diff --git a/src/middleware/rbac.ts b/src/middleware/rbac.ts
index 9c5a75e..de1fdec 100644
--- a/src/middleware/rbac.ts
+++ b/src/middleware/rbac.ts
@@ -127,20 +127,20 @@ export const resolveStaffMiddleware: MiddlewareHandler = async (
 if (oidcAccount) {
 // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
- const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
+ const emailPrefix = jwt.email ? jwt.email.split("@")[0] : "Unknown";
 const name = jwt.name?.trim() || emailPrefix;
 const [newStaff] = await db
 .insert(staff)
 .values({
 userId: jwt.sub,
- email: jwt.email,
+ email: (jwt.email ?? "") as string,
 name,
 role: "groomer",
 isSuperUser: false,
 active: true,
- })
- .returning();
+ } as Parameters[0] extends { values: infer V } ? V : never)
+ .returning()!;
 if (!newStaff) {
 return c.json({ error: "Forbidden: auto-provision failed" }, 500);
diff --git a/src/routes/portal.ts b/src/routes/portal.ts
index 05b09ed..7b7b160 100644
--- a/src/routes/portal.ts
+++ b/src/routes/portal.ts
@@ -36,7 +36,7 @@ portalRouter.post(
 return c.json({ error: "Client not found" }, 404);
 }
- const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+ const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";
 let staffId = DEMO_STAFF_ID;
 const [demoStaff] = await db
@@ -102,7 +102,7 @@ portalRouter.post("/session-from-auth", async (c) => {
 return c.json({ error: "No client record found for this user" }, 404);
 }
- const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+ const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";
 let staffId = DEMO_STAFF_ID;
 const [demoStaff] = await db
@@ -133,6 +133,10 @@ portalRouter.post("/session-from-auth", async (c) => {
 })
 .returning();
+ if (!portalSession) {
+ return c.json({ error: "Failed to create session" }, 500);
+ }
+
 return c.json(
 {
 sessionId: portalSession.id,
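Review bot: A token with no email claim now auto-provisions a staff row instead of failing: `email: (jwt.email ?? "") as string` stores an empty address and the name falls back to "Unknown", so the created account cannot be tied back to an identity. On an auto-provision path it is safer to fail closed before the insert, e.g. `if (!jwt.email) return c.json({ error: "Forbidden: token has no email claim" }, 403);`, after which the `as string` cast is unnecessary. The `as Parameters[0] extends … ? V : never` cast on the values object and the `!` after `.returning()` both silence the type checker rather than fix the types (as shown, `Parameters` has no type argument, possibly lost in rendering), so a schema mismatch on a row that assigns a role would no longer be caught at compile time. The enclosing middleware starts and ends outside this hunk.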
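Review bot: `process.env.DEMO_STAFF_ID ?? "…"` only falls back when the variable is unset, so an empty or malformed value flows straight into `staffId`; the same line is added again in the `/session-from-auth` handler (hunk at -102). Defining it once at module scope with a checked value, e.g. `const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID?.trim() || "00000000-0000-0000-0000-000000000001";`, keeps the two handlers in agreement. A short comment should also say what the demo staff id is used for and whether the hard-coded fallback is acceptable outside a demo deployment. Both handlers continue outside their hunks, so how `staffId` is used after the lookup is not visible here.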
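Review bot: The new `!portalSession` guard returns a 500 without recording anything server-side, so a failed insert leaves no trace to investigate; a line such as `console.error("portal session insert returned no row");` (or the project's logger) before the return would help. The first `portalRouter.post(` handler touched earlier in this file presumably creates a session the same way, and its insert is not visible in this diff, so it is worth checking that it has the same guard. The handler starts and ends outside this hunk.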