Defect: GET /api/pets/:id/profile-summary previously returned an empty-body
500 Internal Server Error for any UUID that the caller had no linkage to
(and presumably also for any malformed/non-UUID path param), because the
route had no upfront UUID validation, no defensive staff context guard,
and no router-level onError to catch downstream Drizzle/Postgres errors.
Changes:
- src/routes/pets.ts
- Add router.onError that returns a JSON envelope (`{"error":"Internal Server
Error"}`) instead of Hono's default empty-body 500. Mirrors the pattern
already used in invoices.ts and reports.ts.
- profile-summary: validate the :id path param with z.string().uuid()
before hitting Postgres. Malformed UUIDs now return 404 Not Found
instead of triggering a Postgres uuid cast that throws and bubbles
up as a 500.
- profile-summary: explicit `if (!staffRow)` guard returns 401 instead
of relying on optional chaining and risking a TypeError later in the
groomer linkage check on staffRow.id.
- src/__tests__/petProfileSummary.test.ts (new)
- 7 regression tests covering: malformed UUID → 404; missing staff →
401; pet not found → 404; groomer with no linkage → 403; manager
happy path → 200; groomer with linkage → 200; downstream DB throw
→ 500 with JSON body (never empty body).
- UAT_PLAYBOOK.md §3 (TC-API-3.29 / 3.30 / 3.31)
- Document the new 404 behaviour for unknown and malformed UUIDs and
the JSON-envelope requirement for any 500.
Notes for QA:
- Spec from GRO-2014: 404 if pet does not exist, 403 if no linkage, 401
if not authenticated. The "Forbidden if no linkage" path was already
correct for groomers; the 500 → 404/JSON-500 collapse is the actual
change in observable behaviour.
- The route's customer-as-groomer auto-provision issue (GRO-2013) is
*not* addressed here. It remains the customer-side defect; this PR
only fixes the error-handling regression.
Refs: GRO-1892, GRO-2013
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Updated UAT_PLAYBOOK.md §4.3 — new seed data verification tests.
GRO-1898: After populating extended profile fields in the UAT seed, add
test cases to verify the data is actually present and shaped correctly.
Test cases cover:
- /api/clients returns seed data
- /api/pets/{id} returns all 5 extended fields for UAT test pets
- medicalAlerts shape is correct ({type, description, severity})
- Deterministic UAT pets (Charlie = behavioral alert, Delta = skin alert)
are verifiably populated
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(gro-1866): add session-from-auth portal endpoint + role scope (#93)
Bridges Better Auth SSO sessions to portal sessions for real customers.
Adds role to genericOAuth scopes for Authentik role propagation.
Closes GRO-1866
feat(GRO-1177): add pet profile summary endpoint (#30)
Adds GET /api/pets/:id/profile-summary with aggregated pet profile,
grooming history, visit count, and upcoming appointment.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Returns aggregated pet profile with:
- All pet fields (basic + extended)
- recentGroomingHistory: last 10 entries from groomingVisitLogs with staff name join
- lastVisitDate: most recent groomedAt timestamp
- visitCount: count of completed appointments
- upcomingAppointment: next scheduled/confirmed appointment with service/staff name
Enforces same groomer RBAC as GET /:id. Returns 404 for non-existent pets.
Adds PetProfileSummary, GroomingHistoryEntry, and UpcomingAppointment types.
Adds unit tests covering: 404, 403, aggregated profile, empty history, no upcoming appt.
Updates UAT_PLAYBOOK.md §3 with TC-API-3.8 and TC-API-3.9.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Added TC-API-0.1 for GET /api/health (unauthenticated).
Corrected path from /health to /api/health (GRO-1544).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add TC-API-1.11 through TC-API-1.15 covering existing staff unaffected by
OIDC login, auto-provisioned role/superUser flags, and name fallback
variants (name present, no name+email present, no name+no email).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
1. Fix vi.mock factory: importOriginal -> db.and/eq/exists/or stubs
(removes ReferenceError from undeclared imports in test)
2. Remove MedicalAlert.id — not in schema/migration/DB, only in types
3. Replace z.string().max(100) coatType with z.enum for CoatType union
4. Fix test expecting coatType "smooth" (invalid) -> "double" (valid)
5. Add TC-API-3.8 through TC-API-3.15 to UAT_PLAYBOOK.md §4.3
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(GRO-1272): auto-provision staff record on first OIDC login (#19)
Fixes HTTP 403 on all authenticated routes for new OIDC users by auto-creating
a minimal groomer staff record on first login when a Better-Auth user exists
but no staff record is found.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Address QA review findings on PR #12:
- Add coatType and petSizeCategory to buildPet defaults in packages/db/src/factories.ts
to fix TypeScript typecheck failure
- Restore UAT_PLAYBOOK.md (was deleted during monorepo extraction) and add
§4.15 Buffer Rules test cases
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add user table mock and db.insert returning chain to rbac.test.ts
- Add three new tests: happy-path auto-provision, email-prefix fallback,
and miss-path (no user → 403)
- Add TC-API-1.4 to UAT_PLAYBOOK.md §4.1 for first-login auto-provision
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds a seeding step after UAT staff creation that:
- Creates Better-Auth user records (emailVerified: true) for 4 UAT accounts
- Creates account records with providerId="credential" and scrypt-hashed passwords
- Links staff.userId for accounts with existing staff records (super, groomer, tester)
- Reads passwords from SEED_UAT_*_PASSWORD env vars (guard clause skips if unset)
- Is fully idempotent (upsert-safe)
Bypasses Authentik SSO for UAT login; Shedward can authenticate via
POST /api/auth/sign-in/email using the same UAT password secrets.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Created comprehensive UAT playbook covering all 13 route groups with test cases for authentication, client management, pet management, appointment scheduling, services, staff management, invoicing & payments, customer portal, waitlist, search, reports, impersonation, and settings & setup.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Flea Flicker
Flea Flicker
The Dogfather
Scrubs McBarkley
Chris Farhood