docs: purge stale fabb3421 narrative — Mail.Send already lives in the 365 app suite
Mail.Send is NOT an open decision or a 'blocked' item: the Exchange Operator tier (b43e7342) already holds Graph Mail.Send + Mail.ReadWrite + MailboxSettings.ReadWrite (the suite's IR victim-notification mail path). /mailbox (ACG own-mail) separately uses the dedicated ComputerGuru Mailbox app 1873b1b0. The deleted fabb3421/Claude-MSP-Access app is now referenced only as DELETED/do-not-use across all live surfaces.

Corrected: remediation-tool gotchas.md (removed 'suite has no mail scopes / mailbox BLOCKED / decision-not-executed'), commands/mailbox.md (header + Attribution no longer name the deleted app as active), feedback memory (promoted 'suite has Mail.Send — settled' to a headline), breach-report template, .grok mirrors, credentials.md, CATALOG_SHARED_DATA.md, and wiki (internal-infrastructure, glaztech, dataforth). Removed dead plaintext secret for the deleted app from CATALOG_SHARED_DATA.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -10,6 +10,8 @@ When the user says "365 remediation tool" or "remediation tool", they mean ACG's
**DELETED — gone, do not reference:** `fabb3421` ("AI Remediation" / "Claude-MSP-Access", secret `msp-tools/claude-msp-access-graph-api.sops.yaml`). Removed from the azcomputerguru.com tenant **2026-06-14**; every token request now returns **AADSTS700016**. It previously had ~159 perms incl. Defender ATP (admin consent broke with AADSTS650052 on no-MDE tenants). Any skill still pointing at it is broken — repoint to the suite. (Original deprecation: 2026-05-27 Quantum onboarding.)
**MAIL.SEND ALREADY EXISTS IN THE SUITE — settled, NOT an open decision (do not re-raise).** The **Exchange Operator** tier (`exchange-op`, `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`) holds Graph **`Mail.Send` + `Mail.ReadWrite` + `MailboxSettings.ReadWrite`**. The suite CAN send mail in any consented tenant via Graph `POST /users/<upn>/sendMail` (IR victim-notification). No separate app to provision, nothing "blocked", no pending click-through. Watch the token-audience gotcha below (line on Exchange-Online vs Graph audience). This replaced the deleted `fabb3421` for IR mail; `/mailbox` (ACG own-mail) separately uses the dedicated app `1873b1b0` (next paragraph).
**ACG OWN-mailbox reads/sends (`/mailbox`) — dedicated app `1873b1b0-3377-485c-a848-bae9b2f8f1f5`** ("ComputerGuru Mailbox", vault `msp-tools/computerguru-mailbox.sops.yaml`, Mail.ReadWrite + Mail.Send + Contacts.ReadWrite, azcomputerguru.com single-tenant). Token via `get-token.sh azcomputerguru.com mailbox` (a tier in get-token.sh; cert-preferred). This is what REPLACED fabb3421 for `/mailbox`. Its SP is **disabled when idle** → a token 401 "account is disabled" means enable the SP first. (`/mailbox` command doc repointed to it 2026-06-17 — it had been left on the dead fabb3421.)
**Why (original):** user clarified "remediation tool" != CIPP after a wrong CIPP navigation. **How to apply:** prefer the `/remediation-tool` skill — it wraps tenant resolution, token caching, breach check, sweep, gated remediation, and consent/onboarding URLs (`references/gotchas.md`, `graph-endpoints.md`, `checklist.md`).
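Review bot: the new MAIL.SEND paragraph states the suite "CAN send mail in any consented tenant via Graph `POST /users/<upn>/sendMail`" but does not say whose mailbox the Exchange Operator SP may send as. Application-permission `Mail.Send` is tenant-wide (any `<upn>` in the tenant) unless the tenant restricts the SP with an Exchange Online application access policy; since this is the IR victim-notification path, the gotcha should record whether such a policy exists per consented tenant and which sender mailbox the notifications are expected to use, so nobody reads "settled" as "unscoped". Two smaller points in the same hunk: "Watch the token-audience gotcha below (line on Exchange-Online vs Graph audience)" is a loose cross-reference that will rot when the file is reordered, so name the heading or anchor instead; and the `/mailbox` line says a disabled SP surfaces as a "token 401 'account is disabled'", whereas the fabb3421 line above records token-endpoint failures as AADSTS codes (AADSTS700016), so it is worth confirming whether the disabled-SP case is really a 401 from the token endpoint or a Graph-side response, and recording the exact error text the same way.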