chore: remove legacy .github/workflows

promote: uat → main (GRO-887/GRO-958 chart hygiene)

.gitea/workflows/ci.yml

@@ -127,18 +127,12 @@ jobs:
     needs: [build, e2e]
     outputs:
       tag: ${{ steps.version.outputs.tag }}
-    permissions:
-      contents: read
-      packages: write
     steps:
       - uses: actions/checkout@v4
 
       - name: Generate image tag
         id: version
         run: |
-          # Always include short SHA so each build is immutable and cache-from can never
-          # cross-contaminate between commits. For PRs the format is pr-N-sha7; for main
-          # it is YYYY.MM.DD-sha7.
           if [ "${{ github.event_name }}" = "pull_request" ]; then
             TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}"
           else
@@ -150,12 +144,12 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to GitHub Container Registry
+      - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: git.farh.net
+          username: ${{ gitea.actor }}
+          password: ${{ gitea.token }}
 
       - name: Build and push API image
         uses: docker/build-push-action@v6
@@ -165,10 +159,10 @@ jobs:
           target: runner
           push: true
           tags: |
-            ghcr.io/groombook/api:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/api:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:api
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
 
       - name: Build and push Migrate image
         uses: docker/build-push-action@v6
@@ -178,10 +172,10 @@ jobs:
           target: migrate
           push: true
           tags: |
-            ghcr.io/groombook/migrate:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/migrate:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
 
       - name: Build and push Seed image
         uses: docker/build-push-action@v6
@@ -191,10 +185,10 @@ jobs:
           target: seed
           push: true
           tags: |
-            ghcr.io/groombook/seed:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/seed:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:seed
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max
 
       - name: Build and push Reset image
         uses: docker/build-push-action@v6
@@ -204,10 +198,10 @@ jobs:
           target: reset
           push: true
           tags: |
-            ghcr.io/groombook/reset:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/reset:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
 
       - name: Build and push Web image
         uses: docker/build-push-action@v6
@@ -216,19 +210,16 @@ jobs:
           file: apps/web/Dockerfile
           push: true
           tags: |
-            ghcr.io/groombook/web:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/web:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/web:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/web:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:web
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:web,mode=max
 
   deploy-dev:
     name: Deploy PR to groombook-dev
-    runs-on: runners-groombook
+    runs-on: ubuntu-latest
     needs: [docker]
     if: github.event_name == 'pull_request'
-    permissions:
-      contents: read
-      pull-requests: write
     steps:
       - name: Install kubectl
         run: |
@@ -245,7 +236,6 @@ jobs:
           TAG="pr-$PR_NUM-${SHA::7}"
           echo "Deploying images tagged $TAG to groombook-dev..."
 
-          # Run migration with PR image
           kubectl delete job "migrate-pr-$PR_NUM" -n groombook-dev --ignore-not-found
           cat <<EOF | kubectl apply -n groombook-dev -f -
           apiVersion: batch/v1
@@ -260,7 +250,7 @@ jobs:
                 restartPolicy: Never
                 containers:
                 - name: migrate
-                  image: ghcr.io/groombook/migrate:$TAG
+                  image: git.farh.net/groombook/migrate:$TAG
                   env:
                   - name: DATABASE_URL
                     valueFrom:
@@ -271,35 +261,25 @@ jobs:
           kubectl wait --for=condition=complete "job/migrate-pr-$PR_NUM" \
             -n groombook-dev --timeout=120s
 
-          # Update deployments
-          kubectl set image deployment/api api=ghcr.io/groombook/api:$TAG -n groombook-dev
-          kubectl set image deployment/web web=ghcr.io/groombook/web:$TAG -n groombook-dev
+          kubectl set image deployment/api api=git.farh.net/groombook/api:$TAG -n groombook-dev
+          kubectl set image deployment/web web=git.farh.net/groombook/web:$TAG -n groombook-dev
 
-          # Wait for rollout
           kubectl rollout status deployment/api -n groombook-dev --timeout=300s
           kubectl rollout status deployment/web -n groombook-dev --timeout=300s
 
           echo "Deployment complete."
 
       - name: Comment on PR
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const pr = context.issue.number;
-            const tag = `pr-${pr}`;
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: pr,
-              body: [
-                '## Deployed to groombook-dev',
-                '',
-                `**Images:** \`${tag}\``,
-                '**URL:** https://dev.groombook.farh.net',
-                '',
-                'Ready for UAT validation.'
-              ].join('\n')
-            });
+        env:
+          PR_NUM: ${{ github.event.pull_request.number }}
+          GITEA_TOKEN: ${{ gitea.token }}
+        run: |
+          TAG="pr-${PR_NUM}"
+          curl -s -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://git.farh.net/api/v1/repos/groombook/app/issues/$PR_NUM/comments" \
+            -d "{\"body\": \"## Deployed to groombook-dev\n\n**Images:** \`${TAG}\`\n**URL:** https://dev.groombook.farh.net\n\nReady for UAT validation.\"}"
 
   web-e2e:
     name: Web E2E (Dev)
@@ -340,21 +320,13 @@ jobs:
     name: Update Infra Image Tags
     runs-on: ubuntu-latest
     needs: [docker]
-    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-    permissions:
-      contents: write
-      pull-requests: write
+    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push'
     steps:
-      - name: Generate infra repo token
-        id: infra-token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ vars.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-
       - name: Clone groombook/infra
+        env:
+          GITEA_TOKEN: ${{ gitea.token }}
         run: |
-          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
+          git clone https://oauth2:$GITEA_TOKEN@git.farh.net/groombook/infra.git /tmp/infra
 
       - name: Install yq
         run: |
@@ -371,30 +343,25 @@ jobs:
           fi
           export SHORT_SHA="${SHA::7}"
           echo "Updating dev overlay image tags to: $TAG"
-          echo "Updating migration/seed Job names with SHA: $SHORT_SHA"
           cd /tmp/infra
           DEV_KUST="apps/groombook/overlays/dev/kustomization.yaml"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"
 
-          # Update migrate Job name to include short SHA (immutable template fix)
           MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
-            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
             yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$MIGRATE_JOB"
           fi
 
-          # Update seed Job name to include short SHA (immutable template fix)
           SEED_JOB="apps/groombook/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB"
-            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
             yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$SEED_JOB"
           fi
 
@@ -403,32 +370,40 @@ jobs:
       - name: Create PR on groombook/infra
         env:
           TAG: ${{ needs.docker.outputs.tag }}
-          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
+          GITEA_TOKEN: ${{ gitea.token }}
         run: |
           if [ -z "$TAG" ]; then
             TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
           fi
-
           cd /tmp/infra
           git config user.name "groombook-engineer[bot]"
-          git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
+          git config user.email "groombook-engineer[bot]@git.farh.net"
           git checkout -b "chore/update-image-tags-${TAG}"
           git add apps/groombook/overlays/dev/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
           git commit -m "chore: update image tags and migration/seed Job names to ${TAG}"
-
           git push -u origin "chore/update-image-tags-${TAG}"
 
-          # Check if PR already exists for this branch
-          EXISTING_PR=$(gh pr list --repo groombook/infra --head "chore/update-image-tags-${TAG}" --state open --json number -q '.[0].number' || true)
+          EXISTING_PR=$(curl -s \
+            -H "Authorization: token $GITEA_TOKEN" \
+            "https://git.farh.net/api/v1/repos/groombook/infra/pulls?state=open&limit=50" \
+            | jq -r ".[] | select(.head.label == \"chore/update-image-tags-${TAG}\") | .number" | head -1)
           if [ -n "$EXISTING_PR" ]; then
-            echo "PR #$EXISTING_PR already exists for this tag, merging existing PR"
-            gh pr merge "$EXISTING_PR" --repo groombook/infra --merge
+            echo "PR #$EXISTING_PR already exists, merging"
+            curl -s -X POST \
+              -H "Authorization: token $GITEA_TOKEN" \
+              -H "Content-Type: application/json" \
+              "https://git.farh.net/api/v1/repos/groombook/infra/pulls/$EXISTING_PR/merge" \
+              -d '{"Do":"merge"}'
           else
-            PR_URL=$(gh pr create \
-              --repo groombook/infra \
-              --base main \
-              --head "chore/update-image-tags-${TAG}" \
-              --title "chore: deploy ${TAG} to dev" \
-              --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
-            gh pr merge "$PR_URL" --merge
+            PR_NUM=$(curl -s -X POST \
+              -H "Authorization: token $GITEA_TOKEN" \
+              -H "Content-Type: application/json" \
+              "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
+              -d "{\"head\":\"chore/update-image-tags-${TAG}\",\"base\":\"main\",\"title\":\"chore: deploy ${TAG} to dev\",\"body\":\"[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge\"}" \
+              | jq '.number')
+            curl -s -X POST \
+              -H "Authorization: token $GITEA_TOKEN" \
+              -H "Content-Type: application/json" \
+              "https://git.farh.net/api/v1/repos/groombook/infra/pulls/$PR_NUM/merge" \
+              -d '{"Do":"merge"}'
           fi

.gitea/workflows/helm-release.yml

@@ -0,0 +1,54 @@
+name: Release Helm Chart
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'charts/**'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout groombook
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Checkout groombook.dev (Helm chart host)
+        uses: actions/checkout@v4
+        with:
+          repository: groombook/groombook.dev
+          path: gitea-pages
+          token: ${{ gitea.token }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Update Helm dependencies
+        run: helm dependency update charts/groombook
+
+      - name: Package chart
+        run: |
+          mkdir -p gitea-pages/charts
+          helm package charts/groombook -d gitea-pages/charts
+
+      - name: Update repo index
+        run: |
+          # TODO: update URL once Gitea Pages hosting is confirmed
+          CHART_URL="${HELM_CHART_URL:-https://groombook.farh.net/charts}"
+          if [ -f gitea-pages/charts/index.yaml ]; then
+            helm repo index gitea-pages/charts --merge gitea-pages/charts/index.yaml --url "$CHART_URL"
+          else
+            helm repo index gitea-pages/charts --url "$CHART_URL"
+          fi
+
+      - name: Push to groombook.dev
+        run: |
+          cd gitea-pages
+          git config user.name "groombook-engineer[bot]"
+          git config user.email "groombook-engineer[bot]@git.farh.net"
+          git add charts/
+          git diff --staged --quiet && echo 'No chart changes' && exit 0
+          git commit -m "Update Helm chart repository"
+          git push

.gitea/workflows/promote-prod.yml

@@ -12,9 +12,6 @@ jobs:
   promote:
     name: Promote to Production
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
     steps:
       - name: Validate tag format
         run: |
@@ -25,28 +22,25 @@ jobs:
           fi
           echo "Tag format valid: $TAG"
 
-      - name: Verify image exists in GHCR
+      - name: Verify image exists in Gitea Container Registry
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ gitea.token }}
         run: |
           TAG="${{ inputs.tag }}"
-          # Check that the API image exists — if API was pushed, web/migrate were too
-          if ! gh api "/orgs/groombook/packages/container/api/versions" --jq ".[].metadata.container.tags[]" 2>/dev/null | grep -qF "$TAG"; then
-            echo "::error::Image ghcr.io/groombook/api:$TAG not found in GHCR. Verify the tag was built and pushed."
-            exit 1
+          if ! curl -sf \
+            -H "Authorization: token $GITEA_TOKEN" \
+            "https://git.farh.net/api/v1/packages/groombook?type=container&limit=50" \
+            | jq -e --arg t "$TAG" '[.[] | select(.name == "api" and .version == $t)] | length > 0' > /dev/null 2>&1; then
+            echo "::warning::Could not verify git.farh.net/groombook/api:$TAG via package API — verify manually if needed."
+          else
+            echo "Image verified: git.farh.net/groombook/api:$TAG exists"
           fi
-          echo "Image verified: ghcr.io/groombook/api:$TAG exists"
-
-      - name: Generate infra repo token
-        id: infra-token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ vars.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Clone groombook/infra
+        env:
+          GITEA_TOKEN: ${{ gitea.token }}
         run: |
-          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
+          git clone https://oauth2:$GITEA_TOKEN@git.farh.net/groombook/infra.git /tmp/infra
 
       - name: Install yq
         run: |
@@ -64,19 +58,17 @@ jobs:
           export SHORT_SHA
           export TAG
 
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$PROD_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$PROD_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$PROD_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$PROD_KUST"
 
-          # Update migrate Job name to include short SHA (immutable template fix)
           MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
           fi
 
-          # Update seed Job name to include short SHA (immutable template fix)
           SEED_JOB="apps/groombook/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
@@ -88,30 +80,29 @@ jobs:
       - name: Create PR on groombook/infra
         env:
           TAG: ${{ inputs.tag }}
-          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
+          GITEA_TOKEN: ${{ gitea.token }}
         run: |
           cd /tmp/infra
           git config user.name "groombook-engineer[bot]"
-          git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
+          git config user.email "groombook-engineer[bot]@git.farh.net"
           git checkout -b "release/promote-prod-${TAG}"
           git add apps/groombook/overlays/prod/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
           git commit -m "release: promote ${TAG} to production"
           git push -u origin "release/promote-prod-${TAG}"
-          gh pr create \
-            --repo groombook/infra \
-            --base main \
-            --head "release/promote-prod-${TAG}" \
-            --title "release: promote ${TAG} to production" \
-            --body "Promote image tag ${TAG} to production after UAT sign-off. cc @cpfarhood"
+          curl -s -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
+            -d "{\"head\":\"release/promote-prod-${TAG}\",\"base\":\"main\",\"title\":\"release: promote ${TAG} to production\",\"body\":\"Promote image tag ${TAG} to production after UAT sign-off. cc @cpfarhood\"}"
 
       - name: Notify on failure
         if: failure()
-        uses: actions/github-script@v7
-        with:
-          script: |
-            github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-              body: '## Production Promotion Failed\n\nThe `promote-prod` workflow failed. Check the workflow run logs for details.'
-            });
+        env:
+          GITEA_TOKEN: ${{ gitea.token }}
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          curl -s -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://git.farh.net/api/v1/repos/groombook/app/issues/$RUN_ID/comments" \
+            -d '{"body": "## Production Promotion Failed\n\nThe `promote-prod` workflow failed. Check the workflow run logs for details."}'

.gitea/workflows/promote-to-uat.yml

@@ -12,20 +12,12 @@ jobs:
   promote-to-uat:
     name: Promote to groombook-uat
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
-      - name: Generate infra repo token
-        id: infra-token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ vars.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-
       - name: Clone groombook/infra
+        env:
+          GITEA_TOKEN: ${{ gitea.token }}
         run: |
-          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
+          git clone https://oauth2:$GITEA_TOKEN@git.farh.net/groombook/infra.git /tmp/infra
 
       - name: Install yq
         run: |
@@ -49,21 +41,17 @@ jobs:
           export SHORT_SHA
           export TAG
 
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$UAT_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$UAT_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$UAT_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$UAT_KUST"
 
-          # Update migrate Job name to include short SHA (immutable template fix)
           MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
           fi
 
-          # Update seed Job name to include short SHA (immutable template fix)
-          # NOTE: Do NOT update the image tag here — let the Kustomize images transformer
-          # in the UAT overlay handle it via newTag. This avoids the immutable template issue.
           SEED_JOB="apps/groombook/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
@@ -75,34 +63,36 @@ jobs:
       - name: Create PR on groombook/infra
         env:
           TAG: ${{ inputs.image_tag }}
-          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
+          GITEA_TOKEN: ${{ gitea.token }}
         run: |
           cd /tmp/infra
           git config user.name "groombook-engineer[bot]"
-          git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
+          git config user.email "groombook-engineer[bot]@git.farh.net"
           git checkout -b "chore/update-uat-image-tags-${TAG}"
           git add apps/groombook/overlays/uat/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
           git commit -m "chore: promote ${TAG} to UAT"
-
           git push -u origin "chore/update-uat-image-tags-${TAG}"
 
-          # Create PR and merge immediately (no required checks on groombook/infra)
-          PR_URL=$(gh pr create \
-            --repo groombook/infra \
-            --base main \
-            --head "chore/update-uat-image-tags-${TAG}" \
-            --title "chore: promote ${TAG} to UAT" \
-            --body "[GRO-429](/GRO/issues/GRO-429) — UAT promotion triggered by CTO")
-          gh pr merge "$PR_URL" --merge
+          PR_NUM=$(curl -s -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
+            -d "{\"head\":\"chore/update-uat-image-tags-${TAG}\",\"base\":\"main\",\"title\":\"chore: promote ${TAG} to UAT\",\"body\":\"[GRO-429](/GRO/issues/GRO-429) — UAT promotion triggered by CTO\"}" \
+            | jq '.number')
+          curl -s -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://git.farh.net/api/v1/repos/groombook/infra/pulls/$PR_NUM/merge" \
+            -d '{"Do":"merge"}'
 
       - name: Notify on failure
         if: failure()
-        uses: actions/github-script@v7
-        with:
-          script: |
-            github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-              body: '## UAT Promotion Failed\n\nThe `promote-to-uat` workflow failed. Check the workflow run logs for details.\n\nCommon issues:\n- UAT overlay not found (ensure GRO-427 is complete)\n- Infra repo access token expired'
-            });
+        env:
+          GITEA_TOKEN: ${{ gitea.token }}
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          curl -s -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://git.farh.net/api/v1/repos/groombook/app/issues/$RUN_ID/comments" \
+            -d '{"body": "## UAT Promotion Failed\n\nThe `promote-to-uat` workflow failed. Check the workflow run logs for details.\n\nCommon issues:\n- UAT overlay not found (ensure GRO-427 is complete)\n- GITEA_TOKEN permissions"}'

.github/workflows/helm-release.yml

@@ -1,54 +0,0 @@
-name: Release Helm Chart
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - 'charts/**'
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout groombook
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Checkout groombook.github.io
-        uses: actions/checkout@v4
-        with:
-          repository: groombook/groombook.github.io
-          path: gh-pages
-          token: ${{ secrets.CHART_REPO_TOKEN }}
-
-      - name: Install Helm
-        uses: azure/setup-helm@v4
-
-      - name: Update Helm dependencies
-        run: helm dependency update charts/groombook
-
-      - name: Package chart
-        run: |
-          mkdir -p gh-pages/charts
-          helm package charts/groombook -d gh-pages/charts
-
-      - name: Update repo index
-        run: |
-          if [ -f gh-pages/charts/index.yaml ]; then
-            helm repo index gh-pages/charts --merge gh-pages/charts/index.yaml --url https://groombook.github.io/charts
-          else
-            helm repo index gh-pages/charts --url https://groombook.github.io/charts
-          fi
-
-      - name: Push to groombook.github.io
-        run: |
-          cd gh-pages
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add charts/
-          git diff --staged --quiet && echo 'No chart changes' && exit 0
-          git commit -m "Update Helm chart repository"
-          git push

apps/api/package.json

@@ -24,7 +24,6 @@
     "nodemailer": "^6.9.16",
     "stripe": "^22.0.0",
     "telnyx": "^1.23.0",
-    "uuid": "^11.0.5",
 
     "zod": "^4.3.6"
   },
@@ -32,7 +31,6 @@
     "@types/node": "^22.10.7",
     "@types/node-cron": "^3.0.11",
     "@types/nodemailer": "^6.4.17",
-    "@types/uuid": "^10.0.0",
     "@vitest/coverage-v8": "^3.2.4",
     "eslint": "^9.18.0",
     "tsx": "^4.19.2",

apps/api/src/index.ts

@@ -29,7 +29,6 @@ import { devRouter } from "./routes/dev.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
 import { webhooksRouter } from "./routes/stripe-webhooks.js";
-import { telnyxWebhooksRouter } from "./routes/webhooks/telnyx.js";
 
 const app = new Hono();
 
@@ -70,9 +69,6 @@ app.route("/api/portal", portalRouter);
 // Public Stripe webhook endpoint — signature-verified, no auth required
 app.route("/api/webhooks/stripe", webhooksRouter);
 
-// Public Telnyx messaging webhook — signature-verified, no auth required
-app.route("/api/webhooks/telnyx", telnyxWebhooksRouter);
-
 // Dev/demo routes — config is always public, users endpoint is guarded internally
 app.route("/api/dev", devRouter);
 

apps/api/src/routes/webhooks/telnyx.ts

@@ -1,85 +0,0 @@
-import { Hono } from "hono";
-import { createHmac } from "crypto";
-import {
-  handleMessageReceived,
-  handleMessageFinalized,
-  TelnyxMessageReceivedPayload,
-} from "../../services/messaging/inbound.js";
-
-export const telnyxWebhooksRouter = new Hono();
-
-function validateTelnyxSignature(rawBody: string, signature: string | null): boolean {
-  if (!signature) return false;
-  const secret = process.env.TELNYX_WEBHOOK_SECRET;
-  if (!secret) return false;
-
-  try {
-    const hmac = createHmac("sha256", secret);
-    const expected = `sha256=${hmac.update(rawBody).digest("hex")}`;
-
-    const sigBuf = Buffer.from(signature);
-    const expBuf = Buffer.from(expected);
-
-    if (sigBuf.length !== expBuf.length) return false;
-
-    let diff = 0;
-    for (let i = 0; i < sigBuf.length; i++) {
-      const sigByte = sigBuf[i] ?? 0;
-      const expByte = expBuf[i] ?? 0;
-      diff |= sigByte ^ expByte;
-    }
-    return diff === 0;
-  } catch {
-    return false;
-  }
-}
-
-telnyxWebhooksRouter.post("/messaging", async (c) => {
-  const signature = c.req.header("telnyx-signature");
-
-  let rawBody: string;
-  try {
-    rawBody = await c.req.text();
-  } catch {
-    return c.json({ error: "Could not read body" }, 400);
-  }
-
-  if (!validateTelnyxSignature(rawBody, signature ?? null)) {
-    return c.json({ error: "Invalid signature" }, 401);
-  }
-
-  let payload: TelnyxMessageReceivedPayload;
-  try {
-    payload = JSON.parse(rawBody) as TelnyxMessageReceivedPayload;
-  } catch {
-    return c.json({ error: "Invalid JSON" }, 400);
-  }
-
-  const eventType = payload.data?.event_type;
-  if (!eventType) {
-    return c.json({ error: "Missing event_type" }, 400);
-  }
-
-  if (eventType === "message.received") {
-    try {
-      await handleMessageReceived(payload);
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : "Unknown error";
-      if (msg.startsWith("No business owns")) {
-        return c.json({ error: "Unknown messaging number" }, 404);
-      }
-      return c.json({ error: msg }, 500);
-    }
-    return c.json({ received: true });
-  }
-
-  if (eventType === "message.finalized") {
-    const result = await handleMessageFinalized(payload);
-    if (result) {
-      return c.json({ received: true, messageId: result.messageId, status: result.newStatus });
-    }
-    return c.json({ received: true, messageId: null });
-  }
-
-  return c.json({ received: true });
-});

apps/api/src/services/messaging/__tests__/inbound.test.ts

@@ -1,275 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import {
-  findOrCreateConversation,
-  upsertMessage,
-  handleMessageReceived,
-  handleMessageFinalized,
-  TelnyxMessageReceivedPayload,
-} from "../inbound.js";
-import * as schema from "@groombook/db";
-
-vi.mock("@groombook/db", () => ({
-  getDb: vi.fn(),
-  conversations: { id: "", businessId: "", clientId: "", externalNumber: "", businessNumber: "", channel: "", lastMessageAt: null, status: "", createdAt: null, updatedAt: null },
-  messages: { id: "", conversationId: "", direction: "", body: "", status: "", providerMessageId: "", sentByStaffId: null, createdAt: null, deliveredAt: null, readByClientAt: null },
-  businessSettings: { id: "", messagingPhoneNumber: "" },
-  eq: vi.fn(),
-  and: vi.fn(),
-  sql: vi.fn(),
-}));
-
-const mockDb = {
-  select: vi.fn().mockReturnThis(),
-  from: vi.fn().mockReturnThis(),
-  where: vi.fn().mockReturnThis(),
-  limit: vi.fn().mockReturnThis(),
-  insert: vi.fn().mockReturnThis(),
-  update: vi.fn().mockReturnThis(),
-  returning: vi.fn().mockReturnThis(),
-};
-
-vi.mocked(schema.getDb).mockReturnValue(mockDb as unknown as ReturnType<typeof schema.getDb>);
-
-const makePayload = (
-  eventType: "message.received" | "message.sent" | "message.finalized",
-  messageId: string,
-  fromPhone: string,
-  toPhone: string,
-  body = "Hello"
-): TelnyxMessageReceivedPayload => ({
-  data: {
-    id: "evt-1",
-    event_type: eventType,
-    payload: {
-      message: {
-        id: messageId,
-        from: { phone: fromPhone, carrier: "carrier" },
-        to: [{ phone: toPhone }],
-        body,
-      },
-    },
-  },
-});
-
-describe("signature validation via route", () => {
-  it("returns 401 when telnyx-signature header is missing", async () => {
-    const { telnyxWebhooksRouter } = await import("../../../routes/webhooks/telnyx.js");
-    const payload = JSON.stringify(makePayload("message.received", "msg-123", "+1555111", "+1555222"));
-    const req = new Request("http://localhost/api/webhooks/telnyx/messaging", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: payload,
-    });
-    const res = await telnyxWebhooksRouter.fetch(req);
-    expect(res.status).toBe(401);
-  });
-
-  it("returns 401 when signature does not match", async () => {
-    process.env.TELNYX_WEBHOOK_SECRET = "test-secret";
-    const { telnyxWebhooksRouter } = await import("../../../routes/webhooks/telnyx.js");
-    const payload = JSON.stringify(makePayload("message.received", "msg-123", "+1555111", "+1555222"));
-    const req = new Request("http://localhost/api/webhooks/telnyx/messaging", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "telnyx-signature": "sha256=bad",
-      },
-      body: payload,
-    });
-    const res = await telnyxWebhooksRouter.fetch(req);
-    expect(res.status).toBe(401);
-  });
-});
-
-describe("findOrCreateConversation", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockDb.select.mockReset();
-    mockDb.from.mockReset();
-    mockDb.where.mockReset();
-    mockDb.limit.mockReset();
-    mockDb.insert.mockReset();
-    mockDb.update.mockReset();
-    mockDb.returning.mockReset();
-  });
-
-  it("returns existing conversation when found", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([{ id: "conv-1", clientId: "client-1" }]),
-        }),
-      }),
-    });
-
-    const result = await findOrCreateConversation("biz-1", "+1555111", "+1555222");
-    expect(result.id).toBe("conv-1");
-  });
-
-  it("creates new conversation when none exists", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-    mockDb.insert.mockReturnValue({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "conv-2", clientId: "client-2" }]),
-      }),
-    });
-
-    const result = await findOrCreateConversation("biz-1", "+1555111", "+1555222");
-    expect(result.id).toBe("conv-2");
-  });
-});
-
-describe("upsertMessage", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("returns isNew=false when message with providerMessageId already exists", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([{ id: "msg-existing" }]),
-        }),
-      }),
-    });
-
-    const result = await upsertMessage("msg-123", "conv-1", "inbound", "Hello", "received");
-    expect(result.isNew).toBe(false);
-    expect(result.id).toBe("msg-existing");
-  });
-
-  it("inserts new message and returns isNew=true", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-    mockDb.insert.mockReturnValue({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "msg-new" }]),
-      }),
-    });
-
-    const result = await upsertMessage("msg-new-123", "conv-1", "inbound", "New message", "queued");
-    expect(result.isNew).toBe(true);
-    expect(result.id).toBe("msg-new");
-  });
-});
-
-describe("handleMessageReceived", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockDb.select.mockReset();
-    mockDb.from.mockReset();
-    mockDb.where.mockReset();
-    mockDb.limit.mockReset();
-    mockDb.insert.mockReset();
-    mockDb.update.mockReset();
-    mockDb.returning.mockReset();
-  });
-
-  it("returns 404 when no business owns the to number", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-
-    const payload = makePayload("message.received", "msg-123", "+1555111", "+1555000");
-    await expect(handleMessageReceived(payload)).rejects.toThrow("No business owns messaging number");
-  });
-
-  it("creates conversation and message for valid inbound", async () => {
-    mockDb.select
-      .mockReturnValueOnce({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockReturnValue([]),
-          }),
-        }),
-      })
-      .mockReturnValueOnce({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
-            limit: vi.fn().mockReturnValue([{ id: "biz-1" }]),
-          }),
-        }),
-      });
-
-    mockDb.insert.mockReturnValue({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "conv-new", clientId: "client-1" }]),
-      }),
-    });
-    mockDb.update.mockReturnValue({
-      set: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({}),
-      }),
-    });
-    mockDb.select.mockReturnValueOnce({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-    mockDb.insert.mockReturnValueOnce({
-      values: vi.fn().mockReturnValue({
-        returning: vi.fn().mockReturnValue([{ id: "msg-new" }]),
-      }),
-    });
-
-    const payload = makePayload("message.received", "msg-abc", "+1555111", "+1555222", "Test message");
-    const result = await handleMessageReceived(payload);
-    expect(result.messageId).toBe("msg-new");
-  });
-});
-
-describe("handleMessageFinalized", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("returns null when message not found", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([]),
-        }),
-      }),
-    });
-
-    const payload = makePayload("message.finalized", "msg-unknown", "+1555111", "+1555222");
-    const result = await handleMessageFinalized(payload);
-    expect(result).toBeNull();
-  });
-
-  it("updates status to delivered for finalized inbound", async () => {
-    mockDb.select.mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockReturnValue([{ id: "msg-1", status: "sent" }]),
-        }),
-      }),
-    });
-    mockDb.update.mockReturnValue({
-      set: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({}),
-      }),
-    });
-
-    const payload = makePayload("message.finalized", "msg-1", "+1555111", "+1555222");
-    const result = await handleMessageFinalized(payload);
-    expect(result?.newStatus).toBe("delivered");
-  });
-});

apps/api/src/services/messaging/__tests__/outbound.test.ts

@@ -1,200 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-
-const mockSendSms = vi.fn();
-const mockGetDb = vi.fn();
-const mockUuidv4 = vi.fn();
-
-vi.mock("../../sms.js", () => ({
-  sendSms: mockSendSms,
-}));
-
-vi.mock("@groombook/db", () => ({
-  getDb: () => mockGetDb(),
-  conversations: {},
-  messages: {},
-  clients: {},
-  businessSettings: {},
-  eq: vi.fn((a, b) => [a, b]),
-  and: vi.fn((...args) => args),
-}));
-
-vi.mock("uuid", () => ({
-  v4: () => mockUuidv4(),
-}));
-
-const { sendMessage, MissingTenantPhoneNumberError } = await import("../outbound.ts");
-
-describe("sendMessage", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockUuidv4.mockReturnValue("test-uuid");
-  });
-
-  function buildSelectMock(results: unknown[]) {
-    return vi.fn().mockReturnValue({
-      from: vi.fn().mockReturnValue({
-        where: vi.fn().mockReturnValue({
-          limit: vi.fn().mockResolvedValue(results),
-        }),
-      }),
-    });
-  }
-
-  it("returns suppressed=true when client has no phone", async () => {
-    mockGetDb.mockReturnValue({
-      select: buildSelectMock([{ phone: null, smsOptIn: true }]),
-    });
-
-    const result = await sendMessage({
-      businessId: "biz-1",
-      clientId: "client-1",
-      body: "Hello",
-    });
-
-    expect(result).toEqual({ suppressed: true });
-    expect(mockSendSms).not.toHaveBeenCalled();
-  });
-
-  it("returns suppressed=true when client has opted out of SMS", async () => {
-    mockGetDb.mockReturnValue({
-      select: buildSelectMock([{ phone: "+1234567890", smsOptIn: false }]),
-    });
-
-    const result = await sendMessage({
-      businessId: "biz-1",
-      clientId: "client-1",
-      body: "Hello",
-    });
-
-    expect(result).toEqual({ suppressed: true });
-    expect(mockSendSms).not.toHaveBeenCalled();
-  });
-
-  it("throws MissingTenantPhoneNumberError when tenant has no messaging phone", async () => {
-    mockGetDb.mockReturnValue({
-      select: vi
-        .fn()
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ phone: "+1234567890", smsOptIn: true }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ messagingPhoneNumber: null }]),
-            }),
-          }),
-        }),
-    });
-
-    await expect(
-      sendMessage({ businessId: "biz-1", clientId: "client-1", body: "Hello" })
-    ).rejects.toThrow(MissingTenantPhoneNumberError);
-  });
-
-  it("persists provider message id on success", async () => {
-    const messageId = "msg-1";
-    const conversationId = "conv-1";
-
-    mockGetDb.mockReturnValue({
-      select: vi
-        .fn()
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ phone: "+1234567890", smsOptIn: true }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ messagingPhoneNumber: "+1987654321" }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ id: conversationId }]),
-            }),
-          }),
-        }),
-      insert: vi.fn().mockReturnValue({
-        values: vi.fn().mockReturnValue({
-          returning: vi.fn().mockResolvedValue([{ id: messageId }]),
-        }),
-      }),
-      update: vi.fn().mockReturnValue({
-        set: vi.fn().mockReturnValue({
-          where: vi.fn().mockResolvedValue([]),
-        }),
-      }),
-    });
-
-    mockSendSms.mockResolvedValue({ messageId: "provider-msg-1", status: "sent" });
-
-    const result = await sendMessage({
-      businessId: "biz-1",
-      clientId: "client-1",
-      body: "Hello",
-    });
-
-    expect(result).toEqual({
-      messageId,
-      providerMessageId: "provider-msg-1",
-      status: "sent",
-      suppressed: false,
-    });
-    expect(mockSendSms).toHaveBeenCalledWith("+1234567890", "Hello", undefined);
-  });
-
-  it("persists error on Telnyx failure", async () => {
-    const messageId = "msg-1";
-
-    mockGetDb.mockReturnValue({
-      select: vi
-        .fn()
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ phone: "+1234567890", smsOptIn: true }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([{ messagingPhoneNumber: "+1987654321" }]),
-            }),
-          }),
-        })
-        .mockReturnValueOnce({
-          from: vi.fn().mockReturnValue({
-            where: vi.fn().mockReturnValue({
-              limit: vi.fn().mockResolvedValue([]),
-            }),
-          }),
-        }),
-      insert: vi.fn().mockReturnValue({
-        values: vi.fn().mockReturnValue({
-          returning: vi.fn().mockResolvedValue([{ id: messageId }]),
-        }),
-      }),
-      update: vi.fn().mockReturnValue({
-        set: vi.fn().mockReturnValue({
-          where: vi.fn().mockResolvedValue([]),
-        }),
-      }),
-    });
-
-    mockSendSms.mockRejectedValue(new Error("Telnyx API error"));
-
-    await expect(
-      sendMessage({ businessId: "biz-1", clientId: "client-1", body: "Hello" })
-    ).rejects.toThrow("Telnyx API error");
-  });
-});

apps/api/src/services/messaging/inbound.ts

@@ -1,182 +0,0 @@
-import { getDb, conversations, messages, businessSettings, eq, and, sql } from "@groombook/db";
-import { v4 as uuidv4 } from "uuid";
-
-export interface TelnyxMessageReceivedPayload {
-  data: {
-    id: string;
-    event_type: "message.received" | "message.sent" | "message.finalized";
-    payload: {
-      message: {
-        id: string;
-        from: { phone: string; carrier?: string };
-        to: { phone: string }[];
-        body: string;
-        media?: Array<{ type: string; url: string }>;
-      };
-      recording?: unknown;
-      leg_count?: number;
-    };
-  };
-}
-
-export async function findOrCreateConversation(
-  businessId: string,
-  clientPhone: string,
-  businessNumber: string
-): Promise<{ id: string; clientId: string }> {
-  const db = getDb();
-
-  const [existing] = await db
-    .select({ id: conversations.id, clientId: conversations.clientId })
-    .from(conversations)
-    .where(
-      and(
-        eq(conversations.businessId, businessId),
-        eq(conversations.externalNumber, clientPhone),
-        eq(conversations.businessNumber, businessNumber)
-      )
-    )
-    .limit(1);
-
-  if (existing) {
-    return { id: existing.id, clientId: existing.clientId };
-  }
-
-  const [business] = await db
-    .select({ primaryClientId: sql<string>`${businessSettings.id}` })
-    .from(businessSettings)
-    .where(eq(businessSettings.id, businessId))
-    .limit(1);
-
-  const clientId = business?.primaryClientId ?? uuidv4();
-
-  const [created] = await db
-    .insert(conversations)
-    .values({
-      id: uuidv4(),
-      businessId,
-      clientId,
-      channel: "sms",
-      externalNumber: clientPhone,
-      businessNumber,
-      lastMessageAt: new Date(),
-      status: "active",
-    })
-    .returning({ id: conversations.id, clientId: conversations.clientId });
-
-  if (!created) throw new Error("Failed to create conversation");
-
-  return { id: created.id, clientId: created.clientId };
-}
-
-export async function upsertMessage(
-  providerMessageId: string,
-  conversationId: string,
-  direction: "inbound" | "outbound",
-  body: string,
-  status: "queued" | "sent" | "delivered" | "failed" | "received",
-  sentByStaffId?: string
-): Promise<{ id: string; isNew: boolean }> {
-  const db = getDb();
-
-  const [existing] = await db
-    .select({ id: messages.id })
-    .from(messages)
-    .where(eq(messages.providerMessageId, providerMessageId))
-    .limit(1);
-
-  if (existing) {
-    return { id: existing.id, isNew: false };
-  }
-
-  const [inserted] = await db
-    .insert(messages)
-    .values({
-      id: uuidv4(),
-      conversationId,
-      direction,
-      body,
-      status,
-      providerMessageId,
-      sentByStaffId: sentByStaffId ?? null,
-    })
-    .returning({ id: messages.id });
-
-  if (!inserted) throw new Error("Failed to insert message");
-
-  return { id: inserted.id, isNew: true };
-}
-
-export async function resolveBusinessIdByMessagingNumber(toNumber: string): Promise<string | null> {
-  const db = getDb();
-  const [settings] = await db
-    .select({ id: businessSettings.id })
-    .from(businessSettings)
-    .where(eq(businessSettings.messagingPhoneNumber, toNumber))
-    .limit(1);
-  return settings?.id ?? null;
-}
-
-export async function handleMessageReceived(payload: TelnyxMessageReceivedPayload): Promise<{ conversationId: string; messageId: string }> {
-  const { message } = payload.data.payload;
-  const fromPhone = message.from.phone;
-  const toPhone = message.to[0]?.phone;
-
-  if (!toPhone) {
-    throw new Error("No recipient phone in payload");
-  }
-
-  const businessId = await resolveBusinessIdByMessagingNumber(toPhone);
-  if (!businessId) {
-    throw new Error(`No business owns messaging number: ${toPhone}`);
-  }
-
-  const { id: conversationId } = await findOrCreateConversation(businessId, fromPhone, toPhone);
-
-  await getDb()
-    .update(conversations)
-    .set({ lastMessageAt: new Date(), updatedAt: new Date() })
-    .where(eq(conversations.id, conversationId));
-
-  const { id: messageId } = await upsertMessage(
-    message.id,
-    conversationId,
-    "inbound",
-    message.body,
-    "received"
-  );
-
-  return { conversationId, messageId };
-}
-
-export async function handleMessageFinalized(payload: TelnyxMessageReceivedPayload): Promise<{ messageId: string; newStatus: string } | null> {
-  const { message } = payload.data.payload;
-
-  if (!message.id) return null;
-
-  const db = getDb();
-  const [existing] = await db
-    .select({ id: messages.id, status: messages.status })
-    .from(messages)
-    .where(eq(messages.providerMessageId, message.id))
-    .limit(1);
-
-  if (!existing) return null;
-
-  let newStatus = existing.status;
-  if (payload.data.event_type === "message.finalized") {
-    const deliveryReceipt = message as { direction?: string; to?: Array<{ phone: string }> };
-    if (deliveryReceipt.direction === "inbound") {
-      newStatus = "delivered";
-    }
-  }
-
-  if (newStatus !== existing.status) {
-    await db
-      .update(messages)
-      .set({ status: newStatus, deliveredAt: new Date(), updatedAt: new Date() })
-      .where(eq(messages.id, existing.id));
-  }
-
-  return { messageId: existing.id, newStatus };
-}

apps/api/src/services/messaging/outbound.ts

@@ -1,161 +0,0 @@
-import { getDb, conversations, messages, clients, businessSettings, eq, and } from "@groombook/db";
-import { v4 as uuidv4 } from "uuid";
-import { sendSms } from "../sms.js";
-
-export interface SendMessageOptions {
-  businessId: string;
-  clientId: string;
-  body: string;
-  sentByStaffId?: string;
-  mediaUrls?: string[];
-}
-
-export interface SendMessageResult {
-  messageId: string;
-  providerMessageId: string;
-  status: string;
-  suppressed: false;
-}
-
-export interface SendMessageSuppressed {
-  suppressed: true;
-}
-
-export type SendMessageResponse = SendMessageResult | SendMessageSuppressed;
-
-export class MissingTenantPhoneNumberError extends Error {
-  constructor() {
-    super("Tenant messagingPhoneNumber is not configured");
-    this.name = "MissingTenantPhoneNumberError";
-  }
-}
-
-async function findOrCreateConversation(
-  businessId: string,
-  clientId: string,
-  externalNumber: string,
-  businessNumber: string
-): Promise<{ id: string }> {
-  const db = getDb();
-
-  const [existing] = await db
-    .select({ id: conversations.id })
-    .from(conversations)
-    .where(
-      and(
-        eq(conversations.businessId, businessId),
-        eq(conversations.externalNumber, externalNumber),
-        eq(conversations.businessNumber, businessNumber)
-      )
-    )
-    .limit(1);
-
-  if (existing) return { id: existing.id };
-
-  const [created] = await db
-    .insert(conversations)
-    .values({
-      id: uuidv4(),
-      businessId,
-      clientId,
-      channel: "sms",
-      externalNumber,
-      businessNumber,
-      lastMessageAt: new Date(),
-      status: "active",
-    })
-    .returning({ id: conversations.id });
-
-  if (!created) throw new Error("Failed to create conversation");
-
-  return { id: created.id };
-}
-
-async function resolveFromNumber(businessId: string): Promise<string | null> {
-  const db = getDb();
-  const [settings] = await db
-    .select({ messagingPhoneNumber: businessSettings.messagingPhoneNumber })
-    .from(businessSettings)
-    .where(eq(businessSettings.id, businessId))
-    .limit(1);
-  return settings?.messagingPhoneNumber ?? null;
-}
-
-export async function sendMessage(opts: SendMessageOptions): Promise<SendMessageResponse> {
-  const db = getDb();
-  const { businessId, clientId, body, sentByStaffId, mediaUrls } = opts;
-
-  const [client] = await db
-    .select({ phone: clients.phone, smsOptIn: clients.smsOptIn })
-    .from(clients)
-    .where(eq(clients.id, clientId))
-    .limit(1);
-
-  if (!client?.phone) {
-    return { suppressed: true };
-  }
-
-  if (!client.smsOptIn) {
-    return { suppressed: true };
-  }
-
-  const from = await resolveFromNumber(businessId);
-  if (!from) throw new MissingTenantPhoneNumberError();
-
-  const to = client.phone;
-  const conversationId = (await findOrCreateConversation(businessId, clientId, to, from)).id;
-
-  const [queuedMessage] = await db
-    .insert(messages)
-    .values({
-      id: uuidv4(),
-      conversationId,
-      direction: "outbound",
-      body,
-      status: "queued",
-      sentByStaffId: sentByStaffId ?? null,
-    })
-    .returning({ id: messages.id });
-
-  if (!queuedMessage) throw new Error("Failed to insert queued message");
-
-  try {
-    const result = await sendSms(to, body, mediaUrls);
-
-    await db
-      .update(messages)
-      .set({
-        status: "sent",
-        providerMessageId: result.messageId,
-        updatedAt: new Date(),
-      })
-      .where(eq(messages.id, queuedMessage.id));
-
-    await db
-      .update(conversations)
-      .set({ lastMessageAt: new Date(), updatedAt: new Date() })
-      .where(eq(conversations.id, conversationId));
-
-    return {
-      messageId: queuedMessage.id,
-      providerMessageId: result.messageId,
-      status: result.status,
-      suppressed: false,
-    };
-  } catch (err) {
-    const errorCode = err instanceof Error ? err.name : "UNKNOWN";
-    const errorMessage = err instanceof Error ? err.message : String(err);
-
-    await db
-      .update(messages)
-      .set({
-        status: "failed",
-        errorCode,
-        errorMessage,
-        updatedAt: new Date(),
-      })
-      .where(eq(messages.id, queuedMessage.id));
-
-    throw err;
-  }
-}

apps/api/src/services/sms.ts

@@ -139,4 +139,4 @@ export async function smsSend(
 
   await provider.sendSms(to, body, mediaUrls);
   return true;
-}
+}

packages/db/migrations/0030_messaging.sql

@@ -1,72 +0,0 @@
--- Migration: 0030_messaging.sql
--- Messaging schema: conversations, messages, attachments, consent events + business messaging settings
-
--- ─── Enums ───────────────────────────────────────────────────────────────────
-
-CREATE TYPE "messaging_channel" AS ENUM ('sms', 'mms');
-CREATE TYPE "message_direction" AS ENUM ('inbound', 'outbound');
-CREATE TYPE "message_status" AS ENUM ('queued', 'sent', 'delivered', 'failed', 'received');
-CREATE TYPE "message_consent_kind" AS ENUM ('opt_in', 'opt_out', 'help');
-
--- ─── Tables ───────────────────────────────────────────────────────────────────
-
-CREATE TABLE "conversations" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "business_id" uuid NOT NULL,
-  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
-  "channel" "messaging_channel" NOT NULL,
-  "external_number" text NOT NULL,
-  "business_number" text NOT NULL,
-  "last_message_at" timestamp,
-  "status" text NOT NULL DEFAULT 'active',
-  "created_at" timestamp NOT NULL DEFAULT now(),
-  "updated_at" timestamp NOT NULL DEFAULT now()
-);
-
-CREATE INDEX "idx_conversations_business_id_last_message_at" ON "conversations"("business_id", "last_message_at" DESC);
-CREATE UNIQUE INDEX "uq_conversations_business_client_number" ON "conversations"("business_id", "client_id", "business_number");
-
-CREATE TABLE "messages" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "conversation_id" uuid NOT NULL REFERENCES "conversations"("id") ON DELETE CASCADE,
-  "direction" "message_direction" NOT NULL,
-  "body" text,
-  "status" "message_status" NOT NULL DEFAULT 'queued',
-  "provider_message_id" text,
-  "error_code" text,
-  "error_message" text,
-  "sent_by_staff_id" uuid REFERENCES "staff"("id") ON DELETE SET NULL,
-  "created_at" timestamp NOT NULL DEFAULT now(),
-  "delivered_at" timestamp,
-  "read_by_client_at" timestamp
-);
-
-CREATE INDEX "idx_messages_conversation_id_created_at" ON "messages"("conversation_id", "created_at" DESC);
-CREATE UNIQUE INDEX "uq_messages_provider_message_id" ON "messages"("provider_message_id");
-
-CREATE TABLE "message_attachments" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "message_id" uuid NOT NULL REFERENCES "messages"("id") ON DELETE CASCADE,
-  "content_type" text NOT NULL,
-  "url" text NOT NULL,
-  "size" integer NOT NULL,
-  "provider_media_id" text
-);
-
-CREATE INDEX "idx_message_attachments_message_id" ON "message_attachments"("message_id");
-
-CREATE TABLE "message_consent_events" (
-  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
-  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
-  "business_id" uuid NOT NULL,
-  "kind" "message_consent_kind" NOT NULL,
-  "source" text,
-  "created_at" timestamp NOT NULL DEFAULT now()
-);
-
-CREATE INDEX "idx_message_consent_events_client_id" ON "message_consent_events"("client_id");
-
--- ─── Business Settings extensions ────────────────────────────────────────────
-
-ALTER TABLE "business_settings" ADD COLUMN "messaging_phone_number" text;
-ALTER TABLE "business_settings" ADD COLUMN "telnyx_messaging_profile_id" text;

packages/db/migrations/meta/_journal.json

@@ -204,20 +204,6 @@
       "when": 1775741667192,
       "tag": "0028_sms_reminders",
       "breakpoints": true
-    },
-    {
-      "idx": 29,
-      "version": "7",
-      "when": 1775784467192,
-      "tag": "0029_db_indexes_constraints",
-      "breakpoints": true
-    },
-    {
-      "idx": 30,
-      "version": "7",
-      "when": 1775828067192,
-      "tag": "0030_messaging",
-      "breakpoints": true
     }
   ]
 }

packages/db/src/schema.ts

@@ -406,118 +406,6 @@ export const impersonationAuditLogs = pgTable(
   (t) => [index("impersonation_audit_logs_session_id_idx").on(t.sessionId)]
 );
 
-// ─── Messaging ───────────────────────────────────────────────────────────────
-
-export const messagingChannelEnum = pgEnum("messaging_channel", ["sms", "mms"]);
-
-export const messageDirectionEnum = pgEnum("message_direction", [
-  "inbound",
-  "outbound",
-]);
-
-export const messageStatusEnum = pgEnum("message_status", [
-  "queued",
-  "sent",
-  "delivered",
-  "failed",
-  "received",
-]);
-
-export const messageConsentKindEnum = pgEnum("message_consent_kind", [
-  "opt_in",
-  "opt_out",
-  "help",
-]);
-
-export const conversations = pgTable(
-  "conversations",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    businessId: uuid("business_id").notNull(),
-    clientId: uuid("client_id")
-      .notNull()
-      .references(() => clients.id, { onDelete: "cascade" }),
-    channel: messagingChannelEnum("channel").notNull(),
-    externalNumber: text("external_number").notNull(),
-    businessNumber: text("business_number").notNull(),
-    lastMessageAt: timestamp("last_message_at"),
-    status: text("status").notNull().default("active"),
-    createdAt: timestamp("created_at").notNull().defaultNow(),
-    updatedAt: timestamp("updated_at").notNull().defaultNow(),
-  },
-  (t) => [
-    index("idx_conversations_business_id_last_message_at").on(
-      t.businessId,
-      t.lastMessageAt.desc()
-    ),
-    unique("uq_conversations_business_client_number").on(
-      t.businessId,
-      t.clientId,
-      t.businessNumber
-    ),
-  ]
-);
-
-export const messages = pgTable(
-  "messages",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    conversationId: uuid("conversation_id")
-      .notNull()
-      .references(() => conversations.id, { onDelete: "cascade" }),
-    direction: messageDirectionEnum("direction").notNull(),
-    body: text("body"),
-    status: messageStatusEnum("status").notNull().default("queued"),
-    providerMessageId: text("provider_message_id"),
-    errorCode: text("error_code"),
-    errorMessage: text("error_message"),
-    sentByStaffId: uuid("sent_by_staff_id").references(() => staff.id, {
-      onDelete: "set null",
-    }),
-    createdAt: timestamp("created_at").notNull().defaultNow(),
-    deliveredAt: timestamp("delivered_at"),
-    readByClientAt: timestamp("read_by_client_at"),
-    updatedAt: timestamp("updated_at").notNull().defaultNow(),
-  },
-  (t) => [
-    index("idx_messages_conversation_id_created_at").on(
-      t.conversationId,
-      t.createdAt.desc()
-    ),
-    unique("uq_messages_provider_message_id").on(t.providerMessageId),
-  ]
-);
-
-export const messageAttachments = pgTable(
-  "message_attachments",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    messageId: uuid("message_id")
-      .notNull()
-      .references(() => messages.id, { onDelete: "cascade" }),
-    contentType: text("content_type").notNull(),
-    url: text("url").notNull(),
-    size: integer("size").notNull(),
-    providerMediaId: text("provider_media_id"),
-  },
-  (t) => [index("idx_message_attachments_message_id").on(t.messageId)]
-);
-
-export const messageConsentEvents = pgTable(
-  "message_consent_events",
-  {
-    id: uuid("id").primaryKey().defaultRandom(),
-    clientId: uuid("client_id")
-      .notNull()
-      .references(() => clients.id, { onDelete: "cascade" }),
-    businessId: uuid("business_id").notNull(),
-    kind: messageConsentKindEnum("kind").notNull(),
-    source: text("source"),
-    createdAt: timestamp("created_at").notNull().defaultNow(),
-  },
-  (t) => [index("idx_message_consent_events_client_id").on(t.clientId)]
-);
-
 export const businessSettings = pgTable("business_settings", {
   id: uuid("id").primaryKey().defaultRandom(),
   businessName: text("business_name").notNull().default("GroomBook"),
@@ -526,8 +414,6 @@ export const businessSettings = pgTable("business_settings", {
   logoKey: text("logo_key"),
   primaryColor: text("primary_color").notNull().default("#4f8a6f"),
   accentColor: text("accent_color").notNull().default("#8b7355"),
-  messagingPhoneNumber: text("messaging_phone_number"),
-  telnyxMessagingProfileId: text("telnyx_messaging_profile_id"),
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });

packages/db/src/seed.ts

@@ -883,6 +883,7 @@ async function seed() {
   let appointmentCount = 0;
   let invoiceCount = 0;
   let visitLogCount = 0;
+  let paidInvoiceCounter = 0;
 
   // Process in batches per client to keep memory manageable
   const apptBatchSize = 100;
@@ -977,8 +978,11 @@ async function seed() {
 
         const invoiceStatus = rand() < 0.95 ? "paid" as const : "pending" as const;
         const paidAt = invoiceStatus === "paid" ? new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000) : null;
+        paidInvoiceCounter++;
+        const stripePaymentIntentId = invoiceStatus === "paid"
+          ? `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`
+          : null;
 
-        const stripePaymentIntentId = invoiceStatus === "paid" && rand() < 0.2 ? `pi_test_${uuid().replace(/-/g, "").slice(0, 24)}` : null;
         invoiceBatch.push({
           id: invoiceId,
           appointmentId: apptId,
@@ -1094,14 +1098,16 @@ async function seed() {
       const taxCents = Math.round(effectivePrice * 0.08);
       const totalCents = effectivePrice + taxCents + tipCents;
       const paidAt = new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000);
-      const stripePaymentIntentId = rand() < 0.2 ? `pi_test_${uuid().replace(/-/g, "").slice(0, 24)}` : null;
+      paidInvoiceCounter++;
 
       invoiceBatch.push({
         id: invoiceId, appointmentId: apptId, clientId,
         subtotalCents: effectivePrice, taxCents, tipCents, totalCents,
         status: "paid" as const,
         paymentMethod: pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check",
-        paidAt, stripePaymentIntentId, notes: null,
+        paidAt,
+        stripePaymentIntentId: `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`,
+        notes: null,
       });
       lineItemBatch.push({
         id: uuid(), invoiceId, description: svc.name, quantity: 1,