fix: data race, token file misplacement, and silent auth errors

internal/auth/auth.go

@@ -45,7 +45,10 @@ type Authenticator struct {
 }
 
 func NewAuthenticator() (*Authenticator, error) {
-	cfgDir, _ := os.UserConfigDir()
+	cfgDir, err := os.UserConfigDir()
+	if err != nil {
+		return nil, fmt.Errorf("cannot determine user config directory: %w", err)
+	}
 	authPath := filepath.Join(cfgDir, "tusk", "auth.json")
 
 	cfg, err := config.Get()
@@ -279,7 +282,10 @@ func (a *Authenticator) RequestDeviceCode(ctx context.Context) (DeviceCodeRespon
 	}
 	defer func() { _ = resp.Body.Close() }()
 
-	body, _ := io.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return dcr, fmt.Errorf("error reading device code response body: %w", err)
+	}
 	if resp.StatusCode != http.StatusOK {
 		return dcr, fmt.Errorf(
 			"error returned by device code endpoint %d: %s",
@@ -318,8 +324,11 @@ func (a *Authenticator) PollForToken(ctx context.Context, dcr DeviceCodeResponse
 		if err != nil {
 			return fmt.Errorf("error making request for token: %w", err)
 		}
-		body, _ := io.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		_ = resp.Body.Close()
+		if err != nil {
+			return fmt.Errorf("error reading token response body: %w", err)
+		}
 
 		var tr tokenResp
 		if err := json.Unmarshal(body, &tr); err != nil {
@@ -372,7 +381,10 @@ func (a *Authenticator) FetchUserEmail(ctx context.Context) error {
 		return err
 	}
 	defer func() { _ = resp.Body.Close() }()
-	b, _ := io.ReadAll(resp.Body)
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("error reading userinfo response body: %w", err)
+	}
 
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("userinfo http %d: %s", resp.StatusCode, string(b))
@@ -408,8 +420,11 @@ func (a *Authenticator) refreshAccessToken(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("error requesting refresh token endpoint %w", err)
 	}
-	body, _ := io.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	_ = resp.Body.Close()
+	if err != nil {
+		return fmt.Errorf("error reading refresh token response body: %w", err)
+	}
 
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("refresh http %d: %s", resp.StatusCode, string(body))

internal/runner/executor.go

@@ -12,6 +12,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/Use-Tusk/fence/pkg/fence"
@@ -37,6 +38,7 @@ type Executor struct {
 	globalSpans            []*core.Span // Explicitly marked global spans for cross-trace matching
 	allowSuiteWideMatching bool         // When true, allows cross-trace matching from any suite span
 	cancelTests            context.CancelFunc
+	cancelTestsMu          sync.Mutex
 	disableSandbox         bool
 	debug                  bool
 	fenceManager           *fence.Manager
@@ -162,7 +164,9 @@ func (e *Executor) RunTestsConcurrently(tests []Test, maxConcurrency int) ([]Tes
 	defer cancel()
 
 	// Store cancel function so signal handler can call it
+	e.cancelTestsMu.Lock()
 	e.cancelTests = cancel
+	e.cancelTestsMu.Unlock()
 
 	testChan := make(chan Test, len(tests))
 	resultChan := make(chan TestResult, len(tests))
@@ -387,8 +391,11 @@ func (e *Executor) SetAllowSuiteWideMatching(enabled bool) {
 }
 
 func (e *Executor) CancelTests() {
-	if e.cancelTests != nil {
-		e.cancelTests()
+	e.cancelTestsMu.Lock()
+	cancel := e.cancelTests
+	e.cancelTestsMu.Unlock()
+	if cancel != nil {
+		cancel()
 	}
 }