fix(gmail-auth): request explicit filter settings scope

src/cli/gmail-auth.test.ts

@@ -71,7 +71,8 @@ describe('gmail-auth', () => {
       expect(url).toContain('https://accounts.google.com/o/oauth2/v2/auth');
       expect(url).toContain('client_id=my-client-id');
       expect(url).toContain('redirect_uri=http%3A%2F%2Flocalhost%3A3000');
-      expect(url).toContain('scope=https%3A%2F%2Fmail.google.com%2F');
+      expect(url).toContain('scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.settings.basic');
+      expect(url).toContain('https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly');
       expect(url).toContain('access_type=offline');
       expect(url).toContain('prompt=consent');
     });

src/cli/gmail-auth.ts

@@ -7,8 +7,10 @@ import { URL } from 'url';
 import { loadConfigSafe } from './shared.js';
 
 const SCOPES = [
-  // Full Gmail access (includes all filter operations and settings APIs).
-  'https://mail.google.com/',
+  // Explicitly request Gmail settings scope required by filters.create.
+  'https://www.googleapis.com/auth/gmail.settings.basic',
+  // Keep readonly mailbox access for list/search/read tooling.
+  'https://www.googleapis.com/auth/gmail.readonly',
 ];
 const REDIRECT_PORT = 3000;
 const REDIRECT_URI = `http://localhost:${REDIRECT_PORT}`;