fix: resolve TypeScript errors for CI - add auth middleware plugin

- Create shared authMiddleware plugin with scoped derive for proper type propagation
- Each route file now uses authMiddleware instead of relying on parent derive
- Fix error handler to use instanceof Error checks for message/stack access
- Fix null vs undefined type mismatch in hammer route auth validation
- Fix invite role type assertion for enum compatibility
- Fix test type assertions to avoid impossible comparisons

apps/api/src/index.ts

@@ -8,8 +8,6 @@ import { taskRoutes } from './routes/tasks';
 import { labelRoutes } from './routes/labels';
 import { commentRoutes } from './routes/comments';
 import { hammerRoutes } from './routes/hammer';
-import type { User } from './lib/auth';
-
 const app = new Elysia()
   // CORS
   .use(cors({
@@ -39,21 +37,7 @@ const app = new Elysia()
   // Hammer API (uses separate API key auth)
   .group('/api', app => app.use(hammerRoutes))
   
-  // Protected routes - require auth
-  .derive(async ({ request, set }): Promise<{ user: User }> => {
-    const session = await auth.api.getSession({
-      headers: request.headers,
-    });
-    
-    if (!session?.user) {
-      set.status = 401;
-      throw new Error('Unauthorized');
-    }
-    
-    return { user: session.user as User };
-  })
-  
-  // Authenticated API routes
+  // Authenticated API routes (auth middleware is in each route plugin)
   .group('/api', app => app
     .use(adminRoutes)
     .use(projectRoutes)
@@ -64,30 +48,33 @@ const app = new Elysia()
   
   // Error handler
   .onError(({ code, error, set, path }) => {
+    const message = error instanceof Error ? error.message : String(error);
+    const stack = error instanceof Error ? error.stack : undefined;
+
     console.error(`[${new Date().toISOString()}] ERROR on ${path}:`, {
       code,
-      message: error.message,
-      stack: process.env.NODE_ENV !== 'production' ? error.stack : undefined,
+      message,
+      stack: process.env.NODE_ENV !== 'production' ? stack : undefined,
     });
     
     if (code === 'VALIDATION') {
       set.status = 400;
-      return { error: 'Validation error', details: error.message };
+      return { error: 'Validation error', details: message };
     }
     
-    if (error.message === 'Unauthorized') {
+    if (message === 'Unauthorized') {
       set.status = 401;
       return { error: 'Unauthorized' };
     }
     
-    if (error.message === 'Admin access required') {
+    if (message === 'Admin access required') {
       set.status = 403;
       return { error: 'Forbidden: Admin access required' };
     }
     
-    if (error.message.includes('not found')) {
+    if (message.includes('not found')) {
       set.status = 404;
-      return { error: error.message };
+      return { error: message };
     }
     
     set.status = 500;