fix(device-agent): dedicated long-lived session per install (CS-280)

fix(device-agent): dedicated long-lived session per install (CS-280)

Author: Marfuen

apps/api/src/auth/hybrid-auth.guard.ts

@@ -218,6 +218,9 @@ export class HybridAuthGuard implements CanActivate {
       request.authType = 'session';
       request.isApiKey = false;
       request.isServiceToken = false;
+      request.sessionId = sessionData.id;
+      request.sessionDeviceAgent =
+        (sessionData as Record<string, unknown>).deviceAgent === true;
       // Resolve isPlatformAdmin from the User.role column (via better-auth session),
       // not from the member relation. This ensures the flag is set regardless of
       // org membership or skipOrgCheck.

apps/api/src/auth/types.ts

@@ -16,6 +16,8 @@ export interface AuthenticatedRequest extends Request {
   memberDepartment?: Departments; // Member department for visibility filtering (only available for session auth)
   apiKeyScopes?: string[]; // Scopes for API key auth (empty = legacy full access)
   impersonatedBy?: string; // User ID of the admin who initiated impersonation (only set during impersonation sessions)
+  sessionId?: string; // Session ID (only set for session auth)
+  sessionDeviceAgent?: boolean; // Whether the session is a device-agent session (only set for session auth)
 }
 
 export interface AuthContext {