@plosson/agentio 0.4.4 → 0.5.1

package/src/commands/gcal.ts

@@ -9,6 +9,7 @@ import { GCalClient } from '../services/gcal/client';
 import { printGCalCalendarList, printGCalEventList, printGCalEvent, printGCalEventCreated, printGCalEventDeleted, printGCalFreeBusy } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 
 async function getGCalClient(profileName?: string): Promise<{ client: GCalClient; profile: string }> {
   const { tokens, profile } = await getValidTokens('gcal', profileName);
@@ -155,7 +156,8 @@ export function registerGCalCommands(program: Command): void {
           return { method: method as 'email' | 'popup', minutes: parseInt(minutes, 10) };
         });
 
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'create event');
         const event = await client.createEvent({
           calendarId: calendarId || 'primary',
           summary: options.summary,
@@ -210,7 +212,8 @@ export function registerGCalCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Cannot use both --attendee and --add-attendee');
         }
 
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'update event');
         const event = await client.updateEvent({
           calendarId,
           eventId,
@@ -243,7 +246,8 @@ export function registerGCalCommands(program: Command): void {
     .option('--send-updates <mode>', 'Send notifications: all, externalOnly, none', 'all')
     .action(async (calendarId: string, eventId: string, options) => {
       try {
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'delete event');
         await client.deleteEvent(calendarId, eventId, options.sendUpdates);
         printGCalEventDeleted(calendarId, eventId);
       } catch (error) {
@@ -300,7 +304,8 @@ export function registerGCalCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', `Invalid status: ${options.status}`, 'Use: accepted, declined, or tentative');
         }
 
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'respond to event');
         const event = await client.respond({
           calendarId,
           eventId,
@@ -353,6 +358,7 @@ export function registerGCalCommands(program: Command): void {
     .command('add')
     .description('Add a new Google Calendar profile')
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Starting OAuth flow for Google Calendar...\n');
@@ -371,11 +377,14 @@ export function registerGCalCommands(program: Command): void {
 
         const profileName = options.profile || email;
 
-        await setProfile('gcal', profileName);
+        await setProfile('gcal', profileName, { readOnly: options.readOnly });
         await setCredentials('gcal', profileName, { ...tokens, email });
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${email}`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
       } catch (error) {
         handleError(error);
       }

package/src/commands/gchat.ts

@@ -12,6 +12,7 @@ import { CliError, handleError } from '../utils/errors';
 import { readStdin, prompt } from '../utils/stdin';
 import { interactiveSelect } from '../utils/interactive';
 import { printGChatSendResult, printGChatMessageList, printGChatMessage, printGChatSpaceList } from '../utils/output';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GChatCredentials, GChatWebhookCredentials, GChatOAuthCredentials } from '../types/gchat';
 
 const getGChatClient = createClientGetter<GChatCredentials, GChatClient>({
@@ -95,7 +96,8 @@ export function registerGChatCommands(program: Command): void {
           }
         }
 
-        const { client } = await getGChatClient(options.profile);
+        const { client, profile } = await getGChatClient(options.profile);
+        await enforceWriteAccess('gchat', profile, 'send message');
         const result = await client.send({
           text,
           payload,
@@ -185,6 +187,7 @@ export function registerGChatCommands(program: Command): void {
     .command('add')
     .description('Add a new Google Chat profile (webhook or OAuth)')
     .option('--profile <name>', 'Profile name (required for webhook, auto-detected for OAuth)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nGoogle Chat Setup\n');
@@ -205,9 +208,9 @@ export function registerGChatCommands(program: Command): void {
               'Run: agentio gchat profile add --profile <name>'
             );
           }
-          await setupWebhookProfile(options.profile);
+          await setupWebhookProfile(options.profile, options.readOnly);
         } else {
-          await setupOAuthProfile(options.profile);
+          await setupOAuthProfile(options.profile, options.readOnly);
         }
       } catch (error) {
         handleError(error);
@@ -215,13 +218,16 @@ export function registerGChatCommands(program: Command): void {
     });
 }
 
-function printProfileSetupSuccess(profileName: string, authType: 'webhook' | 'oauth'): void {
+function printProfileSetupSuccess(profileName: string, authType: 'webhook' | 'oauth', readOnly?: boolean): void {
   const typeLabel = authType.charAt(0).toUpperCase() + authType.slice(1);
   console.log(`\nSuccess! ${typeLabel} profile "${profileName}" configured.`);
+  if (readOnly) {
+    console.log(`   Access: read-only`);
+  }
   console.log(`   Test with: agentio gchat send --profile ${profileName} "Hello from agentio"`);
 }
 
-async function setupWebhookProfile(profileName: string): Promise<void> {
+async function setupWebhookProfile(profileName: string, readOnly?: boolean): Promise<void> {
   console.error('Webhook Setup\n');
   console.error('1. In Google Chat, find or create a space');
   console.error('2. Go to Space Settings → Webhooks');
@@ -264,13 +270,13 @@ async function setupWebhookProfile(profileName: string): Promise<void> {
     webhookUrl: webhookUrl,
   };
 
-  await setProfile('gchat', profileName);
+  await setProfile('gchat', profileName, { readOnly });
   await setCredentials('gchat', profileName, credentials);
 
-  printProfileSetupSuccess(profileName, 'webhook');
+  printProfileSetupSuccess(profileName, 'webhook', readOnly);
 }
 
-async function setupOAuthProfile(profileNameOverride?: string): Promise<void> {
+async function setupOAuthProfile(profileNameOverride?: string, readOnly?: boolean): Promise<void> {
   console.error('OAuth Setup\n');
   console.error('Starting OAuth flow for Google Chat profile...\n');
 
@@ -320,8 +326,8 @@ async function setupOAuthProfile(profileNameOverride?: string): Promise<void> {
     email: userEmail,
   };
 
-  await setProfile('gchat', profileName);
+  await setProfile('gchat', profileName, { readOnly });
   await setCredentials('gchat', profileName, credentials);
 
-  printProfileSetupSuccess(profileName, 'oauth');
+  printProfileSetupSuccess(profileName, 'oauth', readOnly);
 }

package/src/commands/gdocs.ts

@@ -11,6 +11,7 @@ import { GDocsClient } from '../services/gdocs/client';
 import { printGDocsList, printGDocCreated, raw } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GDocsCredentials } from '../types/gdocs';
 
 const getGDocsClient = createClientGetter<GDocsCredentials, GDocsClient>({
@@ -77,7 +78,8 @@ export function registerGDocsCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'No content provided', 'Provide --content or pipe markdown via stdin');
         }
 
-        const { client } = await getGDocsClient(options.profile);
+        const { client, profile } = await getGDocsClient(options.profile);
+        await enforceWriteAccess('gdocs', profile, 'create document');
         const result = await client.create(options.title, content, options.folder);
 
         printGDocCreated(result);
@@ -138,6 +140,7 @@ Query Syntax Examples:
     .command('add')
     .description('Add a new Google Docs profile')
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Starting OAuth flow for Google Docs...\n');
@@ -174,11 +177,14 @@ Query Syntax Examples:
           email: userEmail,
         };
 
-        await setProfile('gdocs', profileName);
+        await setProfile('gdocs', profileName, { readOnly: options.readOnly });
         await setCredentials('gdocs', profileName, credentials);
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${userEmail}`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
         console.log(`   Test with: agentio gdocs list --profile ${profileName}`);
       } catch (error) {
         handleError(error);

package/src/commands/gdrive.ts

@@ -10,6 +10,7 @@ import { GDriveClient } from '../services/gdrive/client';
 import { printGDriveFileList, printGDriveFile, printGDriveDownloaded, printGDriveUploaded } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { prompt } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GDriveCredentials, GDriveAccessLevel } from '../types/gdrive';
 
 const getGDriveClient = createClientGetter<GDriveCredentials, GDriveClient>({
@@ -189,7 +190,8 @@ Examples:
 `)
     .action(async (filePath: string, options) => {
       try {
-        const { client } = await getGDriveClient(options.profile);
+        const { client, profile } = await getGDriveClient(options.profile);
+        await enforceWriteAccess('gdrive', profile, 'upload file');
         const result = await client.upload({
           filePath,
           name: options.name,
@@ -220,6 +222,7 @@ Examples:
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
     .option('--readonly', 'Create a read-only profile (skip access level prompt)')
     .option('--full', 'Create a full access profile (skip access level prompt)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Google Drive Setup\n');
@@ -274,12 +277,15 @@ Examples:
           accessLevel,
         };
 
-        await setProfile('gdrive', profileName);
+        await setProfile('gdrive', profileName, { readOnly: options.readOnly });
         await setCredentials('gdrive', profileName, credentials);
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${userEmail}`);
-        console.log(`   Access: ${accessLevel === 'full' ? 'Full (read & write)' : 'Read-only'}`);
+        console.log(`   API Access: ${accessLevel === 'full' ? 'Full (read & write)' : 'Read-only'}`);
+        if (options.readOnly) {
+          console.log(`   Profile Access: read-only`);
+        }
         console.log(`   Test with: agentio gdrive list --profile ${profileName}`);
       } catch (error) {
         handleError(error);

package/src/commands/github.ts

@@ -7,6 +7,7 @@ import { GitHubClient } from '../services/github/client';
 import { performGitHubOAuthFlow } from '../auth/github-oauth';
 import { generateExportData } from './config';
 import { CliError, handleError } from '../utils/errors';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GitHubCredentials } from '../types/github';
 
 const getGitHubClient = createClientGetter<GitHubCredentials, GitHubClient>({
@@ -42,6 +43,7 @@ export function registerGitHubCommands(program: Command): void {
         parseRepo(repo);
 
         const { client, profile } = await getGitHubClient(options.profile);
+        await enforceWriteAccess('github', profile, 'install secrets');
 
         console.error(`Using GitHub profile: ${profile}`);
         console.error(`Installing secrets to: ${repo}`);
@@ -77,6 +79,7 @@ export function registerGitHubCommands(program: Command): void {
         parseRepo(repo);
 
         const { client, profile } = await getGitHubClient(options.profile);
+        await enforceWriteAccess('github', profile, 'uninstall secrets');
 
         console.error(`Using GitHub profile: ${profile}`);
         console.error(`Removing secrets from: ${repo}`);
@@ -105,6 +108,7 @@ export function registerGitHubCommands(program: Command): void {
     .command('add')
     .description('Add a new GitHub profile')
     .option('--profile <name>', 'Profile name (auto-detected from username if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nGitHub Setup\n');
@@ -133,10 +137,13 @@ export function registerGitHubCommands(program: Command): void {
         console.error(`\nAuthenticated as: ${user.login}${user.email ? ` (${user.email})` : ''}`);
 
         // Save credentials
-        await setProfile('github', profileName);
+        await setProfile('github', profileName, { readOnly: options.readOnly });
         await setCredentials('github', profileName, credentials);
 
         console.log(`\nProfile "${profileName}" configured!`);
+        if (options.readOnly) {
+          console.log(`  Access: read-only`);
+        }
         console.log(`  Install secrets: agentio github install owner/repo --profile ${profileName}`);
       } catch (error) {
         handleError(error);

package/src/commands/gmail.ts

@@ -11,6 +11,7 @@ import { GmailClient } from '../services/gmail/client';
 import { printMessageList, printMessage, printSendResult, printArchived, printMarked, printAttachmentList, printAttachmentDownloaded, raw } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GmailAttachment } from '../types/gmail';
 
 function escapeHtml(text: string): string {
@@ -228,7 +229,8 @@ Query Syntax Examples:
             ? [...regularAttachments, ...inlineAttachments]
             : undefined;
 
-        const { client } = await getGmailClient(options.profile);
+        const { client, profile } = await getGmailClient(options.profile);
+        await enforceWriteAccess('gmail', profile, 'send email');
         const result = await client.send({
           to: options.to,
           cc: options.cc.length ? options.cc : undefined,
@@ -263,7 +265,8 @@ Query Syntax Examples:
           throw new CliError('INVALID_PARAMS', 'Body is required. Use --body or pipe via stdin.');
         }
 
-        const { client } = await getGmailClient(options.profile);
+        const { client, profile } = await getGmailClient(options.profile);
+        await enforceWriteAccess('gmail', profile, 'reply to email');
         const result = await client.reply({
           threadId: options.threadId,
           body,
@@ -282,7 +285,8 @@ Query Syntax Examples:
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (messageIds: string[], options) => {
       try {
-        const { client } = await getGmailClient(options.profile);
+        const { client, profile } = await getGmailClient(options.profile);
+        await enforceWriteAccess('gmail', profile, 'archive email');
         for (const messageId of messageIds) {
           await client.archive(messageId);
           printArchived(messageId);
@@ -308,7 +312,8 @@ Query Syntax Examples:
           throw new CliError('INVALID_PARAMS', 'Cannot specify both --read and --unread');
         }
 
-        const { client } = await getGmailClient(options.profile);
+        const { client, profile } = await getGmailClient(options.profile);
+        await enforceWriteAccess('gmail', profile, 'mark email');
         for (const messageId of messageIds) {
           await client.mark(messageId, options.read);
           printMarked(messageId, options.read);
@@ -458,6 +463,7 @@ ${emailHeader}
     .command('add')
     .description('Add a new Gmail profile')
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Starting OAuth flow for Gmail...\n');
@@ -476,11 +482,14 @@ ${emailHeader}
 
         const profileName = options.profile || email;
 
-        await setProfile('gmail', profileName);
+        await setProfile('gmail', profileName, { readOnly: options.readOnly });
         await setCredentials('gmail', profileName, { ...tokens, email });
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${email}`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
       } catch (error) {
         handleError(error);
       }

package/src/commands/gsheets.ts

@@ -18,6 +18,7 @@ import {
   printGSheetsCreated,
 } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GSheetsCredentials } from '../types/gsheets';
 
 const getGSheetsClient = createClientGetter<GSheetsCredentials, GSheetsClient>({
@@ -152,7 +153,8 @@ Input Options:
     .action(async (spreadsheetId: string, range: string, valueArgs: string[], options) => {
       try {
         const values = parseValues(valueArgs, options.valuesJson);
-        const { client } = await getGSheetsClient(options.profile);
+        const { client, profile } = await getGSheetsClient(options.profile);
+        await enforceWriteAccess('gsheets', profile, 'update values');
         const result = await client.update(spreadsheetId, range, values, {
           valueInputOption: options.input,
         });
@@ -192,7 +194,8 @@ Insert Options:
     .action(async (spreadsheetId: string, range: string, valueArgs: string[], options) => {
       try {
         const values = parseValues(valueArgs, options.valuesJson);
-        const { client } = await getGSheetsClient(options.profile);
+        const { client, profile } = await getGSheetsClient(options.profile);
+        await enforceWriteAccess('gsheets', profile, 'append values');
         const result = await client.append(spreadsheetId, range, values, {
           valueInputOption: options.input,
           insertDataOption: options.insert,
@@ -211,7 +214,8 @@ Insert Options:
     .option('--profile <name>', 'Profile name')
     .action(async (spreadsheetId: string, range: string, options) => {
       try {
-        const { client } = await getGSheetsClient(options.profile);
+        const { client, profile } = await getGSheetsClient(options.profile);
+        await enforceWriteAccess('gsheets', profile, 'clear values');
         const result = await client.clear(spreadsheetId, range);
         printGSheetsClearResult(result);
       } catch (error) {
@@ -242,7 +246,8 @@ Insert Options:
     .option('--sheets <names>', 'Comma-separated sheet names to create')
     .action(async (title: string, options) => {
       try {
-        const { client } = await getGSheetsClient(options.profile);
+        const { client, profile } = await getGSheetsClient(options.profile);
+        await enforceWriteAccess('gsheets', profile, 'create spreadsheet');
         const sheetNames = options.sheets ? options.sheets.split(',').map((n: string) => n.trim()) : undefined;
         const result = await client.create(title, sheetNames);
         printGSheetsCreated(result);
@@ -260,7 +265,8 @@ Insert Options:
     .option('--parent <folder-id>', 'Destination folder ID')
     .action(async (spreadsheetId: string, title: string, options) => {
       try {
-        const { client } = await getGSheetsClient(options.profile);
+        const { client, profile } = await getGSheetsClient(options.profile);
+        await enforceWriteAccess('gsheets', profile, 'copy spreadsheet');
         const result = await client.copy(spreadsheetId, title, options.parent);
         printGSheetsCreated(result);
       } catch (error) {
@@ -320,6 +326,7 @@ Examples:
     .command('add')
     .description('Add a new Google Sheets profile')
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Starting OAuth flow for Google Sheets...\n');
@@ -352,11 +359,14 @@ Examples:
           email: userEmail,
         };
 
-        await setProfile('gsheets', profileName);
+        await setProfile('gsheets', profileName, { readOnly: options.readOnly });
         await setCredentials('gsheets', profileName, credentials);
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${userEmail}`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
         console.log(`   Test with: agentio gsheets list --profile ${profileName}`);
       } catch (error) {
         handleError(error);

package/src/commands/gtasks.ts

@@ -19,6 +19,7 @@ import {
 } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 
 async function getGTasksClient(profileName?: string): Promise<{ client: GTasksClient; profile: string }> {
   const { tokens, profile } = await getValidTokens('gtasks', profileName);
@@ -60,7 +61,8 @@ export function registerGTasksCommands(program: Command): void {
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (title: string, options) => {
       try {
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'create task list');
         const taskList = await client.createTaskList(title);
         printGTaskListCreated(taskList);
       } catch (error) {
@@ -75,7 +77,8 @@ export function registerGTasksCommands(program: Command): void {
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (tasklistId: string, options) => {
       try {
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'delete task list');
         await client.deleteTaskList(tasklistId);
         printGTaskListDeleted(tasklistId);
       } catch (error) {
@@ -146,7 +149,8 @@ export function registerGTasksCommands(program: Command): void {
           if (stdin) notes = stdin;
         }
 
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'create task');
         const task = await client.createTask({
           tasklistId,
           title: options.title,
@@ -182,7 +186,8 @@ export function registerGTasksCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', `Invalid status: ${options.status}`, 'Use: needsAction or completed');
         }
 
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'update task');
         const task = await client.updateTask({
           tasklistId,
           taskId,
@@ -205,7 +210,8 @@ export function registerGTasksCommands(program: Command): void {
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (tasklistId: string, taskId: string, options) => {
       try {
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'complete task');
         const task = await client.completeTask(tasklistId, taskId);
         console.log(`Task completed: ${task.title}`);
         console.log(`ID: ${task.id}`);
@@ -223,7 +229,8 @@ export function registerGTasksCommands(program: Command): void {
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (tasklistId: string, taskId: string, options) => {
       try {
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'uncomplete task');
         const task = await client.uncompleteTask(tasklistId, taskId);
         console.log(`Task uncompleted: ${task.title}`);
         console.log(`ID: ${task.id}`);
@@ -240,7 +247,8 @@ export function registerGTasksCommands(program: Command): void {
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (tasklistId: string, taskId: string, options) => {
       try {
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'delete task');
         await client.deleteTask(tasklistId, taskId);
         printGTaskDeleted(tasklistId, taskId);
       } catch (error) {
@@ -255,7 +263,8 @@ export function registerGTasksCommands(program: Command): void {
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (tasklistId: string, options) => {
       try {
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'clear tasks');
         await client.clearCompleted(tasklistId);
         printGTasksCleared(tasklistId);
       } catch (error) {
@@ -275,7 +284,8 @@ export function registerGTasksCommands(program: Command): void {
         if (!options.parent && !options.previous) {
           throw new CliError('INVALID_PARAMS', 'At least one of --parent or --previous is required');
         }
-        const { client } = await getGTasksClient(options.profile);
+        const { client, profile } = await getGTasksClient(options.profile);
+        await enforceWriteAccess('gtasks', profile, 'move task');
         const task = await client.moveTask(tasklistId, taskId, options.parent, options.previous);
         console.log(`Task moved: ${task.title}`);
         console.log(`ID: ${task.id}`);
@@ -296,6 +306,7 @@ export function registerGTasksCommands(program: Command): void {
     .command('add')
     .description('Add a new Google Tasks profile')
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Starting OAuth flow for Google Tasks...\n');
@@ -314,11 +325,14 @@ export function registerGTasksCommands(program: Command): void {
 
         const profileName = options.profile || email;
 
-        await setProfile('gtasks', profileName);
+        await setProfile('gtasks', profileName, { readOnly: options.readOnly });
         await setCredentials('gtasks', profileName, { ...tokens, email });
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${email}`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
       } catch (error) {
         handleError(error);
       }

package/src/commands/jira.ts

@@ -7,6 +7,7 @@ import { JiraClient } from '../services/jira/client';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin } from '../utils/stdin';
 import { interactiveSelect } from '../utils/interactive';
+import { enforceWriteAccess } from '../utils/read-only';
 import {
   printJiraProjectList,
   printJiraIssueList,
@@ -163,7 +164,8 @@ export function registerJiraCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Comment body is required. Provide as argument or pipe via stdin.');
         }
 
-        const { client } = await getJiraClient(options.profile);
+        const { client, profile } = await getJiraClient(options.profile);
+        await enforceWriteAccess('jira', profile, 'add comment');
         const result = await client.addComment(issueKey, text);
         printJiraCommentResult(result);
       } catch (error) {
@@ -196,7 +198,8 @@ export function registerJiraCommands(program: Command): void {
     .option('--profile <name>', 'Profile name (optional if only one profile exists)')
     .action(async (issueKey: string, transitionId: string, options) => {
       try {
-        const { client } = await getJiraClient(options.profile);
+        const { client, profile } = await getJiraClient(options.profile);
+        await enforceWriteAccess('jira', profile, 'transition issue');
         const result = await client.transitionIssue(issueKey, transitionId);
         printJiraTransitionResult(result);
       } catch (error) {
@@ -215,6 +218,7 @@ export function registerJiraCommands(program: Command): void {
     .command('add')
     .description('Add a new JIRA profile with OAuth authentication')
     .option('--profile <name>', 'Profile name (auto-detected from site URL if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nJIRA OAuth Setup\n');
@@ -248,10 +252,13 @@ export function registerJiraCommands(program: Command): void {
           siteUrl: result.siteUrl,
         };
 
-        await setProfile('jira', profileName);
+        await setProfile('jira', profileName, { readOnly: options.readOnly });
         await setCredentials('jira', profileName, credentials);
 
         console.log(`\nProfile "${profileName}" configured!`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
         console.log(`   Test with: agentio jira projects --profile ${profileName}`);
       } catch (error) {
         handleError(error);

package/src/commands/slack.ts

@@ -8,6 +8,7 @@ import { SlackClient } from '../services/slack/client';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin, prompt } from '../utils/stdin';
 import { printSlackSendResult } from '../utils/output';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { SlackCredentials, SlackWebhookCredentials } from '../types/slack';
 
 const getSlackClient = createClientGetter<SlackCredentials, SlackClient>({
@@ -89,7 +90,8 @@ export function registerSlackCommands(program: Command): void {
           }
         }
 
-        const { client } = await getSlackClient(options.profile);
+        const { client, profile } = await getSlackClient(options.profile);
+        await enforceWriteAccess('slack', profile, 'send message');
         const result = await client.send({
           text,
           payload,
@@ -112,16 +114,17 @@ export function registerSlackCommands(program: Command): void {
     .command('add')
     .description('Add a new Slack profile (webhook)')
     .requiredOption('--profile <name>', 'Profile name (required)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
-        await setupWebhookProfile(options.profile);
+        await setupWebhookProfile(options.profile, options.readOnly);
       } catch (error) {
         handleError(error);
       }
     });
 }
 
-async function setupWebhookProfile(profileName: string): Promise<void> {
+async function setupWebhookProfile(profileName: string, readOnly?: boolean): Promise<void> {
   console.error('\nSlack Webhook Setup\n');
   console.error('1. Go to https://api.slack.com/apps and create a new app (or use existing)');
   console.error('2. Enable "Incoming Webhooks" in Features');
@@ -177,9 +180,12 @@ async function setupWebhookProfile(profileName: string): Promise<void> {
     channelName: channelName || undefined,
   };
 
-  await setProfile('slack', profileName);
+  await setProfile('slack', profileName, { readOnly });
   await setCredentials('slack', profileName, credentials);
 
   console.log(`\nSuccess! Webhook profile "${profileName}" configured.`);
+  if (readOnly) {
+    console.log(`   Access: read-only`);
+  }
   console.log(`   Test with: agentio slack send --profile ${profileName} "Hello from agentio"`);
 }