@juvantlabs/m365-graph-mcp-server 0.1.0

package/SECURITY.md

@@ -0,0 +1,64 @@
+# Security
+
+## Reporting a vulnerability
+
+Please report vulnerabilities **privately** via one of these channels:
+
+1. **GitHub Security Advisory** (preferred) — go to this repo's
+   `Security` tab → `Report a vulnerability`. Your report stays
+   private between you and the maintainer until we publish a
+   coordinated advisory.
+2. **Email** — `security@juvant.io`. Reports go to the primary
+   maintainer.
+
+**Please do NOT** open a public issue or pull request that contains
+reproduction details for the vulnerability. Once a public artifact
+exposes the issue, the coordinated-disclosure window collapses.
+
+## What we commit to
+
+This repo follows the
+[juvantlabs Security Disclosure Process](https://github.com/juvantlabs/handbook/blob/main/docs/security/disclosure-process.md).
+SLOs:
+
+| State | Target |
+|---|---|
+| Acknowledge receipt | ≤ 7 days |
+| Initial triage + severity classification | ≤ 14 days |
+| Patch prepared (high/critical) | ≤ 30 days |
+| Patch prepared (moderate) | ≤ 90 days |
+| Public advisory + CVE | Patch + 1–7 days |
+
+## Supported versions
+
+| Version | Supported |
+|---|---|
+| Latest `0.x` (current) | ✅ |
+| Older `0.x` | ❌ End-of-life with each new release until `1.0` |
+
+Once `1.0` ships, the supported-versions matrix expands to formally
+back-port security fixes to the `N-1` major.
+
+## Out of scope
+
+- Issues in dependencies — please report those upstream. We track
+  upstream advisories via Dependabot and bump promptly.
+- Issues in adopter customizations / forks of this server.
+- Theoretical vulnerabilities without a reproduction path.
+
+## Security-relevant dependencies
+
+| Dependency | Version | Why it matters |
+|---|---|---|
+| `@modelcontextprotocol/sdk` | `^1.25.2` | ≥ 1.25.2 required to avoid ReDoS (`GHSA-8r9q-7v3j-jr4g`) and DNS rebinding (`GHSA-w48q-cv73-mx4w`) advisories on earlier versions |
+| _(vendor SDK)_ | | _(fill in as the vendor SDK is selected)_ |
+
+## Crediting
+
+Reporters are credited by name in advisories unless they request
+anonymity at report time. Past reports + reporter acknowledgments
+will be listed in `SECURITY-CREDITS.md` (created on first disclosure).
+
+## Acknowledgments
+
+No disclosures yet.

package/dist/auth/confirmation_tokens.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Server-side state for the spec/approval confirmation-token pattern
+ * used by destructive tools (delete_file, cancel_event).
+ *
+ * Per the handbook MCP server spec § Tool design and ADR 0002:
+ *   1. First call: agent submits a spec describing what to delete /
+ *      cancel; tool returns a preview + a confirmation_token.
+ *   2. Agent reviews the preview, returns a second call with the same
+ *      destructive-op args plus the confirmation_token.
+ *   3. Tool verifies (token exists, not expired, not used, tied to
+ *      THIS tool, args match the original spec) and executes. Token
+ *      is then consumed (single-use).
+ *
+ * Token lifetime: 5 minutes. State lives in a module-level Map keyed
+ * by token. Cleared on process exit (per-tenant subprocess per
+ * handbook spec — no cross-process leakage). Garbage-collected on
+ * each issue/consume pass.
+ *
+ * Spec match is via SHA-256 of canonical JSON (keys sorted) so the
+ * agent can't pass a token issued for {item_id: "A"} together with
+ * args {item_id: "B"} and have the destructive call go through.
+ */
+export interface IssuedToken {
+    confirmation_token: string;
+    expires_at: string;
+    expires_in_seconds: number;
+}
+export declare function issueConfirmation(toolName: string, spec: Record<string, unknown>): IssuedToken;
+export type ConsumeError = "token_unknown" | "token_expired" | "token_wrong_tool" | "spec_mismatch";
+export type ConsumeResult = {
+    ok: true;
+} | {
+    ok: false;
+    error: ConsumeError;
+};
+export declare function consumeConfirmation(token: string, toolName: string, spec: Record<string, unknown>): ConsumeResult;
+export declare function _resetConfirmationTokens(): void;
+//# sourceMappingURL=confirmation_tokens.d.ts.map

package/dist/auth/confirmation_tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confirmation_tokens.d.ts","sourceRoot":"","sources":["../../src/auth/confirmation_tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAmCH,MAAM,WAAW,WAAW;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,WAAW,CAcb;AAED,MAAM,MAAM,YAAY,GACpB,eAAe,GACf,eAAe,GACf,kBAAkB,GAClB,eAAe,CAAC;AAEpB,MAAM,MAAM,aAAa,GACrB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,YAAY,CAAA;CAAE,CAAC;AAEvC,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,aAAa,CAiBf;AAID,wBAAgB,wBAAwB,IAAI,IAAI,CAE/C"}

package/dist/auth/confirmation_tokens.js

@@ -0,0 +1,85 @@
+/**
+ * Server-side state for the spec/approval confirmation-token pattern
+ * used by destructive tools (delete_file, cancel_event).
+ *
+ * Per the handbook MCP server spec § Tool design and ADR 0002:
+ *   1. First call: agent submits a spec describing what to delete /
+ *      cancel; tool returns a preview + a confirmation_token.
+ *   2. Agent reviews the preview, returns a second call with the same
+ *      destructive-op args plus the confirmation_token.
+ *   3. Tool verifies (token exists, not expired, not used, tied to
+ *      THIS tool, args match the original spec) and executes. Token
+ *      is then consumed (single-use).
+ *
+ * Token lifetime: 5 minutes. State lives in a module-level Map keyed
+ * by token. Cleared on process exit (per-tenant subprocess per
+ * handbook spec — no cross-process leakage). Garbage-collected on
+ * each issue/consume pass.
+ *
+ * Spec match is via SHA-256 of canonical JSON (keys sorted) so the
+ * agent can't pass a token issued for {item_id: "A"} together with
+ * args {item_id: "B"} and have the destructive call go through.
+ */
+import crypto from "node:crypto";
+const EXPIRY_MS = 5 * 60 * 1000;
+const pending = new Map();
+function canonicalize(spec) {
+    // Stable JSON: keys sorted alphabetically. Sufficient for our specs
+    // which are flat objects of primitives (strings, numbers, booleans);
+    // we don't need full recursive canonicalization.
+    const sortedKeys = Object.keys(spec).sort();
+    const sorted = {};
+    for (const k of sortedKeys)
+        sorted[k] = spec[k];
+    return JSON.stringify(sorted);
+}
+function hashSpec(spec) {
+    return crypto.createHash("sha256").update(canonicalize(spec)).digest("hex");
+}
+function gc() {
+    const now = Date.now();
+    for (const [k, v] of pending) {
+        if (v.expiresAt <= now)
+            pending.delete(k);
+    }
+}
+export function issueConfirmation(toolName, spec) {
+    gc();
+    const token = crypto.randomBytes(16).toString("hex");
+    const expiresAt = Date.now() + EXPIRY_MS;
+    pending.set(token, {
+        toolName,
+        specHash: hashSpec(spec),
+        expiresAt,
+    });
+    return {
+        confirmation_token: token,
+        expires_at: new Date(expiresAt).toISOString(),
+        expires_in_seconds: Math.floor(EXPIRY_MS / 1000),
+    };
+}
+export function consumeConfirmation(token, toolName, spec) {
+    gc();
+    const entry = pending.get(token);
+    if (!entry)
+        return { ok: false, error: "token_unknown" };
+    if (entry.expiresAt <= Date.now()) {
+        pending.delete(token);
+        return { ok: false, error: "token_expired" };
+    }
+    if (entry.toolName !== toolName) {
+        return { ok: false, error: "token_wrong_tool" };
+    }
+    if (entry.specHash !== hashSpec(spec)) {
+        return { ok: false, error: "spec_mismatch" };
+    }
+    // Single-use: consume on success.
+    pending.delete(token);
+    return { ok: true };
+}
+// Test helper — clears the in-memory token store. Not exported as a
+// tool. Tests import this directly to ensure isolation.
+export function _resetConfirmationTokens() {
+    pending.clear();
+}
+//# sourceMappingURL=confirmation_tokens.js.map

package/dist/auth/confirmation_tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"confirmation_tokens.js","sourceRoot":"","sources":["../../src/auth/confirmation_tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAQhC,MAAM,OAAO,GAAqC,IAAI,GAAG,EAAE,CAAC;AAE5D,SAAS,YAAY,CAAC,IAA6B;IACjD,oEAAoE;IACpE,qEAAqE;IACrE,iDAAiD;IACjD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5C,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,UAAU;QAAE,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAChD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,QAAQ,CAAC,IAA6B;IAC7C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,EAAE;IACT,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG;YAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAQD,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,IAA6B;IAE7B,EAAE,EAAE,CAAC;IACL,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE;QACjB,QAAQ;QACR,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC;QACxB,SAAS;KACV,CAAC,CAAC;IACH,OAAO;QACL,kBAAkB,EAAE,KAAK;QACzB,UAAU,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;QAC7C,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC;KACjD,CAAC;AACJ,CAAC;AAYD,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,QAAgB,EAChB,IAA6B;IAE7B,EAAE,EAAE,CAAC;IACL,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;IACzD,IAAI,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;IAClD,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IACD,kCAAkC;IAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,oEAAoE;AACpE,wDAAwD;AACxD,MAAM,UAAU,wBAAwB;IACtC,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC"}

package/dist/auth/keyring.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Token persistence via the OS keychain.
+ *
+ * Uses `@napi-rs/keyring` (NOT `keytar` — archived since 2022 per
+ * handbook spec anti-pattern #10). Tokens are stored under a
+ * (service, account) pair where the account is keyed by tenant ID
+ * so multiple tenant configs don't collide.
+ *
+ * Platform backends:
+ *   macOS    → Keychain
+ *   Linux    → Secret Service / GNOME keyring
+ *   Windows  → Credential Manager
+ */
+export interface TokenStore {
+    load(): string | null;
+    save(serialized: string): void;
+    clear(): void;
+}
+export declare function getTokenStore(tenantId: string): TokenStore;
+//# sourceMappingURL=keyring.d.ts.map

package/dist/auth/keyring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/auth/keyring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,MAAM,WAAW,UAAU;IACzB,IAAI,IAAI,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,KAAK,IAAI,IAAI,CAAC;CACf;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAsB1D"}

package/dist/auth/keyring.js

@@ -0,0 +1,41 @@
+/**
+ * Token persistence via the OS keychain.
+ *
+ * Uses `@napi-rs/keyring` (NOT `keytar` — archived since 2022 per
+ * handbook spec anti-pattern #10). Tokens are stored under a
+ * (service, account) pair where the account is keyed by tenant ID
+ * so multiple tenant configs don't collide.
+ *
+ * Platform backends:
+ *   macOS    → Keychain
+ *   Linux    → Secret Service / GNOME keyring
+ *   Windows  → Credential Manager
+ */
+import { Entry } from "@napi-rs/keyring";
+const SERVICE = "juvantlabs-m365-graph-mcp-server";
+export function getTokenStore(tenantId) {
+    const entry = new Entry(SERVICE, `tenant:${tenantId}`);
+    return {
+        load() {
+            try {
+                return entry.getPassword();
+            }
+            catch {
+                // No entry yet — first run before setup, or it was cleared.
+                return null;
+            }
+        },
+        save(serialized) {
+            entry.setPassword(serialized);
+        },
+        clear() {
+            try {
+                entry.deletePassword();
+            }
+            catch {
+                // already absent
+            }
+        },
+    };
+}
+//# sourceMappingURL=keyring.js.map

package/dist/auth/keyring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/auth/keyring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAEzC,MAAM,OAAO,GAAG,kCAAkC,CAAC;AAQnD,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;IACvD,OAAO;QACL,IAAI;YACF,IAAI,CAAC;gBACH,OAAO,KAAK,CAAC,WAAW,EAAE,CAAC;YAC7B,CAAC;YAAC,MAAM,CAAC;gBACP,4DAA4D;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,IAAI,CAAC,UAAkB;YACrB,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QACD,KAAK;YACH,IAAI,CAAC;gBACH,KAAK,CAAC,cAAc,EAAE,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACP,iBAAiB;YACnB,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/msal.d.ts

@@ -0,0 +1,42 @@
+/**
+ * MSAL Node client factory + cache plugin wiring.
+ *
+ * Uses ConfidentialClientApplication (we have a client_secret) with the
+ * Authorization Code flow for delegated permissions. Per the handbook
+ * spec § Auth, we never roll our own OAuth — MSAL Node is Microsoft's
+ * official library and handles refresh, revocation, and edge cases.
+ *
+ * Tokens persist in the OS keychain via `src/auth/keyring.ts`. The MSAL
+ * cache plugin pattern is: load on first access, save when it changes.
+ */
+import { ConfidentialClientApplication, type ICachePlugin } from "@azure/msal-node";
+/**
+ * Delegated scopes the MCP server requests. Order is irrelevant; MSAL
+ * normalizes. `offline_access` is required to get a refresh token.
+ *
+ * Add scopes here as new tools land — Files.ReadWrite for upload tools,
+ * Calendars.ReadWrite for calendar write tools, etc. (per handbook spec
+ * § Auth › Scopes: per-tool minimum, justified in ARCHITECTURE.md).
+ */
+export declare const DELEGATED_SCOPES: string[];
+/**
+ * The redirect URI registered in the Entra app for the OAuth callback.
+ * Must exactly match one of the redirect URIs configured in the Entra
+ * app registration. See README § Local development.
+ */
+export declare const REDIRECT_URI = "http://localhost:3000/auth/callback";
+/**
+ * Build the MSAL cache plugin for a given tenant. Exported so tests
+ * can drive the load/save lifecycle directly with a fake
+ * TokenCacheContext + spied keychain store.
+ */
+export declare function makeCachePlugin(tenantId: string): ICachePlugin;
+export declare function makeMsalClient(): ConfidentialClientApplication;
+/**
+ * Acquire an access token silently from the cache. Refreshes via the
+ * cached refresh token if the access token is expired. Throws if no
+ * cached account exists — the caller should run `npm run setup` to
+ * complete the initial OAuth flow.
+ */
+export declare function getAccessToken(client: ConfidentialClientApplication): Promise<string>;
+//# sourceMappingURL=msal.d.ts.map

package/dist/auth/msal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"msal.d.ts","sourceRoot":"","sources":["../../src/auth/msal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,6BAA6B,EAE7B,KAAK,YAAY,EAElB,MAAM,kBAAkB,CAAC;AAI1B;;;;;;;GAOG;AAKH,eAAO,MAAM,gBAAgB,UAK5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,wCAAwC,CAAC;AAElE;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY,CAe9D;AAED,wBAAgB,cAAc,IAAI,6BAA6B,CAa9D;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,6BAA6B,GACpC,OAAO,CAAC,MAAM,CAAC,CAoBjB"}

package/dist/auth/msal.js

@@ -0,0 +1,96 @@
+/**
+ * MSAL Node client factory + cache plugin wiring.
+ *
+ * Uses ConfidentialClientApplication (we have a client_secret) with the
+ * Authorization Code flow for delegated permissions. Per the handbook
+ * spec § Auth, we never roll our own OAuth — MSAL Node is Microsoft's
+ * official library and handles refresh, revocation, and edge cases.
+ *
+ * Tokens persist in the OS keychain via `src/auth/keyring.ts`. The MSAL
+ * cache plugin pattern is: load on first access, save when it changes.
+ */
+import { ConfidentialClientApplication, } from "@azure/msal-node";
+import { getTokenStore } from "./keyring.js";
+/**
+ * Delegated scopes the MCP server requests. Order is irrelevant; MSAL
+ * normalizes. `offline_access` is required to get a refresh token.
+ *
+ * Add scopes here as new tools land — Files.ReadWrite for upload tools,
+ * Calendars.ReadWrite for calendar write tools, etc. (per handbook spec
+ * § Auth › Scopes: per-tool minimum, justified in ARCHITECTURE.md).
+ */
+// Files.ReadWrite subsumes Files.Read; Calendars.ReadWrite subsumes
+// Calendars.Read. The Entra app permissions list still includes the
+// narrower scopes (granted earlier) — they're harmless, just not
+// requested at token acquisition time.
+export const DELEGATED_SCOPES = [
+    "User.Read",
+    "Files.ReadWrite",
+    "Calendars.ReadWrite",
+    "offline_access",
+];
+/**
+ * The redirect URI registered in the Entra app for the OAuth callback.
+ * Must exactly match one of the redirect URIs configured in the Entra
+ * app registration. See README § Local development.
+ */
+export const REDIRECT_URI = "http://localhost:3000/auth/callback";
+/**
+ * Build the MSAL cache plugin for a given tenant. Exported so tests
+ * can drive the load/save lifecycle directly with a fake
+ * TokenCacheContext + spied keychain store.
+ */
+export function makeCachePlugin(tenantId) {
+    const store = getTokenStore(tenantId);
+    return {
+        async beforeCacheAccess(cacheContext) {
+            const data = store.load();
+            if (data) {
+                cacheContext.tokenCache.deserialize(data);
+            }
+        },
+        async afterCacheAccess(cacheContext) {
+            if (cacheContext.cacheHasChanged) {
+                store.save(cacheContext.tokenCache.serialize());
+            }
+        },
+    };
+}
+export function makeMsalClient() {
+    const tenantId = process.env.M365_TENANT_ID ?? "";
+    const config = {
+        auth: {
+            clientId: process.env.M365_CLIENT_ID ?? "",
+            clientSecret: process.env.M365_CLIENT_SECRET ?? "",
+            authority: `https://login.microsoftonline.com/${tenantId}`,
+        },
+        cache: {
+            cachePlugin: makeCachePlugin(tenantId),
+        },
+    };
+    return new ConfidentialClientApplication(config);
+}
+/**
+ * Acquire an access token silently from the cache. Refreshes via the
+ * cached refresh token if the access token is expired. Throws if no
+ * cached account exists — the caller should run `npm run setup` to
+ * complete the initial OAuth flow.
+ */
+export async function getAccessToken(client) {
+    const cache = client.getTokenCache();
+    const accounts = await cache.getAllAccounts();
+    if (accounts.length === 0) {
+        throw new Error("No cached account found in the keychain. Run `npm run setup` (or " +
+            "`m365-graph-mcp-server setup`) once to complete the OAuth flow.");
+    }
+    const result = await client.acquireTokenSilent({
+        account: accounts[0],
+        scopes: DELEGATED_SCOPES,
+    });
+    if (!result?.accessToken) {
+        throw new Error("Silent token acquisition returned no access token. The refresh " +
+            "token may have been revoked or expired. Re-run `npm run setup`.");
+    }
+    return result.accessToken;
+}
+//# sourceMappingURL=msal.js.map

package/dist/auth/msal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"msal.js","sourceRoot":"","sources":["../../src/auth/msal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,6BAA6B,GAI9B,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C;;;;;;;GAOG;AACH,oEAAoE;AACpE,oEAAoE;AACpE,iEAAiE;AACjE,uCAAuC;AACvC,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,WAAW;IACX,iBAAiB;IACjB,qBAAqB;IACrB,gBAAgB;CACjB,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,qCAAqC,CAAC;AAElE;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,KAAK,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACtC,OAAO;QACL,KAAK,CAAC,iBAAiB,CAAC,YAA+B;YACrD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,IAAI,EAAE,CAAC;gBACT,YAAY,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;QACD,KAAK,CAAC,gBAAgB,CAAC,YAA+B;YACpD,IAAI,YAAY,CAAC,eAAe,EAAE,CAAC;gBACjC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;IAClD,MAAM,MAAM,GAAkB;QAC5B,IAAI,EAAE;YACJ,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE;YAC1C,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE;YAClD,SAAS,EAAE,qCAAqC,QAAQ,EAAE;SAC3D;QACD,KAAK,EAAE;YACL,WAAW,EAAE,eAAe,CAAC,QAAQ,CAAC;SACvC;KACF,CAAC;IACF,OAAO,IAAI,6BAA6B,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAqC;IAErC,MAAM,KAAK,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;IAC9C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,mEAAmE;YACjE,iEAAiE,CACpE,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC;QAC7C,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpB,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,iEAAiE;YAC/D,iEAAiE,CACpE,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,WAAW,CAAC;AAC5B,CAAC"}

package/dist/auth/setup.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Interactive OAuth setup — run once via `npm run setup` (or
+ * `m365-graph-mcp-server setup`) to populate the OS keychain with the
+ * initial token cache. After this, `npm run dev` (or `npx ...`) uses
+ * the cached refresh token silently for the lifetime of the refresh
+ * grant (Microsoft default ~90 days; rolling).
+ *
+ * Flow:
+ *   1. Build the authorization URL via MSAL.
+ *   2. Open the user's default browser at that URL.
+ *   3. Listen on http://localhost:3000/auth/callback for the
+ *      ?code=... redirect.
+ *   4. Exchange the code for tokens (MSAL writes to the cache plugin
+ *      → keychain).
+ *   5. Close the localhost listener and exit.
+ */
+export declare function runSetup(): Promise<void>;
+//# sourceMappingURL=setup.d.ts.map

package/dist/auth/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAkFH,wBAAsB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAoC9C"}

package/dist/auth/setup.js

@@ -0,0 +1,110 @@
+/**
+ * Interactive OAuth setup — run once via `npm run setup` (or
+ * `m365-graph-mcp-server setup`) to populate the OS keychain with the
+ * initial token cache. After this, `npm run dev` (or `npx ...`) uses
+ * the cached refresh token silently for the lifetime of the refresh
+ * grant (Microsoft default ~90 days; rolling).
+ *
+ * Flow:
+ *   1. Build the authorization URL via MSAL.
+ *   2. Open the user's default browser at that URL.
+ *   3. Listen on http://localhost:3000/auth/callback for the
+ *      ?code=... redirect.
+ *   4. Exchange the code for tokens (MSAL writes to the cache plugin
+ *      → keychain).
+ *   5. Close the localhost listener and exit.
+ */
+import { exec } from "node:child_process";
+import http from "node:http";
+import { URL } from "node:url";
+import { DELEGATED_SCOPES, REDIRECT_URI, makeMsalClient } from "./msal.js";
+const CALLBACK_PORT = 3000;
+const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+function openInBrowser(url) {
+    const cmd = process.platform === "darwin"
+        ? `open "${url}"`
+        : process.platform === "win32"
+            ? `start "" "${url}"`
+            : `xdg-open "${url}"`;
+    exec(cmd, (err) => {
+        if (err) {
+            console.error("[setup] Could not open browser automatically. Visit the URL above manually.");
+        }
+    });
+}
+function waitForAuthCode() {
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+            server.close();
+            reject(new Error(`Timed out waiting for OAuth callback after ${CALLBACK_TIMEOUT_MS / 1000}s`));
+        }, CALLBACK_TIMEOUT_MS);
+        const server = http.createServer((req, res) => {
+            const requestUrl = new URL(req.url ?? "/", `http://localhost:${CALLBACK_PORT}`);
+            if (requestUrl.pathname !== "/auth/callback") {
+                res.writeHead(404, { "Content-Type": "text/plain" });
+                res.end("Not Found");
+                return;
+            }
+            const code = requestUrl.searchParams.get("code");
+            const error = requestUrl.searchParams.get("error");
+            const errorDescription = requestUrl.searchParams.get("error_description");
+            if (error) {
+                res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+                res.end(`<html><body><h2>OAuth error</h2><p><b>${error}</b></p>` +
+                    `<pre>${errorDescription ?? ""}</pre></body></html>`);
+                clearTimeout(timer);
+                server.close();
+                reject(new Error(`${error}: ${errorDescription ?? "(no description)"}`));
+                return;
+            }
+            if (!code) {
+                res.writeHead(400, { "Content-Type": "text/plain" });
+                res.end("Missing authorization code in callback URL.");
+                return;
+            }
+            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+            res.end("<html><body><h2>Authentication successful</h2>" +
+                "<p>You can close this tab and return to the terminal.</p></body></html>");
+            clearTimeout(timer);
+            server.close();
+            resolve(code);
+        });
+        server.on("error", (err) => {
+            clearTimeout(timer);
+            reject(err);
+        });
+        server.listen(CALLBACK_PORT, "127.0.0.1");
+    });
+}
+export async function runSetup() {
+    const client = makeMsalClient();
+    const authUrl = await client.getAuthCodeUrl({
+        scopes: DELEGATED_SCOPES,
+        redirectUri: REDIRECT_URI,
+        prompt: "select_account",
+    });
+    console.error("[setup] Starting OAuth flow against tenant:", process.env.M365_TENANT_ID);
+    console.error("[setup] If your browser does not open automatically, visit:");
+    console.error("");
+    console.error(`  ${authUrl}`);
+    console.error("");
+    console.error(`[setup] Listening for callback on ${REDIRECT_URI}`);
+    console.error("");
+    openInBrowser(authUrl);
+    const code = await waitForAuthCode();
+    console.error("[setup] Authorization code received. Exchanging for tokens…");
+    const tokenResponse = await client.acquireTokenByCode({
+        code,
+        scopes: DELEGATED_SCOPES,
+        redirectUri: REDIRECT_URI,
+    });
+    if (!tokenResponse?.account) {
+        throw new Error("Token acquisition succeeded but no account info was returned.");
+    }
+    console.error("[setup] ✓ Tokens cached in OS keychain for:");
+    console.error(`        username: ${tokenResponse.account.username}`);
+    console.error(`        homeAccountId: ${tokenResponse.account.homeAccountId}`);
+    console.error("");
+    console.error("[setup] You can now run `npm run dev` (or `npx @juvantlabs/m365-graph-mcp-server`).");
+}
+//# sourceMappingURL=setup.js.map

package/dist/auth/setup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAE/B,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3E,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEvD,SAAS,aAAa,CAAC,GAAW;IAChC,MAAM,GAAG,GACP,OAAO,CAAC,QAAQ,KAAK,QAAQ;QAC3B,CAAC,CAAC,SAAS,GAAG,GAAG;QACjB,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO;YAC5B,CAAC,CAAC,aAAa,GAAG,GAAG;YACrB,CAAC,CAAC,aAAa,GAAG,GAAG,CAAC;IAC5B,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE;QAChB,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,CAAC,KAAK,CACX,6EAA6E,CAC9E,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,8CAA8C,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC;QACjG,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAExB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,oBAAoB,aAAa,EAAE,CAAC,CAAC;YAChF,IAAI,UAAU,CAAC,QAAQ,KAAK,gBAAgB,EAAE,CAAC;gBAC7C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;gBACrD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnD,MAAM,gBAAgB,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YAE1E,IAAI,KAAK,EAAE,CAAC;gBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,CAAC,CAAC;gBACnE,GAAG,CAAC,GAAG,CACL,yCAAyC,KAAK,UAAU;oBACtD,QAAQ,gBAAgB,IAAI,EAAE,sBAAsB,CACvD,CAAC;gBACF,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,KAAK,KAAK,gBAAgB,IAAI,kBAAkB,EAAE,CAAC,CAAC,CAAC;gBACzE,OAAO;YACT,CAAC;YAED,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;gBACrD,GAAG,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;gBACvD,OAAO;YACT,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,CAAC,CAAC;YACnE,GAAG,CAAC,GAAG,CACL,gDAAgD;gBAC9C,yEAAyE,CAC5E,CAAC;YACF,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ;IAC5B,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAEhC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC;QAC1C,MAAM,EAAE,gBAAgB;QACxB,WAAW,EAAE,YAAY;QACzB,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;IAEH,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACzF,OAAO,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;IAC7E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,KAAK,OAAO,EAAE,CAAC,CAAC;IAC9B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,qCAAqC,YAAY,EAAE,CAAC,CAAC;IACnE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAElB,aAAa,CAAC,OAAO,CAAC,CAAC;IACvB,MAAM,IAAI,GAAG,MAAM,eAAe,EAAE,CAAC;IAErC,OAAO,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;IAC7E,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC;QACpD,IAAI;QACJ,MAAM,EAAE,gBAAgB;QACxB,WAAW,EAAE,YAAY;KAC1B,CAAC,CAAC;IAEH,IAAI,CAAC,aAAa,EAAE,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;IAC7D,OAAO,CAAC,KAAK,CAAC,qBAAqB,aAAa,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrE,OAAO,CAAC,KAAK,CAAC,0BAA0B,aAAa,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;IAC/E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,qFAAqF,CAAC,CAAC;AACvG,CAAC"}

package/dist/client/graph.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Microsoft Graph client factory.
+ *
+ * Wraps the official `@microsoft/microsoft-graph-client` with an auth
+ * provider that pulls cached tokens from MSAL on every request. MSAL
+ * handles refresh transparently; if the refresh fails (revoked
+ * token), the auth provider surfaces the error to the caller.
+ *
+ * Uses isomorphic-fetch (peer dep of the Graph client per its docs).
+ * Imported once at module load.
+ */
+import "isomorphic-fetch";
+import { Client, type AuthenticationProvider, type AuthenticationProviderOptions } from "@microsoft/microsoft-graph-client";
+import type { ConfidentialClientApplication } from "@azure/msal-node";
+/**
+ * Authentication provider that bridges MSAL's token cache → the
+ * Microsoft Graph client. Each Graph request triggers
+ * `getAccessToken()`, which lets MSAL refresh transparently if the
+ * cached token is expired.
+ *
+ * Exported so tests can verify the bridge without instantiating the
+ * full Graph client.
+ */
+export declare class MsalAuthProvider implements AuthenticationProvider {
+    private readonly msal;
+    constructor(msal: ConfidentialClientApplication);
+    getAccessToken(_options?: AuthenticationProviderOptions): Promise<string>;
+}
+export declare function makeGraphClient(msal: ConfidentialClientApplication): Client;
+//# sourceMappingURL=graph.d.ts.map

package/dist/client/graph.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../src/client/graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EACL,MAAM,EACN,KAAK,sBAAsB,EAC3B,KAAK,6BAA6B,EACnC,MAAM,mCAAmC,CAAC;AAC3C,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kBAAkB,CAAC;AAItE;;;;;;;;GAQG;AACH,qBAAa,gBAAiB,YAAW,sBAAsB;IACjD,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,6BAA6B;IAE1D,cAAc,CAAC,QAAQ,CAAC,EAAE,6BAA6B,GAAG,OAAO,CAAC,MAAM,CAAC;CAGhF;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,6BAA6B,GAAG,MAAM,CAI3E"}

package/dist/client/graph.js

@@ -0,0 +1,38 @@
+/**
+ * Microsoft Graph client factory.
+ *
+ * Wraps the official `@microsoft/microsoft-graph-client` with an auth
+ * provider that pulls cached tokens from MSAL on every request. MSAL
+ * handles refresh transparently; if the refresh fails (revoked
+ * token), the auth provider surfaces the error to the caller.
+ *
+ * Uses isomorphic-fetch (peer dep of the Graph client per its docs).
+ * Imported once at module load.
+ */
+import "isomorphic-fetch";
+import { Client, } from "@microsoft/microsoft-graph-client";
+import { getAccessToken } from "../auth/msal.js";
+/**
+ * Authentication provider that bridges MSAL's token cache → the
+ * Microsoft Graph client. Each Graph request triggers
+ * `getAccessToken()`, which lets MSAL refresh transparently if the
+ * cached token is expired.
+ *
+ * Exported so tests can verify the bridge without instantiating the
+ * full Graph client.
+ */
+export class MsalAuthProvider {
+    msal;
+    constructor(msal) {
+        this.msal = msal;
+    }
+    async getAccessToken(_options) {
+        return getAccessToken(this.msal);
+    }
+}
+export function makeGraphClient(msal) {
+    return Client.initWithMiddleware({
+        authProvider: new MsalAuthProvider(msal),
+    });
+}
+//# sourceMappingURL=graph.js.map

package/dist/client/graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.js","sourceRoot":"","sources":["../../src/client/graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,kBAAkB,CAAC;AAE1B,OAAO,EACL,MAAM,GAGP,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEjD;;;;;;;;GAQG;AACH,MAAM,OAAO,gBAAgB;IACE;IAA7B,YAA6B,IAAmC;QAAnC,SAAI,GAAJ,IAAI,CAA+B;IAAG,CAAC;IAEpE,KAAK,CAAC,cAAc,CAAC,QAAwC;QAC3D,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CACF;AAED,MAAM,UAAU,eAAe,CAAC,IAAmC;IACjE,OAAO,MAAM,CAAC,kBAAkB,CAAC;QAC/B,YAAY,EAAE,IAAI,gBAAgB,CAAC,IAAI,CAAC;KACzC,CAAC,CAAC;AACL,CAAC"}