Thanks to visit codestin.com
Credit goes to github.com

Skip to content

docs(plans): Outlook via Power Automate enterprise bypass plan#954

Merged
itomek merged 1 commit into
mainfrom
kalin/power-automate-outlook-plan
May 5, 2026
Merged

docs(plans): Outlook via Power Automate enterprise bypass plan#954
itomek merged 1 commit into
mainfrom
kalin/power-automate-outlook-plan

Conversation

@kovtcharov-amd

Copy link
Copy Markdown
Collaborator

On IT-managed machines, Azure AD app registration is blocked — making the existing mcp-outlook connector (which requires MS_CLIENT_ID / MS_CLIENT_SECRET) and the planned native MS Graph OAuth connector unusable. This plan introduces Power Automate HTTP triggers as a relay: the user imports 4 flow templates into their already-IT-approved Power Automate license, pastes the trigger URLs into GAIA Settings, and Outlook email + calendar works without any Azure AD app registration.

Before: no viable Outlook integration path on corporate machines. After: "check my email" works via Power Automate in ~10 minutes of setup.

Key decisions:

  • New webhook connector type in the connectors framework — generic (works for Zapier/Make/n8n too), not Power Automate-specific
  • No new ConnectorSpec fields — webhook endpoints derived from config_schema, following the framework's "type-driven, not connector-driven" principle
  • Per-agent scope vocabulary (email.read, email.send, calendar.read) so the existing grants system works without special-casing
  • SAS token expiry detection — parsed at configure time, warns 14 days before expiry
  • Ships alongside, not instead of, the planned native MS Graph OAuth connector

Reviewed by architecture-reviewer and code-reviewer agents; 14 findings incorporated (Appendix A in the plan).

Test plan

  • Read docs/plans/power-automate-outlook.md — verify architectural consistency with connectors framework plan (docs/plans/connectors.mdx)
  • Verify scope vocabulary (§3.5) aligns with email triage agent plan's EmailSource interface
  • Verify no contradictions with email-calendar-integration.mdx or email-triage-agent.mdx (priority ordering for Outlook is intentionally different — §6 explains why)

Adds a plan for integrating with Outlook on IT-managed machines where
Azure AD app registration is blocked, using Power Automate HTTP triggers
as a relay to the built-in Outlook connector.

Introduces a generic `webhook` connector type for the connectors framework
and Power Automate flow templates for inbox, email read, send, and calendar
operations.

Reviewed by architecture-reviewer and code-reviewer agents; 14 findings
incorporated (see Appendix A).
@github-actions github-actions Bot added the documentation Documentation changes label May 4, 2026
@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

Summary

Documentation-only PR adding a 853-line draft plan for an Outlook integration via Power Automate HTTP triggers — a workaround for IT-managed machines where Azure AD app registration is blocked. The plan is unusually thorough: it accurately references the existing connectors framework (src/gaia/connectors/spec.py, mcp_server.py), proposes a clean generic webhook connector type rather than a Power-Automate-specific shim, and already incorporates 14 findings from prior architecture/code review passes (Appendix A). Most important thing for the author to know: a few small inconsistencies between this plan and the conventions in CLAUDE.md are worth tightening before this drives implementation.

Issues Found

🟢 Minor: disconnect() example uses except … pass (docs/plans/power-automate-outlook.md:189-196)

The example handler catches PasswordDeleteError with pass. It is typed (not bare) and the comment documents the intent, so it's not a CLAUDE.md "No Silent Fallbacks" violation in spirit — but readers cargo-cult plan code into implementation. Consider making the example log at debug level so the eventual implementation doesn't drop a silent-swallow into the codebase.

                try:
                    keyring.delete_password(SERVICE_NAME, f"{spec.id}:{field.key}")
                except keyring.errors.PasswordDeleteError:
                    logger.debug(
                        "keyring entry %s:%s already absent — disconnect is idempotent",
                        spec.id, field.key,
                    )

🟢 Minor: docs_url and the docs file path don't agree (docs/plans/power-automate-outlook.md:256 vs. :610)

§4 sets docs_url="https://amd-gaia.ai/connectors/power-automate-outlook", but §7.3 ships the guide at docs/guides/power-automate-outlook.mdx. Under Mintlify's docs.json routing, that file renders at /guides/power-automate-outlook, not /connectors/.... Either pick docs/connectors/power-automate-outlook.mdx (and add a connectors section to docs/docs.json) or change the spec entry:

    docs_url="https://amd-gaia.ai/guides/power-automate-outlook",

🟢 Minor: Cross-link drive-by note is slightly inaccurate (docs/plans/power-automate-outlook.md:726)

The Phase 1 task says "Cross-link mcp-outlookpower-automate-outlook help text" pointing at catalog/mcp_servers.py. The catalog actually lives at src/gaia/connectors/catalog/mcp_servers.py (verified) — fine — but worth being explicit so the implementer doesn't search for the file in the plan path.

🟢 Minor: Section 9's table claims aiohttp respects HTTPS_PROXY automatically (docs/plans/power-automate-outlook.md:706-711)

aiohttp does not read HTTPS_PROXY automatically the way requests does — it requires either trust_env=True on the ClientSession or explicit proxy= per request. Worth a one-line clarification in §9 so the implementer wires it correctly:

- Respect ``HTTPS_PROXY`` / ``NO_PROXY`` environment variables — `aiohttp` requires
  passing ``trust_env=True`` to the ``ClientSession`` constructor; otherwise it
  ignores environment proxy settings.

🟢 Minor: Plan is not in docs/docs.json

CLAUDE.md says "New pages must be added to docs/docs.json navigation," but this file is .md (not .mdx) and other internal-only plan drafts (agent-ui-eval-benchmark.md, cpp-webui-integration.md, axis-gaia-integration.md) follow the same opt-out-of-nav pattern. Consistent with precedent — flagging only so the author can confirm it was an intentional "internal-only draft" choice rather than an oversight. If the plan should ship publicly when finalized, rename to .mdx and add to docs.json.

Strengths

  • Accurate references to live code. ConnectorType literal at src/gaia/connectors/spec.py:23, _VALID_TYPES at :28, McpServerHandler keyring pattern at mcp_server.py:186/232, and verify_keyring_backend() in store.py all match what the plan claims. The Open Question 7 callout about McpServerHandler not currently calling verify_keyring_backend() is correct — verified.
  • Security thinking is genuinely good. SAS-token-as-bearer treatment, query-string stripping from aiohttp error messages (a real footgun), scope vocabulary that plugs into the existing grants.json, and the _gaia_test flag for safe test() on write endpoints all show the plan was iterated on, not first-drafted.
  • Clear "before / after" framing in the PR description and §1. Lead-with-impact style — easy for a reviewer to decide whether to merge in under 30 seconds.
  • Section 11 (Alternatives Considered) earns its place — explicitly rejects EWS, COM, OAuth-wait, and PAD with reasons rather than ignoring them.

Verdict

Approve with suggestions. Documentation-only draft plan; nothing implementation-affecting yet. The minor fixes above (docs_url mismatch, aiohttp proxy clarification, optional logging in the disconnect example) are worth applying before this drives the Phase 1 PR, but none of them block merging the plan itself.

@itomek itomek added this pull request to the merge queue May 5, 2026
Merged via the queue into main with commit fd82de1 May 5, 2026
23 checks passed
@itomek itomek deleted the kalin/power-automate-outlook-plan branch May 5, 2026 12:21
theonlychant pushed a commit to theonlychant/gaia that referenced this pull request May 7, 2026
## Why this matters

Ships the v0.17.6 patch: a new Email Triage Agent with Gmail (every
email body stays on local Lemonade), the OAuth PKCE foundation that
backs it, settings UI card layout, and a sweep of installer fixes that
close the remaining first-launch failures uncovered after v0.17.5.
Custom Python agents that follow the template's
`super().__init__(**kwargs)` pattern no longer crash on the first
message in the Agent UI.

Full notes: `docs/releases/v0.17.6.mdx`.

## What's New

- **Email Triage Agent with Gmail**
([amd#965](amd#965)) — `EmailTriageAgent` with
25 tools across read / organize / reply / delete / calendar mixins.
Every email body processed locally on Lemonade; seven destructive tools
confirmation-gated; three layers of prompt-injection defense; SQLite
undo log via `DatabaseMixin`.
- **OAuth PKCE foundation for Google connections**
([amd#926](amd#926)) — Self-contained
`gaia.connections` module: refresh tokens in the OS keychain (Keychain /
DPAPI / SecretService), per-agent grants in
`~/.gaia/connections/grants.json`, async token cache with refresh
rotation. Baseline for the v0.17.7 connectors framework.
- **Settings UI card layout**
([amd#969](amd#969)) — Outlined cards with
accent left-stripe replace margin-separated blocks across all settings
sections; light + dark themes both updated.

## Bug Fixes

- **Custom Python agents crashed on first message**
([amd#974](amd#974), closes
[amd#973](amd#973)) — `python_factory` now
introspects the target class's `__init__` chain and only forwards kwargs
the chain accepts, so the bare `super().__init__(**kwargs)` template
pattern no longer crashes with `unexpected keyword argument
'rag_documents'`.
- **Windows installer failed at `ensure-uv`**
([amd#968](amd#968), closes
[amd#966](amd#966)) — `uv` binary now
bundled for `win-x64`; packaged Windows rescue installer included.
- **macOS installer failed at `ensure-uv` on clean Apple Silicon**
([amd#967](amd#967), closes
[amd#941](amd#941)) — Pinned `uv` v0.5.14
(`aarch64-apple-darwin`) shipped in the DMG; new `dmg-structural-smoke`
CI job blocks future drift.
- **AppImage users hit `gaia: command not found`**
([amd#942](amd#942), closes
[amd#782](amd#782)) — Startup writes a
`~/.local/bin/gaia` shim so `gaia` is on PATH after first launch (skips
creation if already present).
- **Windows fell back to Qwen instead of Gemma 4 default**
([amd#949](amd#949), closes
[amd#948](amd#948)) — Model-resolution logic
fixed so Gemma loads correctly on Windows.

## Tooling & Docs

- **`gaia-release` skill**
([amd#939](amd#939)) — Phased release flow
with hard gates before every irreversible step; encodes the manual
pre-tag verification that caught two release-blocking bugs in v0.17.4.
- **Internal-task issue template**
([amd#906](amd#906)) — Third issue template
for agent-assignable internal work.
- **Outlook via Power Automate plan**
([amd#954](amd#954)) — Enterprise-bypass spec
for v0.17.7 Outlook integration.
- **PR description guidance sharpened**
([amd#947](amd#947)) — `CLAUDE.md` "tight and
value-focused" rule with anti-patterns.
- **Stale `macOS uv fetch removed` orphan comment removed**
([amd#975](amd#975)).

## Thanks

External contributors in this release:

- [@theonlychant](https://github.com/theonlychant) — installer fixes
([amd#968](amd#968),
[amd#942](amd#942),
[amd#949](amd#949))
- [@BlueriteSoul](https://github.com/BlueriteSoul) — reported AppImage
`gaia: command not found`
([amd#782](amd#782))
- [@nuts23](https://github.com/nuts23) — reported Windows Gemma/Qwen
fallback ([amd#948](amd#948))

## Release checklist

- [x] `util/validate_release_notes.py docs/releases/v0.17.6.mdx --tag
v0.17.6` passes
- [x] `src/gaia/version.py` → `0.17.6`
- [x] `src/gaia/apps/webui/package.json` → `0.17.6`
- [x] Navbar label in `docs/docs.json` → `v0.17.6 · Lemonade 10.2.0`
- [x] All 14 commits in the range (v0.17.5..HEAD) are represented in the
notes
- [ ] Review from @kovtcharov-amd addressed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Documentation changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants