fix(api): add UAT Tester staff creation in seed script

Adds dedicated SEED_UAT_TESTER_OIDC_SUB handling to create the
uat-tester staff record with proper oidcSub mapping to Authentik user PK 237.

Fixes GRO-1151

apps/api/src/db/seed.ts

@@ -459,6 +459,32 @@ async function seedKnownUsers() {
     }
   }
 
+  // ── Staff: UAT Tester (oidcSub from SEED_UAT_TESTER_OIDC_SUB env var) ──
+  const uatTesterOidcSub = process.env.SEED_UAT_TESTER_OIDC_SUB;
+  if (uatTesterOidcSub) {
+    const UAT_TESTER_STAFF_ID = "00000000-0000-0000-0000-000000000007";
+    const [existingUatTester] = await db
+      .select()
+      .from(schema.staff)
+      .where(eq(schema.staff.email, "uat-tester@groombook.dev"))
+      .limit(1);
+
+    if (existingUatTester) {
+      console.log(`✓ Staff 'UAT Tester' already exists — skipping`);
+    } else {
+      await db.insert(schema.staff).values({
+        id: UAT_TESTER_STAFF_ID,
+        name: "UAT Tester",
+        email: "uat-tester@groombook.dev",
+        oidcSub: uatTesterOidcSub,
+        role: "groomer",
+        isSuperUser: false,
+        active: true,
+      });
+      console.log(`✓ Created staff 'UAT Tester' (oidcSub: ${uatTesterOidcSub})`);
+    }
+  }
+
   // ── Staff: UAT Groomer Personas (SEED_UAT_GROOMER_EMAILS + SEED_UAT_GROOMER_NAMES) ──
   const groomerEmails = process.env.SEED_UAT_GROOMER_EMAILS?.split(",").map((e) => e.trim()).filter(Boolean) ?? [];
   const groomerNames = process.env.SEED_UAT_GROOMER_NAMES?.split(",").map((n) => n.trim()).filter(Boolean) ?? [];

apps/api/src/middleware/rbac.ts

@@ -1,7 +1,7 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff, staffRoleEnum } from "../db";
+import { and, eq, getDb, sql, staff } from "../db";
 
-type StaffRole = typeof staffRoleEnum.enumValues[number];
+export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
 
 export interface AppEnv {
@@ -110,27 +110,6 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
-
-  // Auto-create staff record for authenticated OAuth users with no existing staff record
-  // This allows new OAuth users to access the app (defaults to receptionist role)
-  if (jwt.email && jwt.name) {
-    const [newStaff] = await db
-      .insert(staff)
-      .values({
-        email: jwt.email,
-        name: jwt.name,
-        userId: jwt.sub,
-        role: "receptionist",
-        active: true,
-      })
-      .returning();
-    if (newStaff) {
-      c.set("staff", newStaff);
-      await next();
-      return;
-    }
-  }
-
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403