From 35b4b6b07fdf0812332fa2639b070bd0a7b8277c Mon Sep 17 00:00:00 2001
From: Lubrsy706 <lubrsy706@gmail.com>
Date: Thu, 14 May 2026 10:24:48 +0800
Subject: [PATCH 1/3] fix(auth): include admin reports scopes

---
 .../google-workspace-cli/src/auth_commands.rs | 42 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/crates/google-workspace-cli/src/auth_commands.rs b/crates/google-workspace-cli/src/auth_commands.rs
index d7571e74..0a667553 100644
--- a/crates/google-workspace-cli/src/auth_commands.rs
+++ b/crates/google-workspace-cli/src/auth_commands.rs
@@ -293,6 +293,8 @@ pub const FULL_SCOPES: &[&str] = &[
     "https://www.googleapis.com/auth/documents",
     "https://www.googleapis.com/auth/presentations",
     "https://www.googleapis.com/auth/tasks",
+    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
+    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
     "https://www.googleapis.com/auth/pubsub",
     "https://www.googleapis.com/auth/cloud-platform",
 ];
@@ -306,6 +308,8 @@ const READONLY_SCOPES: &[&str] = &[
     "https://www.googleapis.com/auth/documents.readonly",
     "https://www.googleapis.com/auth/presentations.readonly",
     "https://www.googleapis.com/auth/tasks.readonly",
+    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
+    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
 ];
 
 pub fn config_dir() -> PathBuf {
@@ -841,6 +845,7 @@ fn map_service_to_scope_prefixes(service: &str) -> Vec<&str> {
         "slides" => vec!["presentations"],
         "docs" => vec!["documents"],
         "people" => vec!["contacts", "directory"],
+        "admin-reports" => vec!["admin.reports"],
         s => vec![s],
     }
 }
@@ -1565,6 +1570,14 @@ const SCOPE_ENTRIES: &[ScopeEntry] = &[
         scope: "https://www.googleapis.com/auth/tasks",
         label: "Google Tasks",
     },
+    ScopeEntry {
+        scope: "https://www.googleapis.com/auth/admin.reports.audit.readonly",
+        label: "Admin Reports Audit",
+    },
+    ScopeEntry {
+        scope: "https://www.googleapis.com/auth/admin.reports.usage.readonly",
+        label: "Admin Reports Usage",
+    },
     ScopeEntry {
         scope: "https://www.googleapis.com/auth/pubsub",
         label: "Cloud Pub/Sub",
@@ -1595,6 +1608,7 @@ fn is_app_only_scope(url: &str) -> bool {
 /// They are excluded from the "Recommended" preset to avoid login failures.
 ///
 /// Affected scope families:
+/// - `admin.reports.*`  — Admin Reports API audit and usage reports
 /// - `apps.*`            — Alert Center, Groups Settings, Licensing, Reseller
 /// - `cloud-identity.*`  — Cloud Identity: devices, groups, inbound SSO, policies
 /// - `ediscovery`        — Google Vault
@@ -1604,7 +1618,8 @@ fn is_workspace_admin_scope(url: &str) -> bool {
     let short = url
         .strip_prefix("https://www.googleapis.com/auth/")
         .unwrap_or(url);
-    short.starts_with("apps.")
+    short.starts_with("admin.reports.")
+        || short.starts_with("apps.")
         || short.starts_with("cloud-identity.")
         || short.starts_with("chat.admin.")
         || short.starts_with("classroom.")
@@ -1791,6 +1806,18 @@ mod tests {
         assert_eq!(scopes.len(), FULL_SCOPES.len());
     }
 
+    #[test]
+    fn admin_reports_scopes_are_available_in_presets_and_picker() {
+        for scope in [
+            "https://www.googleapis.com/auth/admin.reports.audit.readonly",
+            "https://www.googleapis.com/auth/admin.reports.usage.readonly",
+        ] {
+            assert!(FULL_SCOPES.contains(&scope));
+            assert!(READONLY_SCOPES.contains(&scope));
+            assert!(SCOPE_ENTRIES.iter().any(|entry| entry.scope == scope));
+        }
+    }
+
     #[test]
     #[serial_test::serial]
     fn resolve_client_credentials_from_env_vars() {
@@ -2236,6 +2263,19 @@ mod tests {
         ));
     }
 
+    #[test]
+    fn scope_matches_service_admin_reports() {
+        let services: HashSet<String> = ["admin-reports"].iter().map(|s| s.to_string()).collect();
+        assert!(scope_matches_service(
+            "https://www.googleapis.com/auth/admin.reports.audit.readonly",
+            &services
+        ));
+        assert!(scope_matches_service(
+            "https://www.googleapis.com/auth/admin.reports.usage.readonly",
+            &services
+        ));
+    }
+
     // ── services filter integration tests ────────────────────────────────
 
     #[test]

From df4b7e8b3ecc837700215584bdd7ce73195e102a Mon Sep 17 00:00:00 2001
From: Lubrsy706 <lubrsy706@gmail.com>
Date: Thu, 14 May 2026 10:43:48 +0800
Subject: [PATCH 2/3] fix(auth): treat admin scopes consistently

---
 crates/google-workspace-cli/src/auth_commands.rs | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/crates/google-workspace-cli/src/auth_commands.rs b/crates/google-workspace-cli/src/auth_commands.rs
index 0a667553..846be22f 100644
--- a/crates/google-workspace-cli/src/auth_commands.rs
+++ b/crates/google-workspace-cli/src/auth_commands.rs
@@ -1608,7 +1608,7 @@ fn is_app_only_scope(url: &str) -> bool {
 /// They are excluded from the "Recommended" preset to avoid login failures.
 ///
 /// Affected scope families:
-/// - `admin.reports.*`  — Admin Reports API audit and usage reports
+/// - `admin.*`           — Admin SDK APIs (Directory, Reports, etc.)
 /// - `apps.*`            — Alert Center, Groups Settings, Licensing, Reseller
 /// - `cloud-identity.*`  — Cloud Identity: devices, groups, inbound SSO, policies
 /// - `ediscovery`        — Google Vault
@@ -1618,7 +1618,7 @@ fn is_workspace_admin_scope(url: &str) -> bool {
     let short = url
         .strip_prefix("https://www.googleapis.com/auth/")
         .unwrap_or(url);
-    short.starts_with("admin.reports.")
+    short.starts_with("admin.")
         || short.starts_with("apps.")
         || short.starts_with("cloud-identity.")
         || short.starts_with("chat.admin.")
@@ -2276,6 +2276,16 @@ mod tests {
         ));
     }
 
+    #[test]
+    fn workspace_admin_scope_detects_admin_family() {
+        assert!(is_workspace_admin_scope(
+            "https://www.googleapis.com/auth/admin.directory.user.readonly"
+        ));
+        assert!(is_workspace_admin_scope(
+            "https://www.googleapis.com/auth/admin.reports.audit.readonly"
+        ));
+    }
+
     // ── services filter integration tests ────────────────────────────────
 
     #[test]

From 14ded8c7819384546c895053ec7887334128c2c2 Mon Sep 17 00:00:00 2001
From: Lubrsy706 <lubrsy706@gmail.com>
Date: Thu, 14 May 2026 11:19:06 +0800
Subject: [PATCH 3/3] fix(auth): classify top-level admin scope

---
 crates/google-workspace-cli/src/auth_commands.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/crates/google-workspace-cli/src/auth_commands.rs b/crates/google-workspace-cli/src/auth_commands.rs
index 846be22f..27e8f3b1 100644
--- a/crates/google-workspace-cli/src/auth_commands.rs
+++ b/crates/google-workspace-cli/src/auth_commands.rs
@@ -1618,7 +1618,8 @@ fn is_workspace_admin_scope(url: &str) -> bool {
     let short = url
         .strip_prefix("https://www.googleapis.com/auth/")
         .unwrap_or(url);
-    short.starts_with("admin.")
+    short == "admin"
+        || short.starts_with("admin.")
         || short.starts_with("apps.")
         || short.starts_with("cloud-identity.")
         || short.starts_with("chat.admin.")
@@ -2278,6 +2279,9 @@ mod tests {
 
     #[test]
     fn workspace_admin_scope_detects_admin_family() {
+        assert!(is_workspace_admin_scope(
+            "https://www.googleapis.com/auth/admin"
+        ));
         assert!(is_workspace_admin_scope(
             "https://www.googleapis.com/auth/admin.directory.user.readonly"
         ));