server: cover HTMX auth-redirect path in repo-ops tests

internal/server/http/repo_ops_test.go

@@ -328,4 +328,35 @@ func TestRunOpsRequireAuth(t *testing.T) {
 			}
 		})
 	}
+
+	// HTMX path: unauthenticated POST with HX-Request: true → 303 to /login.
+	// Auth check fires before host lookup so the host ID doesn't need to exist.
+	for _, path := range []string{
+		"/hosts/" + hostID + "/repo/prune",
+		"/hosts/" + hostID + "/repo/check",
+		"/hosts/" + hostID + "/repo/unlock",
+	} {
+		path := path
+		t.Run("htmx"+path, func(t *testing.T) {
+			t.Parallel()
+			client := &stdhttp.Client{
+				CheckRedirect: func(_ *stdhttp.Request, _ []*stdhttp.Request) error {
+					return stdhttp.ErrUseLastResponse
+				},
+			}
+			req, _ := stdhttp.NewRequest("POST", url+path, nil)
+			req.Header.Set("HX-Request", "true")
+			res, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("do: %v", err)
+			}
+			defer res.Body.Close()
+			if res.StatusCode != stdhttp.StatusSeeOther {
+				t.Errorf("want 303, got %d", res.StatusCode)
+			}
+			if loc := res.Header.Get("Location"); loc != "/login" {
+				t.Errorf("want Location=/login, got %q", loc)
+			}
+		})
+	}
 }