Skip to content

Google Workspace Setup

Dedicated Google bot account for Hermes agent access to Gmail, Calendar, Drive, Docs, Sheets.

Status: Operational (OAuth complete, some scopes pending)

Architecture Decision

Using a dedicated Google account (not direct OAuth to Adam's personal account): - Security boundary β€” compromised credentials = only bot account, not Adam's digital life - Clean revocation β€” nuke the account anytime, zero side-effects - Clear audit trail β€” all actions under distinct identity - Limited OAuth scopes shared TO the bot account

Completed Steps

  1. Create Google account βœ… β€” hermesparrott@gmail.com
  2. Cloud Console project βœ… β€” Project ID datashare-493411
  3. Enable APIs βœ… β€” Gmail, Calendar, Drive, Docs (People and Sheets still blocked β€” unverified app)
  4. OAuth 2.0 Client ID βœ… β€” Desktop app type, token at ~/.hermes/google_token.json
  5. gws auth βœ… β€” gws 0.22.5, authenticated with scopes: gmail.readonly, gmail.send, gmail.modify, calendar, drive, documents
  6. Calendar sharing βœ… β€” Adam's calendar (ajaparrott1993@gmail.com) shared with bot account ("Make changes to events" permission)
  7. Morning briefing script βœ… β€” Created at ~/.hermes/skills/productivity/morning-briefing/
  8. Morning briefing cron βœ… β€” 6am daily (job 2b5ea95e45cc)
  9. Queries both primary and Adam's shared calendar

Remaining

  • Gmail forwarding rules β€” deferred until needed
  • Health API scopes β€” cloud-platform scope added, but Health API still 403 (needs Health-specific scopes)
  • People and Sheets APIs β€” blocked for unverified apps

Crons

  • Morning briefing: 6am daily (job 2b5ea95e45cc, skill: morning-briefing)

Hard Rules

  • Never delete calendar events without Adam's explicit confirmation
  • British English only
  • [[Bio Bridge]]
  • [[Hermes Infrastructure]]
  • [[Security Posture]]