fix(action_cable): allow employee to subscribe to supplier channel

- Employee authenticates via auth_token, acts on behalf of a Supplier
- Connection now accepts ?supplier_id=ID query param
- identified_by :current_supplier_id added
- MozoChannel#authorized? allows :employee to subscribe to supplier_<id>
  when current_supplier_id matches

app/channels/application_cable/connection.rb

@@ -4,7 +4,13 @@ module ApplicationCable
   class Connection < ActionCable::Connection::Base
     # Authenticate via auth_token (same mechanism used in ApplicationController#authenticate_employee!)
     # Clients should pass ?auth_token=TOKEN when connecting to the WebSocket.
-    identified_by :current_user, :current_entity_type
+    #
+    # Auth flows:
+    #   User app:     ?auth_token=<user_token>
+    #   Supplier app: ?auth_token=<employee_token>&supplier_id=<id>
+    #     (Employee logs in, acts on behalf of a specific Supplier)
+    #
+    identified_by :current_user, :current_entity_type, :current_supplier_id
 
     def connect
       token = request.params[:auth_token].presence
@@ -13,6 +19,8 @@ module ApplicationCable
       if (employee = Employee.find_by_authentication_token(token))
         self.current_user = employee
         self.current_entity_type = :employee
+        # Employee acts on behalf of a supplier — passed as query param
+        self.current_supplier_id = request.params[:supplier_id]
       elsif (user = User.find_by_authentication_token(token))
         self.current_user = user
         self.current_entity_type = :user