K-dash
diff --git a/‎crates/nblm-cli/Cargo.toml‎
Lines changed: 2 additions & 2 deletions b/‎crates/nblm-cli/Cargo.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎crates/nblm-cli/src/app.rs‎
Lines changed: 8 additions & 6 deletions b/‎crates/nblm-cli/src/app.rs‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎crates/nblm-core/Cargo.toml‎
Lines changed: 15 additions & 3 deletions b/‎crates/nblm-core/Cargo.toml‎
Lines changed: 15 additions & 3 deletions
diff --git a/‎crates/nblm-core/src/auth.rs‎
Lines changed: 168 additions & 0 deletions b/‎crates/nblm-core/src/auth.rs‎
Lines changed: 168 additions & 0 deletions
@@ -1,6 +1,6 @@
 [package]
 name = "nblm-cli"
-version = "0.1.5"
+version = "0.2.0"
 edition = "2021"
 license = "MIT"
 description = "Command-line interface for NotebookLM Enterprise API"
@@ -24,7 +24,7 @@ tokio = { version = "1.48.0", features = ["macros", "rt-multi-thread"] }
 async-trait = "0.1.83"
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.20", features = ["env-filter", "fmt", "json"] }
-nblm-core = { version = "0.1.5", path = "../nblm-core" }
+nblm-core = { version = "0.2.0", path = "../nblm-core" }
 humantime = "2.3.0"
 url = "2.5.7"
 mime_guess = "2.0.5"
 
@@ -62,12 +62,14 @@ impl NblmApp {
     }
 
     pub async fn run(self) -> Result<()> {
-        let json_mode = self.cli.global.json;
-        match self.cli.command {
-            Command::Notebooks(cmd) => notebooks::run(cmd, &self.client, json_mode).await,
-            Command::Sources(cmd) => sources::run(cmd, &self.client, json_mode).await,
-            Command::Audio(cmd) => audio::run(cmd, &self.client, json_mode).await,
-            Command::Share(cmd) => share::run(cmd, &self.client, json_mode).await,
+        let NblmApp { cli, client } = self;
+
+        let json_mode = cli.global.json;
+        match cli.command {
+            Command::Notebooks(cmd) => notebooks::run(cmd, &client, json_mode).await,
+            Command::Sources(cmd) => sources::run(cmd, &client, json_mode).await,
+            Command::Audio(cmd) => audio::run(cmd, &client, json_mode).await,
+            Command::Share(cmd) => share::run(cmd, &client, json_mode).await,
             Command::Doctor(cmd) => doctor::run(cmd).await,
         }
     }
 
@@ -1,6 +1,6 @@
 [package]
 name = "nblm-core"
-version = "0.1.5"
+version = "0.2.0"
 edition = "2021"
 license = "MIT"
 description = "Core library for NotebookLM Enterprise API client"
@@ -17,11 +17,19 @@ doctest = false
 [dependencies]
 anyhow = "1.0.100"
 async-trait = "0.1.89"
-reqwest = { version = "0.12.24", default-features = false, features = ["json", "rustls-tls"] }
+reqwest = { version = "0.12.24", default-features = false, features = [
+    "json",
+    "rustls-tls",
+] }
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.145"
 thiserror = "2.0.17"
-tokio = { version = "1.48.0", features = ["macros", "rt-multi-thread", "process", "time"] }
+tokio = { version = "1.48.0", features = [
+    "macros",
+    "rt-multi-thread",
+    "process",
+    "time",
+] }
 url = "2.5.7"
 backon = "1.6.0"
 tracing = "0.1.41"
@@ -30,3 +38,7 @@ bytes = "1.7.1"
 
 [features]
 default = []
+
+[dev-dependencies]
+wiremock = "0.6.5"
+serial_test = "3.2.0"
@@ -1,6 +1,8 @@
 use std::env;
 
 use async_trait::async_trait;
+use reqwest::Client;
+use serde::Deserialize;
 use tokio::process::Command;
 
 use crate::error::{Error, Result};
@@ -40,6 +42,81 @@ pub trait TokenProvider: Send + Sync {
     }
 }
 
+const TOKENINFO_ENDPOINT: &str = "https://www.googleapis.com/oauth2/v3/tokeninfo";
+const DRIVE_SCOPE: &str = "https://www.googleapis.com/auth/drive";
+const DRIVE_FILE_SCOPE: &str = "https://www.googleapis.com/auth/drive.file";
+
+#[derive(Debug, Deserialize)]
+struct TokenInfoResponse {
+    scope: Option<String>,
+}
+
+pub async fn ensure_drive_scope(provider: &dyn TokenProvider) -> Result<()> {
+    let client = Client::new();
+    let endpoint =
+        std::env::var("NBLM_TOKENINFO_ENDPOINT").unwrap_or_else(|_| TOKENINFO_ENDPOINT.to_string());
+    ensure_drive_scope_internal(provider, &client, &endpoint).await
+}
+
+async fn ensure_drive_scope_internal(
+    provider: &dyn TokenProvider,
+    client: &Client,
+    endpoint: &str,
+) -> Result<()> {
+    let access_token = provider.access_token().await?;
+
+    let response = client
+        .get(endpoint)
+        .query(&[("access_token", access_token.as_str())])
+        .send()
+        .await
+        .map_err(|err| {
+            Error::TokenProvider(format!("failed to validate Google Drive token: {err}"))
+        })?;
+
+    if !response.status().is_success() {
+        let status = response.status();
+        let body = response
+            .text()
+            .await
+            .unwrap_or_else(|_| String::from("<failed to read body>"));
+        return Err(Error::TokenProvider(format!(
+            "failed to validate Google Drive token (status {}): {}",
+            status.as_u16(),
+            body.trim()
+        )));
+    }
+
+    let info: TokenInfoResponse = response
+        .json()
+        .await
+        .map_err(|err| Error::TokenProvider(format!("invalid tokeninfo response: {err}")))?;
+
+    let scopes = info.scope.unwrap_or_default();
+    if scope_grants_drive_access(&scopes) {
+        Ok(())
+    } else {
+        Err(Error::TokenProvider(
+            "Google Drive access token is missing the required drive.file scope. Run `gcloud auth login --enable-gdrive-access` and retry.".to_string(),
+        ))
+    }
+}
+
+fn scope_grants_drive_access(scopes: &str) -> bool {
+    scopes
+        .split_whitespace()
+        .any(|scope| scope == DRIVE_FILE_SCOPE || scope == DRIVE_SCOPE)
+}
+
+#[cfg(test)]
+pub(crate) async fn ensure_drive_scope_with_endpoint(
+    provider: &dyn TokenProvider,
+    client: &Client,
+    endpoint: &str,
+) -> Result<()> {
+    ensure_drive_scope_internal(provider, client, endpoint).await
+}
+
 #[derive(Debug, Default, Clone)]
 pub struct GcloudTokenProvider {
     binary: String,
@@ -137,6 +214,8 @@ impl TokenProvider for StaticTokenProvider {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use wiremock::matchers::{method, path, query_param};
+    use wiremock::{Mock, MockServer, ResponseTemplate};
 
     #[tokio::test]
     async fn static_token_provider_returns_token() {
@@ -199,4 +278,93 @@ mod tests {
         let provider = StaticTokenProvider::new("token");
         assert_eq!(provider.kind(), ProviderKind::StaticToken);
     }
+
+    fn expect_scope_result(scopes: &str, expected: bool) {
+        assert_eq!(scope_grants_drive_access(scopes), expected);
+    }
+
+    #[test]
+    fn scope_grants_drive_access_detects_required_scopes() {
+        expect_scope_result(DRIVE_FILE_SCOPE, true);
+        expect_scope_result(DRIVE_SCOPE, true);
+        expect_scope_result(
+            "https://www.googleapis.com/auth/spreadsheets.readonly",
+            false,
+        );
+        expect_scope_result(
+            &format!("{DRIVE_FILE_SCOPE} https://www.googleapis.com/auth/calendar"),
+            true,
+        );
+    }
+
+    #[tokio::test]
+    async fn ensure_drive_scope_accepts_valid_scope() {
+        let server = MockServer::start().await;
+        Mock::given(method("GET"))
+            .and(path("/oauth2/v3/tokeninfo"))
+            .and(query_param("access_token", "valid-token"))
+            .respond_with(ResponseTemplate::new(200).set_body_json(serde_json::json!({
+                "scope": DRIVE_FILE_SCOPE
+            })))
+            .mount(&server)
+            .await;
+
+        let provider = StaticTokenProvider::new("valid-token");
+        let client = reqwest::Client::new();
+        let endpoint = format!("{}/oauth2/v3/tokeninfo", server.uri());
+        let result = ensure_drive_scope_with_endpoint(&provider, &client, &endpoint).await;
+        assert!(result.is_ok());
+    }
+
+    #[tokio::test]
+    async fn ensure_drive_scope_rejects_missing_scope() {
+        let server = MockServer::start().await;
+        Mock::given(method("GET"))
+            .and(path("/oauth2/v3/tokeninfo"))
+            .and(query_param("access_token", "no-scope"))
+            .respond_with(ResponseTemplate::new(200).set_body_json(serde_json::json!({
+                "scope": "https://www.googleapis.com/auth/spreadsheets.readonly"
+            })))
+            .mount(&server)
+            .await;
+
+        let provider = StaticTokenProvider::new("no-scope");
+        let client = reqwest::Client::new();
+        let endpoint = format!("{}/oauth2/v3/tokeninfo", server.uri());
+        let err = ensure_drive_scope_with_endpoint(&provider, &client, &endpoint)
+            .await
+            .unwrap_err();
+
+        match err {
+            Error::TokenProvider(message) => {
+                assert!(message.contains("drive.file scope"));
+            }
+            _ => panic!("expected TokenProvider error"),
+        }
+    }
+
+    #[tokio::test]
+    async fn ensure_drive_scope_converts_http_failures() {
+        let server = MockServer::start().await;
+        Mock::given(method("GET"))
+            .and(path("/oauth2/v3/tokeninfo"))
+            .and(query_param("access_token", "bad-token"))
+            .respond_with(ResponseTemplate::new(400).set_body_string("invalid_token"))
+            .mount(&server)
+            .await;
+
+        let provider = StaticTokenProvider::new("bad-token");
+        let client = reqwest::Client::new();
+        let endpoint = format!("{}/oauth2/v3/tokeninfo", server.uri());
+        let err = ensure_drive_scope_with_endpoint(&provider, &client, &endpoint)
+            .await
+            .unwrap_err();
+
+        match err {
+            Error::TokenProvider(message) => {
+                assert!(message.contains("status 400"));
+            }
+            _ => panic!("expected TokenProvider error"),
+        }
+    }
 }