claudetools/session-logs/2026-05-27-howard-session.md

Session Log: 2026-05-27 (Howard)

User

• User: Howard Enos (howard)
• Machine: Howard-Home
• Role: tech

Session Summary

Session opened with Howard's previous Claude session having locked up mid-investigation. The last visible output from that session described a GuruRMM build pipeline issue: three bug fixes had been pushed to main (analysis panel display fix 612c00a, fleet log level filter fix 3b19ff0, and audit docs e2ef0e77) but neither the server nor dashboard had deployed the changes. The coord API was showing both components stuck in building state since the previous day at 1 AM.

Context was recovered by checking the coord API status, reading the 2026-05-26 and 2026-05-27 session logs, and reviewing recent GuruRMM git history. The coord confirmed server and dashboard both still in building state, last updated 2026-05-26T01:03:36 and 2026-05-26T00:50:29 respectively. The GuruRMM Gitea repo was checked and showed the fleet log fix commit (3b19ff0) at the top of main with a CI version-bump (879d42bd) pushed at 14:53 UTC the same day, indicating the CI webhook had fired.

The running server at http://172.16.3.30:3001 was tested directly: a JWT was obtained via the admin login, and the fleet logs endpoint was queried with no level filter (returned 0 results) and with explicit WARN/INFO filters (returned results correctly). This confirmed the fleet log fix is not yet deployed — the old behavior of defaulting to ERROR with no results is still live. SSH from HOWARD-HOME could not be established (no key configured for the build server), so direct build log inspection was not possible.

A high-priority coord message was sent to Mike (GURU-5070/claude-main) with the full status: commits pushed, confirmed bug still live, CI likely building, SSH commands to check the build server and restart the container if needed. Mike acknowledged and began investigating. Session ended with a save/sync.

Key Decisions

• Context recovery via coord API + git log rather than re-running investigation — the locked session had already done the diagnostic work; recovering from the coord state and session logs was faster than repeating it.
• Direct API test to confirm fix state — rather than assuming the CI status reflected what was running, tested the actual endpoint behavior to confirm the old bug was still live.
• Coord message over direct action — SSH from HOWARD-HOME has no key for 172.16.3.30; forwarding to Mike via a high-priority coord message was the correct escalation path rather than trying workarounds.

Problems Encountered

• Previous session locked up — Claude session became unresponsive mid-investigation. Recovered context from coord API, session logs, and git history in a new session.
• SSH failed from HOWARD-HOME — Permission denied (publickey,password) when trying to reach 172.16.3.30. This machine has no configured SSH key for the build server. No resolution in this session; escalated to Mike.
• whoami-block.sh ran from wrong directory — script was invoked from projects/msp-tools/guru-rmm (left over from a git command), returned UNKNOWN. Fixed by running with cd C:/claudetools prefix.

Configuration Changes

None — session was investigative only.

Credentials & Secrets

• GuruRMM API admin: claude-api@azcomputerguru.com / ClaudeAPI2026!@# (vault: infrastructure/gururmm-server.sops.yaml → credentials.gururmm-api)
• Gitea API token: 9b1da4b79a38ef782268341d25a4b6880572063f (vault: services/gitea.sops.yaml → credentials.api.api-token)

Infrastructure & Servers

• GuruRMM server: http://172.16.3.30:3001 — running, responding, but on pre-fix code as of 15:10 UTC 2026-05-27
• Build webhook: http://172.16.3.30/webhook/build — alive (500 on bare POST), secret: gururmm-build-secret
• Gitea: https://git.azcomputerguru.com — repo azcomputerguru/gururmm, webhook ID 1 active
• Coord API: http://172.16.3.30:8001/api/coord — reachable, no unread messages at session start

Commands & Outputs

# Confirmed server is live but running old code
curl -s "http://172.16.3.30:3001/api/logs?limit=5" -H "Authorization: Bearer $TOKEN"
# No level filter → count: 0 (old hardcoded ERROR default, no ERROR logs exist)
# ?level=WARN → count: 5  |  ?level=INFO → count: 5  (filters work fine)

# Coord API status snapshot
# server: building, post-bug-007, updated 2026-05-26T01:03:36
# dashboard: building, post-log-dispatch, updated 2026-05-26T00:50:29

# Gitea: CI version-bump fired at 14:53 UTC after fleet log fix push at 14:25 UTC
# Most recent commit on main: 879d42bd (auto-bump) → 3b19ff0 (fleet log fix) confirmed on Gitea

Update: 10:20 PT — Log Analysis Feature Interview + Build Resolution

Summary

Picked up after saving the earlier context-recovery session. Four unread coord messages arrived from Mike:

1. (15:29 UTC) Audit remediation task list — Phase 1 (3 CRITICAL authz holes + fleet-log caller fix) merged and deploying. Phases 2-5 tracked as coord todos. Roadmap living-doc convention now in effect. Process nit: run SQLX_OFFLINE=true cargo check on server/ before pushing server code — 3b19ff0 broke the server crate and went undetected because the CI webhook only builds agents, not the server binary.

2. (15:36 UTC) Server v0.3.30 deployed — fleet log level-filter fix live in prod. build-server.sh finished clean, systemd restarted 15:32 UTC, PID 598071 at /opt/gururmm/gururmm-server.

3. (16:22 UTC) Mike's Mac session sent a 19-question interview on the proposed log analysis & remediation feature design (three-level Platform/Site/Machine system with auto-remediation engine).

4. (16:33 UTC) Phase 2 deployed — server v0.3.31 (b346b7b). HIGH BOLA/IDOR cluster closed: org-scoping on checks.rs (7 handlers), inventory.rs, user_inventory.rs, commands.rs, registry.rs. All use Phase 1 authorize_agent_access helper. /agents/status-stream SSE auth split to follow-up todo 06c16144 (needs ?token= extractor first — EventSource can't send Authorization header).

Answered all 19 interview questions and sent responses via coord to both Mac and GURU-5070 sessions. Key inputs: morning proactive monitoring is the primary log use case; severity + client/machine + duration + user impact are the four decision factors; auto-fix requires show-first + known-safe whitelist + rollback; default sort by age.

Standout UX idea (Q16): log deduplication — repeated identical errors on the same agent should collapse to a single row with a count badge (×N), sorted by age of first occurrence, expandable to show all instances, with bulk-resolve on the parent. Equivalent to Sentry's error grouping model. Per-machine muting for specific finding types also requested.

Key Decisions (Update)

• Sent interview responses to both Mac and GURU-5070 — covered all 20 questions, highlighted deduplication idea clearly so it makes it into the spec.
• Noted cargo check process nit — will run SQLX_OFFLINE=true cargo check on server/ before future server-code pushes.

Pending (Update)

• MAINTENANCE-PC "Invalid namespace" fix: the original fix was approved in the prior locked session. Now that the server is on v0.3.31, the underlying LHM fix still needs the agent binary to rebuild and the machine to download the update — separate from the server deploy.
• cargo check habit: add SQLX_OFFLINE=true cargo check to pre-push habit for any server/ changes.

---

Pending / Incomplete Tasks

• GuruRMM build pipeline: Mike investigating. Server needs to deploy commit 3b19ff0 (fleet log fix). SSH to 172.16.3.30 and check journalctl -u gururmm-server + ps aux | grep docker; restart container if build completed but deploy step failed.
• Dashboard analysis panel: Hard-refresh rmm.azcomputerguru.com to verify 612c00a (analysis findings on agent logs tab) is live once build deploys.
• MAINTENANCE-PC agent: Still on v0.6.27; LHM fix not applied. Separate step — requires agent binary rebuild and endpoint download.
• SSH key for HOWARD-HOME → build server (172.16.3.30): Not configured. Should be set up to avoid escalation for future build checks.

Reference Information

• Fleet log fix commit: 3b19ff0 — fix: fleet log stream respects level filter and supports agent_id
• Analysis panel fix commit: 612c00a — fix: show analysis findings in agent logs tab + clear LHM_RUNNING on WMI failure
• Coord message to Mike: ID fd6da8b3-b87e-4936-a341-c67a0d50fcb9, priority high
• GuruRMM API base: http://172.16.3.30:3001/api
• Gitea webhooks: GET https://git.azcomputerguru.com/api/v1/repos/azcomputerguru/gururmm/hooks

---

Update: 10:25 PT — Sif-oidak Setup + Factory-Clone Device ID Bug

Summary

Resumed after context compaction. Howard had run a fresh-install script on SIF-Laptop554 to try to separate it from SIF-Laptop555, which were colliding on the same agent record due to identical factory MachineGuids. The script deleted .device-id, agent.toml, and the binary before reinstalling, but the workaround failed silently: the installer served the old v0.6.43 binary which still reads MachineGuid first and ignores .device-id on first install. Both machines still had device_id: win-83e84dca.

Identified the residual root cause: the c347c6b fix (persisted file wins over hardware ID) only prevents reinstall collisions — it does not prevent FIRST-INSTALL collisions when two machines share the same factory MachineGuid and neither has a .device-id yet. The correct fix is to drop hardware ID seeding entirely and always generate a random UUID v4 on first install.

Committed 51a7e6c to GuruRMM — removed all get_hardware_device_id() implementations (Windows/Linux/macOS/fallback) from agent/src/device_id.rs. get_device_id() now: reads persisted file (returns immediately if found), otherwise generates UUID v4, persists it, returns. Hardware identifiers are no longer consulted at any point.

For the immediate workaround (current v0.6.43 binary still reads MachineGuid), changed the MachineGuid registry value on SIF-Laptop554 to a newly generated GUID f0fae6b3-3dc8-4905-81f2-e63ead4741e3, deleted .device-id, and restarted the agent service. This forced 554 to register as a new agent record (ce868d0f) with device_id: win-f0fae6b3. The old record (acb14901, win-83e84dca) now belongs to SIF-Laptop555 exclusively and will update its hostname to "Sif-Laptop555" on next 555 heartbeat. Verified both records online under the Sif-oidak site.

Sent Mike a coord message (346ede45) explaining the residual issue, the code fix, and the registry workaround used.

Key Decisions

• Dropped hardware ID seeding entirely rather than patching priority again — the persisted file already provides reinstall stability. Hardware IDs provide zero additional value and are the source of factory-clone collisions. Removing them is cleaner than adding special-case logic to detect cloned IDs.
• Registry MachineGuid change as workaround — only viable option with the current deployed binary (which ignores .device-id on first install). Pre-seeding .device-id would have required the new binary. Changing MachineGuid is a one-time setup step on 554 and has no downstream impact since GuruRMM no longer reads it.
• Appended to existing 2026-05-27-howard-session.md — same-day continuation, not a new file.

Problems Encountered

• Fresh-install script on 554 did not separate the agents — because the downloaded binary was still old v0.6.43. Deleting .device-id only helps if the binary prioritizes the persisted file; old code reads MachineGuid first regardless. Resolution: identified root cause, committed proper fix (51a7e6c), used registry MachineGuid change as immediate workaround.
• c347c6b (persisted wins over hardware) did not fully solve factory clone — priority swap prevents reinstall collisions but not first-install collisions when .device-id is absent on both machines. Resolution: 51a7e6c removes hardware seeding entirely.

Configuration Changes

• agent/src/device_id.rs — MODIFIED: removed all get_hardware_device_id() functions and hardware seeding path. get_device_id() now generates random UUID v4 on first install unconditionally. Committed 51a7e6c.
• HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid on SIF-Laptop554 — changed from factory value to f0fae6b3-3dc8-4905-81f2-e63ead4741e3 (workaround for current binary).

Infrastructure & Servers

• Sif-oidak District — GuruRMM client: 91dbd56d-ce59-4b98-8b09-22c6267f864c
• Sif-oidak Main Office — GuruRMM site: dfb6cf3e-8e12-4010-8330-9addf2b63ac2 | enrollment key: CALM-STORM-1968
• SIF-Laptop554 — agent ce868d0f, device_id win-f0fae6b3-3dc8-4905-81f2-e63ead4741e3, online, v0.6.43
• SIF-Laptop555 — agent acb14901, device_id win-83e84dca-0cac-4a02-83c7-5b13c2a85aea, hostname will update to "Sif-Laptop555" on next heartbeat
• GuruRMM server: http://172.16.3.30:3001 — running v0.3.31

Commands & Outputs

# Workaround run on SIF-Laptop554 to force unique device ID
Stop-Service GuruRMMAgent -Force -ErrorAction SilentlyContinue
Stop-Service GuruRMMWatchdog -Force -ErrorAction SilentlyContinue
Get-Process gururmm-agent -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2
$g = [System.Guid]::NewGuid().ToString()
reg add "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d $g /f
Remove-Item "C:\ProgramData\GuruRMM\.device-id" -Force -ErrorAction SilentlyContinue
Start-Service GuruRMMAgent
# Output: The operation completed successfully.
#         New MachineGuid: f0fae6b3-3dc8-4905-81f2-e63ead4741e3

# Verified two separate agents under dfb6cf3e after workaround:
# ce868d0f  Sif-Laptop554  win-f0fae6b3  created 18:21:47  online
# acb14901  (Sif-Laptop555)  win-83e84dca  created 17:26:59  online

# GuruRMM commits (device_id fixes):
c347c6b  fix(agent): persisted device ID wins over hardware ID to prevent factory-clone collisions
51a7e6c  fix: drop hardware ID seeding — always generate random UUID on first install

Pending / Incomplete Tasks

• SIF-Laptop555 hostname: Record acb14901 still shows "Sif-Laptop554" — will auto-correct to "Sif-Laptop555" on next 555 heartbeat. No action needed.
• New agent binary deploy: 51a7e6c needs to build and deploy before fresh installs on new machines get the fully clean fix. Mike is handling CI/build pipeline.
• localadmin password on both SIF laptops: Still unknown. Need Howard to set it so UAC prompts work for "Sif" standard user and credentials can be vaulted.
• UAC fix on both SIF laptops: Standard user "Sif" gets a Close button instead of a credential prompt for admin actions. Root cause: blank localadmin password. Fix: set localadmin password → test UAC prompt works → vault credentials.
• Make localadmin selectable at Windows login screen on both laptops.
• Vault SIF laptop credentials: Sif / SifSif (user); localadmin / TBD (admin). Path TBD under clients/sif-oidak/.
• Syncro assets: Created for both laptops (from session-start context). Verify they are linked correctly.
• MAINTENANCE-PC agent: Still on v0.6.27; LHM fix pending agent binary update.

Reference Information

• GuruRMM device_id fix commits: c347c6b, 51a7e6c
• Coord message to Mike (device_id follow-up): 346ede45-b005-41b2-b066-bd7042a221c1
• Sif-oidak GuruRMM client: 91dbd56d | site: dfb6cf3e | enrollment key: CALM-STORM-1968
• Sif-Laptop554 new agent ID: ce868d0f | new device_id: win-f0fae6b3-3dc8-4905-81f2-e63ead4741e3
• Sif-Laptop555 agent ID: acb14901 | device_id: win-83e84dca-0cac-4a02-83c7-5b13c2a85aea
• Syncro customer: https://computerguru.syncromsp.com/customers/7694718

---

Update: ~11:30 PT — Sif Ticket Billing + Cascades Printing + Chris Knight

Summary

Closed out billing on three tickets and created Chris Knight's accounts at Cascades.

Sif-oidak ticket #32168 ("Estimate - 2 x office laptops"): Added a setup resolution comment documenting machine names (Sif-Laptop554, Sif-Laptop555), username Sif / password SifSif on sticky note, and GuruRMM installation. Billed 1hr in-shop labor (setup/naming) and 1hr internal labor (GuruRMM device_id fix work). Both line items added via add_line_item. Sif-oidak is prepaid — invoices showed $0.00 with prepay deduction annotations. Prepay block decremented by 2.0 hrs total.

Cascades printing ticket #32331 ("Printing Issues - Alma Montt"): Created new ticket for Alma Montt printing issue (resolved). Billed 0.5h remote labor via add_line_item (product 1190473). Cascades is prepaid — prepay balance 28.0 → 27.5 hrs. Sent bot alert to #bot-alerts.

Cascades Chris Knight ticket #32332 ("New User - Chris Knight"): Created ticket and billed 0.5h remote labor for user account creation. Prepay 27.5 → 27.0 hrs.

Chris Knight M365 account: Created c.knight@cascadestucson.com via Graph API (user-manager tier, Cascades tenant 207fa277). O365 Business Premium SKU was suspended (grace period) — used Microsoft 365 Business Premium (SPB, cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46) which had 31 available seats. Added to SG-SSPR-Eligible (same groups as Lauren Hasselman — only group she was in). OU placement not applicable for cloud-only object.

Chris Knight AD account: Created c.knight@cascadestucson.com on cascades.local via GuruRMM PowerShell command dispatched to CS-SERVER agent (6766e973). OU: OU=Administrative,OU=Departments,DC=cascades,DC=local (no Accounting OU exists; Administrative is where accounting staff land per Cascades OU structure). UPN suffix cascadestucson.com confirmed as registered UPN suffix in AD. Temp password set; user must change on first login.

Credentials delivered to Howard for relay to Meredith:

• Email: c.knight@cascadestucson.com
• Temp password: (provided in session — not logged here; vault if needed)
• Must change password at first login

O365BP suspension flagged: Noted to Howard that the O365 Business Premium subscription at Cascades appears suspended (31 users on grace period). Needs Mike to check M365 admin center and confirm whether renewal/assignment is needed before grace period expires.

Key Decisions

• SPB over O365BP for Chris Knight license: O365BP was suspended; SPB was the active subscription with available seats. Used SPB rather than blocking on the suspended SKU.
• Administrative OU for accounting staff: No dedicated Accounting OU exists at Cascades. Administrative OU is the correct placement for office/accounting staff per existing user pattern.
• SG-SSPR-Eligible only: Matched Lauren Hasselman's exact group membership — only security group she was in. Per Cascades security group rule, no additional groups added without explicit confirmation.

Problems Encountered

• O365 Business Premium suspended: Could not assign to new user. Identified SPB as the correct active subscription. Flagged suspension to Howard for Mike to investigate.
• python3 not on PATH on Windows: curl | python3 pipes failed. Switched to PowerShell Invoke-RestMethod and grep/sed patterns for API calls.

Configuration Changes

None to the codebase. User accounts created in external systems (M365 tenant, cascades.local AD).

Credentials & Secrets

• Chris Knight M365 / AD: c.knight@cascadestucson.com | temp password given to Howard for relay — vault under clients/cascades-tucson/ if needed
• Cascades prepay balance after this session: ~27.0 hrs (started at 28.0; -0.5 printing, -0.5 Chris Knight account)

Infrastructure & Servers

• Cascades M365 tenant: 207fa277-e9d8-4eb7-ada1-1064d2221498 | SPB subscription: cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46
• CS-SERVER GuruRMM agent: 6766e973-e703-47c1-be56-76950290f87c (used to dispatch AD account creation)
• O365BP subscription status: SUSPENDED — 31 users on grace period (flag for Mike)

Pending / Incomplete Tasks

• O365BP suspension at Cascades: Mike needs to check M365 admin center; 31 users may lose access when grace period expires.
• Vault Chris Knight credentials: Temp password not yet vaulted — should go under clients/cascades-tucson/.
• SIF-Laptop555 hostname: Record acb14901 still shows "Sif-Laptop554" — auto-corrects on next heartbeat.
• New GuruRMM agent binary (51a7e6c): Needs CI build and deploy; Mike handling.
• localadmin on SIF laptops: Password unknown; set it so UAC prompts work for "Sif" standard user, then vault.
• Make localadmin selectable at Windows login screen on both SIF laptops.
• MAINTENANCE-PC agent: Still on v0.6.27; LHM fix pending agent binary update.

Reference Information

• Sif ticket: https://computerguru.syncromsp.com/tickets/32168
• Cascades printing ticket: https://computerguru.syncromsp.com/tickets/32331
• Cascades Chris Knight ticket: https://computerguru.syncromsp.com/tickets/32332
• Cascades customer: https://computerguru.syncromsp.com/customers/7502279
• Chris Knight M365 object ID: (recorded in Graph at time of creation)
• Cascades SPB subscription: cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46

---

Update: ~12:00 PT — SIF Laptop localadmin Login + Password

User

• User: Howard Enos (howard)
• Machine: Howard-Home
• Role: tech

Session Summary

Two follow-up tasks were completed on SIF-Laptop554 and SIF-Laptop555 to finish the localadmin account setup.

First, both machines had localadmin hidden from the Windows login screen via a SpecialAccounts\UserList registry entry set to 0. A PowerShell command was dispatched via GuruRMM to each laptop to remove the hide entry and confirm the account was already enabled. On SIF-Laptop554 (online), the command ran immediately and confirmed removal. On SIF-Laptop555 (offline), the command was queued and will execute on next agent reconnect.

Second, the localadmin password was set to r3tr0gradE99# on both machines using Set-LocalUser with PasswordNeverExpires $true. 554 completed immediately (exit 0). 555 has the command queued. The full agent UUID lookup was required — the short prefixes from the session log (ce868d0f, acb14901) are not sufficient for the GuruRMM command API.

Credentials were vaulted at clients/sif-oidak/laptops.sops.yaml covering both the standard user (Sif/SifSif) and localadmin (localadmin/r3tr0gradE99#). Vault entry committed and pushed.

Key Decisions

• PasswordNeverExpires set to true: These are unmanaged workgroup machines with no domain policy. A rotating or expiring localadmin password would lock out UAC elevation with no recovery path.
• Single vault entry for both laptops: Credentials are identical across 554 and 555 — one entry covering both machines avoids duplication.
• Dispatched both commands even though 555 was offline: GuruRMM queues commands for offline agents; they execute on next reconnect. No need to wait or repeat manually.

Problems Encountered

• Short agent ID prefixes insufficient for GuruRMM command API: Session log recorded ce868d0f and acb14901 as agent IDs. The command endpoint requires full UUIDs. Required an API lookup of the Sif-oidak site's agents to retrieve the full IDs before dispatching.
• SOPS encrypt failed when run from claudetools directory: sops --encrypt could not find .sops.yaml when invoked from C:/claudetools. Fixed by running from D:/vault (the vault root) where .sops.yaml lives.

Configuration Changes

• D:/vault/clients/sif-oidak/laptops.sops.yaml — CREATED: encrypted credentials for Sif-Laptop554 and Sif-Laptop555 (standard user + localadmin). Vault commit 1e2dd3c.

Credentials & Secrets

• localadmin (both SIF laptops): localadmin / r3tr0gradE99# — vault: clients/sif-oidak/laptops.sops.yaml → credentials.local_admin
• Standard user (both SIF laptops): Sif / SifSif — vault: clients/sif-oidak/laptops.sops.yaml → credentials.standard_user

Infrastructure & Servers

• SIF-Laptop554: agent ce868d0f-6381-444d-8fd3-94c563ddc4d9 — online, both commands completed (exit 0)
• SIF-Laptop555: agent acb14901-f659-40eb-a59c-b5954de0ba7f — offline at time of dispatch, both commands queued

Commands & Outputs

# 554 — remove SpecialAccounts hide entry
BEFORE: Enabled=True
Removed SpecialAccounts hide entry
AFTER: Enabled=True
DONE
# exit_code: 0

# 554 — set localadmin password
localadmin: Enabled=True PasswordNeverExpires=
DONE
# exit_code: 0

# 555 — both commands: status=pending (queued for offline agent)

Pending / Incomplete Tasks

• SIF-Laptop555 queued commands: Remove SpecialAccounts hide entry + set password — run automatically on next agent reconnect. Verify via GuruRMM command history once 555 is back online.
• UAC test on both laptops: Log in as Sif (standard user), trigger an admin action, confirm credential prompt (not Close button) now appears and accepts localadmin / r3tr0gradE99#.
• Make localadmin selectable at Windows login screen — done for 554, pending 555 reconnect.
• SIF-Laptop555 hostname: Record acb14901 still shows "Sif-Laptop554" — auto-corrects on next heartbeat.
• New GuruRMM agent binary (51a7e6c): Needs CI build and deploy; Mike handling.
• O365BP suspension at Cascades: Mike needs to check M365 admin center.
• MAINTENANCE-PC agent: Still on v0.6.27; LHM fix pending agent binary update.

Reference Information

• SIF-Laptop554 full agent UUID: ce868d0f-6381-444d-8fd3-94c563ddc4d9
• SIF-Laptop555 full agent UUID: acb14901-f659-40eb-a59c-b5954de0ba7f
• Vault entry: clients/sif-oidak/laptops.sops.yaml (vault commit 1e2dd3c)
• GuruRMM command IDs: 554 hide-fix 9ff6c7a7, 554 password 10a0042f, 555 hide-fix queued TBD, 555 password queued ccd1047b

---

Update: ~2:45 PT — Chris Knight Additional Billing + Syncro Rule Corrections

User

• User: Howard Enos (howard)
• Machine: Howard-Home
• Role: tech

Session Summary

Attempted to add emergency and onsite labor to Cascades ticket #32332 (Chris Knight, ticket ID 111233015) for after-hours computer setup, Outlook configuration, share mapping, and moving old Jeff data to the Accounting/Management folder. Howard requested 0.5hr emergency + 1hr onsite.

Two billing errors were made. First, the emergency line used product 26118 (Labor - Onsite Business) with the 1.5× prepaid multiplier applied to the quantity (0.75hr), instead of product 26184 (Labor - Emergency or After Hours). Second, both line items were given invented names ("Emergency Call Setup", "Onsite Computer Setup") instead of the real product names from Syncro. Custom labor names break the Syncro→QuickBooks sync.

Additionally, a second POST /invoices was created with line items specified in the body, while the ticket already had uninvoiced add_line_item entries. Syncro included both sets on the invoice, resulting in 4 line items (2 duplicates) and a prepay over-deduction of 3.5hrs instead of the correct 1.75hrs. Howard confirmed the emergency should also have been 0.5hr (not 0.75hr multiplied), so Winter and Mike are correcting the full ticket.

Mike pushed updated Syncro billing rules after fixing the ticket. Key corrections: prepaid emergency uses 26184 at hours×1.5 quantity (not 26118); labor item names must be the real product name verbatim; corrections use update_line_item in place to preserve the original tech's commission (user_id 1750 / Howard). Commission on the corrected lines is preserved.

Key Decisions

• Left fix to Winter/Mike: Howard confirmed to leave the billing error for Winter to correct and not attempt further API changes. Mike fixed via update_line_item in place.
• Do not create an invoice body with line items when add_line_item items already exist on the ticket: The two workflows conflict — Syncro merges both onto the invoice, causing duplicates. Going forward: use add_line_item only, then let invoicing handle ticket items without specifying a body.

Problems Encountered

• Wrong emergency product: Used 26118 (Onsite) instead of 26184 (Emergency or After Hours) for the emergency line. Rule updated: prepaid emergency always goes on 26184 at hours×1.5 quantity.
• Invented labor item names: "Emergency Call Setup" / "Onsite Computer Setup" are not Syncro products and break QB sync. Rule updated: name = verbatim product name; description = work narrative.
• Duplicate invoice line items: add_line_item ticket entries + invoice POST body entries both landed on the same invoice. Prepay deducted 3.5hr instead of 1.75hr. Balance was 27.0, went to 23.5; correct post-billing balance should be 25.25 (−0.5 emergency, −1.0 onsite).

Configuration Changes

None to codebase. Three new memory files from Mike's sync commit (a42d657):

• .claude/memory/feedback_syncro_emergency_billing.md — updated: prepaid emergency → 26184 at hrs×1.5 quantity
• .claude/memory/feedback_syncro_no_madeup_labor_items.md — new: labor names must be real product names
• .claude/memory/feedback_syncro_corrections_preserve_tech.md — new: corrections use update_line_item, preserve user_id

Credentials & Secrets

None new.

Infrastructure & Servers

• Cascades prepay balance: Should be ~25.25hrs after correction (27.0 − 0.5 emergency − 1.0 onsite). Winter/Mike correcting.

Commands & Outputs

# Ticket 111233015 — line items added (both wrong product + wrong names)
LI1: id=42609337  name="Emergency Call Setup"  qty=0.75  (WRONG — should be 26184 at 0.5)
LI2: id=42609338  name="Onsite Computer Setup"  qty=1.0   (WRONG — invented name)

# Invoice created with body items — duplicated onto invoice
Invoice 67661 (id 1650436338): 4 line items, prepay deducted 3.5hrs

# Prepay after error: 27.0 → 23.5 (should be 25.25 after correct fix)

Pending / Incomplete Tasks

• #32332 billing correction: Winter/Mike handling — verify prepay returns to ~25.25 after fix.
• SIF-Laptop555 queued commands: hide-fix + password — run on next agent reconnect; verify via GuruRMM command history.
• UAC test on SIF laptops: Confirm credential prompt (not Close button) works for Sif user.
• O365BP suspension at Cascades: Mike needs to check M365 admin center.
• MAINTENANCE-PC agent: Still on v0.6.27; LHM fix pending agent binary update.
• New GuruRMM agent binary (51a7e6c): CI build and deploy pending.

Reference Information

• Ticket: https://computerguru.syncromsp.com/tickets/111233015 (internal #32332)
• Cascades customer ID: 20149445
• Bad invoice: 67661 (id 1650436338) — 4 duplicate line items
• Mike's rule-fix commit: a42d657
• Emergency product: 26184 (Labor - Emergency or After Hours Business, $262.50)
• Onsite product: 26118 (Labor - Onsite Business, $175.00)
• Remote product: 1190473 (Labor - Remote Business, $150.00)