Created: May 28, 2026

Importance: High

Status: Pending build (scoped, not started)

Owner direction: Sam asked for this as a handoff (May 28).

Why this exists

The direct Google Ads REST API lane is DEAD. Both OAuth clients (canonical 76590338058-... / project-claude-489923, and the deprecated lunar-arc 961786446236-...) return deleted_client because Sam deleted the Google Cloud projects on 2026-04-26 after a security incident. Verified again 2026-05-28 by direct token-endpoint call: still deleted_client.

Consequence: anything the NotFair connector does not expose cannot be changed. The concrete blocker that surfaced this session is the phone-call conversion duration (needs 180 to 480 seconds; NotFair's updateConversionAction does not expose phone_call_duration_seconds). There will be more fields like this. Restoring a real Google Ads API credential is the durable fix.

What NotFair already covers (so scope is clear)

NotFair handles: campaign/budget/bidding reads, conversion action click-through window, negative keywords, ad final URLs, ad asset (headline/description) edits, sitelinks, experiments, runScript GAQL reads. The OAuth rebuild is for the gaps: phone_call_duration_seconds, value_settings nuances, audience writes, billing reads, account-access/user-management reads, and anything Tooling-like.

Recommended build (cloud-resident, agent-executable)

Mirror the proven Salesforce MCP pattern (mcp.aguiarinjurylawyers.com): a Cloudflare Worker holding the Google Ads OAuth refresh token server-side, exposing an authenticated HTTPS endpoint any agent can call with a bearer token. HTTPS/443 is never egress-blocked (SSH is, in Cowork), so this works from every environment.

Sequence:

1. Sam creates ONE Google Cloud project under aguiarlawmarketing@gmail.com, enables the Google Ads API, creates an OAuth 2.0 Desktop client. (This is the only step that requires Sam: Google will not let an agent sign in as the account owner. ~5 min.) Sam pastes client_id + client_secret back.
2. Agent generates the consent URL; Sam clicks Allow once; agent captures the refresh token.
3. Reuse the existing developer token (hsQ-65334MAZh6s02rXBJA) and login-customer / MCC IDs from the vault.
4. Agent mirrors the new client_id/secret/refresh_token to BOTH .credentials/vault.env AND Notion "API Keys & App Secrets" in the same pass (replace the dead canonical block; the vault note already documents the 6 mirror locations).
5. Agent builds + deploys the Worker (Cloudflare account 0dc22e0ac4cd713541be49cfbcbb2955, same as the SF MCP), bearer-protected, exposing the Google Ads endpoints needed.
6. Agent uses the restored lane to set phone_call_duration_seconds = 480 on conversion actions 7387417086 (Call From Website) and 7387417083 (Calls from ads). That closes the one tracking gap left from the May 28 session.
7. Register the connector in Claude.ai / Code / Codex / Cursor like the SF MCP.

Interim option (no rebuild)