remediation-tool: document the 365 app suite + build consent-audit

Root-caused the recurring '365 suite isn't documented' pain: the apps are fine (tiered by
privilege) but per-tenant consent is NOT uniform and there was no way to see a tenant's
actual grant state. VWP had the Tenant Admin app but no SharePoint app-only role -> silent
401s until this session.

- references/app-suite.md: authoritative, live-verified map of every app, App ID, and
  actually-granted permission per tier; the consent-drift problem + both fix methods
  (adminconsent URL, direct appRoleAssignment grant).
- scripts/consent-audit.sh: audits a tenant (or --all) vs the baseline, grades
  GREEN/AMBER/RED, prints the exact fix per gap. Extends the assign-exchange-role --verify
  pattern to Graph scopes + SharePoint role + EXO role. Verified: BirthBio GREEN, VWP/Cascades
  AMBER (caught real drift - both missing grants).
- SKILL.md: run consent-audit FIRST on any tenant task. Memory + errorlog correction.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 15:13:21 -07:00
parent 42da3cfcca
commit 8152476ee4
6 changed files with 447 additions and 0 deletions


@@ -25,6 +25,12 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
2026-07-02 | Howard-Home | unifi/site-manager-api | [friction] vault infrastructure/unifi-site-manager-api key returns 401 (stale/rotated); the WORKING cloud key is services/unifi-site-manager (X-API-KEY vs api.ui.com) [ctx: ref=uos-server wiki; use services/unifi-site-manager]
2026-07-02 | GURU-5070 | remediation-tool/consent-drift | [correction] assumed VWP had SharePoint access because the suite 'has' it; VWP had the Tenant Admin app but only PARTIAL consent (Graph Sites but not the SharePoint app-only role) -> SP calls 401 with empty roles. Fix: audit per-tenant token roles, grant missing app role via appRoleAssignment (Method B). Per-tenant consent is NOT uniform. [ctx: ref=app-suite.md tenant=VWP]
2026-07-02 | GURU-5070 | rmm/long-install-reaper | [friction] long download+install (131MB Falcon) exceeds the RMM command timeout on a slow-egress box -> command shows failed/'Command timeout'/'Access is denied' but the install COMPLETES in background (service came up Running). Verify service state after, don't trust the failed status for fire-and-forget installs. [ctx: ref=reference_gururmm_command_timeout_seconds host=ACG-DC16]
2026-07-02 | GURU-5070 | ps-encoded/server2016 | [friction] ps-encoded.sh rmm (shell->cmd.exe->powershell -EncodedCommand) returns 'Access is denied' with no stdout on Windows Server 2016 (DC16); plain command_type=powershell works. Fall back to direct powershell dispatch on Server 2016. [ctx: ref=ps-encoded.sh host=ACG-DC16 os=server2016]
2026-07-02 | GURU-BEAST-ROG | self-check/registry-trim | [friction] trimmed skill registry locally while GURU-5070 shipped the same trim upstream; auto-sync merge raced my uncommitted edits (transient UU state, stale 15777 reading mid-merge); fix: check coord / claim a lock before fleet-wide harness edits [ctx: ref=coord-locks]
2026-07-02 | Howard-Home | rmm/user-manager | [correction] reset Shelby.Trozzi domain password with raw Set-ADAccountPassword via /rmm; memory reference_gururmm_user_manager says use the built-in GuruRMM User Manager (reset_password action, is_dc) instead. [ctx: ref=reference_gururmm_user_manager]
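Review bot: the consent-drift correction entry (the GURU-5070 remediation-tool/consent-drift line) describes the fix as a manual procedure ("audit per-tenant token roles, grant missing app role via appRoleAssignment") but its ctx points only at app-suite.md, while this same commit ships scripts/consent-audit.sh as the tool that performs exactly that audit and prints the fix per gap; add the script to the ctx, e.g. `[ctx: ref=app-suite.md ref=scripts/consent-audit.sh tenant=VWP]`, so the next reader runs the audit instead of re-deriving the token-role check by hand. Two smaller points in the same hunk: the self-check/registry-trim entry's "stale 15777 reading" does not say what 15777 is a count of, so the entry is hard to act on later; and the rmm/user-manager correction records a named end user's account in a log that the commit message says is fleet-synced, so consider keeping only the host/role there unless the account itself is what the correction hinges on.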