Curious about the security model here. Giving an agent access to SMS, contacts, and the ability to send email from my phone is a pretty large capability surface — what's the approval flow look like? Is it per-tool-call, per-session, or do you grant broad scopes up front? The MCP tool-use pattern where everything gets pre-approved feels risky for something like "send email," and I'd be interested to know how you're thinking about the difference between "agent reads my calendar" and "agent sends an email as me.
this is exactly where it gets tricky
once you give something the ability to send messages or trigger actions, it’s not just read access anymore, it’s execution on your behalf
it looks simple from the outside, but there’s usually a lot of hidden behavior underneath (routing, timing, provider handling, etc)
so the question becomes less about access and more about how controlled and observable that execution actually is
curious if you’re thinking about exposing that layer, or keeping it abstracted away