sync: auto-sync from GURU-5070 at 2026-05-26 15:58:46

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 15:58:46

wiki/clients/quantumwms.md

@@ -0,0 +1,159 @@
+---
+title: Quantum WMS
+slug: quantumwms
+type: client
+project_key: clients/quantumwms
+last_updated: 2026-05-26
+---
+
+# Quantum WMS
+
+## Overview
+
+| Field | Value |
+|---|---|
+| Company | Quantum WMS |
+| Primary domain | quantumwms.com |
+| Personal domain | sheilaperess.com |
+| M365 tenant | `NETORGFT2570783.onmicrosoft.com` / `8f7eaff4-f913-4d3f-b8b9-92e695d987c6` |
+| GoDaddy admin | `plan@johnvelez.com` (John Velez) — ACG has delegate access |
+| Project key | `clients/quantumwms` |
+
+## Contacts
+
+| Name | Role | Notes |
+|---|---|---|
+| John Velez | Primary / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains |
+| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier |
+
+## Current Email Infrastructure
+
+- **Registrar:** GoDaddy (quantumwms.com + sheilaperess.com) — ACG has delegate access
+- **DNS:** GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM) — no DNSSEC
+- **Mail routing:** Intermedia hosted Exchange — `exch090.serverdata.net` cluster (east/west)
+  - IP: `64.78.25.106` (Intermedia data center)
+  - Autodiscover: `ar-east.exch090.serverdata.net`
+  - This is Exchange Server software hosted by Intermedia, NOT Exchange Online
+- **Intermedia setup:** Appears hybrid on-premises Exchange — carries full Exchange Server CVE exposure
+
+### DNS / Email Security Gaps (CRITICAL)
+
+| Record | Status | Impact |
+|---|---|---|
+| DMARC | **MISSING** | Anyone can spoof @quantumwms.com with no enforcement |
+| SPF | **TWO RECORDS** (misconfiguration) | RFC 7208 allows only one; causes unpredictable SPF evaluation and deliverability failures |
+| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed |
+| DNSSEC | Not signed | Domain hijack risk |
+
+SPF records found (conflict):
+1. `v=spf1 include:spf.intermedia.net -all`
+2. `v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all`
+
+## M365 Tenant (GoDaddy/johnvelez.com)
+
+- **Tenant created:** 2016-12-05 (GoDaddy-provisioned)
+- **onmicrosoft domain:** `NETORGFT2570783.onmicrosoft.com`
+- **quantumwms.com** is NOT a verified domain in this tenant — email runs entirely through Intermedia
+- **Remediation app consent:** Tenant Admin tier consented by John (plan@johnvelez.com) 2026-05-26
+
+### Users
+
+| UPN | Display | Licenses | Notes |
+|---|---|---|---|
+| `plan@johnvelez.com` | John Velez | O365 Business Essentials + Flow Free | Active — no desktop Office apps |
+| `admin@NETORGFT2570783.onmicrosoft.com` | johnvelez.com | None | GoDaddy admin account |
+| `john__quantumwms.com@NETORGFT2570783.onmicrosoft.com` | john@quantumwms.com | None | Shell account, no mailbox, created 2026-03-16 |
+| `migrationapp@NETORGFT2570783.onmicrosoft.com` | SkyKick Inc. | None | Old 2016 migration app account |
+
+### Consent URL (Tenant Admin tier)
+
+```
+https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+Post-consent onboard command:
+```bash
+bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6
+```
+
+## Compliance Context: Broker/Dealer Requirements
+
+John and Sheila believe Intermedia is mandated by their Broker/Dealer. **This is almost certainly incorrect.**
+
+### What SEC Rule 17a-4 / FINRA Rule 4511 actually require
+
+- Electronic communication retention (3 years accessible, 6 years total for most records)
+- Non-rewritable, non-erasable (WORM-compliant) archiving
+- Supervisory review capability
+- Ability to produce records on regulatory demand
+
+### What they do NOT require
+
+- Intermedia specifically
+- Any named third-party vendor
+- Exchange Server or hosted Exchange
+
+### Microsoft 365 satisfies all FINRA/17a-4 requirements
+
+Microsoft Purview (included in Business Premium) provides WORM-compliant archiving with a CFTC/SEC 17a-4 compliance attestation from Cohasset Associates. The majority of FINRA-registered broker/dealers run on Exchange Online. FINRA has published guidance explicitly endorsing cloud-based recordkeeping.
+
+### Action item (BLOCKER)
+
+Sheila has been asked to produce **written policy from the Broker/Dealer that explicitly names Intermedia** as the required platform. This policy is expected not to exist — the B/D policy will require compliant archiving, not a specific vendor. Resolution expected before meeting 2026-05-27 14:00.
+
+## Recommended Architecture: M365 Business Premium + Mailprotector
+
+### License Plan
+
+| Account | License | Domain |
+|---|---|---|
+| John (firm) | M365 Business Premium | quantumwms.com |
+| Sheila (firm) | M365 Business Premium | quantumwms.com |
+| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com |
+| Others TBD | Exchange Online Plan 1 | TBD |
+
+### What Business Premium provides over Intermedia
+
+| Capability | Intermedia Hosted Exchange | M365 Business Premium |
+|---|---|---|
+| Email | Exchange Server (hosted) | Exchange Online (Microsoft cloud) |
+| Exchange CVE exposure | YES — full Server CVE surface | No — Microsoft patches same-day |
+| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) |
+| Frontend filtering | None | Mailprotector (ACG-managed) |
+| MFA enforcement | Manual | Entra ID P1 — Conditional Access |
+| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview — included |
+| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) |
+| Mobile device management | No | Intune — included |
+| DMARC/DKIM setup | Not managed | ACG-managed during migration |
+
+### Migration Steps
+
+1. [DONE] Get consent from John (2026-05-26)
+2. Obtain written B/D compliance policy from Sheila — confirm no Intermedia mandate
+3. Add quantumwms.com as verified domain to johnvelez.com tenant
+4. Purchase 2x Business Premium (direct or ACG CSP)
+5. Create firm mailboxes (john@quantumwms.com, sheila@quantumwms.com)
+6. Assign Business Premium licenses
+7. Set up Mailprotector frontend for quantumwms.com
+8. Configure DMARC, fix SPF (single record), configure DKIM
+9. Cut MX from Intermedia → Exchange Online
+10. Migrate existing mail from Intermedia → Exchange Online
+11. Activate Office apps on their machines
+12. Cancel Intermedia after cutover confirmed
+13. Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare
+14. Purchase Exchange Online Plan 1 for personal domain accounts
+15. Cancel GoDaddy email hosting per account as each migrates
+
+### GoDaddy Decoupling Plan
+
+- DNS: move both domains to Cloudflare (transfer locks must be removed in GoDaddy first)
+- M365 licensing: swap GoDaddy-resold O365 Business Essentials → Business Premium
+- Intermedia: cancel after mail cutover confirmed
+
+## Open Items
+
+- [ ] **BLOCKER:** Sheila to produce B/D written policy on email compliance requirements (due 2026-05-27 14:00)
+- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade
+- [ ] Determine additional personal domain accounts beyond sheilaperess.com
+- [ ] DNS cutover timing for both domains
+- [ ] Confirm whether SkyKick migration app account (2016) can be deleted

wiki/index.md

@@ -42,6 +42,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
 | [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 |
 | [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 |
 | [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 |
+| [Quantum WMS](clients/quantumwms.md) | WMS company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 |
 
 ## Projects