feat!: remove multi-account, DWD, and impersonation support

.changeset/remove-dwd.md

@@ -2,4 +2,4 @@
 "@googleworkspace/cli": minor
 ---
 
-Remove domain wide delegation support
+Remove multi-account, domain-wide delegation, and impersonation support. Removes `gws auth list`, `gws auth default`, `--account` flag, `GOOGLE_WORKSPACE_CLI_ACCOUNT` and `GOOGLE_WORKSPACE_CLI_IMPERSONATED_USER` env vars.

.env.example

@@ -9,12 +9,6 @@
 # Path to OAuth credentials JSON (user or service account)
 # GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=
 
-# Default account email for multi-account usage (overridden by --account flag)
-# GOOGLE_WORKSPACE_CLI_ACCOUNT=
-
-# Email of user to impersonate via Domain-Wide Delegation (service accounts only)
-# GOOGLE_WORKSPACE_CLI_IMPERSONATED_USER=
-
 # ── OAuth Client ──────────────────────────────────────────────────
 # OAuth client ID and secret (alternative to saving client_secret.json)
 # GOOGLE_WORKSPACE_CLI_CLIENT_ID=

AGENTS.md

@@ -46,13 +46,12 @@ The CLI uses a **two-phase argument parsing** strategy:
 
 | File                      | Purpose                                                                                   |
 | ------------------------- | ----------------------------------------------------------------------------------------- |
-| `src/main.rs`             | Entrypoint, two-phase CLI parsing, `--account` global flag extraction, method resolution  |
+| `src/main.rs`             | Entrypoint, two-phase CLI parsing, method resolution                                      |
 | `src/discovery.rs`        | Serde models for Discovery Document + fetch/cache                                         |
 | `src/services.rs`         | Service alias → Discovery API name/version mapping                                        |
-| `src/auth.rs`             | OAuth2 token acquisition with multi-account support via `accounts.json` registry          |
-| `src/accounts.rs`         | Multi-account registry (`accounts.json`), email normalisation, base64 encoding            |
-| `src/credential_store.rs` | AES-256-GCM encryption/decryption, per-account credential file paths                      |
-| `src/auth_commands.rs`    | `gws auth` subcommands: `login`, `logout`, `list`, `default`, `setup`, `status`, `export` |
+| `src/auth.rs`             | OAuth2 token acquisition via env vars, encrypted credentials, or ADC                      |
+| `src/credential_store.rs` | AES-256-GCM encryption/decryption of credential files                                     |
+| `src/auth_commands.rs`    | `gws auth` subcommands: `login`, `logout`, `setup`, `status`, `export`                    |
 | `src/commands.rs`         | Recursive `clap::Command` builder from Discovery resources                                |
 | `src/executor.rs`         | HTTP request construction, response handling, schema validation                           |
 | `src/schema.rs`           | `gws schema` command — introspect API method schemas                                      |
@@ -174,7 +173,7 @@ Use these labels to categorize pull requests and issues:
 |---|---|
 | `GOOGLE_WORKSPACE_CLI_TOKEN` | Pre-obtained OAuth2 access token (highest priority; bypasses all credential file loading) |
 | `GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE` | Path to OAuth credentials JSON (no default; if unset, falls back to credentials secured by the OS Keyring and encrypted in `~/.config/gws/`) |
-| `GOOGLE_WORKSPACE_CLI_ACCOUNT` | Default account email for multi-account usage (overridden by `--account` flag) |
+
 | `GOOGLE_APPLICATION_CREDENTIALS` | Standard Google ADC path; used as fallback when no gws-specific credentials are configured |
 
 ### Configuration

README.md

@@ -137,22 +137,6 @@ gws auth login       # subsequent scope selection and login
 > gws auth login -s drive,gmail,sheets
 > ```
 
-### Multiple accounts
-
-You can authenticate with more than one Google account and switch between them:
-
-```bash
-gws auth login --account work@corp.com  # login and register an account
-gws auth login --account personal@gmail.com
-
-gws auth list  # list registered accounts
-gws auth default work@corp.com. # set the default
-
-gws --account personal@gmail.com drive files list  # one-off override
-export GOOGLE_WORKSPACE_CLI_ACCOUNT=personal@gmail.com  # env var override
-```
-
-Credentials are stored per-account as `credentials.<b64-email>.enc` in `~/.config/gws/`, with an `accounts.json` registry tracking defaults.
 
 ### Manual OAuth setup (Google Cloud Console)
 
@@ -222,14 +206,12 @@ export GOOGLE_WORKSPACE_CLI_TOKEN=$(gcloud auth print-access-token)
 
 ### Precedence
 
-| Priority | Source                            | Set via                                 |
-| -------- | --------------------------------- | --------------------------------------- |
-| 1        | Access token                      | `GOOGLE_WORKSPACE_CLI_TOKEN`            |
-| 2        | Credentials file                  | `GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE` |
-| 3        | Per-account encrypted credentials | `gws auth login --account EMAIL`        |
-| 4        | Plaintext credentials             | `~/.config/gws/credentials.json`        |
-
-Account resolution: `--account` flag > `GOOGLE_WORKSPACE_CLI_ACCOUNT` env var > default in `accounts.json`.
+| Priority | Source                 | Set via                                 |
+| -------- | ---------------------- | --------------------------------------- |
+| 1        | Access token           | `GOOGLE_WORKSPACE_CLI_TOKEN`            |
+| 2        | Credentials file       | `GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE` |
+| 3        | Encrypted credentials  | `gws auth login`                        |
+| 4        | Plaintext credentials  | `~/.config/gws/credentials.json`        |
 
 Environment variables can also live in a `.env` file.
 
@@ -362,7 +344,7 @@ All variables are optional. See [`.env.example`](.env.example) for a copy-paste
 |---|---|
 | `GOOGLE_WORKSPACE_CLI_TOKEN` | Pre-obtained OAuth2 access token (highest priority) |
 | `GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE` | Path to OAuth credentials JSON (user or service account) |
-| `GOOGLE_WORKSPACE_CLI_ACCOUNT` | Default account email (overridden by `--account` flag) |
+
 | `GOOGLE_WORKSPACE_CLI_CLIENT_ID` | OAuth client ID (alternative to `client_secret.json`) |
 | `GOOGLE_WORKSPACE_CLI_CLIENT_SECRET` | OAuth client secret (paired with `CLIENT_ID`) |
 | `GOOGLE_WORKSPACE_CLI_CONFIG_DIR` | Override config directory (default: `~/.config/gws`) |