- Update guru-rmm submodule pointer (SPEC-017 mobile device support)
- Record Apple Developer + MDM Push certs (acquired 2026-05-29); MDM push
cert renews annually on the same Apple ID or all enrolled iOS devices break
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Pluto memory/wiki/machine notes: Unraid VM "Claude-Builder" == hostname PLUTO ==
172.16.3.36 (same box); RMM-agent access path when SSH key unauthorized; now also
builds the GuruConnect Windows agent + hosts a Gitea Actions runner.
- New feedback memories: post #bot-alerts only for client/ticket-affecting RMM commands;
proceed autonomously through routine infra/build prerequisites.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
guru-connect is now tracked as a submodule (azcomputerguru/guru-connect @ e3e95f8);
its working state was published to the GC repo first, so no content is lost. guru-rmm
advanced to include ADR-008 (GC integration boundary) replayed on top of the team's
Integrations Center / discovery advances. Includes the native-remote-control spec
(now inside the GC submodule), the versionable-products memory, and the session log.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pin down the coord messages endpoint shape after repeated mark-read failures:
{total,skip,limit,messages[]}; parse .messages[], strip control chars, read may be null.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Audit of .claude/memory found and fixed:
- Broken link: Power Failure Runbook (../.claude/... -> ../...)
- 8 orphaned memories not in MEMORY.md index (Graph CA/password-reset,
vault-write-sequence, GURU-BEAST-ROG, 3x Cascades, identity proposal)
-> now indexed under their sections, so they're discoverable
- 5 files missing frontmatter -> added name/description/type
- Duplicate index entry for reference_workstation_setup.md -> deduped
- Trimmed the worst oversized index hooks (Syncro invoice line was 427 chars)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mike's decision (2026-05-27): the roadmap is a maintained status-and-plan
tracker ([ ]=planned, [x]=shipped, dated), consulted going in and updated
coming out.
- gururmm-development-principles memory: new "Living Roadmap (MANDATORY)"
principle — consult before building, update the entry in the SAME change
when shipping/modifying; roadmap update is part of definition-of-done.
Dev is the primary maintainer; the audit is the backstop.
- rmm-audit skill: state the convention explicitly — the roadmap pass
default is reconcile-and-flip (not annotate-only).
(Companion gururmm-repo changes — DESIGN.md principle + baseline checkbox
reconcile — pushed separately to the gururmm repo.)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge Ollama fallback pattern with identity.json approach.
Store endpoint/fallback/prose_model to eliminate curl probes.
Same pattern as claudetools_root/vault_path (working).
Next: coord message rollout to populate fields on all machines.
Update cascades-tucson.md Syncro billing pattern to note the blank-contact
rule applies to all customers. Update feedback_syncro_cascades_contact.md
to be incident-detail only (Meredith Kuhn default), pointing to the global
rule in feedback_syncro_blank_contact.md. Update MEMORY.md index entry.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements LLM-compiled wiki layer between raw session logs and live
CONTEXT.md, inspired by Karpathy's knowledge base workflow. Adds wiki/
directory structure, article templates, spec docs, and seeds first two
articles (Cascades of Tucson, GuruRMM) from 60+ session logs.
Updates CLAUDE.md to check wiki first on all context-loading triggers.
Captures verified ACG IP/hostname map and Neptune physical-location
clarification (Dataforth D2, subnet overlap TODO) in memory.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sync.sh: replace `git diff-index --quiet HEAD --` with
`[ -n "$(git status --porcelain)" ]` in both the main-repo (Phase 1) and
vault change-detection, so brand-new untracked files are no longer silently
skipped (the bug Howard hit 2026-04-17). Mark project_sync_script_bug.md
RESOLVED.
.gitignore: exclude the datto BSOD dumps (6 MB zip + 48 MB extracted) so the
detection fix doesn't sweep 54 MB of binaries into the repo.
memory: finish the add_line_item reconciliation — drop legacy "time entry" /
timer-billable framing from feedback_syncro_labor_type and
feedback_syncro_warranty_product (and their index lines); the product-selection
rules themselves are unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mike's overhaul replaced the timer workflow with add_line_item, and he
already rewrote feedback_syncro_timer_first.md. Reconcile the leftovers:
- MEMORY.md index line for timer_first still stated the superseded
"timers required" rule as current — rewrite to the add_line_item rule.
- timer_entry response-shape memory is now about a dead workflow — mark
it HISTORICAL (index + file banner), retained only for manual timer use.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Billing now uses add_line_item directly; timer_entry/charge_timer_entry removed
- Added Verified Response Shapes table for all endpoints (tested live against ACG internal customer)
- Billing workflow rewritten as strict 5-step locked script with no branches
- Added STOP rule: never try alternative endpoints/formats on unexpected responses
- bot-alerts section: explicit success ([OK] + message_id) and failure ([WARNING]) criteria
- Updated feedback memory to supersede the old timer-first rule
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- CODING_GUIDELINES.md: tighten parity rule wording to match Mike's intent:
"add feature X" means Windows + Linux + macOS in the same commit
- memory: add feedback_gururmm_agent_parity for future session enforcement
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Full tenant verification sweep: all Intune/Entra objects match session logs
- Entra Connect staging mode exited; 17 AD groups synced to cloud
- CA policies (Block-off-network, Sign-in-frequency-8h, Block-non-compliant) patched from SG-Caregivers-Pilot to AD-synced SG-Caregivers
- Registration Campaign exclusion updated to SG-Caregivers
- Deleted test accounts: howard.enos (AD) and pilot.test (M365)
- Documented Christine Nyanzunda collision risk, Ederick Yuzon open item, standing security-group rule
- Session log written
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Promote timer_entry → charge_timer_entry to default billing path; demote
bare add_line_item to a clearly-labeled fallback for non-time items only.
Mike caught the bare-add_line_item bug across 31 tickets on 2026-04-30;
repeated on 3 tickets 2026-05-01. Time entries are required for Syncro
reporting (hours per client, tech productivity, prepay burn).
- Replace /tmp/*.json payload pattern with heredoc throughout. /tmp resolves
to C:\tmp\ in the Write tool but %LOCALAPPDATA%\Temp\ in Git Bash on
Windows — different real directories. Caused a wrong-comment incident on
ticket #32225 2026-05-01 (rogue payload from prior session). Heredoc
avoids the file handoff entirely.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three tickets billed today: #32225 Sombra ($525 onsite), #32229 Mineralogical
Record ($262.50 emergency), #32214 Cascades Entra (33.5 hrs project labor at $0
debits prepaid block). Hit a real incident on Sombra: rogue comment posted with
content from a different ticket because /tmp resolves differently in the Write
tool (C:/tmp/) vs Git Bash (%LOCALAPPDATA%/Temp/) on Windows. Howard manually
deleted from GUI; subsequent posts used heredoc to avoid the file handoff
entirely. Root cause documented in feedback_tmp_path_windows.md so future
sessions don't trip the same wire. Scheduled remote agent
trig_01CAfvwoQ4nLcKEqbU4UQmSa to update the syncro skill examples 2026-05-02.
Created memory entry documenting correct way to verify ticket-invoice linkage
in Syncro API after 2026-04-30 incident where faulty verification script
falsely claimed 31 tickets had no invoices (actually 29 had invoices properly,
2 were correctly Non-Billable).
Key lessons:
- List endpoint does NOT return ticket_id or line_items
- Must query individual invoices for full data
- Invoice numbers are strings, not integers
- Use ticket ID (internal), not ticket number (user-visible)
Added to memory index for future GrepAI semantic search.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into
2026-04-30 early morning continuation.
Major work:
- Adopted phased per-group CA rollout (corrects original tenant-wide §5
design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades
CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group
and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com,
SG-Caregivers-Pilot group, Business Premium license, vault entry
pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group,
CREATE 3 new Report-only policies (block off-network, block
non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set,
awaiting MHS to take over launcher and SDM sign-in prompt
6 new project/feedback memories. Resume point at top of new session log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Both servers were already patched (11.110.0.97 and 11.134.0.20) via
daily auto-update. IOC scan found 16 flagged sessions across both
plus 4 uncommented SSH keys on IX.
Critical remediation:
- Forensic evidence preserved before any deletion
- 4 uncommented SSH keys removed from IX (server-side backup retained)
- 16 flagged sessions purged across both servers
- Root passwords rotated via chpasswd
- New WHM API tokens created; 3 stale transfer-* tokens revoked
- Vault entries + 1Password Infrastructure items updated
Forensic deep-dive verdict: patch held. All 7 actual CVE exploit
attempts (botnet IPs hitting /json-api/version) returned HTTP 403.
The "multi-line pass" IOC hits on user sessions were false positives.
Unidentified 76.18.103.222 root session traced to routine SSL
maintenance (zero sensitive endpoints touched).
Skill hardening:
- Added MANDATORY service-token directive to .claude/commands/1password.md
enforcing OP_SERVICE_ACCOUNT_TOKEN from SOPS for all op CLI calls
- Per Mike: memory files alone don't reliably bind agent behavior;
baking governance into skill content loaded at moment of use.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
