@mcpher/gas-fakes 2.2.3 → 2.2.4

package/.msgraph-token.json

@@ -1,4 +1,4 @@
 {
-  "token": "EwBIBMl6BAAU9BatlgMxts2T1B5e3Mucgfs4jcAAAbOrFhh1DT9JCqHVvaxoNywXCmplxIRVetyLelc3EqF4pkc+xDtUROr/cPZLcma18ccSkLGBiLR0o6a2WF56j74Nry+iyd3laxPf5Ih7Pz10JZyxeK1gdoVflReeCqE08g0C9gUQw8V0s7S/hQmVdy304vlAaeAm+EbuzX4ApDd2/TvqFuiVlAHjNihBg/mkubYhJnsCOfvPWH+lokQ2d5hL3E/24FQuqE+C/4vspC87Ez6QASXit/Mvd7Cf3pAQIFYroM4yfNe8jQ3FTG+S/S7b/vVJXUYF4joomDkexVsp53Z6EgHvTifHe1Vai13kcKn885hhWC+NOaYpXpW4sqAQZgAAEI+JST+25WEaGMjW83FcpHoQA+WeXVDhjZFqXdnCt7zXBnhJylglnRyRdA3AdAqu/RNPJoBYqmS7v2Db7cIu7aG7nTod/RvrNXrjewvfbVlgwqBCkVMTVmRwbZl+fQa1NMjYr457YGUmfub/hF/z6FwWJmFSSSQnXCmf3LZZI6K3z19NAD4tNGBDU4z0JtS0hr0hQTW4hp/3unpz9S36dbIllqzZr9FI9Q6Q/bJ1mGNxrAarvqyaFS4RKpmoyWYOMTt49E/hQXs05VQtO5Gwq805tAgBqzeakmPLBphHAxi3+frd0T1JrrZu1YQJud68qDxHFaizNKIJHBk1CmaPQvBDbwKUa9Sa9Gr4/tLvn+TcgaZNjmcZk/Jr6XRLrAVV5wx+ID7UduAKoyER6nRY4Lhq3b2d2Fjj4+AUpL+ljuYOJz+s5wT6j8fbMG7VXb7bTowST4QQCsC8MNYNKNii/xsigr5NPiHAmV9kWE2XZ7nj0n29LWHkVotHuWcn0R4BWypDry/ZD852kOZ2QCZW3ssniSGW2fzXGMKHQ7oi/pWiS6RaDM+dxvFPgxYNYogEopddgyyZ57B2ONOIcysQL2lRR3dxctM6+1QTykB4vQXe6QYk35uFgKaglz2PEu7byCBcpSBaUQ97XQQPeQW8Mn8jL7imytUzGqE23y28WxZVRPpNG+ffZWG0wCqQ68kdn2xn+BkRRqClGCIm2shHaY0fRVkkNgkpiHtby28eITyUWfpJ7rNjmG8VsVNCGAM3gu84siIg+QDaOUpvuTd9uAeemWun9l38ysiifbgWkQBqy1vGIVljhNfew0QpfMNuCY8ayElb2LWqi11y8ZvLvQEvEGYJ0YfdzeHzPGS/Rs4gTl5IrWLgaD3AB4Oj3mShEYUtgNEssOnejVGOTUDEVdZKEw0c2uu+xyfW3+FjtsDDWqy8Mbsiqrsdty5O5oFTyXrNU6wcallx/qjXHNHbQBnqP6yskCZxYZW3NIm4e8guz/oOcPpEECRNROivvnaJkz4hxdYhoufTrFtvdUTC6Mw3H/QDHL2zeYQvucH3Virws+ZQAw==",
-  "expiresOn": 1773398645000
+  "token": "EwBIBMl6BAAU9BatlgMxts2T1B5e3Mucgfs4jcAAAQbE+FWxF2964+qK5G5uaQ3pUy/MCJC0oOchzzIsAfEdZe5onY2EsmZQ4PATW2I6PuEagYUz7AKj565RuN8TB7q1URYyKGIajrSzsf1QSnzdOZqMr+dssABUDNjK+u8IEJViuglmAwJOIRzxRVsu3/cVoNzAi1V/RWmeQPD/BR7lUhmmNbQ0YYvlooW5GDu5M+vk3YZiz3ejDeHmFTJiMwHDohEKesRv4sVDXiFwukVOXtQ5C1ZRRt4y7zWJJyrIwHlmOYrhB33J9pa4xyRH7jXeNk04rnvTnFCLnrYLWqdlzOyWlJDzOQi7Y6rOubBMgkflSCk/cVLR6MO3YXQL5LkQZgAAEORwrlKhRbHoA3g6b8T1IkAQA99XwtXwfOoj8PC9RMUXN4qVo0gWDk1Lt/bsl9eqCQNkeXi/Li9mdnt+SLJa0DW50Gpk4OOVdH2SZ96d7aAUA30oLLsi5rdUD1TrjWLPO4uYeqvVOsT61whhVQJNHKsVQQcG3Cmm3iWGl+c7G0K/QZuNNvTNKh6GynIyNDJwVNRuk8FbqkC+WA2GnolDjstc28D2MZpFRQ7A0fG9Ik4tZUNtmUHWLKn6SQum6QVqbUGo4dayFwD/kYEUOYi/YVLmBZyVSpZAjbTFTNZqRp8rZzB3XOD7+ih362c/6ngEp7SpD55lLS0rtQUrByDQNXuLKcRjfNTv39YhgwGvDX9pARUK7Xu18t3gBt593nl3eDojClyCwlIDVzxR7UUGyZH1xYojiCPvWqsvnf6hxZZXDbNYWZt4xs/kjnKCr/5A7C5V8990/Zpxe52JbHDMxbCqoyl8L3CpTVymAyuP3PtwDXUBJfD20kvSNGfH6UiTX5uwCUr7MbhEwzAAnPehDVQcOFJ928WDWA3GPEOnK4+sQWl3M6W8CZPXGW3oHj8BraOu5yS226zT9MOQJSXPAiuFTaFOPsX+MJZqYectkSuJUa2ZbKYtSntbS3LAkv0bukTgDz+CwfXa/Sqq5dZtfx4CB1hM+fUsmBbcSQEi6BJnYpfyhCkU26NfTRhZv7sjbP9TGUAGtMuOHZSwxqflPAr2EdeYcaRt68pwQAtwrFQAkyeS9QiDItpVE3FMS6neWd07Yhua/ZIYzd2U8aSUQuHaEb74nqt2IvWZkUAkTA1RhRxDtSGtLEv3drrrLCkRSOP8gnCxJqVvMZz6nkXUI5lJIY57XP9n72n05nXvrSDMSuEi7fAHTgX0B80yAZywVSQgtBs/IPrkhV5ih16Py6CC5kf3mQBviITgBdgScvTi0FxAfpDRPNVTHrCCmvPGy4XG5d01YAkZh1OwIaZ/M01GspinBgVLVpH5wdPUnwYIOMHNk956KWQmDCU2TLWQv/kM2e898XIk0cmQ8PTUukOwP46Qjx1n9ZkRMoxvtwd6bAJMAw==",
+  "expiresOn": 1773667833000
 }

package/README.md

@@ -161,6 +161,13 @@ As I mentioned earlier, to take this further, I'm going to need a lot of help to
 
 ## <img src="./logo.png" alt="gas-fakes logo" width="50" align="top"> Further Reading
 
+## Watch the video
+
+[![Watch the video](introvideo.png)](https://youtu.be/oEjpIrkYpEM)
+
+## Read more docs
+
+- [gas fakes intro video](https://youtu.be/oEjpIrkYpEM)
 - [getting started](GETTING_STARTED.md) - how to handle authentication for restricted scopes.
 - [readme](README.md)
 - [gas fakes cli](gas-fakes-cli.md)

package/package.json

@@ -26,12 +26,6 @@
     "unzipper": "^0.12.3",
     "zod": "^4.3.6"
   },
-  "overrides": {
-    "glob": "^13.0.0",
-    "rimraf": "^6.1.3",
-    "minimatch": "^10.2.1",
-    "node-domexception": "^1.0.0"
-  },
   "type": "module",
   "scripts": {
     "pub": "npm publish --access public",
@@ -41,7 +35,7 @@
   },
   "name": "@mcpher/gas-fakes",
   "author": "bruce mcpherson",
-  "version": "2.2.3",
+  "version": "2.2.4",
   "license": "MIT",
   "main": "main.js",
   "description": "An implementation of the Google Workspace Apps Script runtime: Run native App Script Code on Node and Cloud Run",

package/src/cli/app.js

@@ -10,6 +10,7 @@ import {
   enableGoogleAPIs,
 } from "./setup.js";
 import { startMcpServer } from "./mcp.js";
+import { Platforms, PlatformDefaults } from "../services/enums/platformenums.js";
 
 export async function main() {
   const program = new Command();
@@ -121,11 +122,12 @@ export async function main() {
     });
 
   // --- Setup Commands ---
+  const validPlatforms = Object.values(Platforms).join(", ");
   program
     .command("init")
     .description("Initializes the configuration (.env).")
     .option("-e, --env <path>", "Path to a custom .env file.")
-    .option("-b, --backends <string...>", "List of backends to initialize (google, ksuite).", ["google"])
+    .option("-b, --backends <string...>", `List of backends to initialize (${validPlatforms}).`, [PlatformDefaults.DEFAULT])
     .addOption(
       new Option(
         "--at,--auth-type <string>",
@@ -139,7 +141,7 @@ export async function main() {
   program
     .command("auth")
     .description("Runs the authentication flow for a backend.")
-    .option("-b, --backend <string>", "Backend to authenticate (google, ksuite).", "google")
+    .option("-b, --backend <string>", `Backend to authenticate (${validPlatforms}). Defaults to configured platforms.`)
     .action(authenticateUser);
 
   program

package/src/cli/setup.js

@@ -7,6 +7,7 @@ import { randomUUID } from "node:crypto";
 import { execSync } from "child_process";
 import { checkForGcloudCli, checkForAzCli, runCommandSync } from "./utils.js";
 import { getMsGraphToken, mapGasScopesToMsGraph } from "../support/msgraph/msauth.js";
+import { Platforms, PlatformDefaults } from "../services/enums/platformenums.js";
 
 // --- Utility Functions ---
 

package/src/services/driveapp/fakedrivemeta.js

@@ -32,6 +32,32 @@ export class FakeDriveMeta {
   constructor(meta) {
     this.meta = meta
     this.__gas_fake_service = "DriveApp"
+    // The resource platform takes precedence over ScriptApp.__platform.
+    // ScriptApp.__platform is only used to determine the backend for new resources.
+    this.platform = ScriptApp.__platform || "google"
+  }
+
+  /**
+   * Internal helper to get the platform ID.
+   * @returns {string} The platform ID.
+   */
+  __getPlatform() {
+    return this.platform
+  }
+
+  /**
+   * Execute a function within the context of this resource's platform.
+   * This ensures the correct backend is used regardless of the global ScriptApp.__platform setting.
+   * @param {function} fn 
+   */
+  __withPlatform(fn) {
+    const currentPlatform = ScriptApp.__platform;
+    try {
+      ScriptApp.__platform = this.platform;
+      return fn();
+    } finally {
+      ScriptApp.__platform = currentPlatform;
+    }
   }
 
   __preventRootDamage = (operation) => {
@@ -62,7 +88,7 @@ export class FakeDriveMeta {
       return this
     }
 
-    const newMeta = Drive.Files.get(this.getId(), { fields }, { allow404: false })
+    const newMeta = this.__withPlatform(() => Drive.Files.get(this.getId(), { fields }, { allow404: false }))
     // need to merge this with already known fields
     this.meta = { ...this.meta, ...newMeta }
     improveFileCache(this.getId(), this.meta, fields)
@@ -103,7 +129,7 @@ export class FakeDriveMeta {
     const file = {}
     file[prop] = value
 
-    const data = Drive.Files.update(file, this.getId(), null, prop)
+    const data = this.__withPlatform(() => Drive.Files.update(file, this.getId(), null, prop))
     this.meta = { ...this.meta, ...data }
     improveFileCache(this.getId(), data)
 
@@ -232,7 +258,7 @@ export class FakeDriveMeta {
     }
 
     // need to make sure we get the new parents field back to improve cache with
-    const data = Drive.Files.update({}, this.getId(), null, "parents", params)
+    const data = this.__withPlatform(() => Drive.Files.update({}, this.getId(), null, "parents", params))
 
     // merge this with already known fields and improve cache   
     this.meta = { ...this.meta, ...data }
@@ -294,10 +320,10 @@ export class FakeDriveMeta {
       allowFileDiscovery = (access === Access.DOMAIN);
     } else if (access === Access.PRIVATE) {
       // For PRIVATE, we typically remove any 'anyone' or 'domain' permissions.
-      const { permissions } = Drive.Permissions.list(this.getId());
+      const { permissions } = this.__withPlatform(() => Drive.Permissions.list(this.getId()));
       permissions.forEach(p => {
         if (p.type === 'anyone' || p.type === 'domain') {
-          Drive.Permissions.delete(this.getId(), p.id);
+          this.__withPlatform(() => Drive.Permissions.delete(this.getId(), p.id));
         }
       });
       return this;
@@ -315,9 +341,9 @@ export class FakeDriveMeta {
     }
 
     // 3. Find existing permission of this type or create new
-    const { permissions } = Drive.Permissions.list(this.getId(), {
+    const { permissions } = this.__withPlatform(() => Drive.Permissions.list(this.getId(), {
       fields: "permissions(id,role,type,allowFileDiscovery,domain)"
-    });
+    }));
     const existing = permissions.find(p => p.type === type);
 
     if (existing) {
@@ -327,18 +353,18 @@ export class FakeDriveMeta {
         (type === 'domain' && existing.domain !== domain);
 
       if (identityChanged) {
-        Drive.Permissions.delete(this.getId(), existing.id);
+        this.__withPlatform(() => Drive.Permissions.delete(this.getId(), existing.id));
         const resource = { role, type, allowFileDiscovery };
         if (type === 'domain') resource.domain = domain;
-        Drive.Permissions.create(resource, this.getId());
+        this.__withPlatform(() => Drive.Permissions.create(resource, this.getId()));
       } else {
         // Only role is writable in update
-        Drive.Permissions.update({ role }, this.getId(), existing.id);
+        this.__withPlatform(() => Drive.Permissions.update({ role }, this.getId(), existing.id));
       }
     } else {
       const resource = { role, type, allowFileDiscovery };
       if (type === 'domain') resource.domain = Session.getActiveUser().getDomain();
-      Drive.Permissions.create(resource, this.getId());
+      this.__withPlatform(() => Drive.Permissions.create(resource, this.getId()));
     }
 
     improveFileCache(this.getId(), null);
@@ -379,18 +405,18 @@ export class FakeDriveMeta {
       // In Apps Script, this is not atomic. It just loops.
       emailAddresses.forEach(emailAddress => {
         const resource = { role, type: 'user', emailAddress };
-        Drive.Permissions.create(resource, this.getId());
+        this.__withPlatform(() => Drive.Permissions.create(resource, this.getId()));
       });
     } else {
       // To remove, we need to find the permission ID for each email.
-      const { permissions } = Drive.Permissions.list(this.getId(), {
+      const { permissions } = this.__withPlatform(() => Drive.Permissions.list(this.getId(), {
         fields: 'permissions(id,role,emailAddress)'
-      });
+      }));
 
       emailAddresses.forEach(emailAddress => {
         const permission = permissions.find(p => p.emailAddress === emailAddress && p.role === role);
         if (permission) {
-          Drive.Permissions.delete(this.getId(), permission.id);
+          this.__withPlatform(() => Drive.Permissions.delete(this.getId(), permission.id));
         }
         // Apps Script doesn't throw an error if the user isn't found.
       });

package/src/services/enums/platformenums.js

@@ -0,0 +1,9 @@
+export const Platforms = {
+  GOOGLE: 'google',
+  KSUITE: 'ksuite',
+  MSGRAPH: 'msgraph'
+};
+
+export const PlatformDefaults = {
+  DEFAULT: Platforms.GOOGLE
+};

package/src/services/libhandlerapp/fakelibrary.js

@@ -35,10 +35,17 @@ class FakeLibrary {
   get libContent() {
     if (!this.__libContent) {
       this.__allowSandboxAccess();
-      const data = Drive.Files.export(
-        this.libraryId,
-        'application/vnd.google-apps.script+json',
-      );
+      const currentPlatform = ScriptApp.__platform;
+      let data;
+      try {
+        ScriptApp.__platform = 'google';
+        data = Drive.Files.export(
+          this.libraryId,
+          'application/vnd.google-apps.script+json',
+        );
+      } finally {
+        ScriptApp.__platform = currentPlatform;
+      }
       if (!data) {
         throw new Error(`Library ${this.libraryId} not found`);
       }

package/src/services/scriptapp/app.js

@@ -160,7 +160,7 @@ if (typeof globalThis[name] === typeof undefined) {
           return Auth.getScriptId()
         },
         get __platform() {
-          return Auth.getPlatform()
+          return Auth.getPlatform() || 'google'
         },
         set __platform(value) {
           Auth.setPlatform(value)

package/src/services/scriptapp/behavior.js

@@ -251,13 +251,13 @@ class FakeBehavior {
     // this is a set of all the files this instance of gas-fakes has created
     // the idea is that we can use this to clean up after tests or to emulate drive.file scope
     // key is the file id
-    this.__createdIds = new Set();
-    this.__createdGmailIds = new Set();
-    this.__createdCalendarIds = new Set();
+    this.__createdIds = new Map();
+    this.__createdGmailIds = new Map();
+    this.__createdCalendarIds = new Map();
     // Specifically for sandbox mode - files created when sandbox mode is on
-    this.__allowedIds = new Set();
-    this.__allowedGmailIds = new Set();
-    this.__allowedCalendarIds = new Set();
+    this.__allowedIds = new Map();
+    this.__allowedGmailIds = new Map();
+    this.__allowedCalendarIds = new Map();
     // in sandbox mode we only allow access to files created in this instance
     // this is to emulate the behavior of a drive.file scope
     this.__sandboxMode = false;
@@ -406,40 +406,75 @@ class FakeBehavior {
     if (isRootId) return id;
 
     if (this.sandboxMode || force) {
-      this.__createdIds.add(id);
-      if (!this.__allowedIds.has(id)) {
-        slogger.log(`...adding file ${id} to sandbox allowed list`);
-        this.__allowedIds.add(id);
-      }
+      const platform = ScriptApp.__platform;
+      this.__createdIds.set(id, platform);
+      this.whitelistFile(id);
     }
     return id
   }
+  
+  whitelistFile(id) {
+    if (!is.nonEmptyString(id)) {
+      throw new Error(`Invalid sandbox id parameter (${id}) - must be a non-empty string`);
+    }
+    const isRootId = id === 'root' || (globalThis.DriveApp?.getRootFolder()?.getId() === id);
+    if (isRootId) return id;
+
+    const platform = ScriptApp.__platform;
+    if (!this.__allowedIds.has(id)) {
+      slogger.log(`...whitelisting file ${id} on ${platform}`);
+      this.__allowedIds.set(id, platform);
+    }
+    return id;
+  }
+
   addGmailId(id, force = false) {
     if (!is.nonEmptyString(id)) {
       throw new Error(`Invalid sandbox id parameter (${id}) - must be a non-empty string`);
     }
     if (this.sandboxMode || force) {
-      this.__createdGmailIds.add(id);
-      if (!this.__allowedGmailIds.has(id)) {
-        slogger.log(`...adding gmail id ${id} to sandbox allowed list`);
-        this.__allowedGmailIds.add(id);
-      }
+      const platform = ScriptApp.__platform;
+      this.__createdGmailIds.set(id, platform);
+      this.whitelistGmailId(id);
     }
     return id
   }
+  
+  whitelistGmailId(id) {
+    if (!is.nonEmptyString(id)) {
+      throw new Error(`Invalid sandbox id parameter (${id}) - must be a non-empty string`);
+    }
+    const platform = ScriptApp.__platform;
+    if (!this.__allowedGmailIds.has(id)) {
+      slogger.log(`...whitelisting gmail id ${id} on ${platform}`);
+      this.__allowedGmailIds.set(id, platform);
+    }
+    return id;
+  }
+
   addCalendarId(id, force = false) {
     if (!is.nonEmptyString(id)) {
       throw new Error(`Invalid sandbox id parameter (${id}) - must be a non-empty string`);
     }
     if (this.sandboxMode || force) {
-      this.__createdCalendarIds.add(id);
-      if (!this.__allowedCalendarIds.has(id)) {
-        slogger.log(`...adding calendar id ${id} to sandbox allowed list`);
-        this.__allowedCalendarIds.add(id);
-      }
+      const platform = ScriptApp.__platform;
+      this.__createdCalendarIds.set(id, platform);
+      this.whitelistCalendarId(id);
     }
     return id
   }
+  
+  whitelistCalendarId(id) {
+    if (!is.nonEmptyString(id)) {
+      throw new Error(`Invalid sandbox id parameter (${id}) - must be a non-empty string`);
+    }
+    const platform = ScriptApp.__platform;
+    if (!this.__allowedCalendarIds.has(id)) {
+      slogger.log(`...whitelisting calendar id ${id} on ${platform}`);
+      this.__allowedCalendarIds.set(id, platform);
+    }
+    return id;
+  }
   isAccessible(id, serviceName, accessType = 'read') {
     if (!is.nonEmptyString(id)) {
       throw new Error(`API call to ${serviceName} failed with error: Invalid argument: id`);
@@ -528,21 +563,24 @@ class FakeBehavior {
   trash() {
     let trashed = [];
     const wasSandbox = this.sandboxMode;
+    const currentPlatform = ScriptApp.__platform;
     this.sandboxMode = false;
     try {
       // Drive cleanup
       if (this.__cleanup) {
         const rootId = DriveApp.getRootFolder().getId();
-        trashed = Array.from(this.__createdIds).reduce((acc, id) => {
+        trashed = Array.from(this.__createdIds.entries()).reduce((acc, [id, platform]) => {
           if (id === rootId) {
             slogger.log(`...skipping trashing of root folder`);
             return acc;
           }
           let d = null
           try {
+            ScriptApp.__platform = platform;
             d = DriveApp.getFileById(id)
           } catch (e) {
             try {
+              ScriptApp.__platform = platform;
               d = DriveApp.getFolderById(id)
             } catch (ee) {
               // Ignore if not found
@@ -550,10 +588,11 @@ class FakeBehavior {
           }
           if (d && d.getId() !== rootId) {
             try {
+              ScriptApp.__platform = platform;
               d.setTrashed(true);
               const name = d.getName();
               const logLabel = name ? `${name} (${id})` : id;
-              slogger.log(`...trashed file ${logLabel}`);
+              slogger.log(`...trashed file ${logLabel} on ${platform}`);
               acc.push(id);
             } catch (e) {
               slogger.error(`...failed to trash file ${id}: ${e.message}`);
@@ -573,8 +612,9 @@ class FakeBehavior {
       const gmailCleanup = gmailSettings && gmailSettings.cleanup; // This will return true/false (inherits or specific)
 
       if (gmailCleanup) {
-        trashedGmail = Array.from(this.__createdGmailIds).reduce((acc, id) => {
+        trashedGmail = Array.from(this.__createdGmailIds.entries()).reduce((acc, [id, platform]) => {
           try {
+            ScriptApp.__platform = platform;
             // Try as label
             Gmail.Users.Labels.remove('me', id);
             slogger.log(`...deleted gmail label ${id}`);
@@ -583,6 +623,7 @@ class FakeBehavior {
           } catch (e) { /* not a label or failed */ }
 
           try {
+            ScriptApp.__platform = platform;
             // Try as thread - move to trash
             Gmail.Users.Threads.trash('me', id);
             slogger.log(`...trashed gmail thread ${id}`);
@@ -591,6 +632,7 @@ class FakeBehavior {
           } catch (e) { /* not a thread */ }
 
           try {
+            ScriptApp.__platform = platform;
             Gmail.Users.Messages.trash('me', id);
             slogger.log(`...trashed gmail message ${id}`);
             acc.push(id);
@@ -611,8 +653,9 @@ class FakeBehavior {
       const calendarCleanup = calendarSettings && calendarSettings.cleanup;
 
       if (calendarCleanup) {
-        trashedCalendars = Array.from(this.__createdCalendarIds).reduce((acc, id) => {
+        trashedCalendars = Array.from(this.__createdCalendarIds.entries()).reduce((acc, [id, platform]) => {
           try {
+            ScriptApp.__platform = platform;
             // Delete calendar
             Calendar.Calendars.delete(id, { noLog404: true });
             slogger.log(`...deleted calendar ${id}`);
@@ -631,6 +674,7 @@ class FakeBehavior {
       slogger.log(`...trashed ${trashed.length} sandboxed files, ${trashedGmail.length} gmail items, and ${trashedCalendars.length} calendars`);
     } finally {
       this.sandboxMode = wasSandbox;
+      ScriptApp.__platform = currentPlatform;
     }
     return trashed;
   }

package/src/support/auth.js

@@ -6,9 +6,8 @@ import { clearFileCache } from "./filecache.js";
 
 // Multi-identity storage
 export const _identities = new Map();
-// Default to the first authorized platform if specified in environment
-// Default to the first authorized platform if specified in environment
-let _platform = process.env.GF_PLATFORM_AUTH ? process.env.GF_PLATFORM_AUTH.split(',')[0] : 'google';
+// Prefer 'google' as the default platform if it is authorized in the environment
+let _platform = process.env.GF_PLATFORM_AUTH ? (process.env.GF_PLATFORM_AUTH.includes('google') ? 'google' : process.env.GF_PLATFORM_AUTH.split(',')[0]) : 'google';
 let _manifest = null;
 let _clasp = null;
 let _settings = null;

package/src/support/msgraph/msauth.js

@@ -7,6 +7,7 @@ import { readFile, writeFile } from 'fs/promises';
 import { existsSync } from 'fs';
 import path from 'path';
 import { chmodSync } from 'fs';
+import got from 'got';
 
 const TOKEN_CACHE_FILE = path.join(process.cwd(), '.msgraph-token.json');
 
@@ -71,6 +72,11 @@ export function mapGasScopesToMsGraph(gasScopes = []) {
   return Array.from(msScopes);
 }
 
+async function isGcpEnv() {
+  if (process.env.K_SERVICE || process.env.FUNCTION_NAME) return true;
+  return false;
+}
+
 /**
  * Gets a Microsoft Graph token.
  */
@@ -78,13 +84,9 @@ export async function getMsGraphToken(scopes = ['User.Read']) {
   const envTenant = process.env.MS_GRAPH_TENANT_ID || 'common';
   const clientId = process.env.MS_GRAPH_CLIENT_ID;
   const clientSecret = process.env.MS_GRAPH_CLIENT_SECRET;
+  const msAuthType = process.env.MS_AUTH_TYPE;
 
-  // No local token caching - strictly "Keyless"
-
-  // Ensure no duplicate or empty scopes
   const uniqueScopes = Array.from(new Set(scopes)).filter(s => s);
-
-  // Format for MS Graph: core scopes are as are, resource scopes with full URL prefix
   const msScopes = uniqueScopes.map(s => {
     const core = ['openid', 'profile', 'email', 'offline_access'];
     if (core.some(c => s.startsWith(c))) return s;
@@ -92,17 +94,63 @@ export async function getMsGraphToken(scopes = ['User.Read']) {
     return `https://graph.microsoft.com/${s.startsWith('/') ? s.slice(1) : s}`;
   });
 
-  // Check local cache first
-  const cachedToken = await loadTokenCache();
-  if (cachedToken) {
-    syncLog('...retrieved MS Graph token via local file cache');
-    return cachedToken;
+  // Federated/WIF bypasses cache to ensure fresh identity exchange
+  if (msAuthType !== 'federated') {
+    const cachedToken = await loadTokenCache();
+    if (cachedToken) {
+      syncLog('...retrieved MS Graph token via local file cache');
+      return cachedToken;
+    }
   }
 
   try {
-    // 1. Service Principal (if configured) - "Keyless" for Business
+    // 1. Federated Flow (WIF) - For Cloud Run/GKE only
+    if (msAuthType === 'federated') {
+      const isGcp = await isGcpEnv();
+      if (isGcp) {
+        try {
+          syncLog('...initiating MS Graph Federated Identity (WIF) exchange (GCP)');
+          const audience = clientId || 'api://AzureADTokenExchange';
+          const metadataUrl = `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=${audience}`;
+          
+          const googleTokenResponse = await got(metadataUrl, {
+            headers: { 'Metadata-Flavor': 'Google' },
+            timeout: { request: 2000 },
+            retry: { limit: 0 }
+          });
+          const googleIdToken = googleTokenResponse.body;
+
+          // Note: Personal apps registered in 'consumers' typically do not support WIF.
+          // This flow expects an App Registration in a Work/School tenant.
+          const tenant = (envTenant && envTenant !== 'common' && envTenant !== 'consumers') ? envTenant : 'organizations';
+          const msTokenUrl = `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
+
+          const form = {
+            client_id: clientId,
+            grant_type: 'client_credentials',
+            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+            client_assertion: googleIdToken,
+            scope: 'https://graph.microsoft.com/.default'
+          };
+
+          const msTokenResponse = await got.post(msTokenUrl, { form, timeout: { request: 5000 } }).json();
+          const token = msTokenResponse.access_token;
+          const expiresOn = new Date(Date.now() + (msTokenResponse.expires_in * 1000)).toISOString();
+
+          syncLog('...retrieved MS Graph token via Federated Identity (WIF)');
+          await saveTokenCache(token, expiresOn);
+          return token;
+        } catch (wifErr) {
+          syncLog(`...MS WIF exchange failed: ${wifErr.message}`);
+        }
+      } else {
+        syncLog('...skipping Federated Identity (Local environment)');
+      }
+    }
+
+    // 2. Service Principal
     if (clientId && clientSecret) {
-      const tenantId = envTenant === 'common' || envTenant === 'consumers' ? 'organizations' : envTenant;
+      const tenantId = (envTenant === 'common' || envTenant === 'consumers') ? 'organizations' : envTenant;
       const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
       const tokenResponse = await credential.getToken(msScopes);
       syncLog('...retrieved MS Graph token via Client Secret (Service Principal)');
@@ -110,64 +158,62 @@ export async function getMsGraphToken(scopes = ['User.Read']) {
       return tokenResponse.token;
     }
 
-    // 2. Azure CLI Direct Exec (Silent flow - OS level "Keyless")
+    // 3. Azure CLI Direct Exec (Silent) - Primary Local "Keyless" Path
     const isAuthFlow = process.env.GF_AUTH_FLOW === 'true';
-    const targetTenant = envTenant === 'common' ? 'consumers' : envTenant;
-    const scopeArg = msScopes.join(' ');
-
-    if (!isAuthFlow) {
-      // Revert to strictly tenant-aware fallback to avoid picking up business/EXT sessions.
-      const tenantArg = targetTenant ? `--tenant "${targetTenant}" ` : '';
-      const clientArg = clientId ? `--client-id "${clientId}" ` : '';
+    if (!isAuthFlow && !clientId) {
+      const tenantArg = (envTenant && envTenant !== 'common' && envTenant !== 'consumers') ? `--tenant "${envTenant}" ` : '';
 
       try {
-        // Strategy 1: Custom Client ID + Tenant
-        const cmd = `az account get-access-token --resource-type ms-graph ${tenantArg}${clientArg}--scope "https://graph.microsoft.com/.default" --output json`;
+        const cmd = `az account get-access-token --resource-type ms-graph ${tenantArg}--output json`;
         const stdout = execSync(cmd, { encoding: 'utf-8', stdio: ['ignore', 'pipe', 'ignore'], shell: true });
         const res = JSON.parse(stdout);
         const token = res.accessToken;
         if (token && (token.match(/\./g) || []).length >= 2) {
           syncLog('...retrieved valid MS Graph token via Azure CLI (silent)');
-          // az returns expiresOn in a format new Date() can parse
           await saveTokenCache(token, res.expiresOn);
           return token;
         }
       } catch (e) {
-        try {
-          // Strategy 2: First-party + Tenant (Magic bullet for SPO license fix)
-          const fallbackCmd = `az account get-access-token --resource-type ms-graph ${tenantArg}--scope "https://graph.microsoft.com/.default" --output json`;
-          const stdout = execSync(fallbackCmd, { encoding: 'utf-8', stdio: ['ignore', 'pipe', 'ignore'], shell: true });
-          const res = JSON.parse(stdout);
-          const token = res.accessToken;
-          if (token && (token.match(/\./g) || []).length >= 2) {
-            syncLog(`...retrieved valid MS Graph token via Azure CLI (first-party ${targetTenant} fallback)`);
-            await saveTokenCache(token, res.expiresOn);
-            return token;
-          }
-        } catch (ee) {
-          syncLog(`...silent CLI fallback failed: ${ee.message}`);
-        }
+        syncLog(`...silent CLI fallback failed: ${e.message}`);
       }
     }
 
-    // 3. Auth Flow - Interactive Fallback
-
-    // If we're not in the dedicated auth flow, we still attempt interactive fallback
-    // if silent login failed, as requested by the user for "asynchronous" operations in the worker.
-    if (!isAuthFlow) {
+    // 4. Interactive Fallback
+    if (!isAuthFlow && !clientId) {
       console.log(`...silent CLI login failed. Falling back to interactive SDK login in the worker...`);
+    } else if (!isAuthFlow && clientId) {
+      console.log(`...using custom MS_GRAPH_CLIENT_ID. Bypassing Azure CLI for Interactive SDK login...`);
     }
 
-    // Interactive login for setup or runtime fallback
-    const credential = new InteractiveBrowserCredential({
+    // Try silent refresh first, then interactive if required
+    let promptBehavior = isAuthFlow ? 'select_account' : 'none';
+    const credentialSilent = new InteractiveBrowserCredential({
       tenantId: envTenant === 'common' ? 'consumers' : envTenant,
       clientId,
-      prompt: 'select_account consent'
+      prompt: promptBehavior
     });
-    const tokenResponse = await credential.getToken(msScopes);
-    syncLog('...retrieved MS Graph token via interactive login');
-    await saveTokenCache(tokenResponse.token, tokenResponse.expiresOnTimestamp);
-    return tokenResponse.token;
+
+    try {
+      const tokenResponse = await credentialSilent.getToken(msScopes);
+      syncLog(`...retrieved MS Graph token via interactive login (prompt: ${promptBehavior})`);
+      await saveTokenCache(tokenResponse.token, tokenResponse.expiresOnTimestamp);
+      return tokenResponse.token;
+    } catch (silentErr) {
+       if (promptBehavior === 'none') {
+         console.log(`...silent refresh failed, prompting user...`);
+         const credentialInteractive = new InteractiveBrowserCredential({
+           tenantId: envTenant === 'common' ? 'consumers' : envTenant,
+           clientId,
+           prompt: 'select_account consent'
+         });
+         const tokenResponse = await credentialInteractive.getToken(msScopes);
+         syncLog('...retrieved MS Graph token via interactive login');
+         await saveTokenCache(tokenResponse.token, tokenResponse.expiresOnTimestamp);
+         return tokenResponse.token;
+       } else {
+         throw silentErr;
+       }
+    }
 
   } catch (err) {
     throw new Error(`MS Graph Auth failed. Error: ${err.message}`);
@@ -175,6 +221,5 @@ export async function getMsGraphToken(scopes = ['User.Read']) {
 }
 
 function syncLog(msg) {
-  // Use worker sync log if available, otherwise console
   console.log(msg);
 }

package/src/support/msgraph/onedrive.js

@@ -205,7 +205,8 @@ export class OneDrive {
 
     const response = await this._request('PATCH', `${this.userPath}/drive/items/${fileId}`, {
       json: {
-        parentReference: { id: destId }
+        parentReference: { id: destId },
+        "@microsoft.graph.conflictBehavior": "replace"
       }
     });
     return this.translateFile(response.body);

package/src/support/syncit.js

@@ -324,8 +324,9 @@ export const fxInit = ({
   const currentPlatform = Auth.getPlatform();
   if (currentPlatform === 'google' || !currentPlatform) {
     const initialPlatforms = platformAuth || global.ScriptApp?.__platformAuth || ['google'];
-    const firstPlatform = initialPlatforms[0];
-    Auth.setPlatform(firstPlatform);
+    // Prefer google if available in authorized platforms, otherwise use the first available.
+    const defaultPlatform = initialPlatforms.includes('google') ? 'google' : initialPlatforms[0];
+    Auth.setPlatform(defaultPlatform);
   }
 
   return synced;