@squadbase/vite-server 0.1.7-dev.7 → 0.1.8-dev.468a970

package/dist/connectors/gmail.js

@@ -42,71 +42,28 @@ var ParameterDefinition = class {
   }
 };
 
-// ../connectors/src/connectors/gmail/sdk/index.ts
-import * as crypto from "crypto";
-
 // ../connectors/src/connectors/gmail/parameters.ts
 var parameters = {
   serviceAccountKeyJsonBase64: new ParameterDefinition({
     slug: "service-account-key-json-base64",
     name: "Google Cloud Service Account JSON",
-    description: "The service account JSON key used to authenticate with Google Cloud Platform. The service account must have domain-wide delegation enabled and be granted the Gmail API scope in Google Workspace admin.",
+    description: "The service account JSON key. Domain-wide Delegation must be authorized in the Google Workspace admin console for the Gmail API scope. The user to impersonate is supplied per call as the `subject` argument.",
     envVarBaseKey: "GMAIL_SERVICE_ACCOUNT_JSON_BASE64",
     type: "base64EncodedJson",
     secret: true,
     required: true
   })
 };
-var delegatedUserEmailParameter = new ParameterDefinition({
-  slug: "delegated-user-email",
-  name: "Delegated User Email",
-  description: "The email address of the Google Workspace user whose Gmail mailbox the service account will access via domain-wide delegation. Collected during the setup flow.",
-  envVarBaseKey: "GMAIL_DELEGATED_USER_EMAIL",
-  type: "text",
-  secret: false,
-  required: false
-});
 
 // ../connectors/src/connectors/gmail/sdk/index.ts
-var TOKEN_URL = "https://oauth2.googleapis.com/token";
 var BASE_URL = "https://gmail.googleapis.com/gmail/v1/users";
-var SCOPE = "https://www.googleapis.com/auth/gmail.readonly";
-function base64url(input) {
-  const buf = typeof input === "string" ? Buffer.from(input) : input;
-  return buf.toString("base64url");
-}
-function buildJwt(clientEmail, privateKey, subject, nowSec) {
-  const header = base64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
-  const payload = base64url(
-    JSON.stringify({
-      iss: clientEmail,
-      sub: subject,
-      scope: SCOPE,
-      aud: TOKEN_URL,
-      iat: nowSec,
-      exp: nowSec + 3600
-    })
-  );
-  const signingInput = `${header}.${payload}`;
-  const sign = crypto.createSign("RSA-SHA256");
-  sign.update(signingInput);
-  sign.end();
-  const signature = base64url(sign.sign(privateKey));
-  return `${signingInput}.${signature}`;
-}
 function createClient(params) {
   const serviceAccountKeyJsonBase64 = params[parameters.serviceAccountKeyJsonBase64.slug];
-  const delegatedUserEmail = params[delegatedUserEmailParameter.slug];
   if (!serviceAccountKeyJsonBase64) {
     throw new Error(
       `gmail: missing required parameter: ${parameters.serviceAccountKeyJsonBase64.slug}`
     );
   }
-  if (!delegatedUserEmail) {
-    throw new Error(
-      `gmail: missing required parameter: ${delegatedUserEmailParameter.slug}`
-    );
-  }
   let serviceAccountKey;
   try {
     const decoded = Buffer.from(
@@ -124,143 +81,28 @@ function createClient(params) {
       "gmail: service account key JSON must contain client_email and private_key"
     );
   }
-  let cachedToken = null;
-  let tokenExpiresAt = 0;
-  async function getAccessToken() {
-    const nowSec = Math.floor(Date.now() / 1e3);
-    if (cachedToken && nowSec < tokenExpiresAt - 60) {
-      return cachedToken;
-    }
-    const jwt = buildJwt(
-      serviceAccountKey.client_email,
-      serviceAccountKey.private_key,
-      delegatedUserEmail,
-      nowSec
-    );
-    const response = await fetch(TOKEN_URL, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
-        assertion: jwt
-      })
-    });
-    if (!response.ok) {
-      const text = await response.text();
-      throw new Error(
-        `gmail: token exchange failed (${response.status}): ${text}`
-      );
-    }
-    const data = await response.json();
-    cachedToken = data.access_token;
-    tokenExpiresAt = nowSec + data.expires_in;
-    return cachedToken;
-  }
-  async function request(path2, init) {
-    const accessToken = await getAccessToken();
-    const url = `${BASE_URL}${path2.startsWith("/") ? "" : "/"}${path2}`;
-    const headers = new Headers(init?.headers);
-    headers.set("Authorization", `Bearer ${accessToken}`);
-    return fetch(url, { ...init, headers });
-  }
-  async function getProfile() {
-    const response = await request("/me/profile");
-    if (!response.ok) {
-      const body = await response.text();
-      throw new Error(
-        `gmail: getProfile failed (${response.status}): ${body}`
-      );
-    }
-    return await response.json();
-  }
-  async function listLabels() {
-    const response = await request("/me/labels");
-    if (!response.ok) {
-      const body = await response.text();
-      throw new Error(
-        `gmail: listLabels failed (${response.status}): ${body}`
-      );
-    }
-    return await response.json();
-  }
-  async function listMessages(options) {
-    const params2 = new URLSearchParams();
-    if (options?.q) params2.set("q", options.q);
-    if (options?.maxResults) params2.set("maxResults", String(options.maxResults));
-    if (options?.pageToken) params2.set("pageToken", options.pageToken);
-    if (options?.labelIds) {
-      for (const labelId of options.labelIds) {
-        params2.append("labelIds", labelId);
-      }
-    }
-    const qs = params2.toString();
-    const response = await request(`/me/messages${qs ? `?${qs}` : ""}`);
-    if (!response.ok) {
-      const body = await response.text();
-      throw new Error(
-        `gmail: listMessages failed (${response.status}): ${body}`
-      );
-    }
-    return await response.json();
-  }
-  async function getMessage(messageId, format) {
-    const p = new URLSearchParams();
-    if (format) p.set("format", format);
-    const qs = p.toString();
-    const response = await request(
-      `/me/messages/${encodeURIComponent(messageId)}${qs ? `?${qs}` : ""}`
-    );
-    if (!response.ok) {
-      const body = await response.text();
-      throw new Error(
-        `gmail: getMessage failed (${response.status}): ${body}`
-      );
-    }
-    return await response.json();
-  }
-  async function listThreads(options) {
-    const params2 = new URLSearchParams();
-    if (options?.q) params2.set("q", options.q);
-    if (options?.maxResults) params2.set("maxResults", String(options.maxResults));
-    if (options?.pageToken) params2.set("pageToken", options.pageToken);
-    if (options?.labelIds) {
-      for (const labelId of options.labelIds) {
-        params2.append("labelIds", labelId);
+  return {
+    async requestWithDelegation(path2, { subject, scopes, init }) {
+      const { GoogleAuth } = await import("google-auth-library");
+      const auth = new GoogleAuth({
+        credentials: {
+          client_email: serviceAccountKey.client_email,
+          private_key: serviceAccountKey.private_key
+        },
+        scopes,
+        clientOptions: { subject }
+      });
+      const token = await auth.getAccessToken();
+      if (!token) {
+        throw new Error(
+          `gmail: failed to obtain access token for ${subject}`
+        );
       }
+      const url = `${BASE_URL}${path2.startsWith("/") ? "" : "/"}${path2}`;
+      const headers = new Headers(init?.headers);
+      headers.set("Authorization", `Bearer ${token}`);
+      return fetch(url, { ...init, headers });
     }
-    const qs = params2.toString();
-    const response = await request(`/me/threads${qs ? `?${qs}` : ""}`);
-    if (!response.ok) {
-      const body = await response.text();
-      throw new Error(
-        `gmail: listThreads failed (${response.status}): ${body}`
-      );
-    }
-    return await response.json();
-  }
-  async function getThread(threadId, format) {
-    const p = new URLSearchParams();
-    if (format) p.set("format", format);
-    const qs = p.toString();
-    const response = await request(
-      `/me/threads/${encodeURIComponent(threadId)}${qs ? `?${qs}` : ""}`
-    );
-    if (!response.ok) {
-      const body = await response.text();
-      throw new Error(
-        `gmail: getThread failed (${response.status}): ${body}`
-      );
-    }
-    return await response.json();
-  }
-  return {
-    request,
-    getProfile,
-    listLabels,
-    listMessages,
-    getMessage,
-    listThreads,
-    getThread
   };
 }
 
@@ -411,22 +253,33 @@ var AUTH_TYPES = {
   USER_PASSWORD: "user-password"
 };
 
-// ../connectors/src/connectors/gmail/tools/request.ts
+// ../connectors/src/connectors/gmail/tools/request-with-delegation.ts
 import { z } from "zod";
 var BASE_URL2 = "https://gmail.googleapis.com/gmail/v1/users";
 var REQUEST_TIMEOUT_MS = 6e4;
+function decodeServiceAccount(keyJsonBase64) {
+  const decoded = Buffer.from(keyJsonBase64, "base64").toString("utf-8");
+  return JSON.parse(decoded);
+}
 var inputSchema = z.object({
   toolUseIntent: z.string().optional().describe(
     "Brief description of what you intend to accomplish with this tool call"
   ),
   connectionId: z.string().describe("ID of the Gmail service account connection to use"),
-  method: z.enum(["GET"]).describe("HTTP method (read-only, GET only)"),
+  method: z.enum(["GET", "POST", "PUT", "PATCH", "DELETE"]).describe("HTTP method"),
   path: z.string().describe(
-    "API path appended to https://gmail.googleapis.com/gmail/v1/users (e.g., '/me/messages', '/me/messages/{id}', '/me/labels'). Use '/me' as the userId."
+    "API path appended to https://gmail.googleapis.com/gmail/v1/users (e.g., '/me/messages', '/me/messages/{id}', '/me/labels'). Use '/me' as the userId \u2014 the impersonated user."
+  ),
+  subject: z.string().describe(
+    "Email of the Workspace user to impersonate via Domain-wide Delegation. The token will be issued as this user."
+  ),
+  scopes: z.array(z.string()).describe(
+    "OAuth scopes the token must include. This connector currently supports read-only operations only \u2014 pass ['https://www.googleapis.com/auth/gmail.readonly']. Per-endpoint scope reference: https://developers.google.com/gmail/api/auth/scopes"
   ),
   queryParams: z.record(z.string(), z.string()).optional().describe(
     "Query parameters to append to the URL (e.g., { q: 'from:example@gmail.com', maxResults: '10' })"
-  )
+  ),
+  body: z.record(z.string(), z.unknown()).optional().describe("JSON request body for POST/PUT/PATCH")
 });
 var outputSchema = z.discriminatedUnion("success", [
   z.object({
@@ -436,17 +289,16 @@ var outputSchema = z.discriminatedUnion("success", [
   }),
   z.object({
     success: z.literal(false),
-    error: z.string()
+    error: z.string(),
+    serviceAccountEmail: z.string().optional()
   })
 ]);
-var requestTool = new ConnectorTool({
-  name: "request",
-  description: `Send authenticated GET requests to the Gmail API v1.
-Authentication is handled automatically using a service account with domain-wide delegation.
-All paths are relative to https://gmail.googleapis.com/gmail/v1/users. Use '/me' as the userId prefix (e.g., '/me/messages').`,
+var requestWithDelegationTool = new ConnectorTool({
+  name: "request_with_delegation",
+  description: "Call the Gmail API on behalf of the specified Workspace user via Domain-wide Delegation. Read-only operations only. Pass `subject` as the target user email and `scopes` as ['https://www.googleapis.com/auth/gmail.readonly']. Paths are relative to https://gmail.googleapis.com/gmail/v1/users \u2014 use '/me' as the userId prefix (e.g., '/me/messages'). Requires DwD to be authorized for the service account in the Workspace admin console.",
   inputSchema,
   outputSchema,
-  async execute({ connectionId, method, path: path2, queryParams }, connections) {
+  async execute({ connectionId, method, path: path2, subject, scopes, queryParams, body }, connections) {
     const connection2 = connections.find((c) => c.id === connectionId);
     if (!connection2) {
       return {
@@ -454,28 +306,37 @@ All paths are relative to https://gmail.googleapis.com/gmail/v1/users. Use '/me'
         error: `Connection ${connectionId} not found`
       };
     }
+    const keyJsonBase64 = parameters.serviceAccountKeyJsonBase64.getValue(connection2);
+    let serviceAccount;
+    try {
+      serviceAccount = decodeServiceAccount(keyJsonBase64);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        error: `Failed to decode service account key: ${msg}`
+      };
+    }
+    const serviceAccountEmail = serviceAccount.client_email;
     console.log(
-      `[connector-request] gmail/${connection2.name}: ${method} ${path2}`
+      `[connector-request] gmail/${connection2.name}: ${method} ${path2} subject=${subject}`
     );
     try {
       const { GoogleAuth } = await import("google-auth-library");
-      const keyJsonBase64 = parameters.serviceAccountKeyJsonBase64.getValue(connection2);
-      const delegatedUserEmail = delegatedUserEmailParameter.getValue(connection2);
-      const credentials = JSON.parse(
-        Buffer.from(keyJsonBase64, "base64").toString("utf-8")
-      );
       const auth = new GoogleAuth({
-        credentials,
-        scopes: ["https://www.googleapis.com/auth/gmail.readonly"],
-        clientOptions: {
-          subject: delegatedUserEmail
-        }
+        credentials: {
+          client_email: serviceAccount.client_email,
+          private_key: serviceAccount.private_key
+        },
+        scopes,
+        clientOptions: { subject }
       });
       const token = await auth.getAccessToken();
       if (!token) {
         return {
           success: false,
-          error: "Failed to obtain access token"
+          error: "Failed to obtain access token",
+          serviceAccountEmail
         };
       }
       let url = `${BASE_URL2}${path2.startsWith("/") ? "" : "/"}${path2}`;
@@ -486,18 +347,25 @@ All paths are relative to https://gmail.googleapis.com/gmail/v1/users. Use '/me'
       const controller = new AbortController();
       const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
       try {
+        const hasBody = body != null && ["POST", "PUT", "PATCH"].includes(method);
         const response = await fetch(url, {
           method,
           headers: {
             Authorization: `Bearer ${token}`,
             "Content-Type": "application/json"
           },
+          body: hasBody ? JSON.stringify(body) : void 0,
           signal: controller.signal
         });
-        const data = await response.json();
+        const data = await response.json().catch(() => ({}));
         if (!response.ok) {
-          const errorMessage = typeof data?.error === "string" ? data.error : typeof data?.message === "string" ? data.message : `HTTP ${response.status} ${response.statusText}`;
-          return { success: false, error: errorMessage };
+          const errorObj = data?.error;
+          const errorMessage = errorObj?.message ?? (typeof data?.message === "string" ? data.message : `HTTP ${response.status} ${response.statusText}`);
+          return {
+            success: false,
+            error: errorMessage,
+            serviceAccountEmail
+          };
         }
         return { success: true, status: response.status, data };
       } finally {
@@ -505,79 +373,92 @@ All paths are relative to https://gmail.googleapis.com/gmail/v1/users. Use '/me'
       }
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
-      return { success: false, error: msg };
+      return {
+        success: false,
+        error: msg,
+        serviceAccountEmail
+      };
     }
   }
 });
 
 // ../connectors/src/connectors/gmail/setup.ts
-var requestToolName = `gmail-service-account_${requestTool.name}`;
+var requestWithDelegationToolName = `gmail-service-account_${requestWithDelegationTool.name}`;
+var READONLY_SCOPES = '["https://www.googleapis.com/auth/gmail.readonly"]';
 var gmailOnboarding = new ConnectorOnboarding({
   connectionSetupInstructions: {
-    ja: `\u4EE5\u4E0B\u306E\u624B\u9806\u3067Gmail\uFF08\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\uFF09\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306E\u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u3092\u884C\u3063\u3066\u304F\u3060\u3055\u3044\u3002\u63A5\u7D9A\u4F5C\u6210\u6642\u306B\u306F\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8JSON\u306E\u307F\u304C\u8A2D\u5B9A\u6E08\u307F\u3067\u3001\u59D4\u4EFB\u5BFE\u8C61\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u3053\u306E\u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u4E2D\u306B\u53D6\u5F97\u3057\u307E\u3059\u3002
+    ja: `Gmail\uFF08\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\uFF09\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306E\u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u3092\u884C\u3044\u307E\u3059\u3002\u30A2\u30AF\u30BB\u30B9\u5BFE\u8C61\u306E Workspace \u30E6\u30FC\u30B6\u30FC\u3092\u30E6\u30FC\u30B6\u30FC\u304B\u3089\u805E\u304D\u3001Project Knowledge \u306B\u8A18\u9332\u3057\u307E\u3059\u3002
 
-1. \`askUserQuestion\` \u3067\u3001\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\u304CDomain-wide Delegation\u3067\u4EE3\u7406\u30A2\u30AF\u30BB\u30B9\u3059\u308BGoogle Workspace\u30E6\u30FC\u30B6\u30FC\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u30D2\u30A2\u30EA\u30F3\u30B0\u3059\u308B:
+1. \`askUserQuestion\` \u3067\u5BFE\u8C61\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u805E\u304F:
    - \`type\`: \`"freeText"\`
-   - \`question\`: \u300CGmail\u3092\u53C2\u7167\u3059\u308BGoogle Workspace\u30E6\u30FC\u30B6\u30FC\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044\u300D
-   - \`placeholder\`: \`"user@example.com"\`
-2. \u53D7\u3051\u53D6\u3063\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092 \`updateConnectionParameters\` \u3067\u4FDD\u5B58\u3059\u308B:
-   - \`parameterSlug\`: \`"delegated-user-email"\`
-   - \`options\`: \`[{ value: <\u5165\u529B\u3055\u308C\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9>, label: <\u540C\u3058\u5024> }]\`\uFF081\u4EF6\u306E\u307F\u306E\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u81EA\u52D5\u9078\u629E\u3055\u308C\u308B\uFF09
-3. \`${requestToolName}\` \u3092\u547C\u3073\u51FA\u3057\u3066\u30E6\u30FC\u30B6\u30FC\u306E\u30D7\u30ED\u30D5\u30A3\u30FC\u30EB\u3092\u53D6\u5F97\u3059\u308B:
+   - \`question\`: \u300CGmail \u3092\u53C2\u7167\u3059\u308B Google Workspace \u30E6\u30FC\u30B6\u30FC\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044\uFF08\u8907\u6570\u53EF\u3001\u30AB\u30F3\u30DE\u533A\u5207\u308A\uFF09\u300D
+   - \`placeholder\`: \`"alice@example.com, bob@example.com"\`
+
+2. \u30E6\u30FC\u30B6\u30FC\u304B\u3089\u53D7\u3051\u53D6\u3063\u305F\u6587\u5B57\u5217\u304B\u3089\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u62BD\u51FA\u3059\u308B\u3002\u5404 \`<email>\` \u306B\u3064\u3044\u3066 \`${requestWithDelegationToolName}\` \u3092\u4EE5\u4E0B\u306E\u5F15\u6570\u3067\u547C\u3073\u3001Domain-wide Delegation \u7D4C\u7531\u3067\u30A2\u30AF\u30BB\u30B9\u53EF\u80FD\u304B\u3092\u78BA\u8A8D\u3059\u308B:
    - \`method\`: \`"GET"\`
    - \`path\`: \`"/me/profile"\`
-4. \u30A8\u30E9\u30FC\u304C\u8FD4\u3055\u308C\u305F\u5834\u5408\u3001\u4EE5\u4E0B\u3092\u78BA\u8A8D\u3059\u308B\u3088\u3046\u30E6\u30FC\u30B6\u30FC\u306B\u4F1D\u3048\u308B:
-   - \u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\u306E\u30C9\u30E1\u30A4\u30F3\u5168\u4F53\u306E\u59D4\u4EFB\u304C\u6709\u52B9\u304B
-   - Google Workspace\u7BA1\u7406\u30B3\u30F3\u30BD\u30FC\u30EB\u3067Gmail API\u30B9\u30B3\u30FC\u30D7\u304C\u8A31\u53EF\u3055\u308C\u3066\u3044\u308B\u304B
-   - \u5165\u529B\u3055\u308C\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u304C\u6B63\u3057\u3044\u304B
-5. \`${requestToolName}\` \u3092\u547C\u3073\u51FA\u3057\u3066\u30E9\u30D9\u30EB\u4E00\u89A7\u3092\u53D6\u5F97\u3059\u308B:
-   - \`method\`: \`"GET"\`
-   - \`path\`: \`"/me/labels"\`
+   - \`subject\`: \`<email>\`
+   - \`scopes\`: \`${READONLY_SCOPES}\`
+
+3. \u5931\u6557\u3057\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u304C\u3042\u308C\u3070\u3001\u30A8\u30E9\u30FC\u30EC\u30B9\u30DD\u30F3\u30B9\u306E \`serviceAccountEmail\` \u30D5\u30A3\u30FC\u30EB\u30C9\u304B\u3089\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u53D6\u308A\u51FA\u3057\u3001\`askUserQuestion\` \u3067\u6B21\u306E\u9078\u629E\u80A2\u3092\u63D0\u793A\u3059\u308B\u3002\`question\` \u306B\u306F\u6B21\u306E\u6848\u5185\u6587\u3092\u542B\u3081\u308B: \u300C\u6B21\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306B\u30A2\u30AF\u30BB\u30B9\u3067\u304D\u307E\u305B\u3093\u3067\u3057\u305F: {\u5931\u6557\u30A2\u30C9\u30EC\u30B9\u4E00\u89A7}\u3002\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8 \`<serviceAccountEmail>\` \u306E Domain-wide Delegation \u304C Workspace \u7BA1\u7406\u30B3\u30F3\u30BD\u30FC\u30EB\u3067\u627F\u8A8D\u3055\u308C\u3066\u3044\u308B\u304B\u78BA\u8A8D\u3057\u3066\u304F\u3060\u3055\u3044\uFF08[\u8A2D\u5B9A\u30AC\u30A4\u30C9](https://support.google.com/a/answer/162106)\uFF09\u300D\u3002
+   - \`options\`: \`[{ label: "DwD \u3092\u627F\u8A8D\u3057\u305F\u306E\u3067\u30EA\u30C8\u30E9\u30A4", value: "retry" }, { label: "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u5165\u529B\u3057\u76F4\u3059", value: "restart" }]\`
+   - \u300C\u30EA\u30C8\u30E9\u30A4\u300D: \u76F4\u524D\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u30EA\u30B9\u30C8\u3067\u30B9\u30C6\u30C3\u30D7 2 \u3092\u518D\u5B9F\u884C
+   - \u300C\u5165\u529B\u3057\u76F4\u3059\u300D: \u30B9\u30C6\u30C3\u30D7 1 \u304B\u3089\u518D\u5B9F\u884C
+
+4. \u5168\u30A2\u30C9\u30EC\u30B9\u304C\u6210\u529F\u3057\u305F\u3089 \`finalizeSetup\` \u3092\u547C\u3076\u3002\`projectKnowledge\` \u306E \`#### \u30B9\u30B3\u30FC\u30D7\` \u7BC0\u306B\u5404\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092 1 \u884C\u305A\u3064\u5217\u6319\u3059\u308B:
+   - \`- subject: alice@example.com\`
+   - \`- subject: bob@example.com\`
 
 #### \u5236\u7D04
-- **\u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u4E2D\u306B\u30E1\u30C3\u30BB\u30FC\u30B8\u672C\u6587\u3092\u8AAD\u307F\u53D6\u3089\u306A\u3044\u3053\u3068**\u3002\u5B9F\u884C\u3057\u3066\u3088\u3044\u306E\u306F\u4E0A\u8A18\u624B\u9806\u3067\u6307\u5B9A\u3055\u308C\u305F\u30D7\u30ED\u30D5\u30A3\u30FC\u30EB\u53D6\u5F97\u3068\u30E9\u30D9\u30EB\u4E00\u89A7\u53D6\u5F97\u306E\u307F
-- \u30C4\u30FC\u30EB\u9593\u306F1\u6587\u3060\u3051\u66F8\u3044\u3066\u5373\u6B21\u306E\u30C4\u30FC\u30EB\u547C\u3073\u51FA\u3057\u3002\u4E0D\u8981\u306A\u8AAC\u660E\u306F\u7701\u7565\u3057\u3001\u52B9\u7387\u7684\u306B\u9032\u3081\u308B`,
-    en: `Follow these steps to set up the Gmail (Service Account) connection. Only the service account JSON is provided at connection creation time \u2014 the delegated user email is collected during this setup flow.
+- \u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u4E2D\u306B\u30E1\u30C3\u30BB\u30FC\u30B8\u672C\u6587\u3092\u8AAD\u307F\u53D6\u3089\u306A\u3044\u3053\u3068\u3002\u8A31\u53EF\u3055\u308C\u3066\u3044\u308B\u306E\u306F\u30B9\u30C6\u30C3\u30D7 2 \u306E \`/me/profile\` \u78BA\u8A8D\u306E\u307F
+- \u30C4\u30FC\u30EB\u547C\u3073\u51FA\u3057\u306E\u9593\u306F 1 \u6587\u3060\u3051\u66F8\u3044\u3066\u5373\u6B21\u306E\u30C4\u30FC\u30EB\u547C\u3073\u51FA\u3057`,
+    en: `Set up the Gmail (Service Account) connection. Ask the user which Workspace users to access, verify each via Domain-wide Delegation, and record them in Project Knowledge.
 
-1. Call \`askUserQuestion\` to ask the user for the Google Workspace user email the service account will impersonate via Domain-wide Delegation:
+1. Call \`askUserQuestion\` to collect target emails:
    - \`type\`: \`"freeText"\`
-   - \`question\`: "Please enter the email address of the Google Workspace user whose Gmail mailbox you want to access"
-   - \`placeholder\`: \`"user@example.com"\`
-2. Save the email via \`updateConnectionParameters\`:
-   - \`parameterSlug\`: \`"delegated-user-email"\`
-   - \`options\`: \`[{ value: <entered email>, label: <same value> }]\` (a single option is auto-selected)
-3. Call \`${requestToolName}\` to get the user's profile:
+   - \`question\`: "Enter the Google Workspace user email(s) whose Gmail mailbox you want to access (comma-separated for multiple)"
+   - \`placeholder\`: \`"alice@example.com, bob@example.com"\`
+
+2. Extract individual emails from the response. For each \`<email>\`, verify Domain-wide Delegation access by calling \`${requestWithDelegationToolName}\`:
    - \`method\`: \`"GET"\`
    - \`path\`: \`"/me/profile"\`
-4. If an error is returned, ask the user to verify:
-   - Domain-wide delegation is enabled for the service account
-   - Gmail API scope is authorized in Google Workspace admin console
-   - The entered email address is correct
-5. Call \`${requestToolName}\` to get the label list:
-   - \`method\`: \`"GET"\`
-   - \`path\`: \`"/me/labels"\`
+   - \`subject\`: \`<email>\`
+   - \`scopes\`: \`${READONLY_SCOPES}\`
+
+3. For any failed email, take \`serviceAccountEmail\` from the error response and call \`askUserQuestion\`. Include this guidance in \`question\`: "Could not access Gmail for {failed emails}. Verify Domain-wide Delegation for service account \`<serviceAccountEmail>\` in the Workspace admin console ([setup guide](https://support.google.com/a/answer/162106))".
+   - \`options\`: \`[{ label: "Authorized DwD \u2014 retry", value: "retry" }, { label: "Re-enter the email addresses", value: "restart" }]\`
+   - On "retry" \u2192 re-run step 2 with the previously entered email list
+   - On "Re-enter" \u2192 re-run step 1
+
+4. Once every email succeeds, call \`finalizeSetup\`. Under \`#### \u30B9\u30B3\u30FC\u30D7\` in \`projectKnowledge\`, list each email on its own line:
+   - \`- subject: alice@example.com\`
+   - \`- subject: bob@example.com\`
 
 #### Constraints
-- **Do NOT read message bodies during setup**. Only the profile and label list requests specified above are allowed
-- Write only 1 sentence between tool calls, then immediately call the next tool. Skip unnecessary explanations and proceed efficiently`
+- Do NOT read message bodies during setup. Only the \`/me/profile\` verification is permitted
+- Write at most 1 sentence between tool calls`
   },
   dataOverviewInstructions: {
-    en: `1. Call gmail-service-account_request with GET /me/labels to list all labels
-2. Call gmail-service-account_request with GET /me/messages?maxResults=5 to get recent message IDs
-3. Call gmail-service-account_request with GET /me/messages/{id}?format=metadata for each message to see subjects and senders`,
-    ja: `1. gmail-service-account_request \u3067 GET /me/labels \u3092\u547C\u3073\u51FA\u3057\u3001\u5168\u30E9\u30D9\u30EB\u4E00\u89A7\u3092\u53D6\u5F97
-2. gmail-service-account_request \u3067 GET /me/messages?maxResults=5 \u3092\u547C\u3073\u51FA\u3057\u3001\u6700\u65B0\u30E1\u30C3\u30BB\u30FC\u30B8ID\u3092\u53D6\u5F97
-3. \u5404\u30E1\u30C3\u30BB\u30FC\u30B8\u306B\u3064\u3044\u3066 gmail-service-account_request \u3067 GET /me/messages/{id}?format=metadata \u3092\u547C\u3073\u51FA\u3057\u3001\u4EF6\u540D\u3068\u9001\u4FE1\u8005\u3092\u78BA\u8A8D`
+    en: `Pick ONE email from \`#### \u30B9\u30B3\u30FC\u30D7\` (a \`- subject: <email>\` line) and use it as \`subject\` for every call below. Pass \`scopes: ${READONLY_SCOPES}\` every time.
+
+1. \`method=GET\`, \`path=/me/labels\` to list labels.
+2. \`method=GET\`, \`path=/me/messages?maxResults=5\` to fetch recent message IDs.
+3. For each message id, \`method=GET\`, \`path=/me/messages/{id}?format=metadata\`.`,
+    ja: `\`#### \u30B9\u30B3\u30FC\u30D7\` \u306E \`- subject: <email>\` \u884C\u304B\u3089 1 \u3064\u9078\u3073\u3001\u4EE5\u4E0B\u306E\u30B9\u30C6\u30C3\u30D7\u3067 \`subject\` \u5F15\u6570\u3068\u3057\u3066\u4F7F\u3063\u3066\u304F\u3060\u3055\u3044\u3002\`scopes\` \u306F\u6BCE\u56DE \`${READONLY_SCOPES}\` \u3092\u6E21\u3057\u307E\u3059\u3002
+
+1. \`method=GET\`\u3001\`path=/me/labels\` \u3067\u30E9\u30D9\u30EB\u4E00\u89A7\u3092\u53D6\u5F97
+2. \`method=GET\`\u3001\`path=/me/messages?maxResults=5\` \u3067\u6700\u8FD1\u306E\u30E1\u30C3\u30BB\u30FC\u30B8 ID \u3092\u53D6\u5F97
+3. \u5404\u30E1\u30C3\u30BB\u30FC\u30B8 ID \u306B\u3064\u3044\u3066 \`method=GET\`\u3001\`path=/me/messages/{id}?format=metadata\``
   }
 });
 
 // ../connectors/src/connectors/gmail/index.ts
-var tools = { request: requestTool };
+var tools = { request_with_delegation: requestWithDelegationTool };
 var gmailConnector = new ConnectorPlugin({
   slug: "gmail",
   authType: AUTH_TYPES.SERVICE_ACCOUNT,
   name: "Gmail",
-  description: "Connect to Gmail for email data access using a service account with domain-wide delegation. Read-only access to messages, threads, and labels.",
+  description: "Connect to Gmail for email data access using a service account with domain-wide delegation. Currently read-only (messages, threads, labels).",
   iconUrl: "https://images.ctfassets.net/9ncizv60xc5y/4V3rfaSc1ksFIt2eHBNIwJ/7f3be41a154a6d96dcf229ed0e5858c9/Gmail_icon__2020_.svg.png",
   parameters,
   releaseFlag: { dev1: true, dev2: true, prod: true },
@@ -585,12 +466,22 @@ var gmailConnector = new ConnectorPlugin({
   systemPrompt: {
     en: `### Tools
 
-- \`gmail-service-account_request\`: The only way to call the Gmail API (read-only). Use it to list messages, get message details, list labels, list threads, and get user profile. Authentication is handled automatically using a service account with domain-wide delegation.
+- \`gmail-service-account_request_with_delegation\`: Call the Gmail API on behalf of the specified Workspace user via Domain-wide Delegation. Pass \`subject\` as the target user email; the token will be issued as that user. The set of users this connection works with is recorded in the project knowledge under "#### \u30B9\u30B3\u30FC\u30D7" as \`- subject: <email>\` lines \u2014 read those and pick a subject before calling. Always pass \`scopes\`.
+
+### OAuth Scopes (pass as \`scopes\` argument)
+
+This connector is currently read-only. Pass:
+
+- \`https://www.googleapis.com/auth/gmail.readonly\` \u2014 read-only access (profile, labels, messages, threads)
+
+The Workspace admin must have authorized this scope for the service account in the Domain-wide Delegation settings, otherwise token issuance will fail with \`unauthorized_client\`.
+
+Per-endpoint scope reference: https://developers.google.com/gmail/api/auth/scopes
 
 ### Gmail API Reference
 
 #### Available Endpoints
-- GET \`/me/profile\` \u2014 Get the delegated user's profile (email address, total messages/threads)
+- GET \`/me/profile\` \u2014 Get the impersonated user's profile (email address, total messages/threads)
 - GET \`/me/labels\` \u2014 List all labels in the mailbox
 - GET \`/me/labels/{id}\` \u2014 Get details for a specific label
 - GET \`/me/messages\` \u2014 List messages (returns IDs only; use format param on individual messages)
@@ -615,7 +506,7 @@ var gmailConnector = new ConnectorPlugin({
   - \`raw\` \u2014 Full RFC 2822 formatted message in base64url
 
 #### Tips
-- Always use \`/me\` as the userId \u2014 it refers to the delegated user
+- Always use \`/me\` as the userId in the path \u2014 it refers to the user you passed as \`subject\`
 - List endpoints return only IDs; fetch individual resources for details
 - Use \`format=metadata\` to efficiently get subject/sender without full body
 - Message body content is base64url encoded in \`payload.body.data\` or nested \`payload.parts[].body.data\`
@@ -626,6 +517,12 @@ var gmailConnector = new ConnectorPlugin({
 
 The business logic type for this connector is "typescript". Write handler code using the connector SDK shown below. Do NOT access credentials directly from environment variables.
 
+SDK methods (client created via \`connection(connectionId)\`):
+
+- \`client.requestWithDelegation(path, { subject, scopes, init? })\` \u2014 call the Gmail API as the impersonated Workspace user via Domain-wide Delegation. Pass the minimum scopes required by the endpoint.
+
+The method returns a standard \`Response\`. Read the body with \`.json()\`. Same path conventions as the tool.
+
 #### Example
 
 \`\`\`ts
@@ -633,37 +530,51 @@ import { connection } from "@squadbase/vite-server/connectors/gmail";
 
 const gmail = connection("<connectionId>");
 
-// Get user profile
-const profile = await gmail.getProfile();
+// Pick the impersonated user from project knowledge ("#### \u30B9\u30B3\u30FC\u30D7").
+const subject = "alice@example.com";
+const READ = ["https://www.googleapis.com/auth/gmail.readonly"];
+
+const profileRes = await gmail.requestWithDelegation("/me/profile", {
+  subject,
+  scopes: READ,
+});
+const profile = await profileRes.json();
 console.log(profile.emailAddress, profile.messagesTotal);
 
-// List recent messages
-const messages = await gmail.listMessages({ maxResults: 10 });
-for (const msg of messages.messages) {
-  const detail = await gmail.getMessage(msg.id, "metadata");
-  const subject = detail.payload.headers.find(h => h.name === "Subject")?.value;
-  console.log(subject, detail.snippet);
+const messagesRes = await gmail.requestWithDelegation(
+  "/me/messages?maxResults=10",
+  { subject, scopes: READ },
+);
+const messages = await messagesRes.json();
+
+for (const msg of messages.messages ?? []) {
+  const detailRes = await gmail.requestWithDelegation(
+    \`/me/messages/\${msg.id}?format=metadata\`,
+    { subject, scopes: READ },
+  );
+  const detail = await detailRes.json();
+  const subjectHeader = detail.payload.headers.find(h => h.name === "Subject")?.value;
+  console.log(subjectHeader, detail.snippet);
 }
+\`\`\``,
+    ja: `### \u30C4\u30FC\u30EB
 
-// Search messages
-const results = await gmail.listMessages({ q: "from:boss@company.com is:unread" });
+- \`gmail-service-account_request_with_delegation\`: \u6307\u5B9A\u3055\u308C\u305F Workspace \u30E6\u30FC\u30B6\u30FC\u306B\u4EE3\u308F\u3063\u3066 Domain-wide Delegation \u7D4C\u7531\u3067 Gmail API \u3092\u547C\u3073\u51FA\u3057\u307E\u3059\u3002\u4EE3\u7406\u5BFE\u8C61\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092 \`subject\` \u3068\u3057\u3066\u6E21\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u30C8\u30FC\u30AF\u30F3\u306F\u305D\u306E\u30E6\u30FC\u30B6\u30FC\u3068\u3057\u3066\u767A\u884C\u3055\u308C\u307E\u3059\u3002\u3053\u306E\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u304C\u5BFE\u8C61\u3068\u3059\u308B\u30E6\u30FC\u30B6\u30FC\u306F Project Knowledge \u306E "#### \u30B9\u30B3\u30FC\u30D7" \u306B \`- subject: <email>\` \u5F62\u5F0F\u3067\u8A18\u9332\u3055\u308C\u3066\u3044\u308B\u305F\u3081\u3001\u547C\u3073\u51FA\u3057\u524D\u306B\u305D\u3053\u3092\u8AAD\u3093\u3067 subject \u3092\u6C7A\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044\u3002\`scopes\` \u3082\u6BCE\u56DE\u6E21\u3057\u3066\u304F\u3060\u3055\u3044\u3002
 
-// List labels
-const labels = await gmail.listLabels();
-labels.labels.forEach(l => console.log(l.name, l.messagesTotal));
+### OAuth \u30B9\u30B3\u30FC\u30D7 (\`scopes\` \u5F15\u6570\u3067\u6E21\u3059)
 
-// Get a thread
-const thread = await gmail.getThread("<threadId>");
-thread.messages.forEach(m => console.log(m.snippet));
-\`\`\``,
-    ja: `### \u30C4\u30FC\u30EB
+\u3053\u306E\u30B3\u30CD\u30AF\u30BF\u30FC\u306F\u73FE\u72B6\u8AAD\u307F\u53D6\u308A\u5C02\u7528\u3067\u3059\u3002\u6B21\u3092\u6E21\u3057\u3066\u304F\u3060\u3055\u3044:
+
+- \`https://www.googleapis.com/auth/gmail.readonly\` \u2014 \u8AAD\u307F\u53D6\u308A\uFF08\u30D7\u30ED\u30D5\u30A3\u30FC\u30EB\u3001\u30E9\u30D9\u30EB\u3001\u30E1\u30C3\u30BB\u30FC\u30B8\u3001\u30B9\u30EC\u30C3\u30C9\uFF09
 
-- \`gmail-service-account_request\`: Gmail API\u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\uFF08\u8AAD\u307F\u53D6\u308A\u5C02\u7528\uFF09\u3002\u30E1\u30C3\u30BB\u30FC\u30B8\u4E00\u89A7\u306E\u53D6\u5F97\u3001\u30E1\u30C3\u30BB\u30FC\u30B8\u8A73\u7D30\u306E\u53D6\u5F97\u3001\u30E9\u30D9\u30EB\u4E00\u89A7\u3001\u30B9\u30EC\u30C3\u30C9\u4E00\u89A7\u3001\u30E6\u30FC\u30B6\u30FC\u30D7\u30ED\u30D5\u30A3\u30FC\u30EB\u306E\u53D6\u5F97\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\u306E\u30C9\u30E1\u30A4\u30F3\u5168\u4F53\u306E\u59D4\u4EFB\u3092\u4F7F\u7528\u3057\u3066\u8A8D\u8A3C\u306F\u81EA\u52D5\u7684\u306B\u51E6\u7406\u3055\u308C\u307E\u3059\u3002
+\u8981\u6C42\u3059\u308B scope \u306F Workspace \u7BA1\u7406\u8005\u304C Domain-wide Delegation \u8A2D\u5B9A\u3067\u5F53\u8A72 Service Account \u306B\u5BFE\u3057\u3066\u627F\u8A8D\u3057\u3066\u3044\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\u627F\u8A8D\u3055\u308C\u3066\u3044\u306A\u3044\u5834\u5408\u30C8\u30FC\u30AF\u30F3\u767A\u884C\u304C \`unauthorized_client\` \u3067\u5931\u6557\u3057\u307E\u3059\u3002
+
+\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u5225\u306E\u6B63\u78BA\u306A scope \u30EA\u30D5\u30A1\u30EC\u30F3\u30B9: https://developers.google.com/gmail/api/auth/scopes
 
 ### Gmail API \u30EA\u30D5\u30A1\u30EC\u30F3\u30B9
 
 #### \u5229\u7528\u53EF\u80FD\u306A\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8
-- GET \`/me/profile\` \u2014 \u59D4\u4EFB\u30E6\u30FC\u30B6\u30FC\u306E\u30D7\u30ED\u30D5\u30A3\u30FC\u30EB\u3092\u53D6\u5F97\uFF08\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3001\u30E1\u30C3\u30BB\u30FC\u30B8/\u30B9\u30EC\u30C3\u30C9\u7DCF\u6570\uFF09
+- GET \`/me/profile\` \u2014 \u4EE3\u7406\u5BFE\u8C61\u30E6\u30FC\u30B6\u30FC\u306E\u30D7\u30ED\u30D5\u30A3\u30FC\u30EB\u3092\u53D6\u5F97\uFF08\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3001\u30E1\u30C3\u30BB\u30FC\u30B8/\u30B9\u30EC\u30C3\u30C9\u7DCF\u6570\uFF09
 - GET \`/me/labels\` \u2014 \u30E1\u30FC\u30EB\u30DC\u30C3\u30AF\u30B9\u306E\u5168\u30E9\u30D9\u30EB\u3092\u4E00\u89A7
 - GET \`/me/labels/{id}\` \u2014 \u7279\u5B9A\u30E9\u30D9\u30EB\u306E\u8A73\u7D30\u3092\u53D6\u5F97
 - GET \`/me/messages\` \u2014 \u30E1\u30C3\u30BB\u30FC\u30B8\u4E00\u89A7\uFF08ID\u306E\u307F\u8FD4\u5374\u3002\u500B\u5225\u30E1\u30C3\u30BB\u30FC\u30B8\u3067format\u30D1\u30E9\u30E1\u30FC\u30BF\u3092\u4F7F\u7528\uFF09
@@ -688,7 +599,7 @@ thread.messages.forEach(m => console.log(m.snippet));
   - \`raw\` \u2014 base64url\u30A8\u30F3\u30B3\u30FC\u30C9\u3055\u308C\u305F\u5B8C\u5168\u306ARFC 2822\u30D5\u30A9\u30FC\u30DE\u30C3\u30C8\u30E1\u30C3\u30BB\u30FC\u30B8
 
 #### \u30D2\u30F3\u30C8
-- userId\u306B\u306F\u5E38\u306B \`/me\` \u3092\u4F7F\u7528 \u2014 \u59D4\u4EFB\u30E6\u30FC\u30B6\u30FC\u3092\u6307\u3057\u307E\u3059
+- \u30D1\u30B9\u306E userId \u306B\u306F\u5E38\u306B \`/me\` \u3092\u4F7F\u7528 \u2014 \`subject\` \u306B\u6E21\u3057\u305F\u30E6\u30FC\u30B6\u30FC\u3092\u6307\u3057\u307E\u3059
 - \u4E00\u89A7\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u306FID\u306E\u307F\u8FD4\u5374\u3057\u307E\u3059\u3002\u8A73\u7D30\u306F\u500B\u5225\u30EA\u30BD\u30FC\u30B9\u3092\u53D6\u5F97\u3057\u3066\u304F\u3060\u3055\u3044
 - \u4EF6\u540D/\u9001\u4FE1\u8005\u3092\u52B9\u7387\u7684\u306B\u53D6\u5F97\u3059\u308B\u306B\u306F \`format=metadata\` \u3092\u4F7F\u7528\u3057\u307E\u3059
 - \u30E1\u30C3\u30BB\u30FC\u30B8\u672C\u6587\u306F \`payload.body.data\` \u307E\u305F\u306F\u30CD\u30B9\u30C8\u3055\u308C\u305F \`payload.parts[].body.data\` \u306Bbase64url\u30A8\u30F3\u30B3\u30FC\u30C9\u3067\u683C\u7D0D\u3055\u308C\u3066\u3044\u307E\u3059
@@ -699,6 +610,12 @@ thread.messages.forEach(m => console.log(m.snippet));
 
 \u3053\u306E\u30B3\u30CD\u30AF\u30BF\u306E\u30D3\u30B8\u30CD\u30B9\u30ED\u30B8\u30C3\u30AF\u30BF\u30A4\u30D7\u306F "typescript" \u3067\u3059\u3002\u4EE5\u4E0B\u306B\u793A\u3059\u30B3\u30CD\u30AF\u30BFSDK\u3092\u4F7F\u7528\u3057\u3066\u30CF\u30F3\u30C9\u30E9\u30B3\u30FC\u30C9\u3092\u8A18\u8FF0\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u74B0\u5883\u5909\u6570\u304B\u3089\u76F4\u63A5\u8A8D\u8A3C\u60C5\u5831\u306B\u30A2\u30AF\u30BB\u30B9\u3057\u306A\u3044\u3067\u304F\u3060\u3055\u3044\u3002
 
+SDK\u30E1\u30BD\u30C3\u30C9 (\`connection(connectionId)\` \u3067\u4F5C\u6210\u3057\u305F\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8):
+
+- \`client.requestWithDelegation(path, { subject, scopes, init? })\` \u2014 DwD \u3067 Workspace \u30E6\u30FC\u30B6\u30FC\u306B\u306A\u308A\u3059\u307E\u3057\u3066 Gmail API \u3092\u547C\u3076\u3002\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u306B\u5FC5\u8981\u306A\u6700\u5C0F scope \u3092\u6E21\u3059\u3002
+
+\u30E1\u30BD\u30C3\u30C9\u306F\u6A19\u6E96\u306E \`Response\` \u3092\u8FD4\u3057\u307E\u3059\u3002\`response.json()\` \u3067\u30DC\u30C7\u30A3\u3092\u53D6\u5F97\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u30D1\u30B9\u306E\u66F8\u304D\u65B9\u306F\u30C4\u30FC\u30EB\u3068\u540C\u3058\u3002
+
 #### Example
 
 \`\`\`ts
@@ -706,86 +623,35 @@ import { connection } from "@squadbase/vite-server/connectors/gmail";
 
 const gmail = connection("<connectionId>");
 
-// Get user profile
-const profile = await gmail.getProfile();
-console.log(profile.emailAddress, profile.messagesTotal);
-
-// List recent messages
-const messages = await gmail.listMessages({ maxResults: 10 });
-for (const msg of messages.messages) {
-  const detail = await gmail.getMessage(msg.id, "metadata");
-  const subject = detail.payload.headers.find(h => h.name === "Subject")?.value;
-  console.log(subject, detail.snippet);
-}
+// \u4EE3\u7406\u5BFE\u8C61\u30E6\u30FC\u30B6\u30FC\u306F Project Knowledge ("#### \u30B9\u30B3\u30FC\u30D7") \u304B\u3089\u9078\u3076
+const subject = "alice@example.com";
+const READ = ["https://www.googleapis.com/auth/gmail.readonly"];
 
-// Search messages
-const results = await gmail.listMessages({ q: "from:boss@company.com is:unread" });
+const profileRes = await gmail.requestWithDelegation("/me/profile", {
+  subject,
+  scopes: READ,
+});
+const profile = await profileRes.json();
+console.log(profile.emailAddress, profile.messagesTotal);
 
-// List labels
-const labels = await gmail.listLabels();
-labels.labels.forEach(l => console.log(l.name, l.messagesTotal));
+const messagesRes = await gmail.requestWithDelegation(
+  "/me/messages?maxResults=10",
+  { subject, scopes: READ },
+);
+const messages = await messagesRes.json();
 
-// Get a thread
-const thread = await gmail.getThread("<threadId>");
-thread.messages.forEach(m => console.log(m.snippet));
+for (const msg of messages.messages ?? []) {
+  const detailRes = await gmail.requestWithDelegation(
+    \`/me/messages/\${msg.id}?format=metadata\`,
+    { subject, scopes: READ },
+  );
+  const detail = await detailRes.json();
+  const subjectHeader = detail.payload.headers.find(h => h.name === "Subject")?.value;
+  console.log(subjectHeader, detail.snippet);
+}
 \`\`\``
   },
-  tools,
-  async checkConnection(params, _config) {
-    const { GoogleAuth } = await import("google-auth-library");
-    const credentials = JSON.parse(
-      Buffer.from(
-        params[parameters.serviceAccountKeyJsonBase64.slug],
-        "base64"
-      ).toString("utf-8")
-    );
-    const delegatedUserEmail = params[delegatedUserEmailParameter.slug];
-    if (!delegatedUserEmail) {
-      if (!credentials.client_email || !credentials.private_key) {
-        return {
-          success: false,
-          error: "Service account JSON must contain client_email and private_key"
-        };
-      }
-      return { success: true };
-    }
-    const auth = new GoogleAuth({
-      credentials,
-      scopes: ["https://www.googleapis.com/auth/gmail.readonly"],
-      clientOptions: {
-        subject: delegatedUserEmail
-      }
-    });
-    try {
-      const token = await auth.getAccessToken();
-      if (!token) {
-        return {
-          success: false,
-          error: "Failed to obtain access token"
-        };
-      }
-      const res = await fetch(
-        "https://gmail.googleapis.com/gmail/v1/users/me/profile",
-        {
-          method: "GET",
-          headers: { Authorization: `Bearer ${token}` }
-        }
-      );
-      if (!res.ok) {
-        const errorText = await res.text().catch(() => res.statusText);
-        return {
-          success: false,
-          error: `Gmail API failed: HTTP ${res.status} ${errorText}`
-        };
-      }
-      return { success: true };
-    } catch (error) {
-      return {
-        success: false,
-        error: error instanceof Error ? error.message : String(error)
-      };
-    }
-  }
+  tools
 });
 
 // src/connectors/create-connector-sdk.ts