feat(GRO-564): Better Auth Phase 2 security hardening

- Add logout button to admin layout header (signOut from better-auth)
- AUTH_DISABLED production guard already present in auth.ts middleware
- Remove automatic email-based staff-user linking (security fix)
- Add PATCH /api/staff/:id/link-user endpoint for manual linking by admins
- Add rate limiting to Better Auth (10 req/min, database storage)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/middleware/rbac.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, isNull, staff } from "@groombook/db";
+import { eq, getDb, staff } from "@groombook/db";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -90,25 +90,6 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
     .from(staff)
     .where(eq(staff.oidcSub, jwt.sub));
   if (!fallbackRow) {
-    // Auto-link: staff record exists with matching email but no userId — link it now
-    if (jwt.email) {
-      const [linkedStaff] = await db
-        .select()
-        .from(staff)
-        .where(and(eq(staff.email, jwt.email), isNull(staff.userId)));
-      if (linkedStaff) {
-        await db
-          .update(staff)
-          .set({ userId: jwt.sub })
-          .where(eq(staff.id, linkedStaff.id));
-        console.log(
-          `[rbac] Auto-linked staff ${linkedStaff.id} to Better-Auth user ${jwt.sub} via email ${jwt.email}`
-        );
-        c.set("staff", linkedStaff);
-        await next();
-        return;
-      }
-    }
     return c.json(
       { error: "Forbidden: no staff record found for authenticated user" },
       403