@agenticmail/enterprise 0.5.69 → 0.5.70

package/dist/runtime-3M2QQDTA.js

@@ -0,0 +1,47 @@
+import {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  runAgentLoop,
+  toolsToDefinitions
+} from "./chunk-SWD4HRGX.js";
+import "./chunk-TYW5XTOW.js";
+import "./chunk-JLSQOQ5L.js";
+import {
+  PROVIDER_REGISTRY,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider
+} from "./chunk-67KZYSLU.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  PROVIDER_REGISTRY,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider,
+  runAgentLoop,
+  toolsToDefinitions
+};

package/dist/server-N5QXQO5K.js

@@ -0,0 +1,12 @@
+import {
+  createServer
+} from "./chunk-5KWBRCXT.js";
+import "./chunk-3SMTCIR4.js";
+import "./chunk-JLSQOQ5L.js";
+import "./chunk-RO537U6H.js";
+import "./chunk-DRXMYYKN.js";
+import "./chunk-67KZYSLU.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createServer
+};

package/dist/setup-CTHP4V2A.js

@@ -0,0 +1,20 @@
+import {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+} from "./chunk-77QJHMFG.js";
+import "./chunk-WP76IB36.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/enterprise",
-  "version": "0.5.69",
+  "version": "0.5.70",
   "description": "AgenticMail Enterprise — cloud-hosted AI agent identity, email, auth & compliance for organizations",
   "type": "module",
   "bin": {

package/src/dashboard/pages/agent-detail.js

@@ -3912,14 +3912,14 @@ function EmailSection(props) {
           oauthClientId: form.oauthClientId,
           oauthClientSecret: form.oauthClientSecret,
           oauthTenantId: form.oauthTenantId,
-          oauthRedirectUri: baseUrl + '/oauth/callback',
+          oauthRedirectUri: baseUrl + '/api/engine/oauth/callback',
         });
       } else if (form.provider === 'google') {
         var gBaseUrl = window.location.origin;
         Object.assign(body, {
           oauthClientId: form.oauthClientId,
           oauthClientSecret: form.oauthClientSecret,
-          oauthRedirectUri: gBaseUrl + '/oauth/callback',
+          oauthRedirectUri: gBaseUrl + '/api/engine/oauth/callback',
         });
       }
 
@@ -4098,7 +4098,7 @@ function EmailSection(props) {
         h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)', marginBottom: 16 } },
           h('strong', null, 'Setup Instructions:'), h('br'),
           '1. Go to ', h('a', { href: 'https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade', target: '_blank', style: { color: 'var(--accent)' } }, 'Azure Portal → App Registrations'), h('br'),
-          '2. Click "New Registration" → name it (e.g., "AgenticMail Agent") → set redirect URI to: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/oauth/callback'), h('br'),
+          '2. Click "New Registration" → name it (e.g., "AgenticMail Agent") → set redirect URI to: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
           '3. Under "Certificates & Secrets" → create a Client Secret', h('br'),
           '4. Under "API Permissions" → add Microsoft Graph: Mail.ReadWrite, Mail.Send, offline_access', h('br'),
           '5. Copy the Application (client) ID and Client Secret below'
@@ -4132,7 +4132,7 @@ function EmailSection(props) {
         h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)', marginBottom: 16 } },
           h('strong', null, 'Setup Instructions:'), h('br'),
           '1. Go to ', h('a', { href: 'https://console.cloud.google.com/apis/credentials', target: '_blank', style: { color: 'var(--accent)' } }, 'Google Cloud Console → Credentials'), h('br'),
-          '2. Create an OAuth 2.0 Client ID (Web application) → add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/oauth/callback'), h('br'),
+          '2. Create an OAuth 2.0 Client ID (Web application) → add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
           '3. Enable the Gmail API in your project', h('br'),
           '4. Copy the Client ID and Client Secret below'
         ),

package/src/engine/oauth-connect-routes.ts

@@ -68,7 +68,7 @@ async function findVaultEntryByName(
 
 // ─── Route Factory ──────────────────────────────────────
 
-export function createOAuthConnectRoutes(vault: SecureVault) {
+export function createOAuthConnectRoutes(vault: SecureVault, lifecycle?: any) {
   const router = new Hono();
 
   // ─── GET /authorize/:skillId — Start OAuth flow ─────
@@ -195,9 +195,16 @@ export function createOAuthConnectRoutes(vault: SecureVault) {
         return c.html(oauthResultPage(false, 'Missing code or state parameter'));
       }
 
-      // Validate state
+      // Validate state — check skill OAuth states first, then agent email OAuth
       const pending = pendingOAuthStates.get(state);
       if (!pending) {
+        // Check if state is an agent ID (agent email OAuth flow)
+        if (lifecycle) {
+          const managed = lifecycle.getAgent(state);
+          if (managed?.config?.emailConfig?.status === 'awaiting_oauth') {
+            return await handleAgentEmailOAuthCallback(c, state, code, managed, lifecycle);
+          }
+        }
         return c.html(oauthResultPage(false, 'Invalid or expired OAuth state'));
       }
 
@@ -338,6 +345,95 @@ export function createOAuthConnectRoutes(vault: SecureVault) {
   return router;
 }
 
+// ─── Agent Email OAuth Callback Handler ─────────────────
+
+async function handleAgentEmailOAuthCallback(c: any, agentId: string, code: string, managed: any, lifecycle: any) {
+  const emailConfig = managed.config.emailConfig;
+  try {
+    if (emailConfig.oauthProvider === 'microsoft') {
+      const tokenRes = await fetch(`https://login.microsoftonline.com/${emailConfig.oauthTenantId || 'common'}/oauth2/v2.0/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          client_id: emailConfig.oauthClientId,
+          client_secret: emailConfig.oauthClientSecret,
+          code,
+          redirect_uri: emailConfig.oauthRedirectUri,
+          grant_type: 'authorization_code',
+          scope: emailConfig.oauthScopes.join(' '),
+        }),
+      });
+      if (!tokenRes.ok) {
+        const errText = await tokenRes.text();
+        return c.html(oauthResultPage(false, `Microsoft token exchange failed: ${errText}`));
+      }
+      const tokens = await tokenRes.json() as any;
+      emailConfig.oauthAccessToken = tokens.access_token;
+      emailConfig.oauthRefreshToken = tokens.refresh_token;
+      emailConfig.oauthTokenExpiry = new Date(Date.now() + (tokens.expires_in * 1000)).toISOString();
+
+      // Get user email from Graph
+      try {
+        const profileRes = await fetch('https://graph.microsoft.com/v1.0/me?$select=mail,displayName', {
+          headers: { Authorization: `Bearer ${tokens.access_token}` },
+        });
+        if (profileRes.ok) {
+          const profile = await profileRes.json() as any;
+          if (profile.mail) emailConfig.email = profile.mail;
+        }
+      } catch {}
+
+    } else if (emailConfig.oauthProvider === 'google') {
+      const tokenRes = await fetch('https://oauth2.googleapis.com/token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          client_id: emailConfig.oauthClientId,
+          client_secret: emailConfig.oauthClientSecret,
+          code,
+          redirect_uri: emailConfig.oauthRedirectUri,
+          grant_type: 'authorization_code',
+        }),
+      });
+      if (!tokenRes.ok) {
+        const errText = await tokenRes.text();
+        return c.html(oauthResultPage(false, `Google token exchange failed: ${errText}`));
+      }
+      const tokens = await tokenRes.json() as any;
+      emailConfig.oauthAccessToken = tokens.access_token;
+      emailConfig.oauthRefreshToken = tokens.refresh_token;
+      emailConfig.oauthTokenExpiry = tokens.expires_in
+        ? new Date(Date.now() + (tokens.expires_in * 1000)).toISOString()
+        : undefined;
+
+      // Get user email from Google
+      try {
+        const profileRes = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+          headers: { Authorization: `Bearer ${tokens.access_token}` },
+        });
+        if (profileRes.ok) {
+          const profile = await profileRes.json() as any;
+          if (profile.email) emailConfig.email = profile.email;
+        }
+      } catch {}
+
+    } else {
+      return c.html(oauthResultPage(false, `Unknown OAuth provider: ${emailConfig.oauthProvider}`));
+    }
+
+    emailConfig.status = 'connected';
+    emailConfig.configured = true;
+    delete emailConfig.oauthAuthUrl;
+    managed.config.emailConfig = emailConfig;
+    managed.updatedAt = new Date().toISOString();
+    await lifecycle.saveAgent(agentId);
+
+    return c.html(oauthResultPage(true, `Email connected via ${emailConfig.oauthProvider === 'google' ? 'Google' : 'Microsoft'} OAuth`));
+  } catch (e: any) {
+    return c.html(oauthResultPage(false, e.message || 'OAuth token exchange failed'));
+  }
+}
+
 // ─── HTML Callback Page ─────────────────────────────────
 
 /**

package/src/engine/routes.ts

@@ -214,7 +214,7 @@ engine.route('/storage', createStorageRoutes(storageManager));
 engine.route('/policies', createPolicyImportRoutes(policyImporter));
 engine.route('/knowledge-contribution', createKnowledgeContributionRoutes(knowledgeContribution));
 engine.route('/skill-updates', createSkillUpdaterRoutes(skillUpdater));
-engine.route('/oauth', createOAuthConnectRoutes(vault));
+engine.route('/oauth', createOAuthConnectRoutes(vault, lifecycle));
 
 // ─── setEngineDb ────────────────────────────────────────
 

package/src/server.ts

@@ -177,6 +177,11 @@ export function createServer(config: ServerConfig): ServerInstance {
 
   // Authentication middleware
   api.use('*', async (c, next) => {
+    // Skip auth for OAuth callback (browser redirect from Google/Microsoft)
+    if (c.req.path.endsWith('/oauth/callback') && c.req.method === 'GET') {
+      return next();
+    }
+
     // Check API key first
     const apiKeyHeader = c.req.header('X-API-Key');
     if (apiKeyHeader) {