fix(auth): validate --services names and remove automatic cloud-platform injection

[hoyt-harness]

Summary

Fixes two related bugs in gws auth login -s / --services reported in #741:

• Unknown service names were silently dropped. parse_login_args() now validates every token in the -s list against the built-in service registry (crate::services::SERVICES) before opening the browser. If any token is unrecognised, the command exits non-zero with a clear error that names the bad token(s) and lists all valid service names. Tokens are lowercased before checking, so -s Drive and -s drive both work.

• cloud-platform was unconditionally injected when a services filter was active. scope_matches_service() previously returned true for cloud-platform regardless of what services the user asked for, so -s drive silently included cloud-platform in the resulting token. The unconditional pass-through is removed; cloud-platform is now filtered the same way as any other scope. run_discovery_scope_picker() retains the auto-add behaviour when no services filter is active (the existing unfiltered-interactive flow is unchanged).

Behaviour change note: Users who relied on -s <anything> always producing a token that includes cloud-platform will need to add cloud-platform explicitly via --scopes or omit the -s filter. This is an intentional correction: the previous injection violated the principle of least privilege and contradicted explicitly declined scopes.

Also fixes a pre-existing clippy::collapsible_match in helpers/script.rs (same lint fixed in #744, which targets the same upstream/main base).

Test plan

• parse_login_args_rejects_unknown_service — error returned for typo token, message names the bad token and lists valid services
• parse_login_args_accepts_known_services — Drive,Gmail accepted and lowercased correctly
• scope_matches_service_cloud_platform_does_not_match_unrelated_service — cloud-platform no longer auto-passes the drive filter
• resolve_scopes_with_services_filter — filtered result contains only drive/gmail scopes, no cloud-platform
• resolve_scopes_services_takes_priority_with_readonly — readonly + drive filter: only drive scopes
• resolve_scopes_services_takes_priority_with_full — full + gmail filter: only gmail scopes
• Full test suite: cargo test -p google-workspace-cli — 701 passed, 2 pre-existing failures (unrelated to this change), 0 new failures
• cargo clippy -- -D warnings — clean

🤖 Generated with Claude Code

[changeset-bot]

🦋 Changeset detected

Latest commit: c6dd35b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the reliability and security of the authentication login flow by enforcing stricter input validation for service names and correcting the scope filtering logic. By removing the automatic injection of the cloud-platform scope when specific services are requested, the tool now provides more predictable and secure behavior, while also ensuring users are immediately notified of typos in their service filter arguments.

Highlights

• Service Name Validation: Added strict validation for the --services argument, ensuring only recognized service names are accepted and providing a helpful error message with valid options if an unknown name is provided.
• Cloud Platform Scope Injection: Removed the unconditional injection of the cloud-platform scope when a services filter is active, adhering to the principle of least privilege.
• Code Cleanup: Refactored a match statement in helpers/script.rs to resolve a clippy::collapsible_match lint.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces validation for the --services flag in the auth login command, ensuring that unknown service names are rejected with a descriptive error message. It also modifies the handling of the cloud-platform scope, which is no longer automatically included when a service filter is applied. Review feedback indicates that the current validation is overly restrictive as it excludes valid scopes like cloud-platform and pubsub. Additionally, it is recommended to sanitize user-provided input in error messages using .escape_debug() to prevent potential escape sequence injection vulnerabilities.

[googleworkspace-bot]

/gemini review

[hoyt-harness]

Thanks for the review feedback. Both issues addressed in the latest commit:

1. Platform scope allowlist — Added PLATFORM_SCOPES = ["cloud-platform", "pubsub"] to the validation predicate and the valid-names list in the error message. These scopes exist in SCOPE_ENTRIES/FULL_SCOPES but have no entry in the Workspace service registry (SERVICES), so the original check incorrectly rejected them. Since this PR also removes the automatic cloud-platform injection, without this fix users would have had no way to request that scope when using -s.

2. Escape sequence injection — Applied .escape_debug() on unknown tokens before including them in the error string.

New test: parse_login_args_accepts_platform_scopes covers the accept path for both tokens.

[gemini-code-assist]

Code Review

This pull request introduces validation for service names provided via the auth login --services flag, ensuring that unknown tokens result in a clear error message rather than being silently ignored. It also modifies the handling of the cloud-platform scope so that it is no longer automatically included when a specific services filter is applied. Furthermore, the file processing logic in the script helper was refactored for better readability using match guards. I have no feedback to provide.