feat(scouts): gmail pub/sub webhook with JWT verification

2026-05-16 04:31:57 +02:00
parent 0c0299808c
commit d3497a1908
4 changed files with 239 additions and 7 deletions
--- a/app/config/settings.py
+++ b/app/config/settings.py
@@ -62,6 +62,11 @@ class Settings(BaseSettings):
    # Full resource name, e.g. "projects/my-project/topics/gmail-push".
    # Leave empty in dev — setup_watch will skip registration gracefully.
    GMAIL_PUBSUB_TOPIC: str = ""
+    # OIDC token audience for Pub/Sub push subscription JWT verification.
+    # Set to the service account email or audience string configured in the
+    # Pub/Sub push subscription. Leave empty in dev to skip verification
+    # (a warning is logged — never silent in production).
+    GMAIL_PUBSUB_AUDIENCE: str = ""

    # Fernet key (URL-safe base64, 32-byte key) for at-rest encryption of OAuth
    # tokens stored in cloud_agent_configs.oauth_token_encrypted.