add google-workspace mcp to runner

Signed-off-by: Michael Clifford <mcliffor@redhat.com>

add google drive integration to session frontend

Signed-off-by: Michael Clifford <mcliffor@redhat.com>

update operator to mount mcp configs

Signed-off-by: Michael Clifford <mcliffor@redhat.com>

update credentials file location and fields

Signed-off-by: Michael Clifford <mcliffor@redhat.com>

more config file wrangling

Signed-off-by: Michael Clifford <mcliffor@redhat.com>

google mcp docs update

Signed-off-by: Michael Clifford <mcliffor@redhat.com>

Author: MichaelClifford

GOOGLE_WORKSPACE_MCP_INTEGRATION.md

@@ -0,0 +1,74 @@
+# Google Drive Integration
+
+Connect your Google Drive to agentic sessions so Claude can read and write files in your Drive.
+
+## What It Does
+
+Once connected, Claude can:
+- List files and folders in your Google Drive
+- Read file contents
+- Create new files
+- Update existing files
+- Search your Drive
+
+## How to Use
+
+### 1. Connect Google Drive to a Session
+
+1. Open or create an agentic session
+2. In the left sidebar, expand **"MCP Integrations"**
+3. Click **"Connect"** on the Google Drive card
+4. Authorize in the popup window
+5. Close the popup when you see "Authorization Successful"
+
+### 2. Use Drive in Your Prompts
+
+Once connected, you can ask Claude things like:
+
+- "List the files in my Google Drive"
+- "Read the contents of 'meeting-notes.txt' from my Drive"
+- "Create a new document in my Drive called 'project-summary.md' with this content..."
+- "Find all PDFs in my Drive from last month"
+
+### 3. Disconnect (Optional)
+
+Credentials are automatically removed when the session ends. To disconnect earlier, click "Disconnect" in the MCP Integrations accordion.
+
+## First-Time Setup (Admin)
+
+Administrators need to configure Google OAuth credentials once:
+
+1. Create a Google Cloud project and OAuth 2.0 credentials
+2. Set authorized redirect URI to: `https://your-vteam-backend/oauth2callback`
+3. Create a Kubernetes Secret in the operator namespace:
+
+```bash
+kubectl create secret generic google-workflow-app-secret \
+  --from-literal=GOOGLE_OAUTH_CLIENT_ID='your-client-id' \
+  --from-literal=GOOGLE_OAUTH_CLIENT_SECRET='your-client-secret'
+```
+
+## Security & Privacy
+
+- **Session-scoped**: Credentials only exist for the current session
+- **Automatic cleanup**: Credentials deleted when session ends
+- **No sharing**: Your credentials never accessible to other users or sessions
+- **You control access**: You must explicitly connect for each session
+
+## Troubleshooting
+
+**"Connect" button doesn't work**
+- Check that popup blockers aren't blocking the OAuth window
+
+**Claude says it can't access Drive**
+- Verify you see "Connected" status in MCP Integrations accordion
+- Try disconnecting and reconnecting
+- Check the session logs for errors
+
+**"Invalid scopes" error**
+- You may need to re-authorize with updated permissions
+- Click "Disconnect" then "Connect" again
+
+## Questions?
+
+See the [workspace-mcp documentation](https://github.com/taylorwilsdon/google_workspace_mcp) for details about what Drive operations are supported.

components/backend/OAUTH_INTEGRATION.md

@@ -65,7 +65,11 @@ func getOAuthProvider(provider string) (*OAuthProvider, error) {
 			ClientSecret: clientSecret,
 			TokenURL:     "https://oauth2.googleapis.com/token",
 			Scopes: []string{
+				"openid",
 				"https://www.googleapis.com/auth/userinfo.email",
+				"https://www.googleapis.com/auth/userinfo.profile",
+				"https://www.googleapis.com/auth/drive",
+				"https://www.googleapis.com/auth/drive.readonly",
 				"https://www.googleapis.com/auth/drive.file",
 			},
 		}, nil
@@ -633,13 +637,25 @@ func writeCredentialsToSessionPVC(ctx context.Context, projectName, sessionName,
 func storeCredentialsInSecret(ctx context.Context, projectName, sessionName, provider, accessToken, refreshToken string, expiresIn int64) error {
 	secretName := fmt.Sprintf("%s-%s-oauth", sessionName, provider)
 
-	// Prepare credentials JSON
+	// Get OAuth provider config for client_id and client_secret
+	providerConfig, err := getOAuthProvider(provider)
+	if err != nil {
+		return fmt.Errorf("failed to get OAuth provider config: %w", err)
+	}
+
+	// Calculate expiry time in ISO 8601 format as expected by workspace-mcp
+	// workspace-mcp expects timezone-naive format like Python's datetime.isoformat()
+	expiryTime := time.Now().Add(time.Duration(expiresIn) * time.Second)
+
+	// Prepare credentials JSON in the format expected by workspace-mcp
 	credentials := map[string]interface{}{
-		"access_token":  accessToken,
+		"token":         accessToken,
 		"refresh_token": refreshToken,
-		"token_type":    "Bearer",
-		"expires_in":    expiresIn,
-		"created_at":    time.Now().Unix(),
+		"token_uri":     providerConfig.TokenURL,
+		"client_id":     providerConfig.ClientID,
+		"client_secret": providerConfig.ClientSecret,
+		"scopes":        providerConfig.Scopes,
+		"expiry":        expiryTime.Format("2006-01-02T15:04:05"), // Timezone-naive format for Python compatibility
 	}
 
 	credentialsJSON, err := json.MarshalIndent(credentials, "", "  ")