claudetools/.claude/memory/MEMORY.md

Memory Index

Reference

• ACG Office Network Infrastructure — IPs/hosts/roles for pfSense/Jupiter/VMs/Docker. Check before assuming; .21 (Uranus) is storage.
• Power Failure Runbook — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
• Syncro API — Invoice Verification Pattern — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
• Approval Workflow: Tools vs Projects — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval; features→roadmap, bugs→bug list.
• Community Forum (Flarum) - Flarum forum at community.azcomputerguru.com, API access, database, posting workflow
• Radio Show Website - Astro static site at radio.azcomputerguru.com on IX server
• IX Server SSH Access - SSH access notes for GURU-5070 — re-verify key auth (was CachyOS)
• IX Access via Tailscale - IX server accessible with Tailscale on, no VPN needed
• Matomo Analytics - Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites
• Dataforth Contact - AJ - AJ at Dataforth, dataforthgit@ email forwarding to him
• TickTick Integration - OAuth API integration, MCP server, SOPS vault creds, project/task CRUD
• Client Docs Structure — clients//docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/.
• MSP Audit Scripts — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/.
• GuruRMM Server Layout - SSH as guru, repo at /home/guru/gururmm, deploy to /var/www/gururmm/dashboard/
• GuruRMM API — run script on agent — POST /api/agents/:id/command (command_type=powershell); poll /api/commands/:id for output. Beats ScreenConnect copy-paste.
• Pluto Build Server — Windows build VM, 172.16.3.36, SSH Administrator, MSVC + WiX. Use for any EXE/MSI build.

Users

• Howard Enos — Mike's brother, technician, full access. Machines: ACG-TECH03L, Howard-Home (authoritative in users.json).

Feedback

• Attribution is read, never inferred — Who-did-what (user+machine) comes ONLY from identity.json + users.json + git authorship. Never infer from hostname patterns, the userEmail hint, or memory. The "5070" box is Mike's. sync.sh reconciles git config to identity.json; /save renders the User block via whoami-block.sh.

• GuruRMM agent parity rule — "Add feature X to the agent" = Windows + Linux + macOS in the same change, no exceptions. Stub + TODO if real impl not feasible.

• D2TESTNAS SSH Access - Use root@192.168.0.9 with Paper123!@#, not sysadmin

• Bypass Permissions Setting - Set permissions.defaultMode to bypassPermissions in settings.json on all machines

• No indented code blocks — Never indent code inside fences; Howard copy-pastes directly and leading spaces break PowerShell

• 365 Remediation Tool - Always means Graph API app fabb3421, not CIPP

• Ollama Tier-0 Routing - Route drafts/summaries/classifications through Ollama (qwen3:14b). Mike designed ClaudeTools this way — not optional.

• /save writes narrative directly — No Ollama for /save; write all sections inline — too slow

• Syncro Emergency Billing — Emergency = 1.5× multiplier, not additive. Branch by customer.prepay_hours: no-prepaid → 26184 at actual hrs; prepaid → 26118 at hrs×1.5. Never stack. Always set price_retail.

• Identity precedence — Trust .claude/identity.json over the system-reminder userEmail hint when they disagree (shared-login machines).

• 1Password — always use service token — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every op call. Desktop-app integration prompts are unacceptable in agent flows.

• Point vault-access teammates at SOPS path — When relaying infra/credential info to Howard or other vault-access teammates, hand over the SOPS path + key anchors; don't transcribe the entry's fields into the message.

• /tmp path mismatch on Windows — Write tool and Git Bash resolve /tmp to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl. Caused wrong-comment incident on Syncro #32225.

• Syncro — leave contact blank by default — Default to blank contact ("Not Assigned") on tickets and billing for ALL customers. Blank lets Syncro use company-level email defaults; setting a contact may route to a secondary email and bypass distribution. Generalizes the prior Cascades-only rule per Winter 2026-05-04.

• Syncro — Cascades contact incident (Meredith Kuhn) — Meredith Kuhn is the recurring wrong Syncro default at Cascades. Incident context only; global rule is in feedback_syncro_blank_contact.md.

• Syncro — use a billable labor type, never "Prepaid project labor" — Billable line items must use in-shop / onsite / remote / web labor. "Prepaid project labor" is exempt and won't decrement prepay blocks. Default is Remote labor for typical support tickets. Winter caught this 2026-05-04.

• Syncro — bill with add_line_item, not timers — Bill tickets with POST /tickets/{id}/add_line_item directly; the timer workflow (timer_entry → charge_timer_entry) is NOT used. Set product_id, quantity (decimal hours), price_retail, name, description, taxable:false. Supersedes the old "timers required" rule (Mike confirmed 2026-05-21).

• Syncro — timer_entry response is FLAT (HISTORICAL) — Reference only: timers are NO LONGER part of the billing workflow (superseded by add_line_item — see feedback_syncro_timer_first.md). Retained for the rare manual-timer case: response is flat ({"id": N, ...}), parse .id not .timer.id. Originally hit on #32253 2026-05-05.

• Syncro — warranty has its own product, never patch dollar amounts — Warranty/no-charge work uses product 1049360 (Labor- Warranty work, $0). Don't fake a free line by patching price_retail or neutralizing a regular product — pick the correct product and re-run. Hit on #32225 2026-05-06.

• SQL instance role — verify by connections, not name — Standard installed under default SQLEXPRESS instance name is real. Prove role with sys.dm_exec_sessions + Get-NetTCPConnection -OwningProcess before recommending stop/uninstall. IMC1 2026-05-05/06 near-miss.

• Syncro — confirm appointment owner explicitly — When creating tickets with appointments, always ask "who is the appointment owner?" in the preview. Don't auto-default to ticket's assigned tech. Don't add additional attendees without explicit confirmation. Howard caught on Kittle ticket #32263 2026-05-08.

• Syncro — verify appointment date day-of-week — Always compute and display the day name (e.g. "Saturday 2026-05-23") in the ticket preview — never just the numeric date. Verify with py -c "import datetime; ..." before posting. Wrong-day incident on #32312 2026-05-21 (Sunday booked instead of Saturday). Reported by Winter.

• Syncro estimate hardware product — All hardware on estimates uses product_id 32252 ("Hardware", $0 base); set name/price_retail per item. Never look up individual hardware product IDs.

• Clear-RecycleBin fails silently as SYSTEM — RMM-dispatched cleanup scripts cannot use Clear-RecycleBin -Force; the cmdlet uses Shell COM and silently no-ops without an interactive desktop. Enumerate C:\$Recycle.Bin\<SID>\* directly. Hit on ASSISTMAN-PC 2026-05-08.

• Cascades — ask security group on user creation — When creating any Cascades user, always ask which security group(s) they go in. Deliberate per-user decision; an OU→group auto-mirror was explicitly declined 2026-05-14. OU = sync scope; group = access/CA decision.

• Cascades folder redirect — fdeploy failure/recovery — Must pre-create subfolders before first logon. fdeploy caches failures silently. Recovery: fix-shell-redirect.ps1. Both GUID and legacy name keys required.

• Graph CA policy reads are eventually consistent — After PATCHing a CA policy (204), wait ~5s before GET-verifying; immediate reads can be stale.

• Graph password reset needs a privileged role — PATCH passwordProfile on an existing user 403s without a directory role; User.ReadWrite.All alone only sets a password at CREATE.

• Vault writes — do the full sequence yourself — A vault entry = write plaintext → sops -e -i → git add/commit/push, all of it; don't stop at "encrypted on disk."

• GuruRMM dev is Mike's, not Howard's — Never route RMM dev/bug coord notes to Howard (0 RMM commits by him). Howard only submits RMM feature requests; GuruScan is his project, RMM is not.

Machine

• GURU-5070 Workstation Setup - Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's.
• GURU-BEAST-ROG Setup Status — Windows workstation fully configured except SSH key deployment to servers.

Pending Setup

• Mac gururmm setup pending — ACTION REQUIRED: run bash scripts/install-hooks.sh in gururmm repo on Mikes-MacBook-Air before any RMM work

Project

• Cascades Migration Plan — Active multi-day migration. Plan file: C:\Users\Howard\.claude\plans\wise-discovering-panda.md. Syncro ticket: #110680053. Resume: "resume the Cascades migration plan".
• GuruRMM Development Principles - MANDATORY: every feature needs full stack (backend, API, UI, docs, scalability). Product must work without AI agents (AI features are enhancements). Documented in guru-rmm/docs/DESIGN.md.
• Sync script bug — untracked files (RESOLVED) — FIXED 2026-05-21: sync.sh now uses git status --porcelain for change detection (repo + vault), so untracked-only changes are caught. Added .gitignore for the datto BSOD dumps so the fix doesn't sweep 54MB of binaries.
• MasterBooter Side Project — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
• Audio Processor Architecture - Segment-first pipeline: detect breaks before transcription for complete content capture
• Neptune SBR Email Routing Setup - Full SBR routing chain, config file locations, MailProtector integration, access methods. Treat routing breakage as systemic (devcon, Sorensen/rieussetcorp), not per-client.
• Dataforth Test Datasheet Pipeline - Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
• Dataforth Security Incident - DF-JOEL2 compromised, MFA deployed, IC3 filed. CA policies enforce April 4.
• Radio show co-host — Tara, not Tom — Co-host in 2014-s6e19 and 2016-s8e43 is Tara. "Tom" was hallucinated; rename complete. Multiple co-hosts have rotated through the show.
• Cascades admin accounts — Howard uses sysadmin@cascadestucson.com, Mike uses admin@cascadestucson.com; daily admin, NOT break-glass.
• Cascades CA phased rollout — Caregiver CA policies scoped to SG-Caregivers-Pilot, expand by dept; PATCH excludeGroups, never delete the all-users-MFA policy.
• Cascades caregiver pilot cleanup — Remove pilot accounts (pilot.test@, howard.enos@) at the end of the caregiver bypass pilot.
• Proposal: centralize config in identity.json — Rationale for the identity.json machine-config centralization (claudetools_root, ollama/python); now implemented.