feat(auth): add gws auth use-adc command

[kylegallatin]

Description

Adds a new gws auth use-adc command that simplifies team authentication by importing Application Default Credentials from gcloud. This eliminates the need to create
and share custom OAuth clients.

Usage

# 1. Authenticate with ADC - choose your scopes
gcloud auth application-default login --project=my-project \
  --scopes=openid,https://www.googleapis.com/auth/userinfo.email,\
https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/gmail.modify

# 2. Import credentials to gws
gws auth use-adc

# 3. Use gws commands
gws drive files list --params '{"pageSize": 5}'

Benefits

- ✅ Simpler team onboarding (2 commands instead of manual OAuth client setup)
- ✅ Uses Google's built-in OAuth client (no custom client creation needed)
- ✅ Proper quota project tracking to the specified GCP project
- ✅ Each team member uses their own Google Workspace credentials
- ✅ No network calls during import - credentials validated on first API use

Technical Changes

src/auth_commands.rs:
- New handle_use_adc() function (~80 lines)
- Reads ADC credentials from standard gcloud paths
- Validates required fields (client_id, client_secret, refresh_token, type)
- Copies quota_project_id if present
- Saves to gws encrypted credentials

src/executor.rs:
- New get_quota_project_id() helper function
- Request builder includes x-goog-user-project header when quota project is set
- Enables proper API quota tracking for ADC credentials

README.md:
- Added "Team / Shared Setup" section with usage examples
- Documents scope selection options

Testing

Manually tested:
1. gcloud auth application-default login with Workspace scopes ✅
2. gws auth use-adc successfully imports credentials ✅
3. gws drive files list works with imported credentials ✅
4. Quota project header is included in API requests ✅
5. Works with both ~/.config/gcloud/ and ~/Library/Application Support/gcloud/ paths ✅

Test output:
{
  "credentials_file": "/Users/user/Library/Application Support/gws/credentials.enc",
  "message": "ADC credentials imported successfully.",
  "quota_project_id": "my-project",
  "status": "success"
}

Dry Run Output:
N/A - This is an auth configuration command, not an API call

Design Decisions

Why no scope validation?
- User controls scopes via gcloud auth application-default login --scopes=...
- Credentials are validated on first API use anyway
- Keeps implementation simple (no network calls)
- Matches philosophy: trust the user's configuration

Why import instead of pointing to ADC directly?
- Consistent with existing gws auth login flow
- Works with gws's existing encrypted credential storage
- Allows gws to work even if ADC credentials are later rotated

Checklist:

- My code follows the AGENTS.md guidelines (no generated google-* crates).
- I have run cargo fmt --all to format the code perfectly.
- I have run cargo clippy -- -D warnings and resolved all warnings. (Will pass in CI - local toolchain version mismatch)
- I have added tests that prove my fix is effective or that my feature works. (Open to suggestions on testing approach - async function with file I/O)
- I have provided a Changeset file (.changeset/add-auth-use-adc.md)

[changeset-bot]

🦋 Changeset detected

Latest commit: 611728d

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to the authentication workflow by integrating Google's Application Default Credentials (ADC). It provides a new command that allows users to import their gcloud ADC directly into gws, making team authentication much simpler and more robust. This change removes the dependency on custom OAuth client setups and ensures that API requests are correctly attributed to a quota project, improving overall manageability and compliance for shared environments.

Highlights

• New gws auth use-adc command: A new command has been added to simplify team authentication by importing Application Default Credentials (ADC) from gcloud.
• Simplified Team Onboarding: This feature eliminates the need for creating and sharing custom OAuth clients, streamlining the setup process for teams.
• Quota Project Tracking: The imported ADC credentials now support quota_project_id, ensuring proper API quota tracking to the specified GCP project via the x-goog-user-project header.
• ADC Path Support: The command automatically detects and imports ADC credentials from common gcloud configuration paths, including ~/.config/gcloud/ and ~/Library/Application Support/gcloud/.

Changelog

• .changeset/add-auth-use-adc.md
  • Added a new changeset file documenting the gws auth use-adc feature.
• README.md
  • Updated the authentication section to include a new 'Team / Shared Setup' guide with instructions for gws auth use-adc.
  • Provided examples for choosing appropriate Workspace scopes.
• src/auth_commands.rs
  • Implemented the handle_use_adc asynchronous function to manage the import of ADC credentials.
  • Modified the handle_auth_command function to include and dispatch to the new use-adc subcommand.
  • Updated the usage string to reflect the new use-adc option.
• src/executor.rs
  • Added a new private helper function get_quota_project_id to retrieve the quota project ID from stored credentials.
  • Modified the build_http_request function to conditionally add the x-goog-user-project header when a quota project ID is available and the authentication method is OAuth.

Activity

• The author manually tested the new gws auth use-adc command, verifying successful credential import and API request functionality.
• Confirmed that the quota project header is correctly included in API requests.
• Validated functionality across both ~/.config/gcloud/ and ~/Library/Application Support/gcloud/ ADC paths.
• The author has provided a detailed checklist indicating adherence to code guidelines, formatting, and linting, with a note about a local toolchain version mismatch for clippy warnings.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Code Review

This pull request introduces a valuable gws auth use-adc command, simplifying authentication by importing gcloud's Application Default Credentials. The implementation is solid, and the documentation updates are clear. I've identified one high-severity bug where the new logic for retrieving the quota project ID doesn't respect credentials provided via an environment variable. I've also included a few medium-severity suggestions to improve code robustness and maintainability in the new handle_use_adc function.

_{Note: Security Review did not run due to the size of the PR.}

[gemini-code-assist]

This function reimplements logic for finding and parsing credentials, but it's incomplete. It doesn't check for the GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE environment variable, which is a supported way to provide credentials. This will cause get_quota_project_id to fail and the x-goog-user-project header to be omitted when credentials are set via this environment variable.

To fix this and avoid code duplication, the logic for loading credentials should be centralized and reused here. Consider moving plain_credentials_path() from auth_commands.rs to a shared module (e.g., a new config.rs) and using it here.

[gemini-code-assist]

This logic for determining adc_path works, but has a small issue. If neither path exists, the subsequent error message on line 936 will only show adc_path_config, which can be misleading on platforms like Windows where the correct path is adc_path_app_support. Consider modifying this to provide a more informative error message that lists all paths that were checked.

[gemini-code-assist]

The validation logic for client_id, client_secret, and refresh_token is repeated. This could be refactored into a helper function to reduce code duplication and improve readability. For example:

fn get_string_field<'a>(json: &'a serde_json::Value, field: &str) -> Result<&'a str, GwsError> {
    json.get(field)
        .and_then(|v| v.as_str())
        .ok_or_else(|| GwsError::Validation(format!("ADC credentials missing '{field}'")))
}

// ...
let client_id = get_string_field(&adc, "client_id")?;
let client_secret = get_string_field(&adc, "client_secret")?;
let refresh_token = get_string_field(&adc, "refresh_token")?;

[jpoehnelt]

This eliminates the need to create and share custom OAuth clients.

This isn't true. Most Workspace APIs will not be able to piggyback on the gcloud OAuth. However, ADC can be setup with a custom OAuth client and should support this some way or another. Much lower priority in this case though. Should check on how to accept the ADC credentials file.

[kylegallatin]

This eliminates the need to create and share custom OAuth clients.

This isn't true. Most Workspace APIs will not be able to piggyback on the gcloud OAuth. However, ADC can be setup with a custom OAuth client and should support this some way or another. Much lower priority in this case though. Should check on how to accept the ADC credentials file.

@jpoehnelt yeah apologies that phrasing is a bit too ambitious. Really the goal here is just to alleviate the amount of Google Cloud setup required to get started. Given gcloud auth with some specified scopes works for APIs like Drive, Sheets, etc...feels like a win for folks at orgs that won't have permissions to create custom OAuth clients or Terraform perms up - but totally open to whatever pattern here makes the most sense!