feat(oauth): drop Cloud Console setup; ship embedded verified client

[cpcloud]

Closes #89.
Closes #259.

What changed

• msgvault ships with an embedded, centrally-verified Google OAuth client. First-time setup no longer requires creating a Google Cloud project.
• BYO ([oauth] client_secrets) and named-app routing (--oauth-app NAME) remain as advanced fallbacks for Workspace orgs that block third-party apps, custom-quota needs, or fallback during the verification window.
• Service-account paths (Workspace domain-wide delegation) are unchanged.

Why

Forcing every user to create a Google Cloud project, enable the Gmail API, and configure an OAuth consent screen before they could sync any mail was the biggest onboarding wall — #89 documented users walking away at this step. Eliminating it makes msgvault usable by people who want to archive Gmail without learning Google's developer console.

Note on embedding OAuth credentials

The "client secret" for a desktop OAuth app isn't actually secret once the binary ships — anyone with the binary can extract it. Google says so directly in their OAuth 2.0 docs under "Installed applications": "The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)"

This PR uses the same hybrid pattern the GitHub CLI uses, where gh bakes its production oauthClientSecret directly into source under the comment // This value is safe to be embedded in version control. Source defaults live in internal/oauth/embedded.go; release builds override them via -X ldflags sourced from GitHub Actions Secrets.

How to use

msgvault init-db
msgvault add-account you@gmail.com   # opens browser; no other setup
msgvault sync-full you@gmail.com
msgvault tui

See README's "Advanced: bring your own OAuth client" for the BYO path. Full design in docs/superpowers/specs/2026-05-20-centralized-oauth-design.md.

Pre-merge checklist

Merge-blocking:

• Resolve internal/oauth/embedded.go TBD-* placeholder defaults: either bake in production credentials at source, or change to empty strings so source builds without ldflags fall back to BYO
• Create production Google Cloud project, configure OAuth consent screen (app name, privacy policy URL, logo, support email), and create a Desktop OAuth 2.0 client
• Add MSGVAULT_OAUTH_CLIENT_ID and MSGVAULT_OAUTH_CLIENT_SECRET to wesm/msgvault GitHub Actions Secrets (release builds now fail-fast if either is empty)
• Cut one release tag and smoke-test the artifact end-to-end on a fresh MSGVAULT_HOME: add-account → consent → sync-full --limit 5

Operational follow-ups (out of band, not merge-blocking but track separately):

• Submit the production OAuth client for Google verification (restricted scopes: gmail.readonly, gmail.modify, mail.google.com/)
• Plan a CASA Tier 2 assessment — required by Google for restricted scopes; the 100-grant lifetime cap on unverified restricted-scope clients applies from the first grant

[roborev-ci]

roborev: Combined Review (b2c83ff)

Medium: the PR has one blocking correctness issue around placeholder embedded OAuth credentials.

Medium

• internal/oauth/embedded.go:20 - The embedded OAuth defaults are non-empty "TBD-..." placeholders, so HasEmbeddedCredentials() treats them as valid. Source builds or local make build runs without injected env vars will fall through to embedded OAuth and attempt authentication with an invalid client, despite the quick start saying no OAuth setup is required.

  Fix: Replace the placeholders with real dev OAuth credentials before merging, or make HasEmbeddedCredentials() reject placeholder values and return an actionable BYO/configuration error.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (5a7e134)

Verdict: No medium, high, or critical findings were reported.

All reported issues were below medium severity, so there are no findings to include under the requested threshold.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (1093c73)

High severity issue found: module path mismatch will break the new resolver/build metadata.

High

• cmd/msgvault/cmd/oauth_resolve.go:6
  The new resolver imports go.kenn.io/msgvault/internal/..., but this repository’s module path is github.com/wesm/msgvault. The same mismatch is also reported in the new tests and Makefile ldflags, so the added code and local build metadata are not consistently targeting this module’s packages.
  Fix: Replace go.kenn.io/msgvault with github.com/wesm/msgvault in the new Go imports and Makefile -X paths.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (1093c73)

High-level verdict: changes need revision due to a module path mismatch that will break builds.

High

• cmd/msgvault/cmd/oauth_resolve.go:6 - The new resolver imports go.kenn.io/msgvault/internal/..., but this repository’s module path is github.com/wesm/msgvault. The same mismatch is also reported in the new tests and Makefile ldflags, so the added code and local build metadata are not consistently targeting this module’s packages.

  Fix: Replace go.kenn.io/msgvault with github.com/wesm/msgvault in the new Go imports and Makefile -X paths.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (670002f)

High-risk issues remain: OAuth build-time injection is inconsistent, one compile issue is reported, and default-token migration has a behavioral gap.

High

• internal/oauth/oauth.go

  • HasScope uses slices.Contains, but slices is not imported.
  • Fix: Add "slices" to the import block.

• .github/workflows/release.yml:64; Makefile:10-12,16-17

  • OAuth/version ldflags -X package paths are inconsistent between the release workflow and Makefile (github.com/wesm/msgvault/... vs go.kenn.io/msgvault/...). If the path does not match the actual built package path, release or local binaries may silently miss injected version metadata and embedded OAuth credentials.
  • Fix: Align all ldflags -X entries in both files to the actual module/package path used by the built package.

Medium

• cmd/msgvault/cmd/addaccount.go:200
  • add-account still skips TokenMatchesClient for the default OAuth binding because needsClientCheck is false when resolvedApp == "". A user with an existing BYO token who removes [oauth] client_secrets may be told the account is already authorized, leaving a token minted for the old client in place; later refresh can fail under the embedded client.
  • Fix: Require the client identity check when resolving through the embedded client, or whenever the active manager’s client ID may differ from the stored token.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (41ef2ee)

Summary verdict: Changes are not ready; module path mismatches will break imports and OAuth credential injection.

High

Inconsistent module path references

Locations: cmd/msgvault/cmd/oauth_resolve.go:8, cmd/msgvault/cmd/oauth_resolve_test.go:10, cmd/msgvault/cmd/addaccount_test.go:15, Makefile:14

The new OAuth resolver code, tests, and linker flags reference go.kenn.io/msgvault/..., but this repository’s module path is github.com/wesm/msgvault. This can cause compilation failures and prevents MSGVAULT_OAUTH_CLIENT_ID / MSGVAULT_OAUTH_CLIENT_SECRET from overriding embedded credentials during make build or make build-release.

Fix: Update all new module references to match go.mod:

github.com/wesm/msgvault/internal/config
github.com/wesm/msgvault/internal/oauth

And update the linker targets to:

github.com/wesm/msgvault/internal/oauth.oauthClientID
github.com/wesm/msgvault/internal/oauth.oauthClientSecret

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[mariusvniekerk]

refine-pr note: the latest roborev PR comment appears stale/incorrect. Current go.mod declares module go.kenn.io/msgvault, and the resolver imports plus Makefile ldflags now use go.kenn.io/msgvault/.... CI confirms this head builds/tests successfully, including nix-build, and the GitHub roborev status for 41ef2ee is passing. roborev wait reports no local job for HEAD to close.

[roborev-ci]

roborev: Fail

Review findings

Review found release-blocking and medium-risk issues that should be fixed before merge.

High

• .github/workflows/release.yml:64
  The release OAuth -X targets use github.com/wesm/msgvault/..., but the module path is go.kenn.io/msgvault. Production OAuth secrets will not override oauthClientID / oauthClientSecret, leaving release binaries on the source/dev client.
  Fix: Change all release workflow -X paths for version metadata and OAuth credentials to go.kenn.io/msgvault/..., or route releases through the corrected Makefile flags.

Medium

• cmd/msgvault/cmd/setup.go:196
  The no-secrets NAS bundle omits [oauth] and relies on the Docker image’s embedded OAuth client, but the Docker build path is not wired to receive production OAuth credentials. Tokens exported from a production desktop binary are bound to that client ID, so a NAS container built with source/default credentials can fail refresh once the access token expires.
  Fix: Add OAuth build args/secrets to the Dockerfile and Docker workflow, or keep bundling explicit OAuth config for NAS deployments until the image is guaranteed to use the same embedded client as release binaries.

• internal/oauth/oauth.go:258
  The OAuth callback handles error before validating state. A malicious page can trigger http://localhost:8089/callback?error=access_denied while msgvault is waiting for OAuth, without knowing the random state. The handler accepts it, sends errAccessDenied, and aborts the OAuth flow.
  Fix: Validate state before processing any callback result, including error; only handle access_denied after the callback state matches the expected state.

• cmd/msgvault/cmd/oauth_resolve_test.go:20
  New or modified Go tests use t.Fatal, t.Fatalf, t.Error, and t.Errorf, which violates the repo rule requiring require.X / assert.X from testify.
  Fix: Replace direct testing.T assertions with require for fatal setup/preconditions and assert for independent checks.

---

Review type: | Agent: codex | Job: 19267

[sweenzor]

This would be huge!

[roborev-ci]

roborev: Combined Review (6bf6848)

Summary verdict: Changes are not clean; one High and one Medium issue remain around OAuth client identity consistency.

High

• cmd/msgvault/cmd/setup.go:200: The NAS bundle now omits [oauth] client_secrets for embedded-OAuth users, but the Docker image referenced by the bundle is still built from Dockerfile without the production OAuth ldflags. Tokens exported from a release desktop binary are minted for the production client, while ghcr.io/kenn-io/msgvault:latest will refresh them with the source-default/dev client and fail.
  • Fix: Add OAuth client ID/secret build args to Dockerfile and pass the GitHub secrets from .github/workflows/docker.yml for published images, or keep requiring a BYO client in NAS bundles until Docker images embed the same production client.

Medium

• cmd/msgvault/cmd/addaccount.go:200: add-account still skips client-ID validation for the default app. If an existing BYO user removes [oauth] client_secrets to migrate to embedded OAuth, the embedded manager will reuse the old BYO token and report “already authorized” instead of reauthorizing with the embedded client; later refresh/sync can fail because the token belongs to a different OAuth client.
  • Fix: Treat the embedded/default-no-config path as requiring TokenMatchesClient, or otherwise force reauthorization when the stored token’s client_id differs from the resolved manager’s client ID.

---

Panel: ci_default_security | Synthesis: codex, 9s | Members: codex_default (codex/default, done, 4m58s), codex_security (codex/security, done, 2m0s) | Total: 7m7s

[roborev-ci]

roborev: Combined Review (64f8b47)

No Medium, High, or Critical issues found across the reviews.

The only reported findings were Low severity, so they are omitted per the requested threshold.

---

Panel: ci_default_security | Synthesis: codex, 5s | Members: codex_default (codex/default, done, 3m51s), codex_security (codex/security, done, 3m27s) | Total: 7m23s

[sweenzor]

Let me know if you need testers!