chore: direct push CI trigger for GRO-1757 (b61d899f) to include in dev image

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.ci-trigger

@@ -0,0 +1 @@
+GRO-1757 direct push CI trigger - 2026-05-26T00:15:41Z

.gitea/workflows/ci.yml

@@ -91,6 +91,7 @@ jobs:
       - name: Build and push API image
         uses: docker/build-push-action@v6
         with:
+          provenance: false
           context: .
           file: Dockerfile
           target: runner
@@ -105,6 +106,7 @@ jobs:
       - name: Build and push Migrate image
         uses: docker/build-push-action@v6
         with:
+          provenance: false
           context: .
           file: Dockerfile
           target: migrate
@@ -119,6 +121,7 @@ jobs:
       - name: Build and push Seed image
         uses: docker/build-push-action@v6
         with:
+          provenance: false
           context: .
           file: Dockerfile
           target: seed
@@ -133,6 +136,7 @@ jobs:
       - name: Build and push Reset image
         uses: docker/build-push-action@v6
         with:
+          provenance: false
           context: .
           file: Dockerfile
           target: reset

UAT_PLAYBOOK.md

@@ -48,6 +48,26 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-1.15 | Name fallback — no name, no email | Auto-provision where Better-Auth user has name = null, email = null | Staff name = "Unknown" |
 | TC-API-1.16 | OIDC login — Terraform-provisioned user | Initiate OIDC login as any UAT persona (uat-super, uat-groomer, uat-customer, uat-tester), complete authentik callback | 200 OK, session created — no account_not_linked error |
 
+#### SSO Login Journey (Authentik OIDC end-to-end)
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.17 | SSO redirect to Authentik | Navigate to app → sign-in page shown → click "Sign in with SSO" | Redirected to Authentik at auth.farh.net | 403 error, redirect loop, no SSO button |
+| TC-API-1.18 | Authenticate with valid OIDC credentials | At Authentik login page, enter valid credentials and authenticate | Redirected back to app with valid session | Redirect loop, 403, missing session cookie |
+| TC-API-1.19 | SSO user auto-provisioned as groomer | Complete SSO login as a user with no pre-existing staff record | 200 response; groomer staff record auto-created; session active | 403 Forbidden, staff record not created |
+| TC-API-1.20 | Existing staff record resolves correctly | Complete SSO login as uat-groomer (pre-existing staff) | 200 OK, correct staff identity resolved, no duplicate record created | 403, duplicate record, wrong staff data |
+| TC-API-1.21 | SSO session grants dashboard access | After TC-API-1.18 SSO login, GET /api/staff/me | 200 OK, valid staff record returned, correct role displayed | 401/403, missing session, wrong identity |
+
+#### OOBE Flow Post-Login
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-API-1.22 | Fresh DB reports needsSetup | On a fresh DB (no super user), GET /api/setup/status | needsSetup: true returned | needsSetup: false when it should be true |
+| TC-API-1.23 | Configure OIDC via auth-provider endpoint | POST /api/setup/auth-provider with valid OIDC config | 200 OK, auth provider configured, no 403 | 403, setup blocked, invalid config rejected |
+| TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
+| TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
+| TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
+
 ### 4.2 Client Management
 
 | # | Scenario | Steps | Expected |
@@ -78,10 +98,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-3.13 | Reject too many temperamentFlags | POST /api/pets with 21 temperamentFlags | 400 Bad Request, max 20 flags enforced |
 | TC-API-3.14 | Reject too many preferredCuts | POST /api/pets with 21 preferredCuts | 400 Bad Request, max 20 cuts enforced |
 | TC-API-3.15 | Reject too many medicalAlerts | POST /api/pets with 51 medicalAlerts | 400 Bad Request, max 50 alerts enforced |
-| TC-API-3.16 | Get pet profile summary | GET /api/pets/{id}/profile-summary | 200 OK, aggregated profile with grooming history, visit count, upcoming appointment |
-| TC-API-3.17 | Get pet profile summary — groomer restricted | GET /api/pets/{id}/profile-summary as groomer with no pet linkage | 403 Forbidden |
-| TC-API-3.18 | Get pet profile summary — visitCount returns full count | GET /api/pets/{id}/profile-summary with 2+ completed appointments | visitCount >= 2 (not capped at 1) |
-| TC-API-3.19 | Get pet profile summary — upcomingAppointment excludes past | GET /api/pets/{id}/profile-summary with a past confirmed/scheduled appointment | upcomingAppointment is null (past appointments filtered by startTime >= now) |
 
 ### 4.4 Appointment Scheduling
 

apps/api/src/__tests__/petProfileSummary.test.ts

@@ -1,357 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { Hono } from "hono";
-import type { AppEnv, StaffRow } from "../middleware/rbac.js";
-import { petsRouter } from "../routes/pets.js";
-
-// ─── Mock staff fixtures ──────────────────────────────────────────────────────
-
-const MANAGER: StaffRow = {
-  id: "staff-manager-id",
-  oidcSub: "oidc-manager-sub",
-  userId: null,
-  role: "manager",
-  isSuperUser: true,
-  name: "Manager McManager",
-  email: "manager@example.com",
-  active: true,
-  icalToken: null,
-  createdAt: new Date(),
-  updatedAt: new Date(),
-};
-
-const GROOMER: StaffRow = {
-  id: "staff-groomer-id",
-  oidcSub: "oidc-groomer-sub",
-  userId: null,
-  role: "groomer",
-  isSuperUser: false,
-  name: "Groomer McGroome",
-  email: "groomer@example.com",
-  active: true,
-  icalToken: null,
-  createdAt: new Date(),
-  updatedAt: new Date(),
-};
-
-// ─── Mutable mock state ───────────────────────────────────────────────────────
-
-const CLIENT_ID = "client-uuid-summary";
-const PET_ID = "pet-uuid-summary";
-
-interface MockState {
-  pets: Record<string, unknown>[];
-  appointments: Record<string, unknown>[];
-  groomingLogs: Record<string, unknown>[];
-  staffMembers: Record<string, unknown>[];
-  services: Record<string, unknown>[];
-}
-
-let mock: MockState;
-
-function resetMock() {
-  mock = {
-    pets: [{
-      id: PET_ID,
-      clientId: CLIENT_ID,
-      name: "Biscuit",
-      species: "dog",
-      breed: "Golden Retriever",
-      weightKg: "30.00",
-      dateOfBirth: null,
-      healthAlerts: null,
-      groomingNotes: null,
-      cutStyle: null,
-      shampooPreference: null,
-      specialCareNotes: null,
-      customFields: {},
-      photoKey: null,
-      photoUploadedAt: null,
-      image: null,
-      coatType: "double",
-      temperamentScore: 3,
-      temperamentFlags: ["gentle"],
-      medicalAlerts: [],
-      preferredCuts: ["puppy cut"],
-      createdAt: new Date("2024-01-01"),
-      updatedAt: new Date("2024-01-01"),
-    }],
-    appointments: [
-      {
-        id: "appt-completed-1",
-        clientId: CLIENT_ID,
-        petId: PET_ID,
-        serviceId: "service-1",
-        staffId: "staff-groomer-id",
-        batherStaffId: null,
-        status: "completed",
-        startTime: new Date("2024-06-01T09:00:00Z"),
-        endTime: new Date("2024-06-01T11:00:00Z"),
-        notes: null,
-        priceCents: 6000,
-        seriesId: null,
-        seriesIndex: null,
-        groupId: null,
-        confirmationStatus: "confirmed",
-        confirmedAt: null,
-        cancelledAt: null,
-        confirmationToken: null,
-        customerNotes: null,
-        createdAt: new Date("2024-05-15"),
-        updatedAt: new Date("2024-05-15"),
-      },
-      {
-        id: "appt-upcoming-1",
-        clientId: CLIENT_ID,
-        petId: PET_ID,
-        serviceId: "service-2",
-        staffId: "staff-groomer-id",
-        batherStaffId: null,
-        status: "confirmed",
-        startTime: new Date("2024-12-01T09:00:00Z"),
-        endTime: new Date("2024-12-01T11:00:00Z"),
-        notes: null,
-        priceCents: 6500,
-        seriesId: null,
-        seriesIndex: null,
-        groupId: null,
-        confirmationStatus: "confirmed",
-        confirmedAt: null,
-        cancelledAt: null,
-        confirmationToken: null,
-        customerNotes: null,
-        createdAt: new Date("2024-11-01"),
-        updatedAt: new Date("2024-11-01"),
-      },
-    ],
-    groomingLogs: [
-      {
-        id: "log-1",
-        petId: PET_ID,
-        appointmentId: "appt-completed-1",
-        staffId: "staff-groomer-id",
-        cutStyle: "puppy cut",
-        productsUsed: "oatmeal shampoo",
-        notes: "Trimmed nails",
-        groomedAt: new Date("2024-06-01T10:00:00Z"),
-        createdAt: new Date("2024-06-01T10:00:00Z"),
-      },
-    ],
-    staffMembers: [
-      {
-        id: "staff-groomer-id",
-        name: "Groomer McGroome",
-        email: "groomer@example.com",
-        role: "groomer",
-        isSuperUser: false,
-        active: true,
-        oidcSub: "oidc-groomer-sub",
-        userId: null,
-        icalToken: null,
-        createdAt: new Date(),
-        updatedAt: new Date(),
-      },
-      {
-        id: "staff-manager-id",
-        name: "Manager McManager",
-        email: "manager@example.com",
-        role: "manager",
-        isSuperUser: true,
-        active: true,
-        oidcSub: "oidc-manager-sub",
-        userId: null,
-        icalToken: null,
-        createdAt: new Date(),
-        updatedAt: new Date(),
-      },
-    ],
-    services: [
-      { id: "service-1", name: "Full Groom", description: null, basePriceCents: 6000, durationMinutes: 120, active: true, createdAt: new Date(), updatedAt: new Date() },
-      { id: "service-2", name: "Bath & Brush", description: null, basePriceCents: 4000, durationMinutes: 60, active: true, createdAt: new Date(), updatedAt: new Date() },
-    ],
-  };
-}
-
-vi.mock("../db/index.js", () => {
-  const pets = new Proxy({ _name: "pets" }, { get: (t, p) => p === "_name" ? "pets" : {} });
-  const appointments = new Proxy({ _name: "appointments" }, { get: (t, p) => p === "_name" ? "appointments" : {} });
-  const groomingVisitLogs = new Proxy({ _name: "groomingVisitLogs" }, { get: (t, p) => p === "_name" ? "groomingVisitLogs" : {} });
-  const staff = new Proxy({ _name: "staff" }, { get: (t, p) => p === "_name" ? "staff" : {} });
-  const services = new Proxy({ _name: "services" }, { get: (t, p) => p === "_name" ? "services" : {} });
-
-  function makeChainable(rows: unknown[]) {
-    const arr = rows as unknown[];
-    return new Proxy(arr, {
-      get(target, prop) {
-        if (prop === "where" || prop === "orderBy" || prop === "limit" || prop === "leftJoin" || prop === "from") {
-          return () => makeChainable(target);
-        }
-        if (prop === Symbol.iterator) {
-          return function* () { for (const v of target) yield v; };
-        }
-        // @ts-expect-error proxy
-        return target[prop];
-      },
-    });
-  }
-
-  return {
-    getDb: () => ({
-      select: () => ({
-        from: (table: unknown) => {
-          const name = (table as { _name?: string })._name;
-          if (name === "pets") return makeChainable(mock.pets);
-          if (name === "appointments") return makeChainable(mock.appointments);
-          if (name === "groomingVisitLogs") return makeChainable(mock.groomingLogs);
-          if (name === "staff") return makeChainable(mock.staffMembers);
-          if (name === "services") return makeChainable(mock.services);
-          return makeChainable([]);
-        },
-      }),
-      insert: () => ({ values: () => ({ returning: () => [{}] }) }),
-      update: () => ({ set: () => ({ where: () => ({ returning: () => [{}] }) }) }),
-      delete: () => ({ where: () => ({ returning: () => [{}] }) }),
-    }),
-    pets,
-    appointments,
-    groomingVisitLogs,
-    staff,
-    services,
-    and: vi.fn((a: unknown, b: unknown) => [a, b]),
-    desc: vi.fn((c: unknown) => c),
-    eq: vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val })),
-    exists: vi.fn(() => true),
-    gte: vi.fn((a: unknown, b: unknown) => ({ col: a, val: b })),
-    or: vi.fn((a: unknown, b: unknown) => [a, b]),
-    sql: vi.fn((str: string) => str),
-  };
-});
-
-// ─── Helpers ──────────────────────────────────────────────────────────────────
-
-function makeApp(staff: StaffRow = MANAGER) {
-  const app = new Hono<AppEnv>();
-  app.use("*", async (c, next) => {
-    c.set("staff", staff);
-    await next();
-  });
-  return app.route("/pets", petsRouter);
-}
-
-// ─── Tests ────────────────────────────────────────────────────────────────────
-
-describe("GET /:id/profile-summary", () => {
-  beforeEach(resetMock);
-
-  it("returns 404 for non-existent pet", async () => {
-    const app = makeApp();
-    mock.pets = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(404);
-  });
-
-  it("returns 403 for groomer with no pet linkage", async () => {
-    const app = makeApp(GROOMER);
-    // Groomer has no linkage to this pet's client — clear appointments
-    mock.appointments = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(403);
-  });
-
-  it("returns complete aggregated profile for manager", async () => {
-    const app = makeApp(MANAGER);
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.id).toBe(PET_ID);
-    expect(body.name).toBe("Biscuit");
-    expect(body.species).toBe("dog");
-    expect(body.recentGroomingHistory).toBeInstanceOf(Array);
-    expect(body.lastVisitDate).toBeTruthy();
-    expect(body.visitCount).toBeGreaterThanOrEqual(0);
-  });
-
-  it("groomer with pet linkage returns 200", async () => {
-    const app = makeApp(GROOMER);
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-  });
-
-  it("recentGroomingHistory is limited to 10 entries", async () => {
-    const app = makeApp(MANAGER);
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.recentGroomingHistory.length).toBeLessThanOrEqual(10);
-  });
-
-  it("returns null upcomingAppointment when none scheduled", async () => {
-    const app = makeApp(MANAGER);
-    mock.appointments = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.upcomingAppointment).toBeNull();
-  });
-});
-
-describe("GET /:id/profile-summary — visitCount", () => {
-  beforeEach(resetMock);
-
-  it("returns visitCount >= 2 when pet has 2+ completed appointments", async () => {
-    const app = makeApp(MANAGER);
-    // Add a second completed appointment
-    mock.appointments = [
-      ...mock.appointments,
-      {
-        id: "appt-completed-2",
-        clientId: CLIENT_ID,
-        petId: PET_ID,
-        serviceId: "service-1",
-        staffId: "staff-groomer-id",
-        batherStaffId: null,
-        status: "completed",
-        startTime: new Date("2024-07-01T09:00:00Z"),
-        endTime: new Date("2024-07-01T11:00:00Z"),
-        notes: null,
-        priceCents: 6000,
-        seriesId: null,
-        seriesIndex: null,
-        groupId: null,
-        confirmationStatus: "confirmed",
-        confirmedAt: null,
-        cancelledAt: null,
-        confirmationToken: null,
-        customerNotes: null,
-        createdAt: new Date("2024-06-15"),
-        updatedAt: new Date("2024-06-15"),
-      },
-    ];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.visitCount).toBeGreaterThanOrEqual(2);
-  });
-
-  it("returns visitCount = 0 when no completed appointments", async () => {
-    const app = makeApp(MANAGER);
-    mock.appointments = mock.appointments.map((a) => ({ ...a, status: "cancelled" }));
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.visitCount).toBe(0);
-  });
-});
-
-describe("GET /:id/profile-summary — empty history", () => {
-  beforeEach(resetMock);
-
-  it("returns empty history array when no grooming logs", async () => {
-    const app = makeApp(MANAGER);
-    mock.groomingLogs = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.recentGroomingHistory).toEqual([]);
-    expect(body.lastVisitDate).toBeNull();
-  });
-});

apps/api/src/routes/admin/seed.ts

@@ -36,6 +36,19 @@ const DEMO_PET = {
   weightKg: "30.00",
 };
 
+const UAT_CLIENT = {
+  name: "UAT Customer",
+  email: "uat-customer@groombook.dev",
+  phone: "555-0100",
+  address: "1 UAT Lane, Test City, CA 90210",
+  status: "active" as const,
+};
+
+const UAT_PETS = [
+  { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly" as const, weightKg: "20.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth" as const, weightKg: "30.00" },
+];
+
 const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000001", name: "Bath & Brush", description: "Full bath, blow-dry, brush out, and ear cleaning", basePriceCents: 4500, durationMinutes: 45 },
   { id: "b0000001-0000-0000-0000-000000000002", name: "Full Groom — Small", description: "Complete grooming for dogs under 25 lbs", basePriceCents: 6500, durationMinutes: 60 },
@@ -43,7 +56,7 @@ const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000004", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
 ];
 
-adminSeedRouter.post("/seed", async (c) => {
+adminSeedRouter.post("/", async (c) => {
   // Refuse to run when AUTH_DISABLED — dev environments use direct-DB seeding
   if (process.env.AUTH_DISABLED === "true") {
     return c.json(
@@ -128,6 +141,51 @@ adminSeedRouter.post("/seed", async (c) => {
     results.push(`Created pet '${DEMO_PET.name}' for Demo Client (id: ${created!.id})`);
   }
 
+  // ── Client: UAT Customer ──────────────────────────────────────────────────
+  const [existingUatClient] = await db
+    .select()
+    .from(clients)
+    .where(eq(clients.email, UAT_CLIENT.email));
+
+  let uatClientId: string;
+  if (existingUatClient) {
+    uatClientId = existingUatClient.id;
+    results.push(`Client '${UAT_CLIENT.name}' already exists (id: ${uatClientId})`);
+  } else {
+    const [created] = await db.insert(clients).values(UAT_CLIENT).returning();
+    uatClientId = created!.id;
+    results.push(`Created client '${UAT_CLIENT.name}' (id: ${uatClientId})`);
+  }
+
+  // ── Pets: UAT Customer's Pets ─────────────────────────────────────────────
+  const existingUatPets = await db
+    .select()
+    .from(pets)
+    .where(eq(pets.clientId, uatClientId));
+
+  for (const uatPet of UAT_PETS) {
+    const existingPet = existingUatPets.find(
+      (p) => p.name === uatPet.name && p.species === uatPet.species
+    );
+    if (existingPet) {
+      results.push(`Pet '${uatPet.name}' already exists for UAT Customer (id: ${existingPet.id})`);
+    } else {
+      const [created] = await db
+        .insert(pets)
+        .values({
+          clientId: uatClientId,
+          name: uatPet.name,
+          species: uatPet.species,
+          breed: uatPet.breed,
+          coatType: uatPet.coatType,
+          weightKg: uatPet.weightKg,
+          dateOfBirth: new Date("2019-01-01T00:00:00Z"),
+        })
+        .returning();
+      results.push(`Created pet '${uatPet.name}' for UAT Customer (id: ${created!.id})`);
+    }
+  }
+
   return c.json({
     message: "Seed complete",
     details: results,
@@ -136,4 +194,4 @@ adminSeedRouter.post("/seed", async (c) => {
       staffOidcSub: KNOWN_STAFF.oidcSub,
     },
   });
-});
+});

apps/api/src/routes/pets.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, desc, eq, exists, getDb, gte, groomingVisitLogs, or, pets, appointments, staff, services, sql } from "../db/index.js";
+import { and, eq, exists, getDb, or, pets, appointments } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 import {
   getPresignedUploadUrl,
@@ -283,133 +283,3 @@ petsRouter.get("/:petId/photo", async (c) => {
   const url = await getPresignedGetUrl(pet.photoKey);
   return c.json({ url, photoKey: pet.photoKey, photoUploadedAt: pet.photoUploadedAt });
 });
-
-// ─── Profile Summary ───────────────────────────────────────────────────────────
-
-async function groomerLinkageCheck(
-  db: ReturnType<typeof getDb>,
-  clientId: string,
-  staffRow: NonNullable<AppEnv["Variables"]["staff"]>
-): Promise<boolean> {
-  const [linkage] = await db
-    .select({ id: appointments.id })
-    .from(appointments)
-    .where(
-      and(
-        eq(appointments.clientId, clientId),
-        or(
-          eq(appointments.staffId, staffRow.id),
-          eq(appointments.batherStaffId, staffRow.id)
-        )
-      )
-    )
-    .limit(1);
-  return !!linkage;
-}
-
-/**
- * GET /:id/profile-summary
- * Returns aggregated profile: basic pet fields + grooming history + visit stats + upcoming appointment.
- * Groomer RBAC: same visibility rules as GET /:id.
- */
-petsRouter.get("/:id/profile-summary", async (c) => {
-  const db = getDb();
-  const petId = c.req.param("id");
-  const staffRow = c.get("staff");
-  const isGroomer = staffRow?.role === "groomer";
-
-  const [row] = await db.select().from(pets).where(eq(pets.id, petId));
-  if (!row) return c.json({ error: "Not found" }, 404);
-
-  if (isGroomer) {
-    const hasLinkage = await groomerLinkageCheck(db, row.clientId, staffRow);
-    if (!hasLinkage) return c.json({ error: "Forbidden" }, 403);
-  }
-
-  // Recent grooming history: last 10, with staff name join
-  const historyRows = await db
-    .select({
-      id: groomingVisitLogs.id,
-      petId: groomingVisitLogs.petId,
-      appointmentId: groomingVisitLogs.appointmentId,
-      staffId: groomingVisitLogs.staffId,
-      staffName: staff.name,
-      cutStyle: groomingVisitLogs.cutStyle,
-      productsUsed: groomingVisitLogs.productsUsed,
-      notes: groomingVisitLogs.notes,
-      groomedAt: groomingVisitLogs.groomedAt,
-      createdAt: groomingVisitLogs.createdAt,
-    })
-    .from(groomingVisitLogs)
-    .leftJoin(staff, eq(staff.id, groomingVisitLogs.staffId))
-    .where(eq(groomingVisitLogs.petId, petId))
-    .orderBy(desc(groomingVisitLogs.groomedAt))
-    .limit(10);
-
-  const recentGroomingHistory = historyRows.map((r) => ({
-    id: r.id,
-    petId: r.petId,
-    appointmentId: r.appointmentId,
-    staffId: r.staffId,
-    staffName: r.staffName,
-    cutStyle: r.cutStyle,
-    productsUsed: r.productsUsed,
-    notes: r.notes,
-    groomedAt: r.groomedAt?.toISOString() ?? null,
-    createdAt: r.createdAt?.toISOString() ?? null,
-  }));
-
-  const lastVisitDate = historyRows[0]?.groomedAt?.toISOString() ?? null;
-
-  // Completed appointment count for this pet
-  const [{ count: visitCount }] = await db
-    .select({ count: sql<number>`count(*)::int` })
-    .from(appointments)
-    .where(and(eq(appointments.petId, petId), eq(appointments.status, "completed")));
-
-  // Upcoming appointment: next scheduled or confirmed
-  const [nextAppt] = await db
-    .select({
-      id: appointments.id,
-      serviceId: appointments.serviceId,
-      staffId: appointments.staffId,
-      startTime: appointments.startTime,
-      endTime: appointments.endTime,
-      status: appointments.status,
-      serviceName: services.name,
-      staffName: staff.name,
-    })
-    .from(appointments)
-    .leftJoin(services, eq(services.id, appointments.serviceId))
-    .leftJoin(staff, eq(staff.id, appointments.staffId))
-    .where(
-      and(
-        eq(appointments.petId, petId),
-        or(eq(appointments.status, "scheduled"), eq(appointments.status, "confirmed")),
-        gte(appointments.startTime, new Date())
-      )
-    )
-    .orderBy(appointments.startTime)
-    .limit(1);
-
-  const upcomingAppointment = nextAppt
-    ? {
-        id: nextAppt.id,
-        serviceId: nextAppt.serviceId,
-        serviceName: nextAppt.serviceName,
-        staffId: nextAppt.staffId,
-        staffName: nextAppt.staffName,
-        startTime: nextAppt.startTime?.toISOString() ?? null,
-        endTime: nextAppt.endTime?.toISOString() ?? null,
-        status: nextAppt.status,
-      }
-    : null;
-
-  return c.json({
-    ...row,
-    recentGroomingHistory,
-    lastVisitDate,
-    visitCount,
-    upcomingAppointment,
-  });
-});

packages/db/src/factories.ts

@@ -105,6 +105,10 @@ export function buildPet(overrides: Partial<PetRow> & { clientId: string }): Pet
     photoKey: null,
     photoUploadedAt: null,
     image: null,
+    temperamentScore: null,
+    temperamentFlags: [],
+    medicalAlerts: [],
+    preferredCuts: [],
     createdAt: new Date("2025-01-01T00:00:00Z"),
     updatedAt: new Date("2025-01-01T00:00:00Z"),
   };

packages/db/src/index.ts

@@ -12,7 +12,7 @@ export function getDb() {
   if (_db) return _db;
   const url = process.env.DATABASE_URL;
   if (!url) throw new Error("DATABASE_URL is not set");
-  const client = postgres(url, { max: 10 });
+  const client = postgres(url, { max: 10, connect_timeout: 5 });
   _db = drizzle(client, { schema });
   return _db;
 }

packages/db/src/schema.ts

@@ -11,6 +11,7 @@ import {
   unique,
   uuid,
 } from "drizzle-orm/pg-core";
+import type { MedicalAlert } from "@groombook/types";
 
 // ─── Enums ────────────────────────────────────────────────────────────────────
 
@@ -164,6 +165,10 @@ export const pets = pgTable(
     specialCareNotes: text("special_care_notes"),
     coatType: coatTypeEnum("coat_type"),
     petSizeCategory: petSizeCategoryEnum("pet_size_category"),
+    temperamentScore: integer("temperament_score"),
+    temperamentFlags: jsonb("temperament_flags").$type<string[]>().default([]),
+    medicalAlerts: jsonb("medical_alerts").$type<MedicalAlert[]>().default([]),
+    preferredCuts: jsonb("preferred_cuts").$type<string[]>().default([]),
     customFields: jsonb("custom_fields").$type<Record<string, string>>().notNull().default({}),
     photoKey: text("photo_key"),
     photoUploadedAt: timestamp("photo_uploaded_at"),

packages/types/src/index.ts

@@ -225,34 +225,3 @@ export interface MedicalAlert {
 }
 
 export type CoatType = "smooth" | "double" | "curly" | "wire" | "long" | "hairless";
-
-export interface GroomingHistoryEntry {
-  id: string;
-  petId: string;
-  appointmentId: string | null;
-  staffId: string | null;
-  staffName: string | null;
-  cutStyle: string | null;
-  productsUsed: string | null;
-  notes: string | null;
-  groomedAt: string;
-  createdAt: string;
-}
-
-export interface UpcomingAppointment {
-  id: string;
-  serviceId: string;
-  serviceName: string;
-  staffId: string | null;
-  staffName: string | null;
-  startTime: string;
-  endTime: string;
-  status: AppointmentStatus;
-}
-
-export interface PetProfileSummary extends Pet {
-  recentGroomingHistory: GroomingHistoryEntry[];
-  lastVisitDate: string | null;
-  visitCount: number;
-  upcomingAppointment: UpcomingAppointment | null;
-}

src/index.ts

@@ -285,14 +285,16 @@ startReminderScheduler();
 
 function shutdown() {
   console.log("Shutting down gracefully...");
+  // SIGTERM/SIGINT → server.close() → callback → process.exit(0)
+  // If graceful close takes >8s, force-exit to avoid being killed undrained
+  setTimeout(() => {
+    console.error("Graceful close timeout — forcing exit");
+    process.exit(1);
+  }, 8_000);
   server.close(() => {
     console.log("HTTP server closed");
     process.exit(0);
   });
-  setTimeout(() => {
-    console.error("Forced shutdown after timeout");
-    process.exit(1);
-  }, 10_000);
 }
 
 process.on("SIGTERM", shutdown);

src/lib/auth.ts

@@ -186,7 +186,9 @@ export async function initAuth(): Promise<void> {
     const discoveryUrlStr = `${providerConfig.issuerUrl}/.well-known/openid-configuration`;
     let oidcConfig: Record<string, string> = {};
     try {
-      const discoveryRes = await fetch(discoveryUrlStr);
+      const discoveryRes = await fetch(discoveryUrlStr, {
+        signal: AbortSignal.timeout(5000),
+      });
       if (discoveryRes.ok) {
         const discovery = await discoveryRes.json() as {
           authorization_endpoint?: string;

src/middleware/rbac.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "@groombook/db";
+import { and, eq, getDb, sql, staff, account } from "@groombook/db";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -110,6 +110,48 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
       return;
     }
   }
+
+  // Auto-provision for OIDC users: check if jwt.sub has an OAuth/OIDC account
+  // (e.g. authentik). If so, create a groomer staff record on the fly.
+  if (jwt.email) {
+    const [oidcAccount] = await db
+      .select({ id: account.id })
+      .from(account)
+      .where(
+        and(
+          eq(account.userId, jwt.sub),
+          sql`${account.providerId} IN ('authentik', 'google', 'github')`
+        )
+      )
+      .limit(1);
+
+    if (oidcAccount) {
+      // Derive name: prefer jwt.name, fall back to email prefix, then "Unknown"
+      const name =
+        jwt.name?.trim() ||
+        (jwt.email ? jwt.email.split("@")[0] : "Unknown");
+
+      const [newStaff] = await db
+        .insert(staff)
+        .values({
+          userId: jwt.sub,
+          email: jwt.email ?? "",
+          name,
+          role: "groomer",
+          isSuperUser: false,
+          active: true,
+        })
+        .returning();
+
+      console.log(
+        `[rbac] auto-provisioned staff record for OIDC user: ${jwt.sub} -> staff:${newStaff.id} (${name})`
+      );
+      c.set("staff", newStaff);
+      await next();
+      return;
+    }
+  }
+
   return c.json(
     { error: "Forbidden: no staff record found for authenticated user" },
     403

src/routes/admin/seed.ts

@@ -36,6 +36,19 @@ const DEMO_PET = {
   weightKg: "30.00",
 };
 
+const UAT_CLIENT = {
+  name: "UAT Customer",
+  email: "uat-customer@groombook.dev",
+  phone: "555-0100",
+  address: "1 UAT Lane, Test City, CA 90210",
+  status: "active" as const,
+};
+
+const UAT_PETS = [
+  { name: "Bella", species: "Dog", breed: "Poodle", coatType: "curly", weightKg: "20.00" },
+  { name: "Max", species: "Dog", breed: "Labrador Retriever", coatType: "smooth", weightKg: "30.00" },
+];
+
 const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000001", name: "Bath & Brush", description: "Full bath, blow-dry, brush out, and ear cleaning", basePriceCents: 4500, durationMinutes: 45 },
   { id: "b0000001-0000-0000-0000-000000000002", name: "Full Groom — Small", description: "Complete grooming for dogs under 25 lbs", basePriceCents: 6500, durationMinutes: 60 },
@@ -43,7 +56,7 @@ const DEMO_SERVICES = [
   { id: "b0000001-0000-0000-0000-000000000004", name: "Nail Trim", description: "Nail clipping and filing", basePriceCents: 1500, durationMinutes: 15 },
 ];
 
-adminSeedRouter.post("/seed", async (c) => {
+adminSeedRouter.post("/", async (c) => {
   // Refuse to run when AUTH_DISABLED — dev environments use direct-DB seeding
   if (process.env.AUTH_DISABLED === "true") {
     return c.json(
@@ -128,6 +141,51 @@ adminSeedRouter.post("/seed", async (c) => {
     results.push(`Created pet '${DEMO_PET.name}' for Demo Client (id: ${created!.id})`);
   }
 
+  // ── Client: UAT Customer ──────────────────────────────────────────────────
+  const [existingUatClient] = await db
+    .select()
+    .from(clients)
+    .where(eq(clients.email, UAT_CLIENT.email));
+
+  let uatClientId: string;
+  if (existingUatClient) {
+    uatClientId = existingUatClient.id;
+    results.push(`Client '${UAT_CLIENT.name}' already exists (id: ${uatClientId})`);
+  } else {
+    const [created] = await db.insert(clients).values(UAT_CLIENT).returning();
+    uatClientId = created!.id;
+    results.push(`Created client '${UAT_CLIENT.name}' (id: ${uatClientId})`);
+  }
+
+  // ── Pets: UAT Customer's Pets ─────────────────────────────────────────────
+  const existingUatPets = await db
+    .select()
+    .from(pets)
+    .where(eq(pets.clientId, uatClientId));
+
+  for (const uatPet of UAT_PETS) {
+    const existing = existingUatPets.find(
+      (p) => p.name === uatPet.name && p.species === uatPet.species
+    );
+    if (existing) {
+      results.push(`Pet '${uatPet.name}' already exists for UAT Customer (id: ${existing.id})`);
+    } else {
+      const [created] = await db
+        .insert(pets)
+        .values({
+          clientId: uatClientId,
+          name: uatPet.name,
+          species: uatPet.species,
+          breed: uatPet.breed,
+          coatType: uatPet.coatType as any,
+          weightKg: uatPet.weightKg,
+          dateOfBirth: new Date("2019-01-01T00:00:00Z"),
+        })
+        .returning();
+      results.push(`Created pet '${uatPet.name}' for UAT Customer (id: ${created!.id})`);
+    }
+  }
+
   return c.json({
     message: "Seed complete",
     details: results,