fix(auth): stop TUI from force-injecting cloud-platform scope

The interactive scope picker unconditionally appended cloud-platform
after every selection, contradicting DEFAULT_SCOPES which explicitly
excludes it.  This broke org-restricted accounts with admin_policy_enforced.

Closes #562

Author: anshul-garg27

.changeset/fix-tui-cloud-platform-scope.md

@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Stop TUI scope picker from unconditionally injecting cloud-platform scope

crates/google-workspace-cli/src/auth_commands.rs

@@ -930,7 +930,7 @@ fn run_discovery_scope_picker(
     relevant_scopes: &[crate::setup::DiscoveredScope],
     services_filter: Option<&HashSet<String>>,
 ) -> Option<Vec<String>> {
-    use crate::setup::{ScopeClassification, PLATFORM_SCOPE};
+    use crate::setup::ScopeClassification;
     use crate::setup_tui::{PickerResult, SelectItem};
 
     let mut recommended_scopes = vec![];
@@ -1102,11 +1102,6 @@ fn run_discovery_scope_picker(
                 }
             }
 
-            // Always include cloud-platform scope
-            if !selected.contains(&PLATFORM_SCOPE.to_string()) {
-                selected.push(PLATFORM_SCOPE.to_string());
-            }
-
             // Hierarchical dedup: if we have both a broad scope (e.g. `.../auth/drive`)
             // and a narrower scope (e.g. `.../auth/drive.metadata`, `.../auth/drive.readonly`),
             // drop the narrower one since the broad scope subsumes it.

crates/google-workspace-cli/src/setup.rs

@@ -235,8 +235,6 @@ pub enum ScopeClassification {
     Restricted,
 }
 
-pub const PLATFORM_SCOPE: &str = "https://www.googleapis.com/auth/cloud-platform";
-
 /// A scope discovered from a Discovery Document.
 #[derive(Clone)]
 pub struct DiscoveredScope {