CR-2026-03-25: /worklog Skill — Implementation

mkdir -p ~/.claude/skills/worklog
ls -la ~/.claude/skills/

---
name: worklog
description: Create daily worklog with standard partials. Generates WRKLOG file in domus-captures with correct structure.
disable-model-invocation: true
user-invocable: true
allowed-tools: Bash(date:*), Bash(mkdir:*), Bash(ls:*), Read, Write
argument-hint: [YYYY-MM-DD]
---

# /worklog - Daily Worklog Creation

Create a new daily worklog in domus-captures with all standard partials.

## What This Does

1. Parses date (defaults to today)
2. Creates directory structure if needed
3. Generates worklog with standard template
4. Includes all 8 standard partials
5. Opens file path for editing

## Usage

```
/worklog                    # Create today's worklog
/worklog 2026-03-26         # Create specific date
/worklog tomorrow           # Create tomorrow's worklog
```

## File Location

```
~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/pages/YYYY/MM/WRKLOG-YYYY-MM-DD.adoc
```

## Standard Template

The skill creates this structure:

```asciidoc
= WRKLOG-YYYY-MM-DD
:description: DayOfWeek - [summary]
:revdate: YYYY-MM-DD

== Summary

**DayOfWeek.** [Focus for today]

// Worklog Section: URGENT - All Domains — Assembler
// Usage: include::partial$worklog/urgent.adoc[]
// Contains: All urgent items across domains via sub-partials
//
// PARADIGM: Each domain = its own file in urgent/
// FILES: professional.adoc, personal.adoc, life-admin.adoc, certifications.adoc
//
// MAINTENANCE: Add/remove urgent domains by editing includes below

== URGENT - All Domains

// Worklog Urgent: Professional Backlog
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Work carryover backlog with aging

=== Professional Backlog

// Carryover Backlog — CRITICAL SUBSET of the master project tracker
// Usage: include::partial$trackers/work/adhoc/carryover.adoc[]
// Master: partial$trackers/work/project-master.adoc (32 projects, full inventory)
// This file: P0 items only — daily view for worklogs
// Full review: Every Monday — see work-project-inventory page
// Last updated: 2026-06-05

=== Carryover Backlog (CRITICAL)

// =========================================================================
// UPDATE: Days column each worklog via `make update-days`
// PRIORITY: P0 = blocking others or critical | P1 = important | P2 = scheduled
// =========================================================================

[cols="2,3,1,1,1"]
|===
| Task | Details | Origin | Days | Status

| **MSCHAPv2 Migration Report**
| Report due. 6-sheet Standard Report (exec summary, trend, waves, device detail, stale, policy match). Sheet 6 added 05-14: policy match by protocol for removal planning + anonymous identity validation. Migration window 2026-05-04 to 2026-05-30. ~6,227 devices, 5 waves.
| 2026-04-17
| 49
| **P0 - DUE — run report this week**

| **Abnormal Security — ✅ COMPLETE**
| CR-2026-05-07-abnormal-read-write. CAB approved 2026-05-12. Implemented successfully 2026-05-13. Read/write enabled for pilot group. Post-deployment validation pending.
| 2026-05-07
| 29
| **✅ IMPLEMENTED — post-validation pending**

| **SIEM QRadar → Sentinel Migration**
| Lead role. Monad console error RESOLVED 2026-05-12 — secrets configured in CHLA production tenant. **ISE secure syslog integration in progress** — cert imported, remote logging target configured, streaming errors under investigation. **Blocking:** DCR not created (Rule ID + Stream Name). Azure private network policy unresolved. Victor + Mauricio action.
| 2026-04-10
| 56
| **P0 - ACTIVE — ISE syslog + DCR blocking**

| **Monad Pipeline Evaluation**
| Sentinel output connector. Console error resolved. 3 of 6 values configured. Remaining: Endpoint URL (have it), Rule ID + Stream Name (need DCR). ISE Remote Logging Target configured 2026-05-18 — TLS cert imported, secure syslog target created. Streaming errors in Monad console under investigation.
| 2026-03-11
| 86
| **P0 - ACTIVE — ISE integration in progress**

| **Guest Redirect ACL**
| Guest redirect ACL work needed. Related to Mandiant remediation findings.
| 2026-05-12
| 24
| **P0 - TODO**

| **ISE Patch 10** (CVE-2026-20147 CVSS 9.9)
| ISE 3.2 Patch 10. Supersedes Patch 9. **61 days on a CVSS 9.9 — schedule maintenance window. Write CR if needed.**
| 2026-03-12
| 85
| **P0 - OVERDUE — schedule immediately**

| **k3s NAT verification**
| NAT rule 170 for 10.42.0.0/16 pod network - test internet connectivity. **64 days — test this week or defer to Q3.**
| 2026-03-09
| 88
| **P0 - BLOCKING — TRIAGE: schedule or defer**

| **Wazuh indexer recovery**
| Restart pod after NAT confirmed working - SIEM visibility blocked. **Blocked by k3s NAT — cannot proceed until above resolved.**
| 2026-03-09
| 88
| **P0 - Blocked by k3s**

| Strongline Gateway VLAN fix
| 8 devices in wrong identity group (David Rukiza assigned)
| 2026-03-16
| 81
| P0 - TODO

| **TCP Clocks deployment**
| ISE identity group validation, query outputs, comms with team. Active d001 data Apr 22-23.
| 2026-04-22
| 44
| P0 - ACTIVE

| **IoT Dr. Kim — recurring**
| Sleep study devices (Apr 15-16), watches recurrence (Apr 22). 5 incident versions in d001. Validate iPSK enrollment.
| 2026-04-15
| 51
| P0 - RECURRING

| **Murus Portae (WAF) — Phase 0**
| FMC cert expired, ACP returns zero rules. d001: zone map, architecture D2, FMC API reference, ops script.
| 2026-04-16
| 50
| P0 - INVESTIGATING

| Vocera EAP-TLS Supplicant Fix
| ~10 phones failing 802.1X, missing supplicant config. **61 days — schedule with clinical engineering team.**
| 2026-03-12
| 85
| P1 - TODO — schedule

| ISE MnT Messaging Service
| Enable "Use ISE Messaging Service for UDP syslogs delivery". **61 days — low risk, schedule with ISE Patch 10 maintenance window.**
| 2026-03-12
| 85
| P2 - BUNDLE with Patch 10

|===

WARNING: Professional backlog remains critical. Check Days column for priorities.

// Worklog Urgent: Personal Blockers
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Personal blocking items

=== Personal Blockers

// Blockers — Fix before anything else
// Usage: include::partial$trackers/personal/tasks/blockers.adoc[]
// Last updated: 2026-05-07

=== BLOCKERS — Fix Immediately

[cols="2,3,1,1,2"]
|===
| Task | Details | Origin | Days | Impact

| **Z Fold 7 Termux**
| gopass and SSH not working
| 2026-03-10
| 58
| **BLOCKER** — Cannot access passwords on mobile

| **gopass v3 organization**
| Inconsistent structure, poor key-value usage
| 2026-03-20
| 48
| Inefficient password management, no aggregation

| **Git history scrub — sensitive personal terms**
| Plaintext references to personal legal matters in committed worklogs (WRKLOG-2026-03-14, WRKLOG-2026-04-18). Forward-fixed but old commits still contain strings. Requires `git filter-repo` + force-push. See runbook below.
| 2026-04-22
| 15
| **SECURITY** — sensitive terms in public git history

|===

==== Runbook: Git History Scrub (d000 Personal Terms)

**Problem:** Two committed worklogs contained plaintext references to personal legal matters. The files have been edited (forward-fix), but git history retains the original text in prior commits.

**Affected commits:** Any commit touching these files:

[source,bash]
----
# Identify affected commits
git log --oneline -- \
  docs/modules/ROOT/pages/2026/03/WRKLOG-2026-03-14.adoc \
  docs/modules/ROOT/pages/2026/04/WRKLOG-2026-04-18.adoc
----

**Scrub procedure:**

[source,bash]
......
# 1. BEFORE: Full backup of the repo
cp -a ~/atelier/_bibliotheca/domus-captures ~/atelier/_bibliotheca/domus-captures.bak

# 2. Install git-filter-repo (if not present)
# Arch: pacman -S git-filter-repo
# pip: pip install git-filter-repo

# 3. Create expressions file for replacement
cat > /tmp/scrub-expressions.txt << 'EXPR'
regex:(?i)divorce==[REDACTED]
regex:(?i)dissolutio(?!n\.adoc\.age)==[REDACTED-LEGAL]
regex:(?i)iliana==[REDACTED-NAME]
regex:(?i)angulo-arreola==[REDACTED-NAME]
regex:legal-divorce-notes\.age==legal-notes.age
regex:1099-NEC-iliana==1099-NEC
EXPR

# 4. Verify before (dry run — count matches in history)
git log -p --all -S 'divorce' -- '*.adoc' | grep -c 'divorce' || echo "0 matches"
git log -p --all -S 'iliana' -- '*.adoc' | grep -c 'iliana' || echo "0 matches"

# 5. Run filter-repo (DESTRUCTIVE — rewrites all commit hashes)
git filter-repo --replace-text /tmp/scrub-expressions.txt --force

# 6. Verify after
git log -p --all -S 'divorce' -- '*.adoc' | grep -c 'divorce' || echo "0 matches — CLEAN"
git log -p --all -S 'iliana' -- '*.adoc' | grep -c 'iliana' || echo "0 matches — CLEAN"

# 7. Re-add remotes (filter-repo removes them)
git remote add origin git@github.com:<user>/domus-captures.git
# Add any other remotes (Gitea, etc.)

# 8. Force-push to all remotes (DESTRUCTIVE — overwrites remote history)
git remote | xargs -I{} git push {} main --force

# 9. Clean up
rm /tmp/scrub-expressions.txt
rm -rf ~/atelier/_bibliotheca/domus-captures.bak  # only after verifying
......

**Post-scrub checklist:**

* [ ] Backup created before running
* [ ] `git filter-repo` installed
* [ ] Expressions file reviewed — no false positives (e.g., Don Quijote "Angulo el Malo" is in `segunda-parte/texto/texto-011.adoc` — the regex targets `angulo-arreola` specifically to avoid this)
* [ ] Dry-run counts match expectations
* [ ] Filter-repo executed
* [ ] Post-scrub verification shows 0 matches
* [ ] Remotes re-added
* [ ] Force-pushed to all remotes
* [ ] Cloudflare Pages rebuild verified
* [ ] Local clones on other machines re-cloned or `git fetch --all && git reset --hard origin/main`
* [ ] Backup removed

// Worklog Urgent: Life Admin
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Urgent life admin items (medical, financial, legal, housing)

=== Life Admin

// Urgent - Requires Immediate Action
// Usage: include::partial$trackers/personal/life-admin/urgent.adoc[]
// Last updated: 2026-05-07

=== URGENT - Requires Immediate Action

[cols="2,2,1,1,2"]
|===
| Item | Details | Deadline | Status | Impact

| **Housing Search**
| Granada Hills area - apartments/rooms
| TBD
| In Progress
| Quality of life, commute

| **2025 Tax — IRS Transcript Review**
| MFJ filed 2026-04-22. Pull IRS Return Transcript to verify contents. Consult attorney re: Form 8857 (Innocent Spouse Relief). Details in encrypted case file.
| Before attorney meeting
| In Progress
| Financial — liability exposure. See `data/d000/personal/dissolutio/`

| **Rack Relocation**
| Physical move of server rack. CR written: CR-2026-04-18 (pending in infra-ops). Borg backup completed. VM XML dumps, switch save, shutdown/startup procedure documented.
| TBD
| Pending
| Infrastructure downtime — all services offline during move

| **D000 Legal Planning**
| Encrypted case file: `data/d000/personal/dissolutio/`. Open: `dissolutio-open`. Close: `dissolutio-close`. 19 partials + assembler. PDF build for attorney handoff. Critical deadline: Jan 2029.
| **Before Jan 2029**
| Active — escalating
| Life transition — see case file for details

| **Credit Report Review**
| Pull reports from all 3 bureaus via annualcreditreport.com. Verify no unknown joint accounts or debts. Credentials in gopass: `v3/personal/finance/credit/annual_credit_report`
| TBD
| In Progress
| Financial discovery — FL-142 preparation

| **Gopass Security Audit**
| Rotate passwords on shared/known accounts. Add 2FA backup codes to `v3/personal/recovery/`. Create missing government entries (IRS, SSA, VA, DMV). Add `last_login` field to active entries.
| TBD
| Pending
| Digital security — pre-filing preparation

| **Subscription Audit**
| Download 3 months bank/CC statements (Chase, NFCU, USAA). Identify all recurring charges. Cancel unnecessary. Document active subscriptions for FL-150.
| TBD
| Pending
| Financial — expense documentation

| **401(k) Enrollment**
| Enroll in CHLA 401(k) immediately. Post-separation contributions are 100% separate property. Reduces gross income for support calculations. Max 2026: $23,500/yr.
| **In progress (started 5/4)**
| In Progress
| Financial — support calculation + retirement

|===

// Worklog Urgent: Certification Deadlines
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Cert deadline urgency flags

=== Certification Deadlines

=== URGENT — Performance Review Certifications

[cols="2,2,1,1,2"]
|===
| Certification | Provider | Deadline | Status | Impact

| **CISSP**
| ISC² — Certified Information Systems Security Professional
| **July 12, 2026**
| **ACTIVE** — Week 2 of 10 (xref:projects/education/edu-cissp/index.adoc[Project])
| Required for performance review. 10-week accelerated plan.

| **RHCSA 9**
| Red Hat Certified System Administrator
| **Q3 2026**
| **ACTIVE** — 21-phase curriculum (xref:projects/education/edu-rhcsa/index.adoc[Project])
| After CISSP. Required for performance review.

|===

WARNING: **CISSP: 41 days remaining** (exam July 12). Domain 1 study in progress. **Schedule exam today (06-01).**

---
// Worklog Section: Early Morning — Assembler
// Usage: include::partial$worklog/morning.adoc[]
// Contains: Morning focus via slot partial
//
// PARADIGM: Slot-based — swap morning/focus.adoc for new priorities
// FILES: focus.adoc (current morning priority)

== Early Morning - 5:30am

// Worklog Morning: Current Focus
// Usage: Included by worklog/morning.adoc assembler
// Contains: Current morning priority (swap this file when focus changes)
//
// CURRENT FOCUS: Regex Training
// SWAP TO: Any morning priority without touching worklog structure

=== Regex Training (CRITICAL CARRYOVER)

* [ ] Session 3 - Character classes, word boundaries
* [ ] Practice drills from regex-mastery curriculum
* **Status:** 52 days carried over (since 2026-03-16) — CRITICAL

WARNING: Regex training continues to slip. This is the foundation for all CLI mastery.

---
// Worklog Section: Work (CHLA) — Assembler
// Usage: include::partial$worklog/work-chla.adoc[]
// Contains: All work domains via sub-partials
//
// PARADIGM: Each concern = its own file in work/
// FILES: timekeeping.adoc, projects.adoc, priorities.adoc, tickets.adoc
//
// MAINTENANCE: Comment out sections for weekend/non-work worklogs
// Weekend: comment out timekeeping + tickets, keep projects + priorities

== Work (CHLA)

// Worklog Work: Timekeeping
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: PeopleSoft time entry reminder

CAUTION: **CHARGE TIME IN PEOPLESOFT - CRITICAL.** Do this NOW before anything else.

xref:projects/chla/PRJ-peoplesoft-time-entry.adoc[PeopleSoft Time Entry Reference]

// Worklog Work: Projects
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: P0/P1/P2 project priorities + case study links

// Critical Projects (P0) — Blocking or critical priority
// Usage: include::partial$trackers/work/projects/p0.adoc[]
// Last updated: 2026-05-12

=== Critical (P0)

[cols="2,3,1,1,1,2"]
|===
| Project | Description | Owner | Status | Due | Blocker

| Linux Research (Xianming Ding)
| EAP-TLS for Linux workstations, dACL, UFW
| Evan
| BEHIND (72 days overdue)
| 02-24
| Certificate "password required" - nmcli fix documented

| iPSK Manager
| Pre-shared key automation
| Ben Castillo
| BEHIND
| --
| DB replication issues

| MSCHAPv2 Migration
| Legacy auth deprecation — 6,227 devices, 5 waves. 6 batch SQL queries + 3-API endpoint profile script added (05-11). Report due.
| Evan
| 25% — Report due, batch queries ready
| 05-30
| Report to turn in

| Research Segmentation
| All endpoints to Untrusted VLAN
| Evan
| BLOCKED
| --
| CISO decision pending

| Disaster Recovery
| ISE DR scoping — dot1x closed mode = total blackout
| Evan
| Scoping
| --
| --

| Mandiant Remediation
| Copy 4/16 findings, Guest ACL lab, Q2 assessment
| Evan
| Active
| --
| --

| SIEM QRadar → Sentinel
| Full SIEM platform transition. Monad console error resolved 05-12. Secrets configured. Blocked on DCR creation (Rule ID + Stream Name). Azure private network policy unresolved.
| Evan
| Active — blocked on DCR
| Q2 2026
| Victor/Mauricio: create DCR, resolve Azure network policy

| Abnormal Security
| AI email platform — ESA cutover. CR assigned, CAB May 12 15:00. Implementation May 14 10:00.
| Evan
| Active — CAB today 15:00
| 05-14
| Pre-CAB checklist: confirm Tyler, Jason, Sarah
|===

// High Priority Projects (P1) — Important but not blocking
// Usage: include::partial$trackers/work/projects/p1.adoc[]
// Last updated: 2026-04-22

=== High Priority (P1)

[cols="2,3,1,1,1"]
|===
| Project | Description | Owner | Status | Target

| ISE 3.4 Migration
| Upgrade from 3.2p9
| Evan
| Blocked — maintenance window needed
| Q2 2026

| Switch Upgrades
| IOS-XE fleet update (C9300, 3560CX)
| Evan
| Pending
| Q2 2026

| Spikewell BYOD VPN
| dACL SQL, AD group integration
| Evan
| Active
| --

| Strongline Gateway
| MAC capture, Identity Group setup — 37 days aging
| Evan
| Active — David Rukiza assigned
| --

| Abnormal Security
| AI email security platform research, ESA cutover timeline
| Evan
| Newly assigned
| --

| DMZ Migration
| External services audit behind NetScaler
| Evan
| Audit phase
| --

| Firewall Audit (murus-portae)
| EtherChannel query, prefilter, policy assignments
| Evan
| Scoping — ASA API creds needed
| --

| iPSK Manager HA
| Server 2 config, TLS, SQL security audit
| Evan
| In progress
| --

| Sentinel KQL
| Build proficiency, distinguish from team
| Evan
| Onboarding
| --

| VNC Blocking
| Block and eliminate VNC protocol enterprise-wide
| Evan
| Active — Phase 0 (Discovery)
| Mid-June 2026
|===

// Strategic Projects (P2) — Long-term or not yet started
// Usage: include::partial$trackers/work/projects/p2.adoc[]
// Last updated: 2026-04-22

=== Strategic (P2)

[cols="2,3,1,1"]
|===
| Project | Description | Owner | Status

| HHS Regulatory Compliance
| New HHS security policies implementation
| TBD
| NOT STARTED

| InfoSec Reporting Dashboard
| PowerBI metrics for executives
| TBD
| NOT STARTED

| EDR Migration (AMP → Defender)
| Endpoint protection consolidation
| TBD
| NOT STARTED

| Azure Legacy Migration
| Modern landing zone
| Team
| In Progress

| ChromeOS EAP-TLS
| SCEP + Victor, Paul testing
| Victor
| In Progress
|===

// Case Study Links — TAC, incidents, changes, RCAs
// Usage: include::partial$trackers/work/links/case-studies.adoc[]
// Last updated: 2026-04-04

==== Case Studies (March 2026)

**TAC Cases:**

* xref:case-studies/tac/chla-8021x-auth-failures/index.adoc[TAC-2026-03 - 802.1X Auth Failures]

**Incidents:**

* xref:case-studies/incidents/strongline-gateway-vlan/index.adoc[INC - Strongline Gateway VLAN]
* xref:case-studies/incidents/ise-incident-defense/index.adoc[PREP - ISE Incident Defense]

**Changes:**

* xref:case-studies/changes/vault-backup-selinux/index.adoc[CR - Vault Backup SELinux]

**RCAs:**

* xref:case-studies/rca/8021x-eaptls-ca-chain/index.adoc[RCA - 802.1X EAP-TLS CA Chain]
* xref:case-studies/rca/wifi-dhcp-failure/index.adoc[RCA - WiFi DHCP Failure]

// Worklog Work: Daily Priorities
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: Today's actionable priority checkboxes

=== Today's Priorities

// Current Priorities — Persistent P0/P1 tracker
// Usage: include::partial$trackers/work/priorities/current.adoc[]
// Last updated: 2026-05-12
//
// RULES:
// - No dated sections (morning/meeting checklists go in the WORKLOG, not here)
// - Items stay until YOU confirm completion, then move to === Completed with date
// - Day counts use {origin-*} attributes from antora.yml — update-days recalculates
// - New work items from d001/ get added here during daily triage
// - Review weekly: anything resolved? anything to add?

=== P0 — Critical / Blocking

==== Security & Compliance

* [ ] **ISE 3.2 Patch 10 upgrade** — CVE-2026-20147 CVSS 9.9 / CVE-2026-20148. Propose maintenance window once patch confirmed on software.cisco.com.
* [ ] **ISE Advisory sa-ise-rce-traversal-8bYndVrZ** — check Patch 10 availability
* [ ] **Mandiant Remediation** — findings status tracked. Working session prep + defensive posture documented (comms-2026-04-24). Copy 4/16 updates into Excel at work. Guest ACL lockdown (WIR-M-01) pending lab validation. appendix-todos updated with MSCHAPv2 milestones.
* [ ] **Guest ACL update** — guest redirect ACL work needed. Lab validate GUEST_CWA_REDIRECT_MAX_SECURITY in d000, then joint CR with NE. On today's task list.
* [ ] **Disaster Recovery & Downtime Procedures** — ISE top priority (dot1x closed mode = SPOF for network access)
** ISE DR: Document failover sequence — PAN, MnT, PSN priority order
** ISE DR: RADIUS dead-server detection on WLCs/switches — critical-auth VLAN fallback
** ISE DR: Backup/restore procedures — scheduled config backups, tested restores
** FTD/FMC DR: FMC loss = no policy management
** Network DR: Core/distribution switch failure, STP reconvergence, HSRP failover
** Document RTO/RPO per system

==== SIEM Migration (QRadar → Sentinel)

* [ ] **SIEM QRadar → Sentinel Migration** — LEAD ROLE. 4 collection iterations (Apr 16, 17, 17-streamlined, 20-streamlined). Python chart pipeline built (`qradar-charts.py`). Migration XLSX generated. Verification pending. Comms sent Apr 23.
** d001 artifacts: 8 JSON exports, 2 CSV inventories, migration XLSX, top5 source SVG/PNG, verification doc
** Dependency: Monad pipeline for log source transition
** Dependency: Sentinel KQL proficiency for query migration
* [ ] **Monad Pipeline Evaluation** (origin: {origin-monad}) — lead role. Console error RESOLVED 05-12 — secrets configured in CHLA production tenant. Blocked on DCR creation (Rule ID + Stream Name). Azure private network policy unresolved. 10am call today 05-12.
* [ ] **Sentinel KQL** — build proficiency, distinguish from team. Azure portal access acquired.
* [ ] **QRadar log source report** — run AQL queries, fetch JSON, generate Python Excel

==== Active Deployments & Migrations

* [ ] **MSCHAPv2 Migration** — Report due. 6-sheet Standard Report ready (Sheet 6: policy match by protocol added 05-14 for removal planning + anonymous identity validation on cert profiles). Migration window **5/4 – 5/30**. 6,227 MSCHAPv2 devices, 14,249 EAP-TLS/TEAP (70% migrated). **Focus: run Standard Report, turn in spreadsheet.**
* [x] **MSCHAPv2 weekly cadence** — recurring Wednesday call established (first 04-22). Completed 2026-04-22.
* [x] **MSCHAPv2 ownership matrix** — sent in scoping email 4/24 with manager callouts (@Albert, @John). Completed 2026-04-24.
* [ ] **TCP Clocks deployment** — new device added via ERS POST and confirmed (04-24). 7+ clocks validated. v2 query file with partials architecture. Revalidate full set — confirm no flapping.
* [ ] **SRT Research VLAN — confirm roles with Tony Sun**: Tony implementor, Evan tester. CAB approved 04-21.
* [ ] **Downtime Computers enforcement** — draft ISE AuthZ rule: medigate_724 + Wireless = DenyAccess. Separate CR. d001: DC queries, audit CSVs (v1-v3), wireless violations report delivered 04-21.
* [ ] **Enterprise Linux 802.1X** — standardize Shahab/Ding deployment (CISO priority). Overdue since 02-24. Blocked by nmcli cert fix.
* [ ] **Abnormal Security** — CR-2026-05-07-abnormal-read-write. CAB 05-12 approved, implementation 05-14. Jason Landeros implements, Evan presents. **06-01 update:** Review Jihad's policy mapping XLSX + Tyler's Policy and Rules Migration doc before next call. Plan email migration expansion beyond security group to full environment — priority to move off ESA. Exchange rule considerations: external sender disclaimer (sender not company, outside org, not internal IP → prepend disclaimer).
** Team: Cox/William, Landeros/Jason, Rosado/Evan, Naranjo/Mauricio, Sandoval/Carlos

==== Tube System Upgrade (NEW — 06-01)

* [ ] **Tube System Upgrade** — iTrack 3528165. 15x 10" TS stations need MAC addresses added to ISE identity group IoT_Onboard. MACs received from vendor (C8:1A:FE:20:xx:xx series). Station list spans ICU (CTICU, PICU, BMT, NICU, NICCU), ED, Surgery, Trauma, Pharmacy. Vendor contact: John Genest. Rationale: manufacturer no longer supports current system; failure risks delayed/missed patient care.

==== BMS Device Inventory (NEW — 04-24)

* [ ] **BMS Device Inventory** — 72 devices discovered across 37 switches (04-24). Profile-driven architecture (Claroty/Medigate). 16 queries built. Phase 0 complete. Next: cross-reference with Visio diagrams, classify by function, begin D2 diagrams. Cleanup: delete 4 orphaned test groups, migrate 4 retire-dACL devices, investigate 3 null-profile devices.

==== VNC Blocking (NEW — 05-11)

* [ ] **VNC Blocking** — block and eliminate VNC enterprise-wide. Due mid-June 2026. Phase 0: discovery. January AQL query baseline to incorporate. Cross-reference BMS inventory for VNC-capable devices.

==== Investigations & Audits

* [ ] **Murus Portae (WAF)** — Phase 0 discovery in progress. FMC cert expired. d001: DMZ NetScaler WAF investigation, zone map, architecture D2 diagrams (v1+v2 SVGs), FMC REST API reference guide, ops script. FMC API returning zero ACP rules — under investigation.
* [ ] **Firewall audit** — FMC discovery inventory done (d001: fmc-discovery-2026-04-16). EtherChannel query, prefilter, policy assignments pending.
* [ ] **IoT Dr. Kim devices** — RECURRING. All 4 MACs validated in IoT_iPSK_VLAN1620_Misc (04-24). v2 validation queries built with 7 deep analysis queries (group flapping, credential leakage, profile drift, NAS tracking, remediation timeline, deny audit, OUI scan). Revalidate — confirm no flapping since 04-24.
* [x] **IoT device validation queries** — v2 created with partials architecture, 16 queries across ERS/MnT/DataConnect/FMC. Completed 2026-04-24.

==== Stale Blockers (carried via carryover tracker)

* [ ] **k3s NAT verification** — rule 170, 10.42.0.0/16 pod network (origin: {origin-k3s-nat}). **59 days.** Blocks Wazuh indexer recovery → blocks SIEM visibility. Weekend task?
* [ ] **Strongline Gateway VLAN fix** — 8 devices wrong identity group (origin: {origin-strongline}). **52 days.** David Rukiza assigned — follow up on status.

==== Administrative

* [ ] **PeopleSoft** — track time for current week
* [ ] **iTrack tickets** — close open tickets
* [ ] **KQL library** — build initial queries in codex + d001
* [ ] **Linux Research project** — finalize and review
* [ ] **Tax filing 2025 (MFJ)** — see encrypted case file in `data/d000/personal/` for details and action items

=== P1 — Important

* [ ] **MSCHAPv2 action-item tracker** — owner/status/next-steps per workstream
* [ ] **ISE admin MFA enforcement** — recommendation tied to advisory (interim control pending Patch 10)
* [ ] **DMZ Migration** — external services audit behind NetScaler. Linked to Murus Portae investigation.
* [ ] **Vocera/Wyse iTrack RCA** — complete root cause report
* [ ] **GCC ISE Support** — 3/4 nodes restored, PSN-04 deferred
* [ ] **Wazuh indexer recovery** — blocked by k3s NAT (origin: {origin-k3s-nat})
* [ ] **Vocera EAP-TLS Supplicant Fix** (origin: {origin-vocera})
* [ ] **iPSK Manager HA** — blocked by DB replication (Ben Castillo)
* [ ] **ISE 3.4 Migration** — depends on Patch 10 completion first
* [ ] **Git history scrub** — murus-portae-output.md + ise-analytics CSVs
* [ ] **Encrypt `prep-cmds-2026-04-15.adoc`** — plaintext committed to git
* [ ] **ISE MnT Messaging Service** — enable UDP syslog delivery (maintenance window needed)

=== Infrastructure (Personal)

* [ ] Borg backups — test and validate on ALL systems (Razer, P16g, vault-01, bind-01, kvm-01, kvm-02)
* [ ] Borg — verify backup script paths updated from dotfiles-optimus to dots-quantum
* [ ] Borg — create initial archive for ThinkPad P16g if none exists
* [ ] Libvirt VLAN hook debug on both KVMs
* [ ] Te1/0/2 cable replacement and re-test
* [ ] Vault Raft cluster — verify vault-01 rejoined
* [ ] Fix EAP-TLS keyring/secrets issue on Razer workstation

=== Completed (confirmed — do not delete, archive only)

// Move items here with completion date when YOU verify they're done.
// Format: * [x] **Item** — completed YYYY-MM-DD

* [x] **CR-2026-04-15 SRT Research VLAN** — submitted to iTrack. Completed 2026-04-15.
* [x] **CAB presentation 4/21** — SRT Research VLAN 233 → CHLA-Research. APPROVED. Completed 2026-04-21.
* [x] **Downtime Computers wireless audit** — 45 computers, 16 violating, v3 report delivered. Completed 2026-04-21.
* [x] **Git identity fix** — dots-quantum/git/.gitconfig email corrected. Completed 2026-04-21.
* [x] **MSCHAPv2 10:30 meeting** — next steps + ACL coordination. Completed 2026-04-17.

// Worklog Work: ITSM Tickets
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: Active service requests, incidents, and change requests

=== Active Tickets

// Service Requests — SR ticket tracking
// Usage: include::partial$trackers/work/itsm-tickets/service-requests.adoc[]
// Last updated: 2026-04-30

=== Service Requests (SR)

[cols="1,2,2,1,1"]
|===
| SR# | Request | Requestor | Opened | Status

| 3508542
| Zoll cards connection issue
| —
| —
| STALE — verify in iTrack

| 3508524
| Disable dot1x on (2) network ports - 5th floor 3250 Wilshire (PXE-boot imaging issues)
| —
| —
| STALE — verify in iTrack (issues persisted after disable)

| 3528165
| Tube System Upgrade — 15 stations, MAC addresses for ISE IoT_Onboard identity group
| Genest, John (vendor contact)
| 2026-06-01
| NEW — MACs received, need ISE onboarding

|===

// Incidents — INC ticket tracking
// Usage: include::partial$trackers/work/itsm-tickets/incidents.adoc[]
// Last updated: 2026-04-30

=== Incidents (INC)

[cols="1,1,2,1,1,1"]
|===
| INC# | Priority | Description | Opened | SLA | Status

| 1911859
| —
| Strongline Gateways in Miscellaneous Subnet
| —
| —
| STALE — verify in iTrack (related to carryover P0)

|===

// Emergency Changes — ECAB change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-emergency.adoc[]
// Last updated: 2026-04-30

=== Change Requests - Emergency (ECAB)

[cols="1,2,1,1,1"]
|===
| CR# | Description | Opened | Scheduled | Status

| _No emergency changes_
|
|
|
|

|===

// Normal Changes — Standard change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-normal.adoc[]
// Last updated: 2026-04-30

=== Change Requests - Normal

[cols="1,2,1,1,1"]
|===
| CR# | Description | Opened | Scheduled | Status

| _No normal changes_
|
|
|
|

|===

// Scheduled Changes — Scheduled/standard change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-scheduled.adoc[]
// Last updated: 2026-04-30

=== Change Requests - Scheduled/Standard

[cols="1,2,1,1,1"]
|===
| CR# | Description | Opened | Window | Status

| _No scheduled changes_
|
|
|
|

|===

// RCA Changes — Root cause / post-incident change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-rca.adoc[]
// Last updated: 2026-04-30

=== Change Requests - Root Cause / Post-Incident

[cols="1,2,1,1,1"]
|===
| CR# | Description | Related INC | Opened | Status

| 100451
| Vocera Phones and Wyse devices went off network
| —
| —
| STALE — verify in iTrack

|===

---

== Session Accomplishments (Claude Code)

[Today's accomplishments]

---

// Worklog Section: Personal
// Usage: include::partial$worklog/personal.adoc[]
// Contains: Personal projects, adhoc items, reference links

== Personal

// In Progress Projects
// Usage: include::partial$trackers/personal/projects/active.adoc[]
// Last updated: 2026-04-04

=== In Progress

[cols="2,3,1,2"]
|===
| Project | Description | Status | Notes

| k3s Platform
| Production k3s cluster on kvm-01
| Active
| Prometheus, Grafana, Wazuh deployed

| Wazuh Archives
| Enable archives indexing in Filebeat
| Active
| PVC fix pending

| kvm-02 Hardware
| Supermicro B deployment
| Active
| Hardware ready, RAM upgrade done
|===

// Planned Projects
// Usage: include::partial$trackers/personal/projects/planned.adoc[]
// Last updated: 2026-04-30

=== Planned

[cols="2,3,1,2"]
|===
| Project | Description | Target | Blocked By

| Vault HA (3-node)
| vault-02, vault-03 on kvm-02
| Q2 2026 (slipped from Q1)
| kvm-02 deployment

| k3s HA (3-node)
| Control plane HA
| Q2 2026 (slipped from Q1)
| kvm-02 deployment

| ArgoCD GitOps
| k3s GitOps deployment
| After k3s stable
| --

| MinIO S3
| Object storage for k3s
| After ArgoCD
| --

| xref:projects/personal/domus-inventory/index.adoc[Domus Inventory]
| Personal asset management (YAML + CLI + AsciiDoc)
| Q2 2026
| Schema approved
|===

// Active — Infrastructure
// Usage: include::partial$trackers/personal/tasks/active-infrastructure.adoc[]
// Last updated: 2026-04-04

=== Active — Infrastructure

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **Wazuh agent deployment**
| Deploy agents to all infrastructure hosts
| P2
| Pending
| After archives fix

| **k3s Platform**
| Production k3s cluster on kvm-01
| P1
| In Progress
| --

| **Wazuh Archives**
| Enable archives indexing in Filebeat, PVC fix
| P1
| In Progress
| --

| **kvm-02 Hardware**
| Supermicro B deployment, RAM upgrade done
| P1
| In Progress
| --

|===

'''

// Active — Security & Encryption
// Usage: include::partial$trackers/personal/tasks/active-security.adoc[]
// Last updated: 2026-04-04

=== Active — Security & Encryption

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **Configure 4th YubiKey**
| SSH FIDO2 keys
| P1
| TODO
| --

| **Cold storage M-DISC backup**
| age-encrypted archives
| P1
| TODO
| After YubiKey setup

|===

'''

// Active — Development & Tools
// Usage: include::partial$trackers/personal/tasks/active-development.adoc[]
// Last updated: 2026-04-04

=== Active — Development & Tools

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **netapi Commercialization**
| Go CLI rewrite with Cobra-style argument discovery, package for distribution
| P0
| Active
| --

| **Ollama API Service**
| FastAPI (17 endpoints), productize — config audit, doc tools, runbook gen
| P0
| Active
| --

| **Shell functions (fe, fec, fef)**
| File hunting helpers
| P3
| TODO
| --

|===

'''

// Active — Documentation
// Usage: include::partial$trackers/personal/tasks/active-docs.adoc[]
// Last updated: 2026-04-04

=== Active — Documentation

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **D2 Catppuccin Mocha styling**
| domus-* spoke repos (177 files total)
| P3
| In Progress
| --

|===

'''

// Active — Financial
// Usage: include::partial$trackers/personal/tasks/active-financial.adoc[]
// Last updated: 2026-04-04

=== Active — Financial

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **Amazon order history import**
| Download CSV from Privacy Central → parse with awk → populate subscriptions tracker
| P1
| Waiting
| Pending Amazon data export (requested 2026-04-04)

|===

'''

// Active — Education
// Usage: include::partial$trackers/personal/tasks/active-education.adoc[]
// Last updated: 2026-04-04

=== Active — Education

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| _No active education tasks — see education trackers_
|
|
|
|

|===

'''

// Active — Personal & Life Admin
// Usage: include::partial$trackers/personal/tasks/active-personal.adoc[]
// Last updated: 2026-04-04

=== Active — Personal & Life Admin

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **ThinkPad T16g Setup**
| Arch install, stow dotfiles, Ollama stack, netapi dev env
| P0
| Pending
| --

| **P50 Arch to Ubuntu migration**
| xref:case-studies/changes/p50-arch-to-ubuntu/index.adoc[CR-2026-03-12]
| P2
| In Progress
| --

| **X1 Carbon Ubuntu installs**
| 2 laptops, LUKS encryption
| P2
| In Progress
| --

| **P50 Steam Test**
| Test Flatpak Steam + apt cleanup of broken i386 packages
| P3
| Pending
| --

|===

// Documentation Sites Quick Links
// Usage: include::partial$trackers/personal/links/sites.adoc[]
// Last updated: 2026-04-04

==== Documentation Sites

* https://docs.domusdigitalis.dev/[docs.domusdigitalis.dev] - Private documentation hub
* https://docs.architectus.dev/[docs.architectus.dev] - Public portfolio site

=== Notes

_Day-specific personal notes here._

---
// Worklog Section: Education — Assembler
// Usage: include::partial$worklog/education.adoc[]
// Contains: All education domains via sub-partials
//
// PARADIGM: Each domain = its own file in education/
// FILES: ai-engineering.adoc, languages.adoc, study-today.adoc, regex.adoc
//
// MAINTENANCE: Add/remove domains by editing includes below
// To add RHCSA: include::partial$worklog/education/rhcsa.adoc[]

== Education

// Worklog Education: AI Engineering
// Usage: Included by worklog/education.adoc assembler
// Contains: Claude Code + AI training status

=== Claude Code + AI Engineering (ACTIVE)

=== Claude Code Mastery

[cols="2,3,1,1"]
|===
| Resource | Details | Progress | Status

| **Claude Code Full Course (4 hrs)**
| Nick Saraev - YouTube comprehensive course
| 26:49 / 4:00:00
| **IN PROGRESS**

| **Claude Code Certification**
| Anthropic official certification (newly released)
| Not started
| GOAL

|===

=== Active Tracks (Focus)

* xref:education/systems/regex-mastery.adoc[Regex Mastery] | xref:education/systems/regex/index.adoc[Curriculum]
* xref:education/rhcsa/index.adoc[RHCSA 9]
* xref:education/literature/don-quijote.adoc[Don Quijote] - Primera Parte
* xref:education/languages/dele-spanish.adoc[DELE C1/C2]

=== Skills Mastery (Critical)

* xref:education/systems/regex/index.adoc[Regex Mastery] - 10-module curriculum
* xref:education/programming/python.adoc[Python Mastery]
* xref:education/programming/bash.adoc[Bash Mastery]
* https://docs.asciidoctor.org/asciidoc/latest/[AsciiDoc Docs^] - Documentation format
* https://antora.org/[Antora Docs^] - Documentation pipeline

=== Certification Deadlines

* **CISSP** - July 12, 2026 (10-week plan active — Week 1)
* **RHCSA 9** - Q3 2026 (after CISSP)
* **LPIC-1** - Renewal required (blocks LPIC-2)

// Worklog Education: Languages
// Usage: Included by worklog/education.adoc assembler
// Contains: DELE/SIELE certs, Don Quijote writing method

=== Language Certifications (DELE/SIELE)

=== Spanish C1 Certification Goals

[cols="2,2,1,1,2"]
|===
| Certification | Provider | Target | Status | Strategy

| xref:education/languages/siele.adoc[**SIELE C1**]
| https://siele.org/[Instituto Cervantes^] / UNAM / Salamanca
| **Q2 2026**
| ACTIVE
| Computer-based, faster results - take FIRST

| xref:education/languages/dele-spanish.adoc[**DELE C1**]
| https://examenes.cervantes.es/es/dele/que-es[Instituto Cervantes^]
| **Q3/Q4 2026**
| PLANNED
| After SIELE success, harder exam

| xref:education/languages/dele-spanish.adoc[**DELE C2**]
| https://examenes.cervantes.es/es/dele/que-es[Instituto Cervantes^]
| 2027
| FUTURE
| Mastery level - requires extensive immersion

|===

TIP: SIELE is computer-adaptive, results in 3 weeks. DELE is paper-based, results in 3-4 months. Do SIELE first to validate readiness.

=== Don Quijote Writing Practice - DELE C1/C2 Initiative

**Method:**

1. Read chapter in original Spanish
2. Write personal analysis/understanding _en espanol_
3. AI review for grammar, vocabulary, register
4. Build comprehensive understanding of literary elements

// Worklog Education: Today's Study
// Usage: Included by worklog/education.adoc assembler
// Contains: Current study focus pointer

=== Today's Study

* **Focus:** CISSP (41 days to July 12 exam — schedule exam today 06-01), MSCHAPv2 migration wrap-up
* **Secondary:** RHCSA curriculum, Spanish SIELE C1
* [ ] CISSP — Security & Risk Management (continuing). **Schedule exam this afternoon.**
* [ ] RHCSA — continue curriculum phase
* [ ] Spanish — Don Quijote reading + analysis (DTLA study day)
* [ ] MSCHAPv2 — migration window closed 05-30, review final report

// Worklog Education: Regex Training
// Usage: Included by worklog/education.adoc assembler
// Contains: Regex training status (remove when complete)

=== Regex Training (CRITICAL)

* **Status:** 52 days carried over (since 2026-03-16)
* **Priority:** After PeopleSoft, before Quijote
* **Session:** Character classes, word boundaries

---
// Worklog Section: Infrastructure
// Usage: include::partial$worklog/infrastructure.adoc[]
// Contains: Infrastructure sites, HA status, SPOFs, validation

== Infrastructure

// Documentation Sites
// Usage: include::partial$trackers/personal/infrastructure/sites.adoc[]
// Last updated: 2026-04-04

=== Documentation Sites

[cols="2,2,1,2"]
|===
| Site | URL | Status | Actions Needed

| **Domus Digitalis**
| https://docs.domusdigitalis.dev[docs.domusdigitalis.dev]
| Active
| Validate, harden, improve

| **Architectus**
| https://docs.architectus.dev[docs.architectus.dev]
| Active
| Public portfolio site - maintain

|===

// HA Deployment Status
// Usage: include::partial$trackers/personal/infrastructure/ha-status.adoc[]
// Last updated: 2026-04-04

=== HA Deployment Status

[cols="2,2,1,2"]
|===
| System | Description | Status | Notes

| **VyOS HA**
| vyos-01 (kvm-01) + vyos-02 (kvm-02) with VRRP VIP
| ✅ COMPLETE
| 2026-03-07 - pfSense decommissioned

| **BIND DNS HA**
| bind-01 (kvm-01) + bind-02 (kvm-02) with AXFR
| ✅ COMPLETE
| Zone transfer operational

| **Vault HA**
| Raft cluster (vault-01/02/03)
| ✅ COMPLETE
| Integrated with PKI

| **Keycloak Rebuild**
| keycloak-01 corrupted, rebuild from scratch
| 🔄 NEXT
| Priority P3 - SSO broken

| **FreeIPA HA**
| ipa-02 replica planned
| 📋 PLANNED
| Linux auth redundancy

| **AD DC HA**
| home-dc02 replication
| 📋 PLANNED
| Windows auth redundancy

| **iPSK Manager HA**
| ipsk-mgr-02 with MySQL replication
| 📋 PLANNED
| PSK portal redundancy

| **ISE HA**
| PAN HA (ise-01 reconfigure)
| ⏳ DEFERRED
| Wait until ise-02 stable

| **ISE 3.5 Migration**
| Upgrade path: 3.2p9 → 3.4 (P1) → 3.5 (target)
| 📋 PLANNED
| After 3.4 Migration completes (Q2 2026)

|===

// Single Points of Failure
// Usage: include::partial$trackers/personal/infrastructure/spof.adoc[]
// Last updated: 2026-04-04

=== Single Points of Failure (CRITICAL)

WARNING: These systems have NO redundancy - outage impacts production.

[cols="2,2,3"]
|===
| System | Impact if Down | Mitigation

| **ISE (ise-02)**
| All 802.1X stops - wired and wireless auth fails
| ise-01 reconfiguration deferred until ise-02 stable

| **Keycloak (keycloak-01)**
| SAML/OIDC SSO broken (ISE admin, Grafana, etc.)
| **NEXT PRIORITY** - Rebuild runbook

| **FreeIPA (ipa-01)**
| Linux auth, sudo rules, HBAC fails
| ipa-02 replica planned

| **AD DC (home-dc01)**
| Windows auth, Kerberos, GPO fails
| home-dc02 replica planned

| **iPSK Manager**
| Self-service PSK portal unavailable
| ipsk-mgr-02 with MySQL replication planned

|===

// Validation Tasks
// Usage: include::partial$trackers/personal/infrastructure/validation.adoc[]
// Last updated: 2026-04-04

=== Validation Tasks

[cols="2,3,1"]
|===
| Task | Details | Status

| docs.domusdigitalis.dev validation
| Test all cross-references, search, rendering
| TODO

| docs.domusdigitalis.dev hardening
| HTTPS, CSP headers, security review
| TODO

| docs.architectus.dev validation
| Public site content review
| TODO

| Hub-spoke sync verification
| All components building correctly
| Ongoing

|===

---
// Worklog Section: Quick Commands — Assembler
// Usage: include::partial$worklog/quick-commands.adoc[]
// Sub-partials: commands/<category>.adoc
//
// PARADIGM: Each tool domain = its own file in commands/
// Add new categories by adding an include below.
// Graduate mature entries to codex/ pages.
//
// MAINTENANCE: Add new commands to the appropriate sub-partial.
// Split when a sub-partial exceeds ~150 lines.

== Quick Commands

// Commands: Git & GitHub CLI
// Graduated from: .drafts/domus-terminal-workflows-2026-04-23.adoc
// Promote mature entries to: codex/git/

=== Git & GitHub CLI

.create GitHub repo from existing local repo
[source,bash]
----
gh repo create <name> --private --source . --remote origin --push
----

.clone a forked repo into a specific directory
[source,bash]
----
gh repo clone EvanusModestus/PowerShell ~/atelier/_projects/work/PowerShell
----

NOTE: `gh repo clone` defaults to SSH. If key is passphrase-protected, load agent first: `eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519_github`

.cross-repo commit search — all domus repos on a specific date
[source,bash]
----
for repo in ~/atelier/_bibliotheca/domus-*/ ~/atelier/_projects/personal/domus-*/; do
  [ -d "$repo/.git" ] || continue
  name=$(basename "$repo")
  git -C "$repo" log --since="2026-04-06" --until="2026-04-07" --format="%h %aI %s" 2>/dev/null |
    awk -v r="$name" '{print r, $0}'
done
----

.commit history touching only today's modified files
[source,bash]
----
git log --oneline -- $(find . -name "*.adoc" -type f -newermt "$(date +%F)")
----

.unstage a file without losing changes
[source,bash]
----
git restore --staged data/d001/api/ise-dataconnect/output/output-2026-04-24
----

Safe — removes from staging area only. Working tree is untouched. Use when you accidentally `git add` a plaintext or output file.

==== gh CLI — repo discovery and filtering

.list repos by name pattern (domus/antora ecosystem)
[source,bash]
----
gh repo list --limit 100 --json name,description \
  | jq -r '.[] | select(.name | test("domus|antora|asciidoc"; "i")) | "\(.name)\t\(.description)"'
----

.top 20 most recently updated repos
[source,bash]
----
gh repo list --limit 100 --json name,description,updatedAt \
  | jq -r 'sort_by(.updatedAt) | reverse | .[:20] | .[] | "\(.updatedAt[:10])\t\(.name)\t\(.description)"'
----

.top 10 repos by disk usage
[source,bash]
----
gh repo list --limit 100 --json name,diskUsage \
  | jq -r '.[] | "\(.diskUsage)\t\(.name)"' | sort -rn | head -10
----

.clone a repo that's not local yet
[source,bash]
----
gh repo clone EvanusModestus/<repo-name> ~/atelier/_bibliotheca/<repo-name>
----

// Commands: find & grep
// Graduated from: .drafts/domus-terminal-workflows-2026-04-23.adoc, find-discovery-2026-04-18.adoc
// Promote mature entries to: codex/cli/find.adoc, codex/cli/grep.adoc

=== find & grep

.files modified since midnight today (precise — not "last 24 hours")
[source,bash]
----
find . -name "*.adoc" -type f -newermt "$(date +%F)" | sort
----

NOTE: `-mtime 0` means "last 24 hours", not "today". `-newermt "$(date +%F)"` compares against midnight — exact.

.case-insensitive file search
[source,bash]
----
find . -iname "*mschap*" -type f | sort
----

.multiple name patterns with -o
[source,bash]
----
find . -type f \( -iname "*ise*" -o -iname "*mschap*" \) | sort
----

.same thing, single regex — fewer parens, extensible
[source,bash]
----
find . -type f -iregex '.*\(ise\|mschap\).*'
----

.exclude directories
[source,bash]
----
find . -type f -iname "*meeting*" \
  -not -path "*/node_modules/*" \
  -not -path "*/.git/*" \
  -not -path "*/build/*"
----

.recent drafts by modification time (newest first)
[source,bash]
----
find .drafts -type f -printf '%T@ %Tc %p\n' | sort -rn | awk '{$1="";print}' | head -3
----

.grep — know what you're counting
[source,bash]
----
grep -rl "pattern" . --include="*.adoc"         # file count (which files)
grep -rn "pattern" . --include="*.adoc"         # line matches (every occurrence)
grep -rc "pattern" . --include="*.adoc" | grep -v ':0$'  # match count per file
----

.search with context — avoid opening the file
[source,bash]
----
grep -rn -E 'git init|gh repo create' docs/ --include='*.adoc' -B2 -A2
----

==== Search codex by content — which files contain a command?

.find all PowerShell files that use a specific cmdlet
[source,bash]
----
find docs/modules/ROOT/examples/codex/powershell -type f -name "*.adoc" \
  -exec grep -l 'Get-Process\|Start-Process\|pipeline\|Where-Object' {} \;
----

Pattern: `find -exec grep -l` returns only filenames with matches — like `grep -rl` but with `find`'s `-type f -name` filtering. Use `\|` for OR in `grep` basic regex. Swap the pattern for any cmdlet or keyword to locate coverage across the codex.

.inventory a codex tool directory — count files per tier
[source,bash]
----
find docs/modules/ROOT -name "powershell" -type d \
  -exec sh -c 'echo "$1: $(find "$1" -type f | wc -l) files"' _ {} \;
----

.find orphaned examples (not included by any page)
[source,bash]
----
for f in $(find docs/modules/ROOT/examples/codex/powershell -name "*.adoc" -type f); do
  base=$(basename "$f")
  dir_parent=$(basename $(dirname "$f"))
  grep -rq "$dir_parent/$base" docs/modules/ROOT/pages/codex/powershell/ \
    docs/modules/ROOT/examples/codex/powershell/*.adoc 2>/dev/null \
    || echo "ORPHAN: $f"
done
----

==== find → grep → open in nvim

.find by path + content, open result in nvim
[source,bash]
----
nvim $(find -path '*oauth*' -name '*.adoc' -type f \
  -exec grep -l 'timeout\|expire\|reconfig\|token' {} \;)
----

Command substitution `$(...)` feeds all matches as arguments to nvim — opens every hit as a buffer. `:bn`/`:bp` to cycle, `:ls` to list. One file? Opens directly. Five files? All loaded, ready to navigate.

.find by content across entire tree, open in nvim
[source,bash]
----
nvim $(find docs/modules/ROOT -name '*.adoc' -type f \
  -exec grep -l 'token.*expire\|oauth.*refresh' {} \;)
----

.open one at a time (sequential — -exec nvim per match)
[source,bash]
----
find -path '*oauth*' -name '*.adoc' -type f \
  -exec grep -l 'timeout\|expire' {} \; \
  -exec nvim {} \;
----

WARNING: Trailing `\|` in grep patterns matches empty string — every file matches. Always end with a term, not a pipe: `'timeout\|expire\|token'` not `'timeout\|expire\|token\|'`.

==== Trace Antora partial inclusion chains

.who includes this partial? (one level up)
[source,bash]
----
grep -rl 'commands/shell' docs/modules/ROOT/partials/
----

.count all pages that include a partial
[source,bash]
----
grep -rl 'quick-commands' docs/modules/ROOT | wc -l
----

.full chain: partial → assembler → every page that uses it
[source,bash]
----
file="commands/shell"
grep -rl "$file" docs/modules/ROOT/partials/ | while read f; do
  parent=$(basename "$f" .adoc)
  echo "$file -> $parent"
  grep -rl "$parent" docs/modules/ROOT/pages/ | while read p; do
    echo "  -> $(basename "$p")"
  done
done
----

Pattern: `grep -rl` finds which files contain the string. Chain two passes — first finds the assembler partial, second finds every page that includes it. Works for any partial in the Antora include hierarchy.

==== Multi-pattern file search — worklog partial discovery

.brute force — one find per partial name
[source,bash]
----
find docs/modules/ROOT -name "*urgent.adoc*" -type f
find docs/modules/ROOT -name "*morning.adoc*" -type f
----

.consolidated — single find with regex (production approach)
[source,bash]
----
find docs/modules/ROOT -type f -regextype posix-extended \
  -regex '.*(urgent|morning|work-chla|personal|education|infrastructure|quick-commands|related)\.adoc' \
  | sort
----

Pattern: `-regextype posix-extended` enables `|` alternation without escaping. One process, one sort — versus 8 separate finds. The `sort` deduplicates visually and groups by path.

.pipeline alternative — find piped to grep
[source,bash]
----
find docs/modules/ROOT -type f -name "*.adoc" \
  | grep -E 'urgent|morning|work-chla|personal|education|infrastructure|quick-commands|related'
----

Trade-off: the pipeline version is more readable but spawns two processes. The regex version is a single `find` — faster on large trees, same result.

==== Cross-repo literary term search — bibliotheca-wide discovery

When searching for a term across the entire `_bibliotheca` (multiple repos, mixed file types), these patterns escalate from narrow to broad.

.1. Single repo — count matches per file
[source,bash]
----
grep -rn --include='*.adoc' -c 'sanchuelo' . | grep -v ':0$'
----

.2. Cross-repo — filenames only (all bibliotheca)
[source,bash]
----
grep -rl --include='*.adoc' -i 'sanchuelo' ~/atelier/_bibliotheca/ | sort
----

.3. Cross-repo with context — see the line in situ
[source,bash]
----
grep -rn --include='*.adoc' -i -B1 -A1 'sanchuelo' ~/atelier/_bibliotheca/domus-captures/
----

.4. Multi-filetype — .adoc + .txt (catches source texts)
[source,bash]
----
grep -rl -i 'sanchuelo' ~/atelier/_bibliotheca/ --include='*.txt' --include='*.adoc' | sort
----

.5. Null-safe find + xargs — handles spaces in paths
[source,bash]
----
find ~/atelier/_bibliotheca/ -type f \( -name '*.adoc' -o -name '*.txt' \) -print0 \
  | xargs -0 grep -li 'sanchuelo' | sort
----

.6. Open all hits directly in nvim
[source,bash]
----
grep -rl -i 'sanchuelo' ~/atelier/_bibliotheca/ --include='*.adoc' --include='*.txt' | xargs nvim
----

Pattern escalation: #1 confirms the term exists and where. #2 expands to all repos. #3 shows context without opening files. #4 adds plain text sources (Quijote `.txt` originals). #5 is the safe version for automation. #6 opens everything for editing.

Trade-off: `grep -r --include` is faster for known file types. `find | xargs grep` is safer for paths with spaces and more extensible (add `-name '*.md'` etc.). For literary searches across the bibliotheca, #4 or #5 is usually the right starting point — the source texts are `.txt`, not `.adoc`.

==== Email thread analysis — extract people, dates, commitments, silence

.who's in the thread (@ mentions + From headers)
[source,bash]
----
grep -P '(@\w+|^From:.*<)' comms.adoc
----

.timeline — every date with context
[source,bash]
----
grep -nP '\d{1,2}/\d{1,2}/\d{2,4}|20\d{2}-\d{2}-\d{2}' comms.adoc
----

.commitments — who promised what
[source,bash]
----
grep -niP '(I can |I will |I.ll |we will |we.ll )' comms.adoc
----

.open questions and unknowns
[source,bash]
----
grep -niP '(\?|need to confirm|need to validate|TBD|pending)' comms.adoc
----

==== comm — set difference (who hasn't replied)

[source,bash]
----
# All recipients
grep -oP '<\K[^>]+' comms.adoc | sort -u > /tmp/all-recipients

# All senders
grep -P '^From:' comms.adoc | grep -oP '<\K[^>]+' | sort -u > /tmp/replied

# Who's silent — follow-up targets
comm -23 /tmp/all-recipients /tmp/replied
----

`comm -23` outputs lines only in file 1 (recipients not in senders). Requires sorted input. `grep -oP '<\K[^>]+'` uses PCRE lookbehind — match `<` but don't include it, capture until `>`.

// Commands: awk, sed, jq — Text Processing
// Graduated from: .drafts/terminal-mastery-session-2026-04-19.adoc,
//   .drafts/domus-terminal-workflows-2026-04-22.adoc
// Promote mature entries to: codex/awk/, codex/jq/

=== awk, sed, jq

==== awk — field extraction

.print second field (whitespace-delimited)
[source,bash]
----
awk '{print $2}' file.txt
----

.custom delimiter — colon-separated (like /etc/passwd)
[source,bash]
----
awk -F: '{print $1, $3}' /etc/passwd
----

.extract JSON code blocks from AsciiDoc
[source,bash]
----
awk '/\[source,json\]/{getline; if ($0 ~ /^----/) {p=1; next}} p && /^----/{p=0; next} p' file.adoc
----

.field extraction with printf formatting
[source,bash]
----
awk '{printf "%-30s %s\n", $1, $2}' file.txt
----

==== sed — stream editing

.in-place replacement with verify-before/after
[source,bash]
----
# Before
awk 'NR==73' /etc/ssh/sshd_config
# Change
sed -i '73s/#GSSAPIAuthentication no/GSSAPIAuthentication yes/' /etc/ssh/sshd_config
# After
awk 'NR==73' /etc/ssh/sshd_config
----

.extract line range
[source,bash]
----
sed -n '10,20p' file.txt
----

==== jq — JSON processing

.extract nested fields
[source,bash]
----
curl -s localhost:8080/stats | jq '.stats.total_files'
----

.filter array by property
[source,bash]
----
jq '.results[] | select(.category == "standards")' response.json
----

.transform to TSV for spreadsheets
[source,bash]
----
jq -r '.[] | [.title, .path] | @tsv' response.json | column -t -s $'\t'
----

.GitHub API + jq — commit history by path
[source,bash]
----
gh api "repos/EvanusModestus/domus-captures/commits?path=docs/&per_page=10" |
  jq -r '.[] | "\(.commit.author.date[:10]) \(.sha[:7]) \(.commit.message | split("\n")[0])"'
----

// Commands: Shell Patterns (bash/zsh)
// Graduated from: .drafts/domus-terminal-workflows-2026-04-23.adoc
// Promote mature entries to: codex/bash/

=== Shell Patterns

==== xargs — when the next command reads arguments, not stdin

[cols="1,2"]
|===
| Next command reads... | Use

| stdin (`awk`, `grep`, `wc`, `sort`) | pipe directly
| arguments (`stat`, `rm`, `cp`, `nvim`, `git add`) | `xargs`
|===

.copy today's files to backup — `-I{}` placeholder
[source,bash]
----
mkdir -p /tmp/adoc-backup-$(date +%F) && \
  find . -name "*.adoc" -type f -newermt "$(date +%F)" | \
  xargs -I{} cp {} /tmp/adoc-backup-$(date +%F)/
----

.parallel validation — `-P4` runs 4 at a time
[source,bash]
----
find .drafts -name "*.adoc" -type f | xargs -P4 -I{} asciidoctor -o /dev/null {}
----

.null-delimited pipeline — safe for filenames with spaces
[source,bash]
----
find . -name "*.adoc" -type f -print0 | xargs -0 wc -l
----

==== Process substitution — `<(cmd)` treats output as a file

.compare tracker state: yesterday vs today
[source,bash]
----
diff <(grep '|' partials/trackers/work/adhoc/carryover.adoc | head -20) \
     <(git show HEAD~1:partials/trackers/work/adhoc/carryover.adoc | grep '|' | head -20)
----

.files on disk vs files in nav — drift detection
[source,bash]
----
diff <(find docs/modules/ROOT/pages/projects/chla/mschapv2-migration -name "*.adoc" -type f | sort) \
     <(grep -oP 'mschapv2-migration/[^[]+\.adoc' docs/modules/ROOT/nav.adoc | sort)
----

==== Command substitution — embed output as arguments

.open most recently modified file in nvim
[source,bash]
----
nvim "$(find data/ -name '*.adoc' -type f -printf '%T@ %p\n' | sort -rn | awk 'NR==1{print $2}')"
----

.line count across a project
[source,bash]
----
wc -l $(find docs/modules/ROOT -path '*mschapv2*' -name '*.adoc' -type f)
----

==== Conditional execution — capture, test, act

.open matching files only if they exist
[source,bash]
----
files=$(find .drafts -name 'in*' -type f) && [ -n "$files" ] && nvim $files
----

.open files that contain unchecked items
[source,bash]
----
files=$(grep -rl '\[ \]' .drafts/*.adoc) && [ -n "$files" ] && nvim $files
----

.guard with grep -q — only act if pattern matches
[source,bash]
----
grep -q 'TODO\|FIXME\|\[ \]' "$file" && nvim "$file"
----

Pattern: `$(capture)` → `[ -n ]` tests non-empty → `&&` only proceeds if true.
`grep -q` is the idempotent guard — run repeatedly, only opens when there's work.

==== Decrypt and open — find .age, decrypt, nvim in one shot

[source,bash]
----
files=$(find . -name "*tcp-clock*.age" -type f) && \
  [ -n "$files" ] && echo "$files" | xargs -I{} decrypt-file {} && \
  nvim $(echo "$files" | sed 's/\.age$//')
----

Pattern: find `.age` only (never tries plaintext), `sed` derives the decrypted path, guard prevents empty nvim. Change the glob to match any project.

==== tee_clean — color on screen, clean text in file

[source,bash]
----
tee_clean() {
  tee >(sed 's/\x1b\[[0-9;]*m//g' > "$1")
}

# Color output on terminal, stripped in file
jq -C '.' data.json | tee_clean output.json
xq -C '.' data.xml | tee_clean output.json

# Wrap a whole block
{
  echo "=== Summary ==="
  jq -C '.[] | .name' data.json
} | tee_clean summary.txt
----

The `>(cmd)` is process substitution — `tee` writes to stdout AND to the subshell pipe. `sed` strips ANSI escape sequences (`\x1b\[[0-9;]*m`) before they hit the file.

==== Dependency check — verify toolchain in one shot

[source,bash]
----
for cmd in asciidoctor asciidoctor-pdf pandoc rouge d2 mmdc age; do
  printf "%-20s %s\n" "$cmd" "$(command -v $cmd >/dev/null 2>&1 && echo 'OK' || echo 'MISSING')"
done
----

Pattern: `command -v` checks if binary exists on PATH. `>/dev/null 2>&1` suppresses output — we only care about exit code. Swap the tool list for any project's dependencies.

==== printf safety — dashes as data, not options

.wrong — printf treats `---` as invalid option
[source,bash]
----
printf '---\n\n'
----

.right — %s format string treats `---` as data
[source,bash]
----
printf '%s\n\n' '---'
----

==== Kill stuck SSH sessions

.Find established SSH connections
[source,bash]
----
lsof -i TCP -n -P | awk '/ssh.*ESTABLISHED/ {print $2, $9}'
----

.Kill all stuck SSH sessions to a specific host
[source,bash]
----
lsof -i TCP -n -P | awk '/ssh.*kvm-01.*ESTABLISHED/ {print $2}' | sort -u | xargs kill
----

.Kill ALL stuck SSH sessions
[source,bash]
----
lsof -i TCP -n -P | awk '/ssh.*ESTABLISHED/ {print $2}' | sort -u | xargs kill
----

`lsof -i TCP -n -P` lists all TCP connections. `awk` filters for SSH + ESTABLISHED, prints only the PID (`$2`). `sort -u` deduplicates (multiple file descriptors per process). `xargs kill` sends SIGTERM to each.

// Commands: File Descriptors & Redirection
// Graduated from: .drafts/terminal-mastery-session-2026-04-19.adoc
// Promote mature entries to: codex/bash/

=== File Descriptors & Redirection

==== The three file descriptors

[cols="1,1,3"]
|===
| FD | Name | Purpose

| 0 | stdin | input to the command
| 1 | stdout | normal output (valid results)
| 2 | stderr | error messages
|===

==== Split stdout and stderr into separate files

[source,bash]
----
find / -name "*.conf" 1>results.txt 2>errors.txt
----

==== Suppress errors — `2>/dev/null`

[source,bash]
----
find / -name "*.conf" 2>/dev/null
----

==== Merge stderr into stdout — `2>&1`

[source,bash]
----
command 2>&1 | grep "pattern"
----

This sends both stdout and stderr through the pipe. Without `2>&1`, only stdout reaches grep — errors print to the terminal and bypass the pipeline.

==== Heredoc patterns

.multi-line input to a command
[source,bash]
----
cat <<'EOF'
Line 1
Line 2
EOF
----

.heredoc commit messages (quotes prevent variable expansion)
[source,bash]
----
git commit -m "$(cat <<'EOF'
feat: add new feature

Multi-line description here.
EOF
)"
----

// Commands: API & curl/jq
// Graduated from: quick-commands.adoc (existing)
// Promote mature entries to: codex/fastapi/, codex/jq/

=== API & curl/jq

==== domus-api — Documentation System REST API

.start the API server
[source,bash]
----
cd ~/atelier/_projects/personal/domus-api && uv run uvicorn domus_api.main:app --host 0.0.0.0 --port 8080
----

.health check
[source,bash]
----
curl -s localhost:8080/ | jq
----

.full-text search
[source,bash]
----
curl -s 'localhost:8080/search?q=mandiant' | jq
----

.search — extract path, title, match count
[source,bash]
----
curl -s 'localhost:8080/search?q=mandiant' | jq '.results[] | {path, title, match_count}'
----

.list pages by category
[source,bash]
----
curl -s 'localhost:8080/pages?category=standards' | jq
----

.all antora.yml attributes
[source,bash]
----
curl -s localhost:8080/attributes | jq
----

==== GitHub API

.cross-repo search via GitHub API
[source,bash]
----
gh search code "vault seal" --owner EvanusModestus --json repository,path,textMatches |
  jq '.[] | {repo: .repository.full_name, file: .path, match: .textMatches[].fragment}'
----

.count .adoc files in a repo via API
[source,bash]
----
gh api 'repos/EvanusModestus/domus-captures/git/trees/main?recursive=1' |
  jq '[.tree[] | select(.path | endswith(".adoc"))] | length'
----

// Commands: Domus Documentation System — Terminal Workflows
// Graduated from: .drafts/domus-terminal-workflows-2026-04-21.adoc
// Promote mature entries to: codex/documentation/

=== Domus Workflows

==== Read content from terminal (meeting-ready)

.today's worklog
[source,bash]
----
bat docs/modules/ROOT/pages/2026/04/WRKLOG-$(date +%Y-%m-%d).adoc
----

.current priorities
[source,bash]
----
bat docs/modules/ROOT/partials/trackers/work/priorities/current.adoc
----

.carryover backlog
[source,bash]
----
bat docs/modules/ROOT/partials/trackers/work/adhoc/carryover.adoc
----

.any project summary
[source,bash]
----
bat docs/modules/ROOT/partials/projects/mandiant-remediation/summary.adoc
----

==== Search and discovery

.find all files related to a topic
[source,bash]
----
grep -rl "MSCHAPv2" docs/modules/ROOT/ --include="*.adoc" | sort
----

.search codex entries
[source,bash]
----
grep -rn "pattern" docs/modules/ROOT/partials/codex/ --include="*.adoc" -B1 -A3
----

.list all worklogs for a month
[source,bash]
----
ls -1 docs/modules/ROOT/pages/2026/04/WRKLOG-*.adoc
----

==== Tracker aging — calculate days from origin

.how many days since a carryover item started
[source,bash]
----
echo $(( ($(date +%s) - $(date -d "2026-03-09" +%s)) / 86400 ))
----

==== Encrypted data access (d001)

.view encrypted file without disk write
[source,bash]
----
age --decrypt -i ~/.secrets/.metadata/keys/master.age.key \
  data/d001/projects/mandiant-remediation/findings-status-2026-04-16.adoc.age \
  | bat --language asciidoc
----

.project encryption dashboard
[source,bash]
----
for d in data/d001/projects/*/; do
  total=$(find "$d" -type f | wc -l)
  plain=$(find "$d" -type f ! -name '*.age' ! -name 'README.adoc' ! -name '.gitkeep' ! -name '*.py' | wc -l)
  printf "%-25s %s files  %s plaintext\n" "$(basename "$d")" "$total" "$plain"
done
----

// Commands: ISE & Network Operations
// Graduated from: .drafts/terminal-mastery-session-2026-04-19.adoc,
//   data/d000/infra/ references
// Promote mature entries to: codex/networking/, codex/security/

=== ISE & Network Ops

==== ISE ERS API — endpoint CRUD

.set credentials (session)
[source,bash]
----
export ISE_HOST="{ise-ip}" ISE_USER="admin" ISE_PASS="$(gopass show -o ise/admin)"
----

.list identity groups
[source,bash]
----
curl -sk "https://$ISE_HOST:{ise-ers-port}/ers/config/identitygroup" \
  -H "Accept: application/json" -u "$ISE_USER:$ISE_PASS" | jq '.SearchResult.resources[].name'
----

.check if endpoint exists by MAC
[source,bash]
----
curl -sk "https://$ISE_HOST:{ise-ers-port}/ers/config/endpoint?filter=mac.EQ.AA:BB:CC:DD:EE:FF" \
  -H "Accept: application/json" -u "$ISE_USER:$ISE_PASS" | jq '.SearchResult.total'
----

==== Certificate inspection

.view EAP-TLS client cert from local store
[source,bash]
----
openssl x509 -in {cert-dir}/client.pem -text -noout | head -30
----

.check cert expiry
[source,bash]
----
openssl x509 -in {cert-dir}/client.pem -enddate -noout
----

==== Network diagnostics

.check listening ports
[source,bash]
----
ss -tlnp | grep -E ':{port-https}|:{port-ssh}|:{port-ldaps}'
----

.test ISE connectivity
[source,bash]
----
nc -zv {ise-ip} {ise-ers-port}
----

.DNS resolution
[source,bash]
----
dig {ise-hostname} +short
----

// Commands: PowerShell (from zsh)
// Graduated from: .drafts/domus-terminal-workflows-2026-04-23.adoc
// Promote mature entries to: codex/powershell/

=== PowerShell (from zsh)

NOTE: All PowerShell commands run inside `pwsh -NoLogo -Command '...'` from zsh. Running them bare fails — zsh interprets `$`, `|`, `()` as shell syntax.

==== Process management

.top 5 processes by memory
[source,bash]
----
pwsh -NoLogo -Command 'Get-Process | Sort-Object WorkingSet64 -Descending |
  Select-Object -First 5 ProcessName, Id,
    @{N="MB";E={[math]::Round($_.WorkingSet64/1MB)}} | Format-Table'
----

.stop/start Teams
[source,bash]
----
pwsh -NoLogo -Command 'Get-Process | Where-Object {$_.ProcessName -like "*teams*"} | Stop-Process'
pwsh -NoLogo -Command 'Start-Process "ms-teams"'
----

==== Export to JSON (pipe to jq)

.always use -NoLogo when piping pwsh output to zsh tools
[source,bash]
----
pwsh -NoLogo -Command 'Get-Process | Sort-Object WorkingSet64 -Descending |
  Select-Object -First 5 ProcessName, Id,
    @{N="MB";E={[math]::Round($_.WorkingSet64/1MB)}} | ConvertTo-Json' | jq '.'
----

WARNING: Never pipe `Format-Table` into `ConvertTo-Json` — it produces layout metadata, not data. `Select-Object` first, then `ConvertTo-Json`.

==== Wi-Fi management (netsh)

.force fresh network scan
[source,powershell]
----
netsh wlan disconnect interface="Wi-Fi"
netsh wlan show networks mode=bssid
netsh wlan connect name="CHLA-Remote" interface="Wi-Fi"
----

==== SSH from PowerShell

.connect to homelab from Windows terminal
[source,powershell]
----
ssh evan@modestus-razer.inside.domusdigitalis.dev
----

// Commands: Security & Encryption
// Graduated from: .drafts/domus-terminal-workflows-2026-04-23.adoc
// Promote mature entries to: codex/security/

=== Security & Encryption

==== View encrypted files without writing to disk

.pipe age decrypt to bat — nothing touches the filesystem
[source,bash]
----
age --decrypt -i ~/.secrets/.metadata/keys/master.age.key \
  data/d001/projects/mandiant-remediation/findings-status-2026-04-16.adoc.age \
  | bat --language asciidoc --file-name "findings-status-2026-04-16.adoc"
----

==== Batch re-encrypt — brace expansion + loop

.re-encrypt multiple project files
[source,bash]
----
for f in data/d001/projects/mandiant-remediation/{findings-status,guest-acl-update,siem-report}-2026-04-16.adoc; do
  rm -f "${f}.age" && echo y | encrypt-file "$f"
done
----

WARNING: Always `rm -f` the `.age` first. If you skip it, `encrypt-file` prompts about overwrite and may only delete the plaintext without re-encrypting.

==== Detect stale plaintext — files needing re-encryption

.find plaintext newer than its .age counterpart
[source,bash]
----
for f in data/d001/projects/*/*.adoc; do
  age="${f}.age"
  if [ -f "$f" ] && [ -f "$age" ]; then
    pt_mod=$(/usr/bin/stat -c'%Y' "$f")
    age_mod=$(/usr/bin/stat -c'%Y' "$age")
    [ "$pt_mod" -gt "$age_mod" ] && echo "STALE: $f"
  fi
done
----

==== Secure delete — shred for sensitive plaintext

[source,bash]
----
shred -u data/d001/projects/mandiant-remediation/man-report.txt
----

NOTE: On SSD/NVMe, `shred` is less effective (wear leveling), but better than `rm` which only removes the directory entry.

==== Pre-push audit — find all unencrypted project files

[source,bash]
----
find data/d001/projects -type f ! -name '*.age' ! -name 'README.adoc' ! -name '.gitkeep' ! -name '*.py' | sort
----

// Commands: System & Infrastructure
// Graduated from: quick-commands.adoc (existing), .drafts/
// Promote mature entries to: codex/

=== System & Infrastructure

==== PipeWire audio validation

[source,bash]
----
wpctl status                                    # PipeWire status
pactl list sinks short                          # list audio sinks
pw-play /usr/share/sounds/freedesktop/stereo/bell.oga  # test default sink
journalctl -b --grep='sof|cs35l56' --no-pager | tail -20  # kernel audio firmware
cat /proc/asound/cards                          # ALSA sound cards
----

==== gopass — personal document management

[source,bash]
----
gopass-personal-docs    # interactive entry creation
gopass-query bills      # list recurring bills with totals
gopass-query storage    # list storage units with gate codes
gopass-query export bills  # export category to JSON
----

==== Makefile — daily workflow

[source,bash]
----
make new-day      # create today's worklog + update attributes
make serve        # build + local server (port 8000)
make              # build only
make sync-nav     # sync worklog nav entries
make update-index # rebuild monthly index
----

==== Per-project file dashboard

.per-project summary — total files vs unencrypted plaintext
[source,bash]
----
for d in data/d001/projects/*/; do
  total=$(find "$d" -type f | wc -l)
  plain=$(find "$d" -type f ! -name '*.age' ! -name 'README.adoc' ! -name '.gitkeep' ! -name '*.py' | wc -l)
  echo "$(basename "$d") | ${total} files | ${plain} plaintext"
done
----

---
// Worklog Section: Related Documents
// Usage: include::partial$worklog/related.adoc[]
// Contains: Common cross-references for worklogs

== Related Documents

* xref:education/literature/quijote/index.adoc[Don Quijote - Estudio Completo]
* xref:projects/chla/PRJ-peoplesoft-time-entry.adoc[PeopleSoft Time Entry]
* xref:trackers/quarterly-q2-2026.adoc[Q2 2026 Tracker]
* xref:patterns/index.adoc[Pattern Journal]
```

## Standard Partials

| Partial | Content |
|---------|---------|
| `urgent.adoc` | Professional backlog, blockers, life admin, cert deadlines |
| `morning.adoc` | Early morning focus, regex training |
| `work-chla.adoc` | CHLA work context |
| `personal.adoc` | Personal projects |
| `education.adoc` | Learning, certifications |
| `infrastructure.adoc` | Home lab work |
| `quick-commands.adoc` | Command references |
| `related.adoc` | Related documentation |

---

## Your Task

Arguments received: $ARGUMENTS

Execute the worklog creation workflow:

1. **Parse date**:
   - If no argument: use today's date
   - If `tomorrow`: use tomorrow's date
   - If `yesterday`: use yesterday's date
   - If YYYY-MM-DD format: use that date

2. **Calculate day of week**: Run `date -d "YYYY-MM-DD" +%A`

3. **Construct paths**:
   ```bash
   BASE="/home/evanusmodestus/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/pages"
   DIR="$BASE/YYYY/MM"
   FILE="$DIR/WRKLOG-YYYY-MM-DD.adoc"
   ```

4. **Check if exists**: If file exists, inform user and ask whether to open or overwrite

5. **Create directory**: `mkdir -p $DIR`

6. **Generate content**: Create the worklog using the standard template with:
   - Title: `= WRKLOG-YYYY-MM-DD`
   - Description: `DayOfWeek - [to be filled]`
   - All 8 standard includes

7. **Write file**: Use Write tool to create the file

8. **Report**: Show full path to new worklog

**IMPORTANT**: Show the file path so user can open it in their editor.

# Restart Claude Code or start new session
# Type /worklog and check autocomplete