fix(ci): build all 4 images in Gitea CI (GRO-1522)

- Upgrade lint-typecheck, test, build jobs to Node 22
- Add explicit target: runner for API image (matches GH workflow)
- Add migrate, seed, reset images to Gitea docker job
- Per-image cache refs for Gitea registry (git.farh.net/groombook/cache:{service})

Fixes: missing migrate/seed/reset images in Gitea registry.
Related: The Dogfather review comment on PR #44.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -0,0 +1,161 @@
+name: CI
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main, dev]
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Branch or ref to run CI against"
+        required: false
+        default: "main"
+
+jobs:
+  lint-typecheck:
+    name: Lint & Typecheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Lint
+        run: pnpm lint
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run tests
+        run: pnpm test
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [lint-typecheck, test]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+  docker:
+    name: Build & Push Docker Images
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Generate image tag
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}"
+          else
+            TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
+          fi
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          echo "Image tag: $TAG"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.farh.net
+          username: ${{ gitea.actor }}
+          password: ${{ gitea.token }}
+
+      - name: Build and push API image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: runner
+          push: true
+          tags: |
+            git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:api
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
+
+      - name: Build and push Migrate image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: migrate
+          push: true
+          tags: |
+            git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
+
+      - name: Build and push Seed image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: seed
+          push: true
+          tags: |
+            git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:seed
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max
+
+      - name: Build and push Reset image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: reset
+          push: true
+          tags: |
+            git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies
@@ -49,7 +49,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies
@@ -71,7 +71,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-alpine AS base
+FROM node:22-alpine AS base
 RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR /app
 
@@ -12,7 +12,7 @@ RUN mkdir -p /home/node/.cache/node/corepack
 COPY apps/api/ apps/api/
 RUN pnpm --filter @groombook/api build
 
-FROM node:20-alpine AS runner
+FROM node:22-alpine AS runner
 RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR /app
 ENV NODE_ENV=production

UAT_PLAYBOOK.md

@@ -21,14 +21,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 
 ## Test Cases
 
-### 4.0 Health Check
-
-| # | Scenario | Steps | Expected |
-|---|----------|-------|----------|
-| TC-API-0.1 | Unauthenticated health check | GET /api/health | 200 OK, `{"status":"ok"}` |
-
-> **Note (GRO-1544):** Health endpoint registered on `api` basePath before auth middleware at `/api/health`. The old path `/health` was incorrect (routed to web pod via HTTPRoute `/*` rule).
-
 ### 4.1 Authentication
 
 | # | Scenario | Steps | Expected |

apps/api/src/__tests__/petsExtendedFields.test.ts

@@ -21,8 +21,8 @@ const MANAGER: StaffRow = {
 
 // ─── Mutable mock state ───────────────────────────────────────────────────────
 
-const CLIENT_ID = "client-uuid-extended";
-const PET_ID = "pet-uuid-extended";
+const CLIENT_ID = "550e8400-e29b-41d4-a716-446655440001";
+const PET_ID = "660e8400-e29b-41d4-a716-446655440002";
 
 let petRows: Record<string, unknown>[] = [];
 let appointmentRows: Record<string, unknown>[] = [];
@@ -134,7 +134,7 @@ function makeDeleteChainable(): unknown {
       }
       if (prop === "returning") {
         return () => {
-          const row = petRows[0];
+          const row = petRows[0]!;
           deletedId = row.id as string;
           return [row];
         };
@@ -163,10 +163,10 @@ vi.mock("../db", () => {
     }),
     pets,
     appointments,
-    and,
-    eq,
-    exists,
-    or,
+    and: vi.fn(),
+    eq: vi.fn(),
+    exists: vi.fn(),
+    or: vi.fn(),
   };
 });
 

apps/api/src/__tests__/portal.test.ts

@@ -67,6 +67,11 @@ vi.mock("../db", () => {
     { get: (t, p) => (p === "_name" ? "impersonationSessions" : { table: "impersonationSessions", column: p }) }
   );
 
+  const impersonationAuditLogs = new Proxy(
+    { _name: "impersonationAuditLogs" },
+    { get: (t, p) => (p === "_name" ? "impersonationAuditLogs" : { table: "impersonationAuditLogs", column: p }) }
+  );
+
   const appointments = new Proxy(
     { _name: "appointments" },
     { get: (t, p) => (p === "_name" ? "appointments" : { table: "appointments", column: p }) }
@@ -99,8 +104,12 @@ vi.mock("../db", () => {
           }),
         }),
       }),
+      insert: () => ({
+        values: () => ({ returning: () => [{}] }),
+      }),
     }),
     impersonationSessions,
+    impersonationAuditLogs,
     appointments,
     eq: vi.fn(),
     and: vi.fn(),

apps/api/src/db/factories.ts

@@ -103,6 +103,11 @@ export function buildPet(overrides: Partial<PetRow> & { clientId: string }): Pet
     photoKey: null,
     photoUploadedAt: null,
     image: null,
+    coatType: null,
+    temperamentScore: null,
+    temperamentFlags: [],
+    medicalAlerts: [],
+    preferredCuts: [],
     createdAt: new Date("2025-01-01T00:00:00Z"),
     updatedAt: new Date("2025-01-01T00:00:00Z"),
   };

package.json

@@ -3,5 +3,6 @@
   "version": "0.0.1",
   "private": true,
   "type": "module",
+  "packageManager": "pnpm@9.15.4",
   "license": "AGPL-3.0-only"
 }

src/index.ts

@@ -1,298 +0,0 @@
-import { serve } from "@hono/node-server";
-import { Hono } from "hono";
-import { logger } from "hono/logger";
-import { cors } from "hono/cors";
-import { getAuth, initAuth, getActiveProviders } from "./lib/auth.js";
-import { clientsRouter } from "./routes/clients.js";
-import { petsRouter } from "./routes/pets.js";
-import { servicesRouter } from "./routes/services.js";
-import { appointmentsRouter } from "./routes/appointments.js";
-import { waitlistRouter } from "./routes/waitlist.js";
-import { portalRouter } from "./routes/portal.js";
-import { staffRouter } from "./routes/staff.js";
-import { invoicesRouter } from "./routes/invoices.js";
-import { bookRouter } from "./routes/book.js";
-import { reportsRouter } from "./routes/reports.js";
-import { appointmentGroupsRouter } from "./routes/appointmentGroups.js";
-import { groomingLogsRouter } from "./routes/groomingLogs.js";
-import { impersonationRouter } from "./routes/impersonation.js";
-import { settingsRouter } from "./routes/settings.js";
-import { authProviderRouter } from "./routes/authProvider.js";
-import { searchRouter } from "./routes/search.js";
-import { bufferRulesRouter } from "./routes/buffer-rules.js";
-import { getObject } from "./lib/s3.js";
-import { calendarRouter } from "./routes/calendar.js";
-import { setupRouter } from "./routes/setup.js";
-import { getDb, businessSettings, eq, staff } from "@groombook/db";
-import { authMiddleware } from "./middleware/auth.js";
-import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
-import { devRouter } from "./routes/dev.js";
-import { adminSeedRouter } from "./routes/admin/seed.js";
-import { startReminderScheduler } from "./services/reminders.js";
-import { webhooksRouter } from "./routes/stripe-webhooks.js";
-
-const app = new Hono();
-
-// Global middleware
-const TRUSTED_ORIGINS = (process.env.CORS_ORIGIN ?? "http://localhost:5173")
-  .split(",")
-  .map((o) => o.trim());
-
-const ALLOWED_ORIGIN = process.env.CORS_ORIGIN ?? "http://localhost:5173";
-
-app.use("*", logger());
-app.use(
-  "/api/*",
-  cors({
-    origin: (origin, ctx) => {
-      if (!origin) {
-        return ALLOWED_ORIGIN;
-      }
-      if (TRUSTED_ORIGINS.includes(origin)) {
-        return origin;
-      }
-      ctx.status(403);
-      return null;
-    },
-    credentials: true,
-  })
-);
-
-// Health check — no auth required, registered on app at full path before auth middleware
-app.get("/api/health", (c) => c.json({ status: "ok" }));
-
-// Public booking routes — no auth required, must be registered before auth middleware
-app.route("/api/book", bookRouter);
-
-// Public portal routes — client-facing, authenticated via impersonation session header
-app.route("/api/portal", portalRouter);
-
-// Public Stripe webhook endpoint — signature-verified, no auth required
-app.route("/api/webhooks/stripe", webhooksRouter);
-
-// Dev/demo routes — config is always public, users endpoint is guarded internally
-app.route("/api/dev", devRouter);
-
-// Magic bytes for allowed image types
-const ALLOWED_IMAGE_TYPES: Record<string, Uint8Array> = {
-  "image/png": new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
-  "image/jpeg": new Uint8Array([0xff, 0xd8, 0xff]),
-  "image/gif": new Uint8Array([0x47, 0x49, 0x46, 0x38]),
-  "image/webp": new Uint8Array([0x52, 0x49, 0x46, 0x46]), // followed by size then WEBP
-};
-
-/**
- * Validates that the given base64 content matches the declared MIME type
- * by checking magic bytes. Returns null if valid, or the field to clear if not.
- */
-function validateLogoMagicBytes(
-  logoBase64: string | null,
-  logoMimeType: string | null
-): "logoBase64" | "logoMimeType" | null {
-  if (!logoBase64 || !logoMimeType) return null;
-
-  const expectedMagic = ALLOWED_IMAGE_TYPES[logoMimeType];
-  if (!expectedMagic) return "logoMimeType"; // unknown MIME type — reject
-
-  try {
-    const binary = Buffer.from(logoBase64, "base64");
-    // WebP needs a special check (RIFF....WEBP at offset 0, size at offset 4)
-    if (logoMimeType === "image/webp") {
-      if (binary.length < 12) return "logoBase64";
-      const webpMagic = binary.slice(0, 4);
-      const webpSig = binary.slice(8, 12);
-      if (
-        webpMagic[0] !== 0x52 ||
-        webpMagic[1] !== 0x49 ||
-        webpMagic[2] !== 0x46 ||
-        webpMagic[3] !== 0x46 ||
-        webpSig[0] !== 0x57 ||
-        webpSig[1] !== 0x45 ||
-        webpSig[2] !== 0x42 ||
-        webpSig[3] !== 0x50
-      ) {
-        return "logoBase64";
-      }
-      return null;
-    }
-
-    // All other types: check prefix
-    if (binary.length < expectedMagic.length) return "logoBase64";
-    for (let i = 0; i < expectedMagic.length; i++) {
-      if (binary[i] !== expectedMagic[i]) return "logoBase64";
-    }
-    return null;
-  } catch {
-    return "logoBase64";
-  }
-}
-
-// Public logo proxy — no auth required, streams logo from S3 so browser never sees raw S3 URL
-app.get("/api/branding/logo", async (c) => {
-  const db = getDb();
-  const [row] = await db.select().from(businessSettings).limit(1);
-  if (!row) return c.json({ error: "Settings not found" }, 404);
-  if (!row.logoKey) return c.json({ error: "No logo on file" }, 404);
-
-  const { body, contentType } = await getObject(row.logoKey);
-  return new Response(Buffer.from(body), {
-    status: 200,
-    headers: {
-      "Content-Type": contentType,
-      "Cache-Control": "public, max-age=86400",
-    },
-  });
-});
-
-// Public branding endpoint — no auth required, returns business name/colors/logo
-app.get("/api/branding", async (c) => {
-  const db = getDb();
-  const [row] = await db.select().from(businessSettings).limit(1);
-  const settings = row ?? { businessName: "GroomBook", primaryColor: "#4f8a6f", accentColor: "#8b7355", logoBase64: null, logoMimeType: null, logoKey: null };
-
-  // Return the public proxy path so browser never sees a raw S3 URL
-  const logoUrl = settings.logoKey ? "/api/branding/logo" : null;
-
-  // Defensive: validate magic bytes to prevent MIME type confusion attacks
-  // via the legacy base64 logo fields
-  const badField = validateLogoMagicBytes(settings.logoBase64 ?? null, settings.logoMimeType ?? null);
-  const safeLogoBase64 = badField === "logoBase64" ? null : settings.logoBase64;
-  const safeLogoMimeType = badField === "logoMimeType" ? null : settings.logoMimeType;
-
-  return c.json({
-    businessName: settings.businessName,
-    primaryColor: settings.primaryColor,
-    accentColor: settings.accentColor,
-    logoUrl,
-    logoBase64: safeLogoBase64,
-    logoMimeType: safeLogoMimeType,
-  });
-});
-
-// Public iCal calendar feed — token auth in URL, no auth middleware required
-app.route("/api/calendar", calendarRouter);
-
-// Public setup status — no auth required, must be registered before auth middleware
-app.get("/api/setup/status", async (c) => {
-  const db = getDb();
-  const [superUser] = await db
-    .select({ id: staff.id })
-    .from(staff)
-    .where(eq(staff.isSuperUser, true))
-    .limit(1);
-  return c.json({ needsSetup: !superUser });
-});
-
-// Public auth providers endpoint — no auth required, tells frontend which login options are available
-app.get("/api/auth/providers", async (c) => {
-  return c.json({ providers: getActiveProviders() });
-});
-
-// Protected API routes
-const api = app.basePath("/api");
-api.use("*", authMiddleware);
-api.use("*", resolveStaffMiddleware);
-
-// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
-// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
-const authRouter = new Hono();
-authRouter.all("/*", (c) => {
-  try {
-    return getAuth().handler(c.req.raw);
-  } catch {
-    return c.json({ error: "Authentication not configured" }, 503);
-  }
-});
-api.route("/auth", authRouter);
-
-// ── Role guards ────────────────────────────────────────────────────────────────
-// Manager-only: admin settings, reports, invoices, impersonation
-// Staff CRUD: all roles may READ; manager-only for CREATE/UPDATE/DELETE
-api.on(["GET"], "/staff/*", requireRole("manager", "receptionist", "groomer"));
-// Staff write routes: manager OR super-user (combined guard — avoids AND stacking)
-api.on(["POST", "PATCH", "DELETE"], "/staff/*", requireRoleOrSuperUser("manager"));
-api.use("/admin/*", requireRoleOrSuperUser("manager"));
-api.use("/admin/settings/*", requireSuperUser());
-api.use("/reports/*", requireRole("manager"));
-api.use("/invoices/*", requireRole("manager", "groomer"));
-api.use("/impersonation/*", requireRole("manager"));
-
-// Manager + Receptionist only (groomers have no access): appointment-groups, grooming-logs, waitlist
-api.use("/appointment-groups/*", requireRole("manager", "receptionist"));
-api.use("/grooming-logs/*", requireRole("manager", "receptionist"));
-api.use("/waitlist/*", requireRole("manager", "receptionist"));
-
-// Pet photo routes: all staff roles may upload/delete (groomers take photos during grooms)
-// These must be registered before the general pets write guard. Because Hono path params
-// match single segments, "/pets/:petId" does NOT match "/pets/:petId/photo/:action",
-// so there is no guard overlap.
-api.on(
-  ["POST", "DELETE"],
-  ["/pets/:petId/photo", "/pets/:petId/photo/:action"],
-  requireRole("manager", "receptionist", "groomer")
-);
-
-// Clients, appointments: all roles may read; only manager + receptionist may write
-api.on(
-  ["POST", "PUT", "PATCH", "DELETE"],
-  ["/clients/*", "/appointments/*"],
-  requireRole("manager", "receptionist")
-);
-
-// Pets (non-photo CRUD): manager + receptionist for writes
-// ":petId" matches only single-segment paths — photo sub-routes are unaffected
-api.post("/pets", requireRole("manager", "receptionist"));
-api.on(["PUT", "PATCH", "DELETE"], "/pets/:petId", requireRole("manager", "receptionist"));
-
-// Services: all roles may read; only managers may write
-api.on(
-  ["POST", "PUT", "PATCH", "DELETE"],
-  "/services/*",
-  requireRole("manager")
-);
-// ──────────────────────────────────────────────────────────────────────────────
-
-// Setup: POST /api/setup (authenticated) — requires staff context from auth middleware
-api.route("/setup", setupRouter);
-
-api.route("/clients", clientsRouter);
-api.route("/pets", petsRouter);
-api.route("/services", servicesRouter);
-api.route("/appointments", appointmentsRouter);
-api.route("/waitlist", waitlistRouter);
-api.route("/staff", staffRouter);
-api.route("/invoices", invoicesRouter);
-api.route("/reports", reportsRouter);
-api.route("/appointment-groups", appointmentGroupsRouter);
-api.route("/grooming-logs", groomingLogsRouter);
-api.route("/impersonation", impersonationRouter);
-api.route("/admin/settings", settingsRouter);
-api.route("/admin/auth-provider", authProviderRouter);
-api.route("/admin/seed", adminSeedRouter);
-api.route("/search", searchRouter);
-api.route("/buffer-rules", bufferRulesRouter);
-
-const port = Number(process.env.PORT ?? 3000);
-await initAuth();
-console.log(`API server listening on port ${port}`);
-const server = serve({ fetch: app.fetch, port });
-
-// Start background reminder scheduler (runs every minute to check for upcoming appointments)
-startReminderScheduler();
-
-function shutdown() {
-  console.log("Shutting down gracefully...");
-  server.close(() => {
-    console.log("HTTP server closed");
-    process.exit(0);
-  });
-  setTimeout(() => {
-    console.error("Forced shutdown after timeout");
-    process.exit(1);
-  }, 10_000);
-}
-
-process.on("SIGTERM", shutdown);
-process.on("SIGINT", shutdown);
-
-export default app;