CopilotConversation403Error on GCC (Government Community Cloud) tenant — CLI and MCP both fail

[jeffike7385]

Summary

WorkIQ CLI and MCP server return CopilotConversation403Error on a GCC (Government Community Cloud) tenant. Authentication succeeds, tenant is fully provisioned, and Copilot works in the browser — but all programmatic access via WorkIQ fails with 403.

Environment

• Platform: macOS (Apple Silicon), Windows 11
• WorkIQ version: 0.4.0.16790
• Cloud: GCC (not GCC High or DoD) — uses commercial login.microsoftonline.com and graph.microsoft.com endpoints
• Account: Global Admin with Microsoft 365 Copilot license assigned

Steps to Reproduce

1. Run Enable-WorkIQToolsForTenant.ps1 — completes successfully
2. Run Verify-WorkIQTenant.ps1 — all checks pass (all 10 MCP server service principals, CLI service principal, all 7 Graph scopes, all 13 MCP server scopes)
3. Run workiq ask -q "hello"
4. Result: Error: Exception of type 'ApiSdk.Models.CopilotConversation403Error' was thrown.

The same error occurs via the MCP server (ask_work_iq returns {"response":null,"conversationId":null,"error":"An error occurred while processing your request."}).

What Works

• Copilot in the browser (Teams/M365) responds correctly to the same queries
• Authentication completes without error (WAM broker provides token silently)
• Tenant verification script confirms all service principals and permission grants are in place

Question

Is GCC supported? If not, is there a timeline for GCC support, or a workaround?