feat: ownerOf(event) helper and ownerId in task DTO

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

server/utils/dto.ts

@@ -7,6 +7,7 @@ export interface TaskDto {
   description: string | null;
   source: string;
   consumed: boolean;
+  ownerId: string | null;
   createdAt: string;
 }
 
@@ -18,6 +19,7 @@ export function toTaskDto(row: TaskRow): TaskDto {
     description: row.description,
     source: row.source,
     consumed: row.consumed,
+    ownerId: row.owner_id,
     createdAt: new Date(row.created_at).toISOString(),
   };
 }

server/utils/session.ts

@@ -0,0 +1,10 @@
+import { createError, type H3Event } from "h3";
+
+/** The authenticated caller's Zitadel sub — the ownership key for all row scoping. */
+export function ownerOf(event: H3Event): string {
+  const sub = (event.context.user as { sub?: unknown } | undefined)?.sub;
+  if (typeof sub !== "string" || !sub) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+  }
+  return sub;
+}