`f110af6`

Add Microsoft provider integration

Authored by

espadonne 2 weeks ago

SHA: f110af6d6f1029dfac7126c498f0c3b93ef49aa4
Parents: 630db76
Tree: bec72a2

11 changed files

Status	File	+	-
M	`Cargo.lock`	12	0
M	`Cargo.toml`	2	0
M	`README.md`	30	5
M	`src/agenda.rs`	175	3
M	`src/app.rs`	2	2
M	`src/calendar.rs`	32	0
M	`src/cli.rs`	523	5
M	`src/config.rs`	225	1
M	`src/lib.rs`	1	0
A	`src/providers.rs`	2841	0
M	`src/reminders.rs`	15	1

Cargo.lockmodified

   "thiserror 2.0.18",
+ ]
 +[[package]]
 +name = "keyring"
 +version = "3.6.3"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "eebcc3aff044e5944a8fbaf69eb277d11986064cba30c468730e8b9909fb551c"
 +dependencies = [
 + "log",
 + "zeroize",
 +]
++
  [[package]]
  name = "lab"
  version = "0.11.0"
   "crossterm",
   "directories",
   "fs2",
 + "keyring",
   "notify-rust",
   "ratatui",
   "reqwest",
   "serde",
   "serde_json",
 + "sha2",
   "time",
   "toml",
+ ]

Cargo.tomlmodified

  crossterm = "0.29.0"
  directories = "6.0.0"
  fs2 = "0.4.3"
 +keyring = "3"
  notify-rust = "4"
  ratatui = "0.30.0"
  reqwest = { version = "0.12.24", default-features = false, features = ["blocking", "rustls-tls"] }
  serde = { version = "1.0.228", features = ["derive"] }
  serde_json = "1.0.145"
 +sha2 = "0.10"
  time = { version = "0.3.47", features = ["local-offset", "parsing"] }
  toml = "0.9.8"

README.mdmodified

  ```sh
  rcal [--config PATH|--no-config] [--date YYYY-MM-DD] [--events-file PATH] [--holiday-source off|us-federal|nager] [--holiday-country CC]
  rcal config init [--path PATH] [--force]
 +rcal providers microsoft auth login --account ID [--browser]
 +rcal providers microsoft auth logout --account ID
 +rcal providers microsoft calendars list --account ID
 +rcal providers microsoft sync [--account ID]
 +rcal providers microsoft status
  rcal reminders run [--events-file PATH] [--state-file PATH] [--once]
  rcal reminders install [--events-file PATH] [--state-file PATH]
  rcal reminders uninstall
  `rcal config init` to write a commented starter file. Omitted settings keep
  built-in defaults, and CLI flags override config values. Config can set the
  events file, holiday source and country, reminder state file, and normal-mode
 -keybindings. Modal/form keys stay fixed for now.
 +keybindings. It can also configure the Microsoft provider. Modal/form keys stay
 +fixed for now.
  Nager.Date is cache-first and opt-in. Default startup does not need network
  access.
 +## Microsoft Provider
++
 +Microsoft Graph is the first remote provider. It is cache-first: the TUI reads
 +the local Microsoft cache instantly, and you refresh remote data explicitly:
++
 +```sh
 +rcal providers microsoft auth login --account work
 +rcal providers microsoft calendars list --account work
 +rcal providers microsoft sync --account work
 +```
++
 +Users provide their own Azure app `client_id` and tenant in `config.toml`.
 +Tokens are stored in the OS keychain. The provider syncs configured calendars
 +through Graph `calendarView`, caches selected events separately from the local
 +events JSON, and routes create/edit/delete/copy operations for Microsoft events
 +back through Graph. Provider reminders fire from cached provider events after a
 +sync; the reminder daemon does not sync remote calendars itself.
++
  ## Controls
  - Arrow keys move the selected date.
  - `?` opens contextual help.
  - `+` opens the Create event modal.
 -- In day view, `c` opens the Copy confirmation for the selected local event.
 -- In day view, `d` opens the Delete confirmation for the selected local event.
 +- In day view, `c` opens the Copy confirmation for the selected editable event.
 +- In day view, `d` opens the Delete confirmation for the selected editable event.
  - `Enter` opens the focused day view.
  - `Esc` returns from day view to month view.
  - `q` exits.
  ## Current Limits
 -- Real account integrations for Outlook, Google Calendar, Exchange, and similar
 -  providers are not implemented yet.
 +- Google Calendar, CalDAV, and other providers are not implemented yet.
 +- Microsoft sync is manual and cache-first; there is no background provider
 +  sync daemon yet.
  - Packaging is currently source-based through Cargo.
  ## Development

src/agenda.rsmodified

      time::{Duration, SystemTime, UNIX_EPOCH},
  };
 -use serde::{Deserialize, Serialize};
 +use serde::{Deserialize, Deserializer, Serialize, Serializer, de};
  use time::{Month, Time, Weekday};
 -use crate::calendar::CalendarDate;
 +use crate::{
 +    calendar::CalendarDate,
 +    providers::{
 +        KeyringMicrosoftTokenStore, MicrosoftProviderConfig, MicrosoftProviderRuntime,
 +        ProviderCreateTarget, ProviderError, ReqwestMicrosoftHttpClient,
 +    },
 +};
  #[derive(Debug, Clone, Copy, PartialEq, Eq)]
  pub struct DateRange {
+     }
+ }
 +impl Serialize for EventDateTime {
 +    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
 +    where
 +        S: Serializer,
 +    {
 +        serializer.serialize_str(&format!(
 +            "{}T{:02}:{:02}",
 +            self.date,
 +            self.time.hour(),
 +            self.time.minute()
 +        ))
 +    }
 +}
++
 +impl<'de> Deserialize<'de> for EventDateTime {
 +    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
 +    where
 +        D: Deserializer<'de>,
 +    {
 +        let value = String::deserialize(deserializer)?;
 +        parse_event_datetime_record(&value)
 +            .ok_or_else(|| de::Error::custom(format!("invalid event datetime '{value}'")))
 +    }
 +}
++
  #[derive(Debug, Clone, PartialEq, Eq)]
  pub struct SourceMetadata {
      pub source_id: String,
          self.source.source_id == "local"
+     }
 +    pub fn is_microsoft(&self) -> bool {
 +        self.source.source_id.starts_with("microsoft:")
 +    }
++
 +    pub fn is_editable(&self) -> bool {
 +        self.is_local() || self.is_microsoft()
 +    }
++
      pub const fn is_recurring_series(&self) -> bool {
          self.recurrence.is_some()
+     }
      fn local_event_by_id(&self, _id: &str) -> Option<Event> {
          None
+     }
++
 +    fn editable_event_by_id(&self, id: &str) -> Option<Event> {
 +        self.local_event_by_id(id)
 +    }
+ }
  #[derive(Debug)]
      events: InMemoryAgendaSource,
      holidays: HolidayProvider,
      events_file: Option<PathBuf>,
 +    create_target: ProviderCreateTarget,
 +    microsoft: Option<MicrosoftProviderRuntime>,
+ }
  impl ConfiguredAgendaSource {
              events,
              holidays,
              events_file: None,
 +            create_target: ProviderCreateTarget::Local,
 +            microsoft: None,
+         }
+     }
              events,
              holidays,
              events_file: Some(events_file),
 +            create_target: ProviderCreateTarget::Local,
 +            microsoft: None,
          })
+     }
 +    pub fn with_microsoft_provider(
 +        mut self,
 +        config: MicrosoftProviderConfig,
 +        create_target: ProviderCreateTarget,
 +    ) -> Result<Self, LocalEventStoreError> {
 +        if config.enabled {
 +            self.microsoft = Some(MicrosoftProviderRuntime::load(config).map_err(provider_error)?);
 +            self.create_target = create_target;
 +        }
 +        Ok(self)
 +    }
++
      pub fn create_event(&mut self, draft: CreateEventDraft) -> Result<Event, LocalEventStoreError> {
 +        if self.create_target == ProviderCreateTarget::Microsoft
 +            && let Some(microsoft) = &mut self.microsoft
 +        {
 +            let http = ReqwestMicrosoftHttpClient;
 +            let token_store = KeyringMicrosoftTokenStore;
 +            return microsoft
 +                .create_event(draft, &http, &token_store)
 +                .map_err(provider_error);
 +        }
++
          let id = self.next_local_event_id(&draft.title);
          let event = draft
              .into_event(id)
          id: &str,
          draft: CreateEventDraft,
      ) -> Result<Event, LocalEventStoreError> {
 +        if self.events.local_event_by_id(id).is_none()
 +            && id.starts_with("microsoft:")
 +            && let Some(microsoft) = &mut self.microsoft
 +        {
 +            let http = ReqwestMicrosoftHttpClient;
 +            let token_store = KeyringMicrosoftTokenStore;
 +            return microsoft
 +                .update_event(id, draft, &http, &token_store)
 +                .map_err(provider_error);
 +        }
++
          let mut events = self.events.events().to_vec();
          let Some(index) = events.iter().position(|event| event.id == id) else {
              return Err(LocalEventStoreError::EventNotFound { id: id.to_string() });
          anchor: OccurrenceAnchor,
          draft: CreateEventDraft,
      ) -> Result<Event, LocalEventStoreError> {
 +        if self.events.local_event_by_id(series_id).is_none()
 +            && series_id.starts_with("microsoft:")
 +            && let Some(microsoft) = &mut self.microsoft
 +        {
 +            let http = ReqwestMicrosoftHttpClient;
 +            let token_store = KeyringMicrosoftTokenStore;
 +            return microsoft
 +                .update_occurrence(series_id, anchor, draft, &http, &token_store)
 +                .map_err(provider_error);
 +        }
++
          let mut events = self.events.events().to_vec();
          let Some(index) = events.iter().position(|event| event.id == series_id) else {
              return Err(LocalEventStoreError::EventNotFound {
+     }
      pub fn delete_event(&mut self, id: &str) -> Result<Event, LocalEventStoreError> {
 +        if self.events.local_event_by_id(id).is_none()
 +            && id.starts_with("microsoft:")
 +            && let Some(microsoft) = &mut self.microsoft
 +        {
 +            let http = ReqwestMicrosoftHttpClient;
 +            let token_store = KeyringMicrosoftTokenStore;
 +            return microsoft
 +                .delete_event(id, &http, &token_store)
 +                .map_err(provider_error);
 +        }
++
          let mut events = self.events.events().to_vec();
          let Some(index) = events.iter().position(|event| event.id == id) else {
              return Err(LocalEventStoreError::EventNotFound { id: id.to_string() });
+     }
      pub fn duplicate_event(&mut self, id: &str) -> Result<Event, LocalEventStoreError> {
 +        if self.events.local_event_by_id(id).is_none()
 +            && id.starts_with("microsoft:")
 +            && let Some(microsoft) = &mut self.microsoft
 +        {
 +            let http = ReqwestMicrosoftHttpClient;
 +            let token_store = KeyringMicrosoftTokenStore;
 +            return microsoft
 +                .duplicate_event(id, &http, &token_store)
 +                .map_err(provider_error);
 +        }
++
          let event = self
              .events
              .local_event_by_id(id)
          series_id: &str,
          anchor: OccurrenceAnchor,
      ) -> Result<Event, LocalEventStoreError> {
 +        if self.events.local_event_by_id(series_id).is_none()
 +            && series_id.starts_with("microsoft:")
 +            && let Some(microsoft) = &mut self.microsoft
 +        {
 +            let http = ReqwestMicrosoftHttpClient;
 +            let token_store = KeyringMicrosoftTokenStore;
 +            return microsoft
 +                .duplicate_occurrence(series_id, anchor, &http, &token_store)
 +                .map_err(provider_error);
 +        }
++
          let series = self.events.local_event_by_id(series_id).ok_or_else(|| {
              LocalEventStoreError::EventNotFound {
                  id: series_id.to_string(),
          series_id: &str,
          anchor: OccurrenceAnchor,
      ) -> Result<(), LocalEventStoreError> {
 +        if self.events.local_event_by_id(series_id).is_none()
 +            && series_id.starts_with("microsoft:")
 +            && let Some(microsoft) = &mut self.microsoft
 +        {
 +            let http = ReqwestMicrosoftHttpClient;
 +            let token_store = KeyringMicrosoftTokenStore;
 +            return microsoft
 +                .delete_occurrence(series_id, anchor, &http, &token_store)
 +                .map_err(provider_error);
 +        }
++
          let mut events = self.events.events().to_vec();
          let Some(index) = events.iter().position(|event| event.id == series_id) else {
              return Err(LocalEventStoreError::EventNotFound {
  impl AgendaSource for ConfiguredAgendaSource {
      fn events_intersecting(&self, range: DateRange) -> Vec<Event> {
 -        self.events.events_intersecting(range)
 +        let mut events = self.events.events_intersecting(range);
 +        if let Some(microsoft) = &self.microsoft {
 +            events.extend(microsoft.agenda_source().events_intersecting(range));
 +        }
 +        events.sort_by(|left, right| {
 +            event_sort_key(left)
 +                .cmp(&event_sort_key(right))
 +                .then(left.id.cmp(&right.id))
 +        });
 +        events
+     }
      fn holidays_in(&self, range: DateRange) -> Vec<Holiday> {
      fn local_event_by_id(&self, id: &str) -> Option<Event> {
          self.events.local_event_by_id(id)
+     }
++
 +    fn editable_event_by_id(&self, id: &str) -> Option<Event> {
 +        self.events.local_event_by_id(id).or_else(|| {
 +            self.microsoft
 +                .as_ref()
 +                .and_then(|microsoft| microsoft.agenda_source().event_by_id(id))
 +        })
 +    }
 +}
++
 +fn provider_error(err: ProviderError) -> LocalEventStoreError {
 +    LocalEventStoreError::Provider {
 +        reason: err.to_string(),
 +    }
+ }
  #[derive(Debug)]
          path: Option<PathBuf>,
          reason: String,
      },
 +    Provider {
 +        reason: String,
 +    },
      Write {
          path: PathBuf,
          reason: String,
                      write!(f, "failed to encode local event: {reason}")
+                 }
+             }
 +            Self::Provider { reason } => write!(f, "{reason}"),
              Self::Write { path, reason } => {
                  write!(f, "failed to write {}: {reason}", path.display())
+             }
      })
+ }
 +fn parse_event_datetime_record(value: &str) -> Option<EventDateTime> {
 +    let (date, time) = value.split_once('T')?;
 +    Some(EventDateTime::new(
 +        parse_iso_date(date)?,
 +        parse_hhmm_time(time)?,
 +    ))
 +}
++
  fn parse_local_date(value: &str, path: &Path) -> Result<CalendarDate, LocalEventStoreError> {
      parse_iso_date(value).ok_or_else(|| LocalEventStoreError::Parse {
          path: path.to_path_buf(),

src/app.rsmodified

                  RecurrenceEditChoiceAction::Series => {
                      let series_id = choice.series_id.clone();
                      self.recurrence_choice = None;
 -                    if let Some(event) = source.local_event_by_id(&series_id) {
 +                    if let Some(event) = source.editable_event_by_id(&series_id) {
                          self.create_form = Some(CreateEventForm::edit(&event));
+                     }
                      RecurrenceChoiceInputResult::Continue
                  .into_iter()
                  .map(|agenda_event| agenda_event.event),
+         )
 -        .filter(Event::is_local)
 +        .filter(Event::is_editable)
          .collect()
+ }

src/calendar.rsmodified

  use std::{array, fmt};
 +use serde::{Deserialize, Deserializer, Serialize, Serializer, de};
  use time::{Date, Month, Weekday};
  pub const DAYS_PER_WEEK: usize = 7;
+     }
+ }
 +impl Serialize for CalendarDate {
 +    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
 +    where
 +        S: Serializer,
 +    {
 +        serializer.serialize_str(&self.to_string())
 +    }
 +}
++
 +impl<'de> Deserialize<'de> for CalendarDate {
 +    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
 +    where
 +        D: Deserializer<'de>,
 +    {
 +        let value = String::deserialize(deserializer)?;
 +        parse_calendar_date(&value)
 +            .ok_or_else(|| de::Error::custom(format!("invalid calendar date '{value}'")))
 +    }
 +}
++
 +fn parse_calendar_date(value: &str) -> Option<CalendarDate> {
 +    let mut parts = value.split('-');
 +    let year = parts.next()?.parse().ok()?;
 +    let month = Month::try_from(parts.next()?.parse::<u8>().ok()?).ok()?;
 +    let day = parts.next()?.parse().ok()?;
 +    if parts.next().is_some() {
 +        return None;
 +    }
 +    CalendarDate::from_ymd(year, month, day).ok()
 +}
++
  #[derive(Debug, Clone, Copy, PartialEq, Eq)]
  pub struct MonthId {
      pub year: i32,

src/cli.rsmodified

          ConfigError, ConfigHolidaySource, UserConfig, init_config_file, load_discovered_config,
          load_explicit_config,
      },
 +    providers::{
 +        KeyringMicrosoftTokenStore, MicrosoftProviderConfig, MicrosoftProviderRuntime,
 +        ProviderConfig, ProviderError, ReqwestMicrosoftHttpClient, list_calendars,
 +        login_device_code_or_browser, logout,
 +    },
      reminders::{
          ReminderDaemonConfig, ReminderError, SystemNotifier, default_state_file,
          notification_backend_name, run_daemon, run_once, test_notification,
      "Usage:\n",
      "  rcal [--config PATH|--no-config] [--date YYYY-MM-DD] [--events-file PATH] [--holiday-source off|us-federal|nager] [--holiday-country CC]\n",
      "  rcal config init [--path PATH] [--force]\n\n",
 +    "  rcal providers microsoft auth login --account ID [--browser]\n",
 +    "  rcal providers microsoft auth logout --account ID\n",
 +    "  rcal providers microsoft calendars list --account ID\n",
 +    "  rcal providers microsoft sync [--account ID]\n",
 +    "  rcal providers microsoft status\n\n",
      "  rcal reminders run [--events-file PATH] [--state-file PATH] [--once]\n",
      "  rcal reminders install [--events-file PATH] [--state-file PATH]\n",
      "  rcal reminders uninstall\n",
      "  Arrow keys move selection; Enter opens day view; Esc returns to month; q exits.\n",
      "  ? opens contextual help.\n",
      "  + opens the Create event modal.\n",
 -    "  In day view, c opens the Copy confirmation for the selected local event.\n",
 -    "  In day view, d opens the Delete confirmation for the selected local event.\n",
 +    "  In day view, c opens the Copy confirmation for the selected editable event.\n",
 +    "  In day view, d opens the Delete confirmation for the selected editable event.\n",
      "  In day view, Left/Right move to the previous or next day.\n",
      "  Digits jump immediately; a quick second digit refines the selected day.\n",
      "  Weekday initials jump within the selected week.\n\n",
      "Mouse:\n",
      "  Left click selects a visible date; double-click a visible date to open day view.\n\n",
      "Notes:\n",
 -    "  Reminder services are user-level background jobs. Provider account integration is not in this milestone.\n",
 +    "  Microsoft provider data is cache-first. Run `rcal providers microsoft sync` to refresh it.\n",
  );
  const VERSION: &str = concat!(env!("CARGO_PKG_NAME"), " ", env!("CARGO_PKG_VERSION"), "\n");
      pub holiday_source: HolidaySourceConfig,
      pub holiday_country: String,
      pub keybindings: KeyBindings,
 +    pub providers: ProviderConfig,
+ }
  impl AppConfig {
              holiday_source: HolidaySourceConfig::UsFederal,
              holiday_country: "US".to_string(),
              keybindings: KeyBindings::default(),
 +            providers: ProviderConfig::default(),
+         }
+     }
+ }
      Run(AppConfig),
      Reminders(ReminderCliAction),
      Config(ConfigCliAction),
 +    Providers(ProviderCliAction),
      Help,
      Version,
+ }
      Init { path: Option<PathBuf>, force: bool },
+ }
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub enum ProviderCliAction {
 +    Microsoft(MicrosoftCliAction),
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub enum MicrosoftCliAction {
 +    AuthLogin {
 +        account: String,
 +        browser: bool,
 +        config: MicrosoftProviderConfig,
 +    },
 +    AuthLogout {
 +        account: String,
 +    },
 +    CalendarsList {
 +        account: String,
 +        config: MicrosoftProviderConfig,
 +    },
 +    Sync {
 +        account: Option<String>,
 +        config: MicrosoftProviderConfig,
 +    },
 +    Status {
 +        config: MicrosoftProviderConfig,
 +    },
 +}
++
  #[derive(Debug, Clone, PartialEq, Eq)]
  pub enum ReminderCliAction {
      Run(ReminderRunConfig),
  pub struct ReminderRunConfig {
      pub events_file: PathBuf,
      pub state_file: PathBuf,
 +    pub providers: ProviderConfig,
      pub once: bool,
+ }
      DuplicateConfigInitPath,
      MissingConfigInitPathValue,
      Config(ConfigError),
 +    Provider(ProviderError),
 +    MissingProviderCommand,
 +    UnknownProviderCommand(String),
 +    MissingProviderAccount,
 +    DuplicateProviderAccount,
      MissingReminderCommand,
      UnknownReminderCommand(String),
      DuplicateStateFile,
+             }
              Self::MissingConfigInitPathValue => write!(f, "config init --path requires a path"),
              Self::Config(err) => write!(f, "{err}"),
 +            Self::Provider(err) => write!(f, "{err}"),
 +            Self::MissingProviderCommand => write!(f, "providers requires a command: microsoft"),
 +            Self::UnknownProviderCommand(command) => {
 +                write!(f, "unknown providers command: {command}")
 +            }
 +            Self::MissingProviderAccount => write!(f, "--account requires a Microsoft account id"),
 +            Self::DuplicateProviderAccount => write!(f, "--account may only be provided once"),
              Self::MissingReminderCommand => write!(
                  f,
                  "reminders requires one of: run, install, uninstall, status, test"
+     }
+ }
 +impl From<ProviderError> for CliError {
 +    fn from(err: ProviderError) -> Self {
 +        Self::Provider(err)
 +    }
 +}
++
  pub fn run_terminal<I>(args: I) -> std::process::ExitCode
  where
      I: IntoIterator<Item = OsString>,
+         }
          Ok(CliAction::Reminders(action)) => run_reminder_action(action, &mut stdout, &mut stderr),
          Ok(CliAction::Config(action)) => run_config_action(action, &mut stdout, &mut stderr),
 +        Ok(CliAction::Providers(action)) => run_provider_action(action, &mut stdout, &mut stderr),
          Ok(CliAction::Help) => match write!(stdout, "{HELP}") {
              Ok(()) => std::process::ExitCode::SUCCESS,
              Err(err) => io_error_exit(&mut stderr, err),
+         }
          Ok(CliAction::Reminders(action)) => run_reminder_action(action, &mut stdout, &mut stderr),
          Ok(CliAction::Config(action)) => run_config_action(action, &mut stdout, &mut stderr),
 +        Ok(CliAction::Providers(action)) => run_provider_action(action, &mut stdout, &mut stderr),
          Ok(CliAction::Help) => match write!(stdout, "{HELP}") {
              Ok(()) => std::process::ExitCode::SUCCESS,
              Err(err) => io_error_exit(&mut stderr, err),
          return parse_reminder_args(args.into_iter().skip(1), &user_config);
+     }
 +    if let Some(first) = args.first()
 +        && first == "providers"
 +    {
 +        return parse_provider_args(args.into_iter().skip(1), &user_config);
 +    }
++
      parse_calendar_args(args, today, user_config)
+ }
+     {
          return Some(CliAction::Help);
+     }
 +    if first == "providers"
 +        && let Some(second) = args.get(1)
 +        && (second == "--help" || second == "-h")
 +    {
 +        return Some(CliAction::Help);
 +    }
      None
+ }
          config.holiday_country = holiday_country;
+     }
      config.keybindings = user_config.keybindings;
 +    config.providers = user_config.providers;
      if let Some(events_file) = events_file {
          config.events_file = events_file;
      Ok(CliAction::Config(ConfigCliAction::Init { path, force }))
+ }
 +fn parse_provider_args<I>(args: I, user_config: &UserConfig) -> Result<CliAction, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut args = args.into_iter();
 +    let command = args.next().ok_or(CliError::MissingProviderCommand)?;
 +    let Some(command) = command.to_str() else {
 +        return Err(CliError::UnknownProviderCommand(display_arg(&command)));
 +    };
++
 +    match command {
 +        "microsoft" => parse_microsoft_provider_args(args, &user_config.providers.microsoft),
 +        "--help" | "-h" => Ok(CliAction::Help),
 +        _ => Err(CliError::UnknownProviderCommand(command.to_string())),
 +    }
 +}
++
 +fn parse_microsoft_provider_args<I>(
 +    args: I,
 +    config: &MicrosoftProviderConfig,
 +) -> Result<CliAction, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut args = args.into_iter();
 +    let command = args.next().ok_or(CliError::MissingProviderCommand)?;
 +    let Some(command) = command.to_str() else {
 +        return Err(CliError::UnknownProviderCommand(display_arg(&command)));
 +    };
++
 +    match command {
 +        "auth" => parse_microsoft_auth_args(args, config),
 +        "calendars" => parse_microsoft_calendars_args(args, config),
 +        "sync" => parse_microsoft_sync_args(args, config),
 +        "status" => no_extra_provider_args(
 +            args,
 +            MicrosoftCliAction::Status {
 +                config: config.clone(),
 +            },
 +        ),
 +        "--help" | "-h" => Ok(CliAction::Help),
 +        _ => Err(CliError::UnknownProviderCommand(format!(
 +            "microsoft {command}"
 +        ))),
 +    }
 +}
++
 +fn parse_microsoft_auth_args<I>(
 +    args: I,
 +    config: &MicrosoftProviderConfig,
 +) -> Result<CliAction, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut args = args.into_iter();
 +    let command = args.next().ok_or(CliError::MissingProviderCommand)?;
 +    let Some(command) = command.to_str() else {
 +        return Err(CliError::UnknownProviderCommand(display_arg(&command)));
 +    };
++
 +    match command {
 +        "login" => {
 +            let (account, browser) = parse_account_and_browser(args)?;
 +            Ok(CliAction::Providers(ProviderCliAction::Microsoft(
 +                MicrosoftCliAction::AuthLogin {
 +                    account,
 +                    browser,
 +                    config: config.clone(),
 +                },
 +            )))
 +        }
 +        "logout" => {
 +            let account = parse_required_account(args)?;
 +            Ok(CliAction::Providers(ProviderCliAction::Microsoft(
 +                MicrosoftCliAction::AuthLogout { account },
 +            )))
 +        }
 +        _ => Err(CliError::UnknownProviderCommand(format!(
 +            "microsoft auth {command}"
 +        ))),
 +    }
 +}
++
 +fn parse_microsoft_calendars_args<I>(
 +    args: I,
 +    config: &MicrosoftProviderConfig,
 +) -> Result<CliAction, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut args = args.into_iter();
 +    let command = args.next().ok_or(CliError::MissingProviderCommand)?;
 +    let Some(command) = command.to_str() else {
 +        return Err(CliError::UnknownProviderCommand(display_arg(&command)));
 +    };
 +    match command {
 +        "list" => {
 +            let account = parse_required_account(args)?;
 +            Ok(CliAction::Providers(ProviderCliAction::Microsoft(
 +                MicrosoftCliAction::CalendarsList {
 +                    account,
 +                    config: config.clone(),
 +                },
 +            )))
 +        }
 +        _ => Err(CliError::UnknownProviderCommand(format!(
 +            "microsoft calendars {command}"
 +        ))),
 +    }
 +}
++
 +fn parse_microsoft_sync_args<I>(
 +    args: I,
 +    config: &MicrosoftProviderConfig,
 +) -> Result<CliAction, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let account = parse_optional_account(args)?;
 +    Ok(CliAction::Providers(ProviderCliAction::Microsoft(
 +        MicrosoftCliAction::Sync {
 +            account,
 +            config: config.clone(),
 +        },
 +    )))
 +}
++
 +fn no_extra_provider_args<I>(args: I, action: MicrosoftCliAction) -> Result<CliAction, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut args = args.into_iter();
 +    if let Some(arg) = args.next() {
 +        return Err(CliError::UnknownArgument(display_arg(&arg)));
 +    }
 +    Ok(CliAction::Providers(ProviderCliAction::Microsoft(action)))
 +}
++
 +fn parse_required_account<I>(args: I) -> Result<String, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    parse_optional_account(args)?.ok_or(CliError::MissingProviderAccount)
 +}
++
 +fn parse_account_and_browser<I>(args: I) -> Result<(String, bool), CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut browser = false;
 +    let mut account = None;
 +    let mut args = args.into_iter();
 +    while let Some(arg) = args.next() {
 +        if arg == "--browser" {
 +            browser = true;
 +            continue;
 +        }
 +        parse_account_arg(arg, &mut args, &mut account)?;
 +    }
 +    Ok((account.ok_or(CliError::MissingProviderAccount)?, browser))
 +}
++
 +fn parse_optional_account<I>(args: I) -> Result<Option<String>, CliError>
 +where
 +    I: IntoIterator<Item = OsString>,
 +{
 +    let mut account = None;
 +    let mut args = args.into_iter();
 +    while let Some(arg) = args.next() {
 +        parse_account_arg(arg, &mut args, &mut account)?;
 +    }
 +    Ok(account)
 +}
++
 +fn parse_account_arg<I>(
 +    arg: OsString,
 +    args: &mut I,
 +    account: &mut Option<String>,
 +) -> Result<(), CliError>
 +where
 +    I: Iterator<Item = OsString>,
 +{
 +    if arg == "--account" {
 +        if account.is_some() {
 +            return Err(CliError::DuplicateProviderAccount);
 +        }
 +        *account = Some(display_arg(
 +            &args.next().ok_or(CliError::MissingProviderAccount)?,
 +        ));
 +        return Ok(());
 +    }
 +    if let Some(value) = arg
 +        .to_str()
 +        .and_then(|value| value.strip_prefix("--account="))
 +    {
 +        if account.is_some() {
 +            return Err(CliError::DuplicateProviderAccount);
 +        }
 +        *account = Some(value.to_string());
 +        return Ok(());
 +    }
 +    Err(CliError::UnknownArgument(display_arg(&arg)))
 +}
++
  fn parse_reminder_args<I>(args: I, user_config: &UserConfig) -> Result<CliAction, CliError>
  where
      I: IntoIterator<Item = OsString>,
                      .clone()
                      .unwrap_or_else(default_state_file)
              }),
 +            providers: user_config.providers.clone(),
              once,
          },
      )))
          HolidaySourceConfig::Nager => HolidayProvider::nager(config.holiday_country.clone()),
      };
 -    ConfiguredAgendaSource::from_events_file(config.events_file.clone(), holidays)
 +    ConfiguredAgendaSource::from_events_file(config.events_file.clone(), holidays).and_then(
 +        |source| {
 +            source.with_microsoft_provider(
 +                config.providers.microsoft.clone(),
 +                config.providers.create_target,
 +            )
 +        },
 +    )
+ }
  fn run_config_action(
+     }
+ }
 +fn run_provider_action(
 +    action: ProviderCliAction,
 +    stdout: &mut impl Write,
 +    stderr: &mut impl Write,
 +) -> std::process::ExitCode {
 +    match action {
 +        ProviderCliAction::Microsoft(action) => run_microsoft_action(action, stdout, stderr),
 +    }
 +}
++
 +fn run_microsoft_action(
 +    action: MicrosoftCliAction,
 +    stdout: &mut impl Write,
 +    stderr: &mut impl Write,
 +) -> std::process::ExitCode {
 +    let http = ReqwestMicrosoftHttpClient;
 +    let token_store = KeyringMicrosoftTokenStore;
 +    let result = match action {
 +        MicrosoftCliAction::AuthLogin {
 +            account,
 +            browser,
 +            config,
 +        } => {
 +            let Some(account_config) = config.account(&account) else {
 +                return provider_error_exit(
 +                    stderr,
 +                    ProviderError::Config(format!(
 +                        "Microsoft account '{account}' is not configured"
 +                    )),
 +                );
 +            };
 +            login_device_code_or_browser(account_config, &http, &token_store, stdout, browser)
 +        }
 +        MicrosoftCliAction::AuthLogout { account } => logout(&account, &token_store).map(|()| {
 +            let _ = writeln!(stdout, "removed Microsoft credentials for '{account}'");
 +        }),
 +        MicrosoftCliAction::CalendarsList { account, config } => {
 +            let Some(account_config) = config.account(&account) else {
 +                return provider_error_exit(
 +                    stderr,
 +                    ProviderError::Config(format!(
 +                        "Microsoft account '{account}' is not configured"
 +                    )),
 +                );
 +            };
 +            list_calendars(account_config, &http, &token_store).map(|calendars| {
 +                for calendar in calendars {
 +                    let _ = writeln!(
 +                        stdout,
 +                        "{}\t{}\tcan_edit={}\tdefault={}",
 +                        calendar.id, calendar.name, calendar.can_edit, calendar.is_default
 +                    );
 +                }
 +            })
 +        }
 +        MicrosoftCliAction::Sync { account, config } => {
 +            let mut runtime = match MicrosoftProviderRuntime::load(config) {
 +                Ok(runtime) => runtime,
 +                Err(err) => return provider_error_exit(stderr, err),
 +            };
 +            runtime
 +                .sync(
 +                    account.as_deref(),
 +                    &http,
 +                    &token_store,
 +                    CalendarDate::from(default_start_date()),
 +                )
 +                .map(|summary| {
 +                    let _ = writeln!(
 +                        stdout,
 +                        "synced accounts={} calendars={} events={}",
 +                        summary.accounts, summary.calendars, summary.events
 +                    );
 +                })
 +        }
 +        MicrosoftCliAction::Status { config } => {
 +            let runtime = match MicrosoftProviderRuntime::load(config.clone()) {
 +                Ok(runtime) => runtime,
 +                Err(err) => return provider_error_exit(stderr, err),
 +            };
 +            let status = runtime.status(&token_store);
 +            let _ = writeln!(
 +                stdout,
 +                "enabled={} cache={} cached_events={}",
 +                status.enabled,
 +                status.cache_file.display(),
 +                status.event_count
 +            );
 +            for account in status.accounts {
 +                let _ = writeln!(
 +                    stdout,
 +                    "account={} authenticated={} calendars={}",
 +                    account.id,
 +                    account.authenticated,
 +                    account.calendars.join(",")
 +                );
 +            }
 +            Ok(())
 +        }
 +    };
++
 +    match result {
 +        Ok(()) => std::process::ExitCode::SUCCESS,
 +        Err(err) => provider_error_exit(stderr, err),
 +    }
 +}
++
  fn run_reminder_action(
      action: ReminderCliAction,
      stdout: &mut impl Write,
  ) -> std::process::ExitCode {
      match action {
          ReminderCliAction::Run(config) => {
 -            let daemon_config = ReminderDaemonConfig::new(config.events_file, config.state_file);
 +            let daemon_config = ReminderDaemonConfig::new(config.events_file, config.state_file)
 +                .with_providers(config.providers);
              let mut notifier = SystemNotifier;
              if config.once {
                  match run_once(
      std::process::ExitCode::FAILURE
+ }
 +fn provider_error_exit(stderr: &mut impl Write, err: ProviderError) -> std::process::ExitCode {
 +    let _ = writeln!(stderr, "error: {err}");
 +    std::process::ExitCode::FAILURE
 +}
++
  #[cfg(test)]
  mod tests {
      use super::*;
      use crate::app::{KeyBindingOverrides, KeyCommand};
      use crate::calendar::CalendarMonth;
 +    use crate::providers::{MicrosoftAccountConfig, ProviderCreateTarget};
      use time::Month;
      fn date(year: i32, month: Month, day: u8) -> CalendarDate {
                  ..KeyBindingOverrides::default()
              })
              .expect("test bindings are valid"),
 +            providers: ProviderConfig::default(),
 +        }
 +    }
++
 +    fn microsoft_provider_config() -> MicrosoftProviderConfig {
 +        MicrosoftProviderConfig {
 +            enabled: true,
 +            default_account: Some("work".to_string()),
 +            default_calendar: Some("cal-1".to_string()),
 +            sync_past_days: 30,
 +            sync_future_days: 365,
 +            cache_file: PathBuf::from("/tmp/microsoft-cache.json"),
 +            accounts: vec![MicrosoftAccountConfig {
 +                id: "work".to_string(),
 +                client_id: "client-id".to_string(),
 +                tenant: "organizations".to_string(),
 +                redirect_port: 8765,
 +                calendars: vec!["cal-1".to_string()],
 +            }],
 +        }
 +    }
++
 +    fn config_with_microsoft_provider() -> UserConfig {
 +        UserConfig {
 +            providers: ProviderConfig {
 +                create_target: ProviderCreateTarget::Microsoft,
 +                microsoft: microsoft_provider_config(),
 +            },
 +            ..UserConfig::empty()
+         }
+     }
              CliAction::Reminders(ReminderCliAction::Run(ReminderRunConfig {
                  events_file: PathBuf::from("/tmp/events.json"),
                  state_file: PathBuf::from("/tmp/state.json"),
 +                providers: ProviderConfig::default(),
                  once: true,
              }))
          );
              CliAction::Reminders(ReminderCliAction::Run(ReminderRunConfig {
                  events_file: PathBuf::from("/tmp/config-events.json"),
                  state_file: PathBuf::from("/tmp/config-state.json"),
 +                providers: ProviderConfig::default(),
                  once: true,
              }))
          );
          );
+     }
 +    #[test]
 +    fn microsoft_provider_commands_parse_configured_account() {
 +        let today = date(2026, Month::April, 23);
 +        let user_config = config_with_microsoft_provider();
 +        let microsoft = user_config.providers.microsoft.clone();
++
 +        let sync_action = parse_args_with_config(
 +            [
 +                arg("providers"),
 +                arg("microsoft"),
 +                arg("sync"),
 +                arg("--account"),
 +                arg("work"),
 +            ],
 +            today.into(),
 +            user_config.clone(),
 +            None,
 +        )
 +        .expect("sync parses");
 +        assert_eq!(
 +            sync_action,
 +            CliAction::Providers(ProviderCliAction::Microsoft(MicrosoftCliAction::Sync {
 +                account: Some("work".to_string()),
 +                config: microsoft.clone(),
 +            }))
 +        );
++
 +        let login_action = parse_args_with_config(
 +            [
 +                arg("providers"),
 +                arg("microsoft"),
 +                arg("auth"),
 +                arg("login"),
 +                arg("--account=work"),
 +                arg("--browser"),
 +            ],
 +            today.into(),
 +            user_config,
 +            None,
 +        )
 +        .expect("login parses");
 +        assert_eq!(
 +            login_action,
 +            CliAction::Providers(ProviderCliAction::Microsoft(
 +                MicrosoftCliAction::AuthLogin {
 +                    account: "work".to_string(),
 +                    browser: true,
 +                    config: microsoft,
 +                },
 +            ))
 +        );
 +    }
++
 +    #[test]
 +    fn microsoft_provider_args_reject_missing_and_duplicate_accounts() {
 +        let today = date(2026, Month::April, 23);
++
 +        assert_eq!(
 +            parse_args(
 +                [
 +                    arg("providers"),
 +                    arg("microsoft"),
 +                    arg("auth"),
 +                    arg("login")
 +                ],
 +                today.into(),
 +            )
 +            .expect_err("missing account fails"),
 +            CliError::MissingProviderAccount
 +        );
 +        assert_eq!(
 +            parse_args(
 +                [
 +                    arg("providers"),
 +                    arg("microsoft"),
 +                    arg("sync"),
 +                    arg("--account=one"),
 +                    arg("--account=two"),
 +                ],
 +                today.into(),
 +            )
 +            .expect_err("duplicate account fails"),
 +            CliError::DuplicateProviderAccount
 +        );
 +    }
++
      #[test]
      fn invalid_holiday_options_are_rejected() {
          let today = date(2026, Month::April, 23);

src/config.rsmodified

  use serde::Deserialize;
 -use crate::app::{KeyBindingError, KeyBindingOverrides, KeyBindings};
 +use crate::{
 +    app::{KeyBindingError, KeyBindingOverrides, KeyBindings},
 +    providers::{
 +        MicrosoftAccountConfig, MicrosoftProviderConfig, ProviderConfig, ProviderCreateTarget,
 +    },
 +};
  pub const DEFAULT_CONFIG_TOML: &str = r#"# rcal configuration
  # Generate this file with `rcal config init`.
  # Delivered/skipped reminder state. Services snapshot this path at install time.
  state_file = "~/.local/state/rcal/reminders-state.json"
 +[providers]
 +# Where newly created events go when provider support is enabled: "local" or "microsoft".
 +create_target = "local"
++
 +[providers.microsoft]
 +# Microsoft Graph provider for Outlook / Microsoft 365 calendars.
 +enabled = false
 +default_account = "work"
 +default_calendar = "CALENDAR_ID"
 +sync_past_days = 30
 +sync_future_days = 365
 +# Provider cache is separate from the local events file.
 +# cache_file = "~/.cache/rcal/microsoft-cache.json"
++
 +[[providers.microsoft.accounts]]
 +id = "work"
 +client_id = "AZURE_APP_CLIENT_ID"
 +tenant = "organizations"
 +redirect_port = 8765
 +calendars = ["CALENDAR_ID"]
++
  [keybindings]
  # Normal month/day app commands. Modal/form editing keys are fixed for now.
  move_left = ["left"]
      pub holiday_country: Option<String>,
      pub reminder_state_file: Option<PathBuf>,
      pub keybindings: KeyBindings,
 +    pub providers: ProviderConfig,
+ }
  impl UserConfig {
              holiday_country: None,
              reminder_state_file: None,
              keybindings: KeyBindings::default(),
 +            providers: ProviderConfig::default(),
+         }
+     }
+ }
      } else {
          KeyBindings::default()
      };
 +    let providers = raw
 +        .providers
 +        .map(|providers| providers.into_config(path, base_dir))
 +        .transpose()?
 +        .unwrap_or_default();
      Ok(UserConfig {
          path: Some(path.to_path_buf()),
          holiday_country,
          reminder_state_file,
          keybindings,
 +        providers,
      })
+ }
      paths: Option<RawPathsConfig>,
      holidays: Option<RawHolidaysConfig>,
      reminders: Option<RawRemindersConfig>,
 +    providers: Option<RawProvidersConfig>,
      keybindings: Option<RawKeyBindingsConfig>,
+ }
      state_file: Option<String>,
+ }
 +#[derive(Debug, Default, Deserialize)]
 +#[serde(deny_unknown_fields)]
 +struct RawProvidersConfig {
 +    create_target: Option<String>,
 +    microsoft: Option<RawMicrosoftProviderConfig>,
 +}
++
 +#[derive(Debug, Default, Deserialize)]
 +#[serde(deny_unknown_fields)]
 +struct RawMicrosoftProviderConfig {
 +    enabled: Option<bool>,
 +    default_account: Option<String>,
 +    default_calendar: Option<String>,
 +    sync_past_days: Option<i32>,
 +    sync_future_days: Option<i32>,
 +    cache_file: Option<String>,
 +    accounts: Option<Vec<RawMicrosoftAccountConfig>>,
 +}
++
 +#[derive(Debug, Deserialize)]
 +#[serde(deny_unknown_fields)]
 +struct RawMicrosoftAccountConfig {
 +    id: String,
 +    client_id: String,
 +    tenant: String,
 +    redirect_port: Option<u16>,
 +    calendars: Option<Vec<String>>,
 +}
++
  #[derive(Debug, Default, Deserialize)]
  #[serde(deny_unknown_fields)]
  struct RawKeyBindingsConfig {
+     }
+ }
 +impl RawProvidersConfig {
 +    fn into_config(self, path: &Path, base_dir: &Path) -> Result<ProviderConfig, ConfigError> {
 +        let mut config = ProviderConfig::default();
 +        let create_target_was_set = self.create_target.is_some();
 +        if let Some(create_target) = self.create_target {
 +            config.create_target = parse_create_target(&create_target, path)?;
 +        }
 +        if let Some(microsoft) = self.microsoft {
 +            config.microsoft = microsoft.into_config(path, base_dir)?;
 +            if config.microsoft.enabled && !create_target_was_set {
 +                config.create_target = ProviderCreateTarget::Microsoft;
 +            }
 +        }
 +        config
 +            .microsoft
 +            .validate()
 +            .map_err(|err| ConfigError::Invalid {
 +                path: path.to_path_buf(),
 +                reason: err.to_string(),
 +            })?;
 +        Ok(config)
 +    }
 +}
++
 +impl RawMicrosoftProviderConfig {
 +    fn into_config(
 +        self,
 +        path: &Path,
 +        base_dir: &Path,
 +    ) -> Result<MicrosoftProviderConfig, ConfigError> {
 +        let mut config = MicrosoftProviderConfig::default();
 +        if let Some(enabled) = self.enabled {
 +            config.enabled = enabled;
 +        }
 +        config.default_account = self.default_account;
 +        config.default_calendar = self.default_calendar;
 +        if let Some(sync_past_days) = self.sync_past_days {
 +            config.sync_past_days = sync_past_days.max(0);
 +        }
 +        if let Some(sync_future_days) = self.sync_future_days {
 +            config.sync_future_days = sync_future_days.max(1);
 +        }
 +        if let Some(cache_file) = self.cache_file {
 +            config.cache_file = resolve_config_path(&cache_file, base_dir)?;
 +        }
 +        config.accounts = self
 +            .accounts
 +            .unwrap_or_default()
 +            .into_iter()
 +            .map(RawMicrosoftAccountConfig::into_config)
 +            .collect();
 +        config.validate().map_err(|err| ConfigError::Invalid {
 +            path: path.to_path_buf(),
 +            reason: err.to_string(),
 +        })?;
 +        Ok(config)
 +    }
 +}
++
 +impl RawMicrosoftAccountConfig {
 +    fn into_config(self) -> MicrosoftAccountConfig {
 +        MicrosoftAccountConfig {
 +            id: self.id,
 +            client_id: self.client_id,
 +            tenant: self.tenant,
 +            redirect_port: self.redirect_port.unwrap_or(8765),
 +            calendars: self.calendars.unwrap_or_default(),
 +        }
 +    }
 +}
++
 +fn parse_create_target(value: &str, path: &Path) -> Result<ProviderCreateTarget, ConfigError> {
 +    match value {
 +        "local" => Ok(ProviderCreateTarget::Local),
 +        "microsoft" => Ok(ProviderCreateTarget::Microsoft),
 +        _ => Err(ConfigError::Invalid {
 +            path: path.to_path_buf(),
 +            reason: format!(
 +                "invalid providers.create_target '{value}'; expected local or microsoft"
 +            ),
 +        }),
 +    }
 +}
++
  #[derive(Debug, Clone, PartialEq, Eq)]
  pub enum ConfigError {
      Missing { path: PathBuf },
          assert!(parsed.keybindings.expect("keybindings").quit.is_some());
+     }
 +    #[test]
 +    fn microsoft_provider_config_parses_and_resolves_paths() {
 +        let path = temp_config_path("providers/config.toml");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
 +        fs::create_dir_all(path.parent().expect("config dir")).expect("dir creates");
 +        fs::write(
 +            &path,
 +            r#"
 +[providers]
 +create_target = "microsoft"
++
 +[providers.microsoft]
 +enabled = true
 +default_account = "work"
 +default_calendar = "cal-1"
 +sync_past_days = 7
 +sync_future_days = 90
 +cache_file = "microsoft-cache.json"
++
 +[[providers.microsoft.accounts]]
 +id = "work"
 +client_id = "client-id"
 +tenant = "organizations"
 +redirect_port = 9001
 +calendars = ["cal-1"]
 +"#,
 +        )
 +        .expect("config writes");
++
 +        let config = load_config_file(&path).expect("config loads");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
++
 +        assert_eq!(
 +            config.providers.create_target,
 +            ProviderCreateTarget::Microsoft
 +        );
 +        assert!(config.providers.microsoft.enabled);
 +        assert_eq!(
 +            config.providers.microsoft.cache_file,
 +            path.parent()
 +                .expect("config dir")
 +                .join("microsoft-cache.json")
 +        );
 +        assert_eq!(config.providers.microsoft.sync_past_days, 7);
 +        assert_eq!(config.providers.microsoft.sync_future_days, 90);
 +        assert_eq!(config.providers.microsoft.accounts[0].redirect_port, 9001);
 +    }
++
 +    #[test]
 +    fn invalid_microsoft_provider_config_fails_clearly() {
 +        let path = temp_config_path("providers-invalid/config.toml");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
 +        fs::create_dir_all(path.parent().expect("config dir")).expect("dir creates");
 +        fs::write(
 +            &path,
 +            r#"
 +[providers.microsoft]
 +enabled = true
 +default_account = "work"
 +default_calendar = "missing"
++
 +[[providers.microsoft.accounts]]
 +id = "work"
 +client_id = "client-id"
 +tenant = "organizations"
 +calendars = ["cal-1"]
 +"#,
 +        )
 +        .expect("config writes");
++
 +        let err = load_config_file(&path).expect_err("invalid provider config fails");
 +        let _ = fs::remove_dir_all(path.parent().and_then(Path::parent).expect("test root"));
++
 +        assert!(err.to_string().contains("default calendar"));
 +    }
++
      #[test]
      fn malformed_and_unknown_config_fail_clearly() {
          assert!(toml::from_str::<RawConfig>("not = [").is_err());

src/lib.rsmodified

  pub mod cli;
  pub mod config;
  pub mod layout;
 +pub mod providers;
  pub mod reminders;
  pub mod services;
  pub mod tui;

src/providers.rsadded

2841 lines changed — click to load

 +use std::{
 +    collections::{BTreeMap, HashMap, HashSet},
 +    env,
 +    error::Error,
 +    fmt, fs, io,
 +    io::{BufRead, BufReader, Read, Write},
 +    net::TcpListener,
 +    path::{Path, PathBuf},
 +    process::Command,
 +    thread,
 +    time::{Duration as StdDuration, SystemTime, UNIX_EPOCH},
 +};
++
 +use serde::{Deserialize, Serialize};
 +use serde_json::{Map, Value, json};
 +use sha2::{Digest, Sha256};
 +use time::{Month, Time, Weekday};
++
 +use crate::{
 +    agenda::{
 +        AgendaError, AgendaSource, CreateEventDraft, CreateEventTiming, DateRange, Event,
 +        EventDateTime, Holiday, InMemoryAgendaSource, OccurrenceAnchor, OccurrenceMetadata,
 +        RecurrenceEnd, RecurrenceFrequency, RecurrenceMonthlyRule, RecurrenceOrdinal,
 +        RecurrenceRule, RecurrenceYearlyRule, Reminder, SourceMetadata,
 +    },
 +    calendar::CalendarDate,
 +};
++
 +const MICROSOFT_CACHE_VERSION: u8 = 1;
 +const GRAPH_BASE_URL: &str = "https://graph.microsoft.com/v1.0";
 +const LOGIN_BASE_URL: &str = "https://login.microsoftonline.com";
 +const MICROSOFT_SCOPES: &str = "offline_access User.Read Calendars.ReadWrite";
 +const KEYRING_SERVICE: &str = "rcal.microsoft";
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct ProviderConfig {
 +    pub create_target: ProviderCreateTarget,
 +    pub microsoft: MicrosoftProviderConfig,
 +}
++
 +impl Default for ProviderConfig {
 +    fn default() -> Self {
 +        Self {
 +            create_target: ProviderCreateTarget::Local,
 +            microsoft: MicrosoftProviderConfig::default(),
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone, Copy, PartialEq, Eq)]
 +pub enum ProviderCreateTarget {
 +    Local,
 +    Microsoft,
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftProviderConfig {
 +    pub enabled: bool,
 +    pub default_account: Option<String>,
 +    pub default_calendar: Option<String>,
 +    pub sync_past_days: i32,
 +    pub sync_future_days: i32,
 +    pub cache_file: PathBuf,
 +    pub accounts: Vec<MicrosoftAccountConfig>,
 +}
++
 +impl Default for MicrosoftProviderConfig {
 +    fn default() -> Self {
 +        Self {
 +            enabled: false,
 +            default_account: None,
 +            default_calendar: None,
 +            sync_past_days: 30,
 +            sync_future_days: 365,
 +            cache_file: default_microsoft_cache_file(),
 +            accounts: Vec::new(),
 +        }
 +    }
 +}
++
 +impl MicrosoftProviderConfig {
 +    pub fn account(&self, id: &str) -> Option<&MicrosoftAccountConfig> {
 +        self.accounts.iter().find(|account| account.id == id)
 +    }
++
 +    pub fn default_account(&self) -> Option<&MicrosoftAccountConfig> {
 +        self.default_account
 +            .as_deref()
 +            .and_then(|id| self.account(id))
 +            .or_else(|| self.accounts.first())
 +    }
++
 +    pub fn default_calendar(&self) -> Option<(&MicrosoftAccountConfig, &str)> {
 +        let account = self.default_account()?;
 +        let calendar = self
 +            .default_calendar
 +            .as_deref()
 +            .or_else(|| account.calendars.first().map(String::as_str))?;
 +        Some((account, calendar))
 +    }
++
 +    pub fn validate(&self) -> Result<(), ProviderError> {
 +        if !self.enabled {
 +            return Ok(());
 +        }
 +        if self.accounts.is_empty() {
 +            return Err(ProviderError::Config(
 +                "providers.microsoft.enabled requires at least one account".to_string(),
 +            ));
 +        }
 +        let mut seen = HashMap::new();
 +        for account in &self.accounts {
 +            if account.id.trim().is_empty() {
 +                return Err(ProviderError::Config(
 +                    "Microsoft account id may not be empty".to_string(),
 +                ));
 +            }
 +            if seen.insert(account.id.clone(), ()).is_some() {
 +                return Err(ProviderError::Config(format!(
 +                    "duplicate Microsoft account id '{}'",
 +                    account.id
 +                )));
 +            }
 +            if account.client_id.trim().is_empty() {
 +                return Err(ProviderError::Config(format!(
 +                    "Microsoft account '{}' requires client_id",
 +                    account.id
 +                )));
 +            }
 +            if account.tenant.trim().is_empty() {
 +                return Err(ProviderError::Config(format!(
 +                    "Microsoft account '{}' requires tenant",
 +                    account.id
 +                )));
 +            }
 +            if account
 +                .calendars
 +                .iter()
 +                .any(|calendar| calendar.trim().is_empty())
 +            {
 +                return Err(ProviderError::Config(format!(
 +                    "Microsoft account '{}' has an empty calendar id",
 +                    account.id
 +                )));
 +            }
 +        }
 +        if let Some(default_account) = &self.default_account
 +            && self.account(default_account).is_none()
 +        {
 +            return Err(ProviderError::Config(format!(
 +                "providers.microsoft.default_account '{}' is not configured",
 +                default_account
 +            )));
 +        }
 +        if let Some(default_calendar) = &self.default_calendar {
 +            let Some(account) = self.default_account() else {
 +                return Err(ProviderError::Config(
 +                    "providers.microsoft.default_calendar requires a default account".to_string(),
 +                ));
 +            };
 +            if !account
 +                .calendars
 +                .iter()
 +                .any(|calendar| calendar == default_calendar)
 +            {
 +                return Err(ProviderError::Config(format!(
 +                    "default calendar '{}' is not listed for account '{}'",
 +                    default_calendar, account.id
 +                )));
 +            }
 +        }
 +        Ok(())
 +    }
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftAccountConfig {
 +    pub id: String,
 +    pub client_id: String,
 +    pub tenant: String,
 +    pub redirect_port: u16,
 +    pub calendars: Vec<String>,
 +}
++
 +impl MicrosoftAccountConfig {
 +    pub fn token_url(&self) -> String {
 +        format!("{LOGIN_BASE_URL}/{}/oauth2/v2.0/token", self.tenant)
 +    }
++
 +    pub fn device_code_url(&self) -> String {
 +        format!("{LOGIN_BASE_URL}/{}/oauth2/v2.0/devicecode", self.tenant)
 +    }
++
 +    pub fn authorize_url(&self) -> String {
 +        format!("{LOGIN_BASE_URL}/{}/oauth2/v2.0/authorize", self.tenant)
 +    }
++
 +    fn redirect_uri(&self) -> String {
 +        format!("http://localhost:{}/callback", self.redirect_port)
 +    }
 +}
++
 +pub fn default_microsoft_cache_file() -> PathBuf {
 +    if let Some(cache_home) = env::var_os("XDG_CACHE_HOME") {
 +        return PathBuf::from(cache_home)
 +            .join("rcal")
 +            .join("microsoft-cache.json");
 +    }
 +    if let Some(home) = env::var_os("HOME") {
 +        return PathBuf::from(home)
 +            .join(".cache")
 +            .join("rcal")
 +            .join("microsoft-cache.json");
 +    }
 +    env::temp_dir().join("rcal").join("microsoft-cache.json")
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftCalendarInfo {
 +    pub id: String,
 +    pub name: String,
 +    pub can_edit: bool,
 +    pub is_default: bool,
 +}
++
 +#[derive(Debug, Default, Clone)]
 +pub struct MicrosoftAgendaSource {
 +    cache: MicrosoftCacheFile,
 +}
++
 +impl MicrosoftAgendaSource {
 +    pub fn load(path: &Path) -> Result<Self, ProviderError> {
 +        Ok(Self {
 +            cache: MicrosoftCacheFile::load(path)?,
 +        })
 +    }
++
 +    pub fn empty() -> Self {
 +        Self {
 +            cache: MicrosoftCacheFile::empty(),
 +        }
 +    }
++
 +    pub fn event_by_id(&self, id: &str) -> Option<Event> {
 +        self.cache
 +            .accounts
 +            .iter()
 +            .flat_map(|account| &account.calendars)
 +            .flat_map(|calendar| &calendar.events)
 +            .find(|event| event.id == id)
 +            .and_then(MicrosoftCachedEvent::to_event)
 +    }
++
 +    pub fn metadata_for_event(&self, id: &str) -> Option<MicrosoftEventMetadata> {
 +        self.cache
 +            .accounts
 +            .iter()
 +            .flat_map(|account| &account.calendars)
 +            .flat_map(|calendar| &calendar.events)
 +            .find(|event| event.id == id)
 +            .map(MicrosoftCachedEvent::metadata)
 +    }
++
 +    pub fn event_count(&self) -> usize {
 +        self.cache
 +            .accounts
 +            .iter()
 +            .flat_map(|account| &account.calendars)
 +            .map(|calendar| calendar.events.len())
 +            .sum()
 +    }
 +}
++
 +impl AgendaSource for MicrosoftAgendaSource {
 +    fn events_intersecting(&self, range: DateRange) -> Vec<Event> {
 +        let cached_events = self
 +            .cache
 +            .accounts
 +            .iter()
 +            .flat_map(|account| &account.calendars)
 +            .flat_map(|calendar| &calendar.events)
 +            .collect::<Vec<_>>();
 +        let concrete_occurrence_series_ids = cached_events
 +            .iter()
 +            .filter_map(|event| event.series_master_app_id.clone())
 +            .collect::<HashSet<_>>();
 +        let events = cached_events
 +            .into_iter()
 +            .filter(|event| {
 +                event.event_type.as_deref() != Some("seriesMaster")
 +                    || !concrete_occurrence_series_ids.contains(&event.id)
 +            })
 +            .filter_map(MicrosoftCachedEvent::to_event)
 +            .collect::<Vec<_>>();
 +        let mut events = InMemoryAgendaSource::with_events_and_holidays(events, Vec::new())
 +            .events_intersecting(range);
 +        events.sort_by(|left, right| left.id.cmp(&right.id));
 +        events
 +    }
++
 +    fn holidays_in(&self, _range: DateRange) -> Vec<Holiday> {
 +        Vec::new()
 +    }
++
 +    fn editable_event_by_id(&self, id: &str) -> Option<Event> {
 +        self.event_by_id(id)
 +    }
 +}
++
 +#[derive(Debug)]
 +pub struct MicrosoftProviderRuntime {
 +    config: MicrosoftProviderConfig,
 +    cache: MicrosoftCacheFile,
 +}
++
 +impl MicrosoftProviderRuntime {
 +    pub fn load(config: MicrosoftProviderConfig) -> Result<Self, ProviderError> {
 +        config.validate()?;
 +        let cache = MicrosoftCacheFile::load(&config.cache_file)?;
 +        Ok(Self { config, cache })
 +    }
++
 +    pub fn agenda_source(&self) -> MicrosoftAgendaSource {
 +        MicrosoftAgendaSource {
 +            cache: self.cache.clone(),
 +        }
 +    }
++
 +    pub fn status(&self, token_store: &dyn MicrosoftTokenStore) -> MicrosoftProviderStatus {
 +        let accounts = self
 +            .config
 +            .accounts
 +            .iter()
 +            .map(|account| MicrosoftAccountStatus {
 +                id: account.id.clone(),
 +                authenticated: token_store.load(&account.id).ok().flatten().is_some(),
 +                calendars: account.calendars.clone(),
 +            })
 +            .collect::<Vec<_>>();
 +        MicrosoftProviderStatus {
 +            enabled: self.config.enabled,
 +            cache_file: self.config.cache_file.clone(),
 +            event_count: self.agenda_source().event_count(),
 +            accounts,
 +        }
 +    }
++
 +    pub fn sync(
 +        &mut self,
 +        account_filter: Option<&str>,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +        now: CalendarDate,
 +    ) -> Result<MicrosoftSyncSummary, ProviderError> {
 +        if !self.config.enabled {
 +            return Err(ProviderError::Config(
 +                "Microsoft provider is disabled".to_string(),
 +            ));
 +        }
++
 +        let mut summary = MicrosoftSyncSummary::default();
 +        let accounts = self
 +            .config
 +            .accounts
 +            .iter()
 +            .filter(|account| account_filter.map(|id| id == account.id).unwrap_or(true))
 +            .cloned()
 +            .collect::<Vec<_>>();
++
 +        if accounts.is_empty() {
 +            return Err(ProviderError::Config(format!(
 +                "Microsoft account '{}' is not configured",
 +                account_filter.unwrap_or("<none>")
 +            )));
 +        }
++
 +        for account in accounts {
 +            let token = access_token(&account, http, token_store)?;
 +            let calendar_ids = account.calendars.clone();
 +            for calendar_id in calendar_ids {
 +                let calendar = fetch_calendar(http, &token, &calendar_id)?;
 +                let start = now.add_days(-self.config.sync_past_days);
 +                let end = now.add_days(self.config.sync_future_days);
 +                let events = fetch_calendar_view(http, &token, &account.id, &calendar, start, end)?;
 +                summary.events += events.len();
 +                summary.calendars += 1;
 +                self.cache
 +                    .replace_calendar(&account.id, calendar, events, current_epoch_seconds());
 +            }
 +            summary.accounts += 1;
 +        }
++
 +        self.cache.save(&self.config.cache_file)?;
 +        Ok(summary)
 +    }
++
 +    pub fn create_event(
 +        &mut self,
 +        draft: CreateEventDraft,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +    ) -> Result<Event, ProviderError> {
 +        let (account, calendar_id) = self.config.default_calendar().ok_or_else(|| {
 +            ProviderError::Config("no Microsoft default calendar configured".to_string())
 +        })?;
 +        let account = account.clone();
 +        let calendar_id = calendar_id.to_string();
 +        let token = access_token(&account, http, token_store)?;
 +        let body = graph_event_payload(&draft, false)?;
 +        let response = graph_request(
 +            http,
 +            "POST",
 +            &format!(
 +                "{GRAPH_BASE_URL}/me/calendars/{}/events",
 +                percent_encode(&calendar_id)
 +            ),
 +            &token,
 +            Some(body.to_string()),
 +        )?;
 +        let value = parse_graph_success_json(response)?;
 +        let calendar =
 +            fetch_calendar(http, &token, &calendar_id).unwrap_or(MicrosoftCalendarRecord {
 +                id: calendar_id.clone(),
 +                name: calendar_id.clone(),
 +                can_edit: true,
 +                is_default: false,
 +            });
 +        let cached = MicrosoftCachedEvent::from_graph(&account.id, &calendar, value)?;
 +        self.cache
 +            .upsert_event(&account.id, calendar, cached.clone());
 +        self.cache.save(&self.config.cache_file)?;
 +        cached.to_event().ok_or_else(|| {
 +            ProviderError::Mapping("created Microsoft event could not be converted".to_string())
 +        })
 +    }
++
 +    pub fn update_event(
 +        &mut self,
 +        id: &str,
 +        draft: CreateEventDraft,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +    ) -> Result<Event, ProviderError> {
 +        let metadata = self
 +            .cache
 +            .metadata_for_event(id)
 +            .ok_or_else(|| ProviderError::NotFound(id.to_string()))?;
 +        let account = self
 +            .config
 +            .account(&metadata.account_id)
 +            .ok_or_else(|| {
 +                ProviderError::Config(format!(
 +                    "account '{}' is not configured",
 +                    metadata.account_id
 +                ))
 +            })?
 +            .clone();
 +        let token = access_token(&account, http, token_store)?;
 +        let body = graph_event_payload(&draft, true)?;
 +        let response = graph_request(
 +            http,
 +            "PATCH",
 +            &format!(
 +                "{GRAPH_BASE_URL}/me/events/{}",
 +                percent_encode(&metadata.graph_id)
 +            ),
 +            &token,
 +            Some(body.to_string()),
 +        )?;
 +        let value = parse_graph_success_json(response)?;
 +        let calendar = self
 +            .cache
 +            .calendar_record(&metadata.account_id, &metadata.calendar_id)
 +            .unwrap_or(MicrosoftCalendarRecord {
 +                id: metadata.calendar_id.clone(),
 +                name: metadata.calendar_id.clone(),
 +                can_edit: true,
 +                is_default: false,
 +            });
 +        let cached = MicrosoftCachedEvent::from_graph(&metadata.account_id, &calendar, value)?;
 +        self.cache.remove_occurrences_for_series(&cached.id);
 +        self.cache
 +            .upsert_event(&metadata.account_id, calendar, cached.clone());
 +        self.cache.save(&self.config.cache_file)?;
 +        cached.to_event().ok_or_else(|| {
 +            ProviderError::Mapping("updated Microsoft event could not be converted".to_string())
 +        })
 +    }
++
 +    pub fn update_occurrence(
 +        &mut self,
 +        series_id: &str,
 +        anchor: OccurrenceAnchor,
 +        draft: CreateEventDraft,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +    ) -> Result<Event, ProviderError> {
 +        let id = self
 +            .cache
 +            .event_id_for_anchor(series_id, anchor)
 +            .ok_or_else(|| {
 +                ProviderError::NotFound(format!("{series_id}:{}", anchor_label(anchor)))
 +            })?;
 +        self.update_event(
 +            &id,
 +            draft.without_recurrence_for_provider(),
 +            http,
 +            token_store,
 +        )
 +    }
++
 +    pub fn delete_event(
 +        &mut self,
 +        id: &str,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +    ) -> Result<Event, ProviderError> {
 +        let metadata = self
 +            .cache
 +            .metadata_for_event(id)
 +            .ok_or_else(|| ProviderError::NotFound(id.to_string()))?;
 +        let event = self
 +            .cache
 +            .event_by_id(id)
 +            .and_then(|cached| cached.to_event())
 +            .ok_or_else(|| ProviderError::NotFound(id.to_string()))?;
 +        let account = self
 +            .config
 +            .account(&metadata.account_id)
 +            .ok_or_else(|| {
 +                ProviderError::Config(format!(
 +                    "account '{}' is not configured",
 +                    metadata.account_id
 +                ))
 +            })?
 +            .clone();
 +        let token = access_token(&account, http, token_store)?;
 +        let response = graph_request(
 +            http,
 +            "DELETE",
 +            &format!(
 +                "{GRAPH_BASE_URL}/me/events/{}",
 +                percent_encode(&metadata.graph_id)
 +            ),
 +            &token,
 +            None,
 +        )?;
 +        parse_graph_empty_success(response)?;
 +        self.cache.remove_event(id);
 +        self.cache.save(&self.config.cache_file)?;
 +        Ok(event)
 +    }
++
 +    pub fn delete_occurrence(
 +        &mut self,
 +        series_id: &str,
 +        anchor: OccurrenceAnchor,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +    ) -> Result<(), ProviderError> {
 +        let id = self
 +            .cache
 +            .event_id_for_anchor(series_id, anchor)
 +            .ok_or_else(|| {
 +                ProviderError::NotFound(format!("{series_id}:{}", anchor_label(anchor)))
 +            })?;
 +        self.delete_event(&id, http, token_store).map(|_| ())
 +    }
++
 +    pub fn duplicate_event(
 +        &mut self,
 +        id: &str,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +    ) -> Result<Event, ProviderError> {
 +        let event = self
 +            .cache
 +            .event_by_id(id)
 +            .and_then(|cached| cached.to_event())
 +            .ok_or_else(|| ProviderError::NotFound(id.to_string()))?;
 +        self.create_event(
 +            CreateEventDraft::from_event(&event).without_recurrence_for_provider(),
 +            http,
 +            token_store,
 +        )
 +    }
++
 +    pub fn duplicate_occurrence(
 +        &mut self,
 +        series_id: &str,
 +        anchor: OccurrenceAnchor,
 +        http: &dyn MicrosoftHttpClient,
 +        token_store: &dyn MicrosoftTokenStore,
 +    ) -> Result<Event, ProviderError> {
 +        let id = self
 +            .cache
 +            .event_id_for_anchor(series_id, anchor)
 +            .ok_or_else(|| {
 +                ProviderError::NotFound(format!("{series_id}:{}", anchor_label(anchor)))
 +            })?;
 +        self.duplicate_event(&id, http, token_store)
 +    }
 +}
++
 +trait ProviderDraftExt {
 +    fn without_recurrence_for_provider(self) -> Self;
 +}
++
 +impl ProviderDraftExt for CreateEventDraft {
 +    fn without_recurrence_for_provider(mut self) -> Self {
 +        self.recurrence = None;
 +        self
 +    }
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftProviderStatus {
 +    pub enabled: bool,
 +    pub cache_file: PathBuf,
 +    pub event_count: usize,
 +    pub accounts: Vec<MicrosoftAccountStatus>,
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftAccountStatus {
 +    pub id: String,
 +    pub authenticated: bool,
 +    pub calendars: Vec<String>,
 +}
++
 +#[derive(Debug, Default, Clone, PartialEq, Eq)]
 +pub struct MicrosoftSyncSummary {
 +    pub accounts: usize,
 +    pub calendars: usize,
 +    pub events: usize,
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftEventMetadata {
 +    pub account_id: String,
 +    pub calendar_id: String,
 +    pub graph_id: String,
 +    pub series_master_id: Option<String>,
 +    pub occurrence_anchor: Option<OccurrenceAnchor>,
 +}
++
 +#[derive(Debug, Default, Clone, Serialize, Deserialize)]
 +struct MicrosoftCacheFile {
 +    version: u8,
 +    #[serde(default)]
 +    accounts: Vec<MicrosoftCacheAccount>,
 +}
++
 +impl MicrosoftCacheFile {
 +    fn empty() -> Self {
 +        Self {
 +            version: MICROSOFT_CACHE_VERSION,
 +            accounts: Vec::new(),
 +        }
 +    }
++
 +    fn load(path: &Path) -> Result<Self, ProviderError> {
 +        let body = match fs::read_to_string(path) {
 +            Ok(body) => body,
 +            Err(err) if err.kind() == io::ErrorKind::NotFound => return Ok(Self::empty()),
 +            Err(err) => {
 +                return Err(ProviderError::CacheRead {
 +                    path: path.to_path_buf(),
 +                    reason: err.to_string(),
 +                });
 +            }
 +        };
 +        let file =
 +            serde_json::from_str::<Self>(&body).map_err(|err| ProviderError::CacheParse {
 +                path: path.to_path_buf(),
 +                reason: err.to_string(),
 +            })?;
 +        if file.version != MICROSOFT_CACHE_VERSION {
 +            return Err(ProviderError::CacheParse {
 +                path: path.to_path_buf(),
 +                reason: format!("unsupported Microsoft cache version {}", file.version),
 +            });
 +        }
 +        Ok(file)
 +    }
++
 +    fn save(&self, path: &Path) -> Result<(), ProviderError> {
 +        if let Some(parent) = path.parent() {
 +            fs::create_dir_all(parent).map_err(|err| ProviderError::CacheWrite {
 +                path: parent.to_path_buf(),
 +                reason: err.to_string(),
 +            })?;
 +        }
 +        let body = serde_json::to_string_pretty(self).map_err(|err| ProviderError::CacheWrite {
 +            path: path.to_path_buf(),
 +            reason: err.to_string(),
 +        })?;
 +        let temp_path = path.with_extension("json.tmp");
 +        fs::write(&temp_path, body).map_err(|err| ProviderError::CacheWrite {
 +            path: temp_path.clone(),
 +            reason: err.to_string(),
 +        })?;
 +        fs::rename(&temp_path, path).map_err(|err| ProviderError::CacheWrite {
 +            path: path.to_path_buf(),
 +            reason: err.to_string(),
 +        })
 +    }
++
 +    fn replace_calendar(
 +        &mut self,
 +        account_id: &str,
 +        calendar: MicrosoftCalendarRecord,
 +        events: Vec<MicrosoftCachedEvent>,
 +        synced_at_epoch_seconds: u64,
 +    ) {
 +        let account = self.account_mut(account_id);
 +        if let Some(existing) = account
 +            .calendars
 +            .iter_mut()
 +            .find(|existing| existing.id == calendar.id)
 +        {
 +            existing.name = calendar.name;
 +            existing.can_edit = calendar.can_edit;
 +            existing.is_default = calendar.is_default;
 +            existing.last_synced_at_epoch_seconds = Some(synced_at_epoch_seconds);
 +            existing.events = events;
 +        } else {
 +            account.calendars.push(MicrosoftCacheCalendar {
 +                id: calendar.id,
 +                name: calendar.name,
 +                can_edit: calendar.can_edit,
 +                is_default: calendar.is_default,
 +                delta_link: None,
 +                last_synced_at_epoch_seconds: Some(synced_at_epoch_seconds),
 +                events,
 +            });
 +        }
 +        account
 +            .calendars
 +            .sort_by(|left, right| left.id.cmp(&right.id));
 +    }
++
 +    fn upsert_event(
 +        &mut self,
 +        account_id: &str,
 +        calendar: MicrosoftCalendarRecord,
 +        event: MicrosoftCachedEvent,
 +    ) {
 +        let account = self.account_mut(account_id);
 +        let calendar_record = if let Some(existing) = account
 +            .calendars
 +            .iter_mut()
 +            .find(|existing| existing.id == calendar.id)
 +        {
 +            existing
 +        } else {
 +            account.calendars.push(MicrosoftCacheCalendar {
 +                id: calendar.id.clone(),
 +                name: calendar.name.clone(),
 +                can_edit: calendar.can_edit,
 +                is_default: calendar.is_default,
 +                delta_link: None,
 +                last_synced_at_epoch_seconds: None,
 +                events: Vec::new(),
 +            });
 +            account.calendars.last_mut().expect("calendar was pushed")
 +        };
 +        if let Some(existing) = calendar_record
 +            .events
 +            .iter_mut()
 +            .find(|existing| existing.id == event.id)
 +        {
 +            *existing = event;
 +        } else {
 +            calendar_record.events.push(event);
 +        }
 +        calendar_record
 +            .events
 +            .sort_by(|left, right| left.id.cmp(&right.id));
 +    }
++
 +    fn remove_event(&mut self, id: &str) {
 +        for calendar in self
 +            .accounts
 +            .iter_mut()
 +            .flat_map(|account| &mut account.calendars)
 +        {
 +            calendar.events.retain(|event| {
 +                event.id != id && event.series_master_app_id.as_deref() != Some(id)
 +            });
 +        }
 +    }
++
 +    fn remove_occurrences_for_series(&mut self, series_id: &str) {
 +        for calendar in self
 +            .accounts
 +            .iter_mut()
 +            .flat_map(|account| &mut account.calendars)
 +        {
 +            calendar
 +                .events
 +                .retain(|event| event.series_master_app_id.as_deref() != Some(series_id));
 +        }
 +    }
++
 +    fn metadata_for_event(&self, id: &str) -> Option<MicrosoftEventMetadata> {
 +        self.accounts
 +            .iter()
 +            .flat_map(|account| &account.calendars)
 +            .flat_map(|calendar| &calendar.events)
 +            .find(|event| event.id == id)
 +            .map(MicrosoftCachedEvent::metadata)
 +    }
++
 +    fn event_by_id(&self, id: &str) -> Option<MicrosoftCachedEvent> {
 +        self.accounts
 +            .iter()
 +            .flat_map(|account| &account.calendars)
 +            .flat_map(|calendar| &calendar.events)
 +            .find(|event| event.id == id)
 +            .cloned()
 +    }
++
 +    fn event_id_for_anchor(&self, series_id: &str, anchor: OccurrenceAnchor) -> Option<String> {
 +        self.accounts
 +            .iter()
 +            .flat_map(|account| &account.calendars)
 +            .flat_map(|calendar| &calendar.events)
 +            .find(|event| {
 +                event
 +                    .occurrence_anchor()
 +                    .map(|event_anchor| event_anchor == anchor)
 +                    .unwrap_or(false)
 +                    && event.series_master_app_id.as_deref() == Some(series_id)
 +            })
 +            .map(|event| event.id.clone())
 +    }
++
 +    fn calendar_record(
 +        &self,
 +        account_id: &str,
 +        calendar_id: &str,
 +    ) -> Option<MicrosoftCalendarRecord> {
 +        self.accounts
 +            .iter()
 +            .find(|account| account.id == account_id)?
 +            .calendars
 +            .iter()
 +            .find(|calendar| calendar.id == calendar_id)
 +            .map(|calendar| MicrosoftCalendarRecord {
 +                id: calendar.id.clone(),
 +                name: calendar.name.clone(),
 +                can_edit: calendar.can_edit,
 +                is_default: calendar.is_default,
 +            })
 +    }
++
 +    fn account_mut(&mut self, account_id: &str) -> &mut MicrosoftCacheAccount {
 +        if let Some(index) = self
 +            .accounts
 +            .iter()
 +            .position(|account| account.id == account_id)
 +        {
 +            &mut self.accounts[index]
 +        } else {
 +            self.accounts.push(MicrosoftCacheAccount {
 +                id: account_id.to_string(),
 +                calendars: Vec::new(),
 +            });
 +            self.accounts.last_mut().expect("account was pushed")
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +struct MicrosoftCacheAccount {
 +    id: String,
 +    #[serde(default)]
 +    calendars: Vec<MicrosoftCacheCalendar>,
 +}
++
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +struct MicrosoftCacheCalendar {
 +    id: String,
 +    name: String,
 +    #[serde(default)]
 +    can_edit: bool,
 +    #[serde(default)]
 +    is_default: bool,
 +    #[serde(default)]
 +    delta_link: Option<String>,
 +    #[serde(default)]
 +    last_synced_at_epoch_seconds: Option<u64>,
 +    #[serde(default)]
 +    events: Vec<MicrosoftCachedEvent>,
 +}
++
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +struct MicrosoftCachedEvent {
 +    id: String,
 +    account_id: String,
 +    calendar_id: String,
 +    calendar_name: String,
 +    graph_id: String,
 +    #[serde(default)]
 +    event_type: Option<String>,
 +    #[serde(default)]
 +    series_master_id: Option<String>,
 +    #[serde(default)]
 +    series_master_app_id: Option<String>,
 +    #[serde(default)]
 +    occurrence_id: Option<String>,
 +    #[serde(default)]
 +    change_key: Option<String>,
 +    title: String,
 +    timing: MicrosoftCachedTiming,
 +    #[serde(default)]
 +    location: Option<String>,
 +    #[serde(default)]
 +    notes: Option<String>,
 +    #[serde(default)]
 +    reminders_minutes_before: Vec<u16>,
 +    #[serde(default)]
 +    recurrence: Option<MicrosoftCachedRecurrence>,
 +    #[serde(default)]
 +    raw: Value,
 +}
++
 +impl MicrosoftCachedEvent {
 +    fn from_graph(
 +        account_id: &str,
 +        calendar: &MicrosoftCalendarRecord,
 +        raw: Value,
 +    ) -> Result<Self, ProviderError> {
 +        let graph_id = graph_string(&raw, "id")
 +            .ok_or_else(|| ProviderError::Mapping("Graph event is missing id".to_string()))?;
 +        let event_type = graph_string(&raw, "type");
 +        let title = graph_string(&raw, "subject").unwrap_or_else(|| "(Untitled)".to_string());
 +        let is_all_day = graph_bool(&raw, "isAllDay").unwrap_or(false);
 +        let start = graph_datetime(&raw, "start")?;
 +        let end = graph_datetime(&raw, "end")?;
 +        let timing = if is_all_day {
 +            MicrosoftCachedTiming::AllDay { date: start.date }
 +        } else {
 +            MicrosoftCachedTiming::Timed { start, end }
 +        };
 +        let series_master_id = graph_string(&raw, "seriesMasterId");
 +        let series_master_app_id = series_master_id
 +            .as_ref()
 +            .map(|id| microsoft_event_app_id(account_id, &calendar.id, id));
 +        let recurrence = raw
 +            .get("recurrence")
 +            .filter(|value| !value.is_null())
 +            .map(graph_recurrence_to_cache)
 +            .transpose()?;
++
 +        let reminders_minutes_before = if graph_bool(&raw, "isReminderOn").unwrap_or(false) {
 +            graph_i64(&raw, "reminderMinutesBeforeStart")
 +                .and_then(|value| u16::try_from(value).ok())
 +                .into_iter()
 +                .collect()
 +        } else {
 +            Vec::new()
 +        };
++
 +        Ok(Self {
 +            id: microsoft_event_app_id(account_id, &calendar.id, &graph_id),
 +            account_id: account_id.to_string(),
 +            calendar_id: calendar.id.clone(),
 +            calendar_name: calendar.name.clone(),
 +            graph_id,
 +            event_type,
 +            series_master_id,
 +            series_master_app_id,
 +            occurrence_id: graph_string(&raw, "occurrenceId"),
 +            change_key: graph_string(&raw, "changeKey"),
 +            title,
 +            timing,
 +            location: raw
 +                .get("location")
 +                .and_then(|location| graph_string(location, "displayName"))
 +                .filter(|value| !value.trim().is_empty()),
 +            notes: graph_string(&raw, "bodyPreview")
 +                .or_else(|| {
 +                    raw.get("body")
 +                        .and_then(|body| graph_string(body, "content"))
 +                })
 +                .filter(|value| !value.trim().is_empty()),
 +            reminders_minutes_before,
 +            recurrence,
 +            raw,
 +        })
 +    }
++
 +    fn to_event(&self) -> Option<Event> {
 +        let source = SourceMetadata::new(
 +            format!("microsoft:{}:{}", self.account_id, self.calendar_id),
 +            format!("Microsoft {}/{}", self.account_id, self.calendar_name),
 +        )
 +        .with_external_id(self.graph_id.clone());
 +        let mut event = match self.timing {
 +            MicrosoftCachedTiming::AllDay { date } => {
 +                Event::all_day(self.id.clone(), self.title.clone(), date, source)
 +            }
 +            MicrosoftCachedTiming::Timed { start, end } => {
 +                Event::timed(self.id.clone(), self.title.clone(), start, end, source).ok()?
 +            }
 +        };
 +        event.location = self.location.clone();
 +        event.notes = self.notes.clone();
 +        event.reminders = self
 +            .reminders_minutes_before
 +            .iter()
 +            .copied()
 +            .map(Reminder::minutes_before)
 +            .collect();
 +        event.recurrence = self
 +            .recurrence
 +            .as_ref()
 +            .and_then(MicrosoftCachedRecurrence::to_rule);
 +        if let Some(series_master_app_id) = &self.series_master_app_id {
 +            event.occurrence = Some(OccurrenceMetadata {
 +                series_id: series_master_app_id.clone(),
 +                anchor: self.occurrence_anchor()?,
 +            });
 +        }
 +        Some(event)
 +    }
++
 +    fn metadata(&self) -> MicrosoftEventMetadata {
 +        MicrosoftEventMetadata {
 +            account_id: self.account_id.clone(),
 +            calendar_id: self.calendar_id.clone(),
 +            graph_id: self.graph_id.clone(),
 +            series_master_id: self.series_master_id.clone(),
 +            occurrence_anchor: self.occurrence_anchor(),
 +        }
 +    }
++
 +    fn occurrence_anchor(&self) -> Option<OccurrenceAnchor> {
 +        match self.timing {
 +            MicrosoftCachedTiming::AllDay { date } => Some(OccurrenceAnchor::AllDay { date }),
 +            MicrosoftCachedTiming::Timed { start, .. } => Some(OccurrenceAnchor::Timed { start }),
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 +#[serde(rename_all = "snake_case", tag = "kind")]
 +enum MicrosoftCachedTiming {
 +    AllDay {
 +        date: CalendarDate,
 +    },
 +    Timed {
 +        start: EventDateTime,
 +        end: EventDateTime,
 +    },
 +}
++
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +struct MicrosoftCachedRecurrence {
 +    frequency: RecurrenceFrequencyRecord,
 +    interval: u16,
 +    end: RecurrenceEndRecord,
 +    #[serde(default)]
 +    weekdays: Vec<WeekdayRecord>,
 +    #[serde(default)]
 +    monthly: Option<MonthlyRuleRecord>,
 +    #[serde(default)]
 +    yearly: Option<YearlyRuleRecord>,
 +}
++
 +impl MicrosoftCachedRecurrence {
 +    fn to_rule(&self) -> Option<RecurrenceRule> {
 +        let frequency = match self.frequency {
 +            RecurrenceFrequencyRecord::Daily => RecurrenceFrequency::Daily,
 +            RecurrenceFrequencyRecord::Weekly => RecurrenceFrequency::Weekly,
 +            RecurrenceFrequencyRecord::Monthly => RecurrenceFrequency::Monthly,
 +            RecurrenceFrequencyRecord::Yearly => RecurrenceFrequency::Yearly,
 +        };
 +        Some(RecurrenceRule {
 +            frequency,
 +            interval: self.interval.max(1),
 +            end: self.end.to_rule()?,
 +            weekdays: self
 +                .weekdays
 +                .iter()
 +                .copied()
 +                .map(WeekdayRecord::to_weekday)
 +                .collect::<Option<Vec<_>>>()?,
 +            monthly: self.monthly.and_then(MonthlyRuleRecord::to_rule),
 +            yearly: self.yearly.and_then(YearlyRuleRecord::to_rule),
 +        })
 +    }
 +}
++
 +#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 +#[serde(rename_all = "snake_case")]
 +enum RecurrenceFrequencyRecord {
 +    Daily,
 +    Weekly,
 +    Monthly,
 +    Yearly,
 +}
++
 +#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 +#[serde(rename_all = "snake_case", tag = "kind")]
 +enum RecurrenceEndRecord {
 +    Never,
 +    Until { date: CalendarDate },
 +    Count { count: u32 },
 +}
++
 +impl RecurrenceEndRecord {
 +    fn to_rule(self) -> Option<RecurrenceEnd> {
 +        match self {
 +            Self::Never => Some(RecurrenceEnd::Never),
 +            Self::Until { date } => Some(RecurrenceEnd::Until(date)),
 +            Self::Count { count } => Some(RecurrenceEnd::Count(count)),
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 +#[serde(rename_all = "snake_case")]
 +enum WeekdayRecord {
 +    Sunday,
 +    Monday,
 +    Tuesday,
 +    Wednesday,
 +    Thursday,
 +    Friday,
 +    Saturday,
 +}
++
 +impl WeekdayRecord {
 +    fn from_weekday(weekday: Weekday) -> Self {
 +        match weekday {
 +            Weekday::Sunday => Self::Sunday,
 +            Weekday::Monday => Self::Monday,
 +            Weekday::Tuesday => Self::Tuesday,
 +            Weekday::Wednesday => Self::Wednesday,
 +            Weekday::Thursday => Self::Thursday,
 +            Weekday::Friday => Self::Friday,
 +            Weekday::Saturday => Self::Saturday,
 +        }
 +    }
++
 +    fn to_weekday(self) -> Option<Weekday> {
 +        Some(match self {
 +            Self::Sunday => Weekday::Sunday,
 +            Self::Monday => Weekday::Monday,
 +            Self::Tuesday => Weekday::Tuesday,
 +            Self::Wednesday => Weekday::Wednesday,
 +            Self::Thursday => Weekday::Thursday,
 +            Self::Friday => Weekday::Friday,
 +            Self::Saturday => Weekday::Saturday,
 +        })
 +    }
 +}
++
 +#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 +#[serde(rename_all = "snake_case", tag = "kind")]
 +enum MonthlyRuleRecord {
 +    DayOfMonth {
 +        day: u8,
 +    },
 +    WeekdayOrdinal {
 +        ordinal: OrdinalRecord,
 +        weekday: WeekdayRecord,
 +    },
 +}
++
 +impl MonthlyRuleRecord {
 +    fn to_rule(self) -> Option<RecurrenceMonthlyRule> {
 +        match self {
 +            Self::DayOfMonth { day } => Some(RecurrenceMonthlyRule::DayOfMonth(day)),
 +            Self::WeekdayOrdinal { ordinal, weekday } => {
 +                Some(RecurrenceMonthlyRule::WeekdayOrdinal {
 +                    ordinal: ordinal.to_rule(),
 +                    weekday: weekday.to_weekday()?,
 +                })
 +            }
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 +#[serde(rename_all = "snake_case", tag = "kind")]
 +enum YearlyRuleRecord {
 +    Date {
 +        month: u8,
 +        day: u8,
 +    },
 +    WeekdayOrdinal {
 +        month: u8,
 +        ordinal: OrdinalRecord,
 +        weekday: WeekdayRecord,
 +    },
 +}
++
 +impl YearlyRuleRecord {
 +    fn to_rule(self) -> Option<RecurrenceYearlyRule> {
 +        match self {
 +            Self::Date { month, day } => Some(RecurrenceYearlyRule::Date {
 +                month: Month::try_from(month).ok()?,
 +                day,
 +            }),
 +            Self::WeekdayOrdinal {
 +                month,
 +                ordinal,
 +                weekday,
 +            } => Some(RecurrenceYearlyRule::WeekdayOrdinal {
 +                month: Month::try_from(month).ok()?,
 +                ordinal: ordinal.to_rule(),
 +                weekday: weekday.to_weekday()?,
 +            }),
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 +#[serde(rename_all = "snake_case")]
 +enum OrdinalRecord {
 +    First,
 +    Second,
 +    Third,
 +    Fourth,
 +    Last,
 +}
++
 +impl OrdinalRecord {
 +    fn from_rule(ordinal: RecurrenceOrdinal) -> Self {
 +        match ordinal {
 +            RecurrenceOrdinal::Number(1) => Self::First,
 +            RecurrenceOrdinal::Number(2) => Self::Second,
 +            RecurrenceOrdinal::Number(3) => Self::Third,
 +            RecurrenceOrdinal::Number(_) => Self::Fourth,
 +            RecurrenceOrdinal::Last => Self::Last,
 +        }
 +    }
++
 +    fn to_rule(self) -> RecurrenceOrdinal {
 +        match self {
 +            Self::First => RecurrenceOrdinal::Number(1),
 +            Self::Second => RecurrenceOrdinal::Number(2),
 +            Self::Third => RecurrenceOrdinal::Number(3),
 +            Self::Fourth => RecurrenceOrdinal::Number(4),
 +            Self::Last => RecurrenceOrdinal::Last,
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone)]
 +struct MicrosoftCalendarRecord {
 +    id: String,
 +    name: String,
 +    can_edit: bool,
 +    is_default: bool,
 +}
++
 +pub trait MicrosoftTokenStore {
 +    fn load(&self, account_id: &str) -> Result<Option<MicrosoftToken>, ProviderError>;
 +    fn save(&self, account_id: &str, token: &MicrosoftToken) -> Result<(), ProviderError>;
 +    fn delete(&self, account_id: &str) -> Result<(), ProviderError>;
 +}
++
 +#[derive(Debug, Default)]
 +pub struct KeyringMicrosoftTokenStore;
++
 +impl MicrosoftTokenStore for KeyringMicrosoftTokenStore {
 +    fn load(&self, account_id: &str) -> Result<Option<MicrosoftToken>, ProviderError> {
 +        let entry = keyring::Entry::new(KEYRING_SERVICE, account_id)
 +            .map_err(|err| ProviderError::Keyring(err.to_string()))?;
 +        match entry.get_password() {
 +            Ok(body) => serde_json::from_str(&body)
 +                .map(Some)
 +                .map_err(|err| ProviderError::Keyring(err.to_string())),
 +            Err(keyring::Error::NoEntry) => Ok(None),
 +            Err(err) => Err(ProviderError::Keyring(err.to_string())),
 +        }
 +    }
++
 +    fn save(&self, account_id: &str, token: &MicrosoftToken) -> Result<(), ProviderError> {
 +        let entry = keyring::Entry::new(KEYRING_SERVICE, account_id)
 +            .map_err(|err| ProviderError::Keyring(err.to_string()))?;
 +        let body =
 +            serde_json::to_string(token).map_err(|err| ProviderError::Keyring(err.to_string()))?;
 +        entry
 +            .set_password(&body)
 +            .map_err(|err| ProviderError::Keyring(err.to_string()))
 +    }
++
 +    fn delete(&self, account_id: &str) -> Result<(), ProviderError> {
 +        let entry = keyring::Entry::new(KEYRING_SERVICE, account_id)
 +            .map_err(|err| ProviderError::Keyring(err.to_string()))?;
 +        match entry.delete_credential() {
 +            Ok(()) | Err(keyring::Error::NoEntry) => Ok(()),
 +            Err(err) => Err(ProviderError::Keyring(err.to_string())),
 +        }
 +    }
 +}
++
 +#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 +pub struct MicrosoftToken {
 +    pub access_token: String,
 +    pub refresh_token: String,
 +    pub expires_at_epoch_seconds: u64,
 +}
++
 +pub trait MicrosoftHttpClient {
 +    fn request(
 +        &self,
 +        request: MicrosoftHttpRequest,
 +    ) -> Result<MicrosoftHttpResponse, ProviderError>;
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftHttpRequest {
 +    pub method: String,
 +    pub url: String,
 +    pub headers: Vec<(String, String)>,
 +    pub body: Option<String>,
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub struct MicrosoftHttpResponse {
 +    pub status: u16,
 +    pub body: String,
 +}
++
 +#[derive(Debug, Default)]
 +pub struct ReqwestMicrosoftHttpClient;
++
 +impl MicrosoftHttpClient for ReqwestMicrosoftHttpClient {
 +    fn request(
 +        &self,
 +        request: MicrosoftHttpRequest,
 +    ) -> Result<MicrosoftHttpResponse, ProviderError> {
 +        let client = reqwest::blocking::Client::builder()
 +            .timeout(StdDuration::from_secs(20))
 +            .user_agent("rcal/0.1")
 +            .build()
 +            .map_err(|err| ProviderError::Http(err.to_string()))?;
 +        let method = reqwest::Method::from_bytes(request.method.as_bytes())
 +            .map_err(|err| ProviderError::Http(err.to_string()))?;
 +        let mut builder = client.request(method, request.url);
 +        for (name, value) in request.headers {
 +            builder = builder.header(name, value);
 +        }
 +        if let Some(body) = request.body {
 +            builder = builder.body(body);
 +        }
 +        let response = builder
 +            .send()
 +            .map_err(|err| ProviderError::Http(err.to_string()))?;
 +        let status = response.status().as_u16();
 +        let body = response
 +            .text()
 +            .map_err(|err| ProviderError::Http(err.to_string()))?;
 +        Ok(MicrosoftHttpResponse { status, body })
 +    }
 +}
++
 +pub fn login_device_code_or_browser(
 +    account: &MicrosoftAccountConfig,
 +    http: &dyn MicrosoftHttpClient,
 +    token_store: &dyn MicrosoftTokenStore,
 +    stdout: &mut dyn Write,
 +    prefer_browser: bool,
 +) -> Result<(), ProviderError> {
 +    let result = if prefer_browser {
 +        login_browser(account, http, token_store, stdout)
 +    } else {
 +        login_device_code(account, http, token_store, stdout)
 +    };
 +    match result {
 +        Ok(()) => Ok(()),
 +        Err(err) if !prefer_browser => {
 +            let _ = writeln!(stdout, "device-code login failed: {err}");
 +            let _ = writeln!(stdout, "falling back to browser login");
 +            login_browser(account, http, token_store, stdout)
 +        }
 +        Err(err) => Err(err),
 +    }
 +}
++
 +pub fn logout(
 +    account_id: &str,
 +    token_store: &dyn MicrosoftTokenStore,
 +) -> Result<(), ProviderError> {
 +    token_store.delete(account_id)
 +}
++
 +fn login_device_code(
 +    account: &MicrosoftAccountConfig,
 +    http: &dyn MicrosoftHttpClient,
 +    token_store: &dyn MicrosoftTokenStore,
 +    stdout: &mut dyn Write,
 +) -> Result<(), ProviderError> {
 +    let body = form_body(&[
 +        ("client_id", account.client_id.as_str()),
 +        ("scope", MICROSOFT_SCOPES),
 +    ]);
 +    let response = http.request(MicrosoftHttpRequest {
 +        method: "POST".to_string(),
 +        url: account.device_code_url(),
 +        headers: vec![(
 +            "Content-Type".to_string(),
 +            "application/x-www-form-urlencoded".to_string(),
 +        )],
 +        body: Some(body),
 +    })?;
 +    let value = parse_oauth_json(response)?;
 +    let device_code = required_json_string(&value, "device_code")?;
 +    let user_code = required_json_string(&value, "user_code")?;
 +    let verification_uri = graph_string(&value, "verification_uri")
 +        .or_else(|| graph_string(&value, "verification_url"))
 +        .ok_or_else(|| {
 +            ProviderError::Auth("device-code response is missing verification URL".to_string())
 +        })?;
 +    let message = graph_string(&value, "message")
 +        .unwrap_or_else(|| format!("Visit {verification_uri} and enter code {user_code}"));
 +    let expires_in = graph_i64(&value, "expires_in").unwrap_or(900).max(1) as u64;
 +    let mut interval = graph_i64(&value, "interval").unwrap_or(5).max(1) as u64;
 +    writeln!(stdout, "{message}").map_err(|err| ProviderError::Auth(err.to_string()))?;
++
 +    let started = current_epoch_seconds();
 +    loop {
 +        if current_epoch_seconds().saturating_sub(started) > expires_in {
 +            return Err(ProviderError::Auth(
 +                "device-code login timed out".to_string(),
 +            ));
 +        }
 +        thread::sleep(StdDuration::from_secs(interval));
 +        let body = form_body(&[
 +            ("grant_type", "urn:ietf:params:oauth:grant-type:device_code"),
 +            ("client_id", account.client_id.as_str()),
 +            ("device_code", &device_code),
 +        ]);
 +        let response = http.request(MicrosoftHttpRequest {
 +            method: "POST".to_string(),
 +            url: account.token_url(),
 +            headers: vec![(
 +                "Content-Type".to_string(),
 +                "application/x-www-form-urlencoded".to_string(),
 +            )],
 +            body: Some(body),
 +        })?;
 +        if response.status == 200 {
 +            let token = token_from_response(response)?;
 +            token_store.save(&account.id, &token)?;
 +            writeln!(stdout, "authenticated Microsoft account '{}'", account.id)
 +                .map_err(|err| ProviderError::Auth(err.to_string()))?;
 +            return Ok(());
 +        }
 +        let value = serde_json::from_str::<Value>(&response.body)
 +            .map_err(|err| ProviderError::Auth(err.to_string()))?;
 +        match graph_string(&value, "error").as_deref() {
 +            Some("authorization_pending") => {}
 +            Some("slow_down") => interval = interval.saturating_add(5),
 +            Some("authorization_declined") => {
 +                return Err(ProviderError::Auth(
 +                    "authorization was declined".to_string(),
 +                ));
 +            }
 +            Some("expired_token") => {
 +                return Err(ProviderError::Auth("device code expired".to_string()));
 +            }
 +            Some(error) => {
 +                return Err(ProviderError::Auth(format!(
 +                    "{error}: {}",
 +                    graph_string(&value, "error_description").unwrap_or_default()
 +                )));
 +            }
 +            None => return Err(ProviderError::Auth(response.body)),
 +        }
 +    }
 +}
++
 +fn login_browser(
 +    account: &MicrosoftAccountConfig,
 +    http: &dyn MicrosoftHttpClient,
 +    token_store: &dyn MicrosoftTokenStore,
 +    stdout: &mut dyn Write,
 +) -> Result<(), ProviderError> {
 +    let verifier = pkce_verifier();
 +    let challenge = pkce_challenge(&verifier);
 +    let state = pkce_verifier();
 +    let redirect_uri = account.redirect_uri();
 +    let listener = TcpListener::bind(("127.0.0.1", account.redirect_port)).map_err(|err| {
 +        ProviderError::Auth(format!("failed to listen for OAuth callback: {err}"))
 +    })?;
 +    let auth_url = format!(
 +        "{}?client_id={}&response_type=code&redirect_uri={}&response_mode=query&scope={}&state={}&code_challenge={}&code_challenge_method=S256",
 +        account.authorize_url(),
 +        percent_encode(&account.client_id),
 +        percent_encode(&redirect_uri),
 +        percent_encode(MICROSOFT_SCOPES),
 +        percent_encode(&state),
 +        percent_encode(&challenge),
 +    );
 +    writeln!(stdout, "opening browser for Microsoft login")
 +        .map_err(|err| ProviderError::Auth(err.to_string()))?;
 +    open_browser(&auth_url)?;
 +    let (mut stream, _) = listener
 +        .accept()
 +        .map_err(|err| ProviderError::Auth(err.to_string()))?;
 +    let mut request = String::new();
 +    BufReader::new(
 +        stream
 +            .try_clone()
 +            .map_err(|err| ProviderError::Auth(err.to_string()))?,
 +    )
 +    .read_line(&mut request)
 +    .map_err(|err| ProviderError::Auth(err.to_string()))?;
 +    let query = request
 +        .split_whitespace()
 +        .nth(1)
 +        .and_then(|path| path.split_once('?').map(|(_, query)| query))
 +        .ok_or_else(|| ProviderError::Auth("OAuth callback did not include a query".to_string()))?;
 +    let params = parse_query(query);
 +    let code = params
 +        .get("code")
 +        .ok_or_else(|| ProviderError::Auth("OAuth callback did not include code".to_string()))?;
 +    if params.get("state") != Some(&state) {
 +        return Err(ProviderError::Auth(
 +            "OAuth callback state mismatch".to_string(),
 +        ));
 +    }
 +    let response_body = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nrcal Microsoft login complete. You can close this tab.\n";
 +    let _ = stream.write_all(response_body.as_bytes());
 +    let body = form_body(&[
 +        ("grant_type", "authorization_code"),
 +        ("client_id", account.client_id.as_str()),
 +        ("scope", MICROSOFT_SCOPES),
 +        ("code", code),
 +        ("redirect_uri", &redirect_uri),
 +        ("code_verifier", &verifier),
 +    ]);
 +    let response = http.request(MicrosoftHttpRequest {
 +        method: "POST".to_string(),
 +        url: account.token_url(),
 +        headers: vec![(
 +            "Content-Type".to_string(),
 +            "application/x-www-form-urlencoded".to_string(),
 +        )],
 +        body: Some(body),
 +    })?;
 +    let token = token_from_response(response)?;
 +    token_store.save(&account.id, &token)?;
 +    writeln!(stdout, "authenticated Microsoft account '{}'", account.id)
 +        .map_err(|err| ProviderError::Auth(err.to_string()))
 +}
++
 +fn access_token(
 +    account: &MicrosoftAccountConfig,
 +    http: &dyn MicrosoftHttpClient,
 +    token_store: &dyn MicrosoftTokenStore,
 +) -> Result<String, ProviderError> {
 +    let token = token_store.load(&account.id)?.ok_or_else(|| {
 +        ProviderError::Auth(format!(
 +            "Microsoft account '{}' is not authenticated",
 +            account.id
 +        ))
 +    })?;
 +    if token.expires_at_epoch_seconds > current_epoch_seconds().saturating_add(120) {
 +        return Ok(token.access_token);
 +    }
 +    let body = form_body(&[
 +        ("grant_type", "refresh_token"),
 +        ("client_id", account.client_id.as_str()),
 +        ("refresh_token", token.refresh_token.as_str()),
 +        ("scope", MICROSOFT_SCOPES),
 +    ]);
 +    let response = http.request(MicrosoftHttpRequest {
 +        method: "POST".to_string(),
 +        url: account.token_url(),
 +        headers: vec![(
 +            "Content-Type".to_string(),
 +            "application/x-www-form-urlencoded".to_string(),
 +        )],
 +        body: Some(body),
 +    })?;
 +    let refreshed = token_from_response(response)?;
 +    token_store.save(&account.id, &refreshed)?;
 +    Ok(refreshed.access_token)
 +}
++
 +pub fn list_calendars(
 +    account: &MicrosoftAccountConfig,
 +    http: &dyn MicrosoftHttpClient,
 +    token_store: &dyn MicrosoftTokenStore,
 +) -> Result<Vec<MicrosoftCalendarInfo>, ProviderError> {
 +    let token = access_token(account, http, token_store)?;
 +    let response = graph_request(
 +        http,
 +        "GET",
 +        &format!("{GRAPH_BASE_URL}/me/calendars?$select=id,name,canEdit,isDefaultCalendar"),
 +        &token,
 +        None,
 +    )?;
 +    let value = parse_graph_success_json(response)?;
 +    let calendars = value
 +        .get("value")
 +        .and_then(Value::as_array)
 +        .ok_or_else(|| {
 +            ProviderError::Mapping("calendar list response is missing value".to_string())
 +        })?
 +        .iter()
 +        .map(|calendar| MicrosoftCalendarInfo {
 +            id: graph_string(calendar, "id").unwrap_or_default(),
 +            name: graph_string(calendar, "name").unwrap_or_default(),
 +            can_edit: graph_bool(calendar, "canEdit").unwrap_or(false),
 +            is_default: graph_bool(calendar, "isDefaultCalendar").unwrap_or(false),
 +        })
 +        .filter(|calendar| !calendar.id.is_empty())
 +        .collect::<Vec<_>>();
 +    Ok(calendars)
 +}
++
 +fn fetch_calendar(
 +    http: &dyn MicrosoftHttpClient,
 +    token: &str,
 +    calendar_id: &str,
 +) -> Result<MicrosoftCalendarRecord, ProviderError> {
 +    let response = graph_request(
 +        http,
 +        "GET",
 +        &format!(
 +            "{GRAPH_BASE_URL}/me/calendars/{}?$select=id,name,canEdit,isDefaultCalendar",
 +            percent_encode(calendar_id)
 +        ),
 +        token,
 +        None,
 +    )?;
 +    let value = parse_graph_success_json(response)?;
 +    Ok(MicrosoftCalendarRecord {
 +        id: graph_string(&value, "id").unwrap_or_else(|| calendar_id.to_string()),
 +        name: graph_string(&value, "name").unwrap_or_else(|| calendar_id.to_string()),
 +        can_edit: graph_bool(&value, "canEdit").unwrap_or(true),
 +        is_default: graph_bool(&value, "isDefaultCalendar").unwrap_or(false),
 +    })
 +}
++
 +fn fetch_calendar_view(
 +    http: &dyn MicrosoftHttpClient,
 +    token: &str,
 +    account_id: &str,
 +    calendar: &MicrosoftCalendarRecord,
 +    start: CalendarDate,
 +    end: CalendarDate,
 +) -> Result<Vec<MicrosoftCachedEvent>, ProviderError> {
 +    let mut url = format!(
 +        "{GRAPH_BASE_URL}/me/calendars/{}/calendarView?startDateTime={}T00:00:00&endDateTime={}T00:00:00&$top=200",
 +        percent_encode(&calendar.id),
 +        start,
 +        end
 +    );
 +    let mut events = Vec::new();
 +    let mut series_master_ids = HashSet::new();
 +    loop {
 +        let response = graph_request(http, "GET", &url, token, None)?;
 +        let value = parse_graph_success_json(response)?;
 +        if let Some(values) = value.get("value").and_then(Value::as_array) {
 +            for event in values {
 +                if event.get("@removed").is_some() {
 +                    continue;
 +                }
 +                if let Some(series_master_id) = graph_string(event, "seriesMasterId") {
 +                    series_master_ids.insert(series_master_id);
 +                }
 +                events.push(MicrosoftCachedEvent::from_graph(
 +                    account_id,
 +                    calendar,
 +                    event.clone(),
 +                )?);
 +            }
 +        }
 +        if let Some(next_link) = graph_string(&value, "@odata.nextLink") {
 +            url = next_link;
 +        } else {
 +            break;
 +        }
 +    }
 +    for series_master_id in series_master_ids {
 +        if events
 +            .iter()
 +            .any(|event| event.graph_id == series_master_id)
 +        {
 +            continue;
 +        }
 +        let raw = fetch_event(http, token, &series_master_id)?;
 +        events.push(MicrosoftCachedEvent::from_graph(account_id, calendar, raw)?);
 +    }
 +    Ok(events)
 +}
++
 +fn fetch_event(
 +    http: &dyn MicrosoftHttpClient,
 +    token: &str,
 +    graph_id: &str,
 +) -> Result<Value, ProviderError> {
 +    let response = graph_request(
 +        http,
 +        "GET",
 +        &format!("{GRAPH_BASE_URL}/me/events/{}", percent_encode(graph_id)),
 +        token,
 +        None,
 +    )?;
 +    parse_graph_success_json(response)
 +}
++
 +fn graph_request(
 +    http: &dyn MicrosoftHttpClient,
 +    method: &str,
 +    url: &str,
 +    token: &str,
 +    body: Option<String>,
 +) -> Result<MicrosoftHttpResponse, ProviderError> {
 +    let mut headers = vec![
 +        ("Authorization".to_string(), format!("Bearer {token}")),
 +        ("Accept".to_string(), "application/json".to_string()),
 +        ("Prefer".to_string(), "outlook.timezone=\"UTC\"".to_string()),
 +    ];
 +    if body.is_some() {
 +        headers.push(("Content-Type".to_string(), "application/json".to_string()));
 +    }
 +    http.request(MicrosoftHttpRequest {
 +        method: method.to_string(),
 +        url: url.to_string(),
 +        headers,
 +        body,
 +    })
 +}
++
 +fn parse_graph_success_json(response: MicrosoftHttpResponse) -> Result<Value, ProviderError> {
 +    if (200..300).contains(&response.status) {
 +        return serde_json::from_str(&response.body)
 +            .map_err(|err| ProviderError::Mapping(err.to_string()));
 +    }
 +    Err(ProviderError::Graph(graph_error_message(response)))
 +}
++
 +fn parse_graph_empty_success(response: MicrosoftHttpResponse) -> Result<(), ProviderError> {
 +    if (200..300).contains(&response.status) {
 +        Ok(())
 +    } else {
 +        Err(ProviderError::Graph(graph_error_message(response)))
 +    }
 +}
++
 +fn graph_error_message(response: MicrosoftHttpResponse) -> String {
 +    if let Ok(value) = serde_json::from_str::<Value>(&response.body)
 +        && let Some(error) = value.get("error")
 +    {
 +        let code = graph_string(error, "code").unwrap_or_else(|| response.status.to_string());
 +        let message = graph_string(error, "message").unwrap_or_else(|| response.body.clone());
 +        return format!("{code}: {message}");
 +    }
 +    format!("HTTP {}: {}", response.status, response.body)
 +}
++
 +fn parse_oauth_json(response: MicrosoftHttpResponse) -> Result<Value, ProviderError> {
 +    if response.status != 200 {
 +        return Err(ProviderError::Auth(graph_error_message(response)));
 +    }
 +    serde_json::from_str::<Value>(&response.body)
 +        .map_err(|err| ProviderError::Auth(err.to_string()))
 +}
++
 +fn token_from_response(response: MicrosoftHttpResponse) -> Result<MicrosoftToken, ProviderError> {
 +    let value = parse_oauth_json(response)?;
 +    let access_token = required_json_string(&value, "access_token")?;
 +    let refresh_token = graph_string(&value, "refresh_token").unwrap_or_default();
 +    let expires_in = graph_i64(&value, "expires_in").unwrap_or(3600).max(1) as u64;
 +    Ok(MicrosoftToken {
 +        access_token,
 +        refresh_token,
 +        expires_at_epoch_seconds: current_epoch_seconds().saturating_add(expires_in),
 +    })
 +}
++
 +fn required_json_string(value: &Value, key: &str) -> Result<String, ProviderError> {
 +    graph_string(value, key)
 +        .ok_or_else(|| ProviderError::Auth(format!("OAuth response is missing {key}")))
 +}
++
 +pub fn graph_event_payload(
 +    draft: &CreateEventDraft,
 +    is_update: bool,
 +) -> Result<Value, ProviderError> {
 +    if draft.reminders.len() > 1 {
 +        return Err(ProviderError::Validation(
 +            "Microsoft events support only one reminder".to_string(),
 +        ));
 +    }
 +    let mut payload = Map::new();
 +    payload.insert("subject".to_string(), Value::String(draft.title.clone()));
 +    if let Some(notes) = &draft.notes {
 +        payload.insert(
 +            "body".to_string(),
 +            json!({
 +                "contentType": "text",
 +                "content": notes
 +            }),
 +        );
 +    }
 +    if let Some(location) = &draft.location {
 +        payload.insert("location".to_string(), json!({ "displayName": location }));
 +    }
 +    if let Some(reminder) = draft.reminders.first() {
 +        payload.insert("isReminderOn".to_string(), Value::Bool(true));
 +        payload.insert(
 +            "reminderMinutesBeforeStart".to_string(),
 +            Value::Number(serde_json::Number::from(reminder.minutes_before)),
 +        );
 +    } else if !is_update {
 +        payload.insert("isReminderOn".to_string(), Value::Bool(false));
 +    }
 +    match draft.timing {
 +        CreateEventTiming::AllDay { date } => {
 +            payload.insert("isAllDay".to_string(), Value::Bool(true));
 +            payload.insert(
 +                "start".to_string(),
 +                graph_datetime_payload(date, Time::MIDNIGHT),
 +            );
 +            payload.insert(
 +                "end".to_string(),
 +                graph_datetime_payload(date.add_days(1), Time::MIDNIGHT),
 +            );
 +        }
 +        CreateEventTiming::Timed { start, end } => {
 +            payload.insert("isAllDay".to_string(), Value::Bool(false));
 +            payload.insert(
 +                "start".to_string(),
 +                graph_datetime_payload(start.date, start.time),
 +            );
 +            payload.insert(
 +                "end".to_string(),
 +                graph_datetime_payload(end.date, end.time),
 +            );
 +        }
 +    }
 +    if let Some(recurrence) = &draft.recurrence {
 +        payload.insert(
 +            "recurrence".to_string(),
 +            graph_recurrence_payload(recurrence, draft)?,
 +        );
 +    }
 +    Ok(Value::Object(payload))
 +}
++
 +fn graph_datetime_payload(date: CalendarDate, time: Time) -> Value {
 +    json!({
 +        "dateTime": format!("{}T{:02}:{:02}:00", date, time.hour(), time.minute()),
 +        "timeZone": "UTC"
 +    })
 +}
++
 +fn graph_recurrence_payload(
 +    rule: &RecurrenceRule,
 +    draft: &CreateEventDraft,
 +) -> Result<Value, ProviderError> {
 +    let start_date = match draft.timing {
 +        CreateEventTiming::AllDay { date } => date,
 +        CreateEventTiming::Timed { start, .. } => start.date,
 +    };
 +    let mut pattern = Map::new();
 +    pattern.insert(
 +        "interval".to_string(),
 +        Value::Number(serde_json::Number::from(rule.interval().max(1))),
 +    );
 +    match rule.frequency {
 +        RecurrenceFrequency::Daily => {
 +            pattern.insert("type".to_string(), Value::String("daily".to_string()));
 +        }
 +        RecurrenceFrequency::Weekly => {
 +            pattern.insert("type".to_string(), Value::String("weekly".to_string()));
 +            pattern.insert(
 +                "daysOfWeek".to_string(),
 +                Value::Array(
 +                    rule.weekdays
 +                        .iter()
 +                        .copied()
 +                        .map(graph_weekday)
 +                        .map(Value::String)
 +                        .collect(),
 +                ),
 +            );
 +            pattern.insert(
 +                "firstDayOfWeek".to_string(),
 +                Value::String("sunday".to_string()),
 +            );
 +        }
 +        RecurrenceFrequency::Monthly => match rule.monthly {
 +            Some(RecurrenceMonthlyRule::DayOfMonth(day)) => {
 +                pattern.insert(
 +                    "type".to_string(),
 +                    Value::String("absoluteMonthly".to_string()),
 +                );
 +                pattern.insert(
 +                    "dayOfMonth".to_string(),
 +                    Value::Number(serde_json::Number::from(day)),
 +                );
 +            }
 +            Some(RecurrenceMonthlyRule::WeekdayOrdinal { ordinal, weekday }) => {
 +                pattern.insert(
 +                    "type".to_string(),
 +                    Value::String("relativeMonthly".to_string()),
 +                );
 +                pattern.insert("index".to_string(), Value::String(graph_ordinal(ordinal)));
 +                pattern.insert(
 +                    "daysOfWeek".to_string(),
 +                    Value::Array(vec![Value::String(graph_weekday(weekday))]),
 +                );
 +            }
 +            None => {
 +                pattern.insert(
 +                    "type".to_string(),
 +                    Value::String("absoluteMonthly".to_string()),
 +                );
 +                pattern.insert(
 +                    "dayOfMonth".to_string(),
 +                    Value::Number(serde_json::Number::from(start_date.day())),
 +                );
 +            }
 +        },
 +        RecurrenceFrequency::Yearly => match rule.yearly {
 +            Some(RecurrenceYearlyRule::Date { month, day }) => {
 +                pattern.insert(
 +                    "type".to_string(),
 +                    Value::String("absoluteYearly".to_string()),
 +                );
 +                pattern.insert(
 +                    "month".to_string(),
 +                    Value::Number(serde_json::Number::from(u8::from(month))),
 +                );
 +                pattern.insert(
 +                    "dayOfMonth".to_string(),
 +                    Value::Number(serde_json::Number::from(day)),
 +                );
 +            }
 +            Some(RecurrenceYearlyRule::WeekdayOrdinal {
 +                month,
 +                ordinal,
 +                weekday,
 +            }) => {
 +                pattern.insert(
 +                    "type".to_string(),
 +                    Value::String("relativeYearly".to_string()),
 +                );
 +                pattern.insert(
 +                    "month".to_string(),
 +                    Value::Number(serde_json::Number::from(u8::from(month))),
 +                );
 +                pattern.insert("index".to_string(), Value::String(graph_ordinal(ordinal)));
 +                pattern.insert(
 +                    "daysOfWeek".to_string(),
 +                    Value::Array(vec![Value::String(graph_weekday(weekday))]),
 +                );
 +            }
 +            None => {
 +                pattern.insert(
 +                    "type".to_string(),
 +                    Value::String("absoluteYearly".to_string()),
 +                );
 +                pattern.insert(
 +                    "month".to_string(),
 +                    Value::Number(serde_json::Number::from(u8::from(start_date.month()))),
 +                );
 +                pattern.insert(
 +                    "dayOfMonth".to_string(),
 +                    Value::Number(serde_json::Number::from(start_date.day())),
 +                );
 +            }
 +        },
 +    }
 +    let range = match rule.end {
 +        RecurrenceEnd::Never => json!({
 +            "type": "noEnd",
 +            "startDate": start_date.to_string(),
 +            "recurrenceTimeZone": "UTC"
 +        }),
 +        RecurrenceEnd::Until(date) => json!({
 +            "type": "endDate",
 +            "startDate": start_date.to_string(),
 +            "endDate": date.to_string(),
 +            "recurrenceTimeZone": "UTC"
 +        }),
 +        RecurrenceEnd::Count(count) => json!({
 +            "type": "numbered",
 +            "startDate": start_date.to_string(),
 +            "numberOfOccurrences": count,
 +            "recurrenceTimeZone": "UTC"
 +        }),
 +    };
 +    Ok(json!({
 +        "pattern": Value::Object(pattern),
 +        "range": range
 +    }))
 +}
++
 +fn graph_recurrence_to_cache(value: &Value) -> Result<MicrosoftCachedRecurrence, ProviderError> {
 +    let pattern = value
 +        .get("pattern")
 +        .ok_or_else(|| ProviderError::Mapping("recurrence is missing pattern".to_string()))?;
 +    let range = value
 +        .get("range")
 +        .ok_or_else(|| ProviderError::Mapping("recurrence is missing range".to_string()))?;
 +    let interval = graph_i64(pattern, "interval")
 +        .and_then(|value| u16::try_from(value).ok())
 +        .unwrap_or(1)
 +        .max(1);
 +    let end = match graph_string(range, "type").as_deref() {
 +        Some("noEnd") => RecurrenceEndRecord::Never,
 +        Some("endDate") => RecurrenceEndRecord::Until {
 +            date: graph_string(range, "endDate")
 +                .and_then(|value| parse_date(&value))
 +                .ok_or_else(|| {
 +                    ProviderError::Mapping("recurrence endDate is invalid".to_string())
 +                })?,
 +        },
 +        Some("numbered") => RecurrenceEndRecord::Count {
 +            count: graph_i64(range, "numberOfOccurrences")
 +                .and_then(|value| u32::try_from(value).ok())
 +                .unwrap_or(1),
 +        },
 +        _ => RecurrenceEndRecord::Never,
 +    };
 +    let weekdays = pattern
 +        .get("daysOfWeek")
 +        .and_then(Value::as_array)
 +        .into_iter()
 +        .flatten()
 +        .filter_map(Value::as_str)
 +        .filter_map(parse_graph_weekday)
 +        .map(WeekdayRecord::from_weekday)
 +        .collect::<Vec<_>>();
 +    match graph_string(pattern, "type").as_deref() {
 +        Some("daily") => Ok(MicrosoftCachedRecurrence {
 +            frequency: RecurrenceFrequencyRecord::Daily,
 +            interval,
 +            end,
 +            weekdays: Vec::new(),
 +            monthly: None,
 +            yearly: None,
 +        }),
 +        Some("weekly") => Ok(MicrosoftCachedRecurrence {
 +            frequency: RecurrenceFrequencyRecord::Weekly,
 +            interval,
 +            end,
 +            weekdays,
 +            monthly: None,
 +            yearly: None,
 +        }),
 +        Some("absoluteMonthly") => Ok(MicrosoftCachedRecurrence {
 +            frequency: RecurrenceFrequencyRecord::Monthly,
 +            interval,
 +            end,
 +            weekdays: Vec::new(),
 +            monthly: Some(MonthlyRuleRecord::DayOfMonth {
 +                day: graph_i64(pattern, "dayOfMonth")
 +                    .and_then(|value| u8::try_from(value).ok())
 +                    .unwrap_or(1),
 +            }),
 +            yearly: None,
 +        }),
 +        Some("relativeMonthly") => Ok(MicrosoftCachedRecurrence {
 +            frequency: RecurrenceFrequencyRecord::Monthly,
 +            interval,
 +            end,
 +            weekdays: Vec::new(),
 +            monthly: Some(MonthlyRuleRecord::WeekdayOrdinal {
 +                ordinal: parse_graph_ordinal(&graph_string(pattern, "index").unwrap_or_default()),
 +                weekday: weekdays.first().copied().unwrap_or(WeekdayRecord::Monday),
 +            }),
 +            yearly: None,
 +        }),
 +        Some("absoluteYearly") => Ok(MicrosoftCachedRecurrence {
 +            frequency: RecurrenceFrequencyRecord::Yearly,
 +            interval,
 +            end,
 +            weekdays: Vec::new(),
 +            monthly: None,
 +            yearly: Some(YearlyRuleRecord::Date {
 +                month: graph_i64(pattern, "month")
 +                    .and_then(|value| u8::try_from(value).ok())
 +                    .unwrap_or(1),
 +                day: graph_i64(pattern, "dayOfMonth")
 +                    .and_then(|value| u8::try_from(value).ok())
 +                    .unwrap_or(1),
 +            }),
 +        }),
 +        Some("relativeYearly") => Ok(MicrosoftCachedRecurrence {
 +            frequency: RecurrenceFrequencyRecord::Yearly,
 +            interval,
 +            end,
 +            weekdays: Vec::new(),
 +            monthly: None,
 +            yearly: Some(YearlyRuleRecord::WeekdayOrdinal {
 +                month: graph_i64(pattern, "month")
 +                    .and_then(|value| u8::try_from(value).ok())
 +                    .unwrap_or(1),
 +                ordinal: parse_graph_ordinal(&graph_string(pattern, "index").unwrap_or_default()),
 +                weekday: weekdays.first().copied().unwrap_or(WeekdayRecord::Monday),
 +            }),
 +        }),
 +        other => Err(ProviderError::Mapping(format!(
 +            "unsupported Microsoft recurrence type '{}'",
 +            other.unwrap_or("<missing>")
 +        ))),
 +    }
 +}
++
 +fn graph_weekday(weekday: Weekday) -> String {
 +    match weekday {
 +        Weekday::Sunday => "sunday",
 +        Weekday::Monday => "monday",
 +        Weekday::Tuesday => "tuesday",
 +        Weekday::Wednesday => "wednesday",
 +        Weekday::Thursday => "thursday",
 +        Weekday::Friday => "friday",
 +        Weekday::Saturday => "saturday",
 +    }
 +    .to_string()
 +}
++
 +fn parse_graph_weekday(value: &str) -> Option<Weekday> {
 +    match value {
 +        "sunday" => Some(Weekday::Sunday),
 +        "monday" => Some(Weekday::Monday),
 +        "tuesday" => Some(Weekday::Tuesday),
 +        "wednesday" => Some(Weekday::Wednesday),
 +        "thursday" => Some(Weekday::Thursday),
 +        "friday" => Some(Weekday::Friday),
 +        "saturday" => Some(Weekday::Saturday),
 +        _ => None,
 +    }
 +}
++
 +fn graph_ordinal(ordinal: RecurrenceOrdinal) -> String {
 +    match OrdinalRecord::from_rule(ordinal) {
 +        OrdinalRecord::First => "first",
 +        OrdinalRecord::Second => "second",
 +        OrdinalRecord::Third => "third",
 +        OrdinalRecord::Fourth => "fourth",
 +        OrdinalRecord::Last => "last",
 +    }
 +    .to_string()
 +}
++
 +fn parse_graph_ordinal(value: &str) -> OrdinalRecord {
 +    match value {
 +        "first" => OrdinalRecord::First,
 +        "second" => OrdinalRecord::Second,
 +        "third" => OrdinalRecord::Third,
 +        "fourth" => OrdinalRecord::Fourth,
 +        "last" => OrdinalRecord::Last,
 +        _ => OrdinalRecord::First,
 +    }
 +}
++
 +fn graph_datetime(value: &Value, key: &str) -> Result<EventDateTime, ProviderError> {
 +    let date_time = value
 +        .get(key)
 +        .and_then(|date_time| graph_string(date_time, "dateTime"))
 +        .ok_or_else(|| ProviderError::Mapping(format!("Graph event is missing {key}.dateTime")))?;
 +    parse_event_datetime(&date_time)
 +        .ok_or_else(|| ProviderError::Mapping(format!("invalid Graph dateTime '{date_time}'")))
 +}
++
 +fn parse_event_datetime(value: &str) -> Option<EventDateTime> {
 +    let (date, rest) = value.split_once('T')?;
 +    let date = parse_date(date)?;
 +    let time_part = rest.split(['.', 'Z', '+', '-']).next()?;
 +    let time = parse_time(time_part)?;
 +    Some(EventDateTime::new(date, time))
 +}
++
 +fn parse_date(value: &str) -> Option<CalendarDate> {
 +    let mut parts = value.split('-');
 +    let year = parts.next()?.parse().ok()?;
 +    let month = Month::try_from(parts.next()?.parse::<u8>().ok()?).ok()?;
 +    let day = parts.next()?.parse().ok()?;
 +    if parts.next().is_some() {
 +        return None;
 +    }
 +    CalendarDate::from_ymd(year, month, day).ok()
 +}
++
 +fn parse_time(value: &str) -> Option<Time> {
 +    let mut parts = value.split(':');
 +    let hour = parts.next()?.parse().ok()?;
 +    let minute = parts.next()?.parse().ok()?;
 +    let second = parts.next().unwrap_or("0").parse().ok()?;
 +    if parts.next().is_some() {
 +        return None;
 +    }
 +    Time::from_hms(hour, minute, second).ok()
 +}
++
 +fn graph_string(value: &Value, key: &str) -> Option<String> {
 +    value.get(key)?.as_str().map(ToOwned::to_owned)
 +}
++
 +fn graph_bool(value: &Value, key: &str) -> Option<bool> {
 +    value.get(key)?.as_bool()
 +}
++
 +fn graph_i64(value: &Value, key: &str) -> Option<i64> {
 +    value.get(key)?.as_i64()
 +}
++
 +fn microsoft_event_app_id(account_id: &str, calendar_id: &str, graph_id: &str) -> String {
 +    format!("microsoft:{account_id}:{calendar_id}:{graph_id}")
 +}
++
 +fn anchor_label(anchor: OccurrenceAnchor) -> String {
 +    match anchor {
 +        OccurrenceAnchor::AllDay { date } => date.to_string(),
 +        OccurrenceAnchor::Timed { start } => {
 +            format!(
 +                "{}T{:02}:{:02}",
 +                start.date,
 +                start.time.hour(),
 +                start.time.minute()
 +            )
 +        }
 +    }
 +}
++
 +fn current_epoch_seconds() -> u64 {
 +    SystemTime::now()
 +        .duration_since(UNIX_EPOCH)
 +        .map(|duration| duration.as_secs())
 +        .unwrap_or_default()
 +}
++
 +fn form_body(params: &[(&str, &str)]) -> String {
 +    params
 +        .iter()
 +        .map(|(key, value)| format!("{}={}", percent_encode(key), percent_encode(value)))
 +        .collect::<Vec<_>>()
 +        .join("&")
 +}
++
 +fn percent_encode(value: &str) -> String {
 +    let mut encoded = String::new();
 +    for byte in value.bytes() {
 +        if byte.is_ascii_alphanumeric() || matches!(byte, b'-' | b'.' | b'_' | b'~') {
 +            encoded.push(char::from(byte));
 +        } else {
 +            encoded.push_str(&format!("%{byte:02X}"));
 +        }
 +    }
 +    encoded
 +}
++
 +fn percent_decode(value: &str) -> String {
 +    let mut output = Vec::new();
 +    let bytes = value.as_bytes();
 +    let mut index = 0;
 +    while index < bytes.len() {
 +        if bytes[index] == b'%'
 +            && index + 2 < bytes.len()
 +            && let Ok(hex) = u8::from_str_radix(&value[index + 1..index + 3], 16)
 +        {
 +            output.push(hex);
 +            index += 3;
 +            continue;
 +        }
 +        output.push(if bytes[index] == b'+' {
 +            b' '
 +        } else {
 +            bytes[index]
 +        });
 +        index += 1;
 +    }
 +    String::from_utf8_lossy(&output).into_owned()
 +}
++
 +fn parse_query(query: &str) -> BTreeMap<String, String> {
 +    query
 +        .split('&')
 +        .filter_map(|part| {
 +            let (key, value) = part.split_once('=')?;
 +            Some((percent_decode(key), percent_decode(value)))
 +        })
 +        .collect()
 +}
++
 +fn pkce_verifier() -> String {
 +    let mut bytes = [0_u8; 32];
 +    if let Ok(mut file) = fs::File::open("/dev/urandom") {
 +        let _ = file.read_exact(&mut bytes);
 +    } else {
 +        bytes[..8].copy_from_slice(&current_epoch_seconds().to_le_bytes());
 +    }
 +    base64_url_no_pad(&bytes)
 +}
++
 +fn pkce_challenge(verifier: &str) -> String {
 +    let digest = Sha256::digest(verifier.as_bytes());
 +    base64_url_no_pad(&digest)
 +}
++
 +fn base64_url_no_pad(bytes: &[u8]) -> String {
 +    const TABLE: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
 +    let mut output = String::new();
 +    let mut index = 0;
 +    while index + 3 <= bytes.len() {
 +        let chunk = &bytes[index..index + 3];
 +        output.push(TABLE[(chunk[0] >> 2) as usize] as char);
 +        output.push(TABLE[(((chunk[0] & 0b11) << 4) | (chunk[1] >> 4)) as usize] as char);
 +        output.push(TABLE[(((chunk[1] & 0b1111) << 2) | (chunk[2] >> 6)) as usize] as char);
 +        output.push(TABLE[(chunk[2] & 0b111111) as usize] as char);
 +        index += 3;
 +    }
 +    match bytes.len() - index {
 +        1 => {
 +            let byte = bytes[index];
 +            output.push(TABLE[(byte >> 2) as usize] as char);
 +            output.push(TABLE[((byte & 0b11) << 4) as usize] as char);
 +        }
 +        2 => {
 +            let first = bytes[index];
 +            let second = bytes[index + 1];
 +            output.push(TABLE[(first >> 2) as usize] as char);
 +            output.push(TABLE[(((first & 0b11) << 4) | (second >> 4)) as usize] as char);
 +            output.push(TABLE[((second & 0b1111) << 2) as usize] as char);
 +        }
 +        _ => {}
 +    }
 +    output
 +}
++
 +fn open_browser(url: &str) -> Result<(), ProviderError> {
 +    #[cfg(target_os = "macos")]
 +    let result = Command::new("open").arg(url).status();
 +    #[cfg(target_os = "linux")]
 +    let result = Command::new("xdg-open").arg(url).status();
 +    #[cfg(target_os = "windows")]
 +    let result = Command::new("cmd").args(["/C", "start", url]).status();
 +    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
 +    let result: Result<std::process::ExitStatus, io::Error> =
 +        Err(io::Error::new(io::ErrorKind::Other, "unsupported platform"));
++
 +    match result {
 +        Ok(status) if status.success() => Ok(()),
 +        Ok(status) => Err(ProviderError::Auth(format!(
 +            "failed to open browser: exited with {status}"
 +        ))),
 +        Err(err) => Err(ProviderError::Auth(format!(
 +            "failed to open browser: {err}"
 +        ))),
 +    }
 +}
++
 +#[derive(Debug, Clone, PartialEq, Eq)]
 +pub enum ProviderError {
 +    Config(String),
 +    Auth(String),
 +    Keyring(String),
 +    Http(String),
 +    Graph(String),
 +    Mapping(String),
 +    Validation(String),
 +    NotFound(String),
 +    CacheRead { path: PathBuf, reason: String },
 +    CacheParse { path: PathBuf, reason: String },
 +    CacheWrite { path: PathBuf, reason: String },
 +    Agenda(String),
 +}
++
 +impl fmt::Display for ProviderError {
 +    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 +        match self {
 +            Self::Config(reason) => write!(f, "provider config error: {reason}"),
 +            Self::Auth(reason) => write!(f, "Microsoft auth error: {reason}"),
 +            Self::Keyring(reason) => write!(f, "Microsoft token keyring error: {reason}"),
 +            Self::Http(reason) => write!(f, "Microsoft HTTP error: {reason}"),
 +            Self::Graph(reason) => write!(f, "Microsoft Graph error: {reason}"),
 +            Self::Mapping(reason) => write!(f, "Microsoft event mapping error: {reason}"),
 +            Self::Validation(reason) => write!(f, "{reason}"),
 +            Self::NotFound(id) => write!(f, "Microsoft event '{id}' was not found"),
 +            Self::CacheRead { path, reason } => {
 +                write!(
 +                    f,
 +                    "failed to read Microsoft cache {}: {reason}",
 +                    path.display()
 +                )
 +            }
 +            Self::CacheParse { path, reason } => {
 +                write!(
 +                    f,
 +                    "failed to parse Microsoft cache {}: {reason}",
 +                    path.display()
 +                )
 +            }
 +            Self::CacheWrite { path, reason } => {
 +                write!(
 +                    f,
 +                    "failed to write Microsoft cache {}: {reason}",
 +                    path.display()
 +                )
 +            }
 +            Self::Agenda(reason) => write!(f, "{reason}"),
 +        }
 +    }
 +}
++
 +impl Error for ProviderError {}
++
 +impl From<AgendaError> for ProviderError {
 +    fn from(err: AgendaError) -> Self {
 +        Self::Agenda(err.to_string())
 +    }
 +}
++
 +#[cfg(test)]
 +mod tests {
 +    use super::*;
 +    use crate::agenda::{CreateEventTiming, RecurrenceEnd, RecurrenceFrequency};
 +    use std::{
 +        cell::RefCell,
 +        collections::{HashMap, VecDeque},
 +    };
++
 +    fn date(year: i32, month: Month, day: u8) -> CalendarDate {
 +        CalendarDate::from_ymd(year, month, day).expect("valid date")
 +    }
++
 +    fn at(date: CalendarDate, hour: u8, minute: u8) -> EventDateTime {
 +        EventDateTime::new(date, Time::from_hms(hour, minute, 0).expect("valid time"))
 +    }
++
 +    fn temp_path(name: &str) -> PathBuf {
 +        env::temp_dir()
 +            .join(format!("rcal-provider-test-{}", std::process::id()))
 +            .join(name)
 +    }
++
 +    fn account() -> MicrosoftAccountConfig {
 +        MicrosoftAccountConfig {
 +            id: "work".to_string(),
 +            client_id: "client-id".to_string(),
 +            tenant: "organizations".to_string(),
 +            redirect_port: 8765,
 +            calendars: vec!["cal".to_string()],
 +        }
 +    }
++
 +    fn provider_config(cache_file: PathBuf) -> MicrosoftProviderConfig {
 +        MicrosoftProviderConfig {
 +            enabled: true,
 +            default_account: Some("work".to_string()),
 +            default_calendar: Some("cal".to_string()),
 +            sync_past_days: 30,
 +            sync_future_days: 365,
 +            cache_file,
 +            accounts: vec![account()],
 +        }
 +    }
++
 +    #[derive(Default)]
 +    struct MemoryTokenStore {
 +        tokens: RefCell<HashMap<String, MicrosoftToken>>,
 +    }
++
 +    impl MemoryTokenStore {
 +        fn with_token(account_id: &str) -> Self {
 +            let store = Self::default();
 +            store.tokens.borrow_mut().insert(
 +                account_id.to_string(),
 +                MicrosoftToken {
 +                    access_token: "access-token".to_string(),
 +                    refresh_token: "refresh-token".to_string(),
 +                    expires_at_epoch_seconds: current_epoch_seconds().saturating_add(3600),
 +                },
 +            );
 +            store
 +        }
 +    }
++
 +    impl MicrosoftTokenStore for MemoryTokenStore {
 +        fn load(&self, account_id: &str) -> Result<Option<MicrosoftToken>, ProviderError> {
 +            Ok(self.tokens.borrow().get(account_id).cloned())
 +        }
++
 +        fn save(&self, account_id: &str, token: &MicrosoftToken) -> Result<(), ProviderError> {
 +            self.tokens
 +                .borrow_mut()
 +                .insert(account_id.to_string(), token.clone());
 +            Ok(())
 +        }
++
 +        fn delete(&self, account_id: &str) -> Result<(), ProviderError> {
 +            self.tokens.borrow_mut().remove(account_id);
 +            Ok(())
 +        }
 +    }
++
 +    struct RecordingHttpClient {
 +        responses: RefCell<VecDeque<MicrosoftHttpResponse>>,
 +        requests: RefCell<Vec<MicrosoftHttpRequest>>,
 +    }
++
 +    impl RecordingHttpClient {
 +        fn new(responses: Vec<MicrosoftHttpResponse>) -> Self {
 +            Self {
 +                responses: RefCell::new(VecDeque::from(responses)),
 +                requests: RefCell::new(Vec::new()),
 +            }
 +        }
++
 +        fn json(status: u16, value: Value) -> MicrosoftHttpResponse {
 +            MicrosoftHttpResponse {
 +                status,
 +                body: value.to_string(),
 +            }
 +        }
 +    }
++
 +    impl MicrosoftHttpClient for RecordingHttpClient {
 +        fn request(
 +            &self,
 +            request: MicrosoftHttpRequest,
 +        ) -> Result<MicrosoftHttpResponse, ProviderError> {
 +            self.requests.borrow_mut().push(request);
 +            self.responses
 +                .borrow_mut()
 +                .pop_front()
 +                .ok_or_else(|| ProviderError::Http("unexpected request".to_string()))
 +        }
 +    }
++
 +    #[test]
 +    fn graph_timed_event_maps_to_rcal_event() {
 +        let calendar = MicrosoftCalendarRecord {
 +            id: "cal".to_string(),
 +            name: "Work".to_string(),
 +            can_edit: true,
 +            is_default: true,
 +        };
 +        let raw = json!({
 +            "id": "abc",
 +            "subject": "Standup",
 +            "type": "singleInstance",
 +            "isAllDay": false,
 +            "start": {"dateTime": "2026-04-23T09:00:00", "timeZone": "UTC"},
 +            "end": {"dateTime": "2026-04-23T09:30:00", "timeZone": "UTC"},
 +            "location": {"displayName": "Room"},
 +            "bodyPreview": "Notes",
 +            "isReminderOn": true,
 +            "reminderMinutesBeforeStart": 15
 +        });
++
 +        let cached = MicrosoftCachedEvent::from_graph("work", &calendar, raw).expect("maps");
 +        let event = cached.to_event().expect("event converts");
++
 +        assert_eq!(event.id, "microsoft:work:cal:abc");
 +        assert_eq!(event.title, "Standup");
 +        assert_eq!(event.location.as_deref(), Some("Room"));
 +        assert_eq!(event.reminders, vec![Reminder::minutes_before(15)]);
 +        assert!(event.source.source_id.starts_with("microsoft:work:cal"));
 +    }
++
 +    #[test]
 +    fn graph_all_day_recurring_occurrence_maps_anchor() {
 +        let calendar = MicrosoftCalendarRecord {
 +            id: "cal".to_string(),
 +            name: "Work".to_string(),
 +            can_edit: true,
 +            is_default: true,
 +        };
 +        let raw = json!({
 +            "id": "occ",
 +            "subject": "OOO",
 +            "type": "occurrence",
 +            "seriesMasterId": "master",
 +            "isAllDay": true,
 +            "start": {"dateTime": "2026-04-23T00:00:00", "timeZone": "UTC"},
 +            "end": {"dateTime": "2026-04-24T00:00:00", "timeZone": "UTC"}
 +        });
++
 +        let event = MicrosoftCachedEvent::from_graph("work", &calendar, raw)
 +            .expect("maps")
 +            .to_event()
 +            .expect("event converts");
++
 +        assert_eq!(
 +            event.occurrence(),
 +            Some(&OccurrenceMetadata {
 +                series_id: "microsoft:work:cal:master".to_string(),
 +                anchor: OccurrenceAnchor::AllDay {
 +                    date: date(2026, Month::April, 23)
 +                },
 +            })
 +        );
 +    }
++
 +    #[test]
 +    fn draft_payload_rejects_multiple_microsoft_reminders() {
 +        let draft = CreateEventDraft {
 +            title: "Focus".to_string(),
 +            timing: CreateEventTiming::Timed {
 +                start: at(date(2026, Month::April, 23), 9, 0),
 +                end: at(date(2026, Month::April, 23), 10, 0),
 +            },
 +            location: None,
 +            notes: None,
 +            reminders: vec![Reminder::minutes_before(5), Reminder::minutes_before(10)],
 +            recurrence: None,
 +        };
++
 +        let err = graph_event_payload(&draft, false).expect_err("multiple reminders fail");
 +        assert!(err.to_string().contains("only one reminder"));
 +    }
++
 +    #[test]
 +    fn weekly_recurrence_payload_uses_graph_pattern() {
 +        let draft = CreateEventDraft {
 +            title: "Class".to_string(),
 +            timing: CreateEventTiming::Timed {
 +                start: at(date(2026, Month::April, 20), 13, 50),
 +                end: at(date(2026, Month::April, 20), 14, 40),
 +            },
 +            location: None,
 +            notes: None,
 +            reminders: Vec::new(),
 +            recurrence: Some(RecurrenceRule {
 +                frequency: RecurrenceFrequency::Weekly,
 +                interval: 1,
 +                end: RecurrenceEnd::Count(10),
 +                weekdays: vec![Weekday::Monday, Weekday::Wednesday, Weekday::Friday],
 +                monthly: None,
 +                yearly: None,
 +            }),
 +        };
++
 +        let payload = graph_event_payload(&draft, false).expect("payload builds");
 +        let recurrence = payload.get("recurrence").expect("recurrence included");
++
 +        assert_eq!(recurrence["pattern"]["type"], "weekly");
 +        assert_eq!(
 +            recurrence["pattern"]["daysOfWeek"],
 +            json!(["monday", "wednesday", "friday"])
 +        );
 +        assert_eq!(recurrence["range"]["type"], "numbered");
 +        assert_eq!(recurrence["range"]["numberOfOccurrences"], 10);
 +    }
++
 +    #[test]
 +    fn list_calendars_uses_stored_token_and_maps_response() {
 +        let store = MemoryTokenStore::with_token("work");
 +        let http = RecordingHttpClient::new(vec![RecordingHttpClient::json(
 +            200,
 +            json!({
 +                "value": [
 +                    {
 +                        "id": "cal",
 +                        "name": "Calendar",
 +                        "canEdit": true,
 +                        "isDefaultCalendar": true
 +                    }
 +                ]
 +            }),
 +        )]);
++
 +        let calendars = list_calendars(&account(), &http, &store).expect("calendars list");
++
 +        assert_eq!(
 +            calendars,
 +            vec![MicrosoftCalendarInfo {
 +                id: "cal".to_string(),
 +                name: "Calendar".to_string(),
 +                can_edit: true,
 +                is_default: true,
 +            }]
 +        );
 +        let requests = http.requests.borrow();
 +        assert_eq!(requests[0].method, "GET");
 +        assert!(
 +            requests[0]
 +                .url
 +                .ends_with("/me/calendars?$select=id,name,canEdit,isDefaultCalendar")
 +        );
 +        assert!(
 +            requests[0]
 +                .headers
 +                .iter()
 +                .any(|(name, value)| name == "Authorization" && value == "Bearer access-token")
 +        );
 +    }
++
 +    #[test]
 +    fn sync_writes_selected_calendar_cache_and_renders_provider_event() {
 +        let cache_file = temp_path("sync/microsoft-cache.json");
 +        let _ = fs::remove_dir_all(
 +            cache_file
 +                .parent()
 +                .and_then(Path::parent)
 +                .expect("test root"),
 +        );
 +        let store = MemoryTokenStore::with_token("work");
 +        let http = RecordingHttpClient::new(vec![
 +            RecordingHttpClient::json(
 +                200,
 +                json!({
 +                    "id": "cal",
 +                    "name": "Work",
 +                    "canEdit": true,
 +                    "isDefaultCalendar": true
 +                }),
 +            ),
 +            RecordingHttpClient::json(
 +                200,
 +                json!({
 +                    "value": [
 +                        {
 +                            "id": "evt",
 +                            "subject": "Focus",
 +                            "type": "singleInstance",
 +                            "isAllDay": false,
 +                            "start": {"dateTime": "2026-04-23T09:00:00", "timeZone": "UTC"},
 +                            "end": {"dateTime": "2026-04-23T10:00:00", "timeZone": "UTC"}
 +                        }
 +                    ]
 +                }),
 +            ),
 +        ]);
 +        let mut runtime =
 +            MicrosoftProviderRuntime::load(provider_config(cache_file.clone())).expect("load");
++
 +        let summary = runtime
 +            .sync(None, &http, &store, date(2026, Month::April, 23))
 +            .expect("sync succeeds");
 +        let source = MicrosoftAgendaSource::load(&cache_file).expect("cache reloads");
 +        let events = source.events_intersecting(DateRange::day(date(2026, Month::April, 23)));
++
 +        let _ = fs::remove_dir_all(
 +            cache_file
 +                .parent()
 +                .and_then(Path::parent)
 +                .expect("test root"),
 +        );
 +        assert_eq!(summary.accounts, 1);
 +        assert_eq!(summary.calendars, 1);
 +        assert_eq!(summary.events, 1);
 +        assert_eq!(events.len(), 1);
 +        assert_eq!(events[0].id, "microsoft:work:cal:evt");
 +        assert_eq!(events[0].title, "Focus");
 +        assert!(events[0].is_microsoft());
 +    }
++
 +    #[test]
 +    fn sync_fetches_series_master_for_provider_series_edit_without_render_duplicate() {
 +        let cache_file = temp_path("series/microsoft-cache.json");
 +        let _ = fs::remove_dir_all(
 +            cache_file
 +                .parent()
 +                .and_then(Path::parent)
 +                .expect("test root"),
 +        );
 +        let store = MemoryTokenStore::with_token("work");
 +        let http = RecordingHttpClient::new(vec![
 +            RecordingHttpClient::json(
 +                200,
 +                json!({
 +                    "id": "cal",
 +                    "name": "Work",
 +                    "canEdit": true,
 +                    "isDefaultCalendar": true
 +                }),
 +            ),
 +            RecordingHttpClient::json(
 +                200,
 +                json!({
 +                    "value": [
 +                        {
 +                            "id": "occ-1",
 +                            "subject": "Class",
 +                            "type": "occurrence",
 +                            "seriesMasterId": "master",
 +                            "isAllDay": false,
 +                            "start": {"dateTime": "2026-04-24T13:50:00", "timeZone": "UTC"},
 +                            "end": {"dateTime": "2026-04-24T14:40:00", "timeZone": "UTC"}
 +                        }
 +                    ]
 +                }),
 +            ),
 +            RecordingHttpClient::json(
 +                200,
 +                json!({
 +                    "id": "master",
 +                    "subject": "Class",
 +                    "type": "seriesMaster",
 +                    "isAllDay": false,
 +                    "start": {"dateTime": "2026-04-20T13:50:00", "timeZone": "UTC"},
 +                    "end": {"dateTime": "2026-04-20T14:40:00", "timeZone": "UTC"},
 +                    "recurrence": {
 +                        "pattern": {
 +                            "type": "weekly",
 +                            "interval": 1,
 +                            "daysOfWeek": ["monday", "wednesday", "friday"],
 +                            "firstDayOfWeek": "sunday"
 +                        },
 +                        "range": {
 +                            "type": "noEnd",
 +                            "startDate": "2026-04-20",
 +                            "recurrenceTimeZone": "UTC"
 +                        }
 +                    }
 +                }),
 +            ),
 +        ]);
 +        let mut runtime =
 +            MicrosoftProviderRuntime::load(provider_config(cache_file.clone())).expect("load");
++
 +        runtime
 +            .sync(None, &http, &store, date(2026, Month::April, 23))
 +            .expect("sync succeeds");
 +        let source = MicrosoftAgendaSource::load(&cache_file).expect("cache reloads");
 +        let events = source.events_intersecting(DateRange::day(date(2026, Month::April, 24)));
 +        let series = source
 +            .editable_event_by_id("microsoft:work:cal:master")
 +            .expect("series master is cached for editing");
++
 +        let _ = fs::remove_dir_all(
 +            cache_file
 +                .parent()
 +                .and_then(Path::parent)
 +                .expect("test root"),
 +        );
 +        assert_eq!(events.len(), 1);
 +        assert_eq!(events[0].id, "microsoft:work:cal:occ-1");
 +        assert!(events[0].occurrence().is_some());
 +        assert!(series.recurrence.is_some());
 +    }
 +}

src/reminders.rsmodified

          HolidayProvider,
      },
      calendar::CalendarDate,
 +    providers::ProviderConfig,
  };
  const STATE_VERSION: u8 = 1;
  pub struct ReminderDaemonConfig {
      pub events_file: PathBuf,
      pub state_file: PathBuf,
 +    pub providers: ProviderConfig,
      pub poll_interval: StdDuration,
      pub grace: Duration,
+ }
          Self {
              events_file,
              state_file,
 +            providers: ProviderConfig::default(),
              poll_interval: POLL_INTERVAL,
              grace: Duration::minutes(GRACE_MINUTES),
+         }
+     }
 +    pub fn with_providers(mut self, providers: ProviderConfig) -> Self {
 +        self.providers = providers;
 +        self
 +    }
++
      pub fn lock_file(&self) -> PathBuf {
          self.state_file.with_extension("lock")
+     }
  ) -> Result<ReminderRunSummary, ReminderError> {
      let source =
          ConfiguredAgendaSource::from_events_file(&config.events_file, HolidayProvider::off())
 +            .and_then(|source| {
 +                source.with_microsoft_provider(
 +                    config.providers.microsoft.clone(),
 +                    config.providers.create_target,
 +                )
 +            })
              .map_err(|err| ReminderError::Events(err.to_string()))?;
      let mut state = ReminderState::load(&config.state_file)?;
      let instances = reminder_instances(&source, now);
      let mut instances = source
          .events_intersecting(range)
          .into_iter()
 -        .filter(Event::is_local)
 +        .filter(Event::is_editable)
          .flat_map(reminders_for_event)
          .collect::<Vec<_>>();
      instances.sort_by(|left, right| {