1. Variable name collision: VAULT_PATH was used for both the SOPS file
relative path (set by case statement) and the vault root override env
var. Renamed env var override to VAULT_ROOT_ENV to avoid collision.
2. Wrong directory depth: CLAUDETOOLS_ROOT was navigating 3 levels up
from scripts/ landing at .claude/ instead of repo root. Fixed to 4
levels (scripts -> remediation-tool -> skills -> .claude -> repo root).
Also added jq as primary vault_path reader (handles Unix paths on Windows),
with cygpath-converted Python fallback.
Bugs discovered during Mac testing 2026-04-21. Windows worked only because
tokens were served from /tmp cache after first acquisition.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Critical bug discovered during Mac vault testing. Variable name collision
breaks token acquisition on all machines.
Fix required before proceeding with Howard's vault sync task.
Read .claude/URGENT-vault-path-bug.md on Windows laptop for remediation steps.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
sync.sh: after pull, scan changed session logs for "## Note for" /
"## Message for" sections and print them in a highlighted block
before the sync summary. Forces attention on inter-team messages.
CLAUDE.md: document mandatory behavior — cross-user notes displayed
at top of response with full content, action items addressed before
continuing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)
Howard and Mac need vault_path added to their identity.json after pulling.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace hardcoded D:/vault references with candidate-list pattern
that also checks $HOME/vault, ~/.vault, and respects VAULT_PATH
env var override. Fixes vault.sh lookup failures on Mac and
Howard's machine.
Affected: CLAUDE.md, syncro.md, get-token.sh, patch-tenant-admin-manifest.sh
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Removed DMARC bypass transport rule for clearcutglass.com from GlazTech Exchange Online
- Reviewed clearcutglass.com DNS post Team Logic IT changes; flagged SPF softfail (~all)
- Communicated findings to client and IT vendor (Jordan Fox / Team Logic IT)
- M365 tenant review: removed external Global Admin (tomakkglass.com guest)
- Identified no MFA enforcement (Security Defaults disabled, no CA, no P1)
- Created Syncro ticket #32186 for MFA implementation project
- Documented MFA rollout plan and service account audit requirements
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added desertrat.com to /etc/mailprotector_domains on Websvr (outbound SBR now active)
- Created Mailprotector bulk user import CSV (38 desertrat.com accounts/forwarders)
- Created Syncro ticket #32181 + invoice #67437 for Furrier (30 min remote, $81.53)
- Corrected syncro.md skill doc: add_line_item for billing, remove_line_item to delete,
charge_timer_entry to convert timers, comment DELETE impossible via API
- Created clients/furrier/ with session log
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fixed MSI build on Pluto (missing WixToolset.Util.wixext in install.rs)
- Created docs/DESIGN.md in gururmm repo (per-component design guide)
- Saved BirthBiologic GuruRMM site credentials to vault
- Added birth-biologic and mvan-inc client session logs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Decommissioned cloudflared tunnel, migrated 9 services to direct CF proxy,
removed ~22 stale pfSense rules and 22 unused aliases.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New SPs need ~5s to replicate before appRoleAssignments can be granted.
Also fixes jq null iterator error when SP has no existing assignments.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dark-theme HTML page with one-click consent URLs for each tenant.
Tracks done/pending state in localStorage. Re-consent tenants (martylryan,
grabblaw) highlighted separately. No copy-paste needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After Tenant Admin is consented by customer admin, the script automatically:
- Creates SPs for Security Investigator, Exchange Operator, User Manager,
and Defender Add-on (programmatic consent, no extra customer clicks needed)
- Grants all required Graph, Exchange Online, and Defender ATP appRoleAssignments
- Idempotent: skips any permissions already granted
Also added AppRoleAssignment.ReadWrite.All to Tenant Admin manifest so
fresh consents include this permission. Existing tenants (martylryan.com,
grabblaw.com) need a one-time Tenant Admin re-consent to pick it up.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
41 CIPP-managed tenants sourced from ListTenants API. Includes onboarding
status, tenant IDs, and pre-built Tenant Admin consent URLs for each.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root cause: app-only Graph operations (password reset, Exchange REST) require
directory roles on each SP in the customer tenant, not just admin consent.
RoleManagement.ReadWrite.Directory was missing from all app manifests, making
role assignment impossible without manual portal work that was never being done.
Changes:
- patch-tenant-admin-manifest.sh: adds RoleManagement.ReadWrite.Directory to
Tenant Admin app manifest via Management app, grants home-tenant consent
- onboard-tenant.sh: new script — resolves tenant, acquires Tenant Admin token,
assigns Exchange Administrator to Security Investigator SP and User/Auth
Administrator to User Manager SP; --dry-run supported; idempotent
- get-token.sh: detects AADSTS7000229, emits consent URL + onboard-tenant.sh
reminder instead of silent failure
- gotchas.md: onboarding steps at top, tenant table expanded with role columns,
all known tenants updated including martylryan.com (first fully onboarded)
Verified: martylryan.com fully onboarded, password reset to MLR2026!! succeeded
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- clients/glaztech/session-logs/2026-04-20-session.md: Exchange Online
transport rule created to bypass DMARC for clearcutglass.com
- session-logs/2026-04-20-session.md: update with 12:55 work
- .claude/commands/syncro.md: fix billing workflow — comment endpoint
silently drops time fields; use timer_entry endpoint instead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Windows Store python3 stub returns exit 49 instead of running Python.
Replace with: py (Windows launcher) for actual Python code, jq for
simple JSON extraction. Reorder fallback loops to try py first.
Add Bash(py:*) to settings.local.json allowlist.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extract Ollama docs and PROJECT_STATE locking protocol to on-demand
reference files. Trim Work Mode to detection table only. Remove verbose
anti-pattern examples and credential encryption details.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
git add -A captured the stale submodule pointer on Howard's machine
(April 18 init, not updated) and committed it, causing a conflict.
Now sync always runs git submodule update --remote first so the pointer
is current before staging.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rewrote get-token.sh: tiered app system (investigator/exchange-op/user-manager/tenant-admin/defender)
- Updated SKILL.md, command, gotchas, checklist, graph-endpoints for new app suite
- Cascades breach check: mailbox clean, inbound phishing received by John, DMARC gap noted
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Triggered by John Trozzi reporting a spoof email. Single-user check
confirmed him clean (reported, not compromised). Tenant-wide sweep
found a sustained ~1 month campaign from 4 external IPs (UA/US/DE/AT
- deltahost + ColoCrossing) plus a compromised-M365-tenant relay
vector. Deleted 14 messages (Groups A+B) per Mike's explicit
authorization. Preserved legitimate HR thread (HRPYDBRUN xlsx) and
user outbound forwards as evidence.
Recommendations in report: DMARC p=quarantine/reject for
cascadestucson.com (biggest leverage), TABL IP blocks, zoom.nl
URL block, Defender impersonation protection.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
