claudetools/wiki/clients/grabb-durando.md
Mike Swanson c871ad8815 sync: auto-sync from GURU-5070 at 2026-06-10 15:18:03
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-10 15:18:03
2026-06-10 15:18:16 -07:00

---
type: client
name: grabb-durando
display_name: Grabb & Durando, P.C.
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/grabb-durando/session-logs/2026-05-04-leap-m365-calendar-fix.md
- clients/grabb-durando/reports/2026-05-04-leap-calendar-permission-investigation.md
- clients/grabb-durando/ai-demand-review/CONTEXT.md
- clients/grabb-durando/PROJECT_STATE.md
- clients/grabb-durando/website-migration/README.md
- clients/grabb-durando/gururmm-diag-GND-SERVER-20260512-155234.txt
backlinks:
- projects/gururmm
---
# Grabb & Durando, P.C.
## Profile
- **Company type:** Plaintiff personal injury law firm (Arizona)
- **Contract type:** Managed (MSP) — includes M365 tenant management
- **Key contacts:**
  - Robert Grabb — rgrabb@grabblaw.com (principal — AI demand review project)
  - Svetlana Larionova — slarionova@grabblaw.com (end user; Leap calendar support 2026-05-04)
  - sysadmin@grabblaw.com — shared admin account (M365 GA operations)
  - guru@grabblaw.com — ACG-managed Global Admin account [unverified — referenced in remediation report]
- **Billing:** PREPAID block customer — **21.25 prepay hours remaining** as of 2026-06-10 (after ticket #32405). Syncro `prepay_hours` only shows on the per-customer detail endpoint, NOT the customer-list endpoint (list returns null — misleading). Remote labor rate $150/hr (drawn from block).
- **Syncro customer ID:** **14232794** (business: "Grabb & Durando Law Office"; primary contact on file: jwilliams@grabblaw.com)
- **Recent ticket:** #32405 (2026-06-10) — calendar-app login fix, 1.0 hr remote applied to prepaid block
## Infrastructure
### Servers & Services
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| GND-SERVER | [unverified] | On-premise server | Windows Server 2019 Standard, AMD64 | GuruRMM agent installed 2026-05-12 via site-specific MSI |
| GoDaddy VPS | 208.109.235.224 | ORIGINAL host of data.grabbanddurando.com (long retired) | CloudLinux 9.6, cPanel v126 | App moved off years ago. Hosting path over ~2 years: GoDaddy -> WebSvr -> IX. Nothing points here now; verify the VPS is cancelled (may still bill). |
| ix.azcomputerguru.com (IX) | 72.194.62.5 (internal 172.16.3.10) | LIVE host of data.grabbanddurando.com (calendar/case app) | CloudLinux 9.7, cPanel | Current home of the app — on IX for ~1yr+ (path: GoDaddy -> WebSvr -> IX over ~2 yrs, per Mike). Confirmed live 2026-06-10. DNS `data.grabbanddurando.com -> 72.194.62.5`. cPanel acct `grabblaw`, docroot `/home/grabblaw/public_html/data_grabbanddurando`, live DB `grabblaw_gdapp_data`. App actively used. SSH via internal `172.16.3.10` only — public port 22 firewalled (times out). |
| WebSvr (ACG) | 162.248.93.81 | Main domain (grabbanddurando.com) DNS/hosting | ACG managed | Nameserver authority for grabbanddurando.com zone |
### Email & Identity
- **M365 tenant:** grabblaw.com (tenant ID `032b383e-96e4-491b-880d-3fd3295672c3`)
- **Licenses:** O365 Business Premium (confirmed on multiple users)
- **MFA status:** [unverified]
- **User-consent policy:** `microsoft-user-default-recommended` + `microsoft-user-default-allow-consent-apps` — high-risk delegated scopes (Mail.ReadWrite, Files.ReadWrite.All) require admin approval
- **Leap (legal case management):** Two service principals registered in tenant:
  - LEAP daemon/service app — `5602fc50-4c30-4faa-a595-e5a0f15d2cce` (app-only, tenant-wide consent already granted)
  - LEAP user-facing/delegated app — `a7d19842-33e2-457b-a399-d4e6ec010f0a` (per-user or tenant-wide consent; tenant-wide granted 2026-05-04)
- **Inky/GuruProtect:** Installed (confirmed in email headers)
- **GuruRMM Security Investigator app:** Consented in tenant (used for read-only Graph investigation 2026-05-04)
### Network
- **ISP / WAN:** [unverified]
- **Firewall:** [unverified]
- **VPN:** [unverified]
### Web Applications
- **Primary site:** grabbanddurando.com — hosted on WebSvr (ACG)
- **Data app ("the calendar site"):** data.grabbanddurando.com — custom PHP app (mysqli, PHP session `law_admin`). Calendar + case management (agenda views, `gd_calendar_events`, `gd_cases`, "Jeff's Notes", phone log, contacts). **NOW LIVE ON IX** (migrated off GoDaddy): cPanel acct `grabblaw`, docroot `/home/grabblaw/public_html/data_grabbanddurando`, live DB **`grabblaw_gdapp_data`** (app user `grabblaw_gddata`; creds hardcoded in `connection.php` — [WARNING] not vaulted). Pre-migration copies `grabblaw_gdapp` (48 users) and `grabblaw_gdapp2` still present on IX as historical snapshots.
- **Auth model:** login is `index.php` → `SELECT * FROM vt_users WHERE username='<login>' AND password=MD5('<pw>') AND is_enabled=1`. Login is **by username** (the form field is labeled "Username" but POSTs as `email`); password is **unsalted MD5**; the account row must have `is_enabled=1` (a disabled row returns "you have not activated your account"). Roles live in `acl_user_role` (1=Super Admin, 3=Assistant, 4=Lawyer, 5=Call Center), linked via `acl_junction_user_role`. "I forgot my password" emails a reset link (writes a `code` to `vt_users`). [WARNING] weak auth: unsalted MD5 + a plaintext password cookie set on login.
- **Case management:** Leap — integrated with M365 calendar/mail via delegated OAuth
## GuruRMM
- **Site name:** Main Office
- **Client code:** [unverified — not documented in available files; MSI was site-specific]
- **Site ID:** `d526d700-7210-48b1-94a9-40c87a29dc25` (from agent registry, this is the SiteId value baked into the MSI)
### Enrolled Agents
| Agent | Host | OS | Version at install | Agent key (partial) | Notes |
|---|---|---|---|---|---|
| GND-SERVER | GND-SERVER | Windows Server 2019 | 0.6.2 (2026-05-12) | `agk_NEzx7sRA9Jd...` | Installed via MSI `gururmm-agent-grabb-main-office.msi`; running as LocalSystem; [WARNING] binary path issue noted at install time — path in registry did not match actual binary location |
- **GuruRMM agent ID:** [unverified — agent ID not captured in available files; use dashboard to confirm]
- **Agent log:** `C:\ProgramData\GuruRMM\agent.log.2026-05-12` (0 bytes at install time)
- **Network connectivity check (2026-05-12):** External HTTPS to rmm.azcomputerguru.com [OK]; internal API (172.16.3.30:3001) [FAIL — timeout, expected for external client]
## Access
- **M365 admin:** Entra portal via sysadmin@grabblaw.com or guru@grabblaw.com
- **GoDaddy VPS (source):** `ssh -i ~/.ssh/id_ed25519 root@208.109.235.224`
- **IX server (hosting target):** `ssh root@ix.azcomputerguru.com`
- **WebSvr (DNS):** `ssh root@websvr.acghosting.com`
- **Vault path:** `clients/grabb-durando/` [unverified — no confirmed SOPS entries found in session logs; check vault before assuming paths]
- **Database credentials (GoDaddy):** [WARNING] Database password `e8o8glFDZD` appears in plaintext in `clients/grabb-durando/website-migration/README.md` — migrate to vault before any future work on this project
## Patterns & Known Issues
- **Leap OAuth consent pattern:** New hires at Grabb & Durando will NOT automatically have Leap M365 calendar sync enabled. As of 2026-05-04 tenant-wide consent was granted on the LEAP delegated app — new users should now get through the consent flow without admin intervention. Verify this holds for next new hire.
- **Leap identity binding trap:** If an admin signs in to Leap on a user's machine to grant consent, Leap stores the admin's identity token instead of the user's. Symptom: Leap syncs the wrong mailbox and throws "unable to subscribe to notifications." Fix: revoke admin OAuth grant, clear `%LOCALAPPDATA%\Microsoft Corporation\` Leap cache, re-sign in as the correct user.
- **SYSTEM context in GuruRMM commands:** Agent runs as LocalSystem. HKCU probes from GuruRMM commands read the SYSTEM hive, not a logged-in user's. Use `HKU:\<SID>` path for per-user registry work.
- **Website migration (data.grabbanddurando.com):** COMPLETE — app is live on IX (`/home/grabblaw/public_html/data_grabbanddurando`, DB `grabblaw_gdapp_data`), confirmed 2026-06-10. DNS points to 72.194.62.5. App actively used post-migration.
- **[WARNING] Live user table holds only active logins — traced to the Dec 2025 rebuild (root cause of "login broken for one user"):** The live `vt_users` has only **6 of 48** rows (and 77 of 82 `acl_junction_user_role` links) vs. the older copy `grabblaw_gdapp`. Origin confirmed by 2026-06-10 forensics: a **Dec 15-16 2025 server migration / MariaDB strict-mode rebuild**, documented on-server at `backups_mariadb_fix/MIGRATION_REPORT.md` ("Prepared by: IT Support" — GoDaddy/legacy → IX cPanel, PHP 7.4→8.1, MariaDB 10.11 strict mode, 61 app files modified). Live DB dir built 2025-12-16, alongside 5 clone/scratch DBs (`grabblaw_gdapp`, `gdapp2`, `_clone`, `_new`, `sandbox`) created 2025-12-11; `connection.php` repointed 2025-12-15; rocky aftermath (app `error_log` shows DB-connect failures Jan 2026). The rebuild imported every DATA table fully — all are ≥ the old copy (activity 18.6k>17.9k, gd_calendar_events 13.2k>12.6k, gd_assign_users 25.0k>23.1k; gd_cases/gd_cases_notes/gd_contacts/gd_phone_log identical) — **but `vt_users` came out short**. Binary logging is OFF, so no statement-level proof of deliberate prune vs. failed import. The live DB is authoritative and current — **do NOT full-restore from `grabblaw_gdapp`** (would lose newer live data). Correct remediation = **targeted backfill of the specific missing `vt_users` row(s) (+ `acl_junction_user_role` links) from `grabblaw_gdapp` → `grabblaw_gdapp_data`**, preserving each user's id + MD5 password. Symptom presented as "one user can't log in, everyone else fine" because the only 3 active users (rgrabb, rpesqueira, jsosa) happened to be among the 6 surviving rows.
- **Diagnostic pattern — per-user login failure on the calendar app:** first check the live DB: `SELECT id,username,is_enabled FROM grabblaw_gdapp_data.vt_users WHERE username='<u>'`. No row → user was dropped in migration; restore from `grabblaw_gdapp`. Row with `is_enabled=0` → re-enable. Row present + enabled → password/MD5 issue (use forgot-password flow or reset the hash).
## Active Work
- **AI Demand Review System** (scoping/pre-quote as of 2026-05-12): Robert Grabb wants a custom Claude API web application for AI-assisted pre-suit demand package preparation. 11-category document upload UI, structured Claude output (case snapshot, liability, medical chronology, demand letter, etc.), DOCX/PDF export, per-case audit log. Estimated 32-48 hrs, $4,000-$6,960 flat fee range. Discovery call questions outstanding (user count, Leap API, file server structure). See `clients/grabb-durando/ai-demand-review/CONTEXT.md` for full spec.
- **Website migration** (data.grabbanddurando.com → IX): COMPLETE (confirmed 2026-06-10, live on IX). Remaining cleanup: confirm the old GoDaddy VPS (208.109.235.224) is decommissioned/cancelled — nothing points to it anymore but it may still bill.
- **Calendar-app user-table backfill (data.grabbanddurando.com) — DEFERRED to client:** 2026-06-10 restored `jwilliams` (Jeff Williams, id 46, Super Admin) into the live `vt_users` to fix his login. **41 other accounts still missing** from the live DB (20 enabled real users: ahayward, amarshall, apesqueira, cpavlik, ecorella, gcanto, Greg, jclark, kloya, lgonzalez, mbleaman, mcarias, mgonzales, mwaletitsch, pgrabb, rmaza, admin, etc. — plus disabled/test rows). **Per Mike (2026-06-10): only a handful of active users; left for Jeff Williams to decide later — no bulk backfill planned by ACG.** If a specific person needs access, restore just their row via targeted `INSERT ... SELECT` from `grabblaw_gdapp` (preserve id + MD5 pw); skip test/junk (`testsuntec`, `ContactOne`).
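
The per-user login triage from Patterns & Known Issues and the targeted `INSERT ... SELECT` backfill named in the item above, as an added example that is not part of the original wiki or ACG's tooling. SQLite stands in for MariaDB (schema `old` plays `grabblaw_gdapp`, `main` plays the live DB); the junction columns `user_id`/`role_id`, the reduced `vt_users` column set and every row are constructed assumptions.

```python
import hashlib
import sqlite3

SKIP = {"testsuntec", "ContactOne"}  # test/junk accounts the page says to skip

def md5_hex(pw):
    """The app's legacy hash format (unsalted MD5); copied as-is, never recomputed."""
    return hashlib.md5(pw.encode()).hexdigest()

def build_demo():
    """Constructed data: schema 'old' plays grabblaw_gdapp, 'main' the live DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS old")
    for db in ("main", "old"):
        conn.execute(f"CREATE TABLE {db}.vt_users (id INTEGER PRIMARY KEY,"
                     " username TEXT UNIQUE, password TEXT, is_enabled INTEGER)")
        conn.execute(f"CREATE TABLE {db}.acl_junction_user_role"
                     " (user_id INTEGER, role_id INTEGER)")  # assumed column names
    users = [(7, "user_a", md5_hex("pw-a"), 1), (9, "user_b", md5_hex("pw-b"), 0),
             (12, "user_c", md5_hex("pw-c"), 1), (20, "testsuntec", md5_hex("x"), 1)]
    links = [(7, 4), (9, 3), (12, 1), (20, 5)]
    conn.executemany("INSERT INTO old.vt_users VALUES (?,?,?,?)", users)
    conn.executemany("INSERT INTO old.acl_junction_user_role VALUES (?,?)", links)
    conn.executemany("INSERT INTO main.vt_users VALUES (?,?,?,?)", users[1:3])
    conn.executemany("INSERT INTO main.acl_junction_user_role VALUES (?,?)", links[1:3])
    conn.commit()
    return conn

def triage(conn, username):
    """The page's three-way check against the live table."""
    row = conn.execute("SELECT id, is_enabled FROM main.vt_users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return "missing"      # dropped in the rebuild: restore from the old copy
    return "password" if row[1] else "disabled"  # reset the hash / re-enable

def backfill(conn, username):
    """Copy one user's row and role links old -> live, keeping id and hash."""
    if username in SKIP or triage(conn, username) != "missing":
        return False
    with conn:  # single transaction: rolls back if the row cannot be restored
        cur = conn.execute(
            "INSERT INTO main.vt_users SELECT * FROM old.vt_users AS o"
            " WHERE o.username = ? AND NOT EXISTS"
            " (SELECT 1 FROM main.vt_users AS l WHERE l.id = o.id)", (username,))
        if cur.rowcount != 1:
            raise LookupError("not in old copy, or its id is already taken live")
        conn.execute(
            "INSERT INTO main.acl_junction_user_role SELECT j.user_id, j.role_id"
            " FROM old.acl_junction_user_role AS j JOIN old.vt_users AS o"
            " ON o.id = j.user_id WHERE o.username = ?", (username,))
    return True
```

The `NOT EXISTS` guard makes the restore refuse to run when the old id has since been reused by a newer live account, which is the case where preserving the id would overwrite or collide with current data.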
## History Highlights
| Date | Event |
|---|---|
| Pre-2026 | Established MSP client; M365 tenant (grabblaw.com) under ACG management; Leap deployed firm-wide |
| 2025-12-15/16 | **data.grabbanddurando.com migrated to IX + MariaDB strict-mode rebuild** (confirmed 2026-06-10 via on-server `backups_mariadb_fix/MIGRATION_REPORT.md`, "Prepared by: IT Support"). GoDaddy/legacy → IX cPanel; PHP 7.4→8.1; MariaDB 10.11 strict mode; 61 app files modified. Live DB `grabblaw_gdapp_data` built 12-16 alongside 5 clone/scratch DBs (12-11); `connection.php` repointed 12-15; rocky aftermath (DB-connect failures in app error_log Jan 2026). The rebuild left the live `vt_users` with only ~6 of 48 logins — origin of the 2026-06-10 Jeff login issue. |
| 2026-04-20 | PROJECT_STATE.md created noting website migration stalled, no session logs recorded at that time |
| 2026-05-04 | Howard: Leap M365 calendar sync for Svetlana Larionova — OAuth consent investigation + tenant-wide LEAP consent granted by Mike; Leap identity token cleanup; Teams external-share limitation explained; second monitor added |
| 2026-05-12 | GuruRMM agent installed on GND-SERVER via site-specific MSI (v0.6.2). Diagnostic run confirms agent service running. AI demand review project kicked off — Phase Two Package delivered by Robert Grabb, ACG scoping review begun. |
| 2026-06-10 | **Calendar-app login fix + migration audit.** Reported: Jeff Williams (`jwilliams`) couldn't log in to data.grabbanddurando.com while others could. Root cause traced to the Dec 2025 IX/MariaDB rebuild, which left the live `vt_users` with only 6 of 48 logins (Jeff not among the survivors). Confirmed the app is live on IX (`grabblaw` cPanel acct, DB `grabblaw_gdapp_data`) and that the live DB is authoritative (all data tables ≥ old copy). Restored `jwilliams` (id 46, Super Admin, original MD5 password) from `grabblaw_gdapp` → live; login verified. 41 other (mostly inactive) accounts left un-restored at Mike's direction — Jeff to decide later. Billed 1.0 hr remote on new Syncro ticket #32405 — applied against their PREPAID block (invoice #67812 = $0.00; 21.25 prepay hrs remaining). Documented the app auth model, the Dec-2025 origin, and a per-user login diagnostic. |
## Backlinks
- [[projects/gururmm]] — GND-SERVER enrolled (site: Main Office)