# Google OAuth Token Auto-Refresh via Cronjob

## Problem

Google Cloud projects in "Testing" status expire OAuth refresh tokens after **7 days**. After expiry, every API call fails with `REFRESH_FAILED: invalid_grant: Token has been expired or revoked`. The user must manually re-authenticate.

## Solution: Daily cronjob

A cronjob that runs `setup.py --check` once per day keeps the token alive by triggering a refresh before the 7-day window closes.

### Script

Create `~/.hermes/scripts/refresh-google-token.sh`:

```bash
#!/bin/bash
# Daily Google OAuth token refresh — silent on success, alerts on failure
RESULT=$(python /DATA/.hermes/skills/productivity/google-workspace/scripts/setup.py --check 2>&1)
EXIT=$?
if [ $EXIT -ne 0 ]; then
    echo "⚠️ Google OAuth Token-Refresh FEHLGESCHLAGEN: $RESULT"
    exit 1
fi
# Success → silent (no output, exit 0)
```

### Cronjob

```bash
hermes cron create \
  --name "Google OAuth Token Refresh" \
  --schedule "0 9 * * *" \
  --script refresh-google-token.sh \
  --no-agent \
  --deliver origin
```

- `--no-agent`: Runs as a pure shell script, no LLM invocation — saves tokens
- `--deliver origin`: Sends output only on failure (the script is silent on success)
- Schedule: daily at 09:00 local time

### Verification

```bash
hermes cron list
# Check next_run_at and last_status
```

## Alternative: Publish to Production

The permanent fix is publishing the Google Cloud project's OAuth consent screen to "Production" status. This removes the 7-day limit entirely. However, Google requires app verification for sensitive scopes, which can take weeks. The cronjob is the immediate workaround.