fix(db): add extra_large to pet_size_category enum (GRO-1999)

GRO-1999: UAT seed-test-data job (image 2026.05.31-5390131) crashes with
22P02 'invalid input value for enum pet_size_category: "extra_large"'.
seed.ts petSizeCategoryPool and the drizzle schema both use
'extra_large', but migration 0031_buffer_rules.sql created the enum
with 'xlarge' instead — same migration drift pattern that GRO-1971
fixed for coat_type.

Add migration 0037_add_extra_large_to_pet_size_category.sql that
ALTERs the enum to add the missing 'extra_large' value (idempotent,
auto-commit because Postgres forbids ALTER TYPE ADD VALUE inside a
transaction block). Register idx 37 in the drizzle journal.

Mirror the UAT_PLAYBOOK entry from GRO-1971: TC-API-3.28 verifies the
pet_size_category enum has all 4 values used by seed.ts after the seed
job completes, so future enum drift is caught at the UAT gate.

Refs: GRO-1950 (UAT regression that surfaced this), GRO-1971
(pattern this fix mirrors), GRO-1979 (parallel fix landed on a
different branch via PR #124 — this is the GRO-1983 baseline equivalent).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -156,32 +156,3 @@ jobs:
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
           cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
           cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
-
-      - name: Smoke test seed image (blackhole npmjs.org)
-        run: |
-          set -euo pipefail
-          IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}"
-          docker pull "$IMAGE"
-          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
-          # not try to reach registry.npmjs.org on invocation.
-          docker run --rm \
-            --add-host registry.npmjs.org:127.0.0.1 \
-            --entrypoint="" \
-            "$IMAGE" \
-            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version'
-          echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓"
-
-      - name: Smoke test reset image (blackhole npmjs.org)
-        run: |
-          set -euo pipefail
-          IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}"
-          docker pull "$IMAGE"
-          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
-          # not try to reach registry.npmjs.org on invocation. Validates the
-          # hard requirement from the issue: reset runs offline.
-          docker run --rm \
-            --add-host registry.npmjs.org:127.0.0.1 \
-            --entrypoint="" \
-            "$IMAGE" \
-            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version'
-          echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"

Dockerfile

@@ -3,12 +3,8 @@ FROM node:22-alpine AS base
 # invocations of `pnpm` work without DNS access to registry.npmjs.org.
 # The corepack shim delegates to corepack, which re-validates against
 # npmjs.org on first use — that fails in air-gapped UAT seed/migrate/reset
-# Jobs. GRO-1983 / GRO-1889 / GRO-1909 / GRO-1981 / GRO-1985.
+# Jobs. GRO-1983 / GRO-1889 / GRO-1909.
 RUN npm install -g pnpm@9.15.4
-# Belt-and-braces: disable Corepack's download fallback so that even if a
-# Corepack shim is somehow invoked at runtime, it will not try to fetch
-# pnpm from registry.npmjs.org. Belt for the real-binary trousers. GRO-1985.
-ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 
 # Install deps
@@ -30,8 +26,6 @@ RUN pnpm --filter @groombook/types build && \
 # Runtime
 FROM node:22-alpine AS runner
 RUN npm install -g pnpm@9.15.4
-# Same defence-in-depth as base: no Corepack fallback. GRO-1985.
-ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 ENV NODE_ENV=production
 
@@ -52,18 +46,12 @@ CMD ["node", "dist/index.js"]
 
 # Migrate stage — runs drizzle-kit migrate against the database
 FROM builder AS migrate
-# pnpm needs a writable HOME for any config/state it writes. With
-# readOnlyRootFilesystem: true and runAsUser: 1000, /home/node is read-only.
-# The job pods mount a writable emptyDir at /tmp; point HOME there. GRO-1985.
-ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "migrate"]
 
 # Seed stage — populates the database with test data
 FROM builder AS seed
-ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "seed"]
 
 # Reset stage — drops all tables, re-runs migrations, and re-seeds
 FROM builder AS reset
-ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "reset"]

UAT_PLAYBOOK.md

@@ -19,27 +19,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 - OIDC authentication provider configured
 - Seed data present (clients, pets, services, staff)
 
-### Source of truth for UAT passwords (GRO-2000)
-
-The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation.
-
-**Canonical recipe** (works from any host with `kubectl` + cluster credentials):
-
-```bash
-SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
-  -o jsonpath='{.data.super-password}' | base64 -d)
-GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
-  -o jsonpath='{.data.groomer-password}' | base64 -d)
-TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
-  -o jsonpath='{.data.tester-password}' | base64 -d)
-CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
-  -o jsonpath='{.data.customer-password}' | base64 -d)
-```
-
-**Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry.
-
-**How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request.
-
 ## Test Cases
 
 ### 4.0 Health Check

packages/db/migrations/0037_add_extra_large_to_pet_size_category.sql

@@ -1,5 +1,5 @@
 -- Migration: 0037_add_extra_large_to_pet_size_category.sql
--- GRO-1979: Adds the 'extra_large' value to the pet_size_category enum.
+-- GRO-1999: Adds the 'extra_large' value to the pet_size_category enum.
 --
 -- 0031_buffer_rules.sql created pet_size_category with values
 -- ('small', 'medium', 'large', 'xlarge'), but seed.ts and the drizzle

packages/db/migrations/0038_register_extra_large_pet_size_category.sql

@@ -1,4 +0,0 @@
--- GRO-1999: 0037 was skipped on existing DBs due to a below-high-water-mark
--- journal timestamp. Re-register extra_large with a monotonic timestamp so
--- the existing UAT/persistent DBs apply it. Idempotent.
-ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';

packages/db/migrations/meta/_journal.json

@@ -260,13 +260,6 @@
       "when": 1751500000000,
       "tag": "0037_add_extra_large_to_pet_size_category",
       "breakpoints": true
-    },
-    {
-      "idx": 38,
-      "version": "7",
-      "when": 1780000000000,
-      "tag": "0038_register_extra_large_pet_size_category",
-      "breakpoints": true
     }
   ]
-}
+}