91af671c4e
Fixes GRO-1118 - uat-tester receives HTTP 403 post-login

When a user authenticates via OAuth but has no corresponding staff record, the RBAC middleware now auto-creates a staff record with a default "receptionist" role instead of returning 403. This allows new OAuth users to access the app immediately.

The middleware now checks for staff records in this order:
1. By userId (Better-Auth user ID)
2. By oidcSub (legacy OIDC subject)
3. By email (auto-link existing staff)
4. Create new staff record if authenticated user has email and name

Co-Authored-By: Paperclip <noreply@paperclip.ing>
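
The lookup order in the commit message above, sketched as an added example over an in-memory store; this is not the project's middleware code. `makeStaffStore`, `resolveStaff`, the `via` field and the `emailVerified` guard in step 3 are assumptions introduced here.

```javascript
// Added example, not the project's code. Field names userId, oidcSub, email and
// role come from the commit message; all other names are hypothetical.
const DEFAULT_ROLE = "receptionist";

// In-memory stand-in for the staff table.
function makeStaffStore(rows) {
  let nextId = rows.length + 1;
  return {
    rows,
    find: (pred) => rows.find(pred) || null,
    insert(rec) {
      const row = { id: nextId++, ...rec };
      rows.push(row);
      return row;
    },
  };
}

// Returns { staff, via } or null, in which case the caller answers 403.
function resolveStaff(store, user) {
  if (!user || !user.id) return null;
  // 1. Better-Auth user ID.
  let staff = store.find((s) => s.userId === user.id);
  if (staff) return { staff, via: "userId" };

  // 2. Legacy OIDC subject.
  if (user.oidcSub) {
    staff = store.find((s) => s.oidcSub === user.oidcSub);
    if (staff) return { staff, via: "oidcSub" };
  }

  // 3. Auto-link an existing staff record by email.
  const email = (user.email || "").trim().toLowerCase();
  if (email) {
    staff = store.find((s) => (s.email || "").toLowerCase() === email);
    if (staff) {
      // Assumption, not in the commit: link only on an IdP-verified email and
      // never to a record already bound to a different user.
      if (!user.emailVerified || staff.userId) return null;
      staff.userId = user.id;
      return { staff, via: "email" };
    }
  }

  // 4. Auto-create with the default role when email and name are present.
  if (!email || !user.name) return null;
  staff = store.insert({ userId: user.id, email, name: user.name, role: DEFAULT_ROLE });
  return { staff, via: "created" };
}
```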