claudetools/session-logs/2026-06-01-howard-client-status-and-qwm.md

Session Log — 2026-06-01 — Client work review, QWM M365, GDAP docs

User

• User: Howard Enos (howard)
• Machine: Howard-Home
• Role: tech

Session Summary

Reviewed outstanding client work across the books (excluding Cascades) by pulling the coord API todos + component states, then drilled into Quantum Wealth Management (QWM) M365. Performed a read-only Graph review of the live QWM tenant 2fd0092b using the ComputerGuru Security Investigator app. Found the wiki article was stale (still described the abandoned GoDaddy/johnvelez 8f7eaff4 tenant) and corrected it. Confirmed the 2026-06-03 license-lapse deadline objective is MET: both John and Sheila are Business Premium licensed and activated Office (signed into Microsoft Office + Authentication Broker from the Tucson office 5/27). The broader Intermedia->M365 migration remains in progress.

The significant QWM finding: john@quantumwms.com is under an active distributed password-spray — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + Amsterdam NL malicious-flagged IP + Praha CZ password guess), 0 successful malicious logins (account NOT breached). Risk is real because John is not MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (CA001 require-MFA, CA003 block-non-US) are still report-only. Saved a full report, updated the wiki + coord, closed the deadline todo, and filed urgent security + migration-remainder todos. Mike is taking over QWM.

Ran a status pass on the remaining client items, then live-verified three: Deere Park WiFi quote (Syncro #32279 — still New, quote never sent, overdue), Len's Auto Brokerage + Sombra Residential GuruRMM deployments (live API), and Birth Biologic Datto SmartBadge (live RMM dispatch — PASS). Recorded all findings as coord components. Filed a todo for a new finding: Sombra's Server2013 (Win Server 2012/R2, EOL) GuruRMM agent has been offline since 2026-05-14 (~18 days), unmonitored.

Investigated whether documented rules exist for onboarding a client to a Granular admin relationship (GDAP). Found ACG runs two delegated-admin models: (1) the ComputerGuru app-consent suite, well documented in the remediation-tool skill (gotchas.md, tenants.md, onboard-tenant.sh); (2) true Pax8/Partner-Center GDAP, which has NO requirements doc — only a group-membership script and scattered session-log mentions. The wiki has no onboarding article (wiki/patterns/ is empty). While reading the GDAP script, found a plaintext ClientSecret committed in the repo and flagged it as a security todo.

Key Decisions

• Treated the live tenant 2fd0092b as authoritative and rewrote the stale QWM wiki (was pointing at the abandoned johnvelez 8f7eaff4 tenant).
• Closed the 6/03 license-lapse todo (46bda3ec) because its named objective (license + Office activation before lapse) is verified met; created a migration-remainder todo (72060fc8) to preserve the personal-domain + GoDaddy-cancellation steps so nothing was lost. Left the stale johnvelez-tenant todo 37f2196c open but flagged for cleanup (it's Mike's).
• Filed the QWM password-spray finding as its own urgent todo (bf09d843) rather than un-parking the existing security-baseline todo, because the active attack + no-MFA + report-only-CA combination is new and time-sensitive.
• Recorded all live-check results as coord components (the live-status tracker the team reads) rather than only in chat. Used hyphenated client project keys (e.g. clients-lens-auto-brokerage) — the slash form 404s on the component PUT endpoint.
• Made NO tenant changes anywhere (QWM and others) — all read-only per the request.

Problems Encountered

• Coord component PUT returned Not Found with the slashed key clients/quantumwms/m365; resolved by using the hyphenated key clients-quantumwms/m365 (matches how existing client components are stored).
• Graph auditLogs/signIns $filter on userPrincipalName/status returned empty silently, and $top=999 returned an empty value; resolved by pulling unfiltered at $top=200 and filtering client-side with jq.
• Coord todo POST initially failed validation (missing created_by_user/created_by_machine); resolved by adding both required fields.
• Briefly suspected a sync collision because the rebase diffstat showed the QWM report + wiki under "incoming"; verified it was just the pre-rebase comparison direction — Mike's same-day commits were for Jupiter/GURU-KALI/EZ Fast Auto Glass, zero QWM overlap. Files intact after rebase.

Configuration Changes

Created:

• clients/quantumwms/reports/2026-06-01-m365-review.md — full read-only M365 review (committed earlier this session, commit 847d634).

Modified:

• wiki/clients/quantumwms.md — corrected tenant to 2fd0092b, rewrote users/CA section, added Current Status + security block, updated Open Items (committed 847d634).

Coord API (server-side, not repo):

• Component clients-quantumwms/m365 = active (created)
• Component clients-lens-auto-brokerage/gururmm-deployment = pending (verified 0 agents)
• Component clients-sombra-residential/gururmm = degraded (Server2013 offline)
• Component clients-birth-biologic/datto-smartbadge = active (created, PASS verified)
• Component clients-deere-park/wifi-quote = pending (created)
• Todo 46bda3ec -> done (QWM 6/03 lapse)
• Todos created: bf09d843 (QWM security/spray), 72060fc8 (QWM migration remainder), 7221c025 (Sombra Server2013 offline, ->howard), 10536f07 (exposed secret, ->mike)

Credentials & Secrets

• EXPOSED (flagged, not yet remediated): plaintext ClientSecret for app fabb3421-8b34-484b-bc17-e46de9703418 (deprecated ComputerGuru AI Remediation app) in ACG partner tenant ce61461e-81a0-4c84-bb4a-7b354a9a356d, committed at clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1 line 9 (and in git history). Tracked in todo 10536f07 — rotate + remove + confirm app retirement.
• QWM read performed with ComputerGuru Security Investigator app bfbc12a4-f0dd-4e12-b06d-997e7271e10c (cert auth, read-only). No new secrets created.
• QWM break-glass remains vaulted at clients/quantumwms/m365-breakglass.sops.yaml.

Infrastructure & Servers

• QWM M365 tenant (current): 2fd0092b-e9b7-474c-ad73-301f34dd6b64 ("Quantum Wealth Management", quantumwms.com primary, quantumwms.onmicrosoft.com initial). Users: john@/sheila@ (Business Premium, not MFA-registered), sysadmin@ (Mike, GA, MFA), breakglass@ (GA, CA-excluded). CA001/CA002/CA003 all report-only; Security Defaults ON. Abandoned tenants: 8f7eaff4 (johnvelez/NETORGFT2570783), ddf3d2c9 (dormant GoDaddy netorg18235235).
• GuruRMM: API http://172.16.3.30:3001. Len's Auto Brokerage client bc76984f, site "Main" code UPPER-STAR-2820 — 0 agents. Sombra Residential client 4143369f: Server2013 (agent 5383e9c1, build 9200, OFFLINE last_seen 2026-05-14) + DESKTOP-UQRN4K3 (Win11, online). Birth Biologic KSTEENBB2025 agent ee3c6aea (online, verify PASS).
• Syncro #32279 "Onsite - Install Office (and new quote for wifi)", customer Deere Park Development (id 7088463), internal id 110305905, status New. DPA Inc tenant 11de2fe0-4fa4-4b28-a430-40bc20c86fc2.

Commands & Outputs

• Graph token: bash get-token.sh 2fd0092b-... investigator (cert auth).
• Sign-in pull (filter quirk workaround): GET /v1.0/auditLogs/signIns?$top=200 then jq client-side. John: 102 events, 4 success (all Tucson 69.254.197.173, 5/27), 98 failures (94x err 50053 malicious-IP block, 4x err 50126 bad password). Foreign: Amsterdam NL 192.42.116.61 (50053), Praha CZ 130.193.15.79 (50126).
• Component PUT pattern: PUT /api/coord/components/clients-<slug>/<component> (hyphenated key).

Pending / Incomplete Tasks

• QWM (Mike owns now): security todo bf09d843 (reset John pw, MFA registration, enforce CA001+CA003); migration remainder 72060fc8; PST backups d3623023; close stale 37f2196c.
• Len's Auto Brokerage GuruRMM deployment — NEXT TASK this session. Site UPPER-STAR-2820 exists, 0 agents. Need site-specific MSI from dashboard, then execute GPO rollout to ~10 endpoints. Prep in clients/lens-auto-brokerage/docs/.
• Sombra Server2013 offline — todo 7221c025 (investigate power/service/connectivity; EOL box dark).
• Deere Park — build + send updated UniFi quote to Richard Glabman, attach to #32279.
• Exposed secret — todo 10536f07.
• Doc gap: no GDAP/onboarding rules doc; offered to draft wiki/patterns/m365-client-onboarding.md.

Reference Information

• QWM report: clients/quantumwms/reports/2026-06-01-m365-review.md. Prior commit 847d634.
• Onboarding docs: .claude/skills/remediation-tool/references/{gotchas.md,tenants.md}, scripts/onboard-tenant.sh. GDAP groups: clients/internal-infrastructure/scripts/add-rob-to-gdap-groups.ps1 (13 M365 GDAP groups + AdminAgents in tenant ce61461e).
• Coord API: http://172.16.3.30:8001/api/coord. Todos this session: 46bda3ec(done), bf09d843, 72060fc8, 7221c025, 10536f07.
• Syncro #32279: https://computerguru.syncromsp.com/tickets/110305905

---

Update: 10:26 PT — Len's Auto Brokerage GuruRMM deployment (complete) + Dataforth handoff

Summary

Executed and reconciled the Len's Auto Brokerage GuruRMM rollout. Resolved the enrollment key from agent source: the site code UPPER-STAR-2820 IS the enrollment credential (the site's api_key is null, irrelevant for the .exe install --api-key <site_code> / WS auto-register path). Installer confirmed live. Environment is a workgroup (no AD domain), so delivery was via ScreenConnect, not GPO. Howard enrolled all machines online in the last ~2 months.

Reconciled GuruRMM (8 online agents) against the Syncro asset list (15). All online-in-2mo machines enrolled. Key identity resolution: LAB-SVR (RMM) = LENS-SV (Syncro) = the new/current server, one HPE MicroServer Gen10+ v2 (SN 3M1D1T12PD, Server 2019, IP .81) that the old overview doc had called DESKTOP-BMBTQLI. The old LAB-SERVER (Server 2008, .241) is deliberately NOT enrolled — agent won't run on 2008; decommission handles it. Offline>2mo machines (DESKTOP-LJ825H1, LAB-005252, MATT, PARKER) are being removed from Syncro — no action. desertRV machines (DESERTRVSERVER, DRV-TK-DESKTOP) belong to a separate group that doesn't exist in GuruRMM yet.

Decisions

• ScreenConnect delivery (workgroup, no domain → GPO not viable).
• Site code = enrollment key (verified in agent source, not guessed).
• Do not enroll the EOL Server 2008 box; let decommission handle it.
• Re-scoped the desertRV todo to its own client key (was mis-filed under Len's).

Config / coord changes

• Created: clients/lens-auto-brokerage/docs/gururmm-deployment.md (runbook + reconciliation).
• Modified: clients/lens-auto-brokerage/docs/overview.md (server table — LAB-SVR/LENS-SV identity, LAB-SERVER EOL).
• Coord: component clients-lens-auto-brokerage/gururmm-deployment = deployed (reconciled); deployment lock 01eae532 claimed + released.
• Todos: 3aeb3f2b (desertRV stand-up, ->howard), a0b890ae closed (superseded/re-scoped), 37543f7f (Dataforth optical-tester, ->howard).

Infrastructure

• Len's: 192.168.1.0/24, WAN 174.77.67.237, ScreenConnect. GuruRMM client bc76984f, site "Main" d8f69cd8 / code UPPER-STAR-2820. 8 agents online.
• New server LAB-SVR/LENS-SV: HPE MicroServer Gen10+ v2, SN 3M1D1T12PD, Server 2019 (installed 4/15/2026), 192.168.1.81.
• Old EOL server LAB-SERVER: HP ProLiant ML310e Gen8 v2, SN MX253500HB, Server 2008, 192.168.1.241 (up 79d, not in RMM).

Pending / Next

• NEXT SESSION (after /clear): Dataforth optical-tester (todo 37543f7f, Mike's request) — VLAN the XP optical tester + give it backup to a server; XP can't do modern SMB, so it must reach the legacy NAS or an SMB1-capable server. Scope SMB1 narrowly (security).
• desertRV stand-up (todo 3aeb3f2b).
• Len's optional follow-up: site walkthrough + user self-installer (UPPER-STAR-2820) to catch stragglers; cosmetic LAB-SVR vs LENS-SV hostname mismatch.