@frustrated/ms-graph-mcp 0.1.4 → 0.1.5

package/.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git add:*)",
+      "Bash(git push:*)"
+    ]
+  }
+}

package/README.md

@@ -8,7 +8,7 @@
   <b>Seamless Microsoft Graph Integration for AI Agents.</b>
 </p>
 
-A JSR-based TypeScript MCP (Model Context Protocol) package for personal Microsoft Graph access via CLI. This package enables AI agents to interact with personal Microsoft Graph APIs (Outlook, OneDrive, Calendar, etc.) through a local CLI interface.
+A TypeScript MCP (Model Context Protocol) package for personal Microsoft Graph access via CLI. This package enables AI agents to interact with personal Microsoft Graph APIs (Outlook, Calendar, etc.) through a local CLI interface.
 
 ## Overview
 
@@ -17,7 +17,7 @@ A JSR-based TypeScript MCP (Model Context Protocol) package for personal Microso
 - **Local-First:** Prioritizes local execution and user data control.
 - **Multi-Tenant Support:** Works with both personal Microsoft accounts and enterprise tenants.
 - **Secure Authentication:** Implements OAuth 2.0 Authorization Code Flow with PKCE.
-- **Secure Token Storage:** Uses OS-specific credential managers for token protection.
+- **Secure Token Storage:** Stores the MSAL token cache at `~/.config/ms-graph-mcp/msal_cache.json` with restricted file permissions (`0600`).
 - **User Control:** Provides CLI commands for permission management and revocation.
 - **MCP Standard:** Adheres to the Model Context Protocol for broad agent compatibility.
 
@@ -29,59 +29,30 @@ This package is designed to be integrated as a connection within the Manus UI, a
 
 Before using the MCP CLI, you need to initialize it once to authenticate with your Microsoft account. This process will guide you through granting necessary permissions.
 
-#### Using Bun (`bunx`)
-
-```bash
-bunx jsr:@frustrated/ms-graph-mcp init
-```
-
-#### Using Deno (`deno run`)
-
-```bash
-deno run -A jsr:@frustrated/ms-graph-mcp init
-```
-
-#### Using Node.js (`npx`)
-
 ```bash
-npx jsr @frustrated/ms-graph-mcp init
+bunx --bun github:usually-frustrated/ms-graph-mcp init
 ```
 
-These commands will:
-1.  Prompt you to authenticate with your Microsoft account (personal or organizational).
-2.  Open your browser to the Microsoft identity platform.
-3.  Grant consent for the requested scopes.
-4.  Securely store your refresh token locally using `keytar`.
+This will:
+1. Start a local HTTP server to receive the OAuth callback.
+2. Print an authentication URL — open it in your browser to sign in.
+3. Grant consent for the requested scopes.
+4. Save the MSAL token cache to `~/.config/ms-graph-mcp/msal_cache.json`.
 
 ### Running the MCP Server
 
 Once initialized, Manus agents will typically run the MCP server to interact with Microsoft Graph. The server listens for JSON requests on `stdin` and outputs JSON responses to `stdout`.
 
-#### Using Bun (`bunx`)
-
-```bash
-bunx jsr:@frustrated/ms-graph-mcp run
-```
-
-#### Using Deno (`deno run`)
-
-```bash
-deno run -A jsr:@frustrated/ms-graph-mcp run
-```
-
-#### Using Node.js (`npx`)
-
 ```bash
-npx jsr @frustrated/ms-graph-mcp run
+bunx --bun github:usually-frustrated/ms-graph-mcp run
 ```
 
 ### Top-Level Tools
 
-The Microsoft Graph MCP CLI exposes various top-level tools, each corresponding to a major Microsoft Graph service. AI agents can discover sub-tools within these categories as needed.
+The Microsoft Graph MCP CLI exposes the following tools:
 
-*   **`mail`**: Manage email communications (e.g., list messages, send messages).
-*   **`calendar`**: Organize calendar events (e.g., create events, list events).
-*   **`onedrive`**: Interact with OneDrive files and folders (e.g., list files, upload files).
+*   **`mail`**: Manage email communications (e.g., list messages).
+*   **`calendar`**: Organize calendar events (e.g., create events).
 
 For detailed information on specific tools and their functionalities, refer to the [Tools Documentation](./docs/tools/README.md).
 
@@ -89,44 +60,16 @@ For detailed information on specific tools and their functionalities, refer to t
 
 To view the currently configured Client ID, Tenant ID, and enabled/disabled tools:
 
-#### Using Bun (`bunx`)
-
-```bash
-bunx jsr:@frustrated/ms-graph-mcp permissions
-```
-
-#### Using Deno (`deno run`)
-
-```bash
-deno run -A jsr:@frustrated/ms-graph-mcp permissions
-```
-
-#### Using Node.js (`npx`)
-
 ```bash
-npx jsr @frustrated/ms-graph-mcp permissions
+bunx --bun github:usually-frustrated/ms-graph-mcp permissions
 ```
 
 ### Revoking Access
 
-To revoke the refresh token and disconnect the package from your Microsoft account:
-
-#### Using Bun (`bunx`)
-
-```bash
-bunx jsr:@frustrated/ms-graph-mcp revoke
-```
-
-#### Using Deno (`deno run`)
-
-```bash
-deno run -A jsr:@frustrated/ms-graph-mcp revoke
-```
-
-#### Using Node.js (`npx`)
+To revoke authentication and clear all stored tokens:
 
 ```bash
-npx jsr @frustrated/ms-graph-mcp revoke
+bunx --bun github:usually-frustrated/ms-graph-mcp revoke
 ```
 
 ## Documentation
@@ -137,7 +80,7 @@ npx jsr @frustrated/ms-graph-mcp revoke
 
 ## Security Considerations
 
-- Refresh tokens are stored using OS-specific credential managers (Keychain on macOS, Credential Manager on Windows, Secret Service on Linux).
+- The MSAL token cache is stored at `~/.config/ms-graph-mcp/msal_cache.json` with `0600` permissions (owner read/write only).
 - All communication with Microsoft Graph is over HTTPS.
 - Input validation is performed on all incoming MCP requests.
 - Output from Microsoft Graph is sanitized before being passed to AI agents.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frustrated/ms-graph-mcp",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "A JSR-based TypeScript MCP package for personal Microsoft Graph access via CLI",
   "type": "module",
   "main": "./src/index.ts",

package/src/auth.ts

@@ -1,14 +1,19 @@
-import { PublicClientApplication, Configuration, LogLevel, CryptoProvider } from '@azure/msal-node';
-import { AddressInfo } from 'node:net';
-import { promises as fs } from 'node:fs';
-import * as path from 'node:path';
-import * as os from 'node:os';
-import { createServer } from 'node:http';
+import {
+  PublicClientApplication,
+  Configuration,
+  LogLevel,
+  CryptoProvider,
+} from "@azure/msal-node";
+import { AddressInfo } from "node:net";
+import { promises as fs } from "node:fs";
+import * as path from "node:path";
+import * as os from "node:os";
+import { createServer } from "node:http";
 
 const MSAL_CONFIG: Configuration = {
   auth: {
-    clientId: process.env.MS_GRAPH_CLIENT_ID || 'YOUR_CENTRALIZED_CLIENT_ID_HERE', // Replace with actual Client ID
-    authority: 'https://login.microsoftonline.com/common',
+    clientId: "0a74e52a-4d5b-4005-8dad-6b7cf45ec5fe", // Replace with actual Client ID
+    authority: "https://login.microsoftonline.com/common",
   },
   system: {
     loggerOptions: {
@@ -21,9 +26,20 @@ const MSAL_CONFIG: Configuration = {
   },
 };
 
-const REDIRECT_URI_PATH = '/auth-callback';
-const TOKEN_CACHE_FILE = path.join(os.homedir(), '.config', 'ms-graph-mcp', 'msal_cache.json');
-const SCOPES = ['User.Read', 'Mail.ReadWrite', 'Calendars.ReadWrite', 'Files.ReadWrite.All', 'offline_access'];
+const REDIRECT_URI_PATH = "/auth-callback";
+const TOKEN_CACHE_FILE = path.join(
+  os.homedir(),
+  ".config",
+  "ms-graph-mcp",
+  "msal_cache.json",
+);
+const SCOPES = [
+  "User.Read",
+  "Mail.ReadWrite",
+  "Calendars.ReadWrite",
+  "Files.ReadWrite.All",
+  "offline_access",
+];
 
 const pca = new PublicClientApplication(MSAL_CONFIG);
 
@@ -35,7 +51,7 @@ async function saveTokenCache() {
 
 async function loadTokenCache(): Promise<boolean> {
   try {
-    const data = await fs.readFile(TOKEN_CACHE_FILE, 'utf-8');
+    const data = await fs.readFile(TOKEN_CACHE_FILE, "utf-8");
     pca.getTokenCache().deserialize(data);
     return true;
   } catch {
@@ -44,8 +60,10 @@ async function loadTokenCache(): Promise<boolean> {
 }
 
 export async function initAuth(): Promise<void> {
-  console.log('Initiating Microsoft Graph authentication...');
-  console.log('Please ensure you have registered a multi-tenant application in Azure AD with the following redirect URI: http://localhost:PORT/auth-callback');
+  console.log("Initiating Microsoft Graph authentication...");
+  console.log(
+    "Please ensure you have registered a multi-tenant application in Azure AD with the following redirect URI: http://localhost:PORT/auth-callback",
+  );
 
   const cryptoProvider = new CryptoProvider();
   const pkceCodes = await cryptoProvider.generatePkceCodes();
@@ -54,7 +72,7 @@ export async function initAuth(): Promise<void> {
     scopes: SCOPES,
     redirectUri: `http://localhost:0${REDIRECT_URI_PATH}`,
     codeChallenge: pkceCodes.challenge,
-    codeChallengeMethod: 'S256' as const,
+    codeChallengeMethod: "S256" as const,
   };
 
   const authCodeUrl = await pca.getAuthCodeUrl(authCodeUrlParameters);
@@ -63,7 +81,7 @@ export async function initAuth(): Promise<void> {
     const server = createServer(async (req, res) => {
       if (req.url?.startsWith(REDIRECT_URI_PATH)) {
         const url = new URL(`http://localhost${req.url}`);
-        const code = url.searchParams.get('code');
+        const code = url.searchParams.get("code");
 
         if (code) {
           try {
@@ -77,39 +95,48 @@ export async function initAuth(): Promise<void> {
 
             if (tokenResult) {
               await saveTokenCache();
-              res.writeHead(200, { 'Content-Type': 'text/plain' });
-              res.end('Authentication successful! You can close this window.');
-              console.log('Authentication successful. Tokens saved securely.');
+              res.writeHead(200, { "Content-Type": "text/plain" });
+              res.end("Authentication successful! You can close this window.");
+              console.log("Authentication successful. Tokens saved securely.");
               server.close(() => resolve());
             } else {
-              throw new Error('Authentication failed: no token result received.');
+              throw new Error(
+                "Authentication failed: no token result received.",
+              );
             }
           } catch (error) {
-            console.error('Error acquiring token:', error);
-            res.writeHead(500, { 'Content-Type': 'text/plain' });
-            res.end('Authentication failed. Check console for details.');
+            console.error("Error acquiring token:", error);
+            res.writeHead(500, { "Content-Type": "text/plain" });
+            res.end("Authentication failed. Check console for details.");
             server.close(() => reject(error));
           }
         } else {
-          res.writeHead(400, { 'Content-Type': 'text/plain' });
-          res.end('Authorization code not found in redirect.');
-          server.close(() => reject(new Error('Authorization code not found.')));
+          res.writeHead(400, { "Content-Type": "text/plain" });
+          res.end("Authorization code not found in redirect.");
+          server.close(() =>
+            reject(new Error("Authorization code not found.")),
+          );
         }
       } else {
-        res.writeHead(404, { 'Content-Type': 'text/plain' });
-        res.end('Not Found');
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not Found");
       }
     });
 
     server.listen(0, () => {
       const addr = server.address() as AddressInfo;
       const finalRedirectUri = `http://localhost:${addr.port}${REDIRECT_URI_PATH}`;
-      const finalAuthUrl = authCodeUrl.replace(`http://localhost:0${REDIRECT_URI_PATH}`, finalRedirectUri);
-      console.log(`\nOpen this URL in your browser to authenticate:\n\n  ${finalAuthUrl}\n`);
+      const finalAuthUrl = authCodeUrl.replace(
+        `http://localhost:0${REDIRECT_URI_PATH}`,
+        finalRedirectUri,
+      );
+      console.log(
+        `\nOpen this URL in your browser to authenticate:\n\n  ${finalAuthUrl}\n`,
+      );
     });
 
-    server.on('error', (err) => {
-      console.error('Server error:', err);
+    server.on("error", (err) => {
+      console.error("Server error:", err);
       reject(err);
     });
   });
@@ -120,7 +147,7 @@ export async function getAccessToken(): Promise<string> {
 
   const accounts = await pca.getAllAccounts();
   if (accounts.length === 0) {
-    throw new Error('No account found. Please run `ms-graph-mcp init` first.');
+    throw new Error("No account found. Please run `ms-graph-mcp init` first.");
   }
 
   try {
@@ -130,36 +157,43 @@ export async function getAccessToken(): Promise<string> {
     });
 
     if (!tokenResult) {
-      throw new Error('Failed to acquire access token silently.');
+      throw new Error("Failed to acquire access token silently.");
     }
 
     await saveTokenCache();
     return tokenResult.accessToken;
   } catch (error) {
-    console.error('Error refreshing token:', error);
+    console.error("Error refreshing token:", error);
     await fs.unlink(TOKEN_CACHE_FILE).catch(() => {});
-    throw new Error('Failed to refresh access token. Please re-authenticate using `ms-graph-mcp init`.');
+    throw new Error(
+      "Failed to refresh access token. Please re-authenticate using `ms-graph-mcp init`.",
+    );
   }
 }
 
 export async function revokeAuth(): Promise<void> {
   try {
     await fs.unlink(TOKEN_CACHE_FILE).catch(() => {});
-    console.log('Authentication revoked. All tokens cleared.');
+    console.log("Authentication revoked. All tokens cleared.");
   } catch (error) {
-    console.error('Error revoking authentication:', error);
+    console.error("Error revoking authentication:", error);
     throw error;
   }
 }
 
-export async function getAuthStatus(): Promise<{ clientId: string; tenantId: string; isAuthenticated: boolean }> {
+export async function getAuthStatus(): Promise<{
+  clientId: string;
+  tenantId: string;
+  isAuthenticated: boolean;
+}> {
   await loadTokenCache();
   const accounts = await pca.getAllAccounts();
   const isAuthenticated = accounts.length > 0;
-  const authority = MSAL_CONFIG.auth.authority ?? 'https://login.microsoftonline.com/common';
+  const authority =
+    MSAL_CONFIG.auth.authority ?? "https://login.microsoftonline.com/common";
   return {
     clientId: MSAL_CONFIG.auth.clientId,
-    tenantId: authority.split('/').pop() || 'common',
+    tenantId: authority.split("/").pop() || "common",
     isAuthenticated,
   };
 }

package/src/config.ts

@@ -1,9 +1,9 @@
-import { promises as fs } from 'node:fs';
-import * as path from 'node:path';
-import * as os from 'node:os';
+import { promises as fs } from "node:fs";
+import * as path from "node:path";
+import * as os from "node:os";
 
-const CONFIG_DIR = path.join(os.homedir(), '.ms-graph-mcp');
-const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const CONFIG_DIR = path.join(os.homedir(), ".ms-graph-mcp");
+const CONFIG_FILE = path.join(CONFIG_DIR, "config.json");
 
 interface AppConfig {
   clientId: string;
@@ -12,18 +12,20 @@ interface AppConfig {
 }
 
 let appConfig: AppConfig = {
-  clientId: process.env.MS_GRAPH_CLIENT_ID || 'YOUR_CENTRALIZED_CLIENT_ID_HERE', // Default centralized client ID
-  tenantId: 'common',
+  clientId: "0a74e52a-4d5b-4005-8dad-6b7cf45ec5fe", // Default centralized client ID
+  tenantId: "common",
   enabledTools: [],
 };
 
 export async function loadConfig(): Promise<AppConfig> {
   try {
-    const configContent = await fs.readFile(CONFIG_FILE, 'utf-8');
+    const configContent = await fs.readFile(CONFIG_FILE, "utf-8");
     appConfig = { ...appConfig, ...JSON.parse(configContent) };
   } catch (error) {
     // If file doesn't exist or is invalid, use default config
-    console.warn('No existing config found or config file is invalid. Using default configuration.');
+    console.warn(
+      "No existing config found or config file is invalid. Using default configuration.",
+    );
   }
   return appConfig;
 }