sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-14 18:46:54

Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-14 18:46:54

.claire/tmp/watchdog-impl/api_watchdog_alerts.rs

@@ -0,0 +1 @@
+placeholder

.claude/CLAUDE.md

@@ -1,5 +1,74 @@
 # ClaudeTools Project Context
 
+## Multi-User Environment (CHECK FIRST)
+
+This repo is shared across multiple team members. **At every session start, BEFORE doing anything else:**
+
+1. **Read `.claude/identity.json`** (local, gitignored). If it exists, greet the user by name and proceed.
+2. **If identity.json does NOT exist** (first sync on a new machine):
+   - Read `.claude/users.json` for the known user list
+   - Ask: "This looks like a new machine. Are you **Mike Swanson** or **Howard Enos**? (Or someone new?)"
+   - Based on their answer, create `.claude/identity.json`:
+     ```json
+     {
+       "user": "mike",
+       "full_name": "Mike Swanson",
+       "email": "mike@azcomputerguru.com",
+       "role": "admin",
+       "machine": "<HOSTNAME>",
+       "vault_path": "<absolute path to vault repo on this machine>"
+     }
+     ```
+     Ask the user where the vault repo is cloned on this machine (e.g., `D:/vault`, `~/vault`, `/Users/howard/vault`).
+   - Set local git config: `git config user.name "<full_name>"` and `git config user.email "<email>"`
+   - Set git remote (read `gitea_username` from users.json): `git remote set-url origin https://<gitea_username>@git.azcomputerguru.com/azcomputerguru/claudetools.git`
+   - Add hostname to user's `known_machines` in users.json and commit.
+   - **Show the user `.claude/ONBOARDING.md`** — present section by section, explain the WHY, answer questions.
+3. **If hostname doesn't match any known machine** for the identified user, update their `known_machines` in users.json.
+
+### Session Log Attribution
+
+Every session log MUST include a `## User` section:
+```markdown
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** DESKTOP-0O8A1RL
+- **Role:** admin
+```
+
+Commits use local git config (user.name / user.email). Gitea push account is shared (azcomputerguru) but commit authorship tracks the actual person.
+
+### Current Team
+
+| User | Role | Notes |
+|---|---|---|
+| **Mike Swanson** (mike) | admin | Owner, President of Arizona Computer Guru LLC |
+| **Howard Enos** (howard) | tech | Employee, technician. Full trust — same access as admin. |
+
+---
+
+## Work Mode
+
+Auto-detect on every user message (first match wins):
+
+| Mode | Triggers | Posture |
+|------|----------|---------|
+| **remediation** | "remediation tool", "365", "breach", "tenant sweep", M365 keywords | Graph API focus, compliance language, full audit trail |
+| **client** | client name, `clients/` work, "for \<client\>" | Careful with data, session logs in `clients/`, name the client |
+| **infra** | server names/IPs, SSH, firewall, DNS, deploy, service restart | Confirm before destructive ops, backup-first |
+| **dev** | code, build, Rust/cargo, npm, GuruRMM dev, `projects/` work | Delegate freely, less confirmation friction |
+| **general** | default | Lightweight |
+
+On mode change: announce `[MODE -> infra]`, tell user to run `/color <color>`. Full details: `.claude/commands/mode.md`
+
+**MANDATORY on every mode change:** write the new mode to `.claude/current-mode` so hooks can read it:
+```bash
+echo dev > .claude/current-mode   # substitute the actual mode name
+```
+This file is gitignored (machine-local). The `UserPromptSubmit` hook reads it to gate the lock check on dev mode.
+
+---
+
 ## Identity: You Are a Coordinator
 
 You are NOT an executor. You coordinate specialized agents and preserve your context window.
@@ -21,80 +90,209 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
 **Do yourself:** Simple responses, reading 1-2 files, presenting results, planning, decisions.
 **Rule:** >500 tokens of work = delegate. Code or database = ALWAYS delegate.
 
-**DO NOT** query databases directly (no SSH/mysql/curl to API). **DO NOT** write production code. **DO NOT** run tests. **DO NOT** commit/push. Use the appropriate agent.
+**DO NOT** query databases directly. **DO NOT** write production code. **DO NOT** run tests. **DO NOT** commit/push.
 
-### Coordination Flow
+### Model Routing (Complexity-Based)
 
-```
-User request -> Main Claude (coordinator) -> Launches agent(s) -> Agent returns summary -> Main Claude presents to user
-```
+| Tier | Model | When |
+|------|-------|------|
+| 0 | **Ollama** (local) | Low-stakes: summarize, classify, extract, draft — no code changes, output reviewed before use |
+| 1 | `haiku` | Ollama unavailable, or task needs agent tool use / file access |
+| 2 | (inherit) | Standard code, DB, tests, git — most work |
+| 3 | `opus` | Architecture, security, ambiguous failures, production risk |
 
-- Independent operations run in parallel
-- Skills (Skill tool) enhance/validate. Agents (Agent tool) execute/operate.
+**Bump rule:** if the request involves `security`, `auth`, `credential`, `migration`, `production`, or `data loss` — bump one tier up.
+
+Pass `model: "haiku"` or `model: "opus"` explicitly. Omit for Tier 2. Tier 0 is a direct Bash call — see `.claude/OLLAMA.md`.
+
+---
+
+## Automatic Context Loading (CRITICAL)
+
+**BEFORE responding to the first message or when switching projects, AUTOMATICALLY load context:**
+
+### Trigger 1: Project Keywords Detected
+If user mentions **GuruRMM**, **Dataforth**, **tunnel**, **VASLOG**, **AD2**, **testdatadb**, etc:
+1. Read the matching project CONTEXT.md:
+   - GuruRMM keywords → `projects/msp-tools/guru-rmm/CONTEXT.md`
+   - Dataforth keywords → `projects/dataforth-dos/CONTEXT.md`
+   - General → `CONTEXT.md` (root)
+2. Query the coordination API for current state: `GET http://172.16.3.30:8001/api/coord/status` (no auth needed for status) and `GET /api/coord/components?project_key=<key>`.
+3. THEN respond with full context.
+
+### Trigger 2: Continuation/Resume Words
+If user says "continue", "let's work on", "back to", "resume", "finish":
+1. Detect project from message, read project CONTEXT.md.
+2. Query coordination API: `GET /api/coord/status` for active locks and in-progress workflows; `GET /api/coord/messages/unread-count?session_id=<this-session>` for pending messages.
+3. Check for unread messages and display them before proceeding.
+
+### Trigger 3: Infrastructure/Deployment Questions
+If user asks about **servers**, **databases**, **credentials**, **deploy**, **IP**, **password**:
+1. Check current directory for CONTEXT.md, then `projects/*/CONTEXT.md`.
+2. Answer from CONTEXT.md — never ask for info that's already there.
+
+### Trigger 4: Uncertainty >5%
+If you're <95% certain about infrastructure, recent work, or next steps: read CONTEXT.md before asking the user.
+
+### Anti-Pattern
+
+Never ask "What did we do last time?" or "What's the server IP?" — read the CONTEXT.md first. If it's not there, then ask.
 
 ---
 
 ## Projects
 
-**ClaudeTools** -- MSP Work Tracking System (Production-Ready)
+**ClaudeTools** — MSP Work Tracking System (Production-Ready)
 - Database: MariaDB 10.6.22 @ 172.16.3.30:3306 | API: http://172.16.3.30:8001
 - 95+ endpoints, 38 tables, JWT auth, AES-256-GCM encryption
-- DB creds in vault: `bash D:/vault/scripts/vault.sh get-field projects/claudetools/database.sops.yaml credentials.password`
+- DB creds: `bash D:/vault/scripts/vault.sh get-field projects/claudetools/database.sops.yaml credentials.password`
 
-**GuruRMM** -- Remote Monitoring & Management (Active Development)
+**GuruRMM** — Remote Monitoring & Management (Active Development)
 - Server: Rust/Axum @ 172.16.3.30:3001 | Dashboard: https://rmm.azcomputerguru.com
 - Repo: `azcomputerguru/gururmm` on Gitea (active), `guru-rmm` is a stale copy
-- Roadmap: `projects/msp-tools/guru-rmm/ROADMAP.md`
+- Roadmap: `projects/msp-tools/guru-rmm/docs/FEATURE_ROADMAP.md` (also `docs/UI_GAPS.md`)
 
 ---
 
 ## Key Rules
 
-- **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
-- **No hardcoded credentials** - Use SOPS vault (`vault get-field <path> <field>`) or 1Password as fallback
-- **SSH:** Use system OpenSSH (on Windows: `C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
+- **Coord messages in system-reminder:** If a `system-reminder` contains "UNREAD COORD MESSAGES", you MUST reproduce the full message block verbatim at the top of your response before addressing anything else. The hook injects messages into your context but the user cannot see system-reminders — they rely on you to display them.
+- **NO EMOJIS** — Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
+- **No hardcoded credentials** — Use SOPS vault (`vault get-field <path> <field>`) or 1Password as fallback
+- **SSH:** Use system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
 - **Data integrity:** Never use placeholder/fake data. Check SOPS vault, credentials.md, or ask user.
-- **Coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
+- **Coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand)
+
+---
+
+## Live State Tracking (ALL Projects)
+
+**The ClaudeTools coordination API is the live source of truth for ALL projects.** Every agent session MUST use it — not PROJECT_STATE.md files (those are archived).
+
+API base: `http://172.16.3.30:8001/api/coord` | No auth required for coord endpoints.
+
+### Session Start Protocol (MANDATORY)
+
+Run these at the beginning of every session:
+
+```bash
+# 1. Check for messages addressed to this session or broadcast
+curl -s "http://172.16.3.30:8001/api/coord/messages?to_session=<SESSION_ID>&unread_only=true"
+
+# 2. Check overall live status
+curl -s "http://172.16.3.30:8001/api/coord/status"
+
+# 3. Check active locks on any project you plan to touch
+curl -s "http://172.16.3.30:8001/api/coord/locks?project_key=<KEY>"
+```
+
+Display any unread messages prominently before any other work. Mark them read:
+```bash
+curl -s -X PUT "http://172.16.3.30:8001/api/coord/messages/<id>/read"
+```
+
+### Before Significant Work (MANDATORY)
+
+Claim a lock before editing code, running migrations, deploying, or touching shared resources:
+```bash
+curl -s -X POST http://172.16.3.30:8001/api/coord/locks \
+  -H "Content-Type: application/json" \
+  -d '{"project_key":"gururmm","session_id":"DESKTOP-0O8A1RL/claude-main","resource":"server/src","description":"Adding credential endpoints","ttl_hours":2}'
+# Save the returned "id" for release
+```
+
+### After Work Completes (or Fails) — MANDATORY
+
+```bash
+# Release lock
+curl -s -X DELETE "http://172.16.3.30:8001/api/coord/locks/<lock_id>?session_id=<SESSION_ID>"
+
+# Update component state
+curl -s -X PUT "http://172.16.3.30:8001/api/coord/components/gururmm/server" \
+  -H "Content-Type: application/json" \
+  -d '{"state":"deployed","version":"0.3.0","notes":"Credential store live","updated_by":"DESKTOP-0O8A1RL/claude-main"}'
+```
+
+### Project Keys and Components to Track
+
+| project_key | Components | States |
+|-------------|------------|--------|
+| `gururmm` | `server`, `agents`, `dashboard`, `db_migrations` | `building`, `built`, `deploying`, `deployed`, `degraded` |
+| `claudetools` | `api`, `db_migrations`, `coord_api` | `deploying`, `deployed`, `degraded` |
+| `dataforth-dos` | `app`, `db` | `active`, `idle`, `degraded` |
+| `clients/<name>` | `(free-form)` | `(free-form)` |
+
+### Softfail When Coordination API Is Unavailable
+
+If the coord API is unreachable (connection refused, timeout, or 5xx):
+1. **Do not block work.** Continue with the task.
+2. Log the failed call to `.claude/coord-queue.jsonl` (one JSON object per line):
+   ```json
+   {"ts":"2026-05-12T15:30:00Z","method":"PUT","path":"/api/coord/components/gururmm/server","body":{...}}
+   ```
+3. On the next session start or `/sync`, drain the queue:
+   ```bash
+   # For each line in coord-queue.jsonl, replay the call, then remove the file if all succeed
+   ```
+
+If coord API returns 503 with `Retry-After`, wait that many seconds and retry once before queuing locally.
+
+### Inter-Session Messages
+
+Send messages to specific sessions or broadcast to a project:
+```bash
+curl -s -X POST http://172.16.3.30:8001/api/coord/messages \
+  -H "Content-Type: application/json" \
+  -d '{"from_session":"DESKTOP-0O8A1RL/claude-main","to_session":"HOWARD-HOME/claude-main","project_key":"gururmm","subject":"macOS build ready","body":"build-agents.sh marked TODO-MACOS."}'
+# Omit to_session for a broadcast to everyone watching the project
+```
+
+Full protocol reference: `.claude/COORDINATION_PROTOCOL.md`
 
 ---
 
 ## Automatic Behaviors
 
 - **Frontend Design:** Auto-invoke `/frontend-design` skill after ANY UI change (HTML/CSS/JSX/styling)
-- **Sequential Thinking:** Use for genuine complexity - rejection loops, 3+ critical issues, architectural decisions, multi-step debugging
-- **Task Management:** Complex work (>3 steps) -> TaskCreate. Persist to `.claude/active-tasks.json`.
+- **Sequential Thinking:** Use for genuine complexity — rejection loops, 3+ critical issues, architectural decisions
+- **Task Management:** Complex work (>3 steps) → TaskCreate. Persist to `.claude/active-tasks.json`.
+
+### Cross-Session Messages (MANDATORY)
+
+See the **Session Start Protocol** in "Live State Tracking" above. Messages must be displayed and marked read before any other work.
+
+Also scan session logs pulled during `/sync` for legacy `## Note for <user>` sections (transitional — older sessions still use markdown).
 
 ---
 
 ## Context Recovery
 
-When user references previous work, use `/context` command. Never ask user for info in:
-- `credentials.md` - Infrastructure reference (being migrated to SOPS vault at D:\vault)
-- `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
-- `SESSION_STATE.md` - Project history
+When user references previous work, use `/context` command. Never ask for info in:
+- `credentials.md` — Infrastructure reference (being migrated to SOPS vault)
+- `session-logs/` — Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
+- **Coordination API** — current locks, component states, workflows, messages: `GET http://172.16.3.30:8001/api/coord/status`
+- `projects/*/PROJECT_STATE.md` — ARCHIVED. Read-only historical reference. Do not edit. Use coordination API for live state.
 
-### Credential Access (SOPS Vault - Primary)
+### Credential Access (SOPS Vault)
 
-Credentials are stored in SOPS+age encrypted YAML files in a dedicated Gitea repo.
+Use the ClaudeTools vault wrapper — never hardcode the vault path:
 
-**Vault repo:** `D:\vault` (git.azcomputerguru.com/azcomputerguru/vault, private)
-**Structure:** infrastructure/, clients/, services/, projects/, msp-tools/
-
-**To read credentials:**
 ```bash
-bash D:/vault/scripts/vault.sh search "keyword"       # Search (no decryption needed)
-bash D:/vault/scripts/vault.sh get-field <path> <field> # Get specific field
-bash D:/vault/scripts/vault.sh get <path>               # Decrypt full entry
-bash D:/vault/scripts/vault.sh list                     # List all entries
+# CLAUDETOOLS_ROOT is the repo root (D:\claudetools on Windows, ~/claudetools on Mac/Linux)
+VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
+
+bash "$VAULT" search "keyword"         # Search without decrypting
+bash "$VAULT" get-field <path> <field> # Get specific field
+bash "$VAULT" get <path>               # Decrypt full entry
+bash "$VAULT" list                     # List all entries
 ```
 
-**Encryption:** AES-256 via age. Metadata stays plaintext for searchability.
+The wrapper reads `vault_path` from `.claude/identity.json` (per-machine, gitignored).
+Each machine sets its own vault path there — no hardcoded paths in any shared file.
 
-**age key location:** `%APPDATA%\sops\age\keys.txt` (Windows) / `~/.config/sops/age/keys.txt` (Linux/Mac)
+Vault structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
 
-### 1Password (Fallback)
-
-Service account token in vault: `infrastructure/1password-service-account.sops.yaml`
+**1Password fallback:** service account token in `infrastructure/1password-service-account.sops.yaml`
 
 ---
 
@@ -103,55 +301,52 @@ Service account token in vault: `infrastructure/1password-service-account.sops.y
 | Command | Purpose |
 |---------|---------|
 | `/checkpoint` | Dual checkpoint: git commit + database context |
-| `/save` | Comprehensive session log (credentials, decisions, changes) |
+| `/save` | Comprehensive session log |
 | `/context` | Search session logs, credentials.md, and 1Password |
-| `/1password` | 1Password secrets management integration |
+| `/1password` | 1Password secrets management |
 | `/sync` | Sync config from Gitea repository |
 | `/create-spec` | Create app specification for AutoCoder |
-| `/frontend-design` | Modern frontend design patterns (auto-invoke after UI changes) |
+| `/frontend-design` | Modern frontend design (auto-invoke after UI changes) |
+| `/remediation-tool` | M365 breach checks, tenant sweeps, gated remediation |
 
 ---
 
-## File Placement (Quick Rules)
+## File Placement
 
-- **Dataforth DOS work** -> `projects/dataforth-dos/`
-- **ClaudeTools API code** -> `api/`, `migrations/` (existing structure)
-- **GuruRMM work** -> `projects/msp-tools/guru-rmm/`
-- **Client work** -> `clients/[client-name]/`
-- **Session logs** -> project or client `session-logs/` subfolder; general -> root `session-logs/`
-- **Full guide:** `.claude/FILE_PLACEMENT_GUIDE.md` (read when saving files, not every session)
+- **Dataforth DOS work** → `projects/dataforth-dos/`
+- **ClaudeTools API code** → `api/`, `migrations/`
+- **GuruRMM work** → `projects/msp-tools/guru-rmm/`
+- **Client work** → `clients/[client-name]/`
+- **Session logs** → project or client `session-logs/` subfolder; general → root `session-logs/`
+- **Full guide:** `.claude/FILE_PLACEMENT_GUIDE.md`
 
 ---
 
 ## Local AI (Ollama)
 
-Ollama runs locally with GPU acceleration for tasks that don't need Claude-level reasoning.
+Tier 0 — **Ollama is the documentation engine.** Route prose generation through it: commit messages, ticket comments, client notes, code docs. Claude reviews output, owns credentials/facts/execution. Session log narratives are written directly by Claude (Ollama too slow for /save).
 
-| Model | Size | Use For |
-|-------|------|---------|
-| `qwen3:14b` | 9.3 GB | Summarization, classification, data extraction, drafting |
-| `codestral:22b` | 12 GB | Code generation, refactoring suggestions, docstrings |
-| `nomic-embed-text` | 274 MB | Embeddings only (used by GrepAI) |
-
-```bash
-# Simple prompt
-curl -s http://localhost:11434/api/generate -d '{"model":"qwen3:14b","prompt":"...","stream":false}' | jq -r '.response'
-```
-
-**Review policy:** Always review Critical/High impact Ollama outputs (auth, security, migrations, production). Trust Low impact (classification, formatting). Flag uncertainty to user.
+- **DESKTOP-0O8A1RL:** `http://localhost:11434`
+- **Other machines:** `http://100.92.127.64:11434` (Tailscale required)
+- **Models:** `qwen3:14b` (all documentation/prose), `codestral:22b` (code suggestions — always review)
+- **Warm-start:** GrepAI keeps the Ollama service running; qwen3 VRAM swap is ~5s worst case, not 50s
+- **Full reference:** `.claude/OLLAMA.md` (documentation engine scope, model selection, review policy)
 
 ### GrepAI (Semantic Code Search)
 
-Use for intent-based search ("how does auth work"), exploring unfamiliar code, context recovery.
-- **MCP tool:** `grepai` server tools
-- **Agent:** `deep-explore` agent
-- **CLI:** `grepai search "query" --json --compact`
+**Use GrepAI first for any context lookup before reading files directly.** It indexes all session logs, skill files, and project docs with boosted relevance for `.claude/` and `session-logs/`.
+
+- **When to use:** "what did we do with X", "how does Y work", "find where Z is configured", context recovery, exploring unfamiliar code
+- **MCP tools:** `grepai_search` (primary), `grepai_trace_callers`, `grepai_trace_callees`
+- **Agent:** `deep-explore` (for multi-hop exploration)
+- **CLI:** `D:/claudetools/grepai.exe search "query" --json -c -n 5`
+- **Watcher:** runs as scheduled task "GrepAI Watcher - claudetools" (auto-starts on login, keeps index current)
 
 ---
 
 ## Memory (Shared Across Machines)
 
-Stored in-repo at `.claude/memory/` -- syncs via Gitea to all workstations.
+Stored in-repo at `.claude/memory/` — syncs via Gitea to all workstations.
 Index: `.claude/memory/MEMORY.md`
 
 **IMPORTANT:** Always write to `.claude/memory/` (repo-relative), NOT `~/.claude/projects/*/memory/`.
@@ -164,7 +359,9 @@ Index: `.claude/memory/MEMORY.md`
 - **Agent definitions:** `.claude/agents/*.md`
 - **MCP servers:** `MCP_SERVERS.md`
 - **Coding standards:** `.claude/CODING_GUIDELINES.md`
+- **Ollama connection + examples:** `.claude/OLLAMA.md`
+- **PROJECT_STATE locking protocol:** `.claude/PROJECT_STATE_PROTOCOL.md`
 
 ---
 
-**Last Updated:** 2026-04-02
+**Last Updated:** 2026-04-20

.claude/CODING_GUIDELINES.md

@@ -31,6 +31,40 @@ Never use emojis in code, scripts, config files, log messages, or output strings
 
 ---
 
+## PowerShell Execution (Windows)
+
+### ALWAYS Use -NoProfile -File Pattern
+
+Never use inline PowerShell commands (`-Command` or `-c`). Always write scripts to `.ps1` files and execute with `-NoProfile -File`.
+
+**Rationale:**
+- **Prevents font/codepage changes**: PowerShell profile scripts often set `chcp 65001` or modify `[Console]::OutputEncoding`, which changes the Claude Code CLI font and breaks rendering
+- **Avoids Git Bash quoting issues**: Inline commands have unpredictable quote escaping and variable expansion (`$_`, `$foo`) before PowerShell sees them
+- **Enforced by hooks**: `.claude/hooks/pre-bash-pwsh-script.sh` blocks inline execution and requires the file-based approach
+
+**Correct:**
+```bash
+# Write script to file using Write tool
+cat > /tmp/script.ps1 << 'EOF'
+Get-Process | Select-Object -First 5 Name, CPU
+EOF
+
+# Execute with -NoProfile -File
+pwsh -NoProfile -File /tmp/script.ps1
+```
+
+**Incorrect (BLOCKED BY HOOKS):**
+```bash
+# These will be rejected
+powershell -Command "Get-Process"
+pwsh -c "Get-Date"
+powershell.exe -Command '$x = 5; Write-Host $x'
+```
+
+**Reference:** See `.claude/hooks/pre-bash-pwsh-script.sh` for enforcement details.
+
+---
+
 ## Security
 
 - Never hardcode credentials -- use SOPS vault or environment variables
@@ -70,4 +104,4 @@ All scripts and tools use ASCII status markers:
 
 ---
 
-**Last Updated:** 2026-04-02
+**Last Updated:** 2026-05-12

.claude/COMPLEXITY_ROUTING.md

@@ -0,0 +1,74 @@
+# Complexity-Based Model Routing
+
+When spawning an agent, pick a tier based on the request signals below, then pass `model` accordingly.
+
+---
+
+## Tier 1 — Haiku (fast/cheap)
+
+**Signals:** single lookup, no code changes, classification, formatting, summarization, status check, documentation
+
+**Examples:**
+- "What's the status of X?"
+- Summarize or format a session log
+- Search/grep for a value
+- Convert or extract data
+- Write/update a markdown doc
+
+**Agents that default here:** documentation-squire, explore (quick searches), photo
+
+**Agent call:** `model: "haiku"`
+
+---
+
+## Tier 2 — Sonnet (default, inherit)
+
+**Signals:** standard code generation, routine DB queries, test execution, API work, multi-file reads, git operations
+
+**Examples:**
+- Add or modify an endpoint
+- Run tests and report results
+- Write a DB migration
+- Fetch credentials, configure a service
+- Commit and push changes
+
+**Agents that default here:** coding, database, testing, gitea, general-purpose, deep-explore (standard search)
+
+**Agent call:** omit `model` (inherits session model)
+
+---
+
+## Tier 3 — Opus (high-stakes reasoning)
+
+**Signals:** architectural decision, security/auth, 3+ interacting systems, ambiguous root cause, production data risk, anything that fails badly if wrong
+
+**Examples:**
+- Redesign an auth or data flow
+- Security or code review of a critical PR
+- Debug a multi-service race condition
+- Schema migration on production data
+- Evaluate competing architectural approaches
+
+**Agents that default here:** code-review (when Sequential Thinking triggers), deep-explore (architecture questions)
+
+**Agent call:** `model: "opus"`
+
+---
+
+## Bump Rule
+
+If the request contains ANY of these keywords, bump one tier up regardless of other signals:
+
+`security`, `auth`, `token`, `credential`, `migration`, `production`, `race condition`, `data loss`, `breach`, `encrypt`
+
+---
+
+## Quick Reference
+
+| Tier | Model | Typical cost | Use when |
+|------|-------|-------------|----------|
+| 1 | `haiku` | ~10x cheaper | Lookup, format, summarize, doc |
+| 2 | (inherit) | baseline | Standard code, DB, tests |
+| 3 | `opus` | ~5x more expensive | Architecture, security, ambiguous failures |
+
+Err toward Tier 2 when uncertain. Only use Opus when the reasoning stakes justify the cost.

.claude/COORDINATION_PROTOCOL.md

@@ -0,0 +1,233 @@
+# Coordination Protocol
+
+Cross-session coordination uses the ClaudeTools API at `http://172.16.3.30:8001/api/coord/`. This replaces PROJECT_STATE.md files.
+
+No auth token required for coordination endpoints — they are internal-only on the 172.16.3.30 private network. Pass `session_id` in the request body or as a query parameter to identify the calling session (e.g., `DESKTOP-0O8A1RL/claude-main`).
+
+---
+
+## When a Lock Is Required
+
+- Editing or creating source code files
+- Git commit or push
+- SSH command that modifies a server (deploy, install, config change, service restart)
+- Database schema change or data migration
+- Build pipeline modification
+
+Reading files, planning, and answering questions do NOT require a lock.
+
+---
+
+## Lock Lifecycle
+
+**Step 1 — Check for conflicts**
+```
+GET /api/coord/locks?project_key=<key>&resource=<resource>
+```
+- Active lock present: stop, report to user, ask how to proceed.
+- Lock `acquired_at` > 2 hours ago: note it, release it (Step 2 below), proceed.
+
+**Step 2 — Claim your lock**
+```
+POST /api/coord/locks
+{
+  "project_key": "gururmm",
+  "session_id": "DESKTOP-0O8A1RL/claude-main",
+  "resource": "server/src/api/credentials.rs",
+  "description": "Adding credential endpoints",
+  "ttl_hours": 2
+}
+```
+Response: `{ "id": "<uuid>", ... }` — save the `id` for release.
+
+`ttl_hours`: use 2 for normal work; 0 for no expiry (use sparingly).
+
+**Step 3 — Do the work**
+
+**Step 4 — Release the lock**
+```
+DELETE /api/coord/locks/<id>?session_id=<session_id>
+```
+Release on completion AND on failure. Only the claiming session may release.
+
+**Stale lock rule:** A lock with `acquired_at` older than 2 hours and no activity update is abandoned. Release it, then proceed.
+
+---
+
+## Component States
+
+Record the current status of named system components so all sessions share a live view.
+
+**Upsert a component state:**
+```
+PUT /api/coord/components
+{
+  "project_key": "gururmm",
+  "component": "server",
+  "state": "deployed",
+  "version": "0.3.0",
+  "notes": "Deployed 2026-05-12; credential store live",
+  "updated_by": "DESKTOP-0O8A1RL/claude-main"
+}
+```
+
+Valid states (convention — not enforced): `building`, `built`, `deploying`, `deployed`, `degraded`, `unknown`
+
+**Read all component states for a project:**
+```
+GET /api/coord/components?project_key=gururmm
+```
+
+---
+
+## Workflows and Work Items
+
+Use workflows to track multi-step initiatives that span sessions or days.
+
+**Create a workflow:**
+```
+POST /api/coord/workflows
+{
+  "project_key": "gururmm",
+  "name": "Network Discovery Phase 1",
+  "description": "TCP probe scanner + DB layer + API + dashboard",
+  "status": "planning",
+  "created_by": "DESKTOP-0O8A1RL/claude-main"
+}
+```
+
+**Add work items to a workflow:**
+```
+POST /api/coord/work-items
+{
+  "workflow_id": "<uuid>",
+  "project_key": "gururmm",
+  "title": "Write migrations 017-019 for discovery tables",
+  "status": "pending",
+  "priority": 10
+}
+```
+
+**Update work item status:**
+```
+PATCH /api/coord/work-items/<id>
+{ "status": "completed" }
+```
+
+Workflow statuses: `planning`, `active`, `blocked`, `completed`, `cancelled`
+Work item statuses: `pending`, `in_progress`, `blocked`, `completed`, `cancelled`
+
+---
+
+## Inter-Session Messages
+
+Send targeted messages between sessions or broadcast to a project.
+
+**Send a message:**
+```
+POST /api/coord/messages
+{
+  "from_session": "DESKTOP-0O8A1RL/claude-main",
+  "to_session": "HOWARD-HOME/claude-main",   // omit for broadcast
+  "project_key": "gururmm",
+  "subject": "macOS build pipeline ready for wiring",
+  "body": "build-agents.sh updated. Section marked TODO-MACOS. Wire in from your end."
+}
+```
+
+**Check for unread messages (do this at session start):**
+```
+GET /api/coord/messages?to_session=<session_id>&unread_only=true
+```
+
+Display each unread message prominently:
+```
+============================================================
+MESSAGE FROM <from_session> — <subject>
+============================================================
+<body>
+============================================================
+```
+
+**Mark as read:**
+```
+PUT /api/coord/messages/<id>/read
+```
+
+---
+
+## Status Overview
+
+Quick snapshot of everything active:
+```
+GET /api/coord/status
+```
+Returns: active locks, recent component state changes, active workflows, unread message count.
+
+---
+
+## Session Cleanup
+
+When a session ends cleanly, release all its locks:
+```
+DELETE /api/coord/locks?session_id=<session_id>&release_all=true
+```
+
+---
+
+## project_key Slugs
+
+| Slug | Project |
+|------|---------|
+| `gururmm` | GuruRMM server + dashboard |
+| `claudetools` | ClaudeTools API + coordination system |
+| `dataforth-dos` | Dataforth DOS project |
+
+Free-form — add new slugs as needed. Does NOT foreign-key to the projects table.
+
+---
+
+## Softfail and Catch-Up
+
+The coordination API must never block work. If it is unavailable:
+
+**On any network error, timeout, or 5xx response:**
+1. Log the failed call to `.claude/coord-queue.jsonl` (one JSON object per line):
+   ```json
+   {"ts":"2026-05-12T15:30:00Z","method":"PUT","path":"/api/coord/components/gururmm/server","body":{"state":"deployed","version":"0.3.0","notes":"...","updated_by":"DESKTOP-0O8A1RL/claude-main"}}
+   ```
+2. Continue working. Do not retry immediately.
+
+**On 503 with `Retry-After` header:**  
+Wait the specified seconds, then retry once. If the retry also fails, queue it.
+
+**Catch-up (session start and after `/sync`):**
+```bash
+# If coord-queue.jsonl exists and is non-empty:
+while read -r line; do
+  method=$(echo "$line" | jq -r .method)
+  path=$(echo "$line" | jq -r .path)
+  body=$(echo "$line" | jq -r .body)
+  curl -s -X "$method" "http://172.16.3.30:8001$path" -H "Content-Type: application/json" -d "$body"
+done < .claude/coord-queue.jsonl
+# Remove the file only if all calls succeeded
+```
+
+The queue file lives in `.claude/coord-queue.jsonl` (gitignored — local to each workstation).
+
+---
+
+## API Softfail Behavior (Server Side)
+
+When the MariaDB database is unavailable:
+- Coord endpoints return `503 Service Unavailable` with header `Retry-After: 30`
+- Response body: `{"detail": "Database unavailable. Retry after 30 seconds.", "retry_after": 30}`
+- `GET /health` reflects DB status: `{"status":"degraded","database":"disconnected"}`
+
+This behavior is implemented in the API server and does not need to be coded by agents.
+
+---
+
+## Migration Note
+
+`projects/*/PROJECT_STATE.md` files are ARCHIVED — read-only historical reference. Do not edit them. Use this API for all live coordination going forward.

.claude/DATABASE_FIRST_PROTOCOL.md

@@ -232,7 +232,7 @@ curl http://172.16.3.30:8001/health
 # Check total contexts
 curl -H "Authorization: Bearer $JWT" \
   http://172.16.3.30:8001/api/conversation-contexts | \
-  python -c "import sys,json; print(f'Total: {json.load(sys.stdin)[\"total\"]}')"
+  jq -r '.total'
 
 # Try different search term
 # Instead of: search_term=dataforth%20DOS

.claude/FILE_PLACEMENT_GUIDE.md

@@ -16,7 +16,7 @@
 | Client Info | Client details | `clients/[client-name]/CLIENT_INFO.md` |
 | Client Session Logs | Support notes | `clients/[client-name]/session-logs/` |
 | ClaudeTools API Code | `*.py`, migrations | `api/`, `migrations/` (keep existing structure) |
-| ClaudeTools API Logs | Session notes | `projects/claudetools-api/session-logs/` |
+| ClaudeTools API Logs | Session notes | `session-logs/` (root) |
 | General Session Logs | Mixed work | `session-logs/YYYY-MM-DD-session.md` |
 | Credentials | All credentials | `credentials.md` (root - shared) |
 
@@ -28,7 +28,7 @@
 
 **Ask yourself:** What project or client is this related to?
 - Dataforth DOS → `projects/dataforth-dos/`
-- ClaudeTools API → `projects/claudetools-api/` or root API folders
+- ClaudeTools API → root `api/`, `migrations/` folders; session logs to root `session-logs/`
 - Specific Client → `clients/[client-name]/`
 - Multiple projects → Root or `session-logs/`
 
@@ -96,8 +96,8 @@ clients/[client-name]/
 **Files Created:**
 - New router → `api/routers/new_endpoint.py` (existing structure)
 - Migration → `migrations/versions/xxx_add_table.py` (existing structure)
-- Session log → `projects/claudetools-api/session-logs/2026-01-20-session.md`
-- API docs → `projects/claudetools-api/documentation/NEW_ENDPOINT.md`
+- Session log → `session-logs/2026-01-20-session.md` (root)
+- API docs → `api/` or root `docs/` if cross-cutting
 
 ### Scenario 4: Mixed Work (Multiple Projects)
 

.claude/MAC-vault-readiness-test.md

@@ -0,0 +1,197 @@
+# Mac Vault Readiness Test Results
+
+**Date:** 2026-04-21
+**Machine:** Mikes-MacBook-Air.local
+**Purpose:** Test vault access capability for remediation-tool
+
+---
+
+## Test Results Summary
+
+**Status:** NOT READY - Multiple blockers present
+
+### Dependencies Check
+
+| Component | Status | Notes |
+|-----------|--------|-------|
+| jq | ✓ INSTALLED | jq-1.7.1-apple |
+| SOPS | ✗ NOT INSTALLED | Required for decrypting .sops.yaml files |
+| age | ✗ NOT INSTALLED | Required for SOPS encryption/decryption |
+| age key | ✗ NOT CONFIGURED | ~/.config/sops/age/keys.txt missing |
+| vault repo | ✗ NOT CLONED | Git authentication blocked |
+| vault_path in identity.json | ✗ NOT SET | Would point to ~/vault once cloned |
+
+### What Works
+
+**[OK] Vault wrapper script exists and reports correct errors:**
+```bash
+bash .claude/scripts/vault.sh list
+→ [ERROR] vault_path not set in identity.json
+```
+
+**[OK] get-token.sh bug fixes applied:**
+- Variable collision fixed (VAULT_PATH → VAULT_ROOT_ENV)
+- Directory traversal corrected (4 levels up instead of 3)
+
+**[OK] Remediation-tool scripts are executable:**
+```bash
+ls -la .claude/skills/remediation-tool/scripts/*.sh
+→ All scripts have execute permissions
+```
+
+### What's Blocked
+
+**1. Vault Repository Clone**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+→ fatal: could not read Password: Device not configured
+```
+
+Git cannot prompt for credentials in this terminal session.
+
+**2. SOPS Installation**
+```bash
+sops --version
+→ command not found
+```
+
+SOPS not installed via Homebrew or other package manager.
+
+**3. age Installation**
+```bash
+age --version
+→ command not found
+```
+
+age encryption tool not installed.
+
+**4. age Key Configuration**
+```bash
+test -f ~/.config/sops/age/keys.txt
+→ File does not exist
+```
+
+No SOPS age private key configured.
+
+---
+
+## What Would Be Required to Unblock
+
+### Installation Steps (If Vault Access on Mac is Needed)
+
+**1. Install Homebrew (if not already installed):**
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+```
+
+**2. Install SOPS:**
+```bash
+brew install sops
+```
+
+**3. Install age:**
+```bash
+brew install age
+```
+
+**4. Copy age private key from Windows:**
+
+On Windows (DESKTOP-0O8A1RL):
+```bash
+cat C:\Users\<username>\.config\sops\age\keys.txt
+```
+
+On Mac:
+```bash
+mkdir -p ~/.config/sops/age
+# Paste the private key content into:
+nano ~/.config/sops/age/keys.txt
+chmod 600 ~/.config/sops/age/keys.txt
+```
+
+**5. Configure Git credential helper:**
+```bash
+git config --global credential.helper osxkeychain
+```
+
+**6. Clone vault repository:**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+# Will prompt for password - enter Gitea password
+```
+
+**7. Add vault_path to identity.json:**
+```bash
+# Edit .claude/identity.json and add:
+"vault_path": "/Users/azcomputerguru/vault"
+```
+
+**8. Test token acquisition:**
+```bash
+cd .claude/skills/remediation-tool/scripts
+./get-token.sh grabblaw.com investigator
+```
+
+Should return a JWT token if all configured correctly.
+
+---
+
+## Is This Worth Doing?
+
+**Probably not, unless you need remediation-tool on Mac.**
+
+**Why it's not urgent:**
+- Windows (DESKTOP-0O8A1RL) has working vault + remediation-tool ✓
+- Vault sync validated on Windows - all 5 tiers working ✓
+- Howard can be unblocked by pulling vault on ACG-Tech03L ✓
+- Mac is just for testing/portability
+
+**Use cases for Mac vault:**
+- Running breach checks while away from Windows desktop
+- Testing remediation-tool portability across platforms
+- Validating vault sync from Mac perspective
+
+**Alternatives:**
+- Use Windows for all remediation-tool work (current state)
+- SSH into Windows from Mac when needed
+- Remote desktop to Windows desktop
+
+---
+
+## Recommendation
+
+**Skip Mac vault setup for now.**
+
+**Reasons:**
+1. Windows already validated vault sync works
+2. All 5 SOPS files confirmed present
+3. Token acquisition tested on all 5 tiers
+4. Howard can be notified to pull
+5. Mac setup requires 4 installations + credential management
+
+**Only set up Mac vault if:**
+- You frequently work from Mac and need remediation-tool
+- You want to test cross-platform portability
+- Windows desktop is unavailable for extended periods
+
+---
+
+## Current Capability on Mac
+
+**What works:**
+- Reading/editing remediation-tool scripts
+- Viewing tenant lists (references/tenants.md)
+- Resolving tenant IDs: `./resolve-tenant.sh <domain>`
+- All other ClaudeTools functionality
+
+**What doesn't work:**
+- Token acquisition (no vault)
+- SOPS decryption (no vault + no SOPS)
+- Running breach checks (needs tokens)
+- Testing remediation-tool workflows (needs tokens)
+
+---
+
+**Status:** Documented and understood - Mac not currently set up for vault access
+**Action:** No action needed unless Mac remediation-tool access becomes necessary
+**Validated on:** Windows (DESKTOP-0O8A1RL) - all 5 tiers working

.claude/MCP_SERVERS.md

@@ -0,0 +1,109 @@
+# MCP Servers — Configuration Reference
+
+MCP (Model Context Protocol) servers extend Claude Code with external tool
+capabilities. Each server runs as a child process and exposes tools that
+Claude can call.
+
+**Config file:** `.mcp.json` in repo root (shared across machines via git).
+
+---
+
+## Active Servers
+
+### TickTick
+
+Task management integration for TickTick (todo/project tracking app).
+
+**Tools provided:**
+- `ticktick_create_task`, `ticktick_update_task`, `ticktick_complete_task`, `ticktick_delete_task`
+- `ticktick_create_project`, `ticktick_update_project`, `ticktick_delete_project`
+- `ticktick_list_projects`, `ticktick_get_project`
+
+**Auth:** OAuth token stored in vault at `services/ticktick.sops.yaml`. Token file
+auto-generated by `mcp-servers/ticktick/ticktick_auth.py` on first use.
+
+**Config in `.mcp.json`:**
+```json
+{
+  "mcpServers": {
+    "ticktick": {
+      "command": "python",
+      "args": ["D:\\claudetools\\mcp-servers\\ticktick\\ticktick_mcp.py"]
+    }
+  }
+}
+```
+
+### Claude-in-Chrome (browser automation)
+
+Installed as a Chrome browser extension. Provides browser automation tools
+for web interaction, form filling, page reading, screenshots, GIF recording.
+
+**Not configured in `.mcp.json`** — runs as a Chrome extension that connects
+automatically when the Claude Code extension is active and Chrome is open.
+
+**Tools provided:** `tabs_context_mcp`, `tabs_create_mcp`, `navigate`, `computer`
+(click/type/screenshot), `read_page`, `find`, `form_input`, `javascript_tool`,
+`get_page_text`, `read_console_messages`, `gif_creator`, etc.
+
+**Requires:** Chrome browser with the Claude-in-Chrome extension installed.
+
+---
+
+## Available but Not Wired
+
+These server directories exist but aren't in `.mcp.json`. Add them when needed.
+
+### GrepAI MCP Server
+
+Semantic code search over the indexed codebase. Alternative to using the
+`grepai search` CLI directly.
+
+**To activate:** Add to `.mcp.json`:
+```json
+{
+  "grepai": {
+    "command": "D:\\claudetools\\grepai.exe",
+    "args": ["mcp-serve"]
+  }
+}
+```
+
+**Requires:** GrepAI initialized (`grepai init`) + Ollama running with
+`nomic-embed-text` model. Index builds automatically via `grepai watch`.
+
+### Ollama Assistant
+
+Local LLM integration for delegating simple tasks (summarization,
+classification, drafting) to locally-running models.
+
+**Location:** `mcp-servers/ollama-assistant/`
+
+**To activate:** Check the server's README for the exact `.mcp.json` entry.
+Requires Ollama running at `http://localhost:11434` with models pulled.
+
+### Feature Management
+
+Feature flag management server.
+
+**Location:** `mcp-servers/feature-management/`
+
+**Status:** Exists but purpose unclear. Check directory for README.
+
+---
+
+## Adding a New MCP Server
+
+1. Create directory: `mcp-servers/<name>/`
+2. Write the server script (Python or Node recommended)
+3. Add entry to `.mcp.json` with `command` and `args`
+4. Restart Claude Code to pick up the new server
+5. Document in this file
+
+**Important:** `.mcp.json` is tracked in git. Changes sync to all machines.
+Machine-specific server paths should use absolute paths that work on all
+team workstations (or use relative paths from repo root).
+
+---
+
+*Last updated: 2026-04-16*

.claude/OLLAMA.md

@@ -0,0 +1,161 @@
+# Ollama — Local AI Reference
+
+Ollama runs on Mike's workstation (DESKTOP-0O8A1RL) with GPU acceleration. Available to all team members via Tailscale.
+
+## Models
+
+| Model | Size | Use For |
+|-------|------|---------|
+| `qwen3:14b` | 9.3 GB | Summarization, classification, data extraction, drafting |
+| `codestral:22b` | 12 GB | Code generation, refactoring suggestions, docstrings |
+| `nomic-embed-text` | 274 MB | Embeddings only (used by GrepAI) |
+
+## Endpoints
+
+Auto-detect: any machine that has a local Ollama listening on `127.0.0.1:11434` uses local. Otherwise fall back to Mike's workstation over Tailscale.
+
+```bash
+# Preferred universal resolver — works on any machine
+if curl -s -m 2 http://localhost:11434/api/tags >/dev/null 2>&1; then
+    OLLAMA="http://localhost:11434"
+else
+    OLLAMA="http://100.92.127.64:11434"
+fi
+```
+
+Rationale:
+- **Mike's workstation (DESKTOP-0O8A1RL):** local matches, no change.
+- **HOWARD-HOME:** also has a local Ollama with the canonical model set (confirmed 2026-04-22). Uses local — faster, zero Tailscale hop, no load on Mike's GPU.
+- **Other team machines:** no local Ollama → falls back to Mike's over Tailscale.
+- **Mike's machine offline:** graceful degradation — local users continue working; non-local users get a clean timeout.
+
+Manual override (for testing or explicit preference): set `OLLAMA=http://100.92.127.64:11434` before the call.
+
+Check reachability:
+```bash
+curl -s $OLLAMA/api/tags | jq -r '.models[].name'
+```
+
+If neither endpoint responds: verify Tailscale (`tailscale status`) and whether your local Ollama service is running.
+
+## Access Control
+
+- Port 11434 allowed ONLY from Tailscale subnet (100.0.0.0/8)
+- NOT exposed to LAN, VPN, or internet
+- Binding: `OLLAMA_HOST=0.0.0.0:11434` (firewall restricts)
+
+## Calling Ollama
+
+Use the `/api/chat` endpoint with `think:false` for qwen3 models. The older `/api/generate` endpoint on qwen3 puts output into thinking tokens that don't appear in the `response` field — you'll get an empty response if you use `/api/generate`.
+
+Preferred one-liner:
+```bash
+python -c "
+import urllib.request, json, sys, os
+OLLAMA = os.environ.get('OLLAMA') or ('http://localhost:11434' if __import__('urllib.request').request.urlopen(urllib.request.Request('http://localhost:11434/api/tags'),timeout=2) else 'http://100.92.127.64:11434')
+body = json.dumps({
+  'model':'qwen3:14b',
+  'messages':[{'role':'user','content': sys.argv[1]}],
+  'stream':False,
+  'think':False
+}).encode()
+res = json.loads(urllib.request.urlopen(urllib.request.Request(OLLAMA+'/api/chat', body), timeout=120).read())
+print(res['message']['content'])
+" "Your prompt here"
+```
+
+Or set `$OLLAMA` once from bash (see auto-detect formula above) and reuse it across calls.
+
+For code suggestions, swap `qwen3:14b` for `codestral:22b`. Codestral doesn't need `think:false`.
+
+Cold-start is ~30-50s on first call per model per session. Warm calls are 1-5s.
+
+## Documentation Engine
+
+**Ollama is the default documentation engine for all prose output.** Any time stored text needs to be generated — session logs, commit messages, ticket comments, client notes, code docs — route it through Ollama first. Claude reviews, corrects if needed, then writes or posts.
+
+This keeps Claude tokens focused on reasoning, decisions, and execution. Ollama handles the writing.
+
+### What Ollama owns
+
+| Output | Model | Claude's role |
+|--------|-------|---------------|
+| Session log narrative (summary, decisions, problems) | qwen3:14b | Review + assemble with factual sections |
+| Commit message body | qwen3:14b | Review + execute git commit |
+| Syncro comment bodies + billing descriptions | qwen3:14b | Review checklist + post via API |
+| Ticket initial issue / description text | qwen3:14b | Review + post |
+| Client-facing notes and summaries | qwen3:14b | Review for accuracy |
+| Code comments and docstrings | codestral:22b | Review before applying |
+| Refactor suggestions | codestral:22b | Review before applying |
+
+### What Claude always owns (never Ollama)
+
+- Credentials, passwords, API keys — must be verbatim accurate
+- Infrastructure details, IPs, hostnames — must be verbatim accurate
+- Command outputs and error messages — verbatim from actual output
+- Security decisions, auth review, production migrations
+- Final field values on API payloads (rates, IDs, quantities)
+
+### GrepAI config (re-apply on new machines)
+
+`.grepai/` is gitignored (90 MB index + machine-specific timestamps). After running `grepai init` on a new machine, apply these overrides to `.grepai/config.yaml`:
+
+**Remove the `.md` penalty** (markdown is primary content here, not docs noise):
+```yaml
+# DELETE this block:
+- pattern: .md
+  factor: 0.6
+```
+
+**Add these bonuses** under `search.boost.bonuses`:
+```yaml
+- pattern: session-logs/
+  factor: 1.3
+- pattern: .claude/
+  factor: 1.2
+- pattern: /clients/
+  factor: 1.1
+```
+
+**Start watcher + register scheduled task:**
+```bash
+D:/claudetools/grepai.exe watch --background
+# Then in PowerShell (admin not required):
+$action = New-ScheduledTaskAction -Execute "D:\claudetools\grepai.exe" -Argument "watch --background" -WorkingDirectory "D:\claudetools"
+$trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
+$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 0) -MultipleInstances IgnoreNew
+Register-ScheduledTask -TaskName "GrepAI Watcher - claudetools" -Action $action -Trigger $trigger -Settings $settings -Force
+```
+
+### Warm-start and GrepAI
+
+GrepAI uses `nomic-embed-text` for context lookups, which keeps the Ollama **service** running continuously. The 30-50s service cold-start is effectively eliminated in normal workflow. `qwen3:14b` may take ~5s to swap into VRAM if it hasn't been called recently, but that's the worst case — not 50s.
+
+If the first Ollama call of a session needs to be fast, send a throwaway warm-up ping:
+```bash
+py -c "
+import urllib.request, json
+body = json.dumps({'model':'qwen3:14b','messages':[{'role':'user','content':'ok'}],'stream':False,'think':False}).encode()
+urllib.request.urlopen(urllib.request.Request('$OLLAMA/api/chat', body), timeout=60).read()
+print('warm')
+"
+```
+
+## When to Use Which Model
+
+| Task | Model |
+|------|-------|
+| Session log narrative sections | qwen3:14b |
+| Commit message body | qwen3:14b |
+| Ticket / client comment drafting | qwen3:14b |
+| Summarize logs, diffs, incident notes | qwen3:14b |
+| Classify bug type, severity, category | qwen3:14b |
+| Extract structured data from text | qwen3:14b |
+| Code comment / docstring generation | codestral:22b |
+| Refactor suggestions | codestral:22b |
+
+## Review Policy
+
+- Documentation output (session logs, commit messages, comments) — Claude reviews before writing/posting
+- Code suggestions from codestral — always review before applying
+- Never use Ollama for: credentials, auth decisions, production migrations, security review, API payload field values

.claude/ONBOARDING.md

@@ -0,0 +1,274 @@
+# Welcome to ClaudeTools — Onboarding Guide
+
+Hey! This guide explains how our Claude Code setup works, WHY it's built the way it is, and how to use it effectively for daily MSP work. Read this once, then use it as reference when something feels unfamiliar.
+
+---
+
+## What is this?
+
+ClaudeTools is our shared workspace for **Claude Code** — the AI coding + automation assistant. It's a git repo that syncs across our workstations via Gitea (our self-hosted Git server). Everything Claude learns, every session log, every automation script, every project we build — it all lives here and stays in sync.
+
+**Why a repo instead of just using Claude directly?**
+- Claude Code loses context between sessions. This repo IS the memory.
+- Session logs preserve what we did, what creds we used, what decisions we made.
+- CLAUDE.md tells Claude HOW to behave specifically for our org (not generic defaults).
+- Skills and commands give us reusable shortcuts for common MSP tasks.
+- The vault (separate repo) stores all credentials encrypted so Claude can access them without us typing passwords every session.
+
+---
+
+## First time setup
+
+When you open Claude Code for the first time on a new machine, Claude will ask who you are. Just answer with your name. Claude then:
+
+1. Creates a local identity file (so it knows who's at the keyboard)
+2. Sets your git name/email for commits
+3. Registers your machine in the shared users list
+
+After that, every session log and git commit is attributed to you.
+
+### GuruRMM repo — one-time setup per machine
+
+The GuruRMM repo (`projects/msp-tools/guru-rmm/`) requires one extra step after cloning or first use. Run this from the repo root:
+
+```bash
+bash scripts/install-hooks.sh
+```
+
+This does three things permanently:
+- Points git at `scripts/hooks/` so pre-commit checks run automatically (and stay current as hooks evolve — no re-install after updates)
+- Sets `core.autocrlf=false` and `core.eol=lf` for this repo (prevents sqlx migration checksum drift from Windows CRLF line endings)
+- Sets `core.autocrlf=false` globally on this machine
+
+**Why this matters:** sqlx verifies migration files by sha384 hash. A file committed with CRLF line endings hashes differently than the same file with LF — the server sees the mismatch and refuses to start. The `.gitattributes` file handles new commits automatically; this command configures the git client for existing checkouts.
+
+---
+
+## The slash commands (most important daily tools)
+
+Type these in Claude Code's prompt. They're shortcuts for common operations.
+
+| Command | What it does | When to use |
+|---------|-------------|-------------|
+| `/save` | Saves a comprehensive session log (what you did, creds used, decisions made) | **End of every significant work session.** This is how future-you (or future-me) recovers context. |
+| `/sync` | Pull + push changes to/from Gitea | Start of session (get latest), end of session (push yours) |
+| `/context` | Searches session logs and credentials for previous work | "What did we do for Dataforth last week?" or "What's the password for AD2?" |
+| `/checkpoint` | Git commit + database context save | After completing a feature or fix |
+| `/scc` | Save + Commit + Push (all three in one shot) | Quick end-of-session wrap-up |
+| `/1password` | Access secrets from 1Password | When vault doesn't have a credential |
+
+### Why these exist
+
+Without `/save`, you'd lose everything when a session ends. Without `/sync`, your work stays on one machine. Without `/context`, you'd re-discover the same information every session. These three commands are 90% of daily usage.
+
+---
+
+## The SOPS vault (how credentials work)
+
+We store ALL credentials in an encrypted vault (separate git repo). Files are YAML encrypted with age/SOPS. Claude can decrypt them on the fly.
+
+**How Claude accesses a credential:**
+```bash
+# Always via the ClaudeTools wrapper — never a hardcoded path
+bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field clients/dataforth/ad2.sops.yaml credentials.password
+```
+
+**Why this matters:**
+- We never hardcode passwords in scripts or session logs (they're vault references)
+- The vault syncs across machines via Gitea (same as claudetools)
+- Encryption uses an age key — this key needs to be on each machine that decrypts
+
+**Setup required on each machine:**
+
+1. **Clone the vault repo** somewhere convenient (e.g., `~/vault` on Mac/Linux, `D:\vault` on Windows)
+
+2. **Add `vault_path` to `.claude/identity.json`** (created during onboarding):
+   ```json
+   {
+     "user": "howard",
+     "vault_path": "/Users/howard/vault"
+   }
+   ```
+   This is the only place the path lives — no hardcoded paths in any shared file.
+
+3. **Install your age key.** Mike will give you the key file. Drop it at:
+   - **Windows:** `C:\Users\<you>\AppData\Roaming\sops\age\keys.txt`
+   - **Mac/Linux:** `~/.config/sops/age/keys.txt`
+
+Without the age key, vault commands fail. Everything else works fine.
+
+---
+
+## How Claude knows about our infrastructure
+
+### CLAUDE.md (the brain)
+
+`.claude/CLAUDE.md` is the master instructions file. Claude reads it at the start of every session. It tells Claude:
+
+- **Who we are** (AZ Computer Guru, MSP)
+- **How to behave** (delegate to agents, no emojis, use vault for creds)
+- **What projects exist** (GuruRMM, Dataforth, ClaudeTools API)
+- **How to load context** automatically when you mention a project keyword
+
+**Key behavior:** If you say "work on Dataforth", Claude automatically reads `projects/dataforth-dos/CONTEXT.md` before responding. Same for "GuruRMM" → reads `projects/msp-tools/guru-rmm/CONTEXT.md`. This means Claude starts every project conversation with full context — server IPs, current state, recent work, anti-patterns to avoid.
+
+### CONTEXT.md files (per-project state)
+
+Each major project has a `CONTEXT.md` that captures:
+- Server IPs, ports, credentials references
+- Current deployment state
+- Recent session logs (what was done last)
+- Anti-patterns (things NOT to do, learned from past mistakes)
+- What to work on next
+
+These files are the **single source of truth** for "where are we on this project."
+
+### Session logs (the history)
+
+Every significant work session gets a log saved to `session-logs/` (root for general, or `projects/*/session-logs/` for project-specific). These include:
+- What was accomplished
+- Full credentials used (unredacted — needed for future sessions)
+- Infrastructure changes made
+- Commands that worked and errors that didn't
+- What's still pending
+
+**This is why `/save` matters.** Without it, the next person (or the next Claude session) starts from scratch.
+
+---
+
+## Skills (auto-invoked behaviors)
+
+Skills are more powerful than commands — some trigger automatically.
+
+| Skill | Auto-invokes? | What it does |
+|-------|--------------|-------------|
+| `frontend-design` | YES — after any UI change | Validates visual correctness, accessibility, design quality |
+| `stop-slop` | YES — always active | Prevents generic/lazy AI output. Enforces quality. |
+| `remediation-tool` | When you say "remediation tool" or "365" | M365 tenant investigation via our Graph API app |
+| `skill-creator` | On request | Helps build new custom skills |
+| `theme-factory` | On request | Apply visual themes to HTML artifacts |
+
+### Why "stop-slop" exists
+
+Without it, Claude defaults to generic patterns (purple gradients, Inter font, emoji-heavy prose). Our `stop-slop` skill enforces our standards: ASCII markers instead of emojis, specific rather than vague, no filler phrases.
+
+---
+
+## Agents (specialized workers)
+
+Claude Code can spawn sub-agents for specific tasks. These are defined in `.claude/agents/`. The main ones you'll encounter:
+
+| Agent | What it does | When Claude uses it |
+|-------|-------------|-------------------|
+| **Database Agent** | Runs SQL queries on our databases | Any database operation — Claude should NEVER query directly |
+| **Code Review Agent** | Reviews code changes for quality/security | After any code modification |
+| **Coding Agent** | Writes production code | When Claude needs to generate code (not just edit) |
+| **Explore Agent** | Searches codebases quickly | When looking for files, patterns, or understanding code |
+| **Gitea Agent** | Git commits, pushes, branch operations | Commit workflow |
+| **Backup Agent** | Backup operations | Before destructive changes |
+
+**Why agents?** Claude has a limited context window. If it does everything itself, it runs out of memory mid-conversation. Agents handle heavy work in isolation and return just the summary. Also: separation of concerns — the Code Review Agent can independently evaluate code the Coding Agent wrote.
+
+---
+
+## Local AI tools (when available)
+
+### Ollama (local LLM)
+
+Ollama runs AI models locally on your GPU. Used for tasks that don't need Claude's full reasoning power — summarization, classification, data extraction.
+
+**Models we use:**
+- `qwen3:14b` — general purpose (summarization, drafting)
+- `codestral:22b` — code generation assistance
+- `nomic-embed-text` — embeddings for semantic search
+
+**Ollama runs on Mike's workstation** and is shared via Tailscale. You don't need to install it locally.
+
+**To use from your machine (Tailscale must be connected):**
+```bash
+curl -s http://100.92.127.64:11434/api/tags
+```
+
+If that returns models, you're connected. Claude automatically uses the right URL based on which machine you're on (reads from `identity.json`).
+
+If it fails: check that Tailscale is connected (`tailscale status`) and Mike's workstation is online.
+
+### GrepAI (semantic code search)
+
+Searches code by MEANING rather than exact text. "How does auth work?" finds authentication code even if the word "auth" doesn't appear.
+
+**Status:** Requires setup per-machine (index build). The `deep-explore` agent uses it. If it's not installed, Claude uses regular grep (still works, just less smart).
+
+---
+
+## Project structure
+
+```
+D:\claudetools\
+  .claude/           — Claude's brain (CLAUDE.md, agents, skills, memory, commands)
+  session-logs/      — General work logs
+  projects/
+    dataforth-dos/   — Dataforth test datasheet pipeline (AD2, testdatadb)
+    msp-tools/
+      guru-rmm/      — GuruRMM agent + server (Rust, our product)
+    newsletter/      — Marketing newsletters
+  clients/
+    dataforth/       — Dataforth-specific client docs
+    pavon/           — Pavon/client docs
+    ...              — Other clients
+  credentials.md     — Quick-reference credentials (vault is source of truth)
+  CONTEXT.md         — Root-level project context
+
+D:\vault\            — SOPS-encrypted credentials (separate repo)
+  infrastructure/    — Our servers (Jupiter, Uranus, pfSense, etc.)
+  clients/           — Client credentials
+  services/          — Service credentials (Cloudflare, Azure, Gitea, etc.)
+  projects/          — Project-specific secrets
+```
+
+---
+
+## Daily workflow
+
+### Starting a work session
+1. Open Claude Code in the project directory
+2. Claude greets you by name (reads identity.json)
+3. Tell Claude what you're working on — it auto-loads the right context
+4. Work normally — ask questions, make changes, run commands
+
+### Ending a work session
+1. `/save` — creates the session log (DO THIS EVERY TIME)
+2. `/sync` — pushes everything to Gitea
+3. Close Claude Code
+
+### When switching projects mid-session
+Just say "let's work on GuruRMM" or "switch to Dataforth" — Claude reads the relevant CONTEXT.md and picks up where the last session left off.
+
+---
+
+## Things to know
+
+**Claude remembers across sessions** — via session logs and memory files, not magic. If you don't `/save`, the next session starts cold.
+
+**Credentials are in the vault** — don't ask Mike for passwords; ask Claude. It decrypts from the vault.
+
+**Git commits are attributed to YOU** — your name and email appear on every commit from your machine.
+
+**Production deployments need care** — Claude will warn before destructive operations (git push --force, database drops, service restarts). Read the warnings.
+
+**If Claude seems confused about a project** — say `/context` and ask it to search for recent work. Or read the project's CONTEXT.md yourself.
+
+**If something breaks** — session logs have the full history. `git log` shows what changed and who changed it. Gitea keeps everything.
+
+---
+
+## Getting help
+
+- Ask Claude: "What commands do I have?" or "How do I access credentials?"
+- Read `.claude/CLAUDE.md` for the full rulebook
+- Check `session-logs/` for recent work examples
+- Ask Mike
+
+---
+
+*Last updated: 2026-04-16*

.claude/PROJECT_STATE_PROTOCOL.md

@@ -0,0 +1,42 @@
+# PROJECT_STATE.md Locking Protocol
+
+This protocol prevents conflicts between concurrent Claude sessions. Follow it for every significant action on any project that has a PROJECT_STATE.md.
+
+## What Requires a Lock
+
+- Editing or creating source code files
+- Git commit or push
+- SSH command that modifies a server (deploy, install, config change, service restart)
+- Database schema change or data migration
+- Build pipeline modification
+
+Reading files, planning, and answering questions do NOT require a lock.
+
+## The Protocol
+
+**Step 1 — Read before acting**
+Re-read PROJECT_STATE.md before starting:
+- Check Active Session Locks: is anything locked that you need to touch?
+- Conflicting lock < 2 hours old: stop, report to user, ask how to proceed.
+- Lock > 2 hours old (stale): note it to user, clear the row, proceed.
+
+**Step 2 — Claim your lock**
+Add a row to Active Session Locks before performing the action:
+
+| Session | Working On | Status | Blocks | Started |
+|---------|-----------|--------|--------|---------|
+| DESKTOP-0O8A1RL/Claude | Brief description | IN_PROGRESS | What others must avoid | HH:MM UTC |
+
+Use `{machine}/{Claude or agent description}` as the Session identifier.
+
+**Step 3 — Perform the action**
+
+**Step 4 — Update on completion OR failure**
+1. Remove your lock row
+2. Add a Recent Changes entry with status: `COMPLETE`, `FAILED`, `PARTIAL`, or `ROLLED_BACK`
+3. Update Current Project State if any component status changed
+4. Check off completed Pending items
+
+## Stale Lock Rule
+
+A lock older than 2 hours with no timestamp update is abandoned. Clear it, note `[Cleared stale lock from {session}]` in Recent Changes, then proceed.

.claude/VAULT-SETUP-GUIDE.md

@@ -0,0 +1,522 @@
+# Vault Setup Guide - Multi-Machine Reference
+
+**Last Updated:** 2026-04-21
+**Tested On:** Mikes-MacBook-Air.local (Mac), DESKTOP-0O8A1RL (Windows)
+**Purpose:** Complete guide for setting up vault access on any machine
+
+---
+
+## Overview
+
+The vault repository contains encrypted credentials (SOPS files) required for remediation-tool to acquire tokens. This guide covers full setup from scratch on any machine.
+
+---
+
+## Prerequisites
+
+Before starting, you need:
+- ClaudeTools repository cloned
+- Network access to Gitea server (http://172.16.3.20:3000)
+- Gitea credentials (username: azcomputerguru, password: see below)
+- Age key (private key shared across team - see below)
+
+---
+
+## Quick Reference - Credentials
+
+### Gitea Password
+```
+Gptf*77ttb123!@#-git
+```
+
+### Age Private Key
+```
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+```
+
+---
+
+## Installation Steps
+
+### Step 1: Install Dependencies
+
+**Mac (Homebrew):**
+```bash
+brew install sops age jq
+```
+
+**Windows (Chocolatey):**
+```powershell
+choco install sops age jq
+```
+
+**Windows (Manual):**
+- Download SOPS: https://github.com/mozilla/sops/releases
+- Download age: https://github.com/FiloSottile/age/releases
+- Download jq: https://jqlang.github.io/jq/download/
+- Add to PATH
+
+**Linux (apt):**
+```bash
+sudo apt install age jq
+# SOPS from GitHub releases (not in apt)
+wget https://github.com/mozilla/sops/releases/download/v3.12.2/sops-v3.12.2.linux.amd64 -O /usr/local/bin/sops
+chmod +x /usr/local/bin/sops
+```
+
+### Step 2: Clone Vault Repository
+
+**Mac/Linux:**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+# Password when prompted: Gptf*77ttb123!@#-git
+```
+
+**Windows:**
+```cmd
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git D:\vault
+REM Password when prompted: Gptf*77ttb123!@#-git
+```
+
+**Important:** Must use real terminal, not Claude Code shell (auth prompts don't work in Claude Code).
+
+### Step 3: Configure Age Key
+
+**Mac/Linux:**
+```bash
+mkdir -p ~/.config/sops/age
+cat > ~/.config/sops/age/keys.txt << 'AGEEOF'
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+AGEEOF
+chmod 600 ~/.config/sops/age/keys.txt
+```
+
+**Windows (PowerShell):**
+```powershell
+$KeyDir = "$env:USERPROFILE\.config\sops\age"
+New-Item -ItemType Directory -Force -Path $KeyDir | Out-Null
+
+$KeyContent = @"
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+"@
+
+Set-Content -Path "$KeyDir\keys.txt" -Value $KeyContent -NoNewline
+```
+
+**Windows (Git Bash):**
+```bash
+mkdir -p /c/Users/$USER/.config/sops/age
+cat > /c/Users/$USER/.config/sops/age/keys.txt << 'AGEEOF'
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+AGEEOF
+```
+
+### Step 4: Configure SOPS Environment Variable
+
+**Mac (zsh):**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.zshenv
+source ~/.zshenv
+```
+
+**Mac (bash):**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.bash_profile
+source ~/.bash_profile
+```
+
+**Windows (PowerShell - permanent):**
+```powershell
+[Environment]::SetEnvironmentVariable("SOPS_AGE_KEY_FILE", "$env:USERPROFILE\.config\sops\age\keys.txt", "User")
+```
+
+**Windows (Git Bash):**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.bashrc
+source ~/.bashrc
+```
+
+**Linux:**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.bashrc
+source ~/.bashrc
+```
+
+### Step 5: Fix vault.sh Line Endings (If Needed)
+
+**If you see error: `env: bash\r: No such file or directory`**
+
+This means vault.sh has Windows line endings (CRLF). Fix with:
+
+**Mac/Linux:**
+```bash
+# Using perl (always available)
+perl -pi -e 's/\r\n/\n/g' ~/vault/scripts/vault.sh
+
+# Or using dos2unix if installed
+dos2unix ~/vault/scripts/vault.sh
+```
+
+**Windows (Git Bash):**
+```bash
+dos2unix /d/vault/scripts/vault.sh
+```
+
+**Make executable:**
+```bash
+chmod +x ~/vault/scripts/vault.sh  # Mac/Linux
+chmod +x /d/vault/scripts/vault.sh  # Windows Git Bash
+```
+
+### Step 6: Add vault_path to identity.json
+
+**Edit ClaudeTools identity.json:**
+
+**Mac:**
+```bash
+# File: ~/ClaudeTools/.claude/identity.json
+# Add this field:
+"vault_path": "/Users/azcomputerguru/vault"
+```
+
+**Windows:**
+```bash
+# File: D:\ClaudeTools\.claude\identity.json
+# Add this field:
+"vault_path": "D:/vault"
+```
+
+**Linux:**
+```bash
+# File: ~/ClaudeTools/.claude/identity.json
+# Add this field:
+"vault_path": "/home/<username>/vault"
+```
+
+**Full example:**
+```json
+{
+  "user": "mike",
+  "full_name": "Mike Swanson",
+  "email": "mike@azcomputerguru.com",
+  "role": "admin",
+  "machine": "Mikes-MacBook-Air",
+  "mode": "general",
+  "last_updated": "2026-04-19T08:40:00Z",
+  "vault_path": "/Users/azcomputerguru/vault"
+}
+```
+
+---
+
+## Verification Steps
+
+### Test 1: Verify SOPS Can Decrypt
+
+**Mac/Linux:**
+```bash
+sops --decrypt ~/vault/msp-tools/computerguru-security-investigator.sops.yaml | head -10
+```
+
+**Windows:**
+```bash
+sops --decrypt D:/vault/msp-tools/computerguru-security-investigator.sops.yaml | head -10
+```
+
+**Expected output:** YAML content starting with `kind: entra-app`
+
+**If you see:** `Failed to get the data key` → Age key not configured correctly
+
+### Test 2: Verify vault.sh Works
+
+**Mac/Linux:**
+```bash
+~/vault/scripts/vault.sh get-field msp-tools/computerguru-security-investigator.sops.yaml credentials.client_id
+```
+
+**Windows:**
+```bash
+bash D:/vault/scripts/vault.sh get-field msp-tools/computerguru-security-investigator.sops.yaml credentials.client_id
+```
+
+**Expected output:** `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
+
+### Test 3: Verify Token Acquisition
+
+**Mac/Linux:**
+```bash
+cd ~/ClaudeTools/.claude/skills/remediation-tool/scripts
+./get-token.sh grabblaw.com investigator
+```
+
+**Windows:**
+```bash
+cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts
+bash get-token.sh grabblaw.com investigator
+```
+
+**Expected output:** JWT token starting with `eyJ0eXAiOiJKV1Qi...`
+
+### Test 4: Test All Tiers
+
+**Mac/Linux/Windows (Git Bash):**
+```bash
+for tier in investigator investigator-exo user-manager tenant-admin; do
+    echo "Testing tier: $tier"
+    ./get-token.sh grabblaw.com $tier | head -c 50
+    echo "..."
+    echo "---"
+done
+```
+
+**Expected:** JWT tokens for all 4 tiers (defender will fail - not consented in grabblaw.com)
+
+---
+
+## Common Issues and Solutions
+
+### Issue 1: "Device not configured" when cloning vault
+
+**Symptom:**
+```
+fatal: could not read Password for 'http://azcomputerguru@172.16.3.20:3000': Device not configured
+```
+
+**Cause:** Git cannot prompt for password in Claude Code shell
+
+**Solution:** Clone in real terminal (Terminal.app, PowerShell, etc.)
+
+### Issue 2: "env: bash\r: No such file or directory"
+
+**Symptom:** vault.sh won't execute, complains about `bash\r`
+
+**Cause:** Windows line endings (CRLF) in vault.sh
+
+**Solution:**
+```bash
+perl -pi -e 's/\r\n/\n/g' ~/vault/scripts/vault.sh
+chmod +x ~/vault/scripts/vault.sh
+```
+
+### Issue 3: "Failed to get the data key"
+
+**Symptom:** SOPS can't decrypt files
+
+**Cause:** Age key not found or SOPS_AGE_KEY_FILE not set
+
+**Solution:**
+1. Verify age key exists: `cat ~/.config/sops/age/keys.txt`
+2. Set environment variable: `export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt`
+3. Add to shell RC file for persistence
+
+### Issue 4: "vault_path not set in identity.json"
+
+**Symptom:** get-token.sh fails with vault_path error
+
+**Cause:** Missing vault_path field in .claude/identity.json
+
+**Solution:** Add `"vault_path": "/path/to/vault"` to identity.json
+
+### Issue 5: Python "pipefail: invalid option name"
+
+**Symptom:** vault.sh fails on Mac with pipefail error
+
+**Cause:** macOS ships with old bash (3.2) that doesn't support `set -o pipefail`
+
+**Solution:** Already fixed in vault.sh - ensure you have latest version
+
+### Issue 6: "command not found: sops"
+
+**Symptom:** SOPS not in PATH
+
+**Cause:** SOPS not installed or not in PATH
+
+**Solution:**
+- Mac: `brew install sops`
+- Windows: `choco install sops` or add to PATH manually
+- Linux: Download from GitHub releases
+
+---
+
+## What Gets Installed
+
+After successful setup, these files/directories exist:
+
+### Mac/Linux
+```
+~/.config/sops/age/keys.txt           # Age private key
+~/vault/                               # Vault repository
+~/vault/.sops.yaml                     # SOPS config
+~/vault/msp-tools/*.sops.yaml          # Encrypted credentials (6 files)
+~/vault/scripts/vault.sh               # Vault CLI wrapper
+~/ClaudeTools/.claude/identity.json    # Contains vault_path
+~/.zshenv (or ~/.bashrc)               # Contains SOPS_AGE_KEY_FILE
+```
+
+### Windows
+```
+C:\Users\<user>\.config\sops\age\keys.txt    # Age private key
+D:\vault\                                     # Vault repository
+D:\vault\.sops.yaml                           # SOPS config
+D:\vault\msp-tools\*.sops.yaml                # Encrypted credentials (6 files)
+D:\vault\scripts\vault.sh                     # Vault CLI wrapper
+D:\ClaudeTools\.claude\identity.json          # Contains vault_path
+Environment variable: SOPS_AGE_KEY_FILE       # System environment
+```
+
+---
+
+## Vault Repository Structure
+
+```
+vault/
+├── .sops.yaml                    # SOPS encryption config
+├── README.md                     # Vault documentation
+├── scripts/
+│   ├── vault.sh                  # CLI wrapper
+│   └── yaml-query.py             # YAML parser (yq fallback)
+├── msp-tools/
+│   ├── computerguru-security-investigator.sops.yaml    # Tier 1: Graph read
+│   ├── computerguru-exchange-operator.sops.yaml        # Tier 2: EXO write
+│   ├── computerguru-user-manager.sops.yaml             # Tier 3: Graph user write
+│   ├── computerguru-tenant-admin.sops.yaml             # Tier 4: Graph admin
+│   ├── computerguru-defender-addon.sops.yaml           # Tier 5: MDE only
+│   └── computerguru-management.sops.yaml               # Legacy (deprecated)
+├── infrastructure/
+├── clients/
+├── services/
+└── projects/
+```
+
+---
+
+## Security Notes
+
+### Age Key Security
+
+**The age private key decrypts ALL vault secrets. Treat it like a master password.**
+
+- Never commit to git repositories
+- Never share in plaintext over unsecured channels
+- File permissions: 600 (owner read/write only)
+- Store in `.config/sops/age/` (standard location)
+
+### Gitea Credentials
+
+- Password: `Gptf*77ttb123!@#-git`
+- Used for vault repo clone/pull/push
+- Same credentials on all machines
+- Consider using SSH keys instead of HTTPS for better security
+
+### SOPS Files
+
+- Encrypted at rest with age
+- Only `credentials`, `password`, `secret`, `api_key`, `token` fields are encrypted
+- Metadata (kind, name, description) is plaintext
+- Encrypted regex defined in `.sops.yaml`
+
+---
+
+## Maintenance
+
+### Pulling Latest Vault Changes
+
+**Mac/Linux:**
+```bash
+cd ~/vault
+git pull origin main
+```
+
+**Windows:**
+```bash
+cd D:\vault
+git pull origin main
+```
+
+**Run this periodically to get:**
+- New SOPS files
+- Updated credentials
+- Vault script improvements
+
+### Rotating Age Key
+
+If the age key needs to be rotated:
+
+1. Generate new age key: `age-keygen -o new-key.txt`
+2. Re-encrypt all SOPS files with new key
+3. Distribute new key to all machines
+4. Update `.config/sops/age/keys.txt` on each machine
+5. Update `.sops.yaml` with new public key
+
+**Note:** This is a team-wide operation requiring coordination.
+
+---
+
+## Multi-Machine Status
+
+| Machine | Vault Status | Notes |
+|---------|--------------|-------|
+| DESKTOP-0O8A1RL (Windows) | ✓ WORKING | Original setup, all tiers tested |
+| Mikes-MacBook-Air (Mac) | ✓ WORKING | Full setup completed 2026-04-21 |
+| ACG-Tech03L (Howard) | PENDING | Needs vault clone + age key setup |
+| HOWARD-HOME | PENDING | Needs vault clone + age key setup |
+
+---
+
+## For Howard (ACG-Tech03L Setup)
+
+Howard, when you're ready to set up remediation-tool:
+
+### Quick Setup (Git Bash)
+
+```bash
+# 1. Clone vault
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git D:/vault
+# Password: Gptf*77ttb123!@#-git
+
+# 2. Install age key
+mkdir -p ~/.config/sops/age
+cat > ~/.config/sops/age/keys.txt << 'AGEEOF'
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+AGEEOF
+
+# 3. Set environment variable (PowerShell)
+# Run this in PowerShell (not Git Bash):
+[Environment]::SetEnvironmentVariable("SOPS_AGE_KEY_FILE", "$env:USERPROFILE\.config\sops\age\keys.txt", "User")
+
+# 4. Add vault_path to identity.json
+# Edit C:\claudetools\.claude\identity.json
+# Add: "vault_path": "D:/vault"
+
+# 5. Fix line endings if needed
+dos2unix /d/vault/scripts/vault.sh
+chmod +x /d/vault/scripts/vault.sh
+
+# 6. Test
+bash C:/claudetools/.claude/skills/remediation-tool/scripts/get-token.sh grabblaw.com investigator
+```
+
+---
+
+## References
+
+- **SOPS:** https://github.com/mozilla/sops
+- **age:** https://github.com/FiloSottile/age
+- **Vault repo:** http://172.16.3.20:3000/azcomputerguru/vault
+- **ClaudeTools repo:** http://172.16.3.20:3000/azcomputerguru/claudetools
+
+---
+
+**Last tested:** 2026-04-21 on Mikes-MacBook-Air.local
+**Status:** Complete and validated - all 4 tiers working
+**Maintainer:** Mike Swanson

.claude/commands/1password.md

@@ -34,16 +34,61 @@ Never ask users to paste API keys, passwords, or tokens into:
 
 ---
 
-## Setup Check
+## ⚠️ MANDATORY: Use the SOPS-vaulted service account token, never the desktop session
 
-Always verify the CLI is ready before any operation:
+**Every `op` invocation in agent flows must run with `OP_SERVICE_ACCOUNT_TOKEN` set.** The desktop-app integration prompts to unlock the app, which interrupts the agent flow and is unacceptable. The service token is in the SOPS vault at `infrastructure/1password-service-account.sops.yaml` (vault entry kind=`api-key`, name=`1Password Service Account (Agentic-RW)`).
+
+### Load the token at the start of any 1Password work
+
+```bash
+# Decrypt the service token from SOPS (uses the machine's age key)
+export OP_SERVICE_ACCOUNT_TOKEN=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null \
+  | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
+
+# Verify
+op whoami    # expect "User Type: SERVICE_ACCOUNT"
+```
+
+After `export`, every subsequent `op` call in the same bash invocation inherits the token. For one-off calls without exporting:
+
+```bash
+SVC=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
+OP_SERVICE_ACCOUNT_TOKEN="$SVC" op item get "Item Name" --vault Infrastructure
+```
+
+### Vault path resolution
+
+The vault lives wherever `.claude/identity.json` says (`vault_path`). On the current Windows workstation it's `C:/Users/guru/vault`, but other machines (Howard's, future workstations) may differ. Resolve dynamically when needed:
+
+```bash
+VAULT_DIR=$(python -c "import json; print(json.load(open('/c/Users/guru/ClaudeTools/.claude/identity.json'))['vault_path'])")
+SVC=$(sops -d "$VAULT_DIR/infrastructure/1password-service-account.sops.yaml" 2>/dev/null | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
+export OP_SERVICE_ACCOUNT_TOKEN="$SVC"
+```
+
+### Service account scope (verified 2026-04-30)
+
+The Agentic-RW service account has access to: **Clients, Infrastructure, Internal Sites, Managed Websites, MSP Tools, Projects, Sorting**. The Private vault is intentionally NOT shared with the service account — if you need to read from Private, that's a different conversation, not a fallback to desktop session.
+
+### When the token fails
+
+- `op vault list` returns "account is not signed in" with the token set → token is malformed or revoked. Decrypt directly via `sops -d` and inspect.
+- `vault.sh get-field` may fail with "PyYAML not installed" — use direct `sops -d` + grep instead until that wrapper bug is fixed.
+- Never fall back to the desktop-app session in agent flows. If the service token is unrecoverable, stop and tell Mike.
+
+---
+
+## Setup Check (only for net-new machine onboarding)
+
+For a fresh workstation that doesn't have the service token wired up yet:
 
 ```bash
 bash scripts/check_setup.sh
 ```
 
 If not installed: https://developer.1password.com/docs/cli/get-started/
-If not signed in: unlock the **1Password desktop app** (after Mac restart, the app must be unlocked before the CLI works)
+
+The desktop-app sign-in flow is for **interactive human use**, not agent flows — those go through the service account above.
 
 ---
 

.claude/commands/checkpoint.md

@@ -20,17 +20,34 @@ Please create a comprehensive git checkpoint with the following steps:
    - Add ALL untracked files (new files)
    - Use `git add -A` or `git add .` to stage everything
 
-4. **Create a detailed commit message**:
+4. **Draft commit message body via Ollama** (documentation engine):
 
-   - **First line**: Write a clear, concise summary (50-72 chars) describing the primary change
-     - Use imperative mood (e.g., "Add feature" not "Added feature")
-     - Examples: "feat: add user authentication", "fix: resolve database connection issue", "refactor: improve API route structure"
-   - **Body**: Provide a detailed description including:
-     - What changes were made (list of key modifications)
-     - Why these changes were made (purpose/motivation)
-     - Any important technical details or decisions
-     - Breaking changes or migration notes if applicable
-   - **Footer**: Include co-author attribution as shown in the Git Safety Protocol
+   ```bash
+   # Resolve Ollama
+   if curl -s -m 2 http://localhost:11434/api/tags >/dev/null 2>&1; then OLLAMA="http://localhost:11434"
+   elif curl -s -m 3 http://100.92.127.64:11434/api/tags >/dev/null 2>&1; then OLLAMA="http://100.92.127.64:11434"
+   else OLLAMA=""; fi
+
+   # Capture diff summary for Ollama prompt
+   { git diff --stat HEAD; echo "---"; git diff HEAD | head -200; } \
+     > "C:/Users/guru/AppData/Local/Temp/checkpoint_diff.txt"
+
+   # Ollama drafts the body; fallback to Claude if unavailable
+   if [ -n "$OLLAMA" ]; then
+     BODY=$(py -c "
+import urllib.request, json
+diff = open('C:/Users/guru/AppData/Local/Temp/checkpoint_diff.txt', encoding='utf-8').read()
+prompt = 'Write a git commit message BODY only (not the summary line). Imperative mood. What changed and why. No filler. Under 150 words.\n\nDIFF:\n' + diff
+body = json.dumps({'model':'qwen3:14b','messages':[{'role':'user','content':prompt}],'stream':False,'think':False}).encode()
+res = json.loads(urllib.request.urlopen(urllib.request.Request('$OLLAMA/api/chat', body), timeout=60).read())
+print(res['message']['content'])
+")
+   fi
+   ```
+
+   - **Summary line** (first line): Claude writes — 50-72 chars, imperative mood, from `git diff --stat`
+   - **Body**: Ollama draft (Claude reviews); Claude writes directly if Ollama unavailable
+   - **Footer**: `Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>`
 
 5. **Execute the commit**: Create the commit with the properly formatted message following this repository's conventions.
 

.claude/commands/import.md

@@ -0,0 +1,132 @@
+# /import — Ingest a folder into ClaudeTools
+
+Import any folder of data into the ClaudeTools structure. Claude analyzes each file's content, classifies it, proposes placement, sanitizes credentials, and organizes everything into the correct locations.
+
+## Usage
+
+```
+/import <path>                    Import a folder
+/import <path> --dry-run          Show plan without executing
+/import <path> --client <name>    Hint: this data belongs to a specific client
+/import <path> --project <name>   Hint: this data belongs to a specific project
+```
+
+## Arguments
+
+The first argument is a folder path to ingest. Everything inside (recursive) is scanned and classified.
+
+## Process
+
+Follow these steps IN ORDER. Do not skip any step.
+
+### Step 1: Scan
+
+Read the source folder recursively. For each file, note:
+- Filename + extension
+- Size
+- First ~200 lines of content (for text files)
+- Binary vs text detection
+
+Skip files >50 MB (flag them for manual review).
+
+### Step 2: Classify
+
+For each file, determine its category based on content analysis:
+
+| Category | Signals | Destination |
+|---|---|---|
+| **Session log** | Conversation transcript, dated entries, "accomplished", "session" | `session-logs/` or `projects/*/session-logs/` or `clients/*/session-logs/` |
+| **Client work** | Client name mentioned, ticket/case references, client-specific infra | `clients/<client>/` |
+| **Project code** | Source code, configs, build files, READMEs | `projects/<project>/` |
+| **Credentials** | Passwords, API keys, tokens, connection strings, SSH keys | `D:\vault\` (SOPS encrypted) |
+| **Infrastructure docs** | Server configs, network diagrams, IP lists, runbooks | `credentials.md` update or memory entry |
+| **Tool/script** | Standalone utility, automation script, helper | `tools/` or `projects/msp-tools/` |
+| **Documentation** | Guides, how-tos, notes, procedures | Project-specific docs or root docs |
+| **Unknown** | Can't classify | Flag for user decision |
+
+If `--client` or `--project` was specified, weight classification toward that target.
+
+### Step 3: Credential extraction
+
+Before placing ANY file, scan for sensitive data:
+- Passwords (inline, in configs, in notes)
+- API keys / tokens (any string matching `[A-Za-z0-9_\-]{20,}` near words like key/token/secret)
+- Connection strings (jdbc:, postgres://, mysql://, mongodb://)
+- SSH private keys (`-----BEGIN`)
+- Certificate private keys
+
+For each credential found:
+1. Show the user: "Found credential in `<file>`: `<context>` — move to vault?"
+2. If approved: create a vault SOPS entry, replace inline value with a vault reference
+3. If declined: leave as-is but warn
+
+### Step 4: Present plan
+
+Show a table:
+
+```
+SOURCE                          → DESTINATION                              ACTION
+────────────────────────────────────────────────────────────────────────────────────
+notes/client-acme.md            → clients/acme/notes.md                    copy
+scripts/backup-check.ps1        → tools/backup-check.ps1                  copy
+creds.txt                       → D:\vault\clients\acme.sops.yaml         vault + delete source
+session-2026-04-10.md           → clients/acme/session-logs/2026-04-10.md copy
+my-tool/src/main.rs             → projects/msp-tools/howard-tools/src/    copy (new project)
+random-binary.exe               → (SKIP - 85 MB, too large)               flag
+unknown-doc.pdf                 → (UNKNOWN - needs your input)             ask
+```
+
+Ask: "Does this plan look right? I can adjust any placement before executing."
+
+### Step 5: Execute
+
+After approval:
+1. Copy files to destinations (never move from source — source is the user's data)
+2. Create destination directories as needed
+3. Encrypt credential files via SOPS
+4. Update `MEMORY.md` if new knowledge was gained
+5. Update project `CONTEXT.md` files if project state changed
+6. Update `credentials.md` if infrastructure details were discovered
+
+### Step 6: Report
+
+Write a summary showing:
+- Files imported: N
+- Credentials vaulted: N
+- New directories created: list
+- Skipped files: list with reasons
+- Suggested follow-ups (e.g., "review clients/acme/ for completeness")
+
+Commit the imported files with message: `import: ingested <N> files from <source_path>`
+
+## Special cases
+
+### Claude Code session data (~/.claude/projects/)
+
+If the source folder IS a Claude Code projects directory (contains `.jsonl` files):
+- Use `tools/import-sessions.py` to extract summaries first
+- Then apply the standard classification to the summaries
+- Don't import raw JSONL (too large, mostly noise)
+
+### Existing project detection
+
+If imported code has a `Cargo.toml`, `package.json`, `pyproject.toml`, or similar:
+- Detect the project name from the manifest
+- Check if it already exists under `projects/`
+- If new: propose creating a new project directory
+- If existing: propose merging into the existing project
+
+### Duplicate detection
+
+Before copying, check if a file with the same name already exists at the destination:
+- If content is identical: skip (report as "already present")
+- If content differs: ask user which version to keep, or keep both with suffix
+
+## File placement rules
+
+Follow the conventions in `.claude/FILE_PLACEMENT_GUIDE.md`. Key rules:
+- Dataforth work → `projects/dataforth-dos/`
+- GuruRMM work → `projects/msp-tools/guru-rmm/`
+- Client work → `clients/<client-name>/`
+- General session logs → `session-logs/`
+- Credentials → SOPS vault at `D:\vault\`, NEVER in plaintext in the repo

.claude/commands/mode.md

@@ -0,0 +1,68 @@
+# /mode — Set or view the current work mode
+
+Manually set the work mode, or let it auto-detect. Mode controls the terminal color and adjusts Claude's operational posture.
+
+## Usage
+
+```
+/mode                  Show current mode
+/mode client           Switch to client mode (orange)
+/mode dev              Switch to development mode (cyan)
+/mode infra            Switch to infrastructure mode (red)
+/mode general          Switch to general mode (blue)
+/mode remediation      Switch to remediation/365 mode (purple)
+/mode auto             Re-run auto-detection from current context
+```
+
+## Modes
+
+| Mode | Color | Posture |
+|---|---|---|
+| **client** | orange | Working on/for a specific client. Extra care with data handling. Session logs go to `clients/<name>/session-logs/`. Credential access audited. Always identify the client in session logs. |
+| **dev** | cyan | Building features, writing code, testing. Delegate freely to Coding/Testing agents. Use Ollama for drafts when available. Less confirmation friction on non-destructive operations. |
+| **infra** | red | Infrastructure work — servers, firewalls, DNS, deployments, backups. Confirm before any destructive or hard-to-reverse operation. Backup-first mentality. Double-check IPs and hostnames. |
+| **general** | blue | Research, planning, documentation, email drafts, general questions. Default mode. Lightweight posture. |
+| **remediation** | purple | M365 tenant work, breach investigation, security remediation. Graph API focus. Compliance-grade language. Full audit trail. |
+
+## When invoked
+
+1. Set the mode in `.claude/identity.json` under a `"mode"` key
+2. Run the color change: invoke `/color <mode_color>`
+3. Confirm to user: "Mode: **<mode>** (<color>)"
+
+## Auto-detection rules
+
+When `/mode auto` is called, OR at session start, OR when the user shifts topics, determine mode from context:
+
+**Priority order (first match wins):**
+
+1. **remediation** — user said "remediation tool", "365", "breach", "tenant sweep", or `/remediation-tool` was invoked
+2. **client** — user mentions a client name (check `clients/` subdirectories for name matches), or current work is under `clients/`, or user said "for <client>"
+3. **infra** — user mentions servers by name/IP (AD2, Jupiter, Uranus, pfSense, 172.16.x.x), SSH commands, firewall rules, DNS changes, service restarts, or "deploy to production"
+4. **dev** — user mentions code, building, compiling, Rust/Python/Node, cargo, npm, GuruRMM development, writing features, testing, or current work is under `projects/`
+5. **general** — default if nothing else matches
+
+**On mode change (auto or manual):**
+- Update `.claude/identity.json` with `"mode": "<mode>"`
+- **Tell the user to run `/color <color>`** — Claude cannot invoke `/color` programmatically (it's a built-in CLI command). Include the command inline so the user can copy-paste.
+- Log the transition: `[MODE] general -> infra (detected: SSH to 172.16.3.30) — run /color red`
+
+**Silent auto-switching:** When auto-detection triggers a mode change mid-session, announce it as: `[MODE -> infra] /color red` — short, actionable, the user can run the color command or ignore it. Don't interrupt flow with a long explanation. If the detection seems wrong, the user can override with `/mode <correct_mode>`.
+
+## Session log integration
+
+Session logs should include the mode in the User section:
+
+```markdown
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** DESKTOP-0O8A1RL
+- **Role:** admin
+- **Mode:** infra (red)
+```
+
+If mode changed during the session, note the transitions:
+
+```markdown
+- **Mode:** general → infra → dev (transitioned during session)
+```

.claude/commands/remediation-tool.md

@@ -0,0 +1,192 @@
+---
+description: M365 tenant investigation + remediation via the ComputerGuru tiered MSP app suite. Breach checks, tenant sweeps, consent URLs, and gated remediation actions.
+---
+
+# /remediation-tool
+
+M365 investigation and remediation using the **ComputerGuru tiered MSP app suite** — five multi-tenant apps covering read-only investigation, Exchange write operations, user lifecycle management, high-privilege tenant admin, and optional Defender ATP.
+
+**Default posture: READ-ONLY.** Remediation actions require explicit `YES` confirmation in chat.
+
+---
+
+## App Tiers (quick reference)
+
+| Tier flag | App | App ID | Use for |
+|---|---|---|---|
+| `investigator` | ComputerGuru Security Investigator | `bfbc12a4` | All read-only breach checks via Graph |
+| `investigator-exo` | ComputerGuru Security Investigator | `bfbc12a4` | Exchange read: Get-InboxRule (hidden), Get-Mailbox, permissions |
+| `exchange-op` | ComputerGuru Exchange Operator | `b43e7342` | Exchange write: Set-Mailbox, Remove-InboxRule, session revoke |
+| `user-manager` | ComputerGuru User Manager | `64fac46b` | User create/disable, license assign, MFA reset, password reset |
+| `tenant-admin` | ComputerGuru Tenant Admin | `709e6eed` | App role assignments, CA policy, high-privilege directory |
+| `defender` | ComputerGuru Defender Add-on | `dbf8ad1a` | Alerts, machine risk, vuln data — MDE-licensed tenants only |
+
+Pass the tier flag to `get-token.sh`:
+```bash
+bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> <tier>
+```
+
+---
+
+## Subcommands
+
+| Form | What it does |
+|---|---|
+| `/remediation-tool check <upn>` | 10-point breach check on a single user |
+| `/remediation-tool sweep <domain>` | Tenant-wide signals (sign-ins, audits, risky users, guests) |
+| `/remediation-tool signins <domain> [--user upn] [--failed-only] [--days N]` | Ad-hoc sign-in query |
+| `/remediation-tool consent-url <domain> [--app <tier>]` | Emit admin consent URL for a tenant + app |
+| `/remediation-tool remediate <upn> <action>` | **GATED:** revoke-sessions, disable-forwarding, remove-inbox-rules, disable-account, password-reset |
+
+`<domain>` accepts a tenant domain (`cascadestucson.com`), a UPN (`user@domain.com`), or a tenant GUID.
+
+---
+
+## Workflow Claude should follow
+
+### 0. Parse invocation
+
+- Extract subcommand, target, and any flags from `$ARGUMENTS`.
+- Normalize: UPN -> domain (split on `@`), domain -> look up tenant-id.
+- If the target is ambiguous or missing, ask the user once and proceed.
+
+### 1. Resolve tenant ID
+
+Run `bash .claude/skills/remediation-tool/scripts/resolve-tenant.sh <domain>` — returns tenant GUID via OpenID discovery. If it fails, the domain is not in Entra ID; surface the error and stop.
+
+### 2. Acquire tokens (cached)
+
+Use the minimum-privilege tier for the task. Most breach checks only need:
+```bash
+GT=$(bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> investigator)
+ET=$(bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> investigator-exo)
+```
+
+Escalate to write tiers only for remediation:
+```bash
+# Exchange write (disable-forwarding, remove-inbox-rules)
+EXO_WRITE=$(bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> exchange-op)
+
+# User write (revoke-sessions, disable-account, password-reset, MFA reset)
+UT=$(bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> user-manager)
+
+# Defender (MDE tenants only)
+DT=$(bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> defender)
+```
+
+Tokens cache at `/tmp/remediation-tool/{tenant}/{tier}.jwt` with 55-minute TTL.
+
+If a token returns 403/401 on first use, check `.claude/skills/remediation-tool/references/gotchas.md` for per-tenant prerequisites and emit the appropriate consent or role-assignment link.
+
+### 3. Run the requested checks
+
+- **`check <upn>`** -> `bash scripts/user-breach-check.sh <tenant> <upn>`. Runs all 10 checks and dumps raw JSON to `/tmp/remediation-tool/{tenant}/user-breach/<slug>/`. Interpret against `references/checklist.md` and write report.
+
+- **`sweep <domain>`** -> `bash scripts/tenant-sweep.sh <tenant>`. Pulls tenant-wide failed sign-ins (30d), successful non-US sign-ins, directory audits filtered for consent/auth-method/service-principal changes, risky users, B2B guest invites. Claude summarizes priority findings.
+
+- **`signins`** — build ad-hoc `curl` against Graph `/auditLogs/signIns` with the requested filter. Use `investigator` tier.
+
+- **`consent-url <domain> [--app <tier>]`** — emit the appropriate admin consent URL (see below). Default to Security Investigator (`investigator`) unless `--app` specifies another tier.
+
+- **`remediate`** — see Remediation section below.
+
+### 4. Write the report
+
+Location: `clients/{client-slug}/reports/YYYY-MM-DD-{action}.md` (UTC date). Derive client slug from domain:
+- `cascadestucson.com` -> `cascades-tucson`
+- `grabblaw.com` -> `grabblaw`
+- Use existing `clients/<slug>/` directory if present; if no match, ask the user for the slug.
+
+Use `templates/breach-report.md` as skeleton. For single-user checks, fill per-check findings from raw JSON.
+
+### 5. Summarize to the user
+
+Short chat summary: top findings, blocked checks (with remediation links), next actions. Save raw JSON artifact paths in the report.
+
+### 6. Auto-commit
+
+After writing the report, delegate to the **Gitea Agent** to commit with `Remediation report: <action> for <target>`. Do not push unless the user asks.
+
+---
+
+## Admin Consent URLs
+
+Each app must be individually consented in each customer tenant. Consent URL format:
+
+```
+https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={app-id}&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Security Investigator** (read-only — consent this first):
+```
+https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Exchange Operator** (EXO write — consent when remediation needed):
+```
+https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=b43e7342-5b4b-492f-890f-bb5a4f7f40e9&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**User Manager** (user/license write):
+```
+https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=64fac46b-8b44-41ad-93ee-7da03927576c&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Tenant Admin** (high-privilege — use sparingly):
+```
+https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Defender Add-on** (MDE-licensed tenants only):
+```
+https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+The customer admin must sign in as Global Admin of that tenant and click Accept. Redirect lands on azcomputerguru.com — that is expected. Verify consent via `/servicePrincipals/{sp-id}/appRoleAssignments` (new grants should be timestamped today).
+
+---
+
+## Remediation (gated)
+
+When the user runs `/remediation-tool remediate <upn> <action>`:
+
+1. **Confirm read-only context first**: skill must have recently run `check <upn>` in this session (check `/tmp/remediation-tool/{tenant}/user-breach/<slug>/` exists). If not, tell the user to run the check first.
+2. **Display the exact action** (curl command, cmdlet name, parameters).
+3. **Require explicit `YES` in chat** — not a permission prompt. Anything else aborts.
+4. Execute via the appropriate app tier. Capture response to `/tmp/remediation-tool/{tenant}/remediation/<slug>-YYYY-MM-DDTHHMMSS.json`.
+5. Update the user's report with a `## Remediation Actions` section.
+
+Allowed actions and which tier handles them:
+
+| Action | App tier | API |
+|---|---|---|
+| `revoke-sessions` | `user-manager` | Graph `POST /users/{upn}/revokeSignInSessions` |
+| `disable-account` | `user-manager` | Graph `PATCH /users/{upn}` with `accountEnabled: false` |
+| `password-reset` | `user-manager` | Graph `PATCH /users/{upn}` with new `passwordProfile` |
+| `disable-forwarding` | `exchange-op` | Exchange REST `Set-Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false` |
+| `remove-inbox-rules` | `exchange-op` | Exchange REST `Remove-InboxRule` per non-default rule (ask which to keep first) |
+| `disable-smtp-auth` | `exchange-op` | Exchange REST `Set-CASMailbox -SmtpClientAuthenticationDisabled $true` |
+
+---
+
+## Arguments
+
+`$ARGUMENTS` — the full invocation text. Parse freely; common forms:
+
+- `check john.trozzi@cascadestucson.com`
+- `sweep cascadestucson.com`
+- `signins cascadestucson.com --user megan.hiatt@cascadestucson.com --failed-only --days 30`
+- `consent-url cascadestucson.com`
+- `consent-url grabblaw.com --app exchange-op`
+- `remediate megan.hiatt@cascadestucson.com revoke-sessions`
+
+If the user's phrasing is loose ("check john's box at cascades", "who's being attacked"), infer intent from CONTEXT.md and session logs. Prefer asking one clarifying question to guessing.
+
+---
+
+## Scope and references
+
+- Detailed check rubric: `.claude/skills/remediation-tool/references/checklist.md`
+- Permission/role gotchas + consent URLs: `.claude/skills/remediation-tool/references/gotchas.md`
+- Endpoint cheatsheet: `.claude/skills/remediation-tool/references/graph-endpoints.md`
+- Report template: `.claude/skills/remediation-tool/templates/breach-report.md`

.claude/commands/save.md

@@ -1,109 +1,90 @@
-Save a COMPREHENSIVE session log to appropriate session-logs/ directory. This is critical for context recovery.
+Save a comprehensive session log to the appropriate `session-logs/` directory, then sync the repo.
 
-## Determine Correct Location
+`/save` and `/sync` share `bash .claude/scripts/sync.sh` as the canonical driver for git operations. The only difference: `/save` writes a session log first, then calls sync. `/sync` calls sync directly (no log).
 
-**IMPORTANT: Save to project-specific or general session-logs based on work context**
+---
 
-### Project-Specific Logs
-If working on a specific project, save to project folder:
-- Dataforth DOS work → `projects/dataforth-dos/session-logs/YYYY-MM-DD-session.md`
-- ClaudeTools API work → `projects/claudetools-api/session-logs/YYYY-MM-DD-session.md`
-- Client-specific work → `clients/[client-name]/session-logs/YYYY-MM-DD-session.md`
+## Phase 1 — Generate the narrative
 
-### General/Mixed Work
-If working across multiple projects or general tasks:
-- Use root `session-logs/YYYY-MM-DD-session.md`
+Claude writes all sections directly. Be concise, factual, technical. No filler phrases. Past tense. No emojis.
 
-## Filename
-Use format `YYYY-MM-DD-session.md` (today's date) in appropriate folder
+| Author | Sections |
+|---|---|
+| Claude | All sections |
 
-## If file exists
-Append a new section with timestamp header (## Update: HH:MM), don't overwrite
+### Narrative sections (Claude writes directly)
 
-## MANDATORY Content to Include
+**Session Summary** — 3-5 paragraphs: what was accomplished, in what order, why.
 
-### 1. Session Summary
-- What was accomplished in this session
-- Key decisions made and rationale
-- Problems encountered and how they were solved
+**Key Decisions** — bullet list of non-obvious decisions and their rationale.
 
-### 2. ALL Credentials & Secrets (UNREDACTED)
-**CRITICAL: Store credentials completely - these are needed for future sessions**
-- API keys and tokens (full values)
-- Usernames and passwords
-- Database credentials
-- JWT secrets
-- SSH keys/passphrases if relevant
-- Any authentication information used or discovered
+**Problems Encountered** — bullet list of problems hit and how each was resolved. Omit section if none.
 
-Format credentials as:
-```
-### Credentials
-- Service Name: username / password
-- API Token: full_token_value
+---
+
+## Phase 2 — Write to disk
+
+### Location
+
+| Work scope | Path |
+|---|---|
+| Single project | `projects/<project>/session-logs/YYYY-MM-DD-session.md` |
+| Client | `clients/<slug>/session-logs/YYYY-MM-DD-session.md` |
+| Multi-project / general | `session-logs/YYYY-MM-DD-session.md` |
+
+### Filename + append behavior
+
+- Filename: `YYYY-MM-DD-session.md` (today's local date)
+- If file exists, **append** a `## Update: HH:MM PT — <topic>` section. Do not overwrite.
+- If two users worked on the same date, namespace: `YYYY-MM-DD-<user>-<topic>.md` (e.g. `2026-05-01-howard-syncro-billing-batch.md`)
+
+### Required sections (in order)
+
+1. **User block** — name, machine, role, session span. Pull from `.claude/identity.json` + git config.
+2. **Session Summary** (Ollama)
+3. **Key Decisions** (Ollama)
+4. **Problems Encountered** (Ollama)
+5. **Configuration Changes** — files modified / created / deleted (with paths)
+6. **Credentials & Secrets** — UNREDACTED if newly discovered or created. Vault paths if vaulted. Never half-redact a value future-Claude might need.
+7. **Infrastructure & Servers** — IPs, hostnames, ports, tenant IDs, container names, DNS, certs
+8. **Commands & Outputs** — important one-liners, key outputs, error messages with resolution
+9. **Pending / Incomplete Tasks** — what's left, blockers, next steps
+10. **Reference Information** — URLs, endpoints, commit SHAs, ticket IDs, routine IDs, file paths
+
+When in doubt, include MORE detail — future sessions search these logs to recover context.
+
+---
+
+## Phase 3 — Sync
+
+```bash
+bash .claude/scripts/sync.sh
 ```
 
-### 3. Infrastructure & Servers
-- All IPs, hostnames, ports used
-- Container names and configurations
-- DNS records added or modified
-- SSL certificates created
-- Any network/firewall changes
+`sync.sh` handles: stage tracked changes by name (never `git add -A`), auto-commit, fetch + rebase, push, then the same flow for the vault repo, then surface cross-user `## Note for <user>` blocks.
 
-### 4. Commands & Outputs
-- Important commands run (especially complex ones)
-- Key outputs and results
-- Error messages and their resolutions
+After sync, emit a **Post-commit Summary**:
 
-### 5. Configuration Changes
-- Files created or modified (with paths)
-- Settings changed
-- Environment variables set
+```
+## Post-commit Summary
+Commit:  <sha>  <subject>
+Author:  <name> <<email>>
+Push:    <old>..<new>  main -> main  (origin)
+File:    <session log path>  (+N lines, appended/created)
+```
 
-### 6. Pending/Incomplete Tasks
-- What still needs to be done
-- Blockers or issues awaiting resolution
-- Next steps for future sessions
+---
 
-### 7. Reference Information
-- URLs, endpoints, ports
-- File paths that may be needed again
-- Any technical details that might be forgotten
+## Cross-user note handling (CRITICAL)
 
-## After Saving
+If `sync.sh` surfaces a `## Note for <user>` or `## Message for <user>` block from an incoming session log, display it **prominently at the top of the response, before the sync summary**:
 
-1. Commit with message: "Session log: [brief description of work done]"
-2. Push to gitea remote (if configured)
-3. Confirm push was successful
+```
+============================================================
+MESSAGE FROM <author> (<date>)
+============================================================
+<full note content>
+============================================================
+```
 
-## Purpose
-
-This log MUST contain enough detail to fully restore context if this conversation is summarized or a new session starts. When in doubt, include MORE information rather than less. Future Claude instances will search these logs to find credentials and context.
-
-## Project-Specific Requirements
-
-### Dataforth DOS Project
-Save to: `projects/dataforth-dos/session-logs/`
-Include:
-- DOS batch file changes and versions
-- Deployment script updates
-- Infrastructure changes (AD2, D2TESTNAS)
-- Test results from TS-XX machines
-- Documentation files created
-
-### ClaudeTools API Project
-Save to: `projects/claudetools-api/session-logs/`
-Include:
-- Database connection details (172.16.3.30:3306/claudetools)
-- API endpoints created or modified
-- Migration files created
-- Test results and coverage
-- Any infrastructure changes (servers, networks, clients)
-
-### Client Work
-Save to: `clients/[client-name]/session-logs/`
-Include:
-- Issues resolved
-- Services provided
-- Support tickets/cases
-- Client-specific infrastructure changes
+Explicitly address each action item or question before moving on.

.claude/commands/sync.md

@@ -1,29 +1,47 @@
-# /sync - Bidirectional ClaudeTools Sync
+Sync the ClaudeTools and vault repos with Gitea.
 
-Run the automated sync script:
+## What this does
 
-```bash
-bash .claude/scripts/sync.sh
+Invokes `bash .claude/scripts/sync.sh`, which:
+
+1. Stages tracked local changes **by name** (never `git add -A` — avoids picking up `.env`, generated files, etc.)
+2. Auto-commits any local changes with `sync: auto-sync from <hostname> at <timestamp>`
+3. Fetches from origin, rebases local commits onto remote
+4. Pushes to origin
+5. Repeats 1-4 for the **vault** repo (path read from `.claude/identity.json` `vault_path` field)
+6. Surfaces any `## Note for <user>` / `## Message for <user>` blocks from incoming session logs
+
+The script is the single source of truth for git operations. Both `/sync` and `/save` invoke it.
+
+---
+
+## Cross-user note handling (CRITICAL)
+
+If sync surfaces a note from another user, display it **prominently at the top of the response, before the sync summary**, formatted as:
+
+```
+============================================================
+MESSAGE FROM <author> (<date>)
+============================================================
+<full note content>
+============================================================
 ```
 
-The script automatically:
-1. Stages and commits local changes (if any)
-2. Fetches and pulls remote changes
-3. Pushes local changes
-4. Reports sync status
+Address each action item or question explicitly before moving on. Do not bury cross-user notes in the sync summary or skip them because other work is in progress.
 
-After the script completes, report the 3 most recent session logs:
-```bash
-ls -t session-logs/*.md projects/*/session-logs/*.md clients/*/session-logs/*.md 2>/dev/null | head -3
-```
+---
 
-## Conflict Resolution
+## Output format
 
-- **Session logs:** Keep both, rename with machine suffix
-- **credentials.md:** Do NOT auto-merge, report to user
-- **Other files:** Standard git conflict resolution
+Report:
+- Pulled commits — count + authors + one-line summaries
+- Pushed commits — count + your commits + outgoing SHAs
+- Vault sync status — pulled/pushed/clean
+- Cross-user notes addressed (if any)
+- Final HEAD + status
 
-## Error Handling
+---
 
-If push fails with auth error, retry once (transient Gitea auth issue).
-If pull fails with conflicts, report affected files and ask for guidance.
+## Companion: `/save`
+
+`/save` writes a comprehensive session log first, then invokes the same `sync.sh`. Use `/save` after substantive work to capture context for future sessions. Use `/sync` for routine repo sync without writing a log (start of day, switching machines, mid-session check-in).

.claude/commands/syncro.md

@@ -0,0 +1,821 @@
+# /syncro — Syncro PSA ticket management
+
+Create, update, close, comment on, and bill tickets in Syncro PSA.
+
+## Usage
+
+```
+/syncro                                  Show open tickets summary
+/syncro ticket <number>                  View ticket details + comments
+/syncro create <customer> <subject>      Create new ticket
+/syncro update <number> <status>         Update ticket status
+/syncro close <number>                   Close/resolve a ticket
+/syncro comment <number> <text>          Add a comment to a ticket
+/syncro bill <number>                    Add billable time and create invoice
+/syncro search <query>                   Search tickets by subject/customer
+/syncro customers <query>                Search customers
+/syncro move-appointment <customer>      Find and reschedule an existing appointment
+```
+
+## API Configuration
+
+**Base URL:** `https://computerguru.syncromsp.com/api/v1`
+**API Key:** per-user tokens in SOPS vault — see "Get API key" below
+**Rate limit:** 180 requests/minute per IP
+**Docs:** https://api-docs.syncromsp.com/
+
+## Hard Rules (violations have occurred — no exceptions)
+
+**All work-time billing MUST go through `timer_entry → charge_timer_entry`.** Bare `add_line_item` for time-bearing work bypasses Syncro's time tracking and breaks reporting (hours per client, tech productivity, prepay burn). Bare `add_line_item` is reserved for non-time items only (hardware, flat-fee services). Even warranty/free work needs a time entry — set `billable: false`. Only cancelled tickets are exempt. Mike caught the bare-`add_line_item` bug across 31 tickets on 2026-04-30; it was repeated on 3 more tickets on 2026-05-01 — see `.claude/memory/feedback_syncro_timer_first.md`.
+
+**JSON payloads to curl: use heredoc with `--data-binary @-`, not `/tmp/*.json` files.** On Windows the Write tool resolves `/tmp/foo.json` to `C:\tmp\foo.json` while Git Bash resolves it to `%LOCALAPPDATA%\Temp\foo.json` — different real directories, so a payload written by Write may not be the file curl reads. Heredoc with `<<'JSON'` (single-quoted to suppress bash variable expansion inside the payload) avoids the file handoff entirely. See `.claude/memory/feedback_tmp_path_windows.md` — caused a wrong-comment incident on ticket #32225 on 2026-05-01 (rogue payload from a prior session).
+
+**Before any POST:** Always show the full payload to the user and wait for explicit confirmation. This applies to tickets, comments, line items, and invoices — including hidden/internal notes.
+
+**After any ambiguous POST result** (null fields, jq error, curl error, timeout): Do NOT retry. GET the resource first to confirm whether the action succeeded. Syncro has no idempotency on any endpoint — one POST always creates one record. Duplicate tickets and comments cannot be deleted via API; comments require manual GUI removal.
+
+**Ticket response shape:** `{"ticket": {...}}` — always use `.ticket.id`, never `.id`. The flat-object jq pattern silently returns nulls and looks like failure when it isn't.
+
+**Billing:** Always ask for minutes and labor type before adding any line item. Never assume a default.
+
+**Emergency/after-hours billing — check prepaid first:** Before adding a `26184` (Emergency) line item, `GET /customers/<id>` and read `prepay_hours`. If `prepay_hours > 0`, the customer has a prepaid block — bill `26118` (Onsite) at `quantity × 1.5` instead (prepaid debits by quantity, not by dollars). Never stack `26118` + `26184` for the same hours — the Emergency product rate already has the 1.5× multiplier baked in. Verified 2026-04-23 on ticket #32203 (Desert Auto Tech) after Winter caught the bug.
+
+**Prepaid customers — ALL billing (not just emergency):** `GET /customers/<id>` → `prepay_hours` before creating ANY invoice for a prepaid customer. When you bill a prepaid customer using a billable labor product (remote / onsite / in-shop / web), Syncro automatically deducts from their prepay block and the invoice total shows $0.00. The line item name is annotated "- Applied X Prepay Hours". This is correct behavior — do NOT treat a $0.00 invoice as an error. Verify the deduction by re-fetching `customer.prepay_hours` after invoicing and confirming it dropped by `quantity`.
+
+**`9269129` (Labor - Prepaid Project Labor) is EXEMPT — it does NOT deduct from prepay blocks:** Despite the name, this product is categorized as Exempt Labor at $0.00 and contains no prepay-deduction logic. Billing a prepaid customer with this product results in a $0.00 invoice AND no block decrement — silent accounting drift. Discovered 2026-05-04 (see `feedback_syncro_labor_type.md`). NEVER use `9269129` for normal or prepaid work. Only use it if explicitly directed. The correct approach for prepaid customers is a billable labor product matching the delivery channel (remote / onsite / in-shop / web).
+
+**Line-item `price_retail` MUST be set explicitly:** Earlier guidance to "omit `price_retail` and let Syncro auto-calc from the product rate" was wrong — the rate does NOT populate automatically. Fetch it with `GET /products/<id>` → `.product.price_retail` and pass it on `add_line_item`. Omitting it leaves the line at $0.00 and the invoice posts at $0.00 (verified 2026-04-23 on #32203).
+
+## Implementation
+
+When invoked, use the Syncro REST API via `curl`. All requests include `?api_key=<key>` as query parameter (NOT in header — Syncro uses query param auth).
+
+### Attribution rule (CRITICAL)
+
+Every Syncro API call is attributed to the **owner of the API key**. Comments, line items, timer entries, and invoices created by the API are logged as the API user — regardless of who is running the command. So the skill MUST use a per-user API key that matches the actual tech running it, or comments will be misattributed.
+
+| identity.json user | Syncro user | user_id |
+|---|---|---|
+| `mike` | Michael Swanson | 1735 |
+| `howard` | Howard Enos | 1750 |
+
+Keys are baked into the skill below. To add a new user: generate a token in Syncro → Admin → API Tokens, add a case to the key-select block, and store a backup copy in the vault at `msp-tools/syncro-<user>.sops.yaml`.
+
+### Get API key
+
+```bash
+BASE="https://computerguru.syncromsp.com/api/v1"
+
+# Per-user keys — actions in Syncro are attributed to the key owner
+USER_ID=$(jq -r '.user // empty' "$CLAUDETOOLS_ROOT/.claude/identity.json")
+case "$USER_ID" in
+  mike)   API_KEY="T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3" ;;
+  howard) API_KEY="Tde5174a6e9e312d14-02fd5bfe0f0ee40c87d027507c680e18" ;;
+  *)      echo "[ERROR] Unknown user '$USER_ID' in identity.json — cannot select Syncro API key" >&2; exit 1 ;;
+esac
+```
+
+### Ollama drafting
+
+Ollama handles prose drafting for write operations. Claude reviews the output against the hard rules below, then presents a preview. User confirms. Claude executes.
+
+**Availability check** — run once at the start of any write operation, reuse `$OLLAMA` for the rest of the session:
+
+```bash
+if curl -s -m 2 http://localhost:11434/api/tags >/dev/null 2>&1; then
+    OLLAMA="http://localhost:11434"
+elif curl -s -m 3 http://100.92.127.64:11434/api/tags >/dev/null 2>&1; then
+    OLLAMA="http://100.92.127.64:11434"
+else
+    OLLAMA=""  # fallback: Claude drafts directly
+fi
+```
+
+**Draft call:**
+
+```bash
+# Write prompt to a workspace path both the Write tool and Git Bash agree on
+# (do NOT use /tmp on Windows — see Hard Rules: /tmp resolves differently in
+# Write vs Git Bash). Use $CLAUDETOOLS_ROOT/.claude/tmp/ or pipe via heredoc.
+PROMPT_FILE="$CLAUDETOOLS_ROOT/.claude/tmp/ollama_prompt.txt"
+mkdir -p "$(dirname "$PROMPT_FILE")"
+cat > "$PROMPT_FILE" <<'ENDPROMPT'
+<prompt content here>
+ENDPROMPT
+
+if [ -n "$OLLAMA" ]; then
+    DRAFT=$(PROMPT_FILE="$PROMPT_FILE" py -c "
+import os, urllib.request, json, sys
+prompt = open(os.environ['PROMPT_FILE']).read()
+body = json.dumps({
+  'model': 'qwen3:14b',
+  'messages': [{'role': 'user', 'content': prompt}],
+  'stream': False,
+  'think': False
+}).encode()
+res = json.loads(urllib.request.urlopen(
+    urllib.request.Request('$OLLAMA/api/chat', body), timeout=60
+).read())
+print(res['message']['content'])
+")
+else
+    echo "[INFO] Ollama unavailable — Claude will draft directly."
+    DRAFT=""
+fi
+```
+
+**When to use Ollama:**
+- Comment body drafting (`/syncro comment`, `/syncro close`, billing resolution notes)
+- Billing `description` field (line item billing narrative)
+- Ticket initial description during `/syncro create`
+
+**When NOT to use Ollama:**
+- JSON field selection (product_id, quantity, price_retail) — Claude owns this using the local rate table and rules
+- Read operations (GET)
+- Auth, credential, or security decisions
+
+#### Billing draft prompt template
+
+```
+You are a Syncro PSA billing assistant. Draft a resolution comment and billing description.
+
+TICKET #<id>: <subject>
+CUSTOMER: <customer_name>
+TECH: <tech_name>
+WORK DONE: <user description of work>
+LABOR: <product_name> — <minutes> min (<quantity> hrs) @ $<price_retail>/hr = $<total>
+
+Rules:
+- comment_body must use <br> for line breaks. Do NOT use <ul> or <li> — they do not render.
+- Keep it professional and factual. No filler phrases.
+- line_item_description is one plain-text line, billing-facing.
+
+Return ONLY valid JSON, no prose before or after:
+{
+  "comment_subject": "Resolution",
+  "comment_body": "<HTML with <br> line breaks>",
+  "line_item_description": "<one line plain text>",
+  "preview": "<2-3 sentence plain-text summary for tech review>"
+}
+```
+
+#### Comment draft prompt template
+
+```
+You are a Syncro PSA tech assistant. Draft a ticket comment.
+
+TICKET #<id>: <subject>
+CUSTOMER: <customer_name>
+NOTE: <user's note or description>
+VISIBILITY: <"Internal only" | "Customer-visible">
+
+Rules:
+- Use <br> for line breaks. Do NOT use <ul> or <li>.
+- Professional and factual. No filler.
+
+Return ONLY valid JSON:
+{
+  "subject": "Update",
+  "body": "<HTML with <br> line breaks>",
+  "preview": "<plain text for tech review>"
+}
+```
+
+#### Claude review checklist (always run before presenting to user)
+
+Whether the draft came from Ollama or Claude wrote it directly:
+
+1. `price_retail` matches the local rate table for the selected `product_id`
+2. `quantity` = minutes ÷ 60 — verify the arithmetic (e.g. 45 min = 0.75, not 0.77)
+3. Computed total = `price_retail × quantity` — matches what was communicated to user
+4. If labor_type is `emergency` and `prepay_hours > 0`: product must be `26118`, qty must be actual_hours × 1.5
+5. `comment_body` uses `<br>`, not `<ul>/<li>`
+6. No internal notes or credential data in a customer-visible comment body
+
+If a check fails: correct it and note the fix in the preview so the user can see what changed.
+
+#### Fallback behavior
+
+If `OLLAMA` is empty (neither endpoint reachable): Claude drafts the comment body and billing description directly from the same variables. All other logic — review checklist, confirmation, execution — is identical. Announce `[INFO] Ollama unavailable — drafting directly.`
+
+---
+
+### Adding a per-user key
+
+1. User logs into Syncro → Admin → API Tokens → New (`/api_tokens/new`)
+2. Type: Integration API Token (or Custom with all standard scopes: asset/customer/ticket/invoice/payment read+write+delete, worksheet add+manage+delete, chat + script.execute)
+3. Copy the token once (Syncro only shows it on creation)
+4. Encrypt to vault:
+   ```bash
+   cat > $VAULT_ROOT/msp-tools/syncro-<user>.sops.yaml <<YAML
+   kind: api-key
+   name: Syncro (<Full Name>)
+   subdomain: computerguru
+   api-base-url: https://computerguru.syncromsp.com/api/v1
+   api-docs: https://api-docs.syncromsp.com/
+   status: active
+   owner: <user>
+   syncro_user_id: <id>
+   tags: [msp-tools, per-user]
+   credentials:
+       credential: <TOKEN>
+   notes: Per-user Syncro API token for <Full Name>. Created YYYY-MM-DD.
+   YAML
+   # MUST run from vault root so sops picks up .sops.yaml
+   (cd "$VAULT_ROOT" && sops --encrypt --in-place "msp-tools/syncro-<user>.sops.yaml")
+   ```
+5. Commit + push vault repo.
+
+### Endpoints reference
+
+#### Tickets
+
+| Operation | Method | Endpoint | Body |
+|---|---|---|---|
+| List tickets | GET | `/tickets?status=<status>&per_page=25` | — |
+| Get ticket | GET | `/tickets/<id>` | — |
+| Create ticket | POST | `/tickets` | see full create workflow below |
+| Update ticket | PUT | `/tickets/<id>` | `{"status": "In Progress", "priority": "..."}` |
+| Delete ticket | DELETE | `/tickets/<id>` | — |
+
+**Ticket statuses:** `New`, `In Progress`, `Waiting on Customer`, `Waiting on Vendor`, `Scheduled`, `Resolved`, `Invoiced`, `Closed`
+
+**Priority format** (number-prefixed string): `"1 High"`, `"2 Normal"`, `"3 Low"`, `"4 Urgent"`
+Default: `"2 Normal"`. Use `"4 Urgent"` for emergency/after-hours.
+
+**Problem types (Issue Type dropdown — use closest match, else "Not determined"):**
+`API`, `Email`, `Emergency Service`, `File Services / Permissions`, `Hardware`, `Maintenance`,
+`New User / M365 Account Creation`, `New User / Workstation Deployment`, `Not determined`,
+`Onsite`, `Other`, `Phone/VOIP`, `Remote`, `Security`, `Server Migration`, `Service Request`,
+`Software`, `Website`
+
+**Appointment types:**
+
+| Name | ID | location_type |
+|---|---|---|
+| In Shop | 4321 | shop |
+| Onsite | 4322 | customer |
+| Phone Call | 4323 | pre_defined |
+| Reminder | 193053 | manual_entry |
+| Remote | 59289 | pre_defined |
+
+**Tech user IDs:** Mike = 1735, Howard = 1750, Winter = 1737, Rob = 1760
+
+#### Appointments
+
+| Operation | Method | Endpoint | Notes |
+|---|---|---|---|
+| List (today) | GET | `/appointments?start_at=YYYY-MM-DD` | Filter by date; use `.summary` to match customer |
+| Get | GET | `/appointments/<id>` | Returns `{"appointment": {...}}` |
+| Create | POST | `/appointments` | Used in ticket creation flow (Call 3) |
+| Move / edit | PUT | `/appointments/<id>` | Verified 2026-04-24 — updates `start_at`/`end_at` |
+| Delete | DELETE | `/appointments/<id>` | Not yet verified |
+
+**Finding an appointment by customer:** `GET /appointments?start_at=<date>` returns all appointments — filter client-side with `select(.summary | test("customer name"; "i"))` or `select(.ticket.customer_id == N)`. The `customer_id` query param does not filter correctly.
+
+**Move workflow:**
+1. `GET /appointments?start_at=<date>` — find appointment ID
+2. Confirm new date/time with user
+3. `PUT /appointments/<id>` with `{"start_at": "ISO8601", "end_at": "ISO8601"}`
+4. Verify response: `.appointment.start_at` matches intended time
+
+**Response shape:** `{"appointment": {...}}` — parse as `.appointment.id`, `.appointment.start_at`, etc.
+
+---
+
+### Ticket creation workflow (full — 3 API calls)
+
+Ticket creation in Syncro maps to three separate API calls. Gather all inputs first, show a full preview, wait for confirmation, then execute in order.
+
+#### Step 1 — Gather inputs
+
+Collect in one pass (do not ask field by field):
+
+| # | Field | Notes |
+|---|---|---|
+| 1 | **Subject** | Brief title: reason for the ticket |
+| 2 | **Issue Type** (`problem_type`) | From dropdown above; "Not determined" if unclear |
+| 3 | **Priority** | "2 Normal" default; "4 Urgent" for emergencies |
+| 4 | **Description** | Expanded detail — becomes the "Initial Issue" comment body |
+| 5 | **Do Not Email** | Suppress customer notification on ticket create? (yes for internal/reminder tickets) |
+| 6 | **Due Date** | ISO date |
+| 7 | **Assigned Tech** | Who owns the ticket. Defaults to API key owner if not specified (mike → 1735, howard → 1750). MUST always be included in the POST payload — never omit. |
+| 8 | **Contact** | Look up from `GET /customers/{id}` → `.contacts[]`; show list, ask user to pick |
+| 9 | **Address/Site** | `address_id` — also comes from customer contacts with address data |
+| 10 | **Appointment Type** | From table above; omit section if no appointment needed |
+| 11 | **Location** | Free text; usually blank unless onsite at non-primary address |
+| 12 | **Start Time** | ISO8601 datetime; omit if no scheduled appointment |
+| 13 | **End Time** | Default: start + 90 minutes |
+| 14 | **Appointment Owner** | Usually same as assigned tech; noted for calendar attribution (not a separate API field — inherits from ticket `user_id`) |
+| 15 | **Do Not Invite** | If not onsite, suppress calendar invite — note: not directly controllable via API; inform user if they need this set manually |
+| 16 | **Asset** | Search `GET /customer_assets?customer_id=N&query=<name>` if a specific device is involved |
+
+#### Step 2 — Look up customer data
+
+Before showing the preview, fetch what you need:
+
+```bash
+# Get contacts and addresses
+curl -s "${BASE}/customers/${CUST_ID}?api_key=${API_KEY}" | jq '{contacts: [.customer.contacts[] | {id, name, address1, email}]}'
+
+# Search assets
+curl -s "${BASE}/customer_assets?customer_id=${CUST_ID}&query=<name>&api_key=${API_KEY}" | jq '[.assets[] | {id, name, asset_type}]'
+```
+
+#### Step 3 — Show preview and confirm
+
+Display the full ticket before posting. Include all populated fields. Wait for explicit confirmation.
+
+```
+TICKET PREVIEW
+--------------
+Customer:     <name>
+Subject:      <subject>
+Issue Type:   <problem_type>
+Priority:     <priority>
+Description:  <description>
+Due Date:     <due_date>
+Assigned To:  <tech name>
+Contact:      <contact name>
+Address:      <address>
+Do Not Email: <yes/no>
+
+APPOINTMENT
+-----------
+Type:         <type name>
+Start:        <start_at>
+End:          <end_at>  (90 min)
+Location:     <location or blank>
+
+ASSET:        <asset name or none>
+
+Confirm? (yes/no)
+```
+
+#### Step 4 — Execute (after confirmation)
+
+**Call 1 — Create ticket:**
+
+```bash
+RESP=$(curl -s -X POST "${BASE}/tickets?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "customer_id": N,
+  "subject": "...",
+  "problem_type": "...",
+  "status": "New",
+  "priority": "2 Normal",
+  "user_id": N,
+  "due_date": "YYYY-MM-DD",
+  "contact_id": N,
+  "address_id": N,
+  "start_at": "ISO8601",
+  "end_at": "ISO8601",
+  "asset_ids": [N]
+}
+JSON
+)
+TICKET_ID=$(echo "$RESP" | jq -r '.ticket.id')
+CUST_ID=$(echo "$RESP" | jq -r '.ticket.customer_id')
+```
+
+Omit null/blank fields from the payload before piping. The `'JSON'` quoting on the heredoc opener is required — it suppresses bash variable and backtick expansion inside, which matters when descriptions contain `$` (passwords, prices, regex, etc.).
+
+**Call 2 — Post initial description as "Initial Issue" comment:**
+
+```bash
+curl -s -X POST "${BASE}/tickets/${TICKET_ID}/comment?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "subject": "Initial Issue",
+  "body": "<the full description>",
+  "hidden": false,
+  "do_not_email": true
+}
+JSON
+# Parse: .comment.id  (NOT .id — see Hard Rules)
+```
+
+Set `do_not_email: true` if "Do Not Email" was checked; `false` otherwise.
+
+**Call 3 — Create appointment (only if start_at provided):**
+
+```bash
+curl -s -X POST "${BASE}/appointments?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "ticket_id": N,
+  "customer_id": N,
+  "appointment_type_id": N,
+  "start_at": "ISO8601",
+  "end_at": "ISO8601",
+  "location": ""
+}
+JSON
+```
+
+Note: "Do Not Invite" (suppress calendar invite email) is not API-controllable. Tell the user to toggle it in the Syncro GUI if needed.
+
+**Payload handoff: prefer heredoc with `--data-binary @-` and `<<'JSON'` quoting** — never use `/tmp/<file>.json` for piping payloads from the Write tool to curl. On Windows, the Write tool resolves `/tmp/foo.json` to `C:\tmp\foo.json` while Git Bash resolves it to `%LOCALAPPDATA%\Temp\foo.json` — different real directories, so curl reads a different (or stale) file than Write created. Heredoc avoids the file handoff entirely, and the `'JSON'` quoting prevents bash from expanding `$` characters inside the payload (passwords, regex, jq queries, etc.). See `.claude/memory/feedback_tmp_path_windows.md` for the full failure mode.
+
+#### Comments
+
+| Operation | Method | Endpoint | Body |
+|---|---|---|---|
+| Add comment | POST | `/tickets/<id>/comment` | `{"subject": "Update", "body": "...", "hidden": false, "do_not_email": false}` |
+
+**Comment fields (verified):**
+- `subject` — required; comment header (e.g., "Update", "Resolution", "Internal Note")
+- `body` — required; comment text (HTML supported)
+- `hidden` — bool; if true, internal-only (customer can't see)
+- `do_not_email` — bool; if true, suppresses customer email notification
+- `tech` — string; overrides the authenticated user's name shown on the comment
+
+**Drafting comment bodies:** Use Ollama (comment draft prompt template above) to generate `body` content. Run Claude review checklist. Present preview and wait for confirmation before POST. Fallback to Claude direct draft if `$OLLAMA` is empty.
+
+**Silently ignored (do not use):** `product_id`, `minutes_spent`, `bill_time_now` — accepted but not saved. Verified 2026-04-21.
+
+**CRITICAL — response wrapper:** POST /comment returns `{"comment": {"id": ..., "subject": ..., ...}}` — NOT a flat object. Always parse as `.comment.id`, `.comment.created_at`, etc. Using `.id` returns null and looks like failure even when the comment posted successfully. This caused duplicate comments on 2026-04-22 (#32185) and 2026-04-23 (#32142) — both times the POST succeeded but null `.id` triggered a retry.
+
+```bash
+# Correct pattern — always check .comment.id
+RESP=$(curl -s -X POST "${BASE}/tickets/${ID}/comment?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "subject": "Update",
+  "body": "...",
+  "hidden": false,
+  "do_not_email": false
+}
+JSON
+)
+echo "$RESP" | jq '{id: .comment.id, subject: .comment.subject, created_at: .comment.created_at}'
+```
+
+**CRITICAL — duplicate prevention:** The server has no idempotency. One POST = one comment, always. Duplicates are caused by calling the endpoint twice (retry after a perceived timeout, double tool invocation, etc.). **Never retry a POST /comment without first GET /tickets/{id} to confirm the comment did not already land.** When verifying, search all comments by subject — do not rely on `[-3:]` tail. The `Idempotency-Key` header is silently ignored.
+
+```bash
+# Correct verification pattern after ambiguous response
+curl -s "${BASE}/tickets/${ID}?api_key=${API_KEY}" | \
+  jq '.ticket.comments[] | select(.subject == "Your Subject Here") | {id, created_at}'
+```
+
+**Comments cannot be deleted via API.** No DELETE endpoint exists in the Syncro API for comments — confirmed against official swagger spec. Duplicate comments require manual removal in the GUI.
+
+**Do NOT wrap body in `{"comment": {...}}`** — returns 422 "Body can't be blank". POST flat JSON directly.
+
+#### Customers
+
+| Operation | Method | Endpoint |
+|---|---|---|
+| List/search | GET | `/customers?query=<search>&per_page=25` |
+| Get customer | GET | `/customers/<id>` |
+| Create customer | POST | `/customers` |
+
+#### Billable Line Items
+
+There are two verified mechanisms for putting a billable charge on a ticket. They are NOT interchangeable.
+
+**Default — `timer_entry → charge_timer_entry` (REQUIRED for any work that has a time component):**
+
+This is the documented billing path. It records hours into Syncro's time-tracking system AND creates the line item, so reporting (hours per client, tech productivity, prepay burn rate, average resolution time) stays accurate. Bare `add_line_item` skips the time-tracking system and leaves Syncro showing `00:00:00` worked even though the invoice posts correctly — which is what produced the 31-ticket gap on 2026-04-30 and three more on 2026-05-01.
+
+| Operation | Method | Endpoint |
+|---|---|---|
+| Create timer | POST | `/tickets/<id>/timer_entry` |
+| Charge timer (creates line item) | POST | `/tickets/<id>/charge_timer_entry` |
+| Update timer | PUT | `/tickets/<id>/update_timer_entry` |
+| Delete timer | POST | `/tickets/<id>/delete_timer_entry` |
+| List timers (on a ticket) | GET | `/tickets/<id>` → `.ticket.ticket_timers` |
+
+**CRITICAL — response shapes are FLAT:** Both `POST /timer_entry` and `POST /charge_timer_entry` return a flat object — `{"id": N, "ticket_id": ..., "product_id": ..., ...}` — NOT wrapped in `{"timer": {...}}` or `{"timer_entry": {...}}`. Parse as `.id` directly. The wrapped pattern silently returns `null`, breaks `charge_timer_entry` ("Not found"), and triggers a duplicate-timer retry. Hit on ticket #32253 on 2026-05-05; recovery via `delete_timer_entry`. Verified shape:
+
+```json
+// POST /tickets/{id}/timer_entry response
+{"id": 39031258, "ticket_id": 109895882, "user_id": 1750, "start_time": "...", "end_time": "...",
+ "recorded": false, "billable": true, "notes": "...", "product_id": 26118,
+ "comment_id": null, "ticket_line_item_id": null, "active_duration": 1800, ...}
+
+// POST /tickets/{id}/charge_timer_entry response (also flat)
+{"id": 39031258, "recorded": true, "ticket_line_item_id": 42313052, ...}
+```
+
+**CRITICAL — duplicate prevention:** Syncro has no idempotency on `/timer_entry`. **Never retry the POST without first GET `/tickets/{id}` and inspecting `.ticket.ticket_timers[]`.** The standalone `GET /ticket_timers?ticket_id=N` query parameter does NOT filter — it returns the entire global timer history. Use the ticket object instead.
+
+```bash
+# Verification pattern after ambiguous timer_entry response
+curl -s "${BASE}/tickets/${ID}?api_key=${API_KEY}" | \
+  jq '.ticket.ticket_timers[] | select(.recorded == false) | {id, start_time, end_time, product_id, notes}'
+```
+
+If duplicates exist, delete the older one(s) before charging:
+```bash
+curl -s -X POST "${BASE}/tickets/${ID}/delete_timer_entry?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{"timer_entry_id": <older_duplicate_id>}
+JSON
+# Returns: {"success": true}
+```
+
+```bash
+# 1. Create timer entry — records hours in Syncro's time-tracking system.
+#    For warranty / no-charge work, set "billable": false (time still records).
+#    Capture .id directly — response is FLAT (see above).
+TIMER_RESP=$(curl -s -X POST "${BASE}/tickets/${ID}/timer_entry?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "start_at": "ISO8601",
+  "end_at": "ISO8601",
+  "notes": "...",
+  "billable": true,
+  "product_id": 1190473
+}
+JSON
+)
+TIMER_ID=$(echo "$TIMER_RESP" | jq -r '.id')
+
+# 2. Charge the timer — sets recorded:true and auto-generates a linked line
+#    item with the timer's product_id and computed quantity (hours).
+curl -s -X POST "${BASE}/tickets/${ID}/charge_timer_entry?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<JSON
+{"timer_entry_id": ${TIMER_ID}}
+JSON
+
+# 3. Verify the auto-generated line item picked up the rate. Syncro sometimes
+#    creates the line at $0.00 even though the product has a price_retail set
+#    (same root cause as the bare add_line_item bug). If price_retail is 0,
+#    patch it via update_line_item.
+curl -s "${BASE}/tickets/${ID}?api_key=${API_KEY}" | jq '.ticket.line_items[] | {id, product_id, quantity, price_retail}'
+
+# 4. (only if needed) Patch a $0 line:
+curl -s -X PUT "${BASE}/tickets/${ID}/update_line_item?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "ticket_line_item_id": NNN,
+  "price_retail": 150.00
+}
+JSON
+
+# Delete timer (rarely needed):
+curl -s -X POST "${BASE}/tickets/${ID}/delete_timer_entry?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{"timer_entry_id": N}
+JSON
+# Returns: {"success": true}
+```
+
+`charge_timer_entry` produces the line item; you do NOT call `add_line_item` afterward — that would double-bill.
+
+**Fallback — bare `add_line_item` (NON-TIME items only):**
+
+Use this ONLY when there is genuinely no labor time component to bill — selling a hardware product, a flat-fee service, a recurring subscription line. For ANY work with a time component, including warranty/free work (where time should record at `billable: false`), use the timer path above. Cancelled tickets are the only exemption from creating a time entry.
+
+| Operation | Method | Endpoint |
+|---|---|---|
+| Add line item | POST | `/tickets/<id>/add_line_item` |
+| Remove line item | POST | `/tickets/<id>/remove_line_item` |
+| Update line item | PUT | `/tickets/<id>/update_line_item` |
+
+```bash
+# Non-time line item (hardware, flat-fee). Always include price_retail —
+# the API does not auto-apply product rates.
+curl -s -X POST "${BASE}/tickets/${ID}/add_line_item?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "product_id": 1190473,
+  "quantity": 1,
+  "price_retail": 150.00,
+  "name": "Hardware - Replacement Drive",
+  "description": "Item description",
+  "taxable": true
+}
+JSON
+
+# Remove
+curl -s -X POST "${BASE}/tickets/${ID}/remove_line_item?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{"ticket_line_item_id": 12345}
+JSON
+# Returns: {"success": true, "message": ""}
+```
+
+**add_line_item required fields** (also apply to the auto-generated line from `charge_timer_entry` — verify after charging and patch via `update_line_item` if needed):
+- `name` — required (422 if missing)
+- `description` — required (422 if missing)
+- `product_id` — product ID (labor product table below for time-based work, or any other product for hardware / flat-fee items)
+- `quantity` — units of the product. For labor products, this is decimal hours (0.5 = 30 min, 1.0 = 1 hour). For hardware, the unit count.
+- `price_retail` — **must always be set explicitly**; `price`, `retail_price`, `rate`, `price_cents` all silently ignored and leave line at $0.00. Syncro does NOT auto-calculate rates via API even though it does in the web UI. Omitting it leaves the line at $0.00 and the invoice generates at $0 (verified 2026-04-23 on #32203). Always pass the rate from the table below.
+- `taxable` — **always set explicitly**; labor products default to no-tax in GUI but the API applies tax if this is omitted. Use `false` for labor, `true` for taxable hardware.
+
+**Do NOT remove ticket line items after invoicing.** Leave them on the ticket — the "Add/View Charges" button and billing verification by techs depends on seeing line items there.
+
+**Labor product IDs and rates** (rates pulled from Syncro API 2026-04-24):
+
+| product_id | Name | price_retail ($/hr) | Notes |
+|---|---|---|---|
+| `1190473` | Labor - Remote Business | `150.00` | Standard remote work |
+| `26118` | Labor - Onsite Business | `175.00` | Base onsite rate |
+| `573881` | Labor - In Shop Business | `150.00` | Hardware brought into ACG's shop |
+| `26184` | Labor - Emergency or After Hours Business | `262.50` | **1.5× onsite; time-and-a-half baked into the rate.** Non-prepaid customers only. Do NOT stack with `26118` for the same hours. |
+| `1049360` | **Labor- Warranty work** | `0.00` | **Use this for ANY warranty / no-charge work.** Do NOT use a billable labor product + `billable: false` or a patched price. See `feedback_syncro_warranty_product.md`. |
+| `9269129` | Labor - Prepaid Project Labor | `0.00` | **DO NOT USE for normal or prepaid work.** Exempt Labor category — does NOT deduct from `prepay_hours` block despite the name. Billing a prepaid customer with this product gives a $0.00 invoice AND silently skips the block decrement. Verified 2026-05-04 (see `feedback_syncro_labor_type.md`). Only use if explicitly directed. |
+| `9269124` | Labor - Internal Labor | `0.00` | Non-billable internal ACG time (not customer-facing). |
+| `26117` | Fee - Travel Time | `40.00` | Per travel event (not hourly) |
+| `68055` | Labor - Website Labor | `150.00` | Website-related work |
+
+`price_retail` is the per-unit rate. Line item total = `price_retail × quantity`. **Rates are determined by the product selected** — never patch `price_retail` on a line item to convert one product into another (e.g. don't take Remote Labor at $150 and patch to $0 to mimic warranty). If a line's dollar amount is wrong, the wrong `product_id` was picked — undo, pick the correct product, redo. The only legitimate `update_line_item price_retail` use is the Syncro auto-gen-zero recovery (when an auto-generated line came in at $0 instead of the product's intended rate).
+
+**Emergency / after-hours billing branches by whether customer has prepaid labor:**
+
+Check: `GET /customers/<id>` → `.customer.prepay_hours` (string; `"0.0"` means no prepaid, any non-zero means prepaid block exists).
+
+| `prepay_hours` | Regular hours | Emergency / after-hours |
+|---|---|---|
+| `0` / null (no prepaid) | delivery-channel product, qty = actual_hours | `26184`, qty = actual_hours (rate already 1.5×) |
+| `> 0` (has prepaid block) | delivery-channel product, qty = actual_hours | delivery-channel product, qty = actual_hours × **1.5** |
+
+"Delivery-channel product" = `1190473` remote, `26118` onsite, `573881` in-shop, `68055` web — match to how work was actually delivered.
+
+**Rationale (Winter, 2026-04-23):** Prepaid blocks debit by QUANTITY, not dollars. To charge time-and-a-half against a prepaid block we bump the quantity to 1.5× on the Onsite product rather than switching to the Emergency product — switching would double-count because the Emergency product has the 1.5× already built into its dollar rate.
+
+**Example — 2 hour emergency onsite job:**
+- Non-prepaid customer: one line of 2.0 hrs × `26184` @ $262.50 → $525.00 billed
+- Prepaid customer: one line of 3.0 hrs × `26118` @ $175.00 → debits 3 hrs from prepaid block
+
+Winter caught this on #32203 (Desert Auto Tech) 2026-04-23 after a stack of 1hr `26118` + 1hr `26184` for a single hour of emergency work — the $ doubled because the 1.5× was applied twice.
+
+#### Timer Entries (time tracking reference)
+
+| Operation | Method | Endpoint |
+|---|---|---|
+| Add timer | POST | `/tickets/<id>/timer_entry` |
+| Charge timer → line item | POST | `/tickets/<id>/charge_timer_entry` |
+| Update timer | PUT | `/tickets/<id>/update_timer_entry` |
+| Delete timer | POST | `/tickets/<id>/delete_timer_entry` |
+| List timers (on a ticket) | GET | `/tickets/<id>` → `.ticket.ticket_timers` |
+
+Both `POST /timer_entry` and `POST /charge_timer_entry` return FLAT objects — parse `.id` directly. See "Billable Line Items → Default" above for the full response-shape note and duplicate-prevention pattern.
+
+#### Invoices
+
+| Operation | Method | Endpoint | Body |
+|---|---|---|---|
+| List invoices | GET | `/invoices?per_page=25` | — |
+| Get invoice | GET | `/invoices/<id>` | — |
+| Create from ticket | POST | `/invoices` | `{"ticket_id": N, "customer_id": N, "category": "Standard"}` |
+| Delete invoice | DELETE | `/invoices/<id>` | — |
+
+**"Make Invoice" flow:** `POST /invoices` pulls all line items currently on the ticket into the invoice. Line items are produced by `charge_timer_entry` (the default path for time-based work) or by bare `add_line_item` (the fallback path for non-time items). A bare timer entry that has not been charged is NOT pulled in — the timer must be converted to a line item via `charge_timer_entry` first.
+
+**Note:** The `POST /invoices` response body does not include `line_items` — do `GET /invoices/{id}` to verify line items transferred correctly.
+
+### Display formatting
+
+When showing ticket lists, format as:
+
+```
+#32164  New        Jerry Burger           Own cloud thing again
+#32163  New        LeeAnn Parkinson       Remote - Jim cant access his email
+#32162  Invoiced   Len's Auto Brokerage   Server upgrade
+```
+
+When showing ticket detail, include:
+- Ticket number, subject, status, priority
+- Customer name + contact
+- Created date, due date, last updated
+- Assigned tech
+- Comments (most recent first, truncated to last 5)
+- Line items / billing status
+
+### Billing workflow
+
+**ALWAYS ask the user for minutes and labor type before logging any time. Never assume a default.**
+**ALWAYS show a preview of the comment + timer entry to the user before posting. Wait for confirmation.**
+**ALWAYS read `customer.prepay_hours` before billing ANY work** — not just emergency. Prepaid customers get $0.00 invoices with block deductions; non-prepaid customers get dollar invoices. Knowing this before you start prevents false "zero invoice" panic mid-workflow.
+**ALWAYS bill via `timer_entry → charge_timer_entry`. Bare `add_line_item` for time-based work bypasses Syncro's time-tracking system and is forbidden — see Hard Rules.**
+
+When `/syncro bill <number>` is called:
+1. `GET /tickets/{id}` for ticket detail, then `GET /customers/{customer_id}` to read `prepay_hours`
+2. Check Ollama availability (see "Ollama drafting" above) — do this once, reuse `$OLLAMA`
+3. Ask: "How many minutes should I bill, and what labor type? (remote / onsite / emergency / project / internal / warranty)"
+4. Decide product + quantity using the emergency-branching table above:
+   - Non-prepaid + emergency → product `26184`, qty = actual hours
+   - Prepaid + emergency     → product `26118`, qty = actual hours × 1.5
+   - Warranty / no-charge    → product **`1049360` (Labor- Warranty work)**, `billable: true`, qty = actual hours. Do NOT pick a regular labor product with `billable: false` — Syncro silently overrides the flag and generates a billable line. (Verified 2026-05-06 on #32225 — see `feedback_syncro_warranty_product.md`.)
+   - Otherwise               → per `--labor` mapping below, qty = actual hours
+5. Look up `price_retail` from the local rate table (do NOT fetch live — rates are baked in)
+6. Compute `start_at` and `end_at` for the timer (use ISO8601; the `end_at − start_at` interval should equal `quantity` hours so Syncro's reporting math matches what you bill)
+7. Send billing draft prompt to Ollama (or draft directly if `$OLLAMA` is empty) — see prompt template above
+8. Run Claude review checklist on the draft output
+9. Present preview to user: product, quantity, rate, computed total, comment body, timer notes / line item description. Wait for confirmation.
+10. Post resolution comment: `POST /tickets/{id}/comment`
+11. Create timer entry: `POST /tickets/{id}/timer_entry` with `start_at`, `end_at`, `billable` (true for paid work, false for warranty/no-charge), `product_id`, `notes`. Capture the returned timer ID.
+12. Charge the timer: `POST /tickets/{id}/charge_timer_entry` with `{"timer_entry_id": N}` — this records the time AND auto-generates a linked line item with the timer's `product_id` and computed `quantity` (hours).
+13. Verify the auto-generated line item picked up the rate: `GET /tickets/{id}` and inspect the new entry in `.ticket.line_items[]`. If `price_retail` came in at `0.00` (Syncro sometimes drops it on auto-generated lines), patch it: `PUT /tickets/{id}/update_line_item` with `{"ticket_line_item_id": N, "price_retail": <rate>}`.
+14. Create invoice: `POST /invoices` with `{"ticket_id": N, "customer_id": N, "category": "Standard"}`
+15. Verify invoice: `GET /invoices/{id}` → confirm line items transferred. **For prepaid customers, `.invoice.total` will be $0.00 — this is correct.** The line item name is annotated "- Applied X Prepay Hours" and the block is debited. Confirm by re-fetching `customer.prepay_hours` and checking it dropped by `quantity`. For non-prepaid customers, `.invoice.total` must equal `qty × price_retail`.
+16. Update ticket status to `Invoiced`
+
+**If `.invoice.total` comes back $0.00** (auto-generated line item went in with null price and you missed step 13): `PUT /tickets/{id}/update_line_item` with `price_retail` on each item, then `DELETE /invoices/{bad_id}` and re-POST `/invoices`. Recovery verified on #32203 (2026-04-23).
+
+**Correct pattern:**
+```bash
+# Step 1: Post resolution comment
+curl -s -X POST "${BASE}/tickets/${ID}/comment?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "subject": "Resolution",
+  "body": "...",
+  "hidden": false,
+  "do_not_email": false
+}
+JSON
+
+# Step 2: Create timer entry — records hours in Syncro's time-tracking system.
+# Convert minutes to decimal hours (60 min = 1.0, 30 min = 0.5, 45 min = 0.75).
+# Set start_at/end_at so end - start equals the billed duration.
+# For warranty / no-charge work, set "billable": false (time still records).
+TIMER_RESP=$(curl -s -X POST "${BASE}/tickets/${ID}/timer_entry?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{
+  "start_at": "2026-05-01T13:00:00-07:00",
+  "end_at":   "2026-05-01T14:00:00-07:00",
+  "notes": "Resolved customer issue — see ticket comment for detail.",
+  "billable": true,
+  "product_id": 1190473
+}
+JSON
+)
+TIMER_ID=$(echo "$TIMER_RESP" | jq -r '.id')  # response is FLAT — see "response shapes" note above
+
+# Step 3: Charge the timer — creates the linked line item automatically.
+curl -s -X POST "${BASE}/tickets/${ID}/charge_timer_entry?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<JSON
+{"timer_entry_id": ${TIMER_ID}}
+JSON
+
+# Step 4: Verify auto-generated line item — price_retail should equal the
+# product rate. If it's 0.00, patch with update_line_item before invoicing.
+LINE=$(curl -s "${BASE}/tickets/${ID}?api_key=${API_KEY}" | \
+  jq '.ticket.line_items | map(select(.product_id == 1190473)) | last')
+echo "$LINE" | jq '{id, product_id, quantity, price_retail}'
+
+# Step 5: (only if price_retail came in at 0) patch it
+LINE_ID=$(echo "$LINE" | jq -r '.id')
+curl -s -X PUT "${BASE}/tickets/${ID}/update_line_item?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<JSON
+{"ticket_line_item_id": ${LINE_ID}, "price_retail": 150.00}
+JSON
+
+# Step 6: Create invoice
+INV_RESP=$(curl -s -X POST "${BASE}/invoices?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<JSON
+{"ticket_id": ${ID}, "customer_id": ${CUST}, "category": "Standard"}
+JSON
+)
+INVOICE_ID=$(echo "$INV_RESP" | jq -r '.invoice.id')
+
+# Step 7: Verify line items transferred and total is correct
+curl -s "${BASE}/invoices/${INVOICE_ID}?api_key=${API_KEY}" | \
+  jq '{total: .invoice.total, line_items: .invoice.line_items}'
+
+# Step 8: Mark ticket Invoiced
+curl -s -X PUT "${BASE}/tickets/${ID}?api_key=${API_KEY}" \
+  -H "Content-Type: application/json" \
+  --data-binary @- <<'JSON'
+{"status": "Invoiced"}
+JSON
+```
+
+The two heredocs that interpolate `${TIMER_ID}` / `${LINE_ID}` / `${ID}` / `${CUST}` / `${INVOICE_ID}` use unquoted `<<JSON` (allows expansion). The static-payload heredocs use `<<'JSON'` (single-quoted, no expansion) so any `$` inside the body — passwords, regex, jq queries — comes through as a literal. Pick the right form per heredoc.
+
+`--labor` maps to product IDs: `remote` → 1190473, `onsite` → 26118, `emergency` → 26184, `project` → 9269129, `internal` → 9269124, `travel` → 26117, `website` → 68055
+
+**Override:** `emergency` becomes `26118` with `quantity × 1.5` when the customer has `prepay_hours > 0`. See the Emergency billing branching table above. The override applies to the timer's `product_id` field and the timer's interval (set `end_at − start_at` to `actual_hours × 1.5` so the auto-generated line gets the right quantity).
+
+### Error handling
+
+- 401: API key invalid or expired
+- 404: ticket/customer/invoice not found
+- 422: validation error (show the error message from response body)
+- 429: rate limited (wait 60s and retry)
+
+### Integration with session logs
+
+When closing a ticket (`/syncro close`), offer to create a session log entry in `clients/<customer>/session-logs/` documenting what was resolved. Pull the ticket subject, comments, and resolution into a structured log.

.claude/context-recall-config.env.example

@@ -1,11 +0,0 @@
-# Claude Context Import Configuration
-# Copy this file to context-recall-config.env and update with your actual values
-
-# JWT Token for API Authentication
-# Generate this token using the ClaudeTools API /auth endpoint
-# Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
-JWT_TOKEN=your-jwt-token-here
-
-# API Base URL (default: http://localhost:8000)
-# Change this if your API is running on a different host/port
-API_BASE_URL=http://localhost:8000

.claude/hooks/.gitkeep

@@ -1,2 +0,0 @@
-# This directory contains Claude Code hooks for Context Recall
-# See README.md for documentation

.claude/hooks/EXAMPLES.md

@@ -1,390 +0,0 @@
-# Context Recall Examples
-
-Real-world examples of how the Context Recall System works.
-
-## Example 1: Continuing Previous Work
-
-### Session 1 (Monday)
-
-**User:** "Add authentication endpoints to the API"
-
-**Claude:** Creates `/api/auth/login` and `/api/auth/register` endpoints
-
-**System:** Saves context:
-```json
-{
-  "title": "Session: 2025-01-13T14:30:00Z",
-  "context_type": "session_summary",
-  "dense_summary": "Created authentication endpoints including login and register. Implemented JWT token generation with 24-hour expiry. Added password hashing with bcrypt.",
-  "relevance_score": 8.5,
-  "metadata": {
-    "files_modified": "api/auth.py,api/models.py",
-    "git_branch": "feature/auth"
-  }
-}
-```
-
-### Session 2 (Tuesday)
-
-**User:** "Add password reset functionality"
-
-**System:** Automatically recalls context:
-```markdown
-## [DOCS] Previous Context
-
-### 1. Session: 2025-01-13T14:30:00Z (Score: 8.5/10)
-*Type: session_summary*
-
-Created authentication endpoints including login and register.
-Implemented JWT token generation with 24-hour expiry.
-Added password hashing with bcrypt.
-
-Modified files: api/auth.py,api/models.py
-Branch: feature/auth
-```
-
-**Claude:** (with context) "I'll add password reset to the existing authentication system. Based on the previous session, I can see we're using JWT tokens and bcrypt..."
-
-## Example 2: Technical Decision Recall
-
-### Session 1
-
-**User:** "Why did we choose PostgreSQL over MongoDB?"
-
-**Claude:** "We chose PostgreSQL because: 1) Strong ACID guarantees, 2) Complex relationships in data model, 3) Team familiarity..."
-
-**System:** Saves context:
-```json
-{
-  "title": "Database Technology Decision",
-  "context_type": "technical_decision",
-  "dense_summary": "Chose PostgreSQL over MongoDB for: ACID guarantees, complex relationships, team familiarity, excellent tooling ecosystem. Decision made after evaluating both options.",
-  "relevance_score": 9.0
-}
-```
-
-### Session 2 (Weeks Later)
-
-**User:** "Should we use MongoDB for the logging service?"
-
-**System:** Recalls context:
-```markdown
-## [DOCS] Previous Context
-
-### 1. Database Technology Decision (Score: 9.0/10)
-*Type: technical_decision*
-
-Chose PostgreSQL over MongoDB for: ACID guarantees, complex relationships,
-team familiarity, excellent tooling ecosystem. Decision made after
-evaluating both options.
-```
-
-**Claude:** "Given our previous decision to use PostgreSQL for its ACID guarantees and relational features, let's consider if logging has different requirements..."
-
-## Example 3: Bug Fix History
-
-### Session 1
-
-**User:** "Fix the authentication timeout issue"
-
-**Claude:** Fixes bug in JWT token validation
-
-**System:** Saves:
-```json
-{
-  "title": "Bug Fix: Authentication Timeouts",
-  "context_type": "bug_fix",
-  "dense_summary": "Fixed authentication timeout issue caused by incorrect JWT expiry validation. Changed from server time to UTC. Added timezone handling.",
-  "relevance_score": 8.0,
-  "metadata": {
-    "bug_type": "authentication",
-    "fix_type": "timezone_handling"
-  }
-}
-```
-
-### Session 2
-
-**User:** "Users are getting logged out randomly"
-
-**System:** Recalls:
-```markdown
-## [DOCS] Previous Context
-
-### 1. Bug Fix: Authentication Timeouts (Score: 8.0/10)
-*Type: bug_fix*
-
-Fixed authentication timeout issue caused by incorrect JWT expiry
-validation. Changed from server time to UTC. Added timezone handling.
-```
-
-**Claude:** "This might be related to the previous timeout issue. Let me check the JWT timezone handling..."
-
-## Example 4: Multi-Session Feature Development
-
-### Session 1: Planning
-
-**User:** "Plan a user dashboard feature"
-
-**Claude:** Creates architecture plan
-
-**System:** Saves:
-```json
-{
-  "title": "User Dashboard Architecture",
-  "context_type": "architecture_decision",
-  "dense_summary": "Planned user dashboard with: Real-time metrics, customizable widgets, role-based access. Tech stack: React frontend, WebSocket for real-time, Redis for caching.",
-  "relevance_score": 9.5
-}
-```
-
-### Session 2: Frontend Implementation
-
-**User:** "Implement the dashboard frontend"
-
-**System:** Recalls planning context, Claude implements according to plan
-
-**System:** Saves:
-```json
-{
-  "title": "Dashboard Frontend Implementation",
-  "context_type": "session_summary",
-  "dense_summary": "Implemented React dashboard with widget system. Created: DashboardContainer, WidgetGrid, individual widget components. Used WebSocket hook for real-time updates.",
-  "relevance_score": 8.0
-}
-```
-
-### Session 3: Backend Implementation
-
-**User:** "Add the backend API for the dashboard"
-
-**System:** Recalls both previous contexts
-
-**Claude:** "Based on the architecture plan and frontend implementation, I'll create the WebSocket endpoints and Redis caching layer..."
-
-### Session 4: Testing
-
-**User:** "Write tests for the dashboard"
-
-**System:** Recalls all three previous contexts
-
-**Claude:** "I'll write tests covering the complete dashboard flow: frontend widgets, WebSocket connections, Redis caching, and API endpoints..."
-
-## Example 5: Context Filtering
-
-### Query with High Threshold
-
-```bash
-MIN_RELEVANCE_SCORE=7.5
-```
-
-Result: Only highly relevant contexts (major decisions, current feature work)
-
-```markdown
-### 1. User Authentication Refactor (Score: 9.0/10)
-### 2. Database Schema Changes (Score: 8.5/10)
-### 3. API Rate Limiting Implementation (Score: 7.8/10)
-```
-
-### Query with Low Threshold
-
-```bash
-MIN_RELEVANCE_SCORE=3.0
-```
-
-Result: More historical context (includes older sessions, minor changes)
-
-```markdown
-### 1. User Authentication Refactor (Score: 9.0/10)
-### 2. Database Schema Changes (Score: 8.5/10)
-### 3. API Rate Limiting Implementation (Score: 7.8/10)
-### 4. Update README documentation (Score: 6.5/10)
-### 5. Fix typo in comment (Score: 4.2/10)
-### 6. Add gitignore entry (Score: 3.5/10)
-```
-
-## Example 6: Project State Tracking
-
-### After Each Session
-
-**task-complete hook** saves project state:
-
-```json
-{
-  "project_id": "abc123...",
-  "state_data": {
-    "last_task_completion": "2025-01-15T10:30:00Z",
-    "last_git_commit": "a1b2c3d",
-    "last_git_branch": "feature/dashboard",
-    "recent_files": "src/Dashboard.tsx,api/dashboard.py"
-  },
-  "state_type": "task_completion"
-}
-```
-
-This enables Claude to answer questions like:
-- "What was I working on last?"
-- "What files did I modify recently?"
-- "What branch am I on?"
-
-## Example 7: Cross-Feature Context
-
-### Session 1: Feature A
-
-**User:** "Add user roles system"
-
-**System:** Saves context about role implementation (Admin, User, Guest)
-
-### Session 2: Feature B
-
-**User:** "Add permissions to the API endpoints"
-
-**System:** Recalls role system context
-
-**Claude:** "I'll add permissions using the existing role system (Admin, User, Guest) that we implemented..."
-
-This shows how context from one feature automatically informs work on related features.
-
-## Example 8: Onboarding New Team Members
-
-### New Developer's First Session
-
-**New Dev:** "How does authentication work in this project?"
-
-**System:** Recalls all authentication-related contexts:
-```markdown
-### 1. User Authentication Refactor (Score: 9.0/10)
-Implemented JWT-based authentication with bcrypt password hashing...
-
-### 2. Session Management Design (Score: 8.5/10)
-Added Redis-backed session storage with 24-hour expiry...
-
-### 3. OAuth Integration (Score: 8.0/10)
-Integrated Google and GitHub OAuth providers...
-```
-
-**Claude:** (with full context) "Our authentication system uses JWT tokens with bcrypt hashing. We also have OAuth integration with Google and GitHub..."
-
-## Example 9: Debugging with Context
-
-### Session 1: Implementation
-
-**User:** "Add email notification system"
-
-**System:** Saves implementation details (SMTP config, template system, queuing)
-
-### Session 2: Bug Report
-
-**User:** "Emails aren't being sent"
-
-**System:** Recalls implementation context
-
-**Claude:** "Let me check the email system we implemented. Based on the previous session, we're using SMTP with a queue system. Common issues could be..."
-
-## Example 10: Evolving Requirements
-
-### Month 1
-
-**User:** "Build simple user profile page"
-
-**System:** Saves initial implementation
-
-### Month 2
-
-**User:** "Add social features to profiles"
-
-**System:** Recalls original implementation
-
-**Claude:** "I'll extend the existing profile system to include social features..."
-
-### Month 3
-
-**User:** "Make profiles customizable"
-
-**System:** Recalls both previous implementations
-
-**Claude:** "Building on the profile and social features, I'll add customization options..."
-
-Each session builds on previous work with full context.
-
-## Real Output Example
-
-Here's what you actually see in Claude Code when context is recalled:
-
-```markdown
-<!-- Context Recall: Retrieved 3 relevant context(s) -->
-
-## [DOCS] Previous Context
-
-The following context has been automatically recalled from previous sessions:
-
-### 1. API Authentication Implementation (Score: 8.5/10)
-*Type: session_summary*
-
-Task completed on branch 'feature/auth' (commit: a1b2c3d).
-
-Summary: Implemented JWT-based authentication system with login/register
-endpoints. Added password hashing using bcrypt. Created middleware for
-protected routes. Token expiry set to 24 hours.
-
-Modified files: api/auth.py,api/middleware.py,api/models.py
-
-Timestamp: 2025-01-15T14:30:00Z
-
----
-
-### 2. Database Schema for Users (Score: 7.8/10)
-*Type: technical_decision*
-
-Added User model with fields: id, username, email, password_hash,
-created_at, last_login. Decided to use UUID for user IDs instead of
-auto-increment integers for better security and scalability.
-
----
-
-### 3. Security Best Practices Discussion (Score: 7.2/10)
-*Type: session_summary*
-
-Discussed security considerations: password hashing (bcrypt), token
-storage (httpOnly cookies), CORS configuration, rate limiting. Decided
-to implement rate limiting in next session.
-
----
-
-*This context was automatically injected to help maintain continuity across sessions.*
-```
-
-This gives Claude complete awareness of your previous work without you having to explain it!
-
-## Benefits Demonstrated
-
-1. **Continuity** - Work picks up exactly where you left off
-2. **Consistency** - Decisions made previously are remembered
-3. **Efficiency** - No need to re-explain project details
-4. **Learning** - New team members get instant project knowledge
-5. **Debugging** - Past implementations inform current troubleshooting
-6. **Evolution** - Features build naturally on previous work
-
-## Configuration Tips
-
-**For focused work (single feature):**
-```bash
-MIN_RELEVANCE_SCORE=7.0
-MAX_CONTEXTS=5
-```
-
-**For comprehensive context (complex projects):**
-```bash
-MIN_RELEVANCE_SCORE=5.0
-MAX_CONTEXTS=15
-```
-
-**For debugging (need full history):**
-```bash
-MIN_RELEVANCE_SCORE=3.0
-MAX_CONTEXTS=20
-```
-
-## Next Steps
-
-See `CONTEXT_RECALL_SETUP.md` for setup instructions and `README.md` for technical details.

.claude/hooks/INSTALL.md

@@ -1,223 +0,0 @@
-# Hook Installation Verification
-
-This document helps verify that Claude Code hooks are properly installed.
-
-## Quick Check
-
-Run this command to verify installation:
-
-```bash
-bash scripts/test-context-recall.sh
-```
-
-Expected output: **15/15 tests passed**
-
-## Manual Verification
-
-### 1. Check Hook Files Exist
-
-```bash
-ls -la .claude/hooks/
-```
-
-Expected files:
-- `user-prompt-submit` (executable)
-- `task-complete` (executable)
-- `README.md`
-- `EXAMPLES.md`
-- `INSTALL.md` (this file)
-
-### 2. Check Permissions
-
-```bash
-ls -l .claude/hooks/user-prompt-submit
-ls -l .claude/hooks/task-complete
-```
-
-Both should show: `-rwxr-xr-x` (executable)
-
-If not executable:
-```bash
-chmod +x .claude/hooks/user-prompt-submit
-chmod +x .claude/hooks/task-complete
-```
-
-### 3. Check Configuration Exists
-
-```bash
-cat .claude/context-recall-config.env
-```
-
-Should show:
-- `CLAUDE_API_URL=http://localhost:8000`
-- `JWT_TOKEN=...` (should have a value)
-- `CONTEXT_RECALL_ENABLED=true`
-
-If file missing, run setup:
-```bash
-bash scripts/setup-context-recall.sh
-```
-
-### 4. Test Hooks Manually
-
-**Test user-prompt-submit:**
-```bash
-source .claude/context-recall-config.env
-bash .claude/hooks/user-prompt-submit
-```
-
-Expected: Either context output or silent success (if no contexts exist)
-
-**Test task-complete:**
-```bash
-source .claude/context-recall-config.env
-export TASK_SUMMARY="Test task"
-bash .claude/hooks/task-complete
-```
-
-Expected: Silent success or "✓ Context saved to database"
-
-### 5. Check API Connectivity
-
-```bash
-curl http://localhost:8000/health
-```
-
-Expected: `{"status":"healthy"}` or similar
-
-If fails: Start API with `uvicorn api.main:app --reload`
-
-### 6. Verify Git Config
-
-```bash
-git config --local claude.projectid
-```
-
-Expected: A UUID value
-
-If empty, run setup:
-```bash
-bash scripts/setup-context-recall.sh
-```
-
-## Common Issues
-
-### Hooks Not Executing
-
-**Problem:** Hooks don't run when using Claude Code
-
-**Solutions:**
-1. Verify Claude Code supports hooks (see docs)
-2. Check hook permissions: `chmod +x .claude/hooks/*`
-3. Test hooks manually (see above)
-
-### Context Not Appearing
-
-**Problem:** No context injected in Claude Code
-
-**Solutions:**
-1. Check API is running: `curl http://localhost:8000/health`
-2. Check JWT token is valid: Run setup again
-3. Enable debug: `echo "DEBUG_CONTEXT_RECALL=true" >> .claude/context-recall-config.env`
-4. Check if contexts exist: Run a few tasks first
-
-### Context Not Saving
-
-**Problem:** Contexts not persisted to database
-
-**Solutions:**
-1. Check project ID: `git config --local claude.projectid`
-2. Test manually: `bash .claude/hooks/task-complete`
-3. Check API logs for errors
-4. Verify JWT token: Run setup again
-
-### Permission Denied
-
-**Problem:** `Permission denied` when running hooks
-
-**Solution:**
-```bash
-chmod +x .claude/hooks/user-prompt-submit
-chmod +x .claude/hooks/task-complete
-```
-
-### API Connection Refused
-
-**Problem:** `Connection refused` errors
-
-**Solutions:**
-1. Start API: `uvicorn api.main:app --reload`
-2. Check API URL in config
-3. Verify firewall settings
-
-## Troubleshooting Commands
-
-```bash
-# Full system test
-bash scripts/test-context-recall.sh
-
-# Check all permissions
-ls -la .claude/hooks/ scripts/
-
-# Re-run setup
-bash scripts/setup-context-recall.sh
-
-# Enable debug mode
-echo "DEBUG_CONTEXT_RECALL=true" >> .claude/context-recall-config.env
-
-# Test API
-curl http://localhost:8000/health
-curl -H "Authorization: Bearer $JWT_TOKEN" http://localhost:8000/api/projects
-
-# View configuration
-cat .claude/context-recall-config.env
-
-# Test hooks with debug
-bash -x .claude/hooks/user-prompt-submit
-bash -x .claude/hooks/task-complete
-```
-
-## Expected Workflow
-
-When properly installed:
-
-1. **You start Claude Code** → `user-prompt-submit` runs
-2. **Hook queries database** → Retrieves relevant contexts
-3. **Context injected** → You see previous work context
-4. **You work normally** → Claude has full context
-5. **Task completes** → `task-complete` runs
-6. **Context saved** → Available for next session
-
-All automatic, zero user action required!
-
-## Documentation
-
-- **Quick Start:** `.claude/CONTEXT_RECALL_QUICK_START.md`
-- **Full Setup:** `CONTEXT_RECALL_SETUP.md`
-- **Architecture:** `.claude/CONTEXT_RECALL_ARCHITECTURE.md`
-- **Hook Details:** `.claude/hooks/README.md`
-- **Examples:** `.claude/hooks/EXAMPLES.md`
-
-## Support
-
-If issues persist after following this guide:
-
-1. Review full documentation (see above)
-2. Run full test suite: `bash scripts/test-context-recall.sh`
-3. Check API logs for errors
-4. Enable debug mode for verbose output
-
-## Success Checklist
-
-- [ ] Hook files exist in `.claude/hooks/`
-- [ ] Hooks are executable (`chmod +x`)
-- [ ] Configuration file exists (`.claude/context-recall-config.env`)
-- [ ] JWT token is set in configuration
-- [ ] Project ID detected or set
-- [ ] API is running (`curl http://localhost:8000/health`)
-- [ ] Test script passes (`bash scripts/test-context-recall.sh`)
-- [ ] Hooks execute manually without errors
-
-If all items checked: **Installation is complete!** [OK]
-
-Start using Claude Code and enjoy automatic context recall!

.claude/hooks/README.md

@@ -1,323 +0,0 @@
-# Claude Code Context Recall Hooks
-
-Automatically inject and save relevant context from the ClaudeTools database into Claude Code conversations.
-
-## Overview
-
-This system provides seamless context continuity across Claude Code sessions by:
-
-1. **Recalling context** - Automatically inject relevant context from previous sessions before each message
-2. **Saving context** - Automatically save conversation summaries after task completion
-3. **Project awareness** - Track project state and maintain context across sessions
-
-## Hooks
-
-### `user-prompt-submit`
-
-**Runs:** Before each user message is processed
-
-**Purpose:** Injects relevant context from the database into the conversation
-
-**What it does:**
-- Detects the current project ID (from git config or remote URL)
-- Calls `/api/conversation-contexts/recall` to fetch relevant contexts
-- Injects context as a formatted markdown section
-- Falls back gracefully if API is unavailable
-
-**Example output:**
-```markdown
-## [DOCS] Previous Context
-
-The following context has been automatically recalled from previous sessions:
-
-### 1. Database Schema Updates (Score: 8.5/10)
-*Type: technical_decision*
-
-Updated the Project model to include new fields for MSP integration...
-
----
-```
-
-### `task-complete`
-
-**Runs:** After a task is completed
-
-**Purpose:** Saves conversation context to the database for future recall
-
-**What it does:**
-- Gathers task information (git branch, commit, modified files)
-- Creates a compressed summary of the task
-- POST to `/api/conversation-contexts` to save context
-- Updates project state via `/api/project-states`
-
-**Saved information:**
-- Task summary
-- Git branch and commit hash
-- Modified files
-- Timestamp
-- Metadata for future retrieval
-
-## Configuration
-
-### Quick Setup
-
-Run the automated setup script:
-
-```bash
-bash scripts/setup-context-recall.sh
-```
-
-This will:
-1. Create a JWT token
-2. Detect or create your project
-3. Configure environment variables
-4. Make hooks executable
-5. Test the system
-
-### Manual Setup
-
-1. **Get JWT Token**
-
-```bash
-curl -X POST http://localhost:8000/api/auth/login \
-  -H "Content-Type: application/json" \
-  -d '{"username": "admin", "password": "your-password"}'
-```
-
-2. **Get/Create Project**
-
-```bash
-curl -X POST http://localhost:8000/api/projects \
-  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "name": "ClaudeTools",
-    "description": "Your project description"
-  }'
-```
-
-3. **Configure `.claude/context-recall-config.env`**
-
-```bash
-CLAUDE_API_URL=http://localhost:8000
-CLAUDE_PROJECT_ID=your-project-uuid-here
-JWT_TOKEN=your-jwt-token-here
-CONTEXT_RECALL_ENABLED=true
-MIN_RELEVANCE_SCORE=5.0
-MAX_CONTEXTS=10
-```
-
-4. **Make hooks executable**
-
-```bash
-chmod +x .claude/hooks/user-prompt-submit
-chmod +x .claude/hooks/task-complete
-```
-
-### Configuration Options
-
-| Variable | Default | Description |
-|----------|---------|-------------|
-| `CLAUDE_API_URL` | `http://localhost:8000` | API base URL |
-| `CLAUDE_PROJECT_ID` | Auto-detect | Project UUID |
-| `JWT_TOKEN` | Required | Authentication token |
-| `CONTEXT_RECALL_ENABLED` | `true` | Enable/disable system |
-| `MIN_RELEVANCE_SCORE` | `5.0` | Minimum score (0-10) |
-| `MAX_CONTEXTS` | `10` | Max contexts per query |
-| `AUTO_SAVE_CONTEXT` | `true` | Save after completion |
-| `DEBUG_CONTEXT_RECALL` | `false` | Enable debug logs |
-
-## Project ID Detection
-
-The system automatically detects your project ID using:
-
-1. **Git config** - `git config --local claude.projectid`
-2. **Git remote URL hash** - Consistent ID from remote URL
-3. **Environment variable** - `CLAUDE_PROJECT_ID`
-
-To manually set project ID in git config:
-
-```bash
-git config --local claude.projectid "your-project-uuid"
-```
-
-## Testing
-
-Run the test script:
-
-```bash
-bash scripts/test-context-recall.sh
-```
-
-This will:
-- Test API connectivity
-- Test context recall endpoint
-- Test context saving
-- Verify hooks are working
-
-## Usage
-
-Once configured, the system works automatically:
-
-1. **Start Claude Code** - Context is automatically recalled
-2. **Work normally** - All your conversations happen as usual
-3. **Complete tasks** - Context is automatically saved
-4. **Next session** - Previous context is automatically available
-
-## Troubleshooting
-
-### Context not appearing?
-
-1. Enable debug mode:
-   ```bash
-   echo "DEBUG_CONTEXT_RECALL=true" >> .claude/context-recall-config.env
-   ```
-
-2. Check API is running:
-   ```bash
-   curl http://localhost:8000/health
-   ```
-
-3. Verify JWT token:
-   ```bash
-   curl -H "Authorization: Bearer $JWT_TOKEN" http://localhost:8000/api/projects
-   ```
-
-4. Check hooks are executable:
-   ```bash
-   ls -la .claude/hooks/
-   ```
-
-### Context not saving?
-
-1. Check task-complete hook output:
-   ```bash
-   bash -x .claude/hooks/task-complete
-   ```
-
-2. Verify project ID:
-   ```bash
-   source .claude/context-recall-config.env
-   echo $CLAUDE_PROJECT_ID
-   ```
-
-3. Check API logs for errors
-
-### Hooks not running?
-
-1. Verify hook permissions:
-   ```bash
-   chmod +x .claude/hooks/*
-   ```
-
-2. Test hook manually:
-   ```bash
-   bash .claude/hooks/user-prompt-submit
-   ```
-
-3. Check Claude Code hook documentation:
-   https://docs.claude.com/claude-code/hooks
-
-### API connection errors?
-
-1. Verify API is running:
-   ```bash
-   curl http://localhost:8000/health
-   ```
-
-2. Check firewall/port blocking
-
-3. Verify API URL in config
-
-## How It Works
-
-### Context Recall Flow
-
-```
-User sends message
-    ↓
-[user-prompt-submit hook runs]
-    ↓
-Detect project ID
-    ↓
-Call /api/conversation-contexts/recall
-    ↓
-Format and inject context
-    ↓
-Claude processes message with context
-```
-
-### Context Save Flow
-
-```
-Task completes
-    ↓
-[task-complete hook runs]
-    ↓
-Gather task information
-    ↓
-Create context summary
-    ↓
-POST to /api/conversation-contexts
-    ↓
-Update /api/project-states
-    ↓
-Context saved for future recall
-```
-
-## API Endpoints Used
-
-- `GET /api/conversation-contexts/recall` - Retrieve relevant contexts
-- `POST /api/conversation-contexts` - Save new context
-- `POST /api/project-states` - Update project state
-- `GET /api/projects` - Get project information
-- `POST /api/auth/login` - Get JWT token
-
-## Security Notes
-
-- JWT tokens are stored in `.claude/context-recall-config.env`
-- This file should be in `.gitignore` (DO NOT commit tokens!)
-- Tokens expire after 24 hours (configurable)
-- Hooks fail gracefully if authentication fails
-
-## Advanced Usage
-
-### Custom Context Types
-
-Modify `task-complete` hook to create custom context types:
-
-```bash
-CONTEXT_TYPE="bug_fix"  # or "feature", "refactor", etc.
-RELEVANCE_SCORE=9.0     # Higher for important contexts
-```
-
-### Filtering Contexts
-
-Adjust recall parameters in config:
-
-```bash
-MIN_RELEVANCE_SCORE=7.0  # Only high-quality contexts
-MAX_CONTEXTS=5           # Fewer contexts per query
-```
-
-### Manual Context Injection
-
-You can manually trigger context recall:
-
-```bash
-bash .claude/hooks/user-prompt-submit
-```
-
-## References
-
-- [Claude Code Hooks Documentation](https://docs.claude.com/claude-code/hooks)
-- [ClaudeTools API Documentation](.claude/API_SPEC.md)
-- [Database Schema](.claude/SCHEMA_CORE.md)
-
-## Support
-
-For issues or questions:
-1. Check troubleshooting section above
-2. Review API logs: `tail -f api/logs/app.log`
-3. Test with `scripts/test-context-recall.sh`
-4. Check hook output with `bash -x .claude/hooks/[hook-name]`

.claude/hooks/pre-bash-backslash.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Pre-tool hook: block Windows backslash paths in Bash commands.
+#
+# Blocks patterns like C:\Users\foo passed inside Bash command strings.
+# Enforces forward slashes: C:/Users/foo
+#
+# Why: Git Bash mangles backslash paths — C:\tmp writes to a different
+# directory than the Write tool's C:\tmp, causing stale payload bugs.
+
+input=$(cat)
+cmd=$(echo "$input" | jq -r '.tool_input.command // ""' 2>/dev/null)
+
+# Match a drive letter followed by a literal backslash in the command.
+# In the extracted command string (not JSON-escaped), backslash is just \.
+if echo "$cmd" | grep -qE '[A-Za-z]:\\[A-Za-z/\\]'; then
+    echo "BLOCKED: Use forward slashes for Windows paths in Bash commands."
+    echo ""
+    echo "  Wrong:   C:\\Users\\guru\\file.txt"
+    echo "  Correct: C:/Users/guru/file.txt"
+    echo ""
+    echo "Git Bash converts backslash paths unpredictably. PowerShell and Windows"
+    echo "APIs both accept forward slashes without issue."
+    exit 2
+fi
+
+exit 0

.claude/hooks/pre-bash-pwsh-script.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Pre-tool hook: block inline PowerShell, enforce .ps1 file approach.
+#
+# Blocks powershell.exe -Command and pwsh -Command / pwsh -c inline execution.
+# Forces: write a .ps1 file, then run pwsh -NoProfile -File script.ps1
+#
+# Why: Git Bash expands $_ and mangles quoting before PowerShell sees the
+# command. Inline execution fails 2-3 times before landing on the .ps1 approach.
+
+input=$(cat)
+cmd=$(echo "$input" | jq -r '.tool_input.command // ""' 2>/dev/null)
+
+# Match: (powershell[.exe] | pwsh) followed by -Command or -c (as a flag, not a filename)
+if echo "$cmd" | grep -qiE '^\s*(powershell(\.exe)?|pwsh)\s+(-Command|-c) ' || \
+   echo "$cmd" | grep -qiE '^\s*(powershell(\.exe)?|pwsh)\s+(-Command|-c)$'; then
+    echo "BLOCKED: Do not use powershell.exe or pwsh with inline -Command/-c arguments."
+    echo ""
+    echo "Git Bash mangles quoting and variable expansion before PowerShell sees the command."
+    echo ""
+    echo "Correct approach:"
+    echo "  1. Write the script using the Write tool to a .ps1 file"
+    echo "  2. Run: pwsh -NoProfile -File \"path/to/script.ps1\""
+    exit 2
+fi
+
+exit 0

.claude/machines/guru-beast-rog.md

@@ -1,7 +1,7 @@
 # Machine: GURU-BEAST-ROG
 
 **Hostname:** GURU-BEAST-ROG
-**Last Updated:** 2026-03-24
+**Last Updated:** 2026-04-26
 
 ---
 
@@ -22,10 +22,27 @@
 | Spec | Value |
 |------|-------|
 | OS | Windows 11 Pro (26200) |
-| Python | 3.x (installed) |
+| Python | 3.12.10 |
 | Node.js | v24.14.0 |
-| Ollama | v0.18.2 |
-| Git | Installed (Git for Windows) |
+| Ollama | v0.21.0 |
+| Git | 2.52.0.windows.1 |
+| jq | 1.8.1 |
+| sops | 3.12.2 |
+| age | installed (winget) |
+| 1Password CLI | 2.33.1 |
+| GrepAI | v0.35.0 (grepai.exe in repo root) |
+
+---
+
+## Ollama Models
+
+| Model | Size |
+|-------|------|
+| gemma3:27b | 17.4 GB |
+| qwen3:32b | 20.2 GB |
+| qwen3:14b | 9.3 GB |
+| codestral:22b | 12.6 GB |
+| nomic-embed-text | 0.3 GB |
 
 ---
 
@@ -33,8 +50,11 @@
 
 - **Working Directory:** C:\Users\guru\ClaudeTools
 - **User:** guru
-- **Shell:** bash (Git for Windows)
+- **Shell:** bash (Git for Windows / MINGW64)
 - **Git:** Configured for Gitea (git.azcomputerguru.com)
+- **Identity:** mike (identity.json configured)
+- **Vault:** C:/Users/guru/vault (SOPS + age, decryption working)
+- **OP_SERVICE_ACCOUNT_TOKEN:** configured in ~/.bashrc
 
 ---
 
@@ -43,20 +63,23 @@
 | Interface | Address |
 |-----------|---------|
 | Wi-Fi | 10.2.51.228 |
-| LAN (Local Area Connection) | 192.168.2.3 |
+| Tailscale | 100.101.122.4 |
 
 ---
 
 ## Capabilities
 
 - [x] Git operations
-- [x] SSH access to infrastructure
+- [ ] SSH access to infrastructure (key generated, not yet deployed to servers)
 - [x] GrepAI semantic search (watcher running)
-- [x] Ollama local AI (nomic-embed-text installed; qwen3:14b, codestral:22b pulling)
+- [x] Ollama local AI (5 models, GPU-accelerated)
 - [x] MCP servers configured (filesystem, sequential-thinking, grepai)
 - [x] NVIDIA RTX 4090 GPU (CUDA compute)
 - [x] Claude Code CLI
 - [x] Bypass permissions mode (settings.json configured)
+- [x] SOPS vault decryption
+- [x] 1Password CLI (service account)
+- [x] Tailscale
 
 ---
 
@@ -65,5 +88,5 @@
 - Powerhouse desktop -- best GPU and most RAM across all workstations
 - RTX 4090 does NOT have the GSP firmware bug that affects the 5070 Ti on Linux
 - OpenVPN Connect adapter present (VPN capable)
-- credentials.md present and populated
-- Settings.json has permissions.defaultMode: bypassPermissions
+- SSH pubkey: `~/.ssh/id_ed25519.pub` (ed25519, generated 2026-04-26) -- needs deployment to infra servers
+- No D: drive -- vault cloned to C:/Users/guru/vault (not D:/vault)

.claude/memory/MEMORY.md

@@ -1,27 +1,60 @@
-# Memory Index
-
-## Reference
-- [Community Forum (Flarum)](reference_community_forum.md) - Flarum forum at community.azcomputerguru.com, API access, database, posting workflow
-- [Radio Show Website](reference_radio_website.md) - Astro static site at radio.azcomputerguru.com on IX server
-- [IX Server SSH Access](reference_ix_server_ssh.md) - SSH access notes, no key auth from CachyOS workstation yet
-- [IX Access via Tailscale](reference_ix_access_tailscale.md) - IX server accessible with Tailscale on, no VPN needed
-- [Neptune Access via D2TESTNAS](reference_neptune_access_d2testnas.md) - Neptune must be routed through D2TESTNAS
-- [ACG-5070 Workstation](reference_workstation_setup.md) - Windows 11, replaced CachyOS. SOPS vault, Ollama, all dev tools.
-- [Matomo Analytics](reference_matomo_analytics.md) - Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites
-- [Dataforth Contact - AJ](reference_dataforth_contact.md) - AJ at Dataforth, dataforthgit@ email forwarding to him
-- [TickTick Integration](reference_ticktick_integration.md) - OAuth API integration, MCP server, SOPS vault creds, project/task CRUD
-
-## Feedback
-- [D2TESTNAS SSH Access](feedback_d2testnas_ssh.md) - Use root@192.168.0.9 with Paper123!@#, not sysadmin
-- [Bypass Permissions Setting](feedback_bypass_permissions_setting.md) - Set permissions.defaultMode to bypassPermissions in settings.json on all machines
-- [365 Remediation Tool](feedback_365_remediation_tool.md) - Always means Graph API app fabb3421, not CIPP
-
-## Machine
-- [ACG-5070 Workstation Setup](reference_workstation_setup.md) - Windows 11 Pro clean install 2026-03-30, replaced CachyOS. All tools installed.
-
-## Project
-- [Audio Processor Architecture](project_audio_processor_architecture.md) - Segment-first pipeline: detect breaks before transcription for complete content capture
-- [Neptune Email Routing Issues](project_email_routing_neptune.md) - Multiple clients (devcon, Sorensen/rieussetcorp) have email not routing properly from Neptune
-- [Neptune SBR Email Routing Setup](project_neptune_sbr_email_routing.md) - Full SBR routing chain, config file locations, MailProtector integration, access methods
-- [Dataforth Test Datasheet Pipeline](project_datasheet_pipeline.md) - Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
-- [Dataforth Security Incident](project_dataforth_incident_2026-03-27.md) - DF-JOEL2 compromised, MFA deployed, IC3 filed. CA policies enforce April 4.
+# Memory Index
+
+## Reference
+- [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) - **CRITICAL:** List endpoint (/invoices?customer_id=X) does NOT return ticket linkage. Must query individual invoices (/invoices/{number}) to get ticket_id field. Invoice numbers are strings. Use ticket ID (not number) for comparison. Real case: falsely reported 31 tickets had no invoices (actually 29 had invoices, 2 were Non-Billable).
+- [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) - General tools (remediation-tool, onboard scripts, MSP utilities): Howard can modify OR Claude can execute with Howard/Mike approval. Projects (GuruRMM, etc.): require Mike approval, features→roadmap, bugs→bug list.
+- [Community Forum (Flarum)](reference_community_forum.md) - Flarum forum at community.azcomputerguru.com, API access, database, posting workflow
+- [Radio Show Website](reference_radio_website.md) - Astro static site at radio.azcomputerguru.com on IX server
+- [IX Server SSH Access](reference_ix_server_ssh.md) - SSH access notes, no key auth from CachyOS workstation yet
+- [IX Access via Tailscale](reference_ix_access_tailscale.md) - IX server accessible with Tailscale on, no VPN needed
+- [Neptune Access via D2TESTNAS](reference_neptune_access_d2testnas.md) - Neptune must be routed through D2TESTNAS
+- [ACG-5070 Workstation](reference_workstation_setup.md) - Windows 11, replaced CachyOS. SOPS vault, Ollama, all dev tools.
+- [Matomo Analytics](reference_matomo_analytics.md) - Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites
+- [Dataforth Contact - AJ](reference_dataforth_contact.md) - AJ at Dataforth, dataforthgit@ email forwarding to him
+- [TickTick Integration](reference_ticktick_integration.md) - OAuth API integration, MCP server, SOPS vault creds, project/task CRUD
+- [Client Docs Structure](reference_client_docs_structure.md) - clients/<name>/docs/ layout (overview, network, servers, cloud, security, rmm, issues). Template at clients/_client_template/.
+- [MSP Audit Scripts](reference_msp_audit_scripts.md) - server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/. ScreenConnect 80-char rule.
+- [GuruRMM Server Layout](reference_gururmm_server.md) - SSH as `guru`, repo at /home/guru/gururmm, deploy to /var/www/gururmm/dashboard/
+- [GuruRMM API — run script on agent](reference_gururmm_api.md) - POST /api/agents/:id/command with command_type=powershell + command text; poll /api/commands/:id for stdout/stderr. Use instead of ScreenConnect copy-paste.
+- [Pluto Build Server](reference_pluto_build_server.md) - General-purpose Windows build VM, 172.16.3.36, SSH as Administrator, MSVC toolchain — use for any EXE (utilities, Howard's tools, GuruRMM agent)
+
+## Users
+- [Howard Enos](user_howard.md) — Mike's brother, technician, full trust/access. Known machine: ACG-TECH03L.
+
+## Feedback
+- [D2TESTNAS SSH Access](feedback_d2testnas_ssh.md) - Use root@192.168.0.9 with Paper123!@#, not sysadmin
+- [Bypass Permissions Setting](feedback_bypass_permissions_setting.md) - Set permissions.defaultMode to bypassPermissions in settings.json on all machines
+- [365 Remediation Tool](feedback_365_remediation_tool.md) - Always means Graph API app fabb3421, not CIPP
+- [Ollama Tier-0 Routing](feedback_ollama_tier0_routing.md) - Route drafts/summaries/classifications through Ollama (qwen3:14b). Mike designed ClaudeTools this way — not optional.
+- [/save writes narrative directly](feedback_save_no_ollama.md) — No Ollama for /save; write all sections inline — too slow
+- [Syncro Emergency Billing](feedback_syncro_emergency_billing.md) — Emergency = 1.5× multiplier, not additive. Branch by `customer.prepay_hours`: no-prepaid → `26184` at actual hrs; prepaid → `26118` at hrs×1.5. Never stack. Always set `price_retail`.
+- [Identity precedence](feedback_identity_precedence.md) — Trust `.claude/identity.json` over the system-reminder `userEmail` hint when they disagree (shared-login machines).
+- [1Password — always use service token](feedback_1password_service_token.md) — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every `op` call. Desktop-app integration prompts are unacceptable in agent flows.
+- [/tmp path mismatch on Windows](feedback_tmp_path_windows.md) — Write tool and Git Bash resolve `/tmp` to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl. Caused wrong-comment incident on Syncro #32225.
+- [Syncro — leave contact blank by default](feedback_syncro_blank_contact.md) — Default to blank contact ("Not Assigned") on tickets and billing for ALL customers. Blank lets Syncro use company-level email defaults; setting a contact may route to a secondary email and bypass distribution. Generalizes the prior Cascades-only rule per Winter 2026-05-04.
+- [Syncro — never set contact on Cascades tickets](feedback_syncro_cascades_contact.md) — Cascades-specific instance of the blank-contact rule above. Kept for the Meredith-defaulting incident detail.
+- [Syncro — use a billable labor type, never "Prepaid project labor"](feedback_syncro_labor_type.md) — Time entries must use in-shop / onsite / remote / web labor. "Prepaid project labor" is exempt and won't decrement prepay blocks. Default is Remote labor for typical support tickets. Winter caught this 2026-05-04.
+- [Syncro — log time entries first, never bare add_line_item](feedback_syncro_timer_first.md) — All Syncro work-time billing MUST go through `timer_entry → charge_timer_entry`. Bare `add_line_item` leaves Syncro time tracking at 00:00:00 and breaks reporting. Mike caught this on 2026-04-30 across 31 tickets; I repeated the bug on 2026-05-01 across 3 more.
+- [Syncro — timer_entry response is FLAT](feedback_syncro_timer_response_shape.md) — POST /tickets/{id}/timer_entry returns `{"id": N, ...}` directly, NOT `{"timer": {...}}`. Parse as `.id`. The skill doc's `.timer.id // .timer_entry.id` fallback always resolves to null and causes duplicate-timer retries. Hit on #32253 2026-05-05.
+- [Syncro — warranty has its own product, never patch dollar amounts](feedback_syncro_warranty_product.md) — Warranty/no-charge work uses product `1049360` (Labor- Warranty work, $0). Do NOT use Remote/Onsite + `billable: false` — Syncro silently overrides the flag. Do NOT patch `price_retail` to convert one labor product into another; pick the correct product and re-run. Hit on #32225 2026-05-06.
+- [SQL instance role — verify by connections, not name](feedback_sql_instance_role_by_connection.md) — Standard installed under default `SQLEXPRESS` instance name is real. Prove role with `sys.dm_exec_sessions` + `Get-NetTCPConnection -OwningProcess` before recommending stop/uninstall. IMC1 2026-05-05/06 near-miss.
+- [Syncro — confirm appointment owner explicitly](feedback_syncro_appointment_owner.md) — When creating tickets with appointments, always ask "who is the appointment owner?" in the preview. Don't auto-default to ticket's assigned tech. Don't add additional attendees without explicit confirmation. Howard caught on Kittle ticket #32263 2026-05-08.
+- [Clear-RecycleBin fails silently as SYSTEM](feedback_clear_recyclebin_system_context.md) — RMM-dispatched cleanup scripts cannot use `Clear-RecycleBin -Force`; the cmdlet uses Shell COM and silently no-ops without an interactive desktop. Enumerate `C:\$Recycle.Bin\<SID>\*` directly. Hit on ASSISTMAN-PC 2026-05-08.
+- [Cascades — ask security group on user creation](feedback_cascades_user_security_group.md) — When creating any Cascades user, always ask which security group(s) they go in. Deliberate per-user decision; an OU→group auto-mirror was explicitly declined 2026-05-14. OU = sync scope; group = access/CA decision.
+
+## Machine
+- [ACG-5070 Workstation Setup](reference_workstation_setup.md) - Windows 11 Pro clean install 2026-03-30, replaced CachyOS. All tools installed.
+
+## Pending Setup
+- [Mac gururmm setup pending](project_mac_gururmm_setup_pending.md) — ACTION REQUIRED: run `bash scripts/install-hooks.sh` in gururmm repo on Mikes-MacBook-Air before any RMM work
+
+## Project
+- [GuruRMM Development Principles](gururmm-development-principles.md) - MANDATORY: every feature needs full stack (backend, API, UI, docs, scalability). Product must work without AI agents (AI features are enhancements). Documented in guru-rmm/docs/DESIGN.md.
+- [Sync script bug — untracked files](project_sync_script_bug.md) — Flagged for Mike. `.claude/scripts/sync.sh` line 53 misses untracked-only changes; one-line fix included.
+- [MasterBooter Side Project](project_masterbooter.md) — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
+- [Audio Processor Architecture](project_audio_processor_architecture.md) - Segment-first pipeline: detect breaks before transcription for complete content capture
+- [Neptune Email Routing Issues](project_email_routing_neptune.md) - Multiple clients (devcon, Sorensen/rieussetcorp) have email not routing properly from Neptune
+- [Neptune SBR Email Routing Setup](project_neptune_sbr_email_routing.md) - Full SBR routing chain, config file locations, MailProtector integration, access methods
+- [Dataforth Test Datasheet Pipeline](project_datasheet_pipeline.md) - Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
+- [Dataforth Security Incident](project_dataforth_incident_2026-03-27.md) - DF-JOEL2 compromised, MFA deployed, IC3 filed. CA policies enforce April 4.
+- [Radio show co-host — Tara, not Tom](radio_show_no_cohost_named_tom.md) — Co-host in 2014-s6e19 and 2016-s8e43 is Tara. "Tom" was hallucinated; rename complete. Multiple co-hosts have rotated through the show.

.claude/memory/approval-workflow-tools-vs-projects.md

@@ -0,0 +1,83 @@
+# Approval Workflow: Tools vs Projects
+
+**Created:** 2026-04-29
+**Authority:** Mike Swanson (owner)
+**Context:** Cascades CA role gap fix discussion
+
+---
+
+## General Tools (Immediate Operational Changes)
+
+**Scope:**
+- remediation-tool skill and all subscripts
+- onboard-tenant.sh and MSP automation utilities
+- Backup scripts, sync scripts, operational tooling
+- Any utility designed to support field work
+
+**Approval Authority:**
+- **Howard Enos** can modify directly to further his work
+- **Claude** can execute changes with approval from **either** Howard **or** Mike
+- No roadmap process required
+- Changes go directly to implementation
+
+**Rationale:**
+Tools need to adapt quickly to field conditions. When a technician hits a blocker (like the CA role gap), the tool should be fixed immediately to unblock the work.
+
+---
+
+## Projects (Structured Development)
+
+**Scope:**
+- GuruRMM (Rust/Axum server + dashboard)
+- ClaudeTools API (FastAPI/MariaDB)
+- Radio show audio processor
+- Any larger software system with architectural complexity
+
+**Approval Authority:**
+- **Requires Mike Swanson approval** for changes
+- Feature requests → add to project roadmap
+- Bugs → add to project bug list
+- More structured development workflow with planning
+
+**Rationale:**
+Projects need architectural oversight, version planning, and consideration of downstream impacts. Changes follow formal development process.
+
+---
+
+## Examples
+
+### Tool Fix (Approved Immediately)
+- **Scenario:** Howard discovers Tenant Admin SP lacks CA Administrator role in newly onboarded tenant
+- **Action:** Fix onboard-tenant.sh to assign the role automatically
+- **Approval:** Mike approved in conversation; Howard could have approved directly
+- **Process:** Implement immediately, test, commit
+
+### Project Feature (Roadmap)
+- **Scenario:** Howard wants GuruRMM to add automatic Windows patching workflow
+- **Action:** Add to GuruRMM roadmap with priority and scope notes
+- **Approval:** Mike reviews roadmap quarterly, prioritizes features
+- **Process:** Design → approval → sprint planning → implementation
+
+### Project Bug (Bug List)
+- **Scenario:** GuruRMM dashboard doesn't refresh agent status automatically
+- **Action:** Add to GuruRMM bug list with severity and reproduction steps
+- **Approval:** Mike reviews bug list, assigns priority
+- **Process:** Triage → fix → test → deploy
+
+---
+
+## When Unclear
+
+**If in doubt about tool vs project:**
+- Tools are utilities that **support** the work
+- Projects are systems that **are** the work
+
+**If in doubt about approval:**
+- Operational blocker in the field → tool fix, proceed with available approval
+- Enhancement or new capability → ask Mike first
+- Security or credential handling → always confirm with Mike
+
+---
+
+**Status:** Active policy
+**Last Updated:** 2026-04-29

.claude/memory/feedback_1password_service_token.md

@@ -0,0 +1,26 @@
+---
+name: 1Password — always use service account token
+description: Use the SOPS-vaulted OP_SERVICE_ACCOUNT_TOKEN for all op CLI calls; the desktop-app integration prompts are unacceptable in agent flows
+type: feedback
+---
+
+For every `op` CLI invocation, source `OP_SERVICE_ACCOUNT_TOKEN` from `infrastructure/1password-service-account.sops.yaml` first. Without it, `op` falls back to the desktop-app integration which interrupts the workflow with "unlock the app" prompts.
+
+**Why:** Mike confirmed 2026-04-30 — "the prompts are infuriating." Service account auth is the standard CI/agent pattern documented in the 1password skill but I had been defaulting to the desktop session.
+
+**How to apply:**
+```bash
+SVC_TOKEN=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null \
+  | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
+
+# Pass through env var to every op call
+OP_SERVICE_ACCOUNT_TOKEN="$SVC_TOKEN" op item get ...
+# Or export once at the top of a script
+export OP_SERVICE_ACCOUNT_TOKEN="$SVC_TOKEN"
+```
+
+The `vault.sh get-field` wrapper currently fails on this entry due to a missing PyYAML dependency in the wrapper's fallback parser — use direct `sops -d` + grep until that's fixed.
+
+**Vaults the service account can see** (per 2026-04-30 test): Clients, Infrastructure, Internal Sites, Managed Websites, MSP Tools, Projects, Sorting. (The Private vault is intentionally not shared with the service account.)
+
+**When to skip:** Never. If the desktop session also happens to be authed, that's fine, but the service token path must be the one the agent reaches for.

.claude/memory/feedback_365_remediation_tool.md

@@ -10,6 +10,8 @@ When user says "365 remediation tool" or "remediation tool", they ALWAYS mean th
 
 **How to apply:** Authenticate directly via Graph API using the app's client secret from SOPS vault (`msp-tools/claude-msp-access-graph-api.sops.yaml`), get tenant ID from OpenID discovery for the target domain, and query Graph API endpoints directly. No browser/UI needed.
 
+**Preferred invocation: use the `/remediation-tool` skill** (`.claude/skills/remediation-tool/`, also surfaces as a `/remediation-tool` command). It wraps tenant resolution, token caching, the 10-point user breach check, and tenant-wide sweep. Remediation actions are gated behind explicit `YES` confirmation. Reference docs at `references/gotchas.md`, `references/graph-endpoints.md`, `references/checklist.md`.
+
 ### Directory Role Requirements (discovered 2026-04-01)
 
 Graph API permissions alone are NOT sufficient for privileged operations. The service principal also needs Entra directory roles assigned per-tenant:

.claude/memory/feedback_cascades_user_security_group.md

@@ -0,0 +1,12 @@
+---
+name: cascades-user-security-group
+description: When creating or adding any Cascades user, always ask which security group(s) the account goes into — deliberate decision, never auto-derived from OU
+metadata:
+  type: feedback
+---
+
+When creating, or being asked to create, any Cascades user account (AD or M365), always ask the user **which security group(s)** the new account should be a member of. Include it explicitly in the creation preview/confirmation alongside name, UPN, and OU — do not assume it from the OU, department, or job title.
+
+**Why:** Howard explicitly declined an `OU=Caregivers` -> `SG-Caregivers` auto-mirror script (2026-05-14). Security-group membership controls what access and Conditional Access policies apply to a user; he wants that to stay a deliberate, reviewed decision per user, not automated away. OU placement is mechanical (it controls Entra Connect sync scope); group membership is an access-control decision and must be made consciously.
+
+**How to apply:** During any Cascades user-creation flow, ask "which security group(s)?" and confirm it in the preview. For caregivers specifically: the account goes in `OU=Caregivers` (for sync scope) AND must be deliberately added to `SG-Caregivers` (for CA policy coverage) — two separate, intentional steps, neither auto-derived from the other.

.claude/memory/feedback_clear_recyclebin_system_context.md

@@ -0,0 +1,13 @@
+---
+name: Clear-RecycleBin fails silently as SYSTEM
+description: Clear-RecycleBin -Force is a no-op when invoked from a SYSTEM-context process (RMM agents, scheduled tasks running as LocalSystem). Returns success but reclaims nothing. Use direct enumeration of C:\$Recycle.Bin\<SID> instead.
+type: feedback
+---
+
+`Clear-RecycleBin -Force` returns silently without erroring when called from a process that has no interactive desktop session — i.e. SYSTEM-context contexts like the GuruRMM agent, Datto RMM agent, scheduled tasks running as LocalSystem, or any service. The cmdlet wraps the Shell COM `IFileOperation` API which requires an interactive Shell; SYSTEM has none, so the call exits as a no-op. No exception, no warning, no event log entry. The folder size before and after is identical.
+
+**Why:** Hit during ASSISTMAN-PC cleanup 2026-05-08 (Cascades). First cleanup pass reported "Recycle Bin status=cleared" but `Get-FolderSizeMB` showed 12,272 MB before and 12,272 MB after. 12 GB of reclaimable space sitting untouched.
+
+**How to apply:** When writing temp-file / cleanup scripts that will be dispatched via an RMM (GuruRMM, Datto RMM, ScreenConnect Backstage, scheduled tasks as SYSTEM), do not use `Clear-RecycleBin`. Instead enumerate `C:\$Recycle.Bin\<SID>\*` directly across each user SID folder and `Remove-Item -Recurse -Force` on each child, skipping `desktop.ini`. Working pattern saved at `C:\Users\Howard\AppData\Local\Temp\assistman-rb-clean.ps1` (and embedded in the 2026-05-08 ASSISTMAN-PC session log).
+
+If the script needs to run in either context (interactive *or* SYSTEM), still prefer direct enumeration — it works in both, while `Clear-RecycleBin` only works in interactive sessions. One code path, no branching.

.claude/memory/feedback_complete_vault_operations_end_to_end.md

@@ -0,0 +1,20 @@
+---
+name: Complete vault operations end-to-end (don't hand off the commit/push)
+description: When writing a new entry to D:/vault, do the full sequence (write plaintext → sops -e -i → git add/commit/push) yourself. Don't stop at "encrypted on disk, you push it."
+type: feedback
+---
+
+When the user asks to vault a credential or any new vault entry, complete the entire operation in one flow:
+
+1. Write the plaintext yaml to `D:/vault/<path>.sops.yaml`
+2. `sops -e -i <path>` to encrypt in place
+3. Verify round-trip (`vault.sh get` shows correct decrypted output)
+4. `git add` + `git commit` + `git push` from `D:/vault` via the Bash tool
+
+**Why:** Howard explicitly flagged on 2026-04-29 that he doesn't understand why I'd hand off the trivial last-mile step. He has bash via Git for Windows but invokes from PowerShell, so a "run this bash one-liner" handoff costs him a context switch — and there's no privilege/risk reason to stop at "encrypted on disk." Pushing a clean SOPS-encrypted vault entry is routine, not destructive.
+
+**How to apply:**
+- Just push. Trust the encrypted blob, the round-trip verify, and the standard git workflow.
+- If `git push` fails (auth, conflict, etc.), surface the error and ask — that's a real handoff. But "I created the file, you push it" is unnecessary friction.
+- The LF→CRLF warning on Windows is benign for SOPS yaml — line endings on the yaml file don't affect SOPS integrity (the MAC covers values inside `ENC[...]` blobs and structural data). Don't surface it as a problem.
+- Same principle applies to commits in the claudetools repo when I'm done with a discrete unit of work — don't park "you should /scc this" as a task; just do it (unless the user has explicitly said wait).

.claude/memory/feedback_graph_ca_policy_eventual_consistency.md

@@ -0,0 +1,17 @@
+---
+name: Microsoft Graph CA policy reads are eventually consistent (~5s)
+description: After PATCHing a CA policy (204 No Content), an immediate GET may return stale state. Wait ~5 seconds before verifying.
+type: feedback
+---
+
+When PATCHing `/identity/conditionalAccess/policies/{id}` and immediately re-reading via GET, the read may return pre-PATCH state for a few seconds even though the PATCH was accepted (204).
+
+Observed 2026-04-29 during the Cascades admin@ exclusion backfill: 7 of 8 PATCHes returned 204, but immediate verify GETs showed the old `excludeUsers` list. Re-query after `sleep 5` showed all 8 had landed correctly. No retries were needed — the PATCH had succeeded; only the read lagged.
+
+**Why:** Microsoft Graph fronts CA policy reads through a regional cache that doesn't immediately reflect writes. Writes hit the authoritative store and return 204 right away. Reads converge after a short propagation window.
+
+**How to apply:**
+- After a CA policy PATCH that returns 204, do not treat an immediate "verify mismatch" as failure.
+- Insert `sleep 3-5` (or a poll loop with a few seconds of backoff) before the verify GET.
+- If verifying many policies in a batch, the simplest pattern is: do all PATCHes, sleep 5, then re-query everything once at the end.
+- This applies to CA policies specifically. Other Graph endpoints (e.g., users, groups) have their own consistency characteristics — don't generalize.

.claude/memory/feedback_graph_password_reset_requires_role.md

@@ -0,0 +1,17 @@
+---
+name: Tenant Admin SP cannot PATCH-reset existing user passwords (app perms ≠ enough)
+description: With User.ReadWrite.All app perm + no privileged directory role, Tenant Admin can CREATE a user with a password but PATCH passwordProfile on an existing user returns 403 Authorization_RequestDenied.
+type: feedback
+---
+
+The ComputerGuru Tenant Admin SP (`709e6eed-0711-4875-9c44-2d3518c47063`) can create users with `passwordProfile.password` set, but cannot **reset** the password on an existing user via PATCH `/users/{id}` — returns 403 `Authorization_RequestDenied: Insufficient privileges`.
+
+Observed 2026-04-29 in Cascades when trying to reset `pilot.test@cascadestucson.com` after the password was lost in script flow control.
+
+**Why:** Microsoft Graph's password reset endpoint requires the caller to hold a privileged directory role (Authentication Administrator, User Administrator, or stronger), in addition to `User.ReadWrite.All` app permission. App permission alone is insufficient. Tenant Admin SP currently has Application Administrator + Cloud Application Administrator + Conditional Access Administrator — none of which grant password-reset rights. The CREATE flow is permitted under `User.ReadWrite.All` because the password is part of the create payload, not a reset.
+
+**How to apply:**
+- For new pilot/test users: print the password BEFORE doing any subsequent API call, so a flow-control failure later doesn't lose it.
+- If a password rotation is needed for an existing pilot/test user: delete + recreate (cleanest), OR have a human use admin@/sysadmin@ via the portal, OR use the ComputerGuru User Manager app (separate tier with dedicated `User-PasswordProfile.ReadWrite.All` scope, designed for this).
+- **Don't** add Authentication Administrator or User Administrator to Tenant Admin SP just to fix this — that broadens its blast radius unnecessarily. The User Manager app is the right tool for password operations; Tenant Admin should stay focused on directory + CA work.
+- Hard-delete a freshly-created user via DELETE `/users/{id}` — the recycle bin endpoint `/directory/deletedItems/{id}` may 404 if the user wasn't soft-deleted (depends on tenant settings + age).

.claude/memory/feedback_identity_precedence.md

@@ -0,0 +1,11 @@
+---
+name: identity.json beats userEmail hint
+description: When .claude/identity.json and system-reminder userEmail disagree, trust identity.json — it's the per-machine source of truth
+type: feedback
+---
+
+When the system-reminder context claims `userEmail = mike@azcomputerguru.com` but `.claude/identity.json` says `howard`, trust identity.json. The userEmail comes from global Claude Code config (Mike set up the login on both machines under his account); identity.json is the per-machine, gitignored file that records who actually sits at this keyboard.
+
+**Why:** On 2026-04-23 I addressed Howard as "Mike" because the claudeMd/userEmail context said so. Howard corrected me. The CLAUDE.md onboarding flow explicitly defines identity.json as the authoritative local identity.
+
+**How to apply:** At every session start, read `.claude/identity.json` FIRST (as CLAUDE.md step 1 requires) and greet from that file's `full_name`. Ignore the `# userEmail` context block for greeting purposes. If identity.json is missing, follow the first-machine bootstrap flow in CLAUDE.md — don't fall back to userEmail.

.claude/memory/feedback_ollama_tier0_routing.md

@@ -0,0 +1,46 @@
+---
+name: Route Tier-0 tasks through Ollama (Mike's ClaudeTools design intent)
+description: Drafts, summaries, classifications, extractions MUST go through Ollama per Mike's tiered-model architecture. Don't default to Claude inference for low-stakes text generation.
+type: feedback
+---
+
+Route Tier-0 tasks (summaries, classifications, drafts, extractions) through Ollama. Not optional — this is how Mike designed ClaudeTools to work.
+
+**Why:** Mike built the tiered-model architecture (`CLAUDE.md` Model Routing section + `.claude/OLLAMA.md`) deliberately. Tier 0 is free + fast + private. Defaulting to Claude for every drafting task burns context window and Anthropic tokens on work that qwen3:14b does fine.
+
+**How to apply:**
+- Drafting emails, session-log paragraphs, status-update sentences, commit-message first-drafts → qwen3:14b
+- Summarizing long output (Graph JSON, PowerShell transcripts, log tails) → qwen3:14b
+- Extracting structured data from text → qwen3:14b
+- Suggesting refactors / generating docstrings → codestral:22b (then review)
+- NEVER for: auth decisions, credential handling, production migrations, security review, citation work, production-change scripts
+
+**Endpoint resolution (updated 2026-04-22 in `.claude/OLLAMA.md`):**
+```bash
+if curl -s -m 2 http://localhost:11434/api/tags >/dev/null 2>&1; then
+    OLLAMA="http://localhost:11434"
+else
+    OLLAMA="http://100.92.127.64:11434"
+fi
+```
+
+HOWARD-HOME has the canonical models loaded locally (qwen3:14b, codestral:22b, nomic-embed-text, plus bonus qwen3-coder:30b) — so HOWARD-HOME uses local Ollama, not Mike's. Zero Tailscale hop.
+
+**Call pattern for qwen3 — use `/api/chat` with `think:false`**, NOT `/api/generate`. qwen3 on generate endpoint dumps reasoning into internal thinking tokens and returns empty `response` field. Chat endpoint with `think:false` returns clean content in `message.content`:
+
+```python
+body = json.dumps({
+  'model':'qwen3:14b',
+  'messages':[{'role':'user','content': prompt}],
+  'stream':False,
+  'think':False
+}).encode()
+# POST to OLLAMA + '/api/chat'
+# Read res['message']['content']
+```
+
+Codestral doesn't need `think:false` — just use it on `/api/chat` normally.
+
+Cold-start ~30-50s on first call per model per session; warm calls 1-5s.
+
+**Incident 2026-04-22:** Spent an entire Cascades rollout session (G1 hygiene, orphan cleanup, risk register, synology discovery, etc.) without routing a single task through Ollama despite many drafting opportunities (report drafts, summary text, email drafts). Howard called this out: "just make sure ollama is being used as mike has designed claudetools to work."

.claude/memory/feedback_save_no_ollama.md

@@ -0,0 +1,11 @@
+---
+name: /save writes narrative directly — no Ollama
+description: Claude writes all /save session log sections directly; Ollama removed from save workflow
+type: feedback
+---
+
+Do NOT use Ollama for /save session log narrative sections (Session Summary, Key Decisions, Problems Encountered). Write them directly. Ollama takes too long.
+
+**Why:** User explicitly removed Ollama from the /save documentation role on 2026-05-12 — the Ollama round-trip added unacceptable latency to every /save.
+
+**How to apply:** On every /save invocation, write all narrative sections yourself inline. Do not curl Ollama, do not write a prompt file, do not spawn a py subprocess. Ollama is still available for other prose tasks (commit messages, ticket comments, client notes) but not /save.

.claude/memory/feedback_sql_instance_role_by_connection.md

@@ -0,0 +1,19 @@
+---
+name: SQL instance role — verify by active connections, never by name
+description: Before recommending stop/uninstall of any SQL Server instance, prove its role with sys.dm_exec_sessions + Get-NetTCPConnection. Instance names lie when Standard is installed under the default Express name.
+type: feedback
+---
+
+When investigating a multi-instance SQL Server box, **identify each instance's actual role by querying active connections** — never trust the instance name alone.
+
+**Why:** On 2026-05-05 at IMC1, the named instance `MSSQL$AIMSQL` was assumed to be the production AIM database, with `MSSQL$SQLEXPRESS` flagged as a leftover for shutdown. Re-enumeration on 2026-05-06 reversed both: SQLEXPRESS is the **live production AIM instance** (SQL 2019 Standard installed under the default `SQLEXPRESS` instance name and never renamed — `SERVERPROPERTY('Edition')` proved Standard, not Express). AIMSQL is the actual orphan with only 2023-era conversion-test DBs. The "shut down SQLEXPRESS" recommendation in the Note for Mike, if acted on, would have killed the entire store (every register, repair workstation, lessons workstation, and the C2B credit module). A scheduled `Restart-Service MSSQL$AIMSQL` ran the wrong instance and did nothing for the user-facing error, which then recurred 9 hours later.
+
+**How to apply:** Before recommending any change to a SQL instance — stop, uninstall, cap memory, restart cadence, anything — run this minimum enumeration on each instance you're considering:
+
+1. `sqlcmd -S .\<instance> -E -d master -Q "SELECT SERVERPROPERTY('Edition'), SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('InstanceName')"` — proves edition vs name
+2. `Get-NetTCPConnection -OwningProcess <pid> -State Established` — shows every IP currently talking to it
+3. `SELECT login_name, host_name, program_name, client_net_address, DB_NAME(database_id) FROM sys.dm_exec_sessions WHERE is_user_process = 1` — names the apps and machines
+4. `SELECT name, create_date FROM sys.databases` — distinguishes live DBs from legacy/test artifacts
+5. Tail the ERRORLOG — recent login traces confirm who connects when no one is connected at the moment you check
+
+If `Established` connection count is zero AND `is_user_process=1` sessions are zero AND ERRORLOG has no recent login activity, the instance is a real orphan. Anything else: leave it alone or get explicit confirmation from the customer's app owner before touching it. Especially watch for the Standard-installed-as-SQLEXPRESS pattern — common when an MSP migrates from Express to Standard in place and keeps the original instance name.

.claude/memory/feedback_syncro_appointment_owner.md

@@ -0,0 +1,40 @@
+---
+name: Syncro — confirm appointment owner explicitly when creating tickets with appointments
+description: When creating Syncro tickets that include an appointment, always ask "who is the appointment owner?" before posting. Don't auto-default to the ticket's assigned tech, and distinguish owner from additional attendees.
+type: feedback
+---
+
+**Rule:** When creating a Syncro ticket that includes an appointment (Onsite, Remote, Phone Call, etc.), explicitly **ask the user who the appointment owner is** in the preview phase. Do not assume the appointment owner equals the ticket's assigned tech, and do not silently add other techs as attendees.
+
+**Why:** The appointment owner is the person whose calendar the appointment lands on as the primary entry — they are the one accountable for being there. Additional `user_ids` in the appointment payload only add the entry to other techs' calendars as secondary/visible items, which clutters their schedule and creates ambiguity about who is actually on the hook for the visit. Howard caught this on 2026-05-08 after a ticket creation where I added the assigned tech to `user_ids` without confirming whether they should be the owner versus an attendee.
+
+**How to apply:**
+
+In the ticket creation preview (Step 3 of the ticket creation workflow), present the appointment block with the OWNER as a separate, explicit field — not buried as an inferred default. Example preview format:
+
+```
+APPOINTMENT
+-----------
+Type:               Onsite
+Owner:              <ASK USER — who's calendar should this be on?>
+Additional attendees: (optional, leave blank unless explicitly added)
+Start:              <start_at>
+End:                <end_at>
+Location:           <blank or override>
+```
+
+In the API payload, the appointment owner is the FIRST or PRIMARY entry in `user_ids`. Confirm:
+
+- The owner is the person actually attending the appointment (or the lead tech if multiple).
+- If the user wants ONLY the owner with no co-attendees, `user_ids` should contain ONE id only.
+- If the user wants additional attendees (e.g., "Mike will join remote, Howard onsite"), add them only after explicit confirmation in the preview.
+
+**What NOT to do:**
+
+- Do NOT auto-add the ticket's `user_id` (assigned tech) as the appointment owner without asking.
+- Do NOT add additional attendees to `user_ids` without explicit user direction.
+- Do NOT treat appointment owner as a passive inheritance from the ticket — surface it as an active confirmation field in the preview.
+
+**Trigger context:**
+
+Howard created the Kittle Design ticket (#32263) on 2026-05-08 for an 11:30 AM onsite to set up Joshua. I auto-added Howard's `user_id` to the appointment's `user_ids` array without confirming whether Howard was the owner or just an attendee. Howard flagged: "when setting up an appointment confirm the appointment owner — don't just add additional attendees." Save as a rule for syncro ticket creation.

.claude/memory/feedback_syncro_blank_contact.md

@@ -0,0 +1,19 @@
+---
+name: Syncro — leave contact blank by default on tickets and billing
+description: When creating Syncro tickets or billing them out, leave the contact field blank ("Not Assigned") in most cases. Blank contact lets Syncro use the company-level defaults for notifications and email routing. Setting a specific contact can route to a secondary email and bypass the customer's intended distribution.
+type: feedback
+---
+
+**Rule:** When creating or billing Syncro tickets, leave `contact_id` / `contact_name` / `contact_email` blank ("Not Assigned") by default for any customer. Only set a contact when there's an explicit, deliberate reason to (e.g., user explicitly says "set the contact to X").
+
+**Why:** Winter clarified on 2026-05-04: blank contact lets Syncro apply the **company-level email defaults** for the account — those defaults route notifications to the right people. Setting a specific contact overrides that and may push notifications to a secondary email address belonging to that contact, bypassing the customer's intended distribution. This was originally flagged for Cascades of Tucson (where Meredith was being incorrectly auto-selected), but Winter generalized it: the rule applies to most customers.
+
+**How to apply:**
+
+- **Creating a ticket** (POST `/tickets`): Omit `contact_id` from the body entirely. Do not pull contacts via `GET /customers/{id}` and pick one — let Syncro use the company defaults.
+- **Editing a ticket** (PUT `/tickets/{id}`): Send only the fields you're changing (`status`, `priority`, etc.). Never include `contact_id`, `contact_name`, or `contact_email` in the body, even matching the existing value. PUT can re-apply the record; safest is to never reference contact in any write payload.
+- **Billing / invoices**: Same rule on the invoice creation side. If `contact_id` shows up in any payload, drop it.
+- **When to set a contact anyway:** Only if the user explicitly directs you to ("set Mike as the contact on this one") OR there's a documented per-customer instruction that overrides the default. Default is always blank.
+- **Verify after any write:** `GET /tickets/{id}` and confirm `.ticket.contact_id` is `null`. If you find it set, blank it explicitly: `PUT /tickets/{id}` with `{"contact_id": null}`.
+
+**Generalizes from:** the prior Cascades-specific guidance (originally `feedback_syncro_cascades_contact.md`). Winter's 2026-05-04 message broadened the scope from "Cascades only" to "most customers."

.claude/memory/feedback_syncro_cascades_contact.md

@@ -0,0 +1,19 @@
+---
+name: Syncro — never set contact on Cascades tickets
+description: When creating or editing Syncro tickets for Cascades of Tucson, do NOT set the contact field. Leave it blank. Syncro defaults blank-contact tickets to the correct distribution emails; setting a specific contact (e.g. Meredith) overrides that and breaks notifications.
+type: feedback
+---
+
+When creating or editing Syncro tickets for **Cascades of Tucson** (customer_id 20149445), the `contact_id` / `contact_name` / `contact_email` fields MUST be left blank/untouched.
+
+**Why:** Cascades has a default email distribution behavior on tickets with no contact set — Syncro routes ticket notifications to the correct group of email accounts when contact is null. If contact is set to a specific person (Meredith Kuhn has been the recurring incorrect default), notifications go to that one person only and the rest of the distribution is bypassed. This breaks the customer's expected ticket-notification flow.
+
+**How to apply:**
+
+- **Creating a Cascades ticket:** Omit `contact_id` from the POST body entirely. Do not pull contacts via `GET /customers/{id}` and pick one. Let Syncro handle it.
+- **Editing a Cascades ticket via PUT:** Send only the fields you actually want to change (`status`, `priority`, etc.). Never include `contact_id`, `contact_name`, or `contact_email` in the body — even with a value matching the existing one. Some PUT semantics re-apply the whole record; the safest pattern is to never reference the contact field at all in PUT payloads.
+- **Verifying after any write:** `GET /tickets/{id}` and confirm `.ticket.contact_id` is `null`. If you find it set, blank it explicitly: `PUT /tickets/{id}` with `{"contact_id": null}`.
+
+**Open question:** This may apply to other customers too — Howard called it out specifically for Cascades. If a similar complaint surfaces about another customer, generalize the rule. For now, it is a Cascades-specific guard.
+
+**Verified clean on 2026-05-01:** ticket #32214 contact_id was null after billing session (PUT bodies only included `status`). The risk is real on the next ticket-edit workflow if defaults aren't held.

.claude/memory/feedback_syncro_emergency_billing.md

@@ -0,0 +1,23 @@
+---
+name: Syncro emergency/after-hours billing — check prepay_hours first
+description: Emergency labor is 1.5× multiplier, not additive. Branch by customer.prepay_hours — wrong branch doubles or undercharges. Applies to every /syncro bill for emergency work.
+type: feedback
+---
+
+**Rule:** Before adding any Emergency/after-hours labor line item on a Syncro ticket, `GET /customers/<id>` and read `prepay_hours`.
+
+- If `prepay_hours == 0` (no prepaid block): use product `26184` (Labor - Emergency/After Hours) at quantity = actual hours. The $262.50/hr rate already has the 1.5× multiplier baked in.
+- If `prepay_hours > 0` (customer has a prepaid block): use product `26118` (Labor - Onsite) at quantity = actual hours × 1.5. Prepaid blocks debit by QUANTITY, not dollars, so we bump qty instead of swapping to the Emergency product.
+
+Never stack `26118` + `26184` for the same hour of work. Pick one path based on the prepaid state.
+
+**Why:** Learned on ticket #32203 (Desert Auto Tech) 2026-04-23. Howard asked to bill "1 hour onsite + 1 hour emergency onsite." I posted both as separate additive line items and the invoice came out at $437.50 when the correct bill for 1 actual hour of emergency work was $262.50. Winter caught it and explained the rule: "the goal is to have it bill at time and a half." The Emergency product = time-and-a-half by rate; prepaid accounts = time-and-a-half by quantity. Swapping products AND multiplying quantity double-counts.
+
+**How to apply:**
+- Every `/syncro bill` for emergency/after-hours work: check `prepay_hours` BEFORE choosing the product. Do not shortcut this.
+- For a 2-hour emergency job:
+  - Non-prepaid customer → one line, 2.0 hrs × `26184` → $525.00
+  - Prepaid customer → one line, 3.0 hrs × `26118` → 3 hours debit from block
+- Always set `price_retail` explicitly on `add_line_item`. The old "omit and let Syncro auto-calc" guidance was wrong — the rate does not populate from the product config, and the invoice will post at $0 if `price_retail` is missing. Fetch the current rate with `GET /products/<id>`.
+- Never let a customer-facing invoice post without verifying `.invoice.total` matches the expected `qty × price_retail`.
+- Full rules and examples live in `.claude/commands/syncro.md` under the "Labor product IDs" section.

.claude/memory/feedback_syncro_labor_type.md

@@ -0,0 +1,24 @@
+---
+name: Syncro — use a billable labor type (in-shop / onsite / remote / web), never "Prepaid project labor"
+description: When creating Syncro time entries, the labor type / product on the entry MUST be one of in-shop, onsite, remote, or web labor. "Prepaid project labor" is an exempt labor type and will NOT draw down a customer's prepay block — using it silently breaks block-hour accounting.
+type: feedback
+---
+
+**Rule:** Time entries on Syncro tickets must use a billable labor product matching the work delivery channel: **in-shop**, **onsite**, **remote**, or **web labor**. Do NOT use **"Prepaid project labor"** as the labor type for normal work.
+
+**Why:** Winter caught me on 2026-05-04 using "Prepaid project labor" by default. That product is **exempt** — it does not consume hours from a customer's prepaid block. So even if the ticket is for a prepay customer and looks billed correctly on the invoice, the block balance never decrements. Block-hour accounting silently drifts. Only the four non-exempt labor types (in-shop / onsite / remote / web) burn block time as intended.
+
+**How to apply:**
+
+- **Picking labor type:** Match it to how the work was actually delivered:
+  - **Remote labor** — work done over remote tools (RDP, Splashtop, ScreenConnect, phone-only support, scripts). This will be the most common pick.
+  - **Onsite labor** — work done at the client's physical location.
+  - **In-shop labor** — hardware brought to ACG's office for repair/build.
+  - **Web labor** — purely cloud/portal work (Microsoft 365 admin center, Entra, Cloudflare, etc.) where there's no remote-into-a-machine component. (Confirm with Winter if this distinction matters in your situation — sometimes "remote" is the right pick even for cloud work.)
+- **Resolving the product_id:** Use `GET /products?search=remote+labor` (etc.) to pull the right product_id for the labor type, then pass that as `product_id` on the `timer_entry` POST.
+- **Never default to "Prepaid project labor"** unless explicitly directed. If you find an existing entry with that product on a normal billable ticket, flag it — Winter (or whoever) will need to retroactively switch the labor type so the block decrement actually posts.
+- **Verifying:** After billing, check that the customer's prepay block balance dropped by the expected number of hours. If it didn't, the labor type was wrong.
+
+**Real-world incident — 2026-05-04:** Tickets I created on this date used "Prepaid project labor" as the auto-selected labor type. Winter is fixing them retroactively. Going forward, default to `Remote labor` for the typical remote-support ticket, then adjust per delivery channel.
+
+**Where this lands in skill code:** `.claude/commands/syncro.md` and the `syncro` skill workflow examples need to make labor-type selection an explicit step in the timer_entry workflow, not a silent default.

.claude/memory/feedback_syncro_timer_first.md

@@ -0,0 +1,31 @@
+---
+name: Syncro — log time entries first, never bare add_line_item
+description: All Syncro tickets must have a Syncro time entry recorded for any work done. Use timer_entry + charge_timer_entry to bill, NOT bare add_line_item. Bare add_line_item leaves Syncro time tracking at 00:00:00 and breaks reporting (hours per client, tech productivity, prepay burn rate). This applies even to warranty/free work; only cancelled tickets are exempt.
+type: feedback
+---
+
+**Rule:** When billing a Syncro ticket, the workflow MUST be:
+
+1. Do the work.
+2. POST `/tickets/{id}/timer_entry` with `start_at`, `end_at`, `billable`, `product_id`, `notes`. This records hours in Syncro's time-tracking system.
+3. POST `/tickets/{id}/charge_timer_entry` with `{"timer_entry_id": N}` to convert the timer into a billable line item on the ticket.
+4. POST `/invoices` to roll the line item onto a customer invoice.
+5. PUT ticket status as needed.
+
+**Why:** Syncro's reporting (hours per client, technician productivity, average resolution time, prepay burn rates) is built on the **time-entries** table, not on invoice line items. If we use bare `add_line_item` and type hours into the description ("Applied 1.5 Prepay Hours"), the invoice posts but Syncro's time tracking shows `00:00:00`. We lose all reporting visibility on actual work performed.
+
+**How to apply:**
+
+- **Default billing path:** `timer_entry → charge_timer_entry → invoice`. Always.
+- **Bare `add_line_item` is NOT a default option.** Only acceptable when there is genuinely no time component to bill — e.g. selling a hardware product or a flat-fee service with zero labor. For any work-time billing, use the timer path.
+- **Even warranty/free work needs a time entry.** Set `billable: false` (or appropriate type) on the timer entry. Time still records, just doesn't generate a paid line item.
+- **Only cancelled tickets are exempt** from time entries.
+
+**Real-world incident — 2026-04-30:** Mike audited 31 closed tickets and found ALL 31 had `00:00:00` in Syncro time tracking. 29 had proper invoices with revenue captured correctly, but the underlying time data was bypassed entirely. Examples: #32156 (Cascades) "Applied 8.0 Prepay Hours" — should have been an 8.0 hr time entry. #32218 (Instrumental) "Applied 1.5 Prepay Hours" — should have been a 1.5 hr time entry.
+
+**Repeat incident — 2026-05-01:** I (Claude, Howard's session) billed three tickets the same broken way (#32225 Sombra $525, #32229 Mineralogical Record $262.50, #32214 Cascades $0 prepaid). Winter retroactively added time entries to fix them. The skill examples need to be updated to make timer-first the default, and that's tracked in the syncro skill rewrite work.
+
+**Where the fix needs to land:**
+- `.claude/commands/syncro.md` — promote the timer-entry workflow to be the documented default. Demote `add_line_item` to a clearly-labeled fallback for non-time work only. Every example in the "Billing workflow" section should use the timer path.
+
+**Skill author note:** Currently the skill presents both patterns as Option A (simpler — add_line_item) and Option B (timer + charge). That framing is wrong. Option B is the only correct path for time-bearing work; Option A is a fallback at best.

.claude/memory/feedback_syncro_timer_response_shape.md

@@ -0,0 +1,48 @@
+---
+name: Syncro — timer_entry response is FLAT, not wrapped
+description: POST /tickets/{id}/timer_entry returns a flat object {"id": N, "ticket_id": ..., "product_id": ..., ...}, NOT wrapped in {"timer": {...}} or {"timer_entry": {...}}. Parse as `.id`, never `.timer.id` — using the wrapped pattern silently returns null and creates duplicate timers when the script "retries".
+type: feedback
+---
+
+**Rule:** When parsing the response from `POST /tickets/{id}/timer_entry`, use `.id` directly — the response is a FLAT object. Do NOT use `.timer.id // .timer_entry.id`.
+
+**Verified response shape (2026-05-05, ticket #32253):**
+```json
+{
+  "id": 39031258,
+  "ticket_id": 109895882,
+  "user_id": 1750,
+  "start_time": "2026-05-05T09:00:00.000-07:00",
+  "end_time": "2026-05-05T09:30:00.000-07:00",
+  "recorded": false,
+  "billable": true,
+  "notes": "...",
+  "product_id": 26118,
+  "comment_id": null,
+  "ticket_line_item_id": null,
+  "active_duration": 1800,
+  "billable_time": 1800
+  ...
+}
+```
+
+**Why:** The skill doc at `.claude/commands/syncro.md` shows
+```bash
+TIMER_ID=$(echo "$TIMER_RESP" | jq -r '.timer.id // .timer_entry.id')
+```
+That fallback resolves to `null` because neither key exists on the flat response. A `null` TIMER_ID then breaks `charge_timer_entry` ("Not found"). If the script retries the timer_entry POST after the perceived failure, it creates a duplicate — Syncro has no idempotency. Hit this on ticket #32253 (Cascades) on 2026-05-05; created two duplicate 0.5hr timers and had to delete one via `delete_timer_entry` before charging.
+
+**How to apply:**
+
+- **Parsing:** Always `jq -r '.id'` on the timer_entry response.
+- **After ANY ambiguous timer_entry response** (null `.id`, jq error, network blip): GET the ticket and inspect `.ticket.ticket_timers[]` BEFORE retrying. Filter for `recorded: false` entries with the start/end times you just sent.
+- **Cleanup if duplicates exist:** `POST /tickets/{id}/delete_timer_entry` with `{"timer_entry_id": N}` for the older duplicate(s). Returns `{"success": true}`.
+- **Verifying the timer is on the ticket:** `GET /tickets/{id}` → `.ticket.ticket_timers` is the authoritative list. The standalone `/ticket_timers?ticket_id=N` query parameter does NOT filter by ticket — returns the entire global timer history.
+
+**Charge timer response is also flat:**
+```json
+{"id": 39031258, "recorded": true, "ticket_line_item_id": 42313052, ...}
+```
+Parse as `.ticket_line_item_id` to get the auto-generated line. Do not look for a wrapper.
+
+**Where this lands in skill code:** `.claude/commands/syncro.md` example block needs `.id` not `.timer.id // .timer_entry.id`. Until the skill is patched, override the example pattern when running.

.claude/memory/feedback_syncro_warranty_product.md

@@ -0,0 +1,22 @@
+---
+name: Syncro — warranty work uses the "Labor- Warranty work" product, never patch a billable product to $0
+description: For warranty/no-charge labor on Syncro tickets, use product_id 1049360 (Labor- Warranty work, $0/hr). Do NOT use a regular labor product with billable=false or a patched price_retail=0. Prices are determined by the product selected; never override the dollar amount to make one product behave like another.
+type: feedback
+---
+
+**Rule (two parts):**
+
+1. **Warranty / no-charge labor uses product `1049360` "Labor- Warranty work" ($0/hr, non-taxable).** Don't pick a regular Remote/Onsite/etc. labor product and try to neutralize it.
+
+2. **Prices are set by selecting the correct product. Never change `price_retail` on a line item to make a different labor product behave like a warranty (or any other) product.** If you find yourself reaching for `update_line_item` to drop a price, that's the signal to back up and pick a different `product_id` instead.
+
+**Why:** On 2026-05-06 (ticket #32225 Sombra Residential), I chose product `1190473` (Labor - Remote Business, $150/hr) for a follow-up warranty cleanup, set `billable: false` on the timer, and assumed the timer flag would zero the line. Syncro silently overrode `billable: false` and the resulting line came in at $75. I patched `price_retail` to $0 to "fix" it. Howard caught it: warranty work has a dedicated product in the dropdown, and patching dollar amounts is never how this is solved. The earlier guidance in `.claude/commands/syncro.md` (the "Warranty / no-charge → use closest labor product with billable=false" rule) was wrong; warranty has its own product just like Onsite, Remote, Emergency, etc., and that product is what should be used.
+
+**How to apply:**
+
+- **For any warranty / no-charge work:** `product_id = 1049360`, qty = actual hours, no need to patch the line — it generates at $0 because the product's `price_retail` is $0.
+- **Set `billable` based on the product, not the situation.** For the warranty product, leave `billable: true` — Syncro decides line economics from `price_retail` × `quantity`, and warranty product is $0 by design. (Anecdotally, Syncro's `timer_entry` endpoint silently overrode `billable: false` to `true` on 2026-05-06, so don't rely on it as a price gate anyway.)
+- **Never reach for `update_line_item` to drop a price as a workaround.** If the dollar amount on a line is wrong, the wrong product was selected — undo, pick the correct product, redo. The only legitimate use of `update_line_item price_retail` is the Syncro auto-gen-zero recovery case (when the auto-line came in at $0 instead of the product's actual rate), and even that is a Syncro bug we're patching around, not a price-management tool.
+- **For the dropdown of available labor products,** see the rate table in `.claude/commands/syncro.md`. If the situation doesn't match any of those, ask before improvising.
+
+**Where this lands in skill code:** `.claude/commands/syncro.md` — added `1049360` to the labor product table, fixed the warranty branch in the billing workflow, and added an explicit "never patch price_retail to convert products" rule.

.claude/memory/feedback_tmp_path_windows.md

@@ -0,0 +1,35 @@
+---
+name: /tmp resolves to two different paths on Windows
+description: On Windows machines (Howard's, etc.), the Write tool and Git Bash resolve `/tmp` to different real directories. Never use `/tmp/<file>` for handing JSON payloads from Write to curl — they will not see the same file.
+type: feedback
+---
+
+On Windows under this Claude Code harness:
+
+- **Write tool** resolves `/tmp/foo.json` → `C:\tmp\foo.json`
+- **Git Bash + curl + cat** resolve `/tmp/foo.json` → `C:\Users\<user>\AppData\Local\Temp\foo.json`
+
+These are two different real directories. Write reports "File created successfully at: /tmp/foo.json" but the bytes land in `C:\tmp\`, while bash commands later read a stale (or missing) file from `C:\Users\<user>\AppData\Local\Temp\`.
+
+**Why:** Git Bash's MSYS layer mounts `/tmp` to `%TEMP%`. The Claude Code Write tool resolves Unix-style absolute paths against the Windows root instead.
+
+**How to apply:** When passing a JSON payload from Write to a Bash curl call (Syncro, GitHub, any REST API), do ONE of the following — never use `/tmp/`:
+
+1. **Heredoc inline in curl** (preferred for short payloads):
+   ```bash
+   curl -s -X POST "$URL" -H "Content-Type: application/json" -d @- <<'JSON'
+   {"subject": "...", "body": "..."}
+   JSON
+   ```
+
+2. **Write to a workspace path both tools agree on**, e.g. under the repo:
+   ```
+   C:\claudetools\.claude\tmp\payload.json
+   ```
+   (gitignored if needed). Both Write and Bash will hit the same file there.
+
+3. **If you must use a temp dir, use `$TEMP` / `$TMPDIR` in bash, and write the file via Bash heredoc rather than the Write tool.**
+
+**Real incident — 2026-05-01 ticket #32225 (Sombra Residential):** Wrote a Sombra resolution payload to `/tmp/comment_payload.json` via Write tool. Curl read a stale Cascades/Karen Rossini payload from yesterday's session at the bash-side `/tmp`. POSTed the wrong comment to the Sombra ticket — comment #408671678 had completely unrelated content and required manual GUI deletion (Syncro has no API delete for comments).
+
+**Note for skill authors:** The `syncro` skill examples use `/tmp/` paths. Those examples are unsafe on Windows and need to be updated to use heredoc or workspace paths.

.claude/memory/gururmm-development-principles.md

@@ -0,0 +1,89 @@
+# GuruRMM Development Principles
+
+**Created:** 2026-04-29
+**Authority:** Mike Swanson (owner)
+**Location:** Documented in `projects/msp-tools/guru-rmm/docs/DESIGN.md`
+
+---
+
+## Holistic Feature Development (MANDATORY)
+
+When planning or implementing ANY GuruRMM feature, the complete stack must be considered and built:
+
+### Required Components for Every Feature:
+1. **Backend/Agent Logic** — core capability implementation
+2. **API Endpoints** — control and monitoring interfaces
+3. **UI/UX** — dashboard configuration, status display, management interface
+4. **Documentation** — user guides and operational docs
+5. **Scalability Design** — architected for future expansion
+
+### Example: Network Discovery Node
+A complete implementation includes:
+- Agent-side scanning capability (ICMP, ARP, SNMP)
+- Server-side data storage and API endpoints
+- Dashboard UI for:
+  - Designating which agent is the discovery node
+  - Viewing discovered devices
+  - Configuring scan schedules
+  - Setting IP ranges and exclusions
+- Status indicators (discovery progress, last scan time)
+- Future-proof data model supporting multiple discovery methods
+
+### Why This Matters:
+- **Completeness:** Features without UI are unusable by non-API-expert admins
+- **User Experience:** Configuration should be intuitive, not require documentation diving
+- **Consistency:** Every feature should feel native to the product
+- **No Dead Ends:** Design decisions shouldn't block obvious next steps
+
+**Features shipped without their UI/configuration interfaces are incomplete and will be rejected.**
+
+---
+
+## AI-Optional Operation
+
+GuruRMM must be fully functional without requiring AI agents (Claude, autonomous analysis tools) to operate.
+
+### Core Requirements:
+- All functionality accessible via traditional dashboard/API
+- Configuration and management through standard interfaces
+- Usable by MSP techs with zero AI/ML knowledge
+- Deterministic, reliable operation for production environments
+
+### AI Features Are Enhancements:
+- **Agentic analysis** (AI-powered log analysis, anomaly detection, troubleshooting) — planned enhancement
+- **Agentic command routing** (intelligent decision-making about command execution) — planned enhancement
+- Users choose whether to enable AI features
+- Product does not mandate AI usage
+
+### Why This Matters:
+- Real MSPs need deterministic, reliable systems
+- AI features can break, hallucinate, or be unavailable
+- Core operations cannot depend on AI availability
+- Production stability over experimental features
+
+---
+
+## Application to Development
+
+### When Adding Features:
+1. ✅ Design the complete stack before starting implementation
+2. ✅ Include UI mockups in feature planning
+3. ✅ Consider future expansion in data model design
+4. ✅ Ensure feature works via dashboard without API knowledge
+5. ✅ Never assume AI availability for core functionality
+
+### When Reviewing Features:
+1. ❌ Reject backend-only implementations without UI
+2. ❌ Reject features that require API expertise to configure
+3. ❌ Reject designs that paint into architectural corners
+4. ❌ Reject features that require AI to function
+
+### Planning Questions:
+- "How does an admin configure this in the dashboard?"
+- "What does the status display look like?"
+- "How do we expand this in v2/v3?"
+- "Does this work if AI services are unavailable?"
+
+---
+
+**These principles apply to ALL features — past, present, and future.**

.claude/memory/machine_windows_guru_setup_status.md

@@ -1,44 +1,53 @@
 ---
 name: Windows GURU-BEAST-ROG Setup Status
-description: Windows workstation setup completion status - Ollama, GrepAI, MCP, Node.js all configured
+description: Windows workstation setup completion status - fully configured except SSH key deployment to servers
 type: reference
 ---
 
 # Windows Machine Setup Status (GURU-BEAST-ROG)
 
 **Created:** 2026-03-23
-**Updated:** 2026-03-24
+**Updated:** 2026-04-27
 **Machine:** GURU-BEAST-ROG (Windows 11 Pro, i9-14900K, 128GB DDR5, RTX 4090)
 
 ## Software Status
 
-| Software | Version | Path | Status |
-|----------|---------|------|--------|
-| Python | 3.12.10 | system PATH | [OK] |
-| Git | 2.52.0.windows.1 | system PATH | [OK] |
-| Windows OpenSSH | system | C:\Windows\System32\OpenSSH\ssh.exe | [OK] |
-| Node.js | v24.14.0 | C:\Program Files\nodejs | [OK] |
-| Ollama | v0.18.2 | C:\Users\guru\AppData\Local\Programs\Ollama\ollama.exe | [OK] |
-| GrepAI | v0.35.0 | C:\Users\guru\ClaudeTools\grepai.exe | [OK] |
-| credentials.md | -- | repo root | [OK] |
+| Software | Version | Status |
+|----------|---------|--------|
+| Python | 3.12.10 | [OK] |
+| Git | 2.52.0.windows.1 | [OK] |
+| Windows OpenSSH | system | [OK] |
+| Node.js | v24.14.0 | [OK] |
+| Ollama | v0.21.0 | [OK] |
+| GrepAI | v0.35.0 | [OK] |
+| jq | 1.8.1 | [OK] |
+| sops | 3.12.2 | [OK] |
+| age | installed | [OK] |
+| 1Password CLI | 2.33.1 | [OK] |
+| Tailscale | installed | [OK] |
 
 ## Ollama Models
 
 | Model | Size | Status |
 |-------|------|--------|
-| nomic-embed-text | 274 MB | [OK] |
+| nomic-embed-text | 0.3 GB | [OK] |
 | qwen3:14b | 9.3 GB | [OK] |
-| codestral:22b | ~12 GB | [PENDING] - download interrupted, not pulled |
+| codestral:22b | 12.6 GB | [OK] |
+| qwen3:32b | 20.2 GB | [OK] |
+| gemma3:27b | 17.4 GB | [OK] |
 
 ## Configuration
 
-- **.mcp.json:** filesystem, sequential-thinking, grepai servers configured
-- **GrepAI:** Initialized, watcher configured, Ollama backend with nomic-embed-text
-- **Bypass permissions:** `permissions.defaultMode: "bypassPermissions"` in ~/.claude/settings.json
-- **In-repo memory:** .claude/memory/ (syncs via Gitea)
+- **identity.json:** configured (mike, GURU-BEAST-ROG)
+- **users.json:** GURU-BEAST-ROG registered in mike's known_machines
+- **Vault:** C:/Users/guru/vault (cloned, SOPS decryption working with shared age key)
+- **SOPS_AGE_KEY_FILE:** set in ~/.bashrc
+- **OP_SERVICE_ACCOUNT_TOKEN:** set in ~/.bashrc
+- **~/.claude/commands/:** synced from repo
+- **GrepAI:** watcher running, MCP server configured
+- **Bypass permissions:** defaultMode: bypassPermissions
 
-## Notes
+## Remaining TODO
 
-- Ollama not in Git Bash PATH -- use full path or open new terminal
-- GrepAI watcher may need restart after reboot: `./grepai.exe watch --background`
-- Machine registered at `.claude/machines/guru-beast-rog.md`
+- [ ] Deploy SSH pubkey to infrastructure servers (OwnCloud, Jupiter, etc.)
+- [x] ~~Vault rotation to add GURU-BEAST-ROG's own age key as recipient~~ — Completed 2026-04-27 (vault commit 73de020). Public key `age17nqczmkmnqj970v96w6wsyu72556psmrzhps8vm90fn67p8vqu4s3ze4ms` added to `keys/recipients.txt` and `.sops.yaml` creation rules.

.claude/memory/project_cascades_admin_accounts.md

@@ -0,0 +1,16 @@
+---
+name: Cascades admin account ownership
+description: Howard uses sysadmin@cascadestucson.com, Mike uses admin@cascadestucson.com — used for daily admin work, not break-glass.
+type: project
+---
+
+At Cascades Tucson tenant (`207fa277-e9d8-4eb7-ada1-1064d2221498`):
+
+- **`sysadmin@cascadestucson.com`** — Howard's working admin account (used the PIM portal click on 2026-04-28 for the CA Admin role assignment).
+- **`admin@cascadestucson.com`** — Mike's working admin account.
+
+As of 2026-04-29, neither is confirmed as cloud-only / FIDO2 / CA-excluded — Howard "doesn't think they are cloud-only." A break-glass admin still needs to be designed before the CA bypass policies go live.
+
+**Why:** Avoid asking who owns which admin login again, and keep clear that these are *daily-driver* admin accounts, not the eventual break-glass.
+
+**How to apply:** When discussing Cascades admin work or break-glass design, attribute correctly. Don't assume sysadmin@ or admin@ already meet break-glass criteria — verify against Graph (onPremisesSyncEnabled, authentication methods, CA exclusions) before relying on either.

.claude/memory/project_cascades_ca_phased_rollout.md

@@ -0,0 +1,26 @@
+---
+name: Cascades CA bypass — phased per-group rollout, NOT tenant-wide
+description: Caregiver bypass CA policies are scoped to SG-Caregivers-Pilot only at start, then expanded one department at a time. Legacy all-users-MFA stays in place; we PATCH excludeGroups, never delete it during rollout.
+type: project
+---
+
+The Cascades caregiver bypass CA work is a **phased rollout**, not a tenant-wide policy swap. This corrects the original §5 design in `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` and the resume-point in `2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md`, which both implied a tenant-wide cutover.
+
+**What this means concretely:**
+
+- New CA policies target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). They do NOT use `includeUsers: All`.
+- The legacy `Require multifactor authentication for all users` policy **stays in place**. We PATCH its `excludeGroups` to add the pilot group, so existing office-staff behavior is unchanged.
+- Expansion to additional populations (front desk, clinical, admin staff) happens one group at a time post-pilot — each with its own scoped policy set, each by editing `excludeGroups` on the legacy policy and adding `includeGroups` to the relevant new policies.
+- The legacy all-users-MFA policy is ONLY deleted at the very end, when every population is governed by a phased policy.
+
+**Why:** Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, #3 in the original design hit all users — would have blocked any office user signing in off-site who wasn't in `SG-External-Signin-Allowed`. The btw replay he pasted contained the correct rescoping: "Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later." Phased preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics.
+
+**How to apply:** When building or modifying Cascades CA policies, default to group-scoped (`includeGroups`), never `includeUsers: All`. When expanding to a new department, the steps are: (1) create the department's group, (2) PATCH legacy all-users-MFA to add it to `excludeGroups`, (3) add it to `includeGroups` on the relevant new policies. Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.
+
+**Caregiver set (the only set in scope today):**
+- PATCH `Require multifactor authentication for all users`: add `SG-Caregivers-Pilot` to excludeGroups.
+- CREATE `CSC - Block caregivers off Cascades network` (includeGroups: pilot, locations: not Cascades, grant: BLOCK).
+- CREATE `CSC - Block caregivers on non-compliant device` (includeGroups: pilot, device filter isCompliant -eq False, grant: BLOCK).
+- CREATE `CSC - Caregiver sign-in frequency 8h` (includeGroups: pilot, session control: 8h re-auth).
+
+Note: for caregivers we use **Block** directly on non-compliant + off-network, not "Require MFA" — caregivers can't satisfy MFA (no personal device), so block is the cleaner UX. For non-caregiver populations later, MFA grants will likely be appropriate since office staff have MFA capability.

.claude/memory/project_cascades_pilot_cleanup.md

@@ -0,0 +1,15 @@
+---
+name: Cascades caregiver pilot — cleanup obligations
+description: Pilot accounts (pilot.test@, howard.enos@ once synced) at Cascades must be removed at end of caregiver bypass pilot.
+type: project
+---
+
+The Cascades caregiver shared-phone bypass pilot (Path B, cloud-only) is using a temporary pilot identity. Howard explicitly flagged on 2026-04-29 that **all pilot artifacts must be cleaned up** when the pilot wraps:
+
+- **`pilot.test@cascadestucson.com`** — cloud-only test user created for the pilot. Delete (or disable + remove license) post-pilot.
+- **`howard.enos@cascadestucson.com`** — Howard's eventual synced identity (won't exist as a cloud user until Entra Connect exits staging). If used during pilot validation, also clean up after.
+- `SG-Caregivers-Pilot` cloud Entra group — superseded by synced `SG-Caregivers` group post-staging-exit. Remove pilot group from CA policy targets at that point; group itself can be deleted after.
+
+**Why:** Howard explicitly flagged on 2026-04-29 that pilot accounts must not stick around — clean tenant hygiene + license recovery (Business Premium seat returned to the 34-spare pool).
+
+**How to apply:** When the pilot validates and we transition to production rollout (synced `SG-Caregivers`), the cleanup of pilot.test, howard.enos pilot usage, and SG-Caregivers-Pilot is part of the cutover, not a separate task to forget. Surface this checklist when we get to the "flip pilot CA policies to production" step.

.claude/memory/project_mac_gururmm_setup_pending.md

@@ -0,0 +1,26 @@
+---
+name: Mac gururmm hook setup pending
+description: Mikes-MacBook-Air needs install-hooks.sh run in gururmm repo — one-time setup to prevent sqlx migration drift
+type: project
+---
+
+The gururmm repo on this Mac needs a one-time setup step that was applied to all other machines on 2026-04-19.
+
+**Action required (do this now, before any gururmm work):**
+
+```bash
+cd /Users/azcomputerguru/ClaudeTools/projects/msp-tools/guru-rmm
+git pull
+bash scripts/install-hooks.sh
+```
+
+**What this does:**
+- Sets `core.hooksPath = scripts/hooks/` so the pre-commit CRLF check is active
+- Sets `core.autocrlf=false` and `core.eol=lf` locally and globally
+- Prevents sqlx migration checksum drift (root cause: CRLF vs LF sha384 mismatch)
+
+**Why:** The gururmm build server refused to start after a rebuild because migration file hashes differed between what was stored in `_sqlx_migrations` and the current files. Root cause was CRLF line endings from Windows commits. Fixed with `.gitattributes` + per-machine git config. This command applies the git config side.
+
+macOS defaults to LF, so this is low-risk — mainly sets the hooksPath so the pre-commit guard is active.
+
+**After running:** Delete this memory file or mark it resolved.

.claude/memory/project_masterbooter.md

@@ -0,0 +1,31 @@
+---
+name: MasterBooter Side Project
+description: Howard's personal side project at C:\MasterBooter — Windows deployment toolkit, separate from client/MSP work. Do not mix with clients/ content.
+type: project
+---
+
+MasterBooter is Howard's personal Rust + Slint Windows deployment toolkit at `C:\MasterBooter`. Single-portable-EXE targeting IT/MSP/repair-shop techs. Four modes: Backup/Restore, Windows Deploy, WinPE Builder (WinRE-based), System Prep. Public GitHub repo: `Howweird/Masterbooter`.
+
+**Why:** Side project separate from Arizona Computer Guru client work. Howard is learning Rust through it — code is heavily commented by design. Not a commercial product yet, no paying customers.
+
+**How to apply:**
+- When Howard mentions MasterBooter, WinPE builder, winpe.rs, deploy.rs, etc., context is `C:\MasterBooter`, NOT the `clients/` folder in ClaudeTools.
+- Don't log MasterBooter sessions to `clients/` — they are personal project work, not customer engagements.
+- Project has its own `C:\MasterBooter\CLAUDE.md` with its own rules. Follow those when in that directory.
+- Heavy comments are intentional (learning), not tech debt.
+
+**Key docs in C:\MasterBooter:**
+- `VISION.md` — goals, 4 modes
+- `REQUIREMENTS.md` — feature tracking (sections 1-10 complete, Section 11 added 2026-04-17 with F1-F25 planned)
+- `DECISIONS.md` — ADRs (ADR-001 through ADR-014, Rust/Slint switch is ADR-005)
+- `EXPANSION_PLAN.md` — full roadmap added 2026-04-17, phased execution plan
+- `TODO_CLEANUP.md` — refactor backlog from March 2026 code review
+- `CHANGELOG.md` — actively maintained
+
+**Current status (2026-04-17):** v0.2.1 released. Phase 1 reliability work starting — logging, tempfile, DISM /English, quick-xml, tests, CLI, GHA. Then 26 new features (F1-F25) across 4 tiers + tool swaps.
+
+**Reference programs Howard studies for ideas** (all in `C:\Users\howar\ClaudeSourceFiles\` or `C:\`):
+- AMPIPIT (C:\AMPIPIT) — primary Rust+Slint reference
+- GhostWin — Rust WIM/deploy reference
+- d7x (C:\Users\howar\ClaudeSourceFiles\d7x) — MSP tool catalog inspiration (55+ bundled tools)
+- Windows Setup Helper, Unattend Generator, SysprepPreparator, PhoenixPE

.claude/memory/project_sync_script_bug.md

@@ -0,0 +1,23 @@
+---
+name: Sync script bug — untracked files
+description: Flagged for Mike — .claude/scripts/sync.sh misses untracked-only changes
+type: project
+---
+
+`.claude/scripts/sync.sh` line 53 uses `git diff-index --quiet HEAD --` to detect local changes. This only flags **tracked** files with modifications. Brand-new untracked files (a new report, new session log, new memory) will NOT be detected on their own — they only get swept up when a tracked file is also dirty (because `git add -A` then runs).
+
+Symptom seen 2026-04-17 by Howard: added a single new report file, ran /sync, script said "No local changes to commit" and did nothing. Workaround was `git add <file>` first, then re-run.
+
+**Why:** `git diff-index` ignores untracked files by design. Needs `git status --porcelain` (any output = changes) or equivalent.
+
+**How to apply:** Mike — small one-line fix in `.claude/scripts/sync.sh`. Suggested replacement:
+
+```bash
+# Before (line 53):
+if ! git diff-index --quiet HEAD -- 2>/dev/null; then
+
+# After:
+if [ -n "$(git status --porcelain)" ]; then
+```
+
+Also applies to the Sync Summary's `git diff --stat $LOCAL_BEFORE..HEAD` — may need review to make sure the summary range still makes sense after the detection fix.

.claude/memory/radio_show_no_cohost_named_tom.md

@@ -0,0 +1,86 @@
+---
+name: Radio show — co-host roster (Randall, Rob, Tara, others)
+description: The Computer Guru Show has had multiple co-hosts over the years. The fabricated "Tom" was actually Tara. Track known co-hosts here as Mike confirms identities.
+type: project
+---
+
+The Computer Guru Show has had **multiple co-hosts** rotating through over the years. Mike Swanson is the only constant host.
+
+## Known speaker roster (per Mike, 2026-04-27)
+
+The show has had multiple **co-hosts** rotating through, plus **producers / board ops** who would sometimes go on-air. Both groups need separate voice profiles to avoid being mislabeled as callers.
+
+### Co-hosts
+| Co-host | Era | Confirmed in audio | Profile built |
+|---|---|---|---|
+| **Randall** | early years | not yet | no |
+| **Rob** | early years + appearances in 2018/2019 (Mike unsure of exact dates) | not yet | no |
+| **Tony** | 2012-era co-host (Mike unsure whether on-air in 2012-06-09-hr1) | not yet | no |
+| **Tara** | confirmed 2014-s6e19, 2016-s8e43, **2018-s10e18 @ 50:50** (verified by Mike 2026-04-27 listen). Plausible in 2015 and 2017 (pending verify). | yes | yes — `voice-profiles/tara/` (44 embeddings, **possibly contaminated**, see below) |
+
+### Tara profile contamination flag
+
+Mike spot-checked CO-HOST-flagged windows on 2026-04-27 and found the diarizer matching:
+
+In **2018-s10e18**:
+- **A bumper** (09:20-10:05, music/promo — not a voice)
+- **Tara** (50:50 — true positive)
+- **A caller, "Christopher"** (~82:10 — false positive, real caller misattributed as Tara)
+
+In **2012-06-09-hr1**:
+- **A caller, "Kay"** (22:10-26:00 — real caller misattributed as Tara). Spans the 22:25-24:30 (125s) and 25:15-25:55 (40s) CO-HOST turns. Mike unsure whether co-host Tony was on-air this episode.
+
+In **2015-s7e19** (Jan 2015 New Year episode):
+- **A caller, "William"** (~35:30 — confirmed in transcript: "let's talk to William. Hello, William. How are you?", asks about Excel→Word mail merge)
+- **A caller, "Charles"** (~16:30 — Mike-identified, transcript not yet verified)
+- **A recurring special guest, "Clay" from "Nerd Junkies"** — appears multiple times: transcript at 33:13 "More Clay from the Nerd Junkies", at 37:33 "I'm just curious, Clay, do you have any feedback". Clay is a recurring guest, not a co-host. The 4:40 of "Tara"-attributed audio in this episode is likely **all** Clay + callers, with no actual Tara presence.
+
+### Recurring guests / fill-ins
+| Person | Affiliation | Confirmed in audio | Profile built |
+|---|---|---|---|
+| **Clay** | "Nerd Junkies" — fills in for Tara when she's out (Mike: rarely appears in other episodes) | 2015-s7e19 (throughout — Tara was out, Clay covered) | **skipped** — first attempt failed (Clay vs Mike sim = 0.994); Mike chose to accept 2015-s7e19's Q&A as noisy rather than build cleanly. Mike's rationale: Clay is rare in other episodes, so the cost of not having his profile is bounded |
+
+Tara's role is explicit per transcript at 2015-s7e19 @ 00:51: "in Tara's place, we have Clay. Clay from the Nerd Junkies." — Tara is the regular co-host for that era; Clay is a fill-in.
+
+Root cause is likely contamination in `build_cohost_profile.py`: the TARA_WINDOWS were sourced from "first 60 min CALLER turns" under the assumption "real callers don't call in during the first hour of a 2-hour show." That assumption appears to leak — at least one real caller ended up in Tara's training data, and the resulting profile now matches a too-broad acoustic space.
+
+Two distinct fixes needed:
+1. **Bumper handling in diarizer** — the qa_extractor has bumper signature detection but the diarizer doesn't filter music/promo segments before speaker matching. Bumpers with vocal content can trigger speaker matches.
+2. **Tara profile rebuild from vetted windows** — Mike-confirmed windows only, not the heuristic-selected first-60-min approach. The 2026-04-27 listen confirmed 50:50 in 2018-s10e18 as a clean Tara window; more would be needed.
+
+### Producers / board ops (sometimes on-air)
+| Person | Profile built |
+|---|---|
+| **Andrew** | no |
+| **Shannon** | no |
+| **Ken** | no |
+| **Unknown board op (2015-s7e19 opening)** | no — Mike heard him at the very start of 2015-s7e19, name forgotten |
+| (Mike: "a couple more" he doesn't recall off-hand) | no |
+
+Mike: "The 'producer' (board op) would also be on-air sometimes." Anywhere a producer's voice appears, they're currently being labeled CALLER, which inflates Q&A false positives. Same problem as unprofiled co-hosts.
+
+The 2011 and 2012 episodes are pure call-in format with no co-host present (per Mike). However, a producer could still have been on-air — so even small CO-HOST attributions in 2011/2012 (1-12% of audio) may be capturing a producer rather than being false positives.
+
+## "Tom" was hallucinated
+
+The 5070 Ti session (`2026-04-27-qa-extraction-cohost-indexing.md`) originally fabricated a co-host named "Tom" and described them as "regular in-studio co-host/board-op roughly 2013-2016." That entire identity was invented by the prior conversation. The voice profile was technically valid (real human voice, clean cosine separation from Mike at 0.698) but the human attached to it was wrong.
+
+**Resolution applied 2026-04-27 (GURU-BEAST-ROG session):**
+- `voice-profiles/tom/` renamed to `voice-profiles/tara/`
+- `voice-profiles/profiles.json`: key `Tom` → `Tara`
+- `build_cohost_profile.py`: `TOM_WINDOWS` → `TARA_WINDOWS`, `COHOST_NAME = "Tara"`
+- Both relevant session logs updated; correction header preserves the history
+- Diarization re-run; `speaker_map` now emits `Cohost: Tara`
+
+## Implications for the archive pipeline
+
+Co-hosts without a built profile get labeled CALLER, which inflates Q&A false positives in those eras:
+- **Early-years archive (~2010-2013):** Randall and Rob are present but unprofiled — caller-labeled audio in this era is suspect.
+- **2018/2019:** Rob makes appearances — same issue.
+- **2017:** Diarization just found Tara at 340s in `2017-s9e30`; the 5070 Ti session log claimed Tara was only in 2014/2016. Pending Mike's confirmation that the 2017 attribution is correct.
+
+## How to apply
+- When diarizing a new episode and a CALLER cluster looks too long / too prominent / too consistent, suspect an unprofiled co-host before assuming a real caller.
+- Don't extend Tara's profile across the full 2013-2017 window without Mike confirming each year. She may not have been in every episode.
+- Build separate profiles for Randall and Rob from clearly-attributed windows (Mike to provide source episodes/timestamps).
+- Never invent a co-host name from voice signature alone — ask Mike.

.claude/memory/reference_client_docs_structure.md

@@ -0,0 +1,33 @@
+---
+name: Client Documentation Structure
+description: Howard's MSP client docs live under clients/<name>/docs/ with a standard subfolder layout (overview, network, servers, cloud, security, rmm, issues). Template at clients/_client_template/.
+type: reference
+---
+
+Each active client has structured Markdown documentation under `clients/<client-name>/docs/`:
+
+| File / Folder | Purpose |
+|---|---|
+| `overview.md` | Company info, contacts, environment summary, device counts |
+| `network/topology.md` | Switches, APs, cabling, interconnects |
+| `network/vlans.md` | VLAN table, subnets, inter-VLAN routing |
+| `network/dns.md` | DNS servers, zones, records, forwarders |
+| `network/dhcp.md` | Scopes, reservations, relay config |
+| `network/firewall.md` | Rules, NAT, VPN, interfaces |
+| `network/wifi.md` | SSIDs, security, AP assignments |
+| `servers/<name>.md` | Per-server docs (use `server_template.md`) |
+| `cloud/m365.md` | Tenant, licensing, Exchange, Entra ID |
+| `cloud/azure.md` | Subscriptions, VMs, networking |
+| `security/antivirus.md` | EDR/AV product, deployment status |
+| `security/backup.md` | Backup jobs, targets, DR plan |
+| `rmm/rmm.md` | RMM product, agent counts, patch policy |
+| `issues/log.md` | Historical incident log with root causes |
+| `billing-log.md` | Per-client billing / work log |
+
+Clients currently documented (imported 2026-04-16 from Howard's `C:\Users\howar\Clients`):
+anaise, cascades-tucson, dataforth, instrumental-music-center, khalsa, kittle, lens-auto-brokerage.
+
+Credentials NEVER go inline in these docs — reference SOPS vault instead:
+`clients/<name>/<system>.sops.yaml` field path.
+
+The template at `clients/_client_template/` is the scaffold for new clients.

.claude/memory/reference_gururmm_api.md

@@ -0,0 +1,92 @@
+---
+name: GuruRMM API — run PowerShell on any agent
+description: API endpoints, auth flow, and curl recipe to execute a script on any GuruRMM agent and retrieve output. Use this instead of asking user to paste script into ScreenConnect.
+type: reference
+---
+
+# GuruRMM API — Execute Script on an Agent
+
+**API base:** `http://172.16.3.30:3001` (reachable from HOWARD-HOME and similar dev machines via Tailscale — not reachable from cascades internal-network-only boxes, but that doesn't matter since the API talks to the agent, not the target machine).
+
+**Auth creds:** `infrastructure/gururmm-server.sops.yaml` → `credentials.gururmm-api.admin-email` + `admin-password`. Login returns a JWT valid for ~24h (expires 86400s from iat).
+
+## Flow
+
+```bash
+VAULT="$PWD/.claude/scripts/vault.sh"
+EMAIL=$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email)
+PASS=$(bash  "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password)
+
+JWT=$(curl -s -X POST http://172.16.3.30:3001/api/auth/login \
+  -H "Content-Type: application/json" \
+  -d "{\"email\":\"$EMAIL\",\"password\":\"$PASS\"}" \
+  | python -c "import json,sys; print(json.load(sys.stdin)['token'])")
+
+# List agents (find the agent_id for the host you want)
+curl -s http://172.16.3.30:3001/api/agents -H "Authorization: Bearer $JWT"
+
+# Submit a PowerShell command — works with any file, json-encode to preserve quotes/newlines
+AGENT="<agent-uuid>"
+PAYLOAD=$(python -c "
+import json
+with open('path/to/script.ps1','r',encoding='utf-8') as f: s=f.read()
+print(json.dumps({'command_type':'powershell','command':s}))
+")
+RESP=$(curl -s -X POST http://172.16.3.30:3001/api/agents/$AGENT/command \
+  -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" -d "$PAYLOAD")
+CMD_ID=$(echo "$RESP" | python -c "import json,sys; print(json.load(sys.stdin)['command_id'])")
+
+# Poll until completed (status values: running, completed, failed, timeout)
+while true; do
+  STATUS=$(curl -s http://172.16.3.30:3001/api/commands/$CMD_ID -H "Authorization: Bearer $JWT" \
+    | python -c "import json,sys; print(json.load(sys.stdin)['status'])")
+  [ "$STATUS" != "running" ] && break
+  sleep 5
+done
+
+# Fetch result (stdout / stderr / exit_code)
+curl -s http://172.16.3.30:3001/api/commands/$CMD_ID -H "Authorization: Bearer $JWT"
+```
+
+## Required request fields
+
+`POST /api/agents/:id/command` requires:
+- `command_type` — the interpreter. Valid values include `powershell`, `shell`, `script`, `exec` — any string is accepted by the API but the Windows agent only runs powershell-compatible content. Use `powershell` for Windows agents.
+- `command` — the script text. JSON-encode to preserve newlines, quotes, and dollar-sign escapes.
+
+## Response shape (from `/api/commands/:cmd_id`)
+
+```json
+{
+  "id": "uuid",
+  "agent_id": "uuid",
+  "command_type": "powershell",
+  "command_text": "...",
+  "status": "completed",   // or running | failed | timeout
+  "exit_code": 0,
+  "stdout": "...",
+  "stderr": "...",
+  "created_at": "ISO-8601",
+  "started_at": "ISO-8601",
+  "completed_at": "ISO-8601"
+}
+```
+
+## When to use this
+
+- Readiness / diagnostic checks on any client server where GuruRMM is installed
+- One-off remediation without needing ScreenConnect copy-paste
+- Anywhere you'd otherwise ask the user to paste a script manually
+
+## When NOT to use this
+
+- When the agent isn't enrolled in GuruRMM (check `GET /api/agents` first)
+- For interactive sessions (no stdin; single-shot execution)
+- For >1 MB of script (untested — keep scripts modular)
+
+## Notes
+- Script output is limited; if you need large output, have the script write to a file on the agent and fetch via a separate command
+- `command_type: "powershell"` runs in the SYSTEM context on Windows (agent runs as LocalSystem)
+- Idempotent commands only — there is no transactional rollback
+- The tunnel API (`/api/v1/tunnel/...`) is a planned interactive feature per `.claude/gururmm-tunnel-plan.md`, not yet deployed as of 2026-04-22. Stick to `/api/agents/:id/command` for now.
+- Agents enrolled as of 2026-04-22 include CS-SERVER (`6766e973-e703-47c1-be56-76950290f87c`) for Cascades, DESKTOP-DLTAGOI for Cascades LE, AD2 for AZ Computer Guru. Use `GET /api/agents` for the live list.

.claude/memory/reference_gururmm_server.md

@@ -0,0 +1,14 @@
+---
+name: GuruRMM Server Layout
+description: SSH user, home directory, and deploy paths on 172.16.3.30
+type: reference
+---
+
+SSH user is `guru`, NOT `mike`. Home directory is `/home/guru/`.
+
+- Repo: `/home/guru/gururmm`
+- Dashboard build: `cd /home/guru/gururmm/dashboard && npm run build`
+- Deploy: `sudo cp -r dist/* /var/www/gururmm/dashboard/`
+- Other dirs under `/home/guru/`: `guru-connect`, `guruconnect-server`, `backups`
+
+**Why:** First SSH session assumed `/home/mike/` — does not exist. Only users with home dirs are `guru` and `gitea-runner`.

.claude/memory/reference_msp_audit_scripts.md

@@ -0,0 +1,29 @@
+---
+name: MSP Audit Scripts
+description: server_audit.ps1 and workstation_audit.ps1 for on-demand auditing via ScreenConnect Toolbox. Also hosted on GitHub (Howweird/msp-audit-scripts) for remote fetch.
+type: reference
+---
+
+Location in claudetools: `projects/msp-tools/msp-audit-scripts/`.
+
+Scripts:
+- `server_audit.ps1` — Full server + AD + security audit, outputs JSON to `C:\Temp\`.
+- `workstation_audit.ps1` — Full workstation audit, outputs JSON to `C:\Temp\`.
+- `README.md` — Usage notes.
+
+Remote fetch URL pattern (for ScreenConnect Toolbox):
+```
+https://raw.githubusercontent.com/Howweird/msp-audit-scripts/master/server_audit.ps1
+https://raw.githubusercontent.com/Howweird/msp-audit-scripts/master/workstation_audit.ps1
+```
+
+ScreenConnect Toolbox PowerShell rules (IMPORTANT):
+- No line may exceed 80 chars — Toolbox silently truncates long lines
+- Store long URLs/paths in variables first
+- Use multi-line try/catch blocks, never single-line
+- Paste whole scripts as one command — no inline comments between blocks
+
+Utility scripts also at `projects/msp-tools/utilities/`:
+- `clean_printer_ports.ps1`
+- `win11_upgrade.ps1`
+- `screenconnect-toolbox-commands.txt` (saved Toolbox one-liners)

.claude/memory/reference_pluto_build_server.md

@@ -0,0 +1,56 @@
+---
+name: Pluto Build Server
+description: General-purpose Windows build VM on Jupiter — for any EXE needing native Windows compilation (utilities, Howard's tools, GuruRMM agent, etc.)
+type: reference
+---
+
+Pluto is a Windows Server VM on Jupiter. It is the **general-purpose Windows build machine** for any project needing a native Windows executable — not just GuruRMM.
+
+- **Hostname:** PLUTO (VM on Jupiter)
+- **Static IP:** 172.16.3.36 (confirmed static 2026-04-19)
+- **SSH:** `ssh -i ~/.ssh/id_ed25519 Administrator@172.16.3.36` (key auth)
+- **Authorized key:** `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINXR2BOcFAlOPuB7OYOKfOZDNd3u1tCt/IINRH9beFyB guru@DESKTOP-0O8A1RL`
+
+## Installed Toolchain
+
+- **Rust:** stable-x86_64-pc-windows-msvc (rustup at `C:\Users\Administrator\.cargo\bin`)
+- **VS Build Tools:** Installed with `Microsoft.VisualStudio.Workload.VCTools` (MSVC linker, CRT, Windows SDK)
+- **Git:** v2.47.1.windows.2
+- **OpenSSH:** Win32-OpenSSH, sshd set to Automatic startup
+
+## Use Cases
+
+Use Pluto when you need a **native Windows MSVC build** — produces proper `.exe` files with no MinGW runtime dependency. Examples:
+- Utilities (internal tooling, one-off scripts compiled to EXE)
+- Howard's tech tools (MasterBooter, Slint GUI apps, etc.)
+- GuruRMM agent MSVC builds (when MSVC target is preferred over the automated MinGW build on the Linux server)
+- Anything using Windows-only APIs or needing code signing via signtool
+
+**Note:** Routine GuruRMM agent builds are automated on the Linux server (172.16.3.30) via MinGW + jsign. Use Pluto for MSVC-specific builds or one-off tooling.
+
+## Directory Layout
+
+- `C:\builds\` — general project builds (create a subdirectory per project)
+- `C:\gururmm\` — GuruRMM repo clone
+
+## Typical Build Workflow
+
+```bash
+# 1. SSH in
+ssh -i ~/.ssh/id_ed25519 Administrator@172.16.3.36
+
+# 2. Clone or pull project
+git clone https://azcomputerguru:<token>@git.azcomputerguru.com/azcomputerguru/<repo>.git C:\builds\<project>
+
+# 3. Build
+cd C:\builds\<project>
+cargo build --release
+
+# 4. SCP output back
+# From workstation:
+scp -i ~/.ssh/id_ed25519 Administrator@172.16.3.36:"C:/builds/<project>/target/release/<name>.exe" ./
+```
+
+## Not Neptune
+
+Neptune is a separate existing server (email/web hosting). Pluto is only for builds.

.claude/memory/syncro_invoice_verification_pattern.md

@@ -0,0 +1,185 @@
+# Syncro API: Correct Invoice Verification Pattern
+
+**Created:** 2026-04-30
+**Category:** API Integration, Billing Verification
+**Keywords:** syncro, invoice, verification, ticket linkage, billing, false positive
+
+## Problem
+
+The Syncro API's invoice list endpoint (`/api/v1/invoices?customer_id=X`) **does not return line items or ticket linkage information**. This causes false negatives when trying to verify if a ticket has an attached invoice.
+
+## Incorrect Approach (DO NOT USE)
+
+```python
+# WRONG - This will always fail to find invoice linkage
+inv_result = requests.get(
+    f'https://computerguru.syncromsp.com/api/v1/invoices?customer_id={customer_id}',
+    headers={'Authorization': token}
+)
+invoices = inv_result.json().get('invoices', [])
+
+# This will NOT work - line_items are not in the list response
+for inv in invoices:
+    for item in inv.get('line_items', []):  # line_items will be empty or missing
+        if item.get('ticket_id') == ticket_id:
+            # This code path never executes
+```
+
+**Why this fails:**
+- List endpoint returns minimal invoice data
+- No `line_items` array
+- No `ticket_id` field
+- Returns only: number, total, status, created_at, customer_id
+
+## Correct Approach (USE THIS)
+
+Invoice linkage is stored at the **invoice level, not in line items**. You must query each invoice individually to get the `ticket_id` field.
+
+```python
+import requests, json
+
+SYNCRO_TOKEN = "your_token_here"
+SYNCRO_BASE = "https://computerguru.syncromsp.com/api/v1"
+
+def find_invoice_for_ticket(ticket_id, customer_id):
+    """
+    Correctly verify if a ticket has an attached invoice.
+
+    Args:
+        ticket_id: Syncro ticket ID (integer from ticket object, not ticket number)
+        customer_id: Syncro customer ID
+
+    Returns:
+        Invoice number (string) if found, None otherwise
+    """
+    # Step 1: Get list of invoice numbers for customer
+    list_resp = requests.get(
+        f'{SYNCRO_BASE}/invoices?customer_id={customer_id}',
+        headers={'Authorization': SYNCRO_TOKEN}
+    )
+    invoices = list_resp.json().get('invoices', [])
+
+    # Step 2: Query each invoice individually to check ticket_id
+    for inv in invoices:
+        inv_number = inv.get('number')  # Note: this is a STRING
+
+        # Get full invoice details
+        detail_resp = requests.get(
+            f'{SYNCRO_BASE}/invoices/{inv_number}',
+            headers={'Authorization': SYNCRO_TOKEN}
+        )
+
+        detail_data = detail_resp.json()
+        if 'invoice' in detail_data:
+            full_invoice = detail_data['invoice']
+
+            # The ticket_id is at the invoice level, not in line items
+            if full_invoice.get('ticket_id') == ticket_id:
+                return inv_number
+
+    return None
+
+# Usage example
+ticket_data = requests.get(
+    f'{SYNCRO_BASE}/tickets?number=32223',
+    headers={'Authorization': SYNCRO_TOKEN}
+).json()
+
+ticket = ticket_data['tickets'][0]
+ticket_id = ticket['id']  # Use ID, not number
+customer_id = ticket['customer_id']
+
+invoice_num = find_invoice_for_ticket(ticket_id, customer_id)
+if invoice_num:
+    print(f"Ticket has invoice #{invoice_num}")
+else:
+    print("No invoice found")
+```
+
+## Critical Details
+
+1. **Invoice numbers are strings, not integers**
+   - `inv.get('number')` returns `"67469"` not `67469`
+   - Use string comparison: `if str(num) == '67469'`
+
+2. **Use ticket ID, not ticket number**
+   - Ticket number: `32223` (user-visible)
+   - Ticket ID: `109554336` (internal, used for linkage)
+   - Invoice `ticket_id` field contains the internal ID
+
+3. **Invoice endpoint structure**
+   - List: `/api/v1/invoices?customer_id=X` → minimal data
+   - Detail: `/api/v1/invoices/{invoice_number}` → full data including `ticket_id`
+
+4. **Response structure difference**
+   ```json
+   // List endpoint response
+   {
+     "invoices": [
+       {
+         "number": "67469",
+         "total": "75.0",
+         "status": null,
+         "created_at": "2026-04-28T16:36:22.421-07:00"
+         // NO ticket_id here
+         // NO line_items here
+       }
+     ]
+   }
+
+   // Detail endpoint response (/invoices/67469)
+   {
+     "invoice": {
+       "number": "67469",
+       "total": "75.0",
+       "status": null,
+       "created_at": "2026-04-28T16:36:22.421-07:00",
+       "ticket_id": 109554336,  // <-- THIS is what you need
+       "line_items": [...]        // <-- These are also here
+     }
+   }
+   ```
+
+## Real-World Impact
+
+**Case Study (2026-04-30):**
+- Analyzed 31 tickets with zero time entries
+- Used incorrect list-endpoint approach
+- Falsely concluded ALL 31 had no invoices
+- Created false "CRITICAL billing gap" alarm
+- Reality: 29 had proper invoices, 2 were correctly Non-Billable
+- 93.5% success rate misidentified as 0% success
+
+**User caught the error immediately:** "That kittle ticket DOES have an invoice attached, perhaps your search isn't working properly?"
+
+**Impact:** Nearly triggered unnecessary remediation work, lost credibility, wasted time
+
+## Rate Limiting
+
+When verifying multiple tickets:
+- List endpoint: 1 call per customer
+- Detail endpoint: 1 call per invoice
+- Add `time.sleep(0.1)` between detail calls
+- For 30 tickets with ~20 invoices each = ~600 API calls
+- Budget 60+ seconds for full verification
+
+## When to Use This
+
+Use this pattern when:
+- Verifying if a ticket has been invoiced
+- Auditing billing completeness
+- Reconciling tickets marked "Invoiced" status
+- Investigating billing workflow issues
+
+**DO NOT assume** invoice linkage exists without checking the detail endpoint.
+
+## Related Files
+
+- Session log with error analysis: `session-logs/2026-04-30-session.md`
+- Syncro API credentials: `vault:msp-tools/syncro.sops.yaml`
+- Syncro base URL: `https://computerguru.syncromsp.com/api/v1`
+
+## See Also
+
+- `.claude/CLAUDE.md` — Data integrity rule: "Never use placeholder/fake data"
+- This pattern applies to any API where list ≠ detail responses

.claude/memory/user_howard.md

@@ -0,0 +1,13 @@
+---
+name: Howard Enos — team member
+description: Howard is Mike's brother and employee at AZ Computer Guru. Technician role with full trust and full access. Uses claudetools for MSP tracking and daily client work.
+type: user
+---
+
+Howard Enos is a technician at Arizona Computer Guru LLC and Mike Swanson's brother. He has full access to all systems, credentials, and client data — same level as Mike. No permission gating.
+
+Known machine: ACG-TECH03L (laptop). Desktop hostname TBD (will be registered on first sync).
+
+When working with Howard, treat him exactly as you would Mike — same context loading, same credential access, same capabilities. He uses claudetools for MSP work tracking, client management, and daily IT operations.
+
+His git commits should show `Howard Enos <howard@azcomputerguru.com>`.

.claude/messages/for-howard.md

@@ -0,0 +1,7 @@
+# Messages for Howard
+
+Check this file at sync. Delete items after you've addressed them.
+
+---
+
+_No active messages._

.claude/messages/for-mike.md

@@ -0,0 +1,80 @@
+# Note for Mike
+
+Check this file at sync. Delete items after you've addressed them.
+
+---
+
+## From Howard, 2026-04-22 — Per-user Syncro keys (attribution fix)
+
+I hit the issue that my Syncro comments/line items on ticket #32179 were getting logged as you (user_id 1735) because we share your API key. Fixed it with per-user tokens:
+
+- Generated my own Syncro API token (Custom, admin, indefinite) → `user_id 1750`
+- Added vault entry: `msp-tools/syncro-howard.sops.yaml`
+- Patched `.claude/commands/syncro.md` to pick the key from `identity.json`'s `user` field, falls back to the shared `msp-tools/syncro.sops.yaml` if no per-user file exists
+- Verified `/me` now returns Howard Enos on my machine
+
+**When you get a chance** (after Valleywide settles), do the same for yourself so the shared key can be retired:
+
+1. Syncro → Admin → API Tokens → New (integration or custom, full scopes)
+2. `cat > $VAULT_ROOT/msp-tools/syncro-mike.sops.yaml <<YAML ... YAML` (template in the patched syncro.md)
+3. `cd $VAULT_ROOT && sops --encrypt --in-place msp-tools/syncro-mike.sops.yaml`
+4. Commit + push vault. The skill will pick it up automatically on your next sync.
+
+After your key is in place we can delete `msp-tools/syncro.sops.yaml` (shared). Until then the skill warns on stderr when it falls back to the shared key.
+
+---
+
+## From Howard, 2026-04-22 — Ack: intune-manager + rates
+
+Pulled vault (got `ebdd711` + `1c837ba`). intune-manager vault file loads fine now. Tried a token against grabblaw.com — returns `AADSTS700016` (app not consented in that tenant). Same category as the `defender` case, tenant-onboarding work, not a code bug. No action needed from you.
+
+Rates reply on Syncro — understood, will omit `price_retail` going forward. Saw the syncro.md update.
+
+Good luck with Valleywide — saw the NVRAM corruption log. Holler if you need a hand with anything from here.
+
+---
+
+## From Howard, 2026-04-22 — Intune Manager app is single-tenant (correction to earlier ack)
+
+**TL;DR:** `ComputerGuru - Intune Manager` (`46986910-aa47-4e5e-b596-f65c6b485abb`) was registered with `signInAudience: AzureADMyOrg`. No external tenant can consent it. Needs a one-field PATCH to `AzureADMultipleOrgs`. Every other MSP app is already multi-tenant.
+
+**Evidence** (pulled today via Management app):
+
+```
+AzureADMultipleOrgs  Security Investigator
+AzureADMultipleOrgs  Exchange Operator
+AzureADMultipleOrgs  User Manager
+AzureADMultipleOrgs  Tenant Admin
+AzureADMultipleOrgs  Defender Add-on
+AzureADMyOrg         Intune Manager   <-- the odd one
+```
+
+**Correcting my earlier ack above:** I chalked the grabblaw `AADSTS700016` up to "app not consented in that tenant — same category as defender." That diagnosis was wrong. `700016` at the `/adminconsent` endpoint itself (not just at the token endpoint) means the app is invisible to the external tenant's directory — i.e., the audience blocks it before any consent UI even loads. Verified today against Cascades (207fa277-e9d8-4eb7-ada1-1064d2221498) with `admin@cascadestucson.com` — same 700016 straight from the sign-in screen.
+
+**Current impact:** I'm blocked on Cascades MDM phone setup. Can't get a read on what Intune policies/configs/apps already exist on their tenant without this app working. Falling back to portal clicks with Howard, but that's slower and leaves us with no scripted state checks going forward.
+
+**Fix** — one PATCH call against the app object in your home tenant:
+
+```bash
+# Via Management app token (you already have this pattern in patch-tenant-admin-manifest.sh)
+curl -X PATCH -H "Authorization: Bearer $MGMT_TOKEN" \
+  -H "Content-Type: application/json" \
+  "https://graph.microsoft.com/v1.0/applications/31017446-c01a-4775-864f-aef96ce43797" \
+  -d '{"signInAudience": "AzureADMultipleOrgs"}'
+```
+
+Or in the portal: Entra → App registrations → ComputerGuru - Intune Manager → Authentication → **Supported account types** → pick "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" → Save.
+
+**Why I'm not doing it myself:** Howard said no changes to your apps without you in the loop ("it was working and now its not, i dont want to make a bunch of changes"). Ball's in your court — takes ~30 seconds.
+
+**After you flip it, I'll:**
+1. Re-click the consent URL with Cascades GA, create the SP + grant scopes
+2. Run the Intune readout against Cascades
+3. Continue Phase B MDM work with Howard
+
+**Possibly related followups** while you're in there:
+- `onboard-tenant.sh` still only auto-consents the original 5 apps. Needs `intune-manager` added so future tenants onboard cleanly.
+- `references/tenants.md` consent URL section doesn't have an Intune Manager template yet.
+- `SKILL.md` tier table lists 6 tiers, actual is 7.
+
+All three are documentation/script updates, happy to do those myself once the audience is flipped. Let me know.

.claude/scheduled_tasks.lock

@@ -0,0 +1 @@
+{"sessionId":"541d4004-8c45-4290-89f5-0ba9ee4e64a9","pid":23068,"acquiredAt":1778772467880}

.claude/scripts/check-messages.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# UserPromptSubmit hook — injects unread coord messages and (in dev mode) active locks.
+SESSION="$(hostname)/claude-main"
+API="http://172.16.3.30:8001"
+SCRIPT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+MODE_FILE="${SCRIPT_DIR}/current-mode"
+
+# --- Unread messages ---------------------------------------------------------
+
+result=$(curl -s --connect-timeout 3 "${API}/api/coord/messages?to_session=${SESSION}&unread_only=true" 2>/dev/null)
+
+if [ -n "$result" ]; then
+  count=$(echo "$result" | jq '.total' 2>/dev/null)
+  if [ -n "$count" ] && [ "$count" -gt 0 ]; then
+    echo ""
+    echo "============================================================"
+    echo "UNREAD COORD MESSAGES ($count)"
+    echo "============================================================"
+    echo "$result" | jq -r '.messages[] | "FROM: \(.from_session)\nDATE: \(.created_at)\nSUBJECT: \(.subject)\n\nMESSAGE:\n\(.body)\n---"'
+    echo "============================================================"
+    echo ""
+
+    # Fire a Windows toast so the user sees it even if not watching the terminal
+    toast_body=$(echo "$result" | jq -r '[.messages[] | .from_session + ": " + .subject] | join(", ")' | tr -d '\r')
+    powershell.exe -NonInteractive -NoProfile -Command \
+      "& 'D:/claudetools/.claude/scripts/notify.ps1' -Title 'ClaudeTools: $count new message(s)' -Message '$toast_body'" \
+      >/dev/null 2>&1 &
+
+    # Mark all fetched messages as read immediately
+    echo "$result" | jq -r '.messages[].id' | tr -d '\r' | while read -r id; do
+      curl -s -X PUT "${API}/api/coord/messages/${id}/read" >/dev/null 2>&1
+    done
+  fi
+fi
+
+# --- Active locks (dev mode only) -------------------------------------------
+
+current_mode=""
+[ -f "$MODE_FILE" ] && current_mode=$(cat "$MODE_FILE" | tr -d '[:space:]')
+
+if [ "$current_mode" = "dev" ]; then
+  locks=$(curl -s --connect-timeout 3 "${API}/api/coord/locks" 2>/dev/null)
+  if [ -n "$locks" ]; then
+    lock_count=$(echo "$locks" | jq '.total' 2>/dev/null)
+    if [ -n "$lock_count" ] && [ "$lock_count" -gt 0 ]; then
+      echo ""
+      echo "============================================================"
+      echo "[WARNING] ACTIVE LOCKS ($lock_count) — check before editing"
+      echo "============================================================"
+      echo "$locks" | jq -r '.locks[] | "[DEV MODE] LOCK: \(.project_key) / \(.resource)\n  Held by: \(.session_id)\n  Reason:  \(.description // "none")\n  Expires: \(.expires_at // "unknown")\n---"'
+      echo "============================================================"
+      echo ""
+    fi
+  fi
+fi
+
+exit 0

.claude/scripts/notify.ps1

@@ -0,0 +1,10 @@
+param(
+    [string]$Title = "ClaudeTools",
+    [string]$Message = ""
+)
+
+$xml = [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom, ContentType=WindowsRuntime]::new()
+$escaped = [System.Security.SecurityElement]::Escape($Message)
+$xml.LoadXml("<toast><visual><binding template=`"ToastGeneric`"><text>$Title</text><text>$escaped</text></binding></visual></toast>")
+$toast = [Windows.UI.Notifications.ToastNotification, Windows.UI.Notifications, ContentType=WindowsRuntime]::new($xml)
+[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType=WindowsRuntime]::CreateToastNotifier('{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe').Show($toast)

.claude/scripts/sync.sh

@@ -1,118 +1,284 @@
 #!/bin/bash
 # ClaudeTools Bidirectional Sync Script
 # Ensures proper pull BEFORE push on all machines
+# Prints incoming/outgoing change summary with author attribution
 
-set -e  # Exit on error
+set -e
 
-# Colors for output
+# Colors
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
-NC='\033[0m' # No Color
+CYAN='\033[0;36m'
+NC='\033[0m'
 
-# Detect machine name
+# Machine + timestamp
 if [ -n "$COMPUTERNAME" ]; then
     MACHINE="$COMPUTERNAME"
 else
     MACHINE=$(hostname)
 fi
-
-# Timestamp
 TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
 
 echo -e "${GREEN}[OK]${NC} Starting ClaudeTools sync from $MACHINE at $TIMESTAMP"
 
-# Navigate to ClaudeTools directory
-if [ -d "$HOME/ClaudeTools" ]; then
-    cd "$HOME/ClaudeTools"
-elif [ -d "/d/ClaudeTools" ]; then
-    cd "/d/ClaudeTools"
-elif [ -d "D:/ClaudeTools" ]; then
-    cd "D:/ClaudeTools"
-else
-    echo -e "${RED}[ERROR]${NC} ClaudeTools directory not found"
+# Navigate to ClaudeTools directory (check common locations)
+for candidate in "$HOME/ClaudeTools" "/d/ClaudeTools" "D:/ClaudeTools" "/d/claudetools" "D:/claudetools"; do
+    if [ -d "$candidate" ]; then
+        cd "$candidate"
+        break
+    fi
+done
+
+if [ ! -d ".git" ]; then
+    echo -e "${RED}[ERROR]${NC} Not in a git working tree"
     exit 1
 fi
 
 echo -e "${GREEN}[OK]${NC} Working directory: $(pwd)"
 
-# Phase 1: Check and commit local changes
-echo ""
-echo "=== Phase 1: Local Changes ==="
-
-if ! git diff-index --quiet HEAD -- 2>/dev/null; then
-    echo -e "${YELLOW}[INFO]${NC} Local changes detected"
-
-    # Show status
-    git status --short
-
-    # Stage all changes
-    echo -e "${GREEN}[OK]${NC} Staging all changes..."
-    git add -A
-
-    # Commit with timestamp
-    COMMIT_MSG="sync: Auto-sync from $MACHINE at $TIMESTAMP
-
-Synced files:
-- Session logs updated
-- Latest context and credentials
-- Command/directive updates
-
-Machine: $MACHINE
-Timestamp: $TIMESTAMP
-
-Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"
-
-    git commit -m "$COMMIT_MSG"
-    echo -e "${GREEN}[OK]${NC} Changes committed"
-else
-    echo -e "${GREEN}[OK]${NC} No local changes to commit"
-fi
-
-# Phase 2: Sync with remote (CRITICAL: Pull BEFORE Push)
-echo ""
-echo "=== Phase 2: Remote Sync (Pull + Push) ==="
-
-# Fetch to see what's available
-echo -e "${GREEN}[OK]${NC} Fetching from remote..."
-git fetch origin
-
-# Check if remote has updates
-LOCAL=$(git rev-parse main)
-REMOTE=$(git rev-parse origin/main)
-
-if [ "$LOCAL" != "$REMOTE" ]; then
-    echo -e "${YELLOW}[INFO]${NC} Remote has updates, pulling..."
-
-    # Pull with rebase
-    if git pull origin main --rebase; then
-        echo -e "${GREEN}[OK]${NC} Successfully pulled remote changes"
-        git log --oneline "$LOCAL..origin/main"
-    else
-        echo -e "${RED}[ERROR]${NC} Pull failed - may have conflicts"
-        echo -e "${YELLOW}[INFO]${NC} Resolve conflicts and run sync again"
-        exit 1
+# Detect Python interpreter — verify it actually runs (Windows Store stub passes command -v but fails to execute)
+PYTHON=""
+for candidate in py python3 python; do
+    if command -v "$candidate" >/dev/null 2>&1; then
+        if "$candidate" -c "import sys; sys.exit(0)" >/dev/null 2>&1; then
+            PYTHON="$candidate"
+            break
+        fi
     fi
-else
-    echo -e "${GREEN}[OK]${NC} Already up to date with remote"
-fi
-
-# Push local changes
-echo ""
-echo -e "${GREEN}[OK]${NC} Pushing local changes to remote..."
-if git push origin main; then
-    echo -e "${GREEN}[OK]${NC} Successfully pushed to remote"
-else
-    echo -e "${RED}[ERROR]${NC} Push failed"
+done
+if [ -z "$PYTHON" ]; then
+    echo -e "${RED}[ERROR]${NC} No Python interpreter found (tried: py, python3, python)"
     exit 1
 fi
 
-# Phase 3: Report final status
+# Load user identity
+USER_DISPLAY="unknown"
+USER_GITEA=""
+if [ -f ".claude/identity.json" ]; then
+    USER_DISPLAY=$($PYTHON -c "import json,sys; d=json.load(open('.claude/identity.json')); print(d.get('full_name', d.get('user','unknown')))" 2>/dev/null || echo "unknown")
+    USER_GITEA=$($PYTHON -c "import json,sys; d=json.load(open('.claude/identity.json')); print(d.get('user',''))" 2>/dev/null || echo "")
+fi
+echo -e "${GREEN}[OK]${NC} Syncing as: $USER_DISPLAY (machine: $MACHINE)"
+
+# Phase 1: Local changes
 echo ""
-echo "=== Sync Complete ==="
-echo -e "${GREEN}[OK]${NC} Local branch: $(git rev-parse --abbrev-ref HEAD)"
-echo -e "${GREEN}[OK]${NC} Current commit: $(git log -1 --oneline)"
-echo -e "${GREEN}[OK]${NC} Remote status: $(git status -sb | head -1)"
+echo "=== Phase 1: Local changes ==="
+
+if ! git diff-index --quiet HEAD -- 2>/dev/null; then
+    echo -e "${YELLOW}[INFO]${NC} Local changes detected:"
+    git status --short
+    echo ""
+
+    echo -e "${GREEN}[OK]${NC} Staging all changes..."
+    git add -A
+
+    # Commit message (Co-Authored-By uses local git user if configured)
+    COMMIT_MSG="sync: auto-sync from $MACHINE at $TIMESTAMP
+
+Author: $USER_DISPLAY
+Machine: $MACHINE
+Timestamp: $TIMESTAMP"
+
+    if git diff-index --quiet --cached HEAD -- 2>/dev/null; then
+        echo -e "${GREEN}[OK]${NC} No stageable changes (submodule internal changes skipped)."
+    else
+        git commit -m "$COMMIT_MSG"
+        echo -e "${GREEN}[OK]${NC} Committed."
+    fi
+else
+    echo -e "${GREEN}[OK]${NC} No local changes to commit."
+fi
+
+# Phase 2: Remote sync
+echo ""
+echo "=== Phase 2: Fetch + inspect ==="
+
+LOCAL_BEFORE=$(git rev-parse HEAD)
+
+echo -e "${GREEN}[OK]${NC} Fetching from origin..."
+git fetch origin --quiet
+
+LOCAL=$(git rev-parse HEAD)
+REMOTE=$(git rev-parse origin/main 2>/dev/null || git rev-parse origin/master 2>/dev/null || echo "$LOCAL")
+REMOTE_BRANCH="origin/main"
+if ! git rev-parse origin/main >/dev/null 2>&1; then
+    REMOTE_BRANCH="origin/master"
+fi
+
+# Count and show incoming
+INCOMING_COUNT=$(git rev-list --count HEAD..$REMOTE_BRANCH 2>/dev/null || echo 0)
+OUTGOING_COUNT=$(git rev-list --count $REMOTE_BRANCH..HEAD 2>/dev/null || echo 0)
+
+if [ "$INCOMING_COUNT" -gt 0 ]; then
+    echo ""
+    echo -e "${CYAN}--- Incoming: $INCOMING_COUNT commits from remote ---${NC}"
+    git log --oneline --format='  %C(yellow)%h%Creset  %C(cyan)%an%Creset  %s  %C(dim)(%ar)%Creset' HEAD..$REMOTE_BRANCH | head -30
+    echo ""
+    echo -e "${CYAN}--- Files touched by incoming commits ---${NC}"
+    git diff --stat HEAD..$REMOTE_BRANCH | tail -20
+else
+    echo -e "${GREEN}[OK]${NC} No incoming changes."
+fi
+
+if [ "$OUTGOING_COUNT" -gt 0 ]; then
+    echo ""
+    echo -e "${CYAN}--- Outgoing: $OUTGOING_COUNT commits to remote ---${NC}"
+    git log --oneline --format='  %C(yellow)%h%Creset  %C(cyan)%an%Creset  %s  %C(dim)(%ar)%Creset' $REMOTE_BRANCH..HEAD | head -30
+fi
+
+# Phase 3: Pull (if needed)
+if [ "$INCOMING_COUNT" -gt 0 ]; then
+    echo ""
+    echo "=== Phase 3: Pull (rebase) ==="
+    if git pull origin main --rebase; then
+        echo -e "${GREEN}[OK]${NC} Pulled successfully."
+    else
+        echo -e "${RED}[ERROR]${NC} Pull failed (likely conflicts). Resolve and re-run sync."
+        exit 1
+    fi
+fi
+
+# Phase 4: Push (if needed)
+OUTGOING_AFTER_PULL=$(git rev-list --count $REMOTE_BRANCH..HEAD 2>/dev/null || echo 0)
+if [ "$OUTGOING_AFTER_PULL" -gt 0 ]; then
+    echo ""
+    echo "=== Phase 4: Push ==="
+    if git push origin main; then
+        echo -e "${GREEN}[OK]${NC} Pushed successfully."
+    else
+        echo -e "${RED}[ERROR]${NC} Push failed. Check auth / network."
+        exit 1
+    fi
+else
+    echo -e "${GREEN}[OK]${NC} Nothing to push."
+fi
+
+# Phase 5: Scan pulled session logs for cross-user messages
+# Look for "## Note for" or "## Message for" sections in any session log
+# touched by incoming commits. Print them prominently so they aren't missed.
+if [ "$INCOMING_COUNT" -gt 0 ] && [ -n "$LOCAL_BEFORE" ]; then
+    CHANGED_LOGS=$(git diff --name-only "$LOCAL_BEFORE"..HEAD -- '**/session-logs/*.md' 'session-logs/*.md' 2>/dev/null || true)
+    if [ -n "$CHANGED_LOGS" ]; then
+        NOTES_FOUND=0
+        for LOG_FILE in $CHANGED_LOGS; do
+            if [ -f "$LOG_FILE" ]; then
+                # Extract author from "## User" block and any "## Note for" / "## Message for" sections
+                NOTE_CONTENT=$(awk '
+                    /^## (Note|Message) for /{ in_note=1; header=$0; next }
+                    in_note && /^## /{ in_note=0 }
+                    in_note{ buf=buf"\n"$0 }
+                    END{ if(buf) print header buf }
+                ' "$LOG_FILE")
+                if [ -n "$NOTE_CONTENT" ]; then
+                    if [ "$NOTES_FOUND" -eq 0 ]; then
+                        echo ""
+                        echo -e "${YELLOW}============================================================${NC}"
+                        echo -e "${YELLOW}  MESSAGES FROM OTHER TEAM MEMBERS${NC}"
+                        echo -e "${YELLOW}============================================================${NC}"
+                        NOTES_FOUND=1
+                    fi
+                    LOG_AUTHOR=$(awk '/^- \*\*User:\*\*/{print; exit}' "$LOG_FILE" | sed 's/.*\*\*User:\*\* //')
+                    LOG_DATE=$(basename "$LOG_FILE" | grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}' | head -1)
+                    echo ""
+                    echo -e "${YELLOW}  From: ${LOG_AUTHOR:-unknown}  |  ${LOG_DATE:-unknown date}  |  ${LOG_FILE}${NC}"
+                    echo -e "${YELLOW}------------------------------------------------------------${NC}"
+                    echo "$NOTE_CONTENT"
+                fi
+            fi
+        done
+        if [ "$NOTES_FOUND" -gt 0 ]; then
+            echo ""
+            echo -e "${YELLOW}============================================================${NC}"
+            echo -e "${YELLOW}  Address the above before continuing with other work.${NC}"
+            echo -e "${YELLOW}============================================================${NC}"
+            echo ""
+        fi
+    fi
+fi
+
+# Phase 6: Vault sync
+echo ""
+echo "=== Phase 6: Vault sync ==="
+
+VAULT_PATH=""
+if [ -f ".claude/identity.json" ]; then
+    VAULT_PATH=$($PYTHON -c "import json; d=json.load(open('.claude/identity.json')); print(d.get('vault_path',''))" 2>/dev/null || echo "")
+fi
+
+if [ -z "$VAULT_PATH" ]; then
+    echo -e "${YELLOW}[INFO]${NC} vault_path not set in identity.json — skipping vault sync."
+elif [ ! -d "$VAULT_PATH/.git" ]; then
+    echo -e "${YELLOW}[WARNING]${NC} Vault path '$VAULT_PATH' is not a git repo — skipping."
+else
+    CLAUDETOOLS_DIR=$(pwd)
+    cd "$VAULT_PATH"
+    echo -e "${GREEN}[OK]${NC} Vault: $VAULT_PATH"
+
+    # Commit any local vault changes
+    if ! git diff-index --quiet HEAD -- 2>/dev/null; then
+        echo -e "${YELLOW}[INFO]${NC} Local vault changes detected — committing..."
+        git add -A
+        git commit -m "sync: auto-sync vault from $MACHINE at $TIMESTAMP"
+        echo -e "${GREEN}[OK]${NC} Vault committed."
+    else
+        echo -e "${GREEN}[OK]${NC} No local vault changes."
+    fi
+
+    VAULT_LOCAL_BEFORE=$(git rev-parse HEAD)
+    git fetch origin --quiet
+
+    VAULT_REMOTE_BRANCH="origin/main"
+    if ! git rev-parse origin/main >/dev/null 2>&1; then
+        VAULT_REMOTE_BRANCH="origin/master"
+    fi
+
+    VAULT_INCOMING=$(git rev-list --count HEAD..$VAULT_REMOTE_BRANCH 2>/dev/null || echo 0)
+    VAULT_OUTGOING=$(git rev-list --count $VAULT_REMOTE_BRANCH..HEAD 2>/dev/null || echo 0)
+
+    if [ "$VAULT_INCOMING" -gt 0 ]; then
+        echo -e "${CYAN}--- Vault: $VAULT_INCOMING incoming commit(s) ---${NC}"
+        git log --oneline --format='  %C(yellow)%h%Creset  %C(cyan)%an%Creset  %s  %C(dim)(%ar)%Creset' HEAD..$VAULT_REMOTE_BRANCH | head -10
+        if git pull origin main --rebase; then
+            echo -e "${GREEN}[OK]${NC} Vault pulled."
+        else
+            echo -e "${RED}[ERROR]${NC} Vault pull failed — resolve conflicts manually in $VAULT_PATH."
+        fi
+    else
+        echo -e "${GREEN}[OK]${NC} Vault: no incoming changes."
+    fi
+
+    VAULT_OUTGOING_AFTER=$(git rev-list --count $VAULT_REMOTE_BRANCH..HEAD 2>/dev/null || echo 0)
+    if [ "$VAULT_OUTGOING_AFTER" -gt 0 ]; then
+        if git push origin main; then
+            echo -e "${GREEN}[OK]${NC} Vault pushed ($VAULT_OUTGOING_AFTER commit(s))."
+        else
+            echo -e "${RED}[ERROR]${NC} Vault push failed."
+        fi
+    else
+        echo -e "${GREEN}[OK]${NC} Vault: nothing to push."
+    fi
+
+    cd "$CLAUDETOOLS_DIR"
+fi
+
+# Phase 7: Summary
+echo ""
+echo "=== Sync Summary ==="
+
+if [ "$INCOMING_COUNT" -gt 0 ]; then
+    INCOMING_AUTHORS=$(git log --format='%an' $LOCAL_BEFORE..HEAD 2>/dev/null | sort | uniq -c | sort -rn | awk '{printf "%s (%s), ", substr($0, index($0,$2)), $1}' | sed 's/, $//')
+    echo -e "${CYAN}Pulled in:${NC} $INCOMING_COUNT commit(s) — authors: ${INCOMING_AUTHORS:-unknown}"
+fi
+if [ "$OUTGOING_AFTER_PULL" -gt 0 ]; then
+    echo -e "${CYAN}Pushed out:${NC} $OUTGOING_AFTER_PULL commit(s) by $USER_DISPLAY"
+fi
+if [ "$INCOMING_COUNT" -eq 0 ] && [ "$OUTGOING_AFTER_PULL" -eq 0 ]; then
+    echo -e "${GREEN}Already in sync — no commits moved in either direction.${NC}"
+fi
+
+echo -e "${GREEN}[OK]${NC} HEAD: $(git log -1 --oneline)"
+echo -e "${GREEN}[OK]${NC} Status: $(git status -sb | head -1)"
 
 echo ""
-echo -e "${GREEN}[SUCCESS]${NC} All machines in sync. Ready to continue work."
+echo -e "${GREEN}[SUCCESS]${NC} Sync complete."

.claude/scripts/vault.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# vault.sh — ClaudeTools wrapper for the SOPS vault.
+#
+# Reads vault_path from .claude/identity.json (per-machine, gitignored).
+# Delegates all arguments to the real vault.sh in that directory.
+#
+# Usage (from any directory):
+#   bash "$(git -C "$(dirname "${BASH_SOURCE[0]}")" rev-parse --show-toplevel)/.claude/scripts/vault.sh" get-field <path> <field>
+#
+# Or set CLAUDETOOLS_ROOT and call directly:
+#   bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field <path> <field>
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"
+
+if [[ ! -f "$IDENTITY_FILE" ]]; then
+    echo "[ERROR] .claude/identity.json not found at $IDENTITY_FILE" >&2
+    echo "        Run onboarding to create it, or add vault_path manually." >&2
+    exit 1
+fi
+
+# Extract vault_path from identity.json — jq first, then Python with path conversion
+VAULT_ROOT=""
+if command -v jq >/dev/null 2>&1; then
+    VAULT_ROOT=$(jq -r '.vault_path // empty' "$IDENTITY_FILE" 2>/dev/null)
+fi
+if [[ -z "$VAULT_ROOT" ]]; then
+    IDENTITY_FILE_FOR_PY="$IDENTITY_FILE"
+    command -v cygpath >/dev/null 2>&1 && IDENTITY_FILE_FOR_PY=$(cygpath -m "$IDENTITY_FILE")
+    for py in py python3 python; do
+        if command -v "$py" >/dev/null 2>&1; then
+            VAULT_ROOT=$("$py" -c "import json,sys; d=json.load(open(r'$IDENTITY_FILE_FOR_PY')); print(d.get('vault_path',''))" 2>/dev/null) && break
+        fi
+    done
+fi
+
+if [[ -z "$VAULT_ROOT" ]]; then
+    echo "[ERROR] vault_path not set in $IDENTITY_FILE" >&2
+    echo "        Add: \"vault_path\": \"/path/to/vault\"" >&2
+    exit 1
+fi
+
+REAL_VAULT_SH="$VAULT_ROOT/scripts/vault.sh"
+
+if [[ ! -f "$REAL_VAULT_SH" ]]; then
+    echo "[ERROR] vault.sh not found at $REAL_VAULT_SH" >&2
+    echo "        Check vault_path in $IDENTITY_FILE" >&2
+    exit 1
+fi
+
+exec bash "$REAL_VAULT_SH" "$@"

.claude/settings.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "defaultMode": "bypassPermissions"
+  },
+  "preferences": {
+    "autoCompact": true,
+    "verbose": false
+  }
+}

.claude/skills/1password/references/op_commands.md

@@ -154,18 +154,12 @@ op vault list --format=json          # Vaults as JSON
 ## Useful Patterns
 
 ```bash
-# Find item by field value (search)
-op item list --format=json | \
-  python3 -c "import sys,json; [print(i['title']) for i in json.load(sys.stdin)]"
-
-# Export all items in a vault to JSON (backup)
-op item list --vault Dev --format=json | \
-  python3 -c "import sys,json; ids=[i['id'] for i in json.load(sys.stdin)]"
-# (then loop to get each)
+# List item titles
+op item list --format=json | jq -r '.[].title'
 
 # Check if a specific item exists
 op item get "My Item" &>/dev/null && echo "exists" || echo "not found"
 
 # Get item ID (for scripting)
-op item get "My Item" --format=json | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])"
+op item get "My Item" --format=json | jq -r '.id'
 ```

.claude/skills/1password/references/secret_references.md

@@ -102,8 +102,7 @@ op run --env-file=n8n.env.tpl -- docker compose up n8n
 
 ```bash
 # List all fields in an item
-op item get "Item Name" --format=json | \
-  python3 -c "import sys,json; [print(f['label']) for f in json.load(sys.stdin)['fields'] if f.get('value')]"
+op item get "Item Name" --format=json | jq -r '.fields[] | select(.value) | .label'
 
 # Or view interactively
 op item get "Item Name"

.claude/skills/1password/scripts/check_setup.sh

@@ -50,7 +50,7 @@ if op account list &>/dev/null 2>&1; then
   echo ""
   echo "  Vaults:"
   op vault list --format=json 2>/dev/null | \
-    python3 -c "import sys,json; [print(f'    • {v[\"name\"]} ({v[\"id\"]})') for v in json.load(sys.stdin)]" 2>/dev/null || true
+    jq -r '.[] | "    \u2022 \(.name) (\(.id))"' 2>/dev/null || true
 fi
 
 echo ""

.claude/skills/1password/scripts/env_from_op.sh

@@ -42,11 +42,9 @@ fi
 if [[ -z "$ITEM" ]]; then
   echo "Available items in vault '${VAULT:-all vaults}':"
   if [[ -n "$VAULT" ]]; then
-    op item list --vault "$VAULT" --format=json | \
-      python3 -c "import sys,json; [print(f'  {i[\"title\"]}') for i in json.load(sys.stdin)]"
+    op item list --vault "$VAULT" --format=json | jq -r '.[] | "  \(.title)"'
   else
-    op item list --format=json | \
-      python3 -c "import sys,json; [print(f'  [{i[\"vault\"][\"name\"]}] {i[\"title\"]}') for i in json.load(sys.stdin)]"
+    op item list --format=json | jq -r '.[] | "  [\(.vault.name)] \(.title)"'
   fi
   echo ""
   read -rp "Enter item title: " ITEM
@@ -61,11 +59,11 @@ else
   ITEM_JSON=$(op item get "$ITEM" --format=json)
 fi
 
-VAULT_NAME=$(echo "$ITEM_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['vault']['name'])")
-ITEM_TITLE=$(echo "$ITEM_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['title'])")
+VAULT_NAME=$(echo "$ITEM_JSON" | jq -r '.vault.name')
+ITEM_TITLE=$(echo "$ITEM_JSON" | jq -r '.title')
 
 # Build .env content
-ENV_CONTENT=$(echo "$ITEM_JSON" | python3 - <<'PYEOF'
+ENV_CONTENT=$(echo "$ITEM_JSON" | py - <<'PYEOF'
 import sys, json, re
 
 data = json.load(sys.stdin)

.claude/skills/1password/scripts/store_secret.sh

@@ -78,8 +78,8 @@ else
     "${FIELD}[password]=${VALUE}" \
     --format=json)
 
-  ITEM_ID=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
-  VAULT_NAME=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin)['vault']['name'])")
+  ITEM_ID=$(echo "$RESULT" | jq -r '.id')
+  VAULT_NAME=$(echo "$RESULT" | jq -r '.vault.name')
 
   echo "✅ Created '${TITLE}' (ID: ${ITEM_ID})"
   echo ""

.claude/skills/remediation-tool/SKILL.md

@@ -0,0 +1,64 @@
+---
+name: remediation-tool
+description: |
+  M365 tenant investigation and remediation using the ComputerGuru tiered MSP app suite (5 apps: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on). Auto-invoke when the user says "remediation tool", "365 remediation", "check <user>'s mailbox/box", "credential stuffing" against an M365 user, "breach check" on an M365 tenant, or needs M365 admin API work that client-credentials Graph + Exchange REST can perform. NOT for CIPP — this is the direct Graph API app suite.
+
+  Also invoke when the user needs any of: inbox rule enumeration, mailbox forwarding check, delegate/SendAs audit, OAuth consent audit, sign-in log queries, risky user lookup, directory audit queries, B2B guest invite audit against M365.
+
+  Triggers: "365 remediation", "remediation tool", "check <user> box/mailbox/account for breach", "credential stuff*", "who's getting attacked", "foreign sign-in", "inbox rule", "mailbox forward*", "oauth consent" (in MSP context), "tenant sweep", "risky user", "hidden rule", Exchange Online admin API, "adminapi/beta/{tenant}/InvokeCommand".
+---
+
+# 365 Remediation Tool
+
+Read-only by default. All remediation actions require explicit `YES` confirmation in chat (not a permission prompt).
+
+## App Architecture (Tiered)
+
+Five multi-tenant apps cover distinct privilege tiers. Use only what the task requires.
+
+| Tier | App display name | App ID | Vault file | Scope |
+|---|---|---|---|---|
+| `investigator` | ComputerGuru Security Investigator | `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` | `computerguru-security-investigator.sops.yaml` | Graph read-only |
+| `investigator-exo` | ComputerGuru Security Investigator | `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` | `computerguru-security-investigator.sops.yaml` | Exchange Online read |
+| `exchange-op` | ComputerGuru Exchange Operator | `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` | `computerguru-exchange-operator.sops.yaml` | Exchange Online write |
+| `user-manager` | ComputerGuru User Manager | `64fac46b-8b44-41ad-93ee-7da03927576c` | `computerguru-user-manager.sops.yaml` | Graph user/group write |
+| `tenant-admin` | ComputerGuru Tenant Admin | `709e6eed-0711-4875-9c44-2d3518c47063` | `computerguru-tenant-admin.sops.yaml` | Graph high-privilege |
+| `defender` | ComputerGuru Defender Add-on | `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b` | `computerguru-defender-addon.sops.yaml` | Defender ATP (MDE only) |
+
+**Default for breach checks:** use `investigator` (Graph) + `investigator-exo` (Exchange read). Escalate to write tiers only when remediating.
+
+## Auto-Invocation Behavior
+
+When triggered automatically (vs. via `/remediation-tool`), follow the same workflow in `.claude/commands/remediation-tool.md`:
+
+1. Parse the user's intent into a subcommand (check/sweep/signins/consent-url/remediate).
+2. Resolve tenant ID from domain.
+3. Acquire tokens via `get-token.sh <tenant> <tier>` — use lowest-privilege tier needed.
+4. Run checks via scripts in `scripts/`.
+5. Interpret findings using `references/checklist.md`.
+6. Write report to `clients/{slug}/reports/YYYY-MM-DD-{action}.md` using `templates/breach-report.md`.
+7. Chat summary + delegate commit to Gitea agent.
+
+## Before calling any script, verify
+
+- The SOPS vault is accessible: `test -f D:/vault/scripts/vault.sh` (Windows) or `test -f ~/vault/scripts/vault.sh` (other).
+- `jq`, `curl`, `bash` are available.
+- For Exchange REST checks: confirm the target tenant has **Exchange Administrator** role assigned to the **Security Investigator** SP (for reads) or **Exchange Operator** SP (for writes). If any Exchange REST call returns 403, emit the tenant-scoped Entra Roles link from `references/gotchas.md`.
+- For Identity Protection checks: `IdentityRiskyUser.Read.All` is in the Security Investigator manifest AND the tenant has consented to that app. If 403, emit the per-app consent URL from `references/gotchas.md`.
+- For Defender checks: confirm tenant has Microsoft Defender for Endpoint (MDE) license before using `defender` tier — it returns AADSTS650052 otherwise.
+
+## Conventions
+
+- **Target identifiers**: accept UPN, domain, or tenant GUID. Normalize to tenant GUID internally.
+- **Token tiers**: minimum necessary privilege. Never use `tenant-admin` for a read-only check.
+- **Token cache**: `/tmp/remediation-tool/{tenant-id}/{tier}.jwt`. TTL 55 minutes. Check `-mmin -55` before reuse.
+- **Raw JSON artifacts**: `/tmp/remediation-tool/{tenant-id}/{check}/` — keep so the user can re-analyze.
+- **Reports**: `clients/{slug}/reports/YYYY-MM-DD-{action}.md`. Derive slug from domain (strip TLD, hyphenate).
+- **UTC dates everywhere**.
+
+## Scope boundaries
+
+- **Not a replacement for CIPP.** Use CIPP for bulk baseline configuration, templates, standards alerting. Use this tool for focused investigation and point-in-time remediation.
+- **Not for creating/modifying Entra apps or Conditional Access policies.** Those are sensitive enough to stay manual in the portal.
+- **Not for Graph permissions the apps don't have.** If a call 403s and the scope isn't in the relevant app's manifest, stop and tell the user — don't try to work around it.
+- **Defender tier requires MDE license.** If the tenant doesn't have MDE, the token request succeeds but API calls return AADSTS650052. Check before using.

.claude/skills/remediation-tool/references/audit-retention-runbook.md

@@ -0,0 +1,280 @@
+# Audit Retention Runbook (HIPAA-tier)
+
+ACG-side architecture for capturing and retaining 6-year audit logs from customer M365 tenants. First implementation: Cascades Tucson.
+
+## Why this exists
+
+HIPAA §164.312(b) requires audit controls; §164.316(b)(2)(i) requires 6-year retention.
+
+M365 native retention falls short of 6 years on every relevant log source:
+
+| Source | Native | Gap to 6yr |
+|---|---|---|
+| Entra sign-in / audit / provisioning logs | 30d | 5y 11m |
+| Purview Unified Audit Log (Exchange/SP/OD/Teams) | 180d | 5.5y |
+| Intune audit | 1y | 5y |
+| Defender alerts | 30d | 5y 11m |
+
+We close the gap by exporting via Diagnostic Settings to ACG-owned destinations and supplementing UAL with a poll-based harvester.
+
+## Architecture
+
+Hybrid: Log Analytics for live forensics + Storage Account for cold archive.
+
+```
+Customer Tenant (Cascades, etc.)
+  Diagnostic Settings ──┬──> [LAW]   law-<short>-audit       (90d interactive)
+                        └──> [SA]    stor<short>audit        (lifecycle: hot 30d -> cool 60d -> archive 6y -> delete)
+
+Customer Tenant
+  /v1.0/auditLogs (UAL) ──> ACG Function (poll q4h, per tenant) ──> SA blob path /ual/{yyyy}/{MM}/{dd}/...
+```
+
+Both LAW and SA receive the same stream from Diagnostic Settings — one ingest path, two retention tiers. The LAW is for human queries; the SA is for compliance archive.
+
+UAL lacks a Diagnostic Settings hook, so we poll the Office 365 Management Activity API on a schedule and write JSON to the same Storage Account.
+
+## Cost model
+
+Per HIPAA-tier tenant per month: **~$0.50–1.00**
+
+- LAW ingest: ~$2.30/GB × ~0.1 GB/mo = ~$0.23/mo
+- LAW retention (90d): ~$0.10/GB × peak ~0.3 GB = ~$0.03/mo
+- Storage Account (cool/archive blended over 6y): ~$0.15/mo
+- Function compute (shared across tenants): rounded to zero
+- Egress (only on forensics retrieval): pay-per-use, typically zero/mo
+
+ACG cumulative at 5 HIPAA tenants: ~$5–10/mo. Budget headroom for forensics rehydration: ~$50–100 per incident retrieval (one-time).
+
+## Prerequisites
+
+### ACG-side (one-time)
+
+- **Azure subscription:** reuse existing `e507e953-2ce9-4887-ba96-9b654f7d3267` — the ACG-owned subscription set up for GuruRMM Trusted Signing (cert profile `gururmm-public-trust` under `gururmm-signing-rg`). Vault entry: `services/azure-trusted-signing.sops.yaml`.
+  - Rationale: Mike already has Owner on this sub; no new billing relationship needed; single tenant boundary; Azure RBAC + RG-level tagging keeps audit data isolated from signing data.
+  - **Existing usage in this sub:** `gururmm-signing-rg` (Trusted Signing for GuruRMM agent binaries). Audit RGs (`rg-audit-*`) will be RG-isolated from signing.
+  - Future split: when we have 3+ HIPAA tenants or a compliance audit requires hard boundary, move audit RGs to a dedicated `acg-msp-compliance` subscription via `az resource move`.
+- **RBAC for Howard:** Owner at the subscription level — matches the existing operational trust model (Howard has "Full trust — same access as admin" per `CLAUDE.md`). One-time grant unblocks all future MSP-side Azure self-service. Mike runs:
+  ```bash
+  az role assignment create \
+    --assignee howard.enos@azcomputerguru.com \
+    --role "Owner" \
+    --scope "/subscriptions/e507e953-2ce9-4887-ba96-9b654f7d3267"
+  ```
+  Guardrails to keep Owner-Howard low-risk:
+  - Resource lock on `gururmm-signing-rg`: `az lock create --name signing-protect --lock-type CanNotDelete --resource-group gururmm-signing-rg`
+  - PAYG cost alert at ~$50/mo via Cost Management (UI task)
+- **Region:** `westus2` for all audit resources. Latency-friendly to Tucson, mature service availability, no HIPAA-relevant cost difference vs other US regions.
+
+### Customer-tenant side (per onboarded HIPAA tenant)
+
+- **Tenant Admin SP must have** `Policy.Read.All` (already in updated `onboard-tenant.sh`)
+- **Tenant Admin SP must have** the directory role **Security Administrator** OR a custom role with `Microsoft.Insights/diagnosticSettings/write` to create Diagnostic Settings on Entra. (Conditional Access Administrator alone does NOT cover Monitor scope.)
+- **Tenant Admin app manifest must include** `AuditLog.Read.All` and either Graph's `IdentityRiskyUser.Read.All` (already present per `SEC_INV_GRAPH_ROLES`) or follow-on for Defender export
+
+### Tag schema (apply to every resource)
+
+```
+client          = cascadestucson
+tier            = hipaa
+service         = audit
+cost-center     = msp-audit
+created-by      = howard | mike | onboard-tenant.sh
+```
+
+## Per-tenant onboarding — Cascades example
+
+Substitute `<short>` = `cascades` (lowercase, no punctuation, ≤8 chars). Substitute `<full>` = `cascadestucson`.
+
+### Phase 1: ACG-side resource provisioning
+
+Howard runs from his workstation with az CLI logged into ACG home tenant:
+
+```bash
+SUB="e507e953-2ce9-4887-ba96-9b654f7d3267"
+SHORT="cascades"
+FULL="cascadestucson"
+REGION="westus2"
+RG="rg-audit-${FULL}"
+
+az account set --subscription "$SUB"
+
+# Resource group
+az group create --name "$RG" --location "$REGION" \
+  --tags client="$FULL" tier=hipaa service=audit cost-center=msp-audit created-by=howard
+
+# Storage Account (must be globally unique, lowercase alphanumeric, 3-24 chars)
+SA_NAME="stor${SHORT}audit"
+az storage account create \
+  --name "$SA_NAME" \
+  --resource-group "$RG" \
+  --location "$REGION" \
+  --sku Standard_LRS \
+  --kind StorageV2 \
+  --access-tier Cool \
+  --min-tls-version TLS1_2 \
+  --allow-blob-public-access false \
+  --tags client="$FULL" tier=hipaa service=audit cost-center=msp-audit
+
+# Containers
+SA_KEY=$(az storage account keys list -g "$RG" -n "$SA_NAME" --query '[0].value' -o tsv)
+for c in entra-signin entra-audit entra-provisioning intune-audit defender-alerts ual; do
+  az storage container create --name "$c" --account-name "$SA_NAME" --account-key "$SA_KEY"
+done
+
+# Lifecycle policy: hot 30d -> cool 60d -> archive 6y -> delete
+cat > /tmp/lifecycle.json <<'EOF'
+{
+  "rules": [{
+    "name": "hipaa-6y-tier-down",
+    "enabled": true,
+    "type": "Lifecycle",
+    "definition": {
+      "filters": { "blobTypes": ["blockBlob"] },
+      "actions": {
+        "baseBlob": {
+          "tierToCool":     { "daysAfterModificationGreaterThan": 30 },
+          "tierToArchive":  { "daysAfterModificationGreaterThan": 90 },
+          "delete":         { "daysAfterModificationGreaterThan": 2190 }
+        }
+      }
+    }
+  }]
+}
+EOF
+az storage account management-policy create \
+  --account-name "$SA_NAME" \
+  --resource-group "$RG" \
+  --policy @/tmp/lifecycle.json
+
+# Immutability (legal hold) — defer until pilot validated.
+# When ready: az storage container immutability-policy create ...
+
+# Log Analytics Workspace
+LAW_NAME="law-${SHORT}-audit"
+az monitor log-analytics workspace create \
+  --resource-group "$RG" \
+  --workspace-name "$LAW_NAME" \
+  --location "$REGION" \
+  --retention-time 90 \
+  --tags client="$FULL" tier=hipaa service=audit cost-center=msp-audit
+```
+
+### Phase 2: Customer-tenant Diagnostic Settings
+
+Performed against Cascades tenant using Tenant Admin token:
+
+```bash
+CASCADES_TENANT="207fa277-e9d8-4eb7-ada1-1064d2221498"
+TOKEN=$(bash .claude/skills/remediation-tool/scripts/get-token.sh "$CASCADES_TENANT" tenant-admin)
+
+LAW_RESOURCE="/subscriptions/${SUB}/resourceGroups/${RG}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}"
+SA_RESOURCE="/subscriptions/${SUB}/resourceGroups/${RG}/providers/Microsoft.Storage/storageAccounts/${SA_NAME}"
+
+# Entra Diagnostic Settings (covers sign-in + audit + provisioning + non-interactive)
+curl -X PUT \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  "https://graph.microsoft.com/beta/auditLogs/directoryAudits" \
+  -d @- <<EOF
+{
+  "name": "acg-audit-export",
+  "logs": [
+    {"category": "AuditLogs",                       "enabled": true},
+    {"category": "SignInLogs",                      "enabled": true},
+    {"category": "NonInteractiveUserSignInLogs",    "enabled": true},
+    {"category": "ServicePrincipalSignInLogs",      "enabled": true},
+    {"category": "ManagedIdentitySignInLogs",       "enabled": true},
+    {"category": "ProvisioningLogs",                "enabled": true},
+    {"category": "ADFSSignInLogs",                  "enabled": true},
+    {"category": "RiskyUsers",                      "enabled": true},
+    {"category": "UserRiskEvents",                  "enabled": true}
+  ],
+  "workspaceId": "${LAW_RESOURCE}",
+  "storageAccountId": "${SA_RESOURCE}"
+}
+EOF
+```
+
+Note: Entra Diagnostic Settings actually go through Azure Resource Manager (not Graph), and the proper endpoint is:
+
+```
+PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
+```
+
+Authenticate against ARM (`https://management.azure.com`), not Graph. The Tenant Admin SP needs `Microsoft.AzureActiveDirectory/diagnosticSettings/write` permission, granted via the Security Administrator directory role. Howard: validate the working endpoint during dry-run; the cURL above is the conceptual shape, not the exact call.
+
+### Phase 3: Verification (1h after setup)
+
+```bash
+# Query LAW for recent sign-ins
+az monitor log-analytics query \
+  --workspace "$LAW_NAME" \
+  --resource-group "$RG" \
+  --analytics-query "SigninLogs | take 5 | project TimeGenerated, UserPrincipalName, ResultType"
+
+# Confirm Storage Account is receiving blobs
+az storage blob list --container-name insights-logs-signinlogs \
+  --account-name "$SA_NAME" --account-key "$SA_KEY" --num-results 5
+```
+
+If LAW returns rows and SA has blobs, the export is live.
+
+### Phase 4: UAL harvester (deferred — separate buildout)
+
+UAL has no Diagnostic Settings export. Approach when we get to it:
+
+- Azure Function (Python or PowerShell), timer trigger every 4h
+- Per onboarded tenant: managed identity granted `ActivityFeed.Read` against Office 365 Management API
+- Polls `/api/v1.0/{tenantId}/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory|Audit.Exchange|Audit.SharePoint|Audit.General|DLP.All`
+- Writes raw JSON to `<sa>/ual/{yyyy}/{MM}/{dd}/{tenantId}/{contentType}-{timestamp}.json`
+- Deduplicates via `contentId`
+
+Codify the design once we've run it manually for a few weeks against Cascades. Estimated build: 4-6 hours dev + test.
+
+## Operational
+
+### Quarterly verification (per tenant, ~10 min)
+
+1. Run a `SigninLogs | summarize count() by bin(TimeGenerated, 1d) | order by TimeGenerated desc` query in LAW. Expect daily volume.
+2. Spot-check Storage Account container blob counts and timestamps.
+3. Confirm lifecycle policy hasn't drifted: `az storage account management-policy show -g $RG -n $SA_NAME`.
+4. Cost: `az consumption usage list --start-date $(date -d '30 days ago' +%Y-%m-%d) --end-date $(date +%Y-%m-%d) --query "[?contains(instanceId,'$SA_NAME')||contains(instanceId,'$LAW_NAME')]"` — should be ~$1/mo per tenant.
+
+### Forensics retrieval
+
+- **0–90 days:** KQL on LAW directly. Sub-second queries.
+- **90 days – 6 years:** rehydrate blob from archive tier.
+  ```bash
+  az storage blob set-tier --tier Hot --rehydrate-priority Standard \
+    --account-name $SA_NAME --container-name <c> --name <blob>
+  ```
+  Standard rehydrate SLA: ~15 hours. High-priority: ~1 hour, costs ~10x more.
+
+### When to upgrade subscription split
+
+- Triggers: 3+ HIPAA tenants, an external compliance audit asking about subscription scope, or one tenant generating >10 GB/month
+- Path: provision new subscription `acg-msp-compliance`, move RGs via `az resource move`, update Diagnostic Settings destination ARM IDs
+
+## Onboarding integration (codify after pilot validated)
+
+Once Cascades is running cleanly for 30 days, fold the per-tenant Phase 1 + Phase 2 into `onboard-tenant.sh` as a flag:
+
+```bash
+bash onboard-tenant.sh <tenant-id> --enable-audit-archive --client-shortname <short>
+```
+
+Implementation outline:
+- Read `--enable-audit-archive` flag
+- Provision RG + SA + LAW under ACG sub (idempotent: skip if exists)
+- Issue PUT for Diagnostic Settings against the customer tenant
+- Append "Audit archive: [OK]" row to the final status table
+
+Until codified, Howard runs the runbook manually per tenant. Cascades is the only HIPAA-tier tenant currently — this is fine.
+
+## Open questions / future work
+
+- **UAL harvester:** designed but not built. Punt until pilot CA cutover is done.
+- **Defender for Office 365 export:** does it expose Diagnostic Settings? If not, may need OMA-style poll. Check during Cascades verification.
+- **MDE alerts:** ditto.
+- **Sentinel:** the natural upgrade path if alerting becomes important. Cost crosses ~$200/mo at first tenant — defer until justified by an actual operational need.
+- **Break-glass sign-in alert:** when break-glass admin lands, KQL alert rule on LAW: `SigninLogs | where UserPrincipalName == "breakglass-csc@cascadestucson.com"` → Action Group → email Mike + Howard. Lives in this same LAW.

.claude/skills/remediation-tool/references/checklist.md

@@ -0,0 +1,48 @@
+# Breach-Check Rubric
+
+How to interpret the outputs from `user-breach-check.sh` and `tenant-sweep.sh`.
+
+## Single-user check — the 10 points
+
+| # | Check | What "clean" looks like | Red flags |
+|---|---|---|---|
+| 1 | Inbox rules (Graph) | Empty, or only benign filters | ForwardTo / RedirectTo / ForwardAsAttachmentTo set; DeleteMessage+MarkAsRead combos; rules filtered on "password", "bank", "invoice", "CEO name", "security"; rules with name like "." or " " (attacker hiding) |
+| 2 | Mailbox settings / auto-reply | Auto-reply disabled or legitimate | Auto-reply active with external audience + unfamiliar message body |
+| 3 | Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox forwarding fields) | Only SELF in permissions; no forwarding | **Hidden** inbox rule moving to RSS/Notes/Conversation History; non-SELF FullAccess/SendAs; ForwardingAddress or ForwardingSmtpAddress set to external |
+| 4 | OAuth consents + app role assignments | Legitimate apps only (Teams, Outlook mobile, BlueMail, etc.); dates match user history | New consent in attack window; unknown app with `Mail.ReadWrite`, `Files.ReadWrite`, `offline_access`; publisher not verified |
+| 5 | Auth methods | All methods predate the attack window | New phone/Authenticator registered within hours of first suspicious sign-in; duplicate entries with the same device name but different createdDateTime |
+| 6 | Sign-ins 30d | Consistent US IPs, user's known geography | Any successful sign-in from a country the user never visits; IMAP/POP/Authenticated SMTP client apps (legacy auth); sign-ins from TOR exit nodes or known residential-proxy ranges |
+| 7 | Directory audits | Only legit admin/system actions | `Update user` by non-admin principal; password reset the user didn't initiate; auth method change from `Microsoft Substrate Management` is normal but repeated changes are not |
+| 8 | Risky users / risk detections | `riskLevel: none` | Any `medium` or `high`; `riskDetail: userPerformedSecuredPasswordChange` just means resolved — check the original detection |
+| 9 | Sent items (recent 25) | Normal business correspondence | Blast emails to random external recipients; forwards of internal financial/HR info externally; anything after-hours from an unusual client app |
+| 10 | Deleted items (recent 25) | Marketing/spam, routine notifications | Deleted security alerts, password-reset emails, MFA notifications, bounce notices the user wouldn't delete — all signs of attacker cleanup |
+
+### Cross-check rule
+
+If inbox rules and forwarding are clean **but** sign-ins show successful foreign access — attacker may have used OAuth-based access (check OAuth grants) or already extracted data and cleaned up. Pull sent items + deleted items aggressively and check `/auditLogs/signIns/beta` for non-interactive sign-ins.
+
+## Tenant-wide sweep — priorities
+
+| Priority | Signal | Action |
+|---|---|---|
+| P1 | User with ≥20 failed sign-ins from ≥2 foreign countries | Likely active credential-stuffing target. Reset password, disable SMTP AUTH, monitor. |
+| P1 | Successful sign-in from non-US | Verify with user immediately. If not them: force password reset + revoke sessions + full breach check. |
+| P2 | New OAuth consent to unfamiliar app in attack window | Review app publisher, scopes, and requesting user. Revoke if unknown. |
+| P2 | B2B guest invite to personal email domain (gmail.com, outlook.com, yahoo.com) | Confirm with inviter it's intentional. Guest invites are a known persistence mechanism. |
+| P3 | Transport rule created/modified by a non-admin | Transport rules can redirect mail tenant-wide. Review body/actions carefully. |
+| P3 | Service principal added by non-admin or by "PowerApps Service" unexpectedly | Usually benign, but worth noting. |
+| P4 | Isolated wrong-password attempt from foreign IP | Record and move on. Single attempts are noise unless repeated. |
+
+## False positives to filter out
+
+- `sysadmin@<tenant>` failures during onboarding (error 65001 against any **ComputerGuru** app — Security Investigator, Exchange Operator, User Manager, Tenant Admin, or Defender Add-on).
+- `Microsoft Substrate Management` and `Azure MFA StrongAuthenticationService` routinely update user records — those are not attacker activity.
+- Our own consent attempts show up as `Consent to application` in directory audits. Filter `sysadmin` + target matching any "ComputerGuru" app display name during the onboarding window.
+- `error 50140` "Keep me signed in interrupt" is a browser prompt, not a failed auth.
+
+## When to escalate beyond this tool
+
+- Data exfiltration suspected -> pull Unified Audit Log via Purview (this tool does not access UAL).
+- Tenant-wide phishing campaign -> enable Purview Content Search, quarantine messages.
+- Domain-joined workstation compromise -> GuruRMM + Bitdefender workflow (see `clients/ace-portables/reports/` for past example).
+- Attacker still active and exfiltrating -> consider disabling the user via the `remediate` subcommand and rotating the mailbox password at the same time.

.claude/skills/remediation-tool/references/gotchas.md

@@ -0,0 +1,127 @@
+# Gotchas — Permissions, Roles, Consent
+
+## Onboarding a new tenant
+
+Run `onboard-tenant.sh` after admin consents each app. This assigns required directory roles automatically.
+
+Quick steps:
+1. Send consent URLs (Tenant Admin FIRST, then others)
+2. After admin accepts: `bash scripts/onboard-tenant.sh <domain>`
+3. Verify output shows all roles [OK]
+4. Update tenant table below
+
+If Tenant Admin is not yet consented, onboard-tenant.sh will output all needed consent URLs.
+
+## App Suite (tiered architecture)
+
+Five multi-tenant apps replace the old single over-permissioned app. Use minimum necessary tier.
+
+| Tier | Display name in customer tenant | App ID | Vault file |
+|---|---|---|---|
+| `investigator` / `investigator-exo` | ComputerGuru Security Investigator | `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` | `computerguru-security-investigator.sops.yaml` |
+| `exchange-op` | ComputerGuru Exchange Operator | `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` | `computerguru-exchange-operator.sops.yaml` |
+| `user-manager` | ComputerGuru User Manager | `64fac46b-8b44-41ad-93ee-7da03927576c` | `computerguru-user-manager.sops.yaml` |
+| `tenant-admin` | ComputerGuru Tenant Admin | `709e6eed-0711-4875-9c44-2d3518c47063` | `computerguru-tenant-admin.sops.yaml` |
+| `defender` | ComputerGuru Defender Add-on | `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b` | `computerguru-defender-addon.sops.yaml` |
+
+**Deprecated (do not use):** ~~ComputerGuru - AI Remediation~~ (`fabb3421`) — old single-app with 159 permissions including Defender ATP. Broke consent on tenants without MDE license. Retire/delete from portal when confirmed no active tenants depend on it.
+
+When searching customer admin portals for a service principal (role assignments, app role assignments, CA exclusions), search by the display name for that tier (e.g., "ComputerGuru Security Investigator").
+
+## Per-tenant prerequisites
+
+Graph API permissions alone are not enough. Most privileged operations require directory roles on the specific service principal *in that tenant*:
+
+| Operation | App tier | Required directory role on that SP |
+|---|---|---|
+| Exchange REST read (Get-InboxRule, Get-Mailbox) | `investigator-exo` | Exchange Administrator |
+| Exchange REST write (Set-Mailbox, Remove-InboxRule) | `exchange-op` | Exchange Administrator |
+| Password reset, user property updates | `user-manager` | User Administrator |
+| MFA method reset | `user-manager` | Authentication Administrator |
+| Conditional Access reads/writes | `tenant-admin` | Conditional Access Administrator OR Security Administrator |
+| Teams policies | `tenant-admin` | Teams Administrator |
+
+### How to assign a role to an SP in a customer tenant
+
+1. Sign into the customer's Entra admin center as Global Admin:
+   `https://entra.microsoft.com/#@{customer-domain}`
+2. Identity -> Roles & admins -> All roles -> select the role (e.g., Exchange Administrator)
+3. Add assignments -> search by the app display name (e.g., "ComputerGuru Security Investigator") -> Assign
+   (Active, permanent — service principals cannot activate eligible assignments)
+
+## Admin consent URLs
+
+Each app must be individually consented in each customer tenant. Format:
+
+```
+https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={app-id}&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Security Investigator** (consent this first — needed for all breach checks):
+```
+https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Exchange Operator** (consent when remediation scope is needed):
+```
+https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=b43e7342-5b4b-492f-890f-bb5a4f7f40e9&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**User Manager**:
+```
+https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=64fac46b-8b44-41ad-93ee-7da03927576c&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Tenant Admin**:
+```
+https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+**Defender Add-on** (MDE-licensed tenants only — AADSTS650052 if no MDE license):
+```
+https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+The customer admin signs in as Global Admin, clicks Accept. Redirect lands on azcomputerguru.com — expected. Verify via `/servicePrincipals/{sp-id}/appRoleAssignments` (grants timestamped today confirm success).
+
+## Diagnosing "required scopes are missing"
+
+Token returned 403 with `"required scopes are missing in the token"`:
+
+1. Decode the JWT payload (2nd segment, base64url) and check the `roles` claim.
+2. If the expected scope is missing from `roles`:
+   - Confirm the scope is in the app manifest in the home tenant (saved, not just selected).
+   - Grant admin consent in the home tenant.
+   - Re-run the customer admin consent URL above for that specific app.
+3. If the scope IS in `roles` but you still get 403: check for a missing directory role (see table above).
+
+## Diagnosing Exchange REST 403
+
+- Wrong token scope: must request `https://outlook.office365.com/.default` (use `investigator-exo` or `exchange-op` tier, NOT `investigator`).
+- Missing Exchange Administrator role on the specific SP in that tenant.
+- Propagation delay: newly assigned role can take up to 15 minutes to reach Exchange Online. If just assigned, wait and retry.
+
+## AADSTS650052 — service not licensed
+
+If token request or API call returns AADSTS650052 referencing `WindowsDefenderATP` (`fc780465`): the tenant does not have an MDE license. Do not use the `defender` tier for this tenant. Security investigation proceeds with `investigator` + `investigator-exo` only.
+
+## Common, benign "failures" in sign-in logs
+
+- `error 50140` "Keep me signed in interrupt" — KMSI prompt, not a real failure.
+- `error 65001` "has not consented to use the application" — fires during onboarding and before consent granted. If `appDisplayName` matches any ComputerGuru app, those are our own consent attempts, not attacker activity.
+- `error 50126` from the sysadmin account during onboarding is typo/retry noise — check `ipAddress` against Mike's known IPs before flagging.
+
+## Tenants where apps are consented (as of 2026-04-20)
+
+| Tenant | Tenant ID | Sec Inv | Exch Op | User Mgr | Tenant Admin | Defender | Exch Admin (Sec Inv) | User Admin (User Mgr) | Auth Admin (User Mgr) | Notes |
+|---|---|---|---|---|---|---|---|---|---|---|
+| Valleywide Plastering | 5c53ae9f... | old app only | — | — | — | — | — | old app only | — | Needs migration to new app suite |
+| Dataforth | 7dfa3ce8... | old app only | — | — | — | — | old app only | old app only | — | Needs migration |
+| Cascades Tucson | 207fa277-e9d8-4eb7-ada1-1064d2221498 | old app only | — | — | — | — | old app only | old app only | — | IdentityRiskyUser scope still not consented as of 2026-04-16 |
+| Grabblaw | 032b383e-96e4-491b-880d-3fd3295672c3 | YES (2026-04-20) | — | YES (2026-04-20) | YES (2026-04-20) | — | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | Fully onboarded |
+| martylryan.com | (resolve via script) | YES (2026-04-20) | — | YES (old app) | YES (2026-04-20) | — | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | Fully onboarded |
+| mvaninc.com | 5affaf1e-de89-416b-a655-1b2cf615d5b1 | YES (2026-04-21) | — | YES (2026-04-21) | YES (2026-04-21) | — | — | — | — | Fully onboarded. Incident 2026-04-21: sysadmin GA account unauthorized sign-in from OKC via device PRT (MITCH-LAPTOP/JUNE). Remediated: pw reset, sessions revoked. CA policy (MFA all users) still pending — Mike to create. |
+
+**Migration note:** Valleywide, Dataforth, and Cascades still use the old deprecated app. Next visit: consent Security Investigator + assign Exchange Administrator role to new SP, then retire old app consent.
+
+Keep this table updated when rolling out to new tenants or migrating existing ones. Run `onboard-tenant.sh` after each consent and update the role columns from the script's final status output.

.claude/skills/remediation-tool/references/graph-endpoints.md

@@ -0,0 +1,159 @@
+# Graph + Exchange REST Cheatsheet
+
+All examples assume:
+- `$GT` = Graph token (`investigator` tier)
+- `$EXO_R` = Exchange read token (`investigator-exo` tier) — Get-* cmdlets
+- `$EXO_W` = Exchange write token (`exchange-op` tier) — Set-*/Remove-* cmdlets
+- `$UT` = User Manager graph token (`user-manager` tier) — user write ops
+- `$TID` = tenant ID, `$UPN`/`$UID` = user identifiers
+
+Acquire tokens:
+```bash
+GT=$(bash .claude/skills/remediation-tool/scripts/get-token.sh $TID investigator)
+EXO_R=$(bash .claude/skills/remediation-tool/scripts/get-token.sh $TID investigator-exo)
+EXO_W=$(bash .claude/skills/remediation-tool/scripts/get-token.sh $TID exchange-op)   # remediation only
+UT=$(bash .claude/skills/remediation-tool/scripts/get-token.sh $TID user-manager)     # remediation only
+```
+
+## Graph API (`https://graph.microsoft.com/v1.0`)
+
+### User lookup / status
+
+```bash
+# By UPN
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/$UPN?\$select=id,displayName,userPrincipalName,mail,accountEnabled,createdDateTime,lastPasswordChangeDateTime"
+
+# All users (filter, paged)
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users?\$top=999&\$filter=accountEnabled%20eq%20true"
+```
+
+### Mailbox
+
+```bash
+# Visible inbox rules (Graph v1.0 — does NOT return hidden rules)
+/users/$UPN/mailFolders/inbox/messageRules
+
+# Mailbox settings (auto-reply, delegates meeting option, NOT forwarding flags)
+/users/$UPN/mailboxSettings
+
+# Recent sent / deleted
+/users/$UPN/mailFolders/sentitems/messages?$top=25&$orderby=sentDateTime%20desc
+/users/$UPN/mailFolders/deleteditems/messages?$top=25&$orderby=receivedDateTime%20desc
+```
+
+### Authentication methods
+
+```bash
+/users/$UPN/authentication/methods
+# Watch for new methods added within the attack window
+```
+
+### OAuth + app role assignments
+
+```bash
+/users/$UPN/oauth2PermissionGrants      # user-level consents
+/users/$UPN/appRoleAssignments          # apps assigned to this user
+/servicePrincipals/$SP_ID/appRoleAssignments  # what scopes a SP has
+```
+
+### Sign-ins (needs Entra ID P1 or higher)
+
+```bash
+# Interactive sign-ins v1.0 (does NOT include non-interactive/service-principal)
+/auditLogs/signIns?$filter=userId eq '$UID' and createdDateTime ge $FROM&$top=200
+
+# All sign-in event types (beta endpoint)
+/beta/auditLogs/signIns?$filter=userId eq '$UID' and (signInEventTypes/any(t:t eq 'nonInteractiveUser'))
+
+# Foreign successful sign-ins tenant-wide
+/auditLogs/signIns?$filter=(status/errorCode eq 0) and (location/countryOrRegion ne 'US')
+```
+
+### Directory audits
+
+```bash
+# Changes targeting a specific user
+/auditLogs/directoryAudits?$filter=targetResources/any(t:t/id eq '$UID')
+
+# Tenant-wide consent / auth-method / role events
+/auditLogs/directoryAudits?$filter=activityDateTime ge $FROM
+# Then client-side filter by activityDisplayName ~ Consent|Authentication Method|Add service principal|Add member to role
+```
+
+### Identity Protection (needs IdentityRiskyUser.Read.All)
+
+```bash
+/identityProtection/riskyUsers
+/identityProtection/riskyUsers/$UID
+/identityProtection/riskDetections?$filter=userId eq '$UID'
+```
+
+### B2B guests
+
+```bash
+# Get guest by gmail/external address
+/users?$filter=startswith(userPrincipalName,'dunedolly21')
+
+# Invite audits
+/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Invite external user'
+```
+
+## Exchange Online REST (`https://outlook.office365.com/adminapi/beta/{tenant-id}/InvokeCommand`)
+
+POST with JSON body `{"CmdletInput":{"CmdletName":"<cmdlet>","Parameters":{...}}}`.
+- **Read ops** (Get-*): use `$EXO_R` — Security Investigator token (`investigator-exo` tier)
+- **Write ops** (Set-*, Remove-*): use `$EXO_W` — Exchange Operator token (`exchange-op` tier)
+
+### Inbox rules (INCLUDING hidden)
+
+```json
+{"CmdletInput":{"CmdletName":"Get-InboxRule","Parameters":{"Mailbox":"user@domain.com","IncludeHidden":true}}}
+```
+
+Why this matters: attackers commonly create hidden rules that Graph v1.0 cannot see.
+
+### Mailbox forwarding / properties
+
+```json
+{"CmdletInput":{"CmdletName":"Get-Mailbox","Parameters":{"Identity":"user@domain.com"}}}
+```
+
+Check: `ForwardingAddress`, `ForwardingSmtpAddress`, `DeliverToMailboxAndForward`, `GrantSendOnBehalfTo`, `HiddenFromAddressListsEnabled`.
+
+### Mailbox permissions (delegates / FullAccess)
+
+```json
+{"CmdletInput":{"CmdletName":"Get-MailboxPermission","Parameters":{"Identity":"user@domain.com"}}}
+```
+
+Filter out `NT AUTHORITY\\SELF` — anything else is a delegate.
+
+### SendAs permissions
+
+```json
+{"CmdletInput":{"CmdletName":"Get-RecipientPermission","Parameters":{"Identity":"user@domain.com"}}}
+```
+
+### Transport rules (tenant-wide mail flow)
+
+```json
+{"CmdletInput":{"CmdletName":"Get-TransportRule","Parameters":{}}}
+```
+
+Check for rules that reroute, delete, or exfiltrate mail.
+
+### SMTP AUTH
+
+```json
+{"CmdletInput":{"CmdletName":"Get-CASMailbox","Parameters":{"Identity":"user@domain.com"}}}
+```
+
+Check `SmtpClientAuthenticationDisabled`. To disable SMTP AUTH on a single mailbox (remediation): `Set-CASMailbox -SmtpClientAuthenticationDisabled $true`.
+
+## Rate limits / pagination
+
+- Graph signIns endpoints cap `$top` at 999. For >999 results, follow `@odata.nextLink`.
+- Exchange REST has undocumented throttling — if you hit 429, back off 30–60s.
+- Token is valid ~60 minutes. Script caches for 55 min.

.claude/skills/remediation-tool/references/tenant-consent.html

@@ -0,0 +1,197 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>ComputerGuru — Tenant Admin Consent</title>
+<style>
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background: #0f1117; color: #e2e8f0; min-height: 100vh; padding: 32px 24px; }
+  h1 { font-size: 1.4rem; font-weight: 600; color: #f8fafc; margin-bottom: 4px; }
+  .subtitle { font-size: 0.85rem; color: #64748b; margin-bottom: 28px; }
+  .section-label { font-size: 0.7rem; font-weight: 600; letter-spacing: 0.08em; text-transform: uppercase; color: #475569; margin-bottom: 10px; margin-top: 24px; }
+  .grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(320px, 1fr)); gap: 8px; }
+  .card { background: #1e2330; border: 1px solid #2d3548; border-radius: 8px; padding: 14px 16px; display: flex; align-items: center; justify-content: space-between; gap: 12px; transition: border-color 0.15s; }
+  .card:hover { border-color: #3b82f6; }
+  .card.done { border-color: #166534; background: #14281f; opacity: 0.7; }
+  .card.reconsent { border-color: #92400e; background: #1c1a0f; }
+  .tenant-info { min-width: 0; }
+  .tenant-name { font-size: 0.9rem; font-weight: 500; color: #e2e8f0; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
+  .tenant-domain { font-size: 0.75rem; color: #64748b; margin-top: 2px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
+  .btn { flex-shrink: 0; font-size: 0.78rem; font-weight: 500; padding: 6px 14px; border-radius: 5px; border: none; cursor: pointer; text-decoration: none; display: inline-block; white-space: nowrap; transition: background 0.15s; }
+  .btn-primary { background: #2563eb; color: #fff; }
+  .btn-primary:hover { background: #1d4ed8; }
+  .btn-warn { background: #92400e; color: #fef3c7; }
+  .btn-warn:hover { background: #b45309; }
+  .btn-done { background: #166534; color: #bbf7d0; cursor: default; }
+  .badge { font-size: 0.65rem; font-weight: 600; padding: 2px 7px; border-radius: 3px; display: inline-block; margin-top: 3px; }
+  .badge-reconsent { background: #451a03; color: #fbbf24; }
+  .badge-done { background: #052e16; color: #4ade80; }
+  .stats { display: flex; gap: 20px; margin-bottom: 24px; padding: 16px; background: #1e2330; border: 1px solid #2d3548; border-radius: 8px; }
+  .stat-val { font-size: 1.4rem; font-weight: 700; }
+  .stat-label { font-size: 0.72rem; color: #64748b; margin-top: 1px; }
+  .stat-pending .stat-val { color: #f59e0b; }
+  .stat-done .stat-val { color: #4ade80; }
+  .stat-reconsent .stat-val { color: #fb923c; }
+  .instructions { background: #1e2330; border: 1px solid #2d3548; border-left: 3px solid #3b82f6; border-radius: 8px; padding: 14px 16px; margin-bottom: 24px; font-size: 0.82rem; color: #94a3b8; line-height: 1.6; }
+  .instructions strong { color: #e2e8f0; }
+  code { background: #0f1117; padding: 2px 6px; border-radius: 3px; font-family: monospace; font-size: 0.8em; color: #93c5fd; }
+</style>
+</head>
+<body>
+
+<h1>ComputerGuru — Tenant Admin Consent</h1>
+<p class="subtitle">Send the consent URL to each customer's Global Admin. After they accept, run <code>onboard-tenant.sh &lt;domain&gt;</code>.</p>
+
+<div class="instructions">
+  <strong>One-click onboarding flow:</strong> Customer Global Admin clicks their consent link below → logs in → clicks Accept.
+  Then run: <code>bash scripts/onboard-tenant.sh &lt;domain&gt;</code> — the script will automatically consent all other apps and assign all directory roles.
+  <br><br>
+  <strong>Re-consent</strong> (orange) means Tenant Admin was previously consented but needs a refresh to pick up <code>AppRoleAssignment.ReadWrite.All</code>.
+</div>
+
+<div class="stats">
+  <div class="stat stat-pending"><div class="stat-val" id="cnt-pending">—</div><div class="stat-label">Pending consent</div></div>
+  <div class="stat stat-reconsent"><div class="stat-val" id="cnt-reconsent">—</div><div class="stat-label">Need re-consent</div></div>
+  <div class="stat stat-done"><div class="stat-val" id="cnt-done">—</div><div class="stat-label">Done</div></div>
+</div>
+
+<div class="section-label">Re-consent required</div>
+<div class="grid" id="grid-reconsent"></div>
+
+<div class="section-label">Pending initial consent</div>
+<div class="grid" id="grid-pending"></div>
+
+<div class="section-label" id="label-done" style="display:none">Fully onboarded</div>
+<div class="grid" id="grid-done"></div>
+
+<script>
+const BASE = "https://login.microsoftonline.com";
+const CLIENT = "709e6eed-0711-4875-9c44-2d3518c47063";
+const REDIRECT = "https://azcomputerguru.com";
+
+const TENANTS = [
+  // status: "done" | "reconsent" | "pending"
+  { name: "Marty Ryan",              domain: "martylryan.com",                          id: "48581923-2153-48b9-82b3-6a3587813041", status: "done" },
+  { name: "Grabblaw",                domain: "grabblaw.com",                            id: "032b383e-96e4-491b-880d-3fd3295672c3", status: "done" },
+  { name: "Andy's Mobile Fuel",      domain: "andysmobilefuel.com",                     id: "806d4728-4545-495e-9eba-f0f96584ea08", status: "done" },
+  { name: "Bill Tedards",            domain: "tedards.net",                             id: "4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6", status: "done" },
+  { name: "Brian Kahn",              domain: "lIGQB0q47JGi8MGBPBAmzBfDHdf.onmicrosoft.com", id: "f5f86b40-4345-406e-94a3-470376d7590b", status: "pending" },
+  { name: "cascadestucson.com",      domain: "cascadestucson.com",                      id: "207fa277-e9d8-4eb7-ada1-1064d2221498", status: "done" },
+  { name: "cclac.net",               domain: "cclac.net",                               id: "e8a0fafc-21ee-41e8-a5ba-f3a250a8a30e", status: "done" },
+  { name: "Cobalt Fine Arts",        domain: "cobaltfinearts.com",                      id: "03c4d4ec-b6d3-4061-a75c-8a4250ba2b29", status: "done" },
+  { name: "CUADRO LLC",              domain: "cuadro.design",                           id: "b68c7171-31d6-4b63-8243-7a2cade9caf8", status: "pending" },
+  { name: "Curtis Plumbing",         domain: "cparizona.onmicrosoft.com",               id: "d2d7ea54-9146-42d1-b99e-0da098550bde", status: "pending" },
+  { name: "cwconcretellc.com",       domain: "NETORGFT11452752.onmicrosoft.com",        id: "dfee2224-93cd-4291-9b09-6c6ce9bb8711", status: "pending" },
+  { name: "Dataforth Corporation",   domain: "dataforth.com",                           id: "7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584", status: "done" },
+  { name: "Feline Ltd Cat Clinic",   domain: "felineltd.onmicrosoft.com",               id: "1b5f38ef-b6c8-4b6d-9bfb-9250ea7e7994", status: "pending" },
+  { name: "Glaz-Tech Industries",    domain: "glaztech.com",                            id: "82931e3c-de7a-4f74-87f7-fe714be1f160", status: "done" },
+  { name: "Heieck Sheila",           domain: "heieck.org",                              id: "7462ce7e-071e-49da-88ec-50ec6b46d12e", status: "done" },
+  { name: "ICE INC",                 domain: "iceinc.us.com",                           id: "ff26952e-970d-4c02-9179-416ed931ec50", status: "pending" },
+  { name: "Instrumental Music Ctr",  domain: "instrumentalmusic.onmicrosoft.com",       id: "65adab75-f1fd-4ef9-b2b4-c24f595393e3", status: "pending" },
+  { name: "Jema Enterprises, LLC",   domain: "jemaenterprises.com",                     id: "41268042-9a8e-41c2-9a3c-0775398b86cb", status: "done" },
+  { name: "JR Kennedy Company",      domain: "jrkco.com",                               id: "a92594b9-c8ad-4dba-8b40-14fcd32c723c", status: "pending" },
+  { name: "Khalsa Montessori",       domain: "khalsamontessorischools.onmicrosoft.com", id: "b2950f9d-81f8-40e4-85d9-2854d1d4f31b", status: "pending" },
+  { name: "Kittle Design & Const.",  domain: "kittlearizona.com",                       id: "3d073ebe-806a-4a5e-9035-3c7c4a264fc0", status: "pending" },
+  { name: "LeeAnn Parkinson",        domain: "lamaddux.com",                            id: "2f0c4c92-c608-4ee0-bdc2-87d5fd8fe929", status: "pending" },
+  { name: "MVAN Enterprises",        domain: "mvan.onmicrosoft.com",                    id: "5affaf1e-de89-416b-a655-1b2cf615d5b1", status: "done" },
+  { name: "Patient Care Advocates",  domain: "pcatucson.com",                           id: "463b462d-0995-4e51-9e41-82c208015c7f", status: "pending" },
+  { name: "Peaceful Spirit Massage", domain: "bestmassageintucson.com",                 id: "13be285a-374d-4a7c-a7d8-4cb5a98b5c29", status: "done" },
+  { name: "Putt Land Surveying",     domain: "puttsurveying.com",                       id: "25008634-91b4-40aa-8113-78ea03826156", status: "pending" },
+  { name: "Rednour Law",             domain: "rednourlaw.com",                          id: "4a4ca18a-f516-478b-99da-2e0722c5dc18", status: "done" },
+  { name: "Reliant Well Drilling",   domain: "reliantpump.services",                    id: "2b124552-3891-4090-b3ed-2eebad3c4083", status: "done" },
+  { name: "Ridgetop Group",          domain: "ridgetopgroup.com",                       id: "ef111bfc-9c90-43c9-a581-f9bbfceb6517", status: "done" },
+  { name: "Rincon Vista Vet Ctr",    domain: "rinconvistavet.onmicrosoft.com",          id: "b8cdcd89-d0f4-4747-bcf3-8bd8a25fd7e1", status: "pending" },
+  { name: "Russo Law Firm",          domain: "rrs-law.com",                             id: "bef1b190-f78f-4b1c-aa4b-fab186a30702", status: "pending" },
+  { name: "Safe Site Utility Svcs",  domain: "safesitellc.com",                         id: "71b4e637-c802-4137-a812-ae50dbc839e3", status: "done" },
+  { name: "SANDTEKO MACHINERY",      domain: "SANDTEKOMACHINERY.com",                   id: "739bb777-cf76-478f-866b-f61c830c8246", status: "done" },
+  { name: "Shave, Kevin",            domain: "az2son.com",                              id: "984c05a9-708b-4ec1-9f43-558865cb3c9d", status: "pending" },
+  { name: "Sonorangreenllc.com",     domain: "sonorangreenllc.com",                     id: "ededa4fb-f6eb-4398-851d-5eb3e11fab27", status: "done" },
+  { name: "Starr Pass Realty",       domain: "starrpass.com",                           id: "222450dd-141f-435f-87b8-cec719aac99e", status: "pending" },
+  { name: "The Dumpster Guys",       domain: "dumpsterguys.onmicrosoft.com",            id: "0b3cd451-2679-4697-b161-07b9ef8d41e9", status: "pending" },
+  { name: "The Prairie Schooner",    domain: "theprairieschooner.onmicrosoft.com",      id: "c941033c-2752-42ef-be22-fbab77e2e587", status: "pending" },
+  { name: "Tucson Golden Corral",    domain: "tucsongoldencorral.onmicrosoft.com",      id: "50e23e94-960f-4f61-8a27-97dbbe001a36", status: "pending" },
+  { name: "Tucson Mountain Motors",  domain: "tucsonmountainmotors.com",                id: "ffdabd05-236b-4666-a7f5-cc40ae9f9122", status: "pending" },
+  { name: "Valley Wide Plastering",  domain: "valleywideplastering.com",                id: "5c53ae9f-7071-4248-b834-8685b646450f", status: "done" },
+  { name: "Von's Carstar",           domain: "vonscarstar.com",                         id: "53de51b9-a063-4f46-88ff-7c3468828ed9", status: "pending" },
+];
+
+// Load done state from localStorage
+const DONE_KEY = "cg_consent_done";
+const done = new Set(JSON.parse(localStorage.getItem(DONE_KEY) || "[]"));
+
+function consentUrl(id) {
+  return `${BASE}/${id}/adminconsent?client_id=${CLIENT}&redirect_uri=${REDIRECT}&prompt=consent`;
+}
+
+function markDone(id, btn, card) {
+  done.add(id);
+  localStorage.setItem(DONE_KEY, JSON.stringify([...done]));
+  btn.textContent = "Done";
+  btn.className = "btn btn-done";
+  btn.onclick = null;
+  card.className = "card done";
+  updateCounts();
+}
+
+function renderCard(t) {
+  const isDone = done.has(t.id);
+  const card = document.createElement("div");
+  card.className = "card" + (isDone ? " done" : t.status === "reconsent" ? " reconsent" : "");
+
+  const info = document.createElement("div");
+  info.className = "tenant-info";
+  info.innerHTML = `<div class="tenant-name">${t.name}</div><div class="tenant-domain">${t.domain}</div>` +
+    (t.status === "reconsent" && !isDone ? `<span class="badge badge-reconsent">Re-consent</span>` : "") +
+    (isDone ? `<span class="badge badge-done">Done</span>` : "");
+
+  const btn = document.createElement("a");
+  btn.href = consentUrl(t.id);
+  btn.target = "_blank";
+  btn.rel = "noopener";
+
+  if (isDone) {
+    btn.textContent = "Done";
+    btn.className = "btn btn-done";
+    btn.onclick = (e) => e.preventDefault();
+  } else if (t.status === "reconsent") {
+    btn.textContent = "Re-consent";
+    btn.className = "btn btn-warn";
+    btn.onclick = () => setTimeout(() => markDone(t.id, btn, card), 500);
+  } else {
+    btn.textContent = "Consent";
+    btn.className = "btn btn-primary";
+    btn.onclick = () => setTimeout(() => markDone(t.id, btn, card), 500);
+  }
+
+  card.appendChild(info);
+  card.appendChild(btn);
+  return { card, isDone };
+}
+
+function updateCounts() {
+  const total = TENANTS.length;
+  const doneCount = TENANTS.filter(t => done.has(t.id)).length;
+  const reconsent = TENANTS.filter(t => t.status === "reconsent" && !done.has(t.id)).length;
+  const pending = TENANTS.filter(t => t.status === "pending" && !done.has(t.id)).length;
+  document.getElementById("cnt-pending").textContent = pending;
+  document.getElementById("cnt-reconsent").textContent = reconsent;
+  document.getElementById("cnt-done").textContent = doneCount;
+  const labelDone = document.getElementById("label-done");
+  labelDone.style.display = doneCount > 0 ? "" : "none";
+}
+
+function render() {
+  const grids = { pending: document.getElementById("grid-pending"), reconsent: document.getElementById("grid-reconsent"), done: document.getElementById("grid-done") };
+  TENANTS.forEach(t => {
+    const { card, isDone } = renderCard(t);
+    if (isDone) grids.done.appendChild(card);
+    else grids[t.status].appendChild(card);
+  });
+  updateCounts();
+}
+
+render();
+</script>
+</body>
+</html>

.claude/skills/remediation-tool/references/tenants.md

@@ -0,0 +1,185 @@
+# Managed Tenant Reference
+
+Last updated: 2026-04-20. Source of truth: CIPP ListTenants API.
+
+Run `bash scripts/onboard-tenant.sh <domain>` after any tenant consents Tenant Admin.
+After full onboarding, update the Onboarded column below.
+
+## Tenant List
+
+| Display Name | Domain | Tenant ID | Onboarded | Notes |
+|---|---|---|---|---|
+| Andy's Mobile Fuel | andysmobilefuel.com | 806d4728-4545-495e-9eba-f0f96584ea08 | NO | |
+| Bill Tedards | tedards.net | 4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6 | NO | |
+| Brian Kahn | lIGQB0q47JGi8MGBPBAmzBfDHdf.onmicrosoft.com | f5f86b40-4345-406e-94a3-470376d7590b | NO | |
+| cascadestucson.com | cascadestucson.com | 207fa277-e9d8-4eb7-ada1-1064d2221498 | NO | Old app only; IdentityRiskyUser not consented |
+| cclac.net | cclac.net | e8a0fafc-21ee-41e8-a5ba-f3a250a8a30e | NO | |
+| Cobalt Fine Arts | cobaltfinearts.com | 03c4d4ec-b6d3-4061-a75c-8a4250ba2b29 | NO | |
+| CUADRO LLC | cuadro.design | b68c7171-31d6-4b63-8243-7a2cade9caf8 | NO | |
+| Curtis Plumbing | cparizona.onmicrosoft.com | d2d7ea54-9146-42d1-b99e-0da098550bde | NO | |
+| cwconcretellc.com | NETORGFT11452752.onmicrosoft.com | dfee2224-93cd-4291-9b09-6c6ce9bb8711 | NO | |
+| Dataforth Corporation | dataforth.com | 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584 | YES | All apps consented; Sec Inv + Exch Op + User Mgr roles assigned 2026-04-23; Exch Op Exchange Admin role added manually |
+| Feline Limited Cat Clinic | felineltd.onmicrosoft.com | 1b5f38ef-b6c8-4b6d-9bfb-9250ea7e7994 | NO | |
+| Glaz-Tech Industries | glaztech.com | 82931e3c-de7a-4f74-87f7-fe714be1f160 | NO | |
+| Grabblaw | grabblaw.com | 032b383e-96e4-491b-880d-3fd3295672c3 | YES | Sec Inv + User Mgr + Tenant Admin consented; all roles assigned 2026-04-20 |
+| Heieck Sheila | heieck.org | 7462ce7e-071e-49da-88ec-50ec6b46d12e | NO | |
+| ICE INC | iceinc.us.com | ff26952e-970d-4c02-9179-416ed931ec50 | NO | |
+| Instrumental Music Center | instrumentalmusic.onmicrosoft.com | 65adab75-f1fd-4ef9-b2b4-c24f595393e3 | NO | |
+| Jema Enterprises, LLC | jemaenterprises.com | 41268042-9a8e-41c2-9a3c-0775398b86cb | NO | |
+| JR Kennedy Company | jrkco.com | a92594b9-c8ad-4dba-8b40-14fcd32c723c | NO | |
+| Khalsa Montessori School | khalsamontessorischools.onmicrosoft.com | b2950f9d-81f8-40e4-85d9-2854d1d4f31b | NO | |
+| Kittle Design & Construction | kittlearizona.com | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 | PARTIAL | Sec Inv consented 2026-04-23; Exchange Admin role NOT assigned; Tenant Admin not consented; breach check run — Alexis + Ken inbox rules flagged |
+| LeeAnn Parkinson | lamaddux.com | 2f0c4c92-c608-4ee0-bdc2-87d5fd8fe929 | NO | |
+| Marty Ryan | martylryan.com | 48581923-2153-48b9-82b3-6a3587813041 | YES | Sec Inv + Tenant Admin consented; all roles assigned 2026-04-20 |
+| MVAN Enterprises, Inc | mvan.onmicrosoft.com | 5affaf1e-de89-416b-a655-1b2cf615d5b1 | NO | |
+| Patient Care Advocates | pcatucson.com | 463b462d-0995-4e51-9e41-82c208015c7f | NO | |
+| Peaceful Spirit Massage | bestmassageintucson.com | 13be285a-374d-4a7c-a7d8-4cb5a98b5c29 | NO | |
+| Putt Land Surveying Inc | puttsurveying.com | 25008634-91b4-40aa-8113-78ea03826156 | NO | |
+| Rednour Law | rednourlaw.com | 4a4ca18a-f516-478b-99da-2e0722c5dc18 | NO | |
+| Reliant Well Drilling and Pump | reliantpump.services | 2b124552-3891-4090-b3ed-2eebad3c4083 | NO | |
+| Ridgetop Group | ridgetopgroup.com | ef111bfc-9c90-43c9-a581-f9bbfceb6517 | NO | |
+| Rincon Vista Veterinary Center | rinconvistavet.onmicrosoft.com | b8cdcd89-d0f4-4747-bcf3-8bd8a25fd7e1 | NO | |
+| Russo Law Firm | rrs-law.com | bef1b190-f78f-4b1c-aa4b-fab186a30702 | NO | |
+| Safe Site Utility Services LLC | safesitellc.com | 71b4e637-c802-4137-a812-ae50dbc839e3 | NO | |
+| SANDTEKO MACHINERY LLC | SANDTEKOMACHINERY.com | 739bb777-cf76-478f-866b-f61c830c8246 | YES | All apps consented 2026-04-24; Sec Inv + Exch Op Exchange Admin + User Mgr User Admin + Auth Admin roles assigned; no MDE |
+| Shave, Kevin | az2son.com | 984c05a9-708b-4ec1-9f43-558865cb3c9d | NO | |
+| Sonorangreenllc.com | sonorangreenllc.com | ededa4fb-f6eb-4398-851d-5eb3e11fab27 | NO | |
+| Starr Pass Realty | starrpass.com | 222450dd-141f-435f-87b8-cec719aac99e | NO | |
+| The Dumpster Guys | dumpsterguys.onmicrosoft.com | 0b3cd451-2679-4697-b161-07b9ef8d41e9 | NO | |
+| The Prairie Schooner | theprairieschooner.onmicrosoft.com | c941033c-2752-42ef-be22-fbab77e2e587 | NO | |
+| Tucson Golden Corral | tucsongoldencorral.onmicrosoft.com | 50e23e94-960f-4f61-8a27-97dbbe001a36 | NO | |
+| Tucson Mountain Motors | tucsonmountainmotors.com | ffdabd05-236b-4666-a7f5-cc40ae9f9122 | NO | |
+| Valley Wide Plastering | valleywideplastering.com | 5c53ae9f-7071-4248-b834-8685b646450f | NO | Old app only |
+| Von's Carstar | vonscarstar.com | 53de51b9-a063-4f46-88ff-7c3468828ed9 | NO | |
+
+## Tenant Admin Consent URLs (batch)
+
+Send this URL to each customer's Global Admin. After they accept, run:
+`bash scripts/onboard-tenant.sh <domain>`
+
+Consent URL format:
+```
+https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+```
+
+### Per-tenant consent URLs
+
+Andy's Mobile Fuel:
+https://login.microsoftonline.com/806d4728-4545-495e-9eba-f0f96584ea08/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Bill Tedards:
+https://login.microsoftonline.com/4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Brian Kahn:
+https://login.microsoftonline.com/f5f86b40-4345-406e-94a3-470376d7590b/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+cascadestucson.com:
+https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+cclac.net:
+https://login.microsoftonline.com/e8a0fafc-21ee-41e8-a5ba-f3a250a8a30e/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Cobalt Fine Arts:
+https://login.microsoftonline.com/03c4d4ec-b6d3-4061-a75c-8a4250ba2b29/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+CUADRO LLC:
+https://login.microsoftonline.com/b68c7171-31d6-4b63-8243-7a2cade9caf8/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Curtis Plumbing:
+https://login.microsoftonline.com/d2d7ea54-9146-42d1-b99e-0da098550bde/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+cwconcretellc.com:
+https://login.microsoftonline.com/dfee2224-93cd-4291-9b09-6c6ce9bb8711/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Dataforth Corporation:
+https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Feline Limited Cat Clinic:
+https://login.microsoftonline.com/1b5f38ef-b6c8-4b6d-9bfb-9250ea7e7994/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Glaz-Tech Industries:
+https://login.microsoftonline.com/82931e3c-de7a-4f74-87f7-fe714be1f160/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Heieck Sheila:
+https://login.microsoftonline.com/7462ce7e-071e-49da-88ec-50ec6b46d12e/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+ICE INC:
+https://login.microsoftonline.com/ff26952e-970d-4c02-9179-416ed931ec50/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Instrumental Music Center:
+https://login.microsoftonline.com/65adab75-f1fd-4ef9-b2b4-c24f595393e3/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Jema Enterprises, LLC:
+https://login.microsoftonline.com/41268042-9a8e-41c2-9a3c-0775398b86cb/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+JR Kennedy Company:
+https://login.microsoftonline.com/a92594b9-c8ad-4dba-8b40-14fcd32c723c/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Khalsa Montessori School:
+https://login.microsoftonline.com/b2950f9d-81f8-40e4-85d9-2854d1d4f31b/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Kittle Design & Construction:
+https://login.microsoftonline.com/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+LeeAnn Parkinson:
+https://login.microsoftonline.com/2f0c4c92-c608-4ee0-bdc2-87d5fd8fe929/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+MVAN Enterprises, Inc:
+https://login.microsoftonline.com/5affaf1e-de89-416b-a655-1b2cf615d5b1/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Patient Care Advocates:
+https://login.microsoftonline.com/463b462d-0995-4e51-9e41-82c208015c7f/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Peaceful Spirit Massage:
+https://login.microsoftonline.com/13be285a-374d-4a7c-a7d8-4cb5a98b5c29/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Putt Land Surveying Inc:
+https://login.microsoftonline.com/25008634-91b4-40aa-8113-78ea03826156/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Rednour Law:
+https://login.microsoftonline.com/4a4ca18a-f516-478b-99da-2e0722c5dc18/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Reliant Well Drilling and Pump:
+https://login.microsoftonline.com/2b124552-3891-4090-b3ed-2eebad3c4083/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Ridgetop Group:
+https://login.microsoftonline.com/ef111bfc-9c90-43c9-a581-f9bbfceb6517/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Rincon Vista Veterinary Center:
+https://login.microsoftonline.com/b8cdcd89-d0f4-4747-bcf3-8bd8a25fd7e1/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Russo Law Firm:
+https://login.microsoftonline.com/bef1b190-f78f-4b1c-aa4b-fab186a30702/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Safe Site Utility Services LLC:
+https://login.microsoftonline.com/71b4e637-c802-4137-a812-ae50dbc839e3/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+SANDTEKO MACHINERY LLC:
+https://login.microsoftonline.com/739bb777-cf76-478f-866b-f61c830c8246/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Shave, Kevin:
+https://login.microsoftonline.com/984c05a9-708b-4ec1-9f43-558865cb3c9d/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Sonorangreenllc.com:
+https://login.microsoftonline.com/ededa4fb-f6eb-4398-851d-5eb3e11fab27/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Starr Pass Realty:
+https://login.microsoftonline.com/222450dd-141f-435f-87b8-cec719aac99e/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+The Dumpster Guys:
+https://login.microsoftonline.com/0b3cd451-2679-4697-b161-07b9ef8d41e9/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+The Prairie Schooner:
+https://login.microsoftonline.com/c941033c-2752-42ef-be22-fbab77e2e587/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Tucson Golden Corral:
+https://login.microsoftonline.com/50e23e94-960f-4f61-8a27-97dbbe001a36/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Tucson Mountain Motors:
+https://login.microsoftonline.com/ffdabd05-236b-4666-a7f5-cc40ae9f9122/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Valley Wide Plastering:
+https://login.microsoftonline.com/5c53ae9f-7071-4248-b834-8685b646450f/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
+
+Von's Carstar:
+https://login.microsoftonline.com/53de51b9-a063-4f46-88ff-7c3468828ed9/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent

.claude/skills/remediation-tool/scripts/get-token.sh

@@ -0,0 +1,375 @@
+#!/usr/bin/env bash
+# Acquire a client-credentials bearer token for a ComputerGuru MSP app tier.
+# Usage: get-token.sh <tenant-id-or-domain> <tier>
+#
+# Tiers and their app + resource scope:
+#   investigator       ComputerGuru Security Investigator -> Graph API  (read-only breach checks)
+#   investigator-exo   ComputerGuru Security Investigator -> Exchange Online  (EXO read: Get-InboxRule, Get-Mailbox)
+#   exchange-op        ComputerGuru Exchange Operator     -> Exchange Online  (EXO write: Set-Mailbox, Remove-InboxRule, revoke sessions)
+#   user-manager       ComputerGuru User Manager          -> Graph API  (user create/update/disable, license assign, MFA reset)
+#   tenant-admin       ComputerGuru Tenant Admin          -> Graph API  (app roles, CA policy, directory write — high privilege)
+#   defender           ComputerGuru Defender Add-on       -> Defender ATP API  (MDE-licensed tenants only)
+#
+# Authentication: certificate-based (client_assertion JWT, RS256) is preferred
+# when cert_thumbprint_b64url + cert_private_key_pem_b64 are present in the vault
+# entry's credentials block. Falls back to client_secret otherwise.
+#
+# Override via env: REMEDIATION_AUTH=cert | secret  (default: auto, prefer cert)
+#   - REMEDIATION_AUTH=cert   forces cert; errors if cert fields missing (no fallback).
+#   - REMEDIATION_AUTH=secret forces client_secret; errors if secret missing.
+#   - unset / any other value: auto-detect (cert preferred, secret fallback).
+#
+# Cert fields read from the vault entry (under credentials:):
+#   cert_thumbprint_b64url   x5t header value (base64url SHA1, no padding)
+#   cert_private_key_pem_b64 base64-encoded RSA private key PEM
+#
+# Output (stdout): bearer token. Exits 0 on success.
+# Cache: /tmp/remediation-tool/{tenant-id}/{tier}.jwt  TTL 55 minutes.
+set -euo pipefail
+
+TARGET="${1:?usage: get-token.sh <tenant-id|domain> <tier>}"
+TIER="${2:?usage: get-token.sh <tenant-id|domain> <tier>}"
+
+# Resolve domain to tenant GUID if needed
+if [[ "$TARGET" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$ ]]; then
+  TENANT_ID="$TARGET"
+else
+  SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"
+  TENANT_ID=$("$SCRIPT_DIR/resolve-tenant.sh" "$TARGET")
+fi
+
+# Map tier -> client_id, vault SOPS path, resource scope
+case "$TIER" in
+  investigator)
+    CLIENT_ID="bfbc12a4-f0dd-4e12-b06d-997e7271e10c"
+    VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml"
+    SCOPE_URL="https://graph.microsoft.com/.default"
+    ;;
+  investigator-exo)
+    CLIENT_ID="bfbc12a4-f0dd-4e12-b06d-997e7271e10c"
+    VAULT_PATH="msp-tools/computerguru-security-investigator.sops.yaml"
+    SCOPE_URL="https://outlook.office365.com/.default"
+    ;;
+  exchange-op)
+    CLIENT_ID="b43e7342-5b4b-492f-890f-bb5a4f7f40e9"
+    VAULT_PATH="msp-tools/computerguru-exchange-operator.sops.yaml"
+    SCOPE_URL="https://outlook.office365.com/.default"
+    ;;
+  user-manager)
+    CLIENT_ID="64fac46b-8b44-41ad-93ee-7da03927576c"
+    VAULT_PATH="msp-tools/computerguru-user-manager.sops.yaml"
+    SCOPE_URL="https://graph.microsoft.com/.default"
+    ;;
+  tenant-admin)
+    CLIENT_ID="709e6eed-0711-4875-9c44-2d3518c47063"
+    VAULT_PATH="msp-tools/computerguru-tenant-admin.sops.yaml"
+    SCOPE_URL="https://graph.microsoft.com/.default"
+    ;;
+  tenant-admin-onboard)
+    # Same app as tenant-admin; this alias signals the token is being used
+    # during initial tenant onboarding (clearer error messages on failure).
+    CLIENT_ID="709e6eed-0711-4875-9c44-2d3518c47063"
+    VAULT_PATH="msp-tools/computerguru-tenant-admin.sops.yaml"
+    SCOPE_URL="https://graph.microsoft.com/.default"
+    ;;
+  defender)
+    CLIENT_ID="dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b"
+    VAULT_PATH="msp-tools/computerguru-defender-addon.sops.yaml"
+    SCOPE_URL="https://api.securitycenter.microsoft.com/.default"
+    ;;
+  intune-manager)
+    CLIENT_ID="46986910-aa47-4e5e-b596-f65c6b485abb"
+    VAULT_PATH="msp-tools/computerguru-intune-manager.sops.yaml"
+    SCOPE_URL="https://graph.microsoft.com/.default"
+    ;;
+  *)
+    echo "ERROR: unknown tier '$TIER'." >&2
+    echo "Valid tiers: investigator | investigator-exo | exchange-op | user-manager | tenant-admin | tenant-admin-onboard | defender | intune-manager" >&2
+    exit 2
+    ;;
+esac
+
+CACHE_DIR="/tmp/remediation-tool/$TENANT_ID"
+mkdir -p "$CACHE_DIR"
+CACHE_FILE="$CACHE_DIR/${TIER}.jwt"
+
+# Return cached token if < 55 minutes old
+if [[ -f "$CACHE_FILE" ]] && [[ $(find "$CACHE_FILE" -mmin -55 2>/dev/null) ]]; then
+  cat "$CACHE_FILE"
+  exit 0
+fi
+
+# Locate vault repo via .claude/identity.json (per-machine, gitignored).
+# Falls back to VAULT_PATH env var if set.
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../../../.." && pwd)"
+IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"
+
+VAULT_ROOT="${VAULT_ROOT_ENV:-}"
+if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
+  if command -v jq >/dev/null 2>&1; then
+    VAULT_ROOT=$(jq -r '.vault_path // empty' "$IDENTITY_FILE" 2>/dev/null)
+  fi
+  if [[ -z "$VAULT_ROOT" ]]; then
+    IDENTITY_FILE_WIN=$(cygpath -w "$IDENTITY_FILE" 2>/dev/null || echo "$IDENTITY_FILE")
+    for py in py python3 python; do
+      if command -v "$py" >/dev/null 2>&1; then
+        VAULT_ROOT=$("$py" -c "import json; print(json.load(open(r'${IDENTITY_FILE_WIN}')).get('vault_path',''))" 2>/dev/null) && break
+      fi
+    done
+  fi
+fi
+[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: vault_path not set in $IDENTITY_FILE and VAULT_ROOT_ENV env var not set" >&2; exit 3; }
+[[ ! -d "$VAULT_ROOT" ]] && { echo "ERROR: vault not found at $VAULT_ROOT (check vault_path in $IDENTITY_FILE)" >&2; exit 3; }
+
+SOPS_FILE="$VAULT_ROOT/$VAULT_PATH"
+[[ ! -f "$SOPS_FILE" ]] && { echo "ERROR: vault file not found: $SOPS_FILE" >&2; exit 3; }
+
+# Pick a Python interpreter once for all helpers.
+PYTHON_BIN=""
+for p in py python python3; do command -v "$p" >/dev/null 2>&1 && PYTHON_BIN="$p" && break; done
+
+# Decrypt the SOPS file once and cache plaintext in a memory-mapped tmp file.
+# All field reads below pull from this single decrypt; saves multiple sops invocations
+# (each is ~1s on Windows due to age key load) and avoids piping ~2KB key material
+# through subshells repeatedly.
+PLAINTEXT_FILE="$(mktemp -t sops-plain.XXXXXX)"
+trap 'rm -f "$PLAINTEXT_FILE"' EXIT
+
+# Try vault.sh first (handles yq vs python-yaml selection internally).
+# If that fails (e.g. PyYAML missing on this host), do a raw sops decrypt.
+SOPS_OK=0
+if [[ -f "$VAULT_ROOT/scripts/vault.sh" ]]; then
+  if bash "$VAULT_ROOT/scripts/vault.sh" get "$VAULT_PATH" > "$PLAINTEXT_FILE" 2>/dev/null && [[ -s "$PLAINTEXT_FILE" ]]; then
+    SOPS_OK=1
+  fi
+fi
+if [[ $SOPS_OK -eq 0 ]]; then
+  command -v sops >/dev/null 2>&1 || { echo "ERROR: vault.sh failed and sops not on PATH (needed for fallback decrypt)" >&2; exit 3; }
+  if ! sops -d "$SOPS_FILE" > "$PLAINTEXT_FILE" 2>/dev/null; then
+    echo "ERROR: sops decrypt failed for $SOPS_FILE" >&2
+    exit 3
+  fi
+fi
+
+# read_field <field-name> -> stdout (empty if missing)
+# Tries PyYAML for correctness; falls back to a tolerant flat-key regex that handles
+# the actual vault file shape (single-line scalars under a 4-space-indented credentials:
+# block — including 2KB+ values like cert_private_key_pem_b64).
+read_field() {
+  local field="$1"
+  local val=""
+  if [[ -n "$PYTHON_BIN" ]]; then
+    val=$("$PYTHON_BIN" - "$PLAINTEXT_FILE" "$field" <<'PY' 2>/dev/null || true
+import sys
+path, field = sys.argv[1], sys.argv[2]
+try:
+    import yaml
+except ImportError:
+    sys.exit(1)
+try:
+    with open(path, "r", encoding="utf-8") as f:
+        doc = yaml.safe_load(f) or {}
+except Exception:
+    sys.exit(1)
+creds = (doc.get("credentials") or {})
+v = creds.get(field)
+if v is None:
+    sys.exit(0)
+print(v)
+PY
+)
+    val="${val%$'\r'}"
+    if [[ -n "$val" ]]; then
+      printf '%s' "$val"
+      return 0
+    fi
+  fi
+  # Regex fallback: flat keys under credentials:, indent 2 or 4 spaces, value on same line.
+  # Strips surrounding quotes if present. Stops at first match. Works for the actual
+  # vault format because cert_private_key_pem_b64 is emitted as a single long line.
+  if [[ -n "$PYTHON_BIN" ]]; then
+    val=$("$PYTHON_BIN" - "$PLAINTEXT_FILE" "$field" <<'PY' 2>/dev/null || true
+import sys, re
+path, field = sys.argv[1], sys.argv[2]
+try:
+    with open(path, "r", encoding="utf-8") as f:
+        text = f.read()
+except Exception:
+    sys.exit(1)
+m = re.search(r'(?ms)^credentials:\s*\n((?:[ \t]+.*\n?)+)', text)
+if not m:
+    sys.exit(0)
+block = m.group(1)
+pat = re.compile(r'^[ \t]+' + re.escape(field) + r'\s*:\s*(.*?)\s*$', re.MULTILINE)
+fm = pat.search(block)
+if not fm:
+    sys.exit(0)
+v = fm.group(1)
+if (v.startswith('"') and v.endswith('"')) or (v.startswith("'") and v.endswith("'")):
+    v = v[1:-1]
+print(v)
+PY
+)
+    val="${val%$'\r'}"
+    printf '%s' "$val"
+  fi
+}
+
+# Auth-method selection: env override > auto-detect.
+AUTH_OVERRIDE="${REMEDIATION_AUTH:-}"
+AUTH_METHOD=""
+CERT_X5T=""
+CERT_KEY_B64=""
+CLIENT_SECRET=""
+
+case "$AUTH_OVERRIDE" in
+  cert)
+    CERT_X5T=$(read_field cert_thumbprint_b64url | tr -d '\r\n')
+    CERT_KEY_B64=$(read_field cert_private_key_pem_b64 | tr -d '\r\n')
+    if [[ -z "$CERT_X5T" || -z "$CERT_KEY_B64" ]]; then
+      echo "ERROR: REMEDIATION_AUTH=cert but cert fields missing in vault ($VAULT_PATH)" >&2
+      echo "  Required fields under credentials: cert_thumbprint_b64url, cert_private_key_pem_b64" >&2
+      exit 4
+    fi
+    AUTH_METHOD="cert"
+    ;;
+  secret)
+    CLIENT_SECRET=$(read_field client_secret | tr -d '\r\n')
+    if [[ -z "$CLIENT_SECRET" ]]; then
+      CLIENT_SECRET=$(read_field credential | tr -d '\r\n')
+    fi
+    if [[ -z "$CLIENT_SECRET" ]]; then
+      echo "ERROR: REMEDIATION_AUTH=secret but client_secret missing in vault ($VAULT_PATH)" >&2
+      echo "  Check field: credentials.client_secret  (or credentials.credential for older entries)" >&2
+      exit 4
+    fi
+    AUTH_METHOD="secret"
+    ;;
+  *)
+    CERT_X5T=$(read_field cert_thumbprint_b64url | tr -d '\r\n')
+    CERT_KEY_B64=$(read_field cert_private_key_pem_b64 | tr -d '\r\n')
+    if [[ -n "$CERT_X5T" && -n "$CERT_KEY_B64" ]]; then
+      AUTH_METHOD="cert"
+    else
+      CLIENT_SECRET=$(read_field client_secret | tr -d '\r\n')
+      if [[ -z "$CLIENT_SECRET" ]]; then
+        CLIENT_SECRET=$(read_field credential | tr -d '\r\n')
+      fi
+      if [[ -z "$CLIENT_SECRET" ]]; then
+        echo "ERROR: no usable credential found in $VAULT_PATH" >&2
+        echo "  Need either credentials.cert_thumbprint_b64url + credentials.cert_private_key_pem_b64," >&2
+        echo "  or credentials.client_secret (or legacy credentials.credential)." >&2
+        exit 4
+      fi
+      AUTH_METHOD="secret"
+    fi
+    ;;
+esac
+
+echo "[INFO] auth=$AUTH_METHOD" >&2
+
+# Build request and POST.
+TOKEN_URL="https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token"
+
+if [[ "$AUTH_METHOD" == "cert" ]]; then
+  [[ -z "$PYTHON_BIN" ]] && { echo "ERROR: cert auth requires python (py/python/python3) for JWT signing" >&2; exit 4; }
+
+  CLIENT_ASSERTION=$(CERT_X5T_ENV="$CERT_X5T" \
+                     CERT_KEY_B64_ENV="$CERT_KEY_B64" \
+                     CLIENT_ID_ENV="$CLIENT_ID" \
+                     TOKEN_URL_ENV="$TOKEN_URL" \
+                     "$PYTHON_BIN" - <<'PY' 2>&1
+import os, sys, time, uuid, base64
+try:
+    import jwt
+except ImportError:
+    sys.stderr.write("ERROR: PyJWT not installed (pip install PyJWT cryptography)\n")
+    sys.exit(2)
+try:
+    from cryptography.hazmat.primitives.serialization import load_pem_private_key
+except ImportError:
+    sys.stderr.write("ERROR: cryptography not installed (pip install cryptography)\n")
+    sys.exit(2)
+
+x5t = os.environ["CERT_X5T_ENV"]
+key_b64 = os.environ["CERT_KEY_B64_ENV"]
+client_id = os.environ["CLIENT_ID_ENV"]
+aud = os.environ["TOKEN_URL_ENV"]
+
+try:
+    key_pem = base64.b64decode(key_b64)
+except Exception as e:
+    sys.stderr.write(f"ERROR: cert_private_key_pem_b64 is not valid base64: {e}\n")
+    sys.exit(3)
+
+# Validate the PEM parses before handing to PyJWT, for a clearer error.
+try:
+    load_pem_private_key(key_pem, password=None)
+except Exception as e:
+    sys.stderr.write(f"ERROR: cert_private_key_pem_b64 did not decode to a valid PEM private key: {e}\n")
+    sys.exit(3)
+
+now = int(time.time())
+payload = {
+    "aud": aud,
+    "iss": client_id,
+    "sub": client_id,
+    "jti": str(uuid.uuid4()),
+    "exp": now + 300,
+    "nbf": now,
+}
+token = jwt.encode(payload, key_pem, algorithm="RS256", headers={"x5t": x5t})
+sys.stdout.write(token)
+PY
+)
+  ASSERT_RC=$?
+  if [[ $ASSERT_RC -ne 0 || -z "$CLIENT_ASSERTION" ]]; then
+    echo "ERROR: failed to build client_assertion JWT" >&2
+    [[ -n "$CLIENT_ASSERTION" ]] && echo "$CLIENT_ASSERTION" >&2
+    exit 4
+  fi
+
+  RESP=$(curl -s --max-time 15 -X POST "$TOKEN_URL" \
+    --data-urlencode "client_id=${CLIENT_ID}" \
+    --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
+    --data-urlencode "client_assertion=${CLIENT_ASSERTION}" \
+    --data-urlencode "scope=${SCOPE_URL}" \
+    --data-urlencode "grant_type=client_credentials")
+else
+  RESP=$(curl -s --max-time 15 -X POST "$TOKEN_URL" \
+    --data-urlencode "client_id=${CLIENT_ID}" \
+    --data-urlencode "client_secret=${CLIENT_SECRET}" \
+    --data-urlencode "scope=${SCOPE_URL}" \
+    --data-urlencode "grant_type=client_credentials")
+fi
+
+TOKEN=$(echo "$RESP" | jq -r '.access_token // empty')
+
+if [[ -z "$TOKEN" ]]; then
+  ERROR_CODE=$(echo "$RESP" | jq -r '.error_codes[0] // empty' 2>/dev/null || true)
+  ERROR_DESC=$(echo "$RESP" | jq -r '.error_description // empty' 2>/dev/null || true)
+
+  # AADSTS7000229 — service principal not found in tenant (not consented)
+  if echo "$ERROR_DESC" | grep -qi "7000229\|AADSTS7000229" || [[ "$ERROR_CODE" == "7000229" ]]; then
+    echo "ERROR: AADSTS7000229 — app not consented in tenant $TENANT_ID (tier=$TIER, auth=$AUTH_METHOD)" >&2
+    echo "" >&2
+    echo "  The '${TIER}' service principal has not been authorized in this tenant." >&2
+    echo "  Send this consent URL to the customer Global Admin:" >&2
+    echo "" >&2
+    echo "  https://login.microsoftonline.com/${TENANT_ID}/adminconsent?client_id=${CLIENT_ID}&redirect_uri=https://azcomputerguru.com&prompt=consent" >&2
+    echo "" >&2
+    echo "  After the admin accepts, run onboard-tenant.sh to assign required directory roles:" >&2
+    SCRIPT_DIR_ERR="$(dirname "${BASH_SOURCE[0]}")"
+    echo "  bash ${SCRIPT_DIR_ERR}/onboard-tenant.sh ${TARGET}" >&2
+    exit 5
+  fi
+
+  echo "ERROR: token request failed (tenant=$TENANT_ID tier=$TIER auth=$AUTH_METHOD)" >&2
+  echo "$RESP" >&2
+  exit 5
+fi
+
+echo "$TOKEN" > "$CACHE_FILE"
+chmod 600 "$CACHE_FILE" 2>/dev/null || true
+echo "$TOKEN"

.claude/skills/remediation-tool/scripts/onboard-tenant.sh

@@ -0,0 +1,656 @@
+#!/usr/bin/env bash
+# Assign required Entra directory roles to ComputerGuru MSP service principals
+# in a newly-consented customer tenant, and programmatically consent all other
+# ComputerGuru apps so only Tenant Admin requires a manual customer consent click.
+#
+# Usage: onboard-tenant.sh <domain-or-tenant-id> [--dry-run]
+#
+# What this script does:
+#   1. Resolves the tenant ID
+#   2. Acquires a Tenant Admin token (fails gracefully if not consented)
+#   3. Creates SPs for Security Investigator, Exchange Operator, User Manager,
+#      and Defender Add-on (equivalent to admin consent for each)
+#   4. Grants all required Graph/EXO/Defender appRoleAssignments to each SP
+#   5. Assigns required directory roles to each SP
+#   6. Prints a final status table
+#
+# Exit codes:
+#   0  all roles present or successfully assigned
+#   1  resolve failure
+#   2  Tenant Admin not consented (consent URL printed)
+#   3  vault error
+#   10 partial failure (some roles could not be assigned)
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+TARGET="${1:?Usage: onboard-tenant.sh <domain-or-tenant-id> [--dry-run]}"
+DRY_RUN=false
+[[ "${2:-}" == "--dry-run" ]] && DRY_RUN=true
+
+# ── App IDs ───────────────────────────────────────────────────────────────────
+APP_SEC_INV="bfbc12a4-f0dd-4e12-b06d-997e7271e10c"
+APP_EXCH_OP="b43e7342-5b4b-492f-890f-bb5a4f7f40e9"
+APP_USER_MGR="64fac46b-8b44-41ad-93ee-7da03927576c"
+APP_TENANT_ADMIN="709e6eed-0711-4875-9c44-2d3518c47063"
+APP_DEFENDER="dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b"
+
+# ── Resource app IDs (well-known Microsoft multi-tenant apps) ─────────────────
+GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
+EXO_APP_ID="00000002-0000-0ff1-ce00-000000000000"
+DEFENDER_APP_ID="fc780465-2017-40d4-a0c5-307022471b92"
+
+# ── Directory role GUIDs ──────────────────────────────────────────────────────
+ROLE_EXCHANGE_ADMIN="29232cdf-9323-42fd-ade2-1d097af3e4de"
+ROLE_USER_ADMIN="fe930be7-5e62-47db-91af-98c3a49a38b1"
+ROLE_AUTH_ADMIN="c4e39bd9-1100-46d3-8c65-fb160da0071f"
+ROLE_CA_ADMIN="b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"
+
+# ── Graph appRole GUIDs per app (from requiredResourceAccess in home tenant) ──
+# Security Investigator — Graph
+SEC_INV_GRAPH_ROLES=(
+  "df021288-bdef-4463-88db-98f22de89214"
+  "b0afded3-3588-46d8-8b3d-9842eff778da"
+  "7ab1d382-f21e-4acd-a863-ba3e13f7da61"
+  "40f97065-369a-49f4-947c-6a255697ae91"
+  "810c84a8-4a9e-49e6-bf7d-12d183f40d01"
+  "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30"
+  "38d9df27-64da-44fd-b7c5-a6fbac20248f"
+  "dc5007c0-2d7d-4c42-879c-2dab87571379"
+  "246dd0d5-5bd0-4def-940b-0421030a5b68"
+  "498476ce-e0fe-48b0-b801-37ba7e2685c6"
+)
+# Security Investigator — Exchange Online
+SEC_INV_EXO_ROLES=(
+  "dc890d15-9560-4a4c-9b7f-a736ec74ec40"
+)
+
+# Exchange Operator — Graph
+EXCH_OP_GRAPH_ROLES=(
+  "df021288-bdef-4463-88db-98f22de89214"
+  "6931bccd-447a-43d1-b442-00a195474933"
+  "e2a3a72e-5f79-4c64-b1b1-878b674786c9"
+  "77f3a031-c388-4f99-b373-dc68676a979e"
+  "498476ce-e0fe-48b0-b801-37ba7e2685c6"
+)
+# Exchange Operator — Exchange Online
+EXCH_OP_EXO_ROLES=(
+  "dc890d15-9560-4a4c-9b7f-a736ec74ec40"
+  "dc50a0fb-09a3-484d-be87-e023b12c6440"
+)
+
+# User Manager — Graph only
+USER_MGR_GRAPH_ROLES=(
+  "741f803b-c850-494e-b5df-cde7c675a1ca"
+  "19dbc75e-c2e2-444c-a770-ec69d8559fc7"
+  "62a82d76-70ea-41e2-9197-370581804d09"
+  "50483e42-d915-4231-9639-7fdb7fd190e5"
+  "77f3a031-c388-4f99-b373-dc68676a979e"
+  "498476ce-e0fe-48b0-b801-37ba7e2685c6"
+)
+
+# Defender Add-on — Graph
+DEFENDER_GRAPH_ROLES=(
+  "bf394140-e372-4bf9-a898-299cfc7564e5"
+)
+# Defender Add-on — Defender ATP
+DEFENDER_ATP_ROLES=(
+  "71fe6b80-7034-4028-9ed8-0f316df9c3ff"
+  "ea8291d3-4b9a-44b5-bc3a-6cea3026dc79"
+  "93489bf5-0fbc-4f2d-b901-33f2fe08ff05"
+  "41269fc5-d04d-4bfd-bce7-43a51cea049a"
+  "528ca142-c849-4a5b-935e-10b8b9c38a84"
+)
+
+CONSENT_BASE="https://login.microsoftonline.com"
+CONSENT_REDIRECT="https://azcomputerguru.com"
+
+# ── Helper: print consent URLs for all apps ───────────────────────────────────
+print_consent_urls() {
+  local tenant_id="$1"
+  echo ""
+  echo "[INFO] Consent URLs for tenant $tenant_id (provide to customer Global Admin):"
+  echo "  [1] Tenant Admin (consent FIRST — needed for programmatic onboarding of all other apps):"
+  echo "  ${CONSENT_BASE}/${tenant_id}/adminconsent?client_id=${APP_TENANT_ADMIN}&redirect_uri=${CONSENT_REDIRECT}&prompt=consent"
+  echo ""
+  echo "  After the admin accepts Tenant Admin consent, run:"
+  echo "  bash $0 $TARGET"
+  echo ""
+  echo "  The script will then automatically consent all other apps in the suite."
+  echo ""
+  echo "  (Optional — only needed if Tenant Admin consent failed for individual apps):"
+  echo "  [2] Security Investigator: ${CONSENT_BASE}/${tenant_id}/adminconsent?client_id=${APP_SEC_INV}&redirect_uri=${CONSENT_REDIRECT}&prompt=consent"
+  echo "  [3] Exchange Operator:     ${CONSENT_BASE}/${tenant_id}/adminconsent?client_id=${APP_EXCH_OP}&redirect_uri=${CONSENT_REDIRECT}&prompt=consent"
+  echo "  [4] User Manager:          ${CONSENT_BASE}/${tenant_id}/adminconsent?client_id=${APP_USER_MGR}&redirect_uri=${CONSENT_REDIRECT}&prompt=consent"
+  echo "  [5] Defender Add-on (MDE-licensed tenants only): ${CONSENT_BASE}/${tenant_id}/adminconsent?client_id=${APP_DEFENDER}&redirect_uri=${CONSENT_REDIRECT}&prompt=consent"
+}
+
+# ── Helper: get SP OID in tenant ──────────────────────────────────────────────
+get_sp_oid() {
+  local token="$1"
+  local app_id="$2"
+  local resp
+  resp=$(curl -s --max-time 15 \
+    -H "Authorization: Bearer $token" \
+    -G \
+    --data-urlencode "\$filter=appId eq '${app_id}'" \
+    --data-urlencode "\$select=id,displayName" \
+    "https://graph.microsoft.com/v1.0/servicePrincipals")
+  echo "$resp" | jq -r '.value[0].id // empty'
+}
+
+# ── Helper: create SP for our app if not present ──────────────────────────────
+create_sp_if_missing() {
+  local token="$1"
+  local app_id="$2"
+  local app_name="$3"
+
+  local oid
+  oid=$(get_sp_oid "$token" "$app_id")
+
+  if [[ -n "$oid" ]]; then
+    echo "  [OK] $app_name SP already present: $oid" >&2
+    echo "$oid"
+    return 0
+  fi
+
+  if [[ "$DRY_RUN" == "true" ]]; then
+    echo "  [DRY-RUN] Would create SP for $app_name ($app_id)" >&2
+    echo ""
+    return 0
+  fi
+
+  local resp
+  resp=$(curl -s --max-time 15 \
+    -H "Authorization: Bearer $token" \
+    -H "Content-Type: application/json" \
+    -X POST \
+    "https://graph.microsoft.com/v1.0/servicePrincipals" \
+    -d "{\"appId\": \"$app_id\"}")
+
+  local new_oid
+  new_oid=$(echo "$resp" | jq -r '.id // empty')
+
+  if [[ -z "$new_oid" ]]; then
+    local err_code
+    err_code=$(echo "$resp" | jq -r '.error.code // empty')
+    if [[ "$err_code" == "Request_MultipleObjectsWithSameKeyValue" ]] || echo "$resp" | grep -qi "conflicting"; then
+      oid=$(get_sp_oid "$token" "$app_id")
+      echo "  [OK] $app_name SP already exists: $oid" >&2
+      echo "$oid"
+      return 0
+    fi
+    echo "  [ERROR] Failed to create SP for $app_name: $(echo "$resp" | jq -r '.error.message // empty')" >&2
+    return 1
+  fi
+
+  echo "  [CREATED] $app_name SP: $new_oid" >&2
+  # Brief pause for Graph replication before granting appRoleAssignments
+  sleep 5
+  echo "$new_oid"
+}
+
+# ── Helper: grant single appRoleAssignment (idempotent) ───────────────────────
+grant_app_role() {
+  local token="$1"
+  local principal_oid="$2"
+  local resource_oid="$3"
+  local role_id="$4"
+
+  # Check if already granted
+  local already
+  already=$(curl -s --max-time 15 \
+    -H "Authorization: Bearer $token" \
+    "https://graph.microsoft.com/v1.0/servicePrincipals/$principal_oid/appRoleAssignments" \
+    | jq --arg rid "$role_id" '([.value[]? | select(.appRoleId == $rid)] | length) > 0')
+
+  if [[ "$already" == "true" ]]; then
+    return 0
+  fi
+
+  if [[ "$DRY_RUN" == "true" ]]; then
+    echo "    [DRY-RUN] Would grant role $role_id"
+    return 0
+  fi
+
+  local body
+  body=$(jq -n \
+    --arg principal "$principal_oid" \
+    --arg resource "$resource_oid" \
+    --arg role "$role_id" \
+    '{"principalId": $principal, "resourceId": $resource, "appRoleId": $role}')
+
+  local resp
+  resp=$(curl -s --max-time 15 \
+    -H "Authorization: Bearer $token" \
+    -H "Content-Type: application/json" \
+    -X POST \
+    "https://graph.microsoft.com/v1.0/servicePrincipals/$principal_oid/appRoleAssignments" \
+    -d "$body")
+
+  local granted_id
+  granted_id=$(echo "$resp" | jq -r '.id // empty')
+
+  if [[ -z "$granted_id" ]]; then
+    local err_code
+    err_code=$(echo "$resp" | jq -r '.error.code // empty')
+    if [[ "$err_code" == "Request_MultipleObjectsWithSameKeyValue" ]] || echo "$resp" | grep -qi "conflicting"; then
+      return 0
+    fi
+    echo "    [ERROR] grant_app_role failed for $role_id: $(echo "$resp" | jq -r '.error.message // "unknown"')" >&2
+    return 1
+  fi
+}
+
+# ── Helper: consent app + grant all permissions ───────────────────────────────
+# Usage: consent_app <token> <app_id> <app_name> \
+#          <graph_sp_oid> <exo_sp_oid_or_empty> <defender_sp_oid_or_empty> \
+#          <graph_roles_varname> [<exo_roles_varname>] [<atp_roles_varname>]
+consent_app() {
+  local token="$1"
+  local app_id="$2"
+  local app_name="$3"
+  local graph_sp_oid="$4"
+  local exo_sp_oid="${5:-}"
+  local defender_sp_oid="${6:-}"
+  local graph_roles_varname="$7"
+  local exo_roles_varname="${8:-}"
+  local atp_roles_varname="${9:-}"
+
+  echo ""
+  echo "[CONSENT] $app_name ($app_id)"
+
+  # Create SP (or confirm existing)
+  local sp_oid
+  sp_oid=$(create_sp_if_missing "$token" "$app_id" "$app_name")
+  if [[ -z "$sp_oid" ]]; then
+    echo "  [ERROR] Cannot proceed — SP creation failed" >&2
+    return 1
+  fi
+
+  local grant_errors=0
+
+  # Grant Graph permissions
+  eval "local graph_roles=(\"\${${graph_roles_varname}[@]}\")"
+  local granted=0 skipped=0 errors=0
+  for role_id in "${graph_roles[@]}"; do
+    if grant_app_role "$token" "$sp_oid" "$graph_sp_oid" "$role_id"; then
+      ((granted++)) || true
+    else
+      ((errors++)) || true
+      ((grant_errors++)) || true
+    fi
+  done
+  echo "  Graph permissions: ${#graph_roles[@]} total — $errors error(s)"
+
+  # Grant Exchange Online permissions
+  if [[ -n "$exo_roles_varname" ]] && [[ -n "$exo_sp_oid" ]]; then
+    eval "local exo_roles=(\"\${${exo_roles_varname}[@]}\")"
+    local exo_errors=0
+    for role_id in "${exo_roles[@]}"; do
+      if ! grant_app_role "$token" "$sp_oid" "$exo_sp_oid" "$role_id"; then
+        ((exo_errors++)) || true
+        ((grant_errors++)) || true
+      fi
+    done
+    echo "  Exchange Online permissions: ${#exo_roles[@]} total — $exo_errors error(s)"
+  elif [[ -n "$exo_roles_varname" ]] && [[ -z "$exo_sp_oid" ]]; then
+    echo "  [WARNING] Exchange Online SP not found — EXO permissions skipped"
+  fi
+
+  # Grant Defender ATP permissions
+  if [[ -n "$atp_roles_varname" ]] && [[ -n "$defender_sp_oid" ]]; then
+    eval "local atp_roles=(\"\${${atp_roles_varname}[@]}\")"
+    local atp_errors=0
+    for role_id in "${atp_roles[@]}"; do
+      if ! grant_app_role "$token" "$sp_oid" "$defender_sp_oid" "$role_id"; then
+        ((atp_errors++)) || true
+        ((grant_errors++)) || true
+      fi
+    done
+    echo "  Defender ATP permissions: ${#atp_roles[@]} total — $atp_errors error(s)"
+  elif [[ -n "$atp_roles_varname" ]] && [[ -z "$defender_sp_oid" ]]; then
+    echo "  [INFO] Defender ATP SP not found — tenant likely not MDE-licensed, skipping"
+  fi
+
+  if [[ $grant_errors -eq 0 ]]; then
+    echo "  [OK] $app_name fully consented and permissions granted"
+    return 0
+  else
+    echo "  [WARNING] $app_name consent completed with $grant_errors permission error(s)"
+    return 1
+  fi
+}
+
+# ── Helper: check if directory role already assigned ─────────────────────────
+# TODO(howard): This only checks roleAssignments (direct/permanent). PIM-managed
+# assignments live in roleAssignmentSchedules and won't be found here, causing
+# noisy-but-harmless "MISSING -> ASSIGNING" output that hits the Conflict fallback.
+# Fix: also query /roleManagement/directory/roleAssignmentSchedules?$filter=principalId eq '...'
+# and return true if either query finds the role. Reference: Howard's note 2026-04-29.
+role_assigned() {
+  local token="$1"
+  local sp_oid="$2"
+  local role_id="$3"
+  local resp
+  resp=$(curl -s --max-time 15 \
+    -H "Authorization: Bearer $token" \
+    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalId eq '${sp_oid}'")
+  echo "$resp" | jq --arg rid "$role_id" \
+    '[.value[] | select(.roleDefinitionId == $rid)] | length > 0'
+}
+
+# ── Helper: assign directory role ─────────────────────────────────────────────
+assign_role() {
+  local token="$1"
+  local sp_oid="$2"
+  local role_id="$3"
+  local role_name="$4"
+
+  if [[ "$DRY_RUN" == "true" ]]; then
+    echo "    [DRY-RUN] Would assign $role_name to SP $sp_oid"
+    return 0
+  fi
+
+  local body
+  body=$(jq -n \
+    --arg role "$role_id" \
+    --arg principal "$sp_oid" \
+    '{"roleDefinitionId": $role, "principalId": $principal, "directoryScopeId": "/"}')
+
+  local resp
+  resp=$(curl -s --max-time 15 \
+    -H "Authorization: Bearer $token" \
+    -H "Content-Type: application/json" \
+    -X POST \
+    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" \
+    -d "$body")
+
+  local assigned_id
+  assigned_id=$(echo "$resp" | jq -r '.id // empty')
+  if [[ -z "$assigned_id" ]]; then
+    local err_code
+    err_code=$(echo "$resp" | jq -r '.error.code // empty')
+    if [[ "$err_code" == "Conflict" ]] || [[ "$err_code" == "Request_MultipleObjectsWithSameKeyValue" ]] || \
+       echo "$resp" | grep -qi "conflicting object"; then
+      echo "    [OK] $role_name already assigned (conflict returned — idempotent)"
+      return 0
+    fi
+    echo "    [ERROR] Failed to assign $role_name" >&2
+    echo "    Response: $resp" >&2
+    return 1
+  fi
+  echo "    [OK] $role_name assigned (assignment id=$assigned_id)"
+}
+
+# ── Step 1: Resolve tenant ────────────────────────────────────────────────────
+echo "[INFO] Resolving tenant: $TARGET"
+TENANT_ID=$("$SCRIPT_DIR/resolve-tenant.sh" "$TARGET")
+if [[ -z "$TENANT_ID" ]]; then
+  echo "[ERROR] Could not resolve tenant ID for: $TARGET" >&2
+  exit 1
+fi
+
+DISPLAY_NAME="$TARGET"
+echo "[OK] Tenant: $DISPLAY_NAME ($TENANT_ID)"
+
+# ── Step 2: Acquire Tenant Admin token ───────────────────────────────────────
+echo "[INFO] Acquiring Tenant Admin token for $TENANT_ID..."
+set +e
+TENANT_ADMIN_TOKEN_OUT=$("$SCRIPT_DIR/get-token.sh" "$TENANT_ID" "tenant-admin" 2>/tmp/onboard-token-err.txt)
+GET_TOKEN_EXIT=$?
+TOKEN_ERR=$(cat /tmp/onboard-token-err.txt 2>/dev/null || true)
+set -e
+
+if [[ $GET_TOKEN_EXIT -ne 0 ]]; then
+  if echo "$TOKEN_ERR" | grep -qi "7000229\|AADSTS7000229\|service principal\|not been authorized\|not found"; then
+    echo "[WARNING] Tenant Admin app not yet consented in tenant $TENANT_ID"
+    print_consent_urls "$TENANT_ID"
+    exit 2
+  fi
+  echo "[ERROR] Failed to acquire Tenant Admin token (exit $GET_TOKEN_EXIT)" >&2
+  echo "$TOKEN_ERR" >&2
+  exit 5
+fi
+TENANT_ADMIN_TOKEN="$TENANT_ADMIN_TOKEN_OUT"
+
+TA_SP_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$APP_TENANT_ADMIN")
+if [[ -z "$TA_SP_OID" ]]; then
+  echo "[WARNING] Tenant Admin SP not found in tenant — app not consented yet"
+  print_consent_urls "$TENANT_ID"
+  exit 2
+fi
+echo "[OK] Tenant Admin consented — SP: $TA_SP_OID"
+
+[[ "$DRY_RUN" == "true" ]] && echo "[INFO] --dry-run mode: no changes will be made"
+
+# ── Step 3: Locate resource SPs in customer tenant ───────────────────────────
+echo ""
+echo "[INFO] Locating resource service principals in tenant..."
+
+GRAPH_SP_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$GRAPH_APP_ID")
+EXO_SP_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$EXO_APP_ID")
+DEFENDER_SP_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$DEFENDER_APP_ID")
+
+[[ -n "$GRAPH_SP_OID" ]]    && echo "  [OK] Microsoft Graph SP:      $GRAPH_SP_OID" || echo "  [ERROR] Microsoft Graph SP not found — cannot proceed" >&2
+[[ -n "$EXO_SP_OID" ]]      && echo "  [OK] Exchange Online SP:      $EXO_SP_OID"   || echo "  [WARNING] Exchange Online SP not found (no Exchange license?)"
+[[ -n "$DEFENDER_SP_OID" ]] && echo "  [OK] Defender ATP SP:         $DEFENDER_SP_OID" || echo "  [INFO] Defender ATP SP not found (tenant likely not MDE-licensed)"
+
+if [[ -z "$GRAPH_SP_OID" ]]; then
+  echo "[ERROR] Microsoft Graph SP missing — cannot grant app permissions" >&2
+  exit 1
+fi
+
+# ── Step 3.5: Backfill Tenant Admin SP — Policy.Read.All ─────────────────────
+# Microsoft tightened LIST /identity/conditionalAccess/* to require Policy.Read.All
+# (Policy.ReadWrite.ConditionalAccess no longer accepted for reads). Added to manifest
+# 2026-04-29; tenants consented before that need backfill.
+POLICY_READ_ALL_ID="246dd0d5-5bd0-4def-940b-0421030a5b68"
+HAS_POLICY_READ=$(curl -s --max-time 15 \
+  -H "Authorization: Bearer $TENANT_ADMIN_TOKEN" \
+  "https://graph.microsoft.com/v1.0/servicePrincipals/$TA_SP_OID/appRoleAssignments" \
+  | jq --arg rid "$POLICY_READ_ALL_ID" '[.value[]? | select(.appRoleId == $rid)] | length > 0')
+
+if [[ "$HAS_POLICY_READ" != "true" ]]; then
+  echo ""
+  echo "[INFO] Tenant Admin SP missing Policy.Read.All — backfilling..."
+  if [[ "$DRY_RUN" == "true" ]]; then
+    echo "  [DRY-RUN] Would grant Policy.Read.All ($POLICY_READ_ALL_ID) to Tenant Admin SP"
+  elif grant_app_role "$TENANT_ADMIN_TOKEN" "$TA_SP_OID" "$GRAPH_SP_OID" "$POLICY_READ_ALL_ID"; then
+    echo "  [OK] Policy.Read.All granted to Tenant Admin SP"
+  else
+    echo "  [WARNING] Could not grant Policy.Read.All programmatically — customer re-consent may be needed"
+    echo "    Re-consent URL: ${CONSENT_BASE}/${TENANT_ID}/adminconsent?client_id=${APP_TENANT_ADMIN}&redirect_uri=${CONSENT_REDIRECT}&prompt=consent"
+  fi
+fi
+
+# ── Step 4: Programmatic consent — create SPs + grant appRoleAssignments ──────
+echo ""
+echo "[INFO] Consenting app suite in tenant (programmatic — no customer click needed)..."
+
+CONSENT_PARTIAL=false
+
+consent_app "$TENANT_ADMIN_TOKEN" "$APP_SEC_INV"  "Security Investigator" \
+  "$GRAPH_SP_OID" "$EXO_SP_OID" "" \
+  "SEC_INV_GRAPH_ROLES" "SEC_INV_EXO_ROLES" \
+  || CONSENT_PARTIAL=true
+
+consent_app "$TENANT_ADMIN_TOKEN" "$APP_EXCH_OP"  "Exchange Operator" \
+  "$GRAPH_SP_OID" "$EXO_SP_OID" "" \
+  "EXCH_OP_GRAPH_ROLES" "EXCH_OP_EXO_ROLES" \
+  || CONSENT_PARTIAL=true
+
+consent_app "$TENANT_ADMIN_TOKEN" "$APP_USER_MGR"  "User Manager" \
+  "$GRAPH_SP_OID" "" "" \
+  "USER_MGR_GRAPH_ROLES" \
+  || CONSENT_PARTIAL=true
+
+if [[ -n "$DEFENDER_SP_OID" ]]; then
+  consent_app "$TENANT_ADMIN_TOKEN" "$APP_DEFENDER" "Defender Add-on" \
+    "$GRAPH_SP_OID" "" "$DEFENDER_SP_OID" \
+    "DEFENDER_GRAPH_ROLES" "" "DEFENDER_ATP_ROLES" \
+    || CONSENT_PARTIAL=true
+else
+  echo ""
+  echo "[INFO] Skipping Defender Add-on consent (no MDE license detected)"
+fi
+
+# ── Step 5: Check/assign directory roles per SP ───────────────────────────────
+declare -A STATUS_MAP
+
+echo ""
+echo "[INFO] Checking and assigning directory roles..."
+
+SEC_INV_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$APP_SEC_INV")
+EXCH_OP_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$APP_EXCH_OP")
+USER_MGR_OID=$(get_sp_oid "$TENANT_ADMIN_TOKEN" "$APP_USER_MGR")
+
+PARTIAL_FAILURE=false
+
+# Security Investigator -> Exchange Administrator
+if [[ -z "$SEC_INV_OID" ]]; then
+  echo "[WARNING] Security Investigator SP still not found after consent attempt"
+  STATUS_MAP["Security Investigator:Exchange Administrator"]="MISSING SP"
+else
+  echo ""
+  echo "[CHECK] Security Investigator SP: $SEC_INV_OID"
+  IS_PRESENT=$(role_assigned "$TENANT_ADMIN_TOKEN" "$SEC_INV_OID" "$ROLE_EXCHANGE_ADMIN")
+  if [[ "$IS_PRESENT" == "true" ]]; then
+    echo "  Exchange Administrator: PRESENT"
+    STATUS_MAP["Security Investigator:Exchange Administrator"]="OK"
+  else
+    echo "  Exchange Administrator: MISSING -> ASSIGNING..."
+    if assign_role "$TENANT_ADMIN_TOKEN" "$SEC_INV_OID" "$ROLE_EXCHANGE_ADMIN" "Exchange Administrator"; then
+      STATUS_MAP["Security Investigator:Exchange Administrator"]=$( [[ "$DRY_RUN" == "true" ]] && echo "DRY-RUN" || echo "ASSIGNED" )
+    else
+      STATUS_MAP["Security Investigator:Exchange Administrator"]="ERROR"
+      PARTIAL_FAILURE=true
+    fi
+  fi
+fi
+
+# Exchange Operator -> Exchange Administrator
+if [[ -z "$EXCH_OP_OID" ]]; then
+  echo "[WARNING] Exchange Operator SP still not found after consent attempt"
+  STATUS_MAP["Exchange Operator:Exchange Administrator"]="MISSING SP"
+else
+  echo ""
+  echo "[CHECK] Exchange Operator SP: $EXCH_OP_OID"
+  IS_PRESENT=$(role_assigned "$TENANT_ADMIN_TOKEN" "$EXCH_OP_OID" "$ROLE_EXCHANGE_ADMIN")
+  if [[ "$IS_PRESENT" == "true" ]]; then
+    echo "  Exchange Administrator: PRESENT"
+    STATUS_MAP["Exchange Operator:Exchange Administrator"]="OK"
+  else
+    echo "  Exchange Administrator: MISSING -> ASSIGNING..."
+    if assign_role "$TENANT_ADMIN_TOKEN" "$EXCH_OP_OID" "$ROLE_EXCHANGE_ADMIN" "Exchange Administrator"; then
+      STATUS_MAP["Exchange Operator:Exchange Administrator"]=$( [[ "$DRY_RUN" == "true" ]] && echo "DRY-RUN" || echo "ASSIGNED" )
+    else
+      STATUS_MAP["Exchange Operator:Exchange Administrator"]="ERROR"
+      PARTIAL_FAILURE=true
+    fi
+  fi
+fi
+
+# Tenant Admin -> Conditional Access Administrator
+# Required because Microsoft Graph evaluates SP membership in CA-relevant directory
+# roles in addition to OAuth scopes when calling /identity/conditionalAccess/* endpoints.
+# Without this role, the Tenant Admin SP gets 403 even with Policy.ReadWrite.ConditionalAccess
+# in its token. Discovered Cascades 2026-04-28; backfilled here so future tenants don't trip on it.
+echo ""
+echo "[CHECK] Tenant Admin SP: $TA_SP_OID"
+# Activate CA Admin role in tenant first (idempotent — returns 400 if already activated)
+ACTIVATE_RESP=$(curl -s --max-time 15 \
+  -H "Authorization: Bearer $TENANT_ADMIN_TOKEN" \
+  -H "Content-Type: application/json" \
+  -X POST \
+  "https://graph.microsoft.com/v1.0/directoryRoles" \
+  -d "{\"roleTemplateId\":\"$ROLE_CA_ADMIN\"}" 2>/dev/null || true)
+# Don't fail on activation — directly-assigned role POST handles the case where already active
+
+IS_CA=$(role_assigned "$TENANT_ADMIN_TOKEN" "$TA_SP_OID" "$ROLE_CA_ADMIN")
+if [[ "$IS_CA" == "true" ]]; then
+  echo "  Conditional Access Administrator: PRESENT"
+  STATUS_MAP["Tenant Admin:Conditional Access Administrator"]="OK"
+else
+  echo "  Conditional Access Administrator: MISSING -> ASSIGNING..."
+  if assign_role "$TENANT_ADMIN_TOKEN" "$TA_SP_OID" "$ROLE_CA_ADMIN" "Conditional Access Administrator"; then
+    STATUS_MAP["Tenant Admin:Conditional Access Administrator"]=$( [[ "$DRY_RUN" == "true" ]] && echo "DRY-RUN" || echo "ASSIGNED" )
+  else
+    STATUS_MAP["Tenant Admin:Conditional Access Administrator"]="ERROR"
+    PARTIAL_FAILURE=true
+  fi
+fi
+
+# User Manager -> User Administrator + Authentication Administrator
+if [[ -z "$USER_MGR_OID" ]]; then
+  echo "[WARNING] User Manager SP still not found after consent attempt"
+  STATUS_MAP["User Manager:User Administrator"]="MISSING SP"
+  STATUS_MAP["User Manager:Authentication Administrator"]="MISSING SP"
+else
+  echo ""
+  echo "[CHECK] User Manager SP: $USER_MGR_OID"
+
+  IS_UA=$(role_assigned "$TENANT_ADMIN_TOKEN" "$USER_MGR_OID" "$ROLE_USER_ADMIN")
+  if [[ "$IS_UA" == "true" ]]; then
+    echo "  User Administrator: PRESENT"
+    STATUS_MAP["User Manager:User Administrator"]="OK"
+  else
+    echo "  User Administrator: MISSING -> ASSIGNING..."
+    if assign_role "$TENANT_ADMIN_TOKEN" "$USER_MGR_OID" "$ROLE_USER_ADMIN" "User Administrator"; then
+      STATUS_MAP["User Manager:User Administrator"]=$( [[ "$DRY_RUN" == "true" ]] && echo "DRY-RUN" || echo "ASSIGNED" )
+    else
+      STATUS_MAP["User Manager:User Administrator"]="ERROR"
+      PARTIAL_FAILURE=true
+    fi
+  fi
+
+  IS_AA=$(role_assigned "$TENANT_ADMIN_TOKEN" "$USER_MGR_OID" "$ROLE_AUTH_ADMIN")
+  if [[ "$IS_AA" == "true" ]]; then
+    echo "  Authentication Administrator: PRESENT"
+    STATUS_MAP["User Manager:Authentication Administrator"]="OK"
+  else
+    echo "  Authentication Administrator: MISSING -> ASSIGNING..."
+    if assign_role "$TENANT_ADMIN_TOKEN" "$USER_MGR_OID" "$ROLE_AUTH_ADMIN" "Authentication Administrator"; then
+      STATUS_MAP["User Manager:Authentication Administrator"]=$( [[ "$DRY_RUN" == "true" ]] && echo "DRY-RUN" || echo "ASSIGNED" )
+    else
+      STATUS_MAP["User Manager:Authentication Administrator"]="ERROR"
+      PARTIAL_FAILURE=true
+    fi
+  fi
+fi
+
+# ── Step 6: Final status table ────────────────────────────────────────────────
+echo ""
+if [[ "$PARTIAL_FAILURE" == "true" ]] || [[ "$CONSENT_PARTIAL" == "true" ]]; then
+  echo "[WARNING] Onboarding completed with errors for $DISPLAY_NAME"
+else
+  if [[ "$DRY_RUN" == "true" ]]; then
+    echo "[INFO] Dry-run complete for $DISPLAY_NAME ($TENANT_ID) — no changes made"
+  else
+    echo "[SUCCESS] Onboarding complete for $DISPLAY_NAME"
+  fi
+fi
+
+echo "SP roles status:"
+TA_CA="${STATUS_MAP["Tenant Admin:Conditional Access Administrator"]:-SKIPPED}"
+echo "  Tenant Admin:"
+printf "    Conditional Access Administrator: %s\n" "[$TA_CA]"
+
+SEC_EXCH="${STATUS_MAP["Security Investigator:Exchange Administrator"]:-SKIPPED}"
+echo "  Security Investigator:"
+printf "    Exchange Administrator:       %s\n" "[$SEC_EXCH]"
+
+EO_EXCH="${STATUS_MAP["Exchange Operator:Exchange Administrator"]:-SKIPPED}"
+echo "  Exchange Operator:"
+printf "    Exchange Administrator:       %s\n" "[$EO_EXCH]"
+
+UA="${STATUS_MAP["User Manager:User Administrator"]:-SKIPPED}"
+AA="${STATUS_MAP["User Manager:Authentication Administrator"]:-SKIPPED}"
+echo "  User Manager:"
+printf "    User Administrator:           %s\n" "[$UA]"
+printf "    Authentication Administrator: %s\n" "[$AA]"
+
+if [[ "$PARTIAL_FAILURE" == "true" ]]; then
+  exit 10
+fi
+exit 0

.claude/skills/remediation-tool/scripts/patch-tenant-admin-manifest.sh

@@ -0,0 +1,181 @@
+#!/usr/bin/env bash
+# Patch the Tenant Admin app manifest to add RoleManagement.ReadWrite.Directory,
+# then grant admin consent for that role in the ACG home tenant.
+#
+# Usage: patch-tenant-admin-manifest.sh
+#
+# Requirements:
+#   - Management app token (ACG home tenant) via SOPS vault
+#   - jq on PATH
+#   - curl on PATH
+set -euo pipefail
+
+ACG_HOME_TENANT="ce61461e-81a0-4c84-bb4a-7b354a9a356d"
+MANAGEMENT_CLIENT_ID="0df4e185-4cf2-478c-a490-cc4ef36c6118"
+MANAGEMENT_VAULT_PATH="msp-tools/computerguru-management.sops.yaml"
+TENANT_ADMIN_APP_ID="709e6eed-0711-4875-9c44-2d3518c47063"
+GRAPH_RESOURCE_APP_ID="00000003-0000-0000-c000-000000000000"
+ROLE_MGMT_PERMISSION_ID="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"
+
+VAULT_ROOT="${VAULT_PATH:-}"
+if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
+  for py in py python3 python; do
+    if command -v "$py" >/dev/null 2>&1; then
+      VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
+    fi
+  done
+fi
+[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] vault_path not set in $IDENTITY_FILE and VAULT_PATH env var not set" >&2; exit 3; }
+[[ ! -d "$VAULT_ROOT" ]] && { echo "[ERROR] vault not found at $VAULT_ROOT (check vault_path in $IDENTITY_FILE)" >&2; exit 3; }
+
+# ── Step 1: Get Management app client secret ──────────────────────────────────
+echo "[INFO] Reading Management app secret from vault..."
+CLIENT_SECRET=""
+CLIENT_SECRET=$(bash "$VAULT_ROOT/scripts/vault.sh" get-field "$MANAGEMENT_VAULT_PATH" credentials.client_secret 2>/dev/null | tr -d '\r\n' || true)
+if [[ -z "$CLIENT_SECRET" ]]; then
+  CLIENT_SECRET=$(bash "$VAULT_ROOT/scripts/vault.sh" get-field "$MANAGEMENT_VAULT_PATH" credentials.credential 2>/dev/null | tr -d '\r\n' || true)
+fi
+[[ -z "$CLIENT_SECRET" ]] && { echo "[ERROR] Could not read secret from $MANAGEMENT_VAULT_PATH" >&2; exit 4; }
+echo "[OK] Management app secret retrieved"
+
+# ── Step 2: Get Management app token (home tenant) ───────────────────────────
+echo "[INFO] Acquiring Management app token for ACG home tenant..."
+TOKEN_RESP=$(curl -s --max-time 15 -X POST \
+  "https://login.microsoftonline.com/${ACG_HOME_TENANT}/oauth2/v2.0/token" \
+  --data-urlencode "client_id=${MANAGEMENT_CLIENT_ID}" \
+  --data-urlencode "client_secret=${CLIENT_SECRET}" \
+  --data-urlencode "scope=https://graph.microsoft.com/.default" \
+  --data-urlencode "grant_type=client_credentials")
+
+MGMT_TOKEN=$(echo "$TOKEN_RESP" | jq -r '.access_token // empty')
+if [[ -z "$MGMT_TOKEN" ]]; then
+  echo "[ERROR] Failed to acquire Management app token" >&2
+  echo "$TOKEN_RESP" >&2
+  exit 5
+fi
+echo "[OK] Management app token acquired"
+
+# ── Step 3: Get current Tenant Admin app object + requiredResourceAccess ──────
+echo "[INFO] Fetching Tenant Admin app registration (appId=$TENANT_ADMIN_APP_ID)..."
+APP_RESP=$(curl -s --max-time 15 \
+  -H "Authorization: Bearer $MGMT_TOKEN" \
+  -G \
+  --data-urlencode "\$filter=appId eq '$TENANT_ADMIN_APP_ID'" \
+  --data-urlencode "\$select=id,displayName,requiredResourceAccess" \
+  "https://graph.microsoft.com/v1.0/applications")
+
+APP_OBJ_ID=$(echo "$APP_RESP" | jq -r '.value[0].id // empty')
+APP_DISPLAY=$(echo "$APP_RESP" | jq -r '.value[0].displayName // empty')
+if [[ -z "$APP_OBJ_ID" ]]; then
+  echo "[ERROR] Tenant Admin application not found (appId=$TENANT_ADMIN_APP_ID)" >&2
+  echo "Response: $APP_RESP" >&2
+  exit 6
+fi
+echo "[OK] Found app: $APP_DISPLAY (objectId=$APP_OBJ_ID)"
+
+# ── Step 4: Check whether RoleManagement.ReadWrite.Directory already present ──
+ALREADY_PRESENT=$(echo "$APP_RESP" | jq --arg pid "$ROLE_MGMT_PERMISSION_ID" \
+  '[.value[0].requiredResourceAccess[].resourceAccess[].id] | map(select(. == $pid)) | length > 0')
+if [[ "$ALREADY_PRESENT" == "true" ]]; then
+  echo "[OK] RoleManagement.ReadWrite.Directory already present in manifest — no patch needed"
+else
+  echo "[INFO] RoleManagement.ReadWrite.Directory not in manifest — patching..."
+
+  # Build updated requiredResourceAccess: inject new permission into the Graph entry
+  UPDATED_RRA=$(echo "$APP_RESP" | jq --arg gid "$GRAPH_RESOURCE_APP_ID" \
+    --arg pid "$ROLE_MGMT_PERMISSION_ID" '
+    .value[0].requiredResourceAccess
+    | map(
+        if .resourceAppId == $gid
+        then .resourceAccess += [{"id": $pid, "type": "Role"}]
+        else .
+        end
+      )
+  ')
+
+  # PATCH the application
+  PATCH_RESP=$(curl -s --max-time 15 -o /dev/null -w "%{http_code}" -X PATCH \
+    -H "Authorization: Bearer $MGMT_TOKEN" \
+    -H "Content-Type: application/json" \
+    "https://graph.microsoft.com/v1.0/applications/$APP_OBJ_ID" \
+    -d "{\"requiredResourceAccess\": $UPDATED_RRA}")
+
+  if [[ "$PATCH_RESP" == "204" ]]; then
+    echo "[OK] App manifest patched (HTTP 204)"
+  else
+    echo "[ERROR] PATCH returned HTTP $PATCH_RESP" >&2
+    exit 7
+  fi
+fi
+
+# ── Step 5: Locate Tenant Admin SP and Graph SP in the home tenant ─────────────
+echo "[INFO] Locating Tenant Admin service principal in home tenant..."
+TA_SP_RESP=$(curl -s --max-time 15 \
+  -H "Authorization: Bearer $MGMT_TOKEN" \
+  -G \
+  --data-urlencode "\$filter=appId eq '$TENANT_ADMIN_APP_ID'" \
+  --data-urlencode "\$select=id,displayName" \
+  "https://graph.microsoft.com/v1.0/servicePrincipals")
+TA_SP_OID=$(echo "$TA_SP_RESP" | jq -r '.value[0].id // empty')
+[[ -z "$TA_SP_OID" ]] && { echo "[ERROR] Tenant Admin SP not found in home tenant" >&2; exit 8; }
+echo "[OK] Tenant Admin SP: $TA_SP_OID"
+
+echo "[INFO] Locating Microsoft Graph SP in home tenant..."
+GRAPH_SP_RESP=$(curl -s --max-time 15 \
+  -H "Authorization: Bearer $MGMT_TOKEN" \
+  -G \
+  --data-urlencode "\$filter=appId eq '00000003-0000-0000-c000-000000000000'" \
+  --data-urlencode "\$select=id" \
+  "https://graph.microsoft.com/v1.0/servicePrincipals")
+GRAPH_SP_OID=$(echo "$GRAPH_SP_RESP" | jq -r '.value[0].id // empty')
+[[ -z "$GRAPH_SP_OID" ]] && { echo "[ERROR] Microsoft Graph SP not found in home tenant" >&2; exit 8; }
+echo "[OK] Microsoft Graph SP: $GRAPH_SP_OID"
+
+# ── Step 6: Check if appRoleAssignment already granted ────────────────────────
+echo "[INFO] Checking existing appRoleAssignments for Tenant Admin SP..."
+EXISTING_RESP=$(curl -s --max-time 15 \
+  -H "Authorization: Bearer $MGMT_TOKEN" \
+  "https://graph.microsoft.com/v1.0/servicePrincipals/$TA_SP_OID/appRoleAssignments")
+
+ALREADY_GRANTED=$(echo "$EXISTING_RESP" | jq --arg rid "$ROLE_MGMT_PERMISSION_ID" \
+  '[.value[] | select(.appRoleId == $rid)] | length > 0')
+
+if [[ "$ALREADY_GRANTED" == "true" ]]; then
+  echo "[OK] RoleManagement.ReadWrite.Directory appRoleAssignment already granted in home tenant — nothing to do"
+else
+  echo "[INFO] Granting RoleManagement.ReadWrite.Directory appRoleAssignment in home tenant..."
+  GRANT_BODY=$(jq -n \
+    --arg principal "$TA_SP_OID" \
+    --arg resource "$GRAPH_SP_OID" \
+    --arg role "$ROLE_MGMT_PERMISSION_ID" \
+    '{"principalId": $principal, "resourceId": $resource, "appRoleId": $role}')
+
+  GRANT_RESP=$(curl -s --max-time 15 \
+    -H "Authorization: Bearer $MGMT_TOKEN" \
+    -H "Content-Type: application/json" \
+    -X POST \
+    "https://graph.microsoft.com/v1.0/servicePrincipals/$TA_SP_OID/appRoleAssignments" \
+    -d "$GRANT_BODY")
+
+  GRANT_ID=$(echo "$GRANT_RESP" | jq -r '.id // empty')
+  if [[ -z "$GRANT_ID" ]]; then
+    echo "[ERROR] Failed to grant appRoleAssignment" >&2
+    echo "$GRANT_RESP" >&2
+    exit 9
+  fi
+  echo "[OK] appRoleAssignment granted (id=$GRANT_ID)"
+fi
+
+echo ""
+echo "[SUCCESS] Tenant Admin app manifest patched and home-tenant consent granted."
+echo "  RoleManagement.ReadWrite.Directory (id=$ROLE_MGMT_PERMISSION_ID) is now active."
+echo ""
+echo "[INFO] Next step: re-run admin consent in any customer tenants where Tenant Admin"
+echo "  is already consented, so the new permission is reflected in their service principal."
+echo ""
+echo "  Consent URL pattern:"
+echo "  https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent"

.claude/skills/remediation-tool/scripts/resolve-tenant.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Resolve an M365 domain (or UPN) to a tenant GUID via OpenID discovery.
+# Usage: resolve-tenant.sh <domain-or-upn-or-tenantid>
+# Output (stdout): tenant GUID. Exit 0 on success, 1 on failure.
+set -euo pipefail
+
+INPUT="${1:?usage: resolve-tenant.sh <domain|upn|tenant-id>}"
+
+# If it looks like a GUID already, pass through.
+if [[ "$INPUT" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$ ]]; then
+  echo "$INPUT"
+  exit 0
+fi
+
+# If it's a UPN, strip to domain.
+DOMAIN="${INPUT#*@}"
+
+# Lightweight cache keyed by domain.
+CACHE_DIR="/tmp/remediation-tool/_tenant-cache"
+mkdir -p "$CACHE_DIR"
+CACHE_FILE="$CACHE_DIR/${DOMAIN}.txt"
+if [[ -f "$CACHE_FILE" ]] && [[ $(find "$CACHE_FILE" -mmin -1440 2>/dev/null) ]]; then
+  cat "$CACHE_FILE"
+  exit 0
+fi
+
+# OpenID discovery — parse issuer URL for tenant GUID.
+RESP=$(curl -s --max-time 10 "https://login.microsoftonline.com/${DOMAIN}/v2.0/.well-known/openid-configuration")
+TENANT_ID=$(echo "$RESP" | jq -r '.issuer // empty' | sed -E 's|^https://login\.microsoftonline\.com/||;s|/v2\.0/?$||' || true)
+
+if [[ -z "$TENANT_ID" ]] || [[ ! "$TENANT_ID" =~ ^[0-9a-fA-F]{8}- ]]; then
+  echo "ERROR: could not resolve tenant for domain: $DOMAIN" >&2
+  echo "Response: $RESP" >&2
+  exit 1
+fi
+
+echo "$TENANT_ID" | tee "$CACHE_FILE"

.claude/skills/remediation-tool/scripts/tenant-sweep.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# Tenant-wide signals sweep: failed sign-ins, foreign successful sign-ins, directory audits,
+# risky users, B2B guest invites, per-user location profile.
+# Usage: tenant-sweep.sh <tenant-id-or-domain>
+# Writes raw JSON to /tmp/remediation-tool/{tenant-id}/sweep/
+# Prints a priority summary to stdout.
+set -euo pipefail
+
+SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"
+TENANT_INPUT="${1:?usage: tenant-sweep.sh <tenant-id|domain>}"
+TENANT_ID=$("$SCRIPT_DIR/resolve-tenant.sh" "$TENANT_INPUT")
+GT=$("$SCRIPT_DIR/get-token.sh" "$TENANT_ID" investigator)
+
+OUT="/tmp/remediation-tool/$TENANT_ID/sweep"
+mkdir -p "$OUT"
+FROM=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
+echo "[info] tenant=$TENANT_ID window=30d from=$FROM"
+
+# Enabled users list
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users?\$top=999&\$filter=accountEnabled%20eq%20true&\$select=id,displayName,userPrincipalName,accountEnabled,userType,externalUserState,lastPasswordChangeDateTime,createdDateTime" \
+  > "$OUT/users.json" &
+
+# Failed sign-ins tenant-wide
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=(createdDateTime%20ge%20${FROM})%20and%20(status/errorCode%20ne%200)&\$top=999" \
+  > "$OUT/failed_signins.json" &
+
+# Successful sign-ins tenant-wide (to find non-US)
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=(createdDateTime%20ge%20${FROM})%20and%20(status/errorCode%20eq%200)&\$top=999" \
+  > "$OUT/success_signins.json" &
+
+# Directory audits, filtered by risky activity names
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?\$filter=activityDateTime%20ge%20${FROM}&\$top=999" \
+  > "$OUT/dir_audits.json" &
+
+# Risky users (may 403 if IdentityRiskyUser scope absent)
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?\$top=100" \
+  > "$OUT/risky_users.json" &
+
+# B2B guest invites
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?\$filter=activityDateTime%20ge%20${FROM}%20and%20activityDisplayName%20eq%20'Invite%20external%20user'&\$top=100" \
+  > "$OUT/guest_invites.json" &
+
+wait
+
+echo ""
+echo "=== Priority 1: accounts with foreign failed sign-ins (credential stuffing candidates) ==="
+jq '[.value[] | select(.location.countryOrRegion != "US" and .location.countryOrRegion != null) | {user: .userPrincipalName, ip: .ipAddress, country: .location.countryOrRegion, city: .location.city, t: .createdDateTime, err: .status.errorCode, fail: .status.failureReason}] | group_by(.user) | map({user: .[0].user, attempts: length, unique_ips: ([.[]|.ip]|unique|length), countries: ([.[]|.country]|unique), first: ([.[]|.t]|min), last: ([.[]|.t]|max)}) | sort_by(-.attempts)' "$OUT/failed_signins.json"
+
+echo ""
+echo "=== Priority 2: successful sign-ins from non-US (suspicious) ==="
+jq '[.value[] | select(.location.countryOrRegion != "US" and .location.countryOrRegion != null) | {user: .userPrincipalName, ip: .ipAddress, country: .location.countryOrRegion, city: .location.city, t: .createdDateTime, app: .appDisplayName, clientApp: .clientAppUsed}] | sort_by(.t) | reverse | .[:30]' "$OUT/success_signins.json"
+
+echo ""
+echo "=== Priority 3: B2B guest invites (30d) ==="
+jq '[.value[] | {t: .activityDateTime, by: (.initiatedBy.user.userPrincipalName // .initiatedBy.app.displayName), target: [.targetResources[]?|{name: .displayName, upn: .userPrincipalName}], result: .result}] | sort_by(.t) | reverse' "$OUT/guest_invites.json"
+
+echo ""
+echo "=== Priority 4: directory audit - consent/role/auth-method changes ==="
+jq '[.value[] | select(.activityDisplayName | test("[Cc]onsent|[Aa]uthentication [Mm]ethod|Add service principal|Add delegated permission grant|Add app role|Add member to role"; "")) | {t: .activityDateTime, act: .activityDisplayName, by: (.initiatedBy.user.userPrincipalName // .initiatedBy.app.displayName // "system"), target: [.targetResources[]?|{type: .type, name: .displayName, upn: .userPrincipalName}], result: .result}] | sort_by(.t) | reverse | .[:50]' "$OUT/dir_audits.json"
+
+echo ""
+echo "=== Risky users (if Identity Protection accessible) ==="
+if jq -e '.error' "$OUT/risky_users.json" >/dev/null 2>&1; then
+  echo "BLOCKED: $(jq -r '.error.code // "?"' "$OUT/risky_users.json") — $(jq -r '.error.message // ""' "$OUT/risky_users.json")"
+  echo "(Check references/gotchas.md for how to unblock IdentityRiskyUser scope)"
+else
+  jq '[.value[] | {upn: .userPrincipalName, level: .riskLevel, state: .riskState, detail: .riskDetail, lastUpdated: .riskLastUpdatedDateTime}]' "$OUT/risky_users.json"
+fi
+
+echo ""
+echo "=== User locations profile (successful sign-ins) ==="
+jq '[.value[] | {user: .userPrincipalName, country: .location.countryOrRegion, city: .location.city}] | unique | group_by(.user) | map({user: .[0].user, locations: [.[]|{country, city}]|unique})' "$OUT/success_signins.json"
+
+echo ""
+echo "[info] Enabled users in tenant: $(jq '.value | length' "$OUT/users.json")"
+echo "[info] raw artifacts: $OUT"

.claude/skills/remediation-tool/scripts/user-breach-check.sh

@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+# Run the 10-point breach check on a single user.
+# Usage: user-breach-check.sh <tenant-id-or-domain> <upn>
+# Writes raw JSON to /tmp/remediation-tool/{tenant-id}/user-breach/{user-slug}/
+# Prints a summary table to stdout.
+set -euo pipefail
+
+SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"
+
+TENANT_INPUT="${1:?usage: user-breach-check.sh <tenant-id|domain> <upn>}"
+UPN="${2:?usage: user-breach-check.sh <tenant-id|domain> <upn>}"
+
+TENANT_ID=$("$SCRIPT_DIR/resolve-tenant.sh" "$TENANT_INPUT")
+GT=$("$SCRIPT_DIR/get-token.sh" "$TENANT_ID" investigator)
+EXO=$("$SCRIPT_DIR/get-token.sh" "$TENANT_ID" investigator-exo) || EXO=""
+
+USER_SLUG=$(echo "$UPN" | tr '@.' '__')
+OUT="/tmp/remediation-tool/$TENANT_ID/user-breach/$USER_SLUG"
+mkdir -p "$OUT"
+
+echo "[info] tenant=$TENANT_ID user=$UPN out=$OUT"
+
+# --- 0. Resolve user object ID ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}?\$select=id,displayName,userPrincipalName,mail,accountEnabled,createdDateTime,lastPasswordChangeDateTime" \
+  > "$OUT/00_user.json"
+UID_=$(jq -r '.id // empty' "$OUT/00_user.json")
+if [[ -z "$UID_" ]]; then
+  echo "ERROR: user not found or Graph returned error" >&2
+  cat "$OUT/00_user.json" >&2
+  exit 1
+fi
+echo "[info] object id: $UID_"
+
+# --- 1. Inbox rules (Graph v1.0 — visible only) ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}/mailFolders/inbox/messageRules" \
+  > "$OUT/01_inbox_rules_graph.json" &
+
+# --- 2. Mailbox settings (forwarding flags) ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}/mailboxSettings" \
+  > "$OUT/02_mailbox_settings.json" &
+
+# --- 4. OAuth consents + app role assignments ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}/oauth2PermissionGrants" \
+  > "$OUT/04a_oauth_grants.json" &
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}/appRoleAssignments" \
+  > "$OUT/04b_app_role_assignments.json" &
+
+# --- 5. Authentication methods ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}/authentication/methods" \
+  > "$OUT/05_auth_methods.json" &
+
+wait
+
+# --- 6. Sign-ins 30d (v1.0 — interactive only) ---
+FROM=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=userId%20eq%20'${UID_}'%20and%20createdDateTime%20ge%20${FROM}&\$top=200" \
+  > "$OUT/06_signins.json" &
+
+# --- 7. Directory audits (targetResources = user) 30d ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?\$filter=activityDateTime%20ge%20${FROM}%20and%20targetResources/any(t:t/id%20eq%20'${UID_}')&\$top=200" \
+  > "$OUT/07_dir_audits.json" &
+
+# --- 8. Risky user + risk detections (403 if app lacks IdentityRiskyUser scope) ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/${UID_}" \
+  > "$OUT/08a_risky_user.json" &
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/identityProtection/riskDetections?\$filter=userId%20eq%20'${UID_}'&\$top=100" \
+  > "$OUT/08b_risk_detections.json" &
+
+# --- 9. Sent items (last 25) ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}/mailFolders/sentitems/messages?\$top=25&\$orderby=sentDateTime%20desc&\$select=subject,toRecipients,sentDateTime,from" \
+  > "$OUT/09_sent.json" &
+
+# --- 10. Deleted items (last 25) ---
+curl -s -H "Authorization: Bearer $GT" \
+  "https://graph.microsoft.com/v1.0/users/${UPN}/mailFolders/deleteditems/messages?\$top=25&\$orderby=receivedDateTime%20desc&\$select=subject,from,receivedDateTime" \
+  > "$OUT/10_deleted.json" &
+
+wait
+
+# --- 3. Exchange REST (hidden rules + delegates + SendAs + Get-Mailbox) ---
+if [[ -n "$EXO" ]]; then
+  EX_URL="https://outlook.office365.com/adminapi/beta/${TENANT_ID}/InvokeCommand"
+
+  curl -s -X POST -H "Authorization: Bearer $EXO" -H "Content-Type: application/json" "$EX_URL" \
+    -d "{\"CmdletInput\":{\"CmdletName\":\"Get-InboxRule\",\"Parameters\":{\"Mailbox\":\"${UPN}\",\"IncludeHidden\":true}}}" \
+    > "$OUT/03a_InboxRule_hidden.json" &
+
+  curl -s -X POST -H "Authorization: Bearer $EXO" -H "Content-Type: application/json" "$EX_URL" \
+    -d "{\"CmdletInput\":{\"CmdletName\":\"Get-MailboxPermission\",\"Parameters\":{\"Identity\":\"${UPN}\"}}}" \
+    > "$OUT/03b_MailboxPermission.json" &
+
+  curl -s -X POST -H "Authorization: Bearer $EXO" -H "Content-Type: application/json" "$EX_URL" \
+    -d "{\"CmdletInput\":{\"CmdletName\":\"Get-RecipientPermission\",\"Parameters\":{\"Identity\":\"${UPN}\"}}}" \
+    > "$OUT/03c_RecipientPermission.json" &
+
+  curl -s -X POST -H "Authorization: Bearer $EXO" -H "Content-Type: application/json" "$EX_URL" \
+    -d "{\"CmdletInput\":{\"CmdletName\":\"Get-Mailbox\",\"Parameters\":{\"Identity\":\"${UPN}\"}}}" \
+    > "$OUT/03d_Mailbox.json" &
+
+  wait
+else
+  echo "[warn] no Exchange token; skipping check 3 (hidden rules/delegates/SendAs/mailbox forwarding flags)"
+fi
+
+# --- Summary table ---
+echo ""
+echo "=== Summary: $UPN ==="
+jq -r '"account_enabled: \(.accountEnabled)  lastPwChange: \(.lastPasswordChangeDateTime)  created: \(.createdDateTime)"' "$OUT/00_user.json"
+echo "01 inbox_rules (Graph):    $(jq '.value | length // "error"' "$OUT/01_inbox_rules_graph.json")"
+echo "02 forwarding:             fwdSmtp=$(jq -r '.automaticRepliesSetting.status // "n/a"' "$OUT/02_mailbox_settings.json" 2>/dev/null) (see mailbox Get-Mailbox for forwarding fields)"
+echo "04a oauth_grants:          $(jq '.value | length // "error"' "$OUT/04a_oauth_grants.json")"
+echo "04b app_role_assignments:  $(jq '.value | length // "error"' "$OUT/04b_app_role_assignments.json")"
+echo "05 auth_methods:           $(jq '.value | length // "error"' "$OUT/05_auth_methods.json")"
+echo "06 signins (30d, interactive): $(jq '.value | length // "error"' "$OUT/06_signins.json")  non-US: $(jq '[.value[]?|select(.location.countryOrRegion != "US" and .location.countryOrRegion != null)] | length' "$OUT/06_signins.json" 2>/dev/null)"
+echo "07 dir_audits (30d):       $(jq '.value | length // "error"' "$OUT/07_dir_audits.json")"
+echo "08 risky_user:             $(jq -r '.riskLevel // .error.code // "none"' "$OUT/08a_risky_user.json" 2>/dev/null)"
+echo "08 risk_detections:        $(jq '.value | length // (.error.code // "error")' "$OUT/08b_risk_detections.json")"
+echo "09 sent (recent 25):       $(jq '.value | length // "error"' "$OUT/09_sent.json")"
+echo "10 deleted (recent 25):    $(jq '.value | length // "error"' "$OUT/10_deleted.json")"
+if [[ -f "$OUT/03a_InboxRule_hidden.json" ]]; then
+  HIDDEN=$(jq '.value | length // (.error.code // "?")' "$OUT/03a_InboxRule_hidden.json" 2>/dev/null || echo "?")
+  echo "03a hidden_inbox_rules:    $HIDDEN"
+  echo "03b mailbox_permissions:   $(jq '[.value[]? | select(.User != "NT AUTHORITY\\SELF")] | length // "?"' "$OUT/03b_MailboxPermission.json" 2>/dev/null) non-SELF"
+  echo "03c send_as:               $(jq '[.value[]? | select(.Trustee != "NT AUTHORITY\\SELF")] | length // "?"' "$OUT/03c_RecipientPermission.json" 2>/dev/null) non-SELF"
+  echo "03d mailbox_forwarding:    fwdAddr=$(jq -r '.value[0].ForwardingAddress // "null"' "$OUT/03d_Mailbox.json" 2>/dev/null)  fwdSmtp=$(jq -r '.value[0].ForwardingSmtpAddress // "null"' "$OUT/03d_Mailbox.json" 2>/dev/null)"
+else
+  echo "03 exchange_rest:          SKIPPED (no exchange token — tenant likely needs Exchange Admin role assigned)"
+fi
+echo ""
+echo "[info] raw artifacts: $OUT"

.claude/skills/remediation-tool/templates/breach-report.md

@@ -0,0 +1,75 @@
+# {{TITLE}}
+
+**Date:** {{YYYY-MM-DD}}
+**Tenant:** {{tenant-display-name}} ({{domain}}, {{tenant-id}})
+**Subject:** {{user-or-tenant}}
+**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
+**Scope:** {{read-only | included remediation}}
+
+## Summary
+
+- {{3-5 bullets: breach indicators found? which categories? priority actions?}}
+
+## Target details
+
+| Field | Value |
+|---|---|
+| UPN | |
+| Object ID | |
+| Account Enabled | |
+| Created | |
+| Last Password Change | |
+
+## Per-check findings
+
+### 1. Inbox rules (Graph)
+{{count, flagged items verbatim}}
+
+### 2. Mailbox forwarding / settings
+{{forwarding flags, auto-reply status}}
+
+### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)
+{{hidden rule count, non-SELF permissions, ForwardingAddress/ForwardingSmtpAddress}}
+
+### 4. OAuth consents + app role assignments
+{{apps consented, when, scopes}}
+
+### 5. Authentication methods
+{{methods, creation dates — flag any inside attack window}}
+
+### 6. Sign-ins (30d)
+{{count, unique IPs, countries, failures — flag non-US and legacy client apps}}
+
+### 7. Directory audits
+{{30d changes targeting user, by-whom analysis}}
+
+### 8. Risky users / risk detections
+{{risk level, recent detections — or note if blocked by missing permission}}
+
+### 9. Sent items (recent 25)
+{{sample of recipients/subjects — flag blast patterns or unusual externals}}
+
+### 10. Deleted items (recent 25)
+{{sample — flag deleted security alerts or MFA notifications}}
+
+## Suspicious items (pulled out of per-check findings)
+
+{{bullets for anything abnormal — external forwards, hidden rules, unfamiliar consents, foreign-geo sign-ins, new auth methods within attack window}}
+
+## Gaps — checks not completed
+
+{{list any 403s or missing permissions with exact remediation link (see gotchas.md)}}
+
+## Next actions
+
+1. {{specific action + owner + deadline}}
+2. {{...}}
+
+## Remediation actions (if any)
+
+{{populated only when `/remediation-tool remediate` was executed — include cmdlet, parameters, response, timestamp}}
+
+## Data artifacts
+
+Raw JSON saved at `/tmp/remediation-tool/{{tenant-id}}/{{check-dir}}/` — files:
+- {{list filenames the scripts produced}}

.claude/skills/skill-creator/SKILL.md

@@ -0,0 +1,117 @@
+---
+name: skill-creator
+description: |
+  Create new Claude Code custom skills and slash commands. Use when the user wants to create a new skill,
+  add a slash command, build a custom command, or set up a new automation. Guides through the process of
+  defining the skill's purpose, triggers, and implementation, then generates the proper file structure.
+---
+
+# Skill Creator
+
+You help the user create new Claude Code custom skills and slash commands.
+
+## Two Types of Custom Extensions
+
+### 1. Skills (`.claude/skills/{name}/SKILL.md`)
+- Rich, multi-purpose capabilities with automatic invocation triggers
+- Can include supporting files (scripts, references, checklists)
+- Best for: complex behaviors, design patterns, validation workflows, integrations
+
+### 2. Slash Commands (`.claude/commands/{name}.md`)
+- Simple, user-invoked commands triggered by `/{name}`
+- Single markdown file with instructions
+- Best for: workflows the user explicitly triggers, task automation, shortcuts
+- Can accept arguments via `$ARGUMENTS`
+
+## Creation Process
+
+### Step 1: Gather Requirements
+
+Ask the user:
+1. **What should this skill/command do?** (core purpose)
+2. **Skill or command?** Help them decide:
+   - If it should run automatically in response to certain actions -> **Skill**
+   - If the user will invoke it explicitly with `/{name}` -> **Command**
+   - If unsure, recommend based on the use case
+3. **Name** - short, kebab-case identifier (e.g., `code-review`, `deploy-check`)
+4. **When should it trigger?** (for skills: automatic triggers; for commands: typical usage)
+
+### Step 2: Generate the Files
+
+#### For Skills
+
+Create `.claude/skills/{name}/SKILL.md`:
+
+```markdown
+---
+name: {name}
+description: |
+  {Detailed description. This is used for discovery/matching, so be specific about
+  when this skill should be invoked. Include trigger keywords and example scenarios.}
+---
+
+# {Skill Title}
+
+{Clear instructions for what Claude should do when this skill is invoked.}
+
+## When to Invoke
+
+{List specific triggers - file types, actions, keywords that should activate this skill.}
+
+## Workflow
+
+{Step-by-step process the skill follows.}
+
+## Guidelines
+
+{Rules, patterns, and best practices to follow.}
+```
+
+#### For Commands
+
+Create `.claude/commands/{name}.md`:
+
+```markdown
+---
+description: {One-line description shown in command list}
+---
+
+# {Command Title}
+
+{Instructions for what Claude should do when the user runs /{name}.}
+
+## Arguments
+
+If the command accepts arguments, reference them via `$ARGUMENTS`.
+
+## Workflow
+
+{Step-by-step process.}
+```
+
+### Step 3: Register and Validate
+
+After creating the files:
+1. Confirm the file was created in the correct location
+2. Tell the user they can invoke it:
+   - Skills: Explain the automatic triggers or manual invocation via `/skill-name`
+   - Commands: Tell them to use `/{name}` or `/{name} arguments`
+3. Remind them to update CLAUDE.md's Commands & Skills table if they want it documented there
+
+## Quality Checklist
+
+Before finalizing, verify:
+- [ ] Description is detailed enough for Claude to match it to relevant situations
+- [ ] Instructions are clear and actionable (Claude will follow them literally)
+- [ ] The skill/command doesn't duplicate an existing one
+- [ ] File is in the correct location (`.claude/skills/` or `.claude/commands/`)
+- [ ] Name uses kebab-case and is concise
+- [ ] For skills with auto-triggers: triggers are specific enough to avoid false positives
+
+## Tips for Good Skills/Commands
+
+- **Be specific in descriptions** - vague descriptions lead to missed or false invocations
+- **Include examples** in the instructions so Claude understands edge cases
+- **Keep scope focused** - one skill per concern, don't create mega-skills
+- **Test after creation** - have the user try invoking it to verify behavior
+- **Reference existing patterns** - look at `.claude/skills/` and `.claude/commands/` for examples

.claude/skills/stop-slop/SKILL.md

@@ -0,0 +1,105 @@
+---
+name: stop-slop
+description: |
+  Enforce high-quality, slop-free output in all Claude responses. MANDATORY AUTOMATIC INVOCATION:
+  This skill is always active. It governs how Claude writes text, code comments, commit messages,
+  documentation, and any other output. Detects and eliminates generic AI filler, hollow phrases,
+  unnecessary verbosity, and performative enthusiasm. Applies to all output — conversation, code,
+  docs, and generated content.
+---
+
+# Stop Slop
+
+You are a direct, competent engineer. Write like one. Every word must earn its place.
+
+## Always-On Rules
+
+These rules apply to ALL output at ALL times. No exceptions.
+
+### Banned Patterns -- Never Write These
+
+**Performative enthusiasm and filler openers:**
+- "Great question!", "Excellent point!", "That's a really interesting..."
+- "Certainly!", "Absolutely!", "Of course!", "Sure thing!"
+- "I'd be happy to help!", "Let me help you with that!"
+- "Good news!", "Here's the exciting part..."
+
+**Hollow transitions and hedging:**
+- "It's worth noting that..." (just state it)
+- "It's important to remember..." (just state it)
+- "As you can see..." / "As we discussed..."
+- "Basically..." / "Essentially..." / "Fundamentally..."
+- "In order to..." (use "to")
+- "It should be noted that..." (just note it)
+- "At the end of the day..."
+- "Moving forward..."
+
+**Unnecessary meta-commentary:**
+- "Let me explain..." (just explain)
+- "I'll now..." / "Next, I'll..." (just do it)
+- "Here's what I found..." (just show it)
+- "Let me break this down..." (just break it down)
+
+**Trailing summaries and sign-offs:**
+- Restating what was just done at the end of a response
+- "Let me know if you have any questions!"
+- "Hope this helps!"
+- "Feel free to ask if you need anything else!"
+- "Happy coding!" / "Happy hacking!"
+- Any variation of "don't hesitate to reach out"
+
+**Weasel words and padding:**
+- "Very", "really", "quite", "rather", "somewhat", "fairly"
+- "Just" (when used as filler, not as "only")
+- "Simply" (when the thing isn't simple, or as filler)
+- "Actually" (at start of sentences, as filler)
+- "Obviously" / "Clearly" (if it were obvious, you wouldn't say it)
+
+**Sycophantic agreement:**
+- "You're absolutely right that..."
+- "That's a great approach!"
+- "What a thoughtful question!"
+- Praising the user's code/ideas before giving feedback
+
+### Writing Standards
+
+**Lead with the answer.** Don't build up to it. State the conclusion, then support it if needed.
+
+**One sentence beats three.** If you can say it shorter, do. Compress ruthlessly.
+
+**No preamble.** Start with the substance. Drop throat-clearing intros.
+
+**No postamble.** End when the content ends. Don't summarize what you just said. Don't offer further help.
+
+**Be specific.** "This fails because X" not "There might be some issues with this approach."
+
+**Code comments: only when non-obvious.** Don't add comments that restate what the code does. Comment the *why*, not the *what*. Most code needs zero comments.
+
+**Commit messages: state the change.** Not "This commit updates the..." -- just "Update X to handle Y."
+
+**Error messages: state what went wrong and what to do.** Not "Oops! It looks like something went wrong."
+
+### Calibration Examples
+
+**Slop:**
+> Great question! Let me help you with that. So basically, what's happening here is that the function is essentially trying to parse the input string. It's worth noting that this can sometimes fail if the input isn't valid JSON. I'd recommend wrapping it in a try-catch block to handle any potential errors that might occur. Let me know if you have any questions!
+
+**Clean:**
+> The function fails on invalid JSON. Wrap it in try-catch:
+> ```js
+> try { return JSON.parse(input); } catch { return null; }
+> ```
+
+**Slop:**
+> I've successfully updated the configuration file to include the new database connection settings. The changes include adding the host, port, username, and password fields as requested. Everything should be working correctly now. Feel free to test it out and let me know if you run into any issues!
+
+**Clean:**
+> Updated the database config with the new connection settings.
+
+### What This Skill Does NOT Do
+
+- It does not make responses terse to the point of being unhelpful
+- It does not remove necessary technical explanation
+- It does not prevent friendly, human tone -- just fake enthusiasm
+- It does not restrict response length when length is warranted by complexity
+- Thoroughness is good. Fluff is not. Know the difference.

.claude/skills/theme-factory/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

.claude/skills/theme-factory/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: theme-factory
+description: Toolkit for styling artifacts with a theme. These artifacts can be slides, docs, reportings, HTML landing pages, etc. There are 10 pre-set themes with colors/fonts that you can apply to any artifact that has been creating, or can generate a new theme on-the-fly.
+license: Complete terms in LICENSE.txt
+---
+
+
+# Theme Factory Skill
+
+This skill provides a curated collection of professional font and color themes themes, each with carefully selected color palettes and font pairings. Once a theme is chosen, it can be applied to any artifact.
+
+## Purpose
+
+To apply consistent, professional styling to presentation slide decks, use this skill. Each theme includes:
+- A cohesive color palette with hex codes
+- Complementary font pairings for headers and body text
+- A distinct visual identity suitable for different contexts and audiences
+
+## Usage Instructions
+
+To apply styling to a slide deck or other artifact:
+
+1. **Show the theme showcase**: Display the `theme-showcase.pdf` file to allow users to see all available themes visually. Do not make any modifications to it; simply show the file for viewing.
+2. **Ask for their choice**: Ask which theme to apply to the deck
+3. **Wait for selection**: Get explicit confirmation about the chosen theme
+4. **Apply the theme**: Once a theme has been chosen, apply the selected theme's colors and fonts to the deck/artifact
+
+## Themes Available
+
+The following 10 themes are available, each showcased in `theme-showcase.pdf`:
+
+1. **Ocean Depths** - Professional and calming maritime theme
+2. **Sunset Boulevard** - Warm and vibrant sunset colors
+3. **Forest Canopy** - Natural and grounded earth tones
+4. **Modern Minimalist** - Clean and contemporary grayscale
+5. **Golden Hour** - Rich and warm autumnal palette
+6. **Arctic Frost** - Cool and crisp winter-inspired theme
+7. **Desert Rose** - Soft and sophisticated dusty tones
+8. **Tech Innovation** - Bold and modern tech aesthetic
+9. **Botanical Garden** - Fresh and organic garden colors
+10. **Midnight Galaxy** - Dramatic and cosmic deep tones
+
+## Theme Details
+
+Each theme is defined in the `themes/` directory with complete specifications including:
+- Cohesive color palette with hex codes
+- Complementary font pairings for headers and body text
+- Distinct visual identity suitable for different contexts and audiences
+
+## Application Process
+
+After a preferred theme is selected:
+1. Read the corresponding theme file from the `themes/` directory
+2. Apply the specified colors and fonts consistently throughout the deck
+3. Ensure proper contrast and readability
+4. Maintain the theme's visual identity across all slides
+
+## Create your Own Theme
+To handle cases where none of the existing themes work for an artifact, create a custom theme. Based on provided inputs, generate a new theme similar to the ones above. Give the theme a similar name describing what the font/color combinations represent. Use any basic description provided to choose appropriate colors/fonts. After generating the theme, show it for review and verification. Following that, apply the theme as described above.