feat: lunch.upsertPick with role-aware guard + cutoff

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/server/routers/lunch.ts

@@ -225,6 +225,122 @@ export const lunchRouter = router({
       return { ok: true as const }
     }),
 
+  // ─── Mixed-permission picker ─────────────────────────────────────────────
+
+  /**
+   * Upsert a MemberLunchPick. Permission:
+   *  - admin (SUPER_ADMIN / PROGRAM_ADMIN): always allowed, no deadline cap
+   *  - team lead of the parent project: allowed before deadline
+   *  - the AttendingMember.userId themselves: allowed before deadline
+   *  - everyone else: FORBIDDEN
+   * Audit-logged with the actor role (SELF / TEAM_LEAD / ADMIN).
+   */
+  upsertPick: protectedProcedure
+    .input(
+      z.object({
+        attendingMemberId: z.string(),
+        dishId: z.string().nullable(),
+        allergens,
+        allergenOther: z.string().max(500).nullable(),
+      }),
+    )
+    .mutation(async ({ ctx, input }) => {
+      const am = await ctx.prisma.attendingMember.findUnique({
+        where: { id: input.attendingMemberId },
+        include: {
+          confirmation: {
+            select: {
+              project: {
+                select: {
+                  id: true,
+                  programId: true,
+                  teamMembers: { select: { userId: true, role: true } },
+                },
+              },
+            },
+          },
+          lunchPick: true,
+        },
+      })
+      if (!am) {
+        throw new TRPCError({
+          code: 'NOT_FOUND',
+          message: 'Attending member not found',
+        })
+      }
+
+      const userId = ctx.user.id
+      const userRole = ctx.user.role
+      const isAdmin =
+        userRole === 'SUPER_ADMIN' || userRole === 'PROGRAM_ADMIN'
+      const isSelf = am.userId === userId
+      const isLead = am.confirmation.project.teamMembers.some(
+        (tm) => tm.userId === userId && tm.role === 'LEAD',
+      )
+      if (!isAdmin && !isSelf && !isLead) {
+        throw new TRPCError({
+          code: 'FORBIDDEN',
+          message: 'Not allowed to edit this pick',
+        })
+      }
+
+      // Cutoff check (admins skip)
+      if (!isAdmin) {
+        const event = await ctx.prisma.lunchEvent.findUnique({
+          where: { programId: am.confirmation.project.programId },
+          select: { eventAt: true, changeCutoffHours: true },
+        })
+        if (event?.eventAt) {
+          const deadline = new Date(
+            event.eventAt.getTime() - event.changeCutoffHours * 3_600_000,
+          )
+          if (new Date() > deadline) {
+            throw new TRPCError({
+              code: 'PRECONDITION_FAILED',
+              message: 'Past lunch change deadline. Contact an admin.',
+            })
+          }
+        }
+      }
+
+      const actorRole: 'SELF' | 'TEAM_LEAD' | 'ADMIN' = isAdmin
+        ? 'ADMIN'
+        : isLead && !isSelf
+          ? 'TEAM_LEAD'
+          : 'SELF'
+
+      const pick = await ctx.prisma.memberLunchPick.upsert({
+        where: { attendingMemberId: input.attendingMemberId },
+        create: {
+          attendingMemberId: input.attendingMemberId,
+          dishId: input.dishId,
+          allergens: input.allergens,
+          allergenOther: input.allergenOther,
+          pickedAt: input.dishId ? new Date() : null,
+        },
+        update: {
+          dishId: input.dishId,
+          allergens: input.allergens,
+          allergenOther: input.allergenOther,
+          pickedAt: input.dishId ? new Date() : null,
+        },
+      })
+
+      await logAudit({
+        prisma: ctx.prisma,
+        userId,
+        action: 'LUNCH_PICK_UPDATED',
+        entityType: 'MemberLunchPick',
+        entityId: pick.id,
+        detailsJson: {
+          actorRole,
+          dishId: input.dishId,
+          allergenCount: input.allergens.length,
+        },
+      })
+      return pick
+    }),
+
   /** Patch any subset of LunchEvent config fields. Audit-logged. */
   updateEvent: adminProcedure
     .input(