Add authentication to tRPC routers #107

@ng

Priority: CRITICAL

All tRPC endpoints are currently public and unprotected. Authentication and authorization must be implemented before production deployment.

Current State

All routers use publicProcedure:

  • device.* - Anyone can control hardware
  • settings.* - Anyone can modify configuration
  • schedules.* - Anyone can change automation
  • biometrics.* - Anyone can access health data

Required Changes

1. Add Auth Context

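// src/server/context.ts
// getSession is the project's session lookup (auth library not named in this issue).
// It must resolve to null when the request carries no valid session.
export const createContext = async ({ req, res }) => {
  const session = await getSession({ req })
  return { session, req, res }
}

// Context type consumed by initTRPC in src/server/trpc.ts
export type Context = Awaited<ReturnType<typeof createContext>>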

2. Create Protected Procedure

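// src/server/trpc.ts
import { initTRPC, TRPCError } from '@trpc/server'
import type { Context } from './context'

// `transformer` is the data transformer the project already configures (not shown here)
const t = initTRPC.context<Context>().create({ transformer })

// Rejects any call without an authenticated user before the resolver runs
export const protectedProcedure = t.procedure.use(async ({ ctx, next }) => {
  if (!ctx.session?.user) {
    throw new TRPCError({ code: 'UNAUTHORIZED' })
  }
  return next({
    ctx: {
      ...ctx,
      // Narrowed here so downstream resolvers can rely on ctx.user being set
      user: ctx.session.user,
    },
  })
})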

3. Update All Routers

Replace publicProcedure with protectedProcedure in:

  • src/server/routers/device.ts
  • src/server/routers/settings.ts
  • src/server/routers/schedules.ts
  • src/server/routers/biometrics.ts

Keep healthcheck as public for monitoring.

Security Considerations

  • Device control - Prevent unauthorized hardware access
  • Health data - HIPAA/privacy compliance for biometrics
  • Configuration - Prevent tampering with settings
  • Rate limiting - Add per-user rate limits for hardware commands

Related


DO NOT merge tRPC routers to production without this fix.
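
The "Rate limiting" item above has no code in the issue. The following is an added example, not the project's own code, of a per-user token bucket applied after the same session check that protectedProcedure performs. The names UserRateLimiter, gateHardwareCommand and demo, the session shape with user.id, and the limits (burst of 3, 1 token per second) are assumptions made for illustration.

```typescript
// Added example: per-user token bucket for hardware commands (hypothetical names and limits).
type Session = { user?: { id: string } } | null;
type Decision = 'OK' | 'UNAUTHORIZED' | 'TOO_MANY_REQUESTS';
interface Bucket { tokens: number; last: number }

class UserRateLimiter {
  private buckets = new Map<string, Bucket>();
  private capacity: number;
  private refillPerSec: number;

  constructor(capacity: number, refillPerSec: number) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
  }

  // Refills by elapsed time, then spends one token if the user has budget left.
  take(userId: string, nowMs: number): boolean {
    const b = this.buckets.get(userId) ?? { tokens: this.capacity, last: nowMs };
    const elapsedSec = Math.max(0, nowMs - b.last) / 1000; // a clock step backwards adds nothing
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = nowMs;
    this.buckets.set(userId, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Order matters: authenticate first, then rate limit by user id (not by IP),
// so unauthenticated calls are rejected without creating or draining a bucket.
function gateHardwareCommand(session: Session, limiter: UserRateLimiter, nowMs: number): Decision {
  const user = session?.user;
  if (!user) return 'UNAUTHORIZED';
  return limiter.take(user.id, nowMs) ? 'OK' : 'TOO_MANY_REQUESTS';
}

// Constructed sample traffic: burst of 3 commands allowed, refill of 1 token per second.
function demo(): Decision[] {
  const limiter = new UserRateLimiter(3, 1);
  const alice: Session = { user: { id: 'alice' } };
  const t0 = 1000000;
  return [
    gateHardwareCommand(null, limiter, t0),                    // no session
    gateHardwareCommand(alice, limiter, t0),
    gateHardwareCommand(alice, limiter, t0),
    gateHardwareCommand(alice, limiter, t0),
    gateHardwareCommand(alice, limiter, t0),                   // bucket empty
    gateHardwareCommand({ user: { id: 'bob' } }, limiter, t0), // separate bucket
    gateHardwareCommand(alice, limiter, t0 + 1000),            // one token refilled
  ];
}
```

In a tRPC middleware the two non-OK decisions map to the existing error codes 'UNAUTHORIZED' and 'TOO_MANY_REQUESTS'. An in-memory map only limits per process, so a multi-instance deployment needs a shared store.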

Labels: enhancement (New feature or request)
