From “chat about email” to an agent that reads it CORE
You have asked an AI for email help before. You pasted a message and said “how should I reply?” or you described a situation and said “write an email to my teacher about an extension.” The model gave you a draft. It was fine, usually. That was not an email agent.
What you used was a model with no access to your inbox. It saw the one message you pasted. It did not know who the sender is to you, what you have said to them before, whether they have sent you three other emails this week, or what is already on your calendar for the day you just proposed. It answered based on one paragraph in isolation. For a single reply, that is often enough.
An email/calendar agent is a different kind of thing. It is an agent with tools that can actually reach into your inbox and your calendar — read messages in a folder you have allowed it to see, search your threads, check your available times, draft a reply in your drafts folder, create a calendar event on a calendar you have designated. The agent has reach into your communication life the way the Module 4 research agent had reach into the live web.
That reach is why the agent can do things the paste-one-message chat could not. It can scan forty messages and give you a five-line digest. It can find the thread where you discussed the final exam date and draft a reply that matches the tone you used there. It can check your calendar, see the three windows that are actually free next week, and write a proposal message that names those three windows. That is real work.
It is also why Module 5 is the module where the safety norms get louder. An agent that can read your inbox can see things the model-with-one-pasted-message could not. An agent that can draft in your name can, if you let it, send in your name. An agent that can edit your calendar can, if you let it, cancel a meeting you had no intention of cancelling. The difference between useful assistant and problem is not model quality. It is how carefully you drew the fence around what the agent is allowed to read and do.
The four moves: read, categorize, draft, review CORE
Every email/calendar task a directed agent performs runs through four moves. The pattern is the same shape as the four moves of research, adapted to relational work. Naming them lets you direct the agent and audit what it did.
Read. The agent pulls the raw material — messages in a specific folder or with a specific label, events on a specific calendar, threads matching a query. Read is where scope lives: the agent can only see what you have permitted it to see. The default is nothing; you extend the default per task.
Categorize. The agent sorts what it read into buckets you can act on. Which of these twenty messages need a reply from you today? Which are newsletters that can wait? Which are commitments you owe a response on? Which calendar invites overlap with existing commitments? A good agent produces a small number of clean categories. A poor one produces a wall of text that recapitulates the inbox without reducing it.
Draft. The agent writes — an email reply, a meeting-prep brief, a proposed calendar invite, a polite decline. The draft goes into your drafts folder, or into a document you can review, or onto a calendar you have designated for draft events. The draft does not go to the recipient. The draft is a proposal the student will evaluate.
Review. A human — you — reads every draft before it leaves your account. You catch the tone mistake the agent could not catch because it does not know the recipient the way you do. You catch the factual error the agent made confidently. You adjust the greeting, the sign-off, the last sentence that sounded too formal or too casual. You click Send when you are satisfied, or you throw the draft away and write the message yourself.
As the director, the split is unambiguous. The agent does read, categorize, and draft well — often better than you would alone, because the agent does not get bored scanning forty messages and does not flinch at writing a difficult reply. You own review, completely. The agent’s confidence does not substitute for your judgment. A student who leaves Module 5 letting an agent send on their behalf has not learned the module; they have bypassed it.
Why Module 5 is different: other people’s trust CORE
Everything the agent touched in earlier modules was private to you until you chose to ship it. In Module 3, the agent edited your code on your machine; no other human saw it until you pushed the branch. In Module 4, the agent wrote a research brief you could read twice before you handed it in. Module 5 is the first place the agent sits next to other people.
Think about what sits in your inbox right now. A thread with a teacher about a late assignment. A message from a cousin you have not answered. A discussion with a potential employer about a summer job. A string of messages from a friend. These are not abstractions — each of them is a person who knows you and who will read whatever comes from your account as if you wrote it. They trust the name on the envelope.
An agent that can draft in your name is, unavoidably, handling that trust. If the agent sends the wrong thing, the recipient does not know there was an agent in the loop. They just think you sent the wrong thing. If the agent cancels a meeting by mistake, the person whose time was respected is the one who shows up to an empty room. If the agent replies too fast with the wrong tone, the relationship absorbs the damage, not the system.
This is not a reason to keep the agent out of your email. Done well, an email agent is one of the highest-leverage tools in this course — the people who have used one for a month do not go back. It is a reason to draw the fence carefully and to keep a human in the sending step until you have lived with the agent’s judgment long enough to know where it is reliable and where it is not. The two safety norms of this module are not paranoia. They are how adults who rely on these tools actually operate.
One more thing before we name the norms. The agent’s drafts will often be better than what you would have written — more patient, more complete, less cranky at 10 p.m. when a difficult email has been sitting in your inbox for three days. That is part of the point. It is also the exact condition under which the reviewing habit slackens. The trap is not the agent writing a bad draft. The trap is the agent writing a draft so fluent that you stop reading it carefully. Review is the discipline that survives the agent being good.
The two safety norms of Module 5 CORE
This module has two non-negotiable operational rules. Both appear on every recipe callout. Both must be visible on every capstone entry.
Drafts, not sends. An agent reads, categorizes, and drafts. A human reviews and sends. Applied uniformly — email replies, meeting invites, calendar RSVPs, any outbound action that another person will see. The agent puts the draft in your drafts folder, in a tentative calendar slot, in a document you can review. The student is the one who clicks Send or Confirm. In this module, no exceptions. After the module, with enough lived experience, you may choose to relax this rule in specific narrow cases (a recurring weekly status email to yourself, say). You do not relax it here.
Least access for the task. Every permission granted to an agent is scoped to the specific job and revoked when the job is done. The student’s default posture is no access, extended deliberately per task and reduced again afterwards. Applied uniformly — the agent does not see your whole inbox to draft one reply, does not touch your whole calendar to prep one meeting. You set the bounds first, then you give the agent work inside them.
These two norms sit together. The first is about what the agent does. The second is about what the agent sees. Either without the other is incomplete. A scoped agent that can still send is dangerous. An unscoped agent that only drafts is reading things it has no reason to read.
You can remember them as a pair: the agent has a small window on your life and a short leash on what it can change. Your job is to set both.
What you are about to do: the bounded access surface CORE
The rest of this module assumes you have done one short setup task: you have set up a bounded access surface — a specific label on your email and a specific dedicated calendar — that is the only place the agent works during the module. Everything the agent reads, drafts, triages, or proposes in Module 5 happens inside that surface.
Email: an agent-accessible label. You create a label (or folder, depending on your provider) called something like agent-access or AI-triage. You set up a filter or a manual habit that moves messages into it when you want the agent involved — the parent’s small-business inbox subset, a subset of school-related mail, a project you are coordinating with friends. The agent is granted read access to that label only. It does not see your private threads, your family group thread, or the email from the doctor’s office. If you later want to extend access, you do it deliberately, one label at a time.
Calendar: a dedicated Agent Access calendar. You create a new calendar in your calendar app called Agent Access (you can pick the name). The agent is allowed to propose events on this calendar, move drafts here, and reference your other calendars read-only for conflict-checking. Final events — the ones you actually commit to — move onto your real calendar when you confirm them. The agent’s drafts live on the Agent Access calendar until then. It is a sandbox for calendar work.
These two surfaces are not permanent. They are the blast radius for the module. After Module 5, you will decide based on your own experience whether to widen, narrow, or dismantle them. What matters right now is that you start from a small, known surface — not from full inbox access granted because it was the default.
A careful way to think about it: you are not giving the agent access to your email. You are giving the agent access to the corner of your email you chose. There is a large difference. Module 9 returns to this distinction and formalizes it; Module 5 installs it as habit.
Creating the bounded access surface RECIPE
| Tool | Gmail + Google Calendar in a browser (Phases 1, 2, 3a). Phase 3 uses the Claude desktop app — Cowork tab (primary). Optional advanced: Claude Code CLI. |
| Last verified | 2026-04-17 |
| Next review | 2026-07-17 |
| Supported OSes | Browser steps: any OS. Phase 3 (Claude desktop app): macOS, Windows. |
Gmail — create the agent-access label.
- Open Gmail in a browser. In the left sidebar, scroll to Labels and click Create new label. Name it agent-access. Save.
- Pick five to fifteen real messages — a mix of replies-needed, FYIs, newsletters, and at least one thread you are actually in the middle of. Label each with agent-access. These are the raw material for Lesson 5.2’s triage run.
- Do not change your default inbox or set up an auto-filter yet. The goal for Module 5 is a static, hand-chosen set of messages inside one label, not an always-on pipe.
Outlook equivalent: create a folder named agent-access under your inbox; move the same five-to-fifteen messages into it. No Outlook-specific settings are required yet.
Google Calendar — create the Agent Access calendar.
- Open Google Calendar. In the left sidebar, next to Other calendars, click + → Create new calendar. Name it Agent Access. Set the time zone. Save.
- Verify the new calendar appears in your sidebar with its own color. Do not share it with anyone yet.
- Leave your other calendars as-is. The agent will read them for conflict-checking (we will set that in Lesson 5.4) but will only write to Agent Access until you explicitly widen the scope.
Outlook equivalent: New Calendar under My Calendars, named Agent Access. Same rule — agent writes here, reads your other calendars for conflicts only.
Phase 3 — Install the Gmail and Calendar MCP connectors and authenticate
The recipes in Lessons 5.2 onward assume your agent has Gmail and Google Calendar MCP connectors installed and authenticated. MCP stands for Model Context Protocol — it's how agents get extra tools like “read Gmail” and “write to a calendar.” (Module 7 covers MCP in depth and walks you through authoring your own. For now, you just need to install pre-built ones from the MCP registry.)
In the Cowork tab (primary path):
- Open the Claude desktop app and switch to the Cowork tab. In a new session, ask: “Search the MCP registry for a Gmail connector and a Google Calendar connector and walk me through installing both.” Cowork will guide you to the registry; pick the official Google connectors (the ones published by an organization you recognize, not random forks).
- When the OAuth screen appears, read every scope listed before clicking allow. For Gmail, this lesson and 5.2 only need read-only access to your inbox — not “send mail,” not “modify mail,” not “delete.” If the OAuth screen asks for any of those, choose the narrower option if available, or stop and look for a connector version that supports drafts-only/read-only scopes. Lesson 5.3 will widen the scope to drafts-write deliberately, but not yet.
- For Google Calendar, this lesson and 5.4 need read access to your primary calendar (for conflict-checking) and write access to the Agent Access calendar only — not write access to your primary calendar. Verify on the OAuth screen.
- After OAuth completes, verify the granted scope in Google's account page (instructions in the next sub-section). Do not skip this — what the OAuth screen asked for and what is actually granted should match, and a student should personally confirm by looking.
Optional advanced — In the Claude Code CLI
The Claude Code CLI is a terminal alternative to the Cowork tab, useful for students with terminal comfort who plan to script triage runs in Modules 6 and 8. Skip this section if the Cowork tab is enough for you — it is for most students.
- From your terminal, run claude in any folder. At the prompt, ask: “Walk me through installing the Gmail and Google Calendar MCP connectors.”
- Claude Code will surface the install steps for the same connectors. Same OAuth review applies — read what's being granted before clicking allow.
- Verify the granted scope in Google's account page (next sub-section). Confirm with /status in the CLI that the connectors show as live tools.
Phase 3a — Verify the OAuth scope in Google's settings
This step is non-negotiable. The OAuth screen and the actually-granted scope can differ; what matters is what the granted token can do, not what the screen advertised.
- Open myaccount.google.com in your browser. Go to Security → Your connections to third-party apps & services (the exact label may differ; look for “Third-party apps with account access”).
- Find the entry for the connector you installed via the Claude desktop app (it may appear under the name of the connector publisher rather than the agent's name — read carefully). Students who also installed via the Claude Code CLI should see a second entry; review both.
- Click into it. Read the listed permissions out loud. They should match what the lesson asked for: Gmail: read-only access. Calendar: read primary, write Agent Access.
- If the listed permissions are wider — Gmail “send” or “modify,” Calendar write to your primary — revoke and re-authenticate. The connector may have multiple scope options; choose the narrower one. If it offers only one scope and that scope is too wide, file a bug or look for an alternative connector. Don't proceed with an over-grant.
Confirm with a screenshot
Take three screenshots:
- Gmail showing the agent-access label with your selected messages in it.
- Google Calendar showing the Agent Access calendar in the sidebar.
- The Google account Third-party apps page showing the connector entry with its scopes visible.
Drop all three into /capstone/inbox-and-calendar-log-v1-draft.md under a section called Access surface. This is your entry 0 — the fence you drew, plus proof that you actually verified the scope you granted.
Do not move to Lesson 5.2 with an over-granted token. The whole module assumes the bounded surface holds. If the OAuth flow gave you a wider scope than the lesson asked for, fix it before reading on.
Safe default
Two safety norms travel with every recipe in this module: Drafts, not sends and Least access for the task.
Try it — Personal data surface CORE
worksheet deliverable · open the printable worksheet →
You are about to give a software system a keyhole into a sensitive corner of your life. Map the keyhole deliberately, in writing, before you open it.
Fill out the worksheet with four sections:
- What the agent will see. List the kinds of messages in your agent-access label. Name the senders by relationship, not identity — “a teacher,” “a cousin,” “a potential summer-job employer.” Describe the tone and the stakes. If the agent can see it, it can draft about it; you want to know what that means in advance.
- What the agent will not see. List the kinds of messages explicitly outside the fence — family group threads, medical mail, anything with a sensitive personal topic, anything from a friend who has not consented to being triaged by a model. Be concrete. This list is as important as the first one.
- What a wrong confident action would cost. For each of three specific plausible mistakes — the agent drafts a reply with the wrong tone to the teacher, the agent proposes a meeting time that overlaps a family commitment it could not see, the agent summarizes a thread and misses the one line that actually mattered — describe the real-world cost. A missed grade? A strained relationship? An apology email? Put numbers or names on it where you can.
- Who reads the output. For each kind of message and for your capstone’s outbound drafts, name the human who will read it. Their relationship to you. Their tolerance for an awkward message from you. This is the same “audience” move you made in Module 4’s synthesis lesson, applied to email.
Deliverable. A one-page worksheet, saved to your capstone folder as personal-data-surface-v1.md alongside the access-surface screenshots. This is the document Lesson 5.5 asks you to revisit after the module to audit what actually happened against what you predicted here.
Done with the hands-on?
When the recipe steps and any activity above are complete, mark this stage to unlock the assessment, reflection, and project checkpoint.
Quick check
Five questions. Tap a question to reveal the answer and the reasoning.
Show explanation
Answer: B. The category difference is reach — tools that can read and act on your inbox and calendar. Model size, locality, and speed are adjacent tradeoffs, not the defining line. An agent with a small local model wired to inbox tools is an email agent; a frontier chat with no such tools is not.
Show explanation
Answer: D. The agent can read forty messages, sort them into clean categories, and draft excellent replies. What it cannot do is know the recipient the way you do, catch the tone mistake that lives in a relationship, or carry responsibility for what leaves your account. Review is the human move that survives the agent being competent at everything before it.
Show explanation
Answer: B. The rule is uniform and applies to anything another person will see — email replies, meeting invites, RSVPs. A is the trap: students routinely decide “routine” means “I do not need to read it,” and that is exactly when the quiet mistake ships. C misunderstands what “send” means. D makes an exception for calendar RSVPs, which in practice cause as many relational problems as email replies — the rule does not have that exception.
Show explanation
Answer: C. Fluency is exactly when review gets skipped — the lesson’s point. A fluent wrong draft is the most common mistake in email agents, because the draft carries the voice of credibility without having earned it. A is the fluent-bypass trap. B is better but still misses tone and factual errors. D confuses rewriting with review; a second agent does not know your friend either.
Show explanation
Answer: B. Least access means the narrowest scope that lets the task actually happen. Triage requires reading the messages in one label; it does not require seeing your whole account, and it does not require write permissions. A and C are over-grants. D is under-grants — you lose the agent’s value entirely. The correct posture is deliberate, minimal, and revocable.
Reflection prompt
Where is the review muscle going to need to be strongest — and where will the agent save the most time?
In 6–8 sentences: Of the relationships represented in your inbox — a teacher, a family member, a friend, an employer, a parent’s business contact — which one makes you most uncomfortable imagining an agent drafting a reply to, and why? What does that discomfort tell you about where the agent’s drafts will need the most careful review? And: which kind of email, if the agent drafted it well, would reclaim the most time in your week?
The last half of the prompt is important. The safety norms this lesson installs matter exactly because the agent is going to be useful enough that you will be tempted to skip review. Naming the high-leverage use before you start makes the module’s work feel like real work, not a compliance exercise.
Project checkpoint
Add a “Personal Data Surface” section to my-first-loop.md.
Open your my-first-loop.md capstone file. You already have sections for Goal, Model, Tools, Secrets, Cost ceiling, Directed Edit Style, and Research Surface. Add a new section called Personal Data Surface with this template:
Personal Data Surface. The agent’s access in Module 5 is bounded to the agent-access label on my email and the Agent Access calendar I created. Inside that surface, the kinds of messages the agent will see are: [1–2 sentences].
The kinds of messages explicitly outside that surface are: [1–2 sentences].
The people whose trust I am handling through this agent are: [list them by relationship, not name — “my teacher, my cousin, my summer-job contact”].
The cost of a wrong confident action would be: [one sentence].
My safety norms for this module are drafts, not sends and least access for the task.
Then, under this section, paste the two screenshots from the recipe callout — the agent-access label and the Agent Access calendar. These are entry 0 of your capstone log.
Do not proceed to Lesson 5.2 until the label, the calendar, and this section are in place. The fence comes before the agent.
Next in Module 5
Lesson 5.2 — Inbox triage: reading before writing.
Run your first real agentic work on an inbox. Read-only triage against the bounded label, in the Cowork tab (with the Claude Code CLI as an Optional Advanced sidebar). The four-step audit (count, placement, invention, missing context) becomes the muscle every later Module 5 task sits on top of.