fix(attendance): reject seat_id on room-less slots

backend/src/routes/checkin.rs

@@ -181,14 +181,15 @@ async fn post_checkin(
         return Err(AppError::Conflict("check-in not available".into()));
     }
 
-    // If room_id is set, seat_id is required
-    if slot.room_id.is_some() && req.seat_id.is_none() {
-        return Err(AppError::BadRequest("seat required".into()));
-    }
-
-    // Validate seat_id against room layout
-    if let Some(ref seat_id) = req.seat_id {
-        if let Some(room_id) = slot.room_id {
+    // seat_id / room_id cross-validation
+    match (slot.room_id, req.seat_id.as_ref()) {
+        (None, Some(_)) => {
+            return Err(AppError::BadRequest("seat_id provided but slot has no room".into()));
+        }
+        (Some(_), None) => {
+            return Err(AppError::BadRequest("seat required".into()));
+        }
+        (Some(room_id), Some(seat_id)) => {
             let room = sqlx::query_as::<_, Room>(
                 "SELECT id, name, layout_json FROM rooms WHERE id = ?",
             )
@@ -207,6 +208,7 @@ async fn post_checkin(
                 }
             }
         }
+        (None, None) => {}
     }
 
     // Cookie identity check