From b99b08e557dd742c4d4593cbb9b3e01756d1c3ba Mon Sep 17 00:00:00 2001 From: chenhuang Date: Thu, 9 Apr 2026 06:12:34 +0000 Subject: [PATCH 1/3] fix(mail): add missing event scope for mail watch The mail +watch shortcut requires scope mail:user_mailbox.event.mail_address:read to receive the mail_address field in WebSocket event payloads, but this scope was neither declared in the shortcut's Scopes list nor included in the auto-approve (recommend.allow) set. Without this scope, +watch events arrive without the mail_address field, which breaks mailbox filtering and fetch-mailbox resolution. - Add scope to mail +watch Scopes declaration - Add scope to scope_overrides.json recommend.allow list so that auth login --recommend requests it automatically --- internal/registry/scope_overrides.json | 1 + shortcuts/mail/mail_watch.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/internal/registry/scope_overrides.json b/internal/registry/scope_overrides.json index 8287248e8..b8c3aebd0 100644 --- a/internal/registry/scope_overrides.json +++ b/internal/registry/scope_overrides.json @@ -25,6 +25,7 @@ "calendar:calendar:update", "contact:user.basic_profile:readonly", "mail:event", + "mail:user_mailbox.event.mail_address:read", "mail:user_mailbox.mail_contact:read", "mail:user_mailbox.mail_contact:write", "mail:user_mailbox.message.address:read", diff --git a/shortcuts/mail/mail_watch.go b/shortcuts/mail/mail_watch.go index c56994270..69e9592cc 100644 --- a/shortcuts/mail/mail_watch.go +++ b/shortcuts/mail/mail_watch.go @@ -81,7 +81,7 @@ var MailWatch = common.Shortcut{ Command: "+watch", Description: "Watch for incoming mail events via WebSocket (requires scope mail:event and bot event mail.user_mailbox.event.message_received_v1 added). Run with --print-output-schema to see per-format field reference before parsing output.", Risk: "read", - Scopes: []string{"mail:event", "mail:user_mailbox.message:readonly", "mail:user_mailbox.message.address:read", "mail:user_mailbox.message.subject:read", "mail:user_mailbox.message.body:read"}, + Scopes: []string{"mail:event", "mail:user_mailbox.event.mail_address:read", "mail:user_mailbox.message:readonly", "mail:user_mailbox.message.address:read", "mail:user_mailbox.message.subject:read", "mail:user_mailbox.message.body:read"}, AuthTypes: []string{"user"}, Flags: []common.Flag{ {Name: "format", Default: "data", Desc: "json: NDJSON stream with ok/data envelope; data: bare NDJSON stream"}, From 6f5a4b8241415386075d10adecf16e87252a56c3 Mon Sep 17 00:00:00 2001 From: chenhuang Date: Thu, 9 Apr 2026 06:37:05 +0000 Subject: [PATCH 2/3] fix(mail): add missing mailbox profile scope for mail watch The +watch shortcut calls fetchMailboxPrimaryEmail (GET user_mailboxes/me/profile) to resolve the mailbox address for event filtering, which requires scope mail:user_mailbox:readonly. All other mail shortcuts that call this API (send, reply, forward, draft-create, draft-edit) already declare this scope, but +watch did not. --- shortcuts/mail/mail_watch.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shortcuts/mail/mail_watch.go b/shortcuts/mail/mail_watch.go index 69e9592cc..cf3c6b516 100644 --- a/shortcuts/mail/mail_watch.go +++ b/shortcuts/mail/mail_watch.go @@ -81,7 +81,7 @@ var MailWatch = common.Shortcut{ Command: "+watch", Description: "Watch for incoming mail events via WebSocket (requires scope mail:event and bot event mail.user_mailbox.event.message_received_v1 added). Run with --print-output-schema to see per-format field reference before parsing output.", Risk: "read", - Scopes: []string{"mail:event", "mail:user_mailbox.event.mail_address:read", "mail:user_mailbox.message:readonly", "mail:user_mailbox.message.address:read", "mail:user_mailbox.message.subject:read", "mail:user_mailbox.message.body:read"}, + Scopes: []string{"mail:event", "mail:user_mailbox.event.mail_address:read", "mail:user_mailbox:readonly", "mail:user_mailbox.message:readonly", "mail:user_mailbox.message.address:read", "mail:user_mailbox.message.subject:read", "mail:user_mailbox.message.body:read"}, AuthTypes: []string{"user"}, Flags: []common.Flag{ {Name: "format", Default: "data", Desc: "json: NDJSON stream with ok/data envelope; data: bare NDJSON stream"}, From e2220947568c4542d1c94dc5f51365d543f5b2bd Mon Sep 17 00:00:00 2001 From: chenhuang Date: Mon, 13 Apr 2026 08:23:32 +0000 Subject: [PATCH 3/3] fix(mail): remove event scope from scope_overrides.json The mail:user_mailbox.event.mail_address:read scope only needs to be declared in the +watch shortcut's Scopes list, not in the global recommend.allow set. --- internal/registry/scope_overrides.json | 1 - 1 file changed, 1 deletion(-) diff --git a/internal/registry/scope_overrides.json b/internal/registry/scope_overrides.json index b8c3aebd0..8287248e8 100644 --- a/internal/registry/scope_overrides.json +++ b/internal/registry/scope_overrides.json @@ -25,7 +25,6 @@ "calendar:calendar:update", "contact:user.basic_profile:readonly", "mail:event", - "mail:user_mailbox.event.mail_address:read", "mail:user_mailbox.mail_contact:read", "mail:user_mailbox.mail_contact:write", "mail:user_mailbox.message.address:read",