MgGraphCommunity.psd1

@{
    RootModule           = 'MgGraphCommunity.psm1'
    ModuleVersion        = '1.4.0'
    GUID                 = 'a7c1f4b8-5d20-4e6e-9a3b-2e8f0d1c7b42'
    Author               = 'MgGraphCommunity contributors'
    CompanyName          = 'Community'
    Copyright            = '(c) MgGraphCommunity contributors. Licensed under MIT.'
    Description          = 'A self-contained, community-maintained drop-in alternative to Connect-MgGraph. Pure-PowerShell OAuth 2.0 flows (PKCE, device code, client credentials, certificate, managed identity, BYO token) plus its own Invoke-MgGraphCommunityRequest for calling Graph endpoints. No required dependencies. No WAM. No MSAL.'
    PowerShellVersion    = '5.1'
    CompatiblePSEditions = @('Desktop','Core')

    # No required modules - MgGraphCommunity is fully self-contained.
    # If Microsoft.Graph.Authentication happens to be installed, we hand off
    # the access token so existing Microsoft.Graph.* cmdlets also work.

    FunctionsToExport    = @(
        'Connect-MgGraphCommunity',
        'Disconnect-MgGraphCommunity',
        'Get-MgGraphCommunityContext',
        'Select-MgGraphCommunityContext',
        'Invoke-MgGraphCommunityRequest',
        'Invoke-MgGraphCommunityBatch',
        'Add-MgGraphCommunityDefaultHeader',
        'Remove-MgGraphCommunityDefaultHeader',
        'Get-MgGraphCommunityDefaultHeader'
    )
    CmdletsToExport      = @()
    VariablesToExport    = @()
    AliasesToExport      = @('Invoke-MgcRequest','Invoke-MgcBatch','Select-MgcContext','Add-MgcHeader','Remove-MgcHeader','Get-MgcHeader')

    PrivateData = @{
        PSData = @{
            Tags         = @('Microsoft','Graph','MgGraph','Authentication','OAuth','PKCE','Intune','Entra','EntraID','Community')
            LicenseUri   = 'https://github.com/ugurkocde/MgGraphCommunity/blob/main/LICENSE'
            ProjectUri   = 'https://github.com/ugurkocde/MgGraphCommunity'
            ReleaseNotes = @'
1.4.0
- New: Invoke-MgGraphCommunityBatch (alias Invoke-MgcBatch) - combine up to 20 Graph
  requests per $batch call, auto-chunking larger sets and auto-retrying throttled
  sub-responses. Returns one { id, status, headers, body } per request, in order.
- New: multi-connection switching. Connect now registers every connection; switch the
  active one with Select-MgGraphCommunityContext (alias Select-MgcContext) by
  -TenantId / -ClientId / -Index / -CacheKey, and enumerate them with
  Get-MgGraphCommunityContext -ListAvailable. No re-authentication required.
- New: binary I/O on Invoke-MgGraphCommunityRequest - -InputFilePath (upload file bytes),
  -OutputFilePath (stream the raw response to disk, binary-safe across PS 5.1/7.x), and
  -ContentType (send non-JSON bodies as-is). Useful for photo/$value and upload sessions.
- New: -MaxRetry on Invoke-MgGraphCommunityRequest. Transient errors (429 / 503 / 504)
  are now retried up to MaxRetry times (default 3) with backoff; Retry-After is honored.
  Previously 429 and 504 were retried once each and 503 was not retried.
- New: every request sends a client-request-id; Graph request-id / client-request-id are
  surfaced in thrown errors for support correlation.
- Change: relative URIs now default to the /beta endpoint (more Graph surface) instead of
  /v1.0. Use -V1 on Invoke-MgGraphCommunityRequest / Invoke-MgGraphCommunityBatch for the
  stable /v1.0 endpoint. -Beta is retained for compatibility and now matches the default.
- Change: the AccessToken (BYO) flow derives its lifetime from the token's JWT exp claim
  instead of assuming 3600 seconds (opaque tokens still fall back to 3600).
- Build: PSScriptAnalyzer now runs in CI (settings in PSScriptAnalyzerSettings.psd1).

1.3.1
- Fix: certificate auth (-Certificate / -CertificateThumbprint / -CertificateName) built
  client assertions with nbf/exp skewed by the machine's UTC offset, so Entra ID rejected
  them in most non-UTC timezones. Timestamps are now timezone- and culture-safe.
- Interactive flow: loopback listener retries when an OS-assigned port is grabbed in the
  bind race; stray local requests (favicon.ico, preconnects) get a 404 instead of aborting
  the sign-in; CSRF state now comes from a cryptographic RNG; the browser result page
  reflects the state check.
- Token cache: only the refresh token (plus minimal metadata) is persisted - access tokens
  no longer touch disk. On macOS/Linux, permissions (700 dir / 600 file) are applied BEFORE
  the payload is written and failures warn instead of staying silent. Explicit UTF-8 I/O.
- Request layer: the Authorization header can no longer be overwritten by default or
  per-call headers; Add-MgGraphCommunityDefaultHeader rejects 'Authorization'.
  -FollowPagination keys on the presence of .value, so empty first pages page correctly and
  single-page collections return the same merged-array shape as multi-page results.
- Managed identity (Azure Arc): the challenge-file path from WWW-Authenticate is validated
  (Arc tokens directory, .key extension, size cap) before being read.
- Module load fails fast with a clear message on .NET Framework < 4.6 (PS 5.1 on Windows 7 /
  Server 2008 R2), which the module's crypto/time APIs require.

1.3.0
- Cross-version support: module now runs on Windows PowerShell 5.1 in addition to PowerShell 7+.
  CompatiblePSEditions = Desktop, Core. PowerShellVersion = 5.1.
- Replaced PS 7-only constructs with cross-version equivalents:
  * Null-coalescing (??) -> first-non-empty helper in Set-MgcConnectionContext.
  * [SHA256]::HashData / [SHA1]::HashData / [RandomNumberGenerator]::Fill (PS 7.1+ static methods)
    replaced with Create()+ComputeHash / Create()+GetBytes that work in .NET Framework 4.x.
  * ConvertFrom-SecureString -AsPlainText replaced with Marshal BSTR round-trip.
  * ConvertFrom-Json -AsHashtable falls back to manual PSObject->Hashtable conversion on PS 5.1.
  * Invoke-WebRequest -SkipHttpErrorCheck abstracted behind new private Invoke-MgcHttpRequest
    helper that catches WebException on PS 5.1 and exposes a uniform response.
  * $IsWindows replaced with Test-MgcIsWindows helper.
- Module auto-enables TLS 1.2 on PowerShell 5.1 (PS 5.1 still defaults to TLS 1.0/1.1).

1.2.1
- Hotfix: Invoke-MgGraphCommunityRequest crashed on PowerShell 7.4+ with
  "Cannot convert ... GetString to type System.Byte[]". On PS 7.4+, Invoke-WebRequest
  returns the Content property as a string for text/JSON responses, not byte[].
  The cmdlet now handles both shapes so it works on PS 7.1 through 7.4+.

1.2.0
- Fix: removed -StatusCodeVariable usage in Invoke-MgGraphCommunityRequest. That parameter is
  PowerShell 7.4+ only and broke the cmdlet on PS 7.0-7.3. Now reads status directly from the
  response object, works on PS 7.1+.
- Change: Connect-MgGraphCommunity no longer returns the context object to the pipeline.
  -NoWelcome now produces a truly silent connect. Use Get-MgGraphCommunityContext to retrieve
  the active connection details.
- New: proactive token refresh. If the access token expires within 5 minutes,
  Invoke-MgGraphCommunityRequest refreshes silently BEFORE the call (in addition to the
  reactive 401-retry path that already existed).
- New: HTTP 504 Gateway Timeout is retried once after a 60-second sleep.
- New: Add-MgGraphCommunityDefaultHeader / Remove-MgGraphCommunityDefaultHeader /
  Get-MgGraphCommunityDefaultHeader. Set sticky session headers (e.g. ConsistencyLevel) without
  re-passing -Headers on every call. Aliases: Add-MgcHeader / Remove-MgcHeader / Get-MgcHeader.
- Manifest PowerShellVersion bumped from 7.0 to 7.1 to honestly document the .NET 5+ static-method
  usage already present in PKCE / SHA256 helpers.

1.1.0
- New: Invoke-MgGraphCommunityRequest (alias Invoke-MgcRequest) - pure-PowerShell Graph caller.
- Removed Microsoft.Graph.Authentication as a RequiredModule. The module is now fully self-contained.
- SDK handoff is opportunistic: if Microsoft.Graph.Authentication is installed we still hand
  the token to Connect-MgGraph so Microsoft.Graph.* cmdlets continue to work.

1.0.0
- Initial community release
- Interactive (PKCE + loopback), DeviceCode, ClientSecret, Certificate (X509/Thumbprint/Subject), AccessToken, ManagedIdentity flows
- Environment selection: Global, USGov, USGovDoD, China
- In-memory token cache by default; opt-in DPAPI-encrypted persistence via -PersistRefreshToken
- Pure PowerShell, no MSAL DLL hunting, no compiled C#
'@

        }
    }
}