CR-2026-03-25: Claude Code /worklog Skill Implementation

domus-captures/docs/modules/ROOT/pages/
└── 2026/
    ├── 01/
    │   └── WRKLOG-2026-01-*.adoc
    ├── 02/
    │   └── WRKLOG-2026-02-*.adoc
    └── 03/
        └── WRKLOG-2026-03-*.adoc

= WRKLOG-YYYY-MM-DD
:description: DayOfWeek - Summary
:revdate: YYYY-MM-DD

== Summary

**DayOfWeek.** [Daily focus summary]

// Worklog Section: URGENT - All Domains — Assembler
// Usage: include::partial$worklog/urgent.adoc[]
// Contains: All urgent items across domains via sub-partials
//
// PARADIGM: Each domain = its own file in urgent/
// FILES: professional.adoc, personal.adoc, life-admin.adoc, certifications.adoc
//
// MAINTENANCE: Add/remove urgent domains by editing includes below

== URGENT - All Domains

// Worklog Urgent: Professional Backlog
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Work carryover backlog with aging

=== Professional Backlog

// Carryover Backlog — Critical tasks carried across worklogs
// Usage: include::partial$trackers/work/adhoc/carryover.adoc[]
// Last updated: 2026-04-12

=== Carryover Backlog (CRITICAL)

// =========================================================================
// UPDATE: Days column each worklog
// PRIORITY: P0 = blocking others or critical | P1 = important | P2 = scheduled
// =========================================================================

[cols="2,3,1,1,1"]
|===
| Task | Details | Origin | Days | Status

| **k3s NAT verification**
| NAT rule 170 for 10.42.0.0/16 pod network - test internet connectivity
| 2026-03-09
| 34
| **P0 - BLOCKING**

| **Wazuh indexer recovery**
| Restart pod after NAT confirmed working - SIEM visibility blocked
| 2026-03-09
| 34
| **P0 - Blocked by k3s**

| Strongline Gateway VLAN fix
| 8 devices in wrong identity group (David Rukiza assigned)
| 2026-03-16
| 27
| P0 - TODO

| Monad Pipeline Evaluation
| Test pipeline creation, input sources, transforms (LEAD ROLE)
| 2026-03-11
| 32
| P1 - TODO

| Vocera EAP-TLS Supplicant Fix
| ~10 phones failing 802.1X, missing supplicant config
| 2026-03-12
| 31
| P1 - TODO

| ISE MnT Messaging Service
| Enable "Use ISE Messaging Service for UDP syslogs delivery"
| 2026-03-12
| 31
| P2 - TODO

| ISE Patch 9 upgrade
| ISE 3.2 Patch 9 addresses known replication issues
| 2026-03-12
| 31
| P2 - TODO

|===

WARNING: Professional backlog remains critical. Check Days column for priorities.

// Worklog Urgent: Personal Blockers
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Personal blocking items

=== Personal Blockers

// Blockers — Fix before anything else
// Usage: include::partial$trackers/personal/tasks/blockers.adoc[]
// Last updated: 2026-04-09

=== BLOCKERS — Fix Immediately

[cols="2,3,1,1,2"]
|===
| Task | Details | Origin | Days | Impact

| **Z Fold 7 Termux**
| gopass and SSH not working
| 2026-03-10
| 30
| **BLOCKER** — Cannot access passwords on mobile

| **gopass v3 organization**
| Inconsistent structure, poor key-value usage
| 2026-03-20
| 20
| Inefficient password management, no aggregation

|===

// Worklog Urgent: Life Admin
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Urgent life admin items (medical, financial, legal, housing)

=== Life Admin

// Urgent - Requires Immediate Action
// Usage: include::partial$trackers/personal/life-admin/urgent.adoc[]
// Last updated: 2026-04-04

=== URGENT - Requires Immediate Action

[cols="2,2,1,1,2"]
|===
| Item | Details | Deadline | Status | Impact

| **Housing Search**
| Granada Hills area - apartments/rooms
| TBD
| In Progress
| Quality of life, commute

|===

// Worklog Urgent: Certification Deadlines
// Usage: Included by worklog/urgent.adoc assembler
// Contains: Cert deadline urgency flags

=== Certification Deadlines

=== URGENT — Performance Review Deadline (June 1, 2026)

[cols="2,2,1,1,2"]
|===
| Certification | Provider | Deadline | Status | Impact

| **CISSP**
| ISC² — Certified Information Systems Security Professional
| **June 1, 2026**
| **ACTIVE** — Phase 0 (xref:projects/education/edu-cissp/index.adoc[Project])
| Required for performance review

| **RHCSA 9**
| Red Hat Certified System Administrator
| **June 1, 2026**
| **ACTIVE** — 21-phase curriculum (xref:projects/education/edu-rhcsa/index.adoc[Project])
| Required for performance review

|===

WARNING: **53 days remaining** until June 1st deadline.

---

// Worklog Section: Early Morning — Assembler
// Usage: include::partial$worklog/morning.adoc[]
// Contains: Morning focus via slot partial
//
// PARADIGM: Slot-based — swap morning/focus.adoc for new priorities
// FILES: focus.adoc (current morning priority)

== Early Morning - 5:30am

// Worklog Morning: Current Focus
// Usage: Included by worklog/morning.adoc assembler
// Contains: Current morning priority (swap this file when focus changes)
//
// CURRENT FOCUS: Regex Training
// SWAP TO: Any morning priority without touching worklog structure

=== Regex Training (CRITICAL CARRYOVER)

* [ ] Session 3 - Character classes, word boundaries
* [ ] Practice drills from regex-mastery curriculum
* **Status:** 7 days carried over - DO THIS TODAY

WARNING: Regex training continues to slip. This is the foundation for all CLI mastery.

---

// Worklog Section: Work (CHLA) — Assembler
// Usage: include::partial$worklog/work-chla.adoc[]
// Contains: All work domains via sub-partials
//
// PARADIGM: Each concern = its own file in work/
// FILES: timekeeping.adoc, projects.adoc, priorities.adoc, tickets.adoc
//
// MAINTENANCE: Comment out sections for weekend/non-work worklogs
// Weekend: comment out timekeeping + tickets, keep projects + priorities

== Work (CHLA)

// Worklog Work: Timekeeping
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: PeopleSoft time entry reminder

CAUTION: **CHARGE TIME IN PEOPLESOFT - CRITICAL.** Do this NOW before anything else.

xref:projects/chla/PRJ-peoplesoft-time-entry.adoc[PeopleSoft Time Entry Reference]

// Worklog Work: Projects
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: P0/P1/P2 project priorities + case study links

// Critical Projects (P0) — Blocking or critical priority
// Usage: include::partial$trackers/work/projects/p0.adoc[]
// Last updated: 2026-04-04

=== Critical (P0)

[cols="2,3,1,1,1,2"]
|===
| Project | Description | Owner | Status | Due | Blocker

| Linux Research (Xianming Ding)
| EAP-TLS for Linux workstations, dACL, UFW
| Evan
| BEHIND
| 02-24
| Certificate "password required" - nmcli fix documented

| iPSK Manager
| Pre-shared key automation
| Ben Castillo
| BEHIND
| --
| DB replication issues

| MSCHAPv2 Migration
| Legacy auth deprecation
| Evan
| BEHIND
| --
| No progress on planning

| Research Segmentation
| All endpoints to Untrusted VLAN
| Evan
| BLOCKED
| --
| CISO decision pending
|===

// High Priority Projects (P1) — Important but not blocking
// Usage: include::partial$trackers/work/projects/p1.adoc[]
// Last updated: 2026-04-04

=== High Priority (P1)

[cols="2,3,1,1,1"]
|===
| Project | Description | Owner | Status | Target

| ISE 3.4 Migration
| Upgrade from 3.2p9
| Evan
| Blocked
| Q1 2026

| Switch Upgrades
| IOS-XE fleet update (C9300, 3560CX)
| Evan
| Pending
| Q1 2026

| Spikewell BYOD VPN
| dACL SQL, AD group integration
| Evan
| Active
| --

| Strongline Gateway
| MAC capture, Identity Group setup
| Evan
| Active
| --

| **QRadar → Sentinel Migration**
| Full SIEM platform transition, Monad evaluation
| Evan
| Active
| Q2 2026
|===

// Strategic Projects (P2) — Long-term or not yet started
// Usage: include::partial$trackers/work/projects/p2.adoc[]
// Last updated: 2026-04-04

=== Strategic (P2)

[cols="2,3,1,1"]
|===
| Project | Description | Owner | Status

| HHS Regulatory Compliance
| New HHS security policies implementation
| TBD
| NOT STARTED

| InfoSec Reporting Dashboard
| PowerBI metrics for executives
| TBD
| NOT STARTED

| EDR Migration (AMP → Defender)
| Endpoint protection consolidation
| TBD
| NOT STARTED

| Azure Legacy Migration
| Modern landing zone
| Team
| In Progress

| ChromeOS EAP-TLS
| SCEP + Victor, Paul testing
| Victor
| In Progress
|===

// Case Study Links — TAC, incidents, changes, RCAs
// Usage: include::partial$trackers/work/links/case-studies.adoc[]
// Last updated: 2026-04-04

==== Case Studies (March 2026)

**TAC Cases:**

* xref:case-studies/tac/chla-8021x-auth-failures/index.adoc[TAC-2026-03 - 802.1X Auth Failures]

**Incidents:**

* xref:case-studies/incidents/strongline-gateway-vlan/index.adoc[INC - Strongline Gateway VLAN]
* xref:case-studies/incidents/ise-incident-defense/index.adoc[PREP - ISE Incident Defense]

**Changes:**

* xref:case-studies/changes/vault-backup-selinux/index.adoc[CR - Vault Backup SELinux]

**RCAs:**

* xref:case-studies/rca/8021x-eaptls-ca-chain/index.adoc[RCA - 802.1X EAP-TLS CA Chain]
* xref:case-studies/rca/wifi-dhcp-failure/index.adoc[RCA - WiFi DHCP Failure]

// Worklog Work: Daily Priorities
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: Today's actionable priority checkboxes

=== Today's Priorities

// Current Priorities — P0 and P1 daily checkbox items
// Usage: include::partial$trackers/work/priorities/current.adoc[]
// Last updated: 2026-04-12

* [ ] **P0** - **CR-2026-04-15**: SRT Research VLAN — iTrack submission due Sunday (change window Tue 04/15)
* [ ] **P0** - MSCHAPv2 Migration: Run netapi endpoint report + pandas graph for team (URGENT — team meeting)
* [ ] **P0** - Enterprise Linux 802.1X: Standardize Shahab/Ding deployment (CISO priority)
* [ ] **P0** - Strongline Gateway VLAN fix (27 days - blocking Arin)
* [ ] **P0** - k3s NAT verification (34 days - CRITICAL)
* [ ] **P1** - Abnormal Security: ESA → API migration (Cisco→Microsoft shift)
* [ ] **P1** - DMZ Migration: External services audit behind NetScaler
* [ ] **P1** - Sentinel KQL: Build proficiency, distinguish from team
* [ ] **P1** - Monad Pipeline Evaluation (32 days - lead role assigned)
* [ ] **P1** - Vocera/Wyse iTrack RCA: Complete root cause report
* [ ] **P1** - GCC ISE Support: 3/4 nodes restored, PSN-04 deferred (NE-Systems)
* [ ] **P1** - Wazuh indexer recovery (34 days - blocked by NAT)
* [ ] **P1** - Vocera EAP-TLS Supplicant Fix (31 days)

// Worklog Work: ITSM Tickets
// Usage: Included by worklog/work-chla.adoc assembler
// Contains: Active service requests, incidents, and change requests

=== Active Tickets

// Service Requests — SR ticket tracking
// Usage: include::partial$trackers/work/itsm-tickets/service-requests.adoc[]
// Last updated: 2026-04-04

=== Service Requests (SR)

[cols="1,2,2,1,1"]
|===
| SR# | Request | Requestor | Opened | Status

| 3508542
| Zoll cards connection issue
| TBD
| TBD
| TODO

| 3508524
| Disable dot1x on (2) network ports - 5th floor 3250 Wilshire (PXE-boot imaging issues)
| TBD
| TBD
| Follow-up: Issues persisted after disable - plan to test re-enable

|===

// Incidents — INC ticket tracking
// Usage: include::partial$trackers/work/itsm-tickets/incidents.adoc[]
// Last updated: 2026-04-04

=== Incidents (INC)

[cols="1,1,2,1,1,1"]
|===
| INC# | Priority | Description | Opened | SLA | Status

| 1911859
| TBD
| Strongline Gateways in Miscellaneous Subnet
| TBD
| TBD
| TODO

|===

// Emergency Changes — ECAB change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-emergency.adoc[]
// Last updated: 2026-04-04

=== Change Requests - Emergency (ECAB)

[cols="1,2,1,1,1"]
|===
| CR# | Description | Opened | Scheduled | Status

| _No emergency changes_
|
|
|
|

|===

// Normal Changes — Standard change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-normal.adoc[]
// Last updated: 2026-04-04

=== Change Requests - Normal

[cols="1,2,1,1,1"]
|===
| CR# | Description | Opened | Scheduled | Status

| _No normal changes_
|
|
|
|

|===

// Scheduled Changes — Scheduled/standard change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-scheduled.adoc[]
// Last updated: 2026-04-04

=== Change Requests - Scheduled/Standard

[cols="1,2,1,1,1"]
|===
| CR# | Description | Opened | Window | Status

| _No scheduled changes_
|
|
|
|

|===

// RCA Changes — Root cause / post-incident change request tracking
// Usage: include::partial$trackers/work/itsm-tickets/changes-rca.adoc[]
// Last updated: 2026-04-04

=== Change Requests - Root Cause / Post-Incident

[cols="1,2,1,1,1"]
|===
| CR# | Description | Related INC | Opened | Status

| 100451
| Vocera Phones and Wyse devices went off network
| TBD
| TBD
| TODO

|===

---

== Session Accomplishments (Claude Code)

[Today's accomplishments go here]

---

// Worklog Section: Personal
// Usage: include::partial$worklog/personal.adoc[]
// Contains: Personal projects, adhoc items, reference links

== Personal

// In Progress Projects
// Usage: include::partial$trackers/personal/projects/active.adoc[]
// Last updated: 2026-04-04

=== In Progress

[cols="2,3,1,2"]
|===
| Project | Description | Status | Notes

| k3s Platform
| Production k3s cluster on kvm-01
| Active
| Prometheus, Grafana, Wazuh deployed

| Wazuh Archives
| Enable archives indexing in Filebeat
| Active
| PVC fix pending

| kvm-02 Hardware
| Supermicro B deployment
| Active
| Hardware ready, RAM upgrade done
|===

// Planned Projects
// Usage: include::partial$trackers/personal/projects/planned.adoc[]
// Last updated: 2026-04-04

=== Planned

[cols="2,3,1,2"]
|===
| Project | Description | Target | Blocked By

| Vault HA (3-node)
| vault-02, vault-03 on kvm-02
| Q1 2026
| kvm-02 deployment

| k3s HA (3-node)
| Control plane HA
| Q1 2026
| kvm-02 deployment

| ArgoCD GitOps
| k3s GitOps deployment
| After k3s stable
| --

| MinIO S3
| Object storage for k3s
| After ArgoCD
| --

| xref:projects/personal/domus-inventory/index.adoc[Domus Inventory]
| Personal asset management (YAML + CLI + AsciiDoc)
| Q2 2026
| Schema approved
|===

// Active — Infrastructure
// Usage: include::partial$trackers/personal/tasks/active-infrastructure.adoc[]
// Last updated: 2026-04-04

=== Active — Infrastructure

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **Wazuh agent deployment**
| Deploy agents to all infrastructure hosts
| P2
| Pending
| After archives fix

| **k3s Platform**
| Production k3s cluster on kvm-01
| P1
| In Progress
| --

| **Wazuh Archives**
| Enable archives indexing in Filebeat, PVC fix
| P1
| In Progress
| --

| **kvm-02 Hardware**
| Supermicro B deployment, RAM upgrade done
| P1
| In Progress
| --

|===

'''

// Active — Security & Encryption
// Usage: include::partial$trackers/personal/tasks/active-security.adoc[]
// Last updated: 2026-04-04

=== Active — Security & Encryption

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **Configure 4th YubiKey**
| SSH FIDO2 keys
| P1
| TODO
| --

| **Cold storage M-DISC backup**
| age-encrypted archives
| P1
| TODO
| After YubiKey setup

|===

'''

// Active — Development & Tools
// Usage: include::partial$trackers/personal/tasks/active-development.adoc[]
// Last updated: 2026-04-04

=== Active — Development & Tools

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **netapi Commercialization**
| Go CLI rewrite with Cobra-style argument discovery, package for distribution
| P0
| Active
| --

| **Ollama API Service**
| FastAPI (17 endpoints), productize — config audit, doc tools, runbook gen
| P0
| Active
| --

| **Shell functions (fe, fec, fef)**
| File hunting helpers
| P3
| TODO
| --

|===

'''

// Active — Documentation
// Usage: include::partial$trackers/personal/tasks/active-docs.adoc[]
// Last updated: 2026-04-04

=== Active — Documentation

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **D2 Catppuccin Mocha styling**
| domus-* spoke repos (177 files total)
| P3
| In Progress
| --

|===

'''

// Active — Financial
// Usage: include::partial$trackers/personal/tasks/active-financial.adoc[]
// Last updated: 2026-04-04

=== Active — Financial

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **Amazon order history import**
| Download CSV from Privacy Central → parse with awk → populate subscriptions tracker
| P1
| Waiting
| Pending Amazon data export (requested 2026-04-04)

|===

'''

// Active — Education
// Usage: include::partial$trackers/personal/tasks/active-education.adoc[]
// Last updated: 2026-04-04

=== Active — Education

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| _No active education tasks — see education trackers_
|
|
|
|

|===

'''

// Active — Personal & Life Admin
// Usage: include::partial$trackers/personal/tasks/active-personal.adoc[]
// Last updated: 2026-04-04

=== Active — Personal & Life Admin

[cols="2,3,1,1,1"]
|===
| Task | Details | Priority | Status | Due

| **ThinkPad T16g Setup**
| Arch install, stow dotfiles, Ollama stack, netapi dev env
| P0
| Pending
| --

| **P50 Arch to Ubuntu migration**
| xref:case-studies/changes/p50-arch-to-ubuntu/index.adoc[CR-2026-03-12]
| P2
| In Progress
| --

| **X1 Carbon Ubuntu installs**
| 2 laptops, LUKS encryption
| P2
| In Progress
| --

| **P50 Steam Test**
| Test Flatpak Steam + apt cleanup of broken i386 packages
| P3
| Pending
| --

|===

// Documentation Sites Quick Links
// Usage: include::partial$trackers/personal/links/sites.adoc[]
// Last updated: 2026-04-04

==== Documentation Sites

* https://docs.domusdigitalis.dev/[docs.domusdigitalis.dev] - Private documentation hub
* https://docs.architectus.dev/[docs.architectus.dev] - Public portfolio site

=== Notes

_Day-specific personal notes here._

---

// Worklog Section: Education — Assembler
// Usage: include::partial$worklog/education.adoc[]
// Contains: All education domains via sub-partials
//
// PARADIGM: Each domain = its own file in education/
// FILES: ai-engineering.adoc, languages.adoc, study-today.adoc, regex.adoc
//
// MAINTENANCE: Add/remove domains by editing includes below
// To add RHCSA: include::partial$worklog/education/rhcsa.adoc[]

== Education

// Worklog Education: AI Engineering
// Usage: Included by worklog/education.adoc assembler
// Contains: Claude Code + AI training status

=== Claude Code + AI Engineering (ACTIVE)

=== Claude Code Mastery

[cols="2,3,1,1"]
|===
| Resource | Details | Progress | Status

| **Claude Code Full Course (4 hrs)**
| Nick Saraev - YouTube comprehensive course
| 26:49 / 4:00:00
| **IN PROGRESS**

| **Claude Code Certification**
| Anthropic official certification (newly released)
| Not started
| GOAL

|===

=== Active Tracks (Focus)

* xref:education/systems/regex-mastery.adoc[Regex Mastery] | xref:education/systems/regex/index.adoc[Curriculum]
* xref:education/rhcsa/index.adoc[RHCSA 9]
* xref:education/literature/don-quijote.adoc[Don Quijote] - Primera Parte
* xref:education/languages/dele-spanish.adoc[DELE C1/C2]

=== Skills Mastery (Critical)

* xref:education/systems/regex/index.adoc[Regex Mastery] - 10-module curriculum
* xref:education/programming/python.adoc[Python Mastery]
* xref:education/programming/bash.adoc[Bash Mastery]
* https://docs.asciidoctor.org/asciidoc/latest/[AsciiDoc Docs^] - Documentation format
* https://antora.org/[Antora Docs^] - Documentation pipeline

=== Certification Deadlines

* **CISSP** - Before June 1, 2026 (performance review)
* **RHCSA 9** - Before June 1, 2026 (performance review)
* **LPIC-1** - Renewal required (blocks LPIC-2)

// Worklog Education: Languages
// Usage: Included by worklog/education.adoc assembler
// Contains: DELE/SIELE certs, Don Quijote writing method

=== Language Certifications (DELE/SIELE)

=== Spanish C1 Certification Goals

[cols="2,2,1,1,2"]
|===
| Certification | Provider | Target | Status | Strategy

| xref:education/languages/siele.adoc[**SIELE C1**]
| https://siele.org/[Instituto Cervantes^] / UNAM / Salamanca
| **Q2 2026**
| ACTIVE
| Computer-based, faster results - take FIRST

| xref:education/languages/dele-spanish.adoc[**DELE C1**]
| https://examenes.cervantes.es/es/dele/que-es[Instituto Cervantes^]
| **Q3/Q4 2026**
| PLANNED
| After SIELE success, harder exam

| xref:education/languages/dele-spanish.adoc[**DELE C2**]
| https://examenes.cervantes.es/es/dele/que-es[Instituto Cervantes^]
| 2027
| FUTURE
| Mastery level - requires extensive immersion

|===

TIP: SIELE is computer-adaptive, results in 3 weeks. DELE is paper-based, results in 3-4 months. Do SIELE first to validate readiness.

=== Don Quijote Writing Practice - DELE C1/C2 Initiative

**Method:**

1. Read chapter in original Spanish
2. Write personal analysis/understanding _en espanol_
3. AI review for grammar, vocabulary, register
4. Build comprehensive understanding of literary elements

// Worklog Education: Today's Study
// Usage: Included by worklog/education.adoc assembler
// Contains: Current study focus pointer

=== Today's Study

* **Focus:** CISSP study (55 days to June 1), domus-api Phase 3 prep
* **Secondary:** RHCSA curriculum, Spanish DELE/SIELE
* [ ] CISSP — begin Phase 0 domain review
* [ ] RHCSA — continue curriculum phase
* [ ] Spanish — Don Quijote reading + analysis
* [ ] domus-api — evaluate Ollama RAG architecture for Phase 3

// Worklog Education: Regex Training
// Usage: Included by worklog/education.adoc assembler
// Contains: Regex training status (remove when complete)

=== Regex Training (CRITICAL)

* **Status:** 7 days carried over
* **Priority:** After PeopleSoft, before Quijote
* **Session:** Character classes, word boundaries

---

// Worklog Section: Infrastructure
// Usage: include::partial$worklog/infrastructure.adoc[]
// Contains: Infrastructure sites, HA status, SPOFs, validation

== Infrastructure

// Documentation Sites
// Usage: include::partial$trackers/personal/infrastructure/sites.adoc[]
// Last updated: 2026-04-04

=== Documentation Sites

[cols="2,2,1,2"]
|===
| Site | URL | Status | Actions Needed

| **Domus Digitalis**
| https://docs.domusdigitalis.dev[docs.domusdigitalis.dev]
| Active
| Validate, harden, improve

| **Architectus**
| https://docs.architectus.dev[docs.architectus.dev]
| Active
| Public portfolio site - maintain

|===

// HA Deployment Status
// Usage: include::partial$trackers/personal/infrastructure/ha-status.adoc[]
// Last updated: 2026-04-04

=== HA Deployment Status

[cols="2,2,1,2"]
|===
| System | Description | Status | Notes

| **VyOS HA**
| vyos-01 (kvm-01) + vyos-02 (kvm-02) with VRRP VIP
| ✅ COMPLETE
| 2026-03-07 - pfSense decommissioned

| **BIND DNS HA**
| bind-01 (kvm-01) + bind-02 (kvm-02) with AXFR
| ✅ COMPLETE
| Zone transfer operational

| **Vault HA**
| Raft cluster (vault-01/02/03)
| ✅ COMPLETE
| Integrated with PKI

| **Keycloak Rebuild**
| keycloak-01 corrupted, rebuild from scratch
| 🔄 NEXT
| Priority P3 - SSO broken

| **FreeIPA HA**
| ipa-02 replica planned
| 📋 PLANNED
| Linux auth redundancy

| **AD DC HA**
| home-dc02 replication
| 📋 PLANNED
| Windows auth redundancy

| **iPSK Manager HA**
| ipsk-mgr-02 with MySQL replication
| 📋 PLANNED
| PSK portal redundancy

| **ISE HA**
| PAN HA (ise-01 reconfigure)
| ⏳ DEFERRED
| Wait until ise-02 stable

| **ISE 3.5 Migration**
| Upgrade path: 3.2p9 → 3.4 (P1) → 3.5 (target)
| 📋 PLANNED
| After 3.4 Migration completes (Q2 2026)

|===

// Single Points of Failure
// Usage: include::partial$trackers/personal/infrastructure/spof.adoc[]
// Last updated: 2026-04-04

=== Single Points of Failure (CRITICAL)

WARNING: These systems have NO redundancy - outage impacts production.

[cols="2,2,3"]
|===
| System | Impact if Down | Mitigation

| **ISE (ise-02)**
| All 802.1X stops - wired and wireless auth fails
| ise-01 reconfiguration deferred until ise-02 stable

| **Keycloak (keycloak-01)**
| SAML/OIDC SSO broken (ISE admin, Grafana, etc.)
| **NEXT PRIORITY** - Rebuild runbook

| **FreeIPA (ipa-01)**
| Linux auth, sudo rules, HBAC fails
| ipa-02 replica planned

| **AD DC (home-dc01)**
| Windows auth, Kerberos, GPO fails
| home-dc02 replica planned

| **iPSK Manager**
| Self-service PSK portal unavailable
| ipsk-mgr-02 with MySQL replication planned

|===

// Validation Tasks
// Usage: include::partial$trackers/personal/infrastructure/validation.adoc[]
// Last updated: 2026-04-04

=== Validation Tasks

[cols="2,3,1"]
|===
| Task | Details | Status

| docs.domusdigitalis.dev validation
| Test all cross-references, search, rendering
| TODO

| docs.domusdigitalis.dev hardening
| HTTPS, CSP headers, security review
| TODO

| docs.architectus.dev validation
| Public site content review
| TODO

| Hub-spoke sync verification
| All components building correctly
| Ongoing

|===

---

// Worklog Section: Quick Commands
// Usage: include::partial$worklog/quick-commands.adoc[]
// Contains: Frequently used commands for daily workflow

== Quick Commands

=== gopass-personal-docs Usage

[listing]
....
\# Interactive entry creation
gopass-personal-docs

\# Categories: 1) Bills 2) Subscriptions 3) Housing 4) Vehicles 5) Insurance
....

=== gopass-query Usage

[listing]
....
\# List all recurring bills with totals
gopass-query bills

\# List storage units with gate codes
gopass-query storage

\# Export category to JSON
gopass-query export bills
....

=== API: domus-api — Documentation System REST API

_Source: 2026-04-06 — First domus-api session, querying 2,928 .adoc files via REST endpoints_

[listing]
....
\# Start the API server (localhost:8080, Tailscale accessible)
cd ~/atelier/_projects/personal/domus-api && uv run uvicorn domus_api.main:app --host 0.0.0.0 --port 8080

\# Health check — document counts
curl -s localhost:8080/ | jq

\# Full repository stats by category
curl -s localhost:8080/stats | jq

\# All 20+ standards as JSON
curl -s localhost:8080/standards | jq

\# Standards — extract just ID and title (awk-style with jq)
curl -s localhost:8080/standards | jq -r '.standards[] | "\(.id)\t\(.title)"'

\# Full-text search across all files
curl -s 'localhost:8080/search?q=mandiant' | jq

\# Search — extract just path, title, match count
curl -s 'localhost:8080/search?q=mandiant' | jq '.results[] | {path, title, match_count}'

\# Scoped search (standards only)
curl -s 'localhost:8080/search?q=RFC+2119&scope=standards' | jq

\# Get specific page with full content + metadata
curl -s localhost:8080/pages/standards/operations/change-control | jq

\# List pages filtered by category
curl -s 'localhost:8080/pages?category=standards' | jq
curl -s 'localhost:8080/pages?category=codex&limit=10' | jq

\# All antora.yml attributes (127)
curl -s localhost:8080/attributes | jq

\# Swagger UI (open in browser)
\# http://localhost:8080/docs

\# Kill server on port 8080
kill $(lsof -ti:8080)
....

=== API: Incident & Change Record Queries

_Source: 2026-04-07 — Querying incidents and CRs via domus-api for work reporting_

[listing]
....
\# ─── INCIDENT QUERIES ───

\# Get incident title
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.title'

\# Read incident content as plain text (jq -r unescapes \n)
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.content' | head -50

\# List all incidents
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | "\(.title)\t\(.path)"'

\# Search incidents by keyword
curl -s 'localhost:8080/search?q=IOT_WAN' | jq -r '.results[] | "\(.title)\t\(.path)"'

\# Search for all VPN-related content
curl -s 'localhost:8080/search?q=GlobalProtect' | jq -r '.results[] | "\(.title)\t\(.path)"'

\# ─── CHANGE RECORD QUERIES ───

\# Get CR title
curl -s localhost:8080/pages/case-studies/changes/CR-2026-04-07-iot-wan-vpn-passthrough | jq -r '.title'

\# Read CR content
curl -s localhost:8080/pages/case-studies/changes/CR-2026-04-07-iot-wan-vpn-passthrough | jq -r '.content' | head -80

\# List all change records
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("changes")) | "\(.title)\t\(.path)"'

\# ─── WORKFLOW: INCIDENT TO CR TRACEABILITY ───

\# Find all documents related to an incident
curl -s 'localhost:8080/search?q=INC-2026-04-06-001' | jq -r '.results[] | "\(.path)"'

\# Find the CR linked to an incident
curl -s 'localhost:8080/search?q=CR-2026-04-07-iot-wan' | jq -r '.results[] | {title, path}'

\# ─── FORMAT FOR REPORTING ───

\# Incident summary as TSV (paste into spreadsheet)
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | [.title, .path] | @tsv'

\# Pipe to column for terminal table
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | [.title, .path] | @tsv' | column -t -s $'\t'

\# Export incident as markdown (basic conversion)
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.content' > /tmp/incident-report.txt
....

=== Security: Mandiant Vulnerability Assessment Discovery

_Source: 2026-04-06 — Searching domus-captures + Principia for pentest findings, dACLs, and remediation content_

[listing]
....
\# Search for Mandiant references across domus-captures
grep -ri 'mandiant' docs/modules/ROOT/ | awk 'NR<=30'

\# Find dACL / downloadable ACL content
grep -ri 'dacl\|downloadable.acl' docs/modules/ROOT/ | awk 'NR<=30'

\# Search Principia vault (legacy PKM) for Mandiant data
grep -ri 'mandiant' ~/atelier/_bibliotheca/Principia/ 2>/dev/null | awk 'NR<=30'

\# Find files with security assessment terms in the name
find docs/ -name '*mandiant*' -o -name '*vuln*' -o -name '*dacl*'

\# Find dACL diagram source files
find docs/modules/ROOT/images/diagrams -name 'dacl*'

\# Posture redirect ACL references (the critical finding)
grep -ri 'posture.*redirect\|redirect.*acl\|pre.auth.*acl' docs/modules/ROOT/ | awk 'NR<=20'

\# Cross-repo vulnerability search
grep -ri 'vulnerability.assess\|pentest\|penetration.test' docs/modules/ROOT/pages/2026/ | awk 'NR<=20'

\# Principia asset directory discovery (OPS-* and PRJ-* directories)
find ~/atelier/_bibliotheca/Principia/02_Assets -maxdepth 1 -type d \( -name 'OPS-*' -o -name 'PRJ-*' \)

\# Raspberry Pi OUI detection (from pentest findings)
\# netapi ise mnt --format json sessions | jq -r '.[] | select(.calling_station_id | startswith("B8:27:EB") or startswith("DC:A6:32") or startswith("E4:5F:01")) | [.calling_station_id, .framed_ip_address, .nas_ip_address] | @tsv'
....

=== Audio: PipeWire Validation (Post-Reboot)

_Source: 2026-04-06 — P16g audio testing after sof-firmware install_

[listing]
....
\# PipeWire status (replaces pulseaudio pavucontrol for status)
wpctl status

\# List all audio sinks (short format)
pactl list sinks short

\# Play audio through default sink (native PipeWire — no alsa-utils needed)
pw-play /usr/share/sounds/freedesktop/stereo/bell.oga

\# Play through specific sink by ID
pw-play --target 65 /usr/share/sounds/freedesktop/stereo/bell.oga

\# Kernel audio firmware messages (Intel SOF)
journalctl -b --grep='sof|cs35l56|cs42l43' --no-pager | tail -20

\# ALSA sound cards
cat /proc/asound/cards
....

=== Git: Cross-Repo Activity Audit

_Source: 2026-04-06 — Reconstructing daily AI session history across all domus repos_

[listing]
....
\# All commits on a specific date across all domus repos
for repo in ~/atelier/_bibliotheca/domus-*/ ~/atelier/_projects/personal/domus-*/; do
  [ -d "$repo/.git" ] || continue
  name=$(basename "$repo")
  git -C "$repo" log --since="2026-04-06" --until="2026-04-07" --format="%h %aI %s" 2>/dev/null |
    awk -v r="$name" '{print r, $0}'
done

\# Structured commit log as JSON (pipe to jq)
git -C ~/atelier/_bibliotheca/domus-captures log --pretty=format:'{"hash":"%h","date":"%aI","subject":"%s"}' -20 |
  jq -s 'sort_by(.date) | reverse'

\# Commits per month (aggregation)
git -C ~/atelier/_bibliotheca/domus-captures log --pretty=format:'{"date":"%aI"}' -100 |
  jq -s 'map(.date | split("T")[0] | split("-")[0:2] | join("-")) | group_by(.) | map({month: .[0], count: length}) | sort_by(.month)'

\# Cross-repo search via GitHub API (quote URL for zsh)
gh search code "vault seal" --owner EvanusModestus --json repository,path,textMatches |
  jq '.[] | {repo: .repository.full_name, file: .path, match: .textMatches[].fragment}'

\# List .adoc files in a repo via GitHub API
gh api 'repos/EvanusModestus/domus-captures/git/trees/main?recursive=1' |
  jq '[.tree[] | select(.path | endswith(".adoc"))] | length'

\# Cross-repo activity dashboard (last 5 per repo)
for repo in domus-captures domus-infra-ops domus-ise-linux domus-netapi-docs domus-secrets-ops; do
  git -C ~/atelier/_bibliotheca/$repo log --pretty=format:"{\"repo\":\"$repo\",\"date\":\"%aI\",\"subject\":\"%s\"}" -5 2>/dev/null
done | jq -s 'sort_by(.date) | reverse | .[:15] | .[] | "\(.date | split("T")[0]) [\(.repo)] \(.subject)"' -r

\# Antora attribute comparison across repos
for f in ~/atelier/_bibliotheca/domus-*/docs/asciidoc/antora.yml; do
  repo=$(basename "$(dirname "$(dirname "$(dirname "$f")")")")
  count=$(yq '.asciidoc.attributes | length // 0' "$f")
  printf "%-30s %s attributes\n" "$repo" "$count"
done
....

=== Attribute Includes

[source,asciidoc]

// Worklog Section: Related Documents
// Usage: include::partial$worklog/related.adoc[]
// Contains: Common cross-references for worklogs

== Related Documents

* xref:education/literature/quijote/index.adoc[Don Quijote - Estudio Completo]
* xref:projects/chla/PRJ-peoplesoft-time-entry.adoc[PeopleSoft Time Entry]
* xref:trackers/work-2026-02.adoc[Work Tracker]
* xref:patterns/index.adoc[Pattern Journal]