kushi-agents 4.3.0 → 4.4.1

package/plugin/instructions/scope-boundaries.instructions.md

@@ -21,7 +21,7 @@ host-fallback Graph call, and every CRM/ADO probe MUST honor.
 Before issuing **any** WorkIQ query, `m365_*` host call, Graph REST call, or CRM/ADO
 REST call, the skill MUST resolve the boundary it is operating inside from
 `<engagement-root>/<project>/integrations.yml boundaries:` (per-source) or the
-global `<engagement-root>/.project-evidence/{crm,ado}/config.yml` (auth +
+global `<workspace>/.kushi/config/shared/integrations.yml` (auth +
 tenant + org). The resolved boundary MUST be recorded in the evidence file's
 `## Source Basis` block, e.g.:
 
@@ -57,8 +57,8 @@ returns evidence over the same surface — no run-to-run drift.
 
 | Skill | Hard prerequisite | Failure message (verbatim) |
 |---|---|---|
-| `pull-crm` | `<engagement-root>/.project-evidence/crm/config.yml` exists with non-placeholder `environmentUrl` | `crm-config-missing — drop a filled config.yml at <engagement-root>/.project-evidence/crm/config.yml. See plugin/templates/init/crm-config.template.yml.` |
-| `pull-ado` | `<engagement-root>/.project-evidence/ado/config.yml` exists with non-placeholder `organization` AND `defaultProject` | `ado-config-missing — drop a filled config.yml at <engagement-root>/.project-evidence/ado/config.yml. See plugin/templates/init/ado-config.template.yml.` |
+| `pull-crm` | `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `crm.environmentUrl` | `crm-config-missing — fill the crm: block in <workspace>/.kushi/config/shared/integrations.yml. See plugin/templates/init/integrations.template.yml.` |
+| `pull-ado` | `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `ado.organization` AND `ado.defaultProject` | `ado-config-missing — fill the ado: block in <workspace>/.kushi/config/shared/integrations.yml. See plugin/templates/init/integrations.template.yml.` |
 | `propose-ado-update` | both above + `integrations.yml ado.engagement_id > 0` | per `propose-ado-update/SKILL.md` Prerequisites table |
 
 Pre-v3.7.0 behavior allowed `pull-crm` to "narrate from email" when the live
@@ -172,7 +172,7 @@ On first run for a new project, bootstrap MUST:
 3. For sources where bootstrap cannot auto-populate, write the source as
    **disabled** (`enabled: false`) with a one-liner in `OPEN-QUESTIONS-DRAFT.md`
    asking the user to fill the boundary and re-enable.
-4. For CRM and ADO, ALSO check that the global `<engagement-root>/.project-evidence/{crm,ado}/config.yml`
+4. For CRM and ADO, ALSO check that the global `<workspace>/.kushi/config/shared/integrations.yml`
    exists and has non-placeholder values; if not, scaffold from
    `plugin/templates/init/{crm,ado}-config.template.yml` and park in
    `OPEN-QUESTIONS-DRAFT.md` with the path the user needs to fill.

package/plugin/instructions/side-by-side-config.instructions.md

@@ -5,20 +5,23 @@ description: "Side-by-side config rule — whenever the skill creates or changes
 
 # Side-by-side config rule (HARD RULE)
 
-Whenever the skill creates, changes, or extends any template in `<KUSHI_ROOT>/plugin/templates/init/`, it MUST also write the corresponding live file under `<engagement-root>/.project-evidence/`.
+Whenever the skill creates, changes, or extends any template in `<KUSHI_ROOT>/plugin/templates/init/`, it MUST also write the corresponding live file in the workspace under `<workspace>/.kushi/config/user/` (for per-contributor identity + paths) or `<workspace>/.kushi/config/shared/` (for team-owned config the team commits).
 
 Templates stay generic; the live file gets the actual filled-in fact. Never leave the user with only the template — that's a half-done config.
 
-## The two layers
+## The three layers
 
 | Layer | Where | Lifecycle |
 |---|---|---|
 | Template (generic) | `<KUSHI_ROOT>/plugin/templates/init/*.template.{json,yml}` | Ships with kushi, never edited per-user |
-| Live filled | `<engagement-root>/.project-evidence/*.{json,yml}` | Per-user, OneDrive-synced, edited by skill + user |
+| Live shared | `<workspace>/.kushi/config/shared/*.{json,yml}` | Team-owned, committed; doctrine files overwrite on install, others seed-once |
+| Live user | `<workspace>/.kushi/config/user/*.{json,yml}` | Per-contributor, gitignored; seed-once and preserved across upgrades |
+
+Skills read configs via `<install-dest>/lib/Get-KushiConfig.ps1` which resolves `user/` first, then `shared/`.
 
 ## Discover → upsert immediately
 
-Any time the skill discovers a high-confidence fact about a project (folder id, chat id, OneNote section id, CRM record id, ADO WI id, stakeholder hint, alias) — upsert it into the live mutable file (`<engagement-root>/.project-evidence/m365/m365-mutable.json` under `m365Mutable.knownSections.<project>.<source>`) **in the same turn it was discovered**, with `discoveredOn: <today>` and `confidence: high|medium|low`.
+Any time the skill discovers a high-confidence fact about a project (folder id, chat id, OneNote section id, CRM record id, ADO WI id, stakeholder hint, alias) — upsert it into the live mutable file (`<workspace>/.kushi/config/user/m365-mutable.json` under `m365Mutable.knownSections.<project>.<source>`) **in the same turn it was discovered**, with `discoveredOn: <today>` and `confidence: high|medium|low`.
 
 Don't wait until the end of the run.
 
@@ -38,19 +41,22 @@ End every bootstrap / fix-up turn by listing the live config files (path + size
 ## Live config locations
 
 ```
-<engagement-root>/.project-evidence/
-   m365/
-      m365-auth.json          ← stable (OneDrive-synced, hand-edited mostly)
-      m365-mutable.json       ← discovered hints, auto-updated by skill
-   crm/
-      config.yml              ← Dataverse env URL, tenant, schema
-   ado/
-      config.yml              ← organization, projects, queries
-   project-evidence.yml       ← (optional) per-engagement override of personal config
+<workspace>/.kushi/config/
+   shared/                      ← committed; doctrine + team defaults
+      azuredevops.json          ← ADO org/project/field-map doctrine (overwritten on install)
+      dynamics365.json          ← CRM env/schema doctrine (overwritten on install)
+      rsi-program-catalog.json  ← RSI segment reference (overwritten on install)
+      integrations.yml          ← optional team CRM/ADO defaults (seed-once)
+      *.example                 ← reference scaffolds (overwritten on install)
+   user/                        ← gitignored; per-contributor
+      project-evidence.yml      ← your alias, engagement-root, active projects (seed-once)
+      m365-auth.json            ← your tenant, default notebook, mailbox folders (seed-once)
+      m365-mutable.json         ← discovered hints, auto-updated by skill (seed-once)
 ```
 
-## Why outside the kushi repo
+## Why side-by-side
 
-- **Multi-machine portability** — OneDrive-synced beside engagement folders, follows the user wherever they install kushi.
-- **Discoverability** — user can see/edit it next to their engagement work and inside their workspace at `<workspace>/.kushi/config/`, not buried in an OS-hidden home directory.
-- **Repo-safe** — kushi is meant to be GitHub-published; live filled configs MUST never be committed.
+- **Self-contained** — everything Kushi needs to run lives under `.kushi/`. No `.github/config/` split, no `~/.copilot/` scatter.
+- **Multi-user safe** — the `user/` tier is per-contributor and gitignored; `shared/` is committed once and stays in sync via git.
+- **Discoverable** — visible in VS Code's file tree, not buried in an OS-hidden home directory.
+- **Repo-safe** — `<workspace>/.kushi/.gitignore` (auto-written by installer) excludes `config/user/` so personal IDs never leak.

package/plugin/instructions/tracking.instructions.md

@@ -77,7 +77,7 @@ kushi_version: 4.1.0
 - Engagement root: `C:/.../Engagement Assets`
 - Project folder: `HCA Healthcare`
 - Alias: `ushak`
-- Config: `<workspace>/.kushi/config/project-evidence.yml`
+- Config: `<workspace>/.kushi/config/user/project-evidence.yml`
 
 ## Steps taken
 

package/plugin/instructions/workiq-only.instructions.md

@@ -42,13 +42,13 @@ For every M365 source in scope:
 
 1. **WorkIQ FIRST and ONLY.** Issue the canonical query from the table below.
 2. **If WorkIQ returns insufficient content** (empty, truncated, or only a summary when the query asked for verbatim): retry ONCE with the doubled-strict prompt from the same row.
-3. **If WorkIQ still fails or is unavailable**: ask the user to paste the data verbatim. This is a first-class evidence path, not a degradation.
-4. **DO NOT attempt** `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events`, `m365_search_files` (for content), `m365_download_file` (for transcript/notes), or any Graph REST URL for the in-scope sources above. These are FORBIDDEN. Calling them is a defect; coverage.md must NOT show them in the attempt trail.
+3. **If WorkIQ still fails or is unavailable**: follow `deferred-retry-on-workiq-fail.instructions.md` — write a deferred-retry marker under `<project>/Evidence/<alias>/_deferred-retries/`, surface a one-liner in coverage.md and the run report, and **continue the run** for the remaining sources. The next `refresh-project` drains the queue. User-paste remains available as a manual recovery the user MAY do later by populating the artifact directly and deleting the marker — it is NOT the agent's recovery flow.
+4. **DO NOT attempt** `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events`, `m365_search_files` (for content), `m365_download_file` (for transcript/notes), or any Graph REST URL for the in-scope sources above. These are FORBIDDEN — **including as a "last-resort" fallback after WorkIQ fails** (kushi v4.4.1+). Calling them is a defect; coverage.md must NOT show them in the attempt trail. The deferred-retry marker IS the audit trail for WorkIQ failures.
 5. **Allowed alongside WorkIQ** (structured-data dumps only): `m365_list_chat_messages` for chat-id'd threads → `chat-messages.json`. These run in parallel with the WorkIQ pull, not as a substitute.
 
 ## Canonical WorkIQ commands (CODIFIED — do not re-discover)
 
-The CLI is at `<USER_HOME>\.kushi\bin\workiq.cmd` (resolved from `<workspace>/.kushi/config/project-evidence.yml workiq.cli_path`; fall back to PATH; fall back to `~/.kushi/bin/workiq.cmd`).
+The CLI is at `<USER_HOME>\.kushi\bin\workiq.cmd` (resolved from `<workspace>/.kushi/config/user/project-evidence.yml workiq.cli_path`; fall back to PATH; fall back to `~/.kushi/bin/workiq.cmd`).
 
 Invocation shape:
 
@@ -153,7 +153,7 @@ List my Teams meetings between <YYYY-MM-DD> and <YYYY-MM-DD> where the subject c
 
 Before the first WorkIQ query in a run:
 
-1. Resolve CLI path: `<workspace>/.kushi/config/project-evidence.yml workiq.cli_path` → `Get-Command workiq` → `~/.kushi/bin/workiq.cmd`. If none resolves → log `workiq-not-on-path`, write evidence file pointing at install docs, STOP this source.
+1. Resolve CLI path: `<workspace>/.kushi/config/user/project-evidence.yml workiq.cli_path` → `Get-Command workiq` → `~/.kushi/bin/workiq.cmd`. If none resolves → log `workiq-not-on-path`, write evidence file pointing at install docs, STOP this source.
 2. Probe with `workiq ask -q "ping"`. If EULA prompt → `workiq accept-eula` once, retry.
 3. Capture `--version` once into run-log for audit.
 
@@ -174,6 +174,7 @@ If `Result: SUMMARY-ONLY` after doubled-strict retry: the artifact is acceptable
 
 ## Anti-patterns (defects)
 
+0. **Falling back to `m365_get_*` / Graph after a WorkIQ failure (kushi v4.4.1+).** FORBIDDEN. Even framed as "a last-resort partial," "just to try," or "we already have a WorkIQ marker so this is harmless." The doctrine is: WorkIQ fail → deferred-retry marker → continue → next refresh retries. Never a Graph escape hatch. See `deferred-retry-on-workiq-fail.instructions.md`.
 1. **Calling `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events` from a kushi pull-* skill.** FORBIDDEN. These tools have a near-100% failure rate in this workspace. Use WorkIQ.
 2. **Using Graph REST URLs directly** (e.g. `https://graph.microsoft.com/v1.0/me/onlineMeetings/...`) from a kushi pull-* skill. FORBIDDEN for the in-scope M365 sources. Use WorkIQ.
 3. **Re-discovering the right WorkIQ prompt every run.** FORBIDDEN. Use the codified prompts from the table above. If a new source variant is needed, add a row to the table, do not improvise.
@@ -192,3 +193,4 @@ If `Result: SUMMARY-ONLY` after doubled-strict retry: the artifact is acceptable
 - `plugin/instructions/ado-bootstrap-discovery.instructions.md` — ADO is OUT of WorkIQ scope; it uses ADO REST.
 - `plugin/instructions/scope-boundaries.instructions.md` — every pull-* still respects integrations.yml#boundaries.
 - `plugin/instructions/evidence-thoroughness.instructions.md` — verbatim is the bar; this rule operationalizes how to hit it.
+- `plugin/instructions/deferred-retry-on-workiq-fail.instructions.md` (kushi v4.4.1+) — defines exactly what happens when WorkIQ fails. NO Graph fallback. Marker + continue + inform.

package/plugin/lib/Get-KushiConfig.ps1

@@ -0,0 +1,214 @@
+<#
+.SYNOPSIS
+  Resolve and load a Kushi config file from the two-tier .kushi/config/ layout.
+
+.DESCRIPTION
+  Kushi configs live in <workspace>/.kushi/config/ split across two subdirs:
+    - user/    per-contributor identity & local paths (gitignored)
+    - shared/  team-owned, safe to commit (doctrine + team defaults)
+
+  Lookup order (highest-priority first):
+    1. <workspace>/.kushi/config/user/<name>.<ext>
+    2. <workspace>/.kushi/config/shared/<name>.<ext>
+
+  By default the file is parsed (JSON or YAML inferred from extension) and
+  returned as a PowerShell object. Use -Raw for raw text, or -Path to only
+  resolve the path.
+
+  Throws if the file is missing or appears to still hold template
+  placeholder values (sentinel `__FILL_ME_IN__` or `<auto>`). Suppress with
+  -AllowPlaceholders (needed for the identity-resolution flow which fills
+  `<auto>` on first run).
+
+.PARAMETER Name
+  Logical config name, e.g. `project-evidence`, `m365-auth`, `azuredevops`.
+
+.PARAMETER Extension
+  Override extension. Defaults: yml for project-evidence/integrations; json otherwise.
+
+.PARAMETER Workspace
+  Workspace root. Defaults to the current location.
+
+.EXAMPLE
+  $auth = Get-KushiConfig -Name 'm365-auth'
+  $notebookId = $auth.m365Auth.oneNote.defaultNotebookId
+
+.EXAMPLE
+  $cfgPath = Get-KushiConfig -Name 'project-evidence' -Path
+#>
+[CmdletBinding()]
+param(
+  [Parameter(Mandatory = $true, Position = 0)]
+  [string] $Name,
+
+  [ValidateSet('json', 'yml', 'yaml')]
+  [string] $Extension,
+
+  [string] $Workspace = (Get-Location).Path,
+
+  [switch] $Raw,
+  [switch] $Path,
+  [switch] $AllowPlaceholders
+)
+
+$ErrorActionPreference = 'Stop'
+
+# Schema-aware required-field map (kushi v4.4.1+).
+# For each logical config name, list the dot-paths that MUST be populated
+# (non-empty, non-sentinel) before the config is considered usable. The check
+# runs IN ADDITION to the substring sentinel check.
+$script:RequiredFields = @{
+  'm365-auth' = @(
+    'm365Auth.defaultTenantId',
+    'm365Auth.oneNote.defaultNotebookName',
+    'm365Auth.oneNote.defaultNotebookId',
+    'm365Auth.oneNote.defaultLinkOwner',
+    'm365Auth.emailContext.folders',
+    'm365Auth.sharePointContext.localProjectsRoot'
+  )
+  'project-evidence' = @(
+    'identity.alias',
+    'identity.email',
+    'engagement_root'
+  )
+  # integrations.yml is shared and per-project — required-field check is
+  # the consumer skill's job (it knows which sources are enabled).
+  'integrations' = @()
+}
+
+# Sentinel substrings that indicate "still a placeholder."
+$script:Sentinels = @(
+  '__FILL_ME_IN__',
+  '<auto>',
+  '<TENANT_ID>',
+  '<NOTEBOOK_ID>',
+  '<NOTEBOOK_NAME>',
+  '<LINK_OWNER>',
+  '<SP_LOCAL_ROOT>',
+  '<your-alias>',
+  '<Your Full Name>',
+  'your.email@example.com'
+)
+
+function Test-Sentinel {
+  param([string] $Value)
+  if ([string]::IsNullOrWhiteSpace($Value)) { return $true }
+  foreach ($s in $script:Sentinels) {
+    if ($Value -like "*$s*") { return $true }
+  }
+  return $false
+}
+
+function Get-DotPath {
+  param([object] $Obj, [string] $DotPath)
+  $cur = $Obj
+  foreach ($seg in $DotPath -split '\.') {
+    if ($null -eq $cur) { return $null }
+    if ($cur -is [System.Collections.IDictionary]) {
+      $cur = $cur[$seg]
+    } else {
+      $cur = $cur.$seg
+    }
+  }
+  return $cur
+}
+
+function Test-RequiredFields {
+  param([string] $Name, [object] $Parsed)
+  $required = $script:RequiredFields[$Name]
+  if (-not $required) { return @() }
+  $missing = @()
+  foreach ($field in $required) {
+    $val = Get-DotPath -Obj $Parsed -DotPath $field
+    if ($null -eq $val) { $missing += $field; continue }
+    # Arrays: must have at least one non-sentinel element.
+    if ($val -is [System.Collections.IEnumerable] -and -not ($val -is [string])) {
+      $arr = @($val)
+      if ($arr.Count -eq 0) { $missing += $field; continue }
+      $allBlank = $true
+      foreach ($item in $arr) {
+        if ($item -is [string]) {
+          if (-not (Test-Sentinel $item)) { $allBlank = $false; break }
+        } else { $allBlank = $false; break }
+      }
+      if ($allBlank) { $missing += $field }
+      continue
+    }
+    if ($val -is [string] -and (Test-Sentinel $val)) { $missing += $field }
+  }
+  return ,$missing
+}
+
+function Get-DefaultExtension([string] $name) {
+  if ($name -match '^(project-evidence|integrations)$') { return 'yml' }
+  return 'json'
+}
+
+$ext = if ($PSBoundParameters.ContainsKey('Extension')) { $Extension } else { Get-DefaultExtension $Name }
+$fileName = "$Name.$ext"
+
+$configRoot = Join-Path $Workspace '.kushi/config'
+$userPath   = Join-Path $configRoot (Join-Path 'user'   $fileName)
+$sharedPath = Join-Path $configRoot (Join-Path 'shared' $fileName)
+
+$resolved = $null
+if (Test-Path -LiteralPath $userPath -PathType Leaf)        { $resolved = $userPath }
+elseif (Test-Path -LiteralPath $sharedPath -PathType Leaf)  { $resolved = $sharedPath }
+
+if (-not $resolved) {
+  throw @"
+Kushi config '$Name' not found. Looked in:
+  - $userPath
+  - $sharedPath
+Run `npx kushi-agents@latest` to (re)seed config files, then edit
+$userPath with your values.
+"@
+}
+
+if ($Path) { return $resolved }
+
+$raw = Get-Content -LiteralPath $resolved -Raw
+
+if (-not $AllowPlaceholders) {
+  $sentinelHit = $false
+  foreach ($s in $script:Sentinels) {
+    if ($raw -like "*$s*") { $sentinelHit = $true; break }
+  }
+  if ($sentinelHit) {
+    throw @"
+Kushi config '$resolved' still has template placeholders (e.g. __FILL_ME_IN__, <auto>, <TENANT_ID>).
+Edit the file with your actual values, or pass -AllowPlaceholders to bypass this check.
+"@
+  }
+}
+
+if ($Raw) { return $raw }
+
+$parsed = switch ($ext) {
+  'json' {
+    $raw | ConvertFrom-Json -Depth 100
+  }
+  { $_ -in 'yml','yaml' } {
+    if (Get-Module -ListAvailable -Name 'powershell-yaml') {
+      Import-Module powershell-yaml -ErrorAction Stop
+      ConvertFrom-Yaml -Yaml $raw
+    } else {
+      Write-Warning "powershell-yaml not installed; required-field validation skipped. Install with: Install-Module powershell-yaml -Scope CurrentUser"
+      $null
+    }
+  }
+}
+
+if (-not $AllowPlaceholders -and $null -ne $parsed) {
+  $missing = Test-RequiredFields -Name $Name -Parsed $parsed
+  if ($missing.Count -gt 0) {
+    throw @"
+Kushi config '$resolved' is missing required fields:
+$(($missing | ForEach-Object { "  - $_" }) -join "`n")
+Edit the file with your actual values, or pass -AllowPlaceholders to bypass this check.
+"@
+  }
+}
+
+if ($null -eq $parsed) { return $raw }
+return $parsed

package/plugin/prompts/bootstrap.prompt.md

@@ -1,35 +1,64 @@
----
-name: bootstrap
-description: "First-time setup for a new project — scaffold folders, lay configs side-by-side, do an initial 30-day pull, build State."
-argument-hint: "Project name (fuzzy-matched under engagement-root); optional initial pull window"
-agent: kushi
-tools: [search, read/readFile, edit, agent, execute/runInTerminal, execute/getTerminalOutput, 'workiq/*']
----
-
-## User Input
-
-```text
-${input:project:Project name, e.g. HCA}
-${input:window:Optional initial pull window — last N days, since YYYY-MM-DD, or YYYY-MM-DD..YYYY-MM-DD (default 30 days)}
-```
-
-# /bootstrap
-
-Route to `@Kushi bootstrap <project>`.
-
-Inputs the agent will resolve:
-- `<project>` — the engagement folder name (fuzzy-match under engagement-root if needed).
-- `<window>` — defaults to 30 days. Override with `last 60 days`, `since 2026-04-01`, or `2026-04-01..2026-05-01`.
-
-Reads:
-- `<workspace>/.kushi/config/project-evidence.yml` for alias + engagement-root.
-
-Produces:
-- `<engagement-root>/.project-evidence/m365/{m365-auth,m365-mutable}.json` (per-user filled)
-- `<engagement-root>/<project>/integrations.yml`
-- `<engagement-root>/<project>/Evidence/{contributors.yml, run-log.yml, <alias>/.settings.yml, <alias>/{email,teams,meetings,onenote,sharepoint,crm,ado}/{snapshot,stream}/}`
-- `<engagement-root>/<project>/State/{00..09}_*.md`
-
-Delegates to `bootstrap-project` skill. After scaffolding, calls each `pull-<source>` skill, then `build-state`.
-
-Tracking: see `tracking.instructions.md`. Write `<workspace>/.kushi/tracking/runs/{{YYYY-MM-DD}}-<project>-bootstrap.md` as the final step.
+---
+name: bootstrap
+description: "First-time setup for a new project — scaffold folders, lay configs side-by-side, do an initial 30-day pull, build State."
+argument-hint: "Project name (fuzzy-matched under engagement-root); optional initial pull window"
+agent: kushi
+tools: [search, read/readFile, edit, agent, execute/runInTerminal, execute/getTerminalOutput, 'workiq/*']
+---
+
+## User Input
+
+```text
+${input:project:Project name, e.g. HCA}
+${input:window:Optional initial pull window — last N days, since YYYY-MM-DD, or YYYY-MM-DD..YYYY-MM-DD (default 30 days)}
+```
+
+# /bootstrap
+
+Route to `@Kushi bootstrap <project>`.
+
+Inputs the agent will resolve:
+- `<project>` — the engagement folder name (fuzzy-match under engagement-root if needed).
+- `<window>` — defaults to 30 days. Override with `last 60 days`, `since 2026-04-01`, or `2026-04-01..2026-05-01`.
+
+Reads:
+- `<workspace>/.kushi/config/user/project-evidence.yml` for alias + engagement-root.
+- `<workspace>/.kushi/config/user/m365-auth.json` for tenant + default notebook + mailbox-folder hints.
+- `<workspace>/.kushi/config/shared/integrations.yml` for ADO/CRM org-level connections (shared per project).
+
+**Step 0 — verify per-user config is filled** (the minimum the bootstrap skill needs before it can discover the rest). Before any pull, call:
+
+```powershell
+& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'project-evidence' -AllowPlaceholders | Out-Null  # tolerates <auto>; identity-resolution fills it
+& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'm365-auth'                                       # hard-fails on placeholders in required fields
+```
+
+`Get-KushiConfig -Name 'm365-auth'` (kushi v4.4.1+) checks both: (a) no `__FILL_ME_IN__` / sentinel strings anywhere, AND (b) the required-field set is populated:
+`defaultTenantId`, `oneNote.defaultNotebookName`, `oneNote.defaultNotebookId`, `oneNote.defaultLinkOwner`, `emailContext.folders[]` (≥ 1 entry), `sharePointContext.localProjectsRoot`.
+
+If it throws, STOP and prompt the user with the exact missing-field list:
+
+> ⚠ `<workspace>/.kushi/config/user/m365-auth.json` is missing required fields: `<list from the helper>`. Open it, fill in those values, then re-run `bootstrap`. Everything else (section IDs, calendar series, specific mailbox folder discovery, channel IDs, SharePoint site IDs, CRM `crmRecordId`, ADO work-item IDs) is the bootstrap skill's job to **discover via WorkIQ + per-source probes** — do NOT pre-fill those.
+
+Continue only when both helper calls succeed (`project-evidence.yml` is allowed to still have `<auto>` for identity; identity-resolution.instructions.md fills it in Step 0 of the bootstrap skill).
+
+**What the bootstrap SKILL discovers (you do NOT need to pre-fill any of this):**
+- Identity (`alias`, `email`, `display_name`) — resolved via WorkIQ if `<auto>`.
+- OneNote section identifiers (`one_sectionFileId`, `one_sectionGroupId`, `one_sectionOneNoteGuid`, `one_notebookSourceDoc`) — discovered from the user-provided section name.
+- Calendar series, meeting `joinUrl`s, Teams chat/channel hints, SharePoint site/web/list IDs — discovered per source.
+- CRM account `crmRecordId` — discovered via the 4-step Dataverse REST sequence.
+- ADO area path / iteration / work-item IDs — discovered via ADO REST.
+
+On WorkIQ failure during discovery, per `deferred-retry-on-workiq-fail.instructions.md`: the bootstrap skill writes a marker, surfaces it in the run report, and continues. **It does NOT call `m365_get_*` / Graph as a fallback.** The next `refresh` drains the queue.
+
+Produces:
+- `<workspace>/.kushi/config/user/{m365-auth,m365-mutable}.json` (per-user, hand-edited above + auto-populated by Step 4a)
+- `<workspace>/.kushi/config/shared/integrations.yml` (shared, ADO/CRM connection blocks; per-project `boundaries:` lives in the project file below)
+- `<engagement-root>/<project>/integrations.yml` (per-project boundaries + enabled-sources, shared via OneDrive)
+- `<engagement-root>/<project>/Evidence/{contributors.yml, run-log.yml, <alias>/.settings.yml, <alias>/{email,teams,meetings,onenote,sharepoint,crm,ado}/{snapshot,stream}/, <alias>/_deferred-retries/}`
+- `<engagement-root>/<project>/State/{00..09}_*.md` (full profile only)
+- `<engagement-root>/<project>/bootstrap-status.md` (shared, multi-user safe)
+
+Delegates to `bootstrap-project` skill. After scaffolding, calls each `pull-<source>` skill, then `build-state` (full profile only).
+
+Tracking: see `tracking.instructions.md`. Write `<workspace>/.kushi/tracking/runs/{{YYYY-MM-DD}}-<project>-bootstrap.md` as the final step.

package/plugin/reference-packs/README.md

@@ -33,7 +33,7 @@ Skills must always:
 What does **not** go in a pack:
 
 - Per-engagement data (lives under `<project>/Evidence/`)
-- Per-user identity / configs (lives in `<workspace>/.kushi/config/project-evidence.yml`)
+- Per-user identity / configs (lives in `<workspace>/.kushi/config/user/project-evidence.yml`)
 - Skill behavior (lives in `plugin/skills/<skill>/SKILL.md`)
 - Cross-cutting agent doctrine (lives in `plugin/instructions/*.instructions.md`)
 

package/plugin/skills/apply-ado-update/SKILL.md

@@ -30,14 +30,14 @@ Belongs to the **`preview`** profile. Opt in via `npx kushi-agents --clawpilot -
 
 ## Deterministic config — do not invent paths
 
-Same as `propose-ado-update`. Reads ADO connection from `<engagement-root>/.project-evidence/ado/config.yml`, per-project `engagement_id` and `writes:` block from `<engagement-root>/<project>/integrations.yml ado:`. Never asks for paths the bootstrap layer already resolved.
+Same as `propose-ado-update`. Reads ADO connection from `<workspace>/.kushi/config/shared/integrations.yml`, per-project `engagement_id` and `writes:` block from `<engagement-root>/<project>/integrations.yml ado:`. Never asks for paths the bootstrap layer already resolved.
 
 ## Pre-flight (HARD — do not bypass)
 
 1. **Resolve engagement root + project** per `engagement-root-resolution.instructions.md`.
 2. Confirm `<project>/integrations.yml ado.engagement_id > 0`. If 0 → abort with the same message `propose-ado-update` uses ("ADO Initiative not yet linked").
 3. Confirm `<project>/ado-updates/<YYYY-MM-DD>/proposed.md` exists. If not → tell user to run `@Kushi propose ado <project>` first. Never fabricate a proposal.
-4. Per `azure-auth-patterns.instructions.md` — Section 1 (session pre-check) + Section 3 (ADO tenant validation, using `<engagement-root>/.project-evidence/ado/config.yml`) **must** complete green before any further step.
+4. Per `azure-auth-patterns.instructions.md` — Section 1 (session pre-check) + Section 3 (ADO tenant validation, using `<workspace>/.kushi/config/shared/integrations.yml`) **must** complete green before any further step.
 
 ## Steps (current preview-stub behavior)
 

package/plugin/skills/ask-project/SKILL.md

@@ -40,7 +40,7 @@ In order, stop on first hit:
 1. Exact `<engagement-root>/<project>/Evidence/` folder.
 2. Fuzzy match against `discovery.project_aliases` in any `<engagement-root>/<project>/Evidence/<alias>/.settings.yml`.
 3. `<engagement-root>/<project>/external-context/` (lighter-weight projects without full bootstrap).
-4. `<workspace>/.kushi/config/project-evidence.yml` `active_projects` list.
+4. `<workspace>/.kushi/config/user/project-evidence.yml` `active_projects` list.
 
 If zero matches → ask user. If multiple → list candidates and ask user to pick. **Echo the resolved root path before answering** so the user can confirm.
 

package/plugin/skills/bootstrap-project/SKILL.md

@@ -31,6 +31,8 @@ The active profile is read from `kushi-install.json#profile` next to this agent
 
 After every run (success or coverage-gaps), write `<project>/bootstrap-status.md` per the format contract in `instructions/bootstrap-status-format.instructions.md`. This is the project's fast-orientation artifact — required tables, normalized status vocabulary (`resolved`, `populated`, `unsynced`, `degraded-list-only`, `throttled-tooManyRequests`, `ado-not-complete`, `completed-with-coverage-gaps`), one-line final status. Do NOT inline run history here; that goes in `update-status.md`.
 
+> **Multi-contributor safety (kushi v4.4.0+)**: this file is shared via OneDrive. Per `multi-user-shared-files.instructions.md`, every write MUST: (a) absorb sibling conflict copies, (b) preserve other aliases' rows in `## Contributors who have bootstrapped this project`, (c) cite the discovering alias in per-source rows. Same rules apply to `<project>/integrations.yml`, `<project>/OPEN-QUESTIONS-DRAFT.md`, `<project>/Evidence/run-log.yml`, `<project>/Evidence/contributors.yml`.
+
 ## Inputs
 
 - `<project>` — engagement name (fuzzy-matched per `engagement-root-resolution.instructions.md`).
@@ -41,7 +43,7 @@ After every run (success or coverage-gaps), write `<project>/bootstrap-status.md
 
 ### Step 0 — Identity resolution (REQUIRED, never asks the user)
 
-Per `identity-resolution.instructions.md`. Read `<workspace>/.kushi/config/project-evidence.yml`:
+Per `identity-resolution.instructions.md`. Read `<workspace>/.kushi/config/user/project-evidence.yml`:
 
 * If `alias`, `email`, or `display_name` is missing / `<auto>` / matches a placeholder → call WorkIQ once:
   ```
@@ -49,7 +51,7 @@ Per `identity-resolution.instructions.md`. Read `<workspace>/.kushi/config/proje
   ```
   Map `upn → email`, `displayName → display_name`, `mailNickname → alias` (fallback `email.split('@')[0]`).
 * Persist resolved values back to the YAML (preserve comments).
-* Echo one line: `✓ Identity: <displayName> <<UPN>> (alias=<alias>). Edit .kushi/config/project-evidence.yml to override.`
+* Echo one line: `✓ Identity: <displayName> <<UPN>> (alias=<alias>). Edit .kushi/config/user/project-evidence.yml to override.`
 * If all three are already explicit non-placeholder values → skip silently.
 
 Hard stop if WorkIQ returns auth error or empty — print the WorkIQ sign-in hint and exit. Never fall back to asking the user.
@@ -59,13 +61,13 @@ Hard stop if WorkIQ returns auth error or empty — print the WorkIQ sign-in hin
 Verify in order. Stop on hard failures.
 
 1. **OS + host runtime** — display OS + Node/PowerShell version. Informational.
-2. **WorkIQ install (REQUIRED, hard stop)** — read `<workspace>/.kushi/config/project-evidence.yml workiq.cli_path`. If missing, probe known paths:
+2. **WorkIQ install (REQUIRED, hard stop)** — read `<workspace>/.kushi/config/user/project-evidence.yml workiq.cli_path`. If missing, probe known paths:
    - `$HOME\.kushi\bin\workiq.cmd`
    - `$env:LOCALAPPDATA\Programs\WorkIQ\workiq.cmd`
    - `$env:ProgramFiles\WorkIQ\workiq.cmd`
    If found, persist path. If not found, ask user for path (or to install). Test with `<workiq.cli_path> --help`. Without WorkIQ, M365 sources will all fail — STOP.
-3. **Conditional az login** — only if `<engagement-root>/.project-evidence/crm/config.yml` OR `<engagement-root>/.project-evidence/ado/config.yml` exists. Per `az-auth-conditional.instructions.md`. Soft warning on failure, never blocking.
-4. **Engagement-root resolution** — per `engagement-root-resolution.instructions.md`. Persist to `<workspace>/.kushi/config/project-evidence.yml engagement_root` if newly resolved.
+3. **Conditional az login** — only if `<workspace>/.kushi/config/shared/integrations.yml` OR `<workspace>/.kushi/config/shared/integrations.yml` exists. Per `az-auth-conditional.instructions.md`. Soft warning on failure, never blocking.
+4. **Engagement-root resolution** — per `engagement-root-resolution.instructions.md`. Persist to `<workspace>/.kushi/config/user/project-evidence.yml engagement_root` if newly resolved.
 
 Display SETUP summary table with ✅ / ⚙️ / ❌ / ⚠️ / ➖ markers.
 
@@ -77,20 +79,20 @@ Required live files:
 
 | Live file | Template source |
 |---|---|
-| `<workspace>/.kushi/config/project-evidence.yml` | `templates/init/project-evidence.template.yml` (seeded by installer) |
-| `<workspace>/.kushi/config/integrations.yml` | `templates/init/integrations.template.yml` (seeded by installer) |
-| `<engagement-root>/.project-evidence/m365/m365-auth.json` | `templates/init/m365-auth.template.json` |
-| `<engagement-root>/.project-evidence/m365/m365-mutable.json` | `templates/init/m365-mutable.template.json` |
+| `<workspace>/.kushi/config/user/project-evidence.yml` | `templates/init/project-evidence.template.yml` (seeded by installer) |
+| `<workspace>/.kushi/config/shared/integrations.yml` | `templates/init/integrations.template.yml` (seeded by installer) |
+| `<workspace>/.kushi/config/user/m365-auth.json` | `templates/init/m365-auth.template.json` |
+| `<workspace>/.kushi/config/user/m365-mutable.json` | `templates/init/m365-mutable.template.json` |
 | `<engagement-root>/<project>/integrations.yml` | `templates/init/project-integrations.template.yml` |
 | `<engagement-root>/<project>/Evidence/contributors.yml` | `templates/init/project-contributors.template.yml` |
 | `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` | `templates/init/project-user-settings.template.yml` |
 
-Optional (only if user enables CRM/ADO):
+Optional (only if user enables CRM/ADO — both go into `<workspace>/.kushi/config/shared/integrations.yml` `crm:` and `ado:` blocks, NOT separate files):
 
-| Live file | Template source |
+| Live destination | Source |
 |---|---|
-| `<engagement-root>/.project-evidence/crm/config.yml` | `templates/init/crm-config.template.yml` |
-| `<engagement-root>/.project-evidence/ado/config.yml` | `templates/init/ado-config.template.yml` |
+| `<workspace>/.kushi/config/shared/integrations.yml` `crm:` block | already seeded by `templates/init/integrations.template.yml` — fill in `crm.environmentUrl` + `crm.tenantId` |
+| `<workspace>/.kushi/config/shared/integrations.yml` `ado:` block | already seeded by `templates/init/integrations.template.yml` — fill in `ado.organization` + `ado.project` |
 
 **Boundaries upgrade for existing projects (v3.7.0+):** If `<engagement-root>/<project>/integrations.yml` already exists but has no top-level `boundaries:` key, append the scaffolded `boundaries:` block from `templates/init/project-integrations.template.yml` (preserving every existing key). Then proceed to Step 4 to populate it.
 
@@ -119,15 +121,15 @@ The `State/` subtree is created **only on `full` profile**. On `standard`, only
 
 **Boundaries gate** (kushi v3.7.0+, per `scope-boundaries.instructions.md`): before dispatching any `pull-*`, read `<engagement-root>/<project>/integrations.yml#boundaries` and verify each enabled source has its required boundary key populated. For sources where bootstrap can auto-populate from existing `m365-mutable.json` discovery hints (e.g. a previously-discovered `section_file_id` lands in `boundaries.onenote.section_file_ids`), do so and continue. For sources where the boundary cannot be auto-populated, write the source as **disabled** in `integrations.yml` and add a one-liner to `<project>/OPEN-QUESTIONS-DRAFT.md` (or `State/09_open-questions.md` on `full` profile) asking the user to fill the boundary and re-enable.
 
-For CRM and ADO additionally verify the global config files exist (`<engagement-root>/.project-evidence/{crm,ado}/config.yml`) with non-placeholder values; if missing, scaffold from `templates/init/{crm,ado}-config.template.yml` and park in Open Questions with the path and template reference. **Do NOT auto-improvise** by inferring a tenant/org or by narrating CRM evidence from email — both are explicit anti-patterns in v3.7.0.
+For CRM and ADO additionally verify the shared connection block exists in `<workspace>/.kushi/config/shared/integrations.yml` (`crm:` block with `environmentUrl` + `tenantId`, OR `ado:` block with `organization` + `project`) with non-placeholder values; if missing, prompt the user to fill those two/four fields directly (no separate template files — they live in `templates/init/integrations.template.yml`) and park in Open Questions with the path. **Do NOT auto-improvise** by inferring a tenant/org or by narrating CRM evidence from email — both are explicit anti-patterns in v3.7.0.
 
-**CRM discovery is REQUIRED before declaring `disabled` (kushi v3.11.0+, per `crm-bootstrap-discovery.instructions.md`).** If `<engagement-root>/.project-evidence/crm/config.yml` exists and `az` auth succeeds, bootstrap MUST run the full 4-step Dataverse REST resolution sequence from `pull-crm/SKILL.md#resolution-order-when-crmrecordid-is-unset` (title-first → all matching accounts → wide-text → recent-slice → ask user) against the live endpoint before writing `boundaries.crm.disabled: true`. Any other path that sets `disabled: true` is a defect. If steps 1–4 all return 0, present the top 5 candidates from step 4 to the user before final disposition. Log the full attempt trail (queries + counts + outcome) to the bootstrap refresh-report under `## CRM resolution attempts`. If auth fails or Dataverse is unreachable, leave the boundary empty with `reason: 'crm-auth-unavailable-<date>'` — NOT `disabled: true` — so the next refresh retries.
+**CRM discovery is REQUIRED before declaring `disabled` (kushi v3.11.0+, per `crm-bootstrap-discovery.instructions.md`).** If `<workspace>/.kushi/config/shared/integrations.yml` exists and `az` auth succeeds, bootstrap MUST run the full 4-step Dataverse REST resolution sequence from `pull-crm/SKILL.md#resolution-order-when-crmrecordid-is-unset` (title-first → all matching accounts → wide-text → recent-slice → ask user) against the live endpoint before writing `boundaries.crm.disabled: true`. Any other path that sets `disabled: true` is a defect. If steps 1–4 all return 0, present the top 5 candidates from step 4 to the user before final disposition. Log the full attempt trail (queries + counts + outcome) to the bootstrap refresh-report under `## CRM resolution attempts`. If auth fails or Dataverse is unreachable, leave the boundary empty with `reason: 'crm-auth-unavailable-<date>'` — NOT `disabled: true` — so the next refresh retries.
 
 #### Step 4a — Discovery & registry persistence (REQUIRED, kushi v3.7.8+, per `m365-id-registry.instructions.md`)
 
 **Doctrine: bootstrap discovers, refresh consumes.** Bootstrap is the ONLY phase that probes WorkIQ to resolve canonical M365 identifiers. Refresh runs MUST read these from `m365-mutable.json#knownSections.<project>` and pass them into the index extractor verbatim. Refresh must NEVER re-discover — that is the source of "OneNote works for me sometimes" non-determinism.
 
-For each enabled source, resolve and persist the canonical lookup keys into `<engagement-root>/.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>`. The schema is fixed — populate every key the source supports:
+For each enabled source, resolve and persist the canonical lookup keys into `<workspace>/.kushi/config/user/m365-mutable.json#knownSections.<projectKey>`. The schema is fixed — populate every key the source supports:
 
 ```jsonc
 "knownSections": {

package/plugin/skills/intro/SKILL.md

@@ -138,7 +138,7 @@ Present this verbatim:
 
 Before opening, check whether any project is already bootstrapped:
 
-1. Read `<workspace>/.kushi/config/project-evidence.yml` (personal config). If `active_projects` has entries, pick the most recent as the demo target — substitute that name into `{{active_project}}` placeholders below.
+1. Read `<workspace>/.kushi/config/user/project-evidence.yml` (personal config). If `active_projects` has entries, pick the most recent as the demo target — substitute that name into `{{active_project}}` placeholders below.
 2. If none, propose a fictional project named **Contoso Discovery** and tell the user that Try-it prompts will use that name; they can substitute their own at any time.
 
 ### Navigation Keywords
@@ -444,6 +444,6 @@ Reply `next` to see the closing cheat sheet, or `done` to exit.
 - Rule 1.2: Mode selection must always present BOTH options — never auto-route to one mode.
 - Rule 1.3: In walkthrough mode, each moment must wait for `next` / `skip` / `done` / `try` before advancing — never auto-advance.
 - Rule 1.4: `done` must work at every moment — never trap the user.
-- Rule 1.5: Try-it prompts must use the active project name from `<workspace>/.kushi/config/project-evidence.yml`, OR the placeholder `Contoso Discovery` if no projects are configured. Never invent a real-sounding project name.
+- Rule 1.5: Try-it prompts must use the active project name from `<workspace>/.kushi/config/user/project-evidence.yml`, OR the placeholder `Contoso Discovery` if no projects are configured. Never invent a real-sounding project name.
 - Rule 1.6: Skill descriptions in this file must match `kushi.agent.md` and the live `SKILL.md` files — `self-check` D-checks catch drift.
 - Rule 1.7: Demo moments must reflect the actual verb count in `kushi.agent.md`. If a verb is added or removed, this file must be updated in the same commit (`self-check` warns on drift).