Reference google oauth per account scopes
name: Google OAuth per-account scope split: personal 16, business 22 description: forge_google_user.py uses BASE_SCOPES + BUSINESS_EXTRA_SCOPES; personal=16 scopes (Gmail+YouTube+Drive+etc), business=22 (personal+6 Workspace admin) type: reference
As of 2026-06-08, forge_google_user.py uses a split scope architecture:
BASE_SCOPES (both accounts, 15 scopes): gmail.modify, gmail.send, gmail.settings.basic, gmail.settings.sharing, drive, spreadsheets, documents, presentations, calendar, contacts, tasks, youtube.force-ssl, yt-analytics.readonly, userinfo.email, openid.
BUSINESS_EXTRA_SCOPES (business only, 6 Workspace admin scopes): admin.directory.user, admin.directory.user.alias, admin.directory.group, admin.directory.group.member, admin.directory.domain, admin.directory.orgunit.
Both tokens are live and verified at max power. Personal = 16 scopes, business = 22 scopes.
The admin scopes on business unlock fully API-driven Workspace consolidation: create aliases, groups, add secondary domains (gusoutdoor/gusthebass/sipnserve) without manual admin console clicks.
YouTube scopes on personal unlock channel management (uploads as private/draft per draft-only rule) + analytics.
Tokens live in ~/.forge-secrets/ (chmod 600). Access via forge_google_user.user_token("personal"|"business").
Why: Consumer personal Gmail cannot be granted Workspace admin scopes; a shared scope list would break personal re-consent. Per-account split prevents that.
How to apply: When extending Google scopes in the future, add to BASE (if both accounts need it) or BUSINESS_EXTRA (if Workspace-only). Never re-flatten to a single shared list.
[auto-memory session f1278ae1-5763-4554-985e-a713908f7c4d, confidence 0.90, mode direct]