googleworkspace
diff --git a/‎.changeset/stderr-output-hygiene.md‎
Lines changed: 10 additions & 0 deletions b/‎.changeset/stderr-output-hygiene.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/credential_store.rs‎
Lines changed: 10 additions & 2 deletions b/‎src/credential_store.rs‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎src/error.rs‎
Lines changed: 117 additions & 8 deletions b/‎src/error.rs‎
Lines changed: 117 additions & 8 deletions
diff --git a/‎src/executor.rs‎
Lines changed: 5 additions & 2 deletions b/‎src/executor.rs‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎src/generate_skills.rs‎
Lines changed: 5 additions & 2 deletions b/‎src/generate_skills.rs‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎src/helpers/calendar.rs‎
Lines changed: 2 additions & 1 deletion b/‎src/helpers/calendar.rs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/helpers/chat.rs‎
Lines changed: 2 additions & 1 deletion b/‎src/helpers/chat.rs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/helpers/docs.rs‎
Lines changed: 2 additions & 1 deletion b/‎src/helpers/docs.rs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/helpers/drive.rs‎
Lines changed: 2 additions & 1 deletion b/‎src/helpers/drive.rs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/helpers/events/subscribe.rs‎
Lines changed: 6 additions & 1 deletion b/‎src/helpers/events/subscribe.rs‎
Lines changed: 6 additions & 1 deletion
@@ -0,0 +1,10 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Stderr/output hygiene rollup: route diagnostics to stderr, add colored error labels, propagate auth errors.
+
+- **triage.rs**: "No messages found" sent to stderr so stdout stays valid JSON for pipes
+- **modelarmor.rs**: response body printed only on success; error message now includes body for diagnostics
+- **error.rs**: colored `error[variant]:` labels on stderr (respects `NO_COLOR` env var), `hint:` prefix for accessNotConfigured guidance
+- **calendar, chat, docs, drive, script, sheets**: auth failures now propagate as `GwsError::Auth` instead of silently proceeding unauthenticated (dry-run still works without auth)
@@ -14,6 +14,8 @@
 
 use std::path::PathBuf;
 
+use crate::error::sanitize_for_terminal;
+
 use aes_gcm::aead::{Aead, KeyInit, OsRng};
 use aes_gcm::{AeadCore, Aes256Gcm, Nonce};
 
@@ -31,7 +33,10 @@ fn ensure_key_dir(path: &std::path::Path) -> std::io::Result<()> {
             use std::os::unix::fs::PermissionsExt;
             if let Err(e) = std::fs::set_permissions(parent, std::fs::Permissions::from_mode(0o700))
             {
-                eprintln!("Warning: failed to set secure permissions on key directory: {e}");
+                eprintln!(
+                    "Warning: failed to set secure permissions on key directory: {}",
+                    sanitize_for_terminal(&e.to_string())
+                );
             }
         }
     }
@@ -251,7 +256,10 @@ fn resolve_key(
                 }
             }
             Err(e) => {
-                eprintln!("Warning: keyring access failed, falling back to file storage: {e}");
+                eprintln!(
+                    "Warning: keyring access failed, falling back to file storage: {}",
+                    sanitize_for_terminal(&e.to_string())
+                );
             }
         }
     }
 
@@ -148,34 +148,89 @@ impl GwsError {
     }
 }
 
+/// Returns true when stderr is connected to an interactive terminal,
+/// meaning ANSI color codes will be visible to the user.
+fn stderr_supports_color() -> bool {
+    use std::io::IsTerminal;
+    std::io::stderr().is_terminal() && std::env::var_os("NO_COLOR").is_none()
+}
+
+/// Wrap `text` in ANSI bold + the given color code, resetting afterwards.
+/// Returns the plain text unchanged when stderr is not a TTY.
+fn colorize(text: &str, ansi_color: &str) -> String {
+    if stderr_supports_color() {
+        format!("\x1b[1;{ansi_color}m{text}\x1b[0m")
+    } else {
+        text.to_string()
+    }
+}
+
+/// Strip terminal control characters from `text` to prevent escape-sequence
+/// injection when printing untrusted content (API responses, user input) to
+/// stderr.  Preserves newlines and tabs for readability.
+pub(crate) fn sanitize_for_terminal(text: &str) -> String {
+    text.chars()
+        .filter(|&c| {
+            if c == '\n' || c == '\t' {
+                return true;
+            }
+            !c.is_control()
+        })
+        .collect()
+}
+
+/// Format a colored error label for the given error variant.
+fn error_label(err: &GwsError) -> String {
+    match err {
+        GwsError::Api { .. } => colorize("error[api]:", "31"), // red
+        GwsError::Auth(_) => colorize("error[auth]:", "31"),   // red
+        GwsError::Validation(_) => colorize("error[validation]:", "33"), // yellow
+        GwsError::Discovery(_) => colorize("error[discovery]:", "31"), // red
+        GwsError::Other(_) => colorize("error:", "31"),        // red
+    }
+}
+
 /// Formats any error as a JSON object and prints to stdout.
 ///
-/// For `accessNotConfigured` errors (HTTP 403, reason `accessNotConfigured`),
-/// additional human-readable guidance is printed to stderr explaining how to
-/// enable the API in GCP. The JSON output on stdout is unchanged (machine-readable).
+/// A human-readable colored label is printed to stderr when connected to a
+/// TTY. For `accessNotConfigured` errors (HTTP 403, reason
+/// `accessNotConfigured`), additional guidance is printed to stderr.
+/// The JSON output on stdout is unchanged (machine-readable).
 pub fn print_error_json(err: &GwsError) {
     let json = err.to_json();
     println!(
         "{}",
         serde_json::to_string_pretty(&json).unwrap_or_default()
     );
 
-    // Print actionable guidance to stderr for accessNotConfigured errors
+    // Print a colored summary to stderr. For accessNotConfigured errors,
+    // print specialized guidance instead of the generic message to avoid
+    // redundant output (the full API error already appears in the JSON).
     if let GwsError::Api {
         reason, enable_url, ..
     } = err
     {
         if reason == "accessNotConfigured" {
             eprintln!();
-            eprintln!("💡 API not enabled for your GCP project.");
+            let hint = colorize("hint:", "36"); // cyan
+            eprintln!(
+                "{} {hint} API not enabled for your GCP project.",
+                error_label(err)
+            );
             if let Some(url) = enable_url {
-                eprintln!("   Enable it at: {url}");
+                eprintln!("      Enable it at: {url}");
             } else {
-                eprintln!("   Visit the GCP Console → APIs & Services → Library to enable the required API.");
+                eprintln!("      Visit the GCP Console → APIs & Services → Library to enable the required API.");
             }
-            eprintln!("   After enabling, wait a few seconds and retry your command.");
+            eprintln!("      After enabling, wait a few seconds and retry your command.");
+            return;
         }
     }
+    eprintln!(
+        "{} {}",
+        error_label(err),
+        sanitize_for_terminal(&err.to_string())
+    );
 }
 
 #[cfg(test)]
@@ -327,4 +382,58 @@ mod tests {
         // enable_url key should not appear in JSON when None
         assert!(json["error"]["enable_url"].is_null());
     }
+
+    // --- colored output tests ---
+
+    #[test]
+    #[serial_test::serial]
+    fn test_colorize_respects_no_color_env() {
+        // NO_COLOR is the de-facto standard for disabling colors.
+        // When set, colorize() should return the plain text.
+        std::env::set_var("NO_COLOR", "1");
+        let result = colorize("hello", "31");
+        std::env::remove_var("NO_COLOR");
+        assert_eq!(result, "hello");
+    }
+
+    #[test]
+    fn test_error_label_contains_variant_name() {
+        let api_err = GwsError::Api {
+            code: 400,
+            message: "bad".to_string(),
+            reason: "r".to_string(),
+            enable_url: None,
+        };
+        let label = error_label(&api_err);
+        assert!(label.contains("error[api]:"));
+
+        let auth_err = GwsError::Auth("fail".to_string());
+        assert!(error_label(&auth_err).contains("error[auth]:"));
+
+        let val_err = GwsError::Validation("bad input".to_string());
+        assert!(error_label(&val_err).contains("error[validation]:"));
+
+        let disc_err = GwsError::Discovery("missing".to_string());
+        assert!(error_label(&disc_err).contains("error[discovery]:"));
+
+        let other_err = GwsError::Other(anyhow::anyhow!("oops"));
+        assert!(error_label(&other_err).contains("error:"));
+    }
+
+    #[test]
+    fn test_sanitize_for_terminal_strips_control_chars() {
+        // ANSI escape sequence should be stripped
+        let input = "normal \x1b[31mred text\x1b[0m end";
+        let sanitized = sanitize_for_terminal(input);
+        assert_eq!(sanitized, "normal [31mred text[0m end");
+        assert!(!sanitized.contains('\x1b'));
+
+        // Newlines and tabs preserved
+        let input2 = "line1\nline2\ttab";
+        assert_eq!(sanitize_for_terminal(input2), "line1\nline2\ttab");
+
+        // Other control characters stripped
+        let input3 = "hello\x07bell\x08backspace";
+        assert_eq!(sanitize_for_terminal(input3), "hellobellbackspace");
+    }
 }
@@ -28,7 +28,7 @@ use serde_json::{json, Map, Value};
 use tokio::io::AsyncWriteExt;
 
 use crate::discovery::{RestDescription, RestMethod};
-use crate::error::GwsError;
+use crate::error::{sanitize_for_terminal, GwsError};
 
 /// Tracks what authentication method was used for the request.
 #[derive(Debug, Clone, PartialEq)]
@@ -261,7 +261,10 @@ async fn handle_json_response(
                     }
                 }
                 Err(e) => {
-                    eprintln!("⚠️  Model Armor sanitization failed: {e}");
+                    eprintln!(
+                        "⚠️  Model Armor sanitization failed: {}",
+                        sanitize_for_terminal(&e.to_string())
+                    );
                 }
             }
         }
 
@@ -18,7 +18,7 @@
 
 use crate::commands;
 use crate::discovery;
-use crate::error::GwsError;
+use crate::error::{sanitize_for_terminal, GwsError};
 use crate::services;
 use clap::Command;
 use std::path::Path;
@@ -123,7 +123,10 @@ pub async fn handle_generate_skills(args: &[String]) -> Result<(), GwsError> {
             match discovery::fetch_discovery_document(entry.api_name, entry.version).await {
                 Ok(d) => d,
                 Err(e) => {
-                    eprintln!("  WARNING: Failed to fetch discovery doc for {alias}: {e}");
+                    eprintln!(
+                        "  WARNING: Failed to fetch discovery doc for {alias}: {}",
+                        sanitize_for_terminal(&e.to_string())
+                    );
                     continue;
                 }
             }
 
@@ -167,7 +167,8 @@ TIPS:
                 let scopes_str: Vec<&str> = scopes.iter().map(|s| s.as_str()).collect();
                 let (token, auth_method) = match auth::get_token(&scopes_str).await {
                     Ok(t) => (Some(t), executor::AuthMethod::OAuth),
-                    Err(_) => (None, executor::AuthMethod::None),
+                    Err(_) if matches.get_flag("dry-run") => (None, executor::AuthMethod::None),
+                    Err(e) => return Err(GwsError::Auth(format!("Calendar auth failed: {e}"))),
                 };
 
                 let events_res = doc.resources.get("events").ok_or_else(|| {
 
@@ -80,7 +80,8 @@ TIPS:
                 let scope_strs: Vec<&str> = scopes.iter().map(|s| s.as_str()).collect();
                 let (token, auth_method) = match auth::get_token(&scope_strs).await {
                     Ok(t) => (Some(t), executor::AuthMethod::OAuth),
-                    Err(_) => (None, executor::AuthMethod::None),
+                    Err(_) if matches.get_flag("dry-run") => (None, executor::AuthMethod::None),
+                    Err(e) => return Err(GwsError::Auth(format!("Chat auth failed: {e}"))),
                 };
 
                 // Method: spaces.messages.create
 
@@ -72,7 +72,8 @@ TIPS:
                 let scope_strs: Vec<&str> = scopes.iter().map(|s| s.as_str()).collect();
                 let (token, auth_method) = match auth::get_token(&scope_strs).await {
                     Ok(t) => (Some(t), executor::AuthMethod::OAuth),
-                    Err(_) => (None, executor::AuthMethod::None),
+                    Err(_) if matches.get_flag("dry-run") => (None, executor::AuthMethod::None),
+                    Err(e) => return Err(GwsError::Auth(format!("Docs auth failed: {e}"))),
                 };
 
                 // Method: documents.batchUpdate
 
@@ -98,7 +98,8 @@ TIPS:
                 let scopes: Vec<&str> = create_method.scopes.iter().map(|s| s.as_str()).collect();
                 let (token, auth_method) = match auth::get_token(&scopes).await {
                     Ok(t) => (Some(t), executor::AuthMethod::OAuth),
-                    Err(_) => (None, executor::AuthMethod::None),
+                    Err(_) if matches.get_flag("dry-run") => (None, executor::AuthMethod::None),
+                    Err(e) => return Err(GwsError::Auth(format!("Drive auth failed: {e}"))),
                 };
 
                 executor::execute_method(
 
@@ -1,5 +1,6 @@
 use super::*;
 use crate::auth::AccessTokenProvider;
+use crate::error::sanitize_for_terminal;
 use crate::helpers::PUBSUB_API_BASE;
 use std::path::PathBuf;
 
@@ -375,7 +376,11 @@ async fn pull_loop(
                     .unwrap_or(0);
                 let path = dir.join(format!("{ts}_{file_counter}.json"));
                 if let Err(e) = std::fs::write(&path, &json_str) {
-                    eprintln!("Warning: failed to write {}: {e}", path.display());
+                    eprintln!(
+                        "Warning: failed to write {}: {}",
+                        path.display(),
+                        sanitize_for_terminal(&e.to_string())
+                    );
                 } else {
                     eprintln!("Wrote {}", path.display());
                 }
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,8 @@`
`14`	`14`
`15`	`15`	`use std::path::PathBuf;`
`16`	`16`
	`17`	`+use crate::error::sanitize_for_terminal;`
	`18`	`+`
`17`	`19`	`use aes_gcm::aead::{Aead, KeyInit, OsRng};`
`18`	`20`	`use aes_gcm::{AeadCore, Aes256Gcm, Nonce};`
`19`	`21`
`@@ -31,7 +33,10 @@ fn ensure_key_dir(path: &std::path::Path) -> std::io::Result<()> {`
`31`	`33`	`use std::os::unix::fs::PermissionsExt;`
`32`	`34`	`if let Err(e) = std::fs::set_permissions(parent, std::fs::Permissions::from_mode(0o700))`
`33`	`35`	`{`
`34`		`- eprintln!("Warning: failed to set secure permissions on key directory: {e}");`
	`36`	`+ eprintln!(`
	`37`	`+ "Warning: failed to set secure permissions on key directory: {}",`
	`38`	`+ sanitize_for_terminal(&e.to_string())`
	`39`	`+ );`
`35`	`40`	`}`
`36`	`41`	`}`
`37`	`42`	`}`
`@@ -251,7 +256,10 @@ fn resolve_key(`
`251`	`256`	`}`
`252`	`257`	`}`
`253`	`258`	`Err(e) => {`
`254`		`- eprintln!("Warning: keyring access failed, falling back to file storage: {e}");`
	`259`	`+ eprintln!(`
	`260`	`+ "Warning: keyring access failed, falling back to file storage: {}",`
	`261`	`+ sanitize_for_terminal(&e.to_string())`
	`262`	`+ );`
`255`	`263`	`}`
`256`	`264`	`}`
`257`	`265`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ use serde_json::{json, Map, Value};`
`28`	`28`	`use tokio::io::AsyncWriteExt;`
`29`	`29`
`30`	`30`	`use crate::discovery::{RestDescription, RestMethod};`
`31`		`-use crate::error::GwsError;`
	`31`	`+use crate::error::{sanitize_for_terminal, GwsError};`
`32`	`32`
`33`	`33`	`/// Tracks what authentication method was used for the request.`
`34`	`34`	`#[derive(Debug, Clone, PartialEq)]`
`@@ -261,7 +261,10 @@ async fn handle_json_response(`
`261`	`261`	`}`
`262`	`262`	`}`
`263`	`263`	`Err(e) => {`
`264`		`- eprintln!("⚠️ Model Armor sanitization failed: {e}");`
	`264`	`+ eprintln!(`
	`265`	`+ "⚠️ Model Armor sanitization failed: {}",`
	`266`	`+ sanitize_for_terminal(&e.to_string())`
	`267`	`+ );`
`265`	`268`	`}`
`266`	`269`	`}`
`267`	`270`	`}`