fix(gro-540): add missing OIDC env vars to prod API deployment

Updates infra submodule to include OIDC_ISSUER, OIDC_CLIENT_ID,
OIDC_CLIENT_SECRET, and OIDC_INTERNAL_BASE env vars in prod api-patch.yaml.

This fixes the auth initialization failure where initAuth() found no
provider config because OIDC env vars were missing from the prod deployment
even though the groombook-auth sealed secret contained the credentials.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/promote-to-uat.yml

@@ -62,6 +62,8 @@ jobs:
           fi
 
           # Update seed Job name to include short SHA (immutable template fix)
+          # NOTE: Do NOT update the image tag here — let the Kustomize images transformer
+          # in the UAT overlay handle it via newTag. This avoids the immutable template issue.
           SEED_JOB="apps/groombook/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"

apps/api/src/index.ts

@@ -2,7 +2,7 @@ import { serve } from "@hono/node-server";
 import { Hono } from "hono";
 import { logger } from "hono/logger";
 import { cors } from "hono/cors";
-import { getAuth, initAuth } from "./lib/auth.js";
+import { getAuth, initAuth, getActiveProviders } from "./lib/auth.js";
 import { clientsRouter } from "./routes/clients.js";
 import { petsRouter } from "./routes/pets.js";
 import { servicesRouter } from "./routes/services.js";
@@ -92,6 +92,11 @@ app.get("/api/setup/status", async (c) => {
   return c.json({ needsSetup: !superUser });
 });
 
+// Public auth providers endpoint — no auth required, tells frontend which login options are available
+app.get("/api/auth/providers", async (c) => {
+  return c.json({ providers: getActiveProviders() });
+});
+
 // Protected API routes
 const api = app.basePath("/api");
 api.use("*", authMiddleware);

apps/api/src/lib/auth.ts

@@ -1,6 +1,7 @@
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { genericOAuth } from "better-auth/plugins";
+import { google, github } from "better-auth/social-providers";
 import { getDb, authProviderConfig, eq } from "@groombook/db";
 import { decryptSecret } from "@groombook/db";
 
@@ -27,6 +28,21 @@ export function getAuthPromise() {
   return authInitPromise;
 }
 
+/** Returns which OAuth/social providers are configured via env vars. */
+export function getActiveProviders(): string[] {
+  const providers: string[] = [];
+  if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
+    providers.push("google");
+  }
+  if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {
+    providers.push("github");
+  }
+  if (process.env.OIDC_ISSUER && process.env.OIDC_CLIENT_ID && process.env.OIDC_CLIENT_SECRET) {
+    providers.push("authentik");
+  }
+  return providers;
+}
+
 /**
  * Re-initializes the Better-Auth instance after auth config changes.
  *
@@ -152,6 +168,23 @@ export async function initAuth(): Promise<void> {
       console.log("[auth] Using env var config (no DB config found)");
     }
 
+    const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
+    const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);
+
+    const socialPlugins = [];
+    if (hasGoogle) {
+      socialPlugins.push(google({
+        clientId: process.env.GOOGLE_CLIENT_ID!,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+      }));
+    }
+    if (hasGitHub) {
+      socialPlugins.push(github({
+        clientId: process.env.GITHUB_CLIENT_ID!,
+        clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+      }));
+    }
+
     // Build Better-Auth instance using resolved config
     authInstance = betterAuth({
       database: drizzleAdapter(db, {
@@ -179,7 +212,8 @@ export async function initAuth(): Promise<void> {
             },
           ],
         }),
-            ],
+        ...socialPlugins,
+      ],
       session: {
         expiresIn: 60 * 60 * 24 * 7, // 7 days
         updateAge: 60 * 60 * 24, // 1 day

apps/web/src/App.tsx

@@ -22,12 +22,24 @@ import { useSession, signIn } from "./lib/auth-client.js";
 
 function LoginPage() {
   const [isLoading, setIsLoading] = useState(false);
+  const [providers, setProviders] = useState<string[]>([]);
 
-  const handleLogin = async () => {
+  useEffect(() => {
+    fetch("/api/auth/providers")
+      .then((r) => r.json())
+      .then((data) => setProviders(data.providers ?? []))
+      .catch(() => setProviders([]));
+  }, []);
+
+  const handleSocialLogin = async (provider: string) => {
     setIsLoading(true);
-    await signIn.social({ provider: "authentik", callbackURL: window.location.origin });
+    await signIn.social({ provider, callbackURL: window.location.origin });
   };
 
+  const isGoogle = providers.includes("google");
+  const isGitHub = providers.includes("github");
+  const isAuthentik = providers.includes("authentik");
+
   return (
     <div
       style={{
@@ -53,23 +65,89 @@ function LoginPage() {
         <p style={{ color: "#6b7280", marginBottom: "1.5rem", fontSize: 14 }}>
           Sign in to continue
         </p>
-        <button
-          onClick={handleLogin}
-          disabled={isLoading}
-          style={{
-            padding: "0.6rem 1.5rem",
-            borderRadius: 6,
-            border: "none",
-            background: "#4f8a6f",
-            color: "#fff",
-            fontWeight: 600,
-            fontSize: 14,
-            cursor: isLoading ? "wait" : "pointer",
-            opacity: isLoading ? 0.7 : 1,
-          }}
-        >
-          {isLoading ? "Redirecting…" : "Sign in with SSO"}
-        </button>
+        {isGoogle && (
+          <button
+            onClick={() => handleSocialLogin("google")}
+            disabled={isLoading}
+            style={{
+              display: "flex",
+              alignItems: "center",
+              justifyContent: "center",
+              gap: 8,
+              width: "100%",
+              padding: "0.6rem 1.5rem",
+              borderRadius: 6,
+              border: "1px solid #e2e8f0",
+              background: "#fff",
+              color: "#1a202c",
+              fontWeight: 600,
+              fontSize: 14,
+              cursor: isLoading ? "wait" : "pointer",
+              opacity: isLoading ? 0.7 : 1,
+              marginBottom: "0.5rem",
+            }}
+          >
+            <svg width="18" height="18" viewBox="0 0 24 24">
+              <path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"/>
+              <path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"/>
+              <path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"/>
+              <path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"/>
+            </svg>
+            Sign in with Google
+          </button>
+        )}
+        {isGitHub && (
+          <button
+            onClick={() => handleSocialLogin("github")}
+            disabled={isLoading}
+            style={{
+              display: "flex",
+              alignItems: "center",
+              justifyContent: "center",
+              gap: 8,
+              width: "100%",
+              padding: "0.6rem 1.5rem",
+              borderRadius: 6,
+              border: "1px solid #e2e8f0",
+              background: "#24292f",
+              color: "#fff",
+              fontWeight: 600,
+              fontSize: 14,
+              cursor: isLoading ? "wait" : "pointer",
+              opacity: isLoading ? 0.7 : 1,
+              marginBottom: isAuthentik ? "0.5rem" : 0,
+            }}
+          >
+            <svg width="18" height="18" viewBox="0 0 24 24" fill="#fff">
+              <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"/>
+            </svg>
+            Sign in with GitHub
+          </button>
+        )}
+        {isAuthentik && (
+          <button
+            onClick={() => handleSocialLogin("authentik")}
+            disabled={isLoading}
+            style={{
+              display: "flex",
+              alignItems: "center",
+              justifyContent: "center",
+              gap: 8,
+              width: "100%",
+              padding: "0.6rem 1.5rem",
+              borderRadius: 6,
+              border: "none",
+              background: "#4f8a6f",
+              color: "#fff",
+              fontWeight: 600,
+              fontSize: 14,
+              cursor: isLoading ? "wait" : "pointer",
+              opacity: isLoading ? 0.7 : 1,
+            }}
+          >
+            {isLoading ? "Redirecting…" : "Sign in with SSO"}
+          </button>
+        )}
       </div>
     </div>
   );

docs/seed-strategy.md

@@ -1,93 +0,0 @@
-# Seed Strategy Runbook
-
-This document describes the GroomBook seeding system across environments.
-
-## Environment Profiles
-
-| Profile | Staff | Clients | Invoices | Appointment Window | Auth |
-|---------|-------|---------|----------|-------------------|------|
-| `dev`   | 4 (1 manager, 1 receptionist, 2 groomers) | ~100 | ~1,000 | 7 days back / 30 days forward | Disabled |
-| `uat`   | 8 (1 manager, 1 receptionist, 3 groomers, 3 bathers) | ~500 | ~4,000 | 30 days back / 90 days forward | Enabled |
-| `demo`  | 8 (1 manager, 1 receptionist, 3 groomers, 3 bathers) | ~500 | ~4,000 | 30 days back / 90 days forward | Enabled, OOBE enabled |
-
-## Seed Script Environment Variables
-
-| Variable | Values | Effect |
-|----------|--------|--------|
-| `SEED_PROFILE` | `dev`, `uat`, `demo` | Selects data volume profile (see above). Defaults to `uat` if unset. |
-| `SEED_KNOWN_USERS_ONLY` | `true` | Minimal prod/demo seed with demo users only. Overrides `SEED_PROFILE`. |
-| `SEED_ADMIN_EMAIL` | email address | Creates an admin staff account with the given email. |
-| `SEED_ADMIN_NAME` | name | Display name for admin account. Defaults to "Admin". |
-
-## Re-seeding Environments
-
-### Dev
-
-```bash
-# Run seed job manually
-kubectl -n groombook-dev exec -it deploy/groombook-api -- \
-  sh -c 'DATABASE_URL=$DATABASE_URL SEED_PROFILE=dev npm run db:seed'
-```
-
-Dev uses `AUTH_DISABLED=true` and accepts the `X-Dev-User-Id` header for staff impersonation.
-
-### UAT
-
-```bash
-# Run seed job manually
-kubectl -n groombook-uat exec -it deploy/groombook-api -- \
-  sh -c 'DATABASE_URL=$DATABASE_URL SEED_PROFILE=uat npm run db:seed'
-```
-
-UAT uses Authentik OIDC. See Authentik UAT Personas below.
-
-### Demo (Production-like)
-
-Demo uses the same data volume as UAT but with `SEED_KNOWN_USERS_ONLY=true` or is provisioned via the standard seed with OOBE enabled.
-
-```bash
-# Trigger seed CronJob
-kubectl -n groombook cronjob trigger seed-job --latest
-```
-
-## Authentik UAT User Personas
-
-Credentials are stored in sealed secrets — never use plaintext values.
-
-| Persona | Email | Role | Access Level |
-|---------|-------|------|--------------|
-| UAT Super User | `uat-super@groombook.dev` | Super User | Full admin access |
-| UAT Staff | `uat-staff@groombook.dev` | Staff | Standard staff operations |
-| UAT Customer | `uat-customer@groombook.dev` | Customer | Customer portal access |
-
-Sealed secret: `authentik-credentials` in `groombook-uat` namespace.
-
-## OOBE (Out-of-Box Experience) Flag
-
-The OOBE flag controls first-run setup flow in Demo/Production environments.
-
-- **Demo/Production**: OOBE is enabled, users see setup wizard on first login
-- **Dev/UAT**: OOBE is disabled, full access granted immediately
-
-When `SEED_KNOWN_USERS_ONLY=true`, the demo users are created but OOBE state must be initialized separately.
-
-## Dev-Mode Access
-
-Dev environment disables authentication for local development convenience.
-
-```bash
-AUTH_DISABLED=true
-```
-
-To impersonate a specific staff user, use the `X-Dev-User-Id` header:
-
-```bash
-curl -H "X-Dev-User-Id: <staff-id>" http://localhost:3000/api/...
-```
-
-## Seed Idempotency
-
-The seed script is idempotent and deterministic:
-- Same `SEED_PROFILE` produces identical data with same IDs
-- Re-running seed updates existing records rather than creating duplicates
-- Appointments, invoices, and visit logs are truncated before each seed to ensure clean state

packages/db/src/seed.ts

@@ -1,20 +1,19 @@
 /**
  * Seed script — generates deterministic, PII-free test data for Groom Book.
  *
- * Supports three profiles via SEED_PROFILE env var:
- *  - dev:   4 staff, 100 clients, ~1000 invoices, appointments 7d back / 30d forward
- *  - uat:   8 staff, 500 clients, ~4000 invoices, appointments 30d back / 90d forward
- *  - demo:  Same data volume as UAT (for production-like demo environments)
- *
- * Default (SEED_PROFILE unset): UAT-like behavior for backwards compatibility.
- *
- * SEED_KNOWN_USERS_ONLY=true: Minimal prod/demo seed with demo users only.
+ * Creates:
+ *  - 1 manager + 1 receptionist + 3 groomers + 3 bathers (8 staff total)
+ *  - 10 services
+ *  - 500 clients, each with 1-3 dogs
+ *  - ~2 500 appointments spread across the past 12 months
+ *  - Invoices for completed appointments with line items and tip splits
+ *  - Grooming visit logs for completed appointments
  *
  * Output is fully deterministic: the same seed value always produces the
  * same rows with the same IDs.
  *
  * Usage:
- *   DATABASE_URL=postgres://... SEED_PROFILE=dev npx tsx packages/db/src/seed.ts
+ *   DATABASE_URL=postgres://... npx tsx packages/db/src/seed.ts
  */
 
 import postgres from "postgres";
@@ -22,6 +21,54 @@ import { drizzle } from "drizzle-orm/postgres-js";
 import { eq, sql } from "drizzle-orm";
 import * as schema from "./schema.js";
 
+// ── Seed profile configuration ─────────────────────────────────────────────
+
+type SeedProfile = "dev" | "uat" | "demo";
+
+interface ProfileConfig {
+  staffCount: { manager: number; receptionist: number; groomer: number; bather: number };
+  clientCount: number;
+  appointmentsBackDays: number;
+  appointmentsForwardDays: number;
+  invoiceCount: number;
+  includeUatClients: boolean;
+}
+
+const profiles: Record<SeedProfile, ProfileConfig> = {
+  dev: {
+    staffCount: { manager: 1, receptionist: 1, groomer: 2, bather: 0 },
+    clientCount: 100,
+    appointmentsBackDays: 7,
+    appointmentsForwardDays: 30,
+    invoiceCount: 1000,
+    includeUatClients: false,
+  },
+  uat: {
+    staffCount: { manager: 1, receptionist: 1, groomer: 3, bather: 3 },
+    clientCount: 500,
+    appointmentsBackDays: 30,
+    appointmentsForwardDays: 90,
+    invoiceCount: 4000,
+    includeUatClients: true,
+  },
+  demo: {
+    staffCount: { manager: 1, receptionist: 1, groomer: 3, bather: 3 },
+    clientCount: 500,
+    appointmentsBackDays: 30,
+    appointmentsForwardDays: 90,
+    invoiceCount: 4000,
+    includeUatClients: true,
+  },
+};
+
+function getProfile(): SeedProfile {
+  const raw = process.env.SEED_PROFILE?.toLowerCase();
+  if (raw === "dev" || raw === "uat" || raw === "demo") {
+    return raw;
+  }
+  return "uat";
+}
+
 // ── Deterministic PRNG (Mulberry32) ──────────────────────────────────────────
 
 /**
@@ -40,50 +87,6 @@ function createPrng(seed: number): () => number {
 
 const rand = createPrng(42);
 
-// ── Seed profile configuration ───────────────────────────────────────────────
-
-type SeedProfile = "dev" | "uat" | "demo";
-
-interface ProfileConfig {
-  staff: {
-    manager: number;
-    receptionist: number;
-    groomer: number;
-    bather: number;
-  };
-  clients: number;
-  appointments: {
-    daysBack: number;
-    daysForward: number;
-  };
-  targetInvoices: number;
-}
-
-function getProfileConfig(profile: SeedProfile | undefined): ProfileConfig {
-  const profiles: Record<SeedProfile, ProfileConfig> = {
-    dev: {
-      staff: { manager: 1, receptionist: 1, groomer: 2, bather: 0 },
-      clients: 100,
-      appointments: { daysBack: 7, daysForward: 30 },
-      targetInvoices: 1000,
-    },
-    uat: {
-      staff: { manager: 1, receptionist: 1, groomer: 3, bather: 3 },
-      clients: 500,
-      appointments: { daysBack: 30, daysForward: 90 },
-      targetInvoices: 4000,
-    },
-    demo: {
-      staff: { manager: 1, receptionist: 1, groomer: 3, bather: 3 },
-      clients: 500,
-      appointments: { daysBack: 30, daysForward: 90 },
-      targetInvoices: 4000,
-    },
-  };
-  if (!profile || profile === "uat") return profiles.uat;
-  return profiles[profile] ?? profiles.uat;
-}
-
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
 /** Return a random element from an array using the seeded PRNG. */
@@ -512,61 +515,32 @@ async function seed() {
     process.exit(1);
   }
 
-  // Lean prod/demo seed — known users only, no large dataset
   if (process.env.SEED_KNOWN_USERS_ONLY === "true") {
     await seedKnownUsers();
     return;
   }
 
-  const rawProfile = process.env.SEED_PROFILE?.toLowerCase();
-  const profile: SeedProfile | undefined = (rawProfile === "dev" || rawProfile === "uat" || rawProfile === "demo")
-    ? rawProfile
-    : undefined;
-  const config = getProfileConfig(profile);
-
+  const profile = getProfile();
+  const cfg = profiles[profile];
   const client = postgres(url, { max: 5 });
   const db = drizzle(client, { schema });
 
-  const profileLabel = profile ? ` (${profile})` : "";
-  console.log(`Seeding Groom Book database${profileLabel}...\n`);
+  console.log(`Seeding Groom Book database (profile: ${profile})...\n`);
 
   // ── Staff ──
-  // Deterministic staff IDs so they can be referenced in scripts/tests
-  const staffNames = [
-    { name: "Jordan Lee", email: "jordan@groombook.dev" },
-    { name: "Sam Rivera", email: "sam@groombook.dev" },
-    { name: "Sarah Mitchell", email: "sarah@groombook.dev" },
-    { name: "James Park", email: "james@groombook.dev" },
-    { name: "Maria Gonzalez", email: "maria@groombook.dev" },
-    { name: "Tyler Johnson", email: "tyler@groombook.dev" },
-    { name: "Ashley Chen", email: "ashley@groombook.dev" },
-    { name: "Devon Williams", email: "devon@groombook.dev" },
-  ];
-
-  const managerStaff = staffNames.slice(0, config.staff.manager).map(
-    (s) => ({ id: uuid(), name: s.name, email: s.email, role: "manager" as const, isSuperUser: false }),
+  const managerStaff = Array.from({ length: cfg.staffCount.manager }, (_, i) =>
+    ({ id: uuid(), name: `Manager ${i + 1}`, email: `manager${i + 1}@groombook.dev`, role: "manager" as const, isSuperUser: false })
+  );
+  const receptionistStaff = Array.from({ length: cfg.staffCount.receptionist }, (_, i) =>
+    ({ id: uuid(), name: `Receptionist ${i + 1}`, email: `receptionist${i + 1}@groombook.dev`, role: "receptionist" as const, isSuperUser: false })
+  );
+  const groomers = Array.from({ length: cfg.staffCount.groomer }, (_, i) =>
+    ({ id: uuid(), name: `Groomer ${i + 1}`, email: `groomer${i + 1}@groombook.dev`, role: "groomer" as const, isSuperUser: false })
+  );
+  const bathers = Array.from({ length: cfg.staffCount.bather }, (_, i) =>
+    ({ id: uuid(), name: `Bather ${i + 1}`, email: `bather${i + 1}@groombook.dev`, role: "groomer" as const, isSuperUser: false })
   );
 
-  const receptionistStaff = staffNames.slice(config.staff.manager, config.staff.manager + config.staff.receptionist).map(
-    (s) => ({ id: uuid(), name: s.name, email: s.email, role: "receptionist" as const, isSuperUser: false }),
-  );
-
-  const groomers = staffNames.slice(config.staff.manager + config.staff.receptionist, config.staff.manager + config.staff.receptionist + config.staff.groomer).map(
-    (s) => ({ id: uuid(), name: s.name, email: s.email, role: "groomer" as const, isSuperUser: false }),
-  );
-
-  // Bathers are groomers by role but serve as the secondary staff (bather) on appointments
-  const bathers = staffNames.slice(config.staff.manager + config.staff.receptionist + config.staff.groomer, config.staff.manager + config.staff.receptionist + config.staff.groomer + config.staff.bather).map(
-    (s) => ({ id: uuid(), name: s.name, email: s.email, role: "groomer" as const, isSuperUser: false }),
-  );
-
-  const totalStaff = config.staff.manager + config.staff.receptionist + config.staff.groomer + config.staff.bather;
-  console.log(`✓ Creating ${totalStaff} staff (${config.staff.manager} manager, ${config.staff.receptionist} receptionist, ${config.staff.groomer} groomers, ${config.staff.bather} bathers)`);
-
-  // Truncate downstream tables before staff upsert — clears stale impersonation
-  // sessions from prior seed runs so the FK constraint on staff_id is never
-  // violated when ON CONFLICT DO UPDATE touches staff rows that still have
-  // impersonation_sessions references.
   await db.execute(sql`TRUNCATE impersonation_sessions, impersonation_audit_logs, appointments, invoices, invoice_line_items, invoice_tip_splits, grooming_visit_logs CASCADE`);
 
   const allStaff = [...managerStaff, ...receptionistStaff, ...groomers, ...bathers];
@@ -585,6 +559,10 @@ async function seed() {
         set: { id: s.id, name: s.name, role: s.role, isSuperUser: s.isSuperUser, active: true },
       });
   }
+  const staffLabel = cfg.staffCount.bather > 0
+    ? `${allStaff.length} staff (${cfg.staffCount.manager} manager, ${cfg.staffCount.receptionist} receptionist, ${cfg.staffCount.groomer} groomers, ${cfg.staffCount.bather} bathers)`
+    : `${allStaff.length} staff (${cfg.staffCount.manager} manager, ${cfg.staffCount.receptionist} receptionist, ${cfg.staffCount.groomer} groomers)`;
+  console.log(`✓ Created ${staffLabel}`);
 
   // ── SEED_ADMIN_EMAIL admin ──
   const adminEmail = process.env.SEED_ADMIN_EMAIL;
@@ -632,10 +610,10 @@ async function seed() {
 
   // ── Clients & Pets ──
   const now = new Date();
-  const appointmentsBack = new Date(now);
-  appointmentsBack.setDate(appointmentsBack.getDate() - config.appointments.daysBack);
-  const appointmentsForward = new Date(now);
-  appointmentsForward.setDate(appointmentsForward.getDate() + config.appointments.daysForward);
+  const appointmentsBackDate = new Date(now);
+  appointmentsBackDate.setDate(appointmentsBackDate.getDate() - cfg.appointmentsBackDays);
+  const appointmentsForwardDate = new Date(now);
+  appointmentsForwardDate.setDate(appointmentsForwardDate.getDate() + cfg.appointmentsForwardDays);
 
   interface ClientRecord { id: string; name: string }
   interface PetRecord { id: string; clientId: string }
@@ -643,9 +621,8 @@ async function seed() {
   const clientRecords: ClientRecord[] = [];
   const petRecords: PetRecord[] = [];
 
-  // Batch insert clients and pets
   const clientBatchSize = 50;
-  for (let batch = 0; batch < Math.ceil(config.clients / clientBatchSize); batch++) {
+  for (let batch = 0; batch < Math.ceil(cfg.clientCount / clientBatchSize); batch++) {
     const clientBatch: (typeof schema.clients.$inferInsert)[] = [];
     const petBatch: (typeof schema.pets.$inferInsert)[] = [];
 
@@ -732,22 +709,23 @@ async function seed() {
     }
   }
 
-  console.log(`✓ Created ${config.clients} clients with ${petRecords.length} pets`);
+  console.log(`✓ Created ${cfg.clientCount} clients with ${petRecords.length} pets`);
 
   // ── UAT test clients (guaranteed pending invoices) ─────────────────────────────
   // These 5 clients are deterministic and documented in Shedward AGENTS.md so
   // UAT can reliably find billing test data without searching.
-  interface UatClient {
-    id: string;
-    name: string;
-    email: string;
-    phone: string;
-    address: string;
-    petId: string;
-    petName: string;
-    petBreed: string;
-  }
-  const uatClients: UatClient[] = [
+  if (cfg.includeUatClients) {
+    interface UatClient {
+      id: string;
+      name: string;
+      email: string;
+      phone: string;
+      address: string;
+      petId: string;
+      petName: string;
+      petBreed: string;
+    }
+    const uatClients: UatClient[] = [
     { id: uuid(), name: "UAT Test Alpha", email: "uat-alpha@groombook.dev", phone: "(555) 100-0001", address: "100 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestBuddy", petBreed: "Golden Retriever" },
     { id: uuid(), name: "UAT Test Bravo", email: "uat-bravo@groombook.dev", phone: "(555) 100-0002", address: "200 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestMax", petBreed: "Labrador Retriever" },
     { id: uuid(), name: "UAT Test Charlie", email: "uat-charlie@groombook.dev", phone: "(555) 100-0003", address: "300 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestCooper", petBreed: "Poodle" },
@@ -766,12 +744,14 @@ async function seed() {
     const apptId = uuid();
     const svcIdx = 0;
     const svc = servicesDef[svcIdx]!;
-    const completedTime = randDate(appointmentsBack, now);
+    const completedTime = randDate(appointmentsBackDate, now);
     completedTime.setHours(randInt(8, 16), pick([0, 15, 30, 45]), 0, 0);
     const endTime = new Date(completedTime.getTime() + svc.dur * 60 * 1000);
+    const uatGroomer = groomers[0]!;
+    const uatBather = bathers.length > 0 ? bathers[0]! : uatGroomer;
     await db.insert(schema.appointments).values({
-      id: apptId, clientId: uc.id, petId: uc.petId, serviceId: serviceIds[svcIdx]!, staffId: groomers[0]!.id,
-      batherStaffId: bathers[0]!.id, status: "completed" as const, startTime: completedTime, endTime, notes: null, priceCents: svc.price,
+      id: apptId, clientId: uc.id, petId: uc.petId, serviceId: serviceIds[svcIdx]!, staffId: uatGroomer.id,
+      batherStaffId: uatBather.id, status: "completed" as const, startTime: completedTime, endTime, notes: null, priceCents: svc.price,
     });
     // Create a PENDING invoice for that appointment
     const invoiceId = uuid();
@@ -789,17 +769,12 @@ async function seed() {
       id: uuid(), petId: uc.petId, appointmentId: apptId, staffId: groomers[0]!.id,
       cutStyle: null, productsUsed: null, notes: null, groomedAt: endTime,
     });
+    }
+    console.log(`✓ Created ${uatClients.length} UAT test clients with guaranteed pending invoices`);
   }
-  console.log(`✓ Created ${uatClients.length} UAT test clients with guaranteed pending invoices`);
 
   // ── Appointments, Invoices, Visit Logs ──
-  // Calculate visit count to achieve targetInvoices based on ~65% completion rate
-  const completedRatio = 0.65;
-  const totalVisitsNeeded = Math.ceil(config.targetInvoices / completedRatio);
-  const avgVisitsPerClient = Math.ceil(totalVisitsNeeded / clientRecords.length);
-  const visitCountMin = Math.max(1, Math.floor(avgVisitsPerClient * 0.7));
-  const visitCountMax = Math.max(visitCountMin + 1, Math.ceil(avgVisitsPerClient * 1.3));
-
+  // Generate ~5 appointments per client on average = ~2500 total
   const statuses: (typeof schema.appointmentStatusEnum.enumValues)[number][] = [
     "completed", "completed", "completed", "completed", "completed",
     "completed", "completed", "scheduled", "confirmed", "cancelled", "no_show",
@@ -850,7 +825,8 @@ async function seed() {
 
   for (const client of clientRecords) {
     const pets = petsByClient.get(client.id) ?? [];
-    const visitCount = randInt(visitCountMin, visitCountMax);
+    // Each client visits ~3-8 times over the year
+    const visitCount = randInt(3, 8);
 
     for (let v = 0; v < visitCount; v++) {
       // Pick a random pet for this visit
@@ -859,15 +835,15 @@ async function seed() {
       const serviceId = serviceIds[serviceIdx]!;
       const svc = servicesDef[serviceIdx]!;
       const groomer = pick(groomers);
-      const bather = rand() < 0.6 && bathers.length > 0 ? pick(bathers) : null;
+      const bather = rand() < 0.6 ? pick(bathers) : null;
       const status = pick(statuses);
 
       // Schedule within the configured appointment window
       let startTime: Date;
       if (status === "scheduled" || status === "confirmed") {
-        startTime = randDate(now, appointmentsForward);
+        startTime = randDate(now, appointmentsForwardDate);
       } else {
-        startTime = randDate(appointmentsBack, now);
+        startTime = randDate(appointmentsBackDate, now);
       }
       // Snap to business hours (8am - 5pm)
       startTime.setHours(randInt(8, 16), pick([0, 15, 30, 45]), 0, 0);
@@ -971,6 +947,93 @@ async function seed() {
 
   console.log(`✓ Created ${appointmentCount} appointments`);
   console.log(`✓ Created ${invoiceCount} invoices with line items and tip splits`);
+
+  // ── Enforce target invoice count ───────────────────────────────────────────
+  // If current invoice count is below target (due to profile having fewer
+  // clients/appointments than the target ratio), generate supplemental
+  // completed appointments for existing clients to fill the gap.
+  if (invoiceCount < cfg.invoiceCount) {
+    const additionalNeeded = cfg.invoiceCount - invoiceCount;
+    console.log(`  → Generating ${additionalNeeded} supplemental completed appointments to meet profile target...`);
+
+    const existingClientIds = clientRecords.map(c => c.id);
+    const apptsToGenerate = Math.min(additionalNeeded, existingClientIds.length * 20);
+    let supplementalCount = 0;
+    let supplementalInvoices = 0;
+
+    for (let i = 0; i < apptsToGenerate && supplementalInvoices < additionalNeeded; i++) {
+      const clientId = pick(existingClientIds);
+      const pets = petsByClient.get(clientId) ?? [];
+      if (pets.length === 0) continue;
+
+      const petId = pick(pets);
+      const serviceIdx = randInt(0, serviceIds.length - 1);
+      const serviceId = serviceIds[serviceIdx]!;
+      const svc = servicesDef[serviceIdx]!;
+      const groomer = pick(groomers);
+      const bather = bathers.length > 0 && rand() < 0.6 ? pick(bathers) : null;
+
+      let startTime = randDate(appointmentsBackDate, now);
+      startTime.setHours(randInt(8, 16), pick([0, 15, 30, 45]), 0, 0);
+      const endTime = new Date(startTime.getTime() + svc.dur * 60 * 1000);
+      const effectivePrice = svc.price;
+
+      const apptId = uuid();
+      apptBatch.push({
+        id: apptId, clientId, petId, serviceId,
+        staffId: groomer.id, batherStaffId: bather?.id ?? null,
+        status: "completed", startTime, endTime, notes: null, priceCents: null,
+      });
+      appointmentCount++;
+      supplementalCount++;
+
+      const invoiceId = uuid();
+      const tipCents = rand() < 0.7 ? randInt(200, 3000) : 0;
+      const taxCents = Math.round(effectivePrice * 0.08);
+      const totalCents = effectivePrice + taxCents + tipCents;
+      const paidAt = new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000);
+
+      invoiceBatch.push({
+        id: invoiceId, appointmentId: apptId, clientId,
+        subtotalCents: effectivePrice, taxCents, tipCents, totalCents,
+        status: "paid" as const,
+        paymentMethod: pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check",
+        paidAt, notes: null,
+      });
+      lineItemBatch.push({
+        id: uuid(), invoiceId, description: svc.name, quantity: 1,
+        unitPriceCents: effectivePrice, totalCents: effectivePrice,
+      });
+      if (tipCents > 0) {
+        if (bather) {
+          const groomerShare = Math.round(tipCents * 0.6);
+          const batherShare = tipCents - groomerShare;
+          tipSplitBatch.push(
+            { id: uuid(), invoiceId, staffId: groomer.id, staffName: groomer.name, sharePct: "60.00", shareCents: groomerShare },
+            { id: uuid(), invoiceId, staffId: bather.id, staffName: bather.name, sharePct: "40.00", shareCents: batherShare },
+          );
+        } else {
+          tipSplitBatch.push({ id: uuid(), invoiceId, staffId: groomer.id, staffName: groomer.name, sharePct: "100.00", shareCents: tipCents });
+        }
+      }
+      visitLogBatch.push({
+        id: uuid(), petId, appointmentId: apptId, staffId: groomer.id,
+        cutStyle: pick(cutStyles), productsUsed: pick(productsUsed),
+        notes: pick(visitLogNotes), groomedAt: endTime,
+      });
+      invoiceCount++;
+      supplementalInvoices++;
+      visitLogCount++;
+
+      if (apptBatch.length >= apptBatchSize) {
+        await flushBatches();
+      }
+    }
+
+    await flushBatches();
+    console.log(`  → Added ${supplementalCount} supplemental appointments (${supplementalInvoices} invoices)`);
+    console.log(`✓ Created ${invoiceCount} invoices with line items and tip splits`);
+  }
   console.log(`✓ Created ${visitLogCount} grooming visit logs`);
   console.log("\nSeed complete!");