Updated DESIGN.md with two fundamental principles:
1. Holistic Feature Development - every feature needs full stack (backend, API, UI, docs)
2. AI-Optional Operation - product works without AI agents; AI features are enhancements
Submodule commit: e490307
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated GuruRMM roadmap with two major features:
- Network Discovery Node (P2): site-level device discovery and mapping
- Local Collection Node (P2): reduce WAN traffic by local aggregation
Submodule commit: db7d074
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Howard is cleared to proceed with Path A (Graph API role assignment) for
Cascades CA Administrator fix.
Also communicated new approval workflow:
- General tools: Howard can modify OR Claude can execute with Howard/Mike approval
- Projects: require Mike approval, features→roadmap, bugs→bug list
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Tools (remediation-tool, onboard scripts, MSP utilities):
- Howard can modify directly
- Claude can execute with Howard OR Mike approval
- No roadmap process, immediate operational changes
Projects (GuruRMM, ClaudeTools API, etc.):
- Require Mike approval
- Features go to roadmap
- Bugs go to bug list
Established during Cascades CA role gap fix discussion.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- New laptop provisioned onsite at IMC Speedway: joined to imc.local, AD
account created for Manda (incoming GM), Outlook bound to her M365
mailbox, Office activated via retail key, AIMsi USER#=4 per Leslie.
- Syncro ticket #32218 invoiced — 1.5 hrs Onsite Business labor debited
from IMC's prepay block (14.0 -> 12.5 hrs).
- ServerIMC (192.168.0.63) confirmed as a real authentication-degrading
phantom DC: SRV/A records claim it's a DC; LDAP/Kerberos refuse
connections. Promoted from "unclear, worth verifying" (2026-04-13) to
confirmed AD hygiene issue. Was the root cause of the 2026-04-22 remote
domain-join failure. Needs follow-up ticket: repair or ntdsutil cleanup.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thread 1 (AD-side prep on CS-SERVER) completed:
- howard.enos password reset to memorable value (PHS will sync to M365 once staging exits)
- proxyAddresses=SMTP:howard.enos@cascadestucson.com added (G1 convention)
Thread 2 (CA reconciliation) blocked: ComputerGuru - Tenant Admin SP
(appId 709e6eed-...) has zero directory role assignments in Cascades.
Graph CA endpoints 403 despite Policy.ReadWrite.ConditionalAccess on token.
Decision pending: Path A (Graph-side role assignment via existing
RoleManagement.ReadWrite.Directory) vs Path B (portal click as admin@).
Target role: Conditional Access Administrator
(b1be1c3e-b65d-4f19-8427-f6fa0d97feb9) on SP objectId
a5fa89a9-b735-4e10-b664-f042e265d137.
Follow-up: extend onboard-tenant.sh to assign this role at onboard time
(parallels 16f95e8 Exchange Admin fix for Exchange Operator SP).
Pilot target slipped 2026-04-27 to 2026-04-28. ALIS App Store still
inaccessible — install-side of ALIS SSO still deferred regardless.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Append to 2026-04-28-session.md covering the FastAPI/SQLite container
deploy: build + ship + verify, plus credentials, paths, and re-deploy
procedures for both DB updates and source updates.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Read-only HTTP layer over archive.db. Endpoints: /api/stats,
/api/episodes, /api/episodes/{id}, /api/episodes/{id}/transcript,
/api/search (FTS5 over segments + qa_pairs, bm25-ranked, snippets),
/api/callers. Single-file HTML index with debounced search UI.
Deployed: Jupiter (Unraid Docker), bound to 172.16.3.20:8765, LAN only.
Container path: /mnt/user/appdata/radio-archive/{app,data}.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Synced with Gitea, reviewed 14 commits from GURU-BEAST-ROG:
- Radio show audio processing (Tara voice profile, Q&A extraction, 4090 benchmark)
- Cascades client work (Howard - HIPAA remediation, Entra Connect staging)
- Valleywide client init (app modernization project)
Note detected: Co-host name 'Tom' needs correction in radio show profiles.
Session type: Sync and context review only, no active development.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Execution-only follow-on to 2026-04-27. Both batch passes done (519+53,
0 errors), import_to_sqlite.py run incrementally to bring archive.db
to final state. Next step: Jupiter Docker container deploy.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
QAPair gets caller_name and caller_role fields populated by a new
attach_caller_names(pairs, transcript_segments) helper. For each pair,
finds the active opening intro at the question_start time (8s forward
tolerance, no backward limit — a caller's call can run for 10+ minutes
and the intro happens once at the start) and attaches the speaker name.
Validation on 9-episode test set:
19/19 Q&A pairs (100%) now have caller names attached.
Examples of corrections from oracle attribution:
2018-s10e18 @ 73:36 Christopher (was misattributed to "Tara")
2015-s7e19 @ 35:45 William (was misattributed to "Tara")
2010-05-08-hr1 Jackie x3, Bruce
2012-03-10-hr1 Adam x2
2016-s8e43 John, Doug
2017-s9e30 Tom, Denise x3, Charlie
speaker_oracle.py: adds speaker_at(time, intros) helper used both by the
existing resolve_speakers() and the new caller-name attachment. Also
adds the "let's fit/bring/put X in/on" intro pattern variant (caught
Charlie at 70:21 in 2017-s9e30 that "talk to X" missed).
download_full_archive.py: SSH keepalive every 30s + per-file retry-on-
failure (up to 3 attempts with reconnect). Earlier run hung on a dead
connection at file 109 of 589 with no recovery; restarted run is now
running at ~10 MB/s vs ~2-3 MB/s before.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New module src/speaker_oracle.py extracts speaker introductions from
transcripts ("let's talk to William", "we have Clay from the Nerd Junkies",
"in Tara's place, we have Clay", "thanks for the call <name>") and binds
them to non-HOST diarization turns. Pure post-pass on diarization JSONs,
no audio processing — corrects audio-only cosine errors using Mike's
deterministic on-air announcements.
Algorithm:
- Extract intros: regex patterns for caller pickups, guest intros,
fill-in announcements, caller closes. Case-strict (rejects mid-sentence
lowercase matches), with a blacklist of common false-positive words.
Deduplicates same-name intros within 5s.
- Resolve speakers: for each non-HOST turn, find the LATEST opening intro
at or before turn.start (with 8s forward tolerance for boundary slop).
Later intros implicitly close earlier callers, so the most recent
intro wins. No artificial lookback limit (callers can talk for 10+ min).
- Falls back to caller_close patterns within 30s after a turn ends.
Validation on 9-episode test set:
2018-s10e18: Christopher 190s correctly named (was mislabeled "Tara")
2012-06-09 : Kay 160s correctly named (was mislabeled "Tara")
2015-s7e19 : Clay 45s as fillin for Tara, William 40s as caller
2016-s8e43 : Charles 630s, Bruce 210s, John 205s — most callers named
2017-s9e30 : Denise 295s, Tom 115s, Elaine 85s, Jeff 10s
Many other callers across all episodes correctly named.
Remaining unnamed CO-HOST/CALLER (~5-10% of non-HOST time) are real
co-host banter or callers without explicit Mike-introductions.
benchmark.py: adds Phase 2.5 "Name Resolution" between diarization and
Q&A extraction. Prints named-speaker breakdown per episode. Doesn't
modify diarization JSONs (resolution is computed on demand).
Next step: feed named turns into qa_extractor so Q&A pairs get caller
name attached for searchability. Also: bootstrap recurring-speaker
profiles (Tara, Tony, Rob, Randall, producers) by accumulating
intro-tagged windows across the full archive once download completes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
First attempt at Clay's voice profile from 2015-s7e19 produced
Clay-vs-Mike cosine similarity of 0.994 — essentially a Mike clone.
Root cause: 10s WavLM x-vector chunks averaged Mike's frequent
interjections together with Clay's dialogue, and Mike's well-trained
profile dominated the resulting embedding signal.
Mike's call: skip Clay, accept the 2015-s7e19 Q&A as noisy. Clay rarely
appears in other episodes, so the cost of not having his profile is
bounded to this one episode plus any rare future appearances.
Cleanup:
- voice-profiles/clay/ removed
- voice-profiles/profiles.json: Clay entry removed
- Memory updated to record the decision and the failure mode
Kept build_clay_profile.py in-repo as documentation of the attempt and
the Mike-similarity-filter pattern. Useful starting point if a future
attempt provides cleaner pure-Clay timestamps.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a transcript-driven bumper filter to the diarization pipeline. When
a transcript segment matches qa_extractor's promo/bumper signatures, the
overlapping audio windows are labeled BUMPER and the WavLM cosine match
is skipped. Prevents music/promo from being matched against speaker
profiles (the failure mode Mike caught in 2018-s10e18 @ 09:20-10:05).
Code changes:
- src/voice_profiler.py: identify_speakers() takes optional skip_ranges
parameter; windows whose midpoint falls in a skip range get labeled
"[bumper]" and skip cosine match
- src/diarizer.py: diarize() takes optional transcript_path; pre-computes
bumper time ranges via qa_extractor._is_promo_or_bumper, passes to
identify_speakers; adds BUMPER speaker label
- benchmark.py: passes transcript_path to diarize()
Aggregate impact across 9-episode test set:
Tara attribution: 4880s -> 3680s (-1200s / -25%)
Q&A pairs: 17 -> 19 (+2)
(bumper-flagged segments had been disrupting conversation detection
in 2017-s9e30 and 2018-s10e18)
CALLER total: 1320s -> 1190s (bumpers previously labeled CALLER moved)
Per-episode bumpers caught: 1-8, total ~165 bumper segments across set
Remaining Tara false positives are real callers acoustically similar to
Tara (Christopher in 2018, Kay in 2012, William and Charles in 2015) and
guest Clay in 2015-s7e19 — those need profile rebuild + Clay profile,
not bumper filtering.
Adds download_full_archive.py — resumable mirror-style downloader that
walks IX server's /home/gurushow/public_html/archive/{year}/ and copies
all MP3s to archive-data/episodes/. Run is in progress (~589 files,
~10-15GB). Used to source clean profile windows for the remaining
co-hosts (Tara rebuild, Clay, Tony, Rob, Randall, producers).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Added 2010, 2015, 2018 test episodes to round out the test set to one
per available year:
- 2010-05-08-hr1 (May 2010, earliest available; pre-Tara era)
- 2015-s7e19 (Jan 2015, avoids training's s7e30)
- 2018-s10e18 (only 3 non-training 2018 episodes exist)
Archive has no 2019 directory — Rob's "2018/2019 appearances" are
constrained to the 5 available 2018 episodes only.
Per-year diarization summary (Tara presence, post-rename):
2010-05-08 30s 1.2% likely false positive (pre-Tara)
2011-03-12 140s 5.6% likely false positive (call-in only)
2012-03-10 30s 1.1% likely false positive (call-in only)
2012-06-09 340s 12.8% suspicious — Mike to confirm
2014-s6e19 680s 23.3% confirmed
2015-s7e19 280s 9.9% plausible — Mike to confirm
2016-s8e43 1890s 35.5% confirmed
2017-s9e30 610s 11.4% plausible
2018-s10e18 880s 17.1% COULD BE ROB — Mike flagged Rob for
2018/2019 appearances; cosine threshold may
be hitting on Rob being acoustically similar
to Tara
Total Tara across 9 episodes: 1h 21m / 8h 52m audio (15.3%).
Q&A counts (still suspect — every voice that isn't Mike-or-Tara is
labeled CALLER, so Randall/Rob/producers inflate the bucket):
2010=4, 2011=1, 2012a=2, 2012b=0, 2014=0, 2015=1, 2016=2, 2017=4, 2018=3
Total: 17 pairs across 9 episodes
4090 perf on the expanded set:
- Diarization: 31928s in 121.5s = 262.7x realtime (vs 209.7x on 5070 Ti, +25.3%)
- Transcription (3 new episodes only): 10554s in 112.4s = 93.9x
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mike confirmed there is no co-host named "Tom" — the voice in 2014-s6e19
and 2016-s8e43 is Tara. The 5070 Ti session fabricated the Tom identity.
The voice profile itself (44 embeddings, 0.698 cosine vs Mike) is correct;
only the human label was wrong.
Rename swept:
- voice-profiles/tom/ -> voice-profiles/tara/ (git mv preserves all .npy)
- voice-profiles/profiles.json: "Tom" key -> "Tara"
- build_cohost_profile.py: TOM_WINDOWS -> TARA_WINDOWS, COHOST_NAME, comments
- 2026-04-27-qa-extraction-cohost-indexing.md: correction header + body sweep
- 2026-04-27-4090-benchmark-and-test-set.md: closure note
- .claude/memory/radio_show_no_cohost_named_tom.md: resolution + speaker roster
Diarization re-run after rename so speaker_map emits "Cohost: Tara".
Q&A counts unchanged (rename is label-only): 9 pairs across 6 test episodes.
Tara distribution from the post-rename diarization (per-episode % of audio):
2011-03-12-hr1 140s 5.6% likely false positive (call-in only)
2012-03-10-hr1 30s 1.1% likely false positive (call-in only)
2012-06-09-hr1 340s 12.8% suspicious — pending Mike confirm
2014-s6e19 680s 23.3% confirmed
2016-s8e43 1890s 35.5% confirmed
2017-s9e30 610s 11.4% plausible — pending Mike confirm
Broader speaker-roster context Mike provided this session (saved to
memory): the show has had multiple co-hosts (Tara, Randall, Rob) plus
producers/board ops (Andrew, Shannon, Ken, others) who would sometimes
go on-air. Only Tara has a profile so far. Every other speaker is
currently labeled CALLER, which means small CO-HOST attributions in
unexpected episodes (e.g. 2011/2012) may actually be a producer rather
than a false positive — Mike to spot-check.
Action item before full-archive run: build profiles for Randall, Rob,
and the named producers to avoid systematic Q&A false positives in
early-years and 2018/2019 episodes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Re-ran benchmark.py on GURU-BEAST-ROG against the post-overhaul code
(co-host profile, batched Whisper int8_float16, revised Q&A extractor).
Results vs 5070 Ti baseline:
- Diarization: 209.7x -> 338.1x (+61.2%)
- Transcription: 63.8x -> 94.8x (+48.6%)
- Q&A pairs: 9 vs 10 (within run-to-run noise; structural correctness matches:
2014 = 0 callers, 2016 = 2 WiFi caller pairs)
Setup change: BENCH_SETUP.md now lists ffmpeg as a Step-2 prereq
(winget install Gyan.FFmpeg). Was missing on this machine and the pipeline
fails silently at the first diarize call without ffprobe.
Code change: benchmark.py BASELINE_RTF updated 149.5 -> 209.7 to reflect
the 5070 Ti's post-overhaul measurement (e9ac607).
Data: 6 test episode transcripts and diarizations regenerated under the
new code path (batched Whisper output + co-host-aware speaker_map).
Correction memory: voice-profiles/tom/ directory + 5070 Ti session log
fabricated a co-host named "Tom" — Mike confirms no such person exists on
the show. The audio profile is real and the diarization separation is
sound, but the human identity attached to it is wrong. Saved under
.claude/memory/radio_show_no_cohost_named_tom.md pending Mike providing
the correct name for rename.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comprehensive log of the Entra setup work spanning 4/24 evening through 4/25.
Includes a Resume Point at the top so the next session can pick up cleanly.
Highlights:
- Entra Connect Sync installed in staging mode on CS-SERVER, scope OU=Caregivers
- Pilot AD account howard.enos@cascadestucson.com created
- Master plan v2 with explicit drift log (FIDO2/YubiKey injection caught)
- HIPAA retention remediation: 7 mailboxes restored from soft-delete (4/22 deletes
violated 164.316(b)(2)); termination procedures policy + IR-2026-04-24-001 documented
- admin@cascadestucson.com re-promoted to Global Admin (Sandra Fish cleanup had
stripped role); residual profile data cleaned
- Existing Cascades CA architecture discovered (Named Location 72.211.21.217 + all-users
MFA policy from 2026-02-11) — adjusts plan, no duplicate policies needed
- Syncro ticket #32214 'Entra setup' with hidden private rollup (~40-45 billable hrs)
Released session lock; resume point flagged in PROJECT_STATE.md.
Replaced thin Ollama draft with complete show prep:
- Full common thread narrative
- 5-7 talking points per segment (was 2-3)
- Added second story per segment (dot-com playbook, Optimus robot, Adobe/NVIDIA small biz angle)
- Specific facts: NASDAQ -78%, Amazon $107->$5.51, pets.com $82.5M raised
- Tucson-specific angles added throughout
- HTML rewritten with full template CSS matching April 18 show format
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- tenants.md: updated status to PARTIAL with full detail note
- clients/sandteko-machinery/: new client directory with reports/ and session-logs/ scaffolding
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Appended update to 2026-04-24 session log covering the font change
investigation. Checked bash startup files, Windows Terminal settings,
registry console keys, raw PowerShell output bytes, and installed
fonts. No root cause found — user will report next real-time
occurrence for definitive diagnosis.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Index was dead since 2026-04-19 (watcher not running). Fixes:
- Watcher restarted; scheduled task registered for login persistence
- Removed .md 0.6x penalty — markdown is primary content in this repo
- Added session-logs/ 1.3x, .claude/ 1.2x, /clients/ 1.1x relevance bonuses
- CLAUDE.md: grepai_search is now the first step for any context lookup
- OLLAMA.md: documents config overrides + watcher setup for new machines
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Write operations (bill, comment, create) now send a prompt to Ollama
(qwen3:14b) for comment body and billing description drafting. Claude
reviews the output against the rate/prepaid/formatting checklist before
presenting the preview. If neither Ollama endpoint is reachable, Claude
drafts directly — same review and confirmation flow either way.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add local rate table (pulled 2026-04-24) for all 7 labor products; always
set price_retail explicitly — Syncro API does not auto-apply product rates
- Replace vault-based key fetch with inline case block on identity.json user;
both Mike and Howard keys included for correct per-user attribution
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- tenant-sweep.sh line 12: renamed tier `graph` to `investigator` to match
the valid tier name expected by get-token.sh
- tenants.md: updated Kittle Design & Construction consent status from NO
to PARTIAL with notes on what was consented and what remains pending
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents the 3-call create pattern (ticket → Initial Issue comment →
appointment), adds problem type and appointment type dropdowns with IDs,
fixes priority format to number-prefixed strings ("2 Normal"), adds Howard
to tech user ID table, and adds asset/contact lookup steps.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds JSON-RPC client, Pydantic schemas, and FastAPI router for
Bitdefender GravityZone. Endpoints: status, companies, endpoints,
quarantine, and security sweep across all 55 managed client companies.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds full GravityZone API integration to ClaudeTools. Key additions:
- api/services/gravityzone_service.py: JSON-RPC client with Basic auth,
methods for company/endpoint/quarantine/licensing data, and security_sweep
which paginates all endpoints, enriches with malware/agent status, and
sorts infected > outdated > clean
- api/schemas/gravityzone.py: Pydantic response models for all endpoints
- api/routers/gravityzone.py: 7 REST endpoints at /api/gravityzone/*,
JWT-protected, returns 502 on downstream GZ errors
- api/config.py: GRAVITYZONE_API_KEY + GRAVITYZONE_API_BASE_URL settings
- api/main.py: router registered under /api/gravityzone
Vault entry: msp-tools/gravityzone.sops.yaml (partner-level key, 14 modules)
Server .env updated, ticktick router synced, service restarted and verified.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Major work from 2026-04-23:
Folder redirection (OU=Life Enrichment):
- Added 5 folders (Desktop, Pictures, Music, Videos, Favorites) to CSC - Folder
Redirection (LE) alongside existing Documents + Downloads. All use Flags=1021
(Basic + create folder per user + move contents + policy-removal: redirect back).
- Created CSC - Always Wait For Network GPO, linked at OU=Workstations. Disables
FLO via correct Winlogon registry path (HKLM\Software\Policies\Microsoft\
Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy=1). First attempt used
wrong path (Windows\System) which Winlogon ignored.
- Proved GPO FR works for clean-hive users (test user LE.FRTest, now removed).
- Wrote susan-profile-fix.ps1 to repair ProfWiz-poisoned profiles: robocopies
local content to \CS-SERVER\homes\<user>, loads NTUSER.DAT, rewrites User
Shell Folders (legacy + modern GUIDs) to UNC, unloads. Applied to Susan Hicks,
verified via live SMB session + content access.
Share access review doc:
- share-access-matrix-2026-04-23.md drafted for John/Meredith review. One
short block per employee (department + position + folders they can access).
All settled decisions from today's calls captured (Sandra Fish = Meredith-
only, Culinary = kitchen + M/J/A, no chat share, caregivers zero on-prem,
Veronica = Meredith tier, CasAdmin201 retired, pacs empty).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
KB5082142 (Windows Server 21H2 CU) + KB5084071 (.NET Framework CU) triggered
cascading Exchange 2016 failures on NEPTUNE today. External SMTP ingest was
restored after 4 fixes (registry ACL on AssistantsQuarantine, Routing Master
DN, disabled messageconcept ExSBR, hosts entries for dead MAIL server). But
internal pipeline (Submission -> categorizer -> mailbox delivery) remained
broken until 3 more fixes (DNS records on ACG-DC16 for n-hosting1/n-largeboxes
/mail, disabled hung DkimSigner agent, disabled IRM to silence RMS Encryption
Agent timeouts). Submission queue still pinned at ~427 messages pre-reboot;
full Neptune reboot queued to clear edgetransport.exe in-memory DNS cache and
pending KB5082142 reboot actions.
All registry/AD/config backups in C:\BackupBeforeFix\ on Neptune. Post-reboot
verification checklist documented in the log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
