Wait, let's look at `index.js` line 354 BEFORE my fix:
```javascript
    const [rows] = await pool.query('SELECT * FROM users WHERE id = ? OR slug = ?', [req.params.idOrSlug, req.params.idOrSlug]);
    if (rows.length === 0) return res.status(404).json({ error: 'Not found' });
    if (req.user.role !== 'super_admin' && rows[0].tenant_id !== req.user.tenant_id) {
```
The ONLY way this throws 500 is if:
1. `pool.query` fails (e.g. database disconnected, which isn't the case).
2. `req.user` is somehow null or undefined (but `authenticateToken` guarantees it exists).
3. `rows[0]` is undefined (but `rows.length === 0` handles that).

Wait, what if `req.user.tenant_id` is null? `null !== 'tenant_xyz'` is true, so it returns 403, not 500.

What if the 500 is coming from `GET /api/users/u_71657ec7` but it's not actually hitting `/users/:idOrSlug`?
Is there a middleware or something? No.

Ah! What if the user you are impersonating was deleted from the database? `rows.length === 0` -> returns 404, not 500.

Let's check the local logs AGAIN after my recent rebuild. I added `console.error('Error in GET /users/:idOrSlug:', error);`
Let's deliberately trigger the error locally to see it. But I don't have the browser.