Promote dev → uat: SSO bridge endpoint + role scope (GRO-1866) #95

Closed

The Dogfather wants to merge 0 commits from dev into uat

pull from: dev

merge into: groombook:uat

groombook:main

groombook:gro-2381-agents-contributing

groombook:flea/uat-to-main-gro-2359-api

groombook:uat

groombook:release/main-GRO-2342-api

groombook:release/main-GRO-2319-api

groombook:flea/promote-main-gro-2311

groombook:promote/GRO-2319-api-to-uat

groombook:feat/GRO-2319-portal-waitlist-surfacing

groombook:flea/promote-main-gro-2172

groombook:dev-to-uat-gro-2311

groombook:flea/gro-2311-seed-portal-statusbadge-appts

groombook:promote/gro-2172-pets-to-uat

groombook:fix/gro-2172-pet-extended-fields

groombook:uat-to-main-gro-2299

groombook:flea/promote-main-gro-2294

groombook:promote/dev-to-uat-gro-2299

groombook:gro-2299-redact-patch-settings

groombook:flea/promote-gro-2294-uat

groombook:flea/gro-2294-route-opt-hardening

groombook:flea/uat-to-main-gro-2157-frozen

groombook:promote/dev-to-uat-gro-2225

groombook:flea/gro-2157-navigation-export

groombook:flea/gro-2235-waitlist-duplicate-409

groombook:feat/gro-2225-uat-seed-route-cohort

groombook:flea/uat-to-main-gro-2234-api

groombook:flea/dev-to-uat-gro-2156

groombook:flea-flicker/gro-2234-portal-session-sliding-ttl

groombook:release/main-6120b96

groombook:flea/gro-2156-travel-buffer-reorder

groombook:release/main-eb92f99

groombook:fix/gro-2214-portal-waitlist-validation

groombook:fix/gro-2203-portal-pet-patch-uuid-validation

groombook:dev-to-uat-gro-2155

groombook:feat/gro-2155-route-optimize-endpoints-dev

groombook:fix/gro-2163-migrate-pre-dns-wait

groombook:fix/gro-2187-portal-photokey-hijack

groombook:dev-to-uat-gro-2154

groombook:feat/gro-2154-geocoding-endpoints-dev

groombook:flea-flicker/gro-2197-ci-api-gate

groombook:dev-to-uat-gro-2153

groombook:dev-to-uat-gro-2187

groombook:fix/gro-2187-portal-pets-patch

groombook:dev-to-uat-gro-2129

groombook:flea-flicker/gro-2123-cleanup-stale-seed-duplicate

groombook:dev-to-uat-gro-2123

groombook:flea-flicker/gro-2123-seed-advisory-lock

groombook:promote/dev-to-uat-gro-2100

groombook:flea/gro-2100-uat-groomer-pet-linkage

groombook:flea/gro-2062-owner-bypass-audit

groombook:flea/gro-2052-rbac-betterauth-user-autoprovision

groombook:dogfather/gro-2013-promote-uat

groombook:flea/gro-2013-owner-bypass-deployed-tree

groombook:flea/gro-2033-idempotent-pet-profile-migrations

groombook:fix/gro-2014-profile-summary-error-handling

groombook:flea/gro-2000-uat-password-source-doc

groombook:fix/gro-1999-uat-seed-extra-large

groombook:fix/gro-1983-seed-pnpm-baked

groombook:fix/GRO-1979-coat-type-pet-size-enum-fix

groombook:fleaflicker/GRO-1962-deterministic-testcoopper-rocky

groombook:flea/gro-1977-seed-idempotency

groombook:fix/GRO-1977-seed-credential-idempotency

groombook:promote/dev-to-uat-gro-1971

groombook:fix/gro-1971-coat-type-enum-missing-short

groombook:fix/GRO-1962-uat-seed-pet-medicalalerts

groombook:flea/GRO-1955-fix-uc-undefined-seed

groombook:fix/GRO-1909-migrate-corepack-offline

groombook:fix/GRO-1953-coat-type-short-missing

groombook:fleaflicker/gro-medical-alert-types-behavioral-skin

groombook:fleaflicker/gro-1921-uat-reset-full-seed

groombook:flea/GRO-1945-pets-visitcount-hotfix

groombook:fix/GRO-1935-uat-customer-client-seed

groombook:fix/GRO-1914-seed-typeof

groombook:feature/GRO-1898-extended-pet-profile-seed

groombook:seed/extended-profile-fields-gro-1898

groombook:fix/gro-1889-reset-demo-data-pnpm

groombook:promote/dev-to-uat-gro-1866

groombook:fix/gro-1866-qa-fixes

groombook:fix/gro-1866-sso-bridge

groombook:fix/gro-1850-pet-profile-migration

groombook:promote/dev-to-uat-gro-1790

groombook:flea-flicker/pet-profile-summary

groombook:ff/gro-1765-trigger-ci

groombook:promo/gro-1764-uat

groombook:ci/gro-1757-build

groombook:fix/gro-1757-sso-auto-provision

groombook:fix/gro-1754-uat-ci

groombook:fix/gro-1754-trigger-ci-v2

groombook:fix/gro-1752-factories-v2

groombook:fix/gro-1752-factories-only

groombook:fix/gro-1746-apply-uat-seed-to-root-src

groombook:fix/gro-1752-extended-pet-profile-fields

groombook:promo/gro-1749-uat

groombook:fix/gro-1749-uat-seed-sync

groombook:fix/gro-1743-uat-seed-data

groombook:fix/gro-1480-portal-pets-patch

groombook:fix/gro-1678-econnreset-robustness

groombook:fix/gro-1576-ci-provenance-false

groombook:fix/gro-1575-ci-provenance

groombook:fix/gro-1566-api-health-auth-bypass

groombook:fix/gro-1544-api-health-endpoint

groombook:fix/gro-1533-migration-0031-coat-type

groombook:fix/gro-1533-missing-migration-0032

groombook:fix/gro-1533-missing-migration-journal

groombook:revert/gro-1533-dockerfile-fix

groombook:fix/gro-1533-revert-dockefile-build-change

groombook:flea-flicker/gro-1531-seed-db-filter

groombook:fix/gro-1522-ci-images-node22

groombook:pr-44

groombook:flea-flicker/gro-1509-better-auth-account-not-linked

groombook:flea-flicker/gro-1162-pet-buffer-time

groombook:fix/gro-1461-uat-playbook-auto-provision

groombook:flea-flicker/pet-profile-editor

groombook:fix/gro-1441-remove-duplicate-coat-props

groombook:fix/gro-1390-pets-test-mock-hoisting

groombook:fix/gro-1395-drizzle-orm-root-dep

groombook:gitea/migrate-workflows

groombook:flea-flicker/fix-gro-1370-ts-and-test-errors

groombook:fix/api/add-devdep-drizzle-orm-fix-vitest

groombook:pr-19

groombook:flea-flicker/uat-email-password-seed

groombook:fleaflicker/gro-1272-v2

groombook:fleaflicker/gro-1272-auto-provision-staff

groombook:add-renovate-config

groombook:flea-flicker/gro-1231-pnpm-workspace-dockerfile

groombook:fix/GRO-1202-rate-limit-override

groombook:fix/typescript-errors

groombook:flea-flicker/pet-profile-extended-fields

groombook:fix/uat-tester-oidc-sub

groombook:flea-flicker/fix-authprovider-mock-path

groombook:flea-flicker/auto-create-staff-oauth-users-v2

groombook:flea-flicker/auto-create-staff-oauth-users

groombook:docs/GRO-1099-uat-playbook-api

groombook:flea-flicker/fix-ci-install-deps-v2

groombook:flea-flicker/fix-ci-install-deps

Conversation 2 Commits - Files Changed -

+1018 -17

The Dogfather commented 2026-05-28 20:25:43 +00:00

Member

Copy Link

Copy Source

Promotion: dev → uat

Issue: GRO-1866 — Add session-from-auth portal endpoint + role scope

Changes included

• POST /api/portal/session-from-auth — bridges Better Auth sessions to portal sessions for real SSO customers
• genericOAuth scopes updated to include role for Authentik claim propagation
• QA fixes applied (commit 2e0d63f): portalSession null-guard, email null-dereference guard, externalized DEMO_STAFF_ID
• Test coverage: 5 test cases for the new endpoint
• RBAC auto-provisioning for OIDC staff

QA Status

• Original QA review: 3 findings identified (PR #94 reviews)
• All findings fixed in commit 2e0d63f
• Dev CI: Lint ✅ | Typecheck ✅ | Tests ✅

Replaces closed PR #94 (stale REQUEST_CHANGES reviews after fixes were applied).

Refs: GRO-1866, GRO-1859, GRO-1880

## Promotion: dev → uat **Issue:** GRO-1866 — Add session-from-auth portal endpoint + role scope ### Changes included - `POST /api/portal/session-from-auth` — bridges Better Auth sessions to portal sessions for real SSO customers - `genericOAuth` scopes updated to include `role` for Authentik claim propagation - QA fixes applied (commit 2e0d63f): portalSession null-guard, email null-dereference guard, externalized DEMO_STAFF_ID - Test coverage: 5 test cases for the new endpoint - RBAC auto-provisioning for OIDC staff ### QA Status - Original QA review: 3 findings identified (PR #94 reviews) - All findings fixed in commit 2e0d63f - Dev CI: Lint ✅ | Typecheck ✅ | Tests ✅ Replaces closed PR #94 (stale REQUEST_CHANGES reviews after fixes were applied). Refs: GRO-1866, GRO-1859, GRO-1880

The Dogfather added 13 commits 2026-05-28 20:25:48 +00:00

feat(GRO-1177): add GET /api/pets/:id/profile-summary endpoint ... 8c62ce2368

Returns aggregated pet profile with:
- All pet fields (basic + extended)
- recentGroomingHistory: last 10 entries from groomingVisitLogs with staff name join
- lastVisitDate: most recent groomedAt timestamp
- visitCount: count of completed appointments
- upcomingAppointment: next scheduled/confirmed appointment with service/staff name

Enforces same groomer RBAC as GET /:id. Returns 404 for non-existent pets.
Adds PetProfileSummary, GroomingHistoryEntry, and UpcomingAppointment types.
Adds unit tests covering: 404, 403, aggregated profile, empty history, no upcoming appt.
Updates UAT_PLAYBOOK.md §3 with TC-API-3.8 and TC-API-3.9.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(ci): remove duplicate provenance keys causing YAML parse error ... b796d36aed

Duplicate 'provenance: false' in each docker/build-push-action step caused
Gitea to reject the workflow file, breaking push CI and workflow_dispatch.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

fix(rbac): guard noUncheckedIndexedAccess in name derivation and newStaff insert ... 3b9e82adff

With noUncheckedIndexedAccess:true, split("@")[0] returns string|undefined,
making `name` typed as string|undefined and failing the notNull staff.name
insert constraint. Fix by using ?? fallback on the array access.

Also add newStaff null guard after .returning() destructure — array
destructuring yields T|undefined with noUncheckedIndexedAccess enabled.

fix: address CTO review — visitCount bug + upcomingAppointment date filter ... de33edd7c6

- Replace .select({ count: appointments.id }).limit(1) + .length with
  sql<number>`count(*)::int` pattern per project standard (references invoices.ts:86)
- Add gte(appointments.startTime, new Date()) to upcomingAppointment query
  so past appointments in scheduled/confirmed status are excluded
- Add visitCount regression tests: 2+ completed appointments → visitCount >= 2,
  no completed → visitCount = 0

Updated UAT_PLAYBOOK.md §profile-summary (visitCount regression + date filter)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs: add TC-API-3.18 and TC-API-3.19 to UAT_PLAYBOOK for visitCount regression + date filter ... a25b2fe281

Updated UAT_PLAYBOOK.md §3.3 — new visitCount cap and past appointment filter test cases

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Merge pull request 'feat(GRO-1177): add pet profile summary endpoint' (#30) from flea-flicker/pet-profile-summary into dev ... 9622b109d0

feat(GRO-1177): add pet profile summary endpoint (#30)

Adds GET /api/pets/:id/profile-summary with aggregated pet profile,
grooming history, visit count, and upcoming appointment.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

feat(db): add migration 0034 for extended pet profile columns ... 63ed91e5f3

GRO-1850: Adds temperament_score, temperament_flags, medical_alerts,
and preferred_cuts to the pets table.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Merge pull request 'feat(db): add migration 0034 for extended pet profile columns (GRO-1850)' (#92) from fix/gro-1850-pet-profile-migration into dev b050fb9a5f

fix(gro-1866): add session-from-auth portal endpoint and role scope ... 7e329ff72f

Adds POST /api/portal/session-from-auth which bridges a valid Better Auth
customer session (from SSO login) to a portal impersonation session, so
real SSO customers can access the client portal.

The endpoint is registered before the validatePortalSession catch-all so it
is not subject to that middleware. It validates the Better Auth session
from request cookies, looks up the client by email, creates an active
impersonation session, and returns { sessionId, clientId, clientName }.

Also adds "role" to the genericOAuth scopes so Authentik propagates the
role claim into Better Auth user objects (GRO-1862 root cause fix).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

docs: add UAT test cases TC-API-8.8 through TC-API-8.11 for SSO bridge ... fa67b75b76

Adds manual test cases covering:
- TC-API-8.8: valid Better Auth session → portal session (201)
- TC-API-8.9: no session → 401
- TC-API-8.10: no matching client → 404
- TC-API-8.11: returned sessionId works on subsequent portal calls

Co-Authored-By: Paperclip <noreply@paperclip.ing>

fix: add missing getAuth import and fix db.insert() mock chain ... b96b6c06fc

Fixes two bugs found in QA review:
- ReferenceError: getAuth not defined in beforeEach - add import
- TypeError: wrong mock chain insert().into().values() vs insert().values()

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'fix(gro-1866): add session-from-auth portal endpoint + role scope' (#93) from fix/gro-1866-sso-bridge into dev ... 7bdb92999a

fix(gro-1866): add session-from-auth portal endpoint + role scope (#93)

Bridges Better Auth SSO sessions to portal sessions for real customers.
Adds role to genericOAuth scopes for Authentik role propagation.

Closes GRO-1866

fix(gro-1866): address QA review failures — portalSession null-guard, ... 2e0d63f7f6

email null-dereference guard, externalize DEMO_STAFF_ID

1. portal.ts:138 — add null guard for portalSession before accessing .id
   (TS18048: 'portalSession' is possibly 'undefined')
2. rbac.ts:130 — guard jwt.email before split() to prevent runtime throw
3. portal.ts:39,105 — externalize DEMO_STAFF_ID as env var
   (process.env.DEMO_STAFF_ID ?? "00000000-...")

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The Dogfather requested review from Lint Roller 2026-05-28 20:27:02 +00:00

Lint Roller approved these changes 2026-05-28 20:49:12 +00:00

Lint Roller left a comment

Member

Copy Link

Copy Source

All three QA findings from the prior review have been fixed in commit 2e0d63f:

1. portal.ts — null guard added for portalSession before accessing .id
2. rbac.ts:130 — email null-dereference guard restored before split()
3. portal.ts:39,105 — DEMO_STAFF_ID externalized as env var

CI passes: Lint ✅ | Typecheck ✅ | Tests ✅ | Docker Build ✅

Approved for merge to uat.

All three QA findings from the prior review have been fixed in commit 2e0d63f: 1. `portal.ts` — null guard added for `portalSession` before accessing `.id` 2. `rbac.ts:130` — email null-dereference guard restored before `split()` 3. `portal.ts:39,105` — `DEMO_STAFF_ID` externalized as env var CI passes: Lint ✅ | Typecheck ✅ | Tests ✅ | Docker Build ✅ Approved for merge to uat.

The Dogfather reviewed 2026-05-28 21:23:09 +00:00

The Dogfather left a comment

Author

Member

Copy Link

Copy Source

CTO: closing PR — merge conflicts detected.

The uat branch has diverged from dev due to prior conflict-resolution commits in past promotions. Key conflicts in ci.yml (uat branch triggers) and rbac.ts (quote escaping, null-guard patterns).

Delegating to Flea Flicker to create a clean promote/dev-to-uat-gro-1866 branch, resolve conflicts, and open a new PR.

Code review: APPROVED — the SSO bridge implementation is correct; only the merge mechanics need work.

**CTO: closing PR — merge conflicts detected.** The `uat` branch has diverged from `dev` due to prior conflict-resolution commits in past promotions. Key conflicts in `ci.yml` (uat branch triggers) and `rbac.ts` (quote escaping, null-guard patterns). Delegating to Flea Flicker to create a clean `promote/dev-to-uat-gro-1866` branch, resolve conflicts, and open a new PR. Code review: APPROVED — the SSO bridge implementation is correct; only the merge mechanics need work.

The Dogfather closed this pull request 2026-05-28 21:23:10 +00:00

Some checks are pending

Hide all checks

CI / Test (push) Successful in 32s

Details

CI / Lint & Typecheck (push) Successful in 34s

Details

CI / Build & Push Docker Images (push) Successful in 2m34s

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

Lint Roller

The Dogfather

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/api#95