- apply-wlan.sh: wlan_bands token was "6e" but this controller stores "6g" (verified live on Cascades
Guest SSID) -> setting 6 GHz membership would have failed. Fixed band values + option names (5g6g/6g/all).
- Cascades 2.4 runbook: folded in Phase 5 (5 GHz: width 80->40 on 76 radios; channel plan with the
DFS decision flagged -- DFS empirically clean here, so including clean-DFS gives ~20 channels vs ~5
non-DFS-only for 77 APs) and Phase 6 (6 GHz: root cause = production SSID CSCNet not on 6 GHz [bands
2g,5g only]; add 6g + enable bss-transition; band-steering already on). Per Howard.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

DECISION (Mike, 2026-06-16): drop the RESTAPI package — VPN + SSH shell reads the same data and makes
changes. Confirmed Cascades pfSense is Plus 25.07-RELEASE (current; the "too old" premise was wrong) and
admin SSH = real shell (no menu). The upgrade/package blocker is moot; compat layer is off hold.
- NEW scripts/pfsense-ssh.sh: audit (version/WAN-media/gateway-events/DHCP-exhaustion/states/DNS/load/NIC),
dhcp (pool utilization + no-free-leases), run "<cmd>" (arbitrary, incl changes; operator-gated). Cred
from clients/<slug>/pfsense-firewall; system OpenSSH via askpass. Validated live on Cascades.
- audit report: added "pfSense health check (2026-06-16)" — DHCP NOT exhausted (192.168.0.0/22 pool 270/507,
0 no-free-leases), DNS up, dual-WAN stable (no gateway flaps), states/load healthy => gateway is NOT a
WiFi factor; the 2.4 GHz RF work is the sole fix. (Minor: igc3/WAN2 I225 2.5G counter quirk, not a fault.)
- ROADMAP §E + SKILL.md updated to the SSH backend decision; REST pfsense-backend.sh kept dormant/optional.
- Remaining: named gated CONTROL verbs over SSH (easyrule block-ips, pf/fw toggles) + optional gw-* dispatch.
- Closed obsolete coord todo (upgrade-pfSense-for-RESTAPI).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

First onboarding-diagnostic baseline for GND-SERVER (Grabb & Durando DC/file/RRAS box,
gd.local, 192.168.242.200). Grade RED: 2 critical (host firewall OFF on all profiles;
OS-EOL flag — false positive, build 17763 is Server 2019, supported to 2029), 6 warning
(Defender/AV unconfirmed, built-in Administrator enabled, 1 pending update, 2 disk errors
/14d, pending reboot, 2 stopped auto services), plus tempadmin local admin + no confirmed
BitLocker. Immutable JSON + report under onboarding-baselines/.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Removed 44 scratch files that got committed into the tracked root tmp/
(grok/gemini second-opinion rounds r1-r7, rmm-diag-* dumps, ns*.out
captures, and throwaway helpers jssh.py/addnpmnat.php/delnpmnat.php/
cleanup.sh/fix_ws_agent.py) — all from the resolved RMM command_type
'cmd' investigation, already captured in session logs + the gururmm wiki.
Graduated the three non-scratch artifacts per TEMP_GRADUATION.md:
- tmp/site-scan.sh -> scripts/cpanel-wp-site-scan.sh (+ header)
- tmp/ix-site-audit.md -> clients/internal-infrastructure/reports/2026-03-16-ix-server-cpanel-wp-audit.md
- tmp/ix-scan-results.txt -> clients/internal-infrastructure/reports/2026-03-16-ix-server-scan-results.txt
tmp/ is now empty.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>