npm - @mcinteerj/openclaw-gmail - Versions diffs - 1.3.0 → 1.4.0 - Mend

@mcinteerj/openclaw-gmail 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/src/monitor.ts CHANGED Viewed

@@ -1,17 +1,14 @@
-import { execFile } from "node:child_process";
-import { promisify } from "node:util";
 import fs from "node:fs/promises";
 import path from "node:path";
 import os from "node:os";
 import lockfile from "proper-lockfile";
 import type { ChannelLogSink, InboundMessage } from "openclaw/plugin-sdk";
 import type { ResolvedGmailAccount } from "./accounts.js";
-import { loadHistoryId, saveHistoryId } from "./history-store.js";
 import { parseInboundGmail, parseSearchGmail, type GogPayload, type GogSearchMessage } from "./inbound.js";
-import { extractAttachments, type GmailAttachment } from "./attachments.js";
+import { extractAttachments } from "./attachments.js";
 import { isAllowed } from "./normalize.js";
-const execFileAsync = promisify(execFile);
+import type { GmailClient } from "./gmail-client.js";
+import { GogGmailClient } from "./gog-client.js";
 // Polling interval: Default 60s, override via env for testing
 const DEFAULT_POLL_INTERVAL = 60_000;
@@ -29,118 +26,28 @@ const sleep = (ms: number, signal?: AbortSignal) => new Promise<void>((resolve)
     }, { once: true });
 });
-const GOG_TIMEOUT_MS = 30_000;
-const SYNC_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
 // Local deduplication cache to prevent re-dispatching messages before Gmail updates labels
 const dispatchedMessageIds = new Set<string>();
 // Clear cache periodically to prevent memory growth (every hour)
 setInterval(() => dispatchedMessageIds.clear(), 60 * 60 * 1000).unref();
-interface CircuitState {
-  consecutiveFailures: number;
-  lastFailureAt: number;
-  backoffUntil: number;
-}
-const CIRCUIT_CONFIG = {
-  maxFailures: 3,
-  initialBackoffMs: 60_000, // 1 minute
-  maxBackoffMs: 15 * 60_000, // 15 minutes
-};
-const circuitStates = new Map<string, CircuitState>();
-function getCircuit(email: string): CircuitState {
-  if (!circuitStates.has(email)) {
-    circuitStates.set(email, { consecutiveFailures: 0, lastFailureAt: 0, backoffUntil: 0 });
-  }
-  return circuitStates.get(email)!;
-}
-async function checkGogExists(): Promise<boolean> {
-  try {
-    await execFileAsync("gog", ["--version"]);
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function runGog(args: string[], accountEmail: string, retries = 3): Promise<Record<string, unknown> | null> {
-  const circuit = getCircuit(accountEmail);
-  const now = Date.now();
-  if (now < circuit.backoffUntil) {
-    throw new Error(`Circuit breaker active for ${accountEmail}. Backing off until ${new Date(circuit.backoffUntil).toISOString()}`);
-  }
-  const allArgs = ["--json", "--account", accountEmail, ...args];
-  let lastErr: any;
-  for (let i = 0; i < retries; i++) {
-    try {
-      const { stdout } = await execFileAsync("gog", allArgs, {
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: GOG_TIMEOUT_MS,
-      });
-      // Success - reset circuit
-      circuit.consecutiveFailures = 0;
-      circuit.backoffUntil = 0;
-      if (!stdout.trim()) return null;
-      return JSON.parse(stdout) as Record<string, unknown>;
-    } catch (err: unknown) {
-      lastErr = err;
-      const msg = String(err);
-      // Don't retry/backoff on certain errors (e.g. 404 means no messages, not a failure)
-      if (msg.includes("404")) {
-         return null;
-      }
-      if (msg.includes("403") || msg.includes("invalid_grant") || msg.includes("ETIMEDOUT") || msg.includes("500")) {
-        circuit.consecutiveFailures++;
-        circuit.lastFailureAt = Date.now();
-        if (circuit.consecutiveFailures >= CIRCUIT_CONFIG.maxFailures) {
-          const backoff = Math.min(
-            CIRCUIT_CONFIG.initialBackoffMs * Math.pow(2, circuit.consecutiveFailures - CIRCUIT_CONFIG.maxFailures),
-            CIRCUIT_CONFIG.maxBackoffMs
-          );
-          circuit.backoffUntil = Date.now() + backoff;
-        }
-        break;
-      }
-      if (i < retries - 1) {
-        await new Promise(resolve => setTimeout(resolve, 1000 * (i + 1)));
-      }
-    }
-  }
-  const error = lastErr as { stderr?: string; message?: string };
-  throw new Error(`gog failed: ${error.stderr || error.message || String(lastErr)}`);
-}
-export async function quarantineMessage(id: string, accountEmail: string, log: ChannelLogSink) {
+export async function quarantineMessage(id: string, log: ChannelLogSink, client: GmailClient) {
   try {
     // Add 'not-allow-listed', remove 'INBOX', leave UNREAD
-    await runGog(["gmail", "labels", "modify", id, "--add", "not-allow-listed", "--remove", "INBOX"], accountEmail);
-    log.info(`Quarantined message ${id} from disallowed sender (moved to not-allow-listed, removed from INBOX)`);
+    await client.modifyLabels(id, { add: [QUARANTINE_LABEL], remove: ["INBOX"] });
+    log.info(`Quarantined message ${id} from disallowed sender (moved to ${QUARANTINE_LABEL}, removed from INBOX)`);
   } catch (err) {
     log.error(`Failed to quarantine message ${id}: ${String(err)}`);
   }
 }
-async function markAsRead(id: string, threadId: string | undefined, accountEmail: string, log: ChannelLogSink) {
+async function markAsRead(id: string, threadId: string | undefined, log: ChannelLogSink, client: GmailClient) {
   try {
     // Prefer thread-level modification as it's more robust in Gmail for label propagation
     if (threadId) {
-        await runGog(["gmail", "thread", "modify", threadId, "--remove", "UNREAD"], accountEmail);
+        await client.modifyThreadLabels(threadId, { remove: ["UNREAD"] });
     } else {
-        await runGog(["gmail", "labels", "modify", id, "--remove", "UNREAD"], accountEmail);
+        await client.modifyLabels(id, { remove: ["UNREAD"] });
     }
   } catch (err) {
     log.error(`Failed to mark ${id} as read: ${String(err)}`);
@@ -186,7 +93,7 @@ async function pruneGmailSessions(account: ResolvedGmailAccount, log: ChannelLog
           if (entry.updatedAt && now - entry.updatedAt > ttlMs) {
             // Found an expired session
             const threadId = key.split(":").pop();
             // Delete associated attachments directory if it exists
             if (threadId) {
               const threadAttachmentsDir = path.join(attachmentsDir, threadId);
@@ -223,10 +130,11 @@ async function fetchMessageDetails(
   id: string,
   account: ResolvedGmailAccount,
   log: ChannelLogSink,
+  client: GmailClient,
   ignoreLabels = false
 ): Promise<InboundMessage | null> {
   try {
-    const res = await runGog(["gmail", "get", id], account.email);
+    const res = await client.getMessage(id);
     if (!res) return null;
     const message = (res.message || res) as Record<string, unknown>;
@@ -250,12 +158,13 @@ async function fetchMessageDetails(
 }
 async function downloadAttachmentsIfSmall(
-  msg: InboundMessage,
-  account: ResolvedGmailAccount,
-  log: ChannelLogSink
+  msg: InboundMessage,
+  account: ResolvedGmailAccount,
+  log: ChannelLogSink,
+  client: GmailClient,
 ): Promise<string[]> {
     if (!msg.raw || !msg.raw.payload) return [];
     const attachments = extractAttachments(msg.raw.payload);
     const downloaded: string[] = [];
@@ -269,18 +178,11 @@ async function downloadAttachmentsIfSmall(
                 const ext = path.extname(att.filename) || "";
                 const safeName = path.basename(att.filename, ext).replace(/[^a-z0-9]/gi, '_') + ext;
                 const outPath = path.join(threadAttachmentsDir, safeName);
                 await fs.mkdir(threadAttachmentsDir, { recursive: true });
-                // Use gog to download
-                await execFileAsync("gog", [
-                    "gmail", "attachment",
-                    msg.channelMessageId,
-                    att.attachmentId,
-                    "--account", account.email,
-                    "--out", outPath
-                ]);
+                await client.downloadAttachment(msg.channelMessageId, att.attachmentId, outPath);
                 downloaded.push(outPath);
                 log.info(`Auto-downloaded attachment ${att.filename} to ${outPath}`);
             } catch (err) {
@@ -295,34 +197,29 @@ async function performFullSync(
   account: ResolvedGmailAccount,
   onMessage: (msg: InboundMessage) => Promise<void>,
   signal: AbortSignal,
-  log: ChannelLogSink
+  log: ChannelLogSink,
+  client: GmailClient,
 ): Promise<string | null> {
   // Use label:INBOX label:UNREAD for the most reliable bot inbox pattern
-  // We explicitly ask for JSON output and include-body
-  const searchResult = await runGog([
-    "gmail", "messages", "search",
-    "label:INBOX label:UNREAD",
-    "--include-body",
-    "--max", "50"
-  ], account.email);
-  if (!searchResult || !Array.isArray((searchResult as any).messages)) {
-    return null;
-  }
+  const rawMessages = await client.searchMessages("label:INBOX label:UNREAD", {
+    maxResults: 50,
+    includeBody: true,
+  });
+  if (rawMessages.length === 0) return null;
-  const rawMessages = (searchResult as any).messages as GogSearchMessage[];
   const inboundMessages: InboundMessage[] = [];
   for (const raw of rawMessages) {
     if (signal.aborted) break;
     // Parse the simplified search result
     const msg = parseSearchGmail(raw, account.accountId, account.email);
     if (msg) {
       if (!isAllowed(msg.sender.id, account.allowFrom || [])) {
         log.warn(`Quarantining email from non-whitelisted sender: ${msg.sender.id}`);
-        await quarantineMessage(msg.channelMessageId, account.email, log);
+        await quarantineMessage(msg.channelMessageId, log, client);
         continue;
       }
       inboundMessages.push(msg);
@@ -338,14 +235,14 @@ async function performFullSync(
      for (const [threadId, messages] of threads) {
         if (signal.aborted) break;
         // Filter out messages we've already dispatched in this session
         const newMessages = messages.filter(msg => !dispatchedMessageIds.has(msg.channelMessageId));
         if (newMessages.length === 0) continue;
         log.info(`[Sync] Processing thread ${threadId} with ${newMessages.length} new messages`);
         newMessages.sort((a, b) => (a.timestamp || 0) - (b.timestamp || 0));
         for (const msg of newMessages) {
             if (signal.aborted) break;
@@ -353,23 +250,23 @@ async function performFullSync(
             dispatchedMessageIds.add(msg.channelMessageId);
             // To get attachments, we need the full message details (search --include-body only gives text)
-            const fullMsg = await fetchMessageDetails(msg.channelMessageId, account, log, true);
+            const fullMsg = await fetchMessageDetails(msg.channelMessageId, account, log, client, true);
             const msgToDispatch = fullMsg || msg;
             try {
                 // Auto-download small attachments
                 if (fullMsg) {
-                    const downloadedPaths = await downloadAttachmentsIfSmall(fullMsg, account, log);
+                    const downloadedPaths = await downloadAttachmentsIfSmall(fullMsg, account, log, client);
                     if (downloadedPaths.length > 0) {
-                        msgToDispatch.text += "\n\n### Auto-downloaded Files\n" +
+                        msgToDispatch.text += "\n\n### Auto-downloaded Files\n" +
                             downloadedPaths.map(p => `- \`${p}\``).join("\n");
                     }
                 }
                 await onMessage(msgToDispatch);
                 // CRITICAL: Only mark as read after successful dispatch
-                await markAsRead(msg.channelMessageId, msg.threadId, account.email, log);
+                await markAsRead(msg.channelMessageId, msg.threadId, log, client);
             } catch (err) {
                 log.error(`Failed to dispatch message ${msg.channelMessageId}, leaving as UNREAD: ${String(err)}`);
                 // Remove from dedupe so it's retried next tick
@@ -379,27 +276,23 @@ async function performFullSync(
      }
   // Get latest history ID to resume polling
-  const latest = await runGog(["gmail", "search", "label:INBOX", "--max", "1"], account.email);
+  const latest = await client.searchThreads("label:INBOX", { maxResults: 1 });
   if ((latest as any)?.threads?.[0]) {
-     // We still need a separate fetch for historyId as search result (thread list) might not have it
-     // But this is just 1 call.
-     const thread = await runGog(["gmail", "get", (latest as any).threads[0].id], account.email);
+     const thread = await client.getMessage((latest as any).threads[0].id);
      const nextId = (thread as any)?.message?.historyId || (thread as any)?.historyId || null;
      return nextId;
   }
   return null;
 }
-async function ensureQuarantineLabel(accountEmail: string, log: ChannelLogSink) {
+async function ensureQuarantineLabel(log: ChannelLogSink, client: GmailClient) {
   try {
-    const res = await runGog(["gmail", "labels", "list"], accountEmail);
-    // res.labels is likely the array from the JSON output
-    const labels = (res as any)?.labels || [];
-    const exists = labels.some((l: any) => l.name === QUARANTINE_LABEL);
+    const labels = await client.listLabels();
+    const exists = labels.some((l) => l.name === QUARANTINE_LABEL);
     if (!exists) {
       log.info(`Creating quarantine label '${QUARANTINE_LABEL}'...`);
-      await runGog(["gmail", "labels", "create", QUARANTINE_LABEL], accountEmail);
+      await client.createLabel(QUARANTINE_LABEL);
     }
   } catch (err) {
     // If this fails, quarantine attempts will also fail, but we don't block startup
@@ -413,11 +306,12 @@ export async function monitorGmail(params: {
   signal: AbortSignal;
   log: ChannelLogSink;
   setStatus: (status: any) => void;
+  client: GmailClient;
 }) {
-  const { account, onMessage, signal, log, setStatus } = params;
-  // Doctor check
-  if (!(await checkGogExists())) {
+  const { account, onMessage, signal, log, setStatus, client } = params;
+  // Doctor check — only require gog CLI for the gog backend
+  if (account.backend !== "api" && !(await GogGmailClient.checkExists())) {
     log.error("gog CLI not found in PATH. Gmail channel disabled.");
     setStatus({ accountId: account.accountId, running: false, connected: false, error: "gog CLI missing" });
     return;
@@ -426,7 +320,7 @@ export async function monitorGmail(params: {
   log.info(`Starting monitor for ${account.email}`);
   // Ensure quarantine label exists
-  await ensureQuarantineLabel(account.email, log);
+  await ensureQuarantineLabel(log, client);
   // Prune on start
   await pruneGmailSessions(account, log);
@@ -457,7 +351,7 @@ export async function monitorGmail(params: {
       isSyncing = true;
       try {
         log.debug("Performing full search sync...");
-        await performFullSync(account, onMessage, signal, log);
+        await performFullSync(account, onMessage, signal, log, client);
         setStatus({ accountId: account.accountId, running: true, connected: true, lastError: undefined });
       } finally {
         isSyncing = false;

package/src/onboarding.ts CHANGED Viewed

@@ -3,6 +3,8 @@ import { promptAccountId } from "openclaw/plugin-sdk";
 import { exec } from "node:child_process";
 import { promisify } from "node:util";
 import { listGmailAccountIds, resolveDefaultGmailAccountId } from "./accounts.js";
+import { readGogCredentials, runOAuthFlow, createOAuth2Client } from "./auth.js";
+import { ApiGmailClient } from "./api-client.js";
 const execAsync = promisify(exec);
 const channel = "gmail" as const;
@@ -69,16 +71,43 @@ async function fetchGmailName(email: string): Promise<string | undefined> {
   }
 }
+async function fetchApiDisplayName(
+  clientId: string,
+  clientSecret: string,
+  refreshToken: string,
+): Promise<string | undefined> {
+  try {
+    const auth = createOAuth2Client({ clientId, clientSecret, refreshToken });
+    const client = new ApiGmailClient(auth);
+    const sendAs = await client.getSendAs();
+    const primary = sendAs.find((s) => s.isPrimary) || sendAs[0];
+    return primary?.displayName;
+  } catch {
+    return undefined;
+  }
+}
 export const gmailOnboardingAdapter: ChannelOnboardingAdapter = {
   channel,
   getStatus: async ({ cfg }: { cfg: OpenClawConfig }) => {
     const ids = listGmailAccountIds(cfg);
     const configured = ids.length > 0;
+    const gmailConfig = (cfg.channels as any)?.gmail || {};
+    const accounts = gmailConfig.accounts || {};
+    const backends = new Set(
+      Object.values(accounts).map((a: any) => a.backend || "gog"),
+    );
+    let hint = "Gmail polling";
+    if (backends.size === 1) {
+      hint = backends.has("api") ? "Gmail API" : "gog CLI";
+    } else if (backends.size > 1) {
+      hint = "Gmail API + gog CLI";
+    }
     return {
       channel,
       configured,
       statusLines: [`Gmail: ${configured ? `${ids.length} accounts` : "not configured"}`],
-      selectionHint: "Polling via gog CLI",
+      selectionHint: hint,
       quickstartScore: configured ? 1 : 5,
     };
   },
@@ -97,22 +126,7 @@ export const gmailOnboardingAdapter: ChannelOnboardingAdapter = {
     accountOverrides: Record<string, string>;
     shouldPromptAccountIds: boolean;
   }) => {
-    if (!(await checkGogInstalled())) {
-      await prompter.note(
-        "The `gog` CLI is required for the Gmail extension.\nPlease install it and ensure it is in your PATH.",
-        "Missing Dependency"
-      );
-      throw new Error("gog CLI not found");
-    }
-    const version = await getGogVersion();
-    if (version && !isVersionAtLeast(version, MIN_GOG_VERSION)) {
-      await prompter.note(
-        `Your gog version (${version}) is below the recommended ${MIN_GOG_VERSION}.\nSome features may not work correctly.`,
-        "Version Warning"
-      );
-    }
+    // --- Account selection (unchanged) ---
     const existingIds = listGmailAccountIds(cfg);
     const gmailOverride = accountOverrides.gmail?.trim();
     const defaultAccountId = resolveDefaultGmailAccountId(cfg);
@@ -129,6 +143,7 @@ export const gmailOnboardingAdapter: ChannelOnboardingAdapter = {
       });
     }
+    // --- Email prompt (unchanged) ---
     let email = accountId.includes("@") ? accountId : undefined;
     if (!email) {
       email = await prompter.text({
@@ -136,26 +151,141 @@ export const gmailOnboardingAdapter: ChannelOnboardingAdapter = {
         validate: (val: string | undefined) => (val?.includes("@") ? undefined : "Valid email required"),
       });
     }
     if (!email) throw new Error("Email required");
-    const isAuthed = await checkGogAuth(email);
-    if (!isAuthed) {
+    // --- Detect available auth sources ---
+    const gmailConfig = (cfg.channels as any)?.gmail || {};
+    const existingAccount = gmailConfig.accounts?.[email];
+    const existingOAuth = existingAccount?.oauth;
+    const gogInstalled = await checkGogInstalled();
+    const gogCreds = readGogCredentials();
+    // --- Determine backend ---
+    let backend: "api" | "gog";
+    let clientId: string | undefined;
+    let clientSecret: string | undefined;
+    let refreshToken: string | undefined;
+    if (existingOAuth?.clientId && existingOAuth?.clientSecret && existingOAuth?.refreshToken) {
+      // Scenario D: Existing API user reconfiguring
+      backend = "api";
+      clientId = existingOAuth.clientId;
+      clientSecret = existingOAuth.clientSecret;
+      refreshToken = existingOAuth.refreshToken;
       await prompter.note(
-        `Gog CLI is not authorized for ${email}. We need to authorize it now.`,
-        "Authorization"
+        `Using existing API credentials for ${email}.`,
+        "OAuth Credentials"
       );
-      const doAuth = await prompter.confirm({
-        message: "Authorize gog now?",
+      const reAuth = await prompter.confirm({
+        message: "Re-authorize with Google? (only needed if token expired)",
+        initialValue: false,
+      });
+      if (reAuth) {
+        refreshToken = await runOAuthFlow(clientId, clientSecret);
+      }
+    } else if (gogInstalled && gogCreds) {
+      // Scenario A/C: gog installed with credentials — offer migration
+      const migrate = await prompter.confirm({
+        message: "Found gog CLI credentials. Migrate to direct API access? (recommended, one-time browser auth)",
         initialValue: true,
       });
-      if (doAuth) {
-        await authorizeGog(email);
+      if (migrate) {
+        backend = "api";
+        clientId = gogCreds.clientId;
+        clientSecret = gogCreds.clientSecret;
+        await prompter.note(
+          "Reusing your gog OAuth client credentials.\nA browser window will open for one-time authorization.",
+          "API Migration"
+        );
+        refreshToken = await runOAuthFlow(clientId, clientSecret);
       } else {
-        await prompter.note("Skipping auth. You must run `gog auth add " + email + "` manually.", "Warning");
+        backend = "gog";
+      }
+    } else if (gogInstalled) {
+      // gog installed but no credentials file — offer choice
+      const useApi = await prompter.confirm({
+        message: "Use direct Gmail API access? (recommended; otherwise uses gog CLI)",
+        initialValue: true,
+      });
+      if (useApi) {
+        backend = "api";
+      } else {
+        backend = "gog";
+      }
+    } else {
+      // Scenario B: No gog — API is the only option
+      backend = "api";
+    }
+    // --- API backend: resolve credentials and run OAuth if needed ---
+    if (backend === "api" && !refreshToken) {
+      // Need client credentials
+      if (!clientId || !clientSecret) {
+        if (gogCreds) {
+          clientId = gogCreds.clientId;
+          clientSecret = gogCreds.clientSecret;
+        } else {
+          await prompter.note(
+            "To use Gmail with OpenClaw, you need a Google Cloud OAuth client:\n" +
+            "1. Go to https://console.cloud.google.com/apis/credentials\n" +
+            "2. Create a project (or use existing)\n" +
+            "3. Enable the Gmail API\n" +
+            "4. Create OAuth 2.0 Client ID (type: Desktop app)\n" +
+            "5. Copy the Client ID and Client Secret",
+            "GCP OAuth Setup"
+          );
+          clientId = await prompter.text({
+            message: "OAuth Client ID",
+            validate: (val?: string) => (val?.trim() ? undefined : "Client ID required"),
+          });
+          clientSecret = await prompter.text({
+            message: "OAuth Client Secret",
+            validate: (val?: string) => (val?.trim() ? undefined : "Client Secret required"),
+          });
+        }
       }
+      await prompter.note(
+        "A browser window will open for Gmail authorization.",
+        "OAuth Flow"
+      );
+      refreshToken = await runOAuthFlow(clientId!, clientSecret!);
     }
+    // --- gog backend: version check + auth ---
+    if (backend === "gog") {
+      const version = await getGogVersion();
+      if (version && !isVersionAtLeast(version, MIN_GOG_VERSION)) {
+        await prompter.note(
+          `Your gog version (${version}) is below the recommended ${MIN_GOG_VERSION}.\nSome features may not work correctly.`,
+          "Version Warning"
+        );
+      }
+      const isAuthed = await checkGogAuth(email);
+      if (!isAuthed) {
+        await prompter.note(
+          `Gog CLI is not authorized for ${email}. We need to authorize it now.`,
+          "Authorization"
+        );
+        const doAuth = await prompter.confirm({
+          message: "Authorize gog now?",
+          initialValue: true,
+        });
+        if (doAuth) {
+          await authorizeGog(email);
+        } else {
+          await prompter.note("Skipping auth. You must run `gog auth add " + email + "` manually.", "Warning");
+        }
+      }
+    }
+    // --- Common prompts ---
     const allowFromRaw = await prompter.text({
       message: "Allow emails from (comma separated, * for all)",
       initialValue: "",
@@ -172,17 +302,28 @@ export const gmailOnboardingAdapter: ChannelOnboardingAdapter = {
     });
     const pollIntervalMs = parseInt(pollIntervalSecsRaw, 10) * 1000;
-    const name = await fetchGmailName(email);
+    // --- Fetch display name via appropriate backend ---
+    let name: string | undefined;
+    if (backend === "api" && clientId && clientSecret && refreshToken) {
+      name = await fetchApiDisplayName(clientId, clientSecret, refreshToken);
+    } else {
+      name = await fetchGmailName(email);
+    }
-    const accountConfig = {
+    // --- Build account config ---
+    const accountConfig: Record<string, unknown> = {
       enabled: true,
       email,
       name,
       allowFrom,
       pollIntervalMs,
+      backend,
     };
-    const gmailConfig = cfg.channels?.gmail || {};
+    if (backend === "api" && clientId && clientSecret && refreshToken) {
+      accountConfig.oauth = { clientId, clientSecret, refreshToken };
+    }
     const accounts = gmailConfig.accounts || {};
     const next = {