- Removed DMARC bypass transport rule for clearcutglass.com from GlazTech Exchange Online
- Reviewed clearcutglass.com DNS post Team Logic IT changes; flagged SPF softfail (~all)
- Communicated findings to client and IT vendor (Jordan Fox / Team Logic IT)
- M365 tenant review: removed external Global Admin (tomakkglass.com guest)
- Identified no MFA enforcement (Security Defaults disabled, no CA, no P1)
- Created Syncro ticket #32186 for MFA implementation project
- Documented MFA rollout plan and service account audit requirements
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added desertrat.com to /etc/mailprotector_domains on Websvr (outbound SBR now active)
- Created Mailprotector bulk user import CSV (38 desertrat.com accounts/forwarders)
- Created Syncro ticket #32181 + invoice #67437 for Furrier (30 min remote, $81.53)
- Corrected syncro.md skill doc: add_line_item for billing, remove_line_item to delete,
charge_timer_entry to convert timers, comment DELETE impossible via API
- Created clients/furrier/ with session log
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fixed MSI build on Pluto (missing WixToolset.Util.wixext in install.rs)
- Created docs/DESIGN.md in gururmm repo (per-component design guide)
- Saved BirthBiologic GuruRMM site credentials to vault
- Added birth-biologic and mvan-inc client session logs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Decommissioned cloudflared tunnel, migrated 9 services to direct CF proxy,
removed ~22 stale pfSense rules and 22 unused aliases.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New SPs need ~5s to replicate before appRoleAssignments can be granted.
Also fixes jq null iterator error when SP has no existing assignments.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dark-theme HTML page with one-click consent URLs for each tenant.
Tracks done/pending state in localStorage. Re-consent tenants (martylryan,
grabblaw) highlighted separately. No copy-paste needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After Tenant Admin is consented by customer admin, the script automatically:
- Creates SPs for Security Investigator, Exchange Operator, User Manager,
and Defender Add-on (programmatic consent, no extra customer clicks needed)
- Grants all required Graph, Exchange Online, and Defender ATP appRoleAssignments
- Idempotent: skips any permissions already granted
Also added AppRoleAssignment.ReadWrite.All to Tenant Admin manifest so
fresh consents include this permission. Existing tenants (martylryan.com,
grabblaw.com) need a one-time Tenant Admin re-consent to pick it up.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
41 CIPP-managed tenants sourced from ListTenants API. Includes onboarding
status, tenant IDs, and pre-built Tenant Admin consent URLs for each.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root cause: app-only Graph operations (password reset, Exchange REST) require
directory roles on each SP in the customer tenant, not just admin consent.
RoleManagement.ReadWrite.Directory was missing from all app manifests, making
role assignment impossible without manual portal work that was never being done.
Changes:
- patch-tenant-admin-manifest.sh: adds RoleManagement.ReadWrite.Directory to
Tenant Admin app manifest via Management app, grants home-tenant consent
- onboard-tenant.sh: new script — resolves tenant, acquires Tenant Admin token,
assigns Exchange Administrator to Security Investigator SP and User/Auth
Administrator to User Manager SP; --dry-run supported; idempotent
- get-token.sh: detects AADSTS7000229, emits consent URL + onboard-tenant.sh
reminder instead of silent failure
- gotchas.md: onboarding steps at top, tenant table expanded with role columns,
all known tenants updated including martylryan.com (first fully onboarded)
Verified: martylryan.com fully onboarded, password reset to MLR2026!! succeeded
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- clients/glaztech/session-logs/2026-04-20-session.md: Exchange Online
transport rule created to bypass DMARC for clearcutglass.com
- session-logs/2026-04-20-session.md: update with 12:55 work
- .claude/commands/syncro.md: fix billing workflow — comment endpoint
silently drops time fields; use timer_entry endpoint instead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Windows Store python3 stub returns exit 49 instead of running Python.
Replace with: py (Windows launcher) for actual Python code, jq for
simple JSON extraction. Reorder fallback loops to try py first.
Add Bash(py:*) to settings.local.json allowlist.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extract Ollama docs and PROJECT_STATE locking protocol to on-demand
reference files. Trim Work Mode to detection table only. Remove verbose
anti-pattern examples and credential encryption details.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
git add -A captured the stale submodule pointer on Howard's machine
(April 18 init, not updated) and committed it, causing a conflict.
Now sync always runs git submodule update --remote first so the pointer
is current before staging.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rewrote get-token.sh: tiered app system (investigator/exchange-op/user-manager/tenant-admin/defender)
- Updated SKILL.md, command, gotchas, checklist, graph-endpoints for new app suite
- Cascades breach check: mailbox clean, inbound phishing received by John, DMARC gap noted
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Triggered by John Trozzi reporting a spoof email. Single-user check
confirmed him clean (reported, not compromised). Tenant-wide sweep
found a sustained ~1 month campaign from 4 external IPs (UA/US/DE/AT
- deltahost + ColoCrossing) plus a compromised-M365-tenant relay
vector. Deleted 14 messages (Groups A+B) per Mike's explicit
authorization. Preserved legitimate HR thread (HRPYDBRUN xlsx) and
user outbound forwards as evidence.
Recommendations in report: DMARC p=quarantine/reject for
cascadestucson.com (biggest leverage), TABL IP blocks, zoom.nl
URL block, Defender impersonation protection.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Tier 0 (Ollama): summarize, classify, extract, draft, format — free/fast/private
- qwen3:14b for general tasks; codestral:22b for code suggestions
- Falls back to Haiku if Ollama unreachable or task needs agent tool use
- Bump rule extended: Ollama → Haiku on security/auth/migration/production
- Delegation pattern: direct Bash curl, not an agent spawn
- Per-task model guidance and review policy documented
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Establishes inter-session coordination for 29 projects/clients:
- Full lock/component format for active projects (dataforth-dos,
radio-show, cascades-tucson, valleywide, instrumental-music-center,
lens-auto-brokerage, msp-audit-scripts)
- Light format for complete/stalled/planning (msp-pricing, pavon,
wrightstown-*, gururmm-agent, community-forum, glaztech, etc.)
- Onboarding stubs for recently added clients
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Formalizes the read → lock → act → release cycle for any project
that has a PROJECT_STATE.md. Every Claude instance must:
- Re-read state before any action (not just at session start)
- Claim a lock row before touching any component
- Release lock + log result on completion or failure
- Clear stale locks (>2h) before proceeding
Applies to code edits, git ops, SSH/deploy, DB migrations, builds.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
