batch3 T3 review fix: swap req.user! for requireUser; document ws/user guard

Replaces six non-null assertions on req.user with the requireUser helper
from auth.ts, which throws a descriptive error if the auth hook didn't
populate req.user. Adds an inline comment in /api/ws/user explaining the
manual auth check is defensive (the global hook already enforces auth).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/server/src/routes/sessions.ts

@@ -5,6 +5,7 @@ import type { Config } from '../config.js';
 import type { Broker } from '../services/broker.js';
 import type { Session } from '../types/api.js';
 import { getSetting } from './settings.js';
+import { requireUser } from '../auth.js';
 
 const CreateBody = z.object({
   name: z.string().min(1).max(200).optional(),
@@ -88,7 +89,7 @@ export function registerSessionRoutes(
         `;
         return session!;
       });
-      broker.publishUser(req.user!, {
+      broker.publishUser(requireUser(req), {
         type: 'session_created',
         session: row,
         project_id: row.project_id,
@@ -149,7 +150,7 @@ export function registerSessionRoutes(
         return { error: 'not found' };
       }
       const project_id = deleted[0]!.project_id;
-      broker.publishUser(req.user!, { type: 'session_deleted', session_id: id, project_id });
+      broker.publishUser(requireUser(req), { type: 'session_deleted', session_id: id, project_id });
       reply.code(204);
       return null;
     }