Reorganize repo: compartmentalize scripts by client/project

Move 150+ scripts from root and scripts/ into client/project directories:
- clients/dataforth/scripts/ (110 files: AD2, sync, SSH, DB, DOS scripts)
- clients/bg-builders/scripts/ (14 files: Lesley mgmt, Exchange, termination)
- clients/internal-infrastructure/scripts/ (10 files: GDAP, Gitea, backups)
- projects/msp-tools/scripts/ (9 files: CIPP, MSP onboarding, Datto)
- projects/gururmm-agent/scripts/ (3 files: API test, JWT, record counts)
- clients/glaztech/scripts/ (1 file: CentraStage removal)

Also reorganized:
- VPN scripts → infrastructure/vpn-configs/
- Retrieved API/JS files → api/
- Forum posts → projects/community-forum/forum-posts/
- SSH docs → clients/internal-infrastructure/docs/
- NWTOC/CTONW docs → projects/wrightstown-smarthome/docs/
- ACG website files → projects/internal/acg-website-2025/
- Dataforth docs → clients/dataforth/docs/
- schema-retrieved.sql → docs/database/

Deleted 24 tmp_*.ps1 one-off debug scripts (preserved in git history).
Root reduced from 220+ files to 62 items (docs + directories only).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

projects/msp-tools/scripts/claude-msp-update-permissions.ps1

@@ -0,0 +1,93 @@
+# Claude-MSP-Access - Update App Registration with Combined CIPP + Investigation Permissions
+# App ID: fabb3421-8b34-484b-bc17-e46de9703418
+# Partner Tenant: ce61461e-81a0-4c84-bb4a-7b354a9a356d
+#
+# This script updates the app registration to include:
+#   - All CIPP SAM required permissions (Graph, Exchange, SharePoint, Intune, PowerBI, Partner Center)
+#   - Claude investigation extras (Mail.ReadWrite, SecurityEvents.ReadWrite.All, etc.)
+#
+# After running this, the admin consent URL will grant everything in one click.
+
+$ErrorActionPreference = "Stop"
+$tenantId = "ce61461e-81a0-4c84-bb4a-7b354a9a356d"
+$appId = "fabb3421-8b34-484b-bc17-e46de9703418"
+
+Write-Output "========================================="
+Write-Output " Claude-MSP-Access - Permission Update"
+Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
+Write-Output "========================================="
+
+# --- STEP 1: Connect to Graph ---
+Write-Output "`n[STEP 1] Connecting to Microsoft Graph..."
+Import-Module Microsoft.Graph.Authentication
+Import-Module Microsoft.Graph.Applications
+Connect-MgGraph -TenantId $tenantId -Scopes 'Application.ReadWrite.All' -NoWelcome
+Write-Output "[OK] Connected to Graph"
+
+# --- STEP 2: Get current app registration ---
+Write-Output "`n[STEP 2] Reading current app registration..."
+$app = Get-MgApplication -Filter "appId eq '$appId'"
+if (-not $app) {
+    Write-Output "[ERROR] App not found: $appId"
+    exit 1
+}
+Write-Output "[OK] Found: $($app.DisplayName) (Object ID: $($app.Id))"
+$currentPerms = ($app.RequiredResourceAccess | ForEach-Object { $_.ResourceAccess }).Count
+Write-Output "[INFO] Current permission count: $currentPerms"
+
+# --- STEP 3: Load combined manifest ---
+Write-Output "`n[STEP 3] Loading combined permission manifest..."
+$manifestPath = Join-Path $PSScriptRoot "claude-msp-combined-manifest.json"
+$manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
+
+# Build the requiredResourceAccess array
+$resourceAccess = @()
+foreach ($resource in $manifest.requiredResourceAccess) {
+    $accessList = @()
+    foreach ($access in $resource.resourceAccess) {
+        $accessList += @{
+            Id   = $access.id
+            Type = $access.type
+        }
+    }
+    $resourceAccess += @{
+        ResourceAppId  = $resource.resourceAppId
+        ResourceAccess = $accessList
+    }
+}
+
+$newPerms = ($manifest.requiredResourceAccess | ForEach-Object { $_.resourceAccess }).Count
+Write-Output "[INFO] New permission count: $newPerms"
+
+# --- STEP 4: Update app registration ---
+Write-Output "`n[STEP 4] Updating app registration..."
+Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $resourceAccess
+Write-Output "[OK] App registration updated with combined permissions"
+
+# --- STEP 5: Verify ---
+Write-Output "`n[STEP 5] Verifying update..."
+$updated = Get-MgApplication -ApplicationId $app.Id
+$updatedPerms = ($updated.RequiredResourceAccess | ForEach-Object { $_.ResourceAccess }).Count
+Write-Output "[OK] Verified: $updatedPerms permissions across $($updated.RequiredResourceAccess.Count) resource APIs"
+
+# --- STEP 6: Show admin consent URL ---
+Write-Output "`n[STEP 6] Admin consent URL (use this to onboard tenants):"
+Write-Output ""
+Write-Output "  https://login.microsoftonline.com/common/adminconsent?client_id=$appId&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient"
+Write-Output ""
+Write-Output "[INFO] This single URL now grants ALL permissions:"
+Write-Output "  - Microsoft Graph (application + delegated)"
+Write-Output "  - Exchange Online (ManageAsApp + Calendars + Mailbox)"
+Write-Output "  - SharePoint Online (FullControl)"
+Write-Output "  - Intune (user_impersonation)"
+Write-Output "  - PowerBI (Vulnerability.Read)"
+Write-Output "  - Partner Center (user_impersonation)"
+Write-Output "  - Office Management API (ActivityFeed.Read)"
+Write-Output "  - Claude investigation extras (Mail.ReadWrite, SecurityEvents.ReadWrite.All)"
+
+Write-Output "`n========================================="
+Write-Output " UPDATE COMPLETE"
+Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
+Write-Output "========================================="
+
+Disconnect-MgGraph