fix(GRO-1822): add role check before /admin redirect — customers access portal

App.tsx lines 389-393 redirected ALL authenticated users to /admin, breaking customer portal access after SSO login. Now checks `session.user.role === "staff"` before redirecting. Customers (role !== "staff") can access the portal at /. Co-Authored-By: Paperclip <noreply@paperclip.ing>
GRO-1793: Update UAT_PLAYBOOK.md §5.12b — new dynamic time slots tests
2026-05-27 01:01:28 +00:00 · 2026-05-26 12:25:54 +00:00 · 2026-05-26 12:23:29 +00:00 · 2026-05-25 23:39:46 +00:00 · 2026-05-24 22:08:59 +00:00 · 2026-05-23 18:31:05 +00:00
19 changed files with 243 additions and 118 deletions
@@ -2,9 +2,9 @@ name: CI

 on:
  push:
-    branches: [main, dev]
+    branches: [main, dev, uat]
  pull_request:
-    branches: [main, dev]
+    branches: [main, dev, uat]
  workflow_dispatch:
    inputs:
      ref:
@@ -78,6 +78,8 @@ jobs:

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: network=host

      - name: Log in to Gitea Container Registry
        uses: docker/login-action@v3
@@ -92,6 +94,7 @@ jobs:
          context: .
          file: Dockerfile
          push: true
+          provenance: false
          tags: |
            git.farh.net/groombook/web:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/web:latest' || '' }}
@@ -18,4 +18,4 @@ COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/dist /usr/share/nginx/html
 EXPOSE 80
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
-  CMD curl -f http://localhost:80/ || exit 1
+  CMD wget --spider -q http://localhost:80/ || exit 1
@@ -69,6 +69,7 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
 | TC-AUTH-5.3.1 | Auth client falls back to window.location.origin | Do not set `VITE_API_URL`, load app | Auth client uses `window.location.origin` as base URL |
 | TC-AUTH-5.3.2 | Sign-in on localhost | Load app without `VITE_API_URL` on localhost:3000 | Auth client uses `http://localhost:3000` as base URL |
 | TC-AUTH-5.3.3 | Sign-in on dev environment | Load app without `VITE_API_URL` on `https://dev.groombook.dev` | Auth client uses `https://dev.groombook.dev` as base URL |
+| TC-AUTH-5.3.4 | SSO cookie set after Authentik callback (GRO-1592) | Complete Authentik SSO login on UAT without `VITE_API_URL` set | `__Secure-better-auth.session_token` cookie is present in browser; subsequent `/api/*` calls include the cookie and return 200 |

 ### 5.4 Session Persistence

@@ -77,6 +78,26 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
 | TC-AUTH-5.4.1 | Session persists across page reload | Sign in, reload page | Session remains active |
 | TC-AUTH-5.4.2 | Session clears on sign-out | Sign in, sign out | User is logged out, redirected to login |

+### 5.4.1 SSO Login Journey (Authentik OIDC end-to-end)
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-WEB-SSO-1 | Sign-in page shows SSO button | Navigate to app root URL | Sign-in page displayed with "Sign in with SSO" button visible | No SSO button, 403 before page loads |
+| TC-WEB-SSO-2 | Click SSO redirects to Authentik | Click "Sign in with SSO" button | Browser redirected to Authentik login at auth.farh.net | No redirect, error shown, button does nothing |
+| TC-WEB-SSO-3 | Valid OIDC credentials authenticate | At Authentik, enter valid credentials and authenticate | Redirected back to app with active session | Redirect loop, 403, session not established |
+| TC-WEB-SSO-4 | Post-login dashboard accessible | After SSO flow completes, dashboard loads | Dashboard displays correctly with user identity shown | Blank page, 403, session not active |
+| TC-WEB-SSO-5 | User identity displayed correctly | After SSO login, check header/nav | User name/email/initials shown in nav, role reflected in UI | No user indicator, wrong user shown |
+
+### 5.4.2 OOBE Flow Post-Login
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-WEB-OOBE-1 | Fresh DB shows setup wizard | On fresh DB (no super user), navigate to app | Setup wizard / OOBE screen displayed | Regular login page shown instead of setup |
+| TC-WEB-OOBE-2 | Configure OIDC via setup | During OOBE, configure OIDC auth provider via /api/setup/auth-provider | OIDC configured successfully, no 403 | 403 during setup, config rejected |
+| TC-WEB-OOBE-3 | Setup completes and redirects | Complete OOBE setup with business name | Redirected to app dashboard as super user, setup bypassed on reload | Setup errors, wrong redirect, setup reappears |
+| TC-WEB-OOBE-4 | Admin panel accessible after setup | After completing OOBE, navigate to admin panel | Admin features accessible | 403 on admin panel, insufficient permissions |
+| TC-WEB-OOBE-5 | SSO login during OOBE does not interfere | During fresh OOBE, attempt SSO login before completing setup | SSO login redirected appropriately, setup can still complete | Auto-provision creates staff prematurely, setup flow broken |
+
 ### 5.5 Dashboard

 | # | Scenario | Steps | Expected |
@@ -162,6 +183,18 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
 | TC-WEB-5.12.3 | Confirm appointment | Click confirm on pending appointment | Appointment status updated to confirmed |
 | TC-WEB-5.12.4 | Cancel appointment | Click cancel on appointment | Appointment marked as cancelled |

+#### 5.12b Dynamic Portal Time Slots (GRO-1793)
+
+| # | Scenario | Steps | Expected |
+|---|----------|-------|----------|
+| TC-WEB-5.12.5 | BookingFlow dynamic slots | Open Book New, select pet and service, pick a date | Time slots fetched from API; "Checking availability…" shown while loading |
+| TC-WEB-5.12.6 | BookingFlow slots match wizard | Compare BookingFlow slot times with public booking wizard for same date | Same slots displayed |
+| TC-WEB-5.12.7 | BookingFlow error state | Mock API failure on availability fetch | "Failed to load time slots" error shown |
+| TC-WEB-5.12.8 | BookingFlow no slots | Select date with no availability | "No available slots on this date" shown |
+| TC-WEB-5.12.9 | RescheduleFlow dynamic slots | Open reschedule, pick a new date | Time slots fetched from API; loading state shown |
+| TC-WEB-5.12.10 | RescheduleFlow error state | Mock API failure on availability fetch | "Failed to load time slots" error shown |
+| TC-WEB-5.12.11 | RescheduleFlow no slots | Select date with no availability | "No available slots on this date" shown |
+
 ### 5.13 Reports UI

 | # | Scenario | Steps | Expected |
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96C853FAECD363909C4A0</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96CFC84D7A9333708F278</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96D48D7892E37386B9ACB</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96C25663D703833F23607</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96D89851C843332073968</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96C9C5A03D33730C61AD8</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96BEB91911B30317E3BE8</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96BFB7B92D33535D6D90D</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96B8BDF4B473630A2E120</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Error>
-  <Code>AccessDenied</Code>
-  <Message>You have no right to access this object because of bucket acl.</Message>
-  <RequestId>69D96D78BFFCAD343037C27C</RequestId>
-  <HostId>hailuo-image-algeng-data-us.oss-us-east-1.aliyuncs.com</HostId>
-  <EC>0003-00000001</EC>
-  <RecommendDoc>https://api.alibabacloud.com/troubleshoot?q=0003-00000001</RecommendDoc>
-</Error>
@@ -0,0 +1,10 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended", ":pinAllExceptPeerDependencies", "helpers:pinGitHubActionDigests"],
+  "labels": ["dependencies"],
+  "prConcurrentLimit": 5,
+  "packageRules": [
+    {"matchUpdateTypes": ["minor", "patch"], "groupName": "minor and patch dependencies", "automerge": false},
+    {"matchDepTypes": ["devDependencies"], "matchUpdateTypes": ["minor", "patch"], "automerge": true, "automergeType": "pr"}
+  ]
+}
@@ -386,9 +386,10 @@ export function App() {
    return <Navigate to="/setup" replace />;
  }

-  // Redirect authenticated users to /admin (but preserve impersonation flow via ?sessionId=)
+  // Redirect staff to /admin; allow customers to access portal (preserve impersonation via ?sessionId=)
  const searchParams = new URLSearchParams(location.search);
-  if (!authDisabled && session && !location.pathname.startsWith("/admin") && !searchParams.has("sessionId")) {
+  const isStaff = session?.user && (session.user as any).role === "staff";
+  if (!authDisabled && session && !location.pathname.startsWith("/admin") && !searchParams.has("sessionId") && isStaff) {
    return <Navigate to="/admin" replace />;
  }

@@ -1,5 +1,5 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { render, screen, fireEvent, waitFor } from "@testing-library/react";
+import { render, screen, fireEvent, waitFor, act } from "@testing-library/react";
 import { parseTimeTo24Hour, isUpcoming, CustomerNotesSection, ConfirmationSection } from "../portal/sections/Appointments.tsx";

 const UPCOMING_APPT = {
@@ -379,4 +379,142 @@ describe("ConfirmationSection", () => {
      expect(screen.getByText(/Confirmed!/i)).toBeInTheDocument();
    });
  });
+});
+
+describe("RescheduleFlow dynamic time slots", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    global.fetch = vi.fn();
+  });
+
+  const RESCHEDULE_APPT = {
+    id: "appt-r1",
+    petId: "pet-1",
+    petName: "Buddy",
+    groomerId: "groomer-1",
+    groomerName: "Sarah",
+    services: ["Bath & Brush"],
+    serviceId: "service-1",
+    addOns: [],
+    date: "2027-01-01",
+    time: "10:00 AM",
+    duration: 60,
+    price: 50,
+    status: "confirmed" as const,
+    notes: "",
+    customerNotes: "",
+    confirmationStatus: "confirmed" as const,
+  };
+
+  it("shows loading state while fetching availability", async () => {
+    vi.mocked(global.fetch).mockReturnValue(new Promise(() => {})); // Never resolves
+
+    const { RescheduleFlow } = await import("../portal/sections/Appointments.tsx");
+    render(<RescheduleFlow appointment={RESCHEDULE_APPT} onClose={() => {}} sessionId="test-session-id" />);
+
+    const dateInput = screen.getByLabelText(/date/i) || screen.getByRole("textbox", { name: /date/i });
+    fireEvent.change(dateInput, { target: { value: "2027-01-15" } });
+
+    await waitFor(() => {
+      expect(screen.getByText(/Checking availability/i)).toBeInTheDocument();
+    });
+  });
+
+  it("displays fetched time slots from API", async () => {
+    vi.mocked(global.fetch).mockResolvedValue({
+      ok: true,
+      json: async () => ["9:00 AM", "10:00 AM", "2:00 PM"],
+    } as Response);
+
+    const { RescheduleFlow } = await import("../portal/sections/Appointments.tsx");
+    render(<RescheduleFlow appointment={RESCHEDULE_APPT} onClose={() => {}} sessionId="test-session-id" />);
+
+    const dateInput = screen.getByLabelText(/date/i) || screen.getByRole("textbox", { name: /date/i });
+    fireEvent.change(dateInput, { target: { value: "2027-01-15" } });
+
+    await waitFor(() => {
+      expect(screen.getByText("9:00 AM")).toBeInTheDocument();
+      expect(screen.getByText("10:00 AM")).toBeInTheDocument();
+      expect(screen.getByText("2:00 PM")).toBeInTheDocument();
+    });
+  });
+
+  it("shows error state when availability fetch fails", async () => {
+    vi.mocked(global.fetch).mockRejectedValue(new Error("Network error"));
+
+    const { RescheduleFlow } = await import("../portal/sections/Appointments.tsx");
+    render(<RescheduleFlow appointment={RESCHEDULE_APPT} onClose={() => {}} sessionId="test-session-id" />);
+
+    const dateInput = screen.getByLabelText(/date/i) || screen.getByRole("textbox", { name: /date/i });
+    fireEvent.change(dateInput, { target: { value: "2027-01-15" } });
+
+    await waitFor(() => {
+      expect(screen.getByText(/Failed to load time slots/i)).toBeInTheDocument();
+    });
+  });
+
+  it("shows no slots message when API returns empty array", async () => {
+    vi.mocked(global.fetch).mockResolvedValue({
+      ok: true,
+      json: async () => [] as string[],
+    } as Response);
+
+    const { RescheduleFlow } = await import("../portal/sections/Appointments.tsx");
+    render(<RescheduleFlow appointment={RESCHEDULE_APPT} onClose={() => {}} sessionId="test-session-id" />);
+
+    const dateInput = screen.getByLabelText(/date/i) || screen.getByRole("textbox", { name: /date/i });
+    fireEvent.change(dateInput, { target: { value: "2027-01-15" } });
+
+    await waitFor(() => {
+      expect(screen.getByText(/No available slots on this date/i)).toBeInTheDocument();
+    });
+  });
+
+  it("calls /api/book/availability with the selected date", async () => {
+    vi.mocked(global.fetch).mockResolvedValue({
+      ok: true,
+      json: async () => ["9:00 AM"] as string[],
+    } as Response);
+
+    const { RescheduleFlow } = await import("../portal/sections/Appointments.tsx");
+    render(<RescheduleFlow appointment={RESCHEDULE_APPT} onClose={() => {}} sessionId="test-session-id" />);
+
+    const dateInput = screen.getByLabelText(/date/i) || screen.getByRole("textbox", { name: /date/i });
+    fireEvent.change(dateInput, { target: { value: "2027-02-20" } });
+
+    await waitFor(() => {
+      expect(global.fetch).toHaveBeenCalledWith(
+        "/api/book/availability?date=2027-02-20",
+        expect.objectContaining({
+          headers: expect.objectContaining({ "X-Impersonation-Session-Id": "test-session-id" }),
+        })
+      );
+    });
+  });
+
+  it("re-fetches slots when date changes", async () => {
+    vi.mocked(global.fetch)
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ["9:00 AM"] as string[],
+      } as Response)
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ["11:00 AM", "1:00 PM"] as string[],
+      } as Response);
+
+    const { RescheduleFlow } = await import("../portal/sections/Appointments.tsx");
+    render(<RescheduleFlow appointment={RESCHEDULE_APPT} onClose={() => {}} sessionId="test-session-id" />);
+
+    const dateInput = screen.getByLabelText(/date/i) || screen.getByRole("textbox", { name: /date/i });
+
+    fireEvent.change(dateInput, { target: { value: "2027-01-10" } });
+    await waitFor(() => expect(screen.getByText("9:00 AM")).toBeInTheDocument());
+
+    fireEvent.change(dateInput, { target: { value: "2027-01-15" } });
+    await waitFor(() => {
+      expect(screen.getByText("11:00 AM")).toBeInTheDocument();
+      expect(screen.getByText("1:00 PM")).toBeInTheDocument();
+    });
+  });
 });
@@ -1,7 +1,7 @@
 import { createAuthClient } from "better-auth/react";

 export const authClient = createAuthClient({
-  baseURL: import.meta.env.VITE_API_URL ?? "",
+  baseURL: import.meta.env.VITE_API_URL || (typeof window !== "undefined" ? window.location.origin : ""),
 });

 export const { signIn, signOut, useSession, changePassword } = authClient;
@@ -519,7 +519,7 @@ export function BookPage() {
                    <option value="small">Small (under 15 lbs)</option>
                    <option value="medium">Medium (15–40 lbs)</option>
                    <option value="large">Large (40–80 lbs)</option>
-                    <option value="x-large">X-Large (over 80 lbs)</option>
+                    <option value="xlarge">X-Large (over 80 lbs)</option>
                  </select>
                </div>
                <div>
@@ -573,16 +573,26 @@ export function RescheduleFlow({
  const [submitting, setSubmitting] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [success, setSuccess] = useState(false);
+  const [slotsLoading, setSlotsLoading] = useState(false);
+  const [slotsError, setSlotsError] = useState<string | null>(null);
+  const [availableTimes, setAvailableTimes] = useState<string[]>([]);

-  const availableTimes = [
-    '9:00 AM',
-    '10:00 AM',
-    '11:00 AM',
-    '1:00 PM',
-    '2:00 PM',
-    '3:00 PM',
-    '4:00 PM',
-  ];
+  useEffect(() => {
+    if (!selectedDate || !sessionId) {
+      setAvailableTimes([]);
+      return;
+    }
+    const params = new URLSearchParams({ date: selectedDate });
+    setSlotsLoading(true);
+    setSlotsError(null);
+    fetch(`/api/book/availability?${params.toString()}`, {
+      headers: { "X-Impersonation-Session-Id": sessionId ?? "" },
+    })
+      .then((r) => r.json() as Promise<string[]>)
+      .then(setAvailableTimes)
+      .catch(() => setSlotsError('Failed to load time slots'))
+      .finally(() => setSlotsLoading(false));
+  }, [selectedDate, sessionId]);

  async function handleSubmit() {
    if (!selectedDate || !selectedTime) return;
@@ -661,7 +671,12 @@ export function RescheduleFlow({
              />
              {selectedDate && (
                <div className="grid grid-cols-3 gap-2 mb-4">
-                  {availableTimes.map((time) => (
+                  {slotsLoading && <p className="col-span-3 text-sm text-stone-500 py-2">Checking availability…</p>}
+                  {!slotsLoading && slotsError && <p className="col-span-3 text-sm text-red-500 py-2">{slotsError}</p>}
+                  {!slotsLoading && availableTimes.length === 0 && !slotsError && (
+                    <p className="col-span-3 text-sm text-stone-500 py-2">No available slots on this date.</p>
+                  )}
+                  {!slotsLoading && availableTimes.map((time) => (
                    <button
                      key={time}
                      onClick={() => setSelectedTime(time)}
@@ -723,16 +738,26 @@ function BookingFlow({ onClose, sessionId }: BookingFlowProps) {
  const [loading, setLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [submitting, setSubmitting] = useState(false);
+  const [slotsLoading, setSlotsLoading] = useState(false);
+  const [slotsError, setSlotsError] = useState<string | null>(null);
+  const [availableTimes, setAvailableTimes] = useState<string[]>([]);

-  const availableTimes = [
-    '9:00 AM',
-    '10:00 AM',
-    '11:00 AM',
-    '1:00 PM',
-    '2:00 PM',
-    '3:00 PM',
-    '4:00 PM',
-  ];
+  useEffect(() => {
+    if (!selectedDate || !sessionId) {
+      setAvailableTimes([]);
+      return;
+    }
+    const params = new URLSearchParams({ date: selectedDate });
+    setSlotsLoading(true);
+    setSlotsError(null);
+    fetch(`/api/book/availability?${params.toString()}`, {
+      headers: { "X-Impersonation-Session-Id": sessionId ?? "" },
+    })
+      .then((r) => r.json() as Promise<string[]>)
+      .then(setAvailableTimes)
+      .catch(() => setSlotsError('Failed to load time slots'))
+      .finally(() => setSlotsLoading(false));
+  }, [selectedDate, sessionId]);

  useEffect(() => {
    const fetchData = async () => {
@@ -1055,7 +1080,12 @@ function BookingFlow({ onClose, sessionId }: BookingFlowProps) {
                  />
                  {selectedDate && (
                    <div className="grid grid-cols-3 gap-2 mb-4">
-                      {availableTimes.map((time) => (
+                      {slotsLoading && <p className="col-span-3 text-sm text-stone-500 py-2">Checking availability…</p>}
+                      {!slotsLoading && slotsError && <p className="col-span-3 text-sm text-red-500 py-2">{slotsError}</p>}
+                      {!slotsLoading && availableTimes.length === 0 && !slotsError && (
+                        <p className="col-span-3 text-sm text-stone-500 py-2">No available slots on this date.</p>
+                      )}
+                      {!slotsLoading && availableTimes.map((time) => (
                        <button
                          key={time}
                          onClick={() => setSelectedTime(time)}
Author	SHA1	Message	Date
Flea Flicker	4e487db6f1	fix(GRO-1822): add role check before /admin redirect — customers access portal CI / Test (pull_request) Failing after 14s Details CI / Lint & Typecheck (pull_request) Failing after 17s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details App.tsx lines 389-393 redirected ALL authenticated users to /admin, breaking customer portal access after SSO login. Now checks `session.user.role === "staff"` before redirecting. Customers (role !== "staff") can access the portal at /. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-27 01:01:28 +00:00
Barcode Betty	a873369a9b	GRO-1793: Update UAT_PLAYBOOK.md §5.12b — new dynamic time slots tests CI / Test (pull_request) Failing after 22s Details CI / Lint & Typecheck (pull_request) Failing after 28s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details Added TC-WEB-5.12.5 through TC-WEB-5.12.11 covering BookingFlow and RescheduleFlow dynamic slot fetching, loading state, error state, and empty state scenarios. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-26 12:25:54 +00:00
Barcode Betty	d78c859c2b	Replace hardcoded time slots with dynamic API availability CI / Lint & Typecheck (pull_request) Failing after 15s Details CI / Test (pull_request) Failing after 17s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details Both BookingFlow and RescheduleFlow in Appointments.tsx now fetch from /api/book/availability when a date is selected, matching the public booking wizard behavior. Loading and error states shown. - Removed hardcoded availableTimes arrays from both flows - Added useEffect that fetches availability on date change - Shows "Checking availability…" while loading - Shows error message on fetch failure - Shows "No available slots" when API returns empty Added tests for RescheduleFlow dynamic slot fetching covering: loading, fetched slots, error, empty, API params, and re-fetch on date change. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-26 12:23:29 +00:00
Scrubs McBarkley	b630b40c92	fix(GRO-1757): add SSO + OOBE test cases to groombook-web UAT_PLAYBOOK (#18 ) CI / Test (push) Successful in 22s Details CI / Lint & Typecheck (push) Successful in 28s Details CI / Build & Push Docker Image (push) Successful in 9s Details CI / Test (pull_request) Successful in 20s Details CI / Lint & Typecheck (pull_request) Successful in 29s Details CI / Build & Push Docker Image (pull_request) Successful in 17s Details	2026-05-25 23:39:46 +00:00
Flea Flicker	db892409ef	fix(GRO-1633): add buildx network=host and provenance:false to web CI (#17 ) CI / Test (push) Successful in 17s Details CI / Lint & Typecheck (push) Successful in 19s Details CI / Build & Push Docker Image (push) Successful in 9s Details	2026-05-24 22:08:59 +00:00
The Dogfather	c83214cf42	Merge pull request 'fix(GRO-1414): update pet size value from x-large to xlarge' (#12 ) from fix/gro-1414-pet-size-enum into dev CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 21s Details CI / Build & Push Docker Image (push) Failing after 2m20s Details fix(GRO-1414): update pet size value from x-large to xlarge (#12)	2026-05-23 18:31:05 +00:00
The Dogfather	80101fc37c	Merge pull request 'fix(GRO-1592): fallback auth baseURL to window.location.origin' (#15 ) from fix/gro-1592-sso-session-cookie into dev CI / Test (push) Successful in 14s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Build & Push Docker Image (push) Failing after 39s Details	2026-05-23 14:13:01 +00:00
Flea Flicker	8ee58471b2	docs(UAT_PLAYBOOK): add TC-AUTH-5.3.4 — SSO cookie after Authentik callback CI / Test (pull_request) Successful in 14s Details CI / Lint & Typecheck (pull_request) Successful in 16s Details CI / Build & Push Docker Image (pull_request) Failing after 38s Details Documents the acceptance criteria for GRO-1592: after completing Authentik SSO login without VITE_API_URL set, the __Secure-better-auth.session_token cookie must be present in the browser and sent with subsequent /api/* calls. Updated: UAT_PLAYBOOK.md §5.3 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-23 14:02:16 +00:00
Flea Flicker	35d31a984d	fix(GRO-1592): fallback auth baseURL to window.location.origin CI / Test (pull_request) Successful in 18s Details CI / Lint & Typecheck (pull_request) Successful in 19s Details CI / Build & Push Docker Image (pull_request) Failing after 38s Details When VITE_API_URL is not set (e.g. in Docker/container deployments where the env var was never injected), fallback to window.location.origin so the auth client uses relative URLs and cookies are sent to the correct origin. Previously the fallback was empty string "", which caused the auth client to default to http://localhost:3000 — the nginx sub_filter workaround only handles strings baked into the JS bundle at build time, not runtime-constructed URLs. Fixes: SSO session cookie not set in browser after Authentik callback Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-23 13:57:47 +00:00
The Dogfather	f62c0b112d	Merge pull request 'feat(GRO-1173): admin UI buffer rules, service default buffer, pet size/coat' (#13 ) from flea-flicker/pet-profile-editor into dev CI / Test (push) Successful in 15s Details CI / Lint & Typecheck (push) Successful in 17s Details CI / Build & Push Docker Image (push) Successful in 10s Details CI / Test (pull_request) Successful in 15s Details CI / Lint & Typecheck (pull_request) Successful in 17s Details CI / Build & Push Docker Image (pull_request) Successful in 10s Details feat(GRO-1173): admin UI buffer rules, service default buffer, pet size/coat (#13) Merged-By: The Dogfather (CTO) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 19:46:01 +00:00
Flea Flicker	f1bb7c4fa6	fix(GRO-1414): update pet size value from x-large to xlarge CI / Test (pull_request) Successful in 14s Details CI / Lint & Typecheck (pull_request) Successful in 18s Details CI / Build & Push Docker Image (pull_request) Successful in 35s Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 06:58:56 +00:00
The Dogfather	56b11befe9	Merge pull request 'feat(GRO-1174): add pet size/coat dropdowns to booking wizard' (#8 ) from flea-flicker/pet-profile-editor into dev CI / Test (push) Successful in 14s Details CI / Lint & Typecheck (push) Successful in 17s Details CI / Build & Push Docker Image (push) Successful in 37s Details test merge	2026-05-21 00:43:10 +00:00
Scrubs McBarkley	f70dd96c65	Merge pull request 'feat: extract groombook/web from monorepo (GRO-903)' (#1 ) from dev into main CI / Test (push) Successful in 14s Details CI / Lint & Typecheck (push) Successful in 16s Details CI / Build & Push Docker Image (push) Successful in 14s Details feat: extract groombook/web from monorepo (GRO-903) Bootstrap exception: dev → main QA: Lint Roller (#2753) CTO: The Dogfather (#2764) CI: Lint & Typecheck ✓, Tests ✓, Docker Build ✓ UAT_PLAYBOOK.md: present	2026-05-20 15:26:27 +00:00
Chris Farhood	42f3e3211a	fix(GRO-903): resolve CI/CD blockers on groombook/web PR #1 CI / Test (push) Successful in 15s Details CI / Test (pull_request) Successful in 15s Details CI / Lint & Typecheck (push) Successful in 17s Details CI / Lint & Typecheck (pull_request) Successful in 17s Details CI / Build & Push Docker Image (push) Successful in 10s Details CI / Build & Push Docker Image (pull_request) Successful in 11s Details - Move CI workflow from .github/workflows/ to .gitea/workflows/ - Add uat branch to CI triggers (push and pull_request) - Fix Dockerfile HEALTHCHECK to use wget instead of curl Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 15:01:46 +00:00
Chris Farhood	465db89ab4	fix(GRO-1361): remove unused X import and delete corrupted demo-pet images CI / Test (push) Successful in 16s Details CI / Test (pull_request) Successful in 15s Details CI / Lint & Typecheck (push) Successful in 19s Details CI / Lint & Typecheck (pull_request) Successful in 19s Details CI / Build & Push Docker Image (pull_request) Successful in 41s Details CI / Build & Push Docker Image (push) Successful in 2m55s Details - Remove unused 'X' import from lucide-react in PetProfiles.tsx - Delete 10 corrupted demo-pet PNG files that contain Alibaba AccessDenied XML Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 14:09:20 +00:00
The Dogfather	ee7fc2e9bf	Merge pull request 'chore: add Renovate config (GRO-1081)' (#4 ) from add-renovate-config into dev CI / Test (push) Successful in 15s Details CI / Lint & Typecheck (push) Failing after 17s Details CI / Build & Push Docker Image (push) Has been skipped Details CI / Test (pull_request) Successful in 14s Details CI / Lint & Typecheck (pull_request) Failing after 18s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details chore: add Renovate config (GRO-1081) Merge PR #4: add-renovate-config → dev Approved by QA (Lint Roller) and CTO (The Dogfather).	2026-05-20 12:41:45 +00:00
The Dogfather	c8610ec28d	Merge pull request 'fix(ci): use Gitea registry for Docker push' (#9 ) from fix/ci-registry-auth into dev CI / Test (push) Successful in 15s Details CI / Lint & Typecheck (push) Failing after 17s Details CI / Build & Push Docker Image (push) Has been skipped Details CI / Lint & Typecheck (pull_request) Failing after 17s Details CI / Test (pull_request) Successful in 13s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details fix(ci): use Gitea registry for Docker push (#9) GRO-1348 - Change Docker login from ghcr.io/GITHUB_TOKEN to git.farh.net/REGISTRY_TOKEN - Update image tags from ghcr.io/groombook/web to git.farh.net/groombook/web - Replace GitHub Actions cache with registry cache	2026-05-20 11:17:01 +00:00
Chris Farhood	a582bd04b7	fix(ci): use Gitea registry for Docker push CI / Lint & Typecheck (pull_request) Failing after 18s Details CI / Test (pull_request) Successful in 15s Details CI / Build & Push Docker Image (pull_request) Has been skipped Details - Change Docker login from ghcr.io/GITHUB_TOKEN to git.farh.net/REGISTRY_TOKEN - Update image tags from ghcr.io/groombook/web to git.farh.net/groombook/web - Replace GitHub Actions cache (type=gha) with registry cache - Remove GitHub Actions-specific permissions block - GRO-1348 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 10:57:02 +00:00
Chris Farhood	b8a9e8cc09	chore: add Renovate config GRO-1081: add renovate.json to successor repos Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 17:42:22 +00:00