claudetools/.claude/memory/project_cascades.md
Mike Swanson 0c000109dc chore(memory): consolidate scattered feedback/project/reference files
Compressed memory store 104 -> 71 files via four passes:

- Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files
  (api/billing/workflow) + an on-demand feedback_syncro_history.md for
  incident detail, quotes, and tech/product ID tables.
- Four near-duplicate merges: Howard paste-safety, Pluto build server,
  Howard backend deferral, IX server access (ssh+tailscale).
- Per-cluster rule/state/history split applied to GuruConnect (2->1),
  Dataforth (3->2), Cascades (7->3), GuruRMM (13->3).
- New reference_resource_map.md: single auto-loaded cheatsheet for
  "do I have access to X and how do I connect from this machine?"
- MEMORY.md rewritten to match the new layout.

Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
2026-06-01 16:25:45 -07:00


---
name: Cascades of Tucson — current state (migration, admin, CA rollout, billing)
description: Active state of the Cascades migration — Syncro ticket #110680053, plan file (machine-specific path), admin accounts (sysadmin@ = Howard, admin@ = Mike, not break-glass), CA caregiver pilot (Phase B / SG-Caregivers-Pilot, scope group-only never tenant-wide), prepaid block ~37.5h (rate TBD). Active rules in feedback_cascades.md, incident detail in project_cascades_history.md.
type: project
---
Rules: [[feedback_cascades]]. Detail / decisions / pilot-cleanup checklist: [[project_cascades_history]].
## Migration
Multi-day, department-by-department migration from a workgroup/cloud-only setup to a domain-integrated environment. Clean end state: everything works automatically on a fresh-machine domain join.
- **Syncro ticket:** https://computerguru.syncromsp.com/tickets/110680053 — update with notes after each session.
- **Plan file:** `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` *(machine-specific path on Howard's box; confirm it resolves on ACG-TECH03L / Howard-Home or relocate into the synced repo)*.
- **Resume:** Howard says "resume the Cascades migration plan" → read plan file, check `CURRENT SAVE POINT`, pick up at next unchecked item. At session start, read the save point BEFORE doing any work; update + `/save` at session end.
## Tenant
Cascades Tucson tenant: `207fa277-e9d8-4eb7-ada1-1064d2221498`.
## Admin accounts (daily-driver, NOT break-glass)
- **`sysadmin@cascadestucson.com`** — Howard's working admin (used PIM portal click 2026-04-28 for CA Admin role).
- **`admin@cascadestucson.com`** — Mike's working admin.
As of 2026-04-29, neither is confirmed cloud-only / FIDO2 / CA-excluded. **A break-glass admin still needs to be designed** before CA bypass policies go live. Don't assume sysadmin@ / admin@ meet break-glass criteria — verify against Graph (`onPremisesSyncEnabled`, authentication methods, CA exclusions) first.
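Added example (not part of this memory file or the client repo): a readiness check that turns the three break-glass criteria above into code. Inputs follow the shapes Graph returns for `/users/{id}`, `/users/{id}/authentication/methods` and `/identity/conditionalAccess/policies`; the sample user, methods and policies are constructed placeholders, not tenant data.

```python
# Break-glass readiness check for the criteria named above: cloud-only, FIDO2
# registered, excluded from every CA policy. Added example, not the memory file's
# own tooling; the sample objects below are constructed, not real tenant data.

FIDO2_TYPE = "#microsoft.graph.fido2AuthenticationMethod"

def break_glass_gaps(user, methods, policies):
    """Return the reasons `user` does not yet qualify as break-glass (empty = qualifies)."""
    gaps = []
    if user.get("onPremisesSyncEnabled"):        # null/False for cloud-only accounts
        gaps.append("synced from on-prem AD; break-glass must be cloud-only")
    if not any(m.get("@odata.type") == FIDO2_TYPE for m in methods):
        gaps.append("no FIDO2 security key registered")
    for pol in policies:
        if pol.get("state") == "disabled":       # report-only policies still count
            continue
        excluded = pol.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        if user["id"] not in excluded:
            gaps.append(f"not in excludeUsers of CA policy '{pol['displayName']}'")
    return gaps

# Constructed sample: a cloud-only candidate with a FIDO2 key, excluded from only
# one of the two active policies.
SAMPLE_USER = {"id": "uid-candidate-placeholder",
               "userPrincipalName": "candidate@example.invalid", "onPremisesSyncEnabled": None}
SAMPLE_METHODS = [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
                  {"@odata.type": FIDO2_TYPE, "displayName": "security key (constructed)"}]
SAMPLE_POLICIES = [
    {"displayName": "Require multifactor authentication for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": "CSC - Block caregivers off Cascades network",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["pilot-group-placeholder"],
                              "excludeUsers": ["uid-candidate-placeholder"]}}},
    {"displayName": "Old test policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
]

if __name__ == "__main__":
    for gap in break_glass_gaps(SAMPLE_USER, SAMPLE_METHODS, SAMPLE_POLICIES):
        print("GAP:", gap)
```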
## CA caregiver pilot — phased, group-scoped
The caregiver bypass CA work is a **phased rollout**, not a tenant-wide cutover. The original §5 design in `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` and the 2026-04-29 resume-point implied tenant-wide; that was corrected.
- New CA policies target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). Never `includeUsers: All`.
- The legacy `Require multifactor authentication for all users` policy **stays in place**. PATCH its `excludeGroups` to add the pilot group; existing office-staff behavior is unchanged.
- Expansion to other populations happens one group at a time post-pilot. Legacy all-users-MFA is deleted only at the very end when every population is governed by phased policies.
**Caregiver policy set (current scope):**
- PATCH `Require multifactor authentication for all users`: add `SG-Caregivers-Pilot` to excludeGroups.
- CREATE `CSC - Block caregivers off Cascades network` (includeGroups: pilot, locations: not Cascades, grant: BLOCK).
- CREATE `CSC - Block caregivers on non-compliant device` (includeGroups: pilot, device filter `isCompliant -eq False`, grant: BLOCK).
- CREATE `CSC - Caregiver sign-in frequency 8h` (includeGroups: pilot, session control: 8h re-auth).
For caregivers we use **Block** directly on non-compliant + off-network — caregivers can't satisfy MFA (no personal device), so block is the cleaner UX. Future non-caregiver populations will likely use MFA grants since office staff have MFA capability.
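Added example (not part of this memory file or the client repo): the caregiver policy set above expressed as Graph `conditionalAccessPolicy` bodies, plus the PATCH body for the legacy MFA policy and a guard that enforces the "pilot group only, never `includeUsers: All`" rule. The group object ID and the Cascades named-location ID are placeholders; new policies are built in report-only state as an assumption about rollout order.

```python
import json

PILOT_GROUP_ID = "PLACEHOLDER-objectId-of-SG-Caregivers-Pilot"      # placeholder
CASCADES_LOCATION_ID = "PLACEHOLDER-namedLocationId-Cascades-office"  # placeholder

def _pilot_policy(display_name, **extra_conditions):
    # Scoped to the pilot group, report-only until sign-in logs are reviewed (assumed order).
    # excludeUsers stays empty until the break-glass account is designed.
    users = {"includeUsers": [], "includeGroups": [PILOT_GROUP_ID], "excludeUsers": []}
    return {"displayName": display_name, "state": "enabledForReportingButNotEnforced",
            "conditions": {"users": users, "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": ["all"], **extra_conditions}}

def block_off_network():
    p = _pilot_policy("CSC - Block caregivers off Cascades network",
                      locations={"includeLocations": ["All"],
                                 "excludeLocations": [CASCADES_LOCATION_ID]})
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p

def block_noncompliant_device():
    p = _pilot_policy("CSC - Block caregivers on non-compliant device",
                      devices={"deviceFilter": {"mode": "include",
                                                "rule": "device.isCompliant -eq False"}})
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p

def sign_in_frequency_8h():
    p = _pilot_policy("CSC - Caregiver sign-in frequency 8h")
    p["sessionControls"] = {"signInFrequency": {"isEnabled": True, "type": "hours",
                                                "value": 8, "frequencyInterval": "timeBased"}}
    return p

def legacy_mfa_patch(existing_users):
    # PATCH body for the legacy all-users MFA policy: send the whole conditions.users
    # block back with the pilot group added to excludeGroups so includeUsers: All survives.
    users = json.loads(json.dumps(existing_users))
    groups = users.setdefault("excludeGroups", [])
    if PILOT_GROUP_ID not in groups:
        groups.append(PILOT_GROUP_ID)
    return {"conditions": {"users": users}}

def scoping_violations(policy):
    # The rule from this page: pilot group only, never includeUsers: All. Empty = OK.
    users = policy.get("conditions", {}).get("users", {})
    return [msg for bad, msg in (
        ("All" in users.get("includeUsers", []), "includeUsers contains All"),
        (set(users.get("includeGroups", [])) != {PILOT_GROUP_ID},
         "includeGroups is not exactly SG-Caregivers-Pilot"),
    ) if bad]
```

Run `scoping_violations` over every body before it is POSTed; the legacy policy is the only one that may keep `includeUsers: All`, and it is only ever PATCHed.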
## Billing
Cascades is a **prepaid block** customer (Syncro `customer_id: 20149445`). Block had ~37.5h remaining as of 2026-05-20 (38.5h minus 1h for ticket #32304).
**Block rate:** NOT yet confirmed. $175/hr is the standard non-block remote rate, NOT necessarily the Cascades block rate. **Ask Mike before billing.** Invoices post at $0.00 with hours deducted by quantity. See [[feedback_syncro_billing]] §7 for emergency-on-prepaid mechanics.
## Pilot cleanup checklist
At pilot wrap (transition to production `SG-Caregivers`), the following MUST be cleaned up — surface this list when we get to "flip pilot CA policies to production":
- `pilot.test@cascadestucson.com` — delete (or disable + remove license; recovers a Business Premium seat).
- `howard.enos@cascadestucson.com` — if used during pilot validation, clean up (Howard's eventual synced identity won't exist as a cloud user until Entra Connect exits staging).
- `SG-Caregivers-Pilot` — remove from CA policy targets when superseded by synced `SG-Caregivers`; group itself can be deleted after.