fix(auth): sanitize os keyring error strings and handle missing file fallbacks

This commit removes the inadvertently included skills, uses output::sanitize_for_terminal to protect the user from escape sequence injection via keyring errors, and ensures removal of the fallback file properly alerts the user when an io error occurs.

Author: jpoehnelt-bot

crates/google-workspace-cli/src/credential_store.rs

@@ -212,7 +212,15 @@ fn resolve_key(
                             arr.copy_from_slice(&decoded);
                             // Cleanup insecure file fallback if it still exists.
                             // TOCTOU race condition is a known limitation.
-                            let _ = std::fs::remove_file(key_file);
+                            if let Err(e) = std::fs::remove_file(key_file) {
+                                if e.kind() != std::io::ErrorKind::NotFound {
+                                    eprintln!(
+                                        "Warning: failed to remove legacy key file at '{}': {}",
+                                        key_file.display(),
+                                        e
+                                    );
+                                }
+                            }
                             return Ok(arr);
                         }
                     }
@@ -222,17 +230,28 @@ fn resolve_key(
                     // Keyring is empty — fall through to generate new.
                 }
                 Err(e) => {
-                    anyhow::bail!("OS keyring failed: {e}. Set GOOGLE_WORKSPACE_CLI_KEYRING_BACKEND=file to use file storage.");
+                    anyhow::bail!("OS keyring failed: {}. Set GOOGLE_WORKSPACE_CLI_KEYRING_BACKEND=file to use file storage.", sanitize_for_terminal(&e.to_string()));
                 }
             }
 
             // Generate a new key if keyring was empty or contained invalid data.
             let key = generate_random_key();
             let b64_key = STANDARD.encode(key);
             if let Err(e) = provider.set_password(&b64_key) {
-                anyhow::bail!("Failed to set key in OS keyring: {e}");
+                anyhow::bail!(
+                    "Failed to set key in OS keyring: {}",
+                    sanitize_for_terminal(&e.to_string())
+                );
+            }
+            if let Err(e) = std::fs::remove_file(key_file) {
+                if e.kind() != std::io::ErrorKind::NotFound {
+                    eprintln!(
+                        "Warning: failed to remove legacy key file at '{}': {}",
+                        key_file.display(),
+                        e
+                    );
+                }
             }
-            let _ = std::fs::remove_file(key_file);
             return Ok(key);
         }
 

docs/skills.md

@@ -26,7 +26,6 @@ Core Google Workspace API skills.
 | [gws-events](../skills/gws-events/SKILL.md) | Subscribe to Google Workspace events. |
 | [gws-modelarmor](../skills/gws-modelarmor/SKILL.md) | Google Model Armor: Filter user-generated content for safety. |
 | [gws-workflow](../skills/gws-workflow/SKILL.md) | Google Workflow: Cross-service productivity workflows. |
-| [gws-script](../skills/gws-script/SKILL.md) | Manage Google Apps Script projects. |
 
 ## Helpers
 
@@ -58,7 +57,6 @@ Shortcut commands for common operations.
 | [gws-workflow-email-to-task](../skills/gws-workflow-email-to-task/SKILL.md) | Google Workflow: Convert a Gmail message into a Google Tasks entry. |
 | [gws-workflow-weekly-digest](../skills/gws-workflow-weekly-digest/SKILL.md) | Google Workflow: Weekly summary: this week's meetings + unread email count. |
 | [gws-workflow-file-announce](../skills/gws-workflow-file-announce/SKILL.md) | Google Workflow: Announce a Drive file in a Chat space. |
-| [gws-script-push](../skills/gws-script-push/SKILL.md) | Google Apps Script: Upload local files to an Apps Script project. |
 
 ## Personas