google-gmail

Install: `claude install-skill AceDataCloud/Skills`

Drive Gmail via `curl + jq`. The user's OAuth bearer token is in
`$GOOGLE_GMAIL_TOKEN`; every call needs it as
`Authorization: Bearer $GOOGLE_GMAIL_TOKEN`. At minimum the token
carries `gmail.readonly` plus the identity scopes
(`openid email profile`); if the user opted in to write at install
time it also carries `gmail.modify` (label / archive / trash) and/or
`gmail.send` (compose + send). Always assume the narrowest scope
until a write actually fails — don't ask Google for new scopes from
here.

The Gmail API returns standard JSON; failures surface as
`{"error": {"code": 401|403|..., "message": "..."}}` — show that
error verbatim. `401` means the token expired (re-install). `403
insufficientPermissions` means the user didn't grant the write scope
this call needs — explain which scope is missing and suggest
re-installing the connector with the matching write box checked.

**Before any destructive write** (trashing a thread, sending an email)
show the user the exact target / draft and ask them to confirm. Don't
fan out across many messages without an explicit go-ahead.

**Always start with `users/me/profile`** to confirm the connection works
AND learn which Gmail account you're operating against. Mailbox payloads
can be huge — fetch metadata first, only `format=full` when the user
actually wants the body of a specific message.
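
The error handling and metadata-first rules above, as an added shell example that is not part of the skill itself. The function names and the `SAMPLE_*` response bodies are constructed for illustration; the endpoints are the standard Gmail API v1 paths, and the action-to-scope mapping follows the scope list at the top of this page.

```shell
# Added example, not part of the skill. Function names and SAMPLE_* bodies are constructed.
API="https://gmail.googleapis.com/gmail/v1/users/me"

gmail_get() {  # gmail_get PATH -> raw JSON body (needs network and a token)
  curl -sS -H "Authorization: Bearer $GOOGLE_GMAIL_TOKEN" "$API/$1"
}

scope_for() {  # scope the page ties to each kind of action
  case "$1" in
    label|archive|trash) echo "gmail.modify" ;;
    send)                echo "gmail.send" ;;
    *)                   echo "gmail.readonly" ;;
  esac
}

# gmail_diagnose ACTION BODY -> one-line verdict; returns 0 only when BODY has no error.
gmail_diagnose() {
  local action="$1" body="$2" code
  code=$(printf '%s' "$body" | jq -r '.error.code // "none"' 2>/dev/null) || code=""
  case "$code" in
    none) echo "ok" ;;
    401)  echo "token expired: re-install the connector" ;;
    403)
      if printf '%s' "$body" |
         jq -e 'any(.error.errors[]?; .reason == "insufficientPermissions")' >/dev/null
      then echo "missing scope $(scope_for "$action"): re-install with that write box checked"
      else echo "forbidden, not a scope problem"
      fi ;;
    "")   echo "unparseable response" ;;
    *)    echo "api error $code" ;;
  esac
  [ "$code" = none ]
}

# Profile first, then headers only (format=metadata) for the newest message.
gmail_preflight() {
  local profile id
  profile=$(gmail_get profile)
  gmail_diagnose read "$profile" >&2 || { printf '%s\n' "$profile" >&2; return 1; }
  printf '%s\n' "$profile" | jq -r '"account: \(.emailAddress)"'
  id=$(gmail_get 'messages?maxResults=1' | jq -r '.messages[0].id // empty')
  [ -z "$id" ] || gmail_get "messages/$id?format=metadata&metadataHeaders=Subject" |
    jq -r '.payload.headers[] | "\(.name): \(.value)"'
}

# Constructed response bodies so the classifier can be exercised offline.
SAMPLE_OK='{"emailAddress":"user@example.com","messagesTotal":12}'
SAMPLE_401='{"error":{"code":401,"message":"Invalid Credentials"}}'
SAMPLE_403='{"error":{"code":403,"message":"Insufficient Permission","errors":[{"reason":"insufficientPermissions"}]}}'
```

`gmail_preflight` is the only function that touches the network; on failure it prints the verdict and then the raw error body to stderr, so the user still sees Google's error verbatim.
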
## Optional: Google Workspace CLI (`gws`) for outbound mail
[`gws`](https://github.com/googleworkspace/cli) is Google's official CLI
(not officially