potiuk opened a new pull request, #465: URL: https://github.com/apache/airflow-steward/pull/465
## What

Make `oauth_curl` (the oauth-draft backend) the strongly-preferred Gmail drafting backend across the framework, and document a privacy regression in the claude.ai Gmail MCP.

## Why

As of **2026-06-05**, the claude.ai Gmail MCP `create_draft` tool silently rewrites every bare URL in the draft body into a Google tracking-redirect wrapper:

```
https://www.google.com/url?q=<original-url>&source=gmail&ust=<ts>&sa=E
```

The rewrite is baked into the **stored** draft MIME (both `text/plain` and `text/html` — confirmed via `drafts.get?format=raw`), so a sent message carries the redirect, not the canonical link. This:

- leaks click metadata (recipient, link, time) to a third party on security-sensitive correspondence;
- corrupts reporter-facing **paste-ready blocks** (an ASF-security relay would paste a `google.com/url?q=...` redirect onto a public GHSA advisory);
- mangles CVE-record / advisory / PR links that must reach recipients verbatim.

`oauth_curl` builds its own RFC822 MIME and preserves URLs verbatim, so it is now the preferred backend for **all** drafting.

## Changes

- `tools/gmail/draft-backends.md`: flip the recommendation; add a "Privacy warning" section; rewrite "Why oauth_curl is preferred" and the backend-selection logic.
- Cross-references made consistent: `operations.md`, `threading.md`, `tool.md`, `oauth-draft/README.md`.
- Skills: `security-issue-sync` (apply-and-push / gather / signals-to-actions), `security-issue-import`, `security-issue-invalidate`, `security-cve-allocate` — flip "default = MCP" to "preferred = oauth_curl; MCP discouraged".

Docs-only. doctoc / markdownlint / typos / skill-validate pass; new anchors verified with lychee.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
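Added example (not part of the PR or of the airflow-steward code): a check that parses the decoded raw MIME of a stored draft and reports every Google redirect wrapper found in its `text/plain` and `text/html` parts, together with the original link recovered from `q=`. The sample draft, the `example.org` URL, the `ust` value and all function names are constructed for illustration.

```python
import email
import html
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

# Wrapper form quoted in the PR description above.
WRAPPER = re.compile(r"https://www\.google\.com/url\?[^\s\"'<>]+")

def find_wrapped_urls(raw_mime: bytes):
    """Return (content_type, wrapper, original) for each wrapped link found."""
    msg = email.message_from_bytes(raw_mime, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        # get_content() undoes quoted-printable/base64, so a URL split by
        # soft line breaks in the stored MIME is still matched as one string.
        body = part.get_content()
        if ctype == "text/html":
            body = html.unescape(body)  # &amp; -> & inside href values
        for m in WRAPPER.finditer(body):
            q = parse_qs(urlsplit(m.group(0)).query).get("q")
            if q:
                findings.append((ctype, m.group(0), q[0]))
    return findings

def build_sample(link: str) -> bytes:
    """Constructed two-part draft (text/plain + text/html) carrying one link."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample draft"
    msg.set_content(f"Advisory link: {link}\n")
    msg.add_alternative(
        f'<p><a href="{html.escape(link)}">advisory</a></p>', subtype="html")
    return msg.as_bytes()

ORIGINAL = "https://example.org/advisory/1"  # constructed placeholder URL
WRAPPED = f"https://www.google.com/url?q={ORIGINAL}&source=gmail&ust=1700000000&sa=E"

if __name__ == "__main__":
    for ctype, wrapper, original in find_wrapped_urls(build_sample(WRAPPED)):
        print(f"{ctype}: {wrapper} -> {original}")
    print("clean draft findings:", find_wrapped_urls(build_sample(ORIGINAL)))
```

Matching on the decoded part bodies rather than on the raw bytes matters because long URLs are usually stored with a transfer encoding that breaks them across lines.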
