From 7f715ecdfcd977e024b2ecba1616d3d90b96669a Mon Sep 17 00:00:00 2001
From: Test User
Date: Fri, 17 Apr 2026 02:42:06 +0000
Subject: [PATCH 1/2] fix(GRO-666): leave staff.user_id NULL in seed so middleware can auto-link by email

The resolveStaffMiddleware auto-links on first API call when staff.user_id IS NULL. Setting userId at seed time blocks this path since Better-Auth's user.id is opaque and unknown pre-auth. Remove userId from all staff inserts so the middleware can populate it on first authenticated call.
Co-Authored-By: Paperclip
---
 packages/db/src/seed.ts | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/packages/db/src/seed.ts b/packages/db/src/seed.ts
index a19f254..dca21d4 100644
--- a/packages/db/src/seed.ts
+++ b/packages/db/src/seed.ts
@@ -399,7 +399,6 @@ async function seedKnownUsers() {
 name: adminName,
 email: adminEmail,
 oidcSub: adminEmail,
- userId: adminEmail,
 role: "manager",
 isSuperUser: true,
 active: true,
@@ -426,7 +425,6 @@ async function seedKnownUsers() {
 name: "UAT Super User",
 email: "uat-super@groombook.dev",
 oidcSub: uatSuperOidcSub,
- userId: uatSuperOidcSub,
 role: "manager",
 isSuperUser: true,
 active: true,
@@ -453,7 +451,6 @@ async function seedKnownUsers() {
 name: "UAT Staff Groomer",
 email: "uat-groomer@groombook.dev",
 oidcSub: uatStaffOidcSub,
- userId: uatStaffOidcSub,
 role: "groomer",
 isSuperUser: false,
 active: true,
@@ -648,7 +645,6 @@ async function seed() {
 name: adminName,
 email: adminEmail,
 oidcSub: adminEmail,
- userId: adminEmail,
 role: "manager",
 isSuperUser: true,
 active: true,
-- 
2.52.0
From ff2851eda20555cca2f63e0270629de8a4086ed4 Mon Sep 17 00:00:00 2001
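Review bot: With `userId` removed, the seeded staff rows in `seedKnownUsers()` and `seed()` (all four hunks) stay unlinked until someone authenticates with a matching email, and three of them carry `isSuperUser: true`. The linking code is not part of this patch, so this is inferred from the commit message: if `resolveStaffMiddleware` matches on an email the identity provider has not verified, the first account to present `uat-super@groombook.dev` or the admin address inherits that row's privileges. I would confirm the middleware only links on a verified email and record the dependency next to each insert, e.g. `// userId left NULL on purpose: resolveStaffMiddleware links by email on first call; requires a verified email`. Whether `seedKnownUsers()` is restricted to non-production environments is not visible here, because both function bodies start and end outside the hunks.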
From: Flea Flicker
Date: Sat, 18 Apr 2026 10:18:29 +0000
Subject: [PATCH 2/2] chore(GRO-720): harden .gitignore against agent runtime leaks

- Add .gh-token, *.gh-token to block token files
- Add .config/gh/ and **/.config/gh/ to block gh CLI config dirs
- Add infra-repo and infra-repo/ to block infra checkouts
- Add **/instructions/.gh-token to block per-agent token files
- Add **/AGENT_HOME/** and $AGENT_HOME/** to block agent home dirs
- Add .claude/ and .codex/ to block runtime directories
Co-Authored-By: Claude Opus 4.6
---
 .gitignore | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.gitignore b/.gitignore
index 14923ee..112405c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,16 @@ dist/
 .turbo/
 coverage/
 minimax-output/
+
+# Agent runtime artifacts — never commit
+.gh-token
+*.gh-token
+.config/gh/
+**/.config/gh/
+infra-repo
+infra-repo/
+**/instructions/.gh-token
+**/AGENT_HOME/**
+$AGENT_HOME/**
+.claude/
+.codex/
-- 
2.52.0
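Review bot: The added pattern `$AGENT_HOME/**` will not block agent home directories as the commit message intends, because gitignore does not expand environment variables and the line only matches a directory literally named `$AGENT_HOME`; `**/AGENT_HOME/**` likewise matches only a directory with that exact name. Replace both with the real directory name(s) the agent runtime creates inside the working tree, for example `<agent-home-dir>/` (placeholder). Ignore rules also do not untrack files that are already committed and do not stop `git add -f`, so it is worth checking `git ls-files` for existing matches and backing this list with secret scanning on push. I would state that above the block, e.g. `# Ignore rules are a backstop only; tokens must also be covered by secret scanning`.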