Problem
Applications using gwsa currently need to import gwsa SDK at runtime to access Gmail/Calendar/Drive APIs. This creates a tight coupling where:
- gwsa must be installed as a runtime dependency
- Code must use gwsa's auth wrappers instead of standard
google.auth.default()
- Testing and deployment require gwsa-specific credential handling
The maintenance burden is real: We're constantly wrapping and extending Google's libraries, always behind on features or missing something. It's an extra layer of abstraction that adds no value beyond profile management.
Proposed Solution
Add a profile activation mode that writes the active profile's credentials to ADC location, allowing applications to use standard google.auth.default() without any gwsa imports at runtime.
Workflow:
# List profiles (existing)
gwsa profiles list
# Activate a profile for ADC (new)
gwsa profiles activate mytexoma
# Now any code using google.auth.default() uses mytexoma's credentials
python -c "import google.auth; creds, _ = google.auth.default(); print(creds)"
Implementation approach:
gwsa profiles activate <name> writes the profile's OAuth token to ~/.config/gcloud/application_default_credentials.json (or respects GOOGLE_APPLICATION_CREDENTIALS)- Existing profile management (add, remove, list, refresh) stays the same
- Applications can then use
google-auth + google-api-python-client directly
Benefits
- No auth code needed: ADC "just works" - no wrapper code, no auth handling, nothing
- Multiple credential sources: ADC automatically checks env vars, gcloud config, GCE metadata, etc.
- GCP integration: Works seamlessly with
GOOGLE_APPLICATION_CREDENTIALS, workload identity, and other GCP patterns
- Decoupled runtime: Applications don't need gwsa as a dependency - just google-auth
- Standard patterns: Code works identically locally and in Cloud Run
- Stop playing catch-up: No more wrapping Google APIs that already work fine
- gwsa stays focused: Profile management is the value-add, not API wrappers
Use Case
The agentic-consult MCP server currently uses gwsa SDK for Gmail label operations locally, but uses google-auth in Cloud Run (via service account). This dual-path is fragile. With ADC activation, both paths would use the same code: google.auth.default().
What gwsa becomes
A profile management CLI tool:
gwsa profiles add - OAuth flow, store credentialsgwsa profiles list - Show available profilesgwsa profiles activate - Write to ADC locationgwsa profiles refresh - Refresh expired tokens
No SDK, no API wrappers, no runtime dependency. Just credential management.
Problem
Applications using gwsa currently need to import gwsa SDK at runtime to access Gmail/Calendar/Drive APIs. This creates a tight coupling where:
google.auth.default()The maintenance burden is real: We're constantly wrapping and extending Google's libraries, always behind on features or missing something. It's an extra layer of abstraction that adds no value beyond profile management.
Proposed Solution
Add a profile activation mode that writes the active profile's credentials to ADC location, allowing applications to use standard
google.auth.default()without any gwsa imports at runtime.Workflow:
Implementation approach:
gwsa profiles activate <name>writes the profile's OAuth token to~/.config/gcloud/application_default_credentials.json(or respectsGOOGLE_APPLICATION_CREDENTIALS)google-auth+google-api-python-clientdirectlyBenefits
GOOGLE_APPLICATION_CREDENTIALS, workload identity, and other GCP patternsUse Case
The agentic-consult MCP server currently uses gwsa SDK for Gmail label operations locally, but uses google-auth in Cloud Run (via service account). This dual-path is fragile. With ADC activation, both paths would use the same code:
google.auth.default().What gwsa becomes
A profile management CLI tool:
gwsa profiles add- OAuth flow, store credentialsgwsa profiles list- Show available profilesgwsa profiles activate- Write to ADC locationgwsa profiles refresh- Refresh expired tokensNo SDK, no API wrappers, no runtime dependency. Just credential management.