Cowork setup

The Cowork operating layer.

Cowork is where the daily ops happen. Connectors talk to 12 categories of tools. 8 scheduled tasks fire while Vlad's away from the keyboard. This page is the public-safe version of that — task shapes, connector categories, service names — never workspace IDs, contacts, or account-level data.

Why this is sanitized

Cowork's local app data contains live OAuth tokens, channel IDs, mentee names, deal names, customer emails, vault paths. Surfacing any of that is one screenshot from a leak. This page works backwards instead — it shows the shape of the setup, derived from Vlad's published chapters (Ch 7, Ch 12, Ch 24). Same teaching value, zero surface area.

12 categories · 23 services · 8 scheduled tasks · $0 manual triage

A Cowork day, in shape

What fires when. Most of these run without Vlad opening Cowork. The Slack channel is the consumer.

  1. 6:30 AM
    Morning briefing fires
    → Slack DM lands while coffee brews
  2. 7:30 AM
    Pipeline ticker
    → What moved overnight in the funnel
  3. 8:00 AM
    Read briefing on phone
    → Decisions for the day, before tabs open
  4. ~30 min before
    Pre-meeting prep auto-runs
    → Attendee context, open threads, agenda
  5. 5:00 PM ET
    Deal-advancement alerts
    → Slack canvas to leadership channel
  6. 7:00 PM
    End-of-day vault sync
    → Tomorrow's instance starts smart
  7. Friday 4 PM
    Friday wrap-up cross-system synthesis
    → Saturday-morning canvas
  8. Monday 9 AM
    Process-mining scan
    → Candidate skills for next week

Connectors by category

Twelve categories. One source of truth per category. Read-only by default; write-access only where a workflow demands it. The S/A/B tags mirror the chapter 24 taxonomy.

Filesystem & storage
  • Filesystem S read-write
    The agent's hands. Without it, none of the rest matters.
  • Google Drive A read
    Read-only first; expand only when the workflow needs write.
Communication
  • Slack S read-write
    Read everything; writes go through a confirmation step.
  • Gmail / Outlook A read
    Inbox = highest-ROI connector after filesystem.
Sales & CRM
  • HubSpot A read-write
    No autoclose without human-in-the-loop.
Billing & finance
  • Stripe A read
    MRR motion, dispute trends. Read-only.
Engineering
  • GitHub S read-write
  • Vercel B read
    Build logs, deploys, runtime errors.
  • Sentry B read
    Errors, stack traces, regression context.
Data & analytics
  • Postgres / Supabase A read
    Warehouse-shape SQL on demand.
  • Ahrefs B read
    Keyword + backlink data inline.
  • Google Search Console B read
Marketing
  • Customer.io B read
    Pulling segments + campaign analytics through Claude.
  • Klaviyo B read
Voice & AV
  • ElevenLabs A read-write
    Output voice — no second place.
  • Whisper B read
    Voice-to-text. Solid. Mostly invisible.
Calendar
  • Google Calendar A read
    Half the questions need calendar context.
Meeting transcripts
  • Fireflies B read
    Pick ONE transcriber, not three.
  • Granola B read
  • Gong B read
Knowledge & vault
  • Notion A read
    Read-only at minimum for teams that live in Notion.
  • Obsidian (community connector) A read-write
    Where the second brain lives.
Browser & web
  • Playwright B read-write
    Lock down the agent's allowlist tightly.

Ten connector deep-dives

The Cowork stack lives or dies on its connector list. Ten of the fifteen services wired across the categories carry the load. Each one is written for an operator who is about to wire their own and wants the failure mode in advance.

Reference voice: chapter 12. Pattern: one CRM, one inbox, one calendar, one knowledge store per company — no duplicates. Read-only first, expand when a workflow demands it.

filesystem

S read-write
tier S · load-bearing
What Vlad wires through it

The agent's hands. Every vault read, every skill write, every plan file lives here. End-of-day vault sync (7 PM) reads what shipped today and writes back so tomorrow's instance starts smart. Process-mining scan (Monday 9 AM) writes candidate-skill files. Without filesystem, none of the other connectors compose — Slack output has nowhere to land, Gong transcripts have nowhere to cache.

.mcp.json / Cowork config
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/vlad/Vlad-Brain",
        "/Users/vlad/Desktop/AI Products"
      ]
    }
  }
}
The security gotcha

Filesystem scope is the entire blast radius of the agent. Point it at / and an agent that goes wrong can rm -rf your laptop — point it at one vault and one project root and the worst case is a noisy git diff. Two explicit paths, never the home directory.

When NOT to wire this · Never not. But never wire it at ~/ — always at the narrowest folder the workflow actually needs.

Cross-link · Ch 12 (transport: stdio), Ch 9 (don't get owned — filesystem is the most-abused vector in compromised agents).

slack

S read-write
tier S · load-bearing
What Vlad wires through it

Output channel for everything. Morning briefing (7:30 AM weekdays) lands as a DM. Deal-advancement alerts (5 PM ET) post to the leadership canvas. Friday wrap-up cross-system synthesis lands as a Saturday-morning canvas. Reads everything — channels, threads, DMs — for context. Writes go through a confirmation step, because an agent that posts to #general without a gate is one bad cron away from a Monday-morning HR conversation.

.mcp.json / Cowork config
{
  "mcpServers": {
    "slack": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-slack"],
      "env": {
        "SLACK_BOT_TOKEN": "xoxb-***",
        "SLACK_TEAM_ID": "T***",
        "SLACK_CHANNEL_IDS": "C0123,C0456"
      }
    }
  }
}
The security gotcha

chat:write lets the agent post as the bot user in any channel it has been invited to. Restrict the bot's channel membership at the Slack-admin layer, not at the prompt layer — prompts are advisory, channel ACLs are enforced.

When NOT to wire this · Agencies and shared workspaces where one wrong message blows up client trust. Stay read-only and use a separate webhook for outbound.

Cross-link · Ch 12 (Communication category), Ch 7 (scheduled tasks all terminate at Slack).

gmail

A read
tier A · high-value
What Vlad wires through it

Inbox = highest-ROI connector after filesystem. Morning briefing pulls overnight thread context. Pre-meeting prep (30 min before each meeting) pulls last interaction with the attendees. Cross-references HubSpot contact email to build deal summaries — the inbox-CRM join is where most "what's going on with this account" questions actually get answered.

.mcp.json / Cowork config
{
  "mcpServers": {
    "gmail": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-gmail"],
      "env": {
        "GMAIL_OAUTH_CLIENT_ID": "***.apps.googleusercontent.com",
        "GMAIL_OAUTH_CLIENT_SECRET": "***",
        "GMAIL_OAUTH_SCOPES": "gmail.readonly,gmail.labels"
      }
    }
  }
}
The security gotcha

gmail.send means the agent can email anyone in your contact graph as you — including your investors, your bank, and your in-laws. Gate sends with a hook that requires explicit human confirmation per message, or stay on gmail.readonly and draft-only via the Drafts API. Never grant full mailbox scope on a fresh setup.

When NOT to wire this · Until you have a confirmation hook tested in a sandbox account. Sent emails do not unsend.

Cross-link · Ch 12 (OAuth scopes section), Ch 9 (impersonation risk).

hubspot

A read-write
tier A · high-value
What Vlad wires through it

Sales pipeline ticker (9 AM weekdays) pulls overnight deal motion — what advanced, what stalled, what went dark. Deal-advancement alerts (5 PM) read stage changes since 5 PM yesterday and write one paragraph each, "why this matters," back to a leadership Slack canvas. Writes are scoped to notes and tasks — never deal-stage changes, never close-won, never amount edits.

.mcp.json / Cowork config
{
  "mcpServers": {
    "hubspot": {
      "command": "npx",
      "args": ["-y", "@hubspot/mcp-server"],
      "env": {
        "HUBSPOT_ACCESS_TOKEN": "pat-na1-***",
        "HUBSPOT_ALLOWED_OPERATIONS": "deals.read,contacts.read,notes.write,tasks.write"
      }
    }
  }
}
The security gotcha

deals.write means the agent can shift a deal to Closed-Won, which fires commission calculations, attribution reports, and downstream notifications. No autoclose without human-in-the-loop. Whitelist write operations explicitly — notes and tasks are safe, stage and amount are not.

When NOT to wire this · Anywhere commission or forecasting depends on stage accuracy. Read-only until you have a smoke-eval suite for every write path.

Cross-link · Ch 12 (Sales and CRM), Ch 7 (pipeline ticker).

stripe

A read
tier A · high-value
What Vlad wires through it

Folderly's MRR motion, dispute trends, churn signals. "What was MRR last week" returns a real number, not a vibe. Friday wrap-up pulls week-over-week revenue delta for the Saturday-morning canvas. Read-only, full stop — billing is the one place where a hallucinated tool call has direct cash-impact downside.

.mcp.json / Cowork config
{
  "mcpServers": {
    "stripe": {
      "command": "npx",
      "args": ["-y", "@stripe/mcp-server"],
      "env": {
        "STRIPE_API_KEY": "rk_live_***",
        "STRIPE_MODE": "read-only"
      }
    }
  }
}
The security gotcha

Use a restricted key (rk_live_*) with read-only resource scopes — never a secret key (sk_live_*). Stripe MCP blocks webhook and event endpoints by default, but a full secret key gives the agent refund + payout authority. One bad agent call against a sk_live_* key is a real-money incident.

When NOT to wire this · Always. Charges, refunds, payouts — keep them in a separate human-only surface. The agent reads; humans transact.

Cross-link · Ch 12 (Billing and finance), feedback_stripe_mcp_capability_matrix.md for what MCP exposes vs. blocks.

github

S read-write
tier S · load-bearing
What Vlad wires through it

Hourly Sentry watcher fires Codex-style auto-PRs for non-trivial bugs — reviewed like junior-engineer work, never auto-merged. Friday wrap-up pulls repo health (open PRs, stale branches, failing builds) across every codebase. Reads issues for triage context, writes commits and PR descriptions through scoped fine-grained tokens.

.mcp.json / Cowork config
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_TOKEN": "github_pat_***",
        "GITHUB_ALLOWED_REPOS": "Belkins/linkagent,Belkins/folderly"
      }
    }
  }
}
The security gotcha

A classic ghp_* token has org-wide blast radius — any repo you can see, the agent can touch. Use a fine-grained PAT scoped to specific repos + specific permissions (contents:write, pull-requests:write, issues:write). Never give an agent admin:org or delete_repo. Branch protection on main is non-negotiable.

When NOT to wire this · Repos with auto-deploy on push and no human review gate. The combination of agent-writes + auto-deploy is how production goes down on a Sunday.

Cross-link · Ch 12 (Engineering), Ch 7 (Sentry watcher cron).

google calendar

A read
tier A · high-value
What Vlad wires through it

Half the questions an agent gets need calendar context — "when am I free Thursday," "who am I meeting with at 2," "what's on the day shape." Morning briefing pulls today + tomorrow. Pre-meeting prep (30 min before each meeting) joins the attendee list against HubSpot contacts and Gmail thread history. Read-only is enough for 95% of workflows — time-block suggestions get drafted, not booked.

.mcp.json / Cowork config
{
  "mcpServers": {
    "gcal": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-google-calendar"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "***.apps.googleusercontent.com",
        "GOOGLE_OAUTH_CLIENT_SECRET": "***",
        "GOOGLE_OAUTH_SCOPES": "calendar.readonly,calendar.events.readonly"
      }
    }
  }
}
The security gotcha

calendar.events write scope lets the agent create, modify, and delete events — including dialing into other people's meetings as a guest. An agent that misparses a reschedule and deletes a board meeting is a real story. Stay on calendar.readonly until you have a confirmed write workflow.

When NOT to wire this · Calendars that include external attendees. Internal-only calendars are a safer first write target.

Cross-link · Ch 12 (Calendar and scheduling), Ch 7 (pre-meeting prep event trigger).

notion

A read
tier A · high-value
What Vlad wires through it

Newsletter canonical store — everything else is a mirror. Vault sync (7 PM) doesn't write to Notion directly; it writes to the Obsidian vault, and Notion stays the human-curated surface. Reads page content, database queries, and comments to ground responses in the team's actual docs. For Belkins, Notion is read-only context; for the Newsletter, it's the source of truth.

.mcp.json / Cowork config
{
  "mcpServers": {
    "notion": {
      "command": "npx",
      "args": ["-y", "@notionhq/mcp-server"],
      "env": {
        "NOTION_INTEGRATION_TOKEN": "ntn_***",
        "NOTION_ALLOWED_DATABASES": "db-id-1,db-id-2"
      }
    }
  }
}
The security gotcha

A Notion integration token grants access to every page the integration is connected to — and "connected to" is set page-by-page in the Notion UI, not in your .mcp.json. Audit which pages the integration sees inside Notion itself; a misconfigured share extends the agent's read scope to every child page, including HR docs and legal templates.

When NOT to wire this · Teams where doc structure has political meaning. An agent that reorganizes a wiki without consent loses trust fast.

Cross-link · Ch 12 (Vault and knowledge), obsidian_vault_reference.md for the mirror pattern.

gong

B read
tier B · situational
What Vlad wires through it

Call transcript ingestion for deal summaries and follow-up drafts. Sales pipeline ticker joins Gong transcripts to HubSpot deal state — "deal advanced, here's the moment in the call that moved it." Pre-meeting prep pulls the last call transcript with the same buyer so the next conversation doesn't repeat ground. Pick ONE transcriber — Gong, Fireflies, or Granola — not three. The agent gets confused when the same call appears in two systems with two summaries.

.mcp.json / Cowork config
{
  "mcpServers": {
    "gong": {
      "command": "npx",
      "args": ["-y", "@gong/mcp-server"],
      "env": {
        "GONG_ACCESS_KEY": "***",
        "GONG_ACCESS_KEY_SECRET": "***",
        "GONG_ALLOWED_OPERATIONS": "calls.read,transcripts.read"
      }
    }
  }
}
The security gotcha

Gong transcripts contain customer PII, pricing discussions, and competitive intel. The MCP server returns full transcript text — anything that hits the agent's context window is now in your AI vendor's logs. Confirm your AI vendor's data retention policy before wiring Gong, and never pipe transcripts through a third-party model proxy.

When NOT to wire this · Regulated industries (healthcare, finance) where call recordings have explicit retention rules. The compliance overhead outweighs the agent uplift.

Cross-link · Ch 12 (Meeting transcripts — pick ONE), Ch 7 (deal-advancement alerts).

ahrefs

B read
tier B · situational
What Vlad wires through it

Newsletter SEO motion. Keyword volume checks inline ("does this title have search demand"), backlink data for outreach targeting, competitor organic-keyword overlap for editorial planning. Friday wrap-up pulls week-over-week SEO movement across vladsnewsletter.com. Read-only by definition — Ahrefs doesn't expose write endpoints.

.mcp.json / Cowork config
{
  "mcpServers": {
    "ahrefs": {
      "command": "npx",
      "args": ["-y", "@ahrefs/mcp-server"],
      "env": {
        "AHREFS_API_TOKEN": "***",
        "AHREFS_DEFAULT_TARGET": "vladsnewsletter.com"
      }
    }
  }
}
The security gotcha

API units burn fast. A single keywords-explorer-overview call costs ~50 units minimum; a serp-overview is variable; site-explorer-organic-keywords starts at 25 and scales. An agent in a loop hits the monthly quota before you notice. Preflight every batch with a subscription-info-limits-and-usage check — the ahrefs-budget-check skill exists for exactly this.

When NOT to wire this · Companies without organic SEO motion. The unit cost isn't worth the marginal value if no one acts on the data.

Cross-link · Ch 12 (Data and analytics), ahrefs-budget-check skill.

Wiring order

If you're starting fresh, wire in this order: filesystem, slack, gmail, calendar, hubspot, github, stripe, notion, gong, ahrefs. The first four cover 80% of daily-driver use. The next three add operating context. The last three are situational — wire them only when a real workflow demands it. One source of truth per category. No duplicates.
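
The security gotchas in the deep-dives above can be checked mechanically before a config is loaded. The following is an added example, not code from Cowork or from the page's author: a Python audit over an .mcp.json-shaped dict that flags over-broad filesystem roots, sk_live_ and ghp_ credentials, OAuth scopes outside the read-only set, and HubSpot write operations beyond notes and tasks. It assumes servers are keyed by the names used in the snippets above and that the env variable names match them; both sample configs are constructed with placeholder values.

```python
import json
import re

# Read-only scopes and safe write operations, taken from the page's configs.
READ_ONLY_SCOPES = {"gmail.readonly", "gmail.labels",
                    "calendar.readonly", "calendar.events.readonly"}
SAFE_HUBSPOT_WRITES = {"notes.write", "tasks.write"}
HOME_ROOT = re.compile(r"^/(Users|home)/[^/]+$")

def too_broad(path):
    """True for /, ~, $HOME, or a bare home directory such as /Users/name."""
    p = path.rstrip("/") or "/"
    return p in {"/", "~", "$HOME", "/root", "/Users", "/home"} or bool(HOME_ROOT.match(p))

def split_csv(env, key):
    return [s.strip() for s in env.get(key, "").split(",") if s.strip()]

def audit(config):
    """Return sorted (server, finding) tuples; an empty list means no findings."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        env = server.get("env", {})
        if name == "filesystem":
            # Positional path arguments are the directories the server exposes.
            for arg in server.get("args", []):
                if arg.startswith(("/", "~", "$")) and too_broad(arg):
                    findings.append((name, f"filesystem root too broad: {arg}"))
        if env.get("STRIPE_API_KEY", "").startswith("sk_live_"):
            findings.append((name, "secret key; use a restricted rk_live_ key"))
        if env.get("GITHUB_TOKEN", "").startswith("ghp_"):
            findings.append((name, "classic token; use a fine-grained github_pat_"))
        for key in ("GMAIL_OAUTH_SCOPES", "GOOGLE_OAUTH_SCOPES"):
            for scope in split_csv(env, key):
                if scope not in READ_ONLY_SCOPES:
                    findings.append((name, f"scope beyond read-only set: {scope}"))
        for op in split_csv(env, "HUBSPOT_ALLOWED_OPERATIONS"):
            if op.endswith(".write") and op not in SAFE_HUBSPOT_WRITES:
                findings.append((name, f"write operation not allowlisted: {op}"))
    return sorted(findings)

# Constructed sample: the risky settings the page warns about, placeholder values.
RISKY_CONFIG = json.loads("""
{"mcpServers": {
  "filesystem": {"command": "npx", "args": ["-y",
      "@modelcontextprotocol/server-filesystem", "/Users/example", "/"]},
  "stripe":  {"env": {"STRIPE_API_KEY": "sk_live_***"}},
  "github":  {"env": {"GITHUB_TOKEN": "ghp_***"}},
  "gmail":   {"env": {"GMAIL_OAUTH_SCOPES": "gmail.readonly,gmail.send"}},
  "gcal":    {"env": {"GOOGLE_OAUTH_SCOPES": "calendar.readonly,calendar.events"}},
  "hubspot": {"env": {"HUBSPOT_ALLOWED_OPERATIONS":
      "deals.read,deals.write,notes.write,tasks.write"}}
}}
""")

# Constructed sample: the narrow settings shown in the page's own snippets.
NARROW_CONFIG = json.loads("""
{"mcpServers": {
  "filesystem": {"command": "npx", "args": ["-y",
      "@modelcontextprotocol/server-filesystem",
      "/Users/vlad/Vlad-Brain", "/Users/vlad/Desktop/AI Products"]},
  "stripe":  {"env": {"STRIPE_API_KEY": "rk_live_***"}},
  "github":  {"env": {"GITHUB_TOKEN": "github_pat_***"}},
  "gmail":   {"env": {"GMAIL_OAUTH_SCOPES": "gmail.readonly,gmail.labels"}},
  "gcal":    {"env": {"GOOGLE_OAUTH_SCOPES":
      "calendar.readonly,calendar.events.readonly"}},
  "hubspot": {"env": {"HUBSPOT_ALLOWED_OPERATIONS":
      "deals.read,contacts.read,notes.write,tasks.write"}}
}}
""")

if __name__ == "__main__":
    for server, finding in audit(RISKY_CONFIG):
        print(f"{server}: {finding}")
```

Run it as a pre-commit or pre-launch check; a non-empty result is the signal to stop and narrow the config before the agent starts.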

Scheduled tasks

Cron expression on the left, task on the right. None of these names a deal, person, channel, or workspace. The shape is portable — copy any pattern, swap your own inputs, ship.

30 7 * * 1-5
Daily 7:30 AM weekdays
briefing
Morning briefing

Calendar, overnight Slack, portfolio metrics. Lands as a Slack DM by the time the coffee is poured.

→ delivers as Slack DM

0 9 * * 1-5
Daily 9 AM weekdays
briefing
Sales pipeline ticker

Overnight HubSpot motion + recent call notes — what advanced, what stalled, what went dark.

→ delivers as Slack DM

0 17 * * 1-5
Daily 5 PM ET weekdays
alert
Deal-advancement alerts

Stage changes since 5 PM yesterday. One paragraph each, "why this matters."

→ delivers as Slack DM + leadership canvas

0 19 * * *
Daily 7 PM
sync
Vault sync

Reads what shipped today, writes back to the vault so tomorrow's instance starts smarter.

→ delivers as Vault file

0 16 * * 5
Friday 4 PM
wrap
Friday wrap-up

Cross-system synthesis — pipeline, revenue, SEO, leadership signal, Monday priorities.

→ delivers as Slack canvas

0 9 * * 1
Monday 9 AM
meta
Process-mining scan

Looks at last week's activity for repeating workflows that should become skills.

→ delivers as Vault file + Slack summary

0 * * * *
Hourly
alert
Sentry watcher

Codex-style — opens auto-PRs for non-trivial bugs. Reviewed like junior-engineer work.

→ delivers as GitHub PRs + Slack #ops

event
30 min before each meeting
meeting
Pre-meeting prep

Attendees, last interaction, open threads, suggested agenda. Walk into every call already loaded.

→ delivers as Slack DM + vault file

10 specific workflows

Concrete scenes — what fired, what landed, what would have been lost without it. Time-stamps are real; numbers are real; channel names are not. Read these as patterns to copy, not configs to clone.

06:30 Tuesday

The morning brief

Coffee hot. dog unimpressed. cron fires at 06:30. instance pulls HubSpot deal motion from the last 12 hours, Gong call signals from yesterday's three sales calls, and Google Calendar conflicts before noon. synthesizes into 420 words, lands as a single Slack DM in #ops. by 06:47 I've read it on my phone, in bed, and I know which of yesterday's $48K deals needs a nudge before stand-up.

Without Cowork: open six tabs, copy four numbers into my head, lose half of them by tab seven. 25 minutes before first decision.

4:02 AM ET

The deal-quiet alert

event-triggered, not cron. HubSpot connector notices a stage-3 deal worth $62K has had zero activity for 4 days, 6 hours. fires an alert into Slack with the last touch summary, the AE owner, and a suggested re-engage line lifted from the previous winning thread. AE sees it before the standup. deal moved to stage 4 by EOD.

Without Cowork: dead deal noticed at Friday pipeline review, three days too late, after the buyer's already gone cold.

Friday 16:00

The wrap-up aggregator

one cron, five companies. pulls Stripe MRR deltas, HubSpot pipeline movement, GitHub shipped PRs, Slack leadership signal, and Google Calendar archaeology across the week. runtime: 28 minutes. output: a 412-word Slack canvas in the leadership channel by 16:30 Friday. COO reads it Saturday morning over breakfast. I read it Sunday from a beach. Monday priorities are pre-ranked.

Without Cowork: three hours of Friday-afternoon ritual, half the week unremembered by Sunday, no one else has the synthesis until Monday standup.

Thursday 17:45

The post-call debrief

sales call ends 17:30. Gong webhook fires. instance reads the transcript, strips the politeness layer, returns three lines: the actual objection (price, not features), the actual ask (a 60-day pilot, not the annual), the actual blocker (their CFO, who wasn't on the call). lands in Slack DM at 17:45. AE re-frames the follow-up before they close their laptop. 240 words in, 60 words out.

Without Cowork: the AE writes a summary from memory two days later, anchors on what they wanted to hear, ships the wrong follow-up.

Monday 10:00

The mentee pre-session prep

24 hours before a paid mentoring call. instance pulls the last session's notes from Obsidian, scans WhatsApp for inbound async messages since, and grabs one metric the mentee committed to (placements count, MRR, hire status). produces a 1-page Obsidian note: what they said they'd do, what they actually did, the one question to open with. 7 minutes of prep instead of a Monday evening.

Without Cowork: 45 minutes of scrolling vault files and WhatsApp, half of it forgotten by call time anyway.

Sunday 19:00

The newsletter idea harvester

weekly cron, Sunday evening. instance skims 7 days of Obsidian vault notes via the community connector, scores recurring themes against the last 12 newsletter issues for novelty. surfaces the top 3 candidate angles for next Tuesday's issue — each with a hook line, a number that anchors it, and the chapter or memo it traces back to. lands as a vault file. I pick one by Monday morning.

Without Cowork: blank-page panic at 09:00 Tuesday, two hours of grasping, ship the third-best idea because it was the one I could remember.

First Monday 08:00

The board-update generator

monthly cron. pulls Stripe MRR plus delta vs prior month, HubSpot pipeline weighted forecast, GitHub shipped feature count, and headcount from the people-ops vault note. compresses into a 4-line update — MRR, pipeline, ship velocity, hire status. lands in a vault file at 08:00 first Monday of the month. I edit it for context for 6 minutes, paste into the board email, send by 09:00. used to be a 90-minute exercise.

Without Cowork: that monthly update slips by a week, board chair asks twice, the narrative ships under pressure instead of with care.

Wednesday 14:20

The customer-call truth extractor

customer success call ends 14:00. Fireflies transcript syncs at 14:15. instance reads it, strips hedging language, returns the no-politeness version: what the customer actually likes (one feature, not three), what they actually hate (the onboarding sequence, not the pricing), what they'll churn over (the missing Salesforce sync). 22-minute call collapses to 130 words. CSM acts on it the same day.

Without Cowork: the AE's optimistic recap goes into the CRM, the actual signal dies in the transcript no one re-reads.

Any time, T+8 min

The agent-stall watchdog

a background instance hits 8 minutes wall-clock. watchdog cron polls every minute; once the threshold trips, fires a Slack DM with the instance name, the last tool call, and a one-line "kill or wait" prompt. lessons learned the hard way — general-purpose agents stall right before writing the deliverable. 8 minutes is the empirical line; past it, recovery cost > restart cost.

Without Cowork: the agent dies at 14 minutes, I notice at 30, the deliverable is gone, the context is cold.

Daily 09:00

The CFO bill audit

daily cron reads the Anthropic API spend dashboard via the engineering connector layer. yesterday's burn against a $380 daily threshold. if over, the instance runs three checks — cache hit rate (target >70%), unattended headless runs in flight, eval gate pass rate. produces a 3-line Slack DM with the specific lever to pull. one Tuesday last month it caught a runaway swarm at $612 before lunch.

Without Cowork: the bill arrives at month-end, the swarm has been bleeding for 19 days, the CFO finds it before I do.

A note on what's missing

This page deliberately does not show: workspace IDs, OAuth scopes per integration, channel names, contact lists, deal pipelines, mentee names, account-level configurations, or any vault path beyond ~/Vault/. If the question is "which exact Slack channel does the morning briefing land in," the answer is "not on this page, by design." The book teaches the pattern; the pattern is enough.
