
The Google OAuth routes tell you to delete them after you use them

software

The Google Calendar integration needs a refresh token. Getting one from Google requires a one-time OAuth consent flow, so the site has two API routes dedicated to it: /api/auth/google and /api/auth/google/callback.

The first route creates an OAuth2 client with the Google client ID and secret, generates an authorization URL with offline access and the consent prompt forced, and redirects the browser to Google. The scope is calendar only. After the user consents, Google redirects to the callback route with an authorization code in the query string.

The callback route exchanges the code for tokens using the same OAuth2 client. Then it renders a full HTML page — not a JSON response, not a redirect, a styled HTML page with a monospace font on a dark background that looks like the rest of the site. The page shows the refresh token in a pre block with user-select: all so you can click and copy. Below the token it tells you exactly what to do: add GOOGLE_REFRESH_TOKEN to your env file, restart the dev server, then delete the entire src/app/api/auth/google directory.

The routes are designed to be used once and thrown away. They exist in the codebase as a setup tool, not as a production feature. The comment at the top of each file says the same thing: delete these routes after you have your refresh token. The callback page says it again in the rendered HTML. Three reminders across two files.

Once the refresh token is in the environment, the Google Calendar client in google-calendar.ts uses it to generate access tokens on every request. The OAuth routes never run again. They are scaffolding that documents its own removal.
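The two routes above, sketched as an added example that is not the site's own code: dependency-free TypeScript using the Web-standard types that Next.js App Router handlers accept, standing in for the Google OAuth2 client library the site uses. The `state` parameter, the injectable `TokenFetcher`, and the HTML escaping are assumptions added here, not things the post describes.

```typescript
// Added example (not the site's code): the two one-shot routes written without
// the googleapis library, so the pieces can be exercised offline.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";
const SCOPE = "https://www.googleapis.com/auth/calendar"; // calendar only

export interface OAuthConfig { clientId: string; clientSecret: string; redirectUri: string }

// A fetch-like signature so the token exchange can be tested without network.
export type TokenFetcher = (url: string, init: { method: string; headers: Record<string, string>; body: string }) =>
  Promise<{ ok: boolean; status: number; json(): Promise<any> }>;

// /api/auth/google: build the consent URL. access_type=offline together with
// prompt=consent is what makes Google issue a refresh token.
// `state` is an assumption beyond the post: a random value the callback compares.
export function buildAuthUrl(cfg: OAuthConfig, state: string): string {
  const u = new URL(AUTH_ENDPOINT);
  u.searchParams.set("client_id", cfg.clientId);
  u.searchParams.set("redirect_uri", cfg.redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("scope", SCOPE);
  u.searchParams.set("access_type", "offline");
  u.searchParams.set("prompt", "consent");
  u.searchParams.set("state", state);
  return u.toString();
}

// /api/auth/google/callback: swap the one-time authorization code for tokens.
export async function exchangeCode(cfg: OAuthConfig, code: string,
    fetchImpl: TokenFetcher = (globalThis as any).fetch): Promise<{ refresh_token?: string }> {
  const body = new URLSearchParams({ code, client_id: cfg.clientId, client_secret: cfg.clientSecret,
    redirect_uri: cfg.redirectUri, grant_type: "authorization_code" }).toString();
  const res = await fetchImpl(TOKEN_ENDPOINT,
    { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded" }, body });
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
  return res.json();
}

// The rendered page: token in a click-to-select <pre>, then the three steps.
// The token is HTML-escaped so an unexpected character cannot break the markup.
export function renderTokenPage(refreshToken: string): string {
  const esc = (s: string) => s.replace(/[&<>"']/g,
    (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" } as Record<string, string>)[c]);
  return `<!doctype html><body style="background:#111;color:#eee;font-family:monospace">` +
    `<pre style="user-select:all">${esc(refreshToken)}</pre>` +
    `<ol><li>Add GOOGLE_REFRESH_TOKEN to your env file</li><li>Restart the dev server</li>` +
    `<li>Delete src/app/api/auth/google</li></ol></body>`;
}
```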
