Upstream HEAD inspected locally: 30d31e972211c2287e63257a5f5c05eba5d74bba.
Local source mirror: skill/email-assistant/.
Installed skill: .codex/skills/email-assistant/.
Local Adaptation
EXTRACTED: Renamed the installed skill to email-assistant.
EXTRACTED: Added Codex-facing SKILL.md instructions for Vipin’s personal email workflow.
EXTRACTED: Added agents/openai.yaml UI metadata.
EXTRACTED: Reworked auth path resolution so credentials and tokens default to .wiki-tmp/email-assistant/auth/, not the skill source tree.
EXTRACTED: Added .wiki-tmp/email-assistant/logs/ action logging with body/token redaction.
EXTRACTED: Removed high-side-effect upstream scripts for filters, forwarding, token migration, and paywall cleanup.
EXTRACTED: Added an email-message.js helper shared by direct sends and draft creation/update.
EXTRACTED: Updated setup docs to use local D:\devtools\node\corepack.cmd pnpm because npm was not available on PATH during installation and the D-drive tool runtime now lives under D:\devtools.
Safety And Approval Model
EXTRACTED: Default workflow is draft-only.
EXTRACTED: gmail-send.js refuses to send without --confirm-send YES_SEND.
EXTRACTED: gmail-drafts.js --action send refuses to send without --confirm-send YES_SEND.
EXTRACTED: gmail-drafts.js --action delete refuses to delete without --confirm-delete YES_DELETE.
EXTRACTED: gmail-labels.js refuses create/add/remove actions without --confirm-modify YES_MODIFY.
EXTRACTED: Browser automation is documented as fallback only for OAuth login, manual review, or web-only workflows.
INFERRED: This design matches the user’s preference: agent reads and drafts quietly, user reviews, then explicitly approves sending.
Verification
EXTRACTED: pnpm install completed under .codex/skills/email-assistant/; node_modules/ remains ignored and is not intended for Git.
EXTRACTED: quick_validate.py .codex/skills/email-assistant passed after installing PyYAML locally under .wiki-tmp/python.
EXTRACTED: node --check passed for all installed JavaScript scripts.
EXTRACTED: node scripts/manage-accounts.js --list handled no configured accounts cleanly.
EXTRACTED: node scripts/auth/setup-oauth.js --account umn --email test@example.com failed safely when credentials.json was absent and printed the .wiki-tmp/email-assistant/auth/credentials.json path.
EXTRACTED: node scripts/gmail-send.js --to user@example.com --subject Test --body Body failed safely without --confirm-send YES_SEND.
EXTRACTED: Opus performed a read-only privacy/security review and reported no blocker; its main maintenance suggestion was to remove duplicated email-message construction, which was addressed.
Limitations
AMBIGUOUS: Live Gmail read/search/draft tests are pending user OAuth for umn and vipinapple.
AMBIGUOUS: UMN may or may not permit Gmail API OAuth through the user’s account; if it fails, future agents should record umn as pending rather than silently switching to browser-only automation.
INFERRED: Concurrent token refresh could race if multiple mail scripts run at once, but this is low-risk for a personal single-user workflow.