sync: auto-sync from GURU-5070 at 2026-06-25 21:13:47
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-25 21:13:47
@@ -2,6 +2,9 @@
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
- [ACG resource map](reference_resource_map.md) — **READ THIS FIRST** when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
|
- [ACG resource map](reference_resource_map.md) — **READ THIS FIRST** when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
|
||||||
|
- [exchange-op = all-access Exchange tier](feedback_exchange_op_all_access.md) — STOP claiming "no tier can write mail." Exchange Operator app = Exchange Admin role + full_access_as_app + Exchange.ManageAsApp = full all-access (move mail, rules, config, EWS). Default to `exchange-op` for any Exchange write.
|
||||||
|
- [Tedards tenant facts](reference_tedards_tenant_facts.md) — Bill Tedards law office; tenant `4fcbb1f4…`; bt@/y226@ mailboxes; matter-number filing; UAL ingestion OFF; 9 synced devices; botched-import DUPLICATE folder.
|
||||||
|
- [Investigator EXO ManageAsApp gap](reference_investigator_exo_manageasapp_gap.md) — Security Investigator app lacks `Exchange.ManageAsApp` (only `full_access_as_app`) so `investigator-exo` 401s on EXO adminapi; use `exchange-op` tier for InvokeCommand.
|
||||||
- [Tailscale subnet-route key expiry](reference_tailscale_subnet_key_expiry.md) — "internet OK but all of 172.16.3.x (Gitea .20, RMM/coord .30) dead" = Tailscale infra-node KEY EXPIRY (pfSense subnet router advertises 172.16.0.0/22), NOT a LAN outage; expiry now disabled on infra nodes (2026-06-25). Fallback: gururmm-server direct at tailnet 100.86.12.15:3001.
|
- [Tailscale subnet-route key expiry](reference_tailscale_subnet_key_expiry.md) — "internet OK but all of 172.16.3.x (Gitea .20, RMM/coord .30) dead" = Tailscale infra-node KEY EXPIRY (pfSense subnet router advertises 172.16.0.0/22), NOT a LAN outage; expiry now disabled on infra nodes (2026-06-25). Fallback: gururmm-server direct at tailnet 100.86.12.15:3001.
|
||||||
- [GravityZone support center](reference_gravityzone_support.md) — Authoritative Bitdefender GravityZone product + Public API docs; use to confirm UNVERIFIED `bitdefender` skill methods/param shapes (push setPushEventSettings, assignPolicy, report/account writes, maintenancewindows/integrations names).
|
- [GravityZone support center](reference_gravityzone_support.md) — Authoritative Bitdefender GravityZone product + Public API docs; use to confirm UNVERIFIED `bitdefender` skill methods/param shapes (push setPushEventSettings, assignPolicy, report/account writes, maintenancewindows/integrations names).
|
||||||
- [GURU-5070 Rust toolchain](reference_guru5070_rust_toolchain.md) — GURU-5070 now has cargo + MSVC + protoc; build/clippy/test guru-connect LOCALLY (set PROTOC to the winget path) instead of the build host. CI only clippy-checks the Linux server, not the Windows agent.
|
- [GURU-5070 Rust toolchain](reference_guru5070_rust_toolchain.md) — GURU-5070 now has cargo + MSVC + protoc; build/clippy/test guru-connect LOCALLY (set PROTOC to the winget path) instead of the build host. CI only clippy-checks the Linux server, not the Windows agent.
|
||||||
|
|||||||
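Review bot: the added `exchange-op` index entry ends with "Default to `exchange-op` for any Exchange write", which makes the tier that the same line describes as "full all-access" the first choice rather than the escalation. Suggest wording it so the read-only tier is named for reads and `exchange-op` is named only for writes and EXO admin cmdlets. The added Tedards entry also puts a client name, mailbox aliases and a tenant ID prefix into the shared index; a neutral title pointing at the detail file would carry the same pointer.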
12
.claude/memory/feedback_exchange_op_all_access.md
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
name: feedback_exchange_op_all_access
|
||||||
|
description: The exchange-op tier is the all-access Exchange tier — stop claiming "no tier can write mail"
|
||||||
|
metadata:
|
||||||
|
type: feedback
|
||||||
|
---
|
||||||
|
|
||||||
|
The **`exchange-op`** tier (ComputerGuru **Exchange Operator** app, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) holds the **Exchange Administrator** directory role PLUS `full_access_as_app` and `Exchange.ManageAsApp`. That is **full all-access to every mailbox and every Exchange Online operation** — reading, writing, moving mail, inbox rules, message trace, TABL, audit config, EWS, the lot.
|
||||||
|
|
||||||
|
**Why:** Mike's recurring correction (2026-06-25) — I keep claiming "no app tier has Mail.ReadWrite, so I need a workaround" and reaching for convoluted paths (EWS gymnastics, etc.). That framing is wrong and wastes time EVERY time. Graph application Mail.ReadWrite is not the only write path; the Exchange Operator app already has full Exchange admin rights.
|
||||||
|
|
||||||
|
**How to apply:** For ANY mailbox/Exchange write or all-access need (move/copy/delete mail, modify rules, change mailbox config, EWS operations, audit settings), default to the **`exchange-op`** tier. Never declare a task blocked for lack of mail-write permission without first using exchange-op. The Graph `investigator` tier is read-only (`Mail.Read`); `investigator-exo` lacks `Exchange.ManageAsApp` (see [[reference_investigator_exo_manageasapp_gap]]) — neither limitation means "we can't write," it just means use exchange-op. See [[reference_tedards_tenant_facts]].
|
||||||
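Review bot: the "How to apply" paragraph makes `exchange-op` the default for every write it lists (delete mail, modify rules, change audit settings) and tells the reader never to declare a task blocked before trying it, but it states no guardrail for the destructive cases. Suggest adding one sentence that destructive or irreversible operations still need explicit user confirmation before they run under this tier, and that reads stay on the `investigator` (`Mail.Read`) tier where Graph can serve them. Without that, the memory reads as permission to reach for the all-access app first.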
12
.claude/memory/reference_investigator_exo_manageasapp_gap.md
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
name: reference_investigator_exo_manageasapp_gap
|
||||||
|
description: Why the remediation-tool investigator-exo tier 401s on EXO adminapi; use exchange-op instead
|
||||||
|
metadata:
|
||||||
|
type: reference
|
||||||
|
---
|
||||||
|
|
||||||
|
The **Security Investigator** app (`bfbc12a4-f0dd-4e12-b06d-997e7271e10c`) registration grants only the `full_access_as_app` (EWS) Office 365 Exchange Online app role — it is **missing `Exchange.ManageAsApp`**. The EXO REST admin API (`outlook.office365.com/adminapi/beta/{tid}/InvokeCommand` — Get-Mailbox, Get-InboxRule, Search-UnifiedAuditLog, etc.) requires `Exchange.ManageAsApp`, so the `investigator-exo` token returns **401** on every cmdlet.
|
||||||
|
|
||||||
|
The Exchange Administrator **directory role** is NOT the cause — it is already assigned to the Investigator SP. The gap is the **API permission** on the app registration, which is a manual Entra portal change (suite rule: app registrations stay manual) and arguably shouldn't be added to the read-only Investigator at all.
|
||||||
|
|
||||||
|
**How to apply:** for any EXO `InvokeCommand` work (mailbox reads, inbox rules, message trace, TABL, audit), use the **`exchange-op`** tier — the **Exchange Operator** app (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) carries BOTH `full_access_as_app` and `Exchange.ManageAsApp`. Don't waste a round trip on `investigator-exo` for adminapi. See [[reference_tedards_tenant_facts]].
|
||||||
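Review bot: the "How to apply" paragraph routes read-only work (mailbox reads, inbox rules, message trace) to `exchange-op`, while the paragraph above it says `Exchange.ManageAsApp` arguably should not be on the read-only Investigator at all. The net effect is that every EXO read runs under the write-capable app, and the file does not say so. Suggest stating that trade-off explicitly and adding that work under this tier stays on Get-/Search- cmdlets unless a change has been approved.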
16
.claude/memory/reference_tedards_tenant_facts.md
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
name: reference_tedards_tenant_facts
|
||||||
|
description: Tedards (Bill Tedards law office) M365 tenant facts for investigations
|
||||||
|
metadata:
|
||||||
|
type: reference
|
||||||
|
---
|
||||||
|
|
||||||
|
**Tedards** = Bill Tedards law office. M365 tenant `tedards.net`, tenant ID `4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6`. Registry lists Onboarded=NO but the ComputerGuru apps ARE consented and working (Graph investigator + EXO exchange-op both verified live 2026-06-25).
|
||||||
|
|
||||||
|
Mailboxes: `bt@tedards.net` (Bill, owner), `y226@tedards.net` (Yvonne). Bill files mail by legal matter number into deep Inbox subfolders (e.g. "8445 BOLTON [Farmers TX]", "BOLTON, Lindsay"); a top-level "DUPLICATE need to check" folder (~11,864 items) is junk from a **botched mail import years ago** — ignore it.
|
||||||
|
|
||||||
|
Security gaps found 2026-06-25: tenant was **dehydrated** (never customized) — ran `Enable-OrganizationCustomization` (irreversible, one-time) then `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true` (both HTTP 200). Read-back still showed `false` immediately after — propagation lag; verify later that it flipped to true and that Search-UnifiedAuditLog starts returning data (ingestion lag up to ~60min). Before this, UAL was OFF so there was no queryable audit trail for the bt@ deletions. bt@ mailbox syncs to **9 devices** (5 aging iOS Mail/EAS, a Mac Outlook, 2 Outlook-for-iOS added 2026-06-25). Per-mailbox AuditEnabled=true but not queryable since Search-MailboxAuditLog is deprecated + UAL ingestion off.
|
||||||
|
|
||||||
|
EXO access: use the `exchange-op` tier, not `investigator-exo` — see [[reference_investigator_exo_manageasapp_gap]]. Ongoing matter: Wirechunk/agencyzoomify.com DMARC + the bt@ "delete folder" deletions (ticket #5070, #32228).
|
||||||
|
|
||||||
|
**bt@ "delete folder" mystery — SOLVED 2026-06-26 (root cause = client-side device auto-delete).** Lindsay's (lindsay@agencyzoomify.com) Bolton-thread mail auto-moves to Deleted Items. Proven via bait test: restored the 3 msgs to Inbox via EWS, all 3 were re-deleted to Deleted Items at the identical instant (02:54:24Z) — automated, not human. Eliminated: inbox rules (incl. hidden), sweep rules, transport rules, forwarding, delegates, folder perms, and any OAuth app with Mail.ReadWrite (none exist; admin apps only have MailboxSettings.ReadWrite/Mail.Send/Exchange.Manage). Only mail-MOVE capability present = Apple native iOS Mail (appId 32f67a9b, EAS+EWS) + Outlook-for-iOS. 5 Apple/Outlook-iOS devices push-synced within 8s of the re-delete; all activity from Bill's single home IP 69.242.239.94 (NOT a compromise). Bisection test (2026-06-26 03:23): removed/disabled Outlook-for-iOS, re-moved msgs to Inbox — re-deleted again in 4s, AND the re-delete (03:23:31Z) fired BEFORE the Outlook-iOS clients re-synced (03:23:38/48) → **Outlook-iOS EXONERATED; culprit = a NATIVE iOS Mail (EAS) device** with on-device "Block Sender → Move to Trash" for lindsay@agencyzoomify.com. Narrowed to the two devices syncing at the delete instant: **iPhone16C2** and **iPad15C8** (Bill's current iPhone + iPad). On-device block list is NOT server-readable — Bill must remove Lindsay from Blocked on those devices (iOS Settings → Mail → Blocked). Note: Set-CASMailbox OutlookMobileEnabled has heavy propagation lag (didn't enforce during the test window); same lag seen on Set-AdminAuditLogConfig. To pin the exact one device, block one EAS DeviceId and re-bait. Removed 2 Outlook-iOS partnerships (they auto-re-add) + toggled OutlookMobileEnabled (reverted to true, queued).
|
||||||
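Review bot: the "SOLVED" paragraph commits the customer's home IP (`69.242.239.94`), a third party's e-mail address and per-device detail to a long-lived memory file; the root cause and the fix read the same with those replaced by a pointer to the ticket. Two statements in this file also disagree with the session log added in the same commit: the "Ongoing matter" line still cites ticket #5070, which the log says does not exist in Syncro, and the audit paragraph stops at "Read-back still showed `false`", while the log records that the flag propagated to true. Suggest dropping #5070 and updating the read-back sentence so the memory does not preserve a superseded state.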
5
.gitignore
vendored
@@ -1,6 +1,11 @@
|
|||||||
# Backups (local only - don't commit to repo)
|
# Backups (local only - don't commit to repo)
|
||||||
backups/
|
backups/
|
||||||
|
|
||||||
|
# Session scratch (one-off dedup/EWS tooling — never commit)
|
||||||
|
.dup*
|
||||||
|
.ews_*.xml
|
||||||
|
.x.json
|
||||||
|
|
||||||
# Remediation-tool cache (live Graph API responses — may contain user data)
|
# Remediation-tool cache (live Graph API responses — may contain user data)
|
||||||
.cache-remediation/
|
.cache-remediation/
|
||||||
tmp-remediation/
|
tmp-remediation/
|
||||||
|
|||||||
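Review bot: the added `.dup*` pattern is unanchored, so it hides any file or directory whose name starts with `.dup` anywhere in the tree, and it is the only thing keeping mailbox-derived scratch (`.ews_*.xml`, `.x.json`) out of a commit. Suggest writing that scratch under `tmp-remediation/`, which this file already ignores with a user-data warning, or anchoring the patterns to the repo root with a leading `/`. Note also that `.dup*` ignores the scripts that drove the bulk move, so that tooling is unversioned; if that is intended, say so in the comment line.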
@@ -0,0 +1,124 @@
|
|||||||
|
# Session Log — Tedards: bt@ "delete folder" root cause + DUPLICATE folder cleanup
|
||||||
|
|
||||||
|
## User
|
||||||
|
- **User:** Mike Swanson (mike)
|
||||||
|
- **Machine:** GURU-5070
|
||||||
|
- **Role:** admin
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Session Summary
|
||||||
|
|
||||||
|
Resumed the Tedards investigation with a directive to make zero assumptions and verify live 365 access. Confirmed read access to both Tedards mailboxes (`y226@tedards.net`, `bt@tedards.net`) through the ComputerGuru app suite against tenant `4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6`: Graph via the Security Investigator tier (200 on user + message reads) and Exchange Online via the Exchange Operator tier (200 on Get-Mailbox). Documented that the Security Investigator `investigator-exo` tier 401s on the EXO adminapi because its app registration carries only `full_access_as_app`, not `Exchange.ManageAsApp`; the directory role (Exchange Administrator) is already assigned, so the gap is an app-registration API permission, not a role. The `exchange-op` tier is the all-access Exchange tier and was used for all EXO work thereafter (logged as a recurring correction).
|
||||||
|
|
||||||
|
Investigated the long-standing complaint that emails from `lindsay@agencyzoomify.com` were disappearing from Bill's inbox into a "delete folder" in real time. Ruled out every server-side mechanism with live data: 18 inbox rules (all newsletter filing, none touching Lindsay/Bolton/Deleted Items), zero sweep rules, no transport rules, no forwarding, no delegates, no Inbox folder permissions, and no OAuth app holding `Mail.ReadWrite`. Located the three affected messages in Deleted Items and confirmed via timing (received at spread-out times, all deleted in one 2-minute burst) that the deletion was interactive/client-side, not an automatic delivery-time rule. A bait test (EWS-move the 3 messages back to Inbox) proved automated re-deletion: all three were re-trashed within ~1-4 seconds at an identical timestamp, by a client, keyed to Lindsay's address (a co-threaded message from brandon@agentive-one.com survived). A bisection (disabled/removed the two new Outlook-for-iOS clients, re-baited) showed the re-delete fired before the Outlook-iOS clients re-synced, exonerating them and pinning the cause to a native iOS Mail (EAS) device — iPhone16C2 or iPad15C8 — with an on-device "Block Sender -> Move to Trash" for Lindsay. On-device block lists are not server-readable, so the fix is on Bill's devices.
|
||||||
|
|
||||||
|
Enabled tenant auditing to make any recurrence attributable: the tenant was dehydrated, so ran `Enable-OrganizationCustomization` (irreversible, confirmed with the user) then `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`. The config flag propagated to true. Re-baited under live ingestion and filed the 3 messages into Bill's "BOLTON, Lindsay" folder (confirmed they stay put there — the block only sweeps the Inbox). A durable cron (`ce6e3e74`, every ~19 min) rechecks `Search-UnifiedAuditLog` for the capture; through end of session it returned entries=0 (ingestion still propagating / app-only UAL not yet surfacing mailbox-item events).
|
||||||
|
|
||||||
|
Billed 2.0h remote labor to ticket #32228 ($300, new invoice #67886) after verifying the new invoice contained only the 2h line (the prior 0.5h stays on #67882). Posted a customer-visible, emailed comment to Yvonne with the device-fix steps. Note: the session-log reference to "ticket #5070" does not resolve to any Syncro ticket; #32228 ("Unable to send/receive email to/from lindsay@agencyzoomify.com") is the correct ticket for this work.
|
||||||
|
|
||||||
|
Began cleanup of Bill's "DUPLICATE need to check" folder (11,864 items, a botched-import artifact Yvonne preserved). Swept all 119,223 mailbox messages, matched by Internet Message-ID, and classified: 11,810 true duplicates (identical copy confirmed in another real folder, excluding Deleted Items) and 54 unique (only copy — kept). With explicit user approval, soft-deleting (EWS move to Deleted Items, recoverable) the 11,810. As of save, the move is still running in the background (folder at ~3,264, 8,603 already moved, converging to 54). A new no-billing notification ticket for Yvonne is drafted and user-approved but NOT yet posted — held until the folder reaches 54 so the email numbers match the mailbox.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Key Decisions
|
||||||
|
|
||||||
|
- **Use the `exchange-op` tier for all Exchange writes/all-access** — it holds Exchange Administrator + `full_access_as_app` + `Exchange.ManageAsApp`. Stop claiming "no tier can write mail." (Recurring correction; saved to memory `feedback_exchange_op_all_access`.)
|
||||||
|
- **Did not add `Exchange.ManageAsApp` to the Security Investigator app** — it's a manual portal change and the read-only tier shouldn't have it; `exchange-op` covers everything.
|
||||||
|
- **Bait test over waiting** — moving the messages back to Inbox to observe behavior was the only way to prove automated re-deletion without a queryable audit log.
|
||||||
|
- **Soft-delete (move to Deleted Items), not hard purge** for the 11,810 duplicates — recoverable until Yvonne empties Deleted Items.
|
||||||
|
- **Kept the 54 uniques** — they have no copy elsewhere; deliberately did not dedupe them against each other to avoid removing a last-surviving copy.
|
||||||
|
- **Held the notification ticket until folder = 54** — avoid emailing Yvonne "54 remaining" while thousands are still visible.
|
||||||
|
- **Confirmed `Enable-OrganizationCustomization` with the user before running** — irreversible org-level change.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Problems Encountered
|
||||||
|
|
||||||
|
- **`investigator-exo` 401 on EXO adminapi** — app lacks `Exchange.ManageAsApp`; used `exchange-op` instead. (Memory: `reference_investigator_exo_manageasapp_gap`.)
|
||||||
|
- **`Search-MailboxAuditLog` deprecated (Jan 2026)** — switched to `Search-UnifiedAuditLog`; found `UnifiedAuditLogIngestionEnabled=false`, enabled it (required hydrating the tenant first).
|
||||||
|
- **App-only `Search-UnifiedAuditLog` returns 0** even after ingestion enabled and after thousands of bulk MoveToDeletedItems events — ingestion propagation lag and/or app-only UAL not surfacing mailbox-item records. Recheck cron left running.
|
||||||
|
- **`Set-CASMailbox` / `Set-AdminAuditLogConfig` propagation lag** — read-backs lagged true for minutes; the `OutlookMobileEnabled=false` change never enforced during the bisection window (the timing evidence carried the conclusion instead).
|
||||||
|
- **Background dedup driver detached/died** when launched with `nohup ... &` *and* the tool's background mode (double-backgrounding); relaunched via the tool's background mechanism only. Two instances ended up running concurrently — harmless (idempotent) but wasteful.
|
||||||
|
- **Graph `$filter` on `from/emailAddress/address` returned null** intermittently — switched to client-side filtering of the message list.
|
||||||
|
- **#5070 does not exist in Syncro** — verified; used #32228 after user confirmation. Avoided posting a billable comment to a guessed ticket.
|
||||||
|
- **New invoice double-bill risk on an already-invoiced ticket** — guarded by verifying the new invoice total == $300 with auto-rollback (DELETE) if not.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Configuration Changes
|
||||||
|
|
||||||
|
### Microsoft 365 — Tedards tenant (`4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6`)
|
||||||
|
- `Enable-OrganizationCustomization` run (irreversible; tenant was dehydrated).
|
||||||
|
- `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true` (propagated to true).
|
||||||
|
- bt@ mailbox: 3 Lindsay Bolton messages moved Deleted Items -> "BOLTON, Lindsay" folder.
|
||||||
|
- bt@ mailbox: ~11,810 duplicates being moved from "DUPLICATE need to check" -> Deleted Items (in progress at save).
|
||||||
|
- bt@ `Set-CASMailbox -OutlookMobileEnabled` toggled false then reverted to true (diagnostic; revert queued, propagation lag).
|
||||||
|
- Removed two Outlook-for-iOS device partnerships (`c42bbf6e…`, `548f2cdd…`) — they auto-re-add.
|
||||||
|
|
||||||
|
### Syncro
|
||||||
|
- Ticket #32228 (internal 109697650): customer comment 420824967 (emailed); line item 43027728 (2.0h remote @ $150); invoice 1650805941 / #67886 ($300); invoice note set.
|
||||||
|
|
||||||
|
### Repo
|
||||||
|
- `.gitignore`: added session scratch patterns (`.dup*`, `.ews_*.xml`, `.x.json`).
|
||||||
|
- Memory: added `reference_tedards_tenant_facts`, `reference_investigator_exo_manageasapp_gap`, `feedback_exchange_op_all_access`; updated `MEMORY.md` index.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Credentials & Secrets
|
||||||
|
|
||||||
|
No new credentials created or discovered. Tokens acquired via `get-token.sh` (cert auth) for tiers `investigator`, `investigator-exo`, `exchange-op`, `tenant-admin`. Vault unchanged.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Infrastructure & Servers
|
||||||
|
|
||||||
|
- **Tedards M365 tenant:** `tedards.net` / `4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6`
|
||||||
|
- **Mailboxes:** `bt@tedards.net` (Bill, owner, id `3044102c-ed9d-4777-ac8c-9d973d50e328`), `y226@tedards.net` (Yvonne, default contact, id `9c2cc39c-a523-4e73-81b7-4b818d8ea3b9`)
|
||||||
|
- **Apps:** Security Investigator `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` (SP oid `2dd202e8-5f70-4826-a378-cfeeadac9cf6`); Exchange Operator `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`; Tenant Admin `709e6eed-0711-4875-9c44-2d3518c47063`
|
||||||
|
- **Culprit devices (bt@):** iPhone16C2, iPad15C8 (native iOS Mail / EAS). All access from Bill's home IP `69.242.239.94`.
|
||||||
|
- **Key folder IDs (bt@):** DUPLICATE need to check `…AAABF_WUAAA=`; Deleted Items `…AAAAAAEKAAA=`; BOLTON, Lindsay `…AAEoMg_hAAA=`; Inbox `…AAAAAAEMAAA=`.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Commands & Outputs
|
||||||
|
|
||||||
|
```
|
||||||
|
# verify access
|
||||||
|
get-token.sh tedards.net investigator|investigator-exo|exchange-op
|
||||||
|
investigator-exo EXO adminapi -> HTTP 401 (only full_access_as_app)
|
||||||
|
exchange-op Get-Mailbox -> 200 (bt@, y226@)
|
||||||
|
|
||||||
|
# bait test (EWS MoveItem to Inbox, then observe)
|
||||||
|
moved 03:30:58Z -> re-deleted 03:31:00Z (native device); brandon@ co-thread survived
|
||||||
|
|
||||||
|
# audit enable
|
||||||
|
Set-AdminAuditLogConfig UnifiedAuditLogIngestionEnabled -> 400 dehydrated
|
||||||
|
Enable-OrganizationCustomization -> 200
|
||||||
|
Set-AdminAuditLogConfig UnifiedAuditLogIngestionEnabled $true -> 200 (flag now true)
|
||||||
|
Search-UnifiedAuditLog (bt@, Move/Delete ops) -> entries=0 (still propagating)
|
||||||
|
|
||||||
|
# dedup
|
||||||
|
.dupscan.py: mailbox_total=119223, dup_folder=11864, true_duplicates=11810, unique_keep=54
|
||||||
|
.dupdelete.py / .dupdrive.sh: EWS MoveItem -> deleteditems, batches of 200 (in progress)
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Pending / Incomplete Tasks
|
||||||
|
|
||||||
|
- **Dedup move finishing** — folder ~3,264 at save, converging to 54; two idempotent background drivers running. Verify folder == 54 and Deleted Items ~= 11,810+ when done.
|
||||||
|
- **Post the approved notification ticket** (no billing) to Yvonne once folder == 54 — draft ready: subject "Mailbox Cleanup - Duplicate Emails Removed; Please File Remaining Items", customer 487887, status Waiting on Customer, comment emailed, then bot alert. Tells Yvonne to file the 54 remaining uniques and to empty Deleted Items only when satisfied.
|
||||||
|
- **Audit capture** — cron `ce6e3e74` still returning entries=0; let it keep retrying. If it never surfaces, attribution rests on the device-statistics timing (iPhone16C2/iPad15C8).
|
||||||
|
- **On Bill's devices (customer action):** unblock `lindsay@agencyzoomify.com` in iOS Mail (Settings - Mail - Blocked) on iPhone and iPad, or set Blocked Sender Options to None.
|
||||||
|
- **Optional:** remove scratch files (`.dup*`) after dedup completes.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Reference Information
|
||||||
|
|
||||||
|
- **Syncro ticket:** #32228 (internal 109697650) — https://computerguru.syncromsp.com/tickets/109697650
|
||||||
|
- **Invoices:** #67886 (1650805941, $300, this session); #67882 (1650804914, $75, prior session)
|
||||||
|
- **Cron job:** `ce6e3e74` (durable, ~every 19 min) — UAL audit recheck
|
||||||
|
- **Prior session:** `clients/tedards/session-logs/2026-06/2026-06-25-discord-bot-agencyzoomify-dmarc-fix.md`
|
||||||
|
- **Memory:** `reference_tedards_tenant_facts`, `reference_investigator_exo_manageasapp_gap`, `feedback_exchange_op_all_access`
|
||||||
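Review bot: the "Credentials & Secrets" section lists a `tenant-admin` token among those acquired, but neither "Commands & Outputs" nor "Configuration Changes" says which operation ran under it; suggest naming the tier next to each change so the log shows where the highest-privilege token was actually used. The dedup summary says messages were "matched by Internet Message-ID" and then calls the 11,810 "identical" copies; state whether anything beyond Message-ID was compared before the move, since the log also notes that `Search-UnifiedAuditLog` returned 0 entries for those bulk moves. As in the tenant facts file, the home IP and mailbox object IDs would be better replaced by a ticket reference.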
@@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
|
|||||||
|
|
||||||
<!-- Append entries below this line -->
|
<!-- Append entries below this line -->
|
||||||
|
|
||||||
|
2026-06-26 | GURU-5070 | remediation-tool | [correction] claimed no tier has mail read/write and reached for an EWS workaround; correct: exchange-op (Exchange Operator app) = Exchange Administrator role + full_access_as_app + Exchange.ManageAsApp = full all-access for ANY mailbox/Exchange op including moving mail [ctx: tenant=tedards.net recurring=true ref=feedback_exchange_op_all_access]
|
||||||
|
|
||||||
2026-06-25 | GURU-5070 | vault/display | [friction] echoing a vault entry, sed line-redaction missed the multi-line JSON private_key (matched 'key:' not 'private_key": "') and printed the full SA private key; when displaying vault entries use vault.sh get-field for named fields or drop the entire credentials: block, never a line-regex over JSON credential blobs
|
2026-06-25 | GURU-5070 | vault/display | [friction] echoing a vault entry, sed line-redaction missed the multi-line JSON private_key (matched 'key:' not 'private_key": "') and printed the full SA private key; when displaying vault entries use vault.sh get-field for named fields or drop the entire credentials: block, never a line-regex over JSON credential blobs
|
||||||
|
|
||||||
2026-06-26 | GURU-BEAST-ROG | email-investigation | [correction] assumed tedards.net also uses GuruProtect/Inky; correct: only ACG uses Inky for inbound. Tedards routes directly to Exchange Online.
|
2026-06-26 | GURU-BEAST-ROG | email-investigation | [correction] assumed tedards.net also uses GuruProtect/Inky; correct: only ACG uses Inky for inbound. Tedards routes directly to Exchange Online.
|
||||||
|
|||||||
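Review bot: the added correction entry is dated 2026-06-26, while the commit timestamp and the `feedback_exchange_op_all_access` memory it references both date the same correction 2026-06-25. Suggest recording which timezone the log's date column uses, or aligning the two dates, so entries can be correlated with commits and session logs. The entry also sits above an older 2026-06-25 line in a log whose marker says to append below, so the file is no longer in date order.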