Skip to content

Pin gws to 0.7.0 and switch to per-account isolated config dirs#2

Open
mquinnv wants to merge 1 commit into
evolsb:mainfrom
mquinnv:gws-per-account-isolation
Open

Pin gws to 0.7.0 and switch to per-account isolated config dirs#2
mquinnv wants to merge 1 commit into
evolsb:mainfrom
mquinnv:gws-per-account-isolation

Conversation

@mquinnv
Copy link
Copy Markdown

@mquinnv mquinnv commented May 13, 2026

Summary

Two related fixes:

  1. Pin @googleworkspace/cli to 0.7.0. The gws mcp subcommand was removed in v0.8.0 / PR #275 ("BREAKING CHANGE: Remove MCP server mode" — no detailed rationale in the changelog). Anyone running npm install -g @googleworkspace/cli today gets 0.22.x and the wrapper fails with Unknown service 'mcp'. 0.7.0 is the last version where gws mcp exists.

  2. Replace the mint-token-at-startup wrapper with per-account isolated config dirs. The previous approach (Python-mint an access token from the exported refresh token, pass via GOOGLE_WORKSPACE_CLI_TOKEN) worked for Claude Code where sessions are short, but in Claude Desktop the access token expires after ~1hr and gws mcp can't refresh it (it doesn't have access to the refresh token). The fix is to give each account its own GOOGLE_WORKSPACE_CLI_CONFIG_DIR with GOOGLE_WORKSPACE_CLI_KEYRING_BACKEND=file, so gws mcp has its own encrypted credential store per account and can refresh tokens internally. Tested running for >1hr in Claude Desktop without re-auth issues.

The new wrapper is a 5-line shim that sets the two env vars and execs gws mcp — no Python token-minting needed.

Other improvements

  • CLAUDE.md: explicit Claude Desktop / Cowork instructions, including the gotcha that Claude Desktop's built-in claude.ai Gmail/Drive/Calendar connectors are read-only and may intercept tool calls from our write-capable MCPs (disable them in Settings → Connectors).
  • README.md: gotcha table expanded with the new failure modes (gws 0.8.0 removal, keyring contention, Claude Desktop built-in connectors, Homebrew gws collision).
  • docs/manual-setup.md: full rewrite for the per-account-dir flow.
  • docs/research-notes.md: callout at top pointing at the two superseded conclusions, but the rest of the historical document is preserved as-is.

Test plan

  • All 3 accounts (personal Gmail, two Google Workspace) registered as separate MCPs at Claude Code user scope and in Claude Desktop config
  • Drive read + write, Gmail, Calendar all work across all 3 accounts
  • Verified each account routes correctly (gws drive about get returns the matching email)
  • Run for > 1hr in Claude Desktop without "invalid authentication credentials" reappearing

🤖 Generated with Claude Code

@mquinnv @claude
Pin gws to 0.7.0 and switch to per-account isolated config dirs
f8b3e6a 
`gws mcp` was removed in v0.8.0, and the previous mint-token-once-at-startup
wrapper died after 1hr — fatal for Claude Desktop. Replace with isolated
per-account config dirs at ~/.config/gws/accounts/<name>/ using KEYRING_BACKEND=file,
so `gws mcp` refreshes access tokens internally with no expiry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mquinnv