import { createError, type H3Event } from "h3";

/** The authenticated caller's Zitadel sub — the ownership key for all row scoping. */
export function ownerOf(event: H3Event): string {
  const sub = (event.context.user as { sub?: unknown } | undefined)?.sub;
  if (typeof sub !== "string" || !sub) {
    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
  }
  return sub;
}