sync: auto-sync from HOWARD-HOME at 2026-06-25 11:42:29

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 11:42:29
2026-06-25 11:42:58 -07:00
parent fc36f98450
commit 4a63b583b7
5 changed files with 245 additions and 1 deletions


@@ -7,6 +7,7 @@
- [ACG Office Network Infrastructure](infra_office_network.md) — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage. - [ACG Office Network Infrastructure](infra_office_network.md) — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage.
- [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS. - [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
- [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number. - [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
- [Syncro RMM policies = API-impossible](reference_syncro_rmm_api_gui_only.md) — policy create/assign/folder-move is GUI-ONLY; `policy_folder_id` is read-only on PUT (live-proven), policy endpoints 404, /policy_folders 401 scope-gated. Don't build /syncro move-asset; use `bitdefender` for API policy work.
- [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list. - [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list.
- [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style. - [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style.
- [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06. - [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06.
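Review bot: The added index entry for reference_syncro_rmm_api_gui_only.md is titled "API-impossible", but the same line reports /policy_folders as "401 scope-gated", which is an access result rather than proof that the route cannot be used; a title such as "GUI-only for create/assign/move" would match what was tested. The closing "use `bitdefender` for API policy work" can also be read as a substitute for Syncro policy moves; a few words saying it is a separate policy surface would avoid that.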


@@ -0,0 +1,15 @@
---
name: reference-syncro-rmm-api-gui-only
description: Syncro's public API cannot manage RMM policies/folders — creation, assignment, and asset moves are GUI-only (live-verified 2026-06-25)
metadata:
type: reference
---
**Syncro RMM policy management is GUI-only — the public REST API does NOT expose it.** Live-verified against the ACG production tenant (computerguru.syncromsp.com) on 2026-06-25:
- `GET /customer_assets` objects carry a read-only **`policy_folder_id`** field (which policy folder the machine sits in). **`PUT /customer_assets/{id}` with `policy_folder_id` is silently ignored** — returns HTTP 200 but the value never changes. Proven by a flip-and-restore test on ACG-internal asset 12335235 (DESKTOP-0O8A1RL): value stayed at folder 692253. **You CANNOT move a machine between policy folders via the API.**
- `/policies`, `/policy_builders`, `/rmm_policies`, `/asset_policies` all return **404** — no policy-CRUD endpoints exist. Policy Builder (the `/policy_builders` GUI page) is web-console only.
- `/policy_folders` (collection and specific-ID) returns **401** — the route exists but our API token lacks RMM/policy scope. A re-issued token *might* read folders, but since assets can't be moved anyway, it's moot for the move use case.
- Syncro docs (docs.syncrosecure.com / docs.syncromsp.com "Work with Policies") confirm: policies are created in Policy Builder, assigned via an Organization's "Assets & Policies" subtab "Update Assigned Policy" dropdown, or "Bulk Assign Top-Level Policy" — all GUI, **no API mention**.
**How to apply:** Do NOT attempt to build `/syncro move-asset` or any Syncro RMM policy/folder/group capability — it's not buildable on the public API. Don't re-probe these endpoints. The only API-drivable policy surface in the fleet is the `bitdefender` skill (GravityZone: create/assign policies, custom groups, move endpoints). For Syncro RMM policy work, direct the user to the Syncro web console. The `/syncro` skill stays PSA-only (tickets/billing/customers/scheduling/estimates + read-only asset lookup). See [[feedback-psa-default-syncro]].
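Review bot: In the "How to apply" paragraph, "Don't re-probe these endpoints" has no expiry or re-check condition, while the findings above it come from a single live test dated 2026-06-25 and the 401 on `/policy_folders` is attributed to token scope without a test using a differently scoped token (the text itself says a re-issued token "might" read folders). Suggest marking the scope explanation as an inference and adding a condition for re-verifying, for example after a token re-issue or a documented Syncro API change.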


@@ -84,7 +84,11 @@ retire per-PC Synology Drive Client.
**Prep blockers / decisions (2026-06-24):** **Prep blockers / decisions (2026-06-24):**
- **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys): - **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys):
LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard handling the LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard handling the
Home->Pro upgrades himself** (list DM'd 2026-06-24). Home->Pro upgrades himself, ONSITE** (decision 2026-06-25).
- *2026-06-25 live re-check: the 6PM cron `ad0a56a9` never completed — all 5 still `EditionID=Core`
(Home), Licensed on Home keys, none half-upgraded. Remote job abandoned; Howard doing them onsite.
Next step for these 5 = domain-join once they read `EditionID=Professional`. ProductName reads
"Windows 10 Home" even on the Win11 boxes (stale registry string) — trust EditionID, not ProductName.*
- **OneDrive KFM ON** (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist. - **OneDrive KFM ON** (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist.
- **Pending reboots + KFM unlinks: held for onsite** (Howard) — disruptive to clear remotely. - **Pending reboots + KFM unlinks: held for onsite** (Howard) — disruptive to clear remotely.
- **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) — - **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) —
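Review bot: The added 2026-06-25 re-check says the 6PM cron `ad0a56a9` "never completed" and that the remote job is "abandoned", but it does not say whether the scheduled job was disabled or removed. If it is still scheduled it could fire while the onsite Home->Pro upgrades are in progress, so state its current status here. It would also help to record how `EditionID` was read, so the "trust EditionID, not ProductName" check can be repeated the same way before domain-join.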


@@ -0,0 +1,130 @@
# CS-SERVER Share Group Roster — PROPOSED (for review)
> **Built 2026-06-25 (Howard)** by inverting `share-access-matrix-2026-04-23.md` onto the
> **live** `SG-*` groups on CS-SERVER. **Nothing assigned yet** — every `SG-*-RW` group is
> currently EMPTY. This is the worksheet to walk through and confirm "the right people"
> before we populate the groups. Tick/strike names as we go.
>
> Legend: **[OPEN]** = matrix left this person's scope unresolved · *(leaving)* = exclude ·
> *(no AD acct yet)* = create account first · **[VERIFY AD]** = confirm a domain account exists.
---
## Live state snapshot (2026-06-25)
- **All access groups exist but are EMPTY:** `SG-Management-RW`, `SG-Mgmt-RW` (dup),
`SG-Sales-RW`, `SG-Sales-RO`, `SG-Server-RW`, `SG-Directory-RW`, `SG-Receptionist-RW`,
`SG-Culinary-RW`, `SG-Activities-RW`, `SG-IT-RW`, `SG-Chat-RW` (retired share).
- **Populated (not part of this pass):** `SG-Caregivers` (38), `SG-FolderRedirect` (8),
`SG-FrontDesk` (1), `SG-Reception-PCs` (1 = RECEPTIONIST-PC), `SG-PC-MainTower` (1 = NURSESTATION-PC).
- **Data shares present:** Accounting, Activities, Culinary, directoryshare, Executive, IT,
Management, Receptionist, Sales, SalesDept, Server, homes.
- **Missing vs matrix:** no **ALdocs** / **WebDocs** share or group; no **Clinical/PHI** share
(pending Meredith); `SG-Office-PHI-Internal/-External` exist empty.
---
## Per-group proposed rosters
### `SG-Management-RW` → `\\CS-SERVER\Management`
**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Allison Reibschied, Megan Hiatt,
Crystal Rodriguez, Veronica Feller, Shelby Trozzi, Christina DuPras · ~~Tamra Matthews~~ *(leaving)*
**RO (read-only):** Lois Lane, Christine Nyanzunda **[OPEN]**, Susan Hicks **[OPEN]**, John Trozzi, Lupe Sanchez **[OPEN]**
> No `SG-Management-RO` group exists — RO members need either a new RO group or a direct NTFS read ACL. **Decision needed.**
### `SG-Sales-RW` → `\\CS-SERVER\Sales` / `SalesDept`
**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(leaving)*
**RO (`SG-Sales-RO`):** Shelby Trozzi
> **Two shares exist — `Sales` and `SalesDept`.** SalesDept holds the real history (20142026 reports, marketing). Confirm which the group maps to (or both), and what `Sales` is for.
### `SG-ALdocs-RW` → `\\CS-SERVER\ALdocs` *(share + group NOT created yet)*
**RW:** Lois Lane, Karen Rossini, Meredith Kuhn, Ashley Jensen, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(leaving)*
> Must create the share + `SG-ALdocs-RW` group before assigning. Nurses (Lois/Karen) + Exec tier + Sales team.
### `SG-WebDocs-RW` → `\\CS-SERVER\WebDocs` *(share + group NOT created yet)*
**RW:** Megan Hiatt, Crystal Rodriguez, Meredith Kuhn, Ashley Jensen · ~~Tamra Matthews~~ *(leaving)*
> Must create the share + `SG-WebDocs-RW` group. Distinct from the retired DSM `web` station.
### `SG-Server-RW` → `\\CS-SERVER\Server`
**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Veronica Feller, Shelby Trozzi, Christina DuPras, John Trozzi **[OPEN — Server or just Directory?]**
**RO:** Matt Brooks
> No `SG-Server-RO` group — Matt's RO needs an RO group or direct NTFS read.
### `SG-Directory-RW` → `\\CS-SERVER\directoryshare`
**RW (per matrix "Access: Directory"):** Meredith, Ashley, Lauren, Allison, Megan, Crystal,
Lois, Karen, Veronica, Shelby, Christine, Christina DuPras, Cathy Kingston, Shontiel Nunn,
Kyla Quick Tiffany *(no AD acct yet)*, Michelle Shestko, Sebastian Leon, Sheldon Gardfrey,
Ray Rai, Susan Hicks, Sharon Edwards, Alma R Montt *(no AD acct yet)*, John Trozzi, Matt Brooks, Lupe Sanchez
**Excluded:** kitchen staff (JD, Ramon, Alyssa), drivers, caregivers
> **Big question:** matrix intro says "most staff need **read**" but each person's line reads
> "Access" (= RW). Does everyone really need WRITE to the resident directory, or **read for most +
> write for the few who maintain it** (front desk)? Likely should be a `SG-Directory-RO` (most) +
> `SG-Directory-RW` (front-desk maintainers). **Decision needed.**
### `SG-Receptionist-RW` → `\\CS-SERVER\Receptionist` *(Tower front desk ONLY)*
**RW:** Cathy Kingston, Shontiel Nunn, Kyla Quick Tiffany *(no AD acct yet)*, Sebastian Leon,
Sheldon Gardfrey, Ray Rai, Christina DuPras, Meredith Kuhn, Ashley Jensen
**RO:** Lauren Hasselman
**Explicitly excluded:** Michelle Shestko (MC desk), Matt Brooks (MC coverage), Sales team
> Mapped **by machine + user** via GPO/logon script — drive appears only on Tower reception PC(s)
> for users in this group. Needs the machine-scope GPO, not just group membership.
### `SG-Culinary-RW` → `\\CS-SERVER\Culinary`
**RW:** JD Martin, Ramon Castaneda, Alyssa Brooks
**RO:** Meredith Kuhn, John Trozzi, Ashley Jensen
> Kitchen staff get Culinary ONLY (no Directory, no other shares). No `SG-Culinary-RO` group — RO trio needs one or direct NTFS read.
### `SG-Activities-RW` → `\\CS-SERVER\Activities` (= Life Enrichment)
**RW:** Susan Hicks **[OPEN]**, Sharon Edwards, Alma R Montt *(no AD acct yet)*, Veronica Feller,
Meredith Kuhn, Ashley Jensen
**RO:** Shelby Trozzi, Christina DuPras
> Confirm `Activities` share == the Life Enrichment data share (matrix called it `LifeEnrichment`).
> LE workstations have no mapped drives today — this is their first map.
### `SG-IT-RW` → `\\CS-SERVER\IT`
**RW:** IT only — ACG admins (no Cascades staff)
> Leave as admin-only.
### Clinical / PHI → `\\CS-SERVER\Clinical-PHI` **(PENDING — share may not be created)**
**Proposed RW *if* created:** Meredith Kuhn, Ashley Jensen, Lois Lane, Karen Rossini,
Veronica Feller, Shelby Trozzi, Christine Nyanzunda
> Synology `pacs` was empty. **Meredith decision:** create an empty Clinical-PHI share with this
> list, or retire the concept (everything clinical lives in ALIS) and strip Clinical from all lines above.
> `SG-Office-PHI-Internal/-External` already exist empty — decide if those are the intended groups.
### Accounting → `\\CS-SERVER\Accounting` **(share exists, no SG group, not in matrix)**
**Proposed RW:** Allison Reibschied (Accounting Asst), Lauren Hasselman (Business Office Dir)? Meredith/Ashley?
> **Not defined in the 2026-04-23 matrix.** Confirm who owns the Accounting share + whether it needs its own `SG-Accounting-RW` group.
### Direct-ACL shares (no group — leave as-is)
- **`Executive`** — Ashley Jensen + Meredith Kuhn (done 2026-06-24, #32193).
- **Sandra Fish Archive** (`D:\Shares\Archive\Former-Director-Sandra-Fish`) — Meredith, sole custodian.
---
## Structural decisions to make before we populate (not per-person)
1. **RO groups missing.** Only `SG-Sales-RO` exists. Several shares need read-only members
(Management, Server, Culinary, Receptionist, Activities). Create matching `SG-*-RO` groups, or
apply direct NTFS read ACLs? (Groups are cleaner/auditable; recommend RO groups.)
2. **Dedupe `SG-Management-RW` vs `SG-Mgmt-RW`** — keep one, delete the other (both empty — zero risk).
3. **Delete `SG-Chat-RW`** — the chat share is retired (→ Teams).
4. **Create ALdocs + WebDocs** shares + `SG-ALdocs-RW`/`SG-WebDocs-RW` groups.
5. **Directory RW-vs-RO model** — decide read-for-most + write-for-front-desk (recommended) vs everyone-RW.
6. **Clinical/PHI** — create or retire (Meredith).
7. **Accounting share** — define ownership + group.
## Per-person open questions (carry over from the matrix — confirm with John/Meredith)
- [ ] **Lois Lane** — Clinical + Directory + Mgmt-read, or ALIS-only?
- [ ] **Karen Rossini** — Clinical + Directory, or less?
- [ ] **Susan Hicks** — LE Director scope as proposed?
- [ ] **John Trozzi** — Server access, or just Directory + Culinary-read?
- [ ] **Lupe Sanchez** — Directory only, or + Management read?
- [ ] **Shelby Trozzi** — narrowed MC-Director scope (no admin-full) OK?
- [ ] **Matt Brooks** — primary dept: Maintenance or MC Reception?
- [ ] **Christine Nyanzunda** — Management read or write?
## AD-account verification needed before assignment
Confirm a domain account exists for: Cathy Kingston, Shontiel Nunn, Michelle Shestko,
Sebastian Leon, Sheldon Gardfrey, Ray Rai, Sharon Edwards, Allison Reibschied.
**Create first:** Kyla Quick Tiffany, Alma R Montt (matrix: not yet created).
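Review bot: Structural decision 2 calls deleting one of `SG-Management-RW` / `SG-Mgmt-RW` "zero risk" because both are empty, but an empty group can still be referenced in share or NTFS ACLs, and the roster does not say which of the two the `Management` share uses. Add a step to check ACL references before deleting. Under `SG-Directory-RW`, the roster lists everyone as RW while the note below it leans toward read for most; consider recording the default as RO until that decision is made. In the `SG-Sales-RW` note, "20142026 reports" looks like a year range that lost its separator.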


@@ -0,0 +1,94 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Investigated a reported BSOD on the Dataforth shipping-station PC DFORTH-Ship: stop code
`0x00000116 VIDEO_TDR_FAILURE`. Resolved the agent via `/rmm-search` (exact match DFORTH-Ship,
id `db17e069-2948-4cbc-97ea-1da721edcaf5`, Dataforth Corp / site D1, online), distinguishing it
from a near-twin host `DForth-Shipp`.
Ran two read-only PowerShell diagnostics over GuruRMM. The first pulled GPU/driver inventory,
recent bugcheck/Kernel-Power events, display/TDR driver events, WHEA, and the minidump list. The
GPU is an integrated Intel HD Graphics 4600 on driver `20.19.15.5126` (1/20/2020 — Intel's final
driver for that part). The latest crash (6/24/2026 04:36) was confirmed `0x116` with arg3
`0xc0000001` (GPU reset did not complete in the 2s TDR window). Five minidumps exist spanning
11/3/2025 -> 5/3 -> 5/20 -> 6/16 -> 6/24/2026, an accelerating cadence.
The second diagnostic confirmed the System event log had rolled (only the latest 1001 bugcheck
survives in events, though dump files persist), that TdrDelay/TdrLevel are at defaults, that Edge
+ WebView2 (hardware-accelerated) are installed, and that the hardware is an HP EliteDesk 800 G1
USDT with a Dec-2014 BIOS (~11.5-year-old ultra-slim chassis, heat/dust prone).
Diagnosis: display-driver TDR on aging integrated graphics; because it is integrated there is no
card to reseat/swap. Recommended PC replacement as the real fix with interim mitigations. Per
Howard's go-ahead, applied mitigation #1: disabled Edge hardware acceleration via machine policy
(`HKLM\SOFTWARE\Policies\Microsoft\Edge\HardwareAccelerationModeEnabled = 0`), verified value = 0,
exit 0. Posted the required `[RMM]` write alert to #dev-alerts.
## Key Decisions
- Targeted the exact host DFORTH-Ship over the near-twin DForth-Shipp to avoid acting on the wrong
Dataforth machine.
- Classified the crash as a TDR on integrated graphics, so ruled out "reseat/replace the GPU"
advice — the GPU is on the CPU/motherboard.
- Chose disabling Edge hardware acceleration as the first mitigation: it is the most common
software TDR trigger on HD 4600, low-risk, reversible, and offers no downside on a shipping PC.
- Held off on the TdrDelay registry band-aid; it masks marginal timeouts and would not save a
genuine hardware fault. Flagged thermal cleaning + PC replacement as the durable path given the
accelerating dump cadence on an 11.5-year-old slim desktop.
## Problems Encountered
- Full bugcheck-code history was unavailable from the event log (System log had rolled; only the
6/24 1001 event remained). Worked around by enumerating the persisted `.dmp` files to establish
the crash cadence; older signatures left unconfirmed (would require loading the dumps).
## Configuration Changes
- DFORTH-Ship registry (via RMM): created/set `HKLM\SOFTWARE\Policies\Microsoft\Edge` value
`HardwareAccelerationModeEnabled` (DWORD) = `0`. Reversible (delete value or set to 1). Effective
on next Edge restart.
- No files modified in the repo.
## Credentials & Secrets
None discovered or created this session. RMM auth via existing vault path
`infrastructure/gururmm-server.sops.yaml`.
## Infrastructure & Servers
- Host: DFORTH-Ship — GuruRMM agent id `db17e069-2948-4cbc-97ea-1da721edcaf5`, Dataforth Corp,
site D1, Windows, online.
- Hardware: HP EliteDesk 800 G1 USDT, BIOS release 12/10/2014. GPU: Intel HD Graphics 4600,
driver 20.19.15.5126 (2020-01-20). Logged-on console user: `shipping`.
- Near-twin host (not touched): DForth-Shipp, id `95991b45-d843-4586-8275-9996d0d9ae17`.
- GuruRMM API: http://172.16.3.30:3001
## Commands & Outputs
- Latest bugcheck: `0x00000116 (0xffff850c0cc03010, 0xfffff80646d91b10, 0xffffffffc0000001,
0x0000000000000003)` at 6/24/2026 04:36, dump `C:\WINDOWS\Minidump\062426-8953-01.dmp`.
- Minidumps present: 110325-8265-01, 050326-7921-01, 052026-7937-01, 061626-7687-01, 062426-8953-01.
- Mitigation verify output: `Set HardwareAccelerationModeEnabled = 0 (0 = disabled)`, exit 0
(cmd `b98d56ba-065b-431b-b976-783d5902d80d`).
- Diagnostic cmd ids: `b666b53b-...` (GPU/events/dumps), `f562d01f-...` (history/TDR/model).
## Pending / Incomplete Tasks
- Have on-site staff fully restart Edge (or reboot) so the HW-accel policy takes effect; verify at
`edge://policy` and `edge://settings/system`.
- Monitor for recurrence. If it bugchecks again, pull and analyze the four older dump signatures to
confirm whether it is drifting toward a hard hardware fault.
- Schedule thermal cleaning of the USDT chassis/fan (on-site).
- Recommend/plan replacement of the 11.5-year-old EliteDesk 800 G1 USDT shipping station.
## Reference Information
- Stop code: 0x00000116 VIDEO_TDR_FAILURE (Timeout Detection & Recovery; default TdrDelay 2s).
- TDR registry: `HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers` (TdrDelay/TdrLevel — at
defaults on this host).
- Edge policy: `HKLM\SOFTWARE\Policies\Microsoft\Edge\HardwareAccelerationModeEnabled`.
- #dev-alerts message id: 1519768574304980993.
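Review bot: Under "Commands & Outputs", the two diagnostic command ids are truncated (`b666b53b-...`, `f562d01f-...`) while the mitigation command id is given in full; record the full ids so the read-only diagnostics can be traced in GuruRMM alongside the registry write. Under "Infrastructure & Servers", the GuruRMM API is listed as `http://172.16.3.30:3001`; if RMM commands and their auth travel over that URL, note how the path is otherwise protected or plan a move to TLS.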