diff --git a/src/middleware/rbac.ts b/src/middleware/rbac.ts
index 1277b2c..222442e 100644
--- a/src/middleware/rbac.ts
+++ b/src/middleware/rbac.ts
@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "@groombook/db";
+import { and, eq, getDb, sql, staff, user } from "@groombook/db";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -110,6 +110,30 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
+  // Auto-provision: no staff record exists for this user at all, but a valid
+  // Better-Auth user session exists (jwt.sub = user.id from user table).
+  // Create a minimal groomer staff record on first login.
+  const [userRow] = await db
+    .select({ id: user.id, name: user.name, email: user.email })
+    .from(user)
+    .where(eq(user.id, jwt.sub))
+    .limit(1);
+  if (userRow) {
+    const [newStaff] = await db
+      .insert(staff)
+      .values({
+        name: userRow.name ?? jwt.email?.split("@")[0] ?? "Unknown",
+        email: userRow.email ?? jwt.email ?? "",
+        userId: jwt.sub,
+        role: "groomer",
+        isSuperUser: false,
+        active: true,
+      })
+      .returning();
+    c.set("staff", newStaff);
+    await next();
+    return;
+  }
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403