msteams-mcp 0.18.2 → 0.19.0

package/dist/auth/token-refresh.d.ts

@@ -2,8 +2,13 @@
  * Token refresh via headless browser.
  *
  * Teams uses SPA OAuth2 which restricts refresh tokens to browser-based CORS
- * requests. We open a headless browser with saved session state, let MSAL
- * silently refresh tokens, then save the updated state. Seamless to the user.
+ * requests. We open a headless browser with the persistent profile, let MSAL
+ * silently refresh tokens using the profile's long-lived session cookies,
+ * then save the updated state. Seamless to the user — no browser window shown.
+ *
+ * The persistent profile is shared with visible login, so only one browser
+ * can use it at a time (Chromium profile lock). A module-level flag prevents
+ * concurrent refresh attempts.
  */
 import { type Result } from '../types/result.js';
 /** Result of a successful token refresh. */
@@ -18,8 +23,9 @@ export interface TokenRefreshResult {
     refreshNeeded: boolean;
 }
 /**
- * Refreshes tokens by opening a headless browser with saved session state.
- * MSAL only refreshes tokens when an API call requires them, so we trigger
- * a search via ensureAuthenticated to force token acquisition.
+ * Refreshes tokens by opening a headless browser with the persistent profile.
+ * The profile's long-lived Microsoft session cookies enable silent re-auth
+ * without user interaction. MSAL only refreshes tokens when an API call
+ * requires them, so we trigger a search via ensureAuthenticated.
  */
 export declare function refreshTokensViaBrowser(): Promise<Result<TokenRefreshResult>>;

package/dist/auth/token-refresh.js

@@ -2,26 +2,30 @@
  * Token refresh via headless browser.
  *
  * Teams uses SPA OAuth2 which restricts refresh tokens to browser-based CORS
- * requests. We open a headless browser with saved session state, let MSAL
- * silently refresh tokens, then save the updated state. Seamless to the user.
+ * requests. We open a headless browser with the persistent profile, let MSAL
+ * silently refresh tokens using the profile's long-lived session cookies,
+ * then save the updated state. Seamless to the user — no browser window shown.
+ *
+ * The persistent profile is shared with visible login, so only one browser
+ * can use it at a time (Chromium profile lock). A module-level flag prevents
+ * concurrent refresh attempts.
  */
 import { TOKEN_REFRESH_THRESHOLD_MS } from '../constants.js';
 import { ErrorCode, createError } from '../types/errors.js';
 import { ok, err } from '../types/result.js';
 import { extractSubstrateToken, clearTokenCache, } from './token-extractor.js';
-import { hasSessionState, isSessionLikelyExpired, } from './session-store.js';
+/** Module-level flag to prevent concurrent browser profile access. */
+let refreshInProgress = false;
 /**
- * Refreshes tokens by opening a headless browser with saved session state.
- * MSAL only refreshes tokens when an API call requires them, so we trigger
- * a search via ensureAuthenticated to force token acquisition.
+ * Refreshes tokens by opening a headless browser with the persistent profile.
+ * The profile's long-lived Microsoft session cookies enable silent re-auth
+ * without user interaction. MSAL only refreshes tokens when an API call
+ * requires them, so we trigger a search via ensureAuthenticated.
  */
 export async function refreshTokensViaBrowser() {
-    // Check we have a session to work with
-    if (!hasSessionState()) {
-        return err(createError(ErrorCode.AUTH_REQUIRED, 'No session state available. Please run teams_login to authenticate.', { suggestions: ['Call teams_login to authenticate'] }));
-    }
-    if (isSessionLikelyExpired()) {
-        return err(createError(ErrorCode.AUTH_EXPIRED, 'Session is too old and likely expired. Please re-authenticate.', { suggestions: ['Call teams_login to re-authenticate'] }));
+    // Prevent concurrent access to the shared browser profile
+    if (refreshInProgress) {
+        return err(createError(ErrorCode.UNKNOWN, 'Token refresh already in progress. Please wait and try again.', { retryable: true, suggestions: ['Wait a moment and retry the request'] }));
     }
     // Get current token expiry for comparison
     const beforeToken = extractSubstrateToken();
@@ -32,8 +36,9 @@ export async function refreshTokensViaBrowser() {
     // Import browser functions dynamically to avoid circular dependencies
     const { createBrowserContext, closeBrowser } = await import('../browser/context.js');
     let manager = null;
+    refreshInProgress = true;
     try {
-        // Open headless browser with saved session
+        // Open headless browser with persistent profile
         manager = await createBrowserContext({ headless: true });
         // Import auth functions
         const { ensureAuthenticated } = await import('../browser/auth.js');
@@ -82,4 +87,7 @@ export async function refreshTokensViaBrowser() {
         const message = error instanceof Error ? error.message : 'Unknown error';
         return err(createError(ErrorCode.UNKNOWN, `Token refresh via browser failed: ${message}`, { suggestions: ['Call teams_login to re-authenticate'] }));
     }
+    finally {
+        refreshInProgress = false;
+    }
 }

package/dist/browser/auth.js

@@ -23,10 +23,6 @@ const OVERLAY_CONTENT = {
         message: "You're signed in!",
         detail: 'Setting up your connection to Teams...',
     },
-    'acquiring': {
-        message: 'Acquiring permissions...',
-        detail: 'Getting access to search and messages...',
-    },
     'saving': {
         message: 'Saving your session...',
         detail: "So you won't need to log in again.",
@@ -35,31 +31,11 @@ const OVERLAY_CONTENT = {
         message: 'All done!',
         detail: 'This window will close automatically.',
     },
-    'refreshing': {
-        message: 'Refreshing your session...',
-        detail: 'Updating your access tokens...',
-    },
     'error': {
         message: 'Something went wrong',
         detail: 'Please try again or check the console for details.',
     },
 };
-/** Detail messages that cycle during the acquiring/refreshing phases. */
-const ACQUIRING_DETAILS = [
-    'Preparing Teams connection...',
-    'Navigating to search...',
-    'Waiting for API response...',
-    'Acquiring search permissions...',
-    'Convincing Microsoft we mean well...',
-    'Negotiating with the UI...',
-    'Gathering auth tokens...',
-    'Good things come to those who wait...',
-    'Almost there...',
-];
-/** Interval for cycling detail messages (ms). */
-const DETAIL_CYCLE_INTERVAL_MS = 3000;
-/** ID for the detail text element (for cycling updates). */
-const DETAIL_ELEMENT_ID = 'mcp-login-detail';
 /**
  * Shows a progress overlay for a specific phase.
  * Handles injection, content, and optional pause.
@@ -69,43 +45,12 @@ async function showLoginProgress(page, phase, options = {}) {
     const content = OVERLAY_CONTENT[phase];
     const isComplete = phase === 'complete';
     const isError = phase === 'error';
-    const isAnimated = phase === 'acquiring' || phase === 'refreshing';
     try {
-        await page.evaluate(({ id, detailId, message, detail, complete, error, animated, cycleDetails, cycleInterval }) => {
-            // Remove existing overlay if present, clearing any running timer
+        await page.evaluate(({ id, message, detail, complete, error }) => {
+            // Remove existing overlay if present
             const existing = document.getElementById(id);
-            if (existing) {
-                const existingWithTimer = existing;
-                if (existingWithTimer._cycleTimer) {
-                    clearInterval(existingWithTimer._cycleTimer);
-                }
+            if (existing)
                 existing.remove();
-            }
-            // Remove any existing style element
-            const existingStyle = document.getElementById(`${id}-style`);
-            if (existingStyle) {
-                existingStyle.remove();
-            }
-            // Add keyframe animations for spinner
-            const style = document.createElement('style');
-            style.id = `${id}-style`;
-            style.textContent = `
-        @keyframes mcp-spin {
-          0% { transform: rotate(0deg); }
-          100% { transform: rotate(360deg); }
-        }
-        @keyframes mcp-pulse {
-          0%, 100% { opacity: 1; }
-          50% { opacity: 0.6; }
-        }
-        @keyframes mcp-fade {
-          0% { opacity: 0; transform: translateY(4px); }
-          15% { opacity: 1; transform: translateY(0); }
-          85% { opacity: 1; transform: translateY(0); }
-          100% { opacity: 0; transform: translateY(-4px); }
-        }
-      `;
-            document.head.appendChild(style);
             // Create overlay container
             const overlay = document.createElement('div');
             overlay.id = id;
@@ -132,14 +77,6 @@ async function showLoginProgress(page, phase, options = {}) {
                 textAlign: 'center',
                 boxShadow: '0 8px 32px rgba(0, 0, 0, 0.3)',
             });
-            // Create icon container (for animation)
-            const iconContainer = document.createElement('div');
-            Object.assign(iconContainer.style, {
-                width: '64px',
-                height: '64px',
-                margin: '0 auto 24px',
-                position: 'relative',
-            });
             // Create icon
             const icon = document.createElement('div');
             const iconBg = error ? '#c42b1c' : complete ? '#107c10' : '#5b5fc7';
@@ -153,30 +90,9 @@ async function showLoginProgress(page, phase, options = {}) {
                 fontSize: '32px',
                 background: iconBg,
                 color: 'white',
+                margin: '0 auto 24px',
             });
-            if (animated) {
-                // Spinner ring for animated states
-                const spinner = document.createElement('div');
-                Object.assign(spinner.style, {
-                    position: 'absolute',
-                    top: '-4px',
-                    left: '-4px',
-                    width: '72px',
-                    height: '72px',
-                    borderRadius: '50%',
-                    border: '3px solid transparent',
-                    borderTopColor: iconBg,
-                    borderRightColor: iconBg,
-                    animation: 'mcp-spin 1.2s linear infinite',
-                });
-                iconContainer.appendChild(spinner);
-                icon.textContent = '⋯';
-                icon.style.animation = 'mcp-pulse 2s ease-in-out infinite';
-            }
-            else {
-                icon.textContent = error ? '✕' : complete ? '✓' : '⋯';
-            }
-            iconContainer.appendChild(icon);
+            icon.textContent = error ? '✕' : complete ? '✓' : '⋯';
             // Create title
             const title = document.createElement('h2');
             Object.assign(title.style, {
@@ -188,50 +104,25 @@ async function showLoginProgress(page, phase, options = {}) {
             title.textContent = message;
             // Create detail text
             const detailEl = document.createElement('p');
-            detailEl.id = detailId;
             Object.assign(detailEl.style, {
                 margin: '0',
                 fontSize: '14px',
                 color: '#616161',
                 lineHeight: '1.5',
-                minHeight: '21px', // Prevent layout shift
             });
-            if (animated) {
-                detailEl.style.animation = `mcp-fade ${cycleInterval}ms ease-in-out infinite`;
-            }
             detailEl.textContent = detail;
             // Assemble and append
-            modal.appendChild(iconContainer);
+            modal.appendChild(icon);
             modal.appendChild(title);
             modal.appendChild(detailEl);
             overlay.appendChild(modal);
             document.body.appendChild(overlay);
-            // Set up detail cycling for animated states
-            if (animated && cycleDetails && cycleDetails.length > 0) {
-                let detailIndex = 0;
-                const cycleTimer = setInterval(() => {
-                    const el = document.getElementById(detailId);
-                    if (el) {
-                        el.textContent = cycleDetails[detailIndex];
-                        detailIndex = (detailIndex + 1) % cycleDetails.length;
-                    }
-                    else {
-                        clearInterval(cycleTimer);
-                    }
-                }, cycleInterval);
-                // Store timer ID on overlay for potential future cleanup
-                overlay._cycleTimer = cycleTimer;
-            }
         }, {
             id: PROGRESS_OVERLAY_ID,
-            detailId: DETAIL_ELEMENT_ID,
             message: content.message,
             detail: content.detail,
             complete: isComplete,
             error: isError,
-            animated: isAnimated,
-            cycleDetails: isAnimated ? ACQUIRING_DETAILS : [],
-            cycleInterval: DETAIL_CYCLE_INTERVAL_MS,
         });
         // Pause if requested (for steps that need user to see the message)
         if (options.pause) {
@@ -241,7 +132,6 @@ async function showLoginProgress(page, phase, options = {}) {
     }
     catch {
         // Overlay is cosmetic - don't fail login if it can't be shown
-        // To debug: change to `catch (e)` and add `console.debug('[overlay]', e);`
     }
 }
 // ─────────────────────────────────────────────────────────────────────────────
@@ -284,145 +174,6 @@ async function hasAuthenticatedContent(page) {
     }
     return false;
 }
-/**
- * Waits for the Teams SPA to be fully loaded and interactive.
- *
- * Teams is a heavy SPA — after navigation, the shell loads quickly but MSAL
- * (which manages tokens) needs time to bootstrap. We wait for key UI elements
- * that only render after the app has fully initialised, then wait for network
- * activity to settle (indicating MSAL token requests have completed).
- */
-async function waitForTeamsReady(page, log, timeoutMs = 60000) {
-    log('Waiting for Teams to fully load...');
-    try {
-        // Wait for any SPA UI element that indicates the app has bootstrapped
-        await page.waitForSelector(AUTH_SUCCESS_SELECTORS.join(', '), { timeout: timeoutMs });
-        log('Teams UI elements detected.');
-        // Wait for network to settle — MSAL token refresh requests should complete
-        try {
-            await page.waitForLoadState('networkidle', { timeout: 15000 });
-            log('Network settled.');
-        }
-        catch {
-            // Network may not become fully idle (websockets, polling), that's OK
-            log('Network did not fully settle, continuing...');
-        }
-        return true;
-    }
-    catch {
-        log('Teams did not fully load within timeout.');
-        return false;
-    }
-}
-/**
- * Triggers MSAL to acquire the Substrate token.
- *
- * MSAL only acquires tokens for specific scopes when the app makes API calls
- * requiring those scopes. The Substrate API is only used for search, so we
- * perform a search to trigger token acquisition.
- *
- * Returns true if a Substrate API call was detected, false otherwise.
- */
-async function triggerTokenAcquisition(page, log) {
-    log('Triggering token acquisition...');
-    try {
-        // Wait for Teams SPA to be fully loaded (MSAL must bootstrap first)
-        const ready = await waitForTeamsReady(page, log);
-        if (!ready) {
-            log('Teams did not load — cannot trigger token acquisition.');
-            return false;
-        }
-        // Set up Substrate API listener BEFORE triggering search
-        let substrateDetected = false;
-        const substratePromise = page.waitForResponse(resp => resp.url().includes('substrate.office.com') && resp.status() === 200, { timeout: 30000 }).then(() => {
-            substrateDetected = true;
-        }).catch(() => {
-            // Timeout — no Substrate call detected
-        });
-        // Try multiple methods to trigger search
-        let searchTriggered = false;
-        // Method 1: Navigate to search results URL (triggers Substrate API call directly)
-        log('Navigating to search results...');
-        try {
-            await page.goto('https://teams.microsoft.com/v2/#/search?query=test', {
-                waitUntil: 'domcontentloaded',
-                timeout: 30000,
-            });
-            searchTriggered = true;
-            log('Search results page loaded.');
-        }
-        catch (e) {
-            log(`Search navigation failed: ${e instanceof Error ? e.message : String(e)}`);
-        }
-        // Method 2: Fallback - focus and type
-        if (!searchTriggered) {
-            log('Trying focus+type fallback...');
-            try {
-                const focused = await page.evaluate(() => {
-                    const selectors = [
-                        '#ms-searchux-input',
-                        '[data-tid="searchInputField"]',
-                        'input[placeholder*="Search"]',
-                    ];
-                    for (const sel of selectors) {
-                        const el = document.querySelector(sel);
-                        if (el) {
-                            el.focus();
-                            el.click();
-                            return true;
-                        }
-                    }
-                    return false;
-                });
-                if (focused) {
-                    await page.waitForTimeout(500);
-                    await page.keyboard.type('test', { delay: 30 });
-                    await page.keyboard.press('Enter');
-                    searchTriggered = true;
-                    log('Search submitted via typing.');
-                }
-            }
-            catch {
-                // Continue
-            }
-        }
-        // Method 3: Keyboard shortcut fallback
-        if (!searchTriggered) {
-            log('Trying keyboard shortcut...');
-            const isMac = process.platform === 'darwin';
-            await page.keyboard.press(isMac ? 'Meta+e' : 'Control+e');
-            await page.waitForTimeout(1000);
-            await page.keyboard.type('is:Messages', { delay: 30 });
-            await page.keyboard.press('Enter');
-            searchTriggered = true;
-        }
-        // Wait for the Substrate API response
-        log('Waiting for Substrate API...');
-        await substratePromise;
-        if (substrateDetected) {
-            log('Substrate API call detected — tokens acquired.');
-        }
-        else {
-            log('No Substrate API call detected within timeout.');
-        }
-        // Give MSAL a moment to persist tokens to localStorage
-        await page.waitForTimeout(2000);
-        // Close search and reset
-        try {
-            await page.keyboard.press('Escape');
-            await page.waitForTimeout(500);
-        }
-        catch {
-            // Page may have navigated, ignore
-        }
-        log('Token acquisition complete.');
-        return substrateDetected;
-    }
-    catch (error) {
-        log(`Token acquisition warning: ${error instanceof Error ? error.message : String(error)}`);
-        return false;
-    }
-}
 /**
  * Gets the current authentication status.
  */
@@ -555,24 +306,12 @@ export async function waitForManualLogin(page, context, timeoutMs = 5 * 60 * 100
         const status = await getAuthStatus(page);
         if (status.isAuthenticated) {
             log('Authentication successful!');
-            // Show progress through login steps (only if overlay enabled)
             if (showOverlay) {
                 await showLoginProgress(page, 'signed-in', { pause: true });
-                await showLoginProgress(page, 'acquiring');
-            }
-            // Trigger a search to cause MSAL to acquire the Substrate token
-            const acquired = await triggerTokenAcquisition(page, log);
-            if (!acquired) {
-                log('Warning: Substrate API call was not detected after login.');
-                if (showOverlay) {
-                    await showLoginProgress(page, 'error', { pause: true });
-                }
-                throw new Error('Login completed but token acquisition failed. Please try again.');
-            }
-            if (showOverlay) {
                 await showLoginProgress(page, 'saving');
             }
-            // Save the session state with fresh tokens
+            // The persistent browser profile already has MSAL tokens in localStorage
+            // from the login flow. Just save the session state directly.
             await saveSessionState(context);
             log('Session state saved.');
             if (showOverlay) {
@@ -606,27 +345,13 @@ export async function ensureAuthenticated(page, context, onProgress, showOverlay
     log('Navigating to Teams...');
     const status = await navigateToTeams(page);
     if (status.isAuthenticated) {
-        log('Already authenticated.');
-        if (showOverlay) {
-            await showLoginProgress(page, 'refreshing');
-        }
-        // Trigger a search to cause MSAL to acquire/refresh the Substrate token
-        const acquired = await triggerTokenAcquisition(page, log);
-        if (!acquired) {
-            log('Token refresh failed: Substrate API call was not detected.');
-            if (showOverlay) {
-                await showLoginProgress(page, 'error', { pause: true });
-            }
-            throw new Error('Token refresh failed. Please use teams_login with forceNew to re-authenticate.');
-        }
-        if (showOverlay) {
-            await showLoginProgress(page, 'saving');
-        }
-        // Save the session state with fresh tokens
+        log('Already authenticated — saving session state.');
+        // The persistent browser profile already has valid MSAL tokens in localStorage.
+        // Just save the session state directly — no need to trigger a search and wait
+        // for Substrate API calls. Token acquisition is only needed after a fresh
+        // manual login where MSAL hasn't yet acquired the Substrate token.
         await saveSessionState(context);
-        if (showOverlay) {
-            await showLoginProgress(page, 'complete', { pause: true });
-        }
+        log('Session state saved.');
         return;
     }
     // User interaction required - fail fast if headless
@@ -639,8 +364,6 @@ export async function ensureAuthenticated(page, context, onProgress, showOverlay
     if (status.isOnLoginPage) {
         log('Login required. Please complete authentication in the browser window.');
         await waitForManualLogin(page, context, undefined, onProgress, showOverlay);
-        // Navigate back to Teams after login (in case we're on a callback URL)
-        await navigateToTeams(page);
     }
     else {
         // Unexpected state - might need manual intervention

package/dist/browser/context.d.ts

@@ -4,13 +4,23 @@
  *
  * Uses the system's installed Chrome or Edge browser rather than downloading
  * Playwright's bundled Chromium. This significantly reduces install size.
+ *
+ * All modes (headless and visible) use a persistent browser profile stored at
+ * ~/.teams-mcp-server/browser-profile/. This means:
+ * - Microsoft session cookies persist across launches (longer-lived than MSAL tokens)
+ * - Headless token refresh can silently re-authenticate using the profile's session
+ * - Visible login retains extensions (e.g. Bitwarden) and form autofill data
+ * - No need for storageState temp files or encrypted session restoration for browser use
  */
-import { type Browser, type BrowserContext, type Page } from 'playwright';
+import { type BrowserContext, type Page } from 'playwright';
 export interface BrowserManager {
-    browser: Browser;
+    /** Always null — persistent contexts have no separate Browser object. */
+    browser: null;
     context: BrowserContext;
     page: Page;
     isNewSession: boolean;
+    /** Always true — all contexts use the persistent browser profile. */
+    persistent: true;
 }
 export interface CreateBrowserOptions {
     headless?: boolean;
@@ -20,13 +30,23 @@ export interface CreateBrowserOptions {
     };
 }
 /**
- * Creates a browser context with optional session state restoration.
+ * Creates a browser context using a persistent profile.
  *
  * Uses the system's installed Chrome or Edge browser rather than downloading
  * Playwright's bundled Chromium (~180MB savings).
  *
+ * The persistent profile at ~/.teams-mcp-server/browser-profile/ is shared
+ * between headless and visible modes. This provides:
+ * - Silent headless re-auth via long-lived Microsoft session cookies
+ * - Extensions (e.g. Bitwarden) and form autofill for visible login
+ * - No storageState temp file management needed
+ *
+ * Note: Only one process can use the profile at a time (Chromium profile lock).
+ * The MCP server serialises tool calls, and token-refresh checks for an active
+ * browser before attempting refresh to avoid lock contention.
+ *
  * @param options - Browser configuration options
- * @returns Browser manager with browser, context, and page
+ * @returns Browser manager with context and page
  * @throws Error if system browser is not found (with helpful suggestions)
  */
 export declare function createBrowserContext(options?: CreateBrowserOptions): Promise<BrowserManager>;
@@ -35,6 +55,6 @@ export declare function createBrowserContext(options?: CreateBrowserOptions): Pr
  */
 export declare function saveSessionState(context: BrowserContext): Promise<void>;
 /**
- * Closes the browser and optionally saves session state.
+ * Closes the browser context and optionally saves session state.
  */
 export declare function closeBrowser(manager: BrowserManager, saveSession?: boolean): Promise<void>;

package/dist/browser/context.js

@@ -4,14 +4,32 @@
  *
  * Uses the system's installed Chrome or Edge browser rather than downloading
  * Playwright's bundled Chromium. This significantly reduces install size.
+ *
+ * All modes (headless and visible) use a persistent browser profile stored at
+ * ~/.teams-mcp-server/browser-profile/. This means:
+ * - Microsoft session cookies persist across launches (longer-lived than MSAL tokens)
+ * - Headless token refresh can silently re-authenticate using the profile's session
+ * - Visible login retains extensions (e.g. Bitwarden) and form autofill data
+ * - No need for storageState temp files or encrypted session restoration for browser use
  */
 import { chromium } from 'playwright';
-import { ensureUserDataDir, hasSessionState, SESSION_STATE_PATH, isSessionLikelyExpired, writeSessionState, readSessionState, } from '../auth/session-store.js';
+import * as path from 'path';
+import { ensureUserDataDir, CONFIG_DIR, writeSessionState, } from '../auth/session-store.js';
 import { clearRegionCache } from '../utils/auth-guards.js';
 const DEFAULT_OPTIONS = {
     headless: true,
     viewport: { width: 1280, height: 800 },
 };
+/**
+ * Directory for the persistent browser profile.
+ * This is a dedicated Chrome/Edge profile within the config dir, so extensions
+ * (e.g. Bitwarden) and form autofill data persist across login sessions
+ * without conflicting with the user's running browser instance.
+ *
+ * Both headless and visible modes share this profile, so Microsoft's long-lived
+ * session cookies enable silent headless re-authentication without user interaction.
+ */
+const BROWSER_PROFILE_DIR = path.join(CONFIG_DIR, 'browser-profile');
 /**
  * Determines the browser channel to use based on the platform.
  * - Windows: Use Microsoft Edge (always installed on Windows 10+)
@@ -23,25 +41,45 @@ function getBrowserChannel() {
     return process.platform === 'win32' ? 'msedge' : 'chrome';
 }
 /**
- * Creates a browser context with optional session state restoration.
+ * Creates a browser context using a persistent profile.
  *
  * Uses the system's installed Chrome or Edge browser rather than downloading
  * Playwright's bundled Chromium (~180MB savings).
  *
+ * The persistent profile at ~/.teams-mcp-server/browser-profile/ is shared
+ * between headless and visible modes. This provides:
+ * - Silent headless re-auth via long-lived Microsoft session cookies
+ * - Extensions (e.g. Bitwarden) and form autofill for visible login
+ * - No storageState temp file management needed
+ *
+ * Note: Only one process can use the profile at a time (Chromium profile lock).
+ * The MCP server serialises tool calls, and token-refresh checks for an active
+ * browser before attempting refresh to avoid lock contention.
+ *
  * @param options - Browser configuration options
- * @returns Browser manager with browser, context, and page
+ * @returns Browser manager with context and page
  * @throws Error if system browser is not found (with helpful suggestions)
  */
 export async function createBrowserContext(options = {}) {
     const opts = { ...DEFAULT_OPTIONS, ...options };
     ensureUserDataDir();
     const channel = getBrowserChannel();
-    let browser;
     try {
-        browser = await chromium.launch({
+        const context = await chromium.launchPersistentContext(BROWSER_PROFILE_DIR, {
             headless: opts.headless,
             channel,
+            viewport: opts.viewport,
+            acceptDownloads: false,
         });
+        // Persistent contexts start with one page; use it or create one
+        const page = context.pages()[0] ?? await context.newPage();
+        return {
+            browser: null,
+            context,
+            page,
+            isNewSession: true,
+            persistent: true,
+        };
     }
     catch (error) {
         const browserName = channel === 'msedge' ? 'Microsoft Edge' : 'Google Chrome';
@@ -51,55 +89,6 @@ export async function createBrowserContext(options = {}) {
         throw new Error(`Could not launch ${browserName}. ${installHint}\n\n` +
             `Original error: ${error instanceof Error ? error.message : String(error)}`);
     }
-    const hasSession = hasSessionState();
-    const sessionExpired = isSessionLikelyExpired();
-    // Restore session if we have one and it's not ancient
-    const shouldRestoreSession = hasSession && !sessionExpired;
-    let context;
-    if (shouldRestoreSession) {
-        try {
-            // Read the decrypted session state
-            const state = readSessionState();
-            if (state) {
-                // Create a temporary file for Playwright (it needs a file path)
-                // We write the decrypted state to a temp location
-                const tempPath = SESSION_STATE_PATH + '.tmp';
-                const fs = await import('fs');
-                fs.writeFileSync(tempPath, JSON.stringify(state), { mode: 0o600 });
-                try {
-                    context = await browser.newContext({
-                        storageState: tempPath,
-                        viewport: opts.viewport,
-                    });
-                }
-                finally {
-                    // Clean up temp file
-                    fs.unlinkSync(tempPath);
-                }
-            }
-            else {
-                throw new Error('Failed to read session state');
-            }
-        }
-        catch (error) {
-            console.warn('Failed to restore session state, starting fresh:', error);
-            context = await browser.newContext({
-                viewport: opts.viewport,
-            });
-        }
-    }
-    else {
-        context = await browser.newContext({
-            viewport: opts.viewport,
-        });
-    }
-    const page = await context.newPage();
-    return {
-        browser,
-        context,
-        page,
-        isNewSession: !shouldRestoreSession,
-    };
 }
 /**
  * Saves the current browser context's session state.
@@ -111,12 +100,11 @@ export async function saveSessionState(context) {
     clearRegionCache();
 }
 /**
- * Closes the browser and optionally saves session state.
+ * Closes the browser context and optionally saves session state.
  */
 export async function closeBrowser(manager, saveSession = true) {
     if (saveSession) {
         await saveSessionState(manager.context);
     }
     await manager.context.close();
-    await manager.browser.close();
 }

package/dist/constants.d.ts

@@ -28,20 +28,8 @@ export declare const MAX_CONTACTS_LIMIT = 500;
 export declare const DEFAULT_CHANNEL_LIMIT = 10;
 /** Maximum limit for channel search. */
 export declare const MAX_CHANNEL_LIMIT = 50;
-/** Default timeout for waiting for search results. */
-export declare const SEARCH_RESULT_TIMEOUT_MS = 10000;
 /** Default HTTP request timeout. */
 export declare const HTTP_REQUEST_TIMEOUT_MS = 30000;
-/** Short delay for UI interactions. */
-export declare const UI_SHORT_DELAY_MS = 300;
-/** Medium delay for UI state changes. */
-export declare const UI_MEDIUM_DELAY_MS = 1000;
-/** Long delay for API responses to settle. */
-export declare const UI_LONG_DELAY_MS = 2000;
-/** Authentication check interval. */
-export declare const AUTH_CHECK_INTERVAL_MS = 2000;
-/** Default login timeout (5 minutes). */
-export declare const LOGIN_TIMEOUT_MS: number;
 /** Pause after showing progress overlay step (ms). */
 export declare const OVERLAY_STEP_PAUSE_MS = 1500;
 /** Pause after showing final "All done" overlay (ms). */

package/dist/constants.js

@@ -37,20 +37,8 @@ export const MAX_CHANNEL_LIMIT = 50;
 // ─────────────────────────────────────────────────────────────────────────────
 // Timeouts (milliseconds)
 // ─────────────────────────────────────────────────────────────────────────────
-/** Default timeout for waiting for search results. */
-export const SEARCH_RESULT_TIMEOUT_MS = 10000;
 /** Default HTTP request timeout. */
 export const HTTP_REQUEST_TIMEOUT_MS = 30000;
-/** Short delay for UI interactions. */
-export const UI_SHORT_DELAY_MS = 300;
-/** Medium delay for UI state changes. */
-export const UI_MEDIUM_DELAY_MS = 1000;
-/** Long delay for API responses to settle. */
-export const UI_LONG_DELAY_MS = 2000;
-/** Authentication check interval. */
-export const AUTH_CHECK_INTERVAL_MS = 2000;
-/** Default login timeout (5 minutes). */
-export const LOGIN_TIMEOUT_MS = 5 * 60 * 1000;
 /** Pause after showing progress overlay step (ms). */
 export const OVERLAY_STEP_PAUSE_MS = 1500;
 /** Pause after showing final "All done" overlay (ms). */

package/dist/tools/auth-tools.js

@@ -72,13 +72,11 @@ async function handleLogin(input, ctx) {
             };
         }
     }
-    // Smart headless strategy:
-    // 1. No session or session too old → visible browser (definitely need login)
-    // 2. Session exists and is recent (< 12 hours) → try headless first (SSO likely)
-    // 3. forceNew requested → visible browser (user wants fresh login)
-    const hasRecentSession = hasSessionState() && !isSessionLikelyExpired();
-    const shouldTryHeadless = hasRecentSession && !input.forceNew;
-    if (shouldTryHeadless) {
+    // Headless-first strategy:
+    // The persistent browser profile retains Microsoft's long-lived session cookies,
+    // so headless SSO can succeed even without a session-state file. Always try
+    // headless first unless the user explicitly wants a fresh login.
+    if (!input.forceNew) {
         // Try headless first - SSO may complete silently
         const headlessManager = await createBrowserContext({ headless: true });
         ctx.server.setBrowserManager(headlessManager);

package/dist/tools/search-tools.d.ts

@@ -28,12 +28,12 @@ export declare const GetThreadInputSchema: z.ZodObject<{
     conversationId: string;
     limit: number;
     markRead: boolean;
-    order: "desc" | "asc";
+    order: "asc" | "desc";
 }, {
     conversationId: string;
     limit?: number | undefined;
     markRead?: boolean | undefined;
-    order?: "desc" | "asc" | undefined;
+    order?: "asc" | "desc" | undefined;
 }>;
 export declare const FindChannelInputSchema: z.ZodObject<{
     query: z.ZodString;
@@ -73,12 +73,12 @@ export declare const searchTools: (RegisteredTool<z.ZodObject<{
     conversationId: string;
     limit: number;
     markRead: boolean;
-    order: "desc" | "asc";
+    order: "asc" | "desc";
 }, {
     conversationId: string;
     limit?: number | undefined;
     markRead?: boolean | undefined;
-    order?: "desc" | "asc" | undefined;
+    order?: "asc" | "desc" | undefined;
 }>> | RegisteredTool<z.ZodObject<{
     query: z.ZodString;
     limit: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "msteams-mcp",
-  "version": "0.18.2",
+  "version": "0.19.0",
   "description": "MCP server for Microsoft Teams - search messages, send replies, manage favourites",
   "type": "module",
   "main": "dist/index.js",