Tech Story: Restrict local Station login to station_super_admin accounts only #275

@GitAddRemote

Description

User Story

As a Station platform owner, I need local username/password login restricted to station_super_admin accounts only so customer-facing users must authenticate through Discord OAuth2 while platform support retains a break-glass path if Discord authentication is unavailable.

Definition of Done

  • Station local login rejects any non-station_super_admin user even when AUTH_LOCAL_LOGIN_ENABLED=true
  • Station local registration is disabled for normal customer users in the production auth model for this epic
  • Discord OAuth2 remains the primary interactive login path for all non-super-admin users, including guild_owner and guild_admin
  • The same Station user record can still be linked to Discord without forcing duplicate-user creation when email/account matching is valid
  • Password-reset and password-change flows do not accidentally reopen normal local-login access for non-super-admin users
  • Auth responses for blocked local-login attempts are explicit and safe, without leaking unnecessary account details
  • Tests cover allowed super-admin local login, blocked non-super-admin local login, blocked local registration, Discord-linked account behavior, and password-reset edge cases
  • pnpm typecheck passes

Acceptance Criteria

  • A station_super_admin can log in locally when local auth is enabled for break-glass use
  • A non-super-admin user with a valid local password cannot log in through the local login endpoint
  • A Discord-authenticated non-super-admin user is still able to access Station normally through Discord OAuth2 using the same underlying Station account when linked by email/Discord identity
  • Password reset for a non-super-admin user does not create a supported alternate local-login path
  • Station does not require a user to create a second Station account in order to move from local-first to Discord-linked authentication

Technical Elaboration

Current Station behavior already supports mixed account data on a single user row via email, password, and nullable discordId, and Discord callback handling already links an existing local account by email when discordId is null. However, current local auth remains generally available when enabled, which conflicts with the desired policy for this epic.

This ticket should harden the auth policy by:

  • enforcing a station_super_admin check in the local-login path
  • preventing normal customer local registration in the intended production policy
  • ensuring password reset/change flows do not restore local-login eligibility for non-super-admin users
  • preserving account-linking behavior so Discord and local credentials can refer to the same Station user when appropriate
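An added illustration of the break-glass rule described above, written for this ticket and not taken from Station's local.strategy.ts: the user shape, the `role` field and the `STATION_SUPER_ADMIN` value are assumptions, since the page does not show how the role is sourced.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";
// Assumed role identifier; Station's real role/permission source is not on the page.
export const STATION_SUPER_ADMIN = "station_super_admin";

// Assumed user shape: email + password + nullable discordId as the ticket describes, plus a `role` field.
export interface StationUser {
  email: string;
  passwordHash: string | null; // null for Discord-only accounts
  discordId: string | null;    // null until linked by the Discord callback
  role: string;
}

export function hashPassword(pw: string, salt = randomBytes(16).toString("hex")): string {
  return `${salt}:${scryptSync(pw, salt, 32).toString("hex")}`;
}

function verifyPassword(pw: string, stored: string): boolean {
  const [salt, hex] = stored.split(":");
  const expected = Buffer.from(hex, "hex");
  const actual = scryptSync(pw, salt, 32);
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Break-glass rule: returns the user only for a station_super_admin with a valid
// password while local auth is enabled. Every other case (unknown email, wrong
// password, non-super-admin with a correct password, feature disabled) returns
// null, so the caller emits one generic "invalid credentials" response.
export function validateLocalLogin(
  users: Map<string, StationUser>, email: string, pw: string, localLoginEnabled: boolean,
): StationUser | null {
  const user = users.get(email.toLowerCase());
  // Run the password check whenever a hash exists so the role decision does not
  // change response timing; the role gate is applied to the final verdict.
  const hash = user?.passwordHash ?? null;
  const passwordOk = hash !== null && verifyPassword(pw, hash);
  if (!localLoginEnabled || !user || !passwordOk) return null;
  if (user.role !== STATION_SUPER_ADMIN) return null;
  return user;
}

// Constructed sample users: one break-glass operator (already Discord-linked, showing a
// single record can hold both credentials) and one ordinary guild_owner.
export function sampleUsers(): Map<string, StationUser> {
  const u = (email: string, pw: string, discordId: string | null, role: string): StationUser =>
    ({ email, passwordHash: hashPassword(pw), discordId, role });
  return new Map<string, StationUser>([
    ["ops@example.test", u("ops@example.test", "correct horse battery", "111", STATION_SUPER_ADMIN)],
    ["owner@example.test", u("owner@example.test", "hunter2", null, "guild_owner")],
  ]);
}
```

The guild_owner case is the one the acceptance criteria single out: a correct local password is still refused, and the response is indistinguishable from a wrong password.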

Recommended implementation areas to inspect:

  • backend/src/modules/auth/local.strategy.ts
  • backend/src/modules/auth/auth.service.ts
  • backend/src/modules/auth/auth.controller.ts
  • any role/system-permission source used to identify station_super_admin

This issue is intentionally narrower than the broader authn story in #241. It exists to make the break-glass local-login rule explicit and testable.

Design Elaboration

From the user perspective, Station should present one clear rule: normal users sign in with Discord; local login is a support continuity mechanism for the platform operator only. The UI and error handling should reinforce that expectation instead of implying that local and Discord login are equal first-class options for all users.
Parent Epic: #231
Depends on: #241, #242
Blocks: #233

Metadata


  • backend: Backend services and logic
  • config: Configuration and feature flags
  • security: Security, auth, and permissions
  • tech-story: Technical implementation story
