test(client): mock headers.get() so 401 tests survive HIGH-8 WWW-Authenticate read

Audit 2026-05-10 HIGH-8 closure landed a parseWWWAuthenticateCause()
call in api/client.ts (line 144) that reads res.headers.get(...) on the
401 path. The two test files in web/src/api/ both provide a Response
mock with no headers property, so every 401 test threw 'Cannot read
properties of undefined (reading get)' instead of the expected
'Authentication required'.

13 tests fail without this fix: 12 in client.error.test.ts (one per
401-mapped endpoint helper) + 1 in client.test.ts (the auth-required
event-dispatch test).

Fix: add headers: { get: () => null } to both mockErrorResponse helpers.
The null return short-circuits parseWWWAuthenticateCause to the default
'Authentication required' message, so every existing 401 assertion
keeps passing.

web/src/api/client.error.test.ts

@@ -51,6 +51,10 @@ function mockErrorResponse(status: number, body: { message?: string; error?: str
     status,
     json: () => Promise.resolve(body),
     statusText: 'Error',
+    // Audit 2026-05-10 HIGH-8 closure landed a WWW-Authenticate-header
+    // read in the 401 path (src/api/client.ts L144). The mock needs a
+    // headers.get() so the read doesn't throw against an undefined.
+    headers: { get: () => null } as unknown as Headers,
   } as Response);
 }
 

web/src/api/client.test.ts

@@ -120,6 +120,10 @@ function mockErrorResponse(status: number, body: { message?: string; error?: str
     status,
     json: () => Promise.resolve(body),
     statusText: 'Error',
+    // Audit 2026-05-10 HIGH-8 closure landed a WWW-Authenticate-header
+    // read in the 401 path (src/api/client.ts L144). The mock needs a
+    // headers.get() so the read doesn't throw against an undefined.
+    headers: { get: () => null } as unknown as Headers,
   } as Response);
 }