claudetools/.claude/memory/project_cascades_history.md
Mike Swanson 0c000109dc chore(memory): consolidate scattered feedback/project/reference files
Compressed memory store 104 -> 71 files via four passes:

- Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files
  (api/billing/workflow) + an on-demand feedback_syncro_history.md for
  incident detail, quotes, and tech/product ID tables.
- Four near-duplicate merges: Howard paste-safety, Pluto build server,
  Howard backend deferral, IX server access (ssh+tailscale).
- Per-cluster rule/state/history split applied to GuruConnect (2->1),
  Dataforth (3->2), Cascades (7->3), GuruRMM (13->3).
- New reference_resource_map.md: single auto-loaded cheatsheet for
  "do I have access to X and how do I connect from this machine?"
- MEMORY.md rewritten to match the new layout.

Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
2026-06-01 16:25:45 -07:00


---
name: Cascades history — fdeploy root cause, CA rescoping decision, design rationale
description: Detail and rationale behind the active Cascades rules — fdeploy 502/ACL root cause and the Flags=1211→187 fix, the 2026-04-29 CA-policy rescoping decision (Howard pulled the brakes on tenant-wide rollout), and the per-user security-group decision. Read on-demand when judging an edge case or revisiting a design decision.
type: project
---
This file is the rationale archive for [[project_cascades]] and [[feedback_cascades]]. Read on-demand.
---
## fdeploy folder-redirection root cause (the "stuck forever" failure)
**Symptom:** new Cascades user logs in, folder redirection silently doesn't take effect. fdeploy logs "no changes detected" indefinitely.
**Root cause:** `fdeploy1.ini` had `Flags=1211` (0x4BB), which includes **Grant Exclusive Rights** (bit `0x400`). The Homes share grants `Domain Users = Change`; share-level Change does not include Change Permissions (`WRITE_DAC`), so fdeploy cannot set the exclusive NTFS ACL on the newly created subfolder → logs event 502 → **caches the failure** and never retries.
**Fix:** changed to `Flags=187` (0xBB, i.e. 1211 with the `0x400` bit cleared) in:
```
{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini
```
on CS-SERVER.
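As an added diagnostic example (not the project's own code), the PowerShell below decodes the `Flags=` value from fdeploy1.ini text and reports whether the 0x400 bit the text identifies as Grant Exclusive Rights is set, then gives the server-side share check that confirms the WRITE_DAC gap. The ini sample and its section names are constructed; the only assumptions about the real file are that it is INI-shaped and that Flags is written in decimal (1211 and 187 differ by exactly 1024). The share name `Homes` and the `Domain Users` grant come from the text.

```powershell
# Added example, not the project's code. Assumes fdeploy1.ini is INI-shaped ([Section] then
# Key=Value lines) with Flags in decimal, and that 0x400 is the Grant Exclusive Rights bit
# as the text above states. The sample below is constructed, not copied from CS-SERVER.
$GrantExclusiveRights = 0x400

# Constructed sample: section names are placeholders, only the Flags= lines matter here.
$SampleIni = @'
[Documents]
Flags=1211
[Downloads]
Flags=187
'@

function Get-FdeployFlags {
    # Parses INI text and yields one record per section that carries a Flags= line.
    param([Parameter(Mandatory)][string]$IniText)
    $section = ''
    foreach ($line in ($IniText -split "`r?`n")) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*Flags\s*=\s*(\d+)\s*$') {
            $flags = [int]$Matches[1]
            [pscustomobject]@{
                Section        = $section
                Flags          = $flags
                Hex            = ('0x{0:X}' -f $flags)
                GrantExclusive = [bool]($flags -band $GrantExclusiveRights)
                # Value to write if the bit must go: same flags with 0x400 cleared (1211 -> 187).
                FixedFlags     = $flags -band (-bnot $GrantExclusiveRights)
            }
        }
    }
}

function Test-HomesShareWriteDac {
    # Run on the file server. Share-level "Change" lacks WRITE_DAC; only "Full" carries it,
    # and fdeploy needs WRITE_DAC on each new subfolder whenever Grant Exclusive Rights is set.
    param([string]$ShareName = 'Homes', [string]$Account = 'Domain Users')
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -like "*$Account" } |
        Select-Object AccountName, AccessRight,
            @{ n = 'HasWriteDac'; e = { $_.AccessRight -eq 'Full' } }
}

# Usage: decode the constructed sections; 1211 (0x4BB) flags the bit, 187 (0xBB) does not.
Get-FdeployFlags -IniText $SampleIni | Format-Table -AutoSize
```

Either side of the mismatch can be fixed: clear the bit in the ini (what was done on CS-SERVER) or grant Full at the share level. Clearing the bit is the smaller change, because a share-level Full grant for `Domain Users` widens what every user can do to every other user's home folder at the share layer and leaves NTFS as the only boundary.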
**Why both GUID and legacy registry values matter on the client:** Downloads has no legacy-name value, so writing the GUID value alone works. Documents / Music / Pictures have BOTH a `{GUID}` value AND the legacy `Personal` / `My Music` / `My Pictures` value. Windows resolves the actual shell folder from the legacy value, so the GUID alone is insufficient. The recovery script `fix-shell-redirect.ps1` sets both.
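The per-user repair described above, as an added example that is not the project's `fix-shell-redirect.ps1`: it writes both the legacy value name and the GUID value name for a folder, and skips the legacy name for Downloads, which has none. Assumptions (verify on a client before trusting them): the values live under `HKCU:\...\Explorer\User Shell Folders`, the GUID value names are the Windows KNOWNFOLDERID entries listed in the map, and the redirected root is a per-user subfolder of the Homes share named in the text.

```powershell
# Added example, not the project's fix-shell-redirect.ps1. Assumptions (verify on a client):
#  - per-user shell folder paths are the REG_EXPAND_SZ values under this key
#  - the GUID value names below are the Windows KNOWNFOLDERID names for these folders
$UsfKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Folder -> (legacy value name, GUID value name). Downloads has no legacy name.
$FolderMap = @{
    Documents = @{ Legacy = 'Personal';    Guid = '{F42EE2D3-909F-4907-8871-4C22FC0BF756}' }
    Music     = @{ Legacy = 'My Music';    Guid = '{A0C69A99-21C8-4671-8703-7934162FCF1D}' }
    Pictures  = @{ Legacy = 'My Pictures'; Guid = '{0DDD015D-B06C-45D5-8C4C-F59713854639}' }
    Downloads = @{ Legacy = $null;         Guid = '{374DE290-123F-4565-9164-39C4925E467B}' }
}

function Get-ShellRedirectState {
    # Shows what each value currently says so GUID/legacy drift is visible before and after.
    param([Parameter(Mandatory)][string]$Folder)
    $m = $FolderMap[$Folder]
    $props = Get-ItemProperty -Path $UsfKey
    [pscustomobject]@{
        Folder      = $Folder
        LegacyValue = if ($m.Legacy) { $props.($m.Legacy) } else { '(none)' }
        GuidValue   = $props.($m.Guid)
        Consistent  = (-not $m.Legacy) -or ($props.($m.Legacy) -eq $props.($m.Guid))
    }
}

function Repair-ShellRedirect {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Documents', 'Music', 'Pictures', 'Downloads')][string]$Folder,
        [Parameter(Mandatory)][string]$Target   # e.g. \\CS-SERVER\Homes\<user>\Documents (assumed layout)
    )
    $m = $FolderMap[$Folder]
    # Always write the GUID value; write the legacy value only where Windows defines one.
    $names = @($m.Guid) + @($m.Legacy | Where-Object { $_ })
    foreach ($name in $names) {
        if ($PSCmdlet.ShouldProcess("$UsfKey\$name", "set to $Target")) {
            # ExpandString matches the REG_EXPAND_SZ type the OS uses for these values.
            New-ItemProperty -Path $UsfKey -Name $name -Value $Target -PropertyType ExpandString -Force | Out-Null
        }
    }
    # Explorer caches these paths; a log-off or Explorer restart makes the change visible.
    Get-ShellRedirectState -Folder $Folder
}

# Usage (dry run first, then for real):
#   Repair-ShellRedirect -Folder Documents -Target '\\CS-SERVER\Homes\jdoe\Documents' -WhatIf
#   Repair-ShellRedirect -Folder Documents -Target '\\CS-SERVER\Homes\jdoe\Documents'
```

`Get-ShellRedirectState` is the check to run on a user who reports the "stuck forever" symptom: a GUID value pointing at the share while the legacy value still points at the local profile is exactly the half-applied state the text describes.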
---
## CA policy rescoping decision (2026-04-29)
The original §5 design in `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` and the resume-point in `2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md` both implied a **tenant-wide cutover**. Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, #3 in the original design hit ALL users — would have blocked any office user signing in off-site who wasn't in `SG-External-Signin-Allowed`.
The replay he pasted contained the correct rescoping:
> *"Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later."*
**Why phased:** preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics. Tenant-wide cutover would have been a regression risk for office staff.
**Operational application of this decision** is captured in [[project_cascades]] "CA caregiver pilot — phased, group-scoped". Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.
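A check that mechanises the last sentence, as an added example and not the project's code: it takes Conditional Access policy objects in the shape Microsoft Graph PowerShell returns and flags any whose user scope is `All` (tenant-wide) or that includes groups outside the approved pilot set. The sample policies, their names and the group IDs are constructed; the live call at the end assumes `Microsoft.Graph` is installed and already connected with read access to policies.

```powershell
# Added example, not the project's code. Works on objects shaped like the output of
# Get-MgIdentityConditionalAccessPolicy (Conditions.Users.IncludeUsers / IncludeGroups).
# Sample policies and group IDs below are constructed placeholders.
function Test-CaPolicyScope {
    param(
        [Parameter(Mandatory)][object[]]$Policies,
        # Object IDs of the groups a phased rollout is allowed to target (constructed placeholder).
        [string[]]$AllowedGroupIds = @('00000000-0000-0000-0000-000000000001')
    )
    foreach ($p in $Policies) {
        $users      = $p.Conditions.Users
        $tenantWide = @($users.IncludeUsers) -contains 'All'     # Graph writes the literal "All"
        $offTarget  = @($users.IncludeGroups | Where-Object { $_ -notin $AllowedGroupIds })
        if ($tenantWide) {
            $verdict = 'REGRESSION: targets All users (violates the 2026-04-29 rescoping decision)'
        } elseif ($offTarget.Count -gt 0) {
            $verdict = "REVIEW: includes groups outside the pilot set: $($offTarget -join ', ')"
        } elseif (@($users.IncludeGroups).Count -eq 0) {
            $verdict = 'REVIEW: no group scope at all'
        } else {
            $verdict = 'ok: pilot-scoped'
        }
        [pscustomobject]@{ DisplayName = $p.DisplayName; State = $p.State; Verdict = $verdict }
    }
}

# Constructed sample shaped like Graph output: the original all-users design beside the rescoped one.
$SamplePolicies = @(
    [pscustomobject]@{
        DisplayName = 'Block external sign-in (original design, constructed)'
        State       = 'enabled'
        Conditions  = @{ Users = @{ IncludeUsers = @('All'); IncludeGroups = @(); ExcludeGroups = @('group-id-external-allowed') } }
    }
    [pscustomobject]@{
        DisplayName = 'Block external sign-in (pilot-scoped, constructed)'
        State       = 'enabledForReportingButNotEnforced'
        Conditions  = @{ Users = @{ IncludeUsers = @(); IncludeGroups = @('00000000-0000-0000-0000-000000000001'); ExcludeGroups = @() } }
    }
)
Test-CaPolicyScope -Policies $SamplePolicies | Format-Table -AutoSize

# Live (requires Connect-MgGraph with Policy.Read.All):
#   Test-CaPolicyScope -Policies (Get-MgIdentityConditionalAccessPolicy -All) -AllowedGroupIds '<pilot group object id>'
```

Running this before any CA change is approved turns "flag it" into a repeatable step: a tenant-wide `All` scope cannot slip through as a quick edit, and an `ExcludeGroups` entry is not treated as a substitute for correct `IncludeGroups` scoping, since exclusion is exactly what the original design relied on and what would have locked out off-site office users.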
---
## Per-user security-group decision (2026-05-14)
Howard explicitly **declined** an `OU=Caregivers` → `SG-Caregivers` auto-mirror script. Security-group membership controls access + CA-policy coverage; that decision should stay deliberate and reviewed per user, never automated away.
OU placement is mechanical (controls Entra Connect sync scope). Group membership is an access-control decision and must be conscious.
The active rule that comes from this is in [[feedback_cascades]] §2.
---
## Pilot cleanup obligations (forward-looking)
The Cascades caregiver shared-phone bypass pilot (Path B, cloud-only) uses temporary pilot artifacts. At pilot wrap, all must be cleaned up — checklist lives in [[project_cascades]] "Pilot cleanup checklist". Originally flagged by Howard 2026-04-29 with the explicit "all pilot artifacts must be cleaned up" direction (clean tenant hygiene + license recovery: Business Premium seat returned to the 34-spare pool).