fix(api): remove stale uuid deps from package.json and lockfile

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yml

@@ -340,7 +340,7 @@ jobs:
     name: Update Infra Image Tags
     runs-on: ubuntu-latest
     needs: [docker]
-    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push'
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
     permissions:
       contents: write
       pull-requests: write

apps/api/UAT_PLAYBOOK.md

@@ -1,63 +0,0 @@
-# GroomBook API — UAT Playbook
-
-This document captures user-acceptance test cases for GroomBook API features. Each section corresponds to a feature or bug-fix PR. Update this file when a PR changes user-facing behaviour.
-
----
-
-## 1. Appointment Booking (`/api/appointments`)
-
-### 1.1 Create Appointment
-- [ ] POST `/api/appointments` with valid payload → 201, appointment returned with generated id
-- [ ] Overlapping staff appointment → 409 conflict error returned
-- [ ] `endTime` before `startTime` → 422 error
-
-### 1.2 Update Appointment (PATCH `/api/appointments/:id`)
-- [ ] Extending `endTime` on a `scheduled` appointment triggers cascade delay prevention if downstream appointments exist
-- [ ] Extending `endTime` returns `cascade` object in response with shifted appointments
-- [ ] Extending `endTime` sends reschedule email to each affected client
-- [ ] Appointments outside business hours after shift are flagged in `cascade.flaggedForReview` instead of auto-shifted
-- [ ] Only `scheduled` and `confirmed` downstream appointments are shifted; `in_progress`, `completed`, `cancelled` are skipped
-- [ ] Cascade stops when a downstream appointment no longer conflicts with the shifted boundary
-- [ ] Shifts are included in API response under `cascade.shifted[]`
-
-### 1.3 Series (Recurring) Appointments
-- [ ] Updating one occurrence with `cascadeMode: "this_and_future"` shifts that occurrence and all future ones
-- [ ] Updating one occurrence with `cascadeMode: "all"` shifts every occurrence in the series
-
----
-
-## 2. Cascade Delay Prevention
-
-### 2.1 Basic Cascade
-- [ ] When a groomer's appointment overruns, the next same-groomer `scheduled` appointment shifts forward
-- [ ] Delta applied to both `startTime` and `endTime` (duration preserved)
-- [ ] Cascade propagates through multiple downstream appointments
-
-### 2.2 Buffer Time
-- [ ] A configurable buffer (default 15 minutes) is added between the overrunning appointment end and the shifted start
-- [ ] Cascade respects the buffer between each consecutive pair of appointments
-
-### 2.3 Business Hours Guard
-- [ ] If a proposed shift would place an appointment start or end outside business hours, it is flagged instead of shifted
-- [ ] Flagged appointments are listed in `cascade.flaggedForReview[]` with reason text
-
-### 2.4 Email Notification
-- [ ] Each shifted appointment triggers a reschedule email to the client
-- [ ] Email includes original time (struck through) and new time
-- [ ] Email is skipped silently if SMTP is not configured
-
-### 2.5 Status Transition Overrun
-- [ ] When an `in_progress` appointment's actual end time exceeds `endTime + bufferMinutes`, the cascade is triggered using the status transition path
-
----
-
-## 3. Authentication & RBAC
-
-### 3.1 Staff Authentication
-- [ ] Unauthenticated request → 401
-- [ ] Groomer role can only view/edit their own appointments → 403 for others
-- [ ] Manager role can view/edit all appointments
-
-### 3.2 Client Authentication
-- [ ] Clients can access their own appointments via tokenized links
-- [ ] Tokenized confirm/cancel links work without authentication

apps/api/package.json

@@ -24,7 +24,6 @@
     "nodemailer": "^6.9.16",
     "stripe": "^22.0.0",
     "telnyx": "^1.23.0",
-
     "zod": "^4.3.6"
   },
   "devDependencies": {

apps/api/src/__tests__/cascade.test.ts

@@ -1,373 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { cascadeDelay } from "../cascade.js";
-
-// ─── Mock the DB ───────────────────────────────────────────────────────────────
-
-const mockDb = {
-  select: vi.fn(),
-  update: vi.fn(),
-};
-
-vi.mock("@groombook/db", () => ({
-  getDb: () => mockDb,
-  appointments: {
-    id: Symbol("id"),
-    staffId: Symbol("staffId"),
-    startTime: Symbol("startTime"),
-    endTime: Symbol("endTime"),
-    status: Symbol("status"),
-  },
-  clients: { id: Symbol("id"), name: Symbol("name"), email: Symbol("email") },
-  pets: { id: Symbol("id"), name: Symbol("name") },
-  services: { id: Symbol("id"), name: Symbol("name") },
-  staff: { id: Symbol("id"), name: Symbol("name") },
-  eq: (a: symbol, b: unknown) => ({ type: "eq", a, b }),
-  and: (...args: unknown[]) => ({ type: "and", args }),
-  gt: (a: symbol, b: unknown) => ({ type: "gt", a, b }),
-  inArray: (a: symbol, vals: unknown[]) => ({ type: "inArray", a, vals }),
-  asc: (a: symbol) => ({ type: "asc", a }),
-}));
-
-vi.mock("../services/email.js", () => ({
-  sendEmail: vi.fn().mockResolvedValue(true),
-}));
-
-const { sendEmail } = await import("../services/email.js");
-const { getDb } = await import("@groombook/db");
-
-// ─── Helpers ────────────────────────────────────────────────────────────────────
-
-function makeAppt(overrides: Partial<Record<string, unknown>> = {}) {
-  return {
-    id: "appt-1",
-    staffId: "groomer-1",
-    startTime: new Date("2026-05-16T10:00:00Z"),
-    endTime: new Date("2026-05-16T11:00:00Z"),
-    status: "scheduled",
-    clientId: "client-1",
-    petId: "pet-1",
-    serviceId: "svc-1",
-    ...overrides,
-  };
-}
-
-function makeEnrichedAppt(id: string, start: Date, end: Date) {
-  return {
-    id,
-    originalStartTime: start,
-    originalEndTime: end,
-    newStartTime: start,
-    newEndTime: end,
-    clientId: "client-1",
-    clientName: "Alice Smith",
-    clientEmail: "alice@example.com",
-    petName: "Buddy",
-    serviceName: "Full Groom",
-    groomerName: "Jamie",
-  };
-}
-
-// ─── Tests ─────────────────────────────────────────────────────────────────────
-
-describe("cascadeDelay", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("returns early when the triggering appointment is not found", async () => {
-    mockDb.select.mockResolvedValueOnce([]);
-
-    const result = await cascadeDelay(
-      "nonexistent",
-      new Date("2026-05-16T12:00:00Z"),
-      new Date("2026-05-16T11:00:00Z")
-    );
-
-    expect(result.shifted).toHaveLength(0);
-    expect(result.flaggedForReview).toHaveLength(0);
-  });
-
-  it("returns early when the appointment has no groomer assigned", async () => {
-    mockDb.select.mockResolvedValueOnce([{ ...makeAppt(), staffId: null }]);
-
-    const result = await cascadeDelay(
-      "appt-trigger",
-      new Date("2026-05-16T12:00:00Z"),
-      new Date("2026-05-16T11:00:00Z")
-    );
-
-    expect(result.shifted).toHaveLength(0);
-  });
-
-  it("returns early when newEndTime does not extend beyond originalEndTime", async () => {
-    mockDb.select.mockResolvedValueOnce([makeAppt()]);
-
-    const result = await cascadeDelay(
-      "appt-trigger",
-      new Date("2026-05-16T11:30:00Z"), // earlier than original 11:00
-      new Date("2026-05-16T11:00:00Z")
-    );
-
-    expect(result.shifted).toHaveLength(0);
-  });
-
-  it("returns early when there are no downstream appointments", async () => {
-    mockDb.select
-      .mockResolvedValueOnce([makeAppt()])           // triggering appt
-      .mockResolvedValueOnce([]);                     // no downstream
-
-    const result = await cascadeDelay(
-      "appt-trigger",
-      new Date("2026-05-16T11:30:00Z"),
-      new Date("2026-05-16T11:00:00Z")
-    );
-
-    expect(result.shifted).toHaveLength(0);
-  });
-
-  it("shifts a single downstream appointment by the correct delta", async () => {
-    const triggerEnd = new Date("2026-05-16T11:30:00Z"); // 30 min overrun
-    const originalEnd = new Date("2026-05-16T11:00:00Z");
-    const downstreamStart = new Date("2026-05-16T11:00:00Z");
-    const downstreamEnd = new Date("2026-05-16T12:00:00Z");
-
-    mockDb.select
-      .mockResolvedValueOnce([makeAppt({ staffId: "groomer-1" })])
-      .mockResolvedValueOnce([
-        makeAppt({
-          id: "downstream-1",
-          startTime: downstreamStart,
-          endTime: downstreamEnd,
-          status: "scheduled",
-        }),
-      ]);
-
-    const updateMock = mockDb.update.mockReturnValueThis();
-    mockDb.select.mockResolvedValueOnce([
-      {
-        clientId: "client-1",
-        clientName: "Alice",
-        clientEmail: "alice@example.com",
-        petName: "Buddy",
-        serviceName: "Full Groom",
-        groomerName: "Jamie",
-      },
-    ]);
-
-    const result = await cascadeDelay(
-      "appt-trigger",
-      triggerEnd,
-      originalEnd,
-      15 // 15 min buffer
-    );
-
-    // effectiveBoundary = 11:30 + 15min = 11:45
-    // delta = 11:45 - 11:00 = 45 min = 2_700_000 ms
-    const expectedDeltaMs = 45 * 60 * 1000;
-
-    expect(result.shifted).toHaveLength(1);
-    expect(result.shifted[0].id).toBe("downstream-1");
-    expect(result.shifted[0].newStartTime.getTime() - result.shifted[0].originalStartTime.getTime())
-      .toBe(expectedDeltaMs);
-    expect(sendEmail).toHaveBeenCalledTimes(1);
-  });
-
-  it("cascades shifts through a chain of appointments", async () => {
-    const triggerEnd = new Date("2026-05-16T12:00:00Z"); // 60 min overrun
-    const originalEnd = new Date("2026-05-16T11:00:00Z");
-
-    // Three downstream appointments, each 1 hour
-    const appt1Start = new Date("2026-05-16T11:00:00Z");
-    const appt1End   = new Date("2026-05-16T12:00:00Z");
-    const appt2Start = new Date("2026-05-16T12:00:00Z");
-    const appt2End   = new Date("2026-05-16T13:00:00Z");
-    const appt3Start = new Date("2026-05-16T13:00:00Z");
-    const appt3End   = new Date("2026-05-16T14:00:00Z");
-
-    mockDb.select
-      .mockResolvedValueOnce([makeAppt({ staffId: "groomer-1" })])
-      .mockResolvedValueOnce([
-        makeAppt({ id: "appt-2", startTime: appt2Start, endTime: appt2End, status: "confirmed" }),
-        makeAppt({ id: "appt-3", startTime: appt3Start, endTime: appt3End, status: "scheduled" }),
-      ]);
-
-    mockDb.update.mockReturnValueThis();
-
-    // Two enrich queries for the two shifted appointments
-    mockDb.select
-      .mockResolvedValueOnce([
-        {
-          clientId: "c1", clientName: "Alice", clientEmail: "alice@test.com",
-          petName: "Buddy", serviceName: "Full Groom", groomerName: "Jamie",
-        },
-      ])
-      .mockResolvedValueOnce([
-        {
-          clientId: "c2", clientName: "Bob", clientEmail: "bob@test.com",
-          petName: "Max", serviceName: "Bath", groomerName: "Jamie",
-        },
-      ]);
-
-    const result = await cascadeDelay(
-      "appt-trigger",
-      triggerEnd,
-      originalEnd,
-      15
-    );
-
-    // effectiveBoundary starts at 12:00 + 15 = 12:15
-    // appt-2: 12:00 start conflicts with 12:15 boundary → shift by 15 min → starts 12:15, ends 13:15
-    // new boundary: 13:15 + 15 = 13:30
-    // appt-3: 13:00 start conflicts with 13:30 boundary → shift by 30 min → starts 13:30, ends 14:30
-    expect(result.shifted).toHaveLength(2);
-    expect(result.shifted[0].id).toBe("appt-2");
-    expect(result.shifted[1].id).toBe("appt-3");
-    expect(mockDb.update).toHaveBeenCalledTimes(2);
-    expect(sendEmail).toHaveBeenCalledTimes(2);
-  });
-
-  it("flags but still updates boundary when shift would fall outside business hours", async () => {
-    const triggerEnd = new Date("2026-05-16T17:00:00Z");
-    const originalEnd = new Date("2026-05-16T16:00:00Z");
-
-    // Downstream appt starts at 16:00, business ends at 18:00
-    mockDb.select
-      .mockResolvedValueOnce([makeAppt({ staffId: "groomer-1" })])
-      .mockResolvedValueOnce([
-        makeAppt({
-          id: "appt-late",
-          startTime: new Date("2026-05-16T16:00:00Z"),
-          endTime:   new Date("2026-05-16T17:00:00Z"),
-          status: "scheduled",
-        }),
-      ]);
-
-    mockDb.update.mockReturnValueThis();
-    mockDb.select.mockResolvedValueOnce([
-      {
-        clientId: "c1", clientName: "Alice", clientEmail: "alice@test.com",
-        petName: "Buddy", serviceName: "Full Groom", groomerName: "Jamie",
-      },
-    ]);
-
-    // Business hours 08:00–18:00; proposed shift pushes to 17:15 start (still in hours)
-    // Try a late-night boundary: shift would push to 19:15 (outside 08:00–18:00)
-    const result = await cascadeDelay(
-      "appt-trigger",
-      new Date("2026-05-16T18:00:00Z"), // larger overrun
-      originalEnd,
-      15,
-      8,  // business start
-      18  // business end — proposed 18:15 start is outside
-    );
-
-    // The appointment at 16:00 with buffer of 15 min after 18:00 trigger:
-    // effectiveBoundary = 18:00 + 15 = 18:15 → outside business hours (18:15 > 18:00)
-    expect(result.flaggedForReview).toHaveLength(1);
-    expect(result.flaggedForReview[0].id).toBe("appt-late");
-    expect(result.flaggedForReview[0].reason).toContain("Manual review required");
-    // The appointment was NOT shifted (only flagged)
-    expect(mockDb.update).not.toHaveBeenCalled();
-  });
-
-  it("skips non-active appointments", async () => {
-    mockDb.select
-      .mockResolvedValueOnce([makeAppt({ staffId: "groomer-1" })])
-      .mockResolvedValueOnce([
-        makeAppt({ id: "in-progress-1", status: "in_progress" }),
-        makeAppt({ id: "cancelled-1",  status: "cancelled" }),
-        makeAppt({ id: "scheduled-1",  status: "scheduled" }),
-      ]);
-
-    mockDb.update.mockReturnValueThis();
-    mockDb.select.mockResolvedValueOnce([
-      {
-        clientId: "c1", clientName: "Alice", clientEmail: "alice@test.com",
-        petName: "Buddy", serviceName: "Full Groom", groomerName: "Jamie",
-      },
-    ]);
-
-    const result = await cascadeDelay(
-      "appt-trigger",
-      new Date("2026-05-16T11:30:00Z"),
-      new Date("2026-05-16T11:00:00Z"),
-      15
-    );
-
-    // Only the scheduled appointment should be shifted
-    expect(result.shifted).toHaveLength(1);
-    expect(result.shifted[0].id).toBe("scheduled-1");
-  });
-
-  it("stops cascading when an appointment no longer conflicts", async () => {
-    // Three downstream: appt-2 overlaps, appt-3 does NOT overlap, appt-4 overlaps
-    // Cascade should stop at appt-3
-    mockDb.select
-      .mockResolvedValueOnce([makeAppt({ staffId: "groomer-1" })])
-      .mockResolvedValueOnce([
-        // appt-2: starts at 11:00, ends 12:00 — overlaps boundary 11:45
-        makeAppt({ id: "appt-2", startTime: new Date("2026-05-16T11:00:00Z"), endTime: new Date("2026-05-16T12:00:00Z") }),
-        // appt-3: starts at 13:00 — already clear of shifted appt-2 (ends 12:15 + buffer)
-        makeAppt({ id: "appt-3", startTime: new Date("2026-05-16T13:00:00Z"), endTime: new Date("2026-05-16T14:00:00Z") }),
-        makeAppt({ id: "appt-4", startTime: new Date("2026-05-16T14:00:00Z"), endTime: new Date("2026-05-16T15:00:00Z") }),
-      ]);
-
-    mockDb.update.mockReturnValueThis();
-    mockDb.select.mockResolvedValueOnce([
-      {
-        clientId: "c1", clientName: "Alice", clientEmail: "alice@test.com",
-        petName: "Buddy", serviceName: "Full Groom", groomerName: "Jamie",
-      },
-    ]);
-
-    const result = await cascadeDelay(
-      "appt-trigger",
-      new Date("2026-05-16T11:30:00Z"),
-      new Date("2026-05-16T11:00:00Z"),
-      15
-    );
-
-    // Only appt-2 was shifted (appt-3 no longer conflicts after the stop condition check)
-    expect(result.shifted).toHaveLength(1);
-    expect(result.shifted[0].id).toBe("appt-2");
-  });
-
-  it("sends email notification for each shifted appointment", async () => {
-    mockDb.select
-      .mockResolvedValueOnce([makeAppt({ staffId: "groomer-1" })])
-      .mockResolvedValueOnce([
-        makeAppt({
-          id: "appt-email-test",
-          startTime: new Date("2026-05-16T11:00:00Z"),
-          endTime: new Date("2026-05-16T12:00:00Z"),
-          status: "confirmed",
-        }),
-      ]);
-
-    mockDb.update.mockReturnValueThis();
-    mockDb.select.mockResolvedValueOnce([
-      {
-        clientId: "c1",
-        clientName: "Carol",
-        clientEmail: "carol@example.com",
-        petName: "Luna",
-        serviceName: "Nail Trim",
-        groomerName: null,
-      },
-    ]);
-
-    await cascadeDelay(
-      "appt-trigger",
-      new Date("2026-05-16T11:30:00Z"),
-      new Date("2026-05-16T11:00:00Z"),
-      15
-    );
-
-    expect(sendEmail).toHaveBeenCalledWith(
-      expect.objectContaining({
-        to: "carol@example.com",
-        subject: expect.stringContaining("Rescheduled"),
-      })
-    );
-  });
-});

apps/api/src/lib/auth.ts

@@ -97,6 +97,9 @@ export async function initAuth(): Promise<void> {
           window: 10,
           storage: "memory",
           customRules: {
+            "/sign-in/social": { max: 10, window: 60 },
+            "/sign-in/email": { max: 10, window: 60 },
+            "/sign-up/email": { max: 5, window: 60 },
             "/get-session": false,
           },
         },
@@ -247,6 +250,9 @@ export async function initAuth(): Promise<void> {
         window: 10,
         storage: "memory",
         customRules: {
+          "/sign-in/social": { max: 10, window: 60 },
+          "/sign-in/email": { max: 10, window: 60 },
+          "/sign-up/email": { max: 5, window: 60 },
           "/get-session": false,
         },
       },

apps/api/src/lib/cascade.ts

@@ -1,341 +0,0 @@
-/**
- * Cascade delay prevention — `apps/api/src/lib/cascade.ts`
- *
- * Triggered after a PATCH /appointments/:id call extends an appointment's
- * endTime beyond its original value. Queries same-groomer downstream
- * appointments, shifts them forward by (overrunEnd + buffer − downstreamStart),
- * and cascades the shift through the chain. Clients are notified by email.
- *
- * Guard rails:
- *  - Only shifts `scheduled` and `confirmed` appointments.
- *  - Flags out-of-business-hours shifts for manual review instead of auto-shifting.
- *  - Returns the full list of shifted appointments.
- */
-
-import { eq, and, gt, lte, asc, ne, inArray } from "drizzle-orm";
-import { getDb, appointments, clients, pets, services, staff } from "@groombook/db";
-import { sendEmail } from "../services/email.js";
-
-// ─── Types ──────────────────────────────────────────────────────────────────────
-
-export interface CascadeResult {
-  shifted: ShiftedAppointment[];
-  flaggedForReview: FlaggedAppointment[];
-  /** Time in ms each downstream appointment was pushed forward */
-  cascadeLog: CascadeLogEntry[];
-}
-
-export interface ShiftedAppointment {
-  id: string;
-  originalStartTime: Date;
-  originalEndTime: Date;
-  newStartTime: Date;
-  newEndTime: Date;
-  clientId: string;
-  clientName: string;
-  clientEmail: string;
-  petName: string;
-  serviceName: string;
-  groomerName: string | null;
-}
-
-export interface FlaggedAppointment {
-  id: string;
-  originalStartTime: Date;
-  proposedStartTime: Date;
-  proposedEndTime: Date;
-  reason: string;
-}
-
-export interface CascadeLogEntry {
-  appointmentId: string;
-  deltaMs: number;
-  triggeredBy: string;
-}
-
-// ─── Config ───────────────────────────────────────────────────────────────────
-
-/** Default inter-appointment buffer in minutes. Overridden by services.bufferMinutes. */
-export const DEFAULT_BUFFER_MINUTES = 15;
-
-/** Default business hours (used when no settings row exists). */
-export const DEFAULT_BUSINESS_START_HOUR = 8; // 08:00
-export const DEFAULT_BUSINESS_END_HOUR = 18; // 18:00
-
-// ─── Core cascade ───────────────────────────────────────────────────────────────
-
-/**
- * Detect and cascade appointment overruns.
- *
- * @param triggeringAppointmentId  The appointment that just overran.
- * @param newEndTime               The updated endTime set by the caller.
- * @param originalEndTime          The appointment's endTime before the update.
- * @param bufferMinutes             Minutes of buffer between appointments (default 15).
- * @param businessStartHour         Business opening hour (0–23, default 8).
- * @param businessEndHour           Business closing hour (0–23, default 18).
- */
-export async function cascadeDelay(
-  triggeringAppointmentId: string,
-  newEndTime: Date,
-  originalEndTime: Date,
-  bufferMinutes: number = DEFAULT_BUFFER_MINUTES,
-  businessStartHour: number = DEFAULT_BUSINESS_START_HOUR,
-  businessEndHour: number = DEFAULT_BUSINESS_END_HOUR
-): Promise<CascadeResult> {
-  const db = getDb();
-
-  const bufferMs = bufferMinutes * 60_000;
-  const overrunEnd = newEndTime;
-
-  // ── 1. Load the triggering appointment ────────────────────────────────────────
-  const [triggering] = await db
-    .select()
-    .from(appointments)
-    .where(eq(appointments.id, triggeringAppointmentId))
-    .limit(1);
-
-  if (!triggering) {
-    return { shifted: [], flaggedForReview: [], cascadeLog: [] };
-  }
-
-  if (!triggering.staffId) {
-    // Unassigned appointments cannot cascade
-    return { shifted: [], flaggedForReview: [], cascadeLog: [] };
-  }
-
-  const groomerId = triggering.staffId;
-
-  // ── 2. Guard: only trigger when endTime actually extended ──────────────────────
-  if (overrunEnd <= originalEndTime) {
-    return { shifted: [], flaggedForReview: [], cascadeLog: [] };
-  }
-
-  const result: CascadeResult = { shifted: [], flaggedForReview: [], cascadeLog: [] };
-
-  // ── 3. Fetch all downstream same-groomer active appointments ──────────────────
-  const downstream = await db
-    .select()
-    .from(appointments)
-    .where(
-      and(
-        eq(appointments.staffId, groomerId),
-        gt(appointments.startTime, originalEndTime),
-        inArray(appointments.status, ["scheduled", "confirmed"]),
-      )
-    )
-    .orderBy(asc(appointments.startTime));
-
-  if (downstream.length === 0) return result;
-
-  // ── 4. Cascade loop ────────────────────────────────────────────────────────────
-  // Keep track of current effective boundary after each shift.
-  // Start from the new endTime of the triggering appointment plus buffer.
-  let effectiveBoundary = new Date(overrunEnd.getTime() + bufferMs);
-
-  for (const appt of downstream) {
-    const conflictStart = appt.startTime;
-    const conflictEnd = appt.endTime;
-    const apptDurationMs = conflictEnd.getTime() - conflictStart.getTime();
-
-    // Does this appointment overlap the effective boundary?
-    if (effectiveBoundary.getTime() >= conflictEnd.getTime()) {
-      // No conflict — this appointment and all later ones are unaffected
-      break;
-    }
-
-    const proposedStart = new Date(effectiveBoundary);
-    const proposedEnd = new Date(proposedStart.getTime() + apptDurationMs);
-
-    // ── Business-hours guard ────────────────────────────────────────────────────
-    const proposedStartHour = proposedStart.getHours() + proposedStart.getMinutes() / 60;
-    const proposedEndHour = proposedEnd.getHours() + proposedEnd.getMinutes() / 60;
-    const outOfHours =
-      proposedStartHour < businessStartHour ||
-      proposedEndHour > businessEndHour;
-
-    if (outOfHours) {
-      result.flaggedForReview.push({
-        id: appt.id,
-        originalStartTime: appt.startTime,
-        proposedStartTime: proposedStart,
-        proposedEndTime: proposedEnd,
-        reason:
-          `Would push appointment outside business hours ` +
-          `(${businessStartHour}:00–${businessEndHour}:00). ` +
-          `Manual review required.`,
-      });
-      // Update boundary anyway — later appointments may still conflict
-      effectiveBoundary = new Date(proposedEnd.getTime() + bufferMs);
-      continue;
-    }
-
-    // ── Perform the shift ──────────────────────────────────────────────────────
-    const deltaMs = proposedStart.getTime() - appt.startTime.getTime();
-
-    await db
-      .update(appointments)
-      .set({ startTime: proposedStart, endTime: proposedEnd, updatedAt: new Date() })
-      .where(eq(appointments.id, appt.id));
-
-    result.cascadeLog.push({
-      appointmentId: appt.id,
-      deltaMs,
-      triggeredBy: triggeringAppointmentId,
-    });
-
-    // ── Load client/pet/service info for notification ──────────────────────────
-    const enriched = await enrichAppointment(appt.id);
-    if (enriched) {
-      result.shifted.push({
-        id: appt.id,
-        originalStartTime: appt.startTime,
-        originalEndTime: appt.endTime,
-        newStartTime: proposedStart,
-        newEndTime: proposedEnd,
-        ...enriched,
-      });
-    }
-
-    // Advance boundary to the end of this shifted appointment plus buffer
-    effectiveBoundary = new Date(proposedEnd.getTime() + bufferMs);
-  }
-
-  // ── 5. Send notifications ────────────────────────────────────────────────────
-  for (const shifted of result.shifted) {
-    await sendRescheduleNotification(shifted).catch((err) =>
-      console.error(`[cascade] Failed to send notification for ${shifted.id}:`, err)
-    );
-  }
-
-  return result;
-}
-
-/**
- * Shortcut for status-transition overruns (current time > endTime + bufferMinutes).
- * Delegates to `cascadeDelay` using the current appointment data.
- */
-export async function cascadeOnStatusOverrun(
-  appointmentId: string,
-  bufferMinutes: number = DEFAULT_BUFFER_MINUTES,
-  businessStartHour: number = DEFAULT_BUSINESS_START_HOUR,
-  businessEndHour: number = DEFAULT_BUSINESS_END_HOUR
-): Promise<CascadeResult> {
-  const db = getDb();
-  const [appt] = await db
-    .select()
-    .from(appointments)
-    .where(eq(appointments.id, appointmentId))
-    .limit(1);
-
-  if (!appt) return { shifted: [], flaggedForReview: [], cascadeLog: [] };
-
-  const now = new Date();
-  const bufferMs = bufferMinutes * 60_000;
-
-  if (now.getTime() <= appt.endTime.getTime() + bufferMs) {
-    // Not actually in overrun
-    return { shifted: [], flaggedForReview: [], cascadeLog: [] };
-  }
-
-  // Use current time as the new endTime (the appointment is already running over)
-  return cascadeDelay(
-    appointmentId,
-    now,
-    appt.endTime,
-    bufferMinutes,
-    businessStartHour,
-    businessEndHour
-  );
-}
-
-// ─── Helpers ────────────────────────────────────────────────────────────────────
-
-interface EnrichedFields {
-  clientId: string;
-  clientName: string;
-  clientEmail: string;
-  petName: string;
-  serviceName: string;
-  groomerName: string | null;
-}
-
-async function enrichAppointment(
-  apptId: string
-): Promise<EnrichedFields | null> {
-  const db = getDb();
-  const [row] = await db
-    .select({
-      clientId: appointments.clientId,
-      clientName: clients.name,
-      clientEmail: clients.email,
-      petName: pets.name,
-      serviceName: services.name,
-      groomerName: staff.name,
-    })
-    .from(appointments)
-    .innerJoin(clients, eq(clients.id, appointments.clientId))
-    .innerJoin(pets, eq(pets.id, appointments.petId))
-    .innerJoin(services, eq(services.id, appointments.serviceId))
-    .leftJoin(staff, eq(staff.id, appointments.staffId))
-    .where(eq(appointments.id, apptId))
-    .limit(1);
-
-  if (!row) return null;
-  return {
-    clientId: row.clientId,
-    clientName: row.clientName,
-    clientEmail: row.clientEmail,
-    petName: row.petName,
-    serviceName: row.serviceName,
-    groomerName: row.groomerName,
-  };
-}
-
-async function sendRescheduleNotification(
-  shifted: ShiftedAppointment
-): Promise<void> {
-  const time = formatDateTime(shifted.newStartTime);
-  const original = formatDateTime(shifted.originalStartTime);
-  const groomer = shifted.groomerName ? ` with ${shifted.groomerName}` : "";
-
-  await sendEmail({
-    to: shifted.clientEmail,
-    subject: `Appointment Rescheduled — ${shifted.petName}`,
-    text: [
-      `Hi ${shifted.clientName},`,
-      ``,
-      `Your appointment for ${shifted.petName} has been rescheduled.`,
-      ``,
-      `  Was:    ${original}${groomer}`,
-      `  Now:    ${time}${groomer}`,
-      ``,
-      `We apologize for any inconvenience. If this new time doesn't work for you, please contact us as soon as possible.`,
-      ``,
-      `— Groom Book`,
-    ].join("\n"),
-    html: `<p>Hi ${shifted.clientName},</p>
-<p>Your appointment for <strong>${shifted.petName}</strong> has been rescheduled.</p>
-<table style="border-collapse:collapse;margin:1em 0">
-  <tr><td style="padding:4px 12px 4px 0;font-weight:600;color:#6b7280">Previous time</td><td style="text-decoration:line-through;color:#9ca3af">${original}${groomer}</td></tr>
-  <tr><td style="padding:4px 12px 4px 0;font-weight:600;color:#6b7280">New time</td><td>${time}${groomer}</td></tr>
-</table>
-<p>If this new time doesn't work for you, please contact us as soon as possible.</p>
-<p>— Groom Book</p>`,
-  });
-
-  console.info(
-    `[cascade] Notified ${shifted.clientEmail} of reschedule for ${shifted.petName} ` +
-      `(${shifted.id}): ${original} → ${time}`
-  );
-}
-
-function formatDateTime(d: Date): string {
-  return d.toLocaleString("en-US", {
-    weekday: "long",
-    year: "numeric",
-    month: "long",
-    day: "numeric",
-    hour: "2-digit",
-    minute: "2-digit",
-  });
-}

apps/api/src/routes/appointments.ts

@@ -20,7 +20,6 @@ import {
   staff,
 } from "@groombook/db";
 import { buildConfirmationEmail, sendEmail } from "../services/email.js";
-import { cascadeDelay } from "../lib/cascade.js";
 import { notifyWaitlistForAppointment } from "../services/waitlistNotify.js";
 import type { AppEnv } from "../middleware/rbac.js";
 
@@ -581,15 +580,6 @@ appointmentsRouter.patch(
     if (updateFields.endTime) update.endTime = new Date(updateFields.endTime);
 
     if (needsConflictCheck) {
-      // Capture original endTime before the transaction so we can detect an
-      // overrun and trigger cascade delay prevention after the update.
-      const [preUpdate] = await db
-        .select({ originalEndTime: appointments.endTime })
-        .from(appointments)
-        .where(eq(appointments.id, id))
-        .limit(1);
-      const originalEndTime = preUpdate?.originalEndTime ?? null;
-
       // Wrap conflict check + update in a transaction to prevent race conditions
       // (fixes #18). Also falls back to the existing staffId when staffId is
       // omitted from the request, so rescheduling always checks conflicts (fixes #19).
@@ -694,23 +684,7 @@ appointmentsRouter.patch(
       }
 
       if (!row) return c.json({ error: "Not found" }, 404);
-
-      // Cascade delay prevention: detect if endTime was extended and cascade
-      // downstream appointments if so. Runs after the main update commits.
-      const cascadeResult =
-        updateFields.endTime &&
-        originalEndTime &&
-        new Date(updateFields.endTime) > originalEndTime
-          ? await cascadeDelay(id, new Date(updateFields.endTime), originalEndTime)
-          : { shifted: [], flaggedForReview: [], cascadeLog: [] };
-
-      return c.json({
-        ...row,
-        cascade:
-          cascadeResult.shifted.length > 0 || cascadeResult.flaggedForReview.length > 0
-            ? cascadeResult
-            : undefined,
-      });
+      return c.json(row);
     }
 
     const [row] = await db

apps/e2e/tests/portal-data.spec.ts

@@ -72,9 +72,15 @@ test.describe("Portal Data Integrity", () => {
   });
 
   test("billing section renders without JS errors", async ({ page }) => {
-    // Mock billing endpoint
-    await page.route("**/api/billing**", (route) =>
-      route.fulfill({ json: { invoices: [], balanceCents: 0 } })
+    // Mock portal billing endpoints
+    await page.route("**/api/portal/config**", (route) =>
+      route.fulfill({ json: { stripePublishableKey: "" } })
+    );
+    await page.route("**/api/portal/invoices**", (route) =>
+      route.fulfill({ json: [] })
+    );
+    await page.route("**/api/portal/payment-methods**", (route) =>
+      route.fulfill({ json: [] })
     );
 
     const consoleErrors: string[] = [];

packages/db/migrations/0030_messaging.sql

@@ -0,0 +1,72 @@
+-- Migration: 0030_messaging.sql
+-- Messaging schema: conversations, messages, attachments, consent events + business messaging settings
+
+-- ─── Enums ───────────────────────────────────────────────────────────────────
+
+CREATE TYPE "messaging_channel" AS ENUM ('sms', 'mms');
+CREATE TYPE "message_direction" AS ENUM ('inbound', 'outbound');
+CREATE TYPE "message_status" AS ENUM ('queued', 'sent', 'delivered', 'failed', 'received');
+CREATE TYPE "message_consent_kind" AS ENUM ('opt_in', 'opt_out', 'help');
+
+-- ─── Tables ───────────────────────────────────────────────────────────────────
+
+CREATE TABLE "conversations" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "business_id" uuid NOT NULL,
+  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
+  "channel" "messaging_channel" NOT NULL,
+  "external_number" text NOT NULL,
+  "business_number" text NOT NULL,
+  "last_message_at" timestamp,
+  "status" text NOT NULL DEFAULT 'active',
+  "created_at" timestamp NOT NULL DEFAULT now(),
+  "updated_at" timestamp NOT NULL DEFAULT now()
+);
+
+CREATE INDEX "idx_conversations_business_id_last_message_at" ON "conversations"("business_id", "last_message_at" DESC);
+CREATE UNIQUE INDEX "uq_conversations_business_client_number" ON "conversations"("business_id", "client_id", "business_number");
+
+CREATE TABLE "messages" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "conversation_id" uuid NOT NULL REFERENCES "conversations"("id") ON DELETE CASCADE,
+  "direction" "message_direction" NOT NULL,
+  "body" text,
+  "status" "message_status" NOT NULL DEFAULT 'queued',
+  "provider_message_id" text,
+  "error_code" text,
+  "error_message" text,
+  "sent_by_staff_id" uuid REFERENCES "staff"("id") ON DELETE SET NULL,
+  "created_at" timestamp NOT NULL DEFAULT now(),
+  "delivered_at" timestamp,
+  "read_by_client_at" timestamp
+);
+
+CREATE INDEX "idx_messages_conversation_id_created_at" ON "messages"("conversation_id", "created_at" DESC);
+CREATE UNIQUE INDEX "uq_messages_provider_message_id" ON "messages"("provider_message_id");
+
+CREATE TABLE "message_attachments" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "message_id" uuid NOT NULL REFERENCES "messages"("id") ON DELETE CASCADE,
+  "content_type" text NOT NULL,
+  "url" text NOT NULL,
+  "size" integer NOT NULL,
+  "provider_media_id" text
+);
+
+CREATE INDEX "idx_message_attachments_message_id" ON "message_attachments"("message_id");
+
+CREATE TABLE "message_consent_events" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "client_id" uuid NOT NULL REFERENCES "clients"("id") ON DELETE CASCADE,
+  "business_id" uuid NOT NULL,
+  "kind" "message_consent_kind" NOT NULL,
+  "source" text,
+  "created_at" timestamp NOT NULL DEFAULT now()
+);
+
+CREATE INDEX "idx_message_consent_events_client_id" ON "message_consent_events"("client_id");
+
+-- ─── Business Settings extensions ────────────────────────────────────────────
+
+ALTER TABLE "business_settings" ADD COLUMN "messaging_phone_number" text;
+ALTER TABLE "business_settings" ADD COLUMN "telnyx_messaging_profile_id" text;

packages/db/migrations/meta/_journal.json

@@ -204,6 +204,20 @@
       "when": 1775741667192,
       "tag": "0028_sms_reminders",
       "breakpoints": true
+    },
+    {
+      "idx": 29,
+      "version": "7",
+      "when": 1775784467192,
+      "tag": "0029_db_indexes_constraints",
+      "breakpoints": true
+    },
+    {
+      "idx": 30,
+      "version": "7",
+      "when": 1775828067192,
+      "tag": "0030_messaging",
+      "breakpoints": true
     }
   ]
 }

packages/db/src/schema.ts

@@ -406,6 +406,117 @@ export const impersonationAuditLogs = pgTable(
   (t) => [index("impersonation_audit_logs_session_id_idx").on(t.sessionId)]
 );
 
+// ─── Messaging ───────────────────────────────────────────────────────────────
+
+export const messagingChannelEnum = pgEnum("messaging_channel", ["sms", "mms"]);
+
+export const messageDirectionEnum = pgEnum("message_direction", [
+  "inbound",
+  "outbound",
+]);
+
+export const messageStatusEnum = pgEnum("message_status", [
+  "queued",
+  "sent",
+  "delivered",
+  "failed",
+  "received",
+]);
+
+export const messageConsentKindEnum = pgEnum("message_consent_kind", [
+  "opt_in",
+  "opt_out",
+  "help",
+]);
+
+export const conversations = pgTable(
+  "conversations",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    businessId: uuid("business_id").notNull(),
+    clientId: uuid("client_id")
+      .notNull()
+      .references(() => clients.id, { onDelete: "cascade" }),
+    channel: messagingChannelEnum("channel").notNull(),
+    externalNumber: text("external_number").notNull(),
+    businessNumber: text("business_number").notNull(),
+    lastMessageAt: timestamp("last_message_at"),
+    status: text("status").notNull().default("active"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    updatedAt: timestamp("updated_at").notNull().defaultNow(),
+  },
+  (t) => [
+    index("idx_conversations_business_id_last_message_at").on(
+      t.businessId,
+      t.lastMessageAt.desc()
+    ),
+    unique("uq_conversations_business_client_number").on(
+      t.businessId,
+      t.clientId,
+      t.businessNumber
+    ),
+  ]
+);
+
+export const messages = pgTable(
+  "messages",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    conversationId: uuid("conversation_id")
+      .notNull()
+      .references(() => conversations.id, { onDelete: "cascade" }),
+    direction: messageDirectionEnum("direction").notNull(),
+    body: text("body"),
+    status: messageStatusEnum("status").notNull().default("queued"),
+    providerMessageId: text("provider_message_id"),
+    errorCode: text("error_code"),
+    errorMessage: text("error_message"),
+    sentByStaffId: uuid("sent_by_staff_id").references(() => staff.id, {
+      onDelete: "set null",
+    }),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+    deliveredAt: timestamp("delivered_at"),
+    readByClientAt: timestamp("read_by_client_at"),
+  },
+  (t) => [
+    index("idx_messages_conversation_id_created_at").on(
+      t.conversationId,
+      t.createdAt.desc()
+    ),
+    unique("uq_messages_provider_message_id").on(t.providerMessageId),
+  ]
+);
+
+export const messageAttachments = pgTable(
+  "message_attachments",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    messageId: uuid("message_id")
+      .notNull()
+      .references(() => messages.id, { onDelete: "cascade" }),
+    contentType: text("content_type").notNull(),
+    url: text("url").notNull(),
+    size: integer("size").notNull(),
+    providerMediaId: text("provider_media_id"),
+  },
+  (t) => [index("idx_message_attachments_message_id").on(t.messageId)]
+);
+
+export const messageConsentEvents = pgTable(
+  "message_consent_events",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    clientId: uuid("client_id")
+      .notNull()
+      .references(() => clients.id, { onDelete: "cascade" }),
+    businessId: uuid("business_id").notNull(),
+    kind: messageConsentKindEnum("kind").notNull(),
+    source: text("source"),
+    createdAt: timestamp("created_at").notNull().defaultNow(),
+  },
+  (t) => [index("idx_message_consent_events_client_id").on(t.clientId)]
+);
+
 export const businessSettings = pgTable("business_settings", {
   id: uuid("id").primaryKey().defaultRandom(),
   businessName: text("business_name").notNull().default("GroomBook"),
@@ -414,6 +525,8 @@ export const businessSettings = pgTable("business_settings", {
   logoKey: text("logo_key"),
   primaryColor: text("primary_color").notNull().default("#4f8a6f"),
   accentColor: text("accent_color").notNull().default("#8b7355"),
+  messagingPhoneNumber: text("messaging_phone_number"),
+  telnyxMessagingProfileId: text("telnyx_messaging_profile_id"),
   createdAt: timestamp("created_at").notNull().defaultNow(),
   updatedAt: timestamp("updated_at").notNull().defaultNow(),
 });

packages/db/src/seed.ts

@@ -883,7 +883,6 @@ async function seed() {
   let appointmentCount = 0;
   let invoiceCount = 0;
   let visitLogCount = 0;
-  let paidInvoiceCounter = 0;
 
   // Process in batches per client to keep memory manageable
   const apptBatchSize = 100;
@@ -978,11 +977,8 @@ async function seed() {
 
         const invoiceStatus = rand() < 0.95 ? "paid" as const : "pending" as const;
         const paidAt = invoiceStatus === "paid" ? new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000) : null;
-        paidInvoiceCounter++;
-        const stripePaymentIntentId = invoiceStatus === "paid"
-          ? `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`
-          : null;
 
+        const stripePaymentIntentId = invoiceStatus === "paid" && rand() < 0.2 ? `pi_test_${uuid().replace(/-/g, "").slice(0, 24)}` : null;
         invoiceBatch.push({
           id: invoiceId,
           appointmentId: apptId,
@@ -1098,16 +1094,14 @@ async function seed() {
       const taxCents = Math.round(effectivePrice * 0.08);
       const totalCents = effectivePrice + taxCents + tipCents;
       const paidAt = new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000);
-      paidInvoiceCounter++;
+      const stripePaymentIntentId = rand() < 0.2 ? `pi_test_${uuid().replace(/-/g, "").slice(0, 24)}` : null;
 
       invoiceBatch.push({
         id: invoiceId, appointmentId: apptId, clientId,
         subtotalCents: effectivePrice, taxCents, tipCents, totalCents,
         status: "paid" as const,
         paymentMethod: pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check",
-        paidAt,
-        stripePaymentIntentId: `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`,
-        notes: null,
+        paidAt, stripePaymentIntentId, notes: null,
       });
       lineItemBatch.push({
         id: uuid(), invoiceId, description: svc.name, quantity: 1,

pnpm-lock.yaml

@@ -4346,10 +4346,12 @@ packages:
 
   uuid@8.3.2:
     resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
+    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   uuid@9.0.1:
     resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
+    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   victory-vendor@37.3.6: