Root-caused the recurring '365 suite isn't documented' pain: the apps are fine (tiered by
privilege) but per-tenant consent is NOT uniform and there was no way to see a tenant's
actual grant state. VWP had the Tenant Admin app but no SharePoint app-only role -> silent
401s until this session.
- references/app-suite.md: authoritative, live-verified map of every app, App ID, and
actually-granted permission per tier; the consent-drift problem + both fix methods
(adminconsent URL, direct appRoleAssignment grant).
- scripts/consent-audit.sh: audits a tenant (or --all) vs the baseline, grades
GREEN/AMBER/RED, prints the exact fix per gap. Extends the assign-exchange-role --verify
pattern to Graph scopes + SharePoint role + EXO role. Verified: BirthBio GREEN, VWP/Cascades
AMBER (caught real drift - both missing grants).
- SKILL.md: run consent-audit FIRST on any tenant task. Memory + errorlog correction.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
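The consent-drift check the commit describes (tenant grant state versus a per-tier baseline, graded GREEN/AMBER/RED with a fix printed per gap) can be modelled offline. The block below is an added illustration written for this note, not the commit's scripts/consent-audit.sh or any code from the repository. It assumes Graph-shaped input (service principals keyed by appId, each with its appRoleAssignments) and uses constructed App IDs, role IDs, objectIds and tenant snapshots; the only real identifiers are the well-known Microsoft Graph and SharePoint Online resource appIds and the adminconsent endpoint shape. The grade thresholds (RED when an app has no service principal at all, AMBER when one is consented but missing baseline grants) are this example's own choice, since the page does not spell out the script's criteria.

```python
"""Offline model of a consent-drift audit: compare the application permissions each
suite app holds in a tenant against a per-tier baseline, grade the tenant, and emit
both fix methods per gap. Hypothetical example code for this note; not the commit's
scripts/consent-audit.sh. All App IDs, role IDs, objectIds and tenants are constructed."""
from dataclasses import dataclass
from typing import Optional, List

GRAPH_API = "00000003-0000-0000-c000-000000000000"       # Microsoft Graph resource appId (well-known)
SHAREPOINT_API = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint Online resource appId (well-known)

# Baseline: per app, the (resource appId, appRoleId) pairs it must hold. Role IDs are placeholders.
BASELINE = {
    "Tenant Admin": {"app_id": "11111111-1111-1111-1111-111111111111",
                     "grants": {(GRAPH_API, "role-directory-read-all"),
                                (GRAPH_API, "role-user-read-all"),
                                (SHAREPOINT_API, "role-sites-fullcontrol-all")}},
    "Mail Reader": {"app_id": "22222222-2222-2222-2222-222222222222",
                    "grants": {(GRAPH_API, "role-mail-read")}},
}


@dataclass
class Gap:
    app: str
    resource_app_id: str
    app_role_id: str
    adminconsent_url: str          # fix 1: re-run admin consent for the whole app
    direct_grant: Optional[dict]   # fix 2: POST body for /servicePrincipals/{sp}/appRoleAssignments


@dataclass
class AuditResult:
    tenant: str
    grade: str   # GREEN: all grants present; AMBER: app consented, grants missing; RED: app SP absent (assumed scale)
    gaps: List[Gap]


def adminconsent_url(tenant_id: str, app_id: str) -> str:
    # Admin-consent endpoint shape for a multi-tenant app registration.
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={app_id}"


def audit_tenant(tenant_id: str, snapshot: dict, baseline: dict = BASELINE) -> AuditResult:
    """snapshot mirrors Graph output: 'resource_sps' maps a resource SP objectId to its appId;
    'apps' maps a suite app's appId to its SP and assignments (resourceId = resource SP objectId)."""
    res_app_by_obj = snapshot["resource_sps"]
    res_obj_by_app = {app: obj for obj, app in res_app_by_obj.items()}
    gaps, grade = [], "GREEN"
    for app_name, spec in baseline.items():
        sp = snapshot["apps"].get(spec["app_id"])
        consent = adminconsent_url(tenant_id, spec["app_id"])
        if sp is None:  # no SP: nothing to attach a direct grant to, consent URL is the only fix
            grade = "RED"
            gaps.extend(Gap(app_name, r, role, consent, None) for r, role in sorted(spec["grants"]))
            continue
        held = {(res_app_by_obj[a["resourceId"]], a["appRoleId"])
                for a in sp["appRoleAssignments"] if a["resourceId"] in res_app_by_obj}
        missing = spec["grants"] - held   # only missing grants count as drift here; extras are ignored
        if missing and grade == "GREEN":
            grade = "AMBER"
        for r, role in sorted(missing):
            obj = res_obj_by_app.get(r)   # resource SP may itself be absent from the tenant
            direct = None if obj is None else {"principalId": sp["objectId"], "resourceId": obj, "appRoleId": role}
            gaps.append(Gap(app_name, r, role, consent, direct))
    return AuditResult(tenant_id, grade, gaps)


def audit_all(snapshots: dict) -> dict:
    return {tid: audit_tenant(tid, snap).grade for tid, snap in snapshots.items()}


def render(result: AuditResult) -> List[str]:
    lines = [f"{result.tenant}: {result.grade}"]
    for g in result.gaps:
        lines.append(f"  MISSING {g.app} -> {g.resource_app_id} {g.app_role_id}")
        lines.append(f"    fix (adminconsent): {g.adminconsent_url}")
        if g.direct_grant:
            lines.append(f"    fix (direct grant): POST /servicePrincipals/{g.direct_grant['principalId']}"
                         f"/appRoleAssignments {g.direct_grant}")
    return lines


# Constructed tenant snapshots (all identifiers fake).
def _snapshot(tag: str, admin_roles: list, with_mail_reader: bool = True) -> dict:
    apps = {BASELINE["Tenant Admin"]["app_id"]: {"objectId": f"sp-admin-{tag}", "appRoleAssignments": admin_roles}}
    if with_mail_reader:
        apps[BASELINE["Mail Reader"]["app_id"]] = {
            "objectId": f"sp-mail-{tag}",
            "appRoleAssignments": [{"resourceId": "res-graph", "appRoleId": "role-mail-read"}]}
    return {"resource_sps": {"res-graph": GRAPH_API, "res-spo": SHAREPOINT_API}, "apps": apps}


FULL_ADMIN = [{"resourceId": "res-graph", "appRoleId": "role-directory-read-all"},
              {"resourceId": "res-graph", "appRoleId": "role-user-read-all"},
              {"resourceId": "res-spo", "appRoleId": "role-sites-fullcontrol-all"}]

SNAPSHOTS = {
    "tenant-a": _snapshot("a", FULL_ADMIN),                          # everything granted
    "tenant-b": _snapshot("b", FULL_ADMIN[:2]),                      # Tenant Admin lacks the SharePoint app-only role
    "tenant-c": _snapshot("c", FULL_ADMIN, with_mail_reader=False),  # Mail Reader never consented
}

if __name__ == "__main__":
    for tid, snap in SNAPSHOTS.items():
        print("\n".join(render(audit_tenant(tid, snap))))
```

tenant-b reproduces the silent-401 shape from the commit: the Tenant Admin app is consented, so the adminconsent URL was evidently visited once, but the SharePoint app-only role is absent, and the audit emits both the consent URL and the exact appRoleAssignment body for that one gap rather than a generic "re-consent" instruction.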