Current status

Batch 5 hygiene note, 2026-05-17: Active source of truth for Google OAuth hardening. This page remains Needs Follow-up because tasks #7 through #11 are real unresolved work. Start with the integration scope inventory before changing the consent screen, OAuth clients, API keys, or verification status. Indexed in the SAIL Knowledge Base Hygiene Hub - 2026-05-12.

Date: 2026-05-15

Operator: Sam Aguiar (samaguiar1982@gmail.com)

Project: project-claude (project ID project-claude-489923, project number 76590338058)

Browser used: Personal Chrome on macOS

Run log on disk: /Users/samaguiar/Projects/Codex/oauth-hardening_project-claude_2026-04-25.md

New skill: /Users/samaguiar/Projects/.claude/skills/google-oauth-hardening/SKILL.md

Why this session happened

Sam's Google API connections kept needing manual refresh. Goal was to figure out why and produce a hardening plan.

What I confirmed in the Cloud Console (read-only)

OAuth consent screen — Audience

• Publishing status: In production
• User type: External
• OAuth user cap: 2 / 100 (the cap itself is evidence the app is being treated as unverified for sensitive/restricted scopes)
• Banner: "Your app requires verification."
• Banner: "If your users are seeing the 'unverified app' screen, it is because your OAuth request includes additional scopes that haven't been approved."

OAuth consent screen — Branding

• App logo: not uploaded
• App home page URL: not set