fix(api): remove stale uuid deps from package.json and lockfile

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/package.json

@@ -24,7 +24,6 @@
     "nodemailer": "^6.9.16",
     "stripe": "^22.0.0",
     "telnyx": "^1.23.0",
-
     "zod": "^4.3.6"
   },
   "devDependencies": {

apps/api/src/lib/auth.ts

@@ -97,6 +97,9 @@ export async function initAuth(): Promise<void> {
           window: 10,
           storage: "memory",
           customRules: {
+            "/sign-in/social": { max: 10, window: 60 },
+            "/sign-in/email": { max: 10, window: 60 },
+            "/sign-up/email": { max: 5, window: 60 },
             "/get-session": false,
           },
         },
@@ -247,6 +250,9 @@ export async function initAuth(): Promise<void> {
         window: 10,
         storage: "memory",
         customRules: {
+          "/sign-in/social": { max: 10, window: 60 },
+          "/sign-in/email": { max: 10, window: 60 },
+          "/sign-up/email": { max: 5, window: 60 },
           "/get-session": false,
         },
       },

apps/e2e/tests/portal-data.spec.ts

@@ -72,9 +72,15 @@ test.describe("Portal Data Integrity", () => {
   });
 
   test("billing section renders without JS errors", async ({ page }) => {
-    // Mock billing endpoint
-    await page.route("**/api/billing**", (route) =>
-      route.fulfill({ json: { invoices: [], balanceCents: 0 } })
+    // Mock portal billing endpoints
+    await page.route("**/api/portal/config**", (route) =>
+      route.fulfill({ json: { stripePublishableKey: "" } })
+    );
+    await page.route("**/api/portal/invoices**", (route) =>
+      route.fulfill({ json: [] })
+    );
+    await page.route("**/api/portal/payment-methods**", (route) =>
+      route.fulfill({ json: [] })
     );
 
     const consoleErrors: string[] = [];

docs/runbooks/10dlc-pilot-registration.md

@@ -1,309 +0,0 @@
-# 10DLC Pilot Tenant Registration Runbook
-
-Authored for [GRO-106](/GRO/issues/GRO-106) Phase 1.
-
----
-
-## Pre-Flight Checklist
-
-Before starting Telnyx registration, collect the following:
-
-| Item | Details |
-|------|---------|
-| Legal business name | Exact name on EIN / business registration |
-| EIN (Employer Identification Number) | 9-digit IRS format: XX-XXXXXXX |
-| Business type | Sole Proprietor / LLC / Corporation |
-| Primary contact email | General contact address (postmaster@, info@, etc.) |
-| Primary contact phone | Direct line for carrier verification |
-| Website URL | Must be live and contain privacy policy |
-| Sample message templates | See [Sample Templates](#sample-message-templates) below |
-| Messaging use case | Customer Care / Account Notification |
-
----
-
-## Step 1 — Telnyx Account Requirements
-
-- Active Telnyx account with billing configured.
-- Role required: **Admin** or **Super User** to register brands and campaigns.
-
----
-
-## Step 2 — Brand Registration
-
-### Via Telnyx Console
-
-1. Log in to [Telnyx Portal](https://portal.telnyx.com).
-2. Navigate to **Messaging → A2P 10DLC → Brands**.
-3. Click **Register Brand**.
-4. Fill in:
-   - **Brand Name**: Legal business name
-   - **Legal Company Name**: Exact EIN name
-   - **Company Type**: Select from dropdown
-   - **EIN**: XX-XXXXXXX
-   - **Primary Contact**: Name, email, phone
-   - **Website**: Must be accessible
-   - **BusinessVertical**: Select appropriate vertical
-5. Acknowledge the **Terms of Service**.
-6. Submit.
-
-### Via API
-
-```bash
-curl -X POST https://api.telnyx.com/v2/10dlc/brands \
-  -H "Authorization: Bearer $TELNYX_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "name": "Your Legal Business Name",
-    "legal_company_name": "Your Legal Business Name",
-    "company_type": "llc",
-    "ein": "XX-XXXXXXX",
-    "primary_contact": {
-      "name": "Jane Doe",
-      "email": "compliance@example.com",
-      "phone": "+13125551000"
-    },
-    "website": "https://www.example.com",
-    "business_vertical": "FINANCE_INSURANCE_BANKING"
-  }'
-```
-
-**Response fields to record:**
-- `brand_id` — required for campaign registration
-- `brand_score` — affects campaign vetting speed
-
-### Expected Fees
-
-| Fee Type | Amount |
-|----------|--------|
-| Brand registration fee | ~$0 (no direct fee from Telnyx) |
-| Campaign registration fee | ~$15–$25 per campaign (Telnyx fee, subject to change) |
-| Carrier fees | Passed through from T-Mobile/AT&T/Verizon |
-
-### Expected Approval Window
-
-- **Vetting by Telnyx**: 1–3 business days after submission.
-- **Carrier (T-Mobile/AT&T/Verizon) review**: 2–5 business days after Telnyx approval.
-- Total end-to-end: **3–8 business days**.
-
----
-
-## Step 3 — Campaign Registration
-
-### Use Case Selection
-
-- **Primary**: Customer Care
-- **Secondary**: Account Notification
-
-### Via Telnyx Console
-
-1. Navigate to **Messaging → A2P 10DLC → Campaigns**.
-2. Click **Register Campaign**.
-3. Select **Brand** (use the brand registered in Step 2).
-4. Fill in:
-   - **Campaign Name**: e.g., `groombook-pilot-customer-care`
-   - **Use Case**: Customer Care / Account Notification
-   - **Sample Messages**: Paste exactly the templates from [Sample Templates](#sample-message-templates) below.
-   - **Description**: Brief description of messaging program
-   - **Estimated Volume**: Enter monthly estimate (e.g., 500)
-5. Submit.
-
-### Via API
-
-```bash
-curl -X POST https://api.telnyx.com/v2/10dlc/campaigns \
-  -H "Authorization: Bearer $TELNYX_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "brand_id": "YOUR_BRAND_ID",
-    "name": "groombook-pilot-customer-care",
-    "use_case": "CUSTOMER_CARE",
-    "sample_messages": [
-      "Hi {{first_name}}, this is a reminder from {{business_name}} that your appointment is scheduled for {{date}} at {{time}}. Reply STOP to opt out.",
-      "Your appointment with {{business_name}} is confirmed for {{date}}. Need to reschedule? Reply HELP or call us at {{phone}}."
-    ],
-    "description": "Appointment reminders and account notifications for grooming clients",
-    "estimated_monthly_volume": 500
-  }'
-```
-
-**Response fields to record:**
-- `campaign_id` — required for messaging profile
-- `status` — initially `PENDING`, transitions to `ACTIVE` after carrier approval
-
-### Campaign Vetting — STOP/HELP Language Requirements
-
-Every campaign **must** include compliant STOP/HELP messaging. The following must appear in your sample messages or be included in your terms of service:
-
-- **STOP**: Users can text `STOP` to opt out of all messages.
-- **HELP**: Users can text `HELP` to receive contact information.
-
-Example STOP/HELP block:
-
-```
-Text STOP to opt out. Text HELP for help. Msg & data rates may apply.
-```
-
----
-
-## Step 4 — Messaging Profile + Phone Number Provisioning
-
-### Create Messaging Profile
-
-1. In Telnyx Portal, navigate to **Messaging → Messaging Profiles**.
-2. Click **Create Messaging Profile**.
-3. Name it (e.g., `groombook-pilot-prod`).
-4. Copy the **Messaging Profile ID** (`messaging_profile_id`) — record this in the DB.
-
-### Provision a 10DLC Phone Number
-
-1. Navigate to **Messaging → Phone Numbers**.
-2. Search for a number in your desired area code.
-3. Confirm the number is 10DLC-capable.
-4. Purchase the number.
-
-### Associate Number with Messaging Profile
-
-```bash
-# Assign number to messaging profile
-curl -X PATCH https://api.telnyx.com/v2/phone_numbers/YOUR_PHONE_NUMBER_ID \
-  -H "Authorization: Bearer $TELNYX_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "messaging_profile_id": "YOUR_MESSAGING_PROFILE_ID"
-  }'
-```
-
----
-
-## Step 5 — Record in Database
-
-Once [GRO-981](/GRO/issues/GRO-981) lands, record the following against the business record:
-
-### SQL Path (when GRO-981 is complete)
-
-```sql
-UPDATE businesses
-SET
-  messaging_phone_number = '+13125551000',
-  telnyx_messaging_profile_id = 'YOUR_MESSAGING_PROFILE_ID',
-  telnyx_brand_id = 'YOUR_BRAND_ID',
-  telnyx_campaign_id = 'YOUR_CAMPAIGN_ID',
-  telnyx_brand_status = 'APPROVED',
-  telnyx_campaign_status = 'ACTIVE',
-  updated_at = NOW()
-WHERE id = 'pilot_business_id';
-```
-
-### Manual Admin Path (before GRO-981)
-
-Until GRO-981 is complete, use the Telnyx Portal to verify and record values manually in your internal ops sheet:
-
-| Field | Value |
-|-------|-------|
-| `messagingPhoneNumber` | +1XXXXXXXXXX |
-| `telnyxMessagingProfileId` | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
-| `telnyxBrandId` | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
-| `telnyxCampaignId` | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
-| `brandStatus` | APPROVED / PENDING |
-| `campaignStatus` | ACTIVE / PENDING |
-
----
-
-## Sample Message Templates
-
-These must match exactly what your system will send. Vetting reviewers compare templates against actual traffic.
-
-### Transactional Appointment Reminder
-
-```
-Hi {{first_name}}, this is a reminder from {{business_name}} that your appointment is scheduled for {{date}} at {{time}}. Reply STOP to opt out. Msg & data rates may apply.
-```
-
-### Manual Staff Message
-
-```
-Your appointment with {{business_name}} is confirmed for {{date}}. Need to reschedule? Reply HELP for assistance or call us at {{phone}}. Msg & data rates may apply.
-```
-
----
-
-## Failure Modes + Retry Guidance
-
-### Vetting Rejection — Brand
-
-| Rejection Reason | Common Fix |
-|-----------------|------------|
-| Legal name mismatch with EIN | Ensure exact EIN name matches legal company name exactly |
-| Website not accessible / missing privacy policy | Add privacy policy page to website before resubmitting |
-| Incomplete primary contact | Provide direct phone and real email (no noreply) |
-| High-risk business vertical | Contact Telnyx support for pre-screening before resubmitting |
-
-### Campaign Rejection
-
-| Rejection Reason | Common Fix |
-|-----------------|------------|
-| Sample messages do not match actual traffic | Update sample messages to match exactly what the system sends |
-| Missing STOP/HELP language | Add compliant STOP/HELP block to sample messages |
-| Volume estimate too low/high | Revise estimate to be realistic |
-| Use case mismatch | Re-select use case that matches actual messaging |
-
-### Re-submission
-
-After fixing the rejection reason, re-submit via the same API endpoint. Telnyx will re-run vetting (typically 24–48 hours).
-
----
-
-## Cost Summary
-
-### Telnyx Fees (as of 2026)
-
-| Fee Type | Amount | Notes |
-|----------|--------|-------|
-| 10DLC number (monthly) | ~$1.00–$2.50/number | Varies by type and area code |
-| Outbound message | $0.005–$0.015/message | Depends on destination carrier |
-| Inbound message | Included | No charge for received messages |
-| Campaign registration | ~$15–$25 one-time | Per campaign, subject to change |
-
-### Carrier Fees (T-Mobile / AT&T / Verizon)
-
-| Carrier | Outbound Fee | Notes |
-|---------|-------------|-------|
-| T-Mobile | ~$0.005–$0.01/message | Varies by message size (segment) |
-| AT&T | ~$0.005–$0.015/message | Varies by message size (segment) |
-| Verizon | ~$0.005–$0.01/message | Varies by message size (segment) |
-
-**Note**: Carrier fees are subject to change. Check [Telnyx pricing page](https://telnyx.com/pricing) and carrier fee schedules for current rates.
-
-### Example Monthly Cost (Pilot — 500 messages/month)
-
-| Line Item | Cost |
-|-----------|------|
-| 1x 10DLC number | ~$2.00 |
-| 500 outbound messages | ~$5.00–$7.50 |
-| Carrier pass-through | ~$2.50–$7.50 |
-| **Estimated Monthly Total** | **~$9.50–$17.00** |
-
----
-
-## Rollback / De-provisioning
-
-If the pilot tenant must be de-provisioned:
-
-1. Release the phone number: Telnyx Portal → Phone Numbers → Release.
-2. Archive the campaign: set status to `INACTIVE` via API or console.
-3. Remove DB record: clear `messagingPhoneNumber`, `telnyxMessagingProfileId`, `telnyxCampaignId` fields in the business record.
-4. Brand can remain registered (no harm) but will not be used.
-
----
-
-## Contacts
-
-| Resource | Contact |
-|----------|---------|
-| Telnyx Support | support@telnyx.com |
-| Telnyx Dashboard | portal.telnyx.com |
-| Internal Engineering | Raise issue in [GRO-106](/GRO/issues/GRO-106) |
-
----
-
-_Last updated: 2026-05-04_

docs/runbooks/README.md

@@ -1,11 +0,0 @@
-# GroomBook Runbooks
-
-Operational runbooks for GroomBook staff and operators.
-
-| Runbook | Description | Status |
-|---------|-------------|--------|
-| [10DLC Pilot Registration](./10dlc-pilot-registration.md) | Register a pilot grooming business as an A2P 10DLC brand + campaign on Telnyx | Active |
-
----
-
-_To add a runbook, create a markdown file in this directory and update this table._

packages/db/migrations/0030_messaging.sql

@@ -0,0 +1,72 @@
+-- Migration: 0030_messaging.sql
+-- Messaging schema: conversations, messages, attachments, consent events + business messaging settings
+
+-- ─── Enums ───────────────────────────────────────────────────────────────────
+
+CREATE TYPE "messaging_channel" AS ENUM ('sms', 'mms');
+CREATE TYPE "message_direction" AS ENUM ('inbound', 'outbound');
+CREATE TYPE "message_status" AS ENUM ('queued', 'sent', 'delivered', 'failed', 'received');
+CREATE TYPE "message_consent_kind" AS ENUM ('opt_in', 'opt_out', 'help');
+
+-- ─── Tables ───────────────────────────────────────────────────────────────────
+
+CREATE TABLE "conversations" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "business_id" uuid NOT NULL,
+  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
+  "channel" "messaging_channel" NOT NULL,
+  "external_number" text NOT NULL,
+  "business_number" text NOT NULL,
+  "last_message_at" timestamp,
+  "status" text NOT NULL DEFAULT 'active',
+  "created_at" timestamp NOT NULL DEFAULT now(),
+  "updated_at" timestamp NOT NULL DEFAULT now()
+);
+
+CREATE INDEX "idx_conversations_business_id_last_message_at" ON "conversations"("business_id", "last_message_at" DESC);
+CREATE UNIQUE INDEX "uq_conversations_business_client_number" ON "conversations"("business_id", "client_id", "business_number");
+
+CREATE TABLE "messages" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "conversation_id" uuid NOT NULL REFERENCES "conversations"("id") ON DELETE CASCADE,
+  "direction" "message_direction" NOT NULL,
+  "body" text,
+  "status" "message_status" NOT NULL DEFAULT 'queued',
+  "provider_message_id" text,
+  "error_code" text,
+  "error_message" text,
+  "sent_by_staff_id" uuid REFERENCES "staff"("id") ON DELETE SET NULL,
+  "created_at" timestamp NOT NULL DEFAULT now(),
+  "delivered_at" timestamp,
+  "read_by_client_at" timestamp
+);
+
+CREATE INDEX "idx_messages_conversation_id_created_at" ON "messages"("conversation_id", "created_at" DESC);
+CREATE UNIQUE INDEX "uq_messages_provider_message_id" ON "messages"("provider_message_id");
+
+CREATE TABLE "message_attachments" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "message_id" uuid NOT NULL REFERENCES "messages"("id") ON DELETE CASCADE,
+  "content_type" text NOT NULL,
+  "url" text NOT NULL,
+  "size" integer NOT NULL,
+  "provider_media_id" text
+);
+
+CREATE INDEX "idx_message_attachments_message_id" ON "message_attachments"("message_id");
+
+CREATE TABLE "message_consent_events" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
+  "business_id" uuid NOT NULL,
+  "kind" "message_consent_kind" NOT NULL,
+  "source" text,
+  "created_at" timestamp NOT NULL DEFAULT now()
+);
+
+CREATE INDEX "idx_message_consent_events_client_id" ON "message_consent_events"("client_id");
+
+-- ─── Business Settings extensions ────────────────────────────────────────────
+
+ALTER TABLE "business_settings" ADD COLUMN "messaging_phone_number" text;
+ALTER TABLE "business_settings" ADD COLUMN "telnyx_messaging_profile_id" text;

packages/db/migrations/meta/_journal.json

@@ -204,6 +204,20 @@
       "when": 1775741667192,
       "tag": "0028_sms_reminders",
       "breakpoints": true
+    },
+    {
+      "idx": 29,
+      "version": "7",
+      "when": 1775784467192,
+      "tag": "0029_db_indexes_constraints",
+      "breakpoints": true
+    },
+    {
+      "idx": 30,
+      "version": "7",
+      "when": 1775828067192,
+      "tag": "0030_messaging",
+      "breakpoints": true
     }
   ]
 }

packages/db/src/schema.ts

@@ -406,6 +406,117 @@ export const impersonationAuditLogs = pgTable(
   (t) => [index("impersonation_audit_logs_session_id_idx").on(t.sessionId)]
 );
 
+// ─── Messaging ───────────────────────────────────────────────────────────────
+
+export const messagingChannelEnum = pgEnum("messaging_channel", ["sms", "mms"]);
+
+export const messageDirectionEnum = pgEnum("message_direction", [
+  "inbound",
+  "outbound",
+]);
+
+export const messageStatusEnum = pgEnum("message_status", [
+  "queued",
+  "sent",
+  "delivered",
+  "failed",
+  "received",
+]);
+
+export const messageConsentKindEnum = pgEnum("message_consent_kind", [
+  "opt_in",
+  "opt_out",
+  "help",
+]);
+
+export const conversations = pgTable(
+  "conversations",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    businessId: uuid("business_id").notNull(),
+    clientId: uuid("client_id")
+      .notNull()
+      .references(() => clients.id, { onDelete: "cascade" }),
+    channel: messagingChannelEnum("channel").notNull(),
+    externalNumber: text("external_number").notNull(),
+    businessNumber: text("business_number").notNull(),
+    lastMessageAt: timestamp("last_message_at"),
+    status: text("status").notNull().default("active"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [
+    index("idx_conversations_business_id_last_message_at").on(
+      t.businessId,
+      t.lastMessageAt.desc()
+    ),
+    unique("uq_conversations_business_client_number").on(
+      t.businessId,
+      t.clientId,
+      t.businessNumber
+    ),
+  ]
+);
+
+export const messages = pgTable(
+  "messages",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    conversationId: uuid("conversation_id")
+      .notNull()
+      .references(() => conversations.id, { onDelete: "cascade" }),
+    direction: messageDirectionEnum("direction").notNull(),
+    body: text("body"),
+    status: messageStatusEnum("status").notNull().default("queued"),
+    providerMessageId: text("provider_message_id"),
+    errorCode: text("error_code"),
+    errorMessage: text("error_message"),
+    sentByStaffId: uuid("sent_by_staff_id").references(() => staff.id, {
+      onDelete: "set null",
+    }),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    deliveredAt: timestamp("delivered_at"),
+    readByClientAt: timestamp("read_by_client_at"),
+  },
+  (t) => [
+    index("idx_messages_conversation_id_created_at").on(
+      t.conversationId,
+      t.createdAt.desc()
+    ),
+    unique("uq_messages_provider_message_id").on(t.providerMessageId),
+  ]
+);
+
+export const messageAttachments = pgTable(
+  "message_attachments",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    messageId: uuid("message_id")
+      .notNull()
+      .references(() => messages.id, { onDelete: "cascade" }),
+    contentType: text("content_type").notNull(),
+    url: text("url").notNull(),
+    size: integer("size").notNull(),
+    providerMediaId: text("provider_media_id"),
+  },
+  (t) => [index("idx_message_attachments_message_id").on(t.messageId)]
+);
+
+export const messageConsentEvents = pgTable(
+  "message_consent_events",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    clientId: uuid("client_id")
+      .notNull()
+      .references(() => clients.id, { onDelete: "cascade" }),
+    businessId: uuid("business_id").notNull(),
+    kind: messageConsentKindEnum("kind").notNull(),
+    source: text("source"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+  },
+  (t) => [index("idx_message_consent_events_client_id").on(t.clientId)]
+);
+
 export const businessSettings = pgTable("business_settings", {
   id: uuid("id").primaryKey().defaultRandom(),
   businessName: text("business_name").notNull().default("GroomBook"),
@@ -414,6 +525,8 @@ export const businessSettings = pgTable("business_settings", {
   logoKey: text("logo_key"),
   primaryColor: text("primary_color").notNull().default("#4f8a6f"),
   accentColor: text("accent_color").notNull().default("#8b7355"),
+  messagingPhoneNumber: text("messaging_phone_number"),
+  telnyxMessagingProfileId: text("telnyx_messaging_profile_id"),
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });

pnpm-lock.yaml

@@ -4346,10 +4346,12 @@ packages:
 
   uuid@8.3.2:
     resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
+    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   uuid@9.0.1:
     resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
+    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   victory-vendor@37.3.6: