Block inline pwsh -Command/-c (force .ps1 file approach) and
Windows backslash paths in Bash commands (enforce forward slashes).
Eliminates the 2-3 retry loop on PowerShell operations and prevents
the /tmp path mismatch that caused the stale-payload Syncro incident.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- CLAUDE.md: triggers now query coordination API (/api/coord/status,
/api/coord/components, /api/coord/messages) instead of reading
PROJECT_STATE.md files
- COORDINATION_PROTOCOL.md: new doc covering locks, component states,
workflows, work items, and inter-session messages via ClaudeTools API
- guru-rmm/PROJECT_STATE.md: marked ARCHIVED, redirects to
COORDINATION_PROTOCOL.md for live state
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add hard rule: 9269129 (Prepaid Project Labor) is Exempt and does NOT deduct
from prepay_hours block — never use for normal work (verified 2026-05-04)
- Expand prepay_hours check from emergency-only to ALL billing workflows
- Fix emergency/prepaid branching table to use delivery-channel product instead
of hardcoding 26118 (Onsite) for remote and other labor types
- Clarify invoice step 15: $0.00 invoice total is correct for prepaid customers;
verify by checking customer.prepay_hours dropped by quantity
- Field 7 (Assigned Tech): add explicit default to API key owner; mark as MUST
always be included in POST payload to prevent null user_id on ticket create
- Add billing workflow hard rule: read prepay_hours before any billing, not just
emergency, so prepaid invoice behavior is known before execution begins
Triggered by ticket #32265 (Russo Law Firm) missing assignee/priority/billing.
Russo Law has 12.5 prepaid hrs — 0.5 hrs correctly deducted via invoice #67578.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deletions (~1,500 lines of dead docs):
- .claude/hooks/ — docs-only directory, no executables. Referenced scripts
setup-context-recall.sh / test-context-recall.sh did not exist. Hooks
would have POSTed to localhost:8000; the API actually ran at
172.16.3.30:8001 and is no longer in use.
- .claude/AUTO_CONTEXT_SYSTEM.md — 347-line duplicate spec of CLAUDE.md's
Automatic Context Loading section, referencing unimplemented hooks.
- .claude/URGENT-vault-path-bug.md — 217-line urgency note for a fix that
already shipped weeks ago.
- .claude/context-recall-config.env.example — config template for the same
dead system.
Refactors (~500 lines net removed):
- /save and /sync now wrap bash .claude/scripts/sync.sh as the single
source of truth for git ops. /save adds a session-log-writing step in
front; /sync invokes the script directly.
- Dropped /sync's manual git phases that contradicted sync.sh.
- Dropped the cp -r ~/ClaudeTools/.claude/commands/* ~/.claude/commands/
step (clobbered per-user customization in the multi-user model).
- Dropped auto-invoke of /refresh-directives (command does not exist).
- Dropped references to directives.md (file does not exist).
- /save now documents the rm -f save_narrative_prompt.txt step, fixing
the stale-prompt bug Howard documented in feedback_tmp_path_windows.md.
Fixes:
- CLAUDE.md SESSION_STATE.md reference replaced with the canonical
PROJECT_STATE.md (per-project, with protocol at
.claude/PROJECT_STATE_PROTOCOL.md). 16 client folders already use
PROJECT_STATE.md; SESSION_STATE.md was only a stale reference.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Auth selection logic:
- Default: prefer cert when cert_thumbprint_b64url + cert_private_key_pem_b64
are present in the vault entry's credentials block; fall back to client_secret.
- REMEDIATION_AUTH=secret -> force client_secret flow.
- REMEDIATION_AUTH=cert -> force cert flow; error if cert fields missing.
- Logs [INFO] auth=cert/secret to stderr so users see which path was taken.
Cert flow signs an RS256 JWT (header includes x5t) via inline Python (PyJWT
+ cryptography), POSTs client_assertion_type +
client_assertion=<jwt> in place of client_secret. Same scope, same cache, same
error handling (AADSTS7000229 still emits the consent URL).
Single sops -d to a mktemp file feeds both field reads to avoid repeated
~1s decrypt invocations on Windows; trap removes plaintext on exit.
Verified end-to-end against tedards.net for all three modes after wiping
/tmp/remediation-tool/.
- Promote timer_entry → charge_timer_entry to default billing path; demote
bare add_line_item to a clearly-labeled fallback for non-time items only.
Mike caught the bare-add_line_item bug across 31 tickets on 2026-04-30;
repeated on 3 tickets 2026-05-01. Time entries are required for Syncro
reporting (hours per client, tech productivity, prepay burn).
- Replace /tmp/*.json payload pattern with heredoc throughout. /tmp resolves
to C:\tmp\ in the Write tool but %LOCALAPPDATA%\Temp\ in Git Bash on
Windows — different real directories. Caused a wrong-comment incident on
ticket #32225 2026-05-01 (rogue payload from prior session). Heredoc
avoids the file handoff entirely.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three tickets billed today: #32225 Sombra ($525 onsite), #32229 Mineralogical
Record ($262.50 emergency), #32214 Cascades Entra (33.5 hrs project labor at $0
debits prepaid block). Hit a real incident on Sombra: rogue comment posted with
content from a different ticket because /tmp resolves differently in the Write
tool (C:/tmp/) vs Git Bash (%LOCALAPPDATA%/Temp/) on Windows. Howard manually
deleted from GUI; subsequent posts used heredoc to avoid the file handoff
entirely. Root cause documented in feedback_tmp_path_windows.md so future
sessions don't trip the same wire. Scheduled remote agent
trig_01CAfvwoQ4nLcKEqbU4UQmSa to update the syncro skill examples 2026-05-02.
Created memory entry documenting correct way to verify ticket-invoice linkage
in Syncro API after 2026-04-30 incident where faulty verification script
falsely claimed 31 tickets had no invoices (actually 29 had invoices properly,
2 were correctly Non-Billable).
Key lessons:
- List endpoint does NOT return ticket_id or line_items
- Must query individual invoices for full data
- Invoice numbers are strings, not integers
- Use ticket ID (internal), not ticket number (user-visible)
Added to memory index for future GrepAI semantic search.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cascades caregiver shared-phone bypass pilot — 2026-04-29 evening into
2026-04-30 early morning continuation.
Major work:
- Adopted phased per-group CA rollout (corrects original tenant-wide §5
design that would have blocked off-site office users)
- Step A: backfilled admin@ into excludeUsers on all 8 existing Cascades
CA policies (mirrors sysadmin@ exclusion posture; Option 1 break-glass)
- Outlook + Helpany + LinkRx assigned to Cascades - Shared Phones group
and added to MHS kiosk app list (final dashboard: 5 caregiver apps)
- Created cloud-only pilot user pilot.test@cascadestucson.com,
SG-Caregivers-Pilot group, Business Premium license, vault entry
pushed to Gitea vault repo
- Built 4 CA changes: PATCH legacy all-users-MFA to exclude pilot group,
CREATE 3 new Report-only policies (block off-network, block
non-compliant, 8h sign-in frequency) with both admins excluded
- Pilot phone wipe + re-enroll after first attempt stuck; PIN set,
awaiting MHS to take over launcher and SDM sign-in prompt
6 new project/feedback memories. Resume point at top of new session log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Both servers were already patched (11.110.0.97 and 11.134.0.20) via
daily auto-update. IOC scan found 16 flagged sessions across both
plus 4 uncommented SSH keys on IX.
Critical remediation:
- Forensic evidence preserved before any deletion
- 4 uncommented SSH keys removed from IX (server-side backup retained)
- 16 flagged sessions purged across both servers
- Root passwords rotated via chpasswd
- New WHM API tokens created; 3 stale transfer-* tokens revoked
- Vault entries + 1Password Infrastructure items updated
Forensic deep-dive verdict: patch held. All 7 actual CVE exploit
attempts (botnet IPs hitting /json-api/version) returned HTTP 403.
The "multi-line pass" IOC hits on user sessions were false positives.
Unidentified 76.18.103.222 root session traced to routine SSL
maintenance (zero sensitive endpoints touched).
Skill hardening:
- Added MANDATORY service-token directive to .claude/commands/1password.md
enforcing OP_SERVICE_ACCOUNT_TOKEN from SOPS for all op CLI calls
- Per Mike: memory files alone don't reliably bind agent behavior;
baking governance into skill content loaded at moment of use.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
role_assigned() only checks direct/permanent roleAssignments.
PIM-managed assignments are in roleAssignmentSchedules and won't
be found, producing noisy (non-blocking) output on re-runs against
tenants with PIM-assigned roles (e.g. Cascades).
TODO comment added at the helper — Howard to implement the fix.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Day-long session unblocking the Cascades CA reconciliation that was paused on
the Tenant Admin SP directory-role gap. Discovered Microsoft also tightened
the OAuth scope for /identity/conditionalAccess/* reads (Policy.Read.All now
required, Policy.ReadWrite.ConditionalAccess no longer accepted for reads).
Patched Tenant Admin manifest accordingly and re-consented in Cascades.
Phase B Intune state turned out to be far more built than the 4/20 log
suggested -- compliance policy, Wi-Fi, device restrictions, both SDM app
configs (Authenticator + Teams), and 7 of 8 apps were already deployed and
assigned. PATCHed device restrictions to block camera/Bluetooth/roaming
and enabled Managed Home Screen multi-app kiosk (ALIS + Teams visible,
10-min auto-signout). PATCHed Cascades named location to add primary WAN
(184.191.143.62/32). Howard added Outlook from Managed Play; SMB encryption
enabled on \CS-SERVER\homes.
CA bypass design corrected -- original §5 plan in user-account-rollout-plan.md
called for "block off-site + MFA on-site" which doesn't match the actual goal
of bypass when network + device assurance present. Reshaped to three policies
that produce on-site-compliant = password only, anything else = MFA or block.
onboard-tenant.sh patched to:
1. Backfill Policy.Read.All on Tenant Admin SP if missing (idempotent --
for tenants consented before the 2026-04-29 manifest update).
2. Assign Conditional Access Administrator directory role to Tenant Admin
SP at onboard time. Mirrors the Exchange Operator fix Mike landed in
16f95e8.
Validated with --dry-run against Cascades. Customer-facing tenants already
onboarded should be re-run with this script to backfill both items.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Documented two fundamental GuruRMM development principles:
1. Holistic Feature Development (MANDATORY):
- Every feature requires complete stack: backend, API, UI/UX, docs
- Features without management interfaces are incomplete
- Design for scalability and future expansion
- Example workflows included
2. AI-Optional Operation:
- Product must work without AI agents (Claude, autonomous tools)
- AI features are enhancements, not requirements
- Core operations remain deterministic and reliable
Principles documented in guru-rmm/docs/DESIGN.md and now in memory for
cross-session reference.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Tools (remediation-tool, onboard scripts, MSP utilities):
- Howard can modify directly
- Claude can execute with Howard OR Mike approval
- No roadmap process, immediate operational changes
Projects (GuruRMM, ClaudeTools API, etc.):
- Require Mike approval
- Features go to roadmap
- Bugs go to bug list
Established during Cascades CA role gap fix discussion.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
First attempt at Clay's voice profile from 2015-s7e19 produced
Clay-vs-Mike cosine similarity of 0.994 — essentially a Mike clone.
Root cause: 10s WavLM x-vector chunks averaged Mike's frequent
interjections together with Clay's dialogue, and Mike's well-trained
profile dominated the resulting embedding signal.
Mike's call: skip Clay, accept the 2015-s7e19 Q&A as noisy. Clay rarely
appears in other episodes, so the cost of not having his profile is
bounded to this one episode plus any rare future appearances.
Cleanup:
- voice-profiles/clay/ removed
- voice-profiles/profiles.json: Clay entry removed
- Memory updated to record the decision and the failure mode
Kept build_clay_profile.py in-repo as documentation of the attempt and
the Mike-similarity-filter pattern. Useful starting point if a future
attempt provides cleaner pure-Clay timestamps.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a transcript-driven bumper filter to the diarization pipeline. When
a transcript segment matches qa_extractor's promo/bumper signatures, the
overlapping audio windows are labeled BUMPER and the WavLM cosine match
is skipped. Prevents music/promo from being matched against speaker
profiles (the failure mode Mike caught in 2018-s10e18 @ 09:20-10:05).
Code changes:
- src/voice_profiler.py: identify_speakers() takes optional skip_ranges
parameter; windows whose midpoint falls in a skip range get labeled
"[bumper]" and skip cosine match
- src/diarizer.py: diarize() takes optional transcript_path; pre-computes
bumper time ranges via qa_extractor._is_promo_or_bumper, passes to
identify_speakers; adds BUMPER speaker label
- benchmark.py: passes transcript_path to diarize()
Aggregate impact across 9-episode test set:
Tara attribution: 4880s -> 3680s (-1200s / -25%)
Q&A pairs: 17 -> 19 (+2)
(bumper-flagged segments had been disrupting conversation detection
in 2017-s9e30 and 2018-s10e18)
CALLER total: 1320s -> 1190s (bumpers previously labeled CALLER moved)
Per-episode bumpers caught: 1-8, total ~165 bumper segments across set
Remaining Tara false positives are real callers acoustically similar to
Tara (Christopher in 2018, Kay in 2012, William and Charles in 2015) and
guest Clay in 2015-s7e19 — those need profile rebuild + Clay profile,
not bumper filtering.
Adds download_full_archive.py — resumable mirror-style downloader that
walks IX server's /home/gurushow/public_html/archive/{year}/ and copies
all MP3s to archive-data/episodes/. Run is in progress (~589 files,
~10-15GB). Used to source clean profile windows for the remaining
co-hosts (Tara rebuild, Clay, Tony, Rob, Randall, producers).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mike confirmed there is no co-host named "Tom" — the voice in 2014-s6e19
and 2016-s8e43 is Tara. The 5070 Ti session fabricated the Tom identity.
The voice profile itself (44 embeddings, 0.698 cosine vs Mike) is correct;
only the human label was wrong.
Rename swept:
- voice-profiles/tom/ -> voice-profiles/tara/ (git mv preserves all .npy)
- voice-profiles/profiles.json: "Tom" key -> "Tara"
- build_cohost_profile.py: TOM_WINDOWS -> TARA_WINDOWS, COHOST_NAME, comments
- 2026-04-27-qa-extraction-cohost-indexing.md: correction header + body sweep
- 2026-04-27-4090-benchmark-and-test-set.md: closure note
- .claude/memory/radio_show_no_cohost_named_tom.md: resolution + speaker roster
Diarization re-run after rename so speaker_map emits "Cohost: Tara".
Q&A counts unchanged (rename is label-only): 9 pairs across 6 test episodes.
Tara distribution from the post-rename diarization (per-episode % of audio):
2011-03-12-hr1 140s 5.6% likely false positive (call-in only)
2012-03-10-hr1 30s 1.1% likely false positive (call-in only)
2012-06-09-hr1 340s 12.8% suspicious — pending Mike confirm
2014-s6e19 680s 23.3% confirmed
2016-s8e43 1890s 35.5% confirmed
2017-s9e30 610s 11.4% plausible — pending Mike confirm
Broader speaker-roster context Mike provided this session (saved to
memory): the show has had multiple co-hosts (Tara, Randall, Rob) plus
producers/board ops (Andrew, Shannon, Ken, others) who would sometimes
go on-air. Only Tara has a profile so far. Every other speaker is
currently labeled CALLER, which means small CO-HOST attributions in
unexpected episodes (e.g. 2011/2012) may actually be a producer rather
than a false positive — Mike to spot-check.
Action item before full-archive run: build profiles for Randall, Rob,
and the named producers to avoid systematic Q&A false positives in
early-years and 2018/2019 episodes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Re-ran benchmark.py on GURU-BEAST-ROG against the post-overhaul code
(co-host profile, batched Whisper int8_float16, revised Q&A extractor).
Results vs 5070 Ti baseline:
- Diarization: 209.7x -> 338.1x (+61.2%)
- Transcription: 63.8x -> 94.8x (+48.6%)
- Q&A pairs: 9 vs 10 (within run-to-run noise; structural correctness matches:
2014 = 0 callers, 2016 = 2 WiFi caller pairs)
Setup change: BENCH_SETUP.md now lists ffmpeg as a Step-2 prereq
(winget install Gyan.FFmpeg). Was missing on this machine and the pipeline
fails silently at the first diarize call without ffprobe.
Code change: benchmark.py BASELINE_RTF updated 149.5 -> 209.7 to reflect
the 5070 Ti's post-overhaul measurement (e9ac607).
Data: 6 test episode transcripts and diarizations regenerated under the
new code path (batched Whisper output + co-host-aware speaker_map).
Correction memory: voice-profiles/tom/ directory + 5070 Ti session log
fabricated a co-host named "Tom" — Mike confirms no such person exists on
the show. The audio profile is real and the diarization separation is
sound, but the human identity attached to it is wrong. Saved under
.claude/memory/radio_show_no_cohost_named_tom.md pending Mike providing
the correct name for rename.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- tenants.md: updated status to PARTIAL with full detail note
- clients/sandteko-machinery/: new client directory with reports/ and session-logs/ scaffolding
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Index was dead since 2026-04-19 (watcher not running). Fixes:
- Watcher restarted; scheduled task registered for login persistence
- Removed .md 0.6x penalty — markdown is primary content in this repo
- Added session-logs/ 1.3x, .claude/ 1.2x, /clients/ 1.1x relevance bonuses
- CLAUDE.md: grepai_search is now the first step for any context lookup
- OLLAMA.md: documents config overrides + watcher setup for new machines
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Write operations (bill, comment, create) now send a prompt to Ollama
(qwen3:14b) for comment body and billing description drafting. Claude
reviews the output against the rate/prepaid/formatting checklist before
presenting the preview. If neither Ollama endpoint is reachable, Claude
drafts directly — same review and confirmation flow either way.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add local rate table (pulled 2026-04-24) for all 7 labor products; always
set price_retail explicitly — Syncro API does not auto-apply product rates
- Replace vault-based key fetch with inline case block on identity.json user;
both Mike and Howard keys included for correct per-user attribution
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- tenant-sweep.sh line 12: renamed tier `graph` to `investigator` to match
the valid tier name expected by get-token.sh
- tenants.md: updated Kittle Design & Construction consent status from NO
to PARTIAL with notes on what was consented and what remains pending
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
