Auto-detect missing scopes and re-auth

Added token_has_all_scopes() to ApiClient — reads stored
token.json and checks if all requested scopes are present.
If token exists but lacks calendar.readonly, the auth popup
is shown instead of silently failing in the sync engine.

src/app.rs

@@ -69,7 +69,7 @@ pub enum SyncCommand {
 
 impl App {
     pub fn new(db: Arc<Db>, api_client: Arc<ApiClient>, sync_tx: mpsc::Sender<SyncCommand>, _calendar_events_shared: Arc<tokio::sync::Mutex<Vec<CalendarEvent>>>) -> Self {
-        let has_token = api_client.has_token();
+        let has_token = api_client.has_token() && api_client.token_has_all_scopes();
         let (auth_tx, auth_rx) = std_mpsc::channel();
 
         let show_popup = if has_token {

src/infrastructure/api.rs

@@ -73,6 +73,22 @@ impl ApiClient {
         self.token_path.exists()
     }
 
+    pub fn token_has_all_scopes(&self) -> bool {
+        let content = match std::fs::read_to_string(&self.token_path) {
+            Ok(c) => c,
+            Err(_) => return false,
+        };
+        let value: serde_json::Value = match serde_json::from_str(&content) {
+            Ok(v) => v,
+            Err(_) => return false,
+        };
+        let scope = match value["scope"].as_str() {
+            Some(s) => s,
+            None => return false,
+        };
+        SCOPES.iter().all(|s| scope.contains(s))
+    }
+
     pub async fn start_and_wait_for_auth(&self) -> Result<(), ApiError> {
         self.authenticator.token(SCOPES).await.map_err(|e| {
             ApiError::Auth(format!("Authorization failed: {}", e))