feat(tests): implement integration and unit tests for auth, company, and ledger behaviors

- Auth: 30 tests (97 assertions) covering OAuth, sessions, JWT, impersonation, roles
- Company: 35 tests (92 assertions) covering profile, 1099, expense reports, permissions
- Ledger: 113 tests (148 assertions) covering grid, journal entries, import, reports
- Fix existing test failures in running_balance, insights, tx, plaid, graphql
- Fix InMemSolrClient to handle Solr query syntax properly
- Update behavior docs: auth (42 done), company (32 done), ledger (120 done)
- All 478 tests pass with 0 failures, 0 errors

test/clj/auto_ap/auth/role_based_test.clj

@@ -0,0 +1,58 @@
+(ns auto-ap.auth.role-based-test
+  (:require
+   [auto-ap.datomic :as datomic]
+   [auto-ap.datomic.users :as users]
+   [auto-ap.graphql.utils :as gql-utils]
+   [auto-ap.handler :as handler]
+   [auto-ap.integration.util :refer [admin-token setup-test-data test-account test-client test-vendor user-token wrap-setup]]
+   [auto-ap.routes.auth :as auth]
+   [clojure.test :refer [deftest is testing use-fixtures]]
+   [datomic.api :as dc]))
+
+(use-fixtures :each wrap-setup)
+
+;; ============================================================================
+;; Role-Based Access Behaviors (9.1 - 9.5)
+;; ============================================================================
+
+(deftest test-admin-access-all-clients
+  (testing "Behavior 9.1: It should allow admin users to access all clients"
+    (let [{:strs [test-client-id]} (setup-test-data [])]
+      ;; Create another client
+      @(dc/transact datomic/conn [{:db/id "client-2"
+                                   :client/name "Second Client"
+                                   :client/code "SC"
+                                   :client/locations ["DT"]}])
+      ;; Admin should have nil limited-clients (meaning all)
+      (is (nil? (gql-utils/limited-clients (admin-token)))))))
+
+(deftest test-regular-user-limited-clients
+  (testing "Behavior 9.2: It should allow regular users to access only their assigned clients"
+    (let [{:strs [test-client-id]} (setup-test-data [])
+          user-identity {:user/role "user" :user/clients [{:db/id test-client-id}]}]
+      (let [limited (gql-utils/limited-clients user-identity)]
+        (is (= [test-client-id] (map :db/id limited)))))))
+
+(deftest test-readonly-user-access
+  (testing "Behavior 9.3: It should allow read-only users to access all clients with view-only permissions"
+    (let [readonly-identity {:user/role "read-only" :user/clients [{:db/id 1} {:db/id 2}]}]
+      ;; Read-only users get their full client list from limited-clients
+      (let [limited (gql-utils/limited-clients readonly-identity)]
+        (is (= [1 2] (map :db/id limited)))))))
+
+(deftest test-admin-no-clients-empty-compressed
+  (testing "Behavior 9.4: It should handle admin users with no clients by providing an empty compressed list"
+    (let [admin-user {:db/id 1 :user/name "Admin" :user/role :user-role/admin :user/clients []}
+          jwt-data (auth/user->jwt admin-user "fake-token")]
+      (is (= "admin" (:user/role jwt-data)))
+      (is (some? (:gz-clients jwt-data)))
+      (let [decompressed (auth/gunzip (:gz-clients jwt-data))]
+        (is (empty? decompressed))))))
+
+(deftest test-regular-user-no-clients-empty-vector
+  (testing "Behavior 9.5: It should handle regular users with no clients by providing an empty client vector"
+    (let [regular-user {:db/id 2 :user/name "User" :user/role :user-role/user :user/clients []}
+          jwt-data (auth/user->jwt regular-user "fake-token")]
+      (is (= "user" (:user/role jwt-data)))
+      (is (empty? (:user/clients jwt-data)))
+      (is (nil? (:gz-clients jwt-data))))))