feat(auth): tighten allocation read audiences

packages/api/src/router/allocation.ts

@@ -43,7 +43,7 @@ import {
   countEffectiveWorkingDays,
   loadResourceDailyAvailabilityContexts,
 } from "../lib/resource-capacity.js";
-import { createTRPCRouter, managerProcedure, protectedProcedure, requirePermission } from "../trpc.js";
+import { createTRPCRouter, managerProcedure, planningReadProcedure, requirePermission } from "../trpc.js";
 import { PROJECT_BRIEF_SELECT, RESOURCE_BRIEF_SELECT, ROLE_BRIEF_SELECT } from "../db/selects.js";
 
 const DEMAND_INCLUDE = {
@@ -658,7 +658,7 @@ function buildResourceAvailabilitySummary(
 }
 
 export const allocationRouter = createTRPCRouter({
-  list: protectedProcedure
+  list: planningReadProcedure
     .input(
       z.object({
         projectId: z.string().optional(),
@@ -671,7 +671,7 @@ export const allocationRouter = createTRPCRouter({
       return readModel.allocations;
     }),
 
-  listView: protectedProcedure
+  listView: planningReadProcedure
     .input(
       z.object({
         projectId: z.string().optional(),
@@ -746,7 +746,7 @@ export const allocationRouter = createTRPCRouter({
       return allocation;
     }),
 
-  listDemands: protectedProcedure
+  listDemands: planningReadProcedure
     .input(
       z.object({
         projectId: z.string().optional(),
@@ -774,7 +774,7 @@ export const allocationRouter = createTRPCRouter({
       }));
     }),
 
-  listAssignments: protectedProcedure
+  listAssignments: planningReadProcedure
     .input(
       z.object({
         projectId: z.string().optional(),
@@ -801,7 +801,7 @@ export const allocationRouter = createTRPCRouter({
       );
     }),
 
-  getAssignmentById: protectedProcedure
+  getAssignmentById: planningReadProcedure
     .input(z.object({ id: z.string() }))
     .query(async ({ ctx, input }) => {
       const assignment = await findUniqueOrThrow(
@@ -821,7 +821,7 @@ export const allocationRouter = createTRPCRouter({
       };
     }),
 
-  resolveAssignment: protectedProcedure
+  resolveAssignment: planningReadProcedure
     .input(z.object({
       assignmentId: z.string().optional(),
       resourceId: z.string().optional(),
@@ -833,7 +833,7 @@ export const allocationRouter = createTRPCRouter({
     }))
     .query(async ({ ctx, input }) => resolveAssignmentBySelection(ctx.db, input)),
 
-  getDemandRequirementById: protectedProcedure
+  getDemandRequirementById: planningReadProcedure
     .input(z.object({ id: z.string() }))
     .query(async ({ ctx, input }) => getDemandRequirementByIdOrThrow(ctx.db, input.id)),
 
@@ -841,7 +841,7 @@ export const allocationRouter = createTRPCRouter({
    * Check a resource's availability for a date range.
    * Returns working days, existing allocations, conflict days, and available capacity.
    */
-  checkResourceAvailability: protectedProcedure
+  checkResourceAvailability: planningReadProcedure
     .input(z.object({
       resourceId: z.string(),
       startDate: z.coerce.date(),
@@ -853,7 +853,7 @@ export const allocationRouter = createTRPCRouter({
       return availability;
     }),
 
-  getResourceAvailabilityView: protectedProcedure
+  getResourceAvailabilityView: planningReadProcedure
     .input(z.object({
       resourceId: z.string(),
       startDate: z.coerce.date(),
@@ -862,7 +862,7 @@ export const allocationRouter = createTRPCRouter({
     }))
     .query(async ({ ctx, input }) => buildResourceAvailabilityView(ctx.db, input)),
 
-  getResourceAvailabilitySummary: protectedProcedure
+  getResourceAvailabilitySummary: planningReadProcedure
     .input(z.object({
       resourceId: z.string(),
       startDate: z.coerce.date(),