Run mode: READ-ONLY scheduled task. No mutations.
Account: Sam Aguiar Injury Lawyers (3813916687) under MCC 8676599345.
Whitelist: 23723841732 SAIL Car Accidents 2026, 23729092958 Accidentes Spanish 2026, 23729092712 Brand Protection 2026.
Outcome: BLOCKED-ENV. No data pulled.
OAuth refresh token in /Users/samaguiar/Documents/Projects/.credentials/vault.env was rejected by Google with invalid_grant: Token has been expired or revoked. The runner loaded the vault, set the Decision-8 MCC override (login_customer_id=8676599345) in code, initialized the SDK successfully, and only failed when the first GAQL call triggered an OAuth refresh.
This is a credential rotation problem, not a code, network, or scope problem. googleads.googleapis.com and oauth2.googleapis.com are both reachable from the runner.
The vault has a single GOOGLE_ADS_REFRESH_TOKEN entry. The SAIL_GOOGLE_ADS_* keys exist as the partial scaffold for the future cloud-side sail-automation OAuth client (Decision 6), but the inline comment in vault confirms no refresh token has been issued for that client yet, so it is not a fallback today.
python3 -m google_auth_oauthlib.tool (or google-ads-python generate_user_credentials.py) on the Mac against the existing GOOGLE_ADS_CLIENT_ID.GOOGLE_ADS_REFRESH_TOKEN= value in vault.env.ETA: ~10 minutes. Restores daily report tonight.
Provision the sail-automation OAuth client and refresh token in the cloud secret store, stand up the sail-ads-runner container, and switch this scheduled task to it. Multi-day. Decisions 1, 2, 5, and 6 already approved this direction; what's missing is provisioning, not approval.
Same credential is shared by: