@frustrated/ms-graph-mcp 0.1.4

package/CONTRIBUTING.md

@@ -0,0 +1,3 @@
+## Contributing
+
+Contributions are welcome. Please open an issue or submit a pull request.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Manus AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,151 @@
+<p align="center">
+  <img src="./icon-512.png" alt="Microsoft Graph MCP Icon" width="150"/>
+</p>
+
+<h1 align="center">Microsoft Graph MCP Package</h1>
+
+<p align="center">
+  <b>Seamless Microsoft Graph Integration for AI Agents.</b>
+</p>
+
+A JSR-based TypeScript MCP (Model Context Protocol) package for personal Microsoft Graph access via CLI. This package enables AI agents to interact with personal Microsoft Graph APIs (Outlook, OneDrive, Calendar, etc.) through a local CLI interface.
+
+## Overview
+
+## Features
+
+- **Local-First:** Prioritizes local execution and user data control.
+- **Multi-Tenant Support:** Works with both personal Microsoft accounts and enterprise tenants.
+- **Secure Authentication:** Implements OAuth 2.0 Authorization Code Flow with PKCE.
+- **Secure Token Storage:** Uses OS-specific credential managers for token protection.
+- **User Control:** Provides CLI commands for permission management and revocation.
+- **MCP Standard:** Adheres to the Model Context Protocol for broad agent compatibility.
+
+## Usage with Manus Agents
+
+This package is designed to be integrated as a connection within the Manus UI, allowing AI agents to directly invoke its functionalities. It communicates via `stdio`, sending and receiving JSON payloads.
+
+### Installation and Initialization
+
+Before using the MCP CLI, you need to initialize it once to authenticate with your Microsoft account. This process will guide you through granting necessary permissions.
+
+#### Using Bun (`bunx`)
+
+```bash
+bunx jsr:@frustrated/ms-graph-mcp init
+```
+
+#### Using Deno (`deno run`)
+
+```bash
+deno run -A jsr:@frustrated/ms-graph-mcp init
+```
+
+#### Using Node.js (`npx`)
+
+```bash
+npx jsr @frustrated/ms-graph-mcp init
+```
+
+These commands will:
+1.  Prompt you to authenticate with your Microsoft account (personal or organizational).
+2.  Open your browser to the Microsoft identity platform.
+3.  Grant consent for the requested scopes.
+4.  Securely store your refresh token locally using `keytar`.
+
+### Running the MCP Server
+
+Once initialized, Manus agents will typically run the MCP server to interact with Microsoft Graph. The server listens for JSON requests on `stdin` and outputs JSON responses to `stdout`.
+
+#### Using Bun (`bunx`)
+
+```bash
+bunx jsr:@frustrated/ms-graph-mcp run
+```
+
+#### Using Deno (`deno run`)
+
+```bash
+deno run -A jsr:@frustrated/ms-graph-mcp run
+```
+
+#### Using Node.js (`npx`)
+
+```bash
+npx jsr @frustrated/ms-graph-mcp run
+```
+
+### Top-Level Tools
+
+The Microsoft Graph MCP CLI exposes various top-level tools, each corresponding to a major Microsoft Graph service. AI agents can discover sub-tools within these categories as needed.
+
+*   **`mail`**: Manage email communications (e.g., list messages, send messages).
+*   **`calendar`**: Organize calendar events (e.g., create events, list events).
+*   **`onedrive`**: Interact with OneDrive files and folders (e.g., list files, upload files).
+
+For detailed information on specific tools and their functionalities, refer to the [Tools Documentation](./docs/tools/README.md).
+
+### Managing Permissions
+
+To view the currently configured Client ID, Tenant ID, and enabled/disabled tools:
+
+#### Using Bun (`bunx`)
+
+```bash
+bunx jsr:@frustrated/ms-graph-mcp permissions
+```
+
+#### Using Deno (`deno run`)
+
+```bash
+deno run -A jsr:@frustrated/ms-graph-mcp permissions
+```
+
+#### Using Node.js (`npx`)
+
+```bash
+npx jsr @frustrated/ms-graph-mcp permissions
+```
+
+### Revoking Access
+
+To revoke the refresh token and disconnect the package from your Microsoft account:
+
+#### Using Bun (`bunx`)
+
+```bash
+bunx jsr:@frustrated/ms-graph-mcp revoke
+```
+
+#### Using Deno (`deno run`)
+
+```bash
+deno run -A jsr:@frustrated/ms-graph-mcp revoke
+```
+
+#### Using Node.js (`npx`)
+
+```bash
+npx jsr @frustrated/ms-graph-mcp revoke
+```
+
+## Documentation
+
+- [Ideation Document](./docs/ms_graph_mcp_ideation.md) - Conceptual design and motivation.
+- [Technical Specification](./docs/ms_graph_mcp_spec.md) - Detailed implementation guide.
+- [Tools Documentation](./docs/tools/README.md) - Comprehensive guide to all available MCP tools.
+
+## Security Considerations
+
+- Refresh tokens are stored using OS-specific credential managers (Keychain on macOS, Credential Manager on Windows, Secret Service on Linux).
+- All communication with Microsoft Graph is over HTTPS.
+- Input validation is performed on all incoming MCP requests.
+- Output from Microsoft Graph is sanitized before being passed to AI agents.
+
+## License
+
+MIT
+
+## Contributing
+
+Refer to the [CONTRIBUTING.md](./CONTRIBUTING.md) guide for details on how to contribute to this project.

package/bun.lock

@@ -0,0 +1,74 @@
+{
+  "lockfileVersion": 1,
+  "configVersion": 1,
+  "workspaces": {
+    "": {
+      "name": "@frustrated/ms-graph-mcp",
+      "dependencies": {
+        "@azure/msal-node": "latest",
+        "@commander-js/extra-typings": "^14.0.0",
+        "@microsoft/microsoft-graph-client": "^3.0.0",
+      },
+      "devDependencies": {
+        "@types/node": "^20.10.0",
+        "bun-types": "latest",
+        "typescript": "^5.3.0",
+      },
+    },
+  },
+  "packages": {
+    "@azure/msal-common": ["@azure/msal-common@15.17.0", "", {}, "sha512-VQ5/gTLFADkwue+FohVuCqlzFPUq4xSrX8jeZe+iwZuY6moliNC8xt86qPVNYdtbQfELDf2Nu6LI+demFPHGgw=="],
+
+    "@azure/msal-node": ["@azure/msal-node@3.8.10", "", { "dependencies": { "@azure/msal-common": "15.17.0", "jsonwebtoken": "^9.0.0", "uuid": "^8.3.0" } }, "sha512-0Hz7Kx4hs70KZWep/Rd7aw/qOLUF92wUOhn7ZsOuB5xNR/06NL1E2RAI9+UKH1FtvN8nD6mFjH7UKSjv6vOWvQ=="],
+
+    "@babel/runtime": ["@babel/runtime@7.29.2", "", {}, "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g=="],
+
+    "@commander-js/extra-typings": ["@commander-js/extra-typings@14.0.0", "", { "peerDependencies": { "commander": "~14.0.0" } }, "sha512-hIn0ncNaJRLkZrxBIp5AsW/eXEHNKYQBh0aPdoUqNgD+Io3NIykQqpKFyKcuasZhicGaEZJX/JBSIkZ4e5x8Dg=="],
+
+    "@microsoft/microsoft-graph-client": ["@microsoft/microsoft-graph-client@3.0.7", "", { "dependencies": { "@babel/runtime": "^7.12.5", "tslib": "^2.2.0" } }, "sha512-/AazAV/F+HK4LIywF9C+NYHcJo038zEnWkteilcxC1FM/uK/4NVGDKGrxx7nNq1ybspAroRKT4I1FHfxQzxkUw=="],
+
+    "@types/node": ["@types/node@20.19.37", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-8kzdPJ3FsNsVIurqBs7oodNnCEVbni9yUEkaHbgptDACOPW04jimGagZ51E6+lXUwJjgnBw+hyko/lkFWCldqw=="],
+
+    "buffer-equal-constant-time": ["buffer-equal-constant-time@1.0.1", "", {}, "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="],
+
+    "bun-types": ["bun-types@1.3.11", "", { "dependencies": { "@types/node": "*" } }, "sha512-1KGPpoxQWl9f6wcZh57LvrPIInQMn2TQ7jsgxqpRzg+l0QPOFvJVH7HmvHo/AiPgwXy+/Thf6Ov3EdVn1vOabg=="],
+
+    "commander": ["commander@14.0.3", "", {}, "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw=="],
+
+    "ecdsa-sig-formatter": ["ecdsa-sig-formatter@1.0.11", "", { "dependencies": { "safe-buffer": "^5.0.1" } }, "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ=="],
+
+    "jsonwebtoken": ["jsonwebtoken@9.0.3", "", { "dependencies": { "jws": "^4.0.1", "lodash.includes": "^4.3.0", "lodash.isboolean": "^3.0.3", "lodash.isinteger": "^4.0.4", "lodash.isnumber": "^3.0.3", "lodash.isplainobject": "^4.0.6", "lodash.isstring": "^4.0.1", "lodash.once": "^4.0.0", "ms": "^2.1.1", "semver": "^7.5.4" } }, "sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g=="],
+
+    "jwa": ["jwa@2.0.1", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg=="],
+
+    "jws": ["jws@4.0.1", "", { "dependencies": { "jwa": "^2.0.1", "safe-buffer": "^5.0.1" } }, "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA=="],
+
+    "lodash.includes": ["lodash.includes@4.3.0", "", {}, "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w=="],
+
+    "lodash.isboolean": ["lodash.isboolean@3.0.3", "", {}, "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg=="],
+
+    "lodash.isinteger": ["lodash.isinteger@4.0.4", "", {}, "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA=="],
+
+    "lodash.isnumber": ["lodash.isnumber@3.0.3", "", {}, "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw=="],
+
+    "lodash.isplainobject": ["lodash.isplainobject@4.0.6", "", {}, "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA=="],
+
+    "lodash.isstring": ["lodash.isstring@4.0.1", "", {}, "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw=="],
+
+    "lodash.once": ["lodash.once@4.1.1", "", {}, "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg=="],
+
+    "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
+
+    "safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
+
+    "semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="],
+
+    "tslib": ["tslib@2.8.1", "", {}, "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w=="],
+
+    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+
+    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
+
+    "uuid": ["uuid@8.3.2", "", { "bin": { "uuid": "dist/bin/uuid" } }, "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="],
+  }
+}

package/docs/jsr_mcp_ideation.md

@@ -0,0 +1,83 @@
+# Ideation: JSR-Based TypeScript MCP Package for Personal Microsoft Graph Access
+
+This document outlines a revised conceptual design for providing AI agents with access to personal Microsoft Graph APIs. The previous ideation focused on a hosted HTTP/SSE server. This revision pivots to a **non-HTTP, JSR-based TypeScript package** designed for local execution via `bunx` and `stdio`, addressing concerns about platform independence, cost, and potential competition from Microsoft.
+
+## 1. Core Concept: Local, Portable, and User-Controlled
+
+The core idea is to empower users with a self-hosted, easily runnable MCP solution for their personal Microsoft accounts. Instead of a centralized hosted service, this approach leverages modern JavaScript ecosystem tools to create a portable package that users can run on their local machines or in their preferred execution environments. This provides maximum control over data and permissions, mitigating concerns about vendor lock-in or service deprecation.
+
+## 2. Architectural Framework: JSR, Bunx, and Stdio
+
+The revised architecture centers around a TypeScript package distributed via JSR, executed by `bunx`, and communicating via standard input/output (stdio).
+
+### 2.1 JSR (JavaScript Registry) for Distribution
+
+JSR is a modern package registry optimized for TypeScript and compatible with various JavaScript runtimes, including Node.js, Deno, and Bun [1].
+
+- **Benefits:**
+    - **Native TypeScript Support:** JSR natively understands TypeScript, eliminating the need for complex build configurations for package authors [1].
+    - **Universal Compatibility:** Packages published to JSR can be consumed by `npm`, `yarn`, `pnpm`, `bun`, and `deno` [1]. This ensures broad accessibility for users regardless of their preferred package manager or runtime.
+    - **ESM-first:** JSR promotes web-standard ECMAScript modules, aligning with modern JavaScript development practices [1].
+
+### 2.2 Bunx for Execution
+
+`bunx` is a lightweight CLI tool that comes with the Bun runtime. It allows users to execute npm packages and their binaries on demand without requiring global installation [2].
+
+- **Benefits:**
+    - **Zero-Install Execution:** Users can run the MCP package directly using `bunx <package-name>`, simplifying the setup process significantly [2].
+    - **Performance:** Bun is known for its high performance, which can lead to faster startup times and execution of the MCP server logic [3].
+    - **TypeScript Support:** Bun has native TypeScript support, allowing direct execution of TypeScript files without a separate compilation step [4].
+
+### 2.3 Stdio for Communication
+
+Instead of HTTP/SSE, the MCP server will communicate with AI agents via standard input/output (stdio). This means the agent would spawn the MCP package as a child process and exchange messages over `stdin` and `stdout`.
+
+- **Benefits:**
+    - **Local-First:** Ideal for local AI agents or development environments where direct process communication is simpler and more efficient than network calls.
+    - **Reduced Overhead:** Eliminates the need for network stacks, HTTP servers, and associated complexities, potentially reducing resource consumption.
+    - **Security:** Communication is confined to the local machine, reducing the attack surface compared to an exposed HTTP endpoint.
+
+### Data Flow (Revised)
+
+1.  **User Setup:** User installs Bun and runs `bunx @your-org/ms-graph-mcp-package init` to configure their Microsoft application registration (Client ID, Tenant ID) and initiate the OAuth 2.0 Authorization Code Flow with PKCE. This step stores the refresh token securely on the local machine.
+2.  **Agent Integration:** The AI agent is configured to spawn the MCP package (e.g., `bunx @your-org/ms-graph-mcp-package run`) and communicate with it via `stdin`/`stdout`.
+3.  **Tool Execution:**
+    - The AI agent sends an MCP request (JSON) to the package's `stdin`.
+    - The package reads the request, retrieves the user's access token (refreshing if necessary), calls the Microsoft Graph API, and formats the response.
+    - The result (JSON) is written to the package's `stdout`, which the AI agent then reads.
+
+## 3. Authentication Flow (Local Context)
+
+The authentication flow remains OAuth 2.0 Authorization Code Flow with PKCE, but adapted for a local CLI context.
+
+1.  **Initial Authorization:** When the user runs `bunx @your-org/ms-graph-mcp-package init`:
+    - The package opens a browser window to the Microsoft identity platform authorization endpoint.
+    - The user logs in and grants consent for the requested scopes.
+    - The redirect URI will be a custom URI scheme (e.g., `ms-graph-mcp://auth-callback`) or a local web server that the package temporarily spins up to capture the authorization code.
+    - The package exchanges the authorization code for an access token and a refresh token.
+2.  **Token Storage:** The refresh token is stored securely on the local machine, potentially using OS-specific credential managers or encrypted files, to minimize exposure.
+3.  **Token Refresh:** When an access token expires, the package uses the stored refresh token to obtain a new access token silently.
+
+## 4. Permission Transparency and User Control (Local Context)
+
+While a web-based dashboard is no longer central, the principles of transparency and control can be maintained through CLI commands and local configuration.
+
+- **CLI Commands:**
+    - `bunx @your-org/ms-graph-mcp-package permissions`: Displays currently granted scopes and their status.
+    - `bunx @your-org/ms-graph-mcp-package revoke`: Revokes the refresh token, disconnecting the package from the Microsoft account.
+    - `bunx @your-org/ms-graph-mcp-package audit`: Shows a local log of API calls made by the package (if logging is enabled).
+- **Configuration File:** A local configuration file (e.g., `~/.config/ms-graph-mcp.json`) can allow users to disable specific tools or scope categories.
+
+## 5. Technical Challenges and Considerations
+
+- **Cross-Platform Credential Storage:** Securely storing refresh tokens across different operating systems (Windows, macOS, Linux) requires careful implementation using platform-specific APIs or well-vetted libraries.
+- **User Experience for Auth:** The initial OAuth flow needs to be as smooth as possible, handling browser redirects and code exchange gracefully within a CLI context.
+- **Error Handling:** Robust error handling for API calls, token refreshes, and stdio communication is crucial for a reliable user experience.
+- **Tool Mapping:** The mapping of Microsoft Graph APIs to MCP tools will need to be well-defined and potentially configurable.
+
+## References
+
+[1] JSR. *JSR: the JavaScript Registry*. Available at: https://jsr.io/
+[2] Bun. *bunx*. Available at: https://bun.com/docs/pm/bunx
+[3] Bun. *Bun*. Available at: https://bun.com/
+[4] Bun. *Install TypeScript declarations for Bun*. Available at: https://bun.com/docs/guides/runtime/typescript

package/docs/ms_graph_mcp_spec.md

@@ -0,0 +1,212 @@
+# Technical Specification: JSR-Based Microsoft Graph MCP Package
+
+This document provides a detailed technical specification for the implementation of a JSR-based TypeScript package designed to expose personal Microsoft Graph APIs via the Model Context Protocol (MCP). This package will operate as a local CLI tool, executed by `bunx`, and communicate with AI agents through standard input/output (stdio). The primary goal is to enable secure, user-controlled access to Microsoft Graph data for AI agents without relying on a hosted service.
+
+## 1. Project Overview
+
+### 1.1 Goal
+To develop a robust, cross-platform, and user-friendly MCP package that allows AI agents to interact with personal Microsoft Graph APIs (Outlook, OneDrive, Calendar, etc.) through a local CLI interface, leveraging JSR for distribution and Bun for execution.
+
+### 1.2 Key Principles
+- **Local-First:** Prioritize local execution and data control.
+- **Security:** Implement strong authentication and secure token storage.
+- **User Control:** Provide clear mechanisms for permission management and revocation.
+- **Simplicity:** Minimize setup complexity for end-users.
+- **Interoperability:** Adhere to MCP standards for broad agent compatibility.
+
+## 2. Project Structure
+
+The project will follow a standard TypeScript package structure, distributed via JSR.
+
+```
+/ms-graph-mcp-package
+├── src/
+│   ├── index.ts             # Main entry point for CLI commands (init, run, permissions, revoke)
+│   ├── auth.ts              # Handles OAuth 2.0 flow and token management
+│   ├── config.ts            # Manages local configuration (app registration details, tool permissions)
+│   ├── tools/               # Directory for individual MCP tool implementations
+│   │   ├── mail.ts          # MCP tools for Outlook Mail API
+│   │   ├── calendar.ts      # MCP tools for Outlook Calendar API
+│   │   ├── onedrive.ts      # MCP tools for OneDrive API
+│   │   └── ...              # Other Microsoft Graph service tools
+│   ├── mcp-interface.ts     # Defines MCP message formats and stdio communication logic
+│   └── utils.ts             # Utility functions (logging, error handling, platform-specific helpers)
+├── package.json
+├── tsconfig.json
+├── jsr.json                 # JSR specific configuration
+├── README.md
+└── .env.example             # Example environment variables
+```
+
+## 3. Dependencies
+
+Core dependencies will include:
+
+-   `@microsoft/microsoft-graph-client`: Official Microsoft Graph SDK for Node.js (compatible with Bun).
+-   `msal-node`: Microsoft Authentication Library for Node.js, for handling OAuth 2.0.
+-   `commander`: For building the CLI interface.
+-   `keytar` (or similar): For secure, cross-platform credential storage.
+-   `zod` (or similar): For schema validation of MCP messages and configuration.
+-   `bun` (as dev dependency for types and runtime).
+
+## 4. Authentication Flow
+
+The package will implement the OAuth 2.0 Authorization Code Flow with PKCE, adapted for a CLI environment.
+
+### 4.1 Centralized Application Registration
+The package is designed to work with a **single, pre-registered Multi-tenant application** in the Microsoft Entra ID portal. This application is configured to support:
+-   **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)**
+-   **Personal Microsoft accounts (e.g. Skype, Xbox)**
+
+**Pre-configured Application Details:**
+-   **Application (Client) ID:** `[PRE_REGISTERED_CLIENT_ID]`
+-   **Tenant ID:** `common` (This endpoint allows both organizational and personal accounts to sign in [1]).
+-   **Redirect URI:** `http://localhost:PORT/auth-callback` (A dynamic local web server will be started by the CLI to capture the authorization code).
+
+### 4.2 `init` Command (`bunx @org/package init`)
+This command initiates the simplified authentication process:
+1.  Displays a message explaining the authentication process and the scopes being requested.
+2.  Constructs the authorization URL using the centralized Client ID and the `common` tenant endpoint.
+3.  Starts a temporary local web server on a random available port to listen for the redirect.
+4.  Opens the authorization URL in the user's default web browser.
+5.  The user signs in with their personal or organizational account and grants consent.
+6.  Upon redirect to `localhost`, the CLI captures the authorization code.
+7.  Exchanges the authorization code for an access token and a refresh token using `msal-node` and the PKCE challenge.
+8.  Securely stores the refresh token using `keytar` or an encrypted file.
+9.  Stores the centralized Client ID and the user's tenant information (if applicable) in a local configuration file.
+
+**Note for Advanced Users:** The CLI should provide an option (e.g., `--custom-app`) to override the centralized Client ID with their own application registration for maximum privacy and control.
+
+### 4.3 Token Refresh
+-   The `auth.ts` module will handle automatic token refreshing using the stored refresh token. This should occur transparently before any Microsoft Graph API call if the current access token is expired or near expiration.
+
+## 5. Token Management
+
+### 5.1 Secure Storage
+Refresh tokens are highly sensitive and must be stored securely.
+-   **Primary Method:** Utilize `keytar` for OS-specific credential storage (macOS Keychain, Windows Credential Manager, Linux Secret Service). This is the most secure option for local applications.
+-   **Fallback Method:** If `keytar` is unavailable or fails, fall back to an encrypted file storage. The encryption key could be derived from a user-provided passphrase or an OS-generated key, ensuring the file is not readable without proper authorization.
+
+### 5.2 Scope Management
+-   The `init` command will request a base set of common scopes. Users can manually add or remove scopes in their Azure App Registration. The package will respect the scopes granted to the application.
+
+## 6. MCP Tool Definitions
+
+Each Microsoft Graph API will be exposed as one or more MCP tools. Tools will be defined with clear input and output schemas using `zod` for validation.
+
+### 6.1 Example: `mail.list_messages`
+
+-   **Description:** Lists mail messages from the user's inbox or specified folder.
+-   **Input Schema:**
+    ```typescript
+    interface ListMailMessagesInput {
+      folderId?: string; // Optional: ID of the mail folder (e.g., 'inbox', 'sentitems')
+      top?: number;     // Optional: Number of messages to retrieve (default: 10)
+      filter?: string;  // Optional: OData filter string
+    }
+    ```
+-   **Output Schema:**
+    ```typescript
+    interface ListMailMessagesOutput {
+      messages: Array<{ // Array of simplified mail message objects
+        id: string;
+        subject: string;
+        from: { name: string; address: string };
+        receivedDateTime: string;
+        isRead: boolean;
+        bodyPreview: string;
+        webLink: string; // Link to the message in Outlook Web App
+      }>;
+      nextLink?: string; // OData nextLink for pagination
+    }
+    ```
+
+### 6.2 Example: `calendar.create_event`
+
+-   **Description:** Creates a new calendar event.
+-   **Input Schema:**
+    ```typescript
+    interface CreateCalendarEventInput {
+      subject: string;
+      start: { dateTime: string; timeZone: string };
+      end: { dateTime: string; timeZone: string };
+      content?: string; // Optional: Body content of the event
+      attendees?: Array<{ emailAddress: string; type: 'required' | 'optional' }>;
+      location?: string;
+    }
+    ```
+-   **Output Schema:**
+    ```typescript
+    interface CreateCalendarEventOutput {
+      id: string;
+      webLink: string; // Link to the event in Outlook Web App
+      status: 'created' | 'failed';
+      errorMessage?: string;
+    }
+    ```
+
+## 7. Communication Protocol (Stdio)
+
+The package will communicate with AI agents by reading JSON messages from `stdin` and writing JSON responses to `stdout`.
+
+### 7.1 Request Format (from Agent to MCP Package)
+
+```json
+{
+  "type": "request",
+  "id": "<unique-request-id>",
+  "tool": "<tool-name>",
+  "input": { /* tool-specific input parameters */ }
+}
+```
+
+### 7.2 Response Format (from MCP Package to Agent)
+
+```json
+{
+  "type": "response",
+  "id": "<unique-request-id>",
+  "status": "success" | "error",
+  "output": { /* tool-specific output data */ },
+  "error": { "code": "<code>", "message": "<message>" } // Only if status is "error"
+}
+```
+
+## 8. Error Handling
+
+-   **Graph API Errors:** Translate Microsoft Graph API errors into a standardized MCP error format, including status codes and messages.
+-   **Validation Errors:** Use `zod` to validate incoming MCP requests. Return clear error messages for invalid inputs.
+-   **Authentication Errors:** Handle token expiration, invalid refresh tokens, and insufficient permissions gracefully, prompting the user for re-authentication if necessary.
+
+## 9. Configuration and User Control
+
+### 9.1 Configuration File
+A local JSON configuration file (e.g., `~/.config/ms-graph-mcp/config.json`) will store:
+-   `clientId`: The Microsoft Entra Application (Client) ID.
+-   `tenantId`: The Microsoft Entra Tenant ID.
+-   `enabledTools`: An array of strings or a map to enable/disable specific MCP tools or categories.
+
+### 9.2 CLI Commands for User Control
+-   `bunx @org/package permissions`: Displays the configured Client ID, Tenant ID, and a list of currently enabled/disabled tools.
+-   `bunx @org/package revoke`: Revokes the refresh token from local storage and optionally from Microsoft Entra ID (if supported by MSAL), effectively disconnecting the package.
+-   `bunx @org/package audit`: (Optional, future enhancement) Displays a local log of tool invocations.
+
+## 10. Security Considerations
+
+-   **Refresh Token Protection:** As detailed in Section 5.1, refresh tokens must be stored using the most secure method available for the operating system.
+-   **Least Privilege:** Encourage users to grant only the necessary Microsoft Graph scopes to their registered application.
+-   **Input Validation:** Strictly validate all incoming MCP requests to prevent injection attacks or unexpected behavior.
+-   **Output Sanitization:** Ensure that any data returned from Microsoft Graph is properly sanitized before being passed back to the AI agent, especially if the agent might display it to the user.
+
+## 11. References
+
+[1] JSR. *JSR: the JavaScript Registry*. Available at: https://jsr.io/
+[2] Bun. *bunx*. Available at: https://bun.com/docs/pm/bunx
+[3] Bun. *Bun*. Available at: https://bun.com/
+[4] Bun. *Install TypeScript declarations for Bun*. Available at: https://bun.com/docs/guides/runtime/typescript
+[5] Microsoft. *Microsoft Graph SDK for JavaScript*. Available at: https://learn.microsoft.com/en-us/graph/sdks/sdk-overview#javascript-sdk
+[6] Microsoft. *Microsoft Authentication Library for Node.js (MSAL Node)*. Available at: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node
+[7] Commander. *Commander.js*. Available at: https://github.com/tj/commander.js
+[8] Keytar. *keytar*. Available at: https://github.com/atom/node-keytar
+[9] Zod. *Zod*. Available at: https://zod.dev/
+[10] Microsoft. *Getting Microsoft entra oauth login to work with personal accounts*. Available at: https://learn.microsoft.com/en-us/answers/questions/1525326/getting-microsoft-entra-oauth-login-to-work-with-p

package/docs/tools/README.md

@@ -0,0 +1,13 @@
+# Microsoft Graph MCP Tools Documentation
+
+This document provides an overview of the top-level tools available in the Microsoft Graph MCP CLI. Each top-level tool corresponds to a major Microsoft Graph service and contains a set of sub-tools for specific operations.
+
+## Top-Level Tools
+
+*   **[Mail](./mail.md)**: Interact with email messages, folders, and other mail-related functionalities.
+*   **[Calendar](./calendar.md)**: Manage calendar events, schedules, and attendees.
+*   **OneDrive (Coming Soon)**: Interact with files and folders in OneDrive.
+
+## How to Discover Sub-Tools
+
+AI agents can discover the specific sub-tools available within each top-level tool by referring to their respective documentation files (e.g., `mail.md` for mail-related operations). When interacting with the MCP CLI, agents can specify the full tool path (e.g., `mail.list_messages`) to invoke a particular function.

package/docs/tools/calendar.md

@@ -0,0 +1,31 @@
+# Calendar Tools
+
+This document details the sub-tools available under the `calendar` top-level tool. These tools allow interaction with the user's Microsoft 365 calendar.
+
+## `calendar.create_event`
+
+Creates a new event in the user's calendar.
+
+### Parameters
+
+*   `subject` (string, required): The subject of the event.
+*   `start` (object, required): The start date and time of the event.
+    *   `dateTime` (string, required): The date and time in ISO 8601 format (e.g., `2026-03-20T09:00:00`).
+    *   `timeZone` (string, required): The time zone of the start time (e.g., `America/Los_Angeles`).
+*   `end` (object, required): The end date and time of the event.
+    *   `dateTime` (string, required): The date and time in ISO 8601 format (e.g., `2026-03-20T10:00:00`).
+    *   `timeZone` (string, required): The time zone of the end time (e.g., `America/Los_Angeles`).
+*   `content` (string, optional): The body content of the event, in HTML format.
+*   `attendees` (array of objects, optional): A list of attendees for the event.
+    *   Each object contains:
+        *   `emailAddress` (string, required): The email address of the attendee.
+        *   `type` (string, required): The attendee type, either `required` or `optional`.
+*   `location` (string, optional): The display name of the event location.
+
+### Returns
+
+An object containing:
+*   `id` (string): The unique identifier of the created event.
+*   `webLink` (string): A URL to open the event in Outlook Web App.
+*   `status` (string): The status of the event creation, either `created` or `failed`.
+*   `errorMessage` (string, optional): An error message if the event creation failed.

package/docs/tools/mail.md

@@ -0,0 +1,26 @@
+# Mail Tools
+
+This document details the sub-tools available under the `mail` top-level tool. These tools allow interaction with the user's Microsoft 365 mailbox.
+
+## `mail.list_messages`
+
+Lists messages from the user's mailbox.
+
+### Parameters
+
+*   `folderId` (string, optional): The ID of the mail folder to retrieve messages from. If not provided, defaults to the inbox (`/me/messages`).
+*   `top` (number, optional): The maximum number of messages to return in the response.
+*   `filter` (string, optional): An OData filter query to apply to the messages (e.g., `isRead eq false`).
+
+### Returns
+
+An object containing:
+*   `messages` (array): A list of message objects, each containing:
+    *   `id` (string): The unique identifier of the message.
+    *   `subject` (string): The subject of the message.
+    *   `from` (object): Information about the sender.
+    *   `receivedDateTime` (string): The date and time the message was received.
+    *   `isRead` (boolean): Indicates whether the message has been read.
+    *   `bodyPreview` (string): A short preview of the message body.
+    *   `webLink` (string): A URL to open the message in Outlook Web App.
+*   `nextLink` (string, optional): A URL to retrieve the next page of messages, if available.

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@frustrated/ms-graph-mcp",
+  "version": "0.1.4",
+  "description": "A JSR-based TypeScript MCP package for personal Microsoft Graph access via CLI",
+  "type": "module",
+  "main": "./src/index.ts",
+  "bin": {
+    "ms-graph-mcp": "./src/index.ts"
+  },
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "scripts": {
+    "dev": "bun run src/index.ts",
+    "test": "bun test",
+    "typecheck": "bun run tsc --noEmit"
+  },
+  "nodeModulesDir": "auto",
+  "imports": {
+    "@azure/msal-node": "npm:@azure/msal-node@^3.0.0",
+    "@microsoft/microsoft-graph-client": "npm:@microsoft/microsoft-graph-client@^3.0.0",
+    "@commander-js/extra-typings": "npm:@commander-js/extra-typings@^14.0.0"
+  },
+  "dependencies": {
+    "@azure/msal-node": "^3.0.0",
+    "@microsoft/microsoft-graph-client": "^3.0.0",
+    "@commander-js/extra-typings": "^14.0.0"
+  },
+  "publish": {
+    "include": [
+      "src/",
+      "README.md",
+      "LICENSE"
+    ]
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/usually-frustrated/ms-graph-mcp.git"
+  },
+  "devDependencies": {
+    "bun-types": "latest",
+    "typescript": "^5.3.0",
+    "@types/node": "^20.10.0"
+  }
+}

package/src/auth.ts

@@ -0,0 +1,165 @@
+import { PublicClientApplication, Configuration, LogLevel, CryptoProvider } from '@azure/msal-node';
+import { AddressInfo } from 'node:net';
+import { promises as fs } from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { createServer } from 'node:http';
+
+const MSAL_CONFIG: Configuration = {
+  auth: {
+    clientId: process.env.MS_GRAPH_CLIENT_ID || 'YOUR_CENTRALIZED_CLIENT_ID_HERE', // Replace with actual Client ID
+    authority: 'https://login.microsoftonline.com/common',
+  },
+  system: {
+    loggerOptions: {
+      loggerCallback(loglevel, message, containsPii) {
+        console.log(message);
+      },
+      piiLoggingEnabled: false,
+      logLevel: LogLevel.Verbose,
+    },
+  },
+};
+
+const REDIRECT_URI_PATH = '/auth-callback';
+const TOKEN_CACHE_FILE = path.join(os.homedir(), '.config', 'ms-graph-mcp', 'msal_cache.json');
+const SCOPES = ['User.Read', 'Mail.ReadWrite', 'Calendars.ReadWrite', 'Files.ReadWrite.All', 'offline_access'];
+
+const pca = new PublicClientApplication(MSAL_CONFIG);
+
+async function saveTokenCache() {
+  const serialized = pca.getTokenCache().serialize();
+  await fs.mkdir(path.dirname(TOKEN_CACHE_FILE), { recursive: true });
+  await fs.writeFile(TOKEN_CACHE_FILE, serialized, { mode: 0o600 });
+}
+
+async function loadTokenCache(): Promise<boolean> {
+  try {
+    const data = await fs.readFile(TOKEN_CACHE_FILE, 'utf-8');
+    pca.getTokenCache().deserialize(data);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export async function initAuth(): Promise<void> {
+  console.log('Initiating Microsoft Graph authentication...');
+  console.log('Please ensure you have registered a multi-tenant application in Azure AD with the following redirect URI: http://localhost:PORT/auth-callback');
+
+  const cryptoProvider = new CryptoProvider();
+  const pkceCodes = await cryptoProvider.generatePkceCodes();
+
+  const authCodeUrlParameters = {
+    scopes: SCOPES,
+    redirectUri: `http://localhost:0${REDIRECT_URI_PATH}`,
+    codeChallenge: pkceCodes.challenge,
+    codeChallengeMethod: 'S256' as const,
+  };
+
+  const authCodeUrl = await pca.getAuthCodeUrl(authCodeUrlParameters);
+
+  return new Promise((resolve, reject) => {
+    const server = createServer(async (req, res) => {
+      if (req.url?.startsWith(REDIRECT_URI_PATH)) {
+        const url = new URL(`http://localhost${req.url}`);
+        const code = url.searchParams.get('code');
+
+        if (code) {
+          try {
+            const addr = server.address() as AddressInfo;
+            const tokenResult = await pca.acquireTokenByCode({
+              code,
+              scopes: SCOPES,
+              redirectUri: `http://localhost:${addr.port}${REDIRECT_URI_PATH}`,
+              codeVerifier: pkceCodes.verifier,
+            });
+
+            if (tokenResult) {
+              await saveTokenCache();
+              res.writeHead(200, { 'Content-Type': 'text/plain' });
+              res.end('Authentication successful! You can close this window.');
+              console.log('Authentication successful. Tokens saved securely.');
+              server.close(() => resolve());
+            } else {
+              throw new Error('Authentication failed: no token result received.');
+            }
+          } catch (error) {
+            console.error('Error acquiring token:', error);
+            res.writeHead(500, { 'Content-Type': 'text/plain' });
+            res.end('Authentication failed. Check console for details.');
+            server.close(() => reject(error));
+          }
+        } else {
+          res.writeHead(400, { 'Content-Type': 'text/plain' });
+          res.end('Authorization code not found in redirect.');
+          server.close(() => reject(new Error('Authorization code not found.')));
+        }
+      } else {
+        res.writeHead(404, { 'Content-Type': 'text/plain' });
+        res.end('Not Found');
+      }
+    });
+
+    server.listen(0, () => {
+      const addr = server.address() as AddressInfo;
+      const finalRedirectUri = `http://localhost:${addr.port}${REDIRECT_URI_PATH}`;
+      const finalAuthUrl = authCodeUrl.replace(`http://localhost:0${REDIRECT_URI_PATH}`, finalRedirectUri);
+      console.log(`\nOpen this URL in your browser to authenticate:\n\n  ${finalAuthUrl}\n`);
+    });
+
+    server.on('error', (err) => {
+      console.error('Server error:', err);
+      reject(err);
+    });
+  });
+}
+
+export async function getAccessToken(): Promise<string> {
+  await loadTokenCache();
+
+  const accounts = await pca.getAllAccounts();
+  if (accounts.length === 0) {
+    throw new Error('No account found. Please run `ms-graph-mcp init` first.');
+  }
+
+  try {
+    const tokenResult = await pca.acquireTokenSilent({
+      account: accounts[0],
+      scopes: SCOPES,
+    });
+
+    if (!tokenResult) {
+      throw new Error('Failed to acquire access token silently.');
+    }
+
+    await saveTokenCache();
+    return tokenResult.accessToken;
+  } catch (error) {
+    console.error('Error refreshing token:', error);
+    await fs.unlink(TOKEN_CACHE_FILE).catch(() => {});
+    throw new Error('Failed to refresh access token. Please re-authenticate using `ms-graph-mcp init`.');
+  }
+}
+
+export async function revokeAuth(): Promise<void> {
+  try {
+    await fs.unlink(TOKEN_CACHE_FILE).catch(() => {});
+    console.log('Authentication revoked. All tokens cleared.');
+  } catch (error) {
+    console.error('Error revoking authentication:', error);
+    throw error;
+  }
+}
+
+export async function getAuthStatus(): Promise<{ clientId: string; tenantId: string; isAuthenticated: boolean }> {
+  await loadTokenCache();
+  const accounts = await pca.getAllAccounts();
+  const isAuthenticated = accounts.length > 0;
+  const authority = MSAL_CONFIG.auth.authority ?? 'https://login.microsoftonline.com/common';
+  return {
+    clientId: MSAL_CONFIG.auth.clientId,
+    tenantId: authority.split('/').pop() || 'common',
+    isAuthenticated,
+  };
+}

package/src/config.ts

@@ -0,0 +1,46 @@
+import { promises as fs } from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+
+const CONFIG_DIR = path.join(os.homedir(), '.ms-graph-mcp');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+
+interface AppConfig {
+  clientId: string;
+  tenantId: string;
+  enabledTools: string[]; // List of tool names that are enabled
+}
+
+let appConfig: AppConfig = {
+  clientId: process.env.MS_GRAPH_CLIENT_ID || 'YOUR_CENTRALIZED_CLIENT_ID_HERE', // Default centralized client ID
+  tenantId: 'common',
+  enabledTools: [],
+};
+
+export async function loadConfig(): Promise<AppConfig> {
+  try {
+    const configContent = await fs.readFile(CONFIG_FILE, 'utf-8');
+    appConfig = { ...appConfig, ...JSON.parse(configContent) };
+  } catch (error) {
+    // If file doesn't exist or is invalid, use default config
+    console.warn('No existing config found or config file is invalid. Using default configuration.');
+  }
+  return appConfig;
+}
+
+export async function saveConfig(newConfig: Partial<AppConfig>): Promise<void> {
+  appConfig = { ...appConfig, ...newConfig };
+  await fs.mkdir(CONFIG_DIR, { recursive: true });
+  await fs.writeFile(CONFIG_FILE, JSON.stringify(appConfig, null, 2));
+}
+
+export function getConfig(): AppConfig {
+  return appConfig;
+}
+
+export function isToolEnabled(toolName: string): boolean {
+  return appConfig.enabledTools.includes(toolName);
+}
+
+// Initialize config on module load
+loadConfig();

package/src/index.ts

@@ -0,0 +1,80 @@
+#!/usr/bin/env node
+import { Command } from "@commander-js/extra-typings";
+import { initAuth, revokeAuth, getAuthStatus } from "./auth.ts";
+import { getConfig, saveConfig } from "./config.ts";
+import { startMcpServer } from "./mcp-interface.ts";
+
+const program = new Command();
+
+program
+  .name("ms-graph-mcp")
+  .description("CLI for JSR-based Microsoft Graph MCP package")
+  .version("0.1.0");
+
+program
+  .command("init")
+  .description("Initialize authentication with Microsoft Graph")
+  .action(async () => {
+    try {
+      await initAuth();
+      console.log("Authentication process completed.");
+    } catch (error) {
+      console.error("Authentication failed:", error instanceof Error ? error.message : String(error));
+      process.exit(1);
+    }
+  });
+
+program
+  .command("revoke")
+  .description("Revoke Microsoft Graph authentication and clear tokens")
+  .action(async () => {
+    try {
+      await revokeAuth();
+      console.log("Authentication revoked successfully.");
+    } catch (error) {
+      console.error("Failed to revoke authentication:", error instanceof Error ? error.message : String(error));
+      process.exit(1);
+    }
+  });
+
+program
+  .command("permissions")
+  .description(
+    "Display current authentication status and configured permissions",
+  )
+  .action(async () => {
+    try {
+      const authStatus = await getAuthStatus();
+      const config = getConfig();
+      console.log("--- Microsoft Graph MCP Status ---");
+      console.log(`Client ID: ${authStatus.clientId}`);
+      console.log(`Tenant ID: ${authStatus.tenantId}`);
+      console.log(
+        `Authenticated: ${authStatus.isAuthenticated ? "Yes" : "No"}`,
+      );
+      console.log("\nEnabled Tools:");
+      if (config.enabledTools.length > 0) {
+        config.enabledTools.forEach((tool) => console.log(`- ${tool}`));
+      } else {
+        console.log(
+          "No specific tools are explicitly enabled in config. All available tools will be used.",
+        );
+      }
+      console.log("----------------------------------");
+    } catch (error) {
+      console.error("Failed to retrieve status:", error instanceof Error ? error.message : String(error));
+      process.exit(1);
+    }
+  });
+
+program
+  .command("run")
+  .description("Start the MCP server to listen for commands via stdin/stdout")
+  .action(async () => {
+    console.log("MCP server started. Listening for commands on stdin...");
+    // Placeholder for MCP interface logic
+    // This will be implemented in src/mcp-interface.ts and called here
+    startMcpServer();
+  });
+
+program.parse(process.argv);

package/src/mcp-interface.ts

@@ -0,0 +1,122 @@
+import { getAccessToken } from './auth.ts';
+import { getConfig, isToolEnabled } from './config.ts';
+import { error, log } from './utils.ts';
+import { Client } from '@microsoft/microsoft-graph-client';
+
+// Define MCP message interfaces
+interface McpRequest {
+  type: 'request';
+  id: string;
+  tool: string;
+  input: any;
+}
+
+interface McpResponse {
+  type: 'response';
+  id: string;
+  status: 'success' | 'error';
+  output?: any;
+  error?: { code: string; message: string };
+}
+
+// Placeholder for registered tools
+import { tools as registeredTools } from './tools/index.ts';
+
+
+async function processMcpRequest(request: McpRequest): Promise<McpResponse> {
+  const config = getConfig();
+
+  if (!isToolEnabled(request.tool)) {
+    return {
+      type: 'response',
+      id: request.id,
+      status: 'error',
+      error: { code: 'TOOL_DISABLED', message: `Tool '${request.tool}' is disabled.` },
+    };
+  }
+
+  const toolHandler = (registeredTools as Record<string, ((graphClient: Client, input: any) => Promise<any>) | undefined>)[request.tool];
+  if (!toolHandler) {
+    return {
+      type: 'response',
+      id: request.id,
+      status: 'error',
+      error: { code: 'TOOL_NOT_FOUND', message: `Tool '${request.tool}' not found.` },
+    };
+  }
+
+  try {
+    const accessToken = await getAccessToken();
+    const graphClient = Client.init({
+      authProvider: (done) => {
+        done(null, accessToken);
+      },
+    });
+
+    const output = await toolHandler(graphClient, request.input);
+    return {
+      type: 'response',
+      id: request.id,
+      status: 'success',
+      output,
+    };
+  } catch (err: any) {
+    error(`Error executing tool '${request.tool}':`, err);
+    return {
+      type: 'response',
+      id: request.id,
+      status: 'error',
+      error: { code: err.code || 'TOOL_EXECUTION_ERROR', message: err.message || 'An unknown error occurred.' },
+    };
+  }
+}
+
+export function startMcpServer() {
+  log('MCP server started. Listening for commands on stdin...');
+
+  process.stdin.setEncoding('utf8');
+
+  let buffer = '';
+  process.stdin.on('data', async (chunk) => {
+    buffer += chunk;
+    let newlineIndex;
+    while ((newlineIndex = buffer.indexOf('\n')) !== -1) {
+      const line = buffer.substring(0, newlineIndex).trim();
+      buffer = buffer.substring(newlineIndex + 1);
+
+      if (line) {
+        try {
+          const request: McpRequest = JSON.parse(line);
+          if (request.type === 'request' && request.id && request.tool) {
+            const response = await processMcpRequest(request);
+            process.stdout.write(JSON.stringify(response) + '\n');
+          } else {
+            error('Invalid MCP request format:', new Error(line));
+            process.stdout.write(JSON.stringify({
+              type: 'response',
+              id: request.id || 'unknown',
+              status: 'error',
+              error: { code: 'INVALID_REQUEST', message: 'Invalid MCP request format.' },
+            }) + '\n');
+          }
+        } catch (parseError: any) {
+          error('Failed to parse stdin input as JSON:', parseError);
+          process.stdout.write(JSON.stringify({
+            type: 'response',
+            id: 'unknown',
+            status: 'error',
+            error: { code: 'JSON_PARSE_ERROR', message: 'Invalid JSON input.' },
+          }) + '\n');
+        }
+      }
+    }
+  });
+
+  process.stdin.on('end', () => {
+    log('Stdin closed. MCP server shutting down.');
+  });
+
+  process.stdin.on('error', (err) => {
+    error('Stdin error:', err);
+  });
+}

package/src/tools/calendar.ts

@@ -0,0 +1,41 @@
+import { Client } from '@microsoft/microsoft-graph-client';
+import { log, error } from '../utils.ts';
+
+export async function createEvent(graphClient: Client, input: {
+  subject: string;
+  start: { dateTime: string; timeZone: string };
+  end: { dateTime: string; timeZone: string };
+  content?: string;
+  attendees?: Array<{ emailAddress: string; type: 'required' | 'optional' }>;
+  location?: string;
+}): Promise<any> {
+  try {
+    const event = {
+      subject: input.subject,
+      start: input.start,
+      end: input.end,
+      body: input.content ? { contentType: 'HTML', content: input.content } : undefined,
+      attendees: input.attendees?.map(att => ({
+        emailAddress: { address: att.emailAddress },
+        type: att.type,
+      })),
+      location: input.location ? { displayName: input.location } : undefined,
+    };
+
+    const response = await graphClient.api('/me/events').post(event);
+    log(`Created calendar event: ${response.subject} (ID: ${response.id})`);
+    return {
+      id: response.id,
+      webLink: response.webLink,
+      status: 'created',
+    };
+  } catch (err: any) {
+    error('Error creating calendar event:', err);
+    return {
+      id: null,
+      webLink: null,
+      status: 'failed',
+      errorMessage: err.message,
+    };
+  }
+}

package/src/tools/index.ts

@@ -0,0 +1,9 @@
+import * as mail from './mail.ts';
+import * as calendar from './calendar.ts';
+// import * as onedrive from './onedrive'; // Placeholder for future tools
+
+export const tools = {
+  'mail.list_messages': mail.listMessages,
+  'calendar.create_event': calendar.createEvent,
+  // 'onedrive.list_files': onedrive.listFiles,
+};

package/src/tools/mail.ts

@@ -0,0 +1,34 @@
+import { Client } from '@microsoft/microsoft-graph-client';
+import { log, error } from '../utils.ts';
+
+export async function listMessages(graphClient: Client, input: { folderId?: string; top?: number; filter?: string }): Promise<any> {
+  try {
+    let request = graphClient.api(input.folderId ? `/me/mailFolders/${input.folderId}/messages` : 
+'/me/messages');
+
+    if (input.top) {
+      request = request.top(input.top);
+    }
+    if (input.filter) {
+      request = request.filter(input.filter);
+    }
+
+    const response = await request.select('id,subject,from,receivedDateTime,isRead,bodyPreview,webLink').get();
+    log(`Listed ${response.value.length} messages.`);
+    return {
+      messages: response.value.map((msg: any) => ({
+        id: msg.id,
+        subject: msg.subject,
+        from: msg.from,
+        receivedDateTime: msg.receivedDateTime,
+        isRead: msg.isRead,
+        bodyPreview: msg.bodyPreview,
+        webLink: msg.webLink,
+      })),
+      nextLink: response['@odata.nextLink'],
+    };
+  } catch (err: any) {
+    error('Error listing messages:', err);
+    throw err;
+  }
+}

package/src/utils.ts

@@ -0,0 +1,20 @@
+import { promises as fs } from 'node:fs';
+import * as path from 'node:path';
+
+export function log(message: string, level: 'info' | 'warn' | 'error' = 'info') {
+  const timestamp = new Date().toISOString();
+  console.log(`[${timestamp}] [${level.toUpperCase()}] ${message}`);
+}
+
+export function error(message: string, err?: Error) {
+  log(message, 'error');
+  if (err) {
+    console.error(err);
+  }
+}
+
+export function warn(message: string) {
+  log(message, 'warn');
+}
+
+// Placeholder for future file-based logging or other utilities

package/tsconfig.json

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "lib": ["ESNext", "DOM"],
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "allowJs": true,
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "allowImportingTsExtensions": true,
+    "noEmit": true,
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"],
+}