msteams-mcp 0.23.0 → 0.23.1

package/dist/api/chatsvc-activity.js

@@ -72,7 +72,8 @@ export async function getActivityFeed(options = {}) {
     let syncState;
     if (metadata?.syncState) {
         try {
-            syncState = new URL(metadata.syncState).searchParams.get('syncState') ?? undefined;
+            const metaUrl = new URL(metadata.syncState);
+            syncState = metaUrl.searchParams.get('syncState') ?? undefined;
         }
         catch {
             syncState = metadata.syncState;

package/dist/api/chatsvc-messaging.d.ts

@@ -125,14 +125,12 @@ export declare function getThreadMessages(conversationId: string, options?: {
 /**
  * Edits an existing message.
  *
- * Uses the same content pipeline as {@link sendMessage} (markdown, @[mentions], links).
- *
  * Note: You can only edit your own messages. The API will reject
  * attempts to edit messages from other users.
  *
  * @param conversationId - The conversation containing the message
  * @param messageId - The ID of the message to edit
- * @param newContent - New content (markdown; supports mentions like sendMessage)
+ * @param newContent - The new content for the message
  */
 export declare function editMessage(conversationId: string, messageId: string, newContent: string): Promise<Result<EditMessageResult>>;
 /**

package/dist/api/chatsvc-messaging.js

@@ -268,14 +268,12 @@ export async function getThreadMessages(conversationId, options = {}) {
 /**
  * Edits an existing message.
  *
- * Uses the same content pipeline as {@link sendMessage} (markdown, @[mentions], links).
- *
  * Note: You can only edit your own messages. The API will reject
  * attempts to edit messages from other users.
  *
  * @param conversationId - The conversation containing the message
  * @param messageId - The ID of the message to edit
- * @param newContent - New content (markdown; supports mentions like sendMessage)
+ * @param newContent - The new content for the message
  */
 export async function editMessage(conversationId, messageId, newContent) {
     const authResult = requireMessageAuthWithConfig();
@@ -284,10 +282,11 @@ export async function editMessage(conversationId, messageId, newContent) {
     }
     const { auth, region, baseUrl } = authResult.value;
     const displayName = getUserDisplayName() || 'User';
-    // Same pipeline as sendMessage: markdown, @[mentions](mri), links, then mentions property.
-    const parsed = parseContentWithMentionsAndLinks(newContent);
-    const htmlContent = parsed.html;
-    const mentionsToSend = parsed.mentions;
+    // Always convert through markdown→HTML pipeline (never pass raw HTML through,
+    // as Teams requires proper block-level wrapping like <p> tags)
+    const htmlContent = markdownToTeamsHtml(newContent);
+    // Build the edit request body
+    // The API requires the message structure with updated content
     const body = {
         id: messageId,
         type: 'Message',
@@ -297,11 +296,6 @@ export async function editMessage(conversationId, messageId, newContent) {
         contenttype: 'text',
         imdisplayname: displayName,
     };
-    if (mentionsToSend.length > 0) {
-        body.properties = {
-            mentions: buildMentionsProperty(mentionsToSend),
-        };
-    }
     const url = CHATSVC_API.editMessage(region, conversationId, messageId, baseUrl);
     const response = await httpRequest(url, {
         method: 'PUT',

package/dist/api/chatsvc-readstatus.js

@@ -158,8 +158,6 @@ export async function getUnreadConversations() {
         if (!lastMsg?.id)
             continue;
         const lastMsgTime = parseInt(lastMsg.id, 10);
-        if (isNaN(lastMsgTime))
-            continue;
         const fromMe = lastMsg.from?.includes(auth.userMri);
         const isChannel = tp.threadType === 'channel' || c.id.includes('@thread.tacv2');
         const displayName = tp.topic || lastMsg.imdisplayname;
@@ -179,17 +177,12 @@ export async function getUnreadConversations() {
             continue;
         }
         const readUpTo = parseInt(horizon.split(';')[0], 10);
-        if (isNaN(readUpTo))
-            continue; // malformed horizon — skip rather than misclassify
         if (lastMsgTime <= readUpTo)
             continue; // Already read
         // For channels, preserve original behavior (skip if last msg is ours).
         // For chats, only skip if read horizon is within 2s of our reply —
         // a larger gap means unread messages exist before our reply.
-        // 2-second (2000 ms) window: if the read horizon is this close to our last message,
-        // assume we've read everything and there's no unread gap before our reply.
-        const SELF_REPLY_READ_WINDOW_MS = 2000;
-        if (fromMe && (isChannel || (lastMsgTime - readUpTo) < SELF_REPLY_READ_WINDOW_MS))
+        if (fromMe && (isChannel || (lastMsgTime - readUpTo) < 2000))
             continue;
         const entry = {
             conversationId: c.id,

package/dist/api/graph-api.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Microsoft Graph API - Spike for sending messages.
+ *
+ * This is a spike/experiment to test whether we can use the Graph API
+ * with tokens extracted from the Teams browser session (no Azure App
+ * registration required).
+ *
+ * Graph API send message endpoint:
+ * POST https://graph.microsoft.com/v1.0/chats/{chatId}/messages
+ *
+ * Note: Graph API uses a different chat ID format than chatsvc. The
+ * conversationId from Teams (e.g., "19:xxx@thread.v2") should work
+ * directly as the Graph chatId.
+ */
+import { type Result } from '../types/result.js';
+/** Result of sending a message via Graph API. */
+export interface GraphSendMessageResult {
+    /** The Graph-assigned message ID. */
+    id: string;
+    /** When the message was created (ISO 8601). */
+    createdDateTime?: string;
+    /** The web URL for the message (if returned). */
+    webUrl?: string;
+    /** Raw Graph API response for debugging in spike. */
+    _raw?: unknown;
+}
+/**
+ * Sends a message to a Teams chat via the Microsoft Graph API.
+ *
+ * This is a spike to test Graph API access using tokens from the Teams
+ * browser session. The Graph API endpoint is:
+ * POST /v1.0/chats/{chatId}/messages
+ *
+ * For channel messages, the endpoint would be:
+ * POST /v1.0/teams/{teamId}/channels/{channelId}/messages
+ *
+ * @param chatId - The Teams conversation ID (e.g., "19:xxx@thread.v2")
+ * @param content - The message content (plain text or HTML)
+ * @param contentType - "text" for plain text, "html" for HTML (default: "text")
+ */
+export declare function graphSendMessage(chatId: string, content: string, contentType?: 'text' | 'html'): Promise<Result<GraphSendMessageResult>>;
+/**
+ * Sends a message to a Teams channel via the Microsoft Graph API.
+ *
+ * POST /v1.0/teams/{teamId}/channels/{channelId}/messages
+ *
+ * Note: For channels, we need the teamId (group ID) and channelId separately.
+ * This is different from the chatsvc API which uses a single conversationId.
+ *
+ * @param teamId - The team's group ID (GUID)
+ * @param channelId - The channel ID (e.g., "19:xxx@thread.tacv2")
+ * @param content - The message content
+ * @param contentType - "text" for plain text, "html" for HTML (default: "text")
+ */
+export declare function graphSendChannelMessage(teamId: string, channelId: string, content: string, contentType?: 'text' | 'html'): Promise<Result<GraphSendMessageResult>>;

package/dist/api/graph-api.js

@@ -0,0 +1,148 @@
+/**
+ * Microsoft Graph API - Spike for sending messages.
+ *
+ * This is a spike/experiment to test whether we can use the Graph API
+ * with tokens extracted from the Teams browser session (no Azure App
+ * registration required).
+ *
+ * Graph API send message endpoint:
+ * POST https://graph.microsoft.com/v1.0/chats/{chatId}/messages
+ *
+ * Note: Graph API uses a different chat ID format than chatsvc. The
+ * conversationId from Teams (e.g., "19:xxx@thread.v2") should work
+ * directly as the Graph chatId.
+ */
+import { httpRequest } from '../utils/http.js';
+import { ErrorCode, createError } from '../types/errors.js';
+import { ok, err } from '../types/result.js';
+import { requireGraphAuth } from '../utils/auth-guards.js';
+// ─────────────────────────────────────────────────────────────────────────────
+// Constants
+// ─────────────────────────────────────────────────────────────────────────────
+const GRAPH_BASE_URL = 'https://graph.microsoft.com/v1.0';
+// ─────────────────────────────────────────────────────────────────────────────
+// Send Message via Graph API
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Sends a message to a Teams chat via the Microsoft Graph API.
+ *
+ * This is a spike to test Graph API access using tokens from the Teams
+ * browser session. The Graph API endpoint is:
+ * POST /v1.0/chats/{chatId}/messages
+ *
+ * For channel messages, the endpoint would be:
+ * POST /v1.0/teams/{teamId}/channels/{channelId}/messages
+ *
+ * @param chatId - The Teams conversation ID (e.g., "19:xxx@thread.v2")
+ * @param content - The message content (plain text or HTML)
+ * @param contentType - "text" for plain text, "html" for HTML (default: "text")
+ */
+export async function graphSendMessage(chatId, content, contentType = 'text') {
+    const authResult = requireGraphAuth();
+    if (!authResult.ok) {
+        return authResult;
+    }
+    const { graphToken } = authResult.value;
+    const url = `${GRAPH_BASE_URL}/chats/${encodeURIComponent(chatId)}/messages`;
+    const body = {
+        body: {
+            contentType,
+            content,
+        },
+    };
+    const response = await httpRequest(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${graphToken}`,
+        },
+        body: JSON.stringify(body),
+        // Don't retry auth errors - they indicate the token doesn't have the right scopes
+        maxRetries: 1,
+    });
+    if (!response.ok) {
+        // Enhance error message with Graph-specific context
+        const errorMessage = response.error.message;
+        // Check for common Graph API permission errors
+        if (errorMessage.includes('Authorization_RequestDenied') ||
+            errorMessage.includes('Forbidden') ||
+            errorMessage.includes('403')) {
+            return err(createError(ErrorCode.AUTH_REQUIRED, `Graph API permission denied. The token from the Teams session may not have Chat.ReadWrite scope. Error: ${errorMessage}`, {
+                retryable: false,
+                suggestions: [
+                    'The Teams SPA client ID may not have delegated Chat.ReadWrite permission',
+                    'Check the token scopes by decoding the JWT at jwt.ms',
+                ],
+            }));
+        }
+        return response;
+    }
+    const data = response.value.data;
+    // Check if the response is an error response
+    if ('error' in data && data.error) {
+        return err(createError(ErrorCode.API_ERROR, `Graph API error: ${data.error.code}: ${data.error.message}`, { retryable: false }));
+    }
+    const msgData = data;
+    if (!msgData.id) {
+        return err(createError(ErrorCode.UNKNOWN, 'Graph API returned success but no message ID', { retryable: false }));
+    }
+    return ok({
+        id: msgData.id,
+        createdDateTime: msgData.createdDateTime,
+        webUrl: msgData.webUrl,
+        _raw: msgData,
+    });
+}
+/**
+ * Sends a message to a Teams channel via the Microsoft Graph API.
+ *
+ * POST /v1.0/teams/{teamId}/channels/{channelId}/messages
+ *
+ * Note: For channels, we need the teamId (group ID) and channelId separately.
+ * This is different from the chatsvc API which uses a single conversationId.
+ *
+ * @param teamId - The team's group ID (GUID)
+ * @param channelId - The channel ID (e.g., "19:xxx@thread.tacv2")
+ * @param content - The message content
+ * @param contentType - "text" for plain text, "html" for HTML (default: "text")
+ */
+export async function graphSendChannelMessage(teamId, channelId, content, contentType = 'text') {
+    const authResult = requireGraphAuth();
+    if (!authResult.ok) {
+        return authResult;
+    }
+    const { graphToken } = authResult.value;
+    const url = `${GRAPH_BASE_URL}/teams/${encodeURIComponent(teamId)}/channels/${encodeURIComponent(channelId)}/messages`;
+    const body = {
+        body: {
+            contentType,
+            content,
+        },
+    };
+    const response = await httpRequest(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${graphToken}`,
+        },
+        body: JSON.stringify(body),
+        maxRetries: 1,
+    });
+    if (!response.ok) {
+        return response;
+    }
+    const data = response.value.data;
+    if ('error' in data && data.error) {
+        return err(createError(ErrorCode.API_ERROR, `Graph API error: ${data.error.code}: ${data.error.message}`, { retryable: false }));
+    }
+    const msgData = data;
+    if (!msgData.id) {
+        return err(createError(ErrorCode.UNKNOWN, 'Graph API returned success but no message ID', { retryable: false }));
+    }
+    return ok({
+        id: msgData.id,
+        createdDateTime: msgData.createdDateTime,
+        webUrl: msgData.webUrl,
+        _raw: msgData,
+    });
+}

package/dist/browser/chrome-cookie-import.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Import Microsoft SSO cookies from the user's Chrome profile into a Playwright context.
+ *
+ * When the Teams MCP server needs to open a visible browser for login,
+ * the Playwright profile is isolated from the user's real Chrome — so Microsoft
+ * can't recognise the user via SSO. This module copies the relevant Microsoft
+ * cookies from the user's actual Chrome work profile, enabling silent SSO in
+ * the Playwright browser and eliminating the need to re-type credentials.
+ *
+ * macOS only (Chrome cookies are encrypted with a Keychain-backed key).
+ * Fails gracefully on other platforms or when Chrome isn't available.
+ *
+ * Configuration:
+ *   TEAMS_MCP_CHROME_PROFILE env var — Chrome profile directory name
+ *   (e.g. "Profile 1"). If unset, auto-detects from Chrome's Local State.
+ */
+import type { BrowserContext } from 'playwright';
+/**
+ * Imports Microsoft SSO cookies from the user's Chrome profile into a Playwright context.
+ *
+ * This enables SSO in the Playwright browser so the user doesn't have to type
+ * credentials when Microsoft redirects to the login page.
+ *
+ * Fails silently — cookie import is best-effort. If it doesn't work,
+ * the user just has to log in manually as before.
+ */
+export declare function importMicrosoftCookies(context: BrowserContext): Promise<void>;

package/dist/browser/chrome-cookie-import.js

@@ -0,0 +1,294 @@
+/**
+ * Import Microsoft SSO cookies from the user's Chrome profile into a Playwright context.
+ *
+ * When the Teams MCP server needs to open a visible browser for login,
+ * the Playwright profile is isolated from the user's real Chrome — so Microsoft
+ * can't recognise the user via SSO. This module copies the relevant Microsoft
+ * cookies from the user's actual Chrome work profile, enabling silent SSO in
+ * the Playwright browser and eliminating the need to re-type credentials.
+ *
+ * macOS only (Chrome cookies are encrypted with a Keychain-backed key).
+ * Fails gracefully on other platforms or when Chrome isn't available.
+ *
+ * Configuration:
+ *   TEAMS_MCP_CHROME_PROFILE env var — Chrome profile directory name
+ *   (e.g. "Profile 1"). If unset, auto-detects from Chrome's Local State.
+ */
+import * as crypto from 'crypto';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { execSync } from 'child_process';
+import * as log from '../utils/logger.js';
+// Microsoft domains whose cookies enable SSO
+const MICROSOFT_DOMAINS = [
+    '%microsoftonline%',
+    '%login.live.com%',
+    '%login.microsoft.com%',
+    '%microsoft.com%',
+    '%office.com%',
+    '%office365.com%',
+];
+const CHROME_DATA_DIR = path.join(os.homedir(), 'Library', 'Application Support', 'Google', 'Chrome');
+// ─────────────────────────────────────────────────────────────────────────────
+// Chrome Profile Detection
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Lists Chrome profiles from the Local State file.
+ */
+function listChromeProfiles() {
+    const localStatePath = path.join(CHROME_DATA_DIR, 'Local State');
+    if (!fs.existsSync(localStatePath))
+        return [];
+    try {
+        const localState = JSON.parse(fs.readFileSync(localStatePath, 'utf8'));
+        const infoCache = localState?.profile?.info_cache;
+        if (!infoCache || typeof infoCache !== 'object')
+            return [];
+        return Object.entries(infoCache).map(([dirName, info]) => {
+            const i = info;
+            return {
+                dirName,
+                name: String(i.name ?? ''),
+                gaiaName: String(i.gaia_name ?? ''),
+            };
+        });
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Selects the Chrome profile to import cookies from.
+ *
+ * Priority:
+ * 1. TEAMS_MCP_CHROME_PROFILE env var (exact dir name like "Profile 1")
+ * 2. Auto-detect: first profile whose name looks like a work/corporate account
+ * 3. null if no suitable profile found
+ */
+function selectChromeProfile() {
+    const profiles = listChromeProfiles();
+    if (profiles.length === 0)
+        return null;
+    // Priority 1: explicit env var
+    const envProfile = process.env.TEAMS_MCP_CHROME_PROFILE;
+    if (envProfile) {
+        const match = profiles.find(p => p.dirName === envProfile);
+        if (match)
+            return match;
+        log.warn('cookie-import', `TEAMS_MCP_CHROME_PROFILE="${envProfile}" not found. Available: ${profiles.map(p => `${p.dirName} (${p.name})`).join(', ')}`);
+        return null;
+    }
+    // Priority 2: auto-detect work profile (contains a domain-like name)
+    const workProfile = profiles.find(p => /\.[a-z]{2,}$/i.test(p.name) || // name contains a domain (e.g. "corp.example.com")
+        p.name.toLowerCase().includes('work') ||
+        p.name.toLowerCase().includes('corp'));
+    if (workProfile)
+        return workProfile;
+    // Skip auto-import if we can't identify a work profile
+    return null;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Cookie Decryption (macOS)
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Cached AES key derived from the Chrome Safe Storage Keychain password.
+ * Cached for the lifetime of the MCP server process so the Keychain
+ * prompt only appears once (on first cookie import after server start).
+ *
+ * Tip: click "Always Allow" on the macOS Keychain dialog to permanently
+ * authorize this process — then no prompt appears at all.
+ */
+let cachedKey = null;
+/**
+ * Gets (or retrieves from cache) the AES key for Chrome cookie decryption.
+ * Accesses the macOS Keychain only on first call, caches for process lifetime.
+ */
+function getDecryptionKey() {
+    if (cachedKey)
+        return cachedKey;
+    let password;
+    try {
+        password = execSync('security find-generic-password -s "Chrome Safe Storage" -w', { encoding: 'utf8', timeout: 5000 }).trim();
+    }
+    catch {
+        return null;
+    }
+    cachedKey = crypto.pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1');
+    return cachedKey;
+}
+/**
+ * Decrypts a Chrome cookie value.
+ * Chrome macOS cookies are prefixed with 'v10' followed by AES-128-CBC ciphertext.
+ */
+function decryptCookieValue(hexValue, key) {
+    try {
+        const encrypted = Buffer.from(hexValue, 'hex');
+        // v10 prefix check (0x76 0x31 0x30)
+        if (encrypted.length < 4 || encrypted[0] !== 0x76 || encrypted[1] !== 0x31 || encrypted[2] !== 0x30) {
+            // Not encrypted or unknown format — try as plain text
+            return encrypted.toString('utf8');
+        }
+        const ciphertext = encrypted.subarray(3);
+        const iv = Buffer.alloc(16, 0x20); // 16 bytes of space (0x20)
+        const decipher = crypto.createDecipheriv('aes-128-cbc', key, iv);
+        decipher.setAutoPadding(true);
+        const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        return decrypted.toString('utf8');
+    }
+    catch {
+        return null;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Cookie Reading (via sqlite3 CLI)
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Reads Microsoft-related cookies from a Chrome profile's Cookies database.
+ * Copies the DB to a temp file to avoid locking conflicts with running Chrome.
+ */
+function readChromeCookies(profileDir) {
+    const cookiesDb = path.join(CHROME_DATA_DIR, profileDir, 'Cookies');
+    if (!fs.existsSync(cookiesDb))
+        return [];
+    // Copy to temp to avoid lock conflicts with running Chrome
+    const tmpDb = path.join(os.tmpdir(), `teams-mcp-cookies-${Date.now()}.db`);
+    try {
+        fs.copyFileSync(cookiesDb, tmpDb);
+        // Also copy WAL/SHM if they exist (needed for consistent reads)
+        for (const ext of ['-wal', '-shm']) {
+            const src = cookiesDb + ext;
+            if (fs.existsSync(src)) {
+                fs.copyFileSync(src, tmpDb + ext);
+            }
+        }
+        const whereClause = MICROSOFT_DOMAINS.map(d => `host_key LIKE '${d}'`).join(' OR ');
+        const sql = `SELECT host_key, name, hex(encrypted_value) as ev, path, expires_utc, is_secure, is_httponly, samesite FROM cookies WHERE (${whereClause}) AND expires_utc > 0`;
+        const output = execSync(`sqlite3 -separator '|||' "${tmpDb}" "${sql}"`, { encoding: 'utf8', timeout: 10000, maxBuffer: 1024 * 1024 });
+        return output
+            .trim()
+            .split('\n')
+            .filter(line => line.includes('|||'))
+            .map(line => {
+            const [host_key, name, encrypted_value_hex, cookiePath, expires_utc, is_secure, is_httponly, samesite] = line.split('|||');
+            return {
+                host_key,
+                name,
+                encrypted_value_hex,
+                path: cookiePath,
+                expires_utc: parseInt(expires_utc, 10),
+                is_secure: parseInt(is_secure, 10),
+                is_httponly: parseInt(is_httponly, 10),
+                samesite: parseInt(samesite, 10),
+            };
+        });
+    }
+    catch (err) {
+        log.warn('cookie-import', `Failed to read Chrome cookies: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    finally {
+        // Clean up temp files
+        for (const f of [tmpDb, tmpDb + '-wal', tmpDb + '-shm']) {
+            try {
+                fs.unlinkSync(f);
+            }
+            catch { /* ignore */ }
+        }
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Cookie Conversion
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Converts Chrome epoch (microseconds since 1601-01-01) to Unix epoch (seconds since 1970-01-01).
+ */
+function chromeEpochToUnix(chromeTimestamp) {
+    // Chrome epoch starts 11644473600 seconds before Unix epoch
+    return Math.floor(chromeTimestamp / 1_000_000) - 11644473600;
+}
+/**
+ * Maps Chrome's samesite integer to Playwright's string value.
+ */
+function chromeSameSiteToPlaywright(samesite) {
+    switch (samesite) {
+        case 2: return 'Strict';
+        case 1: return 'Lax';
+        default: return 'None';
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Public API
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Imports Microsoft SSO cookies from the user's Chrome profile into a Playwright context.
+ *
+ * This enables SSO in the Playwright browser so the user doesn't have to type
+ * credentials when Microsoft redirects to the login page.
+ *
+ * Fails silently — cookie import is best-effort. If it doesn't work,
+ * the user just has to log in manually as before.
+ */
+export async function importMicrosoftCookies(context) {
+    // Only supported on macOS
+    if (process.platform !== 'darwin') {
+        log.debug('cookie-import', 'Skipping cookie import (not macOS)');
+        return;
+    }
+    // Check if Chrome is installed
+    if (!fs.existsSync(CHROME_DATA_DIR)) {
+        log.debug('cookie-import', 'Skipping cookie import (Chrome not found)');
+        return;
+    }
+    const profile = selectChromeProfile();
+    if (!profile) {
+        log.debug('cookie-import', 'No Chrome work profile found. Set TEAMS_MCP_CHROME_PROFILE env var.');
+        return;
+    }
+    log.info('cookie-import', `Importing Microsoft cookies from Chrome profile: ${profile.dirName} (${profile.name})`);
+    // Get decryption key (cached after first access — only one Keychain prompt per server lifetime)
+    const key = getDecryptionKey();
+    if (!key) {
+        log.warn('cookie-import', 'Could not get Chrome Safe Storage password from Keychain. ' +
+            'To fix, run: security set-generic-password-partition-list -S "apple-tool:,apple:" ' +
+            '-a "Chrome" -s "Chrome Safe Storage" ~/Library/Keychains/login.keychain-db');
+        return;
+    }
+    // Read and decrypt cookies
+    const rawCookies = readChromeCookies(profile.dirName);
+    if (rawCookies.length === 0) {
+        log.info('cookie-import', 'No Microsoft cookies found in Chrome profile');
+        return;
+    }
+    const playwrightCookies = [];
+    for (const raw of rawCookies) {
+        const value = decryptCookieValue(raw.encrypted_value_hex, key);
+        if (!value)
+            continue;
+        const expires = chromeEpochToUnix(raw.expires_utc);
+        // Skip expired cookies
+        if (expires <= Math.floor(Date.now() / 1000))
+            continue;
+        playwrightCookies.push({
+            name: raw.name,
+            value,
+            domain: raw.host_key,
+            path: raw.path,
+            expires,
+            httpOnly: raw.is_httponly === 1,
+            secure: raw.is_secure === 1,
+            sameSite: chromeSameSiteToPlaywright(raw.samesite),
+        });
+    }
+    if (playwrightCookies.length === 0) {
+        log.info('cookie-import', 'No valid Microsoft cookies to import');
+        return;
+    }
+    try {
+        await context.addCookies(playwrightCookies);
+        log.info('cookie-import', `Imported ${playwrightCookies.length} Microsoft cookies from Chrome "${profile.name}" profile`);
+    }
+    catch (err) {
+        log.warn('cookie-import', `Failed to inject cookies: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}

package/dist/browser/chrome-cookie-import.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/browser/chrome-cookie-import.test.js

@@ -0,0 +1,122 @@
+import { describe, it, expect } from 'vitest';
+import * as crypto from 'crypto';
+/**
+ * Tests for the cookie import logic.
+ *
+ * The public importMicrosoftCookies() function depends on filesystem, Keychain,
+ * and sqlite3 — so we test the pure cryptographic and conversion logic directly.
+ */
+describe('chrome-cookie-import logic', () => {
+    describe('cookie decryption (v10 AES-128-CBC)', () => {
+        // Replicate Chrome macOS encryption: PBKDF2-SHA1, salt='saltysalt', 1003 iters
+        const password = 'test-password';
+        const key = crypto.pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1');
+        const iv = Buffer.alloc(16, 0x20); // 16 spaces
+        function encrypt(plaintext) {
+            const cipher = crypto.createCipheriv('aes-128-cbc', key, iv);
+            const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+            return Buffer.concat([Buffer.from('v10'), encrypted]).toString('hex');
+        }
+        function decrypt(hexValue) {
+            const buf = Buffer.from(hexValue, 'hex');
+            if (buf.length < 4 || buf[0] !== 0x76 || buf[1] !== 0x31 || buf[2] !== 0x30) {
+                return buf.toString('utf8');
+            }
+            try {
+                const decipher = crypto.createDecipheriv('aes-128-cbc', key, iv);
+                decipher.setAutoPadding(true);
+                return Buffer.concat([decipher.update(buf.subarray(3)), decipher.final()]).toString('utf8');
+            }
+            catch {
+                return null;
+            }
+        }
+        it('round-trips a short cookie value', () => {
+            const value = 'ESTSAUTHPERSISTENT_VALUE_HERE';
+            expect(decrypt(encrypt(value))).toBe(value);
+        });
+        it('round-trips an empty string', () => {
+            expect(decrypt(encrypt(''))).toBe('');
+        });
+        it('round-trips a long value (>1 AES block)', () => {
+            const value = 'A'.repeat(200);
+            expect(decrypt(encrypt(value))).toBe(value);
+        });
+        it('returns raw string for non-v10 prefix', () => {
+            const plain = Buffer.from('hello');
+            expect(decrypt(plain.toString('hex'))).toBe('hello');
+        });
+        it('returns null for corrupted ciphertext', () => {
+            // Valid v10 prefix but garbage data
+            const garbage = Buffer.concat([Buffer.from('v10'), Buffer.from('not-valid-ciphertext-at-all!!')]);
+            expect(decrypt(garbage.toString('hex'))).toBeNull();
+        });
+    });
+    describe('Chrome epoch conversion', () => {
+        function chromeEpochToUnix(chromeTimestamp) {
+            return Math.floor(chromeTimestamp / 1_000_000) - 11644473600;
+        }
+        it('converts a known Chrome timestamp to Unix', () => {
+            // 2025-01-01T00:00:00Z in Unix = 1735689600
+            // In Chrome epoch = (1735689600 + 11644473600) * 1_000_000 = 13380163200000000
+            const chromeTs = 13380163200000000;
+            expect(chromeEpochToUnix(chromeTs)).toBe(1735689600);
+        });
+        it('returns 0 for the Unix epoch in Chrome time', () => {
+            const chromeTs = 11644473600 * 1_000_000;
+            expect(chromeEpochToUnix(chromeTs)).toBe(0);
+        });
+    });
+    describe('samesite mapping', () => {
+        function chromeSameSiteToPlaywright(samesite) {
+            switch (samesite) {
+                case 2: return 'Strict';
+                case 1: return 'Lax';
+                default: return 'None';
+            }
+        }
+        it('maps Chrome samesite values', () => {
+            expect(chromeSameSiteToPlaywright(-1)).toBe('None');
+            expect(chromeSameSiteToPlaywright(0)).toBe('None');
+            expect(chromeSameSiteToPlaywright(1)).toBe('Lax');
+            expect(chromeSameSiteToPlaywright(2)).toBe('Strict');
+        });
+    });
+    describe('profile detection heuristics', () => {
+        const profiles = [
+            { dirName: 'Default', name: 'Person 1', gaiaName: 'Test' },
+            { dirName: 'Profile 1', name: 'corp.example.com', gaiaName: 'Jane Smith' },
+            { dirName: 'Profile 2', name: 'Jane', gaiaName: 'Jane Smith' },
+            { dirName: 'Profile 4', name: 'Test', gaiaName: '' },
+        ];
+        function selectWorkProfile(profiles) {
+            return profiles.find(p => /\.[a-z]{2,}$/i.test(p.name) ||
+                p.name.toLowerCase().includes('work') ||
+                p.name.toLowerCase().includes('corp')) ?? null;
+        }
+        it('selects profile with domain-like name', () => {
+            expect(selectWorkProfile(profiles)?.dirName).toBe('Profile 1');
+        });
+        it('selects profile with "work" in name', () => {
+            const custom = [
+                { dirName: 'Default', name: 'Personal' },
+                { dirName: 'Profile 1', name: 'Work Account' },
+            ];
+            expect(selectWorkProfile(custom)?.dirName).toBe('Profile 1');
+        });
+        it('selects profile with "corp" in name', () => {
+            const custom = [
+                { dirName: 'Default', name: 'Me' },
+                { dirName: 'Profile 1', name: 'CorpNet' },
+            ];
+            expect(selectWorkProfile(custom)?.dirName).toBe('Profile 1');
+        });
+        it('returns null when no work profile found', () => {
+            const custom = [
+                { dirName: 'Default', name: 'Person 1' },
+                { dirName: 'Profile 2', name: 'Gaming' },
+            ];
+            expect(selectWorkProfile(custom)).toBeNull();
+        });
+    });
+});

package/dist/browser/context.js

@@ -18,6 +18,7 @@ import * as path from 'path';
 import { ensureUserDataDir, CONFIG_DIR, writeSessionState, } from '../auth/session-store.js';
 import { clearRegionCache } from '../utils/auth-guards.js';
 import * as log from '../utils/logger.js';
+import { importMicrosoftCookies } from './chrome-cookie-import.js';
 const DEFAULT_OPTIONS = {
     headless: true,
     viewport: { width: 1280, height: 800 },
@@ -142,6 +143,14 @@ export async function createBrowserContext(options = {}) {
             viewport: opts.viewport,
             acceptDownloads: false,
         });
+        // Import Microsoft SSO cookies from the user's real Chrome profile.
+        // Only for visible (interactive) logins — enables SSO so user doesn't have
+        // to type credentials. Headless refresh uses the persistent profile's saved
+        // cookies, avoiding Keychain access on every hourly auto-refresh cycle.
+        // (forceNew login imports cookies explicitly via auth-tools.ts)
+        if (!opts.headless) {
+            await importMicrosoftCookies(context);
+        }
         // Persistent contexts start with one page; use it or create one
         const page = context.pages()[0] ?? await context.newPage();
         return {

package/dist/test/dump-tokens.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env tsx
+/**
+ * Quick diagnostic: dump all MSAL token targets from the session.
+ * Run: npm run build && node dist/test/dump-tokens.js
+ * Or:  npx tsx src/test/dump-tokens.ts
+ */
+export {};

package/dist/test/dump-tokens.js

@@ -0,0 +1,90 @@
+#!/usr/bin/env tsx
+/**
+ * Quick diagnostic: dump all MSAL token targets from the session.
+ * Run: npm run build && node dist/test/dump-tokens.js
+ * Or:  npx tsx src/test/dump-tokens.ts
+ */
+import { readSessionState, getTeamsOrigin } from '../auth/session-store.js';
+function decodeJwtPayload(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length < 2)
+            return null;
+        return JSON.parse(Buffer.from(parts[1], 'base64').toString());
+    }
+    catch {
+        return null;
+    }
+}
+const sessionState = readSessionState();
+if (!sessionState) {
+    console.log('No session state found. Run teams_login first.');
+    process.exit(1);
+}
+const teamsOrigin = getTeamsOrigin(sessionState);
+const localStorage = teamsOrigin?.localStorage ?? [];
+console.log(`Found ${localStorage.length} localStorage entries\n`);
+// Collect all tokens with their targets
+const tokens = [];
+for (const item of localStorage) {
+    try {
+        const entry = JSON.parse(item.value);
+        const target = entry.target;
+        const secret = entry.secret;
+        if (!target || !secret || !secret.startsWith('ey'))
+            continue;
+        const payload = decodeJwtPayload(secret);
+        if (!payload?.exp || typeof payload.exp !== 'number')
+            continue;
+        const expiry = new Date(payload.exp * 1000);
+        const minutesLeft = Math.round((expiry.getTime() - Date.now()) / 1000 / 60);
+        // Extract scopes from the token's scp claim
+        const scp = payload.scp;
+        const scopes = scp ? scp.split(' ') : [];
+        tokens.push({
+            target,
+            scopes,
+            expiry: expiry.toISOString(),
+            minutesLeft,
+            hasGraph: target.includes('graph.microsoft.com'),
+        });
+    }
+    catch {
+        continue;
+    }
+}
+console.log('=== ALL MSAL TOKENS ===\n');
+for (const t of tokens) {
+    const status = t.minutesLeft > 0 ? `✅ ${t.minutesLeft}m left` : '❌ EXPIRED';
+    console.log(`Target: ${t.target}`);
+    console.log(`Status: ${status}`);
+    if (t.scopes.length > 0) {
+        console.log(`Scopes: ${t.scopes.join(', ')}`);
+    }
+    console.log();
+}
+// Highlight Graph tokens
+const graphTokens = tokens.filter(t => t.hasGraph);
+console.log('=== GRAPH TOKENS ===\n');
+if (graphTokens.length === 0) {
+    console.log('⚠️  No graph.microsoft.com tokens found in session.');
+    console.log('   The Teams web app may not store Graph tokens in localStorage.');
+    console.log('   Transcript API will need to use the middle tier instead.');
+}
+else {
+    for (const t of graphTokens) {
+        console.log(`Target: ${t.target}`);
+        console.log(`Scopes: ${t.scopes.join(', ')}`);
+        console.log(`Expiry: ${t.expiry} (${t.minutesLeft}m left)`);
+        const hasTranscriptScope = t.scopes.some(s => s.toLowerCase().includes('transcript') ||
+            s.toLowerCase().includes('onlinemeeting'));
+        if (hasTranscriptScope) {
+            console.log('✅ Has transcript-related scopes!');
+        }
+        else {
+            console.log('⚠️  No transcript-specific scopes found in this token.');
+            console.log('   May still work if the first-party Teams app has implicit access.');
+        }
+        console.log();
+    }
+}

package/dist/test/test-transcript.d.ts

@@ -0,0 +1,6 @@
+#!/usr/bin/env tsx
+/**
+ * Test the transcript API end-to-end.
+ * Run: npx tsx src/test/test-transcript.ts
+ */
+export {};

package/dist/test/test-transcript.js

@@ -0,0 +1,47 @@
+#!/usr/bin/env tsx
+/**
+ * Test the transcript API end-to-end.
+ * Run: npx tsx src/test/test-transcript.ts
+ */
+import { getCalendarView } from '../api/calendar-api.js';
+import { getTranscriptContent } from '../api/transcript-api.js';
+async function main() {
+    console.log('=== Get recent meetings with threadId ===');
+    const now = new Date();
+    const pastWeek = new Date(now);
+    pastWeek.setDate(pastWeek.getDate() - 14);
+    const meetingsResult = await getCalendarView({
+        startDate: pastWeek.toISOString(),
+        endDate: now.toISOString(),
+        limit: 50,
+    });
+    if (!meetingsResult.ok) {
+        console.log(`❌ ${meetingsResult.error.message}`);
+        process.exit(1);
+    }
+    const meetings = meetingsResult.value.meetings.filter(m => m.threadId);
+    console.log(`Found ${meetings.length} meetings with threadId\n`);
+    // Try each meeting until we find one with a transcript
+    for (const meeting of meetings.slice(0, 10)) {
+        console.log(`--- "${meeting.subject}" (${meeting.startTime}) ---`);
+        console.log(`Thread: ${meeting.threadId}`);
+        const result = await getTranscriptContent(meeting.threadId, meeting.startTime);
+        if (result.ok) {
+            console.log(`\n✅ SUCCESS!`);
+            console.log(`Title: ${result.value.meetingTitle}`);
+            console.log(`Speakers: ${result.value.speakers.join(', ')}`);
+            console.log(`Entries: ${result.value.entryCount}`);
+            console.log(`Recording: ${result.value.recordingStartTime} → ${result.value.recordingEndTime}`);
+            console.log(`\nFirst 800 chars:\n${result.value.formattedText.substring(0, 800)}`);
+            process.exit(0);
+        }
+        else {
+            console.log(`  ❌ ${result.error.code}: ${result.error.message}\n`);
+        }
+    }
+    console.log('No transcripts found for any recent meeting.');
+}
+main().catch(e => {
+    console.error('Fatal error:', e);
+    process.exit(1);
+});

package/dist/tools/auth-tools.js

@@ -76,14 +76,20 @@ async function handleLogin(input, ctx) {
     // Headless-first strategy:
     // The persistent browser profile retains Microsoft's long-lived session cookies,
     // so headless SSO can succeed even without a session-state file. Always try
-    // headless first — even for forceNew. Most recovery scenarios complete silently.
+    // headless first — even for forceNew. Chrome cookie import enables headless SSO
+    // to succeed without a session file, so most recovery scenarios complete silently.
     {
         const headlessManager = await createBrowserContext({ headless: true });
         ctx.server.setBrowserManager(headlessManager);
         try {
             if (input.forceNew) {
-                // Clear persistent profile cookies to force fresh authentication
+                // Clear persistent profile cookies, then import Chrome's Microsoft SSO
+                // cookies so headless SSO can succeed without a session file.
+                // (createBrowserContext skips cookie import in headless mode to avoid
+                // Keychain access on routine refresh — this is the intentional exception.)
                 await headlessManager.context.clearCookies();
+                const { importMicrosoftCookies } = await import('../browser/chrome-cookie-import.js');
+                await importMicrosoftCookies(headlessManager.context);
             }
             await ensureAuthenticated(headlessManager.page, headlessManager.context, (msg) => log.info('login:headless', msg), false, // No overlay in headless
             true // Headless mode - throw immediately if user interaction required

package/dist/tools/graph-tools.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Graph API spike tool handlers.
+ *
+ * Experimental tools to test Microsoft Graph API access using tokens
+ * extracted from the Teams browser session.
+ */
+import { z } from 'zod';
+import type { RegisteredTool } from './index.js';
+export declare const GraphSendMessageInputSchema: z.ZodObject<{
+    chatId: z.ZodString;
+    content: z.ZodString;
+    contentType: z.ZodDefault<z.ZodOptional<z.ZodEnum<["text", "html"]>>>;
+}, "strip", z.ZodTypeAny, {
+    content: string;
+    contentType: "text" | "html";
+    chatId: string;
+}, {
+    content: string;
+    chatId: string;
+    contentType?: "text" | "html" | undefined;
+}>;
+export declare const GraphTokenStatusInputSchema: z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>;
+export declare const graphSendMessageTool: RegisteredTool<typeof GraphSendMessageInputSchema>;
+export declare const graphTokenStatusTool: RegisteredTool<z.ZodObject<Record<string, never>>>;
+/** All Graph API spike tools. */
+export declare const graphTools: (RegisteredTool<z.ZodObject<Record<string, never>, z.UnknownKeysParam, z.ZodTypeAny, {
+    [x: string]: never;
+}, {
+    [x: string]: never;
+}>> | RegisteredTool<z.ZodObject<{
+    chatId: z.ZodString;
+    content: z.ZodString;
+    contentType: z.ZodDefault<z.ZodOptional<z.ZodEnum<["text", "html"]>>>;
+}, "strip", z.ZodTypeAny, {
+    content: string;
+    contentType: "text" | "html";
+    chatId: string;
+}, {
+    content: string;
+    chatId: string;
+    contentType?: "text" | "html" | undefined;
+}>>)[];

package/dist/tools/graph-tools.js

@@ -0,0 +1,99 @@
+/**
+ * Graph API spike tool handlers.
+ *
+ * Experimental tools to test Microsoft Graph API access using tokens
+ * extracted from the Teams browser session.
+ */
+import { z } from 'zod';
+import { graphSendMessage } from '../api/graph-api.js';
+import { getGraphTokenStatus } from '../auth/token-extractor.js';
+// ─────────────────────────────────────────────────────────────────────────────
+// Schemas
+// ─────────────────────────────────────────────────────────────────────────────
+export const GraphSendMessageInputSchema = z.object({
+    chatId: z.string().min(1, 'Chat ID cannot be empty'),
+    content: z.string().min(1, 'Message content cannot be empty'),
+    contentType: z.enum(['text', 'html']).optional().default('text'),
+});
+export const GraphTokenStatusInputSchema = z.object({});
+// ─────────────────────────────────────────────────────────────────────────────
+// Tool Definitions
+// ─────────────────────────────────────────────────────────────────────────────
+const graphSendMessageToolDefinition = {
+    name: 'teams_graph_send_message',
+    description: '[SPIKE] Send a message via Microsoft Graph API instead of chatsvc. This is an experimental tool to test Graph API access. Use the chatId from teams_get_thread or teams_search (the conversationId). Content can be plain text or HTML.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            chatId: {
+                type: 'string',
+                description: 'The Teams chat/conversation ID (e.g., "19:xxx@thread.v2"). Use the conversationId from other tools.',
+            },
+            content: {
+                type: 'string',
+                description: 'The message content. Plain text by default, or HTML if contentType is "html".',
+            },
+            contentType: {
+                type: 'string',
+                enum: ['text', 'html'],
+                description: 'Content type: "text" (default) or "html".',
+            },
+        },
+        required: ['chatId', 'content'],
+    },
+};
+const graphTokenStatusToolDefinition = {
+    name: 'teams_graph_token_status',
+    description: '[SPIKE] Check the status of the Microsoft Graph API token. Shows whether a Graph token is available and when it expires.',
+    inputSchema: {
+        type: 'object',
+        properties: {},
+    },
+};
+// ─────────────────────────────────────────────────────────────────────────────
+// Handlers
+// ─────────────────────────────────────────────────────────────────────────────
+async function handleGraphSendMessage(input, _ctx) {
+    const result = await graphSendMessage(input.chatId, input.content, input.contentType);
+    if (!result.ok) {
+        return { success: false, error: result.error };
+    }
+    return {
+        success: true,
+        data: {
+            id: result.value.id,
+            createdDateTime: result.value.createdDateTime,
+            webUrl: result.value.webUrl,
+            note: '[SPIKE] Message sent via Microsoft Graph API. This is experimental.',
+            _raw: result.value._raw,
+        },
+    };
+}
+async function handleGraphTokenStatus(_input, _ctx) {
+    const status = getGraphTokenStatus();
+    return {
+        success: true,
+        data: {
+            graphToken: status,
+            note: '[SPIKE] Graph token is acquired during token refresh. If no token is available, try teams_login first, then check again.',
+        },
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Exports
+// ─────────────────────────────────────────────────────────────────────────────
+export const graphSendMessageTool = {
+    definition: graphSendMessageToolDefinition,
+    schema: GraphSendMessageInputSchema,
+    handler: handleGraphSendMessage,
+};
+export const graphTokenStatusTool = {
+    definition: graphTokenStatusToolDefinition,
+    schema: z.object({}),
+    handler: handleGraphTokenStatus,
+};
+/** All Graph API spike tools. */
+export const graphTools = [
+    graphSendMessageTool,
+    graphTokenStatusTool,
+];

package/dist/tools/message-tools.js

@@ -76,13 +76,13 @@ export const GetMessageInputSchema = z.object({
 // ─────────────────────────────────────────────────────────────────────────────
 const sendMessageToolDefinition = {
     name: 'teams_send_message',
-    description: 'Send a message to a Teams conversation. Use markdown for formatting (not HTML): **bold**, *italic*, ~~strikethrough~~, `code`, ```code blocks```, lists, and newlines. Supports @mentions: people with @[Name](mri) (MRI from teams_search_people) and channel tags with @[TagName](tag:tagId) (IDs from teams_get_tags). Defaults to self-notes (48:notes). For channel thread replies, provide replyToMessageId.',
+    description: 'Send a message to a Teams conversation. Use markdown for formatting (not HTML): **bold**, *italic*, ~~strikethrough~~, `code`, ```code blocks```, lists, and newlines. Supports @mentions using @[Name](mri) syntax inline. Example: "Hey @[John Smith](8:orgid:abc...), check this". Get MRI from teams_search_people. Defaults to self-notes (48:notes). For channel thread replies, provide replyToMessageId.',
     inputSchema: {
         type: 'object',
         properties: {
             content: {
                 type: 'string',
-                description: 'The message content in markdown (not HTML). Supports: **bold**, *italic*, ~~strikethrough~~, `inline code`, ```code blocks```, bullet lists (- item), numbered lists (1. item), and newlines. Do NOT send raw HTML tags. For people @mentions use @[DisplayName](mri) (MRI from teams_search_people). For channel tag @mentions use @[DisplayName](tag:tagId) (tag IDs from teams_get_tags). Markdown links [text](url) are supported.',
+                description: 'The message content in markdown (not HTML). Supports: **bold**, *italic*, ~~strikethrough~~, `inline code`, ```code blocks```, bullet lists (- item), numbered lists (1. item), and newlines. Do NOT send raw HTML tags. For @mentions, use @[DisplayName](mri) syntax. Example: "Hey @[John Smith](8:orgid:abc...), can you review this?"',
             },
             conversationId: {
                 type: 'string',
@@ -212,7 +212,7 @@ const createGroupChatToolDefinition = {
 };
 const editMessageToolDefinition = {
     name: 'teams_edit_message',
-    description: 'Edit one of your own messages (same markdown and @mention rules as teams_send_message: people @[Name](mri), channel tags @[TagName](tag:tagId) from teams_get_tags). You can only edit messages you sent.',
+    description: 'Edit one of your own messages. You can only edit messages you sent. The API will reject attempts to edit other users\' messages.',
     inputSchema: {
         type: 'object',
         properties: {
@@ -226,7 +226,7 @@ const editMessageToolDefinition = {
             },
             content: {
                 type: 'string',
-                description: 'New content in markdown (not raw HTML): **bold**, *italic*, lists, code, @[Person](mri), @[Tag](tag:id), [text](url) — same as teams_send_message.',
+                description: 'The new content for the message. Can include basic HTML formatting.',
             },
         },
         required: ['conversationId', 'messageId', 'content'],
@@ -252,13 +252,13 @@ const deleteMessageToolDefinition = {
 };
 const getUnreadToolDefinition = {
     name: 'teams_get_unread',
-    description: 'Get unread status. Without conversationId: one bulk API call over your recent conversations (up to 200), returns separate lists of unread chats and channels (conversationId, displayName, lastMessageFrom) plus counts. With conversationId: unread count for that chat/channel using read horizon vs recent messages.',
+    description: 'Get unread message status. Without parameters, returns aggregate unread counts across all favourite/pinned conversations. With a conversationId, returns unread status for that specific conversation.',
     inputSchema: {
         type: 'object',
         properties: {
             conversationId: {
                 type: 'string',
-                description: 'Optional. If set, returns unreadCount (and related fields) for this conversation only. If omitted, returns bulk unreadChats/unreadChannels across recent conversations.',
+                description: 'Optional. A specific conversation ID to check. If omitted, checks all favourites.',
             },
         },
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "msteams-mcp",
-  "version": "0.23.0",
+  "version": "0.23.1",
   "description": "MCP server for Microsoft Teams - search messages, send replies, manage favourites",
   "type": "module",
   "main": "dist/index.js",