sync: auto-sync from GURU-5070 at 2026-06-23 21:14:42

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-23 21:14:42
2026-06-23 21:15:42 -07:00
parent 373883fb48
commit 7b252335cc
4 changed files with 19 additions and 2 deletions


@@ -31,6 +31,7 @@
- [Unraid VM no-IP causes](unraid-windows-vm-virtio-no-ip.md) — PRIMARY (general "new VMs stopped getting IPs lately"): Docker sets bridge-nf-call-iptables=1, so br0 VM DHCP OFFERs hit DOCKER-FORWARD (no br0 ACCEPT) and get dropped; new VMs can't complete DORA (existing renew via ESTABLISHED). Fix `=0` runtime (needs persistent post-Docker hook; not yet persisted on Jupiter). SECONDARY (Windows VM): virtio-net has no in-box driver -> use e1000 or virtio-win. Diagnose: tcpdump DHCP on pfSense; /sys vnetN rx_packets.
- [Starr Pass mail routing](reference_starrpass_mail_routing.md) — starrpass.com is DIRECT to MS (EOP/Defender, tenant 222450dd…); only devconllc.com is on Mailprotector (MP acct 16170). Check @starrpass.com quarantine/rejects via remediation-tool, not Mailprotector.
- [INKY outbound breaks DMARC](reference_inky_outbound_breaks_dmarc.md) — Reverse-resolve DMARC rua failing IPs before blaming a sender: ipw-outbound.inkyphishfence.com / us.cloud-sec-av.com = INKY re-injection breaking DKIM+SPF. INKY is in-M365 (connectors+transport rules) per enrolled tenant, but hosting-level (IX/cPanel website) outbound also routes through it independent of M365 enrollment. Fix is INKY-side (outbound DKIM/SPF/ARC), not cPanel DNS.
- [Syncro prepay: full-GET only](feedback_syncro_prepay_full_get_only.md) — read prepay_hours ONLY from GET /customers/{id}; the customer search/list endpoint returns null/stale prepay. Never assert "no block" in a billing preview from search data.
- [AAD Connect msDS-KeyCredentialLink writeback](reference_aadconnect_keycredlink_writeback.md) — "completed-export-errors" + 8344 INSUFF_ACCESS_RIGHTS on a protected admin account = WHfB key writeback blocked by AdminSDHolder. Diagnose with csexport /f:x; fix with dsacls WP;msDS-KeyCredentialLink on AdminSDHolder + SDProp.
- [UniFi Site Manager cloud API](reference_unifi_site_manager_api.md) — `api.ui.com` + `X-API-KEY` (vault `services/unifi-site-manager`) = remote access to the WHOLE ACG UniFi fleet (~36 consoles) outside UOS. Tier1 `/v1/hosts|sites|devices|isp-metrics` = inventory+health+WAN. Tier2 CONNECTOR `/v1/connector/consoles/{id}/proxy/network/api/s/default/stat/{device,sta}` = **full UOS parity** (per-radio cu_total airtime + per-client RSSI) for ANY console, remote. Backend `unifi-wifi/scripts/gw-sitemanager.sh` (`fleet|devices|sites|isp|net`). Standalone UDM WAN SSH usually firewalled; per-console SSH pw at `clients/<slug>/udm-ssh`.
- [reference_sqlx_migrations_immutable](reference_sqlx_migrations_immutable.md) -- NEVER edit an already-applied sqlx migration file — even a comment. sqlx::migrate! checksums each file at compile time and validates against _sqlx_migrations at startup; a changed checksum crash-loops the server with "migration N was previously applied but has been modified". Code review MUST flag any edit to an applied migration.
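Review bot: the Syncro prepay entry in this hunk refers to "the customer search/list endpoint" without naming the request, while the file it links pins it to `GET /customers?query=...`. Quoting that path in the index line would let a reader match the rule against a call site without opening the linked file. Style point in the same hunk: the sqlx entry on the last line uses its filename as link text and `--` as separator, where every other entry has a readable title followed by a dash; giving it a title such as "sqlx migrations are immutable" would keep the index uniform.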


@@ -0,0 +1,12 @@
---
name: feedback-syncro-prepay-full-get-only
description: Syncro prepay_hours is only reliable from GET /customers/{id}; never read it from the customer search/list endpoint
metadata:
type: feedback
---
When billing in Syncro, read `prepay_hours` ONLY from the full `GET /customers/{id}` response (`.customer.prepay_hours`). The customer **search/list** endpoint (`GET /customers?query=...`) returns `prepay_hours: null` (or stale) even when the customer HAS a prepaid block. Never read prepay from a search result, and never assert "no prepaid block" / "real charge $N" in a billing preview built from search data.
**Why:** Repeated misfires — previews said "$300, no block," then the block surfaced during the invoice POST and the invoice netted $0 (block debited). Mike flagged this 2026-06-23 as a reliability problem that keeps recurring (Dataforth, Grabb & Durando #32455). The wrong figure in a preview the user confirms is the failure mode.
**How to apply:** In the billing gather step, ALWAYS `GET /customers/{id}` and pull `prepay_hours` from there BEFORE composing the preview — not just before the invoice. If you only have search/list data, fetch the full customer record first; do not guess. The /syncro skill hard rules now encode this. See [[feedback_syncro_labor_type.md]].
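Review bot: the **Why:** line records customer names and a reference number ("Dataforth, Grabb & Durando #32455") in a memory file that is committed by an auto-sync job. The rule stands without them, so consider replacing them with a neutral pointer (for example the internal ticket reference only) to keep client billing details out of the repository history. On the rule itself, the first paragraph says the search endpoint returns `prepay_hours: null` "(or stale)", but **How to apply:** only covers the case where you know you have search data. It would be tighter to state that a null or missing `prepay_hours` from any source other than `GET /customers/{id}` means "unknown", never "zero", so the preview step fails closed. The closing sentence claims the /syncro skill hard rules now encode this, and it links `[[feedback_syncro_labor_type.md]]`; neither that skill file nor the linked file is visible in the hunks shown here, so confirm both are part of the same commit.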