fix(GRO-874): add requireSuperUser() to GET /api/admin/settings/logo

The logo proxy route was missing auth middleware, allowing any
unauthenticated caller to receive the presigned S3 URL and exposing
the internal Ceph RGW hostname. Matches auth pattern used by all
other /api/admin/* routes in this file.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.env.example

@@ -11,10 +11,6 @@ AUTH_DISABLED=false
 OIDC_ISSUER=https://authentik.example.com
 OIDC_AUDIENCE=groombook
 
-# ── Webhooks ─────────────────────────────────────────────────────────────────
-# Telnyx webhook secret for validating inbound message webhooks.
-TELNYX_WEBHOOK_SECRET=your-telnyx-webhook-secret-here
-
 # ── Setup Wizard ─────────────────────────────────────────────────────────────
 # When SKIP_OOBE=true, the setup wizard is bypassed regardless of whether a
 # super user exists in the database. Useful in dev/test environments where the

apps/api/package.json

@@ -24,14 +24,13 @@
     "nodemailer": "^6.9.16",
     "stripe": "^22.0.0",
     "telnyx": "^1.23.0",
-    "uuid": "^11.1.1",
+
     "zod": "^4.3.6"
   },
   "devDependencies": {
     "@types/node": "^22.10.7",
     "@types/node-cron": "^3.0.11",
     "@types/nodemailer": "^6.4.17",
-    "@types/uuid": "^10.0.0",
     "@vitest/coverage-v8": "^3.2.4",
     "eslint": "^9.18.0",
     "tsx": "^4.19.2",

apps/api/src/index.ts

@@ -29,7 +29,6 @@ import { devRouter } from "./routes/dev.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
 import { webhooksRouter } from "./routes/stripe-webhooks.js";
-import { telnyxWebhooksRouter } from "./routes/webhooks/telnyx.js";
 
 const app = new Hono();
 
@@ -70,9 +69,6 @@ app.route("/api/portal", portalRouter);
 // Public Stripe webhook endpoint — signature-verified, no auth required
 app.route("/api/webhooks/stripe", webhooksRouter);
 
-// Public Telnyx messaging webhook — signature-verified, no auth required
-app.route("/api/webhooks/telnyx", telnyxWebhooksRouter);
-
 // Dev/demo routes — config is always public, users endpoint is guarded internally
 app.route("/api/dev", devRouter);
 

apps/api/src/lib/auth.ts

@@ -97,9 +97,6 @@ export async function initAuth(): Promise<void> {
           window: 10,
           storage: "memory",
           customRules: {
-            "/sign-in/social": { max: 10, window: 60 },
-            "/sign-in/email": { max: 10, window: 60 },
-            "/sign-up/email": { max: 5, window: 60 },
             "/get-session": false,
           },
         },
@@ -250,9 +247,6 @@ export async function initAuth(): Promise<void> {
         window: 10,
         storage: "memory",
         customRules: {
-          "/sign-in/social": { max: 10, window: 60 },
-          "/sign-in/email": { max: 10, window: 60 },
-          "/sign-up/email": { max: 5, window: 60 },
           "/get-session": false,
         },
       },

apps/api/src/routes/invoices.ts

@@ -14,8 +14,7 @@ import {
   clients,
   sql,
 } from "@groombook/db";
-import type { AppEnv, StaffRole } from "../middleware/rbac.js";
-import { requireRole } from "../middleware/rbac.js";
+import type { AppEnv } from "../middleware/rbac.js";
 
 export const invoicesRouter = new Hono<AppEnv>();
 
@@ -102,8 +101,6 @@ invoicesRouter.get(
         paymentMethod: invoices.paymentMethod,
         paidAt: invoices.paidAt,
         notes: invoices.notes,
-        stripePaymentIntentId: invoices.stripePaymentIntentId,
-        stripeRefundId: invoices.stripeRefundId,
         createdAt: invoices.createdAt,
         updatedAt: invoices.updatedAt,
       })
@@ -131,17 +128,7 @@ invoicesRouter.get("/:id", async (c) => {
     db.select().from(invoiceTipSplits).where(eq(invoiceTipSplits.invoiceId, id)),
   ]);
 
-  let cardLast4: string | null = null;
-  let paymentStatus: string | null = null;
-  if (invoice.stripePaymentIntentId) {
-    const details = await getPaymentIntentDetails(invoice.stripePaymentIntentId);
-    if (details) {
-      cardLast4 = details.cardLast4;
-      paymentStatus = details.paymentStatus;
-    }
-  }
-
-  return c.json({ ...invoice, lineItems, tipSplits, cardLast4, paymentStatus });
+  return c.json({ ...invoice, lineItems, tipSplits });
 });
 
 // Save tip splits for an invoice (replaces existing splits)
@@ -462,7 +449,7 @@ invoicesRouter.post(
       return c.json({ error: "Refund only allowed on paid invoices" }, 422);
     }
     if (!invoice.stripePaymentIntentId) {
-      return c.json({ error: "Invoice has no Stripe payment intent" }, 422);
+      return c.json({ error: "No Stripe payment intent found for this invoice" }, 422);
     }
 
     return await db.transaction(async (tx) => {
@@ -478,66 +465,55 @@ invoicesRouter.post(
 
       const result = await processRefund(id, body.amountCents);
       if (!result) return c.json({ error: "Refund failed" }, 500);
-      const refundId = result.refundId;
 
       await tx.insert(refunds).values({
         invoiceId: id,
-        stripeRefundId: refundId,
+        stripeRefundId: result.refundId,
         idempotencyKey: body.idempotencyKey ?? null,
         amountCents: body.amountCents ?? null,
       });
 
-      return c.json({ refundId });
+      return c.json({ refundId: result.refundId });
     });
   }
 );
 
 // Payment stats for admin dashboard
-invoicesRouter.get("/stats/summary", requireRole("manager" as StaffRole), async (c) => {
-  try {
-    const db = getDb();
-    const now = new Date();
-    const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
+invoicesRouter.get("/stats/summary", async (c) => {
+  const db = getDb();
+  const now = new Date();
+  const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
 
-    const [revenueResult] = await db
-      .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
-      .from(invoices)
-      .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`));
+  const [revenueResult] = await db
+    .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
+    .from(invoices)
+    .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`));
 
-    const [outstandingResult] = await db
-      .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
-      .from(invoices)
-      .where(eq(invoices.status, "pending"));
+  const [outstandingResult] = await db
+    .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
+    .from(invoices)
+    .where(eq(invoices.status, "pending"));
 
-    const [refundsResult] = await db
-      .select({ total: sql<number>`coalesce(sum(amount_cents), 0)` })
-      .from(refunds)
-      .where(sql`${refunds.createdAt} >= ${startOfMonth}`);
+  const [refundsResult] = await db
+    .select({ total: sql<number>`coalesce(sum(amount_cents), 0)` })
+    .from(refunds)
+    .where(sql`${refunds.createdAt} >= ${startOfMonth}`);
 
-    const methodBreakdown = await db
-      .select({
-        method: invoices.paymentMethod,
-        total: sql<number>`count(*)`,
-      })
-      .from(invoices)
-      .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`))
-      .groupBy(invoices.paymentMethod);
+  const methodBreakdown = await db
+    .select({
+      method: invoices.paymentMethod,
+      total: sql<number>`count(*)`,
+    })
+    .from(invoices)
+    .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`))
+    .groupBy(invoices.paymentMethod);
 
-    return c.json({
-      revenueThisMonth: revenueResult?.total ?? 0,
-      outstanding: outstandingResult?.total ?? 0,
-      refundsThisMonth: refundsResult?.total ?? 0,
-      methodBreakdown,
-    });
-  } catch (err) {
-    console.error("stats/summary error:", err);
-    return c.json({
-      revenueThisMonth: 0,
-      outstanding: 0,
-      refundsThisMonth: 0,
-      methodBreakdown: [],
-    });
-  }
+  return c.json({
+    revenueThisMonth: revenueResult?.total ?? 0,
+    outstanding: outstandingResult?.total ?? 0,
+    refundsThisMonth: refundsResult?.total ?? 0,
+    methodBreakdown,
+  });
 });
 
 // Get Stripe payment details for an invoice (card last4, payment status, refund status)

apps/api/src/routes/settings.ts

@@ -218,7 +218,7 @@ settingsRouter.post(
  * Proxies the logo from S3 so the browser never sees an S3 URL.
  * Returns the image bytes with proper Content-Type.
  */
-settingsRouter.get("/logo", async (c) => {
+settingsRouter.get("/logo", requireSuperUser(), async (c) => {
   const db = getDb();
 
   const [row] = await db.select().from(businessSettings).limit(1);

apps/api/src/routes/webhooks/telnyx.ts

@@ -1,59 +0,0 @@
-import { Hono } from "hono";
-import { validateTelnyxSignature } from "../../services/sms.js";
-import {
-  handleMessageReceived,
-  handleMessageFinalized,
-  TelnyxMessageReceivedPayload,
-} from "../../services/messaging/inbound.js";
-
-export const telnyxWebhooksRouter = new Hono();
-
-telnyxWebhooksRouter.post("/messaging", async (c) => {
-  const signature = c.req.header("telnyx-signature");
-
-  let rawBody: string;
-  try {
-    rawBody = await c.req.text();
-  } catch {
-    return c.json({ error: "Could not read body" }, 400);
-  }
-
-  if (!validateTelnyxSignature(rawBody, signature)) {
-    return c.json({ error: "Invalid signature" }, 401);
-  }
-
-  let payload: TelnyxMessageReceivedPayload;
-  try {
-    payload = JSON.parse(rawBody) as TelnyxMessageReceivedPayload;
-  } catch {
-    return c.json({ error: "Invalid JSON" }, 400);
-  }
-
-  const eventType = payload.data?.event_type;
-  if (!eventType) {
-    return c.json({ error: "Missing event_type" }, 400);
-  }
-
-  if (eventType === "message.received") {
-    try {
-      await handleMessageReceived(payload);
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : "Unknown error";
-      if (msg.startsWith("No business owns")) {
-        return c.json({ error: "Unknown messaging number" }, 404);
-      }
-      return c.json({ error: msg }, 500);
-    }
-    return c.json({ received: true });
-  }
-
-  if (eventType === "message.finalized") {
-    const result = await handleMessageFinalized(payload);
-    if (result) {
-      return c.json({ received: true, messageId: result.messageId, status: result.newStatus });
-    }
-    return c.json({ received: true, messageId: null });
-  }
-
-  return c.json({ received: true });
-});

apps/api/src/services/messaging/__tests__/consent.test.ts

@@ -1,214 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { detectKeyword } from "../consent.js";
-
-const mockDb = {
-  insert: vi.fn(),
-  update: vi.fn(),
-  select: vi.fn(),
-};
-
-vi.mock("@groombook/db", () => ({
-  getDb: () => mockDb,
-  clients: {},
-  messageConsentEvents: {},
-  businessSettings: {},
-  eq: vi.fn(),
-}));
-
-const { handleConsentKeyword } = await import("../consent.js");
-
-describe("detectKeyword", () => {
-  it.each([
-    ["STOP", "opt_out"],
-    ["STOPALL", "opt_out"],
-    ["UNSUBSCRIBE", "opt_out"],
-    ["CANCEL", "opt_out"],
-    ["END", "opt_out"],
-    ["QUIT", "opt_out"],
-  ])("opt-out keyword %s → opt_out", (keyword, expected) => {
-    expect(detectKeyword(keyword)).toEqual({ kind: expected });
-  });
-
-  it.each([
-    ["START", "opt_in"],
-    ["UNSTOP", "opt_in"],
-    ["YES", "opt_in"],
-    ["SUBSCRIBE", "opt_in"],
-  ])("opt-in keyword %s → opt_in", (keyword, expected) => {
-    expect(detectKeyword(keyword)).toEqual({ kind: expected });
-  });
-
-  it.each([
-    ["HELP", "help"],
-    ["INFO", "help"],
-  ])("help keyword %s → help", (keyword, expected) => {
-    expect(detectKeyword(keyword)).toEqual({ kind: expected });
-  });
-
-  it("is case insensitive", () => {
-    expect(detectKeyword("stop")).toEqual({ kind: "opt_out" });
-    expect(detectKeyword("Stop")).toEqual({ kind: "opt_out" });
-    expect(detectKeyword("sToP")).toEqual({ kind: "opt_out" });
-  });
-
-  it("trims whitespace", () => {
-    expect(detectKeyword("  STOP  ")).toEqual({ kind: "opt_out" });
-    expect(detectKeyword("\tSTART\n")).toEqual({ kind: "opt_in" });
-  });
-
-  it("returns null for non-keyword messages", () => {
-    expect(detectKeyword("hello")).toBeNull();
-    expect(detectKeyword("STOP IT")).toBeNull();
-    expect(detectKeyword("help me")).toBeNull();
-  });
-});
-
-describe("handleConsentKeyword", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockDb.insert.mockReturnValue({
-      values: vi.fn().mockResolvedValue([{ id: "event-1" }]),
-    } as any);
-    mockDb.update.mockReturnValue({
-      set: vi.fn().mockReturnValue({
-        where: vi.fn().mockResolvedValue([]),
-      }),
-    } as any);
-  });
-
-  const baseOpts = {
-    clientId: "client-1",
-    businessId: "biz-1",
-    db: mockDb as unknown as ReturnType<typeof import("@groombook/db").getDb>,
-  };
-
-  describe("opt_out", () => {
-    it("inserts consent event with sms_keyword source", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: true }]),
-          }),
-        }),
-      } as any);
-
-      await handleConsentKeyword({ ...baseOpts, kind: "opt_out" });
-
-      expect(mockDb.insert).toHaveBeenCalledOnce();
-    });
-
-    it("sets smsOptIn=false and smsOptOutDate when currently opted in", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: true }]),
-          }),
-        }),
-      } as any);
-
-      await handleConsentKeyword({ ...baseOpts, kind: "opt_out" });
-
-      expect(mockDb.update).toHaveBeenCalled();
-    });
-
-    it("is idempotent — second opt-out logs event but skips client update", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: false }]),
-          }),
-        }),
-      } as any);
-
-      await handleConsentKeyword({ ...baseOpts, kind: "opt_out" });
-
-      expect(mockDb.update).not.toHaveBeenCalled();
-    });
-
-    it("returns unsubscribe reply text", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: true }]),
-          }),
-        }),
-      } as any);
-
-      const result = await handleConsentKeyword({ ...baseOpts, kind: "opt_out" });
-      expect(result.replyText).toBe(
-        "You have been unsubscribed and will no longer receive messages. Reply START to resubscribe."
-      );
-    });
-  });
-
-  describe("opt_in", () => {
-    it("sets smsOptIn=true and smsConsentDate when currently opted out", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: false, smsConsentDate: null }]),
-          }),
-        }),
-      } as any);
-
-      await handleConsentKeyword({ ...baseOpts, kind: "opt_in" });
-
-      expect(mockDb.update).toHaveBeenCalled();
-    });
-
-    it("clears smsOptOutDate on opt-in after opt-out", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: false }]),
-          }),
-        }),
-      } as any);
-
-      await handleConsentKeyword({ ...baseOpts, kind: "opt_in" });
-
-      expect(mockDb.update).toHaveBeenCalled();
-    });
-
-    it("is idempotent — second opt-in skips client update", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: true }]),
-          }),
-        }),
-      } as any);
-
-      await handleConsentKeyword({ ...baseOpts, kind: "opt_in" });
-
-      expect(mockDb.update).not.toHaveBeenCalled();
-    });
-
-    it("returns resubscribe reply text", async () => {
-      mockDb.select.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockResolvedValue([{ smsOptIn: false }]),
-          }),
-        }),
-      } as any);
-
-      const result = await handleConsentKeyword({ ...baseOpts, kind: "opt_in" });
-      expect(result.replyText).toBe(
-        "You have been resubscribed to messages. Reply STOP to unsubscribe. Msg & data rates may apply."
-      );
-    });
-  });
-
-  describe("help", () => {
-    it("returns default help reply without querying businessSettings", async () => {
-      const result = await handleConsentKeyword({ ...baseOpts, kind: "help" });
-
-      expect(mockDb.update).not.toHaveBeenCalled();
-      expect(mockDb.select).not.toHaveBeenCalled();
-      expect(result.replyText).toBe(
-        "Reply STOP to unsubscribe or START to resubscribe. For help, contact your groomer directly."
-      );
-    });
-  });
-});

apps/api/src/services/messaging/__tests__/inbound.test.ts

@@ -1,313 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import {
-  findOrCreateConversation,
-  upsertMessage,
-  handleMessageReceived,
-  handleMessageFinalized,
-  TelnyxMessageReceivedPayload,
-} from "../inbound.js";
-import * as schema from "@groombook/db";
-
-vi.mock("@groombook/db", () => ({
-  getDb: vi.fn(),
-  conversations: { id: "", businessId: "", clientId: "", externalNumber: "", businessNumber: "", channel: "", lastMessageAt: null, status: "", createdAt: null, updatedAt: null },
-  messages: { id: "", conversationId: "", direction: "", body: "", status: "", providerMessageId: "", sentByStaffId: null, createdAt: null, deliveredAt: null, readByClientAt: null },
-  businessSettings: { id: "", messagingPhoneNumber: "" },
-  clients: { id: "", name: "", email: "", phone: "", status: "" },
-  eq: vi.fn(),
-  and: vi.fn(),
-  sql: vi.fn(),
-}));
-
-const mockDb = {
-  select: vi.fn().mockReturnThis(),
-  from: vi.fn().mockReturnThis(),
-  where: vi.fn().mockReturnThis(),
-  limit: vi.fn().mockReturnThis(),
-  insert: vi.fn().mockReturnThis(),
-  update: vi.fn().mockReturnThis(),
-  returning: vi.fn().mockReturnThis(),
-};
-
-vi.mocked(schema.getDb).mockReturnValue(mockDb as unknown as ReturnType<typeof schema.getDb>);
-
-const makePayload = (
-  eventType: "message.received" | "message.sent" | "message.finalized",
-  messageId: string,
-  fromPhone: string,
-  toPhone: string,
-  body = "Hello"
-): TelnyxMessageReceivedPayload => ({
-  data: {
-    id: "evt-1",
-    event_type: eventType,
-    payload: {
-      message: {
-        id: messageId,
-        from: { phone: fromPhone, carrier: "carrier" },
-        to: [{ phone: toPhone }],
-        body,
-      },
-    },
-  },
-});
-
-describe("signature validation via route", () => {
-  beforeEach(() => {
-    vi.resetModules();
-  });
-
-  it("returns 401 when telnyx-signature header is missing", async () => {
-    const { telnyxWebhooksRouter } = await import("../../../routes/webhooks/telnyx.js");
-    const payload = JSON.stringify(makePayload("message.received", "msg-123", "+1555111", "+1555222"));
-    const req = new Request("http://localhost/messaging", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: payload,
-    });
-    const res = await telnyxWebhooksRouter.fetch(req);
-    expect(res.status).toBe(401);
-  });
-
-  it("returns 401 when signature does not match", async () => {
-    process.env.TELNYX_WEBHOOK_SECRET = "test-secret";
-    const { telnyxWebhooksRouter } = await import("../../../routes/webhooks/telnyx.js");
-    const payload = JSON.stringify(makePayload("message.received", "msg-123", "+1555111", "+1555222"));
-    const req = new Request("http://localhost/messaging", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "telnyx-signature": "sha256=bad",
-      },
-      body: payload,
-    });
-    const res = await telnyxWebhooksRouter.fetch(req);
-    expect(res.status).toBe(401);
-  });
-});
-
-describe("findOrCreateConversation", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockDb.select.mockReset();
-    mockDb.from.mockReset();
-    mockDb.where.mockReset();
-    mockDb.limit.mockReset();
-    mockDb.insert.mockReset();
-    mockDb.update.mockReset();
-    mockDb.returning.mockReset();
-  });
-
-  it("returns existing conversation when found", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([{ id: "conv-1", clientId: "client-1" }]),
-        }),
-      }),
-    });
-
-    const result = await findOrCreateConversation("biz-1", "+1555111", "+1555222");
-    expect(result.id).toBe("conv-1");
-  });
-
-  it("creates new conversation when none exists", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-    mockDb.insert.mockReturnValue({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "conv-2", clientId: "client-2" }]),
-      }),
-    });
-
-    const result = await findOrCreateConversation("biz-1", "+1555111", "+1555222");
-    expect(result.id).toBe("conv-2");
-  });
-
-  it("creates placeholder client for unknown phone then creates conversation", async () => {
-    mockDb.select
-      .mockReturnValueOnce({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockReturnValue([]),
-          }),
-        }),
-      })
-      .mockReturnValueOnce({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockReturnValue([]),
-          }),
-        }),
-      });
-    mockDb.insert.mockReturnValue({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "conv-3", clientId: "client-3" }]),
-      }),
-    });
-
-    const result = await findOrCreateConversation("biz-1", "+1555111", "+1555222");
-    expect(result.id).toBe("conv-3");
-    expect(result.clientId).toBe("client-3");
-  });
-});
-
-describe("upsertMessage", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("returns isNew=false when message with providerMessageId already exists", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([{ id: "msg-existing" }]),
-        }),
-      }),
-    });
-
-    const result = await upsertMessage("msg-123", "conv-1", "inbound", "Hello", "received");
-    expect(result.isNew).toBe(false);
-    expect(result.id).toBe("msg-existing");
-  });
-
-  it("inserts new message and returns isNew=true", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-    mockDb.insert.mockReturnValue({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "msg-new" }]),
-      }),
-    });
-
-    const result = await upsertMessage("msg-new-123", "conv-1", "inbound", "New message", "queued");
-    expect(result.isNew).toBe(true);
-    expect(result.id).toBe("msg-new");
-  });
-});
-
-describe("handleMessageReceived", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockDb.select.mockReset();
-    mockDb.from.mockReset();
-    mockDb.where.mockReset();
-    mockDb.limit.mockReset();
-    mockDb.insert.mockReset();
-    mockDb.update.mockReset();
-    mockDb.returning.mockReset();
-    mockDb.select.mockImplementation(() => ({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    }));
-  });
-
-  it("returns 404 when no business owns the to number", async () => {
-    const payload = makePayload("message.received", "msg-123", "+1555111", "+1555000");
-    await expect(handleMessageReceived(payload)).rejects.toThrow("No business owns messaging number");
-  });
-
-  it("creates conversation and message for valid inbound", async () => {
-    mockDb.select
-      .mockReturnValueOnce({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockReturnValue([{ id: "biz-1" }]),
-          }),
-        }),
-      })
-      .mockReturnValueOnce({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockReturnValue([]),
-          }),
-        }),
-      });
-    mockDb.insert
-      .mockReturnValueOnce({
-        values: vi.fn().mockReturnValue({
-          returning: vi.fn().mockReturnValue([{ id: "client-new" }]),
-        }),
-      })
-      .mockReturnValueOnce({
-        values: vi.fn().mockReturnValue({
-          returning: vi.fn().mockReturnValue([{ id: "conv-new", clientId: "client-new" }]),
-        }),
-      });
-    mockDb.update.mockReturnValueOnce({
-      set: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({}),
-      }),
-    });
-    mockDb.insert.mockReturnValueOnce({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "msg-new" }]),
-      }),
-    });
-
-    const payload = makePayload("message.received", "msg-abc", "+1555111", "+1555222", "Test message");
-    const result = await handleMessageReceived(payload);
-    expect(result.messageId).toBe("msg-new");
-  });
-});
-
-describe("handleMessageFinalized", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockDb.select.mockReset();
-    mockDb.from.mockReset();
-    mockDb.where.mockReset();
-    mockDb.limit.mockReset();
-    mockDb.insert.mockReset();
-    mockDb.update.mockReset();
-    mockDb.returning.mockReset();
-  });
-
-  it("returns null when message not found", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-
-    const payload = makePayload("message.finalized", "msg-unknown", "+1555111", "+1555222");
-    const result = await handleMessageFinalized(payload);
-    expect(result).toBeNull();
-  });
-
-  it("updates status to delivered for finalized inbound", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([{ id: "msg-1", status: "sent" }]),
-        }),
-      }),
-    });
-    mockDb.update.mockReturnValue({
-      set: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          returning: vi.fn().mockReturnValue([{ id: "msg-1" }]),
-        }),
-      }),
-    });
-
-    const payload = makePayload("message.finalized", "msg-1", "+1555111", "+1555222");
-    const result = await handleMessageFinalized(payload);
-    expect(result?.newStatus).toBe("delivered");
-  });
-});

apps/api/src/services/messaging/__tests__/outbound.test.ts

@@ -1,200 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-
-const mockSendSms = vi.fn();
-const mockGetDb = vi.fn();
-const mockUuidv4 = vi.fn();
-
-vi.mock("../../sms.js", () => ({
-  sendSms: mockSendSms,
-}));
-
-vi.mock("@groombook/db", () => ({
-  getDb: () => mockGetDb(),
-  conversations: {},
-  messages: {},
-  clients: {},
-  businessSettings: {},
-  eq: vi.fn((a, b) => [a, b]),
-  and: vi.fn((...args) => args),
-}));
-
-vi.mock("uuid", () => ({
-  v4: () => mockUuidv4(),
-}));
-
-const { sendMessage, MissingTenantPhoneNumberError } = await import("../outbound.js");
-
-describe("sendMessage", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockUuidv4.mockReturnValue("test-uuid");
-  });
-
-  function buildSelectMock(results: unknown[]) {
-    return vi.fn().mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockResolvedValue(results),
-        }),
-      }),
-    });
-  }
-
-  it("returns suppressed=true when client has no phone", async () => {
-    mockGetDb.mockReturnValue({
-      select: buildSelectMock([{ phone: null, smsOptIn: true }]),
-    });
-
-    const result = await sendMessage({
-      businessId: "biz-1",
-      clientId: "client-1",
-      body: "Hello",
-    });
-
-    expect(result).toEqual({ suppressed: true });
-    expect(mockSendSms).not.toHaveBeenCalled();
-  });
-
-  it("returns suppressed=true when client has opted out of SMS", async () => {
-    mockGetDb.mockReturnValue({
-      select: buildSelectMock([{ phone: "+1234567890", smsOptIn: false }]),
-    });
-
-    const result = await sendMessage({
-      businessId: "biz-1",
-      clientId: "client-1",
-      body: "Hello",
-    });
-
-    expect(result).toEqual({ suppressed: true });
-    expect(mockSendSms).not.toHaveBeenCalled();
-  });
-
-  it("throws MissingTenantPhoneNumberError when tenant has no messaging phone", async () => {
-    mockGetDb.mockReturnValue({
-      select: vi
-        .fn()
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ phone: "+1234567890", smsOptIn: true }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ messagingPhoneNumber: null }]),
-            }),
-          }),
-        }),
-    });
-
-    await expect(
-      sendMessage({ businessId: "biz-1", clientId: "client-1", body: "Hello" })
-    ).rejects.toThrow(MissingTenantPhoneNumberError);
-  });
-
-  it("persists provider message id on success", async () => {
-    const messageId = "msg-1";
-    const conversationId = "conv-1";
-
-    mockGetDb.mockReturnValue({
-      select: vi
-        .fn()
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ phone: "+1234567890", smsOptIn: true }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ messagingPhoneNumber: "+1987654321" }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ id: conversationId }]),
-            }),
-          }),
-        }),
-      insert: vi.fn().mockReturnValue({
-        values: vi.fn().mockReturnValue({
-          returning: vi.fn().mockResolvedValue([{ id: messageId }]),
-        }),
-      }),
-      update: vi.fn().mockReturnValue({
-        set: vi.fn().mockReturnValue({
-          where: vi.fn().mockResolvedValue([]),
-        }),
-      }),
-    });
-
-    mockSendSms.mockResolvedValue({ messageId: "provider-msg-1", status: "sent" });
-
-    const result = await sendMessage({
-      businessId: "biz-1",
-      clientId: "client-1",
-      body: "Hello",
-    });
-
-    expect(result).toEqual({
-      messageId,
-      providerMessageId: "provider-msg-1",
-      status: "sent",
-      suppressed: false,
-    });
-    expect(mockSendSms).toHaveBeenCalledWith("+1234567890", "Hello", undefined);
-  });
-
-  it("persists error on Telnyx failure", async () => {
-    const messageId = "msg-1";
-
-    mockGetDb.mockReturnValue({
-      select: vi
-        .fn()
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ phone: "+1234567890", smsOptIn: true }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ messagingPhoneNumber: "+1987654321" }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([]),
-            }),
-          }),
-        }),
-      insert: vi.fn().mockReturnValue({
-        values: vi.fn().mockReturnValue({
-          returning: vi.fn().mockResolvedValue([{ id: messageId }]),
-        }),
-      }),
-      update: vi.fn().mockReturnValue({
-        set: vi.fn().mockReturnValue({
-          where: vi.fn().mockResolvedValue([]),
-        }),
-      }),
-    });
-
-    mockSendSms.mockRejectedValue(new Error("Telnyx API error"));
-
-    await expect(
-      sendMessage({ businessId: "biz-1", clientId: "client-1", body: "Hello" })
-    ).rejects.toThrow("Telnyx API error");
-  });
-});

apps/api/src/services/messaging/consent.ts

@@ -1,77 +0,0 @@
-import { getDb, clients, messageConsentEvents, eq } from "@groombook/db";
-import type { Db } from "@groombook/db";
-
-export type KeywordKind = "opt_in" | "opt_out" | "help";
-
-const OPT_OUT_KEYWORDS = new Set(["STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"]);
-const OPT_IN_KEYWORDS = new Set(["START", "UNSTOP", "YES", "SUBSCRIBE"]);
-const HELP_KEYWORDS = new Set(["HELP", "INFO"]);
-
-export function detectKeyword(body: string): { kind: KeywordKind } | null {
-  const normalized = body.trim().toUpperCase();
-  if (OPT_OUT_KEYWORDS.has(normalized)) return { kind: "opt_out" };
-  if (OPT_IN_KEYWORDS.has(normalized)) return { kind: "opt_in" };
-  if (HELP_KEYWORDS.has(normalized)) return { kind: "help" };
-  return null;
-}
-
-export async function handleConsentKeyword(opts: {
-  clientId: string;
-  businessId: string;
-  kind: KeywordKind;
-  db: Db;
-}): Promise<{ replyText: string }> {
-  const { clientId, businessId, kind, db: database } = opts;
-
-  await database.insert(messageConsentEvents).values({
-    clientId,
-    businessId,
-    kind,
-    source: "sms_keyword",
-  });
-
-  if (kind === "opt_out") {
-    const [existing] = await database
-      .select({ smsOptIn: clients.smsOptIn })
-      .from(clients)
-      .where(eq(clients.id, clientId))
-      .limit(1);
-
-    if (existing?.smsOptIn !== false) {
-      await database
-        .update(clients)
-        .set({ smsOptIn: false, smsOptOutDate: new Date() })
-        .where(eq(clients.id, clientId));
-    }
-
-    return {
-      replyText: "You have been unsubscribed and will no longer receive messages. Reply START to resubscribe.",
-    };
-  }
-
-  if (kind === "opt_in") {
-    const [existing] = await database
-      .select({ smsOptIn: clients.smsOptIn, smsConsentDate: clients.smsConsentDate })
-      .from(clients)
-      .where(eq(clients.id, clientId))
-      .limit(1);
-
-    if (existing?.smsOptIn !== true) {
-      await database
-        .update(clients)
-        .set({ smsOptIn: true, smsConsentDate: new Date(), smsOptOutDate: null })
-        .where(eq(clients.id, clientId));
-    }
-
-    return {
-      replyText:
-        "You have been resubscribed to messages. Reply STOP to unsubscribe. Msg & data rates may apply.",
-    };
-  }
-
-  // kind === "help"
-  const replyText =
-    "Reply STOP to unsubscribe or START to resubscribe. For help, contact your groomer directly.";
-
-  return { replyText };
-}

apps/api/src/services/messaging/inbound.ts

@@ -1,218 +0,0 @@
-import { getDb, conversations, messages, businessSettings, clients, eq, and } from "@groombook/db";
-import { v4 as uuidv4 } from "uuid";
-import { detectKeyword, handleConsentKeyword } from "./consent.js";
-import { sendMessage } from "./outbound.js";
-
-export interface TelnyxMessageReceivedPayload {
-  data: {
-    id: string;
-    event_type: "message.received" | "message.sent" | "message.finalized";
-    payload: {
-      message: {
-        id: string;
-        from: { phone: string; carrier?: string };
-        to: { phone: string }[];
-        body: string;
-        media?: Array<{ type: string; url: string }>;
-      };
-      recording?: unknown;
-      leg_count?: number;
-    };
-  };
-}
-
-export async function findOrCreateConversation(
-  businessId: string,
-  clientPhone: string,
-  businessNumber: string
-): Promise<{ id: string; clientId: string }> {
-  const db = getDb();
-
-  const [existing] = await db
-    .select({ id: conversations.id, clientId: conversations.clientId })
-    .from(conversations)
-    .where(
-      and(
-        eq(conversations.businessId, businessId),
-        eq(conversations.externalNumber, clientPhone),
-        eq(conversations.businessNumber, businessNumber)
-      )
-    )
-    .limit(1);
-
-  if (existing) {
-    return { id: existing.id, clientId: existing.clientId };
-  }
-
-  const [existingClient] = await db
-    .select({ id: clients.id })
-    .from(clients)
-    .where(eq(clients.phone, clientPhone))
-    .limit(1);
-
-  const clientId = existingClient?.id ?? uuidv4();
-
-  if (!existingClient) {
-    await db.insert(clients).values({
-      id: clientId,
-      name: clientPhone,
-      email: `sms-${uuidv4()}@placeholder.local`,
-      phone: clientPhone,
-      status: "active",
-    });
-  }
-
-  const [created] = await db
-    .insert(conversations)
-    .values({
-      id: crypto.randomUUID(),
-      businessId,
-      clientId,
-      channel: "sms",
-      externalNumber: clientPhone,
-      businessNumber,
-      lastMessageAt: new Date(),
-      status: "active",
-    })
-    .returning({ id: conversations.id, clientId: conversations.clientId });
-
-  if (!created) throw new Error("Failed to create conversation");
-
-  return { id: created.id, clientId: created.clientId };
-}
-
-export async function upsertMessage(
-  providerMessageId: string,
-  conversationId: string,
-  direction: "inbound" | "outbound",
-  body: string,
-  status: "queued" | "sent" | "delivered" | "failed" | "received",
-  sentByStaffId?: string
-): Promise<{ id: string; isNew: boolean }> {
-  const db = getDb();
-
-  const [existing] = await db
-    .select({ id: messages.id })
-    .from(messages)
-    .where(eq(messages.providerMessageId, providerMessageId))
-    .limit(1);
-
-  if (existing) {
-    return { id: existing.id, isNew: false };
-  }
-
-  try {
-    const [inserted] = await db
-      .insert(messages)
-      .values({
-        id: crypto.randomUUID(),
-        conversationId,
-        direction,
-        body,
-        status,
-        providerMessageId,
-        sentByStaffId: sentByStaffId ?? null,
-      })
-      .returning({ id: messages.id });
-
-    if (!inserted) throw new Error("Failed to insert message");
-    return { id: inserted.id, isNew: true };
-  } catch (err) {
-    if (err instanceof Error && err.message.includes("unique")) {
-      const [existing] = await db
-        .select({ id: messages.id })
-        .from(messages)
-        .where(eq(messages.providerMessageId, providerMessageId))
-        .limit(1);
-      if (existing) return { id: existing.id, isNew: false };
-    }
-    throw err;
-  }
-}
-
-export async function resolveBusinessIdByMessagingNumber(toNumber: string): Promise<string | null> {
-  const db = getDb();
-  const [settings] = await db
-    .select({ id: businessSettings.id })
-    .from(businessSettings)
-    .where(eq(businessSettings.messagingPhoneNumber, toNumber))
-    .limit(1);
-  return settings?.id ?? null;
-}
-
-export async function handleMessageReceived(payload: TelnyxMessageReceivedPayload): Promise<{ conversationId: string; messageId: string }> {
-  const { message } = payload.data.payload;
-  const fromPhone = message.from.phone;
-  const toPhone = message.to[0]?.phone;
-
-  if (!toPhone) {
-    throw new Error("No recipient phone in payload");
-  }
-
-  const businessId = await resolveBusinessIdByMessagingNumber(toPhone);
-  if (!businessId) {
-    throw new Error(`No business owns messaging number: ${toPhone}`);
-  }
-
-  const { id: conversationId, clientId } = await findOrCreateConversation(businessId, fromPhone, toPhone);
-
-  await getDb()
-    .update(conversations)
-    .set({ lastMessageAt: new Date(), updatedAt: new Date() })
-    .where(eq(conversations.id, conversationId));
-
-  const { id: messageId } = await upsertMessage(
-    message.id,
-    conversationId,
-    "inbound",
-    message.body,
-    "received"
-  );
-
-  const keyword = detectKeyword(message.body ?? "");
-  if (keyword) {
-    const { replyText } = await handleConsentKeyword({
-      clientId,
-      businessId,
-      kind: keyword.kind,
-      db: getDb(),
-    });
-    await sendMessage({
-      businessId,
-      clientId,
-      body: replyText,
-      sentByStaffId: undefined,
-    });
-  }
-
-  return { conversationId, messageId };
-}
-
-export async function handleMessageFinalized(payload: TelnyxMessageReceivedPayload): Promise<{ messageId: string; newStatus: string } | null> {
-  const { message } = payload.data.payload;
-
-  if (!message.id) return null;
-
-  const db = getDb();
-  const [existing] = await db
-    .select({ id: messages.id, status: messages.status })
-    .from(messages)
-    .where(eq(messages.providerMessageId, message.id))
-    .limit(1);
-
-  if (!existing) return null;
-
-  let newStatus = existing.status;
-  if (payload.data.event_type === "message.finalized") {
-    newStatus = "delivered";
-  }
-
-  if (newStatus !== existing.status) {
-    await db
-      .update(messages)
-      .set({ status: newStatus, deliveredAt: new Date() })
-      .where(eq(messages.id, existing.id));
-  }
-
-  return { messageId: existing.id, newStatus };
-}

apps/api/src/services/messaging/outbound.ts

@@ -1,159 +0,0 @@
-import { getDb, conversations, messages, clients, businessSettings, eq, and } from "@groombook/db";
-import { v4 as uuidv4 } from "uuid";
-import { sendSms } from "../sms.js";
-
-export interface SendMessageOptions {
-  businessId: string;
-  clientId: string;
-  body: string;
-  sentByStaffId?: string;
-  mediaUrls?: string[];
-}
-
-export interface SendMessageResult {
-  messageId: string;
-  providerMessageId: string;
-  status: string;
-  suppressed: false;
-}
-
-export interface SendMessageSuppressed {
-  suppressed: true;
-}
-
-export type SendMessageResponse = SendMessageResult | SendMessageSuppressed;
-
-export class MissingTenantPhoneNumberError extends Error {
-  constructor() {
-    super("Tenant messagingPhoneNumber is not configured");
-    this.name = "MissingTenantPhoneNumberError";
-  }
-}
-
-async function findOrCreateConversation(
-  businessId: string,
-  clientId: string,
-  externalNumber: string,
-  businessNumber: string
-): Promise<{ id: string }> {
-  const db = getDb();
-
-  const [existing] = await db
-    .select({ id: conversations.id })
-    .from(conversations)
-    .where(
-      and(
-        eq(conversations.businessId, businessId),
-        eq(conversations.externalNumber, externalNumber),
-        eq(conversations.businessNumber, businessNumber)
-      )
-    )
-    .limit(1);
-
-  if (existing) return { id: existing.id };
-
-  const [created] = await db
-    .insert(conversations)
-    .values({
-      id: uuidv4(),
-      businessId,
-      clientId,
-      channel: "sms",
-      externalNumber,
-      businessNumber,
-      lastMessageAt: new Date(),
-      status: "active",
-    })
-    .returning({ id: conversations.id });
-
-  if (!created) throw new Error("Failed to create conversation");
-
-  return { id: created.id };
-}
-
-async function resolveFromNumber(businessId: string): Promise<string | null> {
-  const db = getDb();
-  const [settings] = await db
-    .select({ messagingPhoneNumber: businessSettings.messagingPhoneNumber })
-    .from(businessSettings)
-    .where(eq(businessSettings.id, businessId))
-    .limit(1);
-  return settings?.messagingPhoneNumber ?? null;
-}
-
-export async function sendMessage(opts: SendMessageOptions): Promise<SendMessageResponse> {
-  const db = getDb();
-  const { businessId, clientId, body, sentByStaffId, mediaUrls } = opts;
-
-  const [client] = await db
-    .select({ phone: clients.phone, smsOptIn: clients.smsOptIn })
-    .from(clients)
-    .where(eq(clients.id, clientId))
-    .limit(1);
-
-  if (!client?.phone) {
-    return { suppressed: true };
-  }
-
-  if (!client.smsOptIn) {
-    return { suppressed: true };
-  }
-
-  const from = await resolveFromNumber(businessId);
-  if (!from) throw new MissingTenantPhoneNumberError();
-
-  const to = client.phone;
-  const conversationId = (await findOrCreateConversation(businessId, clientId, to, from)).id;
-
-  const [queuedMessage] = await db
-    .insert(messages)
-    .values({
-      id: uuidv4(),
-      conversationId,
-      direction: "outbound",
-      body,
-      status: "queued",
-      sentByStaffId: sentByStaffId ?? null,
-    })
-    .returning({ id: messages.id });
-
-  if (!queuedMessage) throw new Error("Failed to insert queued message");
-
-  try {
-    const result = await sendSms(to, body, mediaUrls);
-
-    await db
-      .update(messages)
-      .set({
-        status: "sent",
-        providerMessageId: result.messageId,
-      })
-      .where(eq(messages.id, queuedMessage.id));
-
-    await db
-      .update(conversations)
-      .set({ lastMessageAt: new Date() })
-      .where(eq(conversations.id, conversationId));
-
-    return {
-      messageId: queuedMessage.id,
-      providerMessageId: result.messageId,
-      status: result.status,
-      suppressed: false,
-    };
-  } catch (err) {
-    const errorCode = err instanceof Error ? err.name : "UNKNOWN";
-    const errorMessage = err instanceof Error ? err.message : String(err);
-
-    await db
-      .update(messages)
-      .set({
-        status: "failed",
-        errorCode,
-        errorMessage,
-      })
-      .where(eq(messages.id, queuedMessage.id));
-
-    throw err;
-  }
-}

apps/api/src/services/sms.ts

@@ -32,35 +32,6 @@ function isE164(phone: string): boolean {
   return /^\+[1-9]\d{7,14}$/.test(phone);
 }
 
-export function validateTelnyxSignature(
-  rawBody: string,
-  signature: string | undefined | null
-): boolean {
-  if (!signature) return false;
-  const secret = process.env.TELNYX_WEBHOOK_SECRET;
-  if (!secret) return false;
-
-  try {
-    const hmac = createHmac("sha256", secret);
-    const expected = `sha256=${hmac.update(rawBody).digest("hex")}`;
-
-    const sigBuf = Buffer.from(signature);
-    const expBuf = Buffer.from(expected);
-
-    if (sigBuf.length !== expBuf.length) return false;
-
-    let diff = 0;
-    for (let i = 0; i < sigBuf.length; i++) {
-      const sigByte = sigBuf[i] ?? 0;
-      const expByte = expBuf[i] ?? 0;
-      diff |= sigByte ^ expByte;
-    }
-    return diff === 0;
-  } catch {
-    return false;
-  }
-}
-
 export async function sendSms(
   to: string,
   body: string,
@@ -103,7 +74,33 @@ export class TelnyxProvider implements SmsProvider {
   }
 
   validateWebhookSignature(req: Request): boolean {
-    return validateTelnyxSignature(JSON.stringify(req.body), req.headers.get("telnyx-signature"));
+    const secret = process.env.TELNYX_WEBHOOK_SECRET;
+    if (!secret) return false;
+
+    const signature = req.headers.get("telnyx-signature");
+    if (!signature) return false;
+
+    const payload = JSON.stringify(req.body);
+
+    try {
+      const hmac = createHmac("sha256", secret);
+      const expected = `sha256=${hmac.update(payload).digest("hex")}`;
+
+      const sigBuf = Buffer.from(signature);
+      const expBuf = Buffer.from(expected);
+
+      if (sigBuf.length !== expBuf.length) return false;
+
+      let diff = 0;
+      for (let i = 0; i < sigBuf.length; i++) {
+        const sigByte = sigBuf[i] ?? 0;
+        const expByte = expBuf[i] ?? 0;
+        diff |= sigByte ^ expByte;
+      }
+      return diff === 0;
+    } catch {
+      return false;
+    }
   }
 }
 

apps/e2e/tests/portal-data.spec.ts

@@ -72,15 +72,9 @@ test.describe("Portal Data Integrity", () => {
   });
 
   test("billing section renders without JS errors", async ({ page }) => {
-    // Mock portal billing endpoints
-    await page.route("**/api/portal/config**", (route) =>
-      route.fulfill({ json: { stripePublishableKey: "" } })
-    );
-    await page.route("**/api/portal/invoices**", (route) =>
-      route.fulfill({ json: [] })
-    );
-    await page.route("**/api/portal/payment-methods**", (route) =>
-      route.fulfill({ json: [] })
+    // Mock billing endpoint
+    await page.route("**/api/billing**", (route) =>
+      route.fulfill({ json: { invoices: [], balanceCents: 0 } })
     );
 
     const consoleErrors: string[] = [];

apps/web/src/index.css

@@ -82,13 +82,3 @@ input:focus, select:focus, textarea:focus {
 ::-webkit-scrollbar-thumb:hover {
   background: #94a3b8;
 }
-
-/* ─── Scrollbar hide utility ─── */
-.scrollbar-hide {
-  -ms-overflow-style: none;
-  scrollbar-width: none;
-}
-
-.scrollbar-hide::-webkit-scrollbar {
-  display: none;
-}

apps/web/src/pages/Appointments.tsx

@@ -112,17 +112,9 @@ export function AppointmentsPage() {
   const [viewMode, setViewMode] = useState<"status" | "groomer">("status");
   // null key = unassigned; staffId string = that groomer; undefined set = all visible
   const [hiddenGroomers, setHiddenGroomers] = useState<Set<string | null>>(new Set());
-  const [paymentStats, setPaymentStats] = useState<{ revenueThisMonth: number; outstanding: number; refundsThisMonth: number; methodBreakdown: { method: string | null; total: number }[] } | null>(null);
 
   const weekEnd = addDays(weekStart, 6);
 
-  useEffect(() => {
-    fetch("/api/invoices/stats/summary")
-      .then((r) => r.ok ? r.json() : null)
-      .then((data) => { if (data) setPaymentStats(data); })
-      .catch(() => {});
-  }, []);
-
   const loadAppointments = useCallback(() => {
     const from = weekStart.toISOString();
     const to = addDays(weekStart, 7).toISOString();
@@ -322,24 +314,6 @@ export function AppointmentsPage() {
         </button>
       </div>
 
-      {/* Payment Stats Summary */}
-      {paymentStats && (
-        <div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit, minmax(160px, 1fr))", gap: "0.75rem", marginBottom: "1.25rem" }}>
-          <div style={{ background: "#f0fdf4", border: "1px solid #bbf7d0", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#166534", fontWeight: 600, marginBottom: "0.25rem" }}>Revenue (paid)</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#15803d" }}>${(paymentStats.revenueThisMonth / 100).toFixed(2)}</div>
-          </div>
-          <div style={{ background: "#fefce8", border: "1px solid #fde047", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#854d0e", fontWeight: 600, marginBottom: "0.25rem" }}>Outstanding</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#a16207" }}>${(paymentStats.outstanding / 100).toFixed(2)}</div>
-          </div>
-          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#991b1b", fontWeight: 600, marginBottom: "0.25rem" }}>Refunds (this mo.)</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#dc2626" }}>${(paymentStats.refundsThisMonth / 100).toFixed(2)}</div>
-          </div>
-        </div>
-      )}
-
       {/* ── View Mode + Groomer Filters ── */}
       <div style={{ display: "flex", alignItems: "center", gap: "0.5rem", marginBottom: "0.75rem", flexWrap: "wrap" }}>
         <span style={{ fontSize: 13, fontWeight: 600, color: "#374151" }}>Color by:</span>

apps/web/src/pages/Invoices.tsx

@@ -173,21 +173,22 @@ function InvoiceDetailModal({
   const [error, setError] = useState<string | null>(null);
   const [tipStr, setTipStr] = useState((invoice.tipCents / 100).toFixed(2));
   const [paymentMethod, setPaymentMethod] = useState<string>(invoice.paymentMethod ?? "cash");
-const [showRefundDialog, setShowRefundDialog] = useState(false);
+  const [showRefundDialog, setShowRefundDialog] = useState(false);
   const [refundType, setRefundType] = useState<"full" | "partial">("full");
-  const [refundAmount, setRefundAmount] = useState("");
-  const [refundError, setRefundError] = useState<string | null>(null);
-  const [refunding, setRefunding] = useState(false);
+  const [partialAmount, setPartialAmount] = useState("");
+  const [stripeDetails, setStripeDetails] = useState<{ cardLast4: string | null; paymentStatus: string | null; stripeRefundId: string | null } | null>(null);
 
-  // Fetch current staff role to determine manager access
-  const [staffMe, setStaffMe] = useState<{ role: string; isSuperUser: boolean } | null>(null);
+  // Fetch Stripe details when modal opens for paid invoices with a payment intent
   useEffect(() => {
-    fetch("/api/staff/me")
-      .then((r) => r.json())
-      .then((d) => setStaffMe(d))
-      .catch(() => setStaffMe(null));
-  }, []);
-  const isManager = staffMe && (staffMe.role === "manager" || staffMe.isSuperUser);
+    if (invoice.status === "paid" && invoice.stripePaymentIntentId) {
+      fetch(`/api/invoices/${invoice.id}/stripe-details`)
+        .then((r) => r.ok ? r.json() : null)
+        .then((data) => { if (data) setStripeDetails(data); })
+        .catch(() => {});
+    } else {
+      setStripeDetails(null);
+    }
+  }, [invoice.id, invoice.status, invoice.stripePaymentIntentId]);
 
   // Tip split state: array of {staffId, staffName, pct}
   const linkedAppt = invoice.appointmentId
@@ -291,6 +292,35 @@ const [showRefundDialog, setShowRefundDialog] = useState(false);
     }
   }
 
+  async function issueRefund() {
+    const amountCents = refundType === "partial"
+      ? Math.round(parseFloat(partialAmount) * 100)
+      : undefined;
+    if (refundType === "partial" && (!amountCents || amountCents <= 0)) {
+      setError("Enter a valid refund amount");
+      return;
+    }
+    setSaving(true);
+    setError(null);
+    try {
+      const res = await fetch(`/api/invoices/${invoice.id}/refund`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(amountCents ? { amountCents } : {}),
+      });
+      if (!res.ok) {
+        const err = (await res.json()) as { error?: string };
+        throw new Error(err.error ?? `HTTP ${res.status}`);
+      }
+      setShowRefundDialog(false);
+      onUpdated();
+    } catch (e: unknown) {
+      setError(e instanceof Error ? e.message : "Failed to issue refund");
+    } finally {
+      setSaving(false);
+    }
+  }
+
   if (loading) return <Modal onClose={onClose}><p style={{ padding: "1rem" }}>Loading…</p></Modal>;
 
   const tipCentsCalc = Math.round(parseFloat(tipStr) * 100) || 0;
@@ -350,15 +380,15 @@ const [showRefundDialog, setShowRefundDialog] = useState(false);
         />
         {invoice.paidAt && <SummaryRow label="Paid on" value={fmtDate(invoice.paidAt)} />}
         {invoice.paymentMethod && <SummaryRow label="Payment" value={invoice.paymentMethod} />}
-        {invoice.stripePaymentIntentId && (
+        {stripeDetails && (
           <>
-            {invoice.cardLast4 && (
-              <SummaryRow label="Card" value={`•••• ${invoice.cardLast4}`} />
+            {stripeDetails.cardLast4 && (
+              <SummaryRow label="Card" value={`•••• ${stripeDetails.cardLast4}`} />
             )}
-            {invoice.paymentStatus && (
-              <SummaryRow label="Stripe status" value={invoice.paymentStatus} />
+            {stripeDetails.paymentStatus && (
+              <SummaryRow label="Stripe status" value={stripeDetails.paymentStatus} />
             )}
-            {invoice.stripeRefundId && (
+            {stripeDetails.stripeRefundId && (
               <SummaryRow label="Refund" value="Refunded" />
             )}
           </>
@@ -480,92 +510,77 @@ const [showRefundDialog, setShowRefundDialog] = useState(false);
         </div>
       )}
       {(invoice.status === "paid" || invoice.status === "void") && (
-        <div style={{ marginTop: "1rem", borderTop: "1px solid #e2e8f0", paddingTop: "1rem" }}>
-          {invoice.stripeRefundId && (
-            <div style={{ marginBottom: "0.75rem", display: "flex", alignItems: "center", gap: "0.5rem" }}>
-              <span style={{ background: "#fef3c7", color: "#92400e", padding: "0.2rem 0.6rem", borderRadius: 4, fontSize: 13, fontWeight: 600 }}>Refunded</span>
-            </div>
+        <div style={{ marginTop: "1rem", display: "flex", justifyContent: "flex-end", gap: "0.5rem" }}>
+          {invoice.status === "paid" && invoice.stripePaymentIntentId && (
+            <button
+              onClick={() => setShowRefundDialog(true)}
+              style={{ ...btnStyle, color: "#b45309", borderColor: "#b45309" }}
+            >
+              Refund
+            </button>
           )}
-          <div style={{ display: "flex", gap: "0.5rem", justifyContent: "flex-end" }}>
-            {invoice.status === "paid" && !invoice.stripeRefundId && isManager && (
-              <button onClick={() => setShowRefundDialog(true)} style={{ ...btnStyle, color: "#fff", backgroundColor: "#7c3aed", borderColor: "#7c3aed" }}>
-                Refund
-              </button>
-            )}
-            <button onClick={onClose} style={btnStyle}>Close</button>
-          </div>
+          <button onClick={onClose} style={btnStyle}>Close</button>
         </div>
       )}
 
+      {/* Refund Dialog */}
       {showRefundDialog && (
-        <div style={{ marginTop: "1rem", border: "1px solid #e2e8f0", borderRadius: 8, padding: "1rem", background: "#f9fafb" }}>
-          <p style={{ fontWeight: 600, margin: "0 0 0.75rem" }}>Process Refund</p>
-          <div style={{ display: "flex", gap: "0.75rem", marginBottom: "0.75rem" }}>
-            <label style={{ display: "flex", alignItems: "center", gap: "0.25rem", cursor: "pointer" }}>
-              <input type="radio" checked={refundType === "full"} onChange={() => setRefundType("full")} />
+        <Modal onClose={() => setShowRefundDialog(false)}>
+          <h2 style={{ marginTop: 0 }}>Issue Refund</h2>
+          <p style={{ fontSize: 14, color: "#6b7280", marginBottom: "1rem" }}>
+            Invoice total: <strong>{fmtMoney(invoice.totalCents)}</strong>
+          </p>
+          <div style={{ marginBottom: "0.75rem" }}>
+            <label style={{ display: "flex", alignItems: "center", gap: "0.5rem", fontWeight: 600, marginBottom: "0.5rem" }}>
+              <input
+                type="radio"
+                name="refundType"
+                value="full"
+                checked={refundType === "full"}
+                onChange={() => setRefundType("full")}
+              />
               Full refund
             </label>
-            <label style={{ display: "flex", alignItems: "center", gap: "0.25rem", cursor: "pointer" }}>
-              <input type="radio" checked={refundType === "partial"} onChange={() => setRefundType("partial")} />
+            <label style={{ display: "flex", alignItems: "center", gap: "0.5rem", fontWeight: 600 }}>
+              <input
+                type="radio"
+                name="refundType"
+                value="partial"
+                checked={refundType === "partial"}
+                onChange={() => setRefundType("partial")}
+              />
               Partial refund
             </label>
           </div>
           {refundType === "partial" && (
-            <div style={{ marginBottom: "0.75rem" }}>
+            <div style={{ marginBottom: "1rem" }}>
               <input
                 type="number"
                 min="0.01"
                 step="0.01"
-                placeholder="Amount ($)"
-                value={refundAmount}
-                onChange={(e) => setRefundAmount(e.target.value)}
-                style={{ ...inputStyle, width: 100 }}
+                placeholder="0.00"
+                value={partialAmount}
+                onChange={(e) => setPartialAmount(e.target.value)}
+                style={{ ...inputStyle, width: 120 }}
               />
             </div>
           )}
-          {refundError && <p style={{ color: "red", margin: "0 0 0.5rem", fontSize: 13 }}>{refundError}</p>}
-          <div style={{ display: "flex", gap: "0.5rem" }}>
+          {error && <p style={{ color: "red", margin: "0.5rem 0" }}>{error}</p>}
+          <div style={{ display: "flex", gap: "0.5rem", marginTop: "0.75rem" }}>
             <button
-              onClick={async () => {
-                setRefunding(true);
-                setRefundError(null);
-                try {
-                  if (refundType === "partial") {
-                    const parsed = parseFloat(refundAmount);
-                    if (isNaN(parsed) || parsed <= 0) {
-                      setRefundError("Please enter a valid amount greater than zero.");
-                      setRefunding(false);
-                      return;
-                    }
-                  }
-                  const body = refundType === "partial" ? { amountCents: Math.round(parseFloat(refundAmount) * 100) } : {};
-                  const res = await fetch(`/api/invoices/${invoice.id}/refund`, {
-                    method: "POST",
-                    headers: { "Content-Type": "application/json" },
-                    body: JSON.stringify(body),
-                  });
-                  if (!res.ok) {
-                    const err = (await res.json()) as { error?: string };
-                    throw new Error(err.error ?? `HTTP ${res.status}`);
-                  }
-                  setShowRefundDialog(false);
-                  onUpdated();
-                } catch (e: unknown) {
-                  setRefundError(e instanceof Error ? e.message : "Refund failed");
-                } finally {
-                  setRefunding(false);
-                }
-              }}
-              disabled={refunding}
-              style={{ ...btnStyle, color: "#fff", backgroundColor: "#7c3aed", borderColor: "#7c3aed" }}
+              onClick={issueRefund}
+              disabled={saving}
+              style={{ ...btnStyle, backgroundColor: "#b45309", color: "#fff", borderColor: "#b45309" }}
             >
-              {refunding ? "Processing…" : "Process Refund"}
+              {saving ? "Processing…" : "Issue Refund"}
+            </button>
+            <button onClick={() => setShowRefundDialog(false)} style={btnStyle}>
+              Cancel
             </button>
-            <button onClick={() => { setShowRefundDialog(false); setRefundError(null); }} style={btnStyle}>Cancel</button>
           </div>
-        </div>
+        </Modal>
       )}
-      </Modal>
+    </Modal>
   );
 }
 

apps/web/src/portal/CustomerPortal.tsx

@@ -326,7 +326,7 @@ export function CustomerPortal() {
         )}
 
         {/* Main Content */}
-        <main className="flex-1 min-h-screen overflow-hidden">
+        <main className="flex-1 min-h-screen overflow-x-hidden">
           <div className="hidden md:flex items-center justify-between px-8 py-4 border-b border-stone-200 bg-white">
             <div>
               <h1 className="text-lg font-semibold text-stone-800">

apps/web/src/portal/sections/BillingPayments.tsx

@@ -130,7 +130,7 @@ function BillingPaymentsInner({ sessionId, readOnly }: BillingPaymentsProps) {
         </div>
       )}
 
-      <div className="flex gap-2 overflow-x-auto scrollbar-hide">
+      <div className="flex gap-2 flex-wrap">
         {([
           { id: "invoices" as const, label: "Invoices", icon: DollarSign },
           { id: "payment" as const, label: "Payment Methods", icon: CreditCard },

apps/web/src/portal/sections/PetProfiles.tsx

@@ -182,7 +182,7 @@ export function PetProfiles({ sessionId, readOnly }: Props) {
       )}
 
       {/* Tabs */}
-      <div className="flex gap-1 bg-white rounded-xl border border-stone-200 p-1 overflow-x-auto scrollbar-hide">
+      <div className="flex gap-1 bg-white rounded-xl border border-stone-200 p-1 overflow-x-auto">
         {([
           { id: "info", label: "Basic Info", icon: PawPrint },
           { id: "medical", label: "Medical", icon: Heart },

charts/groombook/templates/_helpers.tpl

@@ -119,10 +119,3 @@ uri
 database-url
 {{- end -}}
 {{- end }}
-
-{{/*
-Auth secret name — always use groombook-auth (sealed secret name)
-*/}}
-{{- define "groombook.authSecretName" -}}
-{{- printf "%s" "groombook-auth" }}
-{{- end }}

charts/groombook/templates/api-deployment.yaml

@@ -50,27 +50,6 @@ spec:
             - name: OIDC_AUDIENCE
               value: {{ .Values.api.env.oidcAudience | quote }}
             {{- end }}
-            {{- if .Values.api.env.internalBaseUrl }}
-            - name: OIDC_INTERNAL_BASE
-              value: {{ .Values.api.env.internalBaseUrl | quote }}
-            {{- end }}
-            - name: BETTER_AUTH_URL
-              value: {{ .Values.api.env.betterAuthUrl | quote }}
-            - name: OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "groombook.authSecretName" . }}
-                  key: OIDC_CLIENT_ID
-            - name: OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "groombook.authSecretName" . }}
-                  key: OIDC_CLIENT_SECRET
-            - name: BETTER_AUTH_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "groombook.authSecretName" . }}
-                  key: BETTER_AUTH_SECRET
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:

charts/groombook/values.yaml

@@ -18,8 +18,6 @@ api:
     corsOrigin: ""
     oidcIssuer: ""
     oidcAudience: groombook
-    betterAuthUrl: ""
-    internalBaseUrl: ""
     port: "3000"
   service:
     type: ClusterIP

docs/runbooks/10dlc-pilot-registration.md

@@ -1,309 +0,0 @@
-# 10DLC Pilot Tenant Registration Runbook
-
-Authored for GRO-106 Phase 1.
-
----
-
-## Pre-Flight Checklist
-
-Before starting Telnyx registration, collect the following:
-
-| Item | Details |
-|------|---------|
-| Legal business name | Exact name on EIN / business registration |
-| EIN (Employer Identification Number) | 9-digit IRS format: XX-XXXXXXX |
-| Business type | Sole Proprietor / LLC / Corporation |
-| Primary contact email | General contact address (postmaster@, info@, etc.) |
-| Primary contact phone | Direct line for carrier verification |
-| Website URL | Must be live and contain privacy policy |
-| Sample message templates | See [Sample Templates](#sample-message-templates) below |
-| Messaging use case | Customer Care / Account Notification |
-
----
-
-## Step 1 — Telnyx Account Requirements
-
-- Active Telnyx account with billing configured.
-- Role required: **Admin** or **Super User** to register brands and campaigns.
-
----
-
-## Step 2 — Brand Registration
-
-### Via Telnyx Console
-
-1. Log in to [Telnyx Portal](https://portal.telnyx.com).
-2. Navigate to **Messaging → A2P 10DLC → Brands**.
-3. Click **Register Brand**.
-4. Fill in:
-   - **Brand Name**: Legal business name
-   - **Legal Company Name**: Exact EIN name
-   - **Company Type**: Select from dropdown
-   - **EIN**: XX-XXXXXXX
-   - **Primary Contact**: Name, email, phone
-   - **Website**: Must be accessible
-   - **BusinessVertical**: Select appropriate vertical
-5. Acknowledge the **Terms of Service**.
-6. Submit.
-
-### Via API
-
-```bash
-curl -X POST https://api.telnyx.com/v2/10dlc/brands \
-  -H "Authorization: Bearer $TELNYX_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "name": "Your Legal Business Name",
-    "legal_company_name": "Your Legal Business Name",
-    "company_type": "llc",
-    "ein": "XX-XXXXXXX",
-    "primary_contact": {
-      "name": "Jane Doe",
-      "email": "compliance@example.com",
-      "phone": "+1XXXXXXXXXX"
-    },
-    "website": "https://www.example.com",
-    "business_vertical": "PROFESSIONAL_SERVICES"
-  }'
-```
-
-**Response fields to record:**
-- `brand_id` — required for campaign registration
-- `brand_score` — affects campaign vetting speed
-
-### Expected Fees
-
-| Fee Type | Amount |
-|----------|--------|
-| Brand registration fee | ~$0 (no direct fee from Telnyx) |
-| Campaign registration fee | ~$15–$25 per campaign (Telnyx fee, subject to change) |
-| Carrier fees | Passed through from T-Mobile/AT&T/Verizon |
-
-### Expected Approval Window
-
-- **Vetting by Telnyx**: 1–3 business days after submission.
-- **Carrier (T-Mobile/AT&T/Verizon) review**: 2–5 business days after Telnyx approval.
-- Total end-to-end: **3–8 business days**.
-
----
-
-## Step 3 — Campaign Registration
-
-### Use Case Selection
-
-- **Primary**: Customer Care
-- **Secondary**: Account Notification
-
-### Via Telnyx Console
-
-1. Navigate to **Messaging → A2P 10DLC → Campaigns**.
-2. Click **Register Campaign**.
-3. Select **Brand** (use the brand registered in Step 2).
-4. Fill in:
-   - **Campaign Name**: e.g., `groombook-pilot-customer-care`
-   - **Use Case**: Customer Care / Account Notification
-   - **Sample Messages**: Paste exactly the templates from [Sample Templates](#sample-message-templates) below.
-   - **Description**: Brief description of messaging program
-   - **Estimated Volume**: Enter monthly estimate (e.g., 500)
-5. Submit.
-
-### Via API
-
-```bash
-curl -X POST https://api.telnyx.com/v2/10dlc/campaigns \
-  -H "Authorization: Bearer $TELNYX_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "brand_id": "YOUR_BRAND_ID",
-    "name": "groombook-pilot-customer-care",
-    "use_case": "CUSTOMER_CARE",
-    "sample_messages": [
-      "Hi {{first_name}}, this is a reminder from {{business_name}} that your appointment is scheduled for {{date}} at {{time}}. Reply STOP to opt out.",
-      "Your appointment with {{business_name}} is confirmed for {{date}}. Need to reschedule? Reply HELP or call us at {{phone}}."
-    ],
-    "description": "Appointment reminders and account notifications for grooming clients",
-    "estimated_monthly_volume": 500
-  }'
-```
-
-**Response fields to record:**
-- `campaign_id` — required for messaging profile
-- `status` — initially `PENDING`, transitions to `ACTIVE` after carrier approval
-
-### Campaign Vetting — STOP/HELP Language Requirements
-
-Every campaign **must** include compliant STOP/HELP messaging. The following must appear in your sample messages or be included in your terms of service:
-
-- **STOP**: Users can text `STOP` to opt out of all messages.
-- **HELP**: Users can text `HELP` to receive contact information.
-
-Example STOP/HELP block:
-
-```
-Text STOP to opt out. Text HELP for help. Msg & data rates may apply.
-```
-
----
-
-## Step 4 — Messaging Profile + Phone Number Provisioning
-
-### Create Messaging Profile
-
-1. In Telnyx Portal, navigate to **Messaging → Messaging Profiles**.
-2. Click **Create Messaging Profile**.
-3. Name it (e.g., `groombook-pilot-prod`).
-4. Copy the **Messaging Profile ID** (`messaging_profile_id`) — record this in the DB.
-
-### Provision a 10DLC Phone Number
-
-1. Navigate to **Messaging → Phone Numbers**.
-2. Search for a number in your desired area code.
-3. Confirm the number is 10DLC-capable.
-4. Purchase the number.
-
-### Associate Number with Messaging Profile
-
-```bash
-# Assign number to messaging profile
-curl -X PATCH https://api.telnyx.com/v2/phone_numbers/YOUR_PHONE_NUMBER_ID \
-  -H "Authorization: Bearer $TELNYX_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "messaging_profile_id": "YOUR_MESSAGING_PROFILE_ID"
-  }'
-```
-
----
-
-## Step 5 — Record in Database
-
-Once GRO-981 lands, record the following against the business record:
-
-### SQL Path (when GRO-981 is complete)
-
-```sql
-UPDATE businesses
-SET
-  messaging_phone_number = '+1XXXXXXXXXX',
-  telnyx_messaging_profile_id = 'YOUR_MESSAGING_PROFILE_ID',
-  telnyx_brand_id = 'YOUR_BRAND_ID',
-  telnyx_campaign_id = 'YOUR_CAMPAIGN_ID',
-  telnyx_brand_status = 'APPROVED',
-  telnyx_campaign_status = 'ACTIVE',
-  updated_at = NOW()
-WHERE id = 'pilot_business_id';
-```
-
-### Manual Admin Path (before GRO-981)
-
-Until GRO-981 is complete, use the Telnyx Portal to verify and record values manually in your internal ops sheet:
-
-| Field | Value |
-|-------|-------|
-| `messagingPhoneNumber` | +1XXXXXXXXXX |
-| `telnyxMessagingProfileId` | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
-| `telnyxBrandId` | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
-| `telnyxCampaignId` | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
-| `brandStatus` | APPROVED / PENDING |
-| `campaignStatus` | ACTIVE / PENDING |
-
----
-
-## Sample Message Templates
-
-These must match exactly what your system will send. Vetting reviewers compare templates against actual traffic.
-
-### Transactional Appointment Reminder
-
-```
-Hi {{first_name}}, this is a reminder from {{business_name}} that your appointment is scheduled for {{date}} at {{time}}. Reply STOP to opt out. Msg & data rates may apply.
-```
-
-### Manual Staff Message
-
-```
-Your appointment with {{business_name}} is confirmed for {{date}}. Need to reschedule? Reply HELP for assistance or call us at {{phone}}. Msg & data rates may apply.
-```
-
----
-
-## Failure Modes + Retry Guidance
-
-### Vetting Rejection — Brand
-
-| Rejection Reason | Common Fix |
-|-----------------|------------|
-| Legal name mismatch with EIN | Ensure exact EIN name matches legal company name exactly |
-| Website not accessible / missing privacy policy | Add privacy policy page to website before resubmitting |
-| Incomplete primary contact | Provide direct phone and real email (no noreply) |
-| High-risk business vertical | Contact Telnyx support for pre-screening before resubmitting |
-
-### Campaign Rejection
-
-| Rejection Reason | Common Fix |
-|-----------------|------------|
-| Sample messages do not match actual traffic | Update sample messages to match exactly what the system sends |
-| Missing STOP/HELP language | Add compliant STOP/HELP block to sample messages |
-| Volume estimate too low/high | Revise estimate to be realistic |
-| Use case mismatch | Re-select use case that matches actual messaging |
-
-### Re-submission
-
-After fixing the rejection reason, re-submit via the same API endpoint. Telnyx will re-run vetting (typically 24–48 hours).
-
----
-
-## Cost Summary
-
-### Telnyx Fees (as of 2026)
-
-| Fee Type | Amount | Notes |
-|----------|--------|-------|
-| 10DLC number (monthly) | ~$1.00–$2.50/number | Varies by type and area code |
-| Outbound message | $0.005–$0.015/message | Depends on destination carrier |
-| Inbound message | Included | No charge for received messages |
-| Campaign registration | ~$15–$25 one-time | Per campaign, subject to change |
-
-### Carrier Fees (T-Mobile / AT&T / Verizon)
-
-| Carrier | Outbound Fee | Notes |
-|---------|-------------|-------|
-| T-Mobile | ~$0.005–$0.01/message | Varies by message size (segment) |
-| AT&T | ~$0.005–$0.015/message | Varies by message size (segment) |
-| Verizon | ~$0.005–$0.01/message | Varies by message size (segment) |
-
-**Note**: Carrier fees are subject to change. Check [Telnyx pricing page](https://telnyx.com/pricing) and carrier fee schedules for current rates.
-
-### Example Monthly Cost (Pilot — 500 messages/month)
-
-| Line Item | Cost |
-|-----------|------|
-| 1x 10DLC number | ~$2.00 |
-| 500 outbound messages | ~$5.00–$7.50 |
-| Carrier pass-through | ~$2.50–$7.50 |
-| **Estimated Monthly Total** | **~$9.50–$17.00** |
-
----
-
-## Rollback / De-provisioning
-
-If the pilot tenant must be de-provisioned:
-
-1. Release the phone number: Telnyx Portal → Phone Numbers → Release.
-2. Archive the campaign: set status to `INACTIVE` via API or console.
-3. Remove DB record: clear `messagingPhoneNumber`, `telnyxMessagingProfileId`, `telnyxCampaignId` fields in the business record.
-4. Brand can remain registered (no harm) but will not be used.
-
----
-
-## Contacts
-
-| Resource | Contact |
-|----------|---------|
-| Telnyx Support | support@telnyx.com |
-| Telnyx Dashboard | portal.telnyx.com |
-| Internal Engineering | Raise issue in GRO-106 |
-
----
-
-_Owner: Engineering · Last updated: 2026-05-04_

docs/runbooks/README.md

@@ -1,11 +0,0 @@
-# GroomBook Runbooks
-
-Operational runbooks for GroomBook staff and operators.
-
-| Runbook | Description | Status |
-|---------|-------------|--------|
-| [10DLC Pilot Registration](./10dlc-pilot-registration.md) | Register a pilot grooming business as an A2P 10DLC brand + campaign on Telnyx | Active |
-
----
-
-_To add a runbook, create a markdown file in this directory and update this table._

packages/db/migrations/0030_messaging.sql

@@ -1,72 +0,0 @@
--- Migration: 0030_messaging.sql
--- Messaging schema: conversations, messages, attachments, consent events + business messaging settings
-
--- ─── Enums ───────────────────────────────────────────────────────────────────
-
-CREATE TYPE "messaging_channel" AS ENUM ('sms', 'mms');
-CREATE TYPE "message_direction" AS ENUM ('inbound', 'outbound');
-CREATE TYPE "message_status" AS ENUM ('queued', 'sent', 'delivered', 'failed', 'received');
-CREATE TYPE "message_consent_kind" AS ENUM ('opt_in', 'opt_out', 'help');
-
--- ─── Tables ───────────────────────────────────────────────────────────────────
-
-CREATE TABLE "conversations" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "business_id" uuid NOT NULL,
-  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
-  "channel" "messaging_channel" NOT NULL,
-  "external_number" text NOT NULL,
-  "business_number" text NOT NULL,
-  "last_message_at" timestamp,
-  "status" text NOT NULL DEFAULT 'active',
-  "created_at" timestamp NOT NULL DEFAULT now(),
-  "updated_at" timestamp NOT NULL DEFAULT now()
-);
-
-CREATE INDEX "idx_conversations_business_id_last_message_at" ON "conversations"("business_id", "last_message_at" DESC);
-CREATE UNIQUE INDEX "uq_conversations_business_client_number" ON "conversations"("business_id", "client_id", "business_number");
-
-CREATE TABLE "messages" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "conversation_id" uuid NOT NULL REFERENCES "conversations"("id") ON DELETE CASCADE,
-  "direction" "message_direction" NOT NULL,
-  "body" text,
-  "status" "message_status" NOT NULL DEFAULT 'queued',
-  "provider_message_id" text,
-  "error_code" text,
-  "error_message" text,
-  "sent_by_staff_id" uuid REFERENCES "staff"("id") ON DELETE SET NULL,
-  "created_at" timestamp NOT NULL DEFAULT now(),
-  "delivered_at" timestamp,
-  "read_by_client_at" timestamp
-);
-
-CREATE INDEX "idx_messages_conversation_id_created_at" ON "messages"("conversation_id", "created_at" DESC);
-CREATE UNIQUE INDEX "uq_messages_provider_message_id" ON "messages"("provider_message_id");
-
-CREATE TABLE "message_attachments" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "message_id" uuid NOT NULL REFERENCES "messages"("id") ON DELETE CASCADE,
-  "content_type" text NOT NULL,
-  "url" text NOT NULL,
-  "size" integer NOT NULL,
-  "provider_media_id" text
-);
-
-CREATE INDEX "idx_message_attachments_message_id" ON "message_attachments"("message_id");
-
-CREATE TABLE "message_consent_events" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
-  "business_id" uuid NOT NULL,
-  "kind" "message_consent_kind" NOT NULL,
-  "source" text,
-  "created_at" timestamp NOT NULL DEFAULT now()
-);
-
-CREATE INDEX "idx_message_consent_events_client_id" ON "message_consent_events"("client_id");
-
--- ─── Business Settings extensions ────────────────────────────────────────────
-
-ALTER TABLE "business_settings" ADD COLUMN "messaging_phone_number" text;
-ALTER TABLE "business_settings" ADD COLUMN "telnyx_messaging_profile_id" text;

packages/db/migrations/meta/_journal.json

@@ -204,20 +204,6 @@
       "when": 1775741667192,
       "tag": "0028_sms_reminders",
       "breakpoints": true
-    },
-    {
-      "idx": 29,
-      "version": "7",
-      "when": 1775784467192,
-      "tag": "0029_db_indexes_constraints",
-      "breakpoints": true
-    },
-    {
-      "idx": 30,
-      "version": "7",
-      "when": 1775828067192,
-      "tag": "0030_messaging",
-      "breakpoints": true
     }
   ]
 }

packages/db/src/schema.ts

@@ -406,117 +406,6 @@ export const impersonationAuditLogs = pgTable(
   (t) => [index("impersonation_audit_logs_session_id_idx").on(t.sessionId)]
 );
 
-// ─── Messaging ───────────────────────────────────────────────────────────────
-
-export const messagingChannelEnum = pgEnum("messaging_channel", ["sms", "mms"]);
-
-export const messageDirectionEnum = pgEnum("message_direction", [
-  "inbound",
-  "outbound",
-]);
-
-export const messageStatusEnum = pgEnum("message_status", [
-  "queued",
-  "sent",
-  "delivered",
-  "failed",
-  "received",
-]);
-
-export const messageConsentKindEnum = pgEnum("message_consent_kind", [
-  "opt_in",
-  "opt_out",
-  "help",
-]);
-
-export const conversations = pgTable(
-  "conversations",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    businessId: uuid("business_id").notNull(),
-    clientId: uuid("client_id")
-      .notNull()
-      .references(() => clients.id, { onDelete: "cascade" }),
-    channel: messagingChannelEnum("channel").notNull(),
-    externalNumber: text("external_number").notNull(),
-    businessNumber: text("business_number").notNull(),
-    lastMessageAt: timestamp("last_message_at"),
-    status: text("status").notNull().default("active"),
-    createdAt: timestamp("created_at").notNull().defaultNow(),
-    updatedAt: timestamp("updated_at").notNull().defaultNow(),
-  },
-  (t) => [
-    index("idx_conversations_business_id_last_message_at").on(
-      t.businessId,
-      t.lastMessageAt.desc()
-    ),
-    unique("uq_conversations_business_client_number").on(
-      t.businessId,
-      t.clientId,
-      t.businessNumber
-    ),
-  ]
-);
-
-export const messages = pgTable(
-  "messages",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    conversationId: uuid("conversation_id")
-      .notNull()
-      .references(() => conversations.id, { onDelete: "cascade" }),
-    direction: messageDirectionEnum("direction").notNull(),
-    body: text("body"),
-    status: messageStatusEnum("status").notNull().default("queued"),
-    providerMessageId: text("provider_message_id"),
-    errorCode: text("error_code"),
-    errorMessage: text("error_message"),
-    sentByStaffId: uuid("sent_by_staff_id").references(() => staff.id, {
-      onDelete: "set null",
-    }),
-    createdAt: timestamp("created_at").notNull().defaultNow(),
-    deliveredAt: timestamp("delivered_at"),
-    readByClientAt: timestamp("read_by_client_at"),
-  },
-  (t) => [
-    index("idx_messages_conversation_id_created_at").on(
-      t.conversationId,
-      t.createdAt.desc()
-    ),
-    unique("uq_messages_provider_message_id").on(t.providerMessageId),
-  ]
-);
-
-export const messageAttachments = pgTable(
-  "message_attachments",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    messageId: uuid("message_id")
-      .notNull()
-      .references(() => messages.id, { onDelete: "cascade" }),
-    contentType: text("content_type").notNull(),
-    url: text("url").notNull(),
-    size: integer("size").notNull(),
-    providerMediaId: text("provider_media_id"),
-  },
-  (t) => [index("idx_message_attachments_message_id").on(t.messageId)]
-);
-
-export const messageConsentEvents = pgTable(
-  "message_consent_events",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    clientId: uuid("client_id")
-      .notNull()
-      .references(() => clients.id, { onDelete: "cascade" }),
-    businessId: uuid("business_id").notNull(),
-    kind: messageConsentKindEnum("kind").notNull(),
-    source: text("source"),
-    createdAt: timestamp("created_at").notNull().defaultNow(),
-  },
-  (t) => [index("idx_message_consent_events_client_id").on(t.clientId)]
-);
-
 export const businessSettings = pgTable("business_settings", {
   id: uuid("id").primaryKey().defaultRandom(),
   businessName: text("business_name").notNull().default("GroomBook"),
@@ -525,8 +414,6 @@ export const businessSettings = pgTable("business_settings", {
   logoKey: text("logo_key"),
   primaryColor: text("primary_color").notNull().default("#4f8a6f"),
   accentColor: text("accent_color").notNull().default("#8b7355"),
-  messagingPhoneNumber: text("messaging_phone_number"),
-  telnyxMessagingProfileId: text("telnyx_messaging_profile_id"),
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });

packages/db/src/seed.ts

@@ -978,7 +978,6 @@ async function seed() {
         const invoiceStatus = rand() < 0.95 ? "paid" as const : "pending" as const;
         const paidAt = invoiceStatus === "paid" ? new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000) : null;
 
-        const stripePaymentIntentId = invoiceStatus === "paid" && rand() < 0.2 ? `pi_test_${uuid().replace(/-/g, "").slice(0, 24)}` : null;
         invoiceBatch.push({
           id: invoiceId,
           appointmentId: apptId,
@@ -990,7 +989,6 @@ async function seed() {
           status: invoiceStatus,
           paymentMethod: invoiceStatus === "paid" ? pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check" : null,
           paidAt,
-          stripePaymentIntentId,
           notes: rand() < 0.05 ? "Added extra service at checkout" : null,
         });
 
@@ -1094,14 +1092,13 @@ async function seed() {
       const taxCents = Math.round(effectivePrice * 0.08);
       const totalCents = effectivePrice + taxCents + tipCents;
       const paidAt = new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000);
-      const stripePaymentIntentId = rand() < 0.2 ? `pi_test_${uuid().replace(/-/g, "").slice(0, 24)}` : null;
 
       invoiceBatch.push({
         id: invoiceId, appointmentId: apptId, clientId,
         subtotalCents: effectivePrice, taxCents, tipCents, totalCents,
         status: "paid" as const,
         paymentMethod: pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check",
-        paidAt, stripePaymentIntentId, notes: null,
+        paidAt, notes: null,
       });
       lineItemBatch.push({
         id: uuid(), invoiceId, description: svc.name, quantity: 1,

pnpm-lock.yaml

@@ -46,9 +46,6 @@ importers:
       telnyx:
         specifier: ^1.23.0
         version: 1.27.0
-      uuid:
-        specifier: ^11.1.1
-        version: 11.1.1
       zod:
         specifier: ^4.3.6
         version: 4.3.6
@@ -62,9 +59,6 @@ importers:
       '@types/nodemailer':
         specifier: ^6.4.17
         version: 6.4.23
-      '@types/uuid':
-        specifier: ^10.0.0
-        version: 10.0.0
       '@vitest/coverage-v8':
         specifier: ^3.2.4
         version: 3.2.4(vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(jsdom@26.1.0)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
@@ -2340,9 +2334,6 @@ packages:
   '@types/use-sync-external-store@0.0.6':
     resolution: {integrity: sha512-zFDAD+tlpf2r4asuHEj0XH6pY6i0g5NeAHPn+15wk3BV6JA69eERFXC1gyGThDkVa1zCyKr5jox1+2LbV/AMLg==}
 
-  '@types/uuid@10.0.0':
-    resolution: {integrity: sha512-7gqG38EyHgyP1S+7+xomFtL+ZNHcKv6DwNaCZmJmo1vgMugyF3TCnXVg4t1uk89mLNwnLtnY3TpOpCOyp1/xHQ==}
-
   '@typescript-eslint/eslint-plugin@8.57.1':
     resolution: {integrity: sha512-Gn3aqnvNl4NGc6x3/Bqk1AOn0thyTU9bqDRhiRnUWezgvr2OnhYCWCgC8zXXRVqBsIL1pSDt7T9nJUe0oM0kDQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
@@ -4353,18 +4344,12 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  uuid@11.1.1:
-    resolution: {integrity: sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==}
-    hasBin: true
-
   uuid@8.3.2:
     resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
-    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   uuid@9.0.1:
     resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
-    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   victory-vendor@37.3.6:
@@ -6925,8 +6910,6 @@ snapshots:
 
   '@types/use-sync-external-store@0.0.6': {}
 
-  '@types/uuid@10.0.0': {}
-
   '@typescript-eslint/eslint-plugin@8.57.1(@typescript-eslint/parser@8.57.1(eslint@9.39.4(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.4(jiti@2.6.1))(typescript@5.9.3)':
     dependencies:
       '@eslint-community/regexpp': 4.12.2
@@ -9031,8 +9014,6 @@ snapshots:
     dependencies:
       react: 19.2.4
 
-  uuid@11.1.1: {}
-
   uuid@8.3.2: {}
 
   uuid@9.0.1: {}