docs(session)+rules: 2026-05-27 — Quantum M365 onboarding, IX autodiscover fix, Syncro emergency/labor/attribution rules

Session logs: root (Michael #32329 hosting offer + IX simplehost.email autodiscover DNS fix + Cascades #32332 emergency correction) + Quantum client log (M365 tenant 2fd0092b onboarding, break-glass GA, CA report-only).

Syncro rule overhaul:
- Emergency billing: prepaid -> 26184 @ hours x1.5 (was 26118); non-prepaid -> 26184 with channel rate (onsite $262.50 / remote+inshop $225)
- Never make up labor items (existing product + real name; QuickBooks sync)
- Corrections preserve original tech's user_id (commission); adding notes/labor never changes ticket owner

/remediation-tool: Conditional Access may be managed programmatically (report-only first + exclude break-glass + confirm before enforce); fabb3421 deprecated for customer tenants; Quantum tenant onboarded (gotchas table).

Memory: 4 new (no-madeup-labor, corrections-preserve-tech, ca-programmatic, quantum-godaddy-tenant) + updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

session-logs/2026-05-27-session.md

@@ -254,3 +254,65 @@ Built a new `/mailbox` command (`.claude/commands/mailbox.md`) for reading and s
 ### Reference Information
 
 - Commits: `b22de6c` (gitignore autotask), `f8c00d3` (add /mailbox). Skill: `.claude/commands/mailbox.md`. Graph app `fabb3421` (see also `feedback_365_remediation_tool.md`).
+
+---
+
+## Update: 14:55 PT — Quantum M365 onboarding; IX autodiscover fix; Syncro emergency/labor rule overhaul
+
+### Session Summary
+
+Multi-client afternoon. **Michael Johnson #32329** (residential, prepaid=none): pulled the calendar-emergency ticket; emailed a hosting offer (his neptune-hosted mailbox has never been billed — product `45869` "Email - Exchange Hosted Email" $5/mo, or $50/yr) and **waived today's emergency fee** as a courtesy (noting declared emergencies normally carry a half-hour min). Noticed he was getting **Outlook cPanel redirect popups** and traced it to the `simplehost.email` DNS zone on **IX** (`172.16.3.10`, WHM/cPanel): `autodiscover`/`autoconfig` + a set of SRV records pointed at the cPanel box instead of the real mail host. Fixed `autodiscover` → CNAME `mail.acghosting.com` and removed all 6 SRV records (autodiscover/caldav/carddav); left `autoconfig` per Mike. Backed up the zone first. Emailed Michael that it's resolved.
+
+**Quantum Wealth Management** M365 migration advanced substantially — full detail in `clients/quantumwms/session-logs/2026-05-27-session.md`. Summary: Jen Curry (IFG) approved the move; appointments + PST-backup TODO + an empty "365 Services" recurring template created; the GoDaddy-parked tenant was bypassed for a **fresh tenant `2fd0092b`**, onboarded with the full ComputerGuru app suite (Pax8 GDAP + `onboard-tenant.sh`); started the security baseline — break-glass GA, Conditional Access in report-only (programmatic), John's password set, office static-IP requested for a trusted-location policy.
+
+**Cascades #32332** (prepaid) drove a Syncro rule overhaul. Howard had billed an emergency new-user setup with **made-up labor line names** ("Emergency Call Setup", "Onsite Computer Setup") on the wrong product. Corrected to a single line — `26184` "Labor - Emergency or After Hours Business" @ **2.25** (1.5 hrs × 1.5) — **via `update_line_item` (preserving Howard's `user_id=1750`** so his commission stayed intact). Posted an internal note for Winter; Winter resolved it / handled the invoice+QB re-sync.
+
+That cascade produced several **rule changes** (all encoded in memory + the relevant skills): emergency billing (prepaid → `26184` @ hours×1.5 quantity, replacing the old `26118`×1.5; non-prepaid → `26184` with channel rate: Onsite $262.50, Remote/In-Shop $225); **never make up labor items** (existing product + real name; made-up items break the QuickBooks sync; description is free text); **corrections preserve the original tech's `user_id`** (commission); **Conditional Access may now be managed programmatically** (report-only first + exclude break-glass + confirm before enforce); and the **`fabb3421` app is deprecated** for customer-tenant onboarding (breaks AADSTS650052 on no-MDE tenants — use the tiered suite).
+
+### Key Decisions
+
+- **IX autodiscover fix via `whmapi1`, backup-first** — removed the cPanel proxy-subdomain hijack (autodiscover A→cPanel + SRVs) that caused Outlook redirect alerts; pointed autodiscover at the real Exchange (`mail.acghosting.com` = 67.206.163.124). Affects all `simplehost.email` hosted-mail clients, not just Michael.
+- **#32332 corrected in place (`update_line_item`), not remove+add** — preserved Howard's `user_id`/commission. Codified as a rule: corrections are a debug action, don't reassign labor to the correcting tech.
+- **Emergency rule: prepaid now uses `26184`** (was `26118`) at hours×1.5 quantity — keeps the line labeled emergency for QuickBooks; the dollar double-1.5 worry is moot for prepaid ($0 invoice).
+- **Quantum: fresh tenant + CA over Security Defaults + programmatic CA** (see Quantum log).
+
+### Problems Encountered
+
+- **Wrong-tenant consent** for Quantum (pointed at GoDaddy `ddf3d2c9`; `sysadmin@` bounced) — re-discovery showed the domain had verified into the new `2fd0092b`; corrected. (Quantum log.)
+- **`onboard-tenant.sh` replication-lag perm errors** — re-ran (idempotent) → clean.
+- **#32332 prepaid gotcha** — Mike's "use the emergency item `26184`" would've been wrong for a prepaid customer under the OLD rule; the prepay check (27 hrs) caught it, then Mike clarified the rule (prepaid emergency = `26184` ×1.5 quantity).
+
+### Configuration Changes
+
+- IX `172.16.3.10`: `/var/named/simplehost.email.db` — `autodiscover` A→CNAME `mail.acghosting.com`, 6 SRV records removed, `autoconfig` left. Backup `simplehost.email.db.bak-claude-20260527`.
+- Memory (new): `feedback_syncro_no_madeup_labor_items.md`, `feedback_syncro_corrections_preserve_tech.md`, `feedback_ca_programmatic_management.md`, `project_quantum_godaddy_m365_tenant.md`. (modified): `feedback_syncro_emergency_billing.md`, `feedback_365_remediation_tool.md`, `MEMORY.md`. (committed earlier this session): `feedback_psa_default_syncro.md`, `reference_coord_messages_api_shape.md`.
+- Skills: `.claude/commands/syncro.md` (emergency-billing rules, 4 spots), `.claude/skills/remediation-tool/SKILL.md` (CA-manual boundary relaxed), `.claude/skills/remediation-tool/references/gotchas.md` (Quantum tenant row).
+- Syncro: #32329 (Michael) hosting offer + waiver + DNS-fix notes, status Waiting on Customer; #32332 (Cascades) single corrected emergency line + internal note.
+
+### Credentials & Secrets
+
+- IX `simplehost.email` autodiscover now → `mail.acghosting.com` (neptune Exchange, `67.206.163.124`). IX = `172.16.3.10` (vault `infrastructure/ix-server.sops.yaml`).
+- Michael Johnson hosted-email billing product: `45869` ("Email - Exchange Hosted Email", $5). Customer 152567.
+- Quantum creds (tenant `2fd0092b`, break-glass, John's initial pw) — in the Quantum client log.
+
+### Infrastructure & Servers
+
+- IX (`172.16.3.10`, ix.azcomputerguru.com, ext 72.194.62.5): Rocky Linux WHM/cPanel, 80+ accounts. Hosts `simplehost.email` DNS zone (ACG hosted-email domain). `mail.acghosting.com` = neptune Exchange (`67.206.163.124`).
+
+### Commands & Outputs
+
+- IX: `whmapi1 removezonerecord/addzonerecord zone=simplehost.email ...` (autodiscover→CNAME, SRVs removed); verified via `dig +short autodiscover.simplehost.email`.
+- #32332: `PUT /tickets/111233015/update_line_item` → `26184` @ 2.25, `user_id` preserved 1750.
+
+### Pending / Incomplete Tasks
+
+- **Michael #32329:** awaiting hosting choice ($5/mo vs $50/yr); ticket Waiting on Customer.
+- **Cascades #32332:** Resolved; Winter verifying invoice/QB re-sync.
+- **Quantum:** see Quantum log — Thu 5/28 1PM Jen DNS + mail cutover, PST backups, CA enforce, Defender, static IP.
+- IX autodiscover may be recreated by cPanel proxy-subdomain feature — if Michael's popups return, disable that feature in WHM.
+
+### Reference Information
+
+- Tickets: #32329 (id 111214431, Michael Johnson), #32332 (id 111233015, Cascades), #32323 (id 111056440, Quantum).
+- IX `172.16.3.10`; mail.acghosting.com `67.206.163.124`. Products: hosting `45869`, emergency `26184`, onsite `26118`, remote `1190473`. Tech user_ids: Mike 1735, Howard 1750, Winter 1737.
+- Quantum tenant `2fd0092b`; detail in `clients/quantumwms/session-logs/2026-05-27-session.md`.