n3: validate SQLite with PingContext after Open

Call db.PingContext in storage.Open and authkeys.OpenStore; close DB and
return wrapped errors on failure. Add tests for canceled context and
invalid directory path.

Made-with: Cursor

2 files changed, 18 insertions, 0 deletions

diff --git a/internal/authkeys/store.go b/internal/authkeys/store.go
index 9f0a8b2..7848ef8 100644
--- a/internal/authkeys/store.go
+++ b/internal/authkeys/store.go
@@ -38,6 +38,10 @@ func OpenStore(ctx context.Context, path string) (*Store, error) {
 	if err != nil {
 		return nil, fmt.Errorf("open auth db: %w", err)
 	}
+	if err := db.PingContext(ctx); err != nil {
+		db.Close()
+		return nil, fmt.Errorf("ping auth db: %w", err)
+	}
 	if _, err := db.ExecContext(ctx, "PRAGMA foreign_keys = OFF"); err != nil {
 		db.Close()
 		return nil, fmt.Errorf("pragma: %w", err)
diff --git a/internal/authkeys/store_test.go b/internal/authkeys/store_test.go
index b8da623..797b683 100644
--- a/internal/authkeys/store_test.go
+++ b/internal/authkeys/store_test.go
@@ -2,11 +2,25 @@ package authkeys
 
 import (
 	"context"
+	"errors"
 	"path/filepath"
 	"strings"
 	"testing"
 )
 
+func TestOpenStore_ContextCanceled(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+	path := filepath.Join(t.TempDir(), "auth.db")
+	_, err := OpenStore(ctx, path)
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if !errors.Is(err, context.Canceled) {
+		t.Fatalf("expected context.Canceled, got %v", err)
+	}
+}
+
 func TestCreateVerifyReplace(t *testing.T) {
 	ctx := context.Background()
 	path := filepath.Join(t.TempDir(), "auth.db")