feat(auth): support env var token injection for op run workflows

[Leechael]

Summary

• Allow bypassing OAuth flow and keyring by setting GOG_CLIENT_ID, GOG_CLIENT_SECRET, and GOG_REFRESH_TOKEN environment variables
• Enables 1Password CLI (op run) injection of credentials without touching keyring or credentials.json
• Resolution order: Service Account JSON → Env vars → Keyring
• Clear error message when token env vars are set but GOG_ACCOUNT is missing

Usage

export GOG_CLIENT_ID="op://vault/item/client_id"
export GOG_CLIENT_SECRET="op://vault/item/client_secret"
export GOG_REFRESH_TOKEN="op://vault/item/refresh_token"
export GOG_ACCOUNT="user@gmail.com"
op run -- gogcli gmail search -q "is:unread"

Files changed

File	Change
internal/googleapi/client_env.go	New — tokenSourceFromEnv()
internal/googleapi/client_env_test.go	New — 5 tests
internal/googleapi/client.go	Modified — insert env var path in resolution order
internal/cmd/account.go	Modified — guard for missing GOG_ACCOUNT

Test plan

• go build ./...
• go test ./internal/googleapi/...
• Manual: set 3 env vars + GOG_ACCOUNT, run gogcli gmail search, confirm no keyring access

---

Summary by cubic

Adds env var-based token source so op run can inject Google OAuth credentials without using the keyring or OAuth flow. Service account JSON remains preferred, then env vars, then keyring.

• New Features
  • Support GOG_CLIENT_ID, GOG_CLIENT_SECRET, and GOG_REFRESH_TOKEN to build an OAuth2 token source from env vars.
  • Works with 1Password CLI (op run) for ephemeral credential injection.
  • Clear error if token env vars are set but GOG_ACCOUNT is missing; set GOG_ACCOUNT or use --account.

^{Written for commit f0ae9b7. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 4 files