Fix bugs in roles API, avatar state, toast a11y, meta serialization, and session expiry test

[Copilot]

Five correctness/quality issues identified in PR review across apps/me.

Changes

• roles/route.ts: Strip orgName (and any extra fields) from roles before calling updateUser() by mapping to { orgId, roleName } — matches the same pattern used elsewhere and avoids upstream schema rejection.

• avatar.tsx: Reset imgError via useEffect on src changes so a new valid URL isn't permanently shadowed by a prior load failure.

• toast.tsx: Add type="button" and aria-label="Dismiss" to the close button — prevents accidental form submits and enables screen reader announcements.

• profile/route.ts: Serialize mergedMeta with JSON.stringify() before assigning to updateBody.meta, matching UserUpsert.meta: string contract.

  // Before (sends object, fails schema validation)
  updateBody.meta = mergedMeta;
  // After
  updateBody.meta = JSON.stringify(mergedMeta);

• session.test.ts: Replace the non-functional expired-session test with a real one using vi.useFakeTimers() — advances time past SESSION_COOKIE_MAX_AGE and asserts verifySessionValue returns null.

• README.md: Correct the security note — authorization is resolved by session.email lookup, not sub → user ID binding.

• Tests updated (roles.test.ts, profile.test.ts) to reflect new behavior (no orgName in roles payload; meta is a JSON string that must be parsed before asserting on its fields).

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.