+ #jDRt^RIHt^RIt^RIt^RIt^RIt^RIt^RIH t ] !] !] 4P4P4t]]P9d]PP!^]4^RIHtHt]!4t]R, t]R, t]R, t.R$Ot.R%OtRtR R lt]3R R lltR RltRRltRtRt Rt!R&RRllt"RRlt#RRlt$RRlt%RRlt&Rt'RR lt(R!t)R"t*]+R#8Xd ]*!4R#R#)'u/Google Workspace OAuth2 setup for Hermes Agent. Fully non-interactive — designed to be driven by the agent via terminal commands. The agent mediates between this script and the user (works on CLI, Telegram, Discord, etc.) Commands: setup.py --check # Is auth valid? Exit 0 = yes, 1 = no setup.py --client-secret /path/to.json # Store OAuth client credentials setup.py --auth-url # Print the OAuth URL for user to visit setup.py --auth-code CODE # Exchange auth code for token setup.py --revoke # Revoke and delete stored token setup.py --install-deps # Install Python dependencies only Agent workflow: 1. Run --check. If exit 0, auth is good — skip setup. 2. Ask user for client_secret.json path. Run --client-secret PATH. 3. Run --auth-url. Send the printed URL to the user. 4. User opens URL, authorizes, gets redirected to a page with a code. 5. User pastes the code. Agent runs --auth-code CODE. 6. Run --check to verify. Done. ) annotationsN)Path)display_hermes_homeget_hermes_homezgoogle_token.jsonzgoogle_client_secret.jsonzgoogle_oauth_pending.jsonzhttp://localhost:1c V^8dQhRRRR/#)payloaddictreturn)formats"l/opt/hermes-venv/lib/python3.14/site-packages/../../../skills/productivity/google-workspace/scripts/setup.py __annotate__r@scT\V4pVPR4'gRVR&V#)typeauthorized_user)r get)r normalizeds& r "_normalize_authorized_user_payloadr@s*gJ >>& ! !. 6 rc V^8dQhRRRR/#)rpathrr r r )r s"r rrGsdDrcr\P!VP44# \d/u#i;iN)jsonloads read_text Exception)rs&r _load_token_payloadrGs1zz$..*++  s #& 66c V^8dQhRRRR/#)rrr r list[str]r )r s"r rrNsEE$E9ErcbaVPR4;'gVPR4pV'g.#\V\4'dVP4MTUu0uF*q"P 4'gKVP 4kK, upo\ V3Rl\ 44#uupi)scopesscopec38<"TFqS9gK VxK R#5irr ).0r#granteds& r /_missing_scopes_from_payload..SsDVEG/C%%Vs )r isinstancestrsplitstripsortedSCOPES)rrawsr&s& @r _missing_scopes_from_payloadr1Ns ++h  7 77;;w#7C  2RPRV44pRV R2#) c3,"TF pRV 2xK R#5i) - Nr )r%r#s& r r')_format_missing_scopes..WsCN5$ugNsz=Token is valid but missing required Google Workspace scopes: zW Run the Google Workspace setup again from this same Hermes profile to refresh consent.)join)r3bulletss& r _format_missing_scopesr;Vs/iiCNCCGH )a arc ^RIp^RIp\R4R# \dMi;i\R4\P !\ PRRRR.\,\PR 7\R 4R# \Pdbp\R T 24\R 4\R 4\R\ P RRP\4 24Rp?R#Rp?ii;i)z@Install Google API packages if missing. Returns True on success.NzDependencies already installed.Tz%Installing Google API dependencies...z-mpipinstallz--quiet)stdoutzDependencies installed.z'ERROR: Failed to install dependencies: zKOn environments without pip (e.g. Nix), install the optional extra instead:z$ pip install 'hermes-agent[google]'z Or manually: z -m pip install  F) googleapiclientgoogle_auth_oauthlibprint ImportError subprocess check_callsys executableREQUIRED_PACKAGESDEVNULLCalledProcessErrorr9)rArBes r install_depsrM_s # /0     12 ^^T5)Y ?BS S%%  '(  ( ( 7s;< Y  45 cnn--=chhGX>Y=Z[\s% %%ABC;AC66C;c^RIp^RIpR# \d.\4'g\P !^4R#R#i;i)z:Check deps are available, install if not, exit on failure.N)rArBrDrMrGexit)rArBs r _ensure_depsrP{s3# ~~ HHQKs 1AAc\RR7'gR#^RIHp^RIHpVP \ \44pV!RRVR7pVP4P^R 7P4\R 4R# \dqp\ T4P4pR T9gR T9d1\R T 24\R4\R4\R4M\RT 24Rp?R#Rp?ii;i)zICheck auth with a real API call to detect disabled_client/account issues.T)quietF)build Credentialscalendarv3) credentials) maxResultsz'LIVE_CHECK_OK: Real API call succeeded.disabled_clientinvalid_clientz5LIVE_CHECK_FAILED: OAuth client or account disabled: z9 1. Check Google Cloud Console for disabled OAuth clientz2 2. Check myaccount.google.com for account statusz) 3. Do NOT retry with a disabled accountzLIVE_CHECK_FAILED: N) check_authgoogleapiclient.discoveryrSgoogle.oauth2.credentialsrUfrom_authorized_user_filer* TOKEN_PATH calendarListlistexecuterCrlower)rSrUcredsservicerLerr_strs r check_auth_liverhs D ! !3955c*oF De<##q#199; 78  a&,,.  '+;w+F I!M N M N F G = > 's+ , sA.B DA%C<<DcV^8dQhRR/#)rrRboolr )r s"r rrsCCdCrc \P4'g\R\ 24R#\4^RIHp^RIHpVP\\44p\\4pTP'd_\T4pT'd0\R\T4 R24TFp\R T 24K T'g\R \ 24R #TP'dTP 'dTP#T!44\P%\&P(!\+\&P,!TP/444^R 74\\\44pT'd0\R \T4 R24TFp\R T 24K T'g\R\ 24R #\R4R# \dp\RT 24Rp?R#Rp?ii;i \dp\T4P14pRT9gRT9d]\RT 24\R4\R4\R4\R4\R4\R4\R4M6RT9gRT9d\RT 24\R4M\RT 24Rp?R#Rp?ii;i)zCCheck if stored credentials are valid. Prints status, exits 0 or 1.zNOT_AUTHENTICATED: No token at FrTRequestzTOKEN_CORRUPT: Nz1AUTHENTICATED (partial): Token valid but missing z scopes:r7zAUTHENTICATED: Token valid at Tindentz5AUTHENTICATED (partial): Token refreshed but missing z"AUTHENTICATED: Token refreshed at rZr[zOAUTH_CLIENT_DISABLED: z7 The OAuth client or Google account has been disabled.z Steps to resolve:uR 1. Check your Google Cloud Console — verify the OAuth client is not disabledzT 2. Check if your Google account itself has been disabled at myaccount.google.comzX 3. If the account is disabled, you can appeal at accounts.google.com/signin/recoveryuW 4. Do NOT retry API calls with a disabled account — this may worsen the situationzP 5. If the OAuth client is disabled, create a new one in Google Cloud Console token_revoked invalid_grantzTOKEN_REVOKED: z" Re-run setup to re-authenticate.zREFRESH_FAILED: zTOKEN_INVALID: Re-run setup.)r`existsrCrPr^rUgoogle.auth.transport.requestsrmr_r*rrvalidr1lenexpired refresh_tokenrefresh write_textrdumpsrrto_jsonrd) rRrUrmrerLrr3r0rgs & r r\r\sX      / |<=N56 55c*oF "*-G {{{5g>  Ec.FYEZZbc d#QCj!$ 2:,? @ }}},,,  MM') $  ! ! 6tzz%--/7RS  ::Mj:YZNMcR`NaMbbjkl'AD*%(::,GH& () g  s#$@ !fllnG G+/?7/J/s34OP+,jklmpqophi G+'/Is+,:;(,-! s8G,CH H, H7H  H K"B9KK"cV^8dQhRR/#)rrr*r )r s"r rrs>>c>rcx\V4P4P4pVP4'g%\ RV 24\ P !^4\P!VP44pRX9d4RV9d-\ R4\ R4\ P !^4\P\P!V^R74\ R\ 24R # \Pd%\ R4\ P !^4Li;i) z4Copy and validate client_secret.json to Hermes home.zERROR: File not found: zERROR: File is not valid JSON. installedwebzGERROR: Not a Google OAuth client secret file (missing 'installed' key).zQDownload the correct file from: https://console.cloud.google.com/apis/credentialsrnzOK: Client secret saved to N)r expanduserresolverrrCrGrOrrrJSONDecodeErrorCLIENT_SECRET_PATHryrz)rsrcdatas& r store_client_secretrs t*   ! ) ) +C ::<< 'u-.  zz#--/* $5#4 WX ab  !!$**T!"<= '(:'; <=    ./  s#$D6D98D9c V^8dQhRRRR/#)rstater* code_verifierr )r s"r rrs   S rc p\P\P!RVRVR\/^R74R#)zAPersist the OAuth session bits needed for a later token exchange.rr redirect_urirnN)PENDING_AUTH_PATHryrrz REDIRECT_URIrrs$$r _save_pending_authrs5         rcV^8dQhRR/#)rr r r )r s"r rr sDrc\P4'g"\R4\P!^4\ P !\P44pXPR4'dVPR4'g-\R4\R4\P!^4V# \d:p\RT 24\R4\P!^4Rp?LRp?ii;i)z9Load the pending OAuth session created by get_auth_url().z! e ##rc\\P4'g"\R4\P!^4\ 4^RIHpVP\\4\\RR7pVPRRR7wr#\W1PR7\V4R #) zAPrint the OAuth authorization URL. User visits this in a browser.:ERROR: No client secret stored. Run --client-secret first.FlowT)r"rautogenerate_code_verifierofflineconsent) access_typepromptrN)rrrrCrGrOrPgoogle_auth_oauthlib.flowrfrom_client_secrets_filer*r.rauthorization_urlrr)rflowauth_urlrs r get_auth_urlr/s  $ $ & & JK  N.  ( ( !#' ) D ,,-OHU2D2DE (OrcV^8dQhRR/#)rrr*r )r s"r rrGs?W?WS?Wrch\P4'g"\R4\P!^4\ 4pTp\ V4wrV'd/W1R,8wd"\R4\P!^4\4^RIH p^RI H pH p\\4p\V\ 4'dyVP#R4'dbV!V!V4P$4pVP'R4;'gR.^,P)4p V 'dV P+4pVP-\!\4VVP'R \.4VR,VR ,R 7p R \0P2R &V P5VR7V P8p \;\<P>!V PA444p \CV R4'd2V PD'd \V PD;'g.4M.pV'dWR&MV\8wdW}R&\GV 4pV'd)\RRPIV4 24\R4\JPM\<PN!V ^R74\PPSRR7\R\J 24\R\U4 R24R# \6d;p \RT 24\R4\P!^4Rp ? ELRp ? ii;i)z8Exchange the authorization code for a token and save it.rrzKERROR: OAuth state mismatch. Run --auth-url again to start a fresh session.rrrr#rr)r"rrr1OAUTHLIB_RELAX_TOKEN_SCOPE)rzERROR: Token exchange failed: z=The code may have expired. Run --auth-url to get a fresh URL.Ngranted_scopesr"z5WARNING: Token missing some Google Workspace scopes: z, z#Some services may not be available.rnT missing_okz"OK: Authenticated. Token saved to zProfile-scoped token location: z/google_token.json)+rrrrCrGrOrrrPrrrrrrbr.r)r*rrrr,r+rrosenviron fetch_tokenrrXrrrr{hasattrrr1r9r`ryrzrunlinkr)r pending_auth raw_callbackreturned_staterrrrr scope_valrrLre token_payloadactually_grantedr3s& r exchange_auth_coderGsw  $ $ & & JK  %'LL248D.,AA [\  N./&\N,$$)@)@)H)H(<0667ZZ(00RD!4::< &__.N  ( ( !%%nlC7#"?3 ) D36 /0 d#   E6tzz%--/7RSM - .zl ;< +,?,A+BBT UV5  .qc23 MN  s%K,, L17/L,,L1c\P4'g\R4R#\4^RIHp^RIHpVP\\4\4pVP'd)VP'dVPV!44^RIpVPP!VPPRVP" 2RRR/R 7^R 7\R 4\P'R R7\(P'R R7\R\ 24R# \$dp\R T 24Rp?L^Rp?ii;i)z"Revoke stored token and delete it.zNo token to revoke.NrTrlz+https://oauth2.googleapis.com/revoke?token=POSTz Content-Typez!application/x-www-form-urlencoded)methodheaders)timeoutzToken revoked with Google.z9Remote revocation failed (token may already be invalid): TrzDeleted )r`rrrCrPr^rUrsrmr_r*r.rvrwrxurllib.requestrequesturlopentokenrrr)rUrmreurllibrLs r revokers      #$N56O55c*ovN ===U000 MM') $ NN " "=ekk]K')LM #     *+&- HZL !" O I!MNNOsAD3A-D33 E>EEc\P!RR7pVPRR7pVPRRRR7VPRRR R7VPR R R R 7VPRRRR7VPRRRR 7VPRRRR7VPRRRR7VP 4pVP 'd)\ P!\4'd^M^4\VRR4'd+\ P!\4'd^M^4R#VP'd\VP4R#VP'd \4R#VP'd\!VP4R#VP"'d \#4R#VP$'d+\ P!\%4'd^M^4R#R#)z'Google Workspace OAuth setup for Hermes) descriptionT)requiredz--check store_truez)Check if auth is valid (exit 0=yes, 1=no))actionhelpz --check-livez9Check auth with a real API call (detects disabled_client)z--client-secretPATHzStore OAuth client_secret.json)metavarrz --auth-urlz!Print OAuth URL for user to visitz --auth-codeCODEzExchange auth code for tokenz--revokezRevoke and delete stored tokenz--install-depszInstall Python dependencies check_liveFN)argparseArgumentParseradd_mutually_exclusive_group add_argument parse_argscheckrGrOr\getattrrh client_secretrrr auth_coderrrM)parsergroupargss r mainrs  $ $1Z [F  / / / >E y>*     lnn!, r__main__)z.https://www.googleapis.com/auth/gmail.readonlyz*https://www.googleapis.com/auth/gmail.sendz,https://www.googleapis.com/auth/gmail.modifyz(https://www.googleapis.com/auth/calendarz%https://www.googleapis.com/auth/drivez1https://www.googleapis.com/auth/contacts.readonlyz,https://www.googleapis.com/auth/spreadsheetsz)https://www.googleapis.com/auth/documents)zgoogle-api-python-clientzgoogle-auth-oauthlibzgoogle-auth-httplib2)F),__doc__ __future__rrrrrErGpathlibrr*__file__rparent _SCRIPTS_DIRrinsert _hermes_homerr HERMES_HOMEr`rrr.rIrrrr1r;rMrPrhr\rrrrrrrr__name__r rr rs,#  4>))+223 sxxHHOOA|$= . .  #>>"== a $ &0E84CL>, *$"0?WD#B-8 zFr