From 2577e33c50a1d9bc8e0968f6a15228d12103fd1e Mon Sep 17 00:00:00 2001
From: "groombook-engineer[bot]"
 <269742240+groombook-engineer[bot]@users.noreply.github.com>
Date: Thu, 16 Apr 2026 11:20:36 +0000
Subject: [PATCH 01/12] feat(GRO-653): add portal session middleware and
 server-side audit logging (#300)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(GRO-653): add portal session middleware and server-side audit logging

- Add validatePortalSession middleware that reads X-Impersonation-Session-Id header,
  queries impersonationSessions, and sets portalClientId + portalSessionId on the context
- Add portalAudit middleware that logs all portal requests to impersonationAuditLogs table
- Apply both middlewares to the portalRouter
- Replace all getClientIdFromSession() calls with c.get("portalClientId")
- Remove getClientIdFromSession() helper and inline session checks in waitlist routes
- Consistent session.expiry > new Date() check across all routes

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(GRO-653): remove unused sessionId variable and and import

Fix lint errors flagged by QA:
- Remove unused `sessionId` variable from PATCH waitlist handler
- Remove unused `and` import from portal.ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Flea Flicker <fleaflicker@groombook.farh.net>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Flea Flicker <flea-flicker@groombook.ai>
---
 apps/api/src/middleware/portalAudit.ts   |  45 +++++++
 apps/api/src/middleware/portalSession.ts |  40 +++++++
 apps/api/src/routes/portal.ts            | 145 ++++-------------------
 3 files changed, 108 insertions(+), 122 deletions(-)
 create mode 100644 apps/api/src/middleware/portalAudit.ts
 create mode 100644 apps/api/src/middleware/portalSession.ts

diff --git a/apps/api/src/middleware/portalAudit.ts b/apps/api/src/middleware/portalAudit.ts
new file mode 100644
index 0000000..a18129d
--- /dev/null
+++ b/apps/api/src/middleware/portalAudit.ts
@@ -0,0 +1,45 @@
+import type { MiddlewareHandler } from "hono";
+import { getDb, impersonationAuditLogs } from "@groombook/db";
+import type { PortalEnv } from "./portalSession.js";
+
+/**
+ * Server-side audit logging middleware for portal routes.
+ * Applied after validatePortalSession in the middleware chain.
+ *
+ * After the route handler completes (await next()), inserts an audit log entry
+ * into impersonationAuditLogs:
+ *   - sessionId: from c.get("portalSessionId")
+ *   - action: "{METHOD} {routePath}" (e.g., "GET /portal/appointments")
+ *   - pageVisited: c.req.path
+ *   - metadata: { method, statusCode: c.res.status }
+ *
+ * Log entries are written for both success and error responses.
+ * Does NOT throw if audit logging fails — errors are logged but the user's
+ * request is not affected.
+ */
+export const portalAudit: MiddlewareHandler<PortalEnv> = async (c, next) => {
+  await next();
+
+  const sessionId = c.get("portalSessionId");
+  if (!sessionId) return;
+
+  const method = c.req.method;
+  const routePath = c.req.path;
+  const pageVisited = c.req.path;
+  const statusCode = c.res.status;
+
+  try {
+    const db = getDb();
+    await db
+      .insert(impersonationAuditLogs)
+      .values({
+        sessionId,
+        action: `${method} ${routePath}`,
+        pageVisited,
+        metadata: { method, statusCode },
+      })
+      .returning();
+  } catch (err) {
+    console.error("[portalAudit] Failed to write audit log:", err);
+  }
+};
diff --git a/apps/api/src/middleware/portalSession.ts b/apps/api/src/middleware/portalSession.ts
new file mode 100644
index 0000000..6dfdb03
--- /dev/null
+++ b/apps/api/src/middleware/portalSession.ts
@@ -0,0 +1,40 @@
+import type { MiddlewareHandler } from "hono";
+import { and, eq, getDb, impersonationSessions } from "@groombook/db";
+
+export interface PortalEnv {
+  Variables: {
+    portalClientId: string;
+    portalSessionId: string;
+  };
+}
+
+/**
+ * Validates the X-Impersonation-Session-Id header against the impersonationSessions table.
+ * Must be applied to all portal routes.
+ *
+ * Reads x-session-id from request headers, queries impersonationSessions for a row where
+ * id = sessionId AND status = 'active', and checks session.expiresAt > new Date().
+ * Returns 401 if session is invalid/missing/expired.
+ * On success, sets c.set("portalClientId", session.clientId) and c.set("portalSessionId", session.id).
+ */
+export const validatePortalSession: MiddlewareHandler<PortalEnv> = async (c, next) => {
+  const sessionId = c.req.header("X-Impersonation-Session-Id");
+  if (!sessionId) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  const db = getDb();
+  const [session] = await db
+    .select()
+    .from(impersonationSessions)
+    .where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
+    .limit(1);
+
+  if (!session || session.expiresAt <= new Date()) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  c.set("portalClientId", session.clientId);
+  c.set("portalSessionId", session.id);
+  await next();
+};
diff --git a/apps/api/src/routes/portal.ts b/apps/api/src/routes/portal.ts
index 8b10b56..d768bc8 100644
--- a/apps/api/src/routes/portal.ts
+++ b/apps/api/src/routes/portal.ts
@@ -1,33 +1,22 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, inArray } from "@groombook/db";
+import { eq, inArray } from "@groombook/db";
 import { getDb, appointments, impersonationSessions, waitlistEntries, clients, pets, services, staff, invoices, invoiceLineItems } from "@groombook/db";
-import type { AppEnv } from "../middleware/rbac.js";
+import { validatePortalSession } from "../middleware/portalSession.js";
+import { portalAudit } from "../middleware/portalAudit.js";
+import type { PortalEnv } from "../middleware/portalSession.js";
 
-export const portalRouter = new Hono<AppEnv>();
+export const portalRouter = new Hono<PortalEnv>();
 
-// ─── Session helper ───────────────────────────────────────────────────────────
-
-async function getClientIdFromSession(sessionId: string | null | undefined): Promise<string | null> {
-  if (!sessionId) return null;
-  const db = getDb();
-  const [session] = await db
-    .select()
-    .from(impersonationSessions)
-    .where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
-    .limit(1);
-  if (!session || session.expiresAt <= new Date()) return null;
-  return session.clientId;
-}
+// Apply middleware to all portal routes
+portalRouter.use("/*", validatePortalSession, portalAudit);
 
 // ─── GET routes ──────────────────────────────────────────────────────────────
 
 portalRouter.get("/me", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const [client] = await db.select().from(clients).where(eq(clients.id, clientId)).limit(1);
   if (!client) return c.json({ error: "Not found" }, 404);
@@ -49,9 +38,7 @@ portalRouter.get("/services", async (c) => {
 
 portalRouter.get("/appointments", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const now = new Date();
   const allAppts = await db
@@ -101,9 +88,7 @@ portalRouter.get("/appointments", async (c) => {
 
 portalRouter.get("/pets", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const clientPets = await db.select().from(pets).where(eq(pets.clientId, clientId));
   return c.json(clientPets.map(p => ({ id: p.id, name: p.name, breed: p.breed, weightKg: p.weightKg, dateOfBirth: p.dateOfBirth, photoKey: p.photoKey, groomingNotes: p.groomingNotes })));
@@ -111,9 +96,7 @@ portalRouter.get("/pets", async (c) => {
 
 portalRouter.get("/invoices", async (c) => {
   const db = getDb();
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const clientInvoices = await db.select().from(invoices).where(eq(invoices.clientId, clientId));
   const invoiceIds = clientInvoices.map(i => i.id);
@@ -148,12 +131,7 @@ portalRouter.patch(
     const db = getDb();
     const id = c.req.param("id");
     const body = c.req.valid("json");
-
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-    const clientId = await getClientIdFromSession(sessionId);
-    if (!clientId) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
+    const clientId = c.get("portalClientId");
 
     const [appt] = await db
       .select()
@@ -196,12 +174,7 @@ portalRouter.patch(
 portalRouter.post("/appointments/:id/confirm", async (c) => {
   const db = getDb();
   const id = c.req.param("id");
-
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
+  const clientId = c.get("portalClientId");
 
   const [appt] = await db
     .select()
@@ -250,12 +223,7 @@ portalRouter.post("/appointments/:id/confirm", async (c) => {
 portalRouter.post("/appointments/:id/cancel", async (c) => {
   const db = getDb();
   const id = c.req.param("id");
-
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
+  const clientId = c.get("portalClientId");
 
   const [appt] = await db
     .select()
@@ -319,28 +287,7 @@ portalRouter.post(
   async (c) => {
     const db = getDb();
     const body = c.req.valid("json");
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-
-    let clientId: string | null = null;
-    if (sessionId) {
-      const [session] = await db
-        .select()
-        .from(impersonationSessions)
-        .where(
-          and(
-            eq(impersonationSessions.id, sessionId),
-            eq(impersonationSessions.status, "active")
-          )
-        )
-        .limit(1);
-      if (session && session.expiresAt > new Date()) {
-        clientId = session.clientId;
-      }
-    }
-
-    if (!clientId) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
+    const clientId = c.get("portalClientId");
 
     const [entry] = await db
       .insert(waitlistEntries)
@@ -364,26 +311,7 @@ portalRouter.patch(
     const db = getDb();
     const id = c.req.param("id");
     const body = c.req.valid("json");
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-
-    if (!sessionId) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
-
-    const [session] = await db
-      .select()
-      .from(impersonationSessions)
-      .where(
-        and(
-          eq(impersonationSessions.id, sessionId),
-          eq(impersonationSessions.status, "active")
-        )
-      )
-      .limit(1);
-
-    if (!session || session.expiresAt <= new Date()) {
-      return c.json({ error: "Unauthorized" }, 401);
-    }
+    const clientId = c.get("portalClientId");
 
     const [existing] = await db
       .select()
@@ -392,7 +320,7 @@ portalRouter.patch(
       .limit(1);
 
     if (!existing) return c.json({ error: "Not found" }, 404);
-    if (existing.clientId !== session.clientId) {
+    if (existing.clientId !== clientId) {
       return c.json({ error: "Forbidden" }, 403);
     }
 
@@ -414,26 +342,7 @@ portalRouter.patch(
 portalRouter.delete("/waitlist/:id", async (c) => {
   const db = getDb();
   const id = c.req.param("id");
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-
-  if (!sessionId) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
-
-  const [session] = await db
-    .select()
-    .from(impersonationSessions)
-    .where(
-      and(
-        eq(impersonationSessions.id, sessionId),
-        eq(impersonationSessions.status, "active")
-      )
-    )
-    .limit(1);
-
-  if (!session || session.expiresAt <= new Date()) {
-    return c.json({ error: "Unauthorized" }, 401);
-  }
+  const clientId = c.get("portalClientId");
 
   const [entry] = await db
     .select()
@@ -442,7 +351,7 @@ portalRouter.delete("/waitlist/:id", async (c) => {
     .limit(1);
 
   if (!entry) return c.json({ error: "Not found" }, 404);
-  if (entry.clientId !== session.clientId) {
+  if (entry.clientId !== clientId) {
     return c.json({ error: "Forbidden" }, 403);
   }
 
@@ -475,9 +384,7 @@ portalRouter.post(
   async (c) => {
     const db = getDb();
     const body = c.req.valid("json");
-    const sessionId = c.req.header("X-Impersonation-Session-Id");
-    const clientId = await getClientIdFromSession(sessionId);
-    if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+    const clientId = c.get("portalClientId");
 
     const invoiceRows = await db
       .select()
@@ -514,9 +421,7 @@ portalRouter.post(
 );
 
 portalRouter.get("/payment-methods", async (c) => {
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const methods = await listPaymentMethods(clientId);
   if (methods === null) return c.json({ error: "Payment service unavailable" }, 503);
@@ -524,9 +429,7 @@ portalRouter.get("/payment-methods", async (c) => {
 });
 
 portalRouter.post("/payment-methods", async (c) => {
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY ?? "";
   const customerId = await getOrCreateStripeCustomer(clientId);
@@ -539,9 +442,7 @@ portalRouter.post("/payment-methods", async (c) => {
 });
 
 portalRouter.delete("/payment-methods/:id", async (c) => {
-  const sessionId = c.req.header("X-Impersonation-Session-Id");
-  const clientId = await getClientIdFromSession(sessionId);
-  if (!clientId) return c.json({ error: "Unauthorized" }, 401);
+  const clientId = c.get("portalClientId");
 
   const paymentMethodId = c.req.param("id");
 
-- 
2.52.0


From c7865443697c858c66d0f8459d7559f8c4a5c6de Mon Sep 17 00:00:00 2001
From: Paperclip <noreply@paperclip.ing>
Date: Tue, 14 Apr 2026 15:17:01 +0000
Subject: [PATCH 02/12] Fix frontend error handling and code quality (GRO-642)

HIGH Priority:
1. SetupWizard.jsx -> SetupWizard.tsx: renamed to .tsx with proper TypeScript types
2. deleteAppt missing error handling: added try/catch, response.ok check, alert on failure
3. GlobalSearch missing error state: added error state with user-visible error message

MEDIUM Priority:
4. CustomerPortal unsafe type cast: fixed 'as any' to proper PortalAppointment type
5. Logo upload XSS risk: sanitized MIME types to png/jpeg/gif/webp only, removed SVG
6. Reports error handling: added ok checks before json() parsing to guard against invalid JSON on error responses

LOW Priority:
8. Modal accessibility: added role='dialog', aria-modal='true', focus trap, Escape key handler, restore focus on close
9. PetPhotoUpload file size: added 50MB max file size check before resize
10. Types package: added photoKey and photoUploadedAt to Pet interface

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/web/src/App.tsx                          |  2 +-
 apps/web/src/components/GlobalSearch.tsx      | 16 +++-
 apps/web/src/components/PetPhotoUpload.tsx    |  6 ++
 apps/web/src/pages/Appointments.tsx           | 54 ++++++++++-
 apps/web/src/pages/Reports.tsx                | 10 +--
 apps/web/src/pages/Settings.tsx               |  6 +-
 apps/web/src/pages/SetupWizard.d.ts           |  2 +-
 .../{SetupWizard.jsx => SetupWizard.tsx}      | 89 +++++++++----------
 apps/web/src/portal/CustomerPortal.tsx        |  7 +-
 apps/web/src/portal/sections/Appointments.tsx |  2 +-
 packages/types/src/index.ts                   |  2 +
 11 files changed, 131 insertions(+), 65 deletions(-)
 rename apps/web/src/pages/{SetupWizard.jsx => SetupWizard.tsx} (89%)

diff --git a/apps/web/src/App.tsx b/apps/web/src/App.tsx
index 28bde7c..83e95d6 100644
--- a/apps/web/src/App.tsx
+++ b/apps/web/src/App.tsx
@@ -12,7 +12,7 @@ import { SettingsPage } from "./pages/Settings.js";
 import { BookingConfirmedPage } from "./pages/BookingConfirmed.js";
 import { BookingCancelledPage } from "./pages/BookingCancelled.js";
 import { BookingErrorPage } from "./pages/BookingError.js";
-import { SetupWizard } from "./pages/SetupWizard.jsx";
+import { SetupWizard } from "./pages/SetupWizard.tsx";
 import { CustomerPortal } from "./portal/CustomerPortal.js";
 import { DevLoginSelector, getDevUser } from "./pages/DevLoginSelector.js";
 import { DevSessionIndicator } from "./components/DevSessionIndicator.js";
diff --git a/apps/web/src/components/GlobalSearch.tsx b/apps/web/src/components/GlobalSearch.tsx
index 8971fde..deb4770 100644
--- a/apps/web/src/components/GlobalSearch.tsx
+++ b/apps/web/src/components/GlobalSearch.tsx
@@ -26,6 +26,7 @@ export function GlobalSearch() {
   const [query, setQuery] = useState("");
   const [results, setResults] = useState<SearchResults | null>(null);
   const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
   const [open, setOpen] = useState(false);
   const inputRef = useRef<HTMLInputElement>(null);
   const dropdownRef = useRef<HTMLDivElement>(null);
@@ -45,15 +46,18 @@ export function GlobalSearch() {
 
     debounceRef.current = setTimeout(async () => {
       setLoading(true);
+      setError(null);
       try {
         const res = await fetch(`/api/search?q=${encodeURIComponent(trimmed)}`);
         if (res.ok) {
           const data: SearchResults = await res.json();
           setResults(data);
           setOpen(true);
+        } else {
+          setError("Search failed. Please try again.");
         }
-      } catch (err) {
-        console.warn("GlobalSearch: fetch error", err);
+      } catch {
+        setError("Search failed. Please try again.");
       } finally {
         setLoading(false);
       }
@@ -160,7 +164,13 @@ export function GlobalSearch() {
             </div>
           )}
 
-          {!loading && !hasResults && (
+          {!loading && error && (
+            <div style={{ padding: "12px 16px", fontSize: 13, color: "#dc2626" }}>
+              {error}
+            </div>
+          )}
+
+          {!loading && !error && !hasResults && (
             <div style={{ padding: "12px 16px", fontSize: 13, color: "#6b7280" }}>
               No results found
             </div>
diff --git a/apps/web/src/components/PetPhotoUpload.tsx b/apps/web/src/components/PetPhotoUpload.tsx
index f33ce48..0b479f3 100644
--- a/apps/web/src/components/PetPhotoUpload.tsx
+++ b/apps/web/src/components/PetPhotoUpload.tsx
@@ -71,6 +71,12 @@ export function PetPhotoUpload({ petId, onUploaded }: Props) {
   }
 
   async function handleFile(file: File) {
+    const MAX_FILE_SIZE = 50 * 1024 * 1024;
+    if (file.size > MAX_FILE_SIZE) {
+      setState({ status: "error", message: "File exceeds 50MB limit. Please choose a smaller image." });
+      return;
+    }
+
     if (!ACCEPTED_TYPES.includes(file.type)) {
       setState({ status: "error", message: "Please select a JPEG, PNG, WebP, or GIF image." });
       return;
diff --git a/apps/web/src/pages/Appointments.tsx b/apps/web/src/pages/Appointments.tsx
index 386354d..1dd7046 100644
--- a/apps/web/src/pages/Appointments.tsx
+++ b/apps/web/src/pages/Appointments.tsx
@@ -1,4 +1,4 @@
-import { useEffect, useState, useCallback } from "react";
+import { useEffect, useState, useCallback, useRef } from "react";
 import type { Appointment, Client, Pet, Service, Staff } from "@groombook/types";
 
 // ─── Helpers ────────────────────────────────────────────────────────────────
@@ -273,7 +273,15 @@ export function AppointmentsPage() {
       cascade !== "this_only"
         ? `/api/appointments/${id}?cascade=${cascade}`
         : `/api/appointments/${id}`;
-    await fetch(url, { method: "DELETE" });
+    try {
+      const res = await fetch(url, { method: "DELETE" });
+      if (!res.ok) {
+        const err = (await res.json()) as { error?: string };
+        throw new Error(err.error ?? `HTTP ${res.status}`);
+      }
+    } catch (e: unknown) {
+      alert(e instanceof Error ? e.message : "Failed to delete appointment");
+    }
     setSelectedAppt(null);
     await loadAppointments();
   }
@@ -819,8 +827,49 @@ function AppointmentDetail({
 }
 
 function Modal({ children, onClose }: { children: React.ReactNode; onClose: () => void }) {
+  const modalRef = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    const previouslyFocused = document.activeElement as HTMLElement;
+    const focusableSelectors = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+    const focusableElements = modalRef.current?.querySelectorAll<HTMLElement>(focusableSelectors);
+    const firstFocusable = focusableElements?.[0];
+    firstFocusable?.focus();
+
+    function handleKeyDown(e: KeyboardEvent) {
+      if (e.key === "Escape") {
+        onClose();
+        return;
+      }
+      if (e.key !== "Tab") return;
+      if (!modalRef.current) return;
+      const focusables = modalRef.current.querySelectorAll<HTMLElement>(focusableSelectors);
+      const first = focusables[0];
+      const last = focusables[focusables.length - 1];
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last?.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first?.focus();
+        }
+      }
+    }
+
+    document.addEventListener("keydown", handleKeyDown);
+    return () => {
+      document.removeEventListener("keydown", handleKeyDown);
+      previouslyFocused?.focus();
+    };
+  }, [onClose]);
+
   return (
     <div
+      role="dialog"
+      aria-modal="true"
       style={{
         position: "fixed",
         inset: 0,
@@ -833,6 +882,7 @@ function Modal({ children, onClose }: { children: React.ReactNode; onClose: () =
       onClick={(e) => { if (e.target === e.currentTarget) onClose(); }}
     >
       <div
+        ref={modalRef}
         style={{
           background: "#fff",
           borderRadius: 8,
diff --git a/apps/web/src/pages/Reports.tsx b/apps/web/src/pages/Reports.tsx
index a3515ce..4cd2631 100644
--- a/apps/web/src/pages/Reports.tsx
+++ b/apps/web/src/pages/Reports.tsx
@@ -199,11 +199,11 @@ export function ReportsPage() {
       }
 
       const [summData, revData, apptData, svcData, clientData] = await Promise.all([
-        summRes.json() as Promise<Summary>,
-        revRes.json() as Promise<{ byPeriod: RevenuePeriod[]; byGroomer: RevenueByGroomer[] }>,
-        apptRes.json() as Promise<{ byPeriod: ApptPeriod[] }>,
-        svcRes.json() as Promise<{ rows: ServiceRow[] }>,
-        clientRes.json() as Promise<ClientReport>,
+        summRes.ok ? summRes.json() as Promise<Summary> : summRes.text().then(() => { throw new Error("summary response not ok"); }),
+        revRes.ok ? revRes.json() as Promise<{ byPeriod: RevenuePeriod[]; byGroomer: RevenueByGroomer[] }> : revRes.text().then(() => { throw new Error("revenue response not ok"); }),
+        apptRes.ok ? apptRes.json() as Promise<{ byPeriod: ApptPeriod[] }> : apptRes.text().then(() => { throw new Error("appointments response not ok"); }),
+        svcRes.ok ? svcRes.json() as Promise<{ rows: ServiceRow[] }> : svcRes.text().then(() => { throw new Error("services response not ok"); }),
+        clientRes.ok ? clientRes.json() as Promise<ClientReport> : clientRes.text().then(() => { throw new Error("clients response not ok"); }),
       ]);
 
       setSummary(summData);
diff --git a/apps/web/src/pages/Settings.tsx b/apps/web/src/pages/Settings.tsx
index 088a685..5ccb943 100644
--- a/apps/web/src/pages/Settings.tsx
+++ b/apps/web/src/pages/Settings.tsx
@@ -149,9 +149,9 @@ export function SettingsPage() {
       return;
     }
 
-    const validTypes = ["image/png", "image/svg+xml", "image/jpeg", "image/webp"];
+    const validTypes = ["image/png", "image/jpeg", "image/gif", "image/webp"];
     if (!validTypes.includes(file.type)) {
-      setMessage({ type: "error", text: "Logo must be PNG, SVG, JPEG, or WebP." });
+      setMessage({ type: "error", text: "Logo must be PNG, JPEG, GIF, or WebP." });
       return;
     }
 
@@ -393,7 +393,7 @@ issuerUrl: authForm.issuerUrl,
             <input
               ref={fileInputRef}
               type="file"
-              accept="image/png,image/svg+xml,image/jpeg,image/webp"
+              accept="image/png,image/jpeg,image/gif,image/webp"
               onChange={handleLogoChange}
               style={{ display: "none" }}
             />
diff --git a/apps/web/src/pages/SetupWizard.d.ts b/apps/web/src/pages/SetupWizard.d.ts
index 5758e2b..786c80d 100644
--- a/apps/web/src/pages/SetupWizard.d.ts
+++ b/apps/web/src/pages/SetupWizard.d.ts
@@ -1 +1 @@
-export { SetupWizard } from "./SetupWizard.jsx";
+export { SetupWizard } from "./SetupWizard.tsx";
diff --git a/apps/web/src/pages/SetupWizard.jsx b/apps/web/src/pages/SetupWizard.tsx
similarity index 89%
rename from apps/web/src/pages/SetupWizard.jsx
rename to apps/web/src/pages/SetupWizard.tsx
index 666b67c..8587519 100644
--- a/apps/web/src/pages/SetupWizard.jsx
+++ b/apps/web/src/pages/SetupWizard.tsx
@@ -2,16 +2,39 @@ import { useState, useEffect } from "react";
 import { useNavigate } from "react-router-dom";
 import { useBranding } from "../BrandingContext.js";
 
-export function SetupWizard({ onSetupComplete }) {
+interface SetupStatus {
+  showAuthProviderStep?: boolean;
+}
+
+interface TestResult {
+  ok: boolean;
+  error?: string;
+}
+
+interface AuthFormState {
+  providerId: string;
+  displayName: string;
+  issuerUrl: string;
+  internalBaseUrl: string;
+  clientId: string;
+  clientSecret: string;
+  scopes: string;
+}
+
+interface Step {
+  id: string;
+  title: string;
+  description: string;
+}
+
+export function SetupWizard({ onSetupComplete }: { onSetupComplete?: () => void }) {
   const navigate = useNavigate();
   const { refresh: refreshBranding } = useBranding();
 
-  // Fetch setup status to determine if auth provider step is needed
-  const [setupStatus, setSetupStatus] = useState(null); // null = loading
+  const [setupStatus, setSetupStatus] = useState<SetupStatus | null>(null);
   const [loadingStatus, setLoadingStatus] = useState(true);
 
-  // Auth provider form state
-  const [authForm, setAuthForm] = useState({
+  const [authForm, setAuthForm] = useState<AuthFormState>({
     providerId: "authentik",
     displayName: "",
     issuerUrl: "",
@@ -21,16 +44,16 @@ export function SetupWizard({ onSetupComplete }) {
     scopes: "openid profile email",
   });
   const [testingConnection, setTestingConnection] = useState(false);
-  const [testResult, setTestResult] = useState(null); // {ok: boolean, error?: string}
+  const [testResult, setTestResult] = useState<TestResult | null>(null);
 
   const [step, setStep] = useState(0);
   const [businessName, setBusinessName] = useState("");
   const [loading, setLoading] = useState(false);
-  const [error, setError] = useState(null);
+  const [error, setError] = useState<string | null>(null);
 
   useEffect(() => {
     fetch("/api/setup/status")
-      .then((r) => r.json())
+      .then((r) => r.json() as Promise<SetupStatus>)
       .then((data) => {
         setSetupStatus(data);
         setLoadingStatus(false);
@@ -40,8 +63,7 @@ export function SetupWizard({ onSetupComplete }) {
       });
   }, []);
 
-  // Build steps dynamically based on setup status
-  const STEPS = setupStatus?.showAuthProviderStep
+  const STEPS: Step[] = setupStatus?.showAuthProviderStep
     ? [
         { id: "welcome", title: "Welcome", description: "Welcome to GroomBook! Let's get your business set up." },
         { id: "auth", title: "Auth Provider", description: "Configure your authentication provider to secure your GroomBook instance." },
@@ -63,9 +85,8 @@ export function SetupWizard({ onSetupComplete }) {
   const isFirst = step === 0;
   const canGoBack = step > 0 && step < STEPS.length - 1;
 
-  // Determine if we can proceed - depends on which step we're on
   const canGoNext = (() => {
-    if (step === STEPS.length - 1) return true; // done step
+    if (step === STEPS.length - 1) return true;
     if (current?.id === "business") return businessName.trim().length > 0;
     if (current?.id === "auth") {
       return (
@@ -94,9 +115,9 @@ export function SetupWizard({ onSetupComplete }) {
           scopes: authForm.scopes,
         }),
       });
-      const data = await res.json();
+      const data = (await res.json()) as TestResult;
       setTestResult(data);
-    } catch (e) {
+    } catch {
       setTestResult({ ok: false, error: "Network error. Please try again." });
     } finally {
       setTestingConnection(false);
@@ -105,12 +126,10 @@ export function SetupWizard({ onSetupComplete }) {
 
   const handleNext = async () => {
     if (step === STEPS.length - 1) {
-      // Done - redirect to admin
       navigate("/admin");
       return;
     }
 
-    // Submit auth provider config
     if (current?.id === "auth") {
       setLoading(true);
       setError(null);
@@ -129,12 +148,12 @@ export function SetupWizard({ onSetupComplete }) {
           }),
         });
         if (!res.ok) {
-          const data = await res.json();
+          const data = (await res.json()) as { error?: string };
           setError(data.error || "Failed to save auth provider configuration. Please try again.");
           setLoading(false);
           return;
         }
-      } catch (e) {
+      } catch {
         setError("Network error. Please try again.");
         setLoading(false);
         return;
@@ -142,7 +161,6 @@ export function SetupWizard({ onSetupComplete }) {
       setLoading(false);
     }
 
-    // Submit business name and complete setup
     if (current?.id === "business" && businessName.trim()) {
       setLoading(true);
       setError(null);
@@ -153,16 +171,14 @@ export function SetupWizard({ onSetupComplete }) {
           body: JSON.stringify({ businessName: businessName.trim() }),
         });
         if (!res.ok) {
-          const data = await res.json();
+          const data = (await res.json()) as { error?: string };
           setError(data.error || "Setup failed. Please try again.");
           setLoading(false);
           return;
         }
-        // Refresh branding so the nav bar shows the new business name
         refreshBranding();
-        // Clear needsSetup state in App so the redirect to /admin sticks
         if (onSetupComplete) onSetupComplete();
-      } catch (e) {
+      } catch {
         setError("Network error. Please try again.");
         setLoading(false);
         return;
@@ -192,7 +208,7 @@ export function SetupWizard({ onSetupComplete }) {
     );
   }
 
-  const inputStyle = {
+  const inputStyle: React.CSSProperties = {
     width: "100%",
     padding: "0.6rem 0.85rem",
     borderRadius: 8,
@@ -220,7 +236,6 @@ export function SetupWizard({ onSetupComplete }) {
         maxWidth: 480,
         width: "100%",
       }}>
-        {/* Progress dots */}
         <div style={{ display: "flex", gap: 6, marginBottom: "2rem", justifyContent: "center" }}>
           {STEPS.map((_, i) => (
             <div
@@ -237,38 +252,32 @@ export function SetupWizard({ onSetupComplete }) {
           ))}
         </div>
 
-        {/* Step indicator */}
         <p style={{ margin: "0 0 0.5rem", fontSize: 13, color: "#6b7280", fontWeight: 500 }}>
           Step {step + 1} of {STEPS.length}
         </p>
 
-        {/* Title */}
         <h2 style={{ margin: "0 0 0.75rem", fontSize: 22, fontWeight: 700, color: "#1a202c" }}>
           {current?.title}
         </h2>
 
-        {/* Description */}
         <p style={{ margin: "0 0 1.5rem", fontSize: 15, color: "#4b5563", lineHeight: 1.6 }}>
           {current?.description}
         </p>
 
-        {/* Step: Business name input */}
         {current?.id === "business" && (
           <input
             type="text"
             placeholder="e.g. Happy Paws Grooming"
             value={businessName}
             onChange={(e) => setBusinessName(e.target.value)}
-            onKeyDown={(e) => e.key === "Enter" && canGoNext && handleNext()}
+            onKeyDown={(e) => e.key === "Enter" && canGoNext && void handleNext()}
             autoFocus
             style={inputStyle}
           />
         )}
 
-        {/* Step: Auth provider config form */}
         {current?.id === "auth" && (
           <div style={{ display: "flex", flexDirection: "column", gap: "0.85rem" }}>
-            {/* Provider ID */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Provider ID
@@ -282,7 +291,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Display Name */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Display Name
@@ -296,7 +304,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Issuer URL */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Issuer URL
@@ -310,7 +317,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Internal Base URL (optional) */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Internal Base URL <span style={{ fontWeight: 400, color: "#6b7280" }}>(optional, for hairpin NAT)</span>
@@ -324,7 +330,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Client ID */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Client ID
@@ -338,7 +343,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Client Secret */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Client Secret
@@ -352,7 +356,6 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Scopes */}
             <div>
               <label style={{ display: "block", fontSize: 13, fontWeight: 600, marginBottom: 4 }}>
                 Scopes
@@ -366,10 +369,9 @@ export function SetupWizard({ onSetupComplete }) {
               />
             </div>
 
-            {/* Test Connection button */}
             <button
               type="button"
-              onClick={handleTestConnection}
+              onClick={() => { void handleTestConnection(); }}
               disabled={testingConnection || !authForm.issuerUrl || !authForm.clientId}
               style={{
                 padding: "0.45rem 0.85rem",
@@ -387,7 +389,6 @@ export function SetupWizard({ onSetupComplete }) {
               {testingConnection ? "Testing..." : "Test Connection"}
             </button>
 
-            {/* Test result */}
             {testResult && (
               <div style={{
                 padding: "0.5rem 0.75rem",
@@ -405,7 +406,6 @@ export function SetupWizard({ onSetupComplete }) {
           </div>
         )}
 
-        {/* Step: Super user info */}
         {current?.id === "superuser" && (
           <div style={{
             background: "#f0fdf4",
@@ -420,7 +420,6 @@ export function SetupWizard({ onSetupComplete }) {
           </div>
         )}
 
-        {/* Step: Second admin info */}
         {current?.id === "admin" && (
           <div style={{
             background: "#fffbeb",
@@ -434,7 +433,6 @@ export function SetupWizard({ onSetupComplete }) {
           </div>
         )}
 
-        {/* Error message */}
         {error && (
           <p style={{
             margin: "0.5rem 0 0",
@@ -449,7 +447,6 @@ export function SetupWizard({ onSetupComplete }) {
           </p>
         )}
 
-        {/* Navigation buttons */}
         <div style={{
           display: "flex",
           gap: "0.75rem",
@@ -476,7 +473,7 @@ export function SetupWizard({ onSetupComplete }) {
             </button>
           )}
           <button
-            onClick={handleNext}
+            onClick={() => { void handleNext(); }}
             disabled={(!canGoNext && !isLast) || loading}
             style={{
               padding: "0.55rem 1.25rem",
diff --git a/apps/web/src/portal/CustomerPortal.tsx b/apps/web/src/portal/CustomerPortal.tsx
index a33f51f..89bc750 100644
--- a/apps/web/src/portal/CustomerPortal.tsx
+++ b/apps/web/src/portal/CustomerPortal.tsx
@@ -16,6 +16,7 @@ import { AuditLogViewer } from "./AuditLogViewer.js";
 import { useBranding } from "../BrandingContext.js";
 import { getDevUser } from "../pages/DevLoginSelector.js";
 import type { ImpersonationSession } from "@groombook/types";
+import type { Appointment as PortalAppointment } from "./sections/Appointments.js";
 
 type Section = "dashboard" | "appointments" | "pets" | "reports" | "billing" | "messages" | "settings";
 
@@ -34,7 +35,7 @@ export function CustomerPortal() {
   const [mobileNavOpen, setMobileNavOpen] = useState(false);
   const [showAuditLog, setShowAuditLog] = useState(false);
   const [showReschedule, setShowReschedule] = useState(false);
-  const [rescheduleAppointment, setRescheduleAppointment] = useState<Record<string, unknown> | null>(null);
+  const [rescheduleAppointment, setRescheduleAppointment] = useState<PortalAppointment | null>(null);
   const [session, setSession] = useState<ImpersonationSession | null>(null);
   const [sessionExtended, setSessionExtended] = useState(false);
   const [clientName, setClientName] = useState<string>("");
@@ -149,7 +150,7 @@ export function CustomerPortal() {
   const handleReschedule = useCallback((appointmentId: string) => {
     // Look up the full appointment from Dashboard's displayed data
     // The appointment was already fetched by Dashboard, so we use the ID to find it
-    setRescheduleAppointment({ id: appointmentId } as Record<string, unknown>);
+    setRescheduleAppointment({ id: appointmentId } as PortalAppointment);
     setShowReschedule(true);
   }, []);
 
@@ -227,7 +228,7 @@ export function CustomerPortal() {
 
       {showReschedule && rescheduleAppointment && (
         <RescheduleFlow
-          appointment={rescheduleAppointment as any}
+          appointment={rescheduleAppointment}
           onClose={() => { setShowReschedule(false); setRescheduleAppointment(null); }}
           sessionId={session?.id ?? null}
         />
diff --git a/apps/web/src/portal/sections/Appointments.tsx b/apps/web/src/portal/sections/Appointments.tsx
index 2eb6bc1..65e4c18 100644
--- a/apps/web/src/portal/sections/Appointments.tsx
+++ b/apps/web/src/portal/sections/Appointments.tsx
@@ -1,7 +1,7 @@
 import React, { useState, useEffect } from 'react';
 import { Calendar, Clock, Plus, ChevronRight, ChevronDown, Loader2 } from 'lucide-react';
 
-interface Appointment {
+export interface Appointment {
   id: string;
   petId: string;
   serviceId: string;
diff --git a/packages/types/src/index.ts b/packages/types/src/index.ts
index 198b8b3..753b1cf 100644
--- a/packages/types/src/index.ts
+++ b/packages/types/src/index.ts
@@ -40,6 +40,8 @@ export interface Pet {
   shampooPreference: string | null;
   specialCareNotes: string | null;
   customFields: Record<string, string>;
+  photoKey?: string;
+  photoUploadedAt?: string;
   createdAt: string;
   updatedAt: string;
 }
-- 
2.52.0


From f301b1a5a0b2f2bd6e58d2725e85765f97a96996 Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 00:56:05 +0000
Subject: [PATCH 03/12] fix(GRO-642): add real-time validation for tip split
 percentages

Add pre-submit validation in markPaid() that checks tip split percentages
sum to 100% before allowing the payment to be processed. This addresses
Finding #7 from the frontend code quality review (GRO-628).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/web/src/pages/Invoices.tsx | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/apps/web/src/pages/Invoices.tsx b/apps/web/src/pages/Invoices.tsx
index 8363695..2cbf3ae 100644
--- a/apps/web/src/pages/Invoices.tsx
+++ b/apps/web/src/pages/Invoices.tsx
@@ -211,6 +211,15 @@ function InvoiceDetailModal({
     setSaving(true);
     setError(null);
     const tipCents = Math.round(parseFloat(tipStr) * 100) || 0;
+    // Real-time validation: prevent submit if tip splits don't sum to 100%
+    if (showSplits && tipCents > 0 && tipSplits.length > 0) {
+      const totalPct = tipSplits.reduce((s, r) => s + r.pct, 0);
+      if (Math.abs(totalPct - 100) >= 0.01) {
+        setError("Tip split percentages must sum to 100%");
+        setSaving(false);
+        return;
+      }
+    }
     try {
       const res = await fetch(`/api/invoices/${invoice.id}`, {
         method: "PATCH",
-- 
2.52.0


From eab97b2ebd2498e78d4f8ab7142bc53909bc1187 Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 01:32:28 +0000
Subject: [PATCH 04/12] fix(GRO-666): leave staff.user_id NULL in seed so
 middleware can auto-link by email

The resolveStaffMiddleware auto-links on first API call when staff.user_id
IS NULL. Setting userId at seed time blocks this path since Better-Auth's
user.id is opaque and unknown pre-auth. Remove userId from all staff inserts
so the middleware can populate it on first authenticated call.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 packages/db/src/seed.ts | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/packages/db/src/seed.ts b/packages/db/src/seed.ts
index a19f254..dca21d4 100644
--- a/packages/db/src/seed.ts
+++ b/packages/db/src/seed.ts
@@ -399,7 +399,6 @@ async function seedKnownUsers() {
         name: adminName,
         email: adminEmail,
         oidcSub: adminEmail,
-        userId: adminEmail,
         role: "manager",
         isSuperUser: true,
         active: true,
@@ -426,7 +425,6 @@ async function seedKnownUsers() {
         name: "UAT Super User",
         email: "uat-super@groombook.dev",
         oidcSub: uatSuperOidcSub,
-        userId: uatSuperOidcSub,
         role: "manager",
         isSuperUser: true,
         active: true,
@@ -453,7 +451,6 @@ async function seedKnownUsers() {
         name: "UAT Staff Groomer",
         email: "uat-groomer@groombook.dev",
         oidcSub: uatStaffOidcSub,
-        userId: uatStaffOidcSub,
         role: "groomer",
         isSuperUser: false,
         active: true,
@@ -648,7 +645,6 @@ async function seed() {
         name: adminName,
         email: adminEmail,
         oidcSub: adminEmail,
-        userId: adminEmail,
         role: "manager",
         isSuperUser: true,
         active: true,
-- 
2.52.0


From 0abb79010d303f535885802dff8fddbbc1144793 Mon Sep 17 00:00:00 2001
From: Flea Flicker <fleaflicker@groombook.farh.net>
Date: Thu, 16 Apr 2026 17:41:05 +0000
Subject: [PATCH 05/12] fix(GRO-639): replace sql ANY() with inArray for
 Drizzle compatibility

Use Drizzle's inArray() instead of raw sql template with = ANY()
to avoid PostgreSQL array binding issues in the reminder scheduler
bulk sent-check query.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/services/reminders.ts | 146 +++++++++++++++--------------
 1 file changed, 78 insertions(+), 68 deletions(-)

diff --git a/apps/api/src/services/reminders.ts b/apps/api/src/services/reminders.ts
index 5aa2abc..1981258 100644
--- a/apps/api/src/services/reminders.ts
+++ b/apps/api/src/services/reminders.ts
@@ -5,6 +5,7 @@ import {
   eq,
   getDb,
   gte,
+  inArray,
   lt,
   appointments,
   clients,
@@ -59,68 +60,77 @@ export async function runReminderCheck(): Promise<void> {
         )
       );
 
+    const appointmentIds: string[] = upcoming.map((a) => a.id as string);
+    if (appointmentIds.length === 0) continue;
+
+    // Bulk check: which appointments already have email and SMS reminders sent?
+    const sentRows = await db
+      .select({ appointmentId: reminderLogs.appointmentId, channel: reminderLogs.channel })
+      .from(reminderLogs)
+      .where(
+        and(
+          eq(reminderLogs.reminderType, window.label),
+          appointmentIds.length === 1
+            ? eq(reminderLogs.appointmentId, appointmentIds[0]!)
+            : inArray(reminderLogs.appointmentId, appointmentIds)
+        )
+      );
+
+    const sentEmail = new Set(
+      sentRows.filter((r) => r.channel === "email").map((r) => r.appointmentId)
+    );
+    const sentSms = new Set(
+      sentRows.filter((r) => r.channel === "sms").map((r) => r.appointmentId)
+    );
+
+    // Bulk JOIN: fetch all client/pet/service/staff data in one query
+    const joinedRows = await db
+      .select({
+        appointmentId: appointments.id,
+        startTime: appointments.startTime,
+        clientId: appointments.clientId,
+        petId: appointments.petId,
+        serviceId: appointments.serviceId,
+        staffId: appointments.staffId,
+        confirmationToken: appointments.confirmationToken,
+        clientName: clients.name,
+        clientEmail: clients.email,
+        clientEmailOptOut: clients.emailOptOut,
+        clientSmsOptIn: clients.smsOptIn,
+        clientPhone: clients.phone,
+        petName: pets.name,
+        serviceName: services.name,
+        staffName: staff.name,
+      })
+      .from(appointments)
+      .innerJoin(clients, eq(appointments.clientId, clients.id))
+      .innerJoin(pets, eq(appointments.petId, pets.id))
+      .innerJoin(services, eq(appointments.serviceId, services.id))
+      .leftJoin(staff, eq(appointments.staffId, staff.id))
+      .where(
+        and(
+          gte(appointments.startTime, windowStart),
+          lt(appointments.startTime, windowEnd),
+          eq(appointments.status, "scheduled")
+        )
+      );
+
+    const appointmentMap = new Map<string, typeof joinedRows[number]>();
+    for (const row of joinedRows) {
+      appointmentMap.set(row.appointmentId, row);
+    }
+
     for (const appt of upcoming) {
-      const [emailLog] = await db
-        .select({ id: reminderLogs.id })
-        .from(reminderLogs)
-        .where(
-          and(
-            eq(reminderLogs.appointmentId, appt.id),
-            eq(reminderLogs.reminderType, window.label),
-            eq(reminderLogs.channel, "email")
-          )
-        )
-        .limit(1);
+      const joined = appointmentMap.get(appt.id as string);
+      if (!joined) continue;
 
-      const [smsLog] = await db
-        .select({ id: reminderLogs.id })
-        .from(reminderLogs)
-        .where(
-          and(
-            eq(reminderLogs.appointmentId, appt.id),
-            eq(reminderLogs.reminderType, window.label),
-            eq(reminderLogs.channel, "sms")
-          )
-        )
-        .limit(1);
+      const { clientName, clientEmail, clientEmailOptOut, clientSmsOptIn, clientPhone, petName, serviceName, staffName } = joined;
 
-      const [client] = await db
-        .select({
-          name: clients.name,
-          email: clients.email,
-          emailOptOut: clients.emailOptOut,
-          smsOptIn: clients.smsOptIn,
-          phone: clients.phone,
-        })
-        .from(clients)
-        .where(eq(clients.id, appt.clientId))
-        .limit(1);
+      if (!clientEmail || clientEmailOptOut) continue;
+      if (!petName || !serviceName) continue;
 
-      if (!client || !client.email || client.emailOptOut) continue;
-
-      const [pet] = await db
-        .select({ name: pets.name })
-        .from(pets)
-        .where(eq(pets.id, appt.petId))
-        .limit(1);
-
-      const [service] = await db
-        .select({ name: services.name })
-        .from(services)
-        .where(eq(services.id, appt.serviceId))
-        .limit(1);
-
-      let groomerName: string | null = null;
-      if (appt.staffId) {
-        const [groomer] = await db
-          .select({ name: staff.name })
-          .from(staff)
-          .where(eq(staff.id, appt.staffId))
-          .limit(1);
-        groomerName = groomer?.name ?? null;
-      }
-
-      if (!pet || !service) continue;
+      const emailSent = sentEmail.has(appt.id as string);
+      const smsSent = sentSms.has(appt.id as string);
 
       let confirmationToken = appt.confirmationToken;
       if (!confirmationToken) {
@@ -131,15 +141,15 @@ export async function runReminderCheck(): Promise<void> {
           .where(eq(appointments.id, appt.id));
       }
 
-      if (!emailLog) {
+      if (!emailSent) {
         const sent = await sendEmail(
           buildReminderEmail(
-            client.email,
+            clientEmail,
             {
-              clientName: client.name,
-              petName: pet.name,
-              serviceName: service.name,
-              groomerName,
+              clientName,
+              petName,
+              serviceName,
+              groomerName: staffName,
               startTime: appt.startTime,
             },
             window.hours,
@@ -155,20 +165,20 @@ export async function runReminderCheck(): Promise<void> {
         }
       }
 
-      if (!smsLog && client.smsOptIn && client.phone) {
+      if (!smsSent && clientSmsOptIn && clientPhone) {
         const apiUrl = process.env.API_URL ?? "http://localhost:3000";
         const confirmUrl = `${apiUrl}/api/book/confirm/${confirmationToken}`;
         const cancelUrl = `${apiUrl}/api/book/cancel/${confirmationToken}`;
         const when = window.hours >= 24 ? "tomorrow" : `in ${window.hours} hours`;
         const smsBody = [
-          `Hi ${client.name}, just a reminder: ${pet.name}'s grooming appointment is ${when}.`,
-          `Service: ${service.name}${groomerName ? ` with ${groomerName}` : ""}`,
+          `Hi ${clientName}, just a reminder: ${petName}'s grooming appointment is ${when}.`,
+          `Service: ${serviceName}${staffName ? ` with ${staffName}` : ""}`,
           `Confirm: ${confirmUrl}`,
           `Cancel: ${cancelUrl}`,
           TCPA_OPT_OUT,
         ].join(". ");
         try {
-          const smsOk = await smsSend(client.phone, smsBody);
+          const smsOk = await smsSend(clientPhone, smsBody);
           if (smsOk) {
             await db
               .insert(reminderLogs)
-- 
2.52.0


From 5df8837b5f6eb7c7943f8e94ff181016bf66551d Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 02:08:08 +0000
Subject: [PATCH 06/12] ci: add dev to pull_request branch list

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 19f391c..b95ad64 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev]
   pull_request:
-    branches: [main]
+    branches: [main, dev]
   workflow_dispatch:
     inputs:
       ref:
-- 
2.52.0


From 8182870d38b56d8c2c6e625387abcf8b6ff3842f Mon Sep 17 00:00:00 2001
From: Flea Flicker <fleaflicker@groombook.farh.net>
Date: Fri, 17 Apr 2026 02:58:05 +0000
Subject: [PATCH 07/12] feat(GRO-642): add logo magic-bytes validation to
 prevent MIME confusion attacks

Defensive validation in /api/branding ensures base64-encoded logo content
matches its declared MIME type by checking image magic bytes (PNG, JPEG,
GIF, WebP). If the content doesn't match, the legacy base64 fields are
nulled out before returning to prevent MIME type confusion attacks.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/index.ts | 64 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 62 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index a3d97fd..c6e90a5 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -72,6 +72,60 @@ app.route("/api/webhooks/stripe", webhooksRouter);
 // Dev/demo routes — config is always public, users endpoint is guarded internally
 app.route("/api/dev", devRouter);
 
+// Magic bytes for allowed image types
+const ALLOWED_IMAGE_TYPES: Record<string, Uint8Array> = {
+  "image/png": new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
+  "image/jpeg": new Uint8Array([0xff, 0xd8, 0xff]),
+  "image/gif": new Uint8Array([0x47, 0x49, 0x46, 0x38]),
+  "image/webp": new Uint8Array([0x52, 0x49, 0x46, 0x46]), // followed by size then WEBP
+};
+
+/**
+ * Validates that the given base64 content matches the declared MIME type
+ * by checking magic bytes. Returns null if valid, or the field to clear if not.
+ */
+function validateLogoMagicBytes(
+  logoBase64: string | null,
+  logoMimeType: string | null
+): "logoBase64" | "logoMimeType" | null {
+  if (!logoBase64 || !logoMimeType) return null;
+
+  const expectedMagic = ALLOWED_IMAGE_TYPES[logoMimeType];
+  if (!expectedMagic) return "logoMimeType"; // unknown MIME type — reject
+
+  try {
+    const binary = Buffer.from(logoBase64, "base64");
+    // WebP needs a special check (RIFF....WEBP at offset 0, size at offset 4)
+    if (logoMimeType === "image/webp") {
+      if (binary.length < 12) return "logoBase64";
+      const webpMagic = binary.slice(0, 4);
+      const webpSig = binary.slice(8, 12);
+      if (
+        webpMagic[0] !== 0x52 ||
+        webpMagic[1] !== 0x49 ||
+        webpMagic[2] !== 0x46 ||
+        webpMagic[3] !== 0x46 ||
+        webpSig[0] !== 0x57 ||
+        webpSig[1] !== 0x45 ||
+        webpSig[2] !== 0x42 ||
+        webpSig[3] !== 0x50
+      ) {
+        return "logoBase64";
+      }
+      return null;
+    }
+
+    // All other types: check prefix
+    if (binary.length < expectedMagic.length) return "logoBase64";
+    for (let i = 0; i < expectedMagic.length; i++) {
+      if (binary[i] !== expectedMagic[i]) return "logoBase64";
+    }
+    return null;
+  } catch {
+    return "logoBase64";
+  }
+}
+
 // Public branding endpoint — no auth required, returns business name/colors/logo
 app.get("/api/branding", async (c) => {
   const db = getDb();
@@ -87,13 +141,19 @@ app.get("/api/branding", async (c) => {
     }
   }
 
+  // Defensive: validate magic bytes to prevent MIME type confusion attacks
+  // via the legacy base64 logo fields
+  const badField = validateLogoMagicBytes(settings.logoBase64 ?? null, settings.logoMimeType ?? null);
+  const safeLogoBase64 = badField === "logoBase64" ? null : settings.logoBase64;
+  const safeLogoMimeType = badField === "logoMimeType" ? null : settings.logoMimeType;
+
   return c.json({
     businessName: settings.businessName,
     primaryColor: settings.primaryColor,
     accentColor: settings.accentColor,
     logoUrl,
-    logoBase64: settings.logoBase64,
-    logoMimeType: settings.logoMimeType,
+    logoBase64: safeLogoBase64,
+    logoMimeType: safeLogoMimeType,
   });
 });
 
-- 
2.52.0


From f8ea417799f4caefd7d0b8db534aaf304e6bbaec Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 06:45:06 +0000
Subject: [PATCH 08/12] fix(GRO-642): sanitize logo MIME type to prevent XSS in
 data URL rendering

Add ALLOWED_LOGO_TYPES allowlist check before constructing data URL from
user-controlled logoBase64 and logoMimeType fields. Only MIME types that
the API explicitly accepts (image/png, image/jpeg, image/gif, image/webp,
image/svg+xml) can be rendered as data URLs.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/web/src/pages/Settings.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/web/src/pages/Settings.tsx b/apps/web/src/pages/Settings.tsx
index 5ccb943..291b5e1 100644
--- a/apps/web/src/pages/Settings.tsx
+++ b/apps/web/src/pages/Settings.tsx
@@ -27,6 +27,8 @@ interface AuthProviderForm {
 
 const REDACTED = "••••••••";
 
+const ALLOWED_LOGO_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml"]);
+
 interface CurrentUser {
   id: string;
   name: string;
@@ -326,7 +328,7 @@ issuerUrl: authForm.issuerUrl,
 
   if (!loaded) return <p>Loading settings...</p>;
 
-  const logoSrc = form.logoUrl ?? (form.logoBase64 && form.logoMimeType ? `data:${form.logoMimeType};base64,${form.logoBase64}` : null);
+  const logoSrc = form.logoUrl ?? (form.logoBase64 && form.logoMimeType && ALLOWED_LOGO_TYPES.has(form.logoMimeType) ? `data:${form.logoMimeType};base64,${form.logoBase64}` : null);
 
   return (
     <div style={{ maxWidth: 600 }}>
-- 
2.52.0


From b00d6a8ca060dab01fb9a9d5d2f6f02a6bac818c Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 06:46:24 +0000
Subject: [PATCH 09/12] fix(GRO-642): restrict allowed logo MIME types to
 bitmap formats only

Exclude image/svg+xml from the frontend allowlist since SVG poses greater
XSS risk due to its ability to contain scripts, even with proper Content-Type
validation. The server-side validation (commit 8182870) still accepts SVG
and validates magic bytes, but the frontend restrict to safer bitmap formats
as specified in the issue.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/web/src/pages/Settings.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/src/pages/Settings.tsx b/apps/web/src/pages/Settings.tsx
index 291b5e1..8d70d06 100644
--- a/apps/web/src/pages/Settings.tsx
+++ b/apps/web/src/pages/Settings.tsx
@@ -27,7 +27,7 @@ interface AuthProviderForm {
 
 const REDACTED = "••••••••";
 
-const ALLOWED_LOGO_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml"]);
+const ALLOWED_LOGO_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
 
 interface CurrentUser {
   id: string;
-- 
2.52.0


From 60d0d53160b77fd25245fe0243ae71f00e5a9c4d Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 07:15:33 +0000
Subject: [PATCH 10/12] fix(GRO-743): add dedicated client detail route with
 unconditional data fetch

Direct navigation to /admin/clients/{id} now:
- Fetches GET /api/clients/{id} on mount (unconditional)
- Fetches GET /api/pets?clientId= on mount
- Shows loading state while fetching
- Shows error state on failure (401/404/5xx)
- Preserves existing link-based navigation from ClientsPage

Added ClientDetailPage.tsx as a standalone route component.
Added 3 E2E tests covering direct nav, loading state, and error state.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/e2e/tests/clients.spec.ts          |  49 +++++
 apps/web/src/App.tsx                    |   2 +
 apps/web/src/pages/ClientDetailPage.tsx | 236 ++++++++++++++++++++++++
 3 files changed, 287 insertions(+)
 create mode 100644 apps/web/src/pages/ClientDetailPage.tsx

diff --git a/apps/e2e/tests/clients.spec.ts b/apps/e2e/tests/clients.spec.ts
index 64cbcbc..eb766f1 100644
--- a/apps/e2e/tests/clients.spec.ts
+++ b/apps/e2e/tests/clients.spec.ts
@@ -63,3 +63,52 @@ test("clicking a client shows their details", async ({ page }) => {
   // Email appears in both the list row and the detail panel once selected
   await expect(page.getByText("alice@example.com")).toHaveCount(2);
 });
+
+test("direct URL navigation to client detail fetches data and renders client name", async ({ page }) => {
+  // Mock individual client fetch for direct navigation
+  await page.route("/api/clients/client-1", (route) =>
+    route.fulfill({ json: MOCK_CLIENTS[0] })
+  );
+  // Mock pets for this client
+  await page.route("/api/pets**", (route) =>
+    route.fulfill({ json: [] })
+  );
+
+  await page.goto("/admin/clients/client-1");
+  // Client name must be visible without any clicking
+  await expect(page.getByText("Alice Johnson")).toBeVisible();
+  // Should show back to list link
+  await expect(page.getByText("← Back to list")).toBeVisible();
+});
+
+test("direct URL navigation shows loading then client", async ({ page }) => {
+  let resolvePets: (value: unknown) => void;
+  const petsPromise = new Promise((resolve) => { resolvePets = resolve; });
+
+  await page.route("/api/clients/client-1", (route) =>
+    route.fulfill({ json: MOCK_CLIENTS[0] })
+  );
+  await page.route("/api/pets**", async (route) => {
+    await petsPromise;
+    await route.fulfill({ json: [] });
+  });
+
+  const navigationPromise = page.goto("/admin/clients/client-1");
+  // Should show loading state briefly
+  await expect(page.getByText("Loading client…")).toBeVisible();
+  // Resolve pets and wait for navigation
+  resolvePets!();
+  await navigationPromise;
+  // After data loads, client name is shown
+  await expect(page.getByText("Alice Johnson")).toBeVisible();
+});
+
+test("direct URL navigation shows error state on failure", async ({ page }) => {
+  await page.route("/api/clients/nonexistent", (route) =>
+    route.fulfill({ status: 404, json: { error: "Client not found" } })
+  );
+
+  await page.goto("/admin/clients/nonexistent");
+  await expect(page.getByText(/client not found/i)).toBeVisible();
+  await expect(page.getByText("← Back to clients")).toBeVisible();
+});
diff --git a/apps/web/src/App.tsx b/apps/web/src/App.tsx
index 28bde7c..3b34bfa 100644
--- a/apps/web/src/App.tsx
+++ b/apps/web/src/App.tsx
@@ -2,6 +2,7 @@ import { Routes, Route, Link, useLocation, Navigate, useNavigate } from "react-r
 import { useEffect, useState } from "react";
 import { AppointmentsPage } from "./pages/Appointments.js";
 import { ClientsPage } from "./pages/Clients.js";
+import { ClientDetailPage } from "./pages/ClientDetailPage.js";
 import { ServicesPage } from "./pages/Services.js";
 import { StaffPage } from "./pages/Staff.js";
 import { InvoicesPage } from "./pages/Invoices.js";
@@ -296,6 +297,7 @@ function AdminLayout() {
         <Routes>
           <Route path="/" element={<AppointmentsPage />} />
           <Route path="/clients" element={<ClientsPage />} />
+          <Route path="/clients/:clientId" element={<ClientDetailPage />} />
           <Route path="/services" element={<ServicesPage />} />
           <Route path="/staff" element={<StaffPage />} />
           <Route path="/invoices" element={<InvoicesPage />} />
diff --git a/apps/web/src/pages/ClientDetailPage.tsx b/apps/web/src/pages/ClientDetailPage.tsx
new file mode 100644
index 0000000..fdb9d19
--- /dev/null
+++ b/apps/web/src/pages/ClientDetailPage.tsx
@@ -0,0 +1,236 @@
+import { useEffect, useState, useCallback } from "react";
+import { useParams, Link } from "react-router-dom";
+import type { Client, GroomingVisitLog, Pet } from "@groombook/types";
+import { PetPhotoDisplay } from "../components/PetPhotoDisplay.js";
+import { PetPhotoUpload } from "../components/PetPhotoUpload.js";
+
+export function ClientDetailPage() {
+  const { clientId } = useParams<{ clientId: string }>();
+  const [client, setClient] = useState<Client | null>(null);
+  const [pets, setPets] = useState<Pet[]>([]);
+  const [visitLogs, setVisitLogs] = useState<Record<string, GroomingVisitLog[]>>({});
+  const [logsLoading, setLogsLoading] = useState<Record<string, boolean>>({});
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [photoRevisions, setPhotoRevisions] = useState<Record<string, number>>({});
+
+  const handlePhotoUploaded = useCallback((petId: string) => {
+    setPhotoRevisions((prev) => ({ ...prev, [petId]: (prev[petId] ?? 0) + 1 }));
+  }, []);
+
+  useEffect(() => {
+    if (!clientId) {
+      setError("No client ID provided");
+      setLoading(false);
+      return;
+    }
+
+    async function load() {
+      const id = clientId!;
+      setLoading(true);
+      setError(null);
+      try {
+        const [clientRes, petsRes] = await Promise.all([
+          fetch(`/api/clients/${encodeURIComponent(id)}`),
+          fetch(`/api/pets?clientId=${encodeURIComponent(id)}`),
+        ]);
+
+        if (!clientRes.ok) {
+          const err = await clientRes.json().catch(() => ({})) as { error?: string };
+          throw new Error(err.error ?? `Client fetch failed: ${clientRes.status}`);
+        }
+        if (!petsRes.ok) {
+          throw new Error(`Pets fetch failed: ${petsRes.status}`);
+        }
+
+        setClient(await clientRes.json() as Client);
+        setPets(await petsRes.json() as Pet[]);
+      } catch (e) {
+        setError(e instanceof Error ? e.message : "Failed to load client");
+      } finally {
+        setLoading(false);
+      }
+    }
+
+    void load();
+  }, [clientId]);
+
+  async function loadVisitLogs(petId: string) {
+    setLogsLoading((prev) => ({ ...prev, [petId]: true }));
+    const r = await fetch(`/api/grooming-logs?petId=${encodeURIComponent(petId)}`);
+    if (r.ok) {
+      const logs = await r.json() as GroomingVisitLog[];
+      setVisitLogs((prev) => ({ ...prev, [petId]: logs }));
+    }
+    setLogsLoading((prev) => ({ ...prev, [petId]: false }));
+  }
+
+  if (loading) {
+    return (
+      <div style={{ padding: "2rem", textAlign: "center", color: "#6b7280", fontFamily: "system-ui, sans-serif" }}>
+        Loading client…
+      </div>
+    );
+  }
+
+  if (error || !client) {
+    return (
+      <div style={{ padding: "2rem", fontFamily: "system-ui, sans-serif" }}>
+        <div style={{ marginBottom: "1rem" }}>
+          <Link to="/admin/clients" style={{ color: "#4f8a6f", fontSize: 13 }}>← Back to clients</Link>
+        </div>
+        <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 8, padding: "1rem", color: "#991b1b" }}>
+          {error ?? "Client not found"}
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div style={{ fontFamily: "system-ui, sans-serif" }}>
+      {/* Header */}
+      <div style={{ display: "flex", alignItems: "flex-start", marginBottom: "1.5rem", gap: "1rem" }}>
+        <div style={{ flex: 1 }}>
+          <div style={{ display: "flex", alignItems: "center", gap: "0.75rem", marginBottom: "0.25rem" }}>
+            <h1 style={{ margin: 0, fontSize: 22 }}>{client.name}</h1>
+            {client.status === "disabled" && (
+              <span style={{ fontSize: 12, background: "#fef2f2", color: "#dc2626", padding: "0.15rem 0.5rem", borderRadius: 4, fontWeight: 500 }}>
+                Disabled
+              </span>
+            )}
+          </div>
+          {client.email && <div style={{ fontSize: 14, color: "#6b7280" }}>{client.email}</div>}
+          {client.phone && <div style={{ fontSize: 14, color: "#6b7280" }}>{client.phone}</div>}
+          {client.address && <div style={{ fontSize: 13, color: "#6b7280" }}>{client.address}</div>}
+          {client.notes && (
+            <div style={{ fontSize: 13, marginTop: "0.4rem", background: "#fef9c3", padding: "0.4rem 0.6rem", borderRadius: 4, maxWidth: 500 }}>
+              {client.notes}
+            </div>
+          )}
+        </div>
+        <Link
+          to="/admin/clients"
+          style={{
+            padding: "0.4rem 0.85rem",
+            border: "1px solid #d1d5db",
+            borderRadius: 6,
+            background: "#fff",
+            color: "#374151",
+            fontSize: 13,
+            fontWeight: 500,
+            textDecoration: "none",
+            flexShrink: 0,
+          }}
+        >
+          ← Back to list
+        </Link>
+      </div>
+
+      {/* Pets */}
+      <div style={{ display: "flex", alignItems: "center", gap: "0.75rem", marginBottom: "0.75rem" }}>
+        <h2 style={{ margin: 0, fontSize: 18 }}>Pets</h2>
+      </div>
+
+      {pets.length === 0 ? (
+        <p style={{ color: "#6b7280", fontSize: 14 }}>No pets on file for this client.</p>
+      ) : (
+        <div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fill, minmax(260px, 1fr))", gap: "0.75rem" }}>
+          {pets.map((p) => (
+            <div key={p.id} style={{ border: "1px solid #e5e7eb", borderRadius: 10, padding: "0.85rem", background: "#fff", boxShadow: "0 1px 3px rgba(0, 0, 0, 0.04)" }}>
+              {/* Photo + header */}
+              <div style={{ display: "flex", gap: "0.75rem", marginBottom: "0.4rem" }}>
+                <PetPhotoDisplay
+                  petId={p.id}
+                  size={56}
+                  key={`${p.id}-photo-${photoRevisions[p.id] ?? 0}`}
+                />
+                <div style={{ flex: 1, minWidth: 0 }}>
+                  <div style={{ display: "flex", justifyContent: "space-between", alignItems: "flex-start" }}>
+                    <strong style={{ fontSize: 15 }}>{p.name}</strong>
+                  </div>
+                  <div style={{ fontSize: 13, color: "#6b7280", marginTop: "0.15rem" }}>
+                    {p.species}{p.breed ? ` · ${p.breed}` : ""}
+                  </div>
+                  {p.weightKg != null && <div style={{ fontSize: 12, color: "#6b7280" }}>{p.weightKg} kg</div>}
+                  {p.dateOfBirth && <div style={{ fontSize: 12, color: "#6b7280" }}>Born {new Date(p.dateOfBirth).toLocaleDateString()}</div>}
+                  <div style={{ marginTop: "0.3rem" }}>
+                    <PetPhotoUpload petId={p.id} onUploaded={() => handlePhotoUploaded(p.id)} />
+                  </div>
+                </div>
+              </div>
+
+              {p.healthAlerts && (
+                <div style={{ fontSize: 12, marginTop: "0.35rem", background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 4, padding: "0.3rem 0.5rem", color: "#dc2626" }}>
+                  <span style={{ fontWeight: 600 }}>⚠ Health alerts:</span> {p.healthAlerts}
+                </div>
+              )}
+
+              {/* Grooming preferences */}
+              {(p.cutStyle || p.shampooPreference || p.specialCareNotes || p.groomingNotes) && (
+                <div style={{ marginTop: "0.5rem", borderTop: "1px solid #f3f4f6", paddingTop: "0.4rem" }}>
+                  {p.cutStyle && (
+                    <div style={{ fontSize: 12, color: "#374151" }}>
+                      <span style={{ fontWeight: 600 }}>Cut:</span> {p.cutStyle}
+                    </div>
+                  )}
+                  {p.shampooPreference && (
+                    <div style={{ fontSize: 12, color: "#374151" }}>
+                      <span style={{ fontWeight: 600 }}>Shampoo:</span> {p.shampooPreference}
+                    </div>
+                  )}
+                  {p.specialCareNotes && (
+                    <div style={{ fontSize: 12, marginTop: "0.2rem", background: "#fffbeb", border: "1px solid #fde68a", borderRadius: 4, padding: "0.3rem 0.5rem", color: "#92400e" }}>
+                      <span style={{ fontWeight: 600 }}>Special care:</span> {p.specialCareNotes}
+                    </div>
+                  )}
+                  {p.groomingNotes && (
+                    <div style={{ fontSize: 12, marginTop: "0.2rem", color: "#374151" }}>
+                      <span style={{ fontWeight: 600 }}>Notes:</span> {p.groomingNotes}
+                    </div>
+                  )}
+                </div>
+              )}
+
+              {/* Visit history */}
+              {(() => {
+                const logs = visitLogs[p.id];
+                const loadingLogs = logsLoading[p.id];
+                return (
+                  <div style={{ marginTop: "0.5rem", borderTop: "1px solid #f3f4f6", paddingTop: "0.4rem" }}>
+                    <div style={{ display: "flex", alignItems: "center", justifyContent: "space-between", marginBottom: "0.25rem" }}>
+                      <div style={{ fontSize: 11, fontWeight: 600, color: "#6b7280" }}>VISIT HISTORY</div>
+                      {!logs && !loadingLogs && (
+                        <button
+                          onClick={() => { void loadVisitLogs(p.id); }}
+                          style={{ fontSize: 11, color: "#4f8a6f", background: "none", border: "none", cursor: "pointer", padding: 0 }}
+                        >
+                          Load history
+                        </button>
+                      )}
+                    </div>
+                    {loadingLogs && <div style={{ fontSize: 11, color: "#9ca3af" }}>Loading…</div>}
+                    {logs && logs.length === 0 && <div style={{ fontSize: 11, color: "#9ca3af" }}>No visits yet</div>}
+                    {logs && logs.length > 0 && (
+                      <>
+                        {logs.slice(0, 3).map((log) => (
+                          <div key={log.id} style={{ fontSize: 11, color: "#374151", marginBottom: "0.2rem", borderLeft: "2px solid #e2e8f0", paddingLeft: "0.4rem" }}>
+                            <span style={{ color: "#6b7280" }}>{new Date(log.groomedAt).toLocaleDateString()}</span>
+                            {log.cutStyle && <span> · {log.cutStyle}</span>}
+                            {log.notes && <span> · {log.notes}</span>}
+                          </div>
+                        ))}
+                        {logs.length > 3 && (
+                          <div style={{ fontSize: 11, color: "#6b7280" }}>+{logs.length - 3} more visits</div>
+                        )}
+                      </>
+                    )}
+                  </div>
+                );
+              })()}
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}
-- 
2.52.0


From ea7bf4f49b6641598ff408d4f9e3e9230b15b46a Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 11:31:06 +0000
Subject: [PATCH 11/12] fix(GRO-749): use correct impersonation header in
 portal Appointments

Replace Authorization: Bearer with X-Impersonation-Session-Id in all 5
mutation handlers in Appointments.tsx (confirm, cancel, save-notes,
reschedule, booking). The portal backend validates X-Impersonation-Session-Id
header, not Authorization Bearer.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/web/src/portal/sections/Appointments.tsx | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/web/src/portal/sections/Appointments.tsx b/apps/web/src/portal/sections/Appointments.tsx
index 65e4c18..f5fad62 100644
--- a/apps/web/src/portal/sections/Appointments.tsx
+++ b/apps/web/src/portal/sections/Appointments.tsx
@@ -379,7 +379,7 @@ export function ConfirmationSection({
     try {
       const headers: Record<string, string> = {};
       if (sessionId) {
-        headers['Authorization'] = `Bearer ${sessionId}`;
+        headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       }
       const res = await fetch(`/api/portal/appointments/${appt.id}/confirm`, {
         method: 'POST',
@@ -455,7 +455,7 @@ function CancelAppointmentButton({
     try {
       const headers: Record<string, string> = {};
       if (sessionId) {
-        headers['Authorization'] = `Bearer ${sessionId}`;
+        headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       }
       const res = await fetch(`/api/portal/appointments/${appt.id}/cancel`, {
         method: 'POST',
@@ -507,7 +507,7 @@ export function CustomerNotesSection({
     try {
       const headers: Record<string, string> = { 'Content-Type': 'application/json' };
       if (sessionId) {
-        headers['Authorization'] = `Bearer ${sessionId}`;
+        headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       }
       const res = await fetch(`/api/portal/appointments/${appt.id}/notes`, {
         method: 'PATCH',
@@ -600,7 +600,7 @@ export function RescheduleFlow({
     setError(null);
     try {
       const headers: Record<string, string> = { 'Content-Type': 'application/json' };
-      if (sessionId) headers['Authorization'] = `Bearer ${sessionId}`;
+      if (sessionId) headers['X-Impersonation-Session-Id'] = sessionId ?? '';
       const res = await fetch(`/api/portal/appointments/${appt.id}/reschedule`, {
         method: 'POST',
         headers,
@@ -784,7 +784,7 @@ function BookingFlow({ onClose, sessionId }: BookingFlowProps) {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
-          Authorization: `Bearer ${sessionId}`,
+          'X-Impersonation-Session-Id': sessionId ?? '',
         },
         body: JSON.stringify({
           petId: selectedPet.id,
-- 
2.52.0


From 89505a2363f5c656c074ec77bf6becb9feef90fd Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Fri, 17 Apr 2026 12:14:49 +0000
Subject: [PATCH 12/12] fix(GRO-749): update test assertions to use
 X-Impersonation-Session-Id header

QA found test assertion failures - tests were asserting the old (incorrect)
Authorization: Bearer header instead of the correct X-Impersonation-Session-Id.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/web/src/__tests__/Appointments.test.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/web/src/__tests__/Appointments.test.tsx b/apps/web/src/__tests__/Appointments.test.tsx
index b223866..bc42a07 100644
--- a/apps/web/src/__tests__/Appointments.test.tsx
+++ b/apps/web/src/__tests__/Appointments.test.tsx
@@ -93,7 +93,7 @@ describe("CustomerNotesSection", () => {
         "/api/portal/appointments/appt-1/notes",
         expect.objectContaining({
           headers: expect.objectContaining({
-            "Authorization": "Bearer test-session-id",
+            "X-Impersonation-Session-Id": "test-session-id",
           }),
         })
       );
@@ -269,7 +269,7 @@ describe("ConfirmationSection", () => {
         "/api/portal/appointments/appt-1/confirm",
         expect.objectContaining({
           headers: expect.objectContaining({
-            "Authorization": "Bearer test-session-id",
+            "X-Impersonation-Session-Id": "test-session-id",
           }),
         })
       );
-- 
2.52.0