BOSSTORQUE · INTERNAL

bt-email-monitor — Setup Guide

Three-times-daily inbox brief. Classify unread Gmail inbox messages by priority, render an HTML report, ping #bt-ops in Slack, store everything permanently for archive search.

Open Latest Brief Run OAuth Helper

What's already deployed

Cloudflare Workers

Worker	URL	Purpose
`bt-email-monitor`	bt-email-monitor.jason-8ce.workers.dev	Main cron + report viewer + search
`bt-email-monitor-auth`	bt-email-monitor-auth.jason-8ce.workers.dev	One-shot OAuth helper (delete after setup)

D1 Database

bt-email-monitor · UUID 41e649dc-9f21-46d3-afce-3e390dcee77a. Tables: emails, reports, senders, run_state, plus FTS5 virtual table emails_fts. Nothing ever deletes. Every report and email metadata persists forever for search.

Secrets already set

✓ANTHROPIC_API_KEY — pulled from Apple Notes
✓RUN_TOKEN — for programmatic /run triggers

Three things still needed

1. Gmail OAuth — get the refresh token (~5 min)

Required so the worker can read your inbox.

1 Open Google Cloud Console signed in as jason@bosstorque.ai.

2 Project picker → select existing BOSSTORQUE project, or click New Project named bt-email-monitor.

3 APIs & Services → Library → search "Gmail API" → click result → Enable.

4 APIs & Services → OAuth consent screen.

User Type: External → Create
App name: bt-email-monitor
User support + Developer email: jason@bosstorque.ai
Save past Scopes (don't add any here — we request them in the auth URL)
Test users: Add → jason@bosstorque.ai
Save

5 APIs & Services → Credentials → Create Credentials → OAuth client ID.

Application type: Web application
Name: bt-email-monitor
Authorized redirect URIs — paste exactly:
https://bt-email-monitor-auth.jason-8ce.workers.dev/callback
Click Create — copy the Client ID and Client Secret from the dialog

6 Visit the OAuth helper: bt-email-monitor-auth.jason-8ce.workers.dev. Paste Client ID + Secret, click Authorize.

Google may warn "app not verified" — click Advanced → Go to bt-email-monitor (unsafe). It's your own app.
Grant the read-only Gmail permission.

7 Helper displays three values: Client ID, Client Secret, Refresh Token. Paste all three back into the Cowork chat.

2. Send me the bt-notify NOTIFY_TOKEN

The email monitor authenticates against bt-notify /send with a bearer token. To rotate it cleanly (both workers get the same value), run in Terminal:

TOKEN=$(openssl rand -hex 32)
echo "$TOKEN" | /usr/local/bin/wrangler secret put NOTIFY_TOKEN --name bt-notify
echo "$TOKEN" | /usr/local/bin/wrangler secret put NOTIFY_TOKEN --name bt-email-monitor
echo "Token: $TOKEN"

If you already have the token saved, just paste it in chat and I'll set it on bt-email-monitor only.

3. Lock the report pages behind Cloudflare Access (~3 min)

Restricts the report viewer and search to your Google identity.

1 Open Cloudflare Zero Trust → BOSSTORQUE team.

2 Access → Applications → Add an application → Self-hosted.

3 Configure:

Application name: bt-email-monitor
Session duration: 24 hours
Application domain: bt-email-monitor.jason-8ce.workers.dev
Path: leave empty (protect all paths)
Identity providers: Google

4 Add policy:

Policy name: Owner only
Action: Allow
Include rule: Emails → jason@bosstorque.ai

5 Save. First visit prompts Google login; 24h cookie after.

Don't protect bt-email-monitor-auth with CF Access — Google OAuth callback can't satisfy it. The auth helper is one-shot anyway; delete after setup.

What happens once those three are done

Paste the Gmail Client ID, Client Secret, Refresh Token + NOTIFY_TOKEN status back in chat.
I set the four secrets on bt-email-monitor.
I run a manual end-to-end test against the real inbox.
Verify report renders, Gmail deep links work, Slack ping fires.
Enable the three cron triggers (8 AM / 12 PM / 4 PM Pacific).
First scheduled brief lands tomorrow 8 AM PT in #bt-ops.

How it works once live

URL	Purpose
/latest	Redirects to most recent report
`/r/{slug}`	Specific report (Slack-linked)
/archive	List every past brief
/search	Full-text search across every email ever processed
`/run?slot=manual&token=…`	Manual trigger (requires RUN_TOKEN)
/health	Liveness check (no auth)

Priority ordering

#	Priority	Detection
P1	Sales Conversations	Inbound inquiries, replies to outbound, proposals/quotes, named construction / field-service prospects
P2	Active Client Communications	Existing paying clients (Sperry Tree Care, etc.)
P3	Czech Citizenship	.cz domains, embassy/consulate, attorney Trnka, keywords (občanství, naturalization, MZV, MVCR)
P4	Personal / Operational	Bills, scheduling, vendors needing approval
P5	FYI	Order confirmations, receipts, status updates
P6	Newsletters / System	Hidden by default in report; counted in KPIs

Design notes

✓Per-run cap: 200 messages. Safety guardrail per cron fire, not a time window.
✓Foreign-language handling: Any non-English email gets full original copy + English translation in the report.
✓"New since last check": Each report flags new arrivals with orange border vs. still-unread backlog.
✓Stale flag: Red border on anything unread >24 hours.
✓Action items: P1/P2/P3 emails get a one-line specific action when classifier detects a reply is needed.
✓Attachments: Filenames + MIME on each card. Not downloaded (privacy + size).
✓Gmail never modified: Read-only scope. Nothing marked read, archived, or deleted by this tool.
✓Sender memory: first_seen, last_seen, message_count, czech/sales/client flags. Used for classification stability over time.
✓Self-reporting failures: Cron failures post to #bt-ops automatically. Silent breakage is the worst failure mode.

Reference card

Item	Value
CF Account ID	`8cef3a20d2c22491d2bbbc594cf4865d`
D1 Database UUID	`41e649dc-9f21-46d3-afce-3e390dcee77a`
Main worker	`bt-email-monitor`
OAuth helper	`bt-email-monitor-auth` (delete after setup)
Source code	`/tmp/bt-email-monitor/` on this Mac
Gmail scope	`https://www.googleapis.com/auth/gmail.readonly`
Gmail query	`in:inbox is:unread` (strictly inbox)
Anthropic model	`claude-haiku-4-5-20251001`
Cron (UTC)	`0 15 * * `, `0 19 * `, `0 23 * *` — enabled after validation