feat: wire GoogleAuth with DB-backed token storage for per-user OAuth

- GoogleAuth instance shared across Gmail + Calendar toolkits
- store_token_in_db=True enables DB-backed credential storage
- OAuth callback router mounted at /google/oauth/callback
- Tokens stored per user_id in agno_auth_tokens table

Requires: agno-agi/agno#7404 (per-run toolkit cloning)

Author: Mustafa-Esoofally

app/main.py

@@ -18,7 +18,7 @@
 from db import get_postgres_db
 from pal.agents import compiler, linter, navigator, researcher, syncer
 from pal.agents.settings import pal_knowledge, pal_learnings
-from pal.config import GIT_SYNC_ENABLED, PAL_REPO_URL, SLACK_SIGNING_SECRET, SLACK_TOKEN
+from pal.config import GIT_SYNC_ENABLED, GOOGLE_INTEGRATION_ENABLED, PAL_REPO_URL, SLACK_SIGNING_SECRET, SLACK_TOKEN
 from pal.team import pal
 
 # ---------------------------------------------------------------------------
@@ -78,6 +78,13 @@ async def lifespan(app):  # type: ignore[no-untyped-def]
 app = agent_os.get_app()
 app.include_router(create_router(agent_os.settings))
 
+# Google OAuth callback — exchanges auth code for tokens, stores in DB
+if GOOGLE_INTEGRATION_ENABLED:
+    from pal.tools.build import google_auth_instance
+
+    if google_auth_instance:
+        app.include_router(google_auth_instance.get_oauth_router(db=get_postgres_db()))
+
 
 # ---------------------------------------------------------------------------
 # Startup helpers

pal/tools/build.py

@@ -12,6 +12,13 @@
     GOOGLE_INTEGRATION_ENABLED,
     PAL_CONTEXT_DIR,
 )
+
+# Shared GoogleAuth coordinator — one instance for tools + OAuth callback router
+google_auth_instance = None
+if GOOGLE_INTEGRATION_ENABLED:
+    from agno.tools.google.auth import GoogleAuth
+
+    google_auth_instance = GoogleAuth()
 from pal.tools.git import create_sync_tools
 from pal.tools.ingest import create_ingest_tools
 from pal.tools.knowledge import create_update_knowledge
@@ -38,12 +45,13 @@ def build_navigator_tools(knowledge: Knowledge) -> list:
     _, _, read_manifest, _ = create_ingest_tools(RAW_DIR)
     tools.append(read_manifest)
 
-    if GOOGLE_INTEGRATION_ENABLED:
+    if GOOGLE_INTEGRATION_ENABLED and google_auth_instance:
         from agno.tools.google.calendar import GoogleCalendarTools
         from agno.tools.google.gmail import GmailTools
 
-        tools.append(GmailTools(send_email=False, send_email_reply=False, list_labels=True))
-        tools.append(GoogleCalendarTools(allow_update=True))
+        tools.append(google_auth_instance)
+        tools.append(GmailTools(google_auth=google_auth_instance, store_token_in_db=True, send_email=False, send_email_reply=False, list_labels=True))
+        tools.append(GoogleCalendarTools(google_auth=google_auth_instance, store_token_in_db=True, allow_update=True))
 
     return tools