kushi-agents 3.4.2 → 3.12.1

package/plugin/skills/pull-email/SKILL.md

@@ -1,17 +1,25 @@
 ---
 name: "pull-email"
-version: "2.0.0"
-description: "Pull Email evidence (stream only — emails ARE events). WorkIQ-first. Scopes to configured project email folder per m365-mutable hints."
+version: "2.3.1"
+description: "Pull Email evidence (stream only — emails ARE events). WorkIQ-ONLY per workiq-only.instructions.md (m365_get_email / m365_search_emails / Graph REST FORBIDDEN — near-100% failure in this workspace). Folder-scoped fast path → root-scope WorkIQ fallback. Enumerate-then-fetch via two WorkIQ calls per project. Mutable folder-hint upsert during run. Throttle-aware. User-paste is a first-class fallback, NOT Graph."
 ---
 
 # Skill: pull-email
 
+
+> **v3.7.6 + v3.11.0 contracts** — This skill operates under five HARD-rule doctrines:
+> - `verbatim-by-default.instructions.md` — full bodies/notetext/fields by default; no preview-grade pulls accepted.
+> - **`workiq-only.instructions.md` (v3.11.0)** — email list + body fetch go through WorkIQ ONLY. `m365_get_email`, `m365_search_emails`, `m365_list_emails`, and Graph REST URLs are FORBIDDEN as fallbacks (they fail nearly every call in this workspace). The canonical WorkIQ prompts (folder-scoped enumerate, root-scope fallback, per-message body fetch) are codified in that instruction — do not re-discover them.
+> - `capture-learnings.instructions.md` — every fix/discovery is logged to `plugin/learnings/<source>.md` immediately.
+> - `cleanup-on-resolution.instructions.md` — when a value resolves, all stale `no-match` / `not yet` notes referencing the prior unresolved state must be rewritten in the same turn.
+> - `run-reports.instructions.md` — every refresh writes a per-user report under `Evidence/<alias>/refresh-reports/YYYY-MM-DD-HHMM_refresh.md`.
+> - `evidence-layout-canonical.instructions.md` (kushi v3.12.1+) — ALL email artifacts MUST be written under `<project>/Evidence/<alias>/email/{snapshot,stream,_index,_legacy_*}/`. Writing to `<project>/email-context/`, `<project>/email/`, `<project>/_Weekly Summaries/`, or any other sibling path under `<project>/` is a DEFECT.
 Pulls **email** evidence in two shapes per `snapshot-vs-stream.instructions.md`:
 
 - **snapshot/** — (none — emails ARE events, no snapshot)
 - **stream/** — messages with full body, sender, recipients, attachments, reply chain — grouped by thread
 
-WorkIQ-first per `workiq-first.instructions.md`. Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + auto-retry + paste-prompt per `thoroughness-detector.instructions.md`. Citations per `citation-ledger.instructions.md`. Side-by-side mutable hints written immediately on discovery per `side-by-side-config.instructions.md`.
+Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + auto-retry + paste-prompt per `thoroughness-detector.instructions.md`. Citations per `citation-ledger.instructions.md`. Side-by-side mutable hints written immediately on discovery per `side-by-side-config.instructions.md`.
 
 ## Inputs
 
@@ -26,50 +34,159 @@ WorkIQ-first per `workiq-first.instructions.md`. Thoroughness per `evidence-thor
 - `emailContext.folder` — full path of the project's email folder
 - `emailContext.folderId` — folder ID for direct lookup
 
-## Snapshot pass
+## Boundaries (REQUIRED — see `scope-boundaries.instructions.md`)
 
-_(no snapshot for email — emails are inherently event-stream)_
+This skill REFUSES to query unless `<engagement-root>/<project>/integrations.yml#boundaries.email` is satisfied:
+
+- `boundaries.email.mailboxes` — REQUIRED, non-empty. Empty = source disabled.
+- `boundaries.email.sender_domains` — optional narrowing.
+- `boundaries.email.subject_keywords` — optional narrowing.
+- `boundaries.date_window_days` — defaults to 30 if absent.
+
+Every WorkIQ ask, every `m365_search_emails` / `m365_list_emails` call, every Graph fallback MUST be scoped to those mailboxes + (if set) sender_domains + subject_keywords. Empty hits inside the boundary → write Coverage Notes citing the limiting key; do NOT widen the scope.
+
+Refusal message when boundary is missing:
+
+```
+email-boundary-missing — add boundaries.email.mailboxes to
+<engagement-root>/<project>/integrations.yml. See doctrine in
+plugin/instructions/scope-boundaries.instructions.md.
+```
+
+## Retrieval order (deterministic — folder fast path → root fallback)
+
+Borrowed from production email-context hardening. WorkIQ is more reliable when the query is folder-scoped to one known project folder than when it scans the whole mailbox. Order:
+
+### Order 1 — Exact project-folder fast path (when hint exists)
+
+If `m365Mutable.knownSections.<project>.emailContext.folder` (or `.folderId`) is set with `confidence >= medium`:
+
+```
+workiq ask -q "Search my Outlook mailbox for emails from <window-start> onward in folder(s) '<projectFolder>' (including all subfolders) related to <project aliases>. Return: sent datetime, subject, sender, recipients, folder path, message link, and a short relevance reason. Do not return NO_RESULTS unless the folder truly has no messages in that range."
+```
+
+If this path returns 0 results AND the same query has succeeded recently in this project's run-log, retry the exact-folder query ONCE before escalating. WorkIQ has been observed to return spurious empty hits on first call.
+
+### Order 2 — Root-scope fallback
+
+Only if Order 1 returns insufficient/empty results after the retry, OR the project has no folder hint, OR multiple plausible hints exist:
+
+```
+workiq ask -q "Search my Outlook mailbox for emails from <window-start> onward in folder(s) <boundaries.email.mailboxes joined> (including all subfolders) related to <project aliases>. Return: sent datetime, subject, sender, recipients, folder path, message link, and a short relevance reason."
+```
+
+### Throttle handling (HARD stop in same run)
+
+If WorkIQ returns `tooManyRequests`, `More than 3 retries performed`, or `We're experiencing high demand`:
+
+- Mark `sources.email.coverage_state = throttled-tooManyRequests` in run-log.
+- Write what enumeration HAS been collected so far to the message-index file with a `⚠️ throttled — partial enumeration` banner.
+- Stop email pulls for this run. Do NOT issue broader mailbox queries.
+- Continue with non-email sources.
+
+### Degraded list-only state
+
+If Step A enumeration succeeds but Step B body fetch fails repeatedly (host + WorkIQ both returning empty / `body-unavailable` for >50% of messages):
+
+- Set `sources.email.coverage_state = degraded-list-only`.
+- Keep the message index with sent date, subject, sender, recipients, folder path, message link as evidence — these ARE usable signals at list level.
+- Mark each affected message with `❌ body-unavailable` in the weekly stream file.
+- Do NOT discard list-level evidence. Do NOT loop on broad fallback queries trying to rescue bodies.
+
+## Two-pass pull (REQUIRED — no single-call summarization)
 
-Write to: `<engagement-root>/<project>/Evidence/<alias>/email/snapshot/<entity>.md`
+Same anti-summarization pattern as `pull-onenote` v2.2.0. WorkIQ summarizes by default — relying on a single "give me all emails this week" call returns a curated subset, not the full set. Doctrine: **enumerate the message list first, then fetch each message body individually.**
 
-Use template: `templates/snapshot/email-<kind>.template.md`
+### Step A — Enumerate the message list
 
-## Stream pass
+For each `boundaries.email.mailboxes[i]` × the date window (and optional sender_domains / subject_keywords):
 
-Per `evidence-thoroughness.instructions.md`: every substantive thread gets sender + recipients (to+cc) + subject + **full body or close paraphrase** + attachments + reply chain in order. Group by thread.
+```
+workiq ask -q "List EVERY email in mailbox <mb> received between <start> and <end> [filtered to senders @<domain>] [containing subject keyword <kw>]. Return one row per message: messageId, internetMessageId, conversationId, sentDate, fromAddress, toAddresses, ccAddresses, subject, hasAttachments, sizeKB. Do NOT summarize, do NOT omit, do NOT group by thread yet, do NOT add commentary. Flat table only."
+```
+
+If the response is summarized (heuristics: `"and N more"`, `"sample"`, row count noticeably less than expected, message bodies included instead of just the index): **retry once** with `Return as a flat table with no commentary, no grouping, no truncation. Message count must equal the actual count in the date window.`
+
+Persist the enumerated list to `Evidence/<alias>/email/_index/<YYYY-MM-DD>_message-index.md` (date = Monday of the ISO week). This makes the run idempotent + resumable.
+
+### Step B — Per-message body fetch (one WorkIQ call per message)
+
+For each message in the index, ONE WorkIQ call (per `workiq-only.instructions.md`):
+
+```
+workiq ask -q "Get the FULL body of email with messageId <id> (mailbox <mb>). Return: full text body verbatim (no summarization, no truncation), all headers (from, to, cc, bcc, sentDate, subject, conversationId, internetMessageId, references, in-reply-to), attachment list (filename + size + mimetype, do NOT download binary), and any inline images as alt text or skip with marker."
+```
+
+**FORBIDDEN** (per workiq-only): `m365_get_email`, `m365_search_emails`, `m365_list_emails`, Graph REST. Do NOT add them as fallbacks. If WorkIQ body fetch fails, use the doubled-strict retry then user-paste — NEVER fall through to a host m365_* call.
+
+If body comes back < 200 chars or includes phrases like `"unable to retrieve"`, `"body unavailable"`, `"truncated"`: doubled-strict retry once with `Return the raw email body, no summary, no truncation. If you cannot return the full body, say "body-unavailable" exactly and nothing else.` On second failure, record that message as `❌ body-unavailable` in the weekly stream file + continue (or prompt user to paste — first-class evidence path per workiq-only).
+
+### Step C — Group by conversationId into threads
+
+After all bodies fetched, group messages by `conversationId`. For each thread:
+
+- Sort by `sentDate` ascending.
+- Write a `## Thread: <subject>` block in the weekly stream file with:
+  - **AI Narrative Summary (REQUIRED FIRST, 3+ paragraphs)** — conversation arc, who's pushing what, decisions, asks, tone (per `evidence-thoroughness.instructions.md`).
+  - One `### Message <N> — <fromAddress> (<sentDate>)` block per message with: full headers (to/cc/subject), full body verbatim as a blockquote, attachment list.
+- Append the thread block to the weekly file (`<YYYY-MM-DD>_email-stream.md`, date = Monday of the ISO week).
+
+## Snapshot pass
+
+_(no snapshot for email — emails are inherently event-stream)_
+
+## Stream pass output
 
 Write to: `<engagement-root>/<project>/Evidence/<alias>/email/stream/<YYYY-MM-DD>_email-stream.md` (date = Monday of the ISO week the events fall in).
 
+Write the message index to: `<engagement-root>/<project>/Evidence/<alias>/email/_index/<YYYY-MM-DD>_message-index.md`.
+
 Use template: `templates/weekly/email-summary.template.md`
 
-If a week file already exists, MERGE (dedupe by event ID, append new events, keep existing).
+If a week file already exists, MERGE (dedupe by `internetMessageId`, append new threads, keep existing).
+
+## Tools (WorkIQ ONLY — per `workiq-only.instructions.md`)
 
-## Tools (in order)
+1. **WorkIQ (`workiq ask`)** — the ONLY allowed path for both enumeration (Step A) and per-message body fetch (Step B). Always include the boundary keys + the verbatim/no-summary phrasing. Use the canonical prompts codified in `plugin/instructions/workiq-only.instructions.md` (Email Bodies section) — do NOT re-derive them.
+2. **Ask user (paste verbatim)** — first-class fallback when WorkIQ doubled-strict retry fails or returns `body-unavailable`. NOT a degradation; coverage.md labels it `Source: User paste on <ISO>`.
 
-1. **WorkIQ** — ````$WorkIQQuery`````
-2. **Host fallback** — `m365_search_emails` / `m365_list_emails` scoped to `m365Auth.emailContext.folders`
-3. **Graph REST** — last resort, soft-fail per `az-auth-conditional.instructions.md`.
-4. **Ask user** — paste verbatim source content if all above fail.
+**FORBIDDEN** for this skill (per workiq-only.instructions.md): `m365_get_email`, `m365_search_emails`, `m365_list_emails`, `m365_list_mail_folders`, `m365_search_mail`, Graph REST `https://graph.microsoft.com/v1.0/me/messages*`, Graph REST `https://graph.microsoft.com/v1.0/me/mailFolders*`. These tools have a near-100% failure rate in this workspace. Calling them is a DEFECT; coverage.md must NOT show them in the attempt trail.
 
-Document which path succeeded under `## Source Basis` in each output file.
+Document the WorkIQ request-id + the exact prompt + which boundary was applied under `## Source Basis` in each output file (per workiq-only coverage.md requirements).
 
 ## Mutable hints to upsert (during the run, not at the end)
 
-If discovered, immediately write to `m365Mutable.knownSections.<project>.<source>` with `discoveredOn` + `confidence`:
+If discovered, immediately write to `m365Mutable.knownSections.<project>.<source>` with `discoveredOn` + `confidence`. Mandatory in EVERY run mode (bootstrap, refresh, retry):
 
-- `emailContext.folder` — full path of the project's email folder
+- `emailContext.folder` — full path of the project's email folder (upsert only when `confidence >= medium`)
 - `emailContext.folderId` — folder ID for direct lookup
+- `emailContext.lastFastPathUsed` — boolean; whether Order 1 succeeded this run
+
+Upsert only confident folder mappings. Do not write low-confidence guesses — that pollutes the hint cache and degrades future fast-path success.
 
 ## Update run-log
 
 After successful pass:
 - `sources.email.last_pulled = now`
-- `sources.email.watermark = now` (stream only; snapshot has no watermark)
-- `sources.email.item_count = <N>`
+- `sources.email.watermark = now`
+- `sources.email.coverage_state = ok | degraded-list-only | throttled-tooManyRequests | unavailable`
+- `sources.email.retrieval_path = fast-folder | fast-folder-retry | root-fallback`
+- `sources.email.messages_enumerated = <N>` — total messages discovered in scope
+- `sources.email.messages_fetched = <N>` — total messages with full body captured
+- `sources.email.messages_failed = <N>` — `body-unavailable` count
+- `sources.email.threads = <N>` — number of conversations grouped
 - For each week touched, add to `weekly_files` index.
 
+## Depth bar (per `evidence-thoroughness.instructions.md`)
+
+The pre-Step-C anti-summary doctrine + the Step-C AI Narrative Summary per thread together produce the depth users expect. Empty thread bodies are a defect — if Step B couldn't fetch a body, the message gets a `❌ body-unavailable` marker, NOT a paraphrase from the index row.
+
+**Completeness bar:** `messages_enumerated` should equal `messages_fetched + messages_failed`. Drift surfaces in run-log; consolidate skill renders it as a Coverage Note.
+
 ## Stop conditions
 
+- Boundary missing → refuse (see Boundaries above).
 - Hint missing AND fuzzy resolution returns 0 candidates → ask user once, persist answer to mutable, continue.
-- Multiple plausible candidates → ask user to pick, persist answer.
-- WorkIQ fails AND host fallback fails AND Graph fails → write evidence file with `❌ all paths failed` marker, log to run-log errors, continue with rest of run.
+- Enumeration step (Step A) failed → write `_index/<date>_message-index.md` with failure marker, log to run-log errors, do NOT proceed to per-message loop.
+- Per-message fetch failed → record marker, continue.
+- All paths failed → write evidence file with `❌ all paths failed` marker, log to run-log errors, continue with rest of run.

package/plugin/skills/pull-meetings/SKILL.md

@@ -1,17 +1,29 @@
 ---
 name: "pull-meetings"
-version: "2.1.0"
-description: "Pull Meetings evidence (snapshot: series-index; stream: per-meeting transcripts + decisions + actions). WorkIQ-first; falls back to chat reconstruction when transcripts don't exist."
+version: "2.2.1"
+description: "Pull Meetings evidence in THREE shapes: snapshot/ series-index, stream/ per-meeting curated blocks, AND verbatim/ raw immutable folder per meeting (meetings expire — verbatim/ MUST contain the full transcript text, not just chat). v2.4.0: WorkIQ-ONLY for transcript capture per workiq-only.instructions.md (m365_get_transcript / Graph REST FORBIDDEN — they have near-100% failure rate in this workspace). Chat is parallel supporting evidence (via m365_list_chat_messages structured dump), NEVER a transcript substitute."
 ---
 
 # Skill: pull-meetings
 
-Pulls **meetings** evidence in two shapes per `snapshot-vs-stream.instructions.md`:
 
-- **snapshot/** — series-index.md listing all recurring meeting series for this project (subject, recurrence, organizer, current attendees)
-- **stream/** — per-meeting blocks: attendees (req/opt/actual), agenda, **chronological transcript walk-through with verbatim quotes + timestamps**, decisions, actions, open questions, artifact links
+> **v3.7.6 + v3.10.0 + v3.11.0 contracts** — This skill operates under six HARD-rule doctrines:
+> - `verbatim-by-default.instructions.md` — full bodies/notetext/fields by default; no preview-grade pulls accepted.
+> - `meetings-verbatim-required.instructions.md` (v3.10.0) — meetings are an EXPIRING evidence class; every captured meeting MUST also produce a sibling `verbatim/<YYYY-MM-DD-HHMM>_<slug>/` folder with raw chat + transcript + recording URL. Curated snapshot alone is a defect.
+> - **`workiq-only.instructions.md` (v3.11.0)** — transcripts, facilitator notes, calendar discovery, and chat-thread human rendering go through WorkIQ ONLY. `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events`, and Graph REST URLs are FORBIDDEN as fallbacks (they fail nearly every call). The canonical WorkIQ prompts are codified in that instruction — do not re-discover them.
+> - `capture-learnings.instructions.md` — every fix/discovery is logged to `plugin/learnings/<source>.md` immediately.
+> - `cleanup-on-resolution.instructions.md` — when a value resolves, all stale `no-match` / `not yet` notes referencing the prior unresolved state must be rewritten in the same turn.
+> - `run-reports.instructions.md` — every refresh writes a per-user report under `Evidence/<alias>/refresh-reports/YYYY-MM-DD-HHMM_refresh.md`.
 
-Auth + retry + error logging per `auth-and-retry.instructions.md`. WorkIQ-first per `workiq-first.instructions.md`. Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + auto-retry + paste-prompt per `thoroughness-detector.instructions.md`. Citations per `citation-ledger.instructions.md`.
+> **Canonical evidence layout** (HARD, kushi v3.12.1+): all artifacts produced by this skill MUST be written under `<project>/Evidence/<alias>/<source>/{snapshot,stream,...}/` — sibling folders under `<project>/` (e.g. `<project>/<source>-context/`, `<project>/<source>/`, `<project>/_Weekly Summaries/`) are FORBIDDEN. See `evidence-layout-canonical.instructions.md`.
+
+Pulls **meetings** evidence in three shapes per `snapshot-vs-stream.instructions.md` + `meetings-verbatim-required.instructions.md`:
+
+- **snapshot/** — `series-index.md` listing all recurring meeting series for this project (subject, recurrence, organizer, current attendees)
+- **stream/** — per-meeting curated blocks: attendees (req/opt/actual), agenda, **chronological transcript walk-through with verbatim quotes + timestamps**, decisions, actions, open questions, artifact links. Each block MUST cite the matching verbatim/ folder.
+- **verbatim/** (REQUIRED, NEW v2.2.0) — per-meeting subfolder `verbatim/<YYYY-MM-DD-HHMM>_<slug>/` containing the raw immutable capture: `captured-at.txt`, `chat-messages.json`, `chat-messages.md`, `transcript.vtt` or `transcript-source.md`, `recording-url.txt`, `recap-card.md`, `attachments/`, `coverage.md`. See `templates/snapshot/meeting-verbatim.template.md` for the contract.
+
+Auth + retry + error logging per `auth-and-retry.instructions.md`. WorkIQ-only per `workiq-only.instructions.md`. Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + auto-retry + paste-prompt per `thoroughness-detector.instructions.md`. Citations per `citation-ledger.instructions.md`.
 
 ## Inputs
 
@@ -20,39 +32,110 @@ Auth + retry + error logging per `auth-and-retry.instructions.md`. WorkIQ-first
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
 - (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints (`calendarContext.subjectKeywords`, `calendarContext.knownSeries`).
 
-## Discovery (snapshot pass)
+## Discovery (snapshot pass — WorkIQ ONLY per `workiq-only.instructions.md`)
 
-1. `m365_list_meetings` over the window with `subjectKeywords` filter (post-filter — Graph search is relevance-ranked, not exact).
-2. For each match: capture `id`, `subject`, `start`, `end`, `organizer`, `joinUrl`. Persist to mutable as `calendarContext.knownSeries[]`.
-3. Cross-reference with Teams chat IDs from `pull-teams` (meeting chat IDs of form `19:meeting_…@thread.v2`). Each match enriches with attendee roster + chat ID.
+1. **WorkIQ meeting discovery** (canonical prompt from `workiq-only.instructions.md` Calendar/online meetings section):
+   > `List my Teams meetings between <start> and <end> where the subject contains "<token>". Return subject, date, start time, organizer, joinUrl, and Teams chat id.`
+   - Issued ONCE per token in `calendarContext.subjectKeywords`.
+   - For each match: capture `subject`, `start`, `end`, `organizer`, `joinUrl`, `chatId`. Persist to mutable as `calendarContext.knownSeries[]`.
+2. Cross-reference returned `chatId` values with `boundaries.teams.chat_ids[]` — every meeting whose chat-id falls inside the teams boundary is treated as in-scope. This enriches each meeting with the attendee roster the `pull-teams` snapshot already captured.
+
+**FORBIDDEN** for discovery: `m365_list_meetings`, `m365_list_events`, Graph REST `/me/calendar/events`, Graph REST `/me/onlineMeetings`. Use WorkIQ.
 
 Write `snapshot/series-index.md` listing all matched series. Updated every refresh (organizers/attendees may change).
 
-## Per-meeting stream pass — path cascade
+## Boundaries (REQUIRED — see `scope-boundaries.instructions.md`)
+
+This skill REFUSES to query unless `<engagement-root>/<project>/integrations.yml#boundaries.meetings` is satisfied:
+
+- `boundaries.meetings.series_join_urls` — REQUIRED, non-empty (pinned join URLs; no subject-keyword fuzz).
+- `boundaries.meetings.organizer_emails` — optional additional filter.
+- `boundaries.date_window_days` — defaults to 30 if absent.
+
+The pre-existing `subjectKeywords` / `knownSeries` discovery loop is now a **bootstrap-time aid only** — it helps populate `boundaries.meetings.series_join_urls` once. At pull time, only meetings whose `joinUrl` is in the boundary list are processed.
+
+Refusal message when boundary is missing:
+
+```
+meetings-boundary-missing — add boundaries.meetings.series_join_urls to
+<engagement-root>/<project>/integrations.yml. See doctrine in
+plugin/instructions/scope-boundaries.instructions.md.
+```
+
+## Per-meeting capture cascade — verbatim/ FIRST, then curated stream
+
+For EACH meeting in the window, the cascade has **two halves**: (A) write raw artifacts to `verbatim/<YYYY-MM-DD-HHMM>_<slug>/`, then (B) produce the curated stream block citing those verbatim files. Half A is mandatory before Half B per `meetings-verbatim-required.instructions.md`.
+
+### Half A — verbatim/ capture (REQUIRED, transcript-first, WorkIQ-only per workiq-only.instructions.md)
+
+For every meeting, BEFORE writing any curated text:
+
+0. Compute slug + timestamp, create `Evidence/<alias>/meetings/verbatim/<YYYY-MM-DD-HHMM>_<slug>/`, write `captured-at.txt` (started_at, kushi_version).
 
-For EACH meeting in the window, attempt to capture transcript text via this cascade. Apply retry pattern per `auth-and-retry.instructions.md`. Record errors[] entry for each path attempted.
+1. **Transcript cascade — WorkIQ-only, EXHAUSTIVE, in order. Do NOT stop at first weak result; record each path's result in `coverage.md`.** Per `meetings-verbatim-required.instructions.md` "Transcript capture cascade":
+   - **a. WorkIQ full-transcript pull (REQUIRED first attempt)** with the canonical prompt from `workiq-only.instructions.md`:
+     > `Find the Teams meeting titled "<subject>" that occurred on <YYYY-MM-DD>. Return the full transcript verbatim with speaker labels and timestamps. Do not summarize.`
+     - If WorkIQ returns full speaker-turn text (≥ ~10 distinct `Name:` lines) → strip `request-id:` prefix, save body as `transcript.txt` with header (source, query, request-id, fidelity).
+     - If WorkIQ returns a summary (paragraphs only, no speaker turns) → run the **doubled-strict retry** from `workiq-only.instructions.md` once. If still summary-only, save as `transcript-source.md` with the `WARNING: NOT a verbatim transcript` header.
+   - **b. WorkIQ Copilot recap (SUPPLEMENTARY, always attempt)**:
+     > `Get the Copilot meeting recap (decisions, action items, key points) for the Teams meeting "<subject>" on <YYYY-MM-DD>. Return the FULL recap card verbatim. Do not summarize.`
+     - Save as `facilitator-notes.md`. Supplementary; does NOT replace the transcript.
+   - **c. WorkIQ recording-URL discovery**:
+     > `For the meeting "<subject>" on <YYYY-MM-DD>, return the SharePoint Stream recording URL if it exists, and the calendar event body.`
+     - Save URL(s) to `recording-url.txt`. If a `.mp4` URL is present, downloading the recording binary is governed by the `pull-meetings` recording-download carve-out (size < 200MB) — this is the ONLY allowed `m365_download_file` call in any kushi pull-* skill, because the recording is binary media and WorkIQ does not download binaries.
+   - **d. User-paste fallback (first-class, NOT a degradation)** — when (a) returns empty/`body-unavailable` after doubled-strict retry AND (b) returns nothing usable: prompt the user to paste verbatim transcript or notes. Save to `transcript.txt` with header `User-pasted; WorkIQ returned no transcript on <ISO timestamp>`.
 
-1. **WorkIQ**: `Get full transcript and Copilot recap for meeting "<subject>" on <date>`.
-2. **`m365_get_transcript`** with the meeting's `joinUrl`.
-3. **Reconstruction from chat** (NOT a failure — first-class fallback). When transcripts simply don't exist (transcription was off, or VTT not yet attached), reconstruct evidence from:
-   - Meeting chat thread: `m365_list_chat_messages(chatId)` — captured already by `pull-teams`.
-   - Pre/post-meeting context messages.
-   - Any Copilot recap card posted to the chat.
-   Mark the per-meeting block `Source basis: reconstructed from meeting chat (no transcript)`. This is **evidence**, not a gap.
-4. **Ask user**: paste verbatim transcript or notes if all above produced nothing usable.
+   **FORBIDDEN** (do NOT attempt; do NOT log as cascade steps in coverage.md): `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events`, Graph REST `/me/onlineMeetings/.../transcripts/.../content`. These have a near-100% failure rate in this workspace and pollute the coverage trail. Use WorkIQ steps (a)/(b)/(c).
 
-A meeting block built from chat reconstruction with attendees + key decisions + actions is **valid evidence**. Do NOT mark such a meeting as `failed`. Mark it `partial` only if NO source produced any content (no transcript AND no chat messages).
+2. **Chat capture (ALWAYS, parallel with step 1 — allowed exception to workiq-only)**: `m365_list_chat_messages(chatId)` → `chat-messages.json` (raw structured-data dump) + `chat-messages.md` (rendered, one heading-block per message). Chat is **supporting evidence**; it is **NEVER** a transcript substitute. If `m365_list_chat_messages` fails, run the WorkIQ chat-thread prompt as fallback (per `workiq-only.instructions.md` Teams chat thread section).
+
+3. Walk chat for attachments → `m365_download_file` each → `attachments/<original-name>` (binary download carve-out, same as recording.mp4).
+
+4. Walk chat for Copilot recap card → `recap-card.md` verbatim.
+
+5. **Classify** the verbatim folder per the doctrine:
+   - `transcript-complete` — at least one of `transcript.vtt` / `transcript.txt` / `transcript-source.md` is non-empty.
+   - `transcript-missing` — only `chat-messages.*` present; all WorkIQ cascade paths (1a–1d) returned empty.
+
+6. Write `coverage.md` with classification + per-path attempt log (every WorkIQ path attempted, with request-id, even successful ones) + source-basis classification for stream/.
+
+7. Update `captured-at.txt` with `completed_at` + `final_status` (one of `transcript-complete-text` / `transcript-complete-summary-only` / `transcript-missing-chat-only` / `unrecoverable`).
+
+If 1a–1d ALL return empty AND step 2 chat is also empty AND user paste is declined → `unrecoverable`. Apply retry pattern per `auth-and-retry.instructions.md`.
+
+### Half B — curated stream/ block (cites verbatim/)
+
+Build the per-meeting block in `stream/<week>_meetings-stream.md` using ONLY content already persisted in verbatim/. Every assertion cites a verbatim file. Preferred citation chain:
+- `[source: Evidence/<alias>/meetings/verbatim/<dir>/transcript.vtt · <date>]` when transcript-complete-vtt.
+- `[source: Evidence/<alias>/meetings/verbatim/<dir>/transcript.txt · <date>]` when transcript-complete-text.
+- `[source: Evidence/<alias>/meetings/verbatim/<dir>/transcript-source.md · <date>]` when only Copilot summary (always note the warning).
+- `[source: Evidence/<alias>/meetings/verbatim/<dir>/chat-messages.md · <date>]` only for assertions backed by chat (not transcript content).
+
+`Source basis` line in the curated block reflects verbatim classification:
+- `transcript (raw VTT)` — transcript.vtt present
+- `transcript (plain text)` — transcript.txt present, no VTT
+- `transcript (WorkIQ Copilot summary — NOT verbatim)` — only transcript-source.md
+- `❌ no-transcript-recovered-chat-only` — only chat-messages.*
+- `❌ unrecoverable` — only captured-at.txt + coverage.md
+
+A meeting with `transcript-missing-chat-only` is valid evidence in a degraded sense — actions/decisions citeable from chat are still useful — but the curated block MUST flag the gap prominently and the run-log MUST record `transcript-unrecoverable` for that meeting.
+
+### Ask-user fallback
+
+When the entire cascade (1a–1d + chat) produces nothing usable, ask the user to paste verbatim transcript or notes. Persist any paste to `verbatim/<dir>/transcript.txt` with header `User-pasted; automated paths returned no transcript on <ISO timestamp>`.
 
 ## Stream pass
 
-Per `evidence-thoroughness.instructions.md`: every meeting in the window gets a full per-meeting block. **A 30-line meetings file for a week with 2 meetings is a defect — expect 200+ lines.**
+Per `evidence-thoroughness.instructions.md`: every meeting in the window gets a full per-meeting block whose **FIRST sub-section is an AI Narrative Summary (REQUIRED, 5+ paragraphs)** covering the whole meeting end-to-end — context, what was discussed in what order, who took which position, the reasoning, the back-and-forth, soft signals, sentiment, what landed and what stayed open (cited to transcript timestamps). Then attendees → agenda → Detailed Discussion Summary (topic-organized) → chronological transcript walk-through with verbatim quotes → Decisions → Open Questions → Next Steps → Action Items → Risks → Customer Asks → Coverage Notes. **A 30-line meetings file for a week with 2 meetings is a defect — expect 300+ lines (the AI Narrative Summary alone is typically 30-50 lines per meeting).** A per-meeting block missing the AI Narrative Summary as the first sub-section is a defect even if every other section is present.
 
 Write to: `<engagement-root>/<project>/Evidence/<alias>/Meetings/stream/<YYYY-MM-DD>_meetings-stream.md` (date = Monday of the ISO week).
 
-Use template: `templates/weekly/meetings-summary.template.md`
+Use template: `templates/weekly/meetings-stream.template.md`
 
 If a week file already exists, MERGE (dedupe by event ID, append new events, keep existing).
 
+**Verbatim sibling required.** Every per-meeting block written here MUST have a matching `Evidence/<alias>/meetings/verbatim/<YYYY-MM-DD-HHMM>_<slug>/` folder produced by Half A. The block's `Source basis` line and `Artifacts` section must cite the verbatim folder's relative path. Self-check D13 enforces this.
+
 ## Mutable hints to upsert (during the run, not at the end)
 
 If discovered, immediately write to `m365Mutable.knownSections.<project>.calendarContext` with `discoveredOn` + `confidence`:
@@ -73,5 +156,6 @@ After the pass:
 ## Stop conditions
 
 - Subject keyword resolution returns 0 candidates → ask user once for keywords, persist to mutable, continue.
-- A meeting has neither transcript NOR chat messages → write `❌ no source available` block, log error, continue.
-- All paths failed for ALL meetings in the window → mark source `failed`, write a single `❌ all paths failed` evidence file with actionable next step.
+- A meeting has neither transcript NOR chat messages → write `verbatim/<dir>/coverage.md` documenting every failed path + write `❌ source-expired-or-unrecoverable` block in stream/, log error, continue.
+- All paths failed for ALL meetings in the window → mark source `failed`, write a single `❌ all paths failed` evidence file with actionable next step. Verbatim/ folders for each meeting still get created with captured-at.txt + coverage.md (the empty-folder audit trail is itself evidence).
+- A per-meeting block lacks a sibling `verbatim/<YYYY-MM-DD-HHMM>_<slug>/` directory → **defect** per `meetings-verbatim-required.instructions.md`. Re-run Half A immediately; do NOT ship the curated block alone.

package/plugin/skills/pull-misc/README.md

@@ -0,0 +1,84 @@
+# pull-misc runner
+
+Pulls evidence from a user-curated link list (`<project>/external-links.txt`). Handles types that don't fit a dedicated `pull-*` skill: Loop pages, public web pages, learn.microsoft.com / docs sites, GitHub repos, local files. Delegated types (onenote, sharepoint, ado) are recorded as `delegated` and pulled by their dedicated skills.
+
+See `SKILL.md` for the full doctrine.
+
+## One-time setup
+
+```pwsh
+# Install deps in the kushi repo
+cd C:\Usha\ISERepos\kushi
+npm install playwright jsdom @mozilla/readability
+npx playwright install chromium
+
+# (Loop links only) Seed the Playwright profile by reusing the OneNote profile
+# If you've already done OneNote bootstrap, you're done — Loop reuses it.
+node plugin/skills/pull-onenote/runner.mjs --bootstrap
+```
+
+## Per-project run
+
+```pwsh
+node plugin/skills/pull-misc/runner.mjs `
+  --project "ABN AMRO" `
+  --links-file "C:\Users\ushak\OneDrive - Microsoft\ISE\Engagement Assets\ABN AMRO\external-links.txt" `
+  --engagement-root "C:\Users\ushak\OneDrive - Microsoft\ISE\Engagement Assets" `
+  --headless
+```
+
+## Output
+
+Single JSON object on stdout:
+
+```json
+{
+  "project": "ABN AMRO",
+  "linksFile": "...",
+  "runStatus": "ok | auth-required | partial",
+  "counts": {
+    "total": 12,
+    "captured": 8,
+    "placeholder": 2,
+    "delegated": 1,
+    "auth_required": 0,
+    "fetch_failed": 1,
+    "skipped_binary": 0
+  },
+  "links": [
+    { "type": "web", "title": "...", "url": "...", "last_status": "captured", "captured_via": "http",
+      "http_status": 200, "content_type": "text/html", "etag": "...", "last_modified_http": "...",
+      "body": "...", "char_count": 18420, "captured_at": "..." }
+    /* ... */
+  ]
+}
+```
+
+## Filtering
+
+```pwsh
+# Only loop links
+node runner.mjs --project ABN ... --types loop
+
+# Only specific titles (substring match)
+node runner.mjs --project ABN ... --titles "Workshop,Architecture"
+
+# Combine
+node runner.mjs --project ABN ... --types web,loop --titles "Architecture"
+```
+
+## Scheduled / unattended runs
+
+- Browser branch (loop) reuses `~/.copilot/playwright-profile/onenote/`. When MFA fires, runner marks loop links `auth-required` and exits cleanly. User does one interactive bootstrap; next scheduled run silent.
+- HTTP branch needs no auth for public links. For sites behind SSO (auth'd Confluence, internal dashboards) it returns `auth-required` and is currently NOT supported — paste the content into a `file` link as a workaround, OR add a per-site auth handler in a future version.
+- `placeholder` links surface in the run report every refresh until the user fills them in.
+
+## Troubleshooting
+
+| Symptom | Cause | Fix |
+|---|---|---|
+| `Cannot find module 'jsdom'` | deps not installed | `npm install jsdom @mozilla/readability` in repo root |
+| All loop links `auth-required` | profile expired | `node plugin/skills/pull-onenote/runner.mjs --bootstrap` |
+| `web` link returns near-empty body | site is SPA / requires JS render | Add it as a `loop` type to use browser path; or paste content as `file` |
+| `confluence` link returns auth-required | private Confluence, no anon access | not supported in v0.1; paste content as `file` |
+| `pdf` link returns "text extraction not yet implemented" | pdfjs not bundled | text extract is a v0.2 item; manually extract for now |