refactor(sse): narrow canonical audience scopes

packages/api/src/__tests__/event-bus-debounce.test.ts

@@ -265,4 +265,24 @@ describe("event-bus debounce", () => {
     unsubscribeManager();
     unsubscribeResource();
   });
+
+  it("rejects invalid subscription audiences", () => {
+    expect(() =>
+      eventBus.subscribe(
+        () => undefined,
+        {
+          audiences: ["chapter:capex" as never],
+          includeUnscoped: false,
+        },
+      )).toThrowError("Invalid SSE audience: chapter:capex");
+  });
+
+  it("rejects invalid emitted audiences", () => {
+    expect(() =>
+      eventBus.emit(
+        SSE_EVENT_TYPES.NOTIFICATION_CREATED,
+        { notificationId: "n1" },
+        ["user:" as never],
+      )).toThrowError("Invalid SSE audience: user:");
+  });
 });

packages/api/src/__tests__/sse-subscription-policy.test.ts

@@ -5,7 +5,6 @@ import {
   eventBus,
   permissionAudience,
   resourceAudience,
-  roleAudience,
   type SseEvent,
   userAudience,
 } from "../sse/event-bus.js";
@@ -36,7 +35,7 @@ describe("sse subscription policy", () => {
     vi.useRealTimers();
   });
 
-  it("derives canonical user, role, resource, and permission audiences server-side", () => {
+  it("derives canonical user, resource, and permission audiences server-side", () => {
     const subscription = deriveUserSseSubscription({
       userId: "user_1",
       systemRole: SystemRole.USER,
@@ -55,7 +54,6 @@ describe("sse subscription policy", () => {
       permissionAudience(PermissionKey.MANAGE_ALLOCATIONS),
       permissionAudience(PermissionKey.VIEW_PLANNING),
       resourceAudience("res_1"),
-      roleAudience(SystemRole.USER),
       userAudience("user_1"),
     ]);
   });