fix(e2e): add /api/invoices/stats/summary mock before broad /api/invoices catch-all

PR #341 added a useEffect in the Invoices page that fetches
/api/invoices/stats/summary. The existing /api/invoices mock was too broad
and intercepted this URL, returning { data: [], total: 0 } instead of the
stats shape { revenueThisMonth, outstanding, refundsThisMonth, methodBreakdown }.
This caused a runtime crash when rendering paymentStats.revenueThisMonth.

The fix adds a specific mock for /api/invoices/stats/summary before the general
/api/invoices mock, so the stats endpoint returns the correct shape.

Fixes GRO-820.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/helm-release.yml

@@ -1,54 +0,0 @@
-name: Release Helm Chart
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - 'charts/**'
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout groombook
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Checkout groombook.dev (Helm chart host)
-        uses: actions/checkout@v4
-        with:
-          repository: groombook/groombook.dev
-          path: gitea-pages
-          token: ${{ gitea.token }}
-
-      - name: Install Helm
-        uses: azure/setup-helm@v4
-
-      - name: Update Helm dependencies
-        run: helm dependency update charts/groombook
-
-      - name: Package chart
-        run: |
-          mkdir -p gitea-pages/charts
-          helm package charts/groombook -d gitea-pages/charts
-
-      - name: Update repo index
-        run: |
-          # TODO: update URL once Gitea Pages hosting is confirmed
-          CHART_URL="${HELM_CHART_URL:-https://groombook.farh.net/charts}"
-          if [ -f gitea-pages/charts/index.yaml ]; then
-            helm repo index gitea-pages/charts --merge gitea-pages/charts/index.yaml --url "$CHART_URL"
-          else
-            helm repo index gitea-pages/charts --url "$CHART_URL"
-          fi
-
-      - name: Push to groombook.dev
-        run: |
-          cd gitea-pages
-          git config user.name "groombook-engineer[bot]"
-          git config user.email "groombook-engineer[bot]@git.farh.net"
-          git add charts/
-          git diff --staged --quiet && echo 'No chart changes' && exit 0
-          git commit -m "Update Helm chart repository"
-          git push

.github/workflows/ci.yml

@@ -86,8 +86,6 @@ jobs:
 
       - name: Run E2E tests
         run: pnpm --filter @groombook/e2e test
-        env:
-          PLAYWRIGHT_BASE_URL: http://host.docker.internal:8080
 
       - name: Upload Playwright report
         if: failure()
@@ -129,12 +127,18 @@ jobs:
     needs: [build, e2e]
     outputs:
       tag: ${{ steps.version.outputs.tag }}
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@v4
 
       - name: Generate image tag
         id: version
         run: |
+          # Always include short SHA so each build is immutable and cache-from can never
+          # cross-contaminate between commits. For PRs the format is pr-N-sha7; for main
+          # it is YYYY.MM.DD-sha7.
           if [ "${{ github.event_name }}" = "pull_request" ]; then
             TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}"
           else
@@ -146,12 +150,12 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to Gitea Container Registry
+      - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-          registry: git.farh.net
-          username: ${{ gitea.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push API image
         uses: docker/build-push-action@v6
@@ -161,10 +165,10 @@ jobs:
           target: runner
           push: true
           tags: |
-            git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
-          cache-from: type=registry,ref=git.farh.net/groombook/cache:api
-          cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
+            ghcr.io/groombook/api:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/api:latest' || '' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Build and push Migrate image
         uses: docker/build-push-action@v6
@@ -174,10 +178,10 @@ jobs:
           target: migrate
           push: true
           tags: |
-            git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
-          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
-          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
+            ghcr.io/groombook/migrate:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/migrate:latest' || '' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Build and push Seed image
         uses: docker/build-push-action@v6
@@ -187,10 +191,10 @@ jobs:
           target: seed
           push: true
           tags: |
-            git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
-          cache-from: type=registry,ref=git.farh.net/groombook/cache:seed
-          cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max
+            ghcr.io/groombook/seed:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/seed:latest' || '' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Build and push Reset image
         uses: docker/build-push-action@v6
@@ -200,10 +204,10 @@ jobs:
           target: reset
           push: true
           tags: |
-            git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
-          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
-          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
+            ghcr.io/groombook/reset:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/reset:latest' || '' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Build and push Web image
         uses: docker/build-push-action@v6
@@ -212,16 +216,19 @@ jobs:
           file: apps/web/Dockerfile
           push: true
           tags: |
-            git.farh.net/groombook/web:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/web:latest' || '' }}
-          cache-from: type=registry,ref=git.farh.net/groombook/cache:web
-          cache-to: type=registry,ref=git.farh.net/groombook/cache:web,mode=max
+            ghcr.io/groombook/web:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/web:latest' || '' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
   deploy-dev:
     name: Deploy PR to groombook-dev
-    runs-on: ubuntu-latest
+    runs-on: runners-groombook
     needs: [docker]
     if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Install kubectl
         run: |
@@ -238,6 +245,7 @@ jobs:
           TAG="pr-$PR_NUM-${SHA::7}"
           echo "Deploying images tagged $TAG to groombook-dev..."
 
+          # Run migration with PR image
           kubectl delete job "migrate-pr-$PR_NUM" -n groombook-dev --ignore-not-found
           cat <<EOF | kubectl apply -n groombook-dev -f -
           apiVersion: batch/v1
@@ -252,7 +260,7 @@ jobs:
                 restartPolicy: Never
                 containers:
                 - name: migrate
-                  image: git.farh.net/groombook/migrate:$TAG
+                  image: ghcr.io/groombook/migrate:$TAG
                   env:
                   - name: DATABASE_URL
                     valueFrom:
@@ -263,25 +271,35 @@ jobs:
           kubectl wait --for=condition=complete "job/migrate-pr-$PR_NUM" \
             -n groombook-dev --timeout=120s
 
-          kubectl set image deployment/api api=git.farh.net/groombook/api:$TAG -n groombook-dev
-          kubectl set image deployment/web web=git.farh.net/groombook/web:$TAG -n groombook-dev
+          # Update deployments
+          kubectl set image deployment/api api=ghcr.io/groombook/api:$TAG -n groombook-dev
+          kubectl set image deployment/web web=ghcr.io/groombook/web:$TAG -n groombook-dev
 
+          # Wait for rollout
           kubectl rollout status deployment/api -n groombook-dev --timeout=300s
           kubectl rollout status deployment/web -n groombook-dev --timeout=300s
 
           echo "Deployment complete."
 
       - name: Comment on PR
-        env:
-          PR_NUM: ${{ github.event.pull_request.number }}
-          GITEA_TOKEN: ${{ gitea.token }}
-        run: |
-          TAG="pr-${PR_NUM}"
-          curl -s -X POST \
-            -H "Authorization: token $GITEA_TOKEN" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/groombook/app/issues/$PR_NUM/comments" \
-            -d "{\"body\": \"## Deployed to groombook-dev\n\n**Images:** \`${TAG}\`\n**URL:** https://dev.groombook.farh.net\n\nReady for UAT validation.\"}"
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.issue.number;
+            const tag = `pr-${pr}`;
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr,
+              body: [
+                '## Deployed to groombook-dev',
+                '',
+                `**Images:** \`${tag}\``,
+                '**URL:** https://dev.groombook.farh.net',
+                '',
+                'Ready for UAT validation.'
+              ].join('\n')
+            });
 
   web-e2e:
     name: Web E2E (Dev)
@@ -322,13 +340,21 @@ jobs:
     name: Update Infra Image Tags
     runs-on: ubuntu-latest
     needs: [docker]
-    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push'
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
+      - name: Generate infra repo token
+        id: infra-token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ vars.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Clone groombook/infra
-        env:
-          GITEA_TOKEN: ${{ gitea.token }}
         run: |
-          git clone https://oauth2:$GITEA_TOKEN@git.farh.net/groombook/infra.git /tmp/infra
+          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
 
       - name: Install yq
         run: |
@@ -345,25 +371,30 @@ jobs:
           fi
           export SHORT_SHA="${SHA::7}"
           echo "Updating dev overlay image tags to: $TAG"
+          echo "Updating migration/seed Job names with SHA: $SHORT_SHA"
           cd /tmp/infra
           DEV_KUST="apps/groombook/overlays/dev/kustomization.yaml"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"
 
+          # Update migrate Job name to include short SHA (immutable template fix)
           MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
+            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
             yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$MIGRATE_JOB"
           fi
 
+          # Update seed Job name to include short SHA (immutable template fix)
           SEED_JOB="apps/groombook/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB"
+            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
             yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$SEED_JOB"
           fi
 
@@ -372,40 +403,32 @@ jobs:
       - name: Create PR on groombook/infra
         env:
           TAG: ${{ needs.docker.outputs.tag }}
-          GITEA_TOKEN: ${{ gitea.token }}
+          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
         run: |
           if [ -z "$TAG" ]; then
             TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
           fi
+
           cd /tmp/infra
           git config user.name "groombook-engineer[bot]"
-          git config user.email "groombook-engineer[bot]@git.farh.net"
+          git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
           git checkout -b "chore/update-image-tags-${TAG}"
           git add apps/groombook/overlays/dev/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
           git commit -m "chore: update image tags and migration/seed Job names to ${TAG}"
+
           git push -u origin "chore/update-image-tags-${TAG}"
 
-          EXISTING_PR=$(curl -s \
-            -H "Authorization: token $GITEA_TOKEN" \
-            "https://git.farh.net/api/v1/repos/groombook/infra/pulls?state=open&limit=50" \
-            | jq -r ".[] | select(.head.label == \"chore/update-image-tags-${TAG}\") | .number" | head -1)
+          # Check if PR already exists for this branch
+          EXISTING_PR=$(gh pr list --repo groombook/infra --head "chore/update-image-tags-${TAG}" --state open --json number -q '.[0].number' || true)
           if [ -n "$EXISTING_PR" ]; then
-            echo "PR #$EXISTING_PR already exists, merging"
-            curl -s -X POST \
-              -H "Authorization: token $GITEA_TOKEN" \
-              -H "Content-Type: application/json" \
-              "https://git.farh.net/api/v1/repos/groombook/infra/pulls/$EXISTING_PR/merge" \
-              -d '{"Do":"merge"}'
+            echo "PR #$EXISTING_PR already exists for this tag, merging existing PR"
+            gh pr merge "$EXISTING_PR" --repo groombook/infra --merge
           else
-            PR_NUM=$(curl -s -X POST \
-              -H "Authorization: token $GITEA_TOKEN" \
-              -H "Content-Type: application/json" \
-              "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
-              -d "{\"head\":\"chore/update-image-tags-${TAG}\",\"base\":\"main\",\"title\":\"chore: deploy ${TAG} to dev\",\"body\":\"[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge\"}" \
-              | jq '.number')
-            curl -s -X POST \
-              -H "Authorization: token $GITEA_TOKEN" \
-              -H "Content-Type: application/json" \
-              "https://git.farh.net/api/v1/repos/groombook/infra/pulls/$PR_NUM/merge" \
-              -d '{"Do":"merge"}'
+            PR_URL=$(gh pr create \
+              --repo groombook/infra \
+              --base main \
+              --head "chore/update-image-tags-${TAG}" \
+              --title "chore: deploy ${TAG} to dev" \
+              --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
+            gh pr merge "$PR_URL" --merge
           fi

.github/workflows/helm-release.yml

@@ -0,0 +1,54 @@
+name: Release Helm Chart
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'charts/**'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout groombook
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Checkout groombook.github.io
+        uses: actions/checkout@v4
+        with:
+          repository: groombook/groombook.github.io
+          path: gh-pages
+          token: ${{ secrets.CHART_REPO_TOKEN }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Update Helm dependencies
+        run: helm dependency update charts/groombook
+
+      - name: Package chart
+        run: |
+          mkdir -p gh-pages/charts
+          helm package charts/groombook -d gh-pages/charts
+
+      - name: Update repo index
+        run: |
+          if [ -f gh-pages/charts/index.yaml ]; then
+            helm repo index gh-pages/charts --merge gh-pages/charts/index.yaml --url https://groombook.github.io/charts
+          else
+            helm repo index gh-pages/charts --url https://groombook.github.io/charts
+          fi
+
+      - name: Push to groombook.github.io
+        run: |
+          cd gh-pages
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add charts/
+          git diff --staged --quiet && echo 'No chart changes' && exit 0
+          git commit -m "Update Helm chart repository"
+          git push

.github/workflows/promote-prod.yml

@@ -12,6 +12,9 @@ jobs:
   promote:
     name: Promote to Production
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: Validate tag format
         run: |
@@ -22,25 +25,28 @@ jobs:
           fi
           echo "Tag format valid: $TAG"
 
-      - name: Verify image exists in Gitea Container Registry
+      - name: Verify image exists in GHCR
         env:
-          GITEA_TOKEN: ${{ gitea.token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           TAG="${{ inputs.tag }}"
-          if ! curl -sf \
-            -H "Authorization: token $GITEA_TOKEN" \
-            "https://git.farh.net/api/v1/packages/groombook?type=container&limit=50" \
-            | jq -e --arg t "$TAG" '[.[] | select(.name == "api" and .version == $t)] | length > 0' > /dev/null 2>&1; then
-            echo "::warning::Could not verify git.farh.net/groombook/api:$TAG via package API — verify manually if needed."
-          else
-            echo "Image verified: git.farh.net/groombook/api:$TAG exists"
+          # Check that the API image exists — if API was pushed, web/migrate were too
+          if ! gh api "/orgs/groombook/packages/container/api/versions" --jq ".[].metadata.container.tags[]" 2>/dev/null | grep -qF "$TAG"; then
+            echo "::error::Image ghcr.io/groombook/api:$TAG not found in GHCR. Verify the tag was built and pushed."
+            exit 1
           fi
+          echo "Image verified: ghcr.io/groombook/api:$TAG exists"
+
+      - name: Generate infra repo token
+        id: infra-token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ vars.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Clone groombook/infra
-        env:
-          GITEA_TOKEN: ${{ gitea.token }}
         run: |
-          git clone https://oauth2:$GITEA_TOKEN@git.farh.net/groombook/infra.git /tmp/infra
+          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
 
       - name: Install yq
         run: |
@@ -58,17 +64,19 @@ jobs:
           export SHORT_SHA
           export TAG
 
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$PROD_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$PROD_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$PROD_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$PROD_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$PROD_KUST"
 
+          # Update migrate Job name to include short SHA (immutable template fix)
           MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
           fi
 
+          # Update seed Job name to include short SHA (immutable template fix)
           SEED_JOB="apps/groombook/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
@@ -80,29 +88,30 @@ jobs:
       - name: Create PR on groombook/infra
         env:
           TAG: ${{ inputs.tag }}
-          GITEA_TOKEN: ${{ gitea.token }}
+          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
         run: |
           cd /tmp/infra
           git config user.name "groombook-engineer[bot]"
-          git config user.email "groombook-engineer[bot]@git.farh.net"
+          git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
           git checkout -b "release/promote-prod-${TAG}"
           git add apps/groombook/overlays/prod/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
           git commit -m "release: promote ${TAG} to production"
           git push -u origin "release/promote-prod-${TAG}"
-          curl -s -X POST \
-            -H "Authorization: token $GITEA_TOKEN" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
-            -d "{\"head\":\"release/promote-prod-${TAG}\",\"base\":\"main\",\"title\":\"release: promote ${TAG} to production\",\"body\":\"Promote image tag ${TAG} to production after UAT sign-off. cc @cpfarhood\"}"
+          gh pr create \
+            --repo groombook/infra \
+            --base main \
+            --head "release/promote-prod-${TAG}" \
+            --title "release: promote ${TAG} to production" \
+            --body "Promote image tag ${TAG} to production after UAT sign-off. cc @cpfarhood"
 
       - name: Notify on failure
         if: failure()
-        env:
-          GITEA_TOKEN: ${{ gitea.token }}
-          RUN_ID: ${{ github.run_id }}
-        run: |
-          curl -s -X POST \
-            -H "Authorization: token $GITEA_TOKEN" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/groombook/app/issues/$RUN_ID/comments" \
-            -d '{"body": "## Production Promotion Failed\n\nThe `promote-prod` workflow failed. Check the workflow run logs for details."}'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: '## Production Promotion Failed\n\nThe `promote-prod` workflow failed. Check the workflow run logs for details.'
+            });

.github/workflows/promote-to-uat.yml

@@ -12,12 +12,20 @@ jobs:
   promote-to-uat:
     name: Promote to groombook-uat
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
+      - name: Generate infra repo token
+        id: infra-token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ vars.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Clone groombook/infra
-        env:
-          GITEA_TOKEN: ${{ gitea.token }}
         run: |
-          git clone https://oauth2:$GITEA_TOKEN@git.farh.net/groombook/infra.git /tmp/infra
+          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
 
       - name: Install yq
         run: |
@@ -41,17 +49,21 @@ jobs:
           export SHORT_SHA
           export TAG
 
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$UAT_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$UAT_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$UAT_KUST"
-          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$UAT_KUST"
+          yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$UAT_KUST"
 
+          # Update migrate Job name to include short SHA (immutable template fix)
           MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
           fi
 
+          # Update seed Job name to include short SHA (immutable template fix)
+          # NOTE: Do NOT update the image tag here — let the Kustomize images transformer
+          # in the UAT overlay handle it via newTag. This avoids the immutable template issue.
           SEED_JOB="apps/groombook/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
@@ -63,36 +75,34 @@ jobs:
       - name: Create PR on groombook/infra
         env:
           TAG: ${{ inputs.image_tag }}
-          GITEA_TOKEN: ${{ gitea.token }}
+          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
         run: |
           cd /tmp/infra
           git config user.name "groombook-engineer[bot]"
-          git config user.email "groombook-engineer[bot]@git.farh.net"
+          git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
           git checkout -b "chore/update-uat-image-tags-${TAG}"
           git add apps/groombook/overlays/uat/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
           git commit -m "chore: promote ${TAG} to UAT"
+
           git push -u origin "chore/update-uat-image-tags-${TAG}"
 
-          PR_NUM=$(curl -s -X POST \
-            -H "Authorization: token $GITEA_TOKEN" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
-            -d "{\"head\":\"chore/update-uat-image-tags-${TAG}\",\"base\":\"main\",\"title\":\"chore: promote ${TAG} to UAT\",\"body\":\"[GRO-429](/GRO/issues/GRO-429) — UAT promotion triggered by CTO\"}" \
-            | jq '.number')
-          curl -s -X POST \
-            -H "Authorization: token $GITEA_TOKEN" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/groombook/infra/pulls/$PR_NUM/merge" \
-            -d '{"Do":"merge"}'
+          # Create PR and merge immediately (no required checks on groombook/infra)
+          PR_URL=$(gh pr create \
+            --repo groombook/infra \
+            --base main \
+            --head "chore/update-uat-image-tags-${TAG}" \
+            --title "chore: promote ${TAG} to UAT" \
+            --body "[GRO-429](/GRO/issues/GRO-429) — UAT promotion triggered by CTO")
+          gh pr merge "$PR_URL" --merge
 
       - name: Notify on failure
         if: failure()
-        env:
-          GITEA_TOKEN: ${{ gitea.token }}
-          RUN_ID: ${{ github.run_id }}
-        run: |
-          curl -s -X POST \
-            -H "Authorization: token $GITEA_TOKEN" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/groombook/app/issues/$RUN_ID/comments" \
-            -d '{"body": "## UAT Promotion Failed\n\nThe `promote-to-uat` workflow failed. Check the workflow run logs for details.\n\nCommon issues:\n- UAT overlay not found (ensure GRO-427 is complete)\n- GITEA_TOKEN permissions"}'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: '## UAT Promotion Failed\n\nThe `promote-to-uat` workflow failed. Check the workflow run logs for details.\n\nCommon issues:\n- UAT overlay not found (ensure GRO-427 is complete)\n- Infra repo access token expired'
+            });

.gitignore

@@ -8,16 +8,3 @@ dist/
 .turbo/
 coverage/
 minimax-output/
-
-# Agent runtime artifacts — never commit
-.gh-token
-*.gh-token
-.config/gh/
-**/.config/gh/
-infra-repo
-infra-repo/
-**/instructions/.gh-token
-**/AGENT_HOME/**
-$AGENT_HOME/**
-.claude/
-.codex/

.mcp.json

@@ -1,11 +0,0 @@
-{
-  "mcpServers": {
-    "gitea": {
-      "type": "http",
-      "url": "https://git-mcp.farh.net/mcp",
-      "headers": {
-        "Authorization": "Bearer ${GITEA_TOKEN}"
-      }
-    }
-  }
-}

README.md

@@ -1,43 +1,218 @@
-# GroomBook Monorepo — Archived
+# GroomBook
 
-> **This repository has been archived and replaced by standalone repositories.**
+> **The open-source scheduling and client management platform built specifically for independent pet groomers** — giving you the tools of enterprise software without the enterprise price tag or vendor lock-in.
 
-## Successor Repositories
-
-| Repository | Description |
-|---|---|
-| [groombook/api](https://github.com/groombook/api) | Hono REST API (TypeScript, Node.js) |
-| [groombook/web](https://github.com/groombook/web) | React PWA frontend |
-| [groombook/charts](https://github.com/groombook/charts) | Helm charts for Kubernetes deployment |
-
-## What Changed
-
-- **Monorepo split complete** — The former `apps/api`, `apps/web`, and `packages/*` are now standalone repos
-- **`@groombook/types`** — Inlined directly into `groombook/api` and `groombook/web`
-- **E2E testing** — Now via Playwright MCP, no standalone repo needed
-- **CI/CD** — Each repo has its own pipeline; see individual repos for status
-
-## Migration Notes
-
-If you were cloning `groombook/groombook` for local development:
-
-```bash
-# API
-git clone https://github.com/groombook/api.git
-cd api && pnpm install && pnpm dev
-
-# Web (in a new terminal)
-git clone https://github.com/groombook/web.git
-cd web && pnpm install && pnpm dev
-```
-
-For full Docker Compose setup, see each repo's README.
-
-## Archive Info
-
-This repository was archived on 2026-05-14 as part of the monorepo decommission ([GRO-1081]).
-The history is preserved but the repo is read-only.
+**Built for groomers, not corporations.**
 
 ---
 
-*For Kubernetes deployments, see [groombook/infra](https://github.com/groombook/infra) (private).*
+## Key Features
+
+**Stop chasing confirmations**
+- **Customer portal** — Clients confirm or cancel appointments on their own. Reduce no-shows with an automated waitlist.
+
+**Your calendar, your way**
+- **iCal calendar feed** — Push GroomBook appointments directly into Google Calendar or Apple Calendar. No app switching.
+
+**Know every pet at a glance**
+- **Client & pet records** — Detailed profiles with grooming history, preferences, and breed-specific notes. Full appointment notes for context on every regular.
+- **Quick-find search** — Find clients and pets instantly without digging through spreadsheets.
+
+**Staff access without stress**
+- **Role-based access control (RBAC)** — Front desk sees bookings; only you see financials. Right access for every role.
+
+**Everything else**
+- **Appointment scheduling** — Calendar management for single or multiple groomers
+- **Service management** — Pricing, duration, and service catalog
+- **POS & invoicing** — Payments, tips, and receipt generation
+- **Automated reminders** — SMS and email notifications
+- **Reporting dashboard** — Revenue, utilization, and trend analytics
+- **Staff impersonation** — Managers can view the customer portal as any client, with full audit logging and session controls
+- **PWA** — Installable on mobile devices, works offline
+
+---
+
+## 🚀 Try the Demo
+
+[**Live Demo**](https://demo.groombook.app) — explore GroomBook without installing anything.
+
+---
+
+## Quick Start
+
+### Docker Compose (recommended for indie groomers)
+
+Run GroomBook on your own hardware in minutes. Everything you need is in the box — no subscription, no vendor lock-in.
+
+```bash
+git clone https://github.com/groombook/groombook.git
+cd groombook
+
+# Start everything (Postgres + database migrations + API + web UI)
+docker compose up --build
+```
+
+- **Web UI**: http://localhost:8080
+- **API**: http://localhost:3000
+
+The default `docker-compose.yml` sets `AUTH_DISABLED=true` so you can explore the app without configuring an OIDC provider. **Important:** Disable this in any internet-facing deployment.
+
+---
+
+## Tech Stack
+
+| Layer | Technology |
+|---|---|
+| Backend | [Hono](https://hono.dev/) (TypeScript, Node.js) |
+| Frontend | React 19 + Vite + [vite-plugin-pwa](https://vite-pwa-org.netlify.app/) |
+| Database | PostgreSQL via [CNPG](https://cloudnative-pg.io/) + [Drizzle ORM](https://orm.drizzle.team/) |
+| Auth | OIDC via [Authentik](https://goauthentik.io/) |
+| Infra | Kubernetes (namespace: `groombook`), Flux GitOps |
+| CI | GitHub Actions (self-hosted `groombook-runners`) |
+
+## Repository Structure
+
+```
+groombook/
+├── apps/
+│   ├── api/          # Hono REST API
+│   └── web/          # React PWA
+├── packages/
+│   ├── db/           # Drizzle schema + migrations
+│   └── types/        # Shared TypeScript types
+├── .github/
+│   └── workflows/    # CI/CD pipelines
+└── docker-compose.yml
+```
+
+## Getting Started
+
+### Prerequisites
+
+- Node.js >= 20
+- pnpm >= 9 (`npm install -g pnpm`)
+- Docker & Docker Compose (for local Postgres)
+
+### Local Development
+
+```bash
+# Clone the repo
+git clone https://github.com/groombook/groombook.git
+cd groombook
+
+# Install dependencies
+pnpm install
+
+# Start local Postgres
+docker compose up postgres -d
+
+# Run database migrations
+DATABASE_URL=postgres://groombook:groombook@localhost:5432/groombook pnpm db:migrate
+
+# Start API and Web in parallel
+pnpm dev
+```
+
+API will be available at http://localhost:3000
+Web will be available at http://localhost:5173
+
+### Environment Variables
+
+#### API (`apps/api/.env`)
+
+```env
+DATABASE_URL=postgres://groombook:groombook@localhost:5432/groombook
+OIDC_ISSUER=https://authentik.example.com
+OIDC_AUDIENCE=groombook
+CORS_ORIGIN=http://localhost:5173
+PORT=3000
+```
+
+### Running Tests
+
+```bash
+# Unit tests (vitest)
+pnpm test
+
+# E2E tests (Playwright) — requires the full Docker Compose stack to be running
+docker compose up -d --wait
+pnpm --filter @groombook/e2e test
+
+# Open the Playwright UI (interactive test runner)
+pnpm --filter @groombook/e2e test:ui
+
+# View the last E2E test report
+pnpm --filter @groombook/e2e test:report
+```
+
+E2E tests target the Docker Compose stack (`http://localhost:8080`). They use API route mocking where needed so happy-path tests are deterministic without requiring seed data.
+
+### Building
+
+```bash
+pnpm build
+```
+
+## Self-Hosting
+
+### Production Configuration
+
+Copy `.env.example` to `.env` and configure:
+
+```bash
+cp .env.example .env
+```
+
+Key variables to update for production:
+
+| Variable | Description |
+|---|---|
+| `DATABASE_URL` | PostgreSQL connection string |
+| `AUTH_DISABLED` | Set to `false` in production |
+| `OIDC_ISSUER` | Authentik issuer URL |
+| `OIDC_AUDIENCE` | OAuth2 audience (default: `groombook`) |
+| `CORS_ORIGIN` | Public URL of the web frontend |
+
+To use your `.env` file with Docker Compose:
+
+```bash
+docker compose --env-file .env up --build
+```
+
+### Kubernetes (production-grade deployments)
+
+See the [groombook/infra](https://github.com/groombook/infra) repository for Kubernetes manifests and Flux configuration.
+
+Groom Book is deployed in the `groombook` Kubernetes namespace using:
+- **CNPG** for PostgreSQL
+- **Authentik** for OIDC authentication
+- **Flux** for GitOps-managed deployments
+
+---
+
+## Contributing
+
+GroomBook thrives on contributions from the grooming community. Whether you're a groomer with a feature request, a developer fixing a bug, or someone improving docs — we'd love your help.
+
+1. Fork the repository
+2. Create a feature branch (`git checkout -b feature/my-feature`)
+3. Commit your changes
+4. Open a pull request
+
+All PRs require CI to pass before merge. See [CONTRIBUTING.md](./CONTRIBUTING.md) for details.
+
+---
+
+## Why GroomBook?
+
+- **Open source** — You own your data. No vendor lock-in.
+- **Purpose-built** — Features designed for grooming workflows, not generic scheduling.
+- **Self-hosted or managed** — Run it yourself for free, or pay for hosted support (coming soon).
+- **Community-driven** — Used and built by actual groomers.
+
+---
+
+## License
+
+AGPL-3.0
+

apps/api/src/index.ts

@@ -19,7 +19,7 @@ import { impersonationRouter } from "./routes/impersonation.js";
 import { settingsRouter } from "./routes/settings.js";
 import { authProviderRouter } from "./routes/authProvider.js";
 import { searchRouter } from "./routes/search.js";
-import { getObject } from "./lib/s3.js";
+import { getPresignedGetUrl } from "./lib/s3.js";
 import { calendarRouter } from "./routes/calendar.js";
 import { setupRouter } from "./routes/setup.js";
 import { getDb, businessSettings, eq, staff } from "@groombook/db";
@@ -126,31 +126,20 @@ function validateLogoMagicBytes(
   }
 }
 
-// Public logo proxy — no auth required, streams logo from S3 so browser never sees raw S3 URL
-app.get("/api/branding/logo", async (c) => {
-  const db = getDb();
-  const [row] = await db.select().from(businessSettings).limit(1);
-  if (!row) return c.json({ error: "Settings not found" }, 404);
-  if (!row.logoKey) return c.json({ error: "No logo on file" }, 404);
-
-  const { body, contentType } = await getObject(row.logoKey);
-  return new Response(Buffer.from(body), {
-    status: 200,
-    headers: {
-      "Content-Type": contentType,
-      "Cache-Control": "public, max-age=86400",
-    },
-  });
-});
-
 // Public branding endpoint — no auth required, returns business name/colors/logo
 app.get("/api/branding", async (c) => {
   const db = getDb();
   const [row] = await db.select().from(businessSettings).limit(1);
   const settings = row ?? { businessName: "GroomBook", primaryColor: "#4f8a6f", accentColor: "#8b7355", logoBase64: null, logoMimeType: null, logoKey: null };
 
-  // Return the public proxy path so browser never sees a raw S3 URL
-  const logoUrl = settings.logoKey ? "/api/branding/logo" : null;
+  let logoUrl: string | null = null;
+  if (settings.logoKey) {
+    try {
+      logoUrl = await getPresignedGetUrl(settings.logoKey);
+    } catch {
+      // If S3 URL generation fails, fall back to legacy base64
+    }
+  }
 
   // Defensive: validate magic bytes to prevent MIME type confusion attacks
   // via the legacy base64 logo fields
@@ -213,7 +202,7 @@ api.on(["POST", "PATCH", "DELETE"], "/staff/*", requireRoleOrSuperUser("manager"
 api.use("/admin/*", requireRoleOrSuperUser("manager"));
 api.use("/admin/settings/*", requireSuperUser());
 api.use("/reports/*", requireRole("manager"));
-api.use("/invoices/*", requireRole("manager", "groomer"));
+api.use("/invoices/*", requireRole("manager"));
 api.use("/impersonation/*", requireRole("manager"));
 
 // Manager + Receptionist only (groomers have no access): appointment-groups, grooming-logs, waitlist

apps/api/src/lib/s3.ts

@@ -68,25 +68,6 @@ export async function deleteObject(key: string): Promise<void> {
   );
 }
 
-/** Read an object from S3 and return its body buffer and content type. */
-export async function getObject(key: string): Promise<{ body: Buffer; contentType: string }> {
-  const client = getS3Client();
-  const response = await client.send(
-    new GetObjectCommand({
-      Bucket: getBucket(),
-      Key: key,
-    })
-  );
-  const chunks: Uint8Array[] = [];
-  // response.Body is a Readable stream; collect chunks into a buffer
-  for await (const chunk of response.Body as AsyncIterable<Uint8Array>) {
-    chunks.push(chunk);
-  }
-  const body = Buffer.concat(chunks);
-  const contentType = response.ContentType ?? "application/octet-stream";
-  return { body, contentType };
-}
-
 /** Upload an object directly to S3 (server-side only, not a pre-signed URL). */
 export async function putObject(
   key: string,

apps/api/src/routes/invoices.ts

@@ -18,14 +18,6 @@ import type { AppEnv } from "../middleware/rbac.js";
 
 export const invoicesRouter = new Hono<AppEnv>();
 
-// Convert Zod validation errors from 422 to 400
-invoicesRouter.onError((err, c) => {
-  if (err instanceof z.ZodError) {
-    return c.json({ error: "Validation failed", issues: err.issues }, 400);
-  }
-  throw err;
-});
-
 const createInvoiceSchema = z.object({
   appointmentId: z.string().uuid().optional(),
   clientId: z.string().uuid(),
@@ -101,8 +93,6 @@ invoicesRouter.get(
         paymentMethod: invoices.paymentMethod,
         paidAt: invoices.paidAt,
         notes: invoices.notes,
-        stripePaymentIntentId: invoices.stripePaymentIntentId,
-        stripeRefundId: invoices.stripeRefundId,
         createdAt: invoices.createdAt,
         updatedAt: invoices.updatedAt,
       })
@@ -130,17 +120,7 @@ invoicesRouter.get("/:id", async (c) => {
     db.select().from(invoiceTipSplits).where(eq(invoiceTipSplits.invoiceId, id)),
   ]);
 
-  let cardLast4: string | null = null;
-  let paymentStatus: string | null = null;
-  if (invoice.stripePaymentIntentId) {
-    const details = await getPaymentIntentDetails(invoice.stripePaymentIntentId);
-    if (details) {
-      cardLast4 = details.cardLast4;
-      paymentStatus = details.paymentStatus;
-    }
-  }
-
-  return c.json({ ...invoice, lineItems, tipSplits, cardLast4, paymentStatus });
+  return c.json({ ...invoice, lineItems, tipSplits });
 });
 
 // Save tip splits for an invoice (replaces existing splits)
@@ -361,23 +341,30 @@ invoicesRouter.patch(
       }
     }
 
-    const tipCents = body.tipCents ?? current.tipCents;
-
-    // Validate tip splits when marking invoice as paid
-    if (body.status === "paid" && tipCents > 0 && body.tipSplits !== undefined) {
-      if (body.tipSplits.length === 0) {
-        return c.json({ error: "Tip splits are required when tip amount is greater than zero" }, 400);
-      }
-      const totalPct = body.tipSplits.reduce((sum, s) => sum + s.sharePct, 0);
-      if (Math.abs(totalPct - 100) > 0.01) {
-        return c.json({ error: "Tip split percentages must sum to 100%" }, 400);
+    // Tip split validation when marking as paid with a tip
+    const effectiveTipCents = body.tipCents ?? current.tipCents;
+    if (body.status === "paid" && effectiveTipCents > 0) {
+      if (body.tipSplits !== undefined) {
+        if (body.tipSplits.length === 0) {
+          return c.json({ error: "Tip splits required when tip amount is greater than zero" }, 422);
+        }
+        const totalBps = body.tipSplits.reduce((sum, s) => sum + Math.round(s.sharePct * 100), 0);
+        if (totalBps !== 10000) {
+          return c.json({ error: "Split percentages must sum to 100" }, 422);
+        }
+      } else {
+        const existingSplits = await db
+          .select({ id: invoiceTipSplits.id })
+          .from(invoiceTipSplits)
+          .where(eq(invoiceTipSplits.invoiceId, id));
+        if (existingSplits.length === 0) {
+          return c.json({ error: "Tip splits required when tip amount is greater than zero" }, 422);
+        }
       }
     }
 
-    // Destructure tipSplits out — it belongs to a separate table, not the invoices column
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const { tipSplits: _tipSplits, ...updateBody } = body as Record<string, unknown>;
-    const update: Record<string, unknown> = { ...updateBody, updatedAt: new Date() };
+    const { tipSplits: incomingTipSplits, ...bodyWithoutSplits } = body;
+    const update: Record<string, unknown> = { ...bodyWithoutSplits, updatedAt: new Date() };
 
     // Auto-set paidAt when marking as paid
     if (body.status === "paid" && !body.paidAt && !current.paidAt) {
@@ -391,50 +378,54 @@ invoicesRouter.patch(
       update.totalCents = current.subtotalCents + newTaxCents + newTipCents;
     }
 
-    // Wrap tip split persistence and invoice update in a single atomic transaction
-    const [updated, lineItems] = await db.transaction(async (tx) => {
-      if (body.status === "paid" && tipCents > 0 && body.tipSplits !== undefined) {
-        await tx.delete(invoiceTipSplits).where(eq(invoiceTipSplits.invoiceId, id));
-        const splits = body.tipSplits;
-        if (splits.length > 0) {
-          let remaining = tipCents;
-          const rows = splits.map((s, i) => {
-            const isLast = i === splits.length - 1;
-            const shareCents = isLast ? remaining : Math.round((s.sharePct / 100) * tipCents);
-            if (!isLast) remaining -= shareCents;
-            return {
-              invoiceId: id,
-              staffId: s.staffId,
-              staffName: s.staffName,
-              sharePct: s.sharePct.toFixed(2),
-              shareCents,
-            };
-          });
-          await tx.insert(invoiceTipSplits).values(rows);
-        }
-      }
-
-      const [updatedInvoice] = await tx
+    const [updated] = await db.transaction(async (tx) => {
+      const [upd] = await tx
         .update(invoices)
         .set(update)
         .where(eq(invoices.id, id))
         .returning();
 
-      const lineItems = await tx
-        .select()
-        .from(invoiceLineItems)
-        .where(eq(invoiceLineItems.invoiceId, id));
+      // Atomically save tip splits when marking paid with provided splits
+      if (
+        body.status === "paid" &&
+        effectiveTipCents > 0 &&
+        incomingTipSplits !== undefined &&
+        incomingTipSplits.length > 0
+      ) {
+        await tx.delete(invoiceTipSplits).where(eq(invoiceTipSplits.invoiceId, id));
 
-      return [updatedInvoice, lineItems];
+        let remaining = effectiveTipCents;
+        const rows = incomingTipSplits.map((s, i) => {
+          const isLast = i === incomingTipSplits.length - 1;
+          const shareCents = isLast ? remaining : Math.round((s.sharePct / 100) * effectiveTipCents);
+          if (!isLast) remaining -= shareCents;
+          return {
+            invoiceId: id,
+            staffId: s.staffId,
+            staffName: s.staffName,
+            sharePct: s.sharePct.toFixed(2),
+            shareCents,
+          };
+        });
+
+        await tx.insert(invoiceTipSplits).values(rows);
+      }
+
+      return [upd];
     });
 
+    const lineItems = await db
+      .select()
+      .from(invoiceLineItems)
+      .where(eq(invoiceLineItems.invoiceId, id));
+
     return c.json({ ...updated, lineItems });
   }
 );
 
 // ─── Refund ───────────────────────────────────────────────────────────────────
 
-import { processRefund, getPaymentIntentDetails } from "../services/payment.js";
+import { processRefund } from "../services/payment.js";
 
 const refundSchema = z.object({
   amountCents: z.number().int().nonnegative().optional(),
@@ -460,6 +451,9 @@ invoicesRouter.post(
     if (invoice.status !== "paid") {
       return c.json({ error: "Refund only allowed on paid invoices" }, 422);
     }
+    if (!invoice.stripePaymentIntentId) {
+      return c.json({ error: "No Stripe payment intent found for this invoice" }, 422);
+    }
 
     return await db.transaction(async (tx) => {
       if (body.idempotencyKey) {
@@ -472,100 +466,17 @@ invoicesRouter.post(
         }
       }
 
-      let refundId: string;
-
-      if (invoice.stripePaymentIntentId) {
-        const result = await processRefund(id, body.amountCents);
-        if (!result) return c.json({ error: "Refund failed" }, 500);
-        refundId = result.refundId;
-      } else {
-        // Manual refund — no Stripe call needed
-        refundId = `manual_${id}_${Date.now()}`;
-      }
+      const result = await processRefund(id, body.amountCents);
+      if (!result) return c.json({ error: "Refund failed" }, 500);
 
       await tx.insert(refunds).values({
         invoiceId: id,
-        stripeRefundId: refundId,
+        stripeRefundId: result.refundId,
         idempotencyKey: body.idempotencyKey ?? null,
         amountCents: body.amountCents ?? null,
       });
 
-      return c.json({ refundId });
+      return c.json({ refundId: result.refundId });
     });
   }
 );
-
-// Payment stats for admin dashboard
-invoicesRouter.get("/stats/summary", async (c) => {
-  try {
-    const db = getDb();
-    const now = new Date();
-    const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
-
-    const [revenueResult] = await db
-      .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
-      .from(invoices)
-      .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`));
-
-    const [outstandingResult] = await db
-      .select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
-      .from(invoices)
-      .where(eq(invoices.status, "pending"));
-
-    const [refundsResult] = await db
-      .select({ total: sql<number>`coalesce(sum(amount_cents), 0)` })
-      .from(refunds)
-      .where(sql`${refunds.createdAt} >= ${startOfMonth}`);
-
-    const methodBreakdown = await db
-      .select({
-        method: invoices.paymentMethod,
-        total: sql<number>`count(*)`,
-      })
-      .from(invoices)
-      .where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`))
-      .groupBy(invoices.paymentMethod);
-
-    return c.json({
-      revenueThisMonth: revenueResult?.total ?? 0,
-      outstanding: outstandingResult?.total ?? 0,
-      refundsThisMonth: refundsResult?.total ?? 0,
-      methodBreakdown,
-    });
-  } catch (err) {
-    console.error("stats/summary error:", err);
-    return c.json({
-      revenueThisMonth: 0,
-      outstanding: 0,
-      refundsThisMonth: 0,
-      methodBreakdown: [],
-    });
-  }
-});
-
-// Get Stripe payment details for an invoice (card last4, payment status, refund status)
-invoicesRouter.get("/:id/stripe-details", async (c) => {
-  const db = getDb();
-  const id = c.req.param("id");
-
-  const [invoice] = await db.select().from(invoices).where(eq(invoices.id, id));
-  if (!invoice) return c.json({ error: "Not found" }, 404);
-
-  let cardLast4: string | null = null;
-  let paymentStatus: string | null = null;
-
-  if (invoice.stripePaymentIntentId) {
-    const details = await getPaymentIntentDetails(invoice.stripePaymentIntentId);
-    if (details) {
-      cardLast4 = details.cardLast4;
-      paymentStatus = details.paymentStatus;
-    }
-  }
-
-  return c.json({
-    stripePaymentIntentId: invoice.stripePaymentIntentId,
-    stripeRefundId: invoice.stripeRefundId,
-    cardLast4,
-    paymentStatus,
-  });
-});

apps/api/src/routes/portal.ts

@@ -102,6 +102,7 @@ portalRouter.get("/appointments", async (c) => {
   const db = getDb();
   const clientId = c.get("portalClientId");
 
+  const now = new Date();
   const allAppts = await db
     .select({
       id: appointments.id,
@@ -141,7 +142,10 @@ portalRouter.get("/appointments", async (c) => {
     staff: a.staffId ? { id: staffMap[a.staffId]?.id, name: staffMap[a.staffId]?.name } : null,
   }));
 
-  return c.json({ appointments: appts });
+  const upcoming = appts.filter(a => a.startTime > now && a.status !== "cancelled");
+  const past = appts.filter(a => a.startTime <= now || a.status === "cancelled");
+
+  return c.json({ upcoming, past });
 });
 
 portalRouter.get("/pets", async (c) => {
@@ -149,7 +153,7 @@ portalRouter.get("/pets", async (c) => {
   const clientId = c.get("portalClientId");
 
   const clientPets = await db.select().from(pets).where(eq(pets.clientId, clientId));
-  return c.json(clientPets.map(p => ({ id: p.id, name: p.name, breed: p.breed, weight: p.weightKg, birthDate: p.dateOfBirth, photoUrl: p.photoKey, notes: p.groomingNotes })));
+  return c.json(clientPets.map(p => ({ id: p.id, name: p.name, breed: p.breed, weightKg: p.weightKg, dateOfBirth: p.dateOfBirth, photoKey: p.photoKey, groomingNotes: p.groomingNotes })));
 });
 
 portalRouter.get("/invoices", async (c) => {

apps/api/src/routes/settings.ts

@@ -2,7 +2,7 @@ import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import { eq, getDb, businessSettings } from "@groombook/db";
-import { getPresignedUploadUrl, deleteObject, putObject, getObject } from "../lib/s3.js";
+import { getPresignedUploadUrl, getPresignedGetUrl, deleteObject, putObject } from "../lib/s3.js";
 import { requireSuperUser } from "../middleware/rbac.js";
 
 export const settingsRouter = new Hono();
@@ -215,8 +215,7 @@ settingsRouter.post(
 
 /**
  * GET /api/admin/settings/logo
- * Proxies the logo from S3 so the browser never sees an S3 URL.
- * Returns the image bytes with proper Content-Type.
+ * Returns a presigned GET URL for the logo.
  */
 settingsRouter.get("/logo", async (c) => {
   const db = getDb();
@@ -225,14 +224,8 @@ settingsRouter.get("/logo", async (c) => {
   if (!row) return c.json({ error: "Settings not found" }, 404);
   if (!row.logoKey) return c.json({ error: "No logo on file" }, 404);
 
-  const { body, contentType } = await getObject(row.logoKey);
-  return new Response(Buffer.from(body), {
-    status: 200,
-    headers: {
-      "Content-Type": contentType,
-      "Cache-Control": "public, max-age=86400",
-    },
-  });
+  const url = await getPresignedGetUrl(row.logoKey);
+  return c.json({ url, logoKey: row.logoKey });
 });
 
 /**

apps/api/src/routes/setup.ts

@@ -9,8 +9,8 @@ const RATE_LIMIT_MAX = 10;
 const rateLimitMap = new Map<string, { count: number; resetAt: number }>();
 
 function rateLimitByIp(ip: string): { allowed: boolean; remaining: number } {
-  const entry = rateLimitMap.get(ip);
   const now = Date.now();
+  const entry = rateLimitMap.get(ip);
   if (!entry || now > entry.resetAt) {
     rateLimitMap.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
     return { allowed: true, remaining: RATE_LIMIT_MAX - 1 };

apps/api/src/services/payment.ts

@@ -162,19 +162,3 @@ export async function createSetupIntent(customerId: string): Promise<{ clientSec
 
   return { clientSecret: setupIntent.client_secret! };
 }
-
-export async function getPaymentIntentDetails(
-  paymentIntentId: string
-): Promise<{ cardLast4: string | null; paymentStatus: string | null } | null> {
-  const stripe = getStripeClient();
-  if (!stripe) return null;
-
-  const pi = await stripe.paymentIntents.retrieve(paymentIntentId, { expand: ["payment_method"] });
-  const cardLast4 = pi.payment_method
-    ? (pi.payment_method as Stripe.PaymentMethod).card?.last4 ?? null
-    : null;
-  return {
-    cardLast4,
-    paymentStatus: pi.status ?? null,
-  };
-}

apps/e2e/tests/navigation.spec.ts

@@ -44,6 +44,7 @@ test.beforeEach(async ({ page }) => {
         json: { newClients: [], activeInPeriodCount: 0, churnRisk: [], churnRiskTotal: 0 },
       });
     }
+    // Specific route must come before /api/invoices to avoid intercepting stats/summary
     if (url.includes("/api/invoices/stats/summary")) {
       return route.fulfill({
         json: {

apps/web/src/pages/Appointments.tsx

@@ -112,17 +112,9 @@ export function AppointmentsPage() {
   const [viewMode, setViewMode] = useState<"status" | "groomer">("status");
   // null key = unassigned; staffId string = that groomer; undefined set = all visible
   const [hiddenGroomers, setHiddenGroomers] = useState<Set<string | null>>(new Set());
-  const [paymentStats, setPaymentStats] = useState<{ revenueThisMonth: number; outstanding: number; refundsThisMonth: number; methodBreakdown: { method: string | null; total: number }[] } | null>(null);
 
   const weekEnd = addDays(weekStart, 6);
 
-  useEffect(() => {
-    fetch("/api/invoices/stats/summary")
-      .then((r) => r.ok ? r.json() : null)
-      .then((data) => { if (data) setPaymentStats(data); })
-      .catch(() => {});
-  }, []);
-
   const loadAppointments = useCallback(() => {
     const from = weekStart.toISOString();
     const to = addDays(weekStart, 7).toISOString();
@@ -322,24 +314,6 @@ export function AppointmentsPage() {
         </button>
       </div>
 
-      {/* Payment Stats Summary */}
-      {paymentStats && (
-        <div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit, minmax(160px, 1fr))", gap: "0.75rem", marginBottom: "1.25rem" }}>
-          <div style={{ background: "#f0fdf4", border: "1px solid #bbf7d0", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#166534", fontWeight: 600, marginBottom: "0.25rem" }}>Revenue (paid)</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#15803d" }}>${(paymentStats.revenueThisMonth / 100).toFixed(2)}</div>
-          </div>
-          <div style={{ background: "#fefce8", border: "1px solid #fde047", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#854d0e", fontWeight: 600, marginBottom: "0.25rem" }}>Outstanding</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#a16207" }}>${(paymentStats.outstanding / 100).toFixed(2)}</div>
-          </div>
-          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#991b1b", fontWeight: 600, marginBottom: "0.25rem" }}>Refunds (this mo.)</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#dc2626" }}>${(paymentStats.refundsThisMonth / 100).toFixed(2)}</div>
-          </div>
-        </div>
-      )}
-
       {/* ── View Mode + Groomer Filters ── */}
       <div style={{ display: "flex", alignItems: "center", gap: "0.5rem", marginBottom: "0.75rem", flexWrap: "wrap" }}>
         <span style={{ fontSize: 13, fontWeight: 600, color: "#374151" }}>Color by:</span>

apps/web/src/pages/Clients.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState, useCallback, useRef, useId } from "react";
+import { useEffect, useState, useCallback, useRef } from "react";
 import { useSearchParams } from "react-router-dom";
 import type { Client, GroomingVisitLog, Pet } from "@groombook/types";
 import { PetPhotoDisplay } from "../components/PetPhotoDisplay.js";
@@ -647,7 +647,8 @@ export function ClientsPage() {
 
       {/* ── Client modal ── */}
       {showClientForm && (
-        <Modal title={editingClient ? "Edit Client" : "New Client"} onClose={() => setShowClientForm(false)}>
+        <Modal onClose={() => setShowClientForm(false)}>
+          <h2 style={{ marginTop: 0 }}>{editingClient ? "Edit Client" : "New Client"}</h2>
           <form onSubmit={submitClient}>
             <Field label="Full name">
               <input value={clientForm.name} onChange={(e) => setClientForm((f) => ({ ...f, name: e.target.value }))} required style={inputStyle} />
@@ -677,7 +678,8 @@ export function ClientsPage() {
 
       {/* ── Pet modal ── */}
       {showPetForm && (
-        <Modal title={editingPet ? "Edit Pet" : "Add Pet"} onClose={() => setShowPetForm(false)}>
+        <Modal onClose={() => setShowPetForm(false)}>
+          <h2 style={{ marginTop: 0 }}>{editingPet ? "Edit Pet" : "Add Pet"}</h2>
           <form onSubmit={submitPet}>
             <Field label="Pet name">
               <input value={petForm.name} onChange={(e) => setPetForm((f) => ({ ...f, name: e.target.value }))} required style={inputStyle} />
@@ -751,7 +753,8 @@ export function ClientsPage() {
 
       {/* ── Visit log modal ── */}
       {showLogForm && logPetId && (
-        <Modal title="Log Grooming Visit" onClose={() => setShowLogForm(false)}>
+        <Modal onClose={() => setShowLogForm(false)}>
+          <h2 style={{ marginTop: 0 }}>Log Grooming Visit</h2>
           {logsLoading[logPetId] && <p style={{ fontSize: 13, color: "#6b7280" }}>Loading history…</p>}
           {visitLogs[logPetId] && visitLogs[logPetId].length > 0 && (
             <div style={{ marginBottom: "1rem" }}>
@@ -814,7 +817,8 @@ export function ClientsPage() {
 
       {/* ── Delete confirmation modal ── */}
       {showDeleteConfirm && selectedClient && (
-        <Modal title="Permanently Delete Client" titleStyle={{ color: "#dc2626" }} onClose={() => setShowDeleteConfirm(false)}>
+        <Modal onClose={() => setShowDeleteConfirm(false)}>
+          <h2 style={{ marginTop: 0, color: "#dc2626" }}>Permanently Delete Client</h2>
           <p style={{ fontSize: 14, color: "#374151" }}>
             This will permanently delete <strong>{selectedClient.name}</strong> and all their pets. This action cannot be undone.
           </p>
@@ -852,8 +856,7 @@ export function ClientsPage() {
 
 // ─── Shared UI ───────────────────────────────────────────────────────────────
 
-function Modal({ children, onClose, title, titleStyle }: { children: React.ReactNode; onClose: () => void; title: string; titleStyle?: React.CSSProperties }) {
-  const titleId = useId();
+function Modal({ children, onClose }: { children: React.ReactNode; onClose: () => void }) {
   const modalRef = useRef<HTMLDivElement>(null);
 
   useEffect(() => {
@@ -895,17 +898,15 @@ function Modal({ children, onClose, title, titleStyle }: { children: React.React
 
   return (
     <div
+      role="dialog"
+      aria-modal="true"
       style={{ position: "fixed", inset: 0, background: "rgba(0,0,0,0.45)", display: "flex", alignItems: "center", justifyContent: "center", zIndex: 100 }}
       onClick={(e) => { if (e.target === e.currentTarget) onClose(); }}
     >
       <div
         ref={modalRef}
-        role="dialog"
-        aria-modal="true"
-        aria-labelledby={titleId}
         style={{ background: "#fff", borderRadius: 8, padding: "1.5rem", maxWidth: 480, width: "calc(100% - 2rem)", maxHeight: "90vh", overflowY: "auto", boxShadow: "0 20px 60px rgba(0,0,0,0.3)" }}
       >
-        <h2 id={titleId} style={{ marginTop: 0, ...titleStyle }}>{title}</h2>
         {children}
       </div>
     </div>

apps/web/src/pages/Invoices.tsx

@@ -173,21 +173,6 @@ function InvoiceDetailModal({
   const [error, setError] = useState<string | null>(null);
   const [tipStr, setTipStr] = useState((invoice.tipCents / 100).toFixed(2));
   const [paymentMethod, setPaymentMethod] = useState<string>(invoice.paymentMethod ?? "cash");
-const [showRefundDialog, setShowRefundDialog] = useState(false);
-  const [refundType, setRefundType] = useState<"full" | "partial">("full");
-  const [refundAmount, setRefundAmount] = useState("");
-  const [refundError, setRefundError] = useState<string | null>(null);
-  const [refunding, setRefunding] = useState(false);
-
-  // Fetch current staff role to determine manager access
-  const [staffMe, setStaffMe] = useState<{ role: string; isSuperUser: boolean } | null>(null);
-  useEffect(() => {
-    fetch("/api/staff/me")
-      .then((r) => r.json())
-      .then((d) => setStaffMe(d))
-      .catch(() => setStaffMe(null));
-  }, []);
-  const isManager = staffMe && (staffMe.role === "manager" || staffMe.isSuperUser);
 
   // Tip split state: array of {staffId, staffName, pct}
   const linkedAppt = invoice.appointmentId
@@ -350,19 +335,6 @@ const [showRefundDialog, setShowRefundDialog] = useState(false);
         />
         {invoice.paidAt && <SummaryRow label="Paid on" value={fmtDate(invoice.paidAt)} />}
         {invoice.paymentMethod && <SummaryRow label="Payment" value={invoice.paymentMethod} />}
-        {invoice.stripePaymentIntentId && (
-          <>
-            {invoice.cardLast4 && (
-              <SummaryRow label="Card" value={`•••• ${invoice.cardLast4}`} />
-            )}
-            {invoice.paymentStatus && (
-              <SummaryRow label="Stripe status" value={invoice.paymentStatus} />
-            )}
-            {invoice.stripeRefundId && (
-              <SummaryRow label="Refund" value="Refunded" />
-            )}
-          </>
-        )}
       </div>
 
       {/* ── Tip Distribution ── */}
@@ -480,92 +452,11 @@ const [showRefundDialog, setShowRefundDialog] = useState(false);
         </div>
       )}
       {(invoice.status === "paid" || invoice.status === "void") && (
-        <div style={{ marginTop: "1rem", borderTop: "1px solid #e2e8f0", paddingTop: "1rem" }}>
-          {invoice.stripeRefundId && (
-            <div style={{ marginBottom: "0.75rem", display: "flex", alignItems: "center", gap: "0.5rem" }}>
-              <span style={{ background: "#fef3c7", color: "#92400e", padding: "0.2rem 0.6rem", borderRadius: 4, fontSize: 13, fontWeight: 600 }}>Refunded</span>
-            </div>
-          )}
-          <div style={{ display: "flex", gap: "0.5rem", justifyContent: "flex-end" }}>
-            {invoice.status === "paid" && !invoice.stripeRefundId && isManager && (
-              <button onClick={() => setShowRefundDialog(true)} style={{ ...btnStyle, color: "#fff", backgroundColor: "#7c3aed", borderColor: "#7c3aed" }}>
-                Refund
-              </button>
-            )}
-            <button onClick={onClose} style={btnStyle}>Close</button>
-          </div>
+        <div style={{ marginTop: "1rem", display: "flex", justifyContent: "flex-end" }}>
+          <button onClick={onClose} style={btnStyle}>Close</button>
         </div>
       )}
-
-      {showRefundDialog && (
-        <div style={{ marginTop: "1rem", border: "1px solid #e2e8f0", borderRadius: 8, padding: "1rem", background: "#f9fafb" }}>
-          <p style={{ fontWeight: 600, margin: "0 0 0.75rem" }}>Process Refund</p>
-          <div style={{ display: "flex", gap: "0.75rem", marginBottom: "0.75rem" }}>
-            <label style={{ display: "flex", alignItems: "center", gap: "0.25rem", cursor: "pointer" }}>
-              <input type="radio" checked={refundType === "full"} onChange={() => setRefundType("full")} />
-              Full refund
-            </label>
-            <label style={{ display: "flex", alignItems: "center", gap: "0.25rem", cursor: "pointer" }}>
-              <input type="radio" checked={refundType === "partial"} onChange={() => setRefundType("partial")} />
-              Partial refund
-            </label>
-          </div>
-          {refundType === "partial" && (
-            <div style={{ marginBottom: "0.75rem" }}>
-              <input
-                type="number"
-                min="0.01"
-                step="0.01"
-                placeholder="Amount ($)"
-                value={refundAmount}
-                onChange={(e) => setRefundAmount(e.target.value)}
-                style={{ ...inputStyle, width: 100 }}
-              />
-            </div>
-          )}
-          {refundError && <p style={{ color: "red", margin: "0 0 0.5rem", fontSize: 13 }}>{refundError}</p>}
-          <div style={{ display: "flex", gap: "0.5rem" }}>
-            <button
-              onClick={async () => {
-                setRefunding(true);
-                setRefundError(null);
-                try {
-                  if (refundType === "partial") {
-                    const parsed = parseFloat(refundAmount);
-                    if (isNaN(parsed) || parsed <= 0) {
-                      setRefundError("Please enter a valid amount greater than zero.");
-                      setRefunding(false);
-                      return;
-                    }
-                  }
-                  const body = refundType === "partial" ? { amountCents: Math.round(parseFloat(refundAmount) * 100) } : {};
-                  const res = await fetch(`/api/invoices/${invoice.id}/refund`, {
-                    method: "POST",
-                    headers: { "Content-Type": "application/json" },
-                    body: JSON.stringify(body),
-                  });
-                  if (!res.ok) {
-                    const err = (await res.json()) as { error?: string };
-                    throw new Error(err.error ?? `HTTP ${res.status}`);
-                  }
-                  setShowRefundDialog(false);
-                  onUpdated();
-                } catch (e: unknown) {
-                  setRefundError(e instanceof Error ? e.message : "Refund failed");
-                } finally {
-                  setRefunding(false);
-                }
-              }}
-              disabled={refunding}
-              style={{ ...btnStyle, color: "#fff", backgroundColor: "#7c3aed", borderColor: "#7c3aed" }}
-            >
-              {refunding ? "Processing…" : "Process Refund"}
-            </button>
-            <button onClick={() => { setShowRefundDialog(false); setRefundError(null); }} style={btnStyle}>Cancel</button>
-          </div>
-        </div>
-      )}
-      </Modal>
+    </Modal>
   );
 }
 
@@ -606,17 +497,9 @@ export function InvoicesPage() {
   const [createLoading, setCreateLoading] = useState(false);
   const [detailData, setDetailData] = useState<{ staff: Staff[]; appointments: Appointment[] } | null>(null);
   const [detailLoading, setDetailLoading] = useState(false);
-  const [paymentStats, setPaymentStats] = useState<{ revenueThisMonth: number; outstanding: number; refundsThisMonth: number; methodBreakdown: { method: string | null; total: number }[] } | null>(null);
 
   const LIMIT = 50;
 
-  useEffect(() => {
-    fetch("/api/invoices/stats/summary")
-      .then((r) => r.ok ? r.json() : null)
-      .then((data) => { if (data) setPaymentStats(data); })
-      .catch(() => {});
-  }, []);
-
   async function loadInvoices(newOffset: number) {
     const params = new URLSearchParams({ limit: String(LIMIT), offset: String(newOffset) });
     if (statusFilter) params.set("status", statusFilter);
@@ -695,34 +578,6 @@ export function InvoicesPage() {
         </button>
       </div>
 
-      {/* Payment Stats Summary */}
-      {paymentStats && (
-        <div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit, minmax(160px, 1fr))", gap: "0.75rem", marginBottom: "1.25rem" }}>
-          <div style={{ background: "#f0fdf4", border: "1px solid #bbf7d0", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#166534", fontWeight: 600, marginBottom: "0.25rem" }}>Revenue (paid)</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#15803d" }}>{fmtMoney(paymentStats.revenueThisMonth)}</div>
-          </div>
-          <div style={{ background: "#fefce8", border: "1px solid #fde047", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#854d0e", fontWeight: 600, marginBottom: "0.25rem" }}>Outstanding</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#a16207" }}>{fmtMoney(paymentStats.outstanding)}</div>
-          </div>
-          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 8, padding: "0.75rem 1rem" }}>
-            <div style={{ fontSize: 12, color: "#991b1b", fontWeight: 600, marginBottom: "0.25rem" }}>Refunds (this mo.)</div>
-            <div style={{ fontSize: 20, fontWeight: 700, color: "#dc2626" }}>{fmtMoney(paymentStats.refundsThisMonth)}</div>
-          </div>
-          {paymentStats.methodBreakdown.length > 0 && (
-            <div style={{ background: "#f8fafc", border: "1px solid #e2e8f0", borderRadius: 8, padding: "0.75rem 1rem" }}>
-              <div style={{ fontSize: 12, color: "#475569", fontWeight: 600, marginBottom: "0.25rem" }}>By method</div>
-              <div style={{ fontSize: 13, color: "#64748b" }}>
-                {paymentStats.methodBreakdown.map((b) => (
-                  <div key={b.method ?? "unknown"}>{b.method ?? "other"}: {b.total}</div>
-                ))}
-              </div>
-            </div>
-          )}
-        </div>
-      )}
-
       {invoiceList.length === 0 ? (
         <p style={{ color: "#6b7280" }}>
           No invoices yet. Create one from a completed appointment.

apps/web/src/pages/Settings.tsx

@@ -89,14 +89,24 @@ export function SettingsPage() {
     fetch("/api/admin/settings")
       .then((r) => r.json())
       .then(async (data) => {
-        // The logo is now proxied through the API server so the browser
-        // never receives an S3 URL — use the proxy path directly as the src.
+        let logoUrl: string | null = null;
+        if (data.logoKey) {
+          try {
+            const logoRes = await fetch("/api/admin/settings/logo");
+            if (logoRes.ok) {
+              const logoData = await logoRes.json();
+              logoUrl = logoData.url;
+            }
+          } catch {
+            // ignore
+          }
+        }
         setForm({
           businessName: data.businessName ?? "GroomBook",
           primaryColor: data.primaryColor ?? "#4f8a6f",
           accentColor: data.accentColor ?? "#8b7355",
           logoKey: data.logoKey ?? null,
-          logoUrl: data.logoKey ? "/api/admin/settings/logo" : null,
+          logoUrl,
           logoBase64: data.logoBase64 ?? null,
           logoMimeType: data.logoMimeType ?? null,
         });
@@ -162,7 +172,15 @@ export function SettingsPage() {
         throw new Error(err?.error ?? "Failed to upload logo");
       }
       const { logoKey } = await uploadRes.json();
-      setForm((f) => ({ ...f, logoKey, logoUrl: `/api/admin/settings/logo?t=${Date.now()}`, logoBase64: null, logoMimeType: null }));
+
+      // Fetch the presigned GET URL for display
+      const logoRes = await fetch("/api/admin/settings/logo");
+      if (logoRes.ok) {
+        const logoData = await logoRes.json();
+        setForm((f) => ({ ...f, logoKey, logoUrl: logoData.url, logoBase64: null, logoMimeType: null }));
+      } else {
+        setForm((f) => ({ ...f, logoKey, logoUrl: null, logoBase64: null, logoMimeType: null }));
+      }
       setMessage({ type: "success", text: "Logo uploaded." });
       refresh();
     } catch (err: unknown) {

apps/web/src/portal/CustomerPortal.tsx

@@ -326,7 +326,7 @@ export function CustomerPortal() {
         )}
 
         {/* Main Content */}
-        <main className="flex-1 min-h-screen overflow-hidden">
+        <main className="flex-1 min-h-screen overflow-x-hidden">
           <div className="hidden md:flex items-center justify-between px-8 py-4 border-b border-stone-200 bg-white">
             <div>
               <h1 className="text-lg font-semibold text-stone-800">

apps/web/src/portal/sections/BillingPayments.tsx

@@ -130,7 +130,7 @@ function BillingPaymentsInner({ sessionId, readOnly }: BillingPaymentsProps) {
         </div>
       )}
 
-      <div className="flex gap-2 flex-wrap overflow-x-auto">
+      <div className="flex gap-2 flex-wrap">
         {([
           { id: "invoices" as const, label: "Invoices", icon: DollarSign },
           { id: "payment" as const, label: "Payment Methods", icon: CreditCard },

apps/web/src/portal/sections/PetProfiles.tsx

@@ -27,7 +27,8 @@ interface Appointment {
 }
 
 interface AppointmentsResponse {
-  appointments: Appointment[];
+  upcoming: Appointment[];
+  past: Appointment[];
 }
 
 interface Props {
@@ -45,7 +46,7 @@ function buildHeaders(sessionId: string | null): Record<string, string> {
 
 export function PetProfiles({ sessionId, readOnly }: Props) {
   const [pets, setPets] = useState<Pet[]>([]);
-  const [appointments, setAppointments] = useState<AppointmentsResponse>({ appointments: [] });
+  const [appointments, setAppointments] = useState<AppointmentsResponse>({ upcoming: [], past: [] });
   const [selectedPetId, setSelectedPetId] = useState<string>("");
   const [activeTab, setActiveTab] = useState<"info" | "medical" | "grooming" | "history">("info");
   const [editingPetId, setEditingPetId] = useState<string | null>(null);
@@ -89,7 +90,7 @@ export function PetProfiles({ sessionId, readOnly }: Props) {
   }, [sessionId]);
 
   const selectedPet = pets.find(p => p.id === selectedPetId) ?? null;
-  const petHistory = appointments.appointments.filter(a => a.pet?.id === selectedPetId && new Date(a.startTime) <= new Date());
+  const petHistory = appointments.past.filter(a => a.pet?.id === selectedPetId);
   const editingPet = editingPetId ? pets.find(p => p.id === editingPetId) ?? null : null;
 
   function handlePetSave(updatedPet: Pet) {

charts/groombook/templates/_helpers.tpl

@@ -119,10 +119,3 @@ uri
 database-url
 {{- end -}}
 {{- end }}
-
-{{/*
-Auth secret name — always use groombook-auth (sealed secret name)
-*/}}
-{{- define "groombook.authSecretName" -}}
-{{- printf "%s" "groombook-auth" }}
-{{- end }}

charts/groombook/templates/api-deployment.yaml

@@ -50,27 +50,6 @@ spec:
             - name: OIDC_AUDIENCE
               value: {{ .Values.api.env.oidcAudience | quote }}
             {{- end }}
-            {{- if .Values.api.env.internalBaseUrl }}
-            - name: OIDC_INTERNAL_BASE
-              value: {{ .Values.api.env.internalBaseUrl | quote }}
-            {{- end }}
-            - name: BETTER_AUTH_URL
-              value: {{ .Values.api.env.betterAuthUrl | quote }}
-            - name: OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "groombook.authSecretName" . }}
-                  key: OIDC_CLIENT_ID
-            - name: OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "groombook.authSecretName" . }}
-                  key: OIDC_CLIENT_SECRET
-            - name: BETTER_AUTH_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "groombook.authSecretName" . }}
-                  key: BETTER_AUTH_SECRET
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:

charts/groombook/values.yaml

@@ -18,8 +18,6 @@ api:
     corsOrigin: ""
     oidcIssuer: ""
     oidcAudience: groombook
-    betterAuthUrl: ""
-    internalBaseUrl: ""
     port: "3000"
   service:
     type: ClusterIP

opencode.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "permission": "allow",
+  "experimental": {
+    "snapshots": false
+  }
+}

packages/db/src/seed.ts

@@ -883,7 +883,6 @@ async function seed() {
   let appointmentCount = 0;
   let invoiceCount = 0;
   let visitLogCount = 0;
-  let paidInvoiceCounter = 0;
 
   // Process in batches per client to keep memory manageable
   const apptBatchSize = 100;
@@ -978,10 +977,6 @@ async function seed() {
 
         const invoiceStatus = rand() < 0.95 ? "paid" as const : "pending" as const;
         const paidAt = invoiceStatus === "paid" ? new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000) : null;
-        paidInvoiceCounter++;
-        const stripePaymentIntentId = invoiceStatus === "paid"
-          ? `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`
-          : null;
 
         invoiceBatch.push({
           id: invoiceId,
@@ -994,7 +989,6 @@ async function seed() {
           status: invoiceStatus,
           paymentMethod: invoiceStatus === "paid" ? pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check" : null,
           paidAt,
-          stripePaymentIntentId,
           notes: rand() < 0.05 ? "Added extra service at checkout" : null,
         });
 
@@ -1098,16 +1092,13 @@ async function seed() {
       const taxCents = Math.round(effectivePrice * 0.08);
       const totalCents = effectivePrice + taxCents + tipCents;
       const paidAt = new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000);
-      paidInvoiceCounter++;
 
       invoiceBatch.push({
         id: invoiceId, appointmentId: apptId, clientId,
         subtotalCents: effectivePrice, taxCents, tipCents, totalCents,
         status: "paid" as const,
         paymentMethod: pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check",
-        paidAt,
-        stripePaymentIntentId: `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`,
-        notes: null,
+        paidAt, notes: null,
       });
       lineItemBatch.push({
         id: uuid(), invoiceId, description: svc.name, quantity: 1,

packages/types/src/index.ts

@@ -152,16 +152,10 @@ export interface Invoice {
   status: InvoiceStatus;
   paymentMethod: PaymentMethod | null;
   paidAt: string | null;
-  stripePaymentIntentId: string | null;
-  stripeRefundId: string | null;
-  paymentFailureReason: string | null;
   notes: string | null;
   createdAt: string;
   updatedAt: string;
   lineItems?: InvoiceLineItem[];
-  // Transient fields populated from Stripe API (not stored in DB)
-  cardLast4?: string | null;
-  paymentStatus?: string | null;
   tipSplits?: InvoiceTipSplit[];
 }