New SPs need ~5s to replicate before appRoleAssignments can be granted.
Also fixes jq null iterator error when SP has no existing assignments.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dark-theme HTML page with one-click consent URLs for each tenant.
Tracks done/pending state in localStorage. Re-consent tenants (martylryan,
grabblaw) highlighted separately. No copy-paste needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After Tenant Admin is consented by customer admin, the script automatically:
- Creates SPs for Security Investigator, Exchange Operator, User Manager,
and Defender Add-on (programmatic consent, no extra customer clicks needed)
- Grants all required Graph, Exchange Online, and Defender ATP appRoleAssignments
- Idempotent: skips any permissions already granted
Also added AppRoleAssignment.ReadWrite.All to Tenant Admin manifest so
fresh consents include this permission. Existing tenants (martylryan.com,
grabblaw.com) need a one-time Tenant Admin re-consent to pick it up.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
41 CIPP-managed tenants sourced from ListTenants API. Includes onboarding
status, tenant IDs, and pre-built Tenant Admin consent URLs for each.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root cause: app-only Graph operations (password reset, Exchange REST) require
directory roles on each SP in the customer tenant, not just admin consent.
RoleManagement.ReadWrite.Directory was missing from all app manifests, making
role assignment impossible without manual portal work that was never being done.
Changes:
- patch-tenant-admin-manifest.sh: adds RoleManagement.ReadWrite.Directory to
Tenant Admin app manifest via Management app, grants home-tenant consent
- onboard-tenant.sh: new script — resolves tenant, acquires Tenant Admin token,
assigns Exchange Administrator to Security Investigator SP and User/Auth
Administrator to User Manager SP; --dry-run supported; idempotent
- get-token.sh: detects AADSTS7000229, emits consent URL + onboard-tenant.sh
reminder instead of silent failure
- gotchas.md: onboarding steps at top, tenant table expanded with role columns,
all known tenants updated including martylryan.com (first fully onboarded)
Verified: martylryan.com fully onboarded, password reset to MLR2026!! succeeded
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- clients/glaztech/session-logs/2026-04-20-session.md: Exchange Online
transport rule created to bypass DMARC for clearcutglass.com
- session-logs/2026-04-20-session.md: update with 12:55 work
- .claude/commands/syncro.md: fix billing workflow — comment endpoint
silently drops time fields; use timer_entry endpoint instead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Windows Store python3 stub returns exit 49 instead of running Python.
Replace with: py (Windows launcher) for actual Python code, jq for
simple JSON extraction. Reorder fallback loops to try py first.
Add Bash(py:*) to settings.local.json allowlist.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extract Ollama docs and PROJECT_STATE locking protocol to on-demand
reference files. Trim Work Mode to detection table only. Remove verbose
anti-pattern examples and credential encryption details.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
git add -A captured the stale submodule pointer on Howard's machine
(April 18 init, not updated) and committed it, causing a conflict.
Now sync always runs git submodule update --remote first so the pointer
is current before staging.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rewrote get-token.sh: tiered app system (investigator/exchange-op/user-manager/tenant-admin/defender)
- Updated SKILL.md, command, gotchas, checklist, graph-endpoints for new app suite
- Cascades breach check: mailbox clean, inbound phishing received by John, DMARC gap noted
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Triggered by John Trozzi reporting a spoof email. Single-user check
confirmed him clean (reported, not compromised). Tenant-wide sweep
found a sustained ~1 month campaign from 4 external IPs (UA/US/DE/AT
- deltahost + ColoCrossing) plus a compromised-M365-tenant relay
vector. Deleted 14 messages (Groups A+B) per Mike's explicit
authorization. Preserved legitimate HR thread (HRPYDBRUN xlsx) and
user outbound forwards as evidence.
Recommendations in report: DMARC p=quarantine/reject for
cascadestucson.com (biggest leverage), TABL IP blocks, zoom.nl
URL block, Defender impersonation protection.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Tier 0 (Ollama): summarize, classify, extract, draft, format — free/fast/private
- qwen3:14b for general tasks; codestral:22b for code suggestions
- Falls back to Haiku if Ollama unreachable or task needs agent tool use
- Bump rule extended: Ollama → Haiku on security/auth/migration/production
- Delegation pattern: direct Bash curl, not an agent spawn
- Per-task model guidance and review policy documented
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Establishes inter-session coordination for 29 projects/clients:
- Full lock/component format for active projects (dataforth-dos,
radio-show, cascades-tucson, valleywide, instrumental-music-center,
lens-auto-brokerage, msp-audit-scripts)
- Light format for complete/stalled/planning (msp-pricing, pavon,
wrightstown-*, gururmm-agent, community-forum, glaztech, etc.)
- Onboarding stubs for recently added clients
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Formalizes the read → lock → act → release cycle for any project
that has a PROJECT_STATE.md. Every Claude instance must:
- Re-read state before any action (not just at session start)
- Claim a lock row before touching any component
- Release lock + log result on completion or failure
- Clear stale locks (>2h) before proceeding
Applies to code edits, git ops, SSH/deploy, DB migrations, builds.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Restored the complete 504-line sync.md documentation from global
commands directory to the repo version. This ensures:
- Single source of truth for /sync documentation
- Documentation syncs across all machines
- PC and Mac have identical command reference
Previous simplified 39-line stub has been replaced with full
documentation including phases, examples, conflict resolution,
and troubleshooting.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
