Compressed memory store 104 -> 71 files via four passes:
- Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files (api/billing/workflow) + an on-demand feedback_syncro_history.md for incident detail, quotes, and tech/product ID tables.
- Four near-duplicate merges: Howard paste-safety, Pluto build server, Howard backend deferral, IX server access (ssh+tailscale).
- Per-cluster rule/state/history split applied to GuruConnect (2->1), Dataforth (3->2), Cascades (7->3), GuruRMM (13->3).
- New reference_resource_map.md: single auto-loaded cheatsheet for "do I have access to X and how do I connect from this machine?"
- MEMORY.md rewritten to match the new layout.

Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
| name | description | type |
|---|---|---|
| Cascades of Tucson — current state (migration, admin, CA rollout, billing) | Active state of the Cascades migration — Syncro ticket | project |
Rules: feedback_cascades. Detail / decisions / pilot-cleanup checklist: project_cascades_history.
Migration
Multi-day department-by-department migration from workgroup/cloud-only to domain-integrated environment. Clean end state: everything works automatically on a fresh-machine domain join.
- Syncro ticket: https://computerguru.syncromsp.com/tickets/110680053 — update with notes after each session.
- Plan file: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` (machine-specific path on Howard's box; confirm it resolves on ACG-TECH03L / Howard-Home or relocate into the synced repo).
- Resume: Howard says "resume the Cascades migration plan" → read plan file, check `CURRENT SAVE POINT`, pick up at next unchecked item. At session start, read the save point BEFORE doing any work; update + `/save` at session end.
Tenant
Cascades Tucson tenant: 207fa277-e9d8-4eb7-ada1-1064d2221498.
Admin accounts (daily-driver, NOT break-glass)
- `sysadmin@cascadestucson.com` — Howard's working admin (used PIM portal click 2026-04-28 for CA Admin role).
- `admin@cascadestucson.com` — Mike's working admin.
As of 2026-04-29, neither is confirmed cloud-only / FIDO2 / CA-excluded. A break-glass admin still needs to be designed before CA bypass policies go live. Don't assume sysadmin@ / admin@ meet break-glass criteria — verify against Graph (onPremisesSyncEnabled, authentication methods, CA exclusions) first.
CA caregiver pilot — phased, group-scoped
The caregiver bypass CA work is a phased rollout, not a tenant-wide cutover. The original §5 design in clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md and the 2026-04-29 resume-point implied tenant-wide; that was corrected.
- New CA policies target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). Never `includeUsers: All`.
- The legacy `Require multifactor authentication for all users` policy stays in place. PATCH its `excludeGroups` to add the pilot group; existing office-staff behavior is unchanged.
- Expansion to other populations happens one group at a time post-pilot. Legacy all-users-MFA is deleted only at the very end when every population is governed by phased policies.
Caregiver policy set (current scope):
- PATCH `Require multifactor authentication for all users`: add `SG-Caregivers-Pilot` to excludeGroups.
- CREATE `CSC - Block caregivers off Cascades network` (includeGroups: pilot, locations: not Cascades, grant: BLOCK).
- CREATE `CSC - Block caregivers on non-compliant device` (includeGroups: pilot, device filter `isCompliant -eq False`, grant: BLOCK).
- CREATE `CSC - Caregiver sign-in frequency 8h` (includeGroups: pilot, session control: 8h re-auth).
For caregivers we use Block directly on non-compliant + off-network — caregivers can't satisfy MFA (no personal device), so block is the cleaner UX. Future non-caregiver populations will likely use MFA grants since office staff have MFA capability.
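One way to check the scoping rules and the caregiver policy set above against an exported policy list, as an added example (not part of the original notes or any tenant tooling). It assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape; the group GUID, function names and sample policies are constructed placeholders.

```python
# Added example: offline lint of exported Conditional Access policies against the pilot scoping rules.
# Dicts follow the Microsoft Graph conditionalAccessPolicy shape; the group GUID is a placeholder.
PILOT_GROUP_ID = "00000000-0000-0000-0000-0000000000a1"  # stands in for SG-Caregivers-Pilot
LEGACY_NAME = "Require multifactor authentication for all users"
EXPECTED_CSC = [
    "CSC - Block caregivers off Cascades network",
    "CSC - Block caregivers on non-compliant device",
    "CSC - Caregiver sign-in frequency 8h",
]

def _users(policy):
    # Graph may return null for unset conditions, so treat None like an empty object.
    return (policy.get("conditions") or {}).get("users") or {}

def audit_pilot_scope(policies, pilot_group_id=PILOT_GROUP_ID):
    """Return (policy name, finding) tuples; an empty list means the scoping rules hold."""
    findings = []
    by_name = {p.get("displayName", ""): p for p in policies}
    legacy = by_name.get(LEGACY_NAME)
    if legacy is None:
        findings.append((LEGACY_NAME, "legacy policy missing; it must stay in place"))
    elif pilot_group_id not in (_users(legacy).get("excludeGroups") or []):
        findings.append((LEGACY_NAME, "pilot group not in excludeGroups"))
    for name in EXPECTED_CSC:
        if name not in by_name:
            findings.append((name, "policy from the caregiver set is missing"))
    for name, policy in by_name.items():
        if not name.startswith("CSC - "):
            continue
        users = _users(policy)
        if "All" in (users.get("includeUsers") or []):
            findings.append((name, "includeUsers contains All"))
        if (users.get("includeGroups") or []) != [pilot_group_id]:
            findings.append((name, "includeGroups is not exactly the pilot group"))
    return findings

def sample_policy(name, include_users=(), include_groups=(), exclude_groups=()):
    # Constructed sample policy carrying only the fields the audit reads.
    return {"displayName": name, "conditions": {"users": {
        "includeUsers": list(include_users), "includeGroups": list(include_groups),
        "excludeGroups": list(exclude_groups)}}}

GOOD = [sample_policy(LEGACY_NAME, ["All"], exclude_groups=[PILOT_GROUP_ID])] + [
    sample_policy(n, include_groups=[PILOT_GROUP_ID]) for n in EXPECTED_CSC]
BAD = [sample_policy(LEGACY_NAME, ["All"]),      # pilot group never excluded
       sample_policy(EXPECTED_CSC[0], ["All"])]  # tenant-wide block policy

if __name__ == "__main__":
    for name, finding in audit_pilot_scope(BAD):
        print(f"{name}: {finding}")
```
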
Billing
Cascades is a prepaid block customer (Syncro customer_id: 20149445). Block had ~37.5h remaining as of 2026-05-20 (38.5h minus 1h for ticket #32304).
Block rate: NOT yet confirmed. $175/hr is the standard non-block remote rate, NOT necessarily the Cascades block rate. Ask Mike before billing. Invoices post at $0.00 with hours deducted by quantity. See feedback_syncro_billing §7 for emergency-on-prepaid mechanics.
Pilot cleanup checklist
At pilot wrap (transition to production SG-Caregivers), the following MUST be cleaned up — surface this list when we get to "flip pilot CA policies to production":
- `pilot.test@cascadestucson.com` — delete (or disable + remove license; recovers a Business Premium seat).
- `howard.enos@cascadestucson.com` — if used during pilot validation, clean up (Howard's eventual synced identity won't exist as a cloud user until Entra Connect exits staging).
- `SG-Caregivers-Pilot` — remove from CA policy targets when superseded by synced `SG-Caregivers`; group itself can be deleted after.