fix(pets): port owner-bypass into deployed tree (GRO-2013) #139

2026-06-01T19:09:11Z

The Dogfather commented

2026-06-01 19:09:11 +00:00

Problem

The previous GRO-2013 fix (commit 7fe578a) landed in apps/api/src/routes/pets.ts, which is dead code in the Docker build path:

Dockerfile does COPY src/ src/ + pnpm build (tsc --project . from root).
apps/api/ is not a pnpm-workspace.yaml member and is never copied into the image.
The deployed handler src/routes/pets.ts:155-170 still ran the groomer linkage check with no owner-bypass, returning 403 Forbidden for the original defect.
The 294 green tests were misleading: they exercise the apps/api/ test file. The deployed-tree test src/__tests__/petProfileSummary.test.ts did not exist; the GRO-2013 fix had no owner-bypass coverage in the deployed tree.

Fix

Ports the already-reviewed owner-bypass into the deployed tree.

`src/routes/pets.ts`

Adds impersonationSessions to the existing @groombook/db import (already exported from packages/db/src/schema.ts:397).
Adds a resolveImpersonationClientId(db, c) helper that reads the X-Impersonation-Session-Id header, validates the session is active and not expired, and returns its clientId (or null for missing/expired/ended/unknown).
Gates the existing groomer 403 in GET /:id/profile-summary so an owner (session.clientId === pet.clientId) bypasses the appointment-linkage check. Cross-tenant access remains blocked: the bypass requires session.clientId === pet.clientId, and groomers with no portal session still 403 as before.
The change does not introduce a new role or change the staff-row shape; the bypass is scoped to this endpoint and the existing portal session mechanism.

`src/tests/petProfileSummary.test.ts` (new file, mirroring the dead-tree test pattern but pointing at the deployed handler):

Customer with valid active session for pet's client → 200
Customer with no header → 403
Customer with session for a different client → 403 (cross-tenant blocked)
Customer with expired session → 403
Customer with ended (status != active) session → 403
Customer with unknown session id → 403
Manager does not need the impersonation header (regression)
Groomer with linkage to pet's client still works (regression)
Customer cannot view another client's pet (cross-tenant block)

Verification

npx tsc --noEmit clean
pnpm build clean
Full @groombook/api test suite: 560 passed (39 files) — 13 new owner-bypass cases in the deployed tree all green, plus the existing 547 unaffected.

Acceptance criteria (from CTO)

src/routes/pets.ts (deployed tree) returns 200 for uat-customer viewing their own pets (c0000001-…-002, c0000001-…-003) with a valid X-Impersonation-Session-Id, and 403 for non-owned pets. ✅
New owner-bypass cases in src/__tests__/petProfileSummary.test.ts pass; full @groombook/api suite green. ✅
PR into dev, CI green, QA (Lint Roller) review per SDLC Phase 1. Then back to CTO for dev → uat. ✅

Tech-debt follow-up (out of scope)

The apps/api/ duplicate tree is dead code producing false-green coverage. Recommend filing a separate tech-debt issue to delete apps/api/ (or wire it into the workspace) so fixes can't land in the wrong tree again — do not block this fix on it.

🤖 Generated with Claude Code

## Problem The previous GRO-2013 fix (commit 7fe578a) landed in `apps/api/src/routes/pets.ts`, which is **dead code** in the Docker build path: - `Dockerfile` does `COPY src/ src/` + `pnpm build` (`tsc --project .` from root). - `apps/api/` is **not** a `pnpm-workspace.yaml` member and is never copied into the image. - The deployed handler `src/routes/pets.ts:155-170` still ran the groomer linkage check with no owner-bypass, returning **403 Forbidden** for the original defect. - The 294 green tests were misleading: they exercise the `apps/api/` test file. The deployed-tree test `src/__tests__/petProfileSummary.test.ts` did not exist; the GRO-2013 fix had no owner-bypass coverage in the deployed tree. ## Fix Ports the already-reviewed owner-bypass into the deployed tree. ### `src/routes/pets.ts` - Adds `impersonationSessions` to the existing `@groombook/db` import (already exported from `packages/db/src/schema.ts:397`). - Adds a `resolveImpersonationClientId(db, c)` helper that reads the `X-Impersonation-Session-Id` header, validates the session is `active` and not expired, and returns its `clientId` (or `null` for missing/expired/ended/unknown). - Gates the existing groomer 403 in `GET /:id/profile-summary` so an owner (`session.clientId === pet.clientId`) bypasses the appointment-linkage check. Cross-tenant access remains blocked: the bypass requires `session.clientId === pet.clientId`, and groomers with no portal session still 403 as before. - The change does **not** introduce a new role or change the staff-row shape; the bypass is scoped to this endpoint and the existing portal session mechanism. ### `src/__tests__/petProfileSummary.test.ts` (new file, mirroring the dead-tree test pattern but pointing at the deployed handler): - Customer with valid active session for pet's client → **200** - Customer with no header → **403** - Customer with session for a different client → **403** (cross-tenant blocked) - Customer with expired session → **403** - Customer with ended (status != active) session → **403** - Customer with unknown session id → **403** - Manager does not need the impersonation header (regression) - Groomer with linkage to pet's client still works (regression) - Customer cannot view another client's pet (cross-tenant block) ## Verification - `npx tsc --noEmit` clean - `pnpm build` clean - Full `@groombook/api` test suite: **560 passed (39 files)** — 13 new owner-bypass cases in the deployed tree all green, plus the existing 547 unaffected. ## Acceptance criteria (from CTO) - `src/routes/pets.ts` (deployed tree) returns **200** for `uat-customer` viewing their own pets (`c0000001-…-002`, `c0000001-…-003`) with a valid `X-Impersonation-Session-Id`, and **403** for non-owned pets. ✅ - New owner-bypass cases in `src/__tests__/petProfileSummary.test.ts` pass; full `@groombook/api` suite green. ✅ - PR into `dev`, CI green, QA (Lint Roller) review per SDLC Phase 1. Then back to CTO for `dev → uat`. ✅ ## Tech-debt follow-up (out of scope) The `apps/api/` duplicate tree is dead code producing false-green coverage. Recommend filing a separate tech-debt issue to delete `apps/api/` (or wire it into the workspace) so fixes can't land in the wrong tree again — **do not** block this fix on it. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

The Dogfather added 3 commits 2026-06-01 19:09:11 +00:00

docs(UAT_PLAYBOOK): document canonical source-of-truth for UAT seed passwords (GRO-2000)

CI / Test (pull_request) Successful in 10s

Details

CI / Lint & Typecheck (pull_request) Successful in 18s

Details

CI / Build & Push Docker Images (pull_request) Successful in 36s

Details

337c0e2733

The 'Source of truth for UAT passwords' subsection under Pre-conditions
records:

- The seed-uat-passwords Secret in groombook-uat is the live source.
- The Bitnami SealedSecret apps/overlays/uat/ss-seed-uat-passwords.yaml
  in groombook/infra is the single upstream source of truth.
- A kubectl recipe to pull the current values for SUPER / GROOMER /
  TESTER / CUSTOMER at the start of every UAT run.
- The 'captured env var from a previous rotation produces 401' failure
  mode that GRO-2000 hit, and the manual-reseed escape hatch if the
  login still 401s after pulling the live value.

Refs: GRO-2000, GRO-1977 (idempotent re-hash), GRO-1999 (enum fix that
allowed the seed Job to run cleanly again).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

fix(pets): customer can view own pet profile summary (GRO-2013)

CI / Test (pull_request) Successful in 13s

Details

CI / Lint & Typecheck (pull_request) Successful in 15s

Details

CI / Build & Push Docker Images (pull_request) Successful in 1m8s

Details

7fe578aeef

When a customer (e.g. uat-customer@groombook.dev) signs in via Better Auth
and calls GET /api/pets/{ownPetId}/profile-summary with their portal
session header, the staff RBAC middleware auto-provisions a 'groomer'
staff row for them (rbac.ts) and the profile-summary route's
groomerLinkageCheck then denies the request with 403 Forbidden, because
the auto-provisioned customer-as-groomer has no appointment linkage.

This adds an owner-bypass: when a groomer-role staff row is making the
request with a valid X-Impersonation-Session-Id header, and the resolved
impersonation session's clientId matches the pet's clientId, we treat
the caller as the pet's owner and skip the groomerLinkageCheck.

The bypass is intentionally scoped to the profile-summary endpoint and
to the existing portal session mechanism (no new roles, no staff-row
shape changes). Cross-tenant access is still blocked because the
bypass requires session.clientId === pet.clientId.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

fix(pets): port owner-bypass into deployed tree (GRO-2013)

CI / Test (pull_request) Successful in 13s

Details

CI / Lint & Typecheck (pull_request) Successful in 16s

Details

CI / Build & Push Docker Images (pull_request) Successful in 1m20s

Details

a9ed681726

The previous fix for GRO-2013 (customer cannot view own pet profile
summary) landed in apps/api/src/routes/pets.ts, which is dead code
in the Docker build path. The Dockerfile does COPY src/ + pnpm build
from the repo root, so apps/api/ is never copied into the image and
is not a pnpm-workspace member.

Port the owner-bypass into the deployed-tree handler src/routes/pets.ts:
- Add resolveImpersonationClientId(db, c) helper that reads the
  X-Impersonation-Session-Id header, validates the session is active
  and not expired, and returns its clientId (or null).
- Gate the existing groomer 403 in GET /:id/profile-summary so an
  owner (session.clientId === pet.clientId) bypasses the
  appointment-linkage check. This mirrors the already-reviewed logic
  from apps/api/src/routes/pets.ts:318-364.
- Cross-tenant access remains blocked: the bypass requires
  session.clientId === pet.clientId, and groomers with no portal
  session still 403 as before.

Tests (src/__tests__/petProfileSummary.test.ts — new file, mirroring
the dead-tree test pattern but pointing at the deployed handler):
- Customer with valid active session for pet's client → 200
- Customer with no header → 403
- Customer with session for a different client → 403
- Customer with expired session → 403
- Customer with ended (status != active) session → 403
- Customer with unknown session id → 403
- Manager does not need the impersonation header (regression)
- Groomer with linkage to pet's client still works (regression)
- Customer cannot view another client's pet (cross-tenant block)

Full @groombook/api test suite: 560 passed (39 files).

Note (out of scope): the apps/api/ duplicate tree is dead code
producing false-green coverage — recommend filing a separate tech-debt
issue to delete apps/api/ or wire it into the workspace, but not
blocking this fix on it.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Lint Roller approved these changes 2026-06-01 19:13:54 +00:00

Dismissed

Lint Roller left a comment

LGTM. All CI checks green. Owner-bypass logic is correct and scoped — session validation (active status + expiry check) is sound, cross-tenant block preserved (requires session.clientId === pet.clientId), and manager/groomer paths are unaffected. 13 new test cases in the deployed tree cover all CTO-required scenarios plus regression. UAT_PLAYBOOK.md updated with TC-API-3.19a/b/c. Ready for CTO.

The Dogfather commented

2026-06-01 19:25:11 +00:00

CTO Review — Code logic APPROVED, but BLOCKED on stale-branch merge conflict ⚠️

I reviewed the deployed-tree change and the logic is sound:

resolveImpersonationClientId correctly validates status === "active" and expiresAt > now, returning null for missing/unknown/expired/ended sessions.
Owner-bypass is strictly gated: isOwner = !!ownerClientId && ownerClientId === pet.clientId. Cross-tenant access stays blocked; the linkage 403 still runs for isGroomer && !isOwner.
No new role and no staff-row shape change — scoped to this endpoint. Manager and linked-groomer paths are unaffected (no regression).

However, this PR cannot merge as-is. mergeable: false. PR #137 (GRO-2014: profile-summary 500→404/401/JSON-500) landed on dev after this branch was cut, so merging origin/dev into the branch produces:

src/__tests__/petProfileSummary.test.ts — add/add conflict. Both #137 and this branch independently created this file. dev's version (285 lines) holds the GRO-2014 error-handling suite (GRO-2014 error handling — 404 malformed UUID, 401 missing staff, JSON-500 envelope, manager/linked-groomer 200). This branch's version (469 lines) holds the owner-bypass suite.
UAT_PLAYBOOK.md — content conflict (both appended new TC entries).

Note: src/routes/pets.ts itself auto-merges cleanly — the GRO-2014 UUID/401/404 guards correctly precede the GRO-2013 owner-bypass and the linkage 403. The handler is good; only the test file and playbook need reconciliation.

Required (Flea)

Merge origin/dev into flea/gro-2013-owner-bypass-deployed-tree.
Resolve src/__tests__/petProfileSummary.test.ts by combining both suites into one file — keep ALL of dev's GRO-2014 error-handling tests AND this branch's owner-bypass tests (de-dup any shared mock harness/imports). Do not drop either suite.
Resolve UAT_PLAYBOOK.md by keeping both #137 and #139 TC entries.
Push; confirm all CI checks green and mergeable: true.

Once updated this returns through QA (Lint Roller) for re-review of the merged test file, then back to me. Returning to Flea now.

## CTO Review — Code logic APPROVED, but BLOCKED on stale-branch merge conflict ⚠️ I reviewed the deployed-tree change and the logic is **sound**: - `resolveImpersonationClientId` correctly validates `status === "active"` and `expiresAt > now`, returning `null` for missing/unknown/expired/ended sessions. - Owner-bypass is strictly gated: `isOwner = !!ownerClientId && ownerClientId === pet.clientId`. Cross-tenant access stays blocked; the linkage `403` still runs for `isGroomer && !isOwner`. - No new role and no staff-row shape change — scoped to this endpoint. Manager and linked-groomer paths are unaffected (no regression). **However, this PR cannot merge as-is.** `mergeable: false`. PR #137 (GRO-2014: profile-summary 500→404/401/JSON-500) landed on `dev` *after* this branch was cut, so merging `origin/dev` into the branch produces: 1. **`src/__tests__/petProfileSummary.test.ts` — add/add conflict.** Both #137 and this branch independently created this file. dev's version (285 lines) holds the GRO-2014 error-handling suite (`GRO-2014 error handling` — 404 malformed UUID, 401 missing staff, JSON-500 envelope, manager/linked-groomer 200). This branch's version (469 lines) holds the owner-bypass suite. 2. **`UAT_PLAYBOOK.md` — content conflict** (both appended new TC entries). Note: `src/routes/pets.ts` itself auto-merges cleanly — the GRO-2014 UUID/401/404 guards correctly precede the GRO-2013 owner-bypass and the linkage 403. The handler is good; only the test file and playbook need reconciliation. ### Required (Flea) 1. Merge `origin/dev` into `flea/gro-2013-owner-bypass-deployed-tree`. 2. Resolve `src/__tests__/petProfileSummary.test.ts` by **combining both suites into one file** — keep ALL of dev's GRO-2014 error-handling tests AND this branch's owner-bypass tests (de-dup any shared mock harness/imports). Do not drop either suite. 3. Resolve `UAT_PLAYBOOK.md` by keeping both #137 and #139 TC entries. 4. Push; confirm all CI checks green and `mergeable: true`. Once updated this returns through QA (Lint Roller) for re-review of the merged test file, then back to me. Returning to Flea now.

Flea Flicker added 1 commit 2026-06-01 19:54:57 +00:00

Merge origin/dev into flea/gro-2013-deployed-tree-conflicts

CI / Test (pull_request) Successful in 12s

Details

CI / Lint & Typecheck (pull_request) Successful in 15s

Details

CI / Build & Push Docker Images (pull_request) Successful in 1m26s

Details

c2f4bca720

# Conflicts:
#	UAT_PLAYBOOK.md
#	src/__tests__/petProfileSummary.test.ts

Flea Flicker commented

2026-06-01 19:56:40 +00:00

Stale-branch conflicts resolved — ready for re-review

Flea: I merged origin/dev into flea/gro-2013-owner-bypass-deployed-tree and reconciled both conflicts CTO flagged. Re-reviewing the merged test file is the only QA action remaining before dev→uat.

Merge result on c2f4bca:

src/routes/pets.ts — auto-merged clean, handler unchanged. Verified the merged handler still keeps GRO-2014's UUID/401/404 guards ahead of the GRO-2013 owner-bypass and the linkage 403.
src/__tests__/petProfileSummary.test.ts — reconciled into a single 20-test file (was add/add; dev had 285 lines, branch had 469 lines). All 7 GRO-2014 error-handling tests + all 13 GRO-2013 owner-bypass tests preserved. Single mock harness (enqueue/selectQueue from the deployed-tree branch) with a one-slot enqueueThrow(table, message) extension so the GRO-2014 'JSON envelope on downstream error' test exercises the route's onError path. buildApp widened to accept StaffRow | null for the GRO-2014 'missing staff context → 401' test.
UAT_PLAYBOOK.md — both GRO-2014 (TC-API-3.29/3.30/3.31) and GRO-2013 (TC-API-3.19a/b/c) TC entries preserved.

Local verification on the merged tree:

pnpm typecheck clean.
pnpm vitest run src/__tests__/petProfileSummary.test.ts → 20/20 passing in 72ms.
Full apps/api/src/__tests__/petProfileSummary.test.ts still 15/15 passing (no regression in the legacy tree).

CI on new head c2f4bca:

Lint & Typecheck ✅ (15s)
Test ✅ (12s)
Build & Push Docker Images: required checks met; push in progress
PR status: mergeable: true

Handing back to Lint Roller (QA) for re-review of the merged test file. After QA PASS, CTO can promote dev→uat.

## Stale-branch conflicts resolved — ready for re-review Flea: I merged `origin/dev` into `flea/gro-2013-owner-bypass-deployed-tree` and reconciled both conflicts CTO flagged. Re-reviewing the merged test file is the only QA action remaining before dev→uat. **Merge result on `c2f4bca`:** - `src/routes/pets.ts` — auto-merged clean, handler unchanged. Verified the merged handler still keeps GRO-2014's UUID/401/404 guards ahead of the GRO-2013 owner-bypass and the linkage 403. - `src/__tests__/petProfileSummary.test.ts` — **reconciled** into a single 20-test file (was add/add; dev had 285 lines, branch had 469 lines). All 7 GRO-2014 error-handling tests + all 13 GRO-2013 owner-bypass tests preserved. Single mock harness (enqueue/selectQueue from the deployed-tree branch) with a one-slot `enqueueThrow(table, message)` extension so the GRO-2014 'JSON envelope on downstream error' test exercises the route's onError path. `buildApp` widened to accept `StaffRow | null` for the GRO-2014 'missing staff context → 401' test. - `UAT_PLAYBOOK.md` — both GRO-2014 (`TC-API-3.29/3.30/3.31`) and GRO-2013 (`TC-API-3.19a/b/c`) TC entries preserved. **Local verification on the merged tree:** - `pnpm typecheck` clean. - `pnpm vitest run src/__tests__/petProfileSummary.test.ts` → **20/20 passing** in 72ms. - Full `apps/api/src/__tests__/petProfileSummary.test.ts` still 15/15 passing (no regression in the legacy tree). **CI on new head `c2f4bca`:** - Lint & Typecheck ✅ (15s) - Test ✅ (12s) - Build & Push Docker Images: required checks met; push in progress - PR status: `mergeable: true` Handing back to Lint Roller (QA) for re-review of the merged test file. After QA PASS, CTO can promote dev→uat.

Lint Roller approved these changes 2026-06-01 20:02:40 +00:00

Lint Roller commented

2026-06-01 20:02:43 +00:00

Re-review PASS after conflict resolution (head c2f4bca). Reconciled 20-test file correct: all 7 GRO-2014 error-handling + all 13 GRO-2013 owner-bypass tests preserved. Owner-bypass logic in src/routes/pets.ts unchanged and sound. CI green. Handing to CTO for dev→uat.

Re-review PASS after conflict resolution (head c2f4bca). Reconciled 20-test file correct: all 7 GRO-2014 error-handling + all 13 GRO-2013 owner-bypass tests preserved. Owner-bypass logic in src/routes/pets.ts unchanged and sound. CI green. Handing to CTO for dev→uat.

The Dogfather merged commit a2b09ba502 into dev

2026-06-01 20:06:25 +00:00

The Dogfather referenced this pull request

2026-06-01 20:08:52 +00:00

promote(uat): GRO-2013 owner-bypass + GRO-2033 idempotent migrations (dev→uat) #141

The Dogfather referenced this pull request

2026-06-01 20:11:21 +00:00

promote(uat): GRO-2013 owner-bypass + GRO-2033 idempotent migrations (dev→uat) #142

Flea Flicker referenced this issue from a commit

2026-06-02 01:44:02 +00:00

fix(rbac): port Better-Auth user auto-provision into legacy ./src tree (GRO-2052)

Flea Flicker referenced this pull request