## Summary

Splits the non-Curogram security/hardening changes out of #67 (per a blocking reviewer request to keep #67 Curogram-only). These changes were originally bundled into the Curogram PR-review rounds but touch files outside Curogram scope.

## Changes

**RingCentral admin (`tools/ringcentral-admin/server.py`, `README.md`)**
- Require an exact per-request `approval_text` on `update_call_queue_members`, `set_call_queue_ring_type`, and `set_call_queue_member_order`; the dry-run preview returns the exact string to confirm. Mirrors the stricter `create_ai_scheduling_extension` gate.
- Consistent preview-then-confirm on AI extension write.
- Fail-closed practice pin + operator gate for SIP secret reveal (SIP-credential redaction).
- Token cache: store only the keys we use instead of merging the full OAuth body (keeps `refresh_token` out of the cache).
- README: document all write tools + SIP reveal gating.

**teams-channel (`tools/teams-channel/server.ts`)**
- Consolidate the four `HTTP_ONLY` skip logs into one startup banner.

**Repo hygiene (`.claude/settings.json`, `.gitignore`)**
- Stop tracking `.claude/settings.json` (a personal rtk PreToolUse hook = arbitrary code exec from repo config) and gitignore it (plus `.claude/settings.local.json`).

## Provenance

These hunks were lifted verbatim from the #67 review rounds (commits f5a2e2d..fb71336) by file path; no behavior changed during the split. #67 has been rewritten to drop them and is now Curogram-only.

## Test plan

- N/A for runtime tests in this PR (changes are RC-admin Python + teams TS + repo config). Curogram-side `bun test tools/mcp-config/render.test.ts` and `bun build tools/curogram-mcp/server.ts` verified green on the cleaned #67.

Author: Gautam AI <gautamai@icloud.com>

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
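
A sketch of the preview-then-confirm gate described under the RingCentral admin changes, added here as an example and not taken from `tools/ringcentral-admin/server.py`. The helper names, the approval-string format, and the choice to derive the string from the full request are assumptions; only `approval_text` and `update_call_queue_members` come from the description above.

```python
# Added illustration; helper names and the approval-string format are hypothetical.
import json

APPLIED = []  # stands in for the real RingCentral write call (constructed)


def expected_approval(action: str, queue_id: str, params: dict) -> str:
    """Derive the confirmation string from the whole request, so an approval
    cannot be reused for another queue or another set of parameters."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return f"APPROVE {action} queue={queue_id} params={canonical}"


def gated_write(action: str, queue_id: str, params: dict, approval_text=None) -> dict:
    want = expected_approval(action, queue_id, params)
    if approval_text is None:
        # Dry run: nothing is written; the caller learns what to confirm.
        return {"status": "preview", "approval_text": want}
    # Exact comparison: no trimming, case folding or prefix matching.
    if not isinstance(approval_text, str) or approval_text != want:
        return {"status": "rejected",
                "reason": "approval_text does not match this request"}
    APPLIED.append((action, queue_id, params))
    return {"status": "applied"}


def demo() -> list:
    action = "update_call_queue_members"
    req = {"add": ["101"], "remove": ["102"]}  # constructed sample request
    preview = gated_write(action, "Q1", req)
    text = preview["approval_text"]
    other = {"add": ["999"], "remove": []}
    return [
        preview["status"],
        gated_write(action, "Q1", other, text)["status"],      # different params
        gated_write(action, "Q1", req, text + " ")["status"],  # near miss
        gated_write(action, "Q1", req, text)["status"],        # exact match
    ]


if __name__ == "__main__":
    print(demo())
```

Because the string is recomputed from the incoming request on every call, a confirmation copied from one preview is rejected when any parameter changes.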
