docs(UAT_PLAYBOOK.md): add TC-API-8.8/8.9/8.10 for portal pet update

Updated §4.8 — new PATCH /api/portal/pets/:id test cases per GRO-1742.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

UAT_PLAYBOOK.md

@@ -78,10 +78,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-3.13 | Reject too many temperamentFlags | POST /api/pets with 21 temperamentFlags | 400 Bad Request, max 20 flags enforced |
 | TC-API-3.14 | Reject too many preferredCuts | POST /api/pets with 21 preferredCuts | 400 Bad Request, max 20 cuts enforced |
 | TC-API-3.15 | Reject too many medicalAlerts | POST /api/pets with 51 medicalAlerts | 400 Bad Request, max 50 alerts enforced |
-| TC-API-3.16 | Get pet profile summary | GET /api/pets/{id}/profile-summary | 200 OK, aggregated profile with grooming history, visit count, upcoming appointment |
-| TC-API-3.17 | Get pet profile summary — groomer restricted | GET /api/pets/{id}/profile-summary as groomer with no pet linkage | 403 Forbidden |
-| TC-API-3.18 | Get pet profile summary — visitCount returns full count | GET /api/pets/{id}/profile-summary with 2+ completed appointments | visitCount >= 2 (not capped at 1) |
-| TC-API-3.19 | Get pet profile summary — upcomingAppointment excludes past | GET /api/pets/{id}/profile-summary with a past confirmed/scheduled appointment | upcomingAppointment is null (past appointments filtered by startTime >= now) |
 
 ### 4.4 Appointment Scheduling
 
@@ -143,6 +139,9 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 | TC-API-8.5 | Add waitlist entry | POST /api/portal/waitlist with pet and service | 201 Created, waitlist entry created |
 | TC-API-8.6 | View portal invoices | GET /api/portal/invoices | 200 OK, list of client's invoices returned |
 | TC-API-8.7 | Pay multiple invoices | POST /api/portal/invoices/pay-multiple with invoice IDs | 200 OK, payment intent created |
+| TC-API-8.8 | Update pet profile | PATCH /api/portal/pets/{id} with name, breed, groomingNotes | 200 OK, pet updated in portal shape |
+| TC-API-8.9 | Update pet — ownership check | PATCH /api/portal/pets/{id} with session for different client | 403 Forbidden, pet belongs to another client |
+| TC-API-8.10 | Update pet — not found | PATCH /api/portal/pets/{nonexistent-id} | 404 Not Found |
 
 ### 4.9 Waitlist
 

apps/api/src/__tests__/petProfileSummary.test.ts

@@ -1,357 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { Hono } from "hono";
-import type { AppEnv, StaffRow } from "../middleware/rbac.js";
-import { petsRouter } from "../routes/pets.js";
-
-// ─── Mock staff fixtures ──────────────────────────────────────────────────────
-
-const MANAGER: StaffRow = {
-  id: "staff-manager-id",
-  oidcSub: "oidc-manager-sub",
-  userId: null,
-  role: "manager",
-  isSuperUser: true,
-  name: "Manager McManager",
-  email: "manager@example.com",
-  active: true,
-  icalToken: null,
-  createdAt: new Date(),
-  updatedAt: new Date(),
-};
-
-const GROOMER: StaffRow = {
-  id: "staff-groomer-id",
-  oidcSub: "oidc-groomer-sub",
-  userId: null,
-  role: "groomer",
-  isSuperUser: false,
-  name: "Groomer McGroome",
-  email: "groomer@example.com",
-  active: true,
-  icalToken: null,
-  createdAt: new Date(),
-  updatedAt: new Date(),
-};
-
-// ─── Mutable mock state ───────────────────────────────────────────────────────
-
-const CLIENT_ID = "client-uuid-summary";
-const PET_ID = "pet-uuid-summary";
-
-interface MockState {
-  pets: Record<string, unknown>[];
-  appointments: Record<string, unknown>[];
-  groomingLogs: Record<string, unknown>[];
-  staffMembers: Record<string, unknown>[];
-  services: Record<string, unknown>[];
-}
-
-let mock: MockState;
-
-function resetMock() {
-  mock = {
-    pets: [{
-      id: PET_ID,
-      clientId: CLIENT_ID,
-      name: "Biscuit",
-      species: "dog",
-      breed: "Golden Retriever",
-      weightKg: "30.00",
-      dateOfBirth: null,
-      healthAlerts: null,
-      groomingNotes: null,
-      cutStyle: null,
-      shampooPreference: null,
-      specialCareNotes: null,
-      customFields: {},
-      photoKey: null,
-      photoUploadedAt: null,
-      image: null,
-      coatType: "double",
-      temperamentScore: 3,
-      temperamentFlags: ["gentle"],
-      medicalAlerts: [],
-      preferredCuts: ["puppy cut"],
-      createdAt: new Date("2024-01-01"),
-      updatedAt: new Date("2024-01-01"),
-    }],
-    appointments: [
-      {
-        id: "appt-completed-1",
-        clientId: CLIENT_ID,
-        petId: PET_ID,
-        serviceId: "service-1",
-        staffId: "staff-groomer-id",
-        batherStaffId: null,
-        status: "completed",
-        startTime: new Date("2024-06-01T09:00:00Z"),
-        endTime: new Date("2024-06-01T11:00:00Z"),
-        notes: null,
-        priceCents: 6000,
-        seriesId: null,
-        seriesIndex: null,
-        groupId: null,
-        confirmationStatus: "confirmed",
-        confirmedAt: null,
-        cancelledAt: null,
-        confirmationToken: null,
-        customerNotes: null,
-        createdAt: new Date("2024-05-15"),
-        updatedAt: new Date("2024-05-15"),
-      },
-      {
-        id: "appt-upcoming-1",
-        clientId: CLIENT_ID,
-        petId: PET_ID,
-        serviceId: "service-2",
-        staffId: "staff-groomer-id",
-        batherStaffId: null,
-        status: "confirmed",
-        startTime: new Date("2024-12-01T09:00:00Z"),
-        endTime: new Date("2024-12-01T11:00:00Z"),
-        notes: null,
-        priceCents: 6500,
-        seriesId: null,
-        seriesIndex: null,
-        groupId: null,
-        confirmationStatus: "confirmed",
-        confirmedAt: null,
-        cancelledAt: null,
-        confirmationToken: null,
-        customerNotes: null,
-        createdAt: new Date("2024-11-01"),
-        updatedAt: new Date("2024-11-01"),
-      },
-    ],
-    groomingLogs: [
-      {
-        id: "log-1",
-        petId: PET_ID,
-        appointmentId: "appt-completed-1",
-        staffId: "staff-groomer-id",
-        cutStyle: "puppy cut",
-        productsUsed: "oatmeal shampoo",
-        notes: "Trimmed nails",
-        groomedAt: new Date("2024-06-01T10:00:00Z"),
-        createdAt: new Date("2024-06-01T10:00:00Z"),
-      },
-    ],
-    staffMembers: [
-      {
-        id: "staff-groomer-id",
-        name: "Groomer McGroome",
-        email: "groomer@example.com",
-        role: "groomer",
-        isSuperUser: false,
-        active: true,
-        oidcSub: "oidc-groomer-sub",
-        userId: null,
-        icalToken: null,
-        createdAt: new Date(),
-        updatedAt: new Date(),
-      },
-      {
-        id: "staff-manager-id",
-        name: "Manager McManager",
-        email: "manager@example.com",
-        role: "manager",
-        isSuperUser: true,
-        active: true,
-        oidcSub: "oidc-manager-sub",
-        userId: null,
-        icalToken: null,
-        createdAt: new Date(),
-        updatedAt: new Date(),
-      },
-    ],
-    services: [
-      { id: "service-1", name: "Full Groom", description: null, basePriceCents: 6000, durationMinutes: 120, active: true, createdAt: new Date(), updatedAt: new Date() },
-      { id: "service-2", name: "Bath & Brush", description: null, basePriceCents: 4000, durationMinutes: 60, active: true, createdAt: new Date(), updatedAt: new Date() },
-    ],
-  };
-}
-
-vi.mock("../db/index.js", () => {
-  const pets = new Proxy({ _name: "pets" }, { get: (t, p) => p === "_name" ? "pets" : {} });
-  const appointments = new Proxy({ _name: "appointments" }, { get: (t, p) => p === "_name" ? "appointments" : {} });
-  const groomingVisitLogs = new Proxy({ _name: "groomingVisitLogs" }, { get: (t, p) => p === "_name" ? "groomingVisitLogs" : {} });
-  const staff = new Proxy({ _name: "staff" }, { get: (t, p) => p === "_name" ? "staff" : {} });
-  const services = new Proxy({ _name: "services" }, { get: (t, p) => p === "_name" ? "services" : {} });
-
-  function makeChainable(rows: unknown[]) {
-    const arr = rows as unknown[];
-    return new Proxy(arr, {
-      get(target, prop) {
-        if (prop === "where" || prop === "orderBy" || prop === "limit" || prop === "leftJoin" || prop === "from") {
-          return () => makeChainable(target);
-        }
-        if (prop === Symbol.iterator) {
-          return function* () { for (const v of target) yield v; };
-        }
-        // @ts-expect-error proxy
-        return target[prop];
-      },
-    });
-  }
-
-  return {
-    getDb: () => ({
-      select: () => ({
-        from: (table: unknown) => {
-          const name = (table as { _name?: string })._name;
-          if (name === "pets") return makeChainable(mock.pets);
-          if (name === "appointments") return makeChainable(mock.appointments);
-          if (name === "groomingVisitLogs") return makeChainable(mock.groomingLogs);
-          if (name === "staff") return makeChainable(mock.staffMembers);
-          if (name === "services") return makeChainable(mock.services);
-          return makeChainable([]);
-        },
-      }),
-      insert: () => ({ values: () => ({ returning: () => [{}] }) }),
-      update: () => ({ set: () => ({ where: () => ({ returning: () => [{}] }) }) }),
-      delete: () => ({ where: () => ({ returning: () => [{}] }) }),
-    }),
-    pets,
-    appointments,
-    groomingVisitLogs,
-    staff,
-    services,
-    and: vi.fn((a: unknown, b: unknown) => [a, b]),
-    desc: vi.fn((c: unknown) => c),
-    eq: vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val })),
-    exists: vi.fn(() => true),
-    gte: vi.fn((a: unknown, b: unknown) => ({ col: a, val: b })),
-    or: vi.fn((a: unknown, b: unknown) => [a, b]),
-    sql: vi.fn((str: string) => str),
-  };
-});
-
-// ─── Helpers ──────────────────────────────────────────────────────────────────
-
-function makeApp(staff: StaffRow = MANAGER) {
-  const app = new Hono<AppEnv>();
-  app.use("*", async (c, next) => {
-    c.set("staff", staff);
-    await next();
-  });
-  return app.route("/pets", petsRouter);
-}
-
-// ─── Tests ────────────────────────────────────────────────────────────────────
-
-describe("GET /:id/profile-summary", () => {
-  beforeEach(resetMock);
-
-  it("returns 404 for non-existent pet", async () => {
-    const app = makeApp();
-    mock.pets = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(404);
-  });
-
-  it("returns 403 for groomer with no pet linkage", async () => {
-    const app = makeApp(GROOMER);
-    // Groomer has no linkage to this pet's client — clear appointments
-    mock.appointments = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(403);
-  });
-
-  it("returns complete aggregated profile for manager", async () => {
-    const app = makeApp(MANAGER);
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.id).toBe(PET_ID);
-    expect(body.name).toBe("Biscuit");
-    expect(body.species).toBe("dog");
-    expect(body.recentGroomingHistory).toBeInstanceOf(Array);
-    expect(body.lastVisitDate).toBeTruthy();
-    expect(body.visitCount).toBeGreaterThanOrEqual(0);
-  });
-
-  it("groomer with pet linkage returns 200", async () => {
-    const app = makeApp(GROOMER);
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-  });
-
-  it("recentGroomingHistory is limited to 10 entries", async () => {
-    const app = makeApp(MANAGER);
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.recentGroomingHistory.length).toBeLessThanOrEqual(10);
-  });
-
-  it("returns null upcomingAppointment when none scheduled", async () => {
-    const app = makeApp(MANAGER);
-    mock.appointments = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.upcomingAppointment).toBeNull();
-  });
-});
-
-describe("GET /:id/profile-summary — visitCount", () => {
-  beforeEach(resetMock);
-
-  it("returns visitCount >= 2 when pet has 2+ completed appointments", async () => {
-    const app = makeApp(MANAGER);
-    // Add a second completed appointment
-    mock.appointments = [
-      ...mock.appointments,
-      {
-        id: "appt-completed-2",
-        clientId: CLIENT_ID,
-        petId: PET_ID,
-        serviceId: "service-1",
-        staffId: "staff-groomer-id",
-        batherStaffId: null,
-        status: "completed",
-        startTime: new Date("2024-07-01T09:00:00Z"),
-        endTime: new Date("2024-07-01T11:00:00Z"),
-        notes: null,
-        priceCents: 6000,
-        seriesId: null,
-        seriesIndex: null,
-        groupId: null,
-        confirmationStatus: "confirmed",
-        confirmedAt: null,
-        cancelledAt: null,
-        confirmationToken: null,
-        customerNotes: null,
-        createdAt: new Date("2024-06-15"),
-        updatedAt: new Date("2024-06-15"),
-      },
-    ];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.visitCount).toBeGreaterThanOrEqual(2);
-  });
-
-  it("returns visitCount = 0 when no completed appointments", async () => {
-    const app = makeApp(MANAGER);
-    mock.appointments = mock.appointments.map((a) => ({ ...a, status: "cancelled" }));
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.visitCount).toBe(0);
-  });
-});
-
-describe("GET /:id/profile-summary — empty history", () => {
-  beforeEach(resetMock);
-
-  it("returns empty history array when no grooming logs", async () => {
-    const app = makeApp(MANAGER);
-    mock.groomingLogs = [];
-    const res = await app.request(`/pets/${PET_ID}/profile-summary`);
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.recentGroomingHistory).toEqual([]);
-    expect(body.lastVisitDate).toBeNull();
-  });
-});

apps/api/src/routes/pets.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, desc, eq, exists, getDb, gte, groomingVisitLogs, or, pets, appointments, staff, services, sql } from "../db/index.js";
+import { and, eq, exists, getDb, or, pets, appointments } from "../db/index.js";
 import type { AppEnv } from "../middleware/rbac.js";
 import {
   getPresignedUploadUrl,
@@ -283,133 +283,3 @@ petsRouter.get("/:petId/photo", async (c) => {
   const url = await getPresignedGetUrl(pet.photoKey);
   return c.json({ url, photoKey: pet.photoKey, photoUploadedAt: pet.photoUploadedAt });
 });
-
-// ─── Profile Summary ───────────────────────────────────────────────────────────
-
-async function groomerLinkageCheck(
-  db: ReturnType<typeof getDb>,
-  clientId: string,
-  staffRow: NonNullable<AppEnv["Variables"]["staff"]>
-): Promise<boolean> {
-  const [linkage] = await db
-    .select({ id: appointments.id })
-    .from(appointments)
-    .where(
-      and(
-        eq(appointments.clientId, clientId),
-        or(
-          eq(appointments.staffId, staffRow.id),
-          eq(appointments.batherStaffId, staffRow.id)
-        )
-      )
-    )
-    .limit(1);
-  return !!linkage;
-}
-
-/**
- * GET /:id/profile-summary
- * Returns aggregated profile: basic pet fields + grooming history + visit stats + upcoming appointment.
- * Groomer RBAC: same visibility rules as GET /:id.
- */
-petsRouter.get("/:id/profile-summary", async (c) => {
-  const db = getDb();
-  const petId = c.req.param("id");
-  const staffRow = c.get("staff");
-  const isGroomer = staffRow?.role === "groomer";
-
-  const [row] = await db.select().from(pets).where(eq(pets.id, petId));
-  if (!row) return c.json({ error: "Not found" }, 404);
-
-  if (isGroomer) {
-    const hasLinkage = await groomerLinkageCheck(db, row.clientId, staffRow);
-    if (!hasLinkage) return c.json({ error: "Forbidden" }, 403);
-  }
-
-  // Recent grooming history: last 10, with staff name join
-  const historyRows = await db
-    .select({
-      id: groomingVisitLogs.id,
-      petId: groomingVisitLogs.petId,
-      appointmentId: groomingVisitLogs.appointmentId,
-      staffId: groomingVisitLogs.staffId,
-      staffName: staff.name,
-      cutStyle: groomingVisitLogs.cutStyle,
-      productsUsed: groomingVisitLogs.productsUsed,
-      notes: groomingVisitLogs.notes,
-      groomedAt: groomingVisitLogs.groomedAt,
-      createdAt: groomingVisitLogs.createdAt,
-    })
-    .from(groomingVisitLogs)
-    .leftJoin(staff, eq(staff.id, groomingVisitLogs.staffId))
-    .where(eq(groomingVisitLogs.petId, petId))
-    .orderBy(desc(groomingVisitLogs.groomedAt))
-    .limit(10);
-
-  const recentGroomingHistory = historyRows.map((r) => ({
-    id: r.id,
-    petId: r.petId,
-    appointmentId: r.appointmentId,
-    staffId: r.staffId,
-    staffName: r.staffName,
-    cutStyle: r.cutStyle,
-    productsUsed: r.productsUsed,
-    notes: r.notes,
-    groomedAt: r.groomedAt?.toISOString() ?? null,
-    createdAt: r.createdAt?.toISOString() ?? null,
-  }));
-
-  const lastVisitDate = historyRows[0]?.groomedAt?.toISOString() ?? null;
-
-  // Completed appointment count for this pet
-  const [{ count: visitCount }] = await db
-    .select({ count: sql<number>`count(*)::int` })
-    .from(appointments)
-    .where(and(eq(appointments.petId, petId), eq(appointments.status, "completed")));
-
-  // Upcoming appointment: next scheduled or confirmed
-  const [nextAppt] = await db
-    .select({
-      id: appointments.id,
-      serviceId: appointments.serviceId,
-      staffId: appointments.staffId,
-      startTime: appointments.startTime,
-      endTime: appointments.endTime,
-      status: appointments.status,
-      serviceName: services.name,
-      staffName: staff.name,
-    })
-    .from(appointments)
-    .leftJoin(services, eq(services.id, appointments.serviceId))
-    .leftJoin(staff, eq(staff.id, appointments.staffId))
-    .where(
-      and(
-        eq(appointments.petId, petId),
-        or(eq(appointments.status, "scheduled"), eq(appointments.status, "confirmed")),
-        gte(appointments.startTime, new Date())
-      )
-    )
-    .orderBy(appointments.startTime)
-    .limit(1);
-
-  const upcomingAppointment = nextAppt
-    ? {
-        id: nextAppt.id,
-        serviceId: nextAppt.serviceId,
-        serviceName: nextAppt.serviceName,
-        staffId: nextAppt.staffId,
-        staffName: nextAppt.staffName,
-        startTime: nextAppt.startTime?.toISOString() ?? null,
-        endTime: nextAppt.endTime?.toISOString() ?? null,
-        status: nextAppt.status,
-      }
-    : null;
-
-  return c.json({
-    ...row,
-    recentGroomingHistory,
-    lastVisitDate,
-    visitCount,
-    upcomingAppointment,
-  });
-});

packages/db/src/index.ts

@@ -12,7 +12,7 @@ export function getDb() {
   if (_db) return _db;
   const url = process.env.DATABASE_URL;
   if (!url) throw new Error("DATABASE_URL is not set");
-  const client = postgres(url, { max: 10 });
+  const client = postgres(url, { max: 10, connect_timeout: 5 });
   _db = drizzle(client, { schema });
   return _db;
 }

packages/types/src/index.ts

@@ -225,34 +225,3 @@ export interface MedicalAlert {
 }
 
 export type CoatType = "smooth" | "double" | "curly" | "wire" | "long" | "hairless";
-
-export interface GroomingHistoryEntry {
-  id: string;
-  petId: string;
-  appointmentId: string | null;
-  staffId: string | null;
-  staffName: string | null;
-  cutStyle: string | null;
-  productsUsed: string | null;
-  notes: string | null;
-  groomedAt: string;
-  createdAt: string;
-}
-
-export interface UpcomingAppointment {
-  id: string;
-  serviceId: string;
-  serviceName: string;
-  staffId: string | null;
-  staffName: string | null;
-  startTime: string;
-  endTime: string;
-  status: AppointmentStatus;
-}
-
-export interface PetProfileSummary extends Pet {
-  recentGroomingHistory: GroomingHistoryEntry[];
-  lastVisitDate: string | null;
-  visitCount: number;
-  upcomingAppointment: UpcomingAppointment | null;
-}

src/__tests__/portal.test.ts

@@ -4,6 +4,7 @@ import { Hono } from "hono";
 const CLIENT_ID = "550e8400-e29b-41d4-a716-446655440001";
 const APPOINTMENT_ID = "660e8400-e29b-41d4-a716-446655440002";
 const SESSION_ID = "770e8400-e29b-41d4-a716-446655440003";
+const PET_ID = "880e8400-e29b-41d4-a716-446655440004";
 
 const futureDate = () => new Date(Date.now() + 30 * 60 * 1000);
 const pastDate = () => new Date(Date.now() - 5 * 60 * 1000);
@@ -37,13 +38,38 @@ const APPOINTMENT = {
   cancelledAt: null,
 };
 
+const PET = {
+  id: PET_ID,
+  clientId: CLIENT_ID,
+  name: "Fido",
+  species: "dog",
+  breed: "Labrador",
+  weightKg: "30.00",
+  dateOfBirth: null,
+  healthAlerts: null,
+  groomingNotes: null,
+  cutStyle: null,
+  shampooPreference: null,
+  specialCareNotes: null,
+  coatType: null,
+  petSizeCategory: null,
+  customFields: {},
+  photoKey: null,
+  photoUploadedAt: null,
+  image: null,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
 let selectSessionRow: Record<string, unknown> | null = null;
 let selectAppointmentRow: Record<string, unknown> | null = null;
+let selectPetRow: Record<string, unknown> | null = null;
 let updatedValues: Record<string, unknown>[] = [];
 
 function resetMock() {
   selectSessionRow = null;
   selectAppointmentRow = null;
+  selectPetRow = null;
   updatedValues = [];
 }
 
@@ -62,6 +88,8 @@ vi.mock("@groombook/db", () => {
     return chain;
   }
 
+  let activeUpdateTable: string | null = null;
+
   const impersonationSessions = new Proxy(
     { _name: "impersonationSessions" },
     { get: (t, p) => (p === "_name" ? "impersonationSessions" : { table: "impersonationSessions", column: p }) }
@@ -72,6 +100,16 @@ vi.mock("@groombook/db", () => {
     { get: (t, p) => (p === "_name" ? "appointments" : { table: "appointments", column: p }) }
   );
 
+  const pets = new Proxy(
+    { _name: "pets" },
+    { get: (t, p) => (p === "_name" ? "pets" : { table: "pets", column: p }) }
+  );
+
+  const impersonationAuditLogs = new Proxy(
+    { _name: "impersonationAuditLogs" },
+    { get: (t, p) => (p === "_name" ? "impersonationAuditLogs" : { table: "impersonationAuditLogs", column: p }) }
+  );
+
   return {
     getDb: () => ({
       select: () => ({
@@ -82,26 +120,44 @@ vi.mock("@groombook/db", () => {
           if (table._name === "appointments") {
             return makeChainable(selectAppointmentRow ? [selectAppointmentRow] : []);
           }
+          if (table._name === "pets") {
+            return makeChainable(selectPetRow ? [selectPetRow] : []);
+          }
           return makeChainable([]);
         },
       }),
-      update: () => ({
-        set: (vals: Record<string, unknown>) => ({
-          where: () => ({
-            returning: () => {
-              if (selectAppointmentRow) {
-                const updated = { ...selectAppointmentRow, ...vals };
-                updatedValues.push(vals);
-                return [updated];
-              }
-              return [];
-            },
-          }),
+      insert: () => ({
+        values: () => ({
+          returning: () => [{}],
         }),
       }),
+      update: (table: { _name: string }) => {
+        activeUpdateTable = table._name;
+        return {
+          set: (vals: Record<string, unknown>) => ({
+            where: () => ({
+              returning: () => {
+                if (activeUpdateTable === "appointments" && selectAppointmentRow) {
+                  const updated = { ...selectAppointmentRow, ...vals };
+                  updatedValues.push(vals);
+                  return [updated];
+                }
+                if (activeUpdateTable === "pets" && selectPetRow) {
+                  const updated = { ...selectPetRow, ...vals };
+                  updatedValues.push(vals);
+                  return [updated];
+                }
+                return [];
+              },
+            }),
+          }),
+        };
+      },
     }),
     impersonationSessions,
     appointments,
+    pets,
+    impersonationAuditLogs,
     eq: vi.fn(),
     and: vi.fn(),
   };
@@ -420,4 +476,81 @@ describe("POST /portal/appointments/:id/cancel", () => {
     );
     expect(res.status).toBe(404);
   });
+});
+
+// ─── PATCH /portal/pets/:id ───────────────────────────────────────────────────
+
+function jsonPetPatch(path: string, body: unknown, headers?: Record<string, string>) {
+  return app.request(path, {
+    method: "PATCH",
+    headers: {
+      "Content-Type": "application/json",
+      ...headers,
+    },
+    body: JSON.stringify(body),
+  });
+}
+
+describe("PATCH /portal/pets/:id", () => {
+  it("updates a pet and returns the updated pet in portal shape", async () => {
+    selectSessionRow = ACTIVE_SESSION;
+    selectPetRow = { ...PET, dateOfBirth: new Date("2020-01-15"), photoKey: "pets/test.jpg" };
+    const res = await jsonPetPatch(
+      `/portal/pets/${PET_ID}`,
+      { name: "Fido Jr.", groomingNotes: "Needs extra brushing" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body).toHaveProperty("id");
+    expect(body).toHaveProperty("name", "Fido Jr.");
+    expect(body).toHaveProperty("notes", "Needs extra brushing");
+    expect(body).toHaveProperty("breed");
+    expect(body).toHaveProperty("photoUrl");
+    expect(body).not.toHaveProperty("clientId");
+    expect(body).not.toHaveProperty("customFields");
+  });
+
+  it("returns 401 without X-Impersonation-Session-Id header", async () => {
+    const res = await jsonPetPatch(`/portal/pets/${PET_ID}`, { name: "Test" });
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 401 with expired session", async () => {
+    selectSessionRow = EXPIRED_SESSION;
+    const res = await jsonPetPatch(
+      `/portal/pets/${PET_ID}`,
+      { name: "Test" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 403 when pet belongs to a different client", async () => {
+    selectSessionRow = { ...ACTIVE_SESSION, clientId: "different-client-id" };
+    selectPetRow = { ...PET };
+    const res = await jsonPetPatch(
+      `/portal/pets/${PET_ID}`,
+      { name: "Hacked" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.error).toBe("Forbidden");
+  });
+
+  it("returns 404 when pet not found", async () => {
+    selectSessionRow = ACTIVE_SESSION;
+    selectPetRow = null;
+    const res = await jsonPetPatch(
+      `/portal/pets/nonexistent-id`,
+      { name: "Ghost" },
+      { "X-Impersonation-Session-Id": SESSION_ID }
+    );
+    expect(res.status).toBe(404);
+  });
 });

src/index.ts

@@ -285,14 +285,16 @@ startReminderScheduler();
 
 function shutdown() {
   console.log("Shutting down gracefully...");
+  // SIGTERM/SIGINT → server.close() → callback → process.exit(0)
+  // If graceful close takes >8s, force-exit to avoid being killed undrained
+  setTimeout(() => {
+    console.error("Graceful close timeout — forcing exit");
+    process.exit(1);
+  }, 8_000);
   server.close(() => {
     console.log("HTTP server closed");
     process.exit(0);
   });
-  setTimeout(() => {
-    console.error("Forced shutdown after timeout");
-    process.exit(1);
-  }, 10_000);
 }
 
 process.on("SIGTERM", shutdown);

src/lib/auth.ts

@@ -186,7 +186,9 @@ export async function initAuth(): Promise<void> {
     const discoveryUrlStr = `${providerConfig.issuerUrl}/.well-known/openid-configuration`;
     let oidcConfig: Record<string, string> = {};
     try {
-      const discoveryRes = await fetch(discoveryUrlStr);
+      const discoveryRes = await fetch(discoveryUrlStr, {
+        signal: AbortSignal.timeout(5000),
+      });
       if (discoveryRes.ok) {
         const discovery = await discoveryRes.json() as {
           authorization_endpoint?: string;

src/routes/portal.ts

@@ -152,6 +152,67 @@ portalRouter.get("/pets", async (c) => {
   return c.json(clientPets.map(p => ({ id: p.id, name: p.name, breed: p.breed, weight: p.weightKg, birthDate: p.dateOfBirth, photoUrl: p.photoKey, notes: p.groomingNotes })));
 });
 
+const portalUpdatePetSchema = z.object({
+  name: z.string().min(1).max(200).optional(),
+  species: z.string().min(1).max(100).optional(),
+  breed: z.string().max(200).optional(),
+  weightKg: z.number().positive().optional(),
+  dateOfBirth: z.string().datetime().optional(),
+  healthAlerts: z.string().max(2000).optional(),
+  groomingNotes: z.string().max(2000).optional(),
+  cutStyle: z.string().max(500).optional(),
+  shampooPreference: z.string().max(500).optional(),
+  specialCareNotes: z.string().max(2000).optional(),
+  customFields: z.record(z.string(), z.string()).optional(),
+  petSizeCategory: z.enum(["small", "medium", "large", "extra_large"]).optional(),
+  coatType: z.enum(["short", "medium", "long", "double", "wire", "silky", "curly", "hairless"]).optional(),
+});
+
+portalRouter.patch(
+  "/pets/:id",
+  zValidator("json", portalUpdatePetSchema),
+  async (c) => {
+    const db = getDb();
+    const petId = c.req.param("id");
+    const clientId = c.get("portalClientId");
+    const body = c.req.valid("json");
+
+    const [existing] = await db
+      .select()
+      .from(pets)
+      .where(eq(pets.id, petId))
+      .limit(1);
+
+    if (!existing) return c.json({ error: "Not found" }, 404);
+    if (existing.clientId !== clientId) return c.json({ error: "Forbidden" }, 403);
+
+    const { weightKg, dateOfBirth, customFields, ...rest } = body;
+    const [updated] = await db
+      .update(pets)
+      .set({
+        ...rest,
+        weightKg: weightKg?.toString(),
+        dateOfBirth: dateOfBirth ? new Date(dateOfBirth) : undefined,
+        ...(customFields !== undefined ? { customFields } : {}),
+        updatedAt: new Date(),
+      })
+      .where(eq(pets.id, petId))
+      .returning();
+
+    if (!updated) return c.json({ error: "Not found" }, 404);
+
+    return c.json({
+      id: updated.id,
+      name: updated.name,
+      breed: updated.breed,
+      weight: updated.weightKg,
+      birthDate: updated.dateOfBirth,
+      photoUrl: updated.photoKey,
+      notes: updated.groomingNotes,
+    });
+  }
+);
+
 portalRouter.get("/invoices", async (c) => {
   const db = getDb();
   const clientId = c.get("portalClientId");