# GCP Operator Reauthentication From the `teleo-infrastructure` repository root, inspect the current local operator state without opening a dialog: ```bash scripts/gcp-operator-reauth.sh --status ``` Store or update the current Google password through a native secure prompt: ```bash scripts/gcp-operator-reauth.sh --store-password ``` With no option, the script asks before opening that prompt. It uses `pinentry-mac` when installed. Otherwise it compiles a temporary AppKit helper that uses `NSAlert` and `NSSecureTextField`. The helper stores the value as a non-synchronizing generic password in this Mac's encrypted Keychain. The password is never printed, copied to the clipboard, submitted to Google, or placed in a process argument or plaintext file. The stored password is only an emergency operator convenience. A Google password cannot refresh or satisfy gcloud OAuth by itself, and this script does not attempt to automate Google login. When OAuth is stale, follow the one `clear_CTA` printed by the script and rerun `--status`. `--status` verifies the selected account and project, checks token refresh without printing the token, reads the expected VM identity, and asks gcloud to construct the IAP SSH command with `--dry-run`. It does not create a tunnel or start SSH. `iap_ssh_preflight=ready_dry_run_only` must not be reported as a live IAP connection. The durable unattended operator is `.github/workflows/gcp-iap-operator.yml`. It uses GitHub OIDC, Workload Identity Federation, fixed reviewed operations, and IAP after the one-time authenticated bootstrap. No stored Google password is an alternative to that route.