hughdbrown
diff --git a/‎cmd/msgvault/cmd/addaccount.go‎
Lines changed: 3 additions & 3 deletions b/‎cmd/msgvault/cmd/addaccount.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cmd/msgvault/cmd/deletions.go‎
Lines changed: 5 additions & 2 deletions b/‎cmd/msgvault/cmd/deletions.go‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎cmd/msgvault/cmd/root.go‎
Lines changed: 29 additions & 13 deletions b/‎cmd/msgvault/cmd/root.go‎
Lines changed: 29 additions & 13 deletions
@@ -23,7 +23,8 @@ By default, opens a browser for authorization. Use --headless to see instruction
 for authorizing on headless servers (Google does not support Gmail in device flow).
 
 If a token already exists, the command skips authorization. Use --force to delete
-the existing token and re-authorize (useful when a token has expired or been revoked).
+the existing token and start a fresh OAuth flow (most token issues are handled
+automatically during sync and verify).
 
 Examples:
   msgvault add-account you@gmail.com
@@ -95,7 +96,6 @@ Examples:
 			}
 			fmt.Printf("Account %s is already authorized.\n", email)
 			fmt.Println("Next step: msgvault sync-full", email)
-			fmt.Println("To re-authorize (e.g., expired token), run: msgvault add-account", email, "--force")
 			return nil
 		}
 
@@ -128,7 +128,7 @@ Examples:
 
 func init() {
 	addAccountCmd.Flags().BoolVar(&headless, "headless", false, "Show instructions for headless server setup")
-	addAccountCmd.Flags().BoolVar(&forceReauth, "force", false, "Delete existing token and re-authorize (use when token is expired or revoked)")
+	addAccountCmd.Flags().BoolVar(&forceReauth, "force", false, "Delete existing token and re-authorize")
 	addAccountCmd.Flags().StringVar(&accountDisplayName, "display-name", "", "Display name for the account (e.g., \"Work\", \"Personal\")")
 	rootCmd.AddCommand(addAccountCmd)
 }
@@ -11,6 +11,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/mattn/go-isatty"
 	"github.com/spf13/cobra"
 	"github.com/wesm/msgvault/internal/deletion"
 	"github.com/wesm/msgvault/internal/gmail"
@@ -410,9 +411,11 @@ Examples:
 			// If no scope metadata at all (legacy token), fall through to reactive detection
 		}
 
-		tokenSource, err := oauthMgr.TokenSource(ctx, account)
+		interactive := isatty.IsTerminal(os.Stdin.Fd()) ||
+			isatty.IsCygwinTerminal(os.Stdin.Fd())
+		tokenSource, err := getTokenSourceWithReauth(ctx, oauthMgr, account, interactive)
 		if err != nil {
-			return fmt.Errorf("get token source: %w", err)
+			return err
 		}
 
 		// Create Gmail client
 
@@ -8,10 +8,8 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/mattn/go-isatty"
 	"github.com/spf13/cobra"
 	"github.com/wesm/msgvault/internal/config"
-	"github.com/wesm/msgvault/internal/oauth"
 	"golang.org/x/oauth2"
 )
 
@@ -158,22 +156,35 @@ func isAuthInvalidError(err error) bool {
 	return false
 }
 
+// tokenReauthorizer abstracts the oauth.Manager methods used by
+// getTokenSourceWithReauth, making the function testable without real OAuth.
+type tokenReauthorizer interface {
+	TokenSource(ctx context.Context, email string) (oauth2.TokenSource, error)
+	HasToken(email string) bool
+	DeleteToken(email string) error
+	Authorize(ctx context.Context, email string) error
+}
+
 // getTokenSourceWithReauth tries to get a token source for the given email.
 // If the token exists but is expired/revoked (invalid_grant), it automatically
 // deletes the old token and re-initiates the OAuth browser flow.
 // Transient errors (network, context cancellation) are returned as-is without
 // deleting the token.
-// NOTE: This function requires a browser and an interactive terminal for
-// re-authorization. Only use from interactive CLI commands (sync, sync-full,
-// verify), not from daemon mode (serve).
-func getTokenSourceWithReauth(ctx context.Context, oauthMgr *oauth.Manager, email string) (oauth2.TokenSource, error) {
-	tokenSource, err := oauthMgr.TokenSource(ctx, email)
+// The interactive parameter controls whether the function can open a browser
+// for re-authorization. Callers should pass the result of an isatty check.
+func getTokenSourceWithReauth(
+	ctx context.Context,
+	mgr tokenReauthorizer,
+	email string,
+	interactive bool,
+) (oauth2.TokenSource, error) {
+	tokenSource, err := mgr.TokenSource(ctx, email)
 	if err == nil {
 		return tokenSource, nil
 	}
 
 	// No token at all — user needs to run add-account
-	if !oauthMgr.HasToken(email) {
+	if !mgr.HasToken(email) {
 		return nil, fmt.Errorf("get token source: %w (run 'add-account %s' first)", err, email)
 	}
 
@@ -183,22 +194,27 @@ func getTokenSourceWithReauth(ctx context.Context, oauthMgr *oauth.Manager, emai
 	}
 
 	// Non-interactive session cannot open a browser for reauth
-	if !isatty.IsTerminal(os.Stdin.Fd()) && !isatty.IsCygwinTerminal(os.Stdin.Fd()) {
-		return nil, fmt.Errorf("token for %s is expired or revoked, but cannot re-authorize in a non-interactive session (run 'add-account --force %s' from a terminal)", email, email)
+	if !interactive {
+		return nil, fmt.Errorf(
+			"token for %s is expired or revoked, but cannot re-authorize "+
+				"in a non-interactive session (run this command from an "+
+				"interactive terminal to re-authorize automatically)",
+			email,
+		)
 	}
 
 	fmt.Printf("Token for %s is expired or revoked. Re-authorizing...\n", email)
 
-	if delErr := oauthMgr.DeleteToken(email); delErr != nil {
+	if delErr := mgr.DeleteToken(email); delErr != nil {
 		return nil, fmt.Errorf("delete expired token: %w", delErr)
 	}
 
-	if authErr := oauthMgr.Authorize(ctx, email); authErr != nil {
+	if authErr := mgr.Authorize(ctx, email); authErr != nil {
 		return nil, fmt.Errorf("re-authorize %s: %w", email, authErr)
 	}
 
 	// Retry with the new token
-	tokenSource, err = oauthMgr.TokenSource(ctx, email)
+	tokenSource, err = mgr.TokenSource(ctx, email)
 	if err != nil {
 		return nil, fmt.Errorf("get token source after re-authorization: %w", err)
 	}