test(auth): add negative test for keychain access failure

Adds ensureKeychainAccess check before OAuth flow to fail early when
keychain is locked. Includes test to verify authorizeGoogle is not
called when keychain check fails.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: salmonumbrella

internal/cmd/auth.go

@@ -19,12 +19,24 @@ import (
 )
 
 var (
-	openSecretsStore  = secrets.OpenDefault
-	authorizeGoogle   = googleauth.Authorize
-	startManageServer = googleauth.StartManageServer
-	checkRefreshToken = googleauth.CheckRefreshToken
+	openSecretsStore    = secrets.OpenDefault
+	authorizeGoogle     = googleauth.Authorize
+	startManageServer   = googleauth.StartManageServer
+	checkRefreshToken   = googleauth.CheckRefreshToken
+	ensureKeychainAccess = defaultEnsureKeychainAccess
 )
 
+// defaultEnsureKeychainAccess verifies keychain is accessible before starting OAuth flow.
+func defaultEnsureKeychainAccess() error {
+	store, err := secrets.OpenDefault()
+	if err != nil {
+		return fmt.Errorf("keychain access: %w", err)
+	}
+	// Trigger a read to verify keychain access
+	_, _ = store.Keys()
+	return nil
+}
+
 type AuthCmd struct {
 	Credentials AuthCredentialsCmd `cmd:"" name:"credentials" help:"Store OAuth client credentials"`
 	Add         AuthAddCmd         `cmd:"" name:"add" help:"Authorize and store a refresh token"`
@@ -300,6 +312,11 @@ type AuthAddCmd struct {
 func (c *AuthAddCmd) Run(ctx context.Context) error {
 	u := ui.FromContext(ctx)
 
+	// Verify keychain access before starting the OAuth flow
+	if err := ensureKeychainAccess(); err != nil {
+		return err
+	}
+
 	var services []googleauth.Service
 	if strings.EqualFold(strings.TrimSpace(c.ServicesCSV), "") || strings.EqualFold(strings.TrimSpace(c.ServicesCSV), "all") {
 		services = googleauth.AllServices()

internal/cmd/auth_add_test.go

@@ -3,11 +3,14 @@ package cmd
 import (
 	"context"
 	"encoding/json"
+	"errors"
+	"io"
 	"strings"
 	"testing"
 
 	"github.com/steipete/gogcli/internal/googleauth"
 	"github.com/steipete/gogcli/internal/secrets"
+	"github.com/steipete/gogcli/internal/ui"
 )
 
 func TestAuthAddCmd_JSON(t *testing.T) {
@@ -70,3 +73,43 @@ func TestAuthAddCmd_JSON(t *testing.T) {
 		t.Fatalf("unexpected token: %#v", tok)
 	}
 }
+
+func TestAuthAddCmd_KeychainError(t *testing.T) {
+	origAuth := authorizeGoogle
+	origOpen := openSecretsStore
+	origKeychain := ensureKeychainAccess
+	t.Cleanup(func() {
+		authorizeGoogle = origAuth
+		openSecretsStore = origOpen
+		ensureKeychainAccess = origKeychain
+	})
+
+	// Simulate keychain locked error
+	ensureKeychainAccess = func() error {
+		return errors.New("keychain is locked")
+	}
+
+	authCalled := false
+	authorizeGoogle = func(ctx context.Context, opts googleauth.AuthorizeOptions) (string, error) {
+		authCalled = true
+		return "rt", nil
+	}
+
+	cmd := &AuthAddCmd{Email: "test@example.com", ServicesCSV: "gmail"}
+	u, uiErr := ui.New(ui.Options{Stdout: io.Discard, Stderr: io.Discard, Color: "never"})
+	if uiErr != nil {
+		t.Fatalf("ui.New: %v", uiErr)
+	}
+	ctx := ui.WithUI(context.Background(), u)
+	err := cmd.Run(ctx)
+
+	if err == nil {
+		t.Fatal("expected error when keychain is locked")
+	}
+	if !strings.Contains(err.Error(), "keychain") {
+		t.Errorf("expected error to mention keychain, got: %v", err)
+	}
+	if authCalled {
+		t.Error("authorizeGoogle should not be called when keychain check fails")
+	}
+}