feat: customizable business branding (name, logo, colors) (#63)

* feat: add customizable business branding (name, logo, colors)

Add admin settings for business branding with name, logo upload, and
color scheme via CSS custom properties. Includes database migration,
API endpoints, admin settings page, and dynamic branding in both
admin nav and customer portal.

Closes #61

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address review feedback on branding PR

- Replace dynamic import with static import for @groombook/db in public branding endpoint
- Restore active nav item background highlight (bg-stone-100) in CustomerPortal
- Remove non-null assertion in settings route, add proper error handling

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: trigger CI

* fix: resolve lint error and test failure for branding feature

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: update E2E tests for branding changes

- Update navigation test to expect "GroomBook" (default branding) instead
  of hardcoded "Paws & Reflect" since CustomerPortal now uses dynamic branding
- Add /api/branding mock to shared E2E fixtures so BrandingProvider resolves
  immediately in all tests, preventing unhandled fetch interference

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: GroomBook CTO <cto@groombook.dev>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: GroomBook CTO <cto@groombook.app>

apps/api/src/index.ts

@@ -12,6 +12,8 @@ import { bookRouter } from "./routes/book.js";
 import { reportsRouter } from "./routes/reports.js";
 import { appointmentGroupsRouter } from "./routes/appointmentGroups.js";
 import { groomingLogsRouter } from "./routes/groomingLogs.js";
+import { settingsRouter } from "./routes/settings.js";
+import { getDb, businessSettings } from "@groombook/db";
 import { authMiddleware } from "./middleware/auth.js";
 import { devRouter } from "./routes/dev.js";
 import { startReminderScheduler } from "./services/reminders.js";
@@ -37,6 +39,20 @@ app.route("/api/book", bookRouter);
 // Dev/demo routes — config is always public, users endpoint is guarded internally
 app.route("/api/dev", devRouter);
 
+// Public branding endpoint — no auth required, returns business name/colors/logo
+app.get("/api/branding", async (c) => {
+  const db = getDb();
+  const [row] = await db.select().from(businessSettings).limit(1);
+  const settings = row ?? { businessName: "GroomBook", primaryColor: "#4f8a6f", accentColor: "#8b7355", logoBase64: null, logoMimeType: null };
+  return c.json({
+    businessName: settings.businessName,
+    primaryColor: settings.primaryColor,
+    accentColor: settings.accentColor,
+    logoBase64: settings.logoBase64,
+    logoMimeType: settings.logoMimeType,
+  });
+});
+
 // Protected API routes
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
@@ -50,6 +66,7 @@ api.route("/invoices", invoicesRouter);
 api.route("/reports", reportsRouter);
 api.route("/appointment-groups", appointmentGroupsRouter);
 api.route("/grooming-logs", groomingLogsRouter);
+api.route("/admin/settings", settingsRouter);
 
 const port = Number(process.env.PORT ?? 3000);
 console.log(`API server listening on port ${port}`);

apps/api/src/routes/settings.ts

@@ -0,0 +1,60 @@
+import { Hono } from "hono";
+import { zValidator } from "@hono/zod-validator";
+import { z } from "zod";
+import { eq, getDb, businessSettings } from "@groombook/db";
+
+export const settingsRouter = new Hono();
+
+// GET /api/admin/settings — return current business settings
+settingsRouter.get("/", async (c) => {
+  const db = getDb();
+  const [row] = await db.select().from(businessSettings).limit(1);
+  if (!row) {
+    // Auto-create default settings if none exist
+    const [created] = await db.insert(businessSettings).values({}).returning();
+    return c.json(created);
+  }
+  return c.json(row);
+});
+
+const hexColorRegex = /^#[0-9a-fA-F]{6}$/;
+
+const updateSettingsSchema = z.object({
+  businessName: z.string().min(1).max(200).optional(),
+  primaryColor: z.string().regex(hexColorRegex, "Must be a hex color like #4f8a6f").optional(),
+  accentColor: z.string().regex(hexColorRegex, "Must be a hex color like #8b7355").optional(),
+  logoBase64: z.string().max(700_000).nullable().optional(), // ~512KB base64
+  logoMimeType: z
+    .enum(["image/png", "image/svg+xml", "image/jpeg", "image/webp"])
+    .nullable()
+    .optional(),
+});
+
+// PATCH /api/admin/settings — update business settings
+settingsRouter.patch(
+  "/",
+  zValidator("json", updateSettingsSchema),
+  async (c) => {
+    const db = getDb();
+    const body = c.req.valid("json");
+
+    // Get or create the settings row
+    const rows = await db.select().from(businessSettings).limit(1);
+    let settingsId: string;
+    if (rows[0]) {
+      settingsId = rows[0].id;
+    } else {
+      const [inserted] = await db.insert(businessSettings).values({}).returning();
+      if (!inserted) throw new Error("Failed to create default settings");
+      settingsId = inserted.id;
+    }
+
+    const [updated] = await db
+      .update(businessSettings)
+      .set({ ...body, updatedAt: new Date() })
+      .where(eq(businessSettings.id, settingsId))
+      .returning();
+
+    return c.json(updated);
+  }
+);