fix(GRO-2299): redact googleMapsApiKey from PATCH /api/admin/settings response

The PATCH handler returned the full businessSettings row via .returning(),
echoing the encrypted googleMapsApiKey ciphertext back to the caller. Wrap the
return in the existing redactSettings() helper (after a !updated guard) so
redaction is applied symmetrically with the GET projection (GRO-2294).

- src/routes/settings.ts: guard + redactSettings(updated) on PATCH return
- src/__tests__/settings.test.ts: assert PATCH omits googleMapsApiKey
  (existing-row and auto-create-then-update branches)
- UAT_PLAYBOOK.md §13 TC-API-13.2: assert PATCH response omits the secret

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.mcp.json

@@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "gitea": {
+      "type": "http",
+      "url": "https://git-mcp.farh.net/mcp",
+      "headers": {
+        "Authorization": "Bearer ${GITEA_TOKEN}"
+      }
+    }
+  }
+}

packages/db/src/seed.ts

@@ -830,168 +830,6 @@ async function seedUatGroomerLinkage(
   );
 }
 
-// ── GRO-2311 / GRO-2313: portal customer StatusBadge coverage ────────────────
-
-/**
- * GRO-2311 / GRO-2313: give the UAT portal customer (`uat-customer@groombook.dev`)
- * a deterministic spread of appointments so the customer-portal StatusBadge
- * palette can be LIVE-observed (not just code-verified against the bundle).
- *
- * Scope is the subset of badge states reachable from the `appointment_status`
- * enum (`scheduled, confirmed, in_progress, completed, cancelled, no_show`) —
- * the portal's <StatusBadge> renders `appointment.status` verbatim. `pending`
- * and `waitlisted` are NOT valid appointment statuses and cannot be seeded; the
- * styled `no_show`→`no-show` badge fix and any pending/waitlisted derivation are
- * tracked separately in GRO-2319 (web). CTO-approved Option A on GRO-2313.
- *
- *   - confirmed  → future startTime → renders as an Upcoming card (Confirmed badge)
- *   - scheduled  → future startTime → renders as an Upcoming card (Scheduled badge)
- *   - cancelled  → past startTime   → Past tab (isUpcoming excludes cancelled)
- *   - no_show    → past startTime   → Past tab (raw `no_show` label until GRO-2319)
- *
- * The existing GRO-2100 `completed` appointment (a0000001-…-0001) is left
- * untouched (AC #4), so Completed is also covered.
- *
- * Idempotent: each appointment uses a fixed UUID and is upserted with
- * onConflictDoNothing, so the hourly reset-demo-data CronJob (which TRUNCATEs
- * then re-seeds) and non-truncating dev re-seeds never dup-key
- * (see GRO-2033 for the dup-key class).
- */
-async function seedUatCustomerPortalAppointments(
-  db: ReturnType<typeof drizzle>,
-  customerClientId: string | null,
-): Promise<void> {
-  const LINKED_PET_ID = "c0000001-0000-0000-0000-000000000002"; // UAT Pup Alpha
-
-  // Skip silently outside the UAT persona profile (e.g. a dev/test seed that
-  // never created the UAT Customer client).
-  if (!customerClientId) {
-    return;
-  }
-
-  // The customer's pet must exist (pets are NOT truncated on reset, so this is
-  // stable). Defensive: bail cleanly if the persona pet is absent.
-  const [linkedPet] = await db
-    .select({ id: schema.pets.id })
-    .from(schema.pets)
-    .where(eq(schema.pets.id, LINKED_PET_ID))
-    .limit(1);
-  if (!linkedPet) {
-    console.warn(`⚠ GRO-2311: UAT Pup Alpha (${LINKED_PET_ID}) not found — skipping portal appointment seed`);
-    return;
-  }
-
-  // Stable "Bath & Brush" service; fall back to any active service.
-  const BATH_AND_BRUSH_ID = "b0000001-0000-0000-0000-000000000001";
-  const [bathService] = await db
-    .select({ id: schema.services.id })
-    .from(schema.services)
-    .where(eq(schema.services.id, BATH_AND_BRUSH_ID))
-    .limit(1);
-
-  let serviceId: string;
-  if (bathService) {
-    serviceId = bathService.id;
-  } else {
-    const [fallback] = await db
-      .select({ id: schema.services.id })
-      .from(schema.services)
-      .where(eq(schema.services.active, true))
-      .limit(1);
-    if (!fallback) {
-      console.warn(`⚠ GRO-2311: no active services found — skipping portal appointment seed`);
-      return;
-    }
-    serviceId = fallback.id;
-  }
-
-  // Attach the UAT groomer when present (nicer "with <groomer>" card); else null
-  // ("First Available"). Either way these are the customer's own appointments —
-  // no new groomer↔pet linkage invariant is created (uses the already-linked
-  // Pup Alpha), so GRO-1987 TC-UAT-3 (403 on the UNLINKED Pup Beta) is unaffected.
-  const [uatGroomerStaff] = await db
-    .select({ id: schema.staff.id })
-    .from(schema.staff)
-    .where(eq(schema.staff.email, "uat-groomer@groombook.dev"))
-    .limit(1);
-  const staffId = uatGroomerStaff?.id ?? null;
-
-  // Anchor all times to local wall-clock so future/past holds regardless of the
-  // hourly reset cadence.
-  const at = (deltaDays: number, hour: number): Date => {
-    const d = new Date();
-    d.setDate(d.getDate() + deltaDays);
-    d.setHours(hour, 0, 0, 0);
-    return d;
-  };
-  const DURATION_MS = 45 * 60 * 1000;
-
-  const rows = [
-    {
-      id: "a0000001-0000-0000-0000-000000000002",
-      status: "confirmed" as const,
-      start: at(3, 10),
-      confirmationStatus: "confirmed",
-      confirmedAt: new Date(),
-      cancelledAt: null as Date | null,
-      notes: "GRO-2311: upcoming confirmed appointment for portal StatusBadge coverage.",
-    },
-    {
-      id: "a0000001-0000-0000-0000-000000000003",
-      status: "scheduled" as const,
-      start: at(5, 14),
-      confirmationStatus: "pending",
-      confirmedAt: null as Date | null,
-      cancelledAt: null as Date | null,
-      notes: "GRO-2311: upcoming scheduled appointment for portal StatusBadge coverage.",
-    },
-    {
-      id: "a0000001-0000-0000-0000-000000000004",
-      status: "cancelled" as const,
-      start: at(-3, 11),
-      confirmationStatus: "cancelled",
-      confirmedAt: null as Date | null,
-      cancelledAt: new Date(),
-      notes: "GRO-2311: cancelled appointment (Past tab) for portal StatusBadge coverage.",
-    },
-    {
-      id: "a0000001-0000-0000-0000-000000000005",
-      status: "no_show" as const,
-      start: at(-10, 9),
-      confirmationStatus: "confirmed",
-      confirmedAt: null as Date | null,
-      cancelledAt: null as Date | null,
-      notes: "GRO-2311: no_show appointment (Past tab) for portal StatusBadge coverage.",
-    },
-  ];
-
-  await db
-    .insert(schema.appointments)
-    .values(
-      rows.map((r) => ({
-        id: r.id,
-        clientId: customerClientId,
-        petId: LINKED_PET_ID,
-        serviceId,
-        staffId,
-        batherStaffId: null,
-        status: r.status,
-        startTime: r.start,
-        endTime: new Date(r.start.getTime() + DURATION_MS),
-        notes: r.notes,
-        priceCents: null,
-        confirmationStatus: r.confirmationStatus,
-        confirmedAt: r.confirmedAt,
-        cancelledAt: r.cancelledAt,
-      })),
-    )
-    .onConflictDoNothing({ target: schema.appointments.id });
-
-  console.log(
-    `✓ GRO-2311: seeded ${rows.length} portal StatusBadge appointments (confirmed/scheduled/cancelled/no_show) for UAT customer`,
-  );
-}
-
 // ── GRO-2225: deterministic route-optimization cohort ────────────────────────
 
 /**
@@ -1273,10 +1111,6 @@ async function seedKnownUsers() {
   // to attach to the appointment; on a fresh reset there are none yet at
   // the time seedUatStaffAccounts() returns).
   await seedUatGroomerLinkage(db, uatCustomerClientId);
-  // GRO-2311 / GRO-2313: portal customer StatusBadge palette coverage (reachable
-  // appointment statuses only). Runs after the groomer linkage so the customer
-  // client + Pup Alpha already exist.
-  await seedUatCustomerPortalAppointments(db, uatCustomerClientId);
 
   // ── Client: Demo Client ──
   const [existingClient] = await db
@@ -1539,10 +1373,6 @@ async function runSeedBody(
   // to attach to the appointment; on a fresh reset there are none yet at
   // the time seedUatStaffAccounts() returns).
   await seedUatGroomerLinkage(db, uatCustomerClientId);
-  // GRO-2311 / GRO-2313: portal customer StatusBadge palette coverage (reachable
-  // appointment statuses only). Runs after the groomer linkage so the customer
-  // client + Pup Alpha already exist.
-  await seedUatCustomerPortalAppointments(db, uatCustomerClientId);
 
   // GRO-2225: deterministic pre-geocoded route cohort + fixed-date appointments
   // for the UAT groomer. Must run AFTER services are seeded (it looks up a

src/routes/pets.ts

@@ -57,23 +57,6 @@ const createPetSchema = z.object({
   customFields: z.record(z.string(), z.string()).optional(),
   petSizeCategory: z.enum(["small", "medium", "large", "extra_large"]).optional(),
   coatType: z.enum(["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"]).optional(),
-  // Extended pet profile fields (api/#39, GRO-1178).
-  // GRO-2172: these were missing from the schema, causing POST/PATCH to
-  // silently drop them even though migrations 0034/0036 and seed data
-  // populate them. GRO-1472 was the original UAT regression.
-  temperamentScore: z.number().int().min(1).max(5).optional(),
-  temperamentFlags: z.array(z.string().max(100)).max(20).optional(),
-  medicalAlerts: z
-    .array(
-      z.object({
-        type: z.string().max(100),
-        description: z.string().max(1000),
-        severity: z.enum(["low", "medium", "high"]),
-      })
-    )
-    .max(50)
-    .optional(),
-  preferredCuts: z.array(z.string().max(200)).max(20).optional(),
 });
 
 const updatePetSchema = createPetSchema.partial().omit({ clientId: true });
@@ -350,8 +333,7 @@ petsRouter.get("/:id/profile-summary", async (c) => {
 
 petsRouter.post("/", zValidator("json", createPetSchema), async (c) => {
   const db = getDb();
-  const { weightKg, dateOfBirth, customFields, medicalAlerts, ...rest } =
-    c.req.valid("json");
+  const { weightKg, dateOfBirth, customFields, ...rest } = c.req.valid("json");
   const [row] = await db
     .insert(pets)
     .values({
@@ -359,10 +341,6 @@ petsRouter.post("/", zValidator("json", createPetSchema), async (c) => {
       weightKg: weightKg?.toString(),
       dateOfBirth: dateOfBirth ? new Date(dateOfBirth) : undefined,
       customFields: customFields ?? {},
-      // GRO-2172: medicalAlerts shape from the API request is
-      // { type, description, severity } — the @groombook/types MedicalAlert
-      // has an optional server-generated `id`, so cast for the jsonb column.
-      medicalAlerts: medicalAlerts as never,
     })
     .returning();
   return c.json(row, 201);
@@ -373,8 +351,7 @@ petsRouter.patch(
   zValidator("json", updatePetSchema),
   async (c) => {
     const db = getDb();
-    const { weightKg, dateOfBirth, customFields, medicalAlerts, ...rest } =
-      c.req.valid("json");
+    const { weightKg, dateOfBirth, customFields, ...rest } = c.req.valid("json");
     const [row] = await db
       .update(pets)
       .set({
@@ -382,7 +359,6 @@ petsRouter.patch(
         weightKg: weightKg?.toString(),
         dateOfBirth: dateOfBirth ? new Date(dateOfBirth) : undefined,
         ...(customFields !== undefined ? { customFields } : {}),
-        medicalAlerts: medicalAlerts as never,
         updatedAt: new Date(),
       })
       .where(eq(pets.id, c.req.param("id")))