The customer portal chrome (Home, Appointments, My Pets, Report Cards,
Billing, Messages, Settings) had no visible sign-out control. Only the
OOBE and the no-access card exposed one. Users had to clear cookies or
use devtools to sign out.
The CMPO ruling for GRO-2355 required the logout control to be
reachable from the OOBE screen, the in-portal screen, and the
deleted-portal deep-link. GRO-2358 (P1) covered no-access + OOBE but
missed the in-portal chrome.
Fix: add a 'Sign out' button in the sidebar footer (next to 'End
Impersonation') wired to the existing handleSignOut(), which calls the
canonical signOut() from lib/auth-client — the SAME handler used by
OOBE, the no-access card, and AdminLayout's top-bar Logout.
Test: portal.test.tsx renders the CustomerPortal with a successful SSO
bridge, lands on the chrome, clicks the new portal-chrome-signout
button, and asserts the shared signOutSpy fires + window.location.href
navigates to /login.
UAT_PLAYBOOK.md: added TC-WEB-5.25.6f covering the new chrome
sign-out reachability.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Flea Flicker