What I changed

• Updated .credentials/CREDENTIAL-INDEX.md to declare the canonical business lane, separate Gmail lane, and compatibility-alias behavior.
• Updated .credentials/API Keys & App Secrets.md with the same canonical state.
• Updated _Credentials/vault.env comments so future agents see the canonical model immediately.
• Added google-ads-cloud-runner/REMOTE_MIGRATION_NEXT.md with the remote-ready checklist.

What remains blocked

• I could not directly verify whether the SAIL OAuth app under lunar-arc-493119-a6 is in In production because this session does not currently have an authenticated Google Cloud shell or logged-in browser lane wired into Codex.

Canonical operating model

• Repair and keep one business lane: aguiarlawmarketing@gmail.com.
• Keep one separate Gmail lane: samaguiar1982@gmail.com.
• Do not mint additional Google Ads OAuth clients or casually rotate tokens.

Local artifacts

• C:UsersSAguiarDocumentsCodexgoogle-ads2026-04-29_215733-oauth-diagnosticoauth-diagnostic.md
• C:UsersSAguiarDocumentsCodexgoogle-ads2026-04-29_220345-oauth-consolidation-closeoutcloseout.md

Next recommended action

• Verify the SAIL OAuth consent-screen publishing status from a logged-in Google Cloud session, then repair only the aguiarlawmarketing@gmail.com business lane and rerun guarded preflight.