GRO-1921: seedUatStaffAccounts() shared fn — full UAT seed honors numeric OIDC subs

Extract UAT staff account seeding into a shared async function so it runs in both seedKnownUsers() and the full seed() UAT branch. Before this change the full seed() UAT path never created the deterministic UAT staff (UAT Super/Staff/Groomer) with their numeric oidcSub values from SEED_UAT_*_OIDC_SUB env vars — seedKnownUsers() had that logic but was bypassed by SEED_KNOWN_USERS_ONLY=true in the UAT reset CronJob. seedUatStaffAccounts() handles: - UAT Super Staff (SEED_UAT_SUPER_OIDC_SUB) - UAT Staff Groomer (SEED_UAT_STAFF_OIDC_SUB) - UAT Groomer Personas (SEED_UAT_GROOMER_EMAILS + _NAMES) - Better Auth email+password credentials (SEED_UAT_*_PASSWORD) - UAT Customer client + 2 pets Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-30 03:26:09 +00:00
14 changed files with 19 additions and 646 deletions
@@ -118,17 +118,6 @@ jobs:
          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
      - name: Smoke test migrate image (blackhole npmjs.org)
        run: |
          set -euo pipefail
          IMAGE="git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}"
          docker pull "$IMAGE"
          docker run --rm \
            --add-host registry.npmjs.org:127.0.0.1 \
            --entrypoint="" \
            "$IMAGE" \
            pnpm --version
      - name: Build and push Seed image
        uses: docker/build-push-action@v6
        with:
@@ -156,32 +145,3 @@ jobs:
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
      - name: Smoke test seed image (blackhole npmjs.org)
        run: |
          set -euo pipefail
          IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}"
          docker pull "$IMAGE"
          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
          # not try to reach registry.npmjs.org on invocation.
          docker run --rm \
            --add-host registry.npmjs.org:127.0.0.1 \
            --entrypoint="" \
            "$IMAGE" \
            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version'
          echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓"
      - name: Smoke test reset image (blackhole npmjs.org)
        run: |
          set -euo pipefail
          IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}"
          docker pull "$IMAGE"
          # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
          # not try to reach registry.npmjs.org on invocation. Validates the
          # hard requirement from the issue: reset runs offline.
          docker run --rm \
            --add-host registry.npmjs.org:127.0.0.1 \
            --entrypoint="" \
            "$IMAGE" \
            sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version'
          echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"
@@ -1,14 +1,7 @@
 FROM node:22-alpine AS base
-# Install pnpm as a real binary via npm (not corepack shim) so runtime
+RUN corepack enable && corepack install -g pnpm@9.15.4
-# invocations of `pnpm` work without DNS access to registry.npmjs.org.
+ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-# The corepack shim delegates to corepack, which re-validates against
+ENV COREPACK_ENABLE_STRICT=0
 # npmjs.org on first use — that fails in air-gapped UAT seed/migrate/reset
 # Jobs. GRO-1983 / GRO-1889 / GRO-1909 / GRO-1981 / GRO-1985.
 RUN npm install -g pnpm@9.15.4
 # Belt-and-braces: disable Corepack's download fallback so that even if a
 # Corepack shim is somehow invoked at runtime, it will not try to fetch
 # pnpm from registry.npmjs.org. Belt for the real-binary trousers. GRO-1985.
 ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
 WORKDIR /app
 # Install deps
@@ -29,9 +22,9 @@ RUN pnpm --filter @groombook/types build && \
 # Runtime
 FROM node:22-alpine AS runner
-RUN npm install -g pnpm@9.15.4
+RUN corepack enable && corepack install -g pnpm@9.15.4
-# Same defence-in-depth as base: no Corepack fallback. GRO-1985.
+ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
+ENV COREPACK_ENABLE_STRICT=0
 WORKDIR /app
 ENV NODE_ENV=production
@@ -52,18 +45,15 @@ CMD ["node", "dist/index.js"]
 # Migrate stage — runs drizzle-kit migrate against the database
 FROM builder AS migrate
 # pnpm needs a writable HOME for any config/state it writes. With
 # readOnlyRootFilesystem: true and runAsUser: 1000, /home/node is read-only.
 # The job pods mount a writable emptyDir at /tmp; point HOME there. GRO-1985.
 ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "migrate"]
 # Seed stage — populates the database with test data
 FROM builder AS seed
 ENV HOME=/tmp
 CMD ["pnpm", "--filter", "@groombook/db", "seed"]
 # Reset stage — drops all tables, re-runs migrations, and re-seeds
 FROM builder AS reset
-ENV HOME=/tmp
+RUN corepack enable && corepack install -g pnpm@9.15.4
 ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 ENV COREPACK_ENABLE_STRICT=0
 CMD ["pnpm", "--filter", "@groombook/db", "reset"]
@@ -19,27 +19,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 - OIDC authentication provider configured
 - Seed data present (clients, pets, services, staff)
 ### Source of truth for UAT passwords (GRO-2000)
 The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation.
 **Canonical recipe** (works from any host with `kubectl` + cluster credentials):
 ```bash
 SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
  -o jsonpath='{.data.super-password}' | base64 -d)
 GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
  -o jsonpath='{.data.groomer-password}' | base64 -d)
 TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
  -o jsonpath='{.data.tester-password}' | base64 -d)
 CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
  -o jsonpath='{.data.customer-password}' | base64 -d)
 ```
 **Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry.
 **How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request.
 ## Test Cases
 ### 4.0 Health Check
@@ -62,8 +41,6 @@ CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
 | TC-API-1.8 | Email+password — invalid password | POST /api/auth/sign-in/email with wrong password | 400 Bad Request, error returned |
 | TC-API-1.9 | Email+password — unknown user | POST /api/auth/sign-in/email with non-existent email | 400 Bad Request, error returned |
 | TC-API-1.10 | Auto-provision on first OIDC login | First login as a Better-Auth user with no existing staff record | 200 OK, access granted; groomer staff record auto-created with name/email from user table |
 > **Note (GRO-1977):** Seed credential provisioning is idempotent — re-running the seed with updated `SEED_UAT_*_PASSWORD` env vars rotates stored credential hashes. TC-API-1.4 through TC-API-1.7 now return 200 for all 4 UAT personas (previously returned 401 due to frozen-hash bug).
 | TC-API-1.11 | Existing staff unaffected by OIDC login | Login as uat-groomer@groombook.dev (email+password), then GET /api/staff to find that record | 200 OK, staff record unchanged — no duplicate created, original role and isSuperUser preserved |
 | TC-API-1.12 | Auto-provisioned role and superUser flags | After TC-API-1.10, GET /api/staff and inspect the auto-created record | role = "groomer", isSuperUser = false, active = true |
 | TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
@@ -125,9 +102,6 @@ CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
 | TC-API-3.17 | Get pet profile summary — groomer restricted | GET /api/pets/{id}/profile-summary as groomer with no pet linkage | 403 Forbidden |
 | TC-API-3.18 | Get pet profile summary — visitCount returns full count | GET /api/pets/{id}/profile-summary with 2+ completed appointments | visitCount >= 2 (not capped at 1) |
 | TC-API-3.19 | Get pet profile summary — upcomingAppointment excludes past | GET /api/pets/{id}/profile-summary with a past confirmed/scheduled appointment | upcomingAppointment is null (past appointments filtered by startTime >= now) |
 | TC-API-3.29 | Get pet profile summary — unknown UUID returns 404 (GRO-2014) | GET /api/pets/00000000-0000-0000-0000-000000000001/profile-summary while authenticated (any role) | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014) |
 | TC-API-3.30 | Get pet profile summary — malformed UUID returns 404 (GRO-2014) | GET /api/pets/not-a-uuid/profile-summary while authenticated | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014 — Postgres uuid cast failure) |
 | TC-API-3.31 | Get pet profile summary — never empty-body 500 (GRO-2014) | GET /api/pets/{anyId}/profile-summary across the test sweep | No response has status 500 with an empty body. Any 500 must include a JSON body `{"error":"Internal Server Error"}` |
 #### Seed Data Verification (GRO-1898)
@@ -140,10 +114,6 @@ CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
 | TC-API-3.22 | Verify medicalAlerts shape | GET /api/pets/{id} for any pet with non-empty medicalAlerts | medicalAlerts is an array; each entry has type, description, severity |
 | TC-API-3.23 | Verify UAT test pet Charlie has behavioral alert | GET /api/pets/{id} where name = "TestCooper" (pet for uat-charlie@groombook.dev) | medicalAlerts includes an entry with type: "behavioral", severity: "low" or "high" |
 | TC-API-3.24 | Verify UAT test pet Delta has skin alert | GET /api/pets/{id} where name = "TestRocky" (pet for uat-delta@groombook.dev) | medicalAlerts includes an entry with type: "skin" |
 | TC-API-3.25 | Verify 30+ total pets in UAT DB | GET /api/pets then count total | 30+ pets returned (UAT seed creates 500 random-pool + 5 UAT test clients + 2 UAT customer = 507 total) |
 | TC-API-3.26 | Verify 25-35% medicalAlerts distribution | GET /api/pets (first 30 pets), count how many have non-empty medicalAlerts | Ratio is 25-35% (seed uses rand() < 0.3 for ~30% distribution) |
 | TC-API-3.27 | Verify coat_type enum has all seed values | After UAT seed completes, inspect the coat_type enum on the UAT DB — it must contain: short, medium, long, double, wire, silky, curly, hairless | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; coat_type includes all 8 values used by seed.ts `coatTypePool` |
 | TC-API-3.28 | Verify pet_size_category enum has all seed values | After UAT seed completes, inspect the pet_size_category enum on the UAT DB — it must contain: small, medium, large, extra_large | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; pet_size_category includes all 4 values used by seed.ts `petSizeCategoryPool` (regression for GRO-1999, mirrors TC-API-3.27) |
 ### 4.4 Appointment Scheduling
@@ -67,7 +67,6 @@ let dbAccounts: AccountRow[] = [];
 let dbStaff: StaffRow[] = [];
 let insertedUsers: UserRow[] = [];
 let insertedAccounts: AccountRow[] = [];
 let updatedAccounts: Array<{ id: string; password: string }> = [];
 let updatedStaff: Array<{ id: string; userId: string }> = [];
 const originalEnv = { ...process.env };
@@ -78,7 +77,6 @@ function resetMock() {
  dbStaff = [];
  insertedUsers = [];
  insertedAccounts = [];
  updatedAccounts = [];
  updatedStaff = [];
  process.env = { ...originalEnv };
 }
@@ -175,11 +173,7 @@ async function seedUatCredentials(
    );
    if (existingAccount) {
-      // Idempotent update: re-hash the current env password and update the stored hash.
+      // skip — already has credential account
      const { hashPassword } = await import("better-auth/crypto");
      const passwordHash = await hashPassword(password);
      existingAccount.password = passwordHash;
      updatedAccounts.push({ id: existingAccount.id, password: passwordHash });
    } else {
      // Use Better-Auth's hashPassword so test helper matches production seed.ts
      const { hashPassword } = await import("better-auth/crypto");
@@ -318,9 +312,9 @@ describe("seedUatCredentials — credential provisioning logic", () => {
    expect(updatedStaff).toHaveLength(0);
  });
-  // ── AC-5: idempotent — does not insert duplicate records ───────────────────
+  // ── AC-5: idempotent — skips when user already exists ───────────────────────
-  it("AC-5: re-running does not insert duplicate user or account records", async () => {
+  it("AC-5: re-running does not duplicate user or account records (idempotent)", async () => {
    process.env.SEED_UAT_CUSTOMER_PASSWORD = TEST_PASSWORD;
    const preExistingUsers: UserRow[] = [
@@ -336,96 +330,25 @@ describe("seedUatCredentials — credential provisioning logic", () => {
      },
    ];
    // First call — nothing inserted (user + account pre-exist)
    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
      users: preExistingUsers,
      accounts: preExistingAccounts,
      staff: [],
    });
    // No inserts — user and account already exist
    expect(insertedUsers).toHaveLength(0);
    expect(insertedAccounts).toHaveLength(0);
  });
  // ── AC-5b: password rotation on re-seed ─────────────────────────────────────
  it("AC-5b: re-running with a new password updates the stored credential hash", async () => {
    const OLD_PASSWORD = "old-password-abc";
    const NEW_PASSWORD = "new-password-xyz";
    process.env.SEED_UAT_CUSTOMER_PASSWORD = NEW_PASSWORD;
    const preExistingUsers: UserRow[] = [
      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
    ];
    const preExistingAccounts: AccountRow[] = [
      {
        id: "pre-existing-acct",
        accountId: "pre-existing-user",
        providerId: "credential",
        userId: "pre-existing-user",
        password: await hashPassword(OLD_PASSWORD),
      },
    ];
    // Second call — still nothing inserted
    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
      users: preExistingUsers,
      accounts: preExistingAccounts,
      staff: [],
    });
    // No new records inserted
    expect(insertedUsers).toHaveLength(0);
    expect(insertedAccounts).toHaveLength(0);
    // Password WAS updated to the new env value
    expect(updatedAccounts).toHaveLength(1);
    expect(updatedAccounts[0]!.id).toBe("pre-existing-acct");
    // New hash is valid Better-Auth format (salt:key, each hex)
    const newHashParts = updatedAccounts[0]!.password.split(":");
    expect(Buffer.from(newHashParts[0]!, "hex")).toHaveLength(16);
    expect(Buffer.from(newHashParts[1]!, "hex")).toHaveLength(64);
  });
  // ── AC-8: existing account password IS updated (not frozen at first-seed) ──
  it("AC-8: re-seeding with a changed password env var updates the stored hash", async () => {
    const ORIGINAL_PASSWORD = "original-password";
    const ROTATED_PASSWORD = "rotated-password-456";
    process.env.SEED_UAT_CUSTOMER_PASSWORD = ROTATED_PASSWORD;
    const preExistingUsers: UserRow[] = [
      { id: "pre-existing-user", email: "uat-customer@groombook.dev", name: "UAT Customer", emailVerified: true },
    ];
    // Account was created with the original password on first seed
    const originalHash = await hashPassword(ORIGINAL_PASSWORD);
    const preExistingAccounts: AccountRow[] = [
      {
        id: "pre-existing-acct",
        accountId: "pre-existing-user",
        providerId: "credential",
        userId: "pre-existing-user",
        password: originalHash,
      },
    ];
    // Re-seed with the rotated password env var
    await seedUatCredentials([UAT_ACCOUNTS[2]!], {
      users: preExistingUsers,
      accounts: preExistingAccounts,
      staff: [],
    });
    // No new user or account created
    expect(insertedUsers).toHaveLength(0);
    expect(insertedAccounts).toHaveLength(0);
    // The pre-existing account's password WAS updated (not frozen at first-seed).
    // hashPassword uses a random salt so we verify by format + that it is a new,
    // different valid hash from the original.
    const updatedAcct = preExistingAccounts[0]!;
    expect(updatedAcct.password).toBeDefined();
    expect(updatedAcct.password).toMatch(/^[a-f0-9]{32}:[a-f0-9]{128}$/);
    expect(updatedAcct.password).not.toBe(originalHash); // it actually changed
  });
  // ── AC-6: missing env var skips with warning ────────────────────────────────
@@ -594,15 +594,7 @@ async function seedKnownUsers() {
      .limit(1);
    if (existingAccount) {
-      // Re-hash and update the password so that re-seeding rotates credentials
+      console.log(`✓ Credential account for '${acct.email}' already exists — skipping`);
      // when the env var changes (e.g. after a password rotation).  Previously
      // this branch skipped entirely, freezing the hash at first-seed.
      const { hashPassword } = await import("better-auth/crypto");
      const passwordHash = await hashPassword(password);
      await db.update(schema.account)
        .set({ password: passwordHash })
        .where(eq(schema.account.id, existingAccount.id));
      console.log(`✓ Updated credential account password for '${acct.email}'`);
    } else {
      // Use Better-Auth's own hashPassword to guarantee parameter/encoding match.
      // better-auth/crypto uses: N=16384, r=16, p=1, dkLen=64, salt as 16-byte random
@@ -1,9 +0,0 @@
 -- Migration: 0035_add_missing_coat_type_values.sql
 -- Adds missing values to coat_type enum that seed.ts requires but which were
 -- omitted from the 0031_buffer_rules.sql CREATE TYPE statement (migration drift).
 -- 0031 created: 'smooth', 'double', 'wire', 'curly', 'long', 'hairless'
 -- Missing (from schema.ts coatTypeEnum): 'short', 'medium', 'silky'
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';
@@ -1,14 +0,0 @@
 -- Migration: 0035_add_short_to_coat_type_enum.sql
 -- GRO-1953: Adds missing "short" value to the coat_type enum so that seed data
 -- (which uses coatTypePool including "short") can be inserted without error.
 --
 -- The seed file defines coatTypePool as:
 --   ["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"]
 -- but migration 0031 created the enum without "short", causing:
 --   PostgresError: invalid input value for enum coat_type: "short"
 BEGIN;
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
 COMMIT;
@@ -1,9 +0,0 @@
 -- Migration: 0036_add_missing_coat_type_values.sql
 -- Adds missing values to coat_type enum that seed.ts requires but which were
 -- omitted from the 0031_buffer_rules.sql CREATE TYPE statement (migration drift).
 -- 0031 created: 'smooth', 'double', 'wire', 'curly', 'long', 'hairless'
 -- Missing (from schema.ts coatTypeEnum): 'short', 'medium', 'silky'
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'short';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'medium';
 ALTER TYPE "coat_type" ADD VALUE IF NOT EXISTS 'silky';
@@ -1,19 +0,0 @@
 -- Migration: 0037_add_extra_large_to_pet_size_category.sql
 -- GRO-1979: Adds the 'extra_large' value to the pet_size_category enum.
 --
 -- 0031_buffer_rules.sql created pet_size_category with values
 -- ('small', 'medium', 'large', 'xlarge'), but seed.ts and the drizzle
 -- schema (PetSizeCategory type) both use 'extra_large' — a mismatch that
 -- caused the UAT seed job to fail with:
 --   invalid input value for enum pet_size_category: "extra_large"
 --
 -- 0035/0036 (GRO-1971) registered 'short'/'medium'/'silky' in coat_type.
 -- This migration is the pet_size_category counterpart: register
 -- 'extra_large' so seed.ts can write the value the schema declares.
 --
 -- Postgres restriction: ALTER TYPE ADD VALUE cannot run inside a
 -- transaction block. The drizzle migrate runner does not wrap
 -- individual statements in an explicit transaction, so this applies
 -- as a single auto-commit DDL.
 ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';
@@ -1,4 +0,0 @@
 -- GRO-1999: 0037 was skipped on existing DBs due to a below-high-water-mark
 -- journal timestamp. Re-register extra_large with a monotonic timestamp so
 -- the existing UAT/persistent DBs apply it. Idempotent.
 ALTER TYPE "pet_size_category" ADD VALUE IF NOT EXISTS 'extra_large';
@@ -246,27 +246,6 @@
      "when": 1751140800000,
      "tag": "0034_extend_pet_profile_columns",
      "breakpoints": true
    },
    {
      "idx": 36,
      "version": "7",
      "when": 1751480000000,
      "tag": "0036_add_missing_coat_type_values",
      "breakpoints": true
    },
    {
      "idx": 37,
      "version": "7",
      "when": 1751500000000,
      "tag": "0037_add_extra_large_to_pet_size_category",
      "breakpoints": true
    },
    {
      "idx": 38,
      "version": "7",
      "when": 1780000000000,
      "tag": "0038_register_extra_large_pet_size_category",
      "breakpoints": true
    }
  ]
-}
+}
@@ -270,10 +270,6 @@ const medicalAlertPool: MedicalAlert[] = [
  { id: "", type: "other", description: "Seizure history — avoid flashing lights", severity: "high" },
  { id: "", type: "other", description: "Luxating patella — short walks only", severity: "medium" },
  { id: "", type: "other", description: "Ear infections — dry thoroughly after bath", severity: "low" },
  { id: "", type: "behavioral", description: "Anxiety — calm environment preferred", severity: "low" },
  { id: "", type: "behavioral", description: "Fear-based aggression — approach with caution", severity: "high" },
  { id: "", type: "skin", description: "Contact dermatitis — avoid harsh chemicals", severity: "medium" },
  { id: "", type: "skin", description: "Hot spots — monitor and report any worsening", severity: "high" },
 ];
 const preferredCutPool: string[] = [
@@ -609,45 +605,8 @@ async function seedUatStaffAccounts(db: ReturnType<typeof drizzle>) {
      .from(schema.pets)
      .where(eq(schema.pets.id, pet.id))
      .limit(1);
    if (existing) {
-      // Upsert so extended fields are always populated on re-runs
+      console.log(`✓ UAT Pet '${existing.name}' already exists — skipping`);
      await db.insert(schema.pets)
        .values({
          id: pet.id,
          clientId: uatCustomerClientId,
          name: pet.name,
          species: pet.species,
          breed: pet.breed,
          weightKg: pet.weight,
          dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
          image: pet.image,
          temperamentScore: randInt(1, 5),
          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
          medicalAlerts: [],
          preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
          coatType: pick(coatTypePool),
          petSizeCategory: pick(petSizeCategoryPool),
        })
        .onConflictDoUpdate({
          target: schema.pets.id,
          set: {
            clientId: uatCustomerClientId,
            name: pet.name,
            species: pet.species,
            breed: pet.breed,
            weightKg: pet.weight,
            dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
            image: pet.image,
            temperamentScore: randInt(1, 5),
            temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
            medicalAlerts: [],
            preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
            coatType: pick(coatTypePool),
            petSizeCategory: pick(petSizeCategoryPool),
          },
        });
      console.log(`✓ Upserted UAT pet '${pet.name}' with extended fields`);
    } else {
      await db.insert(schema.pets).values({
        id: pet.id,
@@ -658,14 +617,8 @@ async function seedUatStaffAccounts(db: ReturnType<typeof drizzle>) {
        weightKg: pet.weight,
        dateOfBirth: new Date(`${pet.dob}T00:00:00Z`),
        image: pet.image,
        temperamentScore: randInt(1, 5),
        temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
        medicalAlerts: [],
        preferredCuts: pickN(preferredCutPool, randInt(1, 2)),
        coatType: pick(coatTypePool),
        petSizeCategory: pick(petSizeCategoryPool),
      });
-      console.log(`✓ Created UAT pet '${pet.name}' with extended fields`);
+      console.log(`✓ Created UAT pet '${pet.name}'`);
    }
  }
 }
@@ -1009,7 +962,6 @@ async function seed() {
          temperamentScore: randInt(1, 5),
          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
          medicalAlerts: (() => {
            // ~30% of random-pool pets have alerts — lands squarely in the 25–35% AC band
            if (rand() < 0.3) {
              const count = rand() < 0.7 ? 1 : 2;
              return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
@@ -1106,16 +1058,6 @@ async function seed() {
        temperamentScore: randInt(1, 5),
        temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
        medicalAlerts: (() => {
          // TestCooper always has a behavioral alert; TestRocky always has a skin alert.
          // All other UAT test pets follow the 30% random distribution.
          // Deterministic alerts on 2 of 507 pets (~0.4%) do not meaningfully shift
          // the overall distribution from the 25-35% target band.
          if (uc.petName === "TestCooper") {
            return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
          }
          if (uc.petName === "TestRocky") {
            return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
          }
          if (rand() < 0.3) {
            const count = rand() < 0.7 ? 1 : 2;
            return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
@@ -1139,16 +1081,6 @@ async function seed() {
          temperamentScore: randInt(1, 5),
          temperamentFlags: pickN(temperamentFlagPool, randInt(1, 3)),
          medicalAlerts: (() => {
            // TestCooper always has a behavioral alert; TestRocky always has a skin alert.
            // All other UAT test pets follow the 30% random distribution.
            // Deterministic alerts on 2 of 507 pets (~0.4%) do not meaningfully shift
            // the overall distribution from the 25-35% target band.
            if (uc.petName === "TestCooper") {
              return pickN(medicalAlertPool.filter((a) => a.type === "behavioral"), 1).map((a) => ({ ...a, id: uuid() }));
            }
            if (uc.petName === "TestRocky") {
              return pickN(medicalAlertPool.filter((a) => a.type === "skin"), 1).map((a) => ({ ...a, id: uuid() }));
            }
            if (rand() < 0.3) {
              const count = rand() < 0.7 ? 1 : 2;
              return pickN(medicalAlertPool, count).map((a) => ({ ...a, id: uuid() }));
@@ -1,285 +0,0 @@
 /**
 * GET /pets/:id/profile-summary tests
 *
 * GRO-2014 regression coverage:
 *   - Empty-body 500 must never escape the route — the onError handler
 *     converts unhandled errors into a structured JSON 500.
 *   - Malformed UUIDs must return 404 (not 500 via a Postgres uuid cast).
 *   - Missing staff context must return 401 (not TypeError on staffRow.id).
 *   - Pet not found must return 404.
 *   - Groomer with no appointment linkage must return 403.
 *   - Manager and groomer with linkage must receive the summary body.
 */
 import { describe, it, expect, vi, beforeEach } from "vitest";
 import { Hono } from "hono";
 import type { AppEnv, StaffRow } from "../middleware/rbac.js";
 // ─── Fixtures ────────────────────────────────────────────────────────────────
 const MANAGER: StaffRow = {
  id: "00000000-0000-0000-0000-0000000000aa",
  oidcSub: "oidc-manager-sub",
  userId: null,
  role: "manager",
  isSuperUser: true,
  name: "Manager McManager",
  email: "manager@example.com",
  active: true,
  icalToken: null,
  createdAt: new Date(),
  updatedAt: new Date(),
 };
 const GROOMER: StaffRow = {
  ...MANAGER,
  id: "00000000-0000-0000-0000-0000000000bb",
  oidcSub: "oidc-groomer-sub",
  role: "groomer",
  isSuperUser: false,
  name: "Groomer Gary",
  email: "groomer@example.com",
 };
 const PET_UUID = "11111111-1111-1111-1111-111111111111";
 const CLIENT_UUID = "22222222-2222-2222-2222-222222222222";
 const UNKNOWN_PET_UUID = "00000000-0000-0000-0000-000000000001";
 const PET_ROW = {
  id: PET_UUID,
  clientId: CLIENT_UUID,
  name: "Biscuit",
  species: "dog",
  breed: "Beagle",
  coatType: "short",
  petSizeCategory: "medium",
  weightKg: "12.50",
  dateOfBirth: new Date("2020-01-01"),
 };
 // ─── Mutable DB state ─────────────────────────────────────────────────────────
 interface DbState {
  petRow: typeof PET_ROW | null;
  linkageRow: { id: string } | null;
  recentHistory: Array<Record<string, unknown>>;
  visitCount: number;
  upcoming: Record<string, unknown> | null;
  throwOnPetSelect: boolean;
 }
 let dbState: DbState;
 function resetDb() {
  dbState = {
    petRow: { ...PET_ROW },
    linkageRow: { id: "appt-link" },
    recentHistory: [],
    visitCount: 0,
    upcoming: null,
    throwOnPetSelect: false,
  };
 }
 // ─── @groombook/db mock ──────────────────────────────────────────────────────
 //
 // Each select chain needs to know which table it's targeting and which columns
 // it's projecting so we can return the right mocked rows. We thread that state
 // through a per-call object whose chain methods all return `this`. The chain
 // is also `then`-able so any `await` position resolves to the rows.
 vi.mock("@groombook/db", () => {
  const namedTable = (name: string) =>
    new Proxy(
      { _name: name },
      {
        get(_t, p) {
          if (p === "_name") return name;
          return { table: name, column: p };
        },
      }
    );
  const pets = namedTable("pets");
  const appointments = namedTable("appointments");
  const services = namedTable("services");
  const staff = namedTable("staff");
  // The full chain interface is intentionally loose — only `then` is exposed
  // with a typed signature so vitest's await resolves to the right shape.
  interface ChainLike {
    from: (table: { _name: string }) => ChainLike;
    where: (...args: unknown[]) => ChainLike;
    innerJoin: (...args: unknown[]) => ChainLike;
    leftJoin: (...args: unknown[]) => ChainLike;
    orderBy: (...args: unknown[]) => ChainLike;
    limit: (...args: unknown[]) => ChainLike;
    then: <T = unknown[]>(
      onfulfilled?: ((value: unknown[]) => T | PromiseLike<T>) | null
    ) => Promise<T>;
  }
  function buildSelect(projection?: Record<string, unknown>): ChainLike {
    let targetTable = "";
    const resolveRows = (): unknown[] => {
      if (targetTable === "pets") {
        if (dbState.throwOnPetSelect) {
          throw new Error("simulated postgres uuid cast failure");
        }
        return dbState.petRow ? [dbState.petRow] : [];
      }
      if (targetTable === "appointments") {
        const keys = projection ? Object.keys(projection) : [];
        if (projection && keys.length === 1 && keys[0] === "id") {
          return dbState.linkageRow ? [dbState.linkageRow] : [];
        }
        if (projection && keys.includes("count")) {
          return [{ count: dbState.visitCount }];
        }
        if (projection && keys.includes("confirmationStatus")) {
          return dbState.upcoming ? [dbState.upcoming] : [];
        }
        return dbState.recentHistory;
      }
      return [];
    };
    const chain: ChainLike = {
      from(table) {
        targetTable = table._name;
        return chain;
      },
      where() {
        return chain;
      },
      innerJoin() {
        return chain;
      },
      leftJoin() {
        return chain;
      },
      orderBy() {
        return chain;
      },
      limit() {
        return chain;
      },
      then(onfulfilled) {
        return Promise.resolve(resolveRows()).then(onfulfilled ?? undefined);
      },
    };
    return chain;
  }
  return {
    getDb: () => ({
      select: (projection?: Record<string, unknown>) => buildSelect(projection),
    }),
    pets,
    appointments,
    services,
    staff,
    and: vi.fn(() => ({ _op: "and" })),
    or: vi.fn(() => ({ _op: "or" })),
    eq: vi.fn(() => ({ _op: "eq" })),
    desc: vi.fn((arg: unknown) => arg),
    exists: vi.fn((arg: unknown) => arg),
    sql: Object.assign(
      () => ({ _op: "sql" }),
      { [Symbol.toPrimitive]: () => "sql" }
    ),
  };
 });
 vi.mock("../lib/s3.js", () => ({
  getPresignedUploadUrl: vi.fn().mockResolvedValue("https://example.com/put"),
  getPresignedGetUrl: vi.fn().mockResolvedValue("https://example.com/get"),
  deleteObject: vi.fn().mockResolvedValue(undefined),
 }));
 const { petsRouter } = await import("../routes/pets.js");
 // ─── App builder ─────────────────────────────────────────────────────────────
 function buildApp(staffRow: StaffRow | null) {
  const app = new Hono<AppEnv>();
  app.use("*", async (c, next) => {
    if (staffRow) c.set("staff", staffRow);
    await next();
  });
  app.route("/pets", petsRouter);
  return app;
 }
 beforeEach(() => {
  resetDb();
  vi.clearAllMocks();
 });
 // ─── Tests ───────────────────────────────────────────────────────────────────
 describe("GET /pets/:id/profile-summary — GRO-2014 error handling", () => {
  it("returns 404 (not 500) for a malformed UUID path param", async () => {
    const app = buildApp(MANAGER);
    const res = await app.request("/pets/not-a-uuid/profile-summary");
    expect(res.status).toBe(404);
    const body = (await res.json()) as { error: string };
    expect(body.error).toBe("Not found");
  });
  it("returns 401 when staff context is missing (defense in depth)", async () => {
    const app = buildApp(null);
    const res = await app.request(`/pets/${UNKNOWN_PET_UUID}/profile-summary`);
    expect(res.status).toBe(401);
    const body = (await res.json()) as { error: string };
    expect(body.error).toBe("Unauthorized");
  });
  it("returns 404 when authenticated and pet does not exist", async () => {
    dbState.petRow = null;
    const app = buildApp(MANAGER);
    const res = await app.request(`/pets/${UNKNOWN_PET_UUID}/profile-summary`);
    expect(res.status).toBe(404);
    const body = (await res.json()) as { error: string };
    expect(body.error).toBe("Not found");
  });
  it("returns 403 when groomer has no appointment linkage to the pet's client", async () => {
    dbState.linkageRow = null;
    const app = buildApp(GROOMER);
    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
    expect(res.status).toBe(403);
    const body = (await res.json()) as { error: string };
    expect(body.error).toBe("Forbidden");
  });
  it("returns 200 with summary for a manager (no groomer linkage check)", async () => {
    const app = buildApp(MANAGER);
    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
    expect(res.status).toBe(200);
    const body = (await res.json()) as Record<string, unknown>;
    expect(body.id).toBe(PET_UUID);
    expect(body.name).toBe("Biscuit");
    expect(body.visitCount).toBe(0);
    expect(body.upcomingAppointment).toBeNull();
    expect(body.recentGroomingHistory).toEqual([]);
  });
  it("returns 200 with summary for a groomer with linkage", async () => {
    const app = buildApp(GROOMER);
    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
    expect(res.status).toBe(200);
    const body = (await res.json()) as Record<string, unknown>;
    expect(body.id).toBe(PET_UUID);
  });
  it("returns a JSON envelope (not empty body) when a downstream query throws", async () => {
    dbState.throwOnPetSelect = true;
    const app = buildApp(MANAGER);
    const res = await app.request(`/pets/${PET_UUID}/profile-summary`);
    expect(res.status).toBe(500);
    const body = (await res.json()) as { error: string };
    expect(body.error).toBe("Internal Server Error");
  });
 });
@@ -23,23 +23,6 @@ import {
 export const petsRouter = new Hono<AppEnv>();
 // Convert Zod validation errors from 422 to 400 and ensure any thrown error
 // returns a structured JSON body rather than Hono's default empty-body 500.
 // GRO-2014: profile-summary previously bubbled unhandled errors and produced
 // an empty-body 500. Mirror the onError pattern already used in invoices.ts
 // and reports.ts so every error has a JSON envelope.
 petsRouter.onError((err, c) => {
  if (err instanceof z.ZodError) {
    return c.json({ error: "Validation failed", issues: err.issues }, 400);
  }
  console.error("[pets] unhandled error", err);
  return c.json({ error: "Internal Server Error" }, 500);
 });
 // UUID format used by all pet routes — guards path params against malformed
 // values before they hit Drizzle / Postgres uuid columns (which would throw).
 const uuidSchema = z.string().uuid();
 const createPetSchema = z.object({
  clientId: z.string().uuid(),
  name: z.string().min(1).max(200),
@@ -129,24 +112,8 @@ petsRouter.get("/:id", async (c) => {
 petsRouter.get("/:id/profile-summary", async (c) => {
  const db = getDb();
  const petId = c.req.param("id");
  // GRO-2014: validate UUID format before hitting Postgres. Passing a non-UUID
  // string to a uuid column makes the driver throw, which previously surfaced
  // as an empty-body 500 to clients.
  const parsedId = uuidSchema.safeParse(petId);
  if (!parsedId.success) {
    return c.json({ error: "Not found" }, 404);
  }
  // Defense in depth: resolveStaffMiddleware should always populate `staff`
  // for protected routes (or short-circuit with 401/403 of its own). Guard
  // anyway so a misconfigured route mount can't trigger a TypeError on
  // staffRow.id when the linkage check runs.
  const staffRow = c.get("staff");
-  if (!staffRow) {
+  const isGroomer = staffRow?.role === "groomer";
    return c.json({ error: "Unauthorized" }, 401);
  }
  const isGroomer = staffRow.role === "groomer";
  // Fetch the pet
  const [pet] = await db.select().from(pets).where(eq(pets.id, petId));