mindseye-google-auth is the authentication and identity authority for the MindsEye Google Fabric.
This repository is security, not execution.
It issues authenticated principals and scoped tokens used by:
- `mindseye-google-gateway`
- `mindscript-google-executor`
- any Google-facing Fabric component
Google APIs require identity. MindsEye requires explicit authority.
This repo provides:
- OAuth2 user flows
- Service Account flows
- Deterministic token caching
- Explicit scope enforcement
- Stable principal identity mapping
No silent permissions. No implicit trust.
- OAuth2 and Service Account token handling
- Token cache (memory / file / pluggable)
- Principal identity model
- Scope policy enforcement
- Auth errors and failure modes
- Protocol schemas (`mindseye-protocol`)

- MindScript execution
- Google API calls
- Gateway routing
- UI / Apps Script
If it performs an action, it does not belong here.
```
        Google OAuth / IAM
                │
                ▼
┌──────────────────────────────┐
│     mindseye-google-auth     │  ← THIS REPO
│ (identity + scope authority) │
└───────────────┬──────────────┘
                │
        ┌───────▼────────┐
        │ gateway / exec │
        └────────────────┘
```
All identities resolve to explicit principals:
- `orch:<name>` → human operator
- `agent:<name>` → AI agent
- `svc:<name>` → service account
Tokens never float without a principal.
Scopes are:
- declared
- validated
- enforced
If a scope is not allowed, the token is rejected. No automatic expansion.
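A minimal illustration of the principal mapping and the scope rule above, written as an added example rather than code from this repository; the policy table, the principal names and the two Google API scopes in it are constructed assumptions:

```python
from dataclasses import dataclass

# Principal kinds the page defines: orch (human operator), agent (AI agent),
# svc (service account). Anything else is not a recognised identity.
PRINCIPAL_KINDS = {"orch", "agent", "svc"}

class AuthError(Exception):
    """Raised when a principal or scope request cannot be honoured."""

@dataclass(frozen=True)
class Principal:
    kind: str
    name: str

    @classmethod
    def parse(cls, ident: str) -> "Principal":
        # Map "kind:name" to a stable principal; reject malformed or unknown kinds.
        kind, sep, name = ident.partition(":")
        if not sep or kind not in PRINCIPAL_KINDS or not name:
            raise AuthError(f"unknown principal identity: {ident!r}")
        return cls(kind, name)

@dataclass(frozen=True)
class ScopedToken:
    principal: Principal  # a token is never issued without a principal
    scopes: frozenset

# Sample Google API scopes used as policy values in this example.
DRIVE_RO = "https://www.googleapis.com/auth/drive.readonly"
GMAIL_RO = "https://www.googleapis.com/auth/gmail.readonly"
# Hypothetical policy, constructed for this example; a deployment would load it from config.
SCOPE_POLICY = {
    Principal("orch", "alice"): frozenset({DRIVE_RO, GMAIL_RO}),
    Principal("agent", "summarizer"): frozenset({DRIVE_RO}),
}

def issue_token(ident: str, requested: list) -> ScopedToken:
    """Bind a token to an explicit principal and only scopes declared allowed for it.
    One disallowed scope rejects the whole request; nothing is narrowed or expanded."""
    principal = Principal.parse(ident)
    allowed = SCOPE_POLICY.get(principal)
    if allowed is None:
        raise AuthError(f"no scope policy declared for {ident}")
    requested_set = frozenset(requested)
    if not requested_set:
        raise AuthError("a token must carry at least one declared scope")
    disallowed = requested_set - allowed
    if disallowed:
        raise AuthError(f"scope(s) not allowed for {ident}: {sorted(disallowed)}")
    return ScopedToken(principal, requested_set)
```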
Apache License 2.0