Revert RBAC/authorization changes in appointmentGroups and groomingLogs

These files are out of scope for the input validation PR. Only the 5-route validation changes (invoices, book, appointments, services, stripe-webhooks) should be included. Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(stripe-webhooks): validate invoice IDs as UUIDs before DB lookup
2026-04-15 02:09:29 +00:00 · 2026-04-14 14:00:02 +00:00 · 2026-04-14 13:59:59 +00:00 · 2026-04-14 13:59:54 +00:00 · 2026-04-14 13:59:51 +00:00 · 2026-04-14 13:59:50 +00:00
34 changed files with 406 additions and 1166 deletions
@@ -7,5 +7,3 @@ apps/web/dist
 apps/api/dist
 packages/db/dist
 packages/types/dist
 .turbo
 screenshots/
@@ -20,8 +20,6 @@ jobs:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'
      - uses: actions/setup-node@v4
        with:
@@ -44,8 +42,6 @@ jobs:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'
      - uses: actions/setup-node@v4
        with:
@@ -66,8 +62,6 @@ jobs:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'
      - uses: actions/setup-node@v4
        with:
@@ -107,8 +101,6 @@ jobs:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'
      - uses: actions/setup-node@v4
        with:
@@ -246,6 +238,7 @@ jobs:
          echo "Deploying images tagged $TAG to groombook-dev..."
          # Run migration with PR image
          kubectl delete job migrate-schema -n groombook-dev --ignore-not-found
          kubectl delete job "migrate-pr-$PR_NUM" -n groombook-dev --ignore-not-found
          cat <<EOF | kubectl apply -n groombook-dev -f -
          apiVersion: batch/v1
@@ -310,8 +303,6 @@ jobs:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'
      - uses: actions/setup-node@v4
        with:
@@ -418,12 +409,7 @@ jobs:
          git push -u origin "chore/update-image-tags-${TAG}"
-          # Check if PR already exists for this branch
+          # Create PR and merge immediately (no required checks on groombook/infra)
          EXISTING_PR=$(gh pr list --repo groombook/infra --head "chore/update-image-tags-${TAG}" --state open --json number -q '.[0].number' || true)
          if [ -n "$EXISTING_PR" ]; then
            echo "PR #$EXISTING_PR already exists for this tag, merging existing PR"
            gh pr merge "$EXISTING_PR" --repo groombook/infra --merge
          else
          PR_URL=$(gh pr create \
            --repo groombook/infra \
            --base main \
@@ -431,4 +417,3 @@ jobs:
            --title "chore: deploy ${TAG} to dev" \
            --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
          gh pr merge "$PR_URL" --merge
          fi
@@ -14,29 +14,7 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    steps:
      - name: Validate tag format
        run: |
          TAG="${{ inputs.tag }}"
          if ! echo "$TAG" | grep -qE '^[0-9]{4}\.[0-9]{2}\.[0-9]{2}-[a-f0-9]{7}$'; then
            echo "::error::Invalid tag format: '$TAG'. Expected format: YYYY.MM.DD-sha7 (e.g. 2026.03.28-f1b85bf)"
            exit 1
          fi
          echo "Tag format valid: $TAG"
      - name: Verify image exists in GHCR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="${{ inputs.tag }}"
          # Check that the API image exists — if API was pushed, web/migrate were too
          if ! gh api "/orgs/groombook/packages/container/api/versions" --jq ".[].metadata.container.tags[]" 2>/dev/null | grep -qF "$TAG"; then
            echo "::error::Image ghcr.io/groombook/api:$TAG not found in GHCR. Verify the tag was built and pushed."
            exit 1
          fi
          echo "Image verified: ghcr.io/groombook/api:$TAG exists"
      - name: Generate infra repo token
        id: infra-token
        uses: tibdex/github-app-token@v2
@@ -12,7 +12,6 @@ RUN pnpm install --frozen-lockfile
 # Build
 FROM deps AS builder
 RUN mkdir -p /home/node/.cache/node/corepack
 COPY packages/ packages/
 COPY apps/api/ apps/api/
 RUN pnpm --filter @groombook/types build && \
@@ -35,9 +34,6 @@ COPY --from=builder /app/packages/types/dist packages/types/dist
 RUN pnpm install --frozen-lockfile --prod
 EXPOSE 3000
 RUN apk add --no-cache curl
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1
 CMD ["node", "apps/api/dist/index.js"]
 # Migrate stage — runs drizzle-kit migrate against the database
@@ -23,7 +23,6 @@
    "node-cron": "^3.0.3",
    "nodemailer": "^6.9.16",
    "stripe": "^22.0.0",
    "telnyx": "^1.23.0",
    "zod": "^4.3.6"
  },
@@ -27,14 +27,12 @@ const DISABLED_CLIENT = {
 // ─── Queue-based mock DB ──────────────────────────────────────────────────────
 let selectRows: Record<string, unknown>[] = [];
 let appointmentRows: Record<string, unknown>[] = [];
 let insertedValues: Record<string, unknown>[] = [];
 let updatedValues: Record<string, unknown>[] = [];
 let deletedId: string | null = null;
 function resetMock() {
  selectRows = [];
  appointmentRows = [];
  insertedValues = [];
  updatedValues = [];
  deletedId = null;
@@ -60,19 +58,10 @@ vi.mock("@groombook/db", () => {
    { get: (t, p) => (p === "_name" ? "clients" : { table: "clients", column: p }) }
  );
  const appointments = new Proxy(
    { _name: "appointments" },
    { get: (t, p) => (p === "_name" ? "appointments" : { table: "appointments", column: p }) }
  );
  return {
    getDb: () => ({
      select: () => ({
-        from: (table: unknown) => {
+        from: () => makeChainable(selectRows),
          const tableName = (table as { _name?: string })._name;
          const rows = tableName === "appointments" ? appointmentRows : selectRows;
          return makeChainable(rows);
        },
      }),
      insert: () => ({
        values: (vals: Record<string, unknown>) => {
@@ -106,10 +95,8 @@ vi.mock("@groombook/db", () => {
      }),
    }),
    clients,
    appointments,
    eq: vi.fn(),
    and: vi.fn(),
    or: vi.fn(),
  };
 });
@@ -195,11 +182,10 @@ describe("POST /clients", () => {
    expect(insertedValues[0]!.name).toBe("Charlie");
  });
-  it("creates a client with name and email", async () => {
+  it("creates a client with only required name field", async () => {
-    const res = await jsonRequest("POST", "/clients", { name: "Dana", email: "dana@example.com" });
+    const res = await jsonRequest("POST", "/clients", { name: "Dana" });
    expect(res.status).toBe(201);
    expect(insertedValues[0]!.name).toBe("Dana");
    expect(insertedValues[0]!.email).toBe("dana@example.com");
  });
  it("rejects empty name", async () => {
@@ -68,7 +68,6 @@ vi.mock("@groombook/db", () => {
    }),
    appointments,
    eq: () => ({}),
    and: (..._clauses: unknown[]) => ({}),
  };
 });
@@ -78,7 +78,6 @@ vi.mock("@groombook/db", () => {
    }),
    staff,
    eq: vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val })),
    and: vi.fn((..._clauses: unknown[]) => ({})),
  };
 });
@@ -363,7 +362,7 @@ describe("requireRoleOrSuperUser", () => {
    const res = await app.request("/test");
    expect(res.status).toBe(403);
    const body = await res.json();
-    expect(body.error).toMatch(/role.*not permitted/i);
+    expect(body.error).toMatch(/super user privileges required/i);
  });
  it("blocks a non-super-user groomer from manager-only routes", async () => {
@@ -371,7 +370,7 @@ describe("requireRoleOrSuperUser", () => {
    const res = await app.request("/test");
    expect(res.status).toBe(403);
    const body = await res.json();
-    expect(body.error).toMatch(/role.*not permitted/i);
+    expect(body.error).toMatch(/super user privileges required/i);
  });
  it("allows a manager with multiple allowed roles", async () => {
@@ -33,26 +33,11 @@ import { webhooksRouter } from "./routes/stripe-webhooks.js";
 const app = new Hono();
 // Global middleware
 const TRUSTED_ORIGINS = (process.env.CORS_ORIGIN ?? "http://localhost:5173")
  .split(",")
  .map((o) => o.trim());
 const ALLOWED_ORIGIN = process.env.CORS_ORIGIN ?? "http://localhost:5173";
 app.use("*", logger());
 app.use(
  "/api/*",
  cors({
-    origin: (origin, ctx) => {
+    origin: process.env.CORS_ORIGIN ?? "http://localhost:5173",
      if (!origin) {
        return ALLOWED_ORIGIN;
      }
      if (TRUSTED_ORIGINS.includes(origin)) {
        return origin;
      }
      ctx.status(403);
      return null;
    },
    credentials: true,
  })
 );
@@ -202,24 +187,9 @@ api.route("/search", searchRouter);
 const port = Number(process.env.PORT ?? 3000);
 await initAuth();
 console.log(`API server listening on port ${port}`);
-const server = serve({ fetch: app.fetch, port });
+serve({ fetch: app.fetch, port });
 // Start background reminder scheduler (runs every minute to check for upcoming appointments)
 startReminderScheduler();
 function shutdown() {
  console.log("Shutting down gracefully...");
  server.close(() => {
    console.log("HTTP server closed");
    process.exit(0);
  });
  setTimeout(() => {
    console.error("Forced shutdown after timeout");
    process.exit(1);
  }, 10_000);
 }
 process.on("SIGTERM", shutdown);
 process.on("SIGINT", shutdown);
 export default app;
@@ -89,7 +89,7 @@ export async function initAuth(): Promise<void> {
      console.warn("[auth] AUTH_DISABLED=true — building placeholder auth instance");
      authInstance = betterAuth({
        database: drizzleAdapter(getDb(), { provider: "pg" }),
-        secret: BETTER_AUTH_SECRET!,
+        secret: BETTER_AUTH_SECRET ?? "placeholder-secret-do-not-use-in-prod",
        baseURL: BETTER_AUTH_URL,
        rateLimit: {
          enabled: true,
@@ -177,9 +177,9 @@ export async function initAuth(): Promise<void> {
    const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
    const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);
-    const issuerUrlObj = new URL(providerConfig.issuerUrl);
+    // Fetch OIDC discovery document to derive canonical provider URLs.
-    const issuerHostname = issuerUrlObj.hostname;
+    // Replace the host of token/userinfo endpoints with internalBaseUrl when set,
-
+    // while keeping authorizationUrl public for browser redirects.
    const discoveryUrlStr = `${providerConfig.issuerUrl}/.well-known/openid-configuration`;
    let oidcConfig: Record<string, string> = {};
    try {
@@ -203,14 +203,6 @@ export async function initAuth(): Promise<void> {
        const tokenUrl = discovery.token_endpoint;
        const userInfoUrl = discovery.userinfo_endpoint;
        if (authzUrl && tokenUrl && userInfoUrl) {
          const authzUrlObj = new URL(authzUrl);
          // Only validate authorizationUrl hostname against issuer — token/userinfo
          // may legitimately use internal hostnames (OIDC_INTERNAL_BASE) for server-to-server calls.
          if (authzUrlObj.hostname !== issuerHostname) {
            throw new Error(
              `[FATAL] OIDC discovery URL hostname mismatch: expected '${issuerHostname}' but got '${authzUrlObj.hostname}'. This may indicate a man-in-the-middle attack.`
            );
          }
          oidcConfig = {
            authorizationUrl: authzUrl,
            tokenUrl: providerConfig.internalBaseUrl
@@ -1,45 +0,0 @@
 import type { MiddlewareHandler } from "hono";
 import { getDb, impersonationAuditLogs } from "@groombook/db";
 import type { PortalEnv } from "./portalSession.js";
 /**
 * Server-side audit logging middleware for portal routes.
 * Applied after validatePortalSession in the middleware chain.
 *
 * After the route handler completes (await next()), inserts an audit log entry
 * into impersonationAuditLogs:
 *   - sessionId: from c.get("portalSessionId")
 *   - action: "{METHOD} {routePath}" (e.g., "GET /portal/appointments")
 *   - pageVisited: c.req.path
 *   - metadata: { method, statusCode: c.res.status }
 *
 * Log entries are written for both success and error responses.
 * Does NOT throw if audit logging fails — errors are logged but the user's
 * request is not affected.
 */
 export const portalAudit: MiddlewareHandler<PortalEnv> = async (c, next) => {
  await next();
  const sessionId = c.get("portalSessionId");
  if (!sessionId) return;
  const method = c.req.method;
  const routePath = c.req.path;
  const pageVisited = c.req.path;
  const statusCode = c.res.status;
  try {
    const db = getDb();
    await db
      .insert(impersonationAuditLogs)
      .values({
        sessionId,
        action: `${method} ${routePath}`,
        pageVisited,
        metadata: { method, statusCode },
      })
      .returning();
  } catch (err) {
    console.error("[portalAudit] Failed to write audit log:", err);
  }
 };
@@ -1,40 +0,0 @@
 import type { MiddlewareHandler } from "hono";
 import { and, eq, getDb, impersonationSessions } from "@groombook/db";
 export interface PortalEnv {
  Variables: {
    portalClientId: string;
    portalSessionId: string;
  };
 }
 /**
 * Validates the X-Impersonation-Session-Id header against the impersonationSessions table.
 * Must be applied to all portal routes.
 *
 * Reads x-session-id from request headers, queries impersonationSessions for a row where
 * id = sessionId AND status = 'active', and checks session.expiresAt > new Date().
 * Returns 401 if session is invalid/missing/expired.
 * On success, sets c.set("portalClientId", session.clientId) and c.set("portalSessionId", session.id).
 */
 export const validatePortalSession: MiddlewareHandler<PortalEnv> = async (c, next) => {
  const sessionId = c.req.header("X-Impersonation-Session-Id");
  if (!sessionId) {
    return c.json({ error: "Unauthorized" }, 401);
  }
  const db = getDb();
  const [session] = await db
    .select()
    .from(impersonationSessions)
    .where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
    .limit(1);
  if (!session || session.expiresAt <= new Date()) {
    return c.json({ error: "Unauthorized" }, 401);
  }
  c.set("portalClientId", session.clientId);
  c.set("portalSessionId", session.id);
  await next();
 };
@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, sql, staff } from "@groombook/db";
+import { eq, getDb, staff } from "@groombook/db";
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -89,31 +89,14 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
    .select()
    .from(staff)
    .where(eq(staff.oidcSub, jwt.sub));
-  if (fallbackRow) {
+  if (!fallbackRow) {
    c.set("staff", fallbackRow);
    await next();
    return;
  }
  // Auto-link by email: staff record exists with matching email but no userId
  if (jwt.email) {
    const [byEmail] = await db
      .select()
      .from(staff)
      .where(and(eq(staff.email, jwt.email), sql`${staff.userId} IS NULL`));
    if (byEmail) {
      await db
        .update(staff)
        .set({ userId: jwt.sub, updatedAt: new Date() })
        .where(eq(staff.id, byEmail.id));
      c.set("staff", { ...byEmail, userId: jwt.sub });
      await next();
      return;
    }
  }
    return c.json(
      { error: "Forbidden: no staff record found for authenticated user" },
      403
    );
  }
  c.set("staff", fallbackRow);
  await next();
 };
 /**
@@ -166,9 +149,9 @@ export function requireRoleOrSuperUser(
    }
    return c.json(
      {
-        error: hasAllowedRole
+        error: staffRow.isSuperUser
-          ? "Forbidden: super user privileges required"
+          ? `Forbidden: role '${staffRow.role}' is not permitted`
-          : `Forbidden: role '${staffRow.role}' is not permitted`,
+          : "Forbidden: super user privileges required",
      },
      403
    );
@@ -23,27 +23,6 @@ import { buildConfirmationEmail, sendEmail } from "../services/email.js";
 import { notifyWaitlistForAppointment } from "../services/waitlistNotify.js";
 import type { AppEnv } from "../middleware/rbac.js";
 async function withRetry<T>(
  fn: () => Promise<T>,
  maxRetries: number,
  delayMs: number,
  context: string
 ): Promise<void> {
  let lastError: unknown;
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    try {
      await fn();
      return;
    } catch (err) {
      lastError = err;
      if (attempt < maxRetries) {
        await new Promise((resolve) => setTimeout(resolve, delayMs));
      }
    }
  }
  console.error(`[appointments] ${context}: ${lastError}`);
 }
 export const appointmentsRouter = new Hono<AppEnv>();
 const createAppointmentSchema = z.object({
@@ -188,8 +167,9 @@ appointmentsRouter.post(
          }
        }
        // Check batherStaffId conflicts if set
        if (apptFields.batherStaffId) {
-          const bathConflicts = await tx
+          const conflicts = await tx
            .select({ id: appointments.id })
            .from(appointments)
            .where(
@@ -205,7 +185,7 @@ appointmentsRouter.post(
              )
            )
            .limit(1);
-          if (bathConflicts.length > 0) {
+          if (conflicts.length > 0) {
            throw Object.assign(new Error("conflict"), { statusCode: 409 });
          }
        }
@@ -233,54 +213,11 @@ appointmentsRouter.post(
          recurrence.frequencyWeeks * 7 * 24 * 60 * 60 * 1000;
        let first: typeof appointments.$inferSelect | undefined;
        const conflictingInstances: number[] = [];
        for (let i = 0; i < recurrence.count; i++) {
          const instanceStart = new Date(start.getTime() + i * intervalMs);
          const instanceEnd = new Date(
            instanceStart.getTime() + durationMs
          );
          if (apptFields.staffId) {
            const conflicts = await tx
              .select({ id: appointments.id })
              .from(appointments)
              .where(
                and(
                  eq(appointments.staffId, apptFields.staffId),
                  lt(appointments.startTime, instanceEnd),
                  gte(appointments.endTime, instanceStart),
                  ne(appointments.status, "cancelled"),
                  ne(appointments.status, "no_show"),
                )
              )
              .limit(1);
            if (conflicts.length > 0) {
              conflictingInstances.push(i);
            }
          }
          if (apptFields.batherStaffId) {
            const conflicts = await tx
              .select({ id: appointments.id })
              .from(appointments)
              .where(
                and(
                  or(
                    eq(appointments.staffId, apptFields.batherStaffId),
                    eq(appointments.batherStaffId, apptFields.batherStaffId)
                  ),
                  lt(appointments.startTime, instanceEnd),
                  gte(appointments.endTime, instanceStart),
                  ne(appointments.status, "cancelled"),
                  ne(appointments.status, "no_show"),
                )
              )
              .limit(1);
            if (conflicts.length > 0) {
              conflictingInstances.push(i);
            }
          }
          const [inserted] = await tx
            .insert(appointments)
            .values({
@@ -291,19 +228,9 @@ appointmentsRouter.post(
              seriesIndex: i,
            })
            .returning();
          if (!inserted) throw new Error(`Insert failed for occurrence ${i}`);
          if (i === 0) first = inserted;
        }
        if (conflictingInstances.length > 0) {
          throw Object.assign(
            new Error(
              `Conflicts detected at occurrence(s): ${conflictingInstances.join(", ")}`
            ),
            { statusCode: 409 }
          );
        }
        if (!first) throw new Error("No appointments created");
        return first;
      });
@@ -321,12 +248,9 @@ appointmentsRouter.post(
    }
    // Send confirmation email (fire-and-forget — never fails the request)
-    withRetry(
+    sendConfirmationEmail(db, firstRow).catch((err) => {
-      () => sendConfirmationEmail(db, firstRow),
+      console.error("[appointments] Failed to send confirmation email:", err);
-      2,
+    });
      1000,
      `Failed to send confirmation email for appointment ${firstRow.id}`
    );
    return c.json(firstRow, 201);
  }
@@ -338,35 +262,44 @@ async function sendConfirmationEmail(
  db: ReturnType<typeof getDb>,
  appt: typeof appointments.$inferSelect
 ): Promise<void> {
-  const [row] = await db
+  const [client] = await db
-    .select({
+    .select({ name: clients.name, email: clients.email, emailOptOut: clients.emailOptOut })
-      clientName: clients.name,
+    .from(clients)
-      clientEmail: clients.email,
+    .where(eq(clients.id, appt.clientId))
      clientEmailOptOut: clients.emailOptOut,
      petName: pets.name,
      serviceName: services.name,
      groomerName: staff.name,
    })
    .from(appointments)
    .innerJoin(clients, eq(clients.id, appointments.clientId))
    .innerJoin(pets, eq(pets.id, appointments.petId))
    .innerJoin(services, eq(services.id, appointments.serviceId))
    .leftJoin(staff, eq(staff.id, appointments.staffId))
    .where(eq(appointments.id, appt.id))
    .limit(1);
-  if (!row) return;
+  if (!client || !client.email || client.emailOptOut) return;
  const { clientName, clientEmail, clientEmailOptOut, petName, serviceName, groomerName } = row;
-  if (!clientEmail || clientEmailOptOut) return;
+  const [pet] = await db
-  if (!petName || !serviceName) return;
+    .select({ name: pets.name })
    .from(pets)
    .where(eq(pets.id, appt.petId))
    .limit(1);
  const [service] = await db
    .select({ name: services.name })
    .from(services)
    .where(eq(services.id, appt.serviceId))
    .limit(1);
  let groomerName: string | null = null;
  if (appt.staffId) {
    const [groomer] = await db
      .select({ name: staff.name })
      .from(staff)
      .where(eq(staff.id, appt.staffId))
      .limit(1);
    groomerName = groomer?.name ?? null;
  }
  if (!pet || !service) return;
  const sent = await sendEmail(
-    buildConfirmationEmail(clientEmail, {
+    buildConfirmationEmail(client.email, {
-      clientName,
+      clientName: client.name,
-      petName,
+      petName: pet.name,
-      serviceName,
+      serviceName: service.name,
-      groomerName: groomerName ?? null,
+      groomerName,
      startTime: appt.startTime,
    })
  );
@@ -446,76 +379,6 @@ appointmentsRouter.patch(
          let firstUpdated: typeof appointments.$inferSelect | undefined;
          for (const appt of affected) {
            const newStart =
              startDeltaMs !== 0
                ? new Date(appt.startTime.getTime() + startDeltaMs)
                : appt.startTime;
            const newEnd =
              endDeltaMs !== 0
                ? new Date(appt.endTime.getTime() + endDeltaMs)
                : appt.endTime;
            const newStaffId =
              updateFields.staffId !== undefined
                ? updateFields.staffId
                : appt.staffId;
            const newBatherStaffId =
              updateFields.batherStaffId !== undefined
                ? updateFields.batherStaffId
                : appt.batherStaffId;
            if (
              newStaffId &&
              (startDeltaMs !== 0 ||
                endDeltaMs !== 0 ||
                updateFields.staffId !== undefined)
            ) {
              const conflicts = await tx
                .select({ id: appointments.id })
                .from(appointments)
                .where(
                  and(
                    eq(appointments.staffId, newStaffId),
                    lt(appointments.startTime, newEnd),
                    gte(appointments.endTime, newStart),
                    ne(appointments.status, "cancelled"),
                    ne(appointments.status, "no_show"),
                    ne(appointments.id, appt.id),
                  )
                )
                .limit(1);
              if (conflicts.length > 0) {
                throw Object.assign(new Error("conflict"), { statusCode: 409 });
              }
            }
            if (
              newBatherStaffId &&
              (startDeltaMs !== 0 ||
                endDeltaMs !== 0 ||
                updateFields.batherStaffId !== undefined)
            ) {
              const conflicts = await tx
                .select({ id: appointments.id })
                .from(appointments)
                .where(
                  and(
                    or(
                      eq(appointments.staffId, newBatherStaffId),
                      eq(appointments.batherStaffId, newBatherStaffId)
                    ),
                    lt(appointments.startTime, newEnd),
                    gte(appointments.endTime, newStart),
                    ne(appointments.status, "cancelled"),
                    ne(appointments.status, "no_show"),
                    ne(appointments.id, appt.id),
                  )
                )
                .limit(1);
              if (conflicts.length > 0) {
                throw Object.assign(new Error("conflict"), { statusCode: 409 });
              }
            }
            const apptUpdate: Record<string, unknown> = {
              updatedAt: new Date(),
            };
@@ -551,13 +414,6 @@ appointmentsRouter.patch(
        if (statusCode === 404) return c.json({ error: "Not found" }, 404);
        if (statusCode === 422)
          return c.json({ error: "endTime must be after startTime" }, 422);
        if (statusCode === 409)
          return c.json(
            {
              error: "Staff member has a conflicting appointment at this time",
            },
            409
          );
        throw err;
      }
@@ -569,8 +425,7 @@ appointmentsRouter.patch(
    const needsConflictCheck =
      updateFields.startTime !== undefined ||
      updateFields.endTime !== undefined ||
-      updateFields.staffId !== undefined ||
+      updateFields.staffId !== undefined;
      updateFields.batherStaffId !== undefined;
    const update: Record<string, unknown> = {
      ...updateFields,
@@ -606,11 +461,6 @@ appointmentsRouter.patch(
            updateFields.staffId !== undefined
              ? updateFields.staffId
              : current.staffId;
          // Use provided batherStaffId (may be null to unassign); fall back to existing
          const batherStaffId =
            updateFields.batherStaffId !== undefined
              ? updateFields.batherStaffId
              : current.batherStaffId;
          if (end <= start) {
            throw Object.assign(new Error("end before start"), {
@@ -638,8 +488,13 @@ appointmentsRouter.patch(
            }
          }
          // Check batherStaffId conflicts if being updated or already set
          const batherStaffId =
            updateFields.batherStaffId !== undefined
              ? updateFields.batherStaffId
              : current.batherStaffId;
          if (batherStaffId) {
-            const bathConflicts = await tx
+            const conflicts = await tx
              .select({ id: appointments.id })
              .from(appointments)
              .where(
@@ -656,7 +511,7 @@ appointmentsRouter.patch(
                )
              )
              .limit(1);
-            if (bathConflicts.length > 0) {
+            if (conflicts.length > 0) {
              throw Object.assign(new Error("conflict"), { statusCode: 409 });
            }
          }
@@ -735,12 +590,9 @@ appointmentsRouter.delete("/:id", async (c) => {
    const apptDate = current.startTime.toISOString().slice(0, 10);
    const apptTime = current.startTime.toLocaleTimeString("en-US", { hour: "2-digit", minute: "2-digit", hour12: true });
-    withRetry(
+    notifyWaitlistForAppointment(id, apptDate, apptTime, current.serviceId).catch((err) => {
-      () => notifyWaitlistForAppointment(id, apptDate, apptTime, current.serviceId),
+      console.error("[appointments] Failed to notify waitlist:", err);
-      2,
+    });
      1000,
      `Failed to notify waitlist for appointment ${id}`
    );
    return c.json({ ok: true });
  }
@@ -763,12 +615,9 @@ appointmentsRouter.delete("/:id", async (c) => {
    .returning();
  if (!row) return c.json({ error: "Not found" }, 404);
-  withRetry(
+  notifyWaitlistForAppointment(id, apptDate, apptTime, current.serviceId).catch((err) => {
-    () => notifyWaitlistForAppointment(id, apptDate, apptTime, current.serviceId),
+    console.error("[appointments] Failed to notify waitlist:", err);
-    2,
+  });
    1000,
    `Failed to notify waitlist for appointment ${id}`
  );
  return c.json({ ok: true });
 });
@@ -268,36 +268,29 @@ bookRouter.get("/confirm/:token", async (c) => {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
  // Reject if appointment is in the past
  if (appt.startTime < new Date()) {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
  // Idempotent confirm: if already confirmed, redirect to success
  if (appt.confirmationStatus === "confirmed") {
    return c.redirect(`${BASE_URL()}/booking/confirmed`);
  }
  // Reject if already cancelled
  if (appt.confirmationStatus === "cancelled") {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
-  const updated = await db
+  await db
    .update(appointments)
    .set({
      confirmationStatus: "confirmed",
      confirmedAt: new Date(),
      updatedAt: new Date(),
    })
-    .where(
+    .where(eq(appointments.id, appt.id));
      and(
        eq(appointments.confirmationToken, token),
        eq(appointments.confirmationStatus, "pending")
      )
    )
    .returning();
  if (updated.length === 0) {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
  return c.redirect(`${BASE_URL()}/booking/confirmed`);
 });
@@ -319,15 +312,19 @@ bookRouter.get("/cancel/:token", async (c) => {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
  // Reject if appointment is in the past
  if (appt.startTime < new Date()) {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
  // Reject if already cancelled (token was nullified — this path won't normally hit,
  // but guard against edge cases where token lookup still works)
  if (appt.confirmationStatus === "cancelled") {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
-  const updated = await db
+  // Single-use cancellation: nullify token after use
  await db
    .update(appointments)
    .set({
      confirmationStatus: "cancelled",
@@ -335,17 +332,7 @@ bookRouter.get("/cancel/:token", async (c) => {
      confirmationToken: null,
      updatedAt: new Date(),
    })
-    .where(
+    .where(eq(appointments.id, appt.id));
      and(
        eq(appointments.confirmationToken, token),
        eq(appointments.confirmationStatus, "pending")
      )
    )
    .returning();
  if (updated.length === 0) {
    return c.redirect(`${BASE_URL()}/booking/error`);
  }
  return c.redirect(`${BASE_URL()}/booking/cancelled`);
 });
@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import { randomBytes, timingSafeEqual } from "node:crypto";
+import { randomBytes } from "node:crypto";
 import {
  and,
  eq,
@@ -84,18 +84,7 @@ calendarRouter.get("/:staffId.ics", async (c) => {
    .where(eq(staff.id, staffId))
    .limit(1);
-  if (!staffMember || !staffMember.icalToken) {
+  if (!staffMember || staffMember.icalToken !== token) {
    return c.text("Unauthorized", 401);
  }
  const storedToken = staffMember.icalToken;
  const incomingToken = token;
  const storedBuf = Buffer.from(storedToken, "utf8");
  const incomingBuf = Buffer.from(incomingToken, "utf8");
  if (
    storedBuf.length !== incomingBuf.length ||
    !timingSafeEqual(storedBuf, incomingBuf)
  ) {
    return c.text("Unauthorized", 401);
  }
@@ -8,12 +8,10 @@ export const clientsRouter = new Hono<AppEnv>();
 const createClientSchema = z.object({
  name: z.string().min(1).max(200),
-  email: z.string().email(),
+  email: z.string().email().optional(),
  phone: z.string().max(50).optional(),
  address: z.string().max(500).optional(),
  notes: z.string().max(2000).optional(),
  smsOptIn: z.boolean().optional(),
  smsConsentText: z.string().max(1000).optional(),
 });
@@ -97,7 +95,6 @@ clientsRouter.post("/", zValidator("json", createClientSchema), async (c) => {
 // Update a client (including status changes)
 const patchClientSchema = createClientSchema.partial().extend({
  status: z.enum(["active", "disabled"]).optional(),
  smsOptOut: z.boolean().optional(),
 });
 clientsRouter.patch(
@@ -110,19 +107,13 @@ clientsRouter.patch(
    const setValues: Record<string, unknown> = { ...body, updatedAt: now };
    // When disabling, set disabledAt; when re-enabling, clear it
    if (body.status === "disabled") {
      setValues.disabledAt = now;
    } else if (body.status === "active") {
      setValues.disabledAt = null;
    }
    if (body.smsOptOut === true) {
      setValues.smsOptIn = false;
      setValues.smsOptOutDate = now;
      delete setValues.smsOptOut;
    }
    delete setValues.smsOptOut;
    const [row] = await db
      .update(clients)
      .set(setValues)
@@ -144,24 +135,9 @@ clientsRouter.delete("/:id", async (c) => {
  }
  const db = getDb();
  const clientId = c.req.param("id");
  const [existingAppt] = await db
    .select({ id: appointments.id })
    .from(appointments)
    .where(eq(appointments.clientId, clientId))
    .limit(1);
  if (existingAppt) {
    return c.json(
      { error: "Cannot delete client with existing appointments. Cancel or reassign appointments first." },
      409
    );
  }
  const [row] = await db
    .delete(clients)
-    .where(eq(clients.id, clientId))
+    .where(eq(clients.id, c.req.param("id")))
    .returning();
  if (!row) return c.json({ error: "Not found" }, 404);
  return c.json({ ok: true });
@@ -8,7 +8,6 @@ import {
  invoices,
  invoiceLineItems,
  invoiceTipSplits,
  refunds,
  appointments,
  services,
  clients,
@@ -126,8 +125,8 @@ const tipSplitSchema = z.object({
    })
  ).min(1).refine(
    (splits) => {
-      const totalBps = splits.reduce((sum, s) => sum + Math.round(s.sharePct * 100), 0);
+      const total = splits.reduce((sum, s) => sum + s.sharePct, 0);
-      return totalBps === 10000;
+      return Math.abs(total - 100) < 0.01;
    },
    { message: "Split percentages must sum to 100" }
  ),
@@ -171,13 +170,12 @@ invoicesRouter.post(
      }
    });
-    const [updatedInvoice] = await db.select().from(invoices).where(eq(invoices.id, id));
+    const splits = await db
-    const [lineItems, tipSplits] = await Promise.all([
+      .select()
-      db.select().from(invoiceLineItems).where(eq(invoiceLineItems.invoiceId, id)),
+      .from(invoiceTipSplits)
-      db.select().from(invoiceTipSplits).where(eq(invoiceTipSplits.invoiceId, id)),
+      .where(eq(invoiceTipSplits.invoiceId, id));
    ]);
-    return c.json({ ...updatedInvoice, lineItems, tipSplits }, 201);
+    return c.json(splits, 201);
  }
 );
@@ -302,13 +300,6 @@ invoicesRouter.post("/from-appointment/:appointmentId", async (c) => {
  return c.json({ ...invoice, lineItems: [lineItem] }, 201);
 });
 const ALLOWED_TRANSITIONS: Record<string, string[]> = {
  draft: ["pending", "void"],
  pending: ["draft", "paid", "void"],
  paid: ["void"],
  void: [],
 };
 // Update invoice
 invoicesRouter.patch(
  "/:id",
@@ -324,14 +315,8 @@ invoicesRouter.patch(
      .where(eq(invoices.id, id));
    if (!current) return c.json({ error: "Not found" }, 404);
-    if (body.status !== undefined) {
+    if (current.status === "void") {
-      const allowed = ALLOWED_TRANSITIONS[current.status] ?? [];
+      return c.json({ error: "Cannot modify a voided invoice" }, 422);
      if (!allowed.includes(body.status)) {
        return c.json(
          { error: `Invalid status transition from ${current.status} to ${body.status}` },
          422
        );
      }
    }
    const update: Record<string, unknown> = { ...body, updatedAt: new Date() };
@@ -369,7 +354,6 @@ import { processRefund } from "../services/payment.js";
 const refundSchema = z.object({
  amountCents: z.number().int().nonnegative().optional(),
  idempotencyKey: z.string().max(255).optional(),
 });
 invoicesRouter.post(
@@ -395,28 +379,9 @@ invoicesRouter.post(
      return c.json({ error: "No Stripe payment intent found for this invoice" }, 422);
    }
    return await db.transaction(async (tx) => {
      if (body.idempotencyKey) {
        const [existing] = await tx
          .select()
          .from(refunds)
          .where(eq(refunds.idempotencyKey, body.idempotencyKey));
        if (existing) {
          return c.json({ refundId: existing.stripeRefundId });
        }
      }
    const result = await processRefund(id, body.amountCents);
    if (!result) return c.json({ error: "Refund failed" }, 500);
      await tx.insert(refunds).values({
        invoiceId: id,
        stripeRefundId: result.refundId,
        idempotencyKey: body.idempotencyKey ?? null,
        amountCents: body.amountCents ?? null,
      });
    return c.json({ refundId: result.refundId });
    });
  }
 );
@@ -1,22 +1,33 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { eq, inArray } from "@groombook/db";
+import { and, eq, inArray } from "@groombook/db";
 import { getDb, appointments, impersonationSessions, waitlistEntries, clients, pets, services, staff, invoices, invoiceLineItems } from "@groombook/db";
-import { validatePortalSession } from "../middleware/portalSession.js";
+import type { AppEnv } from "../middleware/rbac.js";
 import { portalAudit } from "../middleware/portalAudit.js";
 import type { PortalEnv } from "../middleware/portalSession.js";
-export const portalRouter = new Hono<PortalEnv>();
+export const portalRouter = new Hono<AppEnv>();
-// Apply middleware to all portal routes
+// ─── Session helper ───────────────────────────────────────────────────────────
-portalRouter.use("/*", validatePortalSession, portalAudit);
+
 async function getClientIdFromSession(sessionId: string | null | undefined): Promise<string | null> {
  if (!sessionId) return null;
  const db = getDb();
  const [session] = await db
    .select()
    .from(impersonationSessions)
    .where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
    .limit(1);
  if (!session || session.expiresAt <= new Date()) return null;
  return session.clientId;
 }
 // ─── GET routes ──────────────────────────────────────────────────────────────
 portalRouter.get("/me", async (c) => {
  const db = getDb();
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
  const [client] = await db.select().from(clients).where(eq(clients.id, clientId)).limit(1);
  if (!client) return c.json({ error: "Not found" }, 404);
@@ -38,7 +49,9 @@ portalRouter.get("/services", async (c) => {
 portalRouter.get("/appointments", async (c) => {
  const db = getDb();
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
  const now = new Date();
  const allAppts = await db
@@ -88,7 +101,9 @@ portalRouter.get("/appointments", async (c) => {
 portalRouter.get("/pets", async (c) => {
  const db = getDb();
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
  const clientPets = await db.select().from(pets).where(eq(pets.clientId, clientId));
  return c.json(clientPets.map(p => ({ id: p.id, name: p.name, breed: p.breed, weightKg: p.weightKg, dateOfBirth: p.dateOfBirth, photoKey: p.photoKey, groomingNotes: p.groomingNotes })));
@@ -96,7 +111,9 @@ portalRouter.get("/pets", async (c) => {
 portalRouter.get("/invoices", async (c) => {
  const db = getDb();
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
  const clientInvoices = await db.select().from(invoices).where(eq(invoices.clientId, clientId));
  const invoiceIds = clientInvoices.map(i => i.id);
@@ -131,7 +148,12 @@ portalRouter.patch(
    const db = getDb();
    const id = c.req.param("id");
    const body = c.req.valid("json");
-    const clientId = c.get("portalClientId");
+
    const sessionId = c.req.header("X-Impersonation-Session-Id");
    const clientId = await getClientIdFromSession(sessionId);
    if (!clientId) {
      return c.json({ error: "Unauthorized" }, 401);
    }
    const [appt] = await db
      .select()
@@ -174,7 +196,12 @@ portalRouter.patch(
 portalRouter.post("/appointments/:id/confirm", async (c) => {
  const db = getDb();
  const id = c.req.param("id");
-  const clientId = c.get("portalClientId");
+
  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) {
    return c.json({ error: "Unauthorized" }, 401);
  }
  const [appt] = await db
    .select()
@@ -223,7 +250,12 @@ portalRouter.post("/appointments/:id/confirm", async (c) => {
 portalRouter.post("/appointments/:id/cancel", async (c) => {
  const db = getDb();
  const id = c.req.param("id");
-  const clientId = c.get("portalClientId");
+
  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) {
    return c.json({ error: "Unauthorized" }, 401);
  }
  const [appt] = await db
    .select()
@@ -287,7 +319,28 @@ portalRouter.post(
  async (c) => {
    const db = getDb();
    const body = c.req.valid("json");
-    const clientId = c.get("portalClientId");
+    const sessionId = c.req.header("X-Impersonation-Session-Id");
    let clientId: string | null = null;
    if (sessionId) {
      const [session] = await db
        .select()
        .from(impersonationSessions)
        .where(
          and(
            eq(impersonationSessions.id, sessionId),
            eq(impersonationSessions.status, "active")
          )
        )
        .limit(1);
      if (session && session.expiresAt > new Date()) {
        clientId = session.clientId;
      }
    }
    if (!clientId) {
      return c.json({ error: "Unauthorized" }, 401);
    }
    const [entry] = await db
      .insert(waitlistEntries)
@@ -311,7 +364,26 @@ portalRouter.patch(
    const db = getDb();
    const id = c.req.param("id");
    const body = c.req.valid("json");
-    const clientId = c.get("portalClientId");
+    const sessionId = c.req.header("X-Impersonation-Session-Id");
    if (!sessionId) {
      return c.json({ error: "Unauthorized" }, 401);
    }
    const [session] = await db
      .select()
      .from(impersonationSessions)
      .where(
        and(
          eq(impersonationSessions.id, sessionId),
          eq(impersonationSessions.status, "active")
        )
      )
      .limit(1);
    if (!session || session.expiresAt <= new Date()) {
      return c.json({ error: "Unauthorized" }, 401);
    }
    const [existing] = await db
      .select()
@@ -320,7 +392,7 @@ portalRouter.patch(
      .limit(1);
    if (!existing) return c.json({ error: "Not found" }, 404);
-    if (existing.clientId !== clientId) {
+    if (existing.clientId !== session.clientId) {
      return c.json({ error: "Forbidden" }, 403);
    }
@@ -342,7 +414,26 @@ portalRouter.patch(
 portalRouter.delete("/waitlist/:id", async (c) => {
  const db = getDb();
  const id = c.req.param("id");
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  if (!sessionId) {
    return c.json({ error: "Unauthorized" }, 401);
  }
  const [session] = await db
    .select()
    .from(impersonationSessions)
    .where(
      and(
        eq(impersonationSessions.id, sessionId),
        eq(impersonationSessions.status, "active")
      )
    )
    .limit(1);
  if (!session || session.expiresAt <= new Date()) {
    return c.json({ error: "Unauthorized" }, 401);
  }
  const [entry] = await db
    .select()
@@ -351,7 +442,7 @@ portalRouter.delete("/waitlist/:id", async (c) => {
    .limit(1);
  if (!entry) return c.json({ error: "Not found" }, 404);
-  if (entry.clientId !== clientId) {
+  if (entry.clientId !== session.clientId) {
    return c.json({ error: "Forbidden" }, 403);
  }
@@ -384,7 +475,9 @@ portalRouter.post(
  async (c) => {
    const db = getDb();
    const body = c.req.valid("json");
-    const clientId = c.get("portalClientId");
+    const sessionId = c.req.header("X-Impersonation-Session-Id");
    const clientId = await getClientIdFromSession(sessionId);
    if (!clientId) return c.json({ error: "Unauthorized" }, 401);
    const invoiceRows = await db
      .select()
@@ -421,7 +514,9 @@ portalRouter.post(
 );
 portalRouter.get("/payment-methods", async (c) => {
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
  const methods = await listPaymentMethods(clientId);
  if (methods === null) return c.json({ error: "Payment service unavailable" }, 503);
@@ -429,7 +524,9 @@ portalRouter.get("/payment-methods", async (c) => {
 });
 portalRouter.post("/payment-methods", async (c) => {
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
  const stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY ?? "";
  const customerId = await getOrCreateStripeCustomer(clientId);
@@ -442,7 +539,9 @@ portalRouter.post("/payment-methods", async (c) => {
 });
 portalRouter.delete("/payment-methods/:id", async (c) => {
-  const clientId = c.get("portalClientId");
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
  const clientId = await getClientIdFromSession(sessionId);
  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
  const paymentMethodId = c.req.param("id");
@@ -286,10 +286,6 @@ reportsRouter.get("/clients", async (c) => {
  ninetyDaysAgo.setUTCDate(ninetyDaysAgo.getUTCDate() - 90);
  const ninetyDaysAgoISO = ninetyDaysAgo.toISOString();
  const page = Math.max(1, parseInt(c.req.query("page") ?? "1", 10) || 1);
  const limit = Math.min(100, Math.max(1, parseInt(c.req.query("limit") ?? "20", 10) || 20));
  const offset = (page - 1) * limit;
  const churnRisk = await db
    .select({
      clientId: clients.id,
@@ -302,34 +298,15 @@ reportsRouter.get("/clients", async (c) => {
    .having(
      sql`MAX(${appointments.startTime}) < ${ninetyDaysAgoISO}::timestamptz OR MAX(${appointments.startTime}) IS NULL`
    )
-    .orderBy(sql`MAX(${appointments.startTime}) ASC NULLS FIRST`)
+    .orderBy(sql`MAX(${appointments.startTime}) ASC NULLS FIRST`);
    .limit(limit)
    .offset(offset);
  const [churnCountRow] = await db
    .select({ total: sql<number>`count(*)::int` })
    .from(
      db
        .select({ id: clients.id })
        .from(clients)
        .leftJoin(appointments, eq(appointments.clientId, clients.id))
        .groupBy(clients.id)
        .having(
          sql`MAX(${appointments.startTime}) < ${ninetyDaysAgoISO}::timestamptz OR MAX(${appointments.startTime}) IS NULL`
        )
        .as("churn_count")
    );
  const churnRiskTotal = churnCountRow?.total ?? 0;
  return c.json({
    from: from.toISOString(),
    to: to.toISOString(),
    newClients,
    activeInPeriodCount: activeInPeriod.length,
-    churnRisk,
+    churnRisk: churnRisk.slice(0, 20), // top 20 at-risk clients
-    churnRiskTotal,
+    churnRiskTotal: churnRisk.length,
    page,
    limit,
  });
 });
@@ -4,24 +4,6 @@ import { z } from "zod/v3";
 import { and, eq, getDb, sql, staff, businessSettings, authProviderConfig, encryptSecret } from "@groombook/db";
 import type { AppEnv } from "../middleware/rbac.js";
 const RATE_LIMIT_WINDOW_MS = 60_000;
 const RATE_LIMIT_MAX = 10;
 const rateLimitMap = new Map<string, { count: number; resetAt: number }>();
 function rateLimitByIp(ip: string): { allowed: boolean; remaining: number } {
  const now = Date.now();
  const entry = rateLimitMap.get(ip);
  if (!entry || now > entry.resetAt) {
    rateLimitMap.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
    return { allowed: true, remaining: RATE_LIMIT_MAX - 1 };
  }
  if (entry.count >= RATE_LIMIT_MAX) {
    return { allowed: false, remaining: 0 };
  }
  entry.count++;
  return { allowed: true, remaining: RATE_LIMIT_MAX - entry.count };
 }
 export const setupRouter = new Hono<AppEnv>();
 // GET /api/setup/status — public (no auth), returns whether setup is needed
@@ -203,43 +185,37 @@ const authProviderTestSchema = z.object({
 * After setup completes, this endpoint permanently returns 403.
 */
 setupRouter.post("/auth-provider", async (c) => {
  const ip = c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown";
  const { allowed, remaining } = rateLimitByIp(ip);
  c.res.headers.set("x-rate-limit-remaining", String(remaining));
  if (!allowed) {
    return c.json({ error: "Too many requests. Please try again later." }, 429);
  }
  const db = getDb();
-  let row: typeof authProviderConfig.$inferSelect;
+  // Guard: only allow during fresh install (no super user yet)
-  try {
+  const [superUser] = await db
    row = await db.transaction(async (tx) => {
      const [superUser] = await tx
    .select({ id: staff.id })
    .from(staff)
    .where(eq(staff.isSuperUser, true))
    .limit(1);
  if (superUser) {
-        throw Object.assign(new Error("setup-complete"), { code: 403 });
+    // Setup already completed — lock this endpoint permanently
    return c.json({ error: "Setup has already been completed. This endpoint is no longer available." }, 403);
  }
-      const [existingConfig] = await tx
+  // Guard: ensure no DB config already exists (should be redundant with status check but defensive)
  const [existingConfig] = await db
    .select({ id: authProviderConfig.id })
    .from(authProviderConfig)
    .where(eq(authProviderConfig.enabled, true))
    .limit(1);
  if (existingConfig) {
-        throw Object.assign(new Error("config-exists"), { code: 409 });
+    return c.json({ error: "Auth provider is already configured." }, 409);
  }
  const body = authProviderBootstrapSchema.parse(await c.req.json());
  // Encrypt clientSecret before storing
  const encryptedSecret = encryptSecret(body.clientSecret);
-      const [configRow] = await tx
+  const [row] = await db
    .insert(authProviderConfig)
    .values({
      providerId: body.providerId,
@@ -253,24 +229,8 @@ setupRouter.post("/auth-provider", async (c) => {
    })
    .returning();
-      if (!configRow) {
+  if (!row) {
-        throw Object.assign(new Error("insert-failed"), { code: 500 });
+    return c.json({ error: "Failed to save auth provider configuration." }, 500);
      }
      return configRow;
    });
  } catch (err: unknown) {
    const e = err as Error & { code?: number };
    if (e.message === "setup-complete") {
      return c.json({ error: "Setup has already been completed. This endpoint is no longer available." }, e.code as 403);
    }
    if (e.message === "config-exists") {
      return c.json({ error: "Auth provider is already configured." }, e.code as 409);
    }
    if (e.message === "insert-failed") {
      return c.json({ error: "Failed to save auth provider configuration." }, e.code as 500);
    }
    throw err;
  }
  return c.json({
@@ -294,13 +254,6 @@ setupRouter.post("/auth-provider", async (c) => {
 * Only available when needsSetup is true (no super user = fresh install).
 */
 setupRouter.post("/auth-provider/test", async (c) => {
  const ip = c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown";
  const { allowed, remaining } = rateLimitByIp(ip);
  c.res.headers.set("x-rate-limit-remaining", String(remaining));
  if (!allowed) {
    return c.json({ ok: false, error: "Too many requests. Please try again later." }, 429);
  }
  const db = getDb();
  // Guard: only allow during fresh install (no super user yet)
@@ -18,10 +18,9 @@ import {
  buildReminderEmail,
  sendEmail,
 } from "./email.js";
 import { smsSend } from "./sms.js";
 const TCPA_OPT_OUT = "Reply STOP to opt out. Msg & data rates may apply.";
 // How many hours before the appointment to send each reminder.
 // Override via env: REMINDER_HOURS_EARLY (default 24) and REMINDER_HOURS_LATE (default 2).
 function getReminderWindows(): { label: string; hours: number }[] {
  const early = Number(process.env.REMINDER_HOURS_EARLY ?? 24);
  const late = Number(process.env.REMINDER_HOURS_LATE ?? 2);
@@ -31,14 +30,20 @@ function getReminderWindows(): { label: string; hours: number }[] {
  ];
 }
 // Checks for upcoming appointments that need reminders and sends them.
 // Runs every minute — idempotent via reminder_logs unique constraint.
 export async function runReminderCheck(): Promise<void> {
  const db = getDb();
  const now = new Date();
  for (const window of getReminderWindows()) {
    // Target window: appointments starting between (hours - 1) and hours from now.
    // Running every minute means we check a 1-minute slice; the 1-hour window
    // ensures we catch appointments that started between heartbeats.
    const windowStart = new Date(now.getTime() + (window.hours - 1) * 3600_000);
    const windowEnd = new Date(now.getTime() + window.hours * 3600_000);
    // Find upcoming appointments in this time window that haven't been cancelled/completed
    const upcoming = await db
      .select({
        id: appointments.id,
@@ -60,38 +65,23 @@ export async function runReminderCheck(): Promise<void> {
      );
    for (const appt of upcoming) {
-      const [emailLog] = await db
+      // Check if reminder already sent (unique constraint prevents double-send)
      const existing = await db
        .select({ id: reminderLogs.id })
        .from(reminderLogs)
        .where(
          and(
            eq(reminderLogs.appointmentId, appt.id),
-            eq(reminderLogs.reminderType, window.label),
+            eq(reminderLogs.reminderType, window.label)
            eq(reminderLogs.channel, "email")
          )
        )
        .limit(1);
-      const [smsLog] = await db
+      if (existing.length > 0) continue; // already sent
        .select({ id: reminderLogs.id })
        .from(reminderLogs)
        .where(
          and(
            eq(reminderLogs.appointmentId, appt.id),
            eq(reminderLogs.reminderType, window.label),
            eq(reminderLogs.channel, "sms")
          )
        )
        .limit(1);
      // Fetch related records for the email
      const [client] = await db
-        .select({
+        .select({ name: clients.name, email: clients.email, emailOptOut: clients.emailOptOut })
          name: clients.name,
          email: clients.email,
          emailOptOut: clients.emailOptOut,
          smsOptIn: clients.smsOptIn,
          phone: clients.phone,
        })
        .from(clients)
        .where(eq(clients.id, appt.clientId))
        .limit(1);
@@ -122,6 +112,8 @@ export async function runReminderCheck(): Promise<void> {
      if (!pet || !service) continue;
      // Ensure the appointment has a confirmation token before sending the reminder.
      // Generate one if it doesn't have one yet (e.g. pre-existing appointments).
      let confirmationToken = appt.confirmationToken;
      if (!confirmationToken) {
        confirmationToken = randomBytes(32).toString("hex");
@@ -131,7 +123,6 @@ export async function runReminderCheck(): Promise<void> {
          .where(eq(appointments.id, appt.id));
      }
      if (!emailLog) {
      const sent = await sendEmail(
        buildReminderEmail(
          client.email,
@@ -148,42 +139,19 @@ export async function runReminderCheck(): Promise<void> {
      );
      if (sent) {
        // Record send — ignore conflicts (race condition between instances)
        await db
          .insert(reminderLogs)
-            .values({ appointmentId: appt.id, reminderType: window.label, channel: "email" })
+          .values({ appointmentId: appt.id, reminderType: window.label })
          .onConflictDoNothing();
      }
    }
      if (!smsLog && client.smsOptIn && client.phone) {
        const apiUrl = process.env.API_URL ?? "http://localhost:3000";
        const confirmUrl = `${apiUrl}/api/book/confirm/${confirmationToken}`;
        const cancelUrl = `${apiUrl}/api/book/cancel/${confirmationToken}`;
        const when = window.hours >= 24 ? "tomorrow" : `in ${window.hours} hours`;
        const smsBody = [
          `Hi ${client.name}, just a reminder: ${pet.name}'s grooming appointment is ${when}.`,
          `Service: ${service.name}${groomerName ? ` with ${groomerName}` : ""}`,
          `Confirm: ${confirmUrl}`,
          `Cancel: ${cancelUrl}`,
          TCPA_OPT_OUT,
        ].join(". ");
        try {
          const smsOk = await smsSend(client.phone, smsBody);
          if (smsOk) {
            await db
              .insert(reminderLogs)
              .values({ appointmentId: appt.id, reminderType: window.label, channel: "sms" })
              .onConflictDoNothing();
          }
        } catch (err) {
          console.error("[reminders] SMS send failed:", err);
        }
      }
    }
  }
 }
 // Starts the cron scheduler. Call once at server startup.
 export function startReminderScheduler(): void {
  // Run every minute
  cron.schedule("* * * * *", () => {
    runReminderCheck().catch((err) => {
      console.error("[reminders] Error during reminder check:", err);
@@ -195,6 +163,8 @@ export function startReminderScheduler(): void {
  console.log("[reminders] Reminder scheduler started");
 }
 // Deletes expired sessions from the database.
 // Runs every minute alongside reminder checks.
 export async function runSessionCleanup(): Promise<void> {
  const db = getDb();
  const now = new Date();
@@ -1,142 +0,0 @@
 import { Telnyx } from "telnyx";
 import { createHmac } from "crypto";
 export interface SmsProvider {
  sendSms(to: string, body: string, mediaUrls?: string[]): Promise<{ messageId: string; status: string }>;
  validateWebhookSignature(req: Request): boolean;
 }
 interface TelnyxSmsResult {
  message_id: string;
  status: string;
 }
 function createTelnyxClient(): Telnyx | null {
  const apiKey = process.env.TELNYX_API_KEY;
  if (!apiKey) return null;
  return new Telnyx(apiKey);
 }
 let _client: Telnyx | null | undefined;
 function getClient(): Telnyx | null {
  if (_client === undefined) _client = createTelnyxClient();
  return _client;
 }
 function getFromNumber(): string | null {
  return process.env.TELNYX_FROM_NUMBER ?? null;
 }
 function isE164(phone: string): boolean {
  return /^\+[1-9]\d{7,14}$/.test(phone);
 }
 export async function sendSms(
  to: string,
  body: string,
  mediaUrls?: string[]
 ): Promise<{ messageId: string; status: string }> {
  const client = getClient();
  if (!client) throw new Error("Telnyx client not initialized. Set TELNYX_API_KEY.");
  const from = getFromNumber();
  if (!from) throw new Error("TELNYX_FROM_NUMBER is not set");
  if (!isE164(to)) throw new Error(`Invalid recipient phone format: ${to}. Expected E.164.`);
  if (!isE164(from)) throw new Error(`Invalid sender phone format: ${from}. Expected E.164.`);
  const payload: Record<string, unknown> = {
    from,
    to,
    body,
  };
  if (mediaUrls && mediaUrls.length > 0) {
    payload.media_urls = mediaUrls;
  }
  const result = await client.messages.create(payload as Record<string, string | string[]>);
  const smsResult = result.data as unknown as TelnyxSmsResult;
  return {
    messageId: smsResult.message_id,
    status: smsResult.status,
  };
 }
 export class TelnyxProvider implements SmsProvider {
  async sendSms(
    to: string,
    body: string,
    mediaUrls?: string[]
  ): Promise<{ messageId: string; status: string }> {
    return sendSms(to, body, mediaUrls);
  }
  validateWebhookSignature(req: Request): boolean {
    const secret = process.env.TELNYX_WEBHOOK_SECRET;
    if (!secret) return false;
    const signature = req.headers.get("telnyx-signature");
    if (!signature) return false;
    const payload = JSON.stringify(req.body);
    try {
      const hmac = createHmac("sha256", secret);
      const expected = `sha256=${hmac.update(payload).digest("hex")}`;
      const sigBuf = Buffer.from(signature);
      const expBuf = Buffer.from(expected);
      if (sigBuf.length !== expBuf.length) return false;
      let diff = 0;
      for (let i = 0; i < sigBuf.length; i++) {
        const sigByte = sigBuf[i] ?? 0;
        const expByte = expBuf[i] ?? 0;
        diff |= sigByte ^ expByte;
      }
      return diff === 0;
    } catch {
      return false;
    }
  }
 }
 let _provider: SmsProvider | null | undefined;
 export function createSmsProvider(): SmsProvider | null {
  if (_provider === undefined) {
    if (process.env.SMS_ENABLED !== "true") {
      _provider = null;
      return null;
    }
    switch (process.env.SMS_PROVIDER) {
      case "telnyx": {
        const client = getClient();
        if (!client) {
          _provider = null;
          return null;
        }
        _provider = new TelnyxProvider();
        break;
      }
      default:
        _provider = null;
    }
  }
  return _provider;
 }
 export async function smsSend(
  to: string,
  body: string,
  mediaUrls?: string[]
 ): Promise<boolean> {
  const provider = createSmsProvider();
  if (!provider) return false;
  await provider.sendSms(to, body, mediaUrls);
  return true;
 }
@@ -1,19 +0,0 @@
 declare module "telnyx" {
  export interface MessageResult {
    data: unknown;
  }
  export interface MessagesCreateParams {
    from: string;
    to: string;
    body: string;
    media_urls?: string[];
  }
  export class Telnyx {
    constructor(apiKey: string);
    messages: {
      create(params: Record<string, string | string[]>): Promise<MessageResult>;
    };
  }
 }
@@ -20,5 +20,3 @@ FROM nginx:alpine AS runner
 COPY apps/web/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/apps/web/dist /usr/share/nginx/html
 EXPOSE 80
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:80/ || exit 1
@@ -3,22 +3,10 @@ server {
    root /usr/share/nginx/html;
    index index.html;
    # Security headers
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    # Cache static assets
    location ~* \.(js|css|png|svg|ico|woff2)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }
    # Proxy API calls to the API service
@@ -1,11 +0,0 @@
 CREATE TABLE "refunds" (
  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  "invoice_id" uuid NOT NULL REFERENCES "invoices"("id") ON DELETE RESTRICT,
  "stripe_refund_id" text NOT NULL,
  "idempotency_key" text UNIQUE,
  "amount_cents" integer,
  "created_at" timestamp NOT NULL DEFAULT NOW()
 );
 CREATE INDEX "idx_refunds_invoice_id" ON "refunds"("invoice_id");
 CREATE INDEX "idx_refunds_idempotency_key" ON "refunds"("idempotency_key");
@@ -1,15 +0,0 @@
 -- SMS opt-in fields for clients (idempotent)
 ALTER TABLE "clients" ADD COLUMN IF NOT EXISTS "sms_opt_in" boolean NOT NULL DEFAULT false;
 ALTER TABLE "clients" ADD COLUMN IF NOT EXISTS "sms_consent_date" timestamp;
 ALTER TABLE "clients" ADD COLUMN IF NOT EXISTS "sms_opt_out_date" timestamp;
 ALTER TABLE "clients" ADD COLUMN IF NOT EXISTS "sms_consent_text" text;
 -- Add channel column to reminder_logs with default 'email' (idempotent)
 ALTER TABLE "reminder_logs" ADD COLUMN IF NOT EXISTS "channel" text NOT NULL DEFAULT 'email';
 -- Drop old unique constraints if they exist (idempotent)
 ALTER TABLE "reminder_logs" DROP CONSTRAINT IF EXISTS "reminder_logs_appointment_id_reminder_type_key";
 ALTER TABLE "reminder_logs" DROP CONSTRAINT IF EXISTS "reminder_logs_appointment_id_reminder_type_unique";
 -- Add new unique constraint with channel
 ALTER TABLE "reminder_logs" ADD CONSTRAINT "reminder_logs_appointment_id_reminder_type_channel_unique" UNIQUE ("appointment_id", "reminder_type", "channel");
@@ -1,20 +0,0 @@
 -- Migration: 0029_db_indexes_constraints.sql
 -- Add missing indexes on appointments, pets, clients tables and NOT NULL constraint on clients.email
 -- Backfill NULL emails before setting NOT NULL
 UPDATE clients SET email = concat('unknown-', id::text, '@placeholder.local') WHERE email IS NULL;
 -- Add indexes on appointments table
 CREATE INDEX idx_appointments_client_id ON appointments(client_id);
 CREATE INDEX idx_appointments_staff_id ON appointments(staff_id);
 CREATE INDEX idx_appointments_start_time ON appointments(start_time);
 CREATE INDEX idx_appointments_status ON appointments(status);
 -- Add index on pets table
 CREATE INDEX idx_pets_client_id ON pets(client_id);
 -- Add index on clients table
 CREATE INDEX idx_clients_email ON clients(email);
 -- Set NOT NULL on clients.email (after backfill)
 ALTER TABLE clients ALTER COLUMN email SET NOT NULL;
@@ -190,20 +190,6 @@
      "when": 1775568867192,
      "tag": "0026_stripe_payment",
      "breakpoints": true
    },
    {
      "idx": 27,
      "version": "7",
      "when": 1775655267192,
      "tag": "0027_refunds",
      "breakpoints": true
    },
    {
      "idx": 28,
      "version": "7",
      "when": 1775741667192,
      "tag": "0028_sms_reminders",
      "breakpoints": true
    }
  ]
 }
@@ -71,10 +71,6 @@ export function buildClient(overrides: Partial<ClientRow> = {}): ClientRow {
    address: "1 Main St, Springfield, CA 90000",
    notes: null,
    emailOptOut: false,
    smsOptIn: false,
    smsConsentDate: null,
    smsOptOutDate: null,
    smsConsentText: null,
    stripeCustomerId: null,
    status: "active",
    disabledAt: null,
@@ -102,32 +102,22 @@ export const verification = pgTable("verification", {
 // ─── Tables ───────────────────────────────────────────────────────────────────
-export const clients = pgTable(
+export const clients = pgTable("clients", {
  "clients",
  {
  id: uuid("id").primaryKey().defaultRandom(),
  name: text("name").notNull(),
-    email: text("email").notNull(),
+  email: text("email"),
  phone: text("phone"),
  address: text("address"),
  notes: text("notes"),
  emailOptOut: boolean("email_opt_out").notNull().default(false),
    smsOptIn: boolean("sms_opt_in").notNull().default(false),
    smsConsentDate: timestamp("sms_consent_date"),
    smsOptOutDate: timestamp("sms_opt_out_date"),
    smsConsentText: text("sms_consent_text"),
  stripeCustomerId: text("stripe_customer_id"),
  status: clientStatusEnum("status").notNull().default("active"),
  disabledAt: timestamp("disabled_at"),
  createdAt: timestamp("created_at").notNull().defaultNow(),
  updatedAt: timestamp("updated_at").notNull().defaultNow(),
-  },
+});
  (t) => [index("idx_clients_email").on(t.email)]
 );
-export const pets = pgTable(
+export const pets = pgTable("pets", {
  "pets",
  {
  id: uuid("id").primaryKey().defaultRandom(),
  clientId: uuid("client_id")
    .notNull()
@@ -148,9 +138,7 @@ export const pets = pgTable(
  image: text("image"),
  createdAt: timestamp("created_at").notNull().defaultNow(),
  updatedAt: timestamp("updated_at").notNull().defaultNow(),
-  },
+});
  (t) => [index("idx_pets_client_id").on(t.clientId)]
 );
 export const services = pgTable("services", {
  id: uuid("id").primaryKey().defaultRandom(),
@@ -312,28 +300,8 @@ export const invoiceTipSplits = pgTable(
  (t) => [index("idx_invoice_tip_splits_invoice_id").on(t.invoiceId)]
 );
 // Refund records with idempotency key support
 export const refunds = pgTable(
  "refunds",
  {
    id: uuid("id").primaryKey().defaultRandom(),
    invoiceId: uuid("invoice_id")
      .notNull()
      .references(() => invoices.id, { onDelete: "restrict" }),
    stripeRefundId: text("stripe_refund_id").notNull(),
    idempotencyKey: text("idempotency_key").unique(),
    amountCents: integer("amount_cents"),
    createdAt: timestamp("created_at").notNull().defaultNow(),
  },
  (t) => [
    index("idx_refunds_invoice_id").on(t.invoiceId),
    index("idx_refunds_idempotency_key").on(t.idempotencyKey),
  ]
 );
 // Tracks which reminder emails have been sent per appointment (prevents duplicates).
 // reminder_type values: "confirmation", "24h", "2h"
 // channel values: "email", "sms"
 export const reminderLogs = pgTable(
  "reminder_logs",
  {
@@ -343,11 +311,9 @@ export const reminderLogs = pgTable(
      .references(() => appointments.id, { onDelete: "cascade" }),
    // "confirmation" | "24h" | "2h"
    reminderType: text("reminder_type").notNull(),
    // "email" | "sms"
    channel: text("channel").notNull().default("email"),
    sentAt: timestamp("sent_at").notNull().defaultNow(),
  },
-  (t) => [unique().on(t.appointmentId, t.reminderType, t.channel)]
+  (t) => [unique().on(t.appointmentId, t.reminderType)]
 );
 // ─── Impersonation ──────────────────────────────────────────────────────────
@@ -398,8 +398,6 @@ async function seedKnownUsers() {
        id: ADMIN_STAFF_ID,
        name: adminName,
        email: adminEmail,
        oidcSub: adminEmail,
        userId: adminEmail,
        role: "manager",
        isSuperUser: true,
        active: true,
@@ -426,7 +424,6 @@ async function seedKnownUsers() {
        name: "UAT Super User",
        email: "uat-super@groombook.dev",
        oidcSub: uatSuperOidcSub,
        userId: uatSuperOidcSub,
        role: "manager",
        isSuperUser: true,
        active: true,
@@ -453,7 +450,6 @@ async function seedKnownUsers() {
        name: "UAT Staff Groomer",
        email: "uat-groomer@groombook.dev",
        oidcSub: uatStaffOidcSub,
        userId: uatStaffOidcSub,
        role: "groomer",
        isSuperUser: false,
        active: true,
@@ -462,37 +458,6 @@ async function seedKnownUsers() {
    }
  }
  // ── Staff: UAT Groomer Personas (SEED_UAT_GROOMER_EMAILS + SEED_UAT_GROOMER_NAMES) ──
  const groomerEmails = process.env.SEED_UAT_GROOMER_EMAILS?.split(",").map((e) => e.trim()).filter(Boolean) ?? [];
  const groomerNames = process.env.SEED_UAT_GROOMER_NAMES?.split(",").map((n) => n.trim()).filter(Boolean) ?? [];
  const groomerCount = Math.min(groomerEmails.length, groomerNames.length);
  for (let i = 0; i < groomerCount; i++) {
    const email = groomerEmails[i]!;
    const name = groomerNames[i]!;
    // Use deterministic IDs in the 00000000-0000-0000-0000-000000000005+ range
    const staffId = `00000000-0000-0000-0000-${String(5 + i).padStart(12, "0")}`;
    const [existingGroomer] = await db
      .select()
      .from(schema.staff)
      .where(eq(schema.staff.email, email))
      .limit(1);
    if (existingGroomer) {
      console.log(`✓ Staff groomer '${existingGroomer.name}' already exists — skipping`);
    } else {
      await db.insert(schema.staff).values({
        id: staffId,
        name,
        email,
        oidcSub: email,
        role: "groomer",
        isSuperUser: false,
        active: true,
      });
      console.log(`✓ Created staff groomer '${name}' (${email})`);
    }
  }
  // ── Services: idempotent upsert using name as unique key ─────────────────────
  // UNIQUE constraint on services.name (migration 0020) must exist first.
  // Uses b0000001-... IDs to match main seed servicesDef for same-named services.
@@ -602,7 +567,7 @@ async function seed() {
  // ── Staff ──
  const managerStaff = Array.from({ length: cfg.staffCount.manager }, (_, i) =>
-    ({ id: uuid(), name: `Manager ${i + 1}`, email: `manager${i + 1}@groombook.dev`, role: "manager" as const, isSuperUser: profile === "uat" && i === 0 })
+    ({ id: uuid(), name: `Manager ${i + 1}`, email: `manager${i + 1}@groombook.dev`, role: "manager" as const, isSuperUser: false })
  );
  const receptionistStaff = Array.from({ length: cfg.staffCount.receptionist }, (_, i) =>
    ({ id: uuid(), name: `Receptionist ${i + 1}`, email: `receptionist${i + 1}@groombook.dev`, role: "receptionist" as const, isSuperUser: false })
@@ -647,8 +612,6 @@ async function seed() {
        id: ADMIN_STAFF_ID,
        name: adminName,
        email: adminEmail,
        oidcSub: adminEmail,
        userId: adminEmail,
        role: "manager",
        isSuperUser: true,
        active: true,
@@ -660,31 +623,6 @@ async function seed() {
    console.log(`✓ Upserted admin staff '${adminName}' (${adminEmail})`);
  }
  // ── UAT Groomer Personas (SEED_UAT_GROOMER_EMAILS + SEED_UAT_GROOMER_NAMES) ──
  const groomerEmails = process.env.SEED_UAT_GROOMER_EMAILS?.split(",").map((e) => e.trim()).filter(Boolean) ?? [];
  const groomerNames = process.env.SEED_UAT_GROOMER_NAMES?.split(",").map((n) => n.trim()).filter(Boolean) ?? [];
  const groomerCount = Math.min(groomerEmails.length, groomerNames.length);
  for (let i = 0; i < groomerCount; i++) {
    const email = groomerEmails[i]!;
    const name = groomerNames[i]!;
    const staffId = `00000000-0000-0000-0000-${String(5 + i).padStart(12, "0")}`;
    await db.insert(schema.staff)
      .values({
        id: staffId,
        name,
        email,
        oidcSub: email,
        role: "groomer",
        isSuperUser: false,
        active: true,
      })
      .onConflictDoUpdate({
        target: schema.staff.email,
        set: { id: staffId, name, role: "groomer", isSuperUser: false, active: true },
      });
    console.log(`✓ Upserted groomer '${name}' (${email})`);
  }
  // ── Services ──
  // Upsert services using name as unique key. With deterministic IDs in
  // servicesDef and TRUNCATE clearing downstream tables first, this is
@@ -43,9 +43,6 @@ importers:
      stripe:
        specifier: ^22.0.0
        version: 22.0.1(@types/node@22.19.15)
      telnyx:
        specifier: ^1.23.0
        version: 1.27.0
      zod:
        specifier: ^4.3.6
        version: 4.3.6
@@ -180,7 +177,7 @@ importers:
        version: 22.19.15
      drizzle-kit:
        specifier: ^0.30.4
-        version: 0.30.4
+        version: 0.30.6
      tsx:
        specifier: ^4.19.0
        version: 4.21.0
@@ -1699,6 +1696,9 @@ packages:
    resolution: {integrity: sha512-cifvXDhcqMwwTlTK04GBNeIe7yyo28Mfby85QXFe1Yk8nmi36Ab/5UQwptOx84SsoGNRg+EVSjwzfSZMy6pmlw==}
    engines: {node: '>=14'}
  '@petamoriken/float16@3.9.3':
    resolution: {integrity: sha512-8awtpHXCx/bNpFt4mt2xdkgtgVvKqty8VbjHI/WWWQuEw+KLzFot3f4+LkQY9YmOtq7A5GdOnqoIC8Pdygjk2g==}
  '@pkgjs/parseargs@0.11.0':
    resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
    engines: {node: '>=14'}
@@ -2830,8 +2830,8 @@ packages:
  dom-accessibility-api@0.6.3:
    resolution: {integrity: sha512-7ZgogeTnjuHbo+ct10G9Ffp0mif17idi0IyWNVA/wcwcm7NPOD/WEHVP3n7n3MhXqxoIYm8d6MuZohYWIZ4T3w==}
-  drizzle-kit@0.30.4:
+  drizzle-kit@0.30.6:
-    resolution: {integrity: sha512-B2oJN5UkvwwNHscPWXDG5KqAixu7AUzZ3qbe++KU9SsQ+cZWR4DXEPYcvWplyFAno0dhRJECNEhNxiDmFaPGyQ==}
+    resolution: {integrity: sha512-U4wWit0fyZuGuP7iNmRleQyK2V8wCuv57vf5l3MnG4z4fzNTjY/U13M8owyQ5RavqvqxBifWORaR3wIUzlN64g==}
    hasBin: true
  drizzle-orm@0.38.4:
@@ -2955,6 +2955,10 @@ packages:
    resolution: {integrity: sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==}
    engines: {node: '>=0.12'}
  env-paths@3.0.0:
    resolution: {integrity: sha512-dtJUTepzMW3Lm/NPxRf3wP4642UWhjL2sQxc+ym2YMj1m/H2zDNQOlezafzkHwn6sMstjHTwG6iQQsctDW/b1A==}
    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
  es-abstract@1.24.1:
    resolution: {integrity: sha512-zHXBLhP+QehSSbsS9Pt23Gg964240DPd6QCf8WpkqEXxQ7fhdZzYsocOr5u7apWonsS5EjZDmTF+/slGMyasvw==}
    engines: {node: '>= 0.4'}
@@ -3158,6 +3162,11 @@ packages:
  functions-have-names@1.2.3:
    resolution: {integrity: sha512-xckBUXyTIqT97tq2x2AMb+g163b5JFysYk0x4qxNFwbfQkmNZoiRHb6sPzI9/QV33WeuvVYBUIiD4NzNIyqaRQ==}
  gel@2.2.0:
    resolution: {integrity: sha512-q0ma7z2swmoamHQusey8ayo8+ilVdzDt4WTxSPzq/yRqvucWRfymRVMvNgmSC0XK7eNjjEZEcplxpgaNojKdmQ==}
    engines: {node: '>= 18.0.0'}
    hasBin: true
  generator-function@2.0.1:
    resolution: {integrity: sha512-SFdFmIJi+ybC0vjlHN0ZGVGHc3lgE0DxPAT0djjVg+kjOnSqclqmj0KQ7ykTOLP6YxoqOvuAODGdcHJn+43q3g==}
    engines: {node: '>= 0.4'}
@@ -3425,6 +3434,10 @@ packages:
  isexe@2.0.0:
    resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==}
  isexe@3.1.5:
    resolution: {integrity: sha512-6B3tLtFqtQS4ekarvLVMZ+X+VlvQekbe4taUkf/rhVO3d/h0M2rfARm/pXLcPEsjjMsFgrFgSrhQIxcSVrBz8w==}
    engines: {node: '>=18'}
  istanbul-lib-coverage@3.2.2:
    resolution: {integrity: sha512-O8dpsF+r0WV/8MNRKfnmrtCWhuKjxrq2w+jpzBL5UZKTi2LeVWnWOmWRxFlesJONmc+wLAGvKQZEOanko0LFTg==}
    engines: {node: '>=8'}
@@ -3606,9 +3619,6 @@ packages:
  lodash.debounce@4.0.8:
    resolution: {integrity: sha512-FT1yDzDYEoYWhnSGnpE/4Kj1fLZkDFyqRb7fNt6FdYOSxlUWAtp42Eh6Wb0rGIv/m9Bgo7x4GhQbm5Ys4SG5ow==}
  lodash.isplainobject@4.0.6:
    resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==}
  lodash.merge@4.6.2:
    resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==}
@@ -3841,10 +3851,6 @@ packages:
    resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
    engines: {node: '>=6'}
  qs@6.15.1:
    resolution: {integrity: sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==}
    engines: {node: '>=0.6'}
  randombytes@2.1.0:
    resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}
@@ -4040,6 +4046,10 @@ packages:
    resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==}
    engines: {node: '>=8'}
  shell-quote@1.8.3:
    resolution: {integrity: sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==}
    engines: {node: '>= 0.4'}
  side-channel-list@1.0.0:
    resolution: {integrity: sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==}
    engines: {node: '>= 0.4'}
@@ -4178,10 +4188,6 @@ packages:
    resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==}
    engines: {node: '>=6'}
  telnyx@1.27.0:
    resolution: {integrity: sha512-cVbP3jEW4TbmNL5U0UbZc3OkLg+6dHRnMYByYfJnrGw5ZRn0XKb17Hx3fLMWmGgRFow7eqVP4hlCogbIB6T3+w==}
    engines: {node: ^6 || >=8}
  temp-dir@2.0.0:
    resolution: {integrity: sha512-aoBAniQmmwtcKp/7BzsH8Cxzv8OL736p7v1ihGb5e9DJ9kTwGWHrQrVB5+lfVDzfGrdRzXch+ig7LHaY1JTOrg==}
    engines: {node: '>=8'}
@@ -4256,9 +4262,6 @@ packages:
    engines: {node: '>=18.0.0'}
    hasBin: true
  tweetnacl@1.0.3:
    resolution: {integrity: sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw==}
  type-check@0.4.0:
    resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==}
    engines: {node: '>= 0.8.0'}
@@ -4348,10 +4351,6 @@ packages:
    resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
    hasBin: true
  uuid@9.0.1:
    resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
    hasBin: true
  victory-vendor@37.3.6:
    resolution: {integrity: sha512-SbPDPdDBYp+5MJHhBCAyI7wKM3d5ivekigc2Dk2s7pgbZ9wIgIBYGVw4zGHBml/qTFbexrofXW6Gu4noGxrOwQ==}
@@ -4488,6 +4487,11 @@ packages:
    engines: {node: '>= 8'}
    hasBin: true
  which@4.0.0:
    resolution: {integrity: sha512-GlaYyEb07DPxYCKhKzplCWBJtvxZcZMrL+4UkrTSJHHPyZU4mYYTv3qaOe77H7EODLSSopAUFAc6W8U4yqvscg==}
    engines: {node: ^16.13.0 || >=18.0.0}
    hasBin: true
  why-is-node-running@2.3.0:
    resolution: {integrity: sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==}
    engines: {node: '>=8'}
@@ -6219,6 +6223,8 @@ snapshots:
  '@opentelemetry/semantic-conventions@1.40.0': {}
  '@petamoriken/float16@3.9.3': {}
  '@pkgjs/parseargs@0.11.0':
    optional: true
@@ -7414,12 +7420,13 @@ snapshots:
  dom-accessibility-api@0.6.3: {}
-  drizzle-kit@0.30.4:
+  drizzle-kit@0.30.6:
    dependencies:
      '@drizzle-team/brocli': 0.10.2
      '@esbuild-kit/esm-loader': 2.6.5
      esbuild: 0.19.12
      esbuild-register: 3.6.0(esbuild@0.19.12)
      gel: 2.2.0
    transitivePeerDependencies:
      - supports-color
@@ -7456,6 +7463,8 @@ snapshots:
  entities@6.0.1: {}
  env-paths@3.0.0: {}
  es-abstract@1.24.1:
    dependencies:
      array-buffer-byte-length: 1.0.2
@@ -7817,6 +7826,17 @@ snapshots:
  functions-have-names@1.2.3: {}
  gel@2.2.0:
    dependencies:
      '@petamoriken/float16': 3.9.3
      debug: 4.4.3
      env-paths: 3.0.0
      semver: 7.7.4
      shell-quote: 1.8.3
      which: 4.0.0
    transitivePeerDependencies:
      - supports-color
  generator-function@2.0.1: {}
  gensync@1.0.0-beta.2: {}
@@ -8081,6 +8101,8 @@ snapshots:
  isexe@2.0.0: {}
  isexe@3.1.5: {}
  istanbul-lib-coverage@3.2.2: {}
  istanbul-lib-report@3.0.1:
@@ -8249,8 +8271,6 @@ snapshots:
  lodash.debounce@4.0.8: {}
  lodash.isplainobject@4.0.6: {}
  lodash.merge@4.6.2: {}
  lodash.sortby@4.7.0: {}
@@ -8449,10 +8469,6 @@ snapshots:
  punycode@2.3.1: {}
  qs@6.15.1:
    dependencies:
      side-channel: 1.1.0
  randombytes@2.1.0:
    dependencies:
      safe-buffer: 5.2.1
@@ -8687,6 +8703,8 @@ snapshots:
  shebang-regex@3.0.0: {}
  shell-quote@1.8.3: {}
  side-channel-list@1.0.0:
    dependencies:
      es-errors: 1.3.0
@@ -8840,14 +8858,6 @@ snapshots:
  tapable@2.3.0: {}
  telnyx@1.27.0:
    dependencies:
      lodash.isplainobject: 4.0.6
      qs: 6.15.1
      safe-buffer: 5.2.1
      tweetnacl: 1.0.3
      uuid: 9.0.1
  temp-dir@2.0.0: {}
  tempy@0.6.0:
@@ -8918,8 +8928,6 @@ snapshots:
    optionalDependencies:
      fsevents: 2.3.3
  tweetnacl@1.0.3: {}
  type-check@0.4.0:
    dependencies:
      prelude-ls: 1.2.1
@@ -9016,8 +9024,6 @@ snapshots:
  uuid@8.3.2: {}
  uuid@9.0.1: {}
  victory-vendor@37.3.6:
    dependencies:
      '@types/d3-array': 3.2.2
@@ -9195,6 +9201,10 @@ snapshots:
    dependencies:
      isexe: 2.0.0
  which@4.0.0:
    dependencies:
      isexe: 3.1.5
  why-is-node-running@2.3.0:
    dependencies:
      siginfo: 2.0.0
Author	SHA1	Message	Date
Flea Flicker	c89c2fd6b4	Revert RBAC/authorization changes in appointmentGroups and groomingLogs These files are out of scope for the input validation PR. Only the 5-route validation changes (invoices, book, appointments, services, stripe-webhooks) should be included. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 02:09:29 +00:00
Paperclip	203b600713	fix(stripe-webhooks): validate invoice IDs as UUIDs before DB lookup	2026-04-14 14:00:02 +00:00
Paperclip	b230e015c2	fix(services): cap durationMinutes at 480 (8 hours max)	2026-04-14 13:59:59 +00:00
Paperclip	53b2dc6067	fix(appointments): cap recurrence series at 1 year max	2026-04-14 13:59:54 +00:00
Paperclip	1bdfa9f3d2	fix(book): add future-time refinement to booking startTime	2026-04-14 13:59:51 +00:00
Paperclip	369c2ce182	fix(invoices): add Zod query param validation to GET /	2026-04-14 13:59:50 +00:00
Paperclip	5e24678fa5	feat(GRO-635): implement groomer data isolation in appointmentGroups, groomingLogs + fix batherStaffId conflict check - appointmentGroups: use Hono<AppEnv>(), add groomer isolation on all endpoints - groomingLogs: use Hono<AppEnv>(), add groomer isolation on all endpoints - appointments: add batherStaffId conflict check in POST and PATCH handlers - Non-groomer roles retain full access on all endpoints Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 13:50:03 +00:00