fix(auth): BizGaze-only login + admin sees all sessions

When BIZGAZE_LOGIN_URL is configured, verify credentials ONLY against BizGaze
(no local-password fallback) so stale in-app accounts can't shadow a BizGaze
login. Everyone is then provisioned into the same tenant, restoring the admin's
team-scoped "see all sessions" report.

- login: BizGaze-only when the IdP is configured; local path kept for dev/tests
- provisionFromBizgaze: keep role in sync with BizGaze (isAdmin) on every login;
  optional ADMIN_EMAILS allowlist as a lockout safety net
- block POST /api/users (add local agent) when BizGaze is the IdP — this is what
  previously split tenants
- scripts/migrate-bizgaze-only.js: one-time, dry-run-by-default cleanup that
  deletes pre-BizGaze local accounts (no sso_user_created audit entry)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/routes.js

@@ -42,44 +42,49 @@ route('POST', '/api/mfa/enable', async (req, res) => {
 // Provision (or refresh) a local user from a successful BizGaze identity check.
 // The local row exists so sessions, audit, and team-scoped data work; BizGaze stays
 // the source of truth for credentials (the local password is random + unused).
+// Emails that must always be admins regardless of what BizGaze returns (safety net so an
+// admin can't be locked out of the report if BizGaze doesn't flag them isAdmin). Optional.
+const ADMIN_EMAILS = (process.env.ADMIN_EMAILS || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
 function provisionFromBizgaze(email, bz) {
+  const role = (bz.isAdmin || ADMIN_EMAILS.includes(String(email).toLowerCase())) ? 'admin' : 'technician';
   const existing = R.users.byEmail(email);
   if (!existing) {
     const team = R.teams.first() || R.teams.create('BizGaze');
     const { hash, salt } = A.hashPassword(A.token());
-    const role = bz.isAdmin ? 'admin' : 'technician';
     const id = R.users.create({ tenantId: team.id, email, hash, salt, role, name: bz.name || null, mfaSecret: A.newMfaSecret() });
     audit({ team_id: team.id, user_id: id, user_email: email, action: 'sso_user_created', detail: 'via BizGaze' });
     return R.users.byId(id);
   }
+  // BizGaze is the source of truth: keep name + role in sync on each login.
   if (bz.name && bz.name !== existing.name) R.users.setName(existing.id, bz.name);
+  if (existing.role !== role) R.users.setRole(existing.id, role);
   return R.users.byId(existing.id);
 }
 
-// Login: validates locally first (seeded/bootstrap accounts), then against BizGaze
-// (the identity provider) when BIZGAZE_LOGIN_URL is configured. Sets a session cookie.
+// Login: when BizGaze (BIZGAZE_LOGIN_URL) is configured it is the ONLY authority — the
+// credentials are verified against BizGaze and the user is provisioned/synced locally
+// (local passwords are not accepted). Without it (dev/tests) the local password is
+// checked. Sets a session cookie.
 route('POST', '/api/login', async (req, res) => {
   const { email, password, remember } = await readBody(req);
   if (!email || !password) return json(res, 400, { error: 'email and password required' });
   const existing = R.users.byEmail(email);
   if (existing && existing.active === 0) return json(res, 403, { error: 'This account has been deactivated' });
 
-  let u = (existing && A.verifyPassword(password, existing.pw_salt, existing.pw_hash)) ? existing : null;
-  let bzMsg = null;
-  if (!u) {
+  let u = null;
+  if (BZ.isEnabled()) {
+    // BizGaze is the identity provider: credentials are ALWAYS verified against BizGaze.
+    // Local passwords are NOT accepted, so stale in-app accounts can't shadow a BizGaze
+    // login and everyone provisions into the same tenant (admins then see all sessions).
     const bz = await BZ.validateLogin(email, password);
-    if (bz.ok) u = provisionFromBizgaze(email, bz);
-    else if (bz.error) return json(res, 503, { error: bz.error });
-    else bzMsg = bz.message || null; // BizGaze was configured and rejected the credentials
-  }
-  if (!u) {
-    // Specific feedback where we can be truthful:
-    if (existing) return json(res, 401, { error: 'Incorrect password. Please try again.' });
-    // No local account. BizGaze (the identity provider) doesn't reveal whether an email
-    // exists, so when it rejects we surface its own message (covers wrong password +
-    // any lockout warning). Only when BizGaze isn't in play can we say "not registered".
-    if (bzMsg) return json(res, 401, { error: bzMsg });
-    return json(res, 404, { error: 'This email is not registered.' });
+    if (bz.error) return json(res, 503, { error: bz.error });
+    if (!bz.ok) return json(res, 401, { error: bz.message || 'Username or password do not match.' });
+    u = provisionFromBizgaze(email, bz);
+    if (u && u.active === 0) return json(res, 403, { error: 'This account has been deactivated' });
+  } else {
+    // No identity provider configured (local/dev/tests): verify the local password.
+    u = (existing && A.verifyPassword(password, existing.pw_salt, existing.pw_hash)) ? existing : null;
+    if (!u) return json(res, existing ? 401 : 404, { error: existing ? 'Incorrect password. Please try again.' : 'This email is not registered.' });
   }
 
   const tok = A.token();
@@ -177,6 +182,9 @@ route('POST', '/api/users', async (req, res) => {
   const u = currentUser(req);
   if (!u) return json(res, 401, { error: 'unauthorized' });
   if (u.role !== 'admin') return json(res, 403, { error: 'only admins can add agents' });
+  // With BizGaze as the identity provider, logins are created in BizGaze — not here.
+  // (Creating local accounts is what previously shadowed BizGaze and split tenants.)
+  if (BZ.isEnabled()) return json(res, 400, { error: 'Logins are managed in BizGaze. Add the user in BizGaze; they appear here on first sign-in.' });
   const { email, password, name, role } = await readBody(req);
   if (!email || !password) return json(res, 400, { error: 'email and temporary password required' });
   if (R.users.emailExists(email))