kushi-agents 4.4.0 → 4.4.3

package/plugin/prompts/bootstrap.prompt.md

@@ -1,49 +1,64 @@
----
-name: bootstrap
-description: "First-time setup for a new project — scaffold folders, lay configs side-by-side, do an initial 30-day pull, build State."
-argument-hint: "Project name (fuzzy-matched under engagement-root); optional initial pull window"
-agent: kushi
-tools: [search, read/readFile, edit, agent, execute/runInTerminal, execute/getTerminalOutput, 'workiq/*']
----
-
-## User Input
-
-```text
-${input:project:Project name, e.g. HCA}
-${input:window:Optional initial pull window — last N days, since YYYY-MM-DD, or YYYY-MM-DD..YYYY-MM-DD (default 30 days)}
-```
-
-# /bootstrap
-
-Route to `@Kushi bootstrap <project>`.
-
-Inputs the agent will resolve:
-- `<project>` — the engagement folder name (fuzzy-match under engagement-root if needed).
-- `<window>` — defaults to 30 days. Override with `last 60 days`, `since 2026-04-01`, or `2026-04-01..2026-05-01`.
-
-Reads:
-- `<workspace>/.kushi/config/user/project-evidence.yml` for alias + engagement-root.
-- `<workspace>/.kushi/config/user/m365-auth.json` for tenant + default notebook + mailbox-folder hints.
-
-**Step 0 — verify per-user config is filled.** Before any pull, call:
-
-```powershell
-& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'project-evidence' -AllowPlaceholders | Out-Null  # tolerates <auto>; identity-resolution fills it
-& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'm365-auth'                                       # hard-fails on placeholders
-```
-
-If `Get-KushiConfig -Name 'm365-auth'` throws (file missing or still `__FILL_ME_IN__`), STOP and prompt the user:
-
-> ⚠ `<workspace>/.kushi/config/user/m365-auth.json` still has template placeholders. Open it and fill in your tenant ID, default OneNote notebook ID, mailbox folder names, and SharePoint root before re-running `bootstrap`.
-
-Continue only when both helper calls succeed.
-
-Produces:
-- `<engagement-root>/.project-evidence/m365/{m365-auth,m365-mutable}.json` (per-user filled)
-- `<engagement-root>/<project>/integrations.yml`
-- `<engagement-root>/<project>/Evidence/{contributors.yml, run-log.yml, <alias>/.settings.yml, <alias>/{email,teams,meetings,onenote,sharepoint,crm,ado}/{snapshot,stream}/}`
-- `<engagement-root>/<project>/State/{00..09}_*.md`
-
-Delegates to `bootstrap-project` skill. After scaffolding, calls each `pull-<source>` skill, then `build-state`.
-
-Tracking: see `tracking.instructions.md`. Write `<workspace>/.kushi/tracking/runs/{{YYYY-MM-DD}}-<project>-bootstrap.md` as the final step.
+---
+name: bootstrap
+description: "First-time setup for a new project — scaffold folders, lay configs side-by-side, do an initial 30-day pull, build State."
+argument-hint: "Project name (fuzzy-matched under engagement-root); optional initial pull window"
+agent: kushi
+tools: [search, read/readFile, edit, agent, execute/runInTerminal, execute/getTerminalOutput, 'workiq/*']
+---
+
+## User Input
+
+```text
+${input:project:Project name, e.g. HCA}
+${input:window:Optional initial pull window — last N days, since YYYY-MM-DD, or YYYY-MM-DD..YYYY-MM-DD (default 30 days)}
+```
+
+# /bootstrap
+
+Route to `@Kushi bootstrap <project>`.
+
+Inputs the agent will resolve:
+- `<project>` — the engagement folder name (fuzzy-match under engagement-root if needed).
+- `<window>` — defaults to 30 days. Override with `last 60 days`, `since 2026-04-01`, or `2026-04-01..2026-05-01`.
+
+Reads:
+- `<workspace>/.kushi/config/user/project-evidence.yml` for alias + engagement-root.
+- `<workspace>/.kushi/config/user/m365-auth.json` for tenant + default notebook + mailbox-folder hints.
+- `<workspace>/.kushi/config/shared/integrations.yml` for ADO/CRM org-level connections (shared per project).
+
+**Step 0 — verify per-user config is filled** (the minimum the bootstrap skill needs before it can discover the rest). Before any pull, call:
+
+```powershell
+& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'project-evidence' -AllowPlaceholders | Out-Null  # tolerates <auto>; identity-resolution fills it
+& "<install-dest>/lib/Get-KushiConfig.ps1" -Name 'm365-auth'                                       # hard-fails on placeholders in required fields
+```
+
+`Get-KushiConfig -Name 'm365-auth'` (kushi v4.4.1+) checks both: (a) no `__FILL_ME_IN__` / sentinel strings anywhere, AND (b) the required-field set is populated:
+`defaultTenantId`, `oneNote.defaultNotebookName`, `oneNote.defaultNotebookId`, `oneNote.defaultLinkOwner`, `emailContext.folders[]` (≥ 1 entry), `sharePointContext.localProjectsRoot`.
+
+If it throws, STOP and prompt the user with the exact missing-field list:
+
+> ⚠ `<workspace>/.kushi/config/user/m365-auth.json` is missing required fields: `<list from the helper>`. Open it, fill in those values, then re-run `bootstrap`. Everything else (section IDs, calendar series, specific mailbox folder discovery, channel IDs, SharePoint site IDs, CRM `crmRecordId`, ADO work-item IDs) is the bootstrap skill's job to **discover via WorkIQ + per-source probes** — do NOT pre-fill those.
+
+Continue only when both helper calls succeed (`project-evidence.yml` is allowed to still have `<auto>` for identity; identity-resolution.instructions.md fills it in Step 0 of the bootstrap skill).
+
+**What the bootstrap SKILL discovers (you do NOT need to pre-fill any of this):**
+- Identity (`alias`, `email`, `display_name`) — resolved via WorkIQ if `<auto>`.
+- OneNote section identifiers (`one_sectionFileId`, `one_sectionGroupId`, `one_sectionOneNoteGuid`, `one_notebookSourceDoc`) — discovered from the user-provided section name.
+- Calendar series, meeting `joinUrl`s, Teams chat/channel hints, SharePoint site/web/list IDs — discovered per source.
+- CRM account `crmRecordId` — discovered via the 4-step Dataverse REST sequence.
+- ADO area path / iteration / work-item IDs — discovered via ADO REST.
+
+On WorkIQ failure during discovery, per `deferred-retry-on-workiq-fail.instructions.md`: the bootstrap skill writes a marker, surfaces it in the run report, and continues. **It does NOT call `m365_get_*` / Graph as a fallback.** The next `refresh` drains the queue.
+
+Produces:
+- `<workspace>/.kushi/config/user/{m365-auth,m365-mutable}.json` (per-user, hand-edited above + auto-populated by Step 4a)
+- `<workspace>/.kushi/config/shared/integrations.yml` (shared, ADO/CRM connection blocks; per-project `boundaries:` lives in the project file below)
+- `<engagement-root>/<project>/integrations.yml` (per-project boundaries + enabled-sources, shared via OneDrive)
+- `<engagement-root>/<project>/Evidence/{contributors.yml, run-log.yml, <alias>/.settings.yml, <alias>/{email,teams,meetings,onenote,sharepoint,crm,ado}/{snapshot,stream}/, <alias>/_deferred-retries/}`
+- `<engagement-root>/<project>/State/{00..09}_*.md` (full profile only)
+- `<engagement-root>/<project>/bootstrap-status.md` (shared, multi-user safe)
+
+Delegates to `bootstrap-project` skill. After scaffolding, calls each `pull-<source>` skill, then `build-state` (full profile only).
+
+Tracking: see `tracking.instructions.md`. Write `<workspace>/.kushi/tracking/runs/{{YYYY-MM-DD}}-<project>-bootstrap.md` as the final step.

package/plugin/skills/apply-ado-update/SKILL.md

@@ -30,14 +30,14 @@ Belongs to the **`preview`** profile. Opt in via `npx kushi-agents --clawpilot -
 
 ## Deterministic config — do not invent paths
 
-Same as `propose-ado-update`. Reads ADO connection from `<engagement-root>/.project-evidence/ado/config.yml`, per-project `engagement_id` and `writes:` block from `<engagement-root>/<project>/integrations.yml ado:`. Never asks for paths the bootstrap layer already resolved.
+Same as `propose-ado-update`. Reads ADO connection from `<workspace>/.kushi/config/shared/integrations.yml`, per-project `engagement_id` and `writes:` block from `<engagement-root>/<project>/integrations.yml ado:`. Never asks for paths the bootstrap layer already resolved.
 
 ## Pre-flight (HARD — do not bypass)
 
 1. **Resolve engagement root + project** per `engagement-root-resolution.instructions.md`.
 2. Confirm `<project>/integrations.yml ado.engagement_id > 0`. If 0 → abort with the same message `propose-ado-update` uses ("ADO Initiative not yet linked").
 3. Confirm `<project>/ado-updates/<YYYY-MM-DD>/proposed.md` exists. If not → tell user to run `@Kushi propose ado <project>` first. Never fabricate a proposal.
-4. Per `azure-auth-patterns.instructions.md` — Section 1 (session pre-check) + Section 3 (ADO tenant validation, using `<engagement-root>/.project-evidence/ado/config.yml`) **must** complete green before any further step.
+4. Per `azure-auth-patterns.instructions.md` — Section 1 (session pre-check) + Section 3 (ADO tenant validation, using `<workspace>/.kushi/config/shared/integrations.yml`) **must** complete green before any further step.
 
 ## Steps (current preview-stub behavior)
 

package/plugin/skills/bootstrap-project/SKILL.md

@@ -66,7 +66,7 @@ Verify in order. Stop on hard failures.
    - `$env:LOCALAPPDATA\Programs\WorkIQ\workiq.cmd`
    - `$env:ProgramFiles\WorkIQ\workiq.cmd`
    If found, persist path. If not found, ask user for path (or to install). Test with `<workiq.cli_path> --help`. Without WorkIQ, M365 sources will all fail — STOP.
-3. **Conditional az login** — only if `<engagement-root>/.project-evidence/crm/config.yml` OR `<engagement-root>/.project-evidence/ado/config.yml` exists. Per `az-auth-conditional.instructions.md`. Soft warning on failure, never blocking.
+3. **Conditional az login** — only if `<workspace>/.kushi/config/shared/integrations.yml` OR `<workspace>/.kushi/config/shared/integrations.yml` exists. Per `az-auth-conditional.instructions.md`. Soft warning on failure, never blocking.
 4. **Engagement-root resolution** — per `engagement-root-resolution.instructions.md`. Persist to `<workspace>/.kushi/config/user/project-evidence.yml engagement_root` if newly resolved.
 
 Display SETUP summary table with ✅ / ⚙️ / ❌ / ⚠️ / ➖ markers.
@@ -81,18 +81,18 @@ Required live files:
 |---|---|
 | `<workspace>/.kushi/config/user/project-evidence.yml` | `templates/init/project-evidence.template.yml` (seeded by installer) |
 | `<workspace>/.kushi/config/shared/integrations.yml` | `templates/init/integrations.template.yml` (seeded by installer) |
-| `<engagement-root>/.project-evidence/m365/m365-auth.json` | `templates/init/m365-auth.template.json` |
-| `<engagement-root>/.project-evidence/m365/m365-mutable.json` | `templates/init/m365-mutable.template.json` |
+| `<workspace>/.kushi/config/user/m365-auth.json` | `templates/init/m365-auth.template.json` |
+| `<workspace>/.kushi/config/user/m365-mutable.json` | `templates/init/m365-mutable.template.json` |
 | `<engagement-root>/<project>/integrations.yml` | `templates/init/project-integrations.template.yml` |
 | `<engagement-root>/<project>/Evidence/contributors.yml` | `templates/init/project-contributors.template.yml` |
 | `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` | `templates/init/project-user-settings.template.yml` |
 
-Optional (only if user enables CRM/ADO):
+Optional (only if user enables CRM/ADO — both go into `<workspace>/.kushi/config/shared/integrations.yml` `crm:` and `ado:` blocks, NOT separate files):
 
-| Live file | Template source |
+| Live destination | Source |
 |---|---|
-| `<engagement-root>/.project-evidence/crm/config.yml` | `templates/init/crm-config.template.yml` |
-| `<engagement-root>/.project-evidence/ado/config.yml` | `templates/init/ado-config.template.yml` |
+| `<workspace>/.kushi/config/shared/integrations.yml` `crm:` block | already seeded by `templates/init/integrations.template.yml` — fill in `crm.environmentUrl` + `crm.tenantId` |
+| `<workspace>/.kushi/config/shared/integrations.yml` `ado:` block | already seeded by `templates/init/integrations.template.yml` — fill in `ado.organization` + `ado.project` |
 
 **Boundaries upgrade for existing projects (v3.7.0+):** If `<engagement-root>/<project>/integrations.yml` already exists but has no top-level `boundaries:` key, append the scaffolded `boundaries:` block from `templates/init/project-integrations.template.yml` (preserving every existing key). Then proceed to Step 4 to populate it.
 
@@ -121,15 +121,15 @@ The `State/` subtree is created **only on `full` profile**. On `standard`, only
 
 **Boundaries gate** (kushi v3.7.0+, per `scope-boundaries.instructions.md`): before dispatching any `pull-*`, read `<engagement-root>/<project>/integrations.yml#boundaries` and verify each enabled source has its required boundary key populated. For sources where bootstrap can auto-populate from existing `m365-mutable.json` discovery hints (e.g. a previously-discovered `section_file_id` lands in `boundaries.onenote.section_file_ids`), do so and continue. For sources where the boundary cannot be auto-populated, write the source as **disabled** in `integrations.yml` and add a one-liner to `<project>/OPEN-QUESTIONS-DRAFT.md` (or `State/09_open-questions.md` on `full` profile) asking the user to fill the boundary and re-enable.
 
-For CRM and ADO additionally verify the global config files exist (`<engagement-root>/.project-evidence/{crm,ado}/config.yml`) with non-placeholder values; if missing, scaffold from `templates/init/{crm,ado}-config.template.yml` and park in Open Questions with the path and template reference. **Do NOT auto-improvise** by inferring a tenant/org or by narrating CRM evidence from email — both are explicit anti-patterns in v3.7.0.
+For CRM and ADO additionally verify the shared connection block exists in `<workspace>/.kushi/config/shared/integrations.yml` (`crm:` block with `environmentUrl` + `tenantId`, OR `ado:` block with `organization` + `project`) with non-placeholder values; if missing, prompt the user to fill those two/four fields directly (no separate template files — they live in `templates/init/integrations.template.yml`) and park in Open Questions with the path. **Do NOT auto-improvise** by inferring a tenant/org or by narrating CRM evidence from email — both are explicit anti-patterns in v3.7.0.
 
-**CRM discovery is REQUIRED before declaring `disabled` (kushi v3.11.0+, per `crm-bootstrap-discovery.instructions.md`).** If `<engagement-root>/.project-evidence/crm/config.yml` exists and `az` auth succeeds, bootstrap MUST run the full 4-step Dataverse REST resolution sequence from `pull-crm/SKILL.md#resolution-order-when-crmrecordid-is-unset` (title-first → all matching accounts → wide-text → recent-slice → ask user) against the live endpoint before writing `boundaries.crm.disabled: true`. Any other path that sets `disabled: true` is a defect. If steps 1–4 all return 0, present the top 5 candidates from step 4 to the user before final disposition. Log the full attempt trail (queries + counts + outcome) to the bootstrap refresh-report under `## CRM resolution attempts`. If auth fails or Dataverse is unreachable, leave the boundary empty with `reason: 'crm-auth-unavailable-<date>'` — NOT `disabled: true` — so the next refresh retries.
+**CRM discovery is REQUIRED before declaring `disabled` (kushi v3.11.0+, per `crm-bootstrap-discovery.instructions.md`).** If `<workspace>/.kushi/config/shared/integrations.yml` exists and `az` auth succeeds, bootstrap MUST run the full 4-step Dataverse REST resolution sequence from `pull-crm/SKILL.md#resolution-order-when-crmrecordid-is-unset` (title-first → all matching accounts → wide-text → recent-slice → ask user) against the live endpoint before writing `boundaries.crm.disabled: true`. Any other path that sets `disabled: true` is a defect. If steps 1–4 all return 0, present the top 5 candidates from step 4 to the user before final disposition. Log the full attempt trail (queries + counts + outcome) to the bootstrap refresh-report under `## CRM resolution attempts`. If auth fails or Dataverse is unreachable, leave the boundary empty with `reason: 'crm-auth-unavailable-<date>'` — NOT `disabled: true` — so the next refresh retries.
 
 #### Step 4a — Discovery & registry persistence (REQUIRED, kushi v3.7.8+, per `m365-id-registry.instructions.md`)
 
 **Doctrine: bootstrap discovers, refresh consumes.** Bootstrap is the ONLY phase that probes WorkIQ to resolve canonical M365 identifiers. Refresh runs MUST read these from `m365-mutable.json#knownSections.<project>` and pass them into the index extractor verbatim. Refresh must NEVER re-discover — that is the source of "OneNote works for me sometimes" non-determinism.
 
-For each enabled source, resolve and persist the canonical lookup keys into `<engagement-root>/.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>`. The schema is fixed — populate every key the source supports:
+For each enabled source, resolve and persist the canonical lookup keys into `<workspace>/.kushi/config/user/m365-mutable.json#knownSections.<projectKey>`. The schema is fixed — populate every key the source supports:
 
 ```jsonc
 "knownSections": {

package/plugin/skills/propose-ado-update/SKILL.md

@@ -21,7 +21,7 @@ This skill does **NOT** create a new top-level config file. It reads from the co
 
 | What | Where | Maintained by |
 |---|---|---|
-| ADO tenant + org + apiVersion + auth strategy | `<engagement-root>/.project-evidence/ado/config.yml` | `bootstrap-project` (global, one-time) |
+| ADO tenant + org + apiVersion + auth strategy | `<workspace>/.kushi/config/shared/integrations.yml` | `bootstrap-project` (global, one-time) |
 | Per-project Initiative ID (`engagement_id`), area, title filter, discovery hints | `<engagement-root>/<project>/integrations.yml` under `ado:` | `bootstrap-project` + `pull-ado` (auto-discovers and persists) |
 | Per-project **writes block** (allowlist, autoApply per field, strategy, fieldRefName) | `<engagement-root>/<project>/integrations.yml` under `ado.writes:` | First run of this skill scaffolds the block from the template, then user edits |
 
@@ -41,7 +41,7 @@ Refuse to produce `proposed.md` and tell the user exactly what's missing if any
 |---|---|
 | `<project>/integrations.yml` exists | "Project not bootstrapped. Run `@Kushi bootstrap <project>` first." |
 | `ado.engagement_id` > 0 | "ADO Initiative not yet linked for `<project>` (engagement_id is 0). pull-ado will auto-discover on next refresh; once `engagement_id` is set in `integrations.yml`, retry." |
-| `<engagement-root>/.project-evidence/ado/config.yml` exists with non-placeholder `organization` | "Global ADO config missing or has placeholder org. Run `@Kushi bootstrap <project>` to scaffold, then fill `.project-evidence/ado/config.yml`." |
+| `<workspace>/.kushi/config/shared/integrations.yml` exists with non-placeholder `organization` | "Global ADO config missing or has placeholder org. Run `@Kushi bootstrap <project>` to scaffold, then fill `.kushi/config/shared/integrations.yml`." |
 | At least one `Evidence/_Consolidated/<date>_consolidated.md` exists | "No consolidated evidence yet for `<project>`. Run `@Kushi refresh <project>` then `consolidate` first." |
 | Latest consolidated file ≤ 8 days old | Continue but flag `stale-evidence` at top of `proposed.md`. |
 
@@ -76,7 +76,7 @@ Refuse to produce `proposed.md` and tell the user exactly what's missing if any
 ## What this skill does NOT do
 
 - Does NOT call any ADO `PATCH` or `POST` endpoint.
-- Does NOT create or modify the global `.project-evidence/ado/config.yml`.
+- Does NOT create or modify the global `.kushi/config/shared/integrations.yml`.
 - Does NOT touch `<project>/integrations.yml` other than appending the `ado.writes:` sub-block on first run (preserving every existing key).
 - Does NOT re-pull evidence (uses the most recent `_Consolidated/` file as-is).
 - Does NOT write to the ledger (the ledger is written only by `apply-ado-update`).

package/plugin/skills/pull-ado/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: "pull-ado"
-version: "2.3.1"
+version: "2.3.2"
 description: "Pull ADO evidence as an engagement TREE (parent Engagement + every child WI). Per-item discussion comments + revision history (verbatim). Deterministic resolution; no parent-only summaries. Per ado-engagement-tree.instructions.md."
 ---
 
@@ -27,9 +27,9 @@ WorkIQ-first per `workiq-first.instructions.md` — but **for ADO, REST is prefe
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/ado/config.yml` — connection.
+- (read) `<workspace>/.kushi/config/shared/integrations.yml` — connection.
 - (read) `<engagement-root>/<project>/integrations.yml#ado` — per-project pinned IDs.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)
@@ -40,28 +40,42 @@ WorkIQ-first per `workiq-first.instructions.md` — but **for ADO, REST is prefe
 
 ## Hard prerequisites (REQUIRED — see `scope-boundaries.instructions.md` Rule 3)
 
-This skill is **HARD-fail** without both:
+This skill is **HARD-fail** without ALL of the following (effective-config rule):
 
-1. Global config: `<engagement-root>/.project-evidence/ado/config.yml` exists with non-placeholder `organization` AND `defaultProject`.
-2. Per-project boundary: `<engagement-root>/<project>/integrations.yml#boundaries.ado.area_paths` is non-empty (OR `boundaries.ado.work_item_ids` is pinned).
+1. A resolvable `organization` from EITHER:
+   - per-project override: `<engagement-root>/<project>/integrations.yml#sources.ado.organization_override`, OR
+   - global default: `<workspace>/.kushi/config/shared/integrations.yml#ado.organization` (non-placeholder).
+2. A resolvable `defaultProject` from EITHER:
+   - per-project override: `<engagement-root>/<project>/integrations.yml#sources.ado.project_override`, OR
+   - global default: `<workspace>/.kushi/config/shared/integrations.yml#ado.project` (non-placeholder).
+3. Per-project boundary: `<engagement-root>/<project>/integrations.yml#boundaries.ado.area_paths` is non-empty OR `boundaries.ado.work_item_ids` is pinned OR `sources.ado.engagement_id` is pinned (pinned WI IDs are sufficient — they bypass area-path discovery).
 
-If either is missing, refuse with the exact message:
+**Resolution order at runtime:**
+```
+effective.organization = project.sources.ado.organization_override ?? global.ado.organization
+effective.project      = project.sources.ado.project_override      ?? global.ado.project
+effective.tenant_id    = project.sources.ado.tenant_id_override    ?? global.ado.tenant_id
+```
+
+If any required value resolves to null/placeholder, refuse with:
 
 ```
-ado-config-missing — drop a filled config.yml at
-<engagement-root>/.project-evidence/ado/config.yml. See template at
-plugin/templates/init/ado-config.template.yml. Then add boundaries.ado.area_paths
-to <project>/integrations.yml.
+ado-config-missing — fill the ado: block in
+<workspace>/.kushi/config/shared/integrations.yml, OR set the corresponding
+sources.ado.*_override in <project>/integrations.yml. Then ensure
+boundaries.ado.area_paths (or work_item_ids, or sources.ado.engagement_id)
+is pinned.
 ```
 
 Discovery loops (`title_contains`, `tags_contains`, `custom_iscrm_id`) are still
 permitted — but ONLY inside `boundaries.ado.area_paths`. There is no
-tenant-wide title-fuzzy scan in v3.7.0+.
+tenant-wide title-fuzzy scan in v3.7.0+. If `sources.ado.engagement_id` is
+already pinned, skip discovery entirely and proceed to Step 2 (tree expansion).
 
 ## Auth (deterministic, no improvisation)
 
 ```powershell
-$cfg = Get-Content "<engagement-root>/.project-evidence/ado/config.yml" | ConvertFrom-Yaml
+$cfg = Get-Content "<workspace>/.kushi/config/shared/integrations.yml" | ConvertFrom-Yaml
 $tok = az account get-access-token `
   --resource $cfg.azDevOpsResourceId `
   --tenant $cfg.tenantId `

package/plugin/skills/pull-crm/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: "pull-crm"
-version: "2.3.1"
+version: "2.3.2"
 description: "Pull CRM (Dataverse) evidence (snapshot: engagement record VERBATIM long-text fields + ALL annotations with formatted values; stream: notes/activities/status changes). Per-record explicit $select + formatted-value annotations. FDE entity sets use crm-field-manifest.md. v2.3.0: exhaustive 4-step resolution sequence (title → account[s] → wide-text → recent-slice → ask). Anti-patterns codified: no statecode filter, new_companyname is NOT a field, never disable from one shallow probe."
 ---
 
@@ -27,7 +27,7 @@ WorkIQ-first per `workiq-first.instructions.md`. Thoroughness per `evidence-thor
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)
@@ -38,20 +38,31 @@ WorkIQ-first per `workiq-first.instructions.md`. Thoroughness per `evidence-thor
 
 ## Hard prerequisites (REQUIRED — see `scope-boundaries.instructions.md` Rule 3)
 
-This skill is **HARD-fail** without both:
+This skill is **HARD-fail** without BOTH (effective-config rule):
 
-1. Global config: `<engagement-root>/.project-evidence/crm/config.yml` exists with non-placeholder `environmentUrl`.
+1. A resolvable Dataverse `environment_url` from EITHER:
+   - per-project override: `<engagement-root>/<project>/integrations.yml#sources.crm.environment_url_override` (preferred — survives global config drift), OR
+   - global default: `<workspace>/.kushi/config/shared/integrations.yml#crm.environment_url` (non-placeholder).
 2. Per-project boundary: `<engagement-root>/<project>/integrations.yml#boundaries.crm.record_ids` OR `boundaries.crm.request_ids` is non-empty.
 
-If either is missing, refuse with the exact message:
+**Resolution order at runtime:**
+```
+effective.environment_url = project.sources.crm.environment_url_override ?? global.crm.environment_url
+effective.entity_set      = project.sources.crm.entity_set_override     ?? global.crm.default_entity_set
+effective.tenant_id       = project.sources.crm.tenant_id_override      ?? global.crm.tenant_id
+```
+
+If `effective.environment_url` is null/placeholder, refuse with:
 
 ```
 crm-config-missing — drop a filled config.yml at
-<engagement-root>/.project-evidence/crm/config.yml. See template at
-plugin/templates/init/crm-config.template.yml. Then add boundaries.crm.record_ids
-(or request_ids) to <project>/integrations.yml.
+<workspace>/.kushi/config/shared/integrations.yml (crm: block), OR set
+sources.crm.environment_url_override in <project>/integrations.yml.
+Then ensure boundaries.crm.record_ids (or request_ids) is non-empty.
 ```
 
+If `effective.environment_url` resolves but `boundaries.crm.record_ids` AND `boundaries.crm.request_ids` are both empty, refuse with the analogous `crm-boundary-missing` message.
+
 **No "narrate from email" fallback exists in v3.7.0+.** CRM evidence comes from CRM
 or it is absent — Coverage Notes will say so explicitly. Synthesis across sources
 happens at consolidation, not at pull.
@@ -195,7 +206,7 @@ If a week file already exists, MERGE (dedupe by event ID, append new events, kee
 
 ## Tools (in order)
 
-1. **Dataverse REST Web API** (preferred for snapshot — gives explicit `$select` + `$expand` control) via `az account get-access-token` against the configured tenant. Read connection from `<engagement-root>/.project-evidence/crm/config.yml`.
+1. **Dataverse REST Web API** (preferred for snapshot — gives explicit `$select` + `$expand` control) via `az account get-access-token` against the configured tenant. Read connection from `<workspace>/.kushi/config/shared/integrations.yml`.
 2. **WorkIQ** — only when REST is unavailable; phrase queries to demand verbatim long-text + every annotation (see Step B template above). WorkIQ summarizes by default, so use this path only as fallback.
 3. **Graph REST** — last resort, soft-fail per `az-auth-conditional.instructions.md`.
 4. **Ask user** — paste verbatim source content if all above fail.

package/plugin/skills/pull-email/SKILL.md

@@ -26,7 +26,7 @@ Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + aut
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)
@@ -43,7 +43,7 @@ This skill REFUSES to query unless `<engagement-root>/<project>/integrations.yml
 - `boundaries.email.subject_keywords` — optional narrowing.
 - `boundaries.date_window_days` — defaults to 30 if absent.
 
-Every WorkIQ ask, every `m365_search_emails` / `m365_list_emails` call, every Graph fallback MUST be scoped to those mailboxes + (if set) sender_domains + subject_keywords. Empty hits inside the boundary → write Coverage Notes citing the limiting key; do NOT widen the scope.
+Every WorkIQ ask MUST be scoped to those mailboxes + (if set) sender_domains + subject_keywords. Empty hits inside the boundary → write Coverage Notes citing the limiting key; do NOT widen the scope. (`m365_search_emails` / `m365_list_emails` / any Graph call is FORBIDDEN per `workiq-only.instructions.md`; on WorkIQ failure, write a deferred-retry marker per `deferred-retry-on-workiq-fail.instructions.md` and continue.)
 
 Refusal message when boundary is missing:
 

package/plugin/skills/pull-meetings/SKILL.md

@@ -30,7 +30,7 @@ Auth + retry + error logging per `auth-and-retry.instructions.md`. WorkIQ-only p
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints (`calendarContext.subjectKeywords`, `calendarContext.knownSeries`).
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints (`calendarContext.subjectKeywords`, `calendarContext.knownSeries`).
 
 ## Discovery (snapshot pass — WorkIQ ONLY per `workiq-only.instructions.md`)
 

package/plugin/skills/pull-onenote/scripts/recapture-section-url.mjs

@@ -49,7 +49,8 @@ if (!PROJECT || !ENGAGEMENT_ROOT) {
   process.exit(2);
 }
 
-const REG_PATH = path.join(ENGAGEMENT_ROOT, '.project-evidence', 'm365', 'm365-mutable.json');
+const WORKSPACE = args.workspace || process.cwd();
+const REG_PATH = path.join(WORKSPACE, '.kushi', 'config', 'user', 'm365-mutable.json');
 if (!fs.existsSync(REG_PATH)) {
   console.error(`[recapture-section-url] Registry not found: ${REG_PATH}`);
   process.exit(3);

package/plugin/skills/pull-onenote/write-snapshot.mjs

@@ -54,7 +54,8 @@ const TIMEOUT_MS = args.timeout || '120000';
 const PROJECT = args.project;
 const ROOT = args['engagement-root'];
 const ALIAS = args.alias || 'ushak';
-const MUTABLE_PATH = args.mutable || path.join(ROOT || '.', '.project-evidence', 'm365', 'm365-mutable.json');
+const WORKSPACE = args.workspace || process.cwd();
+const MUTABLE_PATH = args.mutable || path.join(WORKSPACE, '.kushi', 'config', 'user', 'm365-mutable.json');
 
 if ((!JSON_PATH && !SECTION_URL) || !PROJECT || !ROOT) {
   console.error('Usage: (--json <runner-output> | --section-url <url>) --project <name> --engagement-root <root> [--alias ushak] [--mutable <path>] [--timeout 120000]');

package/plugin/skills/pull-sharepoint/SKILL.md

@@ -28,7 +28,7 @@ Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + aut
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)

package/plugin/skills/pull-teams/SKILL.md

@@ -28,7 +28,7 @@ Thoroughness per `evidence-thoroughness.instructions.md`; runtime detector + aut
 - `<project>` — already-resolved project name.
 - `<alias>` — current contributor.
 - `<window>` — date range. For snapshot: ignored (always full re-fetch). For stream: `(from, to)`.
-- (read) `<engagement-root>/.project-evidence/m365/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
+- (read) `<workspace>/.kushi/config/user/m365-mutable.json m365Mutable.knownSections.<project>` — pinned hints.
 - (read) `<engagement-root>/<project>/Evidence/<alias>/.settings.yml` — per-(project x user) overrides.
 
 ## Resolution hints (pinned in mutable)

package/plugin/skills/refresh-project/SKILL.md

@@ -8,7 +8,7 @@ description: "Incremental refresh for an already-bootstrapped project. Reads run
 
 > **Verbatim-by-default**: This orchestrator MUST dispatch every enabled `pull-<source>` skill whose boundary in `integrations.yml#boundaries.<source>` is satisfied. Skipping a source silently is a defect. See `verbatim-by-default.instructions.md`.
 >
-> **Discover once, consume deterministically**: Refresh MUST read canonical M365 IDs from `<engagement-root>/.project-evidence/m365/m365-mutable.json#knownSections.<projectKey>` and pass them verbatim into each `pull-*`'s index-extractor query. **Refresh never re-discovers.** If the project entry is missing or a per-source key is empty, re-dispatch through `bootstrap-project` for that source's discovery only, then resume. See `m365-id-registry.instructions.md`.
+> **Discover once, consume deterministically**: Refresh MUST read canonical M365 IDs from `<workspace>/.kushi/config/user/m365-mutable.json#knownSections.<projectKey>` and pass them verbatim into each `pull-*`'s index-extractor query. **Refresh never re-discovers.** If the project entry is missing or a per-source key is empty, re-dispatch through `bootstrap-project` for that source's discovery only, then resume. See `m365-id-registry.instructions.md`.
 >
 > **Per-user refresh report REQUIRED**: At end of run, write `<project>/Evidence/<alias>/refresh-reports/<YYYY-MM-DD-HHmm>_refresh.md` per `run-reports.instructions.md`. Even on a no-op run. Cite the registry: `Resolved IDs sourced from m365-mutable.json#knownSections.<projectKey>`.
 >
@@ -50,6 +50,26 @@ Profile is read from `kushi-install.json#profile` next to the agent file. Defaul
   - Else if `sources.<src>.watermark` exists → use `(watermark, today)`.
   - Else (first refresh after bootstrap, or new source) → fallback to `last 7 days`.
 
+### Step 2a — Drain deferred-retry queue (REQUIRED, kushi v4.4.1+, per `deferred-retry-on-workiq-fail.instructions.md`)
+
+**Before per-source dispatch**, drain any markers that previous runs deferred. The queue lives at:
+
+```
+<engagement-root>/<project>/Evidence/<alias>/_deferred-retries/*.yml
+```
+
+For each marker (chronological order):
+
+1. Load the YAML marker. Parse `source`, `target`, `window`, `workiq.command`.
+2. Re-issue the canonical WorkIQ query (NOT the doubled-strict — give the first prompt another chance first; if it fails, then doubled-strict).
+3. If success → write the artifact to its canonical `Evidence/<alias>/<source>/{snapshot,stream}/` path per the source's normal write rules. Delete the marker. Append a `drained:` entry to the refresh report's `## Deferred-retry drain` section.
+4. If failure → increment `attempts`, update `last_attempt_at`, leave marker in place. Append a `still-deferred:` entry to the report.
+5. If `attempts >= 5` after this run → also promote to a row in `<project>/OPEN-QUESTIONS-DRAFT.md` (or `State/09_open-questions.md` on `full` profile) per the doctrine's escalation rule.
+
+**NEVER call `m365_get_*` / Graph as a fallback during drain.** A drain failure is just another deferral.
+
+After drain, proceed to Step 2 even if some markers remain — the orchestrator never blocks on deferred-retry failures.
+
 ### Step 2 — Per-source dispatch
 
 For each enabled source (or just the requested one), call its `pull-<source>` skill with the effective window.

package/plugin/skills/self-check/run.ps1

@@ -616,7 +616,7 @@ if ($Deep) {
     if (-not (Test-Path $layoutInst)) {
         Add-Finding D14 'Evidence layout' 'warning' "plugin/instructions/evidence-layout-canonical.instructions.md is missing" "Restore the canonical-layout doctrine from kushi v3.12.1." $layoutInst 0
     }
-    $allowedSiblings = @('Evidence','State','Reports','.kushi','.kushi-reference','.project-evidence','.vscode','.git')
+    $allowedSiblings = @('Evidence','State','Reports','.kushi','.kushi-reference','.vscode','.git')
     $sourceTokens = @(
         'email-context','email-summary','email-summaries',
         'teams-context','teams-summary','teams-summaries',
@@ -655,6 +655,29 @@ if ($Deep) {
             }
         }
     }
+
+    # D15: legacy path regression guard — no `.project-evidence/{m365,crm,ado}` refs outside CHANGELOG/learnings.
+    # v4.4.0+ moved per-user config to `<workspace>/.kushi/config/{user,shared}/`. Any plugin/docs file
+    # still referencing the legacy `<engagement-root>/.project-evidence/(m365|crm|ado)` path will mislead
+    # skills and authors. CHANGELOG and learnings/ legitimately mention the legacy path for history.
+    $legacyPattern = '\.project-evidence[\\/](?:m365|crm|ado)'
+    $legacyTargets = @(
+        (Join-Path $Root 'plugin'),
+        (Join-Path $Root 'docs')
+    )
+    foreach ($target in $legacyTargets) {
+        if (-not (Test-Path $target)) { continue }
+        $legacyHits = Get-ChildItem -Path $target -Recurse -File -Include '*.md','*.ps1','*.mjs','*.json','*.yml','*.yaml' -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -notmatch '[\\/]learnings[\\/]' -and $_.Name -ne 'CHANGELOG.md' } |
+            Select-String -Pattern $legacyPattern -ErrorAction SilentlyContinue
+        foreach ($m in $legacyHits) {
+            # Allow lines that explicitly mark as historical breadcrumb (contain "legacy" or "v4.4.0+" or "was")
+            if ($m.Line -match '(?i)\blegacy\b|v4\.4\.0\+|\bwas\b|\breplaces?\b|\bdeprecated\b|\bhistorical\b') { continue }
+            $msg  = 'Legacy .project-evidence/{m365|crm|ado} reference — v4.4.0+ moved per-user config to <workspace>/.kushi/config/{user,shared}/'
+            $fix  = "Replace with the new path; if intentionally documenting history, add the word 'legacy' or 'v4.4.0+ replaces' on the same line."
+            Add-Finding D15 'Legacy paths' 'warning' $msg $fix $m.Path $m.LineNumber
+        }
+    }
 }
 
 # === Output ===

package/plugin/templates/ado-update/integrations-ado-writes.example.yml

@@ -4,7 +4,7 @@
 # read from the SAME integrations.yml that pull-ado already uses — no separate config file.
 #
 # Global ADO connection (tenantId, organization, apiVersion, auth) lives at:
-#   <engagement-root>/.project-evidence/ado/config.yml
+#   <workspace>/.kushi/config/shared/integrations.yml
 # Do NOT duplicate those keys here.
 
 ado:

package/plugin/templates/init/integrations.template.yml

@@ -1,19 +1,32 @@
-# Kushi — optional global integrations defaults.
-#
-# Seeded by the installer on first install. Never overwritten on upgrade.
-# Per-project `integrations.yml` (inside the engagement folder) always
-# takes precedence over this file.
-#
-# Most users can leave this file as-is. Fill it in only if you want a
-# default CRM / ADO configuration that applies across all projects.
-
-# Microsoft Dataverse (CRM) defaults.
-# crm:
-#   environment_url: 'https://<org>.crm.dynamics.com'
-#   tenant_id:       '72f988bf-86f1-41af-91ab-2d7cd011db47'   # Microsoft tenant
-
-# Azure DevOps defaults.
-# ado:
-#   organization: 'https://dev.azure.com/<org>'
-#   project:      '<default-project>'
-#   tenant_id:    '72f988bf-86f1-41af-91ab-2d7cd011db47'      # Microsoft tenant
+# Kushi — optional global integrations defaults.
+#
+# Seeded by the installer on first install. Never overwritten on upgrade.
+# Per-project `integrations.yml` (inside the engagement folder) always
+# takes precedence over this file. Effective-config rule:
+#   effective.X = project.override ?? global.X   (hard-fail only if both empty)
+#
+# Most users can leave this file as-is. Uncomment + edit only if you want a
+# default CRM / ADO configuration that applies across all projects.
+#
+# Microsoft (MSFT) tenant defaults shown below. If you work in the Microsoft
+# tenant (most Industry Solutions FDEs), these values are correct as-is.
+
+# Microsoft Dataverse (CRM) defaults.
+# Per-project overrides in <engagement-root>/<project>/integrations.yml under
+# sources.crm.environment_url_override / entity_set_override always take
+# precedence (e.g. FDE intake projects point at iscrm.crm.dynamics.com /
+# new_frontierengineeringtriages).
+# crm:
+#   environment_url:     'https://microsoftsales.crm.dynamics.com'
+#   tenant_id:           '72f988bf-86f1-41af-91ab-2d7cd011db47'   # Microsoft tenant
+#   default_entity_set:  'opportunities'
+#   az_resource_id:      'https://microsoftsales.crm.dynamics.com'
+
+# Azure DevOps defaults.
+# Per-project pin in <engagement-root>/<project>/integrations.yml sources.ado
+# (engagement_id, area_paths) overrides the discovery defaults here.
+# ado:
+#   organization:    'https://dev.azure.com/IndustrySolutions'
+#   project:         'IS Engagements'
+#   tenant_id:       '72f988bf-86f1-41af-91ab-2d7cd011db47'   # Microsoft tenant
+#   az_resource_id:  '499b84ac-1321-427f-aa17-267ca6975798'   # ADO well-known resource id