fix(GRO-1544): register health endpoint at /api/health on app

Corrected: use app.get("/api/health", ...) instead of api.get("/health", ...).
api is not declared until ~130 lines later — const has no hoisting,
causing TDZ ReferenceError at startup.

Health endpoint registered on app at full path /api/health, before
any auth middleware, so it's reachable from outside the cluster.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -202,20 +202,20 @@ jobs:
           echo "Updating dev overlay image tags to: $TAG"
           echo "Updating migration/seed Job names with SHA: $SHORT_SHA"
           cd /tmp/infra
-          DEV_KUST="apps/groombook/overlays/dev/kustomization.yaml"
+          DEV_KUST="apps/overlays/dev/kustomization.yaml"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"
 
-          MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
+          MIGRATE_JOB="apps/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
             yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$MIGRATE_JOB"
           fi
 
-          SEED_JOB="apps/groombook/base/seed-job.yaml"
+          SEED_JOB="apps/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB"
@@ -237,7 +237,7 @@ jobs:
           git config user.name "groombook-engineer[bot]"
           git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
           git checkout -b "chore/update-image-tags-${TAG}"
-          git add apps/groombook/overlays/dev/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
+          git add apps/overlays/dev/ apps/base/migrate-job.yaml apps/base/seed-job.yaml
           git commit -m "chore: update image tags and migration/seed Job names to ${TAG}"
 
           git push -u origin "chore/update-image-tags-${TAG}"

Dockerfile

@@ -3,7 +3,7 @@ RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR /app
 
 FROM base AS deps
-COPY package.json pnpm-lock.yaml ./
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
 COPY apps/api/package.json apps/api/
 RUN pnpm install --frozen-lockfile
 
@@ -17,7 +17,7 @@ RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR /app
 ENV NODE_ENV=production
 
-COPY package.json pnpm-lock.yaml ./
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
 COPY --from=builder /app/apps/api/package.json apps/api/
 COPY --from=builder /app/apps/api/dist apps/api/dist
 RUN pnpm install --frozen-lockfile --prod

UAT_PLAYBOOK.md

@@ -21,6 +21,14 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 
 ## Test Cases
 
+### 4.0 Health Check
+
+| # | Scenario | Steps | Expected |
+|---|----------|-------|----------|
+| TC-API-0.1 | Unauthenticated health check | GET /api/health | 200 OK, `{"status":"ok"}` |
+
+> **Note (GRO-1544):** Health endpoint registered on `api` basePath before auth middleware at `/api/health`. The old path `/health` was incorrect (routed to web pod via HTTPRoute `/*` rule).
+
 ### 4.1 Authentication
 
 | # | Scenario | Steps | Expected |

apps/api/drizzle.config.ts

@@ -1,7 +1,7 @@
 import { defineConfig } from "drizzle-kit";
 
 export default defineConfig({
-  schema: "./src/schema.ts",
+  schema: "./src/db/schema.ts",
   out: "./migrations",
   dialect: "postgresql",
   dbCredentials: {

apps/api/migrations/0030_extended_pet_profile.sql

@@ -0,0 +1,12 @@
+-- Migration: 0030_extended_pet_profile
+-- Adds extended profile fields to the pets table
+
+BEGIN;
+
+ALTER TABLE pets ADD COLUMN coat_type text;
+ALTER TABLE pets ADD COLUMN temperament_score integer;
+ALTER TABLE pets ADD COLUMN temperament_flags jsonb DEFAULT '[]'::jsonb;
+ALTER TABLE pets ADD COLUMN medical_alerts jsonb DEFAULT '[]'::jsonb;
+ALTER TABLE pets ADD COLUMN preferred_cuts jsonb DEFAULT '[]'::jsonb;
+
+COMMIT;

apps/api/migrations/meta/0030_snapshot.json

@@ -0,0 +1,48 @@
+{
+  "id": "0030_extended_pet_profile",
+  "prevId": "0028_sms_reminders",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.pets": {
+      "name": "pets",
+      "schema": "",
+      "columns": {
+        "id": { "name": "id", "type": "uuid", "primaryKey": true, "default": "gen_random_uuid()", "isNullable": false },
+        "client_id": { "name": "client_id", "type": "uuid", "isNullable": false },
+        "name": { "name": "name", "type": "text", "isNullable": false },
+        "species": { "name": "species", "type": "text", "isNullable": false },
+        "breed": { "name": "breed", "type": "text", "isNullable": true },
+        "weight_kg": { "name": "weight_kg", "type": "numeric(5, 2)", "isNullable": true },
+        "date_of_birth": { "name": "date_of_birth", "type": "timestamp", "isNullable": true },
+        "health_alerts": { "name": "health_alerts", "type": "text", "isNullable": true },
+        "grooming_notes": { "name": "grooming_notes", "type": "text", "isNullable": true },
+        "cut_style": { "name": "cut_style", "type": "text", "isNullable": true },
+        "shampoo_preference": { "name": "shampoo_preference", "type": "text", "isNullable": true },
+        "special_care_notes": { "name": "special_care_notes", "type": "text", "isNullable": true },
+        "custom_fields": { "name": "custom_fields", "type": "jsonb", "isNullable": false, "default": "'{}'::jsonb" },
+        "photo_key": { "name": "photo_key", "type": "text", "isNullable": true },
+        "photo_uploaded_at": { "name": "photo_uploaded_at", "type": "timestamp", "isNullable": true },
+        "image": { "name": "image", "type": "text", "isNullable": true },
+        "coat_type": { "name": "coat_type", "type": "text", "isNullable": true },
+        "temperament_score": { "name": "temperament_score", "type": "integer", "isNullable": true },
+        "temperament_flags": { "name": "temperament_flags", "type": "jsonb", "isNullable": true, "default": "'[]'::jsonb" },
+        "medical_alerts": { "name": "medical_alerts", "type": "jsonb", "isNullable": true, "default": "'[]'::jsonb" },
+        "preferred_cuts": { "name": "preferred_cuts", "type": "jsonb", "isNullable": true, "default": "'[]'::jsonb" },
+        "created_at": { "name": "created_at", "type": "timestamp", "isNullable": false, "default": "now()" },
+        "updated_at": { "name": "updated_at", "type": "timestamp", "isNullable": false, "default": "now()" }
+      },
+      "indexes": { "idx_pets_client_id": { "name": "idx_pets_client_id", "columns": [{ "expression": "client_id", "isExpression": false, "asc": true, "nulls": "last" }], "isUnique": false } },
+      "foreignKeys": { "pets_client_id_clients_id_fk": { "name": "pets_client_id_clients_id_fk", "tableFrom": "pets", "tableTo": "clients", "columnsFrom": ["client_id"], "columnsTo": ["id"], "onDelete": "cascade" } },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {}
+    }
+  },
+  "enums": {},
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": { "columns": {}, "schemas": {}, "tables": {} }
+}

apps/api/migrations/meta/_journal.json

@@ -204,6 +204,20 @@
       "when": 1775741667192,
       "tag": "0028_sms_reminders",
       "breakpoints": true
+    },
+    {
+      "idx": 29,
+      "version": "7",
+      "when": 1775828067192,
+      "tag": "0029_db_indexes_constraints",
+      "breakpoints": true
+    },
+    {
+      "idx": 30,
+      "version": "7",
+      "when": 1775914467192,
+      "tag": "0030_extended_pet_profile",
+      "breakpoints": true
     }
   ]
 }

apps/api/src/__tests__/auth.test.ts

@@ -5,7 +5,7 @@ let dbSelectResult: unknown[] = [];
 const mockEq = vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val }));
 const mockDecryptSecret = vi.fn((s: string) => `decrypted:${s}`);
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   const authProviderConfig = new Proxy(
     { _name: "auth_provider_config" },
     {

apps/api/src/__tests__/authProvider.test.ts

@@ -38,7 +38,7 @@ const mockGroomer: MockStaff = { id: "staff-3", role: "groomer", isSuperUser: fa
 
 // ─── Mock db module ───────────────────────────────────────────────────────────
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   const authProviderConfig = new Proxy(
     { _name: "auth_provider_config" },
     {

apps/api/src/__tests__/clients.test.ts

@@ -40,7 +40,7 @@ function resetMock() {
   deletedId = null;
 }
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   function makeChainable(data: unknown[]): unknown {
     const arr = [...data];
     const chain = new Proxy(arr, {

apps/api/src/__tests__/confirmation.test.ts

@@ -39,7 +39,7 @@ function resetMock() {
   lastUpdate = {};
 }
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   const appointments = new Proxy(
     { _name: "appointments" },
     { get: (t, p) => (p === "_name" ? "appointments" : { table: "appointments", column: p }) }

apps/api/src/__tests__/impersonation.test.ts

@@ -76,7 +76,7 @@ function makeChainableResult(data: unknown[]): unknown {
   });
 }
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   function makeTable(name: string) {
     return new Proxy(
       { _name: name },

apps/api/src/__tests__/petPhotos.test.ts

@@ -40,7 +40,7 @@ function resetDb() {
 
 // ─── Module mocks ─────────────────────────────────────────────────────────────
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   const pets = new Proxy(
     { _name: "pets" },
     { get(t, p) { return p === "_name" ? "pets" : {}; } }

apps/api/src/__tests__/petsExtendedFields.test.ts

@@ -0,0 +1,414 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Hono } from "hono";
+import type { AppEnv, StaffRow } from "../middleware/rbac.js";
+import { petsRouter } from "../routes/pets.js";
+
+// ─── Mock staff fixtures ──────────────────────────────────────────────────────
+
+const MANAGER: StaffRow = {
+  id: "staff-manager-id",
+  oidcSub: "oidc-manager-sub",
+  userId: null,
+  role: "manager",
+  isSuperUser: true,
+  name: "Manager McManager",
+  email: "manager@example.com",
+  active: true,
+  icalToken: null,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+// ─── Mutable mock state ───────────────────────────────────────────────────────
+
+const CLIENT_ID = "client-uuid-extended";
+const PET_ID = "pet-uuid-extended";
+
+let petRows: Record<string, unknown>[] = [];
+let appointmentRows: Record<string, unknown>[] = [];
+let insertedValues: Record<string, unknown>[] = [];
+let updatedValues: Record<string, unknown>[] = [];
+let deletedId: string | null = null;
+
+function resetMock() {
+  petRows = [{
+    id: PET_ID,
+    clientId: CLIENT_ID,
+    name: "Biscuit",
+    species: "dog",
+    breed: "Golden Retriever",
+    weightKg: "30.00",
+    dateOfBirth: null,
+    healthAlerts: null,
+    groomingNotes: null,
+    cutStyle: null,
+    shampooPreference: null,
+    specialCareNotes: null,
+    customFields: {},
+    photoKey: null,
+    photoUploadedAt: null,
+    image: null,
+    coatType: null,
+    temperamentScore: null,
+    temperamentFlags: [],
+    medicalAlerts: [],
+    preferredCuts: [],
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  }];
+  appointmentRows = [];
+  insertedValues = [];
+  updatedValues = [];
+  deletedId = null;
+}
+
+function makeSelectChainable(rows: unknown[]): unknown {
+  const chain = new Proxy([...rows], {
+    get(target, prop) {
+      if (prop === "where" || prop === "orderBy" || prop === "limit") {
+        return () => chain;
+      }
+      // @ts-expect-error proxy
+      return target[prop];
+    },
+  });
+  return chain;
+}
+
+function makeInsertChainable(): unknown {
+  let vals: Record<string, unknown> = {};
+  const chain = new Proxy({}, {
+    get(target, prop) {
+      if (prop === "values") {
+        return (v: Record<string, unknown>) => { vals = v; return chain; };
+      }
+      if (prop === "returning") {
+        return () => {
+          insertedValues.push(vals);
+          return [vals.id ? { ...vals, id: vals.id ?? PET_ID } : { ...vals, id: PET_ID }];
+        };
+      }
+      return chain;
+    },
+  });
+  return chain;
+}
+
+function makeUpdateChainable(): unknown {
+  let vals: Record<string, unknown> = {};
+  let whereId: string | null = null;
+  const chain = new Proxy({}, {
+    get(target, prop) {
+      if (prop === "set") {
+        return (v: Record<string, unknown>) => { vals = v; return chain; };
+      }
+      if (prop === "where") {
+        return (cond: unknown) => {
+          // Extract id from condition if it's an eq call
+          if (whereId) vals = { ...vals };
+          return chain;
+        };
+      }
+      if (prop === "returning") {
+        return () => {
+          const merged = { ...petRows[0], ...vals };
+          updatedValues.push(vals);
+          return [merged];
+        };
+      }
+      return chain;
+    },
+  });
+  return chain;
+}
+
+function makeDeleteChainable(): unknown {
+  let whereId: string | null = null;
+  const chain = new Proxy({}, {
+    get(target, prop) {
+      if (prop === "where") {
+        return (cond: unknown) => {
+          whereId = PET_ID;
+          return chain;
+        };
+      }
+      if (prop === "returning") {
+        return () => {
+          const row = petRows[0];
+          deletedId = row.id as string;
+          return [row];
+        };
+      }
+      return chain;
+    },
+  });
+  return chain;
+}
+
+vi.mock("../db", () => {
+  const pets = new Proxy({ _name: "pets" }, { get: (t, p) => p === "_name" ? "pets" : {} });
+  const appointments = new Proxy({ _name: "appointments" }, { get: (t, p) => p === "_name" ? "appointments" : {} });
+  return {
+    getDb: () => ({
+      select: () => ({
+        from: (table: unknown) => {
+          const name = (table as { _name?: string })._name;
+          if (name === "appointments") return makeSelectChainable(appointmentRows);
+          return makeSelectChainable(petRows);
+        },
+      }),
+      insert: () => makeInsertChainable(),
+      update: () => makeUpdateChainable(),
+      delete: () => makeDeleteChainable(),
+    }),
+    pets,
+    appointments,
+    and,
+    eq,
+    exists,
+    or,
+  };
+});
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function makeApp(staff: StaffRow = MANAGER) {
+  const app = new Hono<AppEnv>();
+  app.use("*", async (c, next) => {
+    c.set("staff", staff);
+    await next();
+  });
+  return app.route("/pets", petsRouter);
+}
+
+function createApp() {
+  const app = makeApp(MANAGER);
+  return app;
+}
+
+// ─── Tests ────────────────────────────────────────────────────────────────────
+
+describe("Extended pet profile fields — validation", () => {
+  beforeEach(resetMock);
+
+  it("rejects temperamentScore of 0 (below min)", async () => {
+    const app = createApp();
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ clientId: CLIENT_ID, name: "Test", species: "dog", temperamentScore: 0 }),
+    });
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+  });
+
+  it("rejects temperamentScore of 6 (above max)", async () => {
+    const app = createApp();
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ clientId: CLIENT_ID, name: "Test", species: "dog", temperamentScore: 6 }),
+    });
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+  });
+
+  it("rejects non-integer temperamentScore", async () => {
+    const app = createApp();
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ clientId: CLIENT_ID, name: "Test", species: "dog", temperamentScore: 3.5 }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects invalid medicalAlert severity", async () => {
+    const app = createApp();
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        clientId: CLIENT_ID,
+        name: "Test",
+        species: "dog",
+        medicalAlerts: [{ type: "seizure", description: "xyz", severity: "critical" }],
+      }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("accepts valid temperamentScore 1–5", async () => {
+    const app = createApp();
+    for (const score of [1, 2, 3, 4, 5]) {
+      resetMock();
+      const res = await app.request("/pets", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ clientId: CLIENT_ID, name: "Test", species: "dog", temperamentScore: score }),
+      });
+      expect(res.status).toBe(201);
+    }
+  });
+
+  it("accepts all valid medicalAlert severity values", async () => {
+    const app = createApp();
+    for (const severity of ["low", "medium", "high"] as const) {
+      resetMock();
+      const res = await app.request("/pets", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          clientId: CLIENT_ID,
+          name: "Test",
+          species: "dog",
+          medicalAlerts: [{ type: "allergy", description: "Sensitive to chicken", severity }],
+        }),
+      });
+      expect(res.status).toBe(201);
+    }
+  });
+});
+
+describe("Extended pet profile fields — create", () => {
+  beforeEach(resetMock);
+
+  it("accepts all extended fields on create", async () => {
+    const app = createApp();
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        clientId: CLIENT_ID,
+        name: "Biscuit",
+        species: "dog",
+        breed: "Golden Retriever",
+        coatType: "double",
+        temperamentScore: 4,
+        temperamentFlags: ["anxious_with_dryers", "gentle"],
+        medicalAlerts: [
+          { type: "seizure", description: "Occasional episodes", severity: "medium" },
+        ],
+        preferredCuts: ["puppy cut", "teddy bear"],
+      }),
+    });
+    expect(res.status).toBe(201);
+    const body = await res.json();
+    expect(body.coatType).toBe("double");
+    expect(body.temperamentScore).toBe(4);
+    expect(body.temperamentFlags).toEqual(["anxious_with_dryers", "gentle"]);
+    expect(body.medicalAlerts).toEqual([{ type: "seizure", description: "Occasional episodes", severity: "medium" }]);
+    expect(body.preferredCuts).toEqual(["puppy cut", "teddy bear"]);
+  });
+
+  it("create without extended fields works (all optional)", async () => {
+    const app = createApp();
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ clientId: CLIENT_ID, name: "Basil", species: "cat" }),
+    });
+    expect(res.status).toBe(201);
+  });
+});
+
+describe("Extended pet profile fields — update", () => {
+  beforeEach(resetMock);
+
+  it("updates coatType", async () => {
+    const app = createApp();
+    const res = await app.request(`/pets/${PET_ID}`, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ coatType: "smooth" }),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.coatType).toBe("smooth");
+  });
+
+  it("updates temperamentScore", async () => {
+    const app = createApp();
+    const res = await app.request(`/pets/${PET_ID}`, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ temperamentScore: 2 }),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.temperamentScore).toBe(2);
+  });
+
+  it("rejects temperamentScore 0 on update", async () => {
+    const app = createApp();
+    const res = await app.request(`/pets/${PET_ID}`, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ temperamentScore: 0 }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects invalid severity on update", async () => {
+    const app = createApp();
+    const res = await app.request(`/pets/${PET_ID}`, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        medicalAlerts: [{ type: "x", description: "y", severity: "urgent" }],
+      }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects too many temperamentFlags (>20)", async () => {
+    const app = createApp();
+    const flags = Array.from({ length: 21 }, (_, i) => `flag_${i}`);
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ clientId: CLIENT_ID, name: "Test", species: "dog", temperamentFlags: flags }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects too many preferredCuts (>20)", async () => {
+    const app = createApp();
+    const cuts = Array.from({ length: 21 }, (_, i) => `cut_${i}`);
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ clientId: CLIENT_ID, name: "Test", species: "dog", preferredCuts: cuts }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects too many medicalAlerts (>50)", async () => {
+    const app = createApp();
+    const alerts = Array.from({ length: 51 }, (_, i) => ({
+      type: `type_${i}`,
+      description: `desc_${i}`,
+      severity: "low" as const,
+    }));
+    const res = await app.request("/pets", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ clientId: CLIENT_ID, name: "Test", species: "dog", medicalAlerts: alerts }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("returns extended fields in GET response", async () => {
+    petRows = [{ ...petRows[0], coatType: "wire", temperamentScore: 3, temperamentFlags: ["gentle"], medicalAlerts: [], preferredCuts: ["scissor cut"] }];
+    const app = createApp();
+    const res = await app.request(`/pets/${PET_ID}`);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.coatType).toBe("wire");
+    expect(body.temperamentScore).toBe(3);
+    expect(body.temperamentFlags).toEqual(["gentle"]);
+    expect(body.preferredCuts).toEqual(["scissor cut"]);
+  });
+});

apps/api/src/__tests__/portal.test.ts

@@ -47,7 +47,7 @@ function resetMock() {
   updatedValues = [];
 }
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   function makeChainable(data: unknown[]): unknown {
     const arr = [...data];
     const chain = new Proxy(arr, {

apps/api/src/__tests__/rbac.test.ts

@@ -46,7 +46,7 @@ const GROOMER: StaffRow = {
 let staffLookupResult: StaffRow | null = null;
 let managerFallbackResult: StaffRow | null = MANAGER;
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   const staff = new Proxy(
     { _name: "staff" },
     {

apps/api/src/__tests__/search.test.ts

@@ -23,7 +23,7 @@ const PET_ROW = {
 let clientResults: typeof ACTIVE_CLIENT[] = [];
 let petResults: typeof PET_ROW[] = [];
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   // Proxy objects for table/column references — values don't matter for tests
   const tableProxy = (name: string) =>
     new Proxy(

apps/api/src/__tests__/setup.test.ts

@@ -39,7 +39,7 @@ function clearAuthEnv() {
 
 // ─── Mock db module ───────────────────────────────────────────────────────────
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   const authProviderConfig = new Proxy(
     { _name: "auth_provider_config" },
     {

apps/api/src/__tests__/waitlist.test.ts

@@ -49,7 +49,7 @@ function resetMock() {
   updatedValues = [];
 }
 
-vi.mock("./db", () => {
+vi.mock("../db", () => {
   function makeChainable(data: unknown[]): unknown {
     const arr = [...data];
     const chain = new Proxy(arr, {

apps/api/src/db/schema.ts

@@ -12,6 +12,16 @@ import {
   uuid,
 } from "drizzle-orm/pg-core";
 
+// ─── Shared types ───────────────────────────────────────────────────────────────
+
+export type MedicalAlertSeverity = "low" | "medium" | "high";
+
+export interface MedicalAlert {
+  type: string;
+  description: string;
+  severity: MedicalAlertSeverity;
+}
+
 // ─── Enums ────────────────────────────────────────────────────────────────────
 
 export const appointmentStatusEnum = pgEnum("appointment_status", [
@@ -146,6 +156,12 @@ export const pets = pgTable(
     photoKey: text("photo_key"),
     photoUploadedAt: timestamp("photo_uploaded_at"),
     image: text("image"),
+    // Extended profile fields
+    coatType: text("coat_type"),
+    temperamentScore: integer("temperament_score"),
+    temperamentFlags: jsonb("temperament_flags").$type<string[]>().default([]),
+    medicalAlerts: jsonb("medical_alerts").$type<MedicalAlert[]>().default([]),
+    preferredCuts: jsonb("preferred_cuts").$type<string[]>().default([]),
     createdAt: timestamp("created_at").notNull().defaultNow(),
     updatedAt: timestamp("updated_at").notNull().defaultNow(),
   },

apps/api/src/db/seed.ts

@@ -94,11 +94,6 @@ function pick<T>(arr: T[]): T {
   return arr[Math.floor(rand() * arr.length)]!;
 }
 
-/** Return n distinct random elements from an array. */
-function pickN<T>(arr: T[], n: number): T[] {
-  const shuffled = [...arr].sort(() => rand() - 0.5);
-  return shuffled.slice(0, n);
-}
 
 function randInt(min: number, max: number): number {
   return Math.floor(rand() * (max - min + 1)) + min;
@@ -1105,7 +1100,7 @@ async function seed() {
       const groomer = pick(groomers);
       const bather = bathers.length > 0 && rand() < 0.6 ? pick(bathers) : null;
 
-      let startTime = randDate(appointmentsBackDate, now);
+      const startTime = randDate(appointmentsBackDate, now);
       startTime.setHours(randInt(8, 16), pick([0, 15, 30, 45]), 0, 0);
       const endTime = new Date(startTime.getTime() + svc.dur * 60 * 1000);
       const effectivePrice = svc.price;

apps/api/src/index.ts

@@ -22,7 +22,7 @@ import { searchRouter } from "./routes/search.js";
 import { getObject } from "./lib/s3.js";
 import { calendarRouter } from "./routes/calendar.js";
 import { setupRouter } from "./routes/setup.js";
-import { getDb, businessSettings, eq, staff } from "./db";
+import { getDb, businessSettings, eq, staff } from "./db/index.js";
 import { authMiddleware } from "./middleware/auth.js";
 import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
 import { devRouter } from "./routes/dev.js";

apps/api/src/lib/auth.ts

@@ -1,8 +1,8 @@
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { genericOAuth } from "better-auth/plugins";
-import { getDb, authProviderConfig, eq } from "./db";
-import { decryptSecret } from "./db";
+import { getDb, authProviderConfig, eq } from "../db/index.js";
+import { decryptSecret } from "../db/index.js";
 import { sendEmail } from "../services/email.js";
 
 const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET;
@@ -97,6 +97,9 @@ export async function initAuth(): Promise<void> {
           window: 10,
           storage: "memory",
           customRules: {
+            "/sign-in/social": { max: 10, window: 60 },
+            "/sign-in/email": { max: 10, window: 60 },
+            "/sign-up/email": { max: 5, window: 60 },
             "/get-session": false,
           },
         },
@@ -247,6 +250,9 @@ export async function initAuth(): Promise<void> {
         window: 10,
         storage: "memory",
         customRules: {
+          "/sign-in/social": { max: 10, window: 60 },
+          "/sign-in/email": { max: 10, window: 60 },
+          "/sign-up/email": { max: 5, window: 60 },
           "/get-session": false,
         },
       },

apps/api/src/middleware/portalAudit.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { getDb, impersonationAuditLogs } from "../db";
+import { getDb, impersonationAuditLogs } from "../db/index.js";
 import type { PortalEnv } from "./portalSession.js";
 
 /**

apps/api/src/middleware/portalSession.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, impersonationSessions } from "../db";
+import { and, eq, getDb, impersonationSessions } from "../db/index.js";
 
 export interface PortalEnv {
   Variables: {

apps/api/src/middleware/rbac.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "../db";
+import { and, eq, getDb, sql, staff } from "../db/index.js";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;

apps/api/src/routes/admin/seed.ts

@@ -10,7 +10,7 @@
  */
 
 import { Hono } from "hono";
-import { eq, getDb, staff, clients, pets, services } from "./db";
+import { eq, getDb, staff, clients, pets, services } from "../../db/index.js";
 
 export const adminSeedRouter = new Hono();
 

apps/api/src/routes/appointmentGroups.ts

@@ -15,7 +15,7 @@ import {
   pets,
   services,
   staff,
-} from "../db";
+} from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const appointmentGroupsRouter = new Hono<AppEnv>();

apps/api/src/routes/appointments.ts

@@ -18,7 +18,7 @@ import {
   reminderLogs,
   services,
   staff,
-} from "../db";
+} from "../db/index.js";
 import { buildConfirmationEmail, sendEmail } from "../services/email.js";
 import { notifyWaitlistForAppointment } from "../services/waitlistNotify.js";
 import type { AppEnv } from "../middleware/rbac.js";

apps/api/src/routes/authProvider.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { eq, getDb, authProviderConfig, encryptSecret } from "../db";
+import { eq, getDb, authProviderConfig, encryptSecret } from "../db/index.js";
 import { requireSuperUser } from "../middleware/rbac.js";
 import { reinitAuth } from "../lib/auth.js";
 

apps/api/src/routes/book.ts

@@ -14,7 +14,7 @@ import {
   appointments,
   clients,
   pets,
-} from "../db";
+} from "../db/index.js";
 import {
   generateAvailableSlots,
   BUSINESS_START_HOUR,

apps/api/src/routes/calendar.ts

@@ -10,7 +10,7 @@ import {
   pets,
   services,
   staff,
-} from "../db";
+} from "../db/index.js";
 
 export const calendarRouter = new Hono();
 

apps/api/src/routes/clients.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, exists, getDb, or, clients, appointments } from "../db";
+import { and, eq, exists, getDb, or, clients, appointments } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const clientsRouter = new Hono<AppEnv>();

apps/api/src/routes/dev.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import { getDb, staff, clients, eq, sql } from "../db";
+import { getDb, staff, clients, eq, sql } from "../db/index.js";
 
 const devRouter = new Hono();
 

apps/api/src/routes/groomingLogs.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, desc, eq, getDb, groomingVisitLogs, appointments, or } from "../db";
+import { and, desc, eq, getDb, groomingVisitLogs, appointments, or } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const groomingLogsRouter = new Hono<AppEnv>();

apps/api/src/routes/impersonation.ts

@@ -9,7 +9,7 @@ import {
   impersonationAuditLogs,
   clients,
   desc,
-} from "../db";
+} from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const impersonationRouter = new Hono<AppEnv>();

apps/api/src/routes/invoices.ts

@@ -13,7 +13,7 @@ import {
   services,
   clients,
   sql,
-} from "../db";
+} from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const invoicesRouter = new Hono<AppEnv>();

apps/api/src/routes/pets.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, exists, getDb, or, pets, appointments } from "../db";
+import { and, eq, exists, getDb, or, pets, appointments } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 import {
   getPresignedUploadUrl,
@@ -24,6 +24,15 @@ const createPetSchema = z.object({
   shampooPreference: z.string().max(500).optional(),
   specialCareNotes: z.string().max(2000).optional(),
   customFields: z.record(z.string(), z.string()).optional(),
+  coatType: z.string().max(100).optional(),
+  temperamentScore: z.number().int().min(1).max(5).optional(),
+  temperamentFlags: z.array(z.string().max(100)).max(20).optional(),
+  medicalAlerts: z.array(z.object({
+    type: z.string().max(100),
+    description: z.string().max(1000),
+    severity: z.enum(["low", "medium", "high"]),
+  })).max(50).optional(),
+  preferredCuts: z.array(z.string().max(200)).max(20).optional(),
 });
 
 const updatePetSchema = createPetSchema.partial().omit({ clientId: true });

apps/api/src/routes/portal.ts

@@ -1,8 +1,8 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { eq, inArray } from "../db";
-import { getDb, appointments, impersonationSessions, waitlistEntries, clients, pets, services, staff, invoices, invoiceLineItems } from "../db";
+import { eq, inArray } from "../db/index.js";
+import { getDb, appointments, impersonationSessions, waitlistEntries, clients, pets, services, staff, invoices, invoiceLineItems } from "../db/index.js";
 import { validatePortalSession } from "../middleware/portalSession.js";
 import { portalAudit } from "../middleware/portalAudit.js";
 import type { PortalEnv } from "../middleware/portalSession.js";

apps/api/src/routes/reports.ts

@@ -12,7 +12,7 @@ import {
   invoiceTipSplits,
   services,
   staff,
-} from "../db";
+} from "../db/index.js";
 
 export const reportsRouter = new Hono();
 

apps/api/src/routes/search.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import { and, eq, getDb, clients, ilike, or, pets } from "../db";
+import { and, eq, getDb, clients, ilike, or, pets } from "../db/index.js";
 
 export const searchRouter = new Hono();
 

apps/api/src/routes/services.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { eq, getDb, services } from "../db";
+import { eq, getDb, services } from "../db/index.js";
 
 export const servicesRouter = new Hono();
 

apps/api/src/routes/settings.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { eq, getDb, businessSettings } from "../db";
+import { eq, getDb, businessSettings } from "../db/index.js";
 import { getPresignedUploadUrl, deleteObject, putObject, getObject } from "../lib/s3.js";
 import { requireSuperUser } from "../middleware/rbac.js";
 

apps/api/src/routes/setup.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, getDb, sql, staff, businessSettings, authProviderConfig, encryptSecret } from "../db";
+import { and, eq, getDb, sql, staff, businessSettings, authProviderConfig, encryptSecret } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 const RATE_LIMIT_WINDOW_MS = 60_000;

apps/api/src/routes/staff.ts

@@ -2,7 +2,7 @@ import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import { randomBytes } from "node:crypto";
-import { and, eq, getDb, ne, staff, appointments } from "../db";
+import { and, eq, getDb, ne, staff, appointments } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const staffRouter = new Hono<AppEnv>();

apps/api/src/routes/stripe-webhooks.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import Stripe from "stripe";
 import { z } from "zod/v3";
-import { eq, getDb, invoices } from "../db";
+import { eq, getDb, invoices } from "../db/index.js";
 import { getStripeClient } from "../services/payment.js";
 
 export const webhooksRouter = new Hono();

apps/api/src/routes/waitlist.ts

@@ -8,7 +8,7 @@ import {
   clients,
   pets,
   services,
-} from "../db";
+} from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const waitlistRouter = new Hono<AppEnv>();

apps/api/src/services/payment.ts

@@ -1,5 +1,5 @@
 import Stripe from "stripe";
-import { getDb, clients, eq, inArray, invoices } from "../db";
+import { getDb, clients, eq, inArray, invoices } from "../db/index.js";
 
 let _stripe: Stripe | null | undefined;
 

apps/api/src/services/reminders.ts

@@ -14,7 +14,7 @@ import {
   staff,
   reminderLogs,
   session,
-} from "../db";
+} from "../db/index.js";
 import {
   buildReminderEmail,
   sendEmail,

apps/api/src/services/waitlistNotify.ts

@@ -1,4 +1,4 @@
-import { and, eq, getDb, waitlistEntries, clients, pets, services } from "../db";
+import { and, eq, getDb, waitlistEntries, clients, pets, services } from "../db/index.js";
 import { buildWaitlistNotificationEmail, sendEmail } from "./email.js";
 
 export async function notifyWaitlistForAppointment(

apps/api/src/types/index.ts

@@ -42,10 +42,23 @@ export interface Pet {
   customFields: Record<string, string>;
   photoKey?: string;
   photoUploadedAt?: string;
+  coatType?: string | null;
+  temperamentScore?: number | null;
+  temperamentFlags?: string[];
+  medicalAlerts?: MedicalAlert[];
+  preferredCuts?: string[];
   createdAt: string;
   updatedAt: string;
 }
 
+export type MedicalAlertSeverity = "low" | "medium" | "high";
+
+export interface MedicalAlert {
+  type: string;
+  description: string;
+  severity: MedicalAlertSeverity;
+}
+
 export interface GroomingVisitLog {
   id: string;
   petId: string;

pnpm-lock.yaml

@@ -16,12 +16,6 @@ importers:
       '@aws-sdk/s3-request-presigner':
         specifier: ^3.800.0
         version: 3.1041.0
-      '@groombook/db':
-        specifier: workspace:*
-        version: link:../../packages/db
-      '@groombook/types':
-        specifier: workspace:*
-        version: link:../../packages/types
       '@hono/node-server':
         specifier: ^1.13.7
         version: 1.19.14(hono@4.12.16)
@@ -30,7 +24,10 @@ importers:
         version: 0.7.6(hono@4.12.16)(zod@4.4.2)
       better-auth:
         specifier: ^1.5.6
-        version: 1.6.9(vitest@3.2.4(@types/node@22.19.17)(tsx@4.21.0))
+        version: 1.6.9(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.16)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.17)(tsx@4.21.0))
+      drizzle-orm:
+        specifier: ^0.38.4
+        version: 0.38.4(kysely@0.28.16)(postgres@3.4.9)
       hono:
         specifier: ^4.6.17
         version: 4.12.16
@@ -40,6 +37,9 @@ importers:
       nodemailer:
         specifier: ^6.9.16
         version: 6.10.1
+      postgres:
+        specifier: ^3.4.5
+        version: 3.4.9
       stripe:
         specifier: ^22.0.0
         version: 22.1.0(@types/node@22.19.17)
@@ -62,6 +62,9 @@ importers:
       '@vitest/coverage-v8':
         specifier: ^3.2.4
         version: 3.2.4(vitest@3.2.4(@types/node@22.19.17)(tsx@4.21.0))
+      drizzle-kit:
+        specifier: ^0.30.4
+        version: 0.30.6
       eslint:
         specifier: ^9.18.0
         version: 9.39.4
@@ -78,34 +81,6 @@ importers:
         specifier: ^3.2.4
         version: 3.2.4(@types/node@22.19.17)(tsx@4.21.0)
 
-  packages/db:
-    dependencies:
-      drizzle-orm:
-        specifier: ^0.38.4
-        version: 0.38.4(kysely@0.28.16)(postgres@3.4.9)
-      postgres:
-        specifier: ^3.4.5
-        version: 3.4.9
-    devDependencies:
-      '@types/node':
-        specifier: ^22.10.7
-        version: 22.19.17
-      drizzle-kit:
-        specifier: ^0.30.4
-        version: 0.30.6
-      tsx:
-        specifier: ^4.19.0
-        version: 4.21.0
-      typescript:
-        specifier: ^5.7.3
-        version: 5.9.3
-
-  packages/types:
-    devDependencies:
-      typescript:
-        specifier: ^5.7.3
-        version: 5.9.3
-
 packages:
 
   '@ampproject/remapping@2.3.0':
@@ -2932,10 +2907,12 @@ snapshots:
       nanostores: 1.3.0
       zod: 4.4.2
 
-  '@better-auth/drizzle-adapter@1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)':
+  '@better-auth/drizzle-adapter@1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)(drizzle-orm@0.38.4(kysely@0.28.16)(postgres@3.4.9))':
     dependencies:
       '@better-auth/core': 1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0)
       '@better-auth/utils': 0.4.0
+    optionalDependencies:
+      drizzle-orm: 0.38.4(kysely@0.28.16)(postgres@3.4.9)
 
   '@better-auth/kysely-adapter@1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)(kysely@0.28.16)':
     dependencies:
@@ -3925,10 +3902,10 @@ snapshots:
 
   balanced-match@4.0.4: {}
 
-  better-auth@1.6.9(vitest@3.2.4(@types/node@22.19.17)(tsx@4.21.0)):
+  better-auth@1.6.9(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.16)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.17)(tsx@4.21.0)):
     dependencies:
       '@better-auth/core': 1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0)
-      '@better-auth/drizzle-adapter': 1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)
+      '@better-auth/drizzle-adapter': 1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)(drizzle-orm@0.38.4(kysely@0.28.16)(postgres@3.4.9))
       '@better-auth/kysely-adapter': 1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)(kysely@0.28.16)
       '@better-auth/memory-adapter': 1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)
       '@better-auth/mongo-adapter': 1.6.9(@better-auth/core@1.6.9(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.2))(jose@6.2.3)(kysely@0.28.16)(nanostores@1.3.0))(@better-auth/utils@0.4.0)
@@ -3945,6 +3922,8 @@ snapshots:
       nanostores: 1.3.0
       zod: 4.4.2
     optionalDependencies:
+      drizzle-kit: 0.30.6
+      drizzle-orm: 0.38.4(kysely@0.28.16)(postgres@3.4.9)
       vitest: 3.2.4(@types/node@22.19.17)(tsx@4.21.0)
     transitivePeerDependencies:
       - '@cloudflare/workers-types'

pnpm-workspace.yaml

@@ -1,3 +1,2 @@
 packages:
   - "apps/*"
-  - "packages/*"

src/index.ts

@@ -0,0 +1,298 @@
+import { serve } from "@hono/node-server";
+import { Hono } from "hono";
+import { logger } from "hono/logger";
+import { cors } from "hono/cors";
+import { getAuth, initAuth, getActiveProviders } from "./lib/auth.js";
+import { clientsRouter } from "./routes/clients.js";
+import { petsRouter } from "./routes/pets.js";
+import { servicesRouter } from "./routes/services.js";
+import { appointmentsRouter } from "./routes/appointments.js";
+import { waitlistRouter } from "./routes/waitlist.js";
+import { portalRouter } from "./routes/portal.js";
+import { staffRouter } from "./routes/staff.js";
+import { invoicesRouter } from "./routes/invoices.js";
+import { bookRouter } from "./routes/book.js";
+import { reportsRouter } from "./routes/reports.js";
+import { appointmentGroupsRouter } from "./routes/appointmentGroups.js";
+import { groomingLogsRouter } from "./routes/groomingLogs.js";
+import { impersonationRouter } from "./routes/impersonation.js";
+import { settingsRouter } from "./routes/settings.js";
+import { authProviderRouter } from "./routes/authProvider.js";
+import { searchRouter } from "./routes/search.js";
+import { bufferRulesRouter } from "./routes/buffer-rules.js";
+import { getObject } from "./lib/s3.js";
+import { calendarRouter } from "./routes/calendar.js";
+import { setupRouter } from "./routes/setup.js";
+import { getDb, businessSettings, eq, staff } from "@groombook/db";
+import { authMiddleware } from "./middleware/auth.js";
+import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
+import { devRouter } from "./routes/dev.js";
+import { adminSeedRouter } from "./routes/admin/seed.js";
+import { startReminderScheduler } from "./services/reminders.js";
+import { webhooksRouter } from "./routes/stripe-webhooks.js";
+
+const app = new Hono();
+
+// Global middleware
+const TRUSTED_ORIGINS = (process.env.CORS_ORIGIN ?? "http://localhost:5173")
+  .split(",")
+  .map((o) => o.trim());
+
+const ALLOWED_ORIGIN = process.env.CORS_ORIGIN ?? "http://localhost:5173";
+
+app.use("*", logger());
+app.use(
+  "/api/*",
+  cors({
+    origin: (origin, ctx) => {
+      if (!origin) {
+        return ALLOWED_ORIGIN;
+      }
+      if (TRUSTED_ORIGINS.includes(origin)) {
+        return origin;
+      }
+      ctx.status(403);
+      return null;
+    },
+    credentials: true,
+  })
+);
+
+// Health check — no auth required, registered on app at full path before auth middleware
+app.get("/api/health", (c) => c.json({ status: "ok" }));
+
+// Public booking routes — no auth required, must be registered before auth middleware
+app.route("/api/book", bookRouter);
+
+// Public portal routes — client-facing, authenticated via impersonation session header
+app.route("/api/portal", portalRouter);
+
+// Public Stripe webhook endpoint — signature-verified, no auth required
+app.route("/api/webhooks/stripe", webhooksRouter);
+
+// Dev/demo routes — config is always public, users endpoint is guarded internally
+app.route("/api/dev", devRouter);
+
+// Magic bytes for allowed image types
+const ALLOWED_IMAGE_TYPES: Record<string, Uint8Array> = {
+  "image/png": new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
+  "image/jpeg": new Uint8Array([0xff, 0xd8, 0xff]),
+  "image/gif": new Uint8Array([0x47, 0x49, 0x46, 0x38]),
+  "image/webp": new Uint8Array([0x52, 0x49, 0x46, 0x46]), // followed by size then WEBP
+};
+
+/**
+ * Validates that the given base64 content matches the declared MIME type
+ * by checking magic bytes. Returns null if valid, or the field to clear if not.
+ */
+function validateLogoMagicBytes(
+  logoBase64: string | null,
+  logoMimeType: string | null
+): "logoBase64" | "logoMimeType" | null {
+  if (!logoBase64 || !logoMimeType) return null;
+
+  const expectedMagic = ALLOWED_IMAGE_TYPES[logoMimeType];
+  if (!expectedMagic) return "logoMimeType"; // unknown MIME type — reject
+
+  try {
+    const binary = Buffer.from(logoBase64, "base64");
+    // WebP needs a special check (RIFF....WEBP at offset 0, size at offset 4)
+    if (logoMimeType === "image/webp") {
+      if (binary.length < 12) return "logoBase64";
+      const webpMagic = binary.slice(0, 4);
+      const webpSig = binary.slice(8, 12);
+      if (
+        webpMagic[0] !== 0x52 ||
+        webpMagic[1] !== 0x49 ||
+        webpMagic[2] !== 0x46 ||
+        webpMagic[3] !== 0x46 ||
+        webpSig[0] !== 0x57 ||
+        webpSig[1] !== 0x45 ||
+        webpSig[2] !== 0x42 ||
+        webpSig[3] !== 0x50
+      ) {
+        return "logoBase64";
+      }
+      return null;
+    }
+
+    // All other types: check prefix
+    if (binary.length < expectedMagic.length) return "logoBase64";
+    for (let i = 0; i < expectedMagic.length; i++) {
+      if (binary[i] !== expectedMagic[i]) return "logoBase64";
+    }
+    return null;
+  } catch {
+    return "logoBase64";
+  }
+}
+
+// Public logo proxy — no auth required, streams logo from S3 so browser never sees raw S3 URL
+app.get("/api/branding/logo", async (c) => {
+  const db = getDb();
+  const [row] = await db.select().from(businessSettings).limit(1);
+  if (!row) return c.json({ error: "Settings not found" }, 404);
+  if (!row.logoKey) return c.json({ error: "No logo on file" }, 404);
+
+  const { body, contentType } = await getObject(row.logoKey);
+  return new Response(Buffer.from(body), {
+    status: 200,
+    headers: {
+      "Content-Type": contentType,
+      "Cache-Control": "public, max-age=86400",
+    },
+  });
+});
+
+// Public branding endpoint — no auth required, returns business name/colors/logo
+app.get("/api/branding", async (c) => {
+  const db = getDb();
+  const [row] = await db.select().from(businessSettings).limit(1);
+  const settings = row ?? { businessName: "GroomBook", primaryColor: "#4f8a6f", accentColor: "#8b7355", logoBase64: null, logoMimeType: null, logoKey: null };
+
+  // Return the public proxy path so browser never sees a raw S3 URL
+  const logoUrl = settings.logoKey ? "/api/branding/logo" : null;
+
+  // Defensive: validate magic bytes to prevent MIME type confusion attacks
+  // via the legacy base64 logo fields
+  const badField = validateLogoMagicBytes(settings.logoBase64 ?? null, settings.logoMimeType ?? null);
+  const safeLogoBase64 = badField === "logoBase64" ? null : settings.logoBase64;
+  const safeLogoMimeType = badField === "logoMimeType" ? null : settings.logoMimeType;
+
+  return c.json({
+    businessName: settings.businessName,
+    primaryColor: settings.primaryColor,
+    accentColor: settings.accentColor,
+    logoUrl,
+    logoBase64: safeLogoBase64,
+    logoMimeType: safeLogoMimeType,
+  });
+});
+
+// Public iCal calendar feed — token auth in URL, no auth middleware required
+app.route("/api/calendar", calendarRouter);
+
+// Public setup status — no auth required, must be registered before auth middleware
+app.get("/api/setup/status", async (c) => {
+  const db = getDb();
+  const [superUser] = await db
+    .select({ id: staff.id })
+    .from(staff)
+    .where(eq(staff.isSuperUser, true))
+    .limit(1);
+  return c.json({ needsSetup: !superUser });
+});
+
+// Public auth providers endpoint — no auth required, tells frontend which login options are available
+app.get("/api/auth/providers", async (c) => {
+  return c.json({ providers: getActiveProviders() });
+});
+
+// Protected API routes
+const api = app.basePath("/api");
+api.use("*", authMiddleware);
+api.use("*", resolveStaffMiddleware);
+
+// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
+// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
+const authRouter = new Hono();
+authRouter.all("/*", (c) => {
+  try {
+    return getAuth().handler(c.req.raw);
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+});
+api.route("/auth", authRouter);
+
+// ── Role guards ────────────────────────────────────────────────────────────────
+// Manager-only: admin settings, reports, invoices, impersonation
+// Staff CRUD: all roles may READ; manager-only for CREATE/UPDATE/DELETE
+api.on(["GET"], "/staff/*", requireRole("manager", "receptionist", "groomer"));
+// Staff write routes: manager OR super-user (combined guard — avoids AND stacking)
+api.on(["POST", "PATCH", "DELETE"], "/staff/*", requireRoleOrSuperUser("manager"));
+api.use("/admin/*", requireRoleOrSuperUser("manager"));
+api.use("/admin/settings/*", requireSuperUser());
+api.use("/reports/*", requireRole("manager"));
+api.use("/invoices/*", requireRole("manager", "groomer"));
+api.use("/impersonation/*", requireRole("manager"));
+
+// Manager + Receptionist only (groomers have no access): appointment-groups, grooming-logs, waitlist
+api.use("/appointment-groups/*", requireRole("manager", "receptionist"));
+api.use("/grooming-logs/*", requireRole("manager", "receptionist"));
+api.use("/waitlist/*", requireRole("manager", "receptionist"));
+
+// Pet photo routes: all staff roles may upload/delete (groomers take photos during grooms)
+// These must be registered before the general pets write guard. Because Hono path params
+// match single segments, "/pets/:petId" does NOT match "/pets/:petId/photo/:action",
+// so there is no guard overlap.
+api.on(
+  ["POST", "DELETE"],
+  ["/pets/:petId/photo", "/pets/:petId/photo/:action"],
+  requireRole("manager", "receptionist", "groomer")
+);
+
+// Clients, appointments: all roles may read; only manager + receptionist may write
+api.on(
+  ["POST", "PUT", "PATCH", "DELETE"],
+  ["/clients/*", "/appointments/*"],
+  requireRole("manager", "receptionist")
+);
+
+// Pets (non-photo CRUD): manager + receptionist for writes
+// ":petId" matches only single-segment paths — photo sub-routes are unaffected
+api.post("/pets", requireRole("manager", "receptionist"));
+api.on(["PUT", "PATCH", "DELETE"], "/pets/:petId", requireRole("manager", "receptionist"));
+
+// Services: all roles may read; only managers may write
+api.on(
+  ["POST", "PUT", "PATCH", "DELETE"],
+  "/services/*",
+  requireRole("manager")
+);
+// ──────────────────────────────────────────────────────────────────────────────
+
+// Setup: POST /api/setup (authenticated) — requires staff context from auth middleware
+api.route("/setup", setupRouter);
+
+api.route("/clients", clientsRouter);
+api.route("/pets", petsRouter);
+api.route("/services", servicesRouter);
+api.route("/appointments", appointmentsRouter);
+api.route("/waitlist", waitlistRouter);
+api.route("/staff", staffRouter);
+api.route("/invoices", invoicesRouter);
+api.route("/reports", reportsRouter);
+api.route("/appointment-groups", appointmentGroupsRouter);
+api.route("/grooming-logs", groomingLogsRouter);
+api.route("/impersonation", impersonationRouter);
+api.route("/admin/settings", settingsRouter);
+api.route("/admin/auth-provider", authProviderRouter);
+api.route("/admin/seed", adminSeedRouter);
+api.route("/search", searchRouter);
+api.route("/buffer-rules", bufferRulesRouter);
+
+const port = Number(process.env.PORT ?? 3000);
+await initAuth();
+console.log(`API server listening on port ${port}`);
+const server = serve({ fetch: app.fetch, port });
+
+// Start background reminder scheduler (runs every minute to check for upcoming appointments)
+startReminderScheduler();
+
+function shutdown() {
+  console.log("Shutting down gracefully...");
+  server.close(() => {
+    console.log("HTTP server closed");
+    process.exit(0);
+  });
+  setTimeout(() => {
+    console.error("Forced shutdown after timeout");
+    process.exit(1);
+  }, 10_000);
+}
+
+process.on("SIGTERM", shutdown);
+process.on("SIGINT", shutdown);
+
+export default app;