4.3 KiB
summary, read_when
| summary | read_when | ||
|---|---|---|---|
| Gmail Pub/Sub push wired into Clawdis webhooks via gogcli |
|
Gmail Pub/Sub -> Clawdis
Goal: Gmail watch -> Pub/Sub push -> gog gmail watch serve -> Clawdis webhook.
Prereqs
gcloudinstalled and logged in.gog(gogcli) installed and authorized for the Gmail account.- Clawdis hooks enabled (see
docs/webhook.md). tailscalelogged in if you want a public HTTPS endpoint via Funnel.
Example hook config (enable Gmail preset mapping):
{
hooks: {
enabled: true,
token: "CLAWDIS_HOOK_TOKEN",
path: "/hooks",
presets: ["gmail"]
}
}
To customize payload handling, add hooks.mappings or a JS/TS transform module
under hooks.transformsDir (see docs/webhook.md).
Wizard (recommended)
Use the Clawdis helper to wire everything together (installs deps on macOS via brew):
clawdis hooks gmail setup \
--account clawdbot@gmail.com
Defaults:
- Uses Tailscale Funnel for the public push endpoint.
- Writes
hooks.gmailconfig forclawdis hooks gmail run. - Enables the Gmail hook preset (
hooks.presets: ["gmail"]).
Want a custom endpoint? Use --push-endpoint <url> or --tailscale off.
Platform note: on macOS the wizard installs gcloud, gogcli, and tailscale
via Homebrew; on Linux install them manually first.
Run the daemon (starts gog gmail watch serve + auto-renew):
clawdis hooks gmail run
One-time setup
- Select the GCP project that owns the OAuth client used by
gog.
gcloud auth login
gcloud config set project <project-id>
Note: Gmail watch requires the Pub/Sub topic to live in the same project as the OAuth client.
- Enable APIs:
gcloud services enable gmail.googleapis.com pubsub.googleapis.com
- Create a topic:
gcloud pubsub topics create gog-gmail-watch
- Allow Gmail push to publish:
gcloud pubsub topics add-iam-policy-binding gog-gmail-watch \
--member=serviceAccount:gmail-api-push@system.gserviceaccount.com \
--role=roles/pubsub.publisher
Start the watch
gog gmail watch start \
--account clawdbot@gmail.com \
--label INBOX \
--topic projects/<project-id>/topics/gog-gmail-watch
Save the history_id from the output (for debugging).
Run the push handler
Local example (shared token auth):
gog gmail watch serve \
--account clawdbot@gmail.com \
--bind 127.0.0.1 \
--port 8788 \
--path /gmail-pubsub \
--token <shared> \
--hook-url http://127.0.0.1:18789/hooks/gmail \
--hook-token CLAWDIS_HOOK_TOKEN \
--include-body \
--max-bytes 20000
Notes:
--tokenprotects the push endpoint (x-gog-tokenor?token=).--hook-urlpoints to Clawdis/hooks/gmail(mapped; isolated run + summary to main).--include-bodyand--max-bytescontrol the body snippet sent to Clawdis.
Recommended: clawdis hooks gmail run wraps the same flow and auto-renews the watch.
Expose the handler (dev)
For local testing, tunnel the handler and use the public URL in the push subscription:
cloudflared tunnel --url http://127.0.0.1:8788 --no-autoupdate
Use the generated URL as the push endpoint:
gcloud pubsub subscriptions create gog-gmail-watch-push \
--topic gog-gmail-watch \
--push-endpoint "https://<public-url>/gmail-pubsub?token=<shared>"
Production: use a stable HTTPS endpoint and configure Pub/Sub OIDC JWT, then run:
gog gmail watch serve --verify-oidc --oidc-email <svc@...>
Test
Send a message to the watched inbox:
gog gmail send \
--account clawdbot@gmail.com \
--to clawdbot@gmail.com \
--subject "watch test" \
--body "ping"
Check watch state and history:
gog gmail watch status --account clawdbot@gmail.com
gog gmail history --account clawdbot@gmail.com --since <historyId>
Troubleshooting
Invalid topicName: project mismatch (topic not in the OAuth client project).User not authorized: missingroles/pubsub.publisheron the topic.- Empty messages: Gmail push only provides
historyId; fetch viagog gmail history.
Cleanup
gog gmail watch stop --account clawdbot@gmail.com
gcloud pubsub subscriptions delete gog-gmail-watch-push
gcloud pubsub topics delete gog-gmail-watch