claudetools/clients/dataforth/session-logs/2026-06-04-session.md
Mike Swanson 8389e64a02 sync: auto-sync from GURU-5070 at 2026-06-04 19:27:51
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-04 19:27:51
2026-06-04 19:27:56 -07:00

# Dataforth — Session Log 2026-06-04
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Recovered missing PCB manufacturing print files for the SP1366 MAQ20 Communications Module (revisions E, F, G, H), reported missing by John Lehman. The files live on AD2 (`Q:` → `\\ad2\c-drive` → `C:\Shares\c-drive`) under `DOCUMENT\DESIGN\SP\SP1366 MAQ20 Communications Module\{E,F,G,H}\PCB1366 REV <rev> PRINTOUTS FOR MANUFACTURING`. The PRINTOUTS folders existed but contained only a `TOP SIDE DRILL PANEL.PDF` each; the LAYERS/PASTE/AD/CD/DG exports were gone. The same set existed for revs A (2010) and I (2024), and the Altium source `.SchDoc` files for E–H survived — only the exported PDFs were missing.
Confirmed no local recovery path: AD2 had no shadow copies; its MSP360 (ACG-branded "Online Backup") agent showed an image plan and a Files plan both "Never started" locally, but the MSP360 account view (api.mspbackups.com) showed the AD2 Image plan running daily. The breakthrough was a second backup set in the `ACG-Dataforth` storage: a file-level NBF backup ("Backup plan on 8/29/2025", bunch `faad5a67`) with restore points 8/29–9/29/2025. Browsing it (`cbb.exe list -b <bunch> -rp <id> -path ...`) found the files under `D:\c-drive\...` (the share's pre-migration physical path) — 19 of John's 20 files present (REV F's `TOP PASTE LAYER` absent in every backup; it never existed as a separate F export).
Established WHEN the files were lost via NTFS timestamps: the `C:\Shares\c-drive` tree was created 10/1–10/2/2025 by the post-ransomware recovery restore (`Restore plan 10/1/2025`, ~3.4M files). That restore brought back only the drill panel into each PRINTOUTS folder and dropped the rest — i.e. an incomplete recovery restore, not a later user deletion. Files were intact in backup through 9/29/2025. The image backup retention only reaches back to 5/6/2026 (post-loss), so it cannot contain them.
Restored the 19 files from HGHAUBNER's pre-attack backup (`D:\DF C-Drive`, accessible after Mike installed GuruRMM on HGHAUBNER) rather than the cloud backup — same files, no B2 egress. Cross-machine copy was blocked by Windows auth (SSH double-hop; WTS-impersonation tokens can't open fresh UNC). Solution: ran the copy on HGHAUBNER in `user_session` (as logged-in `ghaubner`), reading local `D:\DF C-Drive` and writing to his existing GPO-mapped `Q:` (→ `\\ad2\c-drive`) — local read + existing-mapping write needs no fresh auth. Verified 6 files/rev landed in the live `C:\Shares\c-drive` path. Created Syncro ticket #32385, billed 1.0 hr remote labor (prepaid → $0, block 35.5→34.5), resolved + invoiced.
Set up follow-on work and parked it: rescanned the GuruRMM fleet (grew 13 → 45 agents incl. servers AD1/FILES-D1/SAGE-SQL); prepared (but did not run) an AD1 Files backup plan matching AD2's (180-day retention); and scoped a broader migration-gap audit (WizTree both sides, ~8.7M files / 5.7 TB across 7 shares). Mike will run the WizTree-on-servers pass tomorrow. All parked state is in `clients/dataforth/migration-gap-diff-RESUME.md`.
## Key Decisions
- Restored from HGHAUBNER's local pre-attack backup rather than the MSP360 cloud backup — identical files, no B2 egress, and it independently cross-validated the cloud backup (both 19/20).
- Ran the cross-machine copy on HGHAUBNER in `user_session` writing to an existing mapped drive, after both SSH-from-AD2 and AD2-side `user_session` failed (double-hop / impersonation has no network creds). Existing GPO mappings work in the impersonated token; fresh UNC does not.
- Did NOT restore REV F's paste file — confirmed absent from both independent backups; framed it as "not in our backups under that name" rather than "never existed," per Mike's caution that the ask may be slightly off.
- Moved the WizTree CSV (a sensitive full file-list) OFF the c-drive share into private `C:\ClaudeTools` on AD2 — it was wrongly staged in a share visible to all c-drive users.
- For the broad migration-gap diff, chose WizTree-both-sides (MFT-fast, exact, CSV-to-CSV) over live RMM enumeration, given ~8.7M files. Catalog is review-only — no auto-restore, since some deletions were intentional and the HGH backup is additive-only.
- AD1 backup: build fresh via `addBackupPlan` CLI (Mike's choice, option b), matched to AD2's real `.cbb` config (read `SerializationSupportRetentionTime=180 days`).
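
The CSV-to-CSV diff chosen above for the migration-gap audit, sketched in Python as an added example (not code from this session or its repo); it strips each side's share root so the backup path and the live path compare equal, and only reports, never restores. The WizTree banner line and column names are assumptions about the export format, the sample rows are constructed, and the two share roots are the ones named in this log.

```python
import csv

# Constructed sample exports (not real Dataforth data). Assumed WizTree layout:
# a banner line, then a header row with "File Name" and "Size" columns;
# folder rows end in a backslash.
BACKUP_CSV = r'''Generated by WizTree (constructed sample)
"File Name","Size","Allocated","Modified","Attributes","Files","Folders"
"D:\DF C-Drive\DOCUMENT\SP\E\PRINTOUTS\",300,4096,"2012-03-01 10:00:00",16,3,0
"D:\DF C-Drive\DOCUMENT\SP\E\PRINTOUTS\TOP SIDE DRILL PANEL.PDF",100,4096,"2012-03-01 10:00:00",32,0,0
"D:\DF C-Drive\DOCUMENT\SP\E\PRINTOUTS\TOP LAYER.PDF",120,4096,"2012-03-01 10:00:00",32,0,0
"D:\DF C-Drive\DOCUMENT\SP\E\PRINTOUTS\Bottom Layer.pdf",80,4096,"2012-03-01 10:00:00",32,0,0
'''
LIVE_CSV = r'''Generated by WizTree (constructed sample)
"File Name","Size","Allocated","Modified","Attributes","Files","Folders"
"C:\Shares\c-drive\DOCUMENT\SP\E\PRINTOUTS\",180,4096,"2025-10-02 12:17:00",16,2,0
"C:\Shares\c-drive\DOCUMENT\SP\E\PRINTOUTS\TOP SIDE DRILL PANEL.PDF",100,4096,"2012-03-01 10:00:00",32,0,0
"C:\Shares\c-drive\DOCUMENT\SP\E\PRINTOUTS\BOTTOM LAYER.PDF",75,4096,"2012-03-01 10:00:00",32,0,0
'''

def load(text, root):
    """Map root-relative, lower-cased path -> (original path, size), files only."""
    lines = text.splitlines()
    # Skip the banner: start at the header row that names the columns.
    start = next(i for i, line in enumerate(lines) if "File Name" in line)
    files = {}
    for row in csv.DictReader(lines[start:]):
        path = row["File Name"]
        if path.endswith("\\") or not path.lower().startswith(root.lower()):
            continue  # folder row, or outside the share being compared
        # NTFS names are case-insensitive, so compare on a lower-cased key.
        files[path[len(root):].lower()] = (path, int(row["Size"]))
    return files

def migration_gap(backup_text, backup_root, live_text, live_root):
    """Review-only findings: backup files missing from live, or differing in size."""
    backup, live = load(backup_text, backup_root), load(live_text, live_root)
    findings = []
    for rel, (orig, size) in sorted(backup.items()):
        if rel not in live:
            findings.append(("MISSING", orig, size))
        elif live[rel][1] != size:
            findings.append(("SIZE_DIFF", orig, size))
    return findings  # nothing is copied: some deletions were intentional

FINDINGS = migration_gap(BACKUP_CSV, "D:\\DF C-Drive\\", LIVE_CSV, "C:\\Shares\\c-drive\\")
for status, path, size in FINDINGS:
    print(f"{status:9} {size:>8} {path}")
```
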
## Problems Encountered
- AD2's local `cbb.exe` reported the image/Files plans "Never started" and `listIBBContent` found "No disk image backups" — stale local repo view. Mike had me restart the Online Backup services; the `list` command then surfaced the file-backup bunch.
- Path confusion: backup stored the share under `D:\c-drive` while the live share is `C:\Shares\c-drive`. Reconciled via NTFS metadata — the old `D:` data volume is gone (now a mounted Windows install ISO); the 10/1/2025 restore migrated the data to `C:\Shares` on the C: volume.
- Cross-machine file copy repeatedly blocked by Windows double-hop / WTS-impersonation (no network creds). Resolved by running on the source machine in `user_session` and writing to an existing mapped drive.
- Repeated bash-heredoc backslash mangling of PowerShell/Python — resolved by base64-encoding PowerShell (`-EncodedCommand`) and writing Python via the Write tool / `chr(92)` instead of literal backslashes.
- WizTree export was in Georg's `Documents`, not `Downloads` as expected — found by listing largest files under the profile.
- Coord API was unreachable for the parking todo — used a repo resume doc instead.
## Configuration Changes
- **AD2 `C:\Shares\c-drive\...\{E,F,G,H}\PCB1366 REV <rev> PRINTOUTS FOR MANUFACTURING\`** — added 19 recovered PDFs (additive; existing files untouched).
- **AD2 `C:\ClaudeTools\clients\dataforth\WizTree_20260604184904.zip`** — moved here (private) from the c-drive share staging; `C:\Shares\c-drive\__wiztree` staging folder removed.
- **AD2 Online Backup services** — restarted (by request) to resync the local repo. No plan changes.
- Repo: created `clients/dataforth/session-logs/2026-06-04-session.md`, `clients/dataforth/migration-gap-diff-RESUME.md`.
- **No AD1 backup plan created yet** (command prepared, parked). No diff catalog written yet (parked).
## Credentials & Secrets
- AD2 SSH: `sysadmin` (INTRANET\\sysadmin), vault `clients/dataforth/ad2.sops.yaml → credentials.password` (note: strip stray backslash).
- HGHAUBNER: no SSH; reached via GuruRMM agent; logged-in user `intranet\ghaubner`.
- MSP360 Managed Backup API: vault `msp-tools/msp360-api.sops.yaml` (api.mspbackups.com, /api/Provider/Login).
- GuruRMM API: vault `infrastructure/gururmm-server.sops.yaml`. Syncro: per-user key (mike) in the syncro skill.
- No new credentials created.
## Infrastructure & Servers
- **AD2** — 192.168.0.6, Win Server 2022 DC + file server. Shares now `C:\Shares\{c-drive,e-drive,webshare}`; old `D:\c-drive` data volume repurposed (D: = mounted install ISO). MSP360 agent `C:\Program Files\Arizona Computer Guru\Online Backup\cbb.exe`; storage account `ACG-Dataforth` (`0b49ca5e-…`). GuruRMM agent `cfa93bb6-…`.
- **AD1** — DC; shares `Engineering` → `C:\Engineering`, `ITSvc` → `C:\Shares\ITSvc`. GuruRMM agent `bf7bc5ee-…`. Only `Image2025` backup plan.
- **FILES-D1** — file server; shares `E:\Shares\{sales,archive}` (no `staff` share — missing). Agent `8566a19d-…`.
- **SAGE-SQL** — `C:\sage`. Agent `120ba7bf-…`.
- **HGHAUBNER** — Georg Haubner's PC; `D:` = pre-attack backup of DF shares (`DF C-Drive`, `DF E-Drive`, `DF WebShare`, `DF Sage`, `DF Server Sales/Archive/Engineering`, + personal `DF Staff`/`Dataforth`). Agent `2aefe0d5-…`.
- Backup sets in `ACG-Dataforth`: `AD2 Image` (image, `35a5c3d2`), file backup `Backup plan on 8/29/2025` (`faad5a67`, restore points 8/29–9/29/2025).
## Commands & Outputs
- Browse file backup: `cbb.exe list -a "ACG-Dataforth" -b faad5a67-… -rp 20250830005237 -path "D:\c-drive\DOCUMENT\DESIGN\SP\SP1366 MAQ20 Communications Module\F\PCB1366 REV F PRINTOUTS FOR MANUFACTURING"`.
- Forensic: `C:\Shares` Created `10/1/2025 2:23 PM`; SP1366 rev/PRINTOUTS folders Created `10/2/2025 ~12:17 PM`; surviving drill PDFs Created `10/2/2025`, Modified = original 2012–2024.
- Copy (HGHAUBNER user_session): local `D:\DF C-Drive\…` → `Q:\…` (mapped `\\ad2\c-drive`) — 19 copied, 5 skipped, 6 files/rev verified.
- AD2 Files plan retention (from `de4fd4fd*.cbb`): `<SerializationSupportRetentionTime>180.00:00:00</…>`, GFS disabled.
- WizTree backup totals: DF C-Drive 2.74M files/426GB; DF E-Drive 2.29M/2261GB; DF Server Sales 461k/1487GB; DF Server Engineering 971k/1079GB; DF Server Archive 1.09M/392GB; DF Sage 58.6k/88GB; DF WebShare 1.06M/2.9GB.
## Pending / Incomplete Tasks
See `clients/dataforth/migration-gap-diff-RESUME.md` for full detail. Parked:
1. **AD1 Files backup**: `addBackupPlan` command ready (NBF, daily 2 AM, 180-day, `C:\Engineering` + `C:\Shares\ITSvc`); run on Mike's OK.
2. **Migration-gap diff** — WizTree both sides tomorrow; diff CSV-to-CSV per share → `clients/dataforth/migration-gap-catalog-2026-06-04.md`. Backup-side CSV at AD2 `C:\ClaudeTools\clients\dataforth\WizTree_20260604184904.zip`.
3. **AD2 Claude** capability updates (syncro/coord + DF wiki read-write + Dataforth data; its repo is `C:\ClaudeTools`).
4. **Dataforth wiki** GuruRMM-enrollment section: update 13 → 45 agents.
5. **REV F `TOP PASTE LAYER`** — John doesn't care; closed.
6. Housekeeping: delete sensitive local copy `GURU-5070 C:\Users\guru\AppData\Local\Temp\wiztree.zip` after the diff.
## Reference Information
- Syncro ticket **#32385** (id 112202781) — https://computerguru.syncromsp.com/tickets/112202781 ; invoice 1650579125 ($0, prepaid).
- Dataforth Corp Syncro customer 578095; contact John Lehman 2851723 (jlehman@dataforth.com).
- GuruRMM API http://172.16.3.30:3001 ; MSP360 API https://api.mspbackups.com.
- Resume doc: `clients/dataforth/migration-gap-diff-RESUME.md`.