Fix Google OAuth: explicit IAM policy + strip OIDC scopes from credentials

agentclaw/app/agent_claw_main/tools/google_workspace.py

@@ -38,13 +38,20 @@ def _get_creds(actor_id: str) -> Credentials:
         expiry = exp_aware.replace(tzinfo=None)  # google-auth uses naive UTC datetimes
     else:
         expiry = None
+    stored_scopes = data.get('scopes', [])
+    api_scopes = [s for s in stored_scopes if s.startswith('https://')] if stored_scopes else None
+    # Fix stored scopes if they contain OIDC scopes
+    if stored_scopes and any(s in stored_scopes for s in ['openid', 'email', 'profile']):
+        data['scopes'] = api_scopes
+        _secrets().put_secret_value(SecretId=secret_name, SecretString=json.dumps(data))
+        print('[google] fixed stored scopes: removed OIDC scopes')
     creds = Credentials(
         token=data.get('token'),
         refresh_token=data.get('refresh_token'),
         token_uri=data.get('token_uri', 'https://oauth2.googleapis.com/token'),
         client_id=data.get('client_id'),
         client_secret=data.get('client_secret'),
-        scopes=data.get('scopes'),
+        scopes=api_scopes,
         expiry=expiry,
     )
     print(f'[google] creds loaded, expired={creds.expired}')