Add Google Developer Expert agent with OAuth 2.0 and Google API integration#11

Draft
Copilot wants to merge 5 commits into main from copilot/add-google-developer-expert-agent

Copilot AI commented Dec 24, 2025

Implements a production-ready agent for secure Google API access (Gmail, Docs, Drive) with zero-trust token management that prevents OAuth credentials from reaching the LLM context.

Security Architecture

Zero plaintext in pRing 0: OAuth tokens are sealed via pwosCrypto immediately upon receipt, stored as pwenc:v1:... in /vault/google/*, and only decrypted in TypeScript at API call time.

  • RFC 0016 compliant encryption (AES-256-GCM, SSH agent key derivation)
  • RFC 0018 compliant vault storage (ciphertext-only enforcement)
  • OAuth 2.0 with PKCE (RFC 7636)
  • Automatic token refresh with expiration detection

Components

OAuth Infrastructure (21KB TypeScript)

  • oauth-auth.ts: Authorization code flow with PKCE, local callback server
  • oauth-token.ts: Token lifecycle (get, refresh, validate, revoke)

API Wrappers (25KB TypeScript)

  • gmail-api.ts: list, get, send, search, labels, threads
  • gdocs-api.ts: get, create, update, list documents
  • gdrive-api.ts: list, upload, download, search, folder management

Agent & Skill (51KB)

  • google-expert.md: Agent persona with interaction patterns
  • SKILL.md: Complete usage guide with OAuth workflows
  • DESIGN.md: Architecture rationale and threat model
  • TESTING.md: Verification procedures
  • skill.test.ts: RFC 0012 compliance tests

Example Usage

```typescript
// First-time setup
await pwosSyscall("exec", "oauth-auth.ts start");  // Opens browser, seals tokens

// Load agent
await pwosIngest("os://agents/google-expert.md");

// Agent automatically handles token retrieval/refresh for API calls
// User: "Send email to alice@example.com with subject 'Update'"
// → gmail-api.ts send --to alice@example.com --subject Update --body ...

// Token storage (vault enforces pwenc format)
// /vault/google/access_token   pwenc:v1:eyJ2IjoxLCJraWQiOi...
// /vault/google/refresh_token  pwenc:v1:eyJ2IjoxLCJraWQiOi...
```

Implementation Notes

All tools follow PromptWare OS microkernel patterns:

  • RFC 0012 compliant (--help, --description ≤1024 chars)
  • Subprocess isolation for syscall boundaries
  • Atomic operations composable via pwosSyscall
  • Zero-footprint execution (URL-based invocation)

Token refresh is transparent: API wrappers detect 401 errors, call oauth-token.ts refresh, and retry the original request.

Files: 11 total (1 agent, 5 tools, 5 docs)
Size: 3,922 lines (~116KB)

Original prompt

The task is to design a new agent with the name "Google Developer Expert" with a skill set of using all the Google Drive API features. Include Gmail, Google Docs first. The goal is to leverage all the Google Drive official API, encapsulate all of them to this skills tool, and write how to use this tool in the skills prompt so that the agent can load this skill and know how to use the tool which can leverage all the operations of the Google Drive. When the first time run, the scale should require user to input to follow the OAuth authentication flow and finish authentication. After that, the scale should save the OAuth token in the memory vault. All the OAuth authentication processes should be written in TypeScript, and the cleartext token should never reach prompt ring 0. It should be saved directly to the memory vault through the TypeScript. Make this concept complete and design the basic framework with skeleton source code as the first version for my reviewing. Explain all your design reasoning steps and philosophies and the principles.



Copilot AI and others added 4 commits December 24, 2025 23:29
Co-authored-by: huan <1361891+huan@users.noreply.github.com>
Co-authored-by: huan <1361891+huan@users.noreply.github.com>
Co-authored-by: huan <1361891+huan@users.noreply.github.com>
Co-authored-by: huan <1361891+huan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Google Developer Expert agent with Drive API features Add Google Developer Expert agent with OAuth 2.0 and Google API integration Dec 24, 2025
Copilot AI requested a review from huan December 24, 2025 23:36
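
The refresh-on-401 behaviour and the ciphertext-only vault rule described in the pull request, as an added sketch that is not code from this PR. `Vault`, `Deps`, `callWithRefresh` and `demo` are hypothetical names, and the sealing function is a toy stand-in for pwosCrypto, whose API the page does not show.

```typescript
// Added example. seal/unseal/refresh/send are hypothetical stand-ins for pwosCrypto,
// "oauth-token.ts refresh" and a Google API request; synchronous only for brevity.
type Resp = { status: number; body: string };
interface Deps {
  seal(plain: string): string;
  unseal(sealed: string): string;
  refresh(refreshToken: string): string; // returns a new access token
  send(accessToken: string): Resp;
}
const PWENC = "pwenc:v1:";
const ACCESS = "/vault/google/access_token";
const REFRESH = "/vault/google/refresh_token";

class Vault {
  private store: Record<string, string> = {};
  put(path: string, value: string): void {
    // Ciphertext-only enforcement; the rejected value is never echoed in the error.
    if (value.slice(0, PWENC.length) !== PWENC) throw new Error(`vault: non-pwenc write to ${path}`);
    this.store[path] = value;
  }
  get(path: string): string {
    const v = this.store[path];
    if (v === undefined) throw new Error(`vault: ${path} not found`);
    return v;
  }
}

function callWithRefresh(vault: Vault, deps: Deps): Resp {
  const first = deps.send(deps.unseal(vault.get(ACCESS)));
  if (first.status !== 401) return first;
  // One refresh, one retry: a second 401 is returned to the caller, not looped on.
  const fresh = deps.refresh(deps.unseal(vault.get(REFRESH)));
  vault.put(ACCESS, deps.seal(fresh)); // sealed before it is stored
  return deps.send(fresh);
}

// Constructed run: toy reversible "sealing" (NOT encryption) and a fake API.
function demo(): { resp: Resp; stored: string; sends: number } {
  let sends = 0;
  const deps: Deps = {
    seal: (p) => PWENC + p.split("").reverse().join(""),
    unseal: (s) => s.slice(PWENC.length).split("").reverse().join(""),
    refresh: (rt) => (rt === "rt-sample" ? "at-new" : "at-rejected"),
    send: (at) => { sends++; return { status: at === "at-new" ? 200 : 401, body: "" }; },
  };
  const vault = new Vault();
  vault.put(ACCESS, deps.seal("at-expired"));
  vault.put(REFRESH, deps.seal("rt-sample"));
  const resp = callWithRefresh(vault, deps);
  return { resp, stored: vault.get(ACCESS), sends };
}
```

The retry is bounded to a single attempt so a revoked refresh token surfaces as a 401 to the caller instead of a refresh loop.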