sync: auto-sync from HOWARD-HOME at 2026-06-24 11:50:01
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-24 11:50:01
@@ -89,6 +89,7 @@
- [Calibrate effort to stakes](feedback_calibrate_effort_to_stakes.md) — Don't over-verify or over-engineer low-consequence details; confirm the happy path, note the limitation, and take the simplest path (e.g. put the instruction in the prompt) instead of building robust mechanisms.
- [Pricing verification — no guessing](policy_pricing_verification.md) — ANY cost presented to the team or a client MUST be verified via live web lookup (WebFetch/WebSearch, fallback to headless Chrome). Never estimate from training data. Cite source + date inline. If unreachable, say so — do NOT substitute a guess.
- [Client communication tone](feedback_client_tone.md) — How to write client-facing Syncro comments — expert partner, not intake questionnaire.
- [Impeccable on outbound](feedback_impeccable_on_outbound.md) — Run the `impeccable` skill on anything sent to a client or vendor before delivery; internal drafts exempt.
- [Default to inline links](feedback_inline_links.md) — Use `[text](url)` inline markdown links (clickable, wrap-safe) not bare URLs in code fences; exception = raw URL the user must copy/paste.
- [Add Mike as owner on all Entra apps](feedback_entra_app_owner.md) — Apps created via management SP have no user owner — must add Mike manually or publisher verification fails.
- [No TOML/config file approach for endpoints](feedback_no_toml_config_endpoints.md) — User explicitly prohibits TOML or config-file-based endpoint configuration — this will never be approved.
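Review bot: the added `Impeccable on outbound` entry is the only outbound-facing rule in this index with no reciprocal pointer; the new memory file says it "Pairs with feedback_client_tone", so the `Client communication tone` line above should mention the impeccable gate too, otherwise a reader who lands on the tone rule never learns that a polish pass is also required before anything goes to a client or vendor.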
20
.claude/memory/feedback_impeccable_on_outbound.md
Normal file
@@ -0,0 +1,20 @@
---
name: feedback_impeccable_on_outbound
description: Run the `impeccable` skill on any deliverable before it goes out to a client or vendor
metadata:
type: feedback
---

Before sending ANYTHING to a client or another vendor — proposals, plans, reports,
agendas, one-pagers, emails meant to represent ACG externally — run the **`impeccable`**
skill on it first as a quality/polish gate. Applies to outbound, external-facing
deliverables; internal prep docs and working notes do not require it.

**Why:** Mike wants everything that leaves ACG to be polished and on-brand. A rough
internal draft is fine for us; a client/vendor never sees an unpolished artifact.

**How to apply:** When a deliverable is destined for a client/vendor, produce it, then
invoke `impeccable` to audit/polish before delivery. For document deliverables, that
means rendering them as a designed artifact (styled HTML/PDF one-pager) so `impeccable`
(a frontend/UI design skill) can do its job — confirm the format with the user if unsure.
Pairs with [[feedback_client_tone]] (tone) and [[stop-slop]] (text quality).
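Review bot: the closing line `Pairs with [[feedback_client_tone]] (tone) and [[stop-slop]] (text quality)` uses wiki-link syntax, while the memory index this file is registered in links memory files as `[text](file.md)`; pick one form so the cross-references resolve the same way everywhere (the index's own `Default to inline links` rule argues for the markdown form). Also worth stating in the `How to apply` paragraph what happens when the deliverable is an email rather than a document, since the description says "any deliverable" but the rendering step only covers styled HTML/PDF artifacts.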
@@ -54,9 +54,14 @@ Senior living community. Active project: HIPAA-compliant folder redirection GPO

## Pending / Next Up

**>> CANONICAL EXECUTION PLAN: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live
AD+RMM domain-join diff). It sequences ALL remaining work — workstation domain migration,
users/departments/file-share access, HIPAA caregiver lockdown go-live, M365 relicense, server/RAID,
network tail — and maps every open Syncro ticket to its workstream. Work the migration from THAT doc.

**Open Syncro Tickets (folded into the engagement, 2026-06-24 — Howard review):**
These 7 open Cascades tickets are tracked todos #1–#7 and roll up into the existing workstreams
(machine/user deployment into the domain + network/HIPAA lockdown). All are in Syncro status `New`.
These 7 open Cascades tickets are tracked todos #1–#7 and roll up into the workstreams in the plan
above (machine/user deployment into the domain + network/HIPAA lockdown).

| Ticket | Workstream | Summary | Notes |
|--------|-----------|---------|-------|
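Review bot: the rewritten paragraph still opens with "These 7 open Cascades tickets are tracked todos #1–#7", but `docs/REMAINING-WORK-PLAN.md`, added in this same commit, records #32193 as DONE 2026-06-24 with 0.5h billed, so the count is stale the moment it lands; say 6 open + 1 closed (or date the count) so this section and the plan's ticket map agree. Dropping the old "All are in Syncro status `New`" sentence is right for the same reason, since it is no longer true for #32193.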
208
clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md
Normal file
@@ -0,0 +1,208 @@
# Cascades of Tucson — Remaining Work Plan (to completion)

> Consolidated execution plan tying the open Syncro tickets to the broader migration
> workstreams (workstations -> domain, users/departments, HIPAA caregiver lockdown).
> Built 2026-06-24 (Howard) from a live AD+RMM diff. Companion to `PROJECT_STATE.md`
> and `wiki/clients/cascades-tucson.md` (current truth, compiled 2026-06-23).
> Goal: finish the migration quickly by working it as one sequenced plan.

---

## Live snapshot — domain-join inventory (2026-06-24, AD vs RMM diff)

**Domain (`cascades.local`) — joined staff workstations (12):**
ACCT2-PC, CRYSTAL-PC, DESKTOP-DLTAGOI (Sharon/LE), DESKTOP-F94M8UT, DESKTOP-H6QHRR7,
DESKTOP-N5G1ROO (Chris Knight), DESKTOP-ROK7VNM, DESKTOP-U2DHAP0 (Ashley),
ASSISTNURSE-PC, NURSESTATION-PC, RECEPTIONIST-PC, MEGAN.
(Plus infra: CS-SERVER = DC, CS-QB = QB VM. Stale AD objects to clean: DESKTOP-1ISF081 (last logon 2025-03), AZUREADSSOACC is the Seamless-SSO object — leave.)

**In RMM but NOT domain-joined — still to migrate (~17):**

| Machine | User / role | Plan |
|---|---|---|
| ASSISTMAN-PC | Meredith Kuhn (on LOCAL acct `meredithk`) | Domain-join + migrate her to `cascades\Meredith.Kuhn` |
| ANN-PC | (verify user) | Join + OU + drives |
| DESKTOP-LPOPV30 | (verify) | Join + OU + drives |
| DESKTOP-MD6UQI3 | (verify, offline) | Join + OU + drives |
| MAINTENANCE-PC | Maintenance | Join -> OU=Maintenance |
| MDIRECTOR-PC | Shelby Trozzi (MC Director) | Join -> OU=Care-Memorycare |
| MEMRECEPT-PC | MC reception (shared) | Join -> OU=Shared PCs |
| NurseAssist | (distinct from ASSISTNURSE-PC) | Join or retire-as-dupe — verify |
| SALES4-PC | Sales | Join -> OU=Marketing |
| LAPTOP-8P7HDSEI | (verify) | Join or caregiver path |
| Health-Services-Director | vs AD `HEALTH-SERVICES` | Verify dup/rename before acting |
| **CHEF-PC** | Culinary (Chef JD) | **Ticket #32254** — reinstall Windows, THEN join -> OU=Culinary |
| DESKTOP-TRCIEJA | Lupe Sanchez | EOL — **replace machine** (decision 2026-06-18), join the replacement |
| DESKTOP-KQSL232 | Lois Lane | Resistant to migration; coordinate via John Trozzi |
| CascadesProxess | Proxess access-control appliance | Likely leave un-joined — verify it's an appliance |
| Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop4 | Caregiver shared laptops | Join via the **Caregiver Devices** path (Workstream 3), not the staff path |

**OU structure (built):** `OU=Departments` -> Administrative, Marketing, Care-Assisted Living
(+ Nurses), Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Resident
Services, Transportation, Caregivers. `OU=Workstations` -> Staff PCs, Shared PCs,
`OU=Caregiver Devices` (under Staff PCs). Groups in `OU=Groups`.

---

## Workstream 1 — Workstation domain migration

**Goal:** every staff PC on `cascades.local` + GuruRMM + correct dept OU + mapped dept drives;
retire per-PC Synology Drive Client.

**Per-machine runbook** (scripts in `docs/migration/scripts/`):
1. `phase3-pre-join-verify.ps1` (OneDrive KFM unlinked, no poisoned shell folders, name OK)
2. `phase3-join-domain.ps1` -> join `cascades.local`
3. `phase3-post-join-verify.ps1`
4. Move computer object into the correct **department OU**
5. Confirm GuruRMM agent still checks in; migrate the user profile/data
6. Map department drives (Workstream 2); uninstall Synology Drive Client; delete local cache once clean
7. Log the change

**Tickets in this workstream:** #32194 (deploy spare machine for new hire — join + enroll + AD acct),
#32254 (Chef-PC reinstall then join).

### Device readiness audit (2026-06-24, live probe of 15 un-joined online machines)

| Machine | User | Edition | Readiness |
|---|---|---|---|
| DESKTOP-LPOPV30 | Karen Rossini | Win11 Pro | READY |
| MAINTENANCE-PC | Bruce Miller | Win11 Pro WS | READY |
| LAPTOP-E0STJJE8 | caregiver | Win11 Pro WS | READY (caregiver path) |
| ASSISTMAN-PC | Meredith Kuhn | Win11 Pro | pending reboot |
| ANN-PC | christina | Win11 Enterprise | pending reboot |
| Laptop2 | caregiver | Win11 Pro | pending reboot |
| CHEF-PC | Ramon Castaneda | Win11 Pro | do #32254 reinstall first |
| LAPTOP-8P7HDSEI | User | **Win10 Home** | BLOCKED: Home->Pro + OneDrive KFM ON |
| MDIRECTOR-PC | Shelby Trozzi | **Win11 Home** | BLOCKED: Home->Pro + reboot |
| MEMRECEPT-PC | memfrtdesk | **Win10 Home** | BLOCKED: Home->Pro + reboot |
| NurseAssist | Veronica | **Win11 Home** | BLOCKED: Home->Pro + KFM ON + reboot |
| SALES4-PC | Tamra (departing) | **Win11 Home** | BLOCKED: Home->Pro; Tamra leaving — repurpose? |
| LAPTOP-DRQ5L558 | caregiver | Win11 Pro WS | BLOCKED: off-network (public DNS, no DC reach) |
| DESKTOP-TRCIEJA | Lupe Sanchez | Win11 Pro | SKIP — EOL, being replaced |
| Health-Services-Director | Lois Lane | Win11 Pro WS | already domain-joined (= AD `HEALTH-SERVICES`) |

**Prep blockers / decisions (2026-06-24):**
- **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys):
LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard handling the
Home->Pro upgrades himself** (list DM'd 2026-06-24).
- **OneDrive KFM ON** (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist.
- **Pending reboots + KFM unlinks: held for onsite** (Howard) — disruptive to clear remotely.
- **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) —
must be on-site/on-LAN before any join.
- Note: the legacy `phase3-pre-join-verify.ps1` hardcodes the DC at `192.168.2.254`; clients
actually reach it at `192.168.2.248` (the `.254` NIC is the Hyper-V vEthernet and does not
cleanly serve domain SMB) — update the script's target before reuse.
- Pro/Enterprise + internal machines are READY to join once reboots are cleared onsite:
DESKTOP-LPOPV30, MAINTENANCE-PC, ASSISTMAN-PC, ANN-PC, LAPTOP-E0STJJE8, Laptop2 (+ CHEF-PC after #32254).

---

## Workstream 2 — Users, departments & file-share access

**Goal:** every user in the right OU + `SG-*-RW` group; department drives mapped per the
access matrix; Synology retired as primary.

- Shares already created on CS-SERVER (`D:\Shares\...`): Management, Sales/SalesDept, Server,
Accounting, Culinary, Activities, directoryshare, IT, Receptionist, **Executive (NEW — Ashley+Meredith)**.
Confirm ALdocs/WebDocs/LifeEnrichment exist + NTFS per the matrix.
- Populate `SG-*-RW` groups per `docs/migration/share-access-matrix-2026-04-23.md`.
- Map dept drives per user via GPP/logon script (Receptionist drive = machine+user scoped, Tower desk only).
- **Close out the matrix open questions** (per-user interviews): Lois Lane, Karen Rossini, Susan Hicks,
John Trozzi, Lupe Sanchez, Shelby Trozzi, Matt Brooks, Christine Nyanzunda; `pacs`/Clinical-PHI
create-or-retire; `web` retire.

**Tickets:** #32193 (Executive restricted share — **DONE 2026-06-24**, E: mapped both machines),
#32230 (Karen Rossini -> ALDOCS on Synology — **recheck when she's in**, she was out 2026-06-24).

---

## Workstream 3 — HIPAA caregiver lockdown — GO-LIVE (highest value, mostly built)

Everything is built + validated on the pilot (NURSESTATION + pilot.test). Go-live = flip from
test scope to real caregivers, one device at a time. (Detail: wiki "Entra Access Architecture".)

1. Swap GPO `CSC - Caregiver Workstation` security filter `SG-Caregivers-Test` -> `SG-Caregivers`.
2. CA allow-list policy `1b7fd025`: test group `SG-Caregivers-DeviceTest` -> `SG-Caregivers`; disable the compliance-block policy `ede985e2`.
3. Move each caregiver machine into `OU=Caregiver Devices` + `SG-PC-MainTower`/`SG-PC-MemoryCare`
one at a time: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC (+ verify NurseAssist/Laptop4).
4. ALIS email-match the 38 caregivers + medtechs (ALIS staff Email = Entra UPN); turn off ALIS-native 2FA per user.
5. Lower ALIS app session timeout 20 -> 15 min (Howard, ALIS admin).
6. **Reboot NURSESTATION-PC** to activate + verify the device-lockdown GPO (lock @3min, 90s warn, sign-out @15min).

---

## Workstream 4 — M365

- **Relicense 31 users Business Standard -> Business Premium** (Standard is SUSPENDED — time-sensitive).
- Create break-glass accounts (`breakglass1/2-csc@`) + enroll FIDO2 YubiKeys.
- Build audit retention (Log Analytics 90d + Storage 6yr) in `rg-audit-cascadestucson`.

---

## Workstream 5 — Server / infrastructure

- **Verify cloud backup** (MSP360 -> ACG-backup) first full completed + set retention. [GATE for RAID work]
- **CS-SERVER degraded OS RAID-1** -> replace with 2x 480 GB enterprise SATA SSD (gate on backup verified). Real fix = DC migration off the 16-yr-old R610.
- Clean up old-MSP agent sprawl (Datto RMM/CentraStage + Datto EDR/Infocyte) thrashing the spindle.
- Synology -> backup-only (Team Folder migration of the real shares; close the workgroup/Kerberos quirk).
- Rotate the Synology signin-portal credential (was committed plaintext historically).

---

## Workstream 6 — Network (mostly complete)

- **CSC ENT device-island consolidation (phones + Helpany on 5 GHz)** — repurpose CSC ENT as a
**5 GHz-only WPA2 PPSK** SSID and consolidate BOTH the Poly voice handsets (-> VLAN 30) and the
Helpany "Paul" radar sensors (-> new VLAN 40) onto it, separated at the VLAN layer. Gets both
off congested 2.4 GHz; keeps WPA2-only gear isolated so CSCNet can later move to WPA3/WiFi7/6GHz.
Supersedes the standalone "Voice 5 GHz lock" item below and the earlier "delete CSC ENT" idea
(deleting it would orphan the Pauls). Both vendors can move their devices remotely once we
provide the network. **Onsite gate: verify per-room 5 GHz coverage before the band flip**
(steel walls; weak-5GHz devices stay on 2.4). Full design + sequence:
`docs/network/csc-ent-device-island-plan.md`.
- Build VLAN 40 (Helpany, egress-only to `*.sedimentum.com` + snapcraft/ubuntu) on pfSense.
- Enable PPSK on CSC ENT: key `Ftfd85710#` -> VLAN 40 (Pauls keep SSID+key, not reprogrammed);
new voice key -> VLAN 30 (phones re-pointed by Howard/Richard).
- Flip CSC ENT to 5 GHz-only (`apply-wlan.sh ... bands 5g`) in a coordinated window; pilot a few
phones + Pauls, then full rollout.
- Helpany = Sandro Cilurzo / Eugenie Nicoud; Poly = Richard Turner (Vertical).
- **#32319** WiFi Room 343 — relocate a floor-2/4 AP for coverage (unifi-wifi skill, site `va6iba3v`).
- **#32342** Copy Room switch — install + adopt into UniFi.
- ~25 switch ports linked at 100 Mbps but gig-capable (cabling/NIC sweep).
- *(Superseded)* Voice 5 GHz lock — now folded into the CSC ENT consolidation above (single
dedicated 5 GHz network for phones + sensors, not just a phone-side band lock).

---

## Workstream 7 — Onsite peripheral

- **#32370** eFax setup (Karen & Christin) + portable scanner on both machines.

---

## Suggested sequence (fastest path)

1. **Today's onsite batch (Howard, on-site):** #32342 (Copy Room switch), #32319 (Room 343 AP),
#32370 (eFax + scanner), #32194 (spare machine for new hire), #32254 (Chef-PC reinstall+join);
#32230 (Karen -> ALDOCS) once she's in. **While onsite: verify per-room 5 GHz coverage** for the
CSC ENT device-island consolidation (Workstream 6) so the band flip can be scheduled with the
vendors.
2. **Caregiver lockdown go-live** (Workstream 3) — remote, highest HIPAA value, just needs the flip + per-device moves.
3. **M365 relicense 31 users** (Workstream 4) — time-sensitive.
4. **Backup verify -> RAID replacement** (Workstream 5) — critical single-DC risk.
5. **Remaining staff domain joins + dept drives** (Workstreams 1+2) — batch the ~17 un-joined PCs, OU + drives per machine.
6. Network tail (Vertical 5 GHz, 100 Mbps ports) + M365 break-glass/audit retention.

---

## Open Syncro tickets -> workstream map

| Ticket | Workstream | Status |
|---|---|---|
| #32193 Executive restricted share | 2 | **DONE 2026-06-24** (E: both machines, billed 0.5h block) |
| #32194 spare machine for new hire | 1 | Open — onsite |
| #32230 Karen -> ALDOCS | 2 | Open — recheck when she's in |
| #32254 Chef-PC reinstall | 1 | Open — onsite (then domain-join) |
| #32319 WiFi Room 343 | 6 | Open — onsite |
| #32342 Copy Room switch | 6 | Open — onsite |
| #32370 eFax + scanner | 7 | Open — onsite |
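Review bot: the Workstream 6 item "Enable PPSK on CSC ENT: key `Ftfd85710#` -> VLAN 40" commits a live Wi-Fi PSK in plaintext to a planning document, in the same file whose Workstream 5 list flags a Synology credential for rotation because it "was committed plaintext historically"; replace the literal with a vault reference (the companion plan names `clients/cascades-tucson/wifi-cscnet`) so this key does not end up on the same rotation list. Separately, the per-machine runbook's step 1 lists `phase3-pre-join-verify.ps1` with no hint of the caveat given later under prep blockers, that the script hardcodes the DC at `192.168.2.254` while clients actually reach it at `192.168.2.248`; put that note on the step itself so the target is corrected before the first join rather than rediscovered mid-runbook.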
@@ -0,0 +1,149 @@
# Cascades — CSC ENT Device-Island Consolidation (Phones + Helpany on 5 GHz)

> **Decision (2026-06-24, Howard + Mike):** Repurpose the existing **CSC ENT** SSID as the
> permanent **WPA2 / 5 GHz-only device island** and consolidate BOTH the Poly voice handsets
> and the Helpany "Paul" sensors onto it, separated at the VLAN layer via Private PSK (PPSK).
> This gets both device classes off congested 2.4 GHz, keeps the WPA2-only gear on its own
> network, and clears the path to eventually move **CSCNet** to WPA3 / WiFi 7 / 6 GHz.
>
> Companion to `network-optimization-master-plan.md`, `voice-vlan-cutover.md`,
> `2026-06-19-vertical-5ghz-lock-request.md`, and `docs/REMAINING-WORK-PLAN.md` (Workstream 6).

---

## Why (background)

Two separate vendor threads converged on the **same** fix — a dedicated 5 GHz SSID:

- **Poly voice handsets (Vertical / Richard Turner):** several Polys sit on saturated 2.4 GHz
despite excellent 5 GHz signal; UniFi band steering (`no2ghz_oui`, already ON) does **not**
hold the Poly OUI (`48:25:67`) on 5 GHz. Richard (2026-06-24): phones can't be statically
pinned to a band; Poly recommends a **separate 5 GHz SSID** for the phones (or disabling band
steering on a shared SSID so the phone targets 5 GHz itself). See
`2026-06-19-vertical-5ghz-lock-request.md`.
- **Helpany "Paul" sensors (Sandro Cilurzo / Eugenie Nicoud):** the room devices are **radar
fall/motion sensors** (Sedimentum backend — *no camera, no microphone*), currently programmed
onto **CSC ENT** (WPA2, key `Ftfd85710#`) and landing on 2.4 GHz. Per Sandro (email
2026-06-19): *"Do you have a dedicated 5 GHz network with a separate SSID? If so we can
remotely transition the Paul devices to that network... we'd need the SSID and password... if
5 GHz is not available or the signal is not strong enough, the devices default to 2.4 GHz."*
Helpany's engineering performs the band transition **remotely** once we provide the network.

CSC ENT was **deliberately kept as a WPA2 WiFi5 island** by Mike back in March 2026 precisely so
the WPA2-only Helpany gear had a home while CSCNet moves to newer standards (*"CSCNet is slated
to be converted to WiFi7 and will not be compatible with their devices — CSC ENT will remain
WiFi5 and is the correct network for them to use."*). This plan formalizes and extends that role.

---

## Hard constraints (vendor-stated)

- **Helpany is WPA2-only** — explicitly **NOT** WPA3 or hybrid WPA2/WPA3 (*"we don't support
hybrid, only WPA2"*). The device SSID must stay WPA2-PSK.
- **5 GHz has shorter range** than 2.4 GHz. Both vendors warn: a device with weak 5 GHz signal
will fall back to 2.4 GHz or be orphaned. **Per-room 5 GHz coverage must be verified before
transitioning** (Cascades is 6 floors with steel hallway walls). Leave any weak-signal device
on 2.4 rather than force it.
- **Reprogramming is painful on Helpany's side** — they can't reach offline devices, and key
rotations need **72 h notice + the new key**. The SSID/password must be right and stable.
- **Helpany bandwidth is negligible:** < 0.04 Mbps per Paul device; whole fleet ~0.38 Mbps low /
0.75 avg / **1.35 Mbps peak** (peaks ~11:00 AM & 7:00 PM). No capacity threat to voice.

---

## Target design

Repurpose CSC ENT; **no new SSID** (Pauls keep their current SSID + key, so they are NOT
reprogrammed — only band-moved by Helpany).

| Network | Band / Security | Mechanism | Clients | VLAN |
|---|---|---|---|---|
| **CSC ENT** (repurposed) | **5 GHz-only, WPA2-PSK** | **PPSK** | Poly voice handsets | **VLAN 30** (existing voice, keep) |
| | | | Helpany Paul sensors | **VLAN 40** (new, sensors) |
| **CSCNet** | 2.4 + 5 GHz, WPA2 (today) | PPSK (per-room) | residents + staff IoT/TVs | per-room VLANs (unchanged) |
| **Guest** | 2.4 + 5 GHz, WPA2 | — | guests | VLAN 50 (unchanged) |

**PPSK key map on CSC ENT:**
- Existing key `Ftfd85710#` -> **VLAN 40** (Helpany). Pauls keep SSID + password unchanged.
- New voice key -> **VLAN 30** (phones). Howard/Richard re-point the Polys to this key.

**Only structural change to CSC ENT itself:** flip `wlan_bands` from `[2g,5g]` to `[5g]` and
enable PPSK. The band flip is the step requiring vendor coordination + the coverage check.

### New VLAN 40 (Helpany sensors) — egress-only, isolated like VLAN 30
Mirror the Voice VLAN 30 isolation model: internet/cloud egress only; firewalled off PHI, main
LAN, voice, and resident VLANs (HIPAA). Required outbound destinations (Helpany / Sedimentum,
Ubuntu/snap based):

| Port | Proto | Destinations |
|---|---|---|
| 5671 | AMQPS (SSL) | `*.sedimentum.com` |
| 8883 | MQTT | `*.sedimentum.com` |
| 8030 | HTTP | `*.sedimentum.com` |
| 443 | HTTPS | `*.sedimentum.com`, `snapcraft.io`, `api.snapcraft.io`, `public.apps.ubuntu.com`, `fastly.cdn.snapcraft.io` |

(VLAN 40 = proposed; confirm it is free on pfSense/UniFi before use. Existing VLANs: 1, 20, 30,
50, 999, room VLANs 101-631; "CSC Internal Network" VLAN 10 is a suspected orphan to verify.)

### Why this shape
- **One SSID via PPSK** = minimal beacon airtime on a dense 77-AP site (vs. two separate SSIDs).
- **Pauls not reprogrammed** — same SSID + key, only a remote band move.
- **VLAN separation** keeps voice QoS (DSCP EF) and HIPAA isolation intact; sensor data never
mixes with voice.
- CSC ENT stays the **WPA2 island**, so a future CSCNet WPA3 migration doesn't touch this gear.

---

## Execution sequence

1. **Build VLAN 40** on pfSense (igc1.40, DHCP scope, DNS) + firewall egress rules above; mirror
VLAN 30 isolation.
2. **Enable PPSK on CSC ENT**; add keys: `Ftfd85710#` -> VLAN 40, new voice key -> VLAN 30.
3. **[ONSITE GATE] Verify 5 GHz coverage** in the rooms where Pauls + phones live (per-floor,
account for steel walls). Use `unifi-wifi` skill (`live-stats.sh --clients`, `watch-ap.sh`).
4. **Flip CSC ENT to 5 GHz-only** (`apply-wlan.sh <site> bands 5g --wlan <CSC ENT>`), coordinated
with both vendors during a change window.
5. **Vendors transition their devices:**
- **Helpany** remotely moves the Pauls to 5 GHz (we hand them: SSID `CSC ENT`, key
`Ftfd85710#` — unchanged; they confirm strong 2.4 signal per-device first).
- **Poly/Vertical** (Richard) — phones re-pointed to CSC ENT + the new voice key. Howard can
do the phone-side SSID change directly.
6. **Pilot first:** move 2-3 phones + bring up a few Pauls on 5 GHz; verify association +
stability before the full fleet.
7. **Full rollout** of remaining phones + Pauls.
8. **(Optional cleanup)** investigate the stray `element-5b32...` SSID on the controller and the
orphan "CSC Internal Network" VLAN 10; remove if unused (more airtime/clarity back).

**We do NOT delete CSC ENT** — it becomes the permanent device island. (Supersedes the earlier
"delete CSC ENT" idea, which would have orphaned the Pauls.)

---

## Future (separate project) — CSCNet -> WPA3 / WiFi 7 / 6 GHz

- WiFi 7 on 2.4/5 GHz already works on WPA2 (U7-Pro APs). The thing WPA3 unlocks is the **6 GHz
band** (6 GHz mandates WPA3 + PMF) — the largest untapped clean capacity at the site.
- Moving phones + Pauls onto CSC ENT is a **prerequisite**, but the real blocker for CSCNet -> WPA3
is the **~230 resident PPSK clients** (TVs / legacy IoT, many 2.4-only / WPA2-only). That
migration needs its own resident-device impact survey and is **not** gated by the voice/sensor
gear.

---

## Vendor contacts
- **Poly / Vertical:** Richard Turner <RTurner@vertical.com>
- **Helpany:** Sandro Cilurzo (CEO) <sandro.cilurzo@helpany.com>; Eugenie Nicoud (COO)
<eugenie.nicoud@helpany.com>
- **Facility liaison:** John Trozzi (Facilities Director) <john.trozzi@cascadestucson.com>

## Credentials
- **CSC ENT / CSCNet WPA2 key:** `Ftfd85710#` (vault: `clients/cascades-tucson/wifi-cscnet`;
confirm a CSC-ENT-specific entry exists or add `clients/cascades-tucson/wifi-csc-ent`).
- **New voice PPSK key (VLAN 30):** to be generated + vaulted at
`clients/cascades-tucson/wifi-voice-ppsk` when created.

## Open items / decisions
1. Confirm VLAN 40 is free (and whether VLAN 10 "CSC Internal Network" is an orphan to reclaim).
2. PPSK-on-one-SSID (recommended) vs. two separate 5 GHz SSIDs — confirm approach.
3. Schedule the coordinated change window with Poly/Vertical + Helpany.
4. Per-room 5 GHz coverage verification (onsite) — the gating task.
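Review bot: step 5's Helpany bullet says "they confirm strong 2.4 signal per-device first", but the Hard constraints section, the onsite gate in step 3 and Sandro's own quote ("if 5 GHz is not available or the signal is not strong enough, the devices default to 2.4 GHz") all make 5 GHz signal the precondition for the band move; a device that only has strong 2.4 signal is exactly the one that gets orphaned, so this should read 5 GHz or say what the 2.4 check is for. Second, the `## Credentials` section restates the PSK `Ftfd85710#` in cleartext (it also appears in the background, the key map, step 2 and step 5) while the same bullet already names the vault path `clients/cascades-tucson/wifi-cscnet`; keep only the vault reference and point the other occurrences at it, which also sets the pattern for the voice key so it never lands in this file once generated. Last, the VLAN 40 egress table lists `*.sedimentum.com` as a destination; a wildcard is not something a firewall rule can match by itself, so get the concrete hostnames (or an address list) from Helpany before step 1 writes the pfSense rules, otherwise the "egress-only" promise turns into a broader allow than intended.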
@@ -4,7 +4,7 @@
| SSID | Network Assignment | AP Group | Bands | Security | Purpose |
|------|-------------------|----------|-------|----------|---------|
| **CSCNet** | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. |
| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi — many machines still on this SSID. Must keep functional (LAN access to servers/printers) until all devices migrate to CSCNet (INTERNAL VLAN). Remove after migration complete. |
| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi + the WPA2 island for WPA2-only devices (Helpany "Paul" sensors, key `Ftfd85710#`). **PLANNED (2026-06-24): repurpose as the 5 GHz-only WPA2 PPSK device island** — phones -> VLAN 30, Helpany -> VLAN 40. **Do NOT delete** (would orphan the Pauls). See `csc-ent-device-island-plan.md`. |
| **Guest** | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) |

## UniFi Network Definitions
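Review bot: the new CSC ENT row drops the old row's operational caveat ("many machines still on this SSID. Must keep functional (LAN access to servers/printers) until all devices migrate to CSCNet") without anything in the diff recording that those staff machines have moved, yet the Network Assignment column still says Native Network (Default LAN, 192.168.0.0/22); once the SSID becomes 5 GHz-only PPSK with keys mapped to VLAN 30/40, a staff laptop still on it either loses LAN access or, if the default-LAN assignment is left in place, sits on the server network alongside the sensors, which is the isolation the plan is trying to create. Keep the caveat and add "migrate remaining staff clients off CSC ENT" as a gate for the repurpose. The row also carries the PSK `Ftfd85710#` in a wiki table; a vault reference is enough here.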
@@ -46,8 +46,12 @@ WPA3 is not enabled on any SSID. WPA2 is acceptable but WPA3-transitional mode w

**Fix:** Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See `security/hipaa.md`.

### 5. No Band Steering or Separate SSIDs (Low)
All SSIDs broadcast on both 2.4 and 5 GHz. Band steering should be enabled (if not already) to push capable devices to 5 GHz for better performance, especially in high-density areas like the Dining Room.
### 5. No Band Steering or Separate SSIDs (Low) — being addressed
Band steering (`no2ghz_oui`) is in fact ON on CSCNet/CSC ENT/Guest, but it does **not** reliably
hold the Poly voice OUI (`48:25:67`) or the Helpany sensors on 5 GHz — they land on congested 2.4.
**Fix in progress (2026-06-24):** rather than rely on steering, give the voice + sensor devices a
dedicated **5 GHz-only WPA2 SSID** by repurposing CSC ENT (PPSK -> VLAN 30 phones / VLAN 40 Helpany).
Full plan: `csc-ent-device-island-plan.md`.

## Migration Plan — WiFi Changes (Phase 1.1)
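Review bot: the hunk's context line still carries the document's recommendation that WPA3-transitional mode be enabled, while the new finding text commits CSC ENT to a dedicated WPA2 SSID for WPA2-only sensor and phone gear; amend that WPA3 recommendation to exclude CSC ENT (the companion plan quotes Helpany as not supporting WPA2/WPA3 hybrid), otherwise the two findings in the same section contradict each other. The finding's title also keeps "No Band Steering" although the new body states band steering is ON; retitle it to what is actually wrong (steering does not hold the Poly OUI or the sensors on 5 GHz) so the finding number and its text match.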
@@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·

<!-- Append entries below this line -->

2026-06-24 | Howard-Home | process/client-deliverables | [correction] did not gate outbound client/vendor deliverables through the impeccable skill; rule: run impeccable on anything sent externally

2026-06-24 | Howard-Home | syncro/ticket-create | [correction] created #32193/#32194 with priority 'Normal' instead of Syncro's canonical number-prefixed '2 Normal'; the value did not match the priority dropdown so it displayed blank (Winter flagged it). Always set priority as 'N Name' (e.g. '2 Normal','4 Urgent') AND a valid problem_type (Onsite/Remote/etc.) on every ticket create via the syncro skill. [ctx: ref=syncro-skill priority-format]

2026-06-24 | Howard-Home | rmm/dispatch | [friction] UNC double-backslash in heredoc+jq RMM command got mangled to single backslash (cs-server -> cs-server), causing net use error 67 and net-use hangs that looked like a missing/broken share; single-backslash local paths (D:Shares) were unaffected. Fix: build UNC from [char]92 at runtime ($bs=[char]92; $unc="{0}{0}server{0}share" -f $bs) so no literal backslash traverses the dispatch chain. [ctx: ref=feedback_windows_quote_stripping]
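Review bot: the `rmm/dispatch` entry's own illustration has been mangled by the problem it describes: `cs-server -> cs-server` and `D:Shares` have lost their backslashes, so the before/after is unreadable to the next person (it should show the double-backslash UNC collapsing to a single one, and `D:` followed by a backslash and `Shares`). Wrap the examples in backticks or describe them in words ("double backslash became single") so the log line survives whatever stripped them; the `[char]92` workaround and the `$unc="{0}{0}server{0}share" -f $bs` snippet are fine and worth keeping as the reference fix.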
@@ -2,7 +2,7 @@
type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-06-23
last_compiled: 2026-06-24
compiled_by: HOWARD-HOME/claude-main
sources:
- session-logs/2026-03-24-session.md
@@ -88,6 +88,8 @@ sources:
|
||||
- clients/cascades-tucson/docs/network/2026-06-19-vertical-5ghz-lock-request.md
|
||||
- clients/cascades-tucson/docs/runbooks/2026-06-23-planned-power-outage.md
|
||||
- clients/cascades-tucson/session-logs/2026-06/2026-06-23-howard-cascades-planned-outage-shutdown-verify.md
|
||||
- clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-ticket-review-and-cascades-consolidation.md
- clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md
backlinks:
- projects/gururmm
- wiki/systems/uos-server
@@ -155,10 +157,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- Lupe Sanchez -- staff (DESKTOP-TRCIEJA). EOL workstation (Gateway ZX6971 AIO, i3-2120, 8 GB RAM, Win11 unsupported). **Decision 2026-06-18: replace machine** (dual-AV + EOL hardware causing slow Excel; no remediation on current box). GuruRMM agent `c9bf1a2d-bfdc-401e-9cc8-f9e90bb19587` (resolve live by hostname; UUIDs change on re-enroll).
- **Syncro contact emails (authoritative):** ashley.jensen@, jd.martin@, crystal.rodriguez@, John.trozzi@, meredith.kuhn@, accounting@/accountingassistant@cascadestucson.com.
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** **48.75 hrs as of 2026-06-23 (live Syncro -- unchanged since 2026-06-20; the 2026-06-23 planned outage is monitoring, not yet billed).** Most recent draw: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing.
- **Hours remaining:** **48.25 hrs as of 2026-06-24 (live Syncro).** Most recent draw: 0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25). Prior: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing.
- **Syncro customer ID:** 20149445
- **Managed devices (Syncro):** 29 (live 2026-06-23)
- **Active tickets:** 0 open Syncro tickets as of 2026-06-23. See Active Work for open non-ticketed projects.
- **Active tickets:** 6 open Syncro tickets as of 2026-06-24 (#32194 spare machine, #32230 Karen->ALDOCS, #32254 Chef-PC reinstall, #32319 WiFi rm343, #32342 Copy Room switch, #32370 eFax+scanner) -- all folded into `docs/REMAINING-WORK-PLAN.md`. See Active Work for open non-ticketed projects.
- #110680053 / #32303 -- Entra / domain migration project. Status: **Invoiced** as of 2026-06-05. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- #109412123 -- Entra setup project (verify status)
- #32403 -- Meredith locked Word doc (0.5h remote, billed 2026-06-10, Invoiced)
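Review bot: the `Managed devices (Syncro): 29 (live 2026-06-23)` context line is left at the old date while the hours and active-tickets lines on either side of it are advanced to 2026-06-24, and this same commit's compilation notes say the device count was re-verified live on 2026-06-24 (48.25 hrs / 29 devices / 6 open tickets). Advance the "live" date on that line too, otherwise the profile presents two different verification dates for figures that were pulled together, and the "always live-check" rule on the hours line is undercut by a stale stamp next to it.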
@@ -234,11 +236,13 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **AP 108 (Floor 1) offline** pending a new cable run. Stale duplicate controller object ("108" vs "108U7 Pro") to clean up separately.
- **VoIP (vendor: Vertical -- Richard Turner <RTurner@vertical.com>):** Two phone fleets -- **8 AudioCodes** (OUI `00:90:8f`, WIRED on USW-16-PoE ports 1-8, externally powered / PoE OFF) and **Poly** (OUI `48:25:67`, WiFi via CSCNet PPSK) -- **28 active** (29 re-keyed 2026-06-19, 1 removed bad). **All on VOICE VLAN 30: 28 Poly + 8 AudioCodes (`.224-.231`) + Vertical desktop (`.201`) = 37 devices.** Phones mark **DSCP EF (46)**. **[2026-06-19 hardware change] John (Trozzi) reported the Kitchen server phone (`48:25:67:64:95:7a`) BAD and pulled it; the Bistro phone (`.236`, `48:25:67:64:94:84`) was relocated to the Kitchen to cover it -- so the BISTRO now has NO phone (replacement pending, set up + re-key when it arrives).** (Verify VLAN via the client `vlan` field, NOT the cached display IP.) The **Vertical-Remote management desktop** (`10.0.30.201`, MAC `e4:e7:49:52:3a:06`, WIRED USW-16-PoE port 16, VOICE VLAN 30, **DHCP** -- confirmed not static, LogMeIn remote access, no pfSense OpenVPN) is live on VLAN 30. No on-prem SIP PBX found -> phones appear to register to a **cloud/hosted PBX** (Vertical).
- **[2026-06-19 COMPLETE] Voice VLAN (VLAN 30) consolidation:** dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30, DHCP `.100-.250`, DNS `8.8.8.8/1.1.1.1`)** holding ALL phones + the Vertical desktop; internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA). Voice PPSK key on CSCNet -> VOICE: vaulted `clients/cascades-tucson/wifi-voice-ppsk`. **Migration COMPLETE 2026-06-19: 37 devices on VOICE.** Live inventory: `docs/network/voice-phone-inventory.md`.
- **Quality caveat + the actual fix (2026-06-19):** the VLAN move does NOT by itself fix call quality. Per-phone re-look found residual dropped-calls are a **band-selection problem, not RF/coverage** -- several Poly handsets sit on saturated 2.4 GHz despite EXCELLENT 5 GHz-capable signal (-50 to -60 dBm, 36-96% retry), and controller band-steering (`no2ghz_oui`, already ON) is NOT holding the Poly OUI on 5 GHz. **The fix is phone-side: set the Poly handsets to 5 GHz-only via Vertical** -- request sent to Richard Turner 2026-06-19 (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), **awaiting Vertical**. Once pushed: clean voice VLAN + clean 5 GHz band = calls closed out.
- **Quality caveat + the actual fix (2026-06-19):** the VLAN move does NOT by itself fix call quality. Per-phone re-look found residual dropped-calls are a **band-selection problem, not RF/coverage** -- several Poly handsets sit on saturated 2.4 GHz despite EXCELLENT 5 GHz-capable signal (-50 to -60 dBm, 36-96% retry), and controller band-steering (`no2ghz_oui`, already ON) is NOT holding the Poly OUI on 5 GHz. **The fix is a dedicated 5 GHz network, not phone-side band pinning** -- Richard Turner (Vertical/Poly, 2026-06-24) confirmed Poly phones **cannot** be statically assigned to a band; Poly recommends a **separate 5 GHz SSID** (or disabling band steering on a shared SSID).
- **[PLAN 2026-06-24] CSC ENT device-island consolidation** (Howard + Mike): the phone 5 GHz fix is now merged with the Helpany sensor rollout into one plan -- **repurpose the existing CSC ENT SSID as a 5 GHz-only WPA2 PPSK "device island"** carrying BOTH the Poly voice handsets (PPSK key -> VLAN 30) and the Helpany "Paul" radar sensors (PPSK key -> new VLAN 40), separated at the VLAN layer. Both vendors transition their devices remotely once we hand them the network. Helpany is **WPA2-only** (no WPA3/hybrid) and the Pauls are already on CSC ENT (key `Ftfd85710#`), so they are **not reprogrammed** -- only band-moved; the phones get a new voice key. **Onsite gate:** verify per-room 5 GHz coverage before the band flip (steel walls; weak-5 GHz devices stay on 2.4 per both vendors' warning). **CSC ENT is NOT deleted** -- it becomes the permanent WPA2 island, which is the prerequisite that later lets **CSCNet** move to WPA3/WiFi7/6 GHz (that step is separately gated by the ~230 resident 2.4-only/WPA2-only IoT clients, NOT by the voice/sensor gear). Full design + sequence: `docs/network/csc-ent-device-island-plan.md`; folded into `docs/REMAINING-WORK-PLAN.md` Workstream 6.
- **Full runbook:** `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`. Voice-quality diagnostic: `reports/2026-06-18-voice-quality-diagnostic.md`. Holistic optimization plan: `docs/network/network-optimization-master-plan.md`; voice QoS design: `docs/network/phase1-voice-qos-design.md`.
### External Vendors & Mail Senders
- **Helpany (resident safety sensors -- Sandro Cilurzo CEO / Eugenie Nicoud COO):** "Paul" devices are **ceiling-mounted radar fall/motion sensors** (Sedimentum backend) -- **no camera, no microphone** (despite being colloquially called "IR cameras"). WiFi: **WPA2-only, NOT WPA3/hybrid**; 5 GHz-capable. Currently on SSID **CSC ENT** (key `Ftfd85710#`), being moved to 5 GHz (see CSC ENT device-island plan in the VoIP/network section). Bandwidth negligible: <0.04 Mbps/device, fleet peak ~1.35 Mbps. Egress to `*.sedimentum.com` (5671 AMQPS, 8883 MQTT, 8030 HTTP, 443) + snapcraft/ubuntu (443). Helpany transitions devices **remotely** (engineering); key rotation needs **72 h notice + new key**; reprogramming offline devices is hard. Rolled out floor-by-floor from 2026-06 (first shipment floors 1-2). Caregiver-facing app = app.safe-living.com (branded "Helpany"). Facility liaison: John Trozzi.
- **bill.com (BILL):** Sends from `inform.bill.com`, `hq.bill.com`, `hello.bill.com`, `mc.bill.com`. MX via pphosted.com (Proofpoint). Confirmed delivering successfully to meredith.kuhn, ashley.jensen, lauren.hasselman, zachary.nelson as of 2026-06-04. Safe sender: `account-services@inform.bill.com`.
- **BOK Financial:** Sends from `bokfinancial.com`. MX via pphosted.com (Proofpoint). DMARC p=reject. Zero emails to any cascadestucson.com user in 90-day history as of 2026-06-04 (likely wrong recipient address on BOK's side for the accounts in question).
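Review bot: the CSC ENT WPA2 key is written in clear text twice in this hunk, once in the `[PLAN 2026-06-24] CSC ENT device-island consolidation` bullet and again in the Helpany vendor entry, while the voice PPSK two lines up is handled correctly: `Voice PPSK key on CSCNet -> VOICE: vaulted clients/cascades-tucson/wifi-voice-ppsk`. This profile is auto-synced between machines and summarised into the wiki index, so the key belongs in the vault with a path reference here; and because the plan makes CSC ENT the permanent WPA2 island for both the phones and the VLAN 40 sensors, that key becomes a long-lived credential for two device networks rather than a temporary one. Second, the plan bullet creates VLAN 40 for the Helpany sensors but states no egress policy for it, whereas the VOICE bullet is explicit ("internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA)"); the Helpany entry already lists the destinations (`*.sedimentum.com` 5671/8883/8030/443 plus snapcraft/ubuntu 443), so record the matching allow-list and inter-VLAN deny for VLAN 40 in the plan, and flag that 8030 is plain HTTP when the rule set is written.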
@@ -334,6 +338,7 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
- **Brother MFC-L8900CDW "Business Office" printer (10.0.20.220) -- Scan-to-Network profile (working 2026-06-09):** Network Folder Path `\\192.168.2.254\AcctDept\Scans`; **Auth Method NTLMv2** (not Auto/Kerberos -- printer can't KDC across VLAN); Username `cascades\svc-scan`; PDF Multi-Page.
- **[NETWORK] CS-SERVER cannot reach the VLAN-20 printers** -- main-LAN `192.168.2.x` -> VLAN 20 `10.0.20.x` is blocked at pfSense. Use a VLAN-20 PC's browser or go onsite. The reverse (printer -> CS-SERVER:445) **is** open.
- **Persistent drive maps to `\\cs-server\AcctDept`:** Chris (DESKTOP-N5G1ROO) Y:, Zachary (ACCT2-PC) Y:, Lauren (DESKTOP-H6QHRR7) X:.
- **Executive restricted share (built 2026-06-24, ticket #32193):** `D:\Shares\Executive` on CS-SERVER, shared as **`\\cs-server\Executive`**; inheritance broken; SYSTEM / BUILTIN\Administrators = Full; `CASCADES\Ashley.Jensen` + `CASCADES\Meredith.Kuhn` = Modify (no Everyone); share-access limited to the same two + Admins. Mapped persistent `E:` on DESKTOP-U2DHAP0 (Ashley) and ASSISTMAN-PC (Meredith), RW-verified. NOTE: clients reach CS-SERVER SMB at **192.168.2.248** (registered DNS / Ethernet idx16), NOT the .254 Hyper-V vEthernet NIC -- the `phase3-pre-join-verify.ps1` hardcodes .254 and should be updated. RMM dispatch gotcha: build UNC from `[char]92` (heredoc+jq eats `\\`->`\`); surface a remotely-mapped drive in the user's running Explorer with `SHChangeNotify(SHCNE_DRIVEADD)` in their session.
### Synology NAS (cascadesDS) / Shared File Access
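Review bot: the Executive restricted share entry records only a positive test (E: mapped on both machines, RW-verified) and no negative one; for a share whose purpose is exclusion, the check that matters is that a non-member domain account is refused at both the share and NTFS layers, so capture that denial (and the effective `Get-SmbShareAccess` / `Get-Acl` output) next to the RW result. "No Everyone" describes the ACE list as written, not what a third user actually gets, and the entry says nothing about CREATOR OWNER or whether the two Modify grants apply to "this folder, subfolders and files". Also, "the `phase3-pre-join-verify.ps1` hardcodes .254 and should be updated" is a to-do buried in a profile bullet; the same commit states that every open item is folded into `docs/REMAINING-WORK-PLAN.md`, so either map it to a workstream there or fix the script in this change.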
@@ -441,7 +446,19 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing
## Active Work
Syncro live pull 2026-06-20: **0 open tickets.**
> **Canonical remaining-work plan: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live
> AD+RMM domain-join diff). 7 sequenced workstreams + every open ticket mapped to one. Work from it.
Syncro live pull 2026-06-24: **6 open tickets** -- #32194 (spare machine for new hire), #32230
(Karen Rossini -> ALDOCS, recheck when she's in), #32254 (Chef-PC reinstall), #32319 (WiFi Room 343),
#32342 (Copy Room switch), #32370 (eFax + scanner). #32193 (Executive restricted share) closed/billed 2026-06-24.
**Device-readiness for domain migration (2026-06-24 live audit, 15 un-joined online machines):**
- **READY to join** (Pro/Enterprise, internal): DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce), LAPTOP-E0STJJE8; after a reboot: ASSISTMAN-PC (Meredith), ANN-PC, Laptop2; CHEF-PC after #32254.
- **BLOCKED -- Windows Home (cannot domain-join until Pro):** LAPTOP-8P7HDSEI, MDIRECTOR-PC (Shelby), MEMRECEPT-PC, NurseAssist (Veronica), SALES4-PC (Tamra, departing). **Howard handling the Home->Pro upgrades** (list DM'd 2026-06-24).
- **OneDrive KFM ON** (unlink before folder-redirect): LAPTOP-8P7HDSEI, NurseAssist. **Pending reboots + KFM held for onsite.**
- **LAPTOP-DRQ5L558** is off the Cascades LAN (public DNS, no DC reach) -- get on-site before join.
- **Decision 2026-06-24:** caregivers stay TEST-scoped -- do NOT flip the lockdown to go-live until all devices are domain-ready first.
**Non-Syncro follow-ups open as of 2026-06-23:**
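Review bot: Active Work now opens with two contradictory live pulls, because the context line `Syncro live pull 2026-06-20: **0 open tickets.**` is kept directly above the new `Syncro live pull 2026-06-24: **6 open tickets**`; drop the 2026-06-20 line or move it under a dated history note, since the profile line above it was already replaced for the same reason. The readiness audit header also says "15 un-joined online machines" but the bullets beneath it name 13 hosts (7 ready, 5 Home-blocked, 1 off-LAN, with LAPTOP-8P7HDSEI and NurseAssist counted once), so either two hosts are missing from the bullets or the header count needs correcting; the plan this section points at will inherit whichever figure is wrong.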
@@ -479,7 +496,9 @@ Syncro live pull 2026-06-20: **0 open tickets.**
| Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 |
| Megan Hiatt (Marketing) | COMPLETE 2026-05-27 -- domain joined via ProfWiz, folder redirection live, data on server |
| DESKTOP-KQSL232 (Lois Lane -- CareTakers) | Blocked -- Lois Lane resistant to change; John Trozzi working with her |
| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |
| CHEF-PC, SALES4-PC, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, LAPTOP-8P7HDSEI | **On Windows Home -- blocked until Home->Pro upgrade** (2026-06-24 audit; Howard handling keys). CHEF-PC also pending #32254 reinstall. |
| ASSISTMAN-PC (Meredith), ANN-PC, DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce) | Pro/Enterprise + internal -- **READY to join** (clear pending reboot onsite first where flagged) (2026-06-24 audit) |
| HEALTH-SERVICES (Lois Lane) | Domain-joined (confirmed 2026-06-24; supersedes the old DESKTOP-KQSL232 "resistant" note for her primary box) |
| DESKTOP-TRCIEJA (Lupe Sanchez) | **EOL hardware -- replace instead of migrate.** Decision 2026-06-18. |
**Blocking issues / pending:**
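Review bot: CHEF-PC is in two states at once. The new row lists it among the machines "On Windows Home -- blocked until Home->Pro upgrade", but the Active Work audit in this same commit puts it in the READY-to-join set ("Pro/Enterprise, internal ... CHEF-PC after #32254") and counts only 5 Home machines, which are the five in the new row without CHEF-PC. One of the two is wrong; since the #32254 reinstall is pending, state the edition it will have after the reinstall and list it once. The table also still carries the context row `| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |`, which the new rows fully supersede, and the `DESKTOP-KQSL232 (Lois Lane -- CareTakers) | Blocked` row that the HEALTH-SERVICES row says it supersedes; remove the first and say explicitly whether DESKTOP-KQSL232 is still in scope, rather than leaving duplicate hosts for the next recompile to reconcile.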
@@ -545,11 +564,19 @@ Syncro live pull 2026-06-20: **0 open tickets.**
| 2026-06-19 | **PRODUCTION RF OPTIMIZATION APPLIED (autonomous 2 AM window) -- 5 GHz retry HALVED.** 2.4 power -> MEDIUM on 47 radios (over-thinning fix + MemCare off full power; per-AP targeting). CSCNet BSS-transition ON. 6 GHz attempted but BLOCKED (`Wpa3MandatoryFor6GHzBand`). Blind non-DFS 5 GHz reshuffle tried, failed, rolled back. Howard's correction: scan FIRST, decide from data. Full channel survey (74/74 APs) proved DFS channels here 4-5x cleaner (2-3%) than non-DFS (ch149=12%, ch157=28%). Data-driven clean-DFS plan (8 DFS 40MHz channels, per-AP cleanest + neighbor graph-color, 0 co-channel) applied to 72 non-mesh APs. **Result: 5 GHz retry 8.7->3.8 avg (median 8.2->2.1), satisfaction median 99, all 72 APs holding DFS, 0 radar vacates.** `survey-report.py` added; `channel-plan.sh` made data-driven. |
| 2026-06-19 | **Voice VLAN migration COMPLETE (29/29 Poly) + band-selection diagnosis + Vertical 5 GHz handoff.** Howard walked the building, re-keyed all remaining Poly handsets to voice PPSK. Per-phone re-look: most phones on clean 5 GHz (Lauren .202: 2.4/50% -> 5GHz/12%), but several stuck on 2.4 despite -50 to -60 dBm signal -- controller band-steering not holding Poly OUI on 5 GHz. Phone-side fix: **5 GHz-only lock request sent to Richard Turner (Vertical)**, awaiting response = the last voice item. Kitchen server phone bad (pulled by John); Bistro phone relocated to Kitchen; Bistro now has no phone (replacement pending). Billed ticket #32444 (7h: 4 onsite + 3 remote), block 55.75->48.75. |
| 2026-06-23 | **Planned power outage (05:30-09:00 MST) -- clean shutdown executed + verified.** Building electrical work; to avoid the 6/17 dirty-shutdown damage (and given CS-SERVER's degraded OS mirror), all three core devices were armed 6/22 ~19:06 to self-shut-down on local schedules (CS-SERVER task 05:28, Synology 05:28, pfSense 05:30) -- firing independent of any remote session/tunnel, UPS carrying them through the cut. Verified clean at 05:31: CS-SERVER offline via RMM cloud (last_seen 05:29:49 MST); pfSense/Synology unreachable as expected (pfSense = VPN endpoint). Pre-flight confirmed cloud backup last full SUCCESS (0 errors), iDRAC AC-recovery + Synology auto-restart backstops ON. Bring-up (~09:00, John onsite) pending. Runbook: `docs/runbooks/2026-06-23-planned-power-outage.md`. |
| 2026-06-24 | **Syncro ticket review + #32193 Executive share + device-readiness audit + consolidated plan.** Reviewed/closed a batch of tickets; built restricted share `\\cs-server\Executive` for Ashley.Jensen + Meredith.Kuhn (NTFS+share scoped, E: mapped both machines RW-verified, billed 0.5h block, invoice #1650785728, block 48.75->48.25). Diagnosed two real RMM gotchas (UNC `\\` eaten in dispatch -> build from [char]92; mapped drive not shown until SHChangeNotify DRIVEADD). Fixed malformed priority on #32193/#32194 (Winter flag -> memory). Live AD+RMM domain-join diff: 12 staff PCs joined, ~17 to migrate; **5 on Windows Home blocked until Home->Pro** (Howard handling). Built `docs/REMAINING-WORK-PLAN.md` (7 workstreams). Decision: caregivers stay TEST-scoped until all devices domain-ready. |
---
## Compilation Notes
**2026-06-24 recompile (HOWARD-HOME/claude-main) changes vs. prior (2026-06-23):**
- Surgical/additive update -- prior compile was 1 day old; preserved all sections verbatim, folded in the 2026-06-24 work.
- Billing re-verified live (Syncro): **48.25 hrs / 29 devices / 6 open tickets** (was 48.75 / 0 open). Block draw: 0.5h #32193.
- Profile: hours + active-tickets lines updated; Active Work now points at the new `docs/REMAINING-WORK-PLAN.md` and carries the 2026-06-24 device-readiness audit (Home-edition blockers, ready-to-join set, caregiver-test-scoped decision).
- Migration phase-status table: added 2026-06-24 domain-join reality (Home-blocked set, ready set, HEALTH-SERVICES/Lois joined).
- History Highlights: added 2026-06-24 entry. Sources: added the 2026-06-24 session log + REMAINING-WORK-PLAN.md.
**2026-06-23 recompile (HOWARD-HOME/claude-main) changes vs. prior (2026-06-20, GURU-5070):**
- Surgical/additive full recompile -- the prior compile was current; the only new knowledge was the 2026-06-23 planned power outage. All other sections preserved verbatim.
- Billing re-verified live (Syncro): 48.75 hrs / 29 devices / 0 open tickets -- unchanged since 2026-06-20; "as of" dates advanced to 2026-06-23. Outage day is monitoring, not yet billed.
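Review bot: the 2026-06-24 compilation notes under-report this commit. They list the profile stats, Active Work, the migration table, History Highlights and Sources, and say the recompile "preserved all sections verbatim", yet the same commit rewrites the VoIP "Quality caveat" bullet (phone-side 5 GHz lock replaced by a dedicated 5 GHz SSID on Vertical's 2026-06-24 answer), adds the CSC ENT device-island plan bullet, adds the Helpany vendor entry, and adds the Executive restricted share entry under file access. The 2026-06-24 History Highlights line likewise never mentions the Vertical answer, so a reader working from History alone still believes the 5 GHz lock request is "the last voice item" per the 2026-06-19 row above it. Add both to the notes and the history line; the compile notes are what the next recompile diffs against, and an omission here propagates.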
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Article | Summary | Last Compiled |
|---|---|---|
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **48.75 hrs remaining** (live 2026-06-23); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610, OS RAID-1 degraded 2026-06-15 (data-loss risk; cloud backup started); **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets | 2026-06-23 |
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **48.25 hrs remaining** (live 2026-06-24); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610, OS RAID-1 degraded 2026-06-15 (data-loss risk; cloud backup started); **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 6 open tickets, device-readiness audit done (5 PCs on Win Home need Home->Pro before join); remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-24 |
| [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, **31.5 hrs remaining** (live 2026-06-23); signal-conditioning manufacturer; 64 DOS test stations; 2025 ransomware recovery + incomplete file restore (migration-gap audit); 2026-03 phishing + MFA rollout; test-datasheet pipeline (DSCA cert publish via Hoffman API + testdatadb UI on AD2); mail stack INKY->Mailprotector CloudFilter->EXO; FreePBX 17 outage fixed 2026-06-08/09 (qualify_frequency=0; no RTP-forward); shares-ACL project (all open to staff; Phase 2 target-state strawman drafted 2026-06-22); Syncro asset reconciliation 2026-06-02; GuruRMM fleet ~45; Bitdefender phase-off | 2026-06-23 |
| [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
| [Jimmy Company](clients/jimmy.md) | Break-fix, $150/hr; single aging workstation BLASTER2 (Win10 22H2 EOL, i5-3470/3.8GB — replace); backups the recurring theme (QuickBooks data); onboarded to GuruRMM 2026-06-19 (RDP NLA + Kaseya removal + cleanup); MSP360 local backup drive full, 90-day retention set, space reclaim pending in console (cloud B2 healthy) | 2026-06-19 |
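Review bot: the updated Cascades of Tucson row still says "awaiting Vertical to set Poly 5GHz-only", which the profile in this same commit retracts (Richard Turner confirmed 2026-06-24 that Poly phones cannot be pinned to a band; the fix is now the CSC ENT 5 GHz-only device island), and it still counts "~38 devices: 29 Poly" where the profile says 28 active Poly after one was pulled bad, 37 devices on VOICE. This row is the summary other machines read first, so replace the voice clause with the device-island plan and the 28/37 figures in this change rather than the next recompile.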