feat(auth): classify planning and resource read audiences

packages/api/src/router/project.ts

@@ -12,7 +12,7 @@ import { paginate, paginateCursor, PaginationInputSchema, CursorInputSchema } fr
 import { assertBlueprintDynamicFields } from "./blueprint-validation.js";
 import { buildDynamicFieldWhereClauses } from "./custom-field-filters.js";
 import { loadProjectPlanningReadModel } from "./project-planning-read-model.js";
-import { adminProcedure, controllerProcedure, createTRPCRouter, managerProcedure, protectedProcedure, requirePermission } from "../trpc.js";
+import { adminProcedure, controllerProcedure, createTRPCRouter, managerProcedure, planningReadProcedure, protectedProcedure, requirePermission } from "../trpc.js";
 import { createDalleClient, isDalleConfigured, loggedAiCall, parseAiError } from "../ai-client.js";
 import { generateGeminiImage, isGeminiConfigured, parseGeminiError } from "../gemini-client.js";
 import { invalidateDashboardCache } from "../lib/cache.js";
@@ -411,7 +411,7 @@ async function readProjectByIdentifierDetailSnapshot(
 }
 
 export const projectRouter = createTRPCRouter({
-  resolveByIdentifier: protectedProcedure
+  resolveByIdentifier: planningReadProcedure
     .input(z.object({ identifier: z.string() }))
     .query(async ({ ctx, input }) => {
       const select = {
@@ -454,7 +454,7 @@ export const projectRouter = createTRPCRouter({
       return project;
     }),
 
-  searchSummaries: protectedProcedure
+  searchSummaries: planningReadProcedure
     .input(z.object({
       search: z.string().optional(),
       status: z.nativeEnum(ProjectStatus).optional(),
@@ -577,7 +577,7 @@ export const projectRouter = createTRPCRouter({
       };
     }),
 
-  getByIdentifier: protectedProcedure
+  getByIdentifier: planningReadProcedure
     .input(z.object({ identifier: z.string() }))
     .query(async ({ ctx, input }) => resolveProjectIdentifierSnapshot(ctx, input.identifier)),