Session log 2026-05-10: radio-show Jupiter deploy + MP3 rsync, Discord bot NSSM service, Apple Dev enrollment kickoff

- Deployed radio-show FastAPI redesign (HEAD already at b008b61 with sort fix) to Jupiter; rebuilt radio-archive container. - Solved Jupiter audio 404 by rsync IX -> Jupiter over LAN (8.09 GB, ~75s @ 108 MB/s); installed Jupiter root pubkey on IX root for passwordless server-to-server access. - Addressed 6 Note-for-Mike blocks from Howard (Cascades SDM activation root cause, IMC1 AIM SQL diagnosis correction, Sombra/Transwiz patterns, Stamback prepay). - Restored dead Discord bot (silent since 2026-05-06 reboot); installed as NSSM service ClaudeToolsDiscordBot with auto-restart + log rotation. - Resolved /sync conflict on memory entry by dropping redundant local commit in favor of Howard's richer feedback_syncro_appointment_owner.md. - Kicked off Apple Developer Program enrollment (HH5UA87LAH); flagged D&B name mismatch (DUNS 005661506 registered to 'COMPUTER GURU' not 'Arizona Computer Guru LLC') as real blocker; vaulted full sequence at infrastructure/apple-developer-program.sops.yaml in vault repo. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 19:23:05 -07:00
parent cc976863fc
commit eb61157adc
1 changed files with 373 additions and 0 deletions
--- a/session-logs/2026-05-10-session.md
+++ b/session-logs/2026-05-10-session.md
@@ -0,0 +1,373 @@
 # 2026-05-10 — Radio-show Jupiter deploy + audio rsync, Discord bot service, Apple Developer enrollment kickoff
 ## User
 - **User:** Mike Swanson (mike)
 - **Machine:** GURU-BEAST-ROG
 - **Role:** admin
 - **Session span:** 2026-05-08 ~07:00 PT (radio-show deploy) → 2026-05-10 ~18:40 PT (Apple Dev enrollment vault entry). Date rolled mid-session.
 ---
 ## Session Summary
 The session began with the deployment of the redesigned FastAPI backend for the radio-show application to Jupiter (Unraid Docker host, 172.16.3.20). Local `main.py` at HEAD already contained the `d7ce9cb` visual redesign and the May 1 intro/QA `sorted()` tie-break fix; verified clean working tree and parity with `origin/main`. scp'd `main.py` to `root@172.16.3.20:/mnt/user/appdata/radio-archive/app/main.py` via PuTTY pscp, then rebuilt the `radio-archive` container via `docker compose up -d --build` over plink. Smoke-tested new UI markers (`--accent #c39733`, `browse-toggle`, `loading::after` on `/`; `now-playing`, `preload="metadata"`, `qaBlocks`, sticky audio player on `/episode/139`).
 Mike then noted the deployed Jupiter instance still couldn't play audio — `/api/audio/{id}` returned 404 because the MP3 tree was never deployed. He pointed out that IX (the archive source, 172.16.3.10) and Jupiter (172.16.3.20) are on the same office LAN, so Jupiter should pull from IX directly rather than push from this desktop. Probed IX via plink: the archive lives at `/home/gurushow/public_html/archive/{YYYY}/{N - Month}/*.mp3`, the layout matches the DB `rel_path` exactly, and total size is 7.8 GB — the May 1 session log's "30–40 GB" estimate was wrong by a factor of 4. Installed Jupiter root's pubkey into IX root's `authorized_keys` for passwordless server-to-server rsync. Dry-run showed 590 MP3s / 8.09 GB. Real rsync IX → Jupiter completed in ~75 seconds at ~108 MB/s sustained over LAN. Verified `/api/audio/139` and `/api/audio/479` now return HTTP 206 `audio/mpeg` with range support.
 The first `/sync` of the session pulled 25 commits and surfaced six `## Note for Mike` blocks from Howard's recent Cascades / IMC1 / Sombra / Stamback work. Addressed each: Britney Thompson litigation hold (already in flight via the MacBook Air's follow-up commits), John Trozzi inbox cleanup (FYI only), SDM phone activation root-caused (`pilot.test` lacked Cloud Device Administrator role; new `devices@cascadestucson.com` account built specifically for this and vaulted), IMC1 AIM SQL diagnosis correction (SQLEXPRESS is the **production** instance not the orphan — `MSSQL$AIMSQL` is the consolidation candidate; memory caps and consolidation pending Mike's call), and three patterns to internalize (post-Transwiz Office identity sweep on new-PC checklist, GuruRMM agent's `nt authority\system` context for per-user probes, Syncro `billable: false` on `timer_entry` silently ignored).
 The next morning (2026-05-10 — date rolled mid-session), Mike reported the Discord bot wasn't responding. Found it dead since 2026-05-06 12:22 PT — no error in `bot.log`, just stopped; no NSSM service installed, no scheduled task, no service wrapper at all. The bot had been running interactively, so a reboot or terminal close that day killed it silently. Restarted temporarily via `pythonw.exe` (PID 62720) as a stopgap and confirmed it reconnected, then Mike asked to install it as a proper Windows service for durability. Installed NSSM 2.24-101 via `winget`, stopped the temporary process, and created `ClaudeToolsDiscordBot` pointing at the venv's `python.exe -m bot.main` with `AppDirectory`, stdout/stderr logging with 10 MB rotation, auto-start, and auto-restart-on-exit with a 5 s delay. Service started; bot reconnected with full channel access. Account is LocalSystem — flagged as a potential issue if vault/identity paths fail under SYSTEM context.
 The second `/sync` hit a conflict on `.claude/memory/MEMORY.md`. The local commit had added a redundant memory entry (`feedback_appointment_owner_first.md`, "appointment owner FIRST") that covered the same rule as Howard's incoming `feedback_syncro_appointment_owner.md` from Kittle ticket #32263 — but with substantially less detail. Resolved by aborting the rebase, doing `git reset --hard HEAD~1` to drop the redundant local commit entirely, then re-running sync — fast-forwarded 3 commits cleanly. Vault sync pulled Howard's Cascades ALIS SSO inbound creds and Kittle GuruRMM site enrollment key. Surfaced and addressed Howard's two GuruRMM items: (a) the macOS agent + installer route is blocking Sylvia at Kittle Main Office (Mac mini) and needs Apple Developer signing + notarization, and (b) Cloudflare's bot challenge is breaking the documented install one-liners on Linux/Windows — Howard recommends a WAF skip on `^/install/`.
 The session closed with the Apple Developer Program enrollment kickoff. Walked Mike through the prerequisites (cost, Developer ID Application + Developer ID Installer certs, notarytool flow requiring a real Mac in the build path, v1 shell-installer with right-click→Open as the no-cert fallback) and recommended enrolling now since the cert unblocks the no-friction install path long-term. Mike pulled the DUNS lookup and got `005661506` — but the D&B record is registered under "COMPUTER GURU", not "Arizona Computer Guru LLC". Mike kicked off enrollment (ID `HH5UA87LAH`) and Apple immediately requested a verification packet. Identified the D&B name mismatch as the real blocker — Apple compares enrollment name against DUNS record against Articles of Organization, and all three must match. Recommended sequence: D&B name correction via iUpdate first (free, 5–15 business days), gather the three verification documents in parallel, then upload to Apple once D&B confirms. Vaulted everything at `infrastructure/apple-developer-program.sops.yaml`.
 ---
 ## Key Decisions
 - **Pull MP3s server-to-server from IX, not push from desktop.** Mike caught that IX (172.16.3.10) and Jupiter (172.16.3.20) are physically on the same office LAN. Pulling IX→Jupiter directly hits ~108 MB/s sustained gigabit, eliminates the desktop as an intermediary, and uses the local copy already cached at the actual source. Far faster than re-uploading from GURU-BEAST-ROG.
 - **rsync the year directories only, excluding `Radio/` and `index.html`.** IX has unrelated content under `archive/Radio/Elements/` (203 MB of misc music) and HTML index files at archive root. The `--exclude=Radio --exclude='index.html*'` filter kept the transfer scoped to what matches the DB `rel_path` layout. Each year directory carries a duplicate set (loose MP3s at year root + month-subdir versions); accepted the ~4 GB of duplicate overhead rather than crafting per-year include patterns because Jupiter has plenty of array space.
 - **Install Jupiter's pubkey on IX `root` (not gurushow).** root has unconditional access to the entire archive tree; using `gurushow` would have worked but required either password auth or installing the key under a non-admin account. The pubkey install is durable infrastructure setup that future syncs can reuse without re-prompting.
 - **Drop the redundant local memory entry rather than merge.** Local `feedback_appointment_owner_first.md` was a thinner, generic restatement of Howard's `feedback_syncro_appointment_owner.md` (which has Syncro-specific detail, the exact ticket trigger #32263, owner-vs-attendees nuance, the preview format, and the what-NOT-to-do section). `git reset --hard HEAD~1` cleanly dropped the local commit; the rebase then fast-forwarded with no conflict on the second attempt.
 - **NSSM service runs as LocalSystem (NSSM default), not as a user account.** Avoids needing to store Mike's Windows password and matches how GuruRMM-style services typically run. Trade-off: SYSTEM context can hit user-profile path issues — flagged as a known watch item. If vault or identity paths fail under SYSTEM, fall back to running the service under `.\guru` with a vaulted password.
 - **Enroll in Apple Developer Program now even though shipping unsigned v1 is possible.** $99/year and 1-week enrollment clock is small overhead; the cert investment unlocks the long-term no-friction install path. Without enrollment, every macOS install for Sylvia and future clients requires a right-click→Open dance, which doesn't scale past a handful of installs.
 - **Fix D&B record before resubmitting Apple verification, not the other way.** Apple compares enrollment name / DUNS record / Articles of Organization in a single review pass; mismatches bounce. Submitting the verification packet now with a mismatched D&B record would just get rejected and force a redo, costing more wall-clock time than waiting for iUpdate to propagate the correction first.
 - **Recommend iUpdate (free, 5–15 days) over expedited D&B Customer Service ($50–$200, 24–72 h).** Apple won't cancel the enrollment for a slow D&B turn — there's no time pressure that justifies paying for expedited correction. Pending Mike's preference if he wants to spend the money to compress the timeline.
 ---
 ## Problems Encountered
 - **Jupiter `/api/audio/{id}` returned 404 after UI deploy.** Pre-existing deployment gap — the FastAPI app was deployed but the `/data/episodes/` MP3 tree was never populated. Resolved by rsyncing IX → Jupiter (8.09 GB, ~75 s over LAN). FastAPI volume mount `/mnt/user/appdata/radio-archive/data:/data:ro` picked up the new files immediately; no container restart needed.
 - **plink batch-mode SSH refused unknown host key on first IX probe.** Default `-batch` fails closed if the target's host key isn't in the PuTTY registry. Worked around by passing `-hostkey 'ssh-ed25519 255 SHA256:GZYP/o5XUoRtFRCv1iGjxmqGfQoEsMuiNQBJucoJUh8'` explicitly. After that probe, Jupiter→IX passwordless SSH worked because the key install succeeded.
 - **Jupiter→IX ssh emitted `hostfile_replace_entries: Operation not permitted` for `/root/.ssh/known_hosts`.** Cosmetic — Unraid's filesystem doesn't permit the rename-based atomic update OpenSSH wants. The new known_hosts entry was still added to the in-memory state and the session worked. Did not block.
 - **Discord bot dead since 2026-05-06 12:22 PT, no error logged.** Bot had been running interactively; some reboot/terminal close on the 6th killed it silently. No watchdog, no service wrapper, no auto-restart. Resolved by installing it as an NSSM service with auto-start, auto-restart (5 s delay), and rotating logs — so future reboots can't take it down silently again.
 - **NSSM not installed on GURU-BEAST-ROG.** Resolved by `winget install NSSM.NSSM` (2.24-101, 405 KB). Required PowerShell `Path` refresh from machine+user scope to make `nssm` available in the current session before the install/config commands could run.
 - **`/sync` rebase conflict on `.claude/memory/MEMORY.md`.** Local commit added `feedback_appointment_owner_first.md` (which I had drafted earlier in the session) covering the same rule as Howard's incoming `feedback_syncro_appointment_owner.md`. Resolved by aborting the rebase, `git reset --hard HEAD~1` to drop the local commit entirely, then re-running sync to fast-forward 3 commits cleanly.
 - **Apple verification request bounced enrollment immediately.** Apple flagged that "COMPUTER GURU" (the D&B record name) needs to be a legal entity. Real cause: the D&B record name (`COMPUTER GURU`) doesn't match the AZ Corporation Commission filing (`Arizona Computer Guru LLC`) — three-way name match across enrollment / DUNS / Articles will fail. Resolution path: update D&B name first via iUpdate (free, 5–15 business days) or pay D&B Customer Service ($50–$200, 24–72 h) for expedited update, then submit verification packet. Vaulted the blocker, document list, and full sequence at `infrastructure/apple-developer-program.sops.yaml`.
 ---
 ## Credentials & Secrets
 ### Servers used
 | Server | User | Auth | Value |
 |---|---|---|---|
 | Jupiter (172.16.3.20) | root | password | `Th1nk3r^99##` |
 | IX (172.16.3.10) | root | password | `t4qygLl7{1zJcUj#022W^FBQ>}qYp-Od` |
 | IX (172.16.3.10) | root | pubkey | Jupiter root's `id_ed25519` added to `/root/.ssh/authorized_keys` this session |
 ### SSH keys installed
 - **Jupiter root pubkey (now authorized on IX `root`):**
  ```
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOS3AQMPhMl5c3r9hY0dT3w24NkEU5gshN43PwPn2Jvq root@Jupiter
  ```
 ### Apple Developer Program (pending verification)
 - **Enrollment ID:** `HH5UA87LAH`
 - **DUNS (registered to "COMPUTER GURU"):** `005661506`
 - **Target legal name:** Arizona Computer Guru LLC
 - **Verification upload URL:** https://developer.apple.com/contact/file-upload/
 - **D&B update portal:** https://iupdate.dnb.com
 - **D&B Customer Service:** 1-800-234-3867 (expedited update, paid)
 - Apple ID, Team ID, certs, App Store Connect API key: pending (will populate at vault entry `infrastructure/apple-developer-program.sops.yaml` as they come in)
 ### Discord bot service
 - **Service name:** `ClaudeToolsDiscordBot`
 - **Display name:** ClaudeTools Discord Bot
 - **Binary:** `C:\Users\guru\ClaudeTools\projects\discord-bot\.venv\Scripts\python.exe`
 - **Args:** `-m bot.main`
 - **AppDirectory:** `C:\Users\guru\ClaudeTools\projects\discord-bot`
 - **Account:** LocalSystem (NSSM default)
 - **Discord token, Anthropic API key, etc.** unchanged in `.env` (gitignored)
 - **Bot user ID:** 1499868551601983652 (per logs)
 ---
 ## Infrastructure & Servers
 ### Jupiter — `172.16.3.20` (Unraid Docker host, primary)
 - Vault path: `infrastructure/jupiter-unraid-primary.sops.yaml`
 - Hostname: `jupiter`
 - OS / Docker: Linux Jupiter 6.12.54-Unraid; Docker 27.5.1
 - Container modified this session: `radio-archive`
  - Image: `radio-archive:latest` (rebuilt, sha256:0ba76547…)
  - Bind: `172.16.3.20:8765 -> 8765/tcp`
  - Mount: `/mnt/user/appdata/radio-archive/data:/data:ro`
  - Restart policy: `unless-stopped`
 - Paths:
  - App source: `/mnt/user/appdata/radio-archive/app/main.py`
  - DB: `/mnt/user/appdata/radio-archive/data/archive.db`
  - **NEW: MP3 tree** `/mnt/user/appdata/radio-archive/data/episodes/{YYYY}/{N - Month}/*.mp3` (590 files, 8.09 GB)
 - Auth: `root` + `Th1nk3r^99##` for plink/pscp; ed25519 keypair at `/root/.ssh/id_ed25519` (now authorized on IX root)
 ### IX — `172.16.3.10` (Rocky Linux, cPanel/WHM)
 - Vault path: `infrastructure/ix-server.sops.yaml`
 - Hostname: `ix.azcomputerguru.com`
 - Archive source: `/home/gurushow/public_html/archive/`
  - Year dirs: `2010/` `2011/` `2012/` `2014/` `2015/` `2016/` `2017/` `2018/` (no 2013 season)
  - Layout: `{YYYY}/{N - Month}/*.mp3` (loose duplicates also exist at year root)
  - Excluded from rsync: `Radio/Elements/` (unrelated, 203 MB), `index.html*`
 - Total size on disk: 7.8 GB (the May 1 estimate of 30–40 GB was wrong)
 - Host key fingerprint (ssh-ed25519, SHA256): `GZYP/o5XUoRtFRCv1iGjxmqGfQoEsMuiNQBJucoJUh8`
 - Jupiter root pubkey added to `/root/.ssh/authorized_keys` on 2026-05-08
 ### Discord bot host (GURU-BEAST-ROG)
 - Service: `ClaudeToolsDiscordBot` (NSSM)
 - NSSM 2.24-101 installed via winget at `C:\Users\guru\AppData\Local\Microsoft\WinGet\Links\nssm.exe`
 - Bot connects to Arizona Computer Guru Discord guild (ID `624663750603046913`)
 ---
 ## Commands & Outputs
 ### Radio-show deploy
 ```bash
 # 1. Push main.py to Jupiter
 echo y | "/c/Program Files/PuTTY/pscp.exe" -batch -pw 'Th1nk3r^99##' -scp \
    /c/Users/guru/ClaudeTools/projects/radio-show/audio-processor/server/main.py \
    root@172.16.3.20:/mnt/user/appdata/radio-archive/app/main.py
 # main.py | 55 kB | 100%
 # 2. Rebuild container on Jupiter
 "/c/Program Files/PuTTY/plink.exe" -batch -ssh -pw 'Th1nk3r^99##' root@172.16.3.20 \
  "cd /mnt/user/appdata/radio-archive/app && docker compose up -d --build"
 # Container radio-archive Recreated, Started
 # 3. Smoke test
 curl -s http://172.16.3.20:8765/ -o ix.html -w "index: %{http_code} %{size_download}B\n"
 # index: 200 21229B
 curl -s http://172.16.3.20:8765/episode/139 -o ep.html -w "ep139: %{http_code} %{size_download}B\n"
 # ep139: 200 74365B
 # Markers present: --accent, c39733, browse-toggle, loading::after, now-playing,
 # preload="metadata", qaBlocks, sticky
 ```
 ### Jupiter→IX SSH key install + rsync
 ```bash
 # 1. Probe IX archive structure + install Jupiter pubkey via plink (one shot)
 "/c/Program Files/PuTTY/plink.exe" -batch -ssh -pw 't4qygLl7{1zJcUj#022W^FBQ>}qYp-Od' \
  -hostkey 'ssh-ed25519 255 SHA256:GZYP/o5XUoRtFRCv1iGjxmqGfQoEsMuiNQBJucoJUh8' \
  root@172.16.3.10 \
  "echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOS3AQMPhMl5c3r9hY0dT3w24NkEU5gshN43PwPn2Jvq root@Jupiter' >> /root/.ssh/authorized_keys"
 # 2. Verify passwordless SSH Jupiter -> IX
 "/c/Program Files/PuTTY/plink.exe" -batch -ssh -pw 'Th1nk3r^99##' root@172.16.3.20 \
  "ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new root@172.16.3.10 'echo ok; hostname'"
 # ok-from-jupiter
 # ix.azcomputerguru.com
 # 3. Dry-run rsync (count + size estimate)
 "/c/Program Files/PuTTY/plink.exe" -batch -ssh -pw 'Th1nk3r^99##' root@172.16.3.20 \
  "mkdir -p /mnt/user/appdata/radio-archive/data/episodes && \
   rsync -ahn --info=stats2 --exclude=Radio --exclude='index.html*' \
     root@172.16.3.10:/home/gurushow/public_html/archive/ \
     /mnt/user/appdata/radio-archive/data/episodes/"
 # Number of files: 675 (reg: 590, dir: 85)
 # Total file size: 8.09G bytes
 # 4. Real rsync (background, ~75 s)
 "/c/Program Files/PuTTY/plink.exe" -batch -ssh -pw 'Th1nk3r^99##' root@172.16.3.20 \
  "rsync -ah --info=progress2 --exclude=Radio --exclude='index.html*' \
     root@172.16.3.10:/home/gurushow/public_html/archive/ \
     /mnt/user/appdata/radio-archive/data/episodes/"
 # Peak 109.93 MB/s, completed exit 0
 # 5. Confirm audio endpoint works
 curl -s --max-time 8 -r 0-127 -o /dev/null \
  -w "ep139 audio: HTTP %{http_code} ct=%{content_type} len=%{size_download}B\n" \
  http://172.16.3.20:8765/api/audio/139
 # ep139 audio: HTTP 206 ct=audio/mpeg len=128B
 # ep479 audio: HTTP 206 ct=audio/mpeg len=128B
 ```
 ### Discord bot NSSM service install
 ```powershell
 winget install --id NSSM.NSSM --accept-source-agreements --accept-package-agreements --silent
 # Successfully installed (2.24-101 at C:\Users\guru\AppData\Local\Microsoft\WinGet\Links\nssm.exe)
 # Stop the temporary pythonw process started earlier
 Stop-Process -Id 62720 -Force
 # Install + configure the service
 $svc = 'ClaudeToolsDiscordBot'
 $wd  = 'C:\Users\guru\ClaudeTools\projects\discord-bot'
 $py  = "$wd\.venv\Scripts\python.exe"
 $logs = "$wd\logs"
 nssm install $svc $py '-m' 'bot.main'
 nssm set $svc AppDirectory $wd
 nssm set $svc DisplayName 'ClaudeTools Discord Bot'
 nssm set $svc Description 'Discord bot bridging the MSP team to ClaudeTools (Claude Agent SDK in a Discord channel)'
 nssm set $svc Start SERVICE_AUTO_START
 nssm set $svc AppStdout "$logs\stdout.log"
 nssm set $svc AppStderr "$logs\stderr.log"
 nssm set $svc AppRotateFiles 1
 nssm set $svc AppRotateOnline 1
 nssm set $svc AppRotateBytes 10485760
 nssm set $svc AppExit Default Restart
 nssm set $svc AppRestartDelay 5000
 Start-Service ClaudeToolsDiscordBot
 # Status: Running, StartType: Automatic
 # Bot reconnected: [OK] Bot connected as ClaudeTools (ID: 1499868551601983652)
 ```
 ### Conflict resolution on `/sync`
 ```bash
 # After conflict on .claude/memory/MEMORY.md (local + Howard both edited)
 git rebase --abort
 git reset --hard HEAD~1
 # HEAD now at 56ada4b (pre-redundant-commit state)
 # Re-run sync, clean fast-forward
 bash /c/Users/guru/ClaudeTools/.claude/scripts/sync.sh
 # Fast-forward 3 commits, nothing to push
 ```
 ### Apple Dev vault entry
 ```bash
 bash /c/Users/guru/ClaudeTools/.claude/scripts/vault.sh add infrastructure/apple-developer-program.sops.yaml
 # Wrote plaintext file with full structure
 cd /c/Users/guru/vault && sops --encrypt --in-place infrastructure/apple-developer-program.sops.yaml
 git add infrastructure/apple-developer-program.sops.yaml
 git -c user.name="Mike Swanson" -c user.email="mike@azcomputerguru.com" \
  commit -m "infrastructure/apple-developer-program: DUNS 005661506 + Apple verification packet pending"
 ```
 ---
 ## Configuration Changes
 ### Files modified (committed to ClaudeTools / origin already at HEAD)
 - None this session — the radio-show `main.py` already on `origin/main` at `b008b61`.
 ### Files modified (committed to ClaudeTools, awaiting push via `/sync`)
 - None pending in ClaudeTools at end of session.
 ### Files modified (vault repo, committed locally; next `/sync` will push)
 - `infrastructure/apple-developer-program.sops.yaml` — NEW. Two commits:
  - `4f8f5f7` — initial entry with enrollment ID + status `pending-activation` + structure.
  - `78706ca` — added DUNS `005661506`, set `status: pending-verification`, captured Apple verification request, documented D&B mismatch + iUpdate path + recommended sequence.
 ### Server-side changes
 - **Jupiter** — `/mnt/user/appdata/radio-archive/app/main.py` replaced (redesign + sort fix); `radio-archive` Docker image rebuilt; `/mnt/user/appdata/radio-archive/data/episodes/` populated with 590 MP3s (8.09 GB).
 - **IX** — `/root/.ssh/authorized_keys` appended with Jupiter root's ed25519 pubkey. No other changes.
 - **GURU-BEAST-ROG** — NSSM 2.24-101 installed via winget. Windows service `ClaudeToolsDiscordBot` created (auto-start, auto-restart, LocalSystem account). Discord bot bot.log now also captured by NSSM as `stdout.log` / `stderr.log` (10 MB rotation) — note: the bot's own internal `logs/bot.log` still writes too, so there are two log files going forward (NSSM-captured is in addition to bot-internal).
 ### Memory files synced from origin (not edited locally this session)
 - `feedback_syncro_appointment_owner.md` — Howard's Kittle #32263 rule
 - `feedback_clear_recyclebin_system_context.md` — Howard's ASSISTMAN-PC RMM finding
 ---
 ## Pending / Incomplete Tasks
 ### Apple Developer Program enrollment
 - [ ] **Update D&B record name from "COMPUTER GURU" to "Arizona Computer Guru LLC".** Submit at https://iupdate.dnb.com (free, 5–15 business days) or call D&B Customer Service at 1-800-234-3867 for paid expedited update (24–72 h, ~$50–$200). DUNS `005661506`.
 - [ ] **Gather Apple verification packet (in parallel with D&B):**
  - [ ] Government photo ID — driver's license (both sides) or passport
  - [ ] Employment verification — self-signed letter on Arizona Computer Guru LLC letterhead confirming Mike Swanson is President with binding authority. (Offered to draft, declined this turn.)
  - [ ] Articles of Organization — pull from https://ecorp.azcc.gov entity record → Documents tab
 - [ ] **Upload verification packet** at https://developer.apple.com/contact/file-upload/ once D&B name change is confirmed.
 - [ ] **After Apple approves enrollment:**
  - [ ] Capture Team ID (10-char) into the vault entry
  - [ ] Generate Developer ID Application + Developer ID Installer certs from developer.apple.com
  - [ ] Export both as `.p12`, vault them, update `p12_location` fields
  - [ ] Create App Store Connect API key for `notarytool`, store `.p8` in vault
  - [ ] Document the macOS sign + notarize pipeline at `projects/msp-tools/guru-rmm/docs/macos-signing.md`
 ### GuruRMM macOS agent (gated on Apple Dev)
 - [ ] Build Rust agent for `aarch64-apple-darwin` + `x86_64-apple-darwin`
 - [ ] Server route `/install/<site>/macos` returning shell installer or signed `.pkg`
 - [ ] LaunchDaemon manifest (macOS analog of the existing systemd unit)
 - [ ] Code sign + notarize the binary (gated on Developer ID certs)
 - [ ] Sylvia (Kittle Main Office, `WEST-MEADOW-9025`) is the blocked user — once installer is ready, deploy first there
 ### Cloudflare bot challenge breaking install one-liners
 - [ ] Add Cloudflare WAF skip rule for `(http.request.uri.path matches "^/install/")` on the GuruRMM endpoint per Howard's 2026-05-07 note. Recommended over UA-flag workaround.
 ### IMC1 SQL consolidation (Howard's items, partially addressed by your `e03e991` commit — verify)
 - [ ] Confirm `e03e991` "IMC1: Memory allocation approval + AD/WSUS clarification" covers all four of Howard's asks: SQLEXPRESS 12 GB cap, WID 512 MB cap, AIMSQL 256 MB cap, AIMSQL consolidation path, WID consolidation path, Server 2016 EOL migration scope. If gaps remain, flag back to Howard.
 ### Cascades (Howard's items, in flight on the MSP-app side)
 - [ ] **SDM phone activation** — Howard verifying 2026-05-08 (next-day) with the new `devices@cascadestucson.com` Cloud Device Administrator account. ~30 more phones to roll once verified.
 - [ ] **ALIS SSO** — blocked on Medtelligent enabling the Entra SSO app on the Cascades tenant; vaulted at `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`. Three values ready to paste once they act.
 ### Discord bot service watch items
 - [ ] Confirm bot continues to work as LocalSystem across vault/identity-path-dependent code paths. If anything fails under SYSTEM, switch service to run under `.\guru` with a vaulted password.
 - [ ] Consider adding `.gitignore` entry for `.claude/scheduled_tasks.lock` to eliminate the recurring rebase conflict noise (still a carry-forward from the May 1 session).
 ### Stamback Septic
 - [ ] Confirm Syncro prepay block shows 3.5 hrs on customer page next time you're in there. Registry-wipe backups on Joe's laptop at `C:\Windows\Temp\onedrive_cleanup_backup\` — leave ~30 days, then clear.
 ---
 ## Reference Information
 ### Radio-show
 - Local repo: `c:\Users\guru\ClaudeTools\projects\radio-show\audio-processor\`
 - Local server file: `projects/radio-show/audio-processor/server/main.py`
 - Local archive: `projects/radio-show/audio-processor/archive-data/`
 - Jupiter URLs:
  - Search index: http://172.16.3.20:8765/
  - Episode page: http://172.16.3.20:8765/episode/{id}
  - Audio stream: http://172.16.3.20:8765/api/audio/{id} (HTTP 206 with Range header)
  - QA list: http://172.16.3.20:8765/api/qa
 - DB on Jupiter: `/mnt/user/appdata/radio-archive/data/archive.db` (572 episodes per local snapshot; FTS5 over segments + qa_pairs)
 ### Apple Developer Program
 - Vault entry: `infrastructure/apple-developer-program.sops.yaml`
 - Enrollment ID: `HH5UA87LAH`
 - Enrollment status URL: https://developer.apple.com/enroll/
 - Verification upload URL: https://developer.apple.com/contact/file-upload/
 - DUNS lookup (Apple-routed): https://developer.apple.com/enroll/duns-lookup/
 - D&B iUpdate portal (free record correction): https://iupdate.dnb.com
 - D&B Customer Service (expedited): 1-800-234-3867
 - AZ corp filing portal: https://ecorp.azcc.gov
 ### Discord bot
 - Repo: `projects/discord-bot/`
 - Service: `ClaudeToolsDiscordBot` (NSSM)
 - Logs:
  - Bot's internal: `projects/discord-bot/logs/bot.log`
  - NSSM-captured: `projects/discord-bot/logs/stdout.log` + `stderr.log` (10 MB rotation)
 - Manage: `Start-Service` / `Stop-Service ClaudeToolsDiscordBot`, or `nssm edit ClaudeToolsDiscordBot` for the GUI editor.
 ### Commits during this session
 | SHA | Repo | Author | Subject |
 |---|---|---|---|
 | `4f8f5f7` | vault | Mike Swanson | infrastructure: vault Apple Developer Program enrollment (HH5UA87LAH) |
 | `78706ca` | vault | Mike Swanson | infrastructure/apple-developer-program: DUNS 005661506 + Apple verification packet pending |
 | `2f95f65` (discarded) | ClaudeTools | Mike Swanson | sync: auto-sync from GURU-BEAST-ROG (held redundant `feedback_appointment_owner_first.md`; dropped via reset) |
 No ClaudeTools-repo commits landed this session beyond the discarded sync commit. Vault is local-only ahead of next `/sync`.