| §1 |
Exit Codes & Status Signaling |
Critical |
1/3 |
2026-05-14 |
Auth errors exit 0 on list, exit 2 on get — inconsistent. Validation errors exit 3. No documented exit code table. HTTP code (401) in JSON, not symbolic |
| §2 |
Output Format & Parseability |
Critical |
1/3 |
2026-05-14 |
JSON output by default and via --format json; but no top-level ok/data/meta envelope. Error struct is {error:{code,message,reason}}. Prose line also emitted to stderr |
| §10 |
Interactivity & TTY Requirements |
Critical |
2/3 |
2026-05-14 |
Exits immediately with JSON error when stdin=DEVNULL — no hang. No interactive prompts in API commands. No --non-interactive flag and no explicit TTY auto-detection |
| §11 |
Timeouts & Hanging Processes |
Critical |
0/3 |
2026-05-14 |
No --timeout flag. No structured timeout error. Network timeouts handled silently by HTTP stack with no defined exit code or JSON error code |
| §12 |
Idempotency & Safe Retries |
Critical |
1/3 |
2026-05-14 |
--dry-run on destructive commands (validates locally). No --idempotency-key. No effect field in responses. No noop signal on duplicate writes |
| §13 |
Partial Failure & Atomicity |
Critical |
0/3 |
2026-05-14 |
No completed_steps, no resume_from token, no --rollback-on-failure. Workflow commands exist but structured partial failure output absent |
| §23 |
Side Effects & Destructive Operations |
Critical |
1/3 |
2026-05-14 |
--dry-run exists on files delete and workflow commands (validates without sending). No effect: "would_delete" response, no danger_level in schema, no reversible field |
| §24 |
Authentication & Secret Handling |
Critical |
2/3 |
2026-05-14 |
Credentials via env vars only (no --token flag). Secret value not echoed in error output (verified). No auto-redaction framework, no --secret-from-file |
| §25 |
Prompt Injection via Output |
Critical |
0/3 |
2026-05-14 |
No trusted/untrusted markers on external data fields. API responses return external content (doc bodies, email subjects) as raw strings in same JSON as CLI metadata |
| §34 |
Shell Injection via Agent-Constructed Commands |
Critical |
1/3 |
2026-05-14 |
Compiled Rust binary — no shell=True. --params JSON passed directly to API, not shell-interpolated. No metacharacter rejection (../../, %2F) — validation deferred to API layer |
| §37 |
REPL / Interactive Mode Accidental Triggering |
Critical |
3/3 |
2026-05-14 |
No REPL or interactive mode exists — not applicable. All commands are single API-call operations |
| §42 |
Debug / Trace Mode Secret Leakage |
Critical |
1/3 |
2026-05-14 |
No --debug/--verbose flags (returns validation error). GOOGLE_WORKSPACE_CLI_LOG=gws=debug emits structured debug to stderr. Token not echoed in error output. No sensitive: true field declarations |
| §43 |
Tool Output Result Size Unboundedness |
Critical |
1/3 |
2026-05-14 |
--page-all with --page-limit N (default 10) controls pagination. No meta.truncated/meta.total_bytes signal. No default size limit on individual response bodies (large docs/files returned in full) |
| §45 |
Headless Authentication / OAuth Browser Flow Blocking |
Critical |
1/3 |
2026-05-14 |
API calls without credentials exit immediately with JSON error (no hang). But exit code is 0 (not a dedicated auth code) and error uses reason: "authError" not structured AUTH_REQUIRED. No auth_methods array |
| §50 |
Stdin Consumption Deadlock |
Critical |
3/3 |
2026-05-14 |
No commands read from stdin. API input via --params/--json flags; uploads via --upload <file>. stdin=DEVNULL causes no deadlock |
| §53 |
Credential Expiry Mid-Session |
Critical |
0/3 |
2026-05-14 |
Expired credentials return reason: "authError" — identical to permission denial. No CREDENTIALS_EXPIRED code, no reauth_command, no expired_at. Cannot distinguish expiry from permanent denial |
| §60 |
OS Output Buffer Deadlock |
Critical |
1/3 |
2026-05-14 |
Single-shot API call model — full JSON response emitted at once. Debug output to stderr has ANSI codes. No heartbeat, no explicit line-buffering guarantee, no elapsed_ms in output |
| §61 |
Bidirectional Pipe Payload Deadlock |
Critical |
2/3 |
2026-05-14 |
Data input via --json string arg and --upload <file> (file path, not pipe). No stdin data path for normal operations. No --input-file alternative, but no stdin data reading to create deadlock |
| §62 |
$EDITOR and $VISUAL Trap |
Critical |
3/3 |
2026-05-14 |
No editor-launching commands. Write operations use --json flag for content. Not applicable |
| §64 |
Headless Display and GUI Launch Blocking |
Critical |
1/3 |
2026-05-14 |
gws auth login opens browser. GOOGLE_WORKSPACE_CLI_TOKEN env var bypasses auth entirely. No --print-url or --no-browser flag. No headless_behavior in schema |
| §71 |
Non-Interactive Installation Absence |
Critical |
1/3 |
2026-05-14 |
Installed via Homebrew (brew install googleworkspace-cli) — non-interactive and effectively idempotent. Not documented in AGENTS.md. No verify command documented. Update available: 0.17.0 → 0.22.5 |
| §74 |
Credential Scope Declaration Absence |
Critical |
1/3 |
2026-05-14 |
gws schema <method> returns scopes listing all possible OAuth scopes. No required_scopes minimal set. No over-privileged warning. No check-permissions command |