m365-agent-cli 1.2.0

package/src/lib/auth.ts

@@ -0,0 +1,192 @@
+import { mkdir, readFile, rename, stat } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { atomicWriteUtf8File } from './atomic-write.js';
+import { getJwtExpiration, getMicrosoftTenantPathSegment, isValidJwtStructure } from './jwt-utils.js';
+
+export interface AuthResult {
+  success: boolean;
+  token?: string;
+  error?: string;
+}
+
+interface CachedToken {
+  accessToken: string;
+  refreshToken: string;
+  expiresAt: number;
+}
+
+function assertCachedToken(data: unknown): CachedToken {
+  if (!data || typeof data !== 'object') throw new Error('invalid token cache');
+  const o = data as Record<string, unknown>;
+  if (typeof o.accessToken !== 'string' || o.accessToken.length > 100_000) throw new Error('invalid token cache');
+  if (typeof o.refreshToken !== 'string' || o.refreshToken.length > 100_000) throw new Error('invalid token cache');
+  if (typeof o.expiresAt !== 'number' || !Number.isFinite(o.expiresAt)) throw new Error('invalid token cache');
+  return { accessToken: o.accessToken, refreshToken: o.refreshToken, expiresAt: o.expiresAt };
+}
+
+// Security model: cache file stores bearer/refresh tokens and must be owner-only.
+// Directory is created as 0700 and file writes enforce 0600 to satisfy least-privilege.
+// The cache path is anchored to a fixed, local per-user directory under homedir();
+// network values (token contents) are written only as file data, never used to select
+// an arbitrary write location.
+const TOKEN_CACHE_FILE_TEMPLATE = join(homedir(), '.config', 'm365-agent-cli', 'token-cache-{identity}.json');
+const OLD_TOKEN_CACHE_FILE_TEMPLATE = join(homedir(), '.config', 'clippy', 'token-cache-{identity}.json');
+
+async function migrateTokenCache(identity: string): Promise<void> {
+  const TOKEN_CACHE_FILE = TOKEN_CACHE_FILE_TEMPLATE.replace('{identity}', identity);
+  const OLD_TOKEN_CACHE_FILE = OLD_TOKEN_CACHE_FILE_TEMPLATE.replace('{identity}', identity);
+
+  try {
+    const newStats = await stat(TOKEN_CACHE_FILE).catch(() => null);
+    if (!newStats) {
+      const oldStats = await stat(OLD_TOKEN_CACHE_FILE).catch(() => null);
+      if (oldStats) {
+        const dir = join(homedir(), '.config', 'm365-agent-cli');
+        await mkdir(dir, { recursive: true, mode: 0o700 });
+        await rename(OLD_TOKEN_CACHE_FILE, TOKEN_CACHE_FILE);
+      }
+    }
+  } catch (_err) {
+    // Ignore migration errors
+  }
+}
+
+async function loadCachedToken(identity: string): Promise<CachedToken | null> {
+  await migrateTokenCache(identity);
+  try {
+    const TOKEN_CACHE_FILE = TOKEN_CACHE_FILE_TEMPLATE.replace('{identity}', identity);
+    const data = await readFile(TOKEN_CACHE_FILE, 'utf-8');
+    return assertCachedToken(JSON.parse(data));
+  } catch {
+    return null;
+  }
+}
+
+async function saveCachedToken(identity: string, token: CachedToken): Promise<void> {
+  try {
+    const safe = assertCachedToken(token);
+    const TOKEN_CACHE_FILE = TOKEN_CACHE_FILE_TEMPLATE.replace('{identity}', identity);
+    await atomicWriteUtf8File(TOKEN_CACHE_FILE, JSON.stringify(safe, null, 2), 0o600);
+  } catch (err) {
+    console.error(`Failed to write token cache for identity '${identity}':`, err instanceof Error ? err.message : err);
+  }
+}
+
+async function refreshAccessToken(clientId: string, refreshToken: string, tenant: string): Promise<CachedToken> {
+  const scopes = [
+    'https://outlook.office365.com/EWS.AccessAsUser.All offline_access',
+    'https://outlook.office365.com/.default offline_access'
+  ];
+
+  let lastError = '';
+
+  for (const scope of scopes) {
+    const response = await fetch(`https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: clientId,
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        scope
+      }).toString()
+    });
+
+    const json = (await response.json()) as {
+      access_token?: string;
+      refresh_token?: string;
+      expires_in?: number;
+      error?: string;
+      error_description?: string;
+    };
+
+    if (response.ok && json.access_token) {
+      const accessToken = json.access_token;
+
+      // Refuse to cache tokens that are not well-formed JWTs
+      if (!isValidJwtStructure(accessToken)) {
+        throw new Error('OAuth server returned an invalid token structure — refusing to cache');
+      }
+
+      const expiresAt = getJwtExpiration(accessToken) ?? Date.now() + (json.expires_in || 3600) * 1000;
+      if (expiresAt <= Date.now()) {
+        throw new Error('OAuth server returned an already-expired token — refusing to cache');
+      }
+
+      return {
+        accessToken,
+        refreshToken: json.refresh_token || refreshToken,
+        expiresAt
+      };
+    }
+
+    lastError = [json.error, json.error_description].filter(Boolean).join(': ') || `HTTP ${response.status}`;
+  }
+
+  throw new Error(`Token refresh failed: ${lastError}`);
+}
+
+export async function resolveAuth(options?: { token?: string; identity?: string }): Promise<AuthResult> {
+  if (options?.token) {
+    return { success: true, token: options.token };
+  }
+
+  try {
+    const clientId = process.env.EWS_CLIENT_ID;
+    const envRefreshToken = process.env.EWS_REFRESH_TOKEN;
+
+    if (!clientId || !envRefreshToken) {
+      return {
+        success: false,
+        error: 'Missing EWS_CLIENT_ID or EWS_REFRESH_TOKEN in environment. Check your .env file.'
+      };
+    }
+
+    const identity = options?.identity || 'default';
+
+    // Validate identity to prevent path traversal
+    if (!/^[a-zA-Z0-9_-]+$/.test(identity)) {
+      return {
+        success: false,
+        error: 'Invalid identity name. Only alphanumeric characters, hyphens, and underscores are allowed.'
+      };
+    }
+
+    const tenant = getMicrosoftTenantPathSegment();
+
+    // Check cached token
+    const cached = await loadCachedToken(identity);
+    if (cached && cached.expiresAt > Date.now() + 60_000) {
+      // Guard against corrupted cache: validate JWT structure before returning
+      if (!isValidJwtStructure(cached.accessToken)) {
+        // Treat a malformed cached token as if there were no cache
+      } else {
+        return { success: true, token: cached.accessToken };
+      }
+    }
+
+    // Refresh - try cached refresh token first (may have been rotated), then .env
+    const refreshTokens = [...new Set([cached?.refreshToken, envRefreshToken].filter((t): t is string => !!t))];
+
+    for (const rt of refreshTokens) {
+      try {
+        const result = await refreshAccessToken(clientId, rt, tenant);
+        await saveCachedToken(identity, result);
+        return { success: true, token: result.accessToken };
+      } catch {
+        // Try next
+      }
+    }
+
+    return {
+      success: false,
+      error: 'Token refresh failed. You may need to update EWS_REFRESH_TOKEN in .env.'
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : 'Authentication failed'
+    };
+  }
+}

package/src/lib/calendar-range.test.ts

@@ -0,0 +1,41 @@
+import { describe, expect, test } from 'bun:test';
+import {
+  businessDaysBackward,
+  businessDaysForward,
+  calendarDaysBackward,
+  calendarDaysForward
+} from './calendar-range.js';
+
+describe('calendar-range', () => {
+  test('calendarDaysForward: 3 days from Thu', () => {
+    const anchor = new Date(2026, 3, 2); // Thu Apr 2 2026
+    const { start, endExclusive } = calendarDaysForward(anchor, 3);
+    expect(start.getDate()).toBe(2);
+    expect(endExclusive.getDate()).toBe(5); // exclusive end = Apr 5 00:00
+  });
+
+  test('calendarDaysBackward: 3 days ending Wed', () => {
+    const anchor = new Date(2026, 3, 8); // Wed Apr 8
+    const { start, endExclusive } = calendarDaysBackward(anchor, 3);
+    expect(start.getDate()).toBe(6);
+    expect(endExclusive.getDate()).toBe(9);
+  });
+
+  test('businessDaysForward: 5 days from Thu skips weekend', () => {
+    const anchor = new Date(2026, 3, 2); // Thu
+    const { start, endExclusive } = businessDaysForward(anchor, 5);
+    expect(start.getDay()).toBe(4); // Thu
+    const last = new Date(endExclusive);
+    last.setDate(last.getDate() - 1);
+    expect(last.getDay()).toBe(3); // Wed next week
+  });
+
+  test('businessDaysBackward: 5 days ending Wed', () => {
+    const anchor = new Date(2026, 3, 8); // Wed
+    const { start, endExclusive } = businessDaysBackward(anchor, 5);
+    expect(start.getDate()).toBe(2); // Thu prior week
+    const last = new Date(endExclusive);
+    last.setDate(last.getDate() - 1);
+    expect(last.getDate()).toBe(8);
+  });
+});

package/src/lib/calendar-range.ts

@@ -0,0 +1,103 @@
+/** Helpers for calendar date windows (business days vs calendar days). */
+
+export function isWeekend(d: Date): boolean {
+  const day = d.getDay();
+  return day === 0 || day === 6;
+}
+
+const WEEK_KEYWORDS = new Set(['week', 'thisweek', 'lastweek', 'nextweek']);
+
+export function isWeekRangeKeyword(startDay: string): boolean {
+  return WEEK_KEYWORDS.has(startDay.toLowerCase().trim());
+}
+
+/** Forward N calendar days inclusive from anchor (first day = anchor at local midnight). */
+export function calendarDaysForward(anchor: Date, n: number): { start: Date; endExclusive: Date } {
+  if (!Number.isFinite(n) || n < 1) {
+    throw new Error('--days must be a positive integer');
+  }
+  const start = new Date(anchor);
+  start.setHours(0, 0, 0, 0);
+  const lastDay = new Date(start);
+  lastDay.setDate(lastDay.getDate() + n - 1);
+  const endExclusive = new Date(lastDay);
+  endExclusive.setDate(endExclusive.getDate() + 1);
+  endExclusive.setHours(0, 0, 0, 0);
+  return { start, endExclusive };
+}
+
+/** Last N calendar days inclusive ending on anchor (anchor day included). */
+export function calendarDaysBackward(anchor: Date, n: number): { start: Date; endExclusive: Date } {
+  if (!Number.isFinite(n) || n < 1) {
+    throw new Error('--previous-days must be a positive integer');
+  }
+  const endDay = new Date(anchor);
+  endDay.setHours(0, 0, 0, 0);
+  const start = new Date(endDay);
+  start.setDate(start.getDate() - (n - 1));
+  const endExclusive = new Date(endDay);
+  endExclusive.setDate(endExclusive.getDate() + 1);
+  endExclusive.setHours(0, 0, 0, 0);
+  return { start, endExclusive };
+}
+
+/** N weekdays (Mon–Fri) inclusive forward; if anchor is Sat/Sun, first counted day is next Monday. */
+export function businessDaysForward(anchor: Date, n: number): { start: Date; endExclusive: Date } {
+  if (!Number.isFinite(n) || n < 1) {
+    throw new Error('--business-days must be a positive integer');
+  }
+  const cur = new Date(anchor);
+  cur.setHours(0, 0, 0, 0);
+  while (isWeekend(cur)) {
+    cur.setDate(cur.getDate() + 1);
+  }
+  const start = new Date(cur);
+  let count = 0;
+  while (count < n) {
+    if (!isWeekend(cur)) {
+      count++;
+    }
+    if (count === n) {
+      break;
+    }
+    cur.setDate(cur.getDate() + 1);
+  }
+  const endExclusive = new Date(cur);
+  endExclusive.setDate(endExclusive.getDate() + 1);
+  endExclusive.setHours(0, 0, 0, 0);
+  return { start, endExclusive };
+}
+
+/** N weekdays inclusive looking backward from anchor; if anchor is Sat/Sun, range ends on previous Friday. */
+export function businessDaysBackward(anchor: Date, n: number): { start: Date; endExclusive: Date } {
+  if (!Number.isFinite(n) || n < 1) {
+    throw new Error('--previous-business-days must be a positive integer');
+  }
+  const cur = new Date(anchor);
+  cur.setHours(0, 0, 0, 0);
+  while (isWeekend(cur)) {
+    cur.setDate(cur.getDate() - 1);
+  }
+  let count = 0;
+  let start = new Date(cur);
+  while (count < n) {
+    if (!isWeekend(cur)) {
+      count++;
+      start = new Date(cur);
+    }
+    if (count === n) {
+      break;
+    }
+    cur.setDate(cur.getDate() - 1);
+  }
+  start.setHours(0, 0, 0, 0);
+  const endDay = new Date(anchor);
+  endDay.setHours(0, 0, 0, 0);
+  while (isWeekend(endDay)) {
+    endDay.setDate(endDay.getDate() - 1);
+  }
+  const endExclusive = new Date(endDay);
+  endExclusive.setDate(endExclusive.getDate() + 1);
+  endExclusive.setHours(0, 0, 0, 0);
+  return { start, endExclusive };
+}

package/src/lib/dates.test.ts

@@ -0,0 +1,74 @@
+import { describe, expect, it } from 'bun:test';
+import { parseDay, parseTimeToDate, toLocalUnzonedISOString, toUTCISOString } from './dates.js';
+
+describe('dates helpers', () => {
+  it('parseTimeToDate handles HH:MM and am/pm inputs', () => {
+    const base = new Date('2026-03-27T00:00:00');
+
+    expect(parseTimeToDate('13:45', base).getHours()).toBe(13);
+    expect(parseTimeToDate('13:45', base).getMinutes()).toBe(45);
+    expect(parseTimeToDate('1pm', base).getHours()).toBe(13);
+    expect(parseTimeToDate('12am', base).getHours()).toBe(0);
+  });
+
+  it('toLocalUnzonedISOString formats as local time without Z', () => {
+    const date = new Date(2026, 2, 27, 9, 5, 7); // local time
+    const result = toLocalUnzonedISOString(date);
+    expect(result).toBe('2026-03-27T09:05:07');
+  });
+
+  it('parseTimeToDate throws on invalid input when configured', () => {
+    const base = new Date('2026-03-27T00:00:00');
+    const opts = { throwOnInvalid: true };
+
+    // Format errors
+    expect(() => parseTimeToDate('not-a-time', base, opts)).toThrow(
+      'Invalid time format: "not-a-time" — expected HH:MM, H:MM, or H(am|pm)'
+    );
+
+    // Value bounds
+    expect(() => parseTimeToDate('25:00', base, opts)).toThrow(
+      'Invalid time: "25:00" — hours must be 0–23 and minutes 0–59'
+    );
+    expect(() => parseTimeToDate('9:60', base, opts)).toThrow(
+      'Invalid time: "9:60" — hours must be 0–23 and minutes 0–59'
+    );
+
+    // AM/PM bounds
+    expect(() => parseTimeToDate('13pm', base, opts)).toThrow('Invalid time: "13pm" — 12-hour values must be 1–12');
+    expect(() => parseTimeToDate('0am', base, opts)).toThrow('Invalid time: "0am" — 12-hour values must be 1–12');
+
+    // 24-hour hour-only bounds
+    expect(() => parseTimeToDate('24', base, opts)).toThrow('Invalid time: "24" — 24-hour values must be 0–23');
+  });
+
+  it('toUTCISOString formats as UTC with Z suffix', () => {
+    const date = new Date(Date.UTC(2026, 2, 27, 9, 5, 7));
+    const result = toUTCISOString(date);
+    expect(result).toBe('2026-03-27T09:05:07.000Z');
+  });
+
+  it('parseDay supports relative values and weekday directions', () => {
+    const base = new Date('2026-03-25T10:00:00'); // Wednesday
+
+    expect(parseDay('today', { baseDate: base }).getDate()).toBe(25);
+    expect(parseDay('tomorrow', { baseDate: base }).getDate()).toBe(26);
+    expect(parseDay('yesterday', { baseDate: base }).getDate()).toBe(24);
+
+    const nextMonday = parseDay('monday', { baseDate: base, weekdayDirection: 'next' });
+    expect(nextMonday.toISOString().slice(0, 10)).toBe('2026-03-30');
+
+    const prevMonday = parseDay('monday', { baseDate: base, weekdayDirection: 'previous' });
+    expect(prevMonday.toISOString().slice(0, 10)).toBe('2026-03-23');
+
+    const forwardMonday = parseDay('monday', {
+      baseDate: new Date('2026-03-30T10:00:00'),
+      weekdayDirection: 'nearestForward'
+    });
+    expect(forwardMonday.toISOString().slice(0, 10)).toBe('2026-03-30');
+  });
+
+  it('parseDay throws on invalid input when configured', () => {
+    expect(() => parseDay('not-a-date', { throwOnInvalid: true })).toThrow('Invalid day value: not-a-date');
+  });
+});

package/src/lib/dates.ts

@@ -0,0 +1,137 @@
+const WEEKDAYS = ['sunday', 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday'] as const;
+
+export interface ParseDayOptions {
+  baseDate?: Date;
+  weekdayDirection?: 'next' | 'previous' | 'nearestForward';
+  throwOnInvalid?: boolean;
+}
+
+export interface ParseTimeToDateOptions {
+  throwOnInvalid?: boolean;
+}
+
+export function parseTimeToDate(
+  timeStr: string,
+  baseDate: Date = new Date(),
+  options: ParseTimeToDateOptions = {}
+): Date {
+  const { throwOnInvalid = false } = options;
+  const result = new Date(baseDate);
+
+  const timeMatch = timeStr.match(/^(\d{1,2}):(\d{2})$/);
+  if (timeMatch) {
+    const hours = parseInt(timeMatch[1], 10);
+    const minutes = parseInt(timeMatch[2], 10);
+    if (throwOnInvalid && (hours < 0 || hours > 23 || minutes < 0 || minutes > 59)) {
+      throw new Error(`Invalid time: "${timeStr}" — hours must be 0–23 and minutes 0–59`);
+    }
+    result.setHours(hours, minutes, 0, 0);
+    return result;
+  }
+
+  const hourMatch = timeStr.match(/^(\d{1,2})(am|pm)?$/i);
+  if (hourMatch) {
+    const rawHour = parseInt(hourMatch[1], 10);
+    const isPM = hourMatch[2]?.toLowerCase() === 'pm';
+    if (throwOnInvalid) {
+      if (hourMatch[2]) {
+        if (rawHour < 1 || rawHour > 12) {
+          throw new Error(`Invalid time: "${timeStr}" — 12-hour values must be 1–12`);
+        }
+      } else {
+        if (rawHour < 0 || rawHour > 23) {
+          throw new Error(`Invalid time: "${timeStr}" — 24-hour values must be 0–23`);
+        }
+      }
+    }
+    let hour = rawHour;
+    if (hourMatch[2]) {
+      if (isPM && rawHour < 12) hour += 12;
+      if (!isPM && rawHour === 12) hour = 0;
+    }
+    result.setHours(hour, 0, 0, 0);
+    return result;
+  }
+
+  if (throwOnInvalid) {
+    throw new Error(`Invalid time format: "${timeStr}" — expected HH:MM, H:MM, or H(am|pm)`);
+  }
+  return result;
+}
+
+export function toUTCISOString(date: Date): string {
+  return date.toISOString();
+}
+
+/**
+ * Parse a date string that may have a timezone offset suffix (e.g. "+01:00")
+ * and return the local date components in the user's system timezone.
+ * This avoids the bug where `new Date("2026-03-29")` defaults to midnight UTC
+ * instead of interpreting it as the local date.
+ */
+export function parseLocalDate(dateStr: string): Date {
+  // Handle date-only strings (YYYY-MM-DD) as local midnight
+  const dateOnlyMatch = dateStr.match(/^(\d{4})-(\d{2})-(\d{2})$/);
+  if (dateOnlyMatch) {
+    const [, yearStr, monthStr, dayOfMonthStr] = dateOnlyMatch;
+    return new Date(parseInt(yearStr, 10), parseInt(monthStr, 10) - 1, parseInt(dayOfMonthStr, 10), 0, 0, 0, 0);
+  }
+  // Handle the "+01:00" suffix format by inserting a 'T' before the time
+  const withTime = dateStr.replace(' ', 'T');
+  return new Date(withTime);
+}
+
+export function parseDay(day: string, options: ParseDayOptions = {}): Date {
+  const { baseDate = new Date(), weekdayDirection = 'next', throwOnInvalid = false } = options;
+
+  const now = new Date(baseDate);
+  const normalized = day.toLowerCase();
+
+  if (normalized === 'today') return now;
+  if (normalized === 'tomorrow') {
+    now.setDate(now.getDate() + 1);
+    return now;
+  }
+  if (normalized === 'yesterday') {
+    now.setDate(now.getDate() - 1);
+    return now;
+  }
+
+  const targetDay = WEEKDAYS.indexOf(normalized as (typeof WEEKDAYS)[number]);
+  if (targetDay >= 0) {
+    const currentDay = now.getDay();
+    let diff = targetDay - currentDay;
+
+    if (weekdayDirection === 'next') {
+      if (diff <= 0) diff += 7;
+    } else if (weekdayDirection === 'previous') {
+      if (diff > 0) diff -= 7;
+    } else {
+      if (diff < 0) diff += 7;
+    }
+
+    now.setDate(now.getDate() + diff);
+    return now;
+  }
+
+  // Parse YYYY-MM-DD as local midnight to avoid UTC off-by-one
+  const parsed = parseLocalDate(day);
+  if (Number.isNaN(parsed.getTime())) {
+    if (throwOnInvalid) {
+      throw new Error(`Invalid day value: ${day}`);
+    }
+    return now;
+  }
+
+  return parsed;
+}
+
+export function toLocalUnzonedISOString(date: Date): string {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, '0');
+  const day = String(date.getDate()).padStart(2, '0');
+  const hours = String(date.getHours()).padStart(2, '0');
+  const minutes = String(date.getMinutes()).padStart(2, '0');
+  const seconds = String(date.getSeconds()).padStart(2, '0');
+  return `${year}-${month}-${day}T${hours}:${minutes}:${seconds}`;
+}

package/src/lib/delegate-client.test.ts

@@ -0,0 +1,74 @@
+import { describe, expect, it } from 'bun:test';
+import { addDelegate, getDelegates } from './delegate-client.js';
+
+describe('delegate-client', () => {
+  const token = 'test-token';
+
+  it('getDelegates parses SOAP response properly', async () => {
+    const fetchCalls: any[] = [];
+    const originalFetch = globalThis.fetch;
+    try {
+      globalThis.fetch = (async (input, init) => {
+        fetchCalls.push({ input, init });
+        const xml = `
+          <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
+            <s:Body>
+              <m:GetDelegateResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
+                <m:ResponseMessages>
+                  <m:DelegateUserResponseMessageType ResponseClass="Success">
+                    <m:DelegateUser>
+                      <t:UserId>
+                        <t:PrimarySmtpAddress>del@example.com</t:PrimarySmtpAddress>
+                      </t:UserId>
+                      <t:DelegatePermissions>
+                        <t:CalendarFolderPermissionLevel>Editor</t:CalendarFolderPermissionLevel>
+                      </t:DelegatePermissions>
+                      <t:ViewPrivateItems>true</t:ViewPrivateItems>
+                    </m:DelegateUser>
+                  </m:DelegateUserResponseMessageType>
+                </m:ResponseMessages>
+                <m:DeliverMeetingRequests>DelegatesAndSendInformationToMe</m:DeliverMeetingRequests>
+              </m:GetDelegateResponse>
+            </s:Body>
+          </s:Envelope>
+        `;
+        return new Response(xml, { status: 200, headers: { 'content-type': 'text/xml' } });
+      }) as typeof fetch;
+
+      const res = await getDelegates(token, 'me@example.com');
+      expect(res.ok).toBe(true);
+      expect(res.data?.length).toBe(1);
+      expect(res.data?.[0].userId).toBe('del@example.com');
+      expect(res.data?.[0].permissions.calendar).toBe('Editor');
+      expect(res.data?.[0].viewPrivateItems).toBe(true);
+      expect(res.data?.[0].deliverMeetingRequests).toBe('DelegatesAndSendInformationToMe');
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+
+  it('addDelegate generates correct SOAP body', async () => {
+    const fetchCalls: any[] = [];
+    const originalFetch = globalThis.fetch;
+    try {
+      globalThis.fetch = (async (input, init) => {
+        fetchCalls.push({ input, init });
+        const xml = `<m:AddDelegateResponse ResponseClass="Success"></m:AddDelegateResponse>`;
+        return new Response(xml, { status: 200, headers: { 'content-type': 'text/xml' } });
+      }) as typeof fetch;
+
+      await addDelegate({
+        token,
+        delegateEmail: 'del@example.com',
+        permissions: { inbox: 'Reviewer' },
+        deliverMeetingRequests: 'DelegatesAndSendInformationToMe'
+      });
+
+      const body = fetchCalls[0].init.body as string;
+      expect(body).toContain('<m:DeliverMeetingRequests>DelegatesAndSendInformationToMe</m:DeliverMeetingRequests>');
+      expect(body).toContain('<t:InboxFolderPermissionLevel>Reviewer</t:InboxFolderPermissionLevel>');
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+});