🔐 Backend Access Registry

1. Google Accounts & GCP Auth-critical

1a. OAuth client projects

1b. Accounts authenticated against each OAuth client

Single-primary-admin model: BNS Ltd is the parent legal entity, so [email protected] is the canonical permanent business identity. Per-brand admins ([email protected]) become specialised secondaries. Banked rule: memory/feedback_bns_primary_admin_canonical.md.

2. New GCP Project Walkthrough Historical — project already exists

Exact steps for standing up a new Internal-mode OAuth project inside the betternutritionalscience.co.uk Workspace. Produces a credentials JSON that will issue permanent (non-expiring) refresh tokens for any @betternutritionalscience.co.uk account.

1. Sign in to Google Cloud Console as [email protected] — visit console.cloud.google.com. Top-left, verify the org name shows “betternutritionalscience.co.uk”, not “No organisation” — this is the check that unlocks Internal mode later.
2. Create a new project. Top nav → project dropdown → New Project. Name: Brainzyme Google Access. Organisation: betternutritionalscience.co.uk. Location: betternutritionalscience.co.uk. Click Create. Wait for the notification, then select it.
3. Link a billing account (optional but recommended). Billing → Link Billing Account. Drive/Sheets/Docs/Gmail/Calendar APIs are all within free-tier for this project’s traffic, but billing-linked projects have higher quotas and are harder to accidentally disable.
4. Enable the APIs — APIs & Services → Library. Enable each in sequence (see §3 below for the exact list — minimum: Drive API). Click Enable on each; each takes ~5–10 seconds.
5. Configure OAuth consent screen. APIs & Services → OAuth consent screen.
   • User Type: Internal (only visible because this project sits inside a Workspace org — the whole point of step 1's verification)
   • App name: Brainzyme Google Access
   • User support email: [email protected]
   • Developer contact: [email protected]
   • Leave App logo, App domain, Authorised domains blank (not required for Internal)
   • Save and continue
6. Add scopes. Click Add or Remove Scopes. For a Drive-only MCP, add: .../auth/drive.readonly and .../auth/drive.file. For full Workspace: add Sheets, Docs, Gmail, Calendar read/write scopes as needed. Save and Continue. (Internal mode doesn't need test users — skip that page.)
7. Create OAuth 2.0 Client ID. APIs & Services → Credentials → Create Credentials → OAuth client ID.
   • Application type: Desktop app
   • Name: Claude Code MCP
   • Create → Download JSON
8. Store the credentials file. Save the downloaded JSON as F:\Claude Root\gdrive-credentials-bns.json. Matches the existing naming convention, keeps it alongside the brainzyme.co.uk credentials but clearly namespaced.
9. Wire up a second MCP instance in .mcp.json. Add a new gdrive-bns server entry pointing at the new credentials and a fresh token path (gdrive-token-bns.json). Pattern + examples in project_multi_account_google_mcp.md. Restart Claude Code.
10. Run initial auth flow and verify permanent token. First MCP call triggers a browser auth prompt → sign in as [email protected] → grant scopes. Refresh token written to gdrive-token-bns.json. Because the project is Internal, this token will not expire in 7 days. After completing, update the §1b table above with the new entry and add a line to the Change Log.

3. GCP API Enablement Map Reference

Original side-by-side: APIs enabled on legacy claude-use-calum8999 vs the new claude01-cli. As of 2026-04-26, claude01-cli has Cloud Resource Manager + BigQuery family + Cloud Storage + Logging + Monitoring + Dataform + Service Management + Service Usage + Telemetry + Cloud Trace + Cloud SQL + Datastore + Dataplex enabled. 2026-05-04 update: cloud-platform scope removed from bns-token.json (triggers RAPT failures). BigQuery now uses dedicated bq-token.json with just the bigquery scope. BigQuery API is still enabled on claude01-cli — the token file governs access, not the scope list. Stay-on-existing-project items (Ads, Gemini) aren't per-account OAuth — they use different credential models.

Minimum viable for new BNS project: Drive API only (matches current MCP scope). Enable Sheets + Docs if planning to wire gws CLI against the BNS account too.

3a. Scopes Expansion — 2026-05-18 LIVE WALKTHROUGH Calum to execute

Approved scope set

Cloud Console walkthrough — one session, ~25 min

1. Sign in to console.cloud.google.com as [email protected] — top-left org dropdown must show betternutritionalscience.co.uk. PENDING
2. Select project claude01-cli (the canonical primary OAuth project — see §1a above). All new scopes attach to this single project so we keep one consent screen and one app to manage. PENDING
3. Enable APIs in Library. APIs & Services → Library → search and click Enable on each:
   • datamanager.googleapis.com — Data Manager API
   • indexing.googleapis.com — Indexing API
   • pagespeedonline.googleapis.com — PageSpeed Insights API
   • siteverification.googleapis.com — Google Site Verification API
   • tagmanager.googleapis.com — Tag Manager API
   • cloudresourcemanager.googleapis.com — already enabled (verify only)
   • cloudbilling.googleapis.com — Cloud Billing API
   • mybusinessaccountmanagement.googleapis.com — My Business Account Management API
   • mybusinessbusinessinformation.googleapis.com — My Business Business Information API
   • gmailpostmastertools.googleapis.com — Gmail Postmaster Tools API
   Each takes 5-10 seconds. DONE 2026-05-19 — all 9 APIs confirmed enabled in Cloud Console, plus bonus Cloud Logging/Monitoring/Trace/SQL/Storage/Compute Engine APIs that come "free" with the cloud-platform scope.
4. Edit OAuth consent screen scopes. APIs & Services → OAuth consent screen → Edit App. Navigate to the Scopes step. Click Add or Remove Scopes. In the panel, paste each scope URL from the table above into the "Manually add scopes" field (one at a time). Tick the boxes that appear, then "Update". Confirm all 9 new scopes are listed in the granted scopes panel before continuing through the wizard. Save and Continue through the remaining steps. DONE 2026-05-19 — all 9 OAuth scope groups confirmed on consent screen (10 non-sensitive incl. 3 Postmaster + 1 paginated, 20 sensitive incl. 6 Tag Manager + datamanager.partnerlink bonus, 2 restricted incl. full Gmail restored). PSI uses API key path instead of OAuth scope (see row 3).
5. Accept Customer Match Terms of Service. SKIPPABLE — this step was the precondition for building our OWN Customer Match uploader (Path C). Per the 2026-05-19 diagnostic: the Shopify Google & YouTube channel app is already syncing CM records on our behalf using ITS allowlisted token (5 RUNNING offline_user_data_jobs as of the audit, EEA lists succeeding). Our own dev token is NOT allowlisted for Customer Match API writes (Step 0 smoke confirmed). Skip unless / until we apply for Customer Match API allowlisting separately (weeks-long Google process). The Cloud Console may also not show this option at all without prior allowlisting — expected, not a bug. Calum 2026-05-19: was unable to find the path — correct, this is gated. DEFERRED
6. Register Postmaster Tools domains — OR add [email protected] as a user on the existing registrations. ROUTING FIX 2026-05-19 Domains are already registered under [email protected] (personal Gmail) per Calum's existing Postmaster setup at postmaster.google.com/u/0/managedomains. Personal-Gmail can't auth with our Internal-mode claude01-cli OAuth project (same wall as YouTube channel ownership, which is why youtube-audit is separate). Clean fix: in Postmaster Tools UI, click each domain → Manage users → add [email protected] as manager/owner. DNS TXT verification carries over — the DOMAIN owns it, not the account. Fallback if no multi-user UI: register each domain a SECOND time under [email protected]; same TXT works; two registrations coexist independently. PENDING
7. Confirm Business Profile manager access. Open business.google.com → Brainzyme profile → Users. Confirm [email protected] appears as a Manager (or Owner). If not, add yourself. PENDING
8. Maps Platform API key (parallel path — NOT OAuth). APIs & Services → Library → enable: Maps JavaScript API, Places API (New), Geocoding API. Then Credentials → Create Credentials → API key. Restrict the key:
   • Application restrictions: HTTP referrers — add *.brainzyme.com/*, *.brainzyme.us/*, *.brainzyme.de/*, *.brainzyme.fr/*, localhost:*
   • API restrictions: only the 3 Maps APIs enabled above
   Copy the key → add to F:/Agentic-OS/.env as MAPS_API_KEY=AIza.... PENDING
9. Mint refresh tokens for each cluster. Once steps 1-7 are done, run these 5 scripts from the Agentic-OS root (each opens a browser auth flow):
   • python tools/data_manager_first_auth.py → data-manager-token.json
   • python tools/seo_first_auth.py → seo-token.json (indexing + pagespeedonline + siteverification)
   • python tools/gcp_first_auth.py → gcp-token.json (cloud-platform + cloud-billing.readonly + tagmanager.*)
   • python tools/business_profile_first_auth.py → business-profile-token.json
   • python tools/postmaster_first_auth.py → postmaster-token.json
   Each script: sign in as [email protected], click Allow. Token writes to disk. Scripts will be created in the same Claude session that authored this walkthrough — not yet on disk. PENDING
10. Smoke-test each new token. Claude will write tmp/scope_expansion_smoke.py that loads each new token, hits a minimal-side-effect endpoint per service (e.g. OfflineUserDataJobService.list, indexing.urlNotifications.getMetadata, pagespeedonline.pagespeedapi.runpagespeed, etc.), and reports GREEN/RED per service. Run it once Calum finishes the GCP UI work. PENDING

Per-cluster token-file map (after walkthrough)

Deliverability Stack NEW 2026-05-19

Calum has recurring SPF / DKIM / DMARC / inbox-placement pain. Postmaster Tools API (row 9 above) gives the Gmail telemetry, but on its own it's data without an operator. This 3-piece stack closes the loop: telemetry + the operator who reads it + the missing DMARC report parser.

What this DOES and DOES NOT change

• ✓ Does add 9 new OAuth scopes to the claude01-cli consent screen (was 10 — Tag Manager scopes consolidated by Google 2026).
• ✓ Does create 5 new per-cluster token files (data-manager, seo, gcp, business-profile, postmaster).
• ✓ Does add 1 new API key (Maps Platform, .env).
• ✓ Does enable 9 new GCP APIs in the claude01-cli project.
• ✓ Does add the mkt-email-deliverability skill + DMARC aggregator + (optional) MXToolbox API key.
• ✗ Does NOT modify the existing 7 token files or the scopes they hold.
• ✗ Does NOT require a new GCP project — reuses claude01-cli.
• ✗ Does NOT require Google verification — claude01-cli is Internal-mode (Workspace-restricted).
• ✗ Does NOT need Cloud Billing changes — all new APIs have generous free tiers; the Cloud Billing scope is just for monitoring.

Cost outlook

All new APIs have free tiers that easily cover Brainzyme's traffic:

• Data Manager API — free; rate-limited by request quotas, not paywalls.
• Indexing API — 200 requests/day per project free.
• PageSpeed Insights API — 25,000 requests/day free (with API key); unlimited via OAuth.
• Site Verification — free.
• Tag Manager API — free.
• Cloud Platform / Cloud Billing — read-side free; writes only billed when actually using the resources (Cloud Run, Functions, etc.).
• Business Profile — free.
• Postmaster Tools — free.
• Maps Platform — $200/month free credit, then per-call. At expected pickup-locator volume: zero $ for the foreseeable future.

Decisions still open

When Calum finishes the walkthrough, Claude updates each row above from PENDING → DONE and re-publishes the dashboard. Per-cluster token-file paths get cross-linked into reference/connections-registry.md + new reference/services/{data-manager,indexing,pagespeed,business-profile,postmaster}.md contracts in the same session.

4. GitHub Summary

Two GitHub accounts in play. Full detail — emails, repo visibility, deploy flow — in reference_hosting_infrastructure.md.

The Main VPS carries both accounts — Calum Edinburgh for Francis's company projects, HappyUser89 for the apps/dashboards project (separate projects on one box). The Testing VPS and the new Cloudflare hosting are both on HappyUser89. ("Joe SEO" is a Hostinger hosting account — see §5 — not a GitHub account.)

5. Hosting — VPSes + Cloudflare Summary

Two Hostinger VPSes, both running Coolify v4 — plus a new Cloudflare Pages static-hosting layer (§5b). Docker cleanup runbook, troubleshooting, deploy architecture: reference_hosting_infrastructure.md. Per-VPS API + root access: Connections Registry services/hostinger.md + services/coolify.md.

Hostinger panel: hpanel.hostinger.com → VPS → select server → Browser terminal (runs as root on host). Programmatic VPS / firewall management via tools/hostinger_api.py (per-account tokens HOSTINGER_API_CALUM842 / HOSTINGER_API_JOESEO). The Main VPS Coolify has had recurring disk-fill incidents — runbook in memory/feedback_calum842_vps_disk_fill_post_mortem.md + feedback_coolify_prune_minus_a_required.md.

5a. Main VPS edge gate — Coolify HTTP Basic Auth LIVE 2026-04-22

Traefik basicauth middleware applied per-app in Coolify. Currently enforced on the Command Centre application (uuid s8sk0ks4gk40kwsgco480cgg) which owns the root FQDN — so every subfolder app under apps.nutritionalproducts.org inherits the gate.

To rotate: open the Coolify app → Configuration → HTTP Basic Authentication section → change password via the Livewire UI (never direct DB write) → Force deploy (without cache). Update the .env value (APPS_NP_BASIC_AUTH_PASSWORD) and §5 of project_backend_access_registry.md. Verify: curl -sI -k -H "Host: apps.nutritionalproducts.org" https://168.231.115.117/ → expect 401; with -u admin:<pass> → 200.

5b. Cloudflare Pages — new static-hosting layer NEW — 2026-05

Static dashboards / sites are moving to Cloudflare Pages, deployed from the HappyUser89 GitHub account. 4 CF Pages projects live: brainzyme, public, team-shared, bns-daily-intelligence — 3 of them gated by Cloudflare Zero Trust Access apps (email allowlist). CF account team divine-unit-8d4e (Free plan).

6. MCP Servers in .mcp.json Who auths as what Hardened 2026-05-08

7. .env API Keys Names only Refreshed 2026-05-08

Two .env files exist: F:\Agentic-OS\.env (canonical for active sessions) and F:\Claude Root\.env (legacy parallel). Per Connections Registry policy, Agentic-OS wins. Never committed.

Full per-service auth recipes + failure modes live at F:\Agentic-OS\reference\services\*.md. This table is the executive summary.

For changes to this table, edit F:\Agentic-OS\.env.example + add a service contract under reference/services/ + run python tools/check-connections-registry.py. The validator catches drift between this list and the actual tooling.

8. Other Integrations

Integrations not covered by the service sections above. Full per-service auth in the Connections Registry (services/*.md).

10. Tool Map & Preflight NEW — 2026-05-12 Session 49

Single-page directory of every active tool in the Claude Code stack — so a fresh session can find the right tool first time. Built after the 2026-05-12 incident exposed both the user-scope backup gap AND the cost of misfiring on tool calls.

Canonical: F:/Agentic-OS/reference/tool-map.md (13 sections, full detail) · Smoke test: python tools/preflight_smoke.py or /preflight slash command (covers all 13 areas in ~10s) · SOP: apps.nutritionalproducts.org/it-sop/system-state-mirror/

Sheet view (queryable mirror): Master Sheet → Tool Map tab (97 rows, sheetId 1038784443; new 2026-05-13). The markdown is canonical — the Sheet is a derived mirror, auto-refreshed by python tools/sync_registries_to_master_sheet.py. Sibling tabs: Connections Registry (40 rows) · Page Build Registry (5 rows). Drift validator: python tools/check-tool-map.py (exit 0 = clean; runs as preflight Stage 9).

Tool inventory (the 13 sections)

Skills inventory — 77 total available in any session

Trigger pattern (how Claude picks a skill)

Claude does not wait for the user to name a skill. The available-skills list is injected at session start with every skill's YAML description (trigger phrases + negative triggers). Claude reads the user's message, matches against triggers, and invokes the relevant skill via the Skill tool. Example: "audit my campaigns" → triggers ads-audit; "write some ad copy for FOCUS PRO" → triggers mkt-ad-copy; "/preflight" → goes to the slash command file directly. Missed triggers should be flagged to the maintainer — fix the frontmatter description.

11. Change Log

• 2026-05-19 — Hosting + services full refresh. Audited the whole registry against the 39-service Connections Registry (canonical). §5 Hosting rewritten to the current 2-VPS reality — Main VPS (calum842 / srv843884) + Testing VPS (Joe SEO / srv1376875, hosts the n8n ads-agent dev); added §5b Cloudflare Pages as the new static-hosting layer (HappyUser89 GitHub, 4 projects, Zero Trust Access). §4 GitHub corrected to 2 accounts (Calum Edinburgh + HappyUser89; “Joe SEO” is a Hostinger account, not a GitHub one). §6 MCP +n8n-mcp (→7 servers). §7 .env added the n8n dual-host, Coolify dual-VPS, Hostinger API, ClickUp, Reamaze, Google Chat, and Cloudflare Account-API keys. §8 refreshed — Coolify dual-VPS, ClickUp now a REST API (not connector-only), +Tailscale / Reamaze / Google Chat. §10 tool-map counts refreshed (+n8n-mcp-skills plugin, 7 skills). Verified against connections-registry.md + connections.yaml + memory.
• 2026-05-12 — Session 49: Tool Map + Preflight + System-State Mirror shipped. New F:/Agentic-OS/reference/tool-map.md indexes 13 areas of the live Claude Code stack — GSD bridge, all 6 MCP servers, Google services (MCP vs bns_docs.py vs gws), Shopify (4 layers complementary), browser tools routing, Pinecone (2 indexes), Codex+Gemini, 13 hooks, system-state mirror, 70 skills inventory, 7 common pitfalls, ~25 specialist QC/probing tools (Lighthouse, SEO suite, compliance gates, scrapers, Xero audits). Verification via python tools/preflight_smoke.py or /preflight slash command (~10s, 8 deterministic stages + Claude-side live MCP probe). System-state-mirror Stop hook mirrors load-bearing user-scope files (~/.claude/settings.json, Windows Terminal settings) into reference/system-state/ — closes the only backup gap exposed by today's PowerShell trailing-space incident (canonical ~/.claude/ nuked when PowerShell silently trimmed the trailing-space path argument; recovered from Claude Code's internal file-history). SOP at apps.nutritionalproducts.org/it-sop/system-state-mirror/. Reviewed by Codex 5.5 (REFINE on shadow-dir delete plan, all refinements applied: use Python shutil.rmtree with \\?\ prefix — cmd.exe + rd does not work; PowerShell silently trims).
• 2026-05-08 — Connections Registry shipped. New F:/Agentic-OS/reference/connections-registry.md indexes 24 external services (REST/GraphQL/MCP/CLI) with per-service contracts at reference/services/{name}.md. Every contract documents auth flow + env-var names + common failure modes + refresh recipe. Tier 1 services (shopify, cloudflare, browserbase-mcp, google-workspace, codex-cli) get full contracts + tool docstring headers + self-diagnostic prompts on auth failure. Mandatory pre-tool-lookup rule added to AGENTS.md and CLAUDE.md. Drift validator at tools/check-connections-registry.py. Triggered by recurring auth-discovery failures across sessions (most recent: hour-long Shopify token detour). Service contracts win over memory files on conflict. Reviewed by Codex 5.5 + Gemini before implementation.
• 2026-05-04 — RAPT fix + BigQuery token isolation. cloud-platform scope removed from bns-token.json (13→12 scopes) after discovering it triggers Workspace RAPT re-auth failures after ~30 days. All 7 BNS Python tools fixed to not pass explicit SCOPES to from_authorized_user_file(). Separate bq-token.json minted with bigquery-only scope via new tools/bq_first_auth.py. ga4_bq.py credential chain updated: bq-sa.json → bq-token.json → bns-token.json. Smoke-tested all 4 market GA4 BigQuery datasets. bns_sheets.py verified_update() extended with partial-range write support. Diagnostic: tools/bns_token_diagnose.py (tests each scope individually, can --fix). Canonical rule: memory/feedback_bns_token_scope_rapt.md.
• 2026-04-26 — STRATEGIC SHIFT: BNS becomes new PRIMARY admin. [email protected] is canonical going forward; [email protected] = LEGACY. bns-token.json minted with 13 scopes (openid, userinfo.email/profile, drive, spreadsheets, documents, gmail.modify, calendar, webmasters, analytics.readonly + analytics + analytics.edit, cloud-platform). All 9 Google services smoke-tested working. 5 Python helper scripts written and tested (tools/bns_drive.py, bns_sheets.py, bns_docs.py, bns_gmail.py, bns_calendar.py). Search Console: admin@bns added at siteFullUser for all 6 sites (4 Brainzyme stores + recoverup.co.uk + mynutrition365.com). Brand registry (config/brands.json) updated — mynutrition365 added as dormant stub, recoverup.co.uk domain added. Memory: new canonical feedback_bns_primary_admin_canonical.md; project_backend_access_registry.md and project_multi_account_google_mcp.md rewritten for Python-only path. Pending: drop Google MCPs from .mcp.json, migrate Brainzyme-side integrations (HubSpot/GHL/ClickUp/Shopify) to BNS where feasible.
• 2026-04-22 — apps.nutritionalproducts.org basic-auth gate LIVE. Coolify v4.0.0-beta.463 HTTP Basic Authentication enabled for app s8sk0ks4gk40kwsgco480cgg. Creds: admin / correct-horse-battery-staple-success. Traefik middleware http-basic-auth-s8sk0ks4gk40kwsgco480cgg returns 401 without creds, 200 with. Two upstream Coolify bugs hit and documented: (1) schema column http_basic_auth_password was varchar(255) but Laravel-encrypted output is 256 chars — widened to TEXT via ALTER TABLE; (2) direct DB writes via encrypt() are PHP-serialised but model cast uses decryptString() which does not deserialise — must save via Livewire UI (or Crypt::encryptString()) to get a value that round-trips correctly.
• 2026-04-21 — Registry and exec-summary dashboard created. Seeded Google ([email protected] on claude-use-calum8999), GitHub 3-account summary, 3 Hostinger VPSes, MCP auth map, .env key index. Incoming BNS Workspace flagged as pending.