Pattern analysis reveals:
- 31 tickets span March 3 - April 28 (not one-time event)
- Multiple update date clusters (batch processing pattern)
- All missing normal invoice workflow steps
- Tickets changed to 'Invoiced' status without:
* Time entries
* Invoice generation
* Workflow comments
NOT a Claude/API integration issue - Claude doesn't change ticket statuses.
Likely causes:
1. Manual bulk status updates to clear queue
2. Misconfigured Syncro automation/workflow
3. Periodic batch status changes
Urgent: Need to review Syncro automation rules and prevent future revenue loss
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Deep verification performed:
- Checked customer invoice records for all 31 tickets
- ZERO invoices found matching these tickets
- Cascades confirmed to have NO contract (11 tickets affected)
- Example: Kittle #32223 marked 'Invoiced' but no invoice exists
- This is genuine lost revenue, not contract-covered work
Estimated impact: 31 billable tickets with no revenue captured
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Major billing gap identified:
- 39 tickets closed/invoiced today
- 31 have ZERO time logged (00:00:00)
- Many marked 'Invoiced' but sent with no time
- Detailed list provided for review and correction
Sombra RMM enrollment: no billing needed per Mike
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Ticket #32225 exists but has no time logged
- Today's GuruRMM enrollment work is unbilled
- Needs either ticket update or new ticket creation
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Both servers were already patched (11.110.0.97 and 11.134.0.20) via
daily auto-update. IOC scan found 16 flagged sessions across both
plus 4 uncommented SSH keys on IX.
Critical remediation:
- Forensic evidence preserved before any deletion
- 4 uncommented SSH keys removed from IX (server-side backup retained)
- 16 flagged sessions purged across both servers
- Root passwords rotated via chpasswd
- New WHM API tokens created; 3 stale transfer-* tokens revoked
- Vault entries + 1Password Infrastructure items updated
Forensic deep-dive verdict: patch held. All 7 actual CVE exploit
attempts (botnet IPs hitting /json-api/version) returned HTTP 403.
The "multi-line pass" IOC hits on user sessions were false positives.
Unidentified 76.18.103.222 root session traced to routine SSL
maintenance (zero sensitive endpoints touched).
Skill hardening:
- Added MANDATORY service-token directive to .claude/commands/1password.md
enforcing OP_SERVICE_ACCOUNT_TOKEN from SOPS for all op CLI calls
- Per Mike: memory files alone don't reliably bind agent behavior;
baking governance into skill content loaded at moment of use.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
