docs: record kept-split mailbox architecture decision (2026-06-21)
/mailbox (ACG own-mail, single-tenant 1873b1b0) and client send (suite Exchange Operator b43e7342, multi-tenant) stay separate on purpose: 1873b1b0 is single-tenant so it cannot serve clients; consolidating onto exchange-op was rejected (privilege creep on casual own-mail + loses Contacts). Documented the why in commands/mailbox.md scope boundary + feedback memory so it stops being re-litigated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -10,6 +10,8 @@ When the user says "365 remediation tool" or "remediation tool", they mean ACG's
**DELETED — gone, do not reference:** `fabb3421` ("AI Remediation" / "Claude-MSP-Access", secret `msp-tools/claude-msp-access-graph-api.sops.yaml`). Removed from the azcomputerguru.com tenant **2026-06-14**; every token request now returns **AADSTS700016**. It previously had ~159 perms incl. Defender ATP (admin consent broke with AADSTS650052 on no-MDE tenants). Any skill still pointing at it is broken — repoint to the suite. (Original deprecation: 2026-05-27 Quantum onboarding.)
**ARCHITECTURE — two mail paths, kept SPLIT on purpose (decided 2026-06-21, Mike).** `/mailbox` (ACG own-mail) uses the single-tenant `1873b1b0` app; CLIENT mail send uses the suite's Exchange Operator `b43e7342`. They CANNOT be merged onto `/mailbox` because `1873b1b0` is single-tenant (azcomputerguru.com only) — it has no SP in client tenants. The reverse merge (everything on exchange-op, which IS multi-tenant + already has Mail.Send + consented in the ACG home tenant since 2026-06-05) was considered and rejected: it would put casual own-mail on a tenant-wide EXO-write remediation app (privilege creep) and lose `Contacts.ReadWrite` (exchange-op doesn't have it). Least-privilege wins — keep the split.
**MAIL.SEND ALREADY EXISTS IN THE SUITE — settled, NOT an open decision (do not re-raise).** The **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) holds Graph **`Mail.Send` + `Mail.ReadWrite` + `MailboxSettings.ReadWrite`**. The suite CAN send mail in any consented tenant via Graph `POST /users/<upn>/sendMail` (IR victim-notification). No separate app to provision, nothing "blocked", no pending click-through. Watch the token-audience gotcha below (line on Exchange-Online vs Graph audience). This replaced the deleted `fabb3421` for IR mail; `/mailbox` (ACG own-mail) separately uses the dedicated app `1873b1b0` (next paragraph).
**ACG OWN-mailbox reads/sends (`/mailbox`) — dedicated app `1873b1b0-3377-485c-a848-bae9b2f8f1f5`** ("ComputerGuru Mailbox", vault `msp-tools/computerguru-mailbox.sops.yaml`, Mail.ReadWrite + Mail.Send + Contacts.ReadWrite, azcomputerguru.com single-tenant). Token via `get-token.sh azcomputerguru.com mailbox` (a tier in get-token.sh; cert-preferred). This is what REPLACED fabb3421 for `/mailbox`. Its SP is **disabled when idle** → a token 401 "account is disabled" means enable the SP first. (`/mailbox` command doc repointed to it 2026-06-17 — it had been left on the dead fabb3421.)
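Review bot: the new ARCHITECTURE paragraph is inserted before the two paragraphs that actually define the apps it refers to, so `b43e7342` / `exchange-op` and `1873b1b0` are used as short IDs before their full GUIDs, vault paths and Graph scopes appear (the MAIL.SEND and ACG OWN-mailbox paragraphs that follow). Consider moving it after those two, or adding "(both apps described below)" so a reader who lands on "kept SPLIT" first knows where each app is defined. The own-mail side also states its token invocation (`get-token.sh azcomputerguru.com mailbox`), while the client-send side names only the tier (`exchange-op`); a parallel line giving the equivalent get-token.sh invocation for a client tenant would make the two paths read symmetrically and tie the least-privilege rationale to a concrete command, which is what stops the question from being re-raised.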