From 86abad216a5cc629c0464c558dbf553899424067 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Mon, 1 Jun 2026 09:40:01 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-01 09:39:50 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-01 09:39:50 --- ...2026-06-01-howard-client-status-and-qwm.md | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 session-logs/2026-06-01-howard-client-status-and-qwm.md diff --git a/session-logs/2026-06-01-howard-client-status-and-qwm.md b/session-logs/2026-06-01-howard-client-status-and-qwm.md new file mode 100644 index 0000000..d6a7bf3 --- /dev/null +++ b/session-logs/2026-06-01-howard-client-status-and-qwm.md 
@@ -0,0 +1,82 @@ +# Session Log — 2026-06-01 — Client work review, QWM M365, GDAP docs + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Reviewed outstanding client work across the books (excluding Cascades) by pulling the coord API todos + component states, then drilled into Quantum Wealth Management (QWM) M365. Performed a read-only Graph review of the live QWM tenant `2fd0092b` using the ComputerGuru Security Investigator app. Found the wiki article was stale (still described the abandoned GoDaddy/johnvelez `8f7eaff4` tenant) and corrected it. Confirmed the 2026-06-03 license-lapse deadline objective is MET: both John and Sheila are Business Premium licensed and activated Office (signed into Microsoft Office + Authentication Broker from the Tucson office 5/27). The broader Intermedia->M365 migration remains in progress. + +The significant QWM finding: `john@quantumwms.com` is under an active distributed password-spray — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + Amsterdam NL malicious-flagged IP + Praha CZ password guess), 0 successful malicious logins (account NOT breached). Risk is real because John is not MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (CA001 require-MFA, CA003 block-non-US) are still report-only. Saved a full report, updated the wiki + coord, closed the deadline todo, and filed urgent security + migration-remainder todos. Mike is taking over QWM. + +Ran a status pass on the remaining client items, then live-verified three: Deere Park WiFi quote (Syncro #32279 — still New, quote never sent, overdue), Len's Auto Brokerage + Sombra Residential GuruRMM deployments (live API), and Birth Biologic Datto SmartBadge (live RMM dispatch — PASS). Recorded all findings as coord components. 
Filed a todo for a new finding: Sombra's Server2013 (Win Server 2012/R2, EOL) GuruRMM agent has been offline since 2026-05-14 (~18 days), unmonitored. + +Investigated whether documented rules exist for onboarding a client to a Granular admin relationship (GDAP). Found ACG runs two delegated-admin models: (1) the ComputerGuru app-consent suite, well documented in the remediation-tool skill (gotchas.md, tenants.md, onboard-tenant.sh); (2) true Pax8/Partner-Center GDAP, which has NO requirements doc — only a group-membership script and scattered session-log mentions. The wiki has no onboarding article (wiki/patterns/ is empty). While reading the GDAP script, found a plaintext ClientSecret committed in the repo and flagged it as a security todo. + +## Key Decisions + +- Treated the live tenant `2fd0092b` as authoritative and rewrote the stale QWM wiki (was pointing at the abandoned johnvelez `8f7eaff4` tenant). +- Closed the 6/03 license-lapse todo (`46bda3ec`) because its named objective (license + Office activation before lapse) is verified met; created a migration-remainder todo (`72060fc8`) to preserve the personal-domain + GoDaddy-cancellation steps so nothing was lost. Left the stale johnvelez-tenant todo `37f2196c` open but flagged for cleanup (it's Mike's). +- Filed the QWM password-spray finding as its own urgent todo (`bf09d843`) rather than un-parking the existing security-baseline todo, because the active attack + no-MFA + report-only-CA combination is new and time-sensitive. +- Recorded all live-check results as coord components (the live-status tracker the team reads) rather than only in chat. Used hyphenated client project keys (e.g. `clients-lens-auto-brokerage`) — the slash form 404s on the component PUT endpoint. +- Made NO tenant changes anywhere (QWM and others) — all read-only per the request. 
+ +## Problems Encountered + +- Coord component PUT returned `Not Found` with the slashed key `clients/quantumwms/m365`; resolved by using the hyphenated key `clients-quantumwms/m365` (matches how existing client components are stored). +- Graph `auditLogs/signIns` `$filter` on `userPrincipalName`/`status` returned empty silently, and `$top=999` returned an empty `value`; resolved by pulling unfiltered at `$top=200` and filtering client-side with jq. +- Coord todo POST initially failed validation (missing `created_by_user`/`created_by_machine`); resolved by adding both required fields. +- Briefly suspected a sync collision because the rebase diffstat showed the QWM report + wiki under "incoming"; verified it was just the pre-rebase comparison direction — Mike's same-day commits were for Jupiter/GURU-KALI/EZ Fast Auto Glass, zero QWM overlap. Files intact after rebase. + +## Configuration Changes + +Created: +- `clients/quantumwms/reports/2026-06-01-m365-review.md` — full read-only M365 review (committed earlier this session, commit `847d634`). + +Modified: +- `wiki/clients/quantumwms.md` — corrected tenant to `2fd0092b`, rewrote users/CA section, added Current Status + security block, updated Open Items (committed `847d634`). 
+ +Coord API (server-side, not repo): +- Component `clients-quantumwms/m365` = active (created) +- Component `clients-lens-auto-brokerage/gururmm-deployment` = pending (verified 0 agents) +- Component `clients-sombra-residential/gururmm` = degraded (Server2013 offline) +- Component `clients-birth-biologic/datto-smartbadge` = active (created, PASS verified) +- Component `clients-deere-park/wifi-quote` = pending (created) +- Todo `46bda3ec` -> done (QWM 6/03 lapse) +- Todos created: `bf09d843` (QWM security/spray), `72060fc8` (QWM migration remainder), `7221c025` (Sombra Server2013 offline, ->howard), `10536f07` (exposed secret, ->mike) + +## Credentials & Secrets + +- **EXPOSED (flagged, not yet remediated):** plaintext `ClientSecret` for app `fabb3421-8b34-484b-bc17-e46de9703418` (deprecated ComputerGuru AI Remediation app) in ACG partner tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d`, committed at `clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1` line 9 (and in git history). Tracked in todo `10536f07` — rotate + remove + confirm app retirement. +- QWM read performed with ComputerGuru Security Investigator app `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` (cert auth, read-only). No new secrets created. +- QWM break-glass remains vaulted at `clients/quantumwms/m365-breakglass.sops.yaml`. + +## Infrastructure & Servers + +- **QWM M365 tenant (current):** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management", `quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial). Users: john@/sheila@ (Business Premium, not MFA-registered), sysadmin@ (Mike, GA, MFA), breakglass@ (GA, CA-excluded). CA001/CA002/CA003 all report-only; Security Defaults ON. Abandoned tenants: `8f7eaff4` (johnvelez/NETORGFT2570783), `ddf3d2c9` (dormant GoDaddy netorg18235235). +- **GuruRMM:** API `http://172.16.3.30:3001`. Len's Auto Brokerage client `bc76984f`, site "Main" code `UPPER-STAR-2820` — 0 agents. 
Sombra Residential client `4143369f`: Server2013 (agent `5383e9c1`, build 9200, OFFLINE last_seen 2026-05-14) + DESKTOP-UQRN4K3 (Win11, online). Birth Biologic KSTEENBB2025 agent `ee3c6aea` (online, verify PASS). +- **Syncro #32279** "Onsite - Install Office (and new quote for wifi)", customer Deere Park Development (id 7088463), internal id 110305905, status New. DPA Inc tenant `11de2fe0-4fa4-4b28-a430-40bc20c86fc2`. + +## Commands & Outputs + +- Graph token: `bash get-token.sh 2fd0092b-... investigator` (cert auth). +- Sign-in pull (filter quirk workaround): `GET /v1.0/auditLogs/signIns?$top=200` then jq client-side. John: 102 events, 4 success (all Tucson 69.254.197.173, 5/27), 98 failures (94x err 50053 malicious-IP block, 4x err 50126 bad password). Foreign: Amsterdam NL `192.42.116.61` (50053), Praha CZ `130.193.15.79` (50126). +- Component PUT pattern: `PUT /api/coord/components/clients-/` (hyphenated key). + +## Pending / Incomplete Tasks + +- **QWM (Mike owns now):** security todo `bf09d843` (reset John pw, MFA registration, enforce CA001+CA003); migration remainder `72060fc8`; PST backups `d3623023`; close stale `37f2196c`. +- **Len's Auto Brokerage GuruRMM deployment** — NEXT TASK this session. Site `UPPER-STAR-2820` exists, 0 agents. Need site-specific MSI from dashboard, then execute GPO rollout to ~10 endpoints. Prep in `clients/lens-auto-brokerage/docs/`. +- **Sombra Server2013 offline** — todo `7221c025` (investigate power/service/connectivity; EOL box dark). +- **Deere Park** — build + send updated UniFi quote to Richard Glabman, attach to #32279. +- **Exposed secret** — todo `10536f07`. +- **Doc gap:** no GDAP/onboarding rules doc; offered to draft `wiki/patterns/m365-client-onboarding.md`. + +## Reference Information + +- QWM report: `clients/quantumwms/reports/2026-06-01-m365-review.md`. Prior commit `847d634`. +- Onboarding docs: `.claude/skills/remediation-tool/references/{gotchas.md,tenants.md}`, `scripts/onboard-tenant.sh`. 
GDAP groups: `clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1` (13 M365 GDAP groups + AdminAgents in tenant ce61461e). +- Coord API: `http://172.16.3.30:8001/api/coord`. Todos this session: 46bda3ec(done), bf09d843, 72060fc8, 7221c025, 10536f07. +- Syncro #32279: https://computerguru.syncromsp.com/tickets/110305905
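Review bot: the "Credentials & Secrets" entry in this hunk should state that the exposed `ClientSecret` is to be treated as compromised and rotated first, because the same entry notes the value is already in git history, so deleting it from line 9 of `add-rob-to-gdap-groups.ps1` (or rewriting history) does not undo the exposure; the todo text "rotate + remove + confirm app retirement" has the right order, and the log should say so explicitly. Since this session log is itself auto-synced into the repo, it also reproduces the exact file path and line number of the live secret next to the app ID and partner tenant ID, which only widens discoverability until rotation is done; consider keeping that location detail in todo `10536f07` rather than in the committed log. One smaller point under "Commands & Outputs": the sign-in pull was an unfiltered `$top=200` page filtered client-side, so the "102 events / 98 failures" figures for John are bounded by that page size and the log should note that the counts may be truncated if the tenant had more than 200 recent sign-in events.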