fix: resolve all clippy warnings in test files (zero warnings remaining)

- api_auth_test.rs: replace len() > 0 with !is_empty() (3 occurrences)
- api_admin_test.rs: suppress type_complexity on complex tuple Vec annotation
- api_sources_preferred_test.rs: replace assert_eq!(x, false) with assert!(!x)
- api_sources_test.rs: remove needless & on format!() in .uri() calls (5 occurrences)
- api_syntheses_test.rs: remove needless & on format!() in .uri() call

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/tests/api_admin_test.rs

@@ -929,6 +929,7 @@ async fn audit_log_created_on_role_change() {
     assert_eq!(status, StatusCode::OK);
 
     // Query the audit log
+    #[allow(clippy::type_complexity)]
     let audit_entries: Vec<(String, Option<uuid::Uuid>, Option<String>, Option<String>)> = sqlx::query_as(
         "SELECT action, admin_user_id, target_type, target_id FROM audit_log WHERE action = 'update_user_role' ORDER BY created_at DESC LIMIT 1"
     )

backend/tests/api_auth_test.rs

@@ -28,7 +28,7 @@ async fn register_with_valid_email_returns_200() {
 
     assert_eq!(status, StatusCode::OK, "Register should return 200");
     assert!(
-        body["message"].as_str().unwrap_or("").len() > 0,
+        !body["message"].as_str().unwrap_or("").is_empty(),
         "Response should contain a message"
     );
 }
@@ -123,7 +123,7 @@ async fn login_existing_user_returns_200() {
 
     assert_eq!(status, StatusCode::OK, "Login should return 200");
     assert!(
-        resp["message"].as_str().unwrap_or("").len() > 0,
+        !resp["message"].as_str().unwrap_or("").is_empty(),
         "Response should contain a message"
     );
 }
@@ -149,7 +149,7 @@ async fn login_nonexistent_user_returns_200_anti_enumeration() {
         "Login with non-existing email should also return 200 (anti-enumeration)"
     );
     assert!(
-        resp["message"].as_str().unwrap_or("").len() > 0,
+        !resp["message"].as_str().unwrap_or("").is_empty(),
         "Response should contain a message"
     );
 }

backend/tests/api_sources_preferred_test.rs

@@ -155,9 +155,8 @@ async fn update_preferred_clears_all_when_empty() {
 
     let sources = list_body.as_array().expect("Should be an array");
     for source in sources {
-        assert_eq!(
-            source["is_preferred"].as_bool().unwrap(),
-            false,
+        assert!(
+            !source["is_preferred"].as_bool().unwrap(),
             "All sources should be non-preferred after clearing"
         );
     }

backend/tests/api_sources_test.rs

@@ -93,7 +93,7 @@ async fn delete_source_without_auth_returns_401() {
     // Build a DELETE request without session
     let req = Request::builder()
         .method(Method::DELETE)
-        .uri(&format!("/api/v1/sources/{}", fake_id))
+        .uri(format!("/api/v1/sources/{}", fake_id))
         .header("X-Requested-With", "XMLHttpRequest")
         .body(Body::empty())
         .unwrap();
@@ -937,7 +937,7 @@ async fn export_csv_with_sources_returns_csv() {
     // Export CSV
     let req = Request::builder()
         .method(Method::GET)
-        .uri(&format!("/api/v1/sources/export-csv?theme_id={}", theme_id))
+        .uri(format!("/api/v1/sources/export-csv?theme_id={}", theme_id))
         .header(
             "Cookie",
             format!("ai_synth_session={}", session),
@@ -1002,7 +1002,7 @@ async fn export_csv_with_no_sources_returns_header_only() {
 
     let req = Request::builder()
         .method(Method::GET)
-        .uri(&format!("/api/v1/sources/export-csv?theme_id={}", theme_id))
+        .uri(format!("/api/v1/sources/export-csv?theme_id={}", theme_id))
         .header(
             "Cookie",
             format!("ai_synth_session={}", session),
@@ -1065,7 +1065,7 @@ fn build_csv_multipart_request(
 
     Request::builder()
         .method(Method::POST)
-        .uri(&format!("/api/v1/sources/import-csv?theme_id={}", theme_id))
+        .uri(format!("/api/v1/sources/import-csv?theme_id={}", theme_id))
         .header(
             "Content-Type",
             format!("multipart/form-data; boundary={}", boundary),
@@ -1242,7 +1242,7 @@ async fn csv_export_roundtrip() {
     // Export CSV
     let req = Request::builder()
         .method(Method::GET)
-        .uri(&format!("/api/v1/sources/export-csv?theme_id={}", theme_id))
+        .uri(format!("/api/v1/sources/export-csv?theme_id={}", theme_id))
         .header("Cookie", format!("ai_synth_session={}", session))
         .body(Body::empty())
         .unwrap();

backend/tests/api_syntheses_test.rs

@@ -127,7 +127,7 @@ async fn delete_synthesis_without_auth_returns_401() {
     // DELETE without session — use raw request to include CSRF header
     let req = axum::http::Request::builder()
         .method(axum::http::Method::DELETE)
-        .uri(&format!("/api/v1/syntheses/{}", fake_id))
+        .uri(format!("/api/v1/syntheses/{}", fake_id))
         .header("X-Requested-With", "XMLHttpRequest")
         .body(axum::body::Body::empty())
         .unwrap();