From 50c4f3de5787c05ad0b543bdc2e7af7e414b3fe6 Mon Sep 17 00:00:00 2001 From: William Valentin Date: Sun, 22 Feb 2026 22:27:57 -0800 Subject: [PATCH] feat(gmail-auth): request full Gmail scope for filter permissions --- README.md | 4 ++-- config/default.yaml | 2 +- docs/plans/state.json | 16 +++++++++++++++- src/cli/gmail-auth.test.ts | 3 +-- src/cli/gmail-auth.ts | 4 ++-- 5 files changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 6005dc9..5641dcc 100644 --- a/README.md +++ b/README.md @@ -1154,7 +1154,7 @@ Supported delivery modes: 1. Create a Google Cloud project with the Gmail API enabled 2. Create OAuth2 credentials (Desktop application type) and download the JSON file 3. Run `flynn gmail-auth` to complete the OAuth2 flow and store the refresh token - - Requests scopes for both mailbox reads and filter management (`gmail.readonly` + `gmail.settings.basic`) + - Requests full Gmail access scope (`https://mail.google.com/`) so all filter operations are allowed For Pub/Sub delivery (push/pull), also enable the Pub/Sub API and create: - A topic (e.g. `projects/your-project/topics/gmail-push`) @@ -1218,7 +1218,7 @@ When `automation.gmail.enabled: true`, Flynn registers Gmail tools: - `gmail.read` — fetch full message body by ID - `gmail.filter.create` — create Gmail filters (criteria + actions like archive/label/forward) -`gmail.filter.create` requires a token with `gmail.settings.basic`. If your token was created before this scope was added, re-run `flynn gmail-auth`. +`gmail.filter.create` requires a token issued with current scopes. If your token predates this change, re-run `flynn gmail-auth`. ### Template Variables diff --git a/config/default.yaml b/config/default.yaml index c6ffa24..788cf2d 100644 --- a/config/default.yaml +++ b/config/default.yaml @@ -452,7 +452,7 @@ memory: # credentials_file: ~/.config/flynn/gmail-credentials.json # token_file: ~/.config/flynn/gmail-token.json # # Authenticate with: flynn gmail-auth -# # (requests gmail.readonly + gmail.settings.basic for gmail.filter.create support) +# # (requests full Gmail scope https://mail.google.com/ for complete Gmail filter permissions) # # # Optional Pub/Sub delivery # # Push mode: configure a topic and a push subscription that POSTs to /gmail/push diff --git a/docs/plans/state.json b/docs/plans/state.json index 469cdff..86cc8f9 100644 --- a/docs/plans/state.json +++ b/docs/plans/state.json @@ -3,6 +3,20 @@ "updated_at": "2026-02-23", "description": "Tracks the status of all Flynn plans and implementation phases", "plans": { + "gmail-filter-full-scope-auth": { + "status": "completed", + "date": "2026-02-23", + "updated": "2026-02-23", + "summary": "Expanded `flynn gmail-auth` to request full Gmail OAuth scope (`https://mail.google.com/`) so Flynn tokens have complete Gmail filter permissions. Updated auth URL tests and operator docs/comments to reflect the broader scope and re-auth guidance.", + "files_modified": [ + "src/cli/gmail-auth.ts", + "src/cli/gmail-auth.test.ts", + "README.md", + "config/default.yaml", + "docs/plans/state.json" + ], + "test_status": "pnpm test:run src/cli/gmail-auth.test.ts + pnpm typecheck passing" + }, "gmail-filter-creation-tooling": { "status": "completed", "date": "2026-02-23", @@ -6292,7 +6306,7 @@ "operator_dx_milestone": "Phase 3 (Live Ops Dashboard): 2/2 plans complete — milestone done", "dashboard_observability": "completed — service health graphs + core service log viewer added to web UI via observability RPCs and bounded backend sampling", "gmail_auth_cli": "flynn gmail-auth command implemented with OAuth2 flow, doctor check, config routed to Telegram", - "gmail_filter_creation": "completed — gmail.filter.create tool added with criteria/action validation; gmail-auth now requests gmail.settings.basic for filter-management permissions", + "gmail_filter_creation": "completed — gmail.filter.create tool added with criteria/action validation; gmail-auth now requests full Gmail scope (https://mail.google.com/) for complete filter permissions", "native_audio_support": "completed — smart routing for native audio (Gemini/OpenAI/GitHub) vs Whisper transcription fallback, plus 2026-02-23 arg hydration hardening, tool.args_rewritten audit metric, transient fetch retry/timeout hardening, localhost->127.0.0.1 fallback for transcription endpoint connectivity, and whisper docker-compose entrypoint arg fix for port 18801", "remaining_phases_completion": "Phase 1: 3/3 (100%) — context levels, command registry, memory structure. Phase 2: 3/3 (100%) — component registry, confidence routing, history index. Phase 3: 2/2 (100%) — adaptive memory/compaction, truthfulness/autonomy hardening", "next_up": "Track OpenClaw evolution regularly for inspiration and feature ideas" diff --git a/src/cli/gmail-auth.test.ts b/src/cli/gmail-auth.test.ts index 83e7f59..752c247 100644 --- a/src/cli/gmail-auth.test.ts +++ b/src/cli/gmail-auth.test.ts @@ -71,8 +71,7 @@ describe('gmail-auth', () => { expect(url).toContain('https://accounts.google.com/o/oauth2/v2/auth'); expect(url).toContain('client_id=my-client-id'); expect(url).toContain('redirect_uri=http%3A%2F%2Flocalhost%3A3000'); - expect(url).toContain('scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly'); - expect(url).toContain('https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.settings.basic'); + expect(url).toContain('scope=https%3A%2F%2Fmail.google.com%2F'); expect(url).toContain('access_type=offline'); expect(url).toContain('prompt=consent'); }); diff --git a/src/cli/gmail-auth.ts b/src/cli/gmail-auth.ts index 1ffe543..714ed3b 100644 --- a/src/cli/gmail-auth.ts +++ b/src/cli/gmail-auth.ts @@ -7,8 +7,8 @@ import { URL } from 'url'; import { loadConfigSafe } from './shared.js'; const SCOPES = [ - 'https://www.googleapis.com/auth/gmail.readonly', - 'https://www.googleapis.com/auth/gmail.settings.basic', + // Full Gmail access (includes all filter operations and settings APIs). + 'https://mail.google.com/', ]; const REDIRECT_PORT = 3000; const REDIRECT_URI = `http://localhost:${REDIRECT_PORT}`;