If you discover a security vulnerability, please email security@midtowntg.com.

Do NOT open a public issue for security bugs.

This tool uses Microsoft Authentication Library (MSAL) with these modes:

• Windows Authentication Manager (WAM) - Recommended, uses Windows credentials
• Device Code Flow - For remote/SSH scenarios
• Azure CLI - If already authenticated via az login

Create config.json in the application directory:

{
  "tenant_id": "your-tenant-id",
  "client_id": "your-client-id",
  "vault_path": "/path/to/knowledge/graph"
}

Getting credentials:

1. Register app at Azure Portal → Azure Active Directory → App registrations
2. Enable Microsoft Graph permissions: Mail.Read, Calendars.Read, Chat.Read
3. Copy Application (client) ID and Directory (tenant) ID

• Tenant ID / Client ID: Stored in config.json (not secrets, but organization identifiers)
• Access Tokens: DPAPI-encrypted on Windows, stored in ~/.config/work-context-sync/token_cache.bin
• Refresh Tokens: Encrypted, rotated automatically by MSAL

1. File Permissions: Set config.json to user-only access (0600 on Linux/macOS)
2. Token Cache: Never share token_cache.bin between users
3. Least Privilege: Use application with minimal required Graph permissions
4. Rotate: Periodically revoke and re-authenticate tokens

• Email: Metadata only (subject, to, from, sent date) unless include_body: true
• Calendar: Meeting titles, times, attendees
• Teams Chat: Message previews only (not full content by default)
• Tasks: Microsoft To Do tasks and flagged emails

All data is stored locally in your knowledge graph:

• Markdown files in pages/work-context___*.md
• JSON sidecars (optional, for raw API responses)
• No data sent to third parties except Microsoft Graph API

• Synced data: Controlled by your knowledge graph retention
• Token cache: Valid until refresh token expires (typically 90 days)
• Logs: No persistent logging of sensitive data

• All API calls use HTTPS/TLS 1.2+
• Certificate validation enabled (no insecure mode)
• Token refresh happens securely via Microsoft identity platform

Sensitive data is masked in logs:

• Email addresses: th***@example.com
• Access tokens: [REDACTED]
• Client secrets: Never logged

Key security-related dependencies:

• msal - Microsoft Authentication Library (Microsoft maintained)
• pydantic - Input validation and serialization
• cryptography - Token encryption

Run pip check and keep dependencies updated.

This tool requires minimal Graph API permissions:

No write permissions required.

When developing/contribution:

1. Never commit config.json (it's gitignored)
2. Use config.example.json as template
3. Run bandit -r src/ before submitting
4. Test with mock data, not production credentials

• GDPR: Data remains in your tenant; local processing only
• SOX: No financial data access
• HIPAA: No PHI access by default

For enterprise deployments, review with your security team.