feat(holiday-calendar): restrict catalog reads to admins

packages/api/src/router/assistant.ts

@@ -360,6 +360,8 @@ const ADMIN_ONLY_TOOLS = new Set([
   "create_metro_city",
   "update_metro_city",
   "delete_metro_city",
+  "list_holiday_calendars",
+  "get_holiday_calendar",
   "create_holiday_calendar",
   "update_holiday_calendar",
   "delete_holiday_calendar",

packages/api/src/router/holiday-calendar.ts

@@ -548,7 +548,7 @@ async function assertScopeConsistency(
 }
 
 export const holidayCalendarRouter = createTRPCRouter({
-  listCalendars: protectedProcedure
+  listCalendars: adminProcedure
     .input(z.object({
       includeInactive: z.boolean().optional(),
       countryCode: z.string().trim().min(1).optional(),
@@ -558,7 +558,7 @@ export const holidayCalendarRouter = createTRPCRouter({
     }).optional())
     .query(async ({ ctx, input }) => readCalendarsSnapshot(ctx, input)),
 
-  listCalendarsDetail: protectedProcedure
+  listCalendarsDetail: adminProcedure
     .input(z.object({
       includeInactive: z.boolean().optional(),
       countryCode: z.string().trim().min(1).optional(),
@@ -574,18 +574,18 @@ export const holidayCalendarRouter = createTRPCRouter({
       };
     }),
 
-  getCalendarByIdentifier: protectedProcedure
+  getCalendarByIdentifier: adminProcedure
     .input(z.object({ identifier: z.string().trim().min(1) }))
     .query(async ({ ctx, input }) => readCalendarByIdentifierSnapshot(ctx, input.identifier)),
 
-  getCalendarByIdentifierDetail: protectedProcedure
+  getCalendarByIdentifierDetail: adminProcedure
     .input(z.object({ identifier: z.string().trim().min(1) }))
     .query(async ({ ctx, input }) => {
       const calendar = await readCalendarByIdentifierSnapshot(ctx, input.identifier);
       return formatHolidayCalendarDetail(calendar);
     }),
 
-  getCalendarById: protectedProcedure
+  getCalendarById: adminProcedure
     .input(z.object({ id: z.string() }))
     .query(async ({ ctx, input }) => {
       const db = asHolidayCalendarDb(ctx.db);