docs(UAT_PLAYBOOK): document canonical source-of-truth for UAT seed passwords (GRO-2000)

The 'Source of truth for UAT passwords' subsection under Pre-conditions records: - The seed-uat-passwords Secret in groombook-uat is the live source. - The Bitnami SealedSecret apps/overlays/uat/ss-seed-uat-passwords.yaml in groombook/infra is the single upstream source of truth. - A kubectl recipe to pull the current values for SUPER / GROOMER / TESTER / CUSTOMER at the start of every UAT run. - The 'captured env var from a previous rotation produces 401' failure mode that GRO-2000 hit, and the manual-reseed escape hatch if the login still 401s after pulling the live value. Refs: GRO-2000, GRO-1977 (idempotent re-hash), GRO-1999 (enum fix that allowed the seed Job to run cleanly again). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix(db): register extra_large via migration 0038 (GRO-1999)
2026-06-01 15:30:34 +00:00 · 2026-06-01 14:41:27 +00:00 · 2026-06-01 13:50:16 +00:00 · 2026-06-01 12:38:32 +00:00 · 2026-06-01 12:32:28 +00:00 · 2026-06-01 12:28:48 +00:00
4 changed files with 34 additions and 2 deletions
@@ -19,6 +19,27 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 - OIDC authentication provider configured
 - Seed data present (clients, pets, services, staff)

+### Source of truth for UAT passwords (GRO-2000)
+
+The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation.
+
+**Canonical recipe** (works from any host with `kubectl` + cluster credentials):
+
+```bash
+SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.super-password}' | base64 -d)
+GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.groomer-password}' | base64 -d)
+TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.tester-password}' | base64 -d)
+CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.customer-password}' | base64 -d)
+```
+
+**Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry.
+
+**How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request.
+
 ## Test Cases

 ### 4.0 Health Check
@@ -1,5 +1,5 @@
 -- Migration: 0037_add_extra_large_to_pet_size_category.sql
-- GRO-1999: Adds the 'extra_large' value to the pet_size_category enum.
+-- GRO-1979: Adds the 'extra_large' value to the pet_size_category enum.
 --
 -- 0031_buffer_rules.sql created pet_size_category with values
 -- ('small', 'medium', 'large', 'xlarge'), but seed.ts and the drizzle
@@ -0,0 +1,4 @@
+-- GRO-1999: 0037 was skipped on existing DBs due to a below-high-water-mark
+-- journal timestamp. Re-register extra_large with a monotonic timestamp so
+-- the existing UAT/persistent DBs apply it. Idempotent.
+ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';
@@ -260,6 +260,13 @@
      "when": 1751500000000,
      "tag": "0037_add_extra_large_to_pet_size_category",
      "breakpoints": true
+    },
+    {
+      "idx": 38,
+      "version": "7",
+      "when": 1780000000000,
+      "tag": "0038_register_extra_large_pet_size_category",
+      "breakpoints": true
    }
  ]
-}
+}
Author	SHA1	Message	Date
Paperclip	337c0e2733	docs(UAT_PLAYBOOK): document canonical source-of-truth for UAT seed passwords (GRO-2000) CI / Test (pull_request) Successful in 10s Details CI / Lint & Typecheck (pull_request) Successful in 18s Details CI / Build & Push Docker Images (pull_request) Successful in 36s Details The 'Source of truth for UAT passwords' subsection under Pre-conditions records: - The seed-uat-passwords Secret in groombook-uat is the live source. - The Bitnami SealedSecret apps/overlays/uat/ss-seed-uat-passwords.yaml in groombook/infra is the single upstream source of truth. - A kubectl recipe to pull the current values for SUPER / GROOMER / TESTER / CUSTOMER at the start of every UAT run. - The 'captured env var from a previous rotation produces 401' failure mode that GRO-2000 hit, and the manual-reseed escape hatch if the login still 401s after pulling the live value. Refs: GRO-2000, GRO-1977 (idempotent re-hash), GRO-1999 (enum fix that allowed the seed Job to run cleanly again). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 15:30:34 +00:00
Paperclip	423d4bf72d	fix(db): register extra_large via migration 0038 (GRO-1999) CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 1m27s Details GRO-1979 added 0037_add_extra_large_to_pet_size_category with a journal 'when' of 1751500000000 — below the 0033 high-water mark (1779500000000) on existing UAT/persistent DBs. Drizzle only applies a migration when its journal.when is strictly greater than max(applied created_at), so 0037 was silently skipped, leaving pet_size_category without 'extra_large' and crashing the UAT seed-test-data job (22P02 enum error). This adds 0038 with a monotonic 'when' (1780000000000) so it applies on both existing UAT/persistent DBs and fresh DBs. Statement is idempotent (ADD VALUE IF NOT EXISTS) and a single auto-commit DDL (ADD VALUE cannot run inside a transaction block). Do not modify 0033/0034/0036/0037 — re-registering extra_large is correct since the drizzle PetSizeCategory type and seed.ts both use that value. GRO-2004 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 14:41:27 +00:00
Flea Flicker	a9bac033fd	docs(UAT_PLAYBOOK): add TC-API-3.28 for pet_size_category enum (GRO-1999) (#127 ) CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 36s Details CI / Test (pull_request) Successful in 10s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 37s Details	2026-06-01 13:50:16 +00:00
Lint Roller	5fab813215	Merge pull request 'fix(docker): install pnpm via npm instead of corepack shim (GRO-1983)' (#125 ) from fix/gro-1983-seed-pnpm-baked into dev CI / Test (push) Successful in 12s Details CI / Test (pull_request) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Lint & Typecheck (pull_request) Successful in 17s Details CI / Build & Push Docker Images (push) Failing after 13s Details CI / Build & Push Docker Images (pull_request) Successful in 1m29s Details	2026-06-01 12:38:32 +00:00
Flea Flicker	84d923a707	Merge branch 'uat' into dev to sync before dev→uat promotion CI / Test (push) Successful in 15s Details CI / Lint & Typecheck (push) Successful in 17s Details CI / Test (pull_request) Successful in 14s Details CI / Lint & Typecheck (pull_request) Successful in 18s Details CI / Build & Push Docker Images (push) Failing after 8s Details CI / Build & Push Docker Images (pull_request) Successful in 1m2s Details This merge resolves a journal conflict between dev's idx 37 entry (0037_add_extra_large_to_pet_size_category) and the diverged uat branch. Both branches want the idx 37 entry; keeping the dev version which adds the migration. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 12:32:28 +00:00
Flea Flicker	944a4e161f	Merge pull request 'fix(db): GRO-1979 add 0037 — register extra_large in pet_size_category enum' (#124 ) from fix/GRO-1979-coat-type-pet-size-enum-fix into dev CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 38s Details CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 30s Details	2026-06-01 12:28:48 +00:00
Flea Flicker	f262c19561	feat(db): add 0037_add_extra_large_to_pet_size_category — register extra_large in journal CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 1m24s Details GRO-1979: The pet_size_category enum created in 0031_buffer_rules.sql contained ('small', 'medium', 'large', 'xlarge'), but the drizzle schema and seed.ts both use 'extra_large'. The mismatch caused the UAT seed job to fail with: invalid input value for enum pet_size_category: "extra_large" This migration adds the 'extra_large' value to pet_size_category and registers it at idx 37 in the drizzle journal (sequel to 0035/0036 which registered short/medium/silky in coat_type under GRO-1971). Non-transactional per Postgres restriction on ALTER TYPE ADD VALUE. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 12:05:06 +00:00
The Dogfather	e5fe005986	Promote dev→uat: restore deterministic TestCooper/TestRocky alerts (GRO-1962) (#123 ) CI / Lint & Typecheck (push) Successful in 16s Details CI / Test (push) Successful in 12s Details CI / Build & Push Docker Images (push) Failing after 36s Details Co-authored-by: The Dogfather <20+gb_dogfather@noreply.git.farh.net> Co-committed-by: The Dogfather <20+gb_dogfather@noreply.git.farh.net>	2026-06-01 00:36:36 +00:00
The Dogfather	b15a53a19b	fix(seed): restore deterministic alerts for TestCooper/TestRocky (GRO-1962) (#122 ) CI / Test (push) Successful in 11s Details CI / Lint & Typecheck (push) Successful in 17s Details CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 45s Details CI / Build & Push Docker Images (push) Successful in 1m7s Details Co-authored-by: The Dogfather <20+gb_dogfather@noreply.git.farh.net> Co-committed-by: The Dogfather <20+gb_dogfather@noreply.git.farh.net>	2026-06-01 00:35:35 +00:00
The Dogfather	5390131a6a	Promote dev→uat: add missing coat_type enum values (GRO-1971) (#119 ) CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 39s Details	2026-05-31 23:12:58 +00:00
The Dogfather	8cce9c4d35	Merge pull request 'Promote dev→uat: expand UAT seed to 30+ pets with medicalAlerts 25-35% distribution (GRO-1962)' (#117 ) from dev into uat CI / Lint & Typecheck (push) Successful in 14s Details CI / Test (push) Successful in 12s Details CI / Build & Push Docker Images (push) Successful in 1m9s Details	2026-05-31 22:47:11 +00:00
The Dogfather	f80f781b23	ci: promote dev→uat (GRO-1939 smoke + GRO-1953/1955/1949 seed/db) (#113 ) CI / Test (push) Successful in 11s Details CI / Lint & Typecheck (push) Successful in 14s Details CI / Build & Push Docker Images (push) Successful in 24s Details Promotes 6 dev commits to uat. PR #111 (latest dev tip) QA-approved by Lint Roller. CI all-green. Follow-up: Shedward UAT regression task to be created.	2026-05-30 11:16:43 +00:00
The Dogfather	a5bd9c915c	Promote: dev → uat (GRO-1945 visit-count hotfix + GRO-1921 UAT reset CronJob fix) CI / Lint & Typecheck (push) Successful in 15s Details CI / Test (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 30s Details Carries: - `a14bb5e17d` — GRO-1945 visit-count query hotfix - `981a257d2d` — Merge of GRO-1945 hotfix into dev - `0ab16b82e0` — GRO-1921 UAT reset CronJob full-seed fix (PR #106) QA approved (PR #108, Lint Roller). CI green on head SHA `0ab16b82e0`.	2026-05-30 03:45:38 +00:00