fix: restore pet profile summary endpoint from dev (GRO-1177)

Merge dev into promote/dev-to-uat-gro-1790
Resolve .ci-trigger conflict preferring dev version.
2026-05-26 12:30:10 +00:00 · 2026-05-26 12:11:44 +00:00 · 2026-05-26 01:48:12 +00:00 · 2026-05-26 01:34:42 +00:00 · 2026-05-26 00:45:05 +00:00 · 2026-05-26 00:36:15 +00:00
7 changed files with 202 additions and 10 deletions
@@ -0,0 +1 @@
+GRO-1757 direct push CI trigger - 2026-05-26T00:15:41Z
@@ -2,9 +2,9 @@ name: CI

 on:
  push:
-    branches: [main, dev]
+    branches: [main, dev, uat]
  pull_request:
-    branches: [main, dev]
+    branches: [main, dev, uat]
  workflow_dispatch:
    inputs:
      ref:
@@ -96,7 +96,6 @@ jobs:
          file: Dockerfile
          target: runner
          push: true
-          provenance: false
          tags: |
            git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
@@ -111,7 +110,6 @@ jobs:
          file: Dockerfile
          target: migrate
          push: true
-          provenance: false
          tags: |
            git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
@@ -126,7 +124,6 @@ jobs:
          file: Dockerfile
          target: seed
          push: true
-          provenance: false
          tags: |
            git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
@@ -141,7 +138,6 @@ jobs:
          file: Dockerfile
          target: reset
          push: true
-          provenance: false
          tags: |
            git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
@@ -48,6 +48,26 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
 | TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |

+#### SSO Login Journey (Authentik OIDC end-to-end)
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.17 | SSO redirect to Authentik | Navigate to app → sign-in page shown → click "Sign in with SSO" | Redirected to Authentik at auth.farh.net | 403 error, redirect loop, no SSO button |
+| TC-API-1.18 | Authenticate with valid OIDC credentials | At Authentik login page, enter valid credentials and authenticate | Redirected back to app with valid session | Redirect loop, 403, missing session cookie |
+| TC-API-1.19 | SSO user auto-provisioned as groomer | Complete SSO login as a user with no pre-existing staff record | 200 response; groomer staff record auto-created; session active | 403 Forbidden, staff record not created |
+| TC-API-1.20 | Existing staff record resolves correctly | Complete SSO login as uat-groomer (pre-existing staff) | 200 OK, correct staff identity resolved, no duplicate record created | 403, duplicate record, wrong staff data |
+| TC-API-1.21 | SSO session grants dashboard access | After TC-API-1.18 SSO login, GET /api/staff/me | 200 OK, valid staff record returned, correct role displayed | 401/403, missing session, wrong identity |
+
+#### OOBE Flow Post-Login
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.22 | Fresh DB reports needsSetup | On a fresh DB (no super user), GET /api/setup/status | needsSetup: true returned | needsSetup: false when it should be true |
+| TC-API-1.23 | Configure OIDC via auth-provider endpoint | POST /api/setup/auth-provider with valid OIDC config | 200 OK, auth provider configured, no 403 | 403, setup blocked, invalid config rejected |
+| TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
+| TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
+| TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
+
 ### 4.2 Client Management

 | # | Scenario | Steps | Expected |
@@ -46,7 +46,7 @@ const UAT_CLIENT = {

 const UAT_PETS = [
  { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly" as const, weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short" as const, weightKg: "30.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth" as const, weightKg: "30.00" },
 ];

 const DEMO_SERVICES = [
@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, exists, getDb, or, pets, appointments } from "../db/index.js";
+import { and, desc, eq, exists, getDb, gte, groomingVisitLogs, or, pets, appointments, staff, services, sql } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 import {
  getPresignedUploadUrl,
@@ -283,3 +283,133 @@ petsRouter.get("/:petId/photo", async (c) => {
  const url = await getPresignedGetUrl(pet.photoKey);
  return c.json({ url, photoKey: pet.photoKey, photoUploadedAt: pet.photoUploadedAt });
 });
+
+// ─── Profile Summary ───────────────────────────────────────────────────────────
+
+async function groomerLinkageCheck(
+  db: ReturnType<typeof getDb>,
+  clientId: string,
+  staffRow: NonNullable<AppEnv["Variables"]["staff"]>
+): Promise<boolean> {
+  const [linkage] = await db
+    .select({ id: appointments.id })
+    .from(appointments)
+    .where(
+      and(
+        eq(appointments.clientId, clientId),
+        or(
+          eq(appointments.staffId, staffRow.id),
+          eq(appointments.batherStaffId, staffRow.id)
+        )
+      )
+    )
+    .limit(1);
+  return !!linkage;
+}
+
+/**
+ * GET /:id/profile-summary
+ * Returns aggregated profile: basic pet fields + grooming history + visit stats + upcoming appointment.
+ * Groomer RBAC: same visibility rules as GET /:id.
+ */
+petsRouter.get("/:id/profile-summary", async (c) => {
+  const db = getDb();
+  const petId = c.req.param("id");
+  const staffRow = c.get("staff");
+  const isGroomer = staffRow?.role === "groomer";
+
+  const [row] = await db.select().from(pets).where(eq(pets.id, petId));
+  if (!row) return c.json({ error: "Not found" }, 404);
+
+  if (isGroomer) {
+    const hasLinkage = await groomerLinkageCheck(db, row.clientId, staffRow);
+    if (!hasLinkage) return c.json({ error: "Forbidden" }, 403);
+  }
+
+  // Recent grooming history: last 10, with staff name join
+  const historyRows = await db
+    .select({
+      id: groomingVisitLogs.id,
+      petId: groomingVisitLogs.petId,
+      appointmentId: groomingVisitLogs.appointmentId,
+      staffId: groomingVisitLogs.staffId,
+      staffName: staff.name,
+      cutStyle: groomingVisitLogs.cutStyle,
+      productsUsed: groomingVisitLogs.productsUsed,
+      notes: groomingVisitLogs.notes,
+      groomedAt: groomingVisitLogs.groomedAt,
+      createdAt: groomingVisitLogs.createdAt,
+    })
+    .from(groomingVisitLogs)
+    .leftJoin(staff, eq(staff.id, groomingVisitLogs.staffId))
+    .where(eq(groomingVisitLogs.petId, petId))
+    .orderBy(desc(groomingVisitLogs.groomedAt))
+    .limit(10);
+
+  const recentGroomingHistory = historyRows.map((r) => ({
+    id: r.id,
+    petId: r.petId,
+    appointmentId: r.appointmentId,
+    staffId: r.staffId,
+    staffName: r.staffName,
+    cutStyle: r.cutStyle,
+    productsUsed: r.productsUsed,
+    notes: r.notes,
+    groomedAt: r.groomedAt?.toISOString() ?? null,
+    createdAt: r.createdAt?.toISOString() ?? null,
+  }));
+
+  const lastVisitDate = historyRows[0]?.groomedAt?.toISOString() ?? null;
+
+  // Completed appointment count for this pet
+  const [{ count: visitCount }] = await db
+    .select({ count: sql<number>`count(*)::int` })
+    .from(appointments)
+    .where(and(eq(appointments.petId, petId), eq(appointments.status, "completed")));
+
+  // Upcoming appointment: next scheduled or confirmed
+  const [nextAppt] = await db
+    .select({
+      id: appointments.id,
+      serviceId: appointments.serviceId,
+      staffId: appointments.staffId,
+      startTime: appointments.startTime,
+      endTime: appointments.endTime,
+      status: appointments.status,
+      serviceName: services.name,
+      staffName: staff.name,
+    })
+    .from(appointments)
+    .leftJoin(services, eq(services.id, appointments.serviceId))
+    .leftJoin(staff, eq(staff.id, appointments.staffId))
+    .where(
+      and(
+        eq(appointments.petId, petId),
+        or(eq(appointments.status, "scheduled"), eq(appointments.status, "confirmed")),
+        gte(appointments.startTime, new Date())
+      )
+    )
+    .orderBy(appointments.startTime)
+    .limit(1);
+
+  const upcomingAppointment = nextAppt
+    ? {
+        id: nextAppt.id,
+        serviceId: nextAppt.serviceId,
+        serviceName: nextAppt.serviceName,
+        staffId: nextAppt.staffId,
+        staffName: nextAppt.staffName,
+        startTime: nextAppt.startTime?.toISOString() ?? null,
+        endTime: nextAppt.endTime?.toISOString() ?? null,
+        status: nextAppt.status,
+      }
+    : null;
+
+  return c.json({
+    ...row,
+    recentGroomingHistory,
+    lastVisitDate,
+    visitCount,
+    upcomingAppointment,
+  });
+});
@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "@groombook/db";
+import { and, eq, getDb, sql, staff, account } from "@groombook/db";

 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -110,6 +110,51 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
      return;
    }
  }
+
+  // Auto-provision for OIDC users: check if jwt.sub has an OAuth/OIDC account
+  // (e.g. authentik). If so, create a groomer staff record on the fly.
+  if (jwt.email) {
+    const [oidcAccount] = await db
+      .select({ id: account.id })
+      .from(account)
+      .where(
+        and(
+          eq(account.userId, jwt.sub),
+          sql`${account.providerId} IN ('authentik', 'google', 'github')`
+        )
+      )
+      .limit(1);
+
+    if (oidcAccount) {
+      // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
+      const emailPrefix = jwt.email.split("@")[0] ?? "Unknown";
+      const name = jwt.name?.trim() || emailPrefix;
+
+      const [newStaff] = await db
+        .insert(staff)
+        .values({
+          userId: jwt.sub,
+          email: jwt.email,
+          name,
+          role: "groomer",
+          isSuperUser: false,
+          active: true,
+        })
+        .returning();
+
+      if (!newStaff) {
+        return c.json({ error: "Forbidden: auto-provision failed" }, 500);
+      }
+
+      console.log(
+        `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
+      );
+      c.set("staff", newStaff);
+      await next();
+      return;
+    }
+  }
+
  return c.json(
    { error: "Forbidden: no staff record found for authenticated user" },
    403
@@ -46,7 +46,7 @@ const UAT_CLIENT = {

 const UAT_PETS = [
  { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly", weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short", weightKg: "30.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth", weightKg: "30.00" },
 ];

 const DEMO_SERVICES = [
Author	SHA1	Message	Date
Flea Flicker	32156e9a45	fix: restore pet profile summary endpoint from dev (GRO-1177) CI / Lint & Typecheck (pull_request) Successful in 13s Details CI / Test (pull_request) Successful in 12s Details CI / Build & Push Docker Images (pull_request) Successful in 41s Details	2026-05-26 12:30:10 +00:00
Flea Flicker	ed3d7df1c9	Merge dev into promote/dev-to-uat-gro-1790 CI / Lint & Typecheck (pull_request) Successful in 11s Details CI / Test (pull_request) Successful in 11s Details CI / Build & Push Docker Images (pull_request) Successful in 1m9s Details Resolve .ci-trigger conflict preferring dev version.	2026-05-26 12:11:44 +00:00
Lint Roller	385ed10211	fix(rbac): guard noUncheckedIndexedAccess in name derivation and newStaff insert CI / Test (push) Successful in 10s Details CI / Lint & Typecheck (push) Successful in 10s Details CI / Build & Push Docker Images (push) Successful in 43s Details CI / Test (pull_request) Successful in 9s Details CI / Lint & Typecheck (pull_request) Successful in 10s Details CI / Build & Push Docker Images (pull_request) Failing after 10s Details With noUncheckedIndexedAccess:true, split("@")[0] returns string\|undefined, making `name` typed as string\|undefined and failing the notNull staff.name insert constraint. Fix by using ?? fallback on the array access. Also add newStaff null guard after .returning() destructure — array destructuring yields T\|undefined with noUncheckedIndexedAccess enabled.	2026-05-26 01:48:12 +00:00
Lint Roller	8e8a87767c	fix(ci): remove duplicate provenance keys + add uat push trigger (GRO-1762) CI / Lint & Typecheck (push) Successful in 12s Details CI / Test (push) Successful in 13s Details CI / Build & Push Docker Images (push) Failing after 41s Details	2026-05-26 01:34:42 +00:00
Flea Flicker	d9ba6045ad	chore: direct push CI trigger for GRO-1757 (`b61d899f`) to include in dev image Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-26 00:45:05 +00:00
The Dogfather	2f17b1ab85	Promo/Gro 1764 Uat (#86 )	2026-05-26 00:36:15 +00:00
Lint Roller	b83a793de4	chore: PR CI build trigger for GRO-1757 image (do not merge) (#87 ) Co-authored-by: Lint Roller <lint@groombook.dev> Co-committed-by: Lint Roller <lint@groombook.dev>	2026-05-26 00:36:04 +00:00
Lint Roller	a610ef9d39	chore: trigger CI for GRO-1757 + GRO-1764 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-26 00:08:02 +00:00
Flea Flicker	2a0b3cf3d3	Merge remote-tracking branch 'origin/dev' into dev-to-uat	2026-05-25 23:54:49 +00:00
Flea Flicker	cf3d30f19e	Merge pull request 'fix(GRO-1764): change Max coat_type short→smooth in UAT seed' (#85 ) from fix/gro-1764-coat-type-enum into dev	2026-05-25 23:54:36 +00:00
Flea Flicker	0625961adf	fix(GRO-1764): change Max coat_type "short" to "smooth" in UAT seed The DB coat_type enum only accepts: smooth, double, wire, curly, long, hairless. "short" is not a valid value — corrected to "smooth". Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-25 23:52:53 +00:00
Lint Roller	78762b5278	Merge pull request 'promote: dev → uat (GRO-1757 SSO auto-provision fix)' (#84 ) from dev into uat promote: dev → uat (GRO-1757 SSO auto-provision fix)	2026-05-25 23:48:09 +00:00
Scrubs McBarkley	b61d899f81	fix(GRO-1757): auto-provision staff for OIDC users + UAT playbook updates (#83 )	2026-05-25 23:39:57 +00:00
Flea Flicker	38047d5ea3	chore: trigger CI on dev for GRO-1754	2026-05-25 23:27:16 +00:00
Flea Flicker	fbcaedf155	chore: trigger CI for GRO-1754 UAT bump check	2026-05-25 23:20:51 +00:00
Flea Flicker	7cfb24d542	Merge pull request 'chore: trigger CI for GRO-1754' (#80 ) from fix/gro-1754-trigger-ci-v2 into dev	2026-05-25 23:16:05 +00:00
Flea Flicker	b0d9e5816f	chore: trigger CI v2 for GRO-1754	2026-05-25 23:14:01 +00:00
Flea Flicker	7a0662541d	chore: trigger CI for GRO-1754	2026-05-25 19:20:51 +00:00
Flea Flicker	5e78df85f1	chore: trigger CI for GRO-1754 UAT bump	2026-05-25 19:16:53 +00:00
				`@@ -0,0 +1 @@`
				`GRO-1757 direct push CI trigger - 2026-05-26T00:15:41Z`