diff --git a/session-logs/2026-04-17-session.md b/session-logs/2026-04-17-session.md new file mode 100644 index 0000000..6a64c1b --- /dev/null +++ b/session-logs/2026-04-17-session.md 
@@ -0,0 +1,175 @@ +# Session Log — 2026-04-17 + +## User +- **User:** Mike Swanson (mike) +- **Machine:** DESKTOP-0O8A1RL +- **Role:** admin +- **Mode:** client/infra (mixed) + +## Session Summary + +Full day of client security work + infrastructure + tooling. Major items: Jupiter OwnCloud migration confirmed complete, Glaztech phishing incident (32 messages purged, MX/DMARC/EFC hardened), MVAN DMARC added, Syncro PSA integration built, GoDaddy API onboarded, jparkinson DNS fixes, Neptune access issues. + +## Work Completed + +### 1. Jupiter OwnCloud migration — confirmed complete +- rsync finished at 22:59 MST (2h49m total for ~750G uncompressed) +- Cache dropped from 82% (756G) to 34% (311G) +- MariaDB-Official + Discourse running healthy 7+ hours post-migration +- OwnCloud VM running, share config changed to `shareUseCache="no"` + +### 2. Glaztech phishing incident — full remediation +**Two phishing campaigns bypassing MailProtector via exposed M365 MX record:** + +Campaign 1: "ATTN: MaiIbox Password Login Expire" (spoofed alexander@, from 23.94.30.18 ColoCrossing) +Campaign 2: "HR Paperwork – Awaiting Completion Approval" (spoofed enrique@, from 86.38.225.18) + +Both: SPF FAIL, DKIM none, DMARC FAIL (p=none), SCL 1 (M365 didn't flag), connected directly to MX 10 bypassing MailProtector. + +**Actions taken:** +- Removed MX 10 (glaztech-com.mail.protection.outlook.com) from DNS on IX +- Updated DMARC from p=none to p=reject +- Enabled Enhanced Filtering for Connectors (EFSkipIPs: MailProtector IPs) +- Purged 32 messages across 8 mailboxes (alexander, seastman, dominic, jack, bryce, cesar, daryld, holly) +- Saved forensic .eml + .json samples +- Onboarded Glaztech to remediation tool (admin consent + Exchange Admin role) +- Syncro ticket #32165 created + billed + +**Glaztech tenant:** 82931e3c-de7a-4f74-87f7-fe714be1f160 +**Remediation tool roles:** Exchange Administrator assigned to ComputerGuru - AI Remediation SP + +### 3. 
MVAN phishing — DMARC added +- mvaninc.com had NO DMARC, NO MailProtector, direct M365 MX only +- Added DMARC p=reject via GoDaddy web GUI (delegate access from MVAN) +- Syncro ticket #32166 created with notes to client about MailProtector add-on option and other domains needing protection +- MVAN tenant: 5affaf1e-de89-416b-a655-1b2cf615d5b1 (already consented for remediation tool) + +### 4. /syncro command — Syncro PSA integration +Built `/syncro` slash command for ticket management via Syncro REST API. + +**Key discovery:** Time is added as part of the comment, NOT via separate timer endpoint. +- `POST /tickets/{id}/comment` with `product_id`, `minutes_spent`, `bill_time_now` fields +- Timer entries (`/tickets/{id}/timer_entry`) exist but rarely used +- Invoice creation: `POST /invoices` with `ticket_id` + `customer_id` +- Invoice line items: `POST /invoices/{id}/line_items` + +**Labor product IDs:** +- 1190473 — Labor - Remote Business +- 26118 — Labor - Onsite Business +- 26184 — Labor - Emergency or After Hours Business +- 9269129 — Labor - Prepaid Project Labor +- 9269124 — Labor - Internal Labor +- 26117 — Fee - Travel Time +- 68055 — Labor - Website Labor + +**Glaztech billing:** Prepaid Hours - Block (product 46303) at $130/hr, 40hr blocks + +### 5. GoDaddy API — onboarded +- Created Production API key "RemediationTools" +- Vaulted at `services/godaddy-api.sops.yaml` +- Can manage DNS for ACG-owned domains programmatically +- Delegate domains (client-managed) only accessible via web GUI, NOT API +- MVAN delegated access accepted but API still returns 403 (known GoDaddy limitation) + +### 6. 
jparkinsonaz.com DNS fixes +- Added DMARC: `p=reject; sp=reject` +- Added autodiscover: CNAME → mail.acghosting.com +- Changed A record: 72.194.62.7 (IX) → 67.206.163.124 (Neptune) — mail-only domain, no website +- Required `pdns_control reload` after zone file edits (regular PowerDNS restart not sufficient) +- Required `/usr/local/cpanel/scripts/dnscluster synczone` for cluster propagation +- Serial format: epoch-based (NOT YYYYMMDDNN) — use incrementing epoch or zone check fails +- Neptune certbot for autodiscover failing — likely DNS propagation delay (14400s TTL on old A) + +### 7. desertrat.com DNS audit +- MX: mail.desertrat.com → 162.248.93.81 (ACG WebSvr/NFOservers VDS, NOT MailProtector) +- SPF: includes spf.wdsolutions.com (WD Solutions/SmarterMail), uses ~all (softfail) +- DMARC: MISSING +- DNS: AWS Route 53 (not IX or GoDaddy) +- Needs: DMARC p=reject, SPF ~all → -all, eventual migration to IX + MailProtector +- Recommended SPF with MailProtector added: `v=spf1 +a +mx +ip4:162.248.93.233 +ip4:162.248.93.81 +include:spf.wdsolutions.com +include:spf.us.emailservice.io -all` + +### 8. 
Neptune password reset — failed +- Attempted to set jparkinson password to `jP$48504850` on Neptune (jparkinsonaz.com domain) +- Neptune at 67.206.163.124 (public) / 172.16.3.50 (internal) +- WinRM from AD2 failed (Kerberos cross-domain), direct WinRM from workstation failed (Negotiate auth error) +- Internal IP 172.16.3.50 has RDP + WinRM open but auth failed +- May have caused account lockout — user handling via separate Claude session on Neptune directly +- ACG\administrator creds: `Gptf*77ttb##` + +## Credentials + +### GoDaddy API (Production) +- Key: `2wXWWFcuYk_2RGxdvpe1WZV2yPMvNLGEe` +- Secret: `5pQZs7H9WY7dwh59XsJMNr` +- Auth header: `Authorization: sso-key 2wXWWFcuYk_2RGxdvpe1WZV2yPMvNLGEe:5pQZs7H9WY7dwh59XsJMNr` +- Vault: `services/godaddy-api.sops.yaml` + +### Syncro PSA +- API Key: `T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3` +- Base: `https://computerguru.syncromsp.com/api/v1` +- Vault: `msp-tools/syncro.sops.yaml` + +### Glaztech M365 +- Tenant ID: `82931e3c-de7a-4f74-87f7-fe714be1f160` +- Remediation tool consented + Exchange Admin role assigned + +### MVAN M365 +- Tenant ID: `5affaf1e-de89-416b-a655-1b2cf615d5b1` +- Already consented for remediation tool + +### Neptune +- Public: 67.206.163.124 +- Internal: 172.16.3.50 +- Creds: `ACG\administrator` / `Gptf*77ttb##` +- jparkinson target password: `jP$48504850` + +### IX server +- 172.16.3.10, root, `Gptf*77ttb!@#!@#` +- PowerDNS, cPanel, zone files at `/var/named/` +- Cluster sync: `/usr/local/cpanel/scripts/dnscluster synczone ` + +## DNS Changes Made Today + +| Domain | Record | Before | After | Server | +|---|---|---|---|---| +| glaztech.com | MX 10 | glaztech-com.mail.protection.outlook.com | REMOVED | IX | +| glaztech.com | _dmarc TXT | p=none | p=reject; sp=reject | IX | +| mvaninc.com | _dmarc TXT | (missing) | p=reject; sp=reject | GoDaddy (web GUI) | +| jparkinsonaz.com | _dmarc TXT | (missing) | p=reject; sp=reject | IX | +| jparkinsonaz.com | autodiscover | (missing) | CNAME 
mail.acghosting.com | IX | +| jparkinsonaz.com | A (root) | 72.194.62.7 (IX) | 67.206.163.124 (Neptune) | IX | + +## IX DNS gotchas (learned today) + +1. **`pdns_control reload `** needed after zone file edits — full PowerDNS restart doesn't always pick up changes +2. **Serial format varies** — some zones use epoch (1776xxxxxx), some use YYYYMMDDNN. New serial must be HIGHER than old or changes are ignored. +3. **DNS cluster sync** required: `/usr/local/cpanel/scripts/dnscluster synczone ` — editing zone files directly doesn't trigger cluster propagation +4. **Zone file backups** at `/var/named/.db.bak-YYYYMMDD` + +## Syncro tickets created + +| # | Customer | Subject | Time | Status | +|---|---|---|---|---| +| 32165 | Glaz-Tech Industries | Email Security - Phishing remediation + MX/DMARC hardening | 1hr (timer, not comment — needs fix) | Invoiced | +| 32166 | MVAN Enterprises Inc | Email Security - DMARC protection added for mvaninc.com | 30 min Remote Business | Resolved | + +## Files created/modified + +- `clients/glaztech/reports/2026-04-17-phishing-incident-report.md` +- `clients/glaztech/reports/2026-04-17-phishing-ATTN-mailbox-password.eml` +- `clients/glaztech/reports/2026-04-17-phishing-ATTN-mailbox-password.json` +- `clients/glaztech/reports/2026-04-17-phishing-HR-paperwork.eml` +- `clients/glaztech/reports/2026-04-17-hr-paperwork-*.json` +- `.claude/commands/syncro.md` (new) +- `D:\vault\services\godaddy-api.sops.yaml` (new) + +## Pending + +1. **Neptune jparkinson password** — being handled in separate Claude session on Neptune +2. **desertrat.com** — needs DMARC + SPF hardening on Route 53 (need AWS access) +3. **desertrat.com** — long-term migration from WebSvr to IX + MailProtector +4. **Glaztech ticket #32165** — timer entry created wrong (should be comment+time); fix or rebill in Syncro GUI +5. **jparkinsonaz.com certbot** — retry once A record propagates (14400s TTL from old IP) +6. 
**MVAN other domains** — only mvaninc.com has DMARC; client has other domains needing protection +7. **GoDaddy delegate API limitation** — can't manage delegate domains via API; need client's own API key for programmatic DNS +8. **All carry-over items from 2026-04-16** (Howard onboarding, GuruRMM migration drift, Len's deployment, etc.)
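Review bot: this hunk commits live secrets to the repository and should not merge as written: the `## Credentials` section carries the GoDaddy production API key and secret (including a ready-to-paste `Authorization: sso-key ...` header), the Syncro PSA API key and the IX server root password, and the `### 8. Neptune password reset` item and the `### Neptune` block carry the `ACG\administrator` password and the intended jparkinson password in clear text. The log already names the right home for these values (`services/godaddy-api.sops.yaml`, `msp-tools/syncro.sops.yaml`), so the session log should reference those vault paths only and drop every key, secret and password field; the tenant IDs, internal addresses and ticket numbers can stay. Because the values are now part of a commit, treat them as exposed regardless of whether this change is reverted: rotate the GoDaddy key and secret and re-vault them, regenerate the Syncro API key, change the `ACG\administrator` and IX root passwords, and do not set the jparkinson account to the password recorded here; if the branch has already been pushed, the file also needs to be removed from history, not just from the next commit. One smaller point in `### 2.`: removing the `MX 10` record for `glaztech-com.mail.protection.outlook.com` from DNS does not stop a sender that already knows that hostname from delivering directly to it, which is exactly what both campaigns did; Enhanced Filtering with the MailProtector IPs skip-listed fixes the filtering verdict but not the bypass path, so the incident report and the pending list should also cover restricting inbound mail to the MailProtector connector (for example a mail flow rule that rejects messages whose source is outside the MailProtector ranges) and state whether that was done.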