`b688449`

Add Microsoft provider setup flow

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 2 weeks ago

SHA: b6884493ef21817d9af4653572c8779281b0deee
Parents: 38753e4
Tree: cbb2db3

4 changed files

Status	File	+	-
M	`README.md`	25	35
M	`src/cli.rs`	351	11
M	`src/config.rs`	232	12
M	`src/providers.rs`	12	0

README.mdmodified

  rcal config init [--path PATH] [--force]
  rcal providers microsoft auth login --account ID [--browser]
  rcal providers microsoft auth logout --account ID
 +rcal providers microsoft auth inspect --account ID
  rcal providers microsoft calendars list --account ID
 +rcal providers microsoft setup --account ID [--browser] [--calendar ID]
  rcal providers microsoft sync [--account ID]
  rcal providers microsoft status
  rcal reminders run [--events-file PATH] [--state-file PATH] [--once]
  the local Microsoft cache instantly, and you refresh remote data explicitly:
  ```sh
 -rcal providers microsoft auth login --account work
 -rcal providers microsoft calendars list --account work
 -rcal providers microsoft sync --account work
 +rcal providers microsoft setup --account work --browser
 +rcal
  ```
 -For the current development release, users provide their own Microsoft Entra
 -app registration `client_id` in `config.toml`. A future production release can
 -ship an rcal-owned public/native client ID so end users do not need to create an
 -Azure app. No client secret is used or stored; rcal stores user tokens in the OS
 -keychain.
 +The setup command uses rcal's official public/native Microsoft client ID, opens
 +the Microsoft login flow, selects your default editable calendar, writes
 +`~/.config/rcal/config.toml`, performs the first sync, and sets new event
 +creation to Microsoft by default. No client secret is used or stored; rcal
 +stores user tokens in the OS keychain.
 -### Microsoft Account Setup
+-
 -Create a config file:
 +Use `--calendar CALENDAR_ID` if you already know which editable calendar to use.
 +You can list calendars later with:
  ```sh
 -rcal config init
 +rcal providers microsoft calendars list --account work
  ```
 -Register a temporary local test app in the Microsoft Entra admin center:
 +### Microsoft Account Setup
++
 +The normal setup flow is:
 -- Name: `rcal local test` or similar.
 -- Supported account type:
 -  - Personal Outlook/Hotmail/Live accounts: **Personal Microsoft accounts
 -    only**.
 -  - Work or school Microsoft 365 accounts: **Accounts in any organizational
 -    directory**.
 -- Redirect URI: platform **Mobile and desktop applications**, value
 -  `http://localhost:8765/callback`.
 -- API permissions: Microsoft Graph delegated `User.Read` and
 -  `Calendars.ReadWrite`.
 -- If Azure refuses the account type change with
 -  `api.requestedAccessTokenVersion`, set the app manifest's
 -  `requestedAccessTokenVersion` or `accessTokenAcceptedVersion` to `2`.
 +```sh
 +rcal providers microsoft setup --account work --browser
 +rcal providers microsoft status
 +rcal
 +```
 -Then edit `~/.config/rcal/config.toml`:
 +For advanced testing, you may still override the Microsoft app registration in
 +`config.toml`. Omit `client_id` and `tenant` to use rcal's official public app:
  ```toml
  [providers]
  [[providers.microsoft.accounts]]
  id = "work"
 -client_id = "AZURE_APP_CLIENT_ID"
 -tenant = "consumers"      # personal accounts
 -# tenant = "organizations" # work/school accounts
 +# client_id = "AZURE_APP_CLIENT_ID"
 +# tenant = "common"
  redirect_port = 8765
  calendars = ["CALENDAR_ID"]
  ```
 -Authenticate, list calendars, then copy the editable calendar ID into both
 -`default_calendar` and `calendars`:
 +Manual sync remains available:
  ```sh
 -rcal providers microsoft auth login --account work --browser
 -rcal providers microsoft calendars list --account work
  rcal providers microsoft sync --account work
 -rcal
  ```
  Use `rcal providers microsoft auth inspect --account work` to inspect safe

src/cli.rsmodified

      },
      calendar::CalendarDate,
      config::{
 -        ConfigError, ConfigHolidaySource, UserConfig, init_config_file, load_discovered_config,
 -        load_explicit_config,
 +        ConfigError, ConfigHolidaySource, MicrosoftSetupConfig, UserConfig, default_config_file,
 +        init_config_file, load_discovered_config, load_explicit_config,
 +        write_microsoft_setup_config,
      },
      providers::{
 -        KeyringMicrosoftTokenStore, MicrosoftProviderConfig, MicrosoftProviderRuntime,
 -        ProviderConfig, ProviderError, ReqwestMicrosoftHttpClient, inspect_token, list_calendars,
 -        login_device_code_or_browser, logout,
 +        KeyringMicrosoftTokenStore, MicrosoftAccountConfig, MicrosoftCalendarInfo,
 +        MicrosoftProviderConfig, MicrosoftProviderRuntime, ProviderConfig, ProviderError,
 +        ReqwestMicrosoftHttpClient, inspect_token, list_calendars, login_device_code_or_browser,
 +        logout,
      },
      reminders::{
          ReminderDaemonConfig, ReminderError, SystemNotifier, default_state_file,
      "  rcal providers microsoft auth logout --account ID\n",
      "  rcal providers microsoft auth inspect --account ID\n",
      "  rcal providers microsoft calendars list --account ID\n",
 +    "  rcal providers microsoft setup --account ID [--browser] [--calendar ID]\n",
      "  rcal providers microsoft sync [--account ID]\n",
      "  rcal providers microsoft status\n\n",
      "  rcal reminders run [--events-file PATH] [--state-file PATH] [--once]\n",
  #[derive(Debug, Clone, PartialEq, Eq)]
  pub enum MicrosoftCliAction {
 +    Setup {
 +        account: String,
 +        browser: bool,
 +        calendar: Option<String>,
 +        config_path: PathBuf,
 +        config: MicrosoftProviderConfig,
 +    },
      AuthLogin {
          account: String,
          browser: bool,
      UnknownProviderCommand(String),
      MissingProviderAccount,
      DuplicateProviderAccount,
 +    MissingProviderCalendar,
 +    DuplicateProviderCalendar,
      MissingReminderCommand,
      UnknownReminderCommand(String),
      DuplicateStateFile,
+             }
              Self::MissingProviderAccount => write!(f, "--account requires a Microsoft account id"),
              Self::DuplicateProviderAccount => write!(f, "--account may only be provided once"),
 +            Self::MissingProviderCalendar => {
 +                write!(f, "--calendar requires a Microsoft calendar id")
 +            }
 +            Self::DuplicateProviderCalendar => write!(f, "--calendar may only be provided once"),
              Self::MissingReminderCommand => write!(
                  f,
                  "reminders requires one of: run, install, uninstall, status, test"
          return parse_config_args(args.into_iter().skip(1), config_selection.path);
+     }
 +    let is_setup = is_microsoft_setup_command(&args);
      let config = match &config_selection {
          ConfigSelection {
              no_config: true, ..
          } => UserConfig::empty(),
 +        ConfigSelection {
 +            path: Some(path), ..
 +        } if is_setup => match load_explicit_config(path.clone()) {
 +            Ok(config) => config,
 +            Err(ConfigError::Missing { .. }) => UserConfig::empty(),
 +            Err(err) => return Err(err.into()),
 +        },
          ConfigSelection {
              path: Some(path), ..
          } => load_explicit_config(path.clone())?,
      parse_args_with_config(args, today, config, config_selection.path)
+ }
 +fn is_microsoft_setup_command(args: &[OsString]) -> bool {
 +    matches!(
 +        (args.first(), args.get(1), args.get(2)),
 +        (Some(first), Some(second), Some(third))
 +            if first == "providers" && second == "microsoft" && third == "setup"
 +    )
 +}
++
  fn parse_args_with_config<I>(
      args: I,
      today: Date,
      if let Some(first) = args.first()
          && first == "providers"
+     {
 -        return parse_provider_args(args.into_iter().skip(1), &user_config);
 +        let config_path = explicit_config_path
 +            .or_else(|| user_config.path.clone())
 +            .unwrap_or_else(default_config_file);
 +        return parse_provider_args(args.into_iter().skip(1), &user_config, config_path);
+     }
      parse_calendar_args(args, today, user_config)
      Ok(CliAction::Config(ConfigCliAction::Init { path, force }))
+ }
 -fn parse_provider_args<I>(args: I, user_config: &UserConfig) -> Result<CliAction, CliError>
 +fn parse_provider_args<I>(
 +    args: I,
 +    user_config: &UserConfig,
 +    config_path: PathBuf,
 +) -> Result<CliAction, CliError>
  where
      I: IntoIterator<Item = OsString>,
+ {
      };
      match command {
 -        "microsoft" => parse_microsoft_provider_args(args, &user_config.providers.microsoft),
 +        "microsoft" => {
 +            parse_microsoft_provider_args(args, &user_config.providers.microsoft, config_path)
 +        }
          "--help" | "-h" => Ok(CliAction::Help),
          _ => Err(CliError::UnknownProviderCommand(command.to_string())),
+     }
  fn parse_microsoft_provider_args<I>(
      args: I,
      config: &MicrosoftProviderConfig,
 +    config_path: PathBuf,
  ) -> Result<CliAction, CliError>
  where
      I: IntoIterator<Item = OsString>,
      match command {
          "auth" => parse_microsoft_auth_args(args, config),
          "calendars" => parse_microsoft_calendars_args(args, config),
 +        "setup" => parse_microsoft_setup_args(args, config, config_path),
          "sync" => parse_microsoft_sync_args(args, config),
          "status" => no_extra_provider_args(
              args,
+     }
+ }
 +fn parse_microsoft_setup_args<I>(
 +    args: I,
 +    config: &MicrosoftProviderConfig,
 +    config_path: PathBuf,
 +) -> Result<CliAction, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut browser = false;
 +    let mut account = None;
 +    let mut calendar = None;
 +    let mut args = args.into_iter();
 +    while let Some(arg) = args.next() {
 +        if arg == "--browser" {
 +            browser = true;
 +            continue;
 +        }
 +        if arg == "--calendar" {
 +            if calendar.is_some() {
 +                return Err(CliError::DuplicateProviderCalendar);
 +            }
 +            calendar = Some(display_arg(
 +                &args.next().ok_or(CliError::MissingProviderCalendar)?,
 +            ));
 +            continue;
 +        }
 +        if let Some(value) = arg
 +            .to_str()
 +            .and_then(|value| value.strip_prefix("--calendar="))
 +        {
 +            if calendar.is_some() {
 +                return Err(CliError::DuplicateProviderCalendar);
 +            }
 +            calendar = Some(value.to_string());
 +            continue;
 +        }
 +        parse_account_arg(arg, &mut args, &mut account)?;
 +    }
++
 +    Ok(CliAction::Providers(ProviderCliAction::Microsoft(
 +        MicrosoftCliAction::Setup {
 +            account: account.ok_or(CliError::MissingProviderAccount)?,
 +            browser,
 +            calendar,
 +            config_path,
 +            config: config.clone(),
 +        },
 +    )))
 +}
++
  fn parse_microsoft_calendars_args<I>(
      args: I,
      config: &MicrosoftProviderConfig,
      let http = ReqwestMicrosoftHttpClient;
      let token_store = KeyringMicrosoftTokenStore;
      let result = match action {
 +        MicrosoftCliAction::Setup {
 +            account,
 +            browser,
 +            calendar,
 +            config_path,
 +            config,
 +        } => (|| {
 +            let account_config = MicrosoftAccountConfig::new_official(account.clone());
 +            login_device_code_or_browser(&account_config, &http, &token_store, stdout, browser)?;
 +            let calendars = list_calendars(&account_config, &http, &token_store)?;
 +            let calendar = choose_setup_calendar(&calendars, calendar.as_deref())?;
 +            let setup = MicrosoftSetupConfig {
 +                account_id: account.clone(),
 +                calendar_id: calendar.id.clone(),
 +                calendar_name: calendar.name.clone(),
 +                sync_past_days: config.sync_past_days,
 +                sync_future_days: config.sync_future_days,
 +                redirect_port: account_config.redirect_port,
 +            };
 +            let written = write_microsoft_setup_config(Some(config_path), &setup)
 +                .map_err(|err| ProviderError::Config(err.to_string()))?;
 +            let _ = writeln!(
 +                stdout,
 +                "selected Microsoft calendar '{}' ({})",
 +                calendar.name, calendar.id
 +            );
 +            let _ = writeln!(stdout, "wrote config {}", written.display());
 +            let setup_config = microsoft_setup_provider_config(config, account_config, calendar);
 +            let mut runtime = MicrosoftProviderRuntime::load(setup_config)?;
 +            let summary = runtime.sync(
 +                Some(&account),
 +                &http,
 +                &token_store,
 +                CalendarDate::from(default_start_date()),
 +            )?;
 +            let _ = writeln!(
 +                stdout,
 +                "synced accounts={} calendars={} events={}",
 +                summary.accounts, summary.calendars, summary.events
 +            );
 +            Ok(())
 +        })(),
          MicrosoftCliAction::AuthLogin {
              account,
              browser,
+     }
+ }
 +fn choose_setup_calendar<'a>(
 +    calendars: &'a [MicrosoftCalendarInfo],
 +    requested: Option<&str>,
 +) -> Result<&'a MicrosoftCalendarInfo, ProviderError> {
 +    if let Some(requested) = requested {
 +        let calendar = calendars
 +            .iter()
 +            .find(|calendar| calendar.id == requested)
 +            .ok_or_else(|| {
 +                ProviderError::Config(format!(
 +                    "Microsoft calendar '{requested}' was not found for this account"
 +                ))
 +            })?;
 +        if !calendar.can_edit {
 +            return Err(ProviderError::Config(format!(
 +                "Microsoft calendar '{}' is read-only; choose an editable calendar",
 +                calendar.name
 +            )));
 +        }
 +        return Ok(calendar);
 +    }
++
 +    calendars
 +        .iter()
 +        .find(|calendar| calendar.can_edit && calendar.is_default)
 +        .or_else(|| calendars.iter().find(|calendar| calendar.can_edit))
 +        .ok_or_else(|| {
 +            ProviderError::Config(
 +                "no editable Microsoft calendars were found for this account".to_string(),
 +            )
 +        })
 +}
++
 +fn microsoft_setup_provider_config(
 +    mut config: MicrosoftProviderConfig,
 +    mut account: MicrosoftAccountConfig,
 +    calendar: &MicrosoftCalendarInfo,
 +) -> MicrosoftProviderConfig {
 +    config.enabled = true;
 +    config.default_account = Some(account.id.clone());
 +    config.default_calendar = Some(calendar.id.clone());
 +    account.calendars = vec![calendar.id.clone()];
++
 +    if let Some(existing) = config
 +        .accounts
 +        .iter_mut()
 +        .find(|existing| existing.id == account.id)
 +    {
 +        *existing = account;
 +    } else {
 +        config.accounts.push(account);
 +    }
++
 +    config
 +}
++
  fn run_reminder_action(
      action: ReminderCliAction,
      stdout: &mut impl Write,
  #[cfg(test)]
  mod tests {
      use super::*;
 -    use std::{env, fs};
 +    use std::{
 +        env, fs,
 +        sync::atomic::{AtomicUsize, Ordering},
 +    };
      use crate::app::{KeyBindingOverrides, KeyCommand};
      use crate::calendar::CalendarMonth;
 -    use crate::providers::{MicrosoftAccountConfig, ProviderCreateTarget};
 +    use crate::providers::{MicrosoftAccountConfig, MicrosoftCalendarInfo, ProviderCreateTarget};
      use time::Month;
      fn date(year: i32, month: Month, day: u8) -> CalendarDate {
          OsString::from(value)
+     }
 +    static TEMP_COUNTER: AtomicUsize = AtomicUsize::new(0);
++
      fn temp_path(name: &str) -> PathBuf {
 +        let counter = TEMP_COUNTER.fetch_add(1, Ordering::Relaxed);
          env::temp_dir()
 -            .join(format!("rcal-cli-test-{}", std::process::id()))
 +            .join(format!("rcal-cli-test-{}-{counter}", std::process::id()))
              .join(name)
+     }
          );
+     }
 +    #[test]
 +    fn microsoft_setup_command_parses_with_calendar_and_config_path() {
 +        let today = date(2026, Month::April, 23);
 +        let user_config = config_with_microsoft_provider();
 +        let microsoft = user_config.providers.microsoft.clone();
 +        let config_path = PathBuf::from("/tmp/rcal/setup-config.toml");
++
 +        let action = parse_args_with_config(
 +            [
 +                arg("providers"),
 +                arg("microsoft"),
 +                arg("setup"),
 +                arg("--account"),
 +                arg("work"),
 +                arg("--browser"),
 +                arg("--calendar=cal-2"),
 +            ],
 +            today.into(),
 +            user_config,
 +            Some(config_path.clone()),
 +        )
 +        .expect("setup parses");
++
 +        assert_eq!(
 +            action,
 +            CliAction::Providers(ProviderCliAction::Microsoft(MicrosoftCliAction::Setup {
 +                account: "work".to_string(),
 +                browser: true,
 +                calendar: Some("cal-2".to_string()),
 +                config_path,
 +                config: microsoft,
 +            }))
 +        );
 +    }
++
 +    #[test]
 +    fn microsoft_setup_allows_missing_explicit_config_file() {
 +        let today = date(2026, Month::April, 23);
 +        let path = temp_path("missing-setup/config.toml");
 +        let root = path
 +            .parent()
 +            .expect("config dir")
 +            .parent()
 +            .expect("test root")
 +            .to_path_buf();
 +        let _ = fs::remove_dir_all(&root);
++
 +        let action = parse_runtime_args(
 +            [
 +                arg("--config"),
 +                path.as_os_str().to_os_string(),
 +                arg("providers"),
 +                arg("microsoft"),
 +                arg("setup"),
 +                arg("--account"),
 +                arg("work"),
 +            ],
 +            today.into(),
 +        )
 +        .expect("setup parses without a preexisting config");
++
 +        assert_eq!(
 +            action,
 +            CliAction::Providers(ProviderCliAction::Microsoft(MicrosoftCliAction::Setup {
 +                account: "work".to_string(),
 +                browser: false,
 +                calendar: None,
 +                config_path: path,
 +                config: MicrosoftProviderConfig::default(),
 +            }))
 +        );
 +    }
++
 +    #[test]
 +    fn microsoft_setup_calendar_selection_prefers_editable_default() {
 +        let calendars = vec![
 +            MicrosoftCalendarInfo {
 +                id: "readonly".to_string(),
 +                name: "Holidays".to_string(),
 +                can_edit: false,
 +                is_default: true,
 +            },
 +            MicrosoftCalendarInfo {
 +                id: "cal".to_string(),
 +                name: "Calendar".to_string(),
 +                can_edit: true,
 +                is_default: true,
 +            },
 +            MicrosoftCalendarInfo {
 +                id: "other".to_string(),
 +                name: "Other".to_string(),
 +                can_edit: true,
 +                is_default: false,
 +            },
 +        ];
++
 +        let calendar =
 +            choose_setup_calendar(&calendars, None).expect("default editable calendar selected");
++
 +        assert_eq!(calendar.id, "cal");
 +    }
++
 +    #[test]
 +    fn microsoft_setup_calendar_selection_uses_first_editable_fallback() {
 +        let calendars = vec![
 +            MicrosoftCalendarInfo {
 +                id: "readonly".to_string(),
 +                name: "Holidays".to_string(),
 +                can_edit: false,
 +                is_default: true,
 +            },
 +            MicrosoftCalendarInfo {
 +                id: "work".to_string(),
 +                name: "Work".to_string(),
 +                can_edit: true,
 +                is_default: false,
 +            },
 +        ];
++
 +        let calendar =
 +            choose_setup_calendar(&calendars, None).expect("first editable calendar selected");
++
 +        assert_eq!(calendar.id, "work");
 +    }
++
 +    #[test]
 +    fn microsoft_setup_calendar_selection_rejects_missing_or_readonly_requested_calendar() {
 +        let calendars = vec![MicrosoftCalendarInfo {
 +            id: "readonly".to_string(),
 +            name: "Holidays".to_string(),
 +            can_edit: false,
 +            is_default: false,
 +        }];
++
 +        let missing =
 +            choose_setup_calendar(&calendars, Some("missing")).expect_err("missing calendar fails");
 +        let readonly = choose_setup_calendar(&calendars, Some("readonly"))
 +            .expect_err("readonly calendar fails");
++
 +        assert!(missing.to_string().contains("was not found"));
 +        assert!(readonly.to_string().contains("read-only"));
 +    }
++
      #[test]
      fn microsoft_provider_args_reject_missing_and_duplicate_accounts() {
          let today = date(2026, Month::April, 23);

src/config.rsmodified

  use crate::{
      app::{KeyBindingError, KeyBindingOverrides, KeyBindings},
      providers::{
 -        MicrosoftAccountConfig, MicrosoftProviderConfig, ProviderConfig, ProviderCreateTarget,
 +        MICROSOFT_DEFAULT_TENANT, MICROSOFT_OFFICIAL_CLIENT_ID, MicrosoftAccountConfig,
 +        MicrosoftProviderConfig, ProviderConfig, ProviderCreateTarget,
      },
  };
  [providers.microsoft]
  # Microsoft Graph provider for Outlook / Microsoft 365 calendars.
 -# Current development builds require your own Microsoft Entra app client_id.
 -# Use tenant = "consumers" for personal Outlook/Hotmail accounts and
 -# tenant = "organizations" for work or school Microsoft 365 accounts.
 +# rcal ships an official public/native Microsoft client ID.
 +# Advanced users may override client_id and tenant inside an account block.
  enabled = false
  default_account = "work"
 -default_calendar = "CALENDAR_ID"
  sync_past_days = 30
  sync_future_days = 365
  # Provider cache is separate from the local events file.
  [[providers.microsoft.accounts]]
  id = "work"
 -client_id = "AZURE_APP_CLIENT_ID"
 -tenant = "organizations"
  redirect_port = 8765
 -calendars = ["CALENDAR_ID"]
 +calendars = []
  [keybindings]
  # Normal month/day app commands. Modal/form editing keys are fixed for now.
      Ok(path)
+ }
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftSetupConfig {
 +    pub account_id: String,
 +    pub calendar_id: String,
 +    pub calendar_name: String,
 +    pub sync_past_days: i32,
 +    pub sync_future_days: i32,
 +    pub redirect_port: u16,
 +}
++
 +pub fn write_microsoft_setup_config(
 +    path: Option<PathBuf>,
 +    setup: &MicrosoftSetupConfig,
 +) -> Result<PathBuf, ConfigError> {
 +    let path = match path {
 +        Some(path) => expand_user_path(path)?,
 +        None => default_config_file(),
 +    };
 +    let existing = if path.exists() {
 +        fs::read_to_string(&path).map_err(|err| ConfigError::Read {
 +            path: path.clone(),
 +            reason: err.to_string(),
 +        })?
 +    } else {
 +        String::new()
 +    };
 +    let body = microsoft_setup_config_body(&existing, setup);
 +    if let Some(parent) = path.parent() {
 +        fs::create_dir_all(parent).map_err(|err| ConfigError::Write {
 +            path: parent.to_path_buf(),
 +            reason: err.to_string(),
 +        })?;
 +    }
 +    fs::write(&path, body).map_err(|err| ConfigError::Write {
 +        path: path.clone(),
 +        reason: err.to_string(),
 +    })?;
 +    Ok(path)
 +}
++
 +fn microsoft_setup_config_body(existing: &str, setup: &MicrosoftSetupConfig) -> String {
 +    let mut kept = Vec::new();
 +    let mut skipping = false;
 +    for line in existing.lines() {
 +        if is_toml_table_header(line) {
 +            skipping = is_managed_provider_header(line);
 +        }
 +        if !skipping {
 +            kept.push(line);
 +        }
 +    }
 +    while kept.last().is_some_and(|line| line.trim().is_empty()) {
 +        kept.pop();
 +    }
++
 +    let mut body = kept.join("\n");
 +    if !body.is_empty() {
 +        body.push_str("\n\n");
 +    }
 +    body.push_str(&format!(
 +        concat!(
 +            "[providers]\n",
 +            "create_target = \"microsoft\"\n\n",
 +            "[providers.microsoft]\n",
 +            "enabled = true\n",
 +            "default_account = {account}\n",
 +            "default_calendar = {calendar}\n",
 +            "sync_past_days = {sync_past_days}\n",
 +            "sync_future_days = {sync_future_days}\n\n",
 +            "[[providers.microsoft.accounts]]\n",
 +            "id = {account}\n",
 +            "redirect_port = {redirect_port}\n",
 +            "calendars = [{calendar}]\n",
 +            "# Selected calendar: {calendar_name}\n"
 +        ),
 +        account = toml_string(&setup.account_id),
 +        calendar = toml_string(&setup.calendar_id),
 +        calendar_name = toml_comment_value(&setup.calendar_name),
 +        redirect_port = setup.redirect_port,
 +        sync_past_days = setup.sync_past_days.max(0),
 +        sync_future_days = setup.sync_future_days.max(1),
 +    ));
 +    body
 +}
++
 +fn is_toml_table_header(line: &str) -> bool {
 +    let trimmed = line.trim();
 +    trimmed.starts_with('[') && trimmed.ends_with(']')
 +}
++
 +fn is_managed_provider_header(line: &str) -> bool {
 +    let trimmed = line.trim();
 +    let name = trimmed
 +        .trim_start_matches('[')
 +        .trim_start_matches('[')
 +        .trim_end_matches(']')
 +        .trim_end_matches(']')
 +        .trim();
 +    name == "providers" || name == "providers.microsoft" || name == "providers.microsoft.accounts"
 +}
++
 +fn toml_string(value: &str) -> String {
 +    let mut quoted = String::from("\"");
 +    for character in value.chars() {
 +        match character {
 +            '\\' => quoted.push_str("\\\\"),
 +            '"' => quoted.push_str("\\\""),
 +            '\n' => quoted.push_str("\\n"),
 +            '\r' => quoted.push_str("\\r"),
 +            '\t' => quoted.push_str("\\t"),
 +            value if value.is_control() => {
 +                quoted.push_str(&format!("\\u{:04x}", u32::from(value)));
 +            }
 +            value => quoted.push(value),
 +        }
 +    }
 +    quoted.push('"');
 +    quoted
 +}
++
 +fn toml_comment_value(value: &str) -> String {
 +    value
 +        .chars()
 +        .map(|character| {
 +            if character.is_control() {
 +                ' '
 +            } else {
 +                character
 +            }
 +        })
 +        .collect::<String>()
 +}
++
  fn raw_config_to_user_config(raw: RawConfig, path: &Path) -> Result<UserConfig, ConfigError> {
      let base_dir = path.parent().unwrap_or_else(|| Path::new("."));
      let events_file = raw
  #[serde(deny_unknown_fields)]
  struct RawMicrosoftAccountConfig {
      id: String,
 -    client_id: String,
 -    tenant: String,
 +    client_id: Option<String>,
 +    tenant: Option<String>,
      redirect_port: Option<u16>,
      calendars: Option<Vec<String>>,
+ }
      fn into_config(self) -> MicrosoftAccountConfig {
          MicrosoftAccountConfig {
              id: self.id,
 -            client_id: self.client_id,
 -            tenant: self.tenant,
 +            client_id: self
 +                .client_id
 +                .unwrap_or_else(|| MICROSOFT_OFFICIAL_CLIENT_ID.to_string()),
 +            tenant: self
 +                .tenant
 +                .unwrap_or_else(|| MICROSOFT_DEFAULT_TENANT.to_string()),
              redirect_port: self.redirect_port.unwrap_or(8765),
              calendars: self.calendars.unwrap_or_default(),
+         }
          assert_eq!(config.providers.microsoft.accounts[0].redirect_port, 9001);
+     }
 +    #[test]
 +    fn microsoft_provider_defaults_to_official_public_client() {
 +        let path = temp_config_path("providers-official/config.toml");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
 +        fs::create_dir_all(path.parent().expect("config dir")).expect("dir creates");
 +        fs::write(
 +            &path,
 +            r#"
 +[providers.microsoft]
 +enabled = true
 +default_account = "work"
 +default_calendar = "cal-1"
++
 +[[providers.microsoft.accounts]]
 +id = "work"
 +calendars = ["cal-1"]
 +"#,
 +        )
 +        .expect("config writes");
++
 +        let config = load_config_file(&path).expect("config loads");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
++
 +        let account = &config.providers.microsoft.accounts[0];
 +        assert_eq!(account.client_id, MICROSOFT_OFFICIAL_CLIENT_ID);
 +        assert_eq!(account.tenant, MICROSOFT_DEFAULT_TENANT);
 +    }
++
 +    #[test]
 +    fn microsoft_setup_config_preserves_unrelated_sections() {
 +        let path = temp_config_path("providers-setup/config.toml");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
 +        fs::create_dir_all(path.parent().expect("config dir")).expect("dir creates");
 +        fs::write(
 +            &path,
 +            r#"
 +[paths]
 +events_file = "./events.json"
++
 +[providers]
 +create_target = "local"
++
 +[providers.microsoft]
 +enabled = false
++
 +[[providers.microsoft.accounts]]
 +id = "old"
 +calendars = []
++
 +[keybindings]
 +quit = ["q"]
 +"#,
 +        )
 +        .expect("config writes");
++
 +        write_microsoft_setup_config(
 +            Some(path.clone()),
 +            &MicrosoftSetupConfig {
 +                account_id: "work".to_string(),
 +                calendar_id: "cal-1".to_string(),
 +                calendar_name: "Calendar\nInjected".to_string(),
 +                sync_past_days: 7,
 +                sync_future_days: 90,
 +                redirect_port: 9001,
 +            },
 +        )
 +        .expect("setup config writes");
 +        let body = fs::read_to_string(&path).expect("config reads");
 +        let config = load_config_file(&path).expect("config loads");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
++
 +        assert!(body.contains("[paths]"));
 +        assert!(body.contains("[keybindings]"));
 +        assert!(body.contains("# Selected calendar: Calendar Injected"));
 +        assert!(!body.contains("id = \"old\""));
 +        assert_eq!(
 +            config.providers.create_target,
 +            ProviderCreateTarget::Microsoft
 +        );
 +        assert_eq!(
 +            config.providers.microsoft.default_calendar.as_deref(),
 +            Some("cal-1")
 +        );
 +        assert_eq!(config.providers.microsoft.accounts[0].redirect_port, 9001);
 +    }
++
      #[test]
      fn invalid_microsoft_provider_config_fails_clearly() {
          let path = temp_config_path("providers-invalid/config.toml");

src/providers.rsmodified

  const LOGIN_BASE_URL: &str = "https://login.microsoftonline.com";
  const MICROSOFT_SCOPES: &str = "offline_access User.Read Calendars.ReadWrite";
  const KEYRING_SERVICE: &str = "rcal.microsoft";
 +pub const MICROSOFT_OFFICIAL_CLIENT_ID: &str = "9a49eaac-422b-4192-a65d-82dc8f43c11d";
 +pub const MICROSOFT_DEFAULT_TENANT: &str = "common";
  #[derive(Debug, Clone, PartialEq, Eq)]
  pub struct ProviderConfig {
+ }
  impl MicrosoftAccountConfig {
 +    pub fn new_official(id: impl Into<String>) -> Self {
 +        Self {
 +            id: id.into(),
 +            client_id: MICROSOFT_OFFICIAL_CLIENT_ID.to_string(),
 +            tenant: MICROSOFT_DEFAULT_TENANT.to_string(),
 +            redirect_port: 8765,
 +            calendars: Vec::new(),
 +        }
 +    }
++
      pub fn token_url(&self) -> String {
          format!("{LOGIN_BASE_URL}/{}/oauth2/v2.0/token", self.tenant)
+     }