# WAPD Email Agent — Outlook add-in (task pane)

Outlook message-read task pane for the WAPD Email Agent. Lets a user watch the
sender of the open message (and later toggle "draft suggested replies"). It calls
the backend API (`wapd-email-agent.azurewebsites.net`) authenticated as the
signed-in user via **Office SSO** (`getAccessToken`).

- **Add-in-only XML manifest** (`manifest.xml`) — Mac/classic Outlook compatible.
- **Hosting:** static files at `https://mailagent.workshopapd.com` (its own
  Azure App Service `wapd-mailagent-addin`).
- **API/add-in app registration:** `ff92e55d-7930-43c8-ae10-1fbf88f34182`
  (separate from the app-only Graph machine identity `cb18a91f`).

## Status — Milestone 1, Gate-A slice only

This repo currently contains the **auth-first acceptance gate**: SSO →
`GET /api/watch` → render the caller's own watches. The "watch this sender" UI
(reading `item.from`, `POST`/`PATCH /api/watch`, the draft checkbox) is **not
built yet** — held until Gate A passes on a real token.

**Gate A pass condition:** opening the pane on a real Outlook message signs in
via SSO and lists *only your* watch entries (HTTP 200). Failure triage:
- CORS error in `taskpane.js` → backend CORS (already deployed; check origin).
- SSO error `13002`/`13003` → Entra scope / Office-client pre-authorization / consent.
- API `401`/`403` → token audience/scope mismatch (`API_AUDIENCE` accepts both
  `api://<id>` and the bare GUID).
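
The triage list above, written out as a diagnostic helper. This is an added example, not code from this repo's `taskpane.js`; it decodes the token payload only to inspect `aud`/`scp` and does not replace the backend's signature validation. The function names and the shape of the `failure` object are assumptions made for the example.

```javascript
// Added example: Gate A failure triage. Diagnostic only; the backend still
// validates the token signature. Names below are hypothetical, not the repo's.
const APP_ID = "ff92e55d-7930-43c8-ae10-1fbf88f34182"; // app registration from this README
const ACCEPTED_AUDIENCES = [`api://${APP_ID}`, APP_ID]; // both forms API_AUDIENCE accepts

// Decode (NOT verify) the JWT payload so `aud` and `scp` can be inspected.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

function checkAudience(token) {
  const { aud, scp } = decodeJwtPayload(token);
  return { aud, scp, audOk: ACCEPTED_AUDIENCES.includes(aud) };
}

// Map what the pane observed onto the triage list in this README.
// Assumed `failure` shape: { ssoCode, httpStatus, fetchError, token }.
function triageGateA(failure) {
  const { ssoCode, httpStatus, fetchError, token } = failure;
  if (ssoCode === 13002 || ssoCode === 13003)
    return "sso: check Entra scope, Office-client pre-authorization, consent";
  if (fetchError instanceof TypeError)
    return "cors: fetch rejected before a response (CORS or network); check backend origin";
  if (httpStatus === 401 || httpStatus === 403) {
    const { aud, audOk } = checkAudience(token);
    return audOk
      ? "api: audience accepted; check the scope on the token"
      : `api: audience mismatch (aud=${aud})`;
  }
  if (httpStatus === 200) return "pass";
  return "unknown: outside the README's triage list";
}

// Constructed, unsigned sample token for offline runs (not a real token).
function makeSampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed`;
}
```
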

## Files
- `manifest.xml` — add-in manifest (`WebApplicationInfo` → app reg `ff92e55d`).
- `taskpane.html` / `taskpane.js` / `taskpane.css` — the task pane (Gate-A slice).
- `commands.html` — manifest `FunctionFile` (loads office.js; no functions yet).
- `assets/icon-*.png` — ribbon/store icons.
- `.github/workflows/deploy.yml` — OIDC deploy to `wapd-mailagent-addin`.

## Hosting (Azure App Service, static)
Linux App Service serving these files over HTTPS. Suggested **startup command**
(pure static, no build/deps):

```
python -m http.server $PORT --bind 0.0.0.0
```

Files deploy to `/home/site/wwwroot`, so `taskpane.html` is served at
`/taskpane.html`. Bind the custom domain `mailagent.workshopapd.com` + an App
Service Managed Certificate.

## Local dev (optional)
`python -m http.server 3000` then sideload the manifest pointing at
`http://localhost:3000`. (The backend CORS allowlist already includes
`http://localhost:3000`.)

## API endpoints used
- `GET /api/watch` — list the caller's watches (Gate A).
- Later: `POST /api/watch`, `PATCH /api/watch/{id}` (draft_enabled), `DELETE /api/watch/{id}`.

Auth is per-user SSO; the backend derives identity from the validated token and
enforces ownership (a caller only ever sees/changes their own rows).
