@prbartosh/poczta-mcp 0.1.0

package/.env.example

@@ -0,0 +1,19 @@
+# Sekrety. Skopiuj do .env i uzupelnij. NIE commitowac (.env jest w .gitignore).
+# Nazwy zmiennych musza zgadzac sie z *Env w config.json.
+
+# --- konto password (np. AGH, firmowe IMAP) ---
+AGH_APP_PASS=app-password-z-panelu-webmail
+
+# --- Gmail app-password (najprostsze, wymaga 2FA; provider=generic/password) ---
+# GMAIL_PASSWORD=
+
+# --- Gmail OAuth2 (alternatywa) ---
+GMAIL_CLIENT_SECRET=
+GMAIL_REFRESH_TOKEN=
+
+# --- Microsoft 365 OAuth2 ---
+FIRMA_CLIENT_SECRET=
+FIRMA_REFRESH_TOKEN=
+
+# --- kanal digestu: webhook (opcjonalnie) ---
+# DIGEST_WEBHOOK_URL=

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 prbartosh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,141 @@
+# poczta-mcp
+
+> Pakiet npm: **`@prbartosh/poczta-mcp`**. Komendy: `npx -y @prbartosh/poczta-mcp <setup|install|server|doctor|digest|oauth>`. Binarka po globalnej instalacji nazywa sie `poczta-mcp`.
+
+Serwer MCP do obslugi wielu skrzynek pocztowych (IMAP/SMTP) z jednego miejsca, instalowany przez `npx`. Plus codzienny przeglad: agent zbiera nieprzeczytane, mowi co wazne i co wymaga akcji, dostarcza podsumowanie i oznacza jako przeczytane tylko maile bez akcji.
+
+Obsluga auth: zwykle haslo / app-password (AGH, firmowe IMAP), Gmail OAuth2, Microsoft 365 OAuth2 (basic auth IMAP w M365 jest wycofany, dlatego OAuth2).
+
+## Jak to dziala
+
+- `poczta-mcp` to lokalny serwer MCP (transport stdio). Wystawia tooly do poczty, sam z siebie nic nie robi cyklicznie.
+- Codzienny automat = **osobny scheduled agent** (`claude -p` z lokalnego crona) ktory uzywa tych tooli i skilla `daily-briefing`.
+- Wszystko lokalnie: config i hasla nie wychodza na zewnatrz. "Podglad zewszad" robi sie przez kanal digestu (mail do siebie / Slack), a nie przez hostowanie serwera.
+
+## Tooly
+
+| Tool | Opis |
+|---|---|
+| `list_accounts` | lista skonfigurowanych kont |
+| `get_unread` | nieprzeczytane; bez `account` ze WSZYSTKICH kont |
+| `get_email_body` | pelna tresc maila (account + uid) |
+| `search_emails` | szukanie po nadawcy/temacie/dacie |
+| `mark_as_read` | oznacz przeczytane (batch uid per konto) |
+| `send_email` | wyslij (tylko po potwierdzeniu; poza przegladem) |
+| `deliver_digest` | dostarcz podsumowanie kanalami z config |
+| `get_folders` | lista folderow IMAP konta |
+
+## Wymagania
+
+- Node >= 20.12
+- Claude Code CLI (do codziennego automatu) albo Claude Desktop (do recznego uzycia)
+
+## Instalacja i konfiguracja
+
+```bash
+npx poczta-mcp setup
+```
+
+Wizard pyta o konta i kanaly, zapisuje:
+- `config.json` — struktura (konta, hosty, porty, kanaly digestu). Bez sekretow, tylko NAZWY zmiennych env.
+- `.env` — sekrety (hasla, client secret, refresh token). W `.gitignore`.
+
+Ponowne `setup` wykrywa istniejacy `config.json` i wchodzi w **menu** (nie zaczyna od zera): dodaj konto / usun konto / zmien kanaly podsumowania / test polaczen / zapisz. Edycja jednego konta nie rusza sekretow pozostalych.
+
+Test polaczen:
+
+```bash
+npx poczta-mcp doctor        # sprawdza auth kazdego konta
+npx poczta-mcp digest        # surowy (bez AI) digest -> kanaly, do testu pipeline
+```
+
+Reczna edycja zamiast wizarda: skopiuj `config.example.json` -> `config.json` i `.env.example` -> `.env`.
+
+### Globalna instalacja + rejestracja w agencie
+
+```bash
+npx poczta-mcp install     # lub: node dist/index.js install
+```
+
+- Opcjonalnie `npm i -g` (komenda `poczta-mcp` globalnie). Jak odmowisz, wpis uzyje `node <abs sciezka>/dist/index.js`.
+- Rejestruje serwer MCP (multiselect) w:
+  - **Claude Code** — przez `claude mcp add poczta -s user` (fallback: `~/.claude.json`),
+  - **Claude Desktop** — `claude_desktop_config.json` (restart aplikacji),
+  - **Codex CLI** — `~/.codex/config.toml` (`[mcp_servers.poczta]`).
+- Wpis zawiera `POCZTA_MCP_CONFIG` i `POCZTA_MCP_ENV` (absolutne sciezki do Twojego config.json / .env), wiec dziala niezaleznie od katalogu.
+
+Po instalacji zrestartuj klienta i zapytaj agenta np. "co mam nieprzeczytane".
+
+### Sciezki config
+
+Domyslnie `./config.json` i `./.env` w katalogu uruchomienia. Nadpisanie:
+`POCZTA_MCP_CONFIG=/abs/config.json`, `POCZTA_MCP_ENV=/abs/.env`.
+
+## Auth per dostawca
+
+### Password / app-password (AGH, firmowe IMAP)
+W panelu webmail wygeneruj **app password** (AGH: Ustawienia -> Hasla do aplikacji). Wpisz do `.env` pod nazwa z `passwordEnv`.
+
+### Gmail — dwie drogi
+
+**A) App-password (najprostsze, jak email+haslo w Thunderbird).** Wymaga 2FA na koncie Google.
+1. myaccount.google.com -> Bezpieczenstwo -> wlacz weryfikacje 2-etapowa.
+2. Haslo do aplikacji (App passwords) -> Mail -> skopiuj 16 znakow.
+3. W Gmailu wlacz IMAP (Ustawienia -> Przekazywanie i POP/IMAP).
+4. W kreatorze wybierz Gmail -> "App-password". To NIE jest zwykle haslo konta.
+   (Uwaga: Thunderbird "tylko email+haslo" dziala bo ma wbudowany wlasny clientId i robi OAuth w tle. Tu odpowiednik bez clientId to app-password.)
+
+**B) OAuth2.** Kreator otwiera przegladarke i sam zlapie refresh token (loopback).
+1. Google Cloud Console -> projekt -> OAuth consent screen (Test user + scope `https://mail.google.com/`).
+2. Credentials -> OAuth client typu **Desktop app** -> masz `clientId` i `client secret`.
+3. Kreator (Gmail -> OAuth2) otworzy przegladarke, klikasz zgode, token laduje do `.env`.
+   Samodzielnie: `npx poczta-mcp oauth google`.
+
+### Microsoft 365 (OAuth2)
+Azure Portal -> Microsoft Entra ID -> App registrations -> New registration.
+- `tenantId`, `clientId` -> config.json; client secret -> `.env`.
+- Dwa tryby (`auth.flow` w config):
+  - `refresh` (delegowany): API permissions (delegated) `IMAP.AccessAsUser.All`, `SMTP.Send`, `offline_access`. W Authentication dodaj platforme "Mobile and desktop applications" z redirect `http://localhost:3000`. Kreator (M365 -> refresh) otworzy przegladarke i zlapie token. Samodzielnie: `npx poczta-mcp oauth microsoft`.
+  - `client_credentials` (app-only, bez uzytkownika, pod automat): permission **application** `IMAP.AccessAsUser.All` + zgoda admina, oraz per-skrzynka `New-ApplicationAccessPolicy` w Exchange Online PowerShell.
+- SMTP M365: host `smtp.office365.com`, port `587`, `secure:false` (STARTTLS).
+
+## Codzienny automat
+
+1. Skopiuj skilla do projektu:
+   ```bash
+   mkdir -p .claude/skills && cp -r skills/daily-briefing .claude/skills/daily-briefing
+   ```
+2. Skopiuj `.mcp.json.example` -> `.mcp.json`, uzupelnij sciezki do `config.json` i `.env`.
+3. Test recznie:
+   ```bash
+   claude -p "Wykonaj skill daily-briefing." --allowedTools "mcp__poczta__get_unread mcp__poczta__get_email_body mcp__poczta__mark_as_read mcp__poczta__deliver_digest mcp__poczta__list_accounts"
+   ```
+4. Cron: patrz `cron.example`.
+
+Regula oznaczania (w skillu): 🔴 wazne i 🟠 wymaga akcji zostaja **unread**; 🟡 warto wiedziec i ⚪ opcjonalne -> oznaczone przeczytane. `send_email` nie jest na liscie allowedTools przegladu.
+
+## Podglad w Claude Desktop (reczne uzycie)
+
+`~/Library/Application Support/Claude/claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "poczta": {
+      "command": "npx",
+      "args": ["-y", "poczta-mcp", "server"],
+      "env": { "POCZTA_MCP_CONFIG": "/abs/config.json", "POCZTA_MCP_ENV": "/abs/.env" }
+    }
+  }
+}
+```
+
+Pytaj np. "co mam nieprzeczytane na wszystkich kontach", "podsumuj poczte".
+
+## Bezpieczenstwo
+
+- `.env` i `config.json` w `.gitignore`. Sekrety tylko w `.env`.
+- Serwer lokalny (stdio). Brak wystawiania po sieci = brak zewnetrznej powierzchni ataku.
+- `send_email` poza przegladem i tylko po potwierdzeniu tresci.
+
+Stary jednoplikowy serwer Python jest w `legacy/`.

package/config.example.json

@@ -0,0 +1,50 @@
+{
+  "accounts": [
+    {
+      "id": "agh",
+      "label": "AGH",
+      "email": "123456@student.agh.edu.pl",
+      "imap": { "host": "poczta.agh.edu.pl", "port": 993, "secure": true },
+      "smtp": { "host": "poczta.agh.edu.pl", "port": 465, "secure": true },
+      "auth": { "type": "password", "passwordEnv": "AGH_APP_PASS" }
+    },
+    {
+      "id": "gmail",
+      "label": "Gmail prywatny",
+      "email": "ktos@gmail.com",
+      "imap": { "host": "imap.gmail.com", "port": 993, "secure": true },
+      "smtp": { "host": "smtp.gmail.com", "port": 465, "secure": true },
+      "auth": {
+        "type": "oauth2",
+        "provider": "google",
+        "clientId": "xxxxx.apps.googleusercontent.com",
+        "clientSecretEnv": "GMAIL_CLIENT_SECRET",
+        "refreshTokenEnv": "GMAIL_REFRESH_TOKEN"
+      }
+    },
+    {
+      "id": "firma",
+      "label": "ERES M365",
+      "email": "ktos@eresholding.com",
+      "imap": { "host": "outlook.office365.com", "port": 993, "secure": true },
+      "smtp": { "host": "smtp.office365.com", "port": 587, "secure": false },
+      "auth": {
+        "type": "oauth2",
+        "provider": "microsoft",
+        "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+        "clientId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
+        "clientSecretEnv": "FIRMA_CLIENT_SECRET",
+        "flow": "refresh",
+        "refreshTokenEnv": "FIRMA_REFRESH_TOKEN"
+      }
+    }
+  ],
+  "digest": {
+    "timezone": "Europe/Warsaw",
+    "channels": [
+      { "type": "chat" },
+      { "type": "file", "path": "~/poczta-digest/{date}.md" },
+      { "type": "email", "to": "ja@eresholding.com", "fromAccount": "firma", "subject": "Przeglad poczty {date}" }
+    ]
+  }
+}

package/cron.example

@@ -0,0 +1,19 @@
+# Codzienny przeglad poczty — lokalny cron (run zostaje na tej maszynie, creds nie wychodza).
+# Edycja: crontab -e
+#
+# Wymaga:
+#   - zainstalowany Claude Code CLI (claude) i zalogowany
+#   - w katalogu projektu .mcp.json (skopiowany z .mcp.json.example, sciezki uzupelnione)
+#   - skill daily-briefing dostepny: skopiuj skills/daily-briefing do .claude/skills/daily-briefing
+#       cp -r skills/daily-briefing .claude/skills/daily-briefing
+#
+# Codziennie o 7:30:
+
+30 7 * * * cd /ABS/PATH/poczta-agh-mcp && /usr/local/bin/claude -p "Wykonaj skill daily-briefing: codzienny przeglad nieprzeczytanej poczty ze wszystkich kont." --allowedTools "mcp__poczta__get_unread mcp__poczta__get_email_body mcp__poczta__mark_as_read mcp__poczta__deliver_digest mcp__poczta__list_accounts" >> $HOME/poczta-digest/run.log 2>&1
+
+# Uwagi:
+#  - send_email celowo NIE jest na allowedTools (przeglad nigdy nie wysyla maili do ludzi).
+#  - 'which claude' poda wlasciwa sciezke do binarki, podmien /usr/local/bin/claude.
+#  - Podglad zewszad: ustaw w config.json kanal digestu 'email' lub 'webhook' (Slack),
+#    wtedy podsumowanie laduje tam gdzie czytasz, a MCP/.env zostaja lokalnie.
+#  - Maszyna musi byc wlaczona o tej godzinie. Dla automatu 24/7 odpal cron na serwerze IT.

package/dist/auth/google.js

@@ -0,0 +1,29 @@
+import { requireEnv } from "../config.js";
+const TOKEN_URL = "https://oauth2.googleapis.com/token";
+/**
+ * Exchange a long-lived refresh token for a short-lived access token.
+ *
+ * Prereqs (one-time, done in setup):
+ *   - Google Cloud project, OAuth client of type "Desktop app".
+ *   - Consent with scope https://mail.google.com/ to obtain a refresh token.
+ *   - The Gmail account must allow IMAP (Settings -> Forwarding and POP/IMAP).
+ */
+export async function getGoogleAccessToken(acc) {
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: acc.clientId,
+        client_secret: requireEnv(acc.clientSecretEnv),
+        refresh_token: requireEnv(acc.refreshTokenEnv),
+    });
+    const res = await fetch(TOKEN_URL, {
+        method: "POST",
+        headers: { "content-type": "application/x-www-form-urlencoded" },
+        body,
+    });
+    const json = (await res.json());
+    if (!res.ok || !json.access_token) {
+        throw new Error(`Google token refresh failed (${res.status}): ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+    }
+    return { accessToken: json.access_token, expiresInSec: json.expires_in ?? 3600 };
+}
+//# sourceMappingURL=google.js.map

package/dist/auth/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../src/auth/google.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,MAAM,SAAS,GAAG,qCAAqC,CAAC;AAExD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,GAAqD;IAErD,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,GAAG,CAAC,QAAQ;QACvB,aAAa,EAAE,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC;QAC9C,aAAa,EAAE,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC;KAC/C,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAK7B,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,CAAC,MAAM,MAAM,IAAI,CAAC,KAAK,IAAI,EAAE,IAAI,IAAI,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAC1G,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;AACnF,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,31 @@
+import { requireEnv } from "../config.js";
+import { getGoogleAccessToken } from "./google.js";
+import { getMicrosoftAccessToken } from "./microsoft.js";
+const tokenCache = new Map();
+// Refresh a bit before actual expiry to avoid races on long-running ops.
+const SKEW_MS = 60_000;
+function nowMs() {
+    // Date.now is allowed in the running server/CLI (only workflow scripts forbid it).
+    return Date.now();
+}
+async function accessTokenFor(acc) {
+    const cached = tokenCache.get(acc.id);
+    if (cached && cached.expiresAtMs - SKEW_MS > nowMs())
+        return cached.accessToken;
+    if (acc.auth.type !== "oauth2")
+        throw new Error("accessTokenFor called on non-oauth account");
+    const { accessToken, expiresInSec } = acc.auth.provider === "google"
+        ? await getGoogleAccessToken(acc.auth)
+        : await getMicrosoftAccessToken(acc.auth);
+    tokenCache.set(acc.id, { accessToken, expiresAtMs: nowMs() + expiresInSec * 1000 });
+    return accessToken;
+}
+/** Resolve credentials for an account, refreshing/caching OAuth tokens as needed. */
+export async function resolveCreds(acc) {
+    if (acc.auth.type === "password") {
+        return { kind: "password", user: acc.email, pass: requireEnv(acc.auth.passwordEnv) };
+    }
+    const accessToken = await accessTokenFor(acc);
+    return { kind: "oauth2", user: acc.email, accessToken };
+}
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAQzD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEjD,yEAAyE;AACzE,MAAM,OAAO,GAAG,MAAM,CAAC;AAEvB,SAAS,KAAK;IACZ,mFAAmF;IACnF,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,GAAY;IACxC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACtC,IAAI,MAAM,IAAI,MAAM,CAAC,WAAW,GAAG,OAAO,GAAG,KAAK,EAAE;QAAE,OAAO,MAAM,CAAC,WAAW,CAAC;IAEhF,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAE9F,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GACjC,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAC5B,CAAC,CAAC,MAAM,oBAAoB,CAAC,GAAG,CAAC,IAAI,CAAC;QACtC,CAAC,CAAC,MAAM,uBAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAE9C,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,YAAY,GAAG,IAAI,EAAE,CAAC,CAAC;IACpF,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,qFAAqF;AACrF,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAY;IAC7C,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACjC,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;IACvF,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC;AAC1D,CAAC"}

package/dist/auth/microsoft.js

@@ -0,0 +1,44 @@
+import { requireEnv } from "../config.js";
+const OUTLOOK = "https://outlook.office365.com";
+/**
+ * Acquire an access token for Outlook/Microsoft 365 IMAP+SMTP.
+ *
+ * Two flows (set in config: auth.flow):
+ *
+ *  refresh (delegated): interactive consent once -> refresh token stored in .env.
+ *    scopes: IMAP.AccessAsUser.All, SMTP.Send, offline_access.
+ *
+ *  client_credentials (app-only, unattended): no user, no refresh token. Requires:
+ *    - Azure app with APPLICATION permission IMAP.AccessAsUser.All (admin consent), and
+ *    - per-mailbox grant: New-ApplicationAccessPolicy in Exchange Online PowerShell.
+ *    scope: https://outlook.office365.com/.default
+ *
+ * Note: Microsoft has retired IMAP/SMTP basic auth for most M365 tenants, so OAuth2 is the path.
+ */
+export async function getMicrosoftAccessToken(acc) {
+    const tokenUrl = `https://login.microsoftonline.com/${acc.tenantId}/oauth2/v2.0/token`;
+    const body = new URLSearchParams({
+        client_id: acc.clientId,
+        client_secret: requireEnv(acc.clientSecretEnv),
+    });
+    if (acc.flow === "client_credentials") {
+        body.set("grant_type", "client_credentials");
+        body.set("scope", `${OUTLOOK}/.default`);
+    }
+    else {
+        body.set("grant_type", "refresh_token");
+        body.set("refresh_token", requireEnv(acc.refreshTokenEnv));
+        body.set("scope", `${OUTLOOK}/IMAP.AccessAsUser.All ${OUTLOOK}/SMTP.Send offline_access`);
+    }
+    const res = await fetch(tokenUrl, {
+        method: "POST",
+        headers: { "content-type": "application/x-www-form-urlencoded" },
+        body,
+    });
+    const json = (await res.json());
+    if (!res.ok || !json.access_token) {
+        throw new Error(`Microsoft token (${acc.flow}) failed (${res.status}): ${json.error ?? ""} ${json.error_description ?? ""}`.trim());
+    }
+    return { accessToken: json.access_token, expiresInSec: json.expires_in ?? 3600 };
+}
+//# sourceMappingURL=microsoft.js.map

package/dist/auth/microsoft.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft.js","sourceRoot":"","sources":["../../src/auth/microsoft.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,MAAM,OAAO,GAAG,+BAA+B,CAAC;AAEhD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAwD;IAExD,MAAM,QAAQ,GAAG,qCAAqC,GAAG,CAAC,QAAQ,oBAAoB,CAAC;IAEvF,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,GAAG,CAAC,QAAQ;QACvB,aAAa,EAAE,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC;KAC/C,CAAC,CAAC;IAEH,IAAI,GAAG,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;QACtC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;QAC7C,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,OAAO,WAAW,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QACxC,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,GAAG,CAAC,eAAgB,CAAC,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,CACN,OAAO,EACP,GAAG,OAAO,0BAA0B,OAAO,2BAA2B,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAK7B,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,oBAAoB,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC,MAAM,MAAM,IAAI,CAAC,KAAK,IAAI,EAAE,IAAI,IAAI,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CACnH,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,IAAI,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;AACnF,CAAC"}

package/dist/config.js

@@ -0,0 +1,201 @@
+import { readFileSync, existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, isAbsolute, resolve } from "node:path";
+import { z } from "zod";
+/**
+ * Config model.
+ *
+ * Split of responsibilities:
+ *   - config.json  -> structure (accounts, hosts, ports, digest channels). Safe to read.
+ *   - .env         -> secrets only. config.json references env-var NAMES (fields ending *Env),
+ *                     never the secret value itself. Keeps secrets out of any committed/synced file.
+ */
+const endpoint = z.object({
+    host: z.string().min(1),
+    port: z.number().int().positive(),
+    secure: z.boolean().default(true), // true = implicit TLS (993/465); false = STARTTLS (143/587)
+});
+const passwordAuth = z.object({
+    type: z.literal("password"),
+    /** env var holding the password / app-password */
+    passwordEnv: z.string().min(1),
+});
+const googleAuth = z.object({
+    type: z.literal("oauth2"),
+    provider: z.literal("google"),
+    clientId: z.string().min(1),
+    clientSecretEnv: z.string().min(1),
+    refreshTokenEnv: z.string().min(1),
+});
+const microsoftAuth = z.object({
+    type: z.literal("oauth2"),
+    provider: z.literal("microsoft"),
+    tenantId: z.string().min(1),
+    clientId: z.string().min(1),
+    clientSecretEnv: z.string().min(1),
+    /**
+     * "refresh"            -> delegated, uses a stored refresh token (interactive once).
+     * "client_credentials" -> app-only, unattended. Requires Azure admin to grant the
+     *                         IMAP.AccessAsUser.All application permission AND a per-mailbox
+     *                         ApplicationAccessPolicy (New-ApplicationAccessPolicy).
+     */
+    flow: z.enum(["refresh", "client_credentials"]).default("refresh"),
+    refreshTokenEnv: z.string().optional(),
+});
+// Not a discriminatedUnion on "type": google and microsoft share type:"oauth2".
+// z.union resolves by trying each (provider literal disambiguates the oauth2 pair).
+const authSchema = z.union([passwordAuth, googleAuth, microsoftAuth]);
+const accountSchema = z
+    .object({
+    /** stable key used in every tool call (e.g. "agh", "gmail", "firma") */
+    id: z.string().min(1).regex(/^[a-z0-9_-]+$/i, "id: only letters, digits, _ and -"),
+    label: z.string().optional(),
+    email: z.string().email(),
+    imap: endpoint,
+    smtp: endpoint,
+    auth: authSchema,
+})
+    .superRefine((acc, ctx) => {
+    if (acc.auth.type === "oauth2" && acc.auth.provider === "microsoft") {
+        if (acc.auth.flow === "refresh" && !acc.auth.refreshTokenEnv) {
+            ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                message: "microsoft flow 'refresh' requires refreshTokenEnv",
+                path: ["auth", "refreshTokenEnv"],
+            });
+        }
+    }
+});
+const digestChannel = z.discriminatedUnion("type", [
+    z.object({ type: z.literal("chat") }),
+    z.object({
+        type: z.literal("file"),
+        /** {date} and {datetime} are substituted. ~ expands to home. */
+        path: z.string().min(1),
+    }),
+    z.object({
+        type: z.literal("email"),
+        to: z.string().email(),
+        /** id of the account used to send */
+        fromAccount: z.string().min(1),
+        subject: z.string().default("Codzienny przeglad poczty {date}"),
+    }),
+    z.object({
+        type: z.literal("webhook"),
+        /** env var holding the webhook URL (e.g. Slack/Teams incoming webhook) */
+        urlEnv: z.string().min(1),
+        /** "slack" -> {text}, "raw" -> {markdown,date} */
+        format: z.enum(["slack", "raw"]).default("raw"),
+    }),
+]);
+export const configSchema = z.object({
+    accounts: z.array(accountSchema).min(1, "at least one account"),
+    digest: z
+        .object({
+        channels: z.array(digestChannel).default([{ type: "chat" }]),
+        timezone: z.string().optional(),
+    })
+        .default({ channels: [{ type: "chat" }] }),
+});
+/** Resolve the config.json path. Override with POCZTA_MCP_CONFIG. */
+export function configPath() {
+    const fromEnv = process.env.POCZTA_MCP_CONFIG;
+    if (fromEnv)
+        return isAbsolute(fromEnv) ? fromEnv : resolve(process.cwd(), fromEnv);
+    // Prefer a project-local config.json, fall back to XDG-ish home location.
+    const local = resolve(process.cwd(), "config.json");
+    if (existsSync(local))
+        return local;
+    return join(homedir(), ".config", "poczta-mcp", "config.json");
+}
+/** Default .env path, sits next to config.json unless POCZTA_MCP_ENV overrides. */
+export function envPath() {
+    const fromEnv = process.env.POCZTA_MCP_ENV;
+    if (fromEnv)
+        return isAbsolute(fromEnv) ? fromEnv : resolve(process.cwd(), fromEnv);
+    const local = resolve(process.cwd(), ".env");
+    if (existsSync(local))
+        return local;
+    return join(homedir(), ".config", "poczta-mcp", ".env");
+}
+/** Load secrets from .env into process.env (does not overwrite already-set vars). */
+export function loadEnv() {
+    const p = envPath();
+    if (!existsSync(p))
+        return;
+    try {
+        // Node >=20.12 ships process.loadEnvFile; fall back to a tiny parser otherwise.
+        const loader = process.loadEnvFile;
+        if (typeof loader === "function") {
+            loader.call(process, p);
+            return;
+        }
+    }
+    catch {
+        /* fall through to manual parse */
+    }
+    for (const line of readFileSync(p, "utf8").split("\n")) {
+        const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\s*$/);
+        if (!m)
+            continue;
+        const key = m[1];
+        let val = m[2];
+        if ((val.startsWith('"') && val.endsWith('"')) || (val.startsWith("'") && val.endsWith("'"))) {
+            val = val.slice(1, -1);
+        }
+        if (process.env[key] === undefined)
+            process.env[key] = val;
+    }
+}
+/** Read an env var by name, throwing a clear error if missing. */
+export function requireEnv(name) {
+    const v = process.env[name];
+    if (v === undefined || v === "") {
+        throw new Error(`Missing secret: env var ${name} is not set (referenced from config.json)`);
+    }
+    return v;
+}
+export function loadConfig() {
+    loadEnv();
+    const p = configPath();
+    if (!existsSync(p)) {
+        throw new Error(`Config not found at ${p}. Run 'npx poczta-mcp setup' to create it, or set POCZTA_MCP_CONFIG.`);
+    }
+    let raw;
+    try {
+        raw = JSON.parse(readFileSync(p, "utf8"));
+    }
+    catch (e) {
+        throw new Error(`Config at ${p} is not valid JSON: ${e.message}`);
+    }
+    const parsed = configSchema.safeParse(raw);
+    if (!parsed.success) {
+        const issues = parsed.error.issues
+            .map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`)
+            .join("\n");
+        throw new Error(`Config at ${p} is invalid:\n${issues}`);
+    }
+    const cfg = parsed.data;
+    const ids = new Set();
+    for (const a of cfg.accounts) {
+        if (ids.has(a.id))
+            throw new Error(`Duplicate account id: ${a.id}`);
+        ids.add(a.id);
+    }
+    // digest email channels must point at a real account
+    for (const ch of cfg.digest.channels) {
+        if (ch.type === "email" && !ids.has(ch.fromAccount)) {
+            throw new Error(`digest email channel fromAccount '${ch.fromAccount}' is not a known account id`);
+        }
+    }
+    return cfg;
+}
+export function getAccount(cfg, id) {
+    const a = cfg.accounts.find((x) => x.id === id);
+    if (!a) {
+        const known = cfg.accounts.map((x) => x.id).join(", ");
+        throw new Error(`Unknown account '${id}'. Known: ${known}`);
+    }
+    return a;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;GAOG;AAEH,MAAM,QAAQ,GAAG,CAAC,CAAC,MAAM,CAAC;IACxB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,4DAA4D;CAChG,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAC3B,kDAAkD;IAClD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC/B,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC7B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CACnC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAChC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAClC;;;;;OAKG;IACH,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAClE,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACvC,CAAC,CAAC;AAEH,gFAAgF;AAChF,oFAAoF;AACpF,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC;AAEtE,MAAM,aAAa,GAAG,CAAC;KACpB,MAAM,CAAC;IACN,wEAAwE;IACxE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,gBAAgB,EAAE,mCAAmC,CAAC;IAClF,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACzB,IAAI,EAAE,QAAQ;IACd,IAAI,EAAE,QAAQ;IACd,IAAI,EAAE,UAAU;CACjB,CAAC;KACD,WAAW,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IACxB,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpE,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YAC7D,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,mDAAmD;gBAC5D,IAAI,EAAE,CAAC,MAAM,EAAE,iBAAiB,CAAC;aAClC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,MAAM,aAAa,GAAG,CAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACjD,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;IACrC,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,gEAAgE;QAChE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KACxB,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;QACxB,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;QACtB,qCAAqC;QACrC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,kCAAkC,CAAC;KAChE,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QAC1B,0EAA0E;QAC1E,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,kDAAkD;QAClD,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;KAChD,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;IAC/D,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5D,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC;SACD,OAAO,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;CAC7C,CAAC,CAAC;AAQH,qEAAqE;AACrE,MAAM,UAAU,UAAU;IACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC9C,IAAI,OAAO;QAAE,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC,CAAC;IAEpF,0EAA0E;IAC1E,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC,CAAC;IACpD,IAAI,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC;AACjE,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,OAAO;IACrB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC3C,IAAI,OAAO;QAAE,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC,CAAC;IACpF,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IAC7C,IAAI,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,OAAO;IACrB,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;IACpB,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO;IAC3B,IAAI,CAAC;QACH,gFAAgF;QAChF,MAAM,MAAM,GAAI,OAA+D,CAAC,WAAW,CAAC;QAC5F,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACxB,OAAO;QACT,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kCAAkC;IACpC,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACpE,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QAClB,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QAChB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC7F,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,SAAS;YAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,2CAA2C,CAAC,CAAC;IAC9F,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,OAAO,EAAE,CAAC;IACV,MAAM,CAAC,GAAG,UAAU,EAAE,CAAC;IACvB,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uBAAuB,CAAC,sEAAsE,CAC/F,CAAC;IACJ,CAAC;IACD,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,uBAAwB,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC/D,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,iBAAiB,MAAM,EAAE,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC;IACxB,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC7B,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC;IACD,qDAAqD;IACrD,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrC,IAAI,EAAE,CAAC,IAAI,KAAK,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,EAAE,CAAC,WAAW,6BAA6B,CAAC,CAAC;QACpG,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,EAAU;IAChD,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAChD,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,oBAAoB,EAAE,aAAa,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC"}