chore(GRO-720): harden .gitignore against agent runtime leaks

- Add .gh-token, *.gh-token to block token files
- Add .config/gh/ and **/.config/gh/ to block gh CLI config dirs
- Add infra-repo and infra-repo/ to block infra checkouts
- Add **/instructions/.gh-token to block per-agent token files
- Add **/AGENT_HOME/** and $AGENT_HOME/** to block agent home dirs
- Add .claude/ and .codex/ to block runtime directories

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev]
   pull_request:
-    branches: [main]
+    branches: [main, dev]
   workflow_dispatch:
     inputs:
       ref:

.gitignore

@@ -8,3 +8,16 @@ dist/
 .turbo/
 coverage/
 minimax-output/
+
+# Agent runtime artifacts — never commit
+.gh-token
+*.gh-token
+.config/gh/
+**/.config/gh/
+infra-repo
+infra-repo/
+**/instructions/.gh-token
+**/AGENT_HOME/**
+$AGENT_HOME/**
+.claude/
+.codex/

apps/api/src/index.ts

@@ -72,6 +72,60 @@ app.route("/api/webhooks/stripe", webhooksRouter);
 // Dev/demo routes — config is always public, users endpoint is guarded internally
 app.route("/api/dev", devRouter);
 
+// Magic bytes for allowed image types
+const ALLOWED_IMAGE_TYPES: Record<string, Uint8Array> = {
+  "image/png": new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
+  "image/jpeg": new Uint8Array([0xff, 0xd8, 0xff]),
+  "image/gif": new Uint8Array([0x47, 0x49, 0x46, 0x38]),
+  "image/webp": new Uint8Array([0x52, 0x49, 0x46, 0x46]), // followed by size then WEBP
+};
+
+/**
+ * Validates that the given base64 content matches the declared MIME type
+ * by checking magic bytes. Returns null if valid, or the field to clear if not.
+ */
+function validateLogoMagicBytes(
+  logoBase64: string | null,
+  logoMimeType: string | null
+): "logoBase64" | "logoMimeType" | null {
+  if (!logoBase64 || !logoMimeType) return null;
+
+  const expectedMagic = ALLOWED_IMAGE_TYPES[logoMimeType];
+  if (!expectedMagic) return "logoMimeType"; // unknown MIME type — reject
+
+  try {
+    const binary = Buffer.from(logoBase64, "base64");
+    // WebP needs a special check (RIFF....WEBP at offset 0, size at offset 4)
+    if (logoMimeType === "image/webp") {
+      if (binary.length < 12) return "logoBase64";
+      const webpMagic = binary.slice(0, 4);
+      const webpSig = binary.slice(8, 12);
+      if (
+        webpMagic[0] !== 0x52 ||
+        webpMagic[1] !== 0x49 ||
+        webpMagic[2] !== 0x46 ||
+        webpMagic[3] !== 0x46 ||
+        webpSig[0] !== 0x57 ||
+        webpSig[1] !== 0x45 ||
+        webpSig[2] !== 0x42 ||
+        webpSig[3] !== 0x50
+      ) {
+        return "logoBase64";
+      }
+      return null;
+    }
+
+    // All other types: check prefix
+    if (binary.length < expectedMagic.length) return "logoBase64";
+    for (let i = 0; i < expectedMagic.length; i++) {
+      if (binary[i] !== expectedMagic[i]) return "logoBase64";
+    }
+    return null;
+  } catch {
+    return "logoBase64";
+  }
+}
+
 // Public branding endpoint — no auth required, returns business name/colors/logo
 app.get("/api/branding", async (c) => {
   const db = getDb();
@@ -87,13 +141,19 @@ app.get("/api/branding", async (c) => {
     }
   }
 
+  // Defensive: validate magic bytes to prevent MIME type confusion attacks
+  // via the legacy base64 logo fields
+  const badField = validateLogoMagicBytes(settings.logoBase64 ?? null, settings.logoMimeType ?? null);
+  const safeLogoBase64 = badField === "logoBase64" ? null : settings.logoBase64;
+  const safeLogoMimeType = badField === "logoMimeType" ? null : settings.logoMimeType;
+
   return c.json({
     businessName: settings.businessName,
     primaryColor: settings.primaryColor,
     accentColor: settings.accentColor,
     logoUrl,
-    logoBase64: settings.logoBase64,
-    logoMimeType: settings.logoMimeType,
+    logoBase64: safeLogoBase64,
+    logoMimeType: safeLogoMimeType,
   });
 });
 

apps/api/src/lib/auth.ts

@@ -93,9 +93,12 @@ export async function initAuth(): Promise<void> {
         baseURL: BETTER_AUTH_URL,
         rateLimit: {
           enabled: true,
-          max: 10,
-          window: 60,
+          max: 100,
+          window: 10,
           storage: "memory",
+          customRules: {
+            "/get-session": false,
+          },
         },
         plugins: [
           genericOAuth({
@@ -240,9 +243,12 @@ export async function initAuth(): Promise<void> {
       baseURL: BETTER_AUTH_URL,
       rateLimit: {
         enabled: true,
-        max: 10,
-        window: 60,
+        max: 100,
+        window: 10,
         storage: "memory",
+        customRules: {
+          "/get-session": false,
+        },
       },
       account: {
         storeStateStrategy: "cookie" as const,

apps/api/src/lib/s3.ts

@@ -67,3 +67,22 @@ export async function deleteObject(key: string): Promise<void> {
     })
   );
 }
+
+/** Upload an object directly to S3 (server-side only, not a pre-signed URL). */
+export async function putObject(
+  key: string,
+  body: Buffer | Uint8Array | string,
+  contentType: string,
+  contentLength: number
+): Promise<void> {
+  const client = getS3Client();
+  await client.send(
+    new PutObjectCommand({
+      Bucket: getBucket(),
+      Key: key,
+      Body: body,
+      ContentType: contentType,
+      ContentLength: contentLength,
+    })
+  );
+}

apps/api/src/middleware/portalAudit.ts

@@ -0,0 +1,45 @@
+import type { MiddlewareHandler } from "hono";
+import { getDb, impersonationAuditLogs } from "@groombook/db";
+import type { PortalEnv } from "./portalSession.js";
+
+/**
+ * Server-side audit logging middleware for portal routes.
+ * Applied after validatePortalSession in the middleware chain.
+ *
+ * After the route handler completes (await next()), inserts an audit log entry
+ * into impersonationAuditLogs:
+ *   - sessionId: from c.get("portalSessionId")
+ *   - action: "{METHOD} {routePath}" (e.g., "GET /portal/appointments")
+ *   - pageVisited: c.req.path
+ *   - metadata: { method, statusCode: c.res.status }
+ *
+ * Log entries are written for both success and error responses.
+ * Does NOT throw if audit logging fails — errors are logged but the user's
+ * request is not affected.
+ */
+export const portalAudit: MiddlewareHandler<PortalEnv> = async (c, next) => {
+  await next();
+
+  const sessionId = c.get("portalSessionId");
+  if (!sessionId) return;
+
+  const method = c.req.method;
+  const routePath = c.req.path;
+  const pageVisited = c.req.path;
+  const statusCode = c.res.status;
+
+  try {
+    const db = getDb();
+    await db
+      .insert(impersonationAuditLogs)
+      .values({
+        sessionId,
+        action: `${method} ${routePath}`,
+        pageVisited,
+        metadata: { method, statusCode },
+      })
+      .returning();
+  } catch (err) {
+    console.error("[portalAudit] Failed to write audit log:", err);
+  }
+};

apps/api/src/middleware/portalSession.ts

@@ -0,0 +1,40 @@
+import type { MiddlewareHandler } from "hono";
+import { and, eq, getDb, impersonationSessions } from "@groombook/db";
+
+export interface PortalEnv {
+  Variables: {
+    portalClientId: string;
+    portalSessionId: string;
+  };
+}
+
+/**
+ * Validates the X-Impersonation-Session-Id header against the impersonationSessions table.
+ * Must be applied to all portal routes.
+ *
+ * Reads x-session-id from request headers, queries impersonationSessions for a row where
+ * id = sessionId AND status = 'active', and checks session.expiresAt > new Date().
+ * Returns 401 if session is invalid/missing/expired.
+ * On success, sets c.set("portalClientId", session.clientId) and c.set("portalSessionId", session.id).
+ */
+export const validatePortalSession: MiddlewareHandler<PortalEnv> = async (c, next) => {
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
+  if (!sessionId) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  const db = getDb();
+  const [session] = await db
+    .select()
+    .from(impersonationSessions)
+    .where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
+    .limit(1);
+
+  if (!session || session.expiresAt <= new Date()) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  c.set("portalClientId", session.clientId);
+  c.set("portalSessionId", session.id);
+  await next();
+};

apps/api/src/routes/invoices.ts

@@ -18,6 +18,14 @@ import type { AppEnv } from "../middleware/rbac.js";
 
 export const invoicesRouter = new Hono<AppEnv>();
 
+// Convert Zod validation errors from 422 to 400
+invoicesRouter.onError((err, c) => {
+  if (err instanceof z.ZodError) {
+    return c.json({ error: "Validation failed", issues: err.issues }, 400);
+  }
+  throw err;
+});
+
 const createInvoiceSchema = z.object({
   appointmentId: z.string().uuid().optional(),
   clientId: z.string().uuid(),
@@ -42,6 +50,13 @@ const updateInvoiceSchema = z.object({
   taxCents: z.number().int().nonnegative().optional(),
   tipCents: z.number().int().nonnegative().optional(),
   notes: z.string().max(2000).nullable().optional(),
+  tipSplits: z.array(
+    z.object({
+      staffId: z.string().uuid().nullable(),
+      staffName: z.string().min(1).max(200),
+      sharePct: z.number().min(0).max(100),
+    })
+  ).optional(),
 });
 
 // List invoices
@@ -334,7 +349,23 @@ invoicesRouter.patch(
       }
     }
 
-    const update: Record<string, unknown> = { ...body, updatedAt: new Date() };
+    const tipCents = body.tipCents ?? current.tipCents;
+
+    // Validate tip splits when marking invoice as paid
+    if (body.status === "paid" && tipCents > 0 && body.tipSplits !== undefined) {
+      if (body.tipSplits.length === 0) {
+        return c.json({ error: "Tip splits are required when tip amount is greater than zero" }, 400);
+      }
+      const totalPct = body.tipSplits.reduce((sum, s) => sum + s.sharePct, 0);
+      if (Math.abs(totalPct - 100) > 0.01) {
+        return c.json({ error: "Tip split percentages must sum to 100%" }, 400);
+      }
+    }
+
+    // Destructure tipSplits out — it belongs to a separate table, not the invoices column
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const { tipSplits: _tipSplits, ...updateBody } = body as Record<string, unknown>;
+    const update: Record<string, unknown> = { ...updateBody, updatedAt: new Date() };
 
     // Auto-set paidAt when marking as paid
     if (body.status === "paid" && !body.paidAt && !current.paidAt) {
@@ -348,16 +379,42 @@ invoicesRouter.patch(
       update.totalCents = current.subtotalCents + newTaxCents + newTipCents;
     }
 
-    const [updated] = await db
-      .update(invoices)
-      .set(update)
-      .where(eq(invoices.id, id))
-      .returning();
+    // Wrap tip split persistence and invoice update in a single atomic transaction
+    const [updated, lineItems] = await db.transaction(async (tx) => {
+      if (body.status === "paid" && tipCents > 0 && body.tipSplits !== undefined) {
+        await tx.delete(invoiceTipSplits).where(eq(invoiceTipSplits.invoiceId, id));
+        const splits = body.tipSplits;
+        if (splits.length > 0) {
+          let remaining = tipCents;
+          const rows = splits.map((s, i) => {
+            const isLast = i === splits.length - 1;
+            const shareCents = isLast ? remaining : Math.round((s.sharePct / 100) * tipCents);
+            if (!isLast) remaining -= shareCents;
+            return {
+              invoiceId: id,
+              staffId: s.staffId,
+              staffName: s.staffName,
+              sharePct: s.sharePct.toFixed(2),
+              shareCents,
+            };
+          });
+          await tx.insert(invoiceTipSplits).values(rows);
+        }
+      }
 
-    const lineItems = await db
-      .select()
-      .from(invoiceLineItems)
-      .where(eq(invoiceLineItems.invoiceId, id));
+      const [updatedInvoice] = await tx
+        .update(invoices)
+        .set(update)
+        .where(eq(invoices.id, id))
+        .returning();
+
+      const lineItems = await tx
+        .select()
+        .from(invoiceLineItems)
+        .where(eq(invoiceLineItems.invoiceId, id));
+
+      return [updatedInvoice, lineItems];
+    });
 
     return c.json({ ...updated, lineItems });
   }

apps/api/src/routes/pets.ts

@@ -213,7 +213,11 @@ petsRouter.post(
 
     // Delete the previous photo from storage to avoid orphaned objects
     if (pet.photoKey) {
-      await deleteObject(pet.photoKey);
+      try {
+        await deleteObject(pet.photoKey);
+      } catch (err) {
+        console.warn(`Failed to delete previous photo ${pet.photoKey}, orphaned object may remain:`, err);
+      }
     }
 
     const [row] = await db
@@ -240,7 +244,11 @@ petsRouter.delete("/:petId/photo", async (c) => {
   if (!pet) return c.json({ error: "Pet not found" }, 404);
   if (!pet.photoKey) return c.json({ error: "No photo on file" }, 404);
 
-  await deleteObject(pet.photoKey);
+  try {
+    await deleteObject(pet.photoKey);
+  } catch (err) {
+    console.warn(`Failed to delete photo ${pet.photoKey} from S3, orphaned object may remain:`, err);
+  }
   await db
     .update(pets)
     .set({ photoKey: null, photoUploadedAt: null, updatedAt: new Date() })

apps/api/src/routes/portal.ts

@@ -1,33 +1,84 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, inArray } from "@groombook/db";
+import { eq, inArray } from "@groombook/db";
 import { getDb, appointments, impersonationSessions, waitlistEntries, clients, pets, services, staff, invoices, invoiceLineItems } from "@groombook/db";
-import type { AppEnv } from "../middleware/rbac.js";
+import { validatePortalSession } from "../middleware/portalSession.js";
+import { portalAudit } from "../middleware/portalAudit.js";
+import type { PortalEnv } from "../middleware/portalSession.js";
 
-export const portalRouter = new Hono<AppEnv>();
+export const portalRouter = new Hono<PortalEnv>();
 
-// ─── Session helper ───────────────────────────────────────────────────────────
+// Dev-mode session creation — must be registered BEFORE the /* middleware so it is
+// NOT subject to validatePortalSession/portalAudit (GRO-778 fix). This endpoint creates
+// the impersonation session and has no X-Impersonation-Session-Id header yet.
+const devSessionSchema = z.object({
+  clientId: z.string().uuid(),
+});
 
-async function getClientIdFromSession(sessionId: string | null | undefined): Promise<string | null> {
-  if (!sessionId) return null;
-  const db = getDb();
-  const [session] = await db
-    .select()
-    .from(impersonationSessions)
-    .where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
-    .limit(1);
-  if (!session || session.expiresAt <= new Date()) return null;
-  return session.clientId;
-}
+portalRouter.post(
+  "/dev-session",
+  zValidator("json", devSessionSchema),
+  async (c) => {
+    if (process.env.AUTH_DISABLED !== "true") {
+      return c.json({ error: "Not available when auth is enabled" }, 403);
+    }
+
+    const db = getDb();
+    const body = c.req.valid("json");
+
+    const [client] = await db
+      .select()
+      .from(clients)
+      .where(eq(clients.id, body.clientId))
+      .limit(1);
+    if (!client) {
+      return c.json({ error: "Client not found" }, 404);
+    }
+
+    const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
+
+    let staffId = DEMO_STAFF_ID;
+    const [demoStaff] = await db
+      .select({ id: staff.id })
+      .from(staff)
+      .where(eq(staff.id, DEMO_STAFF_ID))
+      .limit(1);
+
+    if (!demoStaff) {
+      const [firstStaff] = await db
+        .select({ id: staff.id })
+        .from(staff)
+        .where(eq(staff.active, true))
+        .limit(1);
+      if (!firstStaff) {
+        return c.json({ error: "No staff records found. Run the database seed." }, 500);
+      }
+      staffId = firstStaff.id;
+    }
+
+    const [session] = await db
+      .insert(impersonationSessions)
+      .values({
+        staffId,
+        clientId: body.clientId,
+        reason: "dev-mode-client-portal",
+        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000),
+      })
+      .returning();
+
+    return c.json(session, 201);
+  }
+);
+
+// Apply middleware to all portal routes
+portalRouter.use("/*", validatePortalSession, portalAudit);
 
 // ─── GET routes ──────────────────────────────────────────────────────────────
 
 portalRouter.get("/me", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const [client] = await db.select().from(clients).where(eq(clients.id, clientId)).limit(1);
   if (!client) return c.json({ error: "Not found" }, 404);
@@ -49,9 +100,7 @@ portalRouter.get("/services", async (c) => {
 
 portalRouter.get("/appointments", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const now = new Date();
   const allAppts = await db
@@ -101,9 +150,7 @@ portalRouter.get("/appointments", async (c) => {
 
 portalRouter.get("/pets", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const clientPets = await db.select().from(pets).where(eq(pets.clientId, clientId));
   return c.json(clientPets.map(p => ({ id: p.id, name: p.name, breed: p.breed, weightKg: p.weightKg, dateOfBirth: p.dateOfBirth, photoKey: p.photoKey, groomingNotes: p.groomingNotes })));
@@ -111,9 +158,7 @@ portalRouter.get("/pets", async (c) => {
 
 portalRouter.get("/invoices", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const clientInvoices = await db.select().from(invoices).where(eq(invoices.clientId, clientId));
   const invoiceIds = clientInvoices.map(i => i.id);
@@ -148,12 +193,7 @@ portalRouter.patch(
     const db = getDb();
     const id = c.req.param("id");
     const body = c.req.valid("json");
-
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-    const clientId = await getClientIdFromSession(sessionId);
-    if (!clientId) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
+    const clientId = c.get("portalClientId");
 
     const [appt] = await db
       .select()
@@ -196,12 +236,7 @@ portalRouter.patch(
 portalRouter.post("/appointments/:id/confirm", async (c) => {
   const db = getDb();
   const id = c.req.param("id");
-
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
+  const clientId = c.get("portalClientId");
 
   const [appt] = await db
     .select()
@@ -250,12 +285,7 @@ portalRouter.post("/appointments/:id/confirm", async (c) => {
 portalRouter.post("/appointments/:id/cancel", async (c) => {
   const db = getDb();
   const id = c.req.param("id");
-
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
+  const clientId = c.get("portalClientId");
 
   const [appt] = await db
     .select()
@@ -319,28 +349,7 @@ portalRouter.post(
   async (c) => {
     const db = getDb();
     const body = c.req.valid("json");
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-
-    let clientId: string | null = null;
-    if (sessionId) {
-      const [session] = await db
-        .select()
-        .from(impersonationSessions)
-        .where(
-          and(
-            eq(impersonationSessions.id, sessionId),
-            eq(impersonationSessions.status, "active")
-          )
-        )
-        .limit(1);
-      if (session && session.expiresAt > new Date()) {
-        clientId = session.clientId;
-      }
-    }
-
-    if (!clientId) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
+    const clientId = c.get("portalClientId");
 
     const [entry] = await db
       .insert(waitlistEntries)
@@ -364,26 +373,7 @@ portalRouter.patch(
     const db = getDb();
     const id = c.req.param("id");
     const body = c.req.valid("json");
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-
-    if (!sessionId) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
-
-    const [session] = await db
-      .select()
-      .from(impersonationSessions)
-      .where(
-        and(
-          eq(impersonationSessions.id, sessionId),
-          eq(impersonationSessions.status, "active")
-        )
-      )
-      .limit(1);
-
-    if (!session || session.expiresAt <= new Date()) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
+    const clientId = c.get("portalClientId");
 
     const [existing] = await db
       .select()
@@ -392,7 +382,7 @@ portalRouter.patch(
       .limit(1);
 
     if (!existing) return c.json({ error: "Not found" }, 404);
-    if (existing.clientId !== session.clientId) {
+    if (existing.clientId !== clientId) {
       return c.json({ error: "Forbidden" }, 403);
     }
 
@@ -414,26 +404,7 @@ portalRouter.patch(
 portalRouter.delete("/waitlist/:id", async (c) => {
   const db = getDb();
   const id = c.req.param("id");
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-
-  if (!sessionId) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
-
-  const [session] = await db
-    .select()
-    .from(impersonationSessions)
-    .where(
-      and(
-        eq(impersonationSessions.id, sessionId),
-        eq(impersonationSessions.status, "active")
-      )
-    )
-    .limit(1);
-
-  if (!session || session.expiresAt <= new Date()) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
+  const clientId = c.get("portalClientId");
 
   const [entry] = await db
     .select()
@@ -442,7 +413,7 @@ portalRouter.delete("/waitlist/:id", async (c) => {
     .limit(1);
 
   if (!entry) return c.json({ error: "Not found" }, 404);
-  if (entry.clientId !== session.clientId) {
+  if (entry.clientId !== clientId) {
     return c.json({ error: "Forbidden" }, 403);
   }
 
@@ -475,9 +446,7 @@ portalRouter.post(
   async (c) => {
     const db = getDb();
     const body = c.req.valid("json");
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-    const clientId = await getClientIdFromSession(sessionId);
-    if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+    const clientId = c.get("portalClientId");
 
     const invoiceRows = await db
       .select()
@@ -514,9 +483,7 @@ portalRouter.post(
 );
 
 portalRouter.get("/payment-methods", async (c) => {
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const methods = await listPaymentMethods(clientId);
   if (methods === null) return c.json({ error: "Payment service unavailable" }, 503);
@@ -524,9 +491,7 @@ portalRouter.get("/payment-methods", async (c) => {
 });
 
 portalRouter.post("/payment-methods", async (c) => {
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY ?? "";
   const customerId = await getOrCreateStripeCustomer(clientId);
@@ -539,9 +504,7 @@ portalRouter.post("/payment-methods", async (c) => {
 });
 
 portalRouter.delete("/payment-methods/:id", async (c) => {
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const paymentMethodId = c.req.param("id");
 
@@ -559,73 +522,4 @@ portalRouter.delete("/payment-methods/:id", async (c) => {
   const ok = await detachPaymentMethod(paymentMethodId);
   if (!ok) return c.json({ error: "Failed to detach payment method" }, 500);
   return c.json({ ok: true });
-});
-
-// ─── Dev-mode session creation ──────────────────────────────────────────────
-// Allows the dev login selector to vend an impersonation session for a client
-// without requiring manager auth. Only available when AUTH_DISABLED=true.
-
-const devSessionSchema = z.object({
-  clientId: z.string().uuid(),
-});
-
-portalRouter.post(
-  "/dev-session",
-  zValidator("json", devSessionSchema),
-  async (c) => {
-    if (process.env.AUTH_DISABLED !== "true") {
-      return c.json({ error: "Not available when auth is enabled" }, 403);
-    }
-
-    const db = getDb();
-    const body = c.req.valid("json");
-
-    // Verify client exists
-    const [client] = await db
-      .select()
-      .from(clients)
-      .where(eq(clients.id, body.clientId))
-      .limit(1);
-    if (!client) {
-      return c.json({ error: "Client not found" }, 404);
-    }
-
-    // Find a staff record to associate with the dev impersonation session.
-    // Use the demo-manager if it exists (created by seed with known ID),
-    // otherwise fall back to the first active staff record.
-    // This avoids hardcoding a UUID that may not exist in all environments.
-    const DEMO_STAFF_ID = "00000000-0000-0000-0000-000000000001";
-
-    let staffId = DEMO_STAFF_ID;
-    const [demoStaff] = await db
-      .select({ id: staff.id })
-      .from(staff)
-      .where(eq(staff.id, DEMO_STAFF_ID))
-      .limit(1);
-
-    if (!demoStaff) {
-      // Fall back to any active staff member
-      const [firstStaff] = await db
-        .select({ id: staff.id })
-        .from(staff)
-        .where(eq(staff.active, true))
-        .limit(1);
-      if (!firstStaff) {
-        return c.json({ error: "No staff records found. Run the database seed." }, 500);
-      }
-      staffId = firstStaff.id;
-    }
-
-    const [session] = await db
-      .insert(impersonationSessions)
-      .values({
-        staffId,
-        clientId: body.clientId,
-        reason: "dev-mode-client-portal",
-        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours
-      })
-      .returning();
-
-    return c.json(session, 201);
-  }
-);
+});

apps/api/src/routes/settings.ts

@@ -2,7 +2,7 @@ import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import { eq, getDb, businessSettings } from "@groombook/db";
-import { getPresignedUploadUrl, getPresignedGetUrl, deleteObject } from "../lib/s3.js";
+import { getPresignedUploadUrl, getPresignedGetUrl, deleteObject, putObject } from "../lib/s3.js";
 import { requireSuperUser } from "../middleware/rbac.js";
 
 export const settingsRouter = new Hono();
@@ -100,6 +100,77 @@ settingsRouter.post(
   }
 );
 
+/**
+ * POST /api/admin/settings/logo/upload
+ * Proxy upload through the API server to avoid mixed-content issues with
+ * pre-signed URLs that use the internal HTTP endpoint. The file is uploaded
+ * directly to S3 from the server using the internal endpoint.
+ */
+settingsRouter.post("/logo/upload", requireSuperUser(), async (c) => {
+  const db = getDb();
+
+  // Parse multipart form data (file field)
+  const body = await c.req.parseBody({ all: true });
+  const file = body["file"];
+
+  if (!file || !(file instanceof File)) {
+    return c.json({ error: "No file provided" }, 400);
+  }
+
+  const contentType = file.type;
+  if (!ALLOWED_LOGO_TYPES.has(contentType)) {
+    return c.json(
+      {
+        error:
+          "contentType must be one of: image/png, image/svg+xml, image/jpeg, image/webp",
+      },
+      400
+    );
+  }
+
+  const fileSizeBytes = file.size;
+  if (fileSizeBytes > MAX_LOGO_SIZE) {
+    return c.json({ error: "File must not exceed 512 KB" }, 400);
+  }
+
+  const rows = await db.select().from(businessSettings).limit(1);
+  if (!rows[0]) {
+    return c.json({ error: "Settings not found" }, 404);
+  }
+  const settingsId = rows[0].id;
+
+  const ext = contentType.split("/")[1] ?? "png";
+  const key = `logos/${settingsId}/${Date.now()}.${ext}`;
+
+  // Read file into buffer and upload directly to S3 (bypasses pre-signed URL)
+  const arrayBuffer = await file.arrayBuffer();
+  const buffer = Buffer.from(arrayBuffer);
+  await putObject(key, buffer, contentType, fileSizeBytes);
+
+  // Delete previous S3 object if any
+  if (rows[0].logoKey) {
+    await deleteObject(rows[0].logoKey);
+  }
+
+  // Update database with new logo key
+  const [updated] = await db
+    .update(businessSettings)
+    .set({
+      logoKey: key,
+      logoBase64: null,
+      logoMimeType: null,
+      updatedAt: new Date(),
+    })
+    .where(eq(businessSettings.id, settingsId))
+    .returning();
+
+  if (!updated) {
+    return c.json({ error: "Settings not found" }, 404);
+  }
+
+  return c.json({ ok: true, logoKey: updated.logoKey });
+});
+
 /**
  * POST /api/admin/settings/logo/confirm
  * Called after the client has successfully uploaded to the presigned URL.

apps/api/src/services/reminders.ts

@@ -5,6 +5,7 @@ import {
   eq,
   getDb,
   gte,
+  inArray,
   lt,
   appointments,
   clients,
@@ -59,68 +60,77 @@ export async function runReminderCheck(): Promise<void> {
         )
       );
 
+    const appointmentIds: string[] = upcoming.map((a) => a.id as string);
+    if (appointmentIds.length === 0) continue;
+
+    // Bulk check: which appointments already have email and SMS reminders sent?
+    const sentRows = await db
+      .select({ appointmentId: reminderLogs.appointmentId, channel: reminderLogs.channel })
+      .from(reminderLogs)
+      .where(
+        and(
+          eq(reminderLogs.reminderType, window.label),
+          appointmentIds.length === 1
+            ? eq(reminderLogs.appointmentId, appointmentIds[0]!)
+            : inArray(reminderLogs.appointmentId, appointmentIds)
+        )
+      );
+
+    const sentEmail = new Set(
+      sentRows.filter((r) => r.channel === "email").map((r) => r.appointmentId)
+    );
+    const sentSms = new Set(
+      sentRows.filter((r) => r.channel === "sms").map((r) => r.appointmentId)
+    );
+
+    // Bulk JOIN: fetch all client/pet/service/staff data in one query
+    const joinedRows = await db
+      .select({
+        appointmentId: appointments.id,
+        startTime: appointments.startTime,
+        clientId: appointments.clientId,
+        petId: appointments.petId,
+        serviceId: appointments.serviceId,
+        staffId: appointments.staffId,
+        confirmationToken: appointments.confirmationToken,
+        clientName: clients.name,
+        clientEmail: clients.email,
+        clientEmailOptOut: clients.emailOptOut,
+        clientSmsOptIn: clients.smsOptIn,
+        clientPhone: clients.phone,
+        petName: pets.name,
+        serviceName: services.name,
+        staffName: staff.name,
+      })
+      .from(appointments)
+      .innerJoin(clients, eq(appointments.clientId, clients.id))
+      .innerJoin(pets, eq(appointments.petId, pets.id))
+      .innerJoin(services, eq(appointments.serviceId, services.id))
+      .leftJoin(staff, eq(appointments.staffId, staff.id))
+      .where(
+        and(
+          gte(appointments.startTime, windowStart),
+          lt(appointments.startTime, windowEnd),
+          eq(appointments.status, "scheduled")
+        )
+      );
+
+    const appointmentMap = new Map<string, typeof joinedRows[number]>();
+    for (const row of joinedRows) {
+      appointmentMap.set(row.appointmentId, row);
+    }
+
     for (const appt of upcoming) {
-      const [emailLog] = await db
-        .select({ id: reminderLogs.id })
-        .from(reminderLogs)
-        .where(
-          and(
-            eq(reminderLogs.appointmentId, appt.id),
-            eq(reminderLogs.reminderType, window.label),
-            eq(reminderLogs.channel, "email")
-          )
-        )
-        .limit(1);
+      const joined = appointmentMap.get(appt.id as string);
+      if (!joined) continue;
 
-      const [smsLog] = await db
-        .select({ id: reminderLogs.id })
-        .from(reminderLogs)
-        .where(
-          and(
-            eq(reminderLogs.appointmentId, appt.id),
-            eq(reminderLogs.reminderType, window.label),
-            eq(reminderLogs.channel, "sms")
-          )
-        )
-        .limit(1);
+      const { clientName, clientEmail, clientEmailOptOut, clientSmsOptIn, clientPhone, petName, serviceName, staffName } = joined;
 
-      const [client] = await db
-        .select({
-          name: clients.name,
-          email: clients.email,
-          emailOptOut: clients.emailOptOut,
-          smsOptIn: clients.smsOptIn,
-          phone: clients.phone,
-        })
-        .from(clients)
-        .where(eq(clients.id, appt.clientId))
-        .limit(1);
+      if (!clientEmail || clientEmailOptOut) continue;
+      if (!petName || !serviceName) continue;
 
-      if (!client || !client.email || client.emailOptOut) continue;
-
-      const [pet] = await db
-        .select({ name: pets.name })
-        .from(pets)
-        .where(eq(pets.id, appt.petId))
-        .limit(1);
-
-      const [service] = await db
-        .select({ name: services.name })
-        .from(services)
-        .where(eq(services.id, appt.serviceId))
-        .limit(1);
-
-      let groomerName: string | null = null;
-      if (appt.staffId) {
-        const [groomer] = await db
-          .select({ name: staff.name })
-          .from(staff)
-          .where(eq(staff.id, appt.staffId))
-          .limit(1);
-        groomerName = groomer?.name ?? null;
-      }
-
-      if (!pet || !service) continue;
+      const emailSent = sentEmail.has(appt.id as string);
+      const smsSent = sentSms.has(appt.id as string);
 
       let confirmationToken = appt.confirmationToken;
       if (!confirmationToken) {
@@ -131,15 +141,15 @@ export async function runReminderCheck(): Promise<void> {
           .where(eq(appointments.id, appt.id));
       }
 
-      if (!emailLog) {
+      if (!emailSent) {
         const sent = await sendEmail(
           buildReminderEmail(
-            client.email,
+            clientEmail,
             {
-              clientName: client.name,
-              petName: pet.name,
-              serviceName: service.name,
-              groomerName,
+              clientName,
+              petName,
+              serviceName,
+              groomerName: staffName,
               startTime: appt.startTime,
             },
             window.hours,
@@ -155,20 +165,20 @@ export async function runReminderCheck(): Promise<void> {
         }
       }
 
-      if (!smsLog && client.smsOptIn && client.phone) {
+      if (!smsSent && clientSmsOptIn && clientPhone) {
         const apiUrl = process.env.API_URL ?? "http://localhost:3000";
         const confirmUrl = `${apiUrl}/api/book/confirm/${confirmationToken}`;
         const cancelUrl = `${apiUrl}/api/book/cancel/${confirmationToken}`;
         const when = window.hours >= 24 ? "tomorrow" : `in ${window.hours} hours`;
         const smsBody = [
-          `Hi ${client.name}, just a reminder: ${pet.name}'s grooming appointment is ${when}.`,
-          `Service: ${service.name}${groomerName ? ` with ${groomerName}` : ""}`,
+          `Hi ${clientName}, just a reminder: ${petName}'s grooming appointment is ${when}.`,
+          `Service: ${serviceName}${staffName ? ` with ${staffName}` : ""}`,
           `Confirm: ${confirmUrl}`,
           `Cancel: ${cancelUrl}`,
           TCPA_OPT_OUT,
         ].join(". ");
         try {
-          const smsOk = await smsSend(client.phone, smsBody);
+          const smsOk = await smsSend(clientPhone, smsBody);
           if (smsOk) {
             await db
               .insert(reminderLogs)

apps/e2e/tests/clients.spec.ts

@@ -63,3 +63,52 @@ test("clicking a client shows their details", async ({ page }) => {
   // Email appears in both the list row and the detail panel once selected
   await expect(page.getByText("alice@example.com")).toHaveCount(2);
 });
+
+test("direct URL navigation to client detail fetches data and renders client name", async ({ page }) => {
+  // Mock individual client fetch for direct navigation
+  await page.route("/api/clients/client-1", (route) =>
+    route.fulfill({ json: MOCK_CLIENTS[0] })
+  );
+  // Mock pets for this client
+  await page.route("/api/pets**", (route) =>
+    route.fulfill({ json: [] })
+  );
+
+  await page.goto("/admin/clients/client-1");
+  // Client name must be visible without any clicking
+  await expect(page.getByText("Alice Johnson")).toBeVisible();
+  // Should show back to list link
+  await expect(page.getByText("← Back to list")).toBeVisible();
+});
+
+test("direct URL navigation shows loading then client", async ({ page }) => {
+  let resolvePets: (value: unknown) => void;
+  const petsPromise = new Promise((resolve) => { resolvePets = resolve; });
+
+  await page.route("/api/clients/client-1", (route) =>
+    route.fulfill({ json: MOCK_CLIENTS[0] })
+  );
+  await page.route("/api/pets**", async (route) => {
+    await petsPromise;
+    await route.fulfill({ json: [] });
+  });
+
+  const navigationPromise = page.goto("/admin/clients/client-1");
+  // Should show loading state briefly
+  await expect(page.getByText("Loading client…")).toBeVisible();
+  // Resolve pets and wait for navigation
+  resolvePets!();
+  await navigationPromise;
+  // After data loads, client name is shown
+  await expect(page.getByText("Alice Johnson")).toBeVisible();
+});
+
+test("direct URL navigation shows error state on failure", async ({ page }) => {
+  await page.route("/api/clients/nonexistent", (route) =>
+    route.fulfill({ status: 404, json: { error: "Client not found" } })
+  );
+
+  await page.goto("/admin/clients/nonexistent");
+  await expect(page.getByText(/client not found/i)).toBeVisible();
+  await expect(page.getByText("← Back to clients")).toBeVisible();
+});

apps/web/e2e/playwright.config.ts

@@ -3,7 +3,7 @@ import { defineConfig, devices } from "@playwright/test";
 /**
  * Playwright configuration for GroomBook Web E2E tests.
  *
- * Targets the deployed dev environment at groombook.dev.farh.net.
+ * Targets the deployed dev environment at dev.groombook.dev.
  * Uses the dev login selector (/login) for authentication — no hardcoded credentials.
  *
  * Run locally:
@@ -19,7 +19,7 @@ export default defineConfig({
   reporter: process.env.CI ? "github" : "list",
 
   use: {
-    baseURL: "https://groombook.dev.farh.net",
+    baseURL: "https://dev.groombook.dev",
     trace: "on-first-retry",
     screenshot: "only-on-failure",
     serviceWorkers: "block",

apps/web/src/App.tsx

@@ -2,6 +2,7 @@ import { Routes, Route, Link, useLocation, Navigate, useNavigate } from "react-r
 import { useEffect, useState } from "react";
 import { AppointmentsPage } from "./pages/Appointments.js";
 import { ClientsPage } from "./pages/Clients.js";
+import { ClientDetailPage } from "./pages/ClientDetailPage.js";
 import { ServicesPage } from "./pages/Services.js";
 import { StaffPage } from "./pages/Staff.js";
 import { InvoicesPage } from "./pages/Invoices.js";
@@ -12,7 +13,7 @@ import { SettingsPage } from "./pages/Settings.js";
 import { BookingConfirmedPage } from "./pages/BookingConfirmed.js";
 import { BookingCancelledPage } from "./pages/BookingCancelled.js";
 import { BookingErrorPage } from "./pages/BookingError.js";
-import { SetupWizard } from "./pages/SetupWizard.jsx";
+import { SetupWizard } from "./pages/SetupWizard.tsx";
 import { CustomerPortal } from "./portal/CustomerPortal.js";
 import { DevLoginSelector, getDevUser } from "./pages/DevLoginSelector.js";
 import { DevSessionIndicator } from "./components/DevSessionIndicator.js";
@@ -296,6 +297,7 @@ function AdminLayout() {
         <Routes>
           <Route path="/" element={<AppointmentsPage />} />
           <Route path="/clients" element={<ClientsPage />} />
+          <Route path="/clients/:clientId" element={<ClientDetailPage />} />
           <Route path="/services" element={<ServicesPage />} />
           <Route path="/staff" element={<StaffPage />} />
           <Route path="/invoices" element={<InvoicesPage />} />

apps/web/src/__tests__/Appointments.test.tsx

@@ -93,7 +93,7 @@ describe("CustomerNotesSection", () => {
         "/api/portal/appointments/appt-1/notes",
         expect.objectContaining({
           headers: expect.objectContaining({
-            "Authorization": "Bearer test-session-id",
+            "X-Impersonation-Session-Id": "test-session-id",
           }),
         })
       );
@@ -269,7 +269,7 @@ describe("ConfirmationSection", () => {
         "/api/portal/appointments/appt-1/confirm",
         expect.objectContaining({
           headers: expect.objectContaining({
-            "Authorization": "Bearer test-session-id",
+            "X-Impersonation-Session-Id": "test-session-id",
           }),
         })
       );

apps/web/src/components/GlobalSearch.tsx

@@ -26,6 +26,7 @@ export function GlobalSearch() {
   const [query, setQuery] = useState("");
   const [results, setResults] = useState<SearchResults | null>(null);
   const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
   const [open, setOpen] = useState(false);
   const inputRef = useRef<HTMLInputElement>(null);
   const dropdownRef = useRef<HTMLDivElement>(null);
@@ -45,15 +46,18 @@ export function GlobalSearch() {
 
     debounceRef.current = setTimeout(async () => {
       setLoading(true);
+      setError(null);
       try {
         const res = await fetch(`/api/search?q=${encodeURIComponent(trimmed)}`);
         if (res.ok) {
           const data: SearchResults = await res.json();
           setResults(data);
           setOpen(true);
+        } else {
+          setError("Search failed. Please try again.");
         }
-      } catch (err) {
-        console.warn("GlobalSearch: fetch error", err);
+      } catch {
+        setError("Search failed. Please try again.");
       } finally {
         setLoading(false);
       }
@@ -160,7 +164,13 @@ export function GlobalSearch() {
             </div>
           )}
 
-          {!loading && !hasResults && (
+          {!loading && error && (
+            <div style={{ padding: "12px 16px", fontSize: 13, color: "#dc2626" }}>
+              {error}
+            </div>
+          )}
+
+          {!loading && !error && !hasResults && (
             <div style={{ padding: "12px 16px", fontSize: 13, color: "#6b7280" }}>
               No results found
             </div>

apps/web/src/components/PetPhotoUpload.tsx

@@ -71,6 +71,12 @@ export function PetPhotoUpload({ petId, onUploaded }: Props) {
   }
 
   async function handleFile(file: File) {
+    const MAX_FILE_SIZE = 50 * 1024 * 1024;
+    if (file.size > MAX_FILE_SIZE) {
+      setState({ status: "error", message: "File exceeds 50MB limit. Please choose a smaller image." });
+      return;
+    }
+
     if (!ACCEPTED_TYPES.includes(file.type)) {
       setState({ status: "error", message: "Please select a JPEG, PNG, WebP, or GIF image." });
       return;

apps/web/src/pages/Appointments.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState, useCallback } from "react";
+import { useEffect, useState, useCallback, useRef } from "react";
 import type { Appointment, Client, Pet, Service, Staff } from "@groombook/types";
 
 // ─── Helpers ────────────────────────────────────────────────────────────────
@@ -273,7 +273,15 @@ export function AppointmentsPage() {
       cascade !== "this_only"
         ? `/api/appointments/${id}?cascade=${cascade}`
         : `/api/appointments/${id}`;
-    await fetch(url, { method: "DELETE" });
+    try {
+      const res = await fetch(url, { method: "DELETE" });
+      if (!res.ok) {
+        const err = (await res.json()) as { error?: string };
+        throw new Error(err.error ?? `HTTP ${res.status}`);
+      }
+    } catch (e: unknown) {
+      alert(e instanceof Error ? e.message : "Failed to delete appointment");
+    }
     setSelectedAppt(null);
     await loadAppointments();
   }
@@ -819,8 +827,49 @@ function AppointmentDetail({
 }
 
 function Modal({ children, onClose }: { children: React.ReactNode; onClose: () => void }) {
+  const modalRef = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    const previouslyFocused = document.activeElement as HTMLElement;
+    const focusableSelectors = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+    const focusableElements = modalRef.current?.querySelectorAll<HTMLElement>(focusableSelectors);
+    const firstFocusable = focusableElements?.[0];
+    firstFocusable?.focus();
+
+    function handleKeyDown(e: KeyboardEvent) {
+      if (e.key === "Escape") {
+        onClose();
+        return;
+      }
+      if (e.key !== "Tab") return;
+      if (!modalRef.current) return;
+      const focusables = modalRef.current.querySelectorAll<HTMLElement>(focusableSelectors);
+      const first = focusables[0];
+      const last = focusables[focusables.length - 1];
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last?.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first?.focus();
+        }
+      }
+    }
+
+    document.addEventListener("keydown", handleKeyDown);
+    return () => {
+      document.removeEventListener("keydown", handleKeyDown);
+      previouslyFocused?.focus();
+    };
+  }, [onClose]);
+
   return (
     <div
+      role="dialog"
+      aria-modal="true"
       style={{
         position: "fixed",
         inset: 0,
@@ -833,6 +882,7 @@ function Modal({ children, onClose }: { children: React.ReactNode; onClose: () =
       onClick={(e) => { if (e.target === e.currentTarget) onClose(); }}
     >
       <div
+        ref={modalRef}
         style={{
           background: "#fff",
           borderRadius: 8,

apps/web/src/pages/ClientDetailPage.tsx

@@ -0,0 +1,236 @@
+import { useEffect, useState, useCallback } from "react";
+import { useParams, Link } from "react-router-dom";
+import type { Client, GroomingVisitLog, Pet } from "@groombook/types";
+import { PetPhotoDisplay } from "../components/PetPhotoDisplay.js";
+import { PetPhotoUpload } from "../components/PetPhotoUpload.js";
+
+export function ClientDetailPage() {
+  const { clientId } = useParams<{ clientId: string }>();
+  const [client, setClient] = useState<Client | null>(null);
+  const [pets, setPets] = useState<Pet[]>([]);
+  const [visitLogs, setVisitLogs] = useState<Record<string, GroomingVisitLog[]>>({});
+  const [logsLoading, setLogsLoading] = useState<Record<string, boolean>>({});
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [photoRevisions, setPhotoRevisions] = useState<Record<string, number>>({});
+
+  const handlePhotoUploaded = useCallback((petId: string) => {
+    setPhotoRevisions((prev) => ({ ...prev, [petId]: (prev[petId] ?? 0) + 1 }));
+  }, []);
+
+  useEffect(() => {
+    if (!clientId) {
+      setError("No client ID provided");
+      setLoading(false);
+      return;
+    }
+
+    async function load() {
+      const id = clientId!;
+      setLoading(true);
+      setError(null);
+      try {
+        const [clientRes, petsRes] = await Promise.all([
+          fetch(`/api/clients/${encodeURIComponent(id)}`),
+          fetch(`/api/pets?clientId=${encodeURIComponent(id)}`),
+        ]);
+
+        if (!clientRes.ok) {
+          const err = await clientRes.json().catch(() => ({})) as { error?: string };
+          throw new Error(err.error ?? `Client fetch failed: ${clientRes.status}`);
+        }
+        if (!petsRes.ok) {
+          throw new Error(`Pets fetch failed: ${petsRes.status}`);
+        }
+
+        setClient(await clientRes.json() as Client);
+        setPets(await petsRes.json() as Pet[]);
+      } catch (e) {
+        setError(e instanceof Error ? e.message : "Failed to load client");
+      } finally {
+        setLoading(false);
+      }
+    }
+
+    void load();
+  }, [clientId]);
+
+  async function loadVisitLogs(petId: string) {
+    setLogsLoading((prev) => ({ ...prev, [petId]: true }));
+    const r = await fetch(`/api/grooming-logs?petId=${encodeURIComponent(petId)}`);
+    if (r.ok) {
+      const logs = await r.json() as GroomingVisitLog[];
+      setVisitLogs((prev) => ({ ...prev, [petId]: logs }));
+    }
+    setLogsLoading((prev) => ({ ...prev, [petId]: false }));
+  }
+
+  if (loading) {
+    return (
+      <div style={{ padding: "2rem", textAlign: "center", color: "#6b7280", fontFamily: "system-ui, sans-serif" }}>
+        Loading client…
+      </div>
+    );
+  }
+
+  if (error || !client) {
+    return (
+      <div style={{ padding: "2rem", fontFamily: "system-ui, sans-serif" }}>
+        <div style={{ marginBottom: "1rem" }}>
+          <Link to="/admin/clients" style={{ color: "#4f8a6f", fontSize: 13 }}>← Back to clients</Link>
+        </div>
+        <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 8, padding: "1rem", color: "#991b1b" }}>
+          {error ?? "Client not found"}
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div style={{ fontFamily: "system-ui, sans-serif" }}>
+      {/* Header */}
+      <div style={{ display: "flex", alignItems: "flex-start", marginBottom: "1.5rem", gap: "1rem" }}>
+        <div style={{ flex: 1 }}>
+          <div style={{ display: "flex", alignItems: "center", gap: "0.75rem", marginBottom: "0.25rem" }}>
+            <h1 style={{ margin: 0, fontSize: 22 }}>{client.name}</h1>
+            {client.status === "disabled" && (
+              <span style={{ fontSize: 12, background: "#fef2f2", color: "#dc2626", padding: "0.15rem 0.5rem", borderRadius: 4, fontWeight: 500 }}>
+                Disabled
+              </span>
+            )}
+          </div>
+          {client.email && <div style={{ fontSize: 14, color: "#6b7280" }}>{client.email}</div>}
+          {client.phone && <div style={{ fontSize: 14, color: "#6b7280" }}>{client.phone}</div>}
+          {client.address && <div style={{ fontSize: 13, color: "#6b7280" }}>{client.address}</div>}
+          {client.notes && (
+            <div style={{ fontSize: 13, marginTop: "0.4rem", background: "#fef9c3", padding: "0.4rem 0.6rem", borderRadius: 4, maxWidth: 500 }}>
+              {client.notes}
+            </div>
+          )}
+        </div>
+        <Link
+          to="/admin/clients"
+          style={{
+            padding: "0.4rem 0.85rem",
+            border: "1px solid #d1d5db",
+            borderRadius: 6,
+            background: "#fff",
+            color: "#374151",
+            fontSize: 13,
+            fontWeight: 500,
+            textDecoration: "none",
+            flexShrink: 0,
+          }}
+        >
+          ← Back to list
+        </Link>
+      </div>
+
+      {/* Pets */}
+      <div style={{ display: "flex", alignItems: "center", gap: "0.75rem", marginBottom: "0.75rem" }}>
+        <h2 style={{ margin: 0, fontSize: 18 }}>Pets</h2>
+      </div>
+
+      {pets.length === 0 ? (
+        <p style={{ color: "#6b7280", fontSize: 14 }}>No pets on file for this client.</p>
+      ) : (
+        <div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fill, minmax(260px, 1fr))", gap: "0.75rem" }}>
+          {pets.map((p) => (
+            <div key={p.id} style={{ border: "1px solid #e5e7eb", borderRadius: 10, padding: "0.85rem", background: "#fff", boxShadow: "0 1px 3px rgba(0, 0, 0, 0.04)" }}>
+              {/* Photo + header */}
+              <div style={{ display: "flex", gap: "0.75rem", marginBottom: "0.4rem" }}>
+                <PetPhotoDisplay
+                  petId={p.id}
+                  size={56}
+                  key={`${p.id}-photo-${photoRevisions[p.id] ?? 0}`}
+                />
+                <div style={{ flex: 1, minWidth: 0 }}>
+                  <div style={{ display: "flex", justifyContent: "space-between", alignItems: "flex-start" }}>
+                    <strong style={{ fontSize: 15 }}>{p.name}</strong>
+                  </div>
+                  <div style={{ fontSize: 13, color: "#6b7280", marginTop: "0.15rem" }}>
+                    {p.species}{p.breed ? ` · ${p.breed}` : ""}
+                  </div>
+                  {p.weightKg != null && <div style={{ fontSize: 12, color: "#6b7280" }}>{p.weightKg} kg</div>}
+                  {p.dateOfBirth && <div style={{ fontSize: 12, color: "#6b7280" }}>Born {new Date(p.dateOfBirth).toLocaleDateString()}</div>}
+                  <div style={{ marginTop: "0.3rem" }}>
+                    <PetPhotoUpload petId={p.id} onUploaded={() => handlePhotoUploaded(p.id)} />
+                  </div>
+                </div>
+              </div>
+
+              {p.healthAlerts && (
+                <div style={{ fontSize: 12, marginTop: "0.35rem", background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 4, padding: "0.3rem 0.5rem", color: "#dc2626" }}>
+                  <span style={{ fontWeight: 600 }}>⚠ Health alerts:</span> {p.healthAlerts}
+                </div>
+              )}
+
+              {/* Grooming preferences */}
+              {(p.cutStyle || p.shampooPreference || p.specialCareNotes || p.groomingNotes) && (
+                <div style={{ marginTop: "0.5rem", borderTop: "1px solid #f3f4f6", paddingTop: "0.4rem" }}>
+                  {p.cutStyle && (
+                    <div style={{ fontSize: 12, color: "#374151" }}>
+                      <span style={{ fontWeight: 600 }}>Cut:</span> {p.cutStyle}
+                    </div>
+                  )}
+                  {p.shampooPreference && (
+                    <div style={{ fontSize: 12, color: "#374151" }}>
+                      <span style={{ fontWeight: 600 }}>Shampoo:</span> {p.shampooPreference}
+                    </div>
+                  )}
+                  {p.specialCareNotes && (
+                    <div style={{ fontSize: 12, marginTop: "0.2rem", background: "#fffbeb", border: "1px solid #fde68a", borderRadius: 4, padding: "0.3rem 0.5rem", color: "#92400e" }}>
+                      <span style={{ fontWeight: 600 }}>Special care:</span> {p.specialCareNotes}
+                    </div>
+                  )}
+                  {p.groomingNotes && (
+                    <div style={{ fontSize: 12, marginTop: "0.2rem", color: "#374151" }}>
+                      <span style={{ fontWeight: 600 }}>Notes:</span> {p.groomingNotes}
+                    </div>
+                  )}
+                </div>
+              )}
+
+              {/* Visit history */}
+              {(() => {
+                const logs = visitLogs[p.id];
+                const loadingLogs = logsLoading[p.id];
+                return (
+                  <div style={{ marginTop: "0.5rem", borderTop: "1px solid #f3f4f6", paddingTop: "0.4rem" }}>
+                    <div style={{ display: "flex", alignItems: "center", justifyContent: "space-between", marginBottom: "0.25rem" }}>
+                      <div style={{ fontSize: 11, fontWeight: 600, color: "#6b7280" }}>VISIT HISTORY</div>
+                      {!logs && !loadingLogs && (
+                        <button
+                          onClick={() => { void loadVisitLogs(p.id); }}
+                          style={{ fontSize: 11, color: "#4f8a6f", background: "none", border: "none", cursor: "pointer", padding: 0 }}
+                        >
+                          Load history
+                        </button>
+                      )}
+                    </div>
+                    {loadingLogs && <div style={{ fontSize: 11, color: "#9ca3af" }}>Loading…</div>}
+                    {logs && logs.length === 0 && <div style={{ fontSize: 11, color: "#9ca3af" }}>No visits yet</div>}
+                    {logs && logs.length > 0 && (
+                      <>
+                        {logs.slice(0, 3).map((log) => (
+                          <div key={log.id} style={{ fontSize: 11, color: "#374151", marginBottom: "0.2rem", borderLeft: "2px solid #e2e8f0", paddingLeft: "0.4rem" }}>
+                            <span style={{ color: "#6b7280" }}>{new Date(log.groomedAt).toLocaleDateString()}</span>
+                            {log.cutStyle && <span> · {log.cutStyle}</span>}
+                            {log.notes && <span> · {log.notes}</span>}
+                          </div>
+                        ))}
+                        {logs.length > 3 && (
+                          <div style={{ fontSize: 11, color: "#6b7280" }}>+{logs.length - 3} more visits</div>
+                        )}
+                      </>
+                    )}
+                  </div>
+                );
+              })()}
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}

apps/web/src/pages/Clients.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState, useCallback, useRef } from "react";
+import { useEffect, useState, useCallback, useRef, useId } from "react";
 import { useSearchParams } from "react-router-dom";
 import type { Client, GroomingVisitLog, Pet } from "@groombook/types";
 import { PetPhotoDisplay } from "../components/PetPhotoDisplay.js";
@@ -647,8 +647,7 @@ export function ClientsPage() {
 
       {/* ── Client modal ── */}
       {showClientForm && (
-        <Modal onClose={() => setShowClientForm(false)}>
-          <h2 style={{ marginTop: 0 }}>{editingClient ? "Edit Client" : "New Client"}</h2>
+        <Modal title={editingClient ? "Edit Client" : "New Client"} onClose={() => setShowClientForm(false)}>
           <form onSubmit={submitClient}>
             <Field label="Full name">
               <input value={clientForm.name} onChange={(e) => setClientForm((f) => ({ ...f, name: e.target.value }))} required style={inputStyle} />
@@ -678,8 +677,7 @@ export function ClientsPage() {
 
       {/* ── Pet modal ── */}
       {showPetForm && (
-        <Modal onClose={() => setShowPetForm(false)}>
-          <h2 style={{ marginTop: 0 }}>{editingPet ? "Edit Pet" : "Add Pet"}</h2>
+        <Modal title={editingPet ? "Edit Pet" : "Add Pet"} onClose={() => setShowPetForm(false)}>
           <form onSubmit={submitPet}>
             <Field label="Pet name">
               <input value={petForm.name} onChange={(e) => setPetForm((f) => ({ ...f, name: e.target.value }))} required style={inputStyle} />
@@ -753,8 +751,7 @@ export function ClientsPage() {
 
       {/* ── Visit log modal ── */}
       {showLogForm && logPetId && (
-        <Modal onClose={() => setShowLogForm(false)}>
-          <h2 style={{ marginTop: 0 }}>Log Grooming Visit</h2>
+        <Modal title="Log Grooming Visit" onClose={() => setShowLogForm(false)}>
           {logsLoading[logPetId] && <p style={{ fontSize: 13, color: "#6b7280" }}>Loading history…</p>}
           {visitLogs[logPetId] && visitLogs[logPetId].length > 0 && (
             <div style={{ marginBottom: "1rem" }}>
@@ -817,8 +814,7 @@ export function ClientsPage() {
 
       {/* ── Delete confirmation modal ── */}
       {showDeleteConfirm && selectedClient && (
-        <Modal onClose={() => setShowDeleteConfirm(false)}>
-          <h2 style={{ marginTop: 0, color: "#dc2626" }}>Permanently Delete Client</h2>
+        <Modal title="Permanently Delete Client" titleStyle={{ color: "#dc2626" }} onClose={() => setShowDeleteConfirm(false)}>
           <p style={{ fontSize: 14, color: "#374151" }}>
             This will permanently delete <strong>{selectedClient.name}</strong> and all their pets. This action cannot be undone.
           </p>
@@ -856,13 +852,60 @@ export function ClientsPage() {
 
 // ─── Shared UI ───────────────────────────────────────────────────────────────
 
-function Modal({ children, onClose }: { children: React.ReactNode; onClose: () => void }) {
+function Modal({ children, onClose, title, titleStyle }: { children: React.ReactNode; onClose: () => void; title: string; titleStyle?: React.CSSProperties }) {
+  const titleId = useId();
+  const modalRef = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    const previouslyFocused = document.activeElement as HTMLElement;
+    const focusableSelectors = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+    const focusableElements = modalRef.current?.querySelectorAll<HTMLElement>(focusableSelectors);
+    const firstFocusable = focusableElements?.[0];
+    firstFocusable?.focus();
+
+    function handleKeyDown(e: KeyboardEvent) {
+      if (e.key === "Escape") {
+        onClose();
+        return;
+      }
+      if (e.key !== "Tab") return;
+      if (!modalRef.current) return;
+      const focusables = modalRef.current.querySelectorAll<HTMLElement>(focusableSelectors);
+      const first = focusables[0];
+      const last = focusables[focusables.length - 1];
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last?.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first?.focus();
+        }
+      }
+    }
+
+    document.addEventListener("keydown", handleKeyDown);
+    return () => {
+      document.removeEventListener("keydown", handleKeyDown);
+      previouslyFocused?.focus();
+    };
+  }, [onClose]);
+
   return (
     <div
       style={{ position: "fixed", inset: 0, background: "rgba(0,0,0,0.45)", display: "flex", alignItems: "center", justifyContent: "center", zIndex: 100 }}
       onClick={(e) => { if (e.target === e.currentTarget) onClose(); }}
     >
-      <div style={{ background: "#fff", borderRadius: 8, padding: "1.5rem", maxWidth: 480, width: "calc(100% - 2rem)", maxHeight: "90vh", overflowY: "auto", boxShadow: "0 20px 60px rgba(0,0,0,0.3)" }}>
+      <div
+        ref={modalRef}
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby={titleId}
+        style={{ background: "#fff", borderRadius: 8, padding: "1.5rem", maxWidth: 480, width: "calc(100% - 2rem)", maxHeight: "90vh", overflowY: "auto", boxShadow: "0 20px 60px rgba(0,0,0,0.3)" }}
+      >
+        <h2 id={titleId} style={{ marginTop: 0, ...titleStyle }}>{title}</h2>
         {children}
       </div>
     </div>

apps/web/src/pages/Invoices.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState } from "react";
+import { useEffect, useState, useRef } from "react";
 import type { Invoice, Client, Appointment, Service, Staff, InvoiceTipSplit } from "@groombook/types";
 
 // ─── Types ────────────────────────────────────────────────────────────────────
@@ -211,36 +211,41 @@ function InvoiceDetailModal({
     setSaving(true);
     setError(null);
     const tipCents = Math.round(parseFloat(tipStr) * 100) || 0;
+    // Real-time validation: prevent submit if tip splits don't sum to 100%
+    if (showSplits && tipCents > 0 && tipSplits.length > 0) {
+      const totalPct = tipSplits.reduce((s, r) => s + r.pct, 0);
+      if (Math.abs(totalPct - 100) >= 0.01) {
+        setError("Tip split percentages must sum to 100%");
+        setSaving(false);
+        return;
+      }
+    }
     try {
+      const patchBody: {
+        status: string;
+        paymentMethod: string;
+        tipCents: number;
+        tipSplits?: Array<{ staffId: string | null; staffName: string; sharePct: number }>;
+      } = { status: "paid", paymentMethod, tipCents };
+
+      if (showSplits && tipCents > 0 && tipSplits.length > 0) {
+        patchBody.tipSplits = tipSplits.map((r) => ({
+          staffId: r.staffId,
+          staffName: r.staffName,
+          sharePct: r.pct,
+        }));
+      }
+
       const res = await fetch(`/api/invoices/${invoice.id}`, {
         method: "PATCH",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ status: "paid", paymentMethod, tipCents }),
+        body: JSON.stringify(patchBody),
       });
       if (!res.ok) {
         const err = (await res.json()) as { error?: string };
         throw new Error(err.error ?? `HTTP ${res.status}`);
       }
 
-      // Save tip splits if applicable and tip > 0
-      if (showSplits && tipCents > 0 && tipSplits.length > 0) {
-        const totalPct = tipSplits.reduce((s, r) => s + r.pct, 0);
-        if (Math.abs(totalPct - 100) < 0.01) {
-          const splitsRes = await fetch(`/api/invoices/${invoice.id}/tip-splits`, {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify({
-              splits: tipSplits.map((r) => ({
-                staffId: r.staffId,
-                staffName: r.staffName,
-                sharePct: r.pct,
-              })),
-            }),
-          });
-          if (!splitsRes.ok) console.warn("Tip split save failed (non-blocking)");
-        }
-      }
-
       onUpdated();
     } catch (e: unknown) {
       setError(e instanceof Error ? e.message : "Failed to update");
@@ -677,19 +682,63 @@ export function InvoicesPage() {
 // ─── Shared UI helpers ────────────────────────────────────────────────────────
 
 function Modal({ children, onClose }: { children: React.ReactNode; onClose: () => void }) {
+  const modalRef = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    const previouslyFocused = document.activeElement as HTMLElement;
+    const focusableSelectors = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+    const focusableElements = modalRef.current?.querySelectorAll<HTMLElement>(focusableSelectors);
+    const firstFocusable = focusableElements?.[0];
+    firstFocusable?.focus();
+
+    function handleKeyDown(e: KeyboardEvent) {
+      if (e.key === "Escape") {
+        onClose();
+        return;
+      }
+      if (e.key !== "Tab") return;
+      if (!modalRef.current) return;
+      const focusables = modalRef.current.querySelectorAll<HTMLElement>(focusableSelectors);
+      const first = focusables[0];
+      const last = focusables[focusables.length - 1];
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last?.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first?.focus();
+        }
+      }
+    }
+
+    document.addEventListener("keydown", handleKeyDown);
+    return () => {
+      document.removeEventListener("keydown", handleKeyDown);
+      previouslyFocused?.focus();
+    };
+  }, [onClose]);
+
   return (
     <div
+      role="dialog"
+      aria-modal="true"
       style={{
         position: "fixed", inset: 0, background: "rgba(0,0,0,0.45)",
         display: "flex", alignItems: "center", justifyContent: "center", zIndex: 100,
       }}
       onClick={(e) => { if (e.target === e.currentTarget) onClose(); }}
     >
-      <div style={{
-        background: "#fff", borderRadius: 8, padding: "1.5rem",
-        maxWidth: 520, width: "calc(100% - 2rem)", maxHeight: "90vh", overflowY: "auto",
-        boxShadow: "0 20px 60px rgba(0,0,0,0.3)",
-      }}>
+      <div
+        ref={modalRef}
+        style={{
+          background: "#fff", borderRadius: 8, padding: "1.5rem",
+          maxWidth: 520, width: "calc(100% - 2rem)", maxHeight: "90vh", overflowY: "auto",
+          boxShadow: "0 20px 60px rgba(0,0,0,0.3)",
+        }}
+      >
         {children}
       </div>
     </div>

apps/web/src/pages/Reports.tsx

@@ -199,11 +199,11 @@ export function ReportsPage() {
       }
 
       const [summData, revData, apptData, svcData, clientData] = await Promise.all([
-        summRes.json() as Promise<Summary>,
-        revRes.json() as Promise<{ byPeriod: RevenuePeriod[]; byGroomer: RevenueByGroomer[] }>,
-        apptRes.json() as Promise<{ byPeriod: ApptPeriod[] }>,
-        svcRes.json() as Promise<{ rows: ServiceRow[] }>,
-        clientRes.json() as Promise<ClientReport>,
+        summRes.ok ? summRes.json() as Promise<Summary> : summRes.text().then(() => { throw new Error("summary response not ok"); }),
+        revRes.ok ? revRes.json() as Promise<{ byPeriod: RevenuePeriod[]; byGroomer: RevenueByGroomer[] }> : revRes.text().then(() => { throw new Error("revenue response not ok"); }),
+        apptRes.ok ? apptRes.json() as Promise<{ byPeriod: ApptPeriod[] }> : apptRes.text().then(() => { throw new Error("appointments response not ok"); }),
+        svcRes.ok ? svcRes.json() as Promise<{ rows: ServiceRow[] }> : svcRes.text().then(() => { throw new Error("services response not ok"); }),
+        clientRes.ok ? clientRes.json() as Promise<ClientReport> : clientRes.text().then(() => { throw new Error("clients response not ok"); }),
       ]);
 
       setSummary(summData);

apps/web/src/pages/Settings.tsx

@@ -27,6 +27,8 @@ interface AuthProviderForm {
 
 const REDACTED = "••••••••";
 
+const ALLOWED_LOGO_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
+
 interface CurrentUser {
   id: string;
   name: string;
@@ -149,53 +151,35 @@ export function SettingsPage() {
       return;
     }
 
-    const validTypes = ["image/png", "image/svg+xml", "image/jpeg", "image/webp"];
+    const validTypes = ["image/png", "image/jpeg", "image/gif", "image/webp"];
     if (!validTypes.includes(file.type)) {
-      setMessage({ type: "error", text: "Logo must be PNG, SVG, JPEG, or WebP." });
+      setMessage({ type: "error", text: "Logo must be PNG, JPEG, GIF, or WebP." });
       return;
     }
 
     try {
-      // Step 1: Get presigned upload URL
-      const uploadRes = await fetch("/api/admin/settings/logo/upload-url", {
+      // Upload directly through the API server to avoid mixed-content issues
+      // with pre-signed URLs that use the internal HTTP endpoint
+      const formData = new FormData();
+      formData.append("file", file);
+
+      const uploadRes = await fetch("/api/admin/settings/logo/upload", {
         method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ contentType: file.type, fileSizeBytes: file.size }),
+        body: formData,
       });
       if (!uploadRes.ok) {
         const err = await uploadRes.json().catch(() => null);
-        throw new Error(err?.error ?? "Failed to get upload URL");
+        throw new Error(err?.error ?? "Failed to upload logo");
       }
-      const { uploadUrl, key } = await uploadRes.json();
+      const { logoKey } = await uploadRes.json();
 
-      // Step 2: PUT the file directly to S3
-      const putRes = await fetch(uploadUrl, {
-        method: "PUT",
-        headers: { "Content-Type": file.type },
-        body: file,
-      });
-      if (!putRes.ok) {
-        throw new Error("Failed to upload logo to storage");
-      }
-
-      // Step 3: Confirm the upload
-      const confirmRes = await fetch("/api/admin/settings/logo/confirm", {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ key }),
-      });
-      if (!confirmRes.ok) {
-        const err = await confirmRes.json().catch(() => null);
-        throw new Error(err?.error ?? "Failed to confirm logo upload");
-      }
-
-      // Step 4: Fetch the presigned GET URL for display
+      // Fetch the presigned GET URL for display
       const logoRes = await fetch("/api/admin/settings/logo");
       if (logoRes.ok) {
         const logoData = await logoRes.json();
-        setForm((f) => ({ ...f, logoKey: key, logoUrl: logoData.url, logoBase64: null, logoMimeType: null }));
+        setForm((f) => ({ ...f, logoKey, logoUrl: logoData.url, logoBase64: null, logoMimeType: null }));
       } else {
-        setForm((f) => ({ ...f, logoKey: key, logoUrl: null, logoBase64: null, logoMimeType: null }));
+        setForm((f) => ({ ...f, logoKey, logoUrl: null, logoBase64: null, logoMimeType: null }));
       }
       setMessage({ type: "success", text: "Logo uploaded." });
       refresh();
@@ -326,7 +310,7 @@ issuerUrl: authForm.issuerUrl,
 
   if (!loaded) return <p>Loading settings...</p>;
 
-  const logoSrc = form.logoUrl ?? (form.logoBase64 && form.logoMimeType ? `data:${form.logoMimeType};base64,${form.logoBase64}` : null);
+  const logoSrc = form.logoUrl ?? (form.logoBase64 && form.logoMimeType && ALLOWED_LOGO_TYPES.has(form.logoMimeType) ? `data:${form.logoMimeType};base64,${form.logoBase64}` : null);
 
   return (
     <div style={{ maxWidth: 600 }}>
@@ -393,7 +377,7 @@ issuerUrl: authForm.issuerUrl,
             <input
               ref={fileInputRef}
               type="file"
-              accept="image/png,image/svg+xml,image/jpeg,image/webp"
+              accept="image/png,image/jpeg,image/gif,image/webp"
               onChange={handleLogoChange}
               style={{ display: "none" }}
             />

apps/web/src/pages/SetupWizard.d.ts

@@ -1 +1 @@
-export { SetupWizard } from "./SetupWizard.jsx";
+export { SetupWizard } from "./SetupWizard.tsx";

apps/web/src/pages/SetupWizard.tsx

@@ -2,16 +2,39 @@ import { useState, useEffect } from "react";
 import { useNavigate } from "react-router-dom";
 import { useBranding } from "../BrandingContext.js";
 
-export function SetupWizard({ onSetupComplete }) {
+interface SetupStatus {
+  showAuthProviderStep?: boolean;
+}
+
+interface TestResult {
+  ok: boolean;
+  error?: string;
+}
+
+interface AuthFormState {
+  providerId: string;
+  displayName: string;
+  issuerUrl: string;
+  internalBaseUrl: string;
+  clientId: string;
+  clientSecret: string;
+  scopes: string;
+}
+
+interface Step {
+  id: string;
+  title: string;
+  description: string;
+}
+
+export function SetupWizard({ onSetupComplete }: { onSetupComplete?: () => void }) {
   const navigate = useNavigate();
   const { refresh: refreshBranding } = useBranding();
 
-  // Fetch setup status to determine if auth provider step is needed
-  const [setupStatus, setSetupStatus] = useState(null); // null = loading
+  const [setupStatus, setSetupStatus] = useState<SetupStatus | null>(null);
   const [loadingStatus, setLoadingStatus] = useState(true);
 
-  // Auth provider form state
-  const [authForm, setAuthForm] = useState({
+  const [authForm, setAuthForm] = useState<AuthFormState>({
     providerId: "authentik",
     displayName: "",
     issuerUrl: "",
@@ -21,16 +44,16 @@ export function SetupWizard({ onSetupComplete }) {
     scopes: "openid profile email",
   });
   const [testingConnection, setTestingConnection] = useState(false);
-  const [testResult, setTestResult] = useState(null); // {ok: boolean, error?: string}
+  const [testResult, setTestResult] = useState<TestResult | null>(null);
 
   const [step, setStep] = useState(0);
   const [businessName, setBusinessName] = useState("");
   const [loading, setLoading] = useState(false);
-  const [error, setError] = useState(null);
+  const [error, setError] = useState<string | null>(null);
 
   useEffect(() => {
     fetch("/api/setup/status")
-      .then((r) => r.json())
+      .then((r) => r.json() as Promise<SetupStatus>)
       .then((data) => {
         setSetupStatus(data);
         setLoadingStatus(false);
@@ -40,8 +63,7 @@ export function SetupWizard({ onSetupComplete }) {
       });
   }, []);
 
-  // Build steps dynamically based on setup status
-  const STEPS = setupStatus?.showAuthProviderStep
+  const STEPS: Step[] = setupStatus?.showAuthProviderStep
     ? [
         { id: "welcome", title: "Welcome", description: "Welcome to GroomBook! Let's get your business set up." },
         { id: "auth", title: "Auth Provider", description: "Configure your authentication provider to secure your GroomBook instance." },
@@ -63,9 +85,8 @@ export function SetupWizard({ onSetupComplete }) {
   const isFirst = step === 0;
   const canGoBack = step > 0 && step < STEPS.length - 1;
 
-  // Determine if we can proceed - depends on which step we're on
   const canGoNext = (() => {
-    if (step === STEPS.length - 1) return true; // done step
+    if (step === STEPS.length - 1) return true;
     if (current?.id === "business") return businessName.trim().length > 0;
     if (current?.id === "auth") {
       return (
@@ -94,9 +115,9 @@ export function SetupWizard({ onSetupComplete }) {
           scopes: authForm.scopes,
         }),
       });
-      const data = await res.json();
+      const data = (await res.json()) as TestResult;
       setTestResult(data);
-    } catch (e) {
+    } catch {
       setTestResult({ ok: false, error: "Network error. Please try again." });
     } finally {
       setTestingConnection(false);
@@ -105,12 +126,10 @@ export function SetupWizard({ onSetupComplete }) {
 
   const handleNext = async () => {
     if (step === STEPS.length - 1) {
-      // Done - redirect to admin
       navigate("/admin");
       return;
     }
 
-    // Submit auth provider config
     if (current?.id === "auth") {
       setLoading(true);
       setError(null);
@@ -129,12 +148,12 @@ export function SetupWizard({ onSetupComplete }) {
           }),
         });
         if (!res.ok) {
-          const data = await res.json();
+          const data = (await res.json()) as { error?: string };
           setError(data.error || "Failed to save auth provider configuration. Please try again.");
           setLoading(false);
           return;
         }
-      } catch (e) {
+      } catch {
         setError("Network error. Please try again.");
         setLoading(false);
         return;
@@ -142,7 +161,6 @@ export function SetupWizard({ onSetupComplete }) {
       setLoading(false);
     }
 
-    // Submit business name and complete setup
     if (current?.id === "business" && businessName.trim()) {
       setLoading(true);
       setError(null);
@@ -153,16 +171,14 @@ export function SetupWizard({ onSetupComplete }) {
           body: JSON.stringify({ businessName: businessName.trim() }),
         });
         if (!res.ok) {
-          const data = await res.json();
+          const data = (await res.json()) as { error?: string };
           setError(data.error || "Setup failed. Please try again.");
           setLoading(false);
           return;
         }
-        // Refresh branding so the nav bar shows the new business name
         refreshBranding();
-        // Clear needsSetup state in App so the redirect to /admin sticks
         if (onSetupComplete) onSetupComplete();
-      } catch (e) {
+      } catch {
         setError("Network error. Please try again.");
         setLoading(false);
         return;
@@ -192,7 +208,7 @@ export function SetupWizard({ onSetupComplete }) {
     );
   }
 
-  const inputStyle = {
+  const inputStyle: React.CSSProperties = {
     width: "100%",
     padding: "0.6rem 0.85rem",
     borderRadius: 8,
@@ -220,7 +236,6 @@ export function SetupWizard({ onSetupComplete }) {
         maxWidth: 480,
         width: "100%",
       }}>
-        {/* Progress dots */}
         <div style={{ display: "flex", gap: 6, marginBottom: "2rem", justifyContent: "center" }}>
           {STEPS.map((_, i) => (
             <div
@@ -237,38 +252,32 @@ export function SetupWizard({ onSetupComplete }) {
           ))}
         </div>
 
-        {/* Step indicator */}
         <p style={{ margin: "0 0 0.5rem", fontSize: 13, color: "#6b7280", fontWeight: 500 }}>
           Step {step + 1} of {STEPS.length}
         </p>
 
-        {/* Title */}
         <h2 style={{ margin: "0 0 0.75rem", fontSize: 22, fontWeight: 700, color: "#1a202c" }}>
           {current?.title}
         </h2>
 
-        {/* Description */}
         <p style={{ margin: "0 0 1.5rem", fontSize: 15, color: "#4b5563", lineHeight: 1.6 }}>
           {current?.description}
         </p>
 
-        {/* Step: Business name input */}
         {current?.id === "business" && (
           <input
             type="text"
             placeholder="e.g. Happy Paws Grooming"
             value={businessName}
             onChange={(e) => setBusinessName(e.target.value)}
-            onKeyDown={(e) => e.key === "Enter" && canGoNext && handleNext()}
+            onKeyDown={(e) => e.key === "Enter" && canGoNext && void handleNext()}
             autoFocus
             style={inputStyle}
           />
         )}
 
-        {/* Step: Auth provider config form */}
         {current?.id === "auth" && (
           <div style={{ display: "flex", flexDirection: "column", gap: "0.85rem" }}>
-            {/* Provider ID */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Provider ID
@@ -282,7 +291,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Display Name */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Display Name
@@ -296,7 +304,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Issuer URL */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Issuer URL
@@ -310,7 +317,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Internal Base URL (optional) */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Internal Base URL <span style={{ fontWeight: 400, color: "#6b7280" }}>(optional, for hairpin NAT)</span>
@@ -324,7 +330,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Client ID */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Client ID
@@ -338,7 +343,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Client Secret */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Client Secret
@@ -352,7 +356,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Scopes */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Scopes
@@ -366,10 +369,9 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Test Connection button */}
             <button
               type="button"
-              onClick={handleTestConnection}
+              onClick={() => { void handleTestConnection(); }}
               disabled={testingConnection || !authForm.issuerUrl || !authForm.clientId}
               style={{
                 padding: "0.45rem 0.85rem",
@@ -387,7 +389,6 @@ export function SetupWizard({ onSetupComplete }) {
               {testingConnection ? "Testing..." : "Test Connection"}
             </button>
 
-            {/* Test result */}
             {testResult && (
               <div style={{
                 padding: "0.5rem 0.75rem",
@@ -405,7 +406,6 @@ export function SetupWizard({ onSetupComplete }) {
           </div>
         )}
 
-        {/* Step: Super user info */}
         {current?.id === "superuser" && (
           <div style={{
             background: "#f0fdf4",
@@ -420,7 +420,6 @@ export function SetupWizard({ onSetupComplete }) {
           </div>
         )}
 
-        {/* Step: Second admin info */}
         {current?.id === "admin" && (
           <div style={{
             background: "#fffbeb",
@@ -434,7 +433,6 @@ export function SetupWizard({ onSetupComplete }) {
           </div>
         )}
 
-        {/* Error message */}
         {error && (
           <p style={{
             margin: "0.5rem 0 0",
@@ -449,7 +447,6 @@ export function SetupWizard({ onSetupComplete }) {
           </p>
         )}
 
-        {/* Navigation buttons */}
         <div style={{
           display: "flex",
           gap: "0.75rem",
@@ -476,7 +473,7 @@ export function SetupWizard({ onSetupComplete }) {
             </button>
           )}
           <button
-            onClick={handleNext}
+            onClick={() => { void handleNext(); }}
             disabled={(!canGoNext && !isLast) || loading}
             style={{
               padding: "0.55rem 1.25rem",

apps/web/src/portal/CustomerPortal.tsx

@@ -16,6 +16,7 @@ import { AuditLogViewer } from "./AuditLogViewer.js";
 import { useBranding } from "../BrandingContext.js";
 import { getDevUser } from "../pages/DevLoginSelector.js";
 import type { ImpersonationSession } from "@groombook/types";
+import type { Appointment as PortalAppointment } from "./sections/Appointments.js";
 
 type Section = "dashboard" | "appointments" | "pets" | "reports" | "billing" | "messages" | "settings";
 
@@ -34,7 +35,7 @@ export function CustomerPortal() {
   const [mobileNavOpen, setMobileNavOpen] = useState(false);
   const [showAuditLog, setShowAuditLog] = useState(false);
   const [showReschedule, setShowReschedule] = useState(false);
-  const [rescheduleAppointment, setRescheduleAppointment] = useState<Record<string, unknown> | null>(null);
+  const [rescheduleAppointment, setRescheduleAppointment] = useState<PortalAppointment | null>(null);
   const [session, setSession] = useState<ImpersonationSession | null>(null);
   const [sessionExtended, setSessionExtended] = useState(false);
   const [clientName, setClientName] = useState<string>("");
@@ -149,7 +150,7 @@ export function CustomerPortal() {
   const handleReschedule = useCallback((appointmentId: string) => {
     // Look up the full appointment from Dashboard's displayed data
     // The appointment was already fetched by Dashboard, so we use the ID to find it
-    setRescheduleAppointment({ id: appointmentId } as Record<string, unknown>);
+    setRescheduleAppointment({ id: appointmentId } as PortalAppointment);
     setShowReschedule(true);
   }, []);
 
@@ -227,7 +228,7 @@ export function CustomerPortal() {
 
       {showReschedule && rescheduleAppointment && (
         <RescheduleFlow
-          appointment={rescheduleAppointment as any}
+          appointment={rescheduleAppointment}
           onClose={() => { setShowReschedule(false); setRescheduleAppointment(null); }}
           sessionId={session?.id ?? null}
         />
@@ -325,7 +326,7 @@ export function CustomerPortal() {
         )}
 
         {/* Main Content */}
-        <main className="flex-1 min-h-screen">
+        <main className="flex-1 min-h-screen overflow-x-hidden">
           <div className="hidden md:flex items-center justify-between px-8 py-4 border-b border-stone-200 bg-white">
             <div>
               <h1 className="text-lg font-semibold text-stone-800">
@@ -339,7 +340,7 @@ export function CustomerPortal() {
               </div>
             </div>
           </div>
-          <div className="p-4 md:p-8 max-w-6xl">
+          <div className="p-4 md:p-8 max-w-6xl w-full overflow-hidden">
             {renderSection()}
           </div>
         </main>

apps/web/src/portal/sections/Appointments.tsx

@@ -1,7 +1,7 @@
 import React, { useState, useEffect } from 'react';
 import { Calendar, Clock, Plus, ChevronRight, ChevronDown, Loader2 } from 'lucide-react';
 
-interface Appointment {
+export interface Appointment {
   id: string;
   petId: string;
   serviceId: string;
@@ -379,7 +379,7 @@ export function ConfirmationSection({
     try {
       const headers: Record<string, string> = {};
       if (sessionId) {
-        headers['Authorization'] = `Bearer ${sessionId}`;
+        headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       }
       const res = await fetch(`/api/portal/appointments/${appt.id}/confirm`, {
         method: 'POST',
@@ -455,7 +455,7 @@ function CancelAppointmentButton({
     try {
       const headers: Record<string, string> = {};
       if (sessionId) {
-        headers['Authorization'] = `Bearer ${sessionId}`;
+        headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       }
       const res = await fetch(`/api/portal/appointments/${appt.id}/cancel`, {
         method: 'POST',
@@ -507,7 +507,7 @@ export function CustomerNotesSection({
     try {
       const headers: Record<string, string> = { 'Content-Type': 'application/json' };
       if (sessionId) {
-        headers['Authorization'] = `Bearer ${sessionId}`;
+        headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       }
       const res = await fetch(`/api/portal/appointments/${appt.id}/notes`, {
         method: 'PATCH',
@@ -600,7 +600,7 @@ export function RescheduleFlow({
     setError(null);
     try {
       const headers: Record<string, string> = { 'Content-Type': 'application/json' };
-      if (sessionId) headers['Authorization'] = `Bearer ${sessionId}`;
+      if (sessionId) headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       const res = await fetch(`/api/portal/appointments/${appt.id}/reschedule`, {
         method: 'POST',
         headers,
@@ -784,7 +784,7 @@ function BookingFlow({ onClose, sessionId }: BookingFlowProps) {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
-          Authorization: `Bearer ${sessionId}`,
+          'X-Impersonation-Session-Id': sessionId ?? '',
         },
         body: JSON.stringify({
           petId: selectedPet.id,

apps/web/src/portal/sections/BillingPayments.tsx

@@ -1,4 +1,4 @@
-import { useState, useEffect } from "react";
+import { useState, useEffect, useRef } from "react";
 import { loadStripe } from "@stripe/stripe-js";
 import { Elements, PaymentElement, useStripe, useElements } from "@stripe/react-stripe-js";
 import { CreditCard, DollarSign, Package, Zap } from "lucide-react";
@@ -130,7 +130,7 @@ function BillingPaymentsInner({ sessionId, readOnly }: BillingPaymentsProps) {
         </div>
       )}
 
-      <div className="flex gap-2">
+      <div className="flex gap-2 flex-wrap">
         {([
           { id: "invoices" as const, label: "Invoices", icon: DollarSign },
           { id: "payment" as const, label: "Payment Methods", icon: CreditCard },
@@ -356,6 +356,48 @@ function PaymentModal({ sessionId, pending, onClose, onSuccess }: PaymentModalPr
   const [isProcessing, setIsProcessing] = useState(false);
   const [isComplete, setIsComplete] = useState(false);
   const [error, setError] = useState<string | null>(null);
+  const completeModalRef = useRef<HTMLDivElement>(null);
+  const paymentModalRef = useRef<HTMLDivElement>(null);
+
+  // Focus trap + Escape-to-close for both inline modals
+  useEffect(() => {
+    const modalRef = isComplete ? completeModalRef.current : paymentModalRef.current;
+    if (!modalRef) return;
+
+    const previouslyFocused = document.activeElement as HTMLElement;
+    const focusableSelectors = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+    const focusableElements = modalRef.querySelectorAll<HTMLElement>(focusableSelectors);
+    const firstFocusable = focusableElements[0];
+    firstFocusable?.focus();
+
+    function handleKeyDown(e: KeyboardEvent) {
+      if (e.key === "Escape") {
+        onClose();
+        return;
+      }
+      if (e.key !== "Tab" || !modalRef) return;
+      const focusables = modalRef.querySelectorAll<HTMLElement>(focusableSelectors);
+      const first = focusables[0];
+      const last = focusables[focusables.length - 1];
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last?.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first?.focus();
+        }
+      }
+    }
+
+    document.addEventListener("keydown", handleKeyDown);
+    return () => {
+      document.removeEventListener("keydown", handleKeyDown);
+      previouslyFocused?.focus();
+    };
+  }, [isComplete, onClose]);
 
   const formatCents = (cents: number) =>
     new Intl.NumberFormat("en-US", { style: "currency", currency: "USD" }).format(cents / 100);
@@ -420,8 +462,8 @@ function PaymentModal({ sessionId, pending, onClose, onSuccess }: PaymentModalPr
 
   if (isComplete) {
     return (
-      <div className="fixed inset-0 bg-black/50 z-50 flex items-center justify-center p-4">
-        <div className="bg-white rounded-2xl shadow-xl max-w-md w-full p-8 text-center">
+      <div role="dialog" aria-modal="true" className="fixed inset-0 bg-black/50 z-50 flex items-center justify-center p-4">
+        <div ref={completeModalRef} className="bg-white rounded-2xl shadow-xl max-w-md w-full p-8 text-center">
           <div className="w-16 h-16 bg-green-100 rounded-full flex items-center justify-center mx-auto mb-4">
             <svg className="w-8 h-8 text-green-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
               <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
@@ -440,8 +482,8 @@ function PaymentModal({ sessionId, pending, onClose, onSuccess }: PaymentModalPr
   }
 
   return (
-    <div className="fixed inset-0 bg-black/50 z-50 flex items-center justify-center p-4">
-      <div className="bg-white rounded-2xl shadow-xl max-w-md w-full p-6">
+    <div role="dialog" aria-modal="true" className="fixed inset-0 bg-black/50 z-50 flex items-center justify-center p-4">
+      <div ref={paymentModalRef} className="bg-white rounded-2xl shadow-xl max-w-md w-full p-6">
         <div className="flex items-center justify-between mb-6">
           <h2 className="font-semibold text-stone-800 text-lg">Pay Outstanding Balance</h2>
           <button onClick={onClose} className="text-stone-400 hover:text-stone-600">

packages/db/src/schema.ts

@@ -200,51 +200,60 @@ export const appointmentGroups = pgTable("appointment_groups", {
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });
 
-export const appointments = pgTable("appointments", {
-  id: uuid("id").primaryKey().defaultRandom(),
-  clientId: uuid("client_id")
-    .notNull()
-    .references(() => clients.id, { onDelete: "restrict" }),
-  petId: uuid("pet_id")
-    .notNull()
-    .references(() => pets.id, { onDelete: "restrict" }),
-  serviceId: uuid("service_id")
-    .notNull()
-    .references(() => services.id, { onDelete: "restrict" }),
-  staffId: uuid("staff_id").references(() => staff.id, {
-    onDelete: "set null",
-  }),
-  // Optional secondary staff (bather/assistant) for tip-split tracking
-  batherStaffId: uuid("bather_staff_id").references(() => staff.id, {
-    onDelete: "set null",
-  }),
-  status: appointmentStatusEnum("status").notNull().default("scheduled"),
-  startTime: timestamp("start_time").notNull(),
-  endTime: timestamp("end_time").notNull(),
-  notes: text("notes"),
-  // Override price at time of booking (null = use service base price)
-  priceCents: integer("price_cents"),
-  // Recurring series support
-  seriesId: uuid("series_id").references(() => recurringSeries.id, {
-    onDelete: "set null",
-  }),
-  seriesIndex: integer("series_index"),
-  // Multi-pet group booking: links this appointment to others in the same visit
-  groupId: uuid("group_id").references(() => appointmentGroups.id, {
-    onDelete: "set null",
-  }),
-  // Customer confirmation/cancellation tracking
-  // Values: "pending" | "confirmed" | "cancelled"
-  confirmationStatus: text("confirmation_status").notNull().default("pending"),
-  confirmedAt: timestamp("confirmed_at"),
-  cancelledAt: timestamp("cancelled_at"),
-  // Token for tokenized email confirm/cancel links (no auth required)
-  confirmationToken: text("confirmation_token").unique(),
-  // Customer-provided note visible to groomer (500 char max, editable until appointment starts)
-  customerNotes: text("customer_notes"),
-  createdAt: timestamp("created_at").notNull().defaultNow(),
-  updatedAt: timestamp("updated_at").notNull().defaultNow(),
-});
+export const appointments = pgTable(
+  "appointments",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    clientId: uuid("client_id")
+      .notNull()
+      .references(() => clients.id, { onDelete: "restrict" }),
+    petId: uuid("pet_id")
+      .notNull()
+      .references(() => pets.id, { onDelete: "restrict" }),
+    serviceId: uuid("service_id")
+      .notNull()
+      .references(() => services.id, { onDelete: "restrict" }),
+    staffId: uuid("staff_id").references(() => staff.id, {
+      onDelete: "set null",
+    }),
+    // Optional secondary staff (bather/assistant) for tip-split tracking
+    batherStaffId: uuid("bather_staff_id").references(() => staff.id, {
+      onDelete: "set null",
+    }),
+    status: appointmentStatusEnum("status").notNull().default("scheduled"),
+    startTime: timestamp("start_time").notNull(),
+    endTime: timestamp("end_time").notNull(),
+    notes: text("notes"),
+    // Override price at time of booking (null = use service base price)
+    priceCents: integer("price_cents"),
+    // Recurring series support
+    seriesId: uuid("series_id").references(() => recurringSeries.id, {
+      onDelete: "set null",
+    }),
+    seriesIndex: integer("series_index"),
+    // Multi-pet group booking: links this appointment to others in the same visit
+    groupId: uuid("group_id").references(() => appointmentGroups.id, {
+      onDelete: "set null",
+    }),
+    // Customer confirmation/cancellation tracking
+    // Values: "pending" | "confirmed" | "cancelled"
+    confirmationStatus: text("confirmation_status").notNull().default("pending"),
+    confirmedAt: timestamp("confirmed_at"),
+    cancelledAt: timestamp("cancelled_at"),
+    // Token for tokenized email confirm/cancel links (no auth required)
+    confirmationToken: text("confirmation_token").unique(),
+    // Customer-provided note visible to groomer (500 char max, editable until appointment starts)
+    customerNotes: text("customer_notes"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [
+    index("idx_appointments_client_id").on(t.clientId),
+    index("idx_appointments_staff_id").on(t.staffId),
+    index("idx_appointments_start_time").on(t.startTime),
+    index("idx_appointments_status").on(t.status),
+  ]
+);
 
 export const invoices = pgTable(
   "invoices",

packages/db/src/seed.ts

@@ -399,7 +399,6 @@ async function seedKnownUsers() {
         name: adminName,
         email: adminEmail,
         oidcSub: adminEmail,
-        userId: adminEmail,
         role: "manager",
         isSuperUser: true,
         active: true,
@@ -426,7 +425,6 @@ async function seedKnownUsers() {
         name: "UAT Super User",
         email: "uat-super@groombook.dev",
         oidcSub: uatSuperOidcSub,
-        userId: uatSuperOidcSub,
         role: "manager",
         isSuperUser: true,
         active: true,
@@ -453,7 +451,6 @@ async function seedKnownUsers() {
         name: "UAT Staff Groomer",
         email: "uat-groomer@groombook.dev",
         oidcSub: uatStaffOidcSub,
-        userId: uatStaffOidcSub,
         role: "groomer",
         isSuperUser: false,
         active: true,
@@ -648,7 +645,6 @@ async function seed() {
         name: adminName,
         email: adminEmail,
         oidcSub: adminEmail,
-        userId: adminEmail,
         role: "manager",
         isSuperUser: true,
         active: true,

packages/types/src/index.ts

@@ -40,6 +40,8 @@ export interface Pet {
   shampooPreference: string | null;
   specialCareNotes: string | null;
   customFields: Record<string, string>;
+  photoKey?: string;
+  photoUploadedAt?: string;
   createdAt: string;
   updatedAt: string;
 }