From a8aff2c62b96ffe346def29fa9c99fa7a61100f2 Mon Sep 17 00:00:00 2001
From: Steve Cliff <steve@devcloud.guru>
Date: Sun, 3 May 2026 23:00:38 +0100
Subject: [PATCH] server: cover HTMX auth-redirect path in repo-ops tests

---
 internal/server/http/repo_ops_test.go | 31 +++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/internal/server/http/repo_ops_test.go b/internal/server/http/repo_ops_test.go
index a3b7a88..65ec9bb 100644
--- a/internal/server/http/repo_ops_test.go
+++ b/internal/server/http/repo_ops_test.go
@@ -328,4 +328,35 @@ func TestRunOpsRequireAuth(t *testing.T) {
 			}
 		})
 	}
+
+	// HTMX path: unauthenticated POST with HX-Request: true → 303 to /login.
+	// Auth check fires before host lookup so the host ID doesn't need to exist.
+	for _, path := range []string{
+		"/hosts/" + hostID + "/repo/prune",
+		"/hosts/" + hostID + "/repo/check",
+		"/hosts/" + hostID + "/repo/unlock",
+	} {
+		path := path
+		t.Run("htmx"+path, func(t *testing.T) {
+			t.Parallel()
+			client := &stdhttp.Client{
+				CheckRedirect: func(_ *stdhttp.Request, _ []*stdhttp.Request) error {
+					return stdhttp.ErrUseLastResponse
+				},
+			}
+			req, _ := stdhttp.NewRequest("POST", url+path, nil)
+			req.Header.Set("HX-Request", "true")
+			res, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("do: %v", err)
+			}
+			defer res.Body.Close()
+			if res.StatusCode != stdhttp.StatusSeeOther {
+				t.Errorf("want 303, got %d", res.StatusCode)
+			}
+			if loc := res.Header.Get("Location"); loc != "/login" {
+				t.Errorf("want Location=/login, got %q", loc)
+			}
+		})
+	}
 }