West Coast Pest - Phase 2 API package for /pest

Purpose
- Fix auth/session payloads for company-aware API use
- Fix clock-in and clock-out to use company_id safely
- Add work session event logging for CLOCK_IN and CLOCK_OUT
- Keep shared DB compatible with current live testing

Files in this package
- pest/api/helpers.php
- pest/api/attendance-shared.php
- pest/api/login.php
- pest/api/clock-in.php
- pest/api/clock-out.php
- pest/api/logout.php

Deploy target
- /public_html/pest/api/

Overwrite instructions
1) Make sure your /pest copy of the app already exists.
2) Upload this ZIP.
3) Extract it.
4) Copy the files from pest/api/ into /public_html/pest/api/ and overwrite existing files.
5) Do not copy these files into the current live root yet. This package is for /pest testing first.

What changed
1) helpers.php
- requireAuth now returns api_session_id, company_id, staff_code, full_name and role info
- token auth now validates active user and company assignment
- added helper functions for open session and lunch state

2) login.php
- writes company_id into api_sessions when the column exists
- returns company-aware user object
- login still works with email, and also accepts staff_code or employee_code in the same field

3) clock-in.php
- company-scoped open session check
- company-scoped primary worksite lookup
- writes company_id into work_sessions
- logs CLOCK_IN event into work_session_events
- outside-radius remains allowed unless strict_geofence = 1 on the worksite

4) clock-out.php
- company-scoped open session lookup
- company-scoped close update
- logs CLOCK_OUT event into work_session_events
- outside-radius remains allowed unless strict_geofence = 1 on the worksite

5) logout.php
- compatible with the new requireAuth payload

Test order in /pest
1) Login on /pest/attendance/
2) Confirm you stay logged in after reload
3) Clock in on-site
4) Clock out on-site
5) Clock in outside radius and confirm you get allowed + flagged behavior when strict geofence is off
6) Confirm work_sessions row has company_id filled
7) Confirm work_session_events gets CLOCK_IN and CLOCK_OUT rows
8) Confirm old live test area still works because DB changes were additive only

Notes
- This package intentionally does not touch backoffice yet.
- The next package should handle my-worksite, attendance-history, location-ping, and then backoffice auth/dashboard.
