sync: auto-sync from GURU-5070 at 2026-06-10 15:18:03

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-10 15:18:03
This commit is contained in:
2026-06-10 15:18:16 -07:00
parent 4b0ae3448f
commit c871ad8815
4 changed files with 176 additions and 10 deletions

View File

@@ -26,9 +26,9 @@ backlinks:
- Svetlana Larionova — slarionova@grabblaw.com (end user; Leap calendar support 2026-05-04)
- sysadmin@grabblaw.com — shared admin account (M365 GA operations)
- guru@grabblaw.com — ACG-managed Global Admin account [unverified — referenced in remediation report]
- **Billing rate:** [unverified — not documented in available files]
- **Active ticket:** [unverified — no current open Syncro ticket found in sources]
- **Syncro customer ID:** [unverified — not present in available session logs]
- **Billing:** PREPAID block customer — **21.25 prepay hours remaining** as of 2026-06-10 (after ticket #32405). Syncro `prepay_hours` only shows on the per-customer detail endpoint, NOT the customer-list endpoint (list returns null — misleading). Remote labor rate $150/hr (drawn from block).
- **Syncro customer ID:** **14232794** (business: "Grabb & Durando Law Office"; primary contact on file: jwilliams@grabblaw.com)
- **Recent ticket:** #32405 (2026-06-10) — calendar-app login fix, 1.0 hr remote applied to prepaid block
## Infrastructure
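Review bot: the replaced block resolves the billing unknowns but leaves the `guru@grabblaw.com` Global Admin line directly above it still marked "[unverified — referenced in remediation report]"; an unconfirmed GA account is a higher-priority gap than a prepay balance and should be verified in the same Syncro/M365 pass or carried as an Active Work item. The `prepay_hours` caveat in the new Billing line (per-customer detail endpoint returns the value, customer-list endpoint returns null) applies to every prepaid customer, not this one, so it belongs in a fleet-wide tooling note rather than inside a single client record where nobody will look for it.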
@@ -37,8 +37,8 @@ backlinks:
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| GND-SERVER | [unverified] | On-premise server | Windows Server 2019 Standard, AMD64 | GuruRMM agent installed 2026-05-12 via site-specific MSI |
| GoDaddy VPS | 208.109.235.224 | Custom PHP web app (data.grabbanddurando.com) | CloudLinux 9.6, cPanel v126 | 99% disk full as of website migration plan — status post-migration unknown [unverified] |
| ix.azcomputerguru.com (IX) | 72.194.62.5 | ACG shared hosting — migration target | CloudLinux 9.7, cPanel | Migration planned but no session log confirms completion [unverified] |
| GoDaddy VPS | 208.109.235.224 | ORIGINAL host of data.grabbanddurando.com (long retired) | CloudLinux 9.6, cPanel v126 | App moved off years ago. Hosting path over ~2 years: GoDaddy -> WebSvr -> IX. Nothing points here now; verify the VPS is cancelled (may still bill). |
| ix.azcomputerguru.com (IX) | 72.194.62.5 (internal 172.16.3.10) | LIVE host of data.grabbanddurando.com (calendar/case app) | CloudLinux 9.7, cPanel | Current home of the app — on IX for ~1yr+ (path: GoDaddy -> WebSvr -> IX over ~2 yrs, per Mike). Confirmed live 2026-06-10. DNS `data.grabbanddurando.com -> 72.194.62.5`. cPanel acct `grabblaw`, docroot `/home/grabblaw/public_html/data_grabbanddurando`, live DB `grabblaw_gdapp_data`. App actively used. SSH via internal `172.16.3.10` only — public port 22 firewalled (times out). |
| WebSvr (ACG) | 162.248.93.81 | Main domain (grabbanddurando.com) DNS/hosting | ACG managed | Nameserver authority for grabbanddurando.com zone |
### Email & Identity
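Review bot: the rewritten GoDaddy VPS row reduces the decommission check to "verify the VPS is cancelled (may still bill)", but the row it replaces recorded a live CloudLinux/cPanel host at 208.109.235.224 carrying the case-management app and its database; if that instance is still powered on it is an unmaintained host holding client data and the legacy database credentials, whether or not anything points to it. The cleanup item should confirm the instance is destroyed (or its data wiped) rather than that invoicing stopped, and the hosting history noted in the row (GoDaddy -> WebSvr -> IX) should be checked for any stale DNS records or subdomains that still resolve there. Note also that the new IX row now concentrates the internal SSH address `172.16.3.10`, the cPanel account, docroot and live DB name in one line; that is appropriate for an ops page, but it raises the sensitivity of this file.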
@@ -62,7 +62,8 @@ backlinks:
### Web Applications
- **Primary site:** grabbanddurando.com — hosted on WebSvr (ACG)
- **Data app:** data.grabbanddurando.com — custom PHP 7.4 app using mysqli; GoDaddy cPanel account `grabbandurando`, document root `/home/grabbanddurando/public_html/new_gdapp/`, database `grabblaw_gdapp` (31 MB)
- **Data app ("the calendar site"):** data.grabbanddurando.com — custom PHP app (mysqli, PHP session `law_admin`). Calendar + case management (agenda views, `gd_calendar_events`, `gd_cases`, "Jeff's Notes", phone log, contacts). **NOW LIVE ON IX** (migrated off GoDaddy): cPanel acct `grabblaw`, docroot `/home/grabblaw/public_html/data_grabbanddurando`, live DB **`grabblaw_gdapp_data`** (app user `grabblaw_gddata`; creds hardcoded in `connection.php` — [WARNING] not vaulted). Pre-migration copies `grabblaw_gdapp` (48 users) and `grabblaw_gdapp2` still present on IX as historical snapshots.
- **Auth model:** login is `index.php``SELECT * FROM vt_users WHERE username='<login>' AND password=MD5('<pw>') AND is_enabled=1`. Login is **by username** (the form field is labeled "Username" but POSTs as `email`); password is **unsalted MD5**; the account row must have `is_enabled=1` (a disabled row returns "you have not activated your account"). Roles live in `acl_user_role` (1=Super Admin, 3=Assistant, 4=Lawyer, 5=Call Center), linked via `acl_junction_user_role`. "I forgot my password" emails a reset link (writes a `code` to `vt_users`). [WARNING] weak auth: unsalted MD5 + a plaintext password cookie set on login.
- **Case management:** Leap — integrated with M365 calendar/mail via delegated OAuth
## GuruRMM
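Review bot: the auth-model line shows the login query with the submitted username and password placed directly in the SQL text (`WHERE username='<login>' AND password=MD5('<pw>')`) but does not record whether `index.php` binds them as mysqli parameters, escapes them, or neither; that is the most important single fact about this endpoint and should be stated explicitly before the warning. The `[WARNING] weak auth` should also become a concrete Active Work item: unsalted MD5 plus a cookie holding the plaintext password means any read of the live DB (or of the historical snapshot databases the previous line says are still on IX) or any cookie exposure yields working credentials, so the minimum fix is to drop the password cookie and rehash with `password_hash()` on next successful login. Minor: the separator between `index.php` and the `SELECT` was lost (``index.php``SELECT``), so the sentence reads as one identifier, and the "form field labelled Username but POSTs as `email`" detail deserves to stay as an explicit caution for anyone scripting against the login.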
@@ -95,22 +96,26 @@ backlinks:
- **Leap OAuth consent pattern:** New hires at Grabb & Durando will NOT automatically have Leap M365 calendar sync enabled. As of 2026-05-04 tenant-wide consent was granted on the LEAP delegated app — new users should now get through the consent flow without admin intervention. Verify this holds for next new hire.
- **Leap identity binding trap:** If an admin signs in to Leap on a user's machine to grant consent, Leap stores the admin's identity token instead of the user's. Symptom: Leap syncs the wrong mailbox and throws "unable to subscribe to notifications." Fix: revoke admin OAuth grant, clear `%LOCALAPPDATA%\Microsoft Corporation\` Leap cache, re-sign in as the correct user.
- **SYSTEM context in GuruRMM commands:** Agent runs as LocalSystem. HKCU probes from GuruRMM commands read the SYSTEM hive, not a logged-in user's. Use `HKU:\<SID>` path for per-user registry work.
- **Website migration (data.grabbanddurando.com):** PHP 7.4 app, 1.8 GB files + 31 MB database. Migration target is IX (ix.azcomputerguru.com). Migration plan is detailed; no session log confirms completion — assume NOT migrated until verified.
- **Website migration (data.grabbanddurando.com):** COMPLETE — app is live on IX (`/home/grabblaw/public_html/data_grabbanddurando`, DB `grabblaw_gdapp_data`), confirmed 2026-06-10. DNS points to 72.194.62.5. App actively used post-migration.
- **[WARNING] Live user table holds only active logins — traced to the Dec 2025 rebuild (root cause of "login broken for one user"):** The live `vt_users` has only **6 of 48** rows (and 77 of 82 `acl_junction_user_role` links) vs. the older copy `grabblaw_gdapp`. Origin confirmed by 2026-06-10 forensics: a **Dec 1516 2025 server migration / MariaDB strict-mode rebuild**, documented on-server at `backups_mariadb_fix/MIGRATION_REPORT.md` ("Prepared by: IT Support" — GoDaddy/legacy → IX cPanel, PHP 7.4→8.1, MariaDB 10.11 strict mode, 61 app files modified). Live DB dir built 2025-12-16, alongside 5 clone/scratch DBs (`grabblaw_gdapp`, `gdapp2`, `_clone`, `_new`, `sandbox`) created 2025-12-11; `connection.php` repointed 2025-12-15; rocky aftermath (app `error_log` shows DB-connect failures Jan 2026). The rebuild imported every DATA table fully — all are ≥ the old copy (activity 18.6k>17.9k, gd_calendar_events 13.2k>12.6k, gd_assign_users 25.0k>23.1k; gd_cases/gd_cases_notes/gd_contacts/gd_phone_log identical) — **but `vt_users` came out short**. Binary logging is OFF, so no statement-level proof of deliberate prune vs. failed import. The live DB is authoritative and current — **do NOT full-restore from `grabblaw_gdapp`** (would lose newer live data). Correct remediation = **targeted backfill of the specific missing `vt_users` row(s) (+ `acl_junction_user_role` links) from `grabblaw_gdapp` → `grabblaw_gdapp_data`**, preserving each user's id + MD5 password. Symptom presented as "one user can't log in, everyone else fine" because the only 3 active users (rgrabb, rpesqueira, jsosa) happened to be among the 6 surviving rows.
- **Diagnostic pattern — per-user login failure on the calendar app:** first check the live DB: `SELECT id,username,is_enabled FROM grabblaw_gdapp_data.vt_users WHERE username='<u>'`. No row → user was dropped in migration; restore from `grabblaw_gdapp`. Row with `is_enabled=0` → re-enable. Row present + enabled → password/MD5 issue (use forgot-password flow or reset the hash).
## Active Work
- **AI Demand Review System** (scoping/pre-quote as of 2026-05-12): Robert Grabb wants a custom Claude API web application for AI-assisted pre-suit demand package preparation. 11-category document upload UI, structured Claude output (case snapshot, liability, medical chronology, demand letter, etc.), DOCX/PDF export, per-case audit log. Estimated 3248 hrs, $4,000$6,960 flat fee range. Discovery call questions outstanding (user count, Leap API, file server structure). See `clients/grabb-durando/ai-demand-review/CONTEXT.md` for full spec.
- **Website migration** (data.grabbanddurando.com → IX): Status unknown. GoDaddy VPS was 99% full as of project planning. No completion session log found. [WARNING] Verify migration status before any GoDaddy VPS work or billing.
- **Website migration** (data.grabbanddurando.com → IX): COMPLETE (confirmed 2026-06-10, live on IX). Remaining cleanup: confirm the old GoDaddy VPS (208.109.235.224) is decommissioned/cancelled — nothing points to it anymore but it may still bill.
- **Calendar-app user-table backfill (data.grabbanddurando.com) — DEFERRED to client:** 2026-06-10 restored `jwilliams` (Jeff Williams, id 46, Super Admin) into the live `vt_users` to fix his login. **41 other accounts still missing** from the live DB (20 enabled real users: ahayward, amarshall, apesqueira, cpavlik, ecorella, gcanto, Greg, jclark, kloya, lgonzalez, mbleaman, mcarias, mgonzales, mwaletitsch, pgrabb, rmaza, admin, etc. — plus disabled/test rows). **Per Mike (2026-06-10): only a handful of active users; left for Jeff Williams to decide later — no bulk backfill planned by ACG.** If a specific person needs access, restore just their row via targeted `INSERT ... SELECT` from `grabblaw_gdapp` (preserve id + MD5 pw); skip test/junk (`testsuntec`, `ContactOne`).
## History Highlights
| Date | Event |
|---|---|
| Pre-2026 | Established MSP client; M365 tenant (grabblaw.com) under ACG management; Leap deployed firm-wide |
| 2025-12-15 | Website migration session logs referenced (in old claude-projects path) — data.grabbanddurando.com migration likely attempted [unverified from available files] |
| 2025-12-15/16 | **data.grabbanddurando.com migrated to IX + MariaDB strict-mode rebuild** (confirmed 2026-06-10 via on-server `backups_mariadb_fix/MIGRATION_REPORT.md`, "Prepared by: IT Support"). GoDaddy/legacy → IX cPanel; PHP 7.4→8.1; MariaDB 10.11 strict mode; 61 app files modified. Live DB `grabblaw_gdapp_data` built 12-16 alongside 5 clone/scratch DBs (12-11); `connection.php` repointed 12-15; rocky aftermath (DB-connect failures in app error_log Jan 2026). The rebuild left the live `vt_users` with only ~6 of 48 logins — origin of the 2026-06-10 Jeff login issue. |
| 2026-04-20 | PROJECT_STATE.md created noting website migration stalled, no session logs recorded at that time |
| 2026-05-04 | Howard: Leap M365 calendar sync for Svetlana Larionova — OAuth consent investigation + tenant-wide LEAP consent granted by Mike; Leap identity token cleanup; Teams external-share limitation explained; second monitor added |
| 2026-05-12 | GuruRMM agent installed on GND-SERVER via site-specific MSI (v0.6.2). Diagnostic run confirms agent service running. AI demand review project kicked off — Phase Two Package delivered by Robert Grabb, ACG scoping review begun. |
| 2026-06-10 | **Calendar-app login fix + migration audit.** Reported: Jeff Williams (`jwilliams`) couldn't log in to data.grabbanddurando.com while others could. Root cause traced to the Dec 2025 IX/MariaDB rebuild, which left the live `vt_users` with only 6 of 48 logins (Jeff not among the survivors). Confirmed the app is live on IX (`grabblaw` cPanel acct, DB `grabblaw_gdapp_data`) and that the live DB is authoritative (all data tables ≥ old copy). Restored `jwilliams` (id 46, Super Admin, original MD5 password) from `grabblaw_gdapp` → live; login verified. 41 other (mostly inactive) accounts left un-restored at Mike's direction — Jeff to decide later. Billed 1.0 hr remote on new Syncro ticket #32405 — applied against their PREPAID block (invoice #67812 = $0.00; 21.25 prepay hrs remaining). Documented the app auth model, the Dec-2025 origin, and a per-user login diagnostic. |
## Backlinks
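Review bot: the deferred-backfill item and the diagnostic pattern both prescribe restoring missing `vt_users` rows with "preserve id + MD5 pw", but those hashes come from the pre-rebuild snapshot `grabblaw_gdapp`, so every restored account returns with an unsalted MD5 password that is at least six months old; if the client later asks for more accounts, restore the row with `is_enabled=0` (or a placeholder hash) and send the user through the "I forgot my password" flow rather than reviving the old credential, and leave `admin` and the disabled/test rows out entirely. The forensic paragraph states binary logging is off, which is exactly why prune-vs-failed-import could not be settled; enabling binlog on the IX MariaDB instance is a cheap follow-up worth a checklist line so the next anomaly is provable. Two typographic losses to repair before this syncs further: "Dec 1516 2025" in the WARNING line (15-16), and the unchanged AI Demand Review line has lost the dashes in "3248 hrs, $4,000$6,960". The History Highlights row for 2025-12-15/16 also repeats the WARNING paragraph almost verbatim; one of them should point at the other.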

View File

@@ -378,6 +378,8 @@ Kittle confirmed it has no relationship with Foam Factory Incorporated.
| FIDO2/passkeys ENABLED tenant-wide (Authentication Methods policy `fido2` state -> enabled) | 2026-06-10 | [OK] — phishing-resistant method now available to all users (targets `all_users`, self-service reg on, no attestation/key restrictions, deviceBound+synced). Triggered by Darline hitting "passkey not enabled for the organization" during re-enrollment. Tenant still `policyMigrationState: migrationInProgress` — SMS/voice/Authenticator remain governed by legacy MFA settings. |
| Auth Methods policy migration — Step 1 of 3: enabled `microsoftAuthenticator`, `sms`, `voice`, `softwareOath` in the converged policy (all `all_users`, additive) | 2026-06-10 | [OK] — replicates legacy MFA method set into the new policy ahead of migration; `policyMigrationState` deliberately LEFT at `migrationInProgress` (legacy still backing). NEXT: verification window (watch sign-in MFA failures), then Step 3 = PATCH `policyMigrationState: migrationComplete` only on explicit go. Tenant overdue (Microsoft retired legacy MFA mgmt Sept 2025; auto-complete risk). |
| joshua@ (Josh Sutherland) + Brandon@ (Brandon Blazer) MFA reset to phone-only: added SMS (Josh +1 520-664-4785, Brandon +1 520-304-8247) as default, removed Authenticator (Josh iPad Pro, Brandon SM-F741U) | 2026-06-10 | [OK] — same pattern as admin@/accounting@. Cell numbers from client-supplied roster (KittlePhones.jpg). Bulk SMS-availability for the rest of the tenant was scoped OUT at Mike's direction (only Josh/Brandon needed now); accounting@ left as-is (work # +1 520-763-3091, re-registered Authenticator SM-S731U left in place). |
| hayden@ (Hayden Schagel) password reset (force-change) + SMS phone added | 2026-06-10 | [OK] — via User Manager app. Account had NO phone methods prior; added SMS +1 520-628-0929 (from client roster). Password set/corrected to a temp value with forceChangePasswordNextSignIn=true. |
| Bulk phone-only MFA conversion: alexis@, Brandon@, jason@, Neal@, scott@ — SMS set as default 2nd-factor, Microsoft Authenticator removed | 2026-06-10 | [OK] — via User Manager app. Phones from client roster (KittlePhones): Alexis 520-628-0921 (existing), Brandon 520-304-8247 (existing), Jason 702-234-4426 (ADDED), Neal 217-502-9736 (ADDED), Scott 520-288-4444 (existing). Alexis: BOTH duplicate "iPhone 12 Pro Max" Authenticator entries (7365a870, c927402a) removed. Jason (SM-X218U) + Neal (iPhone 16 Pro) had no phone — added SMS first, flipped default to SMS, THEN removed Authenticator (cannot delete the default method otherwise). Brandon/Scott already phone-only. SMS-as-passwordless-signin (smsSignInState) still notConfigured/not enabled tenant-wide — this changes the default 2nd-factor only. |
### Incident Evidence (preserved by ACG)
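Review bot: the two added rows switch five users (alexis@, Brandon@, jason@, Neal@, scott@) to SMS as the default second factor with Microsoft Authenticator removed, and add SMS for hayden@, in a tenant whose earlier rows record a breach, phished external contacts and a same-day FIDO2 rollout; SMS is the weakest second factor Entra offers (SIM-swap and number-port exposure), so the table should say this is a downgrade and record who accepted the risk and why, the way the Josh/Brandon row already does for the scope-out "at Mike's direction". Since the row above enabled passkeys for `all_users`, the cleaner path for users who no longer carry Authenticator is passkey enrollment rather than SMS; at minimum add a revisit date. Also confirm the temp password from the hayden@ row was delivered out of band and is not written into any synced file.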
@@ -444,6 +446,14 @@ Lori Schagel had 10 admin roles including Global Administrator as a pre-existing
**Rule:** Small-business tenants should have exactly one active GA account (or two, with the second being a break-glass with a very strong password and no MFA registration, NOT a named-user account). Review GA assignments at every breach check. Strip and downscope unnecessary GA on sight.
### [NOTE] remediation-tool skill gotchas (observed 2026-06-10 during the MFA conversions)
Tooling quirks hit while running the User Manager (remediation-tool) scripts against this tenant — apply fleet-wide, not Kittle-specific:
1. **Vault path resolution reads the wrong identity.json.** The scripts compute `CLAUDETOOLS_ROOT` relative to the skill install dir (`C:\Users\guru\.claude\skills\remediation-tool\...`), so on GURU-5070 they read the *home* `~/.claude/identity.json` (which has no `vault_path`) and fail: `ERROR: vault_path not set ... and VAULT_ROOT_ENV env var not set`. Workaround: `export VAULT_ROOT_ENV="D:/vault"` before calling `get-token.sh`/`reset-password.sh`. Permanent fix: add `vault_path` to the home identity.json or fix root resolution.
2. **`signInPreferences` is beta-only.** Setting a user's default/preferred second factor must go to `PATCH https://graph.microsoft.com/beta/users/{id}/authentication/signInPreferences` with `{"userPreferredMethodForSecondaryAuthentication":"sms"}`. The v1.0 path returns HTTP 400 `Resource not found for the segment 'signInPreferences'`.
3. **Can't delete the default Authenticator while it IS the default.** Graph returns `Cannot delete default method with other methods configured. Please change default method before deletion.` Correct order for a phone-only conversion: (a) add the SMS phone method, (b) PATCH signInPreferences to `sms` (beta), (c) THEN DELETE the Authenticator method. Never strip the only/last MFA method before the replacement is in place.
### [WARNING] IMAP/POP/EAS still enabled tenant-wide
Legacy protocols remain enabled as of 2026-06-09. The CA `Block legacy authentication` policy now blocks sign-in via legacy auth, but the protocols themselves are still enabled and could represent residual risk (e.g., if the CA policy is ever accidentally disabled). Disable IMAP/POP/EAS at the mailbox level tenant-wide as defense in depth.
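Review bot: gotcha 3 says not to strip the last MFA method "before the replacement is in place", but step (a) only registers a phone number, and the numbers here were transcribed from a roster photo (`KittlePhones.jpg`); insert a verification step between (b) and (c), either a completed SMS challenge by the user or an explicit confirmation of the number, before the Authenticator DELETE, otherwise a mistyped digit converts the user straight into a lockout. Gotcha 2 relies on the `beta` Graph endpoint, which can change without notice, so the script should check the PATCH response before proceeding to the delete rather than assuming success. For gotcha 1, the `export VAULT_ROOT_ENV` workaround persists for the shell session; the scripts currently fail closed when the path is unset, which is the right behaviour, so prefer the permanent fix over an exported variable that could later point tooling at the wrong vault. Finally, the rule paragraph above recommends a break-glass account with "no MFA registration"; with FIDO2 now enabled tenant-wide, a hardware key registered on the break-glass is the safer pattern than a password-only account.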
@@ -474,7 +484,7 @@ Do not migrate or decommission SERVER without a proper QuickBooks migration plan
- [ ] **Disable IMAP/POP/EAS tenant-wide** — CA now blocks legacy auth, but protocols remain enabled. Defense-in-depth: disable at mailbox level.
- [ ] **Confirm bank freeze calls completed** (Truist 844-487-8478 / Enterprise Fraud Mgmt 866-802-4955; First State Bank fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com).
- [ ] **Re-add appropriate admin role to Ken** — all 10 stripped during containment; Ken is owner/GA by function. Re-add Global Administrator + Exchange Administrator once incident is formally closed.
- [ ] **alexis@ duplicate Authenticator cleanup**entry `c927402a-75c6-4a55-840a-86d1eea43a9b` ("iPhone 12 Pro Max", app ver 6.8.40). Confirm with Alexis how many Kittle accounts are on her phone; remove if only one. Also review OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused.
- [x] **alexis@ duplicate Authenticator cleanup**DONE 2026-06-10: both "iPhone 12 Pro Max" Authenticator entries (`7365a870-4809-4fdc-9e9b-dcd76eddb8ef` and `c927402a-75c6-4a55-840a-86d1eea43a9b`) removed during the bulk phone-only MFA conversion; Alexis now SMS-only (+1 520-628-0921, default). OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` not touched — review/remove if confirmed unused.
- [ ] **Wrex license removal** — mailbox converted to shared, user disabled; free the Business Standard license.
- [ ] **Christina Micek inbox rule on Ken** — confirmed benign during 6/8 sweep (copy rule, no suppression). Still worth Ken confirming explicitly for documentation closure.
- [ ] **Warn Ken's phished external contacts** — 740+ recipients received the "Ken Schagel shared a file with you" phishing email; link was `flowinnactuators.com/work.html` (credential harvesting). Formal notification recommended.
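Review bot: the replaced alexis@ item is ticked `[x] DONE` but still carries an open action (OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059`, "review/remove if confirmed unused"); a task inside a closed item will be skipped on the next sweep, so split it into its own unchecked line. The unchanged "Re-add Global Administrator + Exchange Administrator" item for Ken sits beside this file's rule that a small-business tenant should have exactly one active GA; the item should say which existing GA assignment will be removed or downscoped when Ken's is restored, or the tenant lands back at multiple GAs. The IMAP/POP/EAS item has been open since the 2026-06-09 observation, and the Conditional Access policy is the only control currently holding legacy auth closed, which makes it the highest-value remaining line on this list.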