- Add user table mock and db.insert returning chain to rbac.test.ts
- Add three new tests: happy-path auto-provision, email-prefix fallback,
and miss-path (no user → 403)
- Add TC-API-1.4 to UAT_PLAYBOOK.md §4.1 for first-login auto-provision
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
When a user authenticates via OIDC but has no staff record (userId NULL,
oidcSub mismatch, email mismatch), resolveStaffMiddleware now checks for
a Better-Auth user record by jwt.sub and auto-creates a minimal groomer
staff record on first login.
This fixes the UAT regression where all API routes returned 403 for all
authenticated users after GRO-1207, because seedKnownUsers() sets
oidcSub to Authentik integer PKs or emails rather than the actual Authentik
OIDC sub (a UUID). The auto-provision path bridges the gap for all UAT
personas without requiring seed/Terraform changes.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The CI workflow referenced wrong paths in groombook/infra:
- apps/groombook/overlays/dev/ → apps/overlays/dev/
- apps/groombook/base/ → apps/base/
These paths don't exist in groombook/infra — the correct structure
is apps/overlays/dev/ and apps/base/.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Without pnpm-workspace.yaml, pnpm install --frozen-lockfile can't discover
the apps/api workspace member, causing "Already up to date" and tsc not found.
Also removes stale packages/* entry from pnpm-workspace.yaml (no packages/
directory exists in the dev branch).
Fixes: GRO-1231
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Port rate limit customRules from groombook/app PR #392 to groombook/api.
Adds per-route limits for /sign-in/social, /sign-in/email, and /sign-up/email
to both AUTH_DISABLED and production better-auth() instances.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds dedicated SEED_UAT_TESTER_OIDC_SUB handling to create the
uat-tester staff record with proper oidcSub mapping to Authentik user PK 237.
Fixes GRO-1151
- Adds missing drizzle-kit, drizzle-orm, postgres dependencies
- Addresses CI failures from Lint & Typecheck and Test jobs
- Resolves QA feedback from Lint Roller on PR #5
Fixes incorrect vi.mock paths that were causing tests to fail.
The mock path should match the import path in the route files.
This addresses the authProvider test mock path issue on PR #2.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Created comprehensive UAT playbook covering all 13 route groups with test cases for authentication, client management, pet management, appointment scheduling, services, staff management, invoicing & payments, customer portal, waitlist, search, reports, impersonation, and settings & setup.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Phase 2 extraction: groombook/api from groombook/app monorepo.
Changes:
- Move packages/db content to apps/api/src/db/
- Move packages/types content to apps/api/src/types/
- Inline database schema and migrations into api package
- Update Dockerfile to build single package
- Update CI workflow for single-package structure
- Fix vitest.config.ts aliases
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Part of GRO-802 monorepo breakdown.
Changes:
- Extract apps/api/ as the main API service
- Inline packages/db/ (database schema, migrations, utilities)
- Inline packages/types/ (shared TypeScript types)
- Add CI workflow for lint, typecheck, test, build, docker
- Port Dockerfile with 4 stages: runner, migrate, seed, reset
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Chris Farhood
groombook-engineer[bot]