feat: implement iCal calendar feed (GRO-107)

- Add icalToken column to staff table
- Add public calendar feed endpoint GET /api/calendar/:staffId.ics
- Add token management routes POST/DELETE /api/staff/:id/ical-token
- Hand-build iCal output (RFC 5545)
- Update staff factory with icalToken field

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/routes/calendar.ts

@@ -0,0 +1,135 @@
+import { Hono } from "hono";
+import { randomBytes } from "node:crypto";
+import {
+  and,
+  eq,
+  gte,
+  getDb,
+  appointments,
+  clients,
+  pets,
+  services,
+  staff,
+} from "@groombook/db";
+
+export const calendarRouter = new Hono();
+
+function formatIcalDate(date: Date): string {
+  return date.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
+}
+
+function escapeIcalText(text: string | null): string {
+  if (!text) return "";
+  return text.replace(/\\/g, "\\\\").replace(/;/g, "\\;").replace(/,/g, "\\,").replace(/\n/g, "\\n");
+}
+
+function buildIcalFeed(
+  appointments: Array<{
+    id: string;
+    startTime: Date;
+    endTime: Date;
+    status: string;
+    clientName: string | null;
+    petName: string | null;
+    serviceName: string | null;
+  }>,
+  staffName: string
+): string {
+  const lines: string[] = [
+    "BEGIN:VCALENDAR",
+    "VERSION:2.0",
+    "PRODID:-//GroomBook//EN",
+    "CALSCALE:GREGORIAN",
+    "METHOD:PUBLISH",
+    `X-WR-CALNAME:${escapeIcalText(staffName)} - GroomBook`,
+  ];
+
+  for (const appt of appointments) {
+    const status = appt.status === "cancelled" ? "CANCELLED" : "CONFIRMED";
+    const summary = `${appt.petName ?? "Pet"} - ${appt.serviceName ?? "Appointment"}`;
+    const description = `Client: ${appt.clientName ?? "Unknown"}\nPet: ${appt.petName ?? "Unknown"}\nService: ${appt.serviceName ?? "Unknown"}`;
+
+    lines.push(
+      "BEGIN:VEVENT",
+      `UID:${appt.id}@groombook`,
+      `DTSTAMP:${formatIcalDate(new Date())}`,
+      `DTSTART:${formatIcalDate(new Date(appt.startTime))}`,
+      `DTEND:${formatIcalDate(new Date(appt.endTime))}`,
+      `SUMMARY:${escapeIcalText(summary)}`,
+      `DESCRIPTION:${escapeIcalText(description)}`,
+      `STATUS:${status}`,
+      "END:VEVENT"
+    );
+  }
+
+  lines.push("END:VCALENDAR");
+  return lines.join("\r\n");
+}
+
+calendarRouter.get("/:staffId.ics", async (c) => {
+  const db = getDb();
+  const staffId = c.req.param("staffId") as string;
+  const token = c.req.query("token") as string;
+
+  if (!token) {
+    return c.json({ error: "Missing token parameter" }, 401);
+  }
+
+  const [staffMember] = await db
+    .select()
+    .from(staff)
+    .where(eq(staff.id, staffId))
+    .limit(1);
+
+  if (!staffMember || staffMember.icalToken !== token) {
+    return c.json({ error: "Invalid token" }, 401);
+  }
+
+  const now = new Date();
+  const rows = await db
+    .select()
+    .from(appointments)
+    .where(
+      and(
+        eq(appointments.staffId, staffId),
+        gte(appointments.startTime, now)
+      )
+    )
+    .orderBy(appointments.startTime);
+
+  const enriched = await Promise.all(
+    rows.map(async (appt) => {
+      const [client] = await db
+        .select({ name: clients.name })
+        .from(clients)
+        .where(eq(clients.id, appt.clientId))
+        .limit(1);
+      const [pet] = await db
+        .select({ name: pets.name })
+        .from(pets)
+        .where(eq(pets.id, appt.petId))
+        .limit(1);
+      const [service] = await db
+        .select({ name: services.name })
+        .from(services)
+        .where(eq(services.id, appt.serviceId))
+        .limit(1);
+      return {
+        ...appt,
+        clientName: client?.name ?? null,
+        petName: pet?.name ?? null,
+        serviceName: service?.name ?? null,
+      };
+    })
+  );
+
+  const ical = buildIcalFeed(enriched, staffMember.name);
+  return c.text(ical, 200, {
+    "Content-Type": "text/calendar; charset=utf-8",
+    "Content-Disposition": `attachment; filename="${staffMember.name.replace(/\s+/g, "_")}_calendar.ics"`,
+  });
+});
+
+export function generateIcalToken(): string {
+  return randomBytes(32).toString("hex");
+}

apps/api/src/routes/staff.ts

@@ -1,9 +1,11 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod";
+import { randomBytes } from "node:crypto";
 import { and, eq, getDb, ne, staff, appointments } from "@groombook/db";
+import type { AppEnv } from "../middleware/rbac.js";
 
-export const staffRouter = new Hono();
+export const staffRouter = new Hono<AppEnv>();
 
 const createStaffSchema = z.object({
   name: z.string().min(1).max(200),
@@ -86,3 +88,56 @@ staffRouter.delete("/:id", async (c) => {
   if (!row) return c.json({ error: "Not found" }, 404);
   return c.json({ ok: true });
 });
+
+staffRouter.post("/:id/ical-token", async (c) => {
+  const db = getDb();
+  const id = c.req.param("id");
+  const staffRow = c.get("staff");
+
+  if (staffRow.role !== "manager" && staffRow.id !== id) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+
+  const [member] = await db
+    .select()
+    .from(staff)
+    .where(eq(staff.id, id))
+    .limit(1);
+
+  if (!member) return c.json({ error: "Not found" }, 404);
+
+  const token = randomBytes(32).toString("hex");
+  const [updated] = await db
+    .update(staff)
+    .set({ icalToken: token, updatedAt: new Date() })
+    .where(eq(staff.id, id))
+    .returning();
+
+  if (!updated) return c.json({ error: "Not found" }, 404);
+  return c.json({ icalToken: updated.icalToken });
+});
+
+staffRouter.delete("/:id/ical-token", async (c) => {
+  const db = getDb();
+  const id = c.req.param("id");
+  const staffRow = c.get("staff");
+
+  if (staffRow.role !== "manager" && staffRow.id !== id) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+
+  const [member] = await db
+    .select()
+    .from(staff)
+    .where(eq(staff.id, id))
+    .limit(1);
+
+  if (!member) return c.json({ error: "Not found" }, 404);
+
+  await db
+    .update(staff)
+    .set({ icalToken: null, updatedAt: new Date() })
+    .where(eq(staff.id, id));
+
+  return c.json({ ok: true });
+});

packages/db/migrations/0016_ical_token.sql

@@ -0,0 +1 @@
+ALTER TABLE staff ADD COLUMN ical_token TEXT UNIQUE;

packages/db/src/factories.ts

@@ -52,6 +52,7 @@ export function buildStaff(overrides: Partial<StaffRow> = {}): StaffRow {
     oidcSub: `oidc-${id}`,
     role: "groomer",
     active: true,
+    icalToken: null,
     createdAt: new Date("2025-01-01T00:00:00Z"),
     updatedAt: new Date("2025-01-01T00:00:00Z"),
     ...overrides,

packages/db/src/schema.ts

@@ -106,6 +106,8 @@ export const staff = pgTable("staff", {
   oidcSub: text("oidc_sub").unique(),
   role: staffRoleEnum("role").notNull().default("groomer"),
   active: boolean("active").notNull().default(true),
+  // Token for iCal calendar feed subscription (no auth required)
+  icalToken: text("ical_token").unique(),
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });