
fix: redirect unauthenticated users from subscriptions page #4137

Merged
jeanduplessis merged 3 commits into Kilo-Org:main from FaisalMisbah23:fix/subscriptions-auth-redirect
Jun 26, 2026
Conversation

@FaisalMisbah23

Contributor

Summary

Fix unauthenticated access handling for the subscriptions page.

Previously, a logged-out user could navigate directly to /subscriptions. The page would render and then display an authentication error after a subscription-related API request returned 401.

This change adds an authentication check at the subscriptions layout level using getUserFromAuthOrRedirect(), ensuring unauthenticated users are redirected before subscription content is rendered.

Fixes #4136

Verification

  • Logged out and attempted to access /subscriptions
  • Confirmed unauthenticated users are redirected instead of seeing the authentication error
  • Added test coverage for the subscriptions layout authentication requirement

Visual Changes

N/A

Reviewer Notes

This change applies the authentication guard at the layout level so all routes under /subscriptions require authentication before rendering.

@kilo-code-bot

kilo-code-bot Bot commented Jun 20, 2026

Contributor

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • apps/web/src/app/(app)/subscriptions/layout.test.ts
  • apps/web/src/lib/impact/kilo-pass-referrals.test.ts
Previous Review Summaries (2 snapshots, latest commit 14cfce1)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit 14cfce1)

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • apps/web/src/app/(app)/subscriptions/layout.test.ts
  • apps/web/src/app/(app)/subscriptions/layout.test.tsx

Previous review (commit 469300f)

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • apps/web/src/app/(app)/subscriptions/layout.tsx
  • apps/web/src/app/(app)/subscriptions/layout.test.tsx

Reviewed by gpt-5.4-20260305 · Input: 51K · Output: 4.8K · Cached: 184.6K

Review guidance: REVIEW.md from base branch main

@jeanduplessis jeanduplessis left a comment

Contributor


Thanks for reporting and fixing this. I reproduced the issue and confirmed the layout-level guard is the right approach and matches existing protected-layout patterns in this codebase. I am requesting changes only for regression coverage: the new test is not currently discovered, it does not exercise the unauthenticated path, and its local User fixture hides schema drift. Once those items are addressed, the production change looks good.

Comment thread apps/web/src/app/(app)/subscriptions/layout.test.tsx Outdated
Comment thread apps/web/src/app/(app)/subscriptions/layout.test.tsx Outdated
Comment thread apps/web/src/app/(app)/subscriptions/layout.test.tsx Outdated
@FaisalMisbah23

Contributor Author

@jeanduplessis Thanks for your feedback. I missed the test discovery issue. I have updated layout.test.ts to use defineTestUser() and added the unauthenticated redirect sentinel case.

@jeanduplessis jeanduplessis merged commit 15f0cb4 into Kilo-Org:main Jun 26, 2026
16 checks passed
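
The behaviour discussed in this thread, as an added example that is not code from the pull request or the Kilo-Org repository: a small model of a layout-level guard that runs before page content, and of the redirect sentinel a test can use to exercise the unauthenticated path. The names `getUserOrRedirect`, `RedirectSentinel`, `subscriptionsPage` and `render`, the `/login` target, and the assumption that the redirect helper aborts rendering by throwing are all hypothetical.

```typescript
// Added illustration; a constructed model, not code from the Kilo-Org repository.
type User = { id: string };
type Outcome = { redirectedTo: string | null; body: string | null; apiStatuses: number[] };

// Sentinel thrown to abort rendering. Assumption: the real redirect helper
// stops rendering by throwing, which is what lets a test observe it.
class RedirectSentinel {
  target: string;
  constructor(target: string) {
    this.target = target;
  }
}

// Hypothetical stand-in for getUserFromAuthOrRedirect(); the real signature
// is not shown on the page. "/login" below is a constructed path.
function getUserOrRedirect(session: User | null, loginPath: string): User {
  if (session === null) throw new RedirectSentinel(loginPath);
  return session;
}

// Page content: calls a subscription API that answers 401 without a session.
function subscriptionsPage(session: User | null, apiStatuses: number[]): string {
  if (session === null) {
    apiStatuses.push(401);
    return "authentication error";
  }
  apiStatuses.push(200);
  return "subscriptions for " + session.id;
}

// guarded=false models the old behaviour, guarded=true the layout-level check.
function render(session: User | null, guarded: boolean): Outcome {
  const apiStatuses: number[] = [];
  try {
    if (guarded) getUserOrRedirect(session, "/login"); // runs before any child renders
    const body = subscriptionsPage(session, apiStatuses);
    return { redirectedTo: null, body, apiStatuses };
  } catch (e) {
    if (e instanceof RedirectSentinel) {
      return { redirectedTo: e.target, body: null, apiStatuses };
    }
    throw e;
  }
}
```

A regression test for the unauthenticated case should assert both that the sentinel carries the expected target and that no page content or subscription API call was produced.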


Development

Successfully merging this pull request may close these issues.

Unauthenticated users can access /subscriptions and see raw authentication error

2 participants