test(api): harden assistant tool error handling

packages/api/src/router/user.ts

@@ -135,10 +135,13 @@ export const userRouter = createTRPCRouter({
       }),
     )
     .mutation(async ({ ctx, input }) => {
-      const user = await ctx.db.user.findUniqueOrThrow({
-        where: { id: input.userId },
-        select: { id: true, name: true, email: true },
-      });
+      const user = await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.userId },
+          select: { id: true, name: true, email: true },
+        }),
+        "User",
+      );
 
       const { hash } = await import("@node-rs/argon2");
       const passwordHash = await hash(input.password);
@@ -170,10 +173,13 @@ export const userRouter = createTRPCRouter({
       }),
     )
     .mutation(async ({ ctx, input }) => {
-      const before = await ctx.db.user.findUniqueOrThrow({
-        where: { id: input.id },
-        select: { id: true, name: true, email: true, systemRole: true },
-      });
+      const before = await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.id },
+          select: { id: true, name: true, email: true, systemRole: true },
+        }),
+        "User",
+      );
 
       const updated = await ctx.db.user.update({
         where: { id: input.id },
@@ -205,10 +211,13 @@ export const userRouter = createTRPCRouter({
       }),
     )
     .mutation(async ({ ctx, input }) => {
-      const before = await ctx.db.user.findUniqueOrThrow({
-        where: { id: input.id },
-        select: { id: true, name: true, email: true },
-      });
+      const before = await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.id },
+          select: { id: true, name: true, email: true },
+        }),
+        "User",
+      );
 
       const updated = await ctx.db.user.update({
         where: { id: input.id },
@@ -237,7 +246,23 @@ export const userRouter = createTRPCRouter({
   linkResource: adminProcedure
     .input(z.object({ userId: z.string(), resourceId: z.string().nullable() }))
     .mutation(async ({ ctx, input }) => {
+      await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.userId },
+          select: { id: true },
+        }),
+        "User",
+      );
+
       if (input.resourceId) {
+        await findUniqueOrThrow(
+          ctx.db.resource.findUnique({
+            where: { id: input.resourceId },
+            select: { id: true },
+          }),
+          "Resource",
+        );
+
         // Unlink any resource previously linked to this user
         await ctx.db.resource.updateMany({
           where: { userId: input.userId },
@@ -345,10 +370,13 @@ export const userRouter = createTRPCRouter({
       }),
     )
     .mutation(async ({ ctx, input }) => {
-      const before = await ctx.db.user.findUniqueOrThrow({
-        where: { id: input.userId },
-        select: { id: true, name: true, email: true, permissionOverrides: true },
-      });
+      const before = await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.userId },
+          select: { id: true, name: true, email: true, permissionOverrides: true },
+        }),
+        "User",
+      );
 
       const user = await ctx.db.user.update({
         where: { id: input.userId },
@@ -376,10 +404,13 @@ export const userRouter = createTRPCRouter({
   resetPermissions: adminProcedure
     .input(z.object({ userId: z.string() }))
     .mutation(async ({ ctx, input }) => {
-      const before = await ctx.db.user.findUniqueOrThrow({
-        where: { id: input.userId },
-        select: { id: true, name: true, email: true, permissionOverrides: true },
-      });
+      const before = await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.userId },
+          select: { id: true, name: true, email: true, permissionOverrides: true },
+        }),
+        "User",
+      );
 
       const updated = await ctx.db.user.update({
         where: { id: input.userId },
@@ -453,10 +484,13 @@ export const userRouter = createTRPCRouter({
   getEffectivePermissions: adminProcedure
     .input(z.object({ userId: z.string() }))
     .query(async ({ ctx, input }) => {
-      const user = await ctx.db.user.findUniqueOrThrow({
-        where: { id: input.userId },
-        select: { systemRole: true, permissionOverrides: true },
-      });
+      const user = await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.userId },
+          select: { systemRole: true, permissionOverrides: true },
+        }),
+        "User",
+      );
       const permissions = resolvePermissions(
         user.systemRole as SystemRole,
         user.permissionOverrides as PermissionOverrides | null,
@@ -547,10 +581,13 @@ export const userRouter = createTRPCRouter({
   disableTotp: adminProcedure
     .input(z.object({ userId: z.string() }))
     .mutation(async ({ ctx, input }) => {
-      const user = await ctx.db.user.findUniqueOrThrow({
-        where: { id: input.userId },
-        select: { id: true, name: true, email: true, totpEnabled: true },
-      });
+      const user = await findUniqueOrThrow(
+        ctx.db.user.findUnique({
+          where: { id: input.userId },
+          select: { id: true, name: true, email: true, totpEnabled: true },
+        }),
+        "User",
+      );
 
       await ctx.db.user.update({
         where: { id: input.userId },