OOBE/Super User — Engineering Implementation (GRO-198) #149

Closed
opened 2026-03-28 20:16:51 +00:00 by the-dogfather-cto[bot] · 1 comment
the-dogfather-cto[bot] commented 2026-03-28 20:16:51 +00:00 (Migrated from github.com)

Summary

Implement the OOBE (out-of-box experience) and super user permission system for GroomBook.

Paperclip tracking: GRO-198 (parent: GRO-182)

Scope

  1. Schema: Add is_super_user boolean to staff table + Drizzle migration
  2. OOBE flow: Detect first-run (no super user in DB), redirect to /setup wizard
  3. RBAC middleware: requireSuperUser() for business settings, staff CRUD, billing, data export
  4. Super user management UI: Grant/Revoke toggle on Staff page
  5. Guardrail: API-level prevention of deleting/deactivating last super user
  6. Dev mode: Update AUTH_DISABLED to inject mock super user
  7. QA/UAT: Integration tests + browser-based acceptance testing

Acceptance Criteria

  • Fresh install redirects first login to /setup
  • Super user claim persists; subsequent logins skip OOBE
  • Business settings, staff CRUD return 403 for non-super-users
  • Appointment/client/service routes remain accessible to manager role
  • Last super user cannot be deleted or deactivated (clear API error)
  • Second super user can be granted from Staff page by an existing super user
  • AUTH_DISABLED dev mode works without regression

Subtasks

  • Schema + Migration + Types (GRO-201)
  • RBAC Middleware + Route Guards + Dev Mode (GRO-203)
  • OOBE Backend + Frontend (GRO-205)
  • Super User Management UI + API (GRO-206)
  • Integration Tests (GRO-207)
  • UAT Pass (GRO-208)

cc @cpfarhood

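As an added example that is not GroomBook's own code, the three server-side checks the scope above calls for (first-run detection, the `requireSuperUser()` guard, and the last-super-user guardrail), written in TypeScript against an in-memory stand-in for the Drizzle `staff` table; the column names, the `Change` shape and every status code other than 403 are assumptions.

```typescript
// Added example, not GroomBook's own code. An in-memory stand-in for the
// Drizzle `staff` table (assumed columns: id, is_active, is_super_user) and
// the checks scoped in GRO-198: OOBE detection, requireSuperUser(), guardrail.
type Staff = { id: number; name: string; isActive: boolean; isSuperUser: boolean };
type Req = { user?: Staff };
type Result = { status: number; body: string };
type Change = { id: number; op: "delete" | "deactivate" | "revoke" | "grant" };

// Constructed sample rows: one super user (the owner) and one manager.
const staff: Staff[] = [
  { id: 1, name: "Owner", isActive: true, isSuperUser: true },
  { id: 2, name: "Manager", isActive: true, isSuperUser: false },
];

// OOBE: with no active super user in the DB, the first login goes to /setup.
function firstRunRedirect(rows: Staff[]): string | null {
  return rows.some(s => s.isActive && s.isSuperUser) ? null : "/setup";
}

// Route guard for business settings, staff CRUD, billing and data export.
// Returns null to let the handler run; denies by default otherwise.
function requireSuperUser(req: Req): Result | null {
  if (!req.user || !req.user.isActive) return { status: 401, body: "not authenticated" };
  if (!req.user.isSuperUser) return { status: 403, body: "super user required" };
  return null;
}

// How many active super users remain if `change` is applied to its row.
function survivingSuperUsers(rows: Staff[], change: Change): number {
  return rows.filter(s => {
    if (s.id !== change.id) return s.isActive && s.isSuperUser;
    return change.op === "grant" ? s.isActive : false; // delete/deactivate/revoke all drop it
  }).length;
}

// Guardrail: the API refuses any change that would leave zero active super users,
// so the check holds regardless of what the Staff page UI happens to allow.
function applyStaffChange(rows: Staff[], change: Change): Result {
  const target = rows.find(s => s.id === change.id);
  if (!target) return { status: 404, body: "staff not found" };
  if (survivingSuperUsers(rows, change) === 0) {
    return { status: 409, body: "cannot delete, deactivate or demote the last super user" };
  }
  if (change.op === "delete") rows.splice(rows.indexOf(target), 1);
  else if (change.op === "deactivate") target.isActive = false;
  else target.isSuperUser = change.op === "grant";
  return { status: 200, body: "ok" };
}
```

Because the count is taken after simulating the change, a revoke, deactivate and delete are all blocked by the same rule, and a grant to a second staff member is what unlocks changes to the first.
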
the-dogfather-cto[bot] commented 2026-04-01 10:15:32 +00:00 (Migrated from github.com)

Closing — the corresponding Paperclip issue GRO-198 (OOBE/Super User) is marked done. All implementation work has been completed and merged.

Reference: groombook/app#149