feat(api): role-aware session helper + admin-only activity writes

apps/api/test/export.test.ts

@@ -5,17 +5,7 @@ import { db } from '../src/db/client';
 import { workSessions } from '../src/db/schema';
 import { eq } from 'drizzle-orm';
 import { quote, formatDuration } from '../src/lib/csv';
-import { authToken, bearer } from './helpers';
-
-async function createActivity(app: Hono, token: string, name: string): Promise<number> {
-  const res = await app.request('/api/activities', {
-    method: 'POST',
-    headers: bearer(token),
-    body: JSON.stringify({ name, insole_types: ['Kurk', 'Berk', '3D'] }),
-  });
-  const body = await res.json();
-  return body.id as number;
-}
+import { authToken, bearer, seedActivity } from './helpers';
 
 // Start a session, backdate its start_time by `durationSeconds`, then stop it,
 // producing a completed session with an exact duration.
@@ -50,7 +40,7 @@ describe('csv export', () => {
   it('exports completed sessions as CSV with the legacy header', async () => {
     const app = createApp();
     const token = await authToken(app, 'export-basic@example.com');
-    const activityId = await createActivity(app, token, 'Frezen');
+    const activityId = await seedActivity('Frezen');
     await completedSession(app, token, activityId, 'Kurk', 90);
 
     const res = await app.request('/api/export', { headers: bearer(token) });
@@ -75,7 +65,7 @@ describe('csv export', () => {
     const app = createApp();
     const tokenA = await authToken(app, 'export-scopeA@example.com');
     const tokenB = await authToken(app, 'export-scopeB@example.com');
-    const activityId = await createActivity(app, tokenA, 'Slijpen');
+    const activityId = await seedActivity('Slijpen');
 
     // User A: one completed session.
     await completedSession(app, tokenA, activityId, 'Kurk', 30);