Merge pull request 'fix(GRO-2123): serialize seed.ts with Postgres advisory lock' (#155) from flea-flicker/gro-2123-seed-advisory-lock into dev

The reset-demo-data CronJob in groombook-uat intermittently failed with
FK 23503 on invoice_tip_splits because two pods could run the seed
concurrently: the new pod's TRUNCATE deleted rows the old pod was still
inserting.

Acquire a session-level advisory lock for the full duration of the seed.
CRITICAL: with postgres-js connection pooling, a pg_advisory_lock
acquired on one pooled connection and released on a different one is a
no-op (the lock is bound to the pg-backend that took it). We therefore
reserve a dedicated connection for the lock, take pg_advisory_lock(KEY)
on it, run the seed on the pooled connections, and release the lock +
reserved connection in a try/finally so a thrown seed error cannot leak
the lock or the connection.

Defence-in-depth with the infra PR that switches
concurrencyPolicy: Replace → Forbid on the reset-demo-data CronJob.

- Adds withSeedAdvisoryLock helper and runSeedBody extracted function
- Wraps seed() body in the helper; client.end() runs after the lock
  releases so a reserved connection is not returned to a closed pool
- SEED_ADVISORY_LOCK_KEY = 0x47524f4f ("GROO" in ASCII) — arbitrary
  stable 32-bit key, referenced in runbooks
- UAT_PLAYBOOK.md §3.29 documents the regression check

cc @cpfarhood

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.ci-trigger

@@ -0,0 +1 @@
+GRO-1757 direct push CI trigger - 2026-05-26T00:15:41Z

.gitea/workflows/ci.yml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main, dev]
+    branches: [main, dev, uat]
   pull_request:
-    branches: [main, dev]
+    branches: [main, dev, uat]
   workflow_dispatch:
     inputs:
       ref:
@@ -32,7 +32,9 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       - name: Typecheck
-        run: pnpm --filter @groombook/api typecheck
+        run: |
+          pnpm --filter @groombook/api typecheck
+          pnpm --filter @groombook/db typecheck
 
       - name: Lint
         run: pnpm --filter @groombook/api lint
@@ -96,7 +98,6 @@ jobs:
           file: Dockerfile
           target: runner
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
@@ -111,13 +112,23 @@ jobs:
           file: Dockerfile
           target: migrate
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
           cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
           cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
 
+      - name: Smoke test migrate image (blackhole npmjs.org)
+        run: |
+          set -euo pipefail
+          IMAGE="git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}"
+          docker pull "$IMAGE"
+          docker run --rm \
+            --add-host registry.npmjs.org:127.0.0.1 \
+            --entrypoint="" \
+            "$IMAGE" \
+            pnpm --version
+
       - name: Build and push Seed image
         uses: docker/build-push-action@v6
         with:
@@ -126,7 +137,6 @@ jobs:
           file: Dockerfile
           target: seed
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
@@ -141,9 +151,37 @@ jobs:
           file: Dockerfile
           target: reset
           push: true
-          provenance: false
           tags: |
             git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
           cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
           cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
+
+      - name: Smoke test seed image (blackhole npmjs.org)
+        run: |
+          set -euo pipefail
+          IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}"
+          docker pull "$IMAGE"
+          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
+          # not try to reach registry.npmjs.org on invocation.
+          docker run --rm \
+            --add-host registry.npmjs.org:127.0.0.1 \
+            --entrypoint="" \
+            "$IMAGE" \
+            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version'
+          echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓"
+
+      - name: Smoke test reset image (blackhole npmjs.org)
+        run: |
+          set -euo pipefail
+          IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}"
+          docker pull "$IMAGE"
+          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
+          # not try to reach registry.npmjs.org on invocation. Validates the
+          # hard requirement from the issue: reset runs offline.
+          docker run --rm \
+            --add-host registry.npmjs.org:127.0.0.1 \
+            --entrypoint="" \
+            "$IMAGE" \
+            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version'
+          echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"

Dockerfile

@@ -1,5 +1,14 @@
 FROM node:22-alpine AS base
-RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
+# Install pnpm as a real binary via npm (not corepack shim) so runtime
+# invocations of `pnpm` work without DNS access to registry.npmjs.org.
+# The corepack shim delegates to corepack, which re-validates against
+# npmjs.org on first use — that fails in air-gapped UAT seed/migrate/reset
+# Jobs. GRO-1983 / GRO-1889 / GRO-1909 / GRO-1981 / GRO-1985.
+RUN npm install -g pnpm@9.15.4
+# Belt-and-braces: disable Corepack's download fallback so that even if a
+# Corepack shim is somehow invoked at runtime, it will not try to fetch
+# pnpm from registry.npmjs.org. Belt for the real-binary trousers. GRO-1985.
+ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 
 # Install deps
@@ -11,7 +20,6 @@ RUN pnpm install --frozen-lockfile
 
 # Build
 FROM deps AS builder
-RUN mkdir -p /home/node/.cache/node/corepack
 COPY packages/ packages/
 COPY src/ src/
 COPY tsconfig.json ./
@@ -21,7 +29,9 @@ RUN pnpm --filter @groombook/types build && \
 
 # Runtime
 FROM node:22-alpine AS runner
-RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
+RUN npm install -g pnpm@9.15.4
+# Same defence-in-depth as base: no Corepack fallback. GRO-1985.
+ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 ENV NODE_ENV=production
 
@@ -42,12 +52,18 @@ CMD ["node", "dist/index.js"]
 
 # Migrate stage — runs drizzle-kit migrate against the database
 FROM builder AS migrate
+# pnpm needs a writable HOME for any config/state it writes. With
+# readOnlyRootFilesystem: true and runAsUser: 1000, /home/node is read-only.
+# The job pods mount a writable emptyDir at /tmp; point HOME there. GRO-1985.
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "migrate"]
 
 # Seed stage — populates the database with test data
 FROM builder AS seed
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "seed"]
 
 # Reset stage — drops all tables, re-runs migrations, and re-seeds
 FROM builder AS reset
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "reset"]

UAT_PLAYBOOK.md

@@ -19,6 +19,45 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 - OIDC authentication provider configured
 - Seed data present (clients, pets, services, staff)
 
+### Source of truth for UAT passwords (GRO-2000)
+
+The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation.
+
+**Canonical recipe** (works from any host with `kubectl` + cluster credentials):
+
+```bash
+SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.super-password}' | base64 -d)
+GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.groomer-password}' | base64 -d)
+TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.tester-password}' | base64 -d)
+CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.customer-password}' | base64 -d)
+```
+
+**Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry.
+
+**How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request.
+
+### rbac auto-provision for Better-Auth customers (GRO-2052)
+
+> Applies to TC-API-3.16 / 3.19a / 3.19b / 3.19c (customer-as-owner profile-summary paths) and any future case where the test user authenticates via Better-Auth email/password and the route relies on `resolveStaffMiddleware` to resolve a `staff` row.
+
+**Pre-condition (rbac auto-provision):** The test user must have a row in the Better-Auth `user` table (email/password sign-in creates this automatically — see TC-API-1.6 / 1.7). On first authenticated call, `resolveStaffMiddleware` (`./src/middleware/rbac.ts`) auto-provisions a `groomer` staff row keyed by `staff.user_id = user.id` (Better-Auth branch fires before the legacy OIDC `account` branch).
+
+**Verify the auto-provision fired** by querying the DB after the first authenticated call:
+
+```sql
+SELECT user_id, role FROM staff WHERE user_id = '<test-user-id>';
+```
+
+Expected: one row, `role = 'groomer'`. If zero rows return, the request hit the OIDC `account` branch and 403'd, or the user has no `user` row — fix the test sign-in path before re-running.
+
+**Why this matters:** without the auto-provision branch, Better-Auth email/password customers (e.g. `uat-customer@groombook.dev`) have no `account` row for the OIDC providers, so `resolveStaffMiddleware` falls through to `403 "Forbidden: no staff record found for authenticated user"` *before* `pets.ts` can run the owner-bypass added in GRO-2013. The owner-bypass code is unreachable unless the auto-provision has fired. A green TC-API-3.19a therefore implicitly proves the auto-provision worked; if 3.19a fails with the pre-fix 403, the auto-provision branch is missing from the deployed `./src` tree (see [GRO-2052](/GRO/issues/GRO-2052)).
+
+**How to apply:** for every run of TC-API-3.16 / 3.19a / 3.19b / 3.19c, sign in via TC-API-1.6 (email+password) first to guarantee the `user` row exists, then run the profile-summary call, then assert the `staff` row above before declaring pass.
+
 ## Test Cases
 
 ### 4.0 Health Check
@@ -41,6 +80,8 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.8 | Email+password — invalid password | POST /api/auth/sign-in/email with wrong password | 400 Bad Request, error returned |
 | TC-API-1.9 | Email+password — unknown user | POST /api/auth/sign-in/email with non-existent email | 400 Bad Request, error returned |
 | TC-API-1.10 | Auto-provision on first OIDC login | First login as a Better-Auth user with no existing staff record | 200 OK, access granted; groomer staff record auto-created with name/email from user table |
+
+> **Note (GRO-1977):** Seed credential provisioning is idempotent — re-running the seed with updated `SEED_UAT_*_PASSWORD` env vars rotates stored credential hashes. TC-API-1.4 through TC-API-1.7 now return 200 for all 4 UAT personas (previously returned 401 due to frozen-hash bug).
 | TC-API-1.11 | Existing staff unaffected by OIDC login | Login as uat-groomer@groombook.dev (email+password), then GET /api/staff to find that record | 200 OK, staff record unchanged — no duplicate created, original role and isSuperUser preserved |
 | TC-API-1.12 | Auto-provisioned role and superUser flags | After TC-API-1.10, GET /api/staff and inspect the auto-created record | role = "groomer", isSuperUser = false, active = true |
 | TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
@@ -48,6 +89,26 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
 | TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |
 
+#### SSO Login Journey (Authentik OIDC end-to-end)
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.17 | SSO redirect to Authentik | Navigate to app → sign-in page shown → click "Sign in with SSO" | Redirected to Authentik at auth.farh.net | 403 error, redirect loop, no SSO button |
+| TC-API-1.18 | Authenticate with valid OIDC credentials | At Authentik login page, enter valid credentials and authenticate | Redirected back to app with valid session | Redirect loop, 403, missing session cookie |
+| TC-API-1.19 | SSO user auto-provisioned as groomer | Complete SSO login as a user with no pre-existing staff record | 200 response; groomer staff record auto-created; session active | 403 Forbidden, staff record not created |
+| TC-API-1.20 | Existing staff record resolves correctly | Complete SSO login as uat-groomer (pre-existing staff) | 200 OK, correct staff identity resolved, no duplicate record created | 403, duplicate record, wrong staff data |
+| TC-API-1.21 | SSO session grants dashboard access | After TC-API-1.18 SSO login, GET /api/staff/me | 200 OK, valid staff record returned, correct role displayed | 401/403, missing session, wrong identity |
+
+#### OOBE Flow Post-Login
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.22 | Fresh DB reports needsSetup | On a fresh DB (no super user), GET /api/setup/status | needsSetup: true returned | needsSetup: false when it should be true |
+| TC-API-1.23 | Configure OIDC via auth-provider endpoint | POST /api/setup/auth-provider with valid OIDC config | 200 OK, auth provider configured, no 403 | 403, setup blocked, invalid config rejected |
+| TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
+| TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
+| TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
+
 ### 4.2 Client Management
 
 | # | Scenario | Steps | Expected |
@@ -78,6 +139,34 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-3.13 | Reject too many temperamentFlags | POST /api/pets with 21 temperamentFlags | 400 Bad Request, max 20 flags enforced |
 | TC-API-3.14 | Reject too many preferredCuts | POST /api/pets with 21 preferredCuts | 400 Bad Request, max 20 cuts enforced |
 | TC-API-3.15 | Reject too many medicalAlerts | POST /api/pets with 51 medicalAlerts | 400 Bad Request, max 50 alerts enforced |
+| TC-API-3.16 | Get pet profile summary | GET /api/pets/{id}/profile-summary | 200 OK, aggregated profile with grooming history, visit count, upcoming appointment |
+| TC-API-3.17 | Get pet profile summary — groomer restricted | GET /api/pets/{id}/profile-summary as groomer with no pet linkage | 403 Forbidden |
+| TC-API-3.18 | Get pet profile summary — visitCount returns full count | GET /api/pets/{id}/profile-summary with 2+ completed appointments | visitCount >= 2 (not capped at 1) |
+| TC-API-3.19 | Get pet profile summary — upcomingAppointment excludes past | GET /api/pets/{id}/profile-summary with a past confirmed/scheduled appointment | upcomingAppointment is null (past appointments filtered by startTime >= now) |
+| TC-API-3.19a | Get pet profile summary — customer owner-bypass (GRO-2013) | Sign in as `uat-customer@groombook.dev`; `POST /api/portal/session-from-auth`; then `GET /api/pets/{ownPetId}/profile-summary` with header `X-Impersonation-Session-Id: {sessionId}` for either of the customer's seeded pets (`c0000001-0000-0000-0000-000000000002` UAT Pup Alpha, `c0000001-0000-0000-0000-000000000003` UAT Pup Beta) | 200 OK, aggregated profile returned (owner-bypass: customer with valid portal session for pet's clientId is allowed even though rbac.ts auto-provisions them as a `groomer` staff row with no appointment linkage) |
+| TC-API-3.19b | Get pet profile summary — customer cross-tenant blocked (GRO-2013) | Sign in as `uat-customer@groombook.dev`; reuse the customer's sessionId from TC-API-3.19a; `GET /api/pets/{otherClientPetId}/profile-summary` for a pet owned by a different client (`c0000002-...` or any non-customer pet) | 403 Forbidden (owner-bypass requires session.clientId === pet.clientId) |
+| TC-API-3.19c | Get pet profile summary — customer without portal session header | Same as TC-API-3.19a but omit the `X-Impersonation-Session-Id` header | 403 Forbidden (no owner-bypass without valid portal session) |
+| TC-API-3.19d | Get pet profile summary — owner-bypass writes audit row (GRO-2063) | Same setup as TC-API-3.19a (sign in as `uat-customer@groombook.dev`, establish a portal session for the customer's own clientId, call `GET /api/pets/{ownPetId}/profile-summary` with `X-Impersonation-Session-Id: {sessionId}` and a 200 OK response). Then call `GET /api/impersonation/sessions/{sessionId}/audit-log` and confirm there is exactly one entry with `action === "read_profile_summary"`, `pageVisited` matching the profile-summary path, and `metadata` containing `petId` and `actorStaffId` for the customer. Repeat TC-API-3.19b (cross-tenant attempt) and confirm NO new `read_profile_summary` row was written for the cross-tenant attempt. | 200 OK on the profile-summary call AND an audit log entry is present with the correct shape (defense-in-depth audit row; bypass attempts against other clients must NOT log) |
+| TC-API-3.29 | Get pet profile summary — unknown UUID returns 404 (GRO-2014) | GET /api/pets/00000000-0000-0000-0000-000000000001/profile-summary while authenticated (any role) | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014) |
+| TC-API-3.30 | Get pet profile summary — malformed UUID returns 404 (GRO-2014) | GET /api/pets/not-a-uuid/profile-summary while authenticated | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014 — Postgres uuid cast failure) |
+| TC-API-3.31 | Get pet profile summary — never empty-body 500 (GRO-2014) | GET /api/pets/{anyId}/profile-summary across the test sweep | No response has status 500 with an empty body. Any 500 must include a JSON body `{"error":"Internal Server Error"}` |
+
+#### Seed Data Verification (GRO-1898)
+
+> As of PR #98, UAT seed data populates all 5 extended profile fields for every pet, including the 5 deterministic UAT test client pets (Alpha, Bravo, Charlie, Delta, Echo). This enables manual verification of extended profile rendering without requiring a DB reset.
+
+| # | Scenario | Steps | Expected |
+|---|----------|-------|----------|
+| TC-API-3.20 | GET /api/clients returns seed data | GET /api/clients | 200 OK, array with 1+ clients (UAT seed creates 500 + 5 deterministic UAT clients) |
+| TC-API-3.21 | GET /api/pets/{id} returns extended fields for seed pet | Pick any pet ID from UAT test clients (uat-alpha through uat-echo pet names: TestBuddy, TestMax, TestCooper, TestRocky, TestDuke) and GET /api/pets/{id} | 200 OK; coatType, temperamentScore, temperamentFlags, medicalAlerts, preferredCuts all non-null |
+| TC-API-3.22 | Verify medicalAlerts shape | GET /api/pets/{id} for any pet with non-empty medicalAlerts | medicalAlerts is an array; each entry has type, description, severity |
+| TC-API-3.23 | Verify UAT test pet Charlie has behavioral alert | GET /api/pets/{id} where name = "TestCooper" (pet for uat-charlie@groombook.dev) | medicalAlerts includes an entry with type: "behavioral", severity: "low" or "high" |
+| TC-API-3.24 | Verify UAT test pet Delta has skin alert | GET /api/pets/{id} where name = "TestRocky" (pet for uat-delta@groombook.dev) | medicalAlerts includes an entry with type: "skin" |
+| TC-API-3.25 | Verify 30+ total pets in UAT DB | GET /api/pets then count total | 30+ pets returned (UAT seed creates 500 random-pool + 5 UAT test clients + 2 UAT customer = 507 total) |
+| TC-API-3.26 | Verify 25-35% medicalAlerts distribution | GET /api/pets (first 30 pets), count how many have non-empty medicalAlerts | Ratio is 25-35% (seed uses rand() < 0.3 for ~30% distribution) |
+| TC-API-3.27 | Verify coat_type enum has all seed values | After UAT seed completes, inspect the coat_type enum on the UAT DB — it must contain: short, medium, long, double, wire, silky, curly, hairless | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; coat_type includes all 8 values used by seed.ts `coatTypePool` |
+| TC-API-3.28 | Verify pet_size_category enum has all seed values | After UAT seed completes, inspect the pet_size_category enum on the UAT DB — it must contain: small, medium, large, extra_large | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; pet_size_category includes all 4 values used by seed.ts `petSizeCategoryPool` (regression for GRO-1999, mirrors TC-API-3.27) |
+| TC-API-3.29 | Verify `reset-demo-data` CronJob does not fail with FK 23503 on `invoice_tip_splits` (GRO-2123) | Trigger the CronJob manually: `kubectl create job --from=cronjob/reset-demo-data verify-gro2123 -n groombook-uat`. Wait for pod to terminate. Inspect logs: `kubectl logs -n groombook-uat -l job-name=verify-gro2123` | Pod reaches `Completed` state; logs show `✓ Acquired seed advisory lock` and `✓ Released seed advisory lock` from `seed.ts`; no `PostgresError: … violates foreign key constraint "invoice_tip_splits_invoice_id_invoices_id_fk"` (code 23503); final counts unchanged (500 clients, ~4000 invoices) |
 
 ### 4.4 Appointment Scheduling
 
@@ -104,6 +193,33 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-5.4 | Update service | PATCH /api/services/{id} with updated fields | 200 OK, service updated |
 | TC-API-5.5 | Delete service | DELETE /api/services/{id} | 200 OK, service deleted |
 
+#### 4.5.1 Seed/Reset idempotency (GRO-2064)
+
+Services seeding is now keyed on the deterministic `services.id` (not `name`) and
+the reset path now `TRUNCATE`s `services` alongside the other dynamic tables.
+This means:
+
+- Running the seed Job twice in a row (no reset in between) converges to the
+  same catalogue — no `services_pkey` collision.
+- A `pnpm reset` followed by `pnpm seed` (or a CronJob reset fire) leaves the
+  catalogue exactly matching `servicesDef` (10 rows, ids `b0000001-…-001` …
+  `…-00a`), regardless of any stale rows that were present beforehand.
+- Mixed `seedKnownUsers` + full `seed()` invocations are safe — the
+  `demoSvcs` subset (Bath & Brush, Full Groom Small/Medium, Nail Trim) is
+  keyed on ids `…-001`, `…-002`, `…-003`, `…-005` and the upsert target
+  is `services.id`, so the same-id / different-name collision that broke
+  GRO-2033 (id `…-004` = "Nail Trim" vs servicesDef `…-004` =
+  "Full Groom — Large") cannot recur.
+
+**UAT regression** (verify after a new image is rolled out):
+
+| # | Scenario | Steps | Expected |
+|---|----------|-------|----------|
+| TC-SEED-1 | Reset → seed converges | `kubectl -n groombook exec deploy/api -- pnpm reset && pnpm seed` | Seed completes 1/1, `services` count = 10, all ids match `servicesDef` |
+| TC-SEED-2 | Idempotent re-seed | Re-run `pnpm seed` without reset | Seed completes 1/1, no `services_pkey` errors, `services` count still 10 |
+| TC-SEED-3 | Catalogue matches servicesDef | `psql -c "SELECT id, name FROM services ORDER BY id"` | Rows `…-001`…`…-00a` with names "Bath & Brush"…"Sanitary Trim" exactly as in `servicesDef` |
+| TC-SEED-4 | Demo subset coexists | Run `seedKnownUsers` then full `seed` | No collision, demo subset (4 services) ends up with the same rows the full seed would write |
+
 ### 4.6 Staff Management
 
 | # | Scenario | Steps | Expected |
@@ -139,6 +255,10 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-8.5 | Add waitlist entry | POST /api/portal/waitlist with pet and service | 201 Created, waitlist entry created |
 | TC-API-8.6 | View portal invoices | GET /api/portal/invoices | 200 OK, list of client's invoices returned |
 | TC-API-8.7 | Pay multiple invoices | POST /api/portal/invoices/pay-multiple with invoice IDs | 200 OK, payment intent created |
+| TC-API-8.8 | SSO bridge — valid Better Auth session | POST /api/portal/session-from-auth with valid Better Auth session cookie (authenticated SSO user with matching client email) | 201 Created, `{sessionId, clientId, clientName}` returned |
+| TC-API-8.9 | SSO bridge — no Better Auth session | POST /api/portal/session-from-auth without Better Auth session cookie | 401 Unauthorized |
+| TC-API-8.10 | SSO bridge — no matching client | POST /api/portal/session-from-auth with valid Better Auth session for a user with no client record | 404 Not Found, error "No client record found for this user" |
+| TC-API-8.11 | SSO bridge — returned session works on portal routes | After TC-API-8.8, use returned sessionId as `X-Impersonation-Session-Id` header on GET /api/portal/me | 200 OK, client profile returned |
 
 ### 4.9 Waitlist
 

apps/api/src/__tests__/petProfileSummary.test.ts

@@ -0,0 +1,517 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Hono } from "hono";
+import type { AppEnv, StaffRow } from "../middleware/rbac.js";
+import { petsRouter } from "../routes/pets.js";
+
+// ─── Mock staff fixtures ──────────────────────────────────────────────────────
+
+const MANAGER: StaffRow = {
+  id: "staff-manager-id",
+  oidcSub: "oidc-manager-sub",
+  userId: null,
+  role: "manager",
+  isSuperUser: true,
+  name: "Manager McManager",
+  email: "manager@example.com",
+  active: true,
+  icalToken: null,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+const GROOMER: StaffRow = {
+  id: "staff-groomer-id",
+  oidcSub: "oidc-groomer-sub",
+  userId: null,
+  role: "groomer",
+  isSuperUser: false,
+  name: "Groomer McGroome",
+  email: "groomer@example.com",
+  active: true,
+  icalToken: null,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+// ─── Mutable mock state ───────────────────────────────────────────────────────
+
+const CLIENT_ID = "client-uuid-summary";
+const PET_ID = "pet-uuid-summary";
+
+interface MockState {
+  pets: Record<string, unknown>[];
+  appointments: Record<string, unknown>[];
+  groomingLogs: Record<string, unknown>[];
+  staffMembers: Record<string, unknown>[];
+  services: Record<string, unknown>[];
+  impersonationSessions: Record<string, unknown>[];
+}
+
+let mock: MockState;
+
+function resetMock() {
+  mock = {
+    pets: [{
+      id: PET_ID,
+      clientId: CLIENT_ID,
+      name: "Biscuit",
+      species: "dog",
+      breed: "Golden Retriever",
+      weightKg: "30.00",
+      dateOfBirth: null,
+      healthAlerts: null,
+      groomingNotes: null,
+      cutStyle: null,
+      shampooPreference: null,
+      specialCareNotes: null,
+      customFields: {},
+      photoKey: null,
+      photoUploadedAt: null,
+      image: null,
+      coatType: "double",
+      temperamentScore: 3,
+      temperamentFlags: ["gentle"],
+      medicalAlerts: [],
+      preferredCuts: ["puppy cut"],
+      createdAt: new Date("2024-01-01"),
+      updatedAt: new Date("2024-01-01"),
+    }],
+    appointments: [
+      {
+        id: "appt-completed-1",
+        clientId: CLIENT_ID,
+        petId: PET_ID,
+        serviceId: "service-1",
+        staffId: "staff-groomer-id",
+        batherStaffId: null,
+        status: "completed",
+        startTime: new Date("2024-06-01T09:00:00Z"),
+        endTime: new Date("2024-06-01T11:00:00Z"),
+        notes: null,
+        priceCents: 6000,
+        seriesId: null,
+        seriesIndex: null,
+        groupId: null,
+        confirmationStatus: "confirmed",
+        confirmedAt: null,
+        cancelledAt: null,
+        confirmationToken: null,
+        customerNotes: null,
+        createdAt: new Date("2024-05-15"),
+        updatedAt: new Date("2024-05-15"),
+      },
+      {
+        id: "appt-upcoming-1",
+        clientId: CLIENT_ID,
+        petId: PET_ID,
+        serviceId: "service-2",
+        staffId: "staff-groomer-id",
+        batherStaffId: null,
+        status: "confirmed",
+        startTime: new Date("2024-12-01T09:00:00Z"),
+        endTime: new Date("2024-12-01T11:00:00Z"),
+        notes: null,
+        priceCents: 6500,
+        seriesId: null,
+        seriesIndex: null,
+        groupId: null,
+        confirmationStatus: "confirmed",
+        confirmedAt: null,
+        cancelledAt: null,
+        confirmationToken: null,
+        customerNotes: null,
+        createdAt: new Date("2024-11-01"),
+        updatedAt: new Date("2024-11-01"),
+      },
+    ],
+    groomingLogs: [
+      {
+        id: "log-1",
+        petId: PET_ID,
+        appointmentId: "appt-completed-1",
+        staffId: "staff-groomer-id",
+        cutStyle: "puppy cut",
+        productsUsed: "oatmeal shampoo",
+        notes: "Trimmed nails",
+        groomedAt: new Date("2024-06-01T10:00:00Z"),
+        createdAt: new Date("2024-06-01T10:00:00Z"),
+      },
+    ],
+    staffMembers: [
+      {
+        id: "staff-groomer-id",
+        name: "Groomer McGroome",
+        email: "groomer@example.com",
+        role: "groomer",
+        isSuperUser: false,
+        active: true,
+        oidcSub: "oidc-groomer-sub",
+        userId: null,
+        icalToken: null,
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      },
+      {
+        id: "staff-manager-id",
+        name: "Manager McManager",
+        email: "manager@example.com",
+        role: "manager",
+        isSuperUser: true,
+        active: true,
+        oidcSub: "oidc-manager-sub",
+        userId: null,
+        icalToken: null,
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      },
+    ],
+    services: [
+      { id: "service-1", name: "Full Groom", description: null, basePriceCents: 6000, durationMinutes: 120, active: true, createdAt: new Date(), updatedAt: new Date() },
+      { id: "service-2", name: "Bath & Brush", description: null, basePriceCents: 4000, durationMinutes: 60, active: true, createdAt: new Date(), updatedAt: new Date() },
+    ],
+    impersonationSessions: [
+      {
+        id: "sess-owner",
+        staffId: "staff-groomer-id",
+        clientId: CLIENT_ID,
+        reason: "sso-bridge",
+        status: "active",
+        startedAt: new Date("2024-11-01"),
+        endedAt: null,
+        expiresAt: new Date("2099-01-01T00:00:00Z"),
+        createdAt: new Date("2024-11-01"),
+      },
+    ],
+  };
+}
+
+vi.mock("../db/index.js", () => {
+  const pets = new Proxy({ _name: "pets" }, { get: (t, p) => p === "_name" ? "pets" : {} });
+  const appointments = new Proxy({ _name: "appointments" }, { get: (t, p) => p === "_name" ? "appointments" : {} });
+  const groomingVisitLogs = new Proxy({ _name: "groomingVisitLogs" }, { get: (t, p) => p === "_name" ? "groomingVisitLogs" : {} });
+  const staff = new Proxy({ _name: "staff" }, { get: (t, p) => p === "_name" ? "staff" : {} });
+  const services = new Proxy({ _name: "services" }, { get: (t, p) => p === "_name" ? "services" : {} });
+  const impersonationSessions = new Proxy({ _name: "impersonationSessions" }, { get: (t, p) => p === "_name" ? "impersonationSessions" : {} });
+
+  // Tracks { [tableName]: { [alias]: SQLExpression } } for the current select() call
+  let selectedColumns: Record<string, Record<string, unknown>> = {};
+
+  function makeChainable(rows: unknown[]) {
+    const arr = rows as unknown[];
+    return new Proxy(arr, {
+      get(target, prop) {
+        if (prop === "where" || prop === "orderBy" || prop === "limit" || prop === "leftJoin" || prop === "from") {
+          return () => makeChainable(target);
+        }
+        if (prop === Symbol.iterator) {
+          return function* () { for (const v of target) yield v; };
+        }
+        if (prop === Symbol.asyncIterator) {
+          return async function* () { for (const v of target) yield v; };
+        }
+        // @ts-expect-error proxy
+        return target[prop];
+      },
+    });
+  }
+
+  // sql mock: returns an object with .as() so drizzle's select() can alias it
+  function sqlMock(_strings: TemplateStringsArray, ..._params: unknown[]) {
+    const queryString = _strings[0];
+    const asFn = (alias: string) => ({
+      sql: { queryChunks: [_strings[0]] },
+      fieldAlias: alias,
+      getSQL() { return this.sql; },
+    });
+    return { queryChunks: [queryString], as: asFn };
+  }
+
+  return {
+    getDb: () => ({
+      select: (cols?: Record<string, unknown>) => {
+        selectedColumns = {};
+        if (cols) {
+          // Inspect cols to find sql-aliased expressions and their aliases
+          for (const [alias, expr] of Object.entries(cols)) {
+            if (expr && typeof expr === "object" && "as" in expr && typeof (expr as Record<string, unknown>).as === "function") {
+              const aliased = (expr as { as: (a: string) => { fieldAlias: string; sql: unknown } }).as(alias);
+              // Detect count(*) queries
+              if (typeof aliased.sql === "object" && aliased.sql !== null && "queryChunks" in (aliased.sql as Record<string, unknown>) && String((aliased.sql as { queryChunks?: unknown[] }).queryChunks).includes("count")) {
+                // Store count query intent — we'll resolve it in from()
+                if (!selectedColumns["appointments"]) selectedColumns["appointments"] = {};
+                selectedColumns["appointments"][alias] = { _isCountQuery: true };
+              }
+            }
+          }
+        }
+        return {
+          from: (table: unknown) => {
+            const name = (table as { _name?: string })._name;
+            const tableCols = selectedColumns[name] || {};
+            // If this table has a count query, return computed count result
+            const countQueryEntry = Object.entries(tableCols).find(([, v]) =>
+              typeof v === "object" && v !== null && "_isCountQuery" in v
+            );
+            if (countQueryEntry) {
+              const [countAlias] = countQueryEntry;
+              const count = (name === "appointments" ? mock.appointments : [])
+                .filter((row: Record<string, unknown>) => row.status === "completed").length;
+              return makeChainable([{ [countAlias]: count }]);
+            }
+            if (name === "pets") return makeChainable(mock.pets);
+            if (name === "appointments") return makeChainable(mock.appointments);
+            if (name === "groomingVisitLogs") return makeChainable(mock.groomingLogs);
+            if (name === "staff") return makeChainable(mock.staffMembers);
+            if (name === "services") return makeChainable(mock.services);
+            if (name === "impersonationSessions") return makeChainable(mock.impersonationSessions);
+            return makeChainable([]);
+          },
+        };
+      },
+      insert: () => ({ values: () => ({ returning: () => [{}] }) }),
+      update: () => ({ set: () => ({ where: () => ({ returning: () => [{}] }) }) }),
+      delete: () => ({ where: () => ({ returning: () => [{}] }) }),
+    }),
+    pets,
+    appointments,
+    groomingVisitLogs,
+    staff,
+    services,
+    impersonationSessions,
+    and: vi.fn((a: unknown, b: unknown) => [a, b]),
+    desc: vi.fn((c: unknown) => c),
+    eq: vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val })),
+    exists: vi.fn(() => true),
+    gte: vi.fn((a: unknown, b: unknown) => ({ col: a, val: b })),
+    or: vi.fn((a: unknown, b: unknown) => [a, b]),
+    sql: sqlMock,
+  };
+});
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function makeApp(staff: StaffRow = MANAGER) {
+  const app = new Hono<AppEnv>();
+  app.use("*", async (c, next) => {
+    c.set("staff", staff);
+    await next();
+  });
+  return app.route("/pets", petsRouter);
+}
+
+// ─── Tests ────────────────────────────────────────────────────────────────────
+
+describe("GET /:id/profile-summary", () => {
+  beforeEach(resetMock);
+
+  it("returns 404 for non-existent pet", async () => {
+    const app = makeApp();
+    mock.pets = [];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(404);
+  });
+
+  it("returns 403 for groomer with no pet linkage", async () => {
+    const app = makeApp(GROOMER);
+    // Groomer has no linkage to this pet's client — clear appointments
+    mock.appointments = [];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(403);
+  });
+
+  it("returns complete aggregated profile for manager", async () => {
+    const app = makeApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.id).toBe(PET_ID);
+    expect(body.name).toBe("Biscuit");
+    expect(body.species).toBe("dog");
+    expect(body.recentGroomingHistory).toBeInstanceOf(Array);
+    expect(body.lastVisitDate).toBeTruthy();
+    expect(body.visitCount).toBeGreaterThanOrEqual(0);
+  });
+
+  it("groomer with pet linkage returns 200", async () => {
+    const app = makeApp(GROOMER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+  });
+
+  it("recentGroomingHistory is limited to 10 entries", async () => {
+    const app = makeApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.recentGroomingHistory.length).toBeLessThanOrEqual(10);
+  });
+
+  it("returns null upcomingAppointment when none scheduled", async () => {
+    const app = makeApp(MANAGER);
+    mock.appointments = [];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.upcomingAppointment).toBeNull();
+  });
+});
+
+describe("GET /:id/profile-summary — visitCount", () => {
+  beforeEach(resetMock);
+
+  it("returns visitCount >= 2 when pet has 2+ completed appointments", async () => {
+    const app = makeApp(MANAGER);
+    // Add a second completed appointment
+    mock.appointments = [
+      ...mock.appointments,
+      {
+        id: "appt-completed-2",
+        clientId: CLIENT_ID,
+        petId: PET_ID,
+        serviceId: "service-1",
+        staffId: "staff-groomer-id",
+        batherStaffId: null,
+        status: "completed",
+        startTime: new Date("2024-07-01T09:00:00Z"),
+        endTime: new Date("2024-07-01T11:00:00Z"),
+        notes: null,
+        priceCents: 6000,
+        seriesId: null,
+        seriesIndex: null,
+        groupId: null,
+        confirmationStatus: "confirmed",
+        confirmedAt: null,
+        cancelledAt: null,
+        confirmationToken: null,
+        customerNotes: null,
+        createdAt: new Date("2024-06-15"),
+        updatedAt: new Date("2024-06-15"),
+      },
+    ];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.visitCount).toBeGreaterThanOrEqual(2);
+  });
+
+  it("returns visitCount = 0 when no completed appointments", async () => {
+    const app = makeApp(MANAGER);
+    mock.appointments = mock.appointments.map((a) => ({ ...a, status: "cancelled" }));
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.visitCount).toBe(0);
+  });
+});
+
+describe("GET /:id/profile-summary — empty history", () => {
+  beforeEach(resetMock);
+
+  it("returns empty history array when no grooming logs", async () => {
+    const app = makeApp(MANAGER);
+    mock.groomingLogs = [];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.recentGroomingHistory).toEqual([]);
+    expect(body.lastVisitDate).toBeNull();
+  });
+});
+
+describe("GET /:id/profile-summary — owner-bypass via X-Impersonation-Session-Id (GRO-2013)", () => {
+  beforeEach(resetMock);
+
+  // Simulates the rbac.ts auto-provisioned "groomer" that a customer gets on first login:
+  // role=groomer, no linkage to any appointment.
+  const CUSTOMER_STAFF: StaffRow = {
+    id: "staff-customer-id",
+    oidcSub: null,
+    userId: "user-customer-id",
+    role: "groomer",
+    isSuperUser: false,
+    name: "UAT Customer",
+    email: "uat-customer@groombook.dev",
+    active: true,
+    icalToken: null,
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  };
+
+  it("customer with valid portal session for pet's client returns 200 (owner-bypass)", async () => {
+    const app = makeApp(CUSTOMER_STAFF);
+    // Groomer has no appointment linkage — proves the bypass is via portal session, not linkage.
+    mock.appointments = [];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-owner" },
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.id).toBe(PET_ID);
+    expect(body.name).toBe("Biscuit");
+    expect(body.clientId).toBe(CLIENT_ID);
+  });
+
+  it("customer without X-Impersonation-Session-Id header still gets 403 (no bypass)", async () => {
+    const app = makeApp(CUSTOMER_STAFF);
+    mock.appointments = [];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(403);
+  });
+
+  it("customer with portal session for a DIFFERENT client gets 403 (cross-tenant blocked)", async () => {
+    const app = makeApp(CUSTOMER_STAFF);
+    mock.appointments = [];
+    mock.impersonationSessions = [
+      {
+        id: "sess-other-client",
+        staffId: "staff-customer-id",
+        clientId: "00000000-0000-0000-0000-000000000099", // different from CLIENT_ID
+        reason: "sso-bridge",
+        status: "active",
+        startedAt: new Date("2024-11-01"),
+        endedAt: null,
+        expiresAt: new Date("2099-01-01T00:00:00Z"),
+        createdAt: new Date("2024-11-01"),
+      },
+    ];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-other-client" },
+    });
+    expect(res.status).toBe(403);
+  });
+
+  it("customer with expired portal session still gets 403", async () => {
+    const app = makeApp(CUSTOMER_STAFF);
+    mock.appointments = [];
+    mock.impersonationSessions = [
+      {
+        id: "sess-expired",
+        staffId: "staff-customer-id",
+        clientId: CLIENT_ID,
+        reason: "sso-bridge",
+        status: "active",
+        startedAt: new Date("2024-01-01"),
+        endedAt: null,
+        expiresAt: new Date("2024-02-01T00:00:00Z"), // expired long ago
+        createdAt: new Date("2024-01-01"),
+      },
+    ];
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-expired" },
+    });
+    expect(res.status).toBe(403);
+  });
+
+  it("manager does NOT need the impersonation header (existing role check still works)", async () => {
+    const app = makeApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+  });
+
+  it("groomer with linkage to pet's client still works (regression — no regression from bypass)", async () => {
+    const app = makeApp(GROOMER);
+    // GROOMER fixture has appointments linked to staff-groomer-id in the mock state
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+  });
+});

apps/api/src/__tests__/seed-uat-credentials.test.ts

@@ -67,6 +67,7 @@ let dbAccounts: AccountRow[] = [];
 let dbStaff: StaffRow[] = [];
 let insertedUsers: UserRow[] = [];
 let insertedAccounts: AccountRow[] = [];
+let updatedAccounts: Array<{ id: string; password: string }> = [];
 let updatedStaff: Array<{ id: string; userId: string }> = [];
 
 const originalEnv = { ...process.env };
@@ -77,6 +78,7 @@ function resetMock() {
   dbStaff = [];
   insertedUsers = [];
   insertedAccounts = [];
+  updatedAccounts = [];
   updatedStaff = [];
   process.env = { ...originalEnv };
 }
@@ -173,7 +175,11 @@ async function seedUatCredentials(
     );
 
     if (existingAccount) {
-      // skip — already has credential account
+      // Idempotent update: re-hash the current env password and update the stored hash.
+      const { hashPassword } = await import("better-auth/crypto");
+      const passwordHash = await hashPassword(password);
+      existingAccount.password = passwordHash;
+      updatedAccounts.push({ id: existingAccount.id, password: passwordHash });
     } else {
       // Use Better-Auth's hashPassword so test helper matches production seed.ts
       const { hashPassword } = await import("better-auth/crypto");
@@ -312,9 +318,9 @@ describe("seedUatCredentials — credential provisioning logic", () => {
     expect(updatedStaff).toHaveLength(0);
   });
 
-  // ── AC-5: idempotent — skips when user already exists ───────────────────────
+  // ── AC-5: idempotent — does not insert duplicate records ───────────────────
 
-  it("AC-5: re-running does not duplicate user or account records (idempotent)", async () => {
+  it("AC-5: re-running does not insert duplicate user or account records", async () => {
     process.env.SEED_UAT_CUSTOMER_PASSWORD = TEST_PASSWORD;
 
     const preExistingUsers: UserRow[] = [
@@ -330,25 +336,96 @@ describe("seedUatCredentials — credential provisioning logic", () => {
       },
     ];
 
-    // First call — nothing inserted (user + account pre-exist)
     await seedUatCredentials([UAT_ACCOUNTS[2]!], {
       users: preExistingUsers,
       accounts: preExistingAccounts,
       staff: [],
     });
 
+    // No inserts — user and account already exist
     expect(insertedUsers).toHaveLength(0);
     expect(insertedAccounts).toHaveLength(0);
+  });
+
+  // ── AC-5b: password rotation on re-seed ─────────────────────────────────────
+
+  it("AC-5b: re-running with a new password updates the stored credential hash", async () => {
+    const OLD_PASSWORD = "old-password-abc";
+    const NEW_PASSWORD = "new-password-xyz";
+    process.env.SEED_UAT_CUSTOMER_PASSWORD = NEW_PASSWORD;
+
+    const preExistingUsers: UserRow[] = [
+      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
+    ];
+    const preExistingAccounts: AccountRow[] = [
+      {
+        id: "pre-existing-acct",
+        accountId: "pre-existing-user",
+        providerId: "credential",
+        userId: "pre-existing-user",
+        password: await hashPassword(OLD_PASSWORD),
+      },
+    ];
 
-    // Second call — still nothing inserted
     await seedUatCredentials([UAT_ACCOUNTS[2]!], {
       users: preExistingUsers,
       accounts: preExistingAccounts,
       staff: [],
     });
 
+    // No new records inserted
     expect(insertedUsers).toHaveLength(0);
     expect(insertedAccounts).toHaveLength(0);
+    // Password WAS updated to the new env value
+    expect(updatedAccounts).toHaveLength(1);
+    expect(updatedAccounts[0]!.id).toBe("pre-existing-acct");
+    // New hash is valid Better-Auth format (salt:key, each hex)
+    const newHashParts = updatedAccounts[0]!.password.split(":");
+    expect(Buffer.from(newHashParts[0]!, "hex")).toHaveLength(16);
+    expect(Buffer.from(newHashParts[1]!, "hex")).toHaveLength(64);
+  });
+
+  // ── AC-8: existing account password IS updated (not frozen at first-seed) ──
+
+  it("AC-8: re-seeding with a changed password env var updates the stored hash", async () => {
+    const ORIGINAL_PASSWORD = "original-password";
+    const ROTATED_PASSWORD = "rotated-password-456";
+
+    process.env.SEED_UAT_CUSTOMER_PASSWORD = ROTATED_PASSWORD;
+
+    const preExistingUsers: UserRow[] = [
+      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
+    ];
+    // Account was created with the original password on first seed
+    const originalHash = await hashPassword(ORIGINAL_PASSWORD);
+    const preExistingAccounts: AccountRow[] = [
+      {
+        id: "pre-existing-acct",
+        accountId: "pre-existing-user",
+        providerId: "credential",
+        userId: "pre-existing-user",
+        password: originalHash,
+      },
+    ];
+
+    // Re-seed with the rotated password env var
+    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
+      users: preExistingUsers,
+      accounts: preExistingAccounts,
+      staff: [],
+    });
+
+    // No new user or account created
+    expect(insertedUsers).toHaveLength(0);
+    expect(insertedAccounts).toHaveLength(0);
+
+    // The pre-existing account's password WAS updated (not frozen at first-seed).
+    // hashPassword uses a random salt so we verify by format + that it is a new,
+    // different valid hash from the original.
+    const updatedAcct = preExistingAccounts[0]!;
+    expect(updatedAcct.password).toBeDefined();
+    expect(updatedAcct.password).toMatch(/^[a-f0-9]{32}:[a-f0-9]{128}$/);
+    expect(updatedAcct.password).not.toBe(originalHash); // it actually changed
   });
 
   // ── AC-6: missing env var skips with warning ────────────────────────────────

apps/api/src/db/seed.ts

@@ -20,6 +20,7 @@ import postgres from "postgres";
 import { drizzle } from "drizzle-orm/postgres-js";
 import { eq, and, sql } from "drizzle-orm";
 import * as schema from "./schema.js";
+import type { MedicalAlert, MedicalAlertSeverity } from "./schema.js";
 
 // ── Seed profile configuration ─────────────────────────────────────────────
 
@@ -252,6 +253,38 @@ const appointmentNotes = [
   "Client running late, pushed start by 15min",
 ];
 
+const temperamentScores = [3, 4, 4, 5, 5, 5, 6, 6, 6, 7, 7, 7, 8, 8, 8, 9];
+
+const temperamentFlags = [
+  [], ["anxious"], ["friendly"], ["nippy"], ["anxious", "sensitive"],
+  ["friendly", "calm"], ["nippy", "territorial"], ["calm"], ["sensitive"],
+  ["friendly", "nippy"], ["anxious", "territorial"],
+];
+
+const medicalAlertsList = [
+  [] as MedicalAlert[],
+  [] as MedicalAlert[],
+  [{ type: "skin", description: "Sensitive skin — avoid harsh shampoos", severity: "medium" as MedicalAlertSeverity }],
+  [{ type: "ear", description: "Ear infection prone — dry ears thoroughly", severity: "medium" as MedicalAlertSeverity }],
+  [{ type: "mobility", description: "Hip dysplasia — handle with care", severity: "high" as MedicalAlertSeverity }],
+  [{ type: "behavioral", description: "Anxious — needs slow approach", severity: "low" as MedicalAlertSeverity }],
+  [{ type: "medical", description: "Seizure history — avoid stress triggers", severity: "high" as MedicalAlertSeverity }],
+  [{ type: "skin", description: "Skin allergies — use hypoallergenic products only", severity: "medium" as MedicalAlertSeverity }],
+  [{ type: "behavioral", description: "Aggressive when nails trimmed — muzzle required", severity: "high" as MedicalAlertSeverity }],
+  [{ type: "cardiac", description: "Heart murmur — monitor during grooming", severity: "high" as MedicalAlertSeverity }],
+  [{ type: "dietary", description: "Diabetic — owner brings treats", severity: "medium" as MedicalAlertSeverity }],
+];
+
+const preferredCutsList = [
+  [], ["Puppy Cut"], ["Teddy Bear Cut"], ["Breed Standard"],
+  ["Puppy Cut", "Sanitary Trim"], ["Full Groom"], ["Lion Cut"],
+  ["Kennel Cut", "Face & Feet Trim"], ["Teddy Bear Cut", "Sanitary Trim"],
+  ["Breed Standard", "Sanitary Trim"], ["Summer Shave"],
+  ["Puppy Cut", "Face & Feet Trim", "Sanitary Trim"],
+];
+
+const coatTypes: string[] = ["short", "medium", "long", "curly", "wire", "double", "silky"];
+
 const visitLogNotes = [
   null, null,
   "Coat in great condition",
@@ -561,7 +594,15 @@ async function seedKnownUsers() {
       .limit(1);
 
     if (existingAccount) {
-      console.log(`✓ Credential account for '${acct.email}' already exists — skipping`);
+      // Re-hash and update the password so that re-seeding rotates credentials
+      // when the env var changes (e.g. after a password rotation).  Previously
+      // this branch skipped entirely, freezing the hash at first-seed.
+      const { hashPassword } = await import("better-auth/crypto");
+      const passwordHash = await hashPassword(password);
+      await db.update(schema.account)
+        .set({ password: passwordHash })
+        .where(eq(schema.account.id, existingAccount.id));
+      console.log(`✓ Updated credential account password for '${acct.email}'`);
     } else {
       // Use Better-Auth's own hashPassword to guarantee parameter/encoding match.
       // better-auth/crypto uses: N=16384, r=16, p=1, dkLen=64, salt as 16-byte random
@@ -595,21 +636,28 @@ async function seedKnownUsers() {
     }
   }
 
-  // ── Services: idempotent upsert using name as unique key ─────────────────────
-  // UNIQUE constraint on services.name (migration 0020) must exist first.
-  // Uses b0000001-... IDs to match main seed servicesDef for same-named services.
+  // ── Services: idempotent upsert keyed on `id` ─────────────────────────────
+  // GRO-2064: previously keyed on `services.name` while writing a
+  // deterministic `id`. If a stale row existed with the same `id` but a
+  // different `name`, PostgreSQL raised `services_pkey` (id collision)
+  // before the name-targeted ON CONFLICT could fire. Switch the conflict
+  // target to `services.id` so deterministic ids always win; pair with
+  // `TRUNCATE services … CASCADE` above so each reset rebuilds the
+  // catalogue from `servicesDef` cleanly. GRO-2033 close-out.
+  // Id↔name map MUST stay in sync with `servicesDef` (the canonical source
+  // of truth in the main `seed()` function).
   const demoSvcs = [
     { id: "b0000001-0000-0000-0000-000000000001", name: "Bath & Brush", description: "Full bath, blow-dry, brush out, and ear cleaning", basePriceCents: 4500, durationMinutes: 45 },
     { id: "b0000001-0000-0000-0000-000000000002", name: "Full Groom — Small", description: "Complete grooming for dogs under 25 lbs", basePriceCents: 6500, durationMinutes: 60 },
     { id: "b0000001-0000-0000-0000-000000000003", name: "Full Groom — Medium", description: "Complete grooming for dogs 25-50 lbs", basePriceCents: 8000, durationMinutes: 75 },
-    { id: "b0000001-0000-0000-0000-000000000004", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
+    { id: "b0000001-0000-0000-0000-000000000005", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
   ];
   for (const svc of demoSvcs) {
     await db.insert(schema.services)
       .values({ ...svc, active: true })
       .onConflictDoUpdate({
-        target: schema.services.name,
-        set: { description: svc.description, basePriceCents: svc.basePriceCents, durationMinutes: svc.durationMinutes, active: true },
+        target: schema.services.id,
+        set: { name: svc.name, description: svc.description, basePriceCents: svc.basePriceCents, durationMinutes: svc.durationMinutes, active: true },
       });
   }
   console.log(`✓ Seeded ${demoSvcs.length} services`);
@@ -716,7 +764,13 @@ async function seed() {
     ({ id: uuid(), name: `Bather ${i + 1}`, email: `bather${i + 1}@groombook.dev`, role: "groomer" as const, isSuperUser: false })
   );
 
-  await db.execute(sql`TRUNCATE impersonation_sessions, impersonation_audit_logs, appointments, invoices, invoice_line_items, invoice_tip_splits, grooming_visit_logs CASCADE`);
+  // GRO-2064: also TRUNCATE `services` so each reset rebuilds the catalogue
+  // from `servicesDef` (deterministic IDs + UNIQUE(name)). Stale service rows
+  // (e.g. a prior `seedKnownUsers` run that wrote a different `name` for the
+  // same `id`) would otherwise cause the deterministic upsert to PK-collide
+  // on `services.id` — see CTO review on infra PR #605 (rev #4230). TRUNCATE
+  // CASCADE handles appointments/invoices FKs to services.id.
+  await db.execute(sql`TRUNCATE services, impersonation_sessions, impersonation_audit_logs, appointments, invoices, invoice_line_items, invoice_tip_splits, grooming_visit_logs CASCADE`);
 
   const allStaff = [...managerStaff, ...receptionistStaff, ...groomers, ...bathers];
   for (const s of allStaff) {
@@ -787,9 +841,11 @@ async function seed() {
   }
 
   // ── Services ──
-  // Upsert services using name as unique key. With deterministic IDs in
-  // servicesDef and TRUNCATE clearing downstream tables first, this is
-  // idempotent: first run inserts, subsequent runs update existing rows.
+  // GRO-2064: key the upsert on `services.id` (not `name`) so deterministic
+  // ids always win, and rely on the TRUNCATE above to clear stale rows before
+  // the catalogue is rebuilt. The previous name-targeted upsert failed with
+  // `services_pkey` when a prior run had left a row with the same id but a
+  // different name (CTO review on infra PR #605, rev #4230).
   const serviceIds: string[] = [];
   for (const s of servicesDef) {
     serviceIds.push(s.id);
@@ -803,8 +859,8 @@ async function seed() {
         active: true,
       })
       .onConflictDoUpdate({
-        target: schema.services.name,
-        set: { description: s.desc, basePriceCents: s.price, durationMinutes: s.dur, active: true },
+        target: schema.services.id,
+        set: { name: s.name, description: s.desc, basePriceCents: s.price, durationMinutes: s.dur, active: true },
       });
   }
   console.log(`✓ Created ${servicesDef.length} services`);
@@ -872,6 +928,11 @@ async function seed() {
           cutStyle: pick(cutStyles),
           shampooPreference: pick(shampoos),
           specialCareNotes: rand() < 0.1 ? "Vet clearance required before grooming" : null,
+          coatType: pick(coatTypes),
+          temperamentScore: pick(temperamentScores),
+          temperamentFlags: pick(temperamentFlags),
+          medicalAlerts: pick(medicalAlertsList),
+          preferredCuts: pick(preferredCutsList),
           customFields: {},
           image: petIndex < 250 ? pick(puggleImages) : pick(demoPetImages),
         });
@@ -907,6 +968,11 @@ async function seed() {
             cutStyle: pet.cutStyle,
             shampooPreference: pet.shampooPreference,
             specialCareNotes: pet.specialCareNotes,
+            coatType: pet.coatType,
+            temperamentScore: pet.temperamentScore,
+            temperamentFlags: pet.temperamentFlags,
+            medicalAlerts: pet.medicalAlerts,
+            preferredCuts: pet.preferredCuts,
             customFields: pet.customFields,
             image: pet.image,
           },
@@ -929,13 +995,18 @@ async function seed() {
       petId: string;
       petName: string;
       petBreed: string;
+      petCoatType: string;
+      petTemperamentScore: number;
+      petTemperamentFlags: string[];
+      petMedicalAlerts: MedicalAlert[];
+      petPreferredCuts: string[];
     }
     const uatClients: UatClient[] = [
-    { id: uuid(), name: "UAT Test Alpha", email: "uat-alpha@groombook.dev", phone: "(555) 100-0001", address: "100 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestBuddy", petBreed: "Golden Retriever" },
-    { id: uuid(), name: "UAT Test Bravo", email: "uat-bravo@groombook.dev", phone: "(555) 100-0002", address: "200 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestMax", petBreed: "Labrador Retriever" },
-    { id: uuid(), name: "UAT Test Charlie", email: "uat-charlie@groombook.dev", phone: "(555) 100-0003", address: "300 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestCooper", petBreed: "Poodle" },
-    { id: uuid(), name: "UAT Test Delta", email: "uat-delta@groombook.dev", phone: "(555) 100-0004", address: "400 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestRocky", petBreed: "French Bulldog" },
-    { id: uuid(), name: "UAT Test Echo", email: "uat-echo@groombook.dev", phone: "(555) 100-0005", address: "500 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestDuke", petBreed: "Beagle" },
+    { id: uuid(), name: "UAT Test Alpha", email: "uat-alpha@groombook.dev", phone: "(555) 100-0001", address: "100 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestBuddy", petBreed: "Golden Retriever", petCoatType: "double", petTemperamentScore: 7, petTemperamentFlags: ["calm", "friendly"], petMedicalAlerts: [] as MedicalAlert[], petPreferredCuts: ["Breed Standard"] },
+    { id: uuid(), name: "UAT Test Bravo", email: "uat-bravo@groombook.dev", phone: "(555) 100-0002", address: "200 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestMax", petBreed: "Labrador Retriever", petCoatType: "short", petTemperamentScore: 8, petTemperamentFlags: ["friendly"], petMedicalAlerts: [] as MedicalAlert[], petPreferredCuts: ["Bath & Brush", "Sanitary Trim"] },
+    { id: uuid(), name: "UAT Test Charlie", email: "uat-charlie@groombook.dev", phone: "(555) 100-0003", address: "300 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestCooper", petBreed: "Poodle", petCoatType: "curly", petTemperamentScore: 9, petTemperamentFlags: ["calm"], petMedicalAlerts: [{ type: "behavioral", description: "Anxious — needs slow approach", severity: "low" as MedicalAlertSeverity }], petPreferredCuts: ["Teddy Bear Cut"] },
+    { id: uuid(), name: "UAT Test Delta", email: "uat-delta@groombook.dev", phone: "(555) 100-0004", address: "400 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestRocky", petBreed: "French Bulldog", petCoatType: "short", petTemperamentScore: 6, petTemperamentFlags: ["nippy"], petMedicalAlerts: [{ type: "skin", description: "Sensitive skin — avoid harsh shampoos", severity: "medium" as MedicalAlertSeverity }], petPreferredCuts: ["Puppy Cut"] },
+    { id: uuid(), name: "UAT Test Echo", email: "uat-echo@groombook.dev", phone: "(555) 100-0005", address: "500 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestDuke", petBreed: "Beagle", petCoatType: "short", petTemperamentScore: 7, petTemperamentFlags: ["friendly", "energetic"], petMedicalAlerts: [] as MedicalAlert[], petPreferredCuts: ["Full Groom", "Nail Trim"] },
   ];
 
   for (const uc of uatClients) {
@@ -943,8 +1014,26 @@ async function seed() {
       .values({ id: uc.id, name: uc.name, email: uc.email, phone: uc.phone, address: uc.address })
       .onConflictDoUpdate({ target: schema.clients.id, set: { name: uc.name, email: uc.email, phone: uc.phone, address: uc.address } });
     await db.insert(schema.pets)
-      .values({ id: uc.petId, clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed, weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z"), image: pick(demoPetImages) })
-      .onConflictDoUpdate({ target: schema.pets.id, set: { clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed, weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z"), image: pick(demoPetImages) } });
+      .values({
+        id: uc.petId, clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed,
+        weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z"),
+        coatType: uc.petCoatType,
+        temperamentScore: uc.petTemperamentScore,
+        temperamentFlags: uc.petTemperamentFlags,
+        medicalAlerts: uc.petMedicalAlerts,
+        preferredCuts: uc.petPreferredCuts,
+        image: pick(demoPetImages),
+      })
+      .onConflictDoUpdate({ target: schema.pets.id, set: {
+        clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed,
+        weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z"),
+        coatType: uc.petCoatType,
+        temperamentScore: uc.petTemperamentScore,
+        temperamentFlags: uc.petTemperamentFlags,
+        medicalAlerts: uc.petMedicalAlerts,
+        preferredCuts: uc.petPreferredCuts,
+        image: pick(demoPetImages),
+      } });
     // Create one completed appointment for this client
     const apptId = uuid();
     const svcIdx = 0;

apps/api/src/routes/admin/seed.ts

@@ -46,7 +46,7 @@ const UAT_CLIENT = {
 
 const UAT_PETS = [
   { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly" as const, weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short" as const, weightKg: "30.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth" as const, weightKg: "30.00" },
 ];
 
 const DEMO_SERVICES = [

apps/api/src/routes/pets.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, exists, getDb, or, pets, appointments } from "../db/index.js";
+import { and, desc, eq, exists, getDb, gte, groomingVisitLogs, impersonationSessions, or, pets, appointments, staff, services, sql } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 import {
   getPresignedUploadUrl,
@@ -283,3 +283,169 @@ petsRouter.get("/:petId/photo", async (c) => {
   const url = await getPresignedGetUrl(pet.photoKey);
   return c.json({ url, photoKey: pet.photoKey, photoUploadedAt: pet.photoUploadedAt });
 });
+
+// ─── Profile Summary ───────────────────────────────────────────────────────────
+
+async function groomerLinkageCheck(
+  db: ReturnType<typeof getDb>,
+  clientId: string,
+  staffRow: NonNullable<AppEnv["Variables"]["staff"]>
+): Promise<boolean> {
+  const [linkage] = await db
+    .select({ id: appointments.id })
+    .from(appointments)
+    .where(
+      and(
+        eq(appointments.clientId, clientId),
+        or(
+          eq(appointments.staffId, staffRow.id),
+          eq(appointments.batherStaffId, staffRow.id)
+        )
+      )
+    )
+    .limit(1);
+  return !!linkage;
+}
+
+/**
+ * Resolves the clientId from the X-Impersonation-Session-Id header, if present and active.
+ * Used by staff routes to allow a customer (auto-provisioned as a `groomer` staff row
+ * by rbac.ts) to access their own pet's data when they are the rightful owner.
+ *
+ * Returns null when the header is missing, the session is unknown/expired/ended, or the
+ * session exists but has no clientId — callers should treat null as "no owner-bypass".
+ */
+async function resolveImpersonationClientId(
+  db: ReturnType<typeof getDb>,
+  c: { req: { header: (name: string) => string | undefined } }
+): Promise<string | null> {
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
+  if (!sessionId) return null;
+  const [session] = await db
+    .select({ clientId: impersonationSessions.clientId, status: impersonationSessions.status, expiresAt: impersonationSessions.expiresAt })
+    .from(impersonationSessions)
+    .where(eq(impersonationSessions.id, sessionId))
+    .limit(1);
+  if (!session) return null;
+  if (session.status !== "active") return null;
+  if (session.expiresAt <= new Date()) return null;
+  return session.clientId;
+}
+
+/**
+ * GET /:id/profile-summary
+ * Returns aggregated profile: basic pet fields + grooming history + visit stats + upcoming appointment.
+ * Groomer RBAC: same visibility rules as GET /:id.
+ * Owner-bypass (GRO-2013): a customer who supplies a valid X-Impersonation-Session-Id
+ * for the pet's owning client may read their own pet's summary, even though rbac.ts
+ * auto-provisions them as a `groomer` staff row with no appointment linkage.
+ */
+petsRouter.get("/:id/profile-summary", async (c) => {
+  const db = getDb();
+  const petId = c.req.param("id");
+  const staffRow = c.get("staff");
+  const isGroomer = staffRow?.role === "groomer";
+
+  const [row] = await db.select().from(pets).where(eq(pets.id, petId));
+  if (!row) return c.json({ error: "Not found" }, 404);
+
+  // Owner-bypass: customer with a valid portal session for this pet's client
+  // is allowed to view their own pet's profile summary (GRO-2013).
+  let isOwner = false;
+  if (isGroomer) {
+    const ownerClientId = await resolveImpersonationClientId(db, c);
+    isOwner = !!ownerClientId && ownerClientId === row.clientId;
+  }
+
+  if (isGroomer && !isOwner) {
+    const hasLinkage = await groomerLinkageCheck(db, row.clientId, staffRow);
+    if (!hasLinkage) return c.json({ error: "Forbidden" }, 403);
+  }
+
+  // Recent grooming history: last 10, with staff name join
+  const historyRows = await db
+    .select({
+      id: groomingVisitLogs.id,
+      petId: groomingVisitLogs.petId,
+      appointmentId: groomingVisitLogs.appointmentId,
+      staffId: groomingVisitLogs.staffId,
+      staffName: staff.name,
+      cutStyle: groomingVisitLogs.cutStyle,
+      productsUsed: groomingVisitLogs.productsUsed,
+      notes: groomingVisitLogs.notes,
+      groomedAt: groomingVisitLogs.groomedAt,
+      createdAt: groomingVisitLogs.createdAt,
+    })
+    .from(groomingVisitLogs)
+    .leftJoin(staff, eq(staff.id, groomingVisitLogs.staffId))
+    .where(eq(groomingVisitLogs.petId, petId))
+    .orderBy(desc(groomingVisitLogs.groomedAt))
+    .limit(10);
+
+  const recentGroomingHistory = historyRows.map((r) => ({
+    id: r.id,
+    petId: r.petId,
+    appointmentId: r.appointmentId,
+    staffId: r.staffId,
+    staffName: r.staffName,
+    cutStyle: r.cutStyle,
+    productsUsed: r.productsUsed,
+    notes: r.notes,
+    groomedAt: r.groomedAt?.toISOString() ?? null,
+    createdAt: r.createdAt?.toISOString() ?? null,
+  }));
+
+  const lastVisitDate = historyRows[0]?.groomedAt?.toISOString() ?? null;
+
+  // Completed appointment count for this pet
+  const [{ count: visitCount }] = await db
+    .select({ count: sql<number>`count(*)::int` })
+    .from(appointments)
+    .where(and(eq(appointments.petId, petId), eq(appointments.status, "completed")));
+
+  // Upcoming appointment: next scheduled or confirmed
+  const [nextAppt] = await db
+    .select({
+      id: appointments.id,
+      serviceId: appointments.serviceId,
+      staffId: appointments.staffId,
+      startTime: appointments.startTime,
+      endTime: appointments.endTime,
+      status: appointments.status,
+      serviceName: services.name,
+      staffName: staff.name,
+    })
+    .from(appointments)
+    .leftJoin(services, eq(services.id, appointments.serviceId))
+    .leftJoin(staff, eq(staff.id, appointments.staffId))
+    .where(
+      and(
+        eq(appointments.petId, petId),
+        or(eq(appointments.status, "scheduled"), eq(appointments.status, "confirmed")),
+        gte(appointments.startTime, new Date())
+      )
+    )
+    .orderBy(appointments.startTime)
+    .limit(1);
+
+  const upcomingAppointment = nextAppt
+    ? {
+        id: nextAppt.id,
+        serviceId: nextAppt.serviceId,
+        serviceName: nextAppt.serviceName,
+        staffId: nextAppt.staffId,
+        staffName: nextAppt.staffName,
+        startTime: nextAppt.startTime?.toISOString() ?? null,
+        endTime: nextAppt.endTime?.toISOString() ?? null,
+        status: nextAppt.status,
+      }
+    : null;
+
+  return c.json({
+    ...row,
+    recentGroomingHistory,
+    lastVisitDate,
+    visitCount,
+    upcomingAppointment,
+  });
+});

packages/db/migrations/0034_extend_pet_profile_columns.sql

@@ -0,0 +1,8 @@
+-- Migration: 0034_extend_pet_profile_columns.sql
+-- GRO-1850: Adds temperament_score, temperament_flags, medical_alerts,
+-- and preferred_cuts columns to the pets table.
+
+ALTER TABLE "pets" ADD COLUMN "temperament_score" integer;
+ALTER TABLE "pets" ADD COLUMN "temperament_flags" jsonb DEFAULT '[]';
+ALTER TABLE "pets" ADD COLUMN "medical_alerts" jsonb DEFAULT '[]';
+ALTER TABLE "pets" ADD COLUMN "preferred_cuts" jsonb DEFAULT '[]';

packages/db/migrations/0035_add_missing_coat_type_values.sql

@@ -0,0 +1,9 @@
+-- Migration: 0035_add_missing_coat_type_values.sql
+-- Adds missing values to coat_type enum that seed.ts requires but which were
+-- omitted from the 0031_buffer_rules.sql CREATE TYPE statement (migration drift).
+-- 0031 created: 'smooth', 'double', 'wire', 'curly', 'long', 'hairless'
+-- Missing (from schema.ts coatTypeEnum): 'short', 'medium', 'silky'
+
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';

packages/db/migrations/0035_add_short_to_coat_type_enum.sql

@@ -0,0 +1,14 @@
+-- Migration: 0035_add_short_to_coat_type_enum.sql
+-- GRO-1953: Adds missing "short" value to the coat_type enum so that seed data
+-- (which uses coatTypePool including "short") can be inserted without error.
+--
+-- The seed file defines coatTypePool as:
+--   ["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"]
+-- but migration 0031 created the enum without "short", causing:
+--   PostgresError: invalid input value for enum coat_type: "short"
+
+BEGIN;
+
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
+
+COMMIT;

packages/db/migrations/0036_add_missing_coat_type_values.sql

@@ -0,0 +1,9 @@
+-- Migration: 0036_add_missing_coat_type_values.sql
+-- Adds missing values to coat_type enum that seed.ts requires but which were
+-- omitted from the 0031_buffer_rules.sql CREATE TYPE statement (migration drift).
+-- 0031 created: 'smooth', 'double', 'wire', 'curly', 'long', 'hairless'
+-- Missing (from schema.ts coatTypeEnum): 'short', 'medium', 'silky'
+
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';

packages/db/migrations/0037_add_extra_large_to_pet_size_category.sql

@@ -0,0 +1,19 @@
+-- Migration: 0037_add_extra_large_to_pet_size_category.sql
+-- GRO-1979: Adds the 'extra_large' value to the pet_size_category enum.
+--
+-- 0031_buffer_rules.sql created pet_size_category with values
+-- ('small', 'medium', 'large', 'xlarge'), but seed.ts and the drizzle
+-- schema (PetSizeCategory type) both use 'extra_large' — a mismatch that
+-- caused the UAT seed job to fail with:
+--   invalid input value for enum pet_size_category: "extra_large"
+--
+-- 0035/0036 (GRO-1971) registered 'short'/'medium'/'silky' in coat_type.
+-- This migration is the pet_size_category counterpart: register
+-- 'extra_large' so seed.ts can write the value the schema declares.
+--
+-- Postgres restriction: ALTER TYPE ADD VALUE cannot run inside a
+-- transaction block. The drizzle migrate runner does not wrap
+-- individual statements in an explicit transaction, so this applies
+-- as a single auto-commit DDL.
+
+ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';

packages/db/migrations/0038_register_extra_large_pet_size_category.sql

@@ -0,0 +1,4 @@
+-- GRO-1999: 0037 was skipped on existing DBs due to a below-high-water-mark
+-- journal timestamp. Re-register extra_large with a monotonic timestamp so
+-- the existing UAT/persistent DBs apply it. Idempotent.
+ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';

packages/db/migrations/0039_extend_pet_profile_columns_idempotent.sql

@@ -0,0 +1,27 @@
+-- Migration: 0039_extend_pet_profile_columns_idempotent.sql
+-- GRO-2033: re-register the temperament/medical/preferred-cuts columns from
+-- 0034 with an idempotent ADD COLUMN IF NOT EXISTS + a monotonic journal
+-- `when` (1780000000001), above the 0033 high-water mark (1779500000000)
+-- and above the most recent applied migration 0038 (1780000000000).
+--
+-- 0034_extend_pet_profile_columns.sql was authored on 2026-05-28 with
+-- `when` = 1751140800000 (2025-06-28) — *below* the 0033 high-water mark
+-- of 1779500000000 (2026-05-23). drizzle-orm@0.38.4
+-- (pg-core/dialect.js#migrate) only applies a migration when
+-- `migration.folderMillis > lastDbMigration.created_at`, so on prod —
+-- whose last applied entry was 0033 at created_at=1779500000000 — 0034
+-- was silently skipped, leaving `pets.temperament_score` (and friends)
+-- missing. The migrate Job still exits 0 ("migrations applied
+-- successfully!") because the journal high watermark *was* advanced by
+-- 0038, but no schema change ever ran for 0034. Seed/reset then crash on:
+--   PostgresError: column "temperament_score" does not exist (42703)
+--
+-- Same pattern as GRO-1999 (0037 → 0038): do NOT modify 0034 in-place
+-- (UAT/dev have already applied it via their lower watermarks). Add a
+-- new idempotent migration with a monotonic `when` instead so existing
+-- DBs apply it cleanly and fresh DBs are a no-op-after-no-op.
+
+ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "temperament_score" integer;
+ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "temperament_flags" jsonb DEFAULT '[]';
+ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "medical_alerts" jsonb DEFAULT '[]';
+ALTER TABLE "pets" ADD COLUMN IF NOT EXISTS "preferred_cuts" jsonb DEFAULT '[]';

packages/db/migrations/0040_register_missing_coat_type_values.sql

@@ -0,0 +1,26 @@
+-- Migration: 0040_register_missing_coat_type_values.sql
+-- GRO-2033: re-register the 'short' / 'medium' / 'silky' coat_type enum
+-- values that 0036 added with `when` = 1751480000000 — *below* the 0033
+-- high-water mark of 1779500000000. drizzle-orm@0.38.4
+-- (pg-core/dialect.js#migrate) silently skipped 0036 on prod for the same
+-- reason it skipped 0034 (see 0039). 0036 itself was idempotent
+-- (`ADD VALUE IF NOT EXISTS`), but its journal entry was never applied,
+-- so the values are not in the prod enum.
+--
+-- Same pattern as GRO-1999 (0037 → 0038) and 0039: do NOT modify 0036 in
+-- place. Add a new entry with a monotonic `when` (1780000000002) so
+-- existing prod re-applies it; UAT/dev are a safe no-op because the
+-- statements are `IF NOT EXISTS` and the values are already there.
+--
+-- Postgres restriction: `ALTER TYPE ... ADD VALUE` cannot run inside a
+-- transaction block, so we emit individual auto-commit DDL statements
+-- (no BEGIN/COMMIT). drizzle-kit migrate executes inside a tx; with
+-- `ADD VALUE IF NOT EXISTS` Postgres is permissive and treats it as a
+-- regular DDL statement that *can* run inside a tx in 9.6+ when no new
+-- value is actually added. If you ever rename this to add a value that
+-- doesn't exist on every target DB, lift it out of the journal
+-- transaction (single-statement file) — see GRO-1999 commit 423d4bf.
+
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
+ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';

packages/db/migrations/meta/0034_snapshot.json

@@ -0,0 +1,210 @@
+{
+  "id": "0034_extend_pet_profile_columns",
+  "prevId": "b3a381ca-f7a4-450f-aa7e-fdc2d652dc97",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.pets": {
+      "name": "pets",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "species": {
+          "name": "species",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "breed": {
+          "name": "breed",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "weight_kg": {
+          "name": "weight_kg",
+          "type": "numeric(5, 2)",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "date_of_birth": {
+          "name": "date_of_birth",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "health_alerts": {
+          "name": "health_alerts",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "grooming_notes": {
+          "name": "grooming_notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cut_style": {
+          "name": "cut_style",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "shampoo_preference": {
+          "name": "shampoo_preference",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "special_care_notes": {
+          "name": "special_care_notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "coat_type": {
+          "name": "coat_type",
+          "type": "coat_type",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "pet_size_category": {
+          "name": "pet_size_category",
+          "type": "pet_size_category",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "temperament_score": {
+          "name": "temperament_score",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "temperament_flags": {
+          "name": "temperament_flags",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'::jsonb"
+        },
+        "medical_alerts": {
+          "name": "medical_alerts",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'::jsonb"
+        },
+        "preferred_cuts": {
+          "name": "preferred_cuts",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'::jsonb"
+        },
+        "custom_fields": {
+          "name": "custom_fields",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'::jsonb"
+        },
+        "photo_key": {
+          "name": "photo_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "photo_uploaded_at": {
+          "name": "photo_uploaded_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "pets_client_id_clients_id_fk": {
+          "name": "pets_client_id_clients_id_fk",
+          "tableFrom": "pets",
+          "tableTo": "clients",
+          "columnsFrom": [
+            "client_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "coat_type": {
+      "name": "coat_type",
+      "values": [
+        "short",
+        "medium",
+        "long",
+        "wire",
+        "double",
+        "hairless",
+        "curly"
+      ]
+    },
+    "pet_size_category": {
+      "name": "pet_size_category",
+      "values": [
+        "small",
+        "medium",
+        "large",
+        "extra_large"
+      ]
+    }
+  },
+  "nativeEnums": {}
+}

packages/db/migrations/meta/_journal.json

@@ -239,6 +239,48 @@
       "when": 1779500000000,
       "tag": "0033_add_services_default_buffer_minutes",
       "breakpoints": true
+    },
+    {
+      "idx": 34,
+      "version": "7",
+      "when": 1751140800000,
+      "tag": "0034_extend_pet_profile_columns",
+      "breakpoints": true
+    },
+    {
+      "idx": 36,
+      "version": "7",
+      "when": 1751480000000,
+      "tag": "0036_add_missing_coat_type_values",
+      "breakpoints": true
+    },
+    {
+      "idx": 37,
+      "version": "7",
+      "when": 1751500000000,
+      "tag": "0037_add_extra_large_to_pet_size_category",
+      "breakpoints": true
+    },
+    {
+      "idx": 38,
+      "version": "7",
+      "when": 1780000000000,
+      "tag": "0038_register_extra_large_pet_size_category",
+      "breakpoints": true
+    },
+    {
+      "idx": 39,
+      "version": "7",
+      "when": 1780000000001,
+      "tag": "0039_extend_pet_profile_columns_idempotent",
+      "breakpoints": true
+    },
+    {
+      "idx": 40,
+      "version": "7",
+      "when": 1780000000002,
+      "tag": "0040_register_missing_coat_type_values",
+      "breakpoints": true
     }
   ]
-}
+}

packages/db/src/seed.ts

@@ -20,6 +20,7 @@ import postgres from "postgres";
 import { drizzle } from "drizzle-orm/postgres-js";
 import { eq, and, sql } from "drizzle-orm";
 import * as schema from "./schema.js";
+import type { MedicalAlert } from "@groombook/types";
 
 // ── Seed profile configuration ─────────────────────────────────────────────
 
@@ -243,6 +244,59 @@ const groomingNotes = [
   "Previous clipper burn — be gentle on belly",
 ];
 
+// ── Extended pet profile pools ─────────────────────────────────────────────────
+
+const temperamentFlagPool: string[] = [
+  "friendly",
+  "anxious-with-strangers",
+  "good-with-kids",
+  "leash-reactive",
+  "vocal",
+  "high-energy",
+  "calm-on-table",
+  "treat-motivated",
+];
+
+const medicalAlertPool: MedicalAlert[] = [
+  { id: "", type: "allergies", description: "Seasonal allergies — monitor skin", severity: "low" },
+  { id: "", type: "allergies", description: "Chicken allergy — avoid poultry-based treats", severity: "high" },
+  { id: "", type: "joint", description: "Hip dysplasia — handle with care", severity: "medium" },
+  { id: "", type: "joint", description: "Arthritis — anti-inflammatory medication on file", severity: "medium" },
+  { id: "", type: "dental", description: "Dental disease — extractions in history", severity: "medium" },
+  { id: "", type: "dental", description: "Baby teeth retained — vet monitor", severity: "low" },
+  { id: "", type: "heart", description: "Heart murmur grade II — avoid stress", severity: "high" },
+  { id: "", type: "heart", description: "Murmur cleared by vet last year", severity: "low" },
+  { id: "", type: "other", description: "Eye ulcer history — be careful around face", severity: "medium" },
+  { id: "", type: "other", description: "Seizure history — avoid flashing lights", severity: "high" },
+  { id: "", type: "other", description: "Luxating patella — short walks only", severity: "medium" },
+  { id: "", type: "other", description: "Ear infections — dry thoroughly after bath", severity: "low" },
+  { id: "", type: "behavioral", description: "Anxiety — calm environment preferred", severity: "low" },
+  { id: "", type: "behavioral", description: "Fear-based aggression — approach with caution", severity: "high" },
+  { id: "", type: "skin", description: "Contact dermatitis — avoid harsh chemicals", severity: "medium" },
+  { id: "", type: "skin", description: "Hot spots — monitor and report any worsening", severity: "high" },
+];
+
+const preferredCutPool: string[] = [
+  "Puppy Cut",
+  "Teddy Bear Cut",
+  "Lion Cut",
+  "Breed Standard",
+  "Summer Shave",
+  "Kennel Cut",
+  "Lamb Cut",
+  "Continental Clip",
+  "Sporting Clip",
+  "Sanitary Trim",
+  "Face & Feet Trim",
+  "Full Groom",
+];
+
+type CoatType = (typeof schema.coatTypeEnum.enumValues)[number];
+type PetSizeCategory = (typeof schema.petSizeCategoryEnum.enumValues)[number];
+
+const coatTypePool: CoatType[] = ["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"];
+const petSizeCategoryPool: PetSizeCategory[] = ["small", "medium", "large", "extra_large"];
+
 const appointmentNotes = [
   null, null, null, null,
   "Client requested extra brushing",
@@ -335,78 +389,21 @@ const servicesDef = [
   { id: "b0000001-0000-0000-0000-00000000000a", name: "Sanitary Trim", desc: "Hygienic trim of paw pads, face, and sanitary areas", price: 2500, dur: 20 },
 ];
 
-// ── Known-users-only seed (prod/demo) ───────────────────────────────────────
+// ── UAT staff account seeding (shared between seed paths) ─────────────────────
 
 /**
- * Seeds only the minimal known users for prod/demo environments.
- * Creates: Demo Manager staff + Demo Client + Demo Dog + basic services.
- * Idempotent: skips creation if records already exist.
+ * Seeds or upserts the deterministic UAT staff accounts with numeric OIDC subs
+ * from SEED_UAT_*_OIDC_SUB / SEED_UAT_GROOMER_OIDC_SUBS env vars.
+ *
+ * In the full seed path this must run AFTER random staff are created so the
+ * deterministic upserts land on the correct rows (groomers referenced by the
+ * UAT test-client appointment logic use groomers[0] etc.).
+ *
+ * In seedKnownUsers() this replaces the inline UAT-staff block.
  */
-async function seedKnownUsers() {
-  const url = process.env.DATABASE_URL;
-  if (!url) {
-    console.error("DATABASE_URL is not set");
-    process.exit(1);
-  }
-
-  const client = postgres(url, { max: 5 });
-  const db = drizzle(client, { schema });
-
-  console.log("Seeding known users (prod/demo mode)...\n");
-
-  const KNOWN_STAFF_ID = "00000000-0000-0000-0000-000000000001";
-  const DEMO_CLIENT_ID = "00000000-0000-0000-0000-000000000002";
-  const DEMO_PET_ID = "00000000-0000-0000-0000-000000000003";
-
-  // ── Staff: Demo Manager ──
-  const [existingStaff] = await db
-    .select()
-    .from(schema.staff)
-    .where(eq(schema.staff.email, "demo-manager@groombook.dev"))
-    .limit(1);
-
-  if (existingStaff) {
-    console.log(`✓ Staff '${existingStaff.name}' already exists — skipping`);
-  } else {
-    await db.insert(schema.staff).values({
-      id: KNOWN_STAFF_ID,
-      name: "Demo Manager",
-      email: "demo-manager@groombook.dev",
-      oidcSub: "demo-manager-001",
-      role: "manager",
-      isSuperUser: true,
-      active: true,
-    });
-    console.log("✓ Created staff 'Demo Manager' (oidcSub: demo-manager-001)");
-  }
-
-  // ── Staff: SEED_ADMIN_EMAIL admin ──
-  const adminEmail = process.env.SEED_ADMIN_EMAIL;
-  if (adminEmail) {
-    const adminName = process.env.SEED_ADMIN_NAME ?? "Admin";
-    const ADMIN_STAFF_ID = "00000000-0000-0000-0000-000000000002";
-    const [existingAdmin] = await db
-      .select()
-      .from(schema.staff)
-      .where(eq(schema.staff.email, adminEmail))
-      .limit(1);
-
-    if (existingAdmin) {
-      console.log(`✓ Staff admin '${existingAdmin.name}' already exists — skipping`);
-    } else {
-      await db.insert(schema.staff).values({
-        id: ADMIN_STAFF_ID,
-        name: adminName,
-        email: adminEmail,
-        oidcSub: adminEmail,
-        role: "manager",
-        isSuperUser: true,
-        active: true,
-      });
-      console.log(`✓ Created staff admin '${adminName}' (${adminEmail})`);
-    }
-  }
-
+async function seedUatStaffAccounts(
+  db: ReturnType<typeof drizzle>,
+): Promise<string | null> {
   // ── Staff: UAT Super User (oidcSub from SEED_UAT_SUPER_OIDC_SUB env var) ──
   const uatSuperOidcSub = process.env.SEED_UAT_SUPER_OIDC_SUB;
   if (uatSuperOidcSub) {
@@ -574,25 +571,342 @@ async function seedKnownUsers() {
     }
   }
 
-  // ── Services: idempotent upsert using name as unique key ─────────────────────
-  // UNIQUE constraint on services.name (migration 0020) must exist first.
-  // Uses b0000001-... IDs to match main seed servicesDef for same-named services.
+  // ── Client: UAT Customer ─────────────────────────────────────────────────────
+  // Only uat-customer is a real end-user who needs a clients row.
+  // uat-groomer and uat-super are staff — they have staff records, not client records.
+  const UAT_CUSTOMER_ID = "c0000001-0000-0000-0000-000000000001";
+  const [uatCustomerRow] = await db
+    .select()
+    .from(schema.clients)
+    .where(eq(schema.clients.email, "uat-customer@groombook.dev"))
+    .limit(1);
+
+  let uatCustomerClientId: string;
+  if (uatCustomerRow) {
+    uatCustomerClientId = uatCustomerRow.id;
+    console.log(`✓ UAT Customer client record already exists — skipping`);
+  } else {
+    const [created] = await db
+      .insert(schema.clients)
+      .values({
+        id: UAT_CUSTOMER_ID,
+        email: "uat-customer@groombook.dev",
+        name: "UAT Customer",
+        phone: "555-0102",
+        address: "1 UAT Lane, Test City, CA 90210",
+      })
+      .returning();
+    uatCustomerClientId = created!.id;
+    console.log(`✓ Created client 'UAT Customer' for SSO bridge`);
+  }
+
+  // ── Pets: UAT Customer's dogs ────────────────────────────────────────────────
+  const uatCustomerPets = [
+    { id: "c0000001-0000-0000-0000-000000000002", name: "UAT Pup Alpha", species: "Dog", breed: "Beagle", weight: "12.00", dob: "2022-03-10", image: "/demo-pets/dog-beagle.png" },
+    { id: "c0000001-0000-0000-0000-000000000003", name: "UAT Pup Beta",  species: "Dog", breed: "Labrador", weight: "28.00", dob: "2021-07-22", image: "/demo-pets/dog-labrador.png" },
+  ];
+  for (const pet of uatCustomerPets) {
+    const [existing] = await db
+      .select()
+      .from(schema.pets)
+      .where(eq(schema.pets.id, pet.id))
+      .limit(1);
+
+    if (existing) {
+      // Upsert so extended fields are always populated on re-runs
+      await db.insert(schema.pets)
+        .values({
+          id: pet.id,
+          clientId: uatCustomerClientId,
+          name: pet.name,
+          species: pet.species,
+          breed: pet.breed,
+          weightKg: pet.weight,
+          dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
+          image: pet.image,
+          temperamentScore: randInt(1, 5),
+          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
+          medicalAlerts: [],
+          preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
+          coatType: pick(coatTypePool),
+          petSizeCategory: pick(petSizeCategoryPool),
+        })
+        .onConflictDoUpdate({
+          target: schema.pets.id,
+          set: {
+            clientId: uatCustomerClientId,
+            name: pet.name,
+            species: pet.species,
+            breed: pet.breed,
+            weightKg: pet.weight,
+            dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
+            image: pet.image,
+            temperamentScore: randInt(1, 5),
+            temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
+            medicalAlerts: [],
+            preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
+            coatType: pick(coatTypePool),
+            petSizeCategory: pick(petSizeCategoryPool),
+          },
+        });
+      console.log(`✓ Upserted UAT pet '${pet.name}' with extended fields`);
+    } else {
+      await db.insert(schema.pets).values({
+        id: pet.id,
+        clientId: uatCustomerClientId,
+        name: pet.name,
+        species: pet.species,
+        breed: pet.breed,
+        weightKg: pet.weight,
+        dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
+        image: pet.image,
+        temperamentScore: randInt(1, 5),
+        temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
+        medicalAlerts: [],
+        preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
+        coatType: pick(coatTypePool),
+        petSizeCategory: pick(petSizeCategoryPool),
+      });
+      console.log(`✓ Created UAT pet '${pet.name}' with extended fields`);
+    }
+  }
+
+  // ── GRO-2100: deterministic uat-groomer ↔ pet linkage ───────────────────────
+  // The UAT groomer (`uat-groomer@groombook.dev`, staffId 00000000-0000-0000-0000-000000000004)
+  // needs at least one linked pet/appointment or GRO-1987 TC-UAT-2/3 cannot run
+  // (the pet profile-summary endpoint returns 404 instead of 200/403).
+  //
+  // We deterministically link the UAT groomer to the UAT customer's first pet
+  // ("UAT Pup Alpha") and leave the second pet ("UAT Pup Beta") UNLINKED so
+  // TC-UAT-2 (200) and TC-UAT-3 (403) can both hardcode the stable petIds.
+  //
+  // The linkage call itself is performed by the caller AFTER the `services`
+  // catalogue has been seeded (this helper runs before services exist,
+  // which previously caused the linkage to be silently skipped on every
+  // reset). GRO-2100 follow-up.
+  return uatCustomerClientId;
+}
+
+/**
+ * GRO-2100: create a deterministic completed appointment linking the UAT groomer
+ * to "UAT Pup Alpha" (c0000001-0000-0000-0000-000000000002). "UAT Pup Beta"
+ * (c0000001-0000-0000-0000-000000000003) is intentionally left UNLINKED so
+ * GRO-1987 TC-UAT-3 can verify the 403 forbidden response.
+ *
+ * Idempotent: the deterministic appointment id (`a0000001-…-0001`) is the
+ * upsert key, so re-running the seed on every reset-demo-data CronJob
+ * (hourly per apps/overlays/uat/reset-cronjob.yaml) is safe.
+ */
+async function seedUatGroomerLinkage(
+  db: ReturnType<typeof drizzle>,
+  customerClientId: string | null,
+): Promise<void> {
+  const uatGroomerEmail = "uat-groomer@groombook.dev";
+  const LINKED_PET_ID = "c0000001-0000-0000-0000-000000000002"; // UAT Pup Alpha
+  const APPT_ID = "a0000001-0000-0000-0000-000000000001";
+
+  // Skip silently if the UAT Customer client wasn't created (non-UAT seed
+  // profile, e.g. seedKnownUsers() in an env without the UAT personas).
+  if (!customerClientId) {
+    return;
+  }
+
+  // Only run if the UAT groomer staff record actually exists — dev/test seeds
+  // that don't set SEED_UAT_STAFF_OIDC_SUB should not crash.
+  const [uatGroomerStaff] = await db
+    .select({ id: schema.staff.id })
+    .from(schema.staff)
+    .where(eq(schema.staff.email, uatGroomerEmail))
+    .limit(1);
+  if (!uatGroomerStaff) {
+    return;
+  }
+
+  // Skip if this exact appointment already exists (idempotent on re-seed).
+  const [existing] = await db
+    .select({ id: schema.appointments.id })
+    .from(schema.appointments)
+    .where(eq(schema.appointments.id, APPT_ID))
+    .limit(1);
+  if (existing) {
+    console.log(`✓ GRO-2100: uat-groomer linkage appointment already exists — skipping`);
+    return;
+  }
+
+  // Skip if the linked pet hasn't been seeded yet (defensive: caller should
+  // ensure pets exist; if the helper is re-ordered later we don't want to
+  // crash here).
+  const [linkedPet] = await db
+    .select({ id: schema.pets.id })
+    .from(schema.pets)
+    .where(eq(schema.pets.id, LINKED_PET_ID))
+    .limit(1);
+  if (!linkedPet) {
+    console.warn(`⚠ GRO-2100: UAT Pup Alpha (${LINKED_PET_ID}) not found — skipping uat-groomer linkage`);
+    return;
+  }
+
+  // The "Bath & Brush" service id is stable across the reset; falls back to
+  // any active service if it has not been seeded yet (e.g. seedKnownUsers
+  // runs in isolation).
+  const BATH_AND_BRUSH_ID = "b0000001-0000-0000-0000-000000000001";
+  const [bathService] = await db
+    .select({ id: schema.services.id })
+    .from(schema.services)
+    .where(eq(schema.services.id, BATH_AND_BRUSH_ID))
+    .limit(1);
+
+  let serviceId: string;
+  if (bathService) {
+    serviceId = bathService.id;
+  } else {
+    const [fallback] = await db
+      .select({ id: schema.services.id })
+      .from(schema.services)
+      .where(eq(schema.services.active, true))
+      .limit(1);
+    if (!fallback) {
+      console.warn(`⚠ GRO-2100: no active services found — skipping uat-groomer linkage`);
+      return;
+    }
+    serviceId = fallback.id;
+  }
+
+  // Schedule the completed appointment 7 days ago so the profile-summary's
+  // "recentGroomingHistory" window (last 10) reliably includes it.
+  const startTime = new Date();
+  startTime.setDate(startTime.getDate() - 7);
+  startTime.setHours(10, 0, 0, 0);
+  const endTime = new Date(startTime.getTime() + 45 * 60 * 1000);
+
+  await db.insert(schema.appointments).values({
+    id: APPT_ID,
+    clientId: customerClientId,
+    petId: LINKED_PET_ID,
+    serviceId,
+    staffId: uatGroomerStaff.id,
+    batherStaffId: null,
+    status: "completed",
+    startTime,
+    endTime,
+    notes: "GRO-2100: deterministic uat-groomer linkage for TC-UAT-2/3.",
+    priceCents: null,
+    confirmationStatus: "confirmed",
+  });
+  console.log(
+    `✓ GRO-2100: linked uat-groomer (${uatGroomerStaff.id}) → UAT Pup Alpha (${LINKED_PET_ID}) via appointment ${APPT_ID}`,
+  );
+}
+
+// ── Known-users-only seed (prod/demo) ───────────────────────────────────────
+
+/**
+ * Seeds only the minimal known users for prod/demo environments.
+ * Creates: Demo Manager staff + Demo Client + Demo Dog + basic services.
+ * Idempotent: skips creation if records already exist.
+ */
+async function seedKnownUsers() {
+  const url = process.env.DATABASE_URL;
+  if (!url) {
+    console.error("DATABASE_URL is not set");
+    process.exit(1);
+  }
+
+  const client = postgres(url, { max: 5 });
+  const db = drizzle(client, { schema });
+
+  console.log("Seeding known users (prod/demo mode)...\n");
+
+  const KNOWN_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+  const DEMO_CLIENT_ID = "00000000-0000-0000-0000-000000000002";
+  const DEMO_PET_ID = "00000000-0000-0000-0000-000000000003";
+
+  // ── Staff: Demo Manager ──
+  const [existingStaff] = await db
+    .select()
+    .from(schema.staff)
+    .where(eq(schema.staff.email, "demo-manager@groombook.dev"))
+    .limit(1);
+
+  if (existingStaff) {
+    console.log(`✓ Staff '${existingStaff.name}' already exists — skipping`);
+  } else {
+    await db.insert(schema.staff).values({
+      id: KNOWN_STAFF_ID,
+      name: "Demo Manager",
+      email: "demo-manager@groombook.dev",
+      oidcSub: "demo-manager-001",
+      role: "manager",
+      isSuperUser: true,
+      active: true,
+    });
+    console.log("✓ Created staff 'Demo Manager' (oidcSub: demo-manager-001)");
+  }
+
+  // ── Staff: SEED_ADMIN_EMAIL admin ──
+  const adminEmail = process.env.SEED_ADMIN_EMAIL;
+  if (adminEmail) {
+    const adminName = process.env.SEED_ADMIN_NAME ?? "Admin";
+    const ADMIN_STAFF_ID = "00000000-0000-0000-0000-000000000002";
+    const [existingAdmin] = await db
+      .select()
+      .from(schema.staff)
+      .where(eq(schema.staff.email, adminEmail))
+      .limit(1);
+
+    if (existingAdmin) {
+      console.log(`✓ Staff admin '${existingAdmin.name}' already exists — skipping`);
+    } else {
+      await db.insert(schema.staff).values({
+        id: ADMIN_STAFF_ID,
+        name: adminName,
+        email: adminEmail,
+        oidcSub: adminEmail,
+        role: "manager",
+        isSuperUser: true,
+        active: true,
+      });
+      console.log(`✓ Created staff admin '${adminName}' (${adminEmail})`);
+    }
+  }
+
+  // ── UAT staff accounts + Better Auth credentials (shared impl) ──────────────
+  // Extracted into seedUatStaffAccounts() so it runs in both seedKnownUsers()
+  // and the full seed() UAT branch.
+  const uatCustomerClientId = await seedUatStaffAccounts(db);
+
+  // ── Services: idempotent upsert keyed on `id` ─────────────────────────────
+  // GRO-2064: previously keyed on `services.name` while writing a
+  // deterministic `id`. If a stale row existed with the same `id` but a
+  // different `name`, PostgreSQL raised `services_pkey` (id collision)
+  // before the name-targeted ON CONFLICT could fire. Switch the conflict
+  // target to `services.id` so deterministic ids always win; pair with
+  // `TRUNCATE services … CASCADE` above so each reset rebuilds the
+  // catalogue from `servicesDef` cleanly. GRO-2033 close-out.
+  // Id↔name map MUST stay in sync with `servicesDef` (the canonical source
+  // of truth in the main `seed()` function).
   const demoSvcs = [
     { id: "b0000001-0000-0000-0000-000000000001", name: "Bath & Brush", description: "Full bath, blow-dry, brush out, and ear cleaning", basePriceCents: 4500, durationMinutes: 45 },
     { id: "b0000001-0000-0000-0000-000000000002", name: "Full Groom — Small", description: "Complete grooming for dogs under 25 lbs", basePriceCents: 6500, durationMinutes: 60 },
     { id: "b0000001-0000-0000-0000-000000000003", name: "Full Groom — Medium", description: "Complete grooming for dogs 25-50 lbs", basePriceCents: 8000, durationMinutes: 75 },
-    { id: "b0000001-0000-0000-0000-000000000004", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
+    { id: "b0000001-0000-0000-0000-000000000005", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
   ];
   for (const svc of demoSvcs) {
     await db.insert(schema.services)
       .values({ ...svc, active: true })
       .onConflictDoUpdate({
-        target: schema.services.name,
-        set: { description: svc.description, basePriceCents: svc.basePriceCents, durationMinutes: svc.durationMinutes, active: true },
+        target: schema.services.id,
+        set: { name: svc.name, description: svc.description, basePriceCents: svc.basePriceCents, durationMinutes: svc.durationMinutes, active: true },
       });
   }
   console.log(`✓ Seeded ${demoSvcs.length} services`);
 
+  // GRO-2100: deterministic uat-groomer ↔ UAT Pup Alpha linkage. Must run
+  // AFTER services are seeded (this helper looks up an active service id
+  // to attach to the appointment; on a fresh reset there are none yet at
+  // the time seedUatStaffAccounts() returns).
+  await seedUatGroomerLinkage(db, uatCustomerClientId);
+
   // ── Client: Demo Client ──
   const [existingClient] = await db
     .select()
@@ -662,6 +976,63 @@ async function seedKnownUsers() {
 
 // ── Main seed ────────────────────────────────────────────────────────────────
 
+// ── GRO-2123: serialize reset+seed with a Postgres advisory lock ────────
+// The reset-demo-data CronJob runs on an hourly schedule. With
+// concurrencyPolicy=Replace, a new pod can start while the previous one
+// is still mid-seed; the new pod's TRUNCATE then deletes rows the old pod
+// is still inserting, producing FK 23503 errors non-deterministically
+// (see GRO-2123: invoice_tip_splits → invoices).
+//
+// We hold a session-level advisory lock for the full duration of the
+// seed so that overlapping invocations block then proceed in order —
+// not skip. The key is a stable 32-bit constant so it can be referenced
+// from runbooks without ambiguity and binds to the single-argument
+// `pg_advisory_lock(int)` form, which postgres-js serializes as a plain
+// number (no bigint type plumbing required).
+const SEED_ADVISORY_LOCK_KEY = 0x47524f4f; // "GROO" in ASCII — arbitrary, stable
+
+/**
+ * Reserve a dedicated connection from `pool`, take the seed advisory lock
+ * on it, run `fn`, and release the lock + connection in a try/finally.
+ *
+ * CRITICAL: with postgres-js connection pooling, a session-level
+ * `pg_advisory_lock(KEY)` acquired on one pooled connection and released
+ * on a *different* one is a no-op (the lock is bound to the session /
+ * pg-backend that took it). We therefore reserve a dedicated connection
+ * for the lock and release it from the same reserved connection. The
+ * seed work itself still runs on the pooled connections.
+ */
+async function withSeedAdvisoryLock<T>(
+  pool: ReturnType<typeof postgres>,
+  fn: () => Promise<T>,
+): Promise<T> {
+  const lockConnection = await pool.reserve();
+  let lockHeld = false;
+  try {
+    await lockConnection`SELECT pg_advisory_lock(${SEED_ADVISORY_LOCK_KEY})`;
+    lockHeld = true;
+    console.log(`✓ Acquired seed advisory lock (key=${SEED_ADVISORY_LOCK_KEY})`);
+    const result = await fn();
+    await lockConnection`SELECT pg_advisory_unlock(${SEED_ADVISORY_LOCK_KEY})`;
+    lockHeld = false;
+    console.log(`✓ Released seed advisory lock`);
+    return result;
+  } finally {
+    if (lockHeld) {
+      try {
+        await lockConnection`SELECT pg_advisory_unlock(${SEED_ADVISORY_LOCK_KEY})`;
+      } catch (err) {
+        console.error("Failed to release seed advisory lock during cleanup:", err);
+      }
+    }
+    try {
+      lockConnection.release();
+    } catch (err) {
+      console.error("Failed to release reserved lock connection:", err);
+    }
+  }
+}
+
 async function seed() {
   const url = process.env.DATABASE_URL;
   if (!url) {
@@ -679,6 +1050,22 @@ async function seed() {
   const client = postgres(url, { max: 5 });
   const db = drizzle(client, { schema });
 
+  // GRO-2123: hold the seed advisory lock for the full body of runSeedBody.
+  // See the withSeedAdvisoryLock comment for why a reserved connection is
+  // required (postgres-js pooling would silently drop the lock otherwise).
+  await withSeedAdvisoryLock(client, async () => {
+    return await runSeedBody(client, db, profile, cfg);
+  });
+
+  await client.end();
+}
+
+async function runSeedBody(
+  client: ReturnType<typeof postgres>,
+  db: ReturnType<typeof drizzle>,
+  profile: SeedProfile,
+  cfg: ProfileConfig,
+): Promise<void> {
   console.log(`Seeding Groom Book database (profile: ${profile})...\n`);
 
   // ── Staff ──
@@ -695,7 +1082,13 @@ async function seed() {
     ({ id: uuid(), name: `Bather ${i + 1}`, email: `bather${i + 1}@groombook.dev`, role: "groomer" as const, isSuperUser: false })
   );
 
-  await db.execute(sql`TRUNCATE impersonation_sessions, impersonation_audit_logs, appointments, invoices, invoice_line_items, invoice_tip_splits, grooming_visit_logs CASCADE`);
+  // GRO-2064: also TRUNCATE `services` so each reset rebuilds the catalogue
+  // from `servicesDef` (deterministic IDs + UNIQUE(name)). Stale service rows
+  // (e.g. a prior `seedKnownUsers` run that wrote a different `name` for the
+  // same `id`) would otherwise cause the deterministic upsert to PK-collide
+  // on `services.id` — see CTO review on infra PR #605 (rev #4230). TRUNCATE
+  // CASCADE handles appointments/invoices FKs to services.id.
+  await db.execute(sql`TRUNCATE services, impersonation_sessions, impersonation_audit_logs, appointments, invoices, invoice_line_items, invoice_tip_splits, grooming_visit_logs CASCADE`);
 
   const allStaff = [...managerStaff, ...receptionistStaff, ...groomers, ...bathers];
   for (const s of allStaff) {
@@ -740,35 +1133,17 @@ async function seed() {
     console.log(`✓ Upserted admin staff '${adminName}' (${adminEmail})`);
   }
 
-  // ── UAT Groomer Personas (SEED_UAT_GROOMER_EMAILS + SEED_UAT_GROOMER_NAMES) ──
-  const groomerEmails = process.env.SEED_UAT_GROOMER_EMAILS?.split(",").map((e) => e.trim()).filter(Boolean) ?? [];
-  const groomerNames = process.env.SEED_UAT_GROOMER_NAMES?.split(",").map((n) => n.trim()).filter(Boolean) ?? [];
-  const groomerCount = Math.min(groomerEmails.length, groomerNames.length);
-  for (let i = 0; i < groomerCount; i++) {
-    const email = groomerEmails[i]!;
-    const name = groomerNames[i]!;
-    const staffId = `00000000-0000-0000-0000-${String(5 + i).padStart(12, "0")}`;
-    await db.insert(schema.staff)
-      .values({
-        id: staffId,
-        name,
-        email,
-        oidcSub: email,
-        role: "groomer",
-        isSuperUser: false,
-        active: true,
-      })
-      .onConflictDoUpdate({
-        target: schema.staff.email,
-        set: { id: staffId, name, role: "groomer", isSuperUser: false, active: true },
-      });
-    console.log(`✓ Upserted groomer '${name}' (${email})`);
-  }
+  // ── UAT staff accounts + Better Auth credentials (shared impl) ──────────────
+  // Seeds deterministic UAT staff with numeric OIDC subs and Better Auth credentials.
+  // Must run AFTER random staff are created so upserts land correctly.
+  const uatCustomerClientId = await seedUatStaffAccounts(db);
 
   // ── Services ──
-  // Upsert services using name as unique key. With deterministic IDs in
-  // servicesDef and TRUNCATE clearing downstream tables first, this is
-  // idempotent: first run inserts, subsequent runs update existing rows.
+  // GRO-2064: key the upsert on `services.id` (not `name`) so deterministic
+  // ids always win, and rely on the TRUNCATE above to clear stale rows before
+  // the catalogue is rebuilt. The previous name-targeted upsert failed with
+  // `services_pkey` when a prior run had left a row with the same id but a
+  // different name (CTO review on infra PR #605, rev #4230).
   const serviceIds: string[] = [];
   for (const s of servicesDef) {
     serviceIds.push(s.id);
@@ -782,12 +1157,18 @@ async function seed() {
         active: true,
       })
       .onConflictDoUpdate({
-        target: schema.services.name,
-        set: { description: s.desc, basePriceCents: s.price, durationMinutes: s.dur, active: true },
+        target: schema.services.id,
+        set: { name: s.name, description: s.desc, basePriceCents: s.price, durationMinutes: s.dur, active: true },
       });
   }
   console.log(`✓ Created ${servicesDef.length} services`);
 
+  // GRO-2100: deterministic uat-groomer ↔ UAT Pup Alpha linkage. Must run
+  // AFTER services are seeded (this helper looks up an active service id
+  // to attach to the appointment; on a fresh reset there are none yet at
+  // the time seedUatStaffAccounts() returns).
+  await seedUatGroomerLinkage(db, uatCustomerClientId);
+
   // ── Clients & Pets ──
   const now = new Date();
   const appointmentsBackDate = new Date(now);
@@ -853,6 +1234,19 @@ async function seed() {
           specialCareNotes: rand() < 0.1 ? "Vet clearance required before grooming" : null,
           customFields: {},
           image: petIndex < 250 ? pick(puggleImages) : pick(demoPetImages),
+          temperamentScore: randInt(1, 5),
+          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
+          medicalAlerts: (() => {
+            // ~30% of random-pool pets have alerts — lands squarely in the 25–35% AC band
+            if (rand() < 0.3) {
+              const count = rand() < 0.7 ? 1 : 2;
+              return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
+            }
+            return [];
+          })(),
+          preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
+          coatType: pick(coatTypePool),
+          petSizeCategory: pick(petSizeCategoryPool),
         });
 
         petRecords.push({ id: petId, clientId });
@@ -888,6 +1282,12 @@ async function seed() {
             specialCareNotes: pet.specialCareNotes,
             customFields: pet.customFields,
             image: pet.image,
+            temperamentScore: pet.temperamentScore,
+            temperamentFlags: pet.temperamentFlags,
+            medicalAlerts: pet.medicalAlerts,
+            preferredCuts: pet.preferredCuts,
+            coatType: pet.coatType,
+            petSizeCategory: pet.petSizeCategory,
           },
         });
     }
@@ -922,8 +1322,72 @@ async function seed() {
       .values({ id: uc.id, name: uc.name, email: uc.email, phone: uc.phone, address: uc.address })
       .onConflictDoUpdate({ target: schema.clients.id, set: { name: uc.name, email: uc.email, phone: uc.phone, address: uc.address } });
     await db.insert(schema.pets)
-      .values({ id: uc.petId, clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed, weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z"), image: pick(demoPetImages) })
-      .onConflictDoUpdate({ target: schema.pets.id, set: { clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed, weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z"), image: pick(demoPetImages) } });
+      .values({
+        id: uc.petId,
+        clientId: uc.id,
+        name: uc.petName,
+        species: "Dog",
+        breed: uc.petBreed,
+        weightKg: "25.00",
+        dateOfBirth: new Date("2021-03-15T00:00:00Z"),
+        image: pick(demoPetImages),
+        temperamentScore: randInt(1, 5),
+        temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
+        medicalAlerts: (() => {
+          // TestCooper always has a behavioral alert; TestRocky always has a skin alert.
+          // All other UAT test pets follow the 30% random distribution.
+          // Deterministic alerts on 2 of 507 pets (~0.4%) do not meaningfully shift
+          // the overall distribution from the 25-35% target band.
+          if (uc.petName === "TestCooper") {
+            return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
+          }
+          if (uc.petName === "TestRocky") {
+            return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
+          }
+          if (rand() < 0.3) {
+            const count = rand() < 0.7 ? 1 : 2;
+            return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
+          }
+          return [];
+        })(),
+        preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
+        coatType: pick(coatTypePool),
+        petSizeCategory: pick(petSizeCategoryPool),
+      })
+      .onConflictDoUpdate({
+        target: schema.pets.id,
+        set: {
+          clientId: uc.id,
+          name: uc.petName,
+          species: "Dog",
+          breed: uc.petBreed,
+          weightKg: "25.00",
+          dateOfBirth: new Date("2021-03-15T00:00:00Z"),
+          image: pick(demoPetImages),
+          temperamentScore: randInt(1, 5),
+          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
+          medicalAlerts: (() => {
+            // TestCooper always has a behavioral alert; TestRocky always has a skin alert.
+            // All other UAT test pets follow the 30% random distribution.
+            // Deterministic alerts on 2 of 507 pets (~0.4%) do not meaningfully shift
+            // the overall distribution from the 25-35% target band.
+            if (uc.petName === "TestCooper") {
+              return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
+            }
+            if (uc.petName === "TestRocky") {
+              return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
+            }
+            if (rand() < 0.3) {
+              const count = rand() < 0.7 ? 1 : 2;
+              return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
+            }
+            return [];
+          })(),
+          preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
+          coatType: pick(coatTypePool),
+          petSizeCategory: pick(petSizeCategoryPool),
+        },
+      });
     // Create one completed appointment for this client
     const apptId = uuid();
     const svcIdx = 0;
@@ -1223,8 +1687,6 @@ async function seed() {
   }
   console.log(`✓ Created ${visitLogCount} grooming visit logs`);
   console.log("\nSeed complete!");
-
-  await client.end();
 }
 
 seed().catch((err) => {

packages/types/src/index.ts

@@ -225,3 +225,34 @@ export interface MedicalAlert {
 }
 
 export type CoatType = "smooth" | "double" | "curly" | "wire" | "long" | "hairless";
+
+export interface GroomingHistoryEntry {
+  id: string;
+  petId: string;
+  appointmentId: string | null;
+  staffId: string | null;
+  staffName: string | null;
+  cutStyle: string | null;
+  productsUsed: string | null;
+  notes: string | null;
+  groomedAt: string;
+  createdAt: string;
+}
+
+export interface UpcomingAppointment {
+  id: string;
+  serviceId: string;
+  serviceName: string;
+  staffId: string | null;
+  staffName: string | null;
+  startTime: string;
+  endTime: string;
+  status: AppointmentStatus;
+}
+
+export interface PetProfileSummary extends Pet {
+  recentGroomingHistory: GroomingHistoryEntry[];
+  lastVisitDate: string | null;
+  visitCount: number;
+  upcomingAppointment: UpcomingAppointment | null;
+}

src/__tests__/petProfileSummary.test.ts

@@ -0,0 +1,647 @@
+/**
+ * Pet Profile Summary Tests
+ *
+ * Covers GET /api/pets/:id/profile-summary in the deployed tree (root src/).
+ *
+ * Two suites share one mock harness:
+ *
+ *   1. GRO-2013 owner-bypass (the deployed-tree port of #135):
+ *      A customer who is auto-provisioned as a `groomer` staff row by rbac.ts
+ *      (with no appointment linkage) may still read their own pet's summary
+ *      when they supply a valid X-Impersonation-Session-Id whose clientId
+ *      matches the pet's clientId.
+ *
+ *   2. GRO-2014 error handling (deployed tree):
+ *      - Empty-body 500 must never escape the route — the onError handler
+ *        converts unhandled errors into a structured JSON 500.
+ *      - Malformed UUIDs must return 404 (not 500 via a Postgres uuid cast).
+ *      - Missing staff context must return 401 (not TypeError on staffRow.id).
+ *      - Pet not found must return 404.
+ *      - Groomer with no appointment linkage must return 403.
+ *      - Manager and groomer with linkage must receive the summary body.
+ *
+ * Deployed tree handler: src/routes/pets.ts. The mock queries the
+ * `appointments` table (the live schema) for visit history, not
+ * `groomingVisitLogs`.
+ */
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Hono } from "hono";
+import type { AppEnv, StaffRow } from "../middleware/rbac.js";
+
+// ─── Staff fixtures ──────────────────────────────────────────────────────────
+
+const MANAGER: StaffRow = {
+  id: "staff-manager-id",
+  oidcSub: "oidc-manager-sub",
+  userId: null,
+  role: "manager",
+  isSuperUser: true,
+  name: "Manager McManager",
+  email: "manager@example.com",
+  active: true,
+  icalToken: null,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+const GROOMER: StaffRow = {
+  ...MANAGER,
+  id: "staff-groomer-id",
+  oidcSub: "oidc-groomer-sub",
+  role: "groomer",
+  isSuperUser: false,
+  name: "Groomer Gary",
+  email: "groomer@example.com",
+};
+
+/**
+ * Mirrors the auto-provisioned "groomer" staff row rbac.ts creates for an
+ * OIDC user (e.g. uat-customer@groombook.dev) on first login: role=groomer,
+ * no appointment linkage.
+ */
+const CUSTOMER_STAFF: StaffRow = {
+  ...MANAGER,
+  id: "staff-customer-id",
+  oidcSub: null,
+  userId: "user-customer-id",
+  role: "groomer",
+  name: "UAT Customer",
+  email: "uat-customer@groombook.dev",
+};
+
+// ─── Mutable mock state ─────────────────────────────────────────────────────
+
+const CLIENT_ID = "c0000001-0000-0000-0000-000000000001";
+const PET_ID = "c0000001-0000-0000-0000-000000000002";
+const OTHER_CLIENT_PET_ID = "c0000002-0000-0000-0000-000000000099";
+const UNKNOWN_PET_UUID = "00000000-0000-0000-0000-000000000001";
+
+const futureDate = () => new Date(Date.now() + 30 * 60_000);
+const pastDate = () => new Date(Date.now() - 5 * 60_000);
+
+function makePet(overrides: Record<string, unknown> = {}) {
+  return {
+    id: PET_ID,
+    clientId: CLIENT_ID,
+    name: "Biscuit",
+    species: "dog",
+    breed: "Golden Retriever",
+    weightKg: "30.00",
+    dateOfBirth: null,
+    healthAlerts: null,
+    groomingNotes: null,
+    cutStyle: null,
+    shampooPreference: null,
+    specialCareNotes: null,
+    customFields: {},
+    petSizeCategory: "large",
+    coatType: "double",
+    photoKey: null,
+    photoUploadedAt: null,
+    createdAt: new Date("2024-01-01"),
+    updatedAt: new Date("2024-01-01"),
+    ...overrides,
+  };
+}
+
+function makeAppointment(overrides: Record<string, unknown> = {}) {
+  return {
+    id: "appt-1",
+    clientId: CLIENT_ID,
+    petId: PET_ID,
+    serviceId: "service-1",
+    staffId: GROOMER.id,
+    batherStaffId: null,
+    status: "completed",
+    startTime: new Date("2024-06-01T09:00:00Z"),
+    endTime: new Date("2024-06-01T11:00:00Z"),
+    notes: null,
+    priceCents: 6000,
+    seriesId: null,
+    seriesIndex: null,
+    groupId: null,
+    confirmationStatus: "confirmed",
+    confirmedAt: null,
+    cancelledAt: null,
+    confirmationToken: null,
+    customerNotes: null,
+    createdAt: new Date("2024-05-15"),
+    updatedAt: new Date("2024-05-15"),
+    ...overrides,
+  };
+}
+
+function makeService(overrides: Record<string, unknown> = {}) {
+  return {
+    id: "service-1",
+    name: "Full Groom",
+    description: null,
+    basePriceCents: 6000,
+    durationMinutes: 120,
+    active: true,
+    createdAt: new Date(),
+    updatedAt: new Date(),
+    ...overrides,
+  };
+}
+
+function makeSession(overrides: Record<string, unknown> = {}) {
+  return {
+    id: "sess-owner",
+    staffId: CUSTOMER_STAFF.id,
+    clientId: CLIENT_ID,
+    reason: "sso-bridge",
+    status: "active",
+    startedAt: new Date(),
+    endedAt: null,
+    expiresAt: futureDate(),
+    createdAt: new Date(),
+    ...overrides,
+  };
+}
+
+// ─── DB mock state ──────────────────────────────────────────────────────────
+
+let petsTable: Record<string, unknown>[];
+let appointmentsTable: Record<string, unknown>[];
+let servicesTable: Record<string, unknown>[];
+let sessionsTable: Record<string, unknown>[];
+
+// selectQueue: queries resolve in FIFO order. Each .from(table) result
+// returns a chain that resolves to the next queued row set on a terminal
+// call (.where()/.orderBy()/.limit()).
+//
+// A queued entry of `{ table: "pets", rows: null, throw: "..." }` tells the
+// mock to throw instead of returning rows — used by the GRO-2014 "JSON
+// envelope on downstream error" test. Any other queued entry with `rows`
+// resolves to those rows. An entry with `rows: []` returns an empty array
+// (no rows, no throw).
+let selectQueue: Array<{
+  table: string;
+  rows: unknown[] | null;
+  throw?: string;
+}> = [];
+
+// Captured `db.insert(table).values(vals)` calls. Mirrors the pattern from
+// src/__tests__/impersonation.test.ts so the GRO-2063 audit row assertions
+// can inspect what the route tried to write without needing a real DB.
+let insertCapture: Array<{ table: string; vals: Record<string, unknown> }> = [];
+
+function enqueue(table: string, rows: unknown[] = []) {
+  selectQueue.push({ table, rows });
+}
+
+function enqueueThrow(table: string, message: string) {
+  selectQueue.push({ table, rows: null, throw: message });
+}
+
+function resetMock() {
+  petsTable = [makePet()];
+  appointmentsTable = [makeAppointment()];
+  servicesTable = [makeService()];
+  sessionsTable = [makeSession()];
+  selectQueue = [];
+  insertCapture = [];
+}
+
+// ─── Module mocks ───────────────────────────────────────────────────────────
+
+vi.mock("@groombook/db", () => {
+  function makeTable(name: string) {
+    return new Proxy(
+      { _name: name },
+      {
+        get(target, prop) {
+          if (prop === "_name") return name;
+          if (prop === "$inferSelect") return {};
+          return { table: name, column: prop };
+        },
+      }
+    );
+  }
+
+  function sqlMock(_strings: TemplateStringsArray, ..._params: unknown[]) {
+    const queryString = _strings[0];
+    return {
+      queryChunks: [queryString],
+      as: (alias: string) => ({
+        queryChunks: [queryString],
+        fieldAlias: alias,
+        getSQL() { return this.queryChunks; },
+      }),
+    };
+  }
+
+  function takeQueuedRows(tableName: string): unknown[] {
+    const next = selectQueue.shift();
+    if (next && next.table === tableName) {
+      if (next.throw) {
+        throw new Error(next.throw);
+      }
+      return next.rows ?? [];
+    }
+    return [];
+  }
+
+  // Wrap a finalised result in a Proxy that exposes chainable methods
+  // and the resolved rows. Each call to a chainable method (where/orderBy/
+  // limit/...) returns the SAME rows so the route's natural await on the
+  // chain resolves to the queued data.
+  function wrapRows(rows: unknown[]): unknown {
+    return new Proxy(rows, {
+      get(target, prop: string | symbol) {
+        if (prop === "where" || prop === "orderBy" || prop === "limit"
+          || prop === "leftJoin" || prop === "innerJoin" || prop === "from") {
+          return () => wrapRows(rows);
+        }
+        if (prop === "then") {
+          return (onFulfilled?: (v: unknown) => unknown, onRejected?: (e: unknown) => unknown) =>
+            Promise.resolve(rows).then(onFulfilled, onRejected);
+        }
+        if (prop === Symbol.iterator) {
+          return function* () { for (const v of target) yield v; };
+        }
+        if (prop === Symbol.asyncIterator) {
+          return async function* () { for (const v of target) yield v; };
+        }
+        // @ts-expect-error proxy access
+        return target[prop];
+      },
+    });
+  }
+
+  return {
+    getDb: () => ({
+      select: (_cols?: Record<string, unknown>) => ({
+        from: (table: { _name?: string }) => wrapRows(takeQueuedRows(table._name ?? "")),
+      }),
+      insert: (table: { _name?: string }) => ({
+        values: (vals: Record<string, unknown>) => {
+          insertCapture.push({ table: table._name ?? "unknown", vals });
+          return { returning: () => [{}] };
+        },
+      }),
+      update: () => ({ set: () => ({ where: () => ({ returning: () => [{}] }) }) }),
+      delete: () => ({ where: () => ({ returning: () => [{}] }) }),
+    }),
+    pets: makeTable("pets"),
+    appointments: makeTable("appointments"),
+    staff: makeTable("staff"),
+    services: makeTable("services"),
+    impersonationSessions: makeTable("impersonationSessions"),
+    impersonationAuditLogs: makeTable("impersonation_audit_logs"),
+    and: vi.fn((..._args: unknown[]) => ({})),
+    desc: vi.fn((c: unknown) => c),
+    eq: vi.fn((_a: unknown, _b: unknown) => ({})),
+    exists: vi.fn(() => true),
+    or: vi.fn((..._args: unknown[]) => ({})),
+    sql: sqlMock,
+  };
+});
+
+vi.mock("../lib/s3.js", () => ({
+  getPresignedUploadUrl: vi.fn(),
+  getPresignedGetUrl: vi.fn(),
+  deleteObject: vi.fn(),
+}));
+
+// ─── Import after mocks are set up ──────────────────────────────────────────
+
+const { petsRouter } = await import("../routes/pets.js");
+
+// ─── App builder ────────────────────────────────────────────────────────────
+
+function buildApp(staffRow: StaffRow | null) {
+  const app = new Hono<AppEnv>();
+  app.use("*", async (c, next) => {
+    if (staffRow) {
+      c.set("jwtPayload", { sub: staffRow.oidcSub ?? staffRow.userId ?? "" });
+      c.set("staff", staffRow);
+    }
+    await next();
+  });
+  app.route("/pets", petsRouter);
+  return app;
+}
+
+// ─── Reset before each test ─────────────────────────────────────────────────
+
+beforeEach(() => {
+  resetMock();
+  vi.clearAllMocks();
+});
+
+// ─── GRO-2014 error-handling suite ──────────────────────────────────────────
+
+describe("GET /:id/profile-summary — GRO-2014 error handling", () => {
+  it("returns 404 (not 500) for a malformed UUID path param", async () => {
+    const app = buildApp(MANAGER);
+    const res = await app.request("/pets/not-a-uuid/profile-summary");
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Not found");
+  });
+
+  it("returns 401 when staff context is missing (defense in depth)", async () => {
+    const app = buildApp(null);
+    const res = await app.request(`/pets/${UNKNOWN_PET_UUID}/profile-summary`);
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 404 when authenticated and pet does not exist", async () => {
+    enqueue("pets", []);
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${UNKNOWN_PET_UUID}/profile-summary`);
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Not found");
+  });
+
+  it("returns 403 when groomer has no appointment linkage to the pet's client", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", []); // linkage check returns empty → 403
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Forbidden");
+  });
+
+  it("returns 200 with summary for a manager (no groomer linkage check)", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", appointmentsTable); // history
+    enqueue("appointments", [{ count: 1 }]);    // visit count
+    enqueue("appointments", []);                // upcoming (none)
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as Record<string, unknown>;
+    expect(body.id).toBe(PET_ID);
+    expect(body.name).toBe("Biscuit");
+    expect(body.visitCount).toBe(1);
+    expect(body.upcomingAppointment).toBeNull();
+    expect(body.recentGroomingHistory).toBeInstanceOf(Array);
+  });
+
+  it("returns 200 with summary for a groomer with appointment linkage", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", [{ id: "appt-1" }]); // linkage found
+    enqueue("appointments", appointmentsTable);  // history
+    enqueue("appointments", [{ count: 1 }]);     // visit count
+    enqueue("appointments", []);                 // upcoming
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as Record<string, unknown>;
+    expect(body.id).toBe(PET_ID);
+  });
+
+  it("returns a JSON envelope (not empty body) when a downstream query throws", async () => {
+    enqueueThrow("pets", "simulated postgres uuid cast failure");
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(500);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Internal Server Error");
+  });
+});
+
+// ─── GRO-2013 owner-bypass suite ────────────────────────────────────────────
+
+describe("GET /:id/profile-summary — owner-bypass (GRO-2013)", () => {
+  it("returns 404 when the pet does not exist", async () => {
+    enqueue("pets", []);
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(404);
+  });
+
+  it("returns 200 with aggregated profile for a manager", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", appointmentsTable);
+    enqueue("appointments", [{ count: 1 }]);
+    enqueue("appointments", []);
+
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.id).toBe(PET_ID);
+    expect(body.name).toBe("Biscuit");
+    expect(body.recentGroomingHistory).toBeInstanceOf(Array);
+    expect(body.visitCount).toBe(1);
+    expect(body.upcomingAppointment).toBeNull();
+  });
+
+  it("returns 200 for a groomer with appointment linkage to the pet's client", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", [{ id: "appt-1" }]); // linkage found
+    enqueue("appointments", appointmentsTable);
+    enqueue("appointments", [{ count: 1 }]);
+    enqueue("appointments", []);
+
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+  });
+
+  it("returns 403 for a groomer with no appointment linkage and no bypass header", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", []); // no linkage
+
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(403);
+  });
+
+  it("customer-as-groomer with valid active session for pet's client returns 200", async () => {
+    enqueue("pets", petsTable);
+    enqueue("impersonationSessions", sessionsTable); // active session found
+    enqueue("appointments", appointmentsTable);
+    enqueue("appointments", [{ count: 1 }]);
+    enqueue("appointments", []);
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-owner" },
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.id).toBe(PET_ID);
+  });
+
+  it("customer-as-groomer with no header still gets 403 (no bypass)", async () => {
+    enqueue("pets", petsTable);
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(403);
+  });
+
+  it("customer-as-groomer with session for a DIFFERENT client gets 403 (cross-tenant blocked)", async () => {
+    // Session exists but clientId !== pet.clientId → bypass does not apply
+    // → falls through to groomer linkage check → no linkage → 403
+    enqueue("pets", petsTable);
+    enqueue("impersonationSessions", [
+      makeSession({
+        id: "sess-other-client",
+        clientId: "c0000000-0000-0000-0000-000000000099", // different from CLIENT_ID
+      }),
+    ]);
+    enqueue("appointments", []); // no linkage → 403
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-other-client" },
+    });
+    expect(res.status).toBe(403);
+  });
+
+  it("customer-as-groomer with expired session still gets 403", async () => {
+    enqueue("pets", petsTable);
+    enqueue("impersonationSessions", [
+      makeSession({ id: "sess-expired", expiresAt: pastDate() }),
+    ]);
+    enqueue("appointments", []); // no linkage → 403
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-expired" },
+    });
+    expect(res.status).toBe(403);
+  });
+
+  it("customer-as-groomer with ended (status != active) session still gets 403", async () => {
+    enqueue("pets", petsTable);
+    enqueue("impersonationSessions", [
+      makeSession({ id: "sess-ended", status: "ended" }),
+    ]);
+    enqueue("appointments", []); // no linkage → 403
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-ended" },
+    });
+    expect(res.status).toBe(403);
+  });
+
+  it("customer-as-groomer with unknown session id still gets 403", async () => {
+    enqueue("pets", petsTable);
+    enqueue("impersonationSessions", []); // session not found
+    enqueue("appointments", []); // no linkage → 403
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-unknown" },
+    });
+    expect(res.status).toBe(403);
+  });
+
+  it("manager does NOT need the impersonation header (existing role check still works)", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", appointmentsTable);
+    enqueue("appointments", [{ count: 1 }]);
+    enqueue("appointments", []);
+
+    const app = buildApp(MANAGER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+  });
+
+  it("groomer with linkage to pet's client still works (regression — no regression from bypass)", async () => {
+    enqueue("pets", petsTable);
+    enqueue("appointments", [{ id: "appt-1" }]); // linkage found
+    enqueue("appointments", appointmentsTable);
+    enqueue("appointments", [{ count: 1 }]);
+    enqueue("appointments", []);
+
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+  });
+
+  it("owner-bypass: customer cannot view another client's pet (cross-tenant block)", async () => {
+    // The customer has a valid session for CLIENT_ID, but the pet belongs
+    // to a different client → isOwner=false → falls through to groomer
+    // linkage check → 403.
+    enqueue("pets", [
+      makePet({ id: OTHER_CLIENT_PET_ID, clientId: "c0000002-0000-0000-0000-000000000002" }),
+    ]);
+    enqueue("impersonationSessions", sessionsTable); // valid session, but for CLIENT_ID
+    enqueue("appointments", []); // no linkage → 403
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${OTHER_CLIENT_PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-owner" },
+    });
+    expect(res.status).toBe(403);
+  });
+});
+
+// ─── GRO-2063 owner-bypass audit write ──────────────────────────────────────
+
+describe("GET /:id/profile-summary — owner-bypass audit row (GRO-2063)", () => {
+  it("writes exactly one audit row on the owner-bypass success path", async () => {
+    enqueue("pets", petsTable);
+    enqueue("impersonationSessions", sessionsTable); // valid active session for CLIENT_ID
+    enqueue("appointments", appointmentsTable);
+    enqueue("appointments", [{ count: 1 }]);
+    enqueue("appointments", []);
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-owner" },
+    });
+    expect(res.status).toBe(200);
+
+    const auditInserts = insertCapture.filter((c) => c.table === "impersonation_audit_logs");
+    expect(auditInserts).toHaveLength(1);
+    const vals = auditInserts[0]!.vals;
+    expect(vals.action).toBe("read_profile_summary");
+    expect(vals.sessionId).toBe("sess-owner");
+    expect(vals.pageVisited).toBe(`/pets/${PET_ID}/profile-summary`);
+    expect(vals.metadata).toEqual({
+      petId: PET_ID,
+      actorStaffId: CUSTOMER_STAFF.id,
+    });
+  });
+
+  it("does NOT write an audit row on the normal groomer-linkage success path", async () => {
+    // GROOMER is a "real" groomer with appointment linkage, NOT the
+    // auto-provisioned customer-as-groomer. No impersonation header is
+    // present, so the owner-bypass branch never executes.
+    enqueue("pets", petsTable);
+    enqueue("appointments", [{ id: "appt-1" }]); // linkage found
+    enqueue("appointments", appointmentsTable);
+    enqueue("appointments", [{ count: 1 }]);
+    enqueue("appointments", []);
+
+    const app = buildApp(GROOMER);
+    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
+    expect(res.status).toBe(200);
+
+    const auditInserts = insertCapture.filter((c) => c.table === "impersonation_audit_logs");
+    expect(auditInserts).toHaveLength(0);
+  });
+
+  it("does NOT write an audit row when the owner-bypass attempt is denied (cross-tenant)", async () => {
+    // Customer has a valid session but it points at a different client.
+    // isOwner=false, falls through to groomer linkage check, returns 403.
+    enqueue("pets", [
+      makePet({ id: OTHER_CLIENT_PET_ID, clientId: "c0000002-0000-0000-0000-000000000002" }),
+    ]);
+    enqueue("impersonationSessions", sessionsTable); // session is for CLIENT_ID
+    enqueue("appointments", []); // no linkage → 403
+
+    const app = buildApp(CUSTOMER_STAFF);
+    const res = await app.request(`/pets/${OTHER_CLIENT_PET_ID}/profile-summary`, {
+      headers: { "X-Impersonation-Session-Id": "sess-owner" },
+    });
+    expect(res.status).toBe(403);
+
+    const auditInserts = insertCapture.filter((c) => c.table === "impersonation_audit_logs");
+    expect(auditInserts).toHaveLength(0);
+  });
+});

src/__tests__/portalSessionFromAuth.test.ts

@@ -0,0 +1,206 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Hono } from "hono";
+import { getAuth } from "../lib/auth.js";
+
+const CLIENT_ID = "550e8400-e29b-41d4-a716-446655440001";
+const CLIENT_EMAIL = "alice@example.com";
+const CLIENT_NAME = "Alice Smith";
+
+const UAT_CUSTOMER_ID = "c0000001-0000-0000-0000-000000000001";
+const UAT_CUSTOMER_EMAIL = "uat-customer@groombook.dev";
+const UAT_CUSTOMER_NAME = "UAT Customer";
+
+const BETTER_AUTH_SESSION = {
+  user: {
+    id: "auth-user-001",
+    email: CLIENT_EMAIL,
+    name: CLIENT_NAME,
+  },
+  session: {
+    id: "ba-session-001",
+    expiresAt: new Date(Date.now() + 60 * 60 * 1000),
+  },
+};
+
+const MOCK_CLIENT = {
+  id: CLIENT_ID,
+  email: CLIENT_EMAIL,
+  name: CLIENT_NAME,
+};
+
+let mockGetAuth: ReturnType<typeof vi.fn>;
+let mockGetSession: ReturnType<typeof vi.fn>;
+let insertedSession: Record<string, unknown> | null = null;
+let mockClientRow: Record<string, unknown> | null = null;
+let mockStaffRow: Record<string, unknown> | null = null;
+
+function makeChainable(data: unknown[]): unknown {
+  const arr = [...data];
+  return new Proxy(arr, {
+    get(target, prop) {
+      if (prop === "where" || prop === "orderBy" || prop === "limit") {
+        return () => makeChainable(target);
+      }
+      // @ts-expect-error proxy
+      return target[prop];
+    },
+  });
+}
+
+vi.mock("@groombook/db", () => {
+  const impersonationSessions = new Proxy(
+    { _name: "impersonationSessions" },
+    { get: (t, p) => (p === "_name" ? "impersonationSessions" : { table: "impersonationSessions", column: p }) }
+  );
+
+  const clients = new Proxy(
+    { _name: "clients" },
+    { get: (t, p) => (p === "_name" ? "clients" : { table: "clients", column: p }) }
+  );
+
+  const staff = new Proxy(
+    { _name: "staff" },
+    { get: (t, p) => (p === "_name" ? "staff" : { table: "staff", column: p }) }
+  );
+
+  return {
+    getDb: () => ({
+      select: () => ({
+        from: (table: { _name: string }) => {
+          if (table._name === "clients") {
+            return makeChainable(mockClientRow ? [mockClientRow] : []);
+          }
+          if (table._name === "staff") {
+            return makeChainable(mockStaffRow ? [mockStaffRow] : []);
+          }
+          return makeChainable([]);
+        },
+      }),
+      insert: (table: { _name: string }) => ({
+        values: (vals: Record<string, unknown>) => ({
+          returning: () => {
+            if (table._name === "impersonationSessions") {
+              insertedSession = { id: "new-session-001", ...vals };
+              return [insertedSession];
+            }
+            return [];
+          },
+        }),
+      }),
+    }),
+    impersonationSessions,
+    clients,
+    staff,
+    eq: vi.fn(),
+    and: vi.fn(),
+    inArray: vi.fn(),
+  };
+});
+
+vi.mock("../lib/auth.js", () => ({
+  getAuth: vi.fn(),
+}));
+
+const { portalRouter } = await import("../routes/portal.js");
+
+const app = new Hono();
+app.route("/portal", portalRouter);
+
+describe("POST /portal/session-from-auth", () => {
+  beforeEach(() => {
+    insertedSession = null;
+    mockClientRow = null;
+    mockStaffRow = null;
+    mockGetSession = vi.fn();
+    mockGetAuth = vi.fn(() => ({
+      api: {
+        getSession: mockGetSession,
+      },
+    }));
+    vi.mocked(getAuth).mockImplementation(mockGetAuth);
+  });
+
+  it("returns 401 when no Better Auth session", async () => {
+    mockGetSession.mockResolvedValue(null);
+    const res = await app.request("/portal/session-from-auth", {
+      method: "POST",
+    });
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 404 when authenticated user has no client record", async () => {
+    mockGetSession.mockResolvedValue(BETTER_AUTH_SESSION);
+    mockClientRow = null;
+    const res = await app.request("/portal/session-from-auth", {
+      method: "POST",
+    });
+    expect(res.status).toBe(404);
+    const body = await res.json();
+    expect(body.error).toBe("No client record found for this user");
+  });
+
+  it("returns a portal session with sessionId, clientId, clientName when client is found", async () => {
+    mockGetSession.mockResolvedValue(BETTER_AUTH_SESSION);
+    mockClientRow = MOCK_CLIENT;
+    mockStaffRow = { id: "00000000-0000-0000-0000-000000000001" };
+    const res = await app.request("/portal/session-from-auth", {
+      method: "POST",
+    });
+    expect(res.status).toBe(201);
+    const body = await res.json();
+    expect(body).toHaveProperty("sessionId");
+    expect(body).toHaveProperty("clientId", CLIENT_ID);
+    expect(body).toHaveProperty("clientName", CLIENT_NAME);
+  });
+
+  it("creates a portal session with reason sso-bridge", async () => {
+    mockGetSession.mockResolvedValue(BETTER_AUTH_SESSION);
+    mockClientRow = MOCK_CLIENT;
+    mockStaffRow = { id: "00000000-0000-0000-0000-000000000001" };
+    const res = await app.request("/portal/session-from-auth", {
+      method: "POST",
+    });
+    expect(res.status).toBe(201);
+    expect(insertedSession).not.toBeNull();
+    expect((insertedSession as Record<string, unknown>).reason).toBe("sso-bridge");
+  });
+
+  it("returns 201 for uat-customer SSO bridge with correct clientId and clientName", async () => {
+    const uatAuthSession = {
+      user: {
+        id: "auth-user-uat-customer",
+        email: UAT_CUSTOMER_EMAIL,
+        name: UAT_CUSTOMER_NAME,
+      },
+      session: {
+        id: "ba-session-uat-customer",
+        expiresAt: new Date(Date.now() + 60 * 60 * 1000),
+      },
+    };
+    mockGetSession.mockResolvedValue(uatAuthSession);
+    mockClientRow = { id: UAT_CUSTOMER_ID, email: UAT_CUSTOMER_EMAIL, name: UAT_CUSTOMER_NAME };
+    mockStaffRow = { id: "00000000-0000-0000-0000-000000000001" };
+    const res = await app.request("/portal/session-from-auth", {
+      method: "POST",
+    });
+    expect(res.status).toBe(201);
+    const body = await res.json();
+    expect(body).toHaveProperty("sessionId");
+    expect(body.clientId).toBe(UAT_CUSTOMER_ID);
+    expect(body.clientName).toBe(UAT_CUSTOMER_NAME);
+    expect(insertedSession).not.toBeNull();
+    expect((insertedSession as Record<string, unknown>).reason).toBe("sso-bridge");
+  });
+
+  it("returns 503 when auth is not configured", async () => {
+    mockGetAuth.mockImplementation(() => {
+      throw new Error("Auth not initialized");
+    });
+    const res = await app.request("/portal/session-from-auth", {
+      method: "POST",
+    });
+    expect(res.status).toBe(503);
+  });
+});

src/__tests__/rbac.test.ts

@@ -43,42 +43,103 @@ const GROOMER: StaffRow = {
 
 // ─── Mock DB ──────────────────────────────────────────────────────────────────
 
+// staffLookupResult drives every `from(staff)` query that doesn't go through
+// the dev-mode `.limit()` shortcut. Tests that want to simulate "no staff row"
+// leave it null.
 let staffLookupResult: StaffRow | null = null;
+
+// managerFallbackResult is only consumed by the dev-mode `from(staff).limit(1)`
+// path (looking up the first manager when AUTH_DISABLED=true and no header).
 let managerFallbackResult: StaffRow | null = MANAGER;
 
+// userLookupResult drives `from(user).limit(1)` for the Better-Auth user
+// auto-provision branch (GRO-2052). Tests that simulate "no Better-Auth user"
+// leave it null.
+type UserRow = { id: string; name: string | null; email: string | null };
+let userLookupResult: UserRow | null = null;
+
+// accountLookupResult drives `from(account).limit(1)` for the legacy OIDC
+// auto-provision branch. Null means "no OIDC account row".
+let accountLookupResult: { id: string } | null = null;
+
+// insertReturningResult drives `insert(staff).values(...).returning()` for
+// any auto-provision branch that actually creates a staff record. Null means
+// the INSERT returned no rows (simulating a DB failure).
+let insertReturningResult: StaffRow | null = null;
+
 vi.mock("@groombook/db", () => {
-  const staff = new Proxy(
-    { _name: "staff" },
-    {
-      get(target, prop) {
-        if (prop === "_name") return "staff";
-        if (prop === "$inferSelect") return {};
-        return { table: "staff", column: prop };
-      },
-    }
-  );
+  function tableMarker(name: string) {
+    return new Proxy(
+      { _name: name },
+      {
+        get(_target, prop) {
+          if (prop === "_name") return name;
+          if (prop === "$inferSelect") return {};
+          return { table: name, column: prop };
+        },
+      }
+    );
+  }
+
+  const staff = tableMarker("staff");
+  const user = tableMarker("user");
+  const account = tableMarker("account");
+
+  function lookupFor(tableName: string) {
+    if (tableName === "user") return userLookupResult;
+    if (tableName === "account") return accountLookupResult;
+    return staffLookupResult;
+  }
 
   return {
     getDb: () => ({
-      select: () => ({
-        from: () => ({
-          where: () => ({
-            limit: () => {
-              // dev mode fallback to first manager
-              return managerFallbackResult ? [managerFallbackResult] : [];
-            },
-            [Symbol.iterator]: function* () {
-              if (staffLookupResult) yield staffLookupResult;
-            },
-            0: staffLookupResult,
-            length: staffLookupResult ? 1 : 0,
-          }),
+      select: (_columns?: unknown) => ({
+        from: (table: { _name?: string }) => {
+          const name = table?._name ?? "staff";
+          return {
+            where: () => ({
+              limit: () => {
+                // The user / account auto-provision branches always call
+                // `.limit(1)`; route to the per-table lookup state.
+                if (name === "user")
+                  return userLookupResult ? [userLookupResult] : [];
+                if (name === "account")
+                  return accountLookupResult ? [accountLookupResult] : [];
+                // dev-mode `from(staff).limit(1)` falls back to the first
+                // manager when AUTH_DISABLED is set with no header.
+                return managerFallbackResult ? [managerFallbackResult] : [];
+              },
+              [Symbol.iterator]: function* () {
+                const row = lookupFor(name);
+                if (row) yield row;
+              },
+              0: lookupFor(name),
+              length: lookupFor(name) ? 1 : 0,
+            }),
+          };
+        },
+      }),
+      insert: (_table: unknown) => ({
+        values: (_v: unknown) => ({
+          returning: () =>
+            insertReturningResult ? [insertReturningResult] : [],
+        }),
+      }),
+      update: (_table: unknown) => ({
+        set: (_v: unknown) => ({
+          where: () => Promise.resolve(undefined),
         }),
       }),
     }),
     staff,
+    user,
+    account,
     eq: vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val })),
     and: vi.fn((..._clauses: unknown[]) => ({})),
+    sql: Object.assign(
+      vi.fn((..._tpl: unknown[]) => ({})),
+      { raw: vi.fn(() => ({})) }
+    ),
   };
 });
 
@@ -87,16 +148,25 @@ vi.mock("@groombook/db", () => {
 function resetMocks() {
   staffLookupResult = null;
   managerFallbackResult = MANAGER;
+  userLookupResult = null;
+  accountLookupResult = null;
+  insertReturningResult = null;
 }
 
 /** Build a minimal Hono app with jwtPayload pre-set, then apply a middleware. */
 function buildApp(
   middleware: MiddlewareHandler<AppEnv>,
-  handler?: (c: Context<AppEnv>) => Response | Promise<Response>
+  handler?: (c: Context<AppEnv>) => Response | Promise<Response>,
+  jwtOverride?: Partial<{ sub: string; email: string; name: string }>
 ) {
   const app = new Hono<AppEnv>();
   app.use("*", async (c, next) => {
-    c.set("jwtPayload", { sub: staffLookupResult?.userId ?? "unknown-sub" });
+    const defaultSub = staffLookupResult?.userId ?? "unknown-sub";
+    c.set("jwtPayload", {
+      sub: jwtOverride?.sub ?? defaultSub,
+      ...(jwtOverride?.email !== undefined ? { email: jwtOverride.email } : {}),
+      ...(jwtOverride?.name !== undefined ? { name: jwtOverride.name } : {}),
+    });
     await next();
   });
   app.use("*", middleware);
@@ -204,6 +274,125 @@ describe("resolveStaffMiddleware", () => {
   });
 });
 
+// ─── Auto-provision branches (GRO-2052) ───────────────────────────────────────
+//
+// Each branch creates a staff row on first authenticated request when no row
+// exists yet. The Better-Auth branch (user table) is the primary path for
+// email/password customers; the OIDC branch (account table) is a fallback for
+// legacy authentik/google/github sessions.
+
+describe("resolveStaffMiddleware — auto-provision", () => {
+  const PROVISIONED: StaffRow = {
+    ...MANAGER,
+    id: "staff-provisioned-id",
+    oidcSub: null,
+    userId: "ba-user-customer",
+    role: "groomer",
+    isSuperUser: false,
+    name: "UAT Customer",
+    email: "uat-customer@groombook.dev",
+  };
+
+  it("Better-Auth: creates a groomer staff row when user exists but no staff record (GRO-2052)", async () => {
+    // No existing staff row, no OIDC account row, but a Better-Auth user row.
+    staffLookupResult = null;
+    userLookupResult = {
+      id: "ba-user-customer",
+      name: "UAT Customer",
+      email: "uat-customer@groombook.dev",
+    };
+    accountLookupResult = null;
+    insertReturningResult = PROVISIONED;
+
+    let capturedStaff: StaffRow | null = null;
+    const app = buildApp(
+      resolveStaffMiddleware,
+      (c) => {
+        capturedStaff = c.get("staff");
+        return c.json({ ok: true });
+      },
+      { sub: "ba-user-customer", email: "uat-customer@groombook.dev" }
+    );
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+    expect(capturedStaff).not.toBeNull();
+    expect(capturedStaff!.role).toBe("groomer");
+    expect(capturedStaff!.userId).toBe("ba-user-customer");
+  });
+
+  it("Better-Auth: returns 500 if INSERT yields no row", async () => {
+    staffLookupResult = null;
+    userLookupResult = {
+      id: "ba-user-customer",
+      name: "UAT Customer",
+      email: "uat-customer@groombook.dev",
+    };
+    insertReturningResult = null; // simulate INSERT … RETURNING returning []
+
+    const app = buildApp(resolveStaffMiddleware, undefined, {
+      sub: "ba-user-customer",
+      email: "uat-customer@groombook.dev",
+    });
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body.error).toMatch(/auto-provision failed/i);
+  });
+
+  it("Better-Auth branch runs before OIDC branch (does not require jwt.email)", async () => {
+    // A Better-Auth user row alone is sufficient: jwt.email is intentionally
+    // absent. The pre-GRO-2052 code only auto-provisioned inside `if (jwt.email)`.
+    staffLookupResult = null;
+    userLookupResult = {
+      id: "ba-user-customer",
+      name: "UAT Customer",
+      email: "uat-customer@groombook.dev",
+    };
+    insertReturningResult = PROVISIONED;
+
+    const app = buildApp(resolveStaffMiddleware, undefined, {
+      sub: "ba-user-customer",
+    });
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+  });
+
+  it("OIDC fallback: still provisions when user row is missing but account row exists", async () => {
+    // No staff row, no Better-Auth user, but an OIDC account row.
+    staffLookupResult = null;
+    userLookupResult = null;
+    accountLookupResult = { id: "oidc-account-id" };
+    insertReturningResult = { ...PROVISIONED, userId: "oidc-sub" };
+
+    const app = buildApp(resolveStaffMiddleware, undefined, {
+      sub: "oidc-sub",
+      email: "oidc-user@example.com",
+    });
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+  });
+
+  it("falls through to 403 when neither Better-Auth user nor OIDC account row exists", async () => {
+    staffLookupResult = null;
+    userLookupResult = null;
+    accountLookupResult = null;
+
+    const app = buildApp(resolveStaffMiddleware, undefined, {
+      sub: "ghost-sub",
+      email: "ghost@example.com",
+    });
+
+    const res = await app.request("/test");
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.error).toMatch(/no staff record/i);
+  });
+});
+
 // ─── requireRole tests ────────────────────────────────────────────────────────
 
 describe("requireRole", () => {

src/lib/auth.ts

@@ -172,7 +172,7 @@ export async function initAuth(): Promise<void> {
         clientSecret: oidcClientSecret,
         issuerUrl: oidcIssuer,
         internalBaseUrl: process.env.OIDC_INTERNAL_BASE,
-        scopes: "openid profile email",
+        scopes: "openid profile email role",
       };
       console.log("[auth] Using env var config (no DB config found)");
     }

src/middleware/rbac.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "@groombook/db";
+import { and, eq, getDb, sql, staff, account, user } from "@groombook/db";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -22,7 +22,7 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
   c,
   next
 ) => {
-  // Better-Auth's own routes handle their own auth — skip staff resolution
+  // Better-Auth\'s own routes handle their own auth — skip staff resolution
   // OOBE setup routes also handle their own auth — staff record is created during setup
   if (c.req.path.startsWith("/api/auth/") || c.req.path.startsWith("/api/setup")) {
     await next();
@@ -110,6 +110,92 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
+
+  // Auto-provision for Better-Auth users (GRO-2052): the user signed in via
+  // Better-Auth (email/password, magic link, etc.), so a row exists in `user`
+  // for jwt.sub but no `account` provider row is required. Create a minimal
+  // groomer staff record on first login. This is the primary auto-provision
+  // path; the OIDC branch below remains as a fallback for legacy accounts
+  // that exist in `account` but not in `user`.
+  const [userRow] = await db
+    .select({ id: user.id, name: user.name, email: user.email })
+    .from(user)
+    .where(eq(user.id, jwt.sub))
+    .limit(1);
+  if (userRow) {
+    const emailPrefix = userRow.email ? userRow.email.split("@")[0] : "Unknown";
+    const name = userRow.name?.trim() || jwt.name?.trim() || emailPrefix;
+
+    const [newStaff] = await db
+      .insert(staff)
+      .values({
+        userId: jwt.sub,
+        email: userRow.email ?? jwt.email ?? "",
+        name,
+        role: "groomer",
+        isSuperUser: false,
+        active: true,
+      } as Parameters<typeof db.insert>[0] extends { values: infer V } ? V : never)
+      .returning()!;
+
+    if (!newStaff) {
+      return c.json({ error: "Forbidden: auto-provision failed" }, 500);
+    }
+
+    console.log(
+      `[rbac] auto-provisioned staff record for Better-Auth user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
+    );
+    c.set("staff", newStaff);
+    await next();
+    return;
+  }
+
+  // Auto-provision for OIDC users: check if jwt.sub has an OAuth/OIDC account
+  // (e.g. authentik). If so, create a groomer staff record on the fly. This
+  // is kept for backward compatibility with legacy OIDC sessions whose user
+  // row may not yet exist in the Better-Auth `user` table.
+  if (jwt.email) {
+    const [oidcAccount] = await db
+      .select({ id: account.id })
+      .from(account)
+      .where(
+        and(
+          eq(account.userId, jwt.sub),
+          sql`${account.providerId} IN (\'authentik\', \'google\', \'github\')`
+        )
+      )
+      .limit(1);
+
+    if (oidcAccount) {
+      // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
+      const emailPrefix = jwt.email ? jwt.email.split("@")[0] : "Unknown";
+      const name = jwt.name?.trim() || emailPrefix;
+
+      const [newStaff] = await db
+        .insert(staff)
+        .values({
+          userId: jwt.sub,
+          email: (jwt.email ?? "") as string,
+          name,
+          role: "groomer",
+          isSuperUser: false,
+          active: true,
+        } as Parameters<typeof db.insert>[0] extends { values: infer V } ? V : never)
+        .returning()!;
+
+      if (!newStaff) {
+        return c.json({ error: "Forbidden: auto-provision failed" }, 500);
+      }
+
+      console.log(
+        `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
+      );
+      c.set("staff", newStaff);
+      await next();
+      return;
+    }
+  }
+
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403
@@ -135,7 +221,7 @@ export function requireRole(
     if (!(allowedRoles as string[]).includes(staffRow.role)) {
       return c.json(
         {
-          error: `Forbidden: role '${staffRow.role}' is not permitted to access this resource`,
+          error: `Forbidden: role \'${staffRow.role}\' is not permitted to access this resource`,
         },
         403
       );
@@ -168,7 +254,7 @@ export function requireRoleOrSuperUser(
       {
         error: hasAllowedRole
           ? "Forbidden: super user privileges required"
-          : `Forbidden: role '${staffRow.role}' is not permitted`,
+          : `Forbidden: role \'${staffRow.role}\' is not permitted`,
       },
       403
     );

src/routes/admin/seed.ts

@@ -46,7 +46,7 @@ const UAT_CLIENT = {
 
 const UAT_PETS = [
   { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly", weightKg: "20.00" },
-  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "short", weightKg: "30.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth", weightKg: "30.00" },
 ];
 
 const DEMO_SERVICES = [

src/routes/pets.ts

@@ -1,7 +1,21 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, exists, getDb, or, pets, appointments } from "@groombook/db";
+import {
+  and,
+  desc,
+  eq,
+  exists,
+  getDb,
+  impersonationAuditLogs,
+  impersonationSessions,
+  or,
+  pets,
+  appointments,
+  staff,
+  services,
+  sql,
+} from "@groombook/db";
 import type { AppEnv } from "../middleware/rbac.js";
 import {
   getPresignedUploadUrl,
@@ -11,6 +25,23 @@ import {
 
 export const petsRouter = new Hono<AppEnv>();
 
+// Convert Zod validation errors from 422 to 400 and ensure any thrown error
+// returns a structured JSON body rather than Hono's default empty-body 500.
+// GRO-2014: profile-summary previously bubbled unhandled errors and produced
+// an empty-body 500. Mirror the onError pattern already used in invoices.ts
+// and reports.ts so every error has a JSON envelope.
+petsRouter.onError((err, c) => {
+  if (err instanceof z.ZodError) {
+    return c.json({ error: "Validation failed", issues: err.issues }, 400);
+  }
+  console.error("[pets] unhandled error", err);
+  return c.json({ error: "Internal Server Error" }, 500);
+});
+
+// UUID format used by all pet routes — guards path params against malformed
+// values before they hit Drizzle / Postgres uuid columns (which would throw).
+const uuidSchema = z.string().uuid();
+
 const createPetSchema = z.object({
   clientId: z.string().uuid(),
   name: z.string().min(1).max(200),
@@ -97,6 +128,209 @@ petsRouter.get("/:id", async (c) => {
   return c.json(row);
 });
 
+/**
+ * Resolves the clientId from the X-Impersonation-Session-Id header, if present and active.
+ * Used by staff routes to allow a customer (auto-provisioned as a `groomer` staff row
+ * by rbac.ts) to access their own pet's data when they are the rightful owner.
+ *
+ * Returns null when the header is missing, the session is unknown/expired/ended, or the
+ * session exists but has no clientId — callers should treat null as "no owner-bypass".
+ */
+async function resolveImpersonationClientId(
+  db: ReturnType<typeof getDb>,
+  c: { req: { header: (name: string) => string | undefined } }
+): Promise<string | null> {
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
+  if (!sessionId) return null;
+  const [session] = await db
+    .select({
+      clientId: impersonationSessions.clientId,
+      status: impersonationSessions.status,
+      expiresAt: impersonationSessions.expiresAt,
+    })
+    .from(impersonationSessions)
+    .where(eq(impersonationSessions.id, sessionId))
+    .limit(1);
+  if (!session) return null;
+  if (session.status !== "active") return null;
+  if (session.expiresAt <= new Date()) return null;
+  return session.clientId;
+}
+
+/**
+ * Defense-in-depth audit write for the staff-side owner-bypass path in
+ * GET /pets/:id/profile-summary. Mirrors the failure-isolation pattern in
+ * src/middleware/portalAudit.ts: errors are logged but never thrown, so a
+ * misbehaving audit insert cannot turn a working read into a 500.
+ *
+ * Called only when the owner-bypass actually fires (i.e. the requester is a
+ * groomer-role staff row with no appointment linkage, but supplies a valid
+ * X-Impersonation-Session-Id whose clientId matches the pet's owner). The
+ * `petId` and `actorStaffId` are written inside `metadata` because the
+ * impersonation_audit_logs schema has no first-class columns for them and
+ * adding a migration is out of scope.
+ */
+async function writeOwnerBypassAudit(
+  db: ReturnType<typeof getDb>,
+  args: {
+    sessionId: string;
+    petId: string;
+    actorStaffId: string;
+    pageVisited: string;
+  }
+): Promise<void> {
+  try {
+    await db.insert(impersonationAuditLogs).values({
+      sessionId: args.sessionId,
+      action: "read_profile_summary",
+      pageVisited: args.pageVisited,
+      metadata: { petId: args.petId, actorStaffId: args.actorStaffId },
+    });
+  } catch (err) {
+    console.error("[pets] failed to write owner-bypass audit log:", err);
+  }
+}
+
+petsRouter.get("/:id/profile-summary", async (c) => {
+  const db = getDb();
+  const petId = c.req.param("id");
+
+  // GRO-2014: validate UUID format before hitting Postgres. Passing a non-UUID
+  // string to a uuid column makes the driver throw, which previously surfaced
+  // as an empty-body 500 to clients.
+  const parsedId = uuidSchema.safeParse(petId);
+  if (!parsedId.success) {
+    return c.json({ error: "Not found" }, 404);
+  }
+
+  // Defense in depth: resolveStaffMiddleware should always populate `staff`
+  // for protected routes (or short-circuit with 401/403 of its own). Guard
+  // anyway so a misconfigured route mount can't trigger a TypeError on
+  // staffRow.id when the linkage check runs.
+  const staffRow = c.get("staff");
+  if (!staffRow) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+  const isGroomer = staffRow.role === "groomer";
+
+  // Fetch the pet
+  const [pet] = await db.select().from(pets).where(eq(pets.id, petId));
+  if (!pet) return c.json({ error: "Not found" }, 404);
+
+  // Owner-bypass (GRO-2013): a customer who supplies a valid
+  // X-Impersonation-Session-Id for the pet's owning client may read their
+  // own pet's summary, even though rbac.ts auto-provisions them as a
+  // `groomer` staff row with no appointment linkage.
+  let isOwner = false;
+  if (isGroomer) {
+    const headerSessionId = c.req.header("X-Impersonation-Session-Id");
+    const ownerClientId = await resolveImpersonationClientId(db, c);
+    isOwner = !!ownerClientId && ownerClientId === pet.clientId;
+    if (isOwner && headerSessionId) {
+      // GRO-2063: defense-in-depth audit row. Only fires when the bypass
+      // is actually granted; never on the normal groomer-linkage path,
+      // 403/404/401, or when the header is absent. Failure is swallowed
+      // (try/catch inside writeOwnerBypassAudit) so this can never turn a
+      // working read into a 500.
+      await writeOwnerBypassAudit(db, {
+        sessionId: headerSessionId,
+        petId: pet.id,
+        actorStaffId: staffRow.id,
+        pageVisited: c.req.path,
+      });
+    }
+  }
+
+  // Groomer RBAC: check appointment linkage to this pet's client
+  if (isGroomer && !isOwner) {
+    const [linkage] = await db
+      .select({ id: appointments.id })
+      .from(appointments)
+      .where(
+        and(
+          eq(appointments.clientId, pet.clientId),
+          or(
+            eq(appointments.staffId, staffRow.id),
+            eq(appointments.batherStaffId, staffRow.id)
+          )
+        )
+      )
+      .limit(1);
+    if (!linkage) return c.json({ error: "Forbidden" }, 403);
+  }
+
+  // Recent grooming history — last 10 completed appointments
+  const recentHistory = await db
+    .select({
+      id: appointments.id,
+      startTime: appointments.startTime,
+      notes: appointments.notes,
+      serviceName: services.name,
+      staffName: staff.name,
+    })
+    .from(appointments)
+    .innerJoin(services, eq(appointments.serviceId, services.id))
+    .leftJoin(staff, eq(appointments.staffId, staff.id))
+    .where(and(eq(appointments.petId, petId), eq(appointments.status, "completed")))
+    .orderBy(desc(appointments.startTime))
+    .limit(10);
+
+  // Visit count (completed appointments)
+  const [countRow] = await db
+    .select({ count: sql<number>`count(*)::int` })
+    .from(appointments)
+    .where(and(eq(appointments.petId, petId), eq(appointments.status, "completed")));
+  const visitCount = countRow?.count ?? 0;
+
+  // Upcoming appointment (next scheduled or confirmed)
+  const [upcoming] = await db
+    .select({
+      id: appointments.id,
+      startTime: appointments.startTime,
+      notes: appointments.notes,
+      confirmationStatus: appointments.confirmationStatus,
+      serviceName: services.name,
+    })
+    .from(appointments)
+    .innerJoin(services, eq(appointments.serviceId, services.id))
+    .where(
+      and(
+        eq(appointments.petId, petId),
+        or(eq(appointments.status, "scheduled"), eq(appointments.status, "confirmed"))
+      )
+    )
+    .orderBy(appointments.startTime)
+    .limit(1);
+
+  return c.json({
+    id: pet.id,
+    name: pet.name,
+    species: pet.species,
+    breed: pet.breed,
+    coatType: pet.coatType,
+    petSizeCategory: pet.petSizeCategory,
+    weightKg: pet.weightKg,
+    dateOfBirth: pet.dateOfBirth,
+    recentGroomingHistory: recentHistory.map((h) => ({
+      id: h.id,
+      startTime: h.startTime,
+      notes: h.notes,
+      serviceName: h.serviceName,
+      staffName: h.staffName,
+    })),
+    visitCount,
+    upcomingAppointment: upcoming
+      ? {
+          id: upcoming.id,
+          startTime: upcoming.startTime,
+          notes: upcoming.notes,
+          confirmationStatus: upcoming.confirmationStatus,
+          serviceName: upcoming.serviceName,
+        }
+      : null,
+  });
+});
+
 petsRouter.post("/", zValidator("json", createPetSchema), async (c) => {
   const db = getDb();
   const { weightKg, dateOfBirth, customFields, ...rest } = c.req.valid("json");

src/routes/portal.ts

@@ -36,7 +36,7 @@ portalRouter.post(
       return c.json({ error: "Client not found" }, 404);
     }
 
-    const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+    const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";
 
     let staffId = DEMO_STAFF_ID;
     const [demoStaff] = await db
@@ -71,6 +71,82 @@ portalRouter.post(
   }
 );
 
+// Bridge Better Auth session → portal session for real SSO customers (GRO-1866).
+// Registered BEFORE the /* middleware so it is NOT subject to validatePortalSession.
+import { getAuth } from "../lib/auth.js";
+
+portalRouter.post("/session-from-auth", async (c) => {
+  let auth;
+  try {
+    auth = getAuth();
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+
+  const session = await auth.api.getSession({
+    headers: c.req.raw.headers,
+  });
+
+  if (!session) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  const db = getDb();
+  const [client] = await db
+    .select()
+    .from(clients)
+    .where(eq(clients.email, session.user.email))
+    .limit(1);
+
+  if (!client) {
+    return c.json({ error: "No client record found for this user" }, 404);
+  }
+
+  const DEMO_STAFF_ID = process.env.DEMO_STAFF_ID ?? "00000000-0000-0000-0000-000000000001";
+
+  let staffId = DEMO_STAFF_ID;
+  const [demoStaff] = await db
+    .select({ id: staff.id })
+    .from(staff)
+    .where(eq(staff.id, DEMO_STAFF_ID))
+    .limit(1);
+
+  if (!demoStaff) {
+    const [firstStaff] = await db
+      .select({ id: staff.id })
+      .from(staff)
+      .where(eq(staff.active, true))
+      .limit(1);
+    if (!firstStaff) {
+      return c.json({ error: "No staff records found" }, 500);
+    }
+    staffId = firstStaff.id;
+  }
+
+  const [portalSession] = await db
+    .insert(impersonationSessions)
+    .values({
+      staffId,
+      clientId: client.id,
+      reason: "sso-bridge",
+      expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+    })
+    .returning();
+
+  if (!portalSession) {
+    return c.json({ error: "Failed to create session" }, 500);
+  }
+
+  return c.json(
+    {
+      sessionId: portalSession.id,
+      clientId: client.id,
+      clientName: client.name,
+    },
+    201
+  );
+});
+
 // Apply middleware to all portal routes
 portalRouter.use("/*", validatePortalSession, portalAudit);