b635d8f574
- oauth_google.py (stdlib): PKCE, auth URL, code exchange, ID-token claim validation (iss/aud/exp/email_verified — token comes straight from Google's token endpoint over TLS, so no signature re-verify / JWKS needed). - API: GET /api/auth/google/start (302 to Google, PKCE + signed state cookie binding the flow to the browser) and /callback (CSRF-checked state, exchange, find-or-create by verified email → links to an existing magic-link account, session cookie, redirect home). Errors land on /auth/verify?error=google. - SignIn modal: "Continue with Google" + an "or email link" divider. - 112 tests pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>