batch3 T3 review fix: swap req.user! for requireUser; document ws/user guard

Replaces six non-null assertions on req.user with the requireUser helper
from auth.ts, which throws a descriptive error if the auth hook didn't
populate req.user. Adds an inline comment in /api/ws/user explaining the
manual auth check is defensive (the global hook already enforces auth).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/server/src/routes/messages.ts

@@ -2,6 +2,7 @@ import type { FastifyInstance } from 'fastify';
 import { z } from 'zod';
 import type { Sql } from '../db.js';
 import type { Message, Session } from '../types/api.js';
+import { requireUser } from '../auth.js';
 
 const SendBody = z.object({
   content: z.string().min(1).max(64_000),
@@ -76,7 +77,7 @@ export function registerMessageRoutes(
         result.user_message_id,
         parsed.data.content
       );
-      handlers.enqueueInference(req.params.id, result.assistant_message_id, req.user!);
+      handlers.enqueueInference(req.params.id, result.assistant_message_id, requireUser(req));
 
       reply.code(202);
       return result;
@@ -132,7 +133,7 @@ export function registerMessageRoutes(
       });
 
       handlers.publishMessagesDeleted(sessionId, deletedIds);
-      handlers.enqueueInference(sessionId, newAssistantId, req.user!);
+      handlers.enqueueInference(sessionId, newAssistantId, requireUser(req));
 
       reply.code(202);
       return { assistant_message_id: newAssistantId };

apps/server/src/routes/projects.ts

@@ -6,6 +6,7 @@ import type { Sql } from '../db.js';
 import type { Config } from '../config.js';
 import type { Broker } from '../services/broker.js';
 import type { Project, AvailableProject } from '../types/api.js';
+import { requireUser } from '../auth.js';
 
 const AddProjectBody = z.object({
   path: z.string().min(1),
@@ -73,7 +74,7 @@ export function registerProjectRoutes(
         VALUES (${name}, ${resolved.real})
         RETURNING id, name, path, added_at, last_session_id
       `;
-      broker.publishUser(req.user!, { type: 'project_created', project: row as unknown as Project });
+      broker.publishUser(requireUser(req), { type: 'project_created', project: row as unknown as Project });
       reply.code(201);
       return row;
     } catch (err) {
@@ -92,7 +93,7 @@ export function registerProjectRoutes(
       reply.code(404);
       return { error: 'not found' };
     }
-    broker.publishUser(req.user!, { type: 'project_deleted', project_id: id });
+    broker.publishUser(requireUser(req), { type: 'project_deleted', project_id: id });
     reply.code(204);
     return null;
   });

apps/server/src/routes/sessions.ts

@@ -5,6 +5,7 @@ import type { Config } from '../config.js';
 import type { Broker } from '../services/broker.js';
 import type { Session } from '../types/api.js';
 import { getSetting } from './settings.js';
+import { requireUser } from '../auth.js';
 
 const CreateBody = z.object({
   name: z.string().min(1).max(200).optional(),
@@ -88,7 +89,7 @@ export function registerSessionRoutes(
         `;
         return session!;
       });
-      broker.publishUser(req.user!, {
+      broker.publishUser(requireUser(req), {
         type: 'session_created',
         session: row,
         project_id: row.project_id,
@@ -149,7 +150,7 @@ export function registerSessionRoutes(
         return { error: 'not found' };
       }
       const project_id = deleted[0]!.project_id;
-      broker.publishUser(req.user!, { type: 'session_deleted', session_id: id, project_id });
+      broker.publishUser(requireUser(req), { type: 'session_deleted', session_id: id, project_id });
       reply.code(204);
       return null;
     }

apps/server/src/routes/ws.ts

@@ -46,6 +46,8 @@ export function registerWebSocket(
 
   app.get('/api/ws/user', { websocket: true }, async (socket, req) => {
     const user = req.user;
+    // defensive: global auth hook (auth.ts) already rejects unauthenticated /api/* requests;
+    // keep the explicit check here to close the WS cleanly (1008) rather than throwing.
     if (!user) {
       socket.close(1008, 'unauthenticated');
       return;