feat: add Application Default Credentials (ADC) support

[zerone0x]

Description

Closes #103

Adds Application Default Credentials (ADC) as a 4th credential source in get_token().

New credential lookup order

Priority	Source
0	GOOGLE_WORKSPACE_CLI_TOKEN env var (raw token)
1	GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE env var
2	Encrypted credentials (~/.config/gws/credentials.enc)
3	Plaintext credentials (~/.config/gws/credentials.json)
4	ADC — GOOGLE_APPLICATION_CREDENTIALS env var, then ~/.config/gcloud/application_default_credentials.json

Supported ADC flows

This unlocks two common setups:

1. User OAuth via gcloud ADC (recommended for personal accounts):

   gcloud auth application-default login --client-id-file=client_secret.json
   # No need to run `gws auth login` separately

2. Service account via GOOGLE_APPLICATION_CREDENTIALS:

   export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
   gws drive files list

Both authorized_user and service_account ADC formats are detected automatically via the type field.

As noted in the issue, most Workspace APIs require scopes granted to a specific user OAuth client, so service account ADC coverage is limited to APIs that support domain-wide delegation. User OAuth ADC with a custom client (via --client-id-file) works for all standard Workspace APIs.

Dry Run Output:

// Not applicable — credential loading logic change, no HTTP request generated

Checklist:

• My code follows the AGENTS.md guidelines (no generated google-* crates).
• I have run cargo fmt --all to format the code perfectly. (no Rust toolchain on build host — CI will verify)
• I have run cargo clippy -- -D warnings and resolved all warnings. (CI will verify)
• I have added tests that prove my fix is effective or that my feature works. (test_load_credentials_adc_env_var_authorized_user, test_load_credentials_adc_env_var_missing_file)
• I have provided a Changeset file to document my changes.

---

🤖 Generated with Claude Code

[changeset-bot]

🦋 Changeset detected

Latest commit: 0739dd5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[jpoehnelt]

/gemini review

[codecov]

Codecov Report

❌ Patch coverage is 95.68966% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.46%. Comparing base (7fa8bda) to head (0739dd5).
⚠️ Report is 17 commits behind head on main.

Files with missing lines	Patch %	Lines
src/auth.rs	95.68%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #125      +/-   ##
==========================================
+ Coverage   54.88%   55.46%   +0.57%     
==========================================
  Files          38       38              
  Lines       13085    13254     +169     
==========================================
+ Hits         7182     7351     +169     
  Misses       5903     5903              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jpoehnelt]

duplicated credential-parsing logic that should be extracted, missing service_account ADC test, incorrect well-known path on macOS (dirs::config_dir vs ~/.config/gcloud), silent fallthrough when GOOGLE_APPLICATION_CREDENTIALS points to missing file, incomplete changeset priority list, and a note on unsafe env var usage in tests.

[gemini-code-assist]

Code Review

This pull request introduces support for Application Default Credentials (ADC). While the implementation is generally robust, a significant logic flaw was identified: the application may silently fall back to ADC even when a specific account is requested via the --account flag. This can lead to actions being performed by the wrong identity and incorrect token caching. Additionally, consider improvements for documentation consistency in the changeset file, a minor performance optimization in JSON parsing, and the removal of unnecessary unsafe blocks in tests.

[zerone0x]

good catches, updated:

• extracted the JSON parsing into a helper (parse_credential_file) so the env file and ADC paths share the same logic, also switched to from_value to skip the second string parse
• fixed the macOS path — dirs::config_dir() gives ~/Library/Application Support on mac which is wrong, now using home_dir().join(".config/gcloud/...")
• GOOGLE_APPLICATION_CREDENTIALS pointing to a missing file now hard-errors instead of silently falling through
• added the missing service_account test for ADC
• removed the unsafe blocks, they were misleading
• updated the changeset to include GOOGLE_WORKSPACE_CLI_TOKEN at the top

[jpoehnelt]

Re: the Gemini review concern about --account silently falling through to ADC — after tracing the code, this is a false positive. resolve_account() already hard-errors when an explicit --account is passed and the account isn't in the registry (both the (Some, Some) and (Some, None) arms bail). ADC is only reachable via the (None, None) path — no --account flag, no registry, no legacy creds — which is exactly the "fresh install with only gcloud configured" scenario where ADC should kick in.

[jpoehnelt]

Re: the Gemini review concern about --account silently falling through to ADC — this is a false positive. resolve_account() already hard-errors when an explicit --account is passed and the account isn't in the registry (both the (Some, Some) and (Some, None) arms bail). ADC is only reachable via the (None, None) path — no --account flag, no registry, no legacy creds — which is the fresh-install-with-gcloud scenario where ADC should kick in.

[jpoehnelt]

Re: the Gemini review concern about --account silently falling through to ADC — this is a false positive. resolve_account() already hard-errors when an explicit --account is passed and the account isn't in the registry (both the (Some, Some) and (Some, None) arms bail). ADC is only reachable via the (None, None) path — no --account flag, no registry, no legacy creds — which is the fresh-install-with-gcloud scenario where ADC should kick in.