Enriched Shadow Mode — Implementation
Status: Ready to dispatch
Blocker: Google Calendar OAuth not yet configured
What We Need
The gog skill requires OAuth setup before calendar queries work:
# Step 1: Set credentials (client_secret.json from Google Cloud Console)
gog auth credentials /path/to/client_secret.json
# Step 2: Add account with calendar scope
gog auth add hoffmann.family.manager@gmail.com --services calendar
# Step 3: Verify
gog auth list
Security Checklist
- [ ] Client ID from Google Cloud Console (project: hoffmann-icarus)
- [ ] OAuth consent screen configured (internal/limited)
- [ ] calendar.readonly scope only (NOT calendar read-write)
- [ ] API key restricted to Tailscale IPs
- [ ] No events.insert() or events.update() calls in code
- [ ] Rate limiting: max 50 queries/day
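Three of the checklist items (read-only scope, no write calls, 50 queries/day) can be enforced mechanically. The following is an added example, not code from this project: the function and class names are hypothetical, the scope string is assumed to be the space-delimited value from an OAuth token response, and the regex assumes Google client-style calls such as events().insert(...).

```python
import re
from datetime import date

# Google's read-only Calendar scope; the checklist allows only this one.
READONLY_SCOPE = "https://www.googleapis.com/auth/calendar.readonly"
MAX_QUERIES_PER_DAY = 50  # limit taken from the checklist

# Matches events.insert( and events().update( style calls (call style assumed).
WRITE_CALL = re.compile(r"\bevents\s*(?:\(\s*\))?\s*\.\s*(insert|update)\s*\(")


def scope_violations(granted):
    """Return every problem with a granted scope string (empty list = OK).

    Any scope other than calendar.readonly is reported, and so is a grant
    that lacks calendar.readonly altogether.
    """
    scopes = granted.split()
    problems = [s for s in scopes if s != READONLY_SCOPE]
    if READONLY_SCOPE not in scopes:
        problems.append("<missing calendar.readonly>")
    return problems


def find_write_calls(source):
    """Return (line number, method) for each events.insert/update call."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in WRITE_CALL.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


class DailyQueryBudget:
    """In-memory counter that refuses calendar queries past the daily cap."""

    def __init__(self, limit=MAX_QUERIES_PER_DAY):
        self.limit = limit
        self.day = None
        self.used = 0

    def allow(self, today):
        if today != self.day:  # first query of a new day resets the count
            self.day, self.used = today, 0
        if self.used >= self.limit:
            return False
        self.used += 1
        return True
```

The budget counter lives in memory only; a restart resets it, so a persistent deployment would store the count alongside the staging database.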
What I Need From You
- Google Cloud Console access — Do you have a project set up? Or should I guide you through creating one?
- Client Secret file — Is client_secret.json already on the Beelink? If so, where?
- Calendar ID — Which Google Calendar holds the family schedule? (e.g., hoffmann.family.manager@gmail.com or a shared calendar ID)
Alternative Path
If OAuth setup is complex, we can use a service account with domain-wide delegation (read-only). This avoids the OAuth consent flow but requires:
- Google Workspace admin access
- Service account key file (JSON)
- Domain-wide delegation for calendar.readonly
My Recommendation
Use OAuth (not service account) for now — it's the standard path and easier to scope to read-only. Service accounts are overkill for family use and harder to audit.
Next Step: Get me the client_secret.json path or confirm you need help setting it up.
Files:
- services/icarus/docs/ENRICHED-SHADOW-SPEC.md — Full spec
- ~/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md — gog usage
Staging database: ~/.icarus/shadow/shadow.db (isolated, no production data)
When OAuth is ready: I'll dispatch Socrates to implement CalendarValidator class, fuzzy matching, and Admin DM exhaust.