@agenticmail/enterprise 0.5.71 → 0.5.73

package/dist/runtime-LID6KTDP.js

@@ -0,0 +1,47 @@
+import {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  runAgentLoop,
+  toolsToDefinitions
+} from "./chunk-WBHMHTF3.js";
+import "./chunk-TYW5XTOW.js";
+import "./chunk-JLSQOQ5L.js";
+import {
+  PROVIDER_REGISTRY,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider
+} from "./chunk-67KZYSLU.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  PROVIDER_REGISTRY,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider,
+  runAgentLoop,
+  toolsToDefinitions
+};

package/dist/server-LSDU47XE.js

@@ -0,0 +1,12 @@
+import {
+  createServer
+} from "./chunk-KQCDQUAK.js";
+import "./chunk-3SMTCIR4.js";
+import "./chunk-JLSQOQ5L.js";
+import "./chunk-RO537U6H.js";
+import "./chunk-DRXMYYKN.js";
+import "./chunk-67KZYSLU.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createServer
+};

package/dist/setup-TPYVQULV.js

@@ -0,0 +1,20 @@
+import {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+} from "./chunk-G7BU3BUW.js";
+import "./chunk-QDXUZP7Y.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/enterprise",
-  "version": "0.5.71",
+  "version": "0.5.73",
   "description": "AgenticMail Enterprise — cloud-hosted AI agent identity, email, auth & compliance for organizations",
   "type": "module",
   "bin": {

package/src/admin/routes.ts

@@ -602,6 +602,49 @@ export function createAdminRoutes(db: DatabaseAdapter) {
     }
   });
 
+  // ─── Organization Email Config ─────────────────────
+
+  api.get('/settings/org-email', requireRole('admin'), async (c) => {
+    const settings = await db.getSettings();
+    const cfg = settings?.orgEmailConfig;
+    if (!cfg) return c.json({ configured: false });
+    return c.json({
+      configured: cfg.configured || false,
+      provider: cfg.provider,
+      label: cfg.label,
+      oauthClientId: cfg.oauthClientId,
+      oauthTenantId: cfg.oauthTenantId,
+    });
+  });
+
+  api.put('/settings/org-email', requireRole('admin'), async (c) => {
+    const body = await c.req.json();
+    const { provider, oauthClientId, oauthClientSecret, oauthTenantId } = body;
+    if (!provider || !['google', 'microsoft'].includes(provider)) {
+      return c.json({ error: 'provider must be "google" or "microsoft"' }, 400);
+    }
+    if (!oauthClientId || !oauthClientSecret) {
+      return c.json({ error: 'oauthClientId and oauthClientSecret are required' }, 400);
+    }
+    const label = provider === 'google' ? 'Google Workspace' : 'Microsoft 365';
+    const orgEmailConfig = {
+      provider,
+      oauthClientId,
+      oauthClientSecret,
+      oauthTenantId: provider === 'microsoft' ? (oauthTenantId || 'common') : undefined,
+      oauthRedirectUri: '', // Will be set per-agent at OAuth time
+      configured: true,
+      label,
+    };
+    await db.updateSettings({ orgEmailConfig } as any);
+    return c.json({ success: true, orgEmailConfig: { configured: true, provider, label, oauthClientId, oauthTenantId: orgEmailConfig.oauthTenantId } });
+  });
+
+  api.delete('/settings/org-email', requireRole('admin'), async (c) => {
+    await db.updateSettings({ orgEmailConfig: null } as any);
+    return c.json({ success: true });
+  });
+
   // ─── Tool Security Config ─────────────────────────
 
   api.get('/settings/tool-security', requireRole('admin'), async (c) => {

package/src/dashboard/pages/agent-detail.js

@@ -3875,6 +3875,23 @@ function EmailSection(props) {
 
   useEffect(function() { loadConfig(); }, [agentId]);
 
+  // Listen for OAuth popup completion
+  useEffect(function() {
+    function onMessage(e) {
+      if (e.data && e.data.type === 'oauth-result') {
+        if (e.data.status === 'success') {
+          toast('Email connected successfully', 'success');
+        } else {
+          toast('OAuth failed: ' + (e.data.message || 'Unknown error'), 'error');
+        }
+        loadConfig();
+        if (reload) reload();
+      }
+    }
+    window.addEventListener('message', onMessage);
+    return function() { window.removeEventListener('message', onMessage); };
+  }, []);
+
   // Preset changed → auto-fill hosts
   var PRESETS = {
     microsoft365: { label: 'Microsoft 365 / Outlook', imapHost: 'outlook.office365.com', imapPort: 993, smtpHost: 'smtp.office365.com', smtpPort: 587 },
@@ -3908,18 +3925,22 @@ function EmailSection(props) {
         });
       } else if (form.provider === 'microsoft') {
         var baseUrl = window.location.origin;
+        var hasOrgMs = emailConfig && emailConfig.orgEmailConfig && emailConfig.orgEmailConfig.provider === 'microsoft';
         Object.assign(body, {
-          oauthClientId: form.oauthClientId,
-          oauthClientSecret: form.oauthClientSecret,
+          oauthClientId: form.oauthClientId || undefined,
+          oauthClientSecret: form.oauthClientSecret || undefined,
           oauthTenantId: form.oauthTenantId,
           oauthRedirectUri: baseUrl + '/api/engine/oauth/callback',
+          useOrgConfig: hasOrgMs && !form.oauthClientId ? true : undefined,
         });
       } else if (form.provider === 'google') {
         var gBaseUrl = window.location.origin;
+        var hasOrgG = emailConfig && emailConfig.orgEmailConfig && emailConfig.orgEmailConfig.provider === 'google';
         Object.assign(body, {
-          oauthClientId: form.oauthClientId,
-          oauthClientSecret: form.oauthClientSecret,
+          oauthClientId: form.oauthClientId || undefined,
+          oauthClientSecret: form.oauthClientSecret || undefined,
           oauthRedirectUri: gBaseUrl + '/api/engine/oauth/callback',
+          useOrgConfig: hasOrgG && !form.oauthClientId ? true : undefined,
         });
       }
 
@@ -4006,6 +4027,15 @@ function EmailSection(props) {
     ),
     h('div', { className: 'card-body' },
 
+      // ─── Org Email Config Banner ──────────────────────
+      emailConfig && emailConfig.orgEmailConfig && h('div', { style: { padding: '12px 16px', background: 'var(--success-soft)', borderRadius: 'var(--radius)', marginBottom: 16, display: 'flex', alignItems: 'center', gap: 10 } },
+        h('span', { style: { fontSize: 18 } }, '\u2705'),
+        h('div', null,
+          h('div', { style: { fontSize: 13, fontWeight: 600 } }, 'Your organization has configured ', emailConfig.orgEmailConfig.label || emailConfig.orgEmailConfig.provider),
+          h('div', { style: { fontSize: 12, color: 'var(--text-muted)' } }, 'Select ', emailConfig.orgEmailConfig.provider === 'google' ? 'Google OAuth' : 'Microsoft OAuth', ' below — Client ID and Secret will be inherited automatically.')
+        )
+      ),
+
       // ─── Provider Selection ─────────────────────────
       h('div', { style: { marginBottom: 20 } },
         h('label', { style: labelStyle }, 'Connection Method'),
@@ -4128,16 +4158,24 @@ function EmailSection(props) {
       ),
 
       // ─── Google OAuth Config ────────────────────────
-      form.provider === 'google' && h(Fragment, null,
-        h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)', marginBottom: 16 } },
-          h('strong', null, 'Setup Instructions:'), h('br'),
-          '1. Go to ', h('a', { href: 'https://console.cloud.google.com/apis/credentials', target: '_blank', style: { color: 'var(--accent)' } }, 'Google Cloud Console → Credentials'), h('br'),
-          '2. Create an OAuth 2.0 Client ID (Web application) → add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
-          '3. Enable the Gmail API in your project', h('br'),
-          '4. Copy the Client ID and Client Secret below'
-        ),
+      form.provider === 'google' && (function() {
+        var hasOrg = emailConfig && emailConfig.orgEmailConfig && emailConfig.orgEmailConfig.provider === 'google';
+        return h(Fragment, null,
+        hasOrg
+          ? h('div', { style: { padding: '12px 16px', background: 'var(--success-soft)', borderRadius: 'var(--radius)', fontSize: 12, marginBottom: 16 } },
+              h('strong', null, '\u2705 Using organization Google Workspace credentials'), h('br'),
+              'Client ID: ', h('code', { style: { fontSize: 11 } }, emailConfig.orgEmailConfig.oauthClientId), h('br'),
+              h('span', { style: { color: 'var(--text-muted)' } }, 'Just click "Save Configuration" then authorize with the agent\'s Google account.')
+            )
+          : h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)', marginBottom: 16 } },
+              h('strong', null, 'Setup Instructions:'), h('br'),
+              '1. Go to ', h('a', { href: 'https://console.cloud.google.com/apis/credentials', target: '_blank', style: { color: 'var(--accent)' } }, 'Google Cloud Console \u2192 Credentials'), h('br'),
+              '2. Create an OAuth 2.0 Client ID (Web application) \u2192 add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
+              '3. Enable the Gmail API in your project', h('br'),
+              '4. Copy the Client ID and Client Secret below'
+            ),
 
-        h('div', { style: { display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 16 } },
+        !hasOrg && h('div', { style: { display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 16 } },
           h('div', null,
             h('label', { style: labelStyle }, 'OAuth Client ID *'),
             h('input', { style: inputStyle, value: form.oauthClientId, placeholder: 'xxxx.apps.googleusercontent.com', onChange: function(e) { set('oauthClientId', e.target.value); } })
@@ -4153,7 +4191,7 @@ function EmailSection(props) {
           h('p', { style: { fontSize: 12, margin: '0 0 8px', color: 'var(--text-secondary)' } }, 'Click the button below to sign in with the agent\'s Google account and grant Gmail permissions.'),
           h('button', { className: 'btn btn-primary btn-sm', onClick: openOAuth }, 'Authorize with Google')
         )
-      ),
+      ); })(),
 
       // ─── Test Result ─────────────────────────────────
       testResult && h('div', { style: { padding: '12px 16px', borderRadius: 'var(--radius)', marginBottom: 16, background: testResult.success ? 'var(--success-soft)' : 'var(--danger-soft)' } },

package/src/dashboard/pages/settings.js

@@ -53,6 +53,12 @@ export function SettingsPage() {
   var _apiKeyInput = useState('');
   var apiKeyInput = _apiKeyInput[0]; var setApiKeyInput = _apiKeyInput[1];
 
+  // Org Email Config
+  var _orgEmail = useState({ configured: false, provider: '', oauthClientId: '', oauthClientSecret: '', oauthTenantId: 'common', label: '' });
+  var orgEmail = _orgEmail[0]; var setOrgEmail = _orgEmail[1];
+  var _orgEmailSaving = useState(false);
+  var orgEmailSaving = _orgEmailSaving[0]; var setOrgEmailSaving = _orgEmailSaving[1];
+
   useEffect(() => {
     apiCall('/settings').then(d => { const s = d.settings || d || {}; setSettings(s); if (s.primaryColor) applyBrandColor(s.primaryColor); if (s.orgId) setOrgId(s.orgId); }).catch(() => {});
     apiCall('/api-keys').then(d => setApiKeys(d.keys || [])).catch(() => {});
@@ -66,6 +72,9 @@ export function SettingsPage() {
       }));
     }).catch(() => {});
     engineCall('/deploy-credentials?orgId=' + getOrgId()).then(d => setDeployCreds(d.credentials || [])).catch(() => {});
+    apiCall('/settings/org-email').then(d => {
+      if (d.configured) setOrgEmail({ configured: true, provider: d.provider, oauthClientId: d.oauthClientId || '', oauthClientSecret: '', oauthTenantId: d.oauthTenantId || 'common', label: d.label || '' });
+    }).catch(() => {});
     apiCall('/settings/tool-security').then(d => {
       var cfg = d.toolSecurityConfig || {};
       setToolSec({
@@ -108,6 +117,29 @@ export function SettingsPage() {
     try { await apiCall('/settings', { method: 'PATCH', body: JSON.stringify({ [key]: value }) }); toast('Settings saved', 'success'); } catch (e) { toast(e.message, 'error'); }
   };
 
+  const saveOrgEmail = async () => {
+    if (!orgEmail.provider) { toast('Select a provider', 'error'); return; }
+    if (!orgEmail.oauthClientId) { toast('Enter Client ID', 'error'); return; }
+    if (!orgEmail.oauthClientSecret) { toast('Enter Client Secret', 'error'); return; }
+    setOrgEmailSaving(true);
+    try {
+      var result = await apiCall('/settings/org-email', { method: 'PUT', body: JSON.stringify({ provider: orgEmail.provider, oauthClientId: orgEmail.oauthClientId, oauthClientSecret: orgEmail.oauthClientSecret, oauthTenantId: orgEmail.oauthTenantId }) });
+      setOrgEmail(function(prev) { return Object.assign({}, prev, { configured: true, label: result.orgEmailConfig?.label || prev.label, oauthClientSecret: '' }); });
+      toast('Organization email configuration saved', 'success');
+    } catch (e) { toast(e.message, 'error'); }
+    setOrgEmailSaving(false);
+  };
+
+  const removeOrgEmail = async () => {
+    var ok = await showConfirm({ title: 'Remove Organization Email', message: 'Agents using this org-level config will need to be individually configured.', danger: true, confirmText: 'Remove' });
+    if (!ok) return;
+    try {
+      await apiCall('/settings/org-email', { method: 'DELETE' });
+      setOrgEmail({ configured: false, provider: '', oauthClientId: '', oauthClientSecret: '', oauthTenantId: 'common', label: '' });
+      toast('Organization email configuration removed', 'success');
+    } catch (e) { toast(e.message, 'error'); }
+  };
+
   const saveSaml = async () => {
     try {
       await apiCall('/settings/sso/saml', { method: 'PUT', body: JSON.stringify({ entityId: settings.samlEntityId, ssoUrl: settings.samlSsoUrl, certificate: settings.samlCertificate }) });
@@ -225,14 +257,76 @@ export function SettingsPage() {
         )
       ),
       h('div', { className: 'card' },
-        h('div', { className: 'card-header' }, h('h3', null, 'Email Configuration')),
+        h('div', { className: 'card-header' },
+          h('h3', null, 'Organization Email'),
+          orgEmail.configured && h('span', { className: 'badge badge-success', style: { marginLeft: 8 } }, orgEmail.label || 'Configured')
+        ),
         h('div', { className: 'card-body' },
-          h('div', { style: { display: 'flex', alignItems: 'center', gap: 12, padding: 16, background: 'var(--bg-tertiary)', borderRadius: 'var(--radius)' } },
-            h('div', { style: { fontSize: 24 } }, '\u2709\uFE0F'),
-            h('div', null,
-              h('p', { style: { fontSize: 14, fontWeight: 600, marginBottom: 4 } }, 'Email is configured per agent'),
-              h('p', { style: { fontSize: 13, color: 'var(--text-muted)' } }, 'Each agent has its own email credentials (IMAP/SMTP, Microsoft 365 OAuth, or Google OAuth). Configure email from each agent\'s detail page under the Email tab.')
+          h('p', { style: { fontSize: 13, color: 'var(--text-muted)', marginBottom: 16 } }, 'Set up a shared OAuth application for all agents. Each agent will still authorize individually with their own account, but they\'ll use the same Client ID and Secret.'),
+
+          // Provider selector
+          h('div', { style: { display: 'flex', gap: 12, marginBottom: 16 } },
+            h('div', {
+              onClick: function() { setOrgEmail(function(p) { return Object.assign({}, p, { provider: 'google' }); }); },
+              style: { flex: 1, padding: '16px 12px', border: '2px solid ' + (orgEmail.provider === 'google' ? 'var(--accent)' : 'var(--border)'), borderRadius: 'var(--radius)', cursor: 'pointer', textAlign: 'center', background: orgEmail.provider === 'google' ? 'var(--accent-soft)' : 'var(--bg-primary)' }
+            },
+              h('div', { style: { fontSize: 20, marginBottom: 4 } }, '\uD83D\uDD35'),
+              h('div', { style: { fontSize: 13, fontWeight: 600 } }, 'Google Workspace'),
+              h('div', { style: { fontSize: 11, color: 'var(--text-muted)' } }, 'Gmail API OAuth')
+            ),
+            h('div', {
+              onClick: function() { setOrgEmail(function(p) { return Object.assign({}, p, { provider: 'microsoft' }); }); },
+              style: { flex: 1, padding: '16px 12px', border: '2px solid ' + (orgEmail.provider === 'microsoft' ? 'var(--accent)' : 'var(--border)'), borderRadius: 'var(--radius)', cursor: 'pointer', textAlign: 'center', background: orgEmail.provider === 'microsoft' ? 'var(--accent-soft)' : 'var(--bg-primary)' }
+            },
+              h('div', { style: { fontSize: 20, marginBottom: 4 } }, '\uD83C\uDFE2'),
+              h('div', { style: { fontSize: 13, fontWeight: 600 } }, 'Microsoft 365'),
+              h('div', { style: { fontSize: 11, color: 'var(--text-muted)' } }, 'Azure AD / Entra ID')
+            )
+          ),
+
+          // Setup instructions
+          orgEmail.provider && h('div', { style: { padding: '12px 16px', background: 'var(--info-soft)', borderRadius: 'var(--radius)', marginBottom: 16, fontSize: 12, color: 'var(--text-secondary)' } },
+            h('strong', { style: { color: 'var(--accent)' } }, 'Setup Instructions:'), h('br'),
+            orgEmail.provider === 'google'
+              ? h(Fragment, null,
+                  '1. Go to ', h('a', { href: 'https://console.cloud.google.com/apis/credentials', target: '_blank', style: { color: 'var(--accent)' } }, 'Google Cloud Console \u2192 Credentials'), h('br'),
+                  '2. Create an OAuth 2.0 Client ID (Web application) \u2192 add redirect URI: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3, fontSize: 11 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
+                  '3. Enable the Gmail API in your project', h('br'),
+                  '4. Copy the Client ID and Client Secret below'
+                )
+              : h(Fragment, null,
+                  '1. Go to ', h('a', { href: 'https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade', target: '_blank', style: { color: 'var(--accent)' } }, 'Azure Portal \u2192 App Registrations'), h('br'),
+                  '2. Click "New Registration" \u2192 set redirect URI to: ', h('code', { style: { background: 'var(--bg-tertiary)', padding: '1px 4px', borderRadius: 3, fontSize: 11 } }, window.location.origin + '/api/engine/oauth/callback'), h('br'),
+                  '3. Copy the Client ID and create a Client Secret below'
+                )
+          ),
+
+          // Credentials form
+          orgEmail.provider && h(Fragment, null,
+            h('div', { style: { display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 12 } },
+              h('div', null,
+                h('label', { className: 'form-label' }, 'OAuth Client ID *'),
+                h('input', { className: 'input', value: orgEmail.oauthClientId, placeholder: orgEmail.provider === 'google' ? 'xxxx.apps.googleusercontent.com' : 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', onChange: function(e) { setOrgEmail(function(p) { return Object.assign({}, p, { oauthClientId: e.target.value }); }); } })
+              ),
+              h('div', null,
+                h('label', { className: 'form-label' }, 'Client Secret *'),
+                h('input', { className: 'input', type: 'password', value: orgEmail.oauthClientSecret, placeholder: orgEmail.configured ? '\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022 (saved)' : 'Enter client secret', onChange: function(e) { setOrgEmail(function(p) { return Object.assign({}, p, { oauthClientSecret: e.target.value }); }); } })
+              )
+            ),
+            orgEmail.provider === 'microsoft' && h('div', { style: { marginBottom: 12 } },
+              h('label', { className: 'form-label' }, 'Tenant ID'),
+              h('input', { className: 'input', style: { maxWidth: 400 }, value: orgEmail.oauthTenantId, placeholder: 'common', onChange: function(e) { setOrgEmail(function(p) { return Object.assign({}, p, { oauthTenantId: e.target.value }); }); } }),
+              h('p', { className: 'form-help' }, 'Use "common" for multi-tenant or your specific tenant ID')
+            ),
+            h('div', { style: { display: 'flex', gap: 8 } },
+              h('button', { className: 'btn btn-primary', disabled: orgEmailSaving, onClick: saveOrgEmail }, orgEmailSaving ? 'Saving...' : (orgEmail.configured ? 'Update Configuration' : 'Save Configuration')),
+              orgEmail.configured && h('button', { className: 'btn btn-danger', onClick: removeOrgEmail }, 'Remove')
             )
+          ),
+
+          // Info about per-agent auth
+          orgEmail.configured && h('div', { style: { marginTop: 16, padding: '12px 16px', background: 'var(--bg-tertiary)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--text-muted)' } },
+            '\u2139\uFE0F Each agent still needs to individually authorize via their Email tab. This org config provides the shared OAuth app credentials so agents don\'t need to enter Client ID/Secret individually.'
           )
         )
       ),

package/src/db/adapter.ts

@@ -200,10 +200,22 @@ export interface CompanySettings {
   toolSecurityConfig?: Record<string, any>;
   firewallConfig?: FirewallConfig;
   modelPricingConfig?: ModelPricingConfig;
+  orgEmailConfig?: OrgEmailConfig;
   createdAt: Date;
   updatedAt: Date;
 }
 
+export interface OrgEmailConfig {
+  provider: 'google' | 'microsoft';
+  oauthClientId: string;
+  oauthClientSecret: string;
+  oauthTenantId?: string; // Microsoft only
+  oauthRedirectUri?: string;
+  oauthScopes?: string[];
+  configured: boolean;
+  label?: string; // e.g. "Google Workspace" or "Microsoft 365"
+}
+
 export interface FirewallConfig {
   ipAccess?: {
     enabled?: boolean;

package/src/db/postgres.ts

@@ -106,6 +106,9 @@ export class PostgresAdapter extends DatabaseAdapter {
         ALTER TABLE company_settings ADD COLUMN IF NOT EXISTS cf_api_token TEXT;
         ALTER TABLE company_settings ADD COLUMN IF NOT EXISTS cf_account_id TEXT;
       `).catch(() => {});
+      await client.query(`
+        ALTER TABLE company_settings ADD COLUMN IF NOT EXISTS org_email_config JSONB;
+      `).catch(() => {});
       await client.query('COMMIT');
     } catch (err) {
       await client.query('ROLLBACK');
@@ -175,6 +178,11 @@ export class PostgresAdapter extends DatabaseAdapter {
       values.push(JSON.stringify(updates.modelPricingConfig));
       i++;
     }
+    if (updates.orgEmailConfig !== undefined) {
+      fields.push(`org_email_config = $${i}`);
+      values.push(JSON.stringify(updates.orgEmailConfig));
+      i++;
+    }
     fields.push(`updated_at = NOW()`);
     values.push('default');
     const { rows } = await this.pool.query(
@@ -553,6 +561,7 @@ export class PostgresAdapter extends DatabaseAdapter {
       domainStatus: r.domain_status || 'unregistered',
       cfApiToken: r.cf_api_token || undefined,
       cfAccountId: r.cf_account_id || undefined,
+      orgEmailConfig: r.org_email_config ? (typeof r.org_email_config === 'string' ? JSON.parse(r.org_email_config) : r.org_email_config) : undefined,
     };
   }
 }

package/src/engine/agent-routes.ts

@@ -410,13 +410,30 @@ export function createAgentRoutes(opts: {
   /**
    * GET /bridge/agents/:id/email-config — Get agent's email configuration (without password).
    */
-  router.get('/bridge/agents/:id/email-config', (c) => {
+  router.get('/bridge/agents/:id/email-config', async (c) => {
     const agentId = c.req.param('id');
     const managed = lifecycle.getAgent(agentId);
     if (!managed) return c.json({ error: 'Agent not found' }, 404);
 
+    // Fetch org-level email config
+    let orgEmailConfig: any = null;
+    try {
+      const adminDb = getAdminDb();
+      if (adminDb) {
+        const settings = await adminDb.getSettings();
+        if (settings?.orgEmailConfig?.configured) {
+          orgEmailConfig = {
+            provider: settings.orgEmailConfig.provider,
+            label: settings.orgEmailConfig.label,
+            oauthClientId: settings.orgEmailConfig.oauthClientId,
+            oauthTenantId: settings.orgEmailConfig.oauthTenantId,
+          };
+        }
+      }
+    } catch {}
+
     const emailConfig = managed.config?.emailConfig || null;
-    if (!emailConfig) return c.json({ configured: false });
+    if (!emailConfig) return c.json({ configured: false, orgEmailConfig });
 
     // Return config without sensitive data
     return c.json({
@@ -436,6 +453,7 @@ export function createAgentRoutes(opts: {
       oauthAuthUrl: emailConfig.oauthAuthUrl || undefined,
       lastConnected: emailConfig.lastConnected,
       lastError: emailConfig.lastError,
+      orgEmailConfig,
     });
   });
 
@@ -455,10 +473,28 @@ export function createAgentRoutes(opts: {
     if (!managed) return c.json({ error: 'Agent not found' }, 404);
 
     const body = await c.req.json();
-    const { provider, email, password, imapHost, imapPort, smtpHost, smtpPort, preset,
+    let { provider, email, password, imapHost, imapPort, smtpHost, smtpPort, preset,
             oauthClientId, oauthClientSecret, oauthTenantId, oauthRedirectUri } = body;
+    const useOrgConfig = body.useOrgConfig === true;
 
     if (!provider) return c.json({ error: 'provider is required (imap, microsoft, or google)' }, 400);
+
+    // If using org-level OAuth config, inherit client credentials
+    if (useOrgConfig && (provider === 'google' || provider === 'microsoft')) {
+      try {
+        const adminDb = getAdminDb();
+        if (adminDb) {
+          const settings = await adminDb.getSettings();
+          if (settings?.orgEmailConfig?.configured && settings.orgEmailConfig.provider === provider) {
+            oauthClientId = oauthClientId || settings.orgEmailConfig.oauthClientId;
+            oauthClientSecret = oauthClientSecret || settings.orgEmailConfig.oauthClientSecret;
+            if (provider === 'microsoft') oauthTenantId = oauthTenantId || settings.orgEmailConfig.oauthTenantId;
+          } else {
+            return c.json({ error: 'Organization email config not found or provider mismatch' }, 400);
+          }
+        }
+      } catch {}
+    }
     if (!email && provider === 'imap') return c.json({ error: 'email is required' }, 400);
 
     const emailConfig: any = {