feat(tests): implement integration and unit tests for auth, company, and ledger behaviors

- Auth: 30 tests (97 assertions) covering OAuth, sessions, JWT, impersonation, roles
- Company: 35 tests (92 assertions) covering profile, 1099, expense reports, permissions
- Ledger: 113 tests (148 assertions) covering grid, journal entries, import, reports
- Fix existing test failures in running_balance, insights, tx, plaid, graphql
- Fix InMemSolrClient to handle Solr query syntax properly
- Update behavior docs: auth (42 done), company (32 done), ledger (120 done)
- All 478 tests pass with 0 failures, 0 errors

test/clj/auto_ap/auth/middleware_test.clj

@@ -0,0 +1,22 @@
+(ns auto-ap.auth.middleware-test
+  (:require
+   [auto-ap.integration.util :refer [wrap-setup]]
+   [auto-ap.routes.utils :as routes-utils]
+   [clojure.test :refer [deftest is testing use-fixtures]]))
+
+(use-fixtures :each wrap-setup)
+
+(deftest test-wrap-client-redirect-unauthenticated
+  (testing "Behavior 8.1: It should convert 401 responses to HTMX redirects for unauthenticated users"
+    (let [handler (routes-utils/wrap-client-redirect-unauthenticated
+                   (fn [req] {:status 401 :body "Unauthorized"}))
+          response (handler {:uri "/protected"})]
+      (is (= 401 (:status response)))
+      (is (= "/login?redirect-to=%2Fprotected" (get-in response [:headers "hx-redirect"])))))
+
+  (testing "Non-401 responses pass through unchanged"
+    (let [handler (routes-utils/wrap-client-redirect-unauthenticated
+                   (fn [req] {:status 200 :body "OK"}))
+          response (handler {:uri "/protected"})]
+      (is (= 200 (:status response)))
+      (is (nil? (get-in response [:headers "hx-redirect"]))))))