docs(audit): add report, google auth runbook, and agent repo map

README.md

@@ -51,6 +51,10 @@ make install
 cp config/default.yaml ~/.config/flynn/config.yaml
 # Edit config with your API keys and Telegram bot token
 
+# Optional: regenerate/check derived config profiles
+pnpm config:profiles:generate
+pnpm config:profiles:check
+
 # Run
 flynn start
 
@@ -76,6 +80,10 @@ Flynn provides a full CLI via the `flynn` binary (or `npx tsx src/cli/index.ts`
 | `flynn onboard` | Guided onboarding alias for setup wizard |
 | `flynn gmail-auth` | Authenticate with Gmail via OAuth2 |
 | `flynn gcal-auth` | Authenticate with Google Calendar via OAuth2 |
+| `flynn gdocs-auth` | Authenticate with Google Docs via OAuth2 |
+| `flynn gdrive-auth` | Authenticate with Google Drive via OAuth2 |
+| `flynn gtasks-auth` | Authenticate with Google Tasks via OAuth2 |
+| `flynn google-auth --service <name>` | Unified Google OAuth entrypoint (`gmail`, `gcal`, `gdocs`, `gdrive`, `gtasks`) |
 | `flynn gemini-auth` | Store a Gemini API key in `~/.config/flynn/auth.json` |
 | `flynn skills` | List/install/manage skills |
 | `flynn companion` | Run a minimal companion node client against the gateway |
@@ -1155,6 +1163,7 @@ Supported delivery modes:
 2. Create OAuth2 credentials (Desktop application type) and download the JSON file
 3. Run `flynn gmail-auth` to complete the OAuth2 flow and store the refresh token
    - Requests Gmail scopes for settings + read access (`gmail.settings.basic` + `gmail.readonly`)
+   - Flynn stores service tokens in `~/.config/flynn/auth.json` and keeps per-service token files for compatibility
 
 For Pub/Sub delivery (push/pull), also enable the Pub/Sub API and create:
 - A topic (e.g. `projects/your-project/topics/gmail-push`)
@@ -1241,6 +1250,7 @@ Query Google Calendar events from within conversations. Provides three tools: `c
 1. A Google Cloud project with the **Calendar API** enabled
 2. OAuth2 credentials (Desktop application type) — the same credentials file used for Gmail works
 3. Run `flynn gcal-auth` to complete the OAuth2 flow and store the refresh token
+   - Also persisted in `~/.config/flynn/auth.json` for shared runtime refresh handling
 
 ### Configuration
 
@@ -1262,6 +1272,43 @@ automation:
 | `token_file` | no | Path to stored OAuth2 refresh token (default: `~/.config/flynn/gcal-token.json`) |
 | `calendar_ids` | no | Calendar IDs available for queries (default: `[primary]`) |
 
+For full local operation guidance (token acquisition, storage, migration, refresh/renewal, and service scopes), see [Google OAuth Runbook](docs/operations/GOOGLE_AUTH.md).
+
+## Google Docs, Drive, and Tasks Tools
+
+Flynn also supports Google Docs, Drive, and Tasks tools:
+
+- Docs: `docs.list`, `docs.search`, `docs.read`
+- Drive: `drive.list`, `drive.search`, `drive.read`
+- Tasks: `tasks.lists`, `tasks.list`
+
+Enable in config:
+
+```yaml
+automation:
+  gdocs:
+    enabled: true
+    credentials_file: ~/.config/flynn/gmail-credentials.json
+    token_file: ~/.config/flynn/gdocs-token.json
+  gdrive:
+    enabled: true
+    credentials_file: ~/.config/flynn/gmail-credentials.json
+    token_file: ~/.config/flynn/gdrive-token.json
+  gtasks:
+    enabled: true
+    credentials_file: ~/.config/flynn/gmail-credentials.json
+    token_file: ~/.config/flynn/gtasks-token.json
+```
+
+Authenticate with:
+
+```bash
+flynn gdocs-auth
+flynn gdrive-auth
+flynn gtasks-auth
+# or: flynn google-auth --service gdocs|gdrive|gtasks
+```
+
 ## Vector Memory Search
 
 The memory system supports hybrid search combining keyword matching with semantic vector similarity. When embeddings are enabled, `memory.search` uses both approaches and merges results with configurable weighting.