Merge pull request 'Promote dev → uat: fix(e2e) PLAYWRIGHT_BASE_URL + host.docker.internal (GRO-1496)' (#431) from dev into uat

Promote dev → uat: fix(e2e) PLAYWRIGHT_BASE_URL + host.docker.internal (GRO-1496) (#431)

.github/workflows/ci.yml

@@ -53,6 +53,41 @@ jobs:
       - name: Run tests
         run: pnpm test
 
+  e2e:
+    name: E2E Tests
+    runs-on: ubuntu-latest
+    needs: [lint-typecheck, test]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Install Playwright browsers
+        run: pnpm --filter @groombook/e2e exec playwright install --with-deps chromium
+
+      - name: Start Docker Compose stack
+        run: docker compose up -d --wait
+        timeout-minutes: 5
+
+      - name: Run E2E tests
+        run: pnpm --filter @groombook/e2e test
+        env:
+          PLAYWRIGHT_BASE_URL: http://localhost:8080
+
+      - name: Stop Docker Compose stack
+        if: always()
+        run: docker compose down
+
   build:
     name: Build
     runs-on: ubuntu-latest
@@ -80,7 +115,7 @@ jobs:
   docker:
     name: Build & Push Docker Images
     runs-on: ubuntu-latest
-    needs: [build]
+    needs: [build, e2e]
     outputs:
       tag: ${{ steps.version.outputs.tag }}
     steps:

SHEDWARD_INSTRUCTIONS.md

@@ -1,50 +0,0 @@
-# Shedward Scissorhands — UAT Agent Instructions
-
-You are the GroomBook User Acceptance Tester. Your sole job is to execute UAT playbooks against deployed environments and report results.
-
-## Mandatory Tooling
-
-You MUST use the **groombook-playwright MCP server** (`mcp__playwright-groombook__*` tools) for ALL browser interaction. Do not:
-
-- Run scripted Playwright suites (`npx playwright test`, `pnpm test:e2e`, etc.)
-- Use manual browser commands or shell-based browser automation
-- Open browsers outside the MCP server
-
-Every page navigation, click, form fill, and verification MUST go through MCP tools.
-
-## Available MCP Tools
-
-| Tool | When to use |
-|------|-------------|
-| `browser_navigate` | Open a URL |
-| `browser_snapshot` | Read page state (preferred over screenshot for assertions) |
-| `browser_take_screenshot` | Capture visual evidence |
-| `browser_click` | Click an element (use ref from snapshot) |
-| `browser_fill_form` | Fill form fields |
-| `browser_type` | Type text into focused element |
-| `browser_press_key` | Press keyboard keys |
-| `browser_select_option` | Select dropdown options |
-| `browser_hover` | Hover over elements |
-| `browser_wait_for` | Wait for elements or navigation |
-| `browser_console_messages` | Check for JS errors |
-| `browser_network_requests` | Inspect API calls |
-| `browser_evaluate` | Run JS in page context |
-| `browser_resize` | Test responsive layouts |
-| `browser_close` | Close browser session |
-
-## Execution Workflow
-
-1. Read the `UAT_PLAYBOOK.md` in the repo being tested.
-2. For each test case, translate the human-readable steps into MCP tool calls.
-3. Capture evidence: use `browser_snapshot` for assertions, `browser_take_screenshot` for visual proof.
-4. Report pass/fail per test case with evidence.
-5. If a test fails, document: severity, steps to reproduce, actual vs expected, and attach screenshots.
-
-## Environments
-
-| Environment | URL | Auth |
-|-------------|-----|------|
-| Dev | `https://dev.groombook.dev` | Dev login selector (no OIDC) |
-| UAT | `https://uat.groombook.dev` | Authentik OIDC at `https://auth.farh.net` |
-| Production | `https://demo.groombook.dev` | Authentik OIDC |
-| Site | `https://groombook.farh.net` | No auth required |

UAT_PLAYBOOK.md

@@ -4,49 +4,7 @@
 
 GroomBook is an open-source, self-hostable pet grooming business management & CRM platform. The monorepo contains the Hono API (`apps/api`), React PWA web app (`apps/web`), E2E tests (`apps/e2e`), and shared packages (`packages/db`, `packages/types`). Tech stack: Hono + React 19 + Vite + PostgreSQL + Drizzle ORM + Authentik OIDC.
 
-## 2. Execution Method
-
-All UAT is executed by **Shedward Scissorhands** via the **groombook-playwright MCP server**. No manual browser checks or scripted Playwright suites are used for UAT.
-
-### MCP Tools
-
-Shedward uses the `mcp__playwright-groombook__*` tool family:
-
-| Tool | Purpose |
-|------|---------|
-| `browser_navigate` | Navigate to a URL |
-| `browser_snapshot` | Capture accessibility snapshot (preferred over screenshot) |
-| `browser_take_screenshot` | Capture visual screenshot when needed |
-| `browser_click` | Click an element by ref or selector |
-| `browser_fill_form` | Fill form fields |
-| `browser_type` | Type text into focused element |
-| `browser_press_key` | Press keyboard keys (Enter, Tab, etc.) |
-| `browser_select_option` | Select dropdown options |
-| `browser_hover` | Hover over elements |
-| `browser_wait_for` | Wait for elements or conditions |
-| `browser_console_messages` | Check console for errors |
-| `browser_network_requests` | Inspect network traffic |
-| `browser_evaluate` | Run JavaScript in page context |
-| `browser_tabs` | Manage browser tabs |
-| `browser_close` | Close browser |
-
-### How Test Cases Map to MCP Calls
-
-Each test case in Section 4 describes steps like "Navigate to X" or "Click Y". Shedward translates these to MCP tool calls:
-
-- **"Navigate to [URL]"** → `browser_navigate` with the environment URL
-- **"Click [element]"** → `browser_snapshot` to find the element ref, then `browser_click`
-- **"Fill in [field]"** → `browser_fill_form` or `browser_click` + `browser_type`
-- **"Verify [state]"** → `browser_snapshot` and inspect the accessibility tree
-- **"Check for errors"** → `browser_console_messages` + `browser_snapshot`
-
-Shedward reads this playbook, executes each test case via MCP tools, captures evidence (snapshots/screenshots), and reports pass/fail per test case.
-
-### Legacy CI Tests
-
-The scripted Playwright suites in `apps/e2e/` and `apps/web/e2e/` are retained for CI regression testing only. They are **not** the primary UAT mechanism. UAT is exclusively MCP-driven by Shedward.
-
-## 3. Environments
+## 2. Environments
 
 | Environment | URL | Notes |
 |-------------|-----|-------|
@@ -56,7 +14,7 @@ The scripted Playwright suites in `apps/e2e/` and `apps/web/e2e/` are retained f
 
 **Local Development:** Run `docker compose up --build` at repository root. Web app available at `localhost:8080`, API at `localhost:3000`.
 
-## 4. Pre-conditions
+## 3. Pre-conditions
 
 - UAT environment is accessible at `https://uat.groombook.dev`
 - Test accounts are seeded with the following personas:
@@ -71,23 +29,18 @@ The scripted Playwright suites in `apps/e2e/` and `apps/web/e2e/` are retained f
 - Stripe test keys are configured for payment flow testing
 - Email/SMS providers (Telnyx, etc.) are configured for notification testing
 
-## 5. Test Cases
+## 4. Test Cases
 
 ### 4.1 Authentication
 
 | # | Scenario | Steps | Expected |
 |---|----------|-------|----------|
-| TC-APP-4.1.1 | OIDC login (Authentik) | 1. Navigate to UAT environment<br>2. Click "Login with Authentik"<br>3. Enter test credentials<br>4. Authorize the application | User is redirected to app dashboard, session is established |
-| TC-APP-4.1.2 | Email + password login (UAT Super) | 1. Navigate to UAT environment sign-in page<br>2. Select email+password flow<br>3. Enter `uat-super@groombook.dev` and UAT super password<br>4. Submit | User is logged in and redirected to dashboard with manager access |
-| TC-APP-4.1.3 | Email + password login (UAT Groomer) | 1. Navigate to UAT environment sign-in page<br>2. Select email+password flow<br>3. Enter `uat-groomer@groombook.dev` and UAT groomer password<br>4. Submit | User is logged in and redirected to dashboard with staff/groomer access |
-| TC-APP-4.1.4 | Email + password login (UAT Customer) | 1. Navigate to UAT environment sign-in page<br>2. Select email+password flow<br>3. Enter `uat-customer@groombook.dev` and UAT customer password<br>4. Submit | User is logged in with client portal access |
-| TC-APP-4.1.5 | Email + password login (UAT Tester) | 1. Navigate to UAT environment sign-in page<br>2. Select email+password flow<br>3. Enter `uat-tester@groombook.dev` and UAT tester password<br>4. Submit | User is logged in with staff/tester access |
-| TC-APP-4.1.6 | Session persistence | 1. Log in as any user<br>2. Close browser tab<br>3. Reopen browser and navigate to UAT | User remains logged in, no re-authentication required |
-| TC-APP-4.1.7 | Logout | 1. Log in as any user<br>2. Click logout button<br>3. Attempt to access protected route | User is logged out and redirected to login page |
-| TC-APP-4.1.8 | RBAC - Manager access | 1. Log in as Manager (OIDC or email+password)<br>2. Navigate to Settings, Staff Management, Reports | All administrative features are accessible |
-| TC-APP-4.1.9 | RBAC - Staff access | 1. Log in as Staff (OIDC or email+password)<br>2. Attempt to access Settings, Staff Management | Access denied or limited view, staff can only see assigned appointments |
-| TC-APP-4.1.10 | RBAC - Client access | 1. Log in as Client (email+password)<br>2. Navigate to portal<br>3. Attempt to access admin areas | Client can only view their own appointments, pets, and profile |
-| TC-APP-4.1.11 | Login after hourly reset | 1. Wait for or trigger `reset-demo-data` CronJob to run<br>2. Attempt email+password login as any UAT persona | Login succeeds — Better Auth credential accounts survive the reset cycle |
+| TC-APP-4.1.1 | OIDC login | 1. Navigate to UAT environment<br>2. Click "Login with Authentik"<br>3. Enter test credentials<br>4. Authorize the application | User is redirected to app dashboard, session is established |
+| TC-APP-4.1.2 | Session persistence | 1. Log in as any user<br>2. Close browser tab<br>3. Reopen browser and navigate to UAT | User remains logged in, no re-authentication required |
+| TC-APP-4.1.3 | Logout | 1. Log in as any user<br>2. Click logout button<br>3. Attempt to access protected route | User is logged out and redirected to login page |
+| TC-APP-4.1.4 | RBAC - Manager access | 1. Log in as Manager<br>2. Navigate to Settings, Staff Management, Reports | All administrative features are accessible |
+| TC-APP-4.1.5 | RBAC - Staff access | 1. Log in as Staff<br>2. Attempt to access Settings, Staff Management | Access denied or limited view, staff can only see assigned appointments |
+| TC-APP-4.1.6 | RBAC - Client access | 1. Log in as Client<br>2. Navigate to portal<br>3. Attempt to access admin areas | Client can only view their own appointments, pets, and profile |
 
 ### 4.2 Setup Wizard / OOBE
 
@@ -126,7 +79,7 @@ The scripted Playwright suites in `apps/e2e/` and `apps/web/e2e/` are retained f
 | TC-APP-4.5.5 | Appointment groups | 1. Create multiple appointments for same time slot<br>2. View in calendar | Appointments are grouped/linked appropriately |
 | TC-APP-4.5.6 | Appointment availability check | 1. Attempt to book appointment during unavailable slot | System shows conflict or prevents double-booking |
 | TC-APP-4.5.7 | Booking wizard — size/coat selection | 1. Start new appointment booking wizard<br>2. Select a pet with sizeCategory and coatType set<br>3. Observe the service/slot selection step | Size and coat type dropdowns are displayed and persist the pet's existing values |
-| TC-APP-4.5.8 | Large/Xlarge pet slot duration reflects buffer | 1. Add a pet with sizeCategory = "large" or "xlarge" to an appointment<br>2. Note the service duration<br>3. Complete booking and inspect the appointment | Appointment slot includes the service duration plus the configured buffer for the pet's size category |
+| TC-APP-4.5.8 | Large/X-Large pet slot duration reflects buffer | 1. Add a pet with sizeCategory = "large" or "x-large" to an appointment<br>2. Note the service duration<br>3. Complete booking and inspect the appointment | Appointment slot includes the service duration plus the configured buffer for the pet's size category |
 | TC-APP-4.5.9 | Appointment overrun cascades downstream | 1. Book three consecutive same-groomer appointments (A → B → C)<br>2. Manually extend appointment A's endTime so it overlaps B's startTime by ≥15 min<br>3. Observe appointment B | Appointment B (and C if still overlapping) is automatically shifted forward by the overrun delta + buffer; no error thrown |
 | TC-APP-4.5.10 | Cascaded appointments appear at new times | 1. Complete TC-APP-4.5.9<br>2. Check the calendar/list view | Appointments B and C are now shown at their shifted start/end times |
 | TC-APP-4.5.11 | Client receives reschedule notification email | 1. Complete TC-APP-4.5.9<br>2. Check the client's email (or notification log) | Client receives an email with subject/lines indicating their appointment was rescheduled from original time to new time |
@@ -299,7 +252,7 @@ The scripted Playwright suites in `apps/e2e/` and `apps/web/e2e/` are retained f
 | TC-APP-4.21.10 | Whitespace trimming | 1. Send `  START  ` or `\tSTOP\n` | Keywords are trimmed before matching |
 | TC-APP-4.21.11 | Non-keyword messages ignored | 1. Send `STOP IT`, `help me`, `hello` | Returns null from `detectKeyword`, no consent event inserted, no reply sent |
 | TC-APP-4.21.12 | Consent event audit log | 1. After any keyword, query `messageConsentEvents` table | Record exists with correct `clientId`, `businessId`, `kind`, and `source: "sms_keyword"` |
-## 6. Pass/Fail Criteria
+## 5. Pass/Fail Criteria
 
 **Pass:** All test cases execute without errors. Expected results match actual results. No regressions are observed. All functionality works as documented.
 
@@ -312,7 +265,7 @@ The scripted Playwright suites in `apps/e2e/` and `apps/web/e2e/` are retained f
 
 **Regressions:** If a previously working feature fails during this UAT run, it is considered a regression and must be addressed before the release can proceed.
 
-## 7. Update Policy
+## 6. Update Policy
 
 **Any PR that changes user-facing behaviour MUST update this file.**
 
@@ -322,4 +275,4 @@ When modifying features that affect:
 - Configuration (settings, integrations)
 - Data visibility (reports, search, filtering)
 
-The corresponding test case(s) in Section 5 must be updated to reflect the new behaviour. The PR description must reference which playbook section was updated (e.g., "Updated UAT_PLAYBOOK.md §4.5 — new appointment group scheduling feature").
+The corresponding test case(s) in Section 4 must be updated to reflect the new behaviour. The PR description must reference which playbook section was updated (e.g., "Updated UAT_PLAYBOOK.md §4.5 — new appointment group scheduling feature").

docker-compose.yml

@@ -43,12 +43,6 @@ services:
         condition: service_healthy
       migrate:
         condition: service_completed_successfully
-    healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:3000/health || exit 1"]
-      interval: 5s
-      timeout: 5s
-      retries: 20
-      start_period: 10s
 
   web:
     build:
@@ -59,14 +53,7 @@ services:
     extra_hosts:
       - "host.docker.internal:host-gateway"
     depends_on:
-      api:
-        condition: service_healthy
-    healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:80 || exit 1"]
-      interval: 5s
-      timeout: 5s
-      retries: 20
-      start_period: 10s
+      - api
 
 volumes:
   postgres_data:

packages/db/src/seed.ts

@@ -20,7 +20,6 @@ import postgres from "postgres";
 import { drizzle } from "drizzle-orm/postgres-js";
 import { eq, sql } from "drizzle-orm";
 import * as schema from "./schema.js";
-import { randomBytes, scrypt } from "node:crypto";
 
 // ── Seed profile configuration ─────────────────────────────────────────────
 
@@ -510,81 +509,6 @@ async function seedKnownUsers() {
   }
   console.log(`✓ Seeded ${demoSvcs.length} services`);
 
-  // ── Better Auth credential accounts for UAT personas ─────────────────────
-  // Creates user + account rows so UAT personas can email+password login.
-  // Uses the same scrypt config as better-auth (keylen=64, N=16384, r=8, p=1).
-  const uatCredAccounts: Array<{ email: string; passwordEnvKey: string; staffId: string }> = [
-    { email: "uat-super@groombook.dev", passwordEnvKey: "SEED_UAT_SUPER_PASSWORD", staffId: "00000000-0000-0000-0000-000000000003" },
-    { email: "uat-groomer@groombook.dev", passwordEnvKey: "SEED_UAT_GROOMER_PASSWORD", staffId: "00000000-0000-0000-0000-000000000004" },
-    { email: "uat-customer@groombook.dev", passwordEnvKey: "SEED_UAT_CUSTOMER_PASSWORD", staffId: "" },
-    { email: "uat-tester@groombook.dev", passwordEnvKey: "SEED_UAT_TESTER_PASSWORD", staffId: "" },
-  ];
-
-  for (const acct of uatCredAccounts) {
-    const password = process.env[acct.passwordEnvKey];
-    if (!password) {
-      console.log(`⊘ No ${acct.passwordEnvKey} set — skipping Better Auth account for ${acct.email}`);
-      continue;
-    }
-
-    // Check if user already exists
-    const [existingUser] = await db
-      .select()
-      .from(schema.user)
-      .where(eq(schema.user.email, acct.email))
-      .limit(1);
-
-    let userId: string;
-    if (existingUser) {
-      userId = existingUser.id;
-      console.log(`✓ Better Auth user '${acct.email}' already exists — skipping`);
-    } else {
-      // Hash with same scrypt params as better-auth: keylen=64, N=16384, r=8, p=1
-      // Use Promise-based scrypt API (callback pattern, wrapped in Promise)
-      const salt = randomBytes(16);
-      const key = await new Promise<Buffer>((resolve, reject) => {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        scrypt(password.normalize("NFKC"), salt, 64, { N: 16384, r: 8, p: 1 } as any, (err: Error | null, derivedKey: Buffer) => {
-          if (err) reject(err);
-          else resolve(derivedKey);
-        });
-      });
-      const passwordHash = `${salt.toString("hex")}:${key.toString("hex")}`;
-
-      const [newUser] = await db.insert(schema.user).values({
-        id: uuid(),
-        name: acct.email.split("@")[0]!,
-        email: acct.email,
-        emailVerified: true,
-      }).returning();
-      userId = newUser!.id;
-
-      await db.insert(schema.account).values({
-        id: uuid(),
-        accountId: userId,
-        providerId: "credential",
-        userId,
-        password: passwordHash,
-      });
-      console.log(`✓ Created Better Auth credential account for '${acct.email}'`);
-    }
-
-    // Link staff record to Better Auth user if staff exists and has no userId yet
-    if (acct.staffId) {
-      const [existingStaff] = await db
-        .select()
-        .from(schema.staff)
-        .where(eq(schema.staff.id, acct.staffId))
-        .limit(1);
-      if (existingStaff && !existingStaff.userId) {
-        await db.update(schema.staff)
-          .set({ userId })
-          .where(eq(schema.staff.id, acct.staffId));
-        console.log(`  ↳ Linked staff '${acct.email}' to Better Auth user`);
-      }
-    }
-  }
-
   // ── Client: Demo Client ──
   const [existingClient] = await db
     .select()