nothumanallowed 4.1.0 → 5.0.0

package/src/services/microsoft-mail.mjs

@@ -0,0 +1,308 @@
+/**
+ * Outlook Mail API wrapper via Microsoft Graph — zero dependencies.
+ * All calls via native fetch to Microsoft Graph REST API.
+ * Auto-refreshes tokens on 401.
+ *
+ * Output format matches google-gmail.mjs parsed shape for unified consumption.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { getMicrosoftAccessToken } from './microsoft-oauth.mjs';
+import { NHA_DIR } from '../constants.mjs';
+
+const GRAPH_BASE = 'https://graph.microsoft.com/v1.0/me';
+const MAIL_DIR = path.join(NHA_DIR, 'ops', 'mail');
+const INBOX_DIR = path.join(MAIL_DIR, 'inbox');
+
+/** Authenticated fetch with auto-retry on 401 */
+async function graphFetch(config, urlPath, options = {}) {
+  const token = await getMicrosoftAccessToken(config);
+  const url = urlPath.startsWith('http') ? urlPath : `${GRAPH_BASE}${urlPath}`;
+
+  let res = await fetch(url, {
+    ...options,
+    headers: {
+      ...options.headers,
+      'Authorization': `Bearer ${token}`,
+    },
+  });
+
+  // Retry once on 401 (token may have expired between check and request)
+  if (res.status === 401) {
+    const newToken = await getMicrosoftAccessToken(config);
+    res = await fetch(url, {
+      ...options,
+      headers: {
+        ...options.headers,
+        'Authorization': `Bearer ${newToken}`,
+      },
+    });
+  }
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Microsoft Graph API ${res.status}: ${err}`);
+  }
+
+  return res.json();
+}
+
+/**
+ * List messages matching a query.
+ * @param {object} config
+ * @param {string} query — Microsoft Graph $search or $filter compatible string.
+ *   Supports natural language search (e.g., "from:boss@company.com subject:report").
+ * @param {number} maxResults — max messages (default 20)
+ * @returns {Promise<Array<object>>} parsed messages
+ */
+export async function listMessages(config, query = '', maxResults = 20) {
+  const params = new URLSearchParams({
+    '$top': String(maxResults),
+    '$orderby': 'receivedDateTime desc',
+    '$select': 'id,conversationId,from,toRecipients,ccRecipients,subject,receivedDateTime,bodyPreview,body,isRead,importance,flag,webLink,hasAttachments',
+  });
+
+  // Microsoft Graph $search uses KQL (Keyword Query Language)
+  if (query) {
+    params.set('$search', `"${query}"`);
+  }
+
+  const data = await graphFetch(config, `/messages?${params}`);
+  return (data.value || []).map(parseMessage);
+}
+
+/**
+ * Get a full message by ID.
+ * @param {object} config
+ * @param {string} messageId
+ * @returns {Promise<object>} parsed message
+ */
+export async function getMessage(config, messageId) {
+  const data = await graphFetch(config, `/messages/${messageId}`);
+  return parseMessage(data);
+}
+
+/**
+ * Get unread important emails (for daily planner).
+ * @param {object} config
+ * @param {number} maxResults
+ * @returns {Promise<Array>} parsed messages
+ */
+export async function getUnreadImportant(config, maxResults = 30) {
+  const params = new URLSearchParams({
+    '$top': String(maxResults),
+    '$orderby': 'receivedDateTime desc',
+    '$filter': 'isRead eq false',
+    '$select': 'id,conversationId,from,toRecipients,ccRecipients,subject,receivedDateTime,bodyPreview,body,isRead,importance,flag,webLink,hasAttachments',
+  });
+
+  const data = await graphFetch(config, `/messages?${params}`);
+  const messages = (data.value || []).map(parseMessage);
+
+  // Cache messages locally
+  cacheMessages(messages);
+  return messages;
+}
+
+/**
+ * Get emails from today (read + unread).
+ */
+export async function getTodayEmails(config, maxResults = 50) {
+  const today = new Date();
+  today.setHours(0, 0, 0, 0);
+  const todayISO = today.toISOString();
+
+  const params = new URLSearchParams({
+    '$top': String(maxResults),
+    '$orderby': 'receivedDateTime desc',
+    '$filter': `receivedDateTime ge ${todayISO}`,
+    '$select': 'id,conversationId,from,toRecipients,ccRecipients,subject,receivedDateTime,bodyPreview,body,isRead,importance,flag,webLink,hasAttachments',
+  });
+
+  const data = await graphFetch(config, `/messages?${params}`);
+  const messages = (data.value || []).map(parseMessage);
+
+  cacheMessages(messages);
+  return messages;
+}
+
+/**
+ * Send an email via Microsoft Graph.
+ * @param {object} config
+ * @param {string} to — recipient email
+ * @param {string} subject
+ * @param {string} body — plain text body
+ * @param {object} opts — { cc, bcc, replyToMessageId, threadId }
+ */
+export async function sendEmail(config, to, subject, body, opts = {}) {
+  if (opts.replyToMessageId) {
+    // Reply to existing message
+    const replyBody = {
+      message: {
+        toRecipients: [{ emailAddress: { address: to } }],
+      },
+      comment: body,
+    };
+    return graphFetch(config, `/messages/${opts.replyToMessageId}/reply`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(replyBody),
+    });
+  }
+
+  const message = {
+    message: {
+      subject,
+      body: {
+        contentType: 'Text',
+        content: body,
+      },
+      toRecipients: to.split(',').map(addr => ({
+        emailAddress: { address: addr.trim() },
+      })),
+    },
+    saveToSentItems: true,
+  };
+
+  if (opts.cc) {
+    message.message.ccRecipients = opts.cc.split(',').map(addr => ({
+      emailAddress: { address: addr.trim() },
+    }));
+  }
+
+  if (opts.bcc) {
+    message.message.bccRecipients = opts.bcc.split(',').map(addr => ({
+      emailAddress: { address: addr.trim() },
+    }));
+  }
+
+  return graphFetch(config, '/sendMail', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(message),
+  });
+}
+
+/**
+ * Create a draft email.
+ */
+export async function createDraft(config, to, subject, body) {
+  const draft = {
+    subject,
+    body: {
+      contentType: 'Text',
+      content: body,
+    },
+    toRecipients: to.split(',').map(addr => ({
+      emailAddress: { address: addr.trim() },
+    })),
+  };
+
+  return graphFetch(config, '/messages', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(draft),
+  });
+}
+
+/**
+ * Get user's email profile.
+ */
+export async function getProfile(config) {
+  const data = await graphFetch(config, '');
+  return {
+    emailAddress: data.mail || data.userPrincipalName || '',
+    displayName: data.displayName || '',
+    id: data.id || '',
+  };
+}
+
+// ── Message Parser ─────────────────────────────────────────────────────────
+
+/**
+ * Parse Microsoft Graph message to unified format matching Gmail parser output.
+ */
+function parseMessage(raw) {
+  const from = raw.from?.emailAddress
+    ? `${raw.from.emailAddress.name || ''} <${raw.from.emailAddress.address}>`
+    : '';
+
+  const to = (raw.toRecipients || [])
+    .map(r => `${r.emailAddress?.name || ''} <${r.emailAddress?.address}>`)
+    .join(', ');
+
+  // Extract plain text body (Graph returns HTML by default)
+  let body = '';
+  if (raw.body?.content) {
+    if (raw.body.contentType === 'text') {
+      body = raw.body.content;
+    } else {
+      // Strip HTML tags for plain text representation
+      body = raw.body.content
+        .replace(/<style[^>]*>[\s\S]*?<\/style>/gi, '')
+        .replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '')
+        .replace(/<[^>]+>/g, ' ')
+        .replace(/&nbsp;/g, ' ')
+        .replace(/&amp;/g, '&')
+        .replace(/&lt;/g, '<')
+        .replace(/&gt;/g, '>')
+        .replace(/&quot;/g, '"')
+        .replace(/&#39;/g, "'")
+        .replace(/\s+/g, ' ')
+        .trim();
+    }
+  }
+
+  // Extract URLs from body
+  const urls = (body.match(/https?:\/\/[^\s<>"']+/g) || []).slice(0, 10);
+
+  // Map Microsoft importance to labels
+  const labels = [];
+  if (!raw.isRead) labels.push('UNREAD');
+  if (raw.importance === 'high') labels.push('IMPORTANT');
+  if (raw.flag?.flagStatus === 'flagged') labels.push('FLAGGED');
+
+  return {
+    id: raw.id,
+    threadId: raw.conversationId || raw.id,
+    from,
+    to,
+    subject: raw.subject || '(no subject)',
+    date: raw.receivedDateTime || '',
+    snippet: (raw.bodyPreview || '').slice(0, 200),
+    body: body.slice(0, 5000), // cap for LLM context
+    urls,
+    labels,
+    isUnread: !raw.isRead,
+    isImportant: raw.importance === 'high',
+    sizeEstimate: 0, // Graph API doesn't expose this directly
+    provider: 'microsoft',
+  };
+}
+
+// ── Local Cache ────────────────────────────────────────────────────────────
+
+function cacheMessages(messages) {
+  fs.mkdirSync(INBOX_DIR, { recursive: true });
+  for (const msg of messages) {
+    const safeId = msg.id.replace(/[^a-zA-Z0-9_-]/g, '_').slice(0, 120);
+    const file = path.join(INBOX_DIR, `ms_${safeId}.json`);
+    fs.writeFileSync(file, JSON.stringify(msg, null, 2), { mode: 0o600 });
+  }
+}
+
+/**
+ * Load cached messages from disk.
+ * @returns {Array} cached messages
+ */
+export function loadCachedMessages() {
+  if (!fs.existsSync(INBOX_DIR)) return [];
+  return fs.readdirSync(INBOX_DIR)
+    .filter(f => f.startsWith('ms_') && f.endsWith('.json'))
+    .map(f => {
+      try { return JSON.parse(fs.readFileSync(path.join(INBOX_DIR, f), 'utf-8')); }
+      catch { return null; }
+    })
+    .filter(Boolean);
+}

package/src/services/microsoft-oauth.mjs

@@ -0,0 +1,345 @@
+/**
+ * Microsoft OAuth 2.0 with PKCE — browser-based consent flow.
+ * Uses Microsoft identity platform (login.microsoftonline.com).
+ * Runs ephemeral local HTTP server for callback.
+ * Zero dependencies — uses Node.js native http + crypto.
+ */
+
+import http from 'http';
+import crypto from 'crypto';
+import { execSync } from 'child_process';
+import os from 'os';
+import { saveTokens, loadTokens, deleteTokens } from './token-store.mjs';
+import { info, ok, fail, warn } from '../ui.mjs';
+
+const SCOPES = [
+  'openid',
+  'offline_access',
+  'User.Read',
+  'Mail.Read',
+  'Mail.Send',
+  'Calendars.ReadWrite',
+  'Tasks.ReadWrite',
+].join(' ');
+
+const CALLBACK_PORTS = [19852, 19853, 19854, 19855, 19856];
+
+const PROVIDER = 'microsoft';
+
+/**
+ * Generate PKCE code_verifier and code_challenge.
+ */
+function generatePKCE() {
+  const verifier = crypto.randomBytes(32).toString('base64url');
+  const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
+  return { verifier, challenge };
+}
+
+/**
+ * Open URL in user's default browser.
+ */
+function openBrowser(url) {
+  const platform = os.platform();
+  try {
+    if (platform === 'darwin') execSync(`open "${url}"`);
+    else if (platform === 'win32') execSync(`start "" "${url}"`);
+    else execSync(`xdg-open "${url}"`);
+  } catch {
+    warn('Could not open browser automatically.');
+    info(`Open this URL manually:\n\n  ${url}\n`);
+  }
+}
+
+/**
+ * Start ephemeral HTTP server and wait for OAuth callback.
+ * @returns {Promise<{code: string, port: number}>}
+ */
+function waitForCallback(state, port) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url, `http://127.0.0.1:${port}`);
+      if (url.pathname !== '/callback') {
+        res.writeHead(404);
+        res.end('Not found');
+        return;
+      }
+
+      const code = url.searchParams.get('code');
+      const returnedState = url.searchParams.get('state');
+      const error = url.searchParams.get('error');
+      const errorDesc = url.searchParams.get('error_description');
+
+      if (error) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(`<html><body><h2>Authorization failed</h2><p>${error}: ${errorDesc || ''}</p><p>You can close this tab.</p></body></html>`);
+        server.close();
+        reject(new Error(`OAuth error: ${error} — ${errorDesc || ''}`));
+        return;
+      }
+
+      if (!code || returnedState !== state) {
+        res.writeHead(400, { 'Content-Type': 'text/html' });
+        res.end('<html><body><h2>Invalid callback</h2><p>Missing code or state mismatch.</p></body></html>');
+        server.close();
+        reject(new Error('Invalid OAuth callback'));
+        return;
+      }
+
+      res.writeHead(200, { 'Content-Type': 'text/html' });
+      res.end(`
+        <html>
+        <head><style>body{font-family:monospace;background:#0a0a0a;color:#00ff41;display:flex;align-items:center;justify-content:center;height:100vh;margin:0}
+        .box{text-align:center;border:1px solid #00ff41;padding:40px;border-radius:8px}</style></head>
+        <body><div class="box">
+          <h2>NHA Connected</h2>
+          <p>Microsoft account linked successfully.</p>
+          <p style="color:#666">You can close this tab and return to the terminal.</p>
+        </div></body></html>
+      `);
+
+      server.close();
+      resolve({ code, port });
+    });
+
+    server.listen(port, '127.0.0.1');
+    server.on('error', () => reject(new Error(`Port ${port} in use`)));
+
+    // 5 minute timeout
+    setTimeout(() => {
+      server.close();
+      reject(new Error('OAuth timeout — no callback received within 5 minutes'));
+    }, 300_000);
+  });
+}
+
+/**
+ * Exchange authorization code for tokens via Microsoft identity platform.
+ */
+async function exchangeCode(code, codeVerifier, clientId, clientSecret, redirectUri, tenantId) {
+  const params = new URLSearchParams({
+    client_id: clientId,
+    scope: SCOPES,
+    code,
+    redirect_uri: redirectUri,
+    grant_type: 'authorization_code',
+    code_verifier: codeVerifier,
+  });
+
+  if (clientSecret) {
+    params.set('client_secret', clientSecret);
+  }
+
+  const res = await fetch(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: params.toString(),
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Token exchange failed: ${err}`);
+  }
+
+  return res.json();
+}
+
+/**
+ * Refresh access token using refresh_token.
+ */
+export async function refreshMicrosoftToken(clientId, clientSecret, refreshToken, tenantId) {
+  const params = new URLSearchParams({
+    client_id: clientId,
+    scope: SCOPES,
+    refresh_token: refreshToken,
+    grant_type: 'refresh_token',
+  });
+
+  if (clientSecret) {
+    params.set('client_secret', clientSecret);
+  }
+
+  const res = await fetch(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: params.toString(),
+  });
+
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Microsoft token refresh failed: ${err}`);
+  }
+
+  const data = await res.json();
+  return {
+    access_token: data.access_token,
+    refresh_token: data.refresh_token || refreshToken,
+    expires_at: Date.now() + (data.expires_in * 1000),
+    scope: data.scope,
+  };
+}
+
+/**
+ * Fetch authenticated user's profile from Microsoft Graph.
+ */
+async function getUserProfile(accessToken) {
+  const res = await fetch('https://graph.microsoft.com/v1.0/me', {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  });
+  if (!res.ok) return null;
+  return res.json();
+}
+
+/**
+ * Get a valid Microsoft access token — refreshes automatically if expired.
+ * @param {object} config — NHA config with microsoft.clientId etc.
+ * @returns {Promise<string>} access_token
+ */
+export async function getMicrosoftAccessToken(config) {
+  let tokens = loadTokens(PROVIDER);
+  if (!tokens) throw new Error('Not authenticated with Microsoft. Run: nha microsoft auth');
+
+  const expired = Date.now() >= (tokens.expires_at || 0) - 300_000;
+  if (expired) {
+    const clientId = config.microsoft?.clientId;
+    const clientSecret = config.microsoft?.clientSecret || '';
+    const tenantId = config.microsoft?.tenantId || 'common';
+    if (!clientId) throw new Error('Microsoft client ID not configured');
+
+    const refreshed = await refreshMicrosoftToken(clientId, clientSecret, tokens.refresh_token, tenantId);
+    tokens = {
+      ...tokens,
+      access_token: refreshed.access_token,
+      refresh_token: refreshed.refresh_token,
+      expires_at: refreshed.expires_at,
+      scope: refreshed.scope,
+    };
+    saveTokens(tokens, PROVIDER);
+  }
+
+  return tokens.access_token;
+}
+
+/**
+ * Run the full Microsoft OAuth consent flow.
+ * @param {object} config — NHA config
+ */
+export async function runMicrosoftAuthFlow(config) {
+  const clientId = config.microsoft?.clientId;
+  const clientSecret = config.microsoft?.clientSecret || '';
+  const tenantId = config.microsoft?.tenantId || 'common';
+
+  if (!clientId) {
+    fail('Microsoft OAuth client ID not configured.');
+    info('Get credentials from Azure Portal:');
+    info('  1. Go to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps');
+    info('  2. Register an application (Personal accounts or Org + Personal)');
+    info('  3. Add a "Mobile and desktop" platform with redirect URI');
+    info('     http://127.0.0.1:19852/callback');
+    info('  4. Under API permissions, add: Mail.Read, Mail.Send, Calendars.ReadWrite, Tasks.ReadWrite, User.Read');
+    info('  5. Run:');
+    info('     nha config set microsoft-client-id YOUR_CLIENT_ID');
+    info('     nha config set microsoft-client-secret YOUR_CLIENT_SECRET  (optional for public clients)');
+    info('     nha config set microsoft-tenant common  (or your tenant ID)');
+    info('  6. Run: nha microsoft auth');
+    return false;
+  }
+
+  // Find available port
+  let port = 0;
+  for (const p of CALLBACK_PORTS) {
+    try {
+      const srv = http.createServer();
+      await new Promise((resolve, reject) => {
+        srv.listen(p, '127.0.0.1', () => { srv.close(); resolve(true); });
+        srv.on('error', () => reject());
+      });
+      port = p;
+      break;
+    } catch { continue; }
+  }
+  if (!port) {
+    fail('No available port for OAuth callback (tried 19852-19856)');
+    return false;
+  }
+
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const { verifier, challenge } = generatePKCE();
+  const state = crypto.randomBytes(32).toString('hex');
+
+  const authUrl = new URL(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`);
+  authUrl.searchParams.set('client_id', clientId);
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('redirect_uri', redirectUri);
+  authUrl.searchParams.set('response_mode', 'query');
+  authUrl.searchParams.set('scope', SCOPES);
+  authUrl.searchParams.set('state', state);
+  authUrl.searchParams.set('code_challenge', challenge);
+  authUrl.searchParams.set('code_challenge_method', 'S256');
+  authUrl.searchParams.set('prompt', 'consent');
+
+  info('Opening browser for Microsoft authorization...');
+  openBrowser(authUrl.toString());
+  info('Waiting for authorization (5 min timeout)...\n');
+
+  try {
+    const { code } = await waitForCallback(state, port);
+    info('Authorization code received. Exchanging for tokens...');
+
+    const tokenData = await exchangeCode(code, verifier, clientId, clientSecret, redirectUri, tenantId);
+    const profile = await getUserProfile(tokenData.access_token);
+
+    const tokens = {
+      access_token: tokenData.access_token,
+      refresh_token: tokenData.refresh_token,
+      expires_at: Date.now() + (tokenData.expires_in * 1000),
+      scope: tokenData.scope,
+      email: profile?.mail || profile?.userPrincipalName || 'unknown',
+      displayName: profile?.displayName || '',
+    };
+
+    saveTokens(tokens, PROVIDER);
+    ok(`Microsoft account connected: ${tokens.email}`);
+    ok('Outlook Mail + Calendar + Tasks access granted.');
+    info('Run "nha plan" to generate your first daily plan.');
+    return true;
+  } catch (err) {
+    fail(err.message);
+    return false;
+  }
+}
+
+/**
+ * Show Microsoft connection status.
+ */
+export function showMicrosoftStatus() {
+  const tokens = loadTokens(PROVIDER);
+  if (!tokens) {
+    info('Not connected to Microsoft. Run: nha microsoft auth');
+    return;
+  }
+
+  const expired = Date.now() >= tokens.expires_at;
+  console.log(`\n  Microsoft Account:  ${tokens.email || 'unknown'}`);
+  if (tokens.displayName) console.log(`  Display Name:       ${tokens.displayName}`);
+  console.log(`  Token Status:       ${expired ? '\x1b[0;31mexpired\x1b[0m' : '\x1b[0;32mactive\x1b[0m'}`);
+  console.log(`  Expires:            ${new Date(tokens.expires_at).toLocaleString()}`);
+  console.log(`  Scopes:             ${tokens.scope || 'unknown'}\n`);
+}
+
+/**
+ * Revoke tokens and delete local storage.
+ */
+export async function revokeMicrosoftAuth() {
+  const tokens = loadTokens(PROVIDER);
+  if (!tokens) {
+    info('No Microsoft tokens found.');
+    return;
+  }
+
+  // Microsoft doesn't have a simple revoke endpoint like Google.
+  // Best effort: sign out via logout URL (this invalidates the session in browser).
+  // The refresh token will expire naturally. Local deletion is the primary action.
+  deleteTokens(PROVIDER);
+  ok('Microsoft account disconnected. Local tokens deleted.');
+  info('To fully revoke access, visit: https://account.live.com/consent/Manage');
+}