The seed.ts password hashing used N=32768, r=8, p=1 with base64 encoding,
which does not match @better-auth/utils@0.4.0's actual implementation
(N=16384, r=16, p=1, dkLen=64, hex encoding). This caused every seeded
UAT credential to fail verifyPassword at sign-in.
Fix: import hashPassword from "better-auth/crypto" in seed.ts and in the
test helper. This delegates to Better-Auth's own implementation,
guaranteeing parameter and encoding match.
Also updates test assertions to expect hex format (saltHex:keyHex) and
verifies the hash using the correct scrypt params (N=16384, r=16, p=1).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Removes types/index.ts and factories.ts changes that belong in PR #21
(GRO-1178), not this PR. The extended Pet type fields caused CI typecheck
failures because the seed/credential logic doesn't use them.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add coatType, temperamentScore, temperamentFlags, medicalAlerts,
preferredCuts to buildPet() defaults — schema recently added these
columns but factories was still missing them, causing TS2739 errors
- Reduce scrypt N from 32768 → 4096 in test helpers only — production
seed.ts is unaffected; CI runners hit memory limit at N=32768
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds seed-uat-credentials.test.ts covering all 7 acceptance criteria:
- AC-1: creates user + account for each UAT account with password env var
- AC-2: emailVerified = true on created users
- AC-3: providerId = "credential", password properly hashed (scrypt, salt:hash)
- AC-4/AC-4b: staff.userId linked when staff exists, not updated if already set
- AC-5: idempotent — re-running creates no duplicates
- AC-6: missing SEED_UAT_*_PASSWORD skips that account with warning (no error)
- AC-7: partial env var coverage — only provisioned accounts get created
References GRO-1326.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds a seeding step after UAT staff creation that:
- Creates Better-Auth user records (emailVerified: true) for 4 UAT accounts
- Creates account records with providerId="credential" and scrypt-hashed passwords
- Links staff.userId for accounts with existing staff records (super, groomer, tester)
- Reads passwords from SEED_UAT_*_PASSWORD env vars (guard clause skips if unset)
- Is fully idempotent (upsert-safe)
Bypasses Authentik SSO for UAT login; Shedward can authenticate via
POST /api/auth/sign-in/email using the same UAT password secrets.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The CI workflow referenced wrong paths in groombook/infra:
- apps/groombook/overlays/dev/ → apps/overlays/dev/
- apps/groombook/base/ → apps/base/
These paths don't exist in groombook/infra — the correct structure
is apps/overlays/dev/ and apps/base/.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Without pnpm-workspace.yaml, pnpm install --frozen-lockfile can't discover
the apps/api workspace member, causing "Already up to date" and tsc not found.
Also removes stale packages/* entry from pnpm-workspace.yaml (no packages/
directory exists in the dev branch).
Fixes: GRO-1231
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Port rate limit customRules from groombook/app PR #392 to groombook/api.
Adds per-route limits for /sign-in/social, /sign-in/email, and /sign-up/email
to both AUTH_DISABLED and production better-auth() instances.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pets.ts imports pets, appointments, and, eq, exists, or directly from
"../db". The vi.mock factory only returned getDb, causing vitest to throw
"No 'pets' export is defined" and 7 tests to get 400 instead of 201/200.
Fix adds the missing named exports to the mock return object.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds dedicated SEED_UAT_TESTER_OIDC_SUB handling to create the
uat-tester staff record with proper oidcSub mapping to Authentik user PK 237.
Fixes GRO-1151
- Adds missing drizzle-kit, drizzle-orm, postgres dependencies
- Addresses CI failures from Lint & Typecheck and Test jobs
- Resolves QA feedback from Lint Roller on PR #5
Fixes incorrect vi.mock paths that were causing tests to fail.
The mock path should match the import path in the route files.
This addresses the authProvider test mock path issue on PR #2.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Created comprehensive UAT playbook covering all 13 route groups with test cases for authentication, client management, pet management, appointment scheduling, services, staff management, invoicing & payments, customer portal, waitlist, search, reports, impersonation, and settings & setup.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Phase 2 extraction: groombook/api from groombook/app monorepo.
Changes:
- Move packages/db content to apps/api/src/db/
- Move packages/types content to apps/api/src/types/
- Inline database schema and migrations into api package
- Update Dockerfile to build single package
- Update CI workflow for single-package structure
- Fix vitest.config.ts aliases
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Part of GRO-802 monorepo breakdown.
Changes:
- Extract apps/api/ as the main API service
- Inline packages/db/ (database schema, migrations, utilities)
- Inline packages/types/ (shared TypeScript types)
- Add CI workflow for lint, typecheck, test, build, docker
- Port Dockerfile with 4 stages: runner, migrate, seed, reset
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Chris Farhood
The Dogfather
groombook-engineer[bot]