fix(ci): run api root lint/typecheck/test scripts; remove dead servicesTable (GRO-2197)

The api gate ran `pnpm --filter @groombook/api <script>`, but @groombook/api
is the workspace ROOT package and pnpm-workspace.yaml only includes packages/*,
so --filter excluded the root and the lint/typecheck/test steps silently
no-op'd (false-green). Invoke the root scripts directly instead.

Now that the gate actually runs eslint, fix the latent unused-var error in
src/__tests__/petProfileSummary.test.ts: servicesTable was declared and
assigned in resetMock but never enqueued/read. Remove the declaration, the
dead write, and the now-orphaned makeService helper (its only caller).

Verified locally: pnpm run typecheck, pnpm --filter @groombook/db typecheck,
pnpm run lint (0 errors), pnpm run test (602 passed) all green.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

UAT_PLAYBOOK.md

@@ -120,24 +120,6 @@ Expected: one row, `role = 'groomer'`. If zero rows return, the request hit the
 | TC-API-2.5 | Disable client | PATCH /api/clients/{id} with status: "disabled" | 200 OK, client marked as disabled |
 | TC-API-2.6 | Delete client | DELETE /api/clients/{id}?confirm=true | 200 OK, client deleted (if no appointments) |
 
-#### Client Geocoding — Route Optimization (GRO-2154, Phase 1.3)
-
-Geocoding turns a client's street address into `latitude`/`longitude` + `geocodedAt`. Provider is driven by `businessSettings.routeOptimizationProvider` (default Nominatim/OpenStreetMap, 1 req/sec; optional Google fallback). All explicit geocode endpoints are **manager-only**.
-
-| # | Scenario | Steps | Expected |
-|---|----------|-------|----------|
-| TC-API-2.7 | Geocode single client (success) | As **manager**, `POST /api/clients/{id}/geocode` for a client with a valid, real address (e.g. a seed client) | 200 OK; body `{ status: "geocoded", latitude, longitude, geocodedAt, formattedAddress, provider }`. Subsequent `GET /api/clients/{id}` shows the same non-null `latitude`/`longitude`/`geocodedAt` persisted |
-| TC-API-2.8 | Geocode single client — no address | As manager, `POST /api/clients/{id}/geocode` for a client whose `address` is null/blank | 422; `{ status: "no_address", message: "...no address on file..." }` (clear, actionable) |
-| TC-API-2.9 | Geocode single client — unresolvable/ambiguous address | As manager, set a nonsense address (e.g. `"asdkjhqweoui 99999"`) then `POST /api/clients/{id}/geocode` | 422; `{ status: "unresolved", message: "Address could not be resolved..." }` so groomers/managers know to correct it |
-| TC-API-2.10 | Geocode single client — not found | As manager, `POST /api/clients/00000000-0000-0000-0000-000000000000/geocode` | 404 `{ error: "Not found" }` |
-| TC-API-2.11 | Geocode endpoint is manager-only | As **groomer** or **receptionist**, `POST /api/clients/{id}/geocode` | 403 Forbidden (role not permitted) |
-| TC-API-2.12 | Batch geocode un-geocoded clients | As manager, `POST /api/clients/geocode-batch?limit=10` on a DB with un-geocoded clients | 200 OK; body `{ provider, processed, geocoded, unresolved, errors, remaining, outcomes[] }`. `processed` ≤ 10; `remaining` reflects un-geocoded clients beyond this batch. Re-run while `remaining > 0` to finish (throttled to provider rate limit) |
-| TC-API-2.13 | Batch geocode — invalid limit | As manager, `POST /api/clients/geocode-batch?limit=0` (or non-numeric) | 400 `{ error: "limit must be a positive integer" }` |
-| TC-API-2.14 | Batch geocode — manager-only | As groomer/receptionist, `POST /api/clients/geocode-batch` | 403 Forbidden |
-| TC-API-2.15 | Auto-geocode on create | As manager/receptionist, `POST /api/clients` with a valid `address` | 201 Created; response includes a `geocoding` object (`status: "geocoded"` for a resolvable address) and the persisted client carries `latitude`/`longitude`/`geocodedAt`. Creating without an address succeeds with no `geocoding` field |
-| TC-API-2.16 | Auto-geocode on address update | As manager/receptionist, `PATCH /api/clients/{id}` changing `address` to a new valid value | 200 OK; response includes a `geocoding` object and refreshed coordinates. Patching unrelated fields (e.g. `name`) does NOT re-geocode (no `geocoding` field) |
-| TC-API-2.17 | Clearing address drops coordinates | As manager/receptionist, `PATCH /api/clients/{id}` with `address: ""` | 200 OK; `latitude`/`longitude`/`geocodedAt` reset to null (no stale pin) |
-
 ### 4.3 Pet Management
 
 | # | Scenario | Steps | Expected |

packages/db/package.json

@@ -18,10 +18,9 @@
   "scripts": {
     "build": "tsc --project .",
     "generate": "drizzle-kit generate",
-    "wait-for-db": "node ./scripts/wait-for-db.mjs",
+    "migrate": "drizzle-kit migrate",
-    "migrate": "node ./scripts/wait-for-db.mjs && drizzle-kit migrate",
+    "seed": "tsx src/seed.ts",
-    "seed": "node ./scripts/wait-for-db.mjs && tsx src/seed.ts",
+    "reset": "tsx src/reset.ts && drizzle-kit migrate && tsx src/seed.ts",
-    "reset": "node ./scripts/wait-for-db.mjs && tsx src/reset.ts && drizzle-kit migrate && tsx src/seed.ts",
     "studio": "drizzle-kit studio",
     "typecheck": "tsc --noEmit"
   },

packages/db/scripts/wait-for-db.mjs

@@ -1,104 +0,0 @@
-#!/usr/bin/env node
-// wait-for-db.mjs
-//
-// GRO-2163: wait for / retry DNS resolution of the database hostname derived
-// from DATABASE_URL before invoking `drizzle-kit migrate`. The first attempt
-// of a fresh migrate-schema pod occasionally hits a transient CoreDNS miss
-// (EAI_AGAIN) on `groombook-postgres-rw.<ns>.svc`; with backoffLimit: 2 the
-// retry pod usually wins, but three unlucky attempts in a row trips
-// BackoffLimitExceeded. Resolving once here, with backoff, removes the dice
-// roll at the source so the first attempt reliably succeeds.
-//
-// Mirrors the belt-and-braces pattern used in GRO-1985 (no Corepack
-// download fallback): we don't try to outsmart CoreDNS, we just don't ask
-// drizzle-kit to do the very first DNS lookup of a freshly-scheduled pod.
-//
-// Configuration (env):
-//   WAIT_FOR_DB_MAX_ATTEMPTS  default 12  (~30s of total wait at default backoff)
-//   WAIT_FOR_DB_BASE_DELAY_MS default 500
-//   WAIT_FOR_DB_MAX_DELAY_MS  default 5000
-//   WAIT_FOR_DB_SKIP          default unset; set to "1" to skip (debug only)
-//
-// On success: exit 0. On exhaustion: exit 1 so the Job's backoff is
-// preserved (we don't want to silently mask a real outage by giving up
-// after 30s and letting drizzle-kit fail with a less-actionable error).
-
-import { setTimeout as delay } from "node:timers/promises";
-import dns from "node:dns/promises";
-
-const MAX_ATTEMPTS = Number(process.env.WAIT_FOR_DB_MAX_ATTEMPTS ?? 12);
-const BASE_DELAY_MS = Number(process.env.WAIT_FOR_DB_BASE_DELAY_MS ?? 500);
-const MAX_DELAY_MS = Number(process.env.WAIT_FOR_DB_MAX_DELAY_MS ?? 5000);
-
-function parseHost(databaseUrl) {
-  try {
-    return new URL(databaseUrl).hostname || null;
-  } catch {
-    return null;
-  }
-}
-
-async function resolveOnce(host) {
-  const start = Date.now();
-  const result = await dns.lookup(host);
-  return { address: result.address, ms: Date.now() - start };
-}
-
-async function main() {
-  if (process.env.WAIT_FOR_DB_SKIP === "1") {
-    console.log("[wait-for-db] WAIT_FOR_DB_SKIP=1, skipping");
-    return;
-  }
-  const databaseUrl = process.env.DATABASE_URL;
-  if (!databaseUrl) {
-    // Don't gate the migrate on a misconfigured env — let drizzle-kit fail
-    // loudly with its own clear error.
-    console.warn("[wait-for-db] DATABASE_URL not set; skipping");
-    return;
-  }
-  const host = parseHost(databaseUrl);
-  if (!host) {
-    console.warn(`[wait-for-db] could not parse hostname from DATABASE_URL; skipping`);
-    return;
-  }
-  console.log(
-    `[wait-for-db] host=${host} max_attempts=${MAX_ATTEMPTS} ` +
-      `base_delay_ms=${BASE_DELAY_MS} max_delay_ms=${MAX_DELAY_MS}`,
-  );
-
-  for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
-    try {
-      const { address, ms } = await resolveOnce(host);
-      console.log(`[wait-for-db] ok attempt=${attempt} host=${host} -> ${address} (${ms}ms)`);
-      return;
-    } catch (err) {
-      const code = err?.code ?? "UNKNOWN";
-      const transient = code === "EAI_AGAIN" || code === "ENOTFOUND" || code === "EAI_NODATA";
-      if (!transient) {
-        // Hard error (e.g. invalid hostname): surface and let drizzle-kit fail
-        // with a real error rather than spinning.
-        console.error(`[wait-for-db] non-transient DNS error attempt=${attempt} code=${code}: ${err.message}`);
-        process.exit(1);
-      }
-      if (attempt === MAX_ATTEMPTS) {
-        console.error(
-          `[wait-for-db] exhausted attempts=${MAX_ATTEMPTS} host=${host} last_code=${code}; exiting 1`,
-        );
-        process.exit(1);
-      }
-      const backoff = Math.min(
-        MAX_DELAY_MS,
-        BASE_DELAY_MS * 2 ** (attempt - 1) + Math.floor(Math.random() * BASE_DELAY_MS),
-      );
-      console.log(
-        `[wait-for-db] transient attempt=${attempt} code=${code} retry_in_ms=${backoff}`,
-      );
-      await delay(backoff);
-    }
-  }
-}
-
-main().catch((err) => {
-  console.error(`[wait-for-db] fatal: ${err?.message ?? err}`);
-  process.exit(1);
-});

src/__tests__/clientGeocoding.test.ts

@@ -1,192 +0,0 @@
-import { describe, it, expect, vi } from "vitest";
-import {
-  geocodeClient,
-  geocodeUngeocodedClients,
-  resolveClientGeocodingProvider,
-} from "../services/clientGeocoding.js";
-import {
-  NominatimGeocodingProvider,
-  type GeocodeResult,
-  type GeocodingProvider,
-} from "../services/geocoding.js";
-
-// ─── Fakes ──────────────────────────────────────────────────────────────────
-
-/** Fake provider with a scripted geocode behaviour and a call log. */
-function fakeProvider(
-  impl: (address: string) => Promise<GeocodeResult | null>
-): GeocodingProvider & { calls: string[] } {
-  const calls: string[] = [];
-  return {
-    name: "nominatim",
-    minRequestIntervalMs: 0,
-    calls,
-    geocode: (address: string) => {
-      calls.push(address);
-      return impl(address);
-    },
-  };
-}
-
-const okResult = (lat: number, lng: number): GeocodeResult => ({
-  latitude: lat,
-  longitude: lng,
-  formattedAddress: "1 Main St, Anytown",
-  provider: "nominatim",
-});
-
-/**
- * Minimal db double recording update() set-values. `select()` chains return the
- * preloaded `selectQueue` shift()ed per call so different statements get
- * different rows (used by geocodeUngeocodedClients: count, then rows).
- */
-function fakeDb(selectQueue: unknown[][]) {
-  const updates: Record<string, unknown>[] = [];
-  const queue = [...selectQueue];
-  const chain = () => {
-    const rows = queue.shift() ?? [];
-    const proxy: Record<string, unknown> = {};
-    for (const k of ["from", "where", "orderBy", "limit"]) {
-      proxy[k] = () => proxy;
-    }
-    // Make the chain awaitable / iterable as the resolved rows.
-    (proxy as { then: unknown }).then = (resolve: (v: unknown) => void) =>
-      resolve(rows);
-    (proxy as { [Symbol.iterator]: unknown })[Symbol.iterator] = () =>
-      (rows as unknown[])[Symbol.iterator]();
-    return proxy;
-  };
-  const db = {
-    select: () => chain(),
-    update: () => ({
-      set: (vals: Record<string, unknown>) => ({
-        where: () => {
-          updates.push(vals);
-          return { returning: async () => [] };
-        },
-      }),
-    }),
-    updates,
-  };
-  return db as unknown as Parameters<typeof geocodeClient>[0] & {
-    updates: Record<string, unknown>[];
-  };
-}
-
-const clientRow = (over: Record<string, unknown> = {}) =>
-  ({
-    id: "client-1",
-    name: "Alice",
-    email: "a@example.com",
-    address: "1 Main St",
-    latitude: null,
-    longitude: null,
-    geocodedAt: null,
-    ...over,
-  }) as unknown as Parameters<typeof geocodeClient>[1];
-
-// ─── geocodeClient ────────────────────────────────────────────────────────────
-
-describe("geocodeClient", () => {
-  it("persists coordinates and returns a geocoded outcome", async () => {
-    const db = fakeDb([]);
-    const provider = fakeProvider(async () => okResult(40.1, -74.2));
-    const outcome = await geocodeClient(db, clientRow(), provider);
-
-    expect(outcome.status).toBe("geocoded");
-    expect(outcome.latitude).toBe(40.1);
-    expect(outcome.longitude).toBe(-74.2);
-    expect(outcome.geocodedAt).toBeTruthy();
-    expect(db.updates).toHaveLength(1);
-    expect(db.updates[0]!.latitude).toBe(40.1);
-    expect(db.updates[0]!.longitude).toBe(-74.2);
-    expect(db.updates[0]!.geocodedAt).toBeInstanceOf(Date);
-  });
-
-  it("returns no_address and does not persist when address is blank", async () => {
-    const db = fakeDb([]);
-    const provider = fakeProvider(async () => okResult(0, 0));
-    const outcome = await geocodeClient(db, clientRow({ address: "   " }), provider);
-
-    expect(outcome.status).toBe("no_address");
-    expect(provider.calls).toHaveLength(0);
-    expect(db.updates).toHaveLength(0);
-  });
-
-  it("returns unresolved when the provider finds no match", async () => {
-    const db = fakeDb([]);
-    const provider = fakeProvider(async () => null);
-    const outcome = await geocodeClient(db, clientRow(), provider);
-
-    expect(outcome.status).toBe("unresolved");
-    expect(outcome.message).toMatch(/could not be resolved/i);
-    expect(db.updates).toHaveLength(0);
-  });
-
-  it("returns error (without throwing) when the provider fails", async () => {
-    const db = fakeDb([]);
-    const provider = fakeProvider(async () => {
-      throw new Error("quota exceeded");
-    });
-    const outcome = await geocodeClient(db, clientRow(), provider);
-
-    expect(outcome.status).toBe("error");
-    expect(outcome.message).toMatch(/quota exceeded/);
-    expect(db.updates).toHaveLength(0);
-  });
-});
-
-// ─── geocodeUngeocodedClients ─────────────────────────────────────────────────
-
-describe("geocodeUngeocodedClients", () => {
-  it("geocodes candidates, tallies outcomes, and reports remaining", async () => {
-    // First select() = count query, second select() = candidate rows.
-    const db = fakeDb([
-      [{ count: 5 }],
-      [
-        clientRow({ id: "c1", address: "1 Main St" }),
-        clientRow({ id: "c2", address: "2 Oak Ave" }),
-        clientRow({ id: "c3", address: "" }), // no_address
-      ],
-    ]);
-    const provider = fakeProvider(async (addr) =>
-      addr === "2 Oak Ave" ? null : okResult(1, 2)
-    );
-
-    const summary = await geocodeUngeocodedClients(db, 50, provider);
-
-    expect(summary.processed).toBe(3);
-    expect(summary.geocoded).toBe(1);
-    expect(summary.unresolved).toBe(1); // "2 Oak Ave"
-    expect(summary.remaining).toBe(2); // 5 total - 3 processed
-    expect(summary.provider).toBe("nominatim");
-    expect(db.updates).toHaveLength(1); // only the successful one persisted
-  });
-
-  it("clamps the limit to the 1..500 range", async () => {
-    const db = fakeDb([[{ count: 0 }], []]);
-    const provider = fakeProvider(async () => okResult(1, 2));
-    const summary = await geocodeUngeocodedClients(db, 0, provider);
-    expect(summary.processed).toBe(0);
-    expect(summary.remaining).toBe(0);
-  });
-});
-
-// ─── resolveClientGeocodingProvider ───────────────────────────────────────────
-
-describe("resolveClientGeocodingProvider", () => {
-  it("defaults to Nominatim when no settings row exists", async () => {
-    const db = fakeDb([[]]); // businessSettings select -> empty
-    const provider = await resolveClientGeocodingProvider(db);
-    expect(provider).toBeInstanceOf(NominatimGeocodingProvider);
-    expect(provider.name).toBe("nominatim");
-  });
-
-  it("defaults to Nominatim when provider is unset on settings", async () => {
-    const db = fakeDb([[{ routeOptimizationProvider: null, googleMapsApiKey: null }]]);
-    const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
-    const provider = await resolveClientGeocodingProvider(db);
-    expect(provider.name).toBe("nominatim");
-    warn.mockRestore();
-  });
-});

src/__tests__/portalPets.test.ts

@@ -177,10 +177,7 @@ describe("PATCH /portal/pets/:petId", () => {
     expect(persisted.weightKg).toBe("18.25");
     expect(persisted.groomingNotes).toBe("old grooming notes");
     expect(persisted.healthAlerts).toBe("Allergic to oatmeal shampoo");
-    // photoKey is NOT writable via portal PATCH (GRO-2187 S3 key-hijack fix):
+    expect(persisted.photoKey).toBe("pets/rex.jpg");
-    // the web form round-trips the GET-shaped photoUrl, but the server must not
-    // persist it. Photo changes go through the key-validated upload flow.
-    expect(persisted.photoKey).toBeUndefined();
     expect(persisted.coatType).toBe("double");
     expect(persisted.petSizeCategory).toBe("extra_large");
     expect(persisted.preferredCuts).toEqual(["teddy bear", "puppy cut"]);
@@ -190,55 +187,6 @@ describe("PATCH /portal/pets/:petId", () => {
     expect(persisted.updatedAt).toBeInstanceOf(Date);
   });
 
-  // GRO-2187 security regression: a portal customer must not be able to set the
-  // S3 object key. photoKey is consumed server-side by getPresignedGetUrl /
-  // deleteObject; the upload path guards keys with a pets/{petId}/ prefix, and the
-  // portal PATCH must not offer a bypass. A foreign/arbitrary photoUrl is accepted
-  // (Zod strips the unknown key) but must leave photoKey untouched.
-  it("does not mutate photoKey when a foreign photoUrl is supplied (200)", async () => {
-    selectSessionRow = ACTIVE_SESSION;
-    const ownKey = `pets/${PET_ID}/original.jpg`;
-    selectPetRow = { ...PET, photoKey: ownKey };
-
-    const res = await jsonPatch(
-      `/portal/pets/${PET_ID}`,
-      {
-        name: "Rex",
-        // attacker-chosen key pointing at another tenant's object
-        photoUrl: "pets/00000000-0000-0000-0000-0000000000ff/victim-secret.jpg",
-      },
-      { "X-Impersonation-Session-Id": SESSION_ID }
-    );
-
-    expect(res.status).toBe(200);
-    const persisted = updatedValues[0]!;
-    // The attacker-supplied key never reaches the update payload.
-    expect(persisted.photoKey).toBeUndefined();
-    // And the stored key is unchanged from the pet's own value.
-    const body = await res.json();
-    expect(body.photoUrl).toBe(ownKey);
-  });
-
-  // The length/array caps live in the Zod schema, so violations are rejected by
-  // zValidator with 400 (in-handler enum checks are what return 422).
-  it("returns 400 when a medicalAlert description exceeds the length cap", async () => {
-    selectSessionRow = ACTIVE_SESSION;
-    selectPetRow = PET;
-
-    const res = await jsonPatch(
-      `/portal/pets/${PET_ID}`,
-      {
-        medicalAlerts: [
-          { type: "allergy", description: "x".repeat(2001), severity: "low" },
-        ],
-      },
-      { "X-Impersonation-Session-Id": SESSION_ID }
-    );
-
-    expect(res.status).toBe(400);
-    expect(updatedValues).toHaveLength(0);
-  });
-
   it("falls back to the weight key when weightKg is absent", async () => {
     selectSessionRow = ACTIVE_SESSION;
     selectPetRow = PET;

src/index.ts

@@ -235,15 +235,6 @@ api.on(
   requireRole("manager", "receptionist", "groomer")
 );
 
-// Route-optimization geocoding endpoints are manager-only (GRO-2154), stricter
-// than the general client write guard below. Registered FIRST so receptionists
-// are rejected here before the manager+receptionist guard can admit them.
-api.on(
-  ["POST"],
-  ["/clients/geocode-batch", "/clients/:clientId/geocode"],
-  requireRole("manager")
-);
-
 // Clients, appointments: all roles may read; only manager + receptionist may write
 api.on(
   ["POST", "PUT", "PATCH", "DELETE"],

src/routes/clients.ts

@@ -3,61 +3,9 @@ import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import { and, eq, exists, getDb, or, clients, appointments } from "@groombook/db";
 import type { AppEnv } from "../middleware/rbac.js";
-import {
-  geocodeClient,
-  geocodeUngeocodedClients,
-  resolveClientGeocodingProvider,
-  type ClientGeocodeOutcome,
-} from "../services/clientGeocoding.js";
 
 export const clientsRouter = new Hono<AppEnv>();
 
-type ClientRow = typeof clients.$inferSelect;
-
-/**
- * Best-effort auto-geocode of a freshly created/updated client (GRO-2154).
- * Never throws: a flaky geocoding backend must not break client mutations.
- * Returns the (possibly coordinate-enriched) row plus a structured outcome the
- * caller surfaces under a `geocoding` field so ambiguous addresses are visible.
- */
-async function autoGeocodeClient(
-  db: ReturnType<typeof getDb>,
-  row: ClientRow
-): Promise<{ row: ClientRow; outcome: ClientGeocodeOutcome }> {
-  try {
-    const provider = await resolveClientGeocodingProvider(db);
-    const outcome = await geocodeClient(db, row, provider);
-    const enriched =
-      outcome.status === "geocoded"
-        ? {
-            ...row,
-            latitude: outcome.latitude,
-            longitude: outcome.longitude,
-            geocodedAt: outcome.geocodedAt
-              ? new Date(outcome.geocodedAt)
-              : row.geocodedAt,
-          }
-        : row;
-    return { row: enriched, outcome };
-  } catch (err) {
-    return {
-      row,
-      outcome: {
-        clientId: row.id,
-        status: "error",
-        message: `Auto-geocode failed: ${
-          err instanceof Error ? err.message : String(err)
-        }`,
-        latitude: null,
-        longitude: null,
-        geocodedAt: null,
-        formattedAddress: null,
-        provider: null,
-      },
-    };
-  }
-}
-
 const createClientSchema = z.object({
   name: z.string().min(1).max(200),
   email: z.string().email(),
@@ -143,59 +91,9 @@ clientsRouter.post("/", zValidator("json", createClientSchema), async (c) => {
   const db = getDb();
   const body = c.req.valid("json");
   const [row] = await db.insert(clients).values(body).returning();
-  if (!row) return c.json({ error: "Failed to create client" }, 500);
-
-  // Auto-geocode on create when an address is supplied (GRO-2154). Best-effort:
-  // the client is created regardless; the `geocoding` field surfaces failures.
-  if (body.address && body.address.trim()) {
-    const { row: enriched, outcome } = await autoGeocodeClient(db, row);
-    return c.json({ ...enriched, geocoding: outcome }, 201);
-  }
   return c.json(row, 201);
 });
 
-// Geocode a single client's address and persist coordinates (manager-only;
-// enforced by the route guard in index.ts).
-clientsRouter.post("/:clientId/geocode", async (c) => {
-  const db = getDb();
-  const clientId = c.req.param("clientId");
-  const [client] = await db
-    .select()
-    .from(clients)
-    .where(eq(clients.id, clientId));
-  if (!client) return c.json({ error: "Not found" }, 404);
-
-  const provider = await resolveClientGeocodingProvider(db);
-  const outcome = await geocodeClient(db, client, provider);
-
-  // Map outcome to an HTTP status so the result is unambiguous to the caller:
-  //  geocoded -> 200, provider error -> 502, no_address/unresolved -> 422.
-  const status =
-    outcome.status === "geocoded"
-      ? 200
-      : outcome.status === "error"
-        ? 502
-        : 422;
-  return c.json(outcome, status);
-});
-
-// Batch-geocode un-geocoded clients with provider-rate-limited throttling
-// (manager-only). Processes up to ?limit clients (default 50, max 500) per call;
-// re-invoke while `remaining` > 0 to finish large datasets.
-clientsRouter.post("/geocode-batch", async (c) => {
-  const db = getDb();
-  const limitRaw = c.req.query("limit");
-  let limit = 50;
-  if (limitRaw !== undefined) {
-    limit = Number(limitRaw);
-    if (!Number.isFinite(limit) || limit <= 0) {
-      return c.json({ error: "limit must be a positive integer" }, 400);
-    }
-  }
-  const summary = await geocodeUngeocodedClients(db, limit);
-  return c.json(summary);
-});
-
 // Update a client (including status changes)
 const patchClientSchema = createClientSchema.partial().extend({
   status: z.enum(["active", "disabled"]).optional(),
@@ -225,29 +123,13 @@ clientsRouter.patch(
     }
     delete setValues.smsOptOut;
 
-    // Auto-geocode on address change (GRO-2154). If the address was cleared,
+    const [row] = await db
-    // drop any stale coordinates so a disabled/blank address never keeps a pin.
-    const addressProvided = Object.prototype.hasOwnProperty.call(body, "address");
-    const trimmedAddress =
-      typeof body.address === "string" ? body.address.trim() : undefined;
-    if (addressProvided && !trimmedAddress) {
-      setValues.latitude = null;
-      setValues.longitude = null;
-      setValues.geocodedAt = null;
-    }
-
-    const [updated] = await db
       .update(clients)
       .set(setValues)
       .where(eq(clients.id, c.req.param("id")))
       .returning();
-    if (!updated) return c.json({ error: "Not found" }, 404);
+    if (!row) return c.json({ error: "Not found" }, 404);
-
+    return c.json(row);
-    if (addressProvided && trimmedAddress) {
-      const { row: enriched, outcome } = await autoGeocodeClient(db, updated);
-      return c.json({ ...enriched, geocoding: outcome });
-    }
-    return c.json(updated);
   }
 );
 

src/routes/portal.ts

@@ -261,8 +261,8 @@ const PORTAL_PET_SIZE_ALIASES: Record<string, string> = { xlarge: "extra_large"
 
 const portalMedicalAlertSchema = z.object({
   id: z.string().optional(),
-  type: z.string().max(2000),
+  type: z.string(),
-  description: z.string().max(2000),
+  description: z.string(),
   severity: z.enum(["low", "medium", "high"]),
 });
 
@@ -275,16 +275,12 @@ const portalPetUpdateSchema = z.object({
   birthDate: z.string().nullable().optional(),
   notes: z.string().max(2000).nullable().optional(),
   healthAlerts: z.string().max(2000).nullable().optional(),
-  // photoUrl/photoKey are intentionally NOT writable here: photoKey is a trusted
+  photoUrl: z.string().nullable().optional(),
-  // S3 object key consumed server-side (getPresignedGetUrl / deleteObject), and the
-  // upload path (pets.ts) already enforces a pets/{petId}/ prefix guard against key
-  // hijacking. Photo changes go through the dedicated upload + /photo/confirm flow.
-  // The web form round-trips the GET-shaped photoUrl; Zod strips it as an unknown key.
   // coatType / petSizeCategory validated in-handler so bad values return 422.
   coatType: z.string().nullable().optional(),
   petSizeCategory: z.string().nullable().optional(),
-  preferredCuts: z.array(z.string().max(2000)).max(50).nullable().optional(),
+  preferredCuts: z.array(z.string()).nullable().optional(),
-  medicalAlerts: z.array(portalMedicalAlertSchema).max(50).nullable().optional(),
+  medicalAlerts: z.array(portalMedicalAlertSchema).nullable().optional(),
 });
 
 portalRouter.patch(
@@ -326,8 +322,7 @@ portalRouter.patch(
 
     if (body.notes !== undefined) updateData.groomingNotes = body.notes;
     if (body.healthAlerts !== undefined) updateData.healthAlerts = body.healthAlerts;
-    // photoKey is intentionally not writable here — see portalPetUpdateSchema note.
+    if (body.photoUrl !== undefined) updateData.photoKey = body.photoUrl;
-    // Photo changes go through the key-validated upload + /photo/confirm flow.
 
     if (body.coatType !== undefined) {
       if (body.coatType !== null && !PORTAL_COAT_TYPES.includes(body.coatType)) {

src/services/clientGeocoding.ts

@@ -1,212 +0,0 @@
-import {
-  getDb,
-  businessSettings,
-  clients,
-  and,
-  eq,
-  isNull,
-  sql,
-} from "@groombook/db";
-import {
-  resolveGeocodingProvider,
-  type GeocodingProvider,
-  type GeocodeResult,
-} from "./geocoding.js";
-
-/**
- * Client geocoding orchestration (GRO-2154, Phase 1.3 of Route Optimization).
- *
- * Bridges the provider-agnostic {@link GeocodingProvider} layer (GRO-2153) and
- * the `clients` table: resolves the configured provider from `businessSettings`,
- * geocodes a client's address, and persists `latitude`/`longitude`/`geocodedAt`.
- *
- * Outcomes are returned as structured {@link ClientGeocodeOutcome} values so that
- * callers (the geocode endpoints and the auto-geocode create/update hook) can
- * surface clear, actionable feedback — groomers need to know when an address is
- * ambiguous or unresolvable, not just that "something failed".
- */
-
-type Db = ReturnType<typeof getDb>;
-type ClientRow = typeof clients.$inferSelect;
-
-/** Status of a single client geocode attempt. */
-export type ClientGeocodeStatus =
-  /** Coordinates resolved and persisted. */
-  | "geocoded"
-  /** Client has no (non-blank) address on file — nothing to geocode. */
-  | "no_address"
-  /** Provider returned no match; the address is ambiguous or unrecognized. */
-  | "unresolved"
-  /** Provider call failed (transport, quota, bad key). Coordinates unchanged. */
-  | "error";
-
-/** Structured, UI-surfaceable result of geocoding one client. */
-export interface ClientGeocodeOutcome {
-  clientId: string;
-  status: ClientGeocodeStatus;
-  /** Human-readable explanation, safe to show to managers/groomers. */
-  message: string;
-  latitude: number | null;
-  longitude: number | null;
-  geocodedAt: string | null;
-  /** Provider-normalized address, when a match was found. */
-  formattedAddress: string | null;
-  /** Provider that produced (or attempted) this result. */
-  provider: string | null;
-}
-
-/**
- * Builds the geocoding provider for the current business settings. A single
- * provider instance should be reused across a batch so its internal rate limiter
- * throttles the whole run (e.g. Nominatim's 1 req/sec policy).
- */
-export async function resolveClientGeocodingProvider(
-  db: Db
-): Promise<GeocodingProvider> {
-  const [settings] = await db.select().from(businessSettings).limit(1);
-  return resolveGeocodingProvider(settings ?? null);
-}
-
-/**
- * Geocodes a single client row through the given provider and persists the
- * result on success. Never throws on provider failure — transport/quota errors
- * are captured as an `"error"` outcome so callers (especially the create/update
- * auto-geocode hook) are not broken by a flaky geocoding backend.
- */
-export async function geocodeClient(
-  db: Db,
-  client: ClientRow,
-  provider: GeocodingProvider
-): Promise<ClientGeocodeOutcome> {
-  const base = {
-    clientId: client.id,
-    latitude: null as number | null,
-    longitude: null as number | null,
-    geocodedAt: null as string | null,
-    formattedAddress: null as string | null,
-    provider: provider.name as string | null,
-  };
-
-  const address = client.address?.trim();
-  if (!address) {
-    return {
-      ...base,
-      status: "no_address",
-      message: "Client has no address on file, so it cannot be geocoded.",
-    };
-  }
-
-  let result: GeocodeResult | null;
-  try {
-    result = await provider.geocode(address);
-  } catch (err) {
-    return {
-      ...base,
-      status: "error",
-      message: `Geocoding provider (${provider.name}) failed: ${
-        err instanceof Error ? err.message : String(err)
-      }`,
-    };
-  }
-
-  if (!result) {
-    return {
-      ...base,
-      status: "unresolved",
-      message: `Address could not be resolved to a location: "${address}". Please verify or correct the address.`,
-    };
-  }
-
-  const geocodedAt = new Date();
-  await db
-    .update(clients)
-    .set({
-      latitude: result.latitude,
-      longitude: result.longitude,
-      geocodedAt,
-      updatedAt: geocodedAt,
-    })
-    .where(eq(clients.id, client.id));
-
-  return {
-    clientId: client.id,
-    status: "geocoded",
-    message: `Geocoded via ${result.provider} to ${result.latitude}, ${result.longitude}.`,
-    latitude: result.latitude,
-    longitude: result.longitude,
-    geocodedAt: geocodedAt.toISOString(),
-    formattedAddress: result.formattedAddress,
-    provider: result.provider,
-  };
-}
-
-/** Summary returned by {@link geocodeUngeocodedClients}. */
-export interface BatchGeocodeSummary {
-  provider: string;
-  /** Number of clients processed in this invocation. */
-  processed: number;
-  geocoded: number;
-  unresolved: number;
-  errors: number;
-  /** Un-geocoded clients with an address that were NOT processed (over `limit`). */
-  remaining: number;
-  /** Per-client outcomes for everything processed this invocation. */
-  outcomes: ClientGeocodeOutcome[];
-}
-
-/**
- * Batch-geocodes clients that have an address but no `geocodedAt` yet, throttled
- * by the active provider's rate limiter.
- *
- * Because Nominatim allows only ~1 req/sec, geocoding every un-geocoded client in
- * a single HTTP request would risk timeouts on large datasets. Each invocation
- * therefore processes at most `limit` clients (default 50, clamped 1..500) and
- * reports `remaining`; managers re-run until `remaining` is 0.
- */
-export async function geocodeUngeocodedClients(
-  db: Db,
-  limit = 50,
-  injectedProvider?: GeocodingProvider
-): Promise<BatchGeocodeSummary> {
-  const effectiveLimit = Math.min(Math.max(Math.trunc(limit) || 0, 1), 500);
-  const provider =
-    injectedProvider ?? (await resolveClientGeocodingProvider(db));
-
-  // Un-geocoded = geocodedAt IS NULL with a non-blank address.
-  const candidateFilter = and(
-    isNull(clients.geocodedAt),
-    sql`${clients.address} IS NOT NULL AND length(trim(${clients.address})) > 0`
-  );
-
-  const countRows = await db
-    .select({ count: sql<number>`count(*)::int` })
-    .from(clients)
-    .where(candidateFilter);
-  const totalRemaining = countRows[0]?.count ?? 0;
-
-  const rows = await db
-    .select()
-    .from(clients)
-    .where(candidateFilter)
-    .orderBy(clients.createdAt)
-    .limit(effectiveLimit);
-
-  const outcomes: ClientGeocodeOutcome[] = [];
-  for (const row of rows) {
-    outcomes.push(await geocodeClient(db, row, provider));
-  }
-
-  const geocoded = outcomes.filter((o) => o.status === "geocoded").length;
-  const unresolved = outcomes.filter((o) => o.status === "unresolved").length;
-  const errors = outcomes.filter((o) => o.status === "error").length;
-
-  return {
-    provider: provider.name,
-    processed: outcomes.length,
-    geocoded,
-    unresolved,
-    errors,
-    remaining: Math.max(totalRemaining - outcomes.length, 0),
-    outcomes,
-  };
-}