promote(uat→main): GRO-2123 seed advisory lock + GRO-2100 uat-groomer linkage ordering #157
@@ -147,6 +147,8 @@ Expected: one row, `role = 'groomer'`. If zero rows return, the request hit the
|
||||
| TC-API-3.19b | Get pet profile summary — customer cross-tenant blocked (GRO-2013) | Sign in as `uat-customer@groombook.dev`; reuse the customer's sessionId from TC-API-3.19a; `GET /api/pets/{otherClientPetId}/profile-summary` for a pet owned by a different client (`c0000002-...` or any non-customer pet) | 403 Forbidden (owner-bypass requires session.clientId === pet.clientId) |
|
||||
| TC-API-3.19c | Get pet profile summary — customer without portal session header | Same as TC-API-3.19a but omit the `X-Impersonation-Session-Id` header | 403 Forbidden (no owner-bypass without valid portal session) |
|
||||
| TC-API-3.19d | Get pet profile summary — owner-bypass writes audit row (GRO-2063) | Same setup as TC-API-3.19a (sign in as `uat-customer@groombook.dev`, establish a portal session for the customer's own clientId, call `GET /api/pets/{ownPetId}/profile-summary` with `X-Impersonation-Session-Id: {sessionId}` and a 200 OK response). Then call `GET /api/impersonation/sessions/{sessionId}/audit-log` and confirm there is exactly one entry with `action === "read_profile_summary"`, `pageVisited` matching the profile-summary path, and `metadata` containing `petId` and `actorStaffId` for the customer. Repeat TC-API-3.19b (cross-tenant attempt) and confirm NO new `read_profile_summary` row was written for the cross-tenant attempt. | 200 OK on the profile-summary call AND an audit log entry is present with the correct shape (defense-in-depth audit row; bypass attempts against other clients must NOT log) |
|
||||
| TC-UAT-2 | Groomer accesses linked pet profile summary (GRO-2100) | Sign in as `uat-groomer@groombook.dev`; `GET /api/pets/c0000001-0000-0000-0000-000000000002/profile-summary` (UAT Pup Alpha — linked via deterministic completed appointment `a0000001-0000-0000-0000-000000000001`, service `b0000001-…-0001` "Bath & Brush", `startTime` ~7 days ago) | 200 OK, `recentGroomingHistory[]` non-empty (>=1 entry), `visitCount >= 1`, `upcomingAppointment` null (the seeded appointment is in the past) |
|
||||
| TC-UAT-3 | Groomer blocked from unlinked pet profile summary (GRO-2100) | Sign in as `uat-groomer@groombook.dev`; `GET /api/pets/c0000001-0000-0000-0000-000000000003/profile-summary` (UAT Pup Beta — intentionally UNLINKED; no appointment row references this pet's clientId+groomerId combo) | 403 Forbidden (RBAC `groomer` role lacks the appointment-linkage grant for this pet). NOTE: if 404 is returned instead of 403, file a separate RBAC defect (not against the seed) — see GRO-2100 verification note |
|
||||
| TC-API-3.29 | Get pet profile summary — unknown UUID returns 404 (GRO-2014) | GET /api/pets/00000000-0000-0000-0000-000000000001/profile-summary while authenticated (any role) | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014) |
|
||||
| TC-API-3.30 | Get pet profile summary — malformed UUID returns 404 (GRO-2014) | GET /api/pets/not-a-uuid/profile-summary while authenticated | 404 Not Found with body `{"error":"Not found"}` (was empty-body 500 in GRO-2014 — Postgres uuid cast failure) |
|
||||
| TC-API-3.31 | Get pet profile summary — never empty-body 500 (GRO-2014) | GET /api/pets/{anyId}/profile-summary across the test sweep | No response has status 500 with an empty body. Any 500 must include a JSON body `{"error":"Internal Server Error"}` |
|
||||
@@ -166,6 +168,7 @@ Expected: one row, `role = 'groomer'`. If zero rows return, the request hit the
|
||||
| TC-API-3.26 | Verify 25-35% medicalAlerts distribution | GET /api/pets (first 30 pets), count how many have non-empty medicalAlerts | Ratio is 25-35% (seed uses rand() < 0.3 for ~30% distribution) |
|
||||
| TC-API-3.27 | Verify coat_type enum has all seed values | After UAT seed completes, inspect the coat_type enum on the UAT DB — it must contain: short, medium, long, double, wire, silky, curly, hairless | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; coat_type includes all 8 values used by seed.ts `coatTypePool` |
|
||||
| TC-API-3.28 | Verify pet_size_category enum has all seed values | After UAT seed completes, inspect the pet_size_category enum on the UAT DB — it must contain: small, medium, large, extra_large | UAT seed jobs (`reset-demo-data`, `seed-test-data`) complete 1/1 with no `enum_in` error; pet_size_category includes all 4 values used by seed.ts `petSizeCategoryPool` (regression for GRO-1999, mirrors TC-API-3.27) |
|
||||
| TC-API-3.29 | Verify `reset-demo-data` CronJob does not fail with FK 23503 on `invoice_tip_splits` (GRO-2123) | Trigger the CronJob manually: `kubectl create job --from=cronjob/reset-demo-data verify-gro2123 -n groombook-uat`. Wait for pod to terminate. Inspect logs: `kubectl logs -n groombook-uat -l job-name=verify-gro2123` | Pod reaches `Completed` state; logs show `✓ Acquired seed advisory lock` and `✓ Released seed advisory lock` from `seed.ts`; no `PostgresError: … violates foreign key constraint "invoice_tip_splits_invoice_id_invoices_id_fk"` (code 23503); final counts unchanged (500 clients, ~4000 invoices) |
|
||||
|
||||
### 4.4 Appointment Scheduling
|
||||
|
||||
|
||||
@@ -12,8 +12,8 @@
|
||||
"test": "vitest run",
|
||||
"db:generate": "drizzle-kit generate",
|
||||
"db:migrate": "drizzle-kit migrate",
|
||||
"db:seed": "tsx src/db/seed.ts",
|
||||
"db:reset": "tsx src/db/reset.ts && drizzle-kit migrate && tsx src/db/seed.ts",
|
||||
"db:seed": "pnpm --filter @groombook/db seed",
|
||||
"db:reset": "pnpm --filter @groombook/db reset",
|
||||
"db:studio": "drizzle-kit studio"
|
||||
},
|
||||
"dependencies": {
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
+216
-5
@@ -401,7 +401,9 @@ const servicesDef = [
|
||||
*
|
||||
* In seedKnownUsers() this replaces the inline UAT-staff block.
|
||||
*/
|
||||
async function seedUatStaffAccounts(db: ReturnType<typeof drizzle>) {
|
||||
async function seedUatStaffAccounts(
|
||||
db: ReturnType<typeof drizzle>,
|
||||
): Promise<string | null> {
|
||||
// ── Staff: UAT Super User (oidcSub from SEED_UAT_SUPER_OIDC_SUB env var) ──
|
||||
const uatSuperOidcSub = process.env.SEED_UAT_SUPER_OIDC_SUB;
|
||||
if (uatSuperOidcSub) {
|
||||
@@ -668,6 +670,132 @@ async function seedUatStaffAccounts(db: ReturnType<typeof drizzle>) {
|
||||
console.log(`✓ Created UAT pet '${pet.name}' with extended fields`);
|
||||
}
|
||||
}
|
||||
|
||||
// ── GRO-2100: deterministic uat-groomer ↔ pet linkage ───────────────────────
|
||||
// The UAT groomer (`uat-groomer@groombook.dev`, staffId 00000000-0000-0000-0000-000000000004)
|
||||
// needs at least one linked pet/appointment or GRO-1987 TC-UAT-2/3 cannot run
|
||||
// (the pet profile-summary endpoint returns 404 instead of 200/403).
|
||||
//
|
||||
// We deterministically link the UAT groomer to the UAT customer's first pet
|
||||
// ("UAT Pup Alpha") and leave the second pet ("UAT Pup Beta") UNLINKED so
|
||||
// TC-UAT-2 (200) and TC-UAT-3 (403) can both hardcode the stable petIds.
|
||||
//
|
||||
// The linkage call itself is performed by the caller AFTER the `services`
|
||||
// catalogue has been seeded (this helper runs before services exist,
|
||||
// which previously caused the linkage to be silently skipped on every
|
||||
// reset). GRO-2100 follow-up.
|
||||
return uatCustomerClientId;
|
||||
}
|
||||
|
||||
/**
|
||||
* GRO-2100: create a deterministic completed appointment linking the UAT groomer
|
||||
* to "UAT Pup Alpha" (c0000001-0000-0000-0000-000000000002). "UAT Pup Beta"
|
||||
* (c0000001-0000-0000-0000-000000000003) is intentionally left UNLINKED so
|
||||
* GRO-1987 TC-UAT-3 can verify the 403 forbidden response.
|
||||
*
|
||||
* Idempotent: the deterministic appointment id (`a0000001-…-0001`) is the
|
||||
* upsert key, so re-running the seed on every reset-demo-data CronJob
|
||||
* (hourly per apps/overlays/uat/reset-cronjob.yaml) is safe.
|
||||
*/
|
||||
async function seedUatGroomerLinkage(
|
||||
db: ReturnType<typeof drizzle>,
|
||||
customerClientId: string | null,
|
||||
): Promise<void> {
|
||||
const uatGroomerEmail = "uat-groomer@groombook.dev";
|
||||
const LINKED_PET_ID = "c0000001-0000-0000-0000-000000000002"; // UAT Pup Alpha
|
||||
const APPT_ID = "a0000001-0000-0000-0000-000000000001";
|
||||
|
||||
// Skip silently if the UAT Customer client wasn't created (non-UAT seed
|
||||
// profile, e.g. seedKnownUsers() in an env without the UAT personas).
|
||||
if (!customerClientId) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Only run if the UAT groomer staff record actually exists — dev/test seeds
|
||||
// that don't set SEED_UAT_STAFF_OIDC_SUB should not crash.
|
||||
const [uatGroomerStaff] = await db
|
||||
.select({ id: schema.staff.id })
|
||||
.from(schema.staff)
|
||||
.where(eq(schema.staff.email, uatGroomerEmail))
|
||||
.limit(1);
|
||||
if (!uatGroomerStaff) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Skip if this exact appointment already exists (idempotent on re-seed).
|
||||
const [existing] = await db
|
||||
.select({ id: schema.appointments.id })
|
||||
.from(schema.appointments)
|
||||
.where(eq(schema.appointments.id, APPT_ID))
|
||||
.limit(1);
|
||||
if (existing) {
|
||||
console.log(`✓ GRO-2100: uat-groomer linkage appointment already exists — skipping`);
|
||||
return;
|
||||
}
|
||||
|
||||
// Skip if the linked pet hasn't been seeded yet (defensive: caller should
|
||||
// ensure pets exist; if the helper is re-ordered later we don't want to
|
||||
// crash here).
|
||||
const [linkedPet] = await db
|
||||
.select({ id: schema.pets.id })
|
||||
.from(schema.pets)
|
||||
.where(eq(schema.pets.id, LINKED_PET_ID))
|
||||
.limit(1);
|
||||
if (!linkedPet) {
|
||||
console.warn(`⚠ GRO-2100: UAT Pup Alpha (${LINKED_PET_ID}) not found — skipping uat-groomer linkage`);
|
||||
return;
|
||||
}
|
||||
|
||||
// The "Bath & Brush" service id is stable across the reset; falls back to
|
||||
// any active service if it has not been seeded yet (e.g. seedKnownUsers
|
||||
// runs in isolation).
|
||||
const BATH_AND_BRUSH_ID = "b0000001-0000-0000-0000-000000000001";
|
||||
const [bathService] = await db
|
||||
.select({ id: schema.services.id })
|
||||
.from(schema.services)
|
||||
.where(eq(schema.services.id, BATH_AND_BRUSH_ID))
|
||||
.limit(1);
|
||||
|
||||
let serviceId: string;
|
||||
if (bathService) {
|
||||
serviceId = bathService.id;
|
||||
} else {
|
||||
const [fallback] = await db
|
||||
.select({ id: schema.services.id })
|
||||
.from(schema.services)
|
||||
.where(eq(schema.services.active, true))
|
||||
.limit(1);
|
||||
if (!fallback) {
|
||||
console.warn(`⚠ GRO-2100: no active services found — skipping uat-groomer linkage`);
|
||||
return;
|
||||
}
|
||||
serviceId = fallback.id;
|
||||
}
|
||||
|
||||
// Schedule the completed appointment 7 days ago so the profile-summary's
|
||||
// "recentGroomingHistory" window (last 10) reliably includes it.
|
||||
const startTime = new Date();
|
||||
startTime.setDate(startTime.getDate() - 7);
|
||||
startTime.setHours(10, 0, 0, 0);
|
||||
const endTime = new Date(startTime.getTime() + 45 * 60 * 1000);
|
||||
|
||||
await db.insert(schema.appointments).values({
|
||||
id: APPT_ID,
|
||||
clientId: customerClientId,
|
||||
petId: LINKED_PET_ID,
|
||||
serviceId,
|
||||
staffId: uatGroomerStaff.id,
|
||||
batherStaffId: null,
|
||||
status: "completed",
|
||||
startTime,
|
||||
endTime,
|
||||
notes: "GRO-2100: deterministic uat-groomer linkage for TC-UAT-2/3.",
|
||||
priceCents: null,
|
||||
confirmationStatus: "confirmed",
|
||||
});
|
||||
console.log(
|
||||
`✓ GRO-2100: linked uat-groomer (${uatGroomerStaff.id}) → UAT Pup Alpha (${LINKED_PET_ID}) via appointment ${APPT_ID}`,
|
||||
);
|
||||
}
|
||||
|
||||
// ── Known-users-only seed (prod/demo) ───────────────────────────────────────
|
||||
@@ -745,7 +873,7 @@ async function seedKnownUsers() {
|
||||
// ── UAT staff accounts + Better Auth credentials (shared impl) ──────────────
|
||||
// Extracted into seedUatStaffAccounts() so it runs in both seedKnownUsers()
|
||||
// and the full seed() UAT branch.
|
||||
await seedUatStaffAccounts(db);
|
||||
const uatCustomerClientId = await seedUatStaffAccounts(db);
|
||||
|
||||
// ── Services: idempotent upsert keyed on `id` ─────────────────────────────
|
||||
// GRO-2064: previously keyed on `services.name` while writing a
|
||||
@@ -773,6 +901,12 @@ async function seedKnownUsers() {
|
||||
}
|
||||
console.log(`✓ Seeded ${demoSvcs.length} services`);
|
||||
|
||||
// GRO-2100: deterministic uat-groomer ↔ UAT Pup Alpha linkage. Must run
|
||||
// AFTER services are seeded (this helper looks up an active service id
|
||||
// to attach to the appointment; on a fresh reset there are none yet at
|
||||
// the time seedUatStaffAccounts() returns).
|
||||
await seedUatGroomerLinkage(db, uatCustomerClientId);
|
||||
|
||||
// ── Client: Demo Client ──
|
||||
const [existingClient] = await db
|
||||
.select()
|
||||
@@ -842,6 +976,63 @@ async function seedKnownUsers() {
|
||||
|
||||
// ── Main seed ────────────────────────────────────────────────────────────────
|
||||
|
||||
// ── GRO-2123: serialize reset+seed with a Postgres advisory lock ────────
|
||||
// The reset-demo-data CronJob runs on an hourly schedule. With
|
||||
// concurrencyPolicy=Replace, a new pod can start while the previous one
|
||||
// is still mid-seed; the new pod's TRUNCATE then deletes rows the old pod
|
||||
// is still inserting, producing FK 23503 errors non-deterministically
|
||||
// (see GRO-2123: invoice_tip_splits → invoices).
|
||||
//
|
||||
// We hold a session-level advisory lock for the full duration of the
|
||||
// seed so that overlapping invocations block then proceed in order —
|
||||
// not skip. The key is a stable 32-bit constant so it can be referenced
|
||||
// from runbooks without ambiguity and binds to the single-argument
|
||||
// `pg_advisory_lock(int)` form, which postgres-js serializes as a plain
|
||||
// number (no bigint type plumbing required).
|
||||
const SEED_ADVISORY_LOCK_KEY = 0x47524f4f; // "GROO" in ASCII — arbitrary, stable
|
||||
|
||||
/**
|
||||
* Reserve a dedicated connection from `pool`, take the seed advisory lock
|
||||
* on it, run `fn`, and release the lock + connection in a try/finally.
|
||||
*
|
||||
* CRITICAL: with postgres-js connection pooling, a session-level
|
||||
* `pg_advisory_lock(KEY)` acquired on one pooled connection and released
|
||||
* on a *different* one is a no-op (the lock is bound to the session /
|
||||
* pg-backend that took it). We therefore reserve a dedicated connection
|
||||
* for the lock and release it from the same reserved connection. The
|
||||
* seed work itself still runs on the pooled connections.
|
||||
*/
|
||||
async function withSeedAdvisoryLock<T>(
|
||||
pool: ReturnType<typeof postgres>,
|
||||
fn: () => Promise<T>,
|
||||
): Promise<T> {
|
||||
const lockConnection = await pool.reserve();
|
||||
let lockHeld = false;
|
||||
try {
|
||||
await lockConnection`SELECT pg_advisory_lock(${SEED_ADVISORY_LOCK_KEY})`;
|
||||
lockHeld = true;
|
||||
console.log(`✓ Acquired seed advisory lock (key=${SEED_ADVISORY_LOCK_KEY})`);
|
||||
const result = await fn();
|
||||
await lockConnection`SELECT pg_advisory_unlock(${SEED_ADVISORY_LOCK_KEY})`;
|
||||
lockHeld = false;
|
||||
console.log(`✓ Released seed advisory lock`);
|
||||
return result;
|
||||
} finally {
|
||||
if (lockHeld) {
|
||||
try {
|
||||
await lockConnection`SELECT pg_advisory_unlock(${SEED_ADVISORY_LOCK_KEY})`;
|
||||
} catch (err) {
|
||||
console.error("Failed to release seed advisory lock during cleanup:", err);
|
||||
}
|
||||
}
|
||||
try {
|
||||
lockConnection.release();
|
||||
} catch (err) {
|
||||
console.error("Failed to release reserved lock connection:", err);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
async function seed() {
|
||||
const url = process.env.DATABASE_URL;
|
||||
if (!url) {
|
||||
@@ -859,6 +1050,22 @@ async function seed() {
|
||||
const client = postgres(url, { max: 5 });
|
||||
const db = drizzle(client, { schema });
|
||||
|
||||
// GRO-2123: hold the seed advisory lock for the full body of runSeedBody.
|
||||
// See the withSeedAdvisoryLock comment for why a reserved connection is
|
||||
// required (postgres-js pooling would silently drop the lock otherwise).
|
||||
await withSeedAdvisoryLock(client, async () => {
|
||||
return await runSeedBody(client, db, profile, cfg);
|
||||
});
|
||||
|
||||
await client.end();
|
||||
}
|
||||
|
||||
async function runSeedBody(
|
||||
client: ReturnType<typeof postgres>,
|
||||
db: ReturnType<typeof drizzle>,
|
||||
profile: SeedProfile,
|
||||
cfg: ProfileConfig,
|
||||
): Promise<void> {
|
||||
console.log(`Seeding Groom Book database (profile: ${profile})...\n`);
|
||||
|
||||
// ── Staff ──
|
||||
@@ -929,7 +1136,7 @@ async function seed() {
|
||||
// ── UAT staff accounts + Better Auth credentials (shared impl) ──────────────
|
||||
// Seeds deterministic UAT staff with numeric OIDC subs and Better Auth credentials.
|
||||
// Must run AFTER random staff are created so upserts land correctly.
|
||||
await seedUatStaffAccounts(db);
|
||||
const uatCustomerClientId = await seedUatStaffAccounts(db);
|
||||
|
||||
// ── Services ──
|
||||
// GRO-2064: key the upsert on `services.id` (not `name`) so deterministic
|
||||
@@ -956,6 +1163,12 @@ async function seed() {
|
||||
}
|
||||
console.log(`✓ Created ${servicesDef.length} services`);
|
||||
|
||||
// GRO-2100: deterministic uat-groomer ↔ UAT Pup Alpha linkage. Must run
|
||||
// AFTER services are seeded (this helper looks up an active service id
|
||||
// to attach to the appointment; on a fresh reset there are none yet at
|
||||
// the time seedUatStaffAccounts() returns).
|
||||
await seedUatGroomerLinkage(db, uatCustomerClientId);
|
||||
|
||||
// ── Clients & Pets ──
|
||||
const now = new Date();
|
||||
const appointmentsBackDate = new Date(now);
|
||||
@@ -1474,8 +1687,6 @@ async function seed() {
|
||||
}
|
||||
console.log(`✓ Created ${visitLogCount} grooming visit logs`);
|
||||
console.log("\nSeed complete!");
|
||||
|
||||
await client.end();
|
||||
}
|
||||
|
||||
seed().catch((err) => {
|
||||
|
||||
Reference in New Issue
Block a user