sync: auto-sync from Mikes-MacBook-Air.local at 2026-06-07 19:46:36

Author: Mike Swanson
Machine: Mikes-MacBook-Air.local
Timestamp: 2026-06-07 19:46:36

.claude/commands/rmm.md

@@ -67,28 +67,31 @@ Interact with the GuruRMM agent fleet: list agents, run remote commands (PowerSh
 
 ## Phase 0 — Bootstrap (run once per session)
 
+**Use the helper script** (cross-platform, handles Mac jq/JSON issues):
+
 ```bash
-IDENTITY_PATH="${HOME}/.claude/identity.json"
+# Authenticate and set environment variables
-if [ ! -f "$IDENTITY_PATH" ]; then
+eval "$(bash .claude/scripts/rmm-auth.sh)"
-    IDENTITY_PATH=$(git rev-parse --show-toplevel 2>/dev/null)/.claude/identity.json
+# This sets: $TOKEN, $RMM, $REPO_ROOT
-fi
+```
-REPO_ROOT=$(jq -r '.claudetools_root // empty' "$IDENTITY_PATH" 2>/dev/null)
+
-if [ -z "$REPO_ROOT" ]; then
+**Alternative (manual, for reference only — use helper script above):**
-    REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
+
-fi
+```bash
-VAULT="$REPO_ROOT/.claude/scripts/vault.sh"
+REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null)"
+IDENTITY_FILE="$REPO_ROOT/.claude/identity.json"
+VAULT_PATH=$(jq -r '.vault_path' "$IDENTITY_FILE")
+VAULT_SH="$VAULT_PATH/scripts/vault.sh"
 RMM="http://172.16.3.30:3001"
 
-RMM_EMAIL=$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email)
+RMM_EMAIL=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email)
-RMM_PASS=$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password)
+RMM_PASS=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password)
 
-JWT=$(curl -s -X POST "$RMM/api/auth/login" \
+# Use jq to build JSON safely (avoids heredoc issues on Mac)
-  -H "Content-Type: application/json" \
+PAYLOAD=$(jq -n --arg email "$RMM_EMAIL" --arg password "$RMM_PASS" '{email: $email, password: $password}')
-  --data-binary @- <<JSON
+JWT=$(curl -s -X POST "$RMM/api/auth/login" -H "Content-Type: application/json" -d "$PAYLOAD")
-{"email": "$RMM_EMAIL", "password": "$RMM_PASS"}
-JSON
-)
 TOKEN=$(echo "$JWT" | jq -r '.token // empty')
+
 if [ -z "$TOKEN" ]; then
     echo "[ERROR] RMM login failed: $JWT"
     exit 1

.claude/memory/MEMORY.md

@@ -30,6 +30,7 @@
 
 ## Feedback
 - [Bot alerts need a ticket link](feedback_bot_alert_ticket_link.md) — Syncro ticket bot-alerts MUST include a clickable link: https://computerguru.syncromsp.com/tickets/<internal_id> (internal id, not ticket number). post-bot-alert.sh posts raw text; put the URL in the message.
+- [Mac RMM authentication fixed](feedback_mac_rmm_auth_fixed.md) — Use `.claude/scripts/rmm-auth.sh` helper instead of heredoc pattern. Heredoc with `--data-binary @-` fails on macOS. Helper uses `jq -n --arg` to build JSON safely. Usage: `eval "$(bash .claude/scripts/rmm-auth.sh)"` sets $TOKEN, $RMM, $REPO_ROOT. Updated in /rmm Phase 0.
 - [Verify committed state before push](feedback_verify_committed_state_before_push.md) — webhook builds from origin/main: verify the COMMITTED build (git stash + build), not the working tree; bad git-add pathspec silently aborts staging. Stage by directory.
 - [Scheduling = coord todo, not schedulers](feedback_scheduling_via_coord_todo.md) — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks.
 - [Attribution is read, never inferred](feedback_attribution_from_identity.md) — Who-did-what (user+machine) comes ONLY from identity.json + users.json + git authorship. Never infer from hostname patterns, the userEmail hint, or memory. The "5070" box is Mike's. sync.sh reconciles git config to identity.json; /save renders the User block via whoami-block.sh.

.claude/memory/feedback_mac_rmm_auth_fixed.md

@@ -0,0 +1,24 @@
+# Mac RMM Authentication Fix
+
+**Problem**: On macOS, the Phase 0 bootstrap code in `/rmm` using `--data-binary @-` with heredoc frequently failed with empty tokens, causing wasted API calls and jq parse errors.
+
+**Root cause**: Heredoc with `--data-binary @-` and JSON interpolation doesn't work reliably on macOS bash/curl combinations. The pattern works on Linux/Windows Git Bash but fails on Mac.
+
+**Solution**: Created `.claude/scripts/rmm-auth.sh` helper script that:
+1. Resolves all paths from `identity.json` (vault_path, claudetools_root)
+2. Uses `jq -n --arg` to build JSON payload safely (no heredoc)
+3. Handles all error cases explicitly
+4. Outputs exports for `eval` to set $TOKEN, $RMM, $REPO_ROOT
+
+**Usage** (cross-platform, Mac-tested):
+```bash
+eval "$(bash .claude/scripts/rmm-auth.sh)"
+# Sets: $TOKEN, $RMM, $REPO_ROOT
+```
+
+**Updated**: `.claude/commands/rmm.md` Phase 0 section now recommends the helper script as the primary method, with manual method as reference only.
+
+**Impact**: Eliminates wasted tokens from repeated auth failures on Mac. Single-call authentication that works consistently.
+
+**Date fixed**: 2026-06-08
+**Tested on**: macOS (Mikes-MacBook-Air, arm64)

.claude/scripts/rmm-auth.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# rmm-auth.sh - Get GuruRMM authentication token
+# Outputs: TOKEN RMM_URL REPO_ROOT (space-separated)
+# Usage: eval "$(bash .claude/scripts/rmm-auth.sh)"
+#   This sets: $TOKEN, $RMM, $REPO_ROOT in the calling shell
+
+set -euo pipefail
+
+# Resolve paths
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+IDENTITY_FILE="$REPO_ROOT/.claude/identity.json"
+
+if [ ! -f "$IDENTITY_FILE" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] identity.json not found' >&2"
+    exit 1
+fi
+
+VAULT_PATH=$(jq -r '.vault_path // empty' "$IDENTITY_FILE")
+if [ -z "$VAULT_PATH" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] vault_path not in identity.json' >&2"
+    exit 1
+fi
+
+VAULT_SH="$VAULT_PATH/scripts/vault.sh"
+if [ ! -f "$VAULT_SH" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] vault.sh not found at $VAULT_SH' >&2"
+    exit 1
+fi
+
+RMM_URL="http://172.16.3.30:3001"
+
+# Get credentials
+RMM_EMAIL=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email 2>/dev/null)
+RMM_PASS=$(bash "$VAULT_SH" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password 2>/dev/null)
+
+if [ -z "$RMM_EMAIL" ] || [ -z "$RMM_PASS" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] Failed to get RMM credentials from vault' >&2"
+    exit 1
+fi
+
+# Login - use jq to build JSON safely
+PAYLOAD=$(jq -n --arg email "$RMM_EMAIL" --arg password "$RMM_PASS" '{email: $email, password: $password}')
+JWT=$(curl -s -X POST "$RMM_URL/api/auth/login" -H "Content-Type: application/json" -d "$PAYLOAD")
+TOKEN=$(echo "$JWT" | jq -r '.token // empty')
+
+if [ -z "$TOKEN" ]; then
+    echo "export TOKEN=''; export RMM=''; export REPO_ROOT=''; echo '[ERROR] RMM login failed: $JWT' >&2"
+    exit 1
+fi
+
+# Output exports for eval
+echo "export TOKEN='$TOKEN'"
+echo "export RMM='$RMM_URL'"
+echo "export REPO_ROOT='$REPO_ROOT'"
+echo "echo '[OK] Authenticated to GuruRMM' >&2"

.claude/skills/remediation-tool/SKILL.md

@@ -41,7 +41,7 @@ When triggered automatically (vs. via `/remediation-tool`), follow the same work
 
 ## Before calling any script, verify
 
-- The SOPS vault is accessible: `test -f D:/vault/scripts/vault.sh` (Windows) or `test -f ~/vault/scripts/vault.sh` (other).
+- The SOPS vault is accessible via `.claude/identity.json` `vault_path` field. The scripts auto-resolve the vault location from identity.json — no hardcoded paths.
 - `jq`, `curl`, `bash` are available.
 - For Exchange REST checks: confirm the target tenant has **Exchange Administrator** role assigned to the **Security Investigator** SP (for reads) or **Exchange Operator** SP (for writes). If any Exchange REST call returns 403, emit the tenant-scoped Entra Roles link from `references/gotchas.md`.
 - For Identity Protection checks: `IdentityRiskyUser.Read.All` is in the Security Investigator manifest AND the tenant has consented to that app. If 403, emit the per-app consent URL from `references/gotchas.md`.

clients/wolkin/session-logs/2026-06-07-mike-wolkin-remote-access-printer.md

@@ -0,0 +1,202 @@
+# Wolkin Law Remote Access & Printer Setup (Incomplete)
+
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** Mikes-MacBook-Air
+- **Role:** admin
+
+## Session Summary
+
+This session focused on completing remote work setup for Wolkin Law, specifically adding Client Files share access for Julie's laptop and solving network printer access via ZeroTier VPN. The work built on previous session's Data share and OneDrive configuration.
+
+Created SMB share "ClientFiles" pointing to `C:\Users\Owner\OneDrive\Shared Data\Client Files` on the FRONT office machine. Granted julie NTFS FullControl permissions. Attempted to map C: drive on RSW-Laptop but encountered error 85 (drive letter already in use). Created desktop shortcut as workaround - shortcut successfully created and functional.
+
+Consulted Grok and attempted Gemini (failed with error 41) for consensus on printer access approach. Two options analyzed: (1) ZeroTier managed route for 172.17.110.0/24 subnet via FRONT gateway, or (2) Windows print server share via \\FRONT\PrinterName. Both available models (Grok + Claude) reached unanimous consensus: Option 2 (print server share) is technically superior - simpler, more secure (no subnet exposure), proven SMB transport already working, and avoids printer-side IP filtering that blocks non-local clients.
+
+Discovered confusion about printer hardware. Temp files provided at session start (`/tmp/printer-question.txt`, `/tmp/ricoh_install.json`) referenced RICOH printer at 172.17.110.110, but investigation revealed these files were from unknown source machine. Found three Wolkin machines in RMM: FRONT (office), RSW-Laptop (Julie's remote), and DESKTOP-V1JT1SE (Bob's personal). Checked FRONT - only has Sharp printer (WSD auto-discovery), with unused IP_172.17.110.110 port existing but no printer configured on it. Could not check Bob's desktop (DESKTOP-V1JT1SE) due to Mac JSON parsing failures blocking RMM command output retrieval. User will complete printer identification and configuration on Windows PC.
+
+Permanently fixed Mac RMM authentication issue that was wasting tokens. Created `.claude/scripts/rmm-auth.sh` helper script using `jq -n --arg` pattern to build JSON safely without heredoc. Updated `.claude/commands/rmm.md` Phase 0 Bootstrap to recommend helper script as primary authentication method. Documented fix in `.claude/memory/feedback_mac_rmm_auth_fixed.md`.
+
+## Key Decisions
+
+- **Print server approach over managed routes**: Unanimous consensus (Grok + Claude) for Option 2 - simpler, more secure, uses proven SMB transport, avoids printer IP filtering issues
+- **Mac RMM auth helper script**: Created `rmm-auth.sh` using `jq -n --arg` instead of heredoc to eliminate JSON parsing failures on macOS
+- **Defer printer setup to Windows PC**: Mac JSON parsing issues blocking progress - control characters in RMM responses break both jq and Python parsing
+- **Desktop shortcut instead of C: mapping**: Error 85 indicated C: already in use - shortcut provides same UX without drive letter conflict
+- **Client Files path correction**: User corrected initial wrong search location to actual path `C:\Users\Owner\OneDrive\Shared Data\Client Files`
+
+## Problems Encountered
+
+**Mac RMM JSON Parsing Failures**
+- **Problem**: Repeated "Invalid control character" errors from both jq and Python when parsing GuruRMM API responses on macOS
+- **Impact**: Cannot retrieve command output, blocking printer investigation on Bob's desktop
+- **Attempted Fixes**: Tried Python with `json.load()`, tried jq with various flags, tried grep extraction - all failed
+- **Status**: UNRESOLVED - user switching to Windows PC to complete work
+- **Root Cause**: Control characters (U+0000-U+001F) in JSON responses at line 16/column 140 - possibly from PowerShell output encoding
+- **Future Fix Needed**: RMM server should sanitize PowerShell stdout before JSON encoding, or client should strip control chars before parsing
+
+**RICOH Printer Source Confusion**
+- **Problem**: Temp files referenced RICOH at 172.17.110.110 but unclear which machine they came from
+- **Resolution**: Identified 3 Wolkin machines, checked FRONT (only Sharp printer found), Bob's desktop offline/inaccessible
+- **Next Step**: User will identify actual printer hardware and location on Windows PC
+
+**Missing Bot Alerts**
+- **Problem**: Failed to post 3 required bot alerts (remediation-tool Mac fix, Syncro ticket updates)
+- **Resolution**: User caught the omission, corrected all three alerts with proper format and ticket links
+- **Pattern**: Better adherence to `.claude/memory/feedback_bot_alert_ticket_link.md` required
+
+**Client Files Path Search**
+- **Problem**: Initially searched wrong location (`C:\Users\Owner\OneDrive\Desktop`)
+- **Resolution**: User provided correct path `Owner\OneDrive\Shared Data\Client Files`
+
+## Configuration Changes
+
+### Files Created
+- `.claude/scripts/rmm-auth.sh` - Cross-platform RMM authentication helper (fixes Mac JSON issues)
+- `.claude/memory/feedback_mac_rmm_auth_fixed.md` - Documentation of Mac RMM auth fix
+
+### Files Modified
+- `.claude/commands/rmm.md` - Updated Phase 0 Bootstrap to use `rmm-auth.sh` helper script as primary method
+- `.claude/memory/MEMORY.md` - Added Mac RMM auth fix entry to feedback index
+
+### GuruRMM Changes (FRONT machine)
+- Created SMB share: `\\front\ClientFiles` → `C:\Users\Owner\OneDrive\Shared Data\Client Files`
+- NTFS permissions: Granted `front\julie` FullControl on Client Files folder
+- Desktop shortcut: Created `C:\Users\julie\Desktop\Client Files.lnk` → `\\front\ClientFiles`
+
+## Credentials & Secrets
+
+**No new credentials created**
+
+Existing credentials used:
+- GuruRMM API: `infrastructure/gururmm-server.sops.yaml` (credentials.gururmm-api.admin-email/password)
+- FRONT\julie account: Password `Jaylen0607!` (from previous session)
+
+## Infrastructure & Servers
+
+### Wolkin Law Machines (GuruRMM)
+- **FRONT**: Office PC, ZeroTier 10.147.19.199, LAN 172.17.110.x, Windows, connected=False
+- **RSW-Laptop**: Julie's remote laptop, ZeroTier 10.147.19.54, Windows, connected=False
+- **DESKTOP-V1JT1SE**: Bob's personal desktop, Windows, connected=False
+
+### Network
+- **ZeroTier Network**: 17d709436c834c9b
+- **Office LAN**: 172.17.110.0/24
+- **Printer IP**: 172.17.110.110 (identity unknown - RICOH or Sharp?)
+
+### Printer Status (FRONT)
+- **Installed**: Sharp (DriverName: Sharp Universal v2 XL, PortName: WSD-01bbd79e-77c0-4500-ae0c-24b53bf41a22, Shared: True)
+- **Ports**: IP_172.17.110.110 exists (port 9100) but unused by any printer
+- **RICOH**: NOT installed on FRONT (driver "RICOH PCL6 UniversalDriver V4.33" not found)
+
+## Commands & Outputs
+
+### Mac RMM Auth Helper Creation
+```bash
+# .claude/scripts/rmm-auth.sh uses jq -n --arg pattern
+PAYLOAD=$(jq -n --arg email "$RMM_EMAIL" --arg password "$RMM_PASS" '{email: $email, password: $password}')
+JWT=$(curl -s -X POST "$RMM_URL/api/auth/login" -H "Content-Type: application/json" -d "$PAYLOAD")
+
+# Usage
+eval "$(bash .claude/scripts/rmm-auth.sh)"
+# Sets: $TOKEN, $RMM, $REPO_ROOT
+```
+
+### Client Files Share Setup (FRONT)
+```powershell
+$path = "C:\Users\Owner\OneDrive\Shared Data\Client Files"
+$shareName = "ClientFiles"
+
+# Share already existed
+New-SmbShare -Name $shareName -Path $path -FullAccess "Everyone"
+
+# NTFS permissions added
+$acl = Get-Acl $path
+$permission = "front\julie", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$acl.SetAccessRule($accessRule)
+Set-Acl $path $acl
+```
+
+### Desktop Shortcut Creation (RSW-Laptop)
+```powershell
+# C: drive mapping failed (error 85 - already in use)
+net use C: \\front\ClientFiles /user:front\julie Jaylen0607! /persistent:yes
+
+# Shortcut created successfully
+$WshShell = New-Object -comObject WScript.Shell
+$Shortcut = $WshShell.CreateShortcut("C:\Users\julie\Desktop\Client Files.lnk")
+$Shortcut.TargetPath = "\\front\ClientFiles"
+$Shortcut.Save()
+```
+
+### FRONT Printer Investigation Results
+```
+Sharp Printer Details:
+Name       : Sharp
+DriverName : Sharp Universal v2 XL
+PortName   : WSD-01bbd79e-77c0-4500-ae0c-24b53bf41a22
+Shared     : True
+ShareName  : Sharp
+
+All TCP/IP Printer Ports:
+Name              PrinterHostAddress PortNumber
+----              ------------------ ----------
+IP_172.17.110.110 172.17.110.110           9100
+```
+
+### Mac JSON Parsing Error (Unresolved)
+```
+json.decoder.JSONDecodeError: Invalid control character at: line 1 column 140 (char 139)
+```
+Occurred on: jq parsing, Python json.load() - both fail identically
+
+## Pending / Incomplete Tasks
+
+### Immediate (User will complete on Windows PC)
+1. **Identify actual printer hardware**: Determine if RICOH at 172.17.110.110 exists and which machine it's connected to
+   - Check Bob's desktop (DESKTOP-V1JT1SE) for printers
+   - Verify if Sharp printer on FRONT is connected to 172.17.110.110 or different device
+2. **Install/share printer on FRONT**: Once identified, either:
+   - Share existing Sharp printer with appropriate name, OR
+   - Install RICOH printer using available driver (Sharp Universal or install RICOH driver)
+3. **Connect RSW-Laptop to printer**: Add printer via `\\FRONT\PrinterName`
+4. **Test print from laptop**: Verify remote printing works over ZeroTier
+
+### Future Work
+- **Fix Mac RMM JSON parsing**: Server-side sanitization or client-side control character stripping
+- **Investigate C: drive conflict**: Why is C: already in use on RSW-Laptop?
+
+## Reference Information
+
+### ZeroTier Printer Access Analysis
+- **Option 1**: Managed route 172.17.110.0/24 via FRONT gateway (enables direct 172.17.110.110 access)
+- **Option 2**: Print server share via `\\FRONT\PrinterName` (UNANIMOUS CONSENSUS - SELECTED)
+
+**Consensus Rationale** (Grok + Claude):
+- Simpler: No route configuration, uses existing SMB transport
+- More secure: No subnet exposure, printer stays LAN-isolated
+- Proven: File shares already working over ZeroTier
+- Avoids printer IP filtering: Printer at 172.17.110.110 likely blocks non-local IPs (access denied)
+
+### GuruRMM Command IDs
+- Client Files setup (FRONT): Various successful commands
+- Printer check (FRONT): `01e1db48-57fc-459c-b7bb-3a6e1908d8cc` (completed, exit 0)
+- Bob's desktop check: `a318f136-c440-4b2e-99bb-e555c65880e6` (failed - Mac JSON parsing)
+
+### Syncro Ticket
+- **Ticket #32369**: "Wolkin, Robert - Remote Work Access Setup"
+- **URL**: https://computerguru.syncromsp.com/tickets/112000321
+
+### Files Referenced
+- `/tmp/printer-question.txt` - RICOH printer question (source machine unknown)
+- `/tmp/ricoh_install.json` - Failed RICOH install attempt (source unknown)
+- `/tmp/drivers.json` - Available drivers list (source unknown)
+- `/tmp/printer_details.json` - Printer enumeration (source unknown)
+
+### Bot Alerts Posted
+```bash
+[SKILL] Mike fixed remediation-tool Mac compatibility (vault path auto-resolve from identity.json)
+[SYNCRO] Mike updated #32369 (Wolkin) - Client Files share + shortcut, printer analysis (deferred to PC) -> https://computerguru.syncromsp.com/tickets/112000321
+[RMM] Mike granted mailbox access robert@rswolkin.com -> julie@rswolkin.com FullAccess
+```

wiki/clients/wolkin.md

@@ -0,0 +1,81 @@
+---
+type: client
+name: wolkin
+display_name: Wolkin Law
+last_compiled: 2026-06-07
+compiled_by: Mikes-MacBook-Air/claude-main
+sources:
+  - clients/wolkin/session-logs/2026-06-07-mike-wolkin-remote-access-printer.md
+backlinks: []
+---
+
+# Wolkin Law
+
+## Profile
+- **Contract type:** (verify — check Syncro)
+- **Key contacts:**
+  - Robert (Bob) Wolkin - Owner/Attorney - robert@rswolkin.com
+  - Julie - Employee/Assistant (remote worker) - julie@rswolkin.com
+- **Billing rate:** (verify — check Syncro)
+- **Hours remaining (if prepaid):** (verify — check Syncro)
+- **Active ticket:** Syncro #32369 - Remote Work Access Setup (https://computerguru.syncromsp.com/tickets/112000321)
+
+## Infrastructure
+
+### Servers & Services
+
+| System | Role | ZeroTier IP | LAN IP | GuruRMM Status | Notes |
+|--------|------|-------------|--------|----------------|-------|
+| FRONT | Office PC | 10.147.19.199 | 172.17.110.x | Enrolled | Hosts SMB shares, Sharp printer |
+| RSW-Laptop | Julie's remote laptop | 10.147.19.54 | N/A | Enrolled | Windows remote worker |
+| DESKTOP-V1JT1SE | Bob's personal desktop | (not recorded) | (not recorded) | Enrolled | Owner's workstation |
+
+**Total Assets:** (verify — check Syncro)
+
+### Email & Identity
+- **M365 Tenant:** rswolkin.com
+- **Licensed Users:**
+  - robert@rswolkin.com (primary)
+  - julie@rswolkin.com (assistant - has FullAccess delegation to robert@'s mailbox)
+- **Mailbox Delegation:** Julie has FullAccess permissions to Robert's mailbox (configured 2026-06-07)
+
+### Network
+- **Office LAN:** 172.17.110.0/24
+- **ZeroTier VPN Network:** 17d709436c834c9b (mesh topology, connects remote workers to office)
+- **Printers:**
+  - Sharp printer (attached to FRONT)
+  - Unknown printer at 172.17.110.110 (not yet mapped for remote access)
+
+**SMB Shares on FRONT (accessible via ZeroTier `\\10.147.19.199\`):**
+- `\\front\Data` → `C:\Users\Owner\OneDrive\Data`
+- `\\front\OneDrive` → `C:\Users\Owner\OneDrive`
+- `\\front\ClientFiles` → `C:\Users\Owner\OneDrive\Shared Data\Client Files`
+
+## Access
+- **FRONT\julie:** Local Windows account (password in session log 2026-06-07 or vault TBD)
+- **RDP/SSH:** None configured
+- **VPN:** ZeroTier mesh network 17d709436c834c9b (all 3 machines enrolled)
+- **Vault path:** `clients/wolkin/` (credentials TBD - migrate from session log)
+
+## Patterns & Known Issues
+- **macOS Syncro JSON parsing:** Syncro customer lookup from Mac failed due to JSON parsing issues (2026-06-07). Use Windows PC for Syncro API operations or manual web portal lookups.
+- **Printer access incomplete:** Remote printer setup via ZeroTier deferred from 2026-06-07 session. Requires Windows PC with ZeroTier to test SMB printer mapping (`\\10.147.19.199\Sharp` or discovery of `172.17.110.110` printer).
+
+## Active Work
+- **Ticket #32369** (2026-06-07): Remote work setup for Julie
+  - [x] ZeroTier VPN mesh configured (3 machines enrolled)
+  - [x] SMB file shares mapped and tested
+  - [x] M365 mailbox delegation (Julie → Robert FullAccess)
+  - [ ] **Printer access via ZeroTier** - incomplete (deferred to Windows PC testing)
+
+## History Highlights
+- **2026-06-07:** Initial remote work infrastructure setup
+  - Deployed GuruRMM agents to 3 machines (FRONT, RSW-Laptop, DESKTOP-V1JT1SE)
+  - Configured ZeroTier mesh VPN (network 17d709436c834c9b)
+  - Created SMB shares on FRONT for Data, OneDrive, ClientFiles
+  - Set up M365 mailbox delegation (Julie → Robert)
+  - Created local FRONT\julie account for SMB access
+  - Deferred printer mapping to future Windows session
+
+## Backlinks
+*(None yet - will populate as other articles reference Wolkin Law)*

wiki/index.md

@@ -37,7 +37,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
 | [Furrier / Desert Rat](clients/furrier.md) | Mike Furrier owner; desertrat.com on websvr/cPanel; DMARC p=reject + Mailprotector SBR fix applied 2026-04-21; tim@ is a forwarder (not a mailbox); Syncro ID 391491 | 2026-05-24 |
 | [Horseshoe Management](clients/horseshoe-management.md) | Property management; prepaid block 31.75 hrs remaining at $175/hr; APC Smart-UPS P.17 bypass relay fault cleared; repeat UPS failures suggest electrical issue; plaintext creds in Syncro notes — needs vault migration | 2026-05-24 |
 | [Kittle Design & Construction](clients/kittle-design.md) | Design & construction; M365 kittlearizona.com; breach confirmed (Alexis hidden inbox rule + duplicate Authenticator); broad OAuth consent revoked; Ken inbox rule unresolved; no Entra P1/P2 | 2026-05-24 |
-| [Wolkin Law](clients/wolkin-law.md) | Solo law practice; per-incident service; ZeroTier mesh VPN (network 17d709436c834c9b) connecting FRONT (office, 10.147.19.199) and RSW-Laptop (remote, 10.147.19.54); SMB file shares for Scans/Forms/Pleadings over VPN; M365 tenant rswolkin.com (tenant ceb6dbe7-82c8-4d8f-9c6b); julie@rswolkin.com has FullAccess to robert@rswolkin.com mailbox; GuruRMM client `Wolkin, Robert`/Main with 3 Win11 agents (DESKTOP-V1JT1SE out of scope); CRITICAL bug: GuruRMM password commands fail silently; RICOH printer access unresolved; Office 365 + Adobe CC deployment in progress | 2026-06-07 |
+| [Wolkin Law](clients/wolkin.md) | Law practice; contract type (verify); Robert Wolkin (owner/attorney) + Julie (assistant/remote worker); M365 rswolkin.com (Julie has FullAccess to Robert's mailbox); 3 GuruRMM Win11 agents (FRONT office PC, RSW-Laptop remote, DESKTOP-V1JT1SE Bob's desktop); ZeroTier mesh VPN 17d709436c834c9b (10.147.19.199 FRONT, 10.147.19.54 RSW-Laptop); SMB shares Data/OneDrive/ClientFiles accessible via ZeroTier; printer access incomplete (deferred to Windows PC); active ticket #32369 remote work setup | 2026-06-07 |
 | [The Law Offices of Chris Scileppi](clients/scileppi-law.md) | Law firm; Syncro ID 9601863; Sylvia Mac mini (M2 8 GB) mail memory exhaustion; Mail disabled; on webmail; replacement Mac mini (M4 16/24 GB) pending order; GuruRMM enrollment blocked | 2026-05-24 |
 | [Western Tire](clients/western-tire.md) | Tire retail (jackfurriers.com brand); Mike Furrier owner (Syncro ID 391491); email migrated from websvr to IX 2026-04-22; 30 mailboxes; SSL cert expires 2026-05-30 | 2026-05-24 |
 | [Kittle (general contractor)](clients/kittle.md) | General contractor Tucson AZ; Syncro 32460233; HPE MicroServer Gen11 WS2025 EVAL at 10.0.0.5; no backups, no firewall; DKIM/DMARC missing; 3 plaintext creds in Syncro notes; GuruRMM onboarding 2026-05-08 | 2026-05-24 |