fix(api): enforce requireSuperUser on settings PATCH and fix dev-mode auth bypass (#206)

* fix(api): enforce requireSuperUser on settings PATCH and fix dev-mode auth bypass

- Add requireSuperUser() middleware to PATCH /api/admin/settings route
  to ensure only super users can modify business settings

- Fix dev-mode (AUTH_DISABLED=true) force-set of isSuperUser:true
  for all staff records in resolveStaffMiddleware. Now preserves
  actual database value with isSuperUser ?? false fallback.
  This prevents non-super-users (e.g., receptionists) from
  bypassing RBAC checks in dev mode.

- Fix test data: RECEPTIONIST and GROOMER now correctly have
  isSuperUser: false (was incorrectly inheriting true from MANAGER)

- Add 7 new tests for requireSuperUser middleware covering:
  - Super user access allowed
  - Non-super-user receptionist blocked with 403
  - Non-super-user groomer blocked with 403
  - Unresolved staff record returns 403
  - Receptionist cannot grant super user via PATCH
  - JSON error response format

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(api): remove dead code in rbac test

Remove unused `app` variable from 'returns 403 when staff record is
not resolved' test - the test uses `testApp` instead.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: groombook-engineer[bot] <3141748+groombook-engineer[bot]@users.noreply.github.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>

apps/api/src/routes/settings.ts

@@ -2,6 +2,7 @@ import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import { eq, getDb, businessSettings } from "@groombook/db";
+import { requireSuperUser } from "../middleware/rbac.js";
 
 export const settingsRouter = new Hono();
 
@@ -33,6 +34,7 @@ const updateSettingsSchema = z.object({
 // PATCH /api/admin/settings — update business settings
 settingsRouter.patch(
   "/",
+  requireSuperUser(),
   zValidator("json", updateSettingsSchema),
   async (c) => {
     const db = getDb();