diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 0ef720a..cf8accf 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -21,14 +21,6 @@ - [Gitea git-op latency](reference_gitea_git_op_latency.md) — SSH (.20:2222) is SLOWEST (~1.5s); internal HTTP+token ~0.55s; SOPS lookup only ~0.33s. Don't switch to SSH for speed. Gitea SSH is .20:2222 (API ssh_url .21 is wrong). - [GuruRMM technical reference](reference_gururmm.md) — Server (172.16.3.30) layout + downloads dir `/var/www/gururmm/downloads` + `.channel` sidecar rollout control (stable/beta) + privileged server access via the server's OWN root RMM agent (hostname `gururmm`, no SSH needed; plink fallback) + API + `context=user_session` (WTS impersonation) + build-pipeline vendoring at `deploy/build-pipeline/` + Linux agent systemd sandbox trap. - [Trebesch DESKTOP-QNP3ON5 shell replacement](reference_trebesch_qnp3on5.md) — AT Trebesch box runs an Explorer shell replacement; explorer.exe owner check returns blank — use Win32_ComputerSystem.UserName. GuruRMM SWIFT-LION-2892. -- [Dataforth Contact - AJ](reference_dataforth_contact.md) -- AJ at Dataforth - email forwarding setup needed for dataforthgit@ address -- [GuruRMM API — run PowerShell on any agent](reference_gururmm_api.md) -- API endpoints, auth flow, and curl recipe to execute a script on any GuruRMM agent and retrieve output. Use this instead of asking user to paste script into ScreenConnect. -- [reference_gururmm_pipeline_vendored](reference_gururmm_pipeline_vendored.md) -- GuruRMM build-pipeline scripts are now version-controlled at deploy/build-pipeline/ in the gururmm repo (2026-06-01); build-shared.sh auto-syncs them to /opt/gururmm each build, so edit-in-repo + push = live — EXCEPT build-shared.sh + webhook-handler.py, which need a manual cp. 
-- [GuruRMM Server Layout](reference_gururmm_server.md) -- SSH user, home directory, and deploy paths on 172.16.3.30 -- [gururmm-user-session-context](reference_gururmm_user_session_context.md) -- GuruRMM commands accept context=user_session (migration 041) to run as the active logged-on user via WTS impersonation — executes previously-interactive-only commands that fail as SYSTEM with "NonInteractive mode -- [IX Server Access via Tailscale](reference_ix_access_tailscale.md) -- IX server (ix.azcomputerguru.com) is accessible with Tailscale on, no VPN needed -- [IX Server SSH Access](reference_ix_server_ssh.md) -- SSH access notes for IX server - key auth not set up on GURU-5070 (was CachyOS), must use sshpass with password -- [reference_rmm_agent_runs_in_systemd_sandbox](reference_rmm_agent_runs_in_systemd_sandbox.md) -- Commands dispatched via the GuruRMM agent execute INSIDE the agent's systemd sandbox (ProtectSystem=strict) — fs/mount observations reflect the agent's private namespace, NOT the host. For host truth, SSH directly or read /proc//mountinfo. ## Users - [Howard Enos](user_howard.md) — Mike's brother, technician, full access. Machines: ACG-TECH03L, Howard-Home (authoritative in users.json). 
@@ -76,34 +68,6 @@ ### Cascades - [Cascades operational rules](feedback_cascades.md) — Two active rules: (1) folder redirection (fdeploy) needs subfolders PRE-CREATED before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1. (2) ALWAYS ask which security group(s) a new user goes into — never auto-derive from OU. -- [feedback-rmm-unc-path-encoding](feedback-rmm-unc-path-encoding.md) -- RMM PowerShell UNC paths via user_session context lose one backslash when using string literals — must build with [char]92 -- [feedback_cascades_folder_redirect](feedback_cascades_folder_redirect.md) -- Cascades folder redirection — fdeploy failure/retry behavior, correct new-user procedure, recovery script location -- [cascades-user-security-group](feedback_cascades_user_security_group.md) -- When creating or adding any Cascades user, always ask which security group(s) the account goes into — deliberate decision, never auto-derived from OU -- [feedback_gururmm_agent_parity](feedback_gururmm_agent_parity.md) -- Add feature X to the agent" means all three platforms (Windows + Linux + macOS) in the same change — no exceptions -- [feedback-gururmm-builds](feedback_gururmm_builds.md) -- GuruRMM builds must go through the Gitea webhook pipeline, never run manually via SSH -- [feedback-howard-delegation](feedback_howard_delegation.md) -- Howard prefers to leave backend/server-side follow-up and risky implementation work to Mike unless explicitly asked — don't assign those items to Howard or prompt him to do them. -- [feedback_no_botalerts_internal_rmm](feedback_no_botalerts_internal_rmm.md) -- Post #bot-alerts ONLY when an RMM command directly affects a client endpoint or a ticket; skip for internal infra/build/dev/recon (e.g. 
PLUTO build-runner setup) -- [feedback_no_indented_code_blocks](feedback_no_indented_code_blocks.md) -- Never indent code inside code blocks — Howard copy-pastes directly and leading spaces break PowerShell commands -- [GuruRMM development is Mike's, not Howard's](feedback_rmm_dev_is_mike.md) -- GuruRMM code/bugs/dev are Mike's domain — never route RMM dev or bug coord notes to Howard. Howard only SUBMITS RMM feature requests; GuruScan is Howard's project, not RMM -- [feedback_rmm_identify_by_ip](feedback_rmm_identify_by_ip.md) -- When the offending/target machine is known by external IP, identify the RMM agent by matching the IP — don't recon every candidate. -- [Syncro — verify appointment date day-of-week](feedback_syncro_appointment_date_check.md) -- Before creating any Syncro appointment, verify the computed date falls on the intended weekday (py datetime) and show the day name in the preview. Wrong-day incident #32312 2026-05-21. -- [Syncro — confirm appointment owner explicitly when creating tickets with appointments](feedback_syncro_appointment_owner.md) -- When creating Syncro tickets that include an appointment, always ask "who is the appointment owner?" before posting. Don't auto-default to the ticket's assigned tech, and distinguish owner from additional attendees. -- [Syncro — leave contact blank by default on tickets and billing](feedback_syncro_blank_contact.md) -- When creating Syncro tickets or billing them out, leave the contact field blank ("Not Assigned") in most cases. Blank contact lets Syncro use the company-level defaults for notifications and email routing. Setting a specific contact can route to a secondary email and bypass the customer's intended distribution. -- [Syncro — Cascades contact incident detail (Meredith Kuhn)](feedback_syncro_cascades_contact.md) -- Incident context for why the blank-contact rule matters at Cascades — Meredith Kuhn is the recurring wrong default that Syncro pre-selects. 
See feedback_syncro_blank_contact.md for the global rule. -- [Syncro duplicate prevention — tickets AND comments](feedback_syncro_comment_dedup.md) -- Never retry ANY Syncro POST (ticket create or comment) without first GETting to confirm the action didn't already succeed — Syncro has no idempotency on any endpoint -- [feedback-syncro-content-type](feedback_syncro_content_type.md) -- Syncro API POST calls require explicit Content-Type application/json header or they 400 with an HTML error page -- [feedback-syncro-corrections-preserve-tech](feedback_syncro_corrections_preserve_tech.md) -- Preserve Syncro attribution — corrections keep the original tech's labor user_id (commission); and adding notes/labor never changes the ticket owner. Only reassign labor or ticket ownership when explicitly asked. -- [Syncro emergency/after-hours billing — check prepay_hours first](feedback_syncro_emergency_billing.md) -- Emergency labor is time-and-a-half (×1.5), applied once, never additive. Branch by customer.prepay_hours. Prepaid → emergency item 26184 at hours×1.5 (premium in quantity); non-prepaid → 26184 at actual hours (rate has 1.5×). -- [feedback_syncro_estimate_hardware](feedback_syncro_estimate_hardware.md) -- Hardware line items on Syncro estimates always use product_id 32252 with varying name/price per item -- [Syncro comment HTML formatting](feedback_syncro_html.md) -- Use
for line breaks in Syncro comments, not
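Review bot: In the first hunk (@@ -21,14 +21,6 @@), three of the removed index entries have no visible replacement: reference_dataforth_contact.md, reference_ix_access_tailscale.md and reference_ix_server_ssh.md. The retained "GuruRMM technical reference" line absorbs the server layout, API, context=user_session, build-pipeline vendoring and systemd sandbox entries, but nothing in the surviving context mentions Dataforth or the IX server. Point to the consolidated entry that covers them, or remove the underlying files in the same change so they are not left orphaned. The removed pipeline entry also carried the caveat that build-shared.sh and webhook-handler.py need a manual cp; the consolidated summary line no longer states it, so confirm it survives in reference_gururmm.md.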
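Review bot: In the second hunk (@@ -76,34 +68,6 @@), most of the entries removed from under "### Cascades" are not Cascades rules, and the retained "Cascades operational rules" line only absorbs the folder-redirection and security-group ones. The GuruRMM guardrails (builds must go through the Gitea webhook pipeline, three-platform agent parity, the [char]92 UNC path workaround, identify the agent by external IP) and the Syncro guardrails (GET before retrying any POST, explicit Content-Type application/json, emergency item 26184 billing, product_id 32252 for hardware) have no replacement visible in this hunk's context. Confirm each one maps to a surviving consolidated line before merging, and consider filing those consolidated lines under their own headings rather than under Cascades.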