Root-caused the recurring '365 suite isn't documented' pain: the apps are fine (tiered by
privilege) but per-tenant consent is NOT uniform and there was no way to see a tenant's
actual grant state. VWP had the Tenant Admin app but no SharePoint app-only role -> silent
401s until this session.
- references/app-suite.md: authoritative, live-verified map of every app, App ID, and
actually-granted permission per tier; the consent-drift problem + both fix methods
(adminconsent URL, direct appRoleAssignment grant).
- scripts/consent-audit.sh: audits a tenant (or --all) vs the baseline, grades
GREEN/AMBER/RED, prints the exact fix per gap. Extends the assign-exchange-role --verify
pattern to Graph scopes + SharePoint role + EXO role. Verified: BirthBio GREEN, VWP/Cascades
AMBER (caught real drift - both missing grants).
- SKILL.md: run consent-audit FIRST on any tenant task. Memory + errorlog correction.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Skill-first rule now has two halves: route the request to a doing-skill,
then gate the result with the matching check-skill before 'done' --
inferred from the request, not user-named. Adds .claude/SKILL_ROUTING.md
(on-demand request->doing-skill->check-skill map). Enforcement tier A+B
(CORE rule + map; Stop-hook backstop deferred). Calibrate to stakes,
Ollama Tier-0 for cheap passes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Corrects the assumption that GuruRMM merge-to-main (=deploy) is Mike-only. Mike still owns RMM
architecture/direction, but Howard can land prepared+verified branches himself — they no longer
bottleneck on Mike. Updated approval-workflow-tools-vs-projects + MEMORY.md index + logged the
correction in errorlog.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- bitdefender gz.py: add "missing name" to _EXPECTED_ERROR_MARKERS — closes the last gap in
Howard's errorlog suppression ("Missing name 'X' in 'options' object" validation errors were
still logged). Verified all 10 real spam messages now suppressed; genuine errors still log.
- memory feedback_submodule_autosync_discipline: capture the recurring auto-synced-submodule
rule (worktree or push-by-SHA + ls-remote verify; assert HEAD==origin/main before audits;
never checkout-- shared files). Recurred on Howard-Home x3 + GURU-5070 this session.
- CLAUDE.md CORE Windows bullet: promote the two top recurring mechanical traps (/tmp path
mismatch, curl.exe/plink quote-stripping) to always-loaded hard rules so they stop repeating.

Lint of errorlog.md: bitdefender expected-validation spam was ~70% of entries (Howard's
suppression now complete); fabb3421/Mail.Send drift closed earlier this session; wiki-compile
lock-release doc already fixed (entries predate the fix).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>