Authenticate WebSocket upgrade requests via Directus's /users/me:
- src/live/auth.ts: createAuthClient factory; validate() forwards the raw
Cookie: header to Directus, parses the user with zod, and returns
AuthenticatedUser or null. Handles 401/403 (unauthorized), non-2xx (error),
network failures, AbortError (timeout), null data (expired session), and
missing data key (malformed Directus response).
- src/live/server.ts: upgrade handler now calls authClient.validate() before
completing the WS handshake; on null user, writes HTTP 401 and destroys the
socket. LiveConnection gains user: AuthenticatedUser and cookieHeader: string
(needed for per-subscription authz in task 1.5.3). authClient is an optional
parameter so tests without auth still work.
- src/main.ts: wires createAuthClient and passes it to createLiveServer.
- test/live-auth.test.ts: 11 unit tests covering all validate() code paths
including the empty-cookie fast-path, latency histogram observation, and
distinction between unauthorized (401/expired) and error (malformed) results.
