schema-level-roles-without-router-enforcement-provides-no-security

Defining role fields (admin/member) in the database schema without enforcing them in API route handlers provides zero authorization protection. In the TaskFlow codebase, any authenticated user could call tasks.allTasks, or call tasks.updateStatus on any task, regardless of role. The ‘protectedProcedure’ pattern validates only authentication (is the user logged in?), not authorization (does this user own or have access to this resource?). Every mutation and sensitive query must include an explicit ownership/role check against the calling user’s identity.
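The gap between the two checks, as an added example that is not TaskFlow's own code: plain TypeScript models an authentication-only handler next to one that also checks role and ownership. The types, the helpers (requireUser, findTask, canAccess, sampleCtx) and the sample tasks are assumptions made for illustration.

```typescript
// Hypothetical model of the handlers named above; not TaskFlow's actual code.
type Role = "admin" | "member";
interface User { id: string; role: Role }
interface Task { id: string; ownerId: string; status: string }
interface Ctx { user: User | null; tasks: Task[] }

// All an authentication-only guard like protectedProcedure establishes.
function requireUser(ctx: Ctx): User {
  if (ctx.user === null) throw new Error("UNAUTHORIZED");
  return ctx.user;
}
function findTask(ctx: Ctx, taskId: string): Task {
  const task = ctx.tasks.filter((t) => t.id === taskId)[0];
  if (task === undefined) throw new Error("NOT_FOUND");
  return task;
}

// Authorization: the schema's role field and task ownership, evaluated
// against the calling user on every request.
function canAccess(user: User, task: Task): boolean {
  return user.role === "admin" || task.ownerId === user.id;
}

// Before: authenticated only, so any member can change any task.
function updateStatusAuthnOnly(ctx: Ctx, taskId: string, status: string): Task {
  requireUser(ctx);
  const task = findTask(ctx, taskId);
  task.status = status;
  return task;
}

// After: the same guard plus an explicit check before the write.
function updateStatus(ctx: Ctx, taskId: string, status: string): Task {
  const user = requireUser(ctx);
  const task = findTask(ctx, taskId);
  if (!canAccess(user, task)) throw new Error("FORBIDDEN");
  task.status = status;
  return task;
}

// Query side: scope results to the caller instead of returning every row.
function allTasks(ctx: Ctx): Task[] {
  const user = requireUser(ctx);
  return ctx.tasks.filter((t) => canAccess(user, t));
}

// Constructed sample data: two tasks with different owners.
function sampleCtx(user: User | null): Ctx {
  const mk = (id: string, ownerId: string): Task => ({ id, ownerId, status: "open" });
  return { user, tasks: [mk("t1", "alice"), mk("t2", "bob")] };
}
```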