fix(outlook): add Trusted Types policy and extend auth timeout #65

Open
conceptblenders wants to merge 2 commits into opentabs-dev:main from
conceptblenders:fix/outlook-trusted-types-and-auth-timeout

Conversation

@conceptblenders conceptblenders commented Apr 20, 2026

Outlook on cloud.microsoft enforces a Trusted Types CSP policy that causes zod's allowsEval probe (new Function("")) to log a console violation. Creating a 'default' Trusted Types policy before any zod code runs lets the probe complete silently via its existing try/catch.

Also extends waitForAuth timeout from 5000ms to 30000ms. When Outlook redirects through an OAuth flow (#code= URL fragment), MSAL tokens are not yet in localStorage when the adapter first initializes. The previous 5s window was too short for the OAuth handshake to complete on slower connections or enterprise SSO flows.

Fixes two issues reported in [issue #] affecting Outlook on cloud.microsoft:

Changes

1. Trusted Types policy (index.ts)

Outlook enforces a Trusted Types CSP. Zod's allowsEval probe calls
new Function("") which triggers a console violation. Creating a default
Trusted Types policy before any zod code runs lets the probe complete
silently via its existing try/catch.

2. Extended auth timeout (outlook-api.ts)

waitForAuth timeout increased from 5000ms → 30000ms.

When Outlook loads via an OAuth redirect (#code= URL fragment), MSAL tokens
are not yet in localStorage when the adapter first initializes. The 5s window
was too short for the OAuth handshake + token storage to complete, causing
isReady() to return false permanently.

Test environment

  • Microsoft 365 work/school account (enterprise tenant)
  • https://outlook.cloud.microsoft/mail/
  • Chrome + OpenTabs extension v0.0.103

Summary by CodeRabbit

  • New Features

    • Adds a runtime Trusted Types policy and silently handles policy creation errors to avoid startup interruptions.
  • Bug Fixes

    • Increased authentication wait time to improve connection reliability during sign-in.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 084d7ee and 0e68789.

📒 Files selected for processing (1)
  • plugins/outlook/src/index.ts

Walkthrough

Added a runtime Trusted Types policy creation in plugins/outlook/src/index.ts guarded by window and try/catch. Increased waitForAuth() timeout from 5000 ms to 30000 ms in plugins/outlook/src/outlook-api.ts.

Changes

Cohort / File(s) | Summary
Trusted Types Policy: plugins/outlook/src/index.ts | Adds a top-level runtime check for window and attempts to create a default Trusted Types policy via window.trustedTypes.createPolicy, with createScript restricted to the empty string and wrapped in try/catch to suppress creation errors.
Authentication Timeout: plugins/outlook/src/outlook-api.ts | Extends the waitForAuth() timeout passed to waitUntil() from 5000 ms to 30000 ms; function signature unchanged.


@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Inline comments:
In `@plugins/outlook/src/index.ts`:
- Around line 7-10: Replace the unsafe identity createScript policy on the
Trusted Types 'default' policy with a narrow validator: in the block that
defines tt?.createPolicy?.('default', { createScript: ... }) (see the tt
variable and createPolicy usage in plugins/outlook/src/index.ts), change
createScript from returning the input string unconditionally to only accepting
the specific probe string used by Zod/allowsEval (empty string "") and otherwise
throw or reject (so non-empty strings cannot be converted to TrustedScript);
keep the try/catch behavior for unsupported browsers or existing policies.

📥 Commits

Reviewing files that changed from the base of the PR and between d3f98ae and 084d7ee.

📒 Files selected for processing (2)
  • plugins/outlook/src/index.ts
  • plugins/outlook/src/outlook-api.ts

Comment thread plugins/outlook/src/index.ts Outdated
Per CodeRabbit review: the identity createScript function on the default
Trusted Types policy was too permissive, allowing any string to become
TrustedScript. Restrict it to only accept the empty string ("") that
zod's allowsEval probe passes to new Function(), and throw for all other
inputs to preserve Trusted Types protections.

Also check tt.defaultPolicy before creating to avoid duplicate creation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
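A worked version of the narrowed policy the commit message above describes, added here as an illustration and not the PR's own code. window.trustedTypes is replaced by a constructed stand-in (makeFakeTrustedTypes) that mirrors only the two browser behaviours the fix relies on, so the logic runs outside a browser:

```javascript
// Added illustration (not the PR's code): a 'default' Trusted Types policy whose
// createScript accepts only the empty-string probe zod's allowsEval feeds to
// new Function(""), and rejects everything else so the policy cannot be used
// to launder arbitrary source into a TrustedScript.

function createScriptValidator(source) {
  if (source === "") return ""; // the only string the probe ever passes
  throw new TypeError("Trusted Types: non-empty script source rejected by default policy");
}

// tt is window.trustedTypes in a browser; undefined where Trusted Types is unsupported.
function installDefaultPolicy(tt) {
  if (!tt || typeof tt.createPolicy !== "function") return null; // no Trusted Types support
  if (tt.defaultPolicy) return tt.defaultPolicy;                 // avoid duplicate creation
  try {
    return tt.createPolicy("default", { createScript: createScriptValidator });
  } catch (err) {
    return null; // e.g. CSP forbids a 'default' policy, or one already exists
  }
}

// Constructed stand-in for window.trustedTypes (assumption: it models one policy
// per name and exposes the 'default' policy as tt.defaultPolicy, nothing more).
function makeFakeTrustedTypes() {
  const tt = { defaultPolicy: null, _names: new Set() };
  tt.createPolicy = (name, rules) => {
    if (tt._names.has(name)) throw new TypeError(`policy "${name}" already exists`);
    tt._names.add(name);
    const policy = {
      name,
      // A real TrustedScript is opaque; the stand-in just tags the validated string.
      createScript: (s) => ({ trustedScript: rules.createScript(String(s)) }),
    };
    if (name === "default") tt.defaultPolicy = policy;
    return policy;
  };
  return tt;
}

// True when the installed policy would accept the given script source.
function probeAccepted(policy, source) {
  try { policy.createScript(source); return true; } catch (_) { return false; }
}

const demoTT = makeFakeTrustedTypes();
const demoPolicy = installDefaultPolicy(demoTT);
console.log(probeAccepted(demoPolicy, ""), probeAccepted(demoPolicy, "return 1")); // true false
```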