# Session Log — 2026-04-18

## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Mode:** general (mixed)

## Session Summary

Continuation of yesterday's session. Synced Howard's work, reviewed AT Trebesch client onboard, created Howard's GuruRMM account, set up shared work items board, added TickTick tasks, and bulk-closed 179 stale Syncro tickets.

## Work Completed

### 1. Sync + Howard's work review

Pulled 2 commits from Howard (ACG-TECH03L):
- `273342e` — sync at 21:02
- `68153cf` — sync at 23:51

**AT Trebesch — new client onboarded by Howard:**
- 15 files, 626 lines — full client documentation structure
- 1 user, 1 desktop (DESKTOP-QNP3ON5, Lenovo Ryzen 7 250, Win 11 Home 25H2), no server, WORKGROUP
- Audit via workstation_audit.ps1 v2.0.2
- Critical findings: Owner account passwordless, dual AV (Bitdefender + Malwarebytes), Secure Boot disabled, Win 11 Home (not Pro)
- High findings: Defender Tamper Protection off, no ASR rules, two MSP backdoor accounts (guru + localadmin), 85% memory, NETLOGON errors
- Files at `clients/at-trebesch/` (overview, workstations, reports, network/*, cloud/*, security/*, rmm/*, issues/)

**Cascades Tucson — Howard's continued work:**
- `clients/cascades-tucson/CONTEXT.md` — new client context
- `clients/cascades-tucson/scripts/fix-live-shellfolders.ps1` — shell folders fix
- `clients/cascades-tucson/scripts/hive-cleanup-shellfolders.ps1` — registry hive cleanup
- Full session log: `clients/cascades-tucson/session-logs/2026-04-17-howard-cascades-onboarding-and-folder-redirection.md`

Howard also read and cleared `.claude/messages/for-howard.md` (GuruRMM access + Cascades Synology request acknowledged).

### 2. SAGE-SQL session manager — deferred from yesterday

Files committed yesterday, deployment blocked by VPN issues (SSH/WinRM/RMM all timed out). Network recovered later but deployment postponed. Files at `clients/dataforth/session-manager/Default.aspx` + `web.config`. On WORKITEMS.md for today/tomorrow.

### 3. Shared work items board (WORKITEMS.md) — created yesterday

Created and committed `WORKITEMS.md` at repo root. Howard updated it in his sync (8 lines changed). Both team members using it.

### 4. Howard's GuruRMM account — created

Created platform-level admin account via direct database INSERT (no admin user creation API exists yet).

**Process:**
1. SSH to 172.16.3.30 as guru
2. `pip3 install argon2-cffi` (user install)
3. Hashed password with `PasswordHasher(memory_cost=19456, time_cost=2, parallelism=1)` — must match server's Argon2 params
4. INSERT INTO users via psql
5. Verified login returns 200 OK with JWT

**Gotcha discovered:** Python argon2-cffi defaults to `m=65536,t=3,p=4`. The Rust `argon2` crate (v0.5) does NOT verify hashes with different cost parameters even though params are encoded in the hash string. Must match the server's params exactly (`m=19456,t=2,p=1`). Also: CONTEXT.md anti-patterns mention `/tmp/hash_password` utility on the server — should have used that instead.

Instructions pushed to `.claude/messages/for-howard.md` — Howard read and cleared them.

### 5. TickTick integration — verified + tasks added

TickTick MCP integration tested and working. 17 projects returned. Created 2 tasks in "Tasks" project for today:
- Cascades file search
- Review Engineering docs for Dataforth and send them

### 6. Syncro bulk ticket closure — 179 tickets

Closed all "New" status tickets created before January 26, 2026.

**Stats:**
- 179 total tickets closed, 0 errors
- 14 invoice reminder auto-replies → closed silently (hidden internal note, `do_not_email: true`)
- 164 real tickets → closed with customer-facing comment + email
- 1 test ticket (#29256, Oct 2023) → closed first as proof of concept
- Date range: October 2023 through January 23, 2026

**Boilerplate message (emailed to customers):**
> "This ticket is being closed due to age. If this issue still requires attention, please reply to this message or call us at (520) 304-8300 and we will reopen it immediately."

**API discovery:** `PUT /tickets/{id}` accepts `comment_subject`, `comment_body`, `comment_hidden`, `comment_do_not_email` fields alongside `status` — single call for comment + status change. This is what the Syncro web GUI does internally.

**Invoice reminder pattern matched:**
```regex
(Re:|RE:|Automatic reply:).*Arizona Computer Guru LLC.*Invoice
```

**Rate limiting:** 0.4s delay between calls (~150 req/min, under 180 limit). Total runtime ~72 seconds for 178 tickets.

### 7. GuruRMM status review

Reviewed current state from CONTEXT.md for user:
- v0.6.0 deployed, Phase 1 (tunnel) complete
- Phase 2 (channels) pending — priority list: tunnel status 403 fix → OS-native logging → tunnel subscriber → multi-tenancy schema → terminal channel → client event pull
- Server migration 5 sqlx checksum drift still blocking new builds
- 2/6 agents online (AD2 + workstation)

## Credentials

### GuruRMM — Howard's account (NEW)
- Dashboard: https://rmm.azcomputerguru.com
- API: https://rmm-api.azcomputerguru.com
- Email: `howard@azcomputerguru.com`
- Password: `GuruRMM2025!`
- Role: admin (platform-level)
- UUID: `294c1242-68ac-42e7-85b0-564c8b155dba`

### GuruRMM — admin account
- Email: `admin@azcomputerguru.com`
- Password: `GuruRMM2025`
- Vault: `projects/gururmm/dashboard.sops.yaml`

### GuruRMM — database
- Host: 172.16.3.30:5432
- Database: gururmm
- Username: gururmm
- Password: `43617ebf7eb242e814ca9988cc4df5ad`
- Vault: `projects/gururmm/database.sops.yaml`

### GuruRMM — server SSH
- Host: 172.16.3.30
- Username: guru
- Password: `Gptf*77ttb123!@#-rmm`
- Vault: `infrastructure/gururmm-server.sops.yaml`

### GuruRMM — JWT secret
- `ZNzGxghru2XUdBVlaf2G2L1YUBVcl5xH0lr/Gpf/QmE=`
- Vault: `projects/gururmm/api-server.sops.yaml`

### Syncro PSA
- API Key: `T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3`
- Base: `https://computerguru.syncromsp.com/api/v1`
- Vault: `msp-tools/syncro.sops.yaml`

### Dataforth AD2
- Username: `INTRANET\sysadmin`
- Password: `Paper123!@#`
- Vault: `clients/dataforth/ad2.sops.yaml`

## Syncro API Notes (learned/confirmed today)

### Single-call comment + status update
```bash
curl -X PUT "https://computerguru.syncromsp.com/api/v1/tickets/{number}?api_key=${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "Closed",
    "comment_subject": "Subject",
    "comment_body": "Body text",
    "comment_hidden": false,
    "comment_do_not_email": false
  }'
```

### Ticket statuses
`New`, `In Progress`, `Waiting on Customer`, `Waiting on Vendor`, `Scheduled`, `Resolved`, `Invoiced`, `Closed`

No custom "Archived" status — used `Closed` for archival.

### Pagination
- Default: newest first
- `per_page=25` max
- Total pages available in `meta.total_pages`
- `created_before` filter param exists but doesn't seem to work (returns all tickets regardless)

## Files created/modified
- `session-logs/2026-04-18-session.md` — this file
- `.claude/commands/syncro.md` — needs update to document single-call comment+status (TODO)

## WinRM TrustedHosts (local workstation, set yesterday)
- `172.16.9.169,192.168.0.153,SAGE-SQL`

## Pending
1. **SAGE-SQL session manager deployment** — files ready at `clients/dataforth/session-manager/`, steps documented in yesterday's log
2. **Update /syncro command docs** — add single-call PUT comment+status pattern
3. **GuruRMM admin user creation API** — no endpoint, database-only. Low priority.
4. **All items in WORKITEMS.md**
5. **Cascades file search** — TickTick task for today
6. **Review Dataforth engineering docs and send** — TickTick task for today

---

## Update: ~14:00

### Topic: Claude Code model selection + complexity routing system

#### What was discussed

1. **Model selection in Claude Code** — confirmed it is always manual (no automatic complexity-based switching). Options: `/model`, `--model` flag, `ANTHROPIC_MODEL` env var, `settings.json`. The `opusplan` alias is the closest to automatic — uses Opus for planning phase, then switches to Sonnet for execution.

2. **Sub-agent complexity detection** — confirmed we had NO complexity-based model routing for spawned agents. Existing behavior: rule-based routing by operation type, `>500 token` delegation threshold, a few hardcoded Haiku hints in `AGENT_QUICK_REFERENCE.md` for documentation-squire.

#### What was built

**New file: `.claude/COMPLEXITY_ROUTING.md`**

Full 3-tier scoring rubric for sub-agent model selection:
- Tier 1 (Haiku): lookup, format, summarize, doc — no code changes
- Tier 2 (inherit/Sonnet): standard code, DB, tests, git — most work
- Tier 3 (Opus): architecture, security, ambiguous failures, production risk

Bump rule: if request contains `security`, `auth`, `token`, `credential`, `migration`, `production`, `race condition`, `data loss`, `breach`, `encrypt` → bump one tier up regardless.

**Updated: `.claude/CLAUDE.md`**

Inserted "Model Routing (Complexity-Based)" section in the coordinator block, just before Coordination Flow. Compact routing table + bump rule inline. References COMPLEXITY_ROUTING.md for full detail.

#### Files modified
- `.claude/COMPLEXITY_ROUTING.md` — new file, full rubric
- `.claude/CLAUDE.md` — coordinator section updated with routing table