sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00

Synced files:
- Quote wizard frontend (all components, hooks, types, config)
- API updates (config, models, routers, schemas, services)
- Client work (bg-builders, gurushow)
- Scripts (BGB Lesley termination, CIPP, Datto, migration)
- Temp files (Bardach contacts, VWP investigation, misc)
- Credentials and session logs
- Email service, PHP API, session logs

Machine: ACG-M-L5090
Timestamp: 2026-03-10 19:11:00

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

clients/bg-builders/lesley-disable-summary.md

@@ -0,0 +1,29 @@
+Hi Shelly,
+
+Lesley Roth's account has been disabled. Here's a summary of what was done:
+
+**Account Access**
+- Sign-in has been blocked -- Lesley can no longer log in to any Microsoft 365 services
+- All active sessions have been revoked (any currently logged-in session was terminated immediately)
+- Password has been reset
+- The account itself is preserved and mailbox is intact
+
+**Device Email Wipe**
+- An account-only wipe has been sent to both of Lesley's devices:
+  - iPhone 16 Pro (active) -- wipe is pending and will complete the next time the phone connects
+  - iPhone 14 Pro (older device, not actively syncing)
+- This removes only the BG Builders email account and company data from the devices. Personal data on the phones is not affected.
+
+**Email Activity Review**
+- We reviewed all sent, received, and deleted email for the last 72 hours
+- Nothing unusual or concerning was found
+- Litigation hold is enabled on the mailbox, so no emails can be permanently deleted
+
+**Mailbox Access**
+- You and Barry both have full access to Lesley's mailbox. It should appear automatically in your Outlook.
+- You can also send email on behalf of Lesley's address if needed.
+
+Let us know if you need anything else or if you'd like us to proceed with converting the mailbox to shared and removing the license once you've had a chance to review the contents.
+
+Thanks,
+Mike

clients/bg-builders/session-logs/2026-03-09-session.md

@@ -0,0 +1,74 @@
+# BG Builders - Session Log 2026-03-09
+
+## Session Summary
+
+Lesley Roth (lesley@bgbuildersllc.com) employee disable and device wipe. Account disabled (sign-in blocked, sessions revoked), email data wipe initiated on both mobile devices, and 72-hour mail activity report generated. Account preserved (not deleted/converted to shared) per client request.
+
+## Actions Completed
+
+### 1. Account Disable
+- **Sign-in blocked** - AccountEnabled set to False (was already False from previous termination on 2026-02-27)
+- **All sessions revoked** - Confirmed via Revoke-MgUserSignInSession
+- **Password reset** - Script failed with 403 (sysadmin lacks privilege), manually reset via M365 Admin Center to: `bgb-pass-reset-2026!!`
+
+### 2. Device Email Wipe
+- **iPhone 16 Pro** (iOS 26.3.1) - AccountOnlyDeviceWipePending. Active device, last synced 2026-03-09 16:23:30. Should complete on next sync.
+- **iPhone 14 Pro** (iOS 18.5) - AccountOnlyDeviceWipePending. Stale device, last synced 2025-06-27. May never acknowledge.
+- No Intune-managed devices found (BGB has no Intune/Business Premium)
+- Wipe type: AccountOnly (removes M365 email account only, preserves personal data)
+
+### 3. 72-Hour Mail Activity Report
+- Report generated covering 2026-03-06 09:25 to 2026-03-09 09:25
+- **Nothing of consequence found** - no suspicious sent/deleted mail activity
+- Report saved to: `D:\ClaudeTools\scripts\bgb-lesley-mail-report-20260309.txt`
+- Checked: sent messages, received messages, deleted items, inbox rules, forwarding config
+
+### 4. Pre-existing Security Measures
+- **Litigation hold** already enabled (from previous re-enable script on 2026-02-27)
+- **Barry** (barry@bgbuildersllc.com) has FullAccess + SendAs on mailbox (from original termination)
+- **Shelly** (Shelly@bgbuildersllc.com) has FullAccess + SendAs (from re-enable script)
+
+## Credentials Used
+
+### Microsoft 365 Tenant - BG Builders LLC
+- **Tenant:** bgbuildersllc.com
+- **Tenant ID:** ededa4fb-f6eb-4398-851d-5eb3e11fab27
+- **CIPP Name:** sonorangreenllc.com
+- **Admin User:** sysadmin@bgbuildersllc.com
+- **Password:** Window123!@#-bgb
+
+### Target User
+- **User:** Lesley Roth
+- **UPN:** lesley@bgbuildersllc.com
+
+## Scripts Created/Modified
+
+### New Scripts
+- `scripts/bgb-lesley-disable-wipe.ps1` - Disable account + device email wipe
+- `scripts/bgb-lesley-mail-report.ps1` - 72-hour mail activity report (sent/received/deleted)
+- `scripts/bgb-lesley-verify-wipe.ps1` - Verify device wipe status
+
+### Technical Notes
+- `Get-MessageTrace` deprecated Sep 2025 - use `Get-MessageTraceV2` (no `-PageSize` parameter)
+- `Search-MailboxAuditLog` deprecated Jan 2026 - use `Search-UnifiedAuditLog`
+- Exchange Online `-Device` auth switch only works in PowerShell 7 (pwsh), not Windows PowerShell 5.1
+- WAM broker auth requires a visible PowerShell window (can't run from bash/non-interactive shell)
+
+## Current Account State
+| Property | Value |
+|----------|-------|
+| AccountEnabled | False |
+| Mailbox Type | UserMailbox |
+| Litigation Hold | True |
+| Licenses | Still assigned |
+| Barry Access | FullAccess + SendAs |
+| Shelly Access | FullAccess + SendAs |
+| iPhone 16 Pro | AccountOnlyDeviceWipePending |
+| iPhone 14 Pro | AccountOnlyDeviceWipePending |
+
+## Pending/Follow-up
+- Password reset needs Global Admin or check sysadmin role assignments
+- iPhone 16 Pro wipe should complete soon (active device)
+- iPhone 14 Pro wipe may never complete (stale since June 2025)
+- Account NOT converted to shared, licenses NOT removed (per request to keep account)
+- OneDrive access not addressed this session