Add OTP login flow and multi-cafe role switching

Introduce an OTP input box on login/register, surface user roles and a
cafe chooser, add a dashboard switch button in the POS screen, and
register OTP validators explicitly to survive Docker layer caching.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/Meezi.API/Controllers/AuthController.cs

@@ -6,6 +6,7 @@ using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
 using Meezi.API.Models.Auth;
 using Meezi.API.Services;
+using Meezi.API.Services;
 using Meezi.Core.Constants;
 using Meezi.Shared;
 
@@ -62,7 +63,28 @@ public class AuthController : ControllerBase
         if (!validation.IsValid)
             return BadRequest(ValidationError(validation));
 
-        var (success, data, code, message) = await _authService.VerifyOtpAsync(request, cancellationToken);
+        var (success, data, code, message, choices) = await _authService.VerifyOtpAsync(request, cancellationToken);
+
+        if (!success && code == "CHOOSE_CAFE")
+            return Ok(new ApiResponse<CafeChoicesResponse>(false, choices, new ApiError("CHOOSE_CAFE", "Please select a café to continue.")));
+
+        if (!success)
+            return ErrorResult(code!, message!);
+
+        return Ok(new ApiResponse<AuthTokenResponse>(true, data));
+    }
+
+    [HttpPost("switch-cafe")]
+    [Authorize]
+    [ProducesResponseType(typeof(ApiResponse<AuthTokenResponse>), StatusCodes.Status200OK)]
+    public async Task<IActionResult> SwitchCafe([FromBody] SwitchCafeRequest request, CancellationToken cancellationToken)
+    {
+        var userId = User.FindFirstValue(JwtRegisteredClaimNames.Sub)
+            ?? User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrEmpty(userId))
+            return Unauthorized();
+
+        var (success, data, code, message) = await _authService.SwitchCafeAsync(userId, request.CafeId, cancellationToken);
         if (!success)
             return ErrorResult(code!, message!);