wiki: seed remaining clients and projects (batch 3)

Adds 11 client articles and 5 project articles:

Clients: kittle, khalsa, anaise, azcomputerguru.com, bg-builders,
evs, furrier, horseshoe-management, kittle-design, scileppi-law,
western-tire

Projects: discord-bot, radio-show, msp-pricing, wrightstown-smarthome,
wrightstown-solar

Updates wiki/index.md with all new entries, cross-references, and
removes seeded client:birthbiologic from compilation queue.

Critical findings surfaced:
- Kittle: WS2025 EVAL license, no backups, 3 plaintext creds in Syncro
- Western Tire: SSL cert *.westerntire.com expires 2026-05-30
- Kittle Design: active compromise (Ken inbox rule unresolved)
- Horseshoe Mgmt: plaintext creds for 5+ users in Syncro notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:59:40 -07:00
parent 30b8020edf
commit f4fb131529
17 changed files with 2426 additions and 2 deletions

wiki/clients/anaise.md Normal file

@@ -0,0 +1,141 @@
---
type: client
name: anaise
display_name: Anaise
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/anaise/docs/overview.md
- clients/anaise/docs/cloud/m365.md
- clients/anaise/docs/cloud/azure.md
- clients/anaise/docs/rmm/rmm.md
- clients/anaise/docs/security/antivirus.md
- clients/anaise/docs/security/backup.md
- clients/anaise/docs/issues/log.md
- clients/anaise/docs/network/topology.md
- clients/anaise/docs/network/firewall.md
- clients/anaise/docs/network/dns.md
- clients/anaise/docs/network/dhcp.md
- clients/anaise/docs/network/vlans.md
- clients/anaise/PROJECT_STATE.md
---
# Anaise
## Overview
New client in ONBOARDING status as of 2026-04-16. Standard client directory structure applied by Howard. Single-site [unverified]. Onboarding is incomplete — only a primary contact name, email, and one workstation have been captured.
- **Business type:** *(not documented)*
- **Locations:** *(not documented — single site assumed [unverified])*
- **Total users:** *(not documented — at minimum 1 user: David)*
- **Billing model:** *(not documented)*
- **Billing rate:** *(not documented)*
- **Contract status:** ONBOARDING — terms not yet documented
- **Hours remaining:** *(not documented)*
[WARNING] Almost all template fields across all docs are blank. The only substantive data is the primary contact (David), one workstation (DESKTOP-O8GF4SD), and a vault credential reference. Onboarding must be completed before this client can be effectively supported.
---
## Contacts
| Name | Title | Email | Phone |
|------|-------|-------|-------|
| David | Primary Contact [unverified — no title documented] | anaisedavid.office@gmail.com | *(not documented)* |
No IT contact, no secondary contacts documented.
---
## Infrastructure
Only one machine documented.
### Workstations
| Hostname | Username | OS | Notes |
|----------|----------|----|-------|
| DESKTOP-O8GF4SD | david | *(not documented)* | Credentials in SOPS vault — see below |
### Servers
*(not documented)*
### Credentials
Machine credentials are stored in the SOPS vault. **Do not put plaintext passwords in any file.**
- **DESKTOP-O8GF4SD / david:** `clients/anaise/desktop-o8gf4sd.sops.yaml``credentials.password`
- Retrieve: `bash $VAULT get-field clients/anaise/desktop-o8gf4sd.sops.yaml credentials.password`
---
## Network
All network template files (topology, firewall, DNS, DHCP, VLANs) are blank placeholders — no ISP, IPs, hardware, subnets, or VPN details documented.
- **Topology:** *(not documented — template only)*
- **Firewall:** *(not documented — template only)*
- **DNS:** *(not documented — template only)*
- **DHCP:** *(not documented — template only)*
- **VLANs:** Template defines VLAN IDs 1, 10, 20, 30, 40, 50, 60, 100 (standard schema) — no subnets or IPs filled in.
---
## Cloud / M365
All M365 and Azure template fields are blank. No tenant name, tenant ID, domain, licenses, Exchange settings, SharePoint, Teams, Entra, or Defender details are documented.
- **M365 tenant:** *(not documented)*
- **Azure subscription:** *(not documented)*
- **Other cloud services:** *(not documented)*
Note: David's contact email is a Gmail address (anaisedavid.office@gmail.com). It is unknown whether the organization uses M365 or Google Workspace, or neither. [unverified]
---
## GuruRMM
All RMM template fields are blank.
- **Client ID:** *(not documented)*
- **Site ID:** *(not documented)*
- **Enrolled agents:** *(not documented)*
- **Monitoring policies:** Template placeholders only — no client-specific values
- **Patch policy:** *(not documented)*
---
## Active Projects / Open Items
- [ ] Complete onboarding — capture infrastructure details, contacts, credentials to vault
- [ ] Populate all `docs/` templates with real data (network, servers, M365 or other email/cloud, backup, AV, RMM)
- [ ] Determine whether client uses M365, Google Workspace, or no cloud services
- [ ] Document workstation OS for DESKTOP-O8GF4SD
- [ ] Capture any additional users and machines
---
## Key Events / History
| Date | Event |
|------|-------|
| 2026-04-16 | Client directory created by Howard. Standard template applied. ONBOARDING status set. |
No issue log entries. No session logs exist for this client.
---
## Anti-Patterns / Warnings
- [WARNING] Onboarding is incomplete. Do not assume any template placeholder values are real — only contact name/email and one workstation credential vault reference are confirmed.
- [WARNING] Primary contact email is Gmail (anaisedavid.office@gmail.com). Do not assume M365 is in use — confirm cloud/email provider before attempting any M365 remediation or enrollment.
- Credential for DESKTOP-O8GF4SD is in vault only — never expose plaintext. Use vault wrapper to retrieve.
- No network, firewall, or server data exists. Do not attempt remote access without first completing the onboarding discovery.
---
## Backlinks
- [[wiki/index]] — client index
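Review bot: in the Credentials section the vault reference for DESKTOP-O8GF4SD runs the file path and the field name together (`clients/anaise/desktop-o8gf4sd.sops.yaml``credentials.password`) with no separator, so the rendered line reads as a single token; split it into the path and the field, e.g. `clients/anaise/desktop-o8gf4sd.sops.yaml`, field `credentials.password`. The retrieval line uses `bash $VAULT get-field` while the other articles in this batch use `vault.sh get-field`; settle on one wrapper form so the commands stay copy-pasteable across articles. The Backlinks entry links `[[wiki/index]]` whereas the other articles link bare names such as `[[internal-infrastructure]]`; the index link style should match.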


@@ -0,0 +1,114 @@
---
type: client
name: azcomputerguru.com
display_name: ACG Website (azcomputerguru.com)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/azcomputerguru.com/session-logs/2026-05-22-session.md
---
# ACG Website (azcomputerguru.com)
> This article covers the public-facing azcomputerguru.com website only. For ACG's internal infrastructure (Neptune Exchange, Gitea, Jupiter, etc.), see [[internal-infrastructure]].
## Overview
The azcomputerguru.com website is Arizona Computer Guru's own public marketing site. As of 2026-05-22, it is being redesigned as a static Astro site with a custom design system, replacing the previous live site. The prototype is under active development in the `clients/azcomputerguru.com/` directory of the ClaudeTools repo.
- **Status:** Prototype in progress. Not yet deployed to production.
- **Billing model:** Internal / owner project — no client billing.
- **Contract status:** N/A (ACG's own site).
## Contacts
*(not documented)* — ACG internal project; no external client contacts.
## Infrastructure
### Production Hosting
- **Host:** IX Web Hosting (cPanel)
- **Deploy path:** `/public_html/`
- **Deployment method:** Manual file upload (no CI/CD configured as of last session)
- **URL:** https://azcomputerguru.com
### Local Development
- **Build tool:** Astro (`npm run build`)
- **Build output:** `dist/`
- **Preview server:** `npx astro preview --port 4325``http://localhost:4325/`
- **Build location:** `D:/claudetools/clients/azcomputerguru.com/`
- **Config file:** `clients/azcomputerguru.com/astro.config.mjs`
- `site: 'https://azcomputerguru.com'`
- `compressHTML: true`
## Network
*(not documented)* — Static hosted site; no proprietary network infrastructure.
## Cloud / M365
*(not documented)* — Website project only; M365/cloud tenant info belongs in [[internal-infrastructure]].
## GuruRMM
*(not documented)* — No GuruRMM agents are associated with website hosting.
## Active Projects / Open Items
### Prototype Redesign (Astro)
Main deliverable file: `clients/azcomputerguru.com/src/pages/index.astro`
Current design score: **33/40** (up from 21/40 on original live site)
Score progression:
- `2026-05-22T15-08-23Z` — original live site critique: 21/40
- `2026-05-22T15-53-21Z` — after initial craft + harden pass: 31/40
- `2026-05-22T17-03-45Z` — after all P1+P2 fixes: 33/40
Critique snapshots stored in `.impeccable/critique/`.
### Open P2 Items (from last session)
- **Form error states:** CTA form uses browser-native `required` validation only. No styled error feedback. Fix: ~15 lines of inline `<script>` + one CSS error token.
- **Pricing signal:** No pricing context on page. A single line near the catalog or CTA subtext would address persona red flag without committing to numbers.
### Future / Pre-Launch
- **Form backend:** `action="/contact" method="GET"` is a prototype placeholder. IX Web Hosting supports PHP; options: simple `contact.php` or Formspree.
- **Replace placeholder testimonials:** Current testimonials use constructed names (Sarah M., James K., Linda R.) and fabricated quotes. Must be replaced with actual client quotes before launch.
- **`aria-current="page"`:** Not set on homepage nav item.
- **Dynamic copyright year:** Footer `© 2026` is hardcoded. Replace with JS expression or Astro template variable.
- **Production deployment:** Site has not been deployed to IX Web Hosting this session.
## Key Events / History
### 2026-05-22 — Homepage Redesign Session (Impeccable Craft Pass)
- Resumed from a prior context-compacted session that had completed initial craft + harden pass (31/40).
- Scope: all P1 + P2 items from most recent critique.
- Changes made to `index.astro`:
- Added `.sr-only` utility class to CSS reset block.
- Added full testimonials section (HTML + CSS): `.testimonial-grid`, `.testimonial-item`, `.testimonial-quote`, `.testimonial-attribution`. Cards use `border-top: 3px solid var(--color-accent)` (not side-stripe — banned).
- Redesigned CTA band from centered single-column to two-column grid (`1fr 1.1fr`): left = `.cta-text` (heading, subtext, phone link); right = `.cta-form-wrap` with 3-field form (name required, phone/email required, textarea).
- Restructured service catalog from flat 12-item `<ul>` to 3 labeled groups (`<div class="catalog-group">`): Management (5 items), Security (4 items), Support (3 items). Grid changed from `auto-fit minmax(320px, 1fr)` to `repeat(3, 1fr)`.
- Removed orphaned CSS rules `.cta-actions`, `.cta-or` after CTA band rewrite.
- Final score: 33/40.
## Design System Notes
- **Fonts:** Barlow Condensed (display, `--font-display`) + Lexend (body, `--font-body`) — Google Fonts via `<head>`
- **Color system:** OKLCH throughout; brand orange `oklch(0.70 0.18 55)`; all tokens in `:root`
- **Spacing scale:** `--sp-1` through `--sp-24` (0.25rem steps)
- **CTA form panel background:** `oklch(0.22 0.06 30)` — very dark brownish-red, chroma shifted toward brand hue
- **Input fields:** `oklch(0.17 0.04 30)`
- **Submit button:** white background + brand-color text (inverts off orange band)
## Anti-Patterns / Warnings
- [WARNING] **Do not deploy the prototype as-is.** Testimonials use placeholder names and fabricated quotes. Replace before any production push.
- [WARNING] **The CTA form has no backend handler.** `action="/contact" method="GET"` will 404 on the live site. Do not launch without a form processor.
- **Side-stripe card borders are banned** in this design system. Use `border-top` accent treatment instead.
- **Do not use a flat `<ul>` for the service catalog.** The grouped `catalog-groups` structure is intentional and was a scored improvement.
- **Do not confuse this article with [[internal-infrastructure]].** The azcomputerguru.com site lives on IX Web Hosting, not Neptune or any ACG-managed server.
## Backlinks
- [[internal-infrastructure]] — ACG's internal servers, Neptune Exchange, Gitea, Jupiter (separate from this article)
- [[gururmm]] — GuruRMM project (referenced in service catalog as a service offering)
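Review bot: the Future / Pre-Launch item keeps `action="/contact" method="GET"` as the form placeholder, but the CTA form described under Key Events collects a name, a phone/email and a free-text message; with GET those values are carried in the URL, so they end up in the IX Web Hosting access logs, the visitor's browser history and any Referer header sent from the landing page. When the backend is added, switch the form to `method="POST"` and record that requirement in the Anti-Patterns entry next to the existing 404 warning, whichever of `contact.php` or Formspree is chosen. Minor: the preview-server line runs two code spans together (`npx astro preview --port 4325``http://localhost:4325/`); add a separator between the command and the URL.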

wiki/clients/bg-builders.md Normal file

@@ -0,0 +1,128 @@
---
type: client
name: bg-builders
display_name: BG Builders LLC
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/bg-builders/session-logs/2026-03-09-session.md
---
# BG Builders LLC
## Overview
- **Business type:** Construction / building contractor [unverified beyond name]
- **M365 tenant:** bgbuildersllc.com
- **Billing model:** Unknown — no billing data in session log
- **Contract status:** Unknown
- **CIPP Name:** sonorangreenllc.com (alternate tenant name in CIPP)
## Contacts
| Name | UPN | Access | Notes |
|---|---|---|---|
| Barry | barry@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set from original termination |
| Shelly | Shelly@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set from re-enable script 2026-02-27 |
| Lesley Roth | lesley@bgbuildersllc.com | Disabled | Terminated employee; account preserved per client request |
## Infrastructure
*(not documented — session was M365 account disable/wipe focused; no on-premises infrastructure captured)*
## Network
*(not documented)*
## Cloud / M365
| Property | Value |
|---|---|
| Tenant domain | bgbuildersllc.com |
| Tenant ID | ededa4fb-f6eb-4398-851d-5eb3e11fab27 |
| CIPP Name | sonorangreenllc.com |
| Admin UPN | sysadmin@bgbuildersllc.com |
| Admin credentials | Vault only — do NOT hardcode |
| Intune / Business Premium | No — no Intune-managed devices |
| Lesley account state | Disabled (AccountEnabled: False), Litigation Hold: True, licenses still assigned |
> [WARNING] Session log contained plaintext M365 admin credentials (sysadmin@bgbuildersllc.com). Use vault only: `vault.sh get-field clients/bg-builders/m365`.
### Lesley Roth — account state as of 2026-03-09
| Property | Value |
|---|---|
| AccountEnabled | False (was already False from 2026-02-27 prior termination) |
| Mailbox type | UserMailbox |
| Litigation Hold | True |
| Licenses | Still assigned (per client request — not removed) |
| Barry access | FullAccess + SendAs |
| Shelly access | FullAccess + SendAs |
| iPhone 16 Pro (iOS 26.3.1) | AccountOnlyDeviceWipePending (active device, last sync 2026-03-09) |
| iPhone 14 Pro (iOS 18.5) | AccountOnlyDeviceWipePending (stale — last sync 2025-06-27, may never acknowledge) |
| OneDrive | Not addressed |
### 72-hour mail activity report (Lesley, 2026-03-06 to 2026-03-09)
- No suspicious activity found — no suspicious sent/deleted mail, no inbox rules, no forwarding configured.
- Report saved to: `D:\ClaudeTools\scripts\bgb-lesley-mail-report-20260309.txt`
### M365 PowerShell technical notes
- `Get-MessageTrace` deprecated Sep 2025 — use `Get-MessageTraceV2` (no `-PageSize` parameter).
- `Search-MailboxAuditLog` deprecated Jan 2026 — use `Search-UnifiedAuditLog`.
- Exchange Online `-Device` auth switch requires PowerShell 7 (`pwsh`), NOT Windows PowerShell 5.1.
- WAM broker auth requires a visible PowerShell window — cannot run from bash or non-interactive shell.
### Scripts created (2026-03-09)
| Script | Purpose |
|---|---|
| `scripts/bgb-lesley-disable-wipe.ps1` | Disable account + device email wipe |
| `scripts/bgb-lesley-mail-report.ps1` | 72-hour mail activity report |
| `scripts/bgb-lesley-verify-wipe.ps1` | Verify device wipe status |
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | iPhone 16 Pro (active) — wipe should have completed; verify status | Howard / Mike |
| P1 | iPhone 14 Pro (stale since 2025-06-27) — wipe likely never acknowledged; verify or close | Howard / Mike |
| P2 | Lesley's OneDrive access not addressed in this session | Mike |
| P3 | sysadmin password reset — admin lacked privilege to reset Lesley's password via script (403); was done manually via M365 Admin Center. Verify sysadmin role assignments are sufficient for future terminations | Mike |
## Key Events / History
### 2026-02-27 — First termination (prior session, minimal detail)
- Lesley's account was previously disabled and sessions revoked.
- Litigation hold was enabled.
- Barry given FullAccess + SendAs.
### 2026-03-09 — Employee disable and device wipe
Lesley Roth (lesley@bgbuildersllc.com) terminated employee offboarding:
- Account already disabled (AccountEnabled was already False from 2026-02-27).
- Sessions re-revoked (belt-and-suspenders).
- Password manually reset via M365 Admin Center to `bgb-pass-reset-2026!!` (script failed 403 — sysadmin lacked privilege). Store in vault; rotate if account still exists.
- AccountOnly device wipe initiated on both iPhones (removes M365 email only; personal data preserved).
- Shelly given FullAccess + SendAs (added this session via re-enable script logic).
- 72-hour mail activity report: nothing suspicious.
- Account NOT converted to shared mailbox; licenses NOT removed — per client request.
## Anti-Patterns / Warnings
- [WARNING] Plaintext M365 admin credentials in session log — use vault only.
- [WARNING] sysadmin account has insufficient privileges to programmatically reset user passwords (403 on password reset). Plan for Global Admin or verify role assignments before future offboardings.
- BG Builders has NO Intune / Business Premium — device management is via EAS ActiveSync only. AccountOnly wipes (not full Intune wipes) are the only available device action.
- iPhone 14 Pro last synced 2025-06-27 — wipe will never complete if device stays offline. Do not wait on it.
- Do NOT delete Lesley's account or remove licenses without explicit client instruction — client requested account preservation.
- CIPP name for this tenant is `sonorangreenllc.com` — use this when looking up the tenant in CIPP.
## Backlinks
- *(no related wiki articles yet)*
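Review bot: the 2026-03-09 history entry records the manually reset password for Lesley's account in plaintext on the "Password manually reset via M365 Admin Center" line, in the same article that says admin credentials are "Vault only — do NOT hardcode" and whose Anti-Patterns section flags plaintext credentials in the session log as the problem being fixed. Replace the value with a vault reference in the article's own convention (the `clients/bg-builders/` vault path) and, because this commit puts the value into git history, treat the "rotate if account still exists" step as required rather than conditional. Also, the vault command on the M365 warning line (`vault.sh get-field clients/bg-builders/m365`) gives no field name, unlike the `get-field <file> <field>` form used elsewhere in this batch; add the field so the command runs as written.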

wiki/clients/evs.md Normal file

@@ -0,0 +1,82 @@
---
type: client
name: evs
display_name: Equity Valuation Services
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/evs/session-logs/2026-04-17-session.md
---
# Equity Valuation Services (EVS)
## Overview
- **Business type:** Financial services — equity valuation [unverified beyond name]
- **Billing model:** Unknown — no billing data in source log
- **Contract status:** Unknown
- **Billing rate:** Unknown
- **Hours remaining:** Unknown
- This is the first documented entry for EVS. Minimal infrastructure detail captured.
## Contacts
| Name | Title | Notes |
|---|---|---|
| *(not documented)* | | Howard maintains the VM onsite |
## Infrastructure
| Asset | Role | OS | Notes |
|---|---|---|---|
| EVS VM | User workstation | Windows 11 | Howard's primary working machine at this site; running Win11 compact right-click menu |
- No IP addresses, hostnames, or hardware specs documented.
- Single VM confirmed; no detail on hypervisor or host hardware.
## Network
*(not documented)*
## Cloud / M365
*(not documented)*
## GuruRMM
*(not documented)*
## Active Projects / Open Items
- Howard to apply Win11 right-click registry fix on the VM (pending confirmation as of 2026-04-17).
- If Howard uses more than one user profile on the VM, the registry fix must be run for each profile separately (fix is HKCU-scoped).
## Key Events / History
### 2026-04-17 — Win11 right-click menu revert
Howard reported the Win11 VM shows the compact (Win11-style) right-click context menu and finds it confusing. Standard per-user registry fix provided:
```powershell
reg add "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /f /ve
Stop-Process -Name explorer -Force
```
- HKCU-scoped — affects only the user who runs it on that session.
- Persists across reboots. Stable on 22H2/23H2/24H2/25H2.
- No admin elevation required.
To revert to Win11 default:
```powershell
reg delete "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}" /f
Stop-Process -Name explorer -Force
```
## Anti-Patterns / Warnings
- [WARNING] Almost no infrastructure is documented for this client. Do not assume anything about their environment beyond a single Win11 VM managed by Howard.
- Add infrastructure detail to this article whenever encountered — this is a thin record.
## Backlinks
- *(no related wiki articles yet)*
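Review bot: the Contacts table has no client contact at all and puts Howard (ACG staff) in its Notes column, so the only row reads as if Howard were the client's contact; leave the table as *(not documented)* and keep the "Howard maintains the VM onsite" detail under Infrastructure, where it already appears. In the 2026-04-17 entry, "Persists across reboots. Stable on 22H2/23H2/24H2/25H2." is stated as fact from a single session log; tag it [unverified] the way the rest of the article tags unconfirmed claims.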

wiki/clients/furrier.md Normal file

@@ -0,0 +1,112 @@
---
type: client
name: furrier
display_name: Furrier (Mike Furrier / Western Tire / Desert Rat)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/furrier/session-logs/2026-04-21-session.md
---
# Furrier / Mike Furrier
## Overview
- **Business type:** Mike Furrier is the owner/contact behind multiple entities: Western Tire and Desert Rat (desertrat.com). These are managed under a single Syncro customer record.
- **Syncro Customer ID:** 391491
- **Billing model:** Time and materials [unverified — one invoice observed]
- **Billing rate:** $150/hr [unverified — $75.00 billed for 30 min remote]
- **Contract status:** Unknown
> Note: Mike Furrier is also the customer contact for Western Tire (see [[wiki/clients/western-tire.md]]). These may be the same Syncro record. Confirm whether furrier and western-tire are the same Syncro customer.
## Contacts
| Name | Title | Email | Notes |
|---|---|---|---|
| Mike Furrier | Owner | *(not documented)* | Primary contact for desertrat.com and Western Tire |
| Tim Furrier | Employee/forwarder user | tim@desertrat.com | Forwarder → timfurrier@gmail.com; was sending from Gmail causing DMARC failures |
## Infrastructure
### Websvr (ACG-hosted cPanel)
| Property | Value |
|---|---|
| Hostname | websvr.acghosting.com |
| External IP (primary) | 162.248.93.233 |
| External IP (secondary) | 162.248.93.81 |
| OS | CentOS 7 |
| WHM version | 11.110.0.95 |
| SSH port | 22 |
| SSH credentials | Vault: `infrastructure/websvr` (do NOT hardcode) |
| WHM API Token | Vault only — do not hardcode |
| cPanel account | desertra |
| Domain | desertrat.com |
> [WARNING] Session log contained plaintext SSH credentials and WHM API token. These must not be committed or referenced outside the vault. Retrieve via `vault.sh get-field`.
### Mail architecture (desertrat.com)
- Mail hosted on websvr.acghosting.com (cPanel/exim).
- Inbound spam filter: Mailprotector (emailservice.io front-end).
- `tim@desertrat.com` is a **forwarder** (not a mailbox) → `timfurrier@gmail.com`. Located in `/etc/valiases/desertrat.com`.
- 38 mailboxes/forwarders total.
## Network
### DNS (desertrat.com)
- **DNS Host:** AWS Route 53
- **MX:** `10 desertrat-com.inbound.emailservice.io`, `20 .inbound.emailservice.cc`, `30 .inbound.emailservice.co`
- **SPF:** `v=spf1 +a +mx +ip4:162.248.93.233 +ip4:162.248.93.81 +include:spf.wdsolutions.com +include:spf.us.emailservice.io -all`
- **DKIM:** `default._domainkey.desertrat.com` — active, signed by Websvr
- **DMARC:** `v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100` — full enforcement
## Cloud / M365
*(not documented)*
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Tim configures Gmail "Send mail as" using Websvr SMTP (mail.desertrat.com:587 or :465) to stop DMARC rejections | Mike Furrier / Tim |
| P2 | Mailprotector user import CSV delivered — Mike Furrier to import into Mailprotector admin manually | Mike Furrier |
| P3 | Confirm with WebShop whether their DKIM record add request is still needed (Websvr DKIM already active) | Mike Swanson |
## Key Events / History
### 2026-04-21 — desertrat.com DMARC/SBR email fix
**Syncro ticket #32181** (ID: 109263692). Invoice #67437 — $75.00 + tax = $81.53. Status: Invoiced.
**Root cause:** Two compounding issues:
1. `tim@desertrat.com` is a forwarder to Gmail. Tim replies from Gmail using `tim@desertrat.com` as From. Gmail's servers are not in desertrat.com SPF → DMARC p=reject rejects on inbound.
2. Mailprotector SBR was unconfigured — `/etc/mailprotector_domains` on Websvr was empty; desertrat.com was never enrolled, so outbound forwarded mail bypassed Mailprotector relay.
**Fix applied:** Added `desertrat.com` to `/etc/mailprotector_domains` on websvr. No exim restart required (runtime lsearch lookup). Outbound now routes through `desertrat-com.outbound.emailservice.io`.
**Permanent fix still pending:** Tim must configure Gmail "Send mail as" with Websvr SMTP credentials to send mail that passes DMARC.
### Mailprotector user import CSV
Created `C:\Users\guru\Downloads\desertrat_mailprotector_import.csv` — 38 entries. Key aliases:
- desertrat60 → store60
- desertrat64 → store64
- jobs → tim
## Anti-Patterns / Warnings
- [WARNING] Tim's DMARC rejections will recur any time he replies from Gmail as tim@desertrat.com until "Send mail as" is properly configured. Do not attempt a DNS-level workaround — the correct fix is client-side SMTP configuration.
- [WARNING] DMARC is `p=reject` at 100% — any SPF/DKIM misalignment will hard-fail with no fallback. Be careful with any DNS or mail-routing changes.
- Do NOT look for tim@desertrat.com in cPanel email accounts — it is a forwarder in `/etc/valiases/desertrat.com`, not a mailbox.
- Mailprotector has no automated sync for non-AD/365/Google environments — user import is manual CSV only.
## Backlinks
- [[wiki/clients/western-tire.md]] — Western Tire is another entity under Mike Furrier (same Syncro customer ID 391491)
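Review bot: the P1 open item has Tim configure Gmail "Send mail as" with Websvr SMTP on mail.desertrat.com:587/465, but the Mail architecture section and the Anti-Patterns list both say `tim@desertrat.com` is a forwarder in `/etc/valiases/desertrat.com`, not a mailbox, and a forwarder has no SMTP login of its own. The item should state which cPanel mailbox's SMTP credentials Tim will authenticate with (or that a mailbox must be created first) and where that credential will live in the vault, otherwise the "permanent fix" cannot be carried out as written. Separately, the Backlinks entry states as fact that Western Tire shares Syncro customer ID 391491, while the Overview note says this is still to be confirmed; mark the backlink [unverified] or resolve the question before the two articles cross-reference each other.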


@@ -0,0 +1,99 @@
---
type: client
name: horseshoe-management
display_name: Horseshoe Management
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/horseshoe-management/session-logs/2026-05-06-howard-ups-bypass-relay-fault-onsite.md
---
# Horseshoe Management
## Overview
- **Business type:** Property/business management [unverified beyond name]
- **Syncro Customer ID:** 625269 (Bill Young)
- **Billing model:** Prepaid block hours
- **Billing rate:** $175/hr (onsite business); emergency multiplier 1.5x applied to qty, not rate
- **Hours remaining:** 31.75 hrs (as of 2026-05-06, after 1.5 hr emergency debit)
- **Address:** 2325 E Grant Rd, Tucson
## Contacts
| Name | Role | Notes |
|---|---|---|
| Bill Young | Primary contact / owner [unverified] | Syncro customer name; was on-site during 2026-05-06 visit |
| Donna | Employee [unverified] | Credentials in Syncro notes (see Warning) |
| Randy | Employee [unverified] | Credentials in Syncro notes (see Warning) |
| Frank | Employee [unverified] | Credentials in Syncro notes (see Warning) |
| Sam | Employee [unverified] | Credentials in Syncro notes (see Warning) |
## Infrastructure
### UPS
- **Model:** APC Smart-UPS 1350
- **Status as of 2026-05-06:** Operational after power-cycle. Prior error: P.17 / Event 17 (Bypass Relay Weld fault).
- **History:** Site has gone through multiple batteries and at least two complete UPS units with battery-related errors — pattern suggests underlying electrical/wiring issue.
### Servers / Workstations
*(not documented — session was UPS-focused; no server/workstation inventory captured)*
## Network
*(not documented)*
## Cloud / M365
- **M365 tenant present** — admin account: `Bill@horseshoemgt.com`
- **[WARNING] M365 admin password was stored in plaintext in Syncro customer notes** — see Anti-Patterns section.
- Tenant ID and domain not confirmed beyond `horseshoemgt.com` [unverified domain spelling].
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Follow up with Bill to confirm whether they engaged a licensed electrician to check the branch circuit/outlet feeding the UPS equipment | Howard / Mike |
| P1 | Migrate all plaintext credentials from Syncro customer notes to SOPS vault under `clients/horseshoe-management/` and strip from Syncro | Mike |
## Key Events / History
### 2026-05-06 — APC Smart-UPS P.17 bypass relay fault (emergency onsite)
**Syncro ticket #32256** — "Emergency onsite - Server making strange noise" (misleading subject — actual issue was UPS).
**Technician:** Howard Enos.
**Error:** APC Smart-UPS 1350 displaying P.17 / Event 17 (Bypass Relay Weld fault) — internal transfer relay stuck, unit unable to switch between line and battery power.
**Resolution:** Full power-cycle procedure:
1. Disconnected all loads.
2. Unplugged UPS from wall.
3. Removed batteries.
4. Held power button 10 seconds to discharge residual capacitance.
5. Reinstalled batteries, plugged in, reconnected loads, powered up.
6. Error code cleared. UPS operating normally post-cycle.
**Billing:** Emergency onsite on prepay block.
- Product: 26118 (Labor - Onsite Business, $175/hr)
- Qty: 1.5 hrs (1.0 actual × 1.5 emergency multiplier applied to qty, NOT rate)
- Line total: $262.50
- Invoice #67568 — $0.00 (fully covered by prepay block)
- Prepay: 33.25 hrs → 31.75 hrs
**Recommendation given to customer:** Engage a licensed electrician to inspect the branch circuit and outlet before purchasing additional batteries or replacement UPS units. History of repeat failures (multiple batteries, two complete UPS units) does not match normal wear — points to voltage irregularities, poor grounding, or a shared circuit with a high-draw load.
## Anti-Patterns / Warnings
- [WARNING] CRITICAL SECURITY EXPOSURE: Plaintext passwords for Donna, Bill, Randy, Frank, Sam, "Bill Server", and the M365 admin account (`Bill@horseshoemgt.com`) were found in the Syncro customer notes free-text field as of 2026-05-06. These must be migrated to the SOPS vault (`clients/horseshoe-management/`) and stripped from Syncro before any future work exposes them further.
- [WARNING] Do NOT use Emergency product (26184) for emergency billing on prepay customers — use standard Onsite Business (26118) with qty multiplied by 1.5. Stacking both products double-counts the time-and-a-half.
- Do not dismiss repeat UPS/battery failures as normal wear. Pattern at this site strongly suggests an electrical infrastructure problem.
## Backlinks
- *(no related wiki articles yet)*
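Review bot: the P1 row "Migrate all plaintext credentials from Syncro customer notes to SOPS vault ... and strip from Syncro" only relocates the credentials; the Anti-Patterns entry says the M365 admin password for `Bill@horseshoemgt.com` and the passwords for Donna, Bill, Randy, Frank, Sam and "Bill Server" sat in a free-text notes field rather than a secrets store, so each one should also be rotated once it is vaulted, and the row should say so. Since that admin account is the owner's own mailbox UPN, the row should also note that the reset needs coordination with Bill rather than a silent change. The Cloud / M365 section tags the domain spelling [unverified] while the Anti-Patterns entry uses `horseshoemgt.com` without the tag; keep the tags consistent until the tenant domain is confirmed.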

wiki/clients/khalsa.md Normal file

@@ -0,0 +1,174 @@
---
type: client
name: khalsa
display_name: Khalsa
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/khalsa/docs/overview.md
- clients/khalsa/docs/cloud/m365.md
- clients/khalsa/docs/cloud/azure.md
- clients/khalsa/docs/rmm/rmm.md
- clients/khalsa/docs/security/antivirus.md
- clients/khalsa/docs/security/backup.md
- clients/khalsa/docs/issues/log.md
- clients/khalsa/docs/apple-domain-join.md
- clients/khalsa/docs/network/README.md
- clients/khalsa/docs/network/camden/topology.md
- clients/khalsa/docs/network/camden/firewall.md
- clients/khalsa/docs/network/camden/dns.md
- clients/khalsa/docs/network/camden/dhcp.md
- clients/khalsa/docs/network/camden/vlans.md
- clients/khalsa/docs/network/river/topology.md
- clients/khalsa/docs/network/river/firewall.md
- clients/khalsa/docs/network/river/dns.md
- clients/khalsa/docs/network/river/dhcp.md
- clients/khalsa/docs/network/river/vlans.md
- clients/khalsa/PROJECT_STATE.md
---
# Khalsa
## Overview
New client in ONBOARDING status as of 2026-04-16. Standard client directory structure applied by Howard. Multi-site environment with two locations: **Camden** and **River**. Onboarding is incomplete — infrastructure details, contacts, and credentials have not yet been captured to the vault.
- **Business type:** *(not documented)*
- **Locations:** 2 (Camden, River)
- **Total users:** *(not documented)*
- **Billing model:** *(not documented)*
- **Billing rate:** *(not documented)*
- **Contract status:** ONBOARDING — terms not yet documented
- **Hours remaining:** *(not documented)*
[WARNING] All template fields in overview.md, m365.md, azure.md, rmm.md, antivirus.md, and backup.md are blank. The only substantive technical content in the entire client directory is `docs/apple-domain-join.md`. Onboarding must be completed before this client can be effectively supported.
---
## Contacts
All contact fields in overview.md are blank. No primary contact, IT contact, names, phones, or emails documented.
- **Primary Contact:** *(not documented)*
- **IT Contact:** *(not documented)*
- **Location (Camden):** *(not documented)*
- **Location (River):** *(not documented)*
---
## Infrastructure
No server or workstation inventory has been captured. The following is known only from `docs/apple-domain-join.md`:
### Known Servers
| Hostname | IP | Role | OS | Notes |
|----------|----|------|----|-------|
| TROUT | 10.11.12.254 | Domain Controller, Primary DNS | *(not documented)* | khalsa.local domain; DNS forwarder at 10.11.12.1 |
| *(unknown)* | 10.11.12.243 | DNS server | *(not documented)* | [WARNING] This is a DNS server but NOT the DC — do not confuse the two |
### Workstations
*(not documented)*
### Active Directory
- **Domain:** `khalsa.local`
- **Domain admin account:** `guru`
- **DC hostname:** TROUT at 10.11.12.254
- **DNS primary:** 10.11.12.254 (DC/TROUT)
- **DNS secondary:** 10.11.12.1
- Kerberos (port 88), LDAP (port 389), SMB (port 445) required to reach DC
---
## Network
Two sites: Camden and River. All network template files (topology, firewall, DNS, DHCP, VLANs) are blank placeholders for both sites — no subnets, IPs, hardware, ISPs, or VPN details are recorded.
### Camden
- **Topology:** *(not documented — template only)*
- **Firewall:** *(not documented — template only)*
- **DNS:** *(not documented — template only)*
- **DHCP:** *(not documented — template only)*
- **VLANs:** Template defines VLAN IDs 1, 10, 20, 30, 40, 50, 60, 100 (standard schema: Management, Servers, Workstations, VoIP, WiFi-Corp, WiFi-Guest, Security) — but no subnets or IPs filled in.
### River
- **Topology:** *(not documented — template only)*
- **Firewall:** *(not documented — template only)*
- **DNS:** *(not documented — template only)*
- **DHCP:** *(not documented — template only)*
- **VLANs:** Same VLAN ID schema as Camden — no subnets or IPs filled in.
### Site-to-Site Connectivity
*(not documented)* — firewall.md VPN sections are blank for both sites.
### Confirmed Network Info (from apple-domain-join.md)
- DC/DNS: TROUT at 10.11.12.254 (implies /24 range starting with 10.11.12.x)
- Secondary DNS: 10.11.12.1 [unverified — likely a firewall or router]
- 10.11.12.243 is a DNS server (role unknown, not the DC)
- Site assignment of these IPs (Camden vs River) is unknown
---
## Cloud / M365
All M365 and Azure template fields are blank. No tenant name, tenant ID, domain, licenses, Exchange settings, SharePoint, Teams, Entra, or Defender details are documented.
- **M365 tenant:** *(not documented)*
- **Azure subscription:** *(not documented)*
- **Other cloud services:** *(not documented)*
---
## GuruRMM
All RMM template fields are blank.
- **Client ID:** *(not documented)*
- **Site IDs:** *(not documented)*
- **Enrolled agents:** *(not documented)*
- **Monitoring policies:** Template placeholders only (Disk Space, CPU, Service Monitor, Backup Monitor, Offline Alert — no client-specific values)
- **Patch policy:** *(not documented)*
---
## Active Projects / Open Items
- [ ] Complete onboarding — capture infrastructure details, contacts, credentials to vault
- [ ] Populate all `docs/` templates with real data (network, servers, M365, backup, AV, RMM)
- [ ] Document both Camden and River site specifics (topology, firewall rules, VLANs, IPs)
- [ ] Capture contacts to overview.md
- [ ] Store credentials in SOPS vault under `clients/khalsa/`
---
## Key Events / History
| Date | Event |
|------|-------|
| 2026-04-16 | Client directory created by Howard. Standard template applied. ONBOARDING status set. |
No issue log entries. No session logs exist for this client.
---
## Anti-Patterns / Warnings
- [WARNING] 10.11.12.243 is a DNS server but NOT the domain controller. Do not treat it as the DC. The DC is TROUT at 10.11.12.254.
- [WARNING] Onboarding is incomplete. Do not assume any template placeholder values are real — all fields other than the apple-domain-join.md content are empty.
- [WARNING] Do NOT run `dsconfigad` commands via ScreenConnect — the domain join step requires a password prompt that ScreenConnect cannot handle. Must use direct Terminal access.
- When joining a Mac that was previously joined and has a broken trust: force-remove first (`dsconfigad -remove -username guru -force`), then re-join. Skipping this causes error 2100.
- After applying `DefaultDomain` setting for login window, a reboot is required for the domain prefix to drop from login.
- No credentials are in this wiki. Retrieve from vault under `clients/khalsa/` once captured.
---
## Backlinks
- [[wiki/index]] — client index
- [[wiki/patterns/apple-domain-join]] — if a general Apple domain join pattern article exists or is created
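Review bot: 10.11.12.1 is described three different ways in this file and the entries disagree. The Known Servers table calls it the DC's "DNS forwarder at 10.11.12.1", the Active Directory list states "DNS secondary: 10.11.12.1" as settled fact, and the Confirmed Network Info section marks the same address "[unverified" and guesses it is a firewall or router. A forwarder configured on TROUT and a secondary resolver handed to clients are different things, and only apple-domain-join.md is cited as evidence; pick one description, carry the [unverified] tag into the Active Directory list, and record which it is once verified. Also, the backlink `[[wiki/patterns/apple-domain-join]]` is a dangling wikilink by its own admission ("if a general Apple domain join pattern article exists or is created"); either create the pattern article in this commit or drop the link until it exists.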


@@ -0,0 +1,118 @@
---
type: client
name: kittle-design
display_name: Kittle Design & Construction
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/kittle-design/session-logs/2026-04-24-session.md
---
# Kittle Design & Construction
## Overview
- **Business type:** Design & construction firm
- **M365 tenant:** kittlearizona.com
- **Billing model:** Time and materials [unverified — one ticket observed]
- **Billing rate:** Unknown (Labor - Remote Business, product_id 1190473)
- **Contract status:** Unknown
- **Syncro ticket:** #32207
## Contacts
| Name | UPN | Notes |
|---|---|---|
| Alexis | alexis@kittlearizona.com | Confirmed compromise — hidden inbox rule, duplicate Authenticator, password reset issued |
| Ken | Ken@kittlearizona.com | Suspicious inbox rule "Admin" (Capital One/Bill.com) — status unconfirmed as of session end |
| Lori | Lori@kittlearizona.com | Two Authenticator entries (different Samsung models — likely phone upgrade) |
| Scott | scott@kittlearizona.com | Phone-only MFA, no Authenticator enrolled |
## Infrastructure
- **On-premises servers/workstations:** Not documented.
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable.
- Token cache location (local): `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`
## Network
*(not documented)*
## Cloud / M365
| Property | Value |
|---|---|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Entra P1/P2 | No — sign-in logs unavailable |
| Exchange Admin role | Assigned to Security Investigator SP (manually) |
### Service Principals (Remediation Tool)
| App | SP Object ID | Role |
|---|---|---|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | *(role not documented)* |
> [WARNING] Alexis's temp password `KittleGwiNUK#2026` was in the session log. This is a force-change-on-login temp password issued 2026-04-23 — it should already be changed. Do not use. Store any active credentials in vault only.
### Alexis — Compromise Details
- **Hidden inbox rule "."** — was routing Howmet-related emails to Conversation History folder. Deleted.
- **Emails recovered** (moved back to inbox, HTTP 201):
- "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
- "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
- "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
- **Duplicate Authenticator entries** — two entries, same device name "iPhone 12 Pro Max" but different app versions. Suspicious entry ID: `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40). Pending removal after confirmation from Alexis.
- **Sessions revoked** — revokeSignInSessions returned true.
- **Password reset** — temp password issued, force-change enforced.
- **User object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
- **Exchange identity:** `alexis\2866869517449953281`
### OAuth Consents Revoked
**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted):
- Had Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes — extremely broad.
**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth — 1 grant deleted):
- IMAP.AccessAsUser.All, openid, offline_access — consented by unknown user.
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove suspicious entry `c927402a` | Mike |
| P1 | Ask Ken: does he recognize the "Admin" inbox rule (Capital One, Bill.com, @flystucson.com)? If no → escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions) | Mike |
| P2 | Verify Alexis received temp password `KittleGwiNUK#2026` and has changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (currently phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business, product_id 1190473) | Mike |
## Key Events / History
### 2026-04-23/24 — Full M365 breach check and remediation
Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`
- Onboarded Exchange Operator and Tenant Admin apps (consent + role assignment).
- Exchange Administrator role was NOT assigned to Security Investigator at time of initial breach check — assigned manually during remediation. SMTP forwarding check was therefore incomplete during the breach check phase.
- Two high-severity findings: Alexis's hidden inbox rule and duplicate Authenticator.
- One unresolved finding: Ken's "Admin" rule — awaiting his response.
- Seven OAuth grants deleted from the AllPrincipals consent (c5df10ae) — very broad scopes including Directory.ReadWrite.All.
## Anti-Patterns / Warnings
- [WARNING] Ken's inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) is unresolved. If Ken cannot explain it, treat as active compromise: password reset, session revocation, rule deletion, check financial accounts immediately.
- [WARNING] SMTP forwarding check was NOT completed — Exchange Admin role was missing on Security Investigator during initial sweep. Re-run SMTP forwarding check on all mailboxes.
- [WARNING] Kittle has NO Entra P1/P2 — sign-in log queries and Identity Protection risky user signals are unavailable. Rely on Exchange audit logs and consent audits only.
- Do not use the AllPrincipals consent app ID c5df10ae for anything — it was a malicious/overbroad app and all its grants have been revoked.
## Backlinks
- *(no related wiki articles yet)*
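Review bot: the temporary password `KittleGwiNUK#2026` is written into this article twice (the WARNING block under Service Principals and the P2 open item), directly beside a note saying "Store any active credentials in vault only". A force-change temp password should still not be committed to the wiki: the P2 item says it is unconfirmed whether Alexis has changed it, so it may be a live credential, and once it is in git history it cannot be recalled. Replace both occurrences with a pointer to the vault or the session log and keep the warning text. Second, this article and `wiki/clients/kittle.md` describe the same tenant (kittlearizona.com, tenant ID 3d073ebe-806a-4a5e-9035-3c7c4a264fc0), yet Backlinks says "(no related wiki articles yet)"; cross-link the two, or merge them, so the unresolved compromise findings here (Ken's "Admin" inbox rule, the incomplete SMTP forwarding check) are visible from the main Kittle article, where Ken is listed as owner and primary contact.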

348
wiki/clients/kittle.md Normal file

@@ -0,0 +1,348 @@
---
type: client
name: kittle
display_name: Kittle (client)
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/kittle/docs/overview.md
- clients/kittle/docs/servers/server.md
- clients/kittle/docs/network/topology.md
- clients/kittle/docs/network/firewall.md
- clients/kittle/docs/network/dns.md
- clients/kittle/docs/network/dhcp.md
- clients/kittle/docs/network/vlans.md
- clients/kittle/docs/cloud/m365.md
- clients/kittle/docs/cloud/azure.md
- clients/kittle/docs/rmm/rmm.md
- clients/kittle/docs/security/antivirus.md
- clients/kittle/docs/security/backup.md
- clients/kittle/docs/issues/log.md
- clients/kittle/docs/email/dkim-dmarc-setup.md
- clients/kittle/PROJECT_STATE.md
- clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md
---
# Kittle Design & Construction LLC
## Overview
- **Business type:** General contractor (construction)
- **Address:** 2539 N Balboa Ave #125, Tucson, AZ 85705
- **Phone:** 520.299.0404 | **Fax:** 520.299.0477
- **Website:** kittlearizona.com
- **Syncro customer ID:** 32460233
- **Status:** Active — onboarding in progress (as of 2026-05-08)
- **Billing model:** [unverified] — no contract or rate documented in source files
- **Hours remaining:** [unverified] — not documented
---
## Contacts
| Name | Title | Email | Notes |
|------|-------|-------|-------|
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | |
| Kimberly Ross | Admin | admin@kittlearizona.com | Primary M365 contact per session log |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account: `accountant` on AD |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Took over Wrex's workstation |
| Howard Enos | MSP Tech (ACG) | — | AD account: `sysadmin` (Domain Admin) |
**Known M365 users (licensed):**
- Office 365 E3 (no Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
- Business Standard: Accounting, Admin (Kimberly Ross), Brandon Blazer, Hayden Schagel, Jason Stubblefield, Johnny Calhoun, Joshua Sutherland, Lori Schagel, Marco Fragoso, Michael Sanchez, Neal Crusius, Scott Zehner
---
## Infrastructure
### Servers
| Hostname | IP | OS | Role | Hardware | Notes |
|----------|----|----|------|----------|-------|
| SERVER | 10.0.0.5 | Windows Server 2025 Standard **EVALUATION** | Primary DC, DNS, DHCP (unused), File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Syncro asset: `SERVER2021` (id `10584015`) |
**SERVER storage:**
| Drive | Label | Size | Notes |
|-------|-------|------|-------|
| C: | OS | ~11 TB | Primary volume (NTFS) |
| Secondary | Server2 2022_03_31 | ~2 TB | Purpose unknown — possibly old server backup/migration data |
**[WARNING]** Unknown service listening on TCP port 8019 on SERVER. Not a standard Windows/AD port. Likely QuickBooks or ScreenConnect — needs identification (`netstat -ano | findstr 8019`).
### Workstations
| AD Name | OS | Last Logon | Notes |
|---------|----|------------|-------|
| FRONTDESK | Windows 11 Pro | 2026-03-09 | Front Desk user; Syncro asset id `11122225` |
| ACCOUNTING | Windows 11 Pro for Workstations | 2026-03-09 | `accountant` role account |
| CHRISTINE-WIN10 | Windows 11 Pro | 2026-03-09 | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | 2026-03-06 | Wrex — now used by Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | 2026-03-11 | User unknown; needs rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | 2026-03-06 | User unknown; needs rename |
**Known machine-to-user mapping:** FRONTDESK = Front Desk, ACCOUNTING = accountant (Darline?), CHRISTINE-WIN10 = Christine, DESKTOP-2560Q7R = Wrex/Joshua. Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) unidentified — require onsite correlation.
### Active Directory
- **Domain:** kittle.lan (NetBIOS: KITTLE)
- **Domain Admins:** Administrator, sysadmin (Computer Guru)
- **Total domain users:** 12 (8 regular + sysadmin + QBDataServiceUser34 + joshua.sutherland added 2026-05-08 + Administrator)
- **Total workstations:** 7
**AD Users:**
| SamAccountName | Display Name | Enabled | Notes |
|---------------|-------------|---------|-------|
| Administrator | Administrator | Yes | Domain Admin |
| alexis | Alexis | Yes | |
| Marco | Marco | Yes | |
| accountant | accountant | Yes | [WARNING] Role-based — should be individual account |
| ken | Ken | Yes | Owner |
| frontdesk | Front Desk | Yes | [WARNING] Role-based — should be individual account |
| lori | Lori | Yes | |
| wrex | Wrex | Yes | [WARNING] Wrex's PC now used by Joshua |
| sysadmin | Computer Guru | Yes | MSP Domain Admin |
| QBDataServiceUser34 | QuickBooks service | Yes | Service account |
| joshua.sutherland | Joshua Sutherland | Yes | Created 2026-05-08; UPN joshua.sutherland@kittle.lan, email joshua@kittlearizona.com |
### File Shares
| Share | Path | Notes |
|-------|------|-------|
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON | (default) | AD logon scripts |
| SYSVOL | (default) | Group Policy |
### Installed Software (SERVER)
| Software | Notes |
|----------|-------|
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to workstation |
| ScreenConnect | Remote access agent |
### Backup
[WARNING] NO BACKUP EXISTS. No Windows Server Backup, no third-party agent, no cloud backup. If SERVER fails, AD, DNS, file shares, and QuickBooks data are permanently lost. SERVER is the only domain controller.
### Antivirus / EDR
*(not documented)* — no AV/EDR product deployed or documented.
---
## Network
### Topology
- **Subnet:** Single flat 10.0.0.0/24 — no VLANs, no segmentation
- **Gateway:** 10.0.0.1 (ISP router — consumer-grade, acts as gateway + DHCP + only "firewall")
- **Switch:** UniFi USW-Lite-16-PoE at 10.0.0.122 (MAC: 0C:EA:14:8A:8D:7F); managed by ACG's self-hosted UniFi controller
- **~31 devices** observed on network via ARP — most unidentified (phones, printers, APs, workstations)
**Key device IPs:**
| Device | IP | Notes |
|--------|----|-------|
| ISP Router | 10.0.0.1 | Gateway, DHCP, only perimeter device |
| SERVER (DC) | 10.0.0.5 | Static |
| UniFi Switch | 10.0.0.122 | Should have DHCP reservation |
### Firewall
[WARNING] NO dedicated firewall. ISP router at 10.0.0.1 (MAC: 42:0f:c1:f0:e6:43 — randomized/consumer MAC) is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. The firewall.md template is empty — no firewall config has been documented because none exists.
**Recommendation:** Deploy pfSense (free) or commercial UTM (FortiGate, SonicWall) between ISP router and LAN switch.
### VLANs
No VLANs configured. All devices on the same broadcast domain. The vlans.md template exists but is empty — no VLAN segmentation is deployed.
### DNS
**Internal DNS:** Windows DNS on SERVER (10.0.0.5), AD-integrated.
- Zones: kittle.lan, _msdcs.kittle.lan
- Forwarder: 10.0.0.1 (ISP router) — single forwarder, no redundancy
- No reverse lookup zone for 10.0.0.0/24 (PTR lookups fail)
**External DNS (kittlearizona.com):** Hybrid NSOne + Squarespace nameservers
| Nameservers |
|-------------|
| dns1.p02.nsone.net, dns2.p02.nsone.net, dns3.p02.nsone.net, dns4.p02.nsone.net |
| ns01.squarespacedns.com, ns02.squarespacedns.com, ns03.squarespacedns.com, ns04.squarespacedns.com |
**Email DNS records (as of 2026-04-23):**
| Record | Status | Value |
|--------|--------|-------|
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |
**DKIM/DMARC setup guide:** `clients/kittle/docs/email/dkim-dmarc-setup.md`
DNS registrar: Unknown — needs identification.
### DHCP
[WARNING] DHCP runs on the ISP router (10.0.0.1), not on SERVER. The Windows DHCP role is installed on SERVER but has zero scopes configured. Unknown what DNS server is handed out via DHCP — if DHCP hands out ISP DNS instead of 10.0.0.5, AD name resolution may break for domain clients. DHCP range, lease time, and reservations not documented (need ISP router admin access to check).
---
## Cloud / M365
### Tenant
| Field | Value |
|-------|-------|
| Tenant name | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Primary domain | kittlearizona.com |
| Admin portal | https://admin.microsoft.com |
### Licensing (as of 2026-04-28)
| License | Qty | Assigned | Available |
|---------|-----|----------|-----------|
| Microsoft 365 Business Standard (SKU: O365_BUSINESS_PREMIUM, skuId: f245ecc8-75af-4f8e-b61f-27d8114de5f3) | 12 | 12 | 0 |
| Office 365 E3 No Teams (skuId: 46c3a859-c90d-40b3-9551-6178a48d5c18) | 4 | 4 | 0 |
ACG `sysadmin` account is unlicensed.
### Exchange Online / Email
- Mail provider: Microsoft 365 (kittlearizona.com)
- MX: kittlearizona-com.mail.protection.outlook.com
- Shared mailboxes, distribution groups, mail flow rules: *(not documented)*
- Known Outlook accounts in Syncro notes (plaintext — flagged for vault migration): `kittletucson@outlook.com`, `kittletucson2@outlook.com`
### Azure
*(not documented)* — Azure subscription template is empty; no Azure VMs or cloud resources documented.
### Entra ID / Hybrid Join
- Hybrid joined: [unverified] — not documented
- No Azure AD Connect server documented
- MFA enforcement status: [unverified]
### SharePoint / OneDrive / Teams
*(not documented)*
---
## GuruRMM
| Field | Value |
|-------|-------|
| Client name | Kittle Design & Construction LLC |
| Client ID | d8b08837-78e0-441e-b824-e0abbf0254ed |
| Client code | KITTLE |
| Site name | Main Office |
| Site ID | 851376d1-33be-46ee-9e48-be44767e4a0a |
| Site code | SILVER-HAWK-7639 |
| Site address | 2539 N Balboa Ave #125, Tucson AZ 85705 |
| API key (enrollment) | Vault: `clients/kittle/gururmm-site-main.sops.yaml` (vault commit 6eb3414) |
| Dashboard | https://rmm.azcomputerguru.com |
| API | https://rmm-api.azcomputerguru.com |
**GuruRMM client and site created 2026-05-08** by Howard during Joshua onboarding onsite. Agent deployment was in progress at time of log:
- SERVER (SERVER2021) — agent install pending/in-progress during onsite
- Wrex's workstation (DESKTOP-2560Q7R) — agent install pending/in-progress during onsite
- Enrolled agent IDs and hostnames: *(not yet documented — confirm after onsite)*
**Agent deployment command (ScreenConnect, requires `#!ps` prefix):**
```powershell
#!ps
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
$d='C:\Windows\Temp\gururmm-agent.exe';
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key '<key-from-vault>'
```
---
## Active Projects / Open Items
### CRITICAL — Must Resolve
- [ ] **Activate Windows Server 2025 full license on SERVER** — evaluation expires after 180 days; server shuts down hourly after expiry. Check remaining time: `slmgr /dlv`
- [ ] **Implement backup for SERVER** — No backup exists. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi)
- [ ] **Migrate credentials from Syncro plaintext to SOPS vault:**
- SERVER admin (`administrator / AXman2Z`) → `clients/kittle/server2021.sops.yaml`
- Outlook accounts (`kittletucson@outlook.com`, `kittletucson2@outlook.com`) → vault
- Strip plaintext from Syncro customer notes after vaulting
### HIGH Priority
- [ ] **Configure DKIM for kittlearizona.com** — Add CNAME selectors in NSOne/Squarespace; enable signing in M365 Defender Portal. Guide: `clients/kittle/docs/email/dkim-dmarc-setup.md`
- [ ] **Add DMARC policy for kittlearizona.com** — Start with `p=none` (monitor), escalate to `p=quarantine` after 1 week clean
- [ ] **Migrate QuickBooks off the domain controller** — QB should run on ACCOUNTING workstation; data stays on \\SERVER\QBooks
- [ ] **Deploy dedicated firewall** — ISP router only; no stateful inspection or content filtering
- [ ] **Confirm Joshua Sutherland's onsite setup complete** — local admin on Wrex's PC, password changed, GuruRMM agent installed
- [ ] **GuruRMM agent enrollment** — Confirm agents running on SERVER and Wrex's PC; roll out to FRONTDESK and other endpoints
### MEDIUM Priority
- [ ] Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5
- [ ] Replace role-based AD accounts (`accountant`, `frontdesk`) with individual named accounts
- [ ] Rename 4 workstations with generic DESKTOP-xxx / WINDOWS-xxx names
- [ ] Investigate and identify port 8019 on SERVER
- [ ] Identify unknown DNS registrar for kittlearizona.com
- [ ] Verify what DNS server ISP router hands out via DHCP (critical for AD)
- [ ] Investigate email issue: emails moved to folders reappearing in inbox (suspected Outlook cached mode / OST corruption)
- [ ] Identify M365 mailbox need for Joshua Sutherland (AD creation is separate from M365 licensing)
### LOW Priority
- [ ] Create reverse DNS zone for 10.0.0.0/24 (0.0.10.in-addr.arpa)
- [ ] Identify purpose of secondary SERVER volume "Server2 2022_03_31" (~2 TB)
- [ ] Identify 3 unknown workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) — requires onsite correlation
- [ ] Add secondary DNS forwarder on SERVER (8.8.8.8 or 1.1.1.1) for ISP router failure redundancy
- [ ] Enable DNS scavenging to prevent stale records
- [ ] Identify remaining ~20 unknown ARP entries on the network
- [ ] Identify DHCP reservations on ISP router; create proper reservations for SERVER, switch, printers
---
## Key Events / History
| Date | Event |
|------|-------|
| 2026-04-16 | Standard client directory structure applied by Howard; onboarding started |
| 2026-04-23 | Email DNS audit: SPF confirmed OK, DKIM/DMARC confirmed missing |
| 2026-04-28 | M365 licensing documented: 16 total seats (12 Business Standard + 4 E3), all assigned |
| 2026-03-12 | Server audit: discovered evaluation license, no backup, QB on DC, no firewall, role-based accounts, DHCP on ISP router |
| 2026-03-12 | Fixed HomeFolder GPO drive map action from Replace → Update to stop File Explorer closing on GP refresh |
| 2026-03-20 | Deployed "Intranet Zone - File Server" GPO — adds \\SERVER and \\10.0.0.5 to Local Intranet zone; fixes PDF preview on shares (Oct 2025 security update regression) |
| 2026-03-25 | FRONTDESK: folder view sort order fix — cleared Bags/BagMRU registry, disabled auto folder-type detection, forced Details view via AllFolders shell key |
| 2026-05-08 | Howard onsite: AD user `joshua.sutherland` created; GuruRMM client + Main Office site created; GuruRMM enrollment key vaulted; agents being deployed to SERVER and Wrex's PC |
---
## Anti-Patterns / Warnings
- [WARNING] **ScreenConnect command runner defaults to `cmd` context** — PowerShell scripts MUST be prefixed with `#!ps` or they will fail silently. `Invoke-WebRequest`, `ConvertTo-SecureString`, etc. all require PowerShell.
- [WARNING] **Do NOT run `Add-LocalGroupMember` on the DC to add a user to local Administrators** — DCs have no local SAM; the command will fail with "Group Administrators was not found." Run this on the target workstation instead.
- [WARNING] **SERVER is the sole domain controller** — Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No backup. No failover.
- [WARNING] **QuickBooks Pro 2024 is on the DC** — Do not migrate or decommission SERVER without a proper QuickBooks migration plan. Data is at `C:\Shares\Home\QBooks`.
- [WARNING] **DHCP DNS server unknown** — ISP router may be handing out ISP DNS instead of 10.0.0.5. Do not assume domain resolution works correctly for all clients. Test before deploying domain-joined systems.
- [WARNING] **Two Outlook account credentials (`kittletucson@outlook.com` / `kittletucson2@outlook.com`) and the SERVER admin password (`administrator / AXman2Z`) are in Syncro customer notes as plaintext.** Migrate to vault and strip from Syncro before any additional access sharing.
- [WARNING] **Wrex's AD account (`wrex`) is still active** but his workstation is now used by Joshua Sutherland. Wrex's account should be reviewed — disable or confirm Wrex is still an employee.
- [WARNING] **Password set during Joshua onboarding (`Kota2020!`) was set with force-change-at-logon.** Confirm Joshua completed the password change; if not, the temp password is known to Howard.
- [WARNING] **DKIM and DMARC are not configured.** Domain kittlearizona.com can be trivially spoofed. Emails to strict recipients (Gmail, Google Workspace) may land in spam.
- [WARNING] **GPO drive map action (HomeFolder GPO)** — Must stay as `Update`, not `Replace`. Changing back to Replace will cause File Explorer to close during GP refresh for users browsing mapped drives.
- [WARNING] **Always use `Update` (not `Replace`) for GPO drive maps** — Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.
---
## Backlinks
- [[wiki/projects/gururmm]] — GuruRMM agent enrollment; Kittle is an active RMM client as of 2026-05-08
- [[wiki/clients/internal-infrastructure]] — ACG UniFi controller manages Kittle's UniFi switch
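Review bot: the SERVER domain admin credential `administrator / AXman2Z` is reproduced in plaintext in this article (the CRITICAL open item and the Anti-Patterns warning), and so is Joshua's onboarding password `Kota2020!`. The open item's stated goal is to move these out of Syncro plaintext into `clients/kittle/server2021.sops.yaml`; committing the values to the wiki recreates the same exposure in a second, git-tracked place that a later edit cannot scrub from history. Replace the values with a vault reference and keep only the fact that a plaintext copy exists in Syncro and must be stripped. Two smaller points: the agent deployment snippet downloads and runs `gururmm-agent-windows-amd64-latest.exe` with no integrity check, and the `latest` name means the binary can change underneath the script, so consider recording the expected hash of the current release next to the command; and the Key Events table is not in date order (the 2026-03 entries follow 2026-04-28), which makes the audit timeline hard to follow.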


@@ -0,0 +1,112 @@
---
type: client
name: scileppi-law
display_name: The Law Offices of Chris Scileppi
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/scileppi-law/session-logs/2026-05-07-howard-sylvia-mac-mini-mail-memory.md
---
# The Law Offices of Chris Scileppi
## Overview
- **Business type:** Law firm
- **Syncro Customer ID:** 9601863
- **Billing model:** Time and materials [unverified]
- **Billing rate:** $175/hr (onsite business, product 26118)
- **Contract status:** Unknown
- **Note:** As of 2026-05-07, Sylvia's billing line item was logged but deliberately NOT invoiced — held for later disposition per Mike's instruction.
## Contacts
| Name | Role | Notes |
|---|---|---|
| Chris Scileppi | Owner / attorney | Client namesake |
| Sylvia | Employee | Primary user of the Mac mini with memory issue; single user account `sylvia` on machine |
## Infrastructure
### Workstations
| Asset | Hostname | Model | RAM | Storage | OS | Status |
|---|---|---|---|---|---|---|
| Sylvia's Mac mini | `Sylvias-Mini` | Apple Mac14,3 (M2 base) | 8 GB LPDDR5 (Hynix, soldered — no upgrade path) | 256 GB SSD (92.78 GB free as of 2026-05-07) | macOS 14.4.1 (23E224) | Mail disabled; on webmail |
**Current state of Sylvias-Mini:**
- Apple Mail disabled at System Settings → Internet Accounts (Mail toggle off; Calendar/Contacts left enabled).
- Sylvia using outlook.office.com (webmail) for daily mail.
- Machine is usable but 8 GB with Office + OneDrive + Safari is tight without Mail running.
- Machine is NOT enrolled in GuruRMM (enrollment attempted 2026-05-07, failed — see notes).
### Replacement Mac (planned, not yet ordered)
- **Target spec:** M4 Mac mini, 16 GB minimum, 24 GB preferred. 256 GB SSD sufficient; 512 GB optional.
- **Migration plan:** Migration Assistant over wired Ethernet or Thunderbolt, then reconfigure Mail with Download Attachments = None.
## Network
*(not documented)*
## Cloud / M365
- **Mail platform:** Exchange/M365 (Sylvia's mailbox is an IMAP/Exchange account accessed via Apple Mail or Outlook Web).
- **Webmail URL:** outlook.office.com
- Tenant domain and ID not documented in this session log.
## GuruRMM
- **GuruRMM site:** Main Office (`WEST-MEADOW-9025`)
- **Sylvias-Mini enrollment:** FAILED as of 2026-05-07. macOS installer not yet available on GuruRMM server; Cloudflare bot challenge also blocked install one-liner. Documented separately at `session-logs/2026-05-07-howard-gururmm-macos-installer-and-cf-bot-block.md`.
- Enrollment to be retried on the replacement Mac after migration, once Mike ships the macOS agent.
## Active Projects / Open Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Spec, quote, and order replacement Mac mini (M4, 16 or 24 GB) | Mike |
| P2 | When new Mac arrives: run Migration Assistant from Sylvias-Mini; reconfigure Mail with Download Attachments = None | Howard |
| P2 | Enroll new Mac in GuruRMM (gated on macOS agent availability from Mike) | Howard |
| P3 | Re-enable Mail in Internet Accounts on new machine after migration verified | Howard |
| P3 | Invoice Syncro ticket #32262 (line item 42350646 exists, $175.00 × 1.0 — not yet invoiced per Mike's instruction) | Mike |
## Key Events / History
### 2026-05-07 — Sylvia's Mac mini: Apple Mail memory exhaustion
**Syncro ticket #32262** — "Sylvia is having applications crash and getting errors regarding low memory."
**Technician:** Howard Enos. Status: Resolved.
**Root cause:** Apple Mail's local cache (Envelope Index + message cache under `~/Library/Mail/V10/`) had grown beyond what 8 GB unified RAM can service. Mail's virtual memory footprint exceeded 45 GB on an 8 GB machine, forcing constant swap. ~4.4 million swapouts observed in 9 minutes of uptime.
**Diagnosis process:**
1. Attempt 1: Backed up and rebuilt Envelope Index. Memory footprint rose to 12 GB before Mail was killed by OS for memory pressure.
2. Attempt 2: Fresh index rebuild — footprint climbed to 28 GB while downloading 349 messages (ETA shown: "69 hours"). This conclusively ruled out index corruption — the mailbox itself is too large for 8 GB.
**Interim fix applied:**
- Force-quit Mail.
- Disabled Mail toggle in System Settings → Internet Accounts.
- Verified Mail no longer auto-relaunches after reboot.
- Walked Sylvia through outlook.office.com in Safari for daily mail.
**Billing artifacts:**
| Artifact | ID |
|---|---|
| Syncro ticket | #32262 |
| Resolution comment | 409686752 |
| Timer entry | 39082403 (3600 s, billable) |
| Line item | 42350646 ($175.00 × 1.0, non-taxable) |
| Invoice | None — deliberately not created |
## Anti-Patterns / Warnings
- [WARNING] Do NOT re-enable Apple Mail on Sylvias-Mini. The machine has 8 GB soldered RAM with no upgrade path — Mail will reproduce the memory exhaustion immediately. Machine stays on webmail until replaced.
- [WARNING] After migration to new Mac mini, configure Mail → Settings → Accounts → Mail Behaviors → Download Attachments = None. Skipping this on a large mailbox will eventually reproduce the same issue even on 16/24 GB.
- 8 GB M2 Mac mini RAM is **soldered and not upgradeable** — do not quote a RAM upgrade to the client.
- GuruRMM macOS enrollment is blocked until Mike ships the macOS agent — do not attempt install one-liner again without confirming agent availability first.
## Backlinks
- `session-logs/2026-05-07-howard-gururmm-macos-installer-and-cf-bot-block.md` — related GuruRMM macOS installer failure
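Review bot: the Backlinks entry `session-logs/2026-05-07-howard-gururmm-macos-installer-and-cf-bot-block.md` (also cited under GuruRMM) is a bare relative path, while the sibling articles link with the `[[wiki/...]]` form and the index says `/wiki-lint` checks backlinks; from `wiki/clients/` that path will not resolve, so use the repo-rooted path or a wikilink. The Key Events entry also never records the actual mailbox size, only Mail's memory footprint; since the P2 migration item relies on `Download Attachments = None` being enough for a 16/24 GB machine, note the `~/Library/Mail/V10/` size so the replacement spec is grounded in a number rather than a symptom.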

@@ -0,0 +1,163 @@
---
type: client
name: western-tire
display_name: Western Tire
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/western-tire/session-logs/2026-04-22-session.md
---
# Western Tire
## Overview
- **Business type:** Tire retail/service (westerntire.com). Website redirects to jackfurriers.com — Jack Furrier's Tire is the active brand.
- **Syncro Customer ID:** 391491 (Mike Furrier — same record as the Furrier client)
- **Billing model:** Time and materials [unverified — ticket not yet billed as of session end]
- **Billing rate:** Unknown
- **Contract status:** Unknown
> Note: Western Tire and the Furrier client share Syncro customer ID 391491 (Mike Furrier). See [[wiki/clients/furrier.md]].
## Contacts
| Name | Role | Notes |
|---|---|---|
| Mike Furrier | Owner | Primary contact; owns Western Tire and Desert Rat |
### Mailbox users (westerntire.com, 23 notified)
`accounting, admin, ap, ap2, ar, chloe, fduarte, heather, jack, jack.furrier, jack_ritter, karen_dwornik, k_crespo, m_bouck, millie_scott, pat_wallace, payroll, pete, purchasing, rachel_riggs, rick, sean, work`
System/automated (not notified): `donotreply, storealert, integrilogic, receipts, payslips, programs, inventory`
## Infrastructure
### Mail servers
| Server | Hostname | IP | Role | Status |
|---|---|---|---|---|
| IX (current) | ix.azcomputerguru.com | 72.194.62.5 | cPanel email host (new) | Active — all westerntire.com mail lands here |
| websvr (old) | websvr.acghosting.com | 162.248.93.81 | Old cPanel host | Decommissioned for westerntire.com mail; still authoritative DNS; forwards arriving mail to IX during DNS lag |
> [WARNING] Session log contained plaintext SSH credentials for websvr and IX. Use vault only: `vault.sh get-field infrastructure/websvr` and `vault.sh get-field infrastructure/ix`.
### IX — cPanel account
- **cPanel account:** westernt
- **Home dir:** 62 GB
- **Mailboxes:** 30 accounts under westerntire.com
- **MySQL:** None (account does not use MySQL)
- **SSL:** Wildcard `*.westerntire.com` from Let's Encrypt, valid to 2026-05-30 (AutoSSL should renew)
### Key file paths on IX
| Path | Purpose |
|---|---|
| `/etc/exim.conf.local` | Mailprotector relay config (smarthost router + relay transport) |
| `/etc/mailprotector_domains` | Domains using Mailprotector outbound (westerntire.com added) |
| `/etc/skipsmtpcheckhosts` | Mailprotector inbound IPs bypass (50 IPs added) |
| `/home/westernt/public_html/.htaccess` | 301 redirect to jackfurriers.com |
| `/var/cpanel/domain_keys/private/westerntire.com` | DKIM private key |
### Key file paths on websvr
| Path | Purpose |
|---|---|
| `/var/named/westerntire.com.db` | Authoritative DNS zone (PowerDNS) |
| `/etc/manualmx` | Service forwarding → ix.azcomputerguru.com |
| `/etc/remotedomains` | westerntire.com listed as remote domain |
### Local artifacts
| Path | Purpose |
|---|---|
| `clients/western-tire/dns-backups/westerntire.com.db.2026-04-22.bak` | Pre-migration DNS zone backup |
| `clients/western-tire/email-setup-guide.html` | User notification email (sent 2026-04-22) |
| `clients/western-tire/email-setup-guide.md` | Markdown source for above |
## Network
### DNS (westerntire.com)
- **Nameservers:** ns1.azcomputerguru.com, ns2.azcomputerguru.com (PowerDNS on websvr — ACG-authoritative)
- **A record:** 72.194.62.5 (IX) — TTL 300
- **MX:** `10 westerntire-com.inbound.emailservice.io` (Mailprotector — unchanged during migration)
- **SPF:** `v=spf1 +a +mx +ip4:162.248.93.233 +ip4:72.194.62.5 +ip4:184.187.220.69 +include:spf.us.emailservice.io +ip4:72.194.188.146 +ip4:162.248.93.185 +ip4:173.201.39.86 ~all`
- **DKIM:** `default._domainkey` (generated by IX during transfer)
- **DMARC:** `v=DMARC1; p=none; rua=mailto:sysadmin@azcomputerguru.com`
- **Zone TTL:** 300s (lowered from 14400 this session)
### jackfurrier.com / jackfurriers.com
- `jackfurriers.com` (with 's') — active redirect target from westerntire.com .htaccess. Main brand site; not on ACG servers.
- `jackfurrier.com` (no 's') — DNS via Cloudflare + Google Workspace MX. Not on ACG servers.
- `/etc/vdomainaliases/jackfurrier.com` on IX: `jackfurrier.com : westerntire.net` — dormant alias, no active inbound.
## Cloud / M365
*(not documented)*
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Monitor for user mail client issues after email setup guide was sent (new IMAP/SMTP settings) | Mike |
| P2 | Bill ticket #32199 when scope is confirmed | Mike |
| P2 | westerntire.com SSL cert (`*.westerntire.com`) expires 2026-05-30 — verify AutoSSL renewed | Mike |
| P3 | Update Syncro customer property "DNS Detail" field — currently says "Email is on Websvr" (now IX) | Mike |
### User mail client settings (from setup guide sent 2026-04-22)
- **IMAP:** mail.westerntire.com:993 SSL/TLS
- **POP3:** mail.westerntire.com:995 SSL/TLS
- **SMTP:** mail.westerntire.com:587 STARTTLS
- **Username:** full email address; password unchanged
- **Webmail:** https://mail.westerntire.com
## Key Events / History
### 2026-04-22 — Full email migration websvr → IX
**Syncro ticket #32199** (ID: 109325058) — Status: Waiting on Customer. Not yet billed.
Migration completed in one session:
1. Verified cpmove account transfer (62 GB home dir, 30 mailboxes) on IX.
2. Managed DNS A record transition (websvr → IX); backed up zone file.
3. Configured Mailprotector SBR on IX (`/etc/mailprotector_domains`, exim smarthost router).
4. Added all 50 Mailprotector inbound IPs to `/etc/skipsmtpcheckhosts` on IX.
5. Updated Mailprotector admin portal delivery server from 162.248.93.81 to 72.194.62.5.
6. Added missing `.htaccess` 301 redirect to jackfurriers.com on IX (was absent post-cpmove).
7. Confirmed websvr service forwarding in place for DNS lag period.
8. Sent HTML email setup guide to 23 real user accounts.
Outbound test confirmed: `accounting@westerntire.com → westerntire-com.outbound.emailservice.io` — 250 OK.
Inbound confirmed: live mail arriving from Mailprotector inbound relay at 18:59.
A duplicate ticket #32198 was inadvertently created and deleted.
### Accounts with high unread counts (pre-existing, not migration artifact)
- jack.furrier: 737 unread
- millie_scott: 466 unread
- pat_wallace: 385 unread
- jack_ritter: 144 unread
- rachel_riggs: 111 unread
## Anti-Patterns / Warnings
- [WARNING] Plaintext SSH credentials for websvr and IX appeared in session log. Always retrieve from vault — never hardcode.
- [WARNING] SSL cert `*.westerntire.com` expires 2026-05-30 — check AutoSSL renewal immediately if it's past that date.
- Do NOT use `${sg{}{\\\.}{-}}` in exim.conf.local on WHM servers — WHM buildeximconf strips backslash levels and breaks the regex. Use `${tr{}{.}{-}}` instead.
- Do NOT use tainted `$sender_address_domain` directly in file path lookups in exim 4.94+ — use `dsearch` (returns untainted value) for DKIM private key paths.
- Do NOT look for westerntire.com mail on websvr — migration is complete; mail lives on IX.
- Syncro "DNS Detail" field is stale — it still says "Email is on Websvr" as of 2026-04-22.
## Backlinks
- [[wiki/clients/furrier.md]] — Same Syncro customer (Mike Furrier, ID 391491); desertrat.com email infrastructure on same websvr
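Review bot: the Infrastructure warning says the session log that is this article's only source contains plaintext SSH credentials for websvr and IX, yet no Open Items row tracks it; add a P1 item to redact `clients/western-tire/session-logs/2026-04-22-session.md` and rotate the websvr and IX SSH credentials (then refresh the vault entries the warning points at), because a secret committed to the repo is exposed whether or not the wiki repeats it. Separately, websvr's IP is 162.248.93.81 in the mail-server table and in step 5 of the migration, but the SPF record lists 162.248.93.233 and the index Systems table gives websvr.acghosting.com as .233; settle which address is websvr before cleaning up the SPF record, which still carries six `+ip4:` entries plus `+a +mx` after outbound moved to the Mailprotector smarthost.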

@@ -31,6 +31,17 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| [Peaceful Spirit Therapeutic Massage](clients/peaceful-spirit.md) | Massage therapy practice; PST-SERVER (192.168.0.2) + 4 GuruRMM agents; L2TP/IPsec RRAS VPN; billing rate/Syncro ID not documented | 2026-05-24 |
| [Sombra Residential LLC](clients/sombra-residential.md) | Property management; Server2013 (actually WS2012 EOL, unpatched) + DESKTOP-UQRN4K3 GuruRMM enrolled; Transwiz migration artifacts cause Office credential prompts | 2026-05-24 |
| [Stamback Septic](clients/stamback-septic.md) | Septic services; prepaid block ~3.5 hrs remaining; DESKTOP-BTR2AM3 + StambackLaptopNew GuruRMM enrolled; OneDrive identity wipe pattern documented | 2026-05-24 |
| [BG Builders LLC](clients/bg-builders.md) | Construction; M365 bgbuildersllc.com (CIPP: sonorangreenllc.com); terminated employee (Lesley Roth) — account disabled, litigation hold, device wipes pending; no Intune | 2026-05-24 |
| [Equity Valuation Services (EVS)](clients/evs.md) | Financial services; minimal infra documented; single Win11 VM maintained by Howard; Win11 right-click menu fix applied | 2026-05-24 |
| [Furrier / Desert Rat](clients/furrier.md) | Mike Furrier owner; desertrat.com on websvr/cPanel; DMARC p=reject + Mailprotector SBR fix applied 2026-04-21; tim@ is a forwarder (not a mailbox); Syncro ID 391491 | 2026-05-24 |
| [Horseshoe Management](clients/horseshoe-management.md) | Property management; prepaid block 31.75 hrs remaining at $175/hr; APC Smart-UPS P.17 bypass relay fault cleared; repeat UPS failures suggest electrical issue; plaintext creds in Syncro notes — needs vault migration | 2026-05-24 |
| [Kittle Design & Construction](clients/kittle-design.md) | Design & construction; M365 kittlearizona.com; breach confirmed (Alexis hidden inbox rule + duplicate Authenticator); broad OAuth consent revoked; Ken inbox rule unresolved; no Entra P1/P2 | 2026-05-24 |
| [The Law Offices of Chris Scileppi](clients/scileppi-law.md) | Law firm; Syncro ID 9601863; Sylvia Mac mini (M2 8 GB) mail memory exhaustion; Mail disabled; on webmail; replacement Mac mini (M4 16/24 GB) pending order; GuruRMM enrollment blocked | 2026-05-24 |
| [Western Tire](clients/western-tire.md) | Tire retail (jackfurriers.com brand); Mike Furrier owner (Syncro ID 391491); email migrated from websvr to IX 2026-04-22; 30 mailboxes; SSL cert expires 2026-05-30 | 2026-05-24 |
| [Kittle (general contractor)](clients/kittle.md) | General contractor Tucson AZ; Syncro 32460233; HPE MicroServer Gen11 WS2025 EVAL at 10.0.0.5; no backups, no firewall; DKIM/DMARC missing; 3 plaintext creds in Syncro notes; GuruRMM onboarding 2026-05-08 | 2026-05-24 |
| [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 |
| [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 |
| [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 |
## Projects
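Review bot: the Anaise row puts a personal contact email and a vault file path (`clients/anaise/desktop-o8gf4sd.sops.yaml`) in the summary column, which no other row does; keep contact PII and vault locations in the client article and make the summary match its siblings (business type, infrastructure, billing status). The Kittle Design & Construction row is the one describing an active compromise ("Ken inbox rule unresolved"), so lead that summary with the incident status, as the commit message does, rather than placing it after the M365 domain.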
@@ -38,6 +49,11 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
|---|---|---|
| [GuruRMM](projects/gururmm.md) | RMM platform, Rust/Axum server + React dashboard + cross-platform agent; v0.6.38; 55 enrolled agents; active development | 2026-05-24 |
| [Dataforth DOS — Test Datasheet Pipeline](projects/dataforth-dos.md) | DOS update system + TestDataDB pipeline (Node.js, PostgreSQL, Hoffman API); 469K records, 458.5K live on website; 2025 crypto attack recovery; security incident 2026-03-27; SCMVAS/SCMHVAS extension; email notifications via Graph API | 2026-05-24 |
| [ClaudeTools Discord Bot](projects/discord-bot.md) | Claude Agent SDK bot in Discord; one persistent session per thread; Phase 1.5 complete (native tools, no hand-written tools); Phases 2-4 (API integration, remediation, UX) pending; runs as NSSM service on BEAST | 2026-05-24 |
| [The Computer Guru Show](projects/radio-show.md) | Radio show archive processing pipeline (Whisper + pyannote + SQLite FTS5) + post-show content workflow; 572 episodes indexed; FastAPI UI redesigned; Jupiter audio-file gap open | 2026-05-24 |
| [MSP Pricing & Marketing](projects/msp-pricing.md) | GPS pricing docs + Python calculators + MSP Buyers Guide HTML; covers GPS monitoring, support plans, block time, web/email hosting, VoIP; customer-facing tools pending | 2026-05-24 |
| [Wrightstown Smarthome](projects/wrightstown-smarthome.md) | Home automation project (HA Yellow + Ollama + LiteLLM + Wyoming voice stack); 4-VLAN design; planning phase only as of 2026-02-09; no hardware deployed | 2026-05-24 |
| [Wrightstown Solar](projects/wrightstown-solar.md) | Off-grid solar project (EVE C40 16S5P packs, Victron MultiPlus II, JK BMS); Phase 1 budget $2,1752,945; planning phase only as of 2026-02-09; no hardware purchased | 2026-05-24 |
## Systems
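Review bot: the Wrightstown Solar row's "Phase 1 budget $2,1752,945" is a fused range that lost its separator (presumably $2,175 to $2,945); write it as "$2,175 to $2,945" or with an en dash, and check the committed `wiki/index.md` and `projects/wrightstown-solar.md` for the same corruption, since a reader will otherwise take it as a single figure.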
@@ -72,6 +88,23 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Peaceful Spirit | PST-SERVER (192.168.0.2, GuruRMM enrolled), UCG (98.190.129.150) | GuruRMM |
| Sombra Residential LLC | Server2013 (WS2012 EOL) + DESKTOP-UQRN4K3, GuruRMM enrolled | GuruRMM |
| Stamback Septic | DESKTOP-BTR2AM3 + StambackLaptopNew, GuruRMM enrolled | GuruRMM |
| BG Builders LLC | M365 bgbuildersllc.com; no on-prem infra documented | — |
| Equity Valuation Services | Single Win11 VM (no IPs documented) | — |
| Furrier / Desert Rat | websvr.acghosting.com (162.248.93.233); desertrat.com on cPanel/exim | — |
| Horseshoe Management | APC Smart-UPS 1350; no server/network detail documented | — |
| Kittle Design & Construction | M365 kittlearizona.com; no on-prem infra documented | — |
| Scileppi Law | Sylvias-Mini (Mac14,3 M2 8 GB); GuruRMM site WEST-MEADOW-9025 (enrollment pending) | GuruRMM (enrollment blocked — macOS agent not yet shipped) |
| Western Tire | ix.azcomputerguru.com (72.194.62.5) — email host; websvr.acghosting.com — DNS authoritative | — |
| Kittle | HPE MicroServer Gen11 (10.0.0.5), UniFi switch (10.0.0.122); flat 10.0.0.0/24 | GuruRMM (enrollment in progress) |
| Khalsa | DC TROUT (10.11.12.254); two sites (Camden, River) | — |
| Anaise | DESKTOP-O8GF4SD; single-workstation | — |
| ACG Website | IX Web Hosting (cPanel); Astro static site | — |
| BG Builders LLC | M365 bgbuildersllc.com; no on-prem infra documented | — |
| Kittle Design & Construction | M365 kittlearizona.com; no on-prem infra documented | — |
| Horseshoe Management | APC Smart-UPS 1350; no server/network detail documented | — |
| Furrier / Desert Rat | websvr.acghosting.com; cPanel exim | — |
| Equity Valuation Services | Single Win11 VM | — |
| Scileppi Law | Sylvias-Mini (M2 Mac mini) | GuruRMM (enrollment pending) |
---
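Review bot: six of the seventeen added Systems rows are duplicates: BG Builders LLC, Kittle Design & Construction, Horseshoe Management, Furrier / Desert Rat, Equity Valuation Services and Scileppi Law each appear once after Stamback Septic and again after the ACG Website row, with slightly different wording; drop the second set and keep the fuller first versions. While reconciling, note the Furrier row gives websvr.acghosting.com as 162.248.93.233 while the new Western Tire article lists websvr as 162.248.93.81, and the Scileppi Law row in the first set says "enrollment blocked" while the duplicate says "enrollment pending"; the table should carry one statement per system.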
@@ -81,5 +114,5 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
|---|---|---|
| `system:neptune` | Low | neptune.acghosting.com, 172.16.3.11 internal / 67.206.163.124 external — Exchange Server 2016; ACG infrastructure physically colocated at Dataforth D2 facility; active mail server for multiple ACG-hosted clients; Neptune context captured in clients/dataforth.md and projects/dataforth-dos.md; still warrants own system article for SBR config, MailProtector, per-client send connectors, and full routing detail |
| `system:d2testnas` | Low | 192.168.0.9 — Linux (CachyOS?), SMB1 bridge for Dataforth DOS stations, rsync daemon port 873, hosts Neptune Exchange physically; key routing node for ACG-Dataforth connectivity; SSH root@192.168.0.9; also provides Tailscale 172.16.0.0/22 route |
| `client:birthbiologic` | Medium | GuruRMM enrolled (site BRIGHT-PEAK-5980) |
| `client:key-paul` | Low | GuruRMM enrolled (KEY-MEDIA) |
| `client:key-paul` | Low | GuruRMM enrolled (KEY-MEDIA); no session logs or docs found |
| `system:neptune` | Medium | URGENT: cert expires 2026-05-31; DkimSigner disabled; see internal-infrastructure.md for interim notes |
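Review bot: the queue ends up with `client:key-paul` twice and `system:neptune` twice (Low and Medium), and the rendered hunk still shows `client:birthbiologic`; a 5-line-to-5-line hunk removes exactly one row and adds one, so only one of "birthbiologic removed" (the commit message) and "key-paul row rewritten" can be in this change. Verify the resulting file has birthbiologic gone and key-paul once. The Medium row also reads "URGENT: cert expires 2026-05-31" for the Exchange server serving multiple hosted clients; merge the two neptune rows into one at High, and give the Western Tire `*.westerntire.com` expiry (2026-05-30) the same visibility here.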

@@ -0,0 +1,166 @@
---
type: project
name: discord-bot
display_name: ClaudeTools Discord Bot
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- projects/discord-bot/README.md
- projects/discord-bot/DISCORD_CLAUDE.md
- projects/discord-bot/session-logs/2026-04-30-session.md
- projects/discord-bot/session-logs/2026-05-20-session.md
---
# ClaudeTools Discord Bot
## Overview
Discord bot that gives the ACG MSP team access to the ClaudeTools database, M365 remediation-tool, and Claude AI assistance through Discord channels. Each Discord thread is a persistent Claude Code agent session — the bot is effectively "Claude Code in a Discord channel." Responses stream in real time.
**Status:** Active. Running as a Windows service on GURU-BEAST-ROG. Core architecture complete; Phases 24 (tool execution, remediation integration, UX polish) are pending.
---
## Tech Stack
| Layer | Technology |
|---|---|
| Language | Python 3.11+ |
| Discord library | discord.py 2.3.2 |
| AI SDK | Anthropic Claude Agent SDK (claude-sonnet-4-6) |
| HTTP client | httpx 0.27.0 |
| Config | Pydantic Settings 2.7.0 |
| Service manager | NSSM (Windows) |
| Headless browser (fallback) | Playwright, Chrome channel — for bot-blocked sites only |
---
## Architecture
As of Phase 1.5, the bot is a Claude Agent SDK deployment. Hand-written tool definitions from Phase 1 were removed. The agent uses native SDK tools (Read, Edit, Write, Bash, Glob, Grep, etc.) with the ClaudeTools repo as its working directory and `DISCORD_CLAUDE.md` as its system prompt.
```
Discord thread --> MessageHandler --> ClaudeAgentManager
|
v
ClaudeSDKClient (one per thread_id)
cwd = C:/Users/guru/ClaudeTools
system_prompt = DISCORD_CLAUDE.md
|
v
Native SDK tools:
Read / Edit / Write / Bash / Glob / Grep / ...
```
- System prompt (`DISCORD_CLAUDE.md`) is loaded ONCE at startup in `ClaudeAgentManager.__init__`. Editing it requires a bot restart to take effect.
- One persistent `ClaudeSDKClient` (ThreadAgent) is kept per `thread_id`. Follow-up messages within a thread reuse the same client, preserving full conversation history.
- Caller identity is injected as a `[DISCORD_CONTEXT]` block in `message_handler.py` so the agent knows who is asking.
### Access Control
| Identity | Access Level |
|---|---|
| Mike Swanson (ID: 264814939619721216) | Full — all tools, M365, vault, git |
| Howard Enos (ID: 624667664501178379) | Full |
| Winter (ID: 624666486362996755) | Full. Syncro SME — route Syncro questions to her |
| Rob Williams (ID: 261978810713505792) | Limited operator — remediation-tool, IX hosting, Syncro; NO bot config changes, vault writes, GuruRMM, ACG tenant actions |
| Unknown users | Read-only / informational only |
### Task Loop (per request)
1. Identify requester from `[DISCORD_CONTEXT]` block.
2. Do the work; ask clarifying questions in-thread as needed.
3. Ask "Anything else?"
4. Offer to log in Syncro.
5. Run `/save` to write session log and sync repo.
---
## Deployment / Hosting
| Item | Value |
|---|---|
| Host | GURU-BEAST-ROG (Windows 11 Pro) |
| Service name | `ClaudeToolsDiscordBot` (NSSM, StartType: Automatic) |
| Working directory | `C:/Users/guru/ClaudeTools` |
| nssm binary | `C:\Users\guru\AppData\Local\Microsoft\WinGet\Links\nssm.exe` |
| Stdout log | `projects/discord-bot/logs/stdout.log` |
| Stderr log | `projects/discord-bot/logs/stderr.log` |
| Discord guild | Arizona Computer Guru (id `624663750603046913`), 11 channels |
Restart command: `nssm restart ClaudeToolsDiscordBot`
The bot requires restart after any change to `DISCORD_CLAUDE.md` (system prompt is loaded once at startup).
---
## Configuration / Credentials
Secrets live in a `.env` file at `projects/discord-bot/.env` (gitignored on BEAST). Required variables:
- `DISCORD_TOKEN` — Discord bot token (Discord Developer Portal)
- `DISCORD_GUILD_ID` — ACG Discord server ID
- `ANTHROPIC_API_KEY` — or use the local Claude Code OAuth credential
- `CLAUDETOOLS_API_KEY` — JWT token for ClaudeTools API (not yet active — Phase 2)
- `VAULT_PATH` — path to SOPS vault on BEAST (`D:\vault`)
- `CLAUDETOOLS_ROOT``D:\claudetools`
Vault access (for remediation-tool): `msp-tools/computerguru-*.sops.yaml`, `clients/<slug>/m365*.sops.yaml`. Use the vault wrapper at `C:/Users/guru/ClaudeTools/.claude/scripts/vault.sh`.
---
## Active Work / Open Items
**Phase 2 — ClaudeTools API Integration (not started)**
- HTTP client with JWT auth (`bot/services/claudetools_api.py`)
- Implement `query_claudetools_api` tool executor
- User role mapping (Discord ID -> ClaudeTools user)
- Audit logging to `/api/security-incidents`
**Phase 3 — Remediation-Tool Integration (not started)**
- Bash subprocess runner (Git Bash on Windows)
- Implement `run_breach_check` and `run_tenant_sweep` executors
- Progress streaming to Discord
- Artifact upload
**Phase 4 — Polish (not started)**
- Confirmation buttons for remediation actions
- Rich embeds for structured data
- Slash commands (`/breach-check`, `/query`, `/status`)
- Ephemeral messages for sensitive data
---
## Key Events / History
| Date | Event |
|---|---|
| 2026-04-30 | Phase 1 MVP implemented on Mac (Mike). Project structure, discord.py handler, streaming Claude client, tool definitions (placeholder), README. Commit `777ad52`. |
| 2026-04-30 | Architecture decision: Python over Node.js; Claude Agent SDK instead of raw Anthropic SDK; thread-based conversations. |
| 2026-05-20 | On BEAST (Mike). Reviewed and corrected bot operating rules in `DISCORD_CLAUDE.md`: reversed no-interaction rule, added headless constraint, defined task loop. Service restarted twice; reconnected clean. No code changes — instructions only. |
| 2026-05-20 | Confirmed bot model is `claude-sonnet-4-6` (per `bot/config.py`). Phase 1.5 architecture confirmed: `ClaudeAgentManager` with persistent per-thread `ClaudeSDKClient`. |
---
## Anti-Patterns / Warnings
[WARNING] The system prompt (`DISCORD_CLAUDE.md`) is loaded ONCE at startup. Any edit is silently ineffective until `nssm restart ClaudeToolsDiscordBot` is run.
[WARNING] The bot is headless — no human is at the BEAST console. Never attempt: visible/interactive browser windows, OAuth flows that need a browser, Windows credential prompts, UAC dialogs, or any interactive GUI. These will hang the service forever. Credentials must come from the SOPS vault non-interactively.
[WARNING] Headless Chrome (`web-fetch-chrome.py`) is the ONLY sanctioned browser use — it never opens a visible window and uses an isolated profile. Do not drive the human's interactive Chrome session.
[WARNING] Unknown Discord users get read-only/informational responses only. Do not grant file writes, git ops, system changes, M365 actions, or vault access to unrecognized IDs.
[WARNING] The `AskUserQuestion` SDK tool does not render in Discord. Ask clarifying questions as plain text messages only.
[INFO] Phase 2 tool execution is still placeholder. `execute_tool()` in `message_handler.py` is a stub. The bot cannot currently query the ClaudeTools API or run remediation scripts programmatically — it relies on the Claude agent using native file/bash tools against the repo.
---
## Backlinks
- `wiki/systems/beast.md` [unverified — may not exist yet] — GURU-BEAST-ROG host spec
- `wiki/projects/gururmm.md` — related ACG internal project
- `.claude/CLAUDE.md` — system prompt source for the main ClaudeTools coordinator session
- `projects/discord-bot/DISCORD_CLAUDE.md` — bot's own operating instructions / system prompt
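Review bot: the Access Control table is enforced only by the system prompt. The Architecture section gives every thread a `ClaudeSDKClient` with native Bash/Write/Edit tools, and the caller identity reaches the agent as a `[DISCORD_CONTEXT]` block injected into the message text, so an unrecognized guild member can either ask the model to disregard the read-only rule or paste their own `[DISCORD_CONTEXT]` block naming Mike's ID. Enforce the allowlist in `message_handler.py` before anything reaches the agent: drop messages from IDs outside the table, take the identity from discord.py's `message.author.id` rather than from text the model reads, strip any user-supplied `[DISCORD_CONTEXT]` marker, and narrow the SDK tool set per caller (no Bash/Write/Edit for the limited-operator and unknown tiers) through the SDK's allowed/disallowed tool options. The Phase 4 "confirmation buttons for remediation actions" should likewise check the ID of the user who clicks, not the thread's opener.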

@@ -0,0 +1,196 @@
---
type: project
name: msp-pricing
display_name: MSP Pricing & Marketing
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- projects/msp-pricing/session-logs/2026-02-01-project-import.md
- projects/msp-pricing/session-logs/2026-02-03-buyers-guide-refinements.md
---
# MSP Pricing & Marketing
## Overview
Pricing structure documentation, calculators, and marketing materials for Arizona Computer Guru's managed services offerings (GPS — Guru Protection Services). Covers GPS Endpoint Monitoring, Support Plans, Block Time, Web Hosting, Email Hosting (WHM + M365), Email Security, and VoIP.
Also includes the MSP Buyers Guide — a marketing document that helps prospects evaluate MSPs, with ACG's GPS plans as the reference example.
**Status:** Active reference project. Core pricing documentation and Python calculators exist. Buyers Guide exists in HTML (paginated and continuous-scroll versions). Further development (customer-facing web calculator, proposal templates, ROI calculator) is pending.
**Location:** `projects/msp-pricing/` in the ClaudeTools repo.
---
## Tech Stack
| Item | Technology |
|---|---|
| Pricing calculators | Python (py, not python3) |
| Marketing documents | HTML (hand-crafted, dual versions: paginated + continuous-scroll) |
| Content source | Markdown (`docs/*.md`, `marketing/*-Content.md`) |
---
## Architecture
The project is a documentation and tooling repository, not a running application.
```
projects/msp-pricing/
README.md
docs/
gps-pricing-structure.md
web-email-hosting-pricing.md
voip-pricing-structure.md
calculators/
gps-calculator.py
complete-pricing-calculator.py
marketing/
MSP-Buyers-Guide.html -- original paginated
MSP-Buyers-Guide-NoPagination.html -- continuous-scroll (1,100+ lines)
MSP-Buyers-Guide-Content.md
Service-Overview-OnePager-Content.md
GPS_Price_Sheet_12.html
GPS_VoIP_Pricing.html
GPS_VoIP_Tier_Comparison.html
session-logs/
```
### Calculators
- `gps-calculator.py` — GPS-only quotes (endpoints, tiers, equipment, support).
- `complete-pricing-calculator.py` — Full integrated quote: GPS + web hosting + email + security. Key functions: `calculate_whm_email()`, `calculate_m365_email()`, `calculate_web_hosting()`, `calculate_complete_quote()`, `print_complete_quote()`.
---
## Deployment / Hosting
*(not documented)* — This is a local documentation/tooling project. No deployed service. The Buyers Guide HTML files are intended as print handouts or web-viewable documents, not hosted web pages.
---
## Configuration / Credentials
*(not documented)* — No secrets or credentials are associated with this project. Pricing data is maintained directly in markdown and HTML files.
---
## Active Work / Open Items
- [ ] Create printable quote templates (Word/PDF)
- [ ] Add competitor comparison calculator
- [ ] Create ROI calculator for prospects
- [ ] Add internal margin calculator
- [ ] Build customer-facing web calculator
- [ ] Create proposal templates
- [ ] Add cost-of-breach calculator for security justification
- [ ] Buyers Guide: add professional logo image
- [ ] Buyers Guide: add icons for red flags
- [ ] Buyers Guide: add table of contents with jump links (web version)
- [ ] Buyers Guide: add page numbers (print version)
- [ ] Buyers Guide: professional photography (Tucson, office, team)
- [ ] Buyers Guide: infographics for pricing comparisons
---
## Key Events / History
| Date | Event |
|---|---|
| 2026-02-01 | Project created. Imported GPS Endpoint Monitoring, Support Plans, Web/Email Hosting pricing from web-chat session. Created Python calculators. Documented 4 example scenarios (Small Office, Modern Business, E-Commerce, Web/Email Only). |
| 2026-02-01 | VoIP pricing imported (from November 2025 web chat). GPS-Voice tiers + OIT white-label platform wholesale costs documented. |
| 2026-02-03 | Buyers Guide refinements (Mac session). Created continuous-scroll HTML version (`MSP-Buyers-Guide-NoPagination.html`). Content improvements: checklist reorder, GPS acronym explanation, Red Flag 2 rewrite (high-pressure sales), block time section added, cost justification notes, contact info updated (info@, $175/hr, 9am5pm office hours). Next Steps section rewritten. Commit `3c673fd`. |
---
## Pricing Reference (as documented — verify before quoting)
### GPS Endpoint Monitoring
| Tier | Price |
|---|---|
| GPS-BASIC | $19/endpoint/month |
| GPS-PRO | $26/endpoint/month (most popular) |
| GPS-ADVANCED | $39/endpoint/month |
| Equipment Pack | $25/month (up to 10 devices) |
### GPS Support Plans
| Plan | Price | Hours Included |
|---|---|---|
| Essential | $200/month | 2 hrs |
| Standard | $380/month | 4 hrs (most popular) |
| Premium | $540/month | 6 hrs |
| Priority | $850/month | 10 hrs |
Support plan hours are use-it-or-lose-it (do not roll over).
### Block Time (never expires)
| Block | Price |
|---|---|
| 10 hours | $1,500 |
| 20 hours | $2,600 |
| 30 hours | $3,000 |
### Web Hosting
| Tier | Price | Storage | Sites |
|---|---|---|---|
| Starter | $15/month | 5 GB | 1 |
| Business | $35/month | 25 GB | 5 (most popular) |
| Commerce | $65/month | 50 GB | Unlimited |
### Email Hosting
**WHM Email:** $2/mailbox/month base (5 GB included); +$2 per additional 5 GB block. Legacy "unlimited" clients converting to metered billing — 6090 day notice before changes.
**Microsoft 365:**
| SKU | Price |
|---|---|
| Business Basic | $7/user/month |
| Business Standard | $14/user/month (most popular) |
| Business Premium | $24/user/month |
| Exchange Online | $5/user/month |
**Email Security Add-on:** $3/mailbox/month (MailProtector / migrating to INKY via Kaseya). Works with WHM or M365.
### VoIP (GPS-Voice — OIT White Label)
| Tier | Price | Margin |
|---|---|---|
| GPS-Voice Basic | $22/user | 68% |
| GPS-Voice Standard | $28/user | 70% (most popular) |
| GPS-Voice Pro | $35/user | 69% |
| GPS-Voice Call Center | $55/user | 76% |
OIT wholesale: $4/seat/month (regular), $6/seat (call center). Platform fees: $199299/month billing platform + $500/month PBX minimum + $2,500 one-time onboarding.
### ACG Hourly Rate
$175/hour (full rate as of 2026-02-03). GPS Support effective rate: $85100/hour.
---
## Anti-Patterns / Warnings
[WARNING] Always fetch live rates from Syncro (`GET /products/<id> price_retail`) before quoting. Never use hardcoded rate tables — proven wrong in practice (2026-05-20 memory entry).
[WARNING] Arizona labor is never taxable. Set `taxable=false` on all labor line items in Syncro.
[INFO] Email Security platform is in transition: currently MailProtector (Emailservice.io), migrating to INKY via Kaseya bundle. Verify current platform before customer communications.
[INFO] In-house Exchange Server is discontinued. Recommend M365 for any Exchange-level needs.
[INFO] The Buyers Guide contact email was updated to `info@azcomputerguru.com` (not `mike@`) and office hours to 9:00 AM5:00 PM. Earlier versions of the document have stale info.
---
## Backlinks
- `wiki/clients/` — individual client billing records may reference GPS tiers
- `.claude/memory/feedback_syncro_live_rates.md` — memory entry: never use hardcoded rate table
- `.claude/memory/feedback_syncro_labor_tax.md` — memory entry: Arizona labor is non-taxable
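Review bot: the Pricing Reference section contradicts the first Anti-Patterns warning ("Never use hardcoded rate tables — proven wrong in practice"): this article is exactly such a table, and a compiled wiki is where the next session will pick a stale rate from. Either cut the section down to the Syncro product IDs behind each line so `GET /products/<id>` is the lookup, or keep the numbers with the Syncro ID beside each. The VoIP Margin column also does not follow from the visible figures ($22 retail against $4/seat wholesale is roughly 82%, not 68%), so state the cost basis those percentages use. Several ranges lost their separator in this hunk as well ("6090 day notice", "$199299/month", "$85100/hour", "9:00 AM5:00 PM"); check the committed file for the same corruption.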

wiki/projects/radio-show.md Normal file
@@ -0,0 +1,205 @@
---
type: project
name: radio-show
display_name: The Computer Guru Show
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- projects/radio-show/post-show-workflow.md
- projects/radio-show/audio-processor/README.md
- projects/radio-show/session-logs/2026-04-27-qa-extraction-cohost-indexing.md
- projects/radio-show/session-logs/2026-05-01-ui-redesign-recovery.md
---
# The Computer Guru Show
## Overview
"The Computer Guru Show" is Mike Swanson's radio program. The project covers two distinct workstreams:
1. **Audio Processor** — Automated pipeline that processes raw broadcast recordings (with commercials) into podcast-ready audio, transcripts, speaker-diarized segments, and a searchable SQLite archive.
2. **Post-Show Content Workflow** — Process for turning each episode into an episode page (website), forum discussion thread (Flarum), and 13 deep-dive blog posts within 48 hours of air.
**Status:** Active development. Audio processor pipeline functional with 572 episodes indexed locally on BEAST. FastAPI browse/search UI redesigned (2026-05-01). Jupiter deployment has a known audio-file gap (open). Post-show workflow documented but not yet fully automated.
Archive spans 20102018 (no 2013 season), 579 MP3s, ~3040 GB.
---
## Tech Stack
| Layer | Technology |
|---|---|
| Transcription | faster-whisper (`large-v3`, CTranslate2 + CUDA), int8_float16, batched |
| Speaker diarization | pyannote.audio 3.1 (WavLM embeddings) |
| Audio processing | ffmpeg, pydub, librosa |
| Audio fingerprinting | chromaprint |
| Voice activity detection | silero-vad |
| ML / classification | scikit-learn (break pattern classifier) |
| Content analysis | Ollama — `qwen3:14b` (narrative/summary), local LLM |
| Archive database | SQLite with FTS5 (segments, Q&A pairs) |
| Web server | FastAPI + uvicorn (embedded HTML templates) |
| Hardware (primary) | DESKTOP-0O8A1RL — RTX 5070 Ti Laptop GPU |
| Hardware (secondary) | GURU-BEAST-ROG — RTX 4090 (benchmark pending) |
---
## Architecture
### Audio Processor Pipeline
```
Raw MP3 (full broadcast with commercials)
|
+-- 1. Transcription: faster-whisper large-v3 (63.8x realtime on 5070 Ti)
| Output: word-level timestamps, language detection
|
+-- 2. Speaker Diarization: pyannote.audio 3.1 (209.7x realtime on 5070 Ti)
| 10s windows / 5s hop, midpoint boundary resolution at load time
| Speaker profiles: host (Mike, era-specific embeddings), co-hosts, callers
|
+-- 3. Segment Detection: Multi-signal classifier (6 signals, combined weighted score)
| Signals: fingerprint match (0.30), speaker identity (0.25),
| audio characteristics (0.20), break pattern (0.15), structural heuristics (0.10)
| Element library: SQLite fingerprints.db + learning/discovery system
|
+-- 4. Commercial Removal: ffmpeg — stitch segments, EBU R128 normalize
|
+-- 5. Segment Splitting: ffmpeg — individual MP3s per segment, ID3 tags, chapter markers
|
+-- 6. Content Analysis: Ollama qwen3:14b
Output: episode summary, per-segment summaries, key quotes, topic tags,
suggested blog post topics, auto-filled post-show debrief
```
### Key Thresholds
| Parameter | Value |
|---|---|
| Host/co-host match threshold | 0.85 cosine similarity (WavLM) |
| Tara (co-host) vs Mike separation | 0.698 cosine similarity |
| CALLER minimum coverage in transcript segment | 4.0 seconds |
| Promo score threshold | 2 (weighted signatures) |
| Min Q&A question duration | 5.0s |
| Min Q&A answer duration | 15.0s |
| Max gap between Q and A | 30.0s |
| Commercial break: min/max duration | 30s / 300s |
| Combined confidence threshold (commercial) | 0.70 |
### Voice Profile System
Bootstrapped from the 579-episode archive. Host (Mike) has era-specific embeddings (2010, 2014, 2018, 2026). Co-host Tara has 44 embeddings from 2 episodes. Unknown repeat voices are clustered and held for host review.
```
voice-profiles/
host-mike-swanson/ -- composite + era embeddings
guests/<name>.npy -- named guest embeddings (built over time)
callers/regular-NNN.npy -- unnamed repeat callers
unknown/cluster-NNN.npy -- unidentified voices appearing multiple times
```
### Archive Index (SQLite)
`archive.db` schema: `episodes`, `segments`, `segments_fts` (FTS5), `qa_pairs`, `qa_fts`. As of 2026-05-01 on BEAST: 572 episodes indexed.
FTS5 search supports: segment text search, Q&A pair search, speaker filter.
### FastAPI Browse/Search UI
Single-file server at `projects/radio-show/audio-processor/server/main.py`. Two embedded HTML templates:
- `INDEX_HTML` — search/browse page with CSS custom property theme (`#c39733` accent), browse-mode toggle, Q&A pill badges.
- `EPISODE_HTML` — episode detail page with sticky `<audio>` player, active-Q&A highlight that follows playhead via `timeupdate` listener, `preload="metadata"`.
Env vars: `ARCHIVE_DB`, `EPISODES_DIR`, `PORT`.
### Post-Show Content Workflow
Three content tiers produced within 48 hours of each episode:
| Tier | Target | Output |
|---|---|---|
| 1 | Radio show website | Episode page (`website/src/content/episodes/sXXeYY-slug.md`) with summary, chapters, links |
| 2 | Flarum forum | Discussion thread (tag: Show Discussion, ID 8) at community.azcomputerguru.com |
| 3 | Radio show website | 13 deep-dive blog posts (`website/src/content/blog/<slug>.md`) |
Claude handles: generating all content from show-prep + debrief, posting to Flarum via DB insert, building and deploying the Astro website.
---
## Deployment / Hosting
| Item | Value |
|---|---|
| Jupiter (primary archive host) | `172.16.3.20:8765` — uvicorn, FastAPI |
| Local dev (BEAST) | `127.0.0.1:8765` — same port as Jupiter for bookmark parity |
| Archive source (IX server) | `172.16.3.10``gurushow@`, `/home/gurushow/public_html/archive/Radio/` |
| Archive local copy (BEAST) | `projects/radio-show/audio-processor/archive-data/` |
| Forum | community.azcomputerguru.com (Flarum) |
| Radio show website | Astro site, deployed via rsync |
[WARNING] Jupiter's `/data/episodes` tree is EMPTY. `GET /api/audio/{id}` returns HTTP 404 for all episode IDs on Jupiter. Audio works locally on BEAST only (full archive in `archive-data/episodes/`). Fix decision is pending — see Open Items.
---
## Configuration / Credentials
| Secret | Location |
|---|---|
| IX server SSH (gurushow) | SOPS vault — search `gurushow` or `ix server` |
| HuggingFace token (pyannote license) | `huggingface-cli login` — required for pyannote.audio |
| Forum DB access (Flarum insert) | SOPS vault — search `flarum` or `community forum` |
IX server access: paramiko with `look_for_keys=False, allow_agent=False`. Tailscale required for `172.16.3.10`.
---
## Active Work / Open Items
- [ ] **Jupiter audio fix (open, unresolved).** Three options, no pick made:
1. rsync full archive (~3040 GB) to Jupiter at `/data/episodes/`
2. Proxy `/api/audio/{id}` from Jupiter to IX on demand (~5 lines)
3. Point `<audio src>` at IX directly via public HTTPS endpoint
- [ ] **Commit intro/QA sort tie-break fix** (`server/main.py` lines 551, 597 — `key=lambda x: x[0]`). Two-line fix, uncommitted as of end of 2026-05-01 session. Mike had not yet OK'd the commit.
- [ ] **RTX 4090 benchmark on BEAST** — establish diarization RTF baseline (expected ~250300x vs 209.7x on laptop 5070 Ti).
- [ ] **Download full archive from IX to BEAST** for batch training (paramiko script skeleton exists in prior session log `2026-04-27-diarization-pipeline.md`).
- [ ] **Verify Tara profile generalizes across 2015/2016 episodes** — re-run `build_cohost_profile.py` with additional windows if false positives appear.
- [ ] **Post-show workflow automation** — social media, email newsletter, podcast RSS still need platform setup.
---
## Key Events / History
| Date | Event |
|---|---|
| 20102018 | Show original run. 579 episodes archived. No 2013 season. |
| 2026-04-27 | Q&A extraction + co-host profile session (DESKTOP-0O8A1RL). Built Tara co-host voice profile (44 embeddings, 0.698 cosine vs Mike). Fixed false-positive Q&A extraction for co-host episodes. Created `archive.db` with FTS5. Indexed 6 test episodes: 762 segments, 10 Q&A pairs. Transcription benchmarked at 63.8x realtime; diarization at 209.7x realtime. |
| 2026-04-30 | UI redesign done on BEAST (mid-session, uncommitted before reboot). |
| 2026-05-01 | Session recovery after BEAST reboot. Found 820-line uncommitted diff to `server/main.py`. Committed as `d7ce9cb` (rebased to `296d157`). Diagnosed Jupiter audio-404 (pre-existing deployment gap, not a regression). Deployed locally on BEAST — confirmed 572 episodes, working audio. Fixed episode-500 sort bug (episode 479). |
| 2026-05-01 | Co-host name corrected: previously labeled "Tom" in session log, Mike confirmed it is "Tara." All references updated. |
---
## Anti-Patterns / Warnings
[WARNING] Do NOT attempt interactive SSH to `gurushow@172.16.3.10` from scripts. Use paramiko with `look_for_keys=False, allow_agent=False`. Key-based auth is disabled on this host.
[WARNING] Tailscale must be active to reach `172.16.3.10` (IX server) or `172.16.3.20` (Jupiter).
[WARNING] The Ollama `/save` protocol has a known stale-prompt-file bug: `save_narrative_prompt.txt` at `C:/Users/guru/AppData/Local/Temp/` is reused across sessions and can cause qwen3 to produce a narrative about the WRONG session. Recovery: write narrative directly. Fix: delete prompt file before re-writing, or use a unique per-session filename.
[WARNING] `sorted()` over `(timestamp, sqlite3.Row)` tuples without `key=` will raise `TypeError` when two rows share the same timestamp. Always use `key=lambda x: x[0]`. This bit `_episode_html` at lines 551 and 597 (2026-05-01 bug).
[INFO] Co-host voice profiles must be built from the first 60 minutes of co-host episodes. Real callers do not call in during the first hour — those CALLER-labeled windows are safely all co-host speech.
[INFO] Tara's exact tenure as co-host is unverified. Do not assume her profile applies across all 20132016 episodes without spot-checking.
---
## Backlinks
- `wiki/systems/jupiter.md` [unverified — may not exist yet] — Jupiter server spec
- `wiki/systems/ix-server.md` [unverified — may not exist yet] — IX hosting server spec
- `wiki/projects/gururmm.md` — related ACG project
- `projects/radio-show/audio-processor/README.md` — full pipeline spec and configuration reference
- `projects/radio-show/post-show-workflow.md` — full post-show content workflow spec
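Review bot: The Credentials table and the first Anti-Patterns warning together say `gurushow@172.16.3.10` takes password auth only (`look_for_keys=False, allow_agent=False`, "Key-based auth is disabled on this host"), which is a finding rather than a usage note: add an Open Item to enable key-based auth on the IX host and retire the password path, and state in the "IX server SSH (gurushow)" row that scripts such as the paramiko download skeleton must read the password from the SOPS vault at run time and never carry it as a literal in the script or a session log. The third Jupiter audio option ("Point `<audio src>` at IX directly via public HTTPS endpoint") also needs a sentence on what access control that endpoint would have, since the other two options keep the archive behind Tailscale.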


@@ -0,0 +1,116 @@
---
type: project
name: wrightstown-smarthome
display_name: Wrightstown Smart Home
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- projects/wrightstown-smarthome/session-logs/2026-02-09-session.md
---
# Wrightstown Smart Home
## Overview
A privacy-first smart home automation project for the Wrightstown residence. The goal is a fully local-first home automation system with no dependency on Google, Amazon Alexa, or other cloud platforms for core functionality. A hybrid LLM bridge allows selective use of cloud AI for reasoning and search while keeping private data (cameras, sensors, presence) entirely local.
- **Status:** Planning / initial research phase as of 2026-02-09. No hardware deployed yet.
- **Scope:** Home Assistant Yellow setup, local LLM server build, hybrid AI bridge, VLAN network security.
- **Related project:** [[wrightstown-solar]] — planned future crossover via Victron Modbus TCP integration.
## Tech Stack
- **Home automation platform:** Home Assistant (open source, local-first)
- **Hardware:** Home Assistant Yellow (already owned, CM4/CM5 module needed)
- **Connectivity:** Built-in Zigbee 3.0 radio; M.2 NVMe slot
- **Local voice:** Wyoming + Whisper + Piper (fully local, no cloud)
- **LLM inference:** Ollama (primary local runtime)
- **LLM interface:** Open WebUI
- **LLM routing layer:** LiteLLM proxy (unified API, cost tracking, fallbacks)
- **Cloud AI — reasoning:** Claude API (Anthropic)
- **Cloud AI — search:** Grok API (xAI, 2M context, internet access)
- **HA integration:** Extended OpenAI Conversation (connects HA to LiteLLM)
- **Remote access:** Tailscale or WireGuard [unverified — not yet selected]
## Architecture
### Home Automation Core
- Home Assistant Yellow as the central hub
- Zigbee 3.0 radio built-in for device connectivity
- All automations, sensors, and local voice run entirely on-device
### Hybrid LLM Bridge
- LiteLLM proxy as unified routing layer with OpenAI-compatible API
- Estimated routing split: 80% local (Ollama) / 15% Claude API / 5% Grok API
- Estimated cloud cost: ~$5/month
- Routing progression: manual → keyword-based → semantic (eventual)
- PII sanitization pipeline for any cloud-bound queries
- Private data (cameras, sensors, presence) stays local only
### Local LLM Server (Planned Build)
- **Recommended GPU:** RTX 4090 24GB ($1,9402,240)
- **Alternative builds researched:** budget build (~$580), flagship ($4,000+), Mac Mini M4
- **Primary model (fast/voice):** Qwen 2.5 7B
- **Primary model (reasoning):** Llama 3.1 70B Q4
### Network Security
- 4-VLAN architecture: Trusted / Infrastructure / IoT / Guest
- IoT VLAN isolation: devices cannot reach trusted network
- VLAN hardware decision pending: TP-Link Omada vs Ubiquiti UniFi [unverified]
## Deployment / Hosting
- Runs entirely on-premises at Wrightstown residence
- No cloud hosting; cloud APIs used selectively via LiteLLM proxy
- Remote access via Tailscale or WireGuard (not yet configured)
## Configuration / Credentials
- **Claude API key:** [unverified — account not yet created as of 2026-02-09]
- **Grok API key:** [unverified — account not yet created as of 2026-02-09]
- When created, store in SOPS vault under `clients/wrightstown/` or `projects/wrightstown-smarthome/`
## Active Work / Open Items
All items were pending as of the 2026-02-09 initial research session:
- [ ] Confirm whether CM4 or CM5 compute module is already owned or needs purchasing
- [ ] Set up HA Yellow (basic install, Zigbee, first automations)
- [ ] Research specific Zigbee devices to purchase
- [ ] Finalize LLM server GPU budget (budget 3060 vs sweet-spot 4090)
- [ ] Purchase and build LLM server hardware
- [ ] Decide on VLAN hardware (TP-Link Omada vs Ubiquiti UniFi)
- [ ] Set up Ollama + Open WebUI
- [ ] Create Anthropic API account + Grok API account
- [ ] Configure LiteLLM proxy
- [ ] Integrate HA with LiteLLM via Extended OpenAI Conversation
- [ ] Plan and implement Victron Modbus TCP crossover with [[wrightstown-solar]]
## Key Events / History
### 2026-02-09 — Initial Research and Planning Session
- Session run on machine: ACG-M-L5090
- Defined project scope: privacy-first, no Google/Alexa, HA Yellow as hub
- Researched and selected all major components (HA Yellow, LiteLLM, Ollama, voice stack)
- Designed hybrid LLM bridge architecture with 80/15/5 routing split
- Designed 4-VLAN network security model
- Researched local LLM server hardware options; recommended RTX 4090 24GB build
- Created project documentation structure:
- `projects/wrightstown-smarthome/PROJECT_INDEX.md`
- `projects/wrightstown-smarthome/documentation/ha-yellow-setup.md`
- `projects/wrightstown-smarthome/documentation/llm-server-build.md`
- `projects/wrightstown-smarthome/documentation/hybrid-bridge.md`
- `projects/wrightstown-smarthome/documentation/network-security.md`
- No hardware purchased or deployed this session. All work was research and planning.
## Anti-Patterns / Warnings
- [WARNING] **HA Yellow requires a CM4 or CM5 compute module — it does not include one.** Verify ownership before ordering other hardware.
- [WARNING] **JK BMS CAN pinout is reversed** (noted in [[wrightstown-solar]] research, relevant to future crossover). Use USB-UART path with dbus-serialbattery driver, not CAN direct.
- **Do not use Google Home or Amazon Alexa integrations** — privacy-first constraint is a hard project requirement.
- **PII sanitization is mandatory** before any data leaves the local network to cloud APIs.
- **Cloud API credentials must go in the SOPS vault** when created — do not hardcode in HA configuration files.
## Backlinks
- [[wrightstown-solar]] — Related project at same residence; planned Victron Modbus TCP crossover
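Review bot: The hybrid LLM bridge lists a "PII sanitization pipeline for any cloud-bound queries" and the warnings make it mandatory, but the architecture does not say where it is enforced (before LiteLLM, inside the proxy, or in the HA conversation agent) or what it strips; name the enforcement point, since with an 80/15/5 split LiteLLM is the only component that knows a request is cloud-bound, and the "private data stays local only" line should say how camera, sensor and presence data are kept off the Claude and Grok routes entirely. In Configuration / Credentials, pick one SOPS path (`clients/wrightstown/` or `projects/wrightstown-smarthome/`) so the key lookup is deterministic.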


@@ -0,0 +1,117 @@
---
type: project
name: wrightstown-solar
display_name: Wrightstown Solar Battery System
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- projects/wrightstown-solar/session-logs/2026-02-09-session.md
---
# Wrightstown Solar Battery System
## Overview
A DIY home solar battery storage project at the Wrightstown residence. The system adds battery storage and whole-house UPS capability to an existing grid-tie solar installation (Fronius IG Plus inverter). The design uses LiFePO4 cylindrical cells assembled into modular 5kWh packs, a Victron MultiPlus II inverter/charger, and a Victron Cerbo GX for system management.
- **Status:** Planning / initial research phase as of 2026-02-09. No hardware purchased yet.
- **Existing solar:** Fronius IG Plus (grid-tie only, no battery port)
- **Goal:** Add battery backup, whole-house UPS with <20ms transfer, generator failover capability
- **Expansion target:** Up to 20kWh (4 packs of 5kWh each)
- **Related project:** [[wrightstown-smarthome]] — planned future integration via Victron Modbus TCP
## Tech Stack
- **Cell chemistry:** LiFePO4 (Lithium Iron Phosphate) — EVE C40 (IFR40135) cylindrical cells
- **Pack configuration:** 16S5P per pack (80 cells per 5kWh pack)
- **BMS:** JK BMS B2A8S20P 150A (recommended)
- **Inverter/charger:** Victron MultiPlus II 48/5000
- **GX device (system manager):** Victron Cerbo GX
- **BMS integration method:** dbus-serialbattery driver via USB-UART cable (not CAN direct)
- **Existing inverter:** Fronius IG Plus (grid-tie, retained — MultiPlus creates micro-grid for Fronius to sync during outages)
## Architecture
### Battery Pack Design
- Cell: EVE C40 (IFR40135) — 3.2V nominal, 20Ah, 64Wh per cell, 366g, 5060A continuous discharge
- Configuration: 16S5P = 16 cells in series × 5 in parallel
- Voltage: 51.2V nominal (48V system)
- Capacity: 5kWh per pack (100Ah)
- Modular: build in 5kWh increments; target up to 4 packs (20kWh)
- 5kWh chosen over 10kWh for: cost spreading, manageable builds, fault isolation, single-person liftable weight
### Power Architecture
- Victron MultiPlus II as central inverter/charger: AC-coupled to Fronius IG Plus
- MultiPlus creates a micro-grid so Fronius can continue producing during grid outages
- <20ms transfer time (UPS-grade seamless switchover)
- Physical relay disconnect ensures zero backfeed to grid
- Generator input supported as third source
- Cerbo GX manages BMS-inverter communication and system telemetry
### BMS Integration
- JK BMS B2A8S20P 150A: 2A active balancing (critical for cylindrical cells)
- Integration path: USB-UART cable → dbus-serialbattery driver → Cerbo GX
- [WARNING] JK BMS CAN bus pinout is reversed — do NOT use CAN direct; use USB-UART path
### Alternative BMS Options (Researched)
| BMS | Notes |
|---|---|
| SEPLOS V4 ($150250) | Native CAN, no pinout issue |
| REC Q16 ($559) | Plug-and-play Victron integration |
| Daly | Not recommended (no active balancing) |
## Deployment / Hosting
- Entirely on-premises at Wrightstown residence
- No cloud services involved in core system operation
- Future: Victron Modbus TCP integration with [[wrightstown-smarthome]] Home Assistant for monitoring
## Configuration / Credentials
*(not documented)* — No credentials or cloud accounts required for this project. Victron Cerbo GX may use VRM portal (Victron Remote Monitoring); if configured, store VRM account credentials in SOPS vault under `projects/wrightstown-solar/`.
## Active Work / Open Items
All items pending as of the 2026-02-09 initial research session:
- [ ] Finalize BMS selection (JK BMS B2A8S20P confirmed as recommendation; alternatives noted)
- [ ] Source EVE C40 cells — Grade A, matched, with test data (required for 16S5P pack)
- [ ] Order Victron MultiPlus II 48/5000 + Cerbo GX
- [ ] Design physical cell holder and bus bar layout for 16S5P cylindrical pack
- [ ] Plan sub-panel / transfer switch wiring
- [ ] Build Pack 1, run for 1 month before expanding to additional packs
- [ ] Plan Victron Modbus TCP crossover with [[wrightstown-smarthome]] Home Assistant
## Key Events / History
### 2026-02-09 — Initial Research and Planning Session
- Session run on machine: ACG-M-L5090
- Researched and selected EVE C40 (IFR40135) LiFePO4 cells over salvaged EV battery packs
- Determined 16S5P / 5kWh modular pack design
- Selected Victron MultiPlus II 48/5000 as inverter/charger for UPS-grade seamless transfer
- Evaluated 8 BMS models; recommended JK BMS B2A8S20P 150A ($80150)
- Selected Cerbo GX ($320350) as GX device over Raspberry Pi
- Analyzed salvaged EV battery options (Tesla LFP, Chevy Bolt, Nissan Leaf) — rejected due to cost and complexity
- Budget estimates established:
- Phase 1 (5kWh + full Victron system): $2,1752,945
- Full 20kWh system: $3,6355,750
- Battery-only cost: $86153/kWh
- Created project documentation structure:
- `projects/wrightstown-solar/PROJECT_INDEX.md`
- `projects/wrightstown-solar/documentation/system-design.md`
- `projects/wrightstown-solar/documentation/bms-comparison.md`
- `projects/wrightstown-solar/documentation/ev-salvage-analysis.md`
- `projects/wrightstown-solar/documentation/parts-list.md`
- No hardware purchased or deployed this session. All work was research and planning.
## Anti-Patterns / Warnings
- [WARNING] **JK BMS CAN bus pinout is reversed.** Use USB-UART path with dbus-serialbattery driver. Do NOT attempt CAN direct connection.
- [WARNING] **Salvaged EV packs were explicitly rejected.** Most salvage is NMC chemistry (less safe than LFP for home use), unknown state of health, requires voltage conversion and custom BMS. New EVE C40 cells are cheaper and simpler.
- **The Fronius IG Plus cannot directly interface with batteries** — it is grid-tie only. The MultiPlus II creates the micro-grid; do not try to connect batteries to the Fronius directly.
- **Buy Grade A matched cells with test data.** Mismatched cells in a 16S5P pack will cause balancing problems even with active balancing.
- **Build Pack 1 first and run for 1 month before ordering materials for additional packs.** This is an explicit project decision to validate the design before scaling.
## Backlinks
- [[wrightstown-smarthome]] — Related project at same residence; planned Victron Modbus TCP crossover for Home Assistant monitoring
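Review bot: Configuration / Credentials says no credentials are required, yet Deployment plans a Victron Modbus TCP integration with [[wrightstown-smarthome]], and Modbus TCP has no authentication of its own; add to Deployment that the Cerbo GX sits on the isolated Infrastructure/IoT VLAN from the smart-home design with only Home Assistant allowed to reach it, and turn the VRM sentence into a decision (enabled or not), since VRM is an outbound cloud link that the sibling project's privacy-first constraint would otherwise rule out. The price and current ranges in Tech Stack, Architecture and History read as single numbers ("5060A", "$150250", "$2,1752,945"); write them with an explicit separator such as "50 to 60A".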