Support Google service account auth for headless email #12
Description
Problem
mc currently uses Gmail OAuth which requires a browser flow. This means mc only works on machines with a desktop — it cannot send email from headless servers, CI/CD, or VMs.
Proposed Solution
Add a service account authentication path alongside the existing OAuth flow:
- Detect a service account JSON key file (env var or config path)
- Use
google.oauth2.service_account.Credentialswith domain-wide delegation - Fall back to existing OAuth if no service account key found
- No breaking changes to current desktop workflow
Google Workspace service accounts authenticate with a JSON key file — no browser, no token refresh headaches. The Workspace admin grants the service account permission to send as a specific address (e.g., maps@newgraphenvironment.com).
Context
Improves mc as a standalone package regardless of other initiatives. Also supports headless email from the geomapper VM if needed: NewGraphEnvironment/awshak#58
Relates to NewGraphEnvironment/sred-2025-2026#3