feat(role): scope planning-linked role reads to planning audience

packages/api/src/router/assistant.ts

@@ -229,6 +229,7 @@ const COST_TOOLS = new Set([
 const PLANNING_READ_TOOLS = new Set([
   "list_allocations",
   "list_demands",
+  "list_roles",
   "check_resource_availability",
   "get_staffing_suggestions",
   "find_capacity",

packages/api/src/router/role.ts

@@ -5,7 +5,13 @@ import { z } from "zod";
 import { findUniqueOrThrow } from "../db/helpers.js";
 import { RESOURCE_BRIEF_SELECT } from "../db/selects.js";
 import { emitRoleCreated, emitRoleDeleted, emitRoleUpdated } from "../sse/event-bus.js";
-import { createTRPCRouter, managerProcedure, protectedProcedure, requirePermission } from "../trpc.js";
+import {
+  createTRPCRouter,
+  managerProcedure,
+  planningReadProcedure,
+  protectedProcedure,
+  requirePermission,
+} from "../trpc.js";
 
 async function loadRolePlanningEntryCounts(
   db: Pick<import("@capakraken/db").PrismaClient, "demandRequirement" | "assignment">,
@@ -54,7 +60,7 @@ async function attachSinglePlanningEntryCount<
 }
 
 export const roleRouter = createTRPCRouter({
-  list: protectedProcedure
+  list: planningReadProcedure
     .input(
       z.object({
         isActive: z.boolean().optional(),
@@ -120,7 +126,7 @@ export const roleRouter = createTRPCRouter({
       return role;
     }),
 
-  getByIdentifier: protectedProcedure
+  getByIdentifier: planningReadProcedure
     .input(z.object({ identifier: z.string() }))
     .query(async ({ ctx, input }) => {
       const select = {
@@ -161,7 +167,7 @@ export const roleRouter = createTRPCRouter({
       return attachSinglePlanningEntryCount(ctx.db, role);
     }),
 
-  getById: protectedProcedure
+  getById: planningReadProcedure
     .input(z.object({ id: z.string() }))
     .query(async ({ ctx, input }) => {
       const role = await findUniqueOrThrow(