diff --git a/src/middleware/rbac.ts b/src/middleware/rbac.ts
index bace747..9c5a75e 100644
--- a/src/middleware/rbac.ts
+++ b/src/middleware/rbac.ts
@@ -22,7 +22,7 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
   c,
   next
 ) => {
-  // Better-Auth's own routes handle their own auth — skip staff resolution
+  // Better-Auth\'s own routes handle their own auth — skip staff resolution
   // OOBE setup routes also handle their own auth — staff record is created during setup
   if (c.req.path.startsWith("/api/auth/") || c.req.path.startsWith("/api/setup")) {
     await next();
@@ -120,22 +120,21 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       .where(
         and(
           eq(account.userId, jwt.sub),
-          sql`${account.providerId} IN ('authentik', 'google', 'github')`
+          sql`${account.providerId} IN (\'authentik\', \'google\', \'github\')`
         )
       )
       .limit(1);
 
     if (oidcAccount) {
       // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
-      const name =
-        jwt.name?.trim() ||
-        (jwt.email ? jwt.email.split("@")[0] : "Unknown");
+      const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
+      const name = jwt.name?.trim() || emailPrefix;
 
       const [newStaff] = await db
         .insert(staff)
         .values({
           userId: jwt.sub,
-          email: jwt.email ?? "",
+          email: jwt.email,
           name,
           role: "groomer",
           isSuperUser: false,
@@ -143,6 +142,10 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
         })
         .returning();
 
+      if (!newStaff) {
+        return c.json({ error: "Forbidden: auto-provision failed" }, 500);
+      }
+
       console.log(
         `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
       );
@@ -177,7 +180,7 @@ export function requireRole(
     if (!(allowedRoles as string[]).includes(staffRow.role)) {
       return c.json(
         {
-          error: `Forbidden: role '${staffRow.role}' is not permitted to access this resource`,
+          error: `Forbidden: role \'${staffRow.role}\' is not permitted to access this resource`,
         },
         403
       );
@@ -210,7 +213,7 @@ export function requireRoleOrSuperUser(
       {
         error: hasAllowedRole
           ? "Forbidden: super user privileges required"
-          : `Forbidden: role '${staffRow.role}' is not permitted`,
+          : `Forbidden: role \'${staffRow.role}\' is not permitted`,
       },
       403
     );