fix(api): harden user self-service and resource linking

packages/api/src/__tests__/assistant-tools-user-self-service-auth-guard.test.ts

@@ -0,0 +1,59 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { SystemRole } from "@capakraken/shared";
+
+vi.mock("@capakraken/application", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@capakraken/application")>();
+  return {
+    ...actual,
+    getDashboardBudgetForecast: vi.fn().mockResolvedValue([]),
+    getDashboardPeakTimes: vi.fn().mockResolvedValue([]),
+    listAssignmentBookings: vi.fn().mockResolvedValue([]),
+  };
+});
+
+import { executeTool, type ToolContext } from "../router/assistant-tools.js";
+import { createToolContext } from "./assistant-tools-user-self-service-test-helpers.js";
+
+describe("assistant user self-service auth guard tools", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("returns a stable assistant error when authenticated assistant context is missing for a self-service read tool", async () => {
+    const ctx = {
+      ...createToolContext({}, SystemRole.ADMIN),
+      session: null,
+      dbUser: null,
+    } as unknown as ToolContext;
+
+    const result = await executeTool("get_current_user", "{}", ctx);
+
+    expect(JSON.parse(result.content)).toEqual({
+      error: "Authenticated assistant context is required for this tool.",
+    });
+  });
+
+  it("returns a stable assistant error when authenticated assistant context is missing for a self-service mutation tool", async () => {
+    const ctx = {
+      ...createToolContext({}, SystemRole.ADMIN),
+      session: null,
+      dbUser: null,
+    } as unknown as ToolContext;
+
+    const result = await executeTool(
+      "save_dashboard_layout",
+      JSON.stringify({
+        layout: {
+          version: 2,
+          gridCols: 12,
+          widgets: [],
+        },
+      }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual({
+      error: "Authenticated assistant context is required for this tool.",
+    });
+  });
+});