From 1de57f0a40a9f5d1bdc1d2cf2d0c171180475c72 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Sun, 29 Mar 2026 22:42:59 +0000 Subject: [PATCH 1/5] fix(ci): include GitHub SHA in image tag to prevent stale cache reuse Each CI build now produces an immutable tag (pr-N-sha7 or YYYY.MM.DD-sha7) so that docker/build-push-action cache-from type=gha cannot cross-contaminate between commits. Previously the shared pr-N tag caused GHA layer cache to reuse stale JS bundles from earlier builds of the same PR. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee2f56c..b9557c1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -122,8 +122,11 @@ jobs: - name: Generate image tag id: version run: | + # Always include short SHA so each build is immutable and cache-from can never + # cross-contaminate between commits. For PRs the format is pr-N-sha7; for main + # it is YYYY.MM.DD-sha7. if [ "${{ github.event_name }}" = "pull_request" ]; then - TAG="pr-${{ github.event.pull_request.number }}" + TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}" else TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}" fi @@ -209,7 +212,7 @@ jobs: - name: Deploy to groombook-dev env: - TAG: pr-${{ github.event.pull_request.number }} + TAG: pr-${{ github.event.pull_request.number }}-${{ github.sha::7 }} PR_NUM: ${{ github.event.pull_request.number }} run: | echo "Deploying images tagged $TAG to groombook-dev..." -- 2.52.0 From f7dfe4a526e5c516dda6c06d6ce5405a4a89ec5a Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 10:27:27 +0000 Subject: [PATCH 2/5] feat(staff): super user grant/revoke UI + last-super-user guardrail (GRO-206) Backend: - PATCH /api/staff/:id now accepts optional isSuperUser field - Only super users can change isSuperUser (403 otherwise) - Revoke (isSuperUser=false) blocked if target is last super user (400) - Deactivate (active=false) blocked if target is last super user (400) - DELETE /:id blocked if target is last super user (400) - New GET /api/staff/me returns current authenticated staff record Frontend (Staff.tsx): - Super User column in staff table with badge indicator - Grant/Revoke SU button visible only to super users - Last-super-user guardrail disables revoke button with tooltip - API errors shown inline below table header Co-Authored-By: Paperclip --- apps/api/src/routes/staff.ts | 73 +++++++++++++++++++++++++++++++++++- apps/web/src/pages/Staff.tsx | 64 +++++++++++++++++++++++++++++-- 2 files changed, 132 insertions(+), 5 deletions(-) diff --git a/apps/api/src/routes/staff.ts b/apps/api/src/routes/staff.ts index 3316c45..7a4a8b5 100644 --- a/apps/api/src/routes/staff.ts +++ b/apps/api/src/routes/staff.ts @@ -13,10 +13,16 @@ const createStaffSchema = z.object({ role: z.enum(["groomer", "receptionist", "manager"]).default("groomer"), oidcSub: z.string().optional(), active: z.boolean().default(true), + isSuperUser: z.boolean().optional(), }); const updateStaffSchema = createStaffSchema.partial().omit({ email: true }); +staffRouter.get("/me", async (c) => { + const staffRow = c.get("staff"); + return c.json(staffRow); +}); + staffRouter.get("/", async (c) => { const db = getDb(); const includeInactive = c.req.query("includeInactive") === "true"; @@ -46,10 +52,55 @@ staffRouter.post("/", zValidator("json", createStaffSchema), async (c) => { staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => { const db = getDb(); const body = c.req.valid("json"); + const currentStaff = c.get("staff"); + const targetId = c.req.param("id"); + + // Super user check: only super users can change isSuperUser + if (body.isSuperUser !== undefined && !currentStaff.isSuperUser) { + return c.json({ error: "Forbidden: only super users can grant or revoke super user status" }, 403); + } + + // If revoking super user status, check last-super-user guardrail + if (body.isSuperUser === false) { + const superUserCount = await db + .select({ id: staff.id }) + .from(staff) + .where(eq(staff.isSuperUser, true)) + .limit(2); // just need count; fetch 2 to know if > 1 + if (superUserCount.length <= 1) { + return c.json( + { error: "Cannot revoke the last super user. Assign another super user first." }, + 400 + ); + } + } + + // If deactivating a super user, check last-super-user guardrail + if (body.active === false) { + const [target] = await db + .select({ isSuperUser: staff.isSuperUser }) + .from(staff) + .where(eq(staff.id, targetId)) + .limit(1); + if (target?.isSuperUser) { + const superUserCount = await db + .select({ id: staff.id }) + .from(staff) + .where(eq(staff.isSuperUser, true)) + .limit(2); + if (superUserCount.length <= 1) { + return c.json( + { error: "Cannot deactivate the last super user. Assign another super user first." }, + 400 + ); + } + } + } + const [row] = await db .update(staff) .set({ ...body, updatedAt: new Date() }) - .where(eq(staff.id, c.req.param("id"))) + .where(eq(staff.id, targetId)) .returning(); if (!row) return c.json({ error: "Not found" }, 404); return c.json(row); @@ -81,6 +132,26 @@ staffRouter.delete("/:id", async (c) => { ); } + // Prevent deleting the last super user + const [target] = await db + .select({ isSuperUser: staff.isSuperUser }) + .from(staff) + .where(eq(staff.id, id)) + .limit(1); + if (target?.isSuperUser) { + const superUserCount = await db + .select({ id: staff.id }) + .from(staff) + .where(eq(staff.isSuperUser, true)) + .limit(2); + if (superUserCount.length <= 1) { + return c.json( + { error: "Cannot delete the last super user. Assign another super user first." }, + 400 + ); + } + } + const [row] = await db .delete(staff) .where(eq(staff.id, id)) diff --git a/apps/web/src/pages/Staff.tsx b/apps/web/src/pages/Staff.tsx index aac23a7..a521e1c 100644 --- a/apps/web/src/pages/Staff.tsx +++ b/apps/web/src/pages/Staff.tsx @@ -11,6 +11,7 @@ const EMPTY_FORM: StaffForm = { name: "", email: "", role: "groomer" }; export function StaffPage() { const [staff, setStaff] = useState([]); + const [currentUser, setCurrentUser] = useState(null); const [loading, setLoading] = useState(true); const [error, setError] = useState(null); const [editing, setEditing] = useState(null); @@ -18,11 +19,18 @@ export function StaffPage() { const [form, setForm] = useState(EMPTY_FORM); const [formError, setFormError] = useState(null); const [saving, setSaving] = useState(false); + const [togglingId, setTogglingId] = useState(null); + const [toggleError, setToggleError] = useState(null); async function load() { - const r = await fetch("/api/staff?includeInactive=true"); - if (!r.ok) throw new Error(`HTTP ${r.status}`); - setStaff((await r.json()) as Staff[]); + const [staffRes, meRes] = await Promise.all([ + fetch("/api/staff?includeInactive=true"), + fetch("/api/staff/me"), + ]); + if (!staffRes.ok) throw new Error(`HTTP ${staffRes.status}`); + if (!meRes.ok) throw new Error(`HTTP ${meRes.status}`); + setStaff((await staffRes.json()) as Staff[]); + setCurrentUser((await meRes.json()) as Staff); } useEffect(() => { @@ -71,6 +79,29 @@ export function StaffPage() { await load(); } + async function toggleSuperUser(s: Staff) { + setTogglingId(s.id); + setToggleError(null); + try { + const res = await fetch(`/api/staff/${s.id}`, { + method: "PATCH", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify({ isSuperUser: !s.isSuperUser }), + }); + if (!res.ok) { + const err = (await res.json()) as { error?: string }; + setToggleError(err.error ?? `HTTP ${res.status}`); + return; + } + await load(); + } finally { + setTogglingId(null); + } + } + + const isLastSuperUser = (s: Staff) => + s.isSuperUser && staff.filter((st) => st.isSuperUser).length === 1; + if (loading) return

Loading…

; if (error) return

Error: {error}

; @@ -83,6 +114,10 @@ export function StaffPage() { + {toggleError && ( +

{toggleError}

+ )} + {staff.length === 0 ? (

No staff members yet.

) : ( @@ -90,7 +125,7 @@ export function StaffPage() { - {["Name", "Email", "Role", "Status", ""].map((h) => ( + {["Name", "Email", "Role", "Super User", "Status", ""].map((h) => ( ))} @@ -101,12 +136,33 @@ export function StaffPage() { + -- 2.52.0 From 1ba840d003a9a095cceb2651295798d95fca8ec6 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 10:56:01 +0000 Subject: [PATCH 3/5] ci: trigger build -- 2.52.0 From 1bdc6d50be54b182312d5e4fa75903e57fa3e5b5 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 10:59:00 +0000 Subject: [PATCH 4/5] ci: add workflow_dispatch trigger for manual runs --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b9557c1..e78449c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,6 +5,7 @@ on: branches: [main] pull_request: branches: [main] + workflow_dispatch: jobs: lint-typecheck: -- 2.52.0 From 4662b44ccce370e4e6a11c436a13732fab9cbc89 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 11:11:59 +0000 Subject: [PATCH 5/5] ci: remove workflow_dispatch (not needed) --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e78449c..b9557c1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,7 +5,6 @@ on: branches: [main] pull_request: branches: [main] - workflow_dispatch: jobs: lint-typecheck: -- 2.52.0
{h}
{s.name} {s.email} {s.role} + {s.isSuperUser ? ( + + Super User + + ) : ( + + )} + {s.active ? "Active" : "Inactive"} + {currentUser?.isSuperUser && ( + <> + + + )}