feat(auth): classify planning and resource read audiences

packages/api/src/__tests__/project-router.test.ts

@@ -666,7 +666,7 @@ describe("project router", () => {
         },
       };
 
-      const caller = createProtectedCaller(db);
+      const caller = createControllerCaller(db);
       const result = await caller.searchSummaries({ search: "Gelddruckmaschine", limit: 10 });
 
       expect(result).toEqual([
@@ -735,6 +735,19 @@ describe("project router", () => {
       ).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
     });
 
+    it("blocks USER role from lightweight project search summaries", async () => {
+      const db = {
+        project: {
+          findMany: vi.fn(),
+        },
+      };
+
+      const caller = createProtectedCaller(db);
+      await expect(
+        caller.searchSummaries({ search: "Gelddruckmaschine", limit: 10 }),
+      ).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
+    });
+
     it("returns lightweight project identifier reads from the canonical router", async () => {
       const db = {
         project: {
@@ -750,7 +763,7 @@ describe("project router", () => {
         },
       };
 
-      const caller = createProtectedCaller(db);
+      const caller = createControllerCaller(db);
       const result = await caller.getByIdentifier({ identifier: "GDM" });
 
       expect(result).toEqual({
@@ -854,5 +867,19 @@ describe("project router", () => {
         caller.getByIdentifierDetail({ identifier: "GDM" }),
       ).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
     });
+
+    it("blocks USER role from lightweight project identifier reads", async () => {
+      const db = {
+        project: {
+          findUnique: vi.fn(),
+          findFirst: vi.fn(),
+        },
+      };
+
+      const caller = createProtectedCaller(db);
+      await expect(
+        caller.getByIdentifier({ identifier: "GDM" }),
+      ).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
+    });
   });
 });