dev → uat: GRO-2203 portal pet PATCH malformed-petId 500→404 (#178 )

dev → uat: GRO-2155 route optimization endpoints (carries GRO-2163) (#176 )
dev → uat: portal photoKey S3 key-hijack fix (GRO-2187/GRO-2198) (#173 )
2026-06-08 17:53:01 +00:00 · 2026-06-08 16:45:44 +00:00 · 2026-06-08 12:39:52 +00:00 · 2026-06-08 12:06:43 +00:00 · 2026-06-08 10:51:17 +00:00 · 2026-06-08 10:02:17 +00:00
1 changed files with 2 additions and 0 deletions
@@ -165,6 +165,8 @@ Geocoding turns a client's street address into `latitude`/`longitude` + `geocode
 | TC-API-3.19b | Get pet profile summary — customer cross-tenant blocked (GRO-2013) | Sign in as `uat-customer@groombook.dev`; reuse the customer's sessionId from TC-API-3.19a; `GET /api/pets/{otherClientPetId}/profile-summary` for a pet owned by a different client (`c0000002-...` or any non-customer pet) | 403 Forbidden (owner-bypass requires session.clientId === pet.clientId) |
 | TC-API-3.19c | Get pet profile summary — customer without portal session header | Same as TC-API-3.19a but omit the `X-Impersonation-Session-Id` header | 403 Forbidden (no owner-bypass without valid portal session) |
 | TC-API-3.19d | Get pet profile summary — owner-bypass writes audit row (GRO-2063) | Same setup as TC-API-3.19a (sign in as `uat-customer@groombook.dev`, establish a portal session for the customer's own clientId, call `GET /api/pets/{ownPetId}/profile-summary` with `X-Impersonation-Session-Id: {sessionId}` and a 200 OK response). Then call `GET /api/impersonation/sessions/{sessionId}/audit-log` and confirm there is exactly one entry with `action === "read_profile_summary"`, `pageVisited` matching the profile-summary path, and `metadata` containing `petId` and `actorStaffId` for the customer. Repeat TC-API-3.19b (cross-tenant attempt) and confirm NO new `read_profile_summary` row was written for the cross-tenant attempt. | 200 OK on the profile-summary call AND an audit log entry is present with the correct shape (defense-in-depth audit row; bypass attempts against other clients must NOT log) |
+| TC-UAT-2 | Groomer accesses linked pet profile summary (GRO-2100) | Sign in as `uat-groomer@groombook.dev`; `GET /api/pets/c0000001-0000-0000-0000-000000000002/profile-summary` (UAT Pup Alpha — linked via deterministic completed appointment `a0000001-0000-0000-0000-000000000001`, service `b0000001-…-0001` "Bath & Brush", `startTime` ~7 days ago) | 200 OK, `recentGroomingHistory[]` non-empty (>=1 entry), `visitCount >= 1`, `upcomingAppointment` null (the seeded appointment is in the past) |
+| TC-UAT-3 | Groomer blocked from unlinked pet profile summary (GRO-2100) | Sign in as `uat-groomer@groombook.dev`; `GET /api/pets/c0000001-0000-0000-0000-000000000003/profile-summary` (UAT Pup Beta — intentionally UNLINKED; no appointment row references this pet's clientId+groomerId combo) | 403 Forbidden (RBAC `groomer` role lacks the appointment-linkage grant for this pet). NOTE: if 404 is returned instead of 403, file a separate RBAC defect (not against the seed) — see GRO-2100 verification note |
 | TC-API-3.29 | Get pet profile summary — unknown UUID returns 404 (GRO-2014) | GET /api/pets/00000000-0000-0000-0000-000000000001/profile-summary while authenticated (any role) | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014) |
 | TC-API-3.30 | Get pet profile summary — malformed UUID returns 404 (GRO-2014) | GET /api/pets/not-a-uuid/profile-summary while authenticated | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014 — Postgres uuid cast failure) |
 | TC-API-3.31 | Get pet profile summary — never empty-body 500 (GRO-2014) | GET /api/pets/{anyId}/profile-summary across the test sweep | No response has status 500 with an empty body. Any 500 must include a JSON body `{"error":"Internal Server Error"}` |
Author	SHA1	Message	Date
Flea Flicker	eb92f99c4a	dev → uat: GRO-2203 portal pet PATCH malformed-petId 500→404 (#178 ) CI / Test (push) Successful in 27s Details CI / Lint & Typecheck (push) Successful in 32s Details CI / Build & Push Docker Images (push) Successful in 1m1s Details CI / Test (pull_request) Successful in 27s Details CI / Lint & Typecheck (pull_request) Successful in 31s Details CI / Build & Push Docker Images (pull_request) Successful in 1m4s Details	2026-06-08 17:53:01 +00:00
Flea Flicker	587fd4ec95	dev → uat: GRO-2155 route optimization endpoints (carries GRO-2163) (#176 ) CI / Test (push) Successful in 26s Details CI / Lint & Typecheck (push) Successful in 27s Details CI / Build & Push Docker Images (push) Successful in 25s Details	2026-06-08 16:45:44 +00:00
Flea Flicker	8cf72d926d	dev → uat: portal photoKey S3 key-hijack fix (GRO-2187/GRO-2198) (#173 ) CI / Test (push) Successful in 22s Details CI / Lint & Typecheck (push) Successful in 27s Details CI / Build & Push Docker Images (push) Successful in 43s Details CI / Test (pull_request) Successful in 27s Details CI / Lint & Typecheck (pull_request) Successful in 32s Details CI / Build & Push Docker Images (pull_request) Successful in 39s Details	2026-06-08 12:39:52 +00:00
Flea Flicker	8721f0b63c	dev → uat: GRO-2154 geocoding endpoints (Phase 1.3) (#171 ) CI / Test (push) Successful in 24s Details CI / Lint & Typecheck (push) Successful in 27s Details CI / Build & Push Docker Images (push) Successful in 35s Details	2026-06-08 12:06:43 +00:00
Flea Flicker	027e012a58	Merge pull request 'dev → uat: GRO-2153 abstracted geocoding service' (#168 ) from dev-to-uat-gro-2153 into uat CI / Test (push) Successful in 1m5s Details CI / Lint & Typecheck (push) Successful in 43m29s Details CI / Build & Push Docker Images (push) Successful in 1m7s Details	2026-06-08 10:51:17 +00:00
Flea Flicker	b3db206588	Merge pull request 'dev → uat: GRO-2187 portal pet PATCH + GET enrichment (carries GRO-2152)' (#166 ) from dev-to-uat-gro-2187 into uat CI / Test (push) Successful in 1m19s Details CI / Lint & Typecheck (push) Successful in 1m25s Details CI / Build & Push Docker Images (push) Successful in 3m58s Details	2026-06-08 10:02:17 +00:00
Flea Flicker	6538406db2	Merge pull request 'chore: delete stale apps/api/src/db/seed.ts duplicate (GRO-2129)' (#158 ) from dev into uat CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 18s Details CI / Build & Push Docker Images (push) Successful in 38s Details CI / Test (pull_request) Successful in 22s Details CI / Lint & Typecheck (pull_request) Successful in 25s Details CI / Build & Push Docker Images (pull_request) Successful in 38s Details	2026-06-04 12:45:24 +00:00
Flea Flicker	e2eacbc9fe	Merge pull request 'dev → uat: GRO-2123 seed advisory lock' (#156 ) from dev-to-uat-gro-2123 into uat CI / Test (push) Successful in 16s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Build & Push Docker Images (push) Successful in 40s Details CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 39s Details	2026-06-04 11:32:06 +00:00
Flea Flicker	e639cc82d1	chore(uat): GRO-2100 promote uat-groomer seed-linkage ordering fix to uat (#154 ) CI / Test (push) Successful in 16s Details CI / Lint & Typecheck (push) Successful in 19s Details CI / Build & Push Docker Images (push) Successful in 27s Details Co-authored-by: Flea Flicker <flea@groombook.dev> Co-committed-by: Flea Flicker <flea@groombook.dev>	2026-06-02 20:23:54 +00:00
Flea Flicker	f2931d7be2	Merge pull request 'Promote dev→uat: GRO-2100 uat-groomer ↔ UAT Pup Alpha linkage' (#152 ) from promote/dev-to-uat-gro-2100 into uat CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 18s Details CI / Build & Push Docker Images (push) Successful in 26s Details Merge pull request #152 from groombook/promote/dev-to-uat-gro-2100 Promote dev→uat: GRO-2100 uat-groomer ↔ UAT Pup Alpha linkage	2026-06-02 19:11:46 +00:00
Paperclip	d4a4ddce37	ci: retrigger GRO-2100 PR #152 Build & Push Docker Images (Reset image build failed — docker registry flake) CI / Test (pull_request) Successful in 13s Details CI / Lint & Typecheck (pull_request) Successful in 17s Details CI / Build & Push Docker Images (pull_request) Successful in 40s Details	2026-06-02 18:28:17 +00:00
Paperclip	bd384bdf5c	docs(UAT_PLAYBOOK): add TC-UAT-2/3 for uat-groomer linked/unlinked pet profile-summary (GRO-2100) CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Test (pull_request) Successful in 2m20s Details CI / Build & Push Docker Images (pull_request) Failing after 36s Details Lint Roller review on PR #152 flagged that the GRO-2100 seed change produces new observable UAT API behavior that the playbook must reflect. Add two deterministic rows pinning the contract GRO-1987 TC-UAT-2/3 will exercise: - TC-UAT-2: uat-groomer + linked pet c0000001-...-002 (UAT Pup Alpha) → 200 - TC-UAT-3: uat-groomer + unlinked pet c0000001-...-003 (UAT Pup Beta) → 403 The 403-vs-404 note in TC-UAT-3 mirrors the verification note in the GRO-2100 issue body so the QA runner knows where to file if the API returns 404 (a separate RBAC defect, not against the seed).	2026-06-02 18:24:40 +00:00
The Dogfather	411c42b2c4	Merge pull request 'Promote dev→uat: GRO-2033 services_pkey seed fix (`fc6c6ef7`)' (#149 ) from dev into uat CI / Test (push) Successful in 14s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Build & Push Docker Images (push) Successful in 39s Details CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 38s Details	2026-06-02 05:06:34 +00:00
The Dogfather	bf97849324	promote(dev→uat): owner-bypass read audit row (GRO-2063) (#147 ) CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 17s Details CI / Build & Push Docker Images (push) Successful in 41s Details Promote GRO-2063 defense-in-depth audit row to uat. CI green. QA + CTO approved on dev PR #146. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-02 04:21:43 +00:00
The Dogfather	7181d41b24	Merge pull request 'Promote dev→uat: rbac Better-Auth auto-provision (GRO-2052)' (#144 ) from dev into uat CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Failing after 13s Details CI / Test (pull_request) Successful in 12s Details CI / Lint & Typecheck (pull_request) Successful in 15s Details CI / Build & Push Docker Images (pull_request) Successful in 41s Details Promote dev→uat: rbac Better-Auth auto-provision (GRO-2052) Makes the pets.ts owner-bypass reachable for Better-Auth email/password customers by auto-provisioning a groomer staff row keyed on user.id. Unblocks GRO-2050 and GRO-2035. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-02 02:42:19 +00:00
The Dogfather	4e9c4c5e08	Merge pull request 'promote(uat): GRO-2013 owner-bypass + GRO-2033 idempotent migrations (dev→uat)' (#142 ) from dogfather/gro-2013-promote-uat into uat CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 18s Details CI / Build & Push Docker Images (push) Successful in 39s Details	2026-06-01 20:14:14 +00:00
The Dogfather	16c959434b	promote(uat): GRO-2013 owner-bypass + GRO-2033 idempotent migrations (dev→uat) CI / Test (pull_request) Successful in 11s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Images (pull_request) Successful in 41s Details Merge dev into uat. Resolves test-file/playbook conflicts created by PR #138's squash merge by taking dev's superset versions (verified: all GRO-2014 tests + TC ids preserved, plus GRO-2013 additions). No-ff merge so dev becomes an ancestor of uat, preventing future squash-divergence conflicts. Carries: - GRO-2013 deployed-tree owner-bypass (src/routes/pets.ts, reconciled 20-test file) - GRO-2033 idempotent migrations 0039/0040 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 20:10:51 +00:00
The Dogfather	23484dc90a	promote(uat): GRO-2014 profile-summary error-handling fix (dev→uat) (#138 ) CI / Test (push) Successful in 10s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Build & Push Docker Images (push) Successful in 39s Details	2026-06-01 18:27:42 +00:00
The Dogfather	6a81a52a50	Merge pull request 'Promote dev → uat: UAT seed-password source-of-truth playbook (GRO-2000)' (#134 ) from dev into uat CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 27s Details CI / Test (pull_request) Successful in 11s Details CI / Lint & Typecheck (pull_request) Successful in 13s Details CI / Build & Push Docker Images (pull_request) Successful in 1m10s Details	2026-06-01 17:41:47 +00:00
The Dogfather	5a4b9a98bd	Merge pull request 'promote(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)' (#133 ) from dev into uat CI / Test (push) Successful in 12s Details CI / Lint & Typecheck (push) Successful in 14s Details CI / Build & Push Docker Images (push) Successful in 40s Details Promote GRO-1985 (parent GRO-1981) dev->uat. cc @cpfarhood	2026-06-01 16:30:54 +00:00
The Dogfather	f7f88156e1	Merge pull request 'promote(db): register extra_large via migration 0038 to UAT (GRO-2004)' (#131 ) from dev into uat CI / Test (push) Successful in 11s Details CI / Lint & Typecheck (push) Successful in 15s Details CI / Build & Push Docker Images (push) Successful in 35s Details	2026-06-01 14:52:13 +00:00
The Dogfather	8af5a49d14	Merge pull request 'Promote dev→uat: GRO-1982 pet_size_category extra_large enum migration' (#126 ) from dev into uat CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Build & Push Docker Images (push) Successful in 37s Details Promote dev→uat: GRO-1983 seed-job pnpm fix + GRO-1982 extra_large enum migration Carries the accumulated dev state into uat (PR #125 docker pnpm fix + 0037 migration). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 12:44:20 +00:00