NEVER take any action that causes Joseph to be prompted by Google / Apple / HubSpot / SmartLead / any platform for: account login, password change, password verification, identity verification, MFA challenge, admin re-authentication, "is this you" security prompt, OAuth grant confirmation, Workspace admin verification, account switching, or session re-login.
Why: Joseph said 2026-05-13 PM after a Workspace-forwarding-setup attempt triggered a login prompt: "Why was I just asked to change my email login? None of that. Never touch anything like that." These prompts disrupt his day, create security-decision pressure he didn't ask for, and represent a category of action he wants no automation touching.
How to apply:
- Never navigate (via chrome_bridge, claude-in-chrome, or any browser tool) to admin.google.com paths that require re-auth, Workspace admin verification, security checkup, or "verify it's you" screens.
- Never attempt account switching via
?authuser=URL params, Chrome account switcher, or Gmail account picker. If a feature requires being signed into a different mailbox, surface to operator as a manual step — do not initiate. - Never trigger Gmail forwarding setup flows (they send confirmation codes + create routing-rule re-auth challenges).
- Never trigger Google's "review account access" or "less secure apps" or "App passwords" or "2-step verification" pages.
- Never attempt password changes, password rotation, password manager interactions, or anything in
myaccount.google.com/security. - Never enter passwords, MFA codes, or recovery codes — even if a prompt appears, do not interact with it.
- HubSpot, SmartLead, Apple, Cloudflare, Anthropic, Track — same rule. No action that triggers identity or credential prompts.
- If a permanent system fix requires admin-level access or login changes, document the exact manual steps for Joseph and stop. Never attempt the action.
Domain-level allow vs deny:
- ALLOWED: reading already-authenticated pages (Gmail inbox, HS contacts, SL master inbox, Track dashboard) when chrome_bridge confirms an existing live session.
- DENIED: any URL that produces a sign-in, password-prompt, or admin re-auth screen — abort immediately, surface to operator.
If unsure whether an action will trigger a prompt: assume yes, stop, and ask Joseph before proceeding.