Merge origin/dev into flea/gro-2013-deployed-tree-conflicts

# Conflicts: # UAT_PLAYBOOK.md # src/__tests__/petProfileSummary.test.ts
fix(pets): port owner-bypass into deployed tree (GRO-2013)
2026-06-01 19:54:22 +00:00 · 2026-06-01 19:08:28 +00:00 · 2026-06-01 17:42:59 +00:00 · 2026-06-01 15:30:34 +00:00
3 changed files with 0 additions and 67 deletions
@@ -1,27 +0,0 @@
-- Migration: 0039_extend_pet_profile_columns_idempotent.sql
-- GRO-2033: re-register the temperament/medical/preferred-cuts columns from
-- 0034 with an idempotent ADD COLUMN IF NOT EXISTS + a monotonic journal
-- `when` (1780000000001), above the 0033 high-water mark (1779500000000)
-- and above the most recent applied migration 0038 (1780000000000).
--
-- 0034_extend_pet_profile_columns.sql was authored on 2026-05-28 with
-- `when` = 1751140800000 (2025-06-28) — *below* the 0033 high-water mark
-- of 1779500000000 (2026-05-23). drizzle-orm@0.38.4
-- (pg-core/dialect.js#migrate) only applies a migration when
-- `migration.folderMillis > lastDbMigration.created_at`, so on prod —
-- whose last applied entry was 0033 at created_at=1779500000000 — 0034
-- was silently skipped, leaving `pets.temperament_score` (and friends)
-- missing. The migrate Job still exits 0 ("migrations applied
-- successfully!") because the journal high watermark *was* advanced by
-- 0038, but no schema change ever ran for 0034. Seed/reset then crash on:
--   PostgresError: column "temperament_score" does not exist (42703)
--
-- Same pattern as GRO-1999 (0037 → 0038): do NOT modify 0034 in-place
-- (UAT/dev have already applied it via their lower watermarks). Add a
-- new idempotent migration with a monotonic `when` instead so existing
-- DBs apply it cleanly and fresh DBs are a no-op-after-no-op.
-
-ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "temperament_score" integer;
-ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "temperament_flags" jsonb DEFAULT '[]';
-ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "medical_alerts" jsonb DEFAULT '[]';
-ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "preferred_cuts" jsonb DEFAULT '[]';
@@ -1,26 +0,0 @@
-- Migration: 0040_register_missing_coat_type_values.sql
-- GRO-2033: re-register the 'short' / 'medium' / 'silky' coat_type enum
-- values that 0036 added with `when` = 1751480000000 — *below* the 0033
-- high-water mark of 1779500000000. drizzle-orm@0.38.4
-- (pg-core/dialect.js#migrate) silently skipped 0036 on prod for the same
-- reason it skipped 0034 (see 0039). 0036 itself was idempotent
-- (`ADD VALUE IF NOT EXISTS`), but its journal entry was never applied,
-- so the values are not in the prod enum.
--
-- Same pattern as GRO-1999 (0037 → 0038) and 0039: do NOT modify 0036 in
-- place. Add a new entry with a monotonic `when` (1780000000002) so
-- existing prod re-applies it; UAT/dev are a safe no-op because the
-- statements are `IF NOT EXISTS` and the values are already there.
--
-- Postgres restriction: `ALTER TYPE ... ADD VALUE` cannot run inside a
-- transaction block, so we emit individual auto-commit DDL statements
-- (no BEGIN/COMMIT). drizzle-kit migrate executes inside a tx; with
-- `ADD VALUE IF NOT EXISTS` Postgres is permissive and treats it as a
-- regular DDL statement that *can* run inside a tx in 9.6+ when no new
-- value is actually added. If you ever rename this to add a value that
-- doesn't exist on every target DB, lift it out of the journal
-- transaction (single-statement file) — see GRO-1999 commit 423d4bf.
-
-ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
-ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
-ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';
@@ -267,20 +267,6 @@
      "when": 1780000000000,
      "tag": "0038_register_extra_large_pet_size_category",
      "breakpoints": true
-    },
-    {
-      "idx": 39,
-      "version": "7",
-      "when": 1780000000001,
-      "tag": "0039_extend_pet_profile_columns_idempotent",
-      "breakpoints": true
-    },
-    {
-      "idx": 40,
-      "version": "7",
-      "when": 1780000000002,
-      "tag": "0040_register_missing_coat_type_values",
-      "breakpoints": true
    }
  ]
 }
Author	SHA1	Message	Date
Flea Flicker	c2f4bca720	Merge origin/dev into flea/gro-2013-deployed-tree-conflicts CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 1m26s Details # Conflicts: # UAT_PLAYBOOK.md # src/__tests__/petProfileSummary.test.ts	2026-06-01 19:54:22 +00:00
Paperclip	a9ed681726	fix(pets): port owner-bypass into deployed tree (GRO-2013) CI / Test (pull_request) Successful in 13s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 1m20s Details The previous fix for GRO-2013 (customer cannot view own pet profile summary) landed in apps/api/src/routes/pets.ts, which is dead code in the Docker build path. The Dockerfile does COPY src/ + pnpm build from the repo root, so apps/api/ is never copied into the image and is not a pnpm-workspace member. Port the owner-bypass into the deployed-tree handler src/routes/pets.ts: - Add resolveImpersonationClientId(db, c) helper that reads the X-Impersonation-Session-Id header, validates the session is active and not expired, and returns its clientId (or null). - Gate the existing groomer 403 in GET /:id/profile-summary so an owner (session.clientId === pet.clientId) bypasses the appointment-linkage check. This mirrors the already-reviewed logic from apps/api/src/routes/pets.ts:318-364. - Cross-tenant access remains blocked: the bypass requires session.clientId === pet.clientId, and groomers with no portal session still 403 as before. Tests (src/__tests__/petProfileSummary.test.ts — new file, mirroring the dead-tree test pattern but pointing at the deployed handler): - Customer with valid active session for pet's client → 200 - Customer with no header → 403 - Customer with session for a different client → 403 - Customer with expired session → 403 - Customer with ended (status != active) session → 403 - Customer with unknown session id → 403 - Manager does not need the impersonation header (regression) - Groomer with linkage to pet's client still works (regression) - Customer cannot view another client's pet (cross-tenant block) Full @groombook/api test suite: 560 passed (39 files). Note (out of scope): the apps/api/ duplicate tree is dead code producing false-green coverage — recommend filing a separate tech-debt issue to delete apps/api/ or wire it into the workspace, but not blocking this fix on it. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 19:08:28 +00:00
Paperclip	7fe578aeef	fix(pets): customer can view own pet profile summary (GRO-2013) CI / Test (pull_request) Successful in 13s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 1m8s Details When a customer (e.g. uat-customer@groombook.dev) signs in via Better Auth and calls GET /api/pets/{ownPetId}/profile-summary with their portal session header, the staff RBAC middleware auto-provisions a 'groomer' staff row for them (rbac.ts) and the profile-summary route's groomerLinkageCheck then denies the request with 403 Forbidden, because the auto-provisioned customer-as-groomer has no appointment linkage. This adds an owner-bypass: when a groomer-role staff row is making the request with a valid X-Impersonation-Session-Id header, and the resolved impersonation session's clientId matches the pet's clientId, we treat the caller as the pet's owner and skip the groomerLinkageCheck. The bypass is intentionally scoped to the profile-summary endpoint and to the existing portal session mechanism (no new roles, no staff-row shape changes). Cross-tenant access is still blocked because the bypass requires session.clientId === pet.clientId. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 17:42:59 +00:00
Paperclip	337c0e2733	docs(UAT_PLAYBOOK): document canonical source-of-truth for UAT seed passwords (GRO-2000) CI / Test (pull_request) Successful in 10s Details CI / Lint & Typecheck (pull_request) Successful in 18s Details CI / Build & Push Docker Images (pull_request) Successful in 36s Details The 'Source of truth for UAT passwords' subsection under Pre-conditions records: - The seed-uat-passwords Secret in groombook-uat is the live source. - The Bitnami SealedSecret apps/overlays/uat/ss-seed-uat-passwords.yaml in groombook/infra is the single upstream source of truth. - A kubectl recipe to pull the current values for SUPER / GROOMER / TESTER / CUSTOMER at the start of every UAT run. - The 'captured env var from a previous rotation produces 401' failure mode that GRO-2000 hit, and the manual-reseed escape hatch if the login still 401s after pulling the live value. Refs: GRO-2000, GRO-1977 (idempotent re-hash), GRO-1999 (enum fix that allowed the seed Job to run cleanly again). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 15:30:34 +00:00