diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 915be916..228e3826 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -135,6 +135,7 @@ - [Only RMM & GC are versionable products](project_versionable_products.md) — GuruRMM + GuruConnect are the only products with own repos/submodules; everything else stays in the claudetools monorepo. Split only for independent pipeline OR versioned external consumer. - [Quantum GoDaddy M365 tenant](project_quantum_godaddy_m365_tenant.md) — quantumwms.com parked in a GoDaddy-provisioned M365 tenant (id ddf3d2c9-b76c-40d9-a216-9f11a1a26f97, netorg18235235.onmicrosoft.com); blocks Pax8 migration until GoDaddy removed. - [Howard-Home LAN shadow (RESOLVED)](howard-home-lan-shadow.md) — Howard-Home renumbered 2026-06-16 to **10.137.42.0/24** (gw 10.137.42.1, UniFi — NOT pfSense), off the old 192.168.0.0/24 that shadowed Cascades pfSense .0.x over the VPN. Cascades .0.x should now route via the tunnel; this machine is 10.137.42.x now (not 192.168.0.x). +- [Cascades CARF tech plan](project_cascades_carf_tech_plan.md) — Ashley's "technology plan" is a CARF accreditation deliverable (Aging Services Technology and System Plan standard); must use CARF action-plan structure (owner/cost/target+completion dates per area), persons-served assistive-tech lens, annual-review sign-off; it's Cascades' leadership-adopted plan, ACG supplies content. - [Cascades](project_cascades.md) — Active state: Syncro ticket #110680053 + plan file (machine-specific path on Howard's box), admin accounts (sysadmin@=Howard, admin@=Mike — daily-driver, NOT break-glass), Phase-B caregiver CA pilot (SG-Caregivers-Pilot, group-scoped never tenant-wide), prepaid block ~37.5h (rate TBD), pilot cleanup checklist. - [Cascades history](project_cascades_history.md) — fdeploy 502/ACL root cause (Flags=1211→187 fix), 2026-04-29 CA-rescoping decision (Howard pulled the brakes on tenant-wide), 2026-05-14 per-user-security-group decision rationale. 
- [Cascades isolated-VLAN pattern](project_cascades_isolated_vlan_pattern.md) — pfSense: the GUEST VLAN (VLAN50/igc1.50) is the isolation template (4 any-proto quick rules: block 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any; public DNS via DHCP). VLAN20 is NOT isolated. Verify with `pfctl -sr`, not config.xml. Protocol MUST be Any (TCP-only leaks UDP). VOICE VLAN30 built to this 2026-06-17. diff --git a/.claude/memory/project_cascades_carf_tech_plan.md b/.claude/memory/project_cascades_carf_tech_plan.md new file mode 100644 index 00000000..6286cba5 --- /dev/null +++ b/.claude/memory/project_cascades_carf_tech_plan.md 
@@ -0,0 +1,27 @@ +--- +name: project_cascades_carf_tech_plan +description: Cascades technology plan is a CARF accreditation deliverable, not an MSP status report +metadata: + type: project +--- + +The Cascades of Tucson "technology plan" Ashley Jensen requested (2026-06) is for **CARF +accreditation** (Commission on Accreditation of Rehabilitation Facilities, Aging Services +program). Her agenda list maps to CARF's **Technology and System Plan** standard (Section 1 +"CARF Plans"; the 8 canonical areas: hardware, software, security, confidentiality, backup, +assistive technology, disaster recovery, virus protection). + +**Why it matters:** the document is **Cascades' plan, adopted by their leadership** (ACG is the +IT partner who supplies the technical content), NOT an ACG sales/status doc. CARF surveyors +check it as a **living action document** that, for each area, lists: current tech + unmet/ +projected needs + timeline + possible vendor + estimated/actual cost + person responsible + +target date + completion date. Must be **based on needs of persons served/personnel/stakeholders**, +**aligned to the strategic plan**, and **reviewed/updated at least annually with dated sign-off**. + +**How to apply:** any Cascades tech-plan deliverable must use the CARF action-plan structure +(owner/cost/dates columns), include a resident/persons-served assistive-technology dimension, +a backup-policy section, and a version/annual-review block. CARF passes on a credible REVIEWED +plan, not on zero gaps. Verify exact standard citation + review cadence against their current +Aging Services Standards Manual (2025/2026 edition). Deliverables live in +`clients/cascades-tucson/docs/proposals/`. Pairs with [[feedback_impeccable_on_outbound]], +[[policy_pricing_verification]] (cost figures must be verified). 
diff --git a/clients/cascades-tucson/docs/network/csc-ent-client-inventory-2026-06-24.md b/clients/cascades-tucson/docs/network/csc-ent-client-inventory-2026-06-24.md index 2b29ae2b..bf624b54 100644 --- a/clients/cascades-tucson/docs/network/csc-ent-client-inventory-2026-06-24.md +++ b/clients/cascades-tucson/docs/network/csc-ent-client-inventory-2026-06-24.md @@ -100,7 +100,7 @@ Notable: three `98:17:3c:*` devices clustered on one AP at strong signal (-39/-4 | ASSISTMAN-PC | ee:80:75:ae:49:e3 | 192.168.2.38 | Meredith Kuhn | | DESKTOP-DLTAGOI | a0:a4:c5:7a:83:16 | 192.168.3.133 | Sharon Edwards (LE) | | DESKTOP-LPOPV30 | e4:fa:c4:00:65:f1 | 192.168.2.250 | Karen Rossini | -| DESKTOP-ROK7VNM | 90:0f:0c:5a:c7:4d | 192.168.3.148 | staff (domain-joined) | +| DESKTOP-ROK7VNM | 90:0f:0c:5a:c7:4d | 192.168.3.148 | Susan Hicks (`CASCADES\Susan.Hicks`) | | DESKTOP-U2DHAP0 | e8:c8:29:6b:c1:d7 | 192.168.3.37 | Ashley Jensen | | RECEPTIONIST-PC | 98:59:7a:d7:9d:fd | 192.168.3.187 | Reception | | NurseAssist | a8:6d:aa:51:d6:55 | 192.168.3.254 | Veronica | diff --git a/clients/cascades-tucson/docs/proposals/carf-technology-plan-intake.md b/clients/cascades-tucson/docs/proposals/carf-technology-plan-intake.md new file mode 100644 index 00000000..efab6aba --- /dev/null +++ b/clients/cascades-tucson/docs/proposals/carf-technology-plan-intake.md 
@@ -0,0 +1,125 @@ +# Cascades of Tucson — CARF Technology & System Plan: Input Worksheet + +> Purpose: collect the few facts only Cascades/ACG leadership can supply, so the final +> CARF-format Technology and System Plan can be built complete (no placeholders). +> Everything marked **>> NEEDED <<** is an input from you. Everything else is pre-filled from +> ACG's records and is yours to correct. +> Prepared by Az Computer Guru · drafted 2026-06-24. Costs left blank are **[ACG TO PRICE]** +> (we verify, never guess). + +--- + +## Part 1 — Plan header & governance (CARF Section 1 requirements) + +| Field | Value | +|---|---| +| Accreditation program | **>> NEEDED <<** (Aging Services — which: Assisted Living / CCRC / other?) | +| CARF manual year / edition | **>> NEEDED <<** (2025 or 2026 Aging Services Standards Manual — so we cite the exact standard number) | +| Standard reference | Technology and System Plan (Section 1 "CARF Plans") — confirm number from your manual | +| Plan period / fiscal year covered | **>> NEEDED <<** | +| Plan owner (Cascades) | **>> NEEDED <<** (suggest: Administrator / Ashley Jensen) | +| Prepared with (IT partner) | Az Computer Guru (Mike Swanson, Howard Enos) — pre-filled | +| Approved/adopted by (leadership) | **>> NEEDED <<** (Executive Director name + title) | +| Date adopted | **>> NEEDED <<** | +| Last reviewed / Next annual review | **>> NEEDED <<** (CARF requires at least annual review with a dated record) | + +## Part 2 — Needs basis (CARF: plan must be based on the needs of persons served, personnel, stakeholders) + +Draft below — confirm or edit: + +- **Persons served (residents & families):** reliable building Wi-Fi and phone service; resident-safety + monitoring (fall detection); strict confidentiality of personal health information; access to + assistive/adaptive technology where needed. 
**>> confirm / add <<** +- **Personnel (staff & caregivers):** secure on-site access to the clinical record (ALIS) and email; + dependable phones and workstations; protection against credential theft and lost/stolen devices. **>> confirm / add <<** +- **Other stakeholders (vendors, payers, regulators):** HIPAA confidentiality, business continuity, + auditable records. **>> confirm / add <<** + +## Part 3 — Strategic-plan alignment (CARF: plan aligns to the strategic plan) + +One paragraph tying technology priorities to Cascades' strategic goals. +**>> NEEDED <<** — please share your top 2–3 strategic goals (e.g. resident safety, census growth, +regulatory standing) and we will write the alignment paragraph. + +--- + +## Part 4 — The eight areas (CARF action-document format) + +For each area, fill the four input fields: **Responsible person**, **Estimated/actual cost**, +**Target date**, **Completion date**. Current state / needs / vendor are pre-filled. + +### 1. Hardware +- **Current:** Dell PowerEdge R610 server (verified healthy 2026-06-24, all drives online); Synology + NAS; pfSense firewall; UniFi network (77 APs, 12 switches); ~29 staff PCs; resident/safety devices. +- **Unmet / projected needs:** restore server redundant power supply; install enterprise SSDs already + purchased; replace end-of-life PCs; longer-term server replacement off the 16-yr-old R610. +- **Possible vendor:** Az Computer Guru (Dell hardware). +- Responsible person: **>> NEEDED <<** (suggest ACG) · Cost: **[ACG TO PRICE]** · Target date: **>> NEEDED <<** · Completion: PSU/SSD pending + +### 2. Software +- **Current:** Microsoft 365 (Business Premium); Windows Server 2019; clinical EHR (ALIS); line-of-business apps. +- **Unmet / projected needs:** move 31 users off the suspended M365 license onto Business Premium (time-sensitive); finish staff domain migration; upgrade Windows Home PCs to Pro. +- **Possible vendor:** Microsoft / Az Computer Guru. 
+- Responsible person: **>> NEEDED <<** (suggest ACG) · Cost: **[ACG TO PRICE]** (license true-up) · Target date: **>> NEEDED <<** · Completion: in progress + +### 3. Security +- **Current:** identity-based access control (Entra), MFA, caregiver on-site/approved-device lockdown, isolated voice & resident-data network segments, email filtering. +- **Unmet / projected needs:** enable file-access audit logging on the resident-data share; build audit-retention storage (90-day + 6-year); create emergency break-glass admin accounts with security keys. +- **Possible vendor:** Microsoft / Az Computer Guru. +- Responsible person: **>> NEEDED <<** (suggest ACG) · Cost: **[ACG TO PRICE]** (audit-retention build) · Target date: **>> NEEDED <<** · Completion: pending + +### 4. Confidentiality +- **Current:** PHI access limited by role and security group; encryption in transit; single sign-on to ALIS; caregiver PCs auto-lock and sign out; per-room and voice network isolation. +- **Unmet / projected needs:** confirm signed Business Associate Agreement (BAA) with ALIS/Medtelligent; enable SMB encryption on the resident-data share; rotate one historically-exposed credential. +- **Possible vendor:** Az Computer Guru / Medtelligent. +- Responsible person: **>> NEEDED <<** · Cost: minimal/internal · Target date: **>> NEEDED <<** · Completion: pending + +### 5. Backup policy +- **Current:** cloud backup (MSP360) **verified running 2026-06-24** — last run succeeded, ~576 GB protected off-site, daily incrementals. +- **Unmet / projected needs:** confirm/extend to full system-image (bare-metal) backup for the server; **run and document a test restore** (CARF looks for this); set/confirm retention. +- **Possible vendor:** Az Computer Guru / MSP360. +- Responsible person: **>> NEEDED <<** (suggest ACG) · Cost: **[ACG TO PRICE]** · Target date: **>> NEEDED <<** · Completion: backup live; image + restore-test pending + +### 6. 
Assistive technology (persons served) — **biggest input gap** +- **Current (known):** Helpany "Paul" resident-safety sensors — ceiling radar fall/motion detection, **no camera, no microphone**; rolling out floor by floor. +- **>> NEEDED — full resident-facing inventory:** nurse-call / emergency-call / pendant system? hearing loops or assistive listening? adaptive/accessible computers or devices? resident/guest Wi-Fi for telehealth or family contact? Anything else residents use to maintain function/independence. +- **Possible vendor:** Helpany / [nurse-call vendor?] — **>> NEEDED <<** +- Responsible person: **>> NEEDED <<** · Cost: **>> NEEDED <<** (vendor-billed) · Target date: **>> NEEDED <<** · Completion: Helpany in rollout + +### 7. Disaster recovery preparedness +- **Current:** documented power-outage runbook with scripted clean shutdown and **verified recovery** (June 2026); UPS protection; backup running. +- **Unmet / projected needs:** written DR/business-continuity plan with target recovery times (RTO/RPO); add server redundancy; complete the system-image backup + restore test (links to area 5). +- **Possible vendor:** Az Computer Guru. +- Responsible person: **>> NEEDED <<** (suggest ACG) · Cost: **[ACG TO PRICE]** · Target date: **>> NEEDED <<** · Completion: procedure proven; written plan pending + +### 8. Virus protection — **close before survey if possible** +- **Current:** managed antivirus (Bitdefender) on endpoints; Microsoft Defender + email filtering. +- **Unmet / projected needs:** enroll the **main server** and all remaining PCs into managed antivirus; remove the previous IT provider's leftover security agents; run a coverage audit so every device reports in. +- **Possible vendor:** Az Computer Guru / Bitdefender. 
+- Responsible person: **>> NEEDED <<** (suggest ACG) · Cost: **[ACG TO PRICE]** (per-endpoint) · Target date: **>> NEEDED <<** · Completion: pending + +### (Extra, not CARF-required) Communication technology / Services & contracts / Use of AI +- Ashley's list also included these. We will carry them as supplementary sections (phones + Wi-Fi + device network; vendor/contract register; an AI acceptable-use policy). No CARF fields required, but + the AI-use policy strengthens the Security area. **>> confirm you want these kept <<** + +--- + +## Part 5 — Supporting evidence the surveyor may also request (status) + +| Evidence | Status | +|---|---| +| DR procedure tested + documented | **Have** (June outage runbook + verified recovery) | +| Backup running + successful **test restore** | Backup verified; **restore test owed** | +| Security risk assessment (dated) | Substance exists (HIPAA gap list); **package + date it** | +| Confidentiality controls in place | **Have** (access model, MFA, isolation); audit logging pending | +| Antivirus coverage all devices | **Gap** (server + cleanup) | +| Plan reviewed annually w/ sign-off | **To create** (Part 1 governance block) | + +--- + +## What we do once you return this +1. Build the final **CARF Technology and System Plan** (Cascades-branded, ACG as preparer) in CARF + action-document format, complete with your owners/costs/dates. +2. Package the security risk assessment + DR plan as named attachments. +3. Deliver as a print-ready PDF for leadership adoption and the survey file. diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-csc-ent-voice-helpany-consolidation-plan.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-csc-ent-voice-helpany-consolidation-plan.md new file mode 100644 index 00000000..82c51b84 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-csc-ent-voice-helpany-consolidation-plan.md 
@@ -0,0 +1,155 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +# Cascades — CSC ENT device-island consolidation plan + live client inventory + +## Session Summary + +Picked up the Cascades voice-quality thread after Richard Turner (Vertical/Poly) replied that +Poly handsets cannot be statically pinned to a band; Poly recommends a dedicated 5 GHz SSID for +the phones (or disabling band steering on a shared SSID). Verified the live UniFi config via the +`unifi-wifi` skill / UOS Mongo: the voice phones ride a PPSK voice key on the shared `CSCNet` +SSID (2.4+5 GHz), band steering (`no2ghz_oui`) is already ON across CSCNet/CSC ENT/Guest, and it +is not holding the Poly OUI on 5 GHz. Conclusion: the durable fix is a dedicated 5 GHz network, +not toggling steering. + +Pulled the Helpany context from Howard's mailbox (June 19 forward from John Trozzi + the March +install thread). Key findings: the Helpany "Paul" devices are radar fall/motion sensors +(Sedimentum backend, no camera/mic — not "IR cameras"), are WPA2-only (no WPA3/hybrid), were +deliberately placed on the `CSC ENT` SSID (key `Ftfd85710#`) as Mike's WPA2 island, carry +negligible bandwidth (<0.04 Mbps/device, ~1.35 Mbps fleet peak), and Helpany can remotely +transition them to a dedicated 5 GHz SSID if given SSID+password. Both vendors converged on the +same fix. + +Designed and documented the consolidation: repurpose CSC ENT as a 5 GHz-only WPA2 PPSK device +island carrying both the Poly phones (PPSK key -> VLAN 30) and the Helpany Pauls (PPSK key -> +new VLAN 40), separated at the VLAN layer; Pauls keep their SSID+key (not reprogrammed, only +band-moved); CSC ENT is NOT deleted (that would orphan the Pauls). Wrote the plan to +`docs/network/csc-ent-device-island-plan.md`, folded it into `docs/REMAINING-WORK-PLAN.md` +Workstream 6 + the onsite batch, and updated the wiki + `docs/network/wifi.md`. 
+ +Ran a live client pull (UOS `stat/sta`, site `va6iba3v`) to find who is actually on CSC ENT +before any change: 149 associated clients, only 68 Helpany Pauls. The other ~79 must be evacuated +first (14 staff PCs, 11 printers, 11 DIRECTV resident TVs, 11 resident IoT/TVs, 15 personal +phones/tablets, 17 unknown/randomized). ~51 are on 2.4 GHz and would drop on a 5 GHz-only flip. +Built `docs/network/csc-ent-client-inventory-2026-06-24.md`, then re-cut the data into grouped +form (Cascades/facility vs resident vs unknown, with room guesses where derivable) and DM'd the +grouped list to Howard in Discord. Identified DESKTOP-ROK7VNM as Susan Hicks's machine +(`CASCADES\Susan.Hicks`). + +## Key Decisions + +- Repurpose CSC ENT as the permanent 5 GHz-only WPA2 device island rather than build a new SSID: + the Pauls are already on CSC ENT, so they are not reprogrammed (Helpany only band-moves them); + reuse avoids an extra beaconing SSID on a dense 77-AP site. +- One SSID via PPSK with per-key VLANs (phones -> VLAN 30, Helpany -> new VLAN 40) rather than two + separate SSIDs — minimizes beacon airtime while keeping voice QoS + HIPAA L2 isolation. +- Keep CSC ENT WPA2-only forever (Helpany hard requirement); this is the prerequisite that later + lets CSCNet move to WPA3/WiFi7/6 GHz — but that step is gated by the ~230 resident 2.4-only/WPA2 + IoT clients on CSCNet, not by the voice/sensor gear (separate project). +- Do NOT flip CSC ENT to 5 GHz-only until the ~79 non-Helpany clients are evacuated; 51 clients on + 2.4 GHz would drop instantly. +- Treat resident devices (DIRECTV/Ring/Echo/TVs/phones) as the visible-impact group requiring an + onsite door-to-door reconnection plan (senior population will not self-serve). +- Room mapping must come from the AP-name map (Cascades APs are named by room/area), not IP — all + CSC ENT clients are in the flat 192.168.2.x/3.x AP pool, not per-room VLANs. 
+ +## Problems Encountered + +- UOS controller login throttle: rapid successive `/api/auth/login` calls (categorizer + retry + loop) tripped HTTP 403 lockout that persisted across later attempts. Resolved by stopping the + re-auth attempts and working from the first successful `stat/sta` pull. Logged as friction via + `log-skill-error.sh --friction`. Lesson: reuse one session / save the JSON, do not re-login per + query. The AP-name map + `stat/alluser` pulls are deferred until the lockout clears. +- Offline transcription of the captured client list summed to 147 vs the live 149 (2 dropped in + hand-transcription); category proportions unaffected. Authoritative count is 149 from the live + pull. +- Mailbox/web lookup mismatch: helpany.com markets "PAUL" radar (no cameras), while Howard + described "IR cameras." Reconciled via the March install email — they are radar sensors; the + "IR camera" label is colloquial. Flagged in docs. + +## Configuration Changes + +Created: +- `clients/cascades-tucson/docs/network/csc-ent-device-island-plan.md` — full consolidation design, + vendor constraints, VLAN 40 spec, execution sequence (incl. evacuation prerequisite), WPA3 future. +- `clients/cascades-tucson/docs/network/csc-ent-client-inventory-2026-06-24.md` — per-device CSC ENT + inventory (149), resident "help-reconnect" list, staff/printer/Helpany breakdown. + +Modified: +- `clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md` — Workstream 6 rewritten to lead with the + CSC ENT consolidation + evacuation prerequisite; onsite batch now includes per-room 5 GHz + coverage verification. +- `wiki/clients/cascades-tucson.md` — voice "actual fix" bullet updated (Richard reply), added the + `[PLAN 2026-06-24]` consolidation bullet + a Helpany vendor/hardware entry. +- `clients/cascades-tucson/docs/network/wifi.md` — CSC ENT SSID row (repurpose + do-not-delete); + Issue #5 (band steering) corrected. +- `errorlog.md` — friction entry for the login-throttle. 
+ +## Credentials & Secrets + +- `CSC ENT` / `CSCNet` WPA2 key: `Ftfd85710#` — surfaced in the March Helpany install thread. Already + vaulted as the CSCNet password (`clients/cascades-tucson/wifi-cscnet.sops.yaml`, `credentials` + block). CSC ENT shares the same key. A dedicated `clients/cascades-tucson/wifi-csc-ent` entry was + offered but not yet created (the secret value is already captured). +- Read-only UOS controller admin used for live pulls: vault `infrastructure/uos-server-network-api`. + +## Infrastructure & Servers + +- UOS UniFi controller: `172.16.3.29:11443` (HTTPS), site short `va6iba3v` / site_id + `685f39068e65331c46ef6dd2`. Mongo read via `.claude/scripts/uos-mongo.sh` (vault + `infrastructure/uos-server-ssh-key`). +- Cascades WLANs (wlanconf): CSCNet `685f39078e65331c46ef7ee5` (PPSK, 2g+5g, WPA2, no2ghz_oui ON, + bss_transition ON); CSC ENT `685f39078e65331c46ef7ee4` (single PSK, 2g+5g, WPA2, no2ghz_oui ON); + Guest `685f39078e65331c46ef7ee6` (2g/5g/6g); `element-5b32...` `685f39078e65331c46ef7ee3` + (unnamed, investigate). +- Helpany/Sedimentum egress (for VLAN 40): `*.sedimentum.com` on 5671 AMQPS, 8883 MQTT, 8030 HTTP, + 443 HTTPS; plus snapcraft.io / api.snapcraft.io / public.apps.ubuntu.com / fastly.cdn.snapcraft.io + on 443. +- Live SSID client counts (2026-06-24): CSCNet 434, CSC ENT 149, Guest 21. +- CSC ENT breakdown: Helpany Paul 68 (42 on 5 GHz, 26 on 2.4), Staff PC 14, Printer 11, DIRECTV 11, + Resident IoT/TV 11, Personal phone/tab 15, Unknown/randomized 17. ~51 on 2.4 GHz total. + +## Commands & Outputs + +- Live WLAN config: `echo 'db.wlanconf.find({site_id:"685f39068e65331c46ef6dd2"},{...}).forEach(...)' + | bash .claude/scripts/uos-mongo.sh` +- Live clients per SSID + CSC ENT detail: custom curl login to + `https://172.16.3.29:11443/api/auth/login` then `GET /proxy/network/api/s/va6iba3v/stat/sta`, + grouped by `essid` in Python. JSON saved to scratchpad `sta.json`. 
+- Mailbox search: `/mailbox` skill (ComputerGuru Mailbox app `1873b1b0`) — search `"helpany"`, read + the June 19 forward (`...AAG6nFrbAAA=`) + March install thread (`...AAGDNhycAAA=`). +- Discord: grouped list DM'd to howard via `bash .claude/scripts/discord-dm.sh howard` (2 messages). +- Friction log: `bash .claude/scripts/log-skill-error.sh "unifi-wifi/live-stats" "rapid successive + controller logins -> HTTP 403 lockout..." --friction`. + +## Pending / Incomplete Tasks + +- Controller login-throttled; once clear, pull: (1) `stat/device` AP-name map -> attach real + room/area to all 149 CSC ENT clients; (2) `stat/alluser` -> add offline resident TVs/boxes + (true count > 149). +- Identify the 17 unknown/randomized devices + the generic iPhone/iPad/Samsung BYOD (DHCP lease + names + onsite pass / John Trozzi for the named phones Espe, Sepopo). +- Reconcile the 68 Helpany serials against Helpany's install QA/placement forms (their room map). +- Build the resident-device reconnection sub-plan (target network + who reconnects what; door-to-door + worksheet). +- Decide PPSK-on-one-SSID (recommended) vs two SSIDs; confirm VLAN 40 free (and whether VLAN 10 + "CSC Internal Network" is an orphan to reclaim). +- Coordinate the change window with Vertical (Richard) + Helpany (Sandro/Eugenie); verify per-room + 5 GHz coverage onsite before any band flip. +- Optional: create dedicated `clients/cascades-tucson/wifi-csc-ent` vault entry; draft the two + vendor coordination emails. +- Update REMAINING-WORK-PLAN Workstream 2 to mark Susan Hicks's machine (DESKTOP-ROK7VNM) pinned. + +## Reference Information + +- Plan: `clients/cascades-tucson/docs/network/csc-ent-device-island-plan.md` +- Inventory: `clients/cascades-tucson/docs/network/csc-ent-client-inventory-2026-06-24.md` +- Prior voice work: `docs/network/2026-06-19-vertical-5ghz-lock-request.md`, + `docs/network/voice-vlan-cutover.md`, `reports/2026-06-18-voice-quality-diagnostic.md`. 
+- Vendors: Richard Turner (Poly/Vertical); Sandro Cilurzo + , Eugenie Nicoud (Helpany); John Trozzi + (facility liaison). +- DESKTOP-ROK7VNM = `CASCADES\Susan.Hicks`.
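Review bot: In `.claude/memory/project_cascades_carf_tech_plan.md`, the first paragraph states the standard's location and area list as settled (`Section 1 "CARF Plans"; the 8 canonical areas`), while the last paragraph says the exact citation and review cadence still have to be verified against the current manual. Later sessions will read a memory file as fact, so mark the citation as unverified where it is first stated. The frontmatter carries only `type: project`; add a date or last-verified field so a reader can tell how current the note is.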
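Review bot: In the `csc-ent-client-inventory-2026-06-24.md` hunk, the DESKTOP-ROK7VNM row changes from `staff (domain-joined)` to a named user and domain account with no record of how the attribution was made; the session log in this patch only says the machine was "identified" as hers. Add the evidence and date in the row or a footnote, since this table is the basis for planning the CSC ENT evacuation. This is also the only row shown that carries a domain account name rather than a display name, so decide whether the account belongs in this file or only in the session log.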
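Review bot: In `carf-technology-plan-intake.md` Part 4, area 4 lists "per-room and voice network isolation" under **Current**, but the session log added in this same patch states that all CSC ENT clients are in the flat 192.168.2.x/3.x AP pool, "not per-room VLANs", that CSC ENT is a single-PSK SSID currently shared by staff PCs, printers, resident devices and the Helpany sensors, and that VLAN 40 for the sensors is still to be created. The worksheet feeds a document a surveyor reads as evidence, so limit **Current** to controls that can be demonstrated today and move the rest to "Unmet / projected needs". The Part 5 row "Confidentiality controls in place: Have (access model, MFA, isolation)" needs the same check.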
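Review bot: The session log commits the literal CSC ENT / CSCNet WPA2 key in plaintext twice, once in the Session Summary and again under "Credentials & Secrets", although that section says the value is already vaulted in `clients/cascades-tucson/wifi-cscnet.sops.yaml`. Replace both occurrences with the vault path only. The log also records that the key surfaced in a vendor e-mail thread and is shared between the two SSIDs, so treat it as exposed and add a rotation item to "Pending / Incomplete Tasks", coordinated with Helpany because the plan keeps the Pauls on their existing SSID and key. The controller address, site ID and WLAN IDs under "Infrastructure & Servers" are lower risk, but they would be better referenced from the vault entry than repeated in each log.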