30b49e82e8
CRITICAL: Previously the entire setupRouter was mounted on the public `app` (pre-auth), meaning POST /api/setup had no authentication and any anonymous user could claim super user.

Now:
- GET /api/setup/status remains public (needed for OOBE redirect check)
- POST /api/setup is mounted on the authenticated /api basePath, requiring authMiddleware + resolveStaffMiddleware to run first

Co-Authored-By: Paperclip <noreply@paperclip.ing>