Improve error messages with context wrapping (#24)

fullstackjam · claude · web-flow · commit 1f5ef62ece37 · 2026-04-19T16:40:05.000+08:00
* fix: wrap bare returned errors with context

Add fmt.Errorf("context: %w", err) wrapping on previously bare
`return err` sites in auth, shell, npm, and dotfiles. Per
CLAUDE.md convention, callers should get contextual error chains.

* test: skip filesystem-permission tests when running as root

Tests that rely on chmod 0500/0000 to trigger permission denied
silently succeed under root because root bypasses DAC checks,
leaving `err == nil` where the test expected a non-nil error and
panicking on the follow-up nil dereference. Guard these with
`os.Geteuid() == 0` skips; they still run as a non-root user or
in standard CI.

* refactor: make brewInstallURL const

The existing comment described it as a test seam, but no test
reassigns it. A const prevents accidental mutation; if a test
ever needs to override the URL, add a proper seam then.

---------

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
@@ -26,7 +26,7 @@ func TokenPath() (string, error) {
 func LoadToken() (*StoredAuth, error) {
 	path, err := TokenPath()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("load token: %w", err)
 	}
 	data, err := os.ReadFile(path)
 	if err != nil {
@@ -51,7 +51,7 @@ func LoadToken() (*StoredAuth, error) {
 func SaveToken(auth *StoredAuth) error {
 	path, err := TokenPath()
 	if err != nil {
-		return err
+		return fmt.Errorf("save token: %w", err)
 	}
 
 	dir := filepath.Dir(path)
@@ -74,7 +74,7 @@ func SaveToken(auth *StoredAuth) error {
 func DeleteToken() error {
 	path, err := TokenPath()
 	if err != nil {
-		return err
+		return fmt.Errorf("delete token: %w", err)
 	}
 	err = os.Remove(path)
 	if err != nil && !os.IsNotExist(err) {
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
@@ -258,6 +258,10 @@ func TestDeleteToken_FileNotExist(t *testing.T) {
 }
 
 func TestDeleteToken_PermissionError(t *testing.T) {
+	if os.Geteuid() == 0 {
+		t.Skip("root bypasses filesystem permission checks")
+	}
+
 	tmpDir := t.TempDir()
 	authDir := filepath.Join(tmpDir, ".openboot")
 	authFile := filepath.Join(authDir, "auth.json")
@@ -378,6 +382,10 @@ func TestStoredAuth_JSONMarshaling(t *testing.T) {
 }
 
 func TestLoadToken_ReadPermissionError(t *testing.T) {
+	if os.Geteuid() == 0 {
+		t.Skip("root bypasses filesystem permission checks")
+	}
+
 	tmpDir := t.TempDir()
 	authDir := filepath.Join(tmpDir, ".openboot")
 	authFile := filepath.Join(authDir, "auth.json")
diff --git a/internal/auth/login_test.go b/internal/auth/login_test.go
@@ -521,6 +521,9 @@ func TestLoginInteractive_InvalidExpirationFormat(t *testing.T) {
 }
 
 func TestLoginInteractive_SaveTokenError(t *testing.T) {
+	if os.Geteuid() == 0 {
+		t.Skip("root bypasses filesystem permission checks")
+	}
 	withFastPoll(t)
 	withNoBrowser(t)
 	tmpDir := t.TempDir()
diff --git a/internal/cli/login_test.go b/internal/cli/login_test.go
@@ -90,6 +90,9 @@ func TestLogoutCmd_WhenNotAuthenticated(t *testing.T) {
 }
 
 func TestLogoutCmd_DeleteError(t *testing.T) {
+	if os.Geteuid() == 0 {
+		t.Skip("root bypasses filesystem permission checks")
+	}
 	tmpDir := setupTestAuth(t, true)
 	authDir := filepath.Join(tmpDir, ".openboot")
 
diff --git a/internal/dotfiles/dotfiles.go b/internal/dotfiles/dotfiles.go
@@ -43,15 +43,18 @@ func Clone(repoURL string, dryRun bool) error {
 
 	home, err := system.HomeDir()
 	if err != nil {
-		return err
+		return fmt.Errorf("clone dotfiles: %w", err)
 	}
 	dotfilesPath := filepath.Join(home, defaultDotfilesDir)
 
 	if _, err := os.Stat(dotfilesPath); err == nil {
 		// Dotfiles directory already exists — sync or re-clone as appropriate.
 		needsClone, err := handleExistingDotfiles(dotfilesPath, repoURL, dryRun)
-		if err != nil || !needsClone {
-			return err
+		if err != nil {
+			return fmt.Errorf("handle existing dotfiles: %w", err)
+		}
+		if !needsClone {
+			return nil
 		}
 	}
 
@@ -210,7 +213,7 @@ func confirmResetIfDirty(dotfilesPath, branch string) bool {
 func Link(dryRun bool) error {
 	home, err := system.HomeDir()
 	if err != nil {
-		return err
+		return fmt.Errorf("link dotfiles: %w", err)
 	}
 	dotfilesPath := filepath.Join(home, defaultDotfilesDir)
 
@@ -332,17 +335,17 @@ func backupConflicts(pkgDir, targetDir string) ([][2]string, error) {
 
 func linkWithStow(dotfilesPath string, dryRun bool) error {
 	if err := ensureStow(dryRun); err != nil {
-		return err
+		return fmt.Errorf("ensure stow: %w", err)
 	}
 
 	entries, err := os.ReadDir(dotfilesPath)
 	if err != nil {
-		return err
+		return fmt.Errorf("read dotfiles dir: %w", err)
 	}
 
 	home, err := system.HomeDir()
 	if err != nil {
-		return err
+		return fmt.Errorf("link with stow: %w", err)
 	}
 
 	var errs []error
@@ -399,12 +402,12 @@ func linkWithStow(dotfilesPath string, dryRun bool) error {
 func linkDirect(dotfilesPath string, dryRun bool) error {
 	home, err := system.HomeDir()
 	if err != nil {
-		return err
+		return fmt.Errorf("link direct: %w", err)
 	}
 
 	entries, err := os.ReadDir(dotfilesPath)
 	if err != nil {
-		return err
+		return fmt.Errorf("read dotfiles dir: %w", err)
 	}
 
 	for _, entry := range entries {
diff --git a/internal/npm/npm.go b/internal/npm/npm.go
@@ -124,7 +124,7 @@ func Install(packages []string, dryRun bool) error {
 
 	failed, err := installBatch(toInstall)
 	if err != nil {
-		return err
+		return fmt.Errorf("install npm packages: %w", err)
 	}
 
 	if len(failed) > 0 {
diff --git a/internal/shell/shell.go b/internal/shell/shell.go
@@ -119,7 +119,7 @@ func EnsureBrewShellenv(dryRun bool) error {
 
 	home, err := system.HomeDir()
 	if err != nil {
-		return err
+		return fmt.Errorf("ensure brew shellenv: %w", err)
 	}
 	zshrcPath := filepath.Join(home, ".zshrc")
 
@@ -129,7 +129,10 @@ func EnsureBrewShellenv(dryRun bool) error {
 			fmt.Printf("[DRY-RUN] Would create %s with Homebrew shellenv\n", zshrcPath)
 			return nil
 		}
-		return os.WriteFile(zshrcPath, []byte(brewShellenvLine+"\n"), 0600)
+		if err := os.WriteFile(zshrcPath, []byte(brewShellenvLine+"\n"), 0600); err != nil {
+			return fmt.Errorf("create .zshrc: %w", err)
+		}
+		return nil
 	}
 
 	raw, err := os.ReadFile(zshrcPath)
@@ -262,7 +265,7 @@ func RestoreFromSnapshot(ohMyZsh bool, theme string, plugins []string, dryRun bo
 
 	home, err := system.HomeDir()
 	if err != nil {
-		return err
+		return fmt.Errorf("configure zshrc: %w", err)
 	}
 	zshrcPath := filepath.Join(home, ".zshrc")
 
@@ -272,11 +275,11 @@ func RestoreFromSnapshot(ohMyZsh bool, theme string, plugins []string, dryRun bo
 			return nil
 		}
 		if err := validateShellIdentifier(theme, "ZSH_THEME"); err != nil {
-			return err
+			return fmt.Errorf("validate theme: %w", err)
 		}
 		for _, p := range plugins {
 			if err := validateShellIdentifier(p, "plugin"); err != nil {
-				return err
+				return fmt.Errorf("validate plugin: %w", err)
 			}
 		}
 		template := fmt.Sprintf(`export ZSH="$HOME/.oh-my-zsh"
diff --git a/internal/state/reminder_test.go b/internal/state/reminder_test.go
@@ -176,6 +176,9 @@ func TestRoundTrip_DefaultState(t *testing.T) {
 }
 
 func TestLoadState_ReadError(t *testing.T) {
+	if os.Geteuid() == 0 {
+		t.Skip("root bypasses filesystem permission checks")
+	}
 	tmpDir := t.TempDir()
 	statePath := filepath.Join(tmpDir, "state.json")
 
diff --git a/internal/system/system.go b/internal/system/system.go
@@ -77,8 +77,7 @@ func RunCommandOutput(name string, args ...string) (string, error) {
 //	curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | sha256sum
 const knownBrewInstallHash = "dfd5145fe2aa5956a600e35848765273f5798ce6def01bd08ecec088a1268d91"
 
-// brewInstallURL is a var so tests can redirect it without a real server.
-var brewInstallURL = "https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh"
+const brewInstallURL = "https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh"
 
 // brewHTTPClient is a var so tests can inject a mock transport.
 var brewHTTPClient *http.Client = http.DefaultClient

Original file line number	Diff line number	Diff line change
`@@ -521,6 +521,9 @@ func TestLoginInteractive_InvalidExpirationFormat(t *testing.T) {`
`521`	`521`	`}`
`522`	`522`
`523`	`523`	`func TestLoginInteractive_SaveTokenError(t *testing.T) {`
	`524`	`+ if os.Geteuid() == 0 {`
	`525`	`+ t.Skip("root bypasses filesystem permission checks")`
	`526`	`+ }`
`524`	`527`	`withFastPoll(t)`
`525`	`528`	`withNoBrowser(t)`
`526`	`529`	`tmpDir := t.TempDir()`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ func TestLogoutCmd_WhenNotAuthenticated(t *testing.T) {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`func TestLogoutCmd_DeleteError(t *testing.T) {`
	`93`	`+ if os.Geteuid() == 0 {`
	`94`	`+ t.Skip("root bypasses filesystem permission checks")`
	`95`	`+ }`
`93`	`96`	`tmpDir := setupTestAuth(t, true)`
`94`	`97`	`authDir := filepath.Join(tmpDir, ".openboot")`
`95`	`98`
Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ func Install(packages []string, dryRun bool) error {`
`124`	`124`
`125`	`125`	`failed, err := installBatch(toInstall)`
`126`	`126`	`if err != nil {`
`127`		`- return err`
	`127`	`+ return fmt.Errorf("install npm packages: %w", err)`
`128`	`128`	`}`
`129`	`129`
`130`	`130`	`if len(failed) > 0 {`
Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ func EnsureBrewShellenv(dryRun bool) error {`
`119`	`119`
`120`	`120`	`home, err := system.HomeDir()`
`121`	`121`	`if err != nil {`
`122`		`- return err`
	`122`	`+ return fmt.Errorf("ensure brew shellenv: %w", err)`
`123`	`123`	`}`
`124`	`124`	`zshrcPath := filepath.Join(home, ".zshrc")`
`125`	`125`
`@@ -129,7 +129,10 @@ func EnsureBrewShellenv(dryRun bool) error {`
`129`	`129`	`fmt.Printf("[DRY-RUN] Would create %s with Homebrew shellenv\n", zshrcPath)`
`130`	`130`	`return nil`
`131`	`131`	`}`
`132`		`- return os.WriteFile(zshrcPath, []byte(brewShellenvLine+"\n"), 0600)`
	`132`	`+ if err := os.WriteFile(zshrcPath, []byte(brewShellenvLine+"\n"), 0600); err != nil {`
	`133`	`+ return fmt.Errorf("create .zshrc: %w", err)`
	`134`	`+ }`
	`135`	`+ return nil`
`133`	`136`	`}`
`134`	`137`
`135`	`138`	`raw, err := os.ReadFile(zshrcPath)`
`@@ -262,7 +265,7 @@ func RestoreFromSnapshot(ohMyZsh bool, theme string, plugins []string, dryRun bo`
`262`	`265`
`263`	`266`	`home, err := system.HomeDir()`
`264`	`267`	`if err != nil {`
`265`		`- return err`
	`268`	`+ return fmt.Errorf("configure zshrc: %w", err)`
`266`	`269`	`}`
`267`	`270`	`zshrcPath := filepath.Join(home, ".zshrc")`
`268`	`271`
`@@ -272,11 +275,11 @@ func RestoreFromSnapshot(ohMyZsh bool, theme string, plugins []string, dryRun bo`
`272`	`275`	`return nil`
`273`	`276`	`}`
`274`	`277`	`if err := validateShellIdentifier(theme, "ZSH_THEME"); err != nil {`
`275`		`- return err`
	`278`	`+ return fmt.Errorf("validate theme: %w", err)`
`276`	`279`	`}`
`277`	`280`	`for _, p := range plugins {`
`278`	`281`	`if err := validateShellIdentifier(p, "plugin"); err != nil {`
`279`		`- return err`
	`282`	`+ return fmt.Errorf("validate plugin: %w", err)`
`280`	`283`	`}`
`281`	`284`	`}`
`282`	`285`	template := fmt.Sprintf(`export ZSH="$HOME/.oh-my-zsh"
Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,9 @@ func TestRoundTrip_DefaultState(t *testing.T) {`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`func TestLoadState_ReadError(t *testing.T) {`
	`179`	`+ if os.Geteuid() == 0 {`
	`180`	`+ t.Skip("root bypasses filesystem permission checks")`
	`181`	`+ }`
`179`	`182`	`tmpDir := t.TempDir()`
`180`	`183`	`statePath := filepath.Join(tmpDir, "state.json")`
`181`	`184`