"""
Shared Google OAuth 2.0 handler.
Covers: Gmail, Google Calendar, Google Tasks, Google Keep.
Place credentials.json (downloaded from Google Cloud Console) in project root.
"""
import os
from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials
from google_auth_oauthlib.flow import InstalledAppFlow

SCOPES = [
    'https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/calendar',
    'https://www.googleapis.com/auth/tasks',
    # 'https://www.googleapis.com/auth/keep',  # Uncomment if Workspace Enterprise
]

def get_credentials() -> Credentials:
    """
    Returns valid Google OAuth credentials.
    Opens browser on first run. Saves/refreshes token.json automatically.
    """
    creds = None
    if os.path.exists('token.json'):
        creds = Credentials.from_authorized_user_file('token.json', SCOPES)
    if not creds or not creds.valid:
        if creds and creds.expired and creds.refresh_token:
            creds.refresh(Request())
        else:
            flow = InstalledAppFlow.from_client_secrets_file('credentials.json', SCOPES)
            creds = flow.run_local_server(port=0)
        with open('token.json', 'w') as token:
            token.write(creds.to_json())
    return creds