feat(auth): add permission upgrade UI and missing service icons

- Add clickable account cards with pointer cursor
- Add "Permissions" button on hover to trigger re-auth
- Add /auth/upgrade endpoint with force-consent and login_hint
- Add service icons for classroom, groups, docs, keep
- Show all services on success page with missing ones greyed out

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: salmonumbrella

internal/googleauth/accounts_server.go

@@ -108,6 +108,7 @@ func StartManageServer(ctx context.Context, opts ManageServerOptions) error {
 	mux.HandleFunc("/", ms.handleAccountsPage)
 	mux.HandleFunc("/accounts", ms.handleListAccounts)
 	mux.HandleFunc("/auth/start", ms.handleAuthStart)
+	mux.HandleFunc("/auth/upgrade", ms.handleAuthUpgrade)
 	mux.HandleFunc("/oauth2/callback", ms.handleOAuthCallback)
 	mux.HandleFunc("/set-default", ms.handleSetDefault)
 	mux.HandleFunc("/remove-account", ms.handleRemoveAccount)
@@ -245,6 +246,56 @@ func (ms *ManageServer) handleAuthStart(w http.ResponseWriter, r *http.Request)
 	http.Redirect(w, r, authURL, http.StatusFound)
 }
 
+func (ms *ManageServer) handleAuthUpgrade(w http.ResponseWriter, r *http.Request) {
+	// Similar to handleAuthStart, but always forces consent to get new scopes
+	email := r.URL.Query().Get("email")
+	if email == "" {
+		http.Error(w, "Missing email parameter", http.StatusBadRequest)
+		return
+	}
+
+	creds, err := readClientCredentials()
+	if err != nil {
+		http.Error(w, "OAuth credentials not configured. Run: gog auth credentials <file>", http.StatusInternalServerError)
+		return
+	}
+
+	state, err := randomStateFn()
+	if err != nil {
+		http.Error(w, "Failed to generate state", http.StatusInternalServerError)
+		return
+	}
+	ms.oauthState = state
+
+	// Always use all services for upgrade
+	services := AllServices()
+
+	scopes, err := ScopesForManage(services)
+	if err != nil {
+		http.Error(w, "Failed to get scopes", http.StatusInternalServerError)
+		return
+	}
+
+	port := ms.listener.Addr().(*net.TCPAddr).Port
+	redirectURI := fmt.Sprintf("http://127.0.0.1:%d/oauth2/callback", port)
+
+	cfg := oauth2.Config{
+		ClientID:     creds.ClientID,
+		ClientSecret: creds.ClientSecret,
+		Endpoint:     oauthEndpoint,
+		RedirectURL:  redirectURI,
+		Scopes:       scopes,
+	}
+
+	// Always force consent for upgrades to ensure user sees all scopes
+	// Add login_hint to pre-select the account
+	authURL := cfg.AuthCodeURL(state,
+		append(authURLParams(true),
+			oauth2.SetAuthURLParam("login_hint", email))...)
+
+	http.Redirect(w, r, authURL, http.StatusFound)
+}
+
 func (ms *ManageServer) handleOAuthCallback(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 
@@ -566,9 +617,17 @@ func renderSuccessPageWithDetails(w http.ResponseWriter, email string, services
 		_, _ = w.Write([]byte("Success! You can close this window."))
 		return
 	}
+
+	// Get all available services for showing connected vs missing
+	allServices := make([]string, 0, len(serviceOrder))
+	for _, svc := range serviceOrder {
+		allServices = append(allServices, string(svc))
+	}
+
 	data := successTemplateData{
 		Email:            email,
 		Services:         services,
+		AllServices:      allServices,
 		CountdownSeconds: postSuccessDisplaySeconds,
 	}
 	_ = tmpl.Execute(w, data)

internal/googleauth/oauth_flow.go

@@ -38,6 +38,7 @@ const postSuccessDisplaySeconds = 30
 type successTemplateData struct {
 	Email            string
 	Services         []string
+	AllServices      []string
 	CountdownSeconds int
 }
 

internal/googleauth/templates/accounts.html

@@ -303,6 +303,34 @@
             background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%234285F4' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M22 5.18L10.59 16.6l-4.24-4.24 1.41-1.41 2.83 2.83 10-10L22 5.18zm-2.21 5.04c.13.57.21 1.17.21 1.78 0 4.42-3.58 8-8 8s-8-3.58-8-8 3.58-8 8-8c1.58 0 3.04.46 4.28 1.25l1.44-1.44A9.9 9.9 0 0012 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10c0-1.19-.22-2.33-.6-3.39l-1.61 1.61z'/%3E%3C/svg%3E");
         }
 
+        .service-tag.classroom {
+            color: var(--g-green);
+            background-color: var(--g-green-dim);
+            border-color: rgba(52, 168, 83, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%2334A853' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 3L1 9l4 2.18v6L12 21l7-3.82v-6l2-1.09V17h2V9L12 3zm6.82 6L12 12.72 5.18 9 12 5.28 18.82 9zM17 15.99l-5 2.73-5-2.73v-3.72L12 15l5-2.73v3.72z'/%3E%3C/svg%3E");
+        }
+
+        .service-tag.groups {
+            color: var(--g-blue);
+            background-color: var(--g-blue-dim);
+            border-color: rgba(66, 133, 244, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%234285F4' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 12.75c1.63 0 3.07.39 4.24.9 1.08.48 1.76 1.56 1.76 2.73V18H6v-1.61c0-1.18.68-2.26 1.76-2.73 1.17-.52 2.61-.91 4.24-.91zM4 13c1.1 0 2-.9 2-2s-.9-2-2-2-2 .9-2 2 .9 2 2 2zm1.13 1.1c-.37-.06-.74-.1-1.13-.1-.99 0-1.93.21-2.78.58A2.01 2.01 0 0 0 0 16.43V18h4.5v-1.61c0-.83.23-1.61.63-2.29zM20 13c1.1 0 2-.9 2-2s-.9-2-2-2-2 .9-2 2 .9 2 2 2zm4 3.43c0-.81-.48-1.53-1.22-1.85A6.95 6.95 0 0 0 20 14c-.39 0-.76.04-1.13.1.4.68.63 1.46.63 2.29V18H24v-1.57zM12 6c1.66 0 3 1.34 3 3s-1.34 3-3 3-3-1.34-3-3 1.34-3 3-3z'/%3E%3C/svg%3E");
+        }
+
+        .service-tag.docs {
+            color: var(--g-blue);
+            background-color: var(--g-blue-dim);
+            border-color: rgba(66, 133, 244, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%234285F4' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M14.727 0v6h6l-6-6zm1.364 10.636H7.91v1.91h8.181v-1.91zm0 3.273H7.91v1.91h8.181v-1.91zM20.727 6.5v15.864c0 .904-.732 1.636-1.636 1.636H4.909a1.636 1.636 0 0 1-1.636-1.636V1.636C3.273.732 4.005 0 4.909 0h9.318v6.5h6.5zM16.091 7.727H7.91v1.91h8.181v-1.91z'/%3E%3C/svg%3E");
+        }
+
+        .service-tag.keep {
+            color: var(--g-yellow);
+            background-color: var(--g-yellow-dim);
+            border-color: rgba(251, 188, 5, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%23FBBC05' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 2C8.14 2 5 5.14 5 9c0 2.38 1.19 4.47 3 5.74V17c0 .55.45 1 1 1h6c.55 0 1-.45 1-1v-2.26c1.81-1.27 3-3.36 3-5.74 0-3.86-3.14-7-7-7zm2 15H10v-1h4v1zm0-2H10v-1h4v1zm-1.5-4.59V13h-1v-2.59L9.67 8.59 10.41 7.85 12 9.44l1.59-1.59.74.74-1.83 1.82z'/%3E%3C/svg%3E");
+        }
+
         .account-actions {
             display: flex;
             align-items: center;
@@ -382,6 +410,37 @@
             height: 16px;
         }
 
+        .upgrade-btn {
+            font-size: 11px;
+            font-weight: 500;
+            color: var(--g-green);
+            background: var(--g-green-dim);
+            border: 1px solid rgba(52, 168, 83, 0.3);
+            padding: 5px 10px;
+            border-radius: 99px;
+            cursor: pointer;
+            transition: all 0.2s ease;
+            opacity: 0;
+            font-family: inherit;
+            display: inline-flex;
+            align-items: center;
+            gap: 4px;
+        }
+
+        .account-card:hover .upgrade-btn {
+            opacity: 1;
+        }
+
+        .upgrade-btn:hover {
+            background: rgba(52, 168, 83, 0.2);
+            border-color: var(--g-green);
+        }
+
+        .upgrade-btn svg {
+            width: 12px;
+            height: 12px;
+        }
+
         /* Add Account Button */
         .add-account-btn {
             width: 100%;
@@ -754,7 +813,7 @@ <h4>Use from terminal</h4>
                     const services = acc.services || ['calendar', 'gmail', 'drive'];
 
                     return `
-                        <div class="account-card ${isDefault ? 'default' : ''}" data-email="${acc.email}">
+                        <div class="account-card ${isDefault ? 'default' : ''}" data-email="${acc.email}" onclick="upgradePermissions('${acc.email}', event)">
                             <div class="account-avatar" style="background: ${getAvatarGradient(acc.email)}">
                                 ${initial}
                             </div>
@@ -765,6 +824,13 @@ <h4>Use from terminal</h4>
                                 </div>
                             </div>
                             <div class="account-actions">
+                                <button class="upgrade-btn" onclick="upgradePermissions('${acc.email}', event)" title="Add more permissions">
+                                    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round">
+                                        <line x1="12" y1="5" x2="12" y2="19"/>
+                                        <line x1="5" y1="12" x2="19" y2="12"/>
+                                    </svg>
+                                    Permissions
+                                </button>
                                 ${isDefault ? `
                                     <span class="default-badge">
                                         <svg viewBox="0 0 24 24" fill="currentColor">
@@ -773,9 +839,9 @@ <h4>Use from terminal</h4>
                                         Default
                                     </span>
                                 ` : `
-                                    <button class="set-default-btn" onclick="setDefault('${acc.email}')">Set default</button>
+                                    <button class="set-default-btn" onclick="event.stopPropagation(); setDefault('${acc.email}')">Set default</button>
                                 `}
-                                <button class="remove-btn" onclick="removeAccount('${acc.email}')" title="Remove account">
+                                <button class="remove-btn" onclick="event.stopPropagation(); removeAccount('${acc.email}')" title="Remove account">
                                     <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round">
                                         <line x1="18" y1="6" x2="6" y2="18"/>
                                         <line x1="6" y1="6" x2="18" y2="18"/>
@@ -793,6 +859,12 @@ <h4>Use from terminal</h4>
             window.location.href = '/auth/start';
         }
 
+        function upgradePermissions(email, event) {
+            event.stopPropagation();
+            // Redirect to OAuth flow with force consent to get all permissions
+            window.location.href = '/auth/upgrade?email=' + encodeURIComponent(email);
+        }
+
         async function setDefault(email) {
             try {
                 const response = await fetch('/set-default', {

internal/googleauth/templates/success.html

@@ -252,6 +252,41 @@
             background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%234285F4' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M22 5.18L10.59 16.6l-4.24-4.24 1.41-1.41 2.83 2.83 10-10L22 5.18zm-2.21 5.04c.13.57.21 1.17.21 1.78 0 4.42-3.58 8-8 8s-8-3.58-8-8 3.58-8 8-8c1.58 0 3.04.46 4.28 1.25l1.44-1.44A9.9 9.9 0 0012 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10c0-1.19-.22-2.33-.6-3.39l-1.61 1.61z'/%3E%3C/svg%3E");
         }
 
+        .service-tag.classroom {
+            color: var(--g-green);
+            background-color: var(--g-green-dim);
+            border-color: rgba(52, 168, 83, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%2334A853' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 3L1 9l4 2.18v6L12 21l7-3.82v-6l2-1.09V17h2V9L12 3zm6.82 6L12 12.72 5.18 9 12 5.28 18.82 9zM17 15.99l-5 2.73-5-2.73v-3.72L12 15l5-2.73v3.72z'/%3E%3C/svg%3E");
+        }
+
+        .service-tag.groups {
+            color: var(--g-blue);
+            background-color: var(--g-blue-dim);
+            border-color: rgba(66, 133, 244, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%234285F4' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 12.75c1.63 0 3.07.39 4.24.9 1.08.48 1.76 1.56 1.76 2.73V18H6v-1.61c0-1.18.68-2.26 1.76-2.73 1.17-.52 2.61-.91 4.24-.91zM4 13c1.1 0 2-.9 2-2s-.9-2-2-2-2 .9-2 2 .9 2 2 2zm1.13 1.1c-.37-.06-.74-.1-1.13-.1-.99 0-1.93.21-2.78.58A2.01 2.01 0 0 0 0 16.43V18h4.5v-1.61c0-.83.23-1.61.63-2.29zM20 13c1.1 0 2-.9 2-2s-.9-2-2-2-2 .9-2 2 .9 2 2 2zm4 3.43c0-.81-.48-1.53-1.22-1.85A6.95 6.95 0 0 0 20 14c-.39 0-.76.04-1.13.1.4.68.63 1.46.63 2.29V18H24v-1.57zM12 6c1.66 0 3 1.34 3 3s-1.34 3-3 3-3-1.34-3-3 1.34-3 3-3z'/%3E%3C/svg%3E");
+        }
+
+        .service-tag.docs {
+            color: var(--g-blue);
+            background-color: var(--g-blue-dim);
+            border-color: rgba(66, 133, 244, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%234285F4' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M14.727 0v6h6l-6-6zm1.364 10.636H7.91v1.91h8.181v-1.91zm0 3.273H7.91v1.91h8.181v-1.91zM20.727 6.5v15.864c0 .904-.732 1.636-1.636 1.636H4.909a1.636 1.636 0 0 1-1.636-1.636V1.636C3.273.732 4.005 0 4.909 0h9.318v6.5h6.5zM16.091 7.727H7.91v1.91h8.181v-1.91z'/%3E%3C/svg%3E");
+        }
+
+        .service-tag.keep {
+            color: var(--g-yellow);
+            background-color: var(--g-yellow-dim);
+            border-color: rgba(251, 188, 5, 0.2);
+            background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' fill='%23FBBC05' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12 2C8.14 2 5 5.14 5 9c0 2.38 1.19 4.47 3 5.74V17c0 .55.45 1 1 1h6c.55 0 1-.45 1-1v-2.26c1.81-1.27 3-3.36 3-5.74 0-3.86-3.14-7-7-7zm2 15H10v-1h4v1zm0-2H10v-1h4v1zm-1.5-4.59V13h-1v-2.59L9.67 8.59 10.41 7.85 12 9.44l1.59-1.59.74.74-1.83 1.82z'/%3E%3C/svg%3E");
+        }
+
+        /* Missing/greyed-out service state */
+        .service-tag.missing {
+            opacity: 0.4;
+            filter: grayscale(100%);
+            border-color: rgba(255, 255, 255, 0.1) !important;
+        }
+
         /* Terminal Card */
         .terminal-card {
             background: var(--bg-surface);
@@ -557,13 +592,9 @@ <h1>You're connected</h1>
             <p class="account-email">gog is now authorized to access <strong>Google Workspace</strong></p>
             {{end}}
 
-            {{if .Services}}
-            <div class="services-row">
-                {{range .Services}}
-                <span class="service-tag {{.}}">{{.}}</span>
-                {{end}}
+            <div class="services-row" id="servicesRow">
+                <!-- Services will be rendered by JavaScript to show connected vs missing -->
             </div>
-            {{end}}
         </header>
 
         <div class="terminal-card">
@@ -642,6 +673,20 @@ <h4>Return to your terminal</h4>
         </footer>
     </div>
     <script>
+        // Render services with connected ones colored and missing ones greyed out
+        const connectedServices = [{{range $i, $s := .Services}}{{if $i}},{{end}}"{{$s}}"{{end}}];
+        const allServices = [{{range $i, $s := .AllServices}}{{if $i}},{{end}}"{{$s}}"{{end}}];
+        const servicesRow = document.getElementById('servicesRow');
+
+        if (allServices.length > 0) {
+            servicesRow.innerHTML = allServices.map(svc => {
+                const isConnected = connectedServices.includes(svc);
+                const classes = isConnected ? `service-tag ${svc}` : `service-tag ${svc} missing`;
+                return `<span class="${classes}">${svc}</span>`;
+            }).join('');
+        }
+
+        // Countdown timer
         let seconds = {{.CountdownSeconds}};
         const countdownEl = document.getElementById('countdown');
         const interval = setInterval(() => {