m365-agent-cli 1.2.0

package/src/lib/graph-auth.ts

@@ -0,0 +1,223 @@
+import { mkdir, readFile, rename, stat } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { atomicWriteUtf8File } from './atomic-write.js';
+import { getJwtExpiration, getMicrosoftTenantPathSegment, isValidJwtStructure } from './jwt-utils.js';
+
+export interface GraphAuthResult {
+  success: boolean;
+  token?: string;
+  error?: string;
+}
+
+interface CachedGraphToken {
+  accessToken: string;
+  refreshToken: string;
+  expiresAt: number;
+}
+
+function assertCachedGraphToken(data: unknown): CachedGraphToken {
+  if (!data || typeof data !== 'object') throw new Error('invalid graph token cache');
+  const o = data as Record<string, unknown>;
+  if (typeof o.accessToken !== 'string' || o.accessToken.length > 100_000) throw new Error('invalid graph token cache');
+  if (typeof o.refreshToken !== 'string' || o.refreshToken.length > 100_000)
+    throw new Error('invalid graph token cache');
+  if (typeof o.expiresAt !== 'number' || !Number.isFinite(o.expiresAt)) throw new Error('invalid graph token cache');
+  return { accessToken: o.accessToken, refreshToken: o.refreshToken, expiresAt: o.expiresAt };
+}
+
+const GRAPH_TOKEN_CACHE_TEMPLATE = join(homedir(), '.config', 'm365-agent-cli', 'graph-token-cache-{identity}.json');
+const LEGACY_GRAPH_TOKEN_CACHE_FILE = join(homedir(), '.config', 'm365-agent-cli', 'graph-token-cache.json');
+const OLD_GRAPH_TOKEN_CACHE_FILE = join(homedir(), '.config', 'clippy', 'graph-token-cache.json');
+
+function graphTokenCachePath(identity: string): string {
+  return GRAPH_TOKEN_CACHE_TEMPLATE.replace('{identity}', identity);
+}
+
+async function migrateGraphTokenCache(): Promise<void> {
+  try {
+    const dir = join(homedir(), '.config', 'm365-agent-cli');
+    const defaultPath = graphTokenCachePath('default');
+    const defaultStats = await stat(defaultPath).catch(() => null);
+    if (!defaultStats) {
+      const legacyStats = await stat(LEGACY_GRAPH_TOKEN_CACHE_FILE).catch(() => null);
+      if (legacyStats) {
+        await mkdir(dir, { recursive: true, mode: 0o700 });
+        await rename(LEGACY_GRAPH_TOKEN_CACHE_FILE, defaultPath);
+        return;
+      }
+      const oldClippyStats = await stat(OLD_GRAPH_TOKEN_CACHE_FILE).catch(() => null);
+      if (oldClippyStats) {
+        await mkdir(dir, { recursive: true, mode: 0o700 });
+        await rename(OLD_GRAPH_TOKEN_CACHE_FILE, defaultPath);
+      }
+    }
+  } catch (_err) {
+    // Ignore migration errors
+  }
+}
+
+const GRAPH_SCOPES = [
+  'https://graph.microsoft.com/Files.ReadWrite offline_access User.Read',
+  'https://graph.microsoft.com/Files.ReadWrite.All offline_access User.Read',
+  'https://graph.microsoft.com/Sites.ReadWrite.All offline_access User.Read',
+  'https://graph.microsoft.com/.default offline_access',
+  'https://graph.microsoft.com/Tasks.ReadWrite offline_access User.Read',
+  'https://graph.microsoft.com/Group.ReadWrite.All offline_access User.Read',
+  'https://graph.microsoft.com/Files.Read offline_access User.Read'
+];
+
+async function loadCachedGraphToken(identity: string): Promise<CachedGraphToken | null> {
+  await migrateGraphTokenCache();
+  try {
+    const data = await readFile(graphTokenCachePath(identity), 'utf-8');
+    return assertCachedGraphToken(JSON.parse(data));
+  } catch {
+    return null;
+  }
+}
+
+async function saveCachedGraphToken(identity: string, token: CachedGraphToken): Promise<void> {
+  try {
+    const safe = assertCachedGraphToken(token);
+    await atomicWriteUtf8File(graphTokenCachePath(identity), JSON.stringify(safe, null, 2), 0o600);
+  } catch (err) {
+    console.error('Failed to write Graph token cache:', err instanceof Error ? err.message : err);
+  }
+}
+
+async function refreshGraphAccessToken(
+  clientId: string,
+  refreshToken: string,
+  tenant: string
+): Promise<CachedGraphToken> {
+  let lastError = '';
+
+  for (const scope of GRAPH_SCOPES) {
+    const response = await fetch(`https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: clientId,
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        scope
+      }).toString()
+    });
+
+    const json = (await response.json()) as {
+      access_token?: string;
+      refresh_token?: string;
+      expires_in?: number;
+      error?: string;
+      error_description?: string;
+    };
+
+    if (response.ok && json.access_token) {
+      const accessToken = json.access_token;
+
+      // Refuse to cache tokens that are not well-formed JWTs
+      if (!isValidJwtStructure(accessToken)) {
+        throw new Error('OAuth server returned an invalid token structure — refusing to cache');
+      }
+
+      const expiresAt = getJwtExpiration(accessToken) ?? Date.now() + (json.expires_in || 3600) * 1000;
+      if (expiresAt <= Date.now()) {
+        throw new Error('OAuth server returned an already-expired token — refusing to cache');
+      }
+
+      return {
+        accessToken,
+        refreshToken: json.refresh_token || refreshToken,
+        expiresAt
+      };
+    }
+
+    lastError = [json.error, json.error_description].filter(Boolean).join(': ') || `HTTP ${response.status}`;
+  }
+
+  throw new Error(`Graph token refresh failed: ${lastError}`);
+}
+
+export async function resolveGraphAuth(options?: { token?: string; identity?: string }): Promise<GraphAuthResult> {
+  if (options?.token) {
+    return { success: true, token: options.token };
+  }
+
+  try {
+    const clientId = process.env.EWS_CLIENT_ID;
+    const graphRefreshToken = process.env.GRAPH_REFRESH_TOKEN;
+
+    if (!clientId) {
+      return {
+        success: false,
+        error: 'Missing EWS_CLIENT_ID in environment. Check your .env file or Azure app registration.'
+      };
+    }
+
+    if (!graphRefreshToken) {
+      if (process.env.EWS_REFRESH_TOKEN) {
+        console.warn(
+          '[graph-auth] EWS_REFRESH_TOKEN is set but GRAPH_REFRESH_TOKEN is not. ' +
+            'EWS tokens cannot be used for Microsoft Graph operations — they have different OAuth scopes. ' +
+            'Please set GRAPH_REFRESH_TOKEN to your Graph API refresh token.'
+        );
+      }
+      return {
+        success: false,
+        error:
+          'Missing GRAPH_REFRESH_TOKEN in environment. ' +
+          'Note: EWS_REFRESH_TOKEN cannot be used for Graph operations — Graph requires its own token with Graph scopes.'
+      };
+    }
+
+    const identity = options?.identity || 'default';
+    if (!/^[a-zA-Z0-9_-]+$/.test(identity)) {
+      return {
+        success: false,
+        error: 'Invalid identity name. Only alphanumeric characters, hyphens, and underscores are allowed.'
+      };
+    }
+
+    const tenant = getMicrosoftTenantPathSegment();
+
+    const cached = await loadCachedGraphToken(identity);
+    if (cached && cached.expiresAt > Date.now() + 60_000) {
+      // Guard against corrupted cache: validate JWT structure before returning
+      if (!isValidJwtStructure(cached.accessToken)) {
+        console.warn(
+          '[graph-auth] Cached Graph token has an invalid JWT structure — falling back to token refresh. ' +
+            'You may need to re-authenticate if this persists.'
+        );
+      } else {
+        return { success: true, token: cached.accessToken };
+      }
+    }
+
+    const refreshTokens = [...new Set([cached?.refreshToken, graphRefreshToken].filter((t): t is string => !!t))];
+
+    for (let i = 0; i < refreshTokens.length; i++) {
+      try {
+        const result = await refreshGraphAccessToken(clientId, refreshTokens[i], tenant);
+        await saveCachedGraphToken(identity, result);
+        return { success: true, token: result.accessToken };
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const isLast = i === refreshTokens.length - 1;
+        console.warn(
+          `[graph-auth] Token refresh attempt failed: ${msg}${isLast ? '.' : ' — trying next token candidate.'}`
+        );
+      }
+    }
+
+    return {
+      success: false,
+      error: 'Graph token refresh failed. You may need to update GRAPH_REFRESH_TOKEN in .env.'
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : 'Graph authentication failed'
+    };
+  }
+}

package/src/lib/graph-calendar-client.test.ts

@@ -0,0 +1,118 @@
+import { describe, expect, it } from 'bun:test';
+
+const token = 'test-token';
+const baseUrl = 'https://graph.microsoft.com/v1.0';
+
+describe('listCalendars', () => {
+  it('GETs /calendars collection', async () => {
+    process.env.GRAPH_BASE_URL = baseUrl;
+    const urls: string[] = [];
+    const originalFetch = globalThis.fetch;
+
+    try {
+      globalThis.fetch = (async (input: string | URL | Request) => {
+        urls.push(typeof input === 'string' ? input : input.toString());
+        return new Response(
+          JSON.stringify({
+            value: [{ id: 'cal-1', name: 'Calendar' }]
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } }
+        );
+      }) as typeof fetch;
+
+      const { listCalendars } = await import('./graph-calendar-client.js');
+      const r = await listCalendars(token);
+
+      expect(r.ok).toBe(true);
+      expect(r.data?.[0]?.name).toBe('Calendar');
+      expect(urls[0]).toContain('/me/calendars');
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+});
+
+describe('listCalendarView', () => {
+  it('GETs default /calendar/calendarView with start and end', async () => {
+    process.env.GRAPH_BASE_URL = baseUrl;
+    const urls: string[] = [];
+    const originalFetch = globalThis.fetch;
+
+    try {
+      globalThis.fetch = (async (input: string | URL | Request) => {
+        urls.push(typeof input === 'string' ? input : input.toString());
+        return new Response(
+          JSON.stringify({
+            value: [{ id: 'evt-1', subject: 'Standup' }]
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } }
+        );
+      }) as typeof fetch;
+
+      const { listCalendarView } = await import('./graph-calendar-client.js');
+      const r = await listCalendarView(token, '2026-04-01T00:00:00Z', '2026-04-02T00:00:00Z', {});
+
+      expect(r.ok).toBe(true);
+      expect(r.data?.[0]?.subject).toBe('Standup');
+      expect(urls[0]).toContain('/me/calendar/calendarView');
+      expect(urls[0]).toContain('startDateTime=');
+      expect(urls[0]).toContain('endDateTime=');
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+
+  it('GETs /calendars/{id}/calendarView when calendarId set', async () => {
+    process.env.GRAPH_BASE_URL = baseUrl;
+    const urls: string[] = [];
+    const originalFetch = globalThis.fetch;
+
+    try {
+      globalThis.fetch = (async (input: string | URL | Request) => {
+        urls.push(typeof input === 'string' ? input : input.toString());
+        return new Response(JSON.stringify({ value: [] }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' }
+        });
+      }) as typeof fetch;
+
+      const { listCalendarView } = await import('./graph-calendar-client.js');
+      const r = await listCalendarView(token, '2026-04-01T00:00:00Z', '2026-04-02T00:00:00Z', {
+        calendarId: 'abc/def'
+      });
+
+      expect(r.ok).toBe(true);
+      expect(urls[0]).toContain('/me/calendars/abc%2Fdef/calendarView');
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+});
+
+describe('getEvent', () => {
+  it('GETs /events/{id}', async () => {
+    process.env.GRAPH_BASE_URL = baseUrl;
+    const urls: string[] = [];
+    const originalFetch = globalThis.fetch;
+
+    try {
+      globalThis.fetch = (async (input: string | URL | Request) => {
+        urls.push(typeof input === 'string' ? input : input.toString());
+        return new Response(JSON.stringify({ id: 'evt-1', subject: 'Hi' }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' }
+        });
+      }) as typeof fetch;
+
+      const { getEvent } = await import('./graph-calendar-client.js');
+      const r = await getEvent(token, 'evt-1', undefined, 'subject,id');
+
+      expect(r.ok).toBe(true);
+      expect(r.data?.subject).toBe('Hi');
+      expect(urls[0]).toContain('/me/events/evt-1');
+      expect(urls[0]).toContain('$select=');
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+});

package/src/lib/graph-calendar-client.ts

@@ -0,0 +1,112 @@
+import {
+  callGraph,
+  fetchAllPages,
+  GraphApiError,
+  type GraphResponse,
+  graphError,
+  graphResult
+} from './graph-client.js';
+import { graphUserPath } from './graph-user-path.js';
+
+/** Graph [calendar](https://learn.microsoft.com/en-us/graph/api/resources/calendar) (subset). */
+export interface GraphCalendarResource {
+  id: string;
+  name?: string;
+  color?: string;
+  hexColor?: string;
+  owner?: { name?: string; address?: string };
+  canEdit?: boolean;
+  canShare?: boolean;
+  canViewPrivateItems?: boolean;
+  defaultOnlineMeetingProvider?: string;
+}
+
+/** Graph [event](https://learn.microsoft.com/en-us/graph/api/resources/event) (subset). */
+export interface GraphCalendarEvent {
+  id: string;
+  subject?: string;
+  bodyPreview?: string;
+  start?: { dateTime: string; timeZone: string };
+  end?: { dateTime: string; timeZone: string };
+  isAllDay?: boolean;
+  isCancelled?: boolean;
+  organizer?: { emailAddress?: { name?: string; address?: string } };
+  attendees?: Array<{
+    emailAddress?: { name?: string; address?: string };
+    status?: { response?: string };
+  }>;
+  location?: { displayName?: string };
+  webLink?: string;
+  onlineMeeting?: { joinUrl?: string };
+}
+
+function calendarsRoot(user?: string): string {
+  return graphUserPath(user, 'calendars');
+}
+
+export async function listCalendars(token: string, user?: string): Promise<GraphResponse<GraphCalendarResource[]>> {
+  return fetchAllPages<GraphCalendarResource>(token, calendarsRoot(user), 'Failed to list calendars');
+}
+
+export async function getCalendar(
+  token: string,
+  calendarId: string,
+  user?: string
+): Promise<GraphResponse<GraphCalendarResource>> {
+  try {
+    const result = await callGraph<GraphCalendarResource>(
+      token,
+      `${calendarsRoot(user)}/${encodeURIComponent(calendarId)}`
+    );
+    if (!result.ok || !result.data) {
+      return graphError(result.error?.message || 'Failed to get calendar', result.error?.code, result.error?.status);
+    }
+    return graphResult(result.data);
+  } catch (err) {
+    if (err instanceof GraphApiError) return graphError(err.message, err.code, err.status);
+    return graphError(err instanceof Error ? err.message : 'Failed to get calendar');
+  }
+}
+
+/**
+ * List events in a time range (Graph [calendarView](https://learn.microsoft.com/en-us/graph/api/calendar-list-calendarview)).
+ * Omit `calendarId` to use the user's default calendar (`/me/calendar/calendarView`).
+ */
+export async function listCalendarView(
+  token: string,
+  startDateTime: string,
+  endDateTime: string,
+  options?: { calendarId?: string; user?: string }
+): Promise<GraphResponse<GraphCalendarEvent[]>> {
+  const params = new URLSearchParams();
+  params.set('startDateTime', startDateTime);
+  params.set('endDateTime', endDateTime);
+  const qs = `?${params.toString()}`;
+  const path = options?.calendarId
+    ? `${calendarsRoot(options.user)}/${encodeURIComponent(options.calendarId)}/calendarView${qs}`
+    : `${graphUserPath(options?.user, 'calendar/calendarView')}${qs}`;
+
+  return fetchAllPages<GraphCalendarEvent>(token, path, 'Failed to list calendar view');
+}
+
+export async function getEvent(
+  token: string,
+  eventId: string,
+  user?: string,
+  select?: string
+): Promise<GraphResponse<GraphCalendarEvent>> {
+  let path = `${graphUserPath(user, `events/${encodeURIComponent(eventId)}`)}`;
+  if (select?.trim()) {
+    path += `?$select=${encodeURIComponent(select.trim())}`;
+  }
+  try {
+    const result = await callGraph<GraphCalendarEvent>(token, path);
+    if (!result.ok || !result.data) {
+      return graphError(result.error?.message || 'Failed to get event', result.error?.code, result.error?.status);
+    }
+    return graphResult(result.data);
+  } catch (err) {
+    if (err instanceof GraphApiError) return graphError(err.message, err.code, err.status);
+    return graphError(err instanceof Error ? err.message : 'Failed to get event');
+  }
+}

package/src/lib/graph-client.test.ts

@@ -0,0 +1,107 @@
+import { describe, expect, it } from 'bun:test';
+import { writeFileSync } from 'node:fs';
+import { mkdtemp, unlink } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { uploadLargeFile } from './graph-client.js';
+
+const token = 'test-token';
+const baseUrl = 'https://graph.microsoft.com/v1.0';
+
+describe('searchFiles query encoding', () => {
+  it('encodes single quotes in search query before interpolation', async () => {
+    process.env.GRAPH_BASE_URL = baseUrl;
+
+    const fetchCalls: string[] = [];
+    const originalFetch = globalThis.fetch;
+
+    try {
+      globalThis.fetch = (async (input: string | URL | Request) => {
+        fetchCalls.push(typeof input === 'string' ? input : input.toString());
+        return new Response(JSON.stringify({ value: [] }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' }
+        });
+      }) as typeof fetch;
+
+      const { searchFiles } = await import('./graph-client.js');
+      await searchFiles(token, "') and name='anything");
+
+      expect(fetchCalls).toHaveLength(1);
+      expect(fetchCalls[0]).toContain("/me/drive/root/search(q='%27%29%20and%20name%3D%27anything')");
+      expect(fetchCalls[0]).not.toContain("q=') and name='anything'");
+    } finally {
+      globalThis.fetch = originalFetch;
+    }
+  });
+});
+
+describe('uploadLargeFile chunking', () => {
+  it('uploads file in chunks and returns DriveItem', async () => {
+    const dir = await mkdtemp(join(tmpdir(), 'm365-graph-upload-'));
+    const tmpFile = join(dir, 'chunk.bin');
+    const fileSize = 25 * 1024 * 1024; // 25MB
+    const buffer = new Uint8Array(fileSize);
+    buffer.fill(42);
+    writeFileSync(tmpFile, buffer);
+
+    const originalFetch = globalThis.fetch;
+    const fetchCalls: any[] = [];
+
+    try {
+      globalThis.fetch = (async (input: any, init?: any) => {
+        const url = typeof input === 'string' ? input : input.toString();
+
+        // 1. Create session POST
+        if (url.includes('createUploadSession')) {
+          return new Response(
+            JSON.stringify({
+              uploadUrl: 'https://upload.example.com/session-123',
+              expirationDateTime: '2026-04-01T00:00:00.000Z'
+            }),
+            { status: 200, headers: { 'content-type': 'application/json' } }
+          );
+        }
+
+        // 2. Chunk PUTs
+        if (init?.method === 'PUT') {
+          fetchCalls.push({
+            url,
+            range: (init.headers as any)?.['Content-Range'],
+            bodySize: (init.body as any)?.length
+          });
+          const range = (init.headers as any)?.['Content-Range'];
+          if (range?.endsWith('-26214399/26214400')) {
+            // Last chunk 10MB*2 to 25MB
+            return new Response(JSON.stringify({ id: 'item-123', name: 'test.tmp' }), {
+              status: 201,
+              headers: { 'content-type': 'application/json' }
+            });
+          }
+          return new Response('{"expirationDateTime": "..."}', { status: 202 });
+        }
+
+        return new Response('{}', { status: 200 });
+      }) as any;
+
+      const result = await uploadLargeFile('token', tmpFile);
+
+      if (!result.ok) throw new Error(JSON.stringify(result));
+      expect(result.data?.driveItem?.id).toBe('item-123');
+      expect(fetchCalls.length).toBeGreaterThanOrEqual(3);
+
+      const firstCall = fetchCalls[0];
+      expect(firstCall.range).toContain('bytes 0-');
+      expect(firstCall.range).toContain('/26214400');
+
+      const lastCall = fetchCalls[fetchCalls.length - 1];
+      expect(lastCall.range).toContain('-26214399/26214400');
+      expect(lastCall.bodySize).toBeGreaterThan(0);
+    } finally {
+      globalThis.fetch = originalFetch;
+      try {
+        await unlink(tmpFile).catch(() => {});
+      } catch {}
+    }
+  });
+});