Google Cloud OAuth Setup — Step by Step
Step 1: Create Google Cloud Project (or use existing)
- Go to https://console.cloud.google.com/
- Sign in with hoffmann.family.manager@gmail.com
- Create new project (or select existing):
  - Project name: hoffmann-icarus (or your preference)
  - Organization: None (personal project)
Step 2: Enable Google Calendar API
- In the project, go to APIs & Services → Library
- Search "Google Calendar API"
- Click Enable
Step 3: Configure OAuth Consent Screen
- Go to APIs & Services → OAuth consent screen
- Choose External (since this is a personal/family app)
- Fill in:
  - App name: Icarus Family Assistant
  - User support email: hoffmann.family.manager@gmail.com
  - Developer contact: hoffmann.family.manager@gmail.com
- Click Save and Continue
- Scopes — Add:
  - https://www.googleapis.com/auth/calendar.readonly
  - (Search "calendar.readonly", check the box, click Update)
- Click Save and Continue
- Test users — Add your email:
  - hoffmann.family.manager@gmail.com
- Click Save and Continue → Back to Dashboard
Step 4: Create OAuth 2.0 Credentials
- Go to APIs & Services → Credentials
- Click + Create Credentials → OAuth client ID
- Application type: Desktop app
- Name: Icarus Desktop Client
- Click Create
- Download the JSON file — this is your client_secret.json
Step 5: Secure the Credential File
Important: This file contains sensitive secrets.
- Move it to the Beelink (via secure transfer — scp, Tailscale, etc.)
- Place at: /home/hoffmann_admin/.config/gog/client_secret.json
- Set permissions: chmod 600 /home/hoffmann_admin/.config/gog/client_secret.json
- Never commit to git, never share
Step 6: Authenticate with gog
On the Beelink (titanium-butler), run:
# Create config directory
mkdir -p /home/hoffmann_admin/.config/gog
# Set credentials
gog auth credentials /home/hoffmann_admin/.config/gog/client_secret.json
# Add account with calendar scope (readonly enforced)
gog auth add hoffmann.family.manager@gmail.com --services calendar
# This will open a browser for OAuth consent. Since you're on SSH, use:
# Option A: Local browser + copy-paste code
# Option B: Run on a machine with browser, copy token to Beelink
Step 7: Verify Read-Only Scope
# Check token scopes
gog auth list --json
# Should show:
# {
# "email": "hoffmann.family.manager@gmail.com",
# "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]
# }
# Test query (should work)
gog calendar events primary --from 2026-05-01T00:00:00Z --to 2026-05-07T23:59:59Z
# Test write (should FAIL — confirming read-only)
# This command should error with "insufficient permissions"
Step 8: Icarus Integration
Once gog is authenticated, I'll configure:
- CalendarValidator class in services/icarus/calendar_adapter.py
- Read-only enforcement — Code checks token scope before every query
- Event-driven queries — Only called from shadow_bot.py after tripwire fire
- Rate limiting — Max 50 queries/day, tracked in staging.db
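One way to implement the scope check and the daily query limit listed above (an added example, not the project's CalendarValidator code). It assumes the token metadata has the JSON shape shown in Step 7; the function names, the `calendar_query_budget` table and the sample token are hypothetical.

```python
import json
import sqlite3
from datetime import datetime, timezone

READ_ONLY_SCOPE = "https://www.googleapis.com/auth/calendar.readonly"
DAILY_LIMIT = 50  # Step 8: max 50 queries/day
# Constructed sample in the shape Step 7 expects from `gog auth list --json`
SAMPLE_TOKEN = json.dumps({"email": "user@example.com", "scopes": [READ_ONLY_SCOPE]})

def require_read_only(token_json: str) -> None:
    """Fail closed unless the token carries exactly the read-only scope."""
    scopes = set(json.loads(token_json).get("scopes", []))
    if scopes != {READ_ONLY_SCOPE}:
        raise PermissionError(f"unexpected scopes: {sorted(scopes)}")

class QueryBudget:
    """Per-day query counter persisted in SQLite (table name is hypothetical)."""
    def __init__(self, db_path: str, limit: int = DAILY_LIMIT):
        self.db = sqlite3.connect(db_path)
        self.limit = limit
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS calendar_query_budget "
            "(day TEXT PRIMARY KEY, used INTEGER NOT NULL)"
        )

    def consume(self, day: str = "") -> int:
        """Count one query for `day` (UTC today by default); raise at the limit."""
        day = day or datetime.now(timezone.utc).date().isoformat()
        with self.db:  # commits on success, rolls back if an exception is raised
            row = self.db.execute(
                "SELECT used FROM calendar_query_budget WHERE day = ?", (day,)
            ).fetchone()
            used = row[0] if row else 0
            if used >= self.limit:
                raise RuntimeError(f"daily limit of {self.limit} reached for {day}")
            self.db.execute(
                "INSERT INTO calendar_query_budget (day, used) VALUES (?, 1) "
                "ON CONFLICT(day) DO UPDATE SET used = used + 1",
                (day,),
            )
        return used + 1

def guarded_query(token_json: str, budget: QueryBudget, fetch):
    """Run `fetch()` only after the scope check and the budget check both pass."""
    require_read_only(token_json)
    budget.consume()
    return fetch()
```

The scope check runs before the budget is touched, so a token with extra scopes is rejected without spending a query.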
Security Checklist
| Check | Status |
|---|---|
| OAuth scope = calendar.readonly only | ⏳ Verify after setup |
| Client secret file permissions = 600 | ⏳ Set after transfer |
| No write API calls in code | ✅ Enforced in spec |
| Rate limiting configured | ✅ Will implement |
| Token refresh handled | ✅ gog handles automatically |
Troubleshooting
| Issue | Fix |
|---|---|
| "Access blocked: app not verified" | OAuth consent screen → click "Advanced" → "Go to Icarus Family Assistant (unsafe)" |
| "Token expired" | gog auth refresh hoffmann.family.manager@gmail.com |
| "API not enabled" | Go to Library → search "Calendar API" → Enable |
| "Insufficient permissions" on write | Expected! Confirms read-only is working. |
Next Step
After you complete Steps 1-5, transfer the client_secret.json to the Beelink and let me know the path. I'll run gog auth and verify the read-only scope, then dispatch Socrates for the CalendarValidator implementation.
Questions or blockers? Ping me at any step.