kushi-agents 4.4.0 → 4.4.1

package/plugin/prompts/bootstrap.prompt.md

@@ -1,49 +1,64 @@
----
-name: bootstrap
-description: "First-time setup for a new project — scaffold folders, lay configs side-by-side, do an initial 30-day pull, build State."
-argument-hint: "Project name (fuzzy-matched under engagement-root); optional initial pull window"
-agent: kushi
-tools: [search, read/readFile, edit, agent, execute/runInTerminal, execute/getTerminalOutput, 'workiq/*']
----
-
-## User Input
-
-```text
-${input:project:Project name, e.g. HCA}
-${input:window:Optional initial pull window — last N days, since YYYY-MM-DD, or YYYY-MM-DD..YYYY-MM-DD (default 30 days)}
-```
-
-# /bootstrap
-
-Route to `@Kushi bootstrap <project>`.
-
-Inputs the agent will resolve:
-- `<project>` — the engagement folder name (fuzzy-match under engagement-root if needed).
-- `<window>` — defaults to 30 days. Override with `last 60 days`, `since 2026-04-01`, or `2026-04-01..2026-05-01`.
-
-Reads:
-- `<workspace>/.kushi/config/user/project-evidence.yml` for alias + engagement-root.
-- `<workspace>/.kushi/config/user/m365-auth.json` for tenant + default notebook + mailbox-folder hints.
-
-**Step 0 — verify per-user config is filled.** Before any pull, call:
-
-```powershell
-& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'project-evidence' -AllowPlaceholders | Out-Null  # tolerates <auto>; identity-resolution fills it
-& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'm365-auth'                                       # hard-fails on placeholders
-```
-
-If `Get-KushiConfig -Name 'm365-auth'` throws (file missing or still `__FILL_ME_IN__`), STOP and prompt the user:
-
-> ⚠ `<workspace>/.kushi/config/user/m365-auth.json` still has template placeholders. Open it and fill in your tenant ID, default OneNote notebook ID, mailbox folder names, and SharePoint root before re-running `bootstrap`.
-
-Continue only when both helper calls succeed.
-
-Produces:
-- `<engagement-root>/.project-evidence/m365/{m365-auth,m365-mutable}.json` (per-user filled)
-- `<engagement-root>/<project>/integrations.yml`
-- `<engagement-root>/<project>/Evidence/{contributors.yml, run-log.yml, <alias>/.settings.yml, <alias>/{email,teams,meetings,onenote,sharepoint,crm,ado}/{snapshot,stream}/}`
-- `<engagement-root>/<project>/State/{00..09}_*.md`
-
-Delegates to `bootstrap-project` skill. After scaffolding, calls each `pull-<source>` skill, then `build-state`.
-
-Tracking: see `tracking.instructions.md`. Write `<workspace>/.kushi/tracking/runs/{{YYYY-MM-DD}}-<project>-bootstrap.md` as the final step.
+---
+name: bootstrap
+description: "First-time setup for a new project — scaffold folders, lay configs side-by-side, do an initial 30-day pull, build State."
+argument-hint: "Project name (fuzzy-matched under engagement-root); optional initial pull window"
+agent: kushi
+tools: [search, read/readFile, edit, agent, execute/runInTerminal, execute/getTerminalOutput, 'workiq/*']
+---
+
+## User Input
+
+```text
+${input:project:Project name, e.g. HCA}
+${input:window:Optional initial pull window — last N days, since YYYY-MM-DD, or YYYY-MM-DD..YYYY-MM-DD (default 30 days)}
+```
+
+# /bootstrap
+
+Route to `@Kushi bootstrap <project>`.
+
+Inputs the agent will resolve:
+- `<project>` — the engagement folder name (fuzzy-match under engagement-root if needed).
+- `<window>` — defaults to 30 days. Override with `last 60 days`, `since 2026-04-01`, or `2026-04-01..2026-05-01`.
+
+Reads:
+- `<workspace>/.kushi/config/user/project-evidence.yml` for alias + engagement-root.
+- `<workspace>/.kushi/config/user/m365-auth.json` for tenant + default notebook + mailbox-folder hints.
+- `<workspace>/.kushi/config/shared/integrations.yml` for ADO/CRM org-level connections (shared per project).
+
+**Step 0 — verify per-user config is filled** (the minimum the bootstrap skill needs before it can discover the rest). Before any pull, call:
+
+```powershell
+& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'project-evidence' -AllowPlaceholders | Out-Null  # tolerates <auto>; identity-resolution fills it
+& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'm365-auth'                                       # hard-fails on placeholders in required fields
+```
+
+`Get-KushiConfig -Name 'm365-auth'` (kushi v4.4.1+) checks both: (a) no `__FILL_ME_IN__` / sentinel strings anywhere, AND (b) the required-field set is populated:
+`defaultTenantId`, `oneNote.defaultNotebookName`, `oneNote.defaultNotebookId`, `oneNote.defaultLinkOwner`, `emailContext.folders[]` (≥ 1 entry), `sharePointContext.localProjectsRoot`.
+
+If it throws, STOP and prompt the user with the exact missing-field list:
+
+> ⚠ `<workspace>/.kushi/config/user/m365-auth.json` is missing required fields: `<list from the helper>`. Open it, fill in those values, then re-run `bootstrap`. Everything else (section IDs, calendar series, specific mailbox folder discovery, channel IDs, SharePoint site IDs, CRM `crmRecordId`, ADO work-item IDs) is the bootstrap skill's job to **discover via WorkIQ + per-source probes** — do NOT pre-fill those.
+
+Continue only when both helper calls succeed (`project-evidence.yml` is allowed to still have `<auto>` for identity; identity-resolution.instructions.md fills it in Step 0 of the bootstrap skill).
+
+**What the bootstrap SKILL discovers (you do NOT need to pre-fill any of this):**
+- Identity (`alias`, `email`, `display_name`) — resolved via WorkIQ if `<auto>`.
+- OneNote section identifiers (`one_sectionFileId`, `one_sectionGroupId`, `one_sectionOneNoteGuid`, `one_notebookSourceDoc`) — discovered from the user-provided section name.
+- Calendar series, meeting `joinUrl`s, Teams chat/channel hints, SharePoint site/web/list IDs — discovered per source.
+- CRM account `crmRecordId` — discovered via the 4-step Dataverse REST sequence.
+- ADO area path / iteration / work-item IDs — discovered via ADO REST.
+
+On WorkIQ failure during discovery, per `deferred-retry-on-workiq-fail.instructions.md`: the bootstrap skill writes a marker, surfaces it in the run report, and continues. **It does NOT call `m365_get_*` / Graph as a fallback.** The next `refresh` drains the queue.
+
+Produces:
+- `<workspace>/.kushi/config/user/{m365-auth,m365-mutable}.json` (per-user, hand-edited above + auto-populated by Step 4a)
+- `<workspace>/.kushi/config/shared/integrations.yml` (shared, ADO/CRM connection blocks; per-project `boundaries:` lives in the project file below)
+- `<engagement-root>/<project>/integrations.yml` (per-project boundaries + enabled-sources, shared via OneDrive)
+- `<engagement-root>/<project>/Evidence/{contributors.yml, run-log.yml, <alias>/.settings.yml, <alias>/{email,teams,meetings,onenote,sharepoint,crm,ado}/{snapshot,stream}/, <alias>/_deferred-retries/}`
+- `<engagement-root>/<project>/State/{00..09}_*.md` (full profile only)
+- `<engagement-root>/<project>/bootstrap-status.md` (shared, multi-user safe)
+
+Delegates to `bootstrap-project` skill. After scaffolding, calls each `pull-<source>` skill, then `build-state` (full profile only).
+
+Tracking: see `tracking.instructions.md`. Write `<workspace>/.kushi/tracking/runs/{{YYYY-MM-DD}}-<project>-bootstrap.md` as the final step.

package/plugin/skills/apply-ado-update/SKILL.md

@@ -30,14 +30,14 @@ Belongs to the **`preview`** profile. Opt in via `npx kushi-agents --clawpilot -
 
 ## Deterministic config — do not invent paths
 
-Same as `propose-ado-update`. Reads ADO connection from `<engagement-root>/.project-evidence/ado/config.yml`, per-project `engagement_id` and `writes:` block from `<engagement-root>/<project>/integrations.yml ado:`. Never asks for paths the bootstrap layer already resolved.
+Same as `propose-ado-update`. Reads ADO connection from `<workspace>/.kushi/config/shared/integrations.yml`, per-project `engagement_id` and `writes:` block from `<engagement-root>/<project>/integrations.yml ado:`. Never asks for paths the bootstrap layer already resolved.
 
 ## Pre-flight (HARD — do not bypass)
 
 1. **Resolve engagement root + project** per `engagement-root-resolution.instructions.md`.
 2. Confirm `<project>/integrations.yml ado.engagement_id > 0`. If 0 → abort with the same message `propose-ado-update` uses ("ADO Initiative not yet linked").
 3. Confirm `<project>/ado-updates/<YYYY-MM-DD>/proposed.md` exists. If not → tell user to run `@Kushi propose ado <project>` first. Never fabricate a proposal.
-4. Per `azure-auth-patterns.instructions.md` — Section 1 (session pre-check) + Section 3 (ADO tenant validation, using `<engagement-root>/.project-evidence/ado/config.yml`) **must** complete green before any further step.
+4. Per `azure-auth-patterns.instructions.md` — Section 1 (session pre-check) + Section 3 (ADO tenant validation, using `<workspace>/.kushi/config/shared/integrations.yml`) **must** complete green before any further step.
 
 ## Steps (current preview-stub behavior)
 

package/plugin/skills/bootstrap-project/SKILL.md

@@ -66,7 +66,7 @@ Verify in order. Stop on hard failures.
    - `$env:LOCALAPPDATA\Programs\WorkIQ\workiq.cmd`
    - `$env:ProgramFiles\WorkIQ\workiq.cmd`
    If found, persist path. If not found, ask user for path (or to install). Test with `<workiq.cli_path> --help`. Without WorkIQ, M365 sources will all fail — STOP.
-3. **Conditional az login** — only if `<engagement-root>/.project-evidence/crm/config.yml` OR `<engagement-root>/.project-evidence/ado/config.yml` exists. Per `az-auth-conditional.instructions.md`. Soft warning on failure, never blocking.
+3. **Conditional az login** — only if `<workspace>/.kushi/config/shared/integrations.yml` OR `<workspace>/.kushi/config/shared/integrations.yml` exists. Per `az-auth-conditional.instructions.md`. Soft warning on failure, never blocking.
 4. **Engagement-root resolution** — per `engagement-root-resolution.instructions.md`. Persist to `<workspace>/.kushi/config/user/project-evidence.yml engagement_root` if newly resolved.
 
 Display SETUP summary table with ✅ / ⚙️ / ❌ / ⚠️ / ➖ markers.
@@ -81,18 +81,18 @@ Required live files:
 |---|---|
 | `<workspace>/.kushi/config/user/project-evidence.yml` | `templates/init/project-evidence.template.yml` (seeded by installer) |
 | `<workspace>/.kushi/config/shared/integrations.yml` | `templates/init/integrations.template.yml` (seeded by installer) |
-| `<engagement-root>/.project-evidence/m365/m365-auth.json` | `templates/init/m365-auth.template.json` |
-| `<engagement-root>/.project-evidence/m365/m365-mutable.json` | `templates/init/m365-mutable.template.json` |
+| `<workspace>/.kushi/config/user/m365-auth.json` | `templates/init/m365-auth.template.json` |
+| `<workspace>/.kushi/config/user/m365-mutable.json` | `templates/init/m365-mutable.template.json` |
 | `<engagement-root>/<project>/integrations.yml` | `templates/init/project-integrations.template.yml` |
 | `<engagement-root>/<project>/Evidence/contributors.yml` | `templates/init/project-contributors.template.yml` |
 | `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` | `templates/init/project-user-settings.template.yml` |
 
-Optional (only if user enables CRM/ADO):
+Optional (only if user enables CRM/ADO — both go into `<workspace>/.kushi/config/shared/integrations.yml` `crm:` and `ado:` blocks, NOT separate files):
 
-| Live file | Template source |
+| Live destination | Source |
 |---|---|
-| `<engagement-root>/.project-evidence/crm/config.yml` | `templates/init/crm-config.template.yml` |
-| `<engagement-root>/.project-evidence/ado/config.yml` | `templates/init/ado-config.template.yml` |
+| `<workspace>/.kushi/config/shared/integrations.yml` `crm:` block | already seeded by `templates/init/integrations.template.yml` — fill in `crm.environmentUrl` + `crm.tenantId` |
+| `<workspace>/.kushi/config/shared/integrations.yml` `ado:` block | already seeded by `templates/init/integrations.template.yml` — fill in `ado.organization` + `ado.project` |
 
 **Boundaries upgrade for existing projects (v3.7.0+):** If `<engagement-root>/<project>/integrations.yml` already exists but has no top-level `boundaries:` key, append the scaffolded `boundaries:` block from `templates/init/project-integrations.template.yml` (preserving every existing key). Then proceed to Step 4 to populate it.
 
@@ -121,15 +121,15 @@ The `State/` subtree is created **only on `full` profile**. On `standard`, only
 
 **Boundaries gate** (kushi v3.7.0+, per `scope-boundaries.instructions.md`): before dispatching any `pull-*`, read `<engagement-root>/<project>/integrations.yml#boundaries` and verify each enabled source has its required boundary key populated. For sources where bootstrap can auto-populate from existing `m365-mutable.json` discovery hints (e.g. a previously-discovered `section_file_id` lands in `boundaries.onenote.section_file_ids`), do so and continue. For sources where the boundary cannot be auto-populated, write the source as **disabled** in `integrations.yml` and add a one-liner to `<project>/OPEN-QUESTIONS-DRAFT.md` (or `State/09_open-questions.md` on `full` profile) asking the user to fill the boundary and re-enable.
 
-For CRM and ADO additionally verify the global config files exist (`<engagement-root>/.project-evidence/{crm,ado}/config.yml`) with non-placeholder values; if missing, scaffold from `templates/init/{crm,ado}-config.template.yml` and park in Open Questions with the path and template reference. **Do NOT auto-improvise** by inferring a tenant/org or by narrating CRM evidence from email — both are explicit anti-patterns in v3.7.0.
+For CRM and ADO additionally verify the shared connection block exists in `<workspace>/.kushi/config/shared/integrations.yml` (`crm:` block with `environmentUrl` + `tenantId`, OR `ado:` block with `organization` + `project`) with non-placeholder values; if missing, prompt the user to fill those two/four fields directly (no separate template files — they live in `templates/init/integrations.template.yml`) and park in Open Questions with the path. **Do NOT auto-improvise** by inferring a tenant/org or by narrating CRM evidence from email — both are explicit anti-patterns in v3.7.0.
 
-**CRM discovery is REQUIRED before declaring `disabled` (kushi v3.11.0+, per `crm-bootstrap-discovery.instructions.md`).** If `<engagement-root>/.project-evidence/crm/config.yml` exists and `az` auth succeeds, bootstrap MUST run the full 4-step Dataverse REST resolution sequence from `pull-crm/SKILL.md#resolution-order-when-crmrecordid-is-unset` (title-first → all matching accounts → wide-text → recent-slice → ask user) against the live endpoint before writing `boundaries.crm.disabled: true`. Any other path that sets `disabled: true` is a defect. If steps 1–4 all return 0, present the top 5 candidates from step 4 to the user before final disposition. Log the full attempt trail (queries + counts + outcome) to the bootstrap refresh-report under `## CRM resolution attempts`. If auth fails or Dataverse is unreachable, leave the boundary empty with `reason: 'crm-auth-unavailable-<date>'` — NOT `disabled: true` — so the next refresh retries.
+**CRM discovery is REQUIRED before declaring `disabled` (kushi v3.11.0+, per `crm-bootstrap-discovery.instructions.md`).** If `<workspace>/.kushi/config/shared/integrations.yml` exists and `az` auth succeeds, bootstrap MUST run the full 4-step Dataverse REST resolution sequence from `pull-crm/SKILL.md#resolution-order-when-crmrecordid-is-unset` (title-first → all matching accounts → wide-text → recent-slice → ask user) against the live endpoint before writing `boundaries.crm.disabled: true`. Any other path that sets `disabled: true` is a defect. If steps 1–4 all return 0, present the top 5 candidates from step 4 to the user before final disposition. Log the full attempt trail (queries + counts + outcome) to the bootstrap refresh-report under `## CRM resolution attempts`. If auth fails or Dataverse is unreachable, leave the boundary empty with `reason: 'crm-auth-unavailable-<date>'` — NOT `disabled: true` — so the next refresh retries.
 
 #### Step 4a — Discovery & registry persistence (REQUIRED, kushi v3.7.8+, per `m365-id-registry.instructions.md`)
 
 **Doctrine: bootstrap discovers, refresh consumes.** Bootstrap is the ONLY phase that probes WorkIQ to resolve canonical M365 identifiers. Refresh runs MUST read these from `m365-mutable.json#knownSections.<project>` and pass them into the index extractor verbatim. Refresh must NEVER re-discover — that is the source of "OneNote works for me sometimes" non-determinism.
 
-For each enabled source, resolve and persist the canonical lookup keys into `<engagement-root>/.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>`. The schema is fixed — populate every key the source supports:
+For each enabled source, resolve and persist the canonical lookup keys into `<workspace>/.kushi/config/user/m365-mutable.json#knownSections.<projectKey>`. The schema is fixed — populate every key the source supports:
 
 ```jsonc
 "knownSections": {

package/plugin/skills/propose-ado-update/SKILL.md

@@ -21,7 +21,7 @@ This skill does **NOT** create a new top-level config file. It reads from the co
 
 | What | Where | Maintained by |
 |---|---|---|
-| ADO tenant + org + apiVersion + auth strategy | `<engagement-root>/.project-evidence/ado/config.yml` | `bootstrap-project` (global, one-time) |
+| ADO tenant + org + apiVersion + auth strategy | `<workspace>/.kushi/config/shared/integrations.yml` | `bootstrap-project` (global, one-time) |
 | Per-project Initiative ID (`engagement_id`), area, title filter, discovery hints | `<engagement-root>/<project>/integrations.yml` under `ado:` | `bootstrap-project` + `pull-ado` (auto-discovers and persists) |
 | Per-project **writes block** (allowlist, autoApply per field, strategy, fieldRefName) | `<engagement-root>/<project>/integrations.yml` under `ado.writes:` | First run of this skill scaffolds the block from the template, then user edits |
 
@@ -41,7 +41,7 @@ Refuse to produce `proposed.md` and tell the user exactly what's missing if any
 |---|---|
 | `<project>/integrations.yml` exists | "Project not bootstrapped. Run `@Kushi bootstrap <project>` first." |
 | `ado.engagement_id` > 0 | "ADO Initiative not yet linked for `<project>` (engagement_id is 0). pull-ado will auto-discover on next refresh; once `engagement_id` is set in `integrations.yml`, retry." |
-| `<engagement-root>/.project-evidence/ado/config.yml` exists with non-placeholder `organization` | "Global ADO config missing or has placeholder org. Run `@Kushi bootstrap <project>` to scaffold, then fill `.project-evidence/ado/config.yml`." |
+| `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `organization` | "Global ADO config missing or has placeholder org. Run `@Kushi bootstrap <project>` to scaffold, then fill `.kushi/config/shared/integrations.yml`." |
 | At least one `Evidence/_Consolidated/<date>_consolidated.md` exists | "No consolidated evidence yet for `<project>`. Run `@Kushi refresh <project>` then `consolidate` first." |
 | Latest consolidated file ≤ 8 days old | Continue but flag `stale-evidence` at top of `proposed.md`. |
 
@@ -76,7 +76,7 @@ Refuse to produce `proposed.md` and tell the user exactly what's missing if any
 ## What this skill does NOT do
 
 - Does NOT call any ADO `PATCH` or `POST` endpoint.
-- Does NOT create or modify the global `.project-evidence/ado/config.yml`.
+- Does NOT create or modify the global `.kushi/config/shared/integrations.yml`.
 - Does NOT touch `<project>/integrations.yml` other than appending the `ado.writes:` sub-block on first run (preserving every existing key).
 - Does NOT re-pull evidence (uses the most recent `_Consolidated/` file as-is).
 - Does NOT write to the ledger (the ledger is written only by `apply-ado-update`).

package/plugin/skills/pull-ado/SKILL.md

@@ -27,9 +27,9 @@ WorkIQ-first per `workiq-first.instructions.md` — but **for ADO, REST is prefe
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/ado/config.yml` — connection.
+- (read) `<workspace>/.kushi/config/shared/integrations.yml` — connection.
 - (read) `<engagement-root>/<project>/integrations.yml#ado` — per-project pinned IDs.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)
@@ -42,15 +42,15 @@ WorkIQ-first per `workiq-first.instructions.md` — but **for ADO, REST is prefe
 
 This skill is **HARD-fail** without both:
 
-1. Global config: `<engagement-root>/.project-evidence/ado/config.yml` exists with non-placeholder `organization` AND `defaultProject`.
+1. Global config: `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `organization` AND `defaultProject`.
 2. Per-project boundary: `<engagement-root>/<project>/integrations.yml#boundaries.ado.area_paths` is non-empty (OR `boundaries.ado.work_item_ids` is pinned).
 
 If either is missing, refuse with the exact message:
 
 ```
 ado-config-missing — drop a filled config.yml at
-<engagement-root>/.project-evidence/ado/config.yml. See template at
-plugin/templates/init/ado-config.template.yml. Then add boundaries.ado.area_paths
+<workspace>/.kushi/config/shared/integrations.yml. See template at
+plugin/templates/init/integrations.template.yml (ado: block). Then add boundaries.ado.area_paths
 to <project>/integrations.yml.
 ```
 
@@ -61,7 +61,7 @@ tenant-wide title-fuzzy scan in v3.7.0+.
 ## Auth (deterministic, no improvisation)
 
 ```powershell
-$cfg = Get-Content "<engagement-root>/.project-evidence/ado/config.yml" | ConvertFrom-Yaml
+$cfg = Get-Content "<workspace>/.kushi/config/shared/integrations.yml" | ConvertFrom-Yaml
 $tok = az account get-access-token `
   --resource $cfg.azDevOpsResourceId `
   --tenant $cfg.tenantId `

package/plugin/skills/pull-crm/SKILL.md

@@ -27,7 +27,7 @@ WorkIQ-first per `workiq-first.instructions.md`. Thoroughness per `evidence-thor
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)
@@ -40,15 +40,15 @@ WorkIQ-first per `workiq-first.instructions.md`. Thoroughness per `evidence-thor
 
 This skill is **HARD-fail** without both:
 
-1. Global config: `<engagement-root>/.project-evidence/crm/config.yml` exists with non-placeholder `environmentUrl`.
+1. Global config: `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `environmentUrl`.
 2. Per-project boundary: `<engagement-root>/<project>/integrations.yml#boundaries.crm.record_ids` OR `boundaries.crm.request_ids` is non-empty.
 
 If either is missing, refuse with the exact message:
 
 ```
 crm-config-missing — drop a filled config.yml at
-<engagement-root>/.project-evidence/crm/config.yml. See template at
-plugin/templates/init/crm-config.template.yml. Then add boundaries.crm.record_ids
+<workspace>/.kushi/config/shared/integrations.yml. See template at
+plugin/templates/init/integrations.template.yml (crm: block). Then add boundaries.crm.record_ids
 (or request_ids) to <project>/integrations.yml.
 ```
 
@@ -195,7 +195,7 @@ If a week file already exists, MERGE (dedupe by event ID, append new events, kee
 
 ## Tools (in order)
 
-1. **Dataverse REST Web API** (preferred for snapshot — gives explicit `$select` + `$expand` control) via `az account get-access-token` against the configured tenant. Read connection from `<engagement-root>/.project-evidence/crm/config.yml`.
+1. **Dataverse REST Web API** (preferred for snapshot — gives explicit `$select` + `$expand` control) via `az account get-access-token` against the configured tenant. Read connection from `<workspace>/.kushi/config/shared/integrations.yml`.
 2. **WorkIQ** — only when REST is unavailable; phrase queries to demand verbatim long-text + every annotation (see Step B template above). WorkIQ summarizes by default, so use this path only as fallback.
 3. **Graph REST** — last resort, soft-fail per `az-auth-conditional.instructions.md`.
 4. **Ask user** — paste verbatim source content if all above fail.

package/plugin/skills/pull-email/SKILL.md

@@ -26,7 +26,7 @@ Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + aut
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)
@@ -43,7 +43,7 @@ This skill REFUSES to query unless `<engagement-root>/<project>/integrations.yml
 - `boundaries.email.subject_keywords` — optional narrowing.
 - `boundaries.date_window_days` — defaults to 30 if absent.
 
-Every WorkIQ ask, every `m365_search_emails` / `m365_list_emails` call, every Graph fallback MUST be scoped to those mailboxes + (if set) sender_domains + subject_keywords. Empty hits inside the boundary → write Coverage Notes citing the limiting key; do NOT widen the scope.
+Every WorkIQ ask MUST be scoped to those mailboxes + (if set) sender_domains + subject_keywords. Empty hits inside the boundary → write Coverage Notes citing the limiting key; do NOT widen the scope. (`m365_search_emails` / `m365_list_emails` / any Graph call is FORBIDDEN per `workiq-only.instructions.md`; on WorkIQ failure, write a deferred-retry marker per `deferred-retry-on-workiq-fail.instructions.md` and continue.)
 
 Refusal message when boundary is missing:
 

package/plugin/skills/pull-meetings/SKILL.md

@@ -30,7 +30,7 @@ Auth + retry + error logging per `auth-and-retry.instructions.md`. WorkIQ-only p
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints (`calendarContext.subjectKeywords`, `calendarContext.knownSeries`).
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints (`calendarContext.subjectKeywords`, `calendarContext.knownSeries`).
 
 ## Discovery (snapshot pass — WorkIQ ONLY per `workiq-only.instructions.md`)
 

package/plugin/skills/pull-onenote/scripts/recapture-section-url.mjs

@@ -49,7 +49,8 @@ if (!PROJECT || !ENGAGEMENT_ROOT) {
   process.exit(2);
 }
 
-const REG_PATH = path.join(ENGAGEMENT_ROOT, '.project-evidence', 'm365', 'm365-mutable.json');
+const WORKSPACE = args.workspace || process.cwd();
+const REG_PATH = path.join(WORKSPACE, '.kushi', 'config', 'user', 'm365-mutable.json');
 if (!fs.existsSync(REG_PATH)) {
   console.error(`[recapture-section-url] Registry not found: ${REG_PATH}`);
   process.exit(3);

package/plugin/skills/pull-onenote/write-snapshot.mjs

@@ -54,7 +54,8 @@ const TIMEOUT_MS = args.timeout || '120000';
 const PROJECT = args.project;
 const ROOT = args['engagement-root'];
 const ALIAS = args.alias || 'ushak';
-const MUTABLE_PATH = args.mutable || path.join(ROOT || '.', '.project-evidence', 'm365', 'm365-mutable.json');
+const WORKSPACE = args.workspace || process.cwd();
+const MUTABLE_PATH = args.mutable || path.join(WORKSPACE, '.kushi', 'config', 'user', 'm365-mutable.json');
 
 if ((!JSON_PATH && !SECTION_URL) || !PROJECT || !ROOT) {
   console.error('Usage: (--json <runner-output> | --section-url <url>) --project <name> --engagement-root <root> [--alias ushak] [--mutable <path>] [--timeout 120000]');

package/plugin/skills/pull-sharepoint/SKILL.md

@@ -28,7 +28,7 @@ Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + aut
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)

package/plugin/skills/pull-teams/SKILL.md

@@ -28,7 +28,7 @@ Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + aut
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)

package/plugin/skills/refresh-project/SKILL.md

@@ -8,7 +8,7 @@ description: "Incremental refresh for an already-bootstrapped project. Reads run
 
 > **Verbatim-by-default**: This orchestrator MUST dispatch every enabled `pull-<source>` skill whose boundary in `integrations.yml#boundaries.<source>` is satisfied. Skipping a source silently is a defect. See `verbatim-by-default.instructions.md`.
 >
-> **Discover once, consume deterministically**: Refresh MUST read canonical M365 IDs from `<engagement-root>/.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>` and pass them verbatim into each `pull-*`'s index-extractor query. **Refresh never re-discovers.** If the project entry is missing or a per-source key is empty, re-dispatch through `bootstrap-project` for that source's discovery only, then resume. See `m365-id-registry.instructions.md`.
+> **Discover once, consume deterministically**: Refresh MUST read canonical M365 IDs from `<workspace>/.kushi/config/user/m365-mutable.json#knownSections.<projectKey>` and pass them verbatim into each `pull-*`'s index-extractor query. **Refresh never re-discovers.** If the project entry is missing or a per-source key is empty, re-dispatch through `bootstrap-project` for that source's discovery only, then resume. See `m365-id-registry.instructions.md`.
 >
 > **Per-user refresh report REQUIRED**: At end of run, write `<project>/Evidence/<alias>/refresh-reports/<YYYY-MM-DD-HHmm>_refresh.md` per `run-reports.instructions.md`. Even on a no-op run. Cite the registry: `Resolved IDs sourced from m365-mutable.json#knownSections.<projectKey>`.
 >
@@ -50,6 +50,26 @@ Profile is read from `kushi-install.json#profile` next to the agent file. Defaul
   - Else if `sources.<src>.watermark` exists → use `(watermark, today)`.
   - Else (first refresh after bootstrap, or new source) → fallback to `last 7 days`.
 
+### Step 2a — Drain deferred-retry queue (REQUIRED, kushi v4.4.1+, per `deferred-retry-on-workiq-fail.instructions.md`)
+
+**Before per-source dispatch**, drain any markers that previous runs deferred. The queue lives at:
+
+```
+<engagement-root>/<project>/Evidence/<alias>/_deferred-retries/*.yml
+```
+
+For each marker (chronological order):
+
+1. Load the YAML marker. Parse `source`, `target`, `window`, `workiq.command`.
+2. Re-issue the canonical WorkIQ query (NOT the doubled-strict — give the first prompt another chance first; if it fails, then doubled-strict).
+3. If success → write the artifact to its canonical `Evidence/<alias>/<source>/{snapshot,stream}/` path per the source's normal write rules. Delete the marker. Append a `drained:` entry to the refresh report's `## Deferred-retry drain` section.
+4. If failure → increment `attempts`, update `last_attempt_at`, leave marker in place. Append a `still-deferred:` entry to the report.
+5. If `attempts >= 5` after this run → also promote to a row in `<project>/OPEN-QUESTIONS-DRAFT.md` (or `State/09_open-questions.md` on `full` profile) per the doctrine's escalation rule.
+
+**NEVER call `m365_get_*` / Graph as a fallback during drain.** A drain failure is just another deferral.
+
+After drain, proceed to Step 2 even if some markers remain — the orchestrator never blocks on deferred-retry failures.
+
 ### Step 2 — Per-source dispatch
 
 For each enabled source (or just the requested one), call its `pull-<source>` skill with the effective window.

package/plugin/skills/self-check/run.ps1

@@ -616,7 +616,7 @@ if ($Deep) {
     if (-not (Test-Path $layoutInst)) {
         Add-Finding D14 'Evidence layout' 'warning' "plugin/instructions/evidence-layout-canonical.instructions.md is missing" "Restore the canonical-layout doctrine from kushi v3.12.1." $layoutInst 0
     }
-    $allowedSiblings = @('Evidence','State','Reports','.kushi','.kushi-reference','.project-evidence','.vscode','.git')
+    $allowedSiblings = @('Evidence','State','Reports','.kushi','.kushi-reference','.vscode','.git')
     $sourceTokens = @(
         'email-context','email-summary','email-summaries',
         'teams-context','teams-summary','teams-summaries',
@@ -655,6 +655,29 @@ if ($Deep) {
             }
         }
     }
+
+    # D15: legacy path regression guard — no `.project-evidence/{m365,crm,ado}` refs outside CHANGELOG/learnings.
+    # v4.4.0+ moved per-user config to `<workspace>/.kushi/config/{user,shared}/`. Any plugin/docs file
+    # still referencing the legacy `<engagement-root>/.project-evidence/(m365|crm|ado)` path will mislead
+    # skills and authors. CHANGELOG and learnings/ legitimately mention the legacy path for history.
+    $legacyPattern = '\.project-evidence[\\/](?:m365|crm|ado)'
+    $legacyTargets = @(
+        (Join-Path $Root 'plugin'),
+        (Join-Path $Root 'docs')
+    )
+    foreach ($target in $legacyTargets) {
+        if (-not (Test-Path $target)) { continue }
+        $legacyHits = Get-ChildItem -Path $target -Recurse -File -Include '*.md','*.ps1','*.mjs','*.json','*.yml','*.yaml' -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -notmatch '[\\/]learnings[\\/]' -and $_.Name -ne 'CHANGELOG.md' } |
+            Select-String -Pattern $legacyPattern -ErrorAction SilentlyContinue
+        foreach ($m in $legacyHits) {
+            # Allow lines that explicitly mark as historical breadcrumb (contain "legacy" or "v4.4.0+" or "was")
+            if ($m.Line -match '(?i)\blegacy\b|v4\.4\.0\+|\bwas\b|\breplaces?\b|\bdeprecated\b|\bhistorical\b') { continue }
+            $msg  = 'Legacy .project-evidence/{m365|crm|ado} reference — v4.4.0+ moved per-user config to <workspace>/.kushi/config/{user,shared}/'
+            $fix  = "Replace with the new path; if intentionally documenting history, add the word 'legacy' or 'v4.4.0+ replaces' on the same line."
+            Add-Finding D15 'Legacy paths' 'warning' $msg $fix $m.Path $m.LineNumber
+        }
+    }
 }
 
 # === Output ===

package/plugin/templates/ado-update/integrations-ado-writes.example.yml

@@ -4,7 +4,7 @@
 # read from the SAME integrations.yml that pull-ado already uses — no separate config file.
 #
 # Global ADO connection (tenantId, organization, apiVersion, auth) lives at:
-#   <engagement-root>/.project-evidence/ado/config.yml
+#   <workspace>/.kushi/config/shared/integrations.yml
 # Do NOT duplicate those keys here.
 
 ado:

package/plugin/templates/init/m365-auth.template.json

@@ -15,16 +15,16 @@
       "dataverse": "https://iscrm.crm.dynamics.com"
     },
     "oneNote": {
-      "defaultNotebookName": "",
-      "defaultNotebookId": "",
+      "defaultNotebookName": "__FILL_ME_IN__",
+      "defaultNotebookId": "__FILL_ME_IN__",
       "defaultSectionResolverUrl": "",
       "defaultNotebookRootLink": "",
-      "defaultLinkOwner": ""
+      "defaultLinkOwner": "__FILL_ME_IN__"
     },
     "emailContext": {
       "enabled": true,
       "dateFloor": "",
-      "folders": [],
+      "folders": ["__FILL_ME_IN__"],
       "includeSubfolders": true,
       "sourceCoverageLabel": "",
       "matchingPolicy": {
@@ -56,7 +56,7 @@
     },
     "sharePointContext": {
       "enabled": true,
-      "localProjectsRoot": "",
+      "localProjectsRoot": "__FILL_ME_IN__",
       "matchingPolicy": {
         "mode": "fuzzy-folder-name",
         "rankingOrder": ["exact", "prefix", "contains"],

package/plugin/templates/init/project-integrations.template.yml

@@ -3,8 +3,8 @@
 # AND declares the explicit boundaries inside which Kushi is allowed to query.
 #
 # Connection / auth / field mappings are NOT here — those are global at:
-#   <engagement-root>/.project-evidence/crm/config.yml
-#   <engagement-root>/.project-evidence/ado/config.yml
+#   <workspace>/.kushi/config/shared/integrations.yml
+#   <workspace>/.kushi/config/shared/integrations.yml
 #
 # Boundaries doctrine: see plugin/instructions/scope-boundaries.instructions.md.
 # Required boundary keys MUST be filled or the source is disabled (not silently widened).

package/plugin/templates/snapshot/onenote-page.template.md

@@ -20,7 +20,7 @@ captured_at:   "<ISO-8601 if captured/user-pasted, else empty>"
 - **Capture status:** `<last_status>`
 - **Attempts:** <int>
 - **Last attempt:** <ts>
-- **Source basis:** WorkIQ enumerate + per-page verbatim probe (pull-onenote v2.5.0). Graph `/me/onenote/*` skipped per workspace policy. Per-page retry registry: `.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>.one_pages`.
+- **Source basis:** WorkIQ enumerate + per-page verbatim probe (pull-onenote v2.5.0). Graph `/me/onenote/*` skipped per workspace policy. Per-page retry registry: `.kushi/config/user/m365-mutable.json#knownSections.<projectKey>.one_pages`.
 
 <!-- IF last_status == "captured" or "user-pasted" -->
 
@@ -43,7 +43,7 @@ captured_at:   "<ISO-8601 if captured/user-pasted, else empty>"
 
 ❌ **page-body-unavailable: WorkIQ returned BODY-NOT-EXPOSED on attempt <N>.**
 
-> Per `pull-onenote` v2.5.0 § "Empirical contract": WorkIQ OneNote body retrieval is non-deterministic — the same page may return a body on a later refresh. This page IS registered for retry in `.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>.one_pages` and will be re-attempted on every refresh until `last_status` becomes `captured` or `user-pasted`. Inferring the page contents from adjacent emails or chat traffic is forbidden.
+> Per `pull-onenote` v2.5.0 § "Empirical contract": WorkIQ OneNote body retrieval is non-deterministic — the same page may return a body on a later refresh. This page IS registered for retry in `.kushi/config/user/m365-mutable.json#knownSections.<projectKey>.one_pages` and will be re-attempted on every refresh until `last_status` becomes `captured` or `user-pasted`. Inferring the page contents from adjacent emails or chat traffic is forbidden.
 
 ### next_step
 
@@ -93,5 +93,5 @@ Per `thoroughness-detector.instructions.md`, the writer must tick all that apply
 - [ ] If `last_status == captured` or `user-pasted`: AI Narrative Summary (3+ paragraphs) AND verbatim Body section are present and non-empty
 - [ ] If `last_status == BODY-NOT-EXPOSED`: explicit marker, `next_step` block, and metadata table all present; NO inferred or paraphrased body content
 - [ ] If `last_status == enumeration-only`: explicit transient marker present; NO body content of any kind
-- [ ] Page is registered in `.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>.one_pages` with matching `last_status` and `attempts`
+- [ ] Page is registered in `.kushi/config/user/m365-mutable.json#knownSections.<projectKey>.one_pages` with matching `last_status` and `attempts`
 - [ ] No fabrication: nothing in this file came from adjacent emails, chats, or other sources to "fill in" what WorkIQ did not return