feat: add context propagation, security fixes, and new features

Drive:
- Add context propagation to all API calls
- Add path traversal security fix in download

Gmail:
- Add context propagation to labels and thread commands
- Simplify MIME building (remove unused ReplyTo, BodyHTML)
- Add --from flag for send-as aliases in send and drafts
- Simplify base64 decoding
- Add path traversal security fix in attachments

Calendar:
- Add needsAction status support to respond command
- Add --comment flag for response comments
- Add organizer check to prevent self-response

Auth:
- Add browser-based account management command (auth manage)
- Add web UI for managing connected accounts

Maintenance:
- Update golangci-lint config for v2 compatibility

Author: salmonumbrella

.golangci.yml

@@ -1,3 +1,5 @@
+version: 2
+
 run:
   timeout: 5m
 
@@ -7,7 +9,6 @@ linters:
     - govet
     - ineffassign
     - staticcheck
-    - typecheck
     - unused
 
 linters-settings:

internal/cmd/auth.go

@@ -17,10 +17,7 @@ import (
 	"github.com/steipete/gogcli/internal/ui"
 )
 
-var (
-	openSecretsStore = secrets.OpenDefault
-	authorizeGoogle  = googleauth.Authorize
-)
+var openSecretsStore = secrets.OpenDefault
 
 func newAuthCmd() *cobra.Command {
 	cmd := &cobra.Command{
@@ -33,6 +30,7 @@ func newAuthCmd() *cobra.Command {
 	cmd.AddCommand(newAuthListCmd())
 	cmd.AddCommand(newAuthRemoveCmd())
 	cmd.AddCommand(newAuthTokensCmd())
+	cmd.AddCommand(newAuthManageCmd())
 	return cmd
 }
 
@@ -179,7 +177,7 @@ func newAuthTokensExportCmd() *cobra.Command {
 			if openErr != nil {
 				return openErr
 			}
-			defer f.Close()
+			defer func() { _ = f.Close() }()
 
 			type export struct {
 				Email        string   `json:"email"`
@@ -335,7 +333,7 @@ func newAuthAddCmd() *cobra.Command {
 				return err
 			}
 
-			refreshToken, err := authorizeGoogle(cmd.Context(), googleauth.AuthorizeOptions{
+			refreshToken, err := googleauth.Authorize(cmd.Context(), googleauth.AuthorizeOptions{
 				Services:     services,
 				Scopes:       scopes,
 				Manual:       manual,
@@ -378,7 +376,7 @@ func newAuthAddCmd() *cobra.Command {
 
 	cmd.Flags().BoolVar(&manual, "manual", false, "Browserless auth flow (paste redirect URL)")
 	cmd.Flags().BoolVar(&forceConsent, "force-consent", false, "Force consent screen to obtain a refresh token")
-	cmd.Flags().StringVar(&servicesCSV, "services", "all", "Services to authorize: all or comma-separated gmail,calendar,drive,contacts,tasks,people")
+	cmd.Flags().StringVar(&servicesCSV, "services", "all", "Services to authorize: all or comma-separated gmail,calendar,drive,contacts,sheets")
 	return cmd
 }
 
@@ -463,3 +461,47 @@ func newAuthRemoveCmd() *cobra.Command {
 		},
 	}
 }
+
+func newAuthManageCmd() *cobra.Command {
+	var forceConsent bool
+	var servicesCSV string
+	var timeout time.Duration
+
+	cmd := &cobra.Command{
+		Use:   "manage",
+		Short: "Open accounts manager in browser",
+		Long:  "Opens a browser-based UI to manage Google accounts, add new accounts, set defaults, and remove accounts.",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			var services []googleauth.Service
+			if strings.EqualFold(strings.TrimSpace(servicesCSV), "") || strings.EqualFold(strings.TrimSpace(servicesCSV), "all") {
+				services = googleauth.AllServices()
+			} else {
+				parts := strings.Split(servicesCSV, ",")
+				seen := make(map[googleauth.Service]struct{})
+				for _, p := range parts {
+					svc, err := googleauth.ParseService(p)
+					if err != nil {
+						return err
+					}
+					if _, ok := seen[svc]; ok {
+						continue
+					}
+					seen[svc] = struct{}{}
+					services = append(services, svc)
+				}
+			}
+
+			return googleauth.StartManageServer(cmd.Context(), googleauth.ManageServerOptions{
+				Timeout:      timeout,
+				Services:     services,
+				ForceConsent: forceConsent,
+			})
+		},
+	}
+
+	cmd.Flags().BoolVar(&forceConsent, "force-consent", false, "Force consent screen when adding accounts")
+	cmd.Flags().StringVar(&servicesCSV, "services", "all", "Services to authorize: all or comma-separated gmail,calendar,drive,contacts,sheets")
+	cmd.Flags().DurationVar(&timeout, "timeout", 10*time.Minute, "Server timeout duration")
+	return cmd
+}

internal/cmd/auth_cmd_test.go

@@ -79,6 +79,14 @@ func (s *memSecretsStore) ListTokens() ([]secrets.Token, error) {
 	return out, nil
 }
 
+func (s *memSecretsStore) GetDefaultAccount() (string, error) {
+	return "", nil
+}
+
+func (s *memSecretsStore) SetDefaultAccount(email string) error {
+	return nil
+}
+
 func TestAuthTokens_ExportImportRoundtrip_JSON(t *testing.T) {
 	origOpen := openSecretsStore
 	t.Cleanup(func() { openSecretsStore = origOpen })

internal/cmd/calendar_respond.go

@@ -13,12 +13,21 @@ import (
 
 func newCalendarRespondCmd(flags *rootFlags) *cobra.Command {
 	var status string
-	var sendUpdates string
+	var comment string
 
 	cmd := &cobra.Command{
 		Use:   "respond <calendarId> <eventId>",
-		Short: "Respond to a meeting invitation (accept/decline/tentative)",
-		Args:  cobra.ExactArgs(2),
+		Short: "Respond to a calendar event invitation",
+		Long: `Respond to a calendar event invitation with accepted, declined, tentative, or needsAction.
+
+Status values:
+  - accepted: Accept the invitation
+  - declined: Decline the invitation
+  - tentative: Mark as tentative (maybe)
+  - needsAction: Reset to needs action
+
+You can optionally include a comment with your response.`,
+		Args: cobra.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			u := ui.FromContext(cmd.Context())
 			account, err := requireAccount(flags)
@@ -28,52 +37,61 @@ func newCalendarRespondCmd(flags *rootFlags) *cobra.Command {
 			calendarID := args[0]
 			eventID := args[1]
 
+			// Validate status
 			status = strings.TrimSpace(status)
-			switch status {
-			case "accepted", "declined", "tentative":
-			default:
-				return fmt.Errorf("invalid --status: %q (expected accepted|declined|tentative)", status)
+			validStatuses := []string{"accepted", "declined", "tentative", "needsAction"}
+			isValid := false
+			for _, v := range validStatuses {
+				if status == v {
+					isValid = true
+					break
+				}
 			}
-
-			sendUpdates = strings.TrimSpace(sendUpdates)
-			switch sendUpdates {
-			case "all", "none", "externalOnly":
-			default:
-				return fmt.Errorf("invalid --send-updates: %q (expected all|none|externalOnly)", sendUpdates)
+			if !isValid {
+				return fmt.Errorf("invalid status %q; must be one of: %s", status, strings.Join(validStatuses, ", "))
 			}
 
 			svc, err := newCalendarService(cmd.Context(), account)
 			if err != nil {
 				return err
 			}
 
-			e, err := svc.Events.Get(calendarID, eventID).Do()
+			// Get the event
+			event, err := svc.Events.Get(calendarID, eventID).Do()
 			if err != nil {
 				return err
 			}
-			if e == nil || len(e.Attendees) == 0 {
+
+			// Find the authenticated user in attendees
+			if len(event.Attendees) == 0 {
 				return errors.New("event has no attendees")
 			}
 
-			updatedAny := false
-			for _, a := range e.Attendees {
-				if a == nil {
-					continue
-				}
-				if a.Self || strings.EqualFold(a.Email, account) {
-					a.ResponseStatus = status
-					updatedAny = true
+			var selfAttendee *int
+			for i, a := range event.Attendees {
+				if a.Self {
+					selfAttendee = &i
+					break
 				}
 			}
-			if !updatedAny {
-				return errors.New("no attendee matches the authenticated user")
+
+			if selfAttendee == nil {
+				return errors.New("you are not an attendee of this event")
+			}
+
+			// Check if user is the organizer
+			if event.Attendees[*selfAttendee].Organizer {
+				return errors.New("cannot respond to your own event (you are the organizer)")
 			}
 
-			call := svc.Events.Update(calendarID, eventID, e)
-			if sendUpdates != "none" {
-				call = call.SendUpdates(sendUpdates)
+			// Update the attendee's response status
+			event.Attendees[*selfAttendee].ResponseStatus = status
+			if strings.TrimSpace(comment) != "" {
+				event.Attendees[*selfAttendee].Comment = comment
 			}
-			updated, err := call.Do()
+
+			// Patch the event with updated attendees
+			updated, err := svc.Events.Patch(calendarID, eventID, event).Do()
 			if err != nil {
 				return err
 			}
@@ -83,17 +101,21 @@ func newCalendarRespondCmd(flags *rootFlags) *cobra.Command {
 			}
 
 			u.Out().Printf("id\t%s", updated.Id)
-			u.Out().Printf("status\t%s", status)
-			u.Out().Printf("send_updates\t%s", sendUpdates)
+			u.Out().Printf("summary\t%s", orEmpty(updated.Summary, "(no title)"))
+			u.Out().Printf("response_status\t%s", status)
+			if strings.TrimSpace(comment) != "" {
+				u.Out().Printf("comment\t%s", comment)
+			}
 			if updated.HtmlLink != "" {
 				u.Out().Printf("link\t%s", updated.HtmlLink)
 			}
 			return nil
 		},
 	}
 
-	cmd.Flags().StringVar(&status, "status", "", "Response status: accepted|declined|tentative (required)")
+	cmd.Flags().StringVar(&status, "status", "", "Response status (accepted, declined, tentative, needsAction) (required)")
+	cmd.Flags().StringVar(&comment, "comment", "", "Optional comment/note to include with response")
 	_ = cmd.MarkFlagRequired("status")
-	cmd.Flags().StringVar(&sendUpdates, "send-updates", "none", "Send updates: all|none|externalOnly (default: none)")
+
 	return cmd
 }