Merge pull request 'Promote dev → uat: UAT seed-password source-of-truth playbook (GRO-2000)' (#134 ) from dev into uat

docs(UAT_PLAYBOOK): document canonical source-of-truth for UAT seed passwords (GRO-2000) (#132 )
Merge pull request 'promote(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)' (#133 ) from dev into uat
2026-06-01 17:41:47 +00:00 · 2026-06-01 17:11:12 +00:00 · 2026-06-01 16:30:54 +00:00 · 2026-06-01 16:24:41 +00:00 · 2026-06-01 14:52:13 +00:00 · 2026-06-01 14:49:46 +00:00
5 changed files with 74 additions and 1 deletions
@@ -156,3 +156,32 @@ jobs:
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
+
+      - name: Smoke test seed image (blackhole npmjs.org)
+        run: |
+          set -euo pipefail
+          IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}"
+          docker pull "$IMAGE"
+          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
+          # not try to reach registry.npmjs.org on invocation.
+          docker run --rm \
+            --add-host registry.npmjs.org:127.0.0.1 \
+            --entrypoint="" \
+            "$IMAGE" \
+            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version'
+          echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓"
+
+      - name: Smoke test reset image (blackhole npmjs.org)
+        run: |
+          set -euo pipefail
+          IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}"
+          docker pull "$IMAGE"
+          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
+          # not try to reach registry.npmjs.org on invocation. Validates the
+          # hard requirement from the issue: reset runs offline.
+          docker run --rm \
+            --add-host registry.npmjs.org:127.0.0.1 \
+            --entrypoint="" \
+            "$IMAGE" \
+            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version'
+          echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"
@@ -3,8 +3,12 @@ FROM node:22-alpine AS base
 # invocations of `pnpm` work without DNS access to registry.npmjs.org.
 # The corepack shim delegates to corepack, which re-validates against
 # npmjs.org on first use — that fails in air-gapped UAT seed/migrate/reset
-# Jobs. GRO-1983 / GRO-1889 / GRO-1909.
+# Jobs. GRO-1983 / GRO-1889 / GRO-1909 / GRO-1981 / GRO-1985.
 RUN npm install -g pnpm@9.15.4
+# Belt-and-braces: disable Corepack's download fallback so that even if a
+# Corepack shim is somehow invoked at runtime, it will not try to fetch
+# pnpm from registry.npmjs.org. Belt for the real-binary trousers. GRO-1985.
+ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app

 # Install deps
@@ -26,6 +30,8 @@ RUN pnpm --filter @groombook/types build && \
 # Runtime
 FROM node:22-alpine AS runner
 RUN npm install -g pnpm@9.15.4
+# Same defence-in-depth as base: no Corepack fallback. GRO-1985.
+ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 ENV NODE_ENV=production

@@ -46,12 +52,18 @@ CMD ["node", "dist/index.js"]

 # Migrate stage — runs drizzle-kit migrate against the database
 FROM builder AS migrate
+# pnpm needs a writable HOME for any config/state it writes. With
+# readOnlyRootFilesystem: true and runAsUser: 1000, /home/node is read-only.
+# The job pods mount a writable emptyDir at /tmp; point HOME there. GRO-1985.
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "migrate"]

 # Seed stage — populates the database with test data
 FROM builder AS seed
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "seed"]

 # Reset stage — drops all tables, re-runs migrations, and re-seeds
 FROM builder AS reset
+ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "reset"]
@@ -19,6 +19,27 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 - OIDC authentication provider configured
 - Seed data present (clients, pets, services, staff)

+### Source of truth for UAT passwords (GRO-2000)
+
+The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation.
+
+**Canonical recipe** (works from any host with `kubectl` + cluster credentials):
+
+```bash
+SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.super-password}' | base64 -d)
+GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.groomer-password}' | base64 -d)
+TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.tester-password}' | base64 -d)
+CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
+  -o jsonpath='{.data.customer-password}' | base64 -d)
+```
+
+**Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry.
+
+**How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request.
+
 ## Test Cases

 ### 4.0 Health Check
@@ -0,0 +1,4 @@
+-- GRO-1999: 0037 was skipped on existing DBs due to a below-high-water-mark
+-- journal timestamp. Re-register extra_large with a monotonic timestamp so
+-- the existing UAT/persistent DBs apply it. Idempotent.
+ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';
@@ -260,6 +260,13 @@
      "when": 1751500000000,
      "tag": "0037_add_extra_large_to_pet_size_category",
      "breakpoints": true
+    },
+    {
+      "idx": 38,
+      "version": "7",
+      "when": 1780000000000,
+      "tag": "0038_register_extra_large_pet_size_category",
+      "breakpoints": true
    }
  ]
 }
Author	SHA1	Message	Date
The Dogfather	6a81a52a50	Merge pull request 'Promote dev → uat: UAT seed-password source-of-truth playbook (GRO-2000)' (#134 ) from dev into uat CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 27s Details CI / Test (pull_request) Successful in 11s Details CI / Lint & Typecheck (pull_request) Successful in 13s Details CI / Build & Push Docker Images (pull_request) Successful in 1m10s Details	2026-06-01 17:41:47 +00:00
Flea Flicker	2251a172e3	docs(UAT_PLAYBOOK): document canonical source-of-truth for UAT seed passwords (GRO-2000) (#132 ) CI / Lint & Typecheck (push) Failing after 5s Details CI / Test (push) Successful in 12s Details CI / Build & Push Docker Images (push) Has been skipped Details CI / Test (pull_request) Successful in 11s Details CI / Lint & Typecheck (pull_request) Successful in 19s Details CI / Build & Push Docker Images (pull_request) Failing after 19s Details	2026-06-01 17:11:12 +00:00
The Dogfather	5a4b9a98bd	Merge pull request 'promote(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)' (#133 ) from dev into uat CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 14s Details CI / Build & Push Docker Images (push) Successful in 40s Details Promote GRO-1985 (parent GRO-1981) dev->uat. cc @cpfarhood	2026-06-01 16:30:54 +00:00
Flea Flicker	1d28adb71a	Merge pull request 'fix(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)' (#129 ) from flea-flicker/gro-1985-bake-pnpm-offline into dev CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 1m10s Details CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 14s Details CI / Build & Push Docker Images (pull_request) Successful in 24s Details Self-merge per SDLC Phase 1 Step 4 — CTO review approved by gb_dogfather, CI 3/3 green, QA approved by gb_lint. Closes GRO-1985. cc @cpfarhood	2026-06-01 16:24:41 +00:00
The Dogfather	f7f88156e1	Merge pull request 'promote(db): register extra_large via migration 0038 to UAT (GRO-2004)' (#131 ) from dev into uat CI / Test (push) Successful in 11s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 35s Details	2026-06-01 14:52:13 +00:00
The Dogfather	7f8a1f4bcd	Merge pull request 'fix(db): register extra_large via migration 0038 (GRO-1999)' (#130 ) from flea/gro-1999-migration-0038 into dev CI / Test (push) Successful in 13s Details CI / Test (pull_request) Successful in 14s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 37s Details CI / Lint & Typecheck (push) Successful in 2m23s Details CI / Build & Push Docker Images (push) Successful in 32s Details	2026-06-01 14:49:46 +00:00
Paperclip	423d4bf72d	fix(db): register extra_large via migration 0038 (GRO-1999) CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 1m27s Details GRO-1979 added 0037_add_extra_large_to_pet_size_category with a journal 'when' of 1751500000000 — below the 0033 high-water mark (1779500000000) on existing UAT/persistent DBs. Drizzle only applies a migration when its journal.when is strictly greater than max(applied created_at), so 0037 was silently skipped, leaving pet_size_category without 'extra_large' and crashing the UAT seed-test-data job (22P02 enum error). This adds 0038 with a monotonic 'when' (1780000000000) so it applies on both existing UAT/persistent DBs and fresh DBs. Statement is idempotent (ADD VALUE IF NOT EXISTS) and a single auto-commit DDL (ADD VALUE cannot run inside a transaction block). Do not modify 0033/0034/0036/0037 — re-registering extra_large is correct since the drizzle PetSizeCategory type and seed.ts both use that value. GRO-2004 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 14:41:27 +00:00
Flea Flicker	3e547b8568	fix(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981) CI / Test (pull_request) Successful in 17s Details CI / Lint & Typecheck (pull_request) Successful in 23s Details CI / Build & Push Docker Images (pull_request) Successful in 1m14s Details The GRO-1983 fast restoration swapped Corepack's pnpm shim for a real `npm install -g pnpm@9.15.4` binary, which is the right move. But the GRO-1997 evidence gate still showed the first `reset-demo-data` pod (...-nh7vg) hitting `getaddrinfo EAI_AGAIN registry.npmjs.org` before a retry succeeded — the cache was writable, the cold-cache registry download wasn't eliminated. This is the durable fix: 1. `ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0` in `base` and `runner`: defence in depth so a Corepack shim can never silently re-download pnpm, even if it is somehow re-introduced. 2. `ENV HOME=/tmp` in the `migrate`, `seed`, and `reset` stages: under `readOnlyRootFilesystem: true` + `runAsUser: 1000`, the default HOME path is read-only, and pnpm fails the first time it tries to write a config or state file. The job pods already mount a writable emptyDir at `/tmp`; point HOME there. 3. CI smoke tests for `seed` and `reset` images (matching the existing `migrate` smoke): point `registry.npmjs.org` at 127.0.0.1 in a throwaway container, assert `which pnpm` resolves to `/usr/local/bin/pnpm` (real binary, not shim), and that `pnpm --version` succeeds without network egress. If Corepack ever sneaks back in, CI catches it on every PR. The vestigial `RUN mkdir -p /home/node/.cache/node/corepack` in the `builder` stage (mentioned in the spec) was already removed in GRO-1909 (commit `0a3eb8a`), so nothing to do there. Follow-on cleanup of the per-job `COREPACK_HOME` env vars and `node-cache` emptyDir mounts in `groombook/infra` is intentionally deferred to a coordinated infra PR once the new image is deployed — keeping the existing infra in place during the transition avoids a flag-day. GRO-1985, hardening follow-up to GRO-1984 / GRO-1983. Closes parent: GRO-1981. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 14:02:38 +00:00
Flea Flicker	a9bac033fd	docs(UAT_PLAYBOOK): add TC-API-3.28 for pet_size_category enum (GRO-1999) (#127 ) CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 36s Details CI / Test (pull_request) Successful in 10s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 37s Details	2026-06-01 13:50:16 +00:00
The Dogfather	8af5a49d14	Merge pull request 'Promote dev→uat: GRO-1982 pet_size_category extra_large enum migration' (#126 ) from dev into uat CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Build & Push Docker Images (push) Successful in 37s Details Promote dev→uat: GRO-1983 seed-job pnpm fix + GRO-1982 extra_large enum migration Carries the accumulated dev state into uat (PR #125 docker pnpm fix + 0037 migration). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 12:44:20 +00:00