c7b96eebc4
- App.tsx AdminLayout: fetch /api/staff/me on mount, filter NAV_LINKS so Settings only appears for role=manager or isSuperUser (fail-closed while loading). Guard /admin/settings route to redirect non-managers to /admin.
- Settings.tsx: replace parallel-fire useEffects with a single sequential flow — fetch /api/staff/me first, then only call /api/admin/settings for managers/super-users and /api/admin/auth-provider for super-users only. Groomers/receptionists never trigger the 403.
- UAT_PLAYBOOK.md §5.14: updated with role-gated test cases (TC-WEB-5.14.1–8) covering manager-sees-tab, groomer-no-tab, direct-URL redirect, zero-403, and shared-endpoint regression.

Co-Authored-By: Paperclip <noreply@paperclip.ing>