m365-agent-cli 1.2.0

package/src/commands/verify-token.ts

@@ -0,0 +1,62 @@
+import { Command } from 'commander';
+import { resolveGraphAuth } from '../lib/graph-auth.js';
+
+export const verifyTokenCommand = new Command('verify-token')
+  .description('Verify Graph API token scopes and permissions')
+  .option('--token <token>', 'Use a specific Graph token')
+  .option('--identity <name>', 'Graph token cache identity (default: default)')
+  .option('--json', 'Output as JSON')
+  .action(async (options: { token?: string; json?: boolean; identity?: string }) => {
+    const authResult = await resolveGraphAuth({ token: options.token, identity: options.identity });
+    if (!authResult.success || !authResult.token) {
+      if (options.json) {
+        console.log(JSON.stringify({ error: authResult.error || 'Failed to resolve auth token' }, null, 2));
+      } else {
+        console.error(`Error: ${authResult.error || 'Failed to resolve auth token'}`);
+      }
+      process.exit(1);
+    }
+
+    const token = authResult.token;
+    try {
+      const parts = token.split('.');
+      if (parts.length !== 3) throw new Error('Invalid JWT format');
+      const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+
+      if (options.json) {
+        console.log(JSON.stringify(payload, null, 2));
+        return;
+      }
+
+      console.log('\u2713 Token Verified\n');
+      console.log(`  App ID: ${payload.appid || 'N/A'}`);
+      console.log(`  Tenant: ${payload.tid || 'N/A'}`);
+      console.log(`  User:   ${payload.upn || payload.email || 'N/A'}`);
+      console.log(`  Name:   ${payload.name || 'N/A'}`);
+
+      if (payload.scp) {
+        console.log('\n  Delegated Scopes (scp):');
+        payload.scp.split(' ').forEach((scope: string) => {
+          console.log(`    - ${scope}`);
+        });
+      }
+
+      if (payload.roles && Array.isArray(payload.roles)) {
+        console.log('\n  Application Roles (roles):');
+        payload.roles.forEach((role: string) => {
+          console.log(`    - ${role}`);
+        });
+      }
+
+      if (!payload.scp && (!payload.roles || payload.roles.length === 0)) {
+        console.log('\n  No scopes or roles found in token.');
+      }
+    } catch (err: any) {
+      if (options.json) {
+        console.log(JSON.stringify({ error: `Failed to parse token: ${err.message}` }, null, 2));
+      } else {
+        console.error(`Failed to parse token: ${err.message}`);
+      }
+      process.exit(1);
+    }
+  });

package/src/commands/whoami.ts

@@ -0,0 +1,74 @@
+import { Command } from 'commander';
+import { resolveAuth } from '../lib/auth.js';
+import { getOwaUserInfo } from '../lib/ews-client.js';
+
+export const whoamiCommand = new Command('whoami')
+  .description('Show authenticated user information')
+  .option('--json', 'Output as JSON')
+  .option('--token <token>', 'Use a specific token')
+  .option('--identity <name>', 'Use a specific authentication identity (default: default)')
+  .action(async (options: { json?: boolean; token?: string; identity?: string }) => {
+    const authResult = await resolveAuth({
+      token: options.token,
+      identity: options.identity
+    });
+
+    if (!authResult.success) {
+      if (options.json) {
+        console.log(JSON.stringify({ error: authResult.error }, null, 2));
+      } else {
+        console.error(`Error: ${authResult.error}`);
+        console.error('\nCheck your .env file for EWS_CLIENT_ID and EWS_REFRESH_TOKEN.');
+      }
+      process.exit(1);
+    }
+
+    const userInfo = await getOwaUserInfo(authResult.token!);
+
+    if (!userInfo.ok || !userInfo.data) {
+      if (options.json) {
+        console.log(
+          JSON.stringify(
+            {
+              error: userInfo.error?.message || 'Failed to fetch user info',
+              authenticated: true
+            },
+            null,
+            2
+          )
+        );
+      } else {
+        console.log('\u2713 Authenticated');
+        console.log('  Could not fetch user details from EWS API');
+      }
+      process.exit(0);
+    }
+
+    const { displayName, email } = userInfo.data;
+
+    if (options.json) {
+      const result: { displayName: string; email: string; authenticated: boolean; identity?: string } = {
+        displayName,
+        email,
+        authenticated: true
+      };
+
+      // Only include identity if token-based auth was not used
+      if (!options.token) {
+        result.identity = options.identity || 'default';
+      }
+
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      console.log('\u2713 Authenticated');
+
+      // Only display identity if token-based auth was not used
+      if (!options.token) {
+        const identity = options.identity || 'default';
+        console.log(`  Identity: ${identity}`);
+      }
+
+      console.log(`  Name: ${displayName}`);
+      console.log(`  Email: ${email}`);
+    }
+  });

package/src/index.ts

@@ -0,0 +1,190 @@
+// Library exports for programmatic usage
+
+export type { AuthResult } from './lib/auth.js';
+export { resolveAuth } from './lib/auth.js';
+export type {
+  AddDelegateOptions,
+  DelegateFolderPermissionLevel,
+  DelegateInfo,
+  DelegatePermissions,
+  DeliverMeetingRequests,
+  RemoveDelegateOptions,
+  UpdateDelegateOptions
+} from './lib/delegate-client.js';
+// Delegate management
+export {
+  addDelegate,
+  getDelegates,
+  removeDelegate,
+  updateDelegate
+} from './lib/delegate-client.js';
+export type {
+  Attachment,
+  AttachmentListResponse,
+  AutoReplyRule,
+  CalendarAttendee,
+  CalendarEvent,
+  CreatedEvent,
+  CreateEventOptions,
+  EmailAttachment,
+  EmailListResponse,
+  EmailMessage,
+  FreeBusySlot,
+  GetEmailsOptions,
+  MailFolder,
+  MailFolderListResponse,
+  OwaError,
+  OwaResponse,
+  OwaUserInfo,
+  Recurrence,
+  RecurrencePattern,
+  RecurrenceRange,
+  ReferenceAttachmentInput,
+  RespondToEventOptions,
+  ResponseType,
+  Room,
+  RoomList,
+  ScheduleInfo,
+  UpdateEventOptions
+} from './lib/ews-client.js';
+export {
+  addAttachmentToDraft,
+  addCalendarEventAttachments,
+  addReferenceAttachmentToDraft,
+  cancelEvent,
+  createDraft,
+  createEvent,
+  createMailFolder,
+  deleteDraftById,
+  deleteEvent,
+  deleteMailFolder,
+  forwardEmail,
+  getAttachment,
+  getAttachments,
+  getAutoReplyRule,
+  getCalendarEvent,
+  getCalendarEvents,
+  getEmail,
+  getEmails,
+  getFreeBusy,
+  getMailFolders,
+  getMyFreeBusySlots,
+  getOwaUserInfo,
+  getRoomLists,
+  getRooms,
+  getScheduleViaOutlook,
+  moveEmail,
+  replyToEmail,
+  replyToEmailDraft,
+  resolveNames,
+  respondToEvent,
+  searchRooms,
+  sendDraftById,
+  sendEmail,
+  setAutoReplyRule,
+  updateDraft,
+  updateEmail,
+  updateEvent,
+  updateMailFolder,
+  validateSession
+} from './lib/ews-client.js';
+export type { GraphAuthResult } from './lib/graph-auth.js';
+export { resolveGraphAuth } from './lib/graph-auth.js';
+export type {
+  CheckinResult,
+  DriveItem,
+  DriveItemListResponse,
+  DriveItemReference,
+  GraphError,
+  GraphResponse,
+  OfficeCollabLinkResult,
+  SharingLinkResult,
+  UploadLargeResult
+} from './lib/graph-client.js';
+export {
+  checkinFile,
+  checkoutFile,
+  cleanupDownloadedFile,
+  createOfficeCollaborationLink,
+  defaultDownloadPath,
+  deleteFile,
+  downloadFile,
+  getFileMetadata,
+  listFiles,
+  searchFiles,
+  shareFile,
+  uploadFile,
+  uploadLargeFile
+} from './lib/graph-client.js';
+export type {
+  Group,
+  Person,
+  User
+} from './lib/graph-directory.js';
+export {
+  expandGroup,
+  searchGroups,
+  searchPeople,
+  searchUsers
+} from './lib/graph-directory.js';
+export type {
+  AttendeeBase,
+  FindMeetingTimesRequest,
+  FindMeetingTimesResponse,
+  GetScheduleRequest,
+  GetScheduleResponse,
+  MeetingTimeSuggestion,
+  ScheduleInformation,
+  TimeConstraint
+} from './lib/graph-schedule.js';
+export { findMeetingTimes, getSchedule } from './lib/graph-schedule.js';
+export type { Subscription } from './lib/graph-subscriptions.js';
+export {
+  createSubscription,
+  deleteSubscription,
+  listSubscriptions,
+  renewSubscription
+} from './lib/graph-subscriptions.js';
+export { graphUserPath } from './lib/graph-user-path.js';
+export type { AutomaticRepliesSetting, MailboxSettings, OofStatus } from './lib/oof-client.js';
+export { getMailboxSettings, setMailboxSettings } from './lib/oof-client.js';
+export type { Place as PlaceRoom, RoomList as PlaceRoomList } from './lib/places-client.js';
+// places-client re-exports (aliases from EWS: getRoomLists/getRooms conflict)
+export { listPlaceRoomLists as getPlaceRoomLists, listRoomsInRoomList as getPlaceRooms } from './lib/places-client.js';
+export type {
+  CreateMessageRulePayload,
+  MessageRule,
+  MessageRuleAction,
+  MessageRuleCondition,
+  UpdateMessageRulePayload
+} from './lib/rules-client.js';
+// Inbox rules
+export {
+  createMessageRule,
+  deleteMessageRule,
+  getMessageRule,
+  listMessageRules,
+  updateMessageRule
+} from './lib/rules-client.js';
+export type {
+  CreateTaskOptions,
+  TodoChecklistItem,
+  TodoImportance,
+  TodoLinkedResource,
+  TodoList,
+  TodoStatus,
+  TodoTask,
+  UpdateTaskOptions
+} from './lib/todo-client.js';
+// To-Do
+export {
+  addChecklistItem,
+  createTask,
+  deleteChecklistItem,
+  deleteTask,
+  getTask,
+  getTasks,
+  getTodoList,
+  getTodoLists,
+  updateTask
+} from './lib/todo-client.js';

package/src/lib/atomic-write.ts

@@ -0,0 +1,20 @@
+import { randomBytes } from 'node:crypto';
+import { mkdir, rename, unlink, writeFile } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+
+/**
+ * Write UTF-8 text atomically (temp file in same directory, then rename).
+ * Avoids readers observing partial writes and pairs well with validation before persist.
+ */
+export async function atomicWriteUtf8File(targetPath: string, data: string, mode: number): Promise<void> {
+  const dir = dirname(targetPath);
+  await mkdir(dir, { recursive: true, mode: 0o700 });
+  const tmp = join(dir, `.${randomBytes(16).toString('hex')}.tmp`);
+  try {
+    await writeFile(tmp, data, { encoding: 'utf8', mode });
+    await rename(tmp, targetPath);
+  } catch (err) {
+    await unlink(tmp).catch(() => {});
+    throw err;
+  }
+}

package/src/lib/attach-link-spec.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, test } from 'bun:test';
+import { AttachmentLinkSpecError, parseAttachLinkSpec, validateHttpsUrlForAttachment } from './attach-link-spec.js';
+
+describe('attach-link-spec', () => {
+  test('validateHttpsUrlForAttachment accepts https', () => {
+    expect(validateHttpsUrlForAttachment('https://example.com/path?q=1')).toBe('https://example.com/path?q=1');
+  });
+
+  test('validateHttpsUrlForAttachment rejects http', () => {
+    expect(() => validateHttpsUrlForAttachment('http://example.com')).toThrow(AttachmentLinkSpecError);
+  });
+
+  test('parseAttachLinkSpec splits name and url', () => {
+    const p = parseAttachLinkSpec('Agenda|https://example.com/doc.pdf');
+    expect(p.name).toBe('Agenda');
+    expect(p.url).toBe('https://example.com/doc.pdf');
+  });
+
+  test('parseAttachLinkSpec bare url derives name', () => {
+    const p = parseAttachLinkSpec('https://example.com/folder/doc.pdf');
+    expect(p.url).toBe('https://example.com/folder/doc.pdf');
+    expect(p.name).toBe('doc.pdf');
+  });
+});

package/src/lib/attach-link-spec.ts

@@ -0,0 +1,70 @@
+/** Parse and validate --attach-link values: "Display name|https://..." or a bare https URL. */
+
+export class AttachmentLinkSpecError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'AttachmentLinkSpecError';
+  }
+}
+
+function deriveNameFromUrl(urlStr: string): string {
+  try {
+    const u = new URL(urlStr);
+    const path = u.pathname.split('/').filter(Boolean);
+    const last = path[path.length - 1];
+    if (last && last.length > 0 && last.length < 120) {
+      return decodeURIComponent(last.replace(/\+/g, ' '));
+    }
+    return u.hostname || 'Link';
+  } catch {
+    return 'Link';
+  }
+}
+
+/** Only https URLs (no javascript:, file:, etc.). */
+export function validateHttpsUrlForAttachment(urlRaw: string): string {
+  const trimmed = urlRaw.trim();
+  if (!trimmed) {
+    throw new AttachmentLinkSpecError('Attachment link URL is empty');
+  }
+  let url: URL;
+  try {
+    url = new URL(trimmed);
+  } catch {
+    throw new AttachmentLinkSpecError(`Invalid attachment link URL: ${trimmed}`);
+  }
+  if (url.protocol !== 'https:') {
+    throw new AttachmentLinkSpecError('Attachment link URL must use https://');
+  }
+  if (url.username || url.password) {
+    throw new AttachmentLinkSpecError('Attachment link URL must not include credentials');
+  }
+  return url.toString();
+}
+
+export interface ParsedAttachLink {
+  name: string;
+  url: string;
+}
+
+export function parseAttachLinkSpec(spec: string): ParsedAttachLink {
+  const s = spec.trim();
+  if (!s) {
+    throw new AttachmentLinkSpecError('Empty --attach-link value');
+  }
+  const pipe = s.indexOf('|');
+  let name: string;
+  let urlRaw: string;
+  if (pipe === -1) {
+    urlRaw = s;
+    name = deriveNameFromUrl(urlRaw);
+  } else {
+    name = s.slice(0, pipe).trim();
+    urlRaw = s.slice(pipe + 1).trim();
+    if (!name) {
+      name = deriveNameFromUrl(urlRaw);
+    }
+  }
+  const url = validateHttpsUrlForAttachment(urlRaw);
+  return { name, url };
+}

package/src/lib/attachments.ts

@@ -0,0 +1,79 @@
+import { lstat, realpath, stat } from 'node:fs/promises';
+import { isAbsolute, normalize, resolve, sep } from 'node:path';
+
+const MAX_ATTACHMENT_SIZE_BYTES = 25 * 1024 * 1024;
+
+export interface ValidatedAttachmentPath {
+  inputPath: string;
+  absolutePath: string;
+  fileName: string;
+  size: number;
+}
+
+export class AttachmentPathError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'AttachmentPathError';
+  }
+}
+
+function hasParentTraversal(inputPath: string): boolean {
+  const normalizedInput = normalize(inputPath);
+  return normalizedInput.split(/[\\/]+/).includes('..');
+}
+
+export async function validateAttachmentPath(
+  inputPath: string,
+  allowedBaseDir: string
+): Promise<ValidatedAttachmentPath> {
+  if (!inputPath?.trim()) {
+    throw new AttachmentPathError('Attachment path cannot be empty');
+  }
+
+  if (hasParentTraversal(inputPath)) {
+    throw new AttachmentPathError(`Path traversal is not allowed in attachment path: ${inputPath}`);
+  }
+
+  if (inputPath.startsWith('~')) {
+    throw new AttachmentPathError(`Home directory shortcuts (~) are not allowed for attachments: ${inputPath}`);
+  }
+
+  if (isAbsolute(inputPath)) {
+    throw new AttachmentPathError(`Absolute paths are not allowed for attachments: ${inputPath}`);
+  }
+
+  const candidatePath = resolve(allowedBaseDir, inputPath);
+  const realAllowedBase = await realpath(allowedBaseDir);
+
+  let realCandidatePath: string;
+  try {
+    realCandidatePath = await realpath(candidatePath);
+  } catch {
+    throw new AttachmentPathError(`Attachment does not exist: ${inputPath}`);
+  }
+
+  if (realCandidatePath !== realAllowedBase && !realCandidatePath.startsWith(`${realAllowedBase}${sep}`)) {
+    throw new AttachmentPathError(`Attachment path escapes the allowed directory: ${inputPath}`);
+  }
+
+  const symbolicLinkInfo = await lstat(candidatePath);
+  if (symbolicLinkInfo.isSymbolicLink()) {
+    throw new AttachmentPathError(`Symbolic links are not allowed for attachments: ${inputPath}`);
+  }
+
+  const fileInfo = await stat(realCandidatePath);
+  if (!fileInfo.isFile()) {
+    throw new AttachmentPathError(`Not a file: ${inputPath}`);
+  }
+
+  if (fileInfo.size > MAX_ATTACHMENT_SIZE_BYTES) {
+    throw new AttachmentPathError(`File too large (>25MB): ${inputPath}`);
+  }
+
+  return {
+    inputPath,
+    absolutePath: realCandidatePath,
+    fileName: realCandidatePath.split(/[\\/]/).pop() || inputPath,
+    size: fileInfo.size
+  };
+}