feat(auth): add --extra-scopes flag for fine-grained custom OAuth scope selection #421

Closed
peteradams2026 wants to merge 1 commit into openclaw:main from peteradams2026:feat/extra-scopes

@peteradams2026

Summary

Adds a new --extra-scopes flag to gog auth add that lets users specify additional raw Google API OAuth scope URIs, appended to (and deduplicated against) the scopes already requested by --services, --readonly, --drive-scope, and --gmail-scope.

Closes #420

Problem

The existing predefined scope bundles don't support mixed permission sets. A concrete example: an AI assistant that needs to read Gmail (gmail.readonly) and manage labels (gmail.labels) — but absolutely must not be able to send or delete. Currently, gmail.labels requires granting gmail.modify (full read/write), which is a larger surface than necessary.

Changes

  • internal/googleauth/service.go — Added ExtraScopes []string to ScopeOptions; ScopesForManageWithOptions merges and deduplicates them after building service scopes
  • internal/cmd/auth.go — Added --extra-scopes kong flag to AuthAddCmd; parses comma-separated URIs, trims whitespace, filters empties, passes to ScopeOptions; included in dry-run JSON output as extra_scopes
  • internal/cmd/auth_add_test.go — TestAuthAddCmd_ExtraScopes: verifies extra scopes are included, work alongside --gmail-scope=readonly, and duplicates are deduplicated
  • internal/googleauth/service_test.go — TestScopesForManageWithOptions_ExtraScopes: unit test for core scope-merging logic
  • CHANGELOG.md — entry under Unreleased

Usage

# Gmail read-only + label management only (no send, no delete)
gog auth add user@example.com \
  --services gmail \
  --gmail-scope=readonly \
  --extra-scopes="https://www.googleapis.com/auth/gmail.labels"

# Calendar read-only + manage calendar subscriptions
gog auth add user@example.com \
  --services calendar \
  --readonly \
  --extra-scopes="https://www.googleapis.com/auth/calendar.calendarlist"

# Multiple extra scopes
gog auth add user@example.com \
  --services gmail,drive \
  --gmail-scope=readonly \
  --drive-scope=readonly \
  --extra-scopes="https://www.googleapis.com/auth/gmail.labels,https://www.googleapis.com/auth/drive.metadata"

Testing

make ci           # all lint + tests pass
# Smoke test:
./bin/gog auth add --extra-scopes=https://www.googleapis.com/auth/gmail.labels --dry-run test@example.com
# → scopes list includes gmail.labels; extra_scopes field appears in JSON

…pe selection

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
peteradams2026 pushed a commit to peteradams2026/gogcli that referenced this pull request Mar 5, 2026
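
The parse-and-merge behaviour described in the PR summary, with a check that the final scope set stays within the read-plus-labels goal, as an added example (not the PR's or the project's code). The function names, the base scope assumed for --gmail-scope=readonly, and the deny list are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

const prefix = "https://www.googleapis.com/auth/"

// parseExtraScopes (hypothetical helper) splits a comma-separated
// --extra-scopes value, trims whitespace and drops empty entries.
func parseExtraScopes(raw string) []string {
	var out []string
	for _, s := range strings.Split(raw, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// mergeScopes appends extra to base, keeping first-seen order and
// dropping duplicates.
func mergeScopes(base, extra []string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, s := range append(append([]string{}, base...), extra...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// overBroad is an assumed deny list: Gmail scopes that allow sending
// mail or write access beyond label management.
var overBroad = map[string]bool{
	"https://mail.google.com/": true,
	prefix + "gmail.modify":    true,
	prefix + "gmail.compose":   true,
	prefix + "gmail.send":      true,
}

// auditScopes returns the scopes in the final set that break the
// "read and label only" policy; an empty result means the grant is OK.
func auditScopes(scopes []string) []string {
	var bad []string
	for _, s := range scopes {
		if overBroad[s] {
			bad = append(bad, s)
		}
	}
	return bad
}

func main() {
	base := []string{prefix + "gmail.readonly"} // constructed base set
	final := mergeScopes(base, parseExtraScopes(" "+prefix+"gmail.labels, ,"+prefix+"gmail.readonly"))
	fmt.Println(final, auditScopes(final))
}
```

Running the audit on the merged list, rather than on the flag value alone, catches a broad scope whichever flag introduced it.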
@steipete
Collaborator

steipete commented Mar 8, 2026

Landed directly on main from the rebased PR branch because GitHub kept reporting a stale conflict state for the PR UI even after the branch was rebased cleanly.

  • Gate: go test ./internal/cmd ./internal/googleauth -run 'TestAuthAddCmd_|TestScopesForManageWithOptions_ExtraScopes' && make fmt && make lint && make test && make worker-ci && make ci
  • Land commit: 2bd8c34
  • Main commit: 2bd8c34

Fixups included: replay --extra-scopes in remote step-2 guidance, auth docs/spec updates, and regression coverage for the replay path.

Thanks @peteradams2026!

@steipete steipete closed this Mar 8, 2026
@xinbenlv

xinbenlv commented Mar 8, 2026

Thank you. Do you prefer that I restart a new PR based on the main branch's current head, or would you prefer that I don't submit this PR and instead withdraw the proposed issue? @steipete

(OP @peteradams2026 is my openclaw)
