fix: detect mid-push auth rotation and abort cleanly

[tomasz-tomczyk]

Summary

• crit push now detects HTTP 401 from gh api calls and aborts the rest of the push loop instead of spamming per-item errors. Each per-call failure is wrapped with errGHAuthFailed so the loop can short-circuit via errors.Is.
• On auth failure, push prints Pushed K of N comments before auth failed. Run 'gh auth refresh' then re-run 'crit push' to post the rest. and exits non-zero.
• runPushLive was refactored from os.Exit(1) to returning an int so the new test can drive it without terminating the process; only call site is runPush.
• 401 detection is anchored to gh's canonical error-line shapes (gh: HTTP 401: and HTTP/x 401 at line start) rather than loose substring match — avoids false-positives when comment bodies in the PR happen to contain "HTTP 401" or "Bad credentials".
• Dedup safety verified: re-running push after gh auth refresh only retries comments where github_id == 0 (and items still in the pending-deletes queue) — no double-post of already-pushed work.

Review

• Code review: passed (Phase 3 surfaced a false-positive risk in the matcher; fixed before pushing)
• Parity audit: N/A (server-side push, no review-page surface)

Test plan

• New push_auth_rotation_test.go: stubs gh with a fake binary that returns 201 then gh: HTTP 401: Bad credentials. Asserts non-zero exit, K-of-N message in stderr, fake gh invoked exactly twice (loop aborted), only the first reply got github_id set. Then re-runs with healthy fake — only the un-pushed replies are retried, already-pushed github_id is unchanged.
• New github_auth_test.go: table-driven coverage of the matcher — positives (gh: HTTP 401:, all HTTP/x 401 include shapes) and negatives (HTTP 401 mid-line, Bad credentials mid-line, 200/404 status lines, indented variants).
• go test -race -count=1 ./... green.

Closes #452

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 66.98113% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.04%. Comparing base (5175895) to head (af7c318).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
main.go	67.05%	27 Missing and 1 partial ⚠️
github.go	66.66%	6 Missing and 1 partial ⚠️

❌ Your patch status has failed because the patch coverage (66.98%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #463      +/-   ##
==========================================
+ Coverage   68.72%   69.04%   +0.31%     
==========================================
  Files          36       36              
  Lines       10634    10698      +64     
==========================================
+ Hits         7308     7386      +78     
+ Misses       2764     2748      -16     
- Partials      562      564       +2     

Flag	Coverage Δ
e2e	32.53% <0.00%> (-0.20%)	⬇️
unit	66.55% <66.98%> (+0.33%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.