feat(auth): introduce explicit planning read permission

packages/api/src/trpc.ts

@@ -152,8 +152,7 @@ export const resourceOverviewProcedure = protectedProcedure.use(({ ctx, next })
 });
 
 /**
- * Planning read procedure — allows broad planning/project read access without opening it to all users.
- * This is an interim audience gate until dedicated project-read permissions exist.
+ * Planning read procedure — requires the explicit broad planning read audience.
  */
 export const planningReadProcedure = protectedProcedure.use(({ ctx, next }) => {
   const user = ctx.dbUser;
@@ -165,11 +164,7 @@ export const planningReadProcedure = protectedProcedure.use(({ ctx, next }) => {
     ctx.roleDefaults ?? undefined,
   );
 
-  if (
-    !permissions.has(PermissionKey.VIEW_COSTS)
-    && !permissions.has(PermissionKey.MANAGE_PROJECTS)
-    && !permissions.has(PermissionKey.MANAGE_ALLOCATIONS)
-  ) {
+  if (!permissions.has(PermissionKey.VIEW_PLANNING)) {
     throw new TRPCError({
       code: "FORBIDDEN",
       message: "Planning read access required",