Google Workspace Setup
Dedicated Google bot account for Hermes agent access to Gmail, Calendar, Drive, Docs, Sheets.
Status: Operational (OAuth complete, some scopes pending)
Architecture Decision
Using a dedicated Google account (not direct OAuth to Adam's personal account):
- Security boundary: compromised credentials = only bot account, not Adam's digital life
- Clean revocation: nuke the account anytime, zero side-effects
- Clear audit trail: all actions under distinct identity
- Limited OAuth scopes shared TO the bot account
Completed Steps
- Create Google account: hermesparrott@gmail.com
- Cloud Console project: Project ID datashare-493411
- Enable APIs: Gmail, Calendar, Drive, Docs (People and Sheets still blocked: unverified app)
- OAuth 2.0 Client ID: Desktop app type, token at ~/.hermes/google_token.json
- gws auth: gws 0.22.5, authenticated with scopes: gmail.readonly, gmail.send, gmail.modify, calendar, drive, documents
- Calendar sharing: Adam's calendar (ajaparrott1993@gmail.com) shared with bot account ("Make changes to events" permission)
- Morning briefing script: Created at ~/.hermes/skills/productivity/morning-briefing/
- Morning briefing cron: 6am daily (job 2b5ea95e45cc)
- Queries both primary and Adam's shared calendar
Remaining
- Gmail forwarding rules: deferred until needed
- Health API scopes: cloud-platform scope added, but Health API still 403 (needs Health-specific scopes)
- People and Sheets APIs: blocked for unverified apps
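
A check for scope drift and file permissions on the bot's token file, added here as an example (not part of the original setup or of gws). It assumes the token JSON carries a `scopes` list or a space-separated `scope` string, which this page does not show; `audit_token`, `demo` and the sample data are constructed for illustration.

```python
import json
import os
import stat
import tempfile

PREFIX = "https://www.googleapis.com/auth/"
# Scopes the page lists for the bot account's gws authentication.
ALLOWED = {"gmail.readonly", "gmail.send", "gmail.modify",
           "calendar", "drive", "documents"}
# Reaches beyond Workspace data; reported separately for review.
BROAD = {"cloud-platform"}

def audit_token(path):
    """Return a list of findings for one OAuth token file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: accessible to group/other, want 0600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    # Assumed layout: "scopes" list, or a space-separated "scope" string.
    raw = data.get("scopes") or data.get("scope") or []
    if isinstance(raw, str):
        raw = raw.split()
    for scope in sorted(s.removeprefix(PREFIX) for s in raw):
        if scope in BROAD:
            findings.append(f"broad scope: {scope}")
        elif scope not in ALLOWED:
            findings.append(f"unexpected scope: {scope}")
    return findings

def demo():
    """Audit a constructed token file (sample data, not a real token)."""
    sample = {"refresh_token": "CONSTRUCTED-PLACEHOLDER",
              "scopes": [PREFIX + s for s in
                         ("gmail.readonly", "calendar", "cloud-platform",
                          "spreadsheets")]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "google_token.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return audit_token(path)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Pointing `audit_token` at `~/.hermes/google_token.json` (expanded with `os.path.expanduser`) from the same cron host gives a daily signal if the granted scopes grow beyond the list above.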
Crons
- Morning briefing: 6am daily (job 2b5ea95e45cc, skill: morning-briefing)
Hard Rules
- Never delete calendar events without Adam's explicit confirmation
- British English only
Related
- [[Bio Bridge]]
- [[Hermes Infrastructure]]
- [[Security Posture]]