feat(api): role-aware session helper + admin-only activity writes

This commit is contained in:
Bas van Rossem
2026-06-17 17:43:37 +02:00
parent c73fa0f898
commit f2cc0973c7
6 changed files with 78 additions and 48 deletions


@@ -4,7 +4,7 @@ import { CreateActivityInput, UpdateActivityInput } from '@solelog/shared';
import type { Activity } from '@solelog/shared';
import { db } from '../db/client';
import { activities, workSessions } from '../db/schema';
import { getSessionUser } from '../lib/require-user';
import { getSessionUser, isAdmin } from '../lib/require-user';
export const activitiesRoutes = new Hono();
@@ -34,6 +34,7 @@ activitiesRoutes.get('/api/activities', async (c) => {
activitiesRoutes.post('/api/activities', async (c) => {
const sessionUser = await getSessionUser(c);
if (!sessionUser) return c.json({ error: 'Unauthorized' }, 401);
if (!isAdmin(sessionUser)) return c.json({ error: 'Forbidden' }, 403);
const parsed = CreateActivityInput.safeParse(await c.req.json().catch(() => null));
if (!parsed.success) return c.json({ error: 'Invalid input' }, 400);
@@ -48,6 +49,7 @@ activitiesRoutes.post('/api/activities', async (c) => {
activitiesRoutes.put('/api/activities/:id', async (c) => {
const sessionUser = await getSessionUser(c);
if (!sessionUser) return c.json({ error: 'Unauthorized' }, 401);
if (!isAdmin(sessionUser)) return c.json({ error: 'Forbidden' }, 403);
const id = Number.parseInt(c.req.param('id'), 10);
if (Number.isNaN(id)) return c.json({ error: 'Activity not found' }, 404);
@@ -67,6 +69,7 @@ activitiesRoutes.put('/api/activities/:id', async (c) => {
activitiesRoutes.delete('/api/activities/:id', async (c) => {
const sessionUser = await getSessionUser(c);
if (!sessionUser) return c.json({ error: 'Unauthorized' }, 401);
if (!isAdmin(sessionUser)) return c.json({ error: 'Forbidden' }, 403);
const id = Number.parseInt(c.req.param('id'), 10);
if (Number.isNaN(id)) return c.json({ error: 'Activity not found' }, 404);