diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index ea81ed99..4b9dce8a 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md @@ -89,6 +89,7 @@ - [Calibrate effort to stakes](feedback_calibrate_effort_to_stakes.md) — Don't over-verify or over-engineer low-consequence details; confirm the happy path, note the limitation, and take the simplest path (e.g. put the instruction in the prompt) instead of building robust mechanisms. - [Pricing verification — no guessing](policy_pricing_verification.md) — ANY cost presented to the team or a client MUST be verified via live web lookup (WebFetch/WebSearch, fallback to headless Chrome). Never estimate from training data. Cite source + date inline. If unreachable, say so — do NOT substitute a guess. - [Client communication tone](feedback_client_tone.md) — How to write client-facing Syncro comments — expert partner, not intake questionnaire. +- [Impeccable on outbound](feedback_impeccable_on_outbound.md) — Run the `impeccable` skill on anything sent to a client or vendor before delivery; internal drafts exempt. - [Default to inline links](feedback_inline_links.md) — Use `[text](url)` inline markdown links (clickable, wrap-safe) not bare URLs in code fences; exception = raw URL the user must copy/paste. - [Add Mike as owner on all Entra apps](feedback_entra_app_owner.md) — Apps created via management SP have no user owner — must add Mike manually or publisher verification fails. - [No TOML/config file approach for endpoints](feedback_no_toml_config_endpoints.md) — User explicitly prohibits TOML or config-file-based endpoint configuration — this will never be approved. diff --git a/.claude/memory/feedback_impeccable_on_outbound.md b/.claude/memory/feedback_impeccable_on_outbound.md new file mode 100644 index 00000000..6de01d82 --- /dev/null +++ b/.claude/memory/feedback_impeccable_on_outbound.md 
@@ -0,0 +1,20 @@ +--- +name: feedback_impeccable_on_outbound +description: Run the `impeccable` skill on any deliverable before it goes out to a client or vendor +metadata: + type: feedback +--- + +Before sending ANYTHING to a client or another vendor — proposals, plans, reports, +agendas, one-pagers, emails meant to represent ACG externally — run the **`impeccable`** +skill on it first as a quality/polish gate. Applies to outbound, external-facing +deliverables; internal prep docs and working notes do not require it. + +**Why:** Mike wants everything that leaves ACG to be polished and on-brand. A rough +internal draft is fine for us; a client/vendor never sees an unpolished artifact. + +**How to apply:** When a deliverable is destined for a client/vendor, produce it, then +invoke `impeccable` to audit/polish before delivery. For document deliverables, that +means rendering them as a designed artifact (styled HTML/PDF one-pager) so `impeccable` +(a frontend/UI design skill) can do its job — confirm the format with the user if unsure. +Pairs with [[feedback_client_tone]] (tone) and [[stop-slop]] (text quality). diff --git a/clients/cascades-tucson/PROJECT_STATE.md b/clients/cascades-tucson/PROJECT_STATE.md index 834b8b3d..9ea06161 100644 --- a/clients/cascades-tucson/PROJECT_STATE.md +++ b/clients/cascades-tucson/PROJECT_STATE.md 
@@ -54,9 +54,14 @@ Senior living community. Active project: HIPAA-compliant folder redirection GPO ## Pending / Next Up +**>> CANONICAL EXECUTION PLAN: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live +AD+RMM domain-join diff). It sequences ALL remaining work — workstation domain migration, +users/departments/file-share access, HIPAA caregiver lockdown go-live, M365 relicense, server/RAID, +network tail — and maps every open Syncro ticket to its workstream. Work the migration from THAT doc. + **Open Syncro Tickets (folded into the engagement, 2026-06-24 — Howard review):** -These 7 open Cascades tickets are tracked todos #1–#7 and roll up into the existing workstreams -(machine/user deployment into the domain + network/HIPAA lockdown). All are in Syncro status `New`. +These 7 open Cascades tickets are tracked todos #1–#7 and roll up into the workstreams in the plan +above (machine/user deployment into the domain + network/HIPAA lockdown). | Ticket | Workstream | Summary | Notes | |--------|-----------|---------|-------| diff --git a/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md b/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md new file mode 100644 index 00000000..b0b29bb0 --- /dev/null +++ b/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md 
@@ -0,0 +1,208 @@ +# Cascades of Tucson — Remaining Work Plan (to completion) + +> Consolidated execution plan tying the open Syncro tickets to the broader migration +> workstreams (workstations -> domain, users/departments, HIPAA caregiver lockdown). +> Built 2026-06-24 (Howard) from a live AD+RMM diff. Companion to `PROJECT_STATE.md` +> and `wiki/clients/cascades-tucson.md` (current truth, compiled 2026-06-23). +> Goal: finish the migration quickly by working it as one sequenced plan. + +--- + +## Live snapshot — domain-join inventory (2026-06-24, AD vs RMM diff) + +**Domain (`cascades.local`) — joined staff workstations (12):** +ACCT2-PC, CRYSTAL-PC, DESKTOP-DLTAGOI (Sharon/LE), DESKTOP-F94M8UT, DESKTOP-H6QHRR7, +DESKTOP-N5G1ROO (Chris Knight), DESKTOP-ROK7VNM, DESKTOP-U2DHAP0 (Ashley), +ASSISTNURSE-PC, NURSESTATION-PC, RECEPTIONIST-PC, MEGAN. +(Plus infra: CS-SERVER = DC, CS-QB = QB VM. Stale AD objects to clean: DESKTOP-1ISF081 (last logon 2025-03), AZUREADSSOACC is the Seamless-SSO object — leave.) 
+ +**In RMM but NOT domain-joined — still to migrate (~17):** + +| Machine | User / role | Plan | +|---|---|---| +| ASSISTMAN-PC | Meredith Kuhn (on LOCAL acct `meredithk`) | Domain-join + migrate her to `cascades\Meredith.Kuhn` | +| ANN-PC | (verify user) | Join + OU + drives | +| DESKTOP-LPOPV30 | (verify) | Join + OU + drives | +| DESKTOP-MD6UQI3 | (verify, offline) | Join + OU + drives | +| MAINTENANCE-PC | Maintenance | Join -> OU=Maintenance | +| MDIRECTOR-PC | Shelby Trozzi (MC Director) | Join -> OU=Care-Memorycare | +| MEMRECEPT-PC | MC reception (shared) | Join -> OU=Shared PCs | +| NurseAssist | (distinct from ASSISTNURSE-PC) | Join or retire-as-dupe — verify | +| SALES4-PC | Sales | Join -> OU=Marketing | +| LAPTOP-8P7HDSEI | (verify) | Join or caregiver path | +| Health-Services-Director | vs AD `HEALTH-SERVICES` | Verify dup/rename before acting | +| **CHEF-PC** | Culinary (Chef JD) | **Ticket #32254** — reinstall Windows, THEN join -> OU=Culinary | +| DESKTOP-TRCIEJA | Lupe Sanchez | EOL — **replace machine** (decision 2026-06-18), join the replacement | +| DESKTOP-KQSL232 | Lois Lane | Resistant to migration; coordinate via John Trozzi | +| CascadesProxess | Proxess access-control appliance | Likely leave un-joined — verify it's an appliance | +| Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop4 | Caregiver shared laptops | Join via the **Caregiver Devices** path (Workstream 3), not the staff path | + +**OU structure (built):** `OU=Departments` -> Administrative, Marketing, Care-Assisted Living +(+ Nurses), Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Resident +Services, Transportation, Caregivers. `OU=Workstations` -> Staff PCs, Shared PCs, +`OU=Caregiver Devices` (under Staff PCs). Groups in `OU=Groups`. + +--- + +## Workstream 1 — Workstation domain migration + +**Goal:** every staff PC on `cascades.local` + GuruRMM + correct dept OU + mapped dept drives; +retire per-PC Synology Drive Client. 
+ +**Per-machine runbook** (scripts in `docs/migration/scripts/`): +1. `phase3-pre-join-verify.ps1` (OneDrive KFM unlinked, no poisoned shell folders, name OK) +2. `phase3-join-domain.ps1` -> join `cascades.local` +3. `phase3-post-join-verify.ps1` +4. Move computer object into the correct **department OU** +5. Confirm GuruRMM agent still checks in; migrate the user profile/data +6. Map department drives (Workstream 2); uninstall Synology Drive Client; delete local cache once clean +7. Log the change + +**Tickets in this workstream:** #32194 (deploy spare machine for new hire — join + enroll + AD acct), +#32254 (Chef-PC reinstall then join). + +### Device readiness audit (2026-06-24, live probe of 15 un-joined online machines) + +| Machine | User | Edition | Readiness | +|---|---|---|---| +| DESKTOP-LPOPV30 | Karen Rossini | Win11 Pro | READY | +| MAINTENANCE-PC | Bruce Miller | Win11 Pro WS | READY | +| LAPTOP-E0STJJE8 | caregiver | Win11 Pro WS | READY (caregiver path) | +| ASSISTMAN-PC | Meredith Kuhn | Win11 Pro | pending reboot | +| ANN-PC | christina | Win11 Enterprise | pending reboot | +| Laptop2 | caregiver | Win11 Pro | pending reboot | +| CHEF-PC | Ramon Castaneda | Win11 Pro | do #32254 reinstall first | +| LAPTOP-8P7HDSEI | User | **Win10 Home** | BLOCKED: Home->Pro + OneDrive KFM ON | +| MDIRECTOR-PC | Shelby Trozzi | **Win11 Home** | BLOCKED: Home->Pro + reboot | +| MEMRECEPT-PC | memfrtdesk | **Win10 Home** | BLOCKED: Home->Pro + reboot | +| NurseAssist | Veronica | **Win11 Home** | BLOCKED: Home->Pro + KFM ON + reboot | +| SALES4-PC | Tamra (departing) | **Win11 Home** | BLOCKED: Home->Pro; Tamra leaving — repurpose? 
| +| LAPTOP-DRQ5L558 | caregiver | Win11 Pro WS | BLOCKED: off-network (public DNS, no DC reach) | +| DESKTOP-TRCIEJA | Lupe Sanchez | Win11 Pro | SKIP — EOL, being replaced | +| Health-Services-Director | Lois Lane | Win11 Pro WS | already domain-joined (= AD `HEALTH-SERVICES`) | + +**Prep blockers / decisions (2026-06-24):** +- **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys): + LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard handling the + Home->Pro upgrades himself** (list DM'd 2026-06-24). +- **OneDrive KFM ON** (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist. +- **Pending reboots + KFM unlinks: held for onsite** (Howard) — disruptive to clear remotely. +- **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) — + must be on-site/on-LAN before any join. +- Note: the legacy `phase3-pre-join-verify.ps1` hardcodes the DC at `192.168.2.254`; clients + actually reach it at `192.168.2.248` (the `.254` NIC is the Hyper-V vEthernet and does not + cleanly serve domain SMB) — update the script's target before reuse. +- Pro/Enterprise + internal machines are READY to join once reboots are cleared onsite: + DESKTOP-LPOPV30, MAINTENANCE-PC, ASSISTMAN-PC, ANN-PC, LAPTOP-E0STJJE8, Laptop2 (+ CHEF-PC after #32254). + +--- + +## Workstream 2 — Users, departments & file-share access + +**Goal:** every user in the right OU + `SG-*-RW` group; department drives mapped per the +access matrix; Synology retired as primary. + +- Shares already created on CS-SERVER (`D:\Shares\...`): Management, Sales/SalesDept, Server, + Accounting, Culinary, Activities, directoryshare, IT, Receptionist, **Executive (NEW — Ashley+Meredith)**. + Confirm ALdocs/WebDocs/LifeEnrichment exist + NTFS per the matrix. +- Populate `SG-*-RW` groups per `docs/migration/share-access-matrix-2026-04-23.md`. 
+- Map dept drives per user via GPP/logon script (Receptionist drive = machine+user scoped, Tower desk only). +- **Close out the matrix open questions** (per-user interviews): Lois Lane, Karen Rossini, Susan Hicks, + John Trozzi, Lupe Sanchez, Shelby Trozzi, Matt Brooks, Christine Nyanzunda; `pacs`/Clinical-PHI + create-or-retire; `web` retire. + +**Tickets:** #32193 (Executive restricted share — **DONE 2026-06-24**, E: mapped both machines), +#32230 (Karen Rossini -> ALDOCS on Synology — **recheck when she's in**, she was out 2026-06-24). + +--- + +## Workstream 3 — HIPAA caregiver lockdown — GO-LIVE (highest value, mostly built) + +Everything is built + validated on the pilot (NURSESTATION + pilot.test). Go-live = flip from +test scope to real caregivers, one device at a time. (Detail: wiki "Entra Access Architecture".) + +1. Swap GPO `CSC - Caregiver Workstation` security filter `SG-Caregivers-Test` -> `SG-Caregivers`. +2. CA allow-list policy `1b7fd025`: test group `SG-Caregivers-DeviceTest` -> `SG-Caregivers`; disable the compliance-block policy `ede985e2`. +3. Move each caregiver machine into `OU=Caregiver Devices` + `SG-PC-MainTower`/`SG-PC-MemoryCare` + one at a time: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC (+ verify NurseAssist/Laptop4). +4. ALIS email-match the 38 caregivers + medtechs (ALIS staff Email = Entra UPN); turn off ALIS-native 2FA per user. +5. Lower ALIS app session timeout 20 -> 15 min (Howard, ALIS admin). +6. **Reboot NURSESTATION-PC** to activate + verify the device-lockdown GPO (lock @3min, 90s warn, sign-out @15min). + +--- + +## Workstream 4 — M365 + +- **Relicense 31 users Business Standard -> Business Premium** (Standard is SUSPENDED — time-sensitive). +- Create break-glass accounts (`breakglass1/2-csc@`) + enroll FIDO2 YubiKeys. +- Build audit retention (Log Analytics 90d + Storage 6yr) in `rg-audit-cascadestucson`. 
+ +--- + +## Workstream 5 — Server / infrastructure + +- **Verify cloud backup** (MSP360 -> ACG-backup) first full completed + set retention. [GATE for RAID work] +- **CS-SERVER degraded OS RAID-1** -> replace with 2x 480 GB enterprise SATA SSD (gate on backup verified). Real fix = DC migration off the 16-yr-old R610. +- Clean up old-MSP agent sprawl (Datto RMM/CentraStage + Datto EDR/Infocyte) thrashing the spindle. +- Synology -> backup-only (Team Folder migration of the real shares; close the workgroup/Kerberos quirk). +- Rotate the Synology signin-portal credential (was committed plaintext historically). + +--- + +## Workstream 6 — Network (mostly complete) + +- **CSC ENT device-island consolidation (phones + Helpany on 5 GHz)** — repurpose CSC ENT as a + **5 GHz-only WPA2 PPSK** SSID and consolidate BOTH the Poly voice handsets (-> VLAN 30) and the + Helpany "Paul" radar sensors (-> new VLAN 40) onto it, separated at the VLAN layer. Gets both + off congested 2.4 GHz; keeps WPA2-only gear isolated so CSCNet can later move to WPA3/WiFi7/6GHz. + Supersedes the standalone "Voice 5 GHz lock" item below and the earlier "delete CSC ENT" idea + (deleting it would orphan the Pauls). Both vendors can move their devices remotely once we + provide the network. **Onsite gate: verify per-room 5 GHz coverage before the band flip** + (steel walls; weak-5GHz devices stay on 2.4). Full design + sequence: + `docs/network/csc-ent-device-island-plan.md`. + - Build VLAN 40 (Helpany, egress-only to `*.sedimentum.com` + snapcraft/ubuntu) on pfSense. + - Enable PPSK on CSC ENT: key `Ftfd85710#` -> VLAN 40 (Pauls keep SSID+key, not reprogrammed); + new voice key -> VLAN 30 (phones re-pointed by Howard/Richard). + - Flip CSC ENT to 5 GHz-only (`apply-wlan.sh ... bands 5g`) in a coordinated window; pilot a few + phones + Pauls, then full rollout. + - Helpany = Sandro Cilurzo / Eugenie Nicoud; Poly = Richard Turner (Vertical). 
+- **#32319** WiFi Room 343 — relocate a floor-2/4 AP for coverage (unifi-wifi skill, site `va6iba3v`). +- **#32342** Copy Room switch — install + adopt into UniFi. +- ~25 switch ports linked at 100 Mbps but gig-capable (cabling/NIC sweep). +- *(Superseded)* Voice 5 GHz lock — now folded into the CSC ENT consolidation above (single + dedicated 5 GHz network for phones + sensors, not just a phone-side band lock). + +--- + +## Workstream 7 — Onsite peripheral + +- **#32370** eFax setup (Karen & Christin) + portable scanner on both machines. + +--- + +## Suggested sequence (fastest path) + +1. **Today's onsite batch (Howard, on-site):** #32342 (Copy Room switch), #32319 (Room 343 AP), + #32370 (eFax + scanner), #32194 (spare machine for new hire), #32254 (Chef-PC reinstall+join); + #32230 (Karen -> ALDOCS) once she's in. **While onsite: verify per-room 5 GHz coverage** for the + CSC ENT device-island consolidation (Workstream 6) so the band flip can be scheduled with the + vendors. +2. **Caregiver lockdown go-live** (Workstream 3) — remote, highest HIPAA value, just needs the flip + per-device moves. +3. **M365 relicense 31 users** (Workstream 4) — time-sensitive. +4. **Backup verify -> RAID replacement** (Workstream 5) — critical single-DC risk. +5. **Remaining staff domain joins + dept drives** (Workstreams 1+2) — batch the ~17 un-joined PCs, OU + drives per machine. +6. Network tail (Vertical 5 GHz, 100 Mbps ports) + M365 break-glass/audit retention. 
+ +--- + +## Open Syncro tickets -> workstream map + +| Ticket | Workstream | Status | +|---|---|---| +| #32193 Executive restricted share | 2 | **DONE 2026-06-24** (E: both machines, billed 0.5h block) | +| #32194 spare machine for new hire | 1 | Open — onsite | +| #32230 Karen -> ALDOCS | 2 | Open — recheck when she's in | +| #32254 Chef-PC reinstall | 1 | Open — onsite (then domain-join) | +| #32319 WiFi Room 343 | 6 | Open — onsite | +| #32342 Copy Room switch | 6 | Open — onsite | +| #32370 eFax + scanner | 7 | Open — onsite | diff --git a/clients/cascades-tucson/docs/network/csc-ent-device-island-plan.md b/clients/cascades-tucson/docs/network/csc-ent-device-island-plan.md new file mode 100644 index 00000000..ab866c7f --- /dev/null +++ b/clients/cascades-tucson/docs/network/csc-ent-device-island-plan.md 
@@ -0,0 +1,149 @@ +# Cascades — CSC ENT Device-Island Consolidation (Phones + Helpany on 5 GHz) + +> **Decision (2026-06-24, Howard + Mike):** Repurpose the existing **CSC ENT** SSID as the +> permanent **WPA2 / 5 GHz-only device island** and consolidate BOTH the Poly voice handsets +> and the Helpany "Paul" sensors onto it, separated at the VLAN layer via Private PSK (PPSK). +> This gets both device classes off congested 2.4 GHz, keeps the WPA2-only gear on its own +> network, and clears the path to eventually move **CSCNet** to WPA3 / WiFi 7 / 6 GHz. +> +> Companion to `network-optimization-master-plan.md`, `voice-vlan-cutover.md`, +> `2026-06-19-vertical-5ghz-lock-request.md`, and `docs/REMAINING-WORK-PLAN.md` (Workstream 6). + +--- + +## Why (background) + +Two separate vendor threads converged on the **same** fix — a dedicated 5 GHz SSID: + +- **Poly voice handsets (Vertical / Richard Turner):** several Polys sit on saturated 2.4 GHz + despite excellent 5 GHz signal; UniFi band steering (`no2ghz_oui`, already ON) does **not** + hold the Poly OUI (`48:25:67`) on 5 GHz. Richard (2026-06-24): phones can't be statically + pinned to a band; Poly recommends a **separate 5 GHz SSID** for the phones (or disabling band + steering on a shared SSID so the phone targets 5 GHz itself). See + `2026-06-19-vertical-5ghz-lock-request.md`. +- **Helpany "Paul" sensors (Sandro Cilurzo / Eugenie Nicoud):** the room devices are **radar + fall/motion sensors** (Sedimentum backend — *no camera, no microphone*), currently programmed + onto **CSC ENT** (WPA2, key `Ftfd85710#`) and landing on 2.4 GHz. Per Sandro (email + 2026-06-19): *"Do you have a dedicated 5 GHz network with a separate SSID? If so we can + remotely transition the Paul devices to that network... we'd need the SSID and password... 
if + 5 GHz is not available or the signal is not strong enough, the devices default to 2.4 GHz."* + Helpany's engineering performs the band transition **remotely** once we provide the network. + +CSC ENT was **deliberately kept as a WPA2 WiFi5 island** by Mike back in March 2026 precisely so +the WPA2-only Helpany gear had a home while CSCNet moves to newer standards (*"CSCNet is slated +to be converted to WiFi7 and will not be compatible with their devices — CSC ENT will remain +WiFi5 and is the correct network for them to use."*). This plan formalizes and extends that role. + +--- + +## Hard constraints (vendor-stated) + +- **Helpany is WPA2-only** — explicitly **NOT** WPA3 or hybrid WPA2/WPA3 (*"we don't support + hybrid, only WPA2"*). The device SSID must stay WPA2-PSK. +- **5 GHz has shorter range** than 2.4 GHz. Both vendors warn: a device with weak 5 GHz signal + will fall back to 2.4 GHz or be orphaned. **Per-room 5 GHz coverage must be verified before + transitioning** (Cascades is 6 floors with steel hallway walls). Leave any weak-signal device + on 2.4 rather than force it. +- **Reprogramming is painful on Helpany's side** — they can't reach offline devices, and key + rotations need **72 h notice + the new key**. The SSID/password must be right and stable. +- **Helpany bandwidth is negligible:** < 0.04 Mbps per Paul device; whole fleet ~0.38 Mbps low / + 0.75 avg / **1.35 Mbps peak** (peaks ~11:00 AM & 7:00 PM). No capacity threat to voice. + +--- + +## Target design + +Repurpose CSC ENT; **no new SSID** (Pauls keep their current SSID + key, so they are NOT +reprogrammed — only band-moved by Helpany). 
+ +| Network | Band / Security | Mechanism | Clients | VLAN | +|---|---|---|---|---| +| **CSC ENT** (repurposed) | **5 GHz-only, WPA2-PSK** | **PPSK** | Poly voice handsets | **VLAN 30** (existing voice, keep) | +| | | | Helpany Paul sensors | **VLAN 40** (new, sensors) | +| **CSCNet** | 2.4 + 5 GHz, WPA2 (today) | PPSK (per-room) | residents + staff IoT/TVs | per-room VLANs (unchanged) | +| **Guest** | 2.4 + 5 GHz, WPA2 | — | guests | VLAN 50 (unchanged) | + +**PPSK key map on CSC ENT:** +- Existing key `Ftfd85710#` -> **VLAN 40** (Helpany). Pauls keep SSID + password unchanged. +- New voice key -> **VLAN 30** (phones). Howard/Richard re-point the Polys to this key. + +**Only structural change to CSC ENT itself:** flip `wlan_bands` from `[2g,5g]` to `[5g]` and +enable PPSK. The band flip is the step requiring vendor coordination + the coverage check. + +### New VLAN 40 (Helpany sensors) — egress-only, isolated like VLAN 30 +Mirror the Voice VLAN 30 isolation model: internet/cloud egress only; firewalled off PHI, main +LAN, voice, and resident VLANs (HIPAA). Required outbound destinations (Helpany / Sedimentum, +Ubuntu/snap based): + +| Port | Proto | Destinations | +|---|---|---| +| 5671 | AMQPS (SSL) | `*.sedimentum.com` | +| 8883 | MQTT | `*.sedimentum.com` | +| 8030 | HTTP | `*.sedimentum.com` | +| 443 | HTTPS | `*.sedimentum.com`, `snapcraft.io`, `api.snapcraft.io`, `public.apps.ubuntu.com`, `fastly.cdn.snapcraft.io` | + +(VLAN 40 = proposed; confirm it is free on pfSense/UniFi before use. Existing VLANs: 1, 20, 30, +50, 999, room VLANs 101-631; "CSC Internal Network" VLAN 10 is a suspected orphan to verify.) + +### Why this shape +- **One SSID via PPSK** = minimal beacon airtime on a dense 77-AP site (vs. two separate SSIDs). +- **Pauls not reprogrammed** — same SSID + key, only a remote band move. +- **VLAN separation** keeps voice QoS (DSCP EF) and HIPAA isolation intact; sensor data never + mixes with voice. 
+- CSC ENT stays the **WPA2 island**, so a future CSCNet WPA3 migration doesn't touch this gear. + +--- + +## Execution sequence + +1. **Build VLAN 40** on pfSense (igc1.40, DHCP scope, DNS) + firewall egress rules above; mirror + VLAN 30 isolation. +2. **Enable PPSK on CSC ENT**; add keys: `Ftfd85710#` -> VLAN 40, new voice key -> VLAN 30. +3. **[ONSITE GATE] Verify 5 GHz coverage** in the rooms where Pauls + phones live (per-floor, + account for steel walls). Use `unifi-wifi` skill (`live-stats.sh --clients`, `watch-ap.sh`). +4. **Flip CSC ENT to 5 GHz-only** (`apply-wlan.sh bands 5g --wlan `), coordinated + with both vendors during a change window. +5. **Vendors transition their devices:** + - **Helpany** remotely moves the Pauls to 5 GHz (we hand them: SSID `CSC ENT`, key + `Ftfd85710#` — unchanged; they confirm strong 2.4 signal per-device first). + - **Poly/Vertical** (Richard) — phones re-pointed to CSC ENT + the new voice key. Howard can + do the phone-side SSID change directly. +6. **Pilot first:** move 2-3 phones + bring up a few Pauls on 5 GHz; verify association + + stability before the full fleet. +7. **Full rollout** of remaining phones + Pauls. +8. **(Optional cleanup)** investigate the stray `element-5b32...` SSID on the controller and the + orphan "CSC Internal Network" VLAN 10; remove if unused (more airtime/clarity back). + +**We do NOT delete CSC ENT** — it becomes the permanent device island. (Supersedes the earlier +"delete CSC ENT" idea, which would have orphaned the Pauls.) + +--- + +## Future (separate project) — CSCNet -> WPA3 / WiFi 7 / 6 GHz + +- WiFi 7 on 2.4/5 GHz already works on WPA2 (U7-Pro APs). The thing WPA3 unlocks is the **6 GHz + band** (6 GHz mandates WPA3 + PMF) — the largest untapped clean capacity at the site. +- Moving phones + Pauls onto CSC ENT is a **prerequisite**, but the real blocker for CSCNet -> WPA3 + is the **~230 resident PPSK clients** (TVs / legacy IoT, many 2.4-only / WPA2-only). 
That + migration needs its own resident-device impact survey and is **not** gated by the voice/sensor + gear. + +--- + +## Vendor contacts +- **Poly / Vertical:** Richard Turner +- **Helpany:** Sandro Cilurzo (CEO) ; Eugenie Nicoud (COO) + +- **Facility liaison:** John Trozzi (Facilities Director) + +## Credentials +- **CSC ENT / CSCNet WPA2 key:** `Ftfd85710#` (vault: `clients/cascades-tucson/wifi-cscnet`; + confirm a CSC-ENT-specific entry exists or add `clients/cascades-tucson/wifi-csc-ent`). +- **New voice PPSK key (VLAN 30):** to be generated + vaulted at + `clients/cascades-tucson/wifi-voice-ppsk` when created. + +## Open items / decisions +1. Confirm VLAN 40 is free (and whether VLAN 10 "CSC Internal Network" is an orphan to reclaim). +2. PPSK-on-one-SSID (recommended) vs. two separate 5 GHz SSIDs — confirm approach. +3. Schedule the coordinated change window with Poly/Vertical + Helpany. +4. Per-room 5 GHz coverage verification (onsite) — the gating task. diff --git a/clients/cascades-tucson/docs/network/wifi.md b/clients/cascades-tucson/docs/network/wifi.md index d4e138bd..c83c8e21 100644 --- a/clients/cascades-tucson/docs/network/wifi.md +++ b/clients/cascades-tucson/docs/network/wifi.md 
@@ -4,7 +4,7 @@ | SSID | Network Assignment | AP Group | Bands | Security | Purpose | |------|-------------------|----------|-------|----------|---------| | **CSCNet** | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. | -| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi — many machines still on this SSID. Must keep functional (LAN access to servers/printers) until all devices migrate to CSCNet (INTERNAL VLAN). Remove after migration complete. | +| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi + the WPA2 island for WPA2-only devices (Helpany "Paul" sensors, key `Ftfd85710#`). **PLANNED (2026-06-24): repurpose as the 5 GHz-only WPA2 PPSK device island** — phones -> VLAN 30, Helpany -> VLAN 40. **Do NOT delete** (would orphan the Pauls). See `csc-ent-device-island-plan.md`. | | **Guest** | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) | ## UniFi Network Definitions 
@@ -46,8 +46,12 @@ WPA3 is not enabled on any SSID. WPA2 is acceptable but WPA3-transitional mode w **Fix:** Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See `security/hipaa.md`. -### 5. No Band Steering or Separate SSIDs (Low) -All SSIDs broadcast on both 2.4 and 5 GHz. Band steering should be enabled (if not already) to push capable devices to 5 GHz for better performance, especially in high-density areas like the Dining Room. +### 5. No Band Steering or Separate SSIDs (Low) — being addressed +Band steering (`no2ghz_oui`) is in fact ON on CSCNet/CSC ENT/Guest, but it does **not** reliably +hold the Poly voice OUI (`48:25:67`) or the Helpany sensors on 5 GHz — they land on congested 2.4. +**Fix in progress (2026-06-24):** rather than rely on steering, give the voice + sensor devices a +dedicated **5 GHz-only WPA2 SSID** by repurposing CSC ENT (PPSK -> VLAN 30 phones / VLAN 40 Helpany). +Full plan: `csc-ent-device-island-plan.md`. ## Migration Plan — WiFi Changes (Phase 1.1) diff --git a/errorlog.md b/errorlog.md index 69e2200c..f9e8d6ee 100644 --- a/errorlog.md +++ b/errorlog.md 
@@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +2026-06-24 | Howard-Home | process/client-deliverables | [correction] did not gate outbound client/vendor deliverables through the impeccable skill; rule: run impeccable on anything sent externally + 2026-06-24 | Howard-Home | syncro/ticket-create | [correction] created #32193/#32194 with priority 'Normal' instead of Syncro's canonical number-prefixed '2 Normal'; the value did not match the priority dropdown so it displayed blank (Winter flagged it). Always set priority as 'N Name' (e.g. '2 Normal','4 Urgent') AND a valid problem_type (Onsite/Remote/etc.) on every ticket create via the syncro skill. [ctx: ref=syncro-skill priority-format] 2026-06-24 | Howard-Home | rmm/dispatch | [friction] UNC double-backslash in heredoc+jq RMM command got mangled to single backslash (cs-server -> cs-server), causing net use error 67 and net-use hangs that looked like a missing/broken share; single-backslash local paths (D:Shares) were unaffected. Fix: build UNC from [char]92 at runtime ($bs=[char]92; $unc="{0}{0}server{0}share" -f $bs) so no literal backslash traverses the dispatch chain. [ctx: ref=feedback_windows_quote_stripping] diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 3ca6f1f2..65de4e4f 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -2,7 +2,7 @@ type: client name: cascades-tucson display_name: Cascades of Tucson -last_compiled: 2026-06-23 +last_compiled: 2026-06-24 compiled_by: HOWARD-HOME/claude-main sources: - session-logs/2026-03-24-session.md 
@@ -88,6 +88,8 @@ sources: - clients/cascades-tucson/docs/network/2026-06-19-vertical-5ghz-lock-request.md - clients/cascades-tucson/docs/runbooks/2026-06-23-planned-power-outage.md - clients/cascades-tucson/session-logs/2026-06/2026-06-23-howard-cascades-planned-outage-shutdown-verify.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-ticket-review-and-cascades-consolidation.md + - clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md backlinks: - projects/gururmm - wiki/systems/uos-server 
@@ -155,10 +157,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - Lupe Sanchez -- staff (DESKTOP-TRCIEJA). EOL workstation (Gateway ZX6971 AIO, i3-2120, 8 GB RAM, Win11 unsupported). **Decision 2026-06-18: replace machine** (dual-AV + EOL hardware causing slow Excel; no remediation on current box). GuruRMM agent `c9bf1a2d-bfdc-401e-9cc8-f9e90bb19587` (resolve live by hostname; UUIDs change on re-enroll). - **Syncro contact emails (authoritative):** ashley.jensen@, jd.martin@, crystal.rodriguez@, John.trozzi@, meredith.kuhn@, accounting@/accountingassistant@cascadestucson.com. - **Billing rate:** $175/hr all labor (prepaid block customer) -- **Hours remaining:** **48.75 hrs as of 2026-06-23 (live Syncro -- unchanged since 2026-06-20; the 2026-06-23 planned outage is monitoring, not yet billed).** Most recent draw: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing. +- **Hours remaining:** **48.25 hrs as of 2026-06-24 (live Syncro).** Most recent draw: 0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25). Prior: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing. - **Syncro customer ID:** 20149445 - **Managed devices (Syncro):** 29 (live 2026-06-23) -- **Active tickets:** 0 open Syncro tickets as of 2026-06-23. See Active Work for open non-ticketed projects. 
+- **Active tickets:** 6 open Syncro tickets as of 2026-06-24 (#32194 spare machine, #32230 Karen->ALDOCS, #32254 Chef-PC reinstall, #32319 WiFi rm343, #32342 Copy Room switch, #32370 eFax+scanner) -- all folded into `docs/REMAINING-WORK-PLAN.md`. See Active Work for open non-ticketed projects. - #110680053 / #32303 -- Entra / domain migration project. Status: **Invoiced** as of 2026-06-05. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` - #109412123 -- Entra setup project (verify status) - #32403 -- Meredith locked Word doc (0.5h remote, billed 2026-06-10, Invoiced) 
@@ -234,11 +236,13 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **AP 108 (Floor 1) offline** pending a new cable run. Stale duplicate controller object ("108" vs "108U7 Pro") to clean up separately. - **VoIP (vendor: Vertical -- Richard Turner ):** Two phone fleets -- **8 AudioCodes** (OUI `00:90:8f`, WIRED on USW-16-PoE ports 1-8, externally powered / PoE OFF) and **Poly** (OUI `48:25:67`, WiFi via CSCNet PPSK) -- **28 active** (29 re-keyed 2026-06-19, 1 removed bad). **All on VOICE VLAN 30: 28 Poly + 8 AudioCodes (`.224-.231`) + Vertical desktop (`.201`) = 37 devices.** Phones mark **DSCP EF (46)**. **[2026-06-19 hardware change] John (Trozzi) reported the Kitchen server phone (`48:25:67:64:95:7a`) BAD and pulled it; the Bistro phone (`.236`, `48:25:67:64:94:84`) was relocated to the Kitchen to cover it -- so the BISTRO now has NO phone (replacement pending, set up + re-key when it arrives).** (Verify VLAN via the client `vlan` field, NOT the cached display IP.) The **Vertical-Remote management desktop** (`10.0.30.201`, MAC `e4:e7:49:52:3a:06`, WIRED USW-16-PoE port 16, VOICE VLAN 30, **DHCP** -- confirmed not static, LogMeIn remote access, no pfSense OpenVPN) is live on VLAN 30. No on-prem SIP PBX found -> phones appear to register to a **cloud/hosted PBX** (Vertical). - **[2026-06-19 COMPLETE] Voice VLAN (VLAN 30) consolidation:** dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30, DHCP `.100-.250`, DNS `8.8.8.8/1.1.1.1`)** holding ALL phones + the Vertical desktop; internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA). Voice PPSK key on CSCNet -> VOICE: vaulted `clients/cascades-tucson/wifi-voice-ppsk`. **Migration COMPLETE 2026-06-19: 37 devices on VOICE.** Live inventory: `docs/network/voice-phone-inventory.md`. - - **Quality caveat + the actual fix (2026-06-19):** the VLAN move does NOT by itself fix call quality. 
Per-phone re-look found residual dropped-calls are a **band-selection problem, not RF/coverage** -- several Poly handsets sit on saturated 2.4 GHz despite EXCELLENT 5 GHz-capable signal (-50 to -60 dBm, 36-96% retry), and controller band-steering (`no2ghz_oui`, already ON) is NOT holding the Poly OUI on 5 GHz. **The fix is phone-side: set the Poly handsets to 5 GHz-only via Vertical** -- request sent to Richard Turner 2026-06-19 (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), **awaiting Vertical**. Once pushed: clean voice VLAN + clean 5 GHz band = calls closed out. + - **Quality caveat + the actual fix (2026-06-19):** the VLAN move does NOT by itself fix call quality. Per-phone re-look found residual dropped-calls are a **band-selection problem, not RF/coverage** -- several Poly handsets sit on saturated 2.4 GHz despite EXCELLENT 5 GHz-capable signal (-50 to -60 dBm, 36-96% retry), and controller band-steering (`no2ghz_oui`, already ON) is NOT holding the Poly OUI on 5 GHz. **The fix is a dedicated 5 GHz network, not phone-side band pinning** -- Richard Turner (Vertical/Poly, 2026-06-24) confirmed Poly phones **cannot** be statically assigned to a band; Poly recommends a **separate 5 GHz SSID** (or disabling band steering on a shared SSID). + - **[PLAN 2026-06-24] CSC ENT device-island consolidation** (Howard + Mike): the phone 5 GHz fix is now merged with the Helpany sensor rollout into one plan -- **repurpose the existing CSC ENT SSID as a 5 GHz-only WPA2 PPSK "device island"** carrying BOTH the Poly voice handsets (PPSK key -> VLAN 30) and the Helpany "Paul" radar sensors (PPSK key -> new VLAN 40), separated at the VLAN layer. Both vendors transition their devices remotely once we hand them the network. Helpany is **WPA2-only** (no WPA3/hybrid) and the Pauls are already on CSC ENT (key `Ftfd85710#`), so they are **not reprogrammed** -- only band-moved; the phones get a new voice key. 
**Onsite gate:** verify per-room 5 GHz coverage before the band flip (steel walls; weak-5 GHz devices stay on 2.4 per both vendors' warning). **CSC ENT is NOT deleted** -- it becomes the permanent WPA2 island, which is the prerequisite that later lets **CSCNet** move to WPA3/WiFi7/6 GHz (that step is separately gated by the ~230 resident 2.4-only/WPA2-only IoT clients, NOT by the voice/sensor gear). Full design + sequence: `docs/network/csc-ent-device-island-plan.md`; folded into `docs/REMAINING-WORK-PLAN.md` Workstream 6. - **Full runbook:** `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`. Voice-quality diagnostic: `reports/2026-06-18-voice-quality-diagnostic.md`. Holistic optimization plan: `docs/network/network-optimization-master-plan.md`; voice QoS design: `docs/network/phase1-voice-qos-design.md`. ### External Vendors & Mail Senders +- **Helpany (resident safety sensors -- Sandro Cilurzo CEO / Eugenie Nicoud COO):** "Paul" devices are **ceiling-mounted radar fall/motion sensors** (Sedimentum backend) -- **no camera, no microphone** (despite being colloquially called "IR cameras"). WiFi: **WPA2-only, NOT WPA3/hybrid**; 5 GHz-capable. Currently on SSID **CSC ENT** (key `Ftfd85710#`), being moved to 5 GHz (see CSC ENT device-island plan in the VoIP/network section). Bandwidth negligible: <0.04 Mbps/device, fleet peak ~1.35 Mbps. Egress to `*.sedimentum.com` (5671 AMQPS, 8883 MQTT, 8030 HTTP, 443) + snapcraft/ubuntu (443). Helpany transitions devices **remotely** (engineering); key rotation needs **72 h notice + new key**; reprogramming offline devices is hard. Rolled out floor-by-floor from 2026-06 (first shipment floors 1-2). Caregiver-facing app = app.safe-living.com (branded "Helpany"). Facility liaison: John Trozzi. - **bill.com (BILL):** Sends from `inform.bill.com`, `hq.bill.com`, `hello.bill.com`, `mc.bill.com`. MX via pphosted.com (Proofpoint). 
Confirmed delivering successfully to meredith.kuhn, ashley.jensen, lauren.hasselman, zachary.nelson as of 2026-06-04. Safe sender: `account-services@inform.bill.com`. - **BOK Financial:** Sends from `bokfinancial.com`. MX via pphosted.com (Proofpoint). DMARC p=reject. Zero emails to any cascadestucson.com user in 90-day history as of 2026-06-04 (likely wrong recipient address on BOK's side for the accounts in question). 
@@ -334,6 +338,7 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **Brother MFC-L8900CDW "Business Office" printer (10.0.20.220) -- Scan-to-Network profile (working 2026-06-09):** Network Folder Path `\\192.168.2.254\AcctDept\Scans`; **Auth Method NTLMv2** (not Auto/Kerberos -- printer can't KDC across VLAN); Username `cascades\svc-scan`; PDF Multi-Page. - **[NETWORK] CS-SERVER cannot reach the VLAN-20 printers** -- main-LAN `192.168.2.x` -> VLAN 20 `10.0.20.x` is blocked at pfSense. Use a VLAN-20 PC's browser or go onsite. The reverse (printer -> CS-SERVER:445) **is** open. - **Persistent drive maps to `\\cs-server\AcctDept`:** Chris (DESKTOP-N5G1ROO) Y:, Zachary (ACCT2-PC) Y:, Lauren (DESKTOP-H6QHRR7) X:. +- **Executive restricted share (built 2026-06-24, ticket #32193):** `D:\Shares\Executive` on CS-SERVER, shared as **`\\cs-server\Executive`**; inheritance broken; SYSTEM / BUILTIN\Administrators = Full; `CASCADES\Ashley.Jensen` + `CASCADES\Meredith.Kuhn` = Modify (no Everyone); share-access limited to the same two + Admins. Mapped persistent `E:` on DESKTOP-U2DHAP0 (Ashley) and ASSISTMAN-PC (Meredith), RW-verified. NOTE: clients reach CS-SERVER SMB at **192.168.2.248** (registered DNS / Ethernet idx16), NOT the .254 Hyper-V vEthernet NIC -- the `phase3-pre-join-verify.ps1` hardcodes .254 and should be updated. RMM dispatch gotcha: build UNC from `[char]92` (heredoc+jq eats `\\`->`\`); surface a remotely-mapped drive in the user's running Explorer with `SHChangeNotify(SHCNE_DRIVEADD)` in their session. ### Synology NAS (cascadesDS) / Shared File Access 
@@ -441,7 +446,19 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing ## Active Work -Syncro live pull 2026-06-20: **0 open tickets.** +> **Canonical remaining-work plan: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live +> AD+RMM domain-join diff). 7 sequenced workstreams + every open ticket mapped to one. Work from it. + +Syncro live pull 2026-06-24: **6 open tickets** -- #32194 (spare machine for new hire), #32230 +(Karen Rossini -> ALDOCS, recheck when she's in), #32254 (Chef-PC reinstall), #32319 (WiFi Room 343), +#32342 (Copy Room switch), #32370 (eFax + scanner). #32193 (Executive restricted share) closed/billed 2026-06-24. + +**Device-readiness for domain migration (2026-06-24 live audit, 15 un-joined online machines):** +- **READY to join** (Pro/Enterprise, internal): DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce), LAPTOP-E0STJJE8; after a reboot: ASSISTMAN-PC (Meredith), ANN-PC, Laptop2; CHEF-PC after #32254. +- **BLOCKED -- Windows Home (cannot domain-join until Pro):** LAPTOP-8P7HDSEI, MDIRECTOR-PC (Shelby), MEMRECEPT-PC, NurseAssist (Veronica), SALES4-PC (Tamra, departing). **Howard handling the Home->Pro upgrades** (list DM'd 2026-06-24). +- **OneDrive KFM ON** (unlink before folder-redirect): LAPTOP-8P7HDSEI, NurseAssist. **Pending reboots + KFM held for onsite.** +- **LAPTOP-DRQ5L558** is off the Cascades LAN (public DNS, no DC reach) -- get on-site before join. +- **Decision 2026-06-24:** caregivers stay TEST-scoped -- do NOT flip the lockdown to go-live until all devices are domain-ready first. **Non-Syncro follow-ups open as of 2026-06-23:** 
@@ -479,7 +496,9 @@ Syncro live pull 2026-06-20: **0 open tickets.** | Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 | | Megan Hiatt (Marketing) | COMPLETE 2026-05-27 -- domain joined via ProfWiz, folder redirection live, data on server | | DESKTOP-KQSL232 (Lois Lane -- CareTakers) | Blocked -- Lois Lane resistant to change; John Trozzi working with her | -| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started | +| CHEF-PC, SALES4-PC, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, LAPTOP-8P7HDSEI | **On Windows Home -- blocked until Home->Pro upgrade** (2026-06-24 audit; Howard handling keys). CHEF-PC also pending #32254 reinstall. | +| ASSISTMAN-PC (Meredith), ANN-PC, DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce) | Pro/Enterprise + internal -- **READY to join** (clear pending reboot onsite first where flagged) (2026-06-24 audit) | +| HEALTH-SERVICES (Lois Lane) | Domain-joined (confirmed 2026-06-24; supersedes the old DESKTOP-KQSL232 "resistant" note for her primary box) | | DESKTOP-TRCIEJA (Lupe Sanchez) | **EOL hardware -- replace instead of migrate.** Decision 2026-06-18. | **Blocking issues / pending:** 
@@ -545,11 +564,19 @@ Syncro live pull 2026-06-20: **0 open tickets.** | 2026-06-19 | **PRODUCTION RF OPTIMIZATION APPLIED (autonomous 2 AM window) -- 5 GHz retry HALVED.** 2.4 power -> MEDIUM on 47 radios (over-thinning fix + MemCare off full power; per-AP targeting). CSCNet BSS-transition ON. 6 GHz attempted but BLOCKED (`Wpa3MandatoryFor6GHzBand`). Blind non-DFS 5 GHz reshuffle tried, failed, rolled back. Howard's correction: scan FIRST, decide from data. Full channel survey (74/74 APs) proved DFS channels here 4-5x cleaner (2-3%) than non-DFS (ch149=12%, ch157=28%). Data-driven clean-DFS plan (8 DFS 40MHz channels, per-AP cleanest + neighbor graph-color, 0 co-channel) applied to 72 non-mesh APs. **Result: 5 GHz retry 8.7->3.8 avg (median 8.2->2.1), satisfaction median 99, all 72 APs holding DFS, 0 radar vacates.** `survey-report.py` added; `channel-plan.sh` made data-driven. | | 2026-06-19 | **Voice VLAN migration COMPLETE (29/29 Poly) + band-selection diagnosis + Vertical 5 GHz handoff.** Howard walked the building, re-keyed all remaining Poly handsets to voice PPSK. Per-phone re-look: most phones on clean 5 GHz (Lauren .202: 2.4/50% -> 5GHz/12%), but several stuck on 2.4 despite -50 to -60 dBm signal -- controller band-steering not holding Poly OUI on 5 GHz. Phone-side fix: **5 GHz-only lock request sent to Richard Turner (Vertical)**, awaiting response = the last voice item. Kitchen server phone bad (pulled by John); Bistro phone relocated to Kitchen; Bistro now has no phone (replacement pending). Billed ticket #32444 (7h: 4 onsite + 3 remote), block 55.75->48.75. 
| | 2026-06-23 | **Planned power outage (05:30-09:00 MST) -- clean shutdown executed + verified.** Building electrical work; to avoid the 6/17 dirty-shutdown damage (and given CS-SERVER's degraded OS mirror), all three core devices were armed 6/22 ~19:06 to self-shut-down on local schedules (CS-SERVER task 05:28, Synology 05:28, pfSense 05:30) -- firing independent of any remote session/tunnel, UPS carrying them through the cut. Verified clean at 05:31: CS-SERVER offline via RMM cloud (last_seen 05:29:49 MST); pfSense/Synology unreachable as expected (pfSense = VPN endpoint). Pre-flight confirmed cloud backup last full SUCCESS (0 errors), iDRAC AC-recovery + Synology auto-restart backstops ON. Bring-up (~09:00, John onsite) pending. Runbook: `docs/runbooks/2026-06-23-planned-power-outage.md`. | +| 2026-06-24 | **Syncro ticket review + #32193 Executive share + device-readiness audit + consolidated plan.** Reviewed/closed a batch of tickets; built restricted share `\\cs-server\Executive` for Ashley.Jensen + Meredith.Kuhn (NTFS+share scoped, E: mapped both machines RW-verified, billed 0.5h block, invoice #1650785728, block 48.75->48.25). Diagnosed two real RMM gotchas (UNC `\\` eaten in dispatch -> build from [char]92; mapped drive not shown until SHChangeNotify DRIVEADD). Fixed malformed priority on #32193/#32194 (Winter flag -> memory). Live AD+RMM domain-join diff: 12 staff PCs joined, ~17 to migrate; **5 on Windows Home blocked until Home->Pro** (Howard handling). Built `docs/REMAINING-WORK-PLAN.md` (7 workstreams). Decision: caregivers stay TEST-scoped until all devices domain-ready. | --- ## Compilation Notes +**2026-06-24 recompile (HOWARD-HOME/claude-main) changes vs. prior (2026-06-23):** +- Surgical/additive update -- prior compile was 1 day old; preserved all sections verbatim, folded in the 2026-06-24 work. +- Billing re-verified live (Syncro): **48.25 hrs / 29 devices / 6 open tickets** (was 48.75 / 0 open). Block draw: 0.5h #32193. 
+- Profile: hours + active-tickets lines updated; Active Work now points at the new `docs/REMAINING-WORK-PLAN.md` and carries the 2026-06-24 device-readiness audit (Home-edition blockers, ready-to-join set, caregiver-test-scoped decision). +- Migration phase-status table: added 2026-06-24 domain-join reality (Home-blocked set, ready set, HEALTH-SERVICES/Lois joined). +- History Highlights: added 2026-06-24 entry. Sources: added the 2026-06-24 session log + REMAINING-WORK-PLAN.md. + **2026-06-23 recompile (HOWARD-HOME/claude-main) changes vs. prior (2026-06-20, GURU-5070):** - Surgical/additive full recompile -- the prior compile was current; the only new knowledge was the 2026-06-23 planned power outage. All other sections preserved verbatim. - Billing re-verified live (Syncro): 48.75 hrs / 29 devices / 0 open tickets -- unchanged since 2026-06-20; "as of" dates advanced to 2026-06-23. Outage day is monitoring, not yet billed. diff --git a/wiki/index.md b/wiki/index.md index 2f7caec0..003d4ba5 100644 --- a/wiki/index.md +++ b/wiki/index.md 
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | Article | Summary | Last Compiled | |---|---|---| -| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **48.75 hrs remaining** (live 2026-06-23); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610, OS RAID-1 degraded 2026-06-15 (data-loss risk; cloud backup started); **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets | 2026-06-23 | +| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **48.25 hrs remaining** (live 2026-06-24); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610, OS RAID-1 degraded 2026-06-15 (data-loss risk; cloud backup started); **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 6 open tickets, device-readiness audit done (5 PCs on Win Home need Home->Pro before join); remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-24 | | [Dataforth 
Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, **31.5 hrs remaining** (live 2026-06-23); signal-conditioning manufacturer; 64 DOS test stations; 2025 ransomware recovery + incomplete file restore (migration-gap audit); 2026-03 phishing + MFA rollout; test-datasheet pipeline (DSCA cert publish via Hoffman API + testdatadb UI on AD2); mail stack INKY->Mailprotector CloudFilter->EXO; FreePBX 17 outage fixed 2026-06-08/09 (qualify_frequency=0; no RTP-forward); shares-ACL project (all open to staff; Phase 2 target-state strawman drafted 2026-06-22); Syncro asset reconciliation 2026-06-02; GuruRMM fleet ~45; Bitdefender phase-off | 2026-06-23 | | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 | | [Jimmy Company](clients/jimmy.md) | Break-fix, $150/hr; single aging workstation BLASTER2 (Win10 22H2 EOL, i5-3470/3.8GB — replace); backups the recurring theme (QuickBooks data); onboarded to GuruRMM 2026-06-19 (RDP NLA + Kaseya removal + cleanup); MSP360 local backup drive full, 90-day retention set, space reclaim pending in console (cloud B2 healthy) | 2026-06-19 |
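Review bot: The CSC ENT pre-shared key is committed in the clear twice in the `@@ -234,11 +236,13 @@` hunk of `clients/cascades-tucson/PROJECT_STATE.md` (the `[PLAN 2026-06-24]` bullet and the new Helpany vendor entry both carry the literal value in a `(key ...)` parenthetical), while the same section already references the voice key only by vault path (`vaulted clients/cascades-tucson/wifi-voice-ppsk`). Replace both literals with a vault reference in the same style. Because the value is now in git history it should be treated as exposed and rotated; the Helpany entry itself notes that rotation needs 72 h notice plus a new key and that reprogramming offline devices is hard, so the rotation is best folded into the planned CSC ENT device-island cutover rather than done as a separate step.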
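Review bot: The new Executive-share bullet in the `@@ -334,6 +338,7 @@` hunk of `PROJECT_STATE.md` records a known defect only as an inline NOTE: `phase3-pre-join-verify.ps1` hardcodes `192.168.2.254` while clients actually reach CS-SERVER SMB at `192.168.2.248`, so a pre-join verification run against .254 exercises the Hyper-V vEthernet path rather than the address users hit. Fix the script or add it to `docs/REMAINING-WORK-PLAN.md` so it is tracked. The same bullet should also state explicitly that `SYSTEM / BUILTIN\Administrators = Full` means every local or domain admin on CS-SERVER can read the executive data; that is the normal boundary for a "restricted" share, but the owners should know it, and if the data warrants it, object-access auditing on `D:\Shares\Executive` is the usual compensating control.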
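Review bot: CHEF-PC is placed in the "On Windows Home -- blocked until Home->Pro upgrade" row of the phase-status table in the `@@ -479,7 +496,9 @@` hunk, but the Active Work audit added in the same commit (`@@ -441,7 +446,19 @@`) lists CHEF-PC under "READY to join (Pro/Enterprise, internal)" pending #32254 and counts five Home-edition machines, not six. One of the two is wrong; either move CHEF-PC to the READY row (keeping the #32254 reinstall note) or correct the audit's count and list. The READY row also omits LAPTOP-E0STJJE8 and Laptop2, which the audit lists as ready, so the table and the audit should be reconciled from the same live AD+RMM diff.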
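Review bot: The updated Cascades summary line in the `wiki/index.md` hunk (`@@ -18,7 +18,7 @@`) still says "awaiting Vertical to set Poly 5GHz-only", which this same commit retracts in `PROJECT_STATE.md` (Richard Turner confirmed 2026-06-24 that Poly phones cannot be assigned to a band; the fix is the CSC ENT 5 GHz-only device island). It also keeps "~38 devices: 29 Poly + 8 AudioCodes + desktop" while `PROJECT_STATE.md` counts 28 Poly + 8 AudioCodes + 1 desktop = 37 after the bad Kitchen handset was pulled. Since the index is the first thing readers and `/wiki-lint` consult, both phrases should be updated to match the client page in this commit.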