@rubytech/create-maxy 1.0.762 → 1.0.764

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.762",
+  "version": "1.0.764",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/neo4j/schema.cypher

@@ -802,6 +802,56 @@ FOR (tc:ToolCall) REQUIRE tc.callId IS UNIQUE;
 CREATE INDEX tool_call_account_started IF NOT EXISTS
 FOR (tc:ToolCall) ON (tc.accountId, tc.startedAt);
 
+// ----------------------------------------------------------
+// Component — Task 815 admin-resume rehydration.
+//
+// Every render-component event emitted on an assistant turn
+// produces one Component node linked to its parent Message via
+// (Message)-[:HAS_COMPONENT]->(Component). The agent's narrative
+// text stays on Message.content; component name + data JSON +
+// position-relative-to-text live here. Sibling-node design (not
+// JSON-on-Message) avoids Neo4j's 128KB property soft-limit when
+// document-editor bodies are large.
+//
+// Atomicity: persisted in the same Cypher transaction as the
+// parent Message — no orphan Component possible. Reader is a
+// single round-trip via OPTIONAL MATCH + collect (sort-before-
+// collect: WITH m, c ORDER BY c.ordinal ASC, then collect).
+//
+// Properties:
+//   componentId  — UUID, primary key
+//   conversationId / accountId / messageId — denormalised for
+//     account-scoped reads and cross-account isolation audits
+//   name         — component name (document-editor, action-buttons,
+//                   single-select, etc.)
+//   data         — JSON-encoded payload string. Validated structurally
+//                   on read (parseable, non-null object); per-component
+//                   schema validation lives in validateComponentData.
+//   ordinal      — 0-indexed sequence within the parent Message,
+//                   tiebreak for components with the same textOffset.
+//   textOffset   — length of Message.content at the moment this
+//                   component arrived in the SSE stream. Reader uses
+//                   it to interleave text-runs and components when
+//                   reconstructing events: AdminEvent[].
+//   submitted    — true once a PERSISTENT_COMPONENT (action-list,
+//                   document-editor, rich-content-editor, grid-editor)
+//                   was submitted by the user. Server-side detection
+//                   of `_componentDone:true` user turns flips this.
+//   submittedAt  — datetime when submitted=true was set (null otherwise)
+//   createdAt    — datetime when the component was persisted
+//
+// (:Message)-[:HAS_COMPONENT]->(:Component)
+// ----------------------------------------------------------
+
+CREATE CONSTRAINT component_id_unique IF NOT EXISTS
+FOR (c:Component) REQUIRE c.componentId IS UNIQUE;
+
+CREATE INDEX component_message IF NOT EXISTS
+FOR (c:Component) ON (c.messageId);
+
+CREATE INDEX component_account IF NOT EXISTS
+FOR (c:Component) ON (c.accountId);
+
 // ----------------------------------------------------------
 // :Trashed — Task 576 soft-delete primitive.
 //

package/payload/platform/package-lock.json

@@ -207,6 +207,10 @@
       "resolved": "plugins/telegram/mcp",
       "link": true
     },
+    "node_modules/@maxy/outlook": {
+      "resolved": "plugins/outlook/mcp",
+      "link": true
+    },
     "node_modules/@maxy/replicate": {
       "resolved": "plugins/replicate/mcp",
       "link": true
@@ -231,6 +235,33 @@
       "resolved": "plugins/workflows/mcp",
       "link": true
     },
+    "node_modules/@microsoft/microsoft-graph-client": {
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/@microsoft/microsoft-graph-client/-/microsoft-graph-client-3.0.7.tgz",
+      "integrity": "sha512-/AazAV/F+HK4LIywF9C+NYHcJo038zEnWkteilcxC1FM/uK/4NVGDKGrxx7nNq1ybspAroRKT4I1FHfxQzxkUw==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/runtime": "^7.12.5",
+        "tslib": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@azure/identity": {
+          "optional": true
+        },
+        "@azure/msal-browser": {
+          "optional": true
+        },
+        "buffer": {
+          "optional": true
+        },
+        "stream-browserify": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@modelcontextprotocol/sdk": {
       "version": "1.27.1",
       "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz",
@@ -3485,11 +3516,34 @@
         "@modelcontextprotocol/sdk": "^1.12.1",
         "neo4j-driver": "^5.28.1"
       },
+      "devDependencies": {
+        "@types/node": "^22.0.0",
+        "typescript": "^5.7.0",
+        "vitest": "^4.1.2"
+      }
+    },
+    "plugins/outlook/mcp": {
+      "name": "@maxy/outlook",
+      "version": "0.1.0",
+      "dependencies": {
+        "@microsoft/microsoft-graph-client": "^3.0.7",
+        "@modelcontextprotocol/sdk": "^1.12.1",
+        "zod": "^3.24.0"
+      },
       "devDependencies": {
         "@types/node": "^22.0.0",
         "typescript": "^5.7.0"
       }
     },
+    "plugins/outlook/mcp/node_modules/zod": {
+      "version": "3.25.76",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz",
+      "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    },
     "plugins/replicate/mcp": {
       "name": "@maxy/replicate",
       "version": "0.1.0",
@@ -3524,7 +3578,8 @@
       },
       "devDependencies": {
         "@types/node": "^22.0.0",
-        "typescript": "^5.7.0"
+        "typescript": "^5.7.0",
+        "vitest": "^4.1.2"
       }
     },
     "plugins/scheduling/mcp/node_modules/zod": {

package/payload/platform/package.json

@@ -15,6 +15,7 @@
     "build:cloudflare": "tsc -p plugins/cloudflare/mcp/tsconfig.json",
     "build:tasks": "tsc -p plugins/tasks/mcp/tsconfig.json",
     "build:email": "tsc -p plugins/email/mcp/tsconfig.json",
+    "build:outlook": "tsc -p plugins/outlook/mcp/tsconfig.json",
     "build:workflows": "tsc -p plugins/workflows/mcp/tsconfig.json",
     "build:stubs": "tsc -p plugins/scheduling/mcp/tsconfig.json",
     "build:replicate": "tsc -p plugins/replicate/mcp/tsconfig.json"

package/payload/platform/plugins/docs/references/outlook-guide.md

@@ -0,0 +1,69 @@
+# Outlook Plugin — Operator Guide
+
+The `outlook` plugin gives the admin agent read-only access to Microsoft 365 / Outlook.com via Microsoft Graph. Per-account OAuth (Auth Code + PKCE), encrypted token storage, automatic refresh.
+
+## Quickstart
+
+1. **Register an Entra app once per Maxy install** — see `platform/plugins/outlook/references/auth.md` for full steps. Set `OUTLOOK_CLIENT_ID` (and `OUTLOOK_TENANT_ID`, default `common`) in the operator's environment.
+2. **Per account: register the Outlook account** — in admin chat, ask the agent to "register my Outlook account". The agent runs `outlook-account-register`, which prints an authorization URL.
+3. **Open the URL in the VNC browser** — sign in to your Microsoft account, consent to the requested scopes (`offline_access`, `User.Read`, `Mail.Read`, `Calendars.Read`, `Contacts.Read`).
+4. **Done.** Subsequent tool calls (mail, calendar, contacts) use the persisted refresh token transparently.
+
+## Tools
+
+| Tool | Purpose |
+|------|---------|
+| `outlook-account-register` | Run the PKCE flow for this account. One-time per account; re-run if tokens expire (90 days) or consent is revoked. |
+| `outlook-mail-list` | Recent mail. Default top=25, folder=Inbox. |
+| `outlook-mail-search` | Microsoft Graph `$search` over the mailbox. |
+| `outlook-calendar-list` | Calendar events in next rangeDays days (default 7, max 365). |
+| `outlook-calendar-event` | Full detail of a single event by id. |
+| `outlook-contacts-list` | Top contacts. Default top=50. |
+| `outlook-mailbox-info` | Health probe — auth state, refresh-window, folder count. |
+
+## Observability
+
+All log lines start with `[outlook-mcp]` and write to `server.log`. They are key=value, account-scoped:
+
+| Event | Line shape |
+|-------|------------|
+| Auth init | `auth-init account=<id> codeChallenge=<sha256-prefix-8> redirectPath=<callback-path>` |
+| Auth callback | `auth-callback account=<id> elapsedMs=<N>` |
+| Auth ok | `auth-ok account=<id> graphUserId=<id> scopes=<csv> tokenExpSec=<N>` |
+| Token refreshed | `token-refreshed account=<id> oldExpSec=<N> newExpSec=<N>` |
+| Refresh failed | `token-refresh-failed account=<id> reason=<err>` (terminal) |
+| Mail list | `mail-list account=<id> folder=<id-or-Inbox> count=<N> elapsedMs=<N>` |
+| Mail search | `mail-search account=<id> query=<trunc-32> count=<N> elapsedMs=<N>` |
+| Calendar list | `calendar-list account=<id> rangeDays=<N> count=<N> elapsedMs=<N>` |
+| Calendar event | `calendar-event account=<id> eventId=<trunc-12> elapsedMs=<N>` |
+| Contacts list | `contacts-list account=<id> count=<N> elapsedMs=<N>` |
+| Mailbox info | `mailbox-info account=<id> tokenWithinRefreshWindow=<bool> folderCount=<N>` |
+| Graph error | `graph-error account=<id> status=<N> code=<graphErrorCode> retryAfterMs=<N-or-null>` |
+| On-prem rejected | `on-prem-rejected account=<id> mailServer=<host>` (terminal) |
+
+## Diagnostic paths
+
+```bash
+# All outlook lines for one account, last 50
+ssh laptop 'grep -E "^\[outlook-mcp\]" ~/.maxy/logs/server.log | grep "account=<id>" | tail -50'
+
+# Token-leak audit — must always return zero
+grep -rn -iE "Bearer |access_token=" ~/.maxy/logs/server.log | head
+```
+
+Latency triage: `mail-list count=0 elapsedMs<200` consistent → permissions issue; `elapsedMs > 5000` → Graph slowness or DNS.
+
+## Failure modes
+
+| Operator-visible message | Cause | Fix |
+|---|---|---|
+| `Outlook not connected for account=X; run outlook-account-register` | Tokens never saved | Run register tool |
+| `Outlook refresh token expired for account=X; run outlook-account-register` | >90 days since last refresh, or consent revoked | Run register tool |
+| `Outlook token refresh failed for account=X; re-auth required` | Network down at refresh time, or refresh token invalidated | Verify network; re-register |
+| `Outlook auth expired for account=X; run outlook-account-register` | Refresh-then-retry still got 401 | Re-register |
+| `Outlook rate-limited without Retry-After hint` | Graph 429 with no backoff guidance | Wait + retry; if persistent, file bug |
+| `Microsoft Graph does not support on-premises Exchange. Use Task 769 (IMAP).` | Mailbox is on hybrid Exchange | Use the `email` plugin |
+
+## Out of scope
+
+Write tools (send, draft, move, flag), OneDrive / Files, push notifications, on-premises Exchange, M365 admin scopes (`User.Read.All`, `AuditLog.Read.All`), public-agent exposure, multi-tenant federation. See `platform/plugins/outlook/PLUGIN.md` for the full out-of-scope list.

package/payload/platform/plugins/outlook/PLUGIN.md

@@ -0,0 +1,48 @@
+---
+name: outlook
+description: Microsoft 365 / Outlook.com via Microsoft Graph (read-only first cut). Per-account OAuth Auth Code + PKCE; no client secret. Tools — outlook-account-register: PKCE register; outlook-mail-list / outlook-mail-search: inbox; outlook-calendar-list / outlook-calendar-event: calendar; outlook-contacts-list: contacts; outlook-mailbox-info: auth state + folder count.
+tools:
+  - outlook-account-register
+  - outlook-mail-list
+  - outlook-mail-search
+  - outlook-calendar-list
+  - outlook-calendar-event
+  - outlook-contacts-list
+  - outlook-mailbox-info
+always: false
+embed: ["admin"]
+metadata: {"platform":{"optional":true}}
+---
+
+# Outlook
+
+Read-only Microsoft Graph access for Outlook.com / Microsoft 365 mailboxes. Admin agent only — public agent surface is explicitly excluded.
+
+## Capabilities
+
+- **Register:** `outlook-account-register` — initiates OAuth Auth Code + PKCE flow against the operator's Entra app. Returns an authorization URL the operator opens in the VNC browser to consent. Tokens persist per-account, encrypted on disk (AES-256-CBC).
+- **Mail (read-only):** `outlook-mail-list` returns recent messages; `outlook-mail-search` runs a Graph `$search` query.
+- **Calendar (read-only):** `outlook-calendar-list` returns events in a future range; `outlook-calendar-event` returns a single event with full body + attendees.
+- **Contacts (read-only):** `outlook-contacts-list` returns contacts.
+- **Health:** `outlook-mailbox-info` reports auth state, refresh-window status, and top-level folder count. Use this to answer "did account X auth?" without grepping logs.
+
+## Out of scope
+
+- Send / draft / move / flag — write surfaces are deferred to a follow-up task.
+- OneDrive, Files, Sites — separate plugin; different endpoints.
+- Push notifications via `/subscriptions` — first cut polls.
+- On-premises Exchange — Microsoft Graph deprecated hybrid REST 2023-07. The plugin detects on-prem mailboxes and routes the operator to the IMAP path (`email` plugin).
+- M365 admin scopes (`User.Read.All`, `AuditLog.Read.All`) — separate plugin.
+
+## References
+
+| Reference | Topics |
+|-----------|--------|
+| [auth.md](references/auth.md) | Entra app registration, PKCE flow, vendored upstream SHA, re-vendor procedure |
+| [graph-surfaces.md](references/graph-surfaces.md) | Graph endpoint and response shape per tool |
+
+## Skills
+
+| Skill | Purpose |
+|-------|---------|
+| [outlook](skills/outlook/SKILL.md) | When to activate; how to register a new Outlook account |

package/payload/platform/plugins/outlook/mcp/dist/__tests__/graph-client.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=graph-client.test.d.ts.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/graph-client.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-client.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/graph-client.test.ts"],"names":[],"mappings":""}

package/payload/platform/plugins/outlook/mcp/dist/__tests__/graph-client.test.js

@@ -0,0 +1,94 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { classifyGraphError } from "../lib/graph-client.js";
+test("classifyGraphError 401 → auth", () => {
+    const cls = classifyGraphError({
+        statusCode: 401,
+        code: "InvalidAuthenticationToken",
+        body: '{"error":{"code":"InvalidAuthenticationToken"}}',
+    });
+    assert.equal(cls.kind, "auth");
+    assert.equal(cls.statusCode, 401);
+});
+test("classifyGraphError 429 with Retry-After → rate-limit-recoverable", () => {
+    const cls = classifyGraphError({
+        statusCode: 429,
+        headers: { "Retry-After": "30" },
+    });
+    assert.equal(cls.kind, "rate-limit-recoverable");
+    if (cls.kind === "rate-limit-recoverable") {
+        assert.equal(cls.retryAfterMs, 30000);
+    }
+});
+test("classifyGraphError 429 lowercase Retry-After header still parsed", () => {
+    const cls = classifyGraphError({
+        statusCode: 429,
+        headers: { "retry-after": "5" },
+    });
+    assert.equal(cls.kind, "rate-limit-recoverable");
+    if (cls.kind === "rate-limit-recoverable") {
+        assert.equal(cls.retryAfterMs, 5000);
+    }
+});
+test("classifyGraphError 429 without Retry-After → rate-limit-terminal", () => {
+    const cls = classifyGraphError({
+        statusCode: 429,
+        headers: {},
+    });
+    assert.equal(cls.kind, "rate-limit-terminal");
+});
+test("classifyGraphError 503 + MailboxNotEnabledForRESTAPI → on-prem", () => {
+    const cls = classifyGraphError({
+        statusCode: 503,
+        code: "MailboxNotEnabledForRESTAPI",
+        body: '{"error":{"code":"MailboxNotEnabledForRESTAPI","message":"REST API is not yet supported for this mailbox."}}',
+        headers: { "x-mailbox-server": "ex2019.acme.local" },
+    });
+    assert.equal(cls.kind, "on-prem");
+    if (cls.kind === "on-prem") {
+        assert.equal(cls.statusCode, 503);
+        assert.equal(cls.mailServer, "ex2019.acme.local");
+    }
+});
+test("classifyGraphError 503 without MailboxNotEnabledForRESTAPI → 5xx (NOT on-prem)", () => {
+    // Critical: on-prem detection keys off the structured code field, not body
+    // prose. A generic 503 must NOT be misclassified as on-prem.
+    const cls = classifyGraphError({
+        statusCode: 503,
+        code: "ServiceUnavailable",
+        body: '{"error":{"code":"ServiceUnavailable","message":"REST API on-premises mailboxes are temporarily unavailable for everyone, somehow"}}',
+    });
+    assert.equal(cls.kind, "5xx", "must not infer on-prem from prose body");
+});
+test("classifyGraphError parses code from body when not on top-level", () => {
+    const cls = classifyGraphError({
+        statusCode: 503,
+        body: '{"error":{"code":"MailboxNotEnabledForRESTAPI","message":"foo"}}',
+    });
+    assert.equal(cls.kind, "on-prem");
+});
+test("classifyGraphError 500 → 5xx", () => {
+    const cls = classifyGraphError({ statusCode: 500, code: "InternalServerError" });
+    assert.equal(cls.kind, "5xx");
+});
+test("classifyGraphError 404 → other", () => {
+    const cls = classifyGraphError({ statusCode: 404, code: "ItemNotFound" });
+    assert.equal(cls.kind, "other");
+    if (cls.kind === "other") {
+        assert.equal(cls.statusCode, 404);
+        assert.equal(cls.code, "ItemNotFound");
+    }
+});
+test("classifyGraphError reads Retry-After via fetch-style response.headers.get", () => {
+    const cls = classifyGraphError({
+        statusCode: 429,
+        response: {
+            headers: { get: (h) => (h.toLowerCase() === "retry-after" ? "10" : null) },
+        },
+    });
+    assert.equal(cls.kind, "rate-limit-recoverable");
+    if (cls.kind === "rate-limit-recoverable") {
+        assert.equal(cls.retryAfterMs, 10000);
+    }
+});
+//# sourceMappingURL=graph-client.test.js.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/graph-client.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-client.test.js","sourceRoot":"","sources":["../../src/__tests__/graph-client.test.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAE5D,IAAI,CAAC,+BAA+B,EAAE,GAAG,EAAE;IACzC,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,4BAA4B;QAClC,IAAI,EAAE,iDAAiD;KACxD,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;AACpC,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,kEAAkE,EAAE,GAAG,EAAE;IAC5E,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE;KACjC,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,wBAAwB,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACxC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,kEAAkE,EAAE,GAAG,EAAE;IAC5E,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,aAAa,EAAE,GAAG,EAAE;KAChC,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,wBAAwB,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,kEAAkE,EAAE,GAAG,EAAE;IAC5E,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE;KACZ,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAC;AAChD,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,gEAAgE,EAAE,GAAG,EAAE;IAC1E,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,6BAA6B;QACnC,IAAI,EAAE,8GAA8G;QACpH,OAAO,EAAE,EAAE,kBAAkB,EAAE,mBAAmB,EAAE;KACrD,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAClC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;IACpD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,gFAAgF,EAAE,GAAG,EAAE;IAC1F,2EAA2E;IAC3E,6DAA6D;IAC7D,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,oBAAoB;QAC1B,IAAI,EAAE,sIAAsI;KAC7I,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,wCAAwC,CAAC,CAAC;AAC1E,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,gEAAgE,EAAE,GAAG,EAAE;IAC1E,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,kEAAkE;KACzE,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;AACpC,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,8BAA8B,EAAE,GAAG,EAAE;IACxC,MAAM,GAAG,GAAG,kBAAkB,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACjF,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AAChC,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC1C,MAAM,GAAG,GAAG,kBAAkB,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;IAC1E,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAChC,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACzC,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,2EAA2E,EAAE,GAAG,EAAE;IACrF,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,UAAU,EAAE,GAAG;QACf,QAAQ,EAAE;YACR,OAAO,EAAE,EAAE,GAAG,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE;SACnF;KACF,CAAC,CAAC;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,wBAAwB,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACxC,CAAC;AACH,CAAC,CAAC,CAAC"}

package/payload/platform/plugins/outlook/mcp/dist/__tests__/log.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=log.test.d.ts.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/log.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/log.test.ts"],"names":[],"mappings":""}

package/payload/platform/plugins/outlook/mcp/dist/__tests__/log.test.js

@@ -0,0 +1,31 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { redact, trunc } from "../lib/log.js";
+test("redact masks Bearer tokens", () => {
+    const input = "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature";
+    assert.match(redact(input), /Bearer <REDACTED>/);
+    assert.doesNotMatch(redact(input), /eyJhbGciOiJIUzI1NiJ9/);
+});
+test("redact masks access_token query strings", () => {
+    const input = "https://login.microsoftonline.com/cb?access_token=abc123_secret&state=xyz";
+    const out = redact(input);
+    assert.match(out, /access_token=<REDACTED>/);
+    assert.doesNotMatch(out, /abc123_secret/);
+    // Other query params survive.
+    assert.match(out, /state=xyz/);
+});
+test("redact is a no-op on safe text", () => {
+    assert.equal(redact("user logged in account=abc count=5"), "user logged in account=abc count=5");
+});
+test("redact handles multiple Bearer tokens in one string", () => {
+    const input = "first Bearer aaaaa second Bearer bbbbb";
+    const out = redact(input);
+    assert.match(out, /first Bearer <REDACTED> second Bearer <REDACTED>/);
+});
+test("trunc preserves short values verbatim", () => {
+    assert.equal(trunc("short", 10), "short");
+});
+test("trunc shortens long values with ellipsis", () => {
+    assert.equal(trunc("abcdefghijklmnop", 10), "abcdefghi…");
+});
+//# sourceMappingURL=log.test.js.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/log.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.test.js","sourceRoot":"","sources":["../../src/__tests__/log.test.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAE9C,IAAI,CAAC,4BAA4B,EAAE,GAAG,EAAE;IACtC,MAAM,KAAK,GAAG,8DAA8D,CAAC;IAC7E,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,mBAAmB,CAAC,CAAC;IACjD,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,sBAAsB,CAAC,CAAC;AAC7D,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,yCAAyC,EAAE,GAAG,EAAE;IACnD,MAAM,KAAK,GAAG,2EAA2E,CAAC;IAC1F,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IAC7C,MAAM,CAAC,YAAY,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC1C,8BAA8B;IAC9B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC1C,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,oCAAoC,CAAC,EAAE,oCAAoC,CAAC,CAAC;AACnG,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,qDAAqD,EAAE,GAAG,EAAE;IAC/D,MAAM,KAAK,GAAG,wCAAwC,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,kDAAkD,CAAC,CAAC;AACxE,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,uCAAuC,EAAE,GAAG,EAAE;IACjD,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACpD,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC;AAC5D,CAAC,CAAC,CAAC"}

package/payload/platform/plugins/outlook/mcp/dist/__tests__/pkce-flow.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=pkce-flow.test.d.ts.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/pkce-flow.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce-flow.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/pkce-flow.test.ts"],"names":[],"mappings":""}