Google Workspace Connectors
This sheet covers the first-party Gmail and Google Drive connector manifests.
| Item | Value |
|---|---|
| Manifests | addons/gmail-connect/src/manifest.ts, addons/google-drive-connect/src/manifest.ts |
| Runtime | composition/connectors/user-managed-google-workspace-connector.ts |
| Registry | composition/connectors/registry.ts |
| Status | beta |
Contract
Section titled “Contract”- arka-deck does not own a Google OAuth client for these connectors.
- The user supplies a runtime token or gateway token when creating the installation.
- The secret is encrypted by the connector store and never returned in public DTOs.
- API roots are fixed to Google-owned roots declared in the manifests.
- A user-managed MCP endpoint can be attached through installation
config.mcpEndpoint. - Remote HTTP MCP endpoints are refused; remote endpoints must use HTTPS. Loopback HTTP is accepted for local MCP servers.
- If no MCP endpoint is configured, no fake MCP endpoint is exposed.
- Agent exposure then happens per project through
/api/projects/:id/mcp-connectors/from-installation/:installationId.
Current actions
Section titled “Current actions”| Connector | Read | Governed write/trigger |
|---|---|---|
| Gmail | gmail.search_messages, gmail.get_message, gmail.list_labels | gmail.create_draft, gmail.send_draft |
| Google Drive | google_drive.search_files, google_drive.get_file, google_drive.export_file | google_drive.create_shortcut |
adapters/inbound/web/server/src/__tests__/connectors/google-workspace-user-runtime.test.tsadapters/inbound/web/server/src/__tests__/connectors/core-installations.test.ts
Remaining integration
Section titled “Remaining integration”Prompt bundle synchronization to Cortex Lite still happens only when the connector module is active.
Project MCP
Section titled “Project MCP”When a Gmail or Google Drive installation carries an MCP endpoint, the External sources → Project MCP UI can attach it to the current project. The backend derives the MCP spec from the installation, applies the connector_installation auth policy, tests the server and exposes the MCP to the provider runtime under a connector_* name.
Secrets are not duplicated in the project MCP file. Removing the project MCP only removes runtime exposure; the connector installation remains available.