Adds full GravityZone API integration to ClaudeTools. Key additions:
- api/services/gravityzone_service.py: JSON-RPC client with Basic auth,
methods for company/endpoint/quarantine/licensing data, and security_sweep
which paginates all endpoints, enriches with malware/agent status, and
sorts infected > outdated > clean
- api/schemas/gravityzone.py: Pydantic response models for all endpoints
- api/routers/gravityzone.py: 7 REST endpoints at /api/gravityzone/*,
JWT-protected, returns 502 on downstream GZ errors
- api/config.py: GRAVITYZONE_API_KEY + GRAVITYZONE_API_BASE_URL settings
- api/main.py: router registered under /api/gravityzone
Vault entry: msp-tools/gravityzone.sops.yaml (partner-level key, 14 modules)
Server .env updated, ticktick router synced, service restarted and verified.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Major work from 2026-04-23:
Folder redirection (OU=Life Enrichment):
- Added 5 folders (Desktop, Pictures, Music, Videos, Favorites) to CSC - Folder
Redirection (LE) alongside existing Documents + Downloads. All use Flags=1021
(Basic + create folder per user + move contents + policy-removal: redirect back).
- Created CSC - Always Wait For Network GPO, linked at OU=Workstations. Disables
FLO via correct Winlogon registry path (HKLM\Software\Policies\Microsoft\
Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy=1). First attempt used
wrong path (Windows\System) which Winlogon ignored.
- Proved GPO FR works for clean-hive users (test user LE.FRTest, now removed).
- Wrote susan-profile-fix.ps1 to repair ProfWiz-poisoned profiles: robocopies
local content to \CS-SERVER\homes\<user>, loads NTUSER.DAT, rewrites User
Shell Folders (legacy + modern GUIDs) to UNC, unloads. Applied to Susan Hicks,
verified via live SMB session + content access.
Share access review doc:
- share-access-matrix-2026-04-23.md drafted for John/Meredith review. One
short block per employee (department + position + folders they can access).
All settled decisions from today's calls captured (Sandra Fish = Meredith-
only, Culinary = kitchen + M/J/A, no chat share, caregivers zero on-prem,
Veronica = Meredith tier, CasAdmin201 retired, pacs empty).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
KB5082142 (Windows Server 21H2 CU) + KB5084071 (.NET Framework CU) triggered
cascading Exchange 2016 failures on NEPTUNE today. External SMTP ingest was
restored after 4 fixes (registry ACL on AssistantsQuarantine, Routing Master
DN, disabled messageconcept ExSBR, hosts entries for dead MAIL server). But
internal pipeline (Submission -> categorizer -> mailbox delivery) remained
broken until 3 more fixes (DNS records on ACG-DC16 for n-hosting1/n-largeboxes
/mail, disabled hung DkimSigner agent, disabled IRM to silence RMS Encryption
Agent timeouts). Submission queue still pinned at ~427 messages pre-reboot;
full Neptune reboot queued to clear edgetransport.exe in-memory DNS cache and
pending KB5082142 reboot actions.
All registry/AD/config backups in C:\BackupBeforeFix\ on Neptune. Post-reboot
verification checklist documented in the log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Single-doc consolidation of every Cascades doc in the repo: where we are
(what's done, in-flight, ahead), all 48 open questions grouped by recipient
(Meredith, John, Ashley, internal) with T1/T2/T3 urgency, suggested 4-session
sequencing to unblock most work fastest, license/cost summary, and the
5 items Howard can execute right now without answers.
Replaces the piecemeal view across user-account-rollout-plan,
p2-staff-candidates, staff-working-list, hipaa-review, and risk-register docs.
Those remain the detail source; this is the navigation layer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deleted 7 former-employee / zombie accounts via Graph user-manager tier.
All verified in soft-delete bin (30-day recovery):
- ann.dery, anna.pitzlin, jeff.bristol, kristiana.dowse, nela.durut-azizi,
nick.pavloff (all were disabled already)
- jodi.ramstack (was a zombie: enabled in M365 with 1 Business Standard
license but deleted from AD 2026-04-13. Freed $12.50/mo seat.)
admin@NETORGFT... (Sandra Fish) confirmed already gone from tenant.
Role-based accounts (accounting@, frontdesk@, hr@, etc.) NOT touched —
pending delegation decisions before shared-mailbox conversion. Stephanie.Devin
left alone pending Meredith confirmation.
Report: reports/2026-04-22-m365-orphan-deletes.md
Docs updated: docs/cloud/m365.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Full cpmove transfer verified (62GB, mailboxes, public_html)
- Mailprotector configured on IX (exim.conf.local, DKIM via dsearch, skipsmtpcheckhosts)
- DNS zone updated: A record to IX (72.194.62.5), TTLs lowered to 300s, zone backed up
- .htaccess redirect to jackfurriers.com added to IX public_html
- Delivery server updated in Mailprotector admin, inbound confirmed live
- HTML setup guide created and sent to 23 real user accounts
- Syncro ticket #32199 created (no billing yet)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CS-SERVER post-reboot verification: time sync, TLS 1.2 enforcement, and
Windows Server Backup feature all persisted cleanly. dcdiag clean. Ready
for Entra Connect install.
Synology cascadesDS permission inventory captured via DSM API (SSH
disabled by default on Synology). 35 users, 4 groups, 10 shares.
Analysis identifies 7 shared-account role logins (HIPAA violation),
8 departed-employee accounts to clean up, and 4 shares needing
Meredith-side confirmation before migration (pacs most sensitive).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Meredith/John returned the staff-editor questionnaire (70 people, 11
departments). CSV ingested to reports/; p2-staff-candidates.md updated
with real persona breakdown. Wrote full AD/M365 user rollout plan (8
personas, license mapping, OU/group layout, CA policies, 4-wave
sequence, 8 open decisions). Drafted follow-up email for remaining open
items — Howard will edit and send.
Britney Thompson and Polett Pinazavala confirmed still employed (were
absent from the CSV return). Christine Nyanzunda confirmed as one
person with two roles. Usernames locked for new accounts:
Alma.Montt, Kyla.QuickTiffany.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Added Teams deployment + HIPAA-appropriate configuration as a tracked
gap (hipaa.md #27) and M365 issue (m365.md #14). Cites transmission
security + BAA requirements and outlines controls needed (retention,
DLP, external sharing lockdown, guest access, meeting consent).
Dependency on Microsoft BAA flagged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Intune Manager (46986910-...) registered as AzureADMyOrg instead of
AzureADMultipleOrgs, blocking consent in any external tenant. Includes
evidence, PATCH command, and portal steps. Blocks Cascades MDM Phase B.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- UNREGISTERED_MODELS set: 9 model numbers not in Hoffman API catalog; skipped
silently instead of generating errors
- batch-500 fallback: when a bulk batch returns HTTP 500, retry each record
individually so good records get stamped and only truly-bad records count
as errors
- FAIL-parameter filter: records with any FAIL on a parameter line are excluded
from the push before the batch is assembled
- notify.js integration: wired in existing notification module
Files added:
- projects/dataforth-dos/database/upload-to-api.js
- projects/dataforth-dos/database/notify.js
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Comprehensive emergency response documentation:
- Complete timeline from 0935 arrival to 1115 handoff
- All 4 servers documented with current status
- HP ProLiant: NVRAM resolved, iLO pending
- Dell VWP-QBS: Boot issue resolved
- XenServer: OFFLINE (CRITICAL - Server3 VM down)
- 4th server: Appears fine
Work status:
- Timer running (~1h40m so far)
- Switching to laptop to continue
- XenServer restoration is highest priority
Created comprehensive session log:
- session-logs/2026-04-22-valleywide-power-outage-emergency-response.md
- Complete status, timeline, next steps, recommendations
- Ready for laptop continuation
All changes synced to Gitea for seamless handoff.
Machine: Mikes-MacBook-Air.local
Timestamp: 2026-04-22 11:05:39
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- intune-manager SOPS file is present; Howard needs to pull vault (2 commits behind)
- Directed Howard to check Syncro for current labor rates
- Cleared addressed items from for-mike.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Syncro auto-calculates price from the product's configured rate — omit price_retail.
Cleared Howard's messages from for-mike.md (both items addressed).
Left reply for Howard in for-howard.md confirming fix is live.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Python open() can't read MSYS-style paths (/c/claudetools/...).
Fix: try jq first (handles Unix paths cleanly on all platforms),
fall back to Python with cygpath -m conversion to mixed Windows paths.
Matches the same fix already applied to get-token.sh.
Bug reported by Howard (HOWARD-HOME, 2026-04-21).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Complete vault and SOPS setup on Mac from scratch. Fixed critical
get-token.sh bugs (variable collision + directory depth), validated
vault sync from Windows, tested all 5 tiers.
Key accomplishments:
- Installed SOPS 3.12.2 + age 1.3.1 via Homebrew
- Configured age private key and SOPS environment
- Cloned vault repository with 6 SOPS files
- Fixed vault.sh line endings (CRLF → LF)
- Token acquisition working: 4/5 tiers (defender not consented)
- Created comprehensive VAULT-SETUP-GUIDE.md (522 lines)
- Removed guru-rmm submodule auto-update from sync script
Remediation-tool now portable across Mac/Windows. Ready for Howard setup.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Complete reference for setting up vault access on Mac/Windows/Linux.
Covers all issues encountered during Mac setup:
- Line ending fixes (CRLF → LF)
- SOPS_AGE_KEY_FILE environment configuration
- Age key installation and permissions
- Common errors and solutions
Includes quick setup for Howard's machines (ACG-Tech03L, HOWARD-HOME).
Successfully validated on Mikes-MacBook-Air - all 4 tiers working.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Tested vault access capability on Mac. Found multiple blockers:
- SOPS not installed
- age not installed
- age key not configured
- vault repo not cloned (git auth blocked)
Documents what would be required vs. recommendation to skip Mac setup.
Windows already validated - all 5 tiers working.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
