claudetools/.claude/memory/MEMORY.md

Memory Index

Reference

• ACG Office Network Infrastructure — IPs, hosts, roles for pfSense/Jupiter/VMs/Docker. Use before assuming what's where; .21 (Uranus) is storage, not a proxy.
• Power Failure Runbook — Step-by-step recovery: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS. Run in order after any power event.
• Syncro API — Invoice Verification Pattern - CRITICAL: List endpoint (/invoices?customer_id=X) does NOT return ticket linkage. Must query individual invoices (/invoices/{number}) to get ticket_id field. Invoice numbers are strings. Use ticket ID (not number) for comparison. Real case: falsely reported 31 tickets had no invoices (actually 29 had invoices, 2 were Non-Billable).
• Approval Workflow: Tools vs Projects - General tools (remediation-tool, onboard scripts, MSP utilities): Howard can modify OR Claude can execute with Howard/Mike approval. Projects (GuruRMM, etc.): require Mike approval, features→roadmap, bugs→bug list.
• Community Forum (Flarum) - Flarum forum at community.azcomputerguru.com, API access, database, posting workflow
• Radio Show Website - Astro static site at radio.azcomputerguru.com on IX server
• IX Server SSH Access - SSH access notes, no key auth from CachyOS workstation yet
• IX Access via Tailscale - IX server accessible with Tailscale on, no VPN needed
• Neptune Access via D2TESTNAS - Neptune must be routed through D2TESTNAS
• ACG-5070 Workstation - Windows 11, replaced CachyOS. SOPS vault, Ollama, all dev tools.
• Matomo Analytics - Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites
• Dataforth Contact - AJ - AJ at Dataforth, dataforthgit@ email forwarding to him
• TickTick Integration - OAuth API integration, MCP server, SOPS vault creds, project/task CRUD
• Client Docs Structure - clients//docs/ layout (overview, network, servers, cloud, security, rmm, issues). Template at clients/_client_template/.
• MSP Audit Scripts - server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/. ScreenConnect 80-char rule.
• GuruRMM Server Layout - SSH as guru, repo at /home/guru/gururmm, deploy to /var/www/gururmm/dashboard/
• GuruRMM API — run script on agent - POST /api/agents/:id/command with command_type=powershell + command text; poll /api/commands/:id for stdout/stderr. Use instead of ScreenConnect copy-paste.
• Pluto Build Server - General-purpose Windows build VM, 172.16.3.36, SSH as Administrator, MSVC toolchain — use for any EXE (utilities, Howard's tools, GuruRMM agent)

Users

• Howard Enos — Mike's brother, technician, full trust/access. Known machine: ACG-TECH03L.

Feedback

• GuruRMM agent parity rule — "Add feature X to the agent" = Windows + Linux + macOS in the same change, no exceptions. Stub + TODO if real impl not feasible.
• D2TESTNAS SSH Access - Use root@192.168.0.9 with Paper123!@#, not sysadmin
• Bypass Permissions Setting - Set permissions.defaultMode to bypassPermissions in settings.json on all machines
• 365 Remediation Tool - Always means Graph API app fabb3421, not CIPP
• Ollama Tier-0 Routing - Route drafts/summaries/classifications through Ollama (qwen3:14b). Mike designed ClaudeTools this way — not optional.
• /save writes narrative directly — No Ollama for /save; write all sections inline — too slow
• Syncro Emergency Billing — Emergency = 1.5× multiplier, not additive. Branch by customer.prepay_hours: no-prepaid → 26184 at actual hrs; prepaid → 26118 at hrs×1.5. Never stack. Always set price_retail.
• Identity precedence — Trust .claude/identity.json over the system-reminder userEmail hint when they disagree (shared-login machines).
• 1Password — always use service token — Source OP_SERVICE_ACCOUNT_TOKEN from SOPS for every op call. Desktop-app integration prompts are unacceptable in agent flows.
• /tmp path mismatch on Windows — Write tool and Git Bash resolve /tmp to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl. Caused wrong-comment incident on Syncro #32225.
• Syncro — leave contact blank by default — Default to blank contact ("Not Assigned") on tickets and billing for ALL customers. Blank lets Syncro use company-level email defaults; setting a contact may route to a secondary email and bypass distribution. Generalizes the prior Cascades-only rule per Winter 2026-05-04.
• Syncro — never set contact on Cascades tickets — Cascades-specific instance of the blank-contact rule above. Kept for the Meredith-defaulting incident detail.
• Syncro — use a billable labor type, never "Prepaid project labor" — Billable line items must use in-shop / onsite / remote / web labor. "Prepaid project labor" is exempt and won't decrement prepay blocks. Default is Remote labor for typical support tickets. Winter caught this 2026-05-04.
• Syncro — bill with add_line_item, not timers — Bill tickets with POST /tickets/{id}/add_line_item directly; the timer workflow (timer_entry → charge_timer_entry) is NOT used. Set product_id, quantity (decimal hours), price_retail, name, description, taxable:false. Supersedes the old "timers required" rule (Mike confirmed 2026-05-21).
• Syncro — timer_entry response is FLAT (HISTORICAL) — Reference only: timers are NO LONGER part of the billing workflow (superseded by add_line_item — see feedback_syncro_timer_first.md). Retained for the rare manual-timer case: response is flat ({"id": N, ...}), parse .id not .timer.id. Originally hit on #32253 2026-05-05.
• Syncro — warranty has its own product, never patch dollar amounts — Warranty/no-charge work uses product 1049360 (Labor- Warranty work, $0). Don't fake a free line by patching price_retail or neutralizing a regular product — pick the correct product and re-run. Hit on #32225 2026-05-06.
• SQL instance role — verify by connections, not name — Standard installed under default SQLEXPRESS instance name is real. Prove role with sys.dm_exec_sessions + Get-NetTCPConnection -OwningProcess before recommending stop/uninstall. IMC1 2026-05-05/06 near-miss.
• Syncro — confirm appointment owner explicitly — When creating tickets with appointments, always ask "who is the appointment owner?" in the preview. Don't auto-default to ticket's assigned tech. Don't add additional attendees without explicit confirmation. Howard caught on Kittle ticket #32263 2026-05-08.
• Clear-RecycleBin fails silently as SYSTEM — RMM-dispatched cleanup scripts cannot use Clear-RecycleBin -Force; the cmdlet uses Shell COM and silently no-ops without an interactive desktop. Enumerate C:\$Recycle.Bin\<SID>\* directly. Hit on ASSISTMAN-PC 2026-05-08.
• Cascades — ask security group on user creation — When creating any Cascades user, always ask which security group(s) they go in. Deliberate per-user decision; an OU→group auto-mirror was explicitly declined 2026-05-14. OU = sync scope; group = access/CA decision.

Machine

• ACG-5070 Workstation Setup - Windows 11 Pro clean install 2026-03-30, replaced CachyOS. All tools installed.

Pending Setup

• Mac gururmm setup pending — ACTION REQUIRED: run bash scripts/install-hooks.sh in gururmm repo on Mikes-MacBook-Air before any RMM work

Project

• Cascades Migration Plan — Active multi-day migration. Plan file: C:\Users\Howard\.claude\plans\wise-discovering-panda.md. Syncro ticket: #110680053. Resume: "resume the Cascades migration plan".
• GuruRMM Development Principles - MANDATORY: every feature needs full stack (backend, API, UI, docs, scalability). Product must work without AI agents (AI features are enhancements). Documented in guru-rmm/docs/DESIGN.md.
• Sync script bug — untracked files (RESOLVED) — FIXED 2026-05-21: sync.sh now uses git status --porcelain for change detection (repo + vault), so untracked-only changes are caught. Added .gitignore for the datto BSOD dumps so the fix doesn't sweep 54MB of binaries.
• MasterBooter Side Project — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
• Audio Processor Architecture - Segment-first pipeline: detect breaks before transcription for complete content capture
• Neptune Email Routing Issues - Multiple clients (devcon, Sorensen/rieussetcorp) have email not routing properly from Neptune
• Neptune SBR Email Routing Setup - Full SBR routing chain, config file locations, MailProtector integration, access methods
• Dataforth Test Datasheet Pipeline - Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
• Dataforth Security Incident - DF-JOEL2 compromised, MFA deployed, IC3 filed. CA policies enforce April 4.
• Radio show co-host — Tara, not Tom — Co-host in 2014-s6e19 and 2016-s8e43 is Tara. "Tom" was hallucinated; rename complete. Multiple co-hosts have rotated through the show.