claudetools/.claude/memory/project_cascades_history.md
Mike Swanson 0c000109dc chore(memory): consolidate scattered feedback/project/reference files
Compressed memory store 104 -> 71 files via four passes:

- Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files
  (api/billing/workflow) + an on-demand feedback_syncro_history.md for
  incident detail, quotes, and tech/product ID tables.
- Four near-duplicate merges: Howard paste-safety, Pluto build server,
  Howard backend deferral, IX server access (ssh+tailscale).
- Per-cluster rule/state/history split applied to GuruConnect (2->1),
  Dataforth (3->2), Cascades (7->3), GuruRMM (13->3).
- New reference_resource_map.md: single auto-loaded cheatsheet for
  "do I have access to X and how do I connect from this machine?"
- MEMORY.md rewritten to match the new layout.

Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
2026-06-01 16:25:45 -07:00


name: Cascades history — fdeploy root cause, CA rescoping decision, design rationale
description: Detail and rationale behind the active Cascades rules — fdeploy 502/ACL root cause and the Flags=1211→187 fix, the 2026-04-29 CA-policy rescoping decision (Howard pulled the brakes on tenant-wide rollout), and the per-user security-group decision. Read on-demand when judging an edge case or revisiting a design decision.
type: project

This file is the rationale archive for project_cascades and feedback_cascades. Read on-demand.


fdeploy folder-redirection root cause (the "stuck forever" failure)

Symptom: new Cascades user logs in, folder redirection silently doesn't take effect. fdeploy logs "no changes detected" indefinitely.

Root cause: fdeploy1.ini had Flags=1211, which includes Grant Exclusive Rights (bit 0x400). The Homes share grants Domain Users = Change, which excludes WRITE_DAC. fdeploy therefore fails to set the NTFS ACL on new subfolders → logs 502 → caches the failure and never retries.

Fix: changed to Flags=187 in:

{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini

on CS-SERVER.
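
An added example (not part of the original file or of the project's scripts): a PowerShell audit that parses fdeploy-style INI text and reports every Flags value that still has the Grant Exclusive Rights bit (0x400) set, together with the value once that bit is cleared. The function name, the placeholder section names and the commented path are assumptions for illustration; only the `Flags=<n>` form and the values 1211 and 187 come from the notes above.

```powershell
# Added example: flag folder-redirection Flags values that still carry
# the Grant Exclusive Rights bit (0x400) named in the root cause above.
$GrantExclusiveRights = 0x400

function Get-FdeployFlagFinding {
    param(
        [string[]] $Line,               # lines of an fdeploy-style INI file
        [string]   $Source = '(inline)' # label for where the lines came from
    )
    $section = ''
    foreach ($text in $Line) {
        $t = $text.Trim()
        if ($t -match '^\[(.+)\]$') {
            $section = $Matches[1]      # remember the current [section]
        }
        elseif ($t -match '^Flags\s*=\s*(\d+)$') {
            $flags = [int]$Matches[1]
            [pscustomobject]@{
                Source          = $Source
                Section         = $section
                Flags           = $flags
                FlagsHex        = '0x{0:X}' -f $flags
                ExclusiveRights = ($flags -band $GrantExclusiveRights) -ne 0
                FlagsWithoutBit = $flags -band (-bnot $GrantExclusiveRights)
            }
        }
    }
}

# Constructed sample: the section names are placeholders, not real GPO content.
$sample = @'
[PLACEHOLDER-FOLDER-A]
Flags=1211
[PLACEHOLDER-FOLDER-B]
Flags=187
'@ -split '\r?\n'

Get-FdeployFlagFinding -Line $sample |
    Where-Object ExclusiveRights |
    Format-Table Section, Flags, FlagsHex, FlagsWithoutBit -AutoSize

# Against real files (the path is a placeholder for wherever the GPO lives):
# Get-ChildItem '<policies-root>' -Recurse -Filter fdeploy1.ini | ForEach-Object {
#     Get-FdeployFlagFinding -Line (Get-Content -LiteralPath $_.FullName) -Source $_.FullName
# }
```

Only entries with the bit set are listed, so an empty result means no redirected folder in the scanned text depends on WRITE_DAC being available through the share.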

Why both GUID and legacy registry keys matter at the client side: Downloads has no legacy-name key, so GUID alone works. Documents / Music / Pictures have BOTH {GUID} AND Personal / My Music / My Pictures. Windows reads the legacy key for the actual shell folder — GUID alone is insufficient. The recovery script fix-shell-redirect.ps1 sets both.


CA policy rescoping decision (2026-04-29)

The original §5 design in clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md and the resume-point in 2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md both implied a tenant-wide cutover. Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, and #3 in the original design hit ALL users, which would have blocked any office user signing in off-site who wasn't in SG-External-Signin-Allowed.

The replay he pasted contained the correct rescoping:

"Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later."

Why phased: preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics. Tenant-wide cutover would have been a regression risk for office staff.

Operational application of this decision is captured in project_cascades "CA caregiver pilot — phased, group-scoped". Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.


Per-user security-group decision (2026-05-14)

Howard explicitly declined an OU=Caregivers → SG-Caregivers auto-mirror script. Security-group membership controls access + CA-policy coverage; that decision should stay deliberate and reviewed per user, never automated away.

OU placement is mechanical (controls Entra Connect sync scope). Group membership is an access-control decision and must be conscious.

The active rule that comes from this is in feedback_cascades §2.


Pilot cleanup obligations (forward-looking)

The Cascades caregiver shared-phone bypass pilot (Path B, cloud-only) uses temporary pilot artifacts. At pilot wrap, all must be cleaned up — checklist lives in project_cascades "Pilot cleanup checklist". Originally flagged by Howard 2026-04-29 with the explicit "all pilot artifacts must be cleaned up" direction (clean tenant hygiene + license recovery: Business Premium seat returned to the 34-spare pool).