Fix deletion bugs: scope escalation, checkpoint recovery, progress UX

[wesm]

Summary

Fixes #8, #11. Comprehensive fixes to the deletion system covering OAuth scope handling, checkpoint/resume robustness, and CLI output quality.

OAuth scope escalation

When a user runs delete-staged for the first time, the existing OAuth token typically only has gmail.readonly + gmail.modify scopes. The deletion system now:

• Proactively detects insufficient scopes before attempting any API calls by checking stored token scope metadata

• Displays a clear permission upgrade prompt explaining what's needed:

  ======================================================================
  PERMISSION UPGRADE REQUIRED
  ======================================================================
  
  Batch deletion requires elevated Gmail permissions.
  
  Your current OAuth token was granted with limited permissions that
  don't include batch delete. To proceed, msgvault needs to:
  
    1. Delete your existing OAuth token
    2. Re-authorize with full Gmail access (mail.google.com scope)
  
  This elevated permission allows msgvault to permanently delete
  messages in bulk. You can revoke access anytime at:
    https://myaccount.google.com/permissions
  
  Upgrade permissions now? [y/N]:
  

  For trash (non-batch) deletion, a simpler variant is shown requesting gmail.modify scope.

• Canceling is clean: answering "N" returns to the prompt with no error, using a sentinel errUserCanceled error

• Reactive fallback: if the proactive check can't run (legacy tokens without scope metadata), scope errors from the API are caught and the same prompt is shown

• Legacy tokens (saved before scope tracking) are detected via HasScopeMetadata() and handled gracefully

Checkpoint and resume robustness

• Failed message IDs are tracked in ExecuteBatch (previously only in single-message Execute)
• Retry on resume: when resuming a manifest with FailedIDs, those IDs are retried before continuing with remaining messages
• Scope errors save accurate checkpoints: on insufficient-scope errors mid-retry, only unattempted + still-failed IDs are saved (not already-succeeded ones)
• CancelManifest now surfaces real I/O errors instead of silently continuing
• Fallback loop (batch→individual) tracks LastProcessedIndex per-message instead of per-batch
• Bounds checking for corrupted startIndex values

TUI drill-down context fix

• Fixed SourceID overwrite bug where "All Accounts" filter would clear the drill-down filter's source, causing deletion staging to ignore the current subgroup view

CLI output

• Progress bar with visual bar, percentage, count, ETA, and failure count
• ANSI escape sequences guarded by TTY detection — falls back to plain line-per-update when piped/redirected
• Executor logs downgraded to Debug to avoid colliding with progress output
• Clean completion summary line

Test plan

• delete-staged with insufficient scopes → shows permission upgrade prompt
• Canceling scope upgrade → clean return, no error
• Batch deletion with 404s (already deleted) → treated as success
• Resume after partial failure → retries failed IDs first
• Scope error mid-execution → saves checkpoint, propagates error
• make test && make lint pass
• Progress bar displays correctly on TTY
• Output is clean when redirected (delete-staged 2>&1 | cat)

🤖 Generated with Claude Code