- Add hard rule: 9269129 (Prepaid Project Labor) is Exempt and does NOT deduct
from prepay_hours block — never use for normal work (verified 2026-05-04)
- Expand prepay_hours check from emergency-only to ALL billing workflows
- Fix emergency/prepaid branching table to use delivery-channel product instead
of hardcoding 26118 (Onsite) for remote and other labor types
- Clarify invoice step 15: $0.00 invoice total is correct for prepaid customers;
verify by checking customer.prepay_hours dropped by quantity
- Field 7 (Assigned Tech): add explicit default to API key owner; mark as MUST
always be included in POST payload to prevent null user_id on ticket create
- Add billing workflow hard rule: read prepay_hours before any billing, not just
emergency, so prepaid invoice behavior is known before execution begins
Triggered by ticket #32265 (Russo Law Firm) missing assignee/priority/billing.
Russo Law has 12.5 prepaid hrs — 0.5 hrs correctly deducted via invoice #67578.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deletions (~1,500 lines of dead docs):
- .claude/hooks/ — docs-only directory, no executables. Referenced scripts
setup-context-recall.sh / test-context-recall.sh did not exist. Hooks
would have POSTed to localhost:8000; the API actually ran at
172.16.3.30:8001 and is no longer in use.
- .claude/AUTO_CONTEXT_SYSTEM.md — 347-line duplicate spec of CLAUDE.md's
Automatic Context Loading section, referencing unimplemented hooks.
- .claude/URGENT-vault-path-bug.md — 217-line urgency note for a fix that
already shipped weeks ago.
- .claude/context-recall-config.env.example — config template for the same
dead system.
Refactors (~500 lines net removed):
- /save and /sync now wrap bash .claude/scripts/sync.sh as the single
source of truth for git ops. /save adds a session-log-writing step in
front; /sync invokes the script directly.
- Dropped /sync's manual git phases that contradicted sync.sh.
- Dropped the cp -r ~/ClaudeTools/.claude/commands/* ~/.claude/commands/
step (clobbered per-user customization in the multi-user model).
- Dropped auto-invoke of /refresh-directives (command does not exist).
- Dropped references to directives.md (file does not exist).
- /save now documents the rm -f save_narrative_prompt.txt step, fixing
the stale-prompt bug Howard documented in feedback_tmp_path_windows.md.
Fixes:
- CLAUDE.md SESSION_STATE.md reference replaced with the canonical
PROJECT_STATE.md (per-project, with protocol at
.claude/PROJECT_STATE_PROTOCOL.md). 16 client folders already use
PROJECT_STATE.md; SESSION_STATE.md was only a stale reference.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Promote timer_entry → charge_timer_entry to default billing path; demote
bare add_line_item to a clearly-labeled fallback for non-time items only.
Mike caught the bare-add_line_item bug across 31 tickets on 2026-04-30;
repeated on 3 tickets 2026-05-01. Time entries are required for Syncro
reporting (hours per client, tech productivity, prepay burn).
- Replace /tmp/*.json payload pattern with heredoc throughout. /tmp resolves
to C:\tmp\ in the Write tool but %LOCALAPPDATA%\Temp\ in Git Bash on
Windows — different real directories. Caused a wrong-comment incident on
ticket #32225 2026-05-01 (rogue payload from prior session). Heredoc
avoids the file handoff entirely.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Both servers were already patched (11.110.0.97 and 11.134.0.20) via
daily auto-update. IOC scan found 16 flagged sessions across both
plus 4 uncommented SSH keys on IX.
Critical remediation:
- Forensic evidence preserved before any deletion
- 4 uncommented SSH keys removed from IX (server-side backup retained)
- 16 flagged sessions purged across both servers
- Root passwords rotated via chpasswd
- New WHM API tokens created; 3 stale transfer-* tokens revoked
- Vault entries + 1Password Infrastructure items updated
Forensic deep-dive verdict: patch held. All 7 actual CVE exploit
attempts (botnet IPs hitting /json-api/version) returned HTTP 403.
The "multi-line pass" IOC hits on user sessions were false positives.
Unidentified 76.18.103.222 root session traced to routine SSL
maintenance (zero sensitive endpoints touched).
Skill hardening:
- Added MANDATORY service-token directive to .claude/commands/1password.md
enforcing OP_SERVICE_ACCOUNT_TOKEN from SOPS for all op CLI calls
- Per Mike: memory files alone don't reliably bind agent behavior;
baking governance into skill content loaded at moment of use.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Write operations (bill, comment, create) now send a prompt to Ollama
(qwen3:14b) for comment body and billing description drafting. Claude
reviews the output against the rate/prepaid/formatting checklist before
presenting the preview. If neither Ollama endpoint is reachable, Claude
drafts directly — same review and confirmation flow either way.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add local rate table (pulled 2026-04-24) for all 7 labor products; always
set price_retail explicitly — Syncro API does not auto-apply product rates
- Replace vault-based key fetch with inline case block on identity.json user;
both Mike and Howard keys included for correct per-user attribution
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents the 3-call create pattern (ticket → Initial Issue comment →
appointment), adds problem type and appointment type dropdowns with IDs,
fixes priority format to number-prefixed strings ("2 Normal"), adds Howard
to tech user ID table, and adds asset/contact lookup steps.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Syncro auto-calculates price from the product's configured rate — omit price_retail.
Cleared Howard's messages from for-mike.md (both items addressed).
Left reply for Howard in for-howard.md confirming fix is live.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)
Howard and Mac need vault_path added to their identity.json after pulling.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace hardcoded D:/vault references with candidate-list pattern
that also checks $HOME/vault, ~/.vault, and respects VAULT_PATH
env var override. Fixes vault.sh lookup failures on Mac and
Howard's machine.
Affected: CLAUDE.md, syncro.md, get-token.sh, patch-tenant-admin-manifest.sh
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added desertrat.com to /etc/mailprotector_domains on Websvr (outbound SBR now active)
- Created Mailprotector bulk user import CSV (38 desertrat.com accounts/forwarders)
- Created Syncro ticket #32181 + invoice #67437 for Furrier (30 min remote, $81.53)
- Corrected syncro.md skill doc: add_line_item for billing, remove_line_item to delete,
charge_timer_entry to convert timers, comment DELETE impossible via API
- Created clients/furrier/ with session log
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Windows Store python3 stub returns exit 49 instead of running Python.
Replace with: py (Windows launcher) for actual Python code, jq for
simple JSON extraction. Reorder fallback loops to try py first.
Add Bash(py:*) to settings.local.json allowlist.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rewrote get-token.sh: tiered app system (investigator/exchange-op/user-manager/tenant-admin/defender)
- Updated SKILL.md, command, gotchas, checklist, graph-endpoints for new app suite
- Cascades breach check: mailbox clean, inbound phishing received by John, DMARC gap noted
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Restored the complete 504-line sync.md documentation from global
commands directory to the repo version. This ensures:
- Single source of truth for /sync documentation
- Documentation syncs across all machines
- PC and Mac have identical command reference
Previous simplified 39-line stub has been replaced with full
documentation including phases, examples, conflict resolution,
and troubleshooting.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Discovered from GUI page source: comment[product_id] + comment[minutes_spent]
+ comment[bill_time_now] are fields on POST /tickets/{id}/comment. This is
how the GUI adds time — as part of the comment, not via separate timer_entry.
Updated billing workflow + added --time/--labor flags to comment command.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Timer entries use POST /tickets/{id}/timer_entry with labor product IDs
(not invoice products). "Make Invoice" converts timers to invoice.
Documented 7 common labor products with IDs. Fixed line_items path to
/invoices/{id}/line_items.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Create, update, close, comment on, search, and bill tickets via Syncro
REST API. Includes customer search, invoice creation, line items, and
ticket timer management. API key from SOPS vault.
Verified: pulls real ticket data from computerguru.syncromsp.com.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Jupiter cache drive at 99% BTRFS data allocation — MariaDB + Discourse
crash-looping. Root cause: 589G OwnCloud data stuck on cache (mover
blocked by active SMB session from OwnCloud VM). Migration in progress
(rsync cache->array disk7, ~90% at time of commit). Also fixed /mode
command to acknowledge /color is user-invokable only.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Five modes: client (orange), dev (cyan), infra (red), general (blue),
remediation (purple). Auto-detects from user messages using keyword
priority rules. Manual override via /mode <name>. Color changes via
/color on mode transitions. Posture adjusts per mode (e.g., infra =
confirm-before-destructive, dev = delegate freely).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Slash command that accepts any folder path, scans all files, classifies
by content (client work, project code, credentials, session logs, tools,
docs), sanitizes credentials into SOPS vault, presents a placement plan
for approval, then executes.
Handles Claude Code session data (delegates to tools/import-sessions.py),
existing project detection, duplicate checks, and credential extraction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Enhance /save and /sync slash commands to attribute commits by author
so Mike and Howard can see at a glance what the other person did.
- sync.sh: loads identity.json, shows incoming/outgoing commits with
author + age before pull/push, groups by author in final summary
- sync.md: describes the new output format + conflict attribution
- save.md: pre-commit Change Summary block + post-commit Summary
Motivation: repo is now shared across team, `git log` alone made it
hard to see "when did Howard change that?" without hunting.
Remove /refresh-directives references from save, checkpoint, scc, sync
commands. Trim sync.md from 400+ lines to essentials.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Activated 1Password skill for Claude Code (extracted from .skill ZIP)
- Resolved Lonestar Electrical MDM issue: ManageEngine was configured as
third-party EMM in Google Workspace, causing persistent enrollment prompts
on joser's personal phone
- Scoped credentials.md migration to 1Password (op:// refs + MSP vaults)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CRITICAL FIX: The /sync command was not pulling remote changes before pushing,
causing machines to miss each other's work.
Changes:
- Created .claude/scripts/sync.sh (automated sync script)
- Created .claude/scripts/sync.bat (Windows wrapper)
- Updated .claude/commands/sync.md to use script
The script ensures:
1. Fetches remote changes FIRST
2. Pulls with rebase (conflict detection)
3. Then pushes local changes
4. Proper error handling
5. Clear status reporting
This fixes the issue where running /sync multiple times did not see
the Mac's changes until manual git fetch was run.
Both Windows and Mac will now use the same reliable sync script.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changed Gitea repository URL from SSH to HTTPS format for better
compatibility across different machines and authentication setups.
URL change: git@git.azcomputerguru.com → https://git.azcomputerguru.com
Also simplified the command documentation to focus on practical steps
rather than extensive technical implementation details.
Files modified:
- .claude/commands/sync.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed deprecated database context save functionality from /checkpoint:
- Deleted Part 2: Database Context Save section
- Removed API endpoint, JWT auth, and payload examples
- Updated description to focus on git operations only
- Simplified verification to git commit only
- Kept directives refresh requirement
Checkpoint command now handles git commits exclusively.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implemented comprehensive DOS 6.22 update system for ~30 test stations with
critical fix for test data database import routing.
## Major Changes
### DOS Batch Files (7 files)
- NWTOC.BAT: Download updates from network to DOS machines
- CTONW.BAT v1.2: Upload with separate ProdSW/LOGS routing (CRITICAL FIX)
- UPDATE.BAT: Full system backup to network
- STAGE.BAT: System file staging for safe updates
- REBOOT.BAT: Apply staged updates on reboot
- CHECKUPD.BAT: Check for available updates
- DEPLOY.BAT: One-time deployment installer for DOS machines
### CTONW v1.2 Critical Fix
Fixed test data routing to match AD2 sync script expectations:
- Software distribution: C:\ATE\*.EXE -> T:\TS-4R\ProdSW\ (bidirectional)
- Test data logging: C:\ATE\8BDATA\*.DAT -> T:\TS-4R\LOGS\8BLOG\ (upload only)
- Subdirectory mapping: 8BDATA->8BLOG, DSCDATA->DSCLOG, HVDATA->HVLOG, etc.
- Test data now correctly imported to AD2 database via Sync-FromNAS.ps1
### Deployment Infrastructure
- copy-to-ad2.ps1: Automated deployment to AD2 server
- DOS_DEPLOYMENT_GUIDE.md: Complete deployment documentation
- DEPLOYMENT_GUIDE.md: Technical workflow documentation
- credentials.md: Centralized credentials (AD2, NAS, Gitea)
### Analysis & Documentation (15 files)
- CTONW_ANALYSIS.md: Comprehensive compliance analysis
- CTONW_V1.2_CHANGELOG.md: Detailed v1.2 changes
- NWTOC_ANALYSIS.md: Download workflow analysis
- DOS_BATCH_ANALYSIS.md: DOS 6.22 compatibility guide
- UPDATE_WORKFLOW.md: Backup system workflow
- BEHAVIORAL_RULES_INTEGRATION_SUMMARY.md: C: drive integration
### Session Logs
- session-logs/2026-01-19-session.md: Complete session documentation
### Conversation Reorganization
- Cleaned up 156 imported conversation files
- Organized into sessions-by-date structure
- Created metadata index and large files guide
## Technical Details
### AD2 → NAS → DOS Sync Flow
1. Admin copies files to AD2: \192.168.0.6\C$\Shares\test\
2. Sync-FromNAS.ps1 runs every 15 minutes (AD2 → NAS)
3. DOS machines access via T: drive (\D2TESTNAS\test)
4. NWTOC downloads updates, CTONW uploads test data
5. Sync imports test data to AD2 database
### DOS 6.22 Compatibility
- No %COMPUTERNAME%, uses %MACHINE% variable
- No IF /I, uses multiple case-specific checks
- Proper ERRORLEVEL checking (highest values first)
- XCOPY /S for subdirectory support
- ASCII markers ([OK], [ERROR], [WARNING]) instead of emojis
### File Locations
- AD2: C:\Shares\test\COMMON\ProdSW\ (deployed)
- NAS: T:\COMMON\ProdSW\ (synced)
- DOS: C:\BAT\ (installed)
- Logs: T:\TS-4R\LOGS\8BLOG\ (test data for database import)
## Deployment Status
✅ All 7 batch files deployed to AD2 (both COMMON and _COMMON)
⏳ Pending sync to NAS (within 15 minutes)
⏳ Pending pilot deployment on TS-4R
📋 Ready for rollout to ~30 DOS machines
## Breaking Changes
CTONW v1.1 → v1.2: Test data now uploads to LOGS folder instead of ProdSW.
Existing machines must download v1.2 via NWTOC for proper database import.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Completely removed the database context recall system while preserving
database tables for safety. This major cleanup removes 80+ files and
16,831 lines of code.
What was removed:
- API layer: 4 routers (conversation-contexts, context-snippets,
project-states, decision-logs) with 35+ endpoints
- Database models: 5 models (ConversationContext, ContextSnippet,
DecisionLog, ProjectState, ContextTag)
- Services: 4 service layers with business logic
- Schemas: 4 Pydantic schema files
- Claude Code hooks: 13 hook files (user-prompt-submit, task-complete,
sync-contexts, periodic saves)
- Scripts: 15+ scripts (import, migration, testing, tombstone checking)
- Tests: 5 test files (context recall, compression, diagnostics)
- Documentation: 30+ markdown files (guides, architecture, quick starts)
- Utilities: context compression, conversation parsing
Files modified:
- api/main.py: Removed router registrations
- api/models/__init__.py: Removed model imports
- api/schemas/__init__.py: Removed schema imports
- api/services/__init__.py: Removed service imports
- .claude/claude.md: Completely rewritten without context references
Database tables preserved:
- conversation_contexts, context_snippets, context_tags,
project_states, decision_logs (5 orphaned tables remain for safety)
- Migration created but NOT applied: 20260118_172743_remove_context_system.py
- Tables can be dropped later when confirmed not needed
New files added:
- CONTEXT_SYSTEM_REMOVAL_SUMMARY.md: Detailed removal report
- CONTEXT_SYSTEM_REMOVAL_COMPLETE.md: Final status
- CONTEXT_EXPORT_RESULTS.md: Export attempt results
- scripts/export-tombstoned-contexts.py: Export tool for future use
- migrations/versions/20260118_172743_remove_context_system.py
Impact:
- Reduced from 130 to 95 API endpoints
- Reduced from 43 to 38 active database tables
- Removed 16,831 lines of code
- System fully operational without context recall
Reason for removal:
- System was not actively used (no tombstoned contexts found)
- Reduces codebase complexity
- Focuses on core MSP work tracking functionality
- Database preserved for safety (can rollback if needed)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
