docs: Phase 2 accounts & roles — roadmap, README, session log

apps/worker/README.md

@@ -39,10 +39,10 @@ From the repo root:
 yarn workspace @solelog/worker dev       # Vite dev server on http://localhost:5173
 ```
 
-Open **http://localhost:5173** in any browser. `db:seed` creates a ready-made **dev login**:
-**`worker@solelog.local`** / **`werkplaats123`** (dev-only — skipped when `NODE_ENV=production`).
-Or use the sign-up affordance on the login screen to create your own account. After signing in you
-land on the Stopwatch tab.
+Open **http://localhost:5173** in any browser. `db:seed` creates two **dev logins** (dev-only —
+skipped when `NODE_ENV=production`): **worker** `worker@solelog.local` / `werkplaats123` and
+**admin** `admin@solelog.local` / `werkplaats-admin`. Public self-registration is disabled — an
+admin creates accounts. After signing in you land on the Stopwatch tab.
 
 The API base URL comes from `VITE_API_URL` (default `http://localhost:3000`).
 
@@ -60,6 +60,7 @@ connected to the same Wi-Fi:
    ```
 
    (On Windows PowerShell: `$env:VITE_API_URL='http://<PC-LAN-IP>:3000'; yarn workspace @solelog/worker dev`.)
+
 4. Allow that origin on the API by setting `CORS_ORIGINS` when you start it — **no code edit**:
 
    ```bash
@@ -91,7 +92,7 @@ yarn workspace @solelog/worker test          # vitest run
 ## Architecture (Phase 1)
 
 - **Server-authoritative timing.** Start / stop / discard are API calls
-  (`POST /api/sessions/start`, `/:id/stop`, `/:id/discard`); the live timer only *displays* elapsed
+  (`POST /api/sessions/start`, `/:id/stop`, `/:id/discard`); the live timer only _displays_ elapsed
   time computed from the server `start_time`. An open session therefore survives a browser/phone
   restart and is recovered on load via `GET /api/sessions/active`.
 - **Shared contracts.** Request/response shapes are zod schemas in `@solelog/shared`, imported here