From b61d899f814d4e091efa6db9ad61d4a887d02e7a Mon Sep 17 00:00:00 2001
From: Scrubs McBarkley <18+gb_scrubs@noreply.git.farh.net>
Date: Mon, 25 May 2026 23:39:57 +0000
Subject: [PATCH 1/5] fix(GRO-1757): auto-provision staff for OIDC users + UAT
 playbook updates (#83)

---
 UAT_PLAYBOOK.md        | 20 +++++++++++++++++++
 src/middleware/rbac.ts | 44 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index d5887c6..d03aeea 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -48,6 +48,26 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
 | TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |
 
+#### SSO Login Journey (Authentik OIDC end-to-end)
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.17 | SSO redirect to Authentik | Navigate to app → sign-in page shown → click "Sign in with SSO" | Redirected to Authentik at auth.farh.net | 403 error, redirect loop, no SSO button |
+| TC-API-1.18 | Authenticate with valid OIDC credentials | At Authentik login page, enter valid credentials and authenticate | Redirected back to app with valid session | Redirect loop, 403, missing session cookie |
+| TC-API-1.19 | SSO user auto-provisioned as groomer | Complete SSO login as a user with no pre-existing staff record | 200 response; groomer staff record auto-created; session active | 403 Forbidden, staff record not created |
+| TC-API-1.20 | Existing staff record resolves correctly | Complete SSO login as uat-groomer (pre-existing staff) | 200 OK, correct staff identity resolved, no duplicate record created | 403, duplicate record, wrong staff data |
+| TC-API-1.21 | SSO session grants dashboard access | After TC-API-1.18 SSO login, GET /api/staff/me | 200 OK, valid staff record returned, correct role displayed | 401/403, missing session, wrong identity |
+
+#### OOBE Flow Post-Login
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.22 | Fresh DB reports needsSetup | On a fresh DB (no super user), GET /api/setup/status | needsSetup: true returned | needsSetup: false when it should be true |
+| TC-API-1.23 | Configure OIDC via auth-provider endpoint | POST /api/setup/auth-provider with valid OIDC config | 200 OK, auth provider configured, no 403 | 403, setup blocked, invalid config rejected |
+| TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
+| TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
+| TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
+
 ### 4.2 Client Management
 
 | # | Scenario | Steps | Expected |
diff --git a/src/middleware/rbac.ts b/src/middleware/rbac.ts
index 1277b2c..bace747 100644
--- a/src/middleware/rbac.ts
+++ b/src/middleware/rbac.ts
@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "@groombook/db";
+import { and, eq, getDb, sql, staff, account } from "@groombook/db";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -110,6 +110,48 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
+
+  // Auto-provision for OIDC users: check if jwt.sub has an OAuth/OIDC account
+  // (e.g. authentik). If so, create a groomer staff record on the fly.
+  if (jwt.email) {
+    const [oidcAccount] = await db
+      .select({ id: account.id })
+      .from(account)
+      .where(
+        and(
+          eq(account.userId, jwt.sub),
+          sql`${account.providerId} IN ('authentik', 'google', 'github')`
+        )
+      )
+      .limit(1);
+
+    if (oidcAccount) {
+      // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
+      const name =
+        jwt.name?.trim() ||
+        (jwt.email ? jwt.email.split("@")[0] : "Unknown");
+
+      const [newStaff] = await db
+        .insert(staff)
+        .values({
+          userId: jwt.sub,
+          email: jwt.email ?? "",
+          name,
+          role: "groomer",
+          isSuperUser: false,
+          active: true,
+        })
+        .returning();
+
+      console.log(
+        `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
+      );
+      c.set("staff", newStaff);
+      await next();
+      return;
+    }
+  }
+
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403

From 0625961adfed3eba0770712bdc8409076ff9f3dc Mon Sep 17 00:00:00 2001
From: Flea Flicker <fleaflicker@groombook.dev>
Date: Mon, 25 May 2026 23:52:53 +0000
Subject: [PATCH 2/5] fix(GRO-1764): change Max coat_type "short" to "smooth"
 in UAT seed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The DB coat_type enum only accepts: smooth, double, wire, curly, long, hairless.
"short" is not a valid value — corrected to "smooth".

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/routes/admin/seed.ts | 2 +-
 src/routes/admin/seed.ts          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/routes/admin/seed.ts b/apps/api/src/routes/admin/seed.ts
index 0f3dbe2..38bc8ac 100644
--- a/apps/api/src/routes/admin/seed.ts
+++ b/apps/api/src/routes/admin/seed.ts
@@ -46,7 +46,7 @@ const UAT_CLIENT = {
 
 const UAT_PETS = [
   { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly" as const, weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short" as const, weightKg: "30.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth" as const, weightKg: "30.00" },
 ];
 
 const DEMO_SERVICES = [
diff --git a/src/routes/admin/seed.ts b/src/routes/admin/seed.ts
index 114461f..da96650 100644
--- a/src/routes/admin/seed.ts
+++ b/src/routes/admin/seed.ts
@@ -46,7 +46,7 @@ const UAT_CLIENT = {
 
 const UAT_PETS = [
   { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly", weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short", weightKg: "30.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth", weightKg: "30.00" },
 ];
 
 const DEMO_SERVICES = [

From 2f17b1ab85db5d9b2481a9823dda57aec78ef497 Mon Sep 17 00:00:00 2001
From: The Dogfather <20+gb_dogfather@noreply.git.farh.net>
Date: Tue, 26 May 2026 00:36:15 +0000
Subject: [PATCH 3/5] Promo/Gro 1764 Uat (#86)

---
 .ci-trigger | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .ci-trigger

diff --git a/.ci-trigger b/.ci-trigger
new file mode 100644
index 0000000..bc10555
--- /dev/null
+++ b/.ci-trigger
@@ -0,0 +1 @@
+GRO-1757+GRO-1764 CI trigger 2026-05-26
\ No newline at end of file

From 8e8a87767cca255d88dab719c9692349a8774b8a Mon Sep 17 00:00:00 2001
From: Lint Roller <23+gb_lint@noreply.git.farh.net>
Date: Tue, 26 May 2026 01:34:42 +0000
Subject: [PATCH 4/5] fix(ci): remove duplicate provenance keys + add uat push
 trigger (GRO-1762)

---
 .gitea/workflows/ci.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index b08c640..dfb785b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main, dev]
+    branches: [main, dev, uat]
   pull_request:
-    branches: [main, dev]
+    branches: [main, dev, uat]
   workflow_dispatch:
     inputs:
       ref:
@@ -96,7 +96,6 @@ jobs:
           file: Dockerfile
           target: runner
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
@@ -111,7 +110,6 @@ jobs:
           file: Dockerfile
           target: migrate
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
@@ -126,7 +124,6 @@ jobs:
           file: Dockerfile
           target: seed
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
@@ -141,7 +138,6 @@ jobs:
           file: Dockerfile
           target: reset
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}

From 385ed102119c7d68ddc96c7556df9ec80d7bc4b5 Mon Sep 17 00:00:00 2001
From: Lint Roller <gb_lint@groombook.dev>
Date: Tue, 26 May 2026 01:48:12 +0000
Subject: [PATCH 5/5] fix(rbac): guard noUncheckedIndexedAccess in name
 derivation and newStaff insert
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With noUncheckedIndexedAccess:true, split("@")[0] returns string|undefined,
making `name` typed as string|undefined and failing the notNull staff.name
insert constraint. Fix by using ?? fallback on the array access.

Also add newStaff null guard after .returning() destructure — array
destructuring yields T|undefined with noUncheckedIndexedAccess enabled.
---
 src/middleware/rbac.ts | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/middleware/rbac.ts b/src/middleware/rbac.ts
index bace747..f8dbc14 100644
--- a/src/middleware/rbac.ts
+++ b/src/middleware/rbac.ts
@@ -127,15 +127,14 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
 
     if (oidcAccount) {
       // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
-      const name =
-        jwt.name?.trim() ||
-        (jwt.email ? jwt.email.split("@")[0] : "Unknown");
+      const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
+      const name = jwt.name?.trim() || emailPrefix;
 
       const [newStaff] = await db
         .insert(staff)
         .values({
           userId: jwt.sub,
-          email: jwt.email ?? "",
+          email: jwt.email,
           name,
           role: "groomer",
           isSuperUser: false,
@@ -143,6 +142,10 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
         })
         .returning();
 
+      if (!newStaff) {
+        return c.json({ error: "Forbidden: auto-provision failed" }, 500);
+      }
+
       console.log(
         `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
       );