feat: Add USER_GOOGLE_EMAIL to server instructions for single-user mode

[gpminsuk]

Closes #424

Summary

When USER_GOOGLE_EMAIL environment variable is set, include it in the MCP server instructions so that AI clients (like Claude) know which email to use for Google Workspace tools without asking the user.

Problem

In single-user mode with USER_GOOGLE_EMAIL set, Claude still asks for the user's email address when using Google Workspace tools because:

1. The user_google_email parameter is required in all tool schemas
2. Claude has no visibility into the USER_GOOGLE_EMAIL env var
3. No server instructions currently tell Claude which email to use

Solution

When USER_GOOGLE_EMAIL is set, pass it as server instructions via the MCP protocol:

_server_instructions = None
if USER_GOOGLE_EMAIL:
    _server_instructions = f"""Connected Google account: {USER_GOOGLE_EMAIL}

When using Google Workspace tools, always use `{USER_GOOGLE_EMAIL}` as the `user_google_email` parameter. Do not ask the user for their email address."""

server = SecureFastMCP(
    name="google_workspace",
    auth=None,
    instructions=_server_instructions,
)

Use Case

Desktop apps (like Gobi Desktop) that handle OAuth externally and pass credentials via GOOGLE_MCP_CREDENTIALS_DIR + USER_GOOGLE_EMAIL. Currently users must tell Claude their email every time, even though the server already knows it.

Test Plan

• Start server with [email protected] uvx workspace-mcp --single-user
• Connect via Claude and ask to read emails
• Verify Claude uses the email from instructions without asking

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Server now receives and processes configuration instructions for single-user mode.

• Chores

  • Server configuration is now logged for visibility during initialization.

[gpminsuk]

✅ Test Results

Test 1: With USER_GOOGLE_EMAIL set

$ USER_GOOGLE_EMAIL="[email protected]" uvx --from . python -c "from core.server import server; print(server.instructions)"

INFO:core.server:Server instructions configured for user: [email protected]
Connected Google account: [email protected]

When using Google Workspace tools, always use `[email protected]` as the `user_google_email` parameter. Do not ask the user for their email address.

Result: ✅ PASSED - Instructions include the email

Test 2: Without USER_GOOGLE_EMAIL

$ uvx --from . python -c "from core.server import server; print('Has instructions:', server.instructions is not None)"

Has instructions: False

Result: ✅ PASSED - No instructions when env var not set

---

Both tests confirm the implementation works correctly:

• When USER_GOOGLE_EMAIL is set, server instructions include the email
• When USER_GOOGLE_EMAIL is not set, no instructions are added (backward compatible)

[taylorwilsdon]

@coderabbitai ready

[coderabbitai]

@taylorwilsdon, I'll review the changes now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Walkthrough

The change adds server instructions to the MCP server initialization in single-user mode by incorporating the USER_GOOGLE_EMAIL environment variable. When this variable is set, instructions are constructed and passed to the SecureFastMCP server to inform Claude which email to use for Google Workspace tool operations.

Changes

Cohort / File(s)	Summary
Server Instructions Configuration core/server.py	Added conditional logic to build server instructions from USER_GOOGLE_EMAIL and pass them to SecureFastMCP via the new instructions parameter, enabling Claude to automatically use the configured email for Google Workspace tools without prompting.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A whisper of instructions, soft and clear,
Email now travels for Claude to hear,
No more questions from the Workspace door,
Just smooth operations, forevermore! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding USER_GOOGLE_EMAIL to server instructions for single-user mode configuration.
Description check	✅ Passed	The PR description provides a clear summary, problem statement, solution, use case, and test plan. The description does not follow the template structure, but contains all essential information needed to understand the change.
Linked Issues check	✅ Passed	The code changes directly address issue #424 by implementing server instructions with USER_GOOGLE_EMAIL when the env var is set, allowing Claude to use the email without prompting, and maintaining backward compatibility.
Out of Scope Changes check	✅ Passed	The changes are limited to adding server instructions logic in core/server.py when USER_GOOGLE_EMAIL is set, with no modifications to authentication flow or other unrelated functionality.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/server.py`:
- Line 63: The current log call prints raw USER_GOOGLE_EMAIL which exposes PII;
change the logger.info call that references USER_GOOGLE_EMAIL to avoid writing
the full address (e.g., log a masked version or only the domain/confirmation
flag). Locate the logger.info(...) usage in core/server.py that references
USER_GOOGLE_EMAIL and replace it with a message that either masks the local part
(keep USER_GOOGLE_EMAIL but transform it before logging), logs only the domain
or a non-sensitive confirmation like "User instructions configured for an
authenticated user", or call a small helper (e.g., mask_email) to produce the
sanitized value before passing to logger.info.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 802ea78 and 4f6b64c.

📒 Files selected for processing (2)

• .github/instructions/general.instructions.md
• core/server.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid logging raw email address (PII) in application logs.

Line 63 logs full USER_GOOGLE_EMAIL, which is unnecessary PII exposure. Prefer a non-sensitive confirmation log.

🔒 Proposed fix

-    logger.info(f"Server instructions configured for user: {USER_GOOGLE_EMAIL}")
+    logger.info("Server instructions configured from USER_GOOGLE_EMAIL")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	logger.info(f"Server instructions configured for user: {USER_GOOGLE_EMAIL}")
	logger.info("Server instructions configured from USER_GOOGLE_EMAIL")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/server.py` at line 63, The current log call prints raw USER_GOOGLE_EMAIL
which exposes PII; change the logger.info call that references USER_GOOGLE_EMAIL
to avoid writing the full address (e.g., log a masked version or only the
domain/confirmation flag). Locate the logger.info(...) usage in core/server.py
that references USER_GOOGLE_EMAIL and replace it with a message that either
masks the local part (keep USER_GOOGLE_EMAIL but transform it before logging),
logs only the domain or a non-sensitive confirmation like "User instructions
configured for an authenticated user", or call a small helper (e.g., mask_email)
to produce the sanitized value before passing to logger.info.