docs(UAT_PLAYBOOK.md): add TC-API-8.8/8.9/8.10 for portal pet update

Updated §4.8 — new PATCH /api/portal/pets/:id test cases per GRO-1742.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.ci-trigger

@@ -1 +0,0 @@
-GRO-1757 direct push CI trigger - 2026-05-26T00:15:41Z

.gitea/workflows/ci.yml

@@ -91,7 +91,6 @@ jobs:
       - name: Build and push API image
         uses: docker/build-push-action@v6
         with:
-          provenance: false
           context: .
           file: Dockerfile
           target: runner
@@ -106,7 +105,6 @@ jobs:
       - name: Build and push Migrate image
         uses: docker/build-push-action@v6
         with:
-          provenance: false
           context: .
           file: Dockerfile
           target: migrate
@@ -121,7 +119,6 @@ jobs:
       - name: Build and push Seed image
         uses: docker/build-push-action@v6
         with:
-          provenance: false
           context: .
           file: Dockerfile
           target: seed
@@ -136,7 +133,6 @@ jobs:
       - name: Build and push Reset image
         uses: docker/build-push-action@v6
         with:
-          provenance: false
           context: .
           file: Dockerfile
           target: reset

UAT_PLAYBOOK.md

@@ -48,26 +48,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
 | TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |
 
-#### SSO Login Journey (Authentik OIDC end-to-end)
-
-| # | Scenario | Steps | Pass Criteria | Fail Criteria |
-|---|----------|-------|---------------|---------------|
-| TC-API-1.17 | SSO redirect to Authentik | Navigate to app → sign-in page shown → click "Sign in with SSO" | Redirected to Authentik at auth.farh.net | 403 error, redirect loop, no SSO button |
-| TC-API-1.18 | Authenticate with valid OIDC credentials | At Authentik login page, enter valid credentials and authenticate | Redirected back to app with valid session | Redirect loop, 403, missing session cookie |
-| TC-API-1.19 | SSO user auto-provisioned as groomer | Complete SSO login as a user with no pre-existing staff record | 200 response; groomer staff record auto-created; session active | 403 Forbidden, staff record not created |
-| TC-API-1.20 | Existing staff record resolves correctly | Complete SSO login as uat-groomer (pre-existing staff) | 200 OK, correct staff identity resolved, no duplicate record created | 403, duplicate record, wrong staff data |
-| TC-API-1.21 | SSO session grants dashboard access | After TC-API-1.18 SSO login, GET /api/staff/me | 200 OK, valid staff record returned, correct role displayed | 401/403, missing session, wrong identity |
-
-#### OOBE Flow Post-Login
-
-| # | Scenario | Steps | Pass Criteria | Fail Criteria |
-|---|----------|-------|---------------|---------------|
-| TC-API-1.22 | Fresh DB reports needsSetup | On a fresh DB (no super user), GET /api/setup/status | needsSetup: true returned | needsSetup: false when it should be true |
-| TC-API-1.23 | Configure OIDC via auth-provider endpoint | POST /api/setup/auth-provider with valid OIDC config | 200 OK, auth provider configured, no 403 | 403, setup blocked, invalid config rejected |
-| TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
-| TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
-| TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
-
 ### 4.2 Client Management
 
 | # | Scenario | Steps | Expected |
@@ -159,6 +139,9 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-8.5 | Add waitlist entry | POST /api/portal/waitlist with pet and service | 201 Created, waitlist entry created |
 | TC-API-8.6 | View portal invoices | GET /api/portal/invoices | 200 OK, list of client's invoices returned |
 | TC-API-8.7 | Pay multiple invoices | POST /api/portal/invoices/pay-multiple with invoice IDs | 200 OK, payment intent created |
+| TC-API-8.8 | Update pet profile | PATCH /api/portal/pets/{id} with name, breed, groomingNotes | 200 OK, pet updated in portal shape |
+| TC-API-8.9 | Update pet — ownership check | PATCH /api/portal/pets/{id} with session for different client | 403 Forbidden, pet belongs to another client |
+| TC-API-8.10 | Update pet — not found | PATCH /api/portal/pets/{nonexistent-id} | 404 Not Found |
 
 ### 4.9 Waitlist
 

apps/api/src/routes/admin/seed.ts

@@ -36,19 +36,6 @@ const DEMO_PET = {
   weightKg: "30.00",
 };
 
-const UAT_CLIENT = {
-  name: "UAT Customer",
-  email: "uat-customer@groombook.dev",
-  phone: "555-0100",
-  address: "1 UAT Lane, Test City, CA 90210",
-  status: "active" as const,
-};
-
-const UAT_PETS = [
-  { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly" as const, weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth" as const, weightKg: "30.00" },
-];
-
 const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000001", name: "Bath & Brush", description: "Full bath, blow-dry, brush out, and ear cleaning", basePriceCents: 4500, durationMinutes: 45 },
   { id: "b0000001-0000-0000-0000-000000000002", name: "Full Groom — Small", description: "Complete grooming for dogs under 25 lbs", basePriceCents: 6500, durationMinutes: 60 },
@@ -56,7 +43,7 @@ const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000004", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
 ];
 
-adminSeedRouter.post("/", async (c) => {
+adminSeedRouter.post("/seed", async (c) => {
   // Refuse to run when AUTH_DISABLED — dev environments use direct-DB seeding
   if (process.env.AUTH_DISABLED === "true") {
     return c.json(
@@ -141,51 +128,6 @@ adminSeedRouter.post("/", async (c) => {
     results.push(`Created pet '${DEMO_PET.name}' for Demo Client (id: ${created!.id})`);
   }
 
-  // ── Client: UAT Customer ──────────────────────────────────────────────────
-  const [existingUatClient] = await db
-    .select()
-    .from(clients)
-    .where(eq(clients.email, UAT_CLIENT.email));
-
-  let uatClientId: string;
-  if (existingUatClient) {
-    uatClientId = existingUatClient.id;
-    results.push(`Client '${UAT_CLIENT.name}' already exists (id: ${uatClientId})`);
-  } else {
-    const [created] = await db.insert(clients).values(UAT_CLIENT).returning();
-    uatClientId = created!.id;
-    results.push(`Created client '${UAT_CLIENT.name}' (id: ${uatClientId})`);
-  }
-
-  // ── Pets: UAT Customer's Pets ─────────────────────────────────────────────
-  const existingUatPets = await db
-    .select()
-    .from(pets)
-    .where(eq(pets.clientId, uatClientId));
-
-  for (const uatPet of UAT_PETS) {
-    const existingPet = existingUatPets.find(
-      (p) => p.name === uatPet.name && p.species === uatPet.species
-    );
-    if (existingPet) {
-      results.push(`Pet '${uatPet.name}' already exists for UAT Customer (id: ${existingPet.id})`);
-    } else {
-      const [created] = await db
-        .insert(pets)
-        .values({
-          clientId: uatClientId,
-          name: uatPet.name,
-          species: uatPet.species,
-          breed: uatPet.breed,
-          coatType: uatPet.coatType,
-          weightKg: uatPet.weightKg,
-          dateOfBirth: new Date("2019-01-01T00:00:00Z"),
-        })
-        .returning();
-      results.push(`Created pet '${uatPet.name}' for UAT Customer (id: ${created!.id})`);
-    }
-  }
-
   return c.json({
     message: "Seed complete",
     details: results,
@@ -194,4 +136,4 @@ adminSeedRouter.post("/", async (c) => {
       staffOidcSub: KNOWN_STAFF.oidcSub,
     },
   });
-});
+});

packages/db/src/factories.ts

@@ -105,10 +105,6 @@ export function buildPet(overrides: Partial<PetRow> & { clientId: string }): Pet
     photoKey: null,
     photoUploadedAt: null,
     image: null,
-    temperamentScore: null,
-    temperamentFlags: [],
-    medicalAlerts: [],
-    preferredCuts: [],
     createdAt: new Date("2025-01-01T00:00:00Z"),
     updatedAt: new Date("2025-01-01T00:00:00Z"),
   };

packages/db/src/schema.ts

@@ -11,7 +11,6 @@ import {
   unique,
   uuid,
 } from "drizzle-orm/pg-core";
-import type { MedicalAlert } from "@groombook/types";
 
 // ─── Enums ────────────────────────────────────────────────────────────────────
 
@@ -165,10 +164,6 @@ export const pets = pgTable(
     specialCareNotes: text("special_care_notes"),
     coatType: coatTypeEnum("coat_type"),
     petSizeCategory: petSizeCategoryEnum("pet_size_category"),
-    temperamentScore: integer("temperament_score"),
-    temperamentFlags: jsonb("temperament_flags").$type<string[]>().default([]),
-    medicalAlerts: jsonb("medical_alerts").$type<MedicalAlert[]>().default([]),
-    preferredCuts: jsonb("preferred_cuts").$type<string[]>().default([]),
     customFields: jsonb("custom_fields").$type<Record<string, string>>().notNull().default({}),
     photoKey: text("photo_key"),
     photoUploadedAt: timestamp("photo_uploaded_at"),

src/__tests__/portal.test.ts

@@ -4,6 +4,7 @@ import { Hono } from "hono";
 const CLIENT_ID = "550e8400-e29b-41d4-a716-446655440001";
 const APPOINTMENT_ID = "660e8400-e29b-41d4-a716-446655440002";
 const SESSION_ID = "770e8400-e29b-41d4-a716-446655440003";
+const PET_ID = "880e8400-e29b-41d4-a716-446655440004";
 
 const futureDate = () => new Date(Date.now() + 30 * 60 * 1000);
 const pastDate = () => new Date(Date.now() - 5 * 60 * 1000);
@@ -37,13 +38,38 @@ const APPOINTMENT = {
   cancelledAt: null,
 };
 
+const PET = {
+  id: PET_ID,
+  clientId: CLIENT_ID,
+  name: "Fido",
+  species: "dog",
+  breed: "Labrador",
+  weightKg: "30.00",
+  dateOfBirth: null,
+  healthAlerts: null,
+  groomingNotes: null,
+  cutStyle: null,
+  shampooPreference: null,
+  specialCareNotes: null,
+  coatType: null,
+  petSizeCategory: null,
+  customFields: {},
+  photoKey: null,
+  photoUploadedAt: null,
+  image: null,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
 let selectSessionRow: Record<string, unknown> | null = null;
 let selectAppointmentRow: Record<string, unknown> | null = null;
+let selectPetRow: Record<string, unknown> | null = null;
 let updatedValues: Record<string, unknown>[] = [];
 
 function resetMock() {
   selectSessionRow = null;
   selectAppointmentRow = null;
+  selectPetRow = null;
   updatedValues = [];
 }
 
@@ -62,6 +88,8 @@ vi.mock("@groombook/db", () => {
     return chain;
   }
 
+  let activeUpdateTable: string | null = null;
+
   const impersonationSessions = new Proxy(
     { _name: "impersonationSessions" },
     { get: (t, p) => (p === "_name" ? "impersonationSessions" : { table: "impersonationSessions", column: p }) }
@@ -72,6 +100,16 @@ vi.mock("@groombook/db", () => {
     { get: (t, p) => (p === "_name" ? "appointments" : { table: "appointments", column: p }) }
   );
 
+  const pets = new Proxy(
+    { _name: "pets" },
+    { get: (t, p) => (p === "_name" ? "pets" : { table: "pets", column: p }) }
+  );
+
+  const impersonationAuditLogs = new Proxy(
+    { _name: "impersonationAuditLogs" },
+    { get: (t, p) => (p === "_name" ? "impersonationAuditLogs" : { table: "impersonationAuditLogs", column: p }) }
+  );
+
   return {
     getDb: () => ({
       select: () => ({
@@ -82,26 +120,44 @@ vi.mock("@groombook/db", () => {
           if (table._name === "appointments") {
             return makeChainable(selectAppointmentRow ? [selectAppointmentRow] : []);
           }
+          if (table._name === "pets") {
+            return makeChainable(selectPetRow ? [selectPetRow] : []);
+          }
           return makeChainable([]);
         },
       }),
-      update: () => ({
+      insert: () => ({
-        set: (vals: Record<string, unknown>) => ({
+        values: () => ({
-          where: () => ({
+          returning: () => [{}],
-            returning: () => {
-              if (selectAppointmentRow) {
-                const updated = { ...selectAppointmentRow, ...vals };
-                updatedValues.push(vals);
-                return [updated];
-              }
-              return [];
-            },
-          }),
         }),
       }),
+      update: (table: { _name: string }) => {
+        activeUpdateTable = table._name;
+        return {
+          set: (vals: Record<string, unknown>) => ({
+            where: () => ({
+              returning: () => {
+                if (activeUpdateTable === "appointments" && selectAppointmentRow) {
+                  const updated = { ...selectAppointmentRow, ...vals };
+                  updatedValues.push(vals);
+                  return [updated];
+                }
+                if (activeUpdateTable === "pets" && selectPetRow) {
+                  const updated = { ...selectPetRow, ...vals };
+                  updatedValues.push(vals);
+                  return [updated];
+                }
+                return [];
+              },
+            }),
+          }),
+        };
+      },
     }),
     impersonationSessions,
     appointments,
+    pets,
+    impersonationAuditLogs,
     eq: vi.fn(),
     and: vi.fn(),
   };
@@ -420,4 +476,81 @@ describe("POST /portal/appointments/:id/cancel", () => {
     );
     expect(res.status).toBe(404);
   });
+});
+
+// ─── PATCH /portal/pets/:id ───────────────────────────────────────────────────
+
+function jsonPetPatch(path: string, body: unknown, headers?: Record<string, string>) {
+  return app.request(path, {
+    method: "PATCH",
+    headers: {
+      "Content-Type": "application/json",
+      ...headers,
+    },
+    body: JSON.stringify(body),
+  });
+}
+
+describe("PATCH /portal/pets/:id", () => {
+  it("updates a pet and returns the updated pet in portal shape", async () => {
+    selectSessionRow = ACTIVE_SESSION;
+    selectPetRow = { ...PET, dateOfBirth: new Date("2020-01-15"), photoKey: "pets/test.jpg" };
+    const res = await jsonPetPatch(
+      `/portal/pets/${PET_ID}`,
+      { name: "Fido Jr.", groomingNotes: "Needs extra brushing" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body).toHaveProperty("id");
+    expect(body).toHaveProperty("name", "Fido Jr.");
+    expect(body).toHaveProperty("notes", "Needs extra brushing");
+    expect(body).toHaveProperty("breed");
+    expect(body).toHaveProperty("photoUrl");
+    expect(body).not.toHaveProperty("clientId");
+    expect(body).not.toHaveProperty("customFields");
+  });
+
+  it("returns 401 without X-Impersonation-Session-Id header", async () => {
+    const res = await jsonPetPatch(`/portal/pets/${PET_ID}`, { name: "Test" });
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 401 with expired session", async () => {
+    selectSessionRow = EXPIRED_SESSION;
+    const res = await jsonPetPatch(
+      `/portal/pets/${PET_ID}`,
+      { name: "Test" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 403 when pet belongs to a different client", async () => {
+    selectSessionRow = { ...ACTIVE_SESSION, clientId: "different-client-id" };
+    selectPetRow = { ...PET };
+    const res = await jsonPetPatch(
+      `/portal/pets/${PET_ID}`,
+      { name: "Hacked" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.error).toBe("Forbidden");
+  });
+
+  it("returns 404 when pet not found", async () => {
+    selectSessionRow = ACTIVE_SESSION;
+    selectPetRow = null;
+    const res = await jsonPetPatch(
+      `/portal/pets/nonexistent-id`,
+      { name: "Ghost" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(404);
+  });
 });

src/middleware/rbac.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff, account } from "@groombook/db";
+import { and, eq, getDb, sql, staff } from "@groombook/db";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -110,48 +110,6 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
-
-  // Auto-provision for OIDC users: check if jwt.sub has an OAuth/OIDC account
-  // (e.g. authentik). If so, create a groomer staff record on the fly.
-  if (jwt.email) {
-    const [oidcAccount] = await db
-      .select({ id: account.id })
-      .from(account)
-      .where(
-        and(
-          eq(account.userId, jwt.sub),
-          sql`${account.providerId} IN ('authentik', 'google', 'github')`
-        )
-      )
-      .limit(1);
-
-    if (oidcAccount) {
-      // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
-      const name =
-        jwt.name?.trim() ||
-        (jwt.email ? jwt.email.split("@")[0] : "Unknown");
-
-      const [newStaff] = await db
-        .insert(staff)
-        .values({
-          userId: jwt.sub,
-          email: jwt.email ?? "",
-          name,
-          role: "groomer",
-          isSuperUser: false,
-          active: true,
-        })
-        .returning();
-
-      console.log(
-        `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
-      );
-      c.set("staff", newStaff);
-      await next();
-      return;
-    }
-  }
-
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403

src/routes/admin/seed.ts

@@ -36,19 +36,6 @@ const DEMO_PET = {
   weightKg: "30.00",
 };
 
-const UAT_CLIENT = {
-  name: "UAT Customer",
-  email: "uat-customer@groombook.dev",
-  phone: "555-0100",
-  address: "1 UAT Lane, Test City, CA 90210",
-  status: "active" as const,
-};
-
-const UAT_PETS = [
-  { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly", weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth", weightKg: "30.00" },
-];
-
 const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000001", name: "Bath & Brush", description: "Full bath, blow-dry, brush out, and ear cleaning", basePriceCents: 4500, durationMinutes: 45 },
   { id: "b0000001-0000-0000-0000-000000000002", name: "Full Groom — Small", description: "Complete grooming for dogs under 25 lbs", basePriceCents: 6500, durationMinutes: 60 },
@@ -56,7 +43,7 @@ const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000004", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
 ];
 
-adminSeedRouter.post("/", async (c) => {
+adminSeedRouter.post("/seed", async (c) => {
   // Refuse to run when AUTH_DISABLED — dev environments use direct-DB seeding
   if (process.env.AUTH_DISABLED === "true") {
     return c.json(
@@ -141,51 +128,6 @@ adminSeedRouter.post("/", async (c) => {
     results.push(`Created pet '${DEMO_PET.name}' for Demo Client (id: ${created!.id})`);
   }
 
-  // ── Client: UAT Customer ──────────────────────────────────────────────────
-  const [existingUatClient] = await db
-    .select()
-    .from(clients)
-    .where(eq(clients.email, UAT_CLIENT.email));
-
-  let uatClientId: string;
-  if (existingUatClient) {
-    uatClientId = existingUatClient.id;
-    results.push(`Client '${UAT_CLIENT.name}' already exists (id: ${uatClientId})`);
-  } else {
-    const [created] = await db.insert(clients).values(UAT_CLIENT).returning();
-    uatClientId = created!.id;
-    results.push(`Created client '${UAT_CLIENT.name}' (id: ${uatClientId})`);
-  }
-
-  // ── Pets: UAT Customer's Pets ─────────────────────────────────────────────
-  const existingUatPets = await db
-    .select()
-    .from(pets)
-    .where(eq(pets.clientId, uatClientId));
-
-  for (const uatPet of UAT_PETS) {
-    const existing = existingUatPets.find(
-      (p) => p.name === uatPet.name && p.species === uatPet.species
-    );
-    if (existing) {
-      results.push(`Pet '${uatPet.name}' already exists for UAT Customer (id: ${existing.id})`);
-    } else {
-      const [created] = await db
-        .insert(pets)
-        .values({
-          clientId: uatClientId,
-          name: uatPet.name,
-          species: uatPet.species,
-          breed: uatPet.breed,
-          coatType: uatPet.coatType as any,
-          weightKg: uatPet.weightKg,
-          dateOfBirth: new Date("2019-01-01T00:00:00Z"),
-        })
-        .returning();
-      results.push(`Created pet '${uatPet.name}' for UAT Customer (id: ${created!.id})`);
-    }
-  }
-
   return c.json({
     message: "Seed complete",
     details: results,

src/routes/portal.ts

@@ -152,6 +152,67 @@ portalRouter.get("/pets", async (c) => {
   return c.json(clientPets.map(p => ({ id: p.id, name: p.name, breed: p.breed, weight: p.weightKg, birthDate: p.dateOfBirth, photoUrl: p.photoKey, notes: p.groomingNotes })));
 });
 
+const portalUpdatePetSchema = z.object({
+  name: z.string().min(1).max(200).optional(),
+  species: z.string().min(1).max(100).optional(),
+  breed: z.string().max(200).optional(),
+  weightKg: z.number().positive().optional(),
+  dateOfBirth: z.string().datetime().optional(),
+  healthAlerts: z.string().max(2000).optional(),
+  groomingNotes: z.string().max(2000).optional(),
+  cutStyle: z.string().max(500).optional(),
+  shampooPreference: z.string().max(500).optional(),
+  specialCareNotes: z.string().max(2000).optional(),
+  customFields: z.record(z.string(), z.string()).optional(),
+  petSizeCategory: z.enum(["small", "medium", "large", "extra_large"]).optional(),
+  coatType: z.enum(["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"]).optional(),
+});
+
+portalRouter.patch(
+  "/pets/:id",
+  zValidator("json", portalUpdatePetSchema),
+  async (c) => {
+    const db = getDb();
+    const petId = c.req.param("id");
+    const clientId = c.get("portalClientId");
+    const body = c.req.valid("json");
+
+    const [existing] = await db
+      .select()
+      .from(pets)
+      .where(eq(pets.id, petId))
+      .limit(1);
+
+    if (!existing) return c.json({ error: "Not found" }, 404);
+    if (existing.clientId !== clientId) return c.json({ error: "Forbidden" }, 403);
+
+    const { weightKg, dateOfBirth, customFields, ...rest } = body;
+    const [updated] = await db
+      .update(pets)
+      .set({
+        ...rest,
+        weightKg: weightKg?.toString(),
+        dateOfBirth: dateOfBirth ? new Date(dateOfBirth) : undefined,
+        ...(customFields !== undefined ? { customFields } : {}),
+        updatedAt: new Date(),
+      })
+      .where(eq(pets.id, petId))
+      .returning();
+
+    if (!updated) return c.json({ error: "Not found" }, 404);
+
+    return c.json({
+      id: updated.id,
+      name: updated.name,
+      breed: updated.breed,
+      weight: updated.weightKg,
+      birthDate: updated.dateOfBirth,
+      photoUrl: updated.photoKey,
+      notes: updated.groomingNotes,
+    });
+  }
+);
+
 portalRouter.get("/invoices", async (c) => {
   const db = getDb();
   const clientId = c.get("portalClientId");