batch3 T3 review fix: swap req.user! for requireUser; document ws/user guard

Replaces six non-null assertions on req.user with the requireUser helper
from auth.ts, which throws a descriptive error if the auth hook didn't
populate req.user. Adds an inline comment in /api/ws/user explaining the
manual auth check is defensive (the global hook already enforces auth).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 15:10:20 +00:00
parent 8fc525eab9
commit 124beae2bc
4 changed files with 11 additions and 6 deletions


@@ -6,6 +6,7 @@ import type { Sql } from '../db.js';
import type { Config } from '../config.js';
import type { Broker } from '../services/broker.js';
import type { Project, AvailableProject } from '../types/api.js';
import { requireUser } from '../auth.js';
const AddProjectBody = z.object({
path: z.string().min(1),
@@ -73,7 +74,7 @@ export function registerProjectRoutes(
VALUES (${name}, ${resolved.real})
RETURNING id, name, path, added_at, last_session_id
`;
broker.publishUser(req.user!, { type: 'project_created', project: row as unknown as Project });
broker.publishUser(requireUser(req), { type: 'project_created', project: row as unknown as Project });
reply.code(201);
return row;
} catch (err) {
@@ -92,7 +93,7 @@ export function registerProjectRoutes(
reply.code(404);
return { error: 'not found' };
}
broker.publishUser(req.user!, { type: 'project_deleted', project_id: id });
broker.publishUser(requireUser(req), { type: 'project_deleted', project_id: id });
reply.code(204);
return null;
});
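Review bot: Both `requireUser(req)` calls run after the database write they report on: after the `VALUES … RETURNING` statement in the create handler and, judging by the 404 branch, after the delete in the second handler. If the helper throws there, the row is already changed, the client receives an error, and no broker event is published. In the create handler the call also sits inside the `try` whose `catch (err)` follows, so the auth failure may be handled as if it were a database error; the catch body is outside the hunk, so this needs confirming. Resolve the user once at the top of each handler, before any query, with `const user = requireUser(req);`, and pass it on, e.g. `broker.publishUser(user, { type: 'project_deleted', project_id: id });`. Both handler bodies start outside the visible hunks.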