R1.3.1 (NIX-OS-67) — Cashier picker before PIN (local)

2/2 local Gate 1 checks passed. Verified: DAO list + collision-safe verify — created two cashiers with the same PIN "4321" on the same shop, plus one null-shop cashier. Picker returns all three; unmapped-register picker returns only the null-shop one; verifyPinForIdentity by Alice's id resolves to Alice (not Bob), and by Bob's id resolves to Bob. Deactivated cashier disappears from picker and fails verify even with correct PIN. HTTP smoke on /cafe/pos/register/1 still 307.

Gate 2 (prod) will capture both flows. Screenshots planned: (a) Lock screen with Manager override button + cashier tile grid; (b) click cashier tile → PIN keypad with cashier badge; (c) click Manager override → straight to PreShift (no PIN). Plus DB assertion that the cafe.sessions row records opened_by_user_id (not opened_by_pin_id) when the manager path is used.

00What's new in the codebase

lib/auth/active-cashier.ts — cookie now carries actorKind: 'pin' | 'user' + actorId. Legacy R1.3 {pinId} payloads still decode (upgraded in read).
lib/db/pin_identities.ts — new listCashiersForRegister (shop-scoped + null-shop cashiers), new verifyPinForIdentity (verifies against one row, by id).
lib/actions/register.ts — unlockRegisterAction now takes {posConfigId, cashierId, pin}. New unlockRegisterAsUserAction({posConfigId}) — gated on nix_cafe.pos.session_open, no PIN. openShift / closeShift write to opened_by_pin_id or opened_by_user_id based on cookie's actorKind.
register-shell.tsx — Lock screen renders a green "Unlock as {manager-name}" button at the top (if web user has session_open), a divider ("Or pick a cashier"), then the cashier tile grid. Clicking the manager button bypasses the PIN keypad entirely.

R1.3.1 — Cashier picker + manager override on Lock screen LOCAL

00What's new in the codebase

01DAO — picker list + collision-safe verify✓ 11 assertions