Merge dev into uat: promote GRO-2156 route travel buffer + reorder (Phase 2.2)

Resolves UAT_PLAYBOOK.md conflict by unioning uat-only TC-UAT-2/3 (GRO-2100)
with dev's §4.16 update + new §4.17. Code files taken from dev (superset).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

UAT_PLAYBOOK.md

@@ -165,6 +165,8 @@ Geocoding turns a client's street address into `latitude`/`longitude` + `geocode
 | TC-API-3.19b | Get pet profile summary — customer cross-tenant blocked (GRO-2013) | Sign in as `uat-customer@groombook.dev`; reuse the customer's sessionId from TC-API-3.19a; `GET /api/pets/{otherClientPetId}/profile-summary` for a pet owned by a different client (`c0000002-...` or any non-customer pet) | 403 Forbidden (owner-bypass requires session.clientId === pet.clientId) |
 | TC-API-3.19c | Get pet profile summary — customer without portal session header | Same as TC-API-3.19a but omit the `X-Impersonation-Session-Id` header | 403 Forbidden (no owner-bypass without valid portal session) |
 | TC-API-3.19d | Get pet profile summary — owner-bypass writes audit row (GRO-2063) | Same setup as TC-API-3.19a (sign in as `uat-customer@groombook.dev`, establish a portal session for the customer's own clientId, call `GET /api/pets/{ownPetId}/profile-summary` with `X-Impersonation-Session-Id: {sessionId}` and a 200 OK response). Then call `GET /api/impersonation/sessions/{sessionId}/audit-log` and confirm there is exactly one entry with `action === "read_profile_summary"`, `pageVisited` matching the profile-summary path, and `metadata` containing `petId` and `actorStaffId` for the customer. Repeat TC-API-3.19b (cross-tenant attempt) and confirm NO new `read_profile_summary` row was written for the cross-tenant attempt. | 200 OK on the profile-summary call AND an audit log entry is present with the correct shape (defense-in-depth audit row; bypass attempts against other clients must NOT log) |
+| TC-UAT-2 | Groomer accesses linked pet profile summary (GRO-2100) | Sign in as `uat-groomer@groombook.dev`; `GET /api/pets/c0000001-0000-0000-0000-000000000002/profile-summary` (UAT Pup Alpha — linked via deterministic completed appointment `a0000001-0000-0000-0000-000000000001`, service `b0000001-…-0001` "Bath & Brush", `startTime` ~7 days ago) | 200 OK, `recentGroomingHistory[]` non-empty (>=1 entry), `visitCount >= 1`, `upcomingAppointment` null (the seeded appointment is in the past) |
+| TC-UAT-3 | Groomer blocked from unlinked pet profile summary (GRO-2100) | Sign in as `uat-groomer@groombook.dev`; `GET /api/pets/c0000001-0000-0000-0000-000000000003/profile-summary` (UAT Pup Beta — intentionally UNLINKED; no appointment row references this pet's clientId+groomerId combo) | 403 Forbidden (RBAC `groomer` role lacks the appointment-linkage grant for this pet). NOTE: if 404 is returned instead of 403, file a separate RBAC defect (not against the seed) — see GRO-2100 verification note |
 | TC-API-3.29 | Get pet profile summary — unknown UUID returns 404 (GRO-2014) | GET /api/pets/00000000-0000-0000-0000-000000000001/profile-summary while authenticated (any role) | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014) |
 | TC-API-3.30 | Get pet profile summary — malformed UUID returns 404 (GRO-2014) | GET /api/pets/not-a-uuid/profile-summary while authenticated | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014 — Postgres uuid cast failure) |
 | TC-API-3.31 | Get pet profile summary — never empty-body 500 (GRO-2014) | GET /api/pets/{anyId}/profile-summary across the test sweep | No response has status 500 with an empty body. Any 500 must include a JSON body `{"error":"Internal Server Error"}` |
@@ -282,8 +284,6 @@ This means:
 | TC-API-8.14 | Portal pet update — non-owner blocked (GRO-2187) | `PATCH /api/portal/pets/{petId}` for a pet owned by a different client, using another client's portal session | 403 Forbidden (or 404 if pet id is unknown); no mutation persisted |
 | TC-API-8.15 | Portal pet update — invalid enum rejected (GRO-2187) | `PATCH /api/portal/pets/{petId}` with `coatType: "fluffy"` or `petSizeCategory: "gigantic"` | 422 Unprocessable Entity; pet unchanged |
 | TC-API-8.16 | Portal pet update — malformed (non-UUID) petId returns 404 (GRO-2203) | With a valid portal session, `PATCH /api/portal/pets/not-a-uuid` with header `X-Impersonation-Session-Id` and body `{"coatType":"short"}` | 404 Not Found with body `{"error":"Not found"}` (was an unhandled 500 from the Postgres uuid cast in GRO-2203; mirrors the GRO-2014 guard). No mutation persisted |
-| TC-API-8.17 | SSO portal session slides on activity (GRO-2234) | Establish a portal session (TC-API-8.8). Note the returned `sessionId`. Make any authenticated portal call (e.g. `GET /api/portal/me`) several times spaced over ≥1 minute, each with `X-Impersonation-Session-Id: {sessionId}`. | Every call returns 200; the session's `expiresAt` is extended (slid forward to ~30 min from each request) so the session stays valid during continuous use — it does NOT lapse mid-session. SSO-bridge sessions mint with a 30-min idle TTL bounded by an 8h absolute cap from `startedAt`. |
-| TC-API-8.18 | Slow-wizard Book New submit succeeds (GRO-2234) | Establish a portal session (TC-API-8.8). Wait >2 minutes while making at least one intervening authenticated portal call (mimicking the multi-step Book New wizard: pet/service/groomer/date GETs). Then `POST /api/portal/waitlist` with a valid pet+service payload and the same `X-Impersonation-Session-Id`. | 201 Created — the deliberately-paced wizard no longer 401s on submit because activity slid the session forward. (Regression guard for the GRO-2234 "session TTL too short → 401" defect.) |
 
 ### 4.9 Waitlist
 
@@ -363,12 +363,7 @@ This means:
 
 ### 4.16 Route Optimization — Route CRUD + Optimize (GRO-2155, Phase 2.1)
 
-A groomer's daily route is one row per `(staffId, routeDate)` in `groomer_routes`, with ordered `route_stops`. `POST /api/routes/optimize` pulls the day's non-cancelled appointments whose client is geocoded (GRO-2154), orders them (Google Directions `optimizeWaypoints` when a key is configured in `businessSettings.googleMapsApiKey`, else an offline nearest-neighbor heuristic), and persists `stopOrder`, `travelMinsFromPrev`, `travelDistanceKmFromPrev` plus route `totalTravelMins`/`totalDistanceKm`/`optimizedAt`. **Auth: manager (any groomer's route) or groomer (own route only); receptionists have no access.**
-
-**Pre-condition (GRO-2225 — zero-touch; no manual PATCH/geocoding needed).** A fresh UAT reset+seed now provisions a deterministic route cohort, so §4.16 runs directly against seed data:
-- **Groomer:** `uat-groomer@groombook.dev` (staffId `00000000-0000-0000-0000-000000000004`). Resolve its id via `GET /api/staff` or sign in as the groomer and omit `staffId`.
-- **Date:** `2026-09-15` (fixed). On this date the groomer has **12** confirmed appointments: **10 pre-geocoded** clients clustered in the Seattle metro (multi-stop route) + **2 intentionally un-geocoded** clients (exercise the skip-and-surface path, TC-API-16.4). Cohort clients are named `Route Demo — …` (emails `route-client-NN@uat.groombook.dev`).
-- **Receptionist (TC-API-16.9 403):** sign in as `uat-receptionist@groombook.dev` (password from the `seed-uat-passwords` secret, key `SEED_UAT_RECEPTIONIST_PASSWORD`) — a standing receptionist login; no hand-built session required.
+A groomer's daily route is one row per `(staffId, routeDate)` in `groomer_routes`, with ordered `route_stops`. `POST /api/routes/optimize` pulls the day's non-cancelled appointments whose client is geocoded (GRO-2154), orders them (Google Directions `optimizeWaypoints` when a key is configured in `businessSettings.googleMapsApiKey`, else an offline nearest-neighbor heuristic), and persists `stopOrder`, `travelMinsFromPrev`, `travelDistanceKmFromPrev` plus route `totalTravelMins`/`totalDistanceKm`/`optimizedAt`. **Auth: manager (any groomer's route) or groomer (own route only); receptionists have no access.** Pre-condition: at least one geocoded client with appointments on the target date for the staff member (use §4.2 geocoding + a seed groomer).
 
 | # | Scenario | Steps | Expected |
 |---|----------|-------|----------|
@@ -406,29 +401,6 @@ Builds on §4.16. After optimization each consecutive leg carries a travel `buff
 | TC-API-17.7 | Reorder invalid routeId | `PATCH /api/routes/not-a-uuid/reorder` | 400 `{ error: "routeId must be a UUID" }` |
 | TC-API-17.8 | Groomer cannot reorder another's route | As groomer, reorder a route owned by a different groomer | 403 Forbidden (`groomers may only access their own route`) |
 
-### 4.18 Route Optimization — Navigation Export (GRO-2157, Phase 2.3)
-
-Builds on §4.16/§4.17. Two read-only endpoints turn an optimized route into a native-navigation deep-link URL the frontend opens on the groomer's phone:
-
-- `GET /api/routes/:routeId/export/google-maps` → Google Maps URLs API link (`https://www.google.com/maps/dir/?api=1&travelmode=driving&origin=…&destination=…&waypoints=…`)
-- `GET /api/routes/:routeId/export/apple-maps` → Apple Maps URL scheme (`maps://?saddr=…&daddr=<first>+to:<next>…&dirflg=d`)
-
-Both use the stops' stored `latitude`/`longitude` in `stopOrder`: **origin = first stop, destination = last stop, the rest are ordered intermediate waypoints**. Each response body is `{ platform, url, stopCount, waypointCount }` where `waypointCount` = stops minus origin and destination. Waypoint limits are validated per platform: **Google Maps ≤ 9**, **Apple Maps ≤ 15** intermediate waypoints; over-limit routes return 400. **Auth: manager (any route) or groomer (own route only); receptionists have no access.**
-
-| ID | Scenario | Steps | Expected |
-|----|----------|-------|----------|
-| TC-API-18.1 | Google Maps export of a multi-stop route | As manager, optimize a multi-stop day (§4.16), then `GET /api/routes/{routeId}/export/google-maps` | 200 OK; `platform:"google-maps"`, `url` starts `https://www.google.com/maps/dir/?api=1`, contains `travelmode=driving`, `origin`/`destination` are the first/last stop coords, `waypoints` lists the middle stops in order (pipe-separated). `stopCount` = total stops, `waypointCount` = `stopCount − 2` |
-| TC-API-18.2 | Apple Maps export of a multi-stop route | As manager, `GET /api/routes/{routeId}/export/apple-maps` for the same route | 200 OK; `platform:"apple-maps"`, `url` starts `maps://?saddr=`, `daddr` chains the remaining stops with `+to:`, ends `&dirflg=d`; `stopCount`/`waypointCount` as above |
-| TC-API-18.3 | Single-stop route | Export a route (google-maps and apple-maps) that has exactly one stop | 200 OK; `waypointCount:0`. Google url has `destination` and no `waypoints=`; Apple url is `maps://?daddr=<coord>&dirflg=d` (no `saddr`) |
-| TC-API-18.4 | Empty route rejected | Export a route with no stops (a fresh `draft` route) | 400 `{ error: "route has no stops to export" }` |
-| TC-API-18.5 | Google waypoint limit | Export (google-maps) a route with >11 stops (>9 intermediate waypoints) | 400 with an `error` mentioning Google Maps' limit of 9 |
-| TC-API-18.6 | Apple waypoint limit | Export (apple-maps) a route with >17 stops (>15 intermediate waypoints) | 400 with an `error` mentioning Apple Maps' limit of 15 |
-| TC-API-18.7 | Unknown route | `GET /api/routes/{randomUuid}/export/google-maps` | 404 `{ error: "Route not found" }` |
-| TC-API-18.8 | Invalid routeId | `GET /api/routes/not-a-uuid/export/apple-maps` | 400 `{ error: "routeId must be a UUID" }` |
-| TC-API-18.9 | Groomer exports own route | As **groomer**, export a route owned by self | 200 OK; deep-link returned |
-| TC-API-18.10 | Groomer cannot export another's route | As groomer, export a route owned by a different groomer | 403 Forbidden (`groomers may only access their own route`) |
-| TC-API-18.11 | Receptionist denied | As **receptionist**, export any route | 403 Forbidden (role not permitted) |
-
 ## Pass/Fail Criteria
 
 **Pass:**

packages/db/src/seed.ts

@@ -456,36 +456,6 @@ async function seedUatStaffAccounts(
     }
   }
 
-  // ── Staff: UAT Receptionist (GRO-2225) ──────────────────────────────────────
-  // Standing receptionist staff record so the route-optimization 403 path
-  // (TC-API-16.9: receptionist GET/POST /api/routes → 403) is reproducible
-  // without a hand-built session. The matching Better-Auth credential is
-  // provisioned below from SEED_UAT_RECEPTIONIST_PASSWORD. Created here (gated
-  // on the password env) so the credential loop's staff-link step finds it.
-  if (process.env.SEED_UAT_RECEPTIONIST_PASSWORD) {
-    const UAT_RECEPTIONIST_STAFF_ID = "00000000-0000-0000-0000-000000000099";
-    const [existingReceptionist] = await db
-      .select()
-      .from(schema.staff)
-      .where(eq(schema.staff.email, "uat-receptionist@groombook.dev"))
-      .limit(1);
-
-    if (existingReceptionist) {
-      console.log(`✓ Staff 'UAT Receptionist' already exists — skipping`);
-    } else {
-      await db.insert(schema.staff).values({
-        id: UAT_RECEPTIONIST_STAFF_ID,
-        name: "UAT Receptionist",
-        email: "uat-receptionist@groombook.dev",
-        oidcSub: "uat-receptionist@groombook.dev",
-        role: "receptionist",
-        isSuperUser: false,
-        active: true,
-      });
-      console.log(`✓ Created staff 'UAT Receptionist' (uat-receptionist@groombook.dev)`);
-    }
-  }
-
   // ── Staff: UAT Groomer Personas (SEED_UAT_GROOMER_EMAILS + SEED_UAT_GROOMER_NAMES) ──
   const groomerEmails = process.env.SEED_UAT_GROOMER_EMAILS?.split(",").map((e) => e.trim()).filter(Boolean) ?? [];
   const groomerNames = process.env.SEED_UAT_GROOMER_NAMES?.split(",").map((n) => n.trim()).filter(Boolean) ?? [];
@@ -525,8 +495,6 @@ async function seedUatStaffAccounts(
     { email: "uat-groomer@groombook.dev", name: "UAT Staff Groomer", passwordEnv: "SEED_UAT_GROOMER_PASSWORD", staffEmail: "uat-groomer@groombook.dev" },
     { email: "uat-customer@groombook.dev", name: "UAT Customer", passwordEnv: "SEED_UAT_CUSTOMER_PASSWORD", staffEmail: null },
     { email: "uat-tester@groombook.dev", name: "UAT Tester", passwordEnv: "SEED_UAT_TESTER_PASSWORD", staffEmail: "uat-tester@groombook.dev" },
-    // GRO-2225: standing receptionist login for the route-optimization 403 path (TC-API-16.9).
-    { email: "uat-receptionist@groombook.dev", name: "UAT Receptionist", passwordEnv: "SEED_UAT_RECEPTIONIST_PASSWORD", staffEmail: "uat-receptionist@groombook.dev" },
   ];
 
   for (const acct of uatPasswordAccounts) {
@@ -830,179 +798,6 @@ async function seedUatGroomerLinkage(
   );
 }
 
-// ── GRO-2225: deterministic route-optimization cohort ────────────────────────
-
-/**
- * GRO-2225: seed a deterministic, pre-geocoded client cohort + a fixed-date set
- * of appointments for the UAT groomer so the route-optimization endpoints
- * (`GET /api/routes/daily`, `POST /api/routes/optimize`, UAT §4.16
- * TC-API-16.1…16.11) are exercisable with ZERO manual PATCHing.
- *
- * Design (no live geocoder — UAT has no Google Maps key, provider is
- * nearest_neighbor; coordinates are hand-picked fixtures clustered in the
- * Seattle metro):
- *   - All appointments are on a FIXED calendar date (ROUTE_DATE) and assigned to
- *     the UAT groomer (`uat-groomer@groombook.dev`). The optimize endpoint pulls
- *     non-cancelled appointments in [date 00:00Z, +24h) joined to client coords.
- *   - 10 clients carry deterministic lat/lng → a multi-stop optimized route.
- *   - 2 clients are intentionally left UN-geocoded so the "skipped + surfaced"
- *     path (TC-API-16.5) stays reproducible.
- *
- * Idempotent: clients/pets are upserted by fixed UUID (they are NOT truncated on
- * reset); appointments are upserted by fixed UUID too (they ARE truncated on
- * reset, but the upsert keeps re-runs safe in non-truncating dev/test paths).
- * Skips cleanly when the UAT groomer staff record is absent (e.g. prod/demo or a
- * dev seed without the UAT personas).
- */
-async function seedUatRouteCohort(db: ReturnType<typeof drizzle>): Promise<void> {
-  // Fixed calendar date the UAT playbook hardcodes for §4.16. Times are UTC so
-  // they fall inside the optimize endpoint's [date 00:00Z, +24h) day window.
-  const ROUTE_DATE = "2026-09-15";
-
-  const [uatGroomer] = await db
-    .select({ id: schema.staff.id })
-    .from(schema.staff)
-    .where(eq(schema.staff.email, "uat-groomer@groombook.dev"))
-    .limit(1);
-  if (!uatGroomer) {
-    console.log("✓ GRO-2225: uat-groomer not present — skipping route cohort");
-    return;
-  }
-
-  // Resolve a service for the appointments: prefer Bath & Brush, else any active.
-  const BATH_AND_BRUSH_ID = "b0000001-0000-0000-0000-000000000001";
-  const [bathService] = await db
-    .select({ id: schema.services.id })
-    .from(schema.services)
-    .where(eq(schema.services.id, BATH_AND_BRUSH_ID))
-    .limit(1);
-  let serviceId: string;
-  if (bathService) {
-    serviceId = bathService.id;
-  } else {
-    const [fallback] = await db
-      .select({ id: schema.services.id })
-      .from(schema.services)
-      .where(eq(schema.services.active, true))
-      .limit(1);
-    if (!fallback) {
-      console.warn("⚠ GRO-2225: no active services found — skipping route cohort");
-      return;
-    }
-    serviceId = fallback.id;
-  }
-
-  // Hand-picked fixture coordinates clustered in the Seattle metro. `coords:null`
-  // marks an intentionally un-geocoded client (skip-and-surface path TC-16.5).
-  const cohort: Array<{
-    n: number;
-    name: string;
-    coords: { lat: number; lng: number } | null;
-  }> = [
-    { n: 1, name: "Route Demo — Ada Lovelace", coords: { lat: 47.6097, lng: -122.3331 } },
-    { n: 2, name: "Route Demo — Grace Hopper", coords: { lat: 47.6205, lng: -122.3493 } },
-    { n: 3, name: "Route Demo — Alan Turing", coords: { lat: 47.5990, lng: -122.3300 } },
-    { n: 4, name: "Route Demo — Katherine Johnson", coords: { lat: 47.6150, lng: -122.3200 } },
-    { n: 5, name: "Route Demo — Edsger Dijkstra", coords: { lat: 47.6280, lng: -122.3550 } },
-    { n: 6, name: "Route Demo — Barbara Liskov", coords: { lat: 47.5920, lng: -122.3150 } },
-    { n: 7, name: "Route Demo — Donald Knuth", coords: { lat: 47.6350, lng: -122.3400 } },
-    { n: 8, name: "Route Demo — Margaret Hamilton", coords: { lat: 47.6050, lng: -122.3600 } },
-    { n: 9, name: "Route Demo — Ken Thompson", coords: { lat: 47.6420, lng: -122.3250 } },
-    { n: 10, name: "Route Demo — Radia Perlman", coords: { lat: 47.5880, lng: -122.3450 } },
-    // Intentionally un-geocoded — exercises the skip-and-surface path.
-    { n: 11, name: "Route Demo — Ungeocoded One", coords: null },
-    { n: 12, name: "Route Demo — Ungeocoded Two", coords: null },
-  ];
-
-  // Stagger appointments 45 min apart starting 15:00Z on ROUTE_DATE.
-  const dayStartMs = new Date(`${ROUTE_DATE}T15:00:00.000Z`).getTime();
-  const SLOT_MS = 45 * 60 * 1000;
-
-  let geocodedCount = 0;
-  let ungeocodedCount = 0;
-  for (const c of cohort) {
-    const pad = String(c.n).padStart(2, "0");
-    const clientId = `d0000000-0000-0000-0000-0000000000${pad}`;
-    const petId = `d0000000-0000-0000-0000-0000000001${pad}`;
-    const apptId = `d0000000-0000-0000-0000-0000000002${pad}`;
-    const geocodedAt = c.coords ? new Date(`${ROUTE_DATE}T00:00:00.000Z`) : null;
-
-    await db.insert(schema.clients)
-      .values({
-        id: clientId,
-        name: c.name,
-        email: `route-client-${pad}@uat.groombook.dev`,
-        phone: `(206) 555-01${pad}`,
-        address: `${100 + c.n} Pike Street, Seattle, WA 98101`,
-        status: "active",
-        latitude: c.coords?.lat ?? null,
-        longitude: c.coords?.lng ?? null,
-        geocodedAt,
-      })
-      .onConflictDoUpdate({
-        target: schema.clients.id,
-        set: {
-          name: c.name,
-          address: `${100 + c.n} Pike Street, Seattle, WA 98101`,
-          latitude: c.coords?.lat ?? null,
-          longitude: c.coords?.lng ?? null,
-          geocodedAt,
-        },
-      });
-
-    await db.insert(schema.pets)
-      .values({
-        id: petId,
-        clientId,
-        name: `Route Pup ${c.n}`,
-        species: "Dog",
-        breed: "Mixed",
-        weightKg: "18.00",
-      })
-      .onConflictDoUpdate({
-        target: schema.pets.id,
-        set: { clientId, name: `Route Pup ${c.n}`, species: "Dog" },
-      });
-
-    const startTime = new Date(dayStartMs + (c.n - 1) * SLOT_MS);
-    const endTime = new Date(startTime.getTime() + SLOT_MS);
-    await db.insert(schema.appointments)
-      .values({
-        id: apptId,
-        clientId,
-        petId,
-        serviceId,
-        staffId: uatGroomer.id,
-        batherStaffId: null,
-        status: "confirmed",
-        startTime,
-        endTime,
-        notes: "GRO-2225: deterministic route-optimization cohort appointment.",
-        priceCents: null,
-        confirmationStatus: "confirmed",
-      })
-      .onConflictDoUpdate({
-        target: schema.appointments.id,
-        set: {
-          clientId,
-          petId,
-          serviceId,
-          staffId: uatGroomer.id,
-          status: "confirmed",
-          startTime,
-          endTime,
-        },
-      });
-
-    if (c.coords) geocodedCount++;
-    else ungeocodedCount++;
-  }
-
-  console.log(
-    `✓ GRO-2225: seeded route cohort for ${ROUTE_DATE} — ${geocodedCount} geocoded + ${ungeocodedCount} un-geocoded appointment(s) for uat-groomer (${uatGroomer.id})`,
-  );
-}
-
 // ── Known-users-only seed (prod/demo) ───────────────────────────────────────
 
 /**
@@ -1374,11 +1169,6 @@ async function runSeedBody(
   // the time seedUatStaffAccounts() returns).
   await seedUatGroomerLinkage(db, uatCustomerClientId);
 
-  // GRO-2225: deterministic pre-geocoded route cohort + fixed-date appointments
-  // for the UAT groomer. Must run AFTER services are seeded (it looks up a
-  // service id for the appointments). Skips cleanly if uat-groomer is absent.
-  await seedUatRouteCohort(db);
-
   // ── Clients & Pets ──
   const now = new Date();
   const appointmentsBackDate = new Date(now);

src/__tests__/navigationExport.test.ts

@@ -1,140 +0,0 @@
-import { describe, it, expect } from "vitest";
-import {
-  buildGoogleMapsUrl,
-  buildAppleMapsUrl,
-  buildNavigationUrl,
-  intermediateWaypointCount,
-  GOOGLE_MAPS_MAX_WAYPOINTS,
-  APPLE_MAPS_MAX_WAYPOINTS,
-  type NavigationStop,
-} from "../services/navigationExport.js";
-
-function stops(n: number): NavigationStop[] {
-  return Array.from({ length: n }, (_, i) => ({
-    latitude: 47 + i / 100,
-    longitude: -122 - i / 100,
-    label: `Stop ${i + 1}`,
-  }));
-}
-
-describe("intermediateWaypointCount", () => {
-  it("excludes origin and destination", () => {
-    expect(intermediateWaypointCount(0)).toBe(0);
-    expect(intermediateWaypointCount(1)).toBe(0);
-    expect(intermediateWaypointCount(2)).toBe(0);
-    expect(intermediateWaypointCount(5)).toBe(3);
-  });
-});
-
-describe("buildGoogleMapsUrl", () => {
-  it("rejects an empty route", () => {
-    const r = buildGoogleMapsUrl([]);
-    expect(r).toEqual({ error: "route has no stops to export", status: 400 });
-  });
-
-  it("builds a single-stop link (destination only, no waypoints)", () => {
-    const r = buildGoogleMapsUrl(stops(1));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.platform).toBe("google-maps");
-    expect(r.stopCount).toBe(1);
-    expect(r.waypointCount).toBe(0);
-    expect(r.url).toContain("https://www.google.com/maps/dir/?");
-    expect(r.url).toContain("api=1");
-    expect(r.url).toContain("travelmode=driving");
-    expect(r.url).toContain("origin=47%2C-122");
-    expect(r.url).toContain("destination=47%2C-122");
-    expect(r.url).not.toContain("waypoints=");
-  });
-
-  it("builds origin/destination only for two stops", () => {
-    const r = buildGoogleMapsUrl(stops(2));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.waypointCount).toBe(0);
-    expect(r.url).not.toContain("waypoints=");
-    expect(r.url).toContain("origin=47%2C-122");
-    expect(r.url).toContain("destination=47.01%2C-122.01");
-  });
-
-  it("includes intermediate waypoints in order, pipe-separated", () => {
-    const r = buildGoogleMapsUrl(stops(4));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.stopCount).toBe(4);
-    expect(r.waypointCount).toBe(2);
-    // waypoints param holds stops[1] and stops[2], pipe-joined (encoded %7C)
-    const url = new URL(r.url);
-    expect(url.searchParams.get("origin")).toBe("47,-122");
-    expect(url.searchParams.get("destination")).toBe("47.03,-122.03");
-    expect(url.searchParams.get("waypoints")).toBe(
-      "47.01,-122.01|47.02,-122.02"
-    );
-  });
-
-  it("accepts a route at exactly the waypoint limit", () => {
-    const r = buildGoogleMapsUrl(stops(GOOGLE_MAPS_MAX_WAYPOINTS + 2));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.waypointCount).toBe(GOOGLE_MAPS_MAX_WAYPOINTS);
-  });
-
-  it("rejects a route over the waypoint limit", () => {
-    const r = buildGoogleMapsUrl(stops(GOOGLE_MAPS_MAX_WAYPOINTS + 3));
-    expect("error" in r).toBe(true);
-    if ("error" in r) {
-      expect(r.status).toBe(400);
-      expect(r.error).toContain(`${GOOGLE_MAPS_MAX_WAYPOINTS}`);
-    }
-  });
-});
-
-describe("buildAppleMapsUrl", () => {
-  it("rejects an empty route", () => {
-    const r = buildAppleMapsUrl([]);
-    expect(r).toEqual({ error: "route has no stops to export", status: 400 });
-  });
-
-  it("builds a destination-only link for one stop", () => {
-    const r = buildAppleMapsUrl(stops(1));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.platform).toBe("apple-maps");
-    expect(r.url).toBe("maps://?daddr=47,-122&dirflg=d");
-    expect(r.url).not.toContain("saddr=");
-  });
-
-  it("chains destinations with +to: for multiple stops", () => {
-    const r = buildAppleMapsUrl(stops(3));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.stopCount).toBe(3);
-    expect(r.waypointCount).toBe(1);
-    expect(r.url).toBe(
-      "maps://?saddr=47,-122&daddr=47.01,-122.01+to:47.02,-122.02&dirflg=d"
-    );
-  });
-
-  it("accepts a route at exactly the waypoint limit", () => {
-    const r = buildAppleMapsUrl(stops(APPLE_MAPS_MAX_WAYPOINTS + 2));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.waypointCount).toBe(APPLE_MAPS_MAX_WAYPOINTS);
-  });
-
-  it("rejects a route over the waypoint limit", () => {
-    const r = buildAppleMapsUrl(stops(APPLE_MAPS_MAX_WAYPOINTS + 3));
-    expect("error" in r).toBe(true);
-    if ("error" in r) {
-      expect(r.status).toBe(400);
-      expect(r.error).toContain(`${APPLE_MAPS_MAX_WAYPOINTS}`);
-    }
-  });
-});
-
-describe("buildNavigationUrl", () => {
-  it("dispatches to the google-maps builder", () => {
-    const r = buildNavigationUrl("google-maps", stops(2));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.platform).toBe("google-maps");
-  });
-
-  it("dispatches to the apple-maps builder", () => {
-    const r = buildNavigationUrl("apple-maps", stops(2));
-    if ("error" in r) throw new Error(r.error);
-    expect(r.platform).toBe("apple-maps");
-  });
-});

src/__tests__/portalSessionSliding.test.ts

@@ -1,188 +0,0 @@
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { Hono } from "hono";
-import {
-  validatePortalSession,
-  PORTAL_SESSION_IDLE_TTL_MS,
-  PORTAL_SESSION_MAX_LIFETIME_MS,
-  type PortalEnv,
-} from "../middleware/portalSession.js";
-
-const SESSION_ID = "770e8400-e29b-41d4-a716-446655440003";
-const CLIENT_ID = "550e8400-e29b-41d4-a716-446655440001";
-
-// Mutable test state driven per-case.
-let selectSessionRow: Record<string, unknown> | null = null;
-let sessionUpdates: Record<string, unknown>[] = [];
-
-function resetMock() {
-  selectSessionRow = null;
-  sessionUpdates = [];
-}
-
-vi.mock("@groombook/db", () => {
-  function makeChainable(data: unknown[]): unknown {
-    const arr = [...data];
-    const chain = new Proxy(arr, {
-      get(target, prop) {
-        if (prop === "where" || prop === "orderBy" || prop === "limit") {
-          return () => chain;
-        }
-        // @ts-expect-error proxy index
-        return target[prop];
-      },
-    });
-    return chain;
-  }
-
-  const impersonationSessions = new Proxy(
-    { _name: "impersonationSessions" },
-    { get: (t, p) => (p === "_name" ? "impersonationSessions" : { table: "impersonationSessions", column: p }) }
-  );
-
-  return {
-    getDb: () => ({
-      select: () => ({
-        from: (table: { _name: string }) => {
-          if (table._name === "impersonationSessions") {
-            return makeChainable(selectSessionRow ? [selectSessionRow] : []);
-          }
-          return makeChainable([]);
-        },
-      }),
-      update: () => ({
-        set: (vals: Record<string, unknown>) => {
-          sessionUpdates.push(vals);
-          return { where: () => Promise.resolve(undefined) };
-        },
-      }),
-    }),
-    impersonationSessions,
-    eq: vi.fn(),
-    and: vi.fn(),
-  };
-});
-
-const app = new Hono<PortalEnv>();
-app.use("/portal/*", validatePortalSession);
-app.get("/portal/ping", (c) => c.json({ ok: true, clientId: c.get("portalClientId") }));
-
-function ping(headers?: Record<string, string>) {
-  return app.request("/portal/ping", { method: "GET", headers });
-}
-
-beforeEach(() => resetMock());
-
-describe("validatePortalSession — sliding expiration (GRO-2234)", () => {
-  it("extends an sso-bridge session's expiresAt on each authenticated request", async () => {
-    const now = Date.now();
-    // Session minted ~28 min ago, originally a 30-min idle window: it is still
-    // valid (2 min left) but a slow wizard would otherwise let it lapse.
-    selectSessionRow = {
-      id: SESSION_ID,
-      clientId: CLIENT_ID,
-      status: "active",
-      reason: "sso-bridge",
-      startedAt: new Date(now - 28 * 60 * 1000),
-      expiresAt: new Date(now + 2 * 60 * 1000),
-    };
-
-    const res = await ping({ "X-Impersonation-Session-Id": SESSION_ID });
-    expect(res.status).toBe(200);
-
-    expect(sessionUpdates).toHaveLength(1);
-    const newExpiry = sessionUpdates[0]!.expiresAt as Date;
-    // Slid forward to ~now + 30 min (well past the original 2-min-left window).
-    expect(newExpiry.getTime()).toBeGreaterThan(now + PORTAL_SESSION_IDLE_TTL_MS - 5_000);
-    expect(newExpiry.getTime()).toBeLessThanOrEqual(now + PORTAL_SESSION_IDLE_TTL_MS + 5_000);
-  });
-
-  it("keeps a slow-wizard customer authorized past the original mint TTL", async () => {
-    const now = Date.now();
-    // Original mint window has fully elapsed in wall-clock terms, but the session
-    // was slid forward on the previous request, so it is still valid now.
-    selectSessionRow = {
-      id: SESSION_ID,
-      clientId: CLIENT_ID,
-      status: "active",
-      reason: "sso-bridge",
-      startedAt: new Date(now - 35 * 60 * 1000),
-      expiresAt: new Date(now + 10 * 60 * 1000), // previously slid
-    };
-
-    const res = await ping({ "X-Impersonation-Session-Id": SESSION_ID });
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.clientId).toBe(CLIENT_ID);
-  });
-
-  it("never extends beyond startedAt + MAX_LIFETIME (bounded)", async () => {
-    const now = Date.now();
-    // Session started right at the absolute cap boundary minus a hair.
-    const startedAt = now - (PORTAL_SESSION_MAX_LIFETIME_MS - 5 * 60 * 1000);
-    selectSessionRow = {
-      id: SESSION_ID,
-      clientId: CLIENT_ID,
-      status: "active",
-      reason: "sso-bridge",
-      startedAt: new Date(startedAt),
-      expiresAt: new Date(now + 60 * 1000),
-    };
-
-    const res = await ping({ "X-Impersonation-Session-Id": SESSION_ID });
-    expect(res.status).toBe(200);
-    expect(sessionUpdates).toHaveLength(1);
-    const newExpiry = (sessionUpdates[0]!.expiresAt as Date).getTime();
-    // Capped at startedAt + MAX_LIFETIME, NOT now + IDLE_TTL.
-    expect(newExpiry).toBeLessThanOrEqual(startedAt + PORTAL_SESSION_MAX_LIFETIME_MS + 1_000);
-    expect(newExpiry).toBeGreaterThan(now); // still extends at least a little
-  });
-
-  it("does NOT slide a staff-initiated impersonation session (no regression)", async () => {
-    const now = Date.now();
-    selectSessionRow = {
-      id: SESSION_ID,
-      clientId: CLIENT_ID,
-      status: "active",
-      reason: "manager reviewing booking", // staff-console reason, free text
-      startedAt: new Date(now - 5 * 60 * 1000),
-      expiresAt: new Date(now + 20 * 60 * 1000),
-    };
-
-    const res = await ping({ "X-Impersonation-Session-Id": SESSION_ID });
-    expect(res.status).toBe(200);
-    expect(sessionUpdates).toHaveLength(0);
-  });
-
-  it("still rejects an already-expired session (no resurrection)", async () => {
-    const now = Date.now();
-    selectSessionRow = {
-      id: SESSION_ID,
-      clientId: CLIENT_ID,
-      status: "active",
-      reason: "sso-bridge",
-      startedAt: new Date(now - 40 * 60 * 1000),
-      expiresAt: new Date(now - 60 * 1000), // already lapsed
-    };
-
-    const res = await ping({ "X-Impersonation-Session-Id": SESSION_ID });
-    expect(res.status).toBe(401);
-    expect(sessionUpdates).toHaveLength(0);
-  });
-
-  it("skips the write when the extension is below the slide threshold", async () => {
-    const now = Date.now();
-    // Already slid this minute: expiresAt is essentially now + IDLE_TTL already.
-    selectSessionRow = {
-      id: SESSION_ID,
-      clientId: CLIENT_ID,
-      status: "active",
-      reason: "sso-bridge",
-      startedAt: new Date(now - 2 * 60 * 1000),
-      expiresAt: new Date(now + PORTAL_SESSION_IDLE_TTL_MS - 2_000),
-    };
-
-    const res = await ping({ "X-Impersonation-Session-Id": SESSION_ID });
-    expect(res.status).toBe(200);
-    expect(sessionUpdates).toHaveLength(0);
-  });
-});

src/__tests__/portalWaitlistDuplicate.test.ts

@@ -1,154 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { Hono } from "hono";
-
-// GRO-2235: a duplicate active waitlist entry violates the partial unique index
-// idx_waitlist_active_unique. postgres-js surfaces it as SQLSTATE 23505 — the
-// handler must return a friendly 409, not a generic 500. The first insert still
-// returns 201, and unrelated errors still surface as 500.
-
-const CLIENT_ID = "550e8400-e29b-41d4-a716-446655440001";
-const SESSION_ID = "770e8400-e29b-41d4-a716-446655440003";
-const PET_ID = "880e8400-e29b-41d4-a716-446655440004";
-const SERVICE_ID = "990e8400-e29b-41d4-a716-446655440005";
-
-const futureDate = () => new Date(Date.now() + 30 * 60 * 1000);
-
-const ACTIVE_SESSION = {
-  id: SESSION_ID,
-  clientId: CLIENT_ID,
-  status: "active" as const,
-  reason: "manual",
-  startedAt: new Date(),
-  expiresAt: futureDate(),
-  createdAt: new Date(),
-};
-
-// Behaviour knob for the waitlist insert: "ok" returns a row, "duplicate" throws
-// a postgres-js-shaped unique-violation, "other" throws an unrelated error.
-let waitlistInsertMode: "ok" | "duplicate" | "other" = "ok";
-
-function resetMock() {
-  waitlistInsertMode = "ok";
-}
-
-function tableProxy(name: string) {
-  return new Proxy(
-    { _name: name },
-    { get: (t, p) => (p === "_name" ? name : { table: name, column: p }) }
-  );
-}
-
-vi.mock("@groombook/db", () => {
-  function makeChainable(data: unknown[]): unknown {
-    const arr = [...data];
-    const chain = new Proxy(arr, {
-      get(target, prop) {
-        if (prop === "where" || prop === "orderBy" || prop === "limit") {
-          return () => chain;
-        }
-        // @ts-expect-error proxy
-        return target[prop];
-      },
-    });
-    return chain;
-  }
-
-  const impersonationSessions = tableProxy("impersonationSessions");
-  const waitlistEntries = tableProxy("waitlistEntries");
-  const impersonationAuditLogs = tableProxy("impersonationAuditLogs");
-
-  return {
-    getDb: () => ({
-      select: () => ({
-        from: (table: { _name: string }) => {
-          if (table._name === "impersonationSessions") {
-            return makeChainable([ACTIVE_SESSION]);
-          }
-          return makeChainable([]);
-        },
-      }),
-      insert: (table: { _name: string }) => ({
-        values: (vals: Record<string, unknown>) => ({
-          returning: () => {
-            if (table._name === "waitlistEntries") {
-              if (waitlistInsertMode === "duplicate") {
-                throw Object.assign(new Error("duplicate key value"), { code: "23505" });
-              }
-              if (waitlistInsertMode === "other") {
-                throw Object.assign(new Error("not null violation"), { code: "23502" });
-              }
-              return [{ id: "entry-1", ...vals }];
-            }
-            // impersonationAuditLogs and anything else: succeed silently.
-            return [{ id: "audit-1", ...vals }];
-          },
-        }),
-      }),
-      update: () => ({
-        set: () => ({ where: () => Promise.resolve() }),
-      }),
-    }),
-    impersonationSessions,
-    waitlistEntries,
-    impersonationAuditLogs,
-    appointments: tableProxy("appointments"),
-    clients: tableProxy("clients"),
-    pets: tableProxy("pets"),
-    services: tableProxy("services"),
-    staff: tableProxy("staff"),
-    invoices: tableProxy("invoices"),
-    invoiceLineItems: tableProxy("invoiceLineItems"),
-    eq: vi.fn(),
-    and: vi.fn(),
-    inArray: vi.fn(),
-  };
-});
-
-const { portalRouter } = await import("../routes/portal.js");
-
-const app = new Hono();
-app.route("/portal", portalRouter);
-
-function postWaitlist(body: unknown) {
-  return app.request("/portal/waitlist", {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-Impersonation-Session-Id": SESSION_ID,
-    },
-    body: JSON.stringify(body),
-  });
-}
-
-const VALID_BODY = {
-  petId: PET_ID,
-  serviceId: SERVICE_ID,
-  preferredDate: "2026-07-01",
-  preferredTime: "09:00",
-};
-
-beforeEach(() => resetMock());
-
-describe("POST /portal/waitlist duplicate handling (GRO-2235)", () => {
-  it("returns 201 for the first insert", async () => {
-    waitlistInsertMode = "ok";
-    const res = await postWaitlist(VALID_BODY);
-    expect(res.status).toBe(201);
-  });
-
-  it("returns 409 with a friendly message for a duplicate (23505)", async () => {
-    waitlistInsertMode = "duplicate";
-    const res = await postWaitlist(VALID_BODY);
-    expect(res.status).toBe(409);
-    const json = (await res.json()) as { error: string };
-    expect(json.error).toBe(
-      "You already have a booking for this pet at that date and time."
-    );
-  });
-
-  it("still surfaces unrelated DB errors as 500", async () => {
-    waitlistInsertMode = "other";
-    const res = await postWaitlist(VALID_BODY);
-    expect(res.status).toBe(500);
-  });
-});

src/middleware/portalSession.ts

@@ -8,32 +8,6 @@ export interface PortalEnv {
   };
 }
 
-/**
- * Idle lifetime of an SSO-bridge portal impersonation session. Each authenticated
- * portal request slides `expiresAt` forward to `now + IDLE_TTL`, so an actively-used
- * session (e.g. a customer working through the multi-step Book New wizard) never
- * lapses mid-flow. Matches the staff-console impersonation idle window
- * (SESSION_TIMEOUT_MINUTES in routes/impersonation.ts). (GRO-2234)
- */
-export const PORTAL_SESSION_IDLE_TTL_MS = 30 * 60 * 1000;
-
-/**
- * Absolute cap on a single SSO-bridge portal session's lifetime, measured from
- * `startedAt`. Sliding can never extend a session beyond this bound, keeping the
- * impersonation model bounded regardless of how long a customer keeps the tab
- * active. Deliberately tighter than the previous static 24h mint. (GRO-2234)
- */
-export const PORTAL_SESSION_MAX_LIFETIME_MS = 8 * 60 * 60 * 1000;
-
-/**
- * Minimum extension before we issue a sliding-expiration write. Avoids a DB write
- * on every rapid successive request — at most one slide per minute per session.
- */
-const PORTAL_SESSION_SLIDE_THRESHOLD_MS = 60 * 1000;
-
-/** Reason marker for sessions minted by the Better Auth -> portal bridge. */
-const SSO_BRIDGE_REASON = "sso-bridge";
-
 /**
  * Validates the X-Impersonation-Session-Id header against the impersonationSessions table.
  * Must be applied to all portal routes.
@@ -42,12 +16,6 @@ const SSO_BRIDGE_REASON = "sso-bridge";
  * id = sessionId AND status = 'active', and checks session.expiresAt > new Date().
  * Returns 401 if session is invalid/missing/expired.
  * On success, sets c.set("portalClientId", session.clientId) and c.set("portalSessionId", session.id).
- *
- * Sliding expiration (GRO-2234): for SSO-bridge sessions, each successful request
- * extends `expiresAt` to `now + PORTAL_SESSION_IDLE_TTL_MS`, bounded by
- * `startedAt + PORTAL_SESSION_MAX_LIFETIME_MS`. Staff-initiated impersonation
- * sessions (any other `reason`) are left untouched, preserving their existing
- * console-enforced timeout behavior.
  */
 export const validatePortalSession: MiddlewareHandler<PortalEnv> = async (c, next) => {
   const sessionId = c.req.header("X-Impersonation-Session-Id");
@@ -56,29 +24,16 @@ export const validatePortalSession: MiddlewareHandler<PortalEnv> = async (c, nex
   }
 
   const db = getDb();
-  const now = new Date();
   const [session] = await db
     .select()
     .from(impersonationSessions)
     .where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
     .limit(1);
 
-  if (!session || session.expiresAt <= now) {
+  if (!session || session.expiresAt <= new Date()) {
     return c.json({ error: "Unauthorized" }, 401);
   }
 
-  // Sliding expiration for SSO-bridge portal sessions only (GRO-2234).
-  if (session.reason === SSO_BRIDGE_REASON) {
-    const maxExpiry = session.startedAt.getTime() + PORTAL_SESSION_MAX_LIFETIME_MS;
-    const slidExpiry = Math.min(now.getTime() + PORTAL_SESSION_IDLE_TTL_MS, maxExpiry);
-    if (slidExpiry - session.expiresAt.getTime() >= PORTAL_SESSION_SLIDE_THRESHOLD_MS) {
-      await db
-        .update(impersonationSessions)
-        .set({ expiresAt: new Date(slidExpiry) })
-        .where(eq(impersonationSessions.id, session.id));
-    }
-  }
-
   c.set("portalClientId", session.clientId);
   c.set("portalSessionId", session.id);
   await next();

src/routes/portal.ts

@@ -3,7 +3,7 @@ import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import { eq, inArray } from "@groombook/db";
 import { getDb, appointments, impersonationSessions, waitlistEntries, clients, pets, services, staff, invoices, invoiceLineItems } from "@groombook/db";
-import { validatePortalSession, PORTAL_SESSION_IDLE_TTL_MS } from "../middleware/portalSession.js";
+import { validatePortalSession } from "../middleware/portalSession.js";
 import { portalAudit } from "../middleware/portalAudit.js";
 import type { PortalEnv } from "../middleware/portalSession.js";
 
@@ -129,7 +129,7 @@ portalRouter.post("/session-from-auth", async (c) => {
       staffId,
       clientId: client.id,
       reason: "sso-bridge",
-      expiresAt: new Date(Date.now() + PORTAL_SESSION_IDLE_TTL_MS),
+      expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
     })
     .returning();
 
@@ -596,32 +596,16 @@ portalRouter.post(
     const body = c.req.valid("json");
     const clientId = c.get("portalClientId");
 
-    let entry;
-    try {
-      [entry] = await db
-        .insert(waitlistEntries)
-        .values({
-          clientId,
-          petId: body.petId,
-          serviceId: body.serviceId,
-          preferredDate: body.preferredDate,
-          preferredTime: normalizeTime(body.preferredTime),
-        })
-        .returning();
-    } catch (err) {
-      // An exact duplicate active waitlist entry violates the partial unique
-      // index idx_waitlist_active_unique (client_id, pet_id, service_id,
-      // preferred_date, preferred_time WHERE status='active'). postgres-js
-      // surfaces this as SQLSTATE 23505 — return a friendly 409 rather than a
-      // generic 500 (GRO-2235). Unrelated errors still surface as 500.
-      if ((err as { code?: string })?.code === "23505") {
-        return c.json(
-          { error: "You already have a booking for this pet at that date and time." },
-          409
-        );
-      }
-      throw err;
-    }
+    const [entry] = await db
+      .insert(waitlistEntries)
+      .values({
+        clientId,
+        petId: body.petId,
+        serviceId: body.serviceId,
+        preferredDate: body.preferredDate,
+        preferredTime: normalizeTime(body.preferredTime),
+      })
+      .returning();
 
     return c.json(entry, 201);
   }

src/routes/routes.ts

@@ -1,4 +1,4 @@
-import { Hono, type Context } from "hono";
+import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import {
@@ -24,11 +24,6 @@ import {
   type RouteStopInput,
   type StopConflictFlags,
 } from "../services/routeOptimization.js";
-import {
-  buildNavigationUrl,
-  type NavigationPlatform,
-  type NavigationStop,
-} from "../services/navigationExport.js";
 
 export const routesRouter = new Hono<AppEnv>();
 
@@ -465,65 +460,3 @@ routesRouter.patch(
     });
   }
 );
-
-/**
- * GET /:routeId/export/:platform — build a native-navigation deep-link URL for an
- * optimized route. Origin = first stop, destination = last stop, the rest carried
- * as ordered intermediate waypoints. Waypoint count is validated against the
- * platform's limit. Auth: manager (any route) or groomer (own route only).
- */
-async function handleNavigationExport(
-  c: Context<AppEnv>,
-  platform: NavigationPlatform
-) {
-  const db = getDb();
-  const routeId = c.req.param("routeId");
-  if (!routeId || !z.string().uuid().safeParse(routeId).success) {
-    return c.json({ error: "routeId must be a UUID" }, 400);
-  }
-
-  const [route] = await db
-    .select()
-    .from(groomerRoutes)
-    .where(eq(groomerRoutes.id, routeId));
-  if (!route) {
-    return c.json({ error: "Route not found" }, 404);
-  }
-
-  // Reuse the groomer-own / manager authorization rule against the route owner.
-  const resolved = resolveTargetStaffId(c.get("staff"), route.staffId);
-  if ("error" in resolved) {
-    return c.json({ error: resolved.error }, resolved.status);
-  }
-
-  const stops = await loadRouteStops(db, routeId);
-  if (stops.length === 0) {
-    return c.json({ error: "route has no stops to export" }, 400);
-  }
-
-  const navStops: NavigationStop[] = stops.map((s) => ({
-    latitude: s.latitude,
-    longitude: s.longitude,
-    label: s.clientName,
-  }));
-
-  const result = buildNavigationUrl(platform, navStops);
-  if ("error" in result) {
-    return c.json({ error: result.error }, result.status);
-  }
-
-  return c.json({
-    platform: result.platform,
-    url: result.url,
-    stopCount: result.stopCount,
-    waypointCount: result.waypointCount,
-  });
-}
-
-routesRouter.get("/:routeId/export/google-maps", (c) =>
-  handleNavigationExport(c, "google-maps")
-);
-
-routesRouter.get("/:routeId/export/apple-maps", (c) =>
-  handleNavigationExport(c, "apple-maps")
-);

src/services/navigationExport.ts

@@ -1,155 +0,0 @@
-// Navigation export — turn an optimized groomer route into a deep-link URL that
-// opens the device's native navigation app (Google Maps / Apple Maps).
-//
-// A route is exported as: origin = first stop, destination = last stop, with the
-// in-between stops carried as ordered intermediate waypoints. Each platform caps
-// how many intermediate waypoints a deep link may carry, so callers must validate
-// the route length before handing the URL to the client.
-
-/**
- * Max intermediate waypoints a Google Maps URLs API deep link supports
- * (`https://www.google.com/maps/dir/?api=1&...&waypoints=...`). Google documents
- * a ceiling of 9 waypoints between origin and destination.
- */
-export const GOOGLE_MAPS_MAX_WAYPOINTS = 9;
-
-/**
- * Max intermediate waypoints we allow in an Apple Maps `maps://` deep link. Apple's
- * URL scheme chains destinations with `+to:` but does not publish a hard cap; 15 is
- * a conservative practical limit that keeps the URL well under length limits.
- */
-export const APPLE_MAPS_MAX_WAYPOINTS = 15;
-
-export type NavigationPlatform = "google-maps" | "apple-maps";
-
-/** A single ordered point on the route. `label` is optional, for display only. */
-export interface NavigationStop {
-  latitude: number;
-  longitude: number;
-  label?: string | null;
-}
-
-export interface NavigationExportSuccess {
-  platform: NavigationPlatform;
-  url: string;
-  /** Total stops included (origin + waypoints + destination). */
-  stopCount: number;
-  /** Intermediate waypoints only (excludes origin and destination). */
-  waypointCount: number;
-}
-
-export interface NavigationExportError {
-  error: string;
-  status: 400;
-}
-
-export type NavigationExportResult =
-  | NavigationExportSuccess
-  | NavigationExportError;
-
-function isError(r: NavigationExportResult): r is NavigationExportError {
-  return "error" in r;
-}
-
-/** Intermediate waypoints = every stop that is neither origin nor destination. */
-export function intermediateWaypointCount(stopCount: number): number {
-  return Math.max(0, stopCount - 2);
-}
-
-function coord(stop: NavigationStop): string {
-  return `${stop.latitude},${stop.longitude}`;
-}
-
-/**
- * Builds a Google Maps URLs API driving deep link. On mobile this opens the
- * native Google Maps app; on desktop it opens maps.google.com.
- */
-export function buildGoogleMapsUrl(
-  stops: NavigationStop[]
-): NavigationExportResult {
-  if (stops.length === 0) {
-    return { error: "route has no stops to export", status: 400 };
-  }
-  const waypointCount = intermediateWaypointCount(stops.length);
-  if (waypointCount > GOOGLE_MAPS_MAX_WAYPOINTS) {
-    return {
-      error: `route has ${waypointCount} intermediate waypoints, exceeding Google Maps' limit of ${GOOGLE_MAPS_MAX_WAYPOINTS}`,
-      status: 400,
-    };
-  }
-
-  const origin = stops[0]!;
-  const destination = stops[stops.length - 1]!;
-  const params = new URLSearchParams();
-  params.set("api", "1");
-  params.set("travelmode", "driving");
-  params.set("origin", coord(origin));
-  params.set("destination", coord(destination));
-  if (stops.length > 2) {
-    const mids = stops
-      .slice(1, -1)
-      .map(coord)
-      .join("|");
-    params.set("waypoints", mids);
-  }
-
-  return {
-    platform: "google-maps",
-    url: `https://www.google.com/maps/dir/?${params.toString()}`,
-    stopCount: stops.length,
-    waypointCount,
-  };
-}
-
-/**
- * Builds an Apple Maps `maps://` driving deep link. The first stop is the source
- * (`saddr`); the remaining stops are chained as destinations with `+to:` (`daddr`).
- * Built by hand because the `+to:` separators are part of Apple's scheme and must
- * not be percent-encoded.
- */
-export function buildAppleMapsUrl(
-  stops: NavigationStop[]
-): NavigationExportResult {
-  if (stops.length === 0) {
-    return { error: "route has no stops to export", status: 400 };
-  }
-  const waypointCount = intermediateWaypointCount(stops.length);
-  if (waypointCount > APPLE_MAPS_MAX_WAYPOINTS) {
-    return {
-      error: `route has ${waypointCount} intermediate waypoints, exceeding Apple Maps' limit of ${APPLE_MAPS_MAX_WAYPOINTS}`,
-      status: 400,
-    };
-  }
-
-  const params: string[] = ["dirflg=d"];
-  if (stops.length === 1) {
-    // Single stop: destination only, no source.
-    params.unshift(`daddr=${coord(stops[0]!)}`);
-  } else {
-    const daddr = stops
-      .slice(1)
-      .map(coord)
-      .join("+to:");
-    params.unshift(`daddr=${daddr}`);
-    params.unshift(`saddr=${coord(stops[0]!)}`);
-  }
-
-  return {
-    platform: "apple-maps",
-    url: `maps://?${params.join("&")}`,
-    stopCount: stops.length,
-    waypointCount,
-  };
-}
-
-/** Dispatches to the correct builder for the requested platform. */
-export function buildNavigationUrl(
-  platform: NavigationPlatform,
-  stops: NavigationStop[]
-): NavigationExportResult {
-  return platform === "google-maps"
-    ? buildGoogleMapsUrl(stops)
-    : buildAppleMapsUrl(stops);
-}
-
-export { isError as isNavigationExportError };