Investigated barbara@bardach.net login issues (account-locked message, INKY SSL
errors). Finding: active distributed password-spray against the tenant (also
hitting admin@), NOT a breach — no successful attacker sign-in, no mailbox/rule/
forwarding changes. Root exposure: MFA not enforced (no Entra P1 -> no CA).
Remediation (Mike confirmed): enabled Security Defaults tenant-wide. Both active
accounts MFA-ready (Authenticator) -> no lockout; legacy auth now blocked.
- 2026-06-05-account-investigation-mfa-enforcement.md (full report)
- 2026-06-05-barbara-note-draft.md (client note, for Mike to send)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- 2026-06-05-tom-message-draft.md: Mike's final relief-framed wording
- 2026-06-05-quo-sql-fix-list.md: 80 live quo call sites across 15 files (C3)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds the "from emergency to deliberate staged objectives" pacing strategy
(severity unchanged, tempo deliberate - the depth of the Glaz tools estate makes
rushing the bigger risk) and records Steve's blanket approval (Tier A
execution-cleared). Softens the Tom outreach to a partnership / not-a-fire-drill
tone per Mike.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Grok + Gemini consensus reframe of the way forward: ACG-owned containment
(E-bucket, DB de-privilege, WAF, SQL network segmentation) is the real C0
reduction; the audience/network split is real only for the employee surface.
Tom's one within-skill ask = parameterize the 59 quo() SQL queries (ACG hands
him the exact lines); tokenized payments is a deferred scaffolded sub-project.
Steve Eastman gave ACG blanket approval to proceed (Tier A execution-cleared).
Includes a relief-framed draft message to Tom.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Scope (v0.3) for replacing the website's sysadmin login 'tom' with a
least-privilege login: two-phase plan (GTIware co-residency forces keeping
cc_file in Phase 1), Grok + Gemini independent review folded in, and live
RMM recon findings that materially changed the picture - the website is a
cross-office + Sage accounting + payroll + msdb hub on one sysadmin
credential, SQL is centralized on GTI-INV-SQL\GTISQL:3436 (not per-site).
PARKED pending a full network recon. Session log covers the website outage
fix (incomplete E1 ACL hardening) + the scoping + recon.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Test of the new /save Phase 3: session log written to the client dir,
then the wiki article full-recompiled (Patterns/History preserved, History
extended with the 2026-06-01 handoff, sources + Syncro fields refreshed),
both committed together.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Relocated the recovered RADIUS/VPN log from root session-logs to
clients/peaceful-spirit/. It is the primary-source transcript of the
crashed 2026-05-10 session that the existing 2026-05-10-session.md
reconstructed second-hand; cross-referenced both as a pair. Corrected
machine attribution to DESKTOP-0O8A1RL (recovery engine had stamped the
current machine GURU-5070).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
