fix(stripe-webhooks): validate invoice IDs as UUIDs before DB lookup

fix(services): cap durationMinutes at 480 (8 hours max)
fix(appointments): cap recurrence series at 1 year max
2026-04-15 04:08:39 +00:00 · 2026-04-15 04:08:39 +00:00 · 2026-04-15 04:08:39 +00:00 · 2026-04-15 04:08:39 +00:00 · 2026-04-15 04:08:34 +00:00 · 2026-04-15 02:08:54 +00:00
43 changed files with 1533 additions and 254 deletions
@@ -7,3 +7,5 @@ apps/web/dist
 apps/api/dist
 packages/db/dist
 packages/types/dist
+.turbo
+screenshots/
@@ -11,6 +11,12 @@ AUTH_DISABLED=false
 OIDC_ISSUER=https://authentik.example.com
 OIDC_AUDIENCE=groombook

+# ── Setup Wizard ─────────────────────────────────────────────────────────────
+# When SKIP_OOBE=true, the setup wizard is bypassed regardless of whether a
+# super user exists in the database. Useful in dev/test environments where the
+# database has data but the setup wizard would otherwise block access.
+SKIP_OOBE=false
+
 # ── API ───────────────────────────────────────────────────────────────────────
 PORT=3000
 CORS_ORIGIN=http://localhost:8080
@@ -20,6 +20,8 @@ jobs:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
@@ -42,6 +44,8 @@ jobs:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
@@ -62,6 +66,8 @@ jobs:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
@@ -101,6 +107,8 @@ jobs:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
@@ -238,7 +246,6 @@ jobs:
          echo "Deploying images tagged $TAG to groombook-dev..."

          # Run migration with PR image
-          kubectl delete job migrate-schema -n groombook-dev --ignore-not-found
          kubectl delete job "migrate-pr-$PR_NUM" -n groombook-dev --ignore-not-found
          cat <<EOF | kubectl apply -n groombook-dev -f -
          apiVersion: batch/v1
@@ -303,6 +310,8 @@ jobs:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
+        with:
+          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
@@ -409,11 +418,17 @@ jobs:

          git push -u origin "chore/update-image-tags-${TAG}"

-          # Create PR and merge immediately (no required checks on groombook/infra)
-          PR_URL=$(gh pr create \
-            --repo groombook/infra \
-            --base main \
-            --head "chore/update-image-tags-${TAG}" \
-            --title "chore: deploy ${TAG} to dev" \
-            --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
-          gh pr merge "$PR_URL" --merge
+          # Check if PR already exists for this branch
+          EXISTING_PR=$(gh pr list --repo groombook/infra --head "chore/update-image-tags-${TAG}" --state open --json number -q '.[0].number' || true)
+          if [ -n "$EXISTING_PR" ]; then
+            echo "PR #$EXISTING_PR already exists for this tag, merging existing PR"
+            gh pr merge "$EXISTING_PR" --repo groombook/infra --merge
+          else
+            PR_URL=$(gh pr create \
+              --repo groombook/infra \
+              --base main \
+              --head "chore/update-image-tags-${TAG}" \
+              --title "chore: deploy ${TAG} to dev" \
+              --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
+            gh pr merge "$PR_URL" --merge
+          fi
@@ -14,7 +14,29 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
+      packages: read
    steps:
+      - name: Validate tag format
+        run: |
+          TAG="${{ inputs.tag }}"
+          if ! echo "$TAG" | grep -qE '^[0-9]{4}\.[0-9]{2}\.[0-9]{2}-[a-f0-9]{7}$'; then
+            echo "::error::Invalid tag format: '$TAG'. Expected format: YYYY.MM.DD-sha7 (e.g. 2026.03.28-f1b85bf)"
+            exit 1
+          fi
+          echo "Tag format valid: $TAG"
+
+      - name: Verify image exists in GHCR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${{ inputs.tag }}"
+          # Check that the API image exists — if API was pushed, web/migrate were too
+          if ! gh api "/orgs/groombook/packages/container/api/versions" --jq ".[].metadata.container.tags[]" 2>/dev/null | grep -qF "$TAG"; then
+            echo "::error::Image ghcr.io/groombook/api:$TAG not found in GHCR. Verify the tag was built and pushed."
+            exit 1
+          fi
+          echo "Image verified: ghcr.io/groombook/api:$TAG exists"
+
      - name: Generate infra repo token
        id: infra-token
        uses: tibdex/github-app-token@v2
@@ -12,6 +12,7 @@ RUN pnpm install --frozen-lockfile

 # Build
 FROM deps AS builder
+RUN mkdir -p /home/node/.cache/node/corepack
 COPY packages/ packages/
 COPY apps/api/ apps/api/
 RUN pnpm --filter @groombook/types build && \
@@ -34,6 +35,9 @@ COPY --from=builder /app/packages/types/dist packages/types/dist
 RUN pnpm install --frozen-lockfile --prod

 EXPOSE 3000
+RUN apk add --no-cache curl
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD curl -f http://localhost:3000/health || exit 1
 CMD ["node", "apps/api/dist/index.js"]

 # Migrate stage — runs drizzle-kit migrate against the database
@@ -46,4 +50,4 @@ CMD ["pnpm", "db:seed"]

 # Reset stage — drops all tables, re-runs migrations, and re-seeds
 FROM builder AS reset
-CMD ["pnpm", "db:reset"]
+CMD ["pnpm", "db:reset"]
@@ -22,6 +22,8 @@
    "hono": "^4.6.17",
    "node-cron": "^3.0.3",
    "nodemailer": "^6.9.16",
+    "stripe": "^22.0.0",
+
    "zod": "^4.3.6"
  },
  "devDependencies": {
@@ -418,6 +418,48 @@ describe("GET /setup/status — OOBE bootstrap logic", () => {
    expect(body.showAuthProviderStep).toBe(false); // DB config already exists
    expect(body.authConfigExists).toBe(true);
  });
+
+  it("SKIP_OOBE=true bypasses setup check regardless of DB state", async () => {
+    dbStaffRows = []; // no super user
+    dbAuthConfigRows = [];
+    process.env.SKIP_OOBE = "true";
+
+    const app = makeApp();
+    const { status, body } = await getStatus(app);
+
+    expect(status).toBe(200);
+    expect(body.needsSetup).toBe(false);
+    expect(body.showAuthProviderStep).toBe(false);
+    expect(body.authConfigExists).toBe(false);
+    expect(body.authEnvVarsSet).toBe(false);
+    expect(body.skipped).toBe(true);
+  });
+
+  it("SKIP_OOBE=1 also bypasses setup check", async () => {
+    dbStaffRows = [];
+    dbAuthConfigRows = [];
+    process.env.SKIP_OOBE = "1";
+
+    const app = makeApp();
+    const { status, body } = await getStatus(app);
+
+    expect(status).toBe(200);
+    expect(body.needsSetup).toBe(false);
+    expect(body.skipped).toBe(true);
+  });
+
+  it("SKIP_OOBE=yes also bypasses setup check", async () => {
+    dbStaffRows = [];
+    dbAuthConfigRows = [];
+    process.env.SKIP_OOBE = "yes";
+
+    const app = makeApp();
+    const { status, body } = await getStatus(app);
+
+    expect(status).toBe(200);
+    expect(body.needsSetup).toBe(false);
+    expect(body.skipped).toBe(true);
+  });
 });

 describe("POST /setup/auth-provider — OOBE bootstrap", () => {
@@ -28,6 +28,7 @@ import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSup
 import { devRouter } from "./routes/dev.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
+import { webhooksRouter } from "./routes/stripe-webhooks.js";

 const app = new Hono();

@@ -50,6 +51,9 @@ app.route("/api/book", bookRouter);
 // Public portal routes — client-facing, authenticated via impersonation session header
 app.route("/api/portal", portalRouter);

+// Public Stripe webhook endpoint — signature-verified, no auth required
+app.route("/api/webhooks/stripe", webhooksRouter);
+
 // Dev/demo routes — config is always public, users endpoint is guarded internally
 app.route("/api/dev", devRouter);

@@ -105,7 +109,13 @@ api.use("*", resolveStaffMiddleware);
 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
 const authRouter = new Hono();
-authRouter.all("/*", (c) => getAuth().handler(c.req.raw));
+authRouter.all("/*", (c) => {
+  try {
+    return getAuth().handler(c.req.raw);
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+});
 api.route("/auth", authRouter);

 // ── Role guards ────────────────────────────────────────────────────────────────
@@ -177,9 +187,24 @@ api.route("/search", searchRouter);
 const port = Number(process.env.PORT ?? 3000);
 await initAuth();
 console.log(`API server listening on port ${port}`);
-serve({ fetch: app.fetch, port });
+const server = serve({ fetch: app.fetch, port });

 // Start background reminder scheduler (runs every minute to check for upcoming appointments)
 startReminderScheduler();

+function shutdown() {
+  console.log("Shutting down gracefully...");
+  server.close(() => {
+    console.log("HTTP server closed");
+    process.exit(0);
+  });
+  setTimeout(() => {
+    console.error("Forced shutdown after timeout");
+    process.exit(1);
+  }, 10_000);
+}
+
+process.on("SIGTERM", shutdown);
+process.on("SIGINT", shutdown);
+
 export default app;
@@ -3,6 +3,7 @@ import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { genericOAuth } from "better-auth/plugins";
 import { getDb, authProviderConfig, eq } from "@groombook/db";
 import { decryptSecret } from "@groombook/db";
+import { sendEmail } from "../services/email.js";

 const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET;
 const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL ?? "http://localhost:3000";
@@ -90,6 +91,12 @@ export async function initAuth(): Promise<void> {
        database: drizzleAdapter(getDb(), { provider: "pg" }),
        secret: BETTER_AUTH_SECRET ?? "placeholder-secret-do-not-use-in-prod",
        baseURL: BETTER_AUTH_URL,
+        rateLimit: {
+          enabled: true,
+          max: 10,
+          window: 60,
+          storage: "memory",
+        },
        plugins: [
          genericOAuth({
            config: [
@@ -170,7 +177,51 @@ export async function initAuth(): Promise<void> {
    const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
    const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);

-    const callbackBase = `${BETTER_AUTH_URL}/api/auth/callback`;
+    // Fetch OIDC discovery document to derive canonical provider URLs.
+    // Replace the host of token/userinfo endpoints with internalBaseUrl when set,
+    // while keeping authorizationUrl public for browser redirects.
+    const discoveryUrlStr = `${providerConfig.issuerUrl}/.well-known/openid-configuration`;
+    let oidcConfig: Record<string, string> = {};
+    try {
+      const discoveryRes = await fetch(discoveryUrlStr);
+      if (discoveryRes.ok) {
+        const discovery = await discoveryRes.json() as {
+          authorization_endpoint?: string;
+          token_endpoint?: string;
+          userinfo_endpoint?: string;
+        };
+        const replaceHost = (url: string, newHost: string) => {
+          try {
+            const parsed = new URL(url);
+            const newParsed = new URL(newHost);
+            return `${newParsed.origin}${parsed.pathname}${parsed.search}`;
+          } catch {
+            return url;
+          }
+        };
+        const authzUrl = discovery.authorization_endpoint;
+        const tokenUrl = discovery.token_endpoint;
+        const userInfoUrl = discovery.userinfo_endpoint;
+        if (authzUrl && tokenUrl && userInfoUrl) {
+          oidcConfig = {
+            authorizationUrl: authzUrl,
+            tokenUrl: providerConfig.internalBaseUrl
+              ? replaceHost(tokenUrl, providerConfig.internalBaseUrl)
+              : tokenUrl,
+            userInfoUrl: providerConfig.internalBaseUrl
+              ? replaceHost(userInfoUrl, providerConfig.internalBaseUrl)
+              : userInfoUrl,
+          };
+          console.log("[auth] OIDC discovery successful, provider:", providerConfig.providerId);
+        } else {
+          console.warn("[auth] OIDC discovery missing required endpoints, using discoveryUrl only");
+        }
+      } else {
+        console.warn(`[auth] OIDC discovery failed (${discoveryRes.status}), using discoveryUrl only`);
+      }
+    } catch (err) {
+      console.warn(`[auth] OIDC discovery fetch failed: ${err}, using discoveryUrl only`);
+    }

    // Build Better-Auth instance using resolved config
    authInstance = betterAuth({
@@ -179,6 +230,28 @@ export async function initAuth(): Promise<void> {
      }),
      secret: BETTER_AUTH_SECRET,
      baseURL: BETTER_AUTH_URL,
+      rateLimit: {
+        enabled: true,
+        max: 10,
+        window: 60,
+        storage: "memory",
+      },
+      account: {
+        storeStateStrategy: "cookie" as const,
+      },
+      emailAndPassword: {
+        enabled: true,
+        emailVerification: {
+          sendVerificationEmail: async ({ user, url }: { user: { email: string }; url: string }) => {
+            await sendEmail({
+              to: user.email,
+              subject: "Verify your GroomBook email",
+              text: `Click the link to verify your email: ${url}`,
+              html: `<p>Click the link to verify your email:</p><a href="${url}">${url}</a>`,
+            });
+          },
+        },
+      },
      plugins: [
        genericOAuth({
          config: [
@@ -186,15 +259,8 @@ export async function initAuth(): Promise<void> {
              providerId: providerConfig.providerId,
              clientId: providerConfig.clientId,
              clientSecret: providerConfig.clientSecret,
-              ...(providerConfig.internalBaseUrl
-                ? {
-                    authorizationUrl: `${new URL(providerConfig.issuerUrl).origin}/application/o/authorize/`,
-                    tokenUrl: `${providerConfig.internalBaseUrl}/application/o/token/`,
-                    userInfoUrl: `${providerConfig.internalBaseUrl}/application/o/userinfo/`,
-                  }
-                : {
-                    discoveryUrl: `${providerConfig.issuerUrl}/.well-known/openid-configuration`,
-                  }),
+              discoveryUrl: discoveryUrlStr,
+              ...(Object.keys(oidcConfig).length > 0 ? oidcConfig : {}),
              scopes: providerConfig.scopes.split(" ").filter(Boolean),
            },
          ],
@@ -205,14 +271,12 @@ export async function initAuth(): Promise<void> {
          google: {
            clientId: process.env.GOOGLE_CLIENT_ID!,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/google`,
          },
        } : {}),
        ...(hasGitHub ? {
          github: {
            clientId: process.env.GITHUB_CLIENT_ID!,
            clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/github`,
          },
        } : {}),
      },
@@ -23,7 +23,6 @@ if (process.env.AUTH_DISABLED === "true") {
 }

 export const authMiddleware: MiddlewareHandler = async (c, next) => {
-  // Better-Auth's own routes handle their own auth (OAuth callbacks, session mgmt)
  if (c.req.path.startsWith("/api/auth/")) {
    await next();
    return;
@@ -37,7 +36,14 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
    return;
  }

-  const session = await getAuth().api.getSession({
+  let auth;
+  try {
+    auth = getAuth();
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+
+  const session = await auth.api.getSession({
    headers: c.req.raw.headers,
  });

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, isNull, staff } from "@groombook/db";
+import { eq, getDb, staff } from "@groombook/db";

 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -90,25 +90,6 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
    .from(staff)
    .where(eq(staff.oidcSub, jwt.sub));
  if (!fallbackRow) {
-    // Auto-link: staff record exists with matching email but no userId — link it now
-    if (jwt.email) {
-      const [linkedStaff] = await db
-        .select()
-        .from(staff)
-        .where(and(eq(staff.email, jwt.email), isNull(staff.userId)));
-      if (linkedStaff) {
-        await db
-          .update(staff)
-          .set({ userId: jwt.sub })
-          .where(eq(staff.id, linkedStaff.id));
-        console.log(
-          `[rbac] Auto-linked staff ${linkedStaff.id} to Better-Auth user ${jwt.sub} via email ${jwt.email}`
-        );
-        c.set("staff", linkedStaff);
-        await next();
-        return;
-      }
-    }
    return c.json(
      { error: "Forbidden: no staff record found for authenticated user" },
      403
@@ -16,8 +16,9 @@ import {
  services,
  staff,
 } from "@groombook/db";
+import type { AppEnv } from "../middleware/rbac.js";

-export const appointmentGroupsRouter = new Hono();
+export const appointmentGroupsRouter = new Hono<AppEnv>();

 // ─── Schemas ──────────────────────────────────────────────────────────────────

@@ -49,6 +50,8 @@ appointmentGroupsRouter.get("/", async (c) => {
  const clientId = c.req.query("clientId");
  const from = c.req.query("from");
  const to = c.req.query("to");
+  const staffRow = c.get("staff");
+  const isGroomer = staffRow?.role === "groomer";

  const groupConditions = clientId
    ? [eq(appointmentGroups.clientId, clientId)]
@@ -88,6 +91,16 @@ appointmentGroupsRouter.get("/", async (c) => {
    }))
    .filter((g) => !from || g.appointments.length > 0);

+  if (isGroomer) {
+    return c.json(
+      result.filter((g) =>
+        g.appointments.some(
+          (a) => a.staffId === staffRow.id || a.batherStaffId === staffRow.id
+        )
+      )
+    );
+  }
+
  return c.json(result);
 });

@@ -96,6 +109,8 @@ appointmentGroupsRouter.get("/", async (c) => {
 appointmentGroupsRouter.get("/:id", async (c) => {
  const db = getDb();
  const id = c.req.param("id");
+  const staffRow = c.get("staff");
+  const isGroomer = staffRow?.role === "groomer";

  const [group] = await db
    .select()
@@ -111,6 +126,7 @@ appointmentGroupsRouter.get("/:id", async (c) => {
      serviceId: appointments.serviceId,
      serviceName: services.name,
      staffId: appointments.staffId,
+      batherStaffId: appointments.batherStaffId,
      staffName: staff.name,
      status: appointments.status,
      startTime: appointments.startTime,
@@ -125,6 +141,15 @@ appointmentGroupsRouter.get("/:id", async (c) => {
    .where(eq(appointments.groupId, id))
    .orderBy(appointments.startTime);

+  if (
+    isGroomer &&
+    !groupAppts.some(
+      (a) => a.staffId === staffRow.id || a.batherStaffId === staffRow.id
+    )
+  ) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+
  const [client] = await db
    .select({ name: clients.name, email: clients.email })
    .from(clients)
@@ -140,6 +165,13 @@ appointmentGroupsRouter.post(
  zValidator("json", createGroupSchema),
  async (c) => {
    const db = getDb();
+    const staffRow = c.get("staff");
+    if (staffRow?.role === "groomer") {
+      return c.json(
+        { error: "Forbidden: groomers cannot create group bookings" },
+        403
+      );
+    }
    const body = c.req.valid("json");
    const startTime = new Date(body.startTime);

@@ -244,6 +276,28 @@ appointmentGroupsRouter.patch(
    const db = getDb();
    const id = c.req.param("id");
    const body = c.req.valid("json");
+    const staffRow = c.get("staff");
+    const isGroomer = staffRow?.role === "groomer";
+
+    const [group] = await db
+      .select({ id: appointmentGroups.id })
+      .from(appointmentGroups)
+      .where(eq(appointmentGroups.id, id));
+    if (!group) return c.json({ error: "Not found" }, 404);
+
+    if (isGroomer) {
+      const groupAppts = await db
+        .select({ staffId: appointments.staffId, batherStaffId: appointments.batherStaffId })
+        .from(appointments)
+        .where(eq(appointments.groupId, id));
+      if (
+        !groupAppts.some(
+          (a) => a.staffId === staffRow.id || a.batherStaffId === staffRow.id
+        )
+      ) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+    }

    const [updated] = await db
      .update(appointmentGroups)
@@ -261,6 +315,8 @@ appointmentGroupsRouter.patch(
 appointmentGroupsRouter.delete("/:id", async (c) => {
  const db = getDb();
  const id = c.req.param("id");
+  const staffRow = c.get("staff");
+  const isGroomer = staffRow?.role === "groomer";

  const [group] = await db
    .select({ id: appointmentGroups.id })
@@ -268,6 +324,20 @@ appointmentGroupsRouter.delete("/:id", async (c) => {
    .where(eq(appointmentGroups.id, id));
  if (!group) return c.json({ error: "Not found" }, 404);

+  if (isGroomer) {
+    const groupAppts = await db
+      .select({ staffId: appointments.staffId, batherStaffId: appointments.batherStaffId })
+      .from(appointments)
+      .where(eq(appointments.groupId, id));
+    if (
+      !groupAppts.some(
+        (a) => a.staffId === staffRow.id || a.batherStaffId === staffRow.id
+      )
+    ) {
+      return c.json({ error: "Forbidden" }, 403);
+    }
+  }
+
  await db
    .update(appointments)
    .set({ status: "cancelled", updatedAt: new Date() })
@@ -41,6 +41,10 @@ const createAppointmentSchema = z.object({
      frequencyWeeks: z.number().int().min(1).max(52),
      count: z.number().int().min(2).max(52),
    })
+    .refine(
+      (r) => r.frequencyWeeks * r.count <= 52,
+      { message: "Recurrence series must not exceed 1 year" }
+    )
    .optional(),
 });

@@ -163,6 +167,28 @@ appointmentsRouter.post(
          }
        }

+        if (apptFields.batherStaffId) {
+          const bathConflicts = await tx
+            .select({ id: appointments.id })
+            .from(appointments)
+            .where(
+              and(
+                or(
+                  eq(appointments.staffId, apptFields.batherStaffId),
+                  eq(appointments.batherStaffId, apptFields.batherStaffId)
+                ),
+                lt(appointments.startTime, end),
+                gte(appointments.endTime, start),
+                ne(appointments.status, "cancelled"),
+                ne(appointments.status, "no_show"),
+              )
+            )
+            .limit(1);
+          if (bathConflicts.length > 0) {
+            throw Object.assign(new Error("conflict"), { statusCode: 409 });
+          }
+        }
+
        if (!recurrence) {
          // Single appointment
          const [inserted] = await tx
@@ -398,7 +424,8 @@ appointmentsRouter.patch(
    const needsConflictCheck =
      updateFields.startTime !== undefined ||
      updateFields.endTime !== undefined ||
-      updateFields.staffId !== undefined;
+      updateFields.staffId !== undefined ||
+      updateFields.batherStaffId !== undefined;

    const update: Record<string, unknown> = {
      ...updateFields,
@@ -434,6 +461,11 @@ appointmentsRouter.patch(
            updateFields.staffId !== undefined
              ? updateFields.staffId
              : current.staffId;
+          // Use provided batherStaffId (may be null to unassign); fall back to existing
+          const batherStaffId =
+            updateFields.batherStaffId !== undefined
+              ? updateFields.batherStaffId
+              : current.batherStaffId;

          if (end <= start) {
            throw Object.assign(new Error("end before start"), {
@@ -461,6 +493,29 @@ appointmentsRouter.patch(
            }
          }

+          if (batherStaffId) {
+            const bathConflicts = await tx
+              .select({ id: appointments.id })
+              .from(appointments)
+              .where(
+                and(
+                  or(
+                    eq(appointments.staffId, batherStaffId),
+                    eq(appointments.batherStaffId, batherStaffId)
+                  ),
+                  lt(appointments.startTime, end),
+                  gte(appointments.endTime, start),
+                  ne(appointments.status, "cancelled"),
+                  ne(appointments.status, "no_show"),
+                  ne(appointments.id, id),
+                )
+              )
+              .limit(1);
+            if (bathConflicts.length > 0) {
+              throw Object.assign(new Error("conflict"), { statusCode: 409 });
+            }
+          }
+
          const [updated] = await tx
            .update(appointments)
            .set(update)
@@ -102,7 +102,10 @@ bookRouter.get("/availability", async (c) => {

 const bookingSchema = z.object({
  serviceId: z.string().uuid(),
-  startTime: z.string().datetime(),
+  startTime: z.string().datetime().refine(
+    (dt) => new Date(dt) > new Date(),
+    { message: "Appointment must be in the future" }
+  ),
  clientName: z.string().min(1).max(200),
  clientEmail: z.string().email(),
  clientPhone: z.string().max(50).optional(),
@@ -1,9 +1,10 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { desc, eq, getDb, groomingVisitLogs } from "@groombook/db";
+import { and, desc, eq, getDb, groomingVisitLogs, appointments, or } from "@groombook/db";
+import type { AppEnv } from "../middleware/rbac.js";

-export const groomingLogsRouter = new Hono();
+export const groomingLogsRouter = new Hono<AppEnv>();

 const createLogSchema = z.object({
  petId: z.string().uuid(),
@@ -20,6 +21,26 @@ groomingLogsRouter.get("/", async (c) => {
  const db = getDb();
  const petId = c.req.query("petId");
  if (!petId) return c.json({ error: "petId is required" }, 400);
+  const staffRow = c.get("staff");
+  const isGroomer = staffRow?.role === "groomer";
+
+  if (isGroomer) {
+    const [appt] = await db
+      .select({ id: appointments.id })
+      .from(appointments)
+      .where(
+        and(
+          eq(appointments.petId, petId),
+          or(
+            eq(appointments.staffId, staffRow.id),
+            eq(appointments.batherStaffId, staffRow.id)
+          )
+        )
+      )
+      .limit(1);
+    if (!appt) return c.json({ error: "Forbidden" }, 403);
+  }
+
  const rows = await db
    .select()
    .from(groomingVisitLogs)
@@ -33,11 +54,50 @@ groomingLogsRouter.post(
  zValidator("json", createLogSchema),
  async (c) => {
    const db = getDb();
-    const { groomedAt, ...rest } = c.req.valid("json");
+    const { groomedAt, petId, appointmentId, ...rest } = c.req.valid("json");
+    const staffRow = c.get("staff");
+    const isGroomer = staffRow?.role === "groomer";
+
+    if (isGroomer) {
+      if (appointmentId) {
+        const [appt] = await db
+          .select({ id: appointments.id })
+          .from(appointments)
+          .where(
+            and(
+              eq(appointments.id, appointmentId),
+              or(
+                eq(appointments.staffId, staffRow.id),
+                eq(appointments.batherStaffId, staffRow.id)
+              )
+            )
+          )
+          .limit(1);
+        if (!appt) return c.json({ error: "Forbidden" }, 403);
+      } else {
+        const [appt] = await db
+          .select({ id: appointments.id })
+          .from(appointments)
+          .where(
+            and(
+              eq(appointments.petId, petId),
+              or(
+                eq(appointments.staffId, staffRow.id),
+                eq(appointments.batherStaffId, staffRow.id)
+              )
+            )
+          )
+          .limit(1);
+        if (!appt) return c.json({ error: "Forbidden" }, 403);
+      }
+    }
+
    const [row] = await db
      .insert(groomingVisitLogs)
      .values({
        ...rest,
+        petId,
+        appointmentId: appointmentId ?? null,
        groomedAt: groomedAt ? new Date(groomedAt) : new Date(),
      })
      .returning();
@@ -47,10 +107,37 @@ groomingLogsRouter.post(

 groomingLogsRouter.delete("/:id", async (c) => {
  const db = getDb();
-  const [row] = await db
+  const id = c.req.param("id");
+  const staffRow = c.get("staff");
+  const isGroomer = staffRow?.role === "groomer";
+
+  const [log] = await db
+    .select()
+    .from(groomingVisitLogs)
+    .where(eq(groomingVisitLogs.id, id))
+    .limit(1);
+  if (!log) return c.json({ error: "Not found" }, 404);
+
+  if (isGroomer) {
+    const [appt] = await db
+      .select({ id: appointments.id })
+      .from(appointments)
+      .where(
+        and(
+          eq(appointments.petId, log.petId),
+          or(
+            eq(appointments.staffId, staffRow.id),
+            eq(appointments.batherStaffId, staffRow.id)
+          )
+        )
+      )
+      .limit(1);
+    if (!appt) return c.json({ error: "Forbidden" }, 403);
+  }
+
+  await db
    .delete(groomingVisitLogs)
-    .where(eq(groomingVisitLogs.id, c.req.param("id")))
+    .where(eq(groomingVisitLogs.id, id))
    .returning();
-  if (!row) return c.json({ error: "Not found" }, 404);
  return c.json({ ok: true });
 });
@@ -13,8 +13,9 @@ import {
  clients,
  sql,
 } from "@groombook/db";
+import type { AppEnv } from "../middleware/rbac.js";

-export const invoicesRouter = new Hono();
+export const invoicesRouter = new Hono<AppEnv>();

 const createInvoiceSchema = z.object({
  appointmentId: z.string().uuid().optional(),
@@ -43,53 +44,61 @@ const updateInvoiceSchema = z.object({
 });

 // List invoices
-invoicesRouter.get("/", async (c) => {
-  const db = getDb();
-  const clientId = c.req.query("clientId");
-  const appointmentId = c.req.query("appointmentId");
-  const status = c.req.query("status");
-  const limit = Math.min(parseInt(c.req.query("limit") || "50", 10), 200);
-  const offset = parseInt(c.req.query("offset") || "0", 10);
-
-  const conditions = [];
-  if (clientId) conditions.push(eq(invoices.clientId, clientId));
-  if (appointmentId) conditions.push(eq(invoices.appointmentId, appointmentId));
-  if (status) conditions.push(eq(invoices.status, status as "draft" | "pending" | "paid" | "void"));
-
-  const whereClause = conditions.length > 0 ? and(...conditions) : undefined;
-
-  const [totalResult] = await db
-    .select({ count: sql<number>`count(*)` })
-    .from(invoices)
-    .where(whereClause);
-
-  const rows = await db
-    .select({
-      id: invoices.id,
-      appointmentId: invoices.appointmentId,
-      clientId: invoices.clientId,
-      clientName: clients.name,
-      subtotalCents: invoices.subtotalCents,
-      taxCents: invoices.taxCents,
-      tipCents: invoices.tipCents,
-      totalCents: invoices.totalCents,
-      status: invoices.status,
-      paymentMethod: invoices.paymentMethod,
-      paidAt: invoices.paidAt,
-      notes: invoices.notes,
-      createdAt: invoices.createdAt,
-      updatedAt: invoices.updatedAt,
-    })
-    .from(invoices)
-    .leftJoin(clients, eq(invoices.clientId, clients.id))
-    .where(whereClause)
-    .orderBy(invoices.createdAt)
-    .limit(limit)
-    .offset(offset);
-
-  return c.json({ data: rows, total: totalResult?.count ?? 0 });
+const listInvoicesQuerySchema = z.object({
+  clientId: z.string().uuid().optional(),
+  appointmentId: z.string().uuid().optional(),
+  status: z.enum(["draft", "pending", "paid", "void"]).optional(),
+  limit: z.coerce.number().int().min(1).max(200).default(50),
+  offset: z.coerce.number().int().min(0).default(0),
 });

+invoicesRouter.get(
+  "/",
+  zValidator("query", listInvoicesQuerySchema),
+  async (c) => {
+    const db = getDb();
+    const { clientId, appointmentId, status, limit, offset } = c.req.valid("query");
+
+    const conditions = [];
+    if (clientId) conditions.push(eq(invoices.clientId, clientId));
+    if (appointmentId) conditions.push(eq(invoices.appointmentId, appointmentId));
+    if (status) conditions.push(eq(invoices.status, status as "draft" | "pending" | "paid" | "void"));
+
+    const whereClause = conditions.length > 0 ? and(...conditions) : undefined;
+
+    const [totalResult] = await db
+      .select({ count: sql<number>`count(*)` })
+      .from(invoices)
+      .where(whereClause);
+
+    const rows = await db
+      .select({
+        id: invoices.id,
+        appointmentId: invoices.appointmentId,
+        clientId: invoices.clientId,
+        clientName: clients.name,
+        subtotalCents: invoices.subtotalCents,
+        taxCents: invoices.taxCents,
+        tipCents: invoices.tipCents,
+        totalCents: invoices.totalCents,
+        status: invoices.status,
+        paymentMethod: invoices.paymentMethod,
+        paidAt: invoices.paidAt,
+        notes: invoices.notes,
+        createdAt: invoices.createdAt,
+        updatedAt: invoices.updatedAt,
+      })
+      .from(invoices)
+      .leftJoin(clients, eq(invoices.clientId, clients.id))
+      .where(whereClause)
+      .orderBy(invoices.createdAt)
+      .limit(limit)
+      .offset(offset);
+
+    return c.json({ data: rows, total: totalResult?.count ?? 0 });
+  }
+);
+
 // Get single invoice with line items and tip splits
 invoicesRouter.get("/:id", async (c) => {
  const db = getDb();
@@ -338,3 +347,41 @@ invoicesRouter.patch(
    return c.json({ ...updated, lineItems });
  }
 );
+
+// ─── Refund ───────────────────────────────────────────────────────────────────
+
+import { processRefund } from "../services/payment.js";
+
+const refundSchema = z.object({
+  amountCents: z.number().int().nonnegative().optional(),
+});
+
+invoicesRouter.post(
+  "/:id/refund",
+  zValidator("json", refundSchema),
+  async (c) => {
+    const db = getDb();
+    const staff = c.get("staff");
+    if (!staff) return c.json({ error: "Forbidden" }, 403);
+    if (staff.role !== "manager" && !staff.isSuperUser) {
+      return c.json({ error: "Manager role required" }, 403);
+    }
+
+    const id = c.req.param("id");
+    const body = c.req.valid("json");
+
+    const [invoice] = await db.select().from(invoices).where(eq(invoices.id, id));
+    if (!invoice) return c.json({ error: "Not found" }, 404);
+    if (invoice.status !== "paid") {
+      return c.json({ error: "Refund only allowed on paid invoices" }, 422);
+    }
+    if (!invoice.stripePaymentIntentId) {
+      return c.json({ error: "No Stripe payment intent found for this invoice" }, 422);
+    }
+
+    const result = await processRefund(id, body.amountCents);
+    if (!result) return c.json({ error: "Refund failed" }, 500);
+
+    return c.json({ refundId: result.refundId });
+  }
+);
@@ -35,6 +35,12 @@ portalRouter.get("/me", async (c) => {
  return c.json({ id: client.id, name: client.name, email: client.email, phone: client.phone });
 });

+portalRouter.get("/config", async (c) => {
+  return c.json({
+    stripePublishableKey: process.env.STRIPE_PUBLISHABLE_KEY ?? "",
+  });
+});
+
 portalRouter.get("/services", async (c) => {
  const db = getDb();
  const allServices = await db.select().from(services).where(eq(services.active, true));
@@ -123,7 +129,7 @@ portalRouter.get("/invoices", async (c) => {
    id: inv.id,
    status: inv.status,
    totalCents: inv.totalCents,
-    createdAt: inv.createdAt,
+    date: inv.createdAt,
    lineItems: (itemsByInvoice[inv.id] || []).map(li => ({ id: li.id, description: li.description, quantity: li.quantity, unitPriceCents: li.unitPriceCents, totalCents: li.totalCents })),
  })));
 });
@@ -448,6 +454,113 @@ portalRouter.delete("/waitlist/:id", async (c) => {
  return c.json({ ok: true });
 });

+// ─── Payment routes ───────────────────────────────────────────────────────────
+
+import {
+  createPaymentIntent,
+  listPaymentMethods,
+  detachPaymentMethod,
+  createSetupIntent,
+  getOrCreateStripeCustomer,
+  getStripeClient,
+} from "../services/payment.js";
+
+const payMultipleSchema = z.object({
+  invoiceIds: z.array(z.string().uuid()).min(1),
+});
+
+portalRouter.post(
+  "/invoices/pay-multiple",
+  zValidator("json", payMultipleSchema),
+  async (c) => {
+    const db = getDb();
+    const body = c.req.valid("json");
+    const sessionId = c.req.header("X-Impersonation-Session-Id");
+    const clientId = await getClientIdFromSession(sessionId);
+    if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+
+    const invoiceRows = await db
+      .select()
+      .from(invoices)
+      .where(inArray(invoices.id, body.invoiceIds));
+
+    if (invoiceRows.length !== body.invoiceIds.length) {
+      return c.json({ error: "One or more invoices not found" }, 404);
+    }
+
+    for (const inv of invoiceRows) {
+      if (inv.clientId !== clientId) return c.json({ error: "Forbidden" }, 403);
+      if (inv.status === "draft" || inv.status === "void") {
+        return c.json({ error: `Invoice ${inv.id} cannot be paid (draft or void)` }, 422);
+      }
+      if (inv.status === "paid") {
+        return c.json({ error: `Invoice ${inv.id} is already paid` }, 422);
+      }
+    }
+
+    const firstInvoice = invoiceRows[0];
+    if (!firstInvoice) return c.json({ error: "No invoices found" }, 400);
+    const allSameClient = invoiceRows.every(inv => inv.clientId === firstInvoice.clientId);
+    if (!allSameClient) {
+      return c.json({ error: "All invoices must belong to the same client" }, 422);
+    }
+
+    const stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY ?? "";
+    const result = await createPaymentIntent(body.invoiceIds, clientId);
+    if (!result) return c.json({ error: "Payment service unavailable" }, 503);
+
+    return c.json({ clientSecret: result.clientSecret, publishableKey: stripePublishableKey });
+  }
+);
+
+portalRouter.get("/payment-methods", async (c) => {
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
+  const clientId = await getClientIdFromSession(sessionId);
+  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+
+  const methods = await listPaymentMethods(clientId);
+  if (methods === null) return c.json({ error: "Payment service unavailable" }, 503);
+  return c.json(methods);
+});
+
+portalRouter.post("/payment-methods", async (c) => {
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
+  const clientId = await getClientIdFromSession(sessionId);
+  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+
+  const stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY ?? "";
+  const customerId = await getOrCreateStripeCustomer(clientId);
+  if (!customerId) return c.json({ error: "Could not create customer" }, 500);
+
+  const result = await createSetupIntent(customerId);
+  if (!result) return c.json({ error: "Payment service unavailable" }, 503);
+
+  return c.json({ clientSecret: result.clientSecret, publishableKey: stripePublishableKey });
+});
+
+portalRouter.delete("/payment-methods/:id", async (c) => {
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
+  const clientId = await getClientIdFromSession(sessionId);
+  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+
+  const paymentMethodId = c.req.param("id");
+
+  const stripeCustomerId = await getOrCreateStripeCustomer(clientId);
+  if (!stripeCustomerId) return c.json({ error: "No payment method found" }, 404);
+
+  const stripe = getStripeClient();
+  if (!stripe) return c.json({ error: "Payment service unavailable" }, 503);
+
+  const paymentMethod = await stripe.paymentMethods.retrieve(paymentMethodId);
+  if (!paymentMethod || paymentMethod.customer !== stripeCustomerId) {
+    return c.json({ error: "Payment method not found" }, 404);
+  }
+
+  const ok = await detachPaymentMethod(paymentMethodId);
+  if (!ok) return c.json({ error: "Failed to detach payment method" }, 500);
+  return c.json({ ok: true });
+});
+
 // ─── Dev-mode session creation ──────────────────────────────────────────────
 // Allows the dev login selector to vend an impersonation session for a client
 // without requiring manager auth. Only available when AUTH_DISABLED=true.
@@ -286,6 +286,10 @@ reportsRouter.get("/clients", async (c) => {
  ninetyDaysAgo.setUTCDate(ninetyDaysAgo.getUTCDate() - 90);
  const ninetyDaysAgoISO = ninetyDaysAgo.toISOString();

+  const page = Math.max(1, parseInt(c.req.query("page") ?? "1", 10) || 1);
+  const limit = Math.min(100, Math.max(1, parseInt(c.req.query("limit") ?? "20", 10) || 20));
+  const offset = (page - 1) * limit;
+
  const churnRisk = await db
    .select({
      clientId: clients.id,
@@ -298,15 +302,34 @@ reportsRouter.get("/clients", async (c) => {
    .having(
      sql`MAX(${appointments.startTime}) < ${ninetyDaysAgoISO}::timestamptz OR MAX(${appointments.startTime}) IS NULL`
    )
-    .orderBy(sql`MAX(${appointments.startTime}) ASC NULLS FIRST`);
+    .orderBy(sql`MAX(${appointments.startTime}) ASC NULLS FIRST`)
+    .limit(limit)
+    .offset(offset);
+
+  const [churnCountRow] = await db
+    .select({ total: sql<number>`count(*)::int` })
+    .from(
+      db
+        .select({ id: clients.id })
+        .from(clients)
+        .leftJoin(appointments, eq(appointments.clientId, clients.id))
+        .groupBy(clients.id)
+        .having(
+          sql`MAX(${appointments.startTime}) < ${ninetyDaysAgoISO}::timestamptz OR MAX(${appointments.startTime}) IS NULL`
+        )
+        .as("churn_count")
+    );
+  const churnRiskTotal = churnCountRow?.total ?? 0;

  return c.json({
    from: from.toISOString(),
    to: to.toISOString(),
    newClients,
    activeInPeriodCount: activeInPeriod.length,
-    churnRisk: churnRisk.slice(0, 20), // top 20 at-risk clients
-    churnRiskTotal: churnRisk.length,
+    churnRisk,
+    churnRiskTotal,
+    page,
+    limit,
  });
 });

@@ -9,7 +9,7 @@ const createServiceSchema = z.object({
  name: z.string().min(1).max(200),
  description: z.string().max(2000).optional(),
  basePriceCents: z.number().int().positive(),
-  durationMinutes: z.number().int().positive(),
+  durationMinutes: z.number().int().positive().max(480),
  active: z.boolean().default(true),
 });

@@ -9,6 +9,17 @@ export const setupRouter = new Hono<AppEnv>();
 // GET /api/setup/status — public (no auth), returns whether setup is needed
 // and whether the auth provider bootstrap step should be shown
 setupRouter.get("/status", async (c) => {
+  const skipOobe = ["true", "1", "yes"].includes((process.env.SKIP_OOBE || "").toLowerCase());
+  if (skipOobe) {
+    return c.json({
+      needsSetup: false,
+      showAuthProviderStep: false,
+      authConfigExists: false,
+      authEnvVarsSet: false,
+      skipped: true,
+    });
+  }
+
  const db = getDb();

  // Check if any super user exists
@@ -18,6 +18,10 @@ const createStaffSchema = z.object({

 const updateStaffSchema = createStaffSchema.partial().omit({ email: true });

+const linkUserSchema = z.object({
+  userId: z.string().min(1),
+});
+
 staffRouter.get("/me", async (c) => {
  const staffRow = c.get("staff");
  return c.json(staffRow);
@@ -106,6 +110,32 @@ staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
  return c.json(row);
 });

+staffRouter.patch("/:id/link-user", zValidator("json", linkUserSchema), async (c) => {
+  const db = getDb();
+  const targetId = c.req.param("id");
+  const body = c.req.valid("json");
+  const currentStaff = c.get("staff");
+
+  if (currentStaff.role !== "manager" && !currentStaff.isSuperUser) {
+    return c.json({ error: "Forbidden: only managers or super users can link staff to users" }, 403);
+  }
+
+  const [existing] = await db
+    .select()
+    .from(staff)
+    .where(eq(staff.id, targetId))
+    .limit(1);
+  if (!existing) return c.json({ error: "Not found" }, 404);
+
+  const [updated] = await db
+    .update(staff)
+    .set({ userId: body.userId, updatedAt: new Date() })
+    .where(eq(staff.id, targetId))
+    .returning();
+
+  return c.json(updated);
+});
+
 staffRouter.delete("/:id", async (c) => {
  const db = getDb();
  const id = c.req.param("id");
@@ -0,0 +1,119 @@
+import { Hono } from "hono";
+import Stripe from "stripe";
+import { z } from "zod/v3";
+import { eq, getDb, invoices } from "@groombook/db";
+import { getStripeClient } from "../services/payment.js";
+
+export const webhooksRouter = new Hono();
+
+webhooksRouter.post("/stripe", async (c) => {
+  const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
+  if (!webhookSecret) {
+    return c.json({ error: "Webhook secret not configured" }, 503);
+  }
+
+  const signature = c.req.header("stripe-signature");
+  if (!signature) {
+    return c.json({ error: "Missing signature" }, 401);
+  }
+
+  let rawBody: string;
+  try {
+    rawBody = await c.req.text();
+  } catch {
+    return c.json({ error: "Could not read body" }, 400);
+  }
+
+  const stripe = getStripeClient();
+  if (!stripe) {
+    return c.json({ error: "Stripe not configured" }, 503);
+  }
+
+  let event: Stripe.Event;
+  try {
+    event = stripe.webhooks.constructEvent(rawBody, signature, webhookSecret);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Invalid signature";
+    return c.json({ error: message }, 401);
+  }
+
+  const db = getDb();
+
+  if (event.type === "payment_intent.succeeded") {
+    const pi = event.data.object as Stripe.PaymentIntent;
+    if (pi.metadata?.groombook_invoice_ids) {
+      const invoiceIds = pi.metadata.groombook_invoice_ids.split(",");
+      for (const invoiceId of invoiceIds) {
+        if (!invoiceId) continue;
+        const parsed = z.string().uuid().safeParse(invoiceId.trim());
+        if (!parsed.success) continue;
+        const invoiceIdTrimmed = invoiceId.trim();
+        const [inv] = await db
+          .select()
+          .from(invoices)
+          .where(eq(invoices.id, invoiceIdTrimmed))
+          .limit(1);
+        if (!inv) continue;
+        if (inv.stripePaymentIntentId && inv.stripePaymentIntentId !== pi.id) continue;
+        await db
+          .update(invoices)
+          .set({
+            status: "paid",
+            paymentMethod: "card",
+            paidAt: new Date(),
+            stripePaymentIntentId: pi.id,
+            updatedAt: new Date(),
+          })
+          .where(eq(invoices.id, invoiceIdTrimmed));
+      }
+    }
+  } else if (event.type === "payment_intent.payment_failed") {
+    const pi = event.data.object as Stripe.PaymentIntent;
+    if (pi.metadata?.groombook_invoice_ids) {
+      const invoiceIds = pi.metadata.groombook_invoice_ids.split(",");
+      for (const invoiceId of invoiceIds) {
+        if (!invoiceId) continue;
+        const parsed = z.string().uuid().safeParse(invoiceId.trim());
+        if (!parsed.success) continue;
+        const invoiceIdTrimmed = invoiceId.trim();
+        await db
+          .update(invoices)
+          .set({
+            paymentFailureReason: pi.last_payment_error?.message ?? "Payment failed",
+            updatedAt: new Date(),
+          })
+          .where(eq(invoices.id, invoiceIdTrimmed));
+      }
+    }
+  } else if (event.type === "charge.refunded") {
+    const charge = event.data.object as Stripe.Charge;
+    if (typeof charge.payment_intent === "string" && charge.payment_intent) {
+      const [inv] = await db
+        .select({ id: invoices.id })
+        .from(invoices)
+        .where(eq(invoices.stripePaymentIntentId, charge.payment_intent))
+        .limit(1);
+      if (inv) {
+        const refundId =
+          typeof charge.refunded === "boolean" && charge.refunded
+            ? `ch_${charge.id}_refund`
+            : null;
+        await db
+          .update(invoices)
+          .set({
+            status: "void",
+            stripeRefundId: refundId,
+            updatedAt: new Date(),
+          })
+          .where(eq(invoices.id, inv.id));
+      }
+    }
+  } else if (event.type === "charge.dispute.created") {
+    const dispute = event.data.object as Stripe.Dispute;
+    console.error(
+      `[Stripe Webhook] Dispute created for payment intent: ${dispute.payment_intent}`
+    );
+  }
+
+  return c.json({ received: true });
+});
@@ -0,0 +1,164 @@
+import Stripe from "stripe";
+import { getDb, clients, eq, inArray, invoices } from "@groombook/db";
+
+let _stripe: Stripe | null | undefined;
+
+export function getStripeClient(): Stripe | null {
+  if (_stripe === undefined) {
+    const secretKey = process.env.STRIPE_SECRET_KEY;
+    if (!secretKey) return null;
+    _stripe = new Stripe(secretKey);
+  }
+  return _stripe;
+}
+
+export async function getOrCreateStripeCustomer(clientId: string): Promise<string | null> {
+  const stripe = getStripeClient();
+  if (!stripe) return null;
+
+  const db = getDb();
+  const [client] = await db.select().from(clients).where(eq(clients.id, clientId)).limit(1);
+  if (!client) return null;
+
+  if (client.stripeCustomerId) return client.stripeCustomerId;
+
+  const customer = await stripe.customers.create({
+    metadata: { groombook_client_id: clientId },
+  });
+
+  await db
+    .update(clients)
+    .set({ stripeCustomerId: customer.id, updatedAt: new Date() })
+    .where(eq(clients.id, clientId));
+
+  return customer.id;
+}
+
+export async function createPaymentIntent(
+  invoiceIdOrIds: string | string[],
+  clientId: string
+): Promise<{ clientSecret: string; paymentIntentId: string } | null> {
+  const stripe = getStripeClient();
+  if (!stripe) return null;
+
+  const db = getDb();
+  const invoiceIds = Array.isArray(invoiceIdOrIds) ? invoiceIdOrIds : [invoiceIdOrIds];
+  const firstInvoiceId = invoiceIds[0];
+  if (!firstInvoiceId) return null;
+
+  const invoiceRows = await db
+    .select()
+    .from(invoices)
+    .where(eq(invoices.id, firstInvoiceId));
+
+  const [invoice] = invoiceRows;
+  if (!invoice) return null;
+
+  let totalCents = invoice.totalCents;
+  if (invoiceIds.length > 1) {
+    const allInvoices = await db
+      .select({ totalCents: invoices.totalCents })
+      .from(invoices)
+      .where(inArray(invoices.id, invoiceIds));
+    totalCents = allInvoices.reduce((sum, inv) => sum + inv.totalCents, 0);
+  }
+
+  const stripeCustomerId = await getOrCreateStripeCustomer(clientId);
+  if (!stripeCustomerId) return null;
+
+  const paymentIntent = await stripe.paymentIntents.create({
+    amount: totalCents,
+    currency: "usd",
+    customer: stripeCustomerId,
+    metadata: {
+      groombook_invoice_ids: invoiceIds.join(","),
+      groombook_client_id: clientId,
+    },
+    automatic_payment_methods: { enabled: true },
+  });
+
+  for (const invId of invoiceIds) {
+    await db
+      .update(invoices)
+      .set({ stripePaymentIntentId: paymentIntent.id, updatedAt: new Date() })
+      .where(eq(invoices.id, invId));
+  }
+
+  const clientSecret = paymentIntent.client_secret;
+  if (!clientSecret) return null;
+
+  return { clientSecret, paymentIntentId: paymentIntent.id };
+}
+
+export async function processRefund(
+  invoiceId: string,
+  amountCents?: number
+): Promise<{ refundId: string } | null> {
+  const stripe = getStripeClient();
+  if (!stripe) return null;
+
+  const db = getDb();
+  const [invoice] = await db.select().from(invoices).where(eq(invoices.id, invoiceId)).limit(1);
+  if (!invoice?.stripePaymentIntentId) return null;
+
+  const refund = await stripe.refunds.create({
+    payment_intent: invoice.stripePaymentIntentId,
+    amount: amountCents,
+  });
+
+  await db
+    .update(invoices)
+    .set({ stripeRefundId: refund.id, updatedAt: new Date() })
+    .where(eq(invoices.id, invoiceId));
+
+  return { refundId: refund.id };
+}
+
+export async function listPaymentMethods(clientId: string): Promise<Stripe.PaymentMethod[] | null> {
+  const stripe = getStripeClient();
+  if (!stripe) return null;
+
+  const stripeCustomerId = await getOrCreateStripeCustomer(clientId);
+  if (!stripeCustomerId) return null;
+
+  const methods = await stripe.paymentMethods.list({
+    customer: stripeCustomerId,
+    type: "card",
+  });
+
+  return methods.data;
+}
+
+export async function attachPaymentMethod(
+  clientId: string,
+  paymentMethodId: string
+): Promise<boolean> {
+  const stripe = getStripeClient();
+  if (!stripe) return false;
+
+  const stripeCustomerId = await getOrCreateStripeCustomer(clientId);
+  if (!stripeCustomerId) return false;
+
+  await stripe.paymentMethods.attach(paymentMethodId, { customer: stripeCustomerId });
+  return true;
+}
+
+export async function detachPaymentMethod(paymentMethodId: string): Promise<boolean> {
+  const stripe = getStripeClient();
+  if (!stripe) return false;
+
+  await stripe.paymentMethods.detach(paymentMethodId);
+  return true;
+}
+
+export async function createSetupIntent(customerId: string): Promise<{ clientSecret: string } | null> {
+  const stripe = getStripeClient();
+  if (!stripe) return null;
+
+  const setupIntent = await stripe.setupIntents.create({
+    customer: customerId,
+    payment_method_types: ["card"],
+  });
+
+  return { clientSecret: setupIntent.client_secret! };
+}
@@ -12,6 +12,7 @@ import {
  services,
  staff,
  reminderLogs,
+  session,
 } from "@groombook/db";
 import {
  buildReminderEmail,
@@ -155,6 +156,19 @@ export function startReminderScheduler(): void {
    runReminderCheck().catch((err) => {
      console.error("[reminders] Error during reminder check:", err);
    });
+    runSessionCleanup().catch((err) => {
+      console.error("[reminders] Error during session cleanup:", err);
+    });
  });
  console.log("[reminders] Reminder scheduler started");
 }
+
+// Deletes expired sessions from the database.
+// Runs every minute alongside reminder checks.
+export async function runSessionCleanup(): Promise<void> {
+  const db = getDb();
+  const now = new Date();
+  await db
+    .delete(session)
+    .where(lt(session.expiresAt, now));
+}
@@ -85,6 +85,7 @@ test("admin staff page loads", async ({ page }) => {

 test("admin invoices page loads", async ({ page }) => {
  await page.goto("/admin/invoices");
+  await page.waitForLoadState("domcontentloaded");
  await expect(page.getByText("GroomBook")).toBeVisible();
  await expect(page.getByRole("link", { name: "Invoices" })).toBeVisible();
 });
@@ -20,3 +20,5 @@ FROM nginx:alpine AS runner
 COPY apps/web/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/apps/web/dist /usr/share/nginx/html
 EXPOSE 80
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:80/ || exit 1
@@ -3,10 +3,22 @@ server {
    root /usr/share/nginx/html;
    index index.html;

+    # Security headers
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
    # Cache static assets
    location ~* \.(js|css|png|svg|ico|woff2)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    }

    # Proxy API calls to the API service
@@ -14,8 +14,10 @@
  },
  "dependencies": {
    "@groombook/types": "workspace:*",
+    "@stripe/react-stripe-js": "^6.1.0",
+    "@stripe/stripe-js": "^9.1.0",
    "@tailwindcss/vite": "^4.2.2",
-    "better-auth": "^1.0.0",
+    "better-auth": "^1.5.6",
    "lucide-react": "^0.577.0",
    "react": "^19.0.0",
    "react-dom": "^19.0.0",
@@ -1,4 +1,4 @@
-import { Routes, Route, Link, useLocation, Navigate } from "react-router-dom";
+import { Routes, Route, Link, useLocation, Navigate, useNavigate } from "react-router-dom";
 import { useEffect, useState } from "react";
 import { AppointmentsPage } from "./pages/Appointments.js";
 import { ClientsPage } from "./pages/Clients.js";
@@ -18,22 +18,31 @@ import { DevLoginSelector, getDevUser } from "./pages/DevLoginSelector.js";
 import { DevSessionIndicator } from "./components/DevSessionIndicator.js";
 import { BrandingProvider, useBranding } from "./BrandingContext.js";
 import { GlobalSearch } from "./components/GlobalSearch.js";
-import { useSession, signIn } from "./lib/auth-client.js";
+import { useSession, signIn, signOut } from "./lib/auth-client.js";

 function LoginPage() {
  const [isLoading, setIsLoading] = useState(false);
  const [providers, setProviders] = useState<string[]>([]);
+  const [error, setError] = useState<string | null>(null);

  useEffect(() => {
    fetch("/api/auth/providers")
      .then((r) => r.json())
      .then((data) => setProviders(data.providers ?? []))
      .catch(() => setProviders([]));
+    const params = new URLSearchParams(window.location.search);
+    const authError = params.get("error");
+    if (authError) setError(authError.replace(/_/g, " "));
  }, []);

  const handleSocialLogin = async (provider: string) => {
    setIsLoading(true);
-    await signIn.social({ provider, callbackURL: window.location.origin });
+    setError(null);
+    const result = await signIn.social({ provider, callbackURL: window.location.origin });
+    if (result?.error) {
+      setError(result.error.message ?? "Sign-in failed");
+      setIsLoading(false);
+    }
  };

  const isGoogle = providers.includes("google");
@@ -65,6 +74,11 @@ function LoginPage() {
        <p style={{ color: "#6b7280", marginBottom: "1.5rem", fontSize: 14 }}>
          Sign in to continue
        </p>
+        {error && (
+          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 6, padding: "0.5rem 0.75rem", marginBottom: "1rem", color: "#991b1b", fontSize: 13 }}>
+            {error}
+          </div>
+        )}
        {isGoogle && (
          <button
            onClick={() => handleSocialLogin("google")}
@@ -167,6 +181,7 @@ const NAV_LINKS = [

 function AdminLayout() {
  const location = useLocation();
+  const navigate = useNavigate();
  const { branding } = useBranding();

  const logoSrc = branding.logoBase64 && branding.logoMimeType
@@ -195,6 +210,7 @@ function AdminLayout() {
          alignItems: "center",
          gap: 8,
          marginRight: "1.25rem",
+          flexShrink: 0,
        }}>
          {logoSrc && (
            <img src={logoSrc} alt="" style={{ width: 24, height: 24, objectFit: "contain" }} />
@@ -208,45 +224,73 @@ function AdminLayout() {
          </strong>
        </div>
        <GlobalSearch />
-        <Link
-          to="/admin/book"
+        <div style={{
+          display: "flex",
+          overflowX: "auto",
+          flex: 1,
+          minWidth: 0,
+          gap: "0.25rem",
+        }}>
+          <Link
+            to="/admin/book"
+            style={{
+              padding: "0.4rem 0.85rem",
+              borderRadius: 6,
+              textDecoration: "none",
+              fontSize: 13,
+              fontWeight: 600,
+              color: "#fff",
+              background: branding.primaryColor,
+              boxShadow: "0 1px 2px rgba(79, 138, 111, 0.3)",
+              flexShrink: 0,
+            }}
+          >
+            Book
+          </Link>
+          {NAV_LINKS.map(({ to, label }) => {
+            const active =
+              to === "/admin"
+                ? location.pathname === "/admin"
+                : location.pathname.startsWith(to);
+            return (
+              <Link
+                key={to}
+                to={to}
+                style={{
+                  padding: "0.4rem 0.75rem",
+                  borderRadius: 6,
+                  textDecoration: "none",
+                  fontSize: 13,
+                  fontWeight: active ? 600 : 500,
+                  color: active ? "#2d6a4f" : "#4b5563",
+                  background: active ? "#ecfdf5" : "transparent",
+                  flexShrink: 0,
+                }}
+              >
+                {label}
+              </Link>
+            );
+          })}
+        </div>
+        <button
+          onClick={async () => {
+            await signOut();
+            navigate("/login");
+          }}
          style={{
+            flexShrink: 0,
            padding: "0.4rem 0.85rem",
            borderRadius: 6,
-            textDecoration: "none",
+            border: "1px solid #e2e8f0",
+            background: "#fff",
+            color: "#4b5563",
            fontSize: 13,
-            fontWeight: 600,
-            color: "#fff",
-            background: branding.primaryColor,
-            marginRight: "0.5rem",
-            boxShadow: "0 1px 2px rgba(79, 138, 111, 0.3)",
+            fontWeight: 500,
+            cursor: "pointer",
          }}
        >
-          Book
-        </Link>
-        {NAV_LINKS.map(({ to, label }) => {
-          const active =
-            to === "/admin"
-              ? location.pathname === "/admin"
-              : location.pathname.startsWith(to);
-          return (
-            <Link
-              key={to}
-              to={to}
-              style={{
-                padding: "0.4rem 0.75rem",
-                borderRadius: 6,
-                textDecoration: "none",
-                fontSize: 13,
-                fontWeight: active ? 600 : 500,
-                color: active ? "#2d6a4f" : "#4b5563",
-                background: active ? "#ecfdf5" : "transparent",
-              }}
-            >
-              {label}
-            </Link>
-          );
-        })}
+          Logout
+        </button>
      </nav>
      <main style={{ padding: "1.25rem 1.5rem" }}>
        <Routes>
@@ -4,4 +4,4 @@ export const authClient = createAuthClient({
  baseURL: import.meta.env.VITE_API_URL ?? "",
 });

-export const { signIn, signOut, useSession } = authClient;
+export const { signIn, signOut, useSession, changePassword } = authClient;
@@ -226,7 +226,6 @@ export function CustomerPortal() {
      )}

      {showReschedule && rescheduleAppointment && (
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
        <RescheduleFlow
          appointment={rescheduleAppointment as any}
          onClose={() => { setShowReschedule(false); setRescheduleAppointment(null); }}
@@ -1,6 +1,7 @@
 import React, { useState, useEffect } from "react";
 import { User, Lock, PawPrint, FileCheck, Plus, Archive } from "lucide-react";
 import { PetForm } from "./PetForm.js";
+import { authClient } from "../../lib/auth-client.js";

 interface Props {
  sessionId: string | null;
@@ -148,9 +149,11 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
  const [newPassword, setNewPassword] = useState("");
  const [confirmPassword, setConfirmPassword] = useState("");
  const [error, setError] = useState<string | null>(null);
+  const [success, setSuccess] = useState(false);
+  const [loading, setLoading] = useState(false);

  const passwordsMatch = newPassword === confirmPassword;
-  const canSubmit = currentPassword.length > 0 && newPassword.length > 0 && passwordsMatch;
+  const canSubmit = newPassword.length > 0 && passwordsMatch && !loading;

  if (readOnly) {
    return (
@@ -160,17 +163,34 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
    );
  }

-  function handleSubmit() {
+  async function handleSubmit() {
    if (!canSubmit) return;
    if (newPassword !== confirmPassword) {
      setError("Passwords do not match.");
      return;
    }
-    // TODO: Wire up to actual password-change API endpoint once backend support exists
    setError(null);
-    setCurrentPassword("");
-    setNewPassword("");
-    setConfirmPassword("");
+    setLoading(true);
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const result = await (authClient as any).changePassword({
+        currentPassword,
+        newPassword,
+      });
+      if (result.error) {
+        setError(result.error.message ?? "Failed to change password.");
+      } else {
+        setSuccess(true);
+        setCurrentPassword("");
+        setNewPassword("");
+        setConfirmPassword("");
+        setTimeout(() => setSuccess(false), 4000);
+      }
+    } catch {
+      setError("An unexpected error occurred.");
+    } finally {
+      setLoading(false);
+    }
  }

  return (
@@ -205,12 +225,13 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
          />
        </div>
        {error && <p className="text-sm text-red-500">{error}</p>}
+        {success && <p className="text-sm text-green-600">Password updated successfully.</p>}
        <button
          onClick={handleSubmit}
          disabled={!canSubmit}
          className="px-4 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium hover:bg-(--color-accent-hover) disabled:opacity-50 disabled:cursor-not-allowed"
        >
-          Update Password
+          {loading ? "Updating..." : "Update Password"}
        </button>
      </div>
    </div>
@@ -1,4 +1,6 @@
 import { useState, useEffect } from "react";
+import { loadStripe } from "@stripe/stripe-js";
+import { Elements, PaymentElement, useStripe, useElements } from "@stripe/react-stripe-js";
 import { CreditCard, DollarSign, Package, Zap } from "lucide-react";

 interface Invoice {
@@ -10,31 +12,28 @@ interface Invoice {
 }

 interface PaymentMethod {
+  id: string;
  brand: string;
  last4: string;
  expiryMonth: number;
  expiryYear: number;
 }

-interface Package {
-  name: string;
-  remaining: number;
-}
-
 interface BillingPaymentsProps {
  sessionId: string | null;
  readOnly: boolean;
 }

-export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
+function BillingPaymentsInner({ sessionId, readOnly }: BillingPaymentsProps) {
  const [invoices, setInvoices] = useState<Invoice[]>([]);
  const [paymentMethods, setPaymentMethods] = useState<PaymentMethod[]>([]);
-  const [packages, setPackages] = useState<Package[]>([]);
+  const [packages] = useState<{ name: string; remaining: number }[]>([]);
  const [loading, setLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [tab, setTab] = useState<"invoices" | "payment" | "packages">("invoices");
  const [autopay, setAutopay] = useState(false);
  const [showPaymentModal, setShowPaymentModal] = useState(false);
+  const [publishableKey, setPublishableKey] = useState<string>("");

  useEffect(() => {
    async function fetchData() {
@@ -44,20 +43,37 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
      }

      try {
-        const response = await fetch("/api/portal/invoices", {
-          headers: {
-            "X-Impersonation-Session-Id": sessionId,
-          },
-        });
+        const [configRes, invoicesRes, methodsRes] = await Promise.all([
+          fetch("/api/portal/config", {
+            headers: { "X-Impersonation-Session-Id": sessionId },
+          }),
+          fetch("/api/portal/invoices", {
+            headers: { "X-Impersonation-Session-Id": sessionId },
+          }),
+          fetch("/api/portal/payment-methods", {
+            headers: { "X-Impersonation-Session-Id": sessionId },
+          }),
+        ]);

-        if (!response.ok) {
-          throw new Error("Failed to fetch invoices");
+        if (!configRes.ok) throw new Error("Failed to fetch config");
+        const configData = await configRes.json();
+        setPublishableKey(configData.stripePublishableKey ?? "");
+
+        const invoicesData = await invoicesRes.json();
+        setInvoices(Array.isArray(invoicesData) ? invoicesData : invoicesData.invoices || []);
+
+        if (methodsRes.ok) {
+          const methodsData = await methodsRes.json();
+          setPaymentMethods(
+            (methodsData ?? []).map((m: { id: string; card: { brand: string; last4: string; exp_month: number; exp_year: number } }) => ({
+              id: m.id,
+              brand: m.card?.brand ?? "unknown",
+              last4: m.card?.last4 ?? "****",
+              expiryMonth: m.card?.exp_month ?? 0,
+              expiryYear: m.card?.exp_year ?? 0,
+            }))
+          );
        }
-
-        const data = await response.json();
-        setInvoices(Array.isArray(data) ? data : data.invoices || []);
-        setPaymentMethods(data.paymentMethods || []);
-        setPackages(data.packages || []);
      } catch (err) {
        setError(err instanceof Error ? err.message : "An error occurred");
      } finally {
@@ -68,12 +84,8 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
    fetchData();
  }, [sessionId]);

-  const formatCents = (cents: number) => {
-    return new Intl.NumberFormat("en-US", {
-      style: "currency",
-      currency: "USD",
-    }).format(cents / 100);
-  };
+  const formatCents = (cents: number) =>
+    new Intl.NumberFormat("en-US", { style: "currency", currency: "USD" }).format(cents / 100);

  const pending = invoices.filter((i) => i.status === "pending");
  const totalPending = pending.reduce((sum, i) => sum + i.totalCents, 0);
@@ -82,9 +94,9 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
    return (
      <div className="p-6">
        <div className="animate-pulse space-y-4">
-          <div className="h-6 bg-gray-200 rounded w-1/3"></div>
-          <div className="h-24 bg-gray-200 rounded"></div>
-          <div className="h-24 bg-gray-200 rounded"></div>
+          <div className="h-6 bg-gray-200 rounded w-1/3" />
+          <div className="h-24 bg-gray-200 rounded" />
+          <div className="h-24 bg-gray-200 rounded" />
        </div>
      </div>
    );
@@ -100,7 +112,6 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {

  return (
    <div className="space-y-6">
-      {/* Outstanding Balance Banner */}
      {totalPending > 0 && (
        <div className="bg-white rounded-2xl border border-stone-200 p-5 shadow-sm flex flex-col sm:flex-row items-start sm:items-center justify-between gap-4">
          <div>
@@ -110,16 +121,15 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
              {pending.length} unpaid invoice{pending.length > 1 ? "s" : ""}
            </p>
          </div>
-            <button
-              onClick={() => setShowPaymentModal(true)}
-              className="px-6 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium hover:bg-(--color-accent-hover)"
-            >
-              Pay Now
-            </button>
+          <button
+            onClick={() => setShowPaymentModal(true)}
+            className="px-6 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium hover:bg-(--color-accent-hover)"
+          >
+            Pay Now
+          </button>
        </div>
      )}

-      {/* Tabs */}
      <div className="flex gap-2">
        {([
          { id: "invoices" as const, label: "Invoices", icon: DollarSign },
@@ -141,7 +151,6 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
        ))}
      </div>

-      {/* Invoices */}
      {tab === "invoices" && (
        <div className="bg-white rounded-2xl border border-stone-200 shadow-sm overflow-hidden">
          <div className="overflow-x-auto">
@@ -152,7 +161,7 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
                  <th className="px-5 py-3 font-medium">Description</th>
                  <th className="px-5 py-3 font-medium">Amount</th>
                  <th className="px-5 py-3 font-medium">Status</th>
-                  <th className="px-5 py-3 font-medium"></th>
+                  <th className="px-5 py-3 font-medium" />
                </tr>
              </thead>
              <tbody>
@@ -160,9 +169,7 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
                  <tr key={inv.id} className="border-b border-stone-50 hover:bg-stone-50/50">
                    <td className="px-5 py-3 text-stone-700">
                      {new Date(inv.date).toLocaleDateString("en-US", {
-                        month: "short",
-                        day: "numeric",
-                        year: "numeric",
+                        month: "short", day: "numeric", year: "numeric",
                      })}
                    </td>
                    <td className="px-5 py-3 text-stone-600">
@@ -201,7 +208,6 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
        </div>
      )}

-      {/* Payment Methods */}
      {tab === "payment" && (
        <div className="space-y-4">
          {paymentMethods.length === 0 ? (
@@ -210,7 +216,7 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
            <div className="space-y-3">
              {paymentMethods.map((method) => (
                <div
-                  key={`${method.brand}-${method.last4}`}
+                  key={method.id}
                  className="flex items-center justify-between p-4 border border-stone-200 rounded-lg bg-white"
                >
                  <div className="flex items-center gap-3">
@@ -223,7 +229,18 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
                    </span>
                  </div>
                  {!readOnly && (
-                    <button className="text-sm text-blue-600 hover:underline">
+                    <button
+                      onClick={async () => {
+                        const res = await fetch(`/api/portal/payment-methods/${method.id}`, {
+                          method: "DELETE",
+                          headers: { "X-Impersonation-Session-Id": sessionId ?? "" },
+                        });
+                        if (res.ok) {
+                          setPaymentMethods((prev) => prev.filter((m) => m.id !== method.id));
+                        }
+                      }}
+                      className="text-sm text-blue-600 hover:underline"
+                    >
                      Remove
                    </button>
                  )}
@@ -232,7 +249,6 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
            </div>
          )}

-          {/* Autopay */}
          <div className="bg-white rounded-2xl border border-stone-200 p-5 shadow-sm">
            <div className="flex items-center justify-between">
              <div className="flex items-center gap-3">
@@ -241,9 +257,7 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
                </div>
                <div>
                  <p className="text-sm font-medium text-stone-800">Autopay</p>
-                  <p className="text-xs text-stone-500">
-                    Automatically charge after each appointment
-                  </p>
+                  <p className="text-xs text-stone-500">Automatically charge after each appointment</p>
                </div>
              </div>
              {!readOnly ? (
@@ -269,17 +283,13 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
        </div>
      )}

-      {/* Packages */}
      {tab === "packages" && (
        <div className="space-y-4">
          {packages.length === 0 ? (
            <p className="text-gray-500 italic">No packages purchased</p>
          ) : (
            packages.map((pkg, index) => (
-              <div
-                key={index}
-                className="bg-white rounded-2xl border border-stone-200 p-5 shadow-sm"
-              >
+              <div key={index} className="bg-white rounded-2xl border border-stone-200 p-5 shadow-sm">
                <div className="flex items-center justify-between">
                  <span className="font-medium text-stone-800">{pkg.name}</span>
                  <span className="text-stone-600">{pkg.remaining} remaining</span>
@@ -290,59 +300,123 @@ export function BillingPayments({ sessionId, readOnly }: BillingPaymentsProps) {
        </div>
      )}

-      {/* Payment Modal */}
-      {showPaymentModal && (
-        <PaymentModal
+      {showPaymentModal && publishableKey && (
+        <PaymentModalWrapper
+          key={Date.now()}
+          sessionId={sessionId ?? ""}
+          publishableKey={publishableKey}
          pending={pending}
-          totalPending={totalPending}
          onClose={() => setShowPaymentModal(false)}
+          onSuccess={() => {
+            setInvoices((prev) =>
+              prev.map((inv) =>
+                pending.some((p) => p.id === inv.id) ? { ...inv, status: "paid" as const } : inv
+              )
+            );
+            setShowPaymentModal(false);
+          }}
        />
      )}
    </div>
  );
 }

-function PaymentModal({
-  pending,
-  totalPending: _totalPending,
-  onClose,
-}: {
+interface PaymentModalWrapperProps {
+  sessionId: string;
+  publishableKey: string;
  pending: Invoice[];
-  totalPending: number;
  onClose: () => void;
-}) {
-  const [selectedInvoices, setSelectedInvoices] = useState<Set<string>>(
-    new Set(pending.map((i) => i.id))
+  onSuccess: () => void;
+}
+
+function PaymentModalWrapper({ sessionId, publishableKey, pending, onClose, onSuccess }: PaymentModalWrapperProps) {
+  const [stripePromise] = useState(() =>
+    publishableKey ? loadStripe(publishableKey) : Promise.resolve(null)
  );
+
+  return (
+    <Elements stripe={stripePromise} options={{ mode: "payment", amount: pending.reduce((s, i) => s + i.totalCents, 0), currency: "usd" }}>
+      <PaymentModal sessionId={sessionId} pending={pending} onClose={onClose} onSuccess={onSuccess} />
+    </Elements>
+  );
+}
+
+interface PaymentModalProps {
+  sessionId: string;
+  pending: Invoice[];
+  onClose: () => void;
+  onSuccess: () => void;
+}
+
+function PaymentModal({ sessionId, pending, onClose, onSuccess }: PaymentModalProps) {
+  const stripe = useStripe();
+  const elements = useElements();
+  const [selectedInvoices, setSelectedInvoices] = useState<Set<string>>(new Set(pending.map((i) => i.id)));
+  const [saveCard, setSaveCard] = useState(false);
  const [isProcessing, setIsProcessing] = useState(false);
  const [isComplete, setIsComplete] = useState(false);
+  const [error, setError] = useState<string | null>(null);

  const formatCents = (cents: number) =>
-    new Intl.NumberFormat("en-US", {
-      style: "currency",
-      currency: "USD",
-    }).format(cents / 100);
+    new Intl.NumberFormat("en-US", { style: "currency", currency: "USD" }).format(cents / 100);

  const toggleInvoice = (id: string) => {
    const next = new Set(selectedInvoices);
-    if (next.has(id)) {
-      next.delete(id);
-    } else {
-      next.add(id);
-    }
+    if (next.has(id)) next.delete(id);
+    else next.add(id);
    setSelectedInvoices(next);
  };

-  const handlePay = async () => {
-    setIsProcessing(true);
-    await new Promise((resolve) => setTimeout(resolve, 1500));
-    setIsProcessing(false);
-    setIsComplete(true);
-  };
+  const selectedTotal = pending.filter((i) => selectedInvoices.has(i.id)).reduce((sum, i) => sum + i.totalCents, 0);

-  const selectedTotal = pending
-    .filter((i) => selectedInvoices.has(i.id))
-    .reduce((sum, i) => sum + i.totalCents, 0);
+  const handlePay = async () => {
+    if (!stripe || !elements) return;
+    setIsProcessing(true);
+    setError(null);
+
+    try {
+      const isMulti = selectedInvoices.size > 1;
+      const endpoint = isMulti ? "/api/portal/invoices/pay-multiple" : `/api/portal/invoices/${[...selectedInvoices][0]}/pay`;
+      const body = isMulti ? { invoiceIds: [...selectedInvoices] } : {};
+
+      const res = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Impersonation-Session-Id": sessionId,
+        },
+        body: JSON.stringify(body),
+      });
+
+      if (!res.ok) {
+        const data = await res.json();
+        throw new Error(data.error ?? "Failed to initialize payment");
+      }
+
+      const { clientSecret } = await res.json();
+
+      const { error: stripeError } = await stripe.confirmPayment({
+        elements,
+        clientSecret,
+        confirmParams: saveCard
+          ? { setup_future_usage: "off_session" }
+          : undefined,
+        redirect: "if_required",
+      });
+
+      if (stripeError) {
+        setError(stripeError.message ?? "Payment failed");
+        setIsProcessing(false);
+        return;
+      }
+
+      setIsComplete(true);
+      onSuccess();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "An unexpected error occurred");
+      setIsProcessing(false);
+    }
+  };

  if (isComplete) {
    return (
@@ -357,10 +431,7 @@ function PaymentModal({
          <p className="text-stone-500 text-sm mb-6">
            Your payment of {formatCents(selectedTotal)} has been processed. A receipt has been sent to your email.
          </p>
-          <button
-            onClick={onClose}
-            className="w-full px-4 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium"
-          >
+          <button onClick={onClose} className="w-full px-4 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium">
            Done
          </button>
        </div>
@@ -408,22 +479,36 @@ function PaymentModal({
                  </p>
                </div>
              </div>
-              <span className="text-sm font-medium text-stone-800">
-                {formatCents(inv.totalCents)}
-              </span>
+              <span className="text-sm font-medium text-stone-800">{formatCents(inv.totalCents)}</span>
            </label>
          ))}
        </div>

        <div className="border-t border-stone-200 pt-4 mb-6">
-          <div className="flex justify-between items-center">
+          <div className="flex justify-between items-center mb-4">
            <span className="text-sm text-stone-600">Total</span>
-            <span className="text-lg font-bold text-stone-800">
-              {formatCents(selectedTotal)}
-            </span>
+            <span className="text-lg font-bold text-stone-800">{formatCents(selectedTotal)}</span>
          </div>
+
+          <PaymentElement />
        </div>

+        <label className="flex items-center gap-2 mb-4">
+          <input
+            type="checkbox"
+            checked={saveCard}
+            onChange={(e) => setSaveCard(e.target.checked)}
+            className="w-4 h-4 rounded border-stone-300 text-(--color-accent) focus:ring-(--color-accent)"
+          />
+          <span className="text-sm text-stone-600">Save card for future payments</span>
+        </label>
+
+        {error && (
+          <div className="mb-4 p-3 bg-red-50 border border-red-200 rounded-lg text-sm text-red-700">
+            {error}
+          </div>
+        )}
+
        <div className="flex gap-3">
          <button
            onClick={onClose}
@@ -433,7 +518,7 @@ function PaymentModal({
          </button>
          <button
            onClick={handlePay}
-            disabled={selectedInvoices.size === 0 || isProcessing}
+            disabled={selectedInvoices.size === 0 || isProcessing || !stripe}
            className="flex-1 px-4 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium hover:bg-(--color-accent-hover) disabled:opacity-50 disabled:cursor-not-allowed"
          >
            {isProcessing ? "Processing..." : "Pay Now"}
@@ -444,4 +529,8 @@ function PaymentModal({
  );
 }

+export function BillingPayments(props: BillingPaymentsProps) {
+  return <BillingPaymentsInner {...props} />;
+}
+
 export default BillingPayments;
@@ -41,11 +41,11 @@ export default defineConfig({
      workbox: {
        globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
        navigateFallbackDenylist: [
-          /^\/api\/auth\/oauth2\/callback\//,
+          /^\/api\/auth\//,
        ],
        runtimeCaching: [
          {
-            urlPattern: /^http.*\/api\/.*/i,
+            urlPattern: /^http.*\/api\/(?!auth\/).*/i,
            handler: "NetworkFirst",
            options: {
              cacheName: "api-cache",
@@ -0,0 +1,6 @@
+-- Better-Auth rate limiting table (GRO-574)
+CREATE TABLE "rate_limit" (
+  key TEXT NOT NULL PRIMARY KEY,
+  count INTEGER NOT NULL,
+  last_request BIGINT NOT NULL
+);
@@ -0,0 +1,6 @@
+ALTER TABLE "clients" ADD COLUMN "stripe_customer_id" text;
+ALTER TABLE "clients" ADD CONSTRAINT "idx_clients_stripe_customer_id" UNIQUE("stripe_customer_id");
+ALTER TABLE "invoices" ADD COLUMN "stripe_payment_intent_id" text;
+ALTER TABLE "invoices" ADD COLUMN "stripe_refund_id" text;
+ALTER TABLE "invoices" ADD COLUMN "payment_failure_reason" text;
+ALTER TABLE "invoices" ADD CONSTRAINT "idx_invoices_stripe_payment_intent_id" UNIQUE("stripe_payment_intent_id");
@@ -0,0 +1,103 @@
+{
+  "id": "0026_stripe_payment",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "authProviderConfig": {
+      "name": "auth_provider_config",
+      "columns": {
+        "id": { "name": "id", "type": "uuid", "primaryKey": true, "default": "gen_random_uuid()", "isNullable": false },
+        "providerId": { "name": "provider_id", "type": "text", "isNullable": false },
+        "displayName": { "name": "display_name", "type": "text", "isNullable": false },
+        "issuerUrl": { "name": "issuer_url", "type": "text", "isNullable": false },
+        "internalBaseUrl": { "name": "internal_base_url", "type": "text", "isNullable": true },
+        "clientId": { "name": "client_id", "type": "text", "isNullable": false },
+        "clientSecret": { "name": "client_secret", "type": "text", "isNullable": false },
+        "scopes": { "name": "scopes", "type": "text", "isNullable": false, "default": "'openid profile email'" },
+        "enabled": { "name": "enabled", "type": "boolean", "isNullable": false, "default": "true" },
+        "createdAt": { "name": "created_at", "type": "timestamp", "isNullable": false, "default": "now()" },
+        "updatedAt": { "name": "updated_at", "type": "timestamp", "isNullable": false, "default": "now()" }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {}
+    },
+    "businessSettings": {
+      "name": "business_settings",
+      "columns": {
+        "id": { "name": "id", "type": "uuid", "primaryKey": true, "default": "gen_random_uuid()", "isNullable": false },
+        "businessName": { "name": "business_name", "type": "text", "isNullable": false, "default": "'GroomBook'" },
+        "logoBase64": { "name": "logo_base64", "type": "text", "isNullable": true },
+        "logoMimeType": { "name": "logo_mime_type", "type": "text", "isNullable": true },
+        "logoKey": { "name": "logo_key", "type": "text", "isNullable": true },
+        "primaryColor": { "name": "primary_color", "type": "text", "isNullable": false, "default": "'#4f8a6f'" },
+        "accentColor": { "name": "accent_color", "type": "text", "isNullable": false, "default": "'#8b7355'" },
+        "createdAt": { "name": "created_at", "type": "timestamp", "isNullable": false, "default": "now()" },
+        "updatedAt": { "name": "updated_at", "type": "timestamp", "isNullable": false, "default": "now()" }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {}
+    },
+    "clients": {
+      "name": "clients",
+      "columns": {
+        "id": { "name": "id", "type": "uuid", "primaryKey": true, "default": "gen_random_uuid()", "isNullable": false },
+        "name": { "name": "name", "type": "text", "isNullable": false },
+        "email": { "name": "email", "type": "text", "isNullable": true },
+        "phone": { "name": "phone", "type": "text", "isNullable": true },
+        "address": { "name": "address", "type": "text", "isNullable": true },
+        "notes": { "name": "notes", "type": "text", "isNullable": true },
+        "emailOptOut": { "name": "email_opt_out", "type": "boolean", "isNullable": false, "default": "false" },
+        "smsOptIn": { "name": "sms_opt_in", "type": "boolean", "isNullable": false, "default": "false" },
+        "smsConsentDate": { "name": "sms_consent_date", "type": "timestamp", "isNullable": true },
+        "smsOptOutDate": { "name": "sms_opt_out_date", "type": "timestamp", "isNullable": true },
+        "smsConsentText": { "name": "sms_consent_text", "type": "text", "isNullable": true },
+        "stripeCustomerId": { "name": "stripe_customer_id", "type": "text", "isNullable": true },
+        "status": { "name": "status", "type": "client_status", "isNullable": false, "default": "'active'" },
+        "disabledAt": { "name": "disabled_at", "type": "timestamp", "isNullable": true },
+        "createdAt": { "name": "created_at", "type": "timestamp", "isNullable": false, "default": "now()" },
+        "updatedAt": { "name": "updated_at", "type": "timestamp", "isNullable": false, "default": "now()" }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": { "idx_clients_stripe_customer_id": { "columns": ["stripe_customer_id"] } }
+    },
+    "invoices": {
+      "name": "invoices",
+      "columns": {
+        "id": { "name": "id", "type": "uuid", "primaryKey": true, "default": "gen_random_uuid()", "isNullable": false },
+        "appointmentId": { "name": "appointment_id", "type": "uuid", "isNullable": true },
+        "clientId": { "name": "client_id", "type": "uuid", "isNullable": false },
+        "subtotalCents": { "name": "subtotal_cents", "type": "integer", "isNullable": false },
+        "taxCents": { "name": "tax_cents", "type": "integer", "isNullable": false, "default": "0" },
+        "tipCents": { "name": "tip_cents", "type": "integer", "isNullable": false, "default": "0" },
+        "totalCents": { "name": "total_cents", "type": "integer", "isNullable": false },
+        "status": { "name": "status", "type": "invoice_status", "isNullable": false, "default": "'draft'" },
+        "paymentMethod": { "name": "payment_method", "type": "payment_method", "isNullable": true },
+        "paidAt": { "name": "paid_at", "type": "timestamp", "isNullable": true },
+        "stripePaymentIntentId": { "name": "stripe_payment_intent_id", "type": "text", "isNullable": true },
+        "stripeRefundId": { "name": "stripe_refund_id", "type": "text", "isNullable": true },
+        "paymentFailureReason": { "name": "payment_failure_reason", "type": "text", "isNullable": true },
+        "notes": { "name": "notes", "type": "text", "isNullable": true },
+        "createdAt": { "name": "created_at", "type": "timestamp", "isNullable": false, "default": "now()" },
+        "updatedAt": { "name": "updated_at", "type": "timestamp", "isNullable": false, "default": "now()" }
+      },
+      "indexes": { "idx_invoices_client_id": { "columns": ["client_id"] }, "idx_invoices_status": { "columns": ["status"] }, "idx_invoices_created_at": { "columns": ["created_at"] } },
+      "foreignKeys": { "invoices_appointment_id_fkey": { "columns": ["appointmentId"], "reference": { "table": "appointments", "columns": ["id"] } }, "invoices_client_id_fkey": { "columns": ["clientId"], "reference": { "table": "clients", "columns": ["id"] } } },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": { "idx_invoices_stripe_payment_intent_id": { "columns": ["stripe_payment_intent_id"] } }
+    }
+  },
+  "enums": {
+    "appointment_status": { "name": "appointment_status", "values": ["scheduled", "confirmed", "in_progress", "completed", "cancelled", "no_show"] },
+    "client_status": { "name": "client_status", "values": ["active", "disabled"] },
+    "impersonation_session_status": { "name": "impersonation_session_status", "values": ["active", "ended", "expired"] },
+    "invoice_status": { "name": "invoice_status", "values": ["draft", "pending", "paid", "void"] },
+    "payment_method": { "name": "payment_method", "values": ["cash", "card", "check", "other"] },
+    "staff_role": { "name": "staff_role", "values": ["groomer", "receptionist", "manager"] },
+    "waitlist_status": { "name": "waitlist_status", "values": ["active", "notified", "expired", "cancelled"] }
+  },
+  "nativeEnums": {}
+}
@@ -176,6 +176,20 @@
      "when": 1775396067192,
      "tag": "0024_invoice_indexes",
      "breakpoints": true
+    },
+    {
+      "idx": 25,
+      "version": "7",
+      "when": 1775482467192,
+      "tag": "0025_rate_limit",
+      "breakpoints": true
+    },
+    {
+      "idx": 26,
+      "version": "7",
+      "when": 1775568867192,
+      "tag": "0026_stripe_payment",
+      "breakpoints": true
    }
  ]
 }
@@ -71,6 +71,7 @@ export function buildClient(overrides: Partial<ClientRow> = {}): ClientRow {
    address: "1 Main St, Springfield, CA 90000",
    notes: null,
    emailOptOut: false,
+    stripeCustomerId: null,
    status: "active",
    disabledAt: null,
    createdAt: new Date("2025-01-01T00:00:00Z"),
@@ -109,8 +109,8 @@ export const clients = pgTable("clients", {
  phone: text("phone"),
  address: text("address"),
  notes: text("notes"),
-  // Set to true if the client has opted out of email reminders/notifications
  emailOptOut: boolean("email_opt_out").notNull().default(false),
+  stripeCustomerId: text("stripe_customer_id"),
  status: clientStatusEnum("status").notNull().default("active"),
  disabledAt: timestamp("disabled_at"),
  createdAt: timestamp("created_at").notNull().defaultNow(),
@@ -251,6 +251,9 @@ export const invoices = pgTable(
    status: invoiceStatusEnum("status").notNull().default("draft"),
    paymentMethod: paymentMethodEnum("payment_method"),
    paidAt: timestamp("paid_at"),
+    stripePaymentIntentId: text("stripe_payment_intent_id"),
+    stripeRefundId: text("stripe_refund_id"),
+    paymentFailureReason: text("payment_failure_reason"),
    notes: text("notes"),
    createdAt: timestamp("created_at").notNull().defaultNow(),
    updatedAt: timestamp("updated_at").notNull().defaultNow(),
@@ -259,6 +262,7 @@ export const invoices = pgTable(
    index("idx_invoices_client_id").on(t.clientId),
    index("idx_invoices_status").on(t.status),
    index("idx_invoices_created_at").on(t.createdAt),
+    index("idx_invoices_stripe_payment_intent_id").on(t.stripePaymentIntentId),
  ]
 );

@@ -567,7 +567,7 @@ async function seed() {

  // ── Staff ──
  const managerStaff = Array.from({ length: cfg.staffCount.manager }, (_, i) =>
-    ({ id: uuid(), name: `Manager ${i + 1}`, email: `manager${i + 1}@groombook.dev`, role: "manager" as const, isSuperUser: false })
+    ({ id: uuid(), name: `Manager ${i + 1}`, email: `manager${i + 1}@groombook.dev`, role: "manager" as const, isSuperUser: profile === "uat" && i === 0 })
  );
  const receptionistStaff = Array.from({ length: cfg.staffCount.receptionist }, (_, i) =>
    ({ id: uuid(), name: `Receptionist ${i + 1}`, email: `receptionist${i + 1}@groombook.dev`, role: "receptionist" as const, isSuperUser: false })
@@ -40,6 +40,9 @@ importers:
      nodemailer:
        specifier: ^6.9.16
        version: 6.10.1
+      stripe:
+        specifier: ^22.0.0
+        version: 22.0.1(@types/node@22.19.15)
      zod:
        specifier: ^4.3.6
        version: 4.3.6
@@ -83,11 +86,17 @@ importers:
      '@groombook/types':
        specifier: workspace:*
        version: link:../../packages/types
+      '@stripe/react-stripe-js':
+        specifier: ^6.1.0
+        version: 6.1.0(@stripe/stripe-js@9.1.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+      '@stripe/stripe-js':
+        specifier: ^9.1.0
+        version: 9.1.0
      '@tailwindcss/vite':
        specifier: ^4.2.2
        version: 4.2.2(vite@6.4.1(@types/node@22.19.15)(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
      better-auth:
-        specifier: ^1.0.0
+        specifier: ^1.5.6
        version: 1.5.6(@opentelemetry/api@1.9.1)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(jsdom@26.1.0)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
      lucide-react:
        specifier: ^0.577.0
@@ -2109,6 +2118,17 @@ packages:
  '@standard-schema/utils@0.3.0':
    resolution: {integrity: sha512-e7Mew686owMaPJVNNLs55PUvgz371nKgwsc4vxE49zsODpJEnxgxRo2y/OKrqueavXgZNMDVj3DdHFlaSAeU8g==}

+  '@stripe/react-stripe-js@6.1.0':
+    resolution: {integrity: sha512-LbKbRv4+wUSHLb5VNxqiYcKaqXPvTju0bJaF0RrzH0h4+aKWDXAk4RzUBcpNxxj8KtjuxICElANs1Li7aTv1IQ==}
+    peerDependencies:
+      '@stripe/stripe-js': '>=9.0.0 <10.0.0'
+      react: '>=16.8.0 <20.0.0'
+      react-dom: '>=16.8.0 <20.0.0'
+
+  '@stripe/stripe-js@9.1.0':
+    resolution: {integrity: sha512-v51LoEfZNiNS/5DcarWPCYgn24w4dqwwALR4GTbMW/N0DDzzj4DgYNoixX6PYvpt6uIJMucGUabn/BHhylggIQ==}
+    engines: {node: '>=12.16'}
+
  '@surma/rollup-plugin-off-main-thread@2.2.3':
    resolution: {integrity: sha512-lR8q/9W7hZpMWweNiAKU7NQerBnzQQLvi8qnTDU/fxItPhtZVMbPV3lbCwjhIlNBe9Bbr5V+KHshvWmVSG9cxQ==}

@@ -3608,6 +3628,10 @@ packages:
  lodash@4.17.23:
    resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}

+  loose-envify@1.4.0:
+    resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==}
+    hasBin: true
+
  loupe@3.2.1:
    resolution: {integrity: sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ==}

@@ -3699,6 +3723,10 @@ packages:
  nwsapi@2.2.23:
    resolution: {integrity: sha512-7wfH4sLbt4M0gCDzGE6vzQBo0bfTKjU7Sfpqy/7gs1qBfYz2vEJH6vXcBKpO3+6Yu1telwd0t9HpyOoLEQQbIQ==}

+  object-assign@4.1.1:
+    resolution: {integrity: sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==}
+    engines: {node: '>=0.10.0'}
+
  object-inspect@1.13.4:
    resolution: {integrity: sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==}
    engines: {node: '>= 0.4'}
@@ -3816,6 +3844,9 @@ packages:
    resolution: {integrity: sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==}
    engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0}

+  prop-types@15.8.1:
+    resolution: {integrity: sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==}
+
  punycode@2.3.1:
    resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
    engines: {node: '>=6'}
@@ -3828,6 +3859,9 @@ packages:
    peerDependencies:
      react: ^19.2.4

+  react-is@16.13.1:
+    resolution: {integrity: sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==}
+
  react-is@17.0.2:
    resolution: {integrity: sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==}

@@ -4124,6 +4158,15 @@ packages:
  strip-literal@3.1.0:
    resolution: {integrity: sha512-8r3mkIM/2+PpjHoOtiAW8Rg3jJLHaV7xPwG+YRGrv6FP0wwk/toTpATxWYOW0BKdWwl82VT2tFYi5DlROa0Mxg==}

+  stripe@22.0.1:
+    resolution: {integrity: sha512-Yw764pZ6s8Xu4CtUZdD5uWOkw6gc9xzO9OKylCuj1gMhMDLbyGbDtaPNNSFE4mB6njYSHESYIVbF1iIzUfAl2g==}
+    engines: {node: '>=18'}
+    peerDependencies:
+      '@types/node': '>=18'
+    peerDependenciesMeta:
+      '@types/node':
+        optional: true
+
  strnum@2.2.1:
    resolution: {integrity: sha512-BwRvNd5/QoAtyW1na1y1LsJGQNvRlkde6Q/ipqqEaivoMdV+B1OMOTVdwR+N/cwVUcIt9PYyHmV8HyexCZSupg==}

@@ -6671,6 +6714,15 @@ snapshots:

  '@standard-schema/utils@0.3.0': {}

+  '@stripe/react-stripe-js@6.1.0(@stripe/stripe-js@9.1.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
+    dependencies:
+      '@stripe/stripe-js': 9.1.0
+      prop-types: 15.8.1
+      react: 19.2.4
+      react-dom: 19.2.4(react@19.2.4)
+
+  '@stripe/stripe-js@9.1.0': {}
+
  '@surma/rollup-plugin-off-main-thread@2.2.3':
    dependencies:
      ejs: 3.1.10
@@ -8225,6 +8277,10 @@ snapshots:

  lodash@4.17.23: {}

+  loose-envify@1.4.0:
+    dependencies:
+      js-tokens: 4.0.0
+
  loupe@3.2.1: {}

  lru-cache@10.4.3: {}
@@ -8299,6 +8355,8 @@ snapshots:

  nwsapi@2.2.23: {}

+  object-assign@4.1.1: {}
+
  object-inspect@1.13.4: {}

  object-keys@1.1.1: {}
@@ -8403,6 +8461,12 @@ snapshots:
      ansi-styles: 5.2.0
      react-is: 17.0.2

+  prop-types@15.8.1:
+    dependencies:
+      loose-envify: 1.4.0
+      object-assign: 4.1.1
+      react-is: 16.13.1
+
  punycode@2.3.1: {}

  randombytes@2.1.0:
@@ -8414,6 +8478,8 @@ snapshots:
      react: 19.2.4
      scheduler: 0.27.0

+  react-is@16.13.1: {}
+
  react-is@17.0.2: {}

  react-redux@9.2.0(@types/react@19.2.14)(react@19.2.4)(redux@5.0.1):
@@ -8774,6 +8840,10 @@ snapshots:
    dependencies:
      js-tokens: 9.0.1

+  stripe@22.0.1(@types/node@22.19.15):
+    optionalDependencies:
+      '@types/node': 22.19.15
+
  strnum@2.2.1: {}

  supports-color@7.2.0:
Author	SHA1	Message	Date
Paperclip	8de1eb048c	fix(stripe-webhooks): validate invoice IDs as UUIDs before DB lookup	2026-04-15 04:08:39 +00:00
Paperclip	007643a03c	fix(services): cap durationMinutes at 480 (8 hours max)	2026-04-15 04:08:39 +00:00
Paperclip	636f6a47ec	fix(appointments): cap recurrence series at 1 year max	2026-04-15 04:08:39 +00:00
Paperclip	8ae43d524a	fix(book): add future-time refinement to booking startTime	2026-04-15 04:08:39 +00:00
Paperclip	05293574aa	fix(invoices): add Zod query param validation to GET /	2026-04-15 04:08:34 +00:00
groombook-ceo[bot]	80b66fe20c	fix(GRO-655): create corepack cache dir in builder stage Co-authored-by: groombook-cto[bot] <269737991+groombook-cto[bot]@users.noreply.github.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-15 02:08:54 +00:00
groombook-cto[bot]	67e2157975	feat(GRO-631): add graceful shutdown to API server (#292 ) - Capture server instance from serve() call - Add SIGTERM and SIGINT handlers for graceful shutdown - Add 10-second forced exit timeout Co-authored-by: Flea Flicker <flea-flicker@groombook.ai> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-15 01:54:00 +00:00
groombook-ceo[bot]	4fa4859eaf	fix: set Manager 1 as super user in UAT seed to resolve OOBE redirect Co-authored-by: Flea Flicker <flea-flicker@paperclip.ing> Co-authored-by: groombook-cto[bot] <269737991+groombook-cto[bot]@users.noreply.github.com>	2026-04-15 00:47:09 +00:00
groombook-cto[bot]	ca88385b8d	fix(api): add server-side pagination to churn risk query (GRO-641) fix(api): add server-side pagination to churn risk query (GRO-641)	2026-04-15 00:32:11 +00:00
groombook-cto[bot]	3f2769a43a	Merge branch 'main' into fix/gro-641-churn-pagination	2026-04-15 00:25:55 +00:00
Flea Flicker	0ed87f9ed8	fix(api): add server-side pagination to churn risk query (GRO-641) - Add SQL-level LIMIT/OFFSET pagination to churn risk query - Add separate COUNT(*) subquery for total without fetching all rows - Accept page and limit query params with sensible defaults and bounds - Return page, limit, and churnRiskTotal in response Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 00:12:01 +00:00
groombook-cto[bot]	648755eee5	fix: add corepack cache dir to Dockerfile (GRO-655) Adds mkdir -p /home/node/.cache/node/corepack in builder stage to fix ENOENT crash in migration/seed jobs. Root cause: `c438f57` image regression — container user's home cache directory not pre-created for corepack. Blocking: GRO-618 (UAT promotion), GRO-607 (payment UI), GRO-609 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 23:02:37 +00:00
Flea Flicker	77a6319459	fix(GRO-655): create corepack cache dir in builder stage Prevents ENOENT crash in migrate and seed jobs. Root cause: corepack tries to mkdir /home/node/.cache/node/corepack/v1 but the directory does not exist in the builder stage. This was a regression in `c438f57` where the cache directory was not pre-created. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 22:45:37 +00:00
groombook-cto[bot]	df07f2d6dc	fix(GRO-635): implement groomer data isolation in appointmentGroups, groomingLogs + batherStaffId conflict check - appointmentGroups: Hono<AppEnv>() + groomer isolation on all 5 endpoints - groomingLogs: Hono<AppEnv>() + groomer isolation on GET, POST, DELETE with appointmentId preserved - appointments: batherStaffId conflict checks in POST and PATCH handlers - Non-groomer roles retain full access Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 18:15:05 +00:00
groombook-cto[bot]	dadabb0ea7	fix(GRO-631): pin pnpm version and guard against duplicate CD PRs fix(GRO-631): pin pnpm version and guard against duplicate CD PRs	2026-04-14 17:41:07 +00:00
groombook-cto[bot]	d5a8b19322	Merge branch 'main' into feature/gro-631-ci-pnpm-pin	2026-04-14 17:34:02 +00:00
groombook-cto[bot]	4d1d94296f	fix(GRO-631): add tag validation to promote-prod workflow (#282 ) CTO review approved. Tag format validation and GHCR image existence check are correct and well-placed.	2026-04-14 16:40:07 +00:00
groombook-cto[bot]	c6800a6144	Merge branch 'main' into feature/gro-631-prod-tag-validation	2026-04-14 16:35:46 +00:00
groombook-cto[bot]	000e90a617	feat(GRO-631): add security headers to nginx.conf feat(GRO-631): add security headers to nginx.conf	2026-04-14 16:25:57 +00:00
Flea Flicker	70e9465b68	fix(GRO-631): add tag validation to promote-prod workflow - Validate tag format against regex YYYY.MM.DD-sha7 before proceeding - Verify image exists in GHCR using gh api with packages: read permission - Add packages: read permission to job permissions block Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 16:22:23 +00:00
Flea Flicker	8c3e0f9554	feat(GRO-631): add security headers to nginx.conf Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, X-XSS-Protection, and Permissions-Policy headers to server block and static assets location. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 16:10:04 +00:00
Flea Flicker	f4f522d5e6	fix(GRO-631): pin pnpm version and guard against duplicate CD PRs - Pin pnpm/action-setup@v4 to version 9.15.4 in all 5 jobs - Add duplicate PR guard in CD job before gh pr create - Remove stale kubectl delete job migrate-schema command Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 15:56:15 +00:00
Flea Flicker	e8455195ee	feat(GRO-631): add Docker HEALTHCHECK and update .dockerignore Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 15:47:06 +00:00
groombook-cto[bot]	c438f5772c	feat(GRO-607): Stripe Elements payment UI replacing mock flow * GRO-605: Stripe SDK integration + payment service Co-Authored-By: Paperclip <noreply@paperclip.ing> * GRO-606: Add payment API endpoints (pay invoice, payment methods, refunds) Co-Authored-By: Paperclip <noreply@paperclip.ing> * feat(GRO-597): Stripe payment backend — schema, service, API, webhooks Consolidates GRO-605, GRO-606, GRO-608 into a single clean PR: - GRO-605: Stripe SDK integration + payment service - GRO-606: Payment API endpoints (pay invoice, payment methods, refunds) - GRO-608: Stripe webhook handler Migration consolidation: - Single 0026_stripe_payment.sql migration adds stripeCustomerId to clients and stripe_payment_intent_id, stripe_refund_id, payment_failure_reason to invoices - Removed duplicate 0027_stripe_identifiers.sql Co-Authored-By: Paperclip <noreply@paperclip.ing> * GRO-607: Install Stripe frontend packages Co-Authored-By: Paperclip <noreply@paperclip.ing> * GRO-607: Add /portal/config endpoint + rename date field Co-Authored-By: Paperclip <noreply@paperclip.ing> * GRO-607: Replace mock payment flow with real Stripe Elements Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-607): Stripe Elements payment UI - lint/type fixes Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-607): remove unused eslint-disable directive in CustomerPortal Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-607): CTO review fixes — payment security and correctness - Fix multi-invoice total calculation: use inArray() instead of eq() on single ID, sum all invoices not just first - Add ownership check to payment method deletion: verify the payment method belongs to the authenticated Stripe customer before detaching - Remove duplicate /config endpoint in portal.ts - Fix webhook Stripe client: use getStripeClient() from payment service instead of constructing with WEBHOOK_SECRET - Remove unnecessary body validator on /invoices/:id/pay route - Export getStripeClient() for use by stripe-webhooks.ts - Add inArray import to payment.ts Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-14 08:27:03 +00:00
groombook-qa[bot]	4f6a1e8149	fix(GRO-574): switch rate limit to memory storage to unblock UAT * feat(GRO-566): add SKIP_OOBE env var to bypass setup wizard Co-Authored-By: Paperclip <noreply@paperclip.ing> * Add rate_limit table migration for Better Auth (GRO-574) Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-574): switch rate limit to memory storage to unblock UAT Better Auth rate_limit table migration exists on branch but hasn't been deployed to UAT. Switching to memory storage bypasses the missing table entirely, restoring auth functionality immediately. Memory storage is per-instance (not shared) — rate limiting still functions but won't be distributed across pods. This is acceptable for UAT while the migration is being promoted through the pipeline. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: groombook-qa[bot] <269744346+groombook-qa[bot]@users.noreply.github.com>	2026-04-12 12:20:00 +00:00
groombook-cto[bot]	be3cfa9a54	Merge pull request #268 from groombook/feature/gro-565-better-auth-phase3 feat(GRO-565): Better Auth Phase 3 - password change, OIDC discovery, session cleanup, email verification	2026-04-12 11:29:06 +00:00
groombook-cto[bot]	06e7ddaa61	Merge branch 'main' into feature/gro-565-better-auth-phase3	2026-04-12 11:25:35 +00:00
groombook-cto[bot]	15131b72f0	fix(GRO-574): add rate_limit table migration for Better Auth Adds the missing rate_limit table that Better Auth v1.5.6 requires when rateLimit.storage is set to 'database'. Without this table, all auth endpoints return HTTP 500. Also includes GRO-566: SKIP_OOBE env var to bypass setup wizard in dev/test. cc @cpfarhood	2026-04-12 03:30:45 +00:00
Paperclip	bc1f11a901	feat(GRO-565): Better Auth Phase 3 - password change, OIDC discovery, session cleanup, email verification Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-12 02:47:17 +00:00
groombook-cto[bot]	f4e34f2826	fix(GRO-564): prevent admin nav logout button overflow fix(GRO-564): prevent admin nav logout button overflow	2026-04-12 02:31:46 +00:00
Paperclip	2396eaab4d	fix(GRO-564): wrap admin nav links in scrollable div to prevent logout overflow - Add flexShrink:0 to logo div to prevent shrinking - Wrap Book + NAV_LINKS in scrollable div with overflow-x:auto, flex:1, minWidth:0 - Add flexShrink:0 to all nav links - Move logout button outside scrollable div with flexShrink:0 instead of marginLeft:auto - Keeps logout button always visible regardless of nav item count Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-12 02:07:04 +00:00
groombook-ceo[bot]	97b71d5396	feat(GRO-564): Better Auth Phase 2 Security Hardening feat(GRO-564): Better Auth Phase 2 Security Hardening	2026-04-11 23:07:36 +00:00
Paperclip	bbe95df9ca	merge: resolve conflict with main for GRO-564 security hardening Keep rate limiting config from feature branch during merge with main. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-11 22:59:50 +00:00
Paperclip	1380d5a9d3	feat(GRO-564): Better Auth Phase 2 security hardening - Add logout button to admin layout header (signOut from better-auth) - AUTH_DISABLED production guard already present in auth.ts middleware - Remove automatic email-based staff-user linking (security fix) - Add PATCH /api/staff/:id/link-user endpoint for manual linking by admins - Add rate limiting to Better Auth (10 req/min, database storage) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-11 22:53:00 +00:00
groombook-cto[bot]	41dff6f0e2	fix(GRO-563): stabilize OAuth login - upgrade better-auth, fix service worker, add 503 handling Phase 1 Better Auth stabilization: - Upgrade better-auth to ^1.5.6 in apps/web (matches api) - Switch OAuth state to cookie storage (BA v1.5+ requirement) - Remove manual redirectURI overrides - Exclude /api/auth/* from service worker caching - Add 503 error handling when auth not configured - Display login errors inline on login page - Update infra submodule with social auth env vars Closes GRO-563 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-11 21:07:41 +00:00
Paperclip	8002a3db96	fix(GRO-563): stabilize OAuth login - upgrade better-auth, fix service worker, add 503 handling - apps/web: upgrade better-auth from ^1.0.0 to ^1.5.6 (matches API) - apps/web/vite.config.ts: exclude /api/auth/* from service worker caching - apps/api/index.ts: return 503 when auth not configured - apps/api/middleware/auth.ts: return 503 when auth not initialized Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-11 20:35:10 +00:00
Paperclip	88e6845027	chore: update infra submodule to include social auth env vars (GRO-545) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-11 18:13:24 +00:00
Paperclip	085c8b9cfa	fix(GRO-545): switch OAuth state to cookie storage and add login error display The OAuth callback was failing with "please_restart_the_process" because Better-Auth's default DB-backed state (verification table) was unreliable — the UAT hourly reset wipes all tables including verification records. Switch to cookie-based state storage so the encrypted state survives in the browser cookie across the redirect flow. Also removes explicit redirectURI from socialProviders (Better-Auth derives it from baseURL) and adds visible error feedback on the login page when OAuth callbacks fail. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-11 18:01:59 +00:00
groombook-qa[bot]	1d76c63137	fix(e2e): use domcontentloaded instead of networkidle in admin invoices test The networkidle wait causes flakiness in CI due to slow external resource loading. Use domcontentloaded which fires earlier and is sufficient for SPA navigation checks. Co-authored-by: Pawla Abdul (Bot) <pawla@groombook.dev> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-11 16:50:35 +00:00