified against the ACG production tenant (computerguru.syncromsp.com) on 2026-06-25: + +- `GET /customer_assets` objects carry a read-only **`policy_folder_id`** field (which policy folder the machine sits in). **`PUT /customer_assets/{id}` with `policy_folder_id` is silently ignored** — returns HTTP 200 but the value never changes. Proven by a flip-and-restore test on ACG-internal asset 12335235 (DESKTOP-0O8A1RL): value stayed at folder 692253. **You CANNOT move a machine between policy folders via the API.** +- `/policies`, `/policy_builders`, `/rmm_policies`, `/asset_policies` all return **404** — no policy-CRUD endpoints exist. Policy Builder (the `/policy_builders` GUI page) is web-console only. +- `/policy_folders` (collection and specific-ID) returns **401** — the route exists but our API token lacks RMM/policy scope. A re-issued token *might* read folders, but since assets can't be moved anyway, it's moot for the move use case. +- Syncro docs (docs.syncrosecure.com / docs.syncromsp.com "Work with Policies") confirm: policies are created in Policy Builder, assigned via an Organization's "Assets & Policies" subtab "Update Assigned Policy" dropdown, or "Bulk Assign Top-Level Policy" — all GUI, **no API mention**. + +**How to apply:** Do NOT attempt to build `/syncro move-asset` or any Syncro RMM policy/folder/group capability — it's not buildable on the public API. Don't re-probe these endpoints. The only API-drivable policy surface in the fleet is the `bitdefender` skill (GravityZone: create/assign policies, custom groups, move endpoints). For Syncro RMM policy work, direct the user to the Syncro web console. 
The `/syncro` skill stays PSA-only (tickets/billing/customers/scheduling/estimates + read-only asset lookup). See [[feedback-psa-default-syncro]]. diff --git a/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md b/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md index e5a41981..eb252c2a 100644 --- a/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md +++ b/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md @@ -84,7 +84,11 @@ retire per-PC Synology Drive Client. **Prep blockers / decisions (2026-06-24):** - **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys): LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard handling the - Home->Pro upgrades himself** (list DM'd 2026-06-24). + Home->Pro upgrades himself, ONSITE** (decision 2026-06-25). + - *2026-06-25 live re-check: the 6PM cron `ad0a56a9` never completed — all 5 still `EditionID=Core` + (Home), Licensed on Home keys, none half-upgraded. Remote job abandoned; Howard doing them onsite. + Next step for these 5 = domain-join once they read `EditionID=Professional`. ProductName reads + "Windows 10 Home" even on the Win11 boxes (stale registry string) — trust EditionID, not ProductName.* - **OneDrive KFM ON** (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist. - **Pending reboots + KFM unlinks: held for onsite** (Howard) — disruptive to clear remotely. - **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) — diff --git a/clients/cascades-tucson/docs/migration/share-group-roster-proposed-2026-06-25.md b/clients/cascades-tucson/docs/migration/share-group-roster-proposed-2026-06-25.md new file mode 100644 index 00000000..da83ecce --- /dev/null +++ b/clients/cascades-tucson/docs/migration/share-group-roster-proposed-2026-06-25.md 
@@ -0,0 +1,130 @@ +# CS-SERVER Share Group Roster — PROPOSED (for review) + +> **Built 2026-06-25 (Howard)** by inverting `share-access-matrix-2026-04-23.md` onto the +> **live** `SG-*` groups on CS-SERVER. **Nothing assigned yet** — every `SG-*-RW` group is +> currently EMPTY. This is the worksheet to walk through and confirm "the right people" +> before we populate the groups. Tick/strike names as we go. +> +> Legend: **[OPEN]** = matrix left this person's scope unresolved · *(leaving)* = exclude · +> *(no AD acct yet)* = create account first · **[VERIFY AD]** = confirm a domain account exists. + +--- + +## Live state snapshot (2026-06-25) + +- **All access groups exist but are EMPTY:** `SG-Management-RW`, `SG-Mgmt-RW` (dup), + `SG-Sales-RW`, `SG-Sales-RO`, `SG-Server-RW`, `SG-Directory-RW`, `SG-Receptionist-RW`, + `SG-Culinary-RW`, `SG-Activities-RW`, `SG-IT-RW`, `SG-Chat-RW` (retired share). +- **Populated (not part of this pass):** `SG-Caregivers` (38), `SG-FolderRedirect` (8), + `SG-FrontDesk` (1), `SG-Reception-PCs` (1 = RECEPTIONIST-PC), `SG-PC-MainTower` (1 = NURSESTATION-PC). +- **Data shares present:** Accounting, Activities, Culinary, directoryshare, Executive, IT, + Management, Receptionist, Sales, SalesDept, Server, homes. +- **Missing vs matrix:** no **ALdocs** / **WebDocs** share or group; no **Clinical/PHI** share + (pending Meredith); `SG-Office-PHI-Internal/-External` exist empty. + +--- + +## Per-group proposed rosters + +### `SG-Management-RW` → `\\CS-SERVER\Management` +**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Allison Reibschied, Megan Hiatt, +Crystal Rodriguez, Veronica Feller, Shelby Trozzi, Christina DuPras · ~~Tamra Matthews~~ *(leaving)* +**RO (read-only):** Lois Lane, Christine Nyanzunda **[OPEN]**, Susan Hicks **[OPEN]**, John Trozzi, Lupe Sanchez **[OPEN]** +> No `SG-Management-RO` group exists — RO members need either a new RO group or a direct NTFS read ACL. 
**Decision needed.** + +### `SG-Sales-RW` → `\\CS-SERVER\Sales` / `SalesDept` +**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(leaving)* +**RO (`SG-Sales-RO`):** Shelby Trozzi +> **Two shares exist — `Sales` and `SalesDept`.** SalesDept holds the real history (2014–2026 reports, marketing). Confirm which the group maps to (or both), and what `Sales` is for. + +### `SG-ALdocs-RW` → `\\CS-SERVER\ALdocs` *(share + group NOT created yet)* +**RW:** Lois Lane, Karen Rossini, Meredith Kuhn, Ashley Jensen, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(leaving)* +> Must create the share + `SG-ALdocs-RW` group before assigning. Nurses (Lois/Karen) + Exec tier + Sales team. + +### `SG-WebDocs-RW` → `\\CS-SERVER\WebDocs` *(share + group NOT created yet)* +**RW:** Megan Hiatt, Crystal Rodriguez, Meredith Kuhn, Ashley Jensen · ~~Tamra Matthews~~ *(leaving)* +> Must create the share + `SG-WebDocs-RW` group. Distinct from the retired DSM `web` station. + +### `SG-Server-RW` → `\\CS-SERVER\Server` +**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Veronica Feller, Shelby Trozzi, Christina DuPras, John Trozzi **[OPEN — Server or just Directory?]** +**RO:** Matt Brooks +> No `SG-Server-RO` group — Matt's RO needs an RO group or direct NTFS read. + +### `SG-Directory-RW` → `\\CS-SERVER\directoryshare` +**RW (per matrix "Access: Directory"):** Meredith, Ashley, Lauren, Allison, Megan, Crystal, +Lois, Karen, Veronica, Shelby, Christine, Christina DuPras, Cathy Kingston, Shontiel Nunn, +Kyla Quick Tiffany *(no AD acct yet)*, Michelle Shestko, Sebastian Leon, Sheldon Gardfrey, +Ray Rai, Susan Hicks, Sharon Edwards, Alma R Montt *(no AD acct yet)*, John Trozzi, Matt Brooks, Lupe Sanchez +**Excluded:** kitchen staff (JD, Ramon, Alyssa), drivers, caregivers +> **Big question:** matrix intro says "most staff need **read**" but each person's line reads +> "Access" (= RW). 
Does everyone really need WRITE to the resident directory, or **read for most + +> write for the few who maintain it** (front desk)? Likely should be a `SG-Directory-RO` (most) + +> `SG-Directory-RW` (front-desk maintainers). **Decision needed.** + +### `SG-Receptionist-RW` → `\\CS-SERVER\Receptionist` *(Tower front desk ONLY)* +**RW:** Cathy Kingston, Shontiel Nunn, Kyla Quick Tiffany *(no AD acct yet)*, Sebastian Leon, +Sheldon Gardfrey, Ray Rai, Christina DuPras, Meredith Kuhn, Ashley Jensen +**RO:** Lauren Hasselman +**Explicitly excluded:** Michelle Shestko (MC desk), Matt Brooks (MC coverage), Sales team +> Mapped **by machine + user** via GPO/logon script — drive appears only on Tower reception PC(s) +> for users in this group. Needs the machine-scope GPO, not just group membership. + +### `SG-Culinary-RW` → `\\CS-SERVER\Culinary` +**RW:** JD Martin, Ramon Castaneda, Alyssa Brooks +**RO:** Meredith Kuhn, John Trozzi, Ashley Jensen +> Kitchen staff get Culinary ONLY (no Directory, no other shares). No `SG-Culinary-RO` group — RO trio needs one or direct NTFS read. + +### `SG-Activities-RW` → `\\CS-SERVER\Activities` (= Life Enrichment) +**RW:** Susan Hicks **[OPEN]**, Sharon Edwards, Alma R Montt *(no AD acct yet)*, Veronica Feller, +Meredith Kuhn, Ashley Jensen +**RO:** Shelby Trozzi, Christina DuPras +> Confirm `Activities` share == the Life Enrichment data share (matrix called it `LifeEnrichment`). +> LE workstations have no mapped drives today — this is their first map. + +### `SG-IT-RW` → `\\CS-SERVER\IT` +**RW:** IT only — ACG admins (no Cascades staff) +> Leave as admin-only. + +### Clinical / PHI → `\\CS-SERVER\Clinical-PHI` **(PENDING — share may not be created)** +**Proposed RW *if* created:** Meredith Kuhn, Ashley Jensen, Lois Lane, Karen Rossini, +Veronica Feller, Shelby Trozzi, Christine Nyanzunda +> Synology `pacs` was empty. 
**Meredith decision:** create an empty Clinical-PHI share with this +> list, or retire the concept (everything clinical lives in ALIS) and strip Clinical from all lines above. +> `SG-Office-PHI-Internal/-External` already exist empty — decide if those are the intended groups. + +### Accounting → `\\CS-SERVER\Accounting` **(share exists, no SG group, not in matrix)** +**Proposed RW:** Allison Reibschied (Accounting Asst), Lauren Hasselman (Business Office Dir)? Meredith/Ashley? +> **Not defined in the 2026-04-23 matrix.** Confirm who owns the Accounting share + whether it needs its own `SG-Accounting-RW` group. + +### Direct-ACL shares (no group — leave as-is) +- **`Executive`** — Ashley Jensen + Meredith Kuhn (done 2026-06-24, #32193). +- **Sandra Fish Archive** (`D:\Shares\Archive\Former-Director-Sandra-Fish`) — Meredith, sole custodian. + +--- + +## Structural decisions to make before we populate (not per-person) + +1. **RO groups missing.** Only `SG-Sales-RO` exists. Several shares need read-only members + (Management, Server, Culinary, Receptionist, Activities). Create matching `SG-*-RO` groups, or + apply direct NTFS read ACLs? (Groups are cleaner/auditable; recommend RO groups.) +2. **Dedupe `SG-Management-RW` vs `SG-Mgmt-RW`** — keep one, delete the other (both empty — zero risk). +3. **Delete `SG-Chat-RW`** — the chat share is retired (→ Teams). +4. **Create ALdocs + WebDocs** shares + `SG-ALdocs-RW`/`SG-WebDocs-RW` groups. +5. **Directory RW-vs-RO model** — decide read-for-most + write-for-front-desk (recommended) vs everyone-RW. +6. **Clinical/PHI** — create or retire (Meredith). +7. **Accounting share** — define ownership + group. + +## Per-person open questions (carry over from the matrix — confirm with John/Meredith) +- [ ] **Lois Lane** — Clinical + Directory + Mgmt-read, or ALIS-only? +- [ ] **Karen Rossini** — Clinical + Directory, or less? +- [ ] **Susan Hicks** — LE Director scope as proposed? 
+- [ ] **John Trozzi** — Server access, or just Directory + Culinary-read? +- [ ] **Lupe Sanchez** — Directory only, or + Management read? +- [ ] **Shelby Trozzi** — narrowed MC-Director scope (no admin-full) OK? +- [ ] **Matt Brooks** — primary dept: Maintenance or MC Reception? +- [ ] **Christine Nyanzunda** — Management read or write? + +## AD-account verification needed before assignment +Confirm a domain account exists for: Cathy Kingston, Shontiel Nunn, Michelle Shestko, +Sebastian Leon, Sheldon Gardfrey, Ray Rai, Sharon Edwards, Allison Reibschied. +**Create first:** Kyla Quick Tiffany, Alma R Montt (matrix: not yet created). diff --git a/clients/dataforth/session-logs/2026-06/2026-06-25-howard-dforth-ship-tdr-bsod.md b/clients/dataforth/session-logs/2026-06/2026-06-25-howard-dforth-ship-tdr-bsod.md new file mode 100644 index 00000000..bf74d95a --- /dev/null +++ b/clients/dataforth/session-logs/2026-06/2026-06-25-howard-dforth-ship-tdr-bsod.md 
@@ -0,0 +1,94 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Investigated a reported BSOD on the Dataforth shipping-station PC DFORTH-Ship: stop code +`0x00000116 VIDEO_TDR_FAILURE`. Resolved the agent via `/rmm-search` (exact match DFORTH-Ship, +id `db17e069-2948-4cbc-97ea-1da721edcaf5`, Dataforth Corp / site D1, online), distinguishing it +from a near-twin host `DForth-Shipp`. + +Ran two read-only PowerShell diagnostics over GuruRMM. The first pulled GPU/driver inventory, +recent bugcheck/Kernel-Power events, display/TDR driver events, WHEA, and the minidump list. The +GPU is an integrated Intel HD Graphics 4600 on driver `20.19.15.5126` (1/20/2020 — Intel's final +driver for that part). The latest crash (6/24/2026 04:36) was confirmed `0x116` with arg3 +`0xc0000001` (GPU reset did not complete in the 2s TDR window). Five minidumps exist spanning +11/3/2025 -> 5/3 -> 5/20 -> 6/16 -> 6/24/2026, an accelerating cadence. + +The second diagnostic confirmed the System event log had rolled (only the latest 1001 bugcheck +survives in events, though dump files persist), that TdrDelay/TdrLevel are at defaults, that Edge ++ WebView2 (hardware-accelerated) are installed, and that the hardware is an HP EliteDesk 800 G1 +USDT with a Dec-2014 BIOS (~11.5-year-old ultra-slim chassis, heat/dust prone). + +Diagnosis: display-driver TDR on aging integrated graphics; because it is integrated there is no +card to reseat/swap. Recommended PC replacement as the real fix with interim mitigations. Per +Howard's go-ahead, applied mitigation #1: disabled Edge hardware acceleration via machine policy +(`HKLM\SOFTWARE\Policies\Microsoft\Edge\HardwareAccelerationModeEnabled = 0`), verified value = 0, +exit 0. Posted the required `[RMM]` write alert to #dev-alerts. + +## Key Decisions + +- Targeted the exact host DFORTH-Ship over the near-twin DForth-Shipp to avoid acting on the wrong + Dataforth machine. 
+- Classified the crash as a TDR on integrated graphics, so ruled out "reseat/replace the GPU" + advice — the GPU is on the CPU/motherboard. +- Chose disabling Edge hardware acceleration as the first mitigation: it is the most common + software TDR trigger on HD 4600, low-risk, reversible, and offers no downside on a shipping PC. +- Held off on the TdrDelay registry band-aid; it masks marginal timeouts and would not save a + genuine hardware fault. Flagged thermal cleaning + PC replacement as the durable path given the + accelerating dump cadence on an 11.5-year-old slim desktop. + +## Problems Encountered + +- Full bugcheck-code history was unavailable from the event log (System log had rolled; only the + 6/24 1001 event remained). Worked around by enumerating the persisted `.dmp` files to establish + the crash cadence; older signatures left unconfirmed (would require loading the dumps). + +## Configuration Changes + +- DFORTH-Ship registry (via RMM): created/set `HKLM\SOFTWARE\Policies\Microsoft\Edge` value + `HardwareAccelerationModeEnabled` (DWORD) = `0`. Reversible (delete value or set to 1). Effective + on next Edge restart. +- No files modified in the repo. + +## Credentials & Secrets + +None discovered or created this session. RMM auth via existing vault path +`infrastructure/gururmm-server.sops.yaml`. + +## Infrastructure & Servers + +- Host: DFORTH-Ship — GuruRMM agent id `db17e069-2948-4cbc-97ea-1da721edcaf5`, Dataforth Corp, + site D1, Windows, online. +- Hardware: HP EliteDesk 800 G1 USDT, BIOS release 12/10/2014. GPU: Intel HD Graphics 4600, + driver 20.19.15.5126 (2020-01-20). Logged-on console user: `shipping`. +- Near-twin host (not touched): DForth-Shipp, id `95991b45-d843-4586-8275-9996d0d9ae17`. +- GuruRMM API: http://172.16.3.30:3001 + +## Commands & Outputs + +- Latest bugcheck: `0x00000116 (0xffff850c0cc03010, 0xfffff80646d91b10, 0xffffffffc0000001, + 0x0000000000000003)` at 6/24/2026 04:36, dump `C:\WINDOWS\Minidump\062426-8953-01.dmp`. 
+- Minidumps present: 110325-8265-01, 050326-7921-01, 052026-7937-01, 061626-7687-01, 062426-8953-01. +- Mitigation verify output: `Set HardwareAccelerationModeEnabled = 0 (0 = disabled)`, exit 0 + (cmd `b98d56ba-065b-431b-b976-783d5902d80d`). +- Diagnostic cmd ids: `b666b53b-...` (GPU/events/dumps), `f562d01f-...` (history/TDR/model). + +## Pending / Incomplete Tasks + +- Have on-site staff fully restart Edge (or reboot) so the HW-accel policy takes effect; verify at + `edge://policy` and `edge://settings/system`. +- Monitor for recurrence. If it bugchecks again, pull and analyze the four older dump signatures to + confirm whether it is drifting toward a hard hardware fault. +- Schedule thermal cleaning of the USDT chassis/fan (on-site). +- Recommend/plan replacement of the 11.5-year-old EliteDesk 800 G1 USDT shipping station. + +## Reference Information + +- Stop code: 0x00000116 VIDEO_TDR_FAILURE (Timeout Detection & Recovery; default TdrDelay 2s). +- TDR registry: `HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers` (TdrDelay/TdrLevel — at + defaults on this host). +- Edge policy: `HKLM\SOFTWARE\Policies\Microsoft\Edge\HardwareAccelerationModeEnabled`. +- #dev-alerts message id: 1519768574304980993.
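Review bot: In .claude/memory/MEMORY.md, the added index entry ends with "use `bitdefender` for API policy work", which on its own reads as though the Bitdefender skill can stand in for Syncro RMM policy changes. The referenced file limits it to GravityZone policies, custom groups and endpoint moves, so the index line should say that (for example "GravityZone policy work only, via `bitdefender`"). The "API-impossible" title also covers the 401 on /policy_folders, which the same line calls scope-gated; "GUI-only with our current token" would match the evidence more closely.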
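Review bot: In .claude/memory/reference_syncro_rmm_api_gui_only.md, the "How to apply" paragraph says "Don't re-probe these endpoints" with no expiry, while the evidence above it is a single-day check (2026-06-25) made with a token that the third bullet says lacks RMM/policy scope. Add a re-verify condition, such as a review date or "re-check if Syncro documents a policy API", so one probe does not become a permanent block. Since the third bullet concludes that a re-issued token is moot for the move use case, it is also worth stating outright that the token scope should stay as it is, so nobody widens it later just to read folders.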
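Review bot: In clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md, the added re-check note says the 6PM cron `ad0a56a9` "never completed" and "Remote job abandoned", but not whether the scheduled job was actually removed or disabled. If it is still scheduled it could fire while the same five machines are being upgraded onsite, so state that the job was deleted, or list its removal as a step before the onsite work. The "trust EditionID, not ProductName" guidance applies to every domain-join readiness check, not only these five machines, and would be easier to find outside this nested bullet.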
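Review bot: In share-group-roster-proposed-2026-06-25.md, "Structural decisions" item 2 treats deleting one of `SG-Management-RW` / `SG-Mgmt-RW` as "zero risk" because both are empty, and item 3 deletes `SG-Chat-RW` without any check. Empty membership does not show a group is unreferenced: it can still appear in share permissions, NTFS ACLs or GPO security filtering, and deleting it leaves an unresolved SID behind. Add a step to enumerate where each group is referenced before deletion, and record which of the two Management groups is the one actually on the `\\CS-SERVER\Management` ACL. Separately, the struck-through Tamra Matthews entries sit inside four RW lists; moving leavers to a single exclusion line would lower the chance of the name being copied into a group when the lists are populated.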
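Review bot: In the session log 2026-06-25-howard-dforth-ship-tdr-bsod.md, "Commands & Outputs" truncates the two diagnostic command ids (`b666b53b-...`, `f562d01f-...`) while the mitigation command id is written in full. Record the full ids so the read-only runs can be looked up in GuruRMM the same way as the write. The log also keeps only the verify output of the registry change, not the command that produced it; including the script or a pointer to it would make the change reviewable and repeatable. "Infrastructure & Servers" lists the GuruRMM API as an `http://` URL; if the authenticated calls in this session went to that endpoint, note how that traffic is protected.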