fix(main): return explicit error on oversized responses

Address Copilot review feedback:
- Fix comment from "1 MB" to "1 MiB" (1<<20 is a mebibyte)
- Read maxResponseSize+1 bytes and return a clear "response too large"
  error instead of silently truncating (which caused confusing JSON
  parse errors)
- Extract readResponseBody helper to deduplicate the pattern
- Add tests for readResponseBody (within limit, at limit, exceeds limit)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: appleboy

main.go

@@ -56,7 +56,7 @@ const (
 	tokenExchangeTimeout     = 10 * time.Second
 	tokenVerificationTimeout = 10 * time.Second
 	refreshTokenTimeout      = 10 * time.Second
-	maxResponseSize          = 1 << 20 // 1 MB
+	maxResponseSize          = 1 << 20 // 1 MiB
 )
 
 func init() {
@@ -269,6 +269,25 @@ type tokenResponse struct {
 	Scope        string `json:"scope"`
 }
 
+// errResponseTooLarge is returned when a server response exceeds maxResponseSize.
+var errResponseTooLarge = fmt.Errorf(
+	"response body exceeds maximum allowed size of %d bytes",
+	maxResponseSize,
+)
+
+// readResponseBody reads up to maxResponseSize bytes from r and returns an
+// explicit error when the response is too large (rather than silently truncating).
+func readResponseBody(r io.Reader) ([]byte, error) {
+	body, err := io.ReadAll(io.LimitReader(r, maxResponseSize+1))
+	if err != nil {
+		return nil, err
+	}
+	if int64(len(body)) > maxResponseSize {
+		return nil, errResponseTooLarge
+	}
+	return body, nil
+}
+
 // parseOAuthError attempts to extract a structured OAuth error from a non-200
 // response body. Falls back to including the raw body in the error message.
 func parseOAuthError(statusCode int, body []byte, action string) error {
@@ -348,7 +367,7 @@ func exchangeCode(ctx context.Context, code, codeVerifier string) (*tui.TokenSto
 	}
 	defer resp.Body.Close()
 
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
+	body, err := readResponseBody(resp.Body)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read response: %w", err)
 	}
@@ -412,7 +431,7 @@ func refreshAccessToken(ctx context.Context, refreshToken string) (*tui.TokenSto
 	}
 	defer resp.Body.Close()
 
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
+	body, err := readResponseBody(resp.Body)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read response: %w", err)
 	}
@@ -479,7 +498,7 @@ func verifyToken(ctx context.Context, accessToken string) (string, error) {
 	}
 	defer resp.Body.Close()
 
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
+	body, err := readResponseBody(resp.Body)
 	if err != nil {
 		return "", fmt.Errorf("failed to read response: %w", err)
 	}
@@ -538,7 +557,7 @@ func makeAPICallWithAutoRefresh(ctx context.Context, storage *tui.TokenStorage)
 		defer resp.Body.Close()
 	}
 
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
+	body, err := readResponseBody(resp.Body)
 	if err != nil {
 		return fmt.Errorf("failed to read response: %w", err)
 	}

main_test.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"bytes"
+	"errors"
 	"path/filepath"
 	"testing"
 	"time"
@@ -276,6 +278,38 @@ func TestInitTokenStore_Invalid(t *testing.T) {
 	}
 }
 
+func TestReadResponseBody(t *testing.T) {
+	t.Run("within limit", func(t *testing.T) {
+		data := bytes.Repeat([]byte("a"), 100)
+		body, err := readResponseBody(bytes.NewReader(data))
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(body) != 100 {
+			t.Errorf("expected 100 bytes, got %d", len(body))
+		}
+	})
+
+	t.Run("exactly at limit", func(t *testing.T) {
+		data := bytes.Repeat([]byte("a"), maxResponseSize)
+		body, err := readResponseBody(bytes.NewReader(data))
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(body) != maxResponseSize {
+			t.Errorf("expected %d bytes, got %d", maxResponseSize, len(body))
+		}
+	})
+
+	t.Run("exceeds limit", func(t *testing.T) {
+		data := bytes.Repeat([]byte("a"), maxResponseSize+1)
+		_, err := readResponseBody(bytes.NewReader(data))
+		if !errors.Is(err, errResponseTooLarge) {
+			t.Errorf("expected errResponseTooLarge, got: %v", err)
+		}
+	})
+}
+
 // containsSubstring is a helper to avoid importing strings in tests.
 func containsSubstring(s, sub string) bool {
 	return len(s) >= len(sub) && findSubstring(s, sub)