fix(GRO-898): wire BETTER_AUTH_URL and OIDC_* secret refs into API deployment

The base API deployment chart was missing the auth env var wiring needed for Better Auth + OIDC Authentik SSO: - BETTER_AUTH_URL: explicit base URL (was hardcoded in kustomize patch only) - OIDC_CLIENT_ID / OIDC_CLIENT_SECRET: secret refs (were missing entirely) - BETTER_AUTH_SECRET: secret ref (was missing entirely) - OIDC_INTERNAL_BASE: conditional env var (was missing from base chart) The groombook-auth sealed secret already holds all three encrypted values (BETTER_AUTH_SECRET, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET). The chart just wasn't referencing them for the base deployment. Also rename oidcIssuer → oidcIssuer in values for consistency, and add new values betterAuthUrl + internalBaseUrl to cover all required vars. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request #366 from groombook/fix/gro-898-ci-dev-branch
2026-04-29 23:43:12 +00:00 · 2026-04-24 15:53:15 +00:00 · 2026-04-24 15:46:50 +00:00 · 2026-04-23 22:36:27 +00:00 · 2026-04-23 19:29:45 +00:00 · 2026-04-23 14:01:41 +00:00
7 changed files with 107 additions and 31 deletions
@@ -340,7 +340,7 @@ jobs:
    name: Update Infra Image Tags
    runs-on: ubuntu-latest
    needs: [docker]
-    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push'
    permissions:
      contents: write
      pull-requests: write
@@ -101,6 +101,7 @@ invoicesRouter.get(
        paymentMethod: invoices.paymentMethod,
        paidAt: invoices.paidAt,
        notes: invoices.notes,
+        stripePaymentIntentId: invoices.stripePaymentIntentId,
        createdAt: invoices.createdAt,
        updatedAt: invoices.updatedAt,
      })
@@ -480,40 +481,50 @@ invoicesRouter.post(

 // Payment stats for admin dashboard
 invoicesRouter.get("/stats/summary", async (c) => {
-  const db = getDb();
-  const now = new Date();
-  const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
+  try {
+    const db = getDb();
+    const now = new Date();
+    const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);

-  const [revenueResult] = await db
-    .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
-    .from(invoices)
-    .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`));
+    const [revenueResult] = await db
+      .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
+      .from(invoices)
+      .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`));

-  const [outstandingResult] = await db
-    .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
-    .from(invoices)
-    .where(eq(invoices.status, "pending"));
+    const [outstandingResult] = await db
+      .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
+      .from(invoices)
+      .where(eq(invoices.status, "pending"));

-  const [refundsResult] = await db
-    .select({ total: sql<number>`coalesce(sum(amount_cents), 0)` })
-    .from(refunds)
-    .where(sql`${refunds.createdAt} >= ${startOfMonth}`);
+    const [refundsResult] = await db
+      .select({ total: sql<number>`coalesce(sum(amount_cents), 0)` })
+      .from(refunds)
+      .where(sql`${refunds.createdAt} >= ${startOfMonth}`);

-  const methodBreakdown = await db
-    .select({
-      method: invoices.paymentMethod,
-      total: sql<number>`count(*)`,
-    })
-    .from(invoices)
-    .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`))
-    .groupBy(invoices.paymentMethod);
+    const methodBreakdown = await db
+      .select({
+        method: invoices.paymentMethod,
+        total: sql<number>`count(*)`,
+      })
+      .from(invoices)
+      .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`))
+      .groupBy(invoices.paymentMethod);

-  return c.json({
-    revenueThisMonth: revenueResult?.total ?? 0,
-    outstanding: outstandingResult?.total ?? 0,
-    refundsThisMonth: refundsResult?.total ?? 0,
-    methodBreakdown,
-  });
+    return c.json({
+      revenueThisMonth: revenueResult?.total ?? 0,
+      outstanding: outstandingResult?.total ?? 0,
+      refundsThisMonth: refundsResult?.total ?? 0,
+      methodBreakdown,
+    });
+  } catch (err) {
+    console.error("stats/summary error:", err);
+    return c.json({
+      revenueThisMonth: 0,
+      outstanding: 0,
+      refundsThisMonth: 0,
+      methodBreakdown: [],
+    });
+  }
 });

 // Get Stripe payment details for an invoice (card last4, payment status, refund status)
@@ -112,9 +112,17 @@ export function AppointmentsPage() {
  const [viewMode, setViewMode] = useState<"status" | "groomer">("status");
  // null key = unassigned; staffId string = that groomer; undefined set = all visible
  const [hiddenGroomers, setHiddenGroomers] = useState<Set<string | null>>(new Set());
+  const [paymentStats, setPaymentStats] = useState<{ revenueThisMonth: number; outstanding: number; refundsThisMonth: number; methodBreakdown: { method: string | null; total: number }[] } | null>(null);

  const weekEnd = addDays(weekStart, 6);

+  useEffect(() => {
+    fetch("/api/invoices/stats/summary")
+      .then((r) => r.ok ? r.json() : null)
+      .then((data) => { if (data) setPaymentStats(data); })
+      .catch(() => {});
+  }, []);
+
  const loadAppointments = useCallback(() => {
    const from = weekStart.toISOString();
    const to = addDays(weekStart, 7).toISOString();
@@ -314,6 +322,24 @@ export function AppointmentsPage() {
        </button>
      </div>

+      {/* Payment Stats Summary */}
+      {paymentStats && (
+        <div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit, minmax(160px, 1fr))", gap: "0.75rem", marginBottom: "1.25rem" }}>
+          <div style={{ background: "#f0fdf4", border: "1px solid #bbf7d0", borderRadius: 8, padding: "0.75rem 1rem" }}>
+            <div style={{ fontSize: 12, color: "#166534", fontWeight: 600, marginBottom: "0.25rem" }}>Revenue (paid)</div>
+            <div style={{ fontSize: 20, fontWeight: 700, color: "#15803d" }}>${(paymentStats.revenueThisMonth / 100).toFixed(2)}</div>
+          </div>
+          <div style={{ background: "#fefce8", border: "1px solid #fde047", borderRadius: 8, padding: "0.75rem 1rem" }}>
+            <div style={{ fontSize: 12, color: "#854d0e", fontWeight: 600, marginBottom: "0.25rem" }}>Outstanding</div>
+            <div style={{ fontSize: 20, fontWeight: 700, color: "#a16207" }}>${(paymentStats.outstanding / 100).toFixed(2)}</div>
+          </div>
+          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 8, padding: "0.75rem 1rem" }}>
+            <div style={{ fontSize: 12, color: "#991b1b", fontWeight: 600, marginBottom: "0.25rem" }}>Refunds (this mo.)</div>
+            <div style={{ fontSize: 20, fontWeight: 700, color: "#dc2626" }}>${(paymentStats.refundsThisMonth / 100).toFixed(2)}</div>
+          </div>
+        </div>
+      )}
+
      {/* ── View Mode + Groomer Filters ── */}
      <div style={{ display: "flex", alignItems: "center", gap: "0.5rem", marginBottom: "0.75rem", flexWrap: "wrap" }}>
        <span style={{ fontSize: 13, fontWeight: 600, color: "#374151" }}>Color by:</span>
@@ -119,3 +119,10 @@ uri
 database-url
 {{- end -}}
 {{- end }}
+
+{{/*
+Auth secret name — always use groombook-auth (sealed secret name)
+*/}}
+{{- define "groombook.authSecretName" -}}
+{{- printf "%s" "groombook-auth" }}
+{{- end }}
@@ -50,6 +50,27 @@ spec:
            - name: OIDC_AUDIENCE
              value: {{ .Values.api.env.oidcAudience | quote }}
            {{- end }}
+            {{- if .Values.api.env.internalBaseUrl }}
+            - name: OIDC_INTERNAL_BASE
+              value: {{ .Values.api.env.internalBaseUrl | quote }}
+            {{- end }}
+            - name: BETTER_AUTH_URL
+              value: {{ .Values.api.env.betterAuthUrl | quote }}
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: OIDC_CLIENT_SECRET
+            - name: BETTER_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: BETTER_AUTH_SECRET
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
@@ -18,6 +18,8 @@ api:
    corsOrigin: ""
    oidcIssuer: ""
    oidcAudience: groombook
+    betterAuthUrl: ""
+    internalBaseUrl: ""
    port: "3000"
  service:
    type: ClusterIP
@@ -883,6 +883,7 @@ async function seed() {
  let appointmentCount = 0;
  let invoiceCount = 0;
  let visitLogCount = 0;
+  let paidInvoiceCounter = 0;

  // Process in batches per client to keep memory manageable
  const apptBatchSize = 100;
@@ -977,6 +978,10 @@ async function seed() {

        const invoiceStatus = rand() < 0.95 ? "paid" as const : "pending" as const;
        const paidAt = invoiceStatus === "paid" ? new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000) : null;
+        paidInvoiceCounter++;
+        const stripePaymentIntentId = invoiceStatus === "paid"
+          ? `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`
+          : null;

        invoiceBatch.push({
          id: invoiceId,
@@ -989,6 +994,7 @@ async function seed() {
          status: invoiceStatus,
          paymentMethod: invoiceStatus === "paid" ? pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check" : null,
          paidAt,
+          stripePaymentIntentId,
          notes: rand() < 0.05 ? "Added extra service at checkout" : null,
        });

@@ -1092,13 +1098,16 @@ async function seed() {
      const taxCents = Math.round(effectivePrice * 0.08);
      const totalCents = effectivePrice + taxCents + tipCents;
      const paidAt = new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000);
+      paidInvoiceCounter++;

      invoiceBatch.push({
        id: invoiceId, appointmentId: apptId, clientId,
        subtotalCents: effectivePrice, taxCents, tipCents, totalCents,
        status: "paid" as const,
        paymentMethod: pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check",
-        paidAt, notes: null,
+        paidAt,
+        stripePaymentIntentId: `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`,
+        notes: null,
      });
      lineItemBatch.push({
        id: uuid(), invoiceId, description: svc.name, quantity: 1,
Author	SHA1	Message	Date
Hugh Hackman	e26718be4e	fix(GRO-898): wire BETTER_AUTH_URL and OIDC_* secret refs into API deployment The base API deployment chart was missing the auth env var wiring needed for Better Auth + OIDC Authentik SSO: - BETTER_AUTH_URL: explicit base URL (was hardcoded in kustomize patch only) - OIDC_CLIENT_ID / OIDC_CLIENT_SECRET: secret refs (were missing entirely) - BETTER_AUTH_SECRET: secret ref (was missing entirely) - OIDC_INTERNAL_BASE: conditional env var (was missing from base chart) The groombook-auth sealed secret already holds all three encrypted values (BETTER_AUTH_SECRET, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET). The chart just wasn't referencing them for the base deployment. Also rename oidcIssuer → oidcIssuer in values for consistency, and add new values betterAuthUrl + internalBaseUrl to cover all required vars. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-29 23:43:12 +00:00
the-dogfather-cto[bot]	cd25d98384	Merge pull request #366 from groombook/fix/gro-898-ci-dev-branch fix(GRO-898): update CI to deploy on dev branch pushes	2026-04-24 15:53:15 +00:00
Test User	e9fceb78b3	fix(GRO-898): update CI to deploy on dev branch pushes Update the Update Infra Image Tags job condition to also trigger on pushes to the dev branch, not just main. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-24 15:46:50 +00:00
the-dogfather-cto[bot]	7bf9cf9734	Merge pull request #359 from groombook/fix/gro-890-seed-stripe-payment-intent fix(GRO-890): populate stripePaymentIntentId on paid seed invoices	2026-04-23 22:36:27 +00:00
groombook-engineer[bot]	bf159f8b1f	fix(GRO-890): populate stripePaymentIntentId on all paid seed invoices All paid invoices created by the seed script now get a deterministic stripePaymentIntentId of the form pi_test_seed_NNNNNN, unblocking the refund button conditional in Invoices.tsx:514 during UAT. Pending/draft invoices retain null as before. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-23 19:29:45 +00:00
the-dogfather-cto[bot]	2f3d4d8d01	fix(gro-609): refund button, stats 5xx, dashboard payment stats (#357 ) fix(gro-609): include stripePaymentIntentId in invoice list and wrap stats endpoint in try/catch	2026-04-23 14:01:41 +00:00
Test User	db9bb31702	fix(gro-609): add payment stats to admin dashboard (AppointmentsPage) - Fetch /api/invoices/stats/summary on mount and display Revenue/Outstanding/Refunds summary cards above the calendar view on /admin - Mirrors the same stats section already on /admin/invoices - Gracefully handles errors via try/catch on the stats endpoint Parent: GRO-882 Grandparent: GRO-816 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-23 13:51:15 +00:00
Test User	b38db65dde	fix(gro-609): include stripePaymentIntentId in invoice list and wrap stats endpoint in try/catch - Add stripePaymentIntentId to the GET /invoices list query so the refund button renders when seed data includes a payment intent ID - Wrap /api/invoices/stats/summary in try/catch so errors return 200 with zero defaults instead of 5xx, preventing the Invoices page from crashing on mount for groomer-role sessions Parent: GRO-882 Grandparent: GRO-816 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-23 13:47:27 +00:00
scrubs-mcbarkley-ceo[bot]	3178f81b99	promote: uat → main (GRO-865 logo proxy mixed content fix) All SDLC gates cleared. Logo proxy fix ships to production. cc @cpfarhood	2026-04-22 03:50:15 +00:00
scrubs-mcbarkley-ceo[bot]	544d65959d	promote: dev → uat (GRO-867 + GRO-870 logo proxy fixes) Promoting logo proxy fixes to UAT. All SDLC gates passed. cc @cpfarhood	2026-04-22 03:49:30 +00:00
the-dogfather-cto[bot]	fe2e093b92	Merge pull request #353 from groombook/fix/gro-867-logo-proxy fix(GRO-870): /api/branding returns raw S3 URL — add public logo proxy	2026-04-22 03:21:15 +00:00
the-dogfather-cto[bot]	ad80722eee	Merge pull request #352 from groombook/fix/gro-867-logo-proxy fix(GRO-867): proxy logo download through API server — eliminate mixed content	2026-04-22 02:48:54 +00:00
lint-roller-qa[bot]	f38bb244a4	Merge pull request #339 from groombook/dev Promote dev → uat	2026-04-20 14:06:22 +00:00
the-dogfather-cto[bot]	abee344ca4	Promote dev → uat: ARIA modal fix + tip split atomicity (#335 ) * feat(GRO-785): validate tip split totals before marking invoice paid - PATCH /invoices/:id returns 400 when tipCents > 0 but no tip splits exist or splits don't sum to 100% - POST /invoices/:id/tip-splits now returns 400 (not 422) on validation failure via router-level ZodError handler Co-Authored-By: Paperclip <noreply@paperclip.ing> * feat(GRO-786): add ARIA label attributes to Modal dialog component - Update Modal component to accept title and titleStyle props - Add role="dialog", aria-modal="true", and aria-labelledby attributes - Use useId() to generate stable ID for title heading association - Update all 4 Modal call sites (New/Edit Client, Add/Edit Pet, Log Grooming Visit, Permanently Delete Client) with title props - Delete modal passes titleStyle for red color on warning Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-786): remove duplicate dialog role and restore focus trap - Remove role="dialog" and aria-modal="true" from outer backdrop div - Keep ARIA attributes only on inner dialog div (the actual modal) - Restore useEffect focus management: auto-focus first element, Tab cycle wrapping, Escape key handler, focus restore on close Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-785): restore atomic tip split save in PATCH and fix error message - When body.tipSplits is provided in PATCH /invoices/:id, validate sum first then atomically replace existing splits (delete + insert) - When no incoming splits, validate existing DB splits with corrected message: "Tip splits are required when tip amount is greater than zero" (previously misleading "must sum to 100%" when no splits existed) Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-785): address invoice tip split regression - Use body.tipCents ?? current.tipCents for validation condition so that simultaneous status=paid + tipCents=0 skip split validation - Use body.tipCents (now aliased as tipCents) instead of current.tipCents inside the atomic transaction for shareCents calculation - Add explicit check for empty tipSplits array with appropriate error message ("Tip splits are required when tip amount is greater than zero") before the sum-to-100% check - Destructure tipSplits out of body before spreading into update object to prevent it from leaking into the invoices table SET clause Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-785): wrap tip split save + invoice update in single transaction Both tip split persistence (delete + insert) and the invoice PATCH update are now inside one db.transaction() block. If the invoice update fails after splits are written, the entire operation rolls back. Also removed unnecessary eslint-disable comment on _tipSplits. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(GRO-785): restore eslint-disable for intentionally unused _tipSplits var Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Flea Flicker <fleaflicker@groombook.farh.net> Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: the-dogfather-cto[bot] <269737991+the-dogfather-cto[bot]@users.noreply.github.com>	2026-04-17 22:58:00 +00:00