fix(#337): Propagate database errors from guards instead of masking as access denied

SEC-API-2: WorkspaceGuard now propagates database errors as 500s instead of
returning "access denied". Only Prisma P2025 (record not found) is treated
as "user not a member".

SEC-API-3: PermissionGuard now propagates database errors as 500s instead of
returning null role (which caused permission denied). Only Prisma P2025 is
treated as "not a member".

This prevents connection timeouts, pool exhaustion, and other infrastructure
errors from being misreported to users as authorization failures.

Refs #337

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api/src/common/guards/workspace.guard.spec.ts

@@ -1,6 +1,12 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
-import { ExecutionContext, ForbiddenException, BadRequestException } from "@nestjs/common";
+import {
+  ExecutionContext,
+  ForbiddenException,
+  BadRequestException,
+  InternalServerErrorException,
+} from "@nestjs/common";
+import { Prisma } from "@prisma/client";
 import { WorkspaceGuard } from "./workspace.guard";
 import { PrismaService } from "../../prisma/prisma.service";
 
@@ -253,14 +259,60 @@ describe("WorkspaceGuard", () => {
       );
     });
 
-    it("should handle database errors gracefully", async () => {
+    it("should throw InternalServerErrorException on database connection errors", async () => {
       const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
 
       mockPrismaService.workspaceMember.findUnique.mockRejectedValue(
         new Error("Database connection failed")
       );
 
+      await expect(guard.canActivate(context)).rejects.toThrow(InternalServerErrorException);
+      await expect(guard.canActivate(context)).rejects.toThrow("Failed to verify workspace access");
+    });
+
+    it("should throw InternalServerErrorException on Prisma connection timeout", async () => {
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError("Connection timed out", {
+        code: "P1001", // Authentication failed (connection error)
+        clientVersion: "5.0.0",
+      });
+
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(prismaError);
+
+      await expect(guard.canActivate(context)).rejects.toThrow(InternalServerErrorException);
+    });
+
+    it("should return false for Prisma not found error (P2025)", async () => {
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError("Record not found", {
+        code: "P2025", // Record not found
+        clientVersion: "5.0.0",
+      });
+
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(prismaError);
+
+      // P2025 should be treated as "not a member" -> ForbiddenException
       await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
+      await expect(guard.canActivate(context)).rejects.toThrow(
+        "You do not have access to this workspace"
+      );
+    });
+
+    it("should NOT mask database pool exhaustion as access denied", async () => {
+      const context = createMockExecutionContext({ id: userId }, { "x-workspace-id": workspaceId });
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError("Connection pool exhausted", {
+        code: "P2024", // Connection pool timeout
+        clientVersion: "5.0.0",
+      });
+
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(prismaError);
+
+      // Should NOT throw ForbiddenException for DB errors
+      await expect(guard.canActivate(context)).rejects.toThrow(InternalServerErrorException);
+      await expect(guard.canActivate(context)).rejects.not.toThrow(ForbiddenException);
     });
   });
 });