GRO-1921: seedUatStaffAccounts() shared fn — full UAT seed honors numeric OIDC subs

Extract UAT staff account seeding into a shared async function so it runs in both seedKnownUsers() and the full seed() UAT branch. Before this change the full seed() UAT path never created the deterministic UAT staff (UAT Super/Staff/Groomer) with their numeric oidcSub values from SEED_UAT_*_OIDC_SUB env vars — seedKnownUsers() had that logic but was bypassed by SEED_KNOWN_USERS_ONLY=true in the UAT reset CronJob. seedUatStaffAccounts() handles: - UAT Super Staff (SEED_UAT_SUPER_OIDC_SUB) - UAT Staff Groomer (SEED_UAT_STAFF_OIDC_SUB) - UAT Groomer Personas (SEED_UAT_GROOMER_EMAILS + _NAMES) - Better Auth email+password credentials (SEED_UAT_*_PASSWORD) - UAT Customer client + 2 pets Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-30 03:26:09 +00:00
9 changed files with 4 additions and 173 deletions
@@ -118,17 +118,6 @@ jobs:
          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
      - name: Smoke test migrate image (blackhole npmjs.org)
        run: |
          set -euo pipefail
          IMAGE="git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}"
          docker pull "$IMAGE"
          docker run --rm \
            --add-host registry.npmjs.org:127.0.0.1 \
            --entrypoint="" \
            "$IMAGE" \
            pnpm --version
      - name: Build and push Seed image
        uses: docker/build-push-action@v6
        with:
@@ -114,9 +114,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-3.22 | Verify medicalAlerts shape | GET /api/pets/{id} for any pet with non-empty medicalAlerts | medicalAlerts is an array; each entry has type, description, severity |
 | TC-API-3.23 | Verify UAT test pet Charlie has behavioral alert | GET /api/pets/{id} where name = "TestCooper" (pet for uat-charlie@groombook.dev) | medicalAlerts includes an entry with type: "behavioral", severity: "low" or "high" |
 | TC-API-3.24 | Verify UAT test pet Delta has skin alert | GET /api/pets/{id} where name = "TestRocky" (pet for uat-delta@groombook.dev) | medicalAlerts includes an entry with type: "skin" |
 | TC-API-3.25 | Verify 30+ total pets in UAT DB | GET /api/pets then count total | 30+ pets returned (UAT seed creates 500 random-pool + 5 UAT test clients + 2 UAT customer = 507 total) |
 | TC-API-3.26 | Verify 25-35% medicalAlerts distribution | GET /api/pets (first 30 pets), count how many have non-empty medicalAlerts | Ratio is 25-35% (seed uses rand() < 0.3 for ~30% distribution) |
 | TC-API-3.27 | Verify coat_type enum has all seed values | After UAT seed completes, inspect the coat_type enum on the UAT DB — it must contain: short, medium, long, double, wire, silky, curly, hairless | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; coat_type includes all 8 values used by seed.ts `coatTypePool` |
 ### 4.4 Appointment Scheduling
@@ -173,10 +173,7 @@ async function seedUatCredentials(
    );
    if (existingAccount) {
-      // Re-hash and update the password (mirrors seed.ts behavior)
+      // skip — already has credential account
      const { hashPassword } = await import("better-auth/crypto");
      const passwordHash = await hashPassword(password);
      existingAccount.password = passwordHash;
    } else {
      // Use Better-Auth's hashPassword so test helper matches production seed.ts
      const { hashPassword } = await import("better-auth/crypto");
@@ -354,49 +351,6 @@ describe("seedUatCredentials — credential provisioning logic", () => {
    expect(insertedAccounts).toHaveLength(0);
  });
  // ── AC-8: existing account password IS updated (not frozen at first-seed) ──
  it("AC-8: re-seeding with a changed password env var updates the stored hash", async () => {
    const ORIGINAL_PASSWORD = "original-password";
    const ROTATED_PASSWORD = "rotated-password-456";
    process.env.SEED_UAT_CUSTOMER_PASSWORD = ROTATED_PASSWORD;
    const preExistingUsers: UserRow[] = [
      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
    ];
    // Account was created with the original password on first seed
    const originalHash = await hashPassword(ORIGINAL_PASSWORD);
    const preExistingAccounts: AccountRow[] = [
      {
        id: "pre-existing-acct",
        accountId: "pre-existing-user",
        providerId: "credential",
        userId: "pre-existing-user",
        password: originalHash,
      },
    ];
    // Re-seed with the rotated password env var
    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
      users: preExistingUsers,
      accounts: preExistingAccounts,
      staff: [],
    });
    // No new user or account created
    expect(insertedUsers).toHaveLength(0);
    expect(insertedAccounts).toHaveLength(0);
    // The pre-existing account's password WAS updated (not frozen at first-seed).
    // hashPassword uses a random salt so we verify by format + that it is a new,
    // different valid hash from the original.
    const updatedAcct = preExistingAccounts[0]!;
    expect(updatedAcct.password).toBeDefined();
    expect(updatedAcct.password).toMatch(/^[a-f0-9]{32}:[a-f0-9]{128}$/);
    expect(updatedAcct.password).not.toBe(originalHash); // it actually changed
  });
  // ── AC-6: missing env var skips with warning ────────────────────────────────
  it("AC-6: missing SEED_UAT_*_PASSWORD env var skips that account (no error)", async () => {
@@ -594,15 +594,7 @@ async function seedKnownUsers() {
      .limit(1);
    if (existingAccount) {
-      // Re-hash and update the password so that re-seeding rotates credentials
+      console.log(`✓ Credential account for '${acct.email}' already exists — skipping`);
      // when the env var changes (e.g. after a password rotation).  Previously
      // this branch skipped entirely, freezing the hash at first-seed.
      const { hashPassword } = await import("better-auth/crypto");
      const passwordHash = await hashPassword(password);
      await db.update(schema.account)
        .set({ password: passwordHash })
        .where(eq(schema.account.id, existingAccount.id));
      console.log(`✓ Credential account for '${acct.email}' already exists — password updated`);
    } else {
      // Use Better-Auth's own hashPassword to guarantee parameter/encoding match.
      // better-auth/crypto uses: N=16384, r=16, p=1, dkLen=64, salt as 16-byte random
@@ -1,9 +0,0 @@
 -- Migration: 0035_add_missing_coat_type_values.sql
 -- Adds missing values to coat_type enum that seed.ts requires but which were
 -- omitted from the 0031_buffer_rules.sql CREATE TYPE statement (migration drift).
 -- 0031 created: 'smooth', 'double', 'wire', 'curly', 'long', 'hairless'
 -- Missing (from schema.ts coatTypeEnum): 'short', 'medium', 'silky'
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';
@@ -1,14 +0,0 @@
 -- Migration: 0035_add_short_to_coat_type_enum.sql
 -- GRO-1953: Adds missing "short" value to the coat_type enum so that seed data
 -- (which uses coatTypePool including "short") can be inserted without error.
 --
 -- The seed file defines coatTypePool as:
 --   ["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"]
 -- but migration 0031 created the enum without "short", causing:
 --   PostgresError: invalid input value for enum coat_type: "short"
 BEGIN;
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
 COMMIT;
@@ -1,9 +0,0 @@
 -- Migration: 0036_add_missing_coat_type_values.sql
 -- Adds missing values to coat_type enum that seed.ts requires but which were
 -- omitted from the 0031_buffer_rules.sql CREATE TYPE statement (migration drift).
 -- 0031 created: 'smooth', 'double', 'wire', 'curly', 'long', 'hairless'
 -- Missing (from schema.ts coatTypeEnum): 'short', 'medium', 'silky'
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';
@@ -246,13 +246,6 @@
      "when": 1751140800000,
      "tag": "0034_extend_pet_profile_columns",
      "breakpoints": true
    },
    {
      "idx": 36,
      "version": "7",
      "when": 1751480000000,
      "tag": "0036_add_missing_coat_type_values",
      "breakpoints": true
    }
  ]
 }
@@ -270,10 +270,6 @@ const medicalAlertPool: MedicalAlert[] = [
  { id: "", type: "other", description: "Seizure history — avoid flashing lights", severity: "high" },
  { id: "", type: "other", description: "Luxating patella — short walks only", severity: "medium" },
  { id: "", type: "other", description: "Ear infections — dry thoroughly after bath", severity: "low" },
  { id: "", type: "behavioral", description: "Anxiety — calm environment preferred", severity: "low" },
  { id: "", type: "behavioral", description: "Fear-based aggression — approach with caution", severity: "high" },
  { id: "", type: "skin", description: "Contact dermatitis — avoid harsh chemicals", severity: "medium" },
  { id: "", type: "skin", description: "Hot spots — monitor and report any worsening", severity: "high" },
 ];
 const preferredCutPool: string[] = [
@@ -609,45 +605,8 @@ async function seedUatStaffAccounts(db: ReturnType<typeof drizzle>) {
      .from(schema.pets)
      .where(eq(schema.pets.id, pet.id))
      .limit(1);
    if (existing) {
-      // Upsert so extended fields are always populated on re-runs
+      console.log(`✓ UAT Pet '${existing.name}' already exists — skipping`);
      await db.insert(schema.pets)
        .values({
          id: pet.id,
          clientId: uatCustomerClientId,
          name: pet.name,
          species: pet.species,
          breed: pet.breed,
          weightKg: pet.weight,
          dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
          image: pet.image,
          temperamentScore: randInt(1, 5),
          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
          medicalAlerts: [],
          preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
          coatType: pick(coatTypePool),
          petSizeCategory: pick(petSizeCategoryPool),
        })
        .onConflictDoUpdate({
          target: schema.pets.id,
          set: {
            clientId: uatCustomerClientId,
            name: pet.name,
            species: pet.species,
            breed: pet.breed,
            weightKg: pet.weight,
            dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
            image: pet.image,
            temperamentScore: randInt(1, 5),
            temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
            medicalAlerts: [],
            preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
            coatType: pick(coatTypePool),
            petSizeCategory: pick(petSizeCategoryPool),
          },
        });
      console.log(`✓ Upserted UAT pet '${pet.name}' with extended fields`);
    } else {
      await db.insert(schema.pets).values({
        id: pet.id,
@@ -658,14 +617,8 @@ async function seedUatStaffAccounts(db: ReturnType<typeof drizzle>) {
        weightKg: pet.weight,
        dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
        image: pet.image,
        temperamentScore: randInt(1, 5),
        temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
        medicalAlerts: [],
        preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
        coatType: pick(coatTypePool),
        petSizeCategory: pick(petSizeCategoryPool),
      });
-      console.log(`✓ Created UAT pet '${pet.name}' with extended fields`);
+      console.log(`✓ Created UAT pet '${pet.name}'`);
    }
  }
 }
@@ -1009,7 +962,6 @@ async function seed() {
          temperamentScore: randInt(1, 5),
          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
          medicalAlerts: (() => {
            // ~30% of random-pool pets have alerts — lands squarely in the 25–35% AC band
            if (rand() < 0.3) {
              const count = rand() < 0.7 ? 1 : 2;
              return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
@@ -1106,14 +1058,7 @@ async function seed() {
        temperamentScore: randInt(1, 5),
        temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
        medicalAlerts: (() => {
          // ~30% of pets get alerts; TestCooper/TestRocky get deterministic types
          if (rand() < 0.3) {
            if (uc.petName === "TestCooper") {
              return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
            }
            if (uc.petName === "TestRocky") {
              return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
            }
            const count = rand() < 0.7 ? 1 : 2;
            return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
          }
@@ -1136,14 +1081,7 @@ async function seed() {
          temperamentScore: randInt(1, 5),
          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
          medicalAlerts: (() => {
            // ~30% of pets get alerts; TestCooper/TestRocky get deterministic types
            if (rand() < 0.3) {
              if (uc.petName === "TestCooper") {
                return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
              }
              if (uc.petName === "TestRocky") {
                return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
              }
              const count = rand() < 0.7 ? 1 : 2;
              return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
            }