@sonde/packs 0.1.0 → 0.1.1

package/dist/integrations/graph.js

@@ -0,0 +1,290 @@
+let tokenCache = null;
+/** Acquire or reuse a Graph OAuth2 token via client_credentials grant */
+export async function ensureGraphToken(credentials, fetchFn) {
+    if (tokenCache && Date.now() < tokenCache.expiresAt - 30_000) {
+        return tokenCache.accessToken;
+    }
+    const tenantId = credentials.credentials.tenantId ?? '';
+    const clientId = credentials.credentials.clientId ?? '';
+    const clientSecret = credentials.credentials.clientSecret ?? '';
+    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+    const body = new URLSearchParams({
+        grant_type: 'client_credentials',
+        scope: 'https://graph.microsoft.com/.default',
+        client_id: clientId,
+        client_secret: clientSecret,
+    });
+    const res = await fetchFn(tokenUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: body.toString(),
+    });
+    if (!res.ok) {
+        throw new Error(`Graph token request failed: ${res.status} ${res.statusText}`);
+    }
+    const data = (await res.json());
+    tokenCache = {
+        accessToken: data.access_token,
+        expiresAt: Date.now() + data.expires_in * 1000,
+    };
+    return tokenCache.accessToken;
+}
+/** Clear the cached token (used for testing) */
+export function clearTokenCache() {
+    tokenCache = null;
+}
+/** Fetch a Graph API endpoint with pagination */
+export async function graphFetch(path, config, credentials, fetchFn, queryParams, maxPages = 5) {
+    const token = await ensureGraphToken(credentials, fetchFn);
+    const baseUrl = `${config.endpoint.replace(/\/$/, '')}${path}`;
+    const url = new URL(baseUrl);
+    if (queryParams) {
+        for (const [key, value] of Object.entries(queryParams)) {
+            url.searchParams.set(key, value);
+        }
+    }
+    const headers = {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/json',
+        ...config.headers,
+    };
+    const results = [];
+    let nextUrl = url.toString();
+    let page = 0;
+    while (nextUrl && page < maxPages) {
+        const res = await fetchFn(nextUrl, { headers });
+        if (!res.ok)
+            throw new Error(`Graph API returned ${res.status}: ${res.statusText}`);
+        const data = (await res.json());
+        results.push(...(data.value ?? []));
+        nextUrl = data['@odata.nextLink'];
+        page++;
+    }
+    return results;
+}
+/** Fetch a Graph API endpoint with 403 handling for Intune endpoints */
+async function graphFetchIntune(path, config, credentials, fetchFn, queryParams, maxPages = 5) {
+    try {
+        return await graphFetch(path, config, credentials, fetchFn, queryParams, maxPages);
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.includes('403')) {
+            throw new Error('Intune license or permissions required. Ensure the app registration has DeviceManagementManagedDevices.Read.All permission and an Intune license is active.');
+        }
+        throw error;
+    }
+}
+// --- Probe handlers ---
+const userLookup = async (params, config, credentials, fetchFn) => {
+    const q = params?.q ?? '';
+    if (!q)
+        throw new Error('q parameter is required (name, email, or UPN)');
+    const filter = `startsWith(displayName,'${q}') or mail eq '${q}' or userPrincipalName eq '${q}'`;
+    const select = 'id,displayName,mail,userPrincipalName,jobTitle,department,officeLocation,accountEnabled';
+    const items = await graphFetch('/users', config, credentials, fetchFn, { $filter: filter, $select: select }, 1);
+    return { users: items, count: items.length };
+};
+const userGroups = async (params, config, credentials, fetchFn) => {
+    const userId = params?.id ?? '';
+    if (!userId)
+        throw new Error('id parameter is required (user object ID or UPN)');
+    const items = (await graphFetch(`/users/${userId}/memberOf`, config, credentials, fetchFn, {
+        $select: 'id,displayName',
+    }));
+    const groups = items.filter((item) => item['@odata.type'] === '#microsoft.graph.group');
+    return {
+        groups: groups.map((g) => ({ id: g.id, displayName: g.displayName })),
+        count: groups.length,
+    };
+};
+const signinRecent = async (params, config, credentials, fetchFn) => {
+    const user = params?.user ?? '';
+    if (!user)
+        throw new Error('user parameter is required (UPN)');
+    const hours = params?.hours || 24;
+    const cutoff = new Date(Date.now() - hours * 60 * 60 * 1000).toISOString();
+    const filter = `userPrincipalName eq '${user}' and createdDateTime ge ${cutoff}`;
+    const select = 'createdDateTime,appDisplayName,ipAddress,status,location,deviceDetail,riskLevelDuringSignIn';
+    const items = await graphFetch('/auditLogs/signIns', config, credentials, fetchFn, {
+        $filter: filter,
+        $select: select,
+    });
+    return { signIns: items, count: items.length, periodHours: hours };
+};
+const usersRisky = async (params, config, credentials, fetchFn) => {
+    const level = params?.level || 'high';
+    const filter = `riskLevel eq '${level}'`;
+    const select = 'id,userDisplayName,userPrincipalName,riskLevel,riskState,riskDetail,riskLastUpdatedDateTime';
+    const items = await graphFetch('/identityProtection/riskyUsers', config, credentials, fetchFn, {
+        $filter: filter,
+        $select: select,
+    });
+    return { riskyUsers: items, count: items.length, riskLevel: level };
+};
+const intuneDevicesCompliance = async (params, config, credentials, fetchFn) => {
+    const user = params?.user;
+    const select = 'id,deviceName,operatingSystem,osVersion,complianceState,lastSyncDateTime,userPrincipalName,model,manufacturer';
+    const queryParams = { $select: select };
+    if (user) {
+        queryParams.$filter = `userPrincipalName eq '${user}'`;
+    }
+    const items = await graphFetchIntune('/deviceManagement/managedDevices', config, credentials, fetchFn, queryParams);
+    return { devices: items, count: items.length };
+};
+const intuneDevicesNoncompliant = async (_params, config, credentials, fetchFn) => {
+    const select = 'id,deviceName,operatingSystem,osVersion,complianceState,lastSyncDateTime,userPrincipalName,model,manufacturer';
+    const items = await graphFetchIntune('/deviceManagement/managedDevices', config, credentials, fetchFn, { $filter: "complianceState eq 'noncompliant'", $select: select });
+    return { devices: items, count: items.length };
+};
+const intuneAppsStatus = async (_params, config, credentials, fetchFn) => {
+    const apps = (await graphFetchIntune('/deviceAppManagement/mobileApps', config, credentials, fetchFn, { $select: 'id,displayName,publisher' }));
+    const token = await ensureGraphToken(credentials, fetchFn);
+    const headers = {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/json',
+        ...config.headers,
+    };
+    const appsWithStatus = await Promise.all(apps.map(async (app) => {
+        try {
+            const summaryUrl = `${config.endpoint.replace(/\/$/, '')}/deviceAppManagement/mobileApps/${app.id}/installSummary`;
+            const res = await fetchFn(summaryUrl, { headers });
+            if (res.ok) {
+                const summary = (await res.json());
+                return { ...app, installSummary: summary };
+            }
+            return { ...app, installSummary: null };
+        }
+        catch {
+            return { ...app, installSummary: null };
+        }
+    }));
+    return { apps: appsWithStatus, count: appsWithStatus.length };
+};
+// --- Pack definition ---
+export const graphPack = {
+    manifest: {
+        name: 'graph',
+        type: 'integration',
+        version: '0.1.0',
+        description: 'Microsoft Graph — Entra ID users, sign-in logs, risky users, Intune device compliance',
+        requires: { groups: [], files: [], commands: [] },
+        probes: [
+            {
+                name: 'user.lookup',
+                description: 'Look up Entra ID users by name, email, or UPN',
+                capability: 'observe',
+                params: {
+                    q: {
+                        type: 'string',
+                        description: 'Search query (display name prefix, email, or UPN)',
+                        required: true,
+                    },
+                },
+                timeout: 15000,
+            },
+            {
+                name: 'user.groups',
+                description: 'List group memberships for a user',
+                capability: 'observe',
+                params: {
+                    id: {
+                        type: 'string',
+                        description: 'User object ID or UPN',
+                        required: true,
+                    },
+                },
+                timeout: 15000,
+            },
+            {
+                name: 'signin.recent',
+                description: 'Recent sign-in logs for a user',
+                capability: 'observe',
+                params: {
+                    user: {
+                        type: 'string',
+                        description: 'User principal name (UPN)',
+                        required: true,
+                    },
+                    hours: {
+                        type: 'number',
+                        description: 'Lookback period in hours (default: 24)',
+                        required: false,
+                    },
+                },
+                timeout: 30000,
+            },
+            {
+                name: 'users.risky',
+                description: 'Users flagged by Identity Protection at a given risk level',
+                capability: 'observe',
+                params: {
+                    level: {
+                        type: 'string',
+                        description: "Risk level filter: 'low', 'medium', or 'high' (default: 'high')",
+                        required: false,
+                    },
+                },
+                timeout: 15000,
+            },
+            {
+                name: 'intune.devices.compliance',
+                description: 'Intune managed device compliance status',
+                capability: 'observe',
+                params: {
+                    user: {
+                        type: 'string',
+                        description: 'Optional UPN filter — if omitted, returns all managed devices',
+                        required: false,
+                    },
+                },
+                timeout: 30000,
+            },
+            {
+                name: 'intune.devices.noncompliant',
+                description: 'Intune devices with noncompliant status',
+                capability: 'observe',
+                params: {},
+                timeout: 30000,
+            },
+            {
+                name: 'intune.apps.status',
+                description: 'Intune mobile app inventory with install summaries',
+                capability: 'observe',
+                params: {},
+                timeout: 30000,
+            },
+        ],
+        runbook: {
+            category: 'identity',
+            probes: ['user.lookup', 'users.risky', 'intune.devices.noncompliant'],
+            parallel: true,
+        },
+    },
+    handlers: {
+        'user.lookup': userLookup,
+        'user.groups': userGroups,
+        'signin.recent': signinRecent,
+        'users.risky': usersRisky,
+        'intune.devices.compliance': intuneDevicesCompliance,
+        'intune.devices.noncompliant': intuneDevicesNoncompliant,
+        'intune.apps.status': intuneAppsStatus,
+    },
+    testConnection: async (config, credentials, fetchFn) => {
+        try {
+            const token = await ensureGraphToken(credentials, fetchFn);
+            const url = `${config.endpoint.replace(/\/$/, '')}/organization?$select=id&$top=1`;
+            const res = await fetchFn(url, {
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    Accept: 'application/json',
+                    ...config.headers,
+                },
+            });
+            return res.ok;
+        }
+        catch {
+            return false;
+        }
+    },
+};
+//# sourceMappingURL=graph.js.map

package/dist/integrations/graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.js","sourceRoot":"","sources":["../../src/integrations/graph.ts"],"names":[],"mappings":"AAeA,IAAI,UAAU,GAAuB,IAAI,CAAC;AAE1C,yEAAyE;AACzE,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAmC,EACnC,OAAgB;IAEhB,IAAI,UAAU,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;QAC7D,OAAO,UAAU,CAAC,WAAW,CAAC;IAChC,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,WAAW,CAAC,QAAQ,IAAI,EAAE,CAAC;IACxD,MAAM,QAAQ,GAAG,WAAW,CAAC,WAAW,CAAC,QAAQ,IAAI,EAAE,CAAC;IACxD,MAAM,YAAY,GAAG,WAAW,CAAC,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;IAChE,MAAM,QAAQ,GAAG,qCAAqC,QAAQ,oBAAoB,CAAC;IAEnF,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,KAAK,EAAE,sCAAsC;QAC7C,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE;QAClC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiD,CAAC;IAChF,UAAU,GAAG;QACX,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;KAC/C,CAAC;IACF,OAAO,UAAU,CAAC,WAAW,CAAC;AAChC,CAAC;AAED,gDAAgD;AAChD,MAAM,UAAU,eAAe;IAC7B,UAAU,GAAG,IAAI,CAAC;AACpB,CAAC;AASD,iDAAiD;AACjD,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAY,EACZ,MAAyB,EACzB,WAAmC,EACnC,OAAgB,EAChB,WAAoC,EACpC,QAAQ,GAAG,CAAC;IAEZ,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC;IAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAA2B;QACtC,aAAa,EAAE,UAAU,KAAK,EAAE;QAChC,MAAM,EAAE,kBAAkB;QAC1B,GAAG,MAAM,CAAC,OAAO;KAClB,CAAC;IAEF,MAAM,OAAO,GAAc,EAAE,CAAC;IAC9B,IAAI,OAAO,GAAuB,GAAG,CAAC,QAAQ,EAAE,CAAC;IACjD,IAAI,IAAI,GAAG,CAAC,CAAC;IAEb,OAAO,OAAO,IAAI,IAAI,GAAG,QAAQ,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QACpF,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;QACjD,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC;QACpC,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAClC,IAAI,EAAE,CAAC;IACT,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,MAAyB,EACzB,WAAmC,EACnC,OAAgB,EAChB,WAAoC,EACpC,QAAQ,GAAG,CAAC;IAEZ,IAAI,CAAC;QACH,OAAO,MAAM,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;IACrF,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CACb,6JAA6J,CAC9J,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,yBAAyB;AAEzB,MAAM,UAAU,GAA4B,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE;IACzF,MAAM,CAAC,GAAI,MAAM,EAAE,CAAY,IAAI,EAAE,CAAC;IACtC,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IAEzE,MAAM,MAAM,GAAG,2BAA2B,CAAC,kBAAkB,CAAC,8BAA8B,CAAC,GAAG,CAAC;IACjG,MAAM,MAAM,GACV,yFAAyF,CAAC;IAE5F,MAAM,KAAK,GAAG,MAAM,UAAU,CAC5B,QAAQ,EACR,MAAM,EACN,WAAW,EACX,OAAO,EACP,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EACpC,CAAC,CACF,CAAC;IAEF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;AAC/C,CAAC,CAAC;AAEF,MAAM,UAAU,GAA4B,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE;IACzF,MAAM,MAAM,GAAI,MAAM,EAAE,EAAa,IAAI,EAAE,CAAC;IAC5C,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IAEjF,MAAM,KAAK,GAAG,CAAC,MAAM,UAAU,CAAC,UAAU,MAAM,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE;QACzF,OAAO,EAAE,gBAAgB;KAC1B,CAAC,CAAmC,CAAC;IAEtC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CACzB,CAAC,IAAI,EAAE,EAAE,CAAE,IAAI,CAAC,aAAa,CAAY,KAAK,wBAAwB,CACvE,CAAC;IAEF,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACrE,KAAK,EAAE,MAAM,CAAC,MAAM;KACrB,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,YAAY,GAA4B,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE;IAC3F,MAAM,IAAI,GAAI,MAAM,EAAE,IAAe,IAAI,EAAE,CAAC;IAC5C,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAE/D,MAAM,KAAK,GAAI,MAAM,EAAE,KAAgB,IAAI,EAAE,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAE3E,MAAM,MAAM,GAAG,yBAAyB,IAAI,4BAA4B,MAAM,EAAE,CAAC;IACjF,MAAM,MAAM,GACV,6FAA6F,CAAC;IAEhG,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,oBAAoB,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE;QACjF,OAAO,EAAE,MAAM;QACf,OAAO,EAAE,MAAM;KAChB,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;AACrE,CAAC,CAAC;AAEF,MAAM,UAAU,GAA4B,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE;IACzF,MAAM,KAAK,GAAI,MAAM,EAAE,KAAgB,IAAI,MAAM,CAAC;IAClD,MAAM,MAAM,GAAG,iBAAiB,KAAK,GAAG,CAAC;IACzC,MAAM,MAAM,GACV,6FAA6F,CAAC;IAEhG,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,gCAAgC,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE;QAC7F,OAAO,EAAE,MAAM;QACf,OAAO,EAAE,MAAM;KAChB,CAAC,CAAC;IAEH,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AACtE,CAAC,CAAC;AAEF,MAAM,uBAAuB,GAA4B,KAAK,EAC5D,MAAM,EACN,MAAM,EACN,WAAW,EACX,OAAO,EACP,EAAE;IACF,MAAM,IAAI,GAAG,MAAM,EAAE,IAA0B,CAAC;IAChD,MAAM,MAAM,GACV,+GAA+G,CAAC;IAClH,MAAM,WAAW,GAA2B,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAEhE,IAAI,IAAI,EAAE,CAAC;QACT,WAAW,CAAC,OAAO,GAAG,yBAAyB,IAAI,GAAG,CAAC;IACzD,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAClC,kCAAkC,EAClC,MAAM,EACN,WAAW,EACX,OAAO,EACP,WAAW,CACZ,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;AACjD,CAAC,CAAC;AAEF,MAAM,yBAAyB,GAA4B,KAAK,EAC9D,OAAO,EACP,MAAM,EACN,WAAW,EACX,OAAO,EACP,EAAE;IACF,MAAM,MAAM,GACV,+GAA+G,CAAC;IAElH,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAClC,kCAAkC,EAClC,MAAM,EACN,WAAW,EACX,OAAO,EACP,EAAE,OAAO,EAAE,mCAAmC,EAAE,OAAO,EAAE,MAAM,EAAE,CAClE,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;AACjD,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAA4B,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE;IAChG,MAAM,IAAI,GAAG,CAAC,MAAM,gBAAgB,CAClC,iCAAiC,EACjC,MAAM,EACN,WAAW,EACX,OAAO,EACP,EAAE,OAAO,EAAE,0BAA0B,EAAE,CACxC,CAAmC,CAAC;IAErC,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAC3D,MAAM,OAAO,GAA2B;QACtC,aAAa,EAAE,UAAU,KAAK,EAAE;QAChC,MAAM,EAAE,kBAAkB;QAC1B,GAAG,MAAM,CAAC,OAAO;KAClB,CAAC;IAEF,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,GAAG,CACtC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACrB,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,mCAAmC,GAAG,CAAC,EAAE,iBAAiB,CAAC;YACnH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YACnD,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;gBAC9D,OAAO,EAAE,GAAG,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC;YAC7C,CAAC;YACD,OAAO,EAAE,GAAG,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,GAAG,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,cAAc,CAAC,MAAM,EAAE,CAAC;AAChE,CAAC,CAAC;AAEF,0BAA0B;AAE1B,MAAM,CAAC,MAAM,SAAS,GAAoB;IACxC,QAAQ,EAAE;QACR,IAAI,EAAE,OAAO;QACb,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,OAAO;QAChB,WAAW,EACT,uFAAuF;QACzF,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;QACjD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE,+CAA+C;gBAC5D,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE;oBACN,CAAC,EAAE;wBACD,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,mDAAmD;wBAChE,QAAQ,EAAE,IAAI;qBACf;iBACF;gBACD,OAAO,EAAE,KAAK;aACf;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE,mCAAmC;gBAChD,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE;oBACN,EAAE,EAAE;wBACF,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,uBAAuB;wBACpC,QAAQ,EAAE,IAAI;qBACf;iBACF;gBACD,OAAO,EAAE,KAAK;aACf;YACD;gBACE,IAAI,EAAE,eAAe;gBACrB,WAAW,EAAE,gCAAgC;gBAC7C,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE;oBACN,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,2BAA2B;wBACxC,QAAQ,EAAE,IAAI;qBACf;oBACD,KAAK,EAAE;wBACL,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,wCAAwC;wBACrD,QAAQ,EAAE,KAAK;qBAChB;iBACF;gBACD,OAAO,EAAE,KAAK;aACf;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE,4DAA4D;gBACzE,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE;oBACN,KAAK,EAAE;wBACL,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,iEAAiE;wBAC9E,QAAQ,EAAE,KAAK;qBAChB;iBACF;gBACD,OAAO,EAAE,KAAK;aACf;YACD;gBACE,IAAI,EAAE,2BAA2B;gBACjC,WAAW,EAAE,yCAAyC;gBACtD,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE;oBACN,IAAI,EAAE;wBACJ,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,+DAA+D;wBAC5E,QAAQ,EAAE,KAAK;qBAChB;iBACF;gBACD,OAAO,EAAE,KAAK;aACf;YACD;gBACE,IAAI,EAAE,6BAA6B;gBACnC,WAAW,EAAE,yCAAyC;gBACtD,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,KAAK;aACf;YACD;gBACE,IAAI,EAAE,oBAAoB;gBAC1B,WAAW,EAAE,oDAAoD;gBACjE,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,KAAK;aACf;SACF;QACD,OAAO,EAAE;YACP,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,CAAC,aAAa,EAAE,aAAa,EAAE,6BAA6B,CAAC;YACrE,QAAQ,EAAE,IAAI;SACf;KACF;IAED,QAAQ,EAAE;QACR,aAAa,EAAE,UAAU;QACzB,aAAa,EAAE,UAAU;QACzB,eAAe,EAAE,YAAY;QAC7B,aAAa,EAAE,UAAU;QACzB,2BAA2B,EAAE,uBAAuB;QACpD,6BAA6B,EAAE,yBAAyB;QACxD,oBAAoB,EAAE,gBAAgB;KACvC;IAED,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE;QACrD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,iCAAiC,CAAC;YACnF,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;gBAC7B,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,KAAK,EAAE;oBAChC,MAAM,EAAE,kBAAkB;oBAC1B,GAAG,MAAM,CAAC,OAAO;iBAClB;aACF,CAAC,CAAC;YACH,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/integrations/graph.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=graph.test.d.ts.map

package/dist/integrations/graph.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.test.d.ts","sourceRoot":"","sources":["../../src/integrations/graph.test.ts"],"names":[],"mappings":""}

package/dist/integrations/graph.test.js

@@ -0,0 +1,356 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { clearTokenCache, ensureGraphToken, graphFetch, graphPack } from './graph.js';
+const graphConfig = {
+    endpoint: 'https://graph.microsoft.com/v1.0',
+};
+const graphCreds = {
+    packName: 'graph',
+    authMethod: 'oauth2',
+    credentials: {
+        tenantId: 'tenant-123',
+        clientId: 'client-id',
+        clientSecret: 'client-secret',
+    },
+};
+const handler = (name) => {
+    const h = graphPack.handlers[name];
+    if (!h)
+        throw new Error(`Handler ${name} not found`);
+    return h;
+};
+function callArgs(fn, index) {
+    const args = fn.mock.calls[index];
+    if (!args)
+        throw new Error(`No call at index ${index}`);
+    return args;
+}
+/** Mock fetch that returns a token response on first call, then Graph API responses */
+function mockGraphFetch(graphValue = [], nextLink) {
+    let callCount = 0;
+    return vi.fn().mockImplementation(() => {
+        callCount++;
+        if (callCount === 1) {
+            return Promise.resolve(new Response(JSON.stringify({ access_token: 'graph-token-123', expires_in: 3600 }), {
+                status: 200,
+                headers: { 'Content-Type': 'application/json' },
+            }));
+        }
+        const body = { value: graphValue };
+        if (nextLink)
+            body['@odata.nextLink'] = nextLink;
+        return Promise.resolve(new Response(JSON.stringify(body), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+        }));
+    });
+}
+/** Mock fetch returning paginated Graph responses (token first, then pages) */
+function mockGraphPaginated(pages) {
+    let callCount = 0;
+    return vi.fn().mockImplementation(() => {
+        callCount++;
+        if (callCount === 1) {
+            return Promise.resolve(new Response(JSON.stringify({ access_token: 'graph-token-123', expires_in: 3600 }), {
+                status: 200,
+                headers: { 'Content-Type': 'application/json' },
+            }));
+        }
+        const pageIdx = callCount - 2;
+        const value = pages[pageIdx] ?? [];
+        const nextLink = pageIdx < pages.length - 1
+            ? `https://graph.microsoft.com/v1.0/next?$skip=${(pageIdx + 1) * 100}`
+            : undefined;
+        const body = { value };
+        if (nextLink)
+            body['@odata.nextLink'] = nextLink;
+        return Promise.resolve(new Response(JSON.stringify(body), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+        }));
+    });
+}
+function mockFetchError(status) {
+    return vi.fn().mockResolvedValue(new Response('Error', { status, statusText: 'Error' }));
+}
+/** Mock fetch: token first, then specific status for API call */
+function mockGraphWithApiStatus(apiStatus) {
+    let callCount = 0;
+    return vi.fn().mockImplementation(() => {
+        callCount++;
+        if (callCount === 1) {
+            return Promise.resolve(new Response(JSON.stringify({ access_token: 'graph-token-123', expires_in: 3600 }), {
+                status: 200,
+                headers: { 'Content-Type': 'application/json' },
+            }));
+        }
+        return Promise.resolve(new Response('Error', { status: apiStatus, statusText: 'Forbidden' }));
+    });
+}
+afterEach(() => {
+    clearTokenCache();
+});
+describe('graph pack', () => {
+    describe('token acquisition', () => {
+        it('acquires token via client_credentials grant', async () => {
+            const fetchFn = vi.fn().mockResolvedValue(new Response(JSON.stringify({ access_token: 'tok-abc', expires_in: 3600 }), {
+                status: 200,
+                headers: { 'Content-Type': 'application/json' },
+            }));
+            const token = await ensureGraphToken(graphCreds, fetchFn);
+            expect(token).toBe('tok-abc');
+            const [url, init] = callArgs(fetchFn, 0);
+            expect(url).toContain('login.microsoftonline.com/tenant-123/oauth2/v2.0/token');
+            expect(init.method).toBe('POST');
+            const body = init.body;
+            expect(body).toContain('grant_type=client_credentials');
+            expect(body).toContain('scope=https%3A%2F%2Fgraph.microsoft.com%2F.default');
+            expect(body).toContain('client_id=client-id');
+        });
+        it('caches token and reuses on subsequent calls', async () => {
+            const fetchFn = vi.fn().mockResolvedValue(new Response(JSON.stringify({ access_token: 'tok-cached', expires_in: 3600 }), {
+                status: 200,
+                headers: { 'Content-Type': 'application/json' },
+            }));
+            const t1 = await ensureGraphToken(graphCreds, fetchFn);
+            const t2 = await ensureGraphToken(graphCreds, fetchFn);
+            expect(t1).toBe('tok-cached');
+            expect(t2).toBe('tok-cached');
+            expect(fetchFn).toHaveBeenCalledTimes(1);
+        });
+        it('throws on token request failure', async () => {
+            const fetchFn = mockFetchError(401);
+            await expect(ensureGraphToken(graphCreds, fetchFn)).rejects.toThrow('Graph token request failed: 401');
+        });
+    });
+    describe('pagination', () => {
+        it('fetches a single page when no nextLink', async () => {
+            const fetchFn = mockGraphFetch([{ id: '1' }, { id: '2' }]);
+            const results = await graphFetch('/users', graphConfig, graphCreds, fetchFn);
+            expect(results).toEqual([{ id: '1' }, { id: '2' }]);
+        });
+        it('follows nextLink across multiple pages', async () => {
+            const fetchFn = mockGraphPaginated([[{ id: '1' }], [{ id: '2' }], [{ id: '3' }]]);
+            const results = await graphFetch('/users', graphConfig, graphCreds, fetchFn);
+            expect(results).toEqual([{ id: '1' }, { id: '2' }, { id: '3' }]);
+        });
+        it('caps at maxPages', async () => {
+            const fetchFn = mockGraphPaginated([[{ id: '1' }], [{ id: '2' }], [{ id: '3' }]]);
+            const results = await graphFetch('/users', graphConfig, graphCreds, fetchFn, undefined, 2);
+            expect(results).toEqual([{ id: '1' }, { id: '2' }]);
+        });
+    });
+    describe('testConnection', () => {
+        it('returns true on 200', async () => {
+            const fetchFn = mockGraphFetch([{ id: 'org-1' }]);
+            const result = await graphPack.testConnection(graphConfig, graphCreds, fetchFn);
+            expect(result).toBe(true);
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('/organization');
+            expect(url).toContain('$select=id');
+        });
+        it('returns false on non-200', async () => {
+            const fetchFn = mockGraphWithApiStatus(403);
+            const result = await graphPack.testConnection(graphConfig, graphCreds, fetchFn);
+            expect(result).toBe(false);
+        });
+        it('returns false on network error', async () => {
+            const fetchFn = vi.fn().mockRejectedValue(new Error('ECONNREFUSED'));
+            const result = await graphPack.testConnection(graphConfig, graphCreds, fetchFn);
+            expect(result).toBe(false);
+        });
+    });
+    describe('user.lookup', () => {
+        it('searches users by query with correct filter', async () => {
+            const users = [
+                { id: 'u1', displayName: 'Alice', mail: 'alice@corp.com', accountEnabled: true },
+            ];
+            const fetchFn = mockGraphFetch(users);
+            const result = (await handler('user.lookup')({ q: 'alice@corp.com' }, graphConfig, graphCreds, fetchFn));
+            expect(result.count).toBe(1);
+            expect(result.users).toEqual(users);
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('/users');
+            expect(url).toContain('alice%40corp.com');
+        });
+        it('throws when q is missing', async () => {
+            const fetchFn = mockGraphFetch([]);
+            await expect(handler('user.lookup')({}, graphConfig, graphCreds, fetchFn)).rejects.toThrow('q parameter is required');
+        });
+    });
+    describe('user.groups', () => {
+        it('returns group memberships filtered to groups', async () => {
+            const memberOf = [
+                {
+                    '@odata.type': '#microsoft.graph.group',
+                    id: 'g1',
+                    displayName: 'SG-Sonde-Users',
+                },
+                {
+                    '@odata.type': '#microsoft.graph.directoryRole',
+                    id: 'r1',
+                    displayName: 'Global Admin',
+                },
+            ];
+            const fetchFn = mockGraphFetch(memberOf);
+            const result = (await handler('user.groups')({ id: 'u1' }, graphConfig, graphCreds, fetchFn));
+            expect(result.count).toBe(1);
+            expect(result.groups[0]?.displayName).toBe('SG-Sonde-Users');
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('/users/u1/memberOf');
+        });
+        it('throws when id is missing', async () => {
+            const fetchFn = mockGraphFetch([]);
+            await expect(handler('user.groups')({}, graphConfig, graphCreds, fetchFn)).rejects.toThrow('id parameter is required');
+        });
+    });
+    describe('signin.recent', () => {
+        it('fetches sign-in logs for a user', async () => {
+            const signIns = [
+                {
+                    createdDateTime: '2026-01-01T12:00:00Z',
+                    appDisplayName: 'Outlook',
+                    ipAddress: '10.0.0.1',
+                },
+            ];
+            const fetchFn = mockGraphFetch(signIns);
+            const result = (await handler('signin.recent')({ user: 'alice@corp.com', hours: 12 }, graphConfig, graphCreds, fetchFn));
+            expect(result.count).toBe(1);
+            expect(result.periodHours).toBe(12);
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('/auditLogs/signIns');
+            expect(url).toContain('alice%40corp.com');
+        });
+        it('throws when user is missing', async () => {
+            const fetchFn = mockGraphFetch([]);
+            await expect(handler('signin.recent')({}, graphConfig, graphCreds, fetchFn)).rejects.toThrow('user parameter is required');
+        });
+    });
+    describe('users.risky', () => {
+        it('fetches risky users at specified level', async () => {
+            const risky = [{ id: 'u1', userDisplayName: 'Bob', riskLevel: 'high', riskState: 'atRisk' }];
+            const fetchFn = mockGraphFetch(risky);
+            const result = (await handler('users.risky')({ level: 'medium' }, graphConfig, graphCreds, fetchFn));
+            expect(result.count).toBe(1);
+            expect(result.riskLevel).toBe('medium');
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('/identityProtection/riskyUsers');
+            expect(url).toContain('medium');
+        });
+        it('defaults to high risk level', async () => {
+            const fetchFn = mockGraphFetch([]);
+            const result = (await handler('users.risky')({}, graphConfig, graphCreds, fetchFn));
+            expect(result.riskLevel).toBe('high');
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('high');
+        });
+    });
+    describe('intune.devices.compliance', () => {
+        it('fetches managed devices with optional user filter', async () => {
+            const devices = [
+                {
+                    id: 'd1',
+                    deviceName: 'LAPTOP-01',
+                    complianceState: 'compliant',
+                    userPrincipalName: 'alice@corp.com',
+                },
+            ];
+            const fetchFn = mockGraphFetch(devices);
+            const result = (await handler('intune.devices.compliance')({ user: 'alice@corp.com' }, graphConfig, graphCreds, fetchFn));
+            expect(result.count).toBe(1);
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('/deviceManagement/managedDevices');
+            expect(url).toContain('alice%40corp.com');
+        });
+        it('fetches all devices when no user filter', async () => {
+            const fetchFn = mockGraphFetch([]);
+            await handler('intune.devices.compliance')({}, graphConfig, graphCreds, fetchFn);
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('/deviceManagement/managedDevices');
+            expect(url).not.toContain('%24filter');
+        });
+    });
+    describe('intune.devices.noncompliant', () => {
+        it('fetches only noncompliant devices', async () => {
+            const devices = [{ id: 'd2', deviceName: 'LAPTOP-02', complianceState: 'noncompliant' }];
+            const fetchFn = mockGraphFetch(devices);
+            const result = (await handler('intune.devices.noncompliant')({}, graphConfig, graphCreds, fetchFn));
+            expect(result.count).toBe(1);
+            const [url] = callArgs(fetchFn, 1);
+            expect(url).toContain('noncompliant');
+        });
+    });
+    describe('Intune 403 handling', () => {
+        it('throws friendly error on 403 for Intune endpoints', async () => {
+            const fetchFn = mockGraphWithApiStatus(403);
+            await expect(handler('intune.devices.compliance')({}, graphConfig, graphCreds, fetchFn)).rejects.toThrow('Intune license or permissions required');
+        });
+    });
+    describe('intune.apps.status', () => {
+        it('fetches apps with install summaries', async () => {
+            // Call 1: token, Call 2: mobileApps list, Call 3: token (cached), Call 4: installSummary
+            let callCount = 0;
+            const fetchFn = vi.fn().mockImplementation((url) => {
+                callCount++;
+                if (callCount === 1) {
+                    return Promise.resolve(new Response(JSON.stringify({ access_token: 'graph-token-123', expires_in: 3600 }), {
+                        status: 200,
+                        headers: { 'Content-Type': 'application/json' },
+                    }));
+                }
+                if (callCount === 2) {
+                    return Promise.resolve(new Response(JSON.stringify({ value: [{ id: 'app1', displayName: 'Teams', publisher: 'MS' }] }), { status: 200, headers: { 'Content-Type': 'application/json' } }));
+                }
+                // installSummary call
+                if (typeof url === 'string' && url.includes('installSummary')) {
+                    return Promise.resolve(new Response(JSON.stringify({ installedDeviceCount: 10, failedDeviceCount: 2 }), {
+                        status: 200,
+                        headers: { 'Content-Type': 'application/json' },
+                    }));
+                }
+                return Promise.resolve(new Response('{}', { status: 200 }));
+            });
+            const result = (await handler('intune.apps.status')({}, graphConfig, graphCreds, fetchFn));
+            expect(result.count).toBe(1);
+            expect(result.apps[0]?.displayName).toBe('Teams');
+            expect(result.apps[0]?.installSummary).toEqual({
+                installedDeviceCount: 10,
+                failedDeviceCount: 2,
+            });
+        });
+    });
+    describe('manifest', () => {
+        it('has correct name and probe count', () => {
+            expect(graphPack.manifest.name).toBe('graph');
+            expect(graphPack.manifest.probes).toHaveLength(7);
+        });
+        it('all handlers match manifest probes', () => {
+            const probeNames = graphPack.manifest.probes.map((p) => p.name);
+            const handlerNames = Object.keys(graphPack.handlers);
+            expect(handlerNames.sort()).toEqual(probeNames.sort());
+        });
+        it('has correct timeouts (15s for user probes, 30s for sign-in/Intune)', () => {
+            const probeMap = new Map(graphPack.manifest.probes.map((p) => [p.name, p.timeout]));
+            expect(probeMap.get('user.lookup')).toBe(15000);
+            expect(probeMap.get('user.groups')).toBe(15000);
+            expect(probeMap.get('users.risky')).toBe(15000);
+            expect(probeMap.get('signin.recent')).toBe(30000);
+            expect(probeMap.get('intune.devices.compliance')).toBe(30000);
+            expect(probeMap.get('intune.devices.noncompliant')).toBe(30000);
+            expect(probeMap.get('intune.apps.status')).toBe(30000);
+        });
+        it('has identity runbook', () => {
+            expect(graphPack.manifest.runbook).toEqual({
+                category: 'identity',
+                probes: ['user.lookup', 'users.risky', 'intune.devices.noncompliant'],
+                parallel: true,
+            });
+        });
+    });
+    describe('error handling', () => {
+        it('throws on non-200 API response', async () => {
+            const fetchFn = mockGraphWithApiStatus(500);
+            await expect(handler('user.lookup')({ q: 'test' }, graphConfig, graphCreds, fetchFn)).rejects.toThrow('Graph API returned 500');
+        });
+    });
+});
+//# sourceMappingURL=graph.test.js.map