fix(api): derive secure sse subscriptions

apps/web/src/app/api/sse/timeline/route.ts

@@ -1,8 +1,8 @@
 import { loadRoleDefaults } from "@capakraken/api";
-import { eventBus, permissionAudience, resourceAudience, roleAudience, userAudience } from "@capakraken/api/sse";
+import { deriveUserSseSubscription, eventBus } from "@capakraken/api/sse";
 import { startReminderScheduler } from "@capakraken/api/lib/reminder-scheduler";
 import { prisma } from "@capakraken/db";
-import { resolvePermissions, SSE_EVENT_TYPES, SystemRole, type PermissionOverrides } from "@capakraken/shared";
+import { SSE_EVENT_TYPES, SystemRole, type PermissionOverrides } from "@capakraken/shared";
 import { auth } from "~/server/auth.js";
 
 // Start the reminder scheduler (idempotent — only starts once)
@@ -42,21 +42,15 @@ export async function GET() {
   }
 
   const roleDefaults = await loadRoleDefaults();
-  const permissions = resolvePermissions(
-    dbUser.systemRole as SystemRole,
-    dbUser.permissionOverrides as PermissionOverrides | null,
+  const subscription = deriveUserSseSubscription(
+    {
+      userId: dbUser.id,
+      systemRole: dbUser.systemRole as SystemRole,
+      permissionOverrides: dbUser.permissionOverrides as PermissionOverrides | null,
+      resourceId: dbUser.resource?.id ?? null,
+    },
     roleDefaults,
   );
-  const audiences = new Set<string>([
-    userAudience(dbUser.id),
-    roleAudience(dbUser.systemRole),
-  ]);
-  if (dbUser.resource?.id) {
-    audiences.add(resourceAudience(dbUser.resource.id));
-  }
-  for (const permission of permissions) {
-    audiences.add(permissionAudience(permission));
-  }
 
   const encoder = new TextEncoder();
 
@@ -76,10 +70,7 @@ export async function GET() {
             // Client disconnected
           }
         },
-        {
-          audiences,
-          includeUnscoped: false,
-        },
+        subscription,
       );
 
       // Heartbeat every 30 seconds