feat(api): role-aware session helper + admin-only activity writes

apps/api/src/lib/require-user.ts

@@ -1,8 +1,18 @@
 import type { Context } from 'hono';
 import { auth } from '../auth';
 
-export async function getSessionUser(c: Context): Promise<{ id: string } | null> {
+export interface SessionUser {
+  id: string;
+  role: string;
+}
+
+export async function getSessionUser(c: Context): Promise<SessionUser | null> {
   const session = await auth.api.getSession({ headers: c.req.raw.headers });
   if (!session) return null;
-  return { id: session.user.id };
+  const role = (session.user as { role?: string | null }).role ?? 'worker';
+  return { id: session.user.id, role };
+}
+
+export function isAdmin(u: SessionUser | null): boolean {
+  return u?.role === 'admin';
 }

apps/api/src/lib/work-session.ts

@@ -0,0 +1,27 @@
+import type { WorkSession } from '@solelog/shared';
+import type { workSessions } from '../db/schema';
+
+type WorkSessionRow = typeof workSessions.$inferSelect;
+
+export function toWorkSession(
+  row: WorkSessionRow,
+  opts: { activityName?: string | null; userName?: string | null; userEmail?: string | null } = {}
+): WorkSession {
+  return {
+    id: row.id,
+    user_id: row.userId,
+    activity_id: row.activityId,
+    activity_name: opts.activityName ?? undefined,
+    user_name: opts.userName ?? undefined,
+    user_email: opts.userEmail ?? undefined,
+    insole_type: (row.insoleType ?? null) as WorkSession['insole_type'],
+    pair_count: row.pairCount,
+    start_time: new Date(row.startTime).toISOString(),
+    end_time: row.endTime ? new Date(row.endTime).toISOString() : null,
+    duration_seconds: row.durationSeconds ?? null,
+    status: row.status as WorkSession['status'],
+    source: row.source as WorkSession['source'],
+    notes: row.notes ?? null,
+    created_at: new Date(row.createdAt).toISOString(),
+  };
+}