From db21947323b1759d497e2322523937475423e2c2 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Sun, 29 Mar 2026 22:42:59 +0000 Subject: [PATCH 1/9] fix(ci): include GitHub SHA in image tag to prevent stale cache reuse Each CI build now produces an immutable tag (pr-N-sha7 or YYYY.MM.DD-sha7) so that docker/build-push-action cache-from type=gha cannot cross-contaminate between commits. Previously the shared pr-N tag caused GHA layer cache to reuse stale JS bundles from earlier builds of the same PR. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11c4f6a..b58a66b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -128,8 +128,11 @@ jobs: - name: Generate image tag id: version run: | + # Always include short SHA so each build is immutable and cache-from can never + # cross-contaminate between commits. For PRs the format is pr-N-sha7; for main + # it is YYYY.MM.DD-sha7. if [ "${{ github.event_name }}" = "pull_request" ]; then - TAG="pr-${{ github.event.pull_request.number }}" + TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}" else TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}" fi @@ -215,7 +218,7 @@ jobs: - name: Deploy to groombook-dev env: - TAG: pr-${{ github.event.pull_request.number }} + TAG: pr-${{ github.event.pull_request.number }}-${{ github.sha::7 }} PR_NUM: ${{ github.event.pull_request.number }} run: | echo "Deploying images tagged $TAG to groombook-dev..." -- 2.52.0 From 0e1c36a4070cb0633427be277c690ece92e3a17c Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 10:27:27 +0000 Subject: [PATCH 2/9] feat(staff): super user grant/revoke UI + last-super-user guardrail (GRO-206) Backend: - PATCH /api/staff/:id now accepts optional isSuperUser field - Only super users can change isSuperUser (403 otherwise) - Revoke (isSuperUser=false) blocked if target is last super user (400) - Deactivate (active=false) blocked if target is last super user (400) - DELETE /:id blocked if target is last super user (400) - New GET /api/staff/me returns current authenticated staff record Frontend (Staff.tsx): - Super User column in staff table with badge indicator - Grant/Revoke SU button visible only to super users - Last-super-user guardrail disables revoke button with tooltip - API errors shown inline below table header Co-Authored-By: Paperclip --- apps/api/src/routes/staff.ts | 73 +++++++++++++++++++++++++++++++++++- apps/web/src/pages/Staff.tsx | 64 +++++++++++++++++++++++++++++-- 2 files changed, 132 insertions(+), 5 deletions(-) diff --git a/apps/api/src/routes/staff.ts b/apps/api/src/routes/staff.ts index 3316c45..7a4a8b5 100644 --- a/apps/api/src/routes/staff.ts +++ b/apps/api/src/routes/staff.ts @@ -13,10 +13,16 @@ const createStaffSchema = z.object({ role: z.enum(["groomer", "receptionist", "manager"]).default("groomer"), oidcSub: z.string().optional(), active: z.boolean().default(true), + isSuperUser: z.boolean().optional(), }); const updateStaffSchema = createStaffSchema.partial().omit({ email: true }); +staffRouter.get("/me", async (c) => { + const staffRow = c.get("staff"); + return c.json(staffRow); +}); + staffRouter.get("/", async (c) => { const db = getDb(); const includeInactive = c.req.query("includeInactive") === "true"; @@ -46,10 +52,55 @@ staffRouter.post("/", zValidator("json", createStaffSchema), async (c) => { staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => { const db = getDb(); const body = c.req.valid("json"); + const currentStaff = c.get("staff"); + const targetId = c.req.param("id"); + + // Super user check: only super users can change isSuperUser + if (body.isSuperUser !== undefined && !currentStaff.isSuperUser) { + return c.json({ error: "Forbidden: only super users can grant or revoke super user status" }, 403); + } + + // If revoking super user status, check last-super-user guardrail + if (body.isSuperUser === false) { + const superUserCount = await db + .select({ id: staff.id }) + .from(staff) + .where(eq(staff.isSuperUser, true)) + .limit(2); // just need count; fetch 2 to know if > 1 + if (superUserCount.length <= 1) { + return c.json( + { error: "Cannot revoke the last super user. Assign another super user first." }, + 400 + ); + } + } + + // If deactivating a super user, check last-super-user guardrail + if (body.active === false) { + const [target] = await db + .select({ isSuperUser: staff.isSuperUser }) + .from(staff) + .where(eq(staff.id, targetId)) + .limit(1); + if (target?.isSuperUser) { + const superUserCount = await db + .select({ id: staff.id }) + .from(staff) + .where(eq(staff.isSuperUser, true)) + .limit(2); + if (superUserCount.length <= 1) { + return c.json( + { error: "Cannot deactivate the last super user. Assign another super user first." }, + 400 + ); + } + } + } + const [row] = await db .update(staff) .set({ ...body, updatedAt: new Date() }) - .where(eq(staff.id, c.req.param("id"))) + .where(eq(staff.id, targetId)) .returning(); if (!row) return c.json({ error: "Not found" }, 404); return c.json(row); @@ -81,6 +132,26 @@ staffRouter.delete("/:id", async (c) => { ); } + // Prevent deleting the last super user + const [target] = await db + .select({ isSuperUser: staff.isSuperUser }) + .from(staff) + .where(eq(staff.id, id)) + .limit(1); + if (target?.isSuperUser) { + const superUserCount = await db + .select({ id: staff.id }) + .from(staff) + .where(eq(staff.isSuperUser, true)) + .limit(2); + if (superUserCount.length <= 1) { + return c.json( + { error: "Cannot delete the last super user. Assign another super user first." }, + 400 + ); + } + } + const [row] = await db .delete(staff) .where(eq(staff.id, id)) diff --git a/apps/web/src/pages/Staff.tsx b/apps/web/src/pages/Staff.tsx index aac23a7..a521e1c 100644 --- a/apps/web/src/pages/Staff.tsx +++ b/apps/web/src/pages/Staff.tsx @@ -11,6 +11,7 @@ const EMPTY_FORM: StaffForm = { name: "", email: "", role: "groomer" }; export function StaffPage() { const [staff, setStaff] = useState([]); + const [currentUser, setCurrentUser] = useState(null); const [loading, setLoading] = useState(true); const [error, setError] = useState(null); const [editing, setEditing] = useState(null); @@ -18,11 +19,18 @@ export function StaffPage() { const [form, setForm] = useState(EMPTY_FORM); const [formError, setFormError] = useState(null); const [saving, setSaving] = useState(false); + const [togglingId, setTogglingId] = useState(null); + const [toggleError, setToggleError] = useState(null); async function load() { - const r = await fetch("/api/staff?includeInactive=true"); - if (!r.ok) throw new Error(`HTTP ${r.status}`); - setStaff((await r.json()) as Staff[]); + const [staffRes, meRes] = await Promise.all([ + fetch("/api/staff?includeInactive=true"), + fetch("/api/staff/me"), + ]); + if (!staffRes.ok) throw new Error(`HTTP ${staffRes.status}`); + if (!meRes.ok) throw new Error(`HTTP ${meRes.status}`); + setStaff((await staffRes.json()) as Staff[]); + setCurrentUser((await meRes.json()) as Staff); } useEffect(() => { @@ -71,6 +79,29 @@ export function StaffPage() { await load(); } + async function toggleSuperUser(s: Staff) { + setTogglingId(s.id); + setToggleError(null); + try { + const res = await fetch(`/api/staff/${s.id}`, { + method: "PATCH", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify({ isSuperUser: !s.isSuperUser }), + }); + if (!res.ok) { + const err = (await res.json()) as { error?: string }; + setToggleError(err.error ?? `HTTP ${res.status}`); + return; + } + await load(); + } finally { + setTogglingId(null); + } + } + + const isLastSuperUser = (s: Staff) => + s.isSuperUser && staff.filter((st) => st.isSuperUser).length === 1; + if (loading) return

Loading…

; if (error) return

Error: {error}

; @@ -83,6 +114,10 @@ export function StaffPage() { + {toggleError && ( +

{toggleError}

+ )} + {staff.length === 0 ? (

No staff members yet.

) : ( @@ -90,7 +125,7 @@ export function StaffPage() { - {["Name", "Email", "Role", "Status", ""].map((h) => ( + {["Name", "Email", "Role", "Super User", "Status", ""].map((h) => ( ))} @@ -101,12 +136,33 @@ export function StaffPage() { + -- 2.52.0 From 72ecd83d9e686d496c97012c4b10b174ca7ebd5f Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 10:56:01 +0000 Subject: [PATCH 3/9] ci: trigger build -- 2.52.0 From b06314efe241f2a9cd9665661d7499e386b7b167 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 11:43:32 +0000 Subject: [PATCH 4/9] fix(db): guarantee 5 UAT test clients with pending invoices (GRO-290) Before: ~5% probabilistic pending invoices meant UAT couldn't reliably find billing test data. Shedward was blocked from testing Pay Now flows. After: deterministic 5 UAT clients (uat-alpha through uat-echo) each get a completed appointment + pending invoice on every seed run. Client names and emails documented in Shedward AGENTS.md for direct access. Co-Authored-By: Paperclip --- packages/db/src/seed.ts | 58 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/packages/db/src/seed.ts b/packages/db/src/seed.ts index dc6ddfa..645ff18 100644 --- a/packages/db/src/seed.ts +++ b/packages/db/src/seed.ts @@ -546,6 +546,64 @@ async function seed() { console.log(`✓ Created 500 clients with ${petRecords.length} pets`); + // ── UAT test clients (guaranteed pending invoices) ───────────────────────────── + // These 5 clients are deterministic and documented in Shedward AGENTS.md so + // UAT can reliably find billing test data without searching. + interface UatClient { + id: string; + name: string; + email: string; + phone: string; + address: string; + petId: string; + petName: string; + petBreed: string; + } + const uatClients: UatClient[] = [ + { id: uuid(), name: "UAT Test Alpha", email: "uat-alpha@groombook.dev", phone: "(555) 100-0001", address: "100 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestBuddy", petBreed: "Golden Retriever" }, + { id: uuid(), name: "UAT Test Bravo", email: "uat-bravo@groombook.dev", phone: "(555) 100-0002", address: "200 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestMax", petBreed: "Labrador Retriever" }, + { id: uuid(), name: "UAT Test Charlie", email: "uat-charlie@groombook.dev", phone: "(555) 100-0003", address: "300 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestCooper", petBreed: "Poodle" }, + { id: uuid(), name: "UAT Test Delta", email: "uat-delta@groombook.dev", phone: "(555) 100-0004", address: "400 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestRocky", petBreed: "French Bulldog" }, + { id: uuid(), name: "UAT Test Echo", email: "uat-echo@groombook.dev", phone: "(555) 100-0005", address: "500 Test Lane, Springfield, CA 90210", petId: uuid(), petName: "TestDuke", petBreed: "Beagle" }, + ]; + + for (const uc of uatClients) { + await db.insert(schema.clients) + .values({ id: uc.id, name: uc.name, email: uc.email, phone: uc.phone, address: uc.address }) + .onConflictDoUpdate({ target: schema.clients.email, set: { name: uc.name, phone: uc.phone, address: uc.address } }); + await db.insert(schema.pets) + .values({ id: uc.petId, clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed, weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z") }) + .onConflictDoUpdate({ target: schema.pets.id, set: { clientId: uc.id, name: uc.petName, species: "Dog", breed: uc.petBreed, weightKg: "25.00", dateOfBirth: new Date("2021-03-15T00:00:00Z") } }); + // Create one completed appointment for this client + const apptId = uuid(); + const svcIdx = 0; + const svc = servicesDef[svcIdx]!; + const completedTime = randDate(oneYearAgo, now); + completedTime.setHours(randInt(8, 16), pick([0, 15, 30, 45]), 0, 0); + const endTime = new Date(completedTime.getTime() + svc.dur * 60 * 1000); + await db.insert(schema.appointments).values({ + id: apptId, clientId: uc.id, petId: uc.petId, serviceId: serviceIds[svcIdx]!, staffId: groomers[0]!.id, + batherStaffId: bathers[0]!.id, status: "completed" as const, startTime: completedTime, endTime, notes: null, priceCents: svc.price, + }); + // Create a PENDING invoice for that appointment + const invoiceId = uuid(); + const taxCents = Math.round(svc.price * 0.08); + const totalCents = svc.price + taxCents; + await db.insert(schema.invoices).values({ + id: invoiceId, appointmentId: apptId, clientId: uc.id, subtotalCents: svc.price, + taxCents, tipCents: 0, totalCents, status: "pending" as const, + paymentMethod: null, paidAt: null, notes: null, + }); + await db.insert(schema.invoiceLineItems).values({ + id: uuid(), invoiceId, description: svc.name, quantity: 1, unitPriceCents: svc.price, totalCents: svc.price, + }); + await db.insert(schema.groomingVisitLogs).values({ + id: uuid(), petId: uc.petId, appointmentId: apptId, staffId: groomers[0]!.id, + cutStyle: null, productsUsed: null, notes: null, groomedAt: endTime, + }); + } + console.log(`✓ Created ${uatClients.length} UAT test clients with guaranteed pending invoices`); + // ── Appointments, Invoices, Visit Logs ── // Generate ~5 appointments per client on average = ~2500 total const statuses: (typeof schema.appointmentStatusEnum.enumValues)[number][] = [ -- 2.52.0 From f58f7fed5a458987d85c22feb65d313096009739 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 11:54:07 +0000 Subject: [PATCH 5/9] ci: trigger CI run for PR 176 -- 2.52.0 From d1e1206e4083940db640faa07dbf85da7bf7fa96 Mon Sep 17 00:00:00 2001 From: "groombook-ci[bot]" Date: Mon, 30 Mar 2026 12:07:35 +0000 Subject: [PATCH 6/9] chore: retrigger CI for PR review -- 2.52.0 From 77593282836e840bc37d1bcddc5ea0f30c27db0a Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Mon, 30 Mar 2026 12:27:50 +0000 Subject: [PATCH 7/9] chore: trigger CI pipeline Co-Authored-By: Paperclip -- 2.52.0 From 1e80fa64e5f7bcc263dfac58244f866d9502beca Mon Sep 17 00:00:00 2001 From: Paperclip Date: Mon, 30 Mar 2026 13:30:48 +0000 Subject: [PATCH 8/9] ci: trigger PR workflow via commit (GRO-290) Co-Authored-By: Paperclip --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 31b725d..3f56855 100644 --- a/README.md +++ b/README.md @@ -215,3 +215,4 @@ All PRs require CI to pass before merge. See [CONTRIBUTING.md](./CONTRIBUTING.md ## License AGPL-3.0 + -- 2.52.0 From f572e0a8f8d361c552817693a90b4cf41f056fd9 Mon Sep 17 00:00:00 2001 From: Paperclip Date: Mon, 30 Mar 2026 13:35:47 +0000 Subject: [PATCH 9/9] fix(ci): use valid GitHub Actions expression syntax for SHA - Replace invalid ${{ github.sha::7 }} with ${{ github.sha }} and shell ${SHA::7} for substring extraction - Add SHA env var to deploy-dev job Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b58a66b..dd48fc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -218,9 +218,10 @@ jobs: - name: Deploy to groombook-dev env: - TAG: pr-${{ github.event.pull_request.number }}-${{ github.sha::7 }} PR_NUM: ${{ github.event.pull_request.number }} + SHA: ${{ github.sha }} run: | + TAG="pr-$PR_NUM-${SHA::7}" echo "Deploying images tagged $TAG to groombook-dev..." # Run migration with PR image -- 2.52.0
{h}
{s.name} {s.email} {s.role} + {s.isSuperUser ? ( + + Super User + + ) : ( + + )} + {s.active ? "Active" : "Inactive"} + {currentUser?.isSuperUser && ( + <> + + + )}