Full recompile via Sonnet synthesis: enriched with Syncro billing history
(#100079, #67060, #67810), corrected ticket #32397 to Invoiced status,
added deferred items. Break-fix/no-RMM client.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
IC3 filed 2026-06-09 12:46 EST. Stamped the submission ID on the report; bank freeze letters
(Truist/First State/Chase) updated with the IC3 # and real Kittle/ACG contacts - now turnkey to send.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Per Kittle bookkeeper (2026-06-09): City of Tucson stopped the payment before any funds reached
the attacker (no completed loss; attempted $130k+). Kittle confirms no Foam Factory relationship,
confirming both receiving accounts are mules. Also: Ken un-restricted from sending (Outbox/Drafts
verified empty first); Lori was never restricted.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Inv #31468 $123,776.75 (confirmed), Inv #31400 ~$8,818, Inv #31453 $41,231 (open);
total identified exposure $130,000+ since the ACH change redirects all City->Kittle payments.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Double-checked the 2026-06-08 BEC remediation for missed EXO-dependent items now that
the Exchange role is confirmed. Findings: malicious inbox rules gone (cleanup stuck);
all 14 mailboxes clean of fwd/redirect/delete/move rules; no mailbox forwarding; no
transport rules; no rogue delegates. Open (need Ken): Christina-Micek StopProcessing rule
+ Ken FullAccess to Accounting. Corrected stale 'Exchange Admin NOT assigned' note (it IS).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
client.py: send() falls back to ResultMessage.result when no TextBlock streams
(the "(no response)" bug) and reconnects+retries once on a closed SDK session.
message_handler.py: per-thread turn lock so messages arriving mid-turn or from a
second user queue in order (nothing dropped); per-session requester-attribution
env (discord_id -> users.json key), pinned to the thread opener; _USER_MAP caches
only on a successful load; final answer posts as a fresh message at the BOTTOM
(no edit-in-place); a <@id> tag goes out as a fresh send so it actually pings.
main.py: allowed_mentions permits user pings, blocks @everyone/@here/roles.
DISCORD_CLAUDE.md: no thread auto-delete; tiered close-out (Q&A -> one-line rolling
log, substantive -> /save); @mention guidance; opener-pinned attribution note.
whoami-block.sh / sync.sh: bot-context attribution (Executed by ClaudeTools Bot /
Requested by <person>; git author = mapped requester, committer = bot). Strict
no-op for interactive sessions.
users.json: discord_id for Mike/Howard; added Winter Williams (bot-only, full trust).
Reviewed by Code Review Agent + Grok + Gemini (Gemini's "malformed email" finding
verified as a false positive).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
EXO email-cleanup tasks (Search-UnifiedAuditLog, Get-MessageTrace, inbox rules) kept
401/403-ing per tenant because the Exchange Operator SP was missing the Exchange Admin
directory role — admin consent grants Exchange.ManageAsApp but never the directory role.
onboard-tenant.sh assigns it, but tenants consented before that step / by hand never got
it, and nothing audited for it. Hence the recurring 'next onboarding will fix it' (false
for already-onboarded tenants).
- NEW assign-exchange-role.sh: idempotent role assignment via the authoritative
roleManagement/directory/roleAssignments API (the legacy directoryRoles/members list
reads back unreliably). <domain|--all> + --verify/--dry-run.
- Backfilled the whole fleet (--all): 13 stragglers ASSIGNED, 12 already OK, 20 skipped
(tenant-admin not consented), 0 errors. Safe Site included.
- Standing audit documented (assign-exchange-role.sh --all --verify) + memory so no future
session repeats the empty promise.
- Adds wiki/clients/safesite.md (tenant + 4-source endpoint inventory + investigation).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
