feat: add read-only profile support

Add --read-only flag to profile creation that prevents write/destructive
operations when the profile is used. This enables safer sharing of
credentials for monitoring or read-only use cases.

Changes:
- Add ProfileEntry interface with optional readOnly field
- Add enforceWriteAccess() utility for write operation enforcement
- Add profile update command with --read-only/--no-read-only flags
- Show [read-only] indicator in profile list and [RO] in status
- Enforce read-only on all write operations across 14 services

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: plosson

src/commands/config.ts

@@ -8,7 +8,7 @@ import { getAllCredentials, setAllCredentials } from '../auth/token-store';
 import { CliError, handleError } from '../utils/errors';
 import { confirm } from '../utils/stdin';
 import { isInteractive, interactiveCheckbox, interactiveSelect } from '../utils/interactive';
-import type { Config, ServiceName } from '../types/config';
+import type { Config, ServiceName, ProfileValue } from '../types/config';
 import type { StoredCredentials } from '../types/tokens';
 
 interface ProfileSelection {
@@ -126,8 +126,9 @@ export function registerConfigCommands(program: Command): void {
         const allProfiles: ProfileSelection[] = [];
         for (const [service, profiles] of Object.entries(configData.profiles)) {
           if (profiles) {
-            for (const profile of profiles) {
-              allProfiles.push({ service: service as ServiceName, profile });
+            for (const entry of profiles) {
+              const profileName = typeof entry === 'string' ? entry : entry.name;
+              allProfiles.push({ service: service as ServiceName, profile: profileName });
             }
           }
         }
@@ -309,11 +310,16 @@ export function registerConfigCommands(program: Command): void {
           for (const [service, profiles] of Object.entries(exportData.config.profiles)) {
             if (profiles) {
               if (!currentConfig.profiles[service as keyof typeof currentConfig.profiles]) {
-                (currentConfig.profiles as Record<string, string[]>)[service] = [];
+                (currentConfig.profiles as Record<string, ProfileValue[]>)[service] = [];
               }
-              for (const profile of profiles) {
-                if (!(currentConfig.profiles as Record<string, string[]>)[service].includes(profile)) {
-                  (currentConfig.profiles as Record<string, string[]>)[service].push(profile);
+              for (const entry of profiles) {
+                const profileName = typeof entry === 'string' ? entry : entry.name;
+                const currentProfiles = (currentConfig.profiles as Record<string, ProfileValue[]>)[service];
+                const exists = currentProfiles.some((p) =>
+                  (typeof p === 'string' ? p : p.name) === profileName
+                );
+                if (!exists) {
+                  currentProfiles.push(entry);
                 }
               }
             }

src/commands/discourse.ts

@@ -88,6 +88,7 @@ export function registerDiscourseCommands(program: Command): void {
     .command('add')
     .description('Add a new Discourse profile')
     .option('--profile <name>', 'Profile name (auto-detected from username if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nDiscourse Setup\n');
@@ -173,10 +174,13 @@ export function registerDiscourseCommands(program: Command): void {
         const profileName = options.profile || username.trim();
 
         // Save credentials
-        await setProfile('discourse', profileName);
+        await setProfile('discourse', profileName, { readOnly: options.readOnly });
         await setCredentials('discourse', profileName, credentials);
 
         console.log(`\nProfile "${profileName}" configured!`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
         console.log(`   Test with: agentio discourse list --profile ${profileName}`);
       } catch (error) {
         handleError(error);

src/commands/gcal.ts

@@ -9,6 +9,7 @@ import { GCalClient } from '../services/gcal/client';
 import { printGCalCalendarList, printGCalEventList, printGCalEvent, printGCalEventCreated, printGCalEventDeleted, printGCalFreeBusy } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 
 async function getGCalClient(profileName?: string): Promise<{ client: GCalClient; profile: string }> {
   const { tokens, profile } = await getValidTokens('gcal', profileName);
@@ -155,7 +156,8 @@ export function registerGCalCommands(program: Command): void {
           return { method: method as 'email' | 'popup', minutes: parseInt(minutes, 10) };
         });
 
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'create event');
         const event = await client.createEvent({
           calendarId: calendarId || 'primary',
           summary: options.summary,
@@ -210,7 +212,8 @@ export function registerGCalCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'Cannot use both --attendee and --add-attendee');
         }
 
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'update event');
         const event = await client.updateEvent({
           calendarId,
           eventId,
@@ -243,7 +246,8 @@ export function registerGCalCommands(program: Command): void {
     .option('--send-updates <mode>', 'Send notifications: all, externalOnly, none', 'all')
     .action(async (calendarId: string, eventId: string, options) => {
       try {
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'delete event');
         await client.deleteEvent(calendarId, eventId, options.sendUpdates);
         printGCalEventDeleted(calendarId, eventId);
       } catch (error) {
@@ -300,7 +304,8 @@ export function registerGCalCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', `Invalid status: ${options.status}`, 'Use: accepted, declined, or tentative');
         }
 
-        const { client } = await getGCalClient(options.profile);
+        const { client, profile } = await getGCalClient(options.profile);
+        await enforceWriteAccess('gcal', profile, 'respond to event');
         const event = await client.respond({
           calendarId,
           eventId,
@@ -353,6 +358,7 @@ export function registerGCalCommands(program: Command): void {
     .command('add')
     .description('Add a new Google Calendar profile')
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Starting OAuth flow for Google Calendar...\n');
@@ -371,11 +377,14 @@ export function registerGCalCommands(program: Command): void {
 
         const profileName = options.profile || email;
 
-        await setProfile('gcal', profileName);
+        await setProfile('gcal', profileName, { readOnly: options.readOnly });
         await setCredentials('gcal', profileName, { ...tokens, email });
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${email}`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
       } catch (error) {
         handleError(error);
       }

src/commands/gchat.ts

@@ -12,6 +12,7 @@ import { CliError, handleError } from '../utils/errors';
 import { readStdin, prompt } from '../utils/stdin';
 import { interactiveSelect } from '../utils/interactive';
 import { printGChatSendResult, printGChatMessageList, printGChatMessage, printGChatSpaceList } from '../utils/output';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GChatCredentials, GChatWebhookCredentials, GChatOAuthCredentials } from '../types/gchat';
 
 const getGChatClient = createClientGetter<GChatCredentials, GChatClient>({
@@ -95,7 +96,8 @@ export function registerGChatCommands(program: Command): void {
           }
         }
 
-        const { client } = await getGChatClient(options.profile);
+        const { client, profile } = await getGChatClient(options.profile);
+        await enforceWriteAccess('gchat', profile, 'send message');
         const result = await client.send({
           text,
           payload,
@@ -185,6 +187,7 @@ export function registerGChatCommands(program: Command): void {
     .command('add')
     .description('Add a new Google Chat profile (webhook or OAuth)')
     .option('--profile <name>', 'Profile name (required for webhook, auto-detected for OAuth)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nGoogle Chat Setup\n');
@@ -205,23 +208,26 @@ export function registerGChatCommands(program: Command): void {
               'Run: agentio gchat profile add --profile <name>'
             );
           }
-          await setupWebhookProfile(options.profile);
+          await setupWebhookProfile(options.profile, options.readOnly);
         } else {
-          await setupOAuthProfile(options.profile);
+          await setupOAuthProfile(options.profile, options.readOnly);
         }
       } catch (error) {
         handleError(error);
       }
     });
 }
 
-function printProfileSetupSuccess(profileName: string, authType: 'webhook' | 'oauth'): void {
+function printProfileSetupSuccess(profileName: string, authType: 'webhook' | 'oauth', readOnly?: boolean): void {
   const typeLabel = authType.charAt(0).toUpperCase() + authType.slice(1);
   console.log(`\nSuccess! ${typeLabel} profile "${profileName}" configured.`);
+  if (readOnly) {
+    console.log(`   Access: read-only`);
+  }
   console.log(`   Test with: agentio gchat send --profile ${profileName} "Hello from agentio"`);
 }
 
-async function setupWebhookProfile(profileName: string): Promise<void> {
+async function setupWebhookProfile(profileName: string, readOnly?: boolean): Promise<void> {
   console.error('Webhook Setup\n');
   console.error('1. In Google Chat, find or create a space');
   console.error('2. Go to Space Settings → Webhooks');
@@ -264,13 +270,13 @@ async function setupWebhookProfile(profileName: string): Promise<void> {
     webhookUrl: webhookUrl,
   };
 
-  await setProfile('gchat', profileName);
+  await setProfile('gchat', profileName, { readOnly });
   await setCredentials('gchat', profileName, credentials);
 
-  printProfileSetupSuccess(profileName, 'webhook');
+  printProfileSetupSuccess(profileName, 'webhook', readOnly);
 }
 
-async function setupOAuthProfile(profileNameOverride?: string): Promise<void> {
+async function setupOAuthProfile(profileNameOverride?: string, readOnly?: boolean): Promise<void> {
   console.error('OAuth Setup\n');
   console.error('Starting OAuth flow for Google Chat profile...\n');
 
@@ -320,8 +326,8 @@ async function setupOAuthProfile(profileNameOverride?: string): Promise<void> {
     email: userEmail,
   };
 
-  await setProfile('gchat', profileName);
+  await setProfile('gchat', profileName, { readOnly });
   await setCredentials('gchat', profileName, credentials);
 
-  printProfileSetupSuccess(profileName, 'oauth');
+  printProfileSetupSuccess(profileName, 'oauth', readOnly);
 }

src/commands/gdocs.ts

@@ -11,6 +11,7 @@ import { GDocsClient } from '../services/gdocs/client';
 import { printGDocsList, printGDocCreated, raw } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { readStdin } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GDocsCredentials } from '../types/gdocs';
 
 const getGDocsClient = createClientGetter<GDocsCredentials, GDocsClient>({
@@ -77,7 +78,8 @@ export function registerGDocsCommands(program: Command): void {
           throw new CliError('INVALID_PARAMS', 'No content provided', 'Provide --content or pipe markdown via stdin');
         }
 
-        const { client } = await getGDocsClient(options.profile);
+        const { client, profile } = await getGDocsClient(options.profile);
+        await enforceWriteAccess('gdocs', profile, 'create document');
         const result = await client.create(options.title, content, options.folder);
 
         printGDocCreated(result);
@@ -138,6 +140,7 @@ Query Syntax Examples:
     .command('add')
     .description('Add a new Google Docs profile')
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Starting OAuth flow for Google Docs...\n');
@@ -174,11 +177,14 @@ Query Syntax Examples:
           email: userEmail,
         };
 
-        await setProfile('gdocs', profileName);
+        await setProfile('gdocs', profileName, { readOnly: options.readOnly });
         await setCredentials('gdocs', profileName, credentials);
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${userEmail}`);
+        if (options.readOnly) {
+          console.log(`   Access: read-only`);
+        }
         console.log(`   Test with: agentio gdocs list --profile ${profileName}`);
       } catch (error) {
         handleError(error);

src/commands/gdrive.ts

@@ -10,6 +10,7 @@ import { GDriveClient } from '../services/gdrive/client';
 import { printGDriveFileList, printGDriveFile, printGDriveDownloaded, printGDriveUploaded } from '../utils/output';
 import { CliError, handleError } from '../utils/errors';
 import { prompt } from '../utils/stdin';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GDriveCredentials, GDriveAccessLevel } from '../types/gdrive';
 
 const getGDriveClient = createClientGetter<GDriveCredentials, GDriveClient>({
@@ -189,7 +190,8 @@ Examples:
 `)
     .action(async (filePath: string, options) => {
       try {
-        const { client } = await getGDriveClient(options.profile);
+        const { client, profile } = await getGDriveClient(options.profile);
+        await enforceWriteAccess('gdrive', profile, 'upload file');
         const result = await client.upload({
           filePath,
           name: options.name,
@@ -220,6 +222,7 @@ Examples:
     .option('--profile <name>', 'Profile name (auto-detected from email if not provided)')
     .option('--readonly', 'Create a read-only profile (skip access level prompt)')
     .option('--full', 'Create a full access profile (skip access level prompt)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('Google Drive Setup\n');
@@ -274,12 +277,15 @@ Examples:
           accessLevel,
         };
 
-        await setProfile('gdrive', profileName);
+        await setProfile('gdrive', profileName, { readOnly: options.readOnly });
         await setCredentials('gdrive', profileName, credentials);
 
         console.log(`\nSuccess! Profile "${profileName}" configured.`);
         console.log(`   Email: ${userEmail}`);
-        console.log(`   Access: ${accessLevel === 'full' ? 'Full (read & write)' : 'Read-only'}`);
+        console.log(`   API Access: ${accessLevel === 'full' ? 'Full (read & write)' : 'Read-only'}`);
+        if (options.readOnly) {
+          console.log(`   Profile Access: read-only`);
+        }
         console.log(`   Test with: agentio gdrive list --profile ${profileName}`);
       } catch (error) {
         handleError(error);

src/commands/github.ts

@@ -7,6 +7,7 @@ import { GitHubClient } from '../services/github/client';
 import { performGitHubOAuthFlow } from '../auth/github-oauth';
 import { generateExportData } from './config';
 import { CliError, handleError } from '../utils/errors';
+import { enforceWriteAccess } from '../utils/read-only';
 import type { GitHubCredentials } from '../types/github';
 
 const getGitHubClient = createClientGetter<GitHubCredentials, GitHubClient>({
@@ -42,6 +43,7 @@ export function registerGitHubCommands(program: Command): void {
         parseRepo(repo);
 
         const { client, profile } = await getGitHubClient(options.profile);
+        await enforceWriteAccess('github', profile, 'install secrets');
 
         console.error(`Using GitHub profile: ${profile}`);
         console.error(`Installing secrets to: ${repo}`);
@@ -77,6 +79,7 @@ export function registerGitHubCommands(program: Command): void {
         parseRepo(repo);
 
         const { client, profile } = await getGitHubClient(options.profile);
+        await enforceWriteAccess('github', profile, 'uninstall secrets');
 
         console.error(`Using GitHub profile: ${profile}`);
         console.error(`Removing secrets from: ${repo}`);
@@ -105,6 +108,7 @@ export function registerGitHubCommands(program: Command): void {
     .command('add')
     .description('Add a new GitHub profile')
     .option('--profile <name>', 'Profile name (auto-detected from username if not provided)')
+    .option('--read-only', 'Create as read-only profile (blocks write operations)')
     .action(async (options) => {
       try {
         console.error('\nGitHub Setup\n');
@@ -133,10 +137,13 @@ export function registerGitHubCommands(program: Command): void {
         console.error(`\nAuthenticated as: ${user.login}${user.email ? ` (${user.email})` : ''}`);
 
         // Save credentials
-        await setProfile('github', profileName);
+        await setProfile('github', profileName, { readOnly: options.readOnly });
         await setCredentials('github', profileName, credentials);
 
         console.log(`\nProfile "${profileName}" configured!`);
+        if (options.readOnly) {
+          console.log(`  Access: read-only`);
+        }
         console.log(`  Install secrets: agentio github install owner/repo --profile ${profileName}`);
       } catch (error) {
         handleError(error);