Status: BLOCKED-ENV (Day 6 consecutive)

Campaign: SAIL - Car Accidents 2026 (23723841732)

Customer: 3813916687 | MCC: 8676599345

Data source: DIRECT Google Ads API v30 (adspirer not used)

This Notion entry is the storage pointer. The canonical fix-list lives in the repo at google-ads/outputs/fix-lists/neg-candidates-2026-04-30.md. The QA review queue lives at google-ads/outputs/qa-queue-mirror/2026-04-30.md (in-repo because ~/Documents/Codex/_qa-queue is not mounted to the scheduled-task sandbox).

What happened

The daily run attempted authentication and received invalid_grant: Token has been expired or revoked for the sixth consecutive day. The OAuth client is most likely in Testing publishing status (Google expires refresh tokens after 7 days at that tier). No human or agent has rotated the credential since 2026-04-24.

Open Sam-decisions (priority order)

1. Q1-2026-04-30 — Disable the launchd cron now and replace with auth-probe monitor. Recommended A.
2. Q2-2026-04-30 — Permanently fix credential model: dedicated sail-automation service account in cloud secret manager. Recommended A.
3. Q4-2026-04-30 — Add a hard 3-day failsafe to SKILL.md so this never reaches Day 6 again. Recommended A.
4. Q3-2026-04-30 — Migrate this loop to the sail-ads-runner cloud image this week. Recommended A.
5. Q5-2026-04-30 — Keep in-repo QA-queue mirror as canonical until the Codex path is mounted. Recommended A.

Sam's decisions (received 2026-04-30 in-session)

All five questions answered. Recommendation A on every one.

• Q1.A — Disable launchd cron, replace with auth-probe monitor.
• Q2.A — Service account in cloud secrets (kills the 7-day OAuth expiry permanently).
• Q3.A — Migrate to cloud runner this week (existing GitHub Actions workflows already implement most of this; need Q2 migration).
• Q4.A — Hard 3-day failsafe in SKILL.md / auth-probe (already implemented in auth_probe.py).
• Q5.B — Mount ~/Documents/Codex into the Cowork sandbox so the QA queue lands at the canonical path.