feat(api): include role in /api/me + allow admin origin in CORS

Add `role: Role` to the shared `PublicUser` contract and return it from
`GET /api/me` (defaulting to 'worker' when the session user has no role).
This lets the planned admin app gate access by role.

Also add the admin dev origin `http://localhost:5174` to the default
`WEB_ORIGINS` (env.ts) and to `.env.example`, so the admin SPA on :5174 can
reach the API at :3000 cross-origin (drives both hono/cors and better-auth
trustedOrigins).

apps/api/src/env.ts

@@ -9,6 +9,10 @@ export const env = {
   PORT: Number(process.env.PORT ?? 3000),
   // Browser origins allowed for CORS + better-auth trustedOrigins. Set CORS_ORIGINS to a
   // comma-separated list (e.g. "http://localhost:5173,http://192.168.1.50:5173") to let a
-  // phone on the LAN reach the API — no code edit needed. Defaults to the local Vite origin.
-  WEB_ORIGINS: webOrigins && webOrigins.length ? webOrigins : ['http://localhost:5173'],
+  // phone on the LAN reach the API — no code edit needed. Defaults to the local Vite origins
+  // for the worker (5173) and admin (5174) SPAs.
+  WEB_ORIGINS:
+    webOrigins && webOrigins.length
+      ? webOrigins
+      : ['http://localhost:5173', 'http://localhost:5174'],
 };

apps/api/src/routes/me.ts

@@ -1,5 +1,5 @@
 import { Hono } from 'hono';
-import type { MeResponse } from '@solelog/shared';
+import type { MeResponse, Role } from '@solelog/shared';
 import { auth } from '../auth';
 
 export const me = new Hono();
@@ -14,6 +14,7 @@ me.get('/api/me', async (c) => {
       id: session.user.id,
       email: session.user.email,
       name: session.user.name,
+      role: ((session.user as { role?: string | null }).role ?? 'worker') as Role,
     },
   };
   return c.json(body);