# LFCS Email Access — 2026-05-12 Session Notes

## What happened
Rocky asked to forward latest emails from tenders.dec to admin@lfcs.com.au.

Attempted himalaya CLI — not installed on this Hermes instance.
Attempted google_api.py — token expired/permission error ("Caller does not have required permission to use project opsman-lfcs-27665").

## State of email access on this Hermes
- himalaya: NOT installed → `curl -sSL https://raw.githubusercontent.com/pimalaya/himalaya/master/install.sh | PREFIX=~/.local sh`
- Google OAuth token: `/root/.hermes/google_token.json` — token is expired, bound to wrong project
  - Need to re-auth via: `python /root/.hermes/skills/productivity/google-workspace/scripts/setup.py --auth-url`
  - User pastes auth URL → gets redirect → pastes code back → `setup.py --auth-code "CODE"`
- Google Workspace OAuth does have gmail.readonly + gmail.send scopes — IF token is refreshed, it works

## Workaround for email forwarding
If email access is broken in Hermes, route through OpsMan (clawdbot-opsman) which may have a working connection.
Or: Rocky can forward manually from his phone/desktop while on the road.

## Fix sequence (when Rocky is at desktop)
1. Generate auth URL: `python /root/.hermes/skills/productivity/google-workspace/scripts/setup.py --auth-url`
2. Rocky opens URL → signs in → copies redirect URL
3. Exchange: `python /root/.hermes/skills/productivity/google-workspace/scripts/setup.py --auth-code "CODE_FROM_URL"`
4. Verify: `python3 -c "from googleapiclient.discovery import build; from google.oauth2.credentials import Credentials; creds = Credentials.from_authorized_user_file('/root/.hermes/google_token.json', ['https://www.googleapis.com/auth/gmail.readonly']); print('OK')"`