@chrysb/alphaclaw 0.3.5-beta.1 → 0.4.1-beta.0

package/lib/server/routes/google.js

@@ -1,3 +1,36 @@
+const {
+  kDefaultGoogleClient,
+  kDefaultGoogleScopes,
+  createGoogleAccountId,
+  readGoogleState,
+  writeGoogleState,
+  listGoogleAccounts,
+  getGoogleAccountById,
+  getGoogleAccountByEmailAndClient,
+  upsertGoogleAccount,
+  removeGoogleAccount,
+} = require("../google-state");
+const { syncBootstrapPromptFiles } = require("../onboarding/workspace");
+
+const quoteShellArg = (value) => `"${String(value || "").replace(/(["\\$`])/g, "\\$1")}"`;
+
+const parseJsonSafe = (raw, fallbackValue) => {
+  try {
+    return JSON.parse(String(raw || ""));
+  } catch {
+    return fallbackValue;
+  }
+};
+
+const uniqueServiceLabels = (scopes) =>
+  Array.from(
+    new Set(
+      (scopes || [])
+        .map((scope) => String(scope || "").split(":")[0])
+        .filter(Boolean),
+    ),
+  );
+
 const registerGoogleRoutes = ({
   app,
   fs,
@@ -9,15 +42,136 @@ const registerGoogleRoutes = ({
   constants,
 }) => {
   const {
-    GOG_CREDENTIALS_PATH,
     GOG_CONFIG_DIR,
     GOG_STATE_PATH,
     API_TEST_COMMANDS,
     BASE_SCOPES,
     SCOPE_MAP,
     REVERSE_SCOPE_MAP,
+    kMaxGoogleAccounts,
+    gogClientCredentialsPath,
   } = constants;
 
+  const readState = () => readGoogleState({ fs, statePath: GOG_STATE_PATH });
+  const saveState = (state) => writeGoogleState({ fs, statePath: GOG_STATE_PATH, state });
+  const syncBootstrapTools = (req) => {
+    try {
+      syncBootstrapPromptFiles({
+        fs,
+        workspaceDir: constants.WORKSPACE_DIR,
+        baseUrl: getBaseUrl(req),
+      });
+    } catch {}
+  };
+
+  const listAuthenticatedAccounts = async (state) => {
+    const configuredClients = new Set([kDefaultGoogleClient]);
+    listGoogleAccounts(state).forEach((account) => {
+      const client = String(account.client || kDefaultGoogleClient).trim() || kDefaultGoogleClient;
+      configuredClients.add(client);
+    });
+    const combined = [];
+    for (const client of configuredClients) {
+      const command =
+        client === kDefaultGoogleClient
+          ? "auth list --json --check"
+          : `--client ${quoteShellArg(client)} auth list --json --check`;
+      const result = await gogCmd(command, { quiet: true });
+      if (!result.ok) continue;
+      const parsed = parseJsonSafe(result.stdout, { accounts: [] });
+      const accounts = Array.isArray(parsed?.accounts) ? parsed.accounts : [];
+      accounts.forEach((entry) => {
+        combined.push({
+          ...entry,
+          client: String(entry.client || client || kDefaultGoogleClient).trim() || kDefaultGoogleClient,
+        });
+      });
+    }
+    return combined;
+  };
+
+  const accountIsAuthenticated = ({ account, authenticatedAccounts }) =>
+    authenticatedAccounts.some(
+      (entry) =>
+        String(entry.email || "").trim().toLowerCase() === String(account.email || "").trim().toLowerCase() &&
+        String(entry.client || kDefaultGoogleClient).trim() === String(account.client || kDefaultGoogleClient).trim() &&
+        (entry.valid !== false),
+    );
+
+  const getSelectedAccount = ({ state, accountId, fallbackToFirst = true }) => {
+    if (accountId) {
+      return getGoogleAccountById(state, accountId);
+    }
+    return fallbackToFirst ? listGoogleAccounts(state)[0] || null : null;
+  };
+
+  const clearStoredGoogleAuthForEmail = async ({
+    email,
+    preferredClient = kDefaultGoogleClient,
+    extraClients = [],
+  }) => {
+    const normalizedEmail = String(email || "").trim();
+    if (!normalizedEmail) return;
+    const clientCandidates = new Set([
+      kDefaultGoogleClient,
+      preferredClient,
+      ...extraClients,
+    ]);
+    for (const clientName of clientCandidates) {
+      const safeClientName =
+        String(clientName || "").trim() || kDefaultGoogleClient;
+      const clientArg =
+        safeClientName === kDefaultGoogleClient
+          ? ""
+          : `--client ${quoteShellArg(safeClientName)} `;
+      await gogCmd(
+        `${clientArg}auth remove ${quoteShellArg(normalizedEmail)} --force`,
+        { quiet: true },
+      );
+    }
+  };
+
+  const ensureClientCredentials = ({ client, clientId, clientSecret, req }) => {
+    const credentialsPath = gogClientCredentialsPath(client);
+    fs.mkdirSync(GOG_CONFIG_DIR, { recursive: true });
+    const credentials = {
+      web: {
+        client_id: clientId,
+        client_secret: clientSecret,
+        auth_uri: "https://accounts.google.com/o/oauth2/auth",
+        token_uri: "https://oauth2.googleapis.com/token",
+        redirect_uris: [`${getBaseUrl(req)}/auth/google/callback`],
+      },
+    };
+    fs.writeFileSync(credentialsPath, JSON.stringify(credentials, null, 2));
+    return credentialsPath;
+  };
+
+  app.get("/api/google/accounts", async (req, res) => {
+    const state = readState();
+    const authenticatedAccounts = await listAuthenticatedAccounts(state);
+    const accounts = listGoogleAccounts(state).map((account) => {
+      const activeScopes = account.services || [];
+      const services = uniqueServiceLabels(activeScopes).join(", ");
+      const hasCredentials = fs.existsSync(gogClientCredentialsPath(account.client));
+      return {
+        ...account,
+        services,
+        activeScopes,
+        hasCredentials,
+        authenticated:
+          hasCredentials &&
+          (Boolean(account.authenticated) || accountIsAuthenticated({ account, authenticatedAccounts })),
+      };
+    });
+    res.json({
+      ok: true,
+      hasCompanyCredentials: fs.existsSync(gogClientCredentialsPath(kDefaultGoogleClient)),
+      hasPersonalCredentials: fs.existsSync(gogClientCredentialsPath("personal")),
+      accounts,
+    });
+  });
+
   app.get("/api/google/status", async (req, res) => {
     if (!(await isGatewayRunning())) {
       return res.json({
@@ -25,106 +179,190 @@ const registerGoogleRoutes = ({
         authenticated: false,
         email: "",
         services: "",
+        activeScopes: [],
       });
     }
-    const hasCredentials = fs.existsSync(GOG_CREDENTIALS_PATH);
-    let authenticated = false;
-    let email = "";
-
-    if (hasCredentials) {
-      const result = await gogCmd("auth list --plain", { quiet: true });
-      if (result.ok && result.stdout && !result.stdout.includes("no accounts")) {
-        authenticated = true;
-        email = result.stdout.split("\n")[0]?.split("\t")[0] || "";
-      }
-      if (!email) {
-        try {
-          const state = JSON.parse(fs.readFileSync(GOG_STATE_PATH, "utf8"));
-          email = state.email || "";
-        } catch {}
-      }
+    const state = readState();
+    const selected = getSelectedAccount({
+      state,
+      accountId: String(req.query.accountId || ""),
+      fallbackToFirst: true,
+    });
+    if (!selected) {
+      return res.json({
+        hasCredentials: false,
+        authenticated: false,
+        email: "",
+        services: "",
+        activeScopes: [],
+      });
     }
-
-    let services = "";
-    let activeScopes = [];
-    try {
-      const stateData = JSON.parse(fs.readFileSync(GOG_STATE_PATH, "utf8"));
-      activeScopes = stateData.services || [];
-      services = activeScopes
-        .map((s) => s.split(":")[0])
-        .filter((v, i, a) => a.indexOf(v) === i)
-        .join(", ");
-    } catch {}
-
-    const status = {
+    const authenticatedAccounts = await listAuthenticatedAccounts(state);
+    const activeScopes = selected.services || [];
+    const services = uniqueServiceLabels(activeScopes).join(", ");
+    const hasCredentials = fs.existsSync(gogClientCredentialsPath(selected.client));
+    res.json({
+      accountId: selected.id,
+      client: selected.client,
+      personal: selected.personal,
       hasCredentials,
-      authenticated,
-      email,
+      authenticated:
+        hasCredentials &&
+        (Boolean(selected.authenticated) ||
+          accountIsAuthenticated({ account: selected, authenticatedAccounts })),
+      email: selected.email,
       services,
       activeScopes,
-    };
-    res.json(status);
+    });
+  });
+
+  app.get("/api/google/credentials", (req, res) => {
+    const state = readState();
+    const accountId = String(req.query.accountId || "").trim();
+    const requestedClient = String(req.query.client || "").trim();
+    const account = accountId ? getGoogleAccountById(state, accountId) : null;
+    const client =
+      String(account?.client || requestedClient || kDefaultGoogleClient).trim()
+      || kDefaultGoogleClient;
+    const credentials = readGoogleCredentials(client);
+    const hasCredentials = Boolean(credentials.clientId && credentials.clientSecret);
+    res.json({
+      ok: true,
+      client,
+      hasCredentials,
+      clientId: credentials.clientId || "",
+      clientSecret: credentials.clientSecret || "",
+    });
   });
 
   app.post("/api/google/credentials", async (req, res) => {
-    const { clientId, clientSecret, email } = req.body;
+    const body = req.body || {};
+    const clientId = String(body.clientId || "").trim();
+    const clientSecret = String(body.clientSecret || "").trim();
+    const email = String(body.email || "").trim();
+    const accountId = String(body.accountId || "").trim();
+    const personal = Boolean(body.personal);
+    const client = String(body.client || (personal ? "personal" : kDefaultGoogleClient)).trim()
+      || kDefaultGoogleClient;
     if (!clientId || !clientSecret || !email) {
       return res.json({ ok: false, error: "Missing fields" });
     }
 
     try {
-      fs.mkdirSync(GOG_CONFIG_DIR, { recursive: true });
-      const credentials = {
-        web: {
-          client_id: clientId,
-          client_secret: clientSecret,
-          auth_uri: "https://accounts.google.com/o/oauth2/auth",
-          token_uri: "https://oauth2.googleapis.com/token",
-          redirect_uris: [`${getBaseUrl(req)}/auth/google/callback`],
-        },
-      };
-
-      fs.writeFileSync(GOG_CREDENTIALS_PATH, JSON.stringify(credentials, null, 2));
-      const result = await gogCmd(`auth credentials set ${GOG_CREDENTIALS_PATH}`);
-      console.log(`[alphaclaw] gog credentials set: ${JSON.stringify(result)}`);
+      const state = readState();
+      const existing = accountId ? getGoogleAccountById(state, accountId) : null;
+      const legacyClientsForEmail = listGoogleAccounts(state)
+        .filter(
+          (entry) =>
+            String(entry.email || "").trim().toLowerCase() ===
+            email.toLowerCase(),
+        )
+        .map((entry) => String(entry.client || kDefaultGoogleClient).trim());
+      await clearStoredGoogleAuthForEmail({
+        email,
+        preferredClient: client,
+        extraClients: [
+          ...legacyClientsForEmail,
+          String(existing?.client || "").trim(),
+        ],
+      });
+      const credentialsPath = ensureClientCredentials({
+        client,
+        clientId,
+        clientSecret,
+        req,
+      });
+      const command = client === kDefaultGoogleClient
+        ? `auth credentials set ${quoteShellArg(credentialsPath)}`
+        : `--client ${quoteShellArg(client)} auth credentials set ${quoteShellArg(credentialsPath)}`;
+      const result = await gogCmd(command, { quiet: true });
+      if (!result.ok) {
+        throw new Error(result.stderr || "Failed to set Google client credentials");
+      }
 
-      const services = req.body.services || [
-        "gmail:read",
-        "calendar:read",
-        "calendar:write",
-        "drive:read",
-        "sheets:read",
-        "docs:read",
-      ];
-      fs.writeFileSync(GOG_STATE_PATH, JSON.stringify({ email, services }));
+      const { state: nextState, account } = upsertGoogleAccount({
+        state,
+        maxAccounts: kMaxGoogleAccounts,
+        account: {
+          id: existing?.id || accountId || createGoogleAccountId(),
+          email,
+          personal,
+          client,
+          services: body.services || existing?.services || kDefaultGoogleScopes,
+          authenticated: false,
+        },
+      });
+      saveState(nextState);
+      syncBootstrapTools(req);
 
-      res.json({ ok: true });
+      res.json({ ok: true, accountId: account.id, account });
     } catch (err) {
       console.error("[alphaclaw] Failed to save Google credentials:", err);
       res.json({ ok: false, error: err.message });
     }
   });
 
-  app.get("/api/google/check", async (req, res) => {
-    let email = "";
-    let activeScopes = [];
+  app.post("/api/google/accounts", (req, res) => {
+    const body = req.body || {};
+    const email = String(body.email || "").trim();
+    const accountId = String(body.accountId || "").trim();
+    const personal = Boolean(body.personal);
+    const client = String(body.client || (personal ? "personal" : kDefaultGoogleClient)).trim()
+      || kDefaultGoogleClient;
+    if (!email) {
+      return res.json({ ok: false, error: "Missing fields" });
+    }
+    if (!fs.existsSync(gogClientCredentialsPath(client))) {
+      return res.json({
+        ok: false,
+        error: "Credentials missing for selected client. Save credentials first.",
+      });
+    }
     try {
-      const stateData = JSON.parse(fs.readFileSync(GOG_STATE_PATH, "utf8"));
-      email = stateData.email || "";
-      activeScopes = stateData.services || [];
-    } catch {}
-    if (!email) return res.json({ error: "No Google account configured" });
+      const state = readState();
+      const existing = accountId ? getGoogleAccountById(state, accountId) : null;
+      const { state: nextState, account } = upsertGoogleAccount({
+        state,
+        maxAccounts: kMaxGoogleAccounts,
+        account: {
+          id: existing?.id || accountId || createGoogleAccountId(),
+          email,
+          personal,
+          client,
+          services: body.services || existing?.services || kDefaultGoogleScopes,
+          authenticated: Boolean(existing?.authenticated),
+        },
+      });
+      saveState(nextState);
+      syncBootstrapTools(req);
+      res.json({ ok: true, accountId: account.id, account });
+    } catch (err) {
+      res.json({ ok: false, error: err.message });
+    }
+  });
 
-    const enabledServices = activeScopes
-      .map((s) => s.split(":")[0])
-      .filter((v, i, a) => a.indexOf(v) === i);
+  app.get("/api/google/check", async (req, res) => {
+    const state = readState();
+    const account = getSelectedAccount({
+      state,
+      accountId: String(req.query.accountId || ""),
+      fallbackToFirst: true,
+    });
+    if (!account) return res.json({ error: "No Google account configured" });
+
+    const enabledServices = uniqueServiceLabels(account.services || []);
     const results = {};
-
     for (const svc of enabledServices) {
       const cmd = API_TEST_COMMANDS[svc];
       if (!cmd) continue;
-
-      const result = await gogCmd(`${cmd} --account ${email}`, { quiet: true });
+      const clientArg =
+        account.client === kDefaultGoogleClient
+          ? ""
+          : `--client ${quoteShellArg(account.client)} `;
+      const result = await gogCmd(
+        `${clientArg}${cmd} --account ${quoteShellArg(account.email)}`,
+        { quiet: true },
+      );
       const stderr = result.stderr || "";
       if (stderr.includes("has not been used") || stderr.includes("is not enabled")) {
         const projectMatch = stderr.match(/project=(\d+)/);
@@ -135,7 +373,6 @@ const registerGoogleRoutes = ({
       } else if (result.ok || stderr.includes("not found") || stderr.includes("Not Found")) {
         results[svc] = { status: "ok", enableUrl: getApiEnableUrl(svc) };
       } else {
-        console.log(`[alphaclaw] API check ${svc} error: ${result.stderr?.slice(0, 300)}`);
         results[svc] = {
           status: "error",
           message: result.stderr?.slice(0, 200),
@@ -143,58 +380,47 @@ const registerGoogleRoutes = ({
         };
       }
     }
-
-    res.json({ email, results });
+    res.json({ accountId: account.id, email: account.email, results });
   });
 
   app.post("/api/google/disconnect", async (req, res) => {
+    const accountId = String(req.body?.accountId || "").trim();
+    const state = readState();
+    const account = getSelectedAccount({ state, accountId, fallbackToFirst: true });
+    if (!account) return res.json({ ok: true });
     try {
-      let email = "";
-      try {
-        const stateData = JSON.parse(fs.readFileSync(GOG_STATE_PATH, "utf8"));
-        email = stateData.email || "";
-      } catch {}
-
-      if (email) {
-        const exportResult = await gogCmd(
-          `auth tokens export ${email} --out /tmp/gog-revoke.json --overwrite`,
-          { quiet: true },
-        );
-        if (exportResult.ok) {
-          try {
-            const tokenData = JSON.parse(fs.readFileSync("/tmp/gog-revoke.json", "utf8"));
-            if (tokenData.refresh_token) {
-              await fetch(`https://oauth2.googleapis.com/revoke?token=${tokenData.refresh_token}`, {
-                method: "POST",
-              });
-              console.log(`[alphaclaw] Revoked Google token for ${email}`);
-            }
-            fs.unlinkSync("/tmp/gog-revoke.json");
-          } catch {}
-        }
-        await gogCmd(`auth remove ${email} --force`);
-      }
-
-      for (const f of [GOG_STATE_PATH, GOG_CREDENTIALS_PATH]) {
+      const revokeFile = `/tmp/gog-revoke-${Date.now()}.json`;
+      const clientArg =
+        account.client === kDefaultGoogleClient
+          ? ""
+          : `--client ${quoteShellArg(account.client)} `;
+      const exportResult = await gogCmd(
+        `${clientArg}auth tokens export ${quoteShellArg(account.email)} --out ${quoteShellArg(revokeFile)} --overwrite`,
+        { quiet: true },
+      );
+      if (exportResult.ok && fs.existsSync(revokeFile)) {
         try {
-          fs.unlinkSync(f);
-          console.log(`[alphaclaw] Deleted ${f}`);
-        } catch (e) {
-          if (e.code !== "ENOENT") {
-            console.error(`[alphaclaw] Failed to delete ${f}: ${e.message}`);
+          const tokenData = parseJsonSafe(fs.readFileSync(revokeFile, "utf8"), {});
+          if (tokenData.refresh_token) {
+            await fetch(`https://oauth2.googleapis.com/revoke?token=${tokenData.refresh_token}`, {
+              method: "POST",
+            });
           }
-        }
-      }
-
-      const stateStillExists = fs.existsSync(GOG_STATE_PATH);
-      const credsStillExists = fs.existsSync(GOG_CREDENTIALS_PATH);
-      if (stateStillExists || credsStillExists) {
-        console.error(
-          `[alphaclaw] Files survived deletion! state=${stateStillExists} creds=${credsStillExists}`,
-        );
+        } catch {}
       }
-
-      console.log(`[alphaclaw] Google disconnected: ${email}`);
+      try {
+        fs.unlinkSync(revokeFile);
+      } catch {}
+      await gogCmd(
+        `${clientArg}auth remove ${quoteShellArg(account.email)} --force`,
+        { quiet: true },
+      );
+      const { state: nextState } = removeGoogleAccount({
+        state,
+        accountId: account.id,
+      });
+      saveState(nextState);
+      syncBootstrapTools(req);
       res.json({ ok: true });
     } catch (err) {
       console.error("[alphaclaw] Google disconnect error:", err);
@@ -203,31 +429,44 @@ const registerGoogleRoutes = ({
   });
 
   app.get("/auth/google/start", (req, res) => {
-    const email = req.query.email || "";
+    const state = readState();
+    const requestedAccountId = String(req.query.accountId || "").trim();
+    const requestedClient = String(req.query.client || "").trim();
+    let account = requestedAccountId
+      ? getGoogleAccountById(state, requestedAccountId)
+      : null;
+    if (!account && req.query.email) {
+      account = getGoogleAccountByEmailAndClient(
+        state,
+        String(req.query.email || "").trim(),
+        requestedClient || kDefaultGoogleClient,
+      );
+    }
+    const client = account?.client || requestedClient || kDefaultGoogleClient;
+    const email = account?.email || String(req.query.email || "").trim();
     const services = (
       req.query.services ||
-      "gmail:read,calendar:read,calendar:write,drive:read,sheets:read,docs:read"
+      (account?.services || kDefaultGoogleScopes).join(",")
     )
       .split(",")
+      .map((scope) => String(scope || "").trim())
       .filter(Boolean);
-
     try {
-      const { clientId } = readGoogleCredentials();
+      const { clientId } = readGoogleCredentials(client);
       if (!clientId) throw new Error("No client_id found");
-
       const scopes = [
         ...BASE_SCOPES,
-        ...services.map((s) => SCOPE_MAP[s]).filter(Boolean),
+        ...services.map((scope) => SCOPE_MAP[scope]).filter(Boolean),
       ].join(" ");
-      console.log(
-        `[alphaclaw] Google OAuth scopes: services=${services.join(",")} resolved=${scopes}`,
-      );
-
       const redirectUri = `${getBaseUrl(req)}/auth/google/callback`;
-      const state = Buffer.from(JSON.stringify({ email, services })).toString(
-        "base64url",
-      );
-
+      const encodedState = Buffer.from(
+        JSON.stringify({
+          accountId: account?.id || requestedAccountId || "",
+          client,
+          email,
+          services,
+        }),
+      ).toString("base64url");
       const authUrl = new URL("https://accounts.google.com/o/oauth2/auth");
       authUrl.searchParams.set("client_id", clientId);
       authUrl.searchParams.set("redirect_uri", redirectUri);
@@ -235,31 +474,41 @@ const registerGoogleRoutes = ({
       authUrl.searchParams.set("scope", scopes);
       authUrl.searchParams.set("access_type", "offline");
       authUrl.searchParams.set("prompt", "consent");
-      authUrl.searchParams.set("state", state);
+      authUrl.searchParams.set("state", encodedState);
       if (email) authUrl.searchParams.set("login_hint", email);
-
       res.redirect(authUrl.toString());
     } catch (err) {
       console.error("[alphaclaw] Failed to start Google auth:", err);
-      res.redirect("/setup?google=error&message=" + encodeURIComponent(err.message));
+      res.redirect(`/setup?google=error&message=${encodeURIComponent(err.message)}`);
     }
   });
 
   app.get("/auth/google/callback", async (req, res) => {
     const { code, error, state } = req.query;
-    if (error) return res.redirect("/setup?google=error&message=" + encodeURIComponent(error));
+    if (error) return res.redirect(`/setup?google=error&message=${encodeURIComponent(error)}`);
     if (!code) return res.redirect("/setup?google=error&message=no_code");
 
     try {
-      let email = "";
-      try {
-        const decoded = JSON.parse(Buffer.from(state, "base64url").toString());
-        email = decoded.email || "";
-      } catch {}
-
-      const { clientId, clientSecret } = readGoogleCredentials();
+      const decodedState = parseJsonSafe(
+        Buffer.from(String(state || ""), "base64url").toString(),
+        {},
+      );
+      const accountId = String(decodedState.accountId || "").trim();
+      const requestedClient = String(decodedState.client || "").trim();
+      const stateData = readState();
+      const existingAccount = accountId
+        ? getGoogleAccountById(stateData, accountId)
+        : getGoogleAccountByEmailAndClient(
+            stateData,
+            String(decodedState.email || "").trim(),
+            requestedClient || kDefaultGoogleClient,
+          );
+      const client = existingAccount?.client || requestedClient || kDefaultGoogleClient;
+      const { clientId, clientSecret } = readGoogleCredentials(client);
+      if (!clientId || !clientSecret) {
+        throw new Error(`Google credentials missing for client "${client}"`);
+      }
       const redirectUri = `${getBaseUrl(req)}/auth/google/callback`;
-
       const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -271,42 +520,25 @@ const registerGoogleRoutes = ({
           grant_type: "authorization_code",
         }),
       });
-
       const tokens = await tokenRes.json();
       if (!tokenRes.ok || tokens.error) {
-        console.log(
-          `[alphaclaw] Google token exchange failed: status=${tokenRes.status} error=${tokens.error} desc=${tokens.error_description}`,
-        );
-      }
-      if (tokens.error) {
-        throw new Error(`Google token error: ${tokens.error_description || tokens.error}`);
+        throw new Error(`Google token error: ${tokens.error_description || tokens.error || "exchange_failed"}`);
       }
 
-      if (!tokens.refresh_token) {
-        let hasExisting = false;
-        try {
-          const stateData = JSON.parse(fs.readFileSync(GOG_STATE_PATH, "utf8"));
-          hasExisting = stateData.authenticated;
-        } catch {}
-
-        if (hasExisting) {
-          console.log(
-            "[alphaclaw] No new refresh token (already authorized), keeping existing",
-          );
-        } else {
-          throw new Error(
-            "No refresh token received. Revoke app access at myaccount.google.com/permissions and retry.",
-          );
-        }
+      if (!tokens.refresh_token && !existingAccount?.authenticated) {
+        throw new Error(
+          "No refresh token received. Revoke app access at myaccount.google.com/permissions and retry.",
+        );
       }
 
+      let email = String(existingAccount?.email || decodedState.email || "").trim();
       if (!email && tokens.access_token) {
         try {
           const infoRes = await fetch("https://www.googleapis.com/oauth2/v2/userinfo", {
             headers: { Authorization: `Bearer ${tokens.access_token}` },
           });
           const info = await infoRes.json();
-          email = info.email || email;
+          email = String(info.email || "").trim();
         } catch {}
       }
 
@@ -314,73 +546,61 @@ const registerGoogleRoutes = ({
         const tokenFile = `/tmp/gog-token-${Date.now()}.json`;
         const tokenData = {
           email,
-          client: "default",
+          client,
           created_at: new Date().toISOString(),
           refresh_token: tokens.refresh_token,
         };
         fs.writeFileSync(tokenFile, JSON.stringify(tokenData, null, 2));
-        const result = await gogCmd(`auth tokens import ${tokenFile}`);
-        if (result.ok) {
-          console.log(`[alphaclaw] Google token imported for ${email}`);
-        } else {
-          console.error(`[alphaclaw] Token import failed: ${result.stderr}`);
-        }
-
-        if (!result.ok) {
-          console.error("[alphaclaw] Token import failed, trying gog auth add --manual");
-          const keyringDir = `${GOG_CONFIG_DIR}/keyring`;
-          fs.mkdirSync(keyringDir, { recursive: true });
-          fs.writeFileSync(
-            `${keyringDir}/token-${email}.json`,
-            JSON.stringify(tokenData, null, 2),
-          );
-          console.log(
-            `[alphaclaw] Token written directly to keyring: ${keyringDir}/token-${email}.json`,
-          );
-        }
-
+        const importCmd =
+          client === kDefaultGoogleClient
+            ? `auth tokens import ${quoteShellArg(tokenFile)}`
+            : `--client ${quoteShellArg(client)} auth tokens import ${quoteShellArg(tokenFile)}`;
+        const result = await gogCmd(importCmd, { quiet: true });
         try {
           fs.unlinkSync(tokenFile);
         } catch {}
+        if (!result.ok) {
+          throw new Error(result.stderr || "Failed to import Google token");
+        }
       }
 
-      let services = [];
-      try {
-        const decoded = JSON.parse(Buffer.from(state, "base64url").toString());
-        services = decoded.services || [];
-      } catch {}
-
+      const requestedServices = Array.isArray(decodedState.services)
+        ? decodedState.services
+        : [];
       const grantedServices = tokens.scope
         ? tokens.scope
             .split(" ")
-            .map((s) => REVERSE_SCOPE_MAP[s])
+            .map((scope) => REVERSE_SCOPE_MAP[scope])
             .filter(Boolean)
-        : services;
-      console.log(
-        `[alphaclaw] Requested: ${services.join(",")} → Granted: ${grantedServices.join(",")}`,
-      );
-
-      fs.writeFileSync(
-        GOG_STATE_PATH,
-        JSON.stringify({
+        : requestedServices;
+      const { state: nextState, account } = upsertGoogleAccount({
+        state: stateData,
+        maxAccounts: kMaxGoogleAccounts,
+        account: {
+          id: existingAccount?.id || accountId || createGoogleAccountId(),
           email,
-          clientId,
-          clientSecret,
-          services: grantedServices,
+          personal: Boolean(existingAccount?.personal),
+          client,
+          services: grantedServices.length ? grantedServices : requestedServices,
           authenticated: true,
-        }),
-      );
+        },
+      });
+      saveState(nextState);
+      syncBootstrapTools(req);
 
+      const safeEmail = String(email || "").replace(/'/g, "\\'");
+      const safeAccountId = String(account.id || "").replace(/'/g, "\\'");
       res.send(`<!DOCTYPE html><html><body><script>
-      window.opener?.postMessage({ google: 'success', email: '${email}' }, '*');
+      window.opener?.postMessage({ google: 'success', accountId: '${safeAccountId}', email: '${safeEmail}' }, '*');
       window.close();
     </script><p>Google connected! You can close this window.</p></body></html>`);
     } catch (err) {
       console.error("[alphaclaw] Google OAuth callback error:", err);
+      const safeMessage = String(err.message || "unknown_error").replace(/'/g, "\\'");
       res.send(`<!DOCTYPE html><html><body><script>
-      window.opener?.postMessage({ google: 'error', message: '${err.message.replace(/'/g, "\\'")}' }, '*');
+      window.opener?.postMessage({ google: 'error', message: '${safeMessage}' }, '*');
       window.close();
-    </script><p>Error: ${err.message}. You can close this window.</p></body></html>`);
+    </script><p>Error: ${safeMessage}. You can close this window.</p></body></html>`);
     }
   });
 };