docs(deploy): 说明 AI Studio OAuth Client 需发布为正式版本

README.md:
- 添加第 7 步：发布 OAuth 应用到正式版本
- 说明 Testing 模式限制（100 用户、7 天 token 过期）
- 说明 sensitive scope 可能需要 Google 审核

.env.example:
- 添加 OAuth Client 需发布为正式版本的说明

deploy/.env.example

@@ -67,14 +67,18 @@ JWT_EXPIRE_HOUR=24
 #
 # 2. AI Studio OAuth (不需要 project_id)
 #    - Uses: generativelanguage.googleapis.com (AI Studio API)
-#    - Default scopes: cloud-platform (+ userinfo.*)
-#    - OAuth Client: Leave empty to use built-in Gemini CLI client; or provide your own.
-#    - Requires: Create OAuth 2.0 Client in GCP Console
+#    - Default scopes: generative-language
+#    - OAuth Client: Requires your own OAuth 2.0 Client (内置 Gemini CLI client 不能申请 generative-language scope)
+#    - Requires: Create OAuth 2.0 Client in GCP Console + OAuth consent screen
 #    - Setup Guide: https://ai.google.dev/gemini-api/docs/oauth
+#    - ⚠️ IMPORTANT: OAuth Client 必须发布为正式版本 (Production)
+#      Testing 模式限制: 只能添加 100 个测试用户, refresh token 7 天后过期
+#      发布步骤: GCP Console → OAuth consent screen → PUBLISH APP
 #
 # Configuration:
-# Use Gemini CLI's public OAuth credentials (same as official Google Gemini CLI tool):
-GEMINI_OAUTH_CLIENT_ID=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com
-GEMINI_OAUTH_CLIENT_SECRET=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
+# Leave empty to use the built-in Gemini CLI OAuth client (Code Assist OAuth only).
+# To enable AI Studio OAuth, set your own OAuth client ID/secret here.
+GEMINI_OAUTH_CLIENT_ID=
+GEMINI_OAUTH_CLIENT_SECRET=
 # Optional; leave empty to auto-select scopes based on oauth_type
 GEMINI_OAUTH_SCOPES=

deploy/README.md

@@ -110,12 +110,15 @@ Sub2API supports three methods to connect to Gemini:
 
 ### Method 1: Code Assist OAuth (Recommended for GCP Users)
 
-**No configuration needed** - uses built-in Gemini CLI OAuth client.
+**No configuration needed** - always uses the built-in Gemini CLI OAuth client (public).
 
 1. Leave `GEMINI_OAUTH_CLIENT_ID` and `GEMINI_OAUTH_CLIENT_SECRET` empty
 2. In the Admin UI, create a Gemini OAuth account and select **"Code Assist"** type
 3. Complete the OAuth flow in your browser
 
+> Note: Even if you configure `GEMINI_OAUTH_CLIENT_ID` / `GEMINI_OAUTH_CLIENT_SECRET` for AI Studio OAuth,
+> Code Assist OAuth will still use the built-in Gemini CLI client.
+
 **Requirements:**
 - Google account with access to Google Cloud Platform
 - A GCP project (auto-detected or manually specified)
@@ -142,15 +145,24 @@ Requires your own OAuth client credentials.
    - Go to "APIs & Services" → "OAuth consent screen"
    - Choose "External" user type
    - Fill in app name, user support email, developer contact
-   - Add scopes: `https://www.googleapis.com/auth/generative-language`
+   - Add scopes: `https://www.googleapis.com/auth/generative-language.retriever` (and optionally `https://www.googleapis.com/auth/cloud-platform`)
    - Add test users (your Google account email)
 5. **Create OAuth 2.0 credentials:**
    - Go to "APIs & Services" → "Credentials"
    - Click "Create Credentials" → "OAuth client ID"
-   - Application type: **Web application**
+   - Application type: **Web application** (or **Desktop app**)
    - Name: e.g., "Sub2API Gemini"
-   - Authorized redirect URIs: Add `https://your-domain.com/admin/accounts` (your frontend URL)
+   - Authorized redirect URIs: Add `http://localhost:1455/auth/callback`
 6. Copy the **Client ID** and **Client Secret**
+7. **⚠️ Publish to Production (IMPORTANT):**
+   - Go to "APIs & Services" → "OAuth consent screen"
+   - Click "PUBLISH APP" to move from Testing to Production
+   - **Testing mode limitations:**
+     - Only manually added test users can authenticate (max 100 users)
+     - Refresh tokens expire after 7 days
+     - Users must be re-added periodically
+   - **Production mode:** Any Google user can authenticate, tokens don't expire
+   - Note: For sensitive scopes, Google may require verification (demo video, privacy policy)
 
 **Step 2: Configure Environment Variables**
 
@@ -163,6 +175,8 @@ GEMINI_OAUTH_CLIENT_SECRET=GOCSPX-your-client-secret
 
 1. Create a Gemini OAuth account and select **"AI Studio"** type
 2. Complete the OAuth flow
+   - After consent, your browser will be redirected to `http://localhost:1455/auth/callback?code=...&state=...`
+   - Copy the full callback URL (recommended) or just the `code` and paste it back into the Admin UI
 
 ### Method 3: API Key (Simplest)