feat(googlechat): Google Chat channel integration

[tuntran]

Summary

• Add Google Chat channel with webhook endpoint, OIDC token verification, and emoji reactions
• Store service account JSON content directly in DB instead of requiring file path on disk
• Add google_chat to valid channel types allowlist
• Wire GoogleChat factory into instance loader and config-based channel registration
• UI fields for GoogleChat channel setup with SA JSON textarea

Convention Fixes (vs PR #135)

• Add default GroupPolicy "pairing" for DB instances (security parity with Discord/Feishu/Slack)
• Fix BaseChannel name to use channels.TypeGoogleChat constant ("google_chat")
• Warn at startup when OIDC verification is disabled (no project_number)
• Extract resolveServiceAccountJSON to credentials.go (channel.go under 200 lines)
• Coolify deployment separated out — not included in this PR

Changes

• internal/channels/googlechat/ — full channel implementation (webhook handler, bot API, factory, types, credentials)
• internal/config/config_channels.go — add GoogleChatConfig struct with service_account_json field
• internal/channels/channel.go — add TypeGoogleChat constant
• cmd/gateway.go — register GoogleChat factory in instance loader
• cmd/gateway_channels_setup.go — add GoogleChat to config-based channel registration
• ui/web/src/pages/channels/ — UI fields for GoogleChat channel setup
• internal/config/config_secrets.go — mark SA JSON as sensitive

[viettranx]

Code Review: Google Chat Channel Integration

Risk Level: Medium | Verdict: Request Changes

Overall the implementation follows existing channel patterns well. However, there are 2 critical security issues and several important items to address before merge.

---

Critical (must fix before merge)

C1. UI default policy is "open" instead of "pairing"
ui/web/src/pages/channels/channel-schemas.ts — The GoogleChat schema uses inline policy options with default "open" for both group_policy and dm_policy. All other channels use the shared groupPolicyOptions/dmPolicyOptions with default "pairing". This is a security regression — anyone in the Google Workspace can talk to the bot without approval.

Fix: Use the shared groupPolicyOptions/dmPolicyOptions arrays and set default to "pairing", consistent with all other channels.

C2. Config-based path missing default GroupPolicy "pairing"
cmd/gateway_channels_setup.go — The GoogleChat config registration doesn't set a default GroupPolicy: "pairing". When a user leaves the field empty, bot.go will default to "open".

Fix: Add GroupPolicy: "pairing" default in the config-based registration path, matching what Discord/Feishu/Slack do.

---

Important (should fix)

H1. Dedup goroutine leak potential
channel.go — Each incoming message spawns a new goroutine with go func() { time.Sleep(5*time.Minute); cache.Delete(key) }() for dedup cleanup. Under high traffic this can accumulate thousands of sleeping goroutines.

Fix: Use time.AfterFunc(5*time.Minute, func() { cache.Delete(key) }) instead — it uses the runtime timer heap without blocking a goroutine.

H2. ServiceAccountFile allows arbitrary file reads
credentials.go — os.ReadFile(path) with no path validation. This is a potential path traversal vector. Since ServiceAccountJSON inline already works, consider removing the file-based path entirely, or at minimum validate the path is within an expected directory.

H3. Unsafe type assertion
channel.go — val.(*reactionState) will panic if the sync.Map contains a value of unexpected type. Use the comma-ok pattern:

rs, ok := val.(*reactionState)
if !ok {
    return
}

---

Suggestions

M1. No test coverage — There are zero unit tests for this channel. Other channels like Slack have tests. At minimum, consider tests for extractSenderInfo, isBotMentioned, resolveServiceAccountJSON, and the message chunking logic.

M2. ReactionLevel not validated — Invalid values fall through silently. Consider logging a warning for unrecognized levels.

M3. io.ReadAll error ignored in api.go — The error from reading the response body should be checked.

M4. Trailing blank line at end of channel.go — minor cleanup.

---

Nice work on the overall structure — the modular split (api/bot/channel/handler/factory/types/credentials) is clean and follows the project's file-size guidelines well. Just need to nail the security defaults and the items above before merging. 👍

[tuntran]

All review feedback addressed in c29b075:

Critical

• C1 ✅ UI defaults changed to "pairing", using shared
  dmPolicyOptions/groupPolicyOptions
• C2 ✅ Runtime fallback in bot.go now defaults to "pairing". Note: checked
  Discord/Slack/Feishu — none set GroupPolicy at config registration level in
  gateway_channels_setup.go either; all rely on runtime fallback in bot.go. Kept consistent.

Important

• H1 ✅ Replaced go func() { time.Sleep(); delete } with time.AfterFunc
• H2 ✅ Removed ServiceAccountFile entirely — only inline JSON supported now
• H3 ✅ Comma-ok type assertion in removeReaction

Suggestions

• M1 ✅ Added unit tests: credentials_test.go, handler_test.go, bot_test.go
  (concurrent dedup, cleanup, helpers)
• M2 ✅ slog.Warn on unrecognized reaction_level
• M3 ✅ io.ReadAll error checked in api.go
• M4 ✅ Trailing blank line removed

Ready for re-review.