The /login route is now guarded by import.meta.env.DEV (fix from
GRO-56), so the DevLoginSelector never renders in production builds.
All 7 tests in login.spec.ts tested this dev-only page and were
correctly failing in the E2E suite. Remove them entirely.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Properly type the test app with AppEnv so c.set("staff", ...) satisfies
TypeScript's strict overload check. Fixes TS2769 typecheck failure on CI.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
RBAC Phase 2 added row-level scoping that reads c.get("staff") on every
clients route. The test app had no middleware setting this context, causing
a TypeError (undefined.role) and 500 responses on all GET tests.
Add a manager-role mock staff middleware to the test Hono app so the
existing tests continue to cover the non-groomer code path.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The DevLoginSelector page (including the "Continue as default dev user"
button) was rendering in production when AUTH_DISABLED=true. This guards
the /login route so the page only renders in Vite development mode
(import.meta.env.DEV). Also removes the skip-login button entirely since
it bypassed user selection without any identity assertion.
- Guard /login route with import.meta.env.DEV in App.tsx
- Remove skipLogin button from DevLoginSelector.tsx
- Add vite/client types to web tsconfig
- Remove corresponding e2e test
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Filter query results at the route handler level when the authenticated
staff role is 'groomer':
- GET /api/appointments: WHERE staffId = <groomer id>
- GET /api/appointments/:id: 403 if not assigned to groomer
- GET /api/clients: clients with ≥1 appointment for this groomer
- GET /api/clients/:id: 403 if no appointment linkage
- GET /api/pets: pets owned by groomer-linked clients
- GET /api/pets/:petId: 403 if no appointment linkage
Managers and receptionists: no change.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
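The groomer scoping rules in the commit above, worked through as an added in-memory example (not the project's own route code): the role, row and helper names are assumptions, and the sample rows are constructed so the rules can be checked without a database.

```typescript
// Added example, not project code: groomer row-level scoping as pure functions.
// Types, names and sample rows are constructed for illustration.
type Role = "manager" | "receptionist" | "groomer";
interface Staff { id: string; role: Role }
interface Appointment { id: string; staffId: string; clientId: string; petId: string }
interface Client { id: string; name: string }
interface Pet { id: string; ownerId: string }

// Constructed sample data standing in for the appointments/clients/pets tables.
const appointments: Appointment[] = [
  { id: "a1", staffId: "g1", clientId: "c1", petId: "p1" },
  { id: "a2", staffId: "g2", clientId: "c2", petId: "p2" },
  { id: "a3", staffId: "g1", clientId: "c3", petId: "p3" },
];
const clients: Client[] = [
  { id: "c1", name: "Ada" }, { id: "c2", name: "Bob" },
  { id: "c3", name: "Cy" },  { id: "c4", name: "Di" },
];
const pets: Pet[] = [
  { id: "p1", ownerId: "c1" }, { id: "p2", ownerId: "c2" },
  { id: "p3", ownerId: "c3" }, { id: "p4", ownerId: "c4" },
];

// A groomer is linked to a client only through an appointment assigned to them.
function linkedClientIds(staff: Staff): Set<string> {
  return new Set(appointments.filter(a => a.staffId === staff.id).map(a => a.clientId));
}

type Result<T> = { status: 200; data: T } | { status: 403 | 404 };

// GET /api/appointments: managers and receptionists see every row, groomers only theirs.
function listAppointments(staff: Staff): Appointment[] {
  return staff.role === "groomer" ? appointments.filter(a => a.staffId === staff.id) : appointments;
}

// GET /api/clients: groomers only see clients with at least one of their appointments.
function listClients(staff: Staff): Client[] {
  if (staff.role !== "groomer") return clients;
  const linked = linkedClientIds(staff);
  return clients.filter(c => linked.has(c.id));
}

// GET /api/pets: groomers only see pets owned by groomer-linked clients.
function listPets(staff: Staff): Pet[] {
  if (staff.role !== "groomer") return pets;
  const linked = linkedClientIds(staff);
  return pets.filter(p => linked.has(p.ownerId));
}

// GET /api/clients/:id: 404 for unknown ids, 403 for a groomer with no appointment linkage.
function getClient(staff: Staff, id: string): Result<Client> {
  const client = clients.find(c => c.id === id);
  if (!client) return { status: 404 };
  if (staff.role === "groomer" && !linkedClientIds(staff).has(id)) return { status: 403 };
  return { status: 200, data: client };
}
```

The filter is applied inside each handler rather than once in middleware, matching the commit's "route handler level" placement, so every list and detail route must call it explicitly.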
Add POST /api/admin/seed — a manager-only API endpoint that creates
minimal known users (Demo Manager staff + Demo Client + Demo Dog + basic
services) via the API instead of direct DB writes.
Add SEED_KNOWN_USERS_ONLY=true env var to seed.ts for lean prod/demo
seeding. Known users get deterministic UUIDs so seeding is idempotent.
Note: infra changes (disabling AUTH_DISABLED in prod/demo, fixing the
failing seed job) require updates to groombook/infra repo.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Now that portal clients are restricted to status:"cancelled" only,
update the PATCH /portal/waitlist/:id tests to send a valid value
so auth and ownership checks are exercised correctly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Restrict portal PATCH waitlist status to z.literal("cancelled") only
- Appointment notes: field projection + null check from PR #109
- Resolve index.ts conflict: keep both portal and calendar public routes
- Resolve portal.ts conflict: keep min(1) validation for customerNotes
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Move client-facing POST/PATCH/DELETE waitlist routes to portalRouter
so impersonation sessions can reach them (were blocked by requireRole guard)
- Fix portalRouter double-mount: remove from auth-protected api block,
register publicly at app.route("/api/portal", ...) instead
- Replace N+1 queries in GET /waitlist with a single JOIN across
clients, pets, and services tables
- Remove dead expiredIds variable in markExpiredEntries; use .some()
instead of computing an array only for its length
- Fix stray indentation in appointments.ts DELETE handler (line 487)
- Update waitlist tests to exercise routes at new /portal/waitlist paths;
add leftJoin and lt to chainable mock
Co-Authored-By: Paperclip <noreply@paperclip.ing>
TypeScript's split()[0] is typed as string | undefined in strict mode.
Using slice(0, 10) is cleaner and avoids the type issue.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
When reading waitlist entries, active entries with preferredDate < today
are marked as expired both in the database and in the response.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add 401 when DELETE /waitlist/:id has no session (auth bypass fix)
- Add auth to PATCH /waitlist/:id (was zero auth)
- Add RBAC guard for /waitlist/* routes
- Fix migration to use proper ENUM type instead of TEXT
- Add unit tests for auth scenarios
Co-Authored-By: Paperclip <noreply@paperclip.ing>