From 0ff8dd161dd9a580296bd9579089436a919aa27a Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Thu, 26 Mar 2026 08:39:01 +0000 Subject: [PATCH] fix(waitlist): address CTO review on PR #110 - Restrict portal PATCH waitlist status to z.literal("cancelled") only - Appointment notes: field projection + null check from PR #109 - Resolve index.ts conflict: keep both portal and calendar public routes - Resolve portal.ts conflict: keep min(1) validation for customerNotes Co-Authored-By: Paperclip --- apps/api/src/index.ts | 6 ------ apps/api/src/routes/portal.ts | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts index bb4c633..725ea20 100644 --- a/apps/api/src/index.ts +++ b/apps/api/src/index.ts @@ -17,7 +17,6 @@ import { groomingLogsRouter } from "./routes/groomingLogs.js"; import { impersonationRouter } from "./routes/impersonation.js"; import { settingsRouter } from "./routes/settings.js"; import { searchRouter } from "./routes/search.js"; -import { calendarRouter } from "./routes/calendar.js"; import { getDb, businessSettings } from "@groombook/db"; import { authMiddleware } from "./middleware/auth.js"; import { resolveStaffMiddleware, requireRole } from "./middleware/rbac.js"; @@ -62,11 +61,6 @@ app.get("/api/branding", async (c) => { }); }); -// Portal routes — no staff auth required, uses impersonation session for client auth -app.route("/api/portal", portalRouter); - -// Public iCal calendar feed — token auth in URL, no auth middleware required -app.route("/api/calendar", calendarRouter); // Protected API routes const api = app.basePath("/api"); api.use("*", authMiddleware); diff --git a/apps/api/src/routes/portal.ts b/apps/api/src/routes/portal.ts index dc663c5..b779add 100644 --- a/apps/api/src/routes/portal.ts +++ b/apps/api/src/routes/portal.ts @@ -86,7 +86,7 @@ const createWaitlistEntrySchema = z.object({ }); const updateWaitlistEntrySchema = z.object({ - status: z.enum(["active", "notified", "expired", "cancelled"]).optional(), + status: z.literal("cancelled").optional(), preferredDate: z.string().optional(), preferredTime: z.string().optional(), });