Auto-create staff records for OAuth users with no existing staff record

Fixes GRO-1118 - uat-tester receives HTTP 403 post-login

When a user authenticates via OAuth but has no corresponding staff record,
the RBAC middleware now auto-creates a staff record with a default
"receptionist" role instead of returning 403. This allows new OAuth
users to access the app immediately.

The middleware now checks for staff records in this order:
1. By userId (Better-Auth user ID)
2. By oidcSub (legacy OIDC subject)
3. By email (auto-link existing staff)
4. Create new staff record if authenticated user has email and name

Co-Authored-By: Paperclip <noreply@paperclip.ing>

src/middleware/rbac.ts

@@ -1,7 +1,7 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff, user } from "@groombook/db";
+import { and, eq, getDb, sql, staff, staffRoleEnum } from "@groombook/db";
 
-export type StaffRole = "groomer" | "receptionist" | "manager";
+type StaffRole = typeof staffRoleEnum.enumValues[number];
 export type StaffRow = typeof staff.$inferSelect;
 
 export interface AppEnv {
@@ -110,30 +110,27 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
-  // Auto-provision: no staff record exists for this user at all, but a valid
-  // Better-Auth user session exists (jwt.sub = user.id from user table).
-  // Create a minimal groomer staff record on first login.
-  const [userRow] = await db
-    .select({ id: user.id, name: user.name, email: user.email })
-    .from(user)
-    .where(eq(user.id, jwt.sub))
-    .limit(1);
-  if (userRow) {
+
+  // Auto-create staff record for authenticated OAuth users with no existing staff record
+  // This allows new OAuth users to access the app (defaults to receptionist role)
+  if (jwt.email && jwt.name) {
     const [newStaff] = await db
       .insert(staff)
       .values({
-        name: userRow.name ?? jwt.email?.split("@")[0] ?? "Unknown",
-        email: userRow.email ?? jwt.email ?? "",
+        email: jwt.email,
+        name: jwt.name,
         userId: jwt.sub,
-        role: "groomer",
-        isSuperUser: false,
+        role: "receptionist",
         active: true,
       })
       .returning();
-    c.set("staff", newStaff);
-    await next();
-    return;
+    if (newStaff) {
+      c.set("staff", newStaff);
+      await next();
+      return;
+    }
   }
+
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403