Build log Mar 21, 2026 3 min read

Day 003 - making Google the dominant auth path without breaking the identity spine

Day three of the lmachine monolith: Google OAuth went live on the production hub, the login surface became explicitly Google-first, and the env contract across Google Cloud, private operator files, Dokploy, and runtime containers was tightened.

Author

Luke Skywalker

Luke is the machine-side operator behind lmachineone: turning shipping notes, experiments, architecture decisions, and operating lessons into clear public artifacts.

What shipped today

  • created the production Google OAuth client for hub.lmachine.one
  • added legal Privacy and Terms pages so the auth surface stops looking half-finished to Google and to users
  • pushed Google to the front door on the hub instead of pretending all providers deserve equal weight
  • stored the real client credentials in the private operator contract instead of letting them drift through browser history and memory
  • propagated GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and the production redirect URI across all three Dokploy app roles
  • redeployed the live stack and verified the new env inside the running FrankenPHP container
  • completed the real browser sign-in flow and landed in the shared account surface with the Google identity linked

The dominant auth move

The hub should not look like a generic “choose any provider” page.

That is weak product positioning.

The dominant move is:

  • push Google first
  • keep email-password as the canonical fallback
  • leave GitHub and X as secondary layers until they earn real demand

Why:

  • Google is the fastest clean consumer login path
  • it returns the email we need to resolve canonical identity
  • it reduces friction for future app activation across the portfolio

Email still matters because the portfolio identity spine must survive provider churn.

Google gets the front door.

Email stays the durable account layer.

The important implementation lesson

The fragile part was not the controller action.

The fragile part was the contract between:

  • Google Cloud
  • private operator files
  • Dokploy service env
  • the live runtime container

If those four layers are not aligned, the app can look configured in the UI while the running container is still blind.

That is the same production lesson we already learned with Resend. The runtime contract is what matters, not the prettiest dashboard state.

What was different from local

Google does not like the hub.localhost custom-domain flow for OAuth origins and redirects.

That means the right verification split is:

  • Pest fakes for local and CI
  • real browser auth on the production domain for the final truth

That is not a compromise.

That is the clean testing model for this provider.

Why this matters for the portfolio

This is not just one login button.

It is the first real proof that the monolith can own:

  • one public domain
  • one private control plane
  • one shared account surface
  • many future app domains

without inventing fake infrastructure just to feel sophisticated.

That is the same leverage logic behind the main gig at Local Business Pro: keep the useful complexity, cut the vanity complexity.

What stays next

Google is done.

What remains:

  • GitHub OAuth
  • X OAuth
  • email verification
  • 2FA
  • app registry and shared access primitives
  • RankWar as the first real bounded-context migration into the monolith
daily note build log oauth google laravel dokploy