@agenticmail/enterprise 0.5.71 → 0.5.73

package/dist/cli-recover-JYCMVLVL.js

@@ -0,0 +1,97 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-recover.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+async function runRecover(args) {
+  const { default: inquirer } = await import("inquirer");
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Recovery"));
+  console.log(chalk.dim("  Recover your domain registration on a new machine."));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  if (!domain) {
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to recover:",
+      suffix: chalk.dim("  (e.g. agents.agenticmail.io)"),
+      validate: (v) => v.includes(".") || "Enter a valid domain"
+    }]);
+    domain = answer.domain;
+  }
+  let key = getFlag(args, "--key");
+  if (!key) {
+    const answer = await inquirer.prompt([{
+      type: "password",
+      name: "key",
+      message: "Deployment key:",
+      mask: "*",
+      validate: (v) => {
+        if (v.length !== 64) return "Deployment key should be 64 hex characters";
+        if (!/^[0-9a-fA-F]+$/.test(v)) return "Deployment key should be hexadecimal";
+        return true;
+      }
+    }]);
+    key = answer.key;
+  }
+  const spinner = ora("Contacting AgenticMail registry...").start();
+  const lock = new DomainLock();
+  const result = await lock.recover(domain, key);
+  if (!result.success) {
+    spinner.fail("Recovery failed");
+    console.log("");
+    console.error(chalk.red(`  ${result.error}`));
+    console.log("");
+    process.exit(1);
+  }
+  spinner.succeed("Domain recovery initiated");
+  const { default: bcrypt } = await import("bcryptjs");
+  const keyHash = await bcrypt.hash(key, 12);
+  const dbPath = getFlag(args, "--db");
+  const dbType = getFlag(args, "--db-type") || "sqlite";
+  if (dbPath) {
+    try {
+      const spinnerDb = ora("Saving to local database...").start();
+      const { createAdapter } = await import("./factory-GT6SUZSQ.js");
+      const db = await createAdapter({ type: dbType, connectionString: dbPath });
+      await db.migrate();
+      await db.updateSettings({
+        domain,
+        deploymentKeyHash: keyHash,
+        domainRegistrationId: result.registrationId,
+        domainDnsChallenge: result.dnsChallenge,
+        domainRegisteredAt: (/* @__PURE__ */ new Date()).toISOString(),
+        domainStatus: "pending_dns"
+      });
+      spinnerDb.succeed("Local database updated");
+      await db.disconnect();
+    } catch (err) {
+      console.log(chalk.yellow(`
+  Could not update local DB: ${err.message}`));
+      console.log(chalk.dim("  You can manually update settings after setup."));
+    }
+  }
+  console.log("");
+  console.log(chalk.green.bold("  Domain recovery successful!"));
+  console.log("");
+  console.log(chalk.bold("  Update your DNS TXT record:"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(result.dnsChallenge)}`);
+  console.log("");
+  console.log(chalk.dim("  Then run: npx @agenticmail/enterprise verify-domain"));
+  console.log("");
+}
+export {
+  runRecover
+};

package/dist/cli-verify-F7R5RO65.js

@@ -0,0 +1,98 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-verify.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+async function runVerifyDomain(args) {
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Verification"));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  let dnsChallenge;
+  let dbConnected = false;
+  let db = null;
+  if (!domain) {
+    const dbPath = getFlag(args, "--db");
+    const dbType = getFlag(args, "--db-type") || "sqlite";
+    if (dbPath) {
+      try {
+        const { createAdapter } = await import("./factory-GT6SUZSQ.js");
+        db = await createAdapter({ type: dbType, connectionString: dbPath });
+        await db.migrate();
+        const settings = await db.getSettings();
+        domain = settings?.domain;
+        dnsChallenge = settings?.domainDnsChallenge;
+        dbConnected = true;
+      } catch {
+      }
+    }
+  }
+  if (!domain) {
+    const { default: inquirer } = await import("inquirer");
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to verify:",
+      suffix: chalk.dim("  (e.g. agents.agenticmail.io)"),
+      validate: (v) => v.includes(".") || "Enter a valid domain"
+    }]);
+    domain = answer.domain;
+  }
+  const spinner = ora("Checking DNS verification...").start();
+  const lock = new DomainLock();
+  const result = await lock.checkVerification(domain);
+  if (!result.success) {
+    spinner.fail("Verification check failed");
+    console.log("");
+    console.error(chalk.red(`  ${result.error}`));
+    console.log("");
+    if (db) await db.disconnect();
+    process.exit(1);
+  }
+  if (result.verified) {
+    spinner.succeed("Domain verified!");
+    if (dbConnected && db) {
+      try {
+        await db.updateSettings({
+          domainStatus: "verified",
+          domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+        });
+      } catch {
+      }
+    }
+    console.log("");
+    console.log(chalk.green.bold(`  ${domain} is verified and protected.`));
+    console.log(chalk.dim("  Your deployment domain is locked. No other instance can claim it."));
+    console.log("");
+  } else {
+    spinner.info("DNS record not found yet");
+    console.log("");
+    console.log(chalk.yellow("  The DNS TXT record has not been detected."));
+    console.log("");
+    console.log(chalk.bold("  Make sure this record exists:"));
+    console.log("");
+    console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+    console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+    if (dnsChallenge) {
+      console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(dnsChallenge)}`);
+    } else {
+      console.log(`  ${chalk.bold("Value:")}  ${chalk.dim("(check your setup records or dashboard)")}`);
+    }
+    console.log("");
+    console.log(chalk.dim("  DNS changes can take up to 48 hours to propagate."));
+    console.log(chalk.dim("  Run this command again after adding the record."));
+    console.log("");
+  }
+  if (db) await db.disconnect();
+}
+export {
+  runVerifyDomain
+};

package/dist/cli.js

@@ -14,10 +14,10 @@ switch (command) {
     import("./cli-submit-skill-LDFJGSKO.js").then((m) => m.runSubmitSkill(args.slice(1))).catch(fatal);
     break;
   case "recover":
-    import("./cli-recover-C72I57LB.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
+    import("./cli-recover-JYCMVLVL.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
     break;
   case "verify-domain":
-    import("./cli-verify-HKS5O6Q2.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
+    import("./cli-verify-F7R5RO65.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
     break;
   case "--help":
   case "-h":
@@ -48,7 +48,7 @@ Skill Development:
     break;
   case "setup":
   default:
-    import("./setup-N7RALR7Z.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-TPYVQULV.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/dashboard/pages/agent-detail.js

@@ -3875,6 +3875,23 @@ function EmailSection(props) {
 
   useEffect(function() { loadConfig(); }, [agentId]);
 
+  // Listen for OAuth popup completion
+  useEffect(function() {
+    function onMessage(e) {
+      if (e.data && e.data.type === 'oauth-result') {
+        if (e.data.status === 'success') {
+          toast('Email connected successfully', 'success');
+        } else {
+          toast('OAuth failed: ' + (e.data.message || 'Unknown error'), 'error');
+        }
+        loadConfig();
+        if (reload) reload();
+      }
+    }
+    window.addEventListener('message', onMessage);
+    return function() { window.removeEventListener('message', onMessage); };
+  }, []);
+
   // Preset changed → auto-fill hosts
   var PRESETS = {
     microsoft365: { label: 'Microsoft 365 / Outlook', imapHost: 'outlook.office365.com', imapPort: 993, smtpHost: 'smtp.office365.com', smtpPort: 587 },
@@ -3908,18 +3925,22 @@ function EmailSection(props) {
         });
       } else if (form.provider === 'microsoft') {
         var baseUrl = window.location.origin;
+        var hasOrgMs = emailConfig && emailConfig.orgEmailConfig && emailConfig.orgEmailConfig.provider === 'microsoft';
         Object.assign(body, {
-          oauthClientId: form.oauthClientId,
-          oauthClientSecret: form.oauthClientSecret,
+          oauthClientId: form.oauthClientId || undefined,
+          oauthClientSecret: form.oauthClientSecret || undefined,
           oauthTenantId: form.oauthTenantId,
           oauthRedirectUri: baseUrl + '/api/engine/oauth/callback',
+          useOrgConfig: hasOrgMs && !form.oauthClientId ? true : undefined,
         });
       } else if (form.provider === 'google') {
         var gBaseUrl = window.location.origin;
+        var hasOrgG = emailConfig && emailConfig.orgEmailConfig && emailConfig.orgEmailConfig.provider === 'google';
         Object.assign(body, {
-          oauthClientId: form.oauthClientId,
-          oauthClientSecret: form.oauthClientSecret,
+          oauthClientId: form.oauthClientId || undefined,
+          oauthClientSecret: form.oauthClientSecret || undefined,
           oauthRedirectUri: gBaseUrl + '/api/engine/oauth/callback',
+          useOrgConfig: hasOrgG && !form.oauthClientId ? true : undefined,
         });
       }
 
@@ -4006,6 +4027,15 @@ function EmailSection(props) {
     ),
     h('div', { className: 'card-body' },
 
+      // ─── Org Email Config Banner ──────────────────────
+      emailConfig && emailConfig.orgEmailConfig && h('div', { style: { padding: '12px 16px', background: 'var(--success-soft)', borderRadius: 'var(--radius)', marginBottom: 16, display: 'flex', alignItems: 'center', gap: 10 } },
+        h('span', { style: { fontSize: 18 } }, '\u2705'),
+        h('div', null,
+          h('div', { style: { fontSize: 13, fontWeight: 600 } }, 'Your organization has configured ', emailConfig.orgEmailConfig.label || emailConfig.orgEmailConfig.provider),
+          h('div', { style: { fontSize: 12, color: 'var(--text-muted)' } }, 'Select ', emailConfig.orgEmailConfig.provider === 'google' ? 'Google OAuth' : 'Microsoft OAuth', ' below — Client ID and Secret will be inherited automatically.')
+        )
+      ),
+
       // ─── Provider Selection ─────────────────────────
       h('div', { style: { marginBottom: 20 } },
         h('label', { style: labelStyle }, 'Connection Method'),
@@ -4128,16 +4158,24 @@ function EmailSection(props) {
       ),
 
       // ─── Google OAuth Config ────────────────────────
-      form.provider === 'google' && h(Fragment, null,
-        h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)', marginBottom: 16 } },
-          h('strong', null, 'Setup Instructions:'), h('br'),
-          '1. Go to ', h('a', { href: 'https://console.cloud.google.com/apis/credentials', target: '_blank', style: { color: 'var(--accent)' } }, 'Google Cloud Console → Credentials'), h('br'),
-          '2. Create an OAuth 2.0 Client ID (Web application) → add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
-          '3. Enable the Gmail API in your project', h('br'),
-          '4. Copy the Client ID and Client Secret below'
-        ),
+      form.provider === 'google' && (function() {
+        var hasOrg = emailConfig && emailConfig.orgEmailConfig && emailConfig.orgEmailConfig.provider === 'google';
+        return h(Fragment, null,
+        hasOrg
+          ? h('div', { style: { padding: '12px 16px', background: 'var(--success-soft)', borderRadius: 'var(--radius)', fontSize: 12, marginBottom: 16 } },
+              h('strong', null, '\u2705 Using organization Google Workspace credentials'), h('br'),
+              'Client ID: ', h('code', { style: { fontSize: 11 } }, emailConfig.orgEmailConfig.oauthClientId), h('br'),
+              h('span', { style: { color: 'var(--text-muted)' } }, 'Just click "Save Configuration" then authorize with the agent\'s Google account.')
+            )
+          : h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)', marginBottom: 16 } },
+              h('strong', null, 'Setup Instructions:'), h('br'),
+              '1. Go to ', h('a', { href: 'https://console.cloud.google.com/apis/credentials', target: '_blank', style: { color: 'var(--accent)' } }, 'Google Cloud Console \u2192 Credentials'), h('br'),
+              '2. Create an OAuth 2.0 Client ID (Web application) \u2192 add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
+              '3. Enable the Gmail API in your project', h('br'),
+              '4. Copy the Client ID and Client Secret below'
+            ),
 
-        h('div', { style: { display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 16 } },
+        !hasOrg && h('div', { style: { display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 16 } },
           h('div', null,
             h('label', { style: labelStyle }, 'OAuth Client ID *'),
             h('input', { style: inputStyle, value: form.oauthClientId, placeholder: 'xxxx.apps.googleusercontent.com', onChange: function(e) { set('oauthClientId', e.target.value); } })
@@ -4153,7 +4191,7 @@ function EmailSection(props) {
           h('p', { style: { fontSize: 12, margin: '0 0 8px', color: 'var(--text-secondary)' } }, 'Click the button below to sign in with the agent\'s Google account and grant Gmail permissions.'),
           h('button', { className: 'btn btn-primary btn-sm', onClick: openOAuth }, 'Authorize with Google')
         )
-      ),
+      ); })(),
 
       // ─── Test Result ─────────────────────────────────
       testResult && h('div', { style: { padding: '12px 16px', borderRadius: 'var(--radius)', marginBottom: 16, background: testResult.success ? 'var(--success-soft)' : 'var(--danger-soft)' } },

package/dist/dashboard/pages/settings.js

@@ -53,6 +53,12 @@ export function SettingsPage() {
   var _apiKeyInput = useState('');
   var apiKeyInput = _apiKeyInput[0]; var setApiKeyInput = _apiKeyInput[1];
 
+  // Org Email Config
+  var _orgEmail = useState({ configured: false, provider: '', oauthClientId: '', oauthClientSecret: '', oauthTenantId: 'common', label: '' });
+  var orgEmail = _orgEmail[0]; var setOrgEmail = _orgEmail[1];
+  var _orgEmailSaving = useState(false);
+  var orgEmailSaving = _orgEmailSaving[0]; var setOrgEmailSaving = _orgEmailSaving[1];
+
   useEffect(() => {
     apiCall('/settings').then(d => { const s = d.settings || d || {}; setSettings(s); if (s.primaryColor) applyBrandColor(s.primaryColor); if (s.orgId) setOrgId(s.orgId); }).catch(() => {});
     apiCall('/api-keys').then(d => setApiKeys(d.keys || [])).catch(() => {});
@@ -66,6 +72,9 @@ export function SettingsPage() {
       }));
     }).catch(() => {});
     engineCall('/deploy-credentials?orgId=' + getOrgId()).then(d => setDeployCreds(d.credentials || [])).catch(() => {});
+    apiCall('/settings/org-email').then(d => {
+      if (d.configured) setOrgEmail({ configured: true, provider: d.provider, oauthClientId: d.oauthClientId || '', oauthClientSecret: '', oauthTenantId: d.oauthTenantId || 'common', label: d.label || '' });
+    }).catch(() => {});
     apiCall('/settings/tool-security').then(d => {
       var cfg = d.toolSecurityConfig || {};
       setToolSec({
@@ -108,6 +117,29 @@ export function SettingsPage() {
     try { await apiCall('/settings', { method: 'PATCH', body: JSON.stringify({ [key]: value }) }); toast('Settings saved', 'success'); } catch (e) { toast(e.message, 'error'); }
   };
 
+  const saveOrgEmail = async () => {
+    if (!orgEmail.provider) { toast('Select a provider', 'error'); return; }
+    if (!orgEmail.oauthClientId) { toast('Enter Client ID', 'error'); return; }
+    if (!orgEmail.oauthClientSecret) { toast('Enter Client Secret', 'error'); return; }
+    setOrgEmailSaving(true);
+    try {
+      var result = await apiCall('/settings/org-email', { method: 'PUT', body: JSON.stringify({ provider: orgEmail.provider, oauthClientId: orgEmail.oauthClientId, oauthClientSecret: orgEmail.oauthClientSecret, oauthTenantId: orgEmail.oauthTenantId }) });
+      setOrgEmail(function(prev) { return Object.assign({}, prev, { configured: true, label: result.orgEmailConfig?.label || prev.label, oauthClientSecret: '' }); });
+      toast('Organization email configuration saved', 'success');
+    } catch (e) { toast(e.message, 'error'); }
+    setOrgEmailSaving(false);
+  };
+
+  const removeOrgEmail = async () => {
+    var ok = await showConfirm({ title: 'Remove Organization Email', message: 'Agents using this org-level config will need to be individually configured.', danger: true, confirmText: 'Remove' });
+    if (!ok) return;
+    try {
+      await apiCall('/settings/org-email', { method: 'DELETE' });
+      setOrgEmail({ configured: false, provider: '', oauthClientId: '', oauthClientSecret: '', oauthTenantId: 'common', label: '' });
+      toast('Organization email configuration removed', 'success');
+    } catch (e) { toast(e.message, 'error'); }
+  };
+
   const saveSaml = async () => {
     try {
       await apiCall('/settings/sso/saml', { method: 'PUT', body: JSON.stringify({ entityId: settings.samlEntityId, ssoUrl: settings.samlSsoUrl, certificate: settings.samlCertificate }) });
@@ -225,14 +257,76 @@ export function SettingsPage() {
         )
       ),
       h('div', { className: 'card' },
-        h('div', { className: 'card-header' }, h('h3', null, 'Email Configuration')),
+        h('div', { className: 'card-header' },
+          h('h3', null, 'Organization Email'),
+          orgEmail.configured && h('span', { className: 'badge badge-success', style: { marginLeft: 8 } }, orgEmail.label || 'Configured')
+        ),
         h('div', { className: 'card-body' },
-          h('div', { style: { display: 'flex', alignItems: 'center', gap: 12, padding: 16, background: 'var(--bg-tertiary)', borderRadius: 'var(--radius)' } },
-            h('div', { style: { fontSize: 24 } }, '\u2709\uFE0F'),
-            h('div', null,
-              h('p', { style: { fontSize: 14, fontWeight: 600, marginBottom: 4 } }, 'Email is configured per agent'),
-              h('p', { style: { fontSize: 13, color: 'var(--text-muted)' } }, 'Each agent has its own email credentials (IMAP/SMTP, Microsoft 365 OAuth, or Google OAuth). Configure email from each agent\'s detail page under the Email tab.')
+          h('p', { style: { fontSize: 13, color: 'var(--text-muted)', marginBottom: 16 } }, 'Set up a shared OAuth application for all agents. Each agent will still authorize individually with their own account, but they\'ll use the same Client ID and Secret.'),
+
+          // Provider selector
+          h('div', { style: { display: 'flex', gap: 12, marginBottom: 16 } },
+            h('div', {
+              onClick: function() { setOrgEmail(function(p) { return Object.assign({}, p, { provider: 'google' }); }); },
+              style: { flex: 1, padding: '16px 12px', border: '2px solid ' + (orgEmail.provider === 'google' ? 'var(--accent)' : 'var(--border)'), borderRadius: 'var(--radius)', cursor: 'pointer', textAlign: 'center', background: orgEmail.provider === 'google' ? 'var(--accent-soft)' : 'var(--bg-primary)' }
+            },
+              h('div', { style: { fontSize: 20, marginBottom: 4 } }, '\uD83D\uDD35'),
+              h('div', { style: { fontSize: 13, fontWeight: 600 } }, 'Google Workspace'),
+              h('div', { style: { fontSize: 11, color: 'var(--text-muted)' } }, 'Gmail API OAuth')
+            ),
+            h('div', {
+              onClick: function() { setOrgEmail(function(p) { return Object.assign({}, p, { provider: 'microsoft' }); }); },
+              style: { flex: 1, padding: '16px 12px', border: '2px solid ' + (orgEmail.provider === 'microsoft' ? 'var(--accent)' : 'var(--border)'), borderRadius: 'var(--radius)', cursor: 'pointer', textAlign: 'center', background: orgEmail.provider === 'microsoft' ? 'var(--accent-soft)' : 'var(--bg-primary)' }
+            },
+              h('div', { style: { fontSize: 20, marginBottom: 4 } }, '\uD83C\uDFE2'),
+              h('div', { style: { fontSize: 13, fontWeight: 600 } }, 'Microsoft 365'),
+              h('div', { style: { fontSize: 11, color: 'var(--text-muted)' } }, 'Azure AD / Entra ID')
+            )
+          ),
+
+          // Setup instructions
+          orgEmail.provider && h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', marginBottom: 16, fontSize: 12, color: 'var(--text-secondary)' } },
+            h('strong', { style: { color: 'var(--accent)' } }, 'Setup Instructions:'), h('br'),
+            orgEmail.provider === 'google'
+              ? h(Fragment, null,
+                  '1. Go to ', h('a', { href: 'https://console.cloud.google.com/apis/credentials', target: '_blank', style: { color: 'var(--accent)' } }, 'Google Cloud Console \u2192 Credentials'), h('br'),
+                  '2. Create an OAuth 2.0 Client ID (Web application) \u2192 add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3, fontSize: 11 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
+                  '3. Enable the Gmail API in your project', h('br'),
+                  '4. Copy the Client ID and Client Secret below'
+                )
+              : h(Fragment, null,
+                  '1. Go to ', h('a', { href: 'https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade', target: '_blank', style: { color: 'var(--accent)' } }, 'Azure Portal \u2192 App Registrations'), h('br'),
+                  '2. Click "New Registration" \u2192 set redirect URI to: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3, fontSize: 11 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
+                  '3. Copy the Client ID and create a Client Secret below'
+                )
+          ),
+
+          // Credentials form
+          orgEmail.provider && h(Fragment, null,
+            h('div', { style: { display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 12 } },
+              h('div', null,
+                h('label', { className: 'form-label' }, 'OAuth Client ID *'),
+                h('input', { className: 'input', value: orgEmail.oauthClientId, placeholder: orgEmail.provider === 'google' ? 'xxxx.apps.googleusercontent.com' : 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', onChange: function(e) { setOrgEmail(function(p) { return Object.assign({}, p, { oauthClientId: e.target.value }); }); } })
+              ),
+              h('div', null,
+                h('label', { className: 'form-label' }, 'Client Secret *'),
+                h('input', { className: 'input', type: 'password', value: orgEmail.oauthClientSecret, placeholder: orgEmail.configured ? '\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022 (saved)' : 'Enter client secret', onChange: function(e) { setOrgEmail(function(p) { return Object.assign({}, p, { oauthClientSecret: e.target.value }); }); } })
+              )
+            ),
+            orgEmail.provider === 'microsoft' && h('div', { style: { marginBottom: 12 } },
+              h('label', { className: 'form-label' }, 'Tenant ID'),
+              h('input', { className: 'input', style: { maxWidth: 400 }, value: orgEmail.oauthTenantId, placeholder: 'common', onChange: function(e) { setOrgEmail(function(p) { return Object.assign({}, p, { oauthTenantId: e.target.value }); }); } }),
+              h('p', { className: 'form-help' }, 'Use "common" for multi-tenant or your specific tenant ID')
+            ),
+            h('div', { style: { display: 'flex', gap: 8 } },
+              h('button', { className: 'btn btn-primary', disabled: orgEmailSaving, onClick: saveOrgEmail }, orgEmailSaving ? 'Saving...' : (orgEmail.configured ? 'Update Configuration' : 'Save Configuration')),
+              orgEmail.configured && h('button', { className: 'btn btn-danger', onClick: removeOrgEmail }, 'Remove')
             )
+          ),
+
+          // Info about per-agent auth
+          orgEmail.configured && h('div', { style: { marginTop: 16, padding: '12px 16px', background: 'var(--bg-tertiary)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--text-muted)' } },
+            '\u2139\uFE0F Each agent still needs to individually authorize via their Email tab. This org config provides the shared OAuth app credentials so agents don\'t need to enter Client ID/Secret individually.'
           )
         )
       ),

package/dist/factory-GT6SUZSQ.js

@@ -0,0 +1,9 @@
+import {
+  createAdapter,
+  getSupportedDatabases
+} from "./chunk-QDXUZP7Y.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createAdapter,
+  getSupportedDatabases
+};

package/dist/index.js

@@ -35,7 +35,7 @@ import {
   executeTool,
   runAgentLoop,
   toolsToDefinitions
-} from "./chunk-WH2LORAG.js";
+} from "./chunk-WBHMHTF3.js";
 import "./chunk-TYW5XTOW.js";
 import {
   ValidationError,
@@ -50,11 +50,11 @@ import {
   requireRole,
   securityHeaders,
   validate
-} from "./chunk-PB2APZMU.js";
+} from "./chunk-KQCDQUAK.js";
 import {
   provision,
   runSetupWizard
-} from "./chunk-UGBWZJ5G.js";
+} from "./chunk-G7BU3BUW.js";
 import {
   ENGINE_TABLES,
   ENGINE_TABLES_POSTGRES,
@@ -99,7 +99,7 @@ import {
 import {
   createAdapter,
   getSupportedDatabases
-} from "./chunk-WP76IB36.js";
+} from "./chunk-QDXUZP7Y.js";
 import {
   AGENTICMAIL_TOOLS,
   ALL_TOOLS,