Meredith/John returned the staff-editor questionnaire (70 people, 11
departments). CSV ingested to reports/; p2-staff-candidates.md updated
with real persona breakdown. Wrote full AD/M365 user rollout plan (8
personas, license mapping, OU/group layout, CA policies, 4-wave
sequence, 8 open decisions). Drafted follow-up email for remaining open
items — Howard will edit and send.
Britney Thompson and Polett Pinazavala confirmed still employed (were
absent from the CSV return). Christine Nyanzunda confirmed as one
person with two roles. Usernames locked for new accounts:
Alma.Montt, Kyla.QuickTiffany.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Added Teams deployment + HIPAA-appropriate configuration as a tracked
gap (hipaa.md #27) and M365 issue (m365.md #14). Cites transmission
security + BAA requirements and outlines controls needed (retention,
DLP, external sharing lockdown, guest access, meeting consent).
Dependency on Microsoft BAA flagged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Removed DMARC bypass transport rule for clearcutglass.com from GlazTech Exchange Online
- Reviewed clearcutglass.com DNS post Team Logic IT changes; flagged SPF softfail (~all)
- Communicated findings to client and IT vendor (Jordan Fox / Team Logic IT)
- M365 tenant review: removed external Global Admin (tomakkglass.com guest)
- Identified no MFA enforcement (Security Defaults disabled, no CA, no P1)
- Created Syncro ticket #32186 for MFA implementation project
- Documented MFA rollout plan and service account audit requirements
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added desertrat.com to /etc/mailprotector_domains on Websvr (outbound SBR now active)
- Created Mailprotector bulk user import CSV (38 desertrat.com accounts/forwarders)
- Created Syncro ticket #32181 + invoice #67437 for Furrier (30 min remote, $81.53)
- Corrected syncro.md skill doc: add_line_item for billing, remove_line_item to delete,
charge_timer_entry to convert timers, comment DELETE impossible via API
- Created clients/furrier/ with session log
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fixed MSI build on Pluto (missing WixToolset.Util.wixext in install.rs)
- Created docs/DESIGN.md in gururmm repo (per-component design guide)
- Saved BirthBiologic GuruRMM site credentials to vault
- Added birth-biologic and mvan-inc client session logs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- clients/glaztech/session-logs/2026-04-20-session.md: Exchange Online
transport rule created to bypass DMARC for clearcutglass.com
- session-logs/2026-04-20-session.md: update with 12:55 work
- .claude/commands/syncro.md: fix billing workflow — comment endpoint
silently drops time fields; use timer_entry endpoint instead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Triggered by John Trozzi reporting a spoof email. Single-user check
confirmed him clean (reported, not compromised). Tenant-wide sweep
found a sustained ~1 month campaign from 4 external IPs (UA/US/DE/AT
- deltahost + ColoCrossing) plus a compromised-M365-tenant relay
vector. Deleted 14 messages (Groups A+B) per Mike's explicit
authorization. Preserved legitimate HR thread (HRPYDBRUN xlsx) and
user outbound forwards as evidence.
Recommendations in report: DMARC p=quarantine/reject for
cascadestucson.com (biggest leverage), TABL IP blocks, zoom.nl
URL block, Defender impersonation protection.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Establishes inter-session coordination for 29 projects/clients:
- Full lock/component format for active projects (dataforth-dos,
radio-show, cascades-tucson, valleywide, instrumental-music-center,
lens-auto-brokerage, msp-audit-scripts)
- Light format for complete/stalled/planning (msp-pricing, pavon,
wrightstown-*, gururmm-agent, community-forum, glaztech, etc.)
- Onboarding stubs for recently added clients
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Two phishing campaigns hit Glaztech on 2026-04-17 bypassing MailProtector
via exposed M365 MX record. Spoofed internal senders, forwarded by 8 users.
Fixes applied: removed direct M365 MX, DMARC p=reject, Enhanced Filtering
on inbound connector. 32 messages purged across all affected mailboxes.
Forensic samples + full incident report preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New clients/evs/ directory with session log documenting the
registry tweak to restore the classic right-click context menu
on Howard's EVS VM (reg add of empty InprocServer32 under the
Win11 new-menu CLSID, per-user HKCU, no admin needed).
Built the missing piece between the test datasheet pipeline and Dataforth's
new product API. End-to-end:
- Pulled DFWDS (Dataforth Web Datasheet System) VB6 source from
AD1\Engineering\ENGR\ATE\Test Datasheets\DFWDS to local for analysis
- Decoded its filename validation: A-J prefix decodes (A=10..J=19), all-
numeric WO# valid (no leading 0), anything else bad
- Ported the validation + move logic to Node (dfwds-process.js)
- Built bulk uploader (upload-delta.js) for Hoffman's Swagger API
(POST /api/v1/TestReportDataFiles/bulk with OAuth client_credentials)
Sanitized 3 prior reference scripts (fetch-server-inventory, test-scenarios,
test-upload-two) to read CF_* env vars instead of hardcoded creds.
Live drain results:
- 897 files moved Test_Datasheets -> For_Web (all valid, no renames, no
bad), DFWDS port summary in 1.1s
- Pushed entire For_Web (7,061 files) to Hoffman API in 49.7s @ 142/s:
Created=803 Updated=114 Unchanged=6,144 Errors=0
- Server count: 489,579 -> 490,382 (+803 net new)
Also:
- Added clients/dataforth/.gitignore to exclude plaintext Oauth.txt note
- Added clients/instrumental-music-center/docs/2026-04-13-ticket-notes.md
(ticket write-up of 2026-04-11/12/13 IMC1 RDS removal/SQL migration work)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Audited all 25 proxied zone records and expanded tunnel ingress to cover
9 hostnames total (azcomputerguru + analytics + community + radio +
git + plexrequest + rmm + rmm-api + sync). All verified HTTP 200.
Reverted 3 hostnames to original A records after discovering they
require backend work, not tunnel changes:
- plex/rustdesk: NPM on Jupiter has no vhost for these (returned
'tls: unrecognized name' when tunneled)
- secure: Jupiter can't route to its backend subnet 172.16.1.0/24
Reverted ix.azcomputerguru.com to DNS-only A record after user
reported :2087 WHM access broken. Cloudflare Tunnel is hostname-bound,
not port-bound, so non-standard admin ports can't pass through. Direct
NAT to 72.194.62.5 restored WHM/cPanel access.
Adds four new helper scripts under clients/internal-infrastructure/
scripts/cloudflared-tunnel-setup/ (audit_proxied, discover_backends,
expand_tunnel, revert_broken). All use SOPS vault / env var for creds.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Diagnosed azcomputerguru.com 521 errors: Cox's BGP route to specific
Cloudflare origin-pull prefixes (162.158.0.0/16, 172.64.0.0/13,
173.245.48.0/20, 141.101.64.0/18) is broken from 72.194.62.0/29.
Confirmed by TCP probe matrix from pfSense WAN, traceroute latency
comparison, and state-table showing 0 inbound CF connections while
direct-internet traffic still reached origin.
Deployed Cloudflare Tunnel 'acg-origin' on Jupiter Unraid as a
Docker container. Routes 4 proxied hostnames (azcomputerguru.com,
analytics., community., radio.) through the tunnel with HTTPS
backend to IX 172.16.3.10:443 with per-ingress SNI matching. All
4 hostnames return 200 OK through CF edge after the cutover.
Repo hygiene:
- Merged clients/ix-server/ into clients/internal-infrastructure/
(IX is internal infra, not a paying-client account). Git detected
the session-log files as renames so history is preserved. Updated
4 stale path references in 2 files.
- Moved cox-bgp ticket draft out of projects/dataforth-dos/ (wrong
project) to clients/internal-infrastructure/vendor-tickets/.
- Relocated tunnel-setup helper scripts from
projects/dataforth-dos/datasheet-pipeline/implementation/ to
clients/internal-infrastructure/scripts/cloudflared-tunnel-setup/.
Deleted superseded/abandoned login attempts. Sanitized hardcoded
Jupiter/pfSense SSH passwords to pull from SOPS vault at runtime;
Cloudflare token reads from env var (tokens still in 1Password,
vault entry is metadata-only).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Show prep for April 5, 11, 18, 2026 (markdown + HTML)
- IX server Smart Slider 3 Pro security scan script
- Comprehensive security audit report (87 WordPress sites)
- All sites safe: 0 PRO (compromised), 3 FREE (safe)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
