fix(test): retype petProfileSummary chain mock to satisfy tsc --project build

CI failed on PR #137 because `tsc --project .` (the build path used by the
Docker image) is stricter than `pnpm typecheck` was reporting during local
iteration — two TS2322 errors surfaced in the new mock:

  1. `chain.from = (table: { _name: string }) => ...` was assigned through
     a `Record<string, (...args: unknown[]) => unknown>` index signature,
     and `{ _name: string }` is not assignable from `unknown`.
  2. `chain.then = (onFulfilled?: (v: unknown[]) => unknown) => ...` was
     not assignable to the `PromiseLike<T>.then` signature TS now infers
     for the awaitable, because TS expects `onfulfilled` to also accept
     `null`.

Replace the proxy-based loose chain with a typed `ChainLike` interface so
the build typechecker is satisfied. Behaviour is unchanged — all 7 GRO-2014
regression tests still pass.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -156,3 +156,32 @@ jobs:
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
           cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
           cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
+
+      - name: Smoke test seed image (blackhole npmjs.org)
+        run: |
+          set -euo pipefail
+          IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}"
+          docker pull "$IMAGE"
+          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
+          # not try to reach registry.npmjs.org on invocation.
+          docker run --rm \
+            --add-host registry.npmjs.org:127.0.0.1 \
+            --entrypoint="" \
+            "$IMAGE" \
+            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version'
+          echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓"
+
+      - name: Smoke test reset image (blackhole npmjs.org)
+        run: |
+          set -euo pipefail
+          IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}"
+          docker pull "$IMAGE"
+          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
+          # not try to reach registry.npmjs.org on invocation. Validates the
+          # hard requirement from the issue: reset runs offline.
+          docker run --rm \
+            --add-host registry.npmjs.org:127.0.0.1 \
+            --entrypoint="" \
+            "$IMAGE" \
+            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version'
+          echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"

Dockerfile

@@ -1,7 +1,14 @@
 FROM node:22-alpine AS base
-RUN corepack enable && corepack install -g pnpm@9.15.4
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-ENV COREPACK_ENABLE_STRICT=0
+# Install pnpm as a real binary via npm (not corepack shim) so runtime
+# invocations of `pnpm` work without DNS access to registry.npmjs.org.
+# The corepack shim delegates to corepack, which re-validates against
+# npmjs.org on first use — that fails in air-gapped UAT seed/migrate/reset
+# Jobs. GRO-1983 / GRO-1889 / GRO-1909 / GRO-1981 / GRO-1985.
+RUN npm install -g pnpm@9.15.4
+# Belt-and-braces: disable Corepack's download fallback so that even if a
+# Corepack shim is somehow invoked at runtime, it will not try to fetch
+# pnpm from registry.npmjs.org. Belt for the real-binary trousers. GRO-1985.
+ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 
 # Install deps
@@ -22,9 +29,9 @@ RUN pnpm --filter @groombook/types build && \
 
 # Runtime
 FROM node:22-alpine AS runner
-RUN corepack enable && corepack install -g pnpm@9.15.4
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-ENV COREPACK_ENABLE_STRICT=0
+RUN npm install -g pnpm@9.15.4
+# Same defence-in-depth as base: no Corepack fallback. GRO-1985.
+ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 ENV NODE_ENV=production
 
@@ -45,15 +52,18 @@ CMD ["node", "dist/index.js"]
 
 # Migrate stage — runs drizzle-kit migrate against the database
 FROM builder AS migrate
+# pnpm needs a writable HOME for any config/state it writes. With
+# readOnlyRootFilesystem: true and runAsUser: 1000, /home/node is read-only.
+# The job pods mount a writable emptyDir at /tmp; point HOME there. GRO-1985.
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "migrate"]
 
 # Seed stage — populates the database with test data
 FROM builder AS seed
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "seed"]
 
 # Reset stage — drops all tables, re-runs migrations, and re-seeds
 FROM builder AS reset
-RUN corepack enable && corepack install -g pnpm@9.15.4
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-ENV COREPACK_ENABLE_STRICT=0
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "reset"]

UAT_PLAYBOOK.md

@@ -19,6 +19,27 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 - OIDC authentication provider configured
 - Seed data present (clients, pets, services, staff)
 
+### Source of truth for UAT passwords (GRO-2000)
+
+The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation.
+
+**Canonical recipe** (works from any host with `kubectl` + cluster credentials):
+
+```bash
+SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.super-password}' | base64 -d)
+GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.groomer-password}' | base64 -d)
+TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.tester-password}' | base64 -d)
+CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.customer-password}' | base64 -d)
+```
+
+**Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry.
+
+**How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request.
+
 ## Test Cases
 
 ### 4.0 Health Check
@@ -41,6 +62,8 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.8 | Email+password — invalid password | POST /api/auth/sign-in/email with wrong password | 400 Bad Request, error returned |
 | TC-API-1.9 | Email+password — unknown user | POST /api/auth/sign-in/email with non-existent email | 400 Bad Request, error returned |
 | TC-API-1.10 | Auto-provision on first OIDC login | First login as a Better-Auth user with no existing staff record | 200 OK, access granted; groomer staff record auto-created with name/email from user table |
+
+> **Note (GRO-1977):** Seed credential provisioning is idempotent — re-running the seed with updated `SEED_UAT_*_PASSWORD` env vars rotates stored credential hashes. TC-API-1.4 through TC-API-1.7 now return 200 for all 4 UAT personas (previously returned 401 due to frozen-hash bug).
 | TC-API-1.11 | Existing staff unaffected by OIDC login | Login as uat-groomer@groombook.dev (email+password), then GET /api/staff to find that record | 200 OK, staff record unchanged — no duplicate created, original role and isSuperUser preserved |
 | TC-API-1.12 | Auto-provisioned role and superUser flags | After TC-API-1.10, GET /api/staff and inspect the auto-created record | role = "groomer", isSuperUser = false, active = true |
 | TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
@@ -102,6 +125,9 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-3.17 | Get pet profile summary — groomer restricted | GET /api/pets/{id}/profile-summary as groomer with no pet linkage | 403 Forbidden |
 | TC-API-3.18 | Get pet profile summary — visitCount returns full count | GET /api/pets/{id}/profile-summary with 2+ completed appointments | visitCount >= 2 (not capped at 1) |
 | TC-API-3.19 | Get pet profile summary — upcomingAppointment excludes past | GET /api/pets/{id}/profile-summary with a past confirmed/scheduled appointment | upcomingAppointment is null (past appointments filtered by startTime >= now) |
+| TC-API-3.29 | Get pet profile summary — unknown UUID returns 404 (GRO-2014) | GET /api/pets/00000000-0000-0000-0000-000000000001/profile-summary while authenticated (any role) | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014) |
+| TC-API-3.30 | Get pet profile summary — malformed UUID returns 404 (GRO-2014) | GET /api/pets/not-a-uuid/profile-summary while authenticated | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014 — Postgres uuid cast failure) |
+| TC-API-3.31 | Get pet profile summary — never empty-body 500 (GRO-2014) | GET /api/pets/{anyId}/profile-summary across the test sweep | No response has status 500 with an empty body. Any 500 must include a JSON body `{"error":"Internal Server Error"}` |
 
 #### Seed Data Verification (GRO-1898)
 
@@ -117,6 +143,7 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-3.25 | Verify 30+ total pets in UAT DB | GET /api/pets then count total | 30+ pets returned (UAT seed creates 500 random-pool + 5 UAT test clients + 2 UAT customer = 507 total) |
 | TC-API-3.26 | Verify 25-35% medicalAlerts distribution | GET /api/pets (first 30 pets), count how many have non-empty medicalAlerts | Ratio is 25-35% (seed uses rand() < 0.3 for ~30% distribution) |
 | TC-API-3.27 | Verify coat_type enum has all seed values | After UAT seed completes, inspect the coat_type enum on the UAT DB — it must contain: short, medium, long, double, wire, silky, curly, hairless | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; coat_type includes all 8 values used by seed.ts `coatTypePool` |
+| TC-API-3.28 | Verify pet_size_category enum has all seed values | After UAT seed completes, inspect the pet_size_category enum on the UAT DB — it must contain: small, medium, large, extra_large | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; pet_size_category includes all 4 values used by seed.ts `petSizeCategoryPool` (regression for GRO-1999, mirrors TC-API-3.27) |
 
 ### 4.4 Appointment Scheduling
 

apps/api/src/__tests__/seed-uat-credentials.test.ts

@@ -67,6 +67,7 @@ let dbAccounts: AccountRow[] = [];
 let dbStaff: StaffRow[] = [];
 let insertedUsers: UserRow[] = [];
 let insertedAccounts: AccountRow[] = [];
+let updatedAccounts: Array<{ id: string; password: string }> = [];
 let updatedStaff: Array<{ id: string; userId: string }> = [];
 
 const originalEnv = { ...process.env };
@@ -77,6 +78,7 @@ function resetMock() {
   dbStaff = [];
   insertedUsers = [];
   insertedAccounts = [];
+  updatedAccounts = [];
   updatedStaff = [];
   process.env = { ...originalEnv };
 }
@@ -173,7 +175,11 @@ async function seedUatCredentials(
     );
 
     if (existingAccount) {
-      // skip — already has credential account
+      // Idempotent update: re-hash the current env password and update the stored hash.
+      const { hashPassword } = await import("better-auth/crypto");
+      const passwordHash = await hashPassword(password);
+      existingAccount.password = passwordHash;
+      updatedAccounts.push({ id: existingAccount.id, password: passwordHash });
     } else {
       // Use Better-Auth's hashPassword so test helper matches production seed.ts
       const { hashPassword } = await import("better-auth/crypto");
@@ -312,9 +318,9 @@ describe("seedUatCredentials — credential provisioning logic", () => {
     expect(updatedStaff).toHaveLength(0);
   });
 
-  // ── AC-5: idempotent — skips when user already exists ───────────────────────
+  // ── AC-5: idempotent — does not insert duplicate records ───────────────────
 
-  it("AC-5: re-running does not duplicate user or account records (idempotent)", async () => {
+  it("AC-5: re-running does not insert duplicate user or account records", async () => {
     process.env.SEED_UAT_CUSTOMER_PASSWORD = TEST_PASSWORD;
 
     const preExistingUsers: UserRow[] = [
@@ -330,25 +336,96 @@ describe("seedUatCredentials — credential provisioning logic", () => {
       },
     ];
 
-    // First call — nothing inserted (user + account pre-exist)
     await seedUatCredentials([UAT_ACCOUNTS[2]!], {
       users: preExistingUsers,
       accounts: preExistingAccounts,
       staff: [],
     });
 
+    // No inserts — user and account already exist
     expect(insertedUsers).toHaveLength(0);
     expect(insertedAccounts).toHaveLength(0);
+  });
+
+  // ── AC-5b: password rotation on re-seed ─────────────────────────────────────
+
+  it("AC-5b: re-running with a new password updates the stored credential hash", async () => {
+    const OLD_PASSWORD = "old-password-abc";
+    const NEW_PASSWORD = "new-password-xyz";
+    process.env.SEED_UAT_CUSTOMER_PASSWORD = NEW_PASSWORD;
+
+    const preExistingUsers: UserRow[] = [
+      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
+    ];
+    const preExistingAccounts: AccountRow[] = [
+      {
+        id: "pre-existing-acct",
+        accountId: "pre-existing-user",
+        providerId: "credential",
+        userId: "pre-existing-user",
+        password: await hashPassword(OLD_PASSWORD),
+      },
+    ];
 
-    // Second call — still nothing inserted
     await seedUatCredentials([UAT_ACCOUNTS[2]!], {
       users: preExistingUsers,
       accounts: preExistingAccounts,
       staff: [],
     });
 
+    // No new records inserted
     expect(insertedUsers).toHaveLength(0);
     expect(insertedAccounts).toHaveLength(0);
+    // Password WAS updated to the new env value
+    expect(updatedAccounts).toHaveLength(1);
+    expect(updatedAccounts[0]!.id).toBe("pre-existing-acct");
+    // New hash is valid Better-Auth format (salt:key, each hex)
+    const newHashParts = updatedAccounts[0]!.password.split(":");
+    expect(Buffer.from(newHashParts[0]!, "hex")).toHaveLength(16);
+    expect(Buffer.from(newHashParts[1]!, "hex")).toHaveLength(64);
+  });
+
+  // ── AC-8: existing account password IS updated (not frozen at first-seed) ──
+
+  it("AC-8: re-seeding with a changed password env var updates the stored hash", async () => {
+    const ORIGINAL_PASSWORD = "original-password";
+    const ROTATED_PASSWORD = "rotated-password-456";
+
+    process.env.SEED_UAT_CUSTOMER_PASSWORD = ROTATED_PASSWORD;
+
+    const preExistingUsers: UserRow[] = [
+      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
+    ];
+    // Account was created with the original password on first seed
+    const originalHash = await hashPassword(ORIGINAL_PASSWORD);
+    const preExistingAccounts: AccountRow[] = [
+      {
+        id: "pre-existing-acct",
+        accountId: "pre-existing-user",
+        providerId: "credential",
+        userId: "pre-existing-user",
+        password: originalHash,
+      },
+    ];
+
+    // Re-seed with the rotated password env var
+    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
+      users: preExistingUsers,
+      accounts: preExistingAccounts,
+      staff: [],
+    });
+
+    // No new user or account created
+    expect(insertedUsers).toHaveLength(0);
+    expect(insertedAccounts).toHaveLength(0);
+
+    // The pre-existing account's password WAS updated (not frozen at first-seed).
+    // hashPassword uses a random salt so we verify by format + that it is a new,
+    // different valid hash from the original.
+    const updatedAcct = preExistingAccounts[0]!;
+    expect(updatedAcct.password).toBeDefined();
+    expect(updatedAcct.password).toMatch(/^[a-f0-9]{32}:[a-f0-9]{128}$/);
+    expect(updatedAcct.password).not.toBe(originalHash); // it actually changed
   });
 
   // ── AC-6: missing env var skips with warning ────────────────────────────────

apps/api/src/db/seed.ts

@@ -594,7 +594,15 @@ async function seedKnownUsers() {
       .limit(1);
 
     if (existingAccount) {
-      console.log(`✓ Credential account for '${acct.email}' already exists — skipping`);
+      // Re-hash and update the password so that re-seeding rotates credentials
+      // when the env var changes (e.g. after a password rotation).  Previously
+      // this branch skipped entirely, freezing the hash at first-seed.
+      const { hashPassword } = await import("better-auth/crypto");
+      const passwordHash = await hashPassword(password);
+      await db.update(schema.account)
+        .set({ password: passwordHash })
+        .where(eq(schema.account.id, existingAccount.id));
+      console.log(`✓ Updated credential account password for '${acct.email}'`);
     } else {
       // Use Better-Auth's own hashPassword to guarantee parameter/encoding match.
       // better-auth/crypto uses: N=16384, r=16, p=1, dkLen=64, salt as 16-byte random

packages/db/migrations/0036_add_missing_coat_type_values.sql

@@ -0,0 +1,9 @@
+-- Migration: 0036_add_missing_coat_type_values.sql
+-- Adds missing values to coat_type enum that seed.ts requires but which were
+-- omitted from the 0031_buffer_rules.sql CREATE TYPE statement (migration drift).
+-- 0031 created: 'smooth', 'double', 'wire', 'curly', 'long', 'hairless'
+-- Missing (from schema.ts coatTypeEnum): 'short', 'medium', 'silky'
+
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';

packages/db/migrations/0037_add_extra_large_to_pet_size_category.sql

@@ -0,0 +1,19 @@
+-- Migration: 0037_add_extra_large_to_pet_size_category.sql
+-- GRO-1979: Adds the 'extra_large' value to the pet_size_category enum.
+--
+-- 0031_buffer_rules.sql created pet_size_category with values
+-- ('small', 'medium', 'large', 'xlarge'), but seed.ts and the drizzle
+-- schema (PetSizeCategory type) both use 'extra_large' — a mismatch that
+-- caused the UAT seed job to fail with:
+--   invalid input value for enum pet_size_category: "extra_large"
+--
+-- 0035/0036 (GRO-1971) registered 'short'/'medium'/'silky' in coat_type.
+-- This migration is the pet_size_category counterpart: register
+-- 'extra_large' so seed.ts can write the value the schema declares.
+--
+-- Postgres restriction: ALTER TYPE ADD VALUE cannot run inside a
+-- transaction block. The drizzle migrate runner does not wrap
+-- individual statements in an explicit transaction, so this applies
+-- as a single auto-commit DDL.
+
+ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';

packages/db/migrations/0038_register_extra_large_pet_size_category.sql

@@ -0,0 +1,4 @@
+-- GRO-1999: 0037 was skipped on existing DBs due to a below-high-water-mark
+-- journal timestamp. Re-register extra_large with a monotonic timestamp so
+-- the existing UAT/persistent DBs apply it. Idempotent.
+ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';

packages/db/migrations/meta/_journal.json

@@ -248,11 +248,25 @@
       "breakpoints": true
     },
     {
-      "idx": 35,
+      "idx": 36,
       "version": "7",
       "when": 1751480000000,
-      "tag": "0035_add_missing_coat_type_values",
+      "tag": "0036_add_missing_coat_type_values",
+      "breakpoints": true
+    },
+    {
+      "idx": 37,
+      "version": "7",
+      "when": 1751500000000,
+      "tag": "0037_add_extra_large_to_pet_size_category",
+      "breakpoints": true
+    },
+    {
+      "idx": 38,
+      "version": "7",
+      "when": 1780000000000,
+      "tag": "0038_register_extra_large_pet_size_category",
       "breakpoints": true
     }
   ]
-}
+}

packages/db/src/seed.ts

@@ -1106,14 +1106,17 @@ async function seed() {
         temperamentScore: randInt(1, 5),
         temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
         medicalAlerts: (() => {
-          // ~30% of pets get alerts; TestCooper/TestRocky get deterministic types
+          // TestCooper always has a behavioral alert; TestRocky always has a skin alert.
+          // All other UAT test pets follow the 30% random distribution.
+          // Deterministic alerts on 2 of 507 pets (~0.4%) do not meaningfully shift
+          // the overall distribution from the 25-35% target band.
+          if (uc.petName === "TestCooper") {
+            return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
+          }
+          if (uc.petName === "TestRocky") {
+            return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
+          }
           if (rand() < 0.3) {
-            if (uc.petName === "TestCooper") {
-              return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
-            }
-            if (uc.petName === "TestRocky") {
-              return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
-            }
             const count = rand() < 0.7 ? 1 : 2;
             return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
           }
@@ -1136,14 +1139,17 @@ async function seed() {
           temperamentScore: randInt(1, 5),
           temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
           medicalAlerts: (() => {
-            // ~30% of pets get alerts; TestCooper/TestRocky get deterministic types
+            // TestCooper always has a behavioral alert; TestRocky always has a skin alert.
+            // All other UAT test pets follow the 30% random distribution.
+            // Deterministic alerts on 2 of 507 pets (~0.4%) do not meaningfully shift
+            // the overall distribution from the 25-35% target band.
+            if (uc.petName === "TestCooper") {
+              return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
+            }
+            if (uc.petName === "TestRocky") {
+              return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
+            }
             if (rand() < 0.3) {
-              if (uc.petName === "TestCooper") {
-                return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
-              }
-              if (uc.petName === "TestRocky") {
-                return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
-              }
               const count = rand() < 0.7 ? 1 : 2;
               return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
             }

src/__tests__/petProfileSummary.test.ts

@@ -0,0 +1,285 @@
+/**
+ * GET /pets/:id/profile-summary tests
+ *
+ * GRO-2014 regression coverage:
+ *   - Empty-body 500 must never escape the route — the onError handler
+ *     converts unhandled errors into a structured JSON 500.
+ *   - Malformed UUIDs must return 404 (not 500 via a Postgres uuid cast).
+ *   - Missing staff context must return 401 (not TypeError on staffRow.id).
+ *   - Pet not found must return 404.
+ *   - Groomer with no appointment linkage must return 403.
+ *   - Manager and groomer with linkage must receive the summary body.
+ */
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Hono } from "hono";
+import type { AppEnv, StaffRow } from "../middleware/rbac.js";
+
+// ─── Fixtures ────────────────────────────────────────────────────────────────
+
+const MANAGER: StaffRow = {
+  id: "00000000-0000-0000-0000-0000000000aa",
+  oidcSub: "oidc-manager-sub",
+  userId: null,
+  role: "manager",
+  isSuperUser: true,
+  name: "Manager McManager",
+  email: "manager@example.com",
+  active: true,
+  icalToken: null,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+const GROOMER: StaffRow = {
+  ...MANAGER,
+  id: "00000000-0000-0000-0000-0000000000bb",
+  oidcSub: "oidc-groomer-sub",
+  role: "groomer",
+  isSuperUser: false,
+  name: "Groomer Gary",
+  email: "groomer@example.com",
+};
+
+const PET_UUID = "11111111-1111-1111-1111-111111111111";
+const CLIENT_UUID = "22222222-2222-2222-2222-222222222222";
+const UNKNOWN_PET_UUID = "00000000-0000-0000-0000-000000000001";
+
+const PET_ROW = {
+  id: PET_UUID,
+  clientId: CLIENT_UUID,
+  name: "Biscuit",
+  species: "dog",
+  breed: "Beagle",
+  coatType: "short",
+  petSizeCategory: "medium",
+  weightKg: "12.50",
+  dateOfBirth: new Date("2020-01-01"),
+};
+
+// ─── Mutable DB state ─────────────────────────────────────────────────────────
+
+interface DbState {
+  petRow: typeof PET_ROW | null;
+  linkageRow: { id: string } | null;
+  recentHistory: Array<Record<string, unknown>>;
+  visitCount: number;
+  upcoming: Record<string, unknown> | null;
+  throwOnPetSelect: boolean;
+}
+
+let dbState: DbState;
+
+function resetDb() {
+  dbState = {
+    petRow: { ...PET_ROW },
+    linkageRow: { id: "appt-link" },
+    recentHistory: [],
+    visitCount: 0,
+    upcoming: null,
+    throwOnPetSelect: false,
+  };
+}
+
+// ─── @groombook/db mock ──────────────────────────────────────────────────────
+//
+// Each select chain needs to know which table it's targeting and which columns
+// it's projecting so we can return the right mocked rows. We thread that state
+// through a per-call object whose chain methods all return `this`. The chain
+// is also `then`-able so any `await` position resolves to the rows.
+
+vi.mock("@groombook/db", () => {
+  const namedTable = (name: string) =>
+    new Proxy(
+      { _name: name },
+      {
+        get(_t, p) {
+          if (p === "_name") return name;
+          return { table: name, column: p };
+        },
+      }
+    );
+
+  const pets = namedTable("pets");
+  const appointments = namedTable("appointments");
+  const services = namedTable("services");
+  const staff = namedTable("staff");
+
+  // The full chain interface is intentionally loose — only `then` is exposed
+  // with a typed signature so vitest's await resolves to the right shape.
+  interface ChainLike {
+    from: (table: { _name: string }) => ChainLike;
+    where: (...args: unknown[]) => ChainLike;
+    innerJoin: (...args: unknown[]) => ChainLike;
+    leftJoin: (...args: unknown[]) => ChainLike;
+    orderBy: (...args: unknown[]) => ChainLike;
+    limit: (...args: unknown[]) => ChainLike;
+    then: <T = unknown[]>(
+      onfulfilled?: ((value: unknown[]) => T | PromiseLike<T>) | null
+    ) => Promise<T>;
+  }
+
+  function buildSelect(projection?: Record<string, unknown>): ChainLike {
+    let targetTable = "";
+
+    const resolveRows = (): unknown[] => {
+      if (targetTable === "pets") {
+        if (dbState.throwOnPetSelect) {
+          throw new Error("simulated postgres uuid cast failure");
+        }
+        return dbState.petRow ? [dbState.petRow] : [];
+      }
+      if (targetTable === "appointments") {
+        const keys = projection ? Object.keys(projection) : [];
+        if (projection && keys.length === 1 && keys[0] === "id") {
+          return dbState.linkageRow ? [dbState.linkageRow] : [];
+        }
+        if (projection && keys.includes("count")) {
+          return [{ count: dbState.visitCount }];
+        }
+        if (projection && keys.includes("confirmationStatus")) {
+          return dbState.upcoming ? [dbState.upcoming] : [];
+        }
+        return dbState.recentHistory;
+      }
+      return [];
+    };
+
+    const chain: ChainLike = {
+      from(table) {
+        targetTable = table._name;
+        return chain;
+      },
+      where() {
+        return chain;
+      },
+      innerJoin() {
+        return chain;
+      },
+      leftJoin() {
+        return chain;
+      },
+      orderBy() {
+        return chain;
+      },
+      limit() {
+        return chain;
+      },
+      then(onfulfilled) {
+        return Promise.resolve(resolveRows()).then(onfulfilled ?? undefined);
+      },
+    };
+
+    return chain;
+  }
+
+  return {
+    getDb: () => ({
+      select: (projection?: Record<string, unknown>) => buildSelect(projection),
+    }),
+    pets,
+    appointments,
+    services,
+    staff,
+    and: vi.fn(() => ({ _op: "and" })),
+    or: vi.fn(() => ({ _op: "or" })),
+    eq: vi.fn(() => ({ _op: "eq" })),
+    desc: vi.fn((arg: unknown) => arg),
+    exists: vi.fn((arg: unknown) => arg),
+    sql: Object.assign(
+      () => ({ _op: "sql" }),
+      { [Symbol.toPrimitive]: () => "sql" }
+    ),
+  };
+});
+
+vi.mock("../lib/s3.js", () => ({
+  getPresignedUploadUrl: vi.fn().mockResolvedValue("https://example.com/put"),
+  getPresignedGetUrl: vi.fn().mockResolvedValue("https://example.com/get"),
+  deleteObject: vi.fn().mockResolvedValue(undefined),
+}));
+
+const { petsRouter } = await import("../routes/pets.js");
+
+// ─── App builder ─────────────────────────────────────────────────────────────
+
+function buildApp(staffRow: StaffRow | null) {
+  const app = new Hono<AppEnv>();
+  app.use("*", async (c, next) => {
+    if (staffRow) c.set("staff", staffRow);
+    await next();
+  });
+  app.route("/pets", petsRouter);
+  return app;
+}
+
+beforeEach(() => {
+  resetDb();
+  vi.clearAllMocks();
+});
+
+// ─── Tests ───────────────────────────────────────────────────────────────────
+
+describe("GET /pets/:id/profile-summary — GRO-2014 error handling", () => {
+  it("returns 404 (not 500) for a malformed UUID path param", async () => {
+    const app = buildApp(MANAGER);
+    const res = await app.request("/pets/not-a-uuid/profile-summary");
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Not found");
+  });
+
+  it("returns 401 when staff context is missing (defense in depth)", async () => {
+    const app = buildApp(null);
+    const res = await app.request(`/pets/${UNKNOWN_PET_UUID}/profile-summary`);
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 404 when authenticated and pet does not exist", async () => {
+    dbState.petRow = null;
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${UNKNOWN_PET_UUID}/profile-summary`);
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Not found");
+  });
+
+  it("returns 403 when groomer has no appointment linkage to the pet's client", async () => {
+    dbState.linkageRow = null;
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Forbidden");
+  });
+
+  it("returns 200 with summary for a manager (no groomer linkage check)", async () => {
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as Record<string, unknown>;
+    expect(body.id).toBe(PET_UUID);
+    expect(body.name).toBe("Biscuit");
+    expect(body.visitCount).toBe(0);
+    expect(body.upcomingAppointment).toBeNull();
+    expect(body.recentGroomingHistory).toEqual([]);
+  });
+
+  it("returns 200 with summary for a groomer with linkage", async () => {
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as Record<string, unknown>;
+    expect(body.id).toBe(PET_UUID);
+  });
+
+  it("returns a JSON envelope (not empty body) when a downstream query throws", async () => {
+    dbState.throwOnPetSelect = true;
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
+    expect(res.status).toBe(500);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Internal Server Error");
+  });
+});

src/routes/pets.ts

@@ -23,6 +23,23 @@ import {
 
 export const petsRouter = new Hono<AppEnv>();
 
+// Convert Zod validation errors from 422 to 400 and ensure any thrown error
+// returns a structured JSON body rather than Hono's default empty-body 500.
+// GRO-2014: profile-summary previously bubbled unhandled errors and produced
+// an empty-body 500. Mirror the onError pattern already used in invoices.ts
+// and reports.ts so every error has a JSON envelope.
+petsRouter.onError((err, c) => {
+  if (err instanceof z.ZodError) {
+    return c.json({ error: "Validation failed", issues: err.issues }, 400);
+  }
+  console.error("[pets] unhandled error", err);
+  return c.json({ error: "Internal Server Error" }, 500);
+});
+
+// UUID format used by all pet routes — guards path params against malformed
+// values before they hit Drizzle / Postgres uuid columns (which would throw).
+const uuidSchema = z.string().uuid();
+
 const createPetSchema = z.object({
   clientId: z.string().uuid(),
   name: z.string().min(1).max(200),
@@ -112,8 +129,24 @@ petsRouter.get("/:id", async (c) => {
 petsRouter.get("/:id/profile-summary", async (c) => {
   const db = getDb();
   const petId = c.req.param("id");
+
+  // GRO-2014: validate UUID format before hitting Postgres. Passing a non-UUID
+  // string to a uuid column makes the driver throw, which previously surfaced
+  // as an empty-body 500 to clients.
+  const parsedId = uuidSchema.safeParse(petId);
+  if (!parsedId.success) {
+    return c.json({ error: "Not found" }, 404);
+  }
+
+  // Defense in depth: resolveStaffMiddleware should always populate `staff`
+  // for protected routes (or short-circuit with 401/403 of its own). Guard
+  // anyway so a misconfigured route mount can't trigger a TypeError on
+  // staffRow.id when the linkage check runs.
   const staffRow = c.get("staff");
-  const isGroomer = staffRow?.role === "groomer";
+  if (!staffRow) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+  const isGroomer = staffRow.role === "groomer";
 
   // Fetch the pet
   const [pet] = await db.select().from(pets).where(eq(pets.id, petId));