# BUG-196: Admin Page Redirect Issue

## Problem

Admin page redirects to /chat for users with admin role because role check fails.

## Root Cause

The `role` field is defined as an `additionalField` in better-auth's user configuration, but
better-auth v1.5.5 does not automatically include additionalFields in the session response from
the `getSession()` API. This causes the admin role check to fail:

- Frontend: `AdminRoleGuard` checks `user?.role !== 'admin'`
- Backend: `AdminGuard` checks `user.role !== 'admin'`
- When `role` is `undefined`, both checks treat the user as non-admin and deny access

## Solution

Implemented a defensive check in the backend `AdminGuard` that:

1. First tries to use the `role` field from the session (if better-auth includes it)
2. Falls back to fetching the role directly from the database if it's missing
3. Defaults to 'member' if the user has no role set

This ensures that admin users can always access the admin panel, and also protects against
the case where better-auth doesn't include the additionalField in future versions.

## Files Changed

1. `/apps/gateway/src/admin/admin.guard.ts` - Added fallback role lookup
2. `/packages/auth/src/auth.ts` - No changes needed (better-auth config is correct)

## Verification

- All three quality gates pass: `typecheck`, `lint`, `format:check`
- Backend admin guard now explicitly handles missing role field
- Frontend admin guard remains unchanged (will work once role is available)