- intune-manager SOPS file is present; Howard needs to pull vault (2 commits behind)
- Directed Howard to check Syncro for current labor rates
- Cleared addressed items from for-mike.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Syncro auto-calculates price from the product's configured rate — omit price_retail.
Cleared Howard's messages from for-mike.md (both items addressed).
Left reply for Howard in for-howard.md confirming fix is live.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Python open() can't read MSYS-style paths (/c/claudetools/...).
Fix: try jq first (handles Unix paths cleanly on all platforms),
fall back to Python with cygpath -m conversion to mixed Windows paths.
Matches the same fix already applied to get-token.sh.
Bug reported by Howard (HOWARD-HOME, 2026-04-21).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Complete vault and SOPS setup on Mac from scratch. Fixed critical
get-token.sh bugs (variable collision + directory depth), validated
vault sync from Windows, tested all 5 tiers.
Key accomplishments:
- Installed SOPS 3.12.2 + age 1.3.1 via Homebrew
- Configured age private key and SOPS environment
- Cloned vault repository with 6 SOPS files
- Fixed vault.sh line endings (CRLF → LF)
- Token acquisition working: 4/5 tiers (defender not consented)
- Created comprehensive VAULT-SETUP-GUIDE.md (522 lines)
- Removed guru-rmm submodule auto-update from sync script
Remediation-tool now portable across Mac/Windows. Ready for Howard setup.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Complete reference for setting up vault access on Mac/Windows/Linux.
Covers all issues encountered during Mac setup:
- Line ending fixes (CRLF → LF)
- SOPS_AGE_KEY_FILE environment configuration
- Age key installation and permissions
- Common errors and solutions
Includes quick setup for Howard's machines (ACG-Tech03L, HOWARD-HOME).
Successfully validated on Mikes-MacBook-Air - all 4 tiers working.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Tested vault access capability on Mac. Found multiple blockers:
- SOPS not installed
- age not installed
- age key not configured
- vault repo not cloned (git auth blocked)
Documents what would be required vs. recommendation to skip Mac setup.
Windows already validated - all 5 tiers working.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Step-by-step test to validate:
- 5 SOPS files are in vault repo
- Token acquisition works for all tiers
- Howard can be notified to pull
Includes Howard notification message template.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Documents authentication blocker for vault clone on Mac.
Provides step-by-step setup instructions for future vault access.
Vault sync from Windows is complete - Mac setup is optional.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1. Variable name collision: VAULT_PATH was used for both the SOPS file
relative path (set by case statement) and the vault root override env
var. Renamed env var override to VAULT_ROOT_ENV to avoid collision.
2. Wrong directory depth: CLAUDETOOLS_ROOT was navigating 3 levels up
from scripts/ landing at .claude/ instead of repo root. Fixed to 4
levels (scripts -> remediation-tool -> skills -> .claude -> repo root).
Also added jq as primary vault_path reader (handles Unix paths on Windows),
with cygpath-converted Python fallback.
Bugs discovered during Mac testing 2026-04-21. Windows worked only because
tokens were served from /tmp cache after first acquisition.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
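The three fixes named in this commit (and the jq/cygpath path fix from the earlier "Python open() can't read MSYS-style paths" commit), written out as an added shell example. This is not the repository's get-token.sh; the tier file names, the `tiers/*.sops.yaml` layout and the `.claude/identity.json` location are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the repository's get-token.sh. Tier file names and the
# identity.json location are assumed for illustration.

# Fix 2: the repo root is four levels above the script directory:
#   scripts -> remediation-tool -> skills -> .claude -> repo root
claudetools_root() {
    ( cd "$1/../../../.." 2>/dev/null && pwd )
}

# vault_path reader: jq first (it handles /c/... paths on MSYS), then Python
# with the file name converted by cygpath -m to a mixed path (C:/...) that
# Python's open() accepts. Without cygpath the path is passed through as-is.
read_vault_path() {
    file="$1"
    if command -v jq >/dev/null 2>&1; then
        jq -r '.vault_path // empty' "$file"
        return
    fi
    if command -v cygpath >/dev/null 2>&1; then
        file=$(cygpath -m "$file")
    fi
    py=$(command -v python3 2>/dev/null || command -v python 2>/dev/null) || return 1
    "$py" -c 'import json, sys; print(json.load(open(sys.argv[1])).get("vault_path", ""))' "$file"
}

# Fix 1: VAULT_PATH is the SOPS file relative to the vault root and is set per
# tier by the case statement; the optional root override lives in a variable
# with a different name (VAULT_ROOT_ENV) so the two can no longer collide.
sops_file_for_tier() {
    tier="$1"; identity="$2"
    case "$tier" in
        tenant-admin)          VAULT_PATH="tiers/tenant-admin.sops.yaml" ;;
        security-investigator) VAULT_PATH="tiers/security-investigator.sops.yaml" ;;
        exchange-operator)     VAULT_PATH="tiers/exchange-operator.sops.yaml" ;;
        user-manager)          VAULT_PATH="tiers/user-manager.sops.yaml" ;;
        defender)              VAULT_PATH="tiers/defender.sops.yaml" ;;
        *) echo "unknown tier: $tier" >&2; return 1 ;;
    esac
    root="${VAULT_ROOT_ENV:-$(read_vault_path "$identity")}"
    if [ -z "$root" ]; then
        echo "no vault root: set VAULT_ROOT_ENV or vault_path in $identity" >&2
        return 1
    fi
    printf '%s/%s\n' "$root" "$VAULT_PATH"
}

# Stand-alone use: ./example.sh <tier> [identity.json]
[ $# -eq 0 ] || sops_file_for_tier "$1" "${2:-$(claudetools_root "$(dirname "$0")")/.claude/identity.json}"
```

The reason the Windows run passed before the fix is visible here: nothing in `sops_file_for_tier` is consulted once a token is served from cache, so the collision only surfaces on a machine that has to acquire a token fresh.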
Critical bug discovered during Mac vault testing. Variable name collision
breaks token acquisition on all machines.
Fix required before proceeding with Howard's vault sync task.
Read .claude/URGENT-vault-path-bug.md on Windows laptop for remediation steps.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
sync.sh: after pull, scan changed session logs for "## Note for" /
"## Message for" sections and print them in a highlighted block
before the sync summary. Forces attention on inter-team messages.
CLAUDE.md: document mandatory behavior — cross-user notes displayed
at top of response with full content, action items addressed before
continuing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
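The scan this commit describes, as an added shell example that is not the repository's sync.sh. The session-log content is constructed; how sync.sh obtains the list of changed files is not shown in the commit, so that part is left to the caller (stdin, one path per line).

```shell
#!/bin/sh
# Added example, not the repository's sync.sh. Sample log content is constructed.

# Print every "## Note for ..." or "## Message for ..." section of one file,
# from its heading up to (not including) the next "## " heading.
extract_notes() {
    awk '
        /^## (Note|Message) for/ { show = 1; print; next }
        /^## /                   { show = 0 }
        show                     { print }
    ' "$1"
}

# Read changed file paths from stdin (one per line), print any notes they
# contain inside a visible banner, and return 0 only if something was shown,
# so the caller can pause before the sync summary when there are messages.
show_inter_team_notes() {
    found=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        notes=$(extract_notes "$f")
        [ -n "$notes" ] || continue
        if [ "$found" -eq 0 ]; then
            printf '\n%s\n' '=============== MESSAGES FROM OTHER USERS ==============='
            found=1
        fi
        printf '--- %s ---\n%s\n' "$f" "$notes"
    done
    if [ "$found" -eq 1 ]; then
        printf '%s\n\n' '========================================================='
        return 0
    fi
    return 1
}

# Constructed session log used for the stand-alone run below.
make_sample_log() {
    printf '%s\n' \
        '# Session 2026-04-21' \
        '## Work done' \
        '- fixed get-token.sh' \
        '## Note for Mike' \
        'Pull vault; 2 commits behind.' \
        '- intune-manager SOPS file present' \
        '## Next steps' \
        '- nothing yet' > "$1"
}

# Stand-alone use: ./example.sh <changed-file>...
[ $# -eq 0 ] || printf '%s\n' "$@" | show_inter_team_notes
```

In a sync script the input would be something like `git diff --name-only "$before" HEAD -- '*.md' | show_inter_team_notes` (an assumed invocation; the commit does not show how changed logs are listed). Only level-2 headings terminate a note, so bullet lists and paragraphs inside the note are printed in full, which is what the CLAUDE.md rule about showing full content requires.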
- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)
Howard and Mac need vault_path added to their identity.json after pulling.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace hardcoded D:/vault references with candidate-list pattern
that also checks $HOME/vault, ~/.vault, and respects VAULT_PATH
env var override. Fixes vault.sh lookup failures on Mac and
Howard's machine.
Affected: CLAUDE.md, syncro.md, get-token.sh, patch-tenant-admin-manifest.sh
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
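The candidate-list lookup from this commit as an added shell example, not the repository's vault.sh. The candidate order (the old `D:/vault` default, then `$HOME/vault`, then `~/.vault`) follows the commit; treating an override that points at a missing directory as a hard error rather than falling through is a design choice made here.

```shell
#!/bin/sh
# Added example, not the repository's vault.sh.

# Resolve the vault root. $1 is an explicit override (pass "$VAULT_PATH" or
# whatever the script's override variable is); when empty, the candidate
# list is searched in order and the first existing directory wins.
find_vault_root() {
    override="$1"
    if [ -n "$override" ]; then
        if [ -d "$override" ]; then
            printf '%s\n' "$override"
            return 0
        fi
        # A wrong explicit override is an error, not a reason to guess.
        echo "vault override '$override' is not a directory" >&2
        return 1
    fi
    for candidate in "D:/vault" "$HOME/vault" "$HOME/.vault"; do
        if [ -d "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no vault found: clone it to $HOME/vault or set the override" >&2
    return 1
}

# Stand-alone use: ./example.sh [override]
[ $# -eq 0 ] || find_vault_root "$1"
```

Callers should check the exit status rather than the output: an empty string from a failed lookup silently turns every later SOPS path into a relative one under the current directory, which is the failure mode the hardcoded `D:/vault` produced on the Mac and on Howard's machine.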
- Removed DMARC bypass transport rule for clearcutglass.com from GlazTech Exchange Online
- Reviewed clearcutglass.com DNS post Team Logic IT changes; flagged SPF softfail (~all)
- Communicated findings to client and IT vendor (Jordan Fox / Team Logic IT)
- M365 tenant review: removed external Global Admin (tomakkglass.com guest)
- Identified no MFA enforcement (Security Defaults disabled, no CA, no P1)
- Created Syncro ticket #32186 for MFA implementation project
- Documented MFA rollout plan and service account audit requirements
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added desertrat.com to /etc/mailprotector_domains on Websvr (outbound SBR now active)
- Created Mailprotector bulk user import CSV (38 desertrat.com accounts/forwarders)
- Created Syncro ticket #32181 + invoice #67437 for Furrier (30 min remote, $81.53)
- Corrected syncro.md skill doc: add_line_item for billing, remove_line_item to delete,
charge_timer_entry to convert timers, comment DELETE impossible via API
- Created clients/furrier/ with session log
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fixed MSI build on Pluto (missing WixToolset.Util.wixext in install.rs)
- Created docs/DESIGN.md in gururmm repo (per-component design guide)
- Saved BirthBiologic GuruRMM site credentials to vault
- Added birth-biologic and mvan-inc client session logs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Decommissioned cloudflared tunnel, migrated 9 services to direct CF proxy,
removed ~22 stale pfSense rules and 22 unused aliases.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New SPs need ~5s to replicate before appRoleAssignments can be granted.
Also fixes jq null iterator error when SP has no existing assignments.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dark-theme HTML page with one-click consent URLs for each tenant.
Tracks done/pending state in localStorage. Re-consent tenants (martylryan,
grabblaw) highlighted separately. No copy-paste needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After Tenant Admin is consented by customer admin, the script automatically:
- Creates SPs for Security Investigator, Exchange Operator, User Manager,
and Defender Add-on (programmatic consent, no extra customer clicks needed)
- Grants all required Graph, Exchange Online, and Defender ATP appRoleAssignments
- Idempotent: skips any permissions already granted
Also added AppRoleAssignment.ReadWrite.All to Tenant Admin manifest so
fresh consents include this permission. Existing tenants (martylryan.com,
grabblaw.com) need a one-time Tenant Admin re-consent to pick it up.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
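An added shell example covering both the replication-delay commit above ("New SPs need ~5s to replicate", jq null iterator) and the idempotent grant described in this one. It is not the project's consent script: the Graph call itself is replaced by a constructed stand-in that fails until it has been invoked a set number of times, and the role IDs and assignment JSON are constructed samples standing in for Graph appRoleId GUIDs and `/servicePrincipals/{id}/appRoleAssignedTo` responses.

```shell
#!/bin/sh
# Added example, not the project's consent script. Samples are constructed.

# Retry a command until it succeeds, sleeping between attempts. A freshly
# created service principal takes a few seconds to replicate, so the first
# appRoleAssignment POST can fail and must be retried rather than treated fatal.
retry() {
    attempts="$1"; delay="$2"; shift 2
    try=1
    while ! "$@"; do
        if [ "$try" -ge "$attempts" ]; then
            echo "gave up after $try attempts: $*" >&2
            return 1
        fi
        try=$((try + 1))
        sleep "$delay"
    done
}

# Constructed stand-in for a Graph call that fails until replication has
# caught up: fails until it has been called $2 times (state kept in file $1).
fails_until() {
    count=$(cat "$1" 2>/dev/null || echo 0)
    count=$((count + 1)); printf '%s' "$count" > "$1"
    [ "$count" -ge "$2" ]
}

# Roles already granted to an SP, one appRoleId per line. A brand-new SP
# answers with no "value" array at all; a bare `.value[]` then fails with
# "Cannot iterate over null", so `.value[]?` (or `(.value // [])[]`) is used.
granted_roles() {
    printf '%s' "$1" | jq -r '.value[]? | .appRoleId'
}

# Required roles (one per line) minus the ones already granted: exactly the
# assignments still to POST. Empty output means nothing to do, which is what
# makes re-running the script against an already consented tenant safe.
missing_roles() {
    required="$1"; assignments="$2"
    granted=$(granted_roles "$assignments")
    printf '%s\n' "$required" | while IFS= read -r role; do
        [ -n "$role" ] || continue
        printf '%s\n' "$granted" | grep -qx "$role" || printf '%s\n' "$role"
    done
}

# Constructed samples: placeholder role IDs and three assignment responses.
SAMPLE_REQUIRED=$(printf 'role-a\nrole-b')
SAMPLE_FRESH_SP='{}'
SAMPLE_PARTIAL='{"value":[{"appRoleId":"role-a","resourceId":"res-1"}]}'
SAMPLE_COMPLETE='{"value":[{"appRoleId":"role-a","resourceId":"res-1"},{"appRoleId":"role-b","resourceId":"res-1"}]}'

# Stand-alone use: ./example.sh '<appRoleAssignedTo JSON>' prints roles still missing.
[ $# -eq 0 ] || missing_roles "$SAMPLE_REQUIRED" "$1"
```

In the real script the grant loop would be `retry 6 5 graph_post ...` for each line of `missing_roles`, so a still-replicating SP costs at most a few five-second waits and an already granted role costs nothing. The jq guard matters beyond the first run: any tenant where the SP exists but has no assignments yet (for example after a failed earlier grant) hits the same null iterator.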