feat(provider): add Google provider setup wizard with GCP automation

[qasim-nylas]

Summary

Implements nylas provider setup google — an interactive wizard that fully automates Google Cloud Platform integration with Nylas. Reduces a 30+ minute manual setup process to a single guided command.

Interactive wizard demo

$ nylas provider setup google

  Checking prerequisites...
  ✓ gcloud CLI found
  ✓ Authenticated as user@example.com

  Your GCP Projects:
  [1] my-existing-project (My App)
  [2] another-project (Another App)
  [3] Create a new project

  Select a project (1-3): 3
  Enter project name: My Nylas App
  Generated project ID: my-nylas-app-nylas (ok? Y/n/custom): y

  Which features will you use?
  [1] Email (Gmail API)
  [2] Calendar (Google Calendar API)
  [3] Contacts (People API)
  [4] Real-time sync via Pub/Sub
  Select (1-4, comma-separated, or 'all'): all

  Which Nylas region? (us/eu): us

━━━ Phase 1: Automated GCP setup ━━━━━━━━━━━━━━━━━━━━

  Creating GCP project "my-nylas-app-nylas"...
  ✓ Project created

  Enabling APIs...
  ✓ 4 APIs enabled

  Add support@nylas.com as project owner? (Y/n) y
  ✓ IAM policy updated

  Setting up Pub/Sub...
  ✓ Topic created: nylas-gmail-realtime
  ✓ Service account created: nylas-gmail-realtime@my-nylas-app-nylas.iam.gserviceaccount.com
  ✓ Publisher role granted

━━━ Phase 2: Browser configuration ━━━━━━━━━━━━━━━━━━

  Step 1/2: OAuth Consent Screen
  Opening: https://console.cloud.google.com/apis/credentials/consent?project=my-nylas-app-nylas

  Instructions:
    1. Select 'External' user type → Create
    2. Fill in App name and User support email
    3. Add your developer contact email
    4. Click 'Save and Continue' through remaining steps
    5. On the Summary page, click 'Back to Dashboard'

  Press Enter when done...

  Step 2/2: OAuth Credentials
  Opening: https://console.cloud.google.com/apis/credentials/oauthclient?project=my-nylas-app-nylas

  Instructions:
    1. Select 'Web application' as the application type
    2. Give it a name (e.g., 'Nylas Integration')
    3. Add authorized redirect URI: https://api.us.nylas.com/v3/connect/callback
    4. Click 'Create'
    5. Copy the Client ID and Client Secret below

  Paste Client ID: 123456789-abcdef.apps.googleusercontent.com
  Paste Client Secret (hidden): ••••••••

━━━ Phase 3: Connecting to Nylas ━━━━━━━━━━━━━━━━━━━━

  Creating Google connector...
  ✓ Connector created!

  Connector ID: google-abc123
  Scopes: https://www.googleapis.com/auth/gmail.modify, ...

  Setup complete! Next steps:
    1. Run 'nylas auth login' to authenticate a Google account
    2. Run 'nylas email list' to verify email access
    3. Run 'nylas calendar list' to verify calendar access

  Dashboard: https://dashboard.nylas.com

Resume support — if interrupted mid-setup, re-running picks up where you left off:

$ nylas provider setup google

  Found previous setup for project "my-nylas-app-nylas"
  (started 15 minutes ago, last step: enable_apis)
  Resume from where you left off? (Y/n): y

━━━ Phase 1: Automated GCP setup ━━━━━━━━━━━━━━━━━━━━

  ✓ Project created (already done)
  ✓ APIs enabled (already done)
  Add support@nylas.com as project owner? (Y/n) y
  ...

Status command — verify everything is configured:

$ nylas provider status google --project-id my-nylas-app-nylas

  Google Provider Status for project "my-nylas-app-nylas"

  GCP Project .............. ✓ exists
  Gmail API ................ ✓ enabled
  Calendar API ............. ✓ enabled
  People API ............... ✓ enabled
  Pub/Sub API .............. ✓ enabled
  IAM (support@nylas.com) .. ✓ owner
  Pub/Sub Topic ............ ✓ nylas-gmail-realtime
  Service Account .......... ✓ nylas-gmail-realtime@...
  Publisher Role ........... ✓ granted
  OAuth Consent Screen ..... ? (cannot verify via API)
  OAuth Credentials ........ ? (cannot verify via API)
  Nylas Connector .......... ✓ connected (connector ID: abc123)

What it does

The wizard runs in three phases:

Phase 1 — Automated GCP Setup

• Creates a new GCP project (or uses an existing one)
• Enables required Google APIs (Gmail, Calendar, People, Pub/Sub)
• Adds support@nylas.com as project owner (with user confirmation)
• Sets up Pub/Sub: topic, service account, publisher role

Phase 2 — Guided Browser Configuration

• Opens OAuth Consent Screen in browser with step-by-step instructions
• Opens OAuth Credentials page with correct redirect URI for region
• Securely collects Client ID and Client Secret (term.ReadPassword)

Phase 3 — Nylas Connection

• Creates the Google connector in Nylas with correct scopes and settings
• Validates the connector was created successfully
• Prints next steps

Additional features

• Resume/checkpoint support — State saved to ~/.config/nylas/provider-setup-state.json after each step. If interrupted, re-running the command offers to resume from where it left off. State expires after 24 hours. --fresh flag to start over.
• Status command — nylas provider status google --project-id <id> checks the state of all GCP resources, IAM, and Nylas connector with a ✓/✗/? table.
• Post-setup validation — Verifies the connector exists and prints connector ID and scopes.
• Idempotent operations — 409 Conflict from GCP treated as success (safe to re-run).

Architecture

Follows the project's hexagonal architecture:

Layer	Files	Purpose
Domain	internal/domain/gcloud.go	Types, constants, feature/step enums
Ports	internal/ports/gcloud.go	GCPClient interface, IAMPolicy helpers
Adapters	internal/adapters/gcp/	Google SDK implementation (ADC-based auth)
CLI	internal/cli/provider/	Cobra commands, wizard orchestration

Auth approach: Google Application Default Credentials (ADC) via gcloud auth application-default login. The Google Go SDK picks up ADC automatically — zero token management code.

Files added/modified

New files (25):

• internal/domain/gcloud.go — Domain types and constants
• internal/ports/gcloud.go — GCPClient interface + IAMPolicy types
• internal/adapters/gcp/ — client.go, projects.go, iam.go, pubsub.go, mock.go
• internal/cli/provider/ — provider.go, setup.go, google_cmd.go, google_setup.go, google_steps.go, google_state.go, google_helpers.go, status.go
• Test files for all packages

Modified files (4):

• cmd/nylas/main.go — Register provider command
• internal/domain/admin.go — Add TopicName to ConnectorSettings
• go.mod / go.sum — Add google.golang.org/api SDK

Flags

nylas provider setup google [flags]

Flags:
  --region string      Nylas region (us/eu)
  --project-id string  Use existing GCP project
  --email              Enable Email (Gmail API)
  --calendar           Enable Calendar API
  --contacts           Enable Contacts (People API)
  --pubsub             Enable Pub/Sub real-time sync
  --yes                Skip confirmation prompts
  --fresh              Ignore saved state, start fresh

Test plan

• All unit tests pass (go test ./internal/adapters/gcp/... ./internal/cli/provider/... ./internal/ports/... ./internal/domain/...)
• CLI provider coverage at 75.9% (target: 50%)
• GCP mock coverage at 100%
• Zero lint errors (golangci-lint run)
• Race detector clean (go test -race)
• Security scan clean (make security)
• All files under 500-line limit
• Manual E2E: nylas provider setup google --help shows flags
• Manual E2E: nylas provider status google --project-id <id> shows status table
• Manual E2E: Full wizard flow with real GCP project

[qasim-nylas]

Implemented all requested review fixes in commit 376f102.

✅ Fixed finding 1: project ID validation

• Updated generateProjectID to always produce IDs that start with a letter.
• Added fallback for empty normalized names (project) before suffixing.
• Added test coverage for numeric-leading names and updated empty-name expectations.
• Files:
  • internal/cli/provider/google_helpers.go
  • internal/cli/provider/google_helpers_test.go

✅ Fixed finding 2: connector verification by wrong key

• Replaced GetConnector(ctx, "google") status check with ListConnectors + provider match (google).
• Added helper hasProviderConnector with case-insensitive provider matching.
• Added tests for positive/negative/case-insensitive behavior.
• Files:
  • internal/cli/provider/status.go
  • internal/cli/provider/status_test.go

✅ Fixed finding 3: resume flow can skip credentials incorrectly

• In Phase 2, credential prompt now runs when credentials are missing in memory, even if StepCredentials is marked completed in saved state.
• Prevents resume runs from reaching connector creation with empty ClientID/ClientSecret.
• Added regression test for resumed-state + missing credentials.
• Files:
  • internal/cli/provider/google_setup.go
  • internal/cli/provider/google_setup_test.go

Additional hardening

• Connector post-create validation now uses the created connector ID instead of a provider slug.
• Updated related tests accordingly.
• Files:
  • internal/cli/provider/google_setup.go
  • internal/cli/provider/google_steps.go
  • internal/cli/provider/google_setup_test.go
  • internal/cli/provider/google_remaining_test.go

Verification

• Ran: go test ./internal/cli/provider/... ./internal/adapters/gcp/... ./internal/ports/...
• Result: all passing.