fix(auth): dev login 403 — resolve staff by id, not oidcSub (GRO-150)

Merges fix for critical crash affecting all users on login.

Root cause: RBAC middleware looked up staff by oidcSub but DevLoginSelector sends staff.id, causing 403 on all data endpoints and blank screen after login.

Fix: eq(staff.oidcSub, devUserId) → eq(staff.id, devUserId) in rbac.ts:48

Resolves GRO-150. UAT to follow in GRO-152.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #138.
Authored by groombook-ceo[bot] on 2026-03-28 01:48:16 +00:00, committed by GitHub.
2 changed files with 3 additions and 3 deletions
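The commit message describes a contract mismatch: the middleware compared the `X-Dev-User-Id` header against `staff.oidcSub` while the frontend sends `staff.id`, so every dev login resolved to no row and a 403. The following is an added example, not the project's code, that models that resolution path in plain TypeScript (no Hono, no database): an in-memory staff table stands in for the `staff` table, the header is matched against the `id` column as the fix does, and two things the diff does not show are added as assumptions, namely an environment gate so the header is ignored outside development and a format check on the header value before it is used in a lookup. The `stf_NNN` id format, the `"development"` environment name and all function names are assumptions for the example.

```typescript
// Added example modelling the dev-login lookup described in the commit message.
// Not the project's code; the table, id format and env gate are assumptions.

type Staff = { id: string; oidcSub: string | null; role: string };

// Constructed sample rows standing in for the `staff` table.
const STAFF_TABLE: Staff[] = [
  { id: "stf_001", oidcSub: "auth0|abc123", role: "groomer" },
  { id: "stf_002", oidcSub: null, role: "admin" },
];

type Resolution =
  | { kind: "ok"; staff: Staff }            // header present and matched a row
  | { kind: "skip" }                        // header absent or not in dev: fall through to real auth
  | { kind: "forbidden"; error: string };   // header present in dev but unusable

// Assumed id format for the sample table; a real schema would use its own shape
// (or a numeric parse if `staff.id` is an integer column).
const STAFF_ID_PATTERN = /^stf_[0-9]{3}$/;

function resolveDevStaff(
  headers: Record<string, string | undefined>,
  env: string,
  table: Staff[] = STAFF_TABLE,
): Resolution {
  const devUserId = headers["x-dev-user-id"];

  // The header is a direct impersonation path, so it is only honoured in
  // development (assumed env name). Anywhere else it is ignored entirely.
  if (env !== "development" || devUserId === undefined) {
    return { kind: "skip" };
  }

  // Validate the raw header before it reaches any query.
  if (!STAFF_ID_PATTERN.test(devUserId)) {
    return { kind: "forbidden", error: "Forbidden: malformed X-Dev-User-Id" };
  }

  // The fix: match on staff.id, which is what the frontend sends, not oidcSub.
  const row = table.find((s) => s.id === devUserId);
  if (!row) {
    return {
      kind: "forbidden",
      error: "Forbidden: no staff record found for X-Dev-User-Id",
    };
  }
  return { kind: "ok", staff: row };
}

// Stand-alone demo: the second call reproduces the regression the commit fixes,
// a client sending an oidcSub value where a staff id is expected.
function demo(): void {
  console.log(resolveDevStaff({ "x-dev-user-id": "stf_001" }, "development"));
  console.log(resolveDevStaff({ "x-dev-user-id": "auth0|abc123" }, "development"));
  console.log(resolveDevStaff({ "x-dev-user-id": "stf_001" }, "production"));
}
demo();
```

Sending the oidcSub value `auth0|abc123` fails the format check and is refused, which is the 403 the message describes; the same header in `production` is skipped so the request falls through to ordinary authentication.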
+1 -1
@@ -165,7 +165,7 @@ describe("resolveStaffMiddleware", () => {
});
const res = await app.request("/test", {
headers: { "X-Dev-User-Id": GROOMER.oidcSub! },
headers: { "X-Dev-User-Id": GROOMER.id },
});
expect(res.status).toBe(200);
expect(capturedStaff!.role).toBe("groomer");
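Review bot: the updated test only covers the happy path (staff id in `X-Dev-User-Id` gives 200 and role `groomer`); add a companion case in the same `describe("resolveStaffMiddleware")` block that sends `GROOMER.oidcSub!` and expects 403, so the header contract this commit fixes (the frontend sends `staff.id`, not `oidcSub`) is pinned by a failing test if the lookup column is ever changed back.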
+2 -2
@@ -41,11 +41,11 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
await next();
return;
}
// Treat X-Dev-User-Id as the oidcSub
// Treat X-Dev-User-Id as the staff database id (the frontend stores staff.id)
const [row] = await db
.select()
.from(staff)
.where(eq(staff.oidcSub, devUserId));
.where(eq(staff.id, devUserId));
if (!row) {
return c.json(
{ error: "Forbidden: no staff record found for X-Dev-User-Id" },
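Review bot: nothing visible constrains `devUserId` before it reaches `eq(staff.id, devUserId)`; it is a raw header value, so if `staff.id` is not a text column it needs to be parsed and validated first, and a malformed value should get the same 403 as an unknown one rather than surfacing as a query error. The new comment also now documents that `X-Dev-User-Id` is trusted as a staff primary key, which makes the header a direct impersonation path; the guard that keeps it from being honoured outside development sits above the shown context (the `await next(); return;` branch), so please confirm it covers this code path and state that condition in the comment alongside the id note.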