sync: auto-sync from HOWARD-HOME at 2026-06-01 09:39:50

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-01 09:39:50
2026-06-01 09:40:01 -07:00
parent db87a469ba
commit 86abad216a


@@ -0,0 +1,82 @@
# Session Log — 2026-06-01 — Client work review, QWM M365, GDAP docs
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Reviewed outstanding client work across the books (excluding Cascades) by pulling the coord API todos + component states, then drilled into Quantum Wealth Management (QWM) M365. Performed a read-only Graph review of the live QWM tenant `2fd0092b` using the ComputerGuru Security Investigator app. Found the wiki article was stale (still described the abandoned GoDaddy/johnvelez `8f7eaff4` tenant) and corrected it. Confirmed the 2026-06-03 license-lapse deadline objective is MET: both John and Sheila are Business Premium licensed and activated Office (signed into Microsoft Office + Authentication Broker from the Tucson office 5/27). The broader Intermedia->M365 migration remains in progress.
The significant QWM finding: `john@quantumwms.com` is under an active distributed password-spray — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + Amsterdam NL malicious-flagged IP + Praha CZ password guess), 0 successful malicious logins (account NOT breached). Risk is real because John is not MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (CA001 require-MFA, CA003 block-non-US) are still report-only. Saved a full report, updated the wiki + coord, closed the deadline todo, and filed urgent security + migration-remainder todos. Mike is taking over QWM.
Ran a status pass on the remaining client items, then live-verified three: Deere Park WiFi quote (Syncro #32279 — still New, quote never sent, overdue), Len's Auto Brokerage + Sombra Residential GuruRMM deployments (live API), and Birth Biologic Datto SmartBadge (live RMM dispatch — PASS). Recorded all findings as coord components. Filed a todo for a new finding: Sombra's Server2013 (Win Server 2012/R2, EOL) GuruRMM agent has been offline since 2026-05-14 (~18 days), unmonitored.
Investigated whether documented rules exist for onboarding a client to a Granular admin relationship (GDAP). Found ACG runs two delegated-admin models: (1) the ComputerGuru app-consent suite, well documented in the remediation-tool skill (gotchas.md, tenants.md, onboard-tenant.sh); (2) true Pax8/Partner-Center GDAP, which has NO requirements doc — only a group-membership script and scattered session-log mentions. The wiki has no onboarding article (wiki/patterns/ is empty). While reading the GDAP script, found a plaintext ClientSecret committed in the repo and flagged it as a security todo.
## Key Decisions
- Treated the live tenant `2fd0092b` as authoritative and rewrote the stale QWM wiki (was pointing at the abandoned johnvelez `8f7eaff4` tenant).
- Closed the 6/03 license-lapse todo (`46bda3ec`) because its named objective (license + Office activation before lapse) is verified met; created a migration-remainder todo (`72060fc8`) to preserve the personal-domain + GoDaddy-cancellation steps so nothing was lost. Left the stale johnvelez-tenant todo `37f2196c` open but flagged for cleanup (it's Mike's).
- Filed the QWM password-spray finding as its own urgent todo (`bf09d843`) rather than un-parking the existing security-baseline todo, because the active attack + no-MFA + report-only-CA combination is new and time-sensitive.
- Recorded all live-check results as coord components (the live-status tracker the team reads) rather than only in chat. Used hyphenated client project keys (e.g. `clients-lens-auto-brokerage`) — the slash form 404s on the component PUT endpoint.
- Made NO tenant changes anywhere (QWM and others) — all read-only per the request.
## Problems Encountered
- Coord component PUT returned `Not Found` with the slashed key `clients/quantumwms/m365`; resolved by using the hyphenated key `clients-quantumwms/m365` (matches how existing client components are stored).
- Graph `auditLogs/signIns` `$filter` on `userPrincipalName`/`status` returned empty silently, and `$top=999` returned an empty `value`; resolved by pulling unfiltered at `$top=200` and filtering client-side with jq.
- Coord todo POST initially failed validation (missing `created_by_user`/`created_by_machine`); resolved by adding both required fields.
- Briefly suspected a sync collision because the rebase diffstat showed the QWM report + wiki under "incoming"; verified it was just the pre-rebase comparison direction — Mike's same-day commits were for Jupiter/GURU-KALI/EZ Fast Auto Glass, zero QWM overlap. Files intact after rebase.
## Configuration Changes
Created:
- `clients/quantumwms/reports/2026-06-01-m365-review.md` — full read-only M365 review (committed earlier this session, commit `847d634`).
Modified:
- `wiki/clients/quantumwms.md` — corrected tenant to `2fd0092b`, rewrote users/CA section, added Current Status + security block, updated Open Items (committed `847d634`).
Coord API (server-side, not repo):
- Component `clients-quantumwms/m365` = active (created)
- Component `clients-lens-auto-brokerage/gururmm-deployment` = pending (verified 0 agents)
- Component `clients-sombra-residential/gururmm` = degraded (Server2013 offline)
- Component `clients-birth-biologic/datto-smartbadge` = active (created, PASS verified)
- Component `clients-deere-park/wifi-quote` = pending (created)
- Todo `46bda3ec` -> done (QWM 6/03 lapse)
- Todos created: `bf09d843` (QWM security/spray), `72060fc8` (QWM migration remainder), `7221c025` (Sombra Server2013 offline, ->howard), `10536f07` (exposed secret, ->mike)
## Credentials & Secrets
- **EXPOSED (flagged, not yet remediated):** plaintext `ClientSecret` for app `fabb3421-8b34-484b-bc17-e46de9703418` (deprecated ComputerGuru AI Remediation app) in ACG partner tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d`, committed at `clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1` line 9 (and in git history). Tracked in todo `10536f07` — rotate + remove + confirm app retirement.
- QWM read performed with ComputerGuru Security Investigator app `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` (cert auth, read-only). No new secrets created.
- QWM break-glass remains vaulted at `clients/quantumwms/m365-breakglass.sops.yaml`.
## Infrastructure & Servers
- **QWM M365 tenant (current):** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management", `quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial). Users: john@/sheila@ (Business Premium, not MFA-registered), sysadmin@ (Mike, GA, MFA), breakglass@ (GA, CA-excluded). CA001/CA002/CA003 all report-only; Security Defaults ON. Abandoned tenants: `8f7eaff4` (johnvelez/NETORGFT2570783), `ddf3d2c9` (dormant GoDaddy netorg18235235).
- **GuruRMM:** API `http://172.16.3.30:3001`. Len's Auto Brokerage client `bc76984f`, site "Main" code `UPPER-STAR-2820` — 0 agents. Sombra Residential client `4143369f`: Server2013 (agent `5383e9c1`, build 9200, OFFLINE last_seen 2026-05-14) + DESKTOP-UQRN4K3 (Win11, online). Birth Biologic KSTEENBB2025 agent `ee3c6aea` (online, verify PASS).
- **Syncro #32279** "Onsite - Install Office (and new quote for wifi)", customer Deere Park Development (id 7088463), internal id 110305905, status New. DPA Inc tenant `11de2fe0-4fa4-4b28-a430-40bc20c86fc2`.
## Commands & Outputs
- Graph token: `bash get-token.sh 2fd0092b-... investigator` (cert auth).
- Sign-in pull (filter quirk workaround): `GET /v1.0/auditLogs/signIns?$top=200` then jq client-side. John: 102 events, 4 success (all Tucson 69.254.197.173, 5/27), 98 failures (94x err 50053 malicious-IP block, 4x err 50126 bad password). Foreign: Amsterdam NL `192.42.116.61` (50053), Praha CZ `130.193.15.79` (50126).
- Component PUT pattern: `PUT /api/coord/components/clients-<slug>/<component>` (hyphenated key).
## Pending / Incomplete Tasks
- **QWM (Mike owns now):** security todo `bf09d843` (reset John pw, MFA registration, enforce CA001+CA003); migration remainder `72060fc8`; PST backups `d3623023`; close stale `37f2196c`.
- **Len's Auto Brokerage GuruRMM deployment** — NEXT TASK this session. Site `UPPER-STAR-2820` exists, 0 agents. Need site-specific MSI from dashboard, then execute GPO rollout to ~10 endpoints. Prep in `clients/lens-auto-brokerage/docs/`.
- **Sombra Server2013 offline** — todo `7221c025` (investigate power/service/connectivity; EOL box dark).
- **Deere Park** — build + send updated UniFi quote to Richard Glabman, attach to #32279.
- **Exposed secret** — todo `10536f07`.
- **Doc gap:** no GDAP/onboarding rules doc; offered to draft `wiki/patterns/m365-client-onboarding.md`.
## Reference Information
- QWM report: `clients/quantumwms/reports/2026-06-01-m365-review.md`. Prior commit `847d634`.
- Onboarding docs: `.claude/skills/remediation-tool/references/{gotchas.md,tenants.md}`, `scripts/onboard-tenant.sh`. GDAP groups: `clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1` (13 M365 GDAP groups + AdminAgents in tenant ce61461e).
- Coord API: `http://172.16.3.30:8001/api/coord`. Todos this session: 46bda3ec(done), bf09d843, 72060fc8, 7221c025, 10536f07.
- Syncro #32279: https://computerguru.syncromsp.com/tickets/110305905
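Review bot: the "Credentials & Secrets" section reproduces the full locator of a secret that is still live (app id `fabb3421-...`, partner tenant `ce61461e-...`, exact script path and line 9) in a log file that is itself committed and auto-synced, so the exposure now has two committed pointers instead of one; reference only todo `10536f07` here and keep the locator in the tracker, and sequence the remediation as rotate first, then remove, since the same line states the value also survives in git history and removing the file alone leaves it retrievable. Two smaller points in the same hunk: the "Sombra Server2013" bullet calls the box "Win Server 2012/R2" while the agent record shows build 9200, which is Server 2012 RTM (R2 is build 9600), so drop the "/R2" to keep the EOL note precise; and the sign-in bullet under "Commands & Outputs" records the client's Tucson egress IP `69.254.197.173` alongside the attacker IPs, which a session log does not need once the saved report holds it.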