gws auth login fails for personal Gmail accounts: -s flag does not limit OAuth scopes #138

@logicrw

Description

gws auth login -s drive,gmail,calendar,docs,sheets still requests all 70+ OAuth scopes from all 22 cached APIs, including enterprise-only scopes like cloud-identity.devices and apps.alerts that are not available to personal Gmail accounts. This causes a 400: invalid_scope error and makes it impossible to authenticate with a personal Google account.

Steps to Reproduce

  1. Create a GCP project with a Desktop OAuth client
  2. Run gws auth login -s drive,gmail,calendar,docs,sheets
  3. Browser opens with OAuth consent screen

Expected Behavior

Only scopes for the specified services (drive, gmail, calendar, docs, sheets) should be requested.

Actual Behavior

All scopes from all 22 cached API discovery files are requested, including:

  • https://www.googleapis.com/auth/cloud-identity.devices
  • https://www.googleapis.com/auth/apps.alerts
  • https://www.googleapis.com/auth/cloud-identity.inboundsso
  • Many other enterprise/Workspace-only scopes

Google rejects the request with Error 400: invalid_scope.

Additional Context

  • Deleting enterprise API cache files from ~/Library/Application Support/gws/cache/ does not help — they are regenerated.
  • The -s flag appears to have no effect on which scopes are included in the OAuth request.
  • Version: gws 0.3.4
  • OS: macOS (Darwin 25.2.0)
  • Account type: Personal Gmail (not Google Workspace)

Workaround

None found. Personal Gmail users currently cannot authenticate.
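
An added example, not part of the original issue or of the gws code base: one way to audit the `scope` parameter of the consent URL the browser opens against the services passed to -s. The service-to-scope prefix table, the function names and the sample URL are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs, quote

SCOPE_BASE = "https://www.googleapis.com/auth/"

# Assumption: -s service name -> scope-name prefix (not gws's own table).
SERVICE_PREFIXES = {
    "drive": "drive", "gmail": "gmail", "calendar": "calendar",
    "docs": "documents", "sheets": "spreadsheets",
}


def requested_scopes(auth_url):
    """Return the scopes listed in the `scope` query parameter of a consent URL."""
    query = parse_qs(urlparse(auth_url).query)
    scopes = []
    for value in query.get("scope", []):
        scopes.extend(value.split())  # scopes are space-delimited (RFC 6749, 3.3)
    return scopes


def unexpected_scopes(auth_url, services):
    """Return requested scopes that belong to none of the selected services."""
    prefixes = [SERVICE_PREFIXES[s] for s in services]
    extra = []
    for scope in requested_scopes(auth_url):
        name = scope[len(SCOPE_BASE):] if scope.startswith(SCOPE_BASE) else None
        # Match "drive" and "drive.file", but not "driveactivity".
        if name is None or not any(
            name == p or name.startswith(p + ".") for p in prefixes
        ):
            extra.append(scope)
    return extra


# Constructed sample consent URL (client_id is a placeholder).
SAMPLE_SCOPES = [
    SCOPE_BASE + "drive",
    SCOPE_BASE + "gmail.modify",
    SCOPE_BASE + "cloud-identity.devices",
    SCOPE_BASE + "apps.alerts",
]
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID&response_type=code&scope="
    + quote(" ".join(SAMPLE_SCOPES), safe="")
)

if __name__ == "__main__":
    selected = ["drive", "gmail", "calendar", "docs", "sheets"]
    for s in unexpected_scopes(SAMPLE_URL, selected):
        print("unexpected scope:", s)
```

Scopes outside the `https://www.googleapis.com/auth/` namespace (for example `openid`) are reported as unexpected by this check.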
