kushi-agents 4.4.0 → 4.4.3

package/plugin/instructions/fde-grounding.instructions.md

@@ -0,0 +1,146 @@
+---
+applyTo: "**"
+description: "Always-on: every kushi FDE-shaped output (fde-intake, fde-report, fde-triage, build-state, project-status, ask-project FDE answers) MUST ground in the FDE reference pack at reference-packs/fde/, apply recency precedence, and pair every CRM-recorded decision with the confidence ladder. This is the doctrinal companion to the reference pack itself."
+---
+
+# FDE Reference Grounding (HARD RULE)
+
+Every kushi output that interprets engagement health, FDE stage, fitness, risks, readiness, status, or recommended next steps MUST be **grounded in the FDE reference pack** rather than inferred from intuition or model priors.
+
+The reference pack lives at:
+
+```
+plugin/reference-packs/fde/
+  README.md
+  core-fde-reference.md       # operating model, fitness criteria, anti-patterns, stage gates, risk categories
+  crm-field-manifest.md       # FDE-CRM field shape (FE-* triage entity)
+  intake-questions.md         # the 10-question intake (used by fde-intake skill)
+  report-doctrine.md          # report shape doctrine (used by fde-report skill)
+```
+
+Per `reference-packs` doctrine, the **effective** pack is the 3-layer override:
+
+1. Project: `<engagement-root>/<project>/.kushi-reference/fde/<file>.md` (highest)
+2. User: `~/.copilot/kushi-reference/fde/<file>.md` (override)
+3. Packaged: `<install-dest>/reference-packs/fde/<file>.md` (default)
+
+Citations MUST carry the layer marker: `[source: reference-packs/fde/<file>.md · packaged|user-override|project-override]`.
+
+## Required behavior
+
+### For every FDE-shaped output
+
+1. **Read the pack first.** Before drafting any FDE-shaped artifact, read `reference-packs/fde/README.md` and enumerate the human-readable files. Treat the folder as ONE reference set; any file may contribute.
+2. **Score against the 10-criterion FDE Fitness Checklist** from `core-fde-reference.md`:
+   - use case fit, platform commitment, C-level sponsor, hypervelocity culture, co-build commitment, funding clarity, measurable outcomes, contracting speed, business owner engagement, non-standard scope.
+   - Report which criteria are met, unclear, at risk — never just an overall thumbs-up.
+3. **Map every risk to one of the eight FDE risk categories** (also from `core-fde-reference.md`):
+   - Competitive & Strategic Fit, Funding & Commercial, Contracting / Procurement, Sponsorship, Hypervelocity / Culture, Scope / Use Case Fit, Resourcing (MS side), Handover / Sustainability.
+   - Free-form risk taxonomies are a defect.
+4. **Flag FDE anti-patterns explicitly** when evidence suggests drift toward what FDE is not: advisory-only, long governance cycles, platform-agnostic, staff-aug, out-of-box use case.
+5. **Use CRM `Status` as a primary lifecycle signal** when available. Translate it via the CRM Triage Plan mapping in `core-fde-reference.md`. Distinguish carefully between `Completed`, `Withdrawn`, `On Hold`, discovery-stage, and active-delivery statuses.
+6. **Call out mismatches explicitly** when structured system state, older notes, or older artifacts imply a different reality than newer evidence.
+
+### Recency precedence (every conclusion, not just status)
+
+When dated sources conflict, newer evidence has more authority — and not only for status, but also for **conclusions, risk posture, momentum, blockers, ownership assumptions, and recommended next steps**.
+
+Default precedence order (unless the user explicitly asks otherwise):
+
+1. latest CRM note entries
+2. latest meeting transcripts
+3. latest dated local project docs / assets in `<project>/Evidence/`
+4. latest external linked notes / docs (OneNote, SharePoint)
+5. older CRM notes and historical project artifacts
+
+**When newer evidence supersedes an older conclusion or signal, say so directly** — do not blend the two into an averaged summary. If a recommendation from an older source is no longer appropriate because of newer evidence, state that it has been superseded; do not repeat it as active guidance.
+
+Do not let stale evidence dominate synthesis. If an older source says a decision is open, a blocker is active, or a plan is current, but a newer dated source shows the issue was resolved or reversed, the newer source drives the narrative.
+
+### CRM field values vs confirmed facts
+
+This rule is the FDE-specific application of `evidence-confidence-ladder.instructions.md`. Every materially important FDE response (funding, owner, scope decision, timeline, legal / commercial gate, SI lane) MUST carry one of:
+
+- `internal-only` — CRM/ADO field recorded; no customer-facing confirmation in evidence
+- `communicated` — customer or external stakeholder acknowledged in transcript / email / Teams
+- `confirmed` — signed / approved / executed artifact on record
+
+A CRM-only signal is **not** a confirmed fact. Do not say "ECIF is the selected funding model" based on a `statuscode` flip alone. Say "Internal team decision favors ECIF (CRM field updated <date>, `internal-only`); latest customer-facing transcript predates the change; no `communicated` evidence yet."
+
+For living triage reports (`fde-triage` output), every row that drives a decision (`FDE Fit First`, `ECIF Confirmation Gate`, `Verification Evidence`) MUST classify the response as one of `CRM-only` / `Cross-verified` / `Conflicting evidence` and cite the confirming source + date for the upgrade past `CRM-only`.
+
+### Full customer view requires in-session source resolution
+
+This grounding doctrine defines **how to interpret** evidence. It does NOT by itself satisfy the requirement to retrieve every applicable customer artifact.
+
+Before drafting a "full view", "complete picture", or equivalent FDE-shaped output, the current session MUST attempt retrieval of every applicable source category that has a defined retrieval path:
+
+1. CRM (Dataverse / FDE triage entity)
+2. Meeting transcripts
+3. Email
+4. Teams chats
+5. OneNote
+6. SharePoint / external linked artifacts
+7. ADO (when an engagement WI exists)
+
+For each, record one of: `retrieved` / `not present for project` / `attempted but blocked` (with reason). Per `status-taxonomy.instructions.md`, use the closed-set Status values. Per `fallback-status-reporting.instructions.md`, mark fallback recoveries explicitly.
+
+Do not describe an output as a `full view`, `complete picture`, `comprehensive`, or equivalent unless these source categories were retrieved or explicitly attempted+dispositioned in the current session.
+
+### Workspace evidence boundary + source quotes
+
+For every report, summary, recommendation, status response, or inferred conclusion:
+
+1. Use workspace evidence only (this repository's context, with priority on `<project>/Evidence/` and the configured reference pack).
+2. Do not invent or assume facts not present in retrieved evidence.
+3. Do not fill gaps with unstated assumptions. If evidence is missing, state `insufficient evidence in workspace context`.
+4. Quote sources for material claims using the kushi citation format: `[source: <relative-path> · <YYYY-MM-DD>]`. For reference-pack citations: `[source: reference-packs/fde/<file>.md · packaged|user-override|project-override]`.
+5. For every key conclusion, include at least one source line.
+6. If sources are ambiguous or conflicting, state so clearly and apply date-based recency precedence.
+7. Living triage reports MUST include a complete `Sources Used (Complete Ledger)` section per `citation-ledger.instructions.md`.
+
+### CRM notes integration
+
+When kushi assists with CRM note authoring (manual today; `propose-crm-update` future), include a brief FDE fitness signal (1–2 sentences) whenever the note summarizes engagement status — e.g. "Funding model unconfirmed (criterion 6 at risk)" or "C-level sponsor accessible and engaged (criterion 3 met)."
+
+### Engagement authoring artifacts
+
+- `fde-intake` 10-question output MUST use `reference-packs/fde/intake-questions.md` as its prompt scaffold; do not paraphrase the question wording.
+- `fde-report` shapes (weekly / short / long / fitness / stage-readiness) MUST cite `reference-packs/fde/report-doctrine.md` and `core-fde-reference.md` for stage gates and fitness mapping.
+- `fde-triage` bundle MUST include the FDE Fitness Checklist (file 01) and map every risk to the eight categories (file 03).
+
+### Status reports / readouts
+
+- Treat CRM `Status` as one of the first facts established in the summary.
+- Translate raw `statuscode` into plain-language stage meaning, not just the numeric label.
+- Do not describe `Withdrawn` or `On Hold` engagements with active-delivery language.
+- Do not describe `Technical Assessment` or `Assigned` as `In Progress` unless execution evidence supports the distinction and the mismatch is called out.
+- Let the newer dated source drive the narrative; mark the older interpretation as superseded.
+
+### Inferred conclusions / recommendations / summaries
+
+Apply the same recency precedence to conclusions about health, urgency, readiness, commitment level, decision ownership, and likely next actions. Older plans and recommendations are historical context when newer evidence changes the picture.
+
+## Anti-patterns (defects)
+
+1. Drafting an FDE-shaped output without reading the reference pack.
+2. Inventing risk categories beyond the eight defined.
+3. Treating a CRM field flip as a confirmed customer-facing decision.
+4. Blending older and newer dated evidence into an averaged summary instead of letting newer evidence supersede.
+5. Calling the output "comprehensive" / "full view" without running the in-session source-resolution sweep.
+6. Citing the FDE pack without the layer marker (`packaged | user-override | project-override`).
+
+## Always-on
+
+This instruction applies to every kushi agent invocation and to any external consumer rendering kushi evidence into an FDE-shaped artifact.
+
+## References
+
+- `reference-packs/fde/README.md` — the pack itself.
+- `evidence-confidence-ladder.instructions.md` — the three-state confidence vocabulary used here.
+- `citation-ledger.instructions.md` — citation format (Sources Used ledger).
+- `evidence-thoroughness.instructions.md` — depth bar (orthogonal: depth applies inside scope).
+- `scope-boundaries.instructions.md` — what's in scope (orthogonal: scope defines surface).
+- `fallback-status-reporting.instructions.md` — how to report retrieval outcome.
+- `status-taxonomy.instructions.md` — closed-set Status values.
+- skills: `fde-intake`, `fde-report`, `fde-triage`, `build-state`, `project-status`, `ask-project` (FDE-shaped answers).

package/plugin/instructions/identity-resolution.instructions.md

@@ -37,30 +37,37 @@ Map the response:
    > ✓ Identity: `Alex Smith <alex@microsoft.com>` (alias=`alex`). Edit `.kushi/config/user/project-evidence.yml` to override.
 3. **Continue** the prompt.
 
-## Failure modes
+## Failure modes (kushi v4.4.1+: never block, never fallback to Graph)
+
+Per `deferred-retry-on-workiq-fail.instructions.md`, identity resolution NEVER blocks the orchestrator and NEVER calls `m365_get_*` / Graph as a fallback. On WorkIQ failure, the agent writes a deferred-retry marker and continues with a derived alias so evidence still lands somewhere it can later be re-keyed.
 
 | Scenario                                      | Behavior                                                                                                                     |
 |-----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
-| WorkIQ returns auth error                     | Block: "Sign in to WorkIQ first: `workiq accept-eula && workiq ask -q ping`". Do not proceed.                                |
-| WorkIQ returns empty / NO_RESULTS             | Block: "WorkIQ could not resolve your identity. Try `workiq ask -q 'who am I'` and retry."                                   |
-| WorkIQ binary missing                         | This should already have been caught by the installer's pre-flight. If reached, block with the same install hint.            |
-| User has explicit non-placeholder values      | Skip resolution entirely. Never overwrite user-set values.                                                                   |
+| WorkIQ returns auth error                     | Write deferred-retry marker (`source: identity`, `error_class: auth-error`). Echo: *"⚠ Identity unresolved (WorkIQ auth). Using alias=`<from-config-or-env>`; will retry on next refresh. Sign in with `workiq accept-eula && workiq ask -q ping` and re-run."* Continue. **Do NOT call `m365_get_my_profile` or Graph `/me`.** |
+| WorkIQ returns empty / NO_RESULTS             | Write marker (`error_class: empty`). Echo: *"⚠ Identity unresolved (WorkIQ empty). Using alias=`<env-user>`; will retry on next refresh."* Continue. |
+| WorkIQ binary missing                         | Installer pre-flight should catch this. If reached at skill-time, write marker (`error_class: cli-missing`), echo the install hint, continue with alias=`<env-user>`. |
+| User has explicit non-placeholder values      | Skip resolution entirely. Never overwrite user-set values. No marker needed.                                                 |
 | Alias collision with another contributor      | Bootstrap detects existing `Evidence/<alias>/` whose `contributors.yml` records a different email → ask the user to disambiguate (suggest `<alias>-<tenant-prefix>` e.g. `alex-ms`). |
 
+**Derived alias fallback (when WorkIQ unavailable):** use `$env:USERNAME` (Windows) or `$env:USER` (POSIX) lowercased. Persist provisionally with `alias_resolved_from: env-fallback-pending-workiq`. The next refresh's deferred-retry drain will re-issue the WorkIQ probe and rename `Evidence/<env-alias>/` → `Evidence/<workiq-alias>/` if they differ.
+
 ## What NOT to do
 
 * Do NOT ask the user `What alias should Kushi use?`. The legacy onboarding prompt is gone.
-* Do NOT call `m365_*` / Graph as a fallback. WorkIQ is the single source of identity truth (`workiq-first.instructions.md`).
+* Do NOT call `m365_get_my_profile`, `m365_*`, or Graph `/me` as a fallback. WorkIQ is the single source of identity truth. On failure, write a marker and use the env-fallback. See `workiq-only.instructions.md` and `deferred-retry-on-workiq-fail.instructions.md`.
+* Do NOT block the bootstrap orchestrator on identity failure. Continue with the env-fallback alias; the marker drives the eventual reconciliation.
 * Do NOT resolve on every run. Once persisted, the config values are authoritative.
 
 ## Integration with other doctrine
 
-* `workiq-first.instructions.md` — identity resolution is the canonical example of WorkIQ-first. Add to the inventory.
+* `workiq-only.instructions.md` — identity resolution is the canonical example of WorkIQ-only. M365 fallbacks are forbidden.
+* `deferred-retry-on-workiq-fail.instructions.md` — on WorkIQ failure, mark + continue + inform; never block.
 * `bootstrap-project` SKILL — Step 0 is identity resolution. Step 1 is project context.
 * `tracking.instructions.md` — the resolved identity goes into the tracking artifact's frontmatter under `actor:`.
 
 ## References
 
-* `workiq-first.instructions.md` — the parent doctrine.
+* `workiq-only.instructions.md` — the parent doctrine (supersedes legacy `workiq-first`).
+* `deferred-retry-on-workiq-fail.instructions.md` — failure-mode contract.
 * `engagement-root-resolution.instructions.md` — `projects_root` resolution (separate from identity).
 * `templates/init/project-evidence.template.yml` — defaults to `<auto>` for these three fields.

package/plugin/instructions/m365-id-registry.instructions.md

@@ -12,7 +12,7 @@ priority: HARD
 
 ## The registry
 
-`<engagement-root>/.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>` is the **single source of truth** for canonical M365 identifiers per project.
+`<workspace>/.kushi/config/user/m365-mutable.json#knownSections.<projectKey>` is the **single source of truth** for canonical M365 identifiers per project.
 
 Schema (populate every key the source supports):
 

package/plugin/instructions/scope-boundaries.instructions.md

@@ -21,7 +21,7 @@ host-fallback Graph call, and every CRM/ADO probe MUST honor.
 Before issuing **any** WorkIQ query, `m365_*` host call, Graph REST call, or CRM/ADO
 REST call, the skill MUST resolve the boundary it is operating inside from
 `<engagement-root>/<project>/integrations.yml boundaries:` (per-source) or the
-global `<engagement-root>/.project-evidence/{crm,ado}/config.yml` (auth +
+global `<workspace>/.kushi/config/shared/integrations.yml` (auth +
 tenant + org). The resolved boundary MUST be recorded in the evidence file's
 `## Source Basis` block, e.g.:
 
@@ -57,8 +57,8 @@ returns evidence over the same surface — no run-to-run drift.
 
 | Skill | Hard prerequisite | Failure message (verbatim) |
 |---|---|---|
-| `pull-crm` | `<engagement-root>/.project-evidence/crm/config.yml` exists with non-placeholder `environmentUrl` | `crm-config-missing — drop a filled config.yml at <engagement-root>/.project-evidence/crm/config.yml. See plugin/templates/init/crm-config.template.yml.` |
-| `pull-ado` | `<engagement-root>/.project-evidence/ado/config.yml` exists with non-placeholder `organization` AND `defaultProject` | `ado-config-missing — drop a filled config.yml at <engagement-root>/.project-evidence/ado/config.yml. See plugin/templates/init/ado-config.template.yml.` |
+| `pull-crm` | `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `crm.environmentUrl` | `crm-config-missing — fill the crm: block in <workspace>/.kushi/config/shared/integrations.yml. See plugin/templates/init/integrations.template.yml.` |
+| `pull-ado` | `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `ado.organization` AND `ado.defaultProject` | `ado-config-missing — fill the ado: block in <workspace>/.kushi/config/shared/integrations.yml. See plugin/templates/init/integrations.template.yml.` |
 | `propose-ado-update` | both above + `integrations.yml ado.engagement_id > 0` | per `propose-ado-update/SKILL.md` Prerequisites table |
 
 Pre-v3.7.0 behavior allowed `pull-crm` to "narrate from email" when the live
@@ -172,7 +172,7 @@ On first run for a new project, bootstrap MUST:
 3. For sources where bootstrap cannot auto-populate, write the source as
    **disabled** (`enabled: false`) with a one-liner in `OPEN-QUESTIONS-DRAFT.md`
    asking the user to fill the boundary and re-enable.
-4. For CRM and ADO, ALSO check that the global `<engagement-root>/.project-evidence/{crm,ado}/config.yml`
+4. For CRM and ADO, ALSO check that the global `<workspace>/.kushi/config/shared/integrations.yml`
    exists and has non-placeholder values; if not, scaffold from
    `plugin/templates/init/{crm,ado}-config.template.yml` and park in
    `OPEN-QUESTIONS-DRAFT.md` with the path the user needs to fill.

package/plugin/instructions/status-taxonomy.instructions.md

@@ -0,0 +1,118 @@
+---
+applyTo: "**"
+description: "The single normalized vocabulary for Status + Retry-Signal values used in every kushi status artifact (bootstrap-status.md, refresh reports, run-log.yml, ask-project footers, fde-report cover lines). Replaces the ad-hoc strings that drifted across skills."
+---
+
+# Status Taxonomy (HARD RULE)
+
+Every place a kushi skill renders a per-source or per-task status MUST use a value from the closed taxonomy below. Pre-v4.4.2 skills used ad-hoc strings (`populated`, `unsynced`, `degraded`, `partial-cap`, `blocked-sandbox`, `no stream`, `half done`, `waiting`) — those are now mapped onto the canonical values here.
+
+## 1. Status values (closed set)
+
+| Status | Meaning | Use when |
+|---|---|---|
+| `completed` | Direct path succeeded; full coverage. | Preferred path returned everything in scope. |
+| `completed-via-fallback` | Alternate path recovered the result; full coverage. | Direct path failed but a documented fallback delivered the requested scope. See `fallback-status-reporting.instructions.md`. |
+| `completed-with-coverage-gaps` | Result was produced but specific known gaps remain. | Some items in scope were not retrievable; gaps are enumerated. |
+| `partial` | Less than the requested scope was delivered; rerun recommended. | Fewer items than the boundary called for; not all gaps are enumerable. |
+| `failed` | Both primary and fallback paths failed; no usable evidence written. | Every documented path returned no usable result. |
+| `blocked-auth` | Pre-flight or token acquisition failed; the source could not be queried. | `az account show` non-zero, `m365_status` not signed in, tenant mismatch, WorkIQ EULA pending, etc. |
+| `blocked-config` | A required configuration value (per-project + global both empty) prevented querying. | `<source>-config-missing` or `<source>-boundary-missing` per `scope-boundaries.instructions.md` Rule 3. |
+| `blocked-permission` | Auth succeeded but the principal lacks access to the target. | HTTP 403 / `accessDenied` / SharePoint `UnauthorizedAccessException` on the canonical API. |
+| `blocked-throttled` | Service throttled the request; no narrower query succeeded. | `tooManyRequests`, `More than 3 retries performed`, `high demand` per `auth-and-retry §3`. |
+| `unresolved` | Discovery returned no matches inside the configured boundary. | All resolution-order steps returned 0 candidates; user has not yet picked or widened. |
+| `deferred` | WorkIQ failed after doubled-strict retry; deferred-retry marker written. | Per `deferred-retry-on-workiq-fail.instructions.md`. Next refresh drains the queue. |
+| `not-applicable` | Source is not configured for this project. | Source enabled=false or boundary list empty by design (e.g. SharePoint when project has no team site). |
+| `no-run-history` | Source has never been pulled for this project. | Used in backfill rows when creating status artifacts retroactively. |
+
+### Mapping from legacy strings
+
+| Legacy ad-hoc string | Canonical value |
+|---|---|
+| `populated` | `completed` (or `completed-with-coverage-gaps` if `## Coverage Notes` flags gaps) |
+| `unsynced` | `partial` (rerun recommended) OR `not-applicable` (if intentionally deferred) — pick by intent |
+| `degraded` | `completed-with-coverage-gaps` |
+| `degraded-list-only` | `completed-with-coverage-gaps` (note: bodies missing, index present) |
+| `partial-cap` | `partial` |
+| `partial-template` | `completed-with-coverage-gaps` |
+| `blocked-sandbox` | `blocked-permission` (with reason: agent sandbox) |
+| `throttled-tooManyRequests` | `blocked-throttled` |
+| `cli-available` (preflight pass) | `completed` (preflight row only) |
+| `resolved` (preflight pass) | `completed` (preflight row only) |
+| `missing` (preflight) | `blocked-config` |
+| `ado-not-complete` | `partial` (with reason) |
+| `no-match` | `unresolved` |
+| `❌ all paths failed` | `failed` |
+| `❌ workiq-empty-after-retry` | `deferred` (marker written) OR `failed` (if no marker for permanent reasons) |
+
+## 2. Retry-Signal values (closed set)
+
+| Retry Signal | Meaning |
+|---|---|
+| `none` | No retry needed; result is settled. |
+| `watch` | Usable result exists but direct-path gaps are worth reviewing later. |
+| `retry` | Rerun is recommended; the next `refresh <project>` should pick this up. |
+| `user-action` | Retry requires a user step first (paste verbatim, widen boundary, `az login`, install workiq, sign in to m365). |
+
+### Default mapping (Status → Retry Signal)
+
+| Status | Default Retry Signal |
+|---|---|
+| `completed` | `none` |
+| `completed-via-fallback` | `watch` |
+| `completed-with-coverage-gaps` | `watch` |
+| `partial` | `retry` |
+| `failed` | `retry` |
+| `blocked-auth` | `user-action` |
+| `blocked-config` | `user-action` |
+| `blocked-permission` | `user-action` |
+| `blocked-throttled` | `retry` (next run, after backoff) |
+| `unresolved` | `user-action` (pick a candidate or widen boundary) |
+| `deferred` | `retry` (auto-drained by refresh Step 2a) |
+| `not-applicable` | `none` |
+| `no-run-history` | `none` |
+
+A skill MAY override the default — but it must include the override reason in the `notes` column.
+
+## 3. Required usage
+
+1. `bootstrap-status.md` Context Artifact Status table — `Status` column values MUST come from §1. A new `Retry` column (added v4.4.2) MUST contain a §2 value.
+2. `Evidence/run-log.yml#sources.<source>.last_status` — MUST be a §1 value.
+3. `Evidence/run-log.yml#sources.<source>.retry_signal` (new v4.4.2 field) — MUST be a §2 value.
+4. Refresh report (`Evidence/<alias>/refresh-reports/<ts>_refresh.md`) per-source summary table — same columns + same vocabulary.
+5. `fde-report` cover line — when summarizing source coverage, use these values; do not invent new ones.
+6. `ask-project` answer footer — when surfacing coverage caveats (`Source basis: completed-via-fallback`), use these values.
+
+## 4. Retry review behavior
+
+When the user asks "what failed?", "anything to retry?", "redo errors", or "/refresh failed" (`refresh-project` accepts this argument variant):
+
+1. Read every `<project>/Evidence/<alias>/run-log.yml` and every `<project>/bootstrap-status.md` newest-first.
+2. Filter to rows where `retry_signal` is `retry` or `deferred` is the status.
+3. If the user named a time window (e.g. "past 2 days"), filter by run timestamp first.
+4. Offer or execute the per-source `pull-*` again — scoped to the original boundary + window (no scope widening).
+5. After retry, update the per-source row with the new Status + Retry Signal. Never delete history; append a new row newest-first.
+
+## 5. Backfill rule
+
+If a project has artifacts (`bootstrap-status.md`, snapshots) but no normalized status row yet (pre-v4.4.2 history):
+
+- Create a backfill row using the best available evidence.
+- Set `Status` from the legacy-string mapping in §1.
+- Set `Retry Signal` from §2 default mapping.
+- Note `(backfill)` in the row's `Notes` column.
+- Do not invent precision: if exact timestamps are unavailable, write the date and note `(time inferred)`.
+
+## 6. Non-destructive rule
+
+- Status artifacts are append-only at the row level. Never delete a historical row to "clean up".
+- Newest rows go at the top of every status table.
+- When a status changes between runs, write a new row; do not edit the old row in place.
+
+## References
+
+- `fallback-status-reporting.instructions.md` — when `completed-via-fallback` applies.
+- `auth-and-retry.instructions.md §4` — `errors[]` schema (signatures map to Status via the legacy table above).
+- `bootstrap-status-format.instructions.md` — the artifact that uses this vocabulary most prominently.
+- `deferred-retry-on-workiq-fail.instructions.md` — `deferred` status semantics.
+- `scope-boundaries.instructions.md` — `blocked-config` rules.

package/plugin/instructions/workiq-only.instructions.md

@@ -42,8 +42,8 @@ For every M365 source in scope:
 
 1. **WorkIQ FIRST and ONLY.** Issue the canonical query from the table below.
 2. **If WorkIQ returns insufficient content** (empty, truncated, or only a summary when the query asked for verbatim): retry ONCE with the doubled-strict prompt from the same row.
-3. **If WorkIQ still fails or is unavailable**: ask the user to paste the data verbatim. This is a first-class evidence path, not a degradation.
-4. **DO NOT attempt** `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events`, `m365_search_files` (for content), `m365_download_file` (for transcript/notes), or any Graph REST URL for the in-scope sources above. These are FORBIDDEN. Calling them is a defect; coverage.md must NOT show them in the attempt trail.
+3. **If WorkIQ still fails or is unavailable**: follow `deferred-retry-on-workiq-fail.instructions.md` — write a deferred-retry marker under `<project>/Evidence/<alias>/_deferred-retries/`, surface a one-liner in coverage.md and the run report, and **continue the run** for the remaining sources. The next `refresh-project` drains the queue. User-paste remains available as a manual recovery the user MAY do later by populating the artifact directly and deleting the marker — it is NOT the agent's recovery flow.
+4. **DO NOT attempt** `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events`, `m365_search_files` (for content), `m365_download_file` (for transcript/notes), or any Graph REST URL for the in-scope sources above. These are FORBIDDEN — **including as a "last-resort" fallback after WorkIQ fails** (kushi v4.4.1+). Calling them is a defect; coverage.md must NOT show them in the attempt trail. The deferred-retry marker IS the audit trail for WorkIQ failures.
 5. **Allowed alongside WorkIQ** (structured-data dumps only): `m365_list_chat_messages` for chat-id'd threads → `chat-messages.json`. These run in parallel with the WorkIQ pull, not as a substitute.
 
 ## Canonical WorkIQ commands (CODIFIED — do not re-discover)
@@ -174,6 +174,7 @@ If `Result: SUMMARY-ONLY` after doubled-strict retry: the artifact is acceptable
 
 ## Anti-patterns (defects)
 
+0. **Falling back to `m365_get_*` / Graph after a WorkIQ failure (kushi v4.4.1+).** FORBIDDEN. Even framed as "a last-resort partial," "just to try," or "we already have a WorkIQ marker so this is harmless." The doctrine is: WorkIQ fail → deferred-retry marker → continue → next refresh retries. Never a Graph escape hatch. See `deferred-retry-on-workiq-fail.instructions.md`.
 1. **Calling `m365_get_transcript`, `m365_get_facilitator_notes`, `m365_list_meetings`, `m365_list_events` from a kushi pull-* skill.** FORBIDDEN. These tools have a near-100% failure rate in this workspace. Use WorkIQ.
 2. **Using Graph REST URLs directly** (e.g. `https://graph.microsoft.com/v1.0/me/onlineMeetings/...`) from a kushi pull-* skill. FORBIDDEN for the in-scope M365 sources. Use WorkIQ.
 3. **Re-discovering the right WorkIQ prompt every run.** FORBIDDEN. Use the codified prompts from the table above. If a new source variant is needed, add a row to the table, do not improvise.
@@ -192,3 +193,4 @@ If `Result: SUMMARY-ONLY` after doubled-strict retry: the artifact is acceptable
 - `plugin/instructions/ado-bootstrap-discovery.instructions.md` — ADO is OUT of WorkIQ scope; it uses ADO REST.
 - `plugin/instructions/scope-boundaries.instructions.md` — every pull-* still respects integrations.yml#boundaries.
 - `plugin/instructions/evidence-thoroughness.instructions.md` — verbatim is the bar; this rule operationalizes how to hit it.
+- `plugin/instructions/deferred-retry-on-workiq-fail.instructions.md` (kushi v4.4.1+) — defines exactly what happens when WorkIQ fails. NO Graph fallback. Marker + continue + inform.

package/plugin/lib/Get-KushiConfig.ps1

@@ -53,6 +53,92 @@ param(
 
 $ErrorActionPreference = 'Stop'
 
+# Schema-aware required-field map (kushi v4.4.1+).
+# For each logical config name, list the dot-paths that MUST be populated
+# (non-empty, non-sentinel) before the config is considered usable. The check
+# runs IN ADDITION to the substring sentinel check.
+$script:RequiredFields = @{
+  'm365-auth' = @(
+    'm365Auth.defaultTenantId',
+    'm365Auth.oneNote.defaultNotebookName',
+    'm365Auth.oneNote.defaultNotebookId',
+    'm365Auth.oneNote.defaultLinkOwner',
+    'm365Auth.emailContext.folders',
+    'm365Auth.sharePointContext.localProjectsRoot'
+  )
+  'project-evidence' = @(
+    'identity.alias',
+    'identity.email',
+    'engagement_root'
+  )
+  # integrations.yml is shared and per-project — required-field check is
+  # the consumer skill's job (it knows which sources are enabled).
+  'integrations' = @()
+}
+
+# Sentinel substrings that indicate "still a placeholder."
+$script:Sentinels = @(
+  '__FILL_ME_IN__',
+  '<auto>',
+  '<TENANT_ID>',
+  '<NOTEBOOK_ID>',
+  '<NOTEBOOK_NAME>',
+  '<LINK_OWNER>',
+  '<SP_LOCAL_ROOT>',
+  '<your-alias>',
+  '<Your Full Name>',
+  'your.email@example.com'
+)
+
+function Test-Sentinel {
+  param([string] $Value)
+  if ([string]::IsNullOrWhiteSpace($Value)) { return $true }
+  foreach ($s in $script:Sentinels) {
+    if ($Value -like "*$s*") { return $true }
+  }
+  return $false
+}
+
+function Get-DotPath {
+  param([object] $Obj, [string] $DotPath)
+  $cur = $Obj
+  foreach ($seg in $DotPath -split '\.') {
+    if ($null -eq $cur) { return $null }
+    if ($cur -is [System.Collections.IDictionary]) {
+      $cur = $cur[$seg]
+    } else {
+      $cur = $cur.$seg
+    }
+  }
+  return $cur
+}
+
+function Test-RequiredFields {
+  param([string] $Name, [object] $Parsed)
+  $required = $script:RequiredFields[$Name]
+  if (-not $required) { return @() }
+  $missing = @()
+  foreach ($field in $required) {
+    $val = Get-DotPath -Obj $Parsed -DotPath $field
+    if ($null -eq $val) { $missing += $field; continue }
+    # Arrays: must have at least one non-sentinel element.
+    if ($val -is [System.Collections.IEnumerable] -and -not ($val -is [string])) {
+      $arr = @($val)
+      if ($arr.Count -eq 0) { $missing += $field; continue }
+      $allBlank = $true
+      foreach ($item in $arr) {
+        if ($item -is [string]) {
+          if (-not (Test-Sentinel $item)) { $allBlank = $false; break }
+        } else { $allBlank = $false; break }
+      }
+      if ($allBlank) { $missing += $field }
+      continue
+    }
+    if ($val -is [string] -and (Test-Sentinel $val)) { $missing += $field }
+  }
+  return ,$missing
+}
+
 function Get-DefaultExtension([string] $name) {
   if ($name -match '^(project-evidence|integrations)$') { return 'yml' }
   return 'json'
@@ -84,9 +170,13 @@ if ($Path) { return $resolved }
 $raw = Get-Content -LiteralPath $resolved -Raw
 
 if (-not $AllowPlaceholders) {
-  if ($raw -match '__FILL_ME_IN__' -or $raw -match '<auto>') {
+  $sentinelHit = $false
+  foreach ($s in $script:Sentinels) {
+    if ($raw -like "*$s*") { $sentinelHit = $true; break }
+  }
+  if ($sentinelHit) {
     throw @"
-Kushi config '$resolved' still has template placeholders (__FILL_ME_IN__ or <auto>).
+Kushi config '$resolved' still has template placeholders (e.g. __FILL_ME_IN__, <auto>, <TENANT_ID>).
 Edit the file with your actual values, or pass -AllowPlaceholders to bypass this check.
 "@
   }
@@ -94,16 +184,31 @@ Edit the file with your actual values, or pass -AllowPlaceholders to bypass this
 
 if ($Raw) { return $raw }
 
-switch ($ext) {
+$parsed = switch ($ext) {
   'json' {
-    return ($raw | ConvertFrom-Json -Depth 100)
+    $raw | ConvertFrom-Json -Depth 100
   }
   { $_ -in 'yml','yaml' } {
     if (Get-Module -ListAvailable -Name 'powershell-yaml') {
       Import-Module powershell-yaml -ErrorAction Stop
-      return ConvertFrom-Yaml -Yaml $raw
+      ConvertFrom-Yaml -Yaml $raw
+    } else {
+      Write-Warning "powershell-yaml not installed; required-field validation skipped. Install with: Install-Module powershell-yaml -Scope CurrentUser"
+      $null
     }
-    Write-Warning "powershell-yaml not installed; returning raw YAML text. Install with: Install-Module powershell-yaml -Scope CurrentUser"
-    return $raw
   }
 }
+
+if (-not $AllowPlaceholders -and $null -ne $parsed) {
+  $missing = Test-RequiredFields -Name $Name -Parsed $parsed
+  if ($missing.Count -gt 0) {
+    throw @"
+Kushi config '$resolved' is missing required fields:
+$(($missing | ForEach-Object { "  - $_" }) -join "`n")
+Edit the file with your actual values, or pass -AllowPlaceholders to bypass this check.
+"@
+  }
+}
+
+if ($null -eq $parsed) { return $raw }
+return $parsed