feat(staff): super user grant/revoke UI + last-super-user guardrail (GRO-206) #175

Closed

the-dogfather-cto[bot] wants to merge 9 commits from fix/gro-206-superuser-revoke-bug into main

pull from: fix/gro-206-superuser-revoke-bug

merge into: groombook:main

groombook:main

groombook:dev

groombook:flea/gro-1636-better-auth-seed

groombook:pr-434

groombook:uat

groombook:docs/GRO-1502-uat-mcp-migration

groombook:flea/gro-1496-e2e-err-connection-refused

groombook:flea-flicker/gro-1489-lint-fixes

groombook:cpfarhood/gro-1162-pet-buffer

groombook:flea-flicker/gro-1162-pet-buffer

groombook:fix/gro-1368-consent-ts

groombook:fix/ci-e2e-dind-networking-registry-auth

groombook:fix/gro-1369-types-sync

groombook:fix/ci-registry-auth-main

groombook:gitea/migrate-workflows

groombook:flea-flicker/gro-1162-pet-buffer-time

groombook:feat/GRO-106-portal-communication-real

groombook:archived-readme

groombook:feat/GRO-106-stop-help

groombook:fix/gro-1248-path-prefixes

groombook:fix/GRO-1212-portal-test-mock-imports

groombook:fix/GRO-1108-test-mocks

groombook:feat/GRO-106-stop-help-v2

groombook:docs/GRO-1099-uat-playbook-app

groombook:fleaflicker/deploy-telnyx-webhook-secret

groombook:fix/gro-1024-clean

groombook:fix/gro-1021-auth-rate-limit

groombook:fix/gro-1021-auth-rate-limit-v2

groombook:feat/GRO-984-outbound-sms-persistence

groombook:fix/GRO-980-indentation

groombook:docs/GRO-106-10dlc-runbook

groombook:fix/gro-898-demo-sso-env-vars

groombook:fix/gro-609-cherry-pick

groombook:fix/gro-866-uat-seed-personas

groombook:fix/gro-867-logo-proxy

groombook:fix/gro-816-portal-pets-crash

groombook:fix/gro-844-network-policy

groombook:fix/gro-820-e2e-invoices-mock

groombook:feature/gro-609-refund-payment-stats

groombook:fix/gro-765-portal-appointments-service

groombook:fix/gro-805-allow-groomer-invoices

groombook:fix/gro-720-gitignore-hardening

groombook:fix/gro-721-harden-gitignore

groombook:feature/gro-633-db-indexes-constraints

groombook:fix/gro-639-n-plus-one-reminder-scheduler

groombook:ci-dev-trigger2

groombook:fix/gro-624-input-validation

groombook:feature/gro-653-portal-session-middleware

groombook:fix/gro-640-n-plus-one-email

groombook:clean-gro-639

groombook:fix/gro-637-invoice-refund-fixes

groombook:fix/gro-665-staff-auto-link

groombook:fix/gro-636-input-validation-v3

groombook:fix-gro-624-input-validation

groombook:fix/gro-655-corepack-only

groombook:feature/gro-597-payment-admin

groombook:feature/gro-631-graceful-shutdown

groombook:fix/gro-660-uat-seed-manager-superuser

groombook:fix/gro-655-corepack-enoent

groombook:feature/gro-623-groomer-isolation

groombook:feature/gro-632-impersonation-session-hardening

groombook:feature/gro-607-payment-ui

groombook:feature/gro-597-payment-backend

groombook:feature/gro-597-payment-ui

groombook:feature/gro-597-stripe-webhooks

groombook:feature/gro-597-payment-api

groombook:GRO-574-rate-limit-migration

groombook:chore/gro-575-promote-gro-574-to-uat

groombook:fix/gro-566-skip-oobe

groombook:fix/gro-557-e2e-stability

groombook:chore/gro-558-agents-instructions

groombook:fix/gro-531-social-login

groombook:fix/gro-545-social-providers-config

groombook:fix/gro-540-prod-oidc-env-vars

groombook:feat/gro-526-seed-profile-param

Conversation 11 Commits 9 Files Changed 3

+41 -158

9 Commits

Author	SHA1	Message	Date
Barkley Trimsworth	c0e9c37982	ci: restore workflow_dispatch for manual CI trigger ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 13:55:55 +00:00
Barkley Trimsworth	7fdb32f95b	fix(GRO-206): CTO review fixes — active filter on super user count + CI TAG fix ... - Add active=true filter to all 3 super user count queries in staff.ts (revoke, deactivate, delete) so inactive super users aren't counted - Fix ci.yml deploy step: use steps.version.outputs.tag instead of invalid github.sha::7 expression - Remove GRO-206 CI trigger junk line from README.md Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 13:55:00 +00:00
groombook-ci[bot]	c6a08be4c6	chore: trigger PR CI for GRO-206 ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 12:37:44 +00:00
groombook-ci[bot]	0098e36fa6	ci: trigger PR CI for GRO-206 ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 12:30:10 +00:00
groombook-ci[bot]	4662b44ccc	ci: remove workflow_dispatch (not needed)	2026-03-30 11:11:59 +00:00
groombook-ci[bot]	1bdc6d50be	ci: add workflow_dispatch trigger for manual runs	2026-03-30 11:05:30 +00:00
groombook-ci[bot]	1ba840d003	ci: trigger build	2026-03-30 11:05:30 +00:00
groombook-ci[bot]	f7dfe4a526	feat(staff): super user grant/revoke UI + last-super-user guardrail (GRO-206) ... Backend: - PATCH /api/staff/:id now accepts optional isSuperUser field - Only super users can change isSuperUser (403 otherwise) - Revoke (isSuperUser=false) blocked if target is last super user (400) - Deactivate (active=false) blocked if target is last super user (400) - DELETE /:id blocked if target is last super user (400) - New GET /api/staff/me returns current authenticated staff record Frontend (Staff.tsx): - Super User column in staff table with badge indicator - Grant/Revoke SU button visible only to super users - Last-super-user guardrail disables revoke button with tooltip - API errors shown inline below table header Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-30 11:05:30 +00:00
groombook-ci[bot]	1de57f0a40	fix(ci): include GitHub SHA in image tag to prevent stale cache reuse ... Each CI build now produces an immutable tag (pr-N-sha7 or YYYY.MM.DD-sha7) so that docker/build-push-action cache-from type=gha cannot cross-contaminate between commits. Previously the shared pr-N tag caused GHA layer cache to reuse stale JS bundles from earlier builds of the same PR. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-30 11:05:30 +00:00