From 98b786f1ba78c60ca561f225e06f68a6bd3bb0ed Mon Sep 17 00:00:00 2001
From: Anshul Garg
Date: Wed, 1 Apr 2026 20:24:16 +0530
Subject: [PATCH] fix(auth): stop TUI from force-injecting cloud-platform scope

The interactive scope picker unconditionally appended cloud-platform after every selection, contradicting DEFAULT_SCOPES which explicitly excludes it. This broke org-restricted accounts with admin_policy_enforced.

Closes #562
---
 .changeset/fix-tui-cloud-platform-scope.md | 5 +++++
 crates/google-workspace-cli/src/auth_commands.rs | 7 +------
 crates/google-workspace-cli/src/setup.rs | 2 --
 3 files changed, 6 insertions(+), 8 deletions(-)
 create mode 100644 .changeset/fix-tui-cloud-platform-scope.md

diff --git a/.changeset/fix-tui-cloud-platform-scope.md b/.changeset/fix-tui-cloud-platform-scope.md
new file mode 100644
index 00000000..89d843c2
--- /dev/null
+++ b/.changeset/fix-tui-cloud-platform-scope.md
@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Stop TUI scope picker from unconditionally injecting cloud-platform scope
diff --git a/crates/google-workspace-cli/src/auth_commands.rs b/crates/google-workspace-cli/src/auth_commands.rs
index d7571e74..85cd3962 100644
--- a/crates/google-workspace-cli/src/auth_commands.rs
+++ b/crates/google-workspace-cli/src/auth_commands.rs
@@ -930,7 +930,7 @@ fn run_discovery_scope_picker(
 relevant_scopes: &[crate::setup::DiscoveredScope],
 services_filter: Option<&HashSet>,
 ) -> Option> {
- use crate::setup::{ScopeClassification, PLATFORM_SCOPE};
+ use crate::setup::ScopeClassification;
 use crate::setup_tui::{PickerResult, SelectItem};

 let mut recommended_scopes = vec![];
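Review bot: Nothing in `run_discovery_scope_picker` now records that cloud-platform is deliberately left out of the returned selection: this hunk drops the `PLATFORM_SCOPE` import and the second hunk removes the `// Always include cloud-platform scope` block without leaving a replacement comment. A line ahead of the hierarchical dedup, such as `// Do not force-add cloud-platform here: DEFAULT_SCOPES excludes it and org-restricted accounts (admin_policy_enforced) fail with it`, would help keep a later change from quietly re-adding the broad scope. The diffstat lists no test file, so a regression test asserting that the picker result contains cloud-platform only when it was selected would be worth adding. The function body starts before and continues past this hunk, so whether another path still appends the scope cannot be confirmed from here.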
@@ -1102,11 +1102,6 @@ fn run_discovery_scope_picker(
 }
 }

- // Always include cloud-platform scope
- if !selected.contains(&PLATFORM_SCOPE.to_string()) {
- selected.push(PLATFORM_SCOPE.to_string());
- }
-
 // Hierarchical dedup: if we have both a broad scope (e.g. `.../auth/drive`)
 // and a narrower scope (e.g. `.../auth/drive.metadata`, `.../auth/drive.readonly`),
 // drop the narrower one since the broad scope subsumes it.
diff --git a/crates/google-workspace-cli/src/setup.rs b/crates/google-workspace-cli/src/setup.rs
index 9ebd19cb..f25f7ae6 100644
--- a/crates/google-workspace-cli/src/setup.rs
+++ b/crates/google-workspace-cli/src/setup.rs
@@ -235,8 +235,6 @@ pub enum ScopeClassification {
 Restricted,
 }

-pub const PLATFORM_SCOPE: &str = "https://www.googleapis.com/auth/cloud-platform";
-
 /// A scope discovered from a Discovery Document.
 #[derive(Clone)]
 pub struct DiscoveredScope {