merge: resolve conflicts with dev (keep Node 22 + add Gitea CI images)

- Dockerfile: keep node:22-alpine for both base and runner stages
- package.json: keep dev's full content + add packageManager field
- .gitea/workflows/ci.yml: keep fixed version with all 4 image targets
- petsExtendedFields.test.ts: keep dev UUIDs + PR's vi.fn() mocks

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies
@@ -49,7 +49,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies
@@ -59,7 +59,7 @@ jobs:
         run: pnpm test
 
   docker:
-    name: Build & Push Docker Image
+    name: Build & Push Docker Images
     runs-on: ubuntu-latest
     needs: [lint-typecheck, test]
     steps:
@@ -91,9 +91,49 @@ jobs:
         with:
           context: .
           file: Dockerfile
+          target: runner
           push: true
           tags: |
             git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
           cache-from: type=registry,ref=git.farh.net/groombook/cache:api
-          cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
+
+      - name: Build and push Migrate image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: migrate
+          push: true
+          tags: |
+            git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
+
+      - name: Build and push Seed image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: seed
+          push: true
+          tags: |
+            git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:seed
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max
+
+      - name: Build and push Reset image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: reset
+          push: true
+          tags: |
+            git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies
@@ -49,7 +49,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies
@@ -71,7 +71,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Install dependencies

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-alpine AS base
+FROM node:22-alpine AS base
 RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR /app
 
@@ -20,7 +20,7 @@ RUN pnpm --filter @groombook/types build && \
     pnpm --filter @groombook/api build
 
 # Runtime
-FROM node:20-alpine AS runner
+FROM node:22-alpine AS runner
 RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR /app
 ENV NODE_ENV=production

UAT_PLAYBOOK.md

@@ -33,6 +33,12 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.8 | Email+password — invalid password | POST /api/auth/sign-in/email with wrong password | 400 Bad Request, error returned |
 | TC-API-1.9 | Email+password — unknown user | POST /api/auth/sign-in/email with non-existent email | 400 Bad Request, error returned |
 | TC-API-1.10 | Auto-provision on first OIDC login | First login as a Better-Auth user with no existing staff record | 200 OK, access granted; groomer staff record auto-created with name/email from user table |
+| TC-API-1.11 | Existing staff unaffected by OIDC login | Login as uat-groomer@groombook.dev (email+password), then GET /api/staff to find that record | 200 OK, staff record unchanged — no duplicate created, original role and isSuperUser preserved |
+| TC-API-1.12 | Auto-provisioned role and superUser flags | After TC-API-1.10, GET /api/staff and inspect the auto-created record | role = "groomer", isSuperUser = false, active = true |
+| TC-API-1.13 | Name fallback — user.name present | Auto-provision where Better-Auth user has name set | Staff name = user.name value from user table |
+| TC-API-1.14 | Name fallback — no name, email present | Auto-provision where Better-Auth user has name = null, email = "test@example.com" | Staff name = "test" (email prefix before @) |
+| TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
+| TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |
 
 ### 4.2 Client Management
 

apps/api/src/__tests__/petsExtendedFields.test.ts

@@ -2,6 +2,7 @@ import { describe, it, expect, vi, beforeEach } from "vitest";
 import { Hono } from "hono";
 import type { AppEnv, StaffRow } from "../middleware/rbac.js";
 import { petsRouter } from "../routes/pets.js";
+import { and, eq, exists, or } from "../db/index.js";
 
 // ─── Mock staff fixtures ──────────────────────────────────────────────────────
 
@@ -134,7 +135,7 @@ function makeDeleteChainable(): unknown {
       }
       if (prop === "returning") {
         return () => {
-          const row = petRows[0];
+          const row = petRows[0]!;
           deletedId = row.id as string;
           return [row];
         };
@@ -164,10 +165,10 @@ vi.mock("../db", async (importOriginal) => {
     }),
     pets,
     appointments,
-and: (...conds: unknown[]) => conds,
-    eq: (col: unknown, val: unknown) => ({ col, val }),
-    exists: (q: unknown) => q,
-    or: (...conds: unknown[]) => conds,
+    and: vi.fn(),
+    eq: vi.fn(),
+    exists: vi.fn(),
+    or: vi.fn(),
   };
 });
 

apps/api/src/__tests__/portal.test.ts

@@ -67,6 +67,11 @@ vi.mock("../db", () => {
     { get: (t, p) => (p === "_name" ? "impersonationSessions" : { table: "impersonationSessions", column: p }) }
   );
 
+  const impersonationAuditLogs = new Proxy(
+    { _name: "impersonationAuditLogs" },
+    { get: (t, p) => (p === "_name" ? "impersonationAuditLogs" : { table: "impersonationAuditLogs", column: p }) }
+  );
+
   const appointments = new Proxy(
     { _name: "appointments" },
     { get: (t, p) => (p === "_name" ? "appointments" : { table: "appointments", column: p }) }
@@ -99,8 +104,12 @@ vi.mock("../db", () => {
           }),
         }),
       }),
+      insert: () => ({
+        values: () => ({ returning: () => [{}] }),
+      }),
     }),
     impersonationSessions,
+    impersonationAuditLogs,
     appointments,
     eq: vi.fn(),
     and: vi.fn(),

apps/api/src/index.ts

@@ -26,6 +26,7 @@ import { getDb, businessSettings, eq, staff } from "./db/index.js";
 import { authMiddleware } from "./middleware/auth.js";
 import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
 import { devRouter } from "./routes/dev.js";
+import { bufferRulesRouter } from "./routes/buffer-rules.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
 import { webhooksRouter } from "./routes/stripe-webhooks.js";
@@ -211,6 +212,7 @@ api.on(["GET"], "/staff/*", requireRole("manager", "receptionist", "groomer"));
 // Staff write routes: manager OR super-user (combined guard — avoids AND stacking)
 api.on(["POST", "PATCH", "DELETE"], "/staff/*", requireRoleOrSuperUser("manager"));
 api.use("/admin/*", requireRoleOrSuperUser("manager"));
+api.use("/buffer-rules/*", requireRole("manager"));
 api.use("/admin/settings/*", requireSuperUser());
 api.use("/reports/*", requireRole("manager"));
 api.use("/invoices/*", requireRole("manager", "groomer"));
@@ -268,6 +270,7 @@ api.route("/impersonation", impersonationRouter);
 api.route("/admin/settings", settingsRouter);
 api.route("/admin/auth-provider", authProviderRouter);
 api.route("/admin/seed", adminSeedRouter);
+api.route("/buffer-rules", bufferRulesRouter);
 api.route("/search", searchRouter);
 
 const port = Number(process.env.PORT ?? 3000);

apps/api/src/routes/buffer-rules.ts

@@ -0,0 +1,124 @@
+import { Hono } from "hono";
+import { zValidator } from "@hono/zod-validator";
+import { z } from "zod/v3";
+import { and, eq, getDb, isNull } from "../db/index.js";
+import type { AppEnv } from "../middleware/rbac.js";
+import { bufferRules, services } from "../db/index.js";
+
+export const bufferRulesRouter = new Hono<AppEnv>();
+
+const createBufferRuleSchema = z.object({
+  serviceId: z.string().uuid(),
+  sizeCategory: z
+    .enum(["small", "medium", "large", "extra_large"])
+    .optional(),
+  coatType: z
+    .enum(["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"])
+    .optional(),
+  bufferMinutes: z.number().int().positive(),
+});
+
+const updateBufferRuleSchema = z.object({
+  bufferMinutes: z.number().int().positive(),
+});
+
+// GET / — list all buffer rules, optionally filtered by serviceId
+bufferRulesRouter.get("/", async (c) => {
+  const db = getDb();
+  const serviceId = c.req.query("serviceId");
+
+  const conditions = [];
+  if (serviceId) conditions.push(eq(bufferRules.serviceId, serviceId));
+
+  const rows = await db
+    .select({
+      id: bufferRules.id,
+      serviceId: bufferRules.serviceId,
+      sizeCategory: bufferRules.sizeCategory,
+      coatType: bufferRules.coatType,
+      bufferMinutes: bufferRules.bufferMinutes,
+      createdAt: bufferRules.createdAt,
+      updatedAt: bufferRules.updatedAt,
+      serviceName: services.name,
+    })
+    .from(bufferRules)
+    .innerJoin(services, eq(bufferRules.serviceId, services.id))
+    .where(conditions.length > 0 ? and(...conditions) : undefined)
+    .orderBy(bufferRules.createdAt);
+
+  return c.json(rows);
+});
+
+// POST / — create a buffer rule
+bufferRulesRouter.post(
+  "/",
+  zValidator("json", createBufferRuleSchema),
+  async (c) => {
+    const db = getDb();
+    const body = c.req.valid("json");
+
+    // Validate serviceId exists
+    const [svc] = await db
+      .select({ id: services.id })
+      .from(services)
+      .where(eq(services.id, body.serviceId));
+    if (!svc) return c.json({ error: "Service not found" }, 404);
+
+    // Check for duplicate (service + size + coat)
+    const [existing] = await db
+      .select({ id: bufferRules.id })
+      .from(bufferRules)
+      .where(
+        and(
+          eq(bufferRules.serviceId, body.serviceId),
+          body.sizeCategory !== undefined
+            ? eq(bufferRules.sizeCategory, body.sizeCategory)
+            : isNull(bufferRules.sizeCategory),
+          body.coatType !== undefined
+            ? eq(bufferRules.coatType, body.coatType)
+            : isNull(bufferRules.coatType)
+        )
+      );
+    if (existing) return c.json({ error: "Duplicate rule for this service+size+coat combination" }, 409);
+
+    const [row] = await db
+      .insert(bufferRules)
+      .values({
+        serviceId: body.serviceId,
+        sizeCategory: body.sizeCategory ?? null,
+        coatType: body.coatType ?? null,
+        bufferMinutes: body.bufferMinutes,
+      })
+      .returning();
+
+    return c.json(row, 201);
+  }
+);
+
+// PATCH /:id — update bufferMinutes only
+bufferRulesRouter.patch(
+  "/:id",
+  zValidator("json", updateBufferRuleSchema),
+  async (c) => {
+    const db = getDb();
+    const body = c.req.valid("json");
+    const [row] = await db
+      .update(bufferRules)
+      .set({ bufferMinutes: body.bufferMinutes, updatedAt: new Date() })
+      .where(eq(bufferRules.id, c.req.param("id")))
+      .returning();
+    if (!row) return c.json({ error: "Not found" }, 404);
+    return c.json(row);
+  }
+);
+
+// DELETE /:id — delete a buffer rule
+bufferRulesRouter.delete("/:id", async (c) => {
+  const db = getDb();
+  const [row] = await db
+    .delete(bufferRules)
+    .where(eq(bufferRules.id, c.req.param("id")))
+    .returning();
+  if (!row) return c.json({ error: "Not found" }, 404);
+  return c.json({ ok: true });
+});

apps/api/src/routes/pets.ts

@@ -24,6 +24,7 @@ const createPetSchema = z.object({
   shampooPreference: z.string().max(500).optional(),
   specialCareNotes: z.string().max(2000).optional(),
   customFields: z.record(z.string(), z.string()).optional(),
+  sizeCategory: z.enum(["small", "medium", "large", "extra_large"]).optional(),
   coatType: z.enum(["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"]).optional(),
   temperamentScore: z.number().int().min(1).max(5).optional(),
   temperamentFlags: z.array(z.string().max(100)).max(20).optional(),

apps/api/src/routes/services.ts

@@ -13,7 +13,9 @@ const createServiceSchema = z.object({
   active: z.boolean().default(true),
 });
 
-const updateServiceSchema = createServiceSchema.partial();
+const updateServiceSchema = createServiceSchema.partial().extend({
+  defaultBufferMinutes: z.number().int().min(0).optional(),
+});
 
 servicesRouter.get("/", async (c) => {
   const db = getDb();

apps/api/src/types/index.ts

@@ -26,6 +26,19 @@ export interface Client {
   updatedAt: string;
 }
 
+// ─── Medical Alerts ────────────────────────────────────────────────────────────
+
+export type AlertSeverity = "low" | "medium" | "high";
+
+export interface MedicalAlert {
+  type: string;
+  description: string;
+  severity: AlertSeverity;
+}
+
+// ─── Pet Profile Summary ────────────────────────────────────────────────────
+
+export type CoatType = "short" | "medium" | "long" | "double" | "wire" | "silky" | "curly" | "hairless";
 export interface Pet {
   id: string;
   clientId: string;

package.json

@@ -3,6 +3,7 @@
   "version": "0.0.1",
   "private": true,
   "type": "module",
+  "packageManager": "pnpm@9.15.4",
   "scripts": {
     "dev": "tsx watch src/index.ts",
     "build": "tsc --project .",

packages/db/src/schema.ts

@@ -116,6 +116,26 @@ export const verification = pgTable("verification", {
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });
 
+// ─── Pet enums ─────────────────────────────────────────────────────────────────
+
+export const petSizeCategoryEnum = pgEnum("pet_size_category", [
+  "small",
+  "medium",
+  "large",
+  "extra_large",
+]);
+
+export const coatTypeEnum = pgEnum("coat_type", [
+  "short",
+  "medium",
+  "long",
+  "double",
+  "wire",
+  "silky",
+  "curly",
+  "hairless",
+]);
+
 // ─── Tables ───────────────────────────────────────────────────────────────────
 
 export const clients = pgTable(
@@ -178,6 +198,7 @@ export const services = pgTable("services", {
   durationMinutes: integer("duration_minutes").notNull(),
   defaultBufferMinutes: integer("default_buffer_minutes"),
   active: boolean("active").notNull().default(true),
+  defaultBufferMinutes: integer("default_buffer_minutes").notNull().default(0),
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });
@@ -640,3 +661,34 @@ export const authProviderConfig = pgTable("auth_provider_config", {
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });
+
+// ─── Buffer Rules ─────────────────────────────────────────────────────────────
+
+// Buffer time rules per service + pet size/coat combination.
+// Covers service-level defaults and pet-specific overrides.
+export const bufferRules = pgTable(
+  "buffer_rules",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    serviceId: uuid("service_id")
+      .notNull()
+      .references(() => services.id, { onDelete: "cascade" }),
+    // null sizeCategory means "any size" (wildcard)
+    sizeCategory: petSizeCategoryEnum("size_category"),
+    // null coatType means "any coat type" (wildcard)
+    coatType: coatTypeEnum("coat_type"),
+    // minutes to add to the service duration for this size/coat combo
+    bufferMinutes: integer("buffer_minutes").notNull(),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [
+    // One rule per unique (service, size, coat) combination
+    unique("uq_buffer_rules_service_size_coat").on(
+      t.serviceId,
+      t.sizeCategory,
+      t.coatType
+    ),
+    index("idx_buffer_rules_service_id").on(t.serviceId),
+  ]
+);

pnpm-lock.yaml

@@ -28,7 +28,7 @@ importers:
         version: 0.7.6(hono@4.12.18)(zod@4.4.3)
       better-auth:
         specifier: ^1.5.6
-        version: 1.6.10(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0))
+        version: 1.6.10(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0))
       drizzle-orm:
         specifier: ^0.38.4
         version: 0.38.4(kysely@0.28.17)(postgres@3.4.9)
@@ -84,6 +84,9 @@ importers:
 
   packages/db:
     dependencies:
+      better-auth:
+        specifier: ^1.5.6
+        version: 1.6.10(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0))
       drizzle-orm:
         specifier: ^0.38.4
         version: 0.38.4(kysely@0.28.17)(postgres@3.4.9)
@@ -3927,7 +3930,7 @@ snapshots:
 
   balanced-match@4.0.4: {}
 
-  better-auth@1.6.10(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0)):
+  better-auth@1.6.10(drizzle-kit@0.30.6)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))(vitest@3.2.4(@types/node@22.19.18)(tsx@4.21.0)):
     dependencies:
       '@better-auth/core': 1.6.10(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.3))(jose@6.2.3)(kysely@0.28.17)(nanostores@1.3.0)
       '@better-auth/drizzle-adapter': 1.6.10(@better-auth/core@1.6.10(@better-auth/utils@0.4.0)(@better-fetch/fetch@1.1.21)(better-call@1.3.5(zod@4.4.3))(jose@6.2.3)(kysely@0.28.17)(nanostores@1.3.0))(@better-auth/utils@0.4.0)(drizzle-orm@0.38.4(kysely@0.28.17)(postgres@3.4.9))
@@ -3947,6 +3950,7 @@ snapshots:
       nanostores: 1.3.0
       zod: 4.4.3
     optionalDependencies:
+      drizzle-kit: 0.30.6
       drizzle-orm: 0.38.4(kysely@0.28.17)(postgres@3.4.9)
       vitest: 3.2.4(@types/node@22.19.18)(tsx@4.21.0)
     transitivePeerDependencies:

src/lib/auth.ts

@@ -251,6 +251,10 @@ export async function initAuth(): Promise<void> {
         },
       },
       account: {
+        accountLinking: {
+          enabled: true,
+          trustedProviders: ["authentik"],
+        },
         storeStateStrategy: "cookie" as const,
       },
       emailAndPassword: {