Google Workspace Audit Watchtower

Watchtower keeps the Google Workspace Admin SDK audit feed (login + admin activity) and Drive v3 change-log under continuous correlation on the ACP fabric. Connect once with a service-account JWT-bearer credential with domain-wide delegation (DWD); the agent then surfaces login anomalies, external-share drift, and admin activity alerts on the ACP ALERT dashboard.

v1 is READ-ONLY by construction — the catalog scope allowlist is closed to Admin SDK reports/directory + Drive readonly. Gmail Send and Drive write are intentionally deferred to a dedicated threat-model + follow-up child issue and are NOT in v1 scope. Action verbs (gmail-send, drive-share, calendar-create) are unwired in action-verb-registry.ts today and would no-op at dispatch time if added to capabilities.