test(secrets): add coverage for keyring backend validation

- Add table-driven tests for allowedBackendsFromEnv()
- Add errInvalidKeyringBackend sentinel for testable error checking
- Fix formatting alignment in auth.go and store.go

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: salmonumbrella

internal/cmd/auth.go

@@ -19,10 +19,10 @@ import (
 )
 
 var (
-	openSecretsStore    = secrets.OpenDefault
-	authorizeGoogle     = googleauth.Authorize
-	startManageServer   = googleauth.StartManageServer
-	checkRefreshToken   = googleauth.CheckRefreshToken
+	openSecretsStore     = secrets.OpenDefault
+	authorizeGoogle      = googleauth.Authorize
+	startManageServer    = googleauth.StartManageServer
+	checkRefreshToken    = googleauth.CheckRefreshToken
 	ensureKeychainAccess = defaultEnsureKeychainAccess
 )
 

internal/secrets/store.go

@@ -37,13 +37,16 @@ type Token struct {
 	RefreshToken string    `json:"-"`
 }
 
-const keyringPasswordEnv = "GOG_KEYRING_PASSWORD" //nolint:gosec // env var name, not a credential
-const keyringBackendEnv = "GOG_KEYRING_BACKEND"   //nolint:gosec // env var name, not a credential
+const (
+	keyringPasswordEnv = "GOG_KEYRING_PASSWORD" //nolint:gosec // env var name, not a credential
+	keyringBackendEnv  = "GOG_KEYRING_BACKEND"  //nolint:gosec // env var name, not a credential
+)
 
 var (
-	errMissingEmail        = errors.New("missing email")
-	errMissingRefreshToken = errors.New("missing refresh token")
-	errNoTTY               = errors.New("no TTY available for keyring file backend password prompt")
+	errMissingEmail          = errors.New("missing email")
+	errMissingRefreshToken   = errors.New("missing refresh token")
+	errNoTTY                 = errors.New("no TTY available for keyring file backend password prompt")
+	errInvalidKeyringBackend = errors.New("invalid keyring backend")
 )
 
 func allowedBackendsFromEnv() ([]keyring.BackendType, error) {
@@ -55,7 +58,7 @@ func allowedBackendsFromEnv() ([]keyring.BackendType, error) {
 	case "file":
 		return []keyring.BackendType{keyring.FileBackend}, nil
 	default:
-		return nil, fmt.Errorf("invalid %s (expected auto, keychain, or file)", keyringBackendEnv)
+		return nil, fmt.Errorf("%w: %s (expected auto, keychain, or file)", errInvalidKeyringBackend, keyringBackendEnv)
 	}
 }
 

internal/secrets/store_more_test.go

@@ -1,6 +1,7 @@
 package secrets
 
 import (
+	"errors"
 	"testing"
 
 	"github.com/99designs/keyring"
@@ -86,3 +87,44 @@ func TestFileKeyringPasswordFunc(t *testing.T) {
 		t.Fatalf("expected secret, got %q err=%v", res.got, res.err)
 	}
 }
+
+func TestAllowedBackendsFromEnv(t *testing.T) {
+	tests := []struct {
+		name    string
+		envVal  string
+		wantLen int
+		wantErr bool
+	}{
+		{"empty defaults to nil", "", 0, false},
+		{"auto defaults to nil", "auto", 0, false},
+		{"keychain returns one backend", "keychain", 1, false},
+		{"file returns one backend", "file", 1, false},
+		{"invalid returns error", "invalid", 0, true},
+		{"whitespace trimmed", "  keychain  ", 1, false},
+		{"case insensitive", "KEYCHAIN", 1, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Setenv(keyringBackendEnv, tt.envVal)
+			backends, err := allowedBackendsFromEnv()
+
+			if tt.wantErr {
+				if err == nil {
+					t.Fatal("expected error")
+				}
+				if !errors.Is(err, errInvalidKeyringBackend) {
+					t.Errorf("expected errInvalidKeyringBackend, got %v", err)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(backends) != tt.wantLen {
+				t.Errorf("expected %d backends, got %d", tt.wantLen, len(backends))
+			}
+		})
+	}
+}