auth login -s people does not include contacts write scope #673

@StephaneEJ

Description

When using gws auth login -s people, the scope picker generates People API scopes for reading profiles, but does not include https://www.googleapis.com/auth/contacts which is required for write operations like createContact.

Steps to reproduce

  1. gws auth login -s people
  2. Approve scopes in browser
  3. gws people people createContact --json '{"names":[{"givenName":"Test","familyName":"Contact"}]}'

Expected: Contact is created.
Actual: 403 - Request had insufficient authentication scopes.

Workaround attempted

  • --scopes https://www.googleapis.com/auth/contacts works alone but cannot be combined with -s to get other service scopes in the same login.
  • --full does not include the contacts scope either.
  • Combining multiple full scope URLs in --scopes causes truncation in the OAuth redirect URL, resulting in invalid_scope errors.

Current workaround

Using curl directly with the People API and a dedicated refresh token obtained from a contacts-only gws auth login --scopes https://www.googleapis.com/auth/contacts.

Suggested fix

  1. Map -s people (or add -s contacts) to include https://www.googleapis.com/auth/contacts in the scope picker.
  2. Support incremental auth (adding scopes to an existing token without replacing it).

Environment

  • gws 0.22.5
  • macOS (Apple Silicon)
  • OAuth app in production mode (not testing)
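
Added example, not part of the issue and not gws code: a Python sketch of building a Google consent URL that carries several full scope URLs in one encoded `scope` parameter with incremental authorization requested, plus a check of a token response for the contacts write scope before calling createContact. The client ID, redirect URI, the `userinfo.profile` stand-in scope and the sample token response are constructed assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CONTACTS_WRITE = "https://www.googleapis.com/auth/contacts"  # scope named in the issue
PROFILE_READ = "https://www.googleapis.com/auth/userinfo.profile"  # assumed stand-in for a read scope


def build_auth_url(client_id, redirect_uri, scopes, incremental=True):
    """Build a consent URL with every scope in one space-delimited `scope` value."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "access_type": "offline",  # ask for a refresh token
        "scope": " ".join(dict.fromkeys(scopes)),  # de-duplicate, keep order
    }
    if incremental:
        # Ask Google to carry previously granted scopes into the new grant.
        params["include_granted_scopes"] = "true"
    # urlencode percent-encodes ':' and '/' and turns the separating spaces into '+'
    return AUTH_ENDPOINT + "?" + urlencode(params)


def scopes_in_url(url):
    """Decode the `scope` parameter back into a list, as the server would see it."""
    return parse_qs(urlsplit(url).query)["scope"][0].split()


def missing_scopes(token_response, required):
    """Return required scopes absent from a token response's `scope` field."""
    granted = set(token_response.get("scope", "").split())
    return sorted(set(required) - granted)


if __name__ == "__main__":
    # Constructed values: placeholder client ID and loopback redirect URI.
    url = build_auth_url("example-client-id.apps.googleusercontent.com",
                         "http://localhost:8080/", [PROFILE_READ, CONTACTS_WRITE])
    print(url)
    print(scopes_in_url(url))
    # Constructed token response that was granted the read scope only.
    token = {"access_token": "constructed", "scope": PROFILE_READ}
    print(missing_scopes(token, [CONTACTS_WRITE]))
```

Checking the `scope` field of the token response turns the 403 into a local, explicit "scope missing" result, and requesting only the contacts scope on top of what is already granted keeps the token's privileges narrow.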
