fix(auth): dev login resolve staff by id, not userId

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/__tests__/rbac.test.ts

@@ -168,7 +168,7 @@ describe("resolveStaffMiddleware", () => {
     });
 
     const res = await app.request("/test", {
-      headers: { "X-Dev-User-Id": GROOMER.userId! },
+      headers: { "X-Dev-User-Id": GROOMER.id },
     });
     expect(res.status).toBe(200);
     expect(capturedStaff!.role).toBe("groomer");

apps/api/src/middleware/rbac.ts

@@ -40,11 +40,11 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       await next();
       return;
     }
-    // Treat X-Dev-User-Id as the Better-Auth user ID
+    // Treat X-Dev-User-Id as the staff database id (the frontend stores staff.id)
     const [row] = await db
       .select()
       .from(staff)
-      .where(eq(staff.userId, devUserId));
+      .where(eq(staff.id, devUserId));
     if (!row) {
       return c.json(
         { error: "Forbidden: no staff record found for X-Dev-User-Id" },