@vellumai/assistant 0.4.34 → 0.4.36

package/src/config/bundled-skills/google-oauth-setup/SKILL.md

@@ -1,20 +1,20 @@
 ---
 name: "Google OAuth Setup"
-description: "Set up Google Cloud OAuth credentials for Gmail and Calendar using browser automation"
+description: "Set up Google Cloud OAuth credentials for Gmail and Calendar"
 user-invocable: true
 credential-setup-for: "gmail"
-includes: ["browser", "public-ingress"]
-metadata: {"vellum": {"emoji": "\ud83d\udd11"}}
+includes: ["public-ingress", "browser"]
+metadata: { "vellum": { "emoji": "\ud83d\udd11" } }
 ---
 
 You are helping your user set up Google Cloud OAuth credentials so Gmail and Google Calendar integrations can connect.
 
 ## Client Check
 
-Determine whether the user has browser automation available (macOS desktop app) or is on a non-interactive channel (Telegram, SMS, etc.).
+Determine which setup path to use based on the user's client:
 
-- **macOS desktop app**: Follow the **Automated Setup** path below.
-- **Telegram or other channel** (no browser automation): Follow the **Manual Setup for Channels** path below.
+- **macOS desktop app**: Follow **Path B: CLI Setup** below.
+- **Telegram or other channel** (no browser automation): Follow **Path A: Manual Setup for Channels** below.
 
 ---
 
@@ -29,6 +29,7 @@ Tell the user:
 > **Setting up Gmail & Calendar from Telegram**
 >
 > Since I can't automate the browser from here, I'll walk you through each step with direct links. You'll need:
+>
 > 1. A Google account with access to Google Cloud Console
 > 2. About 5 minutes
 >
@@ -87,6 +88,7 @@ Tell the user:
 >    - `https://www.googleapis.com/auth/calendar.readonly`
 >    - `https://www.googleapis.com/auth/calendar.events`
 >    - `https://www.googleapis.com/auth/userinfo.email`
+>    - `https://www.googleapis.com/auth/contacts.readonly`
 >    - Click **Update**, then **Save and Continue**
 > 5. On the Test users page, add **your email**, click **Save and Continue**
 > 6. On the Summary page, click **Back to Dashboard**
@@ -96,6 +98,7 @@ Tell the user:
 ### Channel Step 5: Create OAuth Credentials (Web Application)
 
 Before sending Step 4 to the user, resolve the concrete callback URL:
+
 - Read the configured public gateway URL (`ingress.publicBaseUrl`). If it is missing, run the `public-ingress` skill first.
 - Build `oauthCallbackUrl` as `<public gateway URL>/webhooks/oauth/callback`.
 - When you send the instructions below, replace `OAUTH_CALLBACK_URL` with that concrete value. Never send placeholders literally.
@@ -140,7 +143,7 @@ credential_store store:
 
 **Step 6b: Client Secret (requires split entry to avoid security filters)**
 
-The Client Secret starts with `GOCSPX-` which triggers the ingress secret scanner on channel messages. To work around this, ask the user to send only the portion *after* the prefix.
+The Client Secret starts with `GOCSPX-` which triggers the ingress secret scanner on channel messages. To work around this, ask the user to send only the portion _after_ the prefix.
 
 Tell the user:
 
@@ -192,229 +195,265 @@ After the user authorizes (they'll come back and say so, or you can suggest they
 
 ---
 
-# Path B: Automated Setup (macOS Desktop App)
+# Path B: CLI Setup (macOS Desktop App)
 
-You will automate the entire GCP setup via the browser while the user watches in the Chrome window on the side. The user's only manual actions are: signing in to their Google account, and copy-pasting credentials from the Chrome window into secure prompts.
+**IMPORTANT: Always use `host_bash` (not `bash`) for all commands in this path.** The `gcloud` and `gws` CLIs need host access for Homebrew/npm installation, browser-based authentication, and interactive terminal prompts — none of which are available inside the sandbox.
+
+You will set up Google Cloud OAuth credentials using the `gcloud` and `gws` command-line tools plus browser automation. The user signs in once via the browser, the CLI handles project setup, and the browser automates credential creation — the user only needs to copy-paste the Client Secret.
 
 ## Browser Interaction Principles
 
-Google Cloud Console's UI changes frequently. Do NOT memorize or depend on specific element IDs, CSS selectors, or DOM structures. Instead:
+Google Cloud Console's UI may change over time. Do NOT memorize or depend on specific element IDs, CSS selectors, or DOM structures. Instead:
 
-1. **Snapshot first, act second.** Before every interaction, use `browser_snapshot` to discover interactive elements and their IDs. This is your primary navigation tool; it gives you the accessibility tree with clickable/typeable element IDs. Use `browser_screenshot` for visual context when the snapshot alone isn't enough.
-2. **Adapt to what you see.** If an element's label or position differs from what you expect, use the snapshot to find the correct element. GCP may rename buttons, reorganize menus, or change form layouts at any time.
-3. **Verify after every action.** After clicking, typing, or navigating, take a new snapshot to confirm the action succeeded. If it didn't, try an alternative interaction (e.g., if a dropdown didn't open on click, try pressing Space or Enter on the element).
-4. **Never assume DOM structure.** Dropdowns may be `<select>`, `<mat-select>`, `<div role="listbox">`, or something else entirely. Use the snapshot to identify element types and interact accordingly.
-5. **When stuck after 2 attempts, describe and ask.** Take a screenshot, describe what you see to the user, and ask for guidance.
+1. **Screenshot first, act second.** Before every interaction, take a `browser_screenshot` to see the current visual state. Use `browser_snapshot` to find interactive elements.
+2. **Adapt to what you see.** If a button's label or position differs from what you expect, use the screenshot to find the correct element.
+3. **Verify after every action.** After clicking, typing, or navigating, take a new screenshot to confirm the action succeeded.
+4. **Never assume DOM structure.** Use the snapshot to identify what's on the page and interact accordingly.
+5. **When stuck, screenshot and describe.** If you cannot find an expected element after 2 attempts, take a screenshot, describe what you see to the user, and ask for guidance.
 
 ## Anti-Loop Guardrails
 
 Each step has a **retry budget of 3 attempts**. An attempt is one try at the step's primary action (e.g., clicking a button, filling a form). If a step fails after 3 attempts:
 
 1. **Stop trying.** Do not continue retrying the same approach.
-2. **Fall back to manual.** Tell the user what you were trying to do and ask them to complete that step manually in the Chrome window (which they can see on the side). Give them the direct URL and clear text instructions.
+2. **Fall back to manual.** Tell the user what you were trying to do and ask them to complete that step manually in the browser. Give them the direct URL and clear text instructions.
 3. **Resume automation** at the next step once the user confirms the manual step is done.
 
-If **two or more steps** require manual fallback, abandon the automated flow entirely and switch to giving the user the remaining steps as clear text instructions with links, using "Desktop app" as the OAuth application type.
+If **two or more steps** require manual fallback, abandon the automated flow entirely and switch to giving the user the remaining steps as clear text instructions with links.
 
-## Things That Do Not Work: Do Not Attempt
+## Things That Do Not Work — Do Not Attempt
 
-These actions are technically impossible in the browser automation environment. Attempting them wastes time and leads to loops:
+These actions are technically impossible in the browser automation environment:
 
-- **Downloading files.** `browser_click` on a Download button does not save files to disk. There is NO JSON file to find at `~/Downloads` or anywhere else. Never click Download buttons.
-- **Clipboard operations.** You cannot copy/paste via browser automation. The user must manually copy values from the Chrome window.
-- **Deleting and recreating OAuth clients** to get a fresh secret. This orphans the stored client_id and causes `invalid_client` errors.
-- **Navigating away from the credential dialog** before both credentials are stored. You will lose the Client Secret display and cannot get it back without creating a new client.
+- **Downloading files.** `browser_click` on a Download button does not save files to disk. Do NOT click "Download JSON" in the OAuth client creation dialog.
+- **Reading the Client Secret from a screenshot.** The secret IS visible in the creation dialog, but you MUST NOT attempt to read it from a screenshot — it is too easy to misread characters, and the value must be exact. Always use the `credential_store prompt` approach to let the user copy-paste it accurately.
+- **Clipboard operations.** You cannot copy/paste via browser automation.
 
-## Step 1: Single Upfront Confirmation
+## Error Handling
+
+- **Page load failures:** Retry navigation once. If it still fails, tell the user and ask them to check their internet connection.
+- **Element not found:** Take a fresh screenshot to re-assess. The GCP Console UI may have changed. Describe what you see and try alternative approaches. If stuck after 2 attempts, ask the user for guidance.
+- **OAuth client already exists with same name:** This is fine — GCP allows multiple clients with the same name. Proceed with creation.
+- **Any unexpected state:** Take a `browser_screenshot`, describe what you see, and ask the user for guidance.
 
-Use `ui_show` with `surface_type: "confirmation"`. Set `message` to just the title, and `detail` to the body:
+## CLI Step 1: Confirm
+
+Use `ui_show` with `surface_type: "confirmation"`:
 
 - **message:** `Set up Google Cloud for Gmail & Calendar`
 - **detail:**
   > Here's what will happen:
-  > 1. **A browser opens on the side** so you can watch everything I do
-  > 2. **You sign in** to your Google account in the browser
-  > 3. **I automate everything** including project creation, APIs, OAuth config, and credentials
-  > 4. **One copy-paste** where I'll ask you to copy the Client Secret from the browser into a secure prompt
-  > 5. **You authorize Vellum** with one click
   >
-  > The whole thing takes 2-3 minutes. Ready?
+  > 1. **Install CLI tools** (`gcloud` and `gws`) if not already installed
+  > 2. **You sign in** to your Google account once via the browser
+  > 3. **CLI automates everything** — project creation, APIs, and consent screen
+  > 4. **I create OAuth credentials** in the browser — you just watch
+  > 5. **One quick copy-paste** — you copy the Client Secret into a secure prompt
+  > 6. **You authorize Vellum** with one click
+  >
+  > Takes about a minute after first-time setup. Ready?
 
-If the user declines, acknowledge and stop. No further confirmations are needed after this point.
+If the user declines, acknowledge and stop.
 
-## Step 2: Open Google Cloud Console and Sign In
+## CLI Step 2: Install Prerequisites
 
-**Goal:** The user is signed in and the Google Cloud Console dashboard is loaded.
+Check for and install each prerequisite. If any installation fails (e.g., Homebrew not available, corporate restrictions), tell the user what went wrong and provide manual installation instructions.
 
-Navigate to `https://console.cloud.google.com/`.
+### gcloud
 
-Take a screenshot to check the page state:
+```bash
+which gcloud
+```
 
-- **Sign-in page:** Tell the user: "Please sign in to your Google account in the Chrome window on the right side of your screen." Then auto-detect sign-in completion by polling with `browser_screenshot` every 5-10 seconds to check if the URL has moved away from `accounts.google.com` to `console.cloud.google.com`. Do NOT ask the user to "let me know when you're done"; detect it automatically. Once sign-in is detected, tell the user: "Signed in! Starting the automated setup now..."
-- **Already signed in:** Tell the user: "Already signed in, starting setup now..." and continue immediately.
-- **CAPTCHA:** The browser automation's built-in handoff will handle this. If it persists, tell the user: "There's a CAPTCHA in the browser, please complete it and I'll continue automatically."
+If missing:
 
-**What you should see when done:** URL contains `console.cloud.google.com` and no sign-in overlay is visible.
+```bash
+brew install google-cloud-sdk
+```
 
-## Step 3: Create or Select a Project
+After installation, verify it works:
 
-**Goal:** A GCP project named "Vellum Assistant" exists and is selected.
+```bash
+gcloud --version
+```
 
-Tell the user: "Creating Google Cloud project..."
+### gws
 
-Navigate to `https://console.cloud.google.com/projectcreate`.
+```bash
+which gws
+```
 
-Take a `browser_snapshot`. Find the project name input field (look for an element with label containing "Project name" or a text input near the top of the form). Type "Vellum Assistant" into it.
+If missing:
 
-Look for a "Create" button in the snapshot and click it. Wait 10-15 seconds for project creation, then take a screenshot to check for:
-- **Success message** or redirect to the new project dashboard. Note the project ID from the URL or page content.
-- **"Project name already in use" error**: that's fine. Navigate to `https://console.cloud.google.com/cloud-resource-manager` to find and select the existing "Vellum Assistant" project. Use `browser_extract` to read the project ID from the page.
-- **Organization restriction or quota error**: tell the user what happened and ask them to resolve it.
+```bash
+npm install -g @googleworkspace/cli
+```
 
-**What you should see when done:** The project selector in the top bar shows the project name, and you have the project ID (something like `vellum-assistant-12345`).
+After installation, verify it works:
 
-Tell the user: "Project created!"
+```bash
+gws --version
+```
 
-## Step 4: Enable Gmail and Calendar APIs
+## CLI Step 3: Sign In to Google
 
-**Goal:** Both the Gmail API and Google Calendar API are enabled for the project.
+Tell the user: "Opening your browser so you can sign in to Google..."
 
-Tell the user: "Enabling Gmail and Calendar APIs..."
+```bash
+gcloud auth login
+```
 
-Navigate to each API's library page and enable it if not already enabled:
-1. `https://console.cloud.google.com/apis/library/gmail.googleapis.com?project=PROJECT_ID`
-2. `https://console.cloud.google.com/apis/library/calendar-json.googleapis.com?project=PROJECT_ID`
+This opens the browser for Google sign-in. Wait for the command to complete — it prints the authenticated account email on success.
 
-For each page: take a `browser_snapshot`. Look for:
-- **"Enable" button**: click it, wait a few seconds, take another snapshot to confirm.
-- **"Manage" button or "API enabled" text**: the API is already enabled. Skip it.
+If the user is already authenticated (`gcloud auth list` shows an active account), skip this step and tell the user: "Already signed in, continuing setup..."
 
-**What you should see when done:** Both API pages show "Manage" or "API enabled" status.
+## CLI Step 4: GCP Project Setup
 
-Tell the user: "APIs enabled!"
+Tell the user: "Setting up your Google Cloud project, APIs, and credentials..."
 
-## Step 5: Configure OAuth Consent Screen
+### Primary: `gws auth setup`
 
-**Goal:** An OAuth consent screen is configured with External user type, the required scopes, and the user added as a test user.
+```bash
+gws auth setup
+```
 
-Tell the user: "Setting up OAuth consent screen. This is the longest step but it's fully automated..."
+This command automates:
 
-Navigate to `https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_ID`.
+- GCP project creation (or selection of an existing one)
+- OAuth consent screen configuration
+- OAuth credential creation
 
-Take a `browser_snapshot` and `browser_screenshot`. Check the page state:
+Wait for the command to complete. It may have interactive prompts — let them run in the terminal and the user can respond if needed.
 
-### If the consent screen is already configured
+If `gws auth setup` **succeeds**, note the **project ID** from the output and continue to **CLI Step 5**.
 
-You'll see a dashboard showing the app name ("Vellum Assistant" or similar) with an "Edit App" button. **Skip to Step 6.**
+### Fallback: `gcloud` CLI + browser automation
 
-### If you see a user type selection (External / Internal)
+If `gws auth setup` **fails** (common with personal Google accounts due to workspace-admin scope errors), use `gcloud` CLI and browser automation instead.
 
-Select **"External"** and click **Create** or **Get Started**.
+**Step 4f-1: Create GCP project**
 
-### Consent screen form (wizard or single-page)
+Generate a unique suffix (4-6 random alphanumeric characters):
 
-Google Cloud uses either a multi-page wizard or a single-page form. Adapt to what you see:
+```bash
+gcloud projects create vellum-assistant-SUFFIX --name="Vellum Assistant"
+```
 
-**App information section:**
-- **App name**: Type "Vellum Assistant" in the app name field.
-- **User support email**: This is typically a dropdown showing the signed-in user's email. Use `browser_snapshot` to find a `<select>` or clickable dropdown element near "User support email". Select the user's email.
-- **Developer contact email**: Type the user's email into this field. (Use the same email visible in the support email dropdown if you can read it, or use `browser_extract` to find the email shown on the page.)
-- Click **Save and Continue** if on a multi-page wizard.
+If the project already exists, use it. Note the **project ID**.
 
-**Scopes section:**
-- Click **"Add or Remove Scopes"** (or similar button).
-- In the scope picker dialog, look for a text input labeled **"Manually add scopes"** or **"Filter"** at the bottom or top of the dialog.
-- Paste all 6 scopes at once as a comma-separated string into that input:
-  ```
-  https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/calendar.events,https://www.googleapis.com/auth/userinfo.email
-  ```
-- Click **"Add to Table"** or **"Update"** to confirm the scopes.
-- If no manual input is available, you'll need to search for and check each scope individually using the scope tree. Search for each scope URL in the filter box and check its checkbox.
-- Click **Save and Continue** (or **Update** then **Save and Continue**).
+**Step 4f-2: Enable APIs**
 
-**Test users section:**
-- Click **"Add Users"** or similar.
-- Enter the user's email address.
-- Click **Add** then **Save and Continue**.
+```bash
+gcloud services enable gmail.googleapis.com --project=PROJECT_ID
+gcloud services enable calendar-json.googleapis.com --project=PROJECT_ID
+gcloud services enable people.googleapis.com --project=PROJECT_ID
+```
 
-**Summary section:**
-- Click **"Back to Dashboard"** or **"Submit"**.
+**Step 4f-3: Configure OAuth consent screen via browser**
 
-**What you should see when done:** A consent screen dashboard showing "Vellum Assistant" as the app name.
+Navigate to `https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_ID`.
 
-Tell the user: "Consent screen configured!"
+Take a screenshot and snapshot, then:
 
-## Step 6: Create OAuth Credentials and Capture Them
+1. Select **"External"** user type, click **Create**
+2. Fill in the app registration form:
+   - App name: **"Vellum Assistant"**
+   - User support email: select the authenticated email from the dropdown
+   - Developer contact email: type the same email
+   - Click **Save and Continue**
+3. On the Scopes page, click **Save and Continue** (scopes are not needed for test-mode apps)
+4. On the Test users page:
+   - Click **+ Add Users**
+   - Enter the authenticated email address
+   - Click **Add**, then **Save and Continue**
+5. On the Summary page, click **Back to Dashboard**
 
-**Goal:** A "Desktop app" OAuth client exists, and both its Client ID and Client Secret are stored in the vault.
+**Verify:** Take a screenshot. The consent screen should show "Testing" publishing status.
 
-Tell the user: "Creating OAuth credentials..."
+After the fallback completes, skip CLI Step 5 (APIs already enabled above) and CLI Step 5c (test user already added above) — continue directly to **CLI Step 6**.
 
-### 6a: Create the credential
+## CLI Step 5: Enable Additional APIs
 
-Navigate to `https://console.cloud.google.com/apis/credentials?project=PROJECT_ID`.
+`gws auth setup` enables the APIs it needs, but Vellum also requires the Calendar and People APIs. Enable them explicitly using the project ID from step 4:
 
-Take a `browser_snapshot`. Find and click a button labeled **"Create Credentials"** or **"+ Create Credentials"**. A dropdown menu should appear. Take another snapshot and click **"OAuth client ID"**.
+```bash
+gcloud services enable calendar-json.googleapis.com --project=PROJECT_ID
+gcloud services enable people.googleapis.com --project=PROJECT_ID
+```
 
-On the creation form (take a snapshot to see the fields):
-- **Application type**: Find the dropdown and select **"Desktop app"**. This may be a `<select>` element or a custom dropdown. Use the snapshot to identify it. You might need to click the dropdown first, then take another snapshot to see the options, then click "Desktop app".
-- **Name**: Type "Vellum Assistant" in the name field.
-- Do NOT add any redirect URIs. The desktop app flow doesn't need them.
+If either command reports the API is already enabled, that's fine — continue.
 
-Click **"Create"** to submit the form.
+## CLI Step 5c: Add Test User
 
-### 6b: Capture credentials from the dialog
+`gws auth setup` does not add test users to the consent screen, and there is no CLI/API for it. Use browser automation to add the authenticated email as a test user.
 
-After creation, a dialog will display the **Client ID** and **Client Secret**. This is the critical step.
+Navigate to `https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_ID`.
 
-**First**, try to auto-read the **Client ID** using `browser_extract`. The Client ID matches the pattern `*.apps.googleusercontent.com`. Search the extracted text for this pattern. If found, store it:
+Take a screenshot and snapshot. Find the **Test users** section (you may need to click **Edit App** or navigate to the consent screen edit flow):
 
-```
-credential_store store:
-  service: "integration:gmail"
-  field: "client_id"
-  value: "<the Client ID extracted from the page>"
-```
+1. Find and click the option to add test users (e.g., **+ Add Users** button)
+2. Enter the authenticated email address (from `gcloud auth list`)
+3. Click **Add** or **Save**
+
+**Verify:** Take a screenshot confirming the email appears in the test users list.
+
+If the user is already listed as a test user, skip this step.
+
+## CLI Step 6: Create OAuth Credentials via Browser
+
+**Goal:** Create a Desktop OAuth client in GCP Console and capture both credentials.
+
+Navigate to `https://console.cloud.google.com/apis/credentials?project=PROJECT_ID` (substitute the actual project ID from step 4).
+
+Take a screenshot and snapshot to check the page state:
+
+- **Sign-in page:** Tell the user: "Please sign in to your Google account in the browser." Then auto-detect sign-in completion by polling screenshots every 5-10 seconds. Once signed in, continue.
+- **Already signed in / Credentials page loaded:** Continue immediately.
+
+### Step 6a: Create the OAuth Client
+
+1. Take a screenshot and snapshot. Find and click **+ Create Credentials**, then select **OAuth client ID**.
+2. On the creation form:
+   - Application type: Select **"Desktop app"**
+   - Name: **"Vellum Assistant"**
+   - Click **Create**
+3. **Verify:** Take a screenshot. A dialog should appear showing both the **Client ID** and **Client Secret**.
 
-If `browser_extract` fails to find the Client ID, prompt the user instead:
+### Step 6b: Extract Client ID
+
+Use `browser_extract` to read the Client ID from the creation dialog. It looks like `123456789-xxxxx.apps.googleusercontent.com`.
+
+Store it immediately:
 
 ```
-credential_store prompt:
+credential_store store:
   service: "integration:gmail"
   field: "client_id"
-  label: "Google OAuth Client ID"
-  description: "Copy the Client ID from the dialog in the Chrome window and paste it here. It looks like 123456789-xxxxx.apps.googleusercontent.com"
-  placeholder: "xxxxx.apps.googleusercontent.com"
+  value: "<the extracted Client ID>"
 ```
 
-**Then**, whether the Client ID was auto-read or prompted, tell the user:
+### Step 6c: Capture Client Secret via Secure Prompt
 
-> "Got the Client ID! Now I need the Client Secret. You can see it in the dialog in the Chrome window. It starts with `GOCSPX-`. Please copy it and paste it into the secure prompt below."
+The Client Secret is visible in the same dialog. Do NOT attempt to read it from the screenshot — use a secure prompt so the user copies it accurately.
 
-And present the secure prompt:
+Tell the user: "Your OAuth credentials have been created! Please copy the **Client Secret** shown in the dialog and paste it into the secure prompt below."
 
 ```
 credential_store prompt:
   service: "integration:gmail"
   field: "client_secret"
   label: "Google OAuth Client Secret"
-  description: "Copy the Client Secret from the Google Cloud Console dialog and paste it here."
+  description: "Copy the Client Secret from the dialog on screen. It starts with GOCSPX-"
   placeholder: "GOCSPX-..."
 ```
 
-Wait for the user to complete the prompt. **Do not take any other browser actions until the user has pasted the secret.** The dialog must stay open so they can see and copy the value.
-
-If the user has trouble locating the secret, take a `browser_screenshot` and describe where the secret field is on the screen, but do NOT attempt to read the secret value yourself. It must come from the user for accuracy.
-
-**What you should see when done:** `credential_store list` shows both `client_id` and `client_secret` for `integration:gmail`.
+**CRITICAL — do NOT dismiss the creation dialog before the user has copied the secret.** Wait for the secure prompt to be completed before clicking OK or navigating away.
 
-Tell the user: "Credentials stored securely!"
+After the secret is stored, you may close the dialog.
 
-## Step 7: OAuth2 Authorization
+## CLI Step 7: Authorize
 
-**Goal:** The user authorizes Vellum to access their Gmail and Calendar via OAuth.
-
-Tell the user: "Starting the authorization flow — a Google sign-in page will open in a few seconds. Just click 'Allow' when it appears."
+Tell the user: "Starting the authorization flow — a Google sign-in page will open. Just click 'Allow' when it appears."
 
 Use `credential_store` with:
 
@@ -429,15 +468,6 @@ This auto-reads client_id and client_secret from the secure store and auto-fills
 
 **Verify:** The `oauth2_connect` call returns a success message with the connected account email.
 
-## Step 8: Done!
+## CLI Step 8: Done!
 
 Tell the user: "**Gmail and Calendar are connected!** You can now read, search, and send emails, plus view and manage your calendar. Try asking me to check your inbox or show your upcoming events!"
-
-## Error Handling
-
-- **Page load failures:** Retry navigation once. If it still fails, tell the user and ask them to check their internet connection.
-- **Permission errors in GCP:** The user may need billing enabled or organization-level permissions. Explain clearly and ask them to resolve it.
-- **Consent screen already configured:** Don't overwrite. Skip to credential creation.
-- **Element not found:** Take a fresh `browser_snapshot` to re-assess. The GCP UI may have changed. Describe what you see and try alternative approaches. If stuck after 2 attempts, ask the user for guidance. They can see the Chrome window too.
-- **OAuth flow timeout or failure:** Offer to retry. The credentials are already stored, so reconnecting only requires re-running the authorization flow.
-- **Any unexpected state:** Take a `browser_screenshot`, describe what you see, and ask the user for guidance.

package/src/config/bundled-skills/messaging/tools/shared.ts

@@ -11,6 +11,7 @@ import type { MessagingProvider } from "../../../../messaging/provider.js";
 import {
   getConnectedProviders,
   getMessagingProvider,
+  isPlatformEnabled,
 } from "../../../../messaging/registry.js";
 import { withValidToken } from "../../../../security/token-manager.js";
 import type { ToolExecutionResult } from "../../../../tools/types.js";
@@ -32,7 +33,9 @@ export function err(message: string): ToolExecutionResult {
 export function resolveProvider(platformInput?: string): MessagingProvider {
   if (platformInput) return getMessagingProvider(platformInput);
 
-  const connected = getConnectedProviders();
+  const connected = getConnectedProviders().filter((p) =>
+    isPlatformEnabled(p.id),
+  );
   if (connected.length === 1) return connected[0];
   if (connected.length === 0) {
     throw new Error(