Multi-user support: identity tracking for Mike + Howard

- .claude/identity.json (gitignored, per-machine) identifies who's at the keyboard
- .claude/users.json (tracked) registers known team members + roles + machines
- CLAUDE.md: on first sync, Claude asks "Mike or Howard?" and creates identity.json
- Session logs must include User section for attribution
- Git commits use per-user name/email (shared Gitea push account)
- Howard Enos (tech, full trust) added as second team member
- Memory entry created for Howard

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/CLAUDE.md

@@ -1,5 +1,56 @@
 # ClaudeTools Project Context
 
+## Multi-User Environment (CHECK FIRST)
+
+This repo is shared across multiple team members. **At every session start, BEFORE doing anything else:**
+
+1. **Read `.claude/identity.json`** (local, gitignored). If it exists, greet the user by name and proceed.
+2. **If identity.json does NOT exist** (first sync on a new machine):
+   - Read `.claude/users.json` for the known user list
+   - Ask: "This looks like a new machine. Are you **Mike Swanson** or **Howard Enos**? (Or someone new?)"
+   - Based on their answer, create `.claude/identity.json`:
+     ```json
+     {
+       "user": "mike",
+       "full_name": "Mike Swanson",
+       "email": "mike@azcomputerguru.com",
+       "role": "admin",
+       "machine": "<HOSTNAME>"
+     }
+     ```
+   - Also set local git config for this repo:
+     ```bash
+     git config user.name "<full_name>"
+     git config user.email "<email>"
+     ```
+   - Add the machine hostname to the user's `known_machines` list in `.claude/users.json` and commit.
+3. **If the hostname doesn't match any known machine** for the identified user, update their `known_machines` in users.json.
+
+### Session log attribution
+
+Every session log MUST include a `## User` section at the top:
+```markdown
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** DESKTOP-0O8A1RL
+- **Role:** admin
+```
+
+### Git commit attribution
+
+Commits use the local git config (user.name / user.email), which is set per-user during identity setup. The Gitea push account is shared (azcomputerguru) but commit authorship tracks the actual person.
+
+### Current team
+
+| User | Role | Access | Notes |
+|---|---|---|---|
+| **Mike Swanson** (mike) | admin | Full | Owner, President of Arizona Computer Guru LLC |
+| **Howard Enos** (howard) | tech | Full | Employee, technician. Full trust — same access as admin for all MSP tracking and daily work. |
+
+Both users have identical access. No permission gating between them. If a new team member is added later, their role and access scope should be defined in `.claude/users.json` before they sync.
+
+---
+
 ## Identity: You Are a Coordinator
 
 You are NOT an executor. You coordinate specialized agents and preserve your context window.
@@ -194,6 +245,7 @@ Service account token in vault: `infrastructure/1password-service-account.sops.y
 | `/sync` | Sync config from Gitea repository |
 | `/create-spec` | Create app specification for AutoCoder |
 | `/frontend-design` | Modern frontend design patterns (auto-invoke after UI changes) |
+| `/remediation-tool` | M365 breach checks, tenant sweeps, gated remediation via Claude-MSP-Access Graph API app |
 
 ---
 

.claude/memory/MEMORY.md

@@ -11,6 +11,9 @@
 - [Dataforth Contact - AJ](reference_dataforth_contact.md) - AJ at Dataforth, dataforthgit@ email forwarding to him
 - [TickTick Integration](reference_ticktick_integration.md) - OAuth API integration, MCP server, SOPS vault creds, project/task CRUD
 
+## Users
+- [Howard Enos](user_howard.md) — Mike's brother, technician, full trust/access. Known machine: ACG-TECH03L.
+
 ## Feedback
 - [D2TESTNAS SSH Access](feedback_d2testnas_ssh.md) - Use root@192.168.0.9 with Paper123!@#, not sysadmin
 - [Bypass Permissions Setting](feedback_bypass_permissions_setting.md) - Set permissions.defaultMode to bypassPermissions in settings.json on all machines

.claude/memory/user_howard.md

@@ -0,0 +1,13 @@
+---
+name: Howard Enos — team member
+description: Howard is Mike's brother and employee at AZ Computer Guru. Technician role with full trust and full access. Uses claudetools for MSP tracking and daily client work.
+type: user
+---
+
+Howard Enos is a technician at Arizona Computer Guru LLC and Mike Swanson's brother. He has full access to all systems, credentials, and client data — same level as Mike. No permission gating.
+
+Known machine: ACG-TECH03L (laptop). Desktop hostname TBD (will be registered on first sync).
+
+When working with Howard, treat him exactly as you would Mike — same context loading, same credential access, same capabilities. He uses claudetools for MSP work tracking, client management, and daily IT operations.
+
+His git commits should show `Howard Enos <howard@azcomputerguru.com>`.

.claude/users.json

@@ -0,0 +1,28 @@
+{
+  "users": {
+    "mike": {
+      "full_name": "Mike Swanson",
+      "email": "mike@azcomputerguru.com",
+      "role": "admin",
+      "title": "President",
+      "known_machines": ["DESKTOP-0O8A1RL"],
+      "git_name": "Mike Swanson",
+      "git_email": "mike@azcomputerguru.com",
+      "notes": "Owner. Full access to everything."
+    },
+    "howard": {
+      "full_name": "Howard Enos",
+      "email": "howard@azcomputerguru.com",
+      "role": "tech",
+      "title": "Technician",
+      "known_machines": ["ACG-TECH03L"],
+      "git_name": "Howard Enos",
+      "git_email": "howard@azcomputerguru.com",
+      "notes": "Employee, Mike's brother. Full trust. Same access as Mike for MSP tracking and daily work."
+    }
+  },
+  "roles": {
+    "admin": "Full access to all systems, credentials, deployments, and infrastructure.",
+    "tech": "Full access to all systems, credentials, and client work. Same as admin for this organization."
+  }
+}

.gitignore

@@ -3,6 +3,7 @@ backups/
 
 # Local settings (machine-specific)
 .claude/settings.local.json
+.claude/identity.json
 
 # Temporary files
 *.tmp