Reduce Google Workspace MCP OAuth scopes using granular permissions

Changes the Google Workspace MCP configuration from `--tools` to
`--permissions` for more granular OAuth scope control.

**Before:**
- Requested ALL Gmail permissions (send, modify, delete, settings)
- Requested ALL Drive permissions

**After:**
- Gmail: send level only (includes send, readonly, labels, compose)
- Drive: full access (unchanged)

**Removed scopes:**
- gmail.modify (delete/trash emails)
- gmail.settings.basic (change settings)

This follows OAuth best practice of requesting minimum necessary scopes
and reduces the attack surface by removing unnecessary Gmail permissions.

**References:**
- workspace-mcp granular permissions: https://github.com/taylorwilsdon/google_workspace_mcp#granular-permissions
- Gmail permission levels are cumulative (readonly < organize < drafts < send < full)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: Gkrumbach07

components/runners/ambient-runner/.mcp.json

@@ -27,9 +27,9 @@
       "command": "uvx",
       "args": [
         "workspace-mcp@1.14.2",
-        "--tools",
-        "drive",
-        "gmail"
+        "--permissions",
+        "gmail:send",
+        "drive:full"
       ],
       "env": {
         "GOOGLE_MCP_CREDENTIALS_DIR": "${GOOGLE_MCP_CREDENTIALS_DIR}",