refactor: move business logic out of presentation — ReadAssetFile, checksum, auth checks, MetadataValue conversions

crates/application/tests/organization/queries/get_album.rs

@@ -24,6 +24,7 @@ async fn returns_album() {
     let found = query_handler
         .execute(GetAlbumQuery {
             album_id: album.album_id,
+            user_id: creator,
         })
         .await
         .unwrap();
@@ -39,7 +40,33 @@ async fn rejects_nonexistent() {
     let result = handler
         .execute(GetAlbumQuery {
             album_id: SystemId::new(),
+            user_id: SystemId::new(),
         })
         .await;
     assert!(matches!(result, Err(DomainError::NotFound(_))));
 }
+
+#[tokio::test]
+async fn rejects_forbidden_access() {
+    let repo = Arc::new(InMemoryAlbumRepository::new());
+    let creator = SystemId::new();
+
+    let create_handler = CreateAlbumHandler::new(repo.clone());
+    let album = create_handler
+        .execute(CreateAlbumCommand {
+            title: "Private Album".into(),
+            creator_id: creator,
+        })
+        .await
+        .unwrap();
+
+    let query_handler = GetAlbumHandler::new(repo);
+    let other_user = SystemId::new();
+    let result = query_handler
+        .execute(GetAlbumQuery {
+            album_id: album.album_id,
+            user_id: other_user,
+        })
+        .await;
+    assert!(matches!(result, Err(DomainError::Forbidden(_))));
+}