claudetools/session-logs/2026-03-31-session.md

# Session Log: 2026-03-31 - TickTick Integration & Dev Project Tracking

## Session Summary

Built a complete TickTick integration for ClaudeTools, including OAuth authentication, MCP server with 9 tools, FastAPI service+router, and a dev project tracking system that syncs between the ClaudeTools database and TickTick.

### Key Decisions
- **Hybrid approach (Option 3):** TickTick for mobile/cross-device visibility of active dev projects, ClaudeTools DB for granular tracking (sessions, notes, timestamps)
- **MCP server + API service:** Both access paths -- MCP tools for Claude Code direct use, REST API for external access
- **SOPS vault for credentials:** Consistent with project standards, no env vars
- **JWT auth on all router endpoints:** Matches existing security pattern

### Problems Encountered & Resolutions
1. **"Guru" not appearing in API results:** It's a TickTick folder, not a list. The API only returns lists. "Tasks" and "Call Back List" are the actual lists inside the Guru folder.
2. **Bash not found from PowerShell:** The auth script uses `subprocess.run(["bash", ...])` for vault access. Must run from bash/Claude Code terminal, not PowerShell directly.
3. **DB server unreachable:** 172.16.3.30 not reachable from ACG-5070 without Tailscale. Installed Tailscale via winget, connected, then ran migration.
4. **mcp package not installed:** Installed `mcp` and `httpx` via pip for Python 3.14.
5. **Code review found 4 issues:** All fixed before proceeding -- gitignore, token permissions, JWT auth, SOPS vault credentials.

---

## Credentials

### TickTick API (OAuth 2.0)
- **Developer Portal:** https://developer.ticktick.com/
- **App Name:** ClaudeTools
- **Client ID:** 1J86gMsTJ0JH63gtf0
- **Client Secret:** pI4U78vtLQrZwcW5MmdNFdxA0eeoy7GJ
- **OAuth Redirect URL:** http://localhost:9876/callback
- **Scopes:** tasks:read tasks:write
- **SOPS Vault:** `services/ticktick.sops.yaml` (client_id, client_secret, oauth_redirect_url)
- **Token File:** `mcp-servers/ticktick/.tokens.json` (gitignored, auto-refreshes)

### TickTick API Endpoints
- **Base URL:** https://api.ticktick.com/open/v1
- **Auth URL:** https://ticktick.com/oauth/authorize
- **Token URL:** https://ticktick.com/oauth/token
- **Token endpoint requires:** Content-Type: application/x-www-form-urlencoded (NOT JSON)

### Database
- **Host:** 172.16.3.30:3306
- **DB:** claudetools
- **User:** claudetools
- **Password:** CT_e8fcd5a3952030a79ed6debae6c954ed

---

## Infrastructure & Servers

### Tailscale
- Installed on ACG-5070 via `winget install Tailscale.Tailscale` (v1.96.3)
- Required to reach 172.16.3.30 from home network
- Tailscale must be connected before DB/API access works

### TickTick IDs
- **Dev Projects list ID:** `69cbd7138f0826bd72746074`
- **TickTick Integration task ID:** `69cbe8ca8f0898cc050064e5`
- **DB dev_projects row UUID:** `65783890-2d12-11f1-ae01-52540020ee14`

### User's TickTick Projects (16 total)
- Call Back List, COSTCO, Private, Capacitance, Website Department, Household Tasks & Projects, PacketDial, Tasks, Grocery, Kitchen Decon, Camper Packing, MOVE 2024, Photography Challenge, Business Planning, Libations shopping, Da Move
- "Guru" is a folder containing "Tasks" (21 items) and "Call Back List"
- "HomeStuff" is another folder (15 items)

---

## Files Created

### MCP Server
- `mcp-servers/ticktick/ticktick_auth.py` - One-time OAuth browser auth flow (localhost:9876 callback, CSRF protection, vault credential retrieval)
- `mcp-servers/ticktick/ticktick_mcp.py` - MCP server with 9 tools: ticktick_list_projects, ticktick_get_project, ticktick_create_project, ticktick_update_project, ticktick_delete_project, ticktick_create_task, ticktick_update_task, ticktick_complete_task, ticktick_delete_task

### API Integration
- `api/services/ticktick_service.py` - Async service class with SOPS vault credentials, auto token refresh on 401, httpx client
- `api/routers/ticktick.py` - REST endpoints at `/api/ticktick/`, JWT-protected, 9 endpoints matching MCP tools

### Database
- `migrations/add_dev_projects_table.sql` - Migration SQL for dev_projects table (14 columns, status index)

### Configuration
- `.mcp.json` - MCP server registration (ticktick server using python)
- `vault/services/ticktick.sops.yaml` - SOPS-encrypted TickTick credentials

## Files Modified

- `api/main.py` - Added ticktick router import and registration at `/api/ticktick/`
- `.gitignore` - Added `**/.tokens.json` to prevent token leakage
- `.claude/memory/MEMORY.md` - Added TickTick integration reference
- `.claude/memory/reference_ticktick_integration.md` - New memory file with full integration details

## Database Changes

- **New table:** `dev_projects` (14 columns) with index on status
- **First row inserted:** "TickTick Integration" project, status=active, linked to TickTick task

## Packages Installed

- `mcp` (v1.26.0) - MCP protocol library for Python
- `httpx` (v0.28.1) - Async HTTP client
- `pydantic` (v2.12.5) - Data validation (mcp dependency)
- `Tailscale` (v1.96.3) - VPN/mesh networking via winget
- Plus ~25 transitive dependencies

---

## Pending/Incomplete Tasks

1. **Dev projects API service + router** - Need `api/services/dev_project_service.py` and `api/routers/dev_projects.py` for CRUD on dev_projects table
2. **Bidirectional sync logic** - Auto-update TickTick when DB status changes and vice versa
3. **MCP server testing** - Need to restart Claude Code session to load the TickTick MCP server and test tools
4. **TickTick folder placement** - API can't place "Dev Projects" list inside the "Guru" folder (no folder API). It appears at top level.
5. **Existing project backfill** - Could add existing dev projects (like the TickTick integration itself) to track history

---

## Reference

### TickTick API Gotchas
- No webhooks (must poll for changes)
- No search endpoint (filter client-side)
- No folder management API
- Priority values non-sequential: 0=none, 1=low, 3=medium, 5=high
- Task update may need POST or PUT (code tries POST first, falls back to PUT)
- Deletions are permanent via API
- Date format: ISO 8601 with timezone offset

### Re-authentication
If tokens expire completely: `python mcp-servers/ticktick/ticktick_auth.py` (run from bash, not PowerShell)

### MCP Tools Available (after session restart)
All prefixed with `ticktick_`: list_projects, get_project, create_project, update_project, delete_project, create_task, update_task, complete_task, delete_task

---

## Update: 10:10 AM - M365 Remediation & Data Recovery Discussion

### Session Summary

Mixed session covering data recovery discussion, M365 tenant investigations via Graph API (remediation tool), and cross-tenant consent troubleshooting.

### Key Decisions & Learnings
- **"365 remediation tool" = Graph API app fabb3421-8b34-484b-bc17-e46de9703418** (NOT CIPP). Memory saved for future sessions.
- **CIPP API (420cb849) returning 403** on all endpoints -- API client permissions need updating
- **Admin consent URL with tenant-specific path works for some tenants** but failed for grabblaw.com (redirected to "wrongplace")

### Work Performed

#### 1. Data Recovery Discussion (Hitachi Deskstar HDS721010KLA330)
- User has a failed 1TB Hitachi Deskstar 7K1000 (June 2008, P/N 0A37239, MLC BA2720, S/N PAK590UF)
- Symptoms: spins up, 5-7 read attempts, heads park, platter keeps spinning
- Diagnosis: firmware/service area corruption (not head crash, not platter damage)
- Discussed Pi-based DIY recovery via serial diagnostic port (4-pin header, 38400 baud 8N1, T> prompt)
- Discussed PC-3000 internals and HDDSuperTool/OpenSuperClone open source alternatives
- Data likely intact on platters -- drive can't boot its own firmware

#### 2. MVAN Enterprises (mvaninc.com) - M365 Investigation
- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1
- **Domains:** mvaninc.com, modernstile.com, m.mvaninc.com
- **14 users**, all enabled
- **Secure Score:** 15.43 / 64.0 (24%)
- **[WARNING] Mitch VanDeveer under active credential stuffing attack** -- 48/50 sign-ins are failures from malicious IPs (Luxembourg, Frankfurt, LA, Tokyo, Lima, Camden). Running since at least March 3. Account locking and IP blocking working correctly.
- **sysadmin@mvaninc.com** -- clean, 8 sign-ins all from expected locations (Phoenix, Oklahoma City)
- **MFA CA policy switched from report-only to ENFORCED** (policy ID: a5d04d44-c6d8-4b40-a37a-0ef16eaa3678)
- **MFA Registration:** Both Mitch and sysadmin have MFA registered (Authenticator push, phone, TOTP)

#### 3. Grabb & Durando (grabblaw.com) - Consent Failed
- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
- Admin consent URL redirected to "wrongplace" after login
- ROPC flow also failed (consent_required)
- Entra admin center approach hit browser extension isolation issues
- **Status: BLOCKED** -- needs manual consent or alternative approach

#### 4. Cascades Tucson (cascadestucson.com) - Onboarded Successfully
- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
- **Domain note:** User said "castadestucson.com" but actual domain is "cascadestucson.com"
- Admin consent URL worked for this tenant
- **50 users** (5 disabled), 33/34 M365 Business Premium licenses used
- **Secure Score:** 93.78 / 273.0 (34%)
- **CA Policies: 8 policies, ALL enabled** -- well configured (MFA all users, legacy auth blocked, risky sign-in detection)
- **[WARNING] Megan Hiatt** -- blocked sign-ins from Hamburg, Germany (158.94.211.16) flagged as malicious IP
- **Awaiting details from Howard** on what needs to be done in this tenant

---

### Credentials

#### Claude-MSP-Access (Graph API) - Remediation Tool
- **App ID:** fabb3421-8b34-484b-bc17-e46de9703418
- **App Name:** ComputerGuru - AI Remediation
- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
- **SOPS Vault:** msp-tools/claude-msp-access-graph-api.sops.yaml
- **Consent URL pattern:** `https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient`

#### CIPP
- **URL:** https://cippcanvb.azurewebsites.net
- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
- **Client ID:** 420cb849-542d-4374-9cb2-3d8ae0e1835b
- **Client Secret:** MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT
- **Status:** Auth works but API returns 403 on all endpoints (permissions issue)

#### MVAN M365
- **Admin:** sysadmin@mvaninc.com / r3tr0gradE99#
- **Tenant ID:** 5affaf1e-de89-416b-a655-1b2cf615d5b1

#### Grabblaw M365
- **Admin:** sysadmin@grabblaw.com / r3tr0gradE99!
- **Tenant ID:** 032b383e-96e4-491b-880d-3fd3295672c3
- **Status:** Consent not granted, remediation tool not functional for this tenant

#### Cascades Tucson M365
- **Admin:** sysadmin@cascadestucson.com (password not provided this session)
- **Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498
- **Status:** Consented and operational

---

### Pending/Incomplete Tasks

1. **Grabblaw.com consent** -- admin consent flow broken, need alternative approach (possibly PowerShell New-AzADServicePrincipal or manual Enterprise App registration in Entra)
2. **Grabblaw full access** -- Reyna account needs full access to Jsosa mailbox (blocked by consent issue)
3. **Cascades Tucson** -- awaiting details from Howard on what needs to be done
4. **CIPP API permissions** -- 403 on all endpoints, needs API role/permission update
5. **MVAN recommendations:**
   - Reset Mitch VanDeveer's password (credential stuffing ongoing)
   - Enable SSPR for sysadmin and mitch accounts
   - Clean up unused licenses (2x O365 Business Premium, 1x Cloud PC)
   - Address low secure score (24%)

---

### Memory Updates This Session
- **New:** `feedback_365_remediation_tool.md` -- "365 remediation tool" always means Graph API app fabb3421, not CIPP