Staff Management API (CRUD)

[inteee]

Context: The Clinic Admin needs to add Doctors and Nurses to their system.
Location: apps/api/src/modules/users
Requirements:

1. POST /users (Create staff): Generates a random temporary password if none provided.
2. GET /users: List all staff strictly scoped to the req.user.clinicId.
3. PATCH /users/:id/status: Deactivate a user (soft delete, isActive: false).
   Acceptance Criteria:

• A Clinic Admin cannot query or modify users belonging to a different clinicId.
• Deactivated users are instantly rejected by the Auth login middleware.