fix(auth): register Better-Auth handler on api sub-app, not parent app

Hono's basePath() creates a sub-app that captures /api/* requests.
Route handlers on the parent app are not reachable for paths that
match the sub-app's middleware. Moving the handler to the api sub-app
(with path /auth/** instead of /api/auth/**) fixes the 404.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/index.ts

@@ -67,20 +67,17 @@ app.get("/api/branding", async (c) => {
 // Public iCal calendar feed — token auth in URL, no auth middleware required
 app.route("/api/calendar", calendarRouter);
 
-// Better-Auth handler — public, handles OAuth callbacks, session management
-// Mounted BEFORE auth middleware so it's accessible without authentication
-app.on(["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], "/api/auth/**", async (c) => {
-  console.log("[better-auth] handler called:", c.req.method, c.req.path, c.req.url);
-  const response = await auth.handler(c.req.raw);
-  console.log("[better-auth] response:", response.status);
-  return response;
-});
-
 // Protected API routes
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
 
+// Better-Auth handler — registered on api sub-app so it shares the middleware chain
+// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
+api.on(["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], "/auth/**", (c) => {
+  return auth.handler(c.req.raw);
+});
+
 // ── Role guards ────────────────────────────────────────────────────────────────
 // Manager-only: admin settings, reports, invoices, impersonation
 // Staff CRUD: all roles may READ; manager-only for CREATE/UPDATE/DELETE