From 0e167386249a8d580fee870573cb695364087324 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 11 Jun 2026 08:26:23 +0000
Subject: [PATCH] feat: ownerOf(event) helper and ownerId in task DTO
Co-Authored-By: Claude Fable 5
---
 server/utils/dto.ts | 2 ++
 server/utils/session.ts | 10 ++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 server/utils/session.ts
diff --git a/server/utils/dto.ts b/server/utils/dto.ts
index 035333a..2fa93ec 100644
--- a/server/utils/dto.ts
+++ b/server/utils/dto.ts
@@ -7,6 +7,7 @@ export interface TaskDto {
 description: string | null;
 source: string;
 consumed: boolean;
+ ownerId: string | null;
 createdAt: string;
 }

@@ -18,6 +19,7 @@ export function toTaskDto(row: TaskRow): TaskDto {
 description: row.description,
 source: row.source,
 consumed: row.consumed,
+ ownerId: row.owner_id,
 createdAt: new Date(row.created_at).toISOString(),
 };
 }
diff --git a/server/utils/session.ts b/server/utils/session.ts
new file mode 100644
index 0000000..d4a7da6
--- /dev/null
+++ b/server/utils/session.ts
@@ -0,0 +1,10 @@
+import { createError, type H3Event } from "h3";
+
+/** The authenticated caller's Zitadel sub — the ownership key for all row scoping. */
+export function ownerOf(event: H3Event): string {
+ const sub = (event.context.user as { sub?: unknown } | undefined)?.sub;
+ if (typeof sub !== "string" || !sub) {
+ throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+ }
+ return sub;
+}
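Review bot: The new `ownerId: string | null` field puts the ownership key into every serialized task without saying what `null` means or who is meant to see it; the same applies to the `ownerId: row.owner_id` mapping in the second hunk. The value is presumably the identity provider's subject (session.ts in this patch calls it the ownership key), so any endpoint that returns tasks outside the caller's own scope would disclose other users' subject identifiers. Confirm that every caller of toTaskDto is already owner-scoped, or drop the field for non-owners. Once the meaning of `null` is confirmed, a field comment such as `/** Owner's subject id, null when the row has no owner; informational only, authorization is decided server-side. */` would record the contract. The interface and the function both start above their hunks.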
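Review bot: ownerOf() returns whatever string sits in `event.context.user.sub`, and its doc comment says nothing about who may populate that object or that the function throws. Every row scope will hang off this value, so the precondition belongs next to it, for example `/** Requires the auth middleware to have verified the token before setting event.context.user. @throws 401 when no subject is present. */`. The check itself proves only that a non-empty string exists, not that it came from a validated token, so it is worth confirming that nothing except the token-verifying middleware writes `context.user`. A subject is unique only within one issuer; if a second issuer is ever trusted, the ownership key would need to include the issuer as well.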