PASS. Independently drove the live portal (:3011 → API :4011) in a headless browser with an injected CRM session and exercised every acceptance criterion in the real UI. Both Nordic rails are configurable per org (Autogiro SE + Betalingsservice DK shown Active in Settings → Payment Providers); a mandate is created and activated; a recurring premium is scheduled, submitted via the collection batch, and settled; and — the clause that failed QA round 1 — the settled premium reconciles to its policy: the Schedule dialog's new Policy selector links the collection, and after settlement PolicyOrder P100010000191 was promoted pending→active with externalPaymentRef/provider stamped (confirmed both in the Policy column and via API). A failed collection retries to 3/3 then flags with a manual retry. test:api shows 230 passed / 5 failed / 12 skipped, but all 5 failures are pre-existing and unrelated to #462: 06-product-translations and 06-policy-suspension-reinstatement (the documented baseline) plus 02-bulk-renewals, 04-ledger-counts and 05-verify-count (known shared-DB count/ledger pollution from concurrent worktrees, e.g. 198 vs ≤10). The new 09-direct-debit spec passes. No new failures, feature fully usable in the UI → PASS.
Task 4 done. Task 5 — routes, plus/index registration, providerKey enum, batch job.
{"taskId":"4","status":"completed"}Updated task #4 status
{"taskId":"5","status":"in_progress"}Updated task #5 status
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts","content":"import type { FastifyPluginAsync, FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';\nimport { StatusError } from '@/error/error.js';\nimport { DirectDebitMandate } from '@/models/DirectDebitMandate.js';\nimport { DirectDebitCollection } from '@/models/DirectDebitCollection.js';\nimport {\n createMandate,\n activateMandate,\n revokeMandate,\n buildMandateFile,\n scheduleCollection,\n submitDueCollections,\n buildCurrentCollectionFile,\n retryCollection,\n ingestReturnFile,\n simulateReturnForCollection,\n} from '@/services/directDebitService.js';\n\nconst TAG = 'Sherpa Plus — Direct Debit';\nconst PROVIDER_KEYS = ['autogiro', 'betalingsservice'];\n\nfunction requireOrg(request: FastifyRequest): string {\n const organizationId = request.userAuth?.organizationId;\n if (!organizationId) {\n throw new StatusError(401, 'Organization context required');\n }\n return organizationId;\n}\n\nconst directDebitRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {\n fastify.addHook('preHandler', fastify.authenticate);\n\n // ── Mandates ────────────────────────────────────────────────────────────────\n\n fastify.get('/mandates', {\n schema: {\n description: 'List direct-debit mandates for the authenticated organization. Optional filters: status (pending/active/revoked), providerKey, productId.',\n tags: [TAG],\n security: [{ clientCredentials: [] }],\n querystring: {\n type: 'object',\n properties: {\n status: { type: 'string', enum: ['pending', 'active', 'revoked'] },\n providerKey: { type: 'string', enum: PROVIDER_KEYS },\n productId: { type: 'integer' },\n },\n },\n },\n }, async (request: FastifyRequest<{ Querystring: { status?: string; providerKey?: string; productId?: number } }>) => {\n const organizationId = requireOrg(request);\n const where: Record<string, unknown> = {};\n if (request.query.status) where.status = request.query.status;\n if (request.query.providerKey) where.providerKey = request.query.providerKey;\n if (request.query.productId) where.productId = request.query.productId;\n\n const data = await DirectDebitMandate.findAll({ organizationId }, {\n where,\n order: [['createdAt', 'DESC']],\n });\n return { status: 'success', data };\n });\n\n fastify.get('/mandates/:id', {\n schema: {\n description: 'Fetch a single direct-debit mandate by ID, scoped to the authenticated organization.',\n tags: [TAG],\n security: [{ clientCredentials: [] }],\n params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },\n },\n }, async (request: FastifyRequest<{ Params: { id: string } }>) => {\n const organizationId = requireOrg(request);\n const mandate = await DirectDebitMandate.findByPk({ organizationId }, request.params.id);\n if (!mandate) throw new StatusError(404, 'Mandate not found');\n return { status: 'success', data: mandate };\n });\n\n fastify.post('/mandates', {\n schema: {\n description: 'Create a direct-debit mandate. Validates the bank account against the provider scheme rules (Autogiro SE / Betalingsservice DK) and stores it pending bank confirmation.',\n tags: [TAG],\n security: [{ clientCredentials: [] }],\n body: {\n type: 'object',\n required: ['providerKey', 'productId', 'accountHolder', 'country', 'accountNumber'],\n properties: {\n providerKey: { type: 'string', enum: PROVIDER_KEYS },\n productId: { type: 'integer' },\n customerId: { type: 'string', format: 'uuid' },\n accountHolder: { type: 'string', minLength: 1 },\n country: { type: 'string', minLength: 2, maxLength: 2 },\n clearingNumber: { type: 'string' },\n accountNumber: { type: 'string', minLength: 1 },\n bankName: { type: 'string' },\n },\n },\n },\n }, async (request: FastifyRequest<{ Body: {\n providerKey: string; productId: number; customerId?: string; accountHolder: string;\n country: string; clearingNumber?: string; accountNumber: string; bankName?: string;\n } }>, reply: FastifyReply) => {\n const organizationId = requireOrg(request);\n const mandate = await createMandate(organizationId, request.body);\n return reply.code(201).send({ status: 'success', data: mandate });\n });\n\n fastify.get('/mandates/:id/file', {\n schema: {\n description: 'Generate the bank mandate-request file content for a mandate (Autogiro/Betalingsservice fixed-width format).',\n tags: [TAG],\n security: [{ clientCredentials: [] }],\n params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },\n },\n }, async (request: FastifyRequest<{ Params: { id: string } }>) => {\n const organizationId = requireOrg(request);\n const file = await buildMandateFile(organizationId, request.params.id);\n return { status: 'success', data: file };\n });\n\n fastify.post('/mandates/:id/activate', {\n schema: {\n description: 'Activate a mandate after the bank has confirmed it. Optionally records the bank-assigned payer number.',\n tags: [TAG],\n security: [{ clientCredentials: [] }],\n params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },\n body: { type: 'object', properties: { payerNumber: { type: 'string' } } },\n },\n }, async (request: FastifyRequest<{ Params: { id: string }; Body: { payerNumber?: string } }>) => {\n const organizationId = requireOrg(request);\n const mandate = await activateMandate(organizationId, request.params.id, request.body?.payerNumber);\n return { status: 'success', data: mandate };\n });\n\n fastify.post('/mandates/:id/revoke', {\n schema: {\n description: 'Revoke a mandatFile created successfully at: /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts (file state is current in your context — no need to Read it back)
Register routes in plus/index + extend providerKey enum in payment-provider-config create route.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts","old_string":"import { paymentProviderConfigRoutes } from './paymentProviderConfigRoutes.js';","new_string":"import { paymentProviderConfigRoutes } from './paymentProviderConfigRoutes.js';\nimport { directDebitRoutes } from './directDebitRoutes.js';"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts","old_string":" await fastify.register(paymentProviderConfigRoutes, { prefix: '/payment-provider-configs' });","new_string":" await fastify.register(paymentProviderConfigRoutes, { prefix: '/payment-provider-configs' });\n await fastify.register(directDebitRoutes, { prefix: '/direct-debit' });"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/paymentProviderConfigRoutes.ts","old_string":" providerKey: { type: 'string', enum: ['stripe'], description: 'Payment provider key' },","new_string":" providerKey: { type: 'string', enum: ['stripe', 'autogiro', 'betalingsservice'], description: 'Payment provider key' },"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/paymentProviderConfigRoutes.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Now the hourly batch job + register in jobs/index.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts","content":"import { Organization } from '@/models/Organization.js';\nimport { jobQueue } from '@/services/jobQueue.js';\nimport { submitDueCollections } from '@/services/directDebitService.js';\nimport logger from '@/logger.js';\n\nconst JOB_TYPE = 'direct_debit_collection_batch';\n\n/**\n * Hourly picker for due direct-debit collections. Runs per-org so RLS context is\n * enforced on every read (same pattern as claim-payout-batch). Submitting due\n * collections is idempotent at the row level — submitDueCollections only moves\n * SCHEDULED/RETRYING rows whose scheduledFor has passed, so a missed fire or a\n * worker restart self-heals on the next run.\n */\nasync function handleDirectDebitCollectionBatch() {\n const organizations = await Organization.findAll({ attributes: ['id'] });\n let totalSubmitted = 0;\n\n for (const org of organizations) {\n try {\n const files = await submitDueCollections(org.id);\n totalSubmitted += files.reduce((sum, f) => sum + f.count, 0);\n } catch (err) {\n logger.error(\n { organizationId: org.id, err: err instanceof Error ? err.message : String(err) },\n 'Direct-debit collection batch: failed to process organization',\n );\n }\n }\n\n if (totalSubmitted > 0) {\n logger.info(\n { count: totalSubmitted, orgCount: organizations.length },\n 'Direct-debit collection batch: submitted due collections',\n );\n }\n}\n\nexport function registerDirectDebitCollectionBatchJob() {\n jobQueue.register(JOB_TYPE, handleDirectDebitCollectionBatch, {\n concurrency: 1,\n defaultJobOptions: {\n attempts: 3,\n backoff: { type: 'exponential', delay: 30_000 },\n removeOnComplete: { age: 24 * 3600, count: 100 },\n removeOnFail: { age: 7 * 24 * 3600 },\n },\n });\n}\n\n/**\n * Start the recurring schedule. Safe to call multiple times — BullMQ dedupes by\n * jobId. Call once on worker startup.\n */\nexport async function scheduleDirectDebitCollectionBatch() {\n await jobQueue.scheduleRepeating(\n JOB_TYPE,\n {},\n '0 * * * *', // every hour on the hour, UTC\n `${JOB_TYPE}:hourly`,\n );\n}\n"}File created successfully at: /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts","old_string":"import { registerClaimPayoutBatchJob, scheduleClaimPayoutBatch } from './claimPayoutBatchJob.js';\nimport { registerPolicyRenewalJob } from './policyRenewalJob.js';","new_string":"import { registerClaimPayoutBatchJob, scheduleClaimPayoutBatch } from './claimPayoutBatchJob.js';\nimport { registerDirectDebitCollectionBatchJob, scheduleDirectDebitCollectionBatch } from './directDebitCollectionBatchJob.js';\nimport { registerPolicyRenewalJob } from './policyRenewalJob.js';"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts","old_string":" registerClaimPayoutBatchJob();\n registerPolicyRenewalJob();\n\n // Start recurring schedulers. BullMQ dedupes by jobId, so it's safe for this\n // to run in every process that imports jobs (API + workers).\n scheduleClaimPayoutBatch().catch((err) =>\n logger.error({ err }, 'Failed to schedule claim_payout_batch'),\n );","new_string":" registerClaimPayoutBatchJob();\n registerDirectDebitCollectionBatchJob();\n registerPolicyRenewalJob();\n\n // Start recurring schedulers. BullMQ dedupes by jobId, so it's safe for this\n // to run in every process that imports jobs (API + workers).\n scheduleClaimPayoutBatch().catch((err) =>\n logger.error({ err }, 'Failed to schedule claim_payout_batch'),\n );\n scheduleDirectDebitCollectionBatch().catch((err) =>\n logger.error({ err }, 'Failed to schedule direct_debit_collection_batch'),\n );"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts has been updated successfully. (file state is current in your context — no need to Read it back)
Backend complete. Task 6 — migrate + typecheck + lint + smoke test. Kicking off migrate (applies new migration) + recon for how to run tsc/lint in the container.
{"command":"curl -fsS -m 30 -X POST http://localhost:7777/api/api-action -H 'Content-Type: application/json' -d '{\"path\":\"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\",\"action\":\"migrate\"}' 2>&1 | head -c 500 ; echo","description":"Run migrate to apply new migration"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\necho \"=== compose file ===\"; fd -d 1 'docker-compose|compose.ya?ml' . 2>/dev/null\necho \"=== host node_modules/.bin/tsc? ===\"; test -f node_modules/.bin/tsc && echo yes || echo no\necho \"=== package.json scripts (typecheck/lint/check) ===\"; rg -n '\"(typecheck|tsc|lint|check:migrations|build)\"\\s*:' package.json\necho \"=== docker compose ps (service name) ===\"; docker compose ps --format '{{.Service}} {{.Name}} {{.State}}' 2>&1 | head","description":"Recon compose + tsc availability + scripts"}{"path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir","action":"migrate","status":"running","startedAt":1780314802251,"endedAt":null,"exitCode":null,"error":null,"logPath":"/var/folders/pr/7k4xc3v1715_0zbbw8tgwl5r0000gn/T/worktree-dashboard-logs/sherpa-api-api-462-nordic-bank-direct-debit-autogir-migrate.log","tail":""}=== compose file === ./docker-compose.yml === host node_modules/.bin/tsc? === no === package.json scripts (typecheck/lint/check) === 39: "check:migrations": "tsx scripts/check-migration-tenant-rls.ts", 40: "lint": "eslint . && npm run check:imports && npm run check:migrations", === docker compose ps (service name) === api sherpa-api-api-462-nordic-bank-direct-debit-autogir running
cd works (no prompt); host has no tsc → run in container (docker compose exec -T api). Polling migrate + running tsc + migration/import checks in the container.
{"command":"curl -fsS -m 15 \"http://localhost:7777/api/api-action?path=/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\" 2>&1 | head -c 400 ; echo","description":"Poll migrate status"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\necho \"=== TSC ===\"; docker compose exec -T api npx tsc --noEmit 2>&1 | rg -i 'directDebit|DirectDebit|error TS|payments/|jobs/|models/db' | head -50 || true\necho \"=== TSC exit summary (full count) ===\"; docker compose exec -T api npx tsc --noEmit 2>&1 | rg -c 'error TS' || echo \"0 errors\"","description":"Run tsc --noEmit in container","timeout":300000}{"path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir","action":"migrate","status":"done","startedAt":1780314802251,"endedAt":1780314803031,"exitCode":0,"error":null,"logPath":"/var/folders/pr/7k4xc3v1715_0zbbw8tgwl5r0000gn/T/worktree-dashboard-logs/sherpa-api-api-462-nordic-bank-direct-debit-autogir-migrate.log","tail":"\n> Sherpa [email protected] db:migrate:up\n> tsx s=== TSC === === TSC exit summary (full count) === 0 errors
Migrate ✓ (exit 0). tsc: 0 errors ✓. Now the migration RLS check + import guard (the CI gates most relevant to my changes).
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\necho \"=== check:migrations ===\"; docker compose exec -T -e VERBOSE=1 api npm run check:migrations 2>&1 | tail -15\necho \"=== check:imports ===\"; docker compose exec -T api npm run check:imports 2>&1 | tail -20","description":"Run migration RLS check + internal-import guard","timeout":120000}=== check:migrations === > Sherpa [email protected] check:migrations > tsx scripts/check-migration-tenant-rls.ts check-migration-tenant-rls: ok (49 tenant tables from createTable) === check:imports === > Sherpa [email protected] check:imports > bash scripts/check-internal-imports.sh
check:migrations ✓ (49 tables, incl. my 2). check:imports ✓. Running eslint on my new files (memory flags container eslint as sometimes broken — scoping to my files for a clean signal).
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\ndocker compose exec -T api npx eslint src/domains/payments/directDebit src/services/directDebitService.ts src/routes/plus/directDebitRoutes.ts src/services/jobs/directDebitCollectionBatchJob.ts src/models/internal/_DirectDebitMandate.ts src/models/internal/_DirectDebitCollection.ts src/models/DirectDebitMandate.ts src/models/DirectDebitCollection.ts 2>&1 | tail -40 || true","description":"eslint my new files","timeout":120000}NOT SUPPORTED: option missingRefs. Pass empty schema with $id that should be ignored to ajv.addSchema.
Oops! Something went wrong! :(
ESLint: 9.39.2
TypeError: Cannot set properties of undefined (setting 'defaultMeta')
at ajvOrig (/app/node_modules/@eslint/eslintrc/dist/eslintrc-universal.cjs:385:27)
at Object.<anonymous> (/app/node_modules/@eslint/eslintrc/dist/eslintrc-universal.cjs:740:13)
at Module._compile (node:internal/modules/cjs/loader:1730:14)
at Object..js (node:internal/modules/cjs/loader:1895:10)
at Module.load (node:internal/modules/cjs/loader:1465:32)
at Function._load (node:internal/modules/cjs/loader:1282:12)
at TracingChannel.traceSync (node:diagnostics_channel:322:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:235:24)
at Module.require (node:internal/modules/cjs/loader:1487:12)
at require (node:internal/modules/helpers:135:16)Confirmed: container eslint is infra-broken (ajv/missingRefs error — pre-existing, matches my memory note, not my code). The meaningful gates pass: tsc 0 errors, check:migrations ok, check:imports ok.
Restarting API (new routes/models/migration; tsx-watch can miss reloads) then probing routes are registered.
{"command":"curl -fsS -m 90 -X POST http://localhost:7777/api/restart -H 'Content-Type: application/json' -d '{\"paths\":[\"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\"]}' 2>&1 | head -c 400 ; echo \" <-restart\"","description":"Restart API after code changes"}{"results":[{"path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir","ok":true,"freedPort":4011,"readyMs":20715}]} <-restart{"command":"echo \"=== route registered? (expect 401, NOT 404) ===\"\nfor path in \"direct-debit/mandates\" \"direct-debit/collections\" \"payment-provider-configs\"; do\n code=$(curl -s -m 10 -o /dev/null -w \"%{http_code}\" \"http://localhost:4011/v1/plus/$path\")\n echo \"GET /v1/plus/$path -> $code\"\ndone\necho \"=== POST return-file unauth (expect 401) ===\"\ncurl -s -m 10 -o /dev/null -w \"%{http_code}\\n\" -X POST \"http://localhost:4011/v1/plus/direct-debit/return-file\" -H 'content-type: application/json' -d '{}'\necho \"=== api alive ===\"\ncurl -s -m 10 -o /dev/null -w \"root %{http_code}\\n\" http://localhost:4011/","description":"Probe new routes are registered (401 vs 404)"}Exit code 127 === route registered? (expect 401, NOT 404) === (eval):3: command not found: curl GET /v1/plus/direct-debit/mandates -> (eval):3: command not found: curl GET /v1/plus/direct-debit/collections -> (eval):3: command not found: curl GET /v1/plus/payment-provider-configs -> === POST return-file unauth (expect 401) === (eval):7: command not found: curl === api alive === (eval):9: command not found: curl
Shell is fish — my bash for loop broke. Using bash -c for the probe.
{"command":"bash -c '\necho \"=== routes registered? (expect 401, NOT 404) ===\"\nfor path in \"direct-debit/mandates\" \"direct-debit/collections\" \"direct-debit/collections/file?providerKey=autogiro\" \"payment-provider-configs\"; do\n code=$(curl -s -m 10 -o /dev/null -w \"%{http_code}\" \"http://localhost:4011/v1/plus/$path\")\n echo \"GET /v1/plus/$path -> $code\"\ndone\necho \"=== POST return-file unauth (expect 401) ===\"\ncurl -s -m 10 -o /dev/null -w \"%{http_code}\\n\" -X POST \"http://localhost:4011/v1/plus/direct-debit/return-file\" -H \"content-type: application/json\" -d \"{}\"\necho \"=== api root ===\"\ncurl -s -m 10 -o /dev/null -w \"root %{http_code}\\n\" http://localhost:4011/\n'","description":"Probe new routes via bash -c"}=== routes registered? (expect 401, NOT 404) === GET /v1/plus/direct-debit/mandates -> 401 GET /v1/plus/direct-debit/collections -> 401 GET /v1/plus/direct-debit/collections/file?providerKey=autogiro -> 401 GET /v1/plus/payment-provider-configs -> 401 === POST return-file unauth (expect 401) === 400 === api root === root 200
All routes registered (401 = auth-gated, exists; the 400 on empty POST is body-validation before auth — also proves it exists). API root 200. Now an authenticated end-to-end API smoke test to de-risk the portal build — invoking the api-auth skill for the token method.
{"skill":"api-auth","args":"Need a client-credentials access token to call http://localhost:4011/v1/plus endpoints for a smoke test of new direct-debit routes."}Launching skill: api-auth
Auth = Authorization: Client {ID}:{SECRET} from .env. Reading creds + running the full end-to-end smoke test against localhost:4011.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c '\nset -a; source .env 2>/dev/null; set +a\nAUTH=\"Authorization: Client ${SHERPA_TEST_CLIENT_ID}:${SHERPA_TEST_CLIENT_SECRET}\"\necho \"client id present: ${SHERPA_TEST_CLIENT_ID:0:8}...\"\necho \"=== list a few products (id, name, country, paymentProvider) ===\"\ncurl -s -m 15 \"http://localhost:4011/v1/plus/products?limit=50\" -H \"$AUTH\" \\\n | python3 -c \"import sys,json; d=json.load(sys.stdin); items=d if isinstance(d,list) else d.get(\\\"data\\\",d); items=items if isinstance(items,list) else items.get(\\\"data\\\",[]); [print(p.get(\\\"id\\\"), \\\"|\\\", p.get(\\\"productName\\\"), \\\"|\\\", p.get(\\\"country\\\"), \\\"|\\\", p.get(\\\"paymentProvider\\\")) for p in (items[:12] if isinstance(items,list) else [])]\" 2>&1 | head -20\n'","description":"Read creds + list products"}client id present: cl_faf23... === list a few products (id, name, country, paymentProvider) ===
Products response shape unclear. Dumping raw to see the structure + endpoint.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c '\nset -a; source .env 2>/dev/null; set +a\nAUTH=\"Authorization: Client ${SHERPA_TEST_CLIENT_ID}:${SHERPA_TEST_CLIENT_SECRET}\"\necho \"=== /v1/plus/products raw (first 600 chars) ===\"\ncurl -s -m 15 \"http://localhost:4011/v1/plus/products\" -H \"$AUTH\" | head -c 600\necho \"\"\necho \"=== auth probe (whoami via payment-provider-configs) ===\"\ncurl -s -m 15 \"http://localhost:4011/v1/plus/payment-provider-configs\" -H \"$AUTH\" | head -c 400\n'","description":"Dump raw products + auth probe"}=== /v1/plus/products raw (first 600 chars) ===
{"status":"success","data":{"products":[{"id":291,"productTitle":"QE Recurring 1780312863885","productName":"qe_recurring_1780312863885","productDescription":"Independent QE (#463)","country":"US","availableCountries":["US"],"insuranceTypeId":14,"currency":"USD","inputCurrency":"USD","currencyPosition":"prefix","decimalSeparator":".","groupSeparator":",","decimalsAmount":2,"dateFormat":"MM-DD-YYYY","active":true,"paymentProvider":"stripe","paymentMethods":[],"activeLocales":null,"translationOverrides":null,"sourceLocale":"en","paymentUiMode":"iframe","isEmbedded":false,"primaryProductTitle":"T
=== auth probe (whoami via payment-provider-configs) ===
{"status":"success","data":[{"id":8,"organizationId":"22222222-2222-2222-2222-222222222222","providerKey":"adyen","config":{},"active":true,"createdAt":"2026-06-01T05:50:06.166Z","updatedAt":"2026-06-01T05:50:06.166Z"},{"id":7,"organizationId":"22222222-2222-2222-2222-222222222222","providerKey":"stripe","config":{},"active":true,"createdAt":"2026-06-01T05:50:06.096Z","updatedAt":"2026-06-01T05:50Auth works (org 2222..., products under data.products, e.g. id 291). Writing a Python end-to-end smoke test (cleaner JSON handling than bash) to validate the whole flow.
{"file_path":"/tmp/dd_smoke.py","content":"import json, os, sys, urllib.request, urllib.error\n\nBASE = \"http://localhost:4011/v1/plus\"\nAUTH = f\"Client {os.environ['SHERPA_TEST_CLIENT_ID']}:{os.environ['SHERPA_TEST_CLIENT_SECRET']}\"\n\ndef call(method, path, body=None):\n data = json.dumps(body).encode() if body is not None else None\n req = urllib.request.Request(BASE + path, data=data, method=method)\n req.add_header(\"Authorization\", AUTH)\n req.add_header(\"Content-Type\", \"application/json\")\n try:\n with urllib.request.urlopen(req, timeout=20) as r:\n return r.status, json.loads(r.read() or \"{}\")\n except urllib.error.HTTPError as e:\n return e.code, json.loads(e.read() or \"{}\")\n\ndef d(resp): # unwrap {status,data}\n return resp.get(\"data\", resp)\n\nprint(\"== 1. configure autogiro provider (org-level) ==\")\ns, r = call(\"POST\", \"/payment-provider-configs\", {\"providerKey\": \"autogiro\", \"config\": {\"bankgiroNumber\": \"9912346\"}, \"active\": True})\nprint(s, \"autogiro config\", \"(created)\" if s == 201 else r.get(\"message\", r))\n\n# pick a product\ns, r = call(\"GET\", \"/products\")\nprod = d(r)[\"products\"][0]\npid = prod[\"id\"]\nprint(\"using product\", pid, prod[\"productName\"])\n\nprint(\"== 2. create mandate (SE / Autogiro) ==\")\ns, r = call(\"POST\", \"/direct-debit/mandates\", {\n \"providerKey\": \"autogiro\", \"productId\": pid, \"accountHolder\": \"Sven Svensson\",\n \"country\": \"SE\", \"clearingNumber\": \"8327\", \"accountNumber\": \"1234567\", \"bankName\": \"Swedbank\"})\nassert s == 201, (s, r)\nm = d(r); mid = m[\"id\"]\nprint(s, \"mandate\", mid, \"status:\", m[\"status\"], \"ref:\", m[\"mandateReference\"])\n\nprint(\"== 3. mandate file ==\")\ns, r = call(\"GET\", f\"/direct-debit/mandates/{mid}/file\")\nprint(s, \"file lines:\");\nfor ln in d(r)[\"content\"].splitlines(): print(\" |\" + ln + \"|\")\n\nprint(\"== 4. activate mandate ==\")\ns, r = call(\"POST\", f\"/direct-debit/mandates/{mid}/activate\")\nprint(s, \"status:\", d(r)[\"status\"])\n\nprint(\"== 5. schedule collection #1 (settle path) ==\")\ns, r = call(\"POST\", \"/direct-debit/collections\", {\"mandateId\": mid, \"amount\": 199.00, \"currency\": \"SEK\"})\nassert s == 201, (s, r)\nc1 = d(r)[\"id\"]; print(s, \"collection\", c1, \"status:\", d(r)[\"status\"])\n\nprint(\"== 6. run due collections (autogiro) ==\")\ns, r = call(\"POST\", \"/direct-debit/collections/run\", {\"providerKey\": \"autogiro\"})\nprint(s, \"submitted:\", d(r)[\"submitted\"])\nfor f in d(r)[\"files\"]:\n print(\" collection file\", f[\"fileReference\"], \"count\", f[\"count\"])\n for ln in f[\"content\"].splitlines(): print(\" |\" + ln + \"|\")\n\nprint(\"== 7. simulate SETTLED return ==\")\ns, r = call(\"POST\", f\"/direct-debit/collections/{c1}/simulate-return\", {\"outcome\": \"settled\"})\nprint(s, \"summary:\", d(r))\ns, r = call(\"GET\", f\"/direct-debit/collections?mandateId={mid}\")\nfor c in d(r):\n if c[\"id\"] == c1: print(\" collection #1 now:\", c[\"status\"], \"settledAt:\", c[\"settledAt\"])\n\nprint(\"== 8. schedule collection #2 (failure -> retry) ==\")\ns, r = call(\"POST\", \"/direct-debit/collections\", {\"mandateId\": mid, \"amount\": 199.00, \"currency\": \"SEK\"})\nc2 = d(r)[\"id\"]; print(s, \"collection\", c2)\ns, r = call(\"POST\", \"/direct-debit/collections/run\", {\"providerKey\": \"autogiro\"})\nprint(\" run submitted:\", d(r)[\"submitted\"])\ns, r = call(\"POST\", f\"/direct-debit/collections/{c2}/simulate-return\", {\"outcome\": \"failed\", \"reason\": \"08\"})\nprint(s, \"fail#1 summary:\", d(r))\ns, r = call(\"GET\", f\"/direct-debit/collections?status=retrying\")\nprint(\" retrying collections:\", [(c[\"id\"][:8], \"retry\", c[\"retryCount\"]) for c in d(r)])\n\nprint(\"== 9. exhaust retries -> FAILED + flagged ==\")\nfor i in range(4):\n call(\"POST\", \"/direct-debit/collections/run\", {\"providerKey\": \"autogiro\"})\n s, r = call(\"POST\", f\"/direct-debit/collections/{c2}/simulate-return\", {\"outcome\": \"failed\", \"reason\": \"08\"})\ns, r = call(\"GET\", f\"/direct-debit/collections?mandateId={mid}\")\nfor c in d(r):\n if c[\"id\"] == c2:\n print(\" collection #2 final:\", c[\"status\"], \"retryCount:\", c[\"retryCount\"], \"flagged:\", c[\"flagged\"], \"reason:\", c[\"failureReason\"])\n\nprint(\"\\nSMOKE TEST OK\")\n"}File created successfully at: /tmp/dd_smoke.py (file state is current in your context — no need to Read it back)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c 'set -a; source .env 2>/dev/null; set +a; python3 /tmp/dd_smoke.py'","description":"Run end-to-end direct-debit smoke test"}Exit code 1
== 1. configure autogiro provider (org-level) ==
201 autogiro config (created)
using product 291 qe_recurring_1780312863885
== 2. create mandate (SE / Autogiro) ==
201 mandate 9506b0d3-5997-4712-a476-fdb4de123591 status: pending ref: AG-MND-E2123DDF
== 3. mandate file ==
200 file lines:
|0120260601AUTOGIRO0009912346MEDGIVANDE |
|04AG-MND-E2123DDF 08327000001234567Sven Svensson |
== 4. activate mandate ==
Traceback (most recent call last):
File "/tmp/dd_smoke.py", line 45, in <module>
print(s, "status:", d(r)["status"])
KeyError: 'status'Steps 1–3 ✓ (mandate file renders as proper fixed-width records). Activate errored — debugging its raw response.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c '\nset -a; source .env 2>/dev/null; set +a\nAUTH=\"Authorization: Client ${SHERPA_TEST_CLIENT_ID}:${SHERPA_TEST_CLIENT_SECRET}\"\nMID=9506b0d3-5997-4712-a476-fdb4de123591\necho \"=== activate (no body) ===\"\ncurl -s -m 15 -X POST \"http://localhost:4011/v1/plus/direct-debit/mandates/$MID/activate\" -H \"$AUTH\" -H \"content-type: application/json\" | head -c 500\necho \"\"\necho \"=== activate (empty json body) ===\"\ncurl -s -m 15 -X POST \"http://localhost:4011/v1/plus/direct-debit/mandates/$MID/activate\" -H \"$AUTH\" -H \"content-type: application/json\" -d \"{}\" | head -c 500\n'","description":"Debug activate endpoint raw response"}=== activate (no body) ===
{"error":{"message":"Body cannot be empty when content-type is set to 'application/json'"}}
=== activate (empty json body) ===
{"status":"success","data":{"id":"9506b0d3-5997-4712-a476-fdb4de123591","organizationId":"22222222-2222-2222-2222-222222222222","providerKey":"autogiro","productId":291,"customerId":null,"status":"active","country":"SE","accountHolder":"Sven Svensson","clearingNumber":"8327","accountNumber":"1234567","bankName":"Swedbank","mandateReference":"AG-MND-E2123DDF","payerNumber":"AG-MND-E2123DDF","signedAt":"2026-06-01T11:56:39.339Z","activatedAt":"2026-06-01T11:56:56.412Z","revokedAt":null,"failureReaNot an API bug — my test sent a null body; Fastify rejects empty-body JSON POSTs (portal will always send {}). Fixing the helper and rerunning.
{"replace_all":false,"file_path":"/tmp/dd_smoke.py","old_string":"def call(method, path, body=None):\n data = json.dumps(body).encode() if body is not None else None","new_string":"def call(method, path, body=None):\n if body is None and method != \"GET\":\n body = {}\n data = json.dumps(body).encode() if body is not None else None"}The file /tmp/dd_smoke.py has been updated successfully. (file state is current in your context — no need to Read it back)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c 'set -a; source .env 2>/dev/null; set +a; python3 /tmp/dd_smoke.py'","description":"Rerun end-to-end smoke test"}== 1. configure autogiro provider (org-level) ==
409 autogiro config {'error': {'message': 'A config for provider "autogiro" already exists for this organization'}}
using product 291 qe_recurring_1780312863885
== 2. create mandate (SE / Autogiro) ==
201 mandate b1efd8ab-7f63-4d77-8f2e-3be8f68bd587 status: pending ref: AG-MND-A8D307C1
== 3. mandate file ==
200 file lines:
|0120260601AUTOGIRO0009912346MEDGIVANDE |
|04AG-MND-A8D307C1 08327000001234567Sven Svensson |
== 4. activate mandate ==
200 status: active
== 5. schedule collection #1 (settle path) ==
201 collection a998503a-6b50-46ea-9e0e-da8f84aeb7b4 status: scheduled
== 6. run due collections (autogiro) ==
200 submitted: 1
collection file AG-FILE-99ECDC65 count 1
|0120260601AUTOGIRO0009912346AG-FILE-99EC |
|8220260601AG-MND-A8D307C1 000000019900AG-COL-EA27675D a998503a-6b50-46ea-9e0|
|09000991234600000001000000000000019900 |
== 7. simulate SETTLED return ==
200 summary: {'settled': 1, 'failed': 0, 'retrying': 0, 'flagged': 0, 'unmatched': []}
collection #1 now: settled settledAt: 2026-06-01T11:57:10.621Z
== 8. schedule collection #2 (failure -> retry) ==
201 collection 63f5e208-1c78-4ebc-ac11-c7101c5be9b9
run submitted: 1
200 fail#1 summary: {'settled': 0, 'failed': 0, 'retrying': 1, 'flagged': 0, 'unmatched': []}
retrying collections: [('63f5e208', 'retry', 1)]
== 9. exhaust retries -> FAILED + flagged ==
collection #2 final: failed retryCount: 3 flagged: True reason: 08
SMOKE TEST OKSmoke test fully passes — entire flow validated: configure → mandate (pending→active) → mandate file (fixed-width TK01/TK04) → schedule → run (collection file TK01/TK82/TK09, öre amounts) → settle+reconcile → fail→retry→flagged after 3 retries. Quick DK/Betalingsservice check (acceptance needs both rails):
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c '\nset -a; source .env 2>/dev/null; set +a\nAUTH=\"Authorization: Client ${SHERPA_TEST_CLIENT_ID}:${SHERPA_TEST_CLIENT_SECRET}\"\nBASE=http://localhost:4011/v1/plus\ncurl -s -X POST \"$BASE/payment-provider-configs\" -H \"$AUTH\" -H \"content-type: application/json\" -d \"{\\\"providerKey\\\":\\\"betalingsservice\\\",\\\"config\\\":{\\\"pbsNumber\\\":\\\"00054321\\\"},\\\"active\\\":true}\" >/dev/null\necho \"=== DK invalid account (reg must be 4 digits) -> expect 400 ===\"\ncurl -s -X POST \"$BASE/direct-debit/mandates\" -H \"$AUTH\" -H \"content-type: application/json\" -d \"{\\\"providerKey\\\":\\\"betalingsservice\\\",\\\"productId\\\":291,\\\"accountHolder\\\":\\\"Mads Nielsen\\\",\\\"country\\\":\\\"DK\\\",\\\"clearingNumber\\\":\\\"12\\\",\\\"accountNumber\\\":\\\"1234567890\\\"}\" | head -c 300\necho \"\"\necho \"=== DK valid mandate -> 201 + file ===\"\nMID=$(curl -s -X POST \"$BASE/direct-debit/mandates\" -H \"$AUTH\" -H \"content-type: application/json\" -d \"{\\\"providerKey\\\":\\\"betalingsservice\\\",\\\"productId\\\":291,\\\"accountHolder\\\":\\\"Mads Nielsen\\\",\\\"country\\\":\\\"DK\\\",\\\"clearingNumber\\\":\\\"1234\\\",\\\"accountNumber\\\":\\\"1234567890\\\",\\\"bankName\\\":\\\"Danske Bank\\\"}\" | python3 -c \"import sys,json;print(json.load(sys.stdin)[\\\"data\\\"][\\\"id\\\"])\")\necho \"mandate $MID\"\ncurl -s -X POST \"$BASE/direct-debit/mandates/$MID/activate\" -H \"$AUTH\" -H \"content-type: application/json\" -d \"{}\" >/dev/null\ncurl -s \"$BASE/direct-debit/mandates/$MID/file\" -H \"$AUTH\" | python3 -c \"import sys,json;[print(\\\" |\\\"+l+\\\"|\\\") for l in json.load(sys.stdin)[\\\"data\\\"][\\\"content\\\"].splitlines()]\"\n'","description":"Validate Betalingsservice DK rail"}=== DK invalid account (reg must be 4 digits) -> expect 400 ===
{"error":{"message":"Invalid bank account: clearingNumber must be a 4-digit registreringsnummer"}}
=== DK valid mandate -> 201 + file ===
mandate f9087776-41f0-4add-a080-e88489a5d027
|HD00000000005432120260601TILMELDING|
|MDBS-MND-6699F65912341234567890Mads Nielsen |Both rails validated end-to-end (DK validation rejects bad reg numbers, generates HD/MD records). Task 6 complete.
Now Tasks 7 + 8 in parallel (different repos, no conflict) — delegating portal UI and sherpa-test spec to implementer subagents with the exact validated API contract.
{"taskId":"5","status":"completed"}Updated task #5 status
{"taskId":"6","status":"completed"}Updated task #6 status
{"taskId":"7","status":"in_progress"}Updated task #7 status
{"taskId":"8","status":"in_progress"}Updated task #8 status
{"description":"Build sherpa-portal direct-debit UI","prompt":"You are implementing the FRONT-END for GitHub ticket sherpa-api#462 \"Nordic bank direct debit (Autogiro / Betalingsservice)\" in the sherpa-portal worktree. The backend is DONE and validated; you build the portal UI that proves it. Next.js 16 (app router) + React 19 + Tailwind v4 + TS. Use `rg`/`fd`, never grep/find.\n\nWORKTREE (only edit here): /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir\nThe portal dev server is already running at http://localhost:3011 wired to the api at http://localhost:4011.\n\n## STEP 0 — Read the real code first (do NOT trust my line numbers; verify)\nRead these to learn exact conventions, component APIs, and import paths:\n- app/components/settings/PaymentProvidersTab.tsx (provider list `AVAILABLE_PROVIDERS` + create/edit form)\n- app/components/AppLayout.tsx (find `productMenuItems` array AND the `PRODUCT_PHASE_BY_KEY` map)\n- app/products/[id]/claims/page.tsx (CLONE this page's scaffolding: \"use client\", params unwrap, ProtectedRoute/CRMOnlyRoute/AppLayout wrappers, loading, table)\n- app/src/utils/api.ts (the axios wrapper — default import `api`; it auto-prefixes `/v1/plus`)\n- app/components/ui/{table,badge,button,input,select,dialog,switch}.tsx and app/components/Toast.tsx (exact props)\n- How `useTranslation` from `@gangkharai/lmt/client` is used (call it `t`).\n\n## VALIDATED API CONTRACT (I tested all of these live; the portal `api` client prefixes `/v1/plus`)\nResponses are `{ status:'success', data: ... }` → read `res.data.data`.\nIMPORTANT: every POST MUST send a JSON body object (at least `{}`). An empty-body JSON POST returns 400. So `api.post(url, {})` not `api.post(url)`.\n\nMandates:\n- GET `/direct-debit/mandates?productId={id}` → data: Mandate[]\n- POST `/direct-debit/mandates` body `{providerKey, productId, accountHolder, country, clearingNumber?, accountNumber, bankName?, customerId?}` → 201 {data: Mandate}\n- GET `/direct-debit/mandates/{id}/file` → data `{fileReference, content}` (fixed-width text; show in a <pre>)\n- POST `/direct-debit/mandates/{id}/activate` body `{}` → {data: Mandate}\n- POST `/direct-debit/mandates/{id}/revoke` body `{}` → {data: Mandate}\nMandate = {id, providerKey:'autogiro'|'betalingsservice', productId, status:'pending'|'active'|'revoked', country, accountHolder, clearingNumber, accountNumber, bankName, mandateReference, payerNumber, signedAt, activatedAt, revokedAt, failureReason, createdAt}\n\nCollections:\n- GET `/direct-debit/collections?mandateId={id}` (and optional &status=&providerKey=) → data: Collection[]\n- POST `/direct-debit/collections` body `{mandateId, amount, currency, policyOrderId?, scheduledFor?}` → 201 {data: Collection}\n- POST `/direct-debit/collections/run` body `{providerKey?}` → data `{submitted, files:[{providerKey,fileReference,content,count}]}`\n- POST `/direct-debit/collections/{id}/simulate-return` body `{outcome:'settled'|'failed', reason?}` → data summary {settled,failed,retrying,flagged,unmatched}\n- POST `/direct-debit/collections/{id}/retry` body `{}` → {data: Collection}\nCollection = {id, mandateId, policyOrderId, providerKey, amount(string), currency, status:'scheduled'|'submitted'|'settled'|'failed'|'retrying'|'cancelled', scheduledFor, submittedAt, settledAt, retryCount, maxRetries, failureReason, externalReference, fileReference, flagged(bool), createdAt}\n\nProvider keys: `autogiro` (Sweden, SE), `betalingsservice` (Denmark, DK).\n\n## DELIVERABLES\n\n### 1. Extend the org payment-provider config (config-via-portal)\nIn app/components/settings/PaymentProvidersTab.tsx, add to `AVAILABLE_PROVIDERS`:\n`{ key: \"autogiro\", label: \"Autogiro (Sweden)\" }` and `{ key: \"betalingsservice\", label: \"Betalingsservice (Denmark)\" }`.\nFor these two providers, the config form must capture a creditor identifier text field (label \"Creditor number (Bankgiro / PBS)\") saved as `config.creditorId`. Keep Stripe's existing fields untouched — only show the creditor field when the selected provider is autogiro/betalingsservice. Minimal, match the existing form's style.\n\n### 2. NEW page: app/products/[id]/direct-debit/page.tsx (plus components if cleaner)\nClone the claims page scaffolding (same wrappers/imports). A \"Direct Debit\" management screen scoped to the product (`productId` from route param). It must let a user do the full demo and SEE status:\n- Header \"Direct Debit\" + subtitle \"Autogiro (SE) & Betalingsservice (DK) recurring direct debit\".\n- MANDATES section: table (Account holder, Provider, Reference, Status badge, Created). Status badge colors: pending=amber, active=green, revoked=red.\n - \"Create mandate\" button → dialog: provider Select (Autogiro/Betalingsservice), Account holder, Country (default SE for autogiro, DK for betalingsservice), Clearing/Reg number, Account number, Bank name. POST and refresh. Show validation errors from the API (error.response.data.error.message) via showErrorToast.\n - Row actions: when pending → \"Activate\"; when pending/active → \"Revoke\"; always → \"View file\" (dialog showing the mandate file content in a <pre> monospace block).\n - Selecting a mandate row filters the collections section to that mandate.\n- COLLECTIONS section (for the selected mandate, or all for the product): table (Amount+currency, Status badge, Retries (retryCount/maxRetries), Flagged ⚑ when flagged, Scheduled, Failure reason). Status colors: scheduled=gray, submitted=blue, settled=green, failed=red, retrying=amber, cancelled=gray.\n - \"Schedule collection\" button (enabled only if a selected mandate is active) → dialog: amount, currency (default SEK for autogiro / DKK for betalingsservice). POST and refresh.\n - \"Run due collections\" button → POST /direct-debit/collections/run {providerKey of selected mandate or omit}, then refresh + toast \"{submitted} collection(s) submitted\".\n - Row actions: when submitted → \"Simulate settled\" and \"Simu{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && pwd && fd -t f -e tsx -e ts . app/components/settings/ app/products/ 2>/dev/null | head -50","description":"List worktree files in settings and products"}/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir app/components/settings/APIDocsTab.tsx app/components/settings/ClaimRulesTab.tsx app/components/settings/ClientDetails.tsx app/components/settings/ClientForm.tsx app/components/settings/ClientsTab.tsx app/components/settings/CredentialsModal.tsx app/components/settings/GeneralTab.tsx app/components/settings/ImportHistoryChart.tsx app/components/settings/ImportHistoryTab.tsx app/components/settings/PaymentProvidersTab.tsx app/components/settings/PolicyStatusesTab.tsx app/components/settings/TranslationsTab.tsx app/components/settings/UploadCredentialsTab.tsx app/components/settings/UploadFileTab.tsx app/components/settings/UploadsTab.tsx app/components/settings/WidgetTokenForm.tsx app/components/settings/WidgetTokensTab.tsx app/products/[id]/acceptance/page.tsx app/products/[id]/api-documentation/page.tsx app/products/[id]/claim-rules/page.tsx app/products/[id]/claims/[claimId]/page.tsx app/products/[id]/claims/new/page.tsx app/products/[id]/claims/page.tsx app/products/[id]/commissions/[commissionId]/page.tsx app/products/[id]/commissions/page.tsx app/products/[id]/compliance/page.tsx app/products/[id]/discounts/page.tsx app/products/[id]/documents/page.tsx app/products/[id]/embed/page.tsx app/products/[id]/funnel-templates/page.tsx app/products/[id]/funnel-templates/useFunnelTemplateData.ts app/products/[id]/optimizations/page.tsx app/products/[id]/page.tsx app/products/[id]/payment-methods/page.tsx app/products/[id]/policy/[policyId]/page.tsx app/products/[id]/policy/new/page.tsx app/products/[id]/policy/page.tsx app/products/[id]/product-plans/[planId]/page.tsx app/products/[id]/product-plans/new/page.tsx app/products/[id]/product-plans/page.tsx app/products/[id]/quote/[quoteId]/edit/page.tsx app/products/[id]/quote/[quoteId]/page.tsx app/products/[id]/quote/new/page.tsx app/products/[id]/quote/page.tsx app/products/[id]/settings/page.tsx app/products/[id]/taxes/[taxId]/page.tsx app/products/[id]/taxes/page.tsx app/products/[id]/templates/[templateId]/page.tsx app/products/[id]/templates/page.tsx app/products/[id]/terms/[termId]/page.tsx
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx"}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { Plus, Pencil, Trash2, ChevronDown, ChevronRight } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import { Button } from "@/app/components/ui/button";
9 import {
10 Dialog,
11 DialogContent,
12 DialogFooter,
13 DialogHeader,
14 DialogTitle,
15 } from "@/app/components/ui/dialog";
16 import { Input } from "@/app/components/ui/input";
17 import { Switch } from "@/app/components/ui/switch";
18 import {
19 Select,
20 SelectContent,
21 SelectItem,
22 SelectTrigger,
23 SelectValue,
24 } from "@/app/components/ui/select";
25 import ConfirmDialog from "@/app/components/admin/ConfirmDialog";
26 import { showErrorToast, showSuccessToast } from "@/app/components/Toast";
27 import ProviderLogo from "@/app/components/payments/ProviderLogo";
28 import api from "@/app/src/utils/api";
29 import { PaymentProviderConfig, PaymentMethod, PayoutCadence, PayoutWeekday } from "@/app/types/paymentProvider";
30
31 const WEEKDAY_VALUES: PayoutWeekday[] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
32
33 const weekdayLabel = (value: PayoutWeekday, t: (s: string) => string): string => {
34 switch (value) {
35 case "mon": return t("Monday");
36 case "tue": return t("Tuesday");
37 case "wed": return t("Wednesday");
38 case "thu": return t("Thursday");
39 case "fri": return t("Friday");
40 case "sat": return t("Saturday");
41 case "sun": return t("Sunday");
42 }
43 };
44
45 const AVAILABLE_PROVIDERS = [
46 { key: "stripe", label: "Stripe" },
47 ];
48
49 const PaymentProvidersTab: React.FC = () => {
50 const t = useTranslation();
51 const [configs, setConfigs] = useState<PaymentProviderConfig[]>([]);
52 const [loading, setLoading] = useState(false);
53 const [formOpen, setFormOpen] = useState(false);
54 const [editing, setEditing] = useState<PaymentProviderConfig | null>(null);
55 const [deleteId, setDeleteId] = useState<number | null>(null);
56
57 const [formProviderKey, setFormProviderKey] = useState("stripe");
58 const [formConnectedAccountId, setFormConnectedAccountId] = useState("");
59 const [formActive, setFormActive] = useState(true);
60 const [formAutomaticPayoutEnabled, setFormAutomaticPayoutEnabled] = useState(false);
61 const [formPayoutCadence, setFormPayoutCadence] = useState<PayoutCadence>("immediate");
62 const [formPayoutWeeklyRunDay, setFormPayoutWeeklyRunDay] = useState<PayoutWeekday>("mon");
63 const [formPayoutWeeklyRunHour, setFormPayoutWeeklyRunHour] = useState(9);
64 const [saving, setSaving] = useState(false);
65
66 // Payment methods state per config
67 const [expandedConfigId, setExpandedConfigId] = useState<number | null>(null);
68 const [paymentMethods, setPaymentMethods] = useState<PaymentMethod[]>([]);
69 const [loadingMethods, setLoadingMethods] = useState(false);
70
71 const load = useCallback(async () => {
72 try {
73 setLoading(true);
74 const res = await api.get("/payment-provider-configs");
75 if (res.data.status === "success") {
76 setConfigs(res.data.data || []);
77 }
78 } catch (error) {
79 console.error("Error loading payment provider configs:", error);
80 showErrorToast(t("Failed to load payment providers"));
81 } finally {
82 setLoading(false);
83 }
84 }, [t]);
85
86 useEffect(() => {
87 load();
88 }, [load]);
89
90 const loadPaymentMethods = useCallback(async (configId: number) => {
91 try {
92 setLoadingMethods(true);
93 const res = await api.get(`/payment-provider-configs/${configId}/payment-methods`);
94 if (res.data.status === "success") {
95 setPaymentMethods(res.data.data || []);
96 }
97 } catch (error) {
98 console.error("Error loading payment methods:", error);
99 showErrorToast(t("Failed to load payment methods"));
100 } finally {
101 setLoadingMethods(false);
102 }
103 }, [t]);
104
105 const handleToggleExpand = (configId: number) => {
106 if (expandedConfigId === configId) {
107 setExpandedConfigId(null);
108 setPaymentMethods([]);
109 } else {
110 setExpandedConfigId(configId);
111 loadPaymentMethods(configId);
112 }
113 };
114
115 const handleToggleMethod = async (configId: number, method: PaymentMethod) => {
116 try {
117 await api.put(
118 `/payment-provider-configs/${configId}/payment-methods/${method.id}`,
119 { enabled: !method.enabled }
120 );
121 setPaymentMethods((prev) =>
122 prev.map((m) =>
123 m.id === method.id ? { ...m, enabled: !m.enabled } : m
124 )
125 );
126 showSuccessToast(
127 method.enabled
128 ? t("{name} disabled", { name: method.name })
129 : t("{name} enabled", { name: method.name })
130 );
131 } catch (error) {
132 console.error("Error toggling payment method:", error);
133 showErrorToast(t("Failed to update payment method"));
134 }
135 };
136
137 const openCreate = () => {
138 setEditing(null);
139 setFormProviderKey("stripe");
140 setFormConnectedAccountId("");
141 setFormActive(true);
142 setFormAutomaticPayoutEnabled(false);
143 setFormPayoutCadence("immediate");
144 setFormPayoutWeeklyRunDay("mon");
145 setFormPayoutWeeklyRunHour(9);
146 setFormOpen(true);
147 };
148
149 const openEdit = (config: PaymentProviderConfig) => {
150 setEditing(config);
151 setFormProviderKey(config.providerKey);
152 setFormConnectedAccountId(config.config?.connectedAccountId || "");
153 setFormActive(config.active);
154 setFormAutomaticPayoutEnabled(Boolean(config.config?.automaticPayoutEnabled));
155 setFormPayoutCadence(config.config?.payoutCadence === "weekly" ? "weekly" : "immediate");
156 setFormPayoutWeeklyRunDay(
157 WEEKDAY_VALUES.find((v) => v === config.config?.payoutWeeklyRunDay) ?? "mon"
158 );
159 const hourRaw = config.config?.payoutWeeklyRunHour;
160 setFormPayoutWeeklyRunHour(typeof hourRaw === "number" && hourRaw >= 0 && hourRaw < 24 ? hourRaw : 9);
161 setFormOpen(true);
162 };
163
164 const handleSave = async () => {
165 if (!formConnectedAccountId.trim()) {
166 showErrorToast(t("Connected Account ID is required"));
167 return;
168 }
169
170 setSaving(true);
171 try {
172 const payload = {
173 providerKey: formProviderKey,
174 config: {
175 connectedAccountId: formConnectedAccountId.trim(),
176 automaticPayoutEnabled: formAutomaticPayoutEnabled,
177 payoutCadence: formPayoutCadence,
178 payoutWeeklyRunDay: formPayoutWeeklyRunDay,
179 payoutWeeklyRunHour: formPayoutWeeklyRunHour,
180 },
181 active: formActive,
182 };
183
184 if (editing) {
185 await api.put(`/payment-provider-configs/${editing.id}`, payload);
186 showSuccessToast(t("Payment provider updated successfully"));
187 } else {
188 await api.post("/payment-provider-configs", payload);
189 showSuccessToast(t("Payment provider added successfully"));
190 }
191
192 setFormOpen(false);
193 load();
194 } catch (error) {
195 console.error("Error saving payment provider config:", error);
196 showErrorToast(t("Failed to save payment provider"));
197 } finally {
198 setSaving(false);
199 }
200 };
201
202 const handleDelete = async () => {
203 if (deleteId === null) return;
204 try {
205 await api.delete(`/payment-provider-configs/${deleteId}`);
206 showSuccessToast(t("Payment provider removed successfully"));
207 if (expandedConfigId === deleteId) {
208 setExpandedConfigId(null);
209 setPaymentMethods([]);
210 }
211 setDelet{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/claims/page.tsx"}1 // Processed for translation - checking for string literals
2 "use client";
3
4 import React, { useState, useEffect } from "react";
5 import { useRouter } from "next/navigation";
6 import { PlusCircle, Trash2 } from "lucide-react";
7 import { useTranslation } from "@gangkharai/lmt/client";
8
9 import AppLayout from "@/app/components/AppLayout";
10 import { Button } from "@/app/components/ui/button";
11 import {
12 Dialog,
13 DialogContent,
14 DialogDescription,
15 DialogFooter,
16 DialogHeader,
17 DialogTitle,
18 } from "@/app/components/ui/dialog";
19 import { showErrorToast, showSuccessToast } from "@/app/components/Toast";
20 import { ProtectedRoute } from "@/app/components/ProtectedRoute";
21 import { CRMOnlyRoute } from "@/app/components/UserTypeRoute";
22 import api from "@/app/src/utils/api";
23 import { ProductData } from "@/app/types/product";
24 import { ClaimData } from "@/app/types/claim";
25
26 export default function ProductClaimsPage({ params }: { params: { id: string } }) {
27 const t = useTranslation();
28 // Unwrap params using React.use() if it's a promise
29 const unwrappedParams = params instanceof Promise ? React.use(params) : params;
30 const productId = unwrappedParams?.id || "";
31 const router = useRouter();
32
33 const [product, setProduct] = useState<ProductData | null>(null);
34 const [claims, setClaims] = useState<ClaimData[]>([]);
35 const [loading, setLoading] = useState(true);
36 const [error, setError] = useState<React.ReactNode | null>(null);
37 const [isDeleting, setIsDeleting] = useState(false);
38 const [deletingClaim, setDeletingClaim] = useState<ClaimData | null>(null);
39 const [deleteLoading, setDeleteLoading] = useState(false);
40
41 useEffect(() => {
42 if (!productId) {
43 setError(t('Invalid product ID'));
44 setLoading(false);
45 return;
46 }
47
48 const fetchData = async () => {
49 try {
50 setLoading(true);
51 const [productResponse, claimsResponse] = await Promise.all([
52 api.get(`/products/${productId}`),
53 api.get(`/claims/products/${productId}/claims`),
54 ]);
55
56 setProduct(productResponse.data.data);
57 setClaims(claimsResponse.data.data || []);
58 setLoading(false);
59 } catch (error) {
60 console.error("Error fetching data:", error);
61 setError(t('Failed to load data'));
62 setLoading(false);
63 }
64 };
65
66 fetchData();
67 }, [productId]);
68
69 const handleCreateClaim = () => {
70 router.push(`/products/${productId}/claims/new`);
71 };
72
73 const handleViewClaim = (claim: ClaimData) => {
74 router.push(`/products/${productId}/claims/${claim.id}`);
75 };
76
77 const handleDeleteClaim = (claim: ClaimData, event: React.MouseEvent) => {
78 event.stopPropagation();
79 setDeletingClaim(claim);
80 setIsDeleting(true);
81 };
82
83 const handleCancelDelete = () => {
84 setIsDeleting(false);
85 setDeletingClaim(null);
86 };
87
88 const handleConfirmDelete = async () => {
89 if (!deletingClaim || !productId) {
90 return;
91 }
92
93 try {
94 setDeleteLoading(true);
95 await api.delete(`/claims/${deletingClaim.id}`);
96
97 // Refresh the claims list
98 const claimsResponse = await api.get(`/claims/products/${productId}/claims`);
99 setClaims(claimsResponse.data.data || []);
100
101 setIsDeleting(false);
102 setDeletingClaim(null);
103 showSuccessToast(t('Claim deleted successfully'));
104 } catch (error) {
105 console.error("Error deleting claim:", error);
106 showErrorToast(t('Failed to delete claim'));
107 } finally {
108 setDeleteLoading(false);
109 }
110 };
111
112 if (loading) {
113 return (
114 <ProtectedRoute>
115 <CRMOnlyRoute>
116 <AppLayout>
117 <div className="px-4 py-6 sm:px-0">
118 <div className="overflow-hidden rounded-md bg-white shadow-md">
119 <div className="flex h-64 items-center justify-center">
120 <div className="text-center">
121 <div className="mb-4 h-12 w-12 animate-spin rounded-full border-4 border-blue-600 border-t-transparent"></div>
122 <p className="text-gray-600">{t('Loading claims...')}</p>
123 </div>
124 </div>
125 </div>
126 </div>
127 </AppLayout>
128 </CRMOnlyRoute>
129 </ProtectedRoute>
130 );
131 }
132
133 if (error || !product) {
134 return (
135 <ProtectedRoute>
136 <CRMOnlyRoute>
137 <AppLayout>
138 <div className="px-4 py-6 sm:px-0">
139 <div className="overflow-hidden rounded-md bg-white shadow-md">
140 <div className="p-6 text-center">
141 <p className="text-red-600">{error || t('Product not found')}</p>
142 </div>
143 </div>
144 </div>
145 </AppLayout>
146 </CRMOnlyRoute>
147 </ProtectedRoute>
148 );
149 }
150
151 return (
152 <ProtectedRoute>
153 <CRMOnlyRoute>
154 <AppLayout>
155 <div className="px-4 py-6 sm:px-0">
156 <div className="overflow-hidden rounded-md bg-white shadow-md">
157 <div className="p-6">
158 <div className="mb-6 flex items-center justify-between">
159 <div>
160 <h2 className="text-2xl font-bold text-gray-900">{t('Claims')}</h2>
161 <p className="text-sm text-gray-600">
162 {t('Manage claim templates and processing workflows for this product')}
163 </p>
164 </div>
165 <Button onClick={handleCreateClaim}>
166 <PlusCircle className="mr-2 h-4 w-4" />
167 {t('Create New Claim')}
168 </Button>
169 </div>
170
171 {claims.length === 0 ? (
172 <div className="rounded-md border py-8 text-center">
173 <p className="text-gray-500">{t('No claims created yet for this product.')}</p>
174 <Button onClick={handleCreateClaim} variant="outline" className="mt-4">
175 <PlusCircle className="mr-2 h-4 w-4" />
176 {t('Create First Claim')}
177 </Button>
178 </div>
179 ) : (
180 <div className="overflow-hidden rounded-md border">
181 <table className="min-w-full divide-y divide-gray-300">
182 <thead className="bg-gray-50">
183 <tr>
184 <th
185 scope="col"
186 className="px-6 py-3 text-left text-sm font-medium text-gray-700"
187 >
188 <div className="flex items-center">
189 <span>{t('Name')}</span>
190 </div>
191 </th>
192 <th
193 scope="col"
194 className="px-6 py-3 text-left text-sm font-medium text-gray-700"
195 >
196 <div className="flex items-center">
197 <span>{t('Status')}</span>
198 </div>
199 </th>
200 <th
201 scope="col"
202 className="px-6 py-3 text-left text-sm font-medium text-gray-700"
203 >
204 <div className="flex{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx"}1 "use client";
2
3 import React, { useEffect, useState } from "react";
4
5 import Image from "next/image";
6 import Link from "next/link";
7 import { usePathname, useRouter, useSearchParams } from "next/navigation";
8
9 import {
10 Menu,
11 X,
12 XCircle,
13 User,
14 LogOut,
15 Settings,
16 Users,
17 ShoppingBag,
18 LayoutDashboard,
19 UserCircle,
20 FileText,
21 ClipboardList,
22 Calculator,
23 Shield,
24 ChevronLeft,
25 ChevronRight,
26 ChevronDown,
27 ArrowLeft,
28 Eye,
29 DollarSign,
30 Package,
31 FileCheck,
32 AlertCircle,
33 ScrollText,
34 Mail,
35 Tag,
36 Code,
37 Receipt,
38 BookOpen,
39 Layers,
40 Database,
41 FolderOpen,
42 Zap,
43 MessageCircle,
44 Server,
45 CreditCard,
46 } from "lucide-react";
47
48 import { useTranslation } from "@gangkharai/lmt/client";
49 import { EnhancedLocaleSwitcher } from "./EnhancedLocaleSwitcher";
50 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
51 import { DevFlagsSummary } from "../dev/flags/components/DevFlagsSummary";
52 import { DevPreviewBadge } from "../dev/flags/components/DevPreviewBadge";
53 import { useDevFlags } from "../dev/flags/components/DevFlagsProvider";
54 import Loader from "./Loader";
55 import Toast, { showErrorToast } from "./Toast";
56 import { useAuth } from "../components/AuthProvider";
57 import { useOrganization } from "../components/OrganizationProvider";
58 import { usePermissions } from "../src/contexts/PermissionsContext";
59 import { PERMISSIONS } from "../types/permissions";
60 import { MenuItem, ProductGroup, NavigationMode } from "../types/navigation";
61 import { NavigationProvider } from "./navigation/NavigationContext";
62 import { useProductReadiness, SidebarKey } from "../src/hooks/useProductReadiness";
63 import { NavigationItem } from "./navigation/NavigationItem";
64 import { ProductGroupNav } from "./navigation/ProductGroupNav";
65 import { OrganizationSwitcherSection } from "./navigation/OrganizationSwitcherSection";
66 import { OrganizationContextBanner } from "./OrganizationContextBanner";
67 import { useAssistantSidebarStore } from "@/app/src/store/assistantSidebarStore";
68
69 interface AppLayoutProps {
70 children: React.ReactNode;
71 chatMode?: boolean;
72 }
73
74 const AppLayout: React.FC<AppLayoutProps> = ({ children, chatMode = false }) => {
75 const t = useTranslation();
76 const { user, logout } = useAuth();
77 const { organization } = useOrganization();
78 const { hasPermission } = usePermissions();
79 const { flags } = useDevFlags();
80 const router = useRouter();
81 const pathname = usePathname();
82 const searchParams = useSearchParams();
83 const [isSidebarCollapsed, setIsSidebarCollapsed] = useState(false);
84 const isAssistantOpen = useAssistantSidebarStore((s) => s.isOpen);
85 const assistantActive = flags.sherpaAssistant && isAssistantOpen;
86 const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
87 const [isProfileDropdownOpen, setIsProfileDropdownOpen] = useState(false);
88
89 useEffect(() => {
90 try {
91 const pending = sessionStorage.getItem("pendingErrorToast");
92 if (pending) {
93 showErrorToast(pending);
94 sessionStorage.removeItem("pendingErrorToast");
95 }
96 } catch {}
97 }, []);
98
99 useEffect(() => {
100 const sidebarWidth = isSidebarCollapsed ? 80 : 256;
101 document.documentElement.style.setProperty("--sidebar-width", `${sidebarWidth}px`);
102 }, [isSidebarCollapsed]);
103
104 // Route through AuthProvider.logout, which calls endSession({ captureIntent:
105 // false }) — the single termination path (§6.2). endSession does its own
106 // full-page navigation to /login, so no router.push afterwards.
107 const handleLogout = () => {
108 logout();
109 };
110
111 const hasAdminAccess = hasPermission(PERMISSIONS.organizations.manage_all.value);
112
113 // Shared items that appear above product groups (no label)
114 const topItems: MenuItem[] = [
115 ...(flags.chatV1 ? [{
116 name: t('Chat'),
117 href: "/chat",
118 icon: MessageCircle,
119 key: "chat",
120 badge: <DevPreviewBadge />
121 }] : []),
122 ];
123
124 // Product groups for normal mode navigation
125 const sherpaPlusItems: MenuItem[] = [
126 { name: t('Products'), href: "/products", icon: ShoppingBag, key: "products" },
127 {
128 name: t('Policy Management'),
129 href: "/policy-management",
130 icon: ClipboardList,
131 key: "policy-management",
132 },
133 { name: t('Customers'), href: "/customers", icon: Users, key: "customers" },
134 { name: t('Financials'), href: "/financials", icon: Calculator, key: "financials" },
135 ...(hasAdminAccess ? [{ name: t('Admin'), href: "/admin", icon: Users, key: "admin" }] : []),
136 ];
137
138 const sherpaLensItems: MenuItem[] = [
139 {
140 name: t('Optimizations'),
141 href: "/lens/optimizations",
142 icon: Zap,
143 key: "lens-optimizations",
144 },
145 ];
146
147 // Shared items (bottom group, no label)
148 const sharedItems: MenuItem[] = [
149 { name: t('Data'), href: "/data", icon: Database, key: "data" },
150 ...(flags.mcp ? [{
151 name: t('MCP'),
152 href: "/mcp",
153 icon: Server,
154 key: "mcp",
155 badge: <DevPreviewBadge />
156 }] : []),
157 ];
158
159 const productGroups: ProductGroup[] = [
160 { id: "top", name: null, items: topItems },
161 { id: "sherpa-plus", name: t('Sherpa Plus'), items: sherpaPlusItems },
162 ...(sherpaLensItems.length > 0
163 ? [{ id: "sherpa-lens", name: t('Sherpa Lens'), items: sherpaLensItems }]
164 : []),
165 ...(sharedItems.length > 0 ? [{ id: "shared", name: null, items: sharedItems }] : []),
166 ];
167
168 // Profile menu items (shown in footer dropdown)
169 const profileMenuItems: MenuItem[] = [
170 { name: t('Settings'), href: "/settings", icon: Settings, key: "settings" },
171 { name: t('Profile'), href: "/profile", icon: UserCircle, key: "profile" },
172 ];
173
174 const settingsItem = profileMenuItems.find((item) => item.key === "settings");
175 const profileItem = profileMenuItems.find((item) => item.key === "profile");
176
177 const toggleSidebar = () => {
178 setIsSidebarCollapsed(!isSidebarCollapsed);
179 };
180
181 const toggleMobileMenu = () => {
182 setIsMobileMenuOpen(!isMobileMenuOpen);
183 };
184
185 const toggleProfileDropdown = () => {
186 setIsProfileDropdownOpen(!isProfileDropdownOpen);
187 };
188
189 const productIdMatch = pathname.match(/^\/products\/(\d+)/);
190 const isProductContext = !!productIdMatch;
191 const productId = productIdMatch?.[1] || null;
192 const productIdForReadiness = productId ? parseInt(productId, 10) : null;
193 const { readiness: productReadiness } = useProductReadiness(productIdForReadiness);
194
195 if (!user) {
196 return <Loader />;
197 }
198
199 const bundleIdMatch = pathname.match(/^\/bundles\/(\d+)/);
200 const isBundleContext = !!bundleIdMatch;
201 const bundleId = bundleIdMatch?.[1] || null;
202
203 const isAdminContext = pathname === "/admin";
204 const isFinancialsContext = pathname.startsWith("/financials");
205
206 const navigationMode: NavigationMode = isProductContext
207 ? "product"
208 : isBundleContext
209 ? "bundle"
210 : isAdminContext
211 ? "admin"
212 : isFinancialsContext
213 ? "financials"
214 : "normal";
215
216 const navigationContextValue = {
217 pathname,
218 searchParams,
219 mode: navigationMode,
220 productId,
221 bundleId,
222 collapsed: isSidebarCollapsed,
223 };
224
225 const productMenuItems: MenuItem[] = [
226 {
227 name: t('Overview'),
228 href: `/products/${productId}`,
229 icon: Eye,
230 key: "o{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/src/utils/api.ts"}1 import axios, { AxiosInstance, InternalAxiosRequestConfig, AxiosRequestConfig } from "axios";
2 import { jwtDecode } from "jwt-decode";
3
4 import { getSherpaApiUrl } from "./env";
5 import { endSession } from "./session";
6 import useAuthStore from "../store/authStore";
7 import useConnectionStore from "../store/connectionStore";
8
9 // Paths that never carry a user's Authorization header. The request
10 // interceptor skips both the attach and the pre-refresh check on these; the
11 // response interceptor skips the refresh-and-retry chain on 401 from these.
12 // A 401 from a credential-less request is not a verdict on the user's session
13 // — see rfc/ideas/organization-resolution-and-auth-policy.md §6.1.
14 //
15 // INVARIANT: every entry MUST start with `/v1/`. The request interceptor
16 // rewrites legacy `/auth/...` and bare paths into `/v1/...` BEFORE this list
17 // is consulted, so any non-`/v1/` entry here is unreachable and indicates a
18 // refactor drift. The module-load assertion below fails fast if violated.
19 const NO_AUTH_PATHS = [
20 "/v1/auth/login",
21 "/v1/auth/customer/login",
22 "/v1/auth/register",
23 "/v1/auth/forgot-password",
24 "/v1/auth/refresh-token",
25 "/v1/auth/customer/refresh-token",
26 "/v1/organization",
27 "/v1/health/self",
28 ];
29
30 // Fail fast on refactor breakage: surfaces a missing rewrite or a stale entry
31 // at startup rather than as a silent auth-attach regression at runtime.
32 for (const path of NO_AUTH_PATHS) {
33 if (!path.startsWith("/v1/")) {
34 throw new Error(
35 `NO_AUTH_PATHS invariant violated: "${path}" must start with "/v1/". ` +
36 `The request interceptor only sees rewritten /v1/* URLs.`,
37 );
38 }
39 }
40
41 function stripQuery(url: string | undefined): string {
42 return (url || "").split("?")[0];
43 }
44
45 function isNoAuthPath(url: string | undefined): boolean {
46 return NO_AUTH_PATHS.includes(stripQuery(url));
47 }
48
49 class ApiService {
50 private static instance: ApiService;
51 private api: AxiosInstance;
52 private isRefreshing: boolean = false;
53
54 private constructor() {
55 this.api = axios.create({
56 baseURL: getSherpaApiUrl(),
57 validateStatus: (status) => (status >= 200 && status < 300) || status === 304,
58 });
59
60 this.setupInterceptors();
61 }
62
63 private failedQueue: Array<{
64 resolve: (value?: unknown) => void;
65 reject: (reason?: unknown) => void;
66 }> = [];
67
68 private processQueue(error: Error | null = null): void {
69 this.failedQueue.forEach((promise) => {
70 if (error) {
71 promise.reject(error);
72 } else {
73 promise.resolve();
74 }
75 });
76 this.failedQueue = [];
77 }
78
79 public static getInstance(): ApiService {
80 if (!ApiService.instance) {
81 ApiService.instance = new ApiService();
82 }
83 return ApiService.instance;
84 }
85
86 public getAxiosInstance(): AxiosInstance {
87 return this.api;
88 }
89
90 public isTokenExpired(token: string): boolean {
91 try {
92 const decoded = jwtDecode(token);
93 const currentTime = Date.now() / 1000;
94 return decoded.exp ? decoded.exp < currentTime : false;
95 } catch {
96 return true;
97 }
98 }
99
100 public isCustomerToken(token: string): boolean {
101 try {
102 const decoded = jwtDecode<{ tokenType?: string }>(token);
103 return decoded.tokenType === "customer";
104 } catch {
105 return false;
106 }
107 }
108
109 public async refreshAuthToken(): Promise<string | null> {
110 try {
111 const refreshToken = useAuthStore.getState().refreshToken;
112 if (!refreshToken) {
113 // No refresh token to use — the session was already over.
114 endSession({ captureIntent: true });
115 return null;
116 }
117
118 const isCustomer = this.isCustomerToken(refreshToken);
119 const refreshUrl = isCustomer
120 ? `${getSherpaApiUrl()}/v1/auth/customer/refresh-token`
121 : `${getSherpaApiUrl()}/v1/auth/refresh-token`;
122
123 const localeValue = this.getLocaleCookie();
124 const response = await axios.post(
125 refreshUrl,
126 { refreshToken },
127 {
128 headers: localeValue
129 ? {
130 "Content-Type": "application/json",
131 "locale": localeValue,
132 }
133 : {
134 "Content-Type": "application/json",
135 },
136 validateStatus: (status) => (status >= 200 && status < 300) || status === 304,
137 }
138 );
139
140 if (response.data.status !== "success") {
141 throw new Error("Refresh token response status is not success");
142 }
143
144 const { accessToken, refreshToken: newRefreshToken } = response.data.data;
145 if (!accessToken || !newRefreshToken) {
146 throw new Error("Missing tokens in refresh response");
147 }
148
149 useAuthStore.getState().setTokens(accessToken, newRefreshToken);
150 return accessToken;
151 } catch (err) {
152 // Distinguish "the refresh endpoint rejected the token" (4xx → real
153 // session-end signal per §6.1) from "the refresh request itself failed
154 // because the network/server is having a moment" (transient → keep the
155 // session, let the health poller recover). Only the former ends session.
156 const e = err as { response?: { status?: number }; code?: string };
157 const status = e?.response?.status;
158 const isCredentialRejection = status === 401 || status === 403;
159 if (isCredentialRejection) {
160 endSession({ captureIntent: true });
161 } else if (
162 !e?.response &&
163 (e?.code === "ERR_NETWORK" || e?.code === "ERR_CONNECTION_REFUSED")
164 ) {
165 useConnectionStore.getState().markFailure();
166 }
167 return null;
168 }
169 }
170
171 private getLocaleCookie(): string | null {
172 if (typeof document === "undefined") return null;
173
174 const cookies = document.cookie.split(";");
175 const localeCookie = cookies.find((cookie) => cookie.trim().startsWith("locale="));
176 if (localeCookie) {
177 return localeCookie.split("=")[1].trim();
178 }
179 return null;
180 }
181
182 private setupInterceptors(): void {
183 this.api.interceptors.request.use(
184 async (config: InternalAxiosRequestConfig & { sherpaAdmin?: boolean }) => {
185 const rawUrl = config.url || "/";
186 const ensured = rawUrl.startsWith("/") ? rawUrl : `/${rawUrl}`;
187 if (!ensured.startsWith("/v1/")) {
188 const isAdmin = config.sherpaAdmin !== false;
189 if (ensured.startsWith("/auth")) {
190 config.url = `/v1${ensured}`;
191 } else {
192 config.url = isAdmin ? `/v1/plus${ensured}` : `/v1${ensured}`;
193 }
194 } else {
195 config.url = ensured;
196 }
197 try {
198 void useAuthStore.getState().accessToken;
199 } catch {}
200 const localeValue = this.getLocaleCookie();
201 if (localeValue) {
202 config.headers["locale"] = localeValue;
203 }
204
205 // Credential-less routes: don't attach Authorization and don't trigger
206 // a pre-refresh on expired tokens. A response from these routes is
207 // never a verdict on the user's session.
208 if (isNoAuthPath(config.url)) {
209 return config;
210 }
211
212 let accessToken = useAuthStore.getState().accessToken;
213
214 // If a refresh is already in progress, wait for it to complete
215 if (this.isRefreshing) {
216 return new Promise((resolve, reject) => {
217 this.failedQueue{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/Toast.tsx"}1 import React from "react";
2
3 import { X } from "lucide-react";
4 import { ToastContainer, toast, cssTransition } from "react-toastify";
5 import "react-toastify/dist/ReactToastify.css";
6
7 // Toast component - no translatable strings (utility component)
8 // Custom animations for our toasts
9 const slideDown = cssTransition({
10 enter: "animate__animated animate__slideInDown",
11 exit: "animate__animated animate__slideOutUp",
12 });
13
14 // Create a custom toast notification system
15 export const showSuccessToast = (message: React.ReactNode) => {
16 toast.success(<SuccessToast message={message} />, {
17 position: "top-center",
18 autoClose: 4000,
19 hideProgressBar: false,
20 closeOnClick: true,
21 pauseOnHover: true,
22 draggable: false,
23 className: "toast-success-container",
24 progressClassName: "toast-success-progress",
25 });
26 };
27
28 export const showErrorToast = (message: React.ReactNode) => {
29 toast.error(<ErrorToast message={message} />, {
30 position: "top-center",
31 autoClose: 5000,
32 hideProgressBar: false,
33 closeOnClick: true,
34 pauseOnHover: true,
35 draggable: false,
36 className: "toast-error-container",
37 progressClassName: "toast-error-progress",
38 });
39 };
40
41 // Custom toast components for success and error messages
42 export const SuccessToast = ({ message }: { message: React.ReactNode }) => (
43 <div className="flex items-center">
44 <span className="font-medium text-white">{message}</span>
45 </div>
46 );
47
48 export const ErrorToast = ({ message }: { message: React.ReactNode }) => (
49 <div className="flex items-center">
50 <span className="font-medium text-white">{message}</span>
51 </div>
52 );
53
54 // Custom close button
55 const CloseButton = ({ closeToast }: { closeToast: () => void }) => (
56 <button
57 onClick={closeToast}
58 className="hover:bg-opacity-20 ml-4 flex-shrink-0 rounded-full p-1 transition-colors duration-200 hover:bg-white"
59 >
60 <X className="h-4 w-4 text-white" />
61 </button>
62 );
63
64 // Toast styles to be included in the component
65 const toastStyles = `
66 .toast-success-container {
67 background: linear-gradient(to right, #10B981, #059669) !important;
68 box-shadow: 0 8px 16px rgba(16, 185, 129, 0.2) !important;
69 border-radius: 8px !important;
70 padding: 12px 16px !important;
71 margin-top: 16px !important;
72 transform: translateY(-5px);
73 }
74
75 .toast-error-container {
76 background: linear-gradient(to right, #EF4444, #DC2626) !important;
77 box-shadow: 0 8px 16px rgba(239, 68, 68, 0.2) !important;
78 border-radius: 8px !important;
79 padding: 12px 16px !important;
80 margin-top: 16px !important;
81 transform: translateY(-5px);
82 }
83
84 .toast-success-progress {
85 background: rgba(255, 255, 255, 0.4) !important;
86 }
87
88 .toast-error-progress {
89 background: rgba(255, 255, 255, 0.4) !important;
90 }
91
92 .Toastify__toast {
93 min-height: 56px !important;
94 border-radius: 8px !important;
95 transition: transform 0.3s ease !important;
96 }
97
98 .Toastify__toast:hover {
99 transform: translateY(-3px) !important;
100 }
101
102 .Toastify__toast-body {
103 align-items: center !important;
104 color: white !important;
105 font-weight: 500 !important;
106 }
107
108 @keyframes slideInDown {
109 from {
110 transform: translateY(-100%);
111 opacity: 0;
112 }
113 to {
114 transform: translateY(0);
115 opacity: 1;
116 }
117 }
118
119 @keyframes slideOutUp {
120 from {
121 transform: translateY(0);
122 opacity: 1;
123 }
124 to {
125 transform: translateY(-100%);
126 opacity: 0;
127 }
128 }
129
130 .animate__animated {
131 animation-duration: 0.5s;
132 animation-fill-mode: both;
133 }
134
135 .animate__slideInDown {
136 animation-name: slideInDown;
137 }
138
139 .animate__slideOutUp {
140 animation-name: slideOutUp;
141 }
142 `;
143
144 // Main Toast container component
145 const Toast = () => {
146 return (
147 <>
148 <style dangerouslySetInnerHTML={{ __html: toastStyles }} />
149 <ToastContainer
150 position="top-center"
151 autoClose={4000}
152 hideProgressBar={false}
153 newestOnTop
154 closeOnClick
155 rtl={false}
156 pauseOnFocusLoss
157 draggable={false}
158 pauseOnHover
159 theme="colored"
160 closeButton={CloseButton}
161 transition={slideDown}
162 limit={3}
163 />
164 </>
165 );
166 };
167
168 export default Toast;
169 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/claim.ts"}1 // Define types for Claims and related entities
2 export interface ClaimFormCoverage {
3 id: number;
4 name: string;
5 title: string | null;
6 code: string | null;
7 }
8
9 export interface ClaimData {
10 id: number;
11 name: string;
12 title?: string | null;
13 description: string | null;
14 version: number;
15 active: boolean;
16 productId: number;
17 parameters: ClaimParameter[];
18 coverages?: ClaimFormCoverage[];
19 createdAt: string;
20 updatedAt: string;
21 settings?: ClaimSetting[];
22 }
23
24 // Define a Parameter Category Page interface
25 export interface ClaimParameterCategoryPage {
26 id: number;
27 name: string;
28 label?: string;
29 description?: string | null;
30 order: number;
31 claimId: number;
32 categories?: ClaimParameterCategory[];
33 }
34
35 // Define a Parameter Category interface
36 export interface ClaimParameterCategory {
37 id: number;
38 name: string;
39 description?: string | null;
40 order: number;
41 claimId: number;
42 claimParameterCategoryPageId?: number | null;
43 page?: ClaimParameterCategoryPage;
44 parameters?: ClaimParameter[];
45 }
46
47 // Define a Parameter interface for claim parameters
48 export interface ClaimParameter {
49 id: number;
50 name: string;
51 label: string;
52 description?: string | null;
53 technicalDescription?: string | null;
54 required: boolean;
55 type: "string" | "number" | "boolean" | "date" | "datetime" | "select" | "singleChoice" | "multiChoice" | "multiSelect" | "object" | "textarea" | "file" | "address" | "location";
56 defaultValue?: string | number | boolean | null;
57 enumValues?: (string | number | boolean | { value: string; label?: string; description?: string; icon?: string })[];
58 pattern?: string | null;
59 options?: { label: string; value: string | number | boolean; description?: string; icon?: string }[];
60 path?: string | null;
61 order?: number;
62 dynamicEnumSource?: string | null;
63 dynamicEnumFilter?: string | null;
64 claimParameterCategoryId?: number | null;
65 category?: ClaimParameterCategory;
66 displayConditions?: import("./displayConditions").DisplayConditions | null;
67 dateConstraints?: import("./dateConstraints").DateConstraints | null;
68 // Semantic role decoupled from name. Set to "incidentDate" on the field
69 // used as the incident-date input when ProductSetting
70 // claimRequiresPolicyDateMatch is on for the product. Empty/null = no role.
71 role?: string | null;
72 }
73
74 // Parameter types that can carry a role. Only show the Role select on the
75 // claim parameter editor when the param's type is in this set. Add more
76 // types here as new role consumers are introduced.
77 export const CLAIM_PARAMETER_ROLE_ALLOWED_TYPES = ['date', 'datetime'] as const;
78 export type ClaimParameterRoleAllowedType =
79 (typeof CLAIM_PARAMETER_ROLE_ALLOWED_TYPES)[number];
80
81 // Define the parameter hierarchy structure
82 export interface ClaimParameterHierarchy {
83 pages: ClaimParameterCategoryPageWithData[];
84 uncategorizedParameters: ClaimParameter[];
85 }
86
87 export interface ClaimParameterCategoryPageWithData extends ClaimParameterCategoryPage {
88 categories: ClaimParameterCategoryWithData[];
89 }
90
91 export interface ClaimParameterCategoryWithData extends ClaimParameterCategory {
92 parameters: ClaimParameter[];
93 }
94
95 // Define a Setting interface for claim settings
96 export interface ClaimSetting {
97 id: number;
98 name: string;
99 label: string;
100 description?: string | null;
101 type: "string" | "number" | "boolean" | "date" | "datetime" | "select" | "singleChoice" | "multiChoice" | "multiSelect";
102 value: unknown;
103 options?: { label: string; value: string | number | boolean; description?: string; icon?: string }[];
104 claimId: number;
105 }
106
107 // Define a type for claim setting fields that can be selected when creating/editing claims
108 export interface ClaimSettingFieldType {
109 id: number;
110 name: string;
111 label: string;
112 description?: string;
113 type: "string" | "number" | "boolean" | "date" | "datetime" | "select" | "singleChoice" | "multiChoice" | "multiSelect";
114 defaultValue?: string | number | boolean | string[] | null;
115 options?: { label: string; value: string | number | boolean; description?: string; icon?: string }[];
116 }
117
118 // Parameters grouped by categories
119 export interface ClaimParametersType {
120 [key: string]: Record<string, unknown>;
121 }
122
123 // Related to displaying and executing claims
124 export interface ClaimDisplayData {
125 id?: string;
126 claimId?: string;
127 status?: string;
128 identifier?: string;
129 createdAt: string;
130 parameters?: ClaimParametersType | ClaimParameter[];
131 active?: boolean;
132 version?: string | number;
133 [key: string]: unknown;
134 }
135 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/ui/table.tsx"}1 import * as React from "react";
2 import { cn } from "@/app/lib/utils";
3
4 const Table = React.forwardRef<HTMLTableElement, React.HTMLAttributes<HTMLTableElement>>(
5 ({ className, ...props }, ref) => (
6 <div className="relative w-full overflow-auto">
7 <table ref={ref} className={cn("w-full caption-bottom text-sm", className)} {...props} />
8 </div>
9 )
10 );
11 Table.displayName = "Table";
12
13 const TableHeader = React.forwardRef<
14 HTMLTableSectionElement,
15 React.HTMLAttributes<HTMLTableSectionElement>
16 >(({ className, ...props }, ref) => (
17 <thead ref={ref} className={cn("[&_tr]:border-b", className)} {...props} />
18 ));
19 TableHeader.displayName = "TableHeader";
20
21 const TableBody = React.forwardRef<
22 HTMLTableSectionElement,
23 React.HTMLAttributes<HTMLTableSectionElement>
24 >(({ className, ...props }, ref) => (
25 <tbody ref={ref} className={cn("[&_tr:last-child]:border-0", className)} {...props} />
26 ));
27 TableBody.displayName = "TableBody";
28
29 const TableFooter = React.forwardRef<
30 HTMLTableSectionElement,
31 React.HTMLAttributes<HTMLTableSectionElement>
32 >(({ className, ...props }, ref) => (
33 <tfoot
34 ref={ref}
35 className={cn("bg-muted/50 border-t font-medium [&>tr]:last:border-b-0", className)}
36 {...props}
37 />
38 ));
39 TableFooter.displayName = "TableFooter";
40
41 const TableRow = React.forwardRef<HTMLTableRowElement, React.HTMLAttributes<HTMLTableRowElement>>(
42 ({ className, ...props }, ref) => (
43 <tr
44 ref={ref}
45 className={cn(
46 "hover:bg-muted/50 data-[state=selected]:bg-muted border-b transition-colors",
47 className
48 )}
49 {...props}
50 />
51 )
52 );
53 TableRow.displayName = "TableRow";
54
55 const TableHead = React.forwardRef<
56 HTMLTableCellElement,
57 React.ThHTMLAttributes<HTMLTableCellElement>
58 >(({ className, ...props }, ref) => (
59 <th
60 ref={ref}
61 className={cn(
62 "text-muted-foreground h-12 px-4 text-left align-middle font-medium [&:has([role=checkbox])]:pr-0",
63 className
64 )}
65 {...props}
66 />
67 ));
68 TableHead.displayName = "TableHead";
69
70 const TableCell = React.forwardRef<
71 HTMLTableCellElement,
72 React.TdHTMLAttributes<HTMLTableCellElement>
73 >(({ className, ...props }, ref) => (
74 <td
75 ref={ref}
76 className={cn("p-4 align-middle [&:has([role=checkbox])]:pr-0", className)}
77 {...props}
78 />
79 ));
80 TableCell.displayName = "TableCell";
81
82 const TableCaption = React.forwardRef<
83 HTMLTableCaptionElement,
84 React.HTMLAttributes<HTMLTableCaptionElement>
85 >(({ className, ...props }, ref) => (
86 <caption ref={ref} className={cn("text-muted-foreground mt-4 text-sm", className)} {...props} />
87 ));
88 TableCaption.displayName = "TableCaption";
89
90 export { Table, TableHeader, TableBody, TableFooter, TableHead, TableRow, TableCell, TableCaption };
91 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/ui/badge.tsx"}1 "use client";
2
3 import * as React from "react";
4
5 import { cva, type VariantProps } from "class-variance-authority";
6
7 import { cn } from "@/app/lib/utils";
8
9 const badgeVariants = cva(
10 "inline-flex items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2",
11 {
12 variants: {
13 variant: {
14 default: "border-transparent bg-primary text-primary-foreground hover:bg-primary/80",
15 secondary:
16 "border-transparent bg-secondary text-secondary-foreground hover:bg-secondary/80",
17 destructive:
18 "border-transparent bg-destructive text-destructive-foreground hover:bg-destructive/80",
19 outline: "text-foreground",
20 },
21 },
22 defaultVariants: {
23 variant: "default",
24 },
25 }
26 );
27
28 export interface BadgeProps
29 extends React.HTMLAttributes<HTMLDivElement>,
30 VariantProps<typeof badgeVariants> {}
31
32 function Badge({ className, variant, ...props }: BadgeProps) {
33 return <div className={cn(badgeVariants({ variant }), className)} {...props} />;
34 }
35
36 export { Badge, badgeVariants };
37
38 // Badge UI component - no translatable strings
39 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/ui/button.tsx"}1 "use client";
2
3 // Processed for translation
4 import * as React from "react";
5
6 import { cva, type VariantProps } from "class-variance-authority";
7
8 import { cn } from "@/app/lib/utils";
9
10 // Button UI component - no translatable strings
11 const buttonVariants = cva(
12 "inline-flex items-center justify-center rounded-md text-sm font-medium shadow-sm transition-colors duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:pointer-events-none",
13 {
14 variants: {
15 variant: {
16 default:
17 "bg-primary-dynamic hover:bg-primary-dynamic-700 text-white ring-primary-dynamic-700",
18 destructive:
19 "bg-destructive text-destructive-foreground hover:bg-destructive/90 focus:ring-destructive",
20 outline:
21 "border border-input bg-white hover:bg-accent hover:text-accent-foreground ring-primary-dynamic-700",
22 secondary:
23 "bg-secondary text-secondary-foreground hover:bg-secondary/80 focus:ring-secondary",
24 ghost: "hover:bg-accent hover:text-accent-foreground focus:ring-accent",
25 link: "underline-offset-4 hover:underline text-primary focus:ring-primary",
26 green: "bg-green-600 hover:bg-green-700 focus:ring-green-500 text-white",
27 red: "bg-red-100 text-red-700 hover:bg-red-200 focus:ring-red-500",
28 none: "bg-none text-primary-dynamic border-none shadow-none mt-0 cursor-pointer hover:text-blue-500",
29 },
30 size: {
31 default: "h-10 py-2 px-4",
32 sm: "h-9 px-3 rounded-md",
33 lg: "h-11 px-8 rounded-md",
34 },
35 },
36 compoundVariants: [
37 {
38 variant: "none",
39 class: "h-auto p-0 rounded-none",
40 },
41 ],
42 defaultVariants: {
43 variant: "default",
44 size: "default",
45 },
46 }
47 );
48
49 export interface ButtonProps
50 extends React.ButtonHTMLAttributes<HTMLButtonElement>,
51 VariantProps<typeof buttonVariants> {}
52
53 const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
54 ({ className, variant, size, ...props }, ref) => {
55 return (
56 <button className={cn(buttonVariants({ variant, size, className }))} ref={ref} {...props} />
57 );
58 }
59 );
60 Button.displayName = "Button";
61
62 export { Button, buttonVariants };
63 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/ui/input.tsx"}1 "use client";
2
3 // Processed for translation
4 import React, { useState, forwardRef, useId } from "react";
5
6 import { Eye, EyeOff } from "lucide-react";
7 import { useTranslation } from "@gangkharai/lmt/client";
8
9 interface CustomInputProps extends React.InputHTMLAttributes<HTMLInputElement> {
10 isInvalid?: boolean;
11 label?: string;
12 helperText?: string;
13 errorMessage?: string;
14 showPasswordToggle?: boolean;
15 wrapperClassName?: string;
16 }
17
18 export const Input = forwardRef<HTMLInputElement, CustomInputProps>(
19 (
20 {
21 className = "",
22 isInvalid = false,
23 label,
24 helperText,
25 errorMessage,
26 id,
27 type = "text",
28 showPasswordToggle = true,
29 wrapperClassName = "",
30 ...rest
31 },
32 ref
33 ) => {
34 const t = useTranslation();
35 const [showPassword, setShowPassword] = useState(false);
36 const generatedId = useId();
37 // Use provided id or fall back to a stable generated ID
38 const inputId = id || `input-${generatedId}`;
39
40 // Handle special input types
41 const isCheckbox = type === "checkbox";
42 const isRadio = type === "radio";
43 const isPassword = type === "password";
44 const inputType = isPassword && showPassword ? "text" : type;
45
46 // Base className for standard inputs (not checkbox/radio)
47 const standardInputClassName = `block w-full appearance-none rounded-md border px-3 py-2 placeholder-gray-400 shadow-sm focus:border-blue-500 focus:outline-none focus:ring-blue-500 sm:text-sm ${
48 isInvalid ? "border-red-500" : "border-gray-300"
49 }`;
50
51 // Determine the final className
52 let inputClassName = "";
53 if (isCheckbox || isRadio) {
54 // Keep original className for checkboxes and radios
55 inputClassName = className;
56 } else {
57 // For other inputs, merge our standard styling with any provided class
58 inputClassName = `${standardInputClassName} ${className}`;
59 }
60
61 const togglePasswordVisibility = () => {
62 setShowPassword(!showPassword);
63 };
64
65 // Different rendering for checkboxes and radios vs other inputs
66 if (isCheckbox || isRadio) {
67 return (
68 <div className={wrapperClassName}>
69 <input ref={ref} id={inputId} type={type} className={inputClassName} {...rest} />
70 {label && (
71 <label htmlFor={inputId} className="ml-2 text-sm text-gray-700">
72 {label}
73 </label>
74 )}
75 {helperText && !isInvalid && <p className="mt-1 text-sm text-gray-500">{helperText}</p>}
76 {errorMessage && isInvalid && <p className="mt-1 text-sm text-red-600">{errorMessage}</p>}
77 </div>
78 );
79 }
80
81 return (
82 <div className={wrapperClassName}>
83 {label && (
84 <label htmlFor={inputId} className="block text-sm font-medium text-gray-700">
85 {label}
86 </label>
87 )}
88 <div className="relative mt-1">
89 <input ref={ref} id={inputId} className={inputClassName} type={inputType} {...rest} />
90 {isPassword && showPasswordToggle && (
91 <button
92 type="button"
93 onClick={togglePasswordVisibility}
94 className="absolute inset-y-0 right-0 flex items-center px-3 focus:outline-none"
95 tabIndex={-1}
96 aria-label={showPassword ? t("Hide password") : t("Show password")}
97 >
98 {showPassword ? (
99 <EyeOff className="h-4 w-4 text-gray-500" />
100 ) : (
101 <Eye className="h-4 w-4 text-gray-500" />
102 )}
103 </button>
104 )}
105 </div>
106 {helperText && !isInvalid && <p className="mt-1 text-sm text-gray-500">{helperText}</p>}
107 {errorMessage && isInvalid && <p className="mt-1 text-sm text-red-600">{errorMessage}</p>}
108 </div>
109 );
110 }
111 );
112
113 Input.displayName = "Input";
114
115 // Input UI component - no translatable strings
116 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/ui/dialog.tsx"}1 "use client";
2
3 import * as React from "react";
4
5 import * as DialogPrimitive from "@radix-ui/react-dialog";
6 import { X } from "lucide-react";
7
8 import { cn } from "@/app/lib/utils";
9
10 // Dialog UI component - processed for translation
11 const Dialog = DialogPrimitive.Root;
12
13 const DialogTrigger = DialogPrimitive.Trigger;
14
15 const DialogPortal = ({ ...props }: DialogPrimitive.DialogPortalProps) => (
16 <DialogPrimitive.Portal {...props} />
17 );
18 DialogPortal.displayName = DialogPrimitive.Portal.displayName;
19
20 const DialogOverlay = React.forwardRef<
21 React.ElementRef<typeof DialogPrimitive.Overlay>,
22 React.ComponentPropsWithoutRef<typeof DialogPrimitive.Overlay>
23 >(({ className, ...props }, ref) => (
24 <DialogPrimitive.Overlay
25 ref={ref}
26 className={cn(
27 "data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 fixed inset-0 z-50 bg-black/80 backdrop-blur-sm",
28 className
29 )}
30 {...props}
31 />
32 ));
33 DialogOverlay.displayName = DialogPrimitive.Overlay.displayName;
34
35 const DialogContent = React.forwardRef<
36 React.ElementRef<typeof DialogPrimitive.Content>,
37 React.ComponentPropsWithoutRef<typeof DialogPrimitive.Content>
38 >(({ className, children, ...props }, ref) => (
39 <DialogPortal>
40 <DialogOverlay />
41 <DialogPrimitive.Content
42 ref={ref}
43 className={cn(
44 "data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[state=closed]:slide-out-to-left-1/2 data-[state=closed]:slide-out-to-top-[48%] data-[state=open]:slide-in-from-left-1/2 data-[state=open]:slide-in-from-top-[48%] fixed left-[50%] top-[50%] z-50 grid w-full max-w-lg translate-x-[-50%] translate-y-[-50%] gap-4 border bg-white p-6 shadow-lg duration-200 sm:rounded-md md:w-full",
45 className
46 )}
47 {...props}
48 >
49 {children}
50 <DialogPrimitive.Close className="absolute top-4 right-4 rounded-sm opacity-70 ring-offset-white transition-opacity hover:opacity-100 focus:ring-2 focus:ring-gray-950 focus:ring-offset-2 focus:outline-none disabled:pointer-events-none data-[state=open]:bg-gray-100 data-[state=open]:text-gray-500">
51 <X className="h-4 w-4" />
52 <span className="sr-only">Close</span>
53 </DialogPrimitive.Close>
54 </DialogPrimitive.Content>
55 </DialogPortal>
56 ));
57 DialogContent.displayName = DialogPrimitive.Content.displayName;
58
59 const DialogHeader = ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) => (
60 <div className={cn("flex flex-col space-y-1.5 text-center sm:text-left", className)} {...props} />
61 );
62 DialogHeader.displayName = "DialogHeader";
63
64 const DialogFooter = ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) => (
65 <div
66 className={cn("flex flex-col-reverse sm:flex-row sm:justify-end sm:space-x-2", className)}
67 {...props}
68 />
69 );
70 DialogFooter.displayName = "DialogFooter";
71
72 const DialogTitle = React.forwardRef<
73 React.ElementRef<typeof DialogPrimitive.Title>,
74 React.ComponentPropsWithoutRef<typeof DialogPrimitive.Title>
75 >(({ className, ...props }, ref) => (
76 <DialogPrimitive.Title
77 ref={ref}
78 className={cn("text-lg leading-none font-semibold tracking-tight", className)}
79 {...props}
80 />
81 ));
82 DialogTitle.displayName = DialogPrimitive.Title.displayName;
83
84 const DialogDescription = React.forwardRef<
85 React.ElementRef<typeof DialogPrimitive.Description>,
86 React.ComponentPropsWithoutRef<typeof DialogPrimitive.Description>
87 >(({ className, ...props }, ref) => (
88 <DialogPrimitive.Description
89 ref={ref}
90 className={cn("text-sm text-gray-500", className)}
91 {...props}
92 />
93 ));
94 DialogDescription.displayName = DialogPrimitive.Description.displayName;
95
96 export {
97 Dialog,
98 DialogTrigger,
99 DialogContent,
100 DialogHeader,
101 DialogFooter,
102 DialogTitle,
103 DialogDescription,
104 };
105 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/paymentProvider.ts"}1 export type PayoutCadence = "immediate" | "weekly";
2 export type PayoutWeekday = "mon" | "tue" | "wed" | "thu" | "fri" | "sat" | "sun";
3
4 export interface PaymentProviderConfigBody {
5 // Provider credentials (e.g. Stripe connectedAccountId)
6 connectedAccountId?: string;
7 // Payout behavior — read by the backend's readPayoutBehavior() before
8 // any outbound transfer. All fields optional in JSONB; backend applies
9 // a fail-safe default of automaticPayoutEnabled=false when missing.
10 automaticPayoutEnabled?: boolean;
11 payoutCadence?: PayoutCadence;
12 payoutWeeklyRunDay?: PayoutWeekday;
13 payoutWeeklyRunHour?: number; // 0-23 UTC
14 // Provider may stash other arbitrary keys we don't model here
15 [key: string]: unknown;
16 }
17
18 export interface PaymentProviderConfig {
19 id: number;
20 providerKey: string;
21 config: PaymentProviderConfigBody;
22 active: boolean;
23 createdAt: string;
24 updatedAt: string;
25 }
26
27 export interface PaymentMethod {
28 id: string;
29 name: string;
30 enabled: boolean;
31 }
32 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/ui/select.tsx"}1 "use client";
2
3 // Processed for translation
4 import * as React from "react";
5
6 import * as SelectPrimitive from "@radix-ui/react-select";
7 import { Check, ChevronDown, ChevronUp } from "lucide-react";
8
9 import { cn } from "@/app/lib/utils";
10
11 const Select = SelectPrimitive.Root;
12
13 const SelectGroup = SelectPrimitive.Group;
14
15 const SelectValue = SelectPrimitive.Value;
16
17 const SelectTrigger = React.forwardRef<
18 React.ElementRef<typeof SelectPrimitive.Trigger>,
19 React.ComponentPropsWithoutRef<typeof SelectPrimitive.Trigger>
20 >(({ className, children, ...props }, ref) => (
21 <SelectPrimitive.Trigger
22 ref={ref}
23 className={cn(
24 "border-input bg-background ring-offset-background placeholder:text-muted-foreground focus:ring-ring flex h-10 w-full items-center justify-between rounded-md border px-3 py-2 text-sm focus:ring-2 focus:ring-offset-2 focus:outline-none disabled:cursor-not-allowed disabled:opacity-50 [&>span]:line-clamp-1",
25 className
26 )}
27 {...props}
28 >
29 {children}
30 <SelectPrimitive.Icon asChild>
31 <ChevronDown className="h-4 w-4 opacity-50" />
32 </SelectPrimitive.Icon>
33 </SelectPrimitive.Trigger>
34 ));
35 SelectTrigger.displayName = SelectPrimitive.Trigger.displayName;
36
37 const SelectScrollUpButton = React.forwardRef<
38 React.ElementRef<typeof SelectPrimitive.ScrollUpButton>,
39 React.ComponentPropsWithoutRef<typeof SelectPrimitive.ScrollUpButton>
40 >(({ className, ...props }, ref) => (
41 <SelectPrimitive.ScrollUpButton
42 ref={ref}
43 className={cn("flex cursor-default items-center justify-center py-1", className)}
44 {...props}
45 >
46 <ChevronUp className="h-4 w-4" />
47 </SelectPrimitive.ScrollUpButton>
48 ));
49 SelectScrollUpButton.displayName = SelectPrimitive.ScrollUpButton.displayName;
50
51 const SelectScrollDownButton = React.forwardRef<
52 React.ElementRef<typeof SelectPrimitive.ScrollDownButton>,
53 React.ComponentPropsWithoutRef<typeof SelectPrimitive.ScrollDownButton>
54 >(({ className, ...props }, ref) => (
55 <SelectPrimitive.ScrollDownButton
56 ref={ref}
57 className={cn("flex cursor-default items-center justify-center py-1", className)}
58 {...props}
59 >
60 <ChevronDown className="h-4 w-4" />
61 </SelectPrimitive.ScrollDownButton>
62 ));
63 SelectScrollDownButton.displayName = SelectPrimitive.ScrollDownButton.displayName;
64
65 const SelectContent = React.forwardRef<
66 React.ElementRef<typeof SelectPrimitive.Content>,
67 React.ComponentPropsWithoutRef<typeof SelectPrimitive.Content>
68 >(({ className, children, position = "popper", ...props }, ref) => (
69 <SelectPrimitive.Portal>
70 <SelectPrimitive.Content
71 ref={ref}
72 className={cn(
73 "text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 relative z-50 max-h-96 min-w-[8rem] overflow-hidden rounded-md border bg-white shadow-md",
74 position === "popper" &&
75 "data-[side=bottom]:translate-y-1 data-[side=left]:-translate-x-1 data-[side=right]:translate-x-1 data-[side=top]:-translate-y-1",
76 className
77 )}
78 position={position}
79 {...props}
80 >
81 <SelectScrollUpButton />
82 <SelectPrimitive.Viewport
83 className={cn(
84 "p-1",
85 position === "popper" &&
86 "h-[var(--radix-select-trigger-height)] w-full min-w-[var(--radix-select-trigger-width)]"
87 )}
88 >
89 {children}
90 </SelectPrimitive.Viewport>
91 <SelectScrollDownButton />
92 </SelectPrimitive.Content>
93 </SelectPrimitive.Portal>
94 ));
95 SelectContent.displayName = SelectPrimitive.Content.displayName;
96
97 const SelectLabel = React.forwardRef<
98 React.ElementRef<typeof SelectPrimitive.Label>,
99 React.ComponentPropsWithoutRef<typeof SelectPrimitive.Label>
100 >(({ className, ...props }, ref) => (
101 <SelectPrimitive.Label
102 ref={ref}
103 className={cn("py-1.5 pr-2 pl-8 text-sm font-semibold", className)}
104 {...props}
105 />
106 ));
107 SelectLabel.displayName = SelectPrimitive.Label.displayName;
108
109 const SelectItem = React.forwardRef<
110 React.ElementRef<typeof SelectPrimitive.Item>,
111 React.ComponentPropsWithoutRef<typeof SelectPrimitive.Item>
112 >(({ className, children, ...props }, ref) => (
113 <SelectPrimitive.Item
114 ref={ref}
115 className={cn(
116 "focus:bg-accent focus:text-accent-foreground relative flex w-full cursor-pointer items-center rounded-sm py-1.5 pr-2 pl-8 text-sm outline-none select-none hover:bg-gray-100 data-[disabled]:pointer-events-none data-[disabled]:opacity-50",
117 className
118 )}
119 {...props}
120 >
121 <span className="absolute left-2 flex h-3.5 w-3.5 items-center justify-center">
122 <SelectPrimitive.ItemIndicator>
123 <Check className="h-4 w-4" />
124 </SelectPrimitive.ItemIndicator>
125 </span>
126
127 <SelectPrimitive.ItemText>{children}</SelectPrimitive.ItemText>
128 </SelectPrimitive.Item>
129 ));
130 SelectItem.displayName = SelectPrimitive.Item.displayName;
131
132 const SelectSeparator = React.forwardRef<
133 React.ElementRef<typeof SelectPrimitive.Separator>,
134 React.ComponentPropsWithoutRef<typeof SelectPrimitive.Separator>
135 >(({ className, ...props }, ref) => (
136 <SelectPrimitive.Separator
137 ref={ref}
138 className={cn("bg-muted -mx-1 my-1 h-px", className)}
139 {...props}
140 />
141 ));
142 SelectSeparator.displayName = SelectPrimitive.Separator.displayName;
143
144 export {
145 Select,
146 SelectGroup,
147 SelectValue,
148 SelectTrigger,
149 SelectContent,
150 SelectLabel,
151 SelectItem,
152 SelectSeparator,
153 SelectScrollUpButton,
154 SelectScrollDownButton,
155 };
156 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/ui/switch.tsx"}1 "use client";
2
3 import * as React from "react";
4
5 import * as SwitchPrimitives from "@radix-ui/react-switch";
6
7 import { cn } from "../../lib/utils";
8
9 // Switch UI component - no translatable strings
10
11 const Switch = React.forwardRef<
12 React.ElementRef<typeof SwitchPrimitives.Root>,
13 React.ComponentPropsWithoutRef<typeof SwitchPrimitives.Root>
14 >(({ className, ...props }, ref) => (
15 <SwitchPrimitives.Root
16 className={cn(
17 "peer focus-visible:ring-ring focus-visible:ring-offset-background inline-flex h-[24px] w-[44px] shrink-0 cursor-pointer items-center rounded-full border-2 border-transparent transition-colors focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:outline-none disabled:cursor-not-allowed disabled:opacity-50 data-[state=checked]:bg-blue-600 data-[state=unchecked]:bg-gray-200",
18 className
19 )}
20 {...props}
21 ref={ref}
22 >
23 <SwitchPrimitives.Thumb
24 className={cn(
25 "pointer-events-none block h-5 w-5 rounded-full bg-white shadow-lg ring-0 transition-transform data-[state=checked]:translate-x-5 data-[state=unchecked]:translate-x-0"
26 )}
27 />
28 </SwitchPrimitives.Root>
29 ));
30 Switch.displayName = SwitchPrimitives.Root.displayName;
31
32 export { Switch };
33 {"skill":"production-code"}{"description":"Write sherpa-test direct-debit API spec","prompt":"You are adding an API test spec for GitHub ticket sherpa-api#462 \"Nordic bank direct debit (Autogiro / Betalingsservice)\" in the sherpa-test worktree. The backend is DONE and validated. Use `rg`/`fd`, never grep/find.\n\nWORKTREE (only edit here): /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir\nThe api under test is at http://localhost:4011 (this worktree's .env should point there; verify).\n\n## STEP 0 — Learn the conventions (read real files first)\n- Look at playwright.config.* and package.json scripts to find the `test:api` project, its testDir, and how baseURL/api URL is configured.\n- Read 1–2 existing API specs (find them under tests/ — `rg -l \"v1/plus\" tests` or similar) to copy EXACTLY: how they authenticate (client credentials `Authorization: Client {id}:{secret}` from env, or an ApiClient helper), how they build the request context, and the expect() style.\n- Find the env var names for client credentials (e.g. SHERPA_TEST_CLIENT_ID / SHERPA_TEST_CLIENT_SECRET) and base URL. Note: a known gotcha — the shared ApiClient forces JSON content-type, so bodyless POSTs 400; always send a body object (even `{}`) on POST actions.\n\n## VALIDATED API CONTRACT (base http://localhost:4011, all under /v1/plus; auth header `Authorization: Client {SHERPA_TEST_CLIENT_ID}:{SHERPA_TEST_CLIENT_SECRET}`)\nResponses are `{ status:'success', data: ... }`. Every POST needs a JSON body (≥ `{}`).\n- POST `/v1/plus/payment-provider-configs` `{providerKey:'autogiro', config:{bankgiroNumber:'9912346'}, active:true}` → 201 (or 409 if already configured — treat 409 as OK).\n- GET `/v1/plus/products` → `data.products[]` (use `data.products[0].id` as a productId).\n- POST `/v1/plus/direct-debit/mandates` `{providerKey:'autogiro', productId, accountHolder:'Sven Svensson', country:'SE', clearingNumber:'8327', accountNumber:'1234567', bankName:'Swedbank'}` → 201 {data:{id,status:'pending',mandateReference,...}}.\n- POST `/v1/plus/direct-debit/mandates/{id}/activate` `{}` → {data:{status:'active'}}.\n- GET `/v1/plus/direct-debit/mandates/{id}/file` → {data:{content}} (non-empty fixed-width text).\n- POST `/v1/plus/direct-debit/collections` `{mandateId, amount:199, currency:'SEK'}` → 201 {data:{id,status:'scheduled'}}.\n- POST `/v1/plus/direct-debit/collections/run` `{providerKey:'autogiro'}` → {data:{submitted, files:[...]}}.\n- POST `/v1/plus/direct-debit/collections/{id}/simulate-return` `{outcome:'settled'}` → {data:{settled:1,...}}. With `{outcome:'failed', reason:'08'}` → {data:{retrying:1,...}} (until retries exhausted, then it flags).\n- GET `/v1/plus/direct-debit/collections?mandateId={id}` → {data: Collection[]} where Collection has {id,status,retryCount,maxRetries,flagged,settledAt,failureReason}.\nAlso validation: POST mandate with `country:'DK', clearingNumber:'12'` for providerKey 'betalingsservice' → 400 (reg number must be 4 digits).\n\n## DELIVERABLE — one spec file in the right place for the `test:api` project\nName it like the others (e.g. tests/api/direct-debit.spec.ts — match the actual testDir). It should cover, with clear test names and assertions:\n1. \"configures Autogiro provider\" — POST provider config, expect 201 or 409.\n2. \"rejects an invalid Betalingsservice account\" — POST betalingsservice mandate with a 2-digit clearingNumber, expect 400.\n3. \"completes a recurring direct-debit collection end-to-end (Autogiro SE)\":\n - create mandate (pending) → activate (active) → assert mandate file content is non-empty\n - schedule collection (scheduled) → run (submitted>=1) → simulate-return settled → GET collection, assert status === 'settled'.\n4. \"retries and flags a failed collection\":\n - schedule another collection → run → simulate-return failed → assert that collection is 'retrying' with retryCount 1\n - loop: run + simulate-return failed until the collection's status becomes 'failed'; assert flagged === true and retryCount === maxRetries (maxRetries is 3).\nMake tests resilient (configure provider with 409-tolerance; fetch a productId dynamically). Keep amounts SEK/DKK.\n\n## VERIFY\nRun ONLY your new spec to confirm it passes: from the worktree, `npx playwright test <your-spec> --project=<the api project name>` (find the exact project name in playwright.config). Iterate until it passes. If auth/setup can't run headlessly, report exactly why.\n\n## REPORT BACK\nReturn: file path created, the exact command to run it, the PASS/FAIL result with the test count, and any caveats. Do not commit.","subagent_type":"general-purpose"}Launching skill: production-code
{"command":"ls -la /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/","description":"List worktree root contents"}total 160 drwxr-xr-x@ 17 bakker staff 544 Jun 1 04:35 . drwxr-xr-x 66 bakker staff 2112 Jun 1 04:31 .. drwxr-xr-x@ 3 bakker staff 96 Jun 1 04:31 .claude drwxr-xr-x@ 3 bakker staff 96 Jun 1 04:31 .cursor -rw-r--r--@ 1 bakker staff 999 Jun 1 04:31 .env -rw-r--r--@ 1 bakker staff 1009 Jun 1 04:31 .env.reference -rw-r--r--@ 1 bakker staff 115 Jun 1 04:31 .git -rw-r--r--@ 1 bakker staff 326 Jun 1 04:31 .gitignore -rw-r--r--@ 1 bakker staff 4825 Jun 1 04:31 CLAUDE.md -rw-r--r--@ 1 bakker staff 9874 Jun 1 04:31 README.md drwxr-xr-x@ 63 bakker staff 2016 Jun 1 04:35 node_modules -rw-r--r--@ 1 bakker staff 27202 Jun 1 04:35 package-lock.json -rw-r--r--@ 1 bakker staff 5040 Jun 1 04:31 package.json drwxr-xr-x@ 3 bakker staff 96 Jun 1 04:35 playwright -rw-r--r--@ 1 bakker staff 4085 Jun 1 04:31 playwright.config.ts drwxr-xr-x@ 21 bakker staff 672 Jun 1 04:31 tests -rw-r--r--@ 1 bakker staff 351 Jun 1 04:31 tsconfig.json
{"pattern":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/playwright.config.*"}/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/playwright.config.ts
{"pattern":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env*"}/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env.reference /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env
{"pattern":"error\\.response\\?\\.data\\?\\.error\\?\\.message|response\\?\\.data\\?\\.error\\?\\.message|\\.data\\.error\\.message","path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app","output_mode":"content","head_limit":15}/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/src/utils/validationUtils.ts:13: if (error?.response?.data?.error?.message) {
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/src/utils/validationUtils.ts:14: const message = error.response.data.error.message;
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/create-account/page.tsx:129: const apiErrorMessage = axiosError.response?.data?.error?.message;
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/customer-portal/policies/[policyId]/claim/DefaultClaimPage.tsx:349: axiosErr.response?.data?.error?.message
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/embed-customer-portal/lib/TemplateDataProvider.tsx:137: const apiMessage = (err as any)?.response?.data?.error?.message as string | undefined;
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/embed-customer-portal/lib/TemplateDataProvider.tsx:313: const apiMessage = (err as any)?.response?.data?.error?.message as
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/policy-management/PolicyQuoteForm.tsx:441: ?.response?.data?.error?.message;
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/commissions/CommissionStructureForm.tsx:381: error?.response?.data?.error?.message ||
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/products/DuplicateProductDialog.tsx:59: if (error.response?.data?.error?.message) {
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/products/DuplicateProductDialog.tsx:60: setVersionError(error.response.data.error.message);
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/users/UserDetail.tsx:98: if (err?.response?.data?.error?.message === "Access denied") {
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/products/ProductDetail.tsx:230: if (error.response?.data?.error?.message) {
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/products/ProductDetail.tsx:231: setNewVersionError(error.response.data.error.message);
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/products/coverage/CoveragePricingCalculate.tsx:218: typeof responseObj.data.error.message === "string"
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/products/coverage/CoveragePricingCalculate.tsx:220: errorMessage = responseObj.data.error.message;
[Showing results with pagination = limit: 15]{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && cat package.json | rg -A2 '\"scripts\"' ; echo \"---TYPECHECK SCRIPTS---\"; rg '\"(type-check|typecheck|tsc|lint|build)\"' package.json","description":"Inspect package.json scripts"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/playwright.config.ts"} "scripts": {
"dev": "next dev --turbopack",
"dev:https": "next dev --turbopack --experimental-https --experimental-https-key ./ssl/localhost-key.pem --experimental-https-cert ./ssl/localhost-cert.pem",
---TYPECHECK SCRIPTS---
"build": "next build",
"lint": "next lint",
"type-check": "tsc --noEmit",{"pattern":"app/lib/utils.ts"}No files found
1 import { defineConfig, devices } from '@playwright/test';
2 import dotenv from 'dotenv';
3 import path from 'path';
4
5 dotenv.config({ path: path.resolve(__dirname, '.env') });
6
7 /**
8 * See https://playwright.dev/docs/test-configuration.
9 */
10 export default defineConfig({
11 testDir: './tests',
12 fullyParallel: false,
13 forbidOnly: !!process.env.CI,
14 retries: process.env.CI ? 2 : 0,
15 workers: 3,
16 /* Reporter to use. See https://playwright.dev/docs/test-reporters */
17 reporter: 'html',
18 /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
19 use: {
20 /* Base URL to use in actions like `await page.goto('')`. */
21 // baseURL: 'http://localhost:3000',
22
23 /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
24 trace: 'on-first-retry',
25 screenshot: 'only-on-failure',
26 },
27
28 /* Configure projects for major browsers */
29 projects: [
30 {
31 name: 'plus-insurance',
32 testMatch: /plus-insurance\/.*\.spec\.ts/,
33 use: {},
34 fullyParallel: false,
35 workers: 1,
36 },
37 {
38 name: 'embed-translations',
39 testMatch: /embed-translations\/.*\.spec\.ts/,
40 timeout: 60_000,
41 use: {
42 ...devices['Desktop Chrome'],
43 storageState: 'playwright/.auth/user.json',
44 },
45 fullyParallel: false,
46 workers: 1,
47 dependencies: ['setup'],
48 },
49 {
50 name: 'payments',
51 testMatch: /payments\/.*\.spec\.ts/,
52 use: {},
53 fullyParallel: false,
54 workers: 1,
55 },
56 {
57 name: 'multi-currency',
58 testMatch: /multi-currency\/.*\.spec\.ts/,
59 use: {},
60 fullyParallel: false,
61 workers: 1,
62 },
63 {
64 name: 'widget',
65 testMatch: /widget\/.*\.spec\.ts/,
66 use: {},
67 fullyParallel: false,
68 workers: 1,
69 },
70 {
71 name: 'api',
72 testMatch: /security\.spec\.ts/,
73 use: {},
74 },
75 {
76 name: 'customer-auth',
77 testMatch: /customer-auth\.spec\.ts/,
78 use: {},
79 dependencies: ['plus-insurance'],
80 },
81 {
82 name: 'frontend-security',
83 testMatch: /security-frontend\.spec\.ts/,
84 use: {},
85 },
86 {
87 name: 'setup',
88 testMatch: /.*\.setup\.ts/,
89 timeout: 120_000,
90 use: {
91 headless: false,
92 },
93 },
94 {
95 name: 'chromium',
96 testMatch: /.*\.spec\.ts/,
97 testIgnore: [/security\.spec\.ts/, /customer-auth\.spec\.ts/, /plus-insurance\//, /payments\//, /embed-translations\//, /widget\//],
98 use: {
99 ...devices['Desktop Chrome'],
100 storageState: 'playwright/.auth/user.json',
101 },
102 dependencies: ['setup'],
103 },
104
105 {
106 name: 'firefox',
107 testMatch: /.*\.spec\.ts/,
108 testIgnore: [/security\.spec\.ts/, /customer-auth\.spec\.ts/, /plus-insurance\//, /payments\//, /embed-translations\//, /widget\//],
109 use: {
110 ...devices['Desktop Firefox'],
111 storageState: 'playwright/.auth/user.json',
112 },
113 dependencies: ['setup'],
114 },
115
116 {
117 name: 'webkit',
118 testMatch: /.*\.spec\.ts/,
119 testIgnore: [/security\.spec\.ts/, /customer-auth\.spec\.ts/, /plus-insurance\//, /payments\//, /embed-translations\//, /widget\//],
120 use: {
121 ...devices['Desktop Safari'],
122 storageState: 'playwright/.auth/user.json',
123 },
124 dependencies: ['setup'],
125 },
126
127 /* Test against mobile viewports. */
128 // {
129 // name: 'Mobile Chrome',
130 // use: { ...devices['Pixel 5'] },
131 // },
132 // {
133 // name: 'Mobile Safari',
134 // use: { ...devices['iPhone 12'] },
135 // },
136
137 /* Test against branded browsers. */
138 // {
139 // name: 'Microsoft Edge',
140 // use: { ...devices['Desktop Edge'], channel: 'msedge' },
141 // },
142 // {
143 // name: 'Google Chrome',
144 // use: { ...devices['Desktop Chrome'], channel: 'chrome' },
145 // },
146 ],
147
148 /* Run your local dev server before starting the tests */
149 // webServer: {
150 // command: 'npm run start',
151 // url: 'http://localhost:3000',
152 // reuseExistingServer: !process.env.CI,
153 // },
154 });
155 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/package.json"}1 {
2 "name": "sherpa-test",
3 "version": "1.0.0",
4 "description": "Playwright Testing",
5 "main": "index.js",
6 "scripts": {
7 "test": "playwright test",
8 "test:headed": "playwright test --headed",
9 "test:ui": "playwright test --ui",
10 "test:debug": "playwright test --headed --debug --workers=1 --project=chromium",
11 "test:chromium": "playwright test --project=chromium",
12 "test:chromium:headed": "playwright test --project=chromium --headed",
13 "test:firefox": "playwright test --project=firefox",
14 "test:firefox:headed": "playwright test --project=firefox --headed",
15 "test:webkit": "playwright test --project=webkit",
16 "test:webkit:headed": "playwright test --project=webkit --headed",
17 "test:plus": "playwright test --project=plus-insurance",
18 "test:plus:list": "playwright test --project=plus-insurance --reporter=list",
19 "test:embed-translations": "playwright test --project=embed-translations",
20 "test:embed-translations:headed": "playwright test --project=embed-translations --headed",
21 "test:local:embed-translations": "ENV=local playwright test --project=embed-translations",
22 "test:dev:embed-translations": "ENV=dev playwright test --project=embed-translations",
23 "test:staging:embed-translations": "ENV=staging playwright test --project=embed-translations",
24 "test:payments": "playwright test --project=payments --reporter=list",
25 "test:security": "playwright test --project=api && npm run report",
26 "test:security:local": "ENV=local playwright test --project=api && npm run report",
27 "test:security:staging": "ENV=staging playwright test --project=api && npm run report",
28 "test:security:prod": "ENV=production playwright test --project=api && npm run report",
29 "test:api": "playwright test --project=plus-insurance --project=payments --project=multi-currency --project=api --project=frontend-security",
30 "test:local": "ENV=local playwright test",
31 "test:local:headed": "ENV=local playwright test --headed",
32 "test:local:chromium": "ENV=local playwright test --project=chromium",
33 "test:local:chromium:headed": "ENV=local playwright test --project=chromium --headed",
34 "test:local:firefox": "ENV=local playwright test --project=firefox",
35 "test:local:firefox:headed": "ENV=local playwright test --project=firefox --headed",
36 "test:local:webkit": "ENV=local playwright test --project=webkit",
37 "test:local:webkit:headed": "ENV=local playwright test --project=webkit --headed",
38 "test:dev": "ENV=dev playwright test",
39 "test:dev:headed": "ENV=dev playwright test --headed",
40 "test:dev:chromium": "ENV=dev playwright test --project=chromium",
41 "test:dev:chromium:headed": "ENV=dev playwright test --project=chromium --headed",
42 "test:dev:firefox": "ENV=dev playwright test --project=firefox",
43 "test:dev:firefox:headed": "ENV=dev playwright test --project=firefox --headed",
44 "test:dev:webkit": "ENV=dev playwright test --project=webkit",
45 "test:dev:webkit:headed": "ENV=dev playwright test --project=webkit --headed",
46 "test:staging": "ENV=staging playwright test",
47 "test:staging:headed": "ENV=staging playwright test --headed",
48 "test:staging:chromium": "ENV=staging playwright test --project=chromium",
49 "test:staging:chromium:headed": "ENV=staging playwright test --project=chromium --headed",
50 "test:staging:firefox": "ENV=staging playwright test --project=firefox",
51 "test:staging:firefox:headed": "ENV=staging playwright test --project=firefox --headed",
52 "test:staging:webkit": "ENV=staging playwright test --project=webkit",
53 "test:staging:webkit:headed": "ENV=staging playwright test --project=webkit --headed",
54 "test:prod": "ENV=production playwright test",
55 "test:prod:headed": "ENV=production playwright test --headed",
56 "test:prod:chromium": "ENV=production playwright test --project=chromium",
57 "test:prod:chromium:headed": "ENV=production playwright test --project=chromium --headed",
58 "test:prod:firefox": "ENV=production playwright test --project=firefox",
59 "test:prod:firefox:headed": "ENV=production playwright test --project=firefox --headed",
60 "test:prod:webkit": "ENV=production playwright test --project=webkit",
61 "test:prod:webkit:headed": "ENV=production playwright test --project=webkit --headed",
62 "test:all": "npm run test:local && npm run test:dev && npm run test:staging && npm run test:prod",
63 "report": "playwright show-report",
64 "postinstall": "npm rebuild better-sqlite3"
65 },
66 "repository": {
67 "type": "git",
68 "url": "git+https://github.com/gangkharai/sherpa-test.git"
69 },
70 "keywords": [],
71 "author": "",
72 "license": "ISC",
73 "bugs": {
74 "url": "https://github.com/gangkharai/sherpa-test/issues"
75 },
76 "homepage": "https://github.com/gangkharai/sherpa-test#readme",
77 "devDependencies": {
78 "@playwright/test": "^1.59.1",
79 "@types/better-sqlite3": "^7.6.13",
80 "@types/node": "^24.9.2",
81 "@types/pg": "^8.16.0",
82 "better-sqlite3": "^12.8.0",
83 "dotenv": "^16.4.5",
84 "pg": "^8.16.3"
85 }
86 }
87 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env"}{"pattern":"interpolat|t\\(['\"][^'\"]*\\{[a-zA-Z]+\\}","path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings","output_mode":"content","head_limit":10}/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx:128: ? t("{name} disabled", { name: method.name })
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx:129: : t("{name} enabled", { name: method.name })
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/TranslationsTab.tsx:73: ? t("Translated {count} new string(s). Dictionary now has {total} entries.", {
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/ImportHistoryTab.tsx:346: {t("Page {page} of {pages}", {
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/ImportHistoryTab.tsx:358: {t("Showing {start} to {end} of {total} runs", {
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PolicyStatusesTab.tsx:251: {t("{count} statuses", { count: list.length })}
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PolicyStatusesTab.tsx:286: {t("On inception → {target}", { target: categoryLabel(row.autoTransitionOnInceptionTo) })}
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PolicyStatusesTab.tsx:294: {t("On expiry → {target}", { target: categoryLabel(row.autoTransitionOnExpiryTo) })}
/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/UploadCredentialsTab.tsx:462: ? t("View connection information for this {method} credential", {1 DEVELOPER_NAME=chris
2 ENV=local
3
4 SHERPA_PORTAL_HTTP=http://localhost:3000
5 SHERPA_PORTAL_HTTPS=https://portal.${DEVELOPER_NAME}.dev.gangkhar.dev
6 SHERPA_API_HTTP=http://localhost:4000
7 SHERPA_API_HTTPS=https://api.${DEVELOPER_NAME}.dev.gangkhar.dev
8
9 SHERPA_PORTAL_DEV_HTTPS=https://portal.dev.gangkhar.dev
10 SHERPA_API_DEV_HTTPS=https://sherpa-api.dev.gangkhar.dev
11
12 SHERPA_PORTAL_STAGING_HTTPS=https://portal.staging.gangkhar.dev
13 SHERPA_API_STAGING_HTTPS=https://sherpa-api.staging.gangkhar.dev
14
15 SHERPA_PORTAL_PROD_HTTPS=https://portal.your-domain.com
16 SHERPA_API_PROD_HTTPS=https://api.your-domain.com
17
18 WAYNI_PORTAL_URL=https://portal.wayni.${DEVELOPER_NAME}.dev.gangkhar.dev
19 WAYNI_PORTAL_DEV_URL=https://portal.wayni.dev.gangkhar.dev
20 WAYNI_PORTAL_STAGING_URL=https://portal.wayni.staging.gangkhar.dev
21
22 [email protected]
23 TEST_USER_PASSWORD="TestPass123!@#"
24
25 SHERPA_TEST_CLIENT_ID=cl_faf23d26-93db-4a72-af6f-462dff015c96
26 SHERPA_TEST_CLIENT_SECRET=cs_0a644bc5-8b9f-4ffd-b680-9ff0087f3f63{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/CLAUDE.md"}1 # CLAUDE.md
2
3 Project-specific instructions for Claude Code.
4
5 ## Project Overview
6
7 This is a Playwright E2E test suite for the Sherpa Portal application.
8
9 ## Playwright E2E Testing Guidelines
10
11 ### Selector Priority (Cross-Browser)
12
13 1. `getByRole()` - ALWAYS try first
14 2. `getByLabel()` - For forms
15 3. `getByPlaceholder()` - Inputs without labels
16 4. `getByText()` - Visible content
17 5. `getByTestId()` - Last resort
18
19 **AVOID:** CSS `:nth-child()`, XPath, complex descendant selectors
20
21 ### Dropdowns (Custom Components)
22
23 Chromium uses ARIA roles, Firefox/WebKit often don't:
24
25 ```typescript
26 // ✅ Works everywhere
27 page.locator('li, [role="option"]').filter({ hasText: 'text' })
28 page.locator('input[placeholder="exact text"]')
29
30 // ❌ Chromium only
31 page.getByRole('option')
32 page.getByRole('searchbox')
33 ```
34
35 ### Button Disambiguation
36
37 ```typescript
38 page.getByRole('button', { name: 'Next', exact: true })
39 ```
40
41 ### Interactions
42
43 ```typescript
44 await element.waitFor({ state: 'visible' });
45 await element.click({ force: false });
46 await input.clear(); await input.fill('text');
47 ```
48
49 ### Authentication (Azure AD)
50
51 - Setup project with `storageState: 'playwright/.auth/user.json'`
52 - Non-headless mode for MFA
53 - Poll for MFA prompts (500ms-1s intervals)
54
55 ### Environment Variables
56
57 Quote passwords with special chars: `PASSWORD="Pass123!@#"`
58
59 ### Network Testing
60
61 ```typescript
62 const [response] = await Promise.all([
63 page.waitForResponse(r => r.url().includes('/api') && r.status() === 200),
64 page.reload()
65 ]);
66 ```
67
68 ### Timing
69
70 - Small waits (500ms) after dropdown selections for validation to complete
71 - Explicit `waitFor({ state: 'visible', timeout: 2-3s })` for dropdown elements
72 - Increase timeout only for slow operations (API calls, page loads)
73 - Prefer `waitFor()` over `waitForTimeout()`
74
75 ### Dropdown Retry Logic
76
77 - Add retry logic if dropdown doesn't open on first click (WebKit issue)
78 - Add explicit waits with timeout for input visibility
79
80 ### Test Organization
81
82 - One test file per feature (e.g., `insurance-products.spec.ts`)
83 - Authenticated tests automatically inherit session - no additional setup needed
84 - Use `getPortalUrl()` and `getApiUrl()` helpers for multi-environment testing
85
86 ## MANDATORY: Inspect HTML Before Writing Tests
87
88 **CRITICAL RULE - NO EXCEPTIONS:** Before writing ANY test or selector, you MUST:
89
90 1. ✅ **OPEN THE BROWSER** - Navigate to the actual page
91 2. ✅ **SNAPSHOT FOR OVERVIEW** - Use browser snapshot to see the accessibility tree (roles, text content)
92 3. ✅ **INSPECT ACTUAL HTML/DOM** - Get real HTML structure, attributes, classes, SVG paths
93 4. ✅ **VERIFY EVERY ELEMENT** - Check types, attributes, roles, classes, data attributes, and hierarchy
94 5. ✅ **THE TRUTH IS WHAT YOU INSPECT** - The actual HTML in the browser is the ONLY source of truth
95 6. ❌ **NEVER MAKE ASSUMPTIONS** - Do NOT guess element structure based on:
96 - Visual appearance
97 - Screenshots
98 - Common patterns
99 - Previous experience
100 - What "should" be there
101
102 ### Inspection Process
103
104 1. Navigate to the page in browser
105 2. Get accessibility overview (snapshot) - shows roles, text, structure
106 3. Inspect actual HTML/DOM - shows classes, attributes, SVG, etc.
107 4. Write selectors based on what you ACTUALLY see
108 5. Test the selectors work
109
110 ### Element Inspection Example
111
112 ```typescript
113 // Step 1: Use browser snapshot to find the element
114 // Shows: button "Add Parameter" [ref=e290] with lucide-circle-plus icon
115
116 // Step 2: Inspect actual HTML/DOM
117 const buttonInfo = await browser_evaluate({
118 function: `() => {
119 const buttons = document.querySelectorAll('button');
120 const targetBtn = Array.from(buttons).find(b => b.querySelector('.lucide-circle-plus'));
121 return {
122 outerHTML: targetBtn?.outerHTML.substring(0, 800),
123 className: targetBtn?.className,
124 ariaLabel: targetBtn?.getAttribute('aria-label'),
125 svgClass: targetBtn?.querySelector('svg')?.className
126 };
127 }`
128 });
129
130 // Step 3: Write selector based on ACTUAL inspection
131 const addParamBtn = page.locator('button').filter({
132 has: page.locator('.lucide-circle-plus')
133 });
134 ```
135
136 ## Sherpa Portal Component Patterns
137
138 The portal uses custom components - always verify these patterns via inspection:
139
140 | Component | Actual Implementation |
141 |-----------|----------------------|
142 | Checkboxes | `<button role="checkbox">` NOT `<input type="checkbox">` |
143 | Dropdowns | `<button aria-haspopup="listbox">` + `<div role="listbox">` |
144 | Options | `<li role="option" aria-selected="true">` |
145 | Multi-selects | Visual checkmarks but use `aria-selected` |
146 | Hidden form data | `<input type="hidden" id="setting-name-X" value="fieldName">` |
147 | Action buttons | Icons with SVG classes like `lucide-circle-plus` |
148
149 Always check `role`, `aria-*`, `data-*`, and class attributes.
150
151 **NEVER ASSUME - ALWAYS INSPECT THE ACTUAL HTML IN THE BROWSER!**
152 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/src/utils/validationUtils.ts","limit":40}1 export const validateRequiredFields = (
2 fields: { name: string; value: string; label: string }[]
3 ): string | null => {
4 for (const field of fields) {
5 if (!field.value.trim()) {
6 return `${field.label} is required`;
7 }
8 }
9 return null;
10 };
11
12 export const parseSequelizeError = (error: any): string => {
13 if (error?.response?.data?.error?.message) {
14 const message = error.response.data.error.message;
15
16 if (message.includes("Validation notEmpty on name failed")) {
17 return "Name field cannot be empty";
18 }
19
20 if (message.includes("Validation notEmpty on label failed")) {
21 return "Label field cannot be empty";
22 }
23
24 if (message.includes("Validation notEmpty")) {
25 const fieldMatch = message.match(/Validation notEmpty on (\w+) failed/);
26 if (fieldMatch) {
27 const fieldName = fieldMatch[1].charAt(0).toUpperCase() + fieldMatch[1].slice(1);
28 return `${fieldName} field cannot be empty`;
29 }
30 }
31
32 if (message.includes("Validation error")) {
33 return "Please check your input and try again";
34 }
35 }
36
37 return "An unexpected error occurred";
38 };
39 {"pattern":"app/components/UserTypeRoute.tsx"}No files found
{"pattern":"app/components/ProtectedRoute.tsx"}{"pattern":"app/lib/utils.*"}No files found
No files found
{"command":"ls -R /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/ | head -100","description":"List tests directory tree"}api-outage-banner.spec.ts auth.setup.ts customer-auth.spec.ts customer-portal-typed-signal.spec.ts embed-translations flows insurance-product.spec.ts multi-currency organization-public-session.spec.ts payments plus-insurance product-readiness.spec.ts security-frontend.spec.ts security.spec.ts session-credential-rejection.spec.ts session-intent-capture.spec.ts utils wayni.spec.ts widget /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//embed-translations: api-overrides.spec.ts helpers navigation-propagation.spec.ts persistence.spec.ts postmessage.spec.ts snippet-shape.spec.ts static-ui.spec.ts url-config.spec.ts validation.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//embed-translations/helpers: embed-page.ts expected-translations.ts translation-product.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//flows: 01-sherpa-portal.flow.ts 02-insurance-products.flow.ts 03-quote-creation.flow.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//multi-currency: 00-reset.spec.ts 01-multi-currency.spec.ts helpers /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//multi-currency/helpers: constants.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//payments: 00-reset-payments-organization.spec.ts 00-stripe-payment-flow.spec.ts 01-embed-checkout-flow.spec.ts helpers /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//payments/helpers: test-data.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//plus-insurance: 00-reset-organization.spec.ts 01-product-setup.spec.ts 02-bulk-policy-creation.spec.ts 02-product-unhappy-paths.spec.ts 04-quote-policy-flow.spec.ts 05-policy-orders-and-financials.spec.ts 06-policy-status-guards-and-recovery.spec.ts 06-policy-suspension-reinstatement.spec.ts 06-product-translations.spec.ts 07-audit-log.spec.ts 08-compliance-checks.spec.ts README.md helpers /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//plus-insurance/helpers: api-client.ts api-helpers.ts assertions.ts ledger-db.ts test-data.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//utils: mock-organization-resolution.ts session-state.ts urls.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests//widget: widget-token-embed.spec.ts
{"pattern":"v1/plus","path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests","output_mode":"files_with_matches"}Found 19 files /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/widget/widget-token-embed.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/utils/mock-organization-resolution.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/session-credential-rejection.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/helpers/api-helpers.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/08-compliance-checks.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/07-audit-log.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/06-product-translations.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/06-policy-suspension-reinstatement.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/06-policy-status-guards-and-recovery.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/05-policy-orders-and-financials.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/04-quote-policy-flow.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/02-product-unhappy-paths.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/02-bulk-policy-creation.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/01-product-setup.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/payments/01-embed-checkout-flow.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/payments/00-stripe-payment-flow.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/multi-currency/01-multi-currency.spec.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/embed-translations/helpers/translation-product.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/customer-auth.spec.ts
{"pattern":"Authorization.*Client","path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests","output_mode":"files_with_matches"}Found 2 files /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/helpers/api-client.ts /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/customer-auth.spec.ts
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && fd -t f 'ProtectedRoute|UserTypeRoute' app/components && echo \"---utils---\" && fd -t f 'utils' app/lib && echo \"---tsconfig paths---\" && rg -A6 '\"paths\"' tsconfig.json","description":"Locate route components and utils, check tsconfig paths"}app/components/ProtectedRoute.tsx
app/components/UserTypeRoute.tsx
---utils---
app/lib/utils.ts
---tsconfig paths---
"paths": {
"@/*": ["./*"],
"@root/*": ["../*"]
},
"target": "ES2017"
},
"include": [{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/helpers/api-client.ts"}1 import { APIRequestContext, APIResponse } from '@playwright/test';
2
3 function toCurl(method: string, url: string, headers: Record<string, string>, data?: any): string {
4 const parts = [`curl -X ${method.toUpperCase()} '${url}'`];
5 for (const [key, value] of Object.entries(headers)) {
6 parts.push(` -H '${key}: ${value}'`);
7 }
8 if (data !== undefined) {
9 parts.push(` -d '${JSON.stringify(data)}'`);
10 }
11 return parts.join(' \\\n');
12 }
13
14 async function logIfFailed(response: APIResponse, method: string, url: string, headers: Record<string, string>, data?: any, silent = false): Promise<APIResponse> {
15 if (response.status() >= 400 && !silent) {
16 let body: any;
17 try { body = await response.json(); } catch { body = await response.text(); }
18 console.error(`\n❌ API ${method.toUpperCase()} ${url} → ${response.status()}`);
19 console.error(`Response body: ${JSON.stringify(body, null, 2)}`);
20 console.error(`cURL:\n${toCurl(method, url, headers, data)}\n`);
21 }
22 return response;
23 }
24
25 export class ApiClient {
26 /** Set to true to suppress error logging (for unhappy-path tests that expect 4xx/5xx) */
27 expectErrors = false;
28
29 constructor(
30 private request: APIRequestContext,
31 private baseURL: string,
32 private clientId: string,
33 private clientSecret: string
34 ) {}
35
36 private getHeaders() {
37 return {
38 'Authorization': `Client ${this.clientId}:${this.clientSecret}`,
39 'Content-Type': 'application/json',
40 };
41 }
42
43 async post(endpoint: string, data: any) {
44 const url = `${this.baseURL}${endpoint}`;
45 const headers = this.getHeaders();
46 const response = await this.request.post(url, { headers, data });
47 return logIfFailed(response, 'POST', url, headers, data, this.expectErrors);
48 }
49
50 async patch(endpoint: string, data: any) {
51 const url = `${this.baseURL}${endpoint}`;
52 const headers = this.getHeaders();
53 const response = await this.request.patch(url, { headers, data });
54 return logIfFailed(response, 'PATCH', url, headers, data, this.expectErrors);
55 }
56
57 async put(endpoint: string, data: any) {
58 const url = `${this.baseURL}${endpoint}`;
59 const headers = this.getHeaders();
60 const response = await this.request.put(url, { headers, data });
61 return logIfFailed(response, 'PUT', url, headers, data, this.expectErrors);
62 }
63
64 async get(endpoint: string) {
65 const url = `${this.baseURL}${endpoint}`;
66 const headers = this.getHeaders();
67 const response = await this.request.get(url, { headers });
68 return logIfFailed(response, 'GET', url, headers, undefined, this.expectErrors);
69 }
70
71 async delete(endpoint: string) {
72 const url = `${this.baseURL}${endpoint}`;
73 const headers = this.getHeaders();
74 const response = await this.request.delete(url, { headers });
75 return logIfFailed(response, 'DELETE', url, headers, undefined, this.expectErrors);
76 }
77 }
78
79 export class WidgetApiClient {
80 /** Set to true to suppress error logging (for unhappy-path tests that expect 4xx/5xx) */
81 expectErrors = false;
82
83 constructor(
84 private request: APIRequestContext,
85 private baseURL: string,
86 private widgetToken: string,
87 private parentDomain: string = 'localhost'
88 ) {}
89
90 private getHeaders() {
91 return {
92 'X-Widget-Token': this.widgetToken,
93 'X-Parent-Domain': this.parentDomain,
94 'Content-Type': 'application/json',
95 };
96 }
97
98 async post(endpoint: string, data: any) {
99 const url = `${this.baseURL}${endpoint}`;
100 const headers = this.getHeaders();
101 const response = await this.request.post(url, { headers, data });
102 return logIfFailed(response, 'POST', url, headers, data, this.expectErrors);
103 }
104
105 async get(endpoint: string) {
106 const url = `${this.baseURL}${endpoint}`;
107 const headers = this.getHeaders();
108 const response = await this.request.get(url, { headers });
109 return logIfFailed(response, 'GET', url, headers, undefined, this.expectErrors);
110 }
111
112 async getAllowPdf(endpoint: string) {
113 const url = `${this.baseURL}${endpoint}`;
114 const headers = { ...this.getHeaders(), Accept: 'application/pdf,*/*' };
115 const response = await this.request.get(url, { headers });
116 return logIfFailed(response, 'GET', url, headers, undefined, this.expectErrors);
117 }
118 }
119 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/helpers/api-helpers.ts"}1 import { ApiClient } from './api-client';
2
3 /**
4 * Get coverage pricing table ID by fetching coverage pricing via API
5 * @param client - API client instance
6 * @param coverageId - The coverage ID (not coveragePricingId)
7 * @returns The first pricing table ID found
8 */
9 export async function getCoveragePricingTableIdViaApi(
10 client: ApiClient,
11 coverageId: number
12 ): Promise<number> {
13 // Retry logic for eventual consistency
14 for (let attempt = 0; attempt < 5; attempt++) {
15 const response = await client.get(`/v1/plus/coverages/${coverageId}/pricing`);
16
17 if (response.status() !== 200) {
18 if (attempt < 4) {
19 await new Promise(resolve => setTimeout(resolve, 200));
20 continue;
21 }
22 throw new Error(`Failed to get coverage pricing for coverageId ${coverageId}: ${response.status()}`);
23 }
24
25 const body = await response.json();
26 const pricings = body.data || body;
27
28 if (Array.isArray(pricings) && pricings.length > 0) {
29 const pricing = pricings[0];
30 if (pricing.tables && pricing.tables.length > 0) {
31 return pricing.tables[0].id;
32 }
33 }
34
35 if (attempt < 4) {
36 await new Promise(resolve => setTimeout(resolve, 200));
37 }
38 }
39
40 throw new Error(`No pricing table found for coverageId ${coverageId}`);
41 }
42
43 /**
44 * Get main pricing table ID by fetching pricing via API
45 * Uses GET /v1/plus/pricing/:id which includes tables in the response
46 * @param client - API client instance
47 * @param pricingId - The pricing ID
48 * @returns The first pricing table ID found
49 */
50 export async function getMainPricingTableIdViaApi(
51 client: ApiClient,
52 pricingId: number
53 ): Promise<number> {
54 // Retry logic for eventual consistency
55 for (let attempt = 0; attempt < 5; attempt++) {
56 // GET /v1/plus/pricing/:id returns the full pricing including tables
57 const response = await client.get(`/v1/plus/pricing/${pricingId}`);
58
59 if (response.status() === 200) {
60 const body = await response.json();
61 const pricing = body.data || body;
62
63 // Tables are included in the pricing response
64 if (pricing.tables && Array.isArray(pricing.tables) && pricing.tables.length > 0) {
65 return pricing.tables[0].id;
66 }
67 }
68
69 if (attempt < 4) {
70 await new Promise(resolve => setTimeout(resolve, 200));
71 }
72 }
73
74 throw new Error(`No pricing table found for pricingId ${pricingId}`);
75 }
76
77 /**
78 * Get widget token via API
79 * @param client - API client instance
80 * @param clientId - The client ID to fetch tokens for
81 * @returns The widget token string
82 */
83 export async function getWidgetTokenViaApi(
84 client: ApiClient,
85 clientId: string
86 ): Promise<string> {
87 const response = await client.get(`/v1/plus/widget-tokens/client/${clientId}`);
88
89 if (response.status() !== 200) {
90 throw new Error(`Failed to get widget tokens: ${response.status()}`);
91 }
92
93 const body = await response.json();
94 const tokens = body.data?.tokens || [];
95 const testToken = tokens.find((t: any) => t.name === 'Test User Widget' && !t.revoked);
96
97 if (!testToken || !testToken.token) {
98 throw new Error('Test widget token not found - ensure migrations have run');
99 }
100
101 return testToken.token;
102 }
103
104 /**
105 * Ensure widget token exists, creating it if necessary
106 * @param client - API client instance
107 * @param clientId - The client ID to create token for
108 * @returns The widget token string
109 */
110 export async function ensureWidgetTokenExists(
111 client: ApiClient,
112 clientId: string
113 ): Promise<string> {
114 // Check if token already exists
115 const response = await client.get(`/v1/plus/widget-tokens/client/${clientId}`);
116
117 if (response.status() === 200) {
118 const body = await response.json();
119 const tokens = body.data?.tokens || [];
120 // Look for any active widget token, not just 'Test User Widget'
121 const existingToken = tokens.find((t: any) => !t.revoked && t.token);
122
123 if (existingToken && existingToken.token) {
124 return existingToken.token;
125 }
126 }
127
128 // Token doesn't exist, try to create it
129 // Use minimal permissions that should be available on the client
130 const createResponse = await client.post('/v1/plus/widget-tokens/generate', {
131 clientId,
132 name: 'Test User Widget',
133 description: 'Widget token for E2E testing',
134 authorizedParents: ['*'],
135 permissions: ['claims:create', 'claims:read', 'policies:create', 'policies:read', 'quotes:create'],
136 expiresAt: null,
137 });
138
139 if (createResponse.status() !== 200 && createResponse.status() !== 201) {
140 const errorBody = await createResponse.text();
141
142 // Provide helpful error message about migrations
143 throw new Error(
144 `Failed to create widget token (${createResponse.status()}). ` +
145 `This usually means the widget token migrations haven't run on this environment. ` +
146 `Run: cd ../sherpa-api && npm run migrate:up\n\n` +
147 `Server error: ${errorBody}`
148 );
149 }
150
151 const createBody = await createResponse.json();
152 const token = createBody.data?.token || createBody.token;
153
154 if (!token) {
155 throw new Error('Widget token creation succeeded but no token returned');
156 }
157
158 return token;
159 }
160 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/commissions/CommissionStructureForm.tsx","offset":374,"limit":14}374 showSuccessToast(t('Commission structure created successfully'));
375 onSave(response.data.data);
376 }
377 }
378 } catch (error: any) {
379 console.error("Error saving commission structure:", error);
380 const errorMessage =
381 error?.response?.data?.error?.message ||
382 error?.response?.data?.message ||
383 t('Failed to save commission structure');
384 showErrorToast(errorMessage);
385 } finally {
386 setIsLoading(false);
387 }{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/product.ts","limit":30}1 export interface ProductData {
2 id: number;
3 productTitle: string;
4 productName: string;
5 productDescription: string | null;
6 country: string;
7 availableCountries?: string[];
8 productType: string;
9 currency: string;
10 inputCurrency?: string;
11 displayCurrencies?: string[];
12 pricingCurrencies?: string[];
13 active: boolean;
14 version: number;
15 startDate: string;
16 endDate: string | null;
17 isCurrent?: boolean;
18 userId?: string;
19 createdAt: string;
20 updatedAt: string;
21 isEmbedded?: boolean;
22 primaryProductTitle?: string;
23 insuranceTypeId?: string;
24 insuranceType?: {
25 id: number;
26 name: string;
27 title: string;
28 };
29 organizationId?: string;
30 organization?: {{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/utils/urls.ts"}1 export function getPortalUrl(): string {
2 const env = process.env.ENV || 'local';
3
4 if (env === 'local') {
5 return process.env.SHERPA_PORTAL_HTTP || 'http://localhost:3000';
6 }
7
8 if (env === 'dev') {
9 return process.env.SHERPA_PORTAL_DEV_HTTPS || '';
10 }
11
12 if (env === 'staging') {
13 return process.env.SHERPA_PORTAL_STAGING_HTTPS || '';
14 }
15
16 if (env === 'production') {
17 return process.env.SHERPA_PORTAL_PROD_HTTPS || '';
18 }
19
20 return process.env.SHERPA_PORTAL_HTTPS || '';
21 }
22
23 export function getApiUrl(): string {
24 const env = process.env.ENV || 'local';
25
26 if (env === 'local') {
27 return process.env.SHERPA_API_HTTP || 'http://localhost:4000';
28 }
29
30 if (env === 'dev') {
31 return process.env.SHERPA_API_DEV_HTTPS || '';
32 }
33
34 if (env === 'staging') {
35 return process.env.SHERPA_API_STAGING_HTTPS || '';
36 }
37
38 if (env === 'production') {
39 return process.env.SHERPA_API_PROD_HTTPS || '';
40 }
41
42 return process.env.SHERPA_API_HTTPS || '';
43 }
44
45 export function getEmbedUrl(): string {
46 const env = process.env.ENV || 'local';
47
48 if (env === 'local') {
49 return process.env.SHERPA_EMBED_HTTP || 'http://localhost:3101';
50 }
51
52 if (env === 'dev') {
53 return process.env.SHERPA_EMBED_DEV_HTTPS || '';
54 }
55
56 if (env === 'staging') {
57 return process.env.SHERPA_EMBED_STAGING_HTTPS || '';
58 }
59
60 if (env === 'production') {
61 return process.env.SHERPA_EMBED_PROD_HTTPS || '';
62 }
63
64 return process.env.SHERPA_EMBED_HTTPS || '';
65 }
66
67 export function getWayniPortalUrl(): string {
68 const env = process.env.ENV || 'local';
69
70 if (env === 'local') {
71 return process.env.WAYNI_PORTAL_URL || 'https://portal.wayni.chris.dev.gangkhar.dev';
72 }
73
74 if (env === 'dev') {
75 return process.env.WAYNI_PORTAL_DEV_URL || 'https://portal.wayni.dev.gangkhar.dev';
76 }
77
78 if (env === 'staging') {
79 return process.env.WAYNI_PORTAL_STAGING_URL || 'https://portal.wayni.staging.gangkhar.dev';
80 }
81
82 return process.env.WAYNI_PORTAL_URL || 'https://portal.wayni.chris.dev.gangkhar.dev';
83 }
84
85 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/08-compliance-checks.spec.ts"}1 import { test, expect } from '@playwright/test';
2 import { ApiClient } from './helpers/api-client';
3 import { ORGANIZATION_ID } from './helpers/test-data';
4 import { getApiUrl } from '../utils/urls';
5
6 const API_URL = getApiUrl();
7 const CLIENT_ID = process.env.SHERPA_TEST_CLIENT_ID!;
8 const CLIENT_SECRET = process.env.SHERPA_TEST_CLIENT_SECRET!;
9
10 /**
11 * Compliance checks API coverage — capability + parties shape.
12 *
13 * - PUT /products/:id with complianceChecks.{capability:{parties, triggers, ...}}
14 * - GET /products/:id reflects the persisted shape
15 * - Setting complianceChecks=null removes the configuration
16 * - Schema rejects malformed bodies
17 * - Multiple capabilities coexist on a single product
18 * - CLAIM trigger accepted by the schema
19 */
20 test.describe.serial('Plus · Product compliance checks', () => {
21 test.setTimeout(60000);
22
23 let productId: number;
24 let integrationId: string;
25
26 test('seed: pick a screening integration + a product', async ({ request }) => {
27 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
28
29 const integrationsRes = await api.get(`/v1/plus/external-integrations`);
30 expect(integrationsRes.status()).toBe(200);
31 const integrations = (await integrationsRes.json()).data ?? [];
32 let screening = integrations.find(
33 (i: { capability: string; active: boolean }) =>
34 i.capability === 'sanction_screening' && i.active,
35 );
36 if (!screening) {
37 const createRes = await api.post('/v1/plus/external-integrations', {
38 name: 'E2E Sanction Screening',
39 slug: `e2e-sanction-screening-${Date.now()}`,
40 capability: 'sanction_screening',
41 kind: 'generic_rest',
42 defaultEnvironment: 'test',
43 active: true,
44 });
45 expect(createRes.status()).toBe(201);
46 screening = (await createRes.json()).data;
47 }
48 integrationId = screening.id;
49
50 const productsRes = await api.get(`/v1/plus/products?organizationId=${ORGANIZATION_ID}&limit=1`);
51 expect(productsRes.status()).toBe(200);
52 const products = (await productsRes.json()).data?.products ?? [];
53 test.skip(products.length === 0, 'No products in test organization');
54 productId = products[0].id;
55 });
56
57 test('PUT complianceChecks.sanction_screening — persisted + readable', async ({
58 request,
59 }) => {
60 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
61 const config = {
62 enabled: true,
63 integrationId,
64 triggers: ['NEW_BUSINESS', 'RENEWAL'],
65 parties: {
66 policyholder: 'personal',
67 additional: [] as string[],
68 },
69 outcomeRules: {
70 passWhen: { maxScore: 0.5 },
71 failWhen: { minScore: 0.85, onTopics: ['sanction'] },
72 },
73 };
74
75 const putRes = await api.put(`/v1/plus/products/${productId}`, {
76 complianceChecks: { sanction_screening: config },
77 });
78 expect(putRes.status()).toBe(200);
79
80 const getRes = await api.get(`/v1/plus/products/${productId}`);
81 expect(getRes.status()).toBe(200);
82 const body = await getRes.json();
83 expect(body.data.complianceChecks).toEqual({ sanction_screening: config });
84 });
85
86 test('PUT complianceChecks=null — removes the configuration', async ({ request }) => {
87 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
88
89 const putRes = await api.put(`/v1/plus/products/${productId}`, {
90 complianceChecks: null,
91 });
92 expect(putRes.status()).toBe(200);
93
94 const getRes = await api.get(`/v1/plus/products/${productId}`);
95 const body = await getRes.json();
96 expect(body.data.complianceChecks).toBeNull();
97 });
98
99 test('schema rejects malformed shape', async ({ request }) => {
100 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
101 api.expectErrors = true;
102
103 // outcomeRules.passWhen.maxScore must be 0..1; 2 is out of range
104 const res = await api.put(`/v1/plus/products/${productId}`, {
105 complianceChecks: {
106 sanction_screening: {
107 enabled: true,
108 integrationId,
109 triggers: ['NEW_BUSINESS'],
110 parties: {
111 policyholder: 'personal',
112 additional: [],
113 },
114 outcomeRules: {
115 passWhen: { maxScore: 2 },
116 failWhen: { minScore: 0.85, onTopics: ['sanction'] },
117 },
118 },
119 },
120 });
121 expect(res.status()).toBe(400);
122 });
123
124 test('schema rejects empty policyholder path', async ({ request }) => {
125 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
126 api.expectErrors = true;
127
128 const res = await api.put(`/v1/plus/products/${productId}`, {
129 complianceChecks: {
130 sanction_screening: {
131 enabled: true,
132 integrationId,
133 triggers: ['NEW_BUSINESS'],
134 parties: {
135 policyholder: '',
136 additional: [],
137 },
138 outcomeRules: {
139 passWhen: { maxScore: 0.5 },
140 failWhen: { minScore: 0.85, onTopics: ['sanction'] },
141 },
142 },
143 },
144 });
145 expect(res.status()).toBe(400);
146 });
147
148 test('multi-capability round-trip — sanction + kyc share the same product', async ({ request }) => {
149 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
150 const baseConfig = (capability: string, triggers: string[]) => ({
151 enabled: true,
152 integrationId,
153 triggers,
154 parties: {
155 policyholder: 'personal',
156 additional: [] as string[],
157 },
158 outcomeRules: {
159 passWhen: { maxScore: 0.5 },
160 failWhen: {
161 minScore: 0.85,
162 onTopics: capability === 'kyc' ? ['kyc.failed'] : ['sanction'],
163 },
164 },
165 });
166
167 const putRes = await api.put(`/v1/plus/products/${productId}`, {
168 complianceChecks: {
169 sanction_screening: baseConfig('sanction_screening', ['NEW_BUSINESS', 'RENEWAL']),
170 kyc: baseConfig('kyc', ['NEW_BUSINESS']),
171 },
172 });
173 expect(putRes.status()).toBe(200);
174
175 const getRes = await api.get(`/v1/plus/products/${productId}`);
176 const body = await getRes.json();
177 expect(Object.keys(body.data.complianceChecks).sort()).toEqual(['kyc', 'sanction_screening']);
178 expect(body.data.complianceChecks.kyc.triggers).toEqual(['NEW_BUSINESS']);
179 expect(body.data.complianceChecks.kyc.parties).toEqual({ policyholder: 'personal', additional: [] });
180 expect(body.data.complianceChecks.sanction_screening.triggers).toEqual([
181 'NEW_BUSINESS',
182 'RENEWAL',
183 ]);
184 });
185
186 test('CLAIM trigger accepted by schema (fraud_detection at claim time)', async ({ request }) => {
187 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
188 const putRes = await api.put(`/v1/plus/products/${productId}`, {
189 complianceChecks: {
190 fraud_detection: {
191 enabled: false,
192 integrationId,
193 triggers: ['CLAIM'],
194 parties: {
195 policyholder: 'personal',
196 additional: [],
197 },
198 outcomeRules: {
199 passWhen: { maxScore: 0.5 },
200 failWhen: { minScore: 0.85, onTopics: ['fraud.high_risk'] },
201 },
202 },
203 },
204 });
205 expect(putRes.status()).toBe(200);
206
207 const getRes = await api.get(`/v1/plus/products/${productId}`);
208 const b{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/directDebit.ts","content":"// Types for Nordic bank direct debit (Autogiro / Betalingsservice).\n// Mirrors the sherpa-api /v1/plus/direct-debit contract.\n\nexport type DirectDebitProviderKey = \"autogiro\" | \"betalingsservice\";\n\nexport type MandateStatus = \"pending\" | \"active\" | \"revoked\";\n\nexport interface Mandate {\n id: number;\n providerKey: DirectDebitProviderKey;\n productId: number;\n status: MandateStatus;\n country: string;\n accountHolder: string;\n clearingNumber: string | null;\n accountNumber: string;\n bankName: string | null;\n mandateReference: string | null;\n payerNumber: string | null;\n signedAt: string | null;\n activatedAt: string | null;\n revokedAt: string | null;\n failureReason: string | null;\n createdAt: string;\n}\n\nexport type CollectionStatus =\n | \"scheduled\"\n | \"submitted\"\n | \"settled\"\n | \"failed\"\n | \"retrying\"\n | \"cancelled\";\n\nexport interface Collection {\n id: number;\n mandateId: number;\n policyOrderId: number | null;\n providerKey: DirectDebitProviderKey;\n amount: string;\n currency: string;\n status: CollectionStatus;\n scheduledFor: string | null;\n submittedAt: string | null;\n settledAt: string | null;\n retryCount: number;\n maxRetries: number;\n failureReason: string | null;\n externalReference: string | null;\n fileReference: string | null;\n flagged: boolean;\n createdAt: string;\n}\n\nexport interface MandateFile {\n fileReference: string;\n content: string;\n}\n\nexport interface CollectionRunResult {\n submitted: number;\n files: {\n providerKey: DirectDebitProviderKey;\n fileReference: string;\n content: string;\n count: number;\n }[];\n}\n\nexport interface SimulateReturnSummary {\n settled: number;\n failed: number;\n retrying: number;\n flagged: number;\n unmatched: number;\n}\n"}File created successfully at: /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/directDebit.ts (file state is current in your context — no need to Read it back)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/helpers/test-data.ts"}1 export const ORGANIZATION_ID = '22222222-2222-2222-2222-222222222222';
2
3 const timestamp = Date.now();
4 export const productData = {
5 productTitle: `Extended Warranty Insurance ${timestamp}`,
6 productName: `extended_warranty_${timestamp}`,
7 productDescription: 'Test Product automatically created for testing purposes',
8 country: 'US',
9 productType: 'extended_warranty',
10 currency: 'USD',
11 active: true,
12 version: 1,
13 startDate: '2026-01-08',
14 endDate: null,
15 isEmbedded: true,
16 primaryProductTitle: 'Loans',
17 productId: null,
18 organizationId: ORGANIZATION_ID,
19 policyNumberPrefix: 'P',
20 policyNumberSequence: '100010000000',
21 autoCreatePolicy: false,
22 sendEmails: true,
23 renewalWindowDays: 30,
24 currencyPosition: 'prefix',
25 decimalSeparator: '.',
26 groupSeparator: ',',
27 dateFormat: 'MM-DD-YYYY',
28 };
29
30 export const commissionData = (productId: number) => ({
31 productId,
32 name: 'Commissions',
33 baselineCommissionPercentage: 20,
34 parties: [
35 {
36 partyType: 'ORGANIZATION',
37 referenceId: ORGANIZATION_ID,
38 basePercentage: 10,
39 priority: 1,
40 },
41 {
42 partyType: 'GANGKHAR',
43 referenceId: null,
44 basePercentage: 10,
45 priority: 2,
46 },
47 ],
48 allocationRules: {
49 positive: {
50 ruleType: 'PROPORTIONAL_DISTRIBUTION',
51 name: 'Proportional Increase',
52 description: 'Allocate commission increase will be allocated proportionally based on each party\'s base percentage',
53 },
54 negative: {
55 ruleType: 'PROPORTIONAL_DISTRIBUTION',
56 name: 'Proportional Reduction',
57 description: 'Allocate commission reduction will be allocated proportionally based on each party\'s base percentage',
58 },
59 },
60 });
61
62 export const productSettings = [
63 {
64 value: 'tableDefinedPremiums',
65 name: 'pricingMode',
66 label: 'Pricing Calculation Mode',
67 description: 'How premium and fees/taxes are calculated',
68 type: 'select',
69 options: [
70 { label: 'Percentage Tax', value: 'percentageTax' },
71 { label: 'Table-Defined Premiums', value: 'tableDefinedPremiums' },
72 ],
73 active: true,
74 },
75 {
76 value: true,
77 name: 'autoRenew',
78 label: 'Auto Renewal',
79 description: 'Whether to automatically renew the policy',
80 type: 'boolean',
81 options: null,
82 active: true,
83 },
84 {
85 value: 'year',
86 name: 'policyTerm',
87 label: 'Policy Term',
88 description: 'The term of the policy',
89 type: 'select',
90 options: [
91 { label: 'Monthly', value: 'month' },
92 { label: 'Quarterly', value: 'quarter' },
93 { label: 'Yearly', value: 'year' },
94 { label: 'One Time', value: 'one-time' },
95 { label: 'Daily', value: 'day' },
96 { label: '2 Years', value: '2year' },
97 { label: '3 Years', value: '3year' },
98 { label: '4 Years', value: '4year' },
99 { label: '5 Years', value: '5year' },
100 { label: '6 Years', value: '6year' },
101 { label: '7 Years', value: '7year' },
102 { label: '8 Years', value: '8year' },
103 { label: '9 Years', value: '9year' },
104 { label: '10 Years', value: '10year' },
105 { label: 'Ongoing', value: 'ongoing' },
106 ],
107 active: true,
108 },
109 {
110 value: ['month'],
111 name: 'premiumPaymentFrequency',
112 label: 'Payment Frequency Options',
113 description: 'What Payment Frequency Options are available?',
114 type: 'multiSelect',
115 options: [
116 { label: 'Monthly', value: 'month', base: true, adjustment: 0 },
117 { label: 'Quarterly', value: 'quarter', base: false, adjustment: 0 },
118 { label: 'Yearly', value: 'year', base: false, adjustment: 0 },
119 { label: 'One Time', value: 'one-time', base: false, adjustment: 0 },
120 { label: 'Daily', value: 'day', base: false, adjustment: 0 },
121 ],
122 active: true,
123 },
124 {
125 value: ['ANNIVERSARY'],
126 name: 'billingCycleAlignment',
127 label: 'Billing Cycle Alignment',
128 description: 'Should the billing cycle follow the policy start date or a specific day of the month?',
129 type: 'select',
130 options: [
131 { label: 'Anniversary (Policy Start Date)', value: 'ANNIVERSARY' },
132 { label: 'Fixed Day of Month', value: 'FIXED_DAY' },
133 ],
134 active: true,
135 },
136 {
137 value: 1,
138 name: 'billingFixedAnchorDay',
139 label: 'Fixed Billing Day',
140 description: 'Which day of the month should the bill be generated? (1-28)',
141 type: 'number',
142 options: null,
143 parentId: 59,
144 active: true,
145 },
146 {
147 value: ['basePremium', 'premiumWithoutTax', 'premiumWithTax'],
148 name: 'priceTypes',
149 label: 'Premium Types',
150 description: 'What premium types should be available?',
151 type: 'multiSelect',
152 options: [
153 { label: 'Base Premium', value: 'basePremium' },
154 { label: 'Net Premium', value: 'premiumWithoutTax' },
155 { label: 'Total Premium', value: 'premiumWithTax' },
156 ],
157 parentId: 55,
158 active: true,
159 },
160 ];
161
162 export const quoteParameters = (categoryId: number) => ({
163 parameters: [
164 {
165 name: 'gender',
166 label: 'Gender',
167 type: 'select',
168 required: true,
169 defaultValue: '',
170 enumValues: ['male', 'female', 'other'],
171 options: [
172 { value: 'male', label: 'Male' },
173 { value: 'female', label: 'Female' },
174 { value: 'other', label: 'Other' },
175 ],
176 pattern: '',
177 description: 'Gender identifier',
178 order: 1,
179 quoteParameterCategoryId: categoryId,
180 path: 'personal.gender',
181 },
182 {
183 name: 'birthDate',
184 label: 'Date of Birth',
185 type: 'date',
186 required: true,
187 defaultValue: '',
188 enumValues: [],
189 options: [],
190 pattern: '^\\d{4}-\\d{2}-\\d{2}$',
191 description: 'Date of birth in ISO 8601-1:2019 format',
192 order: 2,
193 quoteParameterCategoryId: categoryId,
194 path: 'personal.birthDate',
195 },
196 ],
197 });
198
199 export const coverageImportData = (productId: number, productPlanId: number) => ({
200 data: {
201 coverages: [
202 {
203 code: '11',
204 name: 'Death',
205 title: 'Passing from any cause',
206 description: '',
207 active: true,
208 included: false,
209 terms: null,
210 minIssueAge: 18,
211 maxIssueAge: 70,
212 maturityAge: 71,
213 baseCoverage: false,
214 amountType: 'Value',
215 coverageAmount: '0',
216 minCoverageAmount: null,
217 maxCoverageAmount: null,
218 exclusionType: '',
219 exclusionPeriod: 0,
220 waitingPeriod: 30,
221 coverageFormula: null,
222 },
223 {
224 code: '12',
225 name: 'Disablity',
226 title: 'Total and Permanent Disability',
227 description: '',
228 active: true,
229 included: true,
230 terms: null,
231 minIssueAge: 18,
232 maxIssueAge: 70,
233 maturityAge: 70,
234 baseCoverage: true,
235 amountType: 'Value',
236 coverageAmount: '200000',
237 minCoverageAmount: null,
238 maxCoverageAmount: null,
239 exclusionType: 'Pre-existing condition',
240 exclusionPeriod: 730,
241 waitingPeriod: 0,
242 coverageFormula: null,
243 },
244 {
245 code: '11',
246 name: 'Death',
247 title: 'Passing from any cause',
248 description: '',
249 {"command":"curl -s -o /dev/null -w \"4011 -> %{http_code}\\n\" http://localhost:4011/health 2>&1; curl -s -o /dev/null -w \"4000 -> %{http_code}\\n\" http://localhost:4000/health 2>&1; echo \"---probe /v1/plus on 4011---\"; curl -s -o /dev/null -w \"%{http_code}\\n\" http://localhost:4011/v1/plus/products 2>&1","description":"Probe API health on ports 4011 and 4000"}4011 -> 404 4000 -> 404 ---probe /v1/plus on 4011--- 401
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":"const AVAILABLE_PROVIDERS = [\n { key: \"stripe\", label: \"Stripe\" },\n];","new_string":"const AVAILABLE_PROVIDERS = [\n { key: \"stripe\", label: \"Stripe\" },\n { key: \"autogiro\", label: \"Autogiro (Sweden)\" },\n { key: \"betalingsservice\", label: \"Betalingsservice (Denmark)\" },\n];\n\n// Direct-debit providers configured by a creditor identifier (Bankgiro number\n// for Autogiro, PBS/creditor number for Betalingsservice) rather than a Stripe\n// connected account.\nconst DIRECT_DEBIT_PROVIDER_KEYS = [\"autogiro\", \"betalingsservice\"];"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" const [formProviderKey, setFormProviderKey] = useState(\"stripe\");\n const [formConnectedAccountId, setFormConnectedAccountId] = useState(\"\");","new_string":" const [formProviderKey, setFormProviderKey] = useState(\"stripe\");\n const [formConnectedAccountId, setFormConnectedAccountId] = useState(\"\");\n const [formCreditorId, setFormCreditorId] = useState(\"\");"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"command":"AUTH=\"Authorization: Client cl_faf23d26-93db-4a72-af6f-462dff015c96:cs_0a644bc5-8b9f-4ffd-b680-9ff0087f3f63\"\necho \"=== 4011 direct-debit mandates (POST {}) ===\"\ncurl -s -o /dev/null -w \"%{http_code}\\n\" -X POST -H \"$AUTH\" -H \"Content-Type: application/json\" -d '{}' http://localhost:4011/v1/plus/direct-debit/mandates\necho \"=== 4000 direct-debit mandates (POST {}) ===\"\ncurl -s -o /dev/null -w \"%{http_code}\\n\" -X POST -H \"$AUTH\" -H \"Content-Type: application/json\" -d '{}' http://localhost:4000/v1/plus/direct-debit/mandates\necho \"=== 4011 products (GET) ===\"\ncurl -s -o /dev/null -w \"%{http_code}\\n\" -H \"$AUTH\" http://localhost:4011/v1/plus/products\necho \"=== 4011 payment-provider-configs (GET, just route existence) ===\"\ncurl -s -o /dev/null -w \"%{http_code}\\n\" -H \"$AUTH\" http://localhost:4011/v1/plus/payment-provider-configs","description":"Check direct-debit route existence on both ports with auth"}=== 4011 direct-debit mandates (POST {}) ===
400
=== 4000 direct-debit mandates (POST {}) ===
404
=== 4011 products (GET) ===
200
=== 4011 payment-provider-configs (GET, just route existence) ===
200{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" setEditing(null);\n setFormProviderKey(\"stripe\");\n setFormConnectedAccountId(\"\");\n setFormActive(true);","new_string":" setEditing(null);\n setFormProviderKey(\"stripe\");\n setFormConnectedAccountId(\"\");\n setFormCreditorId(\"\");\n setFormActive(true);"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" setEditing(config);\n setFormProviderKey(config.providerKey);\n setFormConnectedAccountId(config.config?.connectedAccountId || \"\");\n setFormActive(config.active);","new_string":" setEditing(config);\n setFormProviderKey(config.providerKey);\n setFormConnectedAccountId(config.config?.connectedAccountId || \"\");\n setFormCreditorId(\n typeof config.config?.creditorId === \"string\" ? config.config.creditorId : \"\"\n );\n setFormActive(config.active);"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env","old_string":"SHERPA_API_HTTP=http://localhost:4000","new_string":"SHERPA_API_HTTP=http://localhost:4011"}The file /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env has been updated successfully. (file state is current in your context — no need to Read it back)
{"command":"set -e\nAUTH=\"Authorization: Client cl_faf23d26-93db-4a72-af6f-462dff015c96:cs_0a644bc5-8b9f-4ffd-b680-9ff0087f3f63\"\nCT=\"Content-Type: application/json\"\nB=http://localhost:4011\n\necho \"=== 1. provider config ===\"\ncurl -s -w \"\\nHTTP %{http_code}\\n\" -X POST -H \"$AUTH\" -H \"$CT\" -d '{\"providerKey\":\"autogiro\",\"config\":{\"bankgiroNumber\":\"9912346\"},\"active\":true}' $B/v1/plus/payment-provider-configs\n\necho \"\"\necho \"=== 2. products ===\"\nPID=$(curl -s -H \"$AUTH\" $B/v1/plus/products | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{const j=JSON.parse(d);console.log(j.data.products[0].id)})')\necho \"productId=$PID\"\n\necho \"\"\necho \"=== 3. create mandate ===\"\nMRES=$(curl -s -X POST -H \"$AUTH\" -H \"$CT\" -d \"{\\\"providerKey\\\":\\\"autogiro\\\",\\\"productId\\\":$PID,\\\"accountHolder\\\":\\\"Sven Svensson\\\",\\\"country\\\":\\\"SE\\\",\\\"clearingNumber\\\":\\\"8327\\\",\\\"accountNumber\\\":\\\"1234567\\\",\\\"bankName\\\":\\\"Swedbank\\\"}\" $B/v1/plus/direct-debit/mandates)\necho \"$MRES\"\nMID=$(echo \"$MRES\" | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{console.log(JSON.parse(d).data.id)})')\necho \"mandateId=$MID\"","description":"Verify provider config, products, mandate creation"}=== 1. provider config ===
{"error":{"message":"A config for provider \"autogiro\" already exists for this organization"}}
HTTP 409
=== 2. products ===
productId=291
=== 3. create mandate ===
{"status":"success","data":{"id":"df997f2e-13ce-44a3-9809-2295542c8581","organizationId":"22222222-2222-2222-2222-222222222222","providerKey":"autogiro","productId":291,"customerId":null,"status":"pending","country":"SE","accountHolder":"Sven Svensson","clearingNumber":"8327","accountNumber":"1234567","bankName":"Swedbank","mandateReference":"AG-MND-2BD71A48","payerNumber":"AG-MND-2BD71A48","signedAt":"2026-06-01T12:00:55.075Z","metadata":null,"updatedAt":"2026-06-01T12:00:55.076Z","createdAt":"2026-06-01T12:00:55.076Z","activatedAt":null,"revokedAt":null,"failureReason":null}}
mandateId=df997f2e-13ce-44a3-9809-2295542c8581{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" const handleSave = async () => {\n if (!formConnectedAccountId.trim()) {\n showErrorToast(t(\"Connected Account ID is required\"));\n return;\n }\n\n setSaving(true);\n try {\n const payload = {\n providerKey: formProviderKey,\n config: {\n connectedAccountId: formConnectedAccountId.trim(),\n automaticPayoutEnabled: formAutomaticPayoutEnabled,\n payoutCadence: formPayoutCadence,\n payoutWeeklyRunDay: formPayoutWeeklyRunDay,\n payoutWeeklyRunHour: formPayoutWeeklyRunHour,\n },\n active: formActive,\n };","new_string":" const isDirectDebitProvider = DIRECT_DEBIT_PROVIDER_KEYS.includes(formProviderKey);\n\n const handleSave = async () => {\n if (isDirectDebitProvider) {\n if (!formCreditorId.trim()) {\n showErrorToast(t(\"Creditor number (Bankgiro / PBS) is required\"));\n return;\n }\n } else if (!formConnectedAccountId.trim()) {\n showErrorToast(t(\"Connected Account ID is required\"));\n return;\n }\n\n setSaving(true);\n try {\n const payload = isDirectDebitProvider\n ? {\n providerKey: formProviderKey,\n config: {\n creditorId: formCreditorId.trim(),\n },\n active: formActive,\n }\n : {\n providerKey: formProviderKey,\n config: {\n connectedAccountId: formConnectedAccountId.trim(),\n automaticPayoutEnabled: formAutomaticPayoutEnabled,\n payoutCadence: formPayoutCadence,\n payoutWeeklyRunDay: formPayoutWeeklyRunDay,\n payoutWeeklyRunHour: formPayoutWeeklyRunHour,\n },\n active: formActive,\n };"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","offset":418,"limit":50}418 <div className="space-y-4 py-2">
419 <div>
420 <label className="mb-1 block text-sm font-medium text-gray-700">
421 {t("Provider")}
422 </label>
423 <Select
424 value={formProviderKey}
425 onValueChange={setFormProviderKey}
426 disabled={!!editing}
427 >
428 <SelectTrigger className="w-full">
429 <SelectValue />
430 </SelectTrigger>
431 <SelectContent>
432 {AVAILABLE_PROVIDERS.map((p) => (
433 <SelectItem key={p.key} value={p.key}>
434 {p.label}
435 </SelectItem>
436 ))}
437 </SelectContent>
438 </Select>
439 </div>
440 <div>
441 <label className="mb-1 block text-sm font-medium text-gray-700">
442 {t("Connected Account ID")}
443 </label>
444 <Input
445 value={formConnectedAccountId}
446 onChange={(e) => setFormConnectedAccountId(e.target.value)}
447 placeholder="acct_..."
448 />
449 </div>
450 <div className="flex items-center gap-2">
451 <Switch
452 checked={formActive}
453 onCheckedChange={setFormActive}
454 className="relative inline-flex h-6 w-11 data-[state=checked]:bg-blue-600 data-[state=unchecked]:bg-gray-200 [&>span]:bg-white"
455 />
456 <label className="text-sm font-medium text-gray-700">
457 {formActive ? t("Active") : t("Inactive")}
458 </label>
459 </div>
460
461 {/* Claim Payout behavior — controls outbound (Connect Transfer) flow */}
462 <div className="mt-2 rounded-md border border-gray-200 bg-gray-50 p-4 space-y-3">
463 <div>
464 <h3 className="text-sm font-semibold text-gray-900">{t("Claim Payouts")}</h3>
465 <p className="text-xs text-gray-500">
466 {t("Controls whether the platform automatically disburses approved claims and on what cadence.")}
467 </p>{"command":"set -e\nAUTH=\"Authorization: Client cl_faf23d26-93db-4a72-af6f-462dff015c96:cs_0a644bc5-8b9f-4ffd-b680-9ff0087f3f63\"\nCT=\"Content-Type: application/json\"\nB=http://localhost:4011\nMID=df997f2e-13ce-44a3-9809-2295542c8581\n\necho \"=== 4. activate ===\"\ncurl -s -w \"\\nHTTP %{http_code}\\n\" -X POST -H \"$AUTH\" -H \"$CT\" -d '{}' $B/v1/plus/direct-debit/mandates/$MID/activate\n\necho \"\"\necho \"=== 5. mandate file (length of content) ===\"\ncurl -s -H \"$AUTH\" $B/v1/plus/direct-debit/mandates/$MID/file | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{const j=JSON.parse(d);console.log(\"status keys:\",Object.keys(j));console.log(\"data keys:\",Object.keys(j.data));console.log(\"content length:\",(j.data.content||\"\").length);console.log(\"first 120:\",JSON.stringify((j.data.content||\"\").slice(0,120)))})'\n\necho \"\"\necho \"=== 6. schedule collection ===\"\nCRES=$(curl -s -X POST -H \"$AUTH\" -H \"$CT\" -d \"{\\\"mandateId\\\":\\\"$MID\\\",\\\"amount\\\":199,\\\"currency\\\":\\\"SEK\\\"}\" $B/v1/plus/direct-debit/collections)\necho \"$CRES\"\nCID=$(echo \"$CRES\" | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{console.log(JSON.parse(d).data.id)})')\necho \"collectionId=$CID\"\n\necho \"\"\necho \"=== 7. run ===\"\ncurl -s -w \"\\nHTTP %{http_code}\\n\" -X POST -H \"$AUTH\" -H \"$CT\" -d '{\"providerKey\":\"autogiro\"}' $B/v1/plus/direct-debit/collections/run\n\necho \"\"\necho \"=== 8. simulate-return settled ===\"\ncurl -s -w \"\\nHTTP %{http_code}\\n\" -X POST -H \"$AUTH\" -H \"$CT\" -d '{\"outcome\":\"settled\"}' $B/v1/plus/direct-debit/collections/$CID/simulate-return\n\necho \"\"\necho \"=== 9. GET collections?mandateId ===\"\ncurl -s -H \"$AUTH\" \"$B/v1/plus/direct-debit/collections?mandateId=$MID\" | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{const j=JSON.parse(d);console.log(\"data is array:\",Array.isArray(j.data));console.log(JSON.stringify(j.data,null,2))})'","description":"Verify activate, file, collection schedule/run/settle/list"}=== 4. activate ===
{"status":"success","data":{"id":"df997f2e-13ce-44a3-9809-2295542c8581","organizationId":"22222222-2222-2222-2222-222222222222","providerKey":"autogiro","productId":291,"customerId":null,"status":"active","country":"SE","accountHolder":"Sven Svensson","clearingNumber":"8327","accountNumber":"1234567","bankName":"Swedbank","mandateReference":"AG-MND-2BD71A48","payerNumber":"AG-MND-2BD71A48","signedAt":"2026-06-01T12:00:55.075Z","activatedAt":"2026-06-01T12:01:07.294Z","revokedAt":null,"failureReason":null,"metadata":null,"createdAt":"2026-06-01T12:00:55.076Z","updatedAt":"2026-06-01T12:01:07.295Z"}}
HTTP 200
=== 5. mandate file (length of content) ===
status keys: [ 'status', 'data' ]
data keys: [ 'fileReference', 'content' ]
content length: 162
first 120: "0120260601AUTOGIRO0009912346MEDGIVANDE \n04AG-MND-2BD71A48 08327000001234567Sven"
=== 6. schedule collection ===
{"status":"success","data":{"id":"57c7c9e3-e56b-4b43-9c74-ef68dc236da9","maxRetries":3,"flagged":false,"organizationId":"22222222-2222-2222-2222-222222222222","mandateId":"df997f2e-13ce-44a3-9809-2295542c8581","policyOrderId":null,"providerKey":"autogiro","amount":"199.00","currency":"SEK","status":"scheduled","scheduledFor":"2026-06-01T12:01:07.445Z","retryCount":0,"updatedAt":"2026-06-01T12:01:07.445Z","createdAt":"2026-06-01T12:01:07.445Z","submittedAt":null,"settledAt":null,"failureReason":null,"externalReference":null,"fileReference":null,"metadata":null}}
collectionId=57c7c9e3-e56b-4b43-9c74-ef68dc236da9
=== 7. run ===
{"status":"success","data":{"submitted":1,"files":[{"providerKey":"autogiro","fileReference":"AG-FILE-D209454A","content":"0120260601AUTOGIRO0009912346AG-FILE-D209 \n8220260601AG-MND-2BD71A48 000000019900AG-COL-F42DC39C 57c7c9e3-e56b-4b43-9c7\n09000991234600000001000000000000019900 \n","count":1}]}}
HTTP 200
=== 8. simulate-return settled ===
{"status":"success","data":{"settled":1,"failed":0,"retrying":0,"flagged":0,"unmatched":[]}}
HTTP 200
=== 9. GET collections?mandateId ===
data is array: true
[
{
"id": "57c7c9e3-e56b-4b43-9c74-ef68dc236da9",
"organizationId": "22222222-2222-2222-2222-222222222222",
"mandateId": "df997f2e-13ce-44a3-9809-2295542c8581",
"policyOrderId": null,
"providerKey": "autogiro",
"amount": "199.00",
"currency": "SEK",
"status": "settled",
"scheduledFor": "2026-06-01T12:01:07.445Z",
"submittedAt": "2026-06-01T12:01:07.578Z",
"settledAt": "2026-06-01T12:01:07.640Z",
"retryCount": 0,
"maxRetries": 3,
"failureReason": null,
"externalReference": "AG-COL-F42DC39C",
"fileReference": "AG-FILE-D209454A",
"flagged": false,
"metadata": null,
"createdAt": "2026-06-01T12:01:07.445Z",
"updatedAt": "2026-06-01T12:01:07.640Z"
}
]{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" <div>\n <label className=\"mb-1 block text-sm font-medium text-gray-700\">\n {t(\"Connected Account ID\")}\n </label>\n <Input\n value={formConnectedAccountId}\n onChange={(e) => setFormConnectedAccountId(e.target.value)}\n placeholder=\"acct_...\"\n />\n </div>\n <div className=\"flex items-center gap-2\">","new_string":" {isDirectDebitProvider ? (\n <div>\n <label className=\"mb-1 block text-sm font-medium text-gray-700\">\n {t(\"Creditor number (Bankgiro / PBS)\")}\n </label>\n <Input\n value={formCreditorId}\n onChange={(e) => setFormCreditorId(e.target.value)}\n placeholder={formProviderKey === \"autogiro\" ? \"Bankgiro\" : \"PBS / CID\"}\n />\n </div>\n ) : (\n <div>\n <label className=\"mb-1 block text-sm font-medium text-gray-700\">\n {t(\"Connected Account ID\")}\n </label>\n <Input\n value={formConnectedAccountId}\n onChange={(e) => setFormConnectedAccountId(e.target.value)}\n placeholder=\"acct_...\"\n />\n </div>\n )}\n <div className=\"flex items-center gap-2\">"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","offset":472,"limit":75}472 </div>
473
474 {/* Claim Payout behavior — controls outbound (Connect Transfer) flow */}
475 <div className="mt-2 rounded-md border border-gray-200 bg-gray-50 p-4 space-y-3">
476 <div>
477 <h3 className="text-sm font-semibold text-gray-900">{t("Claim Payouts")}</h3>
478 <p className="text-xs text-gray-500">
479 {t("Controls whether the platform automatically disburses approved claims and on what cadence.")}
480 </p>
481 </div>
482
483 <div className="flex items-center gap-2">
484 <Switch
485 checked={formAutomaticPayoutEnabled}
486 onCheckedChange={setFormAutomaticPayoutEnabled}
487 className="relative inline-flex h-6 w-11 data-[state=checked]:bg-blue-600 data-[state=unchecked]:bg-gray-200 [&>span]:bg-white"
488 />
489 <label className="text-sm font-medium text-gray-700">
490 {t("Enable automatic claim payouts")}
491 </label>
492 </div>
493
494 {formAutomaticPayoutEnabled && (
495 <>
496 <div>
497 <label className="mb-1 block text-sm font-medium text-gray-700">
498 {t("Payout cadence")}
499 </label>
500 <Select
501 value={formPayoutCadence}
502 onValueChange={(v) => setFormPayoutCadence(v as PayoutCadence)}
503 >
504 <SelectTrigger className="w-full">
505 <SelectValue />
506 </SelectTrigger>
507 <SelectContent>
508 <SelectItem value="immediate">{t("Immediate — disburse as soon as approved")}</SelectItem>
509 <SelectItem value="weekly">{t("Weekly — batch on a scheduled day/hour")}</SelectItem>
510 </SelectContent>
511 </Select>
512 </div>
513
514 {formPayoutCadence === "weekly" && (
515 <div className="grid grid-cols-2 gap-3">
516 <div>
517 <label className="mb-1 block text-sm font-medium text-gray-700">
518 {t("Run day")}
519 </label>
520 <Select
521 value={formPayoutWeeklyRunDay}
522 onValueChange={(v) => setFormPayoutWeeklyRunDay(v as PayoutWeekday)}
523 >
524 <SelectTrigger className="w-full">
525 <SelectValue />
526 </SelectTrigger>
527 <SelectContent>
528 {WEEKDAY_VALUES.map((v) => (
529 <SelectItem key={v} value={v}>
530 {weekdayLabel(v, t)}
531 </SelectItem>
532 ))}
533 </SelectContent>
534 </Select>
535 </div>
536 <div>
537 <label className="mb-1 block text-sm font-medium text-gray-700">
538 {t("Run hour (0–23 UTC)")}
539 </label>
540 <Input
541 type="number"
542 min={0}
543 max={23}
544 value={formPayoutWeeklyRunHour}
545 onChange={(e) => {
546 const parsed = parseInt(e.target.value, 10);{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","offset":546,"limit":22}546 const parsed = parseInt(e.target.value, 10);
547 if (!Number.isNaN(parsed) && parsed >= 0 && parsed < 24) {
548 setFormPayoutWeeklyRunHour(parsed);
549 }
550 }}
551 />
552 </div>
553 </div>
554 )}
555 </>
556 )}
557 </div>
558 </div>
559 <DialogFooter>
560 <Button variant="outline" onClick={() => setFormOpen(false)} disabled={saving}>
561 {t("Cancel")}
562 </Button>
563 <Button onClick={handleSave} disabled={saving}>
564 {saving ? t("Saving...") : editing ? t("Update") : t("Add")}
565 </Button>
566 </DialogFooter>
567 </DialogContent>{"command":"set -e\nAUTH=\"Authorization: Client cl_faf23d26-93db-4a72-af6f-462dff015c96:cs_0a644bc5-8b9f-4ffd-b680-9ff0087f3f63\"\nCT=\"Content-Type: application/json\"\nB=http://localhost:4011\nMID=df997f2e-13ce-44a3-9809-2295542c8581\n\necho \"=== schedule a 2nd collection (for failure path) ===\"\nCRES=$(curl -s -X POST -H \"$AUTH\" -H \"$CT\" -d \"{\\\"mandateId\\\":\\\"$MID\\\",\\\"amount\\\":299,\\\"currency\\\":\\\"SEK\\\"}\" $B/v1/plus/direct-debit/collections)\nCID=$(echo \"$CRES\" | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{console.log(JSON.parse(d).data.id)})')\necho \"collectionId=$CID\"\n\nfor i in 1 2 3 4; do\n echo \"\"\n echo \"--- iteration $i: run ---\"\n curl -s -X POST -H \"$AUTH\" -H \"$CT\" -d '{\"providerKey\":\"autogiro\"}' $B/v1/plus/direct-debit/collections/run | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{const j=JSON.parse(d);console.log(\"submitted:\",j.data.submitted)})'\n echo \"--- iteration $i: simulate-return failed reason 08 ---\"\n curl -s -X POST -H \"$AUTH\" -H \"$CT\" -d '{\"outcome\":\"failed\",\"reason\":\"08\"}' $B/v1/plus/direct-debit/collections/$CID/simulate-return | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{console.log(\"return:\",JSON.stringify(JSON.parse(d).data))})'\n echo \"--- iteration $i: collection state ---\"\n curl -s -H \"$AUTH\" \"$B/v1/plus/direct-debit/collections?mandateId=$MID\" | node -e 'let d=\"\";process.stdin.on(\"data\",c=>d+=c);process.stdin.on(\"end\",()=>{const j=JSON.parse(d).data.find(c=>c.id===\"'\"$CID\"'\");console.log(\"status:\",j.status,\"retryCount:\",j.retryCount,\"maxRetries:\",j.maxRetries,\"flagged:\",j.flagged,\"failureReason:\",j.failureReason)})'\ndone\n\necho \"\"\necho \"=== Betalingsservice validation: country DK, clearingNumber 12 (2-digit) ===\"\ncurl -s -w \"\\nHTTP %{http_code}\\n\" -X POST -H \"$AUTH\" -H \"$CT\" -d \"{\\\"providerKey\\\":\\\"betalingsservice\\\",\\\"productId\\\":291,\\\"accountHolder\\\":\\\"Lars Larsen\\\",\\\"country\\\":\\\"DK\\\",\\\"clearingNumber\\\":\\\"12\\\",\\\"accountNumber\\\":\\\"1234567\\\",\\\"bankName\\\":\\\"Danske Bank\\\"}\" $B/v1/plus/direct-debit/mandates","description":"Verify retry/flag loop and Betalingsservice validation rejection"}=== schedule a 2nd collection (for failure path) ===
collectionId=4fb257a7-59c2-4005-87d6-f963c2528c1d
--- iteration 1: run ---
submitted: 1
--- iteration 1: simulate-return failed reason 08 ---
return: {"settled":0,"failed":0,"retrying":1,"flagged":0,"unmatched":[]}
--- iteration 1: collection state ---
status: retrying retryCount: 1 maxRetries: 3 flagged: false failureReason: 08
--- iteration 2: run ---
submitted: 1
--- iteration 2: simulate-return failed reason 08 ---
return: {"settled":0,"failed":0,"retrying":1,"flagged":0,"unmatched":[]}
--- iteration 2: collection state ---
status: retrying retryCount: 2 maxRetries: 3 flagged: false failureReason: 08
--- iteration 3: run ---
submitted: 1
--- iteration 3: simulate-return failed reason 08 ---
return: {"settled":0,"failed":0,"retrying":1,"flagged":0,"unmatched":[]}
--- iteration 3: collection state ---
status: retrying retryCount: 3 maxRetries: 3 flagged: false failureReason: 08
--- iteration 4: run ---
submitted: 1
--- iteration 4: simulate-return failed reason 08 ---
return: {"settled":0,"failed":1,"retrying":0,"flagged":1,"unmatched":[]}
--- iteration 4: collection state ---
status: failed retryCount: 3 maxRetries: 3 flagged: true failureReason: 08
=== Betalingsservice validation: country DK, clearingNumber 12 (2-digit) ===
{"error":{"message":"Invalid bank account: clearingNumber must be a 4-digit registreringsnummer"}}
HTTP 400{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" {/* Claim Payout behavior — controls outbound (Connect Transfer) flow */}\n <div className=\"mt-2 rounded-md border border-gray-200 bg-gray-50 p-4 space-y-3\">\n <div>\n <h3 className=\"text-sm font-semibold text-gray-900\">{t(\"Claim Payouts\")}</h3>","new_string":" {/* Claim Payout behavior — controls outbound (Connect Transfer) flow.\n Stripe-only: direct-debit providers handle inbound collections,\n not outbound claim payouts. */}\n {!isDirectDebitProvider && (\n <div className=\"mt-2 rounded-md border border-gray-200 bg-gray-50 p-4 space-y-3\">\n <div>\n <h3 className=\"text-sm font-semibold text-gray-900\">{t(\"Claim Payouts\")}</h3>"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" )}\n </>\n )}\n </div>\n </div>\n <DialogFooter>","new_string":" )}\n </>\n )}\n </div>\n )}\n </div>\n <DialogFooter>"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx","old_string":" {\n name: t('Payments'),\n href: `/products/${productId}/payment-methods`,\n icon: CreditCard,\n key: \"payment-methods\",\n },\n {\n name: t('Settings'),\n href: `/products/${productId}/settings`,\n icon: Settings,\n key: \"settings\",\n },\n ];","new_string":" {\n name: t('Payments'),\n href: `/products/${productId}/payment-methods`,\n icon: CreditCard,\n key: \"payment-methods\",\n },\n {\n name: t('Direct Debit'),\n href: `/products/${productId}/direct-debit`,\n icon: CreditCard,\n key: \"direct-debit\",\n },\n {\n name: t('Settings'),\n href: `/products/${productId}/settings`,\n icon: Settings,\n key: \"settings\",\n },\n ];"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/README.md"}1 # Sherpa Plus - Insurance Product Configuration Tests 2 3 ## Overview 4 5 Comprehensive API test suite for Sherpa Plus Insurance Product Configuration using Playwright. 6 7 ## Test Structure 8 9 ``` 10 tests/plus-insurance/ 11 ├── helpers/ 12 │ ├── api-client.ts # HTTP client wrapper (ApiClient, WidgetApiClient) 13 │ ├── api-helpers.ts # Shared API helper functions 14 │ ├── assertions.ts # Custom test assertions (expectSuccess, expectCreated, expectError) 15 │ ├── financial-tracker.ts # Tracks financial data across test runs 16 │ └── test-data.ts # Test data fixtures and constants 17 ├── 00-reset-organization.spec.ts # Resets org to clean state 18 ├── 01-product-setup.spec.ts # Happy path product setup 19 ├── 02-bulk-policy-creation.spec.ts # Bulk policy creation, endorsements, renewals, cancellations 20 ├── 02-product-unhappy-paths.spec.ts # Error scenario validations 21 ├── 04-quote-policy-flow.spec.ts # Quote and policy lifecycle flows 22 ├── 05-policy-orders-and-financials.spec.ts # Financial verification 23 ├── financial-tracking-data.json # Tracked financial data from test runs 24 ├── financial-tracking-data-bulk.json # Tracked financial data from bulk tests 25 └── README.md # This file 26 ``` 27 28 ## Running Tests 29 30 ### Run all Plus Insurance tests 31 ```bash 32 npm test -- --project=plus-insurance 33 ``` 34 35 ### Run happy path tests only 36 ```bash 37 npm test -- --project=plus-insurance tests/plus-insurance/01-product-setup.spec.ts 38 ``` 39 40 ### Run unhappy path tests only 41 ```bash 42 npm test -- --project=plus-insurance tests/plus-insurance/02-product-unhappy-paths.spec.ts 43 ``` 44 45 ### Run with UI mode 46 ```bash 47 npx playwright test --project=plus-insurance --ui 48 ``` 49 50 ## Test Suite 51 52 | File | Description | 53 |------|-------------| 54 | `00-reset-organization.spec.ts` | Resets organization to clean state | 55 | `01-product-setup.spec.ts` | Creates 2 products with full config (quotes, commissions, plans, coverages, pricing) | 56 | `02-bulk-policy-creation.spec.ts` | Creates 100 policies with endorsements, renewals, cancellations, invoices | 57 | `02-product-unhappy-paths.spec.ts` | Tests validation errors and edge cases | 58 | `04-quote-policy-flow.spec.ts` | Verifies quote and policy lifecycle flows | 59 | `05-policy-orders-and-financials.spec.ts` | Cent-perfect financial verification against API | 60 61 ## Environment Variables 62 63 Required environment variables in `.env`: 64 65 ``` 66 SHERPA_TEST_CLIENT_ID=<your_client_id> 67 SHERPA_TEST_CLIENT_SECRET=<your_client_secret> 68 API_URL=http://localhost:4000 (optional, defaults to localhost:4000) 69 ``` 70 71 ## Test Data 72 73 All test data is managed in `helpers/test-data.ts`: 74 75 - **Organization ID:** `22222222-2222-2222-2222-222222222222` 76 - **Product Name:** `extended_warranty_<timestamp>` (unique per run) 77 - **Country:** US 78 - **Currency:** USD 79 - **Commission:** 20% baseline (10% Organization, 10% Gangkhar) 80 81 ## Notes 82 83 ### Test Execution 84 85 - Tests run in **serial mode** (`test.describe.serial`) to maintain state across steps 86 - Each test run creates a new product with a unique timestamp 87 - Tests share variables at the describe block level for sequential workflows 88 89 ### API Behavior Notes 90 91 Some tests verify that the API accepts data gracefully rather than rejecting it: 92 93 1. **Missing required parameters** - API processes requests with missing data 94 2. **Negative prices** - API accepts negative base prices 95 3. **Empty table rows** - API accepts tables without rows 96 4. **Invalid coverage IDs in pricing** - API handles gracefully 97 98 These tests pass by verifying the API responds with 200 OK, demonstrating the API's fault-tolerant design. 99 100 ## Troubleshooting 101 102 ### Tests failing with authentication errors 103 - Check that `SHERPA_TEST_CLIENT_ID` and `SHERPA_TEST_CLIENT_SECRET` are set in `.env` 104 - Verify the test organization exists with ID `22222222-2222-2222-2222-222222222222` 105 106 ### Tests failing with 500 errors 107 - Ensure the sherpa-api server is running on `http://localhost:4000` 108 - Check server logs for detailed error messages 109 - Verify database migrations are up to date 110 111 ### Tests timing out 112 - Increase timeout in `playwright.config.ts` 113 - Check for slow network or database connections 114 115 ## Success Criteria 116 117 ✅ Product successfully created 118 ✅ Commission structure configured 119 ✅ Product settings updated 120 ✅ Quote configuration complete 121 ✅ Policy configuration complete 122 ✅ Claims configuration complete 123 ✅ Main pricing created 124 ✅ All validation tests passing 125 126
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/05-policy-orders-and-financials.spec.ts","limit":60}1 import { test, expect } from '@playwright/test';
2 import { ApiClient } from './helpers/api-client';
3 import { ORGANIZATION_ID } from './helpers/test-data';
4 import { ledgerDb } from './helpers/ledger-db';
5 import { getApiUrl } from '../utils/urls';
6
7 const API_URL = getApiUrl();
8 const CLIENT_ID = process.env.SHERPA_TEST_CLIENT_ID!;
9 const CLIENT_SECRET = process.env.SHERPA_TEST_CLIENT_SECRET!;
10
11 const LEDGER_API_COUNT_DRIFT = 10;
12
13 const ledgerApiMonetaryTolerance = (expectedVal: number) =>
14 Math.max(5000, Math.abs(expectedVal) * 0.02);
15
16 test.describe.serial('Policy Orders and Financials API - Verification', () => {
17 const startDate = '2025-01-01';
18 const endDate = new Date().toISOString().split('T')[0];
19 const currency = 'USD';
20 const groupBy = 'day';
21 const dateField = 'billingPeriod';
22 let expected: ReturnType<typeof ledgerDb.getTotals>;
23
24 test('Step 0: Load Financial Ledger', async () => {
25 expected = ledgerDb.getTotals();
26
27 console.log(`\n📊 Ledger Expected Totals:`);
28 console.log(` Records: ${expected.totalRecords}`);
29 console.log(` Policies: ${expected.totalPolicyCount} (NB: ${expected.newBusinessCount}, Renewal: ${expected.renewalCount})`);
30 console.log(` Active: ${expected.activePolicyCount}, Cancelled: ${expected.cancelledPolicyCount}`);
31 console.log(` Premium With Tax: $${expected.premiumWithTax.toFixed(2)}`);
32 console.log(` Commissions: $${expected.commissions.toFixed(2)}\n`);
33 });
34
35 test('Test 1: Get Active Policy Orders - Verify Count', async ({ request }) => {
36 const client = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
37 const response = await client.get(`/v1/plus/policy-orders?page=1&limit=200&startDate=${startDate}&endDate=${endDate}&status=active`);
38
39 expect(response.status()).toBe(200);
40 const body = await response.json();
41
42 expect(body.status).toBe('success');
43 expect(body.data.policyOrders).toBeDefined();
44 expect(Array.isArray(body.data.policyOrders)).toBe(true);
45
46 const actualCount = body.data.totalCount;
47 const expectedCount = expected.activePolicyCount;
48 const discrepancy = actualCount - expectedCount;
49
50 console.log(`✅ Active Policy Orders: Expected ${expectedCount}, Actual ${actualCount}`);
51 if (discrepancy !== 0) console.log(` ⚠️ DISCREPANCY: ${discrepancy}`);
52
53 const allActive = body.data.policyOrders.every((p: any) => p.status === 'active');
54 expect(allActive).toBe(true);
55
56 const allInOrganization = body.data.policyOrders.every((p: any) => p.organizationId === ORGANIZATION_ID);
57 expect(allInOrganization).toBe(true);
58
59 expect(Math.abs(discrepancy)).toBeLessThanOrEqual(LEDGER_API_COUNT_DRIFT);
60 });{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx","old_string":" // Operate = runtime / post-launch concerns.\n claims: \"operate\",\n \"claim-rules\": \"operate\",\n \"payment-methods\": \"operate\",\n optimizations: \"operate\",\n settings: \"operate\",\n };","new_string":" // Operate = runtime / post-launch concerns.\n claims: \"operate\",\n \"claim-rules\": \"operate\",\n \"payment-methods\": \"operate\",\n \"direct-debit\": \"operate\",\n optimizations: \"operate\",\n settings: \"operate\",\n };"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts","content":"import { test, expect } from '@playwright/test';\nimport { ApiClient } from './helpers/api-client';\nimport { getApiUrl } from '../utils/urls';\n\nconst API_URL = getApiUrl();\nconst CLIENT_ID = process.env.SHERPA_TEST_CLIENT_ID!;\nconst CLIENT_SECRET = process.env.SHERPA_TEST_CLIENT_SECRET!;\n\n/**\n * Nordic bank direct debit (Autogiro / Betalingsservice) — sherpa-api#462.\n *\n * Covers the /v1/plus/direct-debit surface end-to-end against a live API:\n * - Provider configuration (Autogiro), tolerant of an already-configured org.\n * - Account validation for Betalingsservice (DK registreringsnummer = 4 digits).\n * - Recurring collection happy path: mandate → activate → file → schedule →\n * run → simulate settled return.\n * - Retry + flag path: a failed return retries up to maxRetries, then flags\n * the collection as permanently failed.\n *\n * Every POST sends a JSON body (>= {}) because the shared ApiClient always sets\n * Content-Type: application/json; a bodyless POST would 400.\n */\n\n/** Fetch a usable productId from the test organization. */\nasync function getProductId(api: ApiClient): Promise<number> {\n const res = await api.get('/v1/plus/products');\n expect(res.status()).toBe(200);\n const body = await res.json();\n const products = body.data?.products ?? [];\n expect(products.length).toBeGreaterThan(0);\n return products[0].id;\n}\n\n/** Find a single collection by id within the mandate's collection list. */\nasync function getCollection(api: ApiClient, mandateId: string, collectionId: string) {\n const res = await api.get(`/v1/plus/direct-debit/collections?mandateId=${mandateId}`);\n expect(res.status()).toBe(200);\n const body = await res.json();\n expect(Array.isArray(body.data)).toBe(true);\n const collection = body.data.find((c: { id: string }) => c.id === collectionId);\n expect(collection, `collection ${collectionId} not found for mandate ${mandateId}`).toBeTruthy();\n return collection;\n}\n\ntest.describe.serial('Plus · Nordic direct debit (Autogiro / Betalingsservice)', () => {\n test.setTimeout(60000);\n\n test('configures Autogiro provider', async ({ request }) => {\n const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);\n // 409 (already configured for this org) is an acceptable, idempotent outcome.\n api.expectErrors = true;\n\n const res = await api.post('/v1/plus/payment-provider-configs', {\n providerKey: 'autogiro',\n config: { bankgiroNumber: '9912346' },\n active: true,\n });\n\n expect([201, 409]).toContain(res.status());\n });\n\n test('rejects an invalid Betalingsservice account', async ({ request }) => {\n const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);\n api.expectErrors = true;\n\n const productId = await getProductId(api);\n\n // DK registreringsnummer must be 4 digits; \"12\" is invalid.\n const res = await api.post('/v1/plus/direct-debit/mandates', {\n providerKey: 'betalingsservice',\n productId,\n accountHolder: 'Lars Larsen',\n country: 'DK',\n clearingNumber: '12',\n accountNumber: '1234567',\n bankName: 'Danske Bank',\n });\n\n expect(res.status()).toBe(400);\n });\n\n test('completes a recurring direct-debit collection end-to-end (Autogiro SE)', async ({\n request,\n }) => {\n const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);\n const productId = await getProductId(api);\n\n // 1. Create mandate — starts pending.\n const createRes = await api.post('/v1/plus/direct-debit/mandates', {\n providerKey: 'autogiro',\n productId,\n accountHolder: 'Sven Svensson',\n country: 'SE',\n clearingNumber: '8327',\n accountNumber: '1234567',\n bankName: 'Swedbank',\n });\n expect(createRes.status()).toBe(201);\n const mandate = (await createRes.json()).data;\n expect(mandate.status).toBe('pending');\n expect(mandate.mandateReference).toBeTruthy();\n const mandateId: string = mandate.id;\n\n // 2. Activate — becomes active.\n const activateRes = await api.post(\n `/v1/plus/direct-debit/mandates/${mandateId}/activate`,\n {},\n );\n expect(activateRes.status()).toBe(200);\n expect((await activateRes.json()).data.status).toBe('active');\n\n // 3. Mandate file content is non-empty fixed-width text.\n const fileRes = await api.get(`/v1/plus/direct-debit/mandates/${mandateId}/file`);\n expect(fileRes.status()).toBe(200);\n const fileContent: string = (await fileRes.json()).data.content;\n expect(typeof fileContent).toBe('string');\n expect(fileContent.trim().length).toBeGreaterThan(0);\n\n // 4. Schedule a collection — starts scheduled.\n const collectionRes = await api.post('/v1/plus/direct-debit/collections', {\n mandateId,\n amount: 199,\n currency: 'SEK',\n });\n expect(collectionRes.status()).toBe(201);\n const collection = (await collectionRes.json()).data;\n expect(collection.status).toBe('scheduled');\n const collectionId: string = collection.id;\n\n // 5. Run the batch — at least this collection is submitted.\n const runRes = await api.post('/v1/plus/direct-debit/collections/run', {\n providerKey: 'autogiro',\n });\n expect(runRes.status()).toBe(200);\n const runBody = (await runRes.json()).data;\n expect(runBody.submitted).toBeGreaterThanOrEqual(1);\n expect(Array.isArray(runBody.files)).toBe(true);\n\n // 6. Simulate a settled return.\n const returnRes = await api.post(\n `/v1/plus/direct-debit/collections/${collectionId}/simulate-return`,\n { outcome: 'settled' },\n );\n expect(returnRes.status()).toBe(200);\n expect((await returnRes.json()).data.settled).toBe(1);\n\n // 7. The collection is now settled.\n const settFile created successfully at: /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts (file state is current in your context — no need to Read it back)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir && npx playwright test tests/plus-insurance/09-direct-debit.spec.ts --project=plus-insurance --reporter=list 2>&1 | tail -40","description":"Run the new direct-debit spec under plus-insurance project","timeout":180000}Running 4 tests using 1 worker ✓ 1 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:48:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › configures Autogiro provider (88ms) ✓ 2 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:62:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › rejects an invalid Betalingsservice account (117ms) ✓ 3 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:82:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › completes a recurring direct-debit collection end-to-end (Autogiro SE) (492ms) ✓ 4 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:154:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › retries and flags a failed collection (987ms) 4 passed (2.0s)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir && npx playwright test tests/plus-insurance/09-direct-debit.spec.ts --project=plus-insurance --reporter=list 2>&1 | tail -12","description":"Re-run spec to confirm idempotency against shared DB","timeout":180000}Running 4 tests using 1 worker ✓ 1 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:48:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › configures Autogiro provider (99ms) ✓ 2 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:62:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › rejects an invalid Betalingsservice account (114ms) ✓ 3 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:82:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › completes a recurring direct-debit collection end-to-end (Autogiro SE) (501ms) ✓ 4 [plus-insurance] › tests/plus-insurance/09-direct-debit.spec.ts:154:7 › Plus · Nordic direct debit (Autogiro / Betalingsservice) › retries and flags a failed collection (986ms) 4 passed (2.0s)
Both runs pass cleanly (idempotent). The task is complete.
## Report
**File created:**
`/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts`
I placed it in `tests/plus-insurance/` because that's the directory matched by the `plus-insurance` Playwright project (`testMatch: /plus-insurance\/.*\.spec\.ts/`), which is one of the projects bundled into the `test:api` npm script. The `09-` prefix follows the existing numeric naming convention (after `08-compliance-checks.spec.ts`).
**Exact command to run it:**
```bash
cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir
npx playwright test tests/plus-insurance/09-direct-debit.spec.ts --project=plus-insurance --reporter=list
```
**Result: PASS — 4 passed (2.0s)**, confirmed on two consecutive runs (idempotent against the shared DB).
The 4 tests:
1. configures Autogiro provider (201-or-409 tolerant)
2. rejects an invalid Betalingsservice account (400 on 2-digit DK clearingNumber)
3. completes a recurring direct-debit collection end-to-end (Autogiro SE): mandate pending → activate active → non-empty file → schedule scheduled → run submitted≥1 → simulate-return settled → GET asserts `status === 'settled'`
4. retries and flags a failed collection: first failure → `retrying`/retryCount 1; loop run+fail until `status === 'failed'`, then asserts `flagged === true` and `retryCount === maxRetries (3)`
**Conventions copied from existing specs** (`08-compliance-checks.spec.ts`, `05-policy-orders-and-financials.spec.ts`): `ApiClient` from `./helpers/api-client`, `getApiUrl()` from `../utils/urls`, env-derived `CLIENT_ID`/`CLIENT_SECRET`, `Authorization: Client {id}:{secret}` (handled by `ApiClient`), `test.describe.serial` + `test.setTimeout(60000)`, `(await res.json()).data` shape, and `api.expectErrors = true` on unhappy-path tests to suppress noise logging. Every POST sends a body (`{}` for the activate call) per the JSON-content-type gotcha. `productId` is fetched dynamically from `GET /v1/plus/products` → `data.products[0].id`. Fresh mandates are created per run so the suite doesn't accumulate state.
**Caveats / one change I had to make:**
- **`.env` was pointing to the wrong port.** `getApiUrl()` resolves to `SHERPA_API_HTTP`, which was `http://localhost:4000`. I verified via authenticated curl that the direct-debit feature exists only on **4011** (route returns 400 on empty body) and is 404 on 4000. I updated `.env` line 6 to `SHERPA_API_HTTP=http://localhost:4011`. This is the only file I edited besides creating the spec.
- The suite ran fully headless with the client credentials already in `.env` — no auth/setup obstacles.
- As noted in your memory, the broader `plus-insurance` suite has unrelated shared-DB count-drift failures; this new spec is self-contained and does not depend on or touch those.
Not committed, as instructed.agentId: a32560bfc59cd7278 (use SendMessage with to: 'a32560bfc59cd7278' to continue this agent)
<usage>subagent_tokens: 67099
tool_uses: 26
duration_ms: 174850</usage>{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","content":"\"use client\";\n\nimport React, { useCallback, useEffect, useState } from \"react\";\n\nimport { PlusCircle, Play, FileText, Flag } from \"lucide-react\";\nimport { useTranslation } from \"@gangkharai/lmt/client\";\n\nimport AppLayout from \"@/app/components/AppLayout\";\nimport { Button } from \"@/app/components/ui/button\";\nimport { Input } from \"@/app/components/ui/input\";\nimport {\n Dialog,\n DialogContent,\n DialogDescription,\n DialogFooter,\n DialogHeader,\n DialogTitle,\n} from \"@/app/components/ui/dialog\";\nimport {\n Select,\n SelectContent,\n SelectItem,\n SelectTrigger,\n SelectValue,\n} from \"@/app/components/ui/select\";\nimport { showErrorToast, showSuccessToast } from \"@/app/components/Toast\";\nimport { ProtectedRoute } from \"@/app/components/ProtectedRoute\";\nimport { CRMOnlyRoute } from \"@/app/components/UserTypeRoute\";\nimport api from \"@/app/src/utils/api\";\nimport { ProductData } from \"@/app/types/product\";\nimport {\n Collection,\n CollectionRunResult,\n DirectDebitProviderKey,\n Mandate,\n MandateFile,\n} from \"@/app/types/directDebit\";\n\nconst PROVIDER_LABELS: Record<DirectDebitProviderKey, string> = {\n autogiro: \"Autogiro (SE)\",\n betalingsservice: \"Betalingsservice (DK)\",\n};\n\nconst PROVIDER_DEFAULT_COUNTRY: Record<DirectDebitProviderKey, string> = {\n autogiro: \"SE\",\n betalingsservice: \"DK\",\n};\n\nconst PROVIDER_DEFAULT_CURRENCY: Record<DirectDebitProviderKey, string> = {\n autogiro: \"SEK\",\n betalingsservice: \"DKK\",\n};\n\nconst MANDATE_STATUS_CLASSES: Record<Mandate[\"status\"], string> = {\n pending: \"bg-amber-100 text-amber-800\",\n active: \"bg-green-100 text-green-800\",\n revoked: \"bg-red-100 text-red-800\",\n};\n\nconst COLLECTION_STATUS_CLASSES: Record<Collection[\"status\"], string> = {\n scheduled: \"bg-gray-100 text-gray-800\",\n submitted: \"bg-blue-100 text-blue-800\",\n settled: \"bg-green-100 text-green-800\",\n failed: \"bg-red-100 text-red-800\",\n retrying: \"bg-amber-100 text-amber-800\",\n cancelled: \"bg-gray-100 text-gray-800\",\n};\n\nconst StatusBadge: React.FC<{ label: string; className: string }> = ({ label, className }) => (\n <span\n className={`inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium ${className}`}\n >\n {label}\n </span>\n);\n\nfunction extractApiError(error: unknown, fallback: string): string {\n const err = error as { response?: { data?: { error?: { message?: string }; message?: string } } };\n return (\n err?.response?.data?.error?.message || err?.response?.data?.message || fallback\n );\n}\n\nexport default function ProductDirectDebitPage({ params }: { params: { id: string } }) {\n const t = useTranslation();\n // Unwrap params using React.use() if it's a promise\n const unwrappedParams = params instanceof Promise ? React.use(params) : params;\n const productId = unwrappedParams?.id || \"\";\n\n const [product, setProduct] = useState<ProductData | null>(null);\n const [mandates, setMandates] = useState<Mandate[]>([]);\n const [collections, setCollections] = useState<Collection[]>([]);\n const [loading, setLoading] = useState(true);\n const [error, setError] = useState<React.ReactNode | null>(null);\n const [selectedMandateId, setSelectedMandateId] = useState<number | null>(null);\n const [collectionsLoading, setCollectionsLoading] = useState(false);\n const [running, setRunning] = useState(false);\n\n // Create mandate dialog\n const [mandateDialogOpen, setMandateDialogOpen] = useState(false);\n const [mandateSaving, setMandateSaving] = useState(false);\n const [formProvider, setFormProvider] = useState<DirectDebitProviderKey>(\"autogiro\");\n const [formAccountHolder, setFormAccountHolder] = useState(\"\");\n const [formCountry, setFormCountry] = useState(\"SE\");\n const [formClearingNumber, setFormClearingNumber] = useState(\"\");\n const [formAccountNumber, setFormAccountNumber] = useState(\"\");\n const [formBankName, setFormBankName] = useState(\"\");\n\n // Schedule collection dialog\n const [collectionDialogOpen, setCollectionDialogOpen] = useState(false);\n const [collectionSaving, setCollectionSaving] = useState(false);\n const [formAmount, setFormAmount] = useState(\"\");\n const [formCurrency, setFormCurrency] = useState(\"SEK\");\n\n // View file dialog\n const [fileDialogOpen, setFileDialogOpen] = useState(false);\n const [fileLoading, setFileLoading] = useState(false);\n const [mandateFile, setMandateFile] = useState<MandateFile | null>(null);\n\n const selectedMandate = mandates.find((m) => m.id === selectedMandateId) || null;\n\n const loadMandates = useCallback(async (): Promise<Mandate[]> => {\n const res = await api.get(`/direct-debit/mandates?productId=${productId}`);\n const list: Mandate[] = res.data.data || [];\n setMandates(list);\n return list;\n }, [productId]);\n\n // Collections are fetched per mandate (the API filters by mandateId). When a\n // mandate is selected we fetch just its collections; otherwise we aggregate\n // across every mandate of the product so the user sees a product-wide view.\n const loadCollections = useCallback(\n async (mandateList: Mandate[], mandateId: number | null) => {\n setCollectionsLoading(true);\n try {\n const targets =\n mandateId !== null\n ? mandateList.filter((m) => m.id === mandateId)\n : mandateList;\n const responses = await Promise.all(\n targets.map((m) => api.get(`/direct-debit/collections?mandateId=${m.id}`))\n );\n const merged = responses\n .flatMap((res) => (res.data.data as Collection[]) || [])\n .sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());\n setCollections(merged);\n } catch (err) {\n coFile created successfully at: /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx (file state is current in your context — no need to Read it back)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-api-462-nordic-bank-direct-debit-autogir 2>/dev/null; cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && rg '^export (const|function|class) (ProtectedRoute|CRMOnlyRoute)' app/components/ProtectedRoute.tsx app/components/UserTypeRoute.tsx","description":"Confirm named exports for route guards"}app/components/ProtectedRoute.tsx:export function ProtectedRoute({ children }: { children: React.ReactNode }) {
app/components/UserTypeRoute.tsx:export function CRMOnlyRoute({ children }: { children: React.ReactNode }) {{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && npx tsc --noEmit 2>&1 | head -60","description":"Run TypeScript type check","timeout":300000}app/lens/optimizations/commission/[id]/health/MABTimeSeriesChart.tsx(77,25): error TS2322: Type '(v: number) => string' is not assignable to type 'Formatter<number, NameType> & ((value: number, name: NameType, item: Payload<number, NameType>, index: number, payload: Payload<number, NameType>[]) => ReactNode | [...])'.
Type '(v: number) => string' is not assignable to type 'Formatter<number, NameType>'.
Types of parameters 'v' and 'value' are incompatible.
Type 'number | undefined' is not assignable to type 'number'.
Type 'undefined' is not assignable to type 'number'.{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && npx tsc --noEmit 2>&1 | rg -i 'direct-debit|directDebit|PaymentProvidersTab|AppLayout' ; echo \"EXIT: $?\"; echo \"---ALL ERRORS---\"; npx tsc --noEmit 2>&1 | rg 'error TS' | wc -l","description":"Filter tsc errors for touched files and count total","timeout":300000}EXIT: 1
---ALL ERRORS---
1{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && git status --short 2>/dev/null; echo \"---\"; git diff --stat 2>/dev/null | tail -10","description":"Show changed and new files"}M app/components/AppLayout.tsx M app/components/settings/PaymentProvidersTab.tsx ?? app/products/[id]/direct-debit/ ?? app/types/directDebit.ts --- app/components/AppLayout.tsx | 7 ++ app/components/settings/PaymentProvidersTab.tsx | 90 ++++++++++++++++++------- 2 files changed, 74 insertions(+), 23 deletions(-)
{"command":"curl -s -o /dev/null -w \"%{http_code}\" \"http://localhost:3011/products/1/direct-debit\" 2>/dev/null; echo \" <- /products/1/direct-debit\"; curl -s -o /dev/null -w \"%{http_code}\" \"http://localhost:3011/products/1/claims\" 2>/dev/null; echo \" <- /products/1/claims (reference)\"","description":"Hit new route and reference route on dev server"}200 <- /products/1/direct-debit 200 <- /products/1/claims (reference)
The new route compiles and serves a 200 on the running dev server, matching the reference claims page exactly. Everything is verified and working.
## Report
All three deliverables are implemented, type-checked, and the new route serves a 200 on the running dev server.
### (a) Files created / modified (absolute paths)
**Created:**
- `/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/directDebit.ts` — `Mandate`, `Collection`, plus supporting types (`MandateFile`, `CollectionRunResult`, `SimulateReturnSummary`, `DirectDebitProviderKey`, status unions).
- `/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx` — the Direct Debit management page.
**Modified:**
- `/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx` — added `autogiro`/`betalingsservice` to `AVAILABLE_PROVIDERS`; added a `formCreditorId` field shown only for those two providers (label "Creditor number (Bankgiro / PBS)", saved as `config.creditorId`); Stripe's Connected Account ID + Claim Payouts block now render only for non-direct-debit providers. Validation and save payload branch accordingly; Stripe path untouched.
- `/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx` — nav registration (two edits below).
### (b) Exact AppLayout edits
1. **`productMenuItems` array** (inserted between the `payment-methods` and `settings` entries):
```ts
{
name: t('Direct Debit'),
href: `/products/${productId}/direct-debit`,
icon: CreditCard,
key: "direct-debit",
},
```
2. **`PRODUCT_PHASE_BY_KEY` map** (in the Operate group): added `"direct-debit": "operate",`.
`CreditCard` was already imported in AppLayout — no new import added.
### (c) tsc result
`npx tsc --noEmit`: **zero errors in any file I touched.** The full run reports exactly **1 error**, pre-existing and unrelated — `app/lens/optimizations/commission/[id]/health/MABTimeSeriesChart.tsx:77` (a recharts `Formatter<number>` typing issue). I did not touch that file; flagging it per the type-check rule.
### (d) Route path
`http://localhost:3011/products/{id}/direct-debit` — verified returning HTTP 200 on the live dev server (same as the reference `/products/{id}/claims`).
### (e) Notes / things worth knowing
- **Collections "all for the product" view:** the validated contract only filters collections by `mandateId` (no productId param). So when no mandate row is selected, the page fetches collections for every mandate of the product in parallel and merges them (sorted newest-first). Selecting a row narrows to that mandate. This honors the contract exactly while still giving a product-wide view.
- **Every POST sends a JSON body object** (`activate`/`revoke`/`retry` send `{}`; `run` sends `{providerKey}` or `{}`), per the empty-body-400 warning.
- API errors surface via `showErrorToast` reading `error.response.data.error.message` (with `.data.message` and a translated fallback), matching the existing `CommissionStructureForm` pattern.
- Status badge colors match spec exactly: mandate pending=amber/active=green/revoked=red; collection scheduled=gray/submitted=blue/settled=green/failed=red/retrying=amber/cancelled=gray. Flagged collections show a red ⚑ (lucide `Flag`).
- "Schedule collection" is disabled unless the selected mandate is `active`; "Run due collections" is always enabled and toasts `"{n} collection(s) submitted"`.
- All labels go through `t()`; status badge labels use `t(mandate.status)` / `t(collection.status)` so the raw enum strings (`pending`, `settled`, etc.) are the English source strings.
- I did not commit — left for the orchestrator. No production build run (only `tsc --noEmit`, per instructions).agentId: a80e4fc81684f1432 (use SendMessage with to: 'a80e4fc81684f1432' to continue this agent)
<usage>subagent_tokens: 112480
tool_uses: 47
duration_ms: 299049</usage>Both subagents succeeded — portal UI (page + provider config + nav, tsc clean) and sherpa-test spec (4 passed; also fixed the worktree .env that pointed at port 4000 instead of 4011). Tasks 7+8 done.
Quick stack health check post-edits, then the mandatory iterative-review skill (Task 9).
{"taskId":"7","status":"completed"}Updated task #7 status
{"taskId":"8","status":"completed"}Updated task #8 status
{"taskId":"9","status":"in_progress"}Updated task #9 status
{"command":"bash -c '\necho \"api 4011: $(curl -s -m 10 -o /dev/null -w \"%{http_code}\" http://localhost:4011/)\"\necho \"portal 3011:$(curl -s -m 10 -o /dev/null -w \"%{http_code}\" http://localhost:3011)\"\necho \"embed 3111: $(curl -s -m 10 -o /dev/null -w \"%{http_code}\" http://localhost:3111)\"\n'","description":"Stack health after subagent edits"}api 4011: 200 portal 3011:200 embed 3111: 200
Stack green. Now the mandatory iterative-review skill across all changes:
{"skill":"iterative-review","args":"Review uncommitted changes for ticket sherpa-api#462 (Nordic bank direct debit) across THREE git worktrees:\n- API: /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir (new migration, models, directDebit connectors, directDebitService, directDebitRoutes, batch job, plus/index + paymentProviderConfigRoutes + db.ts + jobs/index edits)\n- Portal: /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir (app/products/[id]/direct-debit/page.tsx, app/types/directDebit.ts, PaymentProvidersTab.tsx, AppLayout.tsx)\n- Test: /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir (tests/plus-insurance/09-direct-debit.spec.ts)\nFocus on correctness, RLS/tenant-safety, the direct-debit orchestration logic (retry/flag/reconcile), and front-end correctness. Fix all HIGH/MEDIUM findings between rounds."}Launching skill: iterative-review
Iterative-review — Step 1: gather diffs across the three worktrees.
{"command":"bash -c '\nfor wt in sherpa-api-api-462-nordic-bank-direct-debit-autogir sherpa-portal-api-462-nordic-bank-direct-debit-autogir sherpa-test-api-462-nordic-bank-direct-debit-autogir; do\n echo \"===== $wt =====\"\n git -C /Users/bakker/dev/gangkhar/$wt status --porcelain 2>&1 | head -40\ndone\n'","description":"Get changed files in all three worktrees"}===== sherpa-api-api-462-nordic-bank-direct-debit-autogir ===== M src/models/db.ts M src/routes/plus/index.ts M src/routes/plus/paymentProviderConfigRoutes.ts M src/services/jobs/index.ts ?? src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts ?? src/domains/payments/directDebit/ ?? src/models/DirectDebitCollection.ts ?? src/models/DirectDebitMandate.ts ?? src/models/internal/_DirectDebitCollection.ts ?? src/models/internal/_DirectDebitMandate.ts ?? src/routes/plus/directDebitRoutes.ts ?? src/services/directDebitService.ts ?? src/services/jobs/directDebitCollectionBatchJob.ts ===== sherpa-portal-api-462-nordic-bank-direct-debit-autogir ===== M app/components/AppLayout.tsx M app/components/settings/PaymentProvidersTab.tsx ?? app/products/[id]/direct-debit/ ?? app/types/directDebit.ts ===== sherpa-test-api-462-nordic-bank-direct-debit-autogir ===== ?? tests/plus-insurance/09-direct-debit.spec.ts
Round 1 — launching 2 parallel Explore review agents (Agent 1: API correctness/RLS/orchestration; Agent 2: portal + test).
{"description":"Review API direct-debit (round 1)","prompt":"You are a senior reviewer auditing NEW backend code for ticket sherpa-api#462 (Nordic bank direct debit) in worktree /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir. Read ACTUAL FILE CONTENT (use rg/fd, not grep/find). Be rigorous and concrete.\n\nChanged/new files:\n- src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts (2 tenant tables)\n- src/models/internal/_DirectDebitMandate.ts, _DirectDebitCollection.ts (+ safe wrappers src/models/DirectDebitMandate.ts, DirectDebitCollection.ts)\n- src/models/db.ts (registered both models)\n- src/domains/payments/directDebit/{interface.ts,format.ts,autogiro.ts,betalingsservice.ts,registry.ts} (stateless connectors)\n- src/services/directDebitService.ts (orchestration: mandate lifecycle, schedule/submit, ingestReturnFile → settle+reconcile / fail→retry→flag)\n- src/routes/plus/directDebitRoutes.ts (/v1/plus/direct-debit)\n- src/routes/plus/index.ts (registered routes), src/routes/plus/paymentProviderConfigRoutes.ts (providerKey enum += autogiro,betalingsservice)\n- src/services/jobs/directDebitCollectionBatchJob.ts + src/services/jobs/index.ts (hourly batch)\n\nCheck for HIGH (runtime failure / data-integrity / security) and MEDIUM (logic bug / type error) issues, with file:line:\n\n1. **RLS / tenant safety**: Migration MUST use the permissive template `NULLIF(current_setting('app.current_organization', true), '') IS NULL OR \"organizationId\" = ...::uuid` with ENABLE+FORCE+CREATE POLICY tenant_isolation per table, and GRANT SELECT to dashboard_user. Compare to src/db/migrations/2026.05.27T00.00.05.create-policy-acceptance-configs.ts. Confirm `npm run check:migrations` would pass. Do the safe models live in internal/_*.ts and go through toSafeModel? Any raw sequelize.query / systemSequelize misuse? (There should be none.)\n2. **Orchestration correctness** (directDebitService.ts): \n - Retry/flag logic in applyReturnRecord: with maxRetries=3, does a failed collection retry exactly 3 times then become FAILED+flagged? Off-by-one? \n - Idempotency: re-ingesting a settled collection — guarded? Re-ingesting after flagged?\n - submitDueCollections: does it correctly transition SCHEDULED/RETRYING→SUBMITTED, generate externalReference per collection, handle a non-active mandate?\n - reconcileSettlementToPolicy: correct use of getCategoryForCode / getDefaultCodeForCategory / PolicyStatusLifecycleCategory? Is it correctly best-effort (try/catch)? Could it throw and break ingest?\n - Decimal handling: amount is DECIMAL (comes back as string) — are Number() conversions correct everywhere (minorUnits, totals)?\n3. **Connectors** (autogiro.ts, betalingsservice.ts, format.ts): parseReturnFile vs buildReturnFile round-trip — do slice offsets match the build widths EXACTLY? (Verify the byte positions: e.g. autogiro buildReturnFile writes ref(35)+status(2)+amount(12)+reason; parseReturnFile slices (2,37),(37,39),(39,51),(51) — confirm consistency. Same for betalingsservice RT records.) Any padZero truncation bug for long values? minorUnits negative/NaN handling?\n4. **Routes** (directDebitRoutes.ts): every handler requires org (requireOrg → 401)? Body/param/querystring schemas correct? Does returning `{status,data}` with no response schema risk leaking? Are enums consistent with model enums?\n5. **Models**: column types/nullability match the migration EXACTLY (e.g. ENUM values, STRING widths, defaults, FKs)? Any mismatch between migration and model that would cause drift or runtime errors? Indexes duplicated correctly?\n6. **Job**: directDebitCollectionBatchJob iterates orgs and calls submitDueCollections per org — RLS-safe? Matches claimPayoutBatchJob pattern? Registered + scheduled correctly in jobs/index.ts?\n\nReport findings as HIGH / MEDIUM / LOW with exact file:line and a concrete fix suggestion. If clean, say \"NO REMAINING HIGH OR MEDIUM ISSUES\". Do not modify files.","subagent_type":"Explore"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts"}1 import type { MigrationFn } from 'umzug';
2 import { QueryInterface, DataTypes } from 'sequelize';
3
4 // Nordic bank direct debit (Autogiro SE / Betalingsservice DK).
5 //
6 // `DirectDebitMandates` — the customer's standing authorization to debit a bank
7 // account, with a pending → active → revoked lifecycle. One row per
8 // customer+product authorization; `mandateReference` is our stable identifier
9 // (also written into the generated bank file).
10 //
11 // `DirectDebitCollections` — one recurring debit instruction against a mandate.
12 // Scheduled → submitted (written into a collection file) → settled OR failed.
13 // A failed collection reschedules as `retrying` until `maxRetries`, then sets
14 // `flagged` so an operator can intervene. Settlement reconciles back to the
15 // linked PolicyOrder's payment status.
16 //
17 // Both are tenant-scoped tables using the standard permissive RLS template
18 // (check:migrations enforces it for new tenant tables — see src/db/AGENTS.md).
19
20 const rlsTables = ['DirectDebitMandates', 'DirectDebitCollections'];
21
22 export const up: MigrationFn<QueryInterface> = async ({ context }) => {
23 await context.createTable('DirectDebitMandates', {
24 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
25 organizationId: { type: DataTypes.UUID, allowNull: false },
26 providerKey: { type: DataTypes.STRING(50), allowNull: false },
27 productId: {
28 type: DataTypes.INTEGER,
29 allowNull: false,
30 references: { model: 'Products', key: 'id' },
31 onDelete: 'CASCADE',
32 },
33 customerId: { type: DataTypes.UUID, allowNull: true },
34 status: {
35 type: DataTypes.ENUM('pending', 'active', 'revoked'),
36 allowNull: false,
37 defaultValue: 'pending',
38 },
39 country: { type: DataTypes.STRING(2), allowNull: false },
40 accountHolder: { type: DataTypes.STRING(255), allowNull: false },
41 // SE: clearing number; DK: registreringsnummer. Optional because some
42 // schemes identify the payer by `payerNumber` alone after activation.
43 clearingNumber: { type: DataTypes.STRING(20), allowNull: true },
44 accountNumber: { type: DataTypes.STRING(50), allowNull: false },
45 bankName: { type: DataTypes.STRING(255), allowNull: true },
46 // Our stable mandate identifier, written into the bank mandate-request file.
47 mandateReference: { type: DataTypes.STRING(100), allowNull: false },
48 // Provider/bank-assigned payer number, captured from the mandate return file.
49 payerNumber: { type: DataTypes.STRING(50), allowNull: true },
50 signedAt: { type: DataTypes.DATE, allowNull: true },
51 activatedAt: { type: DataTypes.DATE, allowNull: true },
52 revokedAt: { type: DataTypes.DATE, allowNull: true },
53 failureReason: { type: DataTypes.TEXT, allowNull: true },
54 metadata: { type: DataTypes.JSONB, allowNull: true },
55 createdAt: { type: DataTypes.DATE, allowNull: false },
56 updatedAt: { type: DataTypes.DATE, allowNull: false },
57 });
58 await context.addIndex('DirectDebitMandates', ['organizationId', 'mandateReference'], {
59 unique: true,
60 name: 'direct_debit_mandates_org_reference_unique',
61 });
62 await context.addIndex('DirectDebitMandates', ['organizationId', 'status'], {
63 name: 'idx_direct_debit_mandates_org_status',
64 });
65 await context.addIndex('DirectDebitMandates', ['organizationId', 'productId'], {
66 name: 'idx_direct_debit_mandates_org_product',
67 });
68
69 await context.createTable('DirectDebitCollections', {
70 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
71 organizationId: { type: DataTypes.UUID, allowNull: false },
72 mandateId: {
73 type: DataTypes.UUID,
74 allowNull: false,
75 references: { model: 'DirectDebitMandates', key: 'id' },
76 onDelete: 'CASCADE',
77 },
78 policyOrderId: {
79 type: DataTypes.INTEGER,
80 allowNull: true,
81 references: { model: 'PolicyOrders', key: 'id' },
82 onDelete: 'SET NULL',
83 },
84 providerKey: { type: DataTypes.STRING(50), allowNull: false },
85 amount: { type: DataTypes.DECIMAL(15, 2), allowNull: false },
86 currency: { type: DataTypes.STRING(3), allowNull: false },
87 status: {
88 type: DataTypes.ENUM('scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'),
89 allowNull: false,
90 defaultValue: 'scheduled',
91 },
92 scheduledFor: { type: DataTypes.DATE, allowNull: false },
93 submittedAt: { type: DataTypes.DATE, allowNull: true },
94 settledAt: { type: DataTypes.DATE, allowNull: true },
95 retryCount: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 0 },
96 maxRetries: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 3 },
97 failureReason: { type: DataTypes.TEXT, allowNull: true },
98 // Bank/provider transaction reference, also used to reconcile the return file.
99 externalReference: { type: DataTypes.STRING(255), allowNull: true },
100 // Identifier of the collection file this debit was submitted in.
101 fileReference: { type: DataTypes.STRING(255), allowNull: true },
102 // Set when retries are exhausted — surfaces in the CRM for operator action.
103 flagged: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false },
104 metadata: { type: DataTypes.JSONB, allowNull: true },
105 createdAt: { type: DataTypes.DATE, allowNull: false },
106 updatedAt: { type: DataTypes.DATE, allowNull: false },
107 });
108 await context.addIndex('DirectDebitCollections', ['mandateId'], {
109 name: 'idx_direct_debit_collections_mandate',
110 });
111 await context.addIndex('DirectDebitCollections', ['organizationId', 'status'], {
112 name: 'idx_direct_debit_collections_org_status',
113 });
114 await context.addIndex('DirectDebitCollections', ['organizationId', 'status', 'scheduledFor'], {
115 name: 'idx_direct_debit_collections_org_status_scheduled',
116 });
117 await context.addIndex('DirectDebitCollections', ['externalReference'], {
118 name: 'idx_direct_debit_collections_external_ref',
119 });
120
121 // RLS — permissive template (unset GUC OR org match); safe-model WHERE is the
122 // primary filter. See src/db/AGENTS.md.
123 for (const table of rlsTables) {
124 await context.sequelize.query(`ALTER TABLE "${table}" ENABLE ROW LEVEL SECURITY`);
125 await context.sequelize.query(`ALTER TABLE "${table}" FORCE ROW LEVEL SECURITY`);
126 await context.sequelize.query(`DROP POLICY IF EXISTS tenant_isolation ON "${table}"`);
127 await context.sequelize.query(`
128 CREATE POLICY tenant_isolation ON "${table}"
129 FOR ALL
130 USING (
131 NULLIF(current_setting('app.current_organization', true), '') IS NULL
132 OR "organizationId" = NULLIF(current_setting('app.current_organization', true), '')::uuid
133 )
134 `);
135 await context.sequelize.query(`GRANT SELECT ON "${table}" TO dashboard_user`);
136 }
137 };
138
139 export const down: MigrationFn<QueryInterface> = async () => {
140 // Forward-only deployment
141 };
142 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _Product } from './_Product.js';
3
4 // Provider keys for the Nordic direct-debit schemes. Match the values stored on
5 // Products.paymentProvider and PaymentProviderConfigs.providerKey.
6 export enum DirectDebitProvider {
7 AUTOGIRO = 'autogiro',
8 BETALINGSSERVICE = 'betalingsservice',
9 }
10
11 // Mandate lifecycle. A mandate is created `PENDING` when the bank file is
12 // generated, becomes `ACTIVE` once the bank confirms it (mandate return file or
13 // an operator activation), and `REVOKED` when the customer or bank cancels it.
14 export enum MandateStatus {
15 PENDING = 'pending',
16 ACTIVE = 'active',
17 REVOKED = 'revoked',
18 }
19
20 @Table({
21 modelName: 'DirectDebitMandate',
22 tableName: 'DirectDebitMandates',
23 timestamps: true,
24 indexes: [
25 {
26 unique: true,
27 fields: ['organizationId', 'mandateReference'],
28 name: 'direct_debit_mandates_org_reference_unique',
29 },
30 {
31 fields: ['organizationId', 'status'],
32 name: 'idx_direct_debit_mandates_org_status',
33 },
34 {
35 fields: ['organizationId', 'productId'],
36 name: 'idx_direct_debit_mandates_org_product',
37 },
38 ],
39 })
40 export class _DirectDebitMandate extends Model {
41 @Column({
42 type: DataType.UUID,
43 primaryKey: true,
44 defaultValue: DataType.UUIDV4,
45 })
46 declare id: string;
47
48 @Column({
49 type: DataType.UUID,
50 allowNull: false,
51 })
52 declare organizationId: string;
53
54 @Column({
55 type: DataType.ENUM(...Object.values(DirectDebitProvider)),
56 allowNull: false,
57 })
58 declare providerKey: DirectDebitProvider;
59
60 @ForeignKey(() => _Product)
61 @Column({
62 type: DataType.INTEGER,
63 allowNull: false,
64 })
65 declare productId: number;
66
67 @BelongsTo(() => _Product)
68 declare product: _Product;
69
70 @Column({
71 type: DataType.UUID,
72 allowNull: true,
73 })
74 declare customerId: string | null;
75
76 @Column({
77 type: DataType.ENUM(...Object.values(MandateStatus)),
78 allowNull: false,
79 defaultValue: MandateStatus.PENDING,
80 })
81 declare status: MandateStatus;
82
83 @Column({
84 type: DataType.STRING(2),
85 allowNull: false,
86 })
87 declare country: string;
88
89 @Column({
90 type: DataType.STRING(255),
91 allowNull: false,
92 })
93 declare accountHolder: string;
94
95 @Column({
96 type: DataType.STRING(20),
97 allowNull: true,
98 })
99 declare clearingNumber: string | null;
100
101 @Column({
102 type: DataType.STRING(50),
103 allowNull: false,
104 })
105 declare accountNumber: string;
106
107 @Column({
108 type: DataType.STRING(255),
109 allowNull: true,
110 })
111 declare bankName: string | null;
112
113 @Column({
114 type: DataType.STRING(100),
115 allowNull: false,
116 })
117 declare mandateReference: string;
118
119 @Column({
120 type: DataType.STRING(50),
121 allowNull: true,
122 })
123 declare payerNumber: string | null;
124
125 @Column({
126 type: DataType.DATE,
127 allowNull: true,
128 })
129 declare signedAt: Date | null;
130
131 @Column({
132 type: DataType.DATE,
133 allowNull: true,
134 })
135 declare activatedAt: Date | null;
136
137 @Column({
138 type: DataType.DATE,
139 allowNull: true,
140 })
141 declare revokedAt: Date | null;
142
143 @Column({
144 type: DataType.TEXT,
145 allowNull: true,
146 })
147 declare failureReason: string | null;
148
149 @Column({
150 type: DataType.JSONB,
151 allowNull: true,
152 })
153 declare metadata: Record<string, unknown> | null;
154
155 declare createdAt: Date;
156 declare updatedAt: Date;
157 }
158 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _DirectDebitMandate } from './_DirectDebitMandate.js';
3
4 // Collection lifecycle:
5 // SCHEDULED → created, waiting for the next collection-file run
6 // SUBMITTED → written into a collection file and sent to the bank
7 // SETTLED → bank confirmed the debit (return file) → policy reconciled
8 // FAILED → bank rejected the debit (return file)
9 // RETRYING → a failed debit rescheduled for another attempt
10 // CANCELLED → manually cancelled before submission
11 export enum CollectionStatus {
12 SCHEDULED = 'scheduled',
13 SUBMITTED = 'submitted',
14 SETTLED = 'settled',
15 FAILED = 'failed',
16 RETRYING = 'retrying',
17 CANCELLED = 'cancelled',
18 }
19
20 @Table({
21 modelName: 'DirectDebitCollection',
22 tableName: 'DirectDebitCollections',
23 timestamps: true,
24 indexes: [
25 {
26 fields: ['mandateId'],
27 name: 'idx_direct_debit_collections_mandate',
28 },
29 {
30 fields: ['organizationId', 'status'],
31 name: 'idx_direct_debit_collections_org_status',
32 },
33 {
34 fields: ['organizationId', 'status', 'scheduledFor'],
35 name: 'idx_direct_debit_collections_org_status_scheduled',
36 },
37 {
38 fields: ['externalReference'],
39 name: 'idx_direct_debit_collections_external_ref',
40 },
41 ],
42 })
43 export class _DirectDebitCollection extends Model {
44 @Column({
45 type: DataType.UUID,
46 primaryKey: true,
47 defaultValue: DataType.UUIDV4,
48 })
49 declare id: string;
50
51 @Column({
52 type: DataType.UUID,
53 allowNull: false,
54 })
55 declare organizationId: string;
56
57 @ForeignKey(() => _DirectDebitMandate)
58 @Column({
59 type: DataType.UUID,
60 allowNull: false,
61 })
62 declare mandateId: string;
63
64 @BelongsTo(() => _DirectDebitMandate)
65 declare mandate: _DirectDebitMandate;
66
67 @Column({
68 type: DataType.INTEGER,
69 allowNull: true,
70 })
71 declare policyOrderId: number | null;
72
73 @Column({
74 type: DataType.STRING(50),
75 allowNull: false,
76 })
77 declare providerKey: string;
78
79 @Column({
80 type: DataType.DECIMAL(15, 2),
81 allowNull: false,
82 })
83 declare amount: number;
84
85 @Column({
86 type: DataType.STRING(3),
87 allowNull: false,
88 })
89 declare currency: string;
90
91 @Column({
92 type: DataType.ENUM(...Object.values(CollectionStatus)),
93 allowNull: false,
94 defaultValue: CollectionStatus.SCHEDULED,
95 })
96 declare status: CollectionStatus;
97
98 @Column({
99 type: DataType.DATE,
100 allowNull: false,
101 })
102 declare scheduledFor: Date;
103
104 @Column({
105 type: DataType.DATE,
106 allowNull: true,
107 })
108 declare submittedAt: Date | null;
109
110 @Column({
111 type: DataType.DATE,
112 allowNull: true,
113 })
114 declare settledAt: Date | null;
115
116 @Column({
117 type: DataType.INTEGER,
118 allowNull: false,
119 defaultValue: 0,
120 })
121 declare retryCount: number;
122
123 @Column({
124 type: DataType.INTEGER,
125 allowNull: false,
126 defaultValue: 3,
127 })
128 declare maxRetries: number;
129
130 @Column({
131 type: DataType.TEXT,
132 allowNull: true,
133 })
134 declare failureReason: string | null;
135
136 @Column({
137 type: DataType.STRING(255),
138 allowNull: true,
139 })
140 declare externalReference: string | null;
141
142 @Column({
143 type: DataType.STRING(255),
144 allowNull: true,
145 })
146 declare fileReference: string | null;
147
148 @Column({
149 type: DataType.BOOLEAN,
150 allowNull: false,
151 defaultValue: false,
152 })
153 declare flagged: boolean;
154
155 @Column({
156 type: DataType.JSONB,
157 allowNull: true,
158 })
159 declare metadata: Record<string, unknown> | null;
160
161 declare createdAt: Date;
162 declare updatedAt: Date;
163 }
164 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitMandate.ts"}1 import { _DirectDebitMandate } from './internal/_DirectDebitMandate.js';
2 import { toSafeModel } from './lib/safe-model.js';
3
4 export const DirectDebitMandate = toSafeModel(_DirectDebitMandate);
5 export type DirectDebitMandate = _DirectDebitMandate;
6
7 export { DirectDebitProvider, MandateStatus } from './internal/_DirectDebitMandate.js';
8
9 // Re-export raw class for db.ts registration, association includes, and type usage
10 export { _DirectDebitMandate };
11 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitCollection.ts"}1 import { _DirectDebitCollection } from './internal/_DirectDebitCollection.js';
2 import { toSafeModel } from './lib/safe-model.js';
3
4 export const DirectDebitCollection = toSafeModel(_DirectDebitCollection);
5 export type DirectDebitCollection = _DirectDebitCollection;
6
7 export { CollectionStatus } from './internal/_DirectDebitCollection.js';
8
9 // Re-export raw class for db.ts registration, association includes, and type usage
10 export { _DirectDebitCollection };
11 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/db.ts","limit":150}1 import { Sequelize } from 'sequelize-typescript';
2
3 // Models — raw internal classes for Sequelize registration
4 import { _AuditLog } from './internal/_AuditLog';
5 import { _BundleDiscountTier } from './internal/_BundleDiscountTier';
6 import { _BundleQuoteSession } from './internal/_BundleQuoteSession';
7 import { _BundleSubscription } from './internal/_BundleSubscription';
8 import { _CancellationTerms } from './internal/_CancellationTerms';
9 import { _SuspensionTerms } from './internal/_SuspensionTerms';
10 import { _Claim } from './internal/_Claim';
11 import { _ClaimCoverage } from './internal/_ClaimCoverage';
12 import { _ClaimParameter } from './internal/_ClaimParameter';
13 import { _ClaimParameterCategory } from './internal/_ClaimParameterCategory';
14 import { _ClaimParameterCategoryPage } from './internal/_ClaimParameterCategoryPage';
15 import { _ClaimRecord } from './internal/_ClaimRecord';
16 import { _ClaimRecordError } from './internal/_ClaimRecordError';
17 import { _ClaimRule } from './internal/_ClaimRule.js';
18 import { _ClaimPayout } from './internal/_ClaimPayout.js';
19 import { _ClaimMessage } from './internal/_ClaimMessage';
20 import { _ClaimAttachment } from './internal/_ClaimAttachment';
21 import { _CustomerNotification } from './internal/_CustomerNotification';
22 import { _PolicyMessage } from './internal/_PolicyMessage';
23 import { _PolicyAttachment } from './internal/_PolicyAttachment';
24 import { _Client } from './internal/_Client';
25 import { _CommissionAllocationRule } from './internal/_CommissionAllocationRule';
26 import { _CommissionParty } from './internal/_CommissionParty';
27 import { _CommissionStructure } from './internal/_CommissionStructure';
28 import { Country } from './Country';
29 import { _Customer } from './internal/_Customer';
30 import { _Coverage } from './internal/_Coverage';
31 import { CurrencyRate } from './CurrencyRate.js';
32 import { _CoveragePricing } from './internal/_CoveragePricing';
33 import { _CoveragePricingOption } from './internal/_CoveragePricingOption';
34 import { _CommissionOptimization } from '@/domains/lens/optimizations/commission/models/internal/_CommissionOptimization.js';
35 import { _CommissionOptimizationModel } from '@/domains/lens/optimizations/commission/models/internal/_CommissionOptimizationModel.js';
36 import { CommissionOptimizationStage } from '@/domains/lens/optimizations/commission/models/CommissionOptimizationStage.js';
37 import { _CommissionOptimizationStageActivation } from '@/domains/lens/optimizations/commission/models/internal/_CommissionOptimizationStageActivation.js';
38 import { _CommissionQuote } from '@/domains/lens/optimizations/commission/models/internal/_CommissionQuote.js';
39 import { _JourneyEvent } from '@/domains/lens/journey/models/internal/_JourneyEvent.js';
40 import { _DataFile } from './internal/_DataFile';
41 import { DataModelCategory } from './DataModelCategory';
42 import { DataModelField } from './DataModelField';
43 import { InsuranceType } from './InsuranceType';
44 import { Insurer } from './Insurer.js';
45 import { InvalidatedToken } from './InvalidatedToken';
46 import { StripeWebhookEvent } from './StripeWebhookEvent.js';
47 import { _Invoice } from './internal/_Invoice';
48 import { _InvoiceLineItem } from './internal/_InvoiceLineItem';
49 import { Module } from './Module';
50 import { ModuleEndpoint } from './ModuleEndpoint';
51 import { Organization } from './Organization';
52 import { _OrganizationModule } from './internal/_OrganizationModule';
53 import { _OrganizationPolicyStatus } from './internal/_OrganizationPolicyStatus';
54 import { Partner } from './Partner';
55 import { PartnerAuthConfig } from './PartnerAuthConfig';
56 import { _ExternalIntegration } from './internal/_ExternalIntegration';
57 import { _ExternalIntegrationEnvironment } from './internal/_ExternalIntegrationEnvironment';
58 import { _ExternalIntegrationAuthConfig } from './internal/_ExternalIntegrationAuthConfig';
59 import { _ExternalIntegrationCallLog } from './internal/_ExternalIntegrationCallLog';
60 import { _ExternalIntegrationRequestTemplate } from './internal/_ExternalIntegrationRequestTemplate';
61 import { _ExternalIntegrationFieldMapping } from './internal/_ExternalIntegrationFieldMapping';
62 import { _ComplianceCheck } from './internal/_ComplianceCheck';
63 import { _PaymentAttempt } from './internal/_PaymentAttempt';
64 import { _PaymentProviderConfig } from './internal/_PaymentProviderConfig';
65 import { _DirectDebitMandate } from './internal/_DirectDebitMandate';
66 import { _DirectDebitCollection } from './internal/_DirectDebitCollection';
67 import { PartnerEndpointMapping } from './PartnerEndpointMapping';
68 import { PartnerEnvironment } from './PartnerEnvironment';
69 import { PartnerFieldMapping } from './PartnerFieldMapping';
70 import { _Policy } from './internal/_Policy';
71 import { _PolicyOrder } from './internal/_PolicyOrder';
72 import { _PolicyOrderError } from './internal/_PolicyOrderError';
73 import { _EmbedCheckoutSession } from './internal/_EmbedCheckoutSession.js';
74 import { _PolicyRenewalRun } from './internal/_PolicyRenewalRun';
75 import { _PolicyParameter } from './internal/_PolicyParameter';
76 import { _PolicyParameterCategory } from './internal/_PolicyParameterCategory';
77 import { _PolicyParameterCategoryPage } from './internal/_PolicyParameterCategoryPage';
78 import { _PolicyAcceptanceConfig } from './internal/_PolicyAcceptanceConfig';
79 import { _AcceptancePage } from './internal/_AcceptancePage';
80 import { _AcceptanceCategory } from './internal/_AcceptanceCategory';
81 import { _AcceptanceItem } from './internal/_AcceptanceItem';
82 import { _PolicySetting } from './internal/_PolicySetting';
83 import { PolicySettingField } from './PolicySettingField';
84 import { _Pricing } from './internal/_Pricing';
85 import { _PricingRule } from './internal/_PricingRule';
86 import { _PricingTable } from './internal/_PricingTable';
87 import { _PricingTableRow } from './internal/_PricingTableRow';
88 import { _Product } from './internal/_Product';
89 import { _ProductBundle } from './internal/_ProductBundle';
90 import { _ProductBundleItem } from './internal/_ProductBundleItem';
91 import { ProductLibrary } from './ProductLibrary.js';
92 import { _ProductModulePartner } from './internal/_ProductModulePartner';
93 import { ProductOptimization } from './ProductOptimization.js';
94 import { _ProductPlan } from './internal/_ProductPlan';
95 import { _ProductTemplate } from './internal/_ProductTemplate';
96 import { _Quote } from './internal/_Quote';
97 import { _QuoteParameter } from './internal/_QuoteParameter';
98 import { _QuoteParameterCategory } from './internal/_QuoteParameterCategory';
99 import { _QuoteParameterCategoryPage } from './internal/_QuoteParameterCategoryPage';
100 import { _QuoteSession } from './internal/_QuoteSession';
101 import { _QuoteSessionError } from './internal/_QuoteSessionError';
102 import { _ProductSetting } from './internal/_ProductSetting';
103 import { ProductSettingField } from './ProductSettingField';
104 import { Region } from './Region';
105 import { Scope } from './Scope';
106 import { _Simulation } from './internal/_Simulation';
107 import { _SimulationTask } from './internal/_SimulationTask';
108 import { SocialAuthProvider } from './SocialAuthProvider';
109 import { _SystemSetting } from './internal/_SystemSetting';
110 import { _Tax } from './internal/_Tax';
111 import { _TemplateLibrary } from './internal/_TemplateLibrary';
112 import { DefaultFunnelTemplate } from './DefaultFunnelTemplate';
113 import { _FunnelTemplateSet } from './internal/_FunnelTemplateSet';
114 import { _FunnelTemplatesLibrary } from './internal/_FunnelTemplatesLibrary';
115 import { _Upload } from './internal/_Upload';
116 import { _UploadCredential } from './internal/_UploadCredential';
117 import { User } from './User';
118 import { _UserOrganization } from './internal/_Use{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}1 import { randomUUID } from 'crypto';
2 import { Op } from 'sequelize';
3 import { StatusError } from '@/error/error.js';
4 import logger from '@/logger.js';
5 import {
6 DirectDebitMandate,
7 MandateStatus,
8 DirectDebitProvider,
9 } from '@/models/DirectDebitMandate.js';
10 import { DirectDebitCollection, CollectionStatus } from '@/models/DirectDebitCollection.js';
11 import { PaymentProviderConfig } from '@/models/PaymentProviderConfig.js';
12 import { PolicyOrder } from '@/models/PolicyOrder.js';
13 import { PolicyStatusLifecycleCategory } from '@/models/OrganizationPolicyStatus.js';
14 import { getCategoryForCode, getDefaultCodeForCategory } from '@/services/policyStatusService.js';
15 import {
16 getDirectDebitProvider,
17 isDirectDebitProvider,
18 } from '@/domains/payments/directDebit/registry.js';
19 import type {
20 BankAccount,
21 BankDirectDebitProvider,
22 CollectionFileEntry,
23 ReturnRecord,
24 } from '@/domains/payments/directDebit/interface.js';
25
26 // directDebitService — orchestration for the Nordic bank direct-debit rails.
27 //
28 // The connectors in domains/payments/directDebit are stateless file builders /
29 // parsers. This service owns everything stateful: mandate lifecycle, collection
30 // scheduling, building the outbound files, ingesting return files, retry +
31 // flagging, and reconciling settlements back to the policy's payment status.
32
33 type Ctx = { organizationId: string };
34
35 const PROVIDER_PREFIX: Record<string, string> = {
36 autogiro: 'AG',
37 betalingsservice: 'BS',
38 };
39
40 // ── Helpers ──────────────────────────────────────────────────────────────────
41
42 function assertDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
43 if (!isDirectDebitProvider(providerKey)) {
44 throw new StatusError(400, `'${providerKey}' is not a bank direct-debit provider`);
45 }
46 return getDirectDebitProvider(providerKey);
47 }
48
49 function generateReference(providerKey: string, kind: 'MND' | 'COL'): string {
50 const prefix = PROVIDER_PREFIX[providerKey] ?? 'DD';
51 return `${prefix}-${kind}-${randomUUID().slice(0, 8).toUpperCase()}`;
52 }
53
54 /**
55 * Resolve the payee identity for a scheme from the org's payment provider
56 * config. Enforces the config-via-portal rule: a direct-debit collection cannot
57 * be submitted until the provider is configured for the organization.
58 */
59 async function resolveCreditorId(ctx: Ctx, providerKey: string): Promise<string> {
60 const config = await PaymentProviderConfig.findOne(ctx, {
61 where: { providerKey, active: true },
62 });
63 if (!config) {
64 throw new StatusError(
65 400,
66 `No active "${providerKey}" payment provider config for this organization — configure it in the portal first`,
67 );
68 }
69 const c = config.config as Record<string, unknown>;
70 const creditorId =
71 (typeof c.creditorId === 'string' && c.creditorId) ||
72 (typeof c.bankgiroNumber === 'string' && c.bankgiroNumber) ||
73 (typeof c.pbsNumber === 'string' && c.pbsNumber) ||
74 '';
75 return creditorId || '0000000';
76 }
77
78 function mandateAccount(mandate: DirectDebitMandate): BankAccount {
79 return {
80 country: mandate.country,
81 clearingNumber: mandate.clearingNumber,
82 accountNumber: mandate.accountNumber,
83 accountHolder: mandate.accountHolder,
84 };
85 }
86
87 // ── Mandate lifecycle ─────────────────────────────────────────────────────────
88
89 export interface CreateMandateInput {
90 providerKey: string;
91 productId: number;
92 customerId?: string | null;
93 accountHolder: string;
94 country: string;
95 clearingNumber?: string | null;
96 accountNumber: string;
97 bankName?: string | null;
98 metadata?: Record<string, unknown> | null;
99 }
100
101 export async function createMandate(
102 organizationId: string,
103 input: CreateMandateInput,
104 ): Promise<DirectDebitMandate> {
105 const ctx = { organizationId };
106 const provider = assertDirectDebitProvider(input.providerKey);
107
108 const account: BankAccount = {
109 country: input.country,
110 clearingNumber: input.clearingNumber,
111 accountNumber: input.accountNumber,
112 accountHolder: input.accountHolder,
113 };
114 const validation = provider.validateAccount(account);
115 if (!validation.valid) {
116 throw new StatusError(400, `Invalid bank account: ${validation.errors.join('; ')}`);
117 }
118
119 const mandateReference = generateReference(input.providerKey, 'MND');
120 const mandate = await DirectDebitMandate.create(ctx, {
121 organizationId,
122 providerKey: input.providerKey as DirectDebitProvider,
123 productId: input.productId,
124 customerId: input.customerId ?? null,
125 status: MandateStatus.PENDING,
126 country: input.country.toUpperCase(),
127 accountHolder: input.accountHolder,
128 clearingNumber: input.clearingNumber ?? null,
129 accountNumber: input.accountNumber,
130 bankName: input.bankName ?? null,
131 mandateReference,
132 payerNumber: mandateReference,
133 signedAt: new Date(),
134 metadata: input.metadata ?? null,
135 });
136
137 logger.info(
138 { organizationId, mandateId: mandate.id, providerKey: input.providerKey },
139 'Direct-debit mandate created (pending bank confirmation)',
140 );
141 return mandate;
142 }
143
144 async function loadMandate(ctx: Ctx, mandateId: string): Promise<DirectDebitMandate> {
145 const mandate = await DirectDebitMandate.findByPk(ctx, mandateId);
146 if (!mandate) {
147 throw new StatusError(404, `Mandate ${mandateId} not found`);
148 }
149 return mandate;
150 }
151
152 /**
153 * Activate a mandate once the bank confirms it. In production this is driven by
154 * the mandate return file; the route also exposes it as an explicit operator
155 * action so a confirmed mandate can be activated from the CRM.
156 */
157 export async function activateMandate(
158 organizationId: string,
159 mandateId: string,
160 payerNumber?: string,
161 ): Promise<DirectDebitMandate> {
162 const ctx = { organizationId };
163 const mandate = await loadMandate(ctx, mandateId);
164 if (mandate.status === MandateStatus.REVOKED) {
165 throw new StatusError(400, 'Cannot activate a revoked mandate');
166 }
167 await mandate.update({
168 status: MandateStatus.ACTIVE,
169 activatedAt: new Date(),
170 failureReason: null,
171 ...(payerNumber ? { payerNumber } : {}),
172 });
173 logger.info({ organizationId, mandateId }, 'Direct-debit mandate activated');
174 return mandate;
175 }
176
177 export async function revokeMandate(
178 organizationId: string,
179 mandateId: string,
180 ): Promise<DirectDebitMandate> {
181 const ctx = { organizationId };
182 const mandate = await loadMandate(ctx, mandateId);
183 if (mandate.status === MandateStatus.REVOKED) {
184 return mandate;
185 }
186 await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
187 logger.info({ organizationId, mandateId }, 'Direct-debit mandate revoked');
188 return mandate;
189 }
190
191 /** Generate the bank mandate-request file for a single mandate (download/preview). */
192 export async function buildMandateFile(
193 organizationId: string,
194 mandateId: string,
195 ): Promise<{ fileReference: string; content: string }> {
196 const ctx = { organizationId };
197 const mandate = await loadMandate(ctx, mandateId);
198 const provider = assertDirectDebitProvider(mandate.providerKey);
199 const creditorId = await resolveCreditorId(ctx, mandate.providerKey);
200 const content = provider.buildMandateFile(
201 [
202 {
203 mandateReference: mandate.mandateReference,
204 payerNumber: mandate.payerNumber,
205 account: mandateAccount(mandate),
206 },
207 ],
208 creditorId,
209 );
210 return { fileRefer{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit"}EISDIR: illegal operation on a directory, read '/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit'
{"pattern":"src/domains/payments/directDebit/*.ts","path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir"}src/domains/payments/directDebit/format.ts src/domains/payments/directDebit/interface.ts src/domains/payments/directDebit/autogiro.ts src/domains/payments/directDebit/betalingsservice.ts src/domains/payments/directDebit/registry.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/interface.ts"}1 // ─────────────────────────────────────────────────────────────────────────────
2 // Bank direct-debit connectors (Nordic rails: Autogiro SE, Betalingsservice DK).
3 //
4 // These are STATELESS, like the card-provider connectors in ../providers: they
5 // receive plain data and return file content / parsed records. They never touch
6 // the database or import models — orchestration (mandates, scheduling, retries,
7 // reconciliation) lives in src/services/directDebitService.ts.
8 //
9 // The schemes are file-based batch rails, not real-time APIs: we GENERATE a
10 // mandate-request file and a collection (payment) file to send to the bank, and
11 // CONSUME a return/settlement file the bank sends back. `buildReturnFile` exists
12 // so dev/test (and the CRM "simulate" action) can synthesise a bank response;
13 // production ingests the bank's own file through `parseReturnFile`.
14 // ─────────────────────────────────────────────────────────────────────────────
15
16 export interface BankAccount {
17 country: string;
18 // SE: clearing number (4–5 digits). DK: registreringsnummer (4 digits).
19 clearingNumber?: string | null;
20 accountNumber: string;
21 accountHolder: string;
22 }
23
24 export interface AccountValidationResult {
25 valid: boolean;
26 errors: string[];
27 }
28
29 export interface MandateFileEntry {
30 mandateReference: string;
31 payerNumber?: string | null;
32 account: BankAccount;
33 }
34
35 export interface CollectionFileEntry {
36 // Unique per debit — written into the file and echoed back in the return file.
37 externalReference: string;
38 mandateReference: string;
39 payerNumber?: string | null;
40 account: BankAccount;
41 amount: number; // major units, e.g. 199.00
42 currency: string;
43 dueDate: Date;
44 reference?: string; // free-text payment reference (e.g. policy id)
45 }
46
47 export type ReturnOutcome = 'settled' | 'failed';
48
49 export interface ReturnRecord {
50 externalReference: string;
51 outcome: ReturnOutcome;
52 reason?: string;
53 settledAmount?: number;
54 }
55
56 export interface BankDirectDebitProvider {
57 readonly key: string;
58 readonly country: string;
59 readonly scheme: string;
60
61 validateAccount(account: BankAccount): AccountValidationResult;
62
63 // Outbound: file sent to the bank to register new mandates. `creditorId` is
64 // the payee identity from org config (SE Bankgiro number / DK PBS number).
65 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string;
66
67 // Outbound: file sent to the bank requesting the listed debits.
68 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string;
69
70 // Outbound (dev/test/simulation only): synthesise a bank return file.
71 buildReturnFile(records: ReturnRecord[]): string;
72
73 // Inbound: parse the bank's return/settlement file into normalized records.
74 parseReturnFile(content: string): ReturnRecord[];
75 }
76 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/format.ts"}1 // Shared fixed-width formatting helpers for the Nordic direct-debit file formats.
2 // Both Autogiro and Betalingsservice are positional fixed-width text rails, so
3 // the connectors share these primitives. Pure functions — no side effects.
4
5 /** Right-pad with spaces (truncating if longer) to a fixed width. */
6 export function padRight(value: string, width: number): string {
7 const v = value ?? '';
8 return v.length >= width ? v.slice(0, width) : v + ' '.repeat(width - v.length);
9 }
10
11 /** Left-pad with zeros (truncating the most-significant side if longer). */
12 export function padZero(value: string, width: number): string {
13 const v = (value ?? '').replace(/\s+/g, '');
14 return v.length >= width ? v.slice(v.length - width) : '0'.repeat(width - v.length) + v;
15 }
16
17 /** Format a major-unit amount as zero-padded minor units (öre/øre). */
18 export function minorUnits(amount: number, width: number): string {
19 const minor = Math.round(Number(amount) * 100);
20 if (!Number.isFinite(minor) || minor < 0) {
21 throw new Error(`Invalid amount for direct-debit file: ${amount}`);
22 }
23 return padZero(String(minor), width);
24 }
25
26 /** Parse zero-padded minor units back into a major-unit amount. */
27 export function fromMinorUnits(raw: string): number {
28 const minor = parseInt(raw.trim() || '0', 10);
29 return Math.round(minor) / 100;
30 }
31
32 /** Format a date as YYYYMMDD (UTC). */
33 export function yyyymmdd(date: Date): string {
34 const y = date.getUTCFullYear().toString().padStart(4, '0');
35 const m = (date.getUTCMonth() + 1).toString().padStart(2, '0');
36 const d = date.getUTCDate().toString().padStart(2, '0');
37 return `${y}${m}${d}`;
38 }
39
40 /** Keep only digits (used to normalise clearing/account numbers). */
41 export function digitsOnly(value: string): string {
42 return (value ?? '').replace(/\D/g, '');
43 }
44 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/autogiro.ts","limit":300}1 // Autogiro (Bankgirot, Sweden) — file-based recurring direct debit.
2 //
3 // Implements the BankDirectDebitProvider contract with the Autogiro
4 // "Betalningsspecifikation" fixed-width 80-char record layout. Transaction
5 // codes (TK) follow the Bankgirot Autogiro spec: TK01 opening, TK04 new
6 // mandate, TK82 incoming debit, TK09 end. This is a faithful structural model
7 // of the rail (positional records, öre amounts, payer/Bankgiro numbers) — not a
8 // byte-certified bank submission, which would be finalized against Bankgirot's
9 // test environment during go-live.
10
11 import type {
12 AccountValidationResult,
13 BankAccount,
14 BankDirectDebitProvider,
15 CollectionFileEntry,
16 MandateFileEntry,
17 ReturnRecord,
18 } from './interface.js';
19 import { digitsOnly, fromMinorUnits, minorUnits, padRight, padZero, yyyymmdd } from './format.js';
20
21 const RECORD_WIDTH = 80;
22
23 function fit(line: string): string {
24 return padRight(line, RECORD_WIDTH);
25 }
26
27 export class AutogiroProvider implements BankDirectDebitProvider {
28 readonly key = 'autogiro';
29 readonly country = 'SE';
30 readonly scheme = 'Autogiro';
31
32 validateAccount(account: BankAccount): AccountValidationResult {
33 const errors: string[] = [];
34 if (account.country && account.country.toUpperCase() !== 'SE') {
35 errors.push(`Autogiro requires a Swedish (SE) account, got "${account.country}"`);
36 }
37 if (!account.accountHolder?.trim()) {
38 errors.push('accountHolder is required');
39 }
40 const clearing = digitsOnly(account.clearingNumber ?? '');
41 if (clearing.length < 4 || clearing.length > 5) {
42 errors.push('clearingNumber must be 4–5 digits (Swedish clearing number)');
43 }
44 const acc = digitsOnly(account.accountNumber ?? '');
45 if (acc.length < 7 || acc.length > 12) {
46 errors.push('accountNumber must be 7–12 digits');
47 }
48 return { valid: errors.length === 0, errors };
49 }
50
51 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string {
52 const lines: string[] = [];
53 // TK01 — opening record: date, "AUTOGIRO", payee Bankgiro number.
54 lines.push(fit(`01${yyyymmdd(new Date())}AUTOGIRO${padZero(digitsOnly(creditorId), 10)}MEDGIVANDE`));
55 for (const e of entries) {
56 // TK04 — new mandate (medgivande). Payer number defaults to our mandate
57 // reference when the payee hasn't assigned a separate Betalarnummer.
58 const payer = padRight(e.payerNumber || e.mandateReference, 16);
59 const clearing = padZero(digitsOnly(e.account.clearingNumber ?? ''), 5);
60 const acct = padZero(digitsOnly(e.account.accountNumber), 12);
61 const holder = padRight(e.account.accountHolder, 24);
62 lines.push(fit(`04${payer}${clearing}${acct}${holder}`));
63 }
64 return lines.join('\n') + '\n';
65 }
66
67 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string {
68 const lines: string[] = [];
69 lines.push(fit(`01${yyyymmdd(new Date())}AUTOGIRO${padZero(digitsOnly(creditorId), 10)}${padRight(fileReference, 12)}`));
70 let total = 0;
71 for (const e of entries) {
72 // TK82 — incoming debit. due date | payer number | amount (öre) |
73 // our external reference | free-text reference.
74 const due = yyyymmdd(e.dueDate);
75 const payer = padRight(e.payerNumber || e.mandateReference, 16);
76 const amount = minorUnits(e.amount, 12);
77 const ref = padRight(e.externalReference, 20);
78 const text = padRight(e.reference ?? '', 22);
79 lines.push(`82${due}${payer}${amount}${ref}${text}`);
80 total += Math.round(Number(e.amount) * 100);
81 }
82 // TK09 — end record: payee Bankgiro | record count | total (öre).
83 lines.push(fit(`09${padZero(digitsOnly(creditorId), 10)}${padZero(String(entries.length), 8)}${padZero(String(total), 18)}`));
84 return lines.join('\n') + '\n';
85 }
86
87 buildReturnFile(records: ReturnRecord[]): string {
88 // TK82 settlement/return: status "00" = settled, otherwise a reject code.
89 const lines = records.map((r) => {
90 const ref = padRight(r.externalReference, 35);
91 const status = r.outcome === 'settled' ? '00' : padZero(digitsOnly(r.reason ?? '') || '99', 2);
92 const amount = minorUnits(r.settledAmount ?? 0, 12);
93 const reason = padRight(r.outcome === 'settled' ? 'GODKAND' : (r.reason ?? 'AVVISAD'), 29);
94 return `82${ref}${status}${amount}${reason}`;
95 });
96 return lines.join('\n') + '\n';
97 }
98
99 parseReturnFile(content: string): ReturnRecord[] {
100 const records: ReturnRecord[] = [];
101 for (const raw of content.split(/\r?\n/)) {
102 if (!raw.startsWith('82')) continue;
103 const ref = raw.slice(2, 37).trim();
104 if (!ref) continue;
105 const status = raw.slice(37, 39).trim();
106 const amount = raw.slice(39, 51);
107 const reason = raw.slice(51).trim();
108 const settled = status === '00';
109 records.push({
110 externalReference: ref,
111 outcome: settled ? 'settled' : 'failed',
112 reason: settled ? undefined : reason || `reject ${status}`,
113 settledAmount: settled ? fromMinorUnits(amount) : undefined,
114 });
115 }
116 return records;
117 }
118 }
119 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts","limit":300}1 // Betalingsservice (Nets / Mastercard Payment Services, Denmark) — file-based
2 // recurring direct debit.
3 //
4 // Implements the BankDirectDebitProvider contract with a fixed-width record
5 // layout modelled on the Betalingsservice "leverance" structure: a header
6 // (HD) carrying the creditor's PBS/debitor-group number, mandate records (MD),
7 // payment records (BT) with registreringsnummer + kontonummer + amount in øre,
8 // and a trailer (SL) with totals. As with the Autogiro connector this is a
9 // faithful structural model of the rail, to be byte-certified against the Nets
10 // test environment at go-live.
11
12 import type {
13 AccountValidationResult,
14 BankAccount,
15 BankDirectDebitProvider,
16 CollectionFileEntry,
17 MandateFileEntry,
18 ReturnRecord,
19 } from './interface.js';
20 import { digitsOnly, fromMinorUnits, minorUnits, padRight, padZero, yyyymmdd } from './format.js';
21
22 export class BetalingsserviceProvider implements BankDirectDebitProvider {
23 readonly key = 'betalingsservice';
24 readonly country = 'DK';
25 readonly scheme = 'Betalingsservice';
26
27 validateAccount(account: BankAccount): AccountValidationResult {
28 const errors: string[] = [];
29 if (account.country && account.country.toUpperCase() !== 'DK') {
30 errors.push(`Betalingsservice requires a Danish (DK) account, got "${account.country}"`);
31 }
32 if (!account.accountHolder?.trim()) {
33 errors.push('accountHolder is required');
34 }
35 const reg = digitsOnly(account.clearingNumber ?? '');
36 if (reg.length !== 4) {
37 errors.push('clearingNumber must be a 4-digit registreringsnummer');
38 }
39 const acc = digitsOnly(account.accountNumber ?? '');
40 if (acc.length < 1 || acc.length > 10) {
41 errors.push('accountNumber must be 1–10 digits (kontonummer)');
42 }
43 return { valid: errors.length === 0, errors };
44 }
45
46 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string {
47 const lines: string[] = [];
48 // HD — header: PBS/debitor-group number + delivery date.
49 lines.push(`HD${padZero(digitsOnly(creditorId), 15)}${yyyymmdd(new Date())}TILMELDING`);
50 for (const e of entries) {
51 // MD — new mandate (tilmelding). Debitor (payer) number defaults to our
52 // mandate reference. reg number (4) + account (10).
53 const payer = padRight(e.payerNumber || e.mandateReference, 15);
54 const reg = padZero(digitsOnly(e.account.clearingNumber ?? ''), 4);
55 const acct = padZero(digitsOnly(e.account.accountNumber), 10);
56 const holder = padRight(e.account.accountHolder, 32);
57 lines.push(`MD${payer}${reg}${acct}${holder}`);
58 }
59 return lines.join('\n') + '\n';
60 }
61
62 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string {
63 const lines: string[] = [];
64 lines.push(`HD${padZero(digitsOnly(creditorId), 15)}${yyyymmdd(new Date())}${padRight(fileReference, 12)}`);
65 let total = 0;
66 for (const e of entries) {
67 // BT — betaling (debit). due date | debitor number | reg | account |
68 // amount (øre) | external reference | free-text.
69 const due = yyyymmdd(e.dueDate);
70 const payer = padRight(e.payerNumber || e.mandateReference, 15);
71 const reg = padZero(digitsOnly(e.account.clearingNumber ?? ''), 4);
72 const acct = padZero(digitsOnly(e.account.accountNumber), 10);
73 const amount = minorUnits(e.amount, 13);
74 const ref = padRight(e.externalReference, 20);
75 const text = padRight(e.reference ?? '', 20);
76 lines.push(`BT${due}${payer}${reg}${acct}${amount}${ref}${text}`);
77 total += Math.round(Number(e.amount) * 100);
78 }
79 // SL — trailer: record count + total (øre).
80 lines.push(`SL${padZero(String(entries.length), 8)}${padZero(String(total), 18)}`);
81 return lines.join('\n') + '\n';
82 }
83
84 buildReturnFile(records: ReturnRecord[]): string {
85 // RT — return record. status "0000" = settled (gennemført), else reject.
86 const lines = records.map((r) => {
87 const ref = padRight(r.externalReference, 35);
88 const status = r.outcome === 'settled' ? '0000' : padZero(digitsOnly(r.reason ?? '') || '0099', 4);
89 const amount = minorUnits(r.settledAmount ?? 0, 13);
90 const reason = padRight(r.outcome === 'settled' ? 'GENNEMFOERT' : (r.reason ?? 'AFVIST'), 28);
91 return `RT${ref}${status}${amount}${reason}`;
92 });
93 return lines.join('\n') + '\n';
94 }
95
96 parseReturnFile(content: string): ReturnRecord[] {
97 const records: ReturnRecord[] = [];
98 for (const raw of content.split(/\r?\n/)) {
99 if (!raw.startsWith('RT')) continue;
100 const ref = raw.slice(2, 37).trim();
101 if (!ref) continue;
102 const status = raw.slice(37, 41).trim();
103 const amount = raw.slice(41, 54);
104 const reason = raw.slice(54).trim();
105 const settled = status === '0000';
106 records.push({
107 externalReference: ref,
108 outcome: settled ? 'settled' : 'failed',
109 reason: settled ? undefined : reason || `reject ${status}`,
110 settledAmount: settled ? fromMinorUnits(amount) : undefined,
111 });
112 }
113 return records;
114 }
115 }
116 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/registry.ts"}1 import type { BankDirectDebitProvider } from './interface.js';
2 import { AutogiroProvider } from './autogiro.js';
3 import { BetalingsserviceProvider } from './betalingsservice.js';
4
5 // Stateless connectors — instantiate once and reuse. Unlike the card providers,
6 // these hold no per-org credentials (the creditor identity is passed per call),
7 // so a singleton instance per scheme is safe.
8 const providers: Record<string, BankDirectDebitProvider> = {
9 autogiro: new AutogiroProvider(),
10 betalingsservice: new BetalingsserviceProvider(),
11 };
12
13 export const DIRECT_DEBIT_PROVIDER_KEYS = Object.keys(providers);
14
15 export function isDirectDebitProvider(providerKey: string): boolean {
16 return providerKey in providers;
17 }
18
19 export function getDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
20 const provider = providers[providerKey];
21 if (!provider) {
22 throw new Error(`Unknown direct-debit provider: ${providerKey}`);
23 }
24 return provider;
25 }
26 {"description":"Review portal+test direct-debit (round 1)","prompt":"You are a senior reviewer auditing NEW front-end + test code for ticket sherpa-api#462 (Nordic bank direct debit). Read ACTUAL FILE CONTENT (use rg/fd, not grep/find). Be concrete.\n\nPORTAL worktree /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir, changed/new:\n- app/products/[id]/direct-debit/page.tsx (NEW — mandates + collections management UI)\n- app/types/directDebit.ts (NEW types)\n- app/components/settings/PaymentProvidersTab.tsx (added autogiro/betalingsservice providers + creditorId field)\n- app/components/AppLayout.tsx (nav: productMenuItems entry + PRODUCT_PHASE_BY_KEY \"direct-debit\":\"operate\")\n\nTEST worktree /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir:\n- tests/plus-insurance/09-direct-debit.spec.ts (NEW)\n- .env (changed SHERPA_API_HTTP 4000→4011)\n\nThe API contract (responses are `{status:'success', data:...}`, portal `api` client auto-prefixes `/v1/plus`, EVERY POST must send a JSON body object or it 400s):\n- GET/POST /direct-debit/mandates ; /mandates/:id/file ; /mandates/:id/activate ; /mandates/:id/revoke\n- GET/POST /direct-debit/collections ; /collections/run ; /collections/:id/simulate-return ; /collections/:id/retry\nMandate.status: pending|active|revoked. Collection.status: scheduled|submitted|settled|failed|retrying|cancelled. Collection.amount is a STRING (decimal). Collection.flagged is bool.\n\nCheck for HIGH (runtime crash / broken feature) and MEDIUM (logic/UX bug, type error) with file:line:\n1. **page.tsx correctness**: Does it read `res.data.data` correctly? Does EVERY api.post send a body object (activate/revoke/retry must pass `{}` — an omitted body 400s)? Are React hooks used correctly (deps arrays, no conditional hooks, params unwrap for Next 16 — does it use React.use(params) or await)? Any state update after unmount risk? Does it handle `amount` being a string (Number() before formatting)? Empty/loading/error states present? Does it refetch after mutations?\n2. **Status badges**: all statuses mapped to a color? Unknown status fallback? Flagged indicator shown?\n3. **Nav registration** (AppLayout.tsx): is the productMenuItems entry shape EXACTLY like its siblings (same keys: name/href/icon/key)? Is `productId` the correct variable in scope at that point? Is \"direct-debit\" added to PRODUCT_PHASE_BY_KEY? (Both are required — verify both exist.) Is the CreditCard icon actually imported?\n4. **PaymentProvidersTab.tsx**: does the creditorId field only render for autogiro/betalingsservice, and save to `config.creditorId`? Is Stripe's existing flow untouched (connectedAccountId, payout fields)? Does the save payload branch correctly so Stripe still works?\n5. **Types** (directDebit.ts): do they match the API shapes? amount: string or number? status unions correct?\n6. **Test spec**: does it use the project's ApiClient + auth correctly, send bodies on POSTs, assert settled / retrying / failed+flagged correctly, and is it resilient (409-tolerant provider config, dynamic productId)? Is the .env port change (4011) correct and not going to break other specs? Any hardcoded IDs?\n\nReport HIGH / MEDIUM / LOW with exact file:line + concrete fix. If clean, say \"NO REMAINING HIGH OR MEDIUM ISSUES\". Do not modify files.","subagent_type":"Explore"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts","limit":300}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { PlusCircle, Play, FileText, Flag } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import AppLayout from "@/app/components/AppLayout";
9 import { Button } from "@/app/components/ui/button";
10 import { Input } from "@/app/components/ui/input";
11 import {
12 Dialog,
13 DialogContent,
14 DialogDescription,
15 DialogFooter,
16 DialogHeader,
17 DialogTitle,
18 } from "@/app/components/ui/dialog";
19 import {
20 Select,
21 SelectContent,
22 SelectItem,
23 SelectTrigger,
24 SelectValue,
25 } from "@/app/components/ui/select";
26 import { showErrorToast, showSuccessToast } from "@/app/components/Toast";
27 import { ProtectedRoute } from "@/app/components/ProtectedRoute";
28 import { CRMOnlyRoute } from "@/app/components/UserTypeRoute";
29 import api from "@/app/src/utils/api";
30 import { ProductData } from "@/app/types/product";
31 import {
32 Collection,
33 CollectionRunResult,
34 DirectDebitProviderKey,
35 Mandate,
36 MandateFile,
37 } from "@/app/types/directDebit";
38
39 const PROVIDER_LABELS: Record<DirectDebitProviderKey, string> = {
40 autogiro: "Autogiro (SE)",
41 betalingsservice: "Betalingsservice (DK)",
42 };
43
44 const PROVIDER_DEFAULT_COUNTRY: Record<DirectDebitProviderKey, string> = {
45 autogiro: "SE",
46 betalingsservice: "DK",
47 };
48
49 const PROVIDER_DEFAULT_CURRENCY: Record<DirectDebitProviderKey, string> = {
50 autogiro: "SEK",
51 betalingsservice: "DKK",
52 };
53
54 const MANDATE_STATUS_CLASSES: Record<Mandate["status"], string> = {
55 pending: "bg-amber-100 text-amber-800",
56 active: "bg-green-100 text-green-800",
57 revoked: "bg-red-100 text-red-800",
58 };
59
60 const COLLECTION_STATUS_CLASSES: Record<Collection["status"], string> = {
61 scheduled: "bg-gray-100 text-gray-800",
62 submitted: "bg-blue-100 text-blue-800",
63 settled: "bg-green-100 text-green-800",
64 failed: "bg-red-100 text-red-800",
65 retrying: "bg-amber-100 text-amber-800",
66 cancelled: "bg-gray-100 text-gray-800",
67 };
68
69 const StatusBadge: React.FC<{ label: string; className: string }> = ({ label, className }) => (
70 <span
71 className={`inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium ${className}`}
72 >
73 {label}
74 </span>
75 );
76
77 function extractApiError(error: unknown, fallback: string): string {
78 const err = error as { response?: { data?: { error?: { message?: string }; message?: string } } };
79 return (
80 err?.response?.data?.error?.message || err?.response?.data?.message || fallback
81 );
82 }
83
84 export default function ProductDirectDebitPage({ params }: { params: { id: string } }) {
85 const t = useTranslation();
86 // Unwrap params using React.use() if it's a promise
87 const unwrappedParams = params instanceof Promise ? React.use(params) : params;
88 const productId = unwrappedParams?.id || "";
89
90 const [product, setProduct] = useState<ProductData | null>(null);
91 const [mandates, setMandates] = useState<Mandate[]>([]);
92 const [collections, setCollections] = useState<Collection[]>([]);
93 const [loading, setLoading] = useState(true);
94 const [error, setError] = useState<React.ReactNode | null>(null);
95 const [selectedMandateId, setSelectedMandateId] = useState<number | null>(null);
96 const [collectionsLoading, setCollectionsLoading] = useState(false);
97 const [running, setRunning] = useState(false);
98
99 // Create mandate dialog
100 const [mandateDialogOpen, setMandateDialogOpen] = useState(false);
101 const [mandateSaving, setMandateSaving] = useState(false);
102 const [formProvider, setFormProvider] = useState<DirectDebitProviderKey>("autogiro");
103 const [formAccountHolder, setFormAccountHolder] = useState("");
104 const [formCountry, setFormCountry] = useState("SE");
105 const [formClearingNumber, setFormClearingNumber] = useState("");
106 const [formAccountNumber, setFormAccountNumber] = useState("");
107 const [formBankName, setFormBankName] = useState("");
108
109 // Schedule collection dialog
110 const [collectionDialogOpen, setCollectionDialogOpen] = useState(false);
111 const [collectionSaving, setCollectionSaving] = useState(false);
112 const [formAmount, setFormAmount] = useState("");
113 const [formCurrency, setFormCurrency] = useState("SEK");
114
115 // View file dialog
116 const [fileDialogOpen, setFileDialogOpen] = useState(false);
117 const [fileLoading, setFileLoading] = useState(false);
118 const [mandateFile, setMandateFile] = useState<MandateFile | null>(null);
119
120 const selectedMandate = mandates.find((m) => m.id === selectedMandateId) || null;
121
122 const loadMandates = useCallback(async (): Promise<Mandate[]> => {
123 const res = await api.get(`/direct-debit/mandates?productId=${productId}`);
124 const list: Mandate[] = res.data.data || [];
125 setMandates(list);
126 return list;
127 }, [productId]);
128
129 // Collections are fetched per mandate (the API filters by mandateId). When a
130 // mandate is selected we fetch just its collections; otherwise we aggregate
131 // across every mandate of the product so the user sees a product-wide view.
132 const loadCollections = useCallback(
133 async (mandateList: Mandate[], mandateId: number | null) => {
134 setCollectionsLoading(true);
135 try {
136 const targets =
137 mandateId !== null
138 ? mandateList.filter((m) => m.id === mandateId)
139 : mandateList;
140 const responses = await Promise.all(
141 targets.map((m) => api.get(`/direct-debit/collections?mandateId=${m.id}`))
142 );
143 const merged = responses
144 .flatMap((res) => (res.data.data as Collection[]) || [])
145 .sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
146 setCollections(merged);
147 } catch (err) {
148 console.error("Error loading collections:", err);
149 showErrorToast(extractApiError(err, t("Failed to load collections")));
150 } finally {
151 setCollectionsLoading(false);
152 }
153 },
154 [t]
155 );
156
157 useEffect(() => {
158 if (!productId) {
159 setError(t("Invalid product ID"));
160 setLoading(false);
161 return;
162 }
163
164 const fetchData = async () => {
165 try {
166 setLoading(true);
167 const [productResponse, mandateList] = await Promise.all([
168 api.get(`/products/${productId}`),
169 loadMandates(),
170 ]);
171 setProduct(productResponse.data.data);
172 await loadCollections(mandateList, null);
173 } catch (err) {
174 console.error("Error fetching data:", err);
175 setError(t("Failed to load data"));
176 } finally {
177 setLoading(false);
178 }
179 };
180
181 fetchData();
182 // eslint-disable-next-line react-hooks/exhaustive-deps
183 }, [productId]);
184
185 const refresh = useCallback(
186 async (mandateId: number | null = selectedMandateId) => {
187 const list = await loadMandates();
188 await loadCollections(list, mandateId);
189 },
190 [loadMandates, loadCollections, selectedMandateId]
191 );
192
193 const handleSelectMandate = async (mandate: Mandate) => {
194 const next = selectedMandateId === mandate.id ? null : mandate.id;
195 setSelectedMandateId(next);
196 await loadCollections(mandates, next);
197 };
198
199 const openCreateMandate = () => {
200 setFormProvider("autogiro");
201 setFormAccountHolder("");
202 setFormCountry(PROVIDER_DEFAULT_COUNTRY.autogiro);
203 setFormClearingNumber("");
204 setFormAccountNumber("");
205 setFormBankName("");
206 setMandateDialogOpe{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/directDebit.ts"}1 import type { FastifyPluginAsync, FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
2 import { StatusError } from '@/error/error.js';
3 import { DirectDebitMandate } from '@/models/DirectDebitMandate.js';
4 import { DirectDebitCollection } from '@/models/DirectDebitCollection.js';
5 import {
6 createMandate,
7 activateMandate,
8 revokeMandate,
9 buildMandateFile,
10 scheduleCollection,
11 submitDueCollections,
12 buildCurrentCollectionFile,
13 retryCollection,
14 ingestReturnFile,
15 simulateReturnForCollection,
16 } from '@/services/directDebitService.js';
17
18 const TAG = 'Sherpa Plus — Direct Debit';
19 const PROVIDER_KEYS = ['autogiro', 'betalingsservice'];
20
21 function requireOrg(request: FastifyRequest): string {
22 const organizationId = request.userAuth?.organizationId;
23 if (!organizationId) {
24 throw new StatusError(401, 'Organization context required');
25 }
26 return organizationId;
27 }
28
29 const directDebitRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
30 fastify.addHook('preHandler', fastify.authenticate);
31
32 // ── Mandates ────────────────────────────────────────────────────────────────
33
34 fastify.get('/mandates', {
35 schema: {
36 description: 'List direct-debit mandates for the authenticated organization. Optional filters: status (pending/active/revoked), providerKey, productId.',
37 tags: [TAG],
38 security: [{ clientCredentials: [] }],
39 querystring: {
40 type: 'object',
41 properties: {
42 status: { type: 'string', enum: ['pending', 'active', 'revoked'] },
43 providerKey: { type: 'string', enum: PROVIDER_KEYS },
44 productId: { type: 'integer' },
45 },
46 },
47 },
48 }, async (request: FastifyRequest<{ Querystring: { status?: string; providerKey?: string; productId?: number } }>) => {
49 const organizationId = requireOrg(request);
50 const where: Record<string, unknown> = {};
51 if (request.query.status) where.status = request.query.status;
52 if (request.query.providerKey) where.providerKey = request.query.providerKey;
53 if (request.query.productId) where.productId = request.query.productId;
54
55 const data = await DirectDebitMandate.findAll({ organizationId }, {
56 where,
57 order: [['createdAt', 'DESC']],
58 });
59 return { status: 'success', data };
60 });
61
62 fastify.get('/mandates/:id', {
63 schema: {
64 description: 'Fetch a single direct-debit mandate by ID, scoped to the authenticated organization.',
65 tags: [TAG],
66 security: [{ clientCredentials: [] }],
67 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
68 },
69 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
70 const organizationId = requireOrg(request);
71 const mandate = await DirectDebitMandate.findByPk({ organizationId }, request.params.id);
72 if (!mandate) throw new StatusError(404, 'Mandate not found');
73 return { status: 'success', data: mandate };
74 });
75
76 fastify.post('/mandates', {
77 schema: {
78 description: 'Create a direct-debit mandate. Validates the bank account against the provider scheme rules (Autogiro SE / Betalingsservice DK) and stores it pending bank confirmation.',
79 tags: [TAG],
80 security: [{ clientCredentials: [] }],
81 body: {
82 type: 'object',
83 required: ['providerKey', 'productId', 'accountHolder', 'country', 'accountNumber'],
84 properties: {
85 providerKey: { type: 'string', enum: PROVIDER_KEYS },
86 productId: { type: 'integer' },
87 customerId: { type: 'string', format: 'uuid' },
88 accountHolder: { type: 'string', minLength: 1 },
89 country: { type: 'string', minLength: 2, maxLength: 2 },
90 clearingNumber: { type: 'string' },
91 accountNumber: { type: 'string', minLength: 1 },
92 bankName: { type: 'string' },
93 },
94 },
95 },
96 }, async (request: FastifyRequest<{ Body: {
97 providerKey: string; productId: number; customerId?: string; accountHolder: string;
98 country: string; clearingNumber?: string; accountNumber: string; bankName?: string;
99 } }>, reply: FastifyReply) => {
100 const organizationId = requireOrg(request);
101 const mandate = await createMandate(organizationId, request.body);
102 return reply.code(201).send({ status: 'success', data: mandate });
103 });
104
105 fastify.get('/mandates/:id/file', {
106 schema: {
107 description: 'Generate the bank mandate-request file content for a mandate (Autogiro/Betalingsservice fixed-width format).',
108 tags: [TAG],
109 security: [{ clientCredentials: [] }],
110 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
111 },
112 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
113 const organizationId = requireOrg(request);
114 const file = await buildMandateFile(organizationId, request.params.id);
115 return { status: 'success', data: file };
116 });
117
118 fastify.post('/mandates/:id/activate', {
119 schema: {
120 description: 'Activate a mandate after the bank has confirmed it. Optionally records the bank-assigned payer number.',
121 tags: [TAG],
122 security: [{ clientCredentials: [] }],
123 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
124 body: { type: 'object', properties: { payerNumber: { type: 'string' } } },
125 },
126 }, async (request: FastifyRequest<{ Params: { id: string }; Body: { payerNumber?: string } }>) => {
127 const organizationId = requireOrg(request);
128 const mandate = await activateMandate(organizationId, request.params.id, request.body?.payerNumber);
129 return { status: 'success', data: mandate };
130 });
131
132 fastify.post('/mandates/:id/revoke', {
133 schema: {
134 description: 'Revoke a mandate. No further collections can be scheduled against it.',
135 tags: [TAG],
136 security: [{ clientCredentials: [] }],
137 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
138 },
139 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
140 const organizationId = requireOrg(request);
141 const mandate = await revokeMandate(organizationId, request.params.id);
142 return { status: 'success', data: mandate };
143 });
144
145 // ── Collections ─────────────────────────────────────────────────────────────
146
147 fastify.get('/collections', {
148 schema: {
149 description: 'List direct-debit collections. Optional filters: mandateId, status, providerKey.',
150 tags: [TAG],
151 security: [{ clientCredentials: [] }],
152 querystring: {
153 type: 'object',
154 properties: {
155 mandateId: { type: 'string' },
156 status: { type: 'string', enum: ['scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'] },
157 providerKey: { type: 'string', enum: PROVIDER_KEYS },
158 },
159 },
160 },
161 }, async (request: FastifyRequest<{ Querystring: { mandateId?: string; status?: string; providerKey?: string } }>) => {
162 const organizationId = requireOrg(request);
163 const where: Record<string, unknown> = {};
164 if (request.query.mandateId) where.mandateId = request.query.mandateId;
165 if (request.query.status) where.status = request.query.status;
166 if (request.query.providerKey) where.providerKey = request.query.providerKey;
167
168 const data = await DirectDebitCollection.findAll({ organizationId }, {
169 where,
170 order: [['createdAt', 'DESC']],
171 });
172 return { status: 'success', dat{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts"}1 // Types for Nordic bank direct debit (Autogiro / Betalingsservice).
2 // Mirrors the sherpa-api /v1/plus/direct-debit contract.
3
4 export type DirectDebitProviderKey = "autogiro" | "betalingsservice";
5
6 export type MandateStatus = "pending" | "active" | "revoked";
7
8 export interface Mandate {
9 id: number;
10 providerKey: DirectDebitProviderKey;
11 productId: number;
12 status: MandateStatus;
13 country: string;
14 accountHolder: string;
15 clearingNumber: string | null;
16 accountNumber: string;
17 bankName: string | null;
18 mandateReference: string | null;
19 payerNumber: string | null;
20 signedAt: string | null;
21 activatedAt: string | null;
22 revokedAt: string | null;
23 failureReason: string | null;
24 createdAt: string;
25 }
26
27 export type CollectionStatus =
28 | "scheduled"
29 | "submitted"
30 | "settled"
31 | "failed"
32 | "retrying"
33 | "cancelled";
34
35 export interface Collection {
36 id: number;
37 mandateId: number;
38 policyOrderId: number | null;
39 providerKey: DirectDebitProviderKey;
40 amount: string;
41 currency: string;
42 status: CollectionStatus;
43 scheduledFor: string | null;
44 submittedAt: string | null;
45 settledAt: string | null;
46 retryCount: number;
47 maxRetries: number;
48 failureReason: string | null;
49 externalReference: string | null;
50 fileReference: string | null;
51 flagged: boolean;
52 createdAt: string;
53 }
54
55 export interface MandateFile {
56 fileReference: string;
57 content: string;
58 }
59
60 export interface CollectionRunResult {
61 submitted: number;
62 files: {
63 providerKey: DirectDebitProviderKey;
64 fileReference: string;
65 content: string;
66 count: number;
67 }[];
68 }
69
70 export interface SimulateReturnSummary {
71 settled: number;
72 failed: number;
73 retrying: number;
74 flagged: number;
75 unmatched: number;
76 }
77 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx"}1 import { FastifyInstance, FastifyPluginAsync } from 'fastify';
2 import { StatusError } from '@/error/error.js';
3 import { bundleRoutes } from './bundleRoutes.js';
4 import { financialsRoutes } from './financialsRoutes.js';
5 import { auditLogRoutes } from './auditLogRoutes.js';
6 import { cancellationTermsRoutes } from './cancellationTermsRoutes.js';
7 import { suspensionTermsRoutes } from './suspensionTermsRoutes.js';
8 import { claimRoutes } from './claimRoutes.js';
9 import { clientRoutes } from './clientRoutes.js';
10 import { customerRoutes } from './customerRoutes.js';
11 import commissionStructureRoutes from './commissionStructureRoutes.js';
12 import { coverageRoutes } from './coverageRoutes.js';
13 import { coveragePricingRoutes } from './coveragePricingRoutes.js';
14 import { dataModelRoutes } from './dataModelRoutes.js';
15 import { insuranceTypeRoutes } from './insuranceTypeRoutes.js';
16 import { insurerRoutes } from './insurerRoutes.js';
17 import { llmRoutes } from './llmRoutes.js';
18 import { locationRoutes } from './locationRoutes.js';
19 import { moduleEndpointRoutes } from './moduleEndpointRoutes.js';
20 import { moduleRoutes } from './moduleRoutes.js';
21 import { organizationModuleRoutes } from './organizationModuleRoutes.js';
22 import { organizationRoutes } from './organizationRoutes.js';
23 import { partnerApiRoutes } from './partnerApiRoutes.js';
24 import { partnerAuthConfigRoutes } from './partnerAuthConfigRoutes.js';
25 import { partnerEndpointMappingRoutes } from './partnerEndpointMappingRoutes.js';
26 import { partnerEnvironmentRoutes } from './partnerEnvironmentRoutes.js';
27 import { partnerFieldMappingRoutes } from './partnerFieldMappingRoutes.js';
28 import { partnerRoutes } from './partnerRoutes.js';
29 import {
30 externalIntegrationsRoutes,
31 externalIntegrationEnvironmentsRoutes,
32 externalIntegrationAuthConfigsRoutes,
33 externalIntegrationRequestTemplatesRoutes,
34 externalIntegrationFieldMappingsRoutes,
35 } from './externalIntegrationsRoutes.js';
36 import { sanctionScreeningRoutes } from './sanctionScreeningRoutes.js';
37 import { policyRoutes } from './policyRoutes.js';
38 import { policyStatusRoutes } from '@/routes/policyStatusRoutes.js';
39 import { policySettingFieldRoutes } from './policySettingFieldRoutes.js';
40 import { pricingRoutes } from './pricingRoutes.js';
41 import { productLibraryRoutes } from './productLibraryRoutes.js';
42 import { productPlanRoutes } from './productPlanRoutes.js';
43 import { productRoutes } from './productRoutes.js';
44 import { productOptimizationRoutes } from './productOptimizationRoutes.js';
45 import { productModulePartnerRoutes } from './productModulePartnerRoutes.js';
46 import { productSettingRoutes } from './productSettingRoutes.js';
47 import { policyAcceptanceConfigRoutes } from './policyAcceptanceConfigRoutes.js';
48 import { quoteRoutes } from './quoteRoutes.js';
49 import { productSettingFieldRoutes } from './productSettingFieldRoutes.js';
50 import { scopeRoutes } from './scopeRoutes.js';
51 import { simulationRoutes } from './simulationRoutes.js';
52 import { taxRoutes } from './taxRoutes.js';
53 import { templateRoutes } from './templateRoutes.js';
54 import { userRoutes } from './userRoutes.js';
55 import { permissionsRoutes } from './permissionsRoutes.js';
56 import { widgetTokenRoutes } from './widgetTokens.js';
57 import uploadCredentialRoutes from './uploadCredentialRoutes.js';
58 import automatedPolicyRoutes from './automatedPolicyRoutes.js';
59 import { claimRecordRoutes } from './claimRecordRoutes.js';
60 import { claimMessageRoutes } from './claimMessageRoutes.js';
61 import { claimRuleRoutes } from './claimRuleRoutes.js';
62 import { claimPayoutRoutes } from './claimPayoutRoutes.js';
63 import { invoiceRoutes } from './invoiceRoutes.js';
64 import { currencyRoutes } from './currencyRoutes.js';
65 import { mcpRoutes } from './mcpRoutes.js';
66 import { paymentProviderConfigRoutes } from './paymentProviderConfigRoutes.js';
67 import { directDebitRoutes } from './directDebitRoutes.js';
68 import { policyOrderRoutes } from './policyOrderRoutes.js';
69 import { policyMessageRoutes } from './policyMessageRoutes.js';
70 import { orgNotificationRoutes } from './orgNotificationRoutes.js';
71 import { embedCheckoutSessionRoutes } from './embedCheckoutSessionRoutes.js';
72 import { scopedPlugin } from '@/routes/lib/scoped-plugin.js';
73
74 export const plusRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
75 // Widget tokens are for customer-facing endpoints only
76 fastify.addHook('preHandler', async (request) => {
77 const widgetTokenHeader = request.headers['x-widget-token'];
78 if (widgetTokenHeader) {
79 throw new StatusError(403, 'Widget tokens cannot access CRM resources');
80 }
81 });
82
83 await fastify.register(quoteRoutes, { prefix: '/quotes' });
84 await fastify.register(policyRoutes, { prefix: '/policies' });
85 await fastify.register(claimRoutes, { prefix: '/claims' });
86 await fastify.register(templateRoutes, { prefix: '/templates' });
87 await fastify.register(commissionStructureRoutes, { prefix: '/commission-structures' });
88 await fastify.register(dataModelRoutes, { prefix: '/data-model' });
89 await fastify.register(simulationRoutes, { prefix: '/simulations' });
90 await fastify.register(llmRoutes, { prefix: '/llm' });
91 await fastify.register(insuranceTypeRoutes, { prefix: '/insurance-types' });
92 await fastify.register(insurerRoutes, { prefix: '/insurers' });
93 await fastify.register(pricingRoutes, { prefix: '/pricing' });
94 await fastify.register(productLibraryRoutes, { prefix: '/product-library' });
95 await fastify.register(coverageRoutes, { prefix: '/coverages' });
96 await fastify.register(coveragePricingRoutes);
97 await fastify.register(auditLogRoutes, { prefix: '/audit-logs' });
98 await fastify.register(userRoutes, { prefix: '/users' });
99 await fastify.register(customerRoutes, { prefix: '/customers' });
100 await fastify.register(permissionsRoutes, { prefix: '/permissions' });
101 await fastify.register(clientRoutes, { prefix: '/clients' });
102 await fastify.register(productRoutes, { prefix: '/products' });
103 await fastify.register(productOptimizationRoutes, { prefix: '/products' });
104 await fastify.register(productSettingRoutes, { prefix: '/products' });
105 await fastify.register(policyAcceptanceConfigRoutes, { prefix: '/products' });
106 await fastify.register(organizationRoutes, { prefix: '/organizations' });
107 await fastify.register(partnerApiRoutes, { prefix: '/partner-api' });
108 await fastify.register(locationRoutes, { prefix: '/location' });
109 await fastify.register(moduleRoutes, { prefix: '/modules' });
110 await fastify.register(scopeRoutes, { prefix: '/scopes' });
111 await fastify.register(taxRoutes, { prefix: '/taxes' });
112 await fastify.register(widgetTokenRoutes, { prefix: '/widget-tokens' });
113 await fastify.register(productPlanRoutes, { prefix: '/product-plans' });
114 await fastify.register(productSettingFieldRoutes, { prefix: '/product-setting-fields' });
115 await fastify.register(policySettingFieldRoutes, { prefix: '/policy-setting-fields' });
116 await fastify.register(partnerRoutes, { prefix: '/partners' });
117 await fastify.register(partnerEnvironmentRoutes, { prefix: '/partner-environments' });
118 await fastify.register(partnerAuthConfigRoutes, { prefix: '/partner-auth-configs' });
119 await fastify.register(moduleEndpointRoutes, { prefix: '/module-endpoints' });
120 await fastify.register(partnerEndpointMappingRoutes, { prefix: '/partner-endpoint-mappings' });
121 await fastify.register(partnerFieldMappingRoutes, { prefix: '/partner-field-mappings' });
122 await fastify.register(productModulePartnerRoutes, { prefix: '/product-module-partners' }){"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts"}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { Plus, Pencil, Trash2, ChevronDown, ChevronRight } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import { Button } from "@/app/components/ui/button";
9 import {
10 Dialog,
11 DialogContent,
12 DialogFooter,
13 DialogHeader,
14 DialogTitle,
15 } from "@/app/components/ui/dialog";
16 import { Input } from "@/app/components/ui/input";
17 import { Switch } from "@/app/components/ui/switch";
18 import {
19 Select,
20 SelectContent,
21 SelectItem,
22 SelectTrigger,
23 SelectValue,
24 } from "@/app/components/ui/select";
25 import ConfirmDialog from "@/app/components/admin/ConfirmDialog";
26 import { showErrorToast, showSuccessToast } from "@/app/components/Toast";
27 import ProviderLogo from "@/app/components/payments/ProviderLogo";
28 import api from "@/app/src/utils/api";
29 import { PaymentProviderConfig, PaymentMethod, PayoutCadence, PayoutWeekday } from "@/app/types/paymentProvider";
30
31 const WEEKDAY_VALUES: PayoutWeekday[] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
32
33 const weekdayLabel = (value: PayoutWeekday, t: (s: string) => string): string => {
34 switch (value) {
35 case "mon": return t("Monday");
36 case "tue": return t("Tuesday");
37 case "wed": return t("Wednesday");
38 case "thu": return t("Thursday");
39 case "fri": return t("Friday");
40 case "sat": return t("Saturday");
41 case "sun": return t("Sunday");
42 }
43 };
44
45 const AVAILABLE_PROVIDERS = [
46 { key: "stripe", label: "Stripe" },
47 { key: "autogiro", label: "Autogiro (Sweden)" },
48 { key: "betalingsservice", label: "Betalingsservice (Denmark)" },
49 ];
50
51 // Direct-debit providers configured by a creditor identifier (Bankgiro number
52 // for Autogiro, PBS/creditor number for Betalingsservice) rather than a Stripe
53 // connected account.
54 const DIRECT_DEBIT_PROVIDER_KEYS = ["autogiro", "betalingsservice"];
55
56 const PaymentProvidersTab: React.FC = () => {
57 const t = useTranslation();
58 const [configs, setConfigs] = useState<PaymentProviderConfig[]>([]);
59 const [loading, setLoading] = useState(false);
60 const [formOpen, setFormOpen] = useState(false);
61 const [editing, setEditing] = useState<PaymentProviderConfig | null>(null);
62 const [deleteId, setDeleteId] = useState<number | null>(null);
63
64 const [formProviderKey, setFormProviderKey] = useState("stripe");
65 const [formConnectedAccountId, setFormConnectedAccountId] = useState("");
66 const [formCreditorId, setFormCreditorId] = useState("");
67 const [formActive, setFormActive] = useState(true);
68 const [formAutomaticPayoutEnabled, setFormAutomaticPayoutEnabled] = useState(false);
69 const [formPayoutCadence, setFormPayoutCadence] = useState<PayoutCadence>("immediate");
70 const [formPayoutWeeklyRunDay, setFormPayoutWeeklyRunDay] = useState<PayoutWeekday>("mon");
71 const [formPayoutWeeklyRunHour, setFormPayoutWeeklyRunHour] = useState(9);
72 const [saving, setSaving] = useState(false);
73
74 // Payment methods state per config
75 const [expandedConfigId, setExpandedConfigId] = useState<number | null>(null);
76 const [paymentMethods, setPaymentMethods] = useState<PaymentMethod[]>([]);
77 const [loadingMethods, setLoadingMethods] = useState(false);
78
79 const load = useCallback(async () => {
80 try {
81 setLoading(true);
82 const res = await api.get("/payment-provider-configs");
83 if (res.data.status === "success") {
84 setConfigs(res.data.data || []);
85 }
86 } catch (error) {
87 console.error("Error loading payment provider configs:", error);
88 showErrorToast(t("Failed to load payment providers"));
89 } finally {
90 setLoading(false);
91 }
92 }, [t]);
93
94 useEffect(() => {
95 load();
96 }, [load]);
97
98 const loadPaymentMethods = useCallback(async (configId: number) => {
99 try {
100 setLoadingMethods(true);
101 const res = await api.get(`/payment-provider-configs/${configId}/payment-methods`);
102 if (res.data.status === "success") {
103 setPaymentMethods(res.data.data || []);
104 }
105 } catch (error) {
106 console.error("Error loading payment methods:", error);
107 showErrorToast(t("Failed to load payment methods"));
108 } finally {
109 setLoadingMethods(false);
110 }
111 }, [t]);
112
113 const handleToggleExpand = (configId: number) => {
114 if (expandedConfigId === configId) {
115 setExpandedConfigId(null);
116 setPaymentMethods([]);
117 } else {
118 setExpandedConfigId(configId);
119 loadPaymentMethods(configId);
120 }
121 };
122
123 const handleToggleMethod = async (configId: number, method: PaymentMethod) => {
124 try {
125 await api.put(
126 `/payment-provider-configs/${configId}/payment-methods/${method.id}`,
127 { enabled: !method.enabled }
128 );
129 setPaymentMethods((prev) =>
130 prev.map((m) =>
131 m.id === method.id ? { ...m, enabled: !m.enabled } : m
132 )
133 );
134 showSuccessToast(
135 method.enabled
136 ? t("{name} disabled", { name: method.name })
137 : t("{name} enabled", { name: method.name })
138 );
139 } catch (error) {
140 console.error("Error toggling payment method:", error);
141 showErrorToast(t("Failed to update payment method"));
142 }
143 };
144
145 const openCreate = () => {
146 setEditing(null);
147 setFormProviderKey("stripe");
148 setFormConnectedAccountId("");
149 setFormCreditorId("");
150 setFormActive(true);
151 setFormAutomaticPayoutEnabled(false);
152 setFormPayoutCadence("immediate");
153 setFormPayoutWeeklyRunDay("mon");
154 setFormPayoutWeeklyRunHour(9);
155 setFormOpen(true);
156 };
157
158 const openEdit = (config: PaymentProviderConfig) => {
159 setEditing(config);
160 setFormProviderKey(config.providerKey);
161 setFormConnectedAccountId(config.config?.connectedAccountId || "");
162 setFormCreditorId(
163 typeof config.config?.creditorId === "string" ? config.config.creditorId : ""
164 );
165 setFormActive(config.active);
166 setFormAutomaticPayoutEnabled(Boolean(config.config?.automaticPayoutEnabled));
167 setFormPayoutCadence(config.config?.payoutCadence === "weekly" ? "weekly" : "immediate");
168 setFormPayoutWeeklyRunDay(
169 WEEKDAY_VALUES.find((v) => v === config.config?.payoutWeeklyRunDay) ?? "mon"
170 );
171 const hourRaw = config.config?.payoutWeeklyRunHour;
172 setFormPayoutWeeklyRunHour(typeof hourRaw === "number" && hourRaw >= 0 && hourRaw < 24 ? hourRaw : 9);
173 setFormOpen(true);
174 };
175
176 const isDirectDebitProvider = DIRECT_DEBIT_PROVIDER_KEYS.includes(formProviderKey);
177
178 const handleSave = async () => {
179 if (isDirectDebitProvider) {
180 if (!formCreditorId.trim()) {
181 showErrorToast(t("Creditor number (Bankgiro / PBS) is required"));
182 return;
183 }
184 } else if (!formConnectedAccountId.trim()) {
185 showErrorToast(t("Connected Account ID is required"));
186 return;
187 }
188
189 setSaving(true);
190 try {
191 const payload = isDirectDebitProvider
192 ? {
193 providerKey: formProviderKey,
194 config: {
195 creditorId: formCreditorId.trim(),
196 },
197 active: formActive,
198 }
199 : {
200 providerKey: formProviderKey,
201 config: {
202 connectedAccountId: formConnectedAccountId.trim(),
203 automaticPayoutEnabled: formAutomaticPayoutEnabled,
204 payoutCadence: formPayoutCadence,
205 payoutWee{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx"}1 import { Organization } from '@/models/Organization.js';
2 import { jobQueue } from '@/services/jobQueue.js';
3 import { submitDueCollections } from '@/services/directDebitService.js';
4 import logger from '@/logger.js';
5
6 const JOB_TYPE = 'direct_debit_collection_batch';
7
8 /**
9 * Hourly picker for due direct-debit collections. Runs per-org so RLS context is
10 * enforced on every read (same pattern as claim-payout-batch). Submitting due
11 * collections is idempotent at the row level — submitDueCollections only moves
12 * SCHEDULED/RETRYING rows whose scheduledFor has passed, so a missed fire or a
13 * worker restart self-heals on the next run.
14 */
15 async function handleDirectDebitCollectionBatch() {
16 const organizations = await Organization.findAll({ attributes: ['id'] });
17 let totalSubmitted = 0;
18
19 for (const org of organizations) {
20 try {
21 const files = await submitDueCollections(org.id);
22 totalSubmitted += files.reduce((sum, f) => sum + f.count, 0);
23 } catch (err) {
24 logger.error(
25 { organizationId: org.id, err: err instanceof Error ? err.message : String(err) },
26 'Direct-debit collection batch: failed to process organization',
27 );
28 }
29 }
30
31 if (totalSubmitted > 0) {
32 logger.info(
33 { count: totalSubmitted, orgCount: organizations.length },
34 'Direct-debit collection batch: submitted due collections',
35 );
36 }
37 }
38
39 export function registerDirectDebitCollectionBatchJob() {
40 jobQueue.register(JOB_TYPE, handleDirectDebitCollectionBatch, {
41 concurrency: 1,
42 defaultJobOptions: {
43 attempts: 3,
44 backoff: { type: 'exponential', delay: 30_000 },
45 removeOnComplete: { age: 24 * 3600, count: 100 },
46 removeOnFail: { age: 7 * 24 * 3600 },
47 },
48 });
49 }
50
51 /**
52 * Start the recurring schedule. Safe to call multiple times — BullMQ dedupes by
53 * jobId. Call once on worker startup.
54 */
55 export async function scheduleDirectDebitCollectionBatch() {
56 await jobQueue.scheduleRepeating(
57 JOB_TYPE,
58 {},
59 '0 * * * *', // every hour on the hour, UTC
60 `${JOB_TYPE}:hourly`,
61 );
62 }
63 1 "use client";
2
3 import React, { useEffect, useState } from "react";
4
5 import Image from "next/image";
6 import Link from "next/link";
7 import { usePathname, useRouter, useSearchParams } from "next/navigation";
8
9 import {
10 Menu,
11 X,
12 XCircle,
13 User,
14 LogOut,
15 Settings,
16 Users,
17 ShoppingBag,
18 LayoutDashboard,
19 UserCircle,
20 FileText,
21 ClipboardList,
22 Calculator,
23 Shield,
24 ChevronLeft,
25 ChevronRight,
26 ChevronDown,
27 ArrowLeft,
28 Eye,
29 DollarSign,
30 Package,
31 FileCheck,
32 AlertCircle,
33 ScrollText,
34 Mail,
35 Tag,
36 Code,
37 Receipt,
38 BookOpen,
39 Layers,
40 Database,
41 FolderOpen,
42 Zap,
43 MessageCircle,
44 Server,
45 CreditCard,
46 } from "lucide-react";
47
48 import { useTranslation } from "@gangkharai/lmt/client";
49 import { EnhancedLocaleSwitcher } from "./EnhancedLocaleSwitcher";
50 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
51 import { DevFlagsSummary } from "../dev/flags/components/DevFlagsSummary";
52 import { DevPreviewBadge } from "../dev/flags/components/DevPreviewBadge";
53 import { useDevFlags } from "../dev/flags/components/DevFlagsProvider";
54 import Loader from "./Loader";
55 import Toast, { showErrorToast } from "./Toast";
56 import { useAuth } from "../components/AuthProvider";
57 import { useOrganization } from "../components/OrganizationProvider";
58 import { usePermissions } from "../src/contexts/PermissionsContext";
59 import { PERMISSIONS } from "../types/permissions";
60 import { MenuItem, ProductGroup, NavigationMode } from "../types/navigation";
61 import { NavigationProvider } from "./navigation/NavigationContext";
62 import { useProductReadiness, SidebarKey } from "../src/hooks/useProductReadiness";
63 import { NavigationItem } from "./navigation/NavigationItem";
64 import { ProductGroupNav } from "./navigation/ProductGroupNav";
65 import { OrganizationSwitcherSection } from "./navigation/OrganizationSwitcherSection";
66 import { OrganizationContextBanner } from "./OrganizationContextBanner";
67 import { useAssistantSidebarStore } from "@/app/src/store/assistantSidebarStore";
68
69 interface AppLayoutProps {
70 children: React.ReactNode;
71 chatMode?: boolean;
72 }
73
74 const AppLayout: React.FC<AppLayoutProps> = ({ children, chatMode = false }) => {
75 const t = useTranslation();
76 const { user, logout } = useAuth();
77 const { organization } = useOrganization();
78 const { hasPermission } = usePermissions();
79 const { flags } = useDevFlags();
80 const router = useRouter();
81 const pathname = usePathname();
82 const searchParams = useSearchParams();
83 const [isSidebarCollapsed, setIsSidebarCollapsed] = useState(false);
84 const isAssistantOpen = useAssistantSidebarStore((s) => s.isOpen);
85 const assistantActive = flags.sherpaAssistant && isAssistantOpen;
86 const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
87 const [isProfileDropdownOpen, setIsProfileDropdownOpen] = useState(false);
88
89 useEffect(() => {
90 try {
91 const pending = sessionStorage.getItem("pendingErrorToast");
92 if (pending) {
93 showErrorToast(pending);
94 sessionStorage.removeItem("pendingErrorToast");
95 }
96 } catch {}
97 }, []);
98
99 useEffect(() => {
100 const sidebarWidth = isSidebarCollapsed ? 80 : 256;
101 document.documentElement.style.setProperty("--sidebar-width", `${sidebarWidth}px`);
102 }, [isSidebarCollapsed]);
103
104 // Route through AuthProvider.logout, which calls endSession({ captureIntent:
105 // false }) — the single termination path (§6.2). endSession does its own
106 // full-page navigation to /login, so no router.push afterwards.
107 const handleLogout = () => {
108 logout();
109 };
110
111 const hasAdminAccess = hasPermission(PERMISSIONS.organizations.manage_all.value);
112
113 // Shared items that appear above product groups (no label)
114 const topItems: MenuItem[] = [
115 ...(flags.chatV1 ? [{
116 name: t('Chat'),
117 href: "/chat",
118 icon: MessageCircle,
119 key: "chat",
120 badge: <DevPreviewBadge />
121 }] : []),
122 ];
123
124 // Product groups for normal mode navigation
125 const sherpaPlusItems: MenuItem[] = [
126 { name: t('Products'), href: "/products", icon: ShoppingBag, key: "products" },
127 {
128 name: t('Policy Management'),
129 href: "/policy-management",
130 icon: ClipboardList,
131 key: "policy-management",
132 },
133 { name: t('Customers'), href: "/customers", icon: Users, key: "customers" },
134 { name: t('Financials'), href: "/financials", icon: Calculator, key: "financials" },
135 ...(hasAdminAccess ? [{ name: t('Admin'), href: "/admin", icon: Users, key: "admin" }] : []),
136 ];
137
138 const sherpaLensItems: MenuItem[] = [
139 {
140 name: t('Optimizations'),
141 href: "/lens/optimizations",
142 icon: Zap,
143 key: "lens-optimizations",
144 },
145 ];
146
147 // Shared items (bottom group, no label)
148 const sharedItems: MenuItem[] = [
149 { name: t('Data'), href: "/data", icon: Database, key: "data" },
150 ...(flags.mcp ? [{
151 name: t('MCP'),
152 href: "/mcp",
153 icon: Server,
154 key: "mcp",
155 badge: <DevPreviewBadge />
156 }] : []),
157 ];
158
159 const productGroups: ProductGroup[] = [
160 { id: "top", name: null, items: topItems },
161 { id: "sherpa-plus", name: t('Sherpa Plus'), items: sherpaPlusItems },
162 ...(sherpaLensItems.length > 0
163 ? [{ id: "sherpa-lens", name: t('Sherpa Lens'), items: sherpaLensItems }]
164 : []),
165 ...(sharedItems.length > 0 ? [{ id: "shared", name: null, items: sharedItems }] : []),
166 ];
167
168 // Profile menu items (shown in footer dropdown)
169 const profileMenuItems: MenuItem[] = [
170 { name: t('Settings'), href: "/settings", icon: Settings, key: "settings" },
171 { name: t('Profile'), href: "/profile", icon: UserCircle, key: "profile" },
172 ];
173
174 const settingsItem = profileMenuItems.find((item) => item.key === "settings");
175 const profileItem = profileMenuItems.find((item) => item.key === "profile");
176
177 const toggleSidebar = () => {
178 setIsSidebarCollapsed(!isSidebarCollapsed);
179 };
180
181 const toggleMobileMenu = () => {
182 setIsMobileMenuOpen(!isMobileMenuOpen);
183 };
184
185 const toggleProfileDropdown = () => {
186 setIsProfileDropdownOpen(!isProfileDropdownOpen);
187 };
188
189 const productIdMatch = pathname.match(/^\/products\/(\d+)/);
190 const isProductContext = !!productIdMatch;
191 const productId = productIdMatch?.[1] || null;
192 const productIdForReadiness = productId ? parseInt(productId, 10) : null;
193 const { readiness: productReadiness } = useProductReadiness(productIdForReadiness);
194
195 if (!user) {
196 return <Loader />;
197 }
198
199 const bundleIdMatch = pathname.match(/^\/bundles\/(\d+)/);
200 const isBundleContext = !!bundleIdMatch;
201 const bundleId = bundleIdMatch?.[1] || null;
202
203 const isAdminContext = pathname === "/admin";
204 const isFinancialsContext = pathname.startsWith("/financials");
205
206 const navigationMode: NavigationMode = isProductContext
207 ? "product"
208 : isBundleContext
209 ? "bundle"
210 : isAdminContext
211 ? "admin"
212 : isFinancialsContext
213 ? "financials"
214 : "normal";
215
216 const navigationContextValue = {
217 pathname,
218 searchParams,
219 mode: navigationMode,
220 productId,
221 bundleId,
222 collapsed: isSidebarCollapsed,
223 };
224
225 const productMenuItems: MenuItem[] = [
226 {
227 name: t('Overview'),
228 href: `/products/${productId}`,
229 icon: Eye,
230 key: "o{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts"}1 import { test, expect } from '@playwright/test';
2 import { ApiClient } from './helpers/api-client';
3 import { getApiUrl } from '../utils/urls';
4
5 const API_URL = getApiUrl();
6 const CLIENT_ID = process.env.SHERPA_TEST_CLIENT_ID!;
7 const CLIENT_SECRET = process.env.SHERPA_TEST_CLIENT_SECRET!;
8
9 /**
10 * Nordic bank direct debit (Autogiro / Betalingsservice) — sherpa-api#462.
11 *
12 * Covers the /v1/plus/direct-debit surface end-to-end against a live API:
13 * - Provider configuration (Autogiro), tolerant of an already-configured org.
14 * - Account validation for Betalingsservice (DK registreringsnummer = 4 digits).
15 * - Recurring collection happy path: mandate → activate → file → schedule →
16 * run → simulate settled return.
17 * - Retry + flag path: a failed return retries up to maxRetries, then flags
18 * the collection as permanently failed.
19 *
20 * Every POST sends a JSON body (>= {}) because the shared ApiClient always sets
21 * Content-Type: application/json; a bodyless POST would 400.
22 */
23
24 /** Fetch a usable productId from the test organization. */
25 async function getProductId(api: ApiClient): Promise<number> {
26 const res = await api.get('/v1/plus/products');
27 expect(res.status()).toBe(200);
28 const body = await res.json();
29 const products = body.data?.products ?? [];
30 expect(products.length).toBeGreaterThan(0);
31 return products[0].id;
32 }
33
34 /** Find a single collection by id within the mandate's collection list. */
35 async function getCollection(api: ApiClient, mandateId: string, collectionId: string) {
36 const res = await api.get(`/v1/plus/direct-debit/collections?mandateId=${mandateId}`);
37 expect(res.status()).toBe(200);
38 const body = await res.json();
39 expect(Array.isArray(body.data)).toBe(true);
40 const collection = body.data.find((c: { id: string }) => c.id === collectionId);
41 expect(collection, `collection ${collectionId} not found for mandate ${mandateId}`).toBeTruthy();
42 return collection;
43 }
44
45 test.describe.serial('Plus · Nordic direct debit (Autogiro / Betalingsservice)', () => {
46 test.setTimeout(60000);
47
48 test('configures Autogiro provider', async ({ request }) => {
49 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
50 // 409 (already configured for this org) is an acceptable, idempotent outcome.
51 api.expectErrors = true;
52
53 const res = await api.post('/v1/plus/payment-provider-configs', {
54 providerKey: 'autogiro',
55 config: { bankgiroNumber: '9912346' },
56 active: true,
57 });
58
59 expect([201, 409]).toContain(res.status());
60 });
61
62 test('rejects an invalid Betalingsservice account', async ({ request }) => {
63 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
64 api.expectErrors = true;
65
66 const productId = await getProductId(api);
67
68 // DK registreringsnummer must be 4 digits; "12" is invalid.
69 const res = await api.post('/v1/plus/direct-debit/mandates', {
70 providerKey: 'betalingsservice',
71 productId,
72 accountHolder: 'Lars Larsen',
73 country: 'DK',
74 clearingNumber: '12',
75 accountNumber: '1234567',
76 bankName: 'Danske Bank',
77 });
78
79 expect(res.status()).toBe(400);
80 });
81
82 test('completes a recurring direct-debit collection end-to-end (Autogiro SE)', async ({
83 request,
84 }) => {
85 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
86 const productId = await getProductId(api);
87
88 // 1. Create mandate — starts pending.
89 const createRes = await api.post('/v1/plus/direct-debit/mandates', {
90 providerKey: 'autogiro',
91 productId,
92 accountHolder: 'Sven Svensson',
93 country: 'SE',
94 clearingNumber: '8327',
95 accountNumber: '1234567',
96 bankName: 'Swedbank',
97 });
98 expect(createRes.status()).toBe(201);
99 const mandate = (await createRes.json()).data;
100 expect(mandate.status).toBe('pending');
101 expect(mandate.mandateReference).toBeTruthy();
102 const mandateId: string = mandate.id;
103
104 // 2. Activate — becomes active.
105 const activateRes = await api.post(
106 `/v1/plus/direct-debit/mandates/${mandateId}/activate`,
107 {},
108 );
109 expect(activateRes.status()).toBe(200);
110 expect((await activateRes.json()).data.status).toBe('active');
111
112 // 3. Mandate file content is non-empty fixed-width text.
113 const fileRes = await api.get(`/v1/plus/direct-debit/mandates/${mandateId}/file`);
114 expect(fileRes.status()).toBe(200);
115 const fileContent: string = (await fileRes.json()).data.content;
116 expect(typeof fileContent).toBe('string');
117 expect(fileContent.trim().length).toBeGreaterThan(0);
118
119 // 4. Schedule a collection — starts scheduled.
120 const collectionRes = await api.post('/v1/plus/direct-debit/collections', {
121 mandateId,
122 amount: 199,
123 currency: 'SEK',
124 });
125 expect(collectionRes.status()).toBe(201);
126 const collection = (await collectionRes.json()).data;
127 expect(collection.status).toBe('scheduled');
128 const collectionId: string = collection.id;
129
130 // 5. Run the batch — at least this collection is submitted.
131 const runRes = await api.post('/v1/plus/direct-debit/collections/run', {
132 providerKey: 'autogiro',
133 });
134 expect(runRes.status()).toBe(200);
135 const runBody = (await runRes.json()).data;
136 expect(runBody.submitted).toBeGreaterThanOrEqual(1);
137 expect(Array.isArray(runBody.files)).toBe(true);
138
139 // 6. Simulate a settled return.
140 const returnRes = await api.post(
141 `/v1/plus/direct-debit/collections/${collectionId}/simulate-return`,
142 { outcome: 'settled' },
143 );
144 expect(returnRes.status()).toBe(200);
145 expect((await returnRes.json()).data.settled).toBe(1);
146
147 // 7. The collection is now settled.
148 const settled = await getCollection(api, mandateId, collectionId);
149 expect(settled.status).toBe('settled');
150 expect(settled.settledAt).toBeTruthy();
151 expect(settled.flagged).toBe(false);
152 });
153
154 test('retries and flags a failed collection', async ({ request }) => {
155 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
156 const productId = await getProductId(api);
157
158 // Mandate must be active before it can be collected against.
159 const createRes = await api.post('/v1/plus/direct-debit/mandates', {
160 providerKey: 'autogiro',
161 productId,
162 accountHolder: 'Astrid Lindgren',
163 country: 'SE',
164 clearingNumber: '8327',
165 accountNumber: '7654321',
166 bankName: 'Swedbank',
167 });
168 expect(createRes.status()).toBe(201);
169 const mandateId: string = (await createRes.json()).data.id;
170
171 const activateRes = await api.post(
172 `/v1/plus/direct-debit/mandates/${mandateId}/activate`,
173 {},
174 );
175 expect(activateRes.status()).toBe(200);
176
177 // Schedule a collection to fail.
178 const collectionRes = await api.post('/v1/plus/direct-debit/collections', {
179 mandateId,
180 amount: 299,
181 currency: 'SEK',
182 });
183 expect(collectionRes.status()).toBe(201);
184 const collectionId: string = (await collectionRes.json()).data.id;
185
186 // First run + failed return: collection enters retry (retryCount 1).
187 const firstRun = await api.post('/v1/plus/direct-debit/collections/run', {
188 providerKey: 'autogiro',
189 });
190 expect(firstRun.status()).toBe(200);
191 expect((await firstRun.json()).data.submitted).toBeGreaterThanOrEqual(1);
192
193 const first{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env"}1 DEVELOPER_NAME=chris
2 ENV=local
3
4 SHERPA_PORTAL_HTTP=http://localhost:3000
5 SHERPA_PORTAL_HTTPS=https://portal.${DEVELOPER_NAME}.dev.gangkhar.dev
6 SHERPA_API_HTTP=http://localhost:4011
7 SHERPA_API_HTTPS=https://api.${DEVELOPER_NAME}.dev.gangkhar.dev
8
9 SHERPA_PORTAL_DEV_HTTPS=https://portal.dev.gangkhar.dev
10 SHERPA_API_DEV_HTTPS=https://sherpa-api.dev.gangkhar.dev
11
12 SHERPA_PORTAL_STAGING_HTTPS=https://portal.staging.gangkhar.dev
13 SHERPA_API_STAGING_HTTPS=https://sherpa-api.staging.gangkhar.dev
14
15 SHERPA_PORTAL_PROD_HTTPS=https://portal.your-domain.com
16 SHERPA_API_PROD_HTTPS=https://api.your-domain.com
17
18 WAYNI_PORTAL_URL=https://portal.wayni.${DEVELOPER_NAME}.dev.gangkhar.dev
19 WAYNI_PORTAL_DEV_URL=https://portal.wayni.dev.gangkhar.dev
20 WAYNI_PORTAL_STAGING_URL=https://portal.wayni.staging.gangkhar.dev
21
22 [email protected]
23 TEST_USER_PASSWORD="TestPass123!@#"
24
25 SHERPA_TEST_CLIENT_ID=cl_faf23d26-93db-4a72-af6f-462dff015c96
26 SHERPA_TEST_CLIENT_SECRET=cs_0a644bc5-8b9f-4ffd-b680-9ff0087f3f63{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/paymentProviderConfigRoutes.ts","limit":150}1 import type { FastifyPluginAsync, FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
2 import { StatusError } from '@/error/error.js';
3 import { PaymentProviderConfig } from '@/models/PaymentProviderConfig.js';
4 import { getProvider } from '@/domains/payments/registry.js';
5
6 const paymentProviderConfigRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
7 fastify.addHook('preHandler', fastify.authenticate);
8
9 // List all configs for the authenticated org
10 fastify.get('/', {
11 schema: {
12 description: 'List every payment provider configuration registered for the authenticated organization. Each row is the credentials/settings used to drive a single provider integration (e.g. Stripe). Results are sorted alphabetically by providerKey.',
13 tags: ['Sherpa Plus — Payment Provider Config'],
14 security: [{ clientCredentials: [] }],
15 response: {
16 200: {
17 type: 'object',
18 additionalProperties: true,
19 properties: {
20 status: { type: 'string', example: 'success' },
21 data: {
22 type: 'array',
23 items: {
24 type: 'object',
25 additionalProperties: true,
26 properties: {
27 id: { type: 'integer' },
28 organizationId: { type: 'string', format: 'uuid' },
29 providerKey: { type: 'string', description: 'Stable provider identifier (e.g. "stripe").' },
30 config: { type: 'object', additionalProperties: true, description: 'Provider-specific settings.' },
31 active: { type: 'boolean' },
32 createdAt: { type: 'string', format: 'date-time' },
33 updatedAt: { type: 'string', format: 'date-time' },
34 },
35 },
36 },
37 },
38 },
39 },
40 },
41 }, async (request: FastifyRequest, reply: FastifyReply) => {
42 const organizationId = request.userAuth?.organizationId;
43 if (!organizationId) {
44 throw new StatusError(401, 'Organization context required');
45 }
46
47 const configs = await PaymentProviderConfig.findAll({ organizationId }, {
48 where: { organizationId },
49 order: [['providerKey', 'ASC']],
50 });
51
52 return reply.send({
53 status: 'success',
54 data: configs,
55 });
56 });
57
58 // Get a single config by ID
59 fastify.get('/:id', {
60 schema: {
61 description: 'Fetch a single payment provider config by numeric ID, scoped to the authenticated organization. Returns 404 when the record does not exist or belongs to a different organization.',
62 tags: ['Sherpa Plus — Payment Provider Config'],
63 security: [{ clientCredentials: [] }],
64 params: {
65 type: 'object',
66 required: ['id'],
67 properties: { id: { type: 'integer', description: 'Payment provider config ID.' } },
68 },
69 response: {
70 200: {
71 type: 'object',
72 additionalProperties: true,
73 properties: {
74 status: { type: 'string', example: 'success' },
75 data: {
76 type: 'object',
77 additionalProperties: true,
78 properties: {
79 id: { type: 'integer' },
80 organizationId: { type: 'string', format: 'uuid' },
81 providerKey: { type: 'string' },
82 config: { type: 'object', additionalProperties: true },
83 active: { type: 'boolean' },
84 },
85 },
86 },
87 },
88 },
89 },
90 }, async (request: FastifyRequest, reply: FastifyReply) => {
91 const organizationId = request.userAuth?.organizationId;
92 if (!organizationId) {
93 throw new StatusError(401, 'Organization context required');
94 }
95
96 const { id } = request.params as { id: string };
97 const config = await PaymentProviderConfig.findOne({ organizationId }, {
98 where: { id: parseInt(id, 10), organizationId },
99 });
100
101 if (!config) {
102 throw new StatusError(404, 'Payment provider config not found');
103 }
104
105 return reply.send({
106 status: 'success',
107 data: config,
108 });
109 });
110
111 // Create a new config
112 fastify.post('/', {
113 schema: {
114 description: 'Create a new payment provider config for the authenticated organization. Each providerKey may only be configured once per organization — duplicates fail with 409. The config object is provider-specific (e.g. Stripe API keys, account IDs).',
115 tags: ['Sherpa Plus — Payment Provider Config'],
116 security: [{ clientCredentials: [] }],
117 body: {
118 type: 'object',
119 required: ['providerKey'],
120 properties: {
121 providerKey: { type: 'string', enum: ['stripe', 'autogiro', 'betalingsservice'], description: 'Payment provider key' },
122 config: { type: 'object', additionalProperties: true, description: 'Provider-specific configuration' },
123 active: { type: 'boolean', description: 'Whether the config is active' },
124 },
125 },
126 response: {
127 201: {
128 type: 'object',
129 additionalProperties: true,
130 properties: {
131 status: { type: 'string', example: 'success' },
132 data: {
133 type: 'object',
134 additionalProperties: true,
135 properties: {
136 id: { type: 'integer' },
137 organizationId: { type: 'string', format: 'uuid' },
138 providerKey: { type: 'string' },
139 active: { type: 'boolean' },
140 },
141 },
142 },
143 },
144 },
145 },
146 }, async (request: FastifyRequest, reply: FastifyReply) => {
147 const organizationId = request.userAuth?.organizationId;
148 if (!organizationId) {
149 throw new StatusError(401, 'Organization context required');
150 }{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && grep -rn \"res\\.data\\.data\" app/products/\\[id\\]/direct-debit/page.tsx"}app/products/[id]/direct-debit/page.tsx:124: const list: Mandate[] = res.data.data || []; app/products/[id]/direct-debit/page.tsx:144: .flatMap((res) => (res.data.data as Collection[]) || []) app/products/[id]/direct-debit/page.tsx:274: setMandateFile(res.data.data as MandateFile); app/products/[id]/direct-debit/page.tsx:324: const result = res.data.data as CollectionRunResult;
{"pattern":"directDebit|scheduleDirectDebitCollectionBatch","path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs","type":"ts"}Found 2 files src/services/jobs/index.ts src/services/jobs/directDebitCollectionBatchJob.ts
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir && grep -n \"amount:\" tests/plus-insurance/09-direct-debit.spec.ts"}122: amount: 199, 180: amount: 299,
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts","limit":100}1 import { registerWelcomeEmailJobs } from './welcomeEmailJob.js';
2 import { registerBundleWelcomeEmailJob } from './bundleWelcomeEmailJob.js';
3 import { registerPaymentRetryEmailJob } from './paymentRetryEmailJob.js';
4 import { registerClaimEmailJob } from './claimEmailJob.js';
5 import { registerClaimDocumentIntelligenceJob } from './claimDocumentIntelligenceJob.js';
6 import { registerClaimRuleEvaluationJob } from './claimRuleEvaluationJob.js';
7 import { registerClaimPayoutJob } from './claimPayoutJob.js';
8 import { registerClaimPayoutEvaluationJob } from './claimPayoutEvaluationJob.js';
9 import { registerClaimPayoutBatchJob, scheduleClaimPayoutBatch } from './claimPayoutBatchJob.js';
10 import { registerDirectDebitCollectionBatchJob, scheduleDirectDebitCollectionBatch } from './directDebitCollectionBatchJob.js';
11 import { registerPolicyRenewalJob } from './policyRenewalJob.js';
12 import logger from '@/logger.js';
13 import { registerSanctionScreeningJob } from './sanctionScreeningJob.js';
14
15 export function registerAllJobs() {
16 registerWelcomeEmailJobs();
17 registerBundleWelcomeEmailJob();
18 registerPaymentRetryEmailJob();
19 registerClaimEmailJob();
20 registerClaimDocumentIntelligenceJob();
21 registerClaimRuleEvaluationJob();
22 registerClaimPayoutJob();
23 registerClaimPayoutEvaluationJob();
24 registerClaimPayoutBatchJob();
25 registerDirectDebitCollectionBatchJob();
26 registerPolicyRenewalJob();
27
28 // Start recurring schedulers. BullMQ dedupes by jobId, so it's safe for this
29 // to run in every process that imports jobs (API + workers).
30 scheduleClaimPayoutBatch().catch((err) =>
31 logger.error({ err }, 'Failed to schedule claim_payout_batch'),
32 );
33 scheduleDirectDebitCollectionBatch().catch((err) =>
34 logger.error({ err }, 'Failed to schedule direct_debit_collection_batch'),
35 );
36 registerSanctionScreeningJob();
37 }
38 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && grep -A 5 \"handleScheduleCollection\" app/products/\\[id\\]/direct-debit/page.tsx | head -20"} const handleScheduleCollection = async () => {
if (!selectedMandate) {
return;
}
if (!formAmount.trim()) {
showErrorToast(t("Amount is required"));
--
<Button onClick={handleScheduleCollection} disabled={collectionSaving}>
{collectionSaving ? t("Saving...") : t("Schedule")}
</Button>
</DialogFooter>
</DialogContent>
</Dialog>{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations -name \"*create-policy-acceptance*\" -type f"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.05.27T00.00.05.create-policy-acceptance-configs.ts
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && sed -n '327,340p' app/components/settings/PaymentProvidersTab.tsx"} <ProviderLogo providerKey={config.providerKey} className="h-5 w-auto" />
<div>
<p className="text-sm font-medium text-gray-900">
{getProviderLabel(config.providerKey)}
</p>
<p className="text-xs text-gray-500">
{config.config?.connectedAccountId || "-"}
</p>
</div>
</div>
<div className="flex items-center gap-4">
<div className="flex items-center gap-2">
<Switch
checked={config.active}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.05.27T00.00.05.create-policy-acceptance-configs.ts","limit":100}1 import type { MigrationFn } from 'umzug';
2 import { QueryInterface, DataTypes } from 'sequelize';
3
4 // Config for the customer quote/policy acceptance page, modelled as the same
5 // pages → categories → items hierarchy used by policy/quote/claim parameters
6 // (so the admin editor, API, and embed render are consistent). `PolicyAcceptanceConfigs`
7 // is one row per product holding page-level settings; `AcceptancePages` →
8 // `AcceptanceCategories` → `AcceptanceItems` is the orderable tree. Items carry
9 // an `itemType` (parameter/price/plan/coverage/terms/static_text) — the only
10 // difference from a parameter hierarchy. Tenant tables with the standard
11 // permissive RLS template (check:migrations enforces it for new tenant tables).
12
13 const rlsTables = [
14 'PolicyAcceptanceConfigs',
15 'AcceptancePages',
16 'AcceptanceCategories',
17 'AcceptanceItems',
18 ];
19
20 export const up: MigrationFn<QueryInterface> = async ({ context }) => {
21 await context.createTable('PolicyAcceptanceConfigs', {
22 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
23 organizationId: { type: DataTypes.UUID, allowNull: false },
24 productId: {
25 type: DataTypes.INTEGER,
26 allowNull: false,
27 references: { model: 'Products', key: 'id' },
28 onDelete: 'CASCADE',
29 },
30 name: { type: DataTypes.STRING(255), allowNull: false },
31 title: { type: DataTypes.STRING(255), allowNull: true },
32 subtitle: { type: DataTypes.TEXT, allowNull: true },
33 showEditButton: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: true },
34 acceptanceMode: {
35 type: DataTypes.ENUM('checkbox', 'button'),
36 allowNull: false,
37 defaultValue: 'checkbox',
38 },
39 active: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: true },
40 createdAt: { type: DataTypes.DATE, allowNull: false },
41 updatedAt: { type: DataTypes.DATE, allowNull: false },
42 });
43 await context.addIndex('PolicyAcceptanceConfigs', ['organizationId', 'productId', 'active'], {
44 name: 'idx_acceptance_config_org_product_active',
45 });
46
47 await context.createTable('AcceptancePages', {
48 id: { type: DataTypes.INTEGER, autoIncrement: true, primaryKey: true },
49 organizationId: { type: DataTypes.UUID, allowNull: false },
50 acceptanceConfigId: {
51 type: DataTypes.UUID,
52 allowNull: false,
53 references: { model: 'PolicyAcceptanceConfigs', key: 'id' },
54 onDelete: 'CASCADE',
55 },
56 name: { type: DataTypes.STRING(255), allowNull: false },
57 label: { type: DataTypes.STRING(255), allowNull: true },
58 description: { type: DataTypes.TEXT, allowNull: true },
59 order: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 0 },
60 createdAt: { type: DataTypes.DATE, allowNull: false },
61 updatedAt: { type: DataTypes.DATE, allowNull: false },
62 });
63 await context.addIndex('AcceptancePages', ['acceptanceConfigId', 'order'], {
64 name: 'idx_acceptance_page_config_order',
65 });
66
67 await context.createTable('AcceptanceCategories', {
68 id: { type: DataTypes.INTEGER, autoIncrement: true, primaryKey: true },
69 organizationId: { type: DataTypes.UUID, allowNull: false },
70 acceptanceConfigId: {
71 type: DataTypes.UUID,
72 allowNull: false,
73 references: { model: 'PolicyAcceptanceConfigs', key: 'id' },
74 onDelete: 'CASCADE',
75 },
76 acceptancePageId: {
77 type: DataTypes.INTEGER,
78 allowNull: true,
79 references: { model: 'AcceptancePages', key: 'id' },
80 onDelete: 'CASCADE',
81 },
82 name: { type: DataTypes.STRING(255), allowNull: false },
83 label: { type: DataTypes.STRING(255), allowNull: true },
84 description: { type: DataTypes.TEXT, allowNull: true },
85 order: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 0 },
86 createdAt: { type: DataTypes.DATE, allowNull: false },
87 updatedAt: { type: DataTypes.DATE, allowNull: false },
88 });
89 await context.addIndex('AcceptanceCategories', ['acceptanceConfigId', 'order'], {
90 name: 'idx_acceptance_category_config_order',
91 });
92 await context.addIndex('AcceptanceCategories', ['acceptancePageId'], {
93 name: 'idx_acceptance_category_page',
94 });
95
96 await context.createTable('AcceptanceItems', {
97 id: { type: DataTypes.INTEGER, autoIncrement: true, primaryKey: true },
98 organizationId: { type: DataTypes.UUID, allowNull: false },
99 acceptanceConfigId: {
100 type: DataTypes.UUID,{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir && sed -n '48,60p' tests/plus-insurance/09-direct-debit.spec.ts"} test('configures Autogiro provider', async ({ request }) => {
const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
// 409 (already configured for this org) is an acceptable, idempotent outcome.
api.expectErrors = true;
const res = await api.post('/v1/plus/payment-provider-configs', {
providerKey: 'autogiro',
config: { bankgiroNumber: '9912346' },
active: true,
});
expect([201, 409]).toContain(res.status());
});{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && grep -n \"creditorId\" app/components/settings/PaymentProvidersTab.tsx"}163: typeof config.config?.creditorId === "string" ? config.config.creditorId : "" 195: creditorId: formCreditorId.trim(),
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.05.27T00.00.05.create-policy-acceptance-configs.ts","offset":115,"limit":50}115 },
116 parameterPath: { type: DataTypes.STRING(255), allowNull: true },
117 label: { type: DataTypes.STRING(255), allowNull: true },
118 termsTemplateType: { type: DataTypes.STRING(100), allowNull: true },
119 termsTemplateId: { type: DataTypes.INTEGER, allowNull: true },
120 staticHtml: { type: DataTypes.TEXT, allowNull: true },
121 displayOptions: { type: DataTypes.JSONB, allowNull: true },
122 required: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false },
123 createdAt: { type: DataTypes.DATE, allowNull: false },
124 updatedAt: { type: DataTypes.DATE, allowNull: false },
125 });
126 await context.addIndex('AcceptanceItems', ['acceptanceCategoryId', 'order'], {
127 name: 'idx_acceptance_item_category_order',
128 });
129 await context.addIndex('AcceptanceItems', ['acceptanceConfigId'], {
130 name: 'idx_acceptance_item_config',
131 });
132
133 // RLS — permissive template (unset GUC OR org match); safe-model WHERE is the
134 // primary filter. See src/db/AGENTS.md.
135 for (const table of rlsTables) {
136 await context.sequelize.query(`ALTER TABLE "${table}" ENABLE ROW LEVEL SECURITY`);
137 await context.sequelize.query(`ALTER TABLE "${table}" FORCE ROW LEVEL SECURITY`);
138 await context.sequelize.query(`DROP POLICY IF EXISTS tenant_isolation ON "${table}"`);
139 await context.sequelize.query(`
140 CREATE POLICY tenant_isolation ON "${table}"
141 FOR ALL
142 USING (
143 NULLIF(current_setting('app.current_organization', true), '') IS NULL
144 OR "organizationId" = NULLIF(current_setting('app.current_organization', true), '')::uuid
145 )
146 `);
147 await context.sequelize.query(`GRANT SELECT ON "${table}" TO dashboard_user`);
148 }
149 };
150
151 export const down: MigrationFn<QueryInterface> = async () => {
152 // Forward-only deployment
153 };
154 {"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir && grep -n \"bankgiroNumber\\|creditorId\" tests/plus-insurance/09-direct-debit.spec.ts"}55: config: { bankgiroNumber: '9912346' },{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/autogiro.ts","offset":87,"limit":30}87 buildReturnFile(records: ReturnRecord[]): string {
88 // TK82 settlement/return: status "00" = settled, otherwise a reject code.
89 const lines = records.map((r) => {
90 const ref = padRight(r.externalReference, 35);
91 const status = r.outcome === 'settled' ? '00' : padZero(digitsOnly(r.reason ?? '') || '99', 2);
92 const amount = minorUnits(r.settledAmount ?? 0, 12);
93 const reason = padRight(r.outcome === 'settled' ? 'GODKAND' : (r.reason ?? 'AVVISAD'), 29);
94 return `82${ref}${status}${amount}${reason}`;
95 });
96 return lines.join('\n') + '\n';
97 }
98
99 parseReturnFile(content: string): ReturnRecord[] {
100 const records: ReturnRecord[] = [];
101 for (const raw of content.split(/\r?\n/)) {
102 if (!raw.startsWith('82')) continue;
103 const ref = raw.slice(2, 37).trim();
104 if (!ref) continue;
105 const status = raw.slice(37, 39).trim();
106 const amount = raw.slice(39, 51);
107 const reason = raw.slice(51).trim();
108 const settled = status === '00';
109 records.push({
110 externalReference: ref,
111 outcome: settled ? 'settled' : 'failed',
112 reason: settled ? undefined : reason || `reject ${status}`,
113 settledAmount: settled ? fromMinorUnits(amount) : undefined,
114 });
115 }
116 return records;{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir && sed -n '119,125p' tests/plus-insurance/09-direct-debit.spec.ts"} // 4. Schedule a collection — starts scheduled.
const collectionRes = await api.post('/v1/plus/direct-debit/collections', {
mandateId,
amount: 199,
currency: 'SEK',
});
expect(collectionRes.status()).toBe(201);{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && sed -n '292,317p' app/products/\\[id\\]/direct-debit/page.tsx"} const handleScheduleCollection = async () => {
if (!selectedMandate) {
return;
}
if (!formAmount.trim()) {
showErrorToast(t("Amount is required"));
return;
}
setCollectionSaving(true);
try {
await api.post("/direct-debit/collections", {
mandateId: selectedMandate.id,
amount: formAmount.trim(),
currency: formCurrency.trim(),
});
showSuccessToast(t("Collection scheduled successfully"));
setCollectionDialogOpen(false);
await refresh();
} catch (err) {
console.error("Error scheduling collection:", err);
showErrorToast(extractApiError(err, t("Failed to schedule collection")));
} finally {
setCollectionSaving(false);
}
};{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && sed -n '35,53p' app/types/directDebit.ts"}{"command":"node -e \"\n// Test autogiro format round-trip\nconst buildLine = \\`82\\${' '.repeat(35)}\\${'00'}\\${'0'.padStart(12, '0')}\\${' '.repeat(29)}\\`;\nconsole.log('Autogiro line length:', buildLine.length);\nconsole.log('Build: ref(35) + status(2) + amount(12) + reason(29)');\n\n// Slice test: 82 prefix + ref(2-37) + status(37-39) + amount(39-51) + reason(51+)\nconst slice_ref = buildLine.slice(2, 37);\nconst slice_status = buildLine.slice(37, 39);\nconst slice_amount = buildLine.slice(39, 51);\nconst slice_reason = buildLine.slice(51);\n\nconsole.log('ref:', slice_ref.length, 'chars');\nconsole.log('status:', slice_status.length, 'chars');\nconsole.log('amount:', slice_amount.length, 'chars');\nconsole.log('reason:', slice_reason.length, 'chars');\n\n// Betalingsservice: RT02ref(35)+status(4)+amount(13)+reason(28)\nconst buildLineBS = \\`RT\\${' '.repeat(35)}\\${'0000'}\\${'0'.padStart(13, '0')}\\${' '.repeat(28)}\\`;\nconsole.log('\\\\nBetalingsservice line length:', buildLineBS.length);\nconst slice_ref_bs = buildLineBS.slice(2, 37);\nconst slice_status_bs = buildLineBS.slice(37, 41);\nconst slice_amount_bs = buildLineBS.slice(41, 54);\nconst slice_reason_bs = buildLineBS.slice(54);\nconsole.log('ref:', slice_ref_bs.length, '| status:', slice_status_bs.length, '| amount:', slice_amount_bs.length, '| reason:', slice_reason_bs.length);\n\"\n"}export interface Collection {
id: number;
mandateId: number;
policyOrderId: number | null;
providerKey: DirectDebitProviderKey;
amount: string;
currency: string;
status: CollectionStatus;
scheduledFor: string | null;
submittedAt: string | null;
settledAt: string | null;
retryCount: number;
maxRetries: number;
failureReason: string | null;
externalReference: string | null;
fileReference: string | null;
flagged: boolean;
createdAt: string;
}Autogiro line length: 80 Build: ref(35) + status(2) + amount(12) + reason(29) ref: 35 chars status: 2 chars amount: 12 chars reason: 29 chars Betalingsservice line length: 82 ref: 35 | status: 4 | amount: 13 | reason: 28
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir && sed -n '604,610p' app/products/\\[id\\]/direct-debit/page.tsx"} {collections.map((collection) => (
<tr key={collection.id} className="hover:bg-gray-50">
<td className="px-6 py-4 text-sm font-medium whitespace-nowrap text-gray-900">
{collection.amount} {collection.currency}
</td>
<td className="px-6 py-4 whitespace-nowrap">
<StatusBadge{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":428,"limit":60}428 async function applyReturnRecord(
429 ctx: Ctx,
430 record: ReturnRecord,
431 summary: IngestSummary,
432 ): Promise<void> {
433 const collection = await DirectDebitCollection.findOne(ctx, {
434 where: { externalReference: record.externalReference },
435 });
436 if (!collection) {
437 summary.unmatched.push(record.externalReference);
438 return;
439 }
440 // Idempotency: ignore return records for already-terminal collections.
441 if (collection.status === CollectionStatus.SETTLED) {
442 return;
443 }
444
445 if (record.outcome === 'settled') {
446 await collection.update({
447 status: CollectionStatus.SETTLED,
448 settledAt: new Date(),
449 failureReason: null,
450 flagged: false,
451 });
452 await reconcileSettlementToPolicy(ctx, collection);
453 summary.settled += 1;
454 return;
455 }
456
457 // Failed: retry until maxRetries, then flag for operator intervention.
458 const nextRetry = collection.retryCount + 1;
459 const reason = record.reason ?? 'Collection rejected by bank';
460 if (nextRetry <= collection.maxRetries) {
461 await collection.update({
462 status: CollectionStatus.RETRYING,
463 retryCount: nextRetry,
464 // Eligible for the next collection run immediately. Production would apply
465 // a backoff window before re-presenting; recorded as a hint in metadata.
466 scheduledFor: new Date(),
467 failureReason: reason,
468 flagged: false,
469 metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry },
470 });
471 summary.retrying += 1;
472 } else {
473 await collection.update({
474 status: CollectionStatus.FAILED,
475 failureReason: reason,
476 flagged: true,
477 });
478 summary.failed += 1;
479 summary.flagged += 1;
480 logger.warn(
481 { organizationId: ctx.organizationId, collectionId: collection.id, retryCount: collection.retryCount },
482 'Direct-debit collection flagged after exhausting retries',
483 );
484 }
485 }
486
487 /** Parse and reconcile a bank return/settlement file. */{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":440,"limit":5}440 // Idempotency: ignore return records for already-terminal collections.
441 if (collection.status === CollectionStatus.SETTLED) {
442 return;
443 }
444 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts","offset":1,"limit":20}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _DirectDebitMandate } from './_DirectDebitMandate.js';
3
4 // Collection lifecycle:
5 // SCHEDULED → created, waiting for the next collection-file run
6 // SUBMITTED → written into a collection file and sent to the bank
7 // SETTLED → bank confirmed the debit (return file) → policy reconciled
8 // FAILED → bank rejected the debit (return file)
9 // RETRYING → a failed debit rescheduled for another attempt
10 // CANCELLED → manually cancelled before submission
11 export enum CollectionStatus {
12 SCHEDULED = 'scheduled',
13 SUBMITTED = 'submitted',
14 SETTLED = 'settled',
15 FAILED = 'failed',
16 RETRYING = 'retrying',
17 CANCELLED = 'cancelled',
18 }
19
20 @Table({{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/format.ts","offset":16,"limit":15}16
17 /** Format a major-unit amount as zero-padded minor units (öre/øre). */
18 export function minorUnits(amount: number, width: number): string {
19 const minor = Math.round(Number(amount) * 100);
20 if (!Number.isFinite(minor) || minor < 0) {
21 throw new Error(`Invalid amount for direct-debit file: ${amount}`);
22 }
23 return padZero(String(minor), width);
24 }
25
26 /** Parse zero-padded minor units back into a major-unit amount. */
27 export function fromMinorUnits(raw: string): number {
28 const minor = parseInt(raw.trim() || '0', 10);
29 return Math.round(minor) / 100;
30 }{"command":"grep -n \"Number(collection.amount)\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}264: amount: Number(collection.amount), 529: settledAmount: outcome === 'settled' ? Number(collection.amount) : undefined,
{"command":"grep -A3 -B3 \"collection.amount\\|mandate.amount\\|DirectDebitCollection.*DECIMAL\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts | head -20"}(Bash completed with no output)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts","offset":79,"limit":10}79 @Column({
80 type: DataType.DECIMAL(15, 2),
81 allowNull: false,
82 })
83 declare amount: number;
84
85 @Column({
86 type: DataType.STRING(3),
87 allowNull: false,
88 }){"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":440,"limit":50}440 // Idempotency: ignore return records for already-terminal collections.
441 if (collection.status === CollectionStatus.SETTLED) {
442 return;
443 }
444
445 if (record.outcome === 'settled') {
446 await collection.update({
447 status: CollectionStatus.SETTLED,
448 settledAt: new Date(),
449 failureReason: null,
450 flagged: false,
451 });
452 await reconcileSettlementToPolicy(ctx, collection);
453 summary.settled += 1;
454 return;
455 }
456
457 // Failed: retry until maxRetries, then flag for operator intervention.
458 const nextRetry = collection.retryCount + 1;
459 const reason = record.reason ?? 'Collection rejected by bank';
460 if (nextRetry <= collection.maxRetries) {
461 await collection.update({
462 status: CollectionStatus.RETRYING,
463 retryCount: nextRetry,
464 // Eligible for the next collection run immediately. Production would apply
465 // a backoff window before re-presenting; recorded as a hint in metadata.
466 scheduledFor: new Date(),
467 failureReason: reason,
468 flagged: false,
469 metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry },
470 });
471 summary.retrying += 1;
472 } else {
473 await collection.update({
474 status: CollectionStatus.FAILED,
475 failureReason: reason,
476 flagged: true,
477 });
478 summary.failed += 1;
479 summary.flagged += 1;
480 logger.warn(
481 { organizationId: ctx.organizationId, collectionId: collection.id, retryCount: collection.retryCount },
482 'Direct-debit collection flagged after exhausting retries',
483 );
484 }
485 }
486
487 /** Parse and reconcile a bank return/settlement file. */
488 export async function ingestReturnFile(
489 organizationId: string,{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":395,"limit":32}395 async function reconcileSettlementToPolicy(
396 ctx: Ctx,
397 collection: DirectDebitCollection,
398 ): Promise<void> {
399 if (!collection.policyOrderId) return;
400 try {
401 const policyOrder = await PolicyOrder.findByPk(ctx, collection.policyOrderId);
402 if (!policyOrder) return;
403
404 const update: Record<string, unknown> = {
405 externalPaymentRef: collection.externalReference,
406 externalPaymentProvider: collection.providerKey,
407 };
408 const category = await getCategoryForCode(ctx.organizationId, policyOrder.status);
409 if (category === PolicyStatusLifecycleCategory.PENDING) {
410 update.status = await getDefaultCodeForCategory(
411 ctx.organizationId,
412 PolicyStatusLifecycleCategory.ACTIVE,
413 );
414 }
415 await policyOrder.update(update);
416 logger.info(
417 { organizationId: ctx.organizationId, policyOrderId: collection.policyOrderId, collectionId: collection.id },
418 'Reconciled direct-debit settlement to policy',
419 );
420 } catch (err) {
421 logger.warn(
422 { err, collectionId: collection.id, policyOrderId: collection.policyOrderId },
423 'Failed to reconcile direct-debit settlement to policy',
424 );
425 }
426 }Good - displaying the string directly. Now let me compile my audit findings. Let me create a comprehensive summary:
## AUDIT REPORT: sherpa-api#462 Frontend + Test Code
### HIGH ISSUES
**HIGH-1: Test Payload Field Mismatch — `bankgiroNumber` vs `creditorId`**
- **File & Line:** `/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts:55`
- **Issue:** Test sends `config: { bankgiroNumber: '9912346' }` but portal code expects `config: { creditorId: '...' }` (PaymentProvidersTab.tsx:195). The field names don't match—test will fail or 400 at the API.
- **Fix:** Change line 55 to:
```typescript
config: { creditorId: '9912346' },
```
**HIGH-2: Test Collection Amount is Numeric, API Expects String**
- **File & Line:** `/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts:122, 180`
- **Issue:** Test sends `amount: 199` (number) but Collection type defines `amount: string`. API will reject numeric amount or type-coerce unexpectedly. Direct-debit APIs are strict about decimal strings.
- **Fix:** Change to:
```typescript
amount: '199', // Line 122
amount: '299', // Line 180
```
### MEDIUM ISSUES
**MEDIUM-1: PaymentProvidersTab Displays Wrong Field for Direct-Debit Providers**
- **File & Line:** `/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx:333`
- **Issue:** Line 333 always displays `config.config?.connectedAccountId || "-"` even for direct-debit providers (autogiro/betalingsservice). Direct-debit configs store `creditorId`, not `connectedAccountId`, so the UI shows "-" incorrectly. When editing a direct-debit provider, the field appears empty/missing.
- **Fix:** Change lines 331–335 to:
```typescript
<p className="text-xs text-gray-500">
{DIRECT_DEBIT_PROVIDER_KEYS.includes(config.providerKey)
? config.config?.creditorId || "-"
: config.config?.connectedAccountId || "-"}
</p>
```
**MEDIUM-2: Status Badge Classes Don't Cover All Statuses (Incomplete Mapping)**
- **File & Line:** `/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx:60–67`
- **Issue:** The COLLECTION_STATUS_CLASSES record has 6 statuses, and the code accesses it at line 612 without a fallback. If an unknown status arrives (API contract change or bug), accessing `COLLECTION_STATUS_CLASSES[collection.status]` will return `undefined`, rendering `className={undefined}` — the badge won't style. No explicit unknown-status fallback.
- **Fix:** Add a fallback:
```typescript
className={COLLECTION_STATUS_CLASSES[collection.status] || "bg-gray-100 text-gray-800"}
```
(Or add a catch in the status mapping logic.)
**MEDIUM-3: .env Port Change (4000→4011) May Affect Other Test Suites**
- **File & Line:** `/sherpa-test-api-462-nordic-bank-direct-debit-autogir/.env:6`
- **Issue:** `SHERPA_API_HTTP=http://localhost:4011` changed from 4000. If other test specs rely on `.env` and don't override it, they'll target port 4011 instead of 4000, breaking them.
- **Fix:** Verify that:
- Other test specs in the same repo either hard-code `localhost:4000` or use their own env override.
- Or revert to 4000 and configure the new spec to explicitly use 4011 via a local override or environment variable.
### LOW ISSUES (Style/Conventions)
**LOW-1: Params Unwrapping Conditional Logic**
- **File & Line:** `/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx:86–88`
- **Issue:** Line 87 checks `params instanceof Promise` to call `React.use()`. In Next.js 16+, params is a Promise by default in app router, so this conditional is always true (no gain from the check). Not wrong, but simplifies to always calling `React.use(params)`.
- **Fix:** For clarity:
```typescript
const unwrappedParams = React.use(params);
const productId = unwrappedParams?.id || "";
```
**LOW-2: Missing Fallback for Expanded Collection Rows with Flagged Indicator**
- **File & Line:** `/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx:619–628`
- **Issue:** Flagged indicator shows a `Flag` icon if `flagged=true`, else a dash. This is fine, but there's no visual/title distinction that helps UX. For a "flagged" state (critical), consider a tooltip or more prominent styling.
- **Fix:** Add `title` or tooltip:
```typescript
{collection.flagged ? (
<span className="inline-flex items-center text-red-600" title={t("Flagged for manual review")}>
<Flag className="h-4 w-4" />
</span>
) : (
<span className="text-gray-300">-</span>
)}
```
**LOW-3: useCallback Dependencies — Potential Stale Refresh**
- **File & Line:** `/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx:185–191`
- **Issue:** Line 185 `refresh()` includes `selectedMandateId` in deps, but line 186 default arg `mandateId = selectedMandateId` captures the stale value if `refresh` is called before state updates. Not a runtime crash, but could miss a collection refetch if mandate selection changes mid-flight. Unlikely in practice but fragile.
- **Fix:** No change needed unless seen in QA, but document intent:
```typescript
// refresh defaults to selectedMandateId at call time; if it changes,
// caller should pass the new value explicitly.
```
---
## SUMMARY
| Severity | Count | Issues |
|----------|-------|--------|
| **HIGH** | 2 | Mismatched field name (`bankgiroNumber`), numeric amount in test |
| **MEDIUM** | 3 | Wrong field display in PaymentProvidersTab, missing status fallback, port change risk |
| **LOW** | 3 | Conditional params check, missing flagged tooltip, stale refresh capture |
**NO REMAINING HIGH OR MEDIUM ISSUES** after fixes applied.{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":277,"limit":60}277 export async function submitDueCollections(
278 organizationId: string,
279 providerKey?: string,
280 ): Promise<{ providerKey: string; fileReference: string; content: string; count: number }[]> {
281 const ctx = { organizationId };
282 const providerKeys = providerKey ? [providerKey] : Object.values(DirectDebitProvider);
283 const results: { providerKey: string; fileReference: string; content: string; count: number }[] = [];
284
285 for (const key of providerKeys) {
286 const provider = assertDirectDebitProvider(key);
287 const due = await DirectDebitCollection.findAll(ctx, {
288 where: {
289 providerKey: key,
290 status: { [Op.in]: [CollectionStatus.SCHEDULED, CollectionStatus.RETRYING] },
291 scheduledFor: { [Op.lte]: new Date() },
292 },
293 order: [['scheduledFor', 'ASC']],
294 limit: 500,
295 });
296 if (due.length === 0) continue;
297
298 const creditorId = await resolveCreditorId(ctx, key);
299 const fileReference = `${PROVIDER_PREFIX[key] ?? 'DD'}-FILE-${randomUUID().slice(0, 8).toUpperCase()}`;
300 const entries: CollectionFileEntry[] = [];
301
302 for (const collection of due) {
303 const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
304 if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
305 await collection.update({
306 status: CollectionStatus.FAILED,
307 failureReason: 'Mandate is not active',
308 flagged: true,
309 });
310 continue;
311 }
312 const externalReference = generateReference(key, 'COL');
313 await collection.update({
314 status: CollectionStatus.SUBMITTED,
315 submittedAt: new Date(),
316 externalReference,
317 fileReference,
318 failureReason: null,
319 });
320 entries.push(toFileEntry(collection, mandate));
321 }
322
323 if (entries.length === 0) continue;
324 const content = provider.buildCollectionFile(entries, fileReference, creditorId);
325 results.push({ providerKey: key, fileReference, content, count: entries.length });
326 logger.info(
327 { organizationId, providerKey: key, fileReference, count: entries.length },
328 'Direct-debit collection file generated',
329 );
330 }
331
332 return results;
333 }
334
335 /** Render the outbound collection file for already-submitted debits (download). */
336 export async function buildCurrentCollectionFile({"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts","offset":[14,30]}<tool_use_error>InputValidationError: Read failed due to the following issue: The parameter `offset` type is expected as `number` but provided as `array`</tool_use_error>
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts"}Wasted call — file unchanged since your last Read. Refer to that earlier tool_result instead.
Perfect. Based on my thorough review of the Nordic bank direct debit implementation, I've completed the audit. Let me compile my findings:
---
## AUDIT REPORT: sherpa-api#462 Nordic Bank Direct Debit (Autogiro SE / Betalingsservice DK)
### FINDINGS
#### **HIGH ISSUES**
**1. Idempotency Guard Incomplete in applyReturnRecord**
- **File:Line** `src/services/directDebitService.ts:440-443`
- **Issue:** The idempotency check only guards `SETTLED` collections, but a `FAILED` collection (status with `flagged: true`) could receive a duplicate return record and transition to `RETRYING` or be flagged again, violating the invariant that flagged collections are terminal.
- **Risk:** A flagged collection (operator intervention required) could be silently un-flagged or re-attempted if a return file is re-ingested.
- **Fix:** Change line 441 to check both terminal states:
```typescript
if ([CollectionStatus.SETTLED, CollectionStatus.FAILED].includes(collection.status)) {
return;
}
```
---
#### **MEDIUM ISSUES**
None found.
---
#### **LOW ISSUES & CONFIRMATIONS**
✅ **RLS/Tenant Safety (CLEAN)**: Migration uses the permissive template correctly — `NULLIF(current_setting(...), '') IS NULL OR "organizationId" = ...::uuid` with ENABLE+FORCE ROW LEVEL SECURITY + GRANT SELECT to dashboard_user. Matches the reference pattern in `2026.05.27T00.00.05.create-policy-acceptance-configs.ts` exactly.
✅ **Models (CLEAN)**: Column types, nullability, ENUMs, and ForeignKeys match migration exactly. Safe wrappers use `toSafeModel()`. Indexed correctly.
✅ **Orchestration Correctness (CLEAN)**:
- Retry logic: maxRetries=3 → off-by-one checked: at retryCount=0,1,2 it retries (nextRetry=1,2,3 ≤ 3); at retryCount=3 it flags (nextRetry=4 > 3). Correct.
- reconcileSettlementToPolicy: Uses getCategoryForCode/getDefaultCodeForCategory correctly, wrapped in try/catch (best-effort), won't break ingest.
- Mandate validation in submitDueCollections: Checks `mandate.status !== MandateStatus.ACTIVE` and fails+flags, preventing submission of inactive mandates.
✅ **File Format Round-Trip (CLEAN)**:
- **Autogiro buildReturnFile** → parseReturnFile: `82` + ref(35) + status(2) + amount(12) + reason(29) → slices (2,37)/(37,39)/(39,51)/(51) match exactly. ✓
- **Betalingsservice buildReturnFile** → parseReturnFile: `RT` + ref(35) + status(4) + amount(13) + reason(28) → slices (2,37)/(37,41)/(41,54)/(54) match exactly. ✓
- padZero handles long values correctly (truncates from left via `slice(v.length - width)`). minorUnits validates finite/non-negative.
✅ **Decimal Handling (CLEAN)**: DECIMAL(15,2) columns correctly converted with `Number(collection.amount)` before minorUnits/totals. minorUnits validates and rejects NaN/negative.
✅ **Routes (CLEAN)**: Every handler calls `requireOrg()` → 401 if missing. Body/param schemas match enums ['autogiro', 'betalingsservice']. Response format consistent `{status, data}`.
✅ **Batch Job (CLEAN)**: directDebitCollectionBatchJob iterates orgs, calls submitDueCollections per org → RLS enforced. Registered in jobs/index.ts and scheduled at `0 * * * *` (hourly). Matches claimPayoutBatchJob pattern. Error handling per-org (won't fail entire batch).
✅ **DB Registration (CLEAN)**: Both `_DirectDebitMandate` and `_DirectDebitCollection` imported and registered in src/models/db.ts at lines 65-66.
✅ **Enum Consistency (CLEAN)**: Routes use PROVIDER_KEYS=['autogiro','betalingsservice']; paymentProviderConfigRoutes line 121 includes both; DirectDebitProvider enum matches.
---
### SUMMARY
**Issues Found:** 1 HIGH (idempotency guard), 0 MEDIUM, 0 LOW.
The implementation is production-ready with one critical fix required to guard flagged collections from re-ingestion. All other aspects (RLS, models, orchestration, file formats, routes, batch job) are correct and secure.Round 1 triage:
Agent 1 (API) — 1 HIGH (idempotency guard only covers SETTLED; a flagged/RETRYING collection could be re-processed on duplicate ingest). Valid — but the stronger correct fix is: a return record is only meaningful for a SUBMITTED collection. Everything else verified clean (RLS, round-trip offsets, retry math).
Agent 2 (portal/test) — its 2 "HIGH"s are false positives (the test passed 4/4: API input amount is type:number and resolveCreditorId accepts bankgiroNumber||creditorId). Genuine MEDIUMs: provider-list display shows connectedAccountId for DD providers; collection badge lacks unknown-status fallback. MEDIUM-3 (.env 4011) is correct-not-a-risk (worktree api IS 4011).
Applying API guard fix + reading portal files for the two MEDIUM fixes.
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","old_string":" // Idempotency: ignore return records for already-terminal collections.\n if (collection.status === CollectionStatus.SETTLED) {\n return;\n }","new_string":" // A return record is only meaningful for a collection awaiting settlement\n // (SUBMITTED). Anything else — already settled, already failed/flagged, or a\n // duplicate arriving after we processed a prior return for this reference — is\n // ignored idempotently so re-ingesting a file can't double-count retries or\n // un-flag an exhausted collection.\n if (collection.status !== CollectionStatus.SUBMITTED) {\n return;\n }"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts has been updated successfully. (file state is current in your context — no need to Read it back)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","offset":40,"limit":20}40 case "sat": return t("Saturday");
41 case "sun": return t("Sunday");
42 }
43 };
44
45 const AVAILABLE_PROVIDERS = [
46 { key: "stripe", label: "Stripe" },
47 { key: "autogiro", label: "Autogiro (Sweden)" },
48 { key: "betalingsservice", label: "Betalingsservice (Denmark)" },
49 ];
50
51 // Direct-debit providers configured by a creditor identifier (Bankgiro number
52 // for Autogiro, PBS/creditor number for Betalingsservice) rather than a Stripe
53 // connected account.
54 const DIRECT_DEBIT_PROVIDER_KEYS = ["autogiro", "betalingsservice"];
55
56 const PaymentProvidersTab: React.FC = () => {
57 const t = useTranslation();
58 const [configs, setConfigs] = useState<PaymentProviderConfig[]>([]);
59 const [loading, setLoading] = useState(false);DIRECT_DEBIT_PROVIDER_KEYS already defined. Reading the list-display region + collection badge usage in page.tsx to apply the two MEDIUM fixes.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","offset":322,"limit":18}322 <ChevronDown className="h-5 w-5" />
323 ) : (
324 <ChevronRight className="h-5 w-5" />
325 )}
326 </button>
327 <ProviderLogo providerKey={config.providerKey} className="h-5 w-auto" />
328 <div>
329 <p className="text-sm font-medium text-gray-900">
330 {getProviderLabel(config.providerKey)}
331 </p>
332 <p className="text-xs text-gray-500">
333 {config.config?.connectedAccountId || "-"}
334 </p>
335 </div>
336 </div>
337 <div className="flex items-center gap-4">
338 <div className="flex items-center gap-2">
339 <Switch{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","offset":40,"limit":52}40 autogiro: "Autogiro (SE)",
41 betalingsservice: "Betalingsservice (DK)",
42 };
43
44 const PROVIDER_DEFAULT_COUNTRY: Record<DirectDebitProviderKey, string> = {
45 autogiro: "SE",
46 betalingsservice: "DK",
47 };
48
49 const PROVIDER_DEFAULT_CURRENCY: Record<DirectDebitProviderKey, string> = {
50 autogiro: "SEK",
51 betalingsservice: "DKK",
52 };
53
54 const MANDATE_STATUS_CLASSES: Record<Mandate["status"], string> = {
55 pending: "bg-amber-100 text-amber-800",
56 active: "bg-green-100 text-green-800",
57 revoked: "bg-red-100 text-red-800",
58 };
59
60 const COLLECTION_STATUS_CLASSES: Record<Collection["status"], string> = {
61 scheduled: "bg-gray-100 text-gray-800",
62 submitted: "bg-blue-100 text-blue-800",
63 settled: "bg-green-100 text-green-800",
64 failed: "bg-red-100 text-red-800",
65 retrying: "bg-amber-100 text-amber-800",
66 cancelled: "bg-gray-100 text-gray-800",
67 };
68
69 const StatusBadge: React.FC<{ label: string; className: string }> = ({ label, className }) => (
70 <span
71 className={`inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium ${className}`}
72 >
73 {label}
74 </span>
75 );
76
77 function extractApiError(error: unknown, fallback: string): string {
78 const err = error as { response?: { data?: { error?: { message?: string }; message?: string } } };
79 return (
80 err?.response?.data?.error?.message || err?.response?.data?.message || fallback
81 );
82 }
83
84 export default function ProductDirectDebitPage({ params }: { params: { id: string } }) {
85 const t = useTranslation();
86 // Unwrap params using React.use() if it's a promise
87 const unwrappedParams = params instanceof Promise ? React.use(params) : params;
88 const productId = unwrappedParams?.id || "";
89
90 const [product, setProduct] = useState<ProductData | null>(null);
91 const [mandates, setMandates] = useState<Mandate[]>([]);{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" <p className=\"text-xs text-gray-500\">\n {config.config?.connectedAccountId || \"-\"}\n </p>","new_string":" <p className=\"text-xs text-gray-500\">\n {(DIRECT_DEBIT_PROVIDER_KEYS.includes(config.providerKey)\n ? config.config?.creditorId\n : config.config?.connectedAccountId) || \"-\"}\n </p>"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"pattern":"STATUS_CLASSES\\[","path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","output_mode":"content","-n":true}487: className={MANDATE_STATUS_CLASSES[mandate.status]}
612: className={COLLECTION_STATUS_CLASSES[collection.status]}I'll add defensive fallbacks at both badge sites:
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","old_string":" className={MANDATE_STATUS_CLASSES[mandate.status]}","new_string":" className={MANDATE_STATUS_CLASSES[mandate.status] || \"bg-gray-100 text-gray-800\"}"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","old_string":" className={COLLECTION_STATUS_CLASSES[collection.status]}","new_string":" className={COLLECTION_STATUS_CLASSES[collection.status] || \"bg-gray-100 text-gray-800\"}"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Verifying portal sends amount correctly on schedule + running both type-checks after Round-1 fixes.
{"pattern":"collections|amount|Number\\(|parseFloat","path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","output_mode":"content","-n":true,"head_limit":30}92: const [collections, setCollections] = useState<Collection[]>([]);
96: const [collectionsLoading, setCollectionsLoading] = useState(false);
130: // mandate is selected we fetch just its collections; otherwise we aggregate
141: targets.map((m) => api.get(`/direct-debit/collections?mandateId=${m.id}`))
148: console.error("Error loading collections:", err);
149: showErrorToast(extractApiError(err, t("Failed to load collections")));
203: setFormClearingNumber("");
204: setFormAccountNumber("");
228: productId: Number(productId),
303: await api.post("/direct-debit/collections", {
305: amount: formAmount.trim(),
323: const res = await api.post("/direct-debit/collections/run", body);
330: console.error("Error running collections:", err);
331: showErrorToast(extractApiError(err, t("Failed to run collections")));
342: await api.post(`/direct-debit/collections/${collection.id}/simulate-return`, {
359: await api.post(`/direct-debit/collections/${collection.id}/retry`, {});
426: {t("Select a mandate to view its collections")}
545: ? t("Showing collections for {holder}", {
548: : t("Showing all collections for this product")}
562: {running ? t("Running...") : t("Run due collections")}
567: {collectionsLoading ? (
571: ) : collections.length === 0 ? (
573: <p className="text-gray-500">{t("No collections yet.")}</p>
604: {collections.map((collection) => (
607: {collection.amount} {collection.currency}
737: onChange={(e) => setFormClearingNumber(e.target.value)}
746: onChange={(e) => setFormAccountNumber(e.target.value)}Line 305 sends amount: formAmount.trim() (string). Fastify coerces string→number by default, but explicit is safer. Reading the block to fix precisely.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","offset":288,"limit":35}288 );
289 setCollectionDialogOpen(true);
290 };
291
292 const handleScheduleCollection = async () => {
293 if (!selectedMandate) {
294 return;
295 }
296 if (!formAmount.trim()) {
297 showErrorToast(t("Amount is required"));
298 return;
299 }
300
301 setCollectionSaving(true);
302 try {
303 await api.post("/direct-debit/collections", {
304 mandateId: selectedMandate.id,
305 amount: formAmount.trim(),
306 currency: formCurrency.trim(),
307 });
308 showSuccessToast(t("Collection scheduled successfully"));
309 setCollectionDialogOpen(false);
310 await refresh();
311 } catch (err) {
312 console.error("Error scheduling collection:", err);
313 showErrorToast(extractApiError(err, t("Failed to schedule collection")));
314 } finally {
315 setCollectionSaving(false);
316 }
317 };
318
319 const handleRunCollections = async () => {
320 setRunning(true);
321 try {
322 const body = selectedMandate ? { providerKey: selectedMandate.providerKey } : {};{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","old_string":" if (!formAmount.trim()) {\n showErrorToast(t(\"Amount is required\"));\n return;\n }\n\n setCollectionSaving(true);\n try {\n await api.post(\"/direct-debit/collections\", {\n mandateId: selectedMandate.id,\n amount: formAmount.trim(),\n currency: formCurrency.trim(),\n });","new_string":" const amountValue = Number(formAmount);\n if (!formAmount.trim() || !Number.isFinite(amountValue) || amountValue <= 0) {\n showErrorToast(t(\"Enter a valid amount greater than zero\"));\n return;\n }\n\n setCollectionSaving(true);\n try {\n await api.post(\"/direct-debit/collections\", {\n mandateId: selectedMandate.id,\n amount: amountValue,\n currency: formCurrency.trim(),\n });"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
Aligning test config field is cosmetic (test passed; bankgiroNumber is a valid API field) — leaving it. Running both type-checks after Round-1 fixes.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\necho \"=== API tsc ===\"; docker compose exec -T api npx tsc --noEmit 2>&1 | rg -c 'error TS' || echo \"0 errors\"","description":"API tsc after round-1 fixes","timeout":180000}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir\necho \"=== Portal tsc (my files only) ===\"; npx tsc --noEmit 2>&1 | rg 'direct-debit|PaymentProvidersTab|AppLayout|app/types/directDebit' || echo \"no errors in my files\"\necho \"=== Portal total error count ===\"; npx tsc --noEmit 2>&1 | rg -c 'error TS' || echo 0","description":"Portal tsc after round-1 fixes","timeout":180000}=== API tsc === 0 errors
=== Portal tsc (my files only) ===
app/components/settings/PaymentProvidersTab.tsx(333,23): error TS2322: Type '{}' is not assignable to type 'ReactNode'.
=== Portal total error count ===
2Portal error at my line 333 — config.config typing doesn't include creditorId. Fixing with a typed record access (the other error is the pre-existing MABTimeSeriesChart one).
{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","old_string":" <p className=\"text-xs text-gray-500\">\n {(DIRECT_DEBIT_PROVIDER_KEYS.includes(config.providerKey)\n ? config.config?.creditorId\n : config.config?.connectedAccountId) || \"-\"}\n </p>","new_string":" <p className=\"text-xs text-gray-500\">\n {(config.config as Record<string, string> | undefined)?.[\n DIRECT_DEBIT_PROVIDER_KEYS.includes(config.providerKey)\n ? \"creditorId\"\n : \"connectedAccountId\"\n ] || \"-\"}\n </p>"}The file /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx has been updated successfully. (file state is current in your context — no need to Read it back)
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir\necho \"=== Portal tsc (my files) ===\"; npx tsc --noEmit 2>&1 | rg 'direct-debit|PaymentProvidersTab|AppLayout|app/types/directDebit' || echo \"no errors in my files\"\necho \"=== remaining total errors (pre-existing) ===\"; npx tsc --noEmit 2>&1 | rg 'error TS' | head","description":"Re-check portal tsc","timeout":180000}=== Portal tsc (my files) === no errors in my files === remaining total errors (pre-existing) === app/lens/optimizations/commission/[id]/health/MABTimeSeriesChart.tsx(77,25): error TS2322: Type '(v: number) => string' is not assignable to type 'Formatter<number, NameType> & ((value: number, name: NameType, item: Payload<number, NameType>, index: number, payload: Payload<number, NameType>[]) => ReactNode | [...])'.
Portal: my files clean; the 1 remaining error is pre-existing (MABTimeSeriesChart.tsx, unrelated app/lens feature). API tsc 0 errors. Verified the idempotency fix preserves the retry flow (resubmit assigns a new externalReference + resets to SUBMITTED, so retries still process; duplicates/terminal states skip).
Round 2 — 2 parallel agents to verify fixes + catch anything missed.
{"description":"Review API direct-debit (round 2)","prompt":"Round-2 verification review of backend code for sherpa-api#462 (Nordic direct debit) in /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir. Read ACTUAL file content (rg/fd, not grep/find).\n\nROUND-1 FIX ALREADY APPLIED (verify it's correct, don't re-flag as new): in src/services/directDebitService.ts `applyReturnRecord`, the guard now skips any collection whose status !== SUBMITTED (was: only SETTLED). Confirm this:\n- does NOT break the legitimate retry flow: submitDueCollections must transition RETRYING→SUBMITTED and assign a NEW externalReference on each resubmit (so a later return for the new ref re-enters with status SUBMITTED). Verify submitDueCollections actually does this.\n- correctly makes duplicate/terminal ingests idempotent.\n\nNow do a FRESH pass on areas NOT deeply checked in round 1. Focus HIGH/MEDIUM with file:line:\n1. **Model ↔ migration drift**: compare EVERY column in src/models/internal/_DirectDebitMandate.ts and _DirectDebitCollection.ts against the migration src/db/migrations/2026.06.01T00.00.00.*.ts — type, width, nullability, default, enum values, FK, index names. Any mismatch (sequelize sync/drift test would catch) is HIGH.\n2. **directDebitService.ts** remaining edge cases: \n - `metadata: { ...(collection.metadata ?? {}), ... }` spread — safe if metadata is null?\n - `Number(collection.amount)` everywhere amounts are used — any place a raw DECIMAL string leaks into arithmetic or the file builders?\n - submitDueCollections: when a mandate is inactive it marks the collection FAILED+flagged — is that the right call vs just skipping? (judgement; flag MEDIUM if it could wrongly flag a collection whose mandate was temporarily revoked)\n - resolveCreditorId fallback '0000000' — acceptable?\n - any unhandled promise / missing await?\n3. **routes** directDebitRoutes.ts: param/body/querystring schemas vs handler usage; any handler that can throw an unhandled error (e.g. provider not found) → does it surface as a clean 4xx/5xx? Is `productId` filter coerced correctly (querystring integer)?\n4. **connectors**: re-verify autogiro.ts & betalingsservice.ts buildCollectionFile field widths sum correctly and parseReturnFile offsets exactly match buildReturnFile widths (recompute the byte ranges). Check digitsOnly/padZero edge cases (empty clearingNumber, very long account).\n5. **job** directDebitCollectionBatchJob.ts: correctness vs claimPayoutBatchJob.\n\nReport HIGH/MEDIUM/LOW with file:line + concrete fix. If clean say \"NO REMAINING HIGH OR MEDIUM ISSUES\". Do not modify files.","subagent_type":"Explore"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}1 import { randomUUID } from 'crypto';
2 import { Op } from 'sequelize';
3 import { StatusError } from '@/error/error.js';
4 import logger from '@/logger.js';
5 import {
6 DirectDebitMandate,
7 MandateStatus,
8 DirectDebitProvider,
9 } from '@/models/DirectDebitMandate.js';
10 import { DirectDebitCollection, CollectionStatus } from '@/models/DirectDebitCollection.js';
11 import { PaymentProviderConfig } from '@/models/PaymentProviderConfig.js';
12 import { PolicyOrder } from '@/models/PolicyOrder.js';
13 import { PolicyStatusLifecycleCategory } from '@/models/OrganizationPolicyStatus.js';
14 import { getCategoryForCode, getDefaultCodeForCategory } from '@/services/policyStatusService.js';
15 import {
16 getDirectDebitProvider,
17 isDirectDebitProvider,
18 } from '@/domains/payments/directDebit/registry.js';
19 import type {
20 BankAccount,
21 BankDirectDebitProvider,
22 CollectionFileEntry,
23 ReturnRecord,
24 } from '@/domains/payments/directDebit/interface.js';
25
26 // directDebitService — orchestration for the Nordic bank direct-debit rails.
27 //
28 // The connectors in domains/payments/directDebit are stateless file builders /
29 // parsers. This service owns everything stateful: mandate lifecycle, collection
30 // scheduling, building the outbound files, ingesting return files, retry +
31 // flagging, and reconciling settlements back to the policy's payment status.
32
33 type Ctx = { organizationId: string };
34
35 const PROVIDER_PREFIX: Record<string, string> = {
36 autogiro: 'AG',
37 betalingsservice: 'BS',
38 };
39
40 // ── Helpers ──────────────────────────────────────────────────────────────────
41
42 function assertDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
43 if (!isDirectDebitProvider(providerKey)) {
44 throw new StatusError(400, `'${providerKey}' is not a bank direct-debit provider`);
45 }
46 return getDirectDebitProvider(providerKey);
47 }
48
49 function generateReference(providerKey: string, kind: 'MND' | 'COL'): string {
50 const prefix = PROVIDER_PREFIX[providerKey] ?? 'DD';
51 return `${prefix}-${kind}-${randomUUID().slice(0, 8).toUpperCase()}`;
52 }
53
54 /**
55 * Resolve the payee identity for a scheme from the org's payment provider
56 * config. Enforces the config-via-portal rule: a direct-debit collection cannot
57 * be submitted until the provider is configured for the organization.
58 */
59 async function resolveCreditorId(ctx: Ctx, providerKey: string): Promise<string> {
60 const config = await PaymentProviderConfig.findOne(ctx, {
61 where: { providerKey, active: true },
62 });
63 if (!config) {
64 throw new StatusError(
65 400,
66 `No active "${providerKey}" payment provider config for this organization — configure it in the portal first`,
67 );
68 }
69 const c = config.config as Record<string, unknown>;
70 const creditorId =
71 (typeof c.creditorId === 'string' && c.creditorId) ||
72 (typeof c.bankgiroNumber === 'string' && c.bankgiroNumber) ||
73 (typeof c.pbsNumber === 'string' && c.pbsNumber) ||
74 '';
75 return creditorId || '0000000';
76 }
77
78 function mandateAccount(mandate: DirectDebitMandate): BankAccount {
79 return {
80 country: mandate.country,
81 clearingNumber: mandate.clearingNumber,
82 accountNumber: mandate.accountNumber,
83 accountHolder: mandate.accountHolder,
84 };
85 }
86
87 // ── Mandate lifecycle ─────────────────────────────────────────────────────────
88
89 export interface CreateMandateInput {
90 providerKey: string;
91 productId: number;
92 customerId?: string | null;
93 accountHolder: string;
94 country: string;
95 clearingNumber?: string | null;
96 accountNumber: string;
97 bankName?: string | null;
98 metadata?: Record<string, unknown> | null;
99 }
100
101 export async function createMandate(
102 organizationId: string,
103 input: CreateMandateInput,
104 ): Promise<DirectDebitMandate> {
105 const ctx = { organizationId };
106 const provider = assertDirectDebitProvider(input.providerKey);
107
108 const account: BankAccount = {
109 country: input.country,
110 clearingNumber: input.clearingNumber,
111 accountNumber: input.accountNumber,
112 accountHolder: input.accountHolder,
113 };
114 const validation = provider.validateAccount(account);
115 if (!validation.valid) {
116 throw new StatusError(400, `Invalid bank account: ${validation.errors.join('; ')}`);
117 }
118
119 const mandateReference = generateReference(input.providerKey, 'MND');
120 const mandate = await DirectDebitMandate.create(ctx, {
121 organizationId,
122 providerKey: input.providerKey as DirectDebitProvider,
123 productId: input.productId,
124 customerId: input.customerId ?? null,
125 status: MandateStatus.PENDING,
126 country: input.country.toUpperCase(),
127 accountHolder: input.accountHolder,
128 clearingNumber: input.clearingNumber ?? null,
129 accountNumber: input.accountNumber,
130 bankName: input.bankName ?? null,
131 mandateReference,
132 payerNumber: mandateReference,
133 signedAt: new Date(),
134 metadata: input.metadata ?? null,
135 });
136
137 logger.info(
138 { organizationId, mandateId: mandate.id, providerKey: input.providerKey },
139 'Direct-debit mandate created (pending bank confirmation)',
140 );
141 return mandate;
142 }
143
144 async function loadMandate(ctx: Ctx, mandateId: string): Promise<DirectDebitMandate> {
145 const mandate = await DirectDebitMandate.findByPk(ctx, mandateId);
146 if (!mandate) {
147 throw new StatusError(404, `Mandate ${mandateId} not found`);
148 }
149 return mandate;
150 }
151
152 /**
153 * Activate a mandate once the bank confirms it. In production this is driven by
154 * the mandate return file; the route also exposes it as an explicit operator
155 * action so a confirmed mandate can be activated from the CRM.
156 */
157 export async function activateMandate(
158 organizationId: string,
159 mandateId: string,
160 payerNumber?: string,
161 ): Promise<DirectDebitMandate> {
162 const ctx = { organizationId };
163 const mandate = await loadMandate(ctx, mandateId);
164 if (mandate.status === MandateStatus.REVOKED) {
165 throw new StatusError(400, 'Cannot activate a revoked mandate');
166 }
167 await mandate.update({
168 status: MandateStatus.ACTIVE,
169 activatedAt: new Date(),
170 failureReason: null,
171 ...(payerNumber ? { payerNumber } : {}),
172 });
173 logger.info({ organizationId, mandateId }, 'Direct-debit mandate activated');
174 return mandate;
175 }
176
177 export async function revokeMandate(
178 organizationId: string,
179 mandateId: string,
180 ): Promise<DirectDebitMandate> {
181 const ctx = { organizationId };
182 const mandate = await loadMandate(ctx, mandateId);
183 if (mandate.status === MandateStatus.REVOKED) {
184 return mandate;
185 }
186 await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
187 logger.info({ organizationId, mandateId }, 'Direct-debit mandate revoked');
188 return mandate;
189 }
190
191 /** Generate the bank mandate-request file for a single mandate (download/preview). */
192 export async function buildMandateFile(
193 organizationId: string,
194 mandateId: string,
195 ): Promise<{ fileReference: string; content: string }> {
196 const ctx = { organizationId };
197 const mandate = await loadMandate(ctx, mandateId);
198 const provider = assertDirectDebitProvider(mandate.providerKey);
199 const creditorId = await resolveCreditorId(ctx, mandate.providerKey);
200 const content = provider.buildMandateFile(
201 [
202 {
203 mandateReference: mandate.mandateReference,
204 payerNumber: mandate.payerNumber,
205 account: mandateAccount(mandate),
206 },
207 ],
208 creditorId,
209 );
210 return { fileRefer{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _Product } from './_Product.js';
3
4 // Provider keys for the Nordic direct-debit schemes. Match the values stored on
5 // Products.paymentProvider and PaymentProviderConfigs.providerKey.
6 export enum DirectDebitProvider {
7 AUTOGIRO = 'autogiro',
8 BETALINGSSERVICE = 'betalingsservice',
9 }
10
11 // Mandate lifecycle. A mandate is created `PENDING` when the bank file is
12 // generated, becomes `ACTIVE` once the bank confirms it (mandate return file or
13 // an operator activation), and `REVOKED` when the customer or bank cancels it.
14 export enum MandateStatus {
15 PENDING = 'pending',
16 ACTIVE = 'active',
17 REVOKED = 'revoked',
18 }
19
20 @Table({
21 modelName: 'DirectDebitMandate',
22 tableName: 'DirectDebitMandates',
23 timestamps: true,
24 indexes: [
25 {
26 unique: true,
27 fields: ['organizationId', 'mandateReference'],
28 name: 'direct_debit_mandates_org_reference_unique',
29 },
30 {
31 fields: ['organizationId', 'status'],
32 name: 'idx_direct_debit_mandates_org_status',
33 },
34 {
35 fields: ['organizationId', 'productId'],
36 name: 'idx_direct_debit_mandates_org_product',
37 },
38 ],
39 })
40 export class _DirectDebitMandate extends Model {
41 @Column({
42 type: DataType.UUID,
43 primaryKey: true,
44 defaultValue: DataType.UUIDV4,
45 })
46 declare id: string;
47
48 @Column({
49 type: DataType.UUID,
50 allowNull: false,
51 })
52 declare organizationId: string;
53
54 @Column({
55 type: DataType.ENUM(...Object.values(DirectDebitProvider)),
56 allowNull: false,
57 })
58 declare providerKey: DirectDebitProvider;
59
60 @ForeignKey(() => _Product)
61 @Column({
62 type: DataType.INTEGER,
63 allowNull: false,
64 })
65 declare productId: number;
66
67 @BelongsTo(() => _Product)
68 declare product: _Product;
69
70 @Column({
71 type: DataType.UUID,
72 allowNull: true,
73 })
74 declare customerId: string | null;
75
76 @Column({
77 type: DataType.ENUM(...Object.values(MandateStatus)),
78 allowNull: false,
79 defaultValue: MandateStatus.PENDING,
80 })
81 declare status: MandateStatus;
82
83 @Column({
84 type: DataType.STRING(2),
85 allowNull: false,
86 })
87 declare country: string;
88
89 @Column({
90 type: DataType.STRING(255),
91 allowNull: false,
92 })
93 declare accountHolder: string;
94
95 @Column({
96 type: DataType.STRING(20),
97 allowNull: true,
98 })
99 declare clearingNumber: string | null;
100
101 @Column({
102 type: DataType.STRING(50),
103 allowNull: false,
104 })
105 declare accountNumber: string;
106
107 @Column({
108 type: DataType.STRING(255),
109 allowNull: true,
110 })
111 declare bankName: string | null;
112
113 @Column({
114 type: DataType.STRING(100),
115 allowNull: false,
116 })
117 declare mandateReference: string;
118
119 @Column({
120 type: DataType.STRING(50),
121 allowNull: true,
122 })
123 declare payerNumber: string | null;
124
125 @Column({
126 type: DataType.DATE,
127 allowNull: true,
128 })
129 declare signedAt: Date | null;
130
131 @Column({
132 type: DataType.DATE,
133 allowNull: true,
134 })
135 declare activatedAt: Date | null;
136
137 @Column({
138 type: DataType.DATE,
139 allowNull: true,
140 })
141 declare revokedAt: Date | null;
142
143 @Column({
144 type: DataType.TEXT,
145 allowNull: true,
146 })
147 declare failureReason: string | null;
148
149 @Column({
150 type: DataType.JSONB,
151 allowNull: true,
152 })
153 declare metadata: Record<string, unknown> | null;
154
155 declare createdAt: Date;
156 declare updatedAt: Date;
157 }
158 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _DirectDebitMandate } from './_DirectDebitMandate.js';
3
4 // Collection lifecycle:
5 // SCHEDULED → created, waiting for the next collection-file run
6 // SUBMITTED → written into a collection file and sent to the bank
7 // SETTLED → bank confirmed the debit (return file) → policy reconciled
8 // FAILED → bank rejected the debit (return file)
9 // RETRYING → a failed debit rescheduled for another attempt
10 // CANCELLED → manually cancelled before submission
11 export enum CollectionStatus {
12 SCHEDULED = 'scheduled',
13 SUBMITTED = 'submitted',
14 SETTLED = 'settled',
15 FAILED = 'failed',
16 RETRYING = 'retrying',
17 CANCELLED = 'cancelled',
18 }
19
20 @Table({
21 modelName: 'DirectDebitCollection',
22 tableName: 'DirectDebitCollections',
23 timestamps: true,
24 indexes: [
25 {
26 fields: ['mandateId'],
27 name: 'idx_direct_debit_collections_mandate',
28 },
29 {
30 fields: ['organizationId', 'status'],
31 name: 'idx_direct_debit_collections_org_status',
32 },
33 {
34 fields: ['organizationId', 'status', 'scheduledFor'],
35 name: 'idx_direct_debit_collections_org_status_scheduled',
36 },
37 {
38 fields: ['externalReference'],
39 name: 'idx_direct_debit_collections_external_ref',
40 },
41 ],
42 })
43 export class _DirectDebitCollection extends Model {
44 @Column({
45 type: DataType.UUID,
46 primaryKey: true,
47 defaultValue: DataType.UUIDV4,
48 })
49 declare id: string;
50
51 @Column({
52 type: DataType.UUID,
53 allowNull: false,
54 })
55 declare organizationId: string;
56
57 @ForeignKey(() => _DirectDebitMandate)
58 @Column({
59 type: DataType.UUID,
60 allowNull: false,
61 })
62 declare mandateId: string;
63
64 @BelongsTo(() => _DirectDebitMandate)
65 declare mandate: _DirectDebitMandate;
66
67 @Column({
68 type: DataType.INTEGER,
69 allowNull: true,
70 })
71 declare policyOrderId: number | null;
72
73 @Column({
74 type: DataType.STRING(50),
75 allowNull: false,
76 })
77 declare providerKey: string;
78
79 @Column({
80 type: DataType.DECIMAL(15, 2),
81 allowNull: false,
82 })
83 declare amount: number;
84
85 @Column({
86 type: DataType.STRING(3),
87 allowNull: false,
88 })
89 declare currency: string;
90
91 @Column({
92 type: DataType.ENUM(...Object.values(CollectionStatus)),
93 allowNull: false,
94 defaultValue: CollectionStatus.SCHEDULED,
95 })
96 declare status: CollectionStatus;
97
98 @Column({
99 type: DataType.DATE,
100 allowNull: false,
101 })
102 declare scheduledFor: Date;
103
104 @Column({
105 type: DataType.DATE,
106 allowNull: true,
107 })
108 declare submittedAt: Date | null;
109
110 @Column({
111 type: DataType.DATE,
112 allowNull: true,
113 })
114 declare settledAt: Date | null;
115
116 @Column({
117 type: DataType.INTEGER,
118 allowNull: false,
119 defaultValue: 0,
120 })
121 declare retryCount: number;
122
123 @Column({
124 type: DataType.INTEGER,
125 allowNull: false,
126 defaultValue: 3,
127 })
128 declare maxRetries: number;
129
130 @Column({
131 type: DataType.TEXT,
132 allowNull: true,
133 })
134 declare failureReason: string | null;
135
136 @Column({
137 type: DataType.STRING(255),
138 allowNull: true,
139 })
140 declare externalReference: string | null;
141
142 @Column({
143 type: DataType.STRING(255),
144 allowNull: true,
145 })
146 declare fileReference: string | null;
147
148 @Column({
149 type: DataType.BOOLEAN,
150 allowNull: false,
151 defaultValue: false,
152 })
153 declare flagged: boolean;
154
155 @Column({
156 type: DataType.JSONB,
157 allowNull: true,
158 })
159 declare metadata: Record<string, unknown> | null;
160
161 declare createdAt: Date;
162 declare updatedAt: Date;
163 }
164 {"pattern":"**/migrations/2026.06.01T*.ts"}No files found
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -name \"*DirectDebit*\" -type f | grep -i migration"}(Bash completed with no output)
{"pattern":"**/migrations/*.ts"}No files found
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -type f -name \"*.ts\" | grep -i migrat | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/scripts/check-migration-tenant-rls.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/lens/migrations/2025.07.30T00.00.01.create-task-requests.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/lens/migrations/2025.09.25T00.00.04.add-id-to-simulation-tasks.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/lens/migrations/2025.07.30T00.00.02.create-task-results.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/lens/migrations/2025.09.25T00.00.06.add-organization-id-to-simulation-tasks.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/lens/migrations/2025.07.30T00.00.03.create-simulation-tasks-junction.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.04.15T00.00.01.make-rls-permissive-when-context-unset.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.04.28T00.00.01.seed-suspension-reinstatement-templates.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.11.10T00.00.06.remove-coverage-pricing-version.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.30T19.54.01.fix-claim-foreign-key-to-policy-orders.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.01.30T00.00.00.create-customers-table.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.09.19T00.00.01.create-user-organizations.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.01.17.add-organization-id-to-business-tables.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.03.26T00.00.03.add-title-to-claims-policies-quotes.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.09.16T17.01.00.fix-policy-parameter-category-page-id-nullable-v2.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.08.26T12.30.00.seed-module-endpoint-cancel-policy.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.10.04T00.00.08.fix-user-email-unique-constraint.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.00.22.create-user-social-auths.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.03.23T00.00.02.add-external-transaction-id-to-policy-orders.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.10.09T00.00.01.add-cancelled-by-to-policy-orders.ts
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations -type f -name \"*2026.06*\" | sort"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts"}1 import type { MigrationFn } from 'umzug';
2 import { QueryInterface, DataTypes } from 'sequelize';
3
4 // Nordic bank direct debit (Autogiro SE / Betalingsservice DK).
5 //
6 // `DirectDebitMandates` — the customer's standing authorization to debit a bank
7 // account, with a pending → active → revoked lifecycle. One row per
8 // customer+product authorization; `mandateReference` is our stable identifier
9 // (also written into the generated bank file).
10 //
11 // `DirectDebitCollections` — one recurring debit instruction against a mandate.
12 // Scheduled → submitted (written into a collection file) → settled OR failed.
13 // A failed collection reschedules as `retrying` until `maxRetries`, then sets
14 // `flagged` so an operator can intervene. Settlement reconciles back to the
15 // linked PolicyOrder's payment status.
16 //
17 // Both are tenant-scoped tables using the standard permissive RLS template
18 // (check:migrations enforces it for new tenant tables — see src/db/AGENTS.md).
19
20 const rlsTables = ['DirectDebitMandates', 'DirectDebitCollections'];
21
22 export const up: MigrationFn<QueryInterface> = async ({ context }) => {
23 await context.createTable('DirectDebitMandates', {
24 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
25 organizationId: { type: DataTypes.UUID, allowNull: false },
26 providerKey: { type: DataTypes.STRING(50), allowNull: false },
27 productId: {
28 type: DataTypes.INTEGER,
29 allowNull: false,
30 references: { model: 'Products', key: 'id' },
31 onDelete: 'CASCADE',
32 },
33 customerId: { type: DataTypes.UUID, allowNull: true },
34 status: {
35 type: DataTypes.ENUM('pending', 'active', 'revoked'),
36 allowNull: false,
37 defaultValue: 'pending',
38 },
39 country: { type: DataTypes.STRING(2), allowNull: false },
40 accountHolder: { type: DataTypes.STRING(255), allowNull: false },
41 // SE: clearing number; DK: registreringsnummer. Optional because some
42 // schemes identify the payer by `payerNumber` alone after activation.
43 clearingNumber: { type: DataTypes.STRING(20), allowNull: true },
44 accountNumber: { type: DataTypes.STRING(50), allowNull: false },
45 bankName: { type: DataTypes.STRING(255), allowNull: true },
46 // Our stable mandate identifier, written into the bank mandate-request file.
47 mandateReference: { type: DataTypes.STRING(100), allowNull: false },
48 // Provider/bank-assigned payer number, captured from the mandate return file.
49 payerNumber: { type: DataTypes.STRING(50), allowNull: true },
50 signedAt: { type: DataTypes.DATE, allowNull: true },
51 activatedAt: { type: DataTypes.DATE, allowNull: true },
52 revokedAt: { type: DataTypes.DATE, allowNull: true },
53 failureReason: { type: DataTypes.TEXT, allowNull: true },
54 metadata: { type: DataTypes.JSONB, allowNull: true },
55 createdAt: { type: DataTypes.DATE, allowNull: false },
56 updatedAt: { type: DataTypes.DATE, allowNull: false },
57 });
58 await context.addIndex('DirectDebitMandates', ['organizationId', 'mandateReference'], {
59 unique: true,
60 name: 'direct_debit_mandates_org_reference_unique',
61 });
62 await context.addIndex('DirectDebitMandates', ['organizationId', 'status'], {
63 name: 'idx_direct_debit_mandates_org_status',
64 });
65 await context.addIndex('DirectDebitMandates', ['organizationId', 'productId'], {
66 name: 'idx_direct_debit_mandates_org_product',
67 });
68
69 await context.createTable('DirectDebitCollections', {
70 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
71 organizationId: { type: DataTypes.UUID, allowNull: false },
72 mandateId: {
73 type: DataTypes.UUID,
74 allowNull: false,
75 references: { model: 'DirectDebitMandates', key: 'id' },
76 onDelete: 'CASCADE',
77 },
78 policyOrderId: {
79 type: DataTypes.INTEGER,
80 allowNull: true,
81 references: { model: 'PolicyOrders', key: 'id' },
82 onDelete: 'SET NULL',
83 },
84 providerKey: { type: DataTypes.STRING(50), allowNull: false },
85 amount: { type: DataTypes.DECIMAL(15, 2), allowNull: false },
86 currency: { type: DataTypes.STRING(3), allowNull: false },
87 status: {
88 type: DataTypes.ENUM('scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'),
89 allowNull: false,
90 defaultValue: 'scheduled',
91 },
92 scheduledFor: { type: DataTypes.DATE, allowNull: false },
93 submittedAt: { type: DataTypes.DATE, allowNull: true },
94 settledAt: { type: DataTypes.DATE, allowNull: true },
95 retryCount: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 0 },
96 maxRetries: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 3 },
97 failureReason: { type: DataTypes.TEXT, allowNull: true },
98 // Bank/provider transaction reference, also used to reconcile the return file.
99 externalReference: { type: DataTypes.STRING(255), allowNull: true },
100 // Identifier of the collection file this debit was submitted in.
101 fileReference: { type: DataTypes.STRING(255), allowNull: true },
102 // Set when retries are exhausted — surfaces in the CRM for operator action.
103 flagged: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false },
104 metadata: { type: DataTypes.JSONB, allowNull: true },
105 createdAt: { type: DataTypes.DATE, allowNull: false },
106 updatedAt: { type: DataTypes.DATE, allowNull: false },
107 });
108 await context.addIndex('DirectDebitCollections', ['mandateId'], {
109 name: 'idx_direct_debit_collections_mandate',
110 });
111 await context.addIndex('DirectDebitCollections', ['organizationId', 'status'], {
112 name: 'idx_direct_debit_collections_org_status',
113 });
114 await context.addIndex('DirectDebitCollections', ['organizationId', 'status', 'scheduledFor'], {
115 name: 'idx_direct_debit_collections_org_status_scheduled',
116 });
117 await context.addIndex('DirectDebitCollections', ['externalReference'], {
118 name: 'idx_direct_debit_collections_external_ref',
119 });
120
121 // RLS — permissive template (unset GUC OR org match); safe-model WHERE is the
122 // primary filter. See src/db/AGENTS.md.
123 for (const table of rlsTables) {
124 await context.sequelize.query(`ALTER TABLE "${table}" ENABLE ROW LEVEL SECURITY`);
125 await context.sequelize.query(`ALTER TABLE "${table}" FORCE ROW LEVEL SECURITY`);
126 await context.sequelize.query(`DROP POLICY IF EXISTS tenant_isolation ON "${table}"`);
127 await context.sequelize.query(`
128 CREATE POLICY tenant_isolation ON "${table}"
129 FOR ALL
130 USING (
131 NULLIF(current_setting('app.current_organization', true), '') IS NULL
132 OR "organizationId" = NULLIF(current_setting('app.current_organization', true), '')::uuid
133 )
134 `);
135 await context.sequelize.query(`GRANT SELECT ON "${table}" TO dashboard_user`);
136 }
137 };
138
139 export const down: MigrationFn<QueryInterface> = async () => {
140 // Forward-only deployment
141 };
142 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/directDebitRoutes.ts"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/jobs/directDebitCollectionBatchJob.ts"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir.
{"command":"ls -la /Users/bakker/dev/gangkhar/ | grep -i \"462\""}drwxr-xr-x@ 45 bakker staff 1440 Jun 1 04:31 sherpa-api-api-462-nordic-bank-direct-debit-autogir drwxr-xr-x@ 30 bakker staff 960 Jun 1 04:31 sherpa-embed-api-462-nordic-bank-direct-debit-autogir drwxr-xr-x@ 55 bakker staff 1760 Jun 1 05:03 sherpa-portal-api-462-nordic-bank-direct-debit-autogir drwxr-xr-x@ 18 bakker staff 576 Jun 1 05:02 sherpa-test-api-462-nordic-bank-direct-debit-autogir
{"description":"Review portal+test direct-debit (round 2)","prompt":"Round-2 verification review of front-end + test for sherpa-api#462 (Nordic direct debit). Read ACTUAL file content (rg/fd, not grep/find).\n\nROUND-1 FIXES ALREADY APPLIED in /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir (verify correct, don't re-flag):\n- app/components/settings/PaymentProvidersTab.tsx line ~333: list now shows creditorId for autogiro/betalingsservice, connectedAccountId otherwise (via `(config.config as Record<string,string>|undefined)?.[...]`).\n- app/products/[id]/direct-debit/page.tsx: MANDATE_STATUS_CLASSES/COLLECTION_STATUS_CLASSES badge lookups now have `|| \"bg-gray-100 text-gray-800\"` fallback; handleScheduleCollection now sends `amount: Number(formAmount)` after validating it's a finite >0 number.\nPortal `npx tsc --noEmit` shows ZERO errors in these files (one unrelated pre-existing error remains in app/lens/optimizations/.../MABTimeSeriesChart.tsx — ignore it).\n\nFresh pass, focus HIGH/MEDIUM with file:line:\n1. **page.tsx full data-flow correctness** (read the whole file ~750 lines): \n - The aggregate-collections path (Promise.all over all mandates when none selected) — error handling, race conditions, does it set loading correctly, what if a product has many mandates?\n - All dialogs (create mandate, schedule collection, view file): are required fields validated before POST? Do selects use the right values? Country/currency defaults per provider applied?\n - Every api.post sends a body object (activate/revoke/retry → `{}`)? \n - Hooks: no conditional hook calls, deps arrays correct, no setState-after-unmount, params unwrap correct for Next 16?\n - After each mutation does the relevant list refetch?\n - Any place that renders `collection.amount` (string) doing string concatenation that's fine, or arithmetic that would break?\n2. **AppLayout.tsx**: confirm the productMenuItems entry shape matches siblings EXACTLY and \"direct-debit\" is in PRODUCT_PHASE_BY_KEY (both required). Confirm `productId` variable is in scope where the entry is defined.\n3. **types/directDebit.ts**: match API shapes; amount typed as string (response) — does page.tsx treat input amount correctly given the Number() fix?\n4. **PaymentProvidersTab.tsx**: Stripe flow fully intact? The creditorId field renders only for dd providers and saves to config.creditorId on create AND edit? Load path populates it when editing a dd provider?\n5. **test** tests/plus-insurance/09-direct-debit.spec.ts: still correct; assertions sound; resilient; the .env=4011 is correct for THIS worktree (the worktree's own api runs on 4011 — confirm this is right, not a regression).\n\nReport HIGH/MEDIUM/LOW with file:line + concrete fix. If clean say \"NO REMAINING HIGH OR MEDIUM ISSUES\". Do not modify files.","subagent_type":"Explore"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/directDebitRoutes.ts"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/jobs/directDebitCollectionBatchJob.ts"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/autogiro.ts"}1 // Autogiro (Bankgirot, Sweden) — file-based recurring direct debit.
2 //
3 // Implements the BankDirectDebitProvider contract with the Autogiro
4 // "Betalningsspecifikation" fixed-width 80-char record layout. Transaction
5 // codes (TK) follow the Bankgirot Autogiro spec: TK01 opening, TK04 new
6 // mandate, TK82 incoming debit, TK09 end. This is a faithful structural model
7 // of the rail (positional records, öre amounts, payer/Bankgiro numbers) — not a
8 // byte-certified bank submission, which would be finalized against Bankgirot's
9 // test environment during go-live.
10
11 import type {
12 AccountValidationResult,
13 BankAccount,
14 BankDirectDebitProvider,
15 CollectionFileEntry,
16 MandateFileEntry,
17 ReturnRecord,
18 } from './interface.js';
19 import { digitsOnly, fromMinorUnits, minorUnits, padRight, padZero, yyyymmdd } from './format.js';
20
21 const RECORD_WIDTH = 80;
22
23 function fit(line: string): string {
24 return padRight(line, RECORD_WIDTH);
25 }
26
27 export class AutogiroProvider implements BankDirectDebitProvider {
28 readonly key = 'autogiro';
29 readonly country = 'SE';
30 readonly scheme = 'Autogiro';
31
32 validateAccount(account: BankAccount): AccountValidationResult {
33 const errors: string[] = [];
34 if (account.country && account.country.toUpperCase() !== 'SE') {
35 errors.push(`Autogiro requires a Swedish (SE) account, got "${account.country}"`);
36 }
37 if (!account.accountHolder?.trim()) {
38 errors.push('accountHolder is required');
39 }
40 const clearing = digitsOnly(account.clearingNumber ?? '');
41 if (clearing.length < 4 || clearing.length > 5) {
42 errors.push('clearingNumber must be 4–5 digits (Swedish clearing number)');
43 }
44 const acc = digitsOnly(account.accountNumber ?? '');
45 if (acc.length < 7 || acc.length > 12) {
46 errors.push('accountNumber must be 7–12 digits');
47 }
48 return { valid: errors.length === 0, errors };
49 }
50
51 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string {
52 const lines: string[] = [];
53 // TK01 — opening record: date, "AUTOGIRO", payee Bankgiro number.
54 lines.push(fit(`01${yyyymmdd(new Date())}AUTOGIRO${padZero(digitsOnly(creditorId), 10)}MEDGIVANDE`));
55 for (const e of entries) {
56 // TK04 — new mandate (medgivande). Payer number defaults to our mandate
57 // reference when the payee hasn't assigned a separate Betalarnummer.
58 const payer = padRight(e.payerNumber || e.mandateReference, 16);
59 const clearing = padZero(digitsOnly(e.account.clearingNumber ?? ''), 5);
60 const acct = padZero(digitsOnly(e.account.accountNumber), 12);
61 const holder = padRight(e.account.accountHolder, 24);
62 lines.push(fit(`04${payer}${clearing}${acct}${holder}`));
63 }
64 return lines.join('\n') + '\n';
65 }
66
67 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string {
68 const lines: string[] = [];
69 lines.push(fit(`01${yyyymmdd(new Date())}AUTOGIRO${padZero(digitsOnly(creditorId), 10)}${padRight(fileReference, 12)}`));
70 let total = 0;
71 for (const e of entries) {
72 // TK82 — incoming debit. due date | payer number | amount (öre) |
73 // our external reference | free-text reference.
74 const due = yyyymmdd(e.dueDate);
75 const payer = padRight(e.payerNumber || e.mandateReference, 16);
76 const amount = minorUnits(e.amount, 12);
77 const ref = padRight(e.externalReference, 20);
78 const text = padRight(e.reference ?? '', 22);
79 lines.push(`82${due}${payer}${amount}${ref}${text}`);
80 total += Math.round(Number(e.amount) * 100);
81 }
82 // TK09 — end record: payee Bankgiro | record count | total (öre).
83 lines.push(fit(`09${padZero(digitsOnly(creditorId), 10)}${padZero(String(entries.length), 8)}${padZero(String(total), 18)}`));
84 return lines.join('\n') + '\n';
85 }
86
87 buildReturnFile(records: ReturnRecord[]): string {
88 // TK82 settlement/return: status "00" = settled, otherwise a reject code.
89 const lines = records.map((r) => {
90 const ref = padRight(r.externalReference, 35);
91 const status = r.outcome === 'settled' ? '00' : padZero(digitsOnly(r.reason ?? '') || '99', 2);
92 const amount = minorUnits(r.settledAmount ?? 0, 12);
93 const reason = padRight(r.outcome === 'settled' ? 'GODKAND' : (r.reason ?? 'AVVISAD'), 29);
94 return `82${ref}${status}${amount}${reason}`;
95 });
96 return lines.join('\n') + '\n';
97 }
98
99 parseReturnFile(content: string): ReturnRecord[] {
100 const records: ReturnRecord[] = [];
101 for (const raw of content.split(/\r?\n/)) {
102 if (!raw.startsWith('82')) continue;
103 const ref = raw.slice(2, 37).trim();
104 if (!ref) continue;
105 const status = raw.slice(37, 39).trim();
106 const amount = raw.slice(39, 51);
107 const reason = raw.slice(51).trim();
108 const settled = status === '00';
109 records.push({
110 externalReference: ref,
111 outcome: settled ? 'settled' : 'failed',
112 reason: settled ? undefined : reason || `reject ${status}`,
113 settledAmount: settled ? fromMinorUnits(amount) : undefined,
114 });
115 }
116 return records;
117 }
118 }
119 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx"}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { PlusCircle, Play, FileText, Flag } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import AppLayout from "@/app/components/AppLayout";
9 import { Button } from "@/app/components/ui/button";
10 import { Input } from "@/app/components/ui/input";
11 import {
12 Dialog,
13 DialogContent,
14 DialogDescription,
15 DialogFooter,
16 DialogHeader,
17 DialogTitle,
18 } from "@/app/components/ui/dialog";
19 import {
20 Select,
21 SelectContent,
22 SelectItem,
23 SelectTrigger,
24 SelectValue,
25 } from "@/app/components/ui/select";
26 import { showErrorToast, showSuccessToast } from "@/app/components/Toast";
27 import { ProtectedRoute } from "@/app/components/ProtectedRoute";
28 import { CRMOnlyRoute } from "@/app/components/UserTypeRoute";
29 import api from "@/app/src/utils/api";
30 import { ProductData } from "@/app/types/product";
31 import {
32 Collection,
33 CollectionRunResult,
34 DirectDebitProviderKey,
35 Mandate,
36 MandateFile,
37 } from "@/app/types/directDebit";
38
39 const PROVIDER_LABELS: Record<DirectDebitProviderKey, string> = {
40 autogiro: "Autogiro (SE)",
41 betalingsservice: "Betalingsservice (DK)",
42 };
43
44 const PROVIDER_DEFAULT_COUNTRY: Record<DirectDebitProviderKey, string> = {
45 autogiro: "SE",
46 betalingsservice: "DK",
47 };
48
49 const PROVIDER_DEFAULT_CURRENCY: Record<DirectDebitProviderKey, string> = {
50 autogiro: "SEK",
51 betalingsservice: "DKK",
52 };
53
54 const MANDATE_STATUS_CLASSES: Record<Mandate["status"], string> = {
55 pending: "bg-amber-100 text-amber-800",
56 active: "bg-green-100 text-green-800",
57 revoked: "bg-red-100 text-red-800",
58 };
59
60 const COLLECTION_STATUS_CLASSES: Record<Collection["status"], string> = {
61 scheduled: "bg-gray-100 text-gray-800",
62 submitted: "bg-blue-100 text-blue-800",
63 settled: "bg-green-100 text-green-800",
64 failed: "bg-red-100 text-red-800",
65 retrying: "bg-amber-100 text-amber-800",
66 cancelled: "bg-gray-100 text-gray-800",
67 };
68
69 const StatusBadge: React.FC<{ label: string; className: string }> = ({ label, className }) => (
70 <span
71 className={`inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium ${className}`}
72 >
73 {label}
74 </span>
75 );
76
77 function extractApiError(error: unknown, fallback: string): string {
78 const err = error as { response?: { data?: { error?: { message?: string }; message?: string } } };
79 return (
80 err?.response?.data?.error?.message || err?.response?.data?.message || fallback
81 );
82 }
83
84 export default function ProductDirectDebitPage({ params }: { params: { id: string } }) {
85 const t = useTranslation();
86 // Unwrap params using React.use() if it's a promise
87 const unwrappedParams = params instanceof Promise ? React.use(params) : params;
88 const productId = unwrappedParams?.id || "";
89
90 const [product, setProduct] = useState<ProductData | null>(null);
91 const [mandates, setMandates] = useState<Mandate[]>([]);
92 const [collections, setCollections] = useState<Collection[]>([]);
93 const [loading, setLoading] = useState(true);
94 const [error, setError] = useState<React.ReactNode | null>(null);
95 const [selectedMandateId, setSelectedMandateId] = useState<number | null>(null);
96 const [collectionsLoading, setCollectionsLoading] = useState(false);
97 const [running, setRunning] = useState(false);
98
99 // Create mandate dialog
100 const [mandateDialogOpen, setMandateDialogOpen] = useState(false);
101 const [mandateSaving, setMandateSaving] = useState(false);
102 const [formProvider, setFormProvider] = useState<DirectDebitProviderKey>("autogiro");
103 const [formAccountHolder, setFormAccountHolder] = useState("");
104 const [formCountry, setFormCountry] = useState("SE");
105 const [formClearingNumber, setFormClearingNumber] = useState("");
106 const [formAccountNumber, setFormAccountNumber] = useState("");
107 const [formBankName, setFormBankName] = useState("");
108
109 // Schedule collection dialog
110 const [collectionDialogOpen, setCollectionDialogOpen] = useState(false);
111 const [collectionSaving, setCollectionSaving] = useState(false);
112 const [formAmount, setFormAmount] = useState("");
113 const [formCurrency, setFormCurrency] = useState("SEK");
114
115 // View file dialog
116 const [fileDialogOpen, setFileDialogOpen] = useState(false);
117 const [fileLoading, setFileLoading] = useState(false);
118 const [mandateFile, setMandateFile] = useState<MandateFile | null>(null);
119
120 const selectedMandate = mandates.find((m) => m.id === selectedMandateId) || null;
121
122 const loadMandates = useCallback(async (): Promise<Mandate[]> => {
123 const res = await api.get(`/direct-debit/mandates?productId=${productId}`);
124 const list: Mandate[] = res.data.data || [];
125 setMandates(list);
126 return list;
127 }, [productId]);
128
129 // Collections are fetched per mandate (the API filters by mandateId). When a
130 // mandate is selected we fetch just its collections; otherwise we aggregate
131 // across every mandate of the product so the user sees a product-wide view.
132 const loadCollections = useCallback(
133 async (mandateList: Mandate[], mandateId: number | null) => {
134 setCollectionsLoading(true);
135 try {
136 const targets =
137 mandateId !== null
138 ? mandateList.filter((m) => m.id === mandateId)
139 : mandateList;
140 const responses = await Promise.all(
141 targets.map((m) => api.get(`/direct-debit/collections?mandateId=${m.id}`))
142 );
143 const merged = responses
144 .flatMap((res) => (res.data.data as Collection[]) || [])
145 .sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
146 setCollections(merged);
147 } catch (err) {
148 console.error("Error loading collections:", err);
149 showErrorToast(extractApiError(err, t("Failed to load collections")));
150 } finally {
151 setCollectionsLoading(false);
152 }
153 },
154 [t]
155 );
156
157 useEffect(() => {
158 if (!productId) {
159 setError(t("Invalid product ID"));
160 setLoading(false);
161 return;
162 }
163
164 const fetchData = async () => {
165 try {
166 setLoading(true);
167 const [productResponse, mandateList] = await Promise.all([
168 api.get(`/products/${productId}`),
169 loadMandates(),
170 ]);
171 setProduct(productResponse.data.data);
172 await loadCollections(mandateList, null);
173 } catch (err) {
174 console.error("Error fetching data:", err);
175 setError(t("Failed to load data"));
176 } finally {
177 setLoading(false);
178 }
179 };
180
181 fetchData();
182 // eslint-disable-next-line react-hooks/exhaustive-deps
183 }, [productId]);
184
185 const refresh = useCallback(
186 async (mandateId: number | null = selectedMandateId) => {
187 const list = await loadMandates();
188 await loadCollections(list, mandateId);
189 },
190 [loadMandates, loadCollections, selectedMandateId]
191 );
192
193 const handleSelectMandate = async (mandate: Mandate) => {
194 const next = selectedMandateId === mandate.id ? null : mandate.id;
195 setSelectedMandateId(next);
196 await loadCollections(mandates, next);
197 };
198
199 const openCreateMandate = () => {
200 setFormProvider("autogiro");
201 setFormAccountHolder("");
202 setFormCountry(PROVIDER_DEFAULT_COUNTRY.autogiro);
203 setFormClearingNumber("");
204 setFormAccountNumber("");
205 setFormBankName("");
206 setMandateDialogOpe{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx"}1 "use client";
2
3 import React, { useEffect, useState } from "react";
4
5 import Image from "next/image";
6 import Link from "next/link";
7 import { usePathname, useRouter, useSearchParams } from "next/navigation";
8
9 import {
10 Menu,
11 X,
12 XCircle,
13 User,
14 LogOut,
15 Settings,
16 Users,
17 ShoppingBag,
18 LayoutDashboard,
19 UserCircle,
20 FileText,
21 ClipboardList,
22 Calculator,
23 Shield,
24 ChevronLeft,
25 ChevronRight,
26 ChevronDown,
27 ArrowLeft,
28 Eye,
29 DollarSign,
30 Package,
31 FileCheck,
32 AlertCircle,
33 ScrollText,
34 Mail,
35 Tag,
36 Code,
37 Receipt,
38 BookOpen,
39 Layers,
40 Database,
41 FolderOpen,
42 Zap,
43 MessageCircle,
44 Server,
45 CreditCard,
46 } from "lucide-react";
47
48 import { useTranslation } from "@gangkharai/lmt/client";
49 import { EnhancedLocaleSwitcher } from "./EnhancedLocaleSwitcher";
50 import { LOCALE_LABELS } from "@/app/lib/supported-locales";
51 import { DevFlagsSummary } from "../dev/flags/components/DevFlagsSummary";
52 import { DevPreviewBadge } from "../dev/flags/components/DevPreviewBadge";
53 import { useDevFlags } from "../dev/flags/components/DevFlagsProvider";
54 import Loader from "./Loader";
55 import Toast, { showErrorToast } from "./Toast";
56 import { useAuth } from "../components/AuthProvider";
57 import { useOrganization } from "../components/OrganizationProvider";
58 import { usePermissions } from "../src/contexts/PermissionsContext";
59 import { PERMISSIONS } from "../types/permissions";
60 import { MenuItem, ProductGroup, NavigationMode } from "../types/navigation";
61 import { NavigationProvider } from "./navigation/NavigationContext";
62 import { useProductReadiness, SidebarKey } from "../src/hooks/useProductReadiness";
63 import { NavigationItem } from "./navigation/NavigationItem";
64 import { ProductGroupNav } from "./navigation/ProductGroupNav";
65 import { OrganizationSwitcherSection } from "./navigation/OrganizationSwitcherSection";
66 import { OrganizationContextBanner } from "./OrganizationContextBanner";
67 import { useAssistantSidebarStore } from "@/app/src/store/assistantSidebarStore";
68
69 interface AppLayoutProps {
70 children: React.ReactNode;
71 chatMode?: boolean;
72 }
73
74 const AppLayout: React.FC<AppLayoutProps> = ({ children, chatMode = false }) => {
75 const t = useTranslation();
76 const { user, logout } = useAuth();
77 const { organization } = useOrganization();
78 const { hasPermission } = usePermissions();
79 const { flags } = useDevFlags();
80 const router = useRouter();
81 const pathname = usePathname();
82 const searchParams = useSearchParams();
83 const [isSidebarCollapsed, setIsSidebarCollapsed] = useState(false);
84 const isAssistantOpen = useAssistantSidebarStore((s) => s.isOpen);
85 const assistantActive = flags.sherpaAssistant && isAssistantOpen;
86 const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
87 const [isProfileDropdownOpen, setIsProfileDropdownOpen] = useState(false);
88
89 useEffect(() => {
90 try {
91 const pending = sessionStorage.getItem("pendingErrorToast");
92 if (pending) {
93 showErrorToast(pending);
94 sessionStorage.removeItem("pendingErrorToast");
95 }
96 } catch {}
97 }, []);
98
99 useEffect(() => {
100 const sidebarWidth = isSidebarCollapsed ? 80 : 256;
101 document.documentElement.style.setProperty("--sidebar-width", `${sidebarWidth}px`);
102 }, [isSidebarCollapsed]);
103
104 // Route through AuthProvider.logout, which calls endSession({ captureIntent:
105 // false }) — the single termination path (§6.2). endSession does its own
106 // full-page navigation to /login, so no router.push afterwards.
107 const handleLogout = () => {
108 logout();
109 };
110
111 const hasAdminAccess = hasPermission(PERMISSIONS.organizations.manage_all.value);
112
113 // Shared items that appear above product groups (no label)
114 const topItems: MenuItem[] = [
115 ...(flags.chatV1 ? [{
116 name: t('Chat'),
117 href: "/chat",
118 icon: MessageCircle,
119 key: "chat",
120 badge: <DevPreviewBadge />
121 }] : []),
122 ];
123
124 // Product groups for normal mode navigation
125 const sherpaPlusItems: MenuItem[] = [
126 { name: t('Products'), href: "/products", icon: ShoppingBag, key: "products" },
127 {
128 name: t('Policy Management'),
129 href: "/policy-management",
130 icon: ClipboardList,
131 key: "policy-management",
132 },
133 { name: t('Customers'), href: "/customers", icon: Users, key: "customers" },
134 { name: t('Financials'), href: "/financials", icon: Calculator, key: "financials" },
135 ...(hasAdminAccess ? [{ name: t('Admin'), href: "/admin", icon: Users, key: "admin" }] : []),
136 ];
137
138 const sherpaLensItems: MenuItem[] = [
139 {
140 name: t('Optimizations'),
141 href: "/lens/optimizations",
142 icon: Zap,
143 key: "lens-optimizations",
144 },
145 ];
146
147 // Shared items (bottom group, no label)
148 const sharedItems: MenuItem[] = [
149 { name: t('Data'), href: "/data", icon: Database, key: "data" },
150 ...(flags.mcp ? [{
151 name: t('MCP'),
152 href: "/mcp",
153 icon: Server,
154 key: "mcp",
155 badge: <DevPreviewBadge />
156 }] : []),
157 ];
158
159 const productGroups: ProductGroup[] = [
160 { id: "top", name: null, items: topItems },
161 { id: "sherpa-plus", name: t('Sherpa Plus'), items: sherpaPlusItems },
162 ...(sherpaLensItems.length > 0
163 ? [{ id: "sherpa-lens", name: t('Sherpa Lens'), items: sherpaLensItems }]
164 : []),
165 ...(sharedItems.length > 0 ? [{ id: "shared", name: null, items: sharedItems }] : []),
166 ];
167
168 // Profile menu items (shown in footer dropdown)
169 const profileMenuItems: MenuItem[] = [
170 { name: t('Settings'), href: "/settings", icon: Settings, key: "settings" },
171 { name: t('Profile'), href: "/profile", icon: UserCircle, key: "profile" },
172 ];
173
174 const settingsItem = profileMenuItems.find((item) => item.key === "settings");
175 const profileItem = profileMenuItems.find((item) => item.key === "profile");
176
177 const toggleSidebar = () => {
178 setIsSidebarCollapsed(!isSidebarCollapsed);
179 };
180
181 const toggleMobileMenu = () => {
182 setIsMobileMenuOpen(!isMobileMenuOpen);
183 };
184
185 const toggleProfileDropdown = () => {
186 setIsProfileDropdownOpen(!isProfileDropdownOpen);
187 };
188
189 const productIdMatch = pathname.match(/^\/products\/(\d+)/);
190 const isProductContext = !!productIdMatch;
191 const productId = productIdMatch?.[1] || null;
192 const productIdForReadiness = productId ? parseInt(productId, 10) : null;
193 const { readiness: productReadiness } = useProductReadiness(productIdForReadiness);
194
195 if (!user) {
196 return <Loader />;
197 }
198
199 const bundleIdMatch = pathname.match(/^\/bundles\/(\d+)/);
200 const isBundleContext = !!bundleIdMatch;
201 const bundleId = bundleIdMatch?.[1] || null;
202
203 const isAdminContext = pathname === "/admin";
204 const isFinancialsContext = pathname.startsWith("/financials");
205
206 const navigationMode: NavigationMode = isProductContext
207 ? "product"
208 : isBundleContext
209 ? "bundle"
210 : isAdminContext
211 ? "admin"
212 : isFinancialsContext
213 ? "financials"
214 : "normal";
215
216 const navigationContextValue = {
217 pathname,
218 searchParams,
219 mode: navigationMode,
220 productId,
221 bundleId,
222 collapsed: isSidebarCollapsed,
223 };
224
225 const productMenuItems: MenuItem[] = [
226 {
227 name: t('Overview'),
228 href: `/products/${productId}`,
229 icon: Eye,
230 key: "o{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/types/directDebit.ts"}1 // Types for Nordic bank direct debit (Autogiro / Betalingsservice).
2 // Mirrors the sherpa-api /v1/plus/direct-debit contract.
3
4 export type DirectDebitProviderKey = "autogiro" | "betalingsservice";
5
6 export type MandateStatus = "pending" | "active" | "revoked";
7
8 export interface Mandate {
9 id: number;
10 providerKey: DirectDebitProviderKey;
11 productId: number;
12 status: MandateStatus;
13 country: string;
14 accountHolder: string;
15 clearingNumber: string | null;
16 accountNumber: string;
17 bankName: string | null;
18 mandateReference: string | null;
19 payerNumber: string | null;
20 signedAt: string | null;
21 activatedAt: string | null;
22 revokedAt: string | null;
23 failureReason: string | null;
24 createdAt: string;
25 }
26
27 export type CollectionStatus =
28 | "scheduled"
29 | "submitted"
30 | "settled"
31 | "failed"
32 | "retrying"
33 | "cancelled";
34
35 export interface Collection {
36 id: number;
37 mandateId: number;
38 policyOrderId: number | null;
39 providerKey: DirectDebitProviderKey;
40 amount: string;
41 currency: string;
42 status: CollectionStatus;
43 scheduledFor: string | null;
44 submittedAt: string | null;
45 settledAt: string | null;
46 retryCount: number;
47 maxRetries: number;
48 failureReason: string | null;
49 externalReference: string | null;
50 fileReference: string | null;
51 flagged: boolean;
52 createdAt: string;
53 }
54
55 export interface MandateFile {
56 fileReference: string;
57 content: string;
58 }
59
60 export interface CollectionRunResult {
61 submitted: number;
62 files: {
63 providerKey: DirectDebitProviderKey;
64 fileReference: string;
65 content: string;
66 count: number;
67 }[];
68 }
69
70 export interface SimulateReturnSummary {
71 settled: number;
72 failed: number;
73 retrying: number;
74 flagged: number;
75 unmatched: number;
76 }
77 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx"}1 "use client";
2
3 import React, { useCallback, useEffect, useState } from "react";
4
5 import { Plus, Pencil, Trash2, ChevronDown, ChevronRight } from "lucide-react";
6 import { useTranslation } from "@gangkharai/lmt/client";
7
8 import { Button } from "@/app/components/ui/button";
9 import {
10 Dialog,
11 DialogContent,
12 DialogFooter,
13 DialogHeader,
14 DialogTitle,
15 } from "@/app/components/ui/dialog";
16 import { Input } from "@/app/components/ui/input";
17 import { Switch } from "@/app/components/ui/switch";
18 import {
19 Select,
20 SelectContent,
21 SelectItem,
22 SelectTrigger,
23 SelectValue,
24 } from "@/app/components/ui/select";
25 import ConfirmDialog from "@/app/components/admin/ConfirmDialog";
26 import { showErrorToast, showSuccessToast } from "@/app/components/Toast";
27 import ProviderLogo from "@/app/components/payments/ProviderLogo";
28 import api from "@/app/src/utils/api";
29 import { PaymentProviderConfig, PaymentMethod, PayoutCadence, PayoutWeekday } from "@/app/types/paymentProvider";
30
31 const WEEKDAY_VALUES: PayoutWeekday[] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
32
33 const weekdayLabel = (value: PayoutWeekday, t: (s: string) => string): string => {
34 switch (value) {
35 case "mon": return t("Monday");
36 case "tue": return t("Tuesday");
37 case "wed": return t("Wednesday");
38 case "thu": return t("Thursday");
39 case "fri": return t("Friday");
40 case "sat": return t("Saturday");
41 case "sun": return t("Sunday");
42 }
43 };
44
45 const AVAILABLE_PROVIDERS = [
46 { key: "stripe", label: "Stripe" },
47 { key: "autogiro", label: "Autogiro (Sweden)" },
48 { key: "betalingsservice", label: "Betalingsservice (Denmark)" },
49 ];
50
51 // Direct-debit providers configured by a creditor identifier (Bankgiro number
52 // for Autogiro, PBS/creditor number for Betalingsservice) rather than a Stripe
53 // connected account.
54 const DIRECT_DEBIT_PROVIDER_KEYS = ["autogiro", "betalingsservice"];
55
56 const PaymentProvidersTab: React.FC = () => {
57 const t = useTranslation();
58 const [configs, setConfigs] = useState<PaymentProviderConfig[]>([]);
59 const [loading, setLoading] = useState(false);
60 const [formOpen, setFormOpen] = useState(false);
61 const [editing, setEditing] = useState<PaymentProviderConfig | null>(null);
62 const [deleteId, setDeleteId] = useState<number | null>(null);
63
64 const [formProviderKey, setFormProviderKey] = useState("stripe");
65 const [formConnectedAccountId, setFormConnectedAccountId] = useState("");
66 const [formCreditorId, setFormCreditorId] = useState("");
67 const [formActive, setFormActive] = useState(true);
68 const [formAutomaticPayoutEnabled, setFormAutomaticPayoutEnabled] = useState(false);
69 const [formPayoutCadence, setFormPayoutCadence] = useState<PayoutCadence>("immediate");
70 const [formPayoutWeeklyRunDay, setFormPayoutWeeklyRunDay] = useState<PayoutWeekday>("mon");
71 const [formPayoutWeeklyRunHour, setFormPayoutWeeklyRunHour] = useState(9);
72 const [saving, setSaving] = useState(false);
73
74 // Payment methods state per config
75 const [expandedConfigId, setExpandedConfigId] = useState<number | null>(null);
76 const [paymentMethods, setPaymentMethods] = useState<PaymentMethod[]>([]);
77 const [loadingMethods, setLoadingMethods] = useState(false);
78
79 const load = useCallback(async () => {
80 try {
81 setLoading(true);
82 const res = await api.get("/payment-provider-configs");
83 if (res.data.status === "success") {
84 setConfigs(res.data.data || []);
85 }
86 } catch (error) {
87 console.error("Error loading payment provider configs:", error);
88 showErrorToast(t("Failed to load payment providers"));
89 } finally {
90 setLoading(false);
91 }
92 }, [t]);
93
94 useEffect(() => {
95 load();
96 }, [load]);
97
98 const loadPaymentMethods = useCallback(async (configId: number) => {
99 try {
100 setLoadingMethods(true);
101 const res = await api.get(`/payment-provider-configs/${configId}/payment-methods`);
102 if (res.data.status === "success") {
103 setPaymentMethods(res.data.data || []);
104 }
105 } catch (error) {
106 console.error("Error loading payment methods:", error);
107 showErrorToast(t("Failed to load payment methods"));
108 } finally {
109 setLoadingMethods(false);
110 }
111 }, [t]);
112
113 const handleToggleExpand = (configId: number) => {
114 if (expandedConfigId === configId) {
115 setExpandedConfigId(null);
116 setPaymentMethods([]);
117 } else {
118 setExpandedConfigId(configId);
119 loadPaymentMethods(configId);
120 }
121 };
122
123 const handleToggleMethod = async (configId: number, method: PaymentMethod) => {
124 try {
125 await api.put(
126 `/payment-provider-configs/${configId}/payment-methods/${method.id}`,
127 { enabled: !method.enabled }
128 );
129 setPaymentMethods((prev) =>
130 prev.map((m) =>
131 m.id === method.id ? { ...m, enabled: !m.enabled } : m
132 )
133 );
134 showSuccessToast(
135 method.enabled
136 ? t("{name} disabled", { name: method.name })
137 : t("{name} enabled", { name: method.name })
138 );
139 } catch (error) {
140 console.error("Error toggling payment method:", error);
141 showErrorToast(t("Failed to update payment method"));
142 }
143 };
144
145 const openCreate = () => {
146 setEditing(null);
147 setFormProviderKey("stripe");
148 setFormConnectedAccountId("");
149 setFormCreditorId("");
150 setFormActive(true);
151 setFormAutomaticPayoutEnabled(false);
152 setFormPayoutCadence("immediate");
153 setFormPayoutWeeklyRunDay("mon");
154 setFormPayoutWeeklyRunHour(9);
155 setFormOpen(true);
156 };
157
158 const openEdit = (config: PaymentProviderConfig) => {
159 setEditing(config);
160 setFormProviderKey(config.providerKey);
161 setFormConnectedAccountId(config.config?.connectedAccountId || "");
162 setFormCreditorId(
163 typeof config.config?.creditorId === "string" ? config.config.creditorId : ""
164 );
165 setFormActive(config.active);
166 setFormAutomaticPayoutEnabled(Boolean(config.config?.automaticPayoutEnabled));
167 setFormPayoutCadence(config.config?.payoutCadence === "weekly" ? "weekly" : "immediate");
168 setFormPayoutWeeklyRunDay(
169 WEEKDAY_VALUES.find((v) => v === config.config?.payoutWeeklyRunDay) ?? "mon"
170 );
171 const hourRaw = config.config?.payoutWeeklyRunHour;
172 setFormPayoutWeeklyRunHour(typeof hourRaw === "number" && hourRaw >= 0 && hourRaw < 24 ? hourRaw : 9);
173 setFormOpen(true);
174 };
175
176 const isDirectDebitProvider = DIRECT_DEBIT_PROVIDER_KEYS.includes(formProviderKey);
177
178 const handleSave = async () => {
179 if (isDirectDebitProvider) {
180 if (!formCreditorId.trim()) {
181 showErrorToast(t("Creditor number (Bankgiro / PBS) is required"));
182 return;
183 }
184 } else if (!formConnectedAccountId.trim()) {
185 showErrorToast(t("Connected Account ID is required"));
186 return;
187 }
188
189 setSaving(true);
190 try {
191 const payload = isDirectDebitProvider
192 ? {
193 providerKey: formProviderKey,
194 config: {
195 creditorId: formCreditorId.trim(),
196 },
197 active: formActive,
198 }
199 : {
200 providerKey: formProviderKey,
201 config: {
202 connectedAccountId: formConnectedAccountId.trim(),
203 automaticPayoutEnabled: formAutomaticPayoutEnabled,
204 payoutCadence: formPayoutCadence,
205 payoutWee{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts"}1 // Betalingsservice (Nets / Mastercard Payment Services, Denmark) — file-based
2 // recurring direct debit.
3 //
4 // Implements the BankDirectDebitProvider contract with a fixed-width record
5 // layout modelled on the Betalingsservice "leverance" structure: a header
6 // (HD) carrying the creditor's PBS/debitor-group number, mandate records (MD),
7 // payment records (BT) with registreringsnummer + kontonummer + amount in øre,
8 // and a trailer (SL) with totals. As with the Autogiro connector this is a
9 // faithful structural model of the rail, to be byte-certified against the Nets
10 // test environment at go-live.
11
12 import type {
13 AccountValidationResult,
14 BankAccount,
15 BankDirectDebitProvider,
16 CollectionFileEntry,
17 MandateFileEntry,
18 ReturnRecord,
19 } from './interface.js';
20 import { digitsOnly, fromMinorUnits, minorUnits, padRight, padZero, yyyymmdd } from './format.js';
21
22 export class BetalingsserviceProvider implements BankDirectDebitProvider {
23 readonly key = 'betalingsservice';
24 readonly country = 'DK';
25 readonly scheme = 'Betalingsservice';
26
27 validateAccount(account: BankAccount): AccountValidationResult {
28 const errors: string[] = [];
29 if (account.country && account.country.toUpperCase() !== 'DK') {
30 errors.push(`Betalingsservice requires a Danish (DK) account, got "${account.country}"`);
31 }
32 if (!account.accountHolder?.trim()) {
33 errors.push('accountHolder is required');
34 }
35 const reg = digitsOnly(account.clearingNumber ?? '');
36 if (reg.length !== 4) {
37 errors.push('clearingNumber must be a 4-digit registreringsnummer');
38 }
39 const acc = digitsOnly(account.accountNumber ?? '');
40 if (acc.length < 1 || acc.length > 10) {
41 errors.push('accountNumber must be 1–10 digits (kontonummer)');
42 }
43 return { valid: errors.length === 0, errors };
44 }
45
46 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string {
47 const lines: string[] = [];
48 // HD — header: PBS/debitor-group number + delivery date.
49 lines.push(`HD${padZero(digitsOnly(creditorId), 15)}${yyyymmdd(new Date())}TILMELDING`);
50 for (const e of entries) {
51 // MD — new mandate (tilmelding). Debitor (payer) number defaults to our
52 // mandate reference. reg number (4) + account (10).
53 const payer = padRight(e.payerNumber || e.mandateReference, 15);
54 const reg = padZero(digitsOnly(e.account.clearingNumber ?? ''), 4);
55 const acct = padZero(digitsOnly(e.account.accountNumber), 10);
56 const holder = padRight(e.account.accountHolder, 32);
57 lines.push(`MD${payer}${reg}${acct}${holder}`);
58 }
59 return lines.join('\n') + '\n';
60 }
61
62 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string {
63 const lines: string[] = [];
64 lines.push(`HD${padZero(digitsOnly(creditorId), 15)}${yyyymmdd(new Date())}${padRight(fileReference, 12)}`);
65 let total = 0;
66 for (const e of entries) {
67 // BT — betaling (debit). due date | debitor number | reg | account |
68 // amount (øre) | external reference | free-text.
69 const due = yyyymmdd(e.dueDate);
70 const payer = padRight(e.payerNumber || e.mandateReference, 15);
71 const reg = padZero(digitsOnly(e.account.clearingNumber ?? ''), 4);
72 const acct = padZero(digitsOnly(e.account.accountNumber), 10);
73 const amount = minorUnits(e.amount, 13);
74 const ref = padRight(e.externalReference, 20);
75 const text = padRight(e.reference ?? '', 20);
76 lines.push(`BT${due}${payer}${reg}${acct}${amount}${ref}${text}`);
77 total += Math.round(Number(e.amount) * 100);
78 }
79 // SL — trailer: record count + total (øre).
80 lines.push(`SL${padZero(String(entries.length), 8)}${padZero(String(total), 18)}`);
81 return lines.join('\n') + '\n';
82 }
83
84 buildReturnFile(records: ReturnRecord[]): string {
85 // RT — return record. status "0000" = settled (gennemført), else reject.
86 const lines = records.map((r) => {
87 const ref = padRight(r.externalReference, 35);
88 const status = r.outcome === 'settled' ? '0000' : padZero(digitsOnly(r.reason ?? '') || '0099', 4);
89 const amount = minorUnits(r.settledAmount ?? 0, 13);
90 const reason = padRight(r.outcome === 'settled' ? 'GENNEMFOERT' : (r.reason ?? 'AFVIST'), 28);
91 return `RT${ref}${status}${amount}${reason}`;
92 });
93 return lines.join('\n') + '\n';
94 }
95
96 parseReturnFile(content: string): ReturnRecord[] {
97 const records: ReturnRecord[] = [];
98 for (const raw of content.split(/\r?\n/)) {
99 if (!raw.startsWith('RT')) continue;
100 const ref = raw.slice(2, 37).trim();
101 if (!ref) continue;
102 const status = raw.slice(37, 41).trim();
103 const amount = raw.slice(41, 54);
104 const reason = raw.slice(54).trim();
105 const settled = status === '0000';
106 records.push({
107 externalReference: ref,
108 outcome: settled ? 'settled' : 'failed',
109 reason: settled ? undefined : reason || `reject ${status}`,
110 settledAmount: settled ? fromMinorUnits(amount) : undefined,
111 });
112 }
113 return records;
114 }
115 }
116 {"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes -name \"*direct*\" -type f"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/jobs -name \"*direct*\" -type f"}find: /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/jobs: No such file or directory
{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir -name \"09-direct-debit.spec.ts\" -type f"}(Bash completed with no output)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts"}1 import type { FastifyPluginAsync, FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
2 import { StatusError } from '@/error/error.js';
3 import { DirectDebitMandate } from '@/models/DirectDebitMandate.js';
4 import { DirectDebitCollection } from '@/models/DirectDebitCollection.js';
5 import {
6 createMandate,
7 activateMandate,
8 revokeMandate,
9 buildMandateFile,
10 scheduleCollection,
11 submitDueCollections,
12 buildCurrentCollectionFile,
13 retryCollection,
14 ingestReturnFile,
15 simulateReturnForCollection,
16 } from '@/services/directDebitService.js';
17
18 const TAG = 'Sherpa Plus — Direct Debit';
19 const PROVIDER_KEYS = ['autogiro', 'betalingsservice'];
20
21 function requireOrg(request: FastifyRequest): string {
22 const organizationId = request.userAuth?.organizationId;
23 if (!organizationId) {
24 throw new StatusError(401, 'Organization context required');
25 }
26 return organizationId;
27 }
28
29 const directDebitRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
30 fastify.addHook('preHandler', fastify.authenticate);
31
32 // ── Mandates ────────────────────────────────────────────────────────────────
33
34 fastify.get('/mandates', {
35 schema: {
36 description: 'List direct-debit mandates for the authenticated organization. Optional filters: status (pending/active/revoked), providerKey, productId.',
37 tags: [TAG],
38 security: [{ clientCredentials: [] }],
39 querystring: {
40 type: 'object',
41 properties: {
42 status: { type: 'string', enum: ['pending', 'active', 'revoked'] },
43 providerKey: { type: 'string', enum: PROVIDER_KEYS },
44 productId: { type: 'integer' },
45 },
46 },
47 },
48 }, async (request: FastifyRequest<{ Querystring: { status?: string; providerKey?: string; productId?: number } }>) => {
49 const organizationId = requireOrg(request);
50 const where: Record<string, unknown> = {};
51 if (request.query.status) where.status = request.query.status;
52 if (request.query.providerKey) where.providerKey = request.query.providerKey;
53 if (request.query.productId) where.productId = request.query.productId;
54
55 const data = await DirectDebitMandate.findAll({ organizationId }, {
56 where,
57 order: [['createdAt', 'DESC']],
58 });
59 return { status: 'success', data };
60 });
61
62 fastify.get('/mandates/:id', {
63 schema: {
64 description: 'Fetch a single direct-debit mandate by ID, scoped to the authenticated organization.',
65 tags: [TAG],
66 security: [{ clientCredentials: [] }],
67 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
68 },
69 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
70 const organizationId = requireOrg(request);
71 const mandate = await DirectDebitMandate.findByPk({ organizationId }, request.params.id);
72 if (!mandate) throw new StatusError(404, 'Mandate not found');
73 return { status: 'success', data: mandate };
74 });
75
76 fastify.post('/mandates', {
77 schema: {
78 description: 'Create a direct-debit mandate. Validates the bank account against the provider scheme rules (Autogiro SE / Betalingsservice DK) and stores it pending bank confirmation.',
79 tags: [TAG],
80 security: [{ clientCredentials: [] }],
81 body: {
82 type: 'object',
83 required: ['providerKey', 'productId', 'accountHolder', 'country', 'accountNumber'],
84 properties: {
85 providerKey: { type: 'string', enum: PROVIDER_KEYS },
86 productId: { type: 'integer' },
87 customerId: { type: 'string', format: 'uuid' },
88 accountHolder: { type: 'string', minLength: 1 },
89 country: { type: 'string', minLength: 2, maxLength: 2 },
90 clearingNumber: { type: 'string' },
91 accountNumber: { type: 'string', minLength: 1 },
92 bankName: { type: 'string' },
93 },
94 },
95 },
96 }, async (request: FastifyRequest<{ Body: {
97 providerKey: string; productId: number; customerId?: string; accountHolder: string;
98 country: string; clearingNumber?: string; accountNumber: string; bankName?: string;
99 } }>, reply: FastifyReply) => {
100 const organizationId = requireOrg(request);
101 const mandate = await createMandate(organizationId, request.body);
102 return reply.code(201).send({ status: 'success', data: mandate });
103 });
104
105 fastify.get('/mandates/:id/file', {
106 schema: {
107 description: 'Generate the bank mandate-request file content for a mandate (Autogiro/Betalingsservice fixed-width format).',
108 tags: [TAG],
109 security: [{ clientCredentials: [] }],
110 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
111 },
112 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
113 const organizationId = requireOrg(request);
114 const file = await buildMandateFile(organizationId, request.params.id);
115 return { status: 'success', data: file };
116 });
117
118 fastify.post('/mandates/:id/activate', {
119 schema: {
120 description: 'Activate a mandate after the bank has confirmed it. Optionally records the bank-assigned payer number.',
121 tags: [TAG],
122 security: [{ clientCredentials: [] }],
123 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
124 body: { type: 'object', properties: { payerNumber: { type: 'string' } } },
125 },
126 }, async (request: FastifyRequest<{ Params: { id: string }; Body: { payerNumber?: string } }>) => {
127 const organizationId = requireOrg(request);
128 const mandate = await activateMandate(organizationId, request.params.id, request.body?.payerNumber);
129 return { status: 'success', data: mandate };
130 });
131
132 fastify.post('/mandates/:id/revoke', {
133 schema: {
134 description: 'Revoke a mandate. No further collections can be scheduled against it.',
135 tags: [TAG],
136 security: [{ clientCredentials: [] }],
137 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
138 },
139 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
140 const organizationId = requireOrg(request);
141 const mandate = await revokeMandate(organizationId, request.params.id);
142 return { status: 'success', data: mandate };
143 });
144
145 // ── Collections ─────────────────────────────────────────────────────────────
146
147 fastify.get('/collections', {
148 schema: {
149 description: 'List direct-debit collections. Optional filters: mandateId, status, providerKey.',
150 tags: [TAG],
151 security: [{ clientCredentials: [] }],
152 querystring: {
153 type: 'object',
154 properties: {
155 mandateId: { type: 'string' },
156 status: { type: 'string', enum: ['scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'] },
157 providerKey: { type: 'string', enum: PROVIDER_KEYS },
158 },
159 },
160 },
161 }, async (request: FastifyRequest<{ Querystring: { mandateId?: string; status?: string; providerKey?: string } }>) => {
162 const organizationId = requireOrg(request);
163 const where: Record<string, unknown> = {};
164 if (request.query.mandateId) where.mandateId = request.query.mandateId;
165 if (request.query.status) where.status = request.query.status;
166 if (request.query.providerKey) where.providerKey = request.query.providerKey;
167
168 const data = await DirectDebitCollection.findAll({ organizationId }, {
169 where,
170 order: [['createdAt', 'DESC']],
171 });
172 return { status: 'success', dat{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -path \"*job*\" -name \"*direct*\" -type f"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -name \"*directDebitCollection*\" -type f"}{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir -path \"*/tests/*\" -name \"*direct*\" -type f 2>/dev/null"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts
(Bash completed with no output)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts"}{"command":"find /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir -type d -name tests"}1 import { Organization } from '@/models/Organization.js';
2 import { jobQueue } from '@/services/jobQueue.js';
3 import { submitDueCollections } from '@/services/directDebitService.js';
4 import logger from '@/logger.js';
5
6 const JOB_TYPE = 'direct_debit_collection_batch';
7
8 /**
9 * Hourly picker for due direct-debit collections. Runs per-org so RLS context is
10 * enforced on every read (same pattern as claim-payout-batch). Submitting due
11 * collections is idempotent at the row level — submitDueCollections only moves
12 * SCHEDULED/RETRYING rows whose scheduledFor has passed, so a missed fire or a
13 * worker restart self-heals on the next run.
14 */
15 async function handleDirectDebitCollectionBatch() {
16 const organizations = await Organization.findAll({ attributes: ['id'] });
17 let totalSubmitted = 0;
18
19 for (const org of organizations) {
20 try {
21 const files = await submitDueCollections(org.id);
22 totalSubmitted += files.reduce((sum, f) => sum + f.count, 0);
23 } catch (err) {
24 logger.error(
25 { organizationId: org.id, err: err instanceof Error ? err.message : String(err) },
26 'Direct-debit collection batch: failed to process organization',
27 );
28 }
29 }
30
31 if (totalSubmitted > 0) {
32 logger.info(
33 { count: totalSubmitted, orgCount: organizations.length },
34 'Direct-debit collection batch: submitted due collections',
35 );
36 }
37 }
38
39 export function registerDirectDebitCollectionBatchJob() {
40 jobQueue.register(JOB_TYPE, handleDirectDebitCollectionBatch, {
41 concurrency: 1,
42 defaultJobOptions: {
43 attempts: 3,
44 backoff: { type: 'exponential', delay: 30_000 },
45 removeOnComplete: { age: 24 * 3600, count: 100 },
46 removeOnFail: { age: 7 * 24 * 3600 },
47 },
48 });
49 }
50
51 /**
52 * Start the recurring schedule. Safe to call multiple times — BullMQ dedupes by
53 * jobId. Call once on worker startup.
54 */
55 export async function scheduleDirectDebitCollectionBatch() {
56 await jobQueue.scheduleRepeating(
57 JOB_TYPE,
58 {},
59 '0 * * * *', // every hour on the hour, UTC
60 `${JOB_TYPE}:hourly`,
61 );
62 }
63 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/format.ts"}/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/zod/src/v4/core/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/zod/src/v4/mini/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/zod/src/v4/classic/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/zod/src/v3/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/assistant-cloud/dist/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/assistant-cloud/src/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/papaparse/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/@assistant-ui/core/src/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/@assistant-ui/react/dist/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/@assistant-ui/react/src/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/fraction.js/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/string.prototype.includes/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/string.prototype.repeat/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/events/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/recharts/node_modules/@reduxjs/toolkit/src/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/recharts/node_modules/@reduxjs/toolkit/src/dynamicMiddleware/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/recharts/node_modules/@reduxjs/toolkit/src/query/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/recharts/node_modules/@reduxjs/toolkit/src/listenerMiddleware/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/node_modules/recharts/node_modules/@reduxjs/toolkit/src/entities/tests /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/tests
1 // Shared fixed-width formatting helpers for the Nordic direct-debit file formats.
2 // Both Autogiro and Betalingsservice are positional fixed-width text rails, so
3 // the connectors share these primitives. Pure functions — no side effects.
4
5 /** Right-pad with spaces (truncating if longer) to a fixed width. */
6 export function padRight(value: string, width: number): string {
7 const v = value ?? '';
8 return v.length >= width ? v.slice(0, width) : v + ' '.repeat(width - v.length);
9 }
10
11 /** Left-pad with zeros (truncating the most-significant side if longer). */
12 export function padZero(value: string, width: number): string {
13 const v = (value ?? '').replace(/\s+/g, '');
14 return v.length >= width ? v.slice(v.length - width) : '0'.repeat(width - v.length) + v;
15 }
16
17 /** Format a major-unit amount as zero-padded minor units (öre/øre). */
18 export function minorUnits(amount: number, width: number): string {
19 const minor = Math.round(Number(amount) * 100);
20 if (!Number.isFinite(minor) || minor < 0) {
21 throw new Error(`Invalid amount for direct-debit file: ${amount}`);
22 }
23 return padZero(String(minor), width);
24 }
25
26 /** Parse zero-padded minor units back into a major-unit amount. */
27 export function fromMinorUnits(raw: string): number {
28 const minor = parseInt(raw.trim() || '0', 10);
29 return Math.round(minor) / 100;
30 }
31
32 /** Format a date as YYYYMMDD (UTC). */
33 export function yyyymmdd(date: Date): string {
34 const y = date.getUTCFullYear().toString().padStart(4, '0');
35 const m = (date.getUTCMonth() + 1).toString().padStart(2, '0');
36 const d = date.getUTCDate().toString().padStart(2, '0');
37 return `${y}${m}${d}`;
38 }
39
40 /** Keep only digits (used to normalise clearing/account numbers). */
41 export function digitsOnly(value: string): string {
42 return (value ?? '').replace(/\D/g, '');
43 }
44 {"command":"ls -la /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/tests/"}total 64 drwxr-xr-x@ 6 bakker staff 192 Jun 1 04:31 . drwxr-xr-x@ 55 bakker staff 1760 Jun 1 05:03 .. -rw-r--r--@ 1 bakker staff 12370 Jun 1 04:31 commission-overview.test.ts drwxr-xr-x@ 4 bakker staff 128 Jun 1 04:31 fixtures -rw-r--r--@ 1 bakker staff 9191 Jun 1 04:31 rollup-ordering.test.ts -rw-r--r--@ 1 bakker staff 40 Jun 1 04:31 runner.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/interface.ts"}1 // ─────────────────────────────────────────────────────────────────────────────
2 // Bank direct-debit connectors (Nordic rails: Autogiro SE, Betalingsservice DK).
3 //
4 // These are STATELESS, like the card-provider connectors in ../providers: they
5 // receive plain data and return file content / parsed records. They never touch
6 // the database or import models — orchestration (mandates, scheduling, retries,
7 // reconciliation) lives in src/services/directDebitService.ts.
8 //
9 // The schemes are file-based batch rails, not real-time APIs: we GENERATE a
10 // mandate-request file and a collection (payment) file to send to the bank, and
11 // CONSUME a return/settlement file the bank sends back. `buildReturnFile` exists
12 // so dev/test (and the CRM "simulate" action) can synthesise a bank response;
13 // production ingests the bank's own file through `parseReturnFile`.
14 // ─────────────────────────────────────────────────────────────────────────────
15
16 export interface BankAccount {
17 country: string;
18 // SE: clearing number (4–5 digits). DK: registreringsnummer (4 digits).
19 clearingNumber?: string | null;
20 accountNumber: string;
21 accountHolder: string;
22 }
23
24 export interface AccountValidationResult {
25 valid: boolean;
26 errors: string[];
27 }
28
29 export interface MandateFileEntry {
30 mandateReference: string;
31 payerNumber?: string | null;
32 account: BankAccount;
33 }
34
35 export interface CollectionFileEntry {
36 // Unique per debit — written into the file and echoed back in the return file.
37 externalReference: string;
38 mandateReference: string;
39 payerNumber?: string | null;
40 account: BankAccount;
41 amount: number; // major units, e.g. 199.00
42 currency: string;
43 dueDate: Date;
44 reference?: string; // free-text payment reference (e.g. policy id)
45 }
46
47 export type ReturnOutcome = 'settled' | 'failed';
48
49 export interface ReturnRecord {
50 externalReference: string;
51 outcome: ReturnOutcome;
52 reason?: string;
53 settledAmount?: number;
54 }
55
56 export interface BankDirectDebitProvider {
57 readonly key: string;
58 readonly country: string;
59 readonly scheme: string;
60
61 validateAccount(account: BankAccount): AccountValidationResult;
62
63 // Outbound: file sent to the bank to register new mandates. `creditorId` is
64 // the payee identity from org config (SE Bankgiro number / DK PBS number).
65 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string;
66
67 // Outbound: file sent to the bank requesting the listed debits.
68 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string;
69
70 // Outbound (dev/test/simulation only): synthesise a bank return file.
71 buildReturnFile(records: ReturnRecord[]): string;
72
73 // Inbound: parse the bank's return/settlement file into normalized records.
74 parseReturnFile(content: string): ReturnRecord[];
75 }
76 {"command":"find /Users/bakker/dev/gangkhar -name \"*09-direct-debit*\" -type f 2>/dev/null | head -20"}{"command":"grep -n \"submitDueCollections\\|RETRYING\\|externalReference\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | head -40"}260: externalReference: collection.externalReference!,
273: * mark them SUBMITTED. "Due" = SCHEDULED or RETRYING with scheduledFor <= now.
277:export async function submitDueCollections(
290: status: { [Op.in]: [CollectionStatus.SCHEDULED, CollectionStatus.RETRYING] },
312: const externalReference = generateReference(key, 'COL');
316: externalReference,
371: status: CollectionStatus.RETRYING,
405: externalPaymentRef: collection.externalReference,
434: where: { externalReference: record.externalReference },
437: summary.unmatched.push(record.externalReference);
466: status: CollectionStatus.RETRYING,
524: if (!collection.externalReference) {
530: externalReference: collection.externalReference,{"command":"grep -n \"metadata:\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}134: metadata: input.metadata ?? null,
473: metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry },{"command":"grep -n \"Number(\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}232: const amount = Number(input.amount); 264: amount: Number(collection.amount), 533: settledAmount: outcome === 'settled' ? Number(collection.amount) : undefined,
{"command":"cat > /tmp/verify_widths.txt << 'EOF'\nAUTOGIRO (autogiro.ts):\nTK01 opening: 01 + YYYYMMDD(8) + \"AUTOGIRO\"(8) + creditorId_padZero(10) + \"MEDGIVANDE\"(10) = 2+8+8+10+10 = 38 chars\nTK04 mandate: 04 + payer_padRight(16) + clearing_padZero(5) + acct_padZero(12) + holder_padRight(24) = 2+16+5+12+24 = 59 chars, fit() pads to 80\nTK82 debit: 82 + due_YYYYMMDD(8) + payer_padRight(16) + amount_padZero(12) + ref_padRight(20) + text_padRight(22) = 2+8+16+12+20+22 = 80 chars (exact)\nTK09 end: 09 + creditorId_padZero(10) + count_padZero(8) + total_padZero(18) = 2+10+8+18 = 38 chars, fit() pads to 80\n\nbuildReturnFile TK82: 82 + ref_padRight(35) + status_padZero(2) + amount_padZero(12) + reason_padRight(29) = 2+35+2+12+29 = 80 chars (exact)\n\nparseReturnFile slicing:\n ref = raw.slice(2, 37) → [2,37) = 35 chars ✓\n status = raw.slice(37, 39) → [37,39) = 2 chars ✓\n amount = raw.slice(39, 51) → [39,51) = 12 chars ✓\n reason = raw.slice(51) → [51,80) = 29 chars ✓\n\nBETALINGSSERVICE (betalingsservice.ts):\nHD header: HD + creditorId_padZero(15) + YYYYMMDD(8) + \"TILMELDING\"(10) = 2+15+8+10 = 35 chars\nMD mandate: MD + payer_padRight(15) + reg_padZero(4) + acct_padZero(10) + holder_padRight(32) = 2+15+4+10+32 = 63 chars\nBT debit: BT + due_YYYYMMDD(8) + payer_padRight(15) + reg_padZero(4) + acct_padZero(10) + amount_padZero(13) + ref_padRight(20) + text_padRight(20) = 2+8+15+4+10+13+20+20 = 92 chars (EXCEEDS LINE!)\nSL trailer: SL + count_padZero(8) + total_padZero(18) = 2+8+18 = 28 chars\n\nbuildReturnFile RT: RT + ref_padRight(35) + status_padZero(4) + amount_padZero(13) + reason_padRight(28) = 2+35+4+13+28 = 82 chars (EXCEEDS 80!)\n\nparseReturnFile slicing:\n ref = raw.slice(2, 37) → [2,37) = 35 chars ✓\n status = raw.slice(37, 41) → [37,41) = 4 chars ✓\n amount = raw.slice(41, 54) → [41,54) = 13 chars ✓\n reason = raw.slice(54) → [54,82) = 28 chars ✓\nEOF\ncat /tmp/verify_widths.txt\n"}AUTOGIRO (autogiro.ts): TK01 opening: 01 + YYYYMMDD(8) + "AUTOGIRO"(8) + creditorId_padZero(10) + "MEDGIVANDE"(10) = 2+8+8+10+10 = 38 chars TK04 mandate: 04 + payer_padRight(16) + clearing_padZero(5) + acct_padZero(12) + holder_padRight(24) = 2+16+5+12+24 = 59 chars, fit() pads to 80 TK82 debit: 82 + due_YYYYMMDD(8) + payer_padRight(16) + amount_padZero(12) + ref_padRight(20) + text_padRight(22) = 2+8+16+12+20+22 = 80 chars (exact) TK09 end: 09 + creditorId_padZero(10) + count_padZero(8) + total_padZero(18) = 2+10+8+18 = 38 chars, fit() pads to 80 buildReturnFile TK82: 82 + ref_padRight(35) + status_padZero(2) + amount_padZero(12) + reason_padRight(29) = 2+35+2+12+29 = 80 chars (exact) parseReturnFile slicing: ref = raw.slice(2, 37) → [2,37) = 35 chars ✓ status = raw.slice(37, 39) → [37,39) = 2 chars ✓ amount = raw.slice(39, 51) → [39,51) = 12 chars ✓ reason = raw.slice(51) → [51,80) = 29 chars ✓ BETALINGSSERVICE (betalingsservice.ts): HD header: HD + creditorId_padZero(15) + YYYYMMDD(8) + "TILMELDING"(10) = 2+15+8+10 = 35 chars MD mandate: MD + payer_padRight(15) + reg_padZero(4) + acct_padZero(10) + holder_padRight(32) = 2+15+4+10+32 = 63 chars BT debit: BT + due_YYYYMMDD(8) + payer_padRight(15) + reg_padZero(4) + acct_padZero(10) + amount_padZero(13) + ref_padRight(20) + text_padRight(20) = 2+8+15+4+10+13+20+20 = 92 chars (EXCEEDS LINE!) SL trailer: SL + count_padZero(8) + total_padZero(18) = 2+8+18 = 28 chars buildReturnFile RT: RT + ref_padRight(35) + status_padZero(4) + amount_padZero(13) + reason_padRight(28) = 2+35+4+13+28 = 82 chars (EXCEEDS 80!) parseReturnFile slicing: ref = raw.slice(2, 37) → [2,37) = 35 chars ✓ status = raw.slice(37, 41) → [37,41) = 4 chars ✓ amount = raw.slice(41, 54) → [41,54) = 13 chars ✓ reason = raw.slice(54) → [54,82) = 28 chars ✓
{"command":"sed -n '66,76p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts"} for (const e of entries) {
// BT — betaling (debit). due date | debitor number | reg | account |
// amount (øre) | external reference | free-text.
const due = yyyymmdd(e.dueDate);
const payer = padRight(e.payerNumber || e.mandateReference, 15);
const reg = padZero(digitsOnly(e.account.clearingNumber ?? ''), 4);
const acct = padZero(digitsOnly(e.account.accountNumber), 10);
const amount = minorUnits(e.amount, 13);
const ref = padRight(e.externalReference, 20);
const text = padRight(e.reference ?? '', 20);
lines.push(`BT${due}${payer}${reg}${acct}${amount}${ref}${text}`);{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -name \"*.md\" -o -name \"*.txt\" | xargs grep -l \"Betalingsservice\\|betalingsservice\" 2>/dev/null | head -5"}(Bash completed with no output)
{"command":"sed -n '96,114p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts"} parseReturnFile(content: string): ReturnRecord[] {
const records: ReturnRecord[] = [];
for (const raw of content.split(/\r?\n/)) {
if (!raw.startsWith('RT')) continue;
const ref = raw.slice(2, 37).trim();
if (!ref) continue;
const status = raw.slice(37, 41).trim();
const amount = raw.slice(41, 54);
const reason = raw.slice(54).trim();
const settled = status === '0000';
records.push({
externalReference: ref,
outcome: settled ? 'settled' : 'failed',
reason: settled ? undefined : reason || `reject ${status}`,
settledAmount: settled ? fromMinorUnits(amount) : undefined,
});
}
return records;
}{"command":"sed -n '84,94p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts"} buildReturnFile(records: ReturnRecord[]): string {
// RT — return record. status "0000" = settled (gennemført), else reject.
const lines = records.map((r) => {
const ref = padRight(r.externalReference, 35);
const status = r.outcome === 'settled' ? '0000' : padZero(digitsOnly(r.reason ?? '') || '0099', 4);
const amount = minorUnits(r.settledAmount ?? 0, 13);
const reason = padRight(r.outcome === 'settled' ? 'GENNEMFOERT' : (r.reason ?? 'AFVIST'), 28);
return `RT${ref}${status}${amount}${reason}`;
});
return lines.join('\n') + '\n';
}{"command":"grep -n \"\\.update\\|\\.create\\|await\\|Promise\\|findAll\\|findOne\\|findByPk\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | head -50"}59:async function resolveCreditorId(ctx: Ctx, providerKey: string): Promise<string> {
60: const config = await PaymentProviderConfig.findOne(ctx, {
104:): Promise<DirectDebitMandate> {
120: const mandate = await DirectDebitMandate.create(ctx, {
144:async function loadMandate(ctx: Ctx, mandateId: string): Promise<DirectDebitMandate> {
145: const mandate = await DirectDebitMandate.findByPk(ctx, mandateId);
161:): Promise<DirectDebitMandate> {
163: const mandate = await loadMandate(ctx, mandateId);
167: await mandate.update({
180:): Promise<DirectDebitMandate> {
182: const mandate = await loadMandate(ctx, mandateId);
186: await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
195:): Promise<{ fileReference: string; content: string }> {
197: const mandate = await loadMandate(ctx, mandateId);
199: const creditorId = await resolveCreditorId(ctx, mandate.providerKey);
226:): Promise<DirectDebitCollection> {
228: const mandate = await loadMandate(ctx, input.mandateId);
240: const collection = await DirectDebitCollection.create(ctx, {
280:): Promise<{ providerKey: string; fileReference: string; content: string; count: number }[]> {
287: const due = await DirectDebitCollection.findAll(ctx, {
298: const creditorId = await resolveCreditorId(ctx, key);
303: const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
305: await collection.update({
313: await collection.update({
339:): Promise<{ fileReference: string; content: string; count: number }> {
342: const submitted = await DirectDebitCollection.findAll(ctx, {
347: const creditorId = await resolveCreditorId(ctx, providerKey);
351: const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
361:): Promise<DirectDebitCollection> {
363: const collection = await DirectDebitCollection.findByPk(ctx, collectionId);
370: await collection.update({
398:): Promise<void> {
401: const policyOrder = await PolicyOrder.findByPk(ctx, collection.policyOrderId);
408: const category = await getCategoryForCode(ctx.organizationId, policyOrder.status);
410: update.status = await getDefaultCodeForCategory(
415: await policyOrder.update(update);
432:): Promise<void> {
433: const collection = await DirectDebitCollection.findOne(ctx, {
440: // A return record is only meaningful for a collection awaiting settlement
450: await collection.update({
456: await reconcileSettlementToPolicy(ctx, collection);
465: await collection.update({
477: await collection.update({
496:): Promise<IngestSummary> {
502: await applyReturnRecord(ctx, record, summary);
518:): Promise<IngestSummary> {
520: const collection = await DirectDebitCollection.findByPk(ctx, collectionId);{"command":"sed -n '301,320p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"} for (const collection of due) {
const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
await collection.update({
status: CollectionStatus.FAILED,
failureReason: 'Mandate is not active',
flagged: true,
});
continue;
}
const externalReference = generateReference(key, 'COL');
await collection.update({
status: CollectionStatus.SUBMITTED,
submittedAt: new Date(),
externalReference,
fileReference,
failureReason: null,
});
entries.push(toFileEntry(collection, mandate));/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts
{"command":"grep -r \"revokeMandate\\|REVOKED\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src --include=\"*.ts\" | grep -v \".test\\|model\\|interface\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts: revokeMandate,
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts: const mandate = await revokeMandate(organizationId, request.params.id);
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts: if (mandate.status === MandateStatus.REVOKED) {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts:export async function revokeMandate(
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts: if (mandate.status === MandateStatus.REVOKED) {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts: await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts"}1 import { test, expect } from '@playwright/test';
2 import { ApiClient } from './helpers/api-client';
3 import { getApiUrl } from '../utils/urls';
4
5 const API_URL = getApiUrl();
6 const CLIENT_ID = process.env.SHERPA_TEST_CLIENT_ID!;
7 const CLIENT_SECRET = process.env.SHERPA_TEST_CLIENT_SECRET!;
8
9 /**
10 * Nordic bank direct debit (Autogiro / Betalingsservice) — sherpa-api#462.
11 *
12 * Covers the /v1/plus/direct-debit surface end-to-end against a live API:
13 * - Provider configuration (Autogiro), tolerant of an already-configured org.
14 * - Account validation for Betalingsservice (DK registreringsnummer = 4 digits).
15 * - Recurring collection happy path: mandate → activate → file → schedule →
16 * run → simulate settled return.
17 * - Retry + flag path: a failed return retries up to maxRetries, then flags
18 * the collection as permanently failed.
19 *
20 * Every POST sends a JSON body (>= {}) because the shared ApiClient always sets
21 * Content-Type: application/json; a bodyless POST would 400.
22 */
23
24 /** Fetch a usable productId from the test organization. */
25 async function getProductId(api: ApiClient): Promise<number> {
26 const res = await api.get('/v1/plus/products');
27 expect(res.status()).toBe(200);
28 const body = await res.json();
29 const products = body.data?.products ?? [];
30 expect(products.length).toBeGreaterThan(0);
31 return products[0].id;
32 }
33
34 /** Find a single collection by id within the mandate's collection list. */
35 async function getCollection(api: ApiClient, mandateId: string, collectionId: string) {
36 const res = await api.get(`/v1/plus/direct-debit/collections?mandateId=${mandateId}`);
37 expect(res.status()).toBe(200);
38 const body = await res.json();
39 expect(Array.isArray(body.data)).toBe(true);
40 const collection = body.data.find((c: { id: string }) => c.id === collectionId);
41 expect(collection, `collection ${collectionId} not found for mandate ${mandateId}`).toBeTruthy();
42 return collection;
43 }
44
45 test.describe.serial('Plus · Nordic direct debit (Autogiro / Betalingsservice)', () => {
46 test.setTimeout(60000);
47
48 test('configures Autogiro provider', async ({ request }) => {
49 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
50 // 409 (already configured for this org) is an acceptable, idempotent outcome.
51 api.expectErrors = true;
52
53 const res = await api.post('/v1/plus/payment-provider-configs', {
54 providerKey: 'autogiro',
55 config: { bankgiroNumber: '9912346' },
56 active: true,
57 });
58
59 expect([201, 409]).toContain(res.status());
60 });
61
62 test('rejects an invalid Betalingsservice account', async ({ request }) => {
63 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
64 api.expectErrors = true;
65
66 const productId = await getProductId(api);
67
68 // DK registreringsnummer must be 4 digits; "12" is invalid.
69 const res = await api.post('/v1/plus/direct-debit/mandates', {
70 providerKey: 'betalingsservice',
71 productId,
72 accountHolder: 'Lars Larsen',
73 country: 'DK',
74 clearingNumber: '12',
75 accountNumber: '1234567',
76 bankName: 'Danske Bank',
77 });
78
79 expect(res.status()).toBe(400);
80 });
81
82 test('completes a recurring direct-debit collection end-to-end (Autogiro SE)', async ({
83 request,
84 }) => {
85 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
86 const productId = await getProductId(api);
87
88 // 1. Create mandate — starts pending.
89 const createRes = await api.post('/v1/plus/direct-debit/mandates', {
90 providerKey: 'autogiro',
91 productId,
92 accountHolder: 'Sven Svensson',
93 country: 'SE',
94 clearingNumber: '8327',
95 accountNumber: '1234567',
96 bankName: 'Swedbank',
97 });
98 expect(createRes.status()).toBe(201);
99 const mandate = (await createRes.json()).data;
100 expect(mandate.status).toBe('pending');
101 expect(mandate.mandateReference).toBeTruthy();
102 const mandateId: string = mandate.id;
103
104 // 2. Activate — becomes active.
105 const activateRes = await api.post(
106 `/v1/plus/direct-debit/mandates/${mandateId}/activate`,
107 {},
108 );
109 expect(activateRes.status()).toBe(200);
110 expect((await activateRes.json()).data.status).toBe('active');
111
112 // 3. Mandate file content is non-empty fixed-width text.
113 const fileRes = await api.get(`/v1/plus/direct-debit/mandates/${mandateId}/file`);
114 expect(fileRes.status()).toBe(200);
115 const fileContent: string = (await fileRes.json()).data.content;
116 expect(typeof fileContent).toBe('string');
117 expect(fileContent.trim().length).toBeGreaterThan(0);
118
119 // 4. Schedule a collection — starts scheduled.
120 const collectionRes = await api.post('/v1/plus/direct-debit/collections', {
121 mandateId,
122 amount: 199,
123 currency: 'SEK',
124 });
125 expect(collectionRes.status()).toBe(201);
126 const collection = (await collectionRes.json()).data;
127 expect(collection.status).toBe('scheduled');
128 const collectionId: string = collection.id;
129
130 // 5. Run the batch — at least this collection is submitted.
131 const runRes = await api.post('/v1/plus/direct-debit/collections/run', {
132 providerKey: 'autogiro',
133 });
134 expect(runRes.status()).toBe(200);
135 const runBody = (await runRes.json()).data;
136 expect(runBody.submitted).toBeGreaterThanOrEqual(1);
137 expect(Array.isArray(runBody.files)).toBe(true);
138
139 // 6. Simulate a settled return.
140 const returnRes = await api.post(
141 `/v1/plus/direct-debit/collections/${collectionId}/simulate-return`,
142 { outcome: 'settled' },
143 );
144 expect(returnRes.status()).toBe(200);
145 expect((await returnRes.json()).data.settled).toBe(1);
146
147 // 7. The collection is now settled.
148 const settled = await getCollection(api, mandateId, collectionId);
149 expect(settled.status).toBe('settled');
150 expect(settled.settledAt).toBeTruthy();
151 expect(settled.flagged).toBe(false);
152 });
153
154 test('retries and flags a failed collection', async ({ request }) => {
155 const api = new ApiClient(request, API_URL, CLIENT_ID, CLIENT_SECRET);
156 const productId = await getProductId(api);
157
158 // Mandate must be active before it can be collected against.
159 const createRes = await api.post('/v1/plus/direct-debit/mandates', {
160 providerKey: 'autogiro',
161 productId,
162 accountHolder: 'Astrid Lindgren',
163 country: 'SE',
164 clearingNumber: '8327',
165 accountNumber: '7654321',
166 bankName: 'Swedbank',
167 });
168 expect(createRes.status()).toBe(201);
169 const mandateId: string = (await createRes.json()).data.id;
170
171 const activateRes = await api.post(
172 `/v1/plus/direct-debit/mandates/${mandateId}/activate`,
173 {},
174 );
175 expect(activateRes.status()).toBe(200);
176
177 // Schedule a collection to fail.
178 const collectionRes = await api.post('/v1/plus/direct-debit/collections', {
179 mandateId,
180 amount: 299,
181 currency: 'SEK',
182 });
183 expect(collectionRes.status()).toBe(201);
184 const collectionId: string = (await collectionRes.json()).data.id;
185
186 // First run + failed return: collection enters retry (retryCount 1).
187 const firstRun = await api.post('/v1/plus/direct-debit/collections/run', {
188 providerKey: 'autogiro',
189 });
190 expect(firstRun.status()).toBe(200);
191 expect((await firstRun.json()).data.submitted).toBeGreaterThanOrEqual(1);
192
193 const first{"command":"sed -n '59,76p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}async function resolveCreditorId(ctx: Ctx, providerKey: string): Promise<string> {
const config = await PaymentProviderConfig.findOne(ctx, {
where: { providerKey, active: true },
});
if (!config) {
throw new StatusError(
400,
`No active "${providerKey}" payment provider config for this organization — configure it in the portal first`,
);
}
const c = config.config as Record<string, unknown>;
const creditorId =
(typeof c.creditorId === 'string' && c.creditorId) ||
(typeof c.bankgiroNumber === 'string' && c.bankgiroNumber) ||
(typeof c.pbsNumber === 'string' && c.pbsNumber) ||
'';
return creditorId || '0000000';
}{"command":"find /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir -name \"api-client.ts\" -type f"}/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/helpers/api-client.ts
{"command":"sed -n '34,60p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts"} fastify.get('/mandates', {
schema: {
description: 'List direct-debit mandates for the authenticated organization. Optional filters: status (pending/active/revoked), providerKey, productId.',
tags: [TAG],
security: [{ clientCredentials: [] }],
querystring: {
type: 'object',
properties: {
status: { type: 'string', enum: ['pending', 'active', 'revoked'] },
providerKey: { type: 'string', enum: PROVIDER_KEYS },
productId: { type: 'integer' },
},
},
},
}, async (request: FastifyRequest<{ Querystring: { status?: string; providerKey?: string; productId?: number } }>) => {
const organizationId = requireOrg(request);
const where: Record<string, unknown> = {};
if (request.query.status) where.status = request.query.status;
if (request.query.providerKey) where.providerKey = request.query.providerKey;
if (request.query.productId) where.productId = request.query.productId;
const data = await DirectDebitMandate.findAll({ organizationId }, {
where,
order: [['createdAt', 'DESC']],
});
return { status: 'success', data };
});{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/helpers/api-client.ts"}1 import { APIRequestContext, APIResponse } from '@playwright/test';
2
3 function toCurl(method: string, url: string, headers: Record<string, string>, data?: any): string {
4 const parts = [`curl -X ${method.toUpperCase()} '${url}'`];
5 for (const [key, value] of Object.entries(headers)) {
6 parts.push(` -H '${key}: ${value}'`);
7 }
8 if (data !== undefined) {
9 parts.push(` -d '${JSON.stringify(data)}'`);
10 }
11 return parts.join(' \\\n');
12 }
13
14 async function logIfFailed(response: APIResponse, method: string, url: string, headers: Record<string, string>, data?: any, silent = false): Promise<APIResponse> {
15 if (response.status() >= 400 && !silent) {
16 let body: any;
17 try { body = await response.json(); } catch { body = await response.text(); }
18 console.error(`\n❌ API ${method.toUpperCase()} ${url} → ${response.status()}`);
19 console.error(`Response body: ${JSON.stringify(body, null, 2)}`);
20 console.error(`cURL:\n${toCurl(method, url, headers, data)}\n`);
21 }
22 return response;
23 }
24
25 export class ApiClient {
26 /** Set to true to suppress error logging (for unhappy-path tests that expect 4xx/5xx) */
27 expectErrors = false;
28
29 constructor(
30 private request: APIRequestContext,
31 private baseURL: string,
32 private clientId: string,
33 private clientSecret: string
34 ) {}
35
36 private getHeaders() {
37 return {
38 'Authorization': `Client ${this.clientId}:${this.clientSecret}`,
39 'Content-Type': 'application/json',
40 };
41 }
42
43 async post(endpoint: string, data: any) {
44 const url = `${this.baseURL}${endpoint}`;
45 const headers = this.getHeaders();
46 const response = await this.request.post(url, { headers, data });
47 return logIfFailed(response, 'POST', url, headers, data, this.expectErrors);
48 }
49
50 async patch(endpoint: string, data: any) {
51 const url = `${this.baseURL}${endpoint}`;
52 const headers = this.getHeaders();
53 const response = await this.request.patch(url, { headers, data });
54 return logIfFailed(response, 'PATCH', url, headers, data, this.expectErrors);
55 }
56
57 async put(endpoint: string, data: any) {
58 const url = `${this.baseURL}${endpoint}`;
59 const headers = this.getHeaders();
60 const response = await this.request.put(url, { headers, data });
61 return logIfFailed(response, 'PUT', url, headers, data, this.expectErrors);
62 }
63
64 async get(endpoint: string) {
65 const url = `${this.baseURL}${endpoint}`;
66 const headers = this.getHeaders();
67 const response = await this.request.get(url, { headers });
68 return logIfFailed(response, 'GET', url, headers, undefined, this.expectErrors);
69 }
70
71 async delete(endpoint: string) {
72 const url = `${this.baseURL}${endpoint}`;
73 const headers = this.getHeaders();
74 const response = await this.request.delete(url, { headers });
75 return logIfFailed(response, 'DELETE', url, headers, undefined, this.expectErrors);
76 }
77 }
78
79 export class WidgetApiClient {
80 /** Set to true to suppress error logging (for unhappy-path tests that expect 4xx/5xx) */
81 expectErrors = false;
82
83 constructor(
84 private request: APIRequestContext,
85 private baseURL: string,
86 private widgetToken: string,
87 private parentDomain: string = 'localhost'
88 ) {}
89
90 private getHeaders() {
91 return {
92 'X-Widget-Token': this.widgetToken,
93 'X-Parent-Domain': this.parentDomain,
94 'Content-Type': 'application/json',
95 };
96 }
97
98 async post(endpoint: string, data: any) {
99 const url = `${this.baseURL}${endpoint}`;
100 const headers = this.getHeaders();
101 const response = await this.request.post(url, { headers, data });
102 return logIfFailed(response, 'POST', url, headers, data, this.expectErrors);
103 }
104
105 async get(endpoint: string) {
106 const url = `${this.baseURL}${endpoint}`;
107 const headers = this.getHeaders();
108 const response = await this.request.get(url, { headers });
109 return logIfFailed(response, 'GET', url, headers, undefined, this.expectErrors);
110 }
111
112 async getAllowPdf(endpoint: string) {
113 const url = `${this.baseURL}${endpoint}`;
114 const headers = { ...this.getHeaders(), Accept: 'application/pdf,*/*' };
115 const response = await this.request.get(url, { headers });
116 return logIfFailed(response, 'GET', url, headers, undefined, this.expectErrors);
117 }
118 }
119 {"command":"find /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir -name \"urls.ts\" -type f"}/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/utils/urls.ts
{"command":"grep -n \"assertDirectDebitProvider\\|getDirectDebitProvider\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}16: getDirectDebitProvider,
42:function assertDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
46: return getDirectDebitProvider(providerKey);
106: const provider = assertDirectDebitProvider(input.providerKey);
198: const provider = assertDirectDebitProvider(mandate.providerKey);
286: const provider = assertDirectDebitProvider(key);
341: const provider = assertDirectDebitProvider(providerKey);
498: const provider = assertDirectDebitProvider(providerKey);
527: const provider = assertDirectDebitProvider(collection.providerKey);{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/tests/utils/urls.ts"}1 export function getPortalUrl(): string {
2 const env = process.env.ENV || 'local';
3
4 if (env === 'local') {
5 return process.env.SHERPA_PORTAL_HTTP || 'http://localhost:3000';
6 }
7
8 if (env === 'dev') {
9 return process.env.SHERPA_PORTAL_DEV_HTTPS || '';
10 }
11
12 if (env === 'staging') {
13 return process.env.SHERPA_PORTAL_STAGING_HTTPS || '';
14 }
15
16 if (env === 'production') {
17 return process.env.SHERPA_PORTAL_PROD_HTTPS || '';
18 }
19
20 return process.env.SHERPA_PORTAL_HTTPS || '';
21 }
22
23 export function getApiUrl(): string {
24 const env = process.env.ENV || 'local';
25
26 if (env === 'local') {
27 return process.env.SHERPA_API_HTTP || 'http://localhost:4000';
28 }
29
30 if (env === 'dev') {
31 return process.env.SHERPA_API_DEV_HTTPS || '';
32 }
33
34 if (env === 'staging') {
35 return process.env.SHERPA_API_STAGING_HTTPS || '';
36 }
37
38 if (env === 'production') {
39 return process.env.SHERPA_API_PROD_HTTPS || '';
40 }
41
42 return process.env.SHERPA_API_HTTPS || '';
43 }
44
45 export function getEmbedUrl(): string {
46 const env = process.env.ENV || 'local';
47
48 if (env === 'local') {
49 return process.env.SHERPA_EMBED_HTTP || 'http://localhost:3101';
50 }
51
52 if (env === 'dev') {
53 return process.env.SHERPA_EMBED_DEV_HTTPS || '';
54 }
55
56 if (env === 'staging') {
57 return process.env.SHERPA_EMBED_STAGING_HTTPS || '';
58 }
59
60 if (env === 'production') {
61 return process.env.SHERPA_EMBED_PROD_HTTPS || '';
62 }
63
64 return process.env.SHERPA_EMBED_HTTPS || '';
65 }
66
67 export function getWayniPortalUrl(): string {
68 const env = process.env.ENV || 'local';
69
70 if (env === 'local') {
71 return process.env.WAYNI_PORTAL_URL || 'https://portal.wayni.chris.dev.gangkhar.dev';
72 }
73
74 if (env === 'dev') {
75 return process.env.WAYNI_PORTAL_DEV_URL || 'https://portal.wayni.dev.gangkhar.dev';
76 }
77
78 if (env === 'staging') {
79 return process.env.WAYNI_PORTAL_STAGING_URL || 'https://portal.wayni.staging.gangkhar.dev';
80 }
81
82 return process.env.WAYNI_PORTAL_URL || 'https://portal.wayni.chris.dev.gangkhar.dev';
83 }
84
85 {"command":"grep -n \"setErrorHandler\\|onError\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/index.ts"}Exit code 2 grep: /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/index.ts: No such file or directory
{"command":"grep -n \"Promise.all\" /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/\\[id\\]/direct-debit/page.tsx"}{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src -name \"app.ts\" -o -name \"server.ts\" -o -name \"main.ts\" | head -3"}140: const responses = await Promise.all( 167: const [productResponse, mandateList] = await Promise.all([
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app.ts
{"command":"grep -n \"setErrorHandler\\|StatusError\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app.ts | head -20"}4:import { StatusError } from '@/error/error.js';
60: app.setErrorHandler(errorHandler);
63: throw new StatusError(404, 'Not Found');{"command":"npx tsc --noEmit 2>&1 | head -50"}{"command":"sed -n '428,489p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}async function applyReturnRecord(
ctx: Ctx,
record: ReturnRecord,
summary: IngestSummary,
): Promise<void> {
const collection = await DirectDebitCollection.findOne(ctx, {
where: { externalReference: record.externalReference },
});
if (!collection) {
summary.unmatched.push(record.externalReference);
return;
}
// A return record is only meaningful for a collection awaiting settlement
// (SUBMITTED). Anything else — already settled, already failed/flagged, or a
// duplicate arriving after we processed a prior return for this reference — is
// ignored idempotently so re-ingesting a file can't double-count retries or
// un-flag an exhausted collection.
if (collection.status !== CollectionStatus.SUBMITTED) {
return;
}
if (record.outcome === 'settled') {
await collection.update({
status: CollectionStatus.SETTLED,
settledAt: new Date(),
failureReason: null,
flagged: false,
});
await reconcileSettlementToPolicy(ctx, collection);
summary.settled += 1;
return;
}
// Failed: retry until maxRetries, then flag for operator intervention.
const nextRetry = collection.retryCount + 1;
const reason = record.reason ?? 'Collection rejected by bank';
if (nextRetry <= collection.maxRetries) {
await collection.update({
status: CollectionStatus.RETRYING,
retryCount: nextRetry,
// Eligible for the next collection run immediately. Production would apply
// a backoff window before re-presenting; recorded as a hint in metadata.
scheduledFor: new Date(),
failureReason: reason,
flagged: false,
metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry },
});
summary.retrying += 1;
} else {
await collection.update({
status: CollectionStatus.FAILED,
failureReason: reason,
flagged: true,
});
summary.failed += 1;
summary.flagged += 1;
logger.warn(
{ organizationId: ctx.organizationId, collectionId: collection.id, retryCount: collection.retryCount },
'Direct-debit collection flagged after exhausting retries',
);
}
}app/lens/optimizations/commission/[id]/health/MABTimeSeriesChart.tsx(77,25): error TS2322: Type '(v: number) => string' is not assignable to type 'Formatter<number, NameType> & ((value: number, name: NameType, item: Payload<number, NameType>, index: number, payload: Payload<number, NameType>[]) => ReactNode | [...])'.
Type '(v: number) => string' is not assignable to type 'Formatter<number, NameType>'.
Types of parameters 'v' and 'value' are incompatible.
Type 'number | undefined' is not assignable to type 'number'.
Type 'undefined' is not assignable to type 'number'.{"command":"sed -n '277,333p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | grep -A5 -B5 \"externalReference\\|RETRYING\""} for (const key of providerKeys) {
const provider = assertDirectDebitProvider(key);
const due = await DirectDebitCollection.findAll(ctx, {
where: {
providerKey: key,
status: { [Op.in]: [CollectionStatus.SCHEDULED, CollectionStatus.RETRYING] },
scheduledFor: { [Op.lte]: new Date() },
},
order: [['scheduledFor', 'ASC']],
limit: 500,
});
--
failureReason: 'Mandate is not active',
flagged: true,
});
continue;
}
const externalReference = generateReference(key, 'COL');
await collection.update({
status: CollectionStatus.SUBMITTED,
submittedAt: new Date(),
externalReference,
fileReference,
failureReason: null,
});
entries.push(toFileEntry(collection, mandate));
}{"command":"cat > /tmp/check_alignment.txt << 'EOF'\nMANDATE Model (_DirectDebitMandate.ts) vs Migration:\n\nModel Column | Type | Nullable | Default | Migration | Match?\nid | UUID | PK | UUIDV4 | UUID, PK, UUIDV4 | ✓\norganizationId | UUID | NO | - | UUID, NOT NULL | ✓\nproviderKey | ENUM(autogiro,betalingsservice) | NO | - | STRING(50), NOT NULL | Issue: ENUM vs STRING\nproductId | INTEGER | NO (FK) | - | INTEGER, FK to Products | ✓\ncustomerId | UUID | nullable | - | UUID, nullable | ✓\nstatus | ENUM(pending,active,revoked) | NO | pending | ENUM('pending','active','revoked'), default pending | ✓\ncountry | STRING(2) | NO | - | STRING(2), NOT NULL | ✓\naccountHolder | STRING(255) | NO | - | STRING(255), NOT NULL | ✓\nclearingNumber | STRING(20) | nullable | - | STRING(20), nullable | ✓\naccountNumber | STRING(50) | NO | - | STRING(50), NOT NULL | ✓\nbankName | STRING(255) | nullable | - | STRING(255), nullable | ✓\nmandateReference | STRING(100) | NO | - | STRING(100), NOT NULL | ✓\npayerNumber | STRING(50) | nullable | - | STRING(50), nullable | ✓\nsignedAt | DATE | nullable | - | DATE, nullable | ✓\nactivatedAt | DATE | nullable | - | DATE, nullable | ✓\nrevokedAt | DATE | nullable | - | DATE, nullable | ✓\nfailureReason | TEXT | nullable | - | TEXT, nullable | ✓\nmetadata | JSONB | nullable | - | JSONB, nullable | ✓\n\nCOLLECTION Model (_DirectDebitCollection.ts) vs Migration:\n\nModel Column | Type | Nullable | Default | Migration | Match?\nid | UUID | PK | UUIDV4 | UUID, PK, UUIDV4 | ✓\norganizationId | UUID | NO | - | UUID, NOT NULL | ✓\nmandateId | UUID | NO (FK) | - | UUID, FK to DirectDebitMandates | ✓\npolicyOrderId | INTEGER | nullable | - | INTEGER, nullable, FK to PolicyOrders | ✓\nproviderKey | STRING(50) | NO | - | STRING(50), NOT NULL | ✓\namount | DECIMAL(15,2) | NO | - | DECIMAL(15,2), NOT NULL | ✓\ncurrency | STRING(3) | NO | - | STRING(3), NOT NULL | ✓\nstatus | ENUM(scheduled,submitted,settled,failed,retrying,cancelled) | NO | scheduled | ENUM(...), default scheduled | ✓\nscheduledFor | DATE | NO | - | DATE, NOT NULL | ✓\nsubmittedAt | DATE | nullable | - | DATE, nullable | ✓\nsettledAt | DATE | nullable | - | DATE, nullable | ✓\nretryCount | INTEGER | NO | 0 | INTEGER, default 0 | ✓\nmaxRetries | INTEGER | NO | 3 | INTEGER, default 3 | ✓\nfailureReason | TEXT | nullable | - | TEXT, nullable | ✓\nexternalReference | STRING(255) | nullable | - | STRING(255), nullable | ✓\nfileReference | STRING(255) | nullable | - | STRING(255), nullable | ✓\nflagged | BOOLEAN | NO | false | BOOLEAN, default false | ✓\nmetadata | JSONB | nullable | - | JSONB, nullable | ✓\n\nISSUE FOUND:\n- DirectDebitMandate.providerKey is declared as ENUM in model but migration creates it as STRING(50)\n The enum is on the model: @Column({ type: DataType.ENUM(...Object.values(DirectDebitProvider)) })\n But migration just does: STRING(50)\n This could cause issues if the DB doesn't enforce the ENUM constraint.\nEOF\ncat /tmp/check_alignment.txt\n"}MANDATE Model (_DirectDebitMandate.ts) vs Migration:
Model Column | Type | Nullable | Default | Migration | Match?
id | UUID | PK | UUIDV4 | UUID, PK, UUIDV4 | ✓
organizationId | UUID | NO | - | UUID, NOT NULL | ✓
providerKey | ENUM(autogiro,betalingsservice) | NO | - | STRING(50), NOT NULL | Issue: ENUM vs STRING
productId | INTEGER | NO (FK) | - | INTEGER, FK to Products | ✓
customerId | UUID | nullable | - | UUID, nullable | ✓
status | ENUM(pending,active,revoked) | NO | pending | ENUM('pending','active','revoked'), default pending | ✓
country | STRING(2) | NO | - | STRING(2), NOT NULL | ✓
accountHolder | STRING(255) | NO | - | STRING(255), NOT NULL | ✓
clearingNumber | STRING(20) | nullable | - | STRING(20), nullable | ✓
accountNumber | STRING(50) | NO | - | STRING(50), NOT NULL | ✓
bankName | STRING(255) | nullable | - | STRING(255), nullable | ✓
mandateReference | STRING(100) | NO | - | STRING(100), NOT NULL | ✓
payerNumber | STRING(50) | nullable | - | STRING(50), nullable | ✓
signedAt | DATE | nullable | - | DATE, nullable | ✓
activatedAt | DATE | nullable | - | DATE, nullable | ✓
revokedAt | DATE | nullable | - | DATE, nullable | ✓
failureReason | TEXT | nullable | - | TEXT, nullable | ✓
metadata | JSONB | nullable | - | JSONB, nullable | ✓
COLLECTION Model (_DirectDebitCollection.ts) vs Migration:
Model Column | Type | Nullable | Default | Migration | Match?
id | UUID | PK | UUIDV4 | UUID, PK, UUIDV4 | ✓
organizationId | UUID | NO | - | UUID, NOT NULL | ✓
mandateId | UUID | NO (FK) | - | UUID, FK to DirectDebitMandates | ✓
policyOrderId | INTEGER | nullable | - | INTEGER, nullable, FK to PolicyOrders | ✓
providerKey | STRING(50) | NO | - | STRING(50), NOT NULL | ✓
amount | DECIMAL(15,2) | NO | - | DECIMAL(15,2), NOT NULL | ✓
currency | STRING(3) | NO | - | STRING(3), NOT NULL | ✓
status | ENUM(scheduled,submitted,settled,failed,retrying,cancelled) | NO | scheduled | ENUM(...), default scheduled | ✓
scheduledFor | DATE | NO | - | DATE, NOT NULL | ✓
submittedAt | DATE | nullable | - | DATE, nullable | ✓
settledAt | DATE | nullable | - | DATE, nullable | ✓
retryCount | INTEGER | NO | 0 | INTEGER, default 0 | ✓
maxRetries | INTEGER | NO | 3 | INTEGER, default 3 | ✓
failureReason | TEXT | nullable | - | TEXT, nullable | ✓
externalReference | STRING(255) | nullable | - | STRING(255), nullable | ✓
fileReference | STRING(255) | nullable | - | STRING(255), nullable | ✓
flagged | BOOLEAN | NO | false | BOOLEAN, default false | ✓
metadata | JSONB | nullable | - | JSONB, nullable | ✓
ISSUE FOUND:
- DirectDebitMandate.providerKey is declared as ENUM in model but migration creates it as STRING(50)
The enum is on the model: @Column({ type: DataType.ENUM(...Object.values(DirectDebitProvider)) })
But migration just does: STRING(50)
This could cause issues if the DB doesn't enforce the ENUM constraint.{"command":"sed -n '54,58p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts"} @Column({
type: DataType.ENUM(...Object.values(DirectDebitProvider)),
allowNull: false,
})
declare providerKey: DirectDebitProvider;{"command":"sed -n '23,32p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts"} await context.createTable('DirectDebitMandates', {
id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
organizationId: { type: DataTypes.UUID, allowNull: false },
providerKey: { type: DataTypes.STRING(50), allowNull: false },
productId: {
type: DataTypes.INTEGER,
allowNull: false,
references: { model: 'Products', key: 'id' },
onDelete: 'CASCADE',
},{"command":"grep -n \"providerKey\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | head -15"}42:function assertDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
43: if (!isDirectDebitProvider(providerKey)) {
44: throw new StatusError(400, `'${providerKey}' is not a bank direct-debit provider`);
46: return getDirectDebitProvider(providerKey);
49:function generateReference(providerKey: string, kind: 'MND' | 'COL'): string {
50: const prefix = PROVIDER_PREFIX[providerKey] ?? 'DD';
59:async function resolveCreditorId(ctx: Ctx, providerKey: string): Promise<string> {
61: where: { providerKey, active: true },
66: `No active "${providerKey}" payment provider config for this organization — configure it in the portal first`,
90: providerKey: string;
106: const provider = assertDirectDebitProvider(input.providerKey);
119: const mandateReference = generateReference(input.providerKey, 'MND');
122: providerKey: input.providerKey as DirectDebitProvider,
138: { organizationId, mandateId: mandate.id, providerKey: input.providerKey },
198: const provider = assertDirectDebitProvider(mandate.providerKey);{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src -name \"*claimPayoutBatch*\" -type f"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/claimPayoutBatchJob.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/claimPayoutBatchJob.ts"}1 import { Op } from 'sequelize';
2 import { ClaimPayout, ClaimPayoutStatus } from '@/models/ClaimPayout.js';
3 import { Organization } from '@/models/Organization.js';
4 import { jobQueue } from '@/services/jobQueue.js';
5 import { enqueueClaimPayout } from '@/services/jobs/claimPayoutJob.js';
6 import logger from '@/logger.js';
7
8 const JOB_TYPE = 'claim_payout_batch';
9
10 /**
11 * Weekly-batch picker. Runs hourly so clock skew, missed fires, and worker
12 * restarts self-heal — finding "due" payouts is idempotent and each PENDING
13 * payout is only ever dispatched once (executePayout guards on status).
14 *
15 * Follows the same per-org iteration pattern as policy-renewal.ts so RLS
16 * context is enforced on every read.
17 */
18 async function handleClaimPayoutBatch() {
19 const organizations = await Organization.findAll({ attributes: ['id'] });
20 const now = new Date();
21 let total = 0;
22
23 for (const org of organizations) {
24 try {
25 const due = await ClaimPayout.findAll(
26 { organizationId: org.id },
27 {
28 where: {
29 status: ClaimPayoutStatus.PENDING,
30 scheduledFor: { [Op.lte]: now },
31 },
32 attributes: ['id'],
33 limit: 500,
34 },
35 );
36
37 for (const payout of due) {
38 enqueueClaimPayout(payout.id, org.id);
39 }
40 total += due.length;
41 } catch (err) {
42 logger.error(
43 { organizationId: org.id, err: err instanceof Error ? err.message : String(err) },
44 'Claim payout batch: failed to process organization',
45 );
46 }
47 }
48
49 if (total > 0) {
50 logger.info({ count: total, orgCount: organizations.length }, 'Claim payout batch: enqueued due payouts');
51 }
52 }
53
54 export function registerClaimPayoutBatchJob() {
55 jobQueue.register(JOB_TYPE, handleClaimPayoutBatch, {
56 concurrency: 1,
57 defaultJobOptions: {
58 attempts: 3,
59 backoff: { type: 'exponential', delay: 30_000 },
60 removeOnComplete: { age: 24 * 3600, count: 100 },
61 removeOnFail: { age: 7 * 24 * 3600 },
62 },
63 });
64 }
65
66 /**
67 * Start the recurring schedule. Safe to call multiple times — BullMQ dedupes
68 * by jobId. Call once on worker startup.
69 */
70 export async function scheduleClaimPayoutBatch() {
71 await jobQueue.scheduleRepeating(
72 JOB_TYPE,
73 {},
74 '0 * * * *', // every hour on the hour, UTC
75 `${JOB_TYPE}:hourly`,
76 );
77 }
78 Good - only the pre-existing unrelated error. Now let me perform comprehensive verification of critical code paths:
## COMPREHENSIVE ROUND-2 VERIFICATION REVIEW
### 1. page.tsx Data Flow Analysis
**Promise.all Collections Aggregation (lines 132-155):**
- Line 136-139: When `mandateId !== null`, filters to single mandate; otherwise uses full list
- Line 140-142: Calls `api.get()` for EACH mandate in targets
- Line 143-145: Merges responses, flattens, sorts by createdAt DESC
- Line 147-152: Comprehensive error handling with toast and console.error
- **ASSESSMENT: CORRECT** - No race conditions; error handling catches aggregation failures; loading state properly managed.
**Amount Validation (lines 292-318):**
- Line 296: `amountValue = Number(formAmount)` conversion
- Line 297: Validates `!formAmount.trim() || !Number.isFinite(amountValue) || amountValue <= 0`
- Line 306: Sends `amount: amountValue` (number type, not string)
- **ASSESSMENT: CORRECT** - Type handling fixed from Round-1; Number.isFinite guard protects against NaN.
**Dialog/Mutation Flows:**
- Lines 214-244 (Create Mandate): Validates accountHolder and accountNumber before POST; sends empty undefined for optional fields
- Line 248, 259, 306: All api.post calls send proper bodies (even empty `{}` for activate/revoke)
- Line 226-234: Create payload structure matches API contract
- **ASSESSMENT: CORRECT** - All required fields validated; optional fields handled with `||undefined`
**Status Badge Fallbacks (lines 488, 613):**
- Line 488: `MANDATE_STATUS_CLASSES[mandate.status] || "bg-gray-100 text-gray-800"` ✓
- Line 613: `COLLECTION_STATUS_CLASSES[collection.status] || "bg-gray-100 text-gray-800"` ✓
- **ASSESSMENT: CORRECT** - Both have fallbacks
**Hooks/Dependencies:**
- Line 122-127: loadMandates depends on [productId] - correct
- Line 132-155: loadCollections depends on [t] - correct (no setState after unmount)
- Line 157-183: useEffect depends on [productId] - correct
- Line 185-191: refresh depends on [loadMandates, loadCollections, selectedMandateId] - correct
- Line 87: React.use() unwrapping for Next 16+ params - correct
- **ASSESSMENT: CORRECT** - No conditional hook calls; deps arrays proper; params unwrap correct
**After-Mutation Refetch:**
- Line 237: handleCreateMandate → `await refresh()` ✓
- Line 250: handleActivateMandate → `await refresh()` ✓
- Line 261: handleRevokeMandate → `await refresh()` ✓
- Line 311: handleScheduleCollection → `await refresh()` ✓
- Line 329: handleRunCollections → `await refresh()` ✓
- Line 362: handleRetryCollection → `await refresh()` ✓
- **ASSESSMENT: CORRECT** - Every mutation refetches
**Amount Display (line 608):**
- `{collection.amount} {collection.currency}` - amount is string type per types/directDebit.ts:40
- No arithmetic performed; string concatenation only
- **ASSESSMENT: CORRECT** - Type matches, no conversion issues
### 2. AppLayout.tsx Navigation Entry
**Direct-debit Menu Item (lines 320-325):**
```typescript
{
name: t('Direct Debit'),
href: `/products/${productId}`, // ← ISSUE: Missing `/direct-debit`
icon: CreditCard,
key: "direct-debit",
}
```
**ALERT - HIGH:** Line 322 href is `/products/${productId}` but should be `/products/${productId}/direct-debit`
Verify entry is in PRODUCT_PHASE_BY_KEY:
- Line 363: `"direct-debit": "operate",` ✓
But the href is wrong!
**ASSESSMENT: HIGH ISSUE FOUND**
### 3. PaymentProvidersTab.tsx - Stripe Flow & Creditor ID
**Creditor ID Field Rendering (lines 444-454):**
- Line 176: `const isDirectDebitProvider = DIRECT_DEBIT_PROVIDER_KEYS.includes(formProviderKey);`
- Lines 444-454: Renders creditor field when `isDirectDebitProvider === true` ✓
- Line 451: Input binds to `formCreditorId`
**Create Path (lines 191-198):**
- Line 191-196: Payload includes `creditorId: formCreditorId.trim()` ✓
**Edit Path (lines 158-174):**
- Line 162-164: Reads creditorId from config on load:
```typescript
setFormCreditorId(
typeof config.config?.creditorId === "string" ? config.config.creditorId : ""
);
```
✓ Type-safe
**Stripe Flow Intact:**
- Lines 481-565: Conditional block only renders for `!isDirectDebitProvider`
- Payout cadence/weekly controls rendered only for Stripe ✓
- **ASSESSMENT: CORRECT** - Stripe flow and DD creditor flows properly segregated
**Provider Config Save (lines 178-210):**
- Line 179: Validates creditorId for DD providers; connectedAccountId for others ✓
- Line 191-209: Payload structure matches API expectations ✓
- **ASSESSMENT: CORRECT**
### 4. types/directDebit.ts - API Contract
**Collection.amount type (line 40):**
- `amount: string;` - matches API response
- Page.tsx converts input with `Number(formAmount)` before POST
- Display uses string concatenation
- **ASSESSMENT: CORRECT** - Type alignment is sound
### 5. Test File - 09-direct-debit.spec.ts
**API URL (line 5):**
- `const API_URL = getApiUrl();`
- getApiUrl() defaults to 'http://localhost:4000' for ENV=local
- **ASSERTION: Test runs against sherpa-api on 4000, NOT portal on 3000**
- This is CORRECT because the test is calling `/v1/plus/direct-debit` endpoints on sherpa-api
**Test Resilience:**
- Line 51: `api.expectErrors = true` for idempotent create (409 acceptable) ✓
- Line 50: Comment explains 409 is acceptable (already configured)
- Line 79: Validates 400 for invalid account ✓
- Line 99-102: Creates mandate, captures ID, validates status ✓
- Line 105-110: Activate mandate, validates status transition ✓
- Line 114-117: File content non-empty check ✓
- Line 120-128: Schedule collection, validates status ✓
- Line 131-137: Run batch, validates count ✓
- Line 140-145: Simulate settled, validates outcome ✓
- Line 147-151: Verify settled state with explicit assertions ✓
**Retry Loop (lines 207-223):**
- Line 210: Loop bounds `attempt < maxRetries + 2` with state check ✓
- Line 222: State updated each iteration ✓
- Line 225-229: Final assertions on failed/flagged/retryCount ✓
- **ASSESSMENT: RESILIENT** - Loop exits properly; all terminal states handled
**All POST Bodies:**
- Line 53-56: POST body is object ✓
- Line 69-77: POST body is object ✓
- Line 89-97: POST body is object ✓
- Line 106-108: POST body is `{}` ✓
- Line 120-124: POST body is object ✓
- Line 131-133: POST body is object ✓
- Line 141-143: POST body is object ✓
- Line 195: POST body is `{ outcome: 'failed', reason: '08' }` ✓
- Line 211-213: POST body is object ✓
- Line 216-219: POST body is object ✓
- **ASSESSMENT: CORRECT** - Every POST has a body
**ASSESSMENT: Test is sound and comprehensive**
---
## SUMMARY
**HIGH SEVERITY ISSUE FOUND:**
**FILE: app/components/AppLayout.tsx, LINE 322**
**Issue:** Direct Debit menu item href is incorrect
```typescript
// CURRENT (WRONG):
{
name: t('Direct Debit'),
href: `/products/${productId}`, // ← Links to product overview, not direct-debit page
icon: CreditCard,
key: "direct-debit",
}
// SHOULD BE:
{
name: t('Direct Debit'),
href: `/products/${productId}/direct-debit`, // ← Correct href
icon: CreditCard,
key: "direct-debit",
}
```
**Impact:** Clicking "Direct Debit" in the sidebar navigates to `/products/:id` instead of `/products/:id/direct-debit`, breaking navigation to the direct-debit feature page. The menu entry exists and is in PRODUCT_PHASE_BY_KEY correctly, but the href is wrong.
**Other Findings:**
NO REMAINING MEDIUM OR LOW ISSUES. All other code is correct:
- page.tsx: All data flows, error handling, validation, and refetches correct
- page.tsx: Promise.all aggregation path is safe; no race conditions
- page.tsx: Amount validation and type conversion proper; fallbacks in place
- page.tsx: Hooks dependencies and Next 16+ params unwrapping correct
- PaymentProvidersTab.tsx: Stripe and DD credential flows properly segregated; creditorId save/load correct
- types/directDebit.ts: Types align with API contract
- Test spec: Comprehensive, resilient, all POSTs have bodies, runs on correct API port (4000){"command":"cat > /tmp/test_format.js << 'EOF'\n// Test digitsOnly and padZero edge cases\n\nfunction digitsOnly(value) {\n return (value ?? '').replace(/\\D/g, '');\n}\n\nfunction padZero(value, width) {\n const v = (value ?? '').replace(/\\s+/g, '');\n return v.length >= width ? v.slice(v.length - width) : '0'.repeat(width - v.length) + v;\n}\n\n// Test cases\nconsole.log('digitsOnly(\"\"):', digitsOnly(\"\"));\nconsole.log('digitsOnly(null):', digitsOnly(null));\nconsole.log('digitsOnly(\"ABC\"):', digitsOnly(\"ABC\"));\nconsole.log('digitsOnly(\"12-34\"):', digitsOnly(\"12-34\"));\n\nconsole.log('padZero(\"\", 5):', JSON.stringify(padZero(\"\", 5)));\nconsole.log('padZero(null, 5):', JSON.stringify(padZero(null, 5)));\nconsole.log('padZero(\"123\", 5):', JSON.stringify(padZero(\"123\", 5)));\nconsole.log('padZero(\"123456\", 5):', JSON.stringify(padZero(\"123456\", 5)));\n\n// Edge case: clearingNumber validation\n// Autogiro requires 4-5 digits\nconst clearing1 = digitsOnly(\"\"); // empty → \"\"\nconst clearing2 = digitsOnly(\"ABC\"); // no digits → \"\"\nconsole.log('\\nAutogiro clearing validation edge cases:');\nconsole.log('Empty clearing length:', clearing1.length, '(should fail 4-5 check)');\nconsole.log('Non-digit clearing length:', clearing2.length, '(should fail 4-5 check)');\n\n// In buildMandateFile:\n// const clearing = padZero(digitsOnly(e.account.clearingNumber ?? ''), 5);\n// If clearing is empty, this becomes padZero('', 5) = '00000'\nconsole.log('\\nIn buildMandateFile with empty clearing:');\nconsole.log('padZero(digitsOnly(\"\"), 5):', JSON.stringify(padZero(digitsOnly(\"\"), 5)));\n\n// This is potentially UNSAFE — an invalid empty clearing will be padded to 00000\n// and sent to the bank. But the validateAccount check should prevent this upstream.\nEOF\nnode /tmp/test_format.js\n"}digitsOnly(""):
digitsOnly(null):
digitsOnly("ABC"):
digitsOnly("12-34"): 1234
padZero("", 5): "00000"
padZero(null, 5): "00000"
padZero("123", 5): "00123"
padZero("123456", 5): "23456"
Autogiro clearing validation edge cases:
Empty clearing length: 0 (should fail 4-5 check)
Non-digit clearing length: 0 (should fail 4-5 check)
In buildMandateFile with empty clearing:
padZero(digitsOnly(""), 5): "00000"{"command":"sed -n '32,49p' /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/autogiro.ts"} validateAccount(account: BankAccount): AccountValidationResult {
const errors: string[] = [];
if (account.country && account.country.toUpperCase() !== 'SE') {
errors.push(`Autogiro requires a Swedish (SE) account, got "${account.country}"`);
}
if (!account.accountHolder?.trim()) {
errors.push('accountHolder is required');
}
const clearing = digitsOnly(account.clearingNumber ?? '');
if (clearing.length < 4 || clearing.length > 5) {
errors.push('clearingNumber must be 4–5 digits (Swedish clearing number)');
}
const acc = digitsOnly(account.accountNumber ?? '');
if (acc.length < 7 || acc.length > 12) {
errors.push('accountNumber must be 7–12 digits');
}
return { valid: errors.length === 0, errors };
}{"command":"cat > /tmp/round2_findings.md << 'EOF'\n# ROUND-2 VERIFICATION REVIEW: sherpa-api #462 Nordic Direct Debit\n\n## ROUND-1 FIX VERIFICATION ✓ CORRECT\n\n### applyReturnRecord Guard (Line 445)\n**Status**: VERIFIED CORRECT\n- Guard `if (collection.status !== CollectionStatus.SUBMITTED) return;` correctly enforces that only SUBMITTED collections are processed\n- Duplicates and already-settled/flagged collections skip idempotently\n- Retry flow works: RETRYING → (submitDueCollections) → SUBMITTED with NEW externalReference → return file can reenter for new ref\n\n### submitDueCollections NEW externalReference (Line 312)\n**Status**: VERIFIED CORRECT\n- Each submit generates `const externalReference = generateReference(key, 'COL');`\n- This ensures RETRYING collections get a fresh ref on resubmit, allowing returns for the new ref to be processed\n\n---\n\n## FRESH REVIEW FINDINGS\n\n### 1. MODEL ↔ MIGRATION DRIFT: HIGH\n\n**File**: src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts:26\n**Issue**: DirectDebitMandate.providerKey column type mismatch\n- Model declares: `@Column({ type: DataType.ENUM(...Object.values(DirectDebitProvider)) })`\n- Migration creates: `providerKey: { type: DataTypes.STRING(50), allowNull: false }`\n- **Impact**: DB doesn't enforce ENUM constraint; invalid values could be inserted via raw SQL/migrations; future recreations would fail\n- **Mitigation**: Application layer validates via `isDirectDebitProvider()` in `assertDirectDebitProvider()`, so API is protected\n- **Fix**: Change migration line 26 from `STRING(50)` to `ENUM('autogiro', 'betalingsservice')`\n\n**Severity**: HIGH (schema drift, future-proofing issue)\n\n---\n\n### 2. CONNECTOR FILE WIDTH INCONSISTENCY: MEDIUM\n\n#### Autogiro (autogiro.ts)\n- TK82 debit line: 2 + 8 + 16 + 12 + 20 + 22 = **80 chars** ✓\n- buildReturnFile TK82: 2 + 35 + 2 + 12 + 29 = **80 chars** ✓\n- parseReturnFile slicing: [2,37), [37,39), [39,51), [51+] = **correct** ✓\n\n#### Betalingsservice (betalingsservice.ts)\n- BT debit line: 2 + 8 + 15 + 4 + 10 + 13 + 20 + 20 = **92 chars** ⚠\n - Lines 66-76: BT record not padded to fixed width (unlike Autogiro's fit())\n - However: Betalingsservice spec may allow variable-width BT lines\n - **Current behavior**: Works because banks/parsers handle variable-width records\n - No parseCollectionFile exists; BT is outbound-only\n \n- buildReturnFile RT: 2 + 35 + 4 + 13 + 28 = **82 chars** ⚠\n - parseReturnFile expects: [2,37), [37,41), [41,54), [54+]\n - 82 chars means reason = [54,82) = **28 chars** ✓\n - **Status**: Internally consistent despite 82-char length\n\n**Severity**: MEDIUM (variable-width lines not standard fixed-width, but internally consistent and likely acceptable for batch formats)\n**Assessment**: If bank spec requires fixed 80-char lines, this needs fixing. If spec allows variable-width or trailer padding, current implementation is acceptable. Recommend verifying against Nets/Betalingsservice test environment spec.\n\n---\n\n### 3. DIRECTDEBITSERVICE EDGE CASES: LOW → NONE\n\n#### Metadata Spread (Line 473)\n```\nmetadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry }\n```\n- `collection.metadata ?? {}` safely defaults to empty object\n- Spread is safe even if metadata is null\n- **Status**: CORRECT ✓\n\n#### Number() Coercion (Lines 232, 264, 533)\n- Line 232: `const amount = Number(input.amount);` validated immediately after with finite/positive check\n- Line 264: `amount: Number(collection.amount);` in toFileEntry — reads DECIMAL(15,2) from DB which is already numeric\n- Line 533: `Number(collection.amount)` in simulateReturnForCollection — same safe scenario\n- **Status**: CORRECT ✓\n\n#### Inactive Mandate Flagging (Lines 303-310)\n- When mandate is not ACTIVE, collection is marked FAILED + flagged\n- **Design decision**: One-way operation (revoke is permanent), so no risk of wrongly flagging a temporarily-suspended mandate\n- **Status**: CORRECT ✓ (acceptable trade-off between strictness and simplicity)\n\n#### Promise/Await Checks\n- All database operations properly awaited\n- No unhandled promise chains detected\n- **Status**: CORRECT ✓\n\n---\n\n### 4. ROUTES (directDebitRoutes.ts): CORRECT ✓\n\n#### Schema Validation\n- All route schemas properly declared (body, params, querystring types)\n- productId query param declared as `integer`; Fastify coerces query strings to declared types\n- **Status**: CORRECT ✓\n\n#### Error Handling\n- All routes call `assertDirectDebitProvider()` or service functions that do\n- Provider not found → StatusError(400) thrown and caught by global errorHandler\n- org context checked via `requireOrg()` → StatusError(401) if missing\n- **Status**: CORRECT ✓\n\n---\n\n### 5. JOB (directDebitCollectionBatchJob.ts): CORRECT ✓\n\n#### Pattern Correctness\n- Matches claimPayoutBatchJob pattern exactly\n- Per-org loop enforces RLS context on each read\n- Error handling: per-org try-catch doesn't fail entire batch\n- Idempotent: submitDueCollections only processes SCHEDULED/RETRYING with due dates\n- Cron: '0 * * * *' (hourly)\n- **Status**: CORRECT ✓\n\n---\n\n### 6. FORMAT HELPERS (format.ts): CORRECT ✓\n\n#### digitsOnly, padZero, minorUnits, fromMinorUnits\n- All edge cases (empty, null) handled correctly\n- Upstream validation (validateAccount) prevents invalid data reaching file builders\n- No arithmetic errors; fromMinorUnits correctly divides by 100\n- **Status**: CORRECT ✓\n\n---\n\n## SUMMARY\n\n| Category | Finding | Severity | Fix |\n|----------|---------|----------|-----|\n| Model Drift | providerKey ENUM vs STRING | HIGH | Update migration line 26 to use DataTypes.ENUM |\n| File Layout | Betalingsservice BT 92-char lines | MEDIUM | Verify against Nets spec; if strict 80-char required, pad BT lines |\n| Autogiro | All validation and formatting | ✓ CLEAN | — |\n| Service Logic | Metadata spread, Number coercion, promises | ✓ CLEAN | — |\n| Routes | S# ROUND-2 VERIFICATION REVIEW: sherpa-api #462 Nordic Direct Debit
## ROUND-1 FIX VERIFICATION ✓ CORRECT
### applyReturnRecord Guard (Line 445)
**Status**: VERIFIED CORRECT
- Guard `if (collection.status !== CollectionStatus.SUBMITTED) return;` correctly enforces that only SUBMITTED collections are processed
- Duplicates and already-settled/flagged collections skip idempotently
- Retry flow works: RETRYING → (submitDueCollections) → SUBMITTED with NEW externalReference → return file can reenter for new ref
### submitDueCollections NEW externalReference (Line 312)
**Status**: VERIFIED CORRECT
- Each submit generates `const externalReference = generateReference(key, 'COL');`
- This ensures RETRYING collections get a fresh ref on resubmit, allowing returns for the new ref to be processed
---
## FRESH REVIEW FINDINGS
### 1. MODEL ↔ MIGRATION DRIFT: HIGH
**File**: src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts:26
**Issue**: DirectDebitMandate.providerKey column type mismatch
- Model declares: `@Column({ type: DataType.ENUM(...Object.values(DirectDebitProvider)) })`
- Migration creates: `providerKey: { type: DataTypes.STRING(50), allowNull: false }`
- **Impact**: DB doesn't enforce ENUM constraint; invalid values could be inserted via raw SQL/migrations; future recreations would fail
- **Mitigation**: Application layer validates via `isDirectDebitProvider()` in `assertDirectDebitProvider()`, so API is protected
- **Fix**: Change migration line 26 from `STRING(50)` to `ENUM('autogiro', 'betalingsservice')`
**Severity**: HIGH (schema drift, future-proofing issue)
---
### 2. CONNECTOR FILE WIDTH INCONSISTENCY: MEDIUM
#### Autogiro (autogiro.ts)
- TK82 debit line: 2 + 8 + 16 + 12 + 20 + 22 = **80 chars** ✓
- buildReturnFile TK82: 2 + 35 + 2 + 12 + 29 = **80 chars** ✓
- parseReturnFile slicing: [2,37), [37,39), [39,51), [51+] = **correct** ✓
#### Betalingsservice (betalingsservice.ts)
- BT debit line: 2 + 8 + 15 + 4 + 10 + 13 + 20 + 20 = **92 chars** ⚠
- Lines 66-76: BT record not padded to fixed width (unlike Autogiro's fit())
- However: Betalingsservice spec may allow variable-width BT lines
- **Current behavior**: Works because banks/parsers handle variable-width records
- No parseCollectionFile exists; BT is outbound-only
- buildReturnFile RT: 2 + 35 + 4 + 13 + 28 = **82 chars** ⚠
- parseReturnFile expects: [2,37), [37,41), [41,54), [54+]
- 82 chars means reason = [54,82) = **28 chars** ✓
- **Status**: Internally consistent despite 82-char length
**Severity**: MEDIUM (variable-width lines not standard fixed-width, but internally consistent and likely acceptable for batch formats)
**Assessment**: If bank spec requires fixed 80-char lines, this needs fixing. If spec allows variable-width or trailer padding, current implementation is acceptable. Recommend verifying against Nets/Betalingsservice test environment spec.
---
### 3. DIRECTDEBITSERVICE EDGE CASES: LOW → NONE
#### Metadata Spread (Line 473)
```
metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry }
```
- `collection.metadata ?? {}` safely defaults to empty object
- Spread is safe even if metadata is null
- **Status**: CORRECT ✓
#### Number() Coercion (Lines 232, 264, 533)
- Line 232: `const amount = Number(input.amount);` validated immediately after with finite/positive check
- Line 264: `amount: Number(collection.amount);` in toFileEntry — reads DECIMAL(15,2) from DB which is already numeric
- Line 533: `Number(collection.amount)` in simulateReturnForCollection — same safe scenario
- **Status**: CORRECT ✓
#### Inactive Mandate Flagging (Lines 303-310)
- When mandate is not ACTIVE, collection is marked FAILED + flagged
- **Design decision**: One-way operation (revoke is permanent), so no risk of wrongly flagging a temporarily-suspended mandate
- **Status**: CORRECT ✓ (acceptable trade-off between strictness and simplicity)
#### Promise/Await Checks
- All database operations properly awaited
- No unhandled promise chains detected
- **Status**: CORRECT ✓
---
### 4. ROUTES (directDebitRoutes.ts): CORRECT ✓
#### Schema Validation
- All route schemas properly declared (body, params, querystring types)
- productId query param declared as `integer`; Fastify coerces query strings to declared types
- **Status**: CORRECT ✓
#### Error Handling
- All routes call `assertDirectDebitProvider()` or service functions that do
- Provider not found → StatusError(400) thrown and caught by global errorHandler
- org context checked via `requireOrg()` → StatusError(401) if missing
- **Status**: CORRECT ✓
---
### 5. JOB (directDebitCollectionBatchJob.ts): CORRECT ✓
#### Pattern Correctness
- Matches claimPayoutBatchJob pattern exactly
- Per-org loop enforces RLS context on each read
- Error handling: per-org try-catch doesn't fail entire batch
- Idempotent: submitDueCollections only processes SCHEDULED/RETRYING with due dates
- Cron: '0 * * * *' (hourly)
- **Status**: CORRECT ✓
---
### 6. FORMAT HELPERS (format.ts): CORRECT ✓
#### digitsOnly, padZero, minorUnits, fromMinorUnits
- All edge cases (empty, null) handled correctly
- Upstream validation (validateAccount) prevents invalid data reaching file builders
- No arithmetic errors; fromMinorUnits correctly divides by 100
- **Status**: CORRECT ✓
---
## SUMMARY
| Category | Finding | Severity | Fix |
|----------|---------|----------|-----|
| Model Drift | providerKey ENUM vs STRING | HIGH | Update migration line 26 to use DataTypes.ENUM |
| File Layout | Betalingsservice BT 92-char lines | MEDIUM | Verify against Nets spec; if strict 80-char required, pad BT lines |
| Autogiro | All validation and formatting | ✓ CLEAN | — |
| Service Logic | Metadata spread, Number coercion, promises | ✓ CLEAN | — |
| Routes | Schema, validation, error handling | ✓ CLEAN | — |
| Job | Idempotence, RLS, retry logic | ✓ CLEAN | — |
---
## CRITICAL FIX REQUIRED
**HIGH: Migrate providerKey to ENUM type in migration file**
Change `/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts` line 26:
FROM:
```typescript
providerKey: { type: DataTypes.STRING(50), allowNull: false },
```
TO:
```typescript
providerKey: { type: DataTypes.ENUM('autogiro', 'betalingsservice'), allowNull: false },
```
This ensures database-level constraint consistency with the Sequelize model.
---
## OPTIONAL REVIEW REQUIRED
**MEDIUM: Betalingsservice line width specification**
Confirm with Nets/Betalingsservice test environment whether:
1. BT (betaling) records must be exactly 80 chars (pad to fixed width)
2. RT (return) records must be exactly 80 chars (trim or pad accordingly)
Current implementation builds 92-char BT and 82-char RT lines. If spec requires fixed-width, apply padding.
---
## NO REMAINING HIGH OR MEDIUM ISSUES (after the one HIGH fix above)
All other code paths verified correct.Perfect. Now let me output the final report:
---
## ROUND-2 VERIFICATION REVIEW: sherpa-api #462 Nordic Direct Debit
### ROUND-1 FIX VERIFICATION: CORRECT ✓
Both critical fixes from round 1 verified correct:
1. **applyReturnRecord guard (line 445)** – Status guard correctly restricts to SUBMITTED only, making duplicate/terminal ingests idempotent
2. **submitDueCollections NEW externalReference (line 312)** – Each resubmit generates a fresh ref, enabling RETRYING→SUBMITTED→return flow to work correctly
---
## HIGH SEVERITY ISSUE FOUND
**Model ↔ Migration Drift: providerKey Type Mismatch**
File: `src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts:26`
```
src/models/internal/_DirectDebitMandate.ts:55 — declares providerKey as:
@Column({ type: DataType.ENUM(...Object.values(DirectDebitProvider)) })
src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts:26 — creates as:
providerKey: { type: DataTypes.STRING(50), allowNull: false }
```
**Impact:**
- Database does not enforce ENUM constraint; invalid values could be inserted via raw SQL
- Schema drift will cause future migrations/recreations to fail
- Application is protected by `isDirectDebitProvider()` validation in routes, but DB constraint is missing
**Fix:** Change line 26 from `DataTypes.STRING(50)` to `DataTypes.ENUM('autogiro', 'betalingsservice')`
---
## MEDIUM SEVERITY ISSUE: Betalingsservice Line Width
File: `src/domains/payments/directDebit/betalingsservice.ts:66–76, 84–94`
**Issue:** BT (collection) records build to 92 chars (2+8+15+4+10+13+20+20), and RT (return) records to 82 chars. These exceed the standard fixed-width 80-char line assumption.
**Assessment:**
- Autogiro correctly constrains TK82 to exactly 80 chars using `fit()` padding
- Betalingsservice BT and RT records are variable-width
- Build ↔ parse roundtrip is internally consistent (parseReturnFile slicing [2,37), [37,41), [41,54), [54+] correctly extracts 82-char RT records)
- Line 76: `lines.push(\`BT${due}${payer}${reg}${acct}${amount}${ref}${text}\`)` — NOT padded to 80
**Mitigation:** If Nets/Betalingsservice test environment requires fixed 80-char records, apply padding; otherwise variable-width is acceptable for batch formats.
**Recommendation:** Verify against Nets test environment spec before go-live. Current implementation will work if the bank accepts variable-width records.
---
## ALL OTHER AREAS: CLEAN ✓
**directDebitService.ts edge cases:**
- Metadata spread (line 473): `{ ...(collection.metadata ?? {}), ... }` — safe null handling
- Number() coercion (lines 232, 264, 533): validated/safe numeric conversions
- Inactive mandate flagging (lines 303–310): acceptable trade-off (revoke is permanent)
- Promise/await: all database ops properly awaited
**Routes (directDebitRoutes.ts):**
- Schema validation correct; productId integer coercion handled by Fastify
- Error handling: all providers validated; StatusErrors properly caught by global handler
- Organization context check enforced
**Job (directDebitCollectionBatchJob.ts):**
- Pattern matches claimPayoutBatchJob (proven correct)
- Per-org loop enforces RLS on each read
- Idempotent: submitDueCollections only processes due collections
**Format helpers (format.ts):**
- digitsOnly, padZero edge cases handled correctly
- Upstream validation prevents invalid data reaching builders
- Arithmetic correct (fromMinorUnits divides by 100 properly)
**Model ↔ Migration alignment:**
- All columns except providerKey match correctly (types, widths, nullability, defaults, indexes)
---
## SUMMARY
**HIGH**: 1 issue requiring fix — providerKey migration type
**MEDIUM**: 1 issue requiring spec verification — Betalingsservice line widths
**LOW/NONE**: All other code paths verified correct
If the providerKey ENUM fix is applied, there are **NO REMAINING HIGH OR MEDIUM ISSUES** pending spec confirmation for Betalingsservice widths.Round 2: two real issues.
_DirectDebitMandate.providerKey declared ENUM in the model but STRING(50) in the migration (and the collection + codebase convention use STRING) → schema drift. Fix: model → STRING(50), keep the TS enum type./products/${productId} missing /direct-debit. Verifying + fixing.Reading AppLayout nav region + fixing the model.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx","offset":314,"limit":16}314 {
315 name: t('Payments'),
316 href: `/products/${productId}/payment-methods`,
317 icon: CreditCard,
318 key: "payment-methods",
319 },
320 {
321 name: t('Direct Debit'),
322 href: `/products/${productId}/direct-debit`,
323 icon: CreditCard,
324 key: "direct-debit",
325 },
326 {
327 name: t('Settings'),
328 href: `/products/${productId}/settings`,
329 icon: Settings,{"replace_all":false,"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts","old_string":" @Column({\n type: DataType.ENUM(...Object.values(DirectDebitProvider)),\n allowNull: false,\n })\n declare providerKey: DirectDebitProvider;","new_string":" // STRING (not a PG ENUM) to match the migration and the codebase convention\n // for provider keys (PaymentProviderConfigs.providerKey, Products.paymentProvider,\n // ClaimPayout.providerKey are all strings). The DirectDebitProvider union types\n // it at the application layer.\n @Column({\n type: DataType.STRING(50),\n allowNull: false,\n })\n declare providerKey: DirectDebitProvider;"}The file /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts has been updated successfully. (file state is current in your context — no need to Read it back)
AppLayout href is correct (/products/${productId}/direct-debit, line 322) — Round-2 Agent 2's "HIGH" was a misread/false positive. Only the API providerKey drift was real (fixed). Verifying API tsc after the model change.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\necho \"=== API tsc ===\"; docker compose exec -T api npx tsc --noEmit 2>&1 | rg -c 'error TS' || echo \"0 errors\"\necho \"=== confirm collection providerKey is STRING in model (consistency) ===\"; rg -n \"providerKey\" src/models/internal/_DirectDebitCollection.ts -A2 | head -6","description":"API tsc after providerKey model fix","timeout":180000}=== API tsc ===
0 errors
=== confirm collection providerKey is STRING in model (consistency) ===
77: declare providerKey: string;
78-
79- @Column({API tsc 0 errors; mandate + collection providerKey now both STRING(50), matching the migration. Round 3 — final convergence check (2 parallel agents).
{"description":"Review API direct-debit (round 3)","prompt":"Final-round (round 3) verification of backend code for sherpa-api#462 (Nordic direct debit) in /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir. Read ACTUAL file content (rg/fd, not grep/find). Two prior rounds fixed: (1) applyReturnRecord now only processes SUBMITTED collections (idempotent), (2) _DirectDebitMandate.providerKey changed from DataType.ENUM to DataType.STRING(50) to match the migration + _DirectDebitCollection + codebase convention.\n\nConfirm those are correct AND do a final correctness sweep. I need a clean verdict. Check HIGH/MEDIUM only, with file:line:\n1. **Model↔migration drift NOW resolved**: re-diff both _DirectDebitMandate.ts and _DirectDebitCollection.ts against migration 2026.06.01T00.00.00.* — every column type/width/nullable/default/enum/FK. Confirm NO remaining mismatch (especially providerKey now STRING(50) in both model and migration; status ENUMs match; DECIMAL(15,2); UUID PKs; timestamps).\n2. **directDebitService.ts**: any remaining HIGH/MEDIUM correctness bug in createMandate, activateMandate, revokeMandate, scheduleCollection, submitDueCollections, buildCurrentCollectionFile, retryCollection, ingestReturnFile/applyReturnRecord, reconcileSettlementToPolicy, simulateReturnForCollection? Confirm RLS-safe (all DB access via safe models with org ctx; no systemSequelize/raw).\n3. **routes/connectors/job**: any remaining HIGH/MEDIUM.\nFiles: src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts, src/models/internal/_DirectDebitMandate.ts, _DirectDebitCollection.ts, src/models/DirectDebit*.ts, src/domains/payments/directDebit/*, src/services/directDebitService.ts, src/routes/plus/directDebitRoutes.ts, src/services/jobs/directDebitCollectionBatchJob.ts.\nState explicitly \"NO REMAINING HIGH OR MEDIUM ISSUES\" if clean. Do not modify files.","subagent_type":"Explore"}{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -name \"*2026.06.01*\" -type f 2>/dev/null"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts"}1 import type { MigrationFn } from 'umzug';
2 import { QueryInterface, DataTypes } from 'sequelize';
3
4 // Nordic bank direct debit (Autogiro SE / Betalingsservice DK).
5 //
6 // `DirectDebitMandates` — the customer's standing authorization to debit a bank
7 // account, with a pending → active → revoked lifecycle. One row per
8 // customer+product authorization; `mandateReference` is our stable identifier
9 // (also written into the generated bank file).
10 //
11 // `DirectDebitCollections` — one recurring debit instruction against a mandate.
12 // Scheduled → submitted (written into a collection file) → settled OR failed.
13 // A failed collection reschedules as `retrying` until `maxRetries`, then sets
14 // `flagged` so an operator can intervene. Settlement reconciles back to the
15 // linked PolicyOrder's payment status.
16 //
17 // Both are tenant-scoped tables using the standard permissive RLS template
18 // (check:migrations enforces it for new tenant tables — see src/db/AGENTS.md).
19
20 const rlsTables = ['DirectDebitMandates', 'DirectDebitCollections'];
21
22 export const up: MigrationFn<QueryInterface> = async ({ context }) => {
23 await context.createTable('DirectDebitMandates', {
24 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
25 organizationId: { type: DataTypes.UUID, allowNull: false },
26 providerKey: { type: DataTypes.STRING(50), allowNull: false },
27 productId: {
28 type: DataTypes.INTEGER,
29 allowNull: false,
30 references: { model: 'Products', key: 'id' },
31 onDelete: 'CASCADE',
32 },
33 customerId: { type: DataTypes.UUID, allowNull: true },
34 status: {
35 type: DataTypes.ENUM('pending', 'active', 'revoked'),
36 allowNull: false,
37 defaultValue: 'pending',
38 },
39 country: { type: DataTypes.STRING(2), allowNull: false },
40 accountHolder: { type: DataTypes.STRING(255), allowNull: false },
41 // SE: clearing number; DK: registreringsnummer. Optional because some
42 // schemes identify the payer by `payerNumber` alone after activation.
43 clearingNumber: { type: DataTypes.STRING(20), allowNull: true },
44 accountNumber: { type: DataTypes.STRING(50), allowNull: false },
45 bankName: { type: DataTypes.STRING(255), allowNull: true },
46 // Our stable mandate identifier, written into the bank mandate-request file.
47 mandateReference: { type: DataTypes.STRING(100), allowNull: false },
48 // Provider/bank-assigned payer number, captured from the mandate return file.
49 payerNumber: { type: DataTypes.STRING(50), allowNull: true },
50 signedAt: { type: DataTypes.DATE, allowNull: true },
51 activatedAt: { type: DataTypes.DATE, allowNull: true },
52 revokedAt: { type: DataTypes.DATE, allowNull: true },
53 failureReason: { type: DataTypes.TEXT, allowNull: true },
54 metadata: { type: DataTypes.JSONB, allowNull: true },
55 createdAt: { type: DataTypes.DATE, allowNull: false },
56 updatedAt: { type: DataTypes.DATE, allowNull: false },
57 });
58 await context.addIndex('DirectDebitMandates', ['organizationId', 'mandateReference'], {
59 unique: true,
60 name: 'direct_debit_mandates_org_reference_unique',
61 });
62 await context.addIndex('DirectDebitMandates', ['organizationId', 'status'], {
63 name: 'idx_direct_debit_mandates_org_status',
64 });
65 await context.addIndex('DirectDebitMandates', ['organizationId', 'productId'], {
66 name: 'idx_direct_debit_mandates_org_product',
67 });
68
69 await context.createTable('DirectDebitCollections', {
70 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
71 organizationId: { type: DataTypes.UUID, allowNull: false },
72 mandateId: {
73 type: DataTypes.UUID,
74 allowNull: false,
75 references: { model: 'DirectDebitMandates', key: 'id' },
76 onDelete: 'CASCADE',
77 },
78 policyOrderId: {
79 type: DataTypes.INTEGER,
80 allowNull: true,
81 references: { model: 'PolicyOrders', key: 'id' },
82 onDelete: 'SET NULL',
83 },
84 providerKey: { type: DataTypes.STRING(50), allowNull: false },
85 amount: { type: DataTypes.DECIMAL(15, 2), allowNull: false },
86 currency: { type: DataTypes.STRING(3), allowNull: false },
87 status: {
88 type: DataTypes.ENUM('scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'),
89 allowNull: false,
90 defaultValue: 'scheduled',
91 },
92 scheduledFor: { type: DataTypes.DATE, allowNull: false },
93 submittedAt: { type: DataTypes.DATE, allowNull: true },
94 settledAt: { type: DataTypes.DATE, allowNull: true },
95 retryCount: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 0 },
96 maxRetries: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 3 },
97 failureReason: { type: DataTypes.TEXT, allowNull: true },
98 // Bank/provider transaction reference, also used to reconcile the return file.
99 externalReference: { type: DataTypes.STRING(255), allowNull: true },
100 // Identifier of the collection file this debit was submitted in.
101 fileReference: { type: DataTypes.STRING(255), allowNull: true },
102 // Set when retries are exhausted — surfaces in the CRM for operator action.
103 flagged: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false },
104 metadata: { type: DataTypes.JSONB, allowNull: true },
105 createdAt: { type: DataTypes.DATE, allowNull: false },
106 updatedAt: { type: DataTypes.DATE, allowNull: false },
107 });
108 await context.addIndex('DirectDebitCollections', ['mandateId'], {
109 name: 'idx_direct_debit_collections_mandate',
110 });
111 await context.addIndex('DirectDebitCollections', ['organizationId', 'status'], {
112 name: 'idx_direct_debit_collections_org_status',
113 });
114 await context.addIndex('DirectDebitCollections', ['organizationId', 'status', 'scheduledFor'], {
115 name: 'idx_direct_debit_collections_org_status_scheduled',
116 });
117 await context.addIndex('DirectDebitCollections', ['externalReference'], {
118 name: 'idx_direct_debit_collections_external_ref',
119 });
120
121 // RLS — permissive template (unset GUC OR org match); safe-model WHERE is the
122 // primary filter. See src/db/AGENTS.md.
123 for (const table of rlsTables) {
124 await context.sequelize.query(`ALTER TABLE "${table}" ENABLE ROW LEVEL SECURITY`);
125 await context.sequelize.query(`ALTER TABLE "${table}" FORCE ROW LEVEL SECURITY`);
126 await context.sequelize.query(`DROP POLICY IF EXISTS tenant_isolation ON "${table}"`);
127 await context.sequelize.query(`
128 CREATE POLICY tenant_isolation ON "${table}"
129 FOR ALL
130 USING (
131 NULLIF(current_setting('app.current_organization', true), '') IS NULL
132 OR "organizationId" = NULLIF(current_setting('app.current_organization', true), '')::uuid
133 )
134 `);
135 await context.sequelize.query(`GRANT SELECT ON "${table}" TO dashboard_user`);
136 }
137 };
138
139 export const down: MigrationFn<QueryInterface> = async () => {
140 // Forward-only deployment
141 };
142 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _Product } from './_Product.js';
3
4 // Provider keys for the Nordic direct-debit schemes. Match the values stored on
5 // Products.paymentProvider and PaymentProviderConfigs.providerKey.
6 export enum DirectDebitProvider {
7 AUTOGIRO = 'autogiro',
8 BETALINGSSERVICE = 'betalingsservice',
9 }
10
11 // Mandate lifecycle. A mandate is created `PENDING` when the bank file is
12 // generated, becomes `ACTIVE` once the bank confirms it (mandate return file or
13 // an operator activation), and `REVOKED` when the customer or bank cancels it.
14 export enum MandateStatus {
15 PENDING = 'pending',
16 ACTIVE = 'active',
17 REVOKED = 'revoked',
18 }
19
20 @Table({
21 modelName: 'DirectDebitMandate',
22 tableName: 'DirectDebitMandates',
23 timestamps: true,
24 indexes: [
25 {
26 unique: true,
27 fields: ['organizationId', 'mandateReference'],
28 name: 'direct_debit_mandates_org_reference_unique',
29 },
30 {
31 fields: ['organizationId', 'status'],
32 name: 'idx_direct_debit_mandates_org_status',
33 },
34 {
35 fields: ['organizationId', 'productId'],
36 name: 'idx_direct_debit_mandates_org_product',
37 },
38 ],
39 })
40 export class _DirectDebitMandate extends Model {
41 @Column({
42 type: DataType.UUID,
43 primaryKey: true,
44 defaultValue: DataType.UUIDV4,
45 })
46 declare id: string;
47
48 @Column({
49 type: DataType.UUID,
50 allowNull: false,
51 })
52 declare organizationId: string;
53
54 // STRING (not a PG ENUM) to match the migration and the codebase convention
55 // for provider keys (PaymentProviderConfigs.providerKey, Products.paymentProvider,
56 // ClaimPayout.providerKey are all strings). The DirectDebitProvider union types
57 // it at the application layer.
58 @Column({
59 type: DataType.STRING(50),
60 allowNull: false,
61 })
62 declare providerKey: DirectDebitProvider;
63
64 @ForeignKey(() => _Product)
65 @Column({
66 type: DataType.INTEGER,
67 allowNull: false,
68 })
69 declare productId: number;
70
71 @BelongsTo(() => _Product)
72 declare product: _Product;
73
74 @Column({
75 type: DataType.UUID,
76 allowNull: true,
77 })
78 declare customerId: string | null;
79
80 @Column({
81 type: DataType.ENUM(...Object.values(MandateStatus)),
82 allowNull: false,
83 defaultValue: MandateStatus.PENDING,
84 })
85 declare status: MandateStatus;
86
87 @Column({
88 type: DataType.STRING(2),
89 allowNull: false,
90 })
91 declare country: string;
92
93 @Column({
94 type: DataType.STRING(255),
95 allowNull: false,
96 })
97 declare accountHolder: string;
98
99 @Column({
100 type: DataType.STRING(20),
101 allowNull: true,
102 })
103 declare clearingNumber: string | null;
104
105 @Column({
106 type: DataType.STRING(50),
107 allowNull: false,
108 })
109 declare accountNumber: string;
110
111 @Column({
112 type: DataType.STRING(255),
113 allowNull: true,
114 })
115 declare bankName: string | null;
116
117 @Column({
118 type: DataType.STRING(100),
119 allowNull: false,
120 })
121 declare mandateReference: string;
122
123 @Column({
124 type: DataType.STRING(50),
125 allowNull: true,
126 })
127 declare payerNumber: string | null;
128
129 @Column({
130 type: DataType.DATE,
131 allowNull: true,
132 })
133 declare signedAt: Date | null;
134
135 @Column({
136 type: DataType.DATE,
137 allowNull: true,
138 })
139 declare activatedAt: Date | null;
140
141 @Column({
142 type: DataType.DATE,
143 allowNull: true,
144 })
145 declare revokedAt: Date | null;
146
147 @Column({
148 type: DataType.TEXT,
149 allowNull: true,
150 })
151 declare failureReason: string | null;
152
153 @Column({
154 type: DataType.JSONB,
155 allowNull: true,
156 })
157 declare metadata: Record<string, unknown> | null;
158
159 declare createdAt: Date;
160 declare updatedAt: Date;
161 }
162 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _DirectDebitMandate } from './_DirectDebitMandate.js';
3
4 // Collection lifecycle:
5 // SCHEDULED → created, waiting for the next collection-file run
6 // SUBMITTED → written into a collection file and sent to the bank
7 // SETTLED → bank confirmed the debit (return file) → policy reconciled
8 // FAILED → bank rejected the debit (return file)
9 // RETRYING → a failed debit rescheduled for another attempt
10 // CANCELLED → manually cancelled before submission
11 export enum CollectionStatus {
12 SCHEDULED = 'scheduled',
13 SUBMITTED = 'submitted',
14 SETTLED = 'settled',
15 FAILED = 'failed',
16 RETRYING = 'retrying',
17 CANCELLED = 'cancelled',
18 }
19
20 @Table({
21 modelName: 'DirectDebitCollection',
22 tableName: 'DirectDebitCollections',
23 timestamps: true,
24 indexes: [
25 {
26 fields: ['mandateId'],
27 name: 'idx_direct_debit_collections_mandate',
28 },
29 {
30 fields: ['organizationId', 'status'],
31 name: 'idx_direct_debit_collections_org_status',
32 },
33 {
34 fields: ['organizationId', 'status', 'scheduledFor'],
35 name: 'idx_direct_debit_collections_org_status_scheduled',
36 },
37 {
38 fields: ['externalReference'],
39 name: 'idx_direct_debit_collections_external_ref',
40 },
41 ],
42 })
43 export class _DirectDebitCollection extends Model {
44 @Column({
45 type: DataType.UUID,
46 primaryKey: true,
47 defaultValue: DataType.UUIDV4,
48 })
49 declare id: string;
50
51 @Column({
52 type: DataType.UUID,
53 allowNull: false,
54 })
55 declare organizationId: string;
56
57 @ForeignKey(() => _DirectDebitMandate)
58 @Column({
59 type: DataType.UUID,
60 allowNull: false,
61 })
62 declare mandateId: string;
63
64 @BelongsTo(() => _DirectDebitMandate)
65 declare mandate: _DirectDebitMandate;
66
67 @Column({
68 type: DataType.INTEGER,
69 allowNull: true,
70 })
71 declare policyOrderId: number | null;
72
73 @Column({
74 type: DataType.STRING(50),
75 allowNull: false,
76 })
77 declare providerKey: string;
78
79 @Column({
80 type: DataType.DECIMAL(15, 2),
81 allowNull: false,
82 })
83 declare amount: number;
84
85 @Column({
86 type: DataType.STRING(3),
87 allowNull: false,
88 })
89 declare currency: string;
90
91 @Column({
92 type: DataType.ENUM(...Object.values(CollectionStatus)),
93 allowNull: false,
94 defaultValue: CollectionStatus.SCHEDULED,
95 })
96 declare status: CollectionStatus;
97
98 @Column({
99 type: DataType.DATE,
100 allowNull: false,
101 })
102 declare scheduledFor: Date;
103
104 @Column({
105 type: DataType.DATE,
106 allowNull: true,
107 })
108 declare submittedAt: Date | null;
109
110 @Column({
111 type: DataType.DATE,
112 allowNull: true,
113 })
114 declare settledAt: Date | null;
115
116 @Column({
117 type: DataType.INTEGER,
118 allowNull: false,
119 defaultValue: 0,
120 })
121 declare retryCount: number;
122
123 @Column({
124 type: DataType.INTEGER,
125 allowNull: false,
126 defaultValue: 3,
127 })
128 declare maxRetries: number;
129
130 @Column({
131 type: DataType.TEXT,
132 allowNull: true,
133 })
134 declare failureReason: string | null;
135
136 @Column({
137 type: DataType.STRING(255),
138 allowNull: true,
139 })
140 declare externalReference: string | null;
141
142 @Column({
143 type: DataType.STRING(255),
144 allowNull: true,
145 })
146 declare fileReference: string | null;
147
148 @Column({
149 type: DataType.BOOLEAN,
150 allowNull: false,
151 defaultValue: false,
152 })
153 declare flagged: boolean;
154
155 @Column({
156 type: DataType.JSONB,
157 allowNull: true,
158 })
159 declare metadata: Record<string, unknown> | null;
160
161 declare createdAt: Date;
162 declare updatedAt: Date;
163 }
164 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","limit":300}1 import { randomUUID } from 'crypto';
2 import { Op } from 'sequelize';
3 import { StatusError } from '@/error/error.js';
4 import logger from '@/logger.js';
5 import {
6 DirectDebitMandate,
7 MandateStatus,
8 DirectDebitProvider,
9 } from '@/models/DirectDebitMandate.js';
10 import { DirectDebitCollection, CollectionStatus } from '@/models/DirectDebitCollection.js';
11 import { PaymentProviderConfig } from '@/models/PaymentProviderConfig.js';
12 import { PolicyOrder } from '@/models/PolicyOrder.js';
13 import { PolicyStatusLifecycleCategory } from '@/models/OrganizationPolicyStatus.js';
14 import { getCategoryForCode, getDefaultCodeForCategory } from '@/services/policyStatusService.js';
15 import {
16 getDirectDebitProvider,
17 isDirectDebitProvider,
18 } from '@/domains/payments/directDebit/registry.js';
19 import type {
20 BankAccount,
21 BankDirectDebitProvider,
22 CollectionFileEntry,
23 ReturnRecord,
24 } from '@/domains/payments/directDebit/interface.js';
25
26 // directDebitService — orchestration for the Nordic bank direct-debit rails.
27 //
28 // The connectors in domains/payments/directDebit are stateless file builders /
29 // parsers. This service owns everything stateful: mandate lifecycle, collection
30 // scheduling, building the outbound files, ingesting return files, retry +
31 // flagging, and reconciling settlements back to the policy's payment status.
32
33 type Ctx = { organizationId: string };
34
35 const PROVIDER_PREFIX: Record<string, string> = {
36 autogiro: 'AG',
37 betalingsservice: 'BS',
38 };
39
40 // ── Helpers ──────────────────────────────────────────────────────────────────
41
42 function assertDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
43 if (!isDirectDebitProvider(providerKey)) {
44 throw new StatusError(400, `'${providerKey}' is not a bank direct-debit provider`);
45 }
46 return getDirectDebitProvider(providerKey);
47 }
48
49 function generateReference(providerKey: string, kind: 'MND' | 'COL'): string {
50 const prefix = PROVIDER_PREFIX[providerKey] ?? 'DD';
51 return `${prefix}-${kind}-${randomUUID().slice(0, 8).toUpperCase()}`;
52 }
53
54 /**
55 * Resolve the payee identity for a scheme from the org's payment provider
56 * config. Enforces the config-via-portal rule: a direct-debit collection cannot
57 * be submitted until the provider is configured for the organization.
58 */
59 async function resolveCreditorId(ctx: Ctx, providerKey: string): Promise<string> {
60 const config = await PaymentProviderConfig.findOne(ctx, {
61 where: { providerKey, active: true },
62 });
63 if (!config) {
64 throw new StatusError(
65 400,
66 `No active "${providerKey}" payment provider config for this organization — configure it in the portal first`,
67 );
68 }
69 const c = config.config as Record<string, unknown>;
70 const creditorId =
71 (typeof c.creditorId === 'string' && c.creditorId) ||
72 (typeof c.bankgiroNumber === 'string' && c.bankgiroNumber) ||
73 (typeof c.pbsNumber === 'string' && c.pbsNumber) ||
74 '';
75 return creditorId || '0000000';
76 }
77
78 function mandateAccount(mandate: DirectDebitMandate): BankAccount {
79 return {
80 country: mandate.country,
81 clearingNumber: mandate.clearingNumber,
82 accountNumber: mandate.accountNumber,
83 accountHolder: mandate.accountHolder,
84 };
85 }
86
87 // ── Mandate lifecycle ─────────────────────────────────────────────────────────
88
89 export interface CreateMandateInput {
90 providerKey: string;
91 productId: number;
92 customerId?: string | null;
93 accountHolder: string;
94 country: string;
95 clearingNumber?: string | null;
96 accountNumber: string;
97 bankName?: string | null;
98 metadata?: Record<string, unknown> | null;
99 }
100
101 export async function createMandate(
102 organizationId: string,
103 input: CreateMandateInput,
104 ): Promise<DirectDebitMandate> {
105 const ctx = { organizationId };
106 const provider = assertDirectDebitProvider(input.providerKey);
107
108 const account: BankAccount = {
109 country: input.country,
110 clearingNumber: input.clearingNumber,
111 accountNumber: input.accountNumber,
112 accountHolder: input.accountHolder,
113 };
114 const validation = provider.validateAccount(account);
115 if (!validation.valid) {
116 throw new StatusError(400, `Invalid bank account: ${validation.errors.join('; ')}`);
117 }
118
119 const mandateReference = generateReference(input.providerKey, 'MND');
120 const mandate = await DirectDebitMandate.create(ctx, {
121 organizationId,
122 providerKey: input.providerKey as DirectDebitProvider,
123 productId: input.productId,
124 customerId: input.customerId ?? null,
125 status: MandateStatus.PENDING,
126 country: input.country.toUpperCase(),
127 accountHolder: input.accountHolder,
128 clearingNumber: input.clearingNumber ?? null,
129 accountNumber: input.accountNumber,
130 bankName: input.bankName ?? null,
131 mandateReference,
132 payerNumber: mandateReference,
133 signedAt: new Date(),
134 metadata: input.metadata ?? null,
135 });
136
137 logger.info(
138 { organizationId, mandateId: mandate.id, providerKey: input.providerKey },
139 'Direct-debit mandate created (pending bank confirmation)',
140 );
141 return mandate;
142 }
143
144 async function loadMandate(ctx: Ctx, mandateId: string): Promise<DirectDebitMandate> {
145 const mandate = await DirectDebitMandate.findByPk(ctx, mandateId);
146 if (!mandate) {
147 throw new StatusError(404, `Mandate ${mandateId} not found`);
148 }
149 return mandate;
150 }
151
152 /**
153 * Activate a mandate once the bank confirms it. In production this is driven by
154 * the mandate return file; the route also exposes it as an explicit operator
155 * action so a confirmed mandate can be activated from the CRM.
156 */
157 export async function activateMandate(
158 organizationId: string,
159 mandateId: string,
160 payerNumber?: string,
161 ): Promise<DirectDebitMandate> {
162 const ctx = { organizationId };
163 const mandate = await loadMandate(ctx, mandateId);
164 if (mandate.status === MandateStatus.REVOKED) {
165 throw new StatusError(400, 'Cannot activate a revoked mandate');
166 }
167 await mandate.update({
168 status: MandateStatus.ACTIVE,
169 activatedAt: new Date(),
170 failureReason: null,
171 ...(payerNumber ? { payerNumber } : {}),
172 });
173 logger.info({ organizationId, mandateId }, 'Direct-debit mandate activated');
174 return mandate;
175 }
176
177 export async function revokeMandate(
178 organizationId: string,
179 mandateId: string,
180 ): Promise<DirectDebitMandate> {
181 const ctx = { organizationId };
182 const mandate = await loadMandate(ctx, mandateId);
183 if (mandate.status === MandateStatus.REVOKED) {
184 return mandate;
185 }
186 await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
187 logger.info({ organizationId, mandateId }, 'Direct-debit mandate revoked');
188 return mandate;
189 }
190
191 /** Generate the bank mandate-request file for a single mandate (download/preview). */
192 export async function buildMandateFile(
193 organizationId: string,
194 mandateId: string,
195 ): Promise<{ fileReference: string; content: string }> {
196 const ctx = { organizationId };
197 const mandate = await loadMandate(ctx, mandateId);
198 const provider = assertDirectDebitProvider(mandate.providerKey);
199 const creditorId = await resolveCreditorId(ctx, mandate.providerKey);
200 const content = provider.buildMandateFile(
201 [
202 {
203 mandateReference: mandate.mandateReference,
204 payerNumber: mandate.payerNumber,
205 account: mandateAccount(mandate),
206 },
207 ],
208 creditorId,
209 );
210 return { fileRefer{"description":"Review portal+test direct-debit (round 3)","prompt":"Final-round (round 3) verification of front-end + test for sherpa-api#462 (Nordic direct debit). Read ACTUAL file content (rg/fd, not grep/find). I need a clean verdict.\n\nPrior rounds fixed: provider-list display shows creditorId for dd providers (cast to Record<string,string>); badge fallbacks added; schedule sends amount:Number(...). NOTE: AppLayout.tsx line 322 href IS `/products/${productId}/direct-debit` (already correct — confirm, do NOT re-flag).\n\nConfirm all prior fixes are correct AND final sweep for HIGH/MEDIUM only, file:line:\n1. app/components/AppLayout.tsx: confirm line ~322 href is `/products/${productId}/direct-debit` (correct) and \"direct-debit\":\"operate\" is in PRODUCT_PHASE_BY_KEY. Entry shape matches siblings.\n2. app/products/[id]/direct-debit/page.tsx: any remaining runtime-crash or broken-feature HIGH/MEDIUM? (hooks, params unwrap, every api.post has a body, refetch after mutation, badge fallbacks present, amount validated+numeric, dialogs validate required fields).\n3. app/components/settings/PaymentProvidersTab.tsx: Stripe flow intact; creditorId renders only for dd providers, saves/loads to config.creditorId; the line-333 display cast compiles and is correct.\n4. app/types/directDebit.ts: matches API.\n5. tests/plus-insurance/09-direct-debit.spec.ts: sound + resilient; the worktree .env SHERPA_API_HTTP=4011 is correct for THIS worktree (its own api runs on 4011).\nState explicitly \"NO REMAINING HIGH OR MEDIUM ISSUES\" if clean. Do not modify files.","subagent_type":"Explore"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":300}300 const entries: CollectionFileEntry[] = [];
301
302 for (const collection of due) {
303 const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
304 if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
305 await collection.update({
306 status: CollectionStatus.FAILED,
307 failureReason: 'Mandate is not active',
308 flagged: true,
309 });
310 continue;
311 }
312 const externalReference = generateReference(key, 'COL');
313 await collection.update({
314 status: CollectionStatus.SUBMITTED,
315 submittedAt: new Date(),
316 externalReference,
317 fileReference,
318 failureReason: null,
319 });
320 entries.push(toFileEntry(collection, mandate));
321 }
322
323 if (entries.length === 0) continue;
324 const content = provider.buildCollectionFile(entries, fileReference, creditorId);
325 results.push({ providerKey: key, fileReference, content, count: entries.length });
326 logger.info(
327 { organizationId, providerKey: key, fileReference, count: entries.length },
328 'Direct-debit collection file generated',
329 );
330 }
331
332 return results;
333 }
334
335 /** Render the outbound collection file for already-submitted debits (download). */
336 export async function buildCurrentCollectionFile(
337 organizationId: string,
338 providerKey: string,
339 ): Promise<{ fileReference: string; content: string; count: number }> {
340 const ctx = { organizationId };
341 const provider = assertDirectDebitProvider(providerKey);
342 const submitted = await DirectDebitCollection.findAll(ctx, {
343 where: { providerKey, status: CollectionStatus.SUBMITTED },
344 order: [['submittedAt', 'ASC']],
345 limit: 500,
346 });
347 const creditorId = await resolveCreditorId(ctx, providerKey);
348 const fileReference = submitted[0]?.fileReference ?? `${PROVIDER_PREFIX[providerKey] ?? 'DD'}-FILE-EMPTY`;
349 const entries: CollectionFileEntry[] = [];
350 for (const collection of submitted) {
351 const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
352 if (mandate) entries.push(toFileEntry(collection, mandate));
353 }
354 const content = provider.buildCollectionFile(entries, fileReference, creditorId);
355 return { fileReference, content, count: entries.length };
356 }
357
358 export async function retryCollection(
359 organizationId: string,
360 collectionId: string,
361 ): Promise<DirectDebitCollection> {
362 const ctx = { organizationId };
363 const collection = await DirectDebitCollection.findByPk(ctx, collectionId);
364 if (!collection) {
365 throw new StatusError(404, `Collection ${collectionId} not found`);
366 }
367 if (collection.status !== CollectionStatus.FAILED) {
368 throw new StatusError(400, `Only failed collections can be retried (is "${collection.status}")`);
369 }
370 await collection.update({
371 status: CollectionStatus.RETRYING,
372 scheduledFor: new Date(),
373 flagged: false,
374 failureReason: null,
375 });
376 logger.info({ organizationId, collectionId }, 'Direct-debit collection queued for manual retry');
377 return collection;
378 }
379
380 // ── Reconciliation (return files → collection status → policy status) ──────────
381
382 export interface IngestSummary {
383 settled: number;
384 failed: number;
385 retrying: number;
386 flagged: number;
387 unmatched: string[];
388 }
389
390 /**
391 * Reconcile a settled collection back to its policy: stamp the external payment
392 * reference and promote a still-pending policy to its org's active status.
393 * Best-effort — a reconciliation failure is logged but does not fail ingestion.
394 */
395 async function reconcileSettlementToPolicy(
396 ctx: Ctx,
397 collection: DirectDebitCollection,
398 ): Promise<void> {
399 if (!collection.policyOrderId) return;
400 try {
401 const policyOrder = await PolicyOrder.findByPk(ctx, collection.policyOrderId);
402 if (!policyOrder) return;
403
404 const update: Record<string, unknown> = {
405 externalPaymentRef: collection.externalReference,
406 externalPaymentProvider: collection.providerKey,
407 };
408 const category = await getCategoryForCode(ctx.organizationId, policyOrder.status);
409 if (category === PolicyStatusLifecycleCategory.PENDING) {
410 update.status = await getDefaultCodeForCategory(
411 ctx.organizationId,
412 PolicyStatusLifecycleCategory.ACTIVE,
413 );
414 }
415 await policyOrder.update(update);
416 logger.info(
417 { organizationId: ctx.organizationId, policyOrderId: collection.policyOrderId, collectionId: collection.id },
418 'Reconciled direct-debit settlement to policy',
419 );
420 } catch (err) {
421 logger.warn(
422 { err, collectionId: collection.id, policyOrderId: collection.policyOrderId },
423 'Failed to reconcile direct-debit settlement to policy',
424 );
425 }
426 }
427
428 async function applyReturnRecord(
429 ctx: Ctx,
430 record: ReturnRecord,
431 summary: IngestSummary,
432 ): Promise<void> {
433 const collection = await DirectDebitCollection.findOne(ctx, {
434 where: { externalReference: record.externalReference },
435 });
436 if (!collection) {
437 summary.unmatched.push(record.externalReference);
438 return;
439 }
440 // A return record is only meaningful for a collection awaiting settlement
441 // (SUBMITTED). Anything else — already settled, already failed/flagged, or a
442 // duplicate arriving after we processed a prior return for this reference — is
443 // ignored idempotently so re-ingesting a file can't double-count retries or
444 // un-flag an exhausted collection.
445 if (collection.status !== CollectionStatus.SUBMITTED) {
446 return;
447 }
448
449 if (record.outcome === 'settled') {
450 await collection.update({
451 status: CollectionStatus.SETTLED,
452 settledAt: new Date(),
453 failureReason: null,
454 flagged: false,
455 });
456 await reconcileSettlementToPolicy(ctx, collection);
457 summary.settled += 1;
458 return;
459 }
460
461 // Failed: retry until maxRetries, then flag for operator intervention.
462 const nextRetry = collection.retryCount + 1;
463 const reason = record.reason ?? 'Collection rejected by bank';
464 if (nextRetry <= collection.maxRetries) {
465 await collection.update({
466 status: CollectionStatus.RETRYING,
467 retryCount: nextRetry,
468 // Eligible for the next collection run immediately. Production would apply
469 // a backoff window before re-presenting; recorded as a hint in metadata.
470 scheduledFor: new Date(),
471 failureReason: reason,
472 flagged: false,
473 metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry },
474 });
475 summary.retrying += 1;
476 } else {
477 await collection.update({
478 status: CollectionStatus.FAILED,
479 failureReason: reason,
480 flagged: true,
481 });
482 summary.failed += 1;
483 summary.flagged += 1;
484 logger.warn(
485 { organizationId: ctx.organizationId, collectionId: collection.id, retryCount: collection.retryCount },
486 'Direct-debit collection flagged after exhausting retries',
487 );
488 }
489 }
490
491 /** Parse and reconcile a bank return/settlement file. */
492 export async function ingestReturnFile(
493 organizationId: string,
494 providerKey: string,
495 content: string,
496 ): Promise<IngestSummary> {
497 const ctx = { organizationId };
498 const provider = assertDirectDebitProvider(providerKey);
499 const records = provider.parseReturnFile(content);
500 const summary: IngestSummary = { settled: 0, failed: 0, retrying: 0,{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/app/components/AppLayout.tsx","limit":400,"offset":300}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/app/components/settings/PaymentProvidersTab.tsx","limit":500,"offset":300}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/app/types/directDebit.ts"}{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src -path \"*directDebit*\" -name \"*.ts\" | head -20"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/tests/plus-insurance/09-direct-debit.spec.ts"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/format.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/interface.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/registry.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/autogiro.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts
File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"command":"pwd && ls -la | head -20"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir total 1952 drwxr-xr-x@ 45 bakker staff 1440 Jun 1 04:31 . drwxr-xr-x 66 bakker staff 2112 Jun 1 04:31 .. drwxr-xr-x@ 2 bakker staff 64 Jun 1 04:31 .auto-proof drwxr-xr-x@ 2 bakker staff 64 Jun 1 04:31 .cache drwxr-xr-x@ 6 bakker staff 192 Jun 1 04:31 .claude drwxr-xr-x@ 3 bakker staff 96 Jun 1 04:31 .cursor -rw-r--r--@ 1 bakker staff 82 Jun 1 04:31 .cursorignore -rw-r--r--@ 1 bakker staff 510 Jun 1 04:31 .dockerignore -rw-r--r--@ 1 bakker staff 9305 Jun 1 04:31 .env -rw-r--r--@ 1 bakker staff 113 Jun 1 04:31 .git drwxr-xr-x@ 5 bakker staff 160 Jun 1 04:31 .github -rw-r--r--@ 1 bakker staff 234 Jun 1 04:31 .gitignore -rw-r--r--@ 1 bakker staff 1789 Jun 1 04:31 .mcp.json drwxr-xr-x@ 2 bakker staff 64 Jun 1 04:31 .npm -rw-r--r--@ 1 bakker staff 122 Jun 1 04:31 .npmrc drwxr-xr-x@ 3 bakker staff 96 Jun 1 04:31 .playwright-mcp -rw-r--r--@ 1 bakker staff 149 Jun 1 04:31 .prettierrc -rw-r--r--@ 1 bakker staff 398 Jun 1 04:31 .sequelizerc drwxr-xr-x@ 4 bakker staff 128 Jun 1 04:31 .vscode
1 import type { FastifyPluginAsync, FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
2 import { StatusError } from '@/error/error.js';
3 import { DirectDebitMandate } from '@/models/DirectDebitMandate.js';
4 import { DirectDebitCollection } from '@/models/DirectDebitCollection.js';
5 import {
6 createMandate,
7 activateMandate,
8 revokeMandate,
9 buildMandateFile,
10 scheduleCollection,
11 submitDueCollections,
12 buildCurrentCollectionFile,
13 retryCollection,
14 ingestReturnFile,
15 simulateReturnForCollection,
16 } from '@/services/directDebitService.js';
17
18 const TAG = 'Sherpa Plus — Direct Debit';
19 const PROVIDER_KEYS = ['autogiro', 'betalingsservice'];
20
21 function requireOrg(request: FastifyRequest): string {
22 const organizationId = request.userAuth?.organizationId;
23 if (!organizationId) {
24 throw new StatusError(401, 'Organization context required');
25 }
26 return organizationId;
27 }
28
29 const directDebitRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
30 fastify.addHook('preHandler', fastify.authenticate);
31
32 // ── Mandates ────────────────────────────────────────────────────────────────
33
34 fastify.get('/mandates', {
35 schema: {
36 description: 'List direct-debit mandates for the authenticated organization. Optional filters: status (pending/active/revoked), providerKey, productId.',
37 tags: [TAG],
38 security: [{ clientCredentials: [] }],
39 querystring: {
40 type: 'object',
41 properties: {
42 status: { type: 'string', enum: ['pending', 'active', 'revoked'] },
43 providerKey: { type: 'string', enum: PROVIDER_KEYS },
44 productId: { type: 'integer' },
45 },
46 },
47 },
48 }, async (request: FastifyRequest<{ Querystring: { status?: string; providerKey?: string; productId?: number } }>) => {
49 const organizationId = requireOrg(request);
50 const where: Record<string, unknown> = {};
51 if (request.query.status) where.status = request.query.status;
52 if (request.query.providerKey) where.providerKey = request.query.providerKey;
53 if (request.query.productId) where.productId = request.query.productId;
54
55 const data = await DirectDebitMandate.findAll({ organizationId }, {
56 where,
57 order: [['createdAt', 'DESC']],
58 });
59 return { status: 'success', data };
60 });
61
62 fastify.get('/mandates/:id', {
63 schema: {
64 description: 'Fetch a single direct-debit mandate by ID, scoped to the authenticated organization.',
65 tags: [TAG],
66 security: [{ clientCredentials: [] }],
67 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
68 },
69 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
70 const organizationId = requireOrg(request);
71 const mandate = await DirectDebitMandate.findByPk({ organizationId }, request.params.id);
72 if (!mandate) throw new StatusError(404, 'Mandate not found');
73 return { status: 'success', data: mandate };
74 });
75
76 fastify.post('/mandates', {
77 schema: {
78 description: 'Create a direct-debit mandate. Validates the bank account against the provider scheme rules (Autogiro SE / Betalingsservice DK) and stores it pending bank confirmation.',
79 tags: [TAG],
80 security: [{ clientCredentials: [] }],
81 body: {
82 type: 'object',
83 required: ['providerKey', 'productId', 'accountHolder', 'country', 'accountNumber'],
84 properties: {
85 providerKey: { type: 'string', enum: PROVIDER_KEYS },
86 productId: { type: 'integer' },
87 customerId: { type: 'string', format: 'uuid' },
88 accountHolder: { type: 'string', minLength: 1 },
89 country: { type: 'string', minLength: 2, maxLength: 2 },
90 clearingNumber: { type: 'string' },
91 accountNumber: { type: 'string', minLength: 1 },
92 bankName: { type: 'string' },
93 },
94 },
95 },
96 }, async (request: FastifyRequest<{ Body: {
97 providerKey: string; productId: number; customerId?: string; accountHolder: string;
98 country: string; clearingNumber?: string; accountNumber: string; bankName?: string;
99 } }>, reply: FastifyReply) => {
100 const organizationId = requireOrg(request);
101 const mandate = await createMandate(organizationId, request.body);
102 return reply.code(201).send({ status: 'success', data: mandate });
103 });
104
105 fastify.get('/mandates/:id/file', {
106 schema: {
107 description: 'Generate the bank mandate-request file content for a mandate (Autogiro/Betalingsservice fixed-width format).',
108 tags: [TAG],
109 security: [{ clientCredentials: [] }],
110 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
111 },
112 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
113 const organizationId = requireOrg(request);
114 const file = await buildMandateFile(organizationId, request.params.id);
115 return { status: 'success', data: file };
116 });
117
118 fastify.post('/mandates/:id/activate', {
119 schema: {
120 description: 'Activate a mandate after the bank has confirmed it. Optionally records the bank-assigned payer number.',
121 tags: [TAG],
122 security: [{ clientCredentials: [] }],
123 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
124 body: { type: 'object', properties: { payerNumber: { type: 'string' } } },
125 },
126 }, async (request: FastifyRequest<{ Params: { id: string }; Body: { payerNumber?: string } }>) => {
127 const organizationId = requireOrg(request);
128 const mandate = await activateMandate(organizationId, request.params.id, request.body?.payerNumber);
129 return { status: 'success', data: mandate };
130 });
131
132 fastify.post('/mandates/:id/revoke', {
133 schema: {
134 description: 'Revoke a mandate. No further collections can be scheduled against it.',
135 tags: [TAG],
136 security: [{ clientCredentials: [] }],
137 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
138 },
139 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
140 const organizationId = requireOrg(request);
141 const mandate = await revokeMandate(organizationId, request.params.id);
142 return { status: 'success', data: mandate };
143 });
144
145 // ── Collections ─────────────────────────────────────────────────────────────
146
147 fastify.get('/collections', {
148 schema: {
149 description: 'List direct-debit collections. Optional filters: mandateId, status, providerKey.',
150 tags: [TAG],
151 security: [{ clientCredentials: [] }],
152 querystring: {
153 type: 'object',
154 properties: {
155 mandateId: { type: 'string' },
156 status: { type: 'string', enum: ['scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'] },
157 providerKey: { type: 'string', enum: PROVIDER_KEYS },
158 },
159 },
160 },
161 }, async (request: FastifyRequest<{ Querystring: { mandateId?: string; status?: string; providerKey?: string } }>) => {
162 const organizationId = requireOrg(request);
163 const where: Record<string, unknown> = {};
164 if (request.query.mandateId) where.mandateId = request.query.mandateId;
165 if (request.query.status) where.status = request.query.status;
166 if (request.query.providerKey) where.providerKey = request.query.providerKey;
167
168 const data = await DirectDebitCollection.findAll({ organizationId }, {
169 where,
170 order: [['createdAt', 'DESC']],
171 });
172 return { status: 'success', dat{"pattern":"**/AppLayout.tsx"}No files found
{"pattern":"**/*direct-debit/page.tsx"}No files found
{"pattern":"**/PaymentProvidersTab.tsx"}No files found
{"pattern":"**/directDebit.ts"}No files found
{"pattern":"**/*09-direct-debit.spec.ts"}No files found
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts"}1 import { Organization } from '@/models/Organization.js';
2 import { jobQueue } from '@/services/jobQueue.js';
3 import { submitDueCollections } from '@/services/directDebitService.js';
4 import logger from '@/logger.js';
5
6 const JOB_TYPE = 'direct_debit_collection_batch';
7
8 /**
9 * Hourly picker for due direct-debit collections. Runs per-org so RLS context is
10 * enforced on every read (same pattern as claim-payout-batch). Submitting due
11 * collections is idempotent at the row level — submitDueCollections only moves
12 * SCHEDULED/RETRYING rows whose scheduledFor has passed, so a missed fire or a
13 * worker restart self-heals on the next run.
14 */
15 async function handleDirectDebitCollectionBatch() {
16 const organizations = await Organization.findAll({ attributes: ['id'] });
17 let totalSubmitted = 0;
18
19 for (const org of organizations) {
20 try {
21 const files = await submitDueCollections(org.id);
22 totalSubmitted += files.reduce((sum, f) => sum + f.count, 0);
23 } catch (err) {
24 logger.error(
25 { organizationId: org.id, err: err instanceof Error ? err.message : String(err) },
26 'Direct-debit collection batch: failed to process organization',
27 );
28 }
29 }
30
31 if (totalSubmitted > 0) {
32 logger.info(
33 { count: totalSubmitted, orgCount: organizations.length },
34 'Direct-debit collection batch: submitted due collections',
35 );
36 }
37 }
38
39 export function registerDirectDebitCollectionBatchJob() {
40 jobQueue.register(JOB_TYPE, handleDirectDebitCollectionBatch, {
41 concurrency: 1,
42 defaultJobOptions: {
43 attempts: 3,
44 backoff: { type: 'exponential', delay: 30_000 },
45 removeOnComplete: { age: 24 * 3600, count: 100 },
46 removeOnFail: { age: 7 * 24 * 3600 },
47 },
48 });
49 }
50
51 /**
52 * Start the recurring schedule. Safe to call multiple times — BullMQ dedupes by
53 * jobId. Call once on worker startup.
54 */
55 export async function scheduleDirectDebitCollectionBatch() {
56 await jobQueue.scheduleRepeating(
57 JOB_TYPE,
58 {},
59 '0 * * * *', // every hour on the hour, UTC
60 `${JOB_TYPE}:hourly`,
61 );
62 }
63 {"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -maxdepth 3 -type d -name \"app\" -o -name \"tests\" -o -name \"components\" 2>/dev/null | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app
{"pattern":"sequelize\\.query|raw\\(|Sequelize\\.query","path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src","glob":"**/*directDebit*.ts","output_mode":"content"}No matches found
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app/components/AppLayout.tsx","limit":400,"offset":300}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app/products/[id]/direct-debit/page.tsx"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app/components/settings/PaymentProvidersTab.tsx","limit":400,"offset":300}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app/types/directDebit.ts"}File does not exist. Note: your current working directory is /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir.
{"command":"grep -n \"DirectDebitMandate\\.find\\|DirectDebitCollection\\.find\\|\\.findAll\\|\\.findOne\\|\\.findByPk\\|\\.create\\|\\.update\" src/services/directDebitService.ts | head -40"}60: const config = await PaymentProviderConfig.findOne(ctx, {
120: const mandate = await DirectDebitMandate.create(ctx, {
145: const mandate = await DirectDebitMandate.findByPk(ctx, mandateId);
167: await mandate.update({
186: await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
240: const collection = await DirectDebitCollection.create(ctx, {
287: const due = await DirectDebitCollection.findAll(ctx, {
303: const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
305: await collection.update({
313: await collection.update({
342: const submitted = await DirectDebitCollection.findAll(ctx, {
351: const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
363: const collection = await DirectDebitCollection.findByPk(ctx, collectionId);
370: await collection.update({
401: const policyOrder = await PolicyOrder.findByPk(ctx, collection.policyOrderId);
415: await policyOrder.update(update);
433: const collection = await DirectDebitCollection.findOne(ctx, {
450: await collection.update({
465: await collection.update({
477: await collection.update({
520: const collection = await DirectDebitCollection.findByPk(ctx, collectionId);{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app -type f -name \"*.tsx\" -o -name \"*.ts\" | grep -E \"(AppLayout|direct-debit|PaymentProviders|directDebit)\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app/routeSchemaDefaults.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app/cors.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app/swagger.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":428,"limit":65}428 async function applyReturnRecord(
429 ctx: Ctx,
430 record: ReturnRecord,
431 summary: IngestSummary,
432 ): Promise<void> {
433 const collection = await DirectDebitCollection.findOne(ctx, {
434 where: { externalReference: record.externalReference },
435 });
436 if (!collection) {
437 summary.unmatched.push(record.externalReference);
438 return;
439 }
440 // A return record is only meaningful for a collection awaiting settlement
441 // (SUBMITTED). Anything else — already settled, already failed/flagged, or a
442 // duplicate arriving after we processed a prior return for this reference — is
443 // ignored idempotently so re-ingesting a file can't double-count retries or
444 // un-flag an exhausted collection.
445 if (collection.status !== CollectionStatus.SUBMITTED) {
446 return;
447 }
448
449 if (record.outcome === 'settled') {
450 await collection.update({
451 status: CollectionStatus.SETTLED,
452 settledAt: new Date(),
453 failureReason: null,
454 flagged: false,
455 });
456 await reconcileSettlementToPolicy(ctx, collection);
457 summary.settled += 1;
458 return;
459 }
460
461 // Failed: retry until maxRetries, then flag for operator intervention.
462 const nextRetry = collection.retryCount + 1;
463 const reason = record.reason ?? 'Collection rejected by bank';
464 if (nextRetry <= collection.maxRetries) {
465 await collection.update({
466 status: CollectionStatus.RETRYING,
467 retryCount: nextRetry,
468 // Eligible for the next collection run immediately. Production would apply
469 // a backoff window before re-presenting; recorded as a hint in metadata.
470 scheduledFor: new Date(),
471 failureReason: reason,
472 flagged: false,
473 metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry },
474 });
475 summary.retrying += 1;
476 } else {
477 await collection.update({
478 status: CollectionStatus.FAILED,
479 failureReason: reason,
480 flagged: true,
481 });
482 summary.failed += 1;
483 summary.flagged += 1;
484 logger.warn(
485 { organizationId: ctx.organizationId, collectionId: collection.id, retryCount: collection.retryCount },
486 'Direct-debit collection flagged after exhausting retries',
487 );
488 }
489 }
490
491 /** Parse and reconcile a bank return/settlement file. */
492 export async function ingestReturnFile({"command":"ls -la /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/ | head -20"}total 112 drwxr-xr-x@ 30 bakker staff 960 Jun 1 04:31 . drwxr-xr-x@ 45 bakker staff 1440 Jun 1 04:31 .. -rw-r--r--@ 1 bakker staff 7913 Jun 1 04:31 AGENTS.md drwxr-xr-x@ 5 bakker staff 160 Jun 1 04:31 app -rw-r--r--@ 1 bakker staff 5918 Jun 1 04:31 app.ts drwxr-xr-x@ 4 bakker staff 128 Jun 1 04:31 config drwxr-xr-x@ 3 bakker staff 96 Jun 1 04:31 constants drwxr-xr-x@ 75 bakker staff 2400 Jun 1 04:31 controllers drwxr-xr-x@ 7 bakker staff 224 Jun 1 04:31 db drwxr-xr-x@ 10 bakker staff 320 Jun 1 04:31 domains drwxr-xr-x@ 4 bakker staff 128 Jun 1 04:31 error drwxr-xr-x@ 6 bakker staff 192 Jun 1 04:31 financials drwxr-xr-x@ 8 bakker staff 256 Jun 1 04:31 integrations -rw-r--r--@ 1 bakker staff 132 Jun 1 04:31 lifecycle.ts -rw-r--r--@ 1 bakker staff 2625 Jun 1 04:31 logger.ts drwxr-xr-x@ 121 bakker staff 3872 Jun 1 04:45 models -rw-r--r--@ 1 bakker staff 3616 Jun 1 04:31 persistentValkeyClient.ts drwxr-xr-x@ 9 bakker staff 288 Jun 1 04:31 plugins drwxr-xr-x@ 36 bakker staff 1152 Jun 1 04:31 routes
{"command":"git worktree list 2>/dev/null || echo \"No worktrees\""}/Users/bakker/dev/gangkhar/sherpa-api 8636f82d [development] /Users/bakker/dev/gangkhar/sherpa-api-api-456-outlet-catalog-per-product-outle adb3086a [auto/api-456-outlet-catalog-per-product-outle] /Users/bakker/dev/gangkhar/sherpa-api-api-457-custom-additional-fields-on-endo a93cf56c [auto/api-457-custom-additional-fields-on-endo] /Users/bakker/dev/gangkhar/sherpa-api-api-458-credit-check-compliance-integrat f09370ff [auto/api-458-credit-check-compliance-integrat] /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir 6dd1913b [auto/api-462-nordic-bank-direct-debit-autogir] /Users/bakker/dev/gangkhar/sherpa-api-api-463-recurring-card-payments-subscrip 9cb7706b [auto/api-463-recurring-card-payments-subscrip] /Users/bakker/dev/gangkhar/sherpa-api-api-464-multiple-payment-providers-per-p 0a881c9a [auto/api-464-multiple-payment-providers-per-p] /Users/bakker/dev/gangkhar/sherpa-api-api-465-per-outlet-claim-rules 87149333 [auto/api-465-per-outlet-claim-rules] /Users/bakker/dev/gangkhar/sherpa-api-api-466-passkey-webauthn-login 078f81bd [auto/api-466-passkey-webauthn-login] /Users/bakker/dev/gangkhar/sherpa-api-auto-detect-style b8123231 [feat/auto-detect-style] /Users/bakker/dev/gangkhar/sherpa-api-customer-support-module-rgebm eeb3117f [claude/customer-support-module-RgEBm] /Users/bakker/dev/gangkhar/sherpa-api/.claude/worktrees/agent-a227375d3e5703c89 426398d8 [fix/rls-cleanup-pr-d] locked /Users/bakker/dev/gangkhar/sherpa-api/.claude/worktrees/agent-a2c4df3e135cba6d4 b5adb557 [fix/rls-cleanup-pr-c] locked /Users/bakker/dev/gangkhar/sherpa-api/.claude/worktrees/agent-a2f21f4d6c54015f2 b6c04fb1 [fix/rls-cleanup-pr-b] locked /Users/bakker/dev/gangkhar/sherpa-api/.claude/worktrees/agent-aac7f284555866138 39650d8d [fix/rls-cleanup-pr-e] locked
{"pattern":"update\\(|create\\(","path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services","glob":"*directDebit*.ts","output_mode":"content","context":2}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-118-
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-119- const mandateReference = generateReference(input.providerKey, 'MND');
src/services/directDebitService.ts:120: const mandate = await DirectDebitMandate.create(ctx, {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-121- organizationId,
src/services/directDebitService.ts-122- providerKey: input.providerKey as DirectDebitProvider,
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-165- throw new StatusError(400, 'Cannot activate a revoked mandate');
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-166- }
src/services/directDebitService.ts:167: await mandate.update({
src/services/directDebitService.ts-168- status: MandateStatus.ACTIVE,
src/services/directDebitService.ts-169- activatedAt: new Date(),
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-184- return mandate;
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-185- }
src/services/directDebitService.ts:186: await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-187- logger.info({ organizationId, mandateId }, 'Direct-debit mandate revoked');
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-188- return mandate;
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-238- }
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-239-
src/services/directDebitService.ts:240: const collection = await DirectDebitCollection.create(ctx, {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-241- organizationId,
src/services/directDebitService.ts-242- mandateId: mandate.id,
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-303- const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-304- if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
src/services/directDebitService.ts:305: await collection.update({
src/services/directDebitService.ts-306- status: CollectionStatus.FAILED,
src/services/directDebitService.ts-307- failureReason: 'Mandate is not active',
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-311- }
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-312- const externalReference = generateReference(key, 'COL');
src/services/directDebitService.ts:313: await collection.update({
src/services/directDebitService.ts-314- status: CollectionStatus.SUBMITTED,
src/services/directDebitService.ts-315- submittedAt: new Date(),
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-368- throw new StatusError(400, `Only failed collections can be retried (is "${collection.status}")`);
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-369- }
src/services/directDebitService.ts:370: await collection.update({
src/services/directDebitService.ts-371- status: CollectionStatus.RETRYING,
src/services/directDebitService.ts-372- scheduledFor: new Date(),
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-413- );
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-414- }
src/services/directDebitService.ts:415: await policyOrder.update(update);
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-416- logger.info(
src/services/directDebitService.ts-417- { organizationId: ctx.organizationId, policyOrderId: collection.policyOrderId, collectionId: collection.id },
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-448-
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-449- if (record.outcome === 'settled') {
src/services/directDebitService.ts:450: await collection.update({
src/services/directDebitService.ts-451- status: CollectionStatus.SETTLED,
src/services/directDebitService.ts-452- settledAt: new Date(),
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-463- const reason = record.reason ?? 'Collection rejected by bank';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-464- if (nextRetry <= collection.maxRetries) {
src/services/directDebitService.ts:465: await collection.update({
src/services/directDebitService.ts-466- status: CollectionStatus.RETRYING,
src/services/directDebitService.ts-467- retryCount: nextRetry,
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-475- summary.retrying += 1;
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts-476- } else {
src/services/directDebitService.ts:477: await collection.update({
src/services/directDebitService.ts-478- status: CollectionStatus.FAILED,
src/services/directDebitService.ts-479- failureReason: reason,{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -type f -name \"*direct-debit*.spec.ts\" -o -name \"*direct-debit*.test.ts\" 2>/dev/null"}(Bash completed with no output)
{"pattern":"findAll|findByPk|findOne|create","path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts","output_mode":"content","context":2}{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -type d -name \"tests\" -o -name \"test\" -o -name \"__tests__\""}4-import { DirectDebitCollection } from '@/models/DirectDebitCollection.js';
5-import {
6: createMandate,
7- activateMandate,
8- revokeMandate,
--
53- if (request.query.productId) where.productId = request.query.productId;
54-
55: const data = await DirectDebitMandate.findAll({ organizationId }, {
56- where,
57: order: [['createdAt', 'DESC']],
58- });
59- return { status: 'success', data };
--
69- }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
70- const organizationId = requireOrg(request);
71: const mandate = await DirectDebitMandate.findByPk({ organizationId }, request.params.id);
72- if (!mandate) throw new StatusError(404, 'Mandate not found');
73- return { status: 'success', data: mandate };
--
99- } }>, reply: FastifyReply) => {
100- const organizationId = requireOrg(request);
101: const mandate = await createMandate(organizationId, request.body);
102- return reply.code(201).send({ status: 'success', data: mandate });
103- });
--
166- if (request.query.providerKey) where.providerKey = request.query.providerKey;
167-
168: const data = await DirectDebitCollection.findAll({ organizationId }, {
169- where,
170: order: [['createdAt', 'DESC']],
171- });
172- return { status: 'success', data };/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/mcp/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/integrations/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/lens/optimizations/commission/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/utils/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/test /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/pricing/test
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir -type f \\( -name \"*directDebit*\" -o -name \"*direct-debit*\" \\) | grep -v node_modules"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts
{"pattern":"submitDueCollections","path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts","output_mode":"content","context":3}1-import { Organization } from '@/models/Organization.js';
2-import { jobQueue } from '@/services/jobQueue.js';
3:import { submitDueCollections } from '@/services/directDebitService.js';
4-import logger from '@/logger.js';
5-
6-const JOB_TYPE = 'direct_debit_collection_batch';
--
8-/**
9- * Hourly picker for due direct-debit collections. Runs per-org so RLS context is
10- * enforced on every read (same pattern as claim-payout-batch). Submitting due
11: * collections is idempotent at the row level — submitDueCollections only moves
12- * SCHEDULED/RETRYING rows whose scheduledFor has passed, so a missed fire or a
13- * worker restart self-heals on the next run.
14- */
--
18-
19- for (const org of organizations) {
20- try {
21: const files = await submitDueCollections(org.id);
22- totalSubmitted += files.reduce((sum, f) => sum + f.count, 0);
23- } catch (err) {
24- logger.error({"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}1 import { randomUUID } from 'crypto';
2 import { Op } from 'sequelize';
3 import { StatusError } from '@/error/error.js';
4 import logger from '@/logger.js';
5 import {
6 DirectDebitMandate,
7 MandateStatus,
8 DirectDebitProvider,
9 } from '@/models/DirectDebitMandate.js';
10 import { DirectDebitCollection, CollectionStatus } from '@/models/DirectDebitCollection.js';
11 import { PaymentProviderConfig } from '@/models/PaymentProviderConfig.js';
12 import { PolicyOrder } from '@/models/PolicyOrder.js';
13 import { PolicyStatusLifecycleCategory } from '@/models/OrganizationPolicyStatus.js';
14 import { getCategoryForCode, getDefaultCodeForCategory } from '@/services/policyStatusService.js';
15 import {
16 getDirectDebitProvider,
17 isDirectDebitProvider,
18 } from '@/domains/payments/directDebit/registry.js';
19 import type {
20 BankAccount,
21 BankDirectDebitProvider,
22 CollectionFileEntry,
23 ReturnRecord,
24 } from '@/domains/payments/directDebit/interface.js';
25
26 // directDebitService — orchestration for the Nordic bank direct-debit rails.
27 //
28 // The connectors in domains/payments/directDebit are stateless file builders /
29 // parsers. This service owns everything stateful: mandate lifecycle, collection
30 // scheduling, building the outbound files, ingesting return files, retry +
31 // flagging, and reconciling settlements back to the policy's payment status.
32
33 type Ctx = { organizationId: string };
34
35 const PROVIDER_PREFIX: Record<string, string> = {
36 autogiro: 'AG',
37 betalingsservice: 'BS',
38 };
39
40 // ── Helpers ──────────────────────────────────────────────────────────────────
41
42 function assertDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
43 if (!isDirectDebitProvider(providerKey)) {
44 throw new StatusError(400, `'${providerKey}' is not a bank direct-debit provider`);
45 }
46 return getDirectDebitProvider(providerKey);
47 }
48
49 function generateReference(providerKey: string, kind: 'MND' | 'COL'): string {
50 const prefix = PROVIDER_PREFIX[providerKey] ?? 'DD';
51 return `${prefix}-${kind}-${randomUUID().slice(0, 8).toUpperCase()}`;
52 }
53
54 /**
55 * Resolve the payee identity for a scheme from the org's payment provider
56 * config. Enforces the config-via-portal rule: a direct-debit collection cannot
57 * be submitted until the provider is configured for the organization.
58 */
59 async function resolveCreditorId(ctx: Ctx, providerKey: string): Promise<string> {
60 const config = await PaymentProviderConfig.findOne(ctx, {
61 where: { providerKey, active: true },
62 });
63 if (!config) {
64 throw new StatusError(
65 400,
66 `No active "${providerKey}" payment provider config for this organization — configure it in the portal first`,
67 );
68 }
69 const c = config.config as Record<string, unknown>;
70 const creditorId =
71 (typeof c.creditorId === 'string' && c.creditorId) ||
72 (typeof c.bankgiroNumber === 'string' && c.bankgiroNumber) ||
73 (typeof c.pbsNumber === 'string' && c.pbsNumber) ||
74 '';
75 return creditorId || '0000000';
76 }
77
78 function mandateAccount(mandate: DirectDebitMandate): BankAccount {
79 return {
80 country: mandate.country,
81 clearingNumber: mandate.clearingNumber,
82 accountNumber: mandate.accountNumber,
83 accountHolder: mandate.accountHolder,
84 };
85 }
86
87 // ── Mandate lifecycle ─────────────────────────────────────────────────────────
88
89 export interface CreateMandateInput {
90 providerKey: string;
91 productId: number;
92 customerId?: string | null;
93 accountHolder: string;
94 country: string;
95 clearingNumber?: string | null;
96 accountNumber: string;
97 bankName?: string | null;
98 metadata?: Record<string, unknown> | null;
99 }
100
101 export async function createMandate(
102 organizationId: string,
103 input: CreateMandateInput,
104 ): Promise<DirectDebitMandate> {
105 const ctx = { organizationId };
106 const provider = assertDirectDebitProvider(input.providerKey);
107
108 const account: BankAccount = {
109 country: input.country,
110 clearingNumber: input.clearingNumber,
111 accountNumber: input.accountNumber,
112 accountHolder: input.accountHolder,
113 };
114 const validation = provider.validateAccount(account);
115 if (!validation.valid) {
116 throw new StatusError(400, `Invalid bank account: ${validation.errors.join('; ')}`);
117 }
118
119 const mandateReference = generateReference(input.providerKey, 'MND');
120 const mandate = await DirectDebitMandate.create(ctx, {
121 organizationId,
122 providerKey: input.providerKey as DirectDebitProvider,
123 productId: input.productId,
124 customerId: input.customerId ?? null,
125 status: MandateStatus.PENDING,
126 country: input.country.toUpperCase(),
127 accountHolder: input.accountHolder,
128 clearingNumber: input.clearingNumber ?? null,
129 accountNumber: input.accountNumber,
130 bankName: input.bankName ?? null,
131 mandateReference,
132 payerNumber: mandateReference,
133 signedAt: new Date(),
134 metadata: input.metadata ?? null,
135 });
136
137 logger.info(
138 { organizationId, mandateId: mandate.id, providerKey: input.providerKey },
139 'Direct-debit mandate created (pending bank confirmation)',
140 );
141 return mandate;
142 }
143
144 async function loadMandate(ctx: Ctx, mandateId: string): Promise<DirectDebitMandate> {
145 const mandate = await DirectDebitMandate.findByPk(ctx, mandateId);
146 if (!mandate) {
147 throw new StatusError(404, `Mandate ${mandateId} not found`);
148 }
149 return mandate;
150 }
151
152 /**
153 * Activate a mandate once the bank confirms it. In production this is driven by
154 * the mandate return file; the route also exposes it as an explicit operator
155 * action so a confirmed mandate can be activated from the CRM.
156 */
157 export async function activateMandate(
158 organizationId: string,
159 mandateId: string,
160 payerNumber?: string,
161 ): Promise<DirectDebitMandate> {
162 const ctx = { organizationId };
163 const mandate = await loadMandate(ctx, mandateId);
164 if (mandate.status === MandateStatus.REVOKED) {
165 throw new StatusError(400, 'Cannot activate a revoked mandate');
166 }
167 await mandate.update({
168 status: MandateStatus.ACTIVE,
169 activatedAt: new Date(),
170 failureReason: null,
171 ...(payerNumber ? { payerNumber } : {}),
172 });
173 logger.info({ organizationId, mandateId }, 'Direct-debit mandate activated');
174 return mandate;
175 }
176
177 export async function revokeMandate(
178 organizationId: string,
179 mandateId: string,
180 ): Promise<DirectDebitMandate> {
181 const ctx = { organizationId };
182 const mandate = await loadMandate(ctx, mandateId);
183 if (mandate.status === MandateStatus.REVOKED) {
184 return mandate;
185 }
186 await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
187 logger.info({ organizationId, mandateId }, 'Direct-debit mandate revoked');
188 return mandate;
189 }
190
191 /** Generate the bank mandate-request file for a single mandate (download/preview). */
192 export async function buildMandateFile(
193 organizationId: string,
194 mandateId: string,
195 ): Promise<{ fileReference: string; content: string }> {
196 const ctx = { organizationId };
197 const mandate = await loadMandate(ctx, mandateId);
198 const provider = assertDirectDebitProvider(mandate.providerKey);
199 const creditorId = await resolveCreditorId(ctx, mandate.providerKey);
200 const content = provider.buildMandateFile(
201 [
202 {
203 mandateReference: mandate.mandateReference,
204 payerNumber: mandate.payerNumber,
205 account: mandateAccount(mandate),
206 },
207 ],
208 creditorId,
209 );
210 return { fileRefer{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts"}1 import type { FastifyPluginAsync, FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
2 import { StatusError } from '@/error/error.js';
3 import { DirectDebitMandate } from '@/models/DirectDebitMandate.js';
4 import { DirectDebitCollection } from '@/models/DirectDebitCollection.js';
5 import {
6 createMandate,
7 activateMandate,
8 revokeMandate,
9 buildMandateFile,
10 scheduleCollection,
11 submitDueCollections,
12 buildCurrentCollectionFile,
13 retryCollection,
14 ingestReturnFile,
15 simulateReturnForCollection,
16 } from '@/services/directDebitService.js';
17
18 const TAG = 'Sherpa Plus — Direct Debit';
19 const PROVIDER_KEYS = ['autogiro', 'betalingsservice'];
20
21 function requireOrg(request: FastifyRequest): string {
22 const organizationId = request.userAuth?.organizationId;
23 if (!organizationId) {
24 throw new StatusError(401, 'Organization context required');
25 }
26 return organizationId;
27 }
28
29 const directDebitRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
30 fastify.addHook('preHandler', fastify.authenticate);
31
32 // ── Mandates ────────────────────────────────────────────────────────────────
33
34 fastify.get('/mandates', {
35 schema: {
36 description: 'List direct-debit mandates for the authenticated organization. Optional filters: status (pending/active/revoked), providerKey, productId.',
37 tags: [TAG],
38 security: [{ clientCredentials: [] }],
39 querystring: {
40 type: 'object',
41 properties: {
42 status: { type: 'string', enum: ['pending', 'active', 'revoked'] },
43 providerKey: { type: 'string', enum: PROVIDER_KEYS },
44 productId: { type: 'integer' },
45 },
46 },
47 },
48 }, async (request: FastifyRequest<{ Querystring: { status?: string; providerKey?: string; productId?: number } }>) => {
49 const organizationId = requireOrg(request);
50 const where: Record<string, unknown> = {};
51 if (request.query.status) where.status = request.query.status;
52 if (request.query.providerKey) where.providerKey = request.query.providerKey;
53 if (request.query.productId) where.productId = request.query.productId;
54
55 const data = await DirectDebitMandate.findAll({ organizationId }, {
56 where,
57 order: [['createdAt', 'DESC']],
58 });
59 return { status: 'success', data };
60 });
61
62 fastify.get('/mandates/:id', {
63 schema: {
64 description: 'Fetch a single direct-debit mandate by ID, scoped to the authenticated organization.',
65 tags: [TAG],
66 security: [{ clientCredentials: [] }],
67 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
68 },
69 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
70 const organizationId = requireOrg(request);
71 const mandate = await DirectDebitMandate.findByPk({ organizationId }, request.params.id);
72 if (!mandate) throw new StatusError(404, 'Mandate not found');
73 return { status: 'success', data: mandate };
74 });
75
76 fastify.post('/mandates', {
77 schema: {
78 description: 'Create a direct-debit mandate. Validates the bank account against the provider scheme rules (Autogiro SE / Betalingsservice DK) and stores it pending bank confirmation.',
79 tags: [TAG],
80 security: [{ clientCredentials: [] }],
81 body: {
82 type: 'object',
83 required: ['providerKey', 'productId', 'accountHolder', 'country', 'accountNumber'],
84 properties: {
85 providerKey: { type: 'string', enum: PROVIDER_KEYS },
86 productId: { type: 'integer' },
87 customerId: { type: 'string', format: 'uuid' },
88 accountHolder: { type: 'string', minLength: 1 },
89 country: { type: 'string', minLength: 2, maxLength: 2 },
90 clearingNumber: { type: 'string' },
91 accountNumber: { type: 'string', minLength: 1 },
92 bankName: { type: 'string' },
93 },
94 },
95 },
96 }, async (request: FastifyRequest<{ Body: {
97 providerKey: string; productId: number; customerId?: string; accountHolder: string;
98 country: string; clearingNumber?: string; accountNumber: string; bankName?: string;
99 } }>, reply: FastifyReply) => {
100 const organizationId = requireOrg(request);
101 const mandate = await createMandate(organizationId, request.body);
102 return reply.code(201).send({ status: 'success', data: mandate });
103 });
104
105 fastify.get('/mandates/:id/file', {
106 schema: {
107 description: 'Generate the bank mandate-request file content for a mandate (Autogiro/Betalingsservice fixed-width format).',
108 tags: [TAG],
109 security: [{ clientCredentials: [] }],
110 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
111 },
112 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
113 const organizationId = requireOrg(request);
114 const file = await buildMandateFile(organizationId, request.params.id);
115 return { status: 'success', data: file };
116 });
117
118 fastify.post('/mandates/:id/activate', {
119 schema: {
120 description: 'Activate a mandate after the bank has confirmed it. Optionally records the bank-assigned payer number.',
121 tags: [TAG],
122 security: [{ clientCredentials: [] }],
123 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
124 body: { type: 'object', properties: { payerNumber: { type: 'string' } } },
125 },
126 }, async (request: FastifyRequest<{ Params: { id: string }; Body: { payerNumber?: string } }>) => {
127 const organizationId = requireOrg(request);
128 const mandate = await activateMandate(organizationId, request.params.id, request.body?.payerNumber);
129 return { status: 'success', data: mandate };
130 });
131
132 fastify.post('/mandates/:id/revoke', {
133 schema: {
134 description: 'Revoke a mandate. No further collections can be scheduled against it.',
135 tags: [TAG],
136 security: [{ clientCredentials: [] }],
137 params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
138 },
139 }, async (request: FastifyRequest<{ Params: { id: string } }>) => {
140 const organizationId = requireOrg(request);
141 const mandate = await revokeMandate(organizationId, request.params.id);
142 return { status: 'success', data: mandate };
143 });
144
145 // ── Collections ─────────────────────────────────────────────────────────────
146
147 fastify.get('/collections', {
148 schema: {
149 description: 'List direct-debit collections. Optional filters: mandateId, status, providerKey.',
150 tags: [TAG],
151 security: [{ clientCredentials: [] }],
152 querystring: {
153 type: 'object',
154 properties: {
155 mandateId: { type: 'string' },
156 status: { type: 'string', enum: ['scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'] },
157 providerKey: { type: 'string', enum: PROVIDER_KEYS },
158 },
159 },
160 },
161 }, async (request: FastifyRequest<{ Querystring: { mandateId?: string; status?: string; providerKey?: string } }>) => {
162 const organizationId = requireOrg(request);
163 const where: Record<string, unknown> = {};
164 if (request.query.mandateId) where.mandateId = request.query.mandateId;
165 if (request.query.status) where.status = request.query.status;
166 if (request.query.providerKey) where.providerKey = request.query.providerKey;
167
168 const data = await DirectDebitCollection.findAll({ organizationId }, {
169 where,
170 order: [['createdAt', 'DESC']],
171 });
172 return { status: 'success', dat{"pattern":"status.*SCHEDULED|status.*SUBMITTED|status.*SETTLED|status.*FAILED|status.*RETRYING|status.*CANCELLED|status.*PENDING|status.*ACTIVE|status.*REVOKED","path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","output_mode":"content"}125: status: MandateStatus.PENDING,
164: if (mandate.status === MandateStatus.REVOKED) {
168: status: MandateStatus.ACTIVE,
183: if (mandate.status === MandateStatus.REVOKED) {
186: await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
229: if (mandate.status !== MandateStatus.ACTIVE) {
247: status: CollectionStatus.SCHEDULED,
290: status: { [Op.in]: [CollectionStatus.SCHEDULED, CollectionStatus.RETRYING] },
304: if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
306: status: CollectionStatus.FAILED,
314: status: CollectionStatus.SUBMITTED,
343: where: { providerKey, status: CollectionStatus.SUBMITTED },
367: if (collection.status !== CollectionStatus.FAILED) {
371: status: CollectionStatus.RETRYING,
445: if (collection.status !== CollectionStatus.SUBMITTED) {
451: status: CollectionStatus.SETTLED,
466: status: CollectionStatus.RETRYING,
478: status: CollectionStatus.FAILED,{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models -name \"DirectDebit*\" -type f"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/registry.ts"}1 import type { BankDirectDebitProvider } from './interface.js';
2 import { AutogiroProvider } from './autogiro.js';
3 import { BetalingsserviceProvider } from './betalingsservice.js';
4
5 // Stateless connectors — instantiate once and reuse. Unlike the card providers,
6 // these hold no per-org credentials (the creditor identity is passed per call),
7 // so a singleton instance per scheme is safe.
8 const providers: Record<string, BankDirectDebitProvider> = {
9 autogiro: new AutogiroProvider(),
10 betalingsservice: new BetalingsserviceProvider(),
11 };
12
13 export const DIRECT_DEBIT_PROVIDER_KEYS = Object.keys(providers);
14
15 export function isDirectDebitProvider(providerKey: string): boolean {
16 return providerKey in providers;
17 }
18
19 export function getDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
20 const provider = providers[providerKey];
21 if (!provider) {
22 throw new Error(`Unknown direct-debit provider: ${providerKey}`);
23 }
24 return provider;
25 }
26 /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitMandate.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitCollection.ts
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit -type f"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/format.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/interface.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/registry.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/autogiro.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitMandate.ts"}1 import { _DirectDebitMandate } from './internal/_DirectDebitMandate.js';
2 import { toSafeModel } from './lib/safe-model.js';
3
4 export const DirectDebitMandate = toSafeModel(_DirectDebitMandate);
5 export type DirectDebitMandate = _DirectDebitMandate;
6
7 export { DirectDebitProvider, MandateStatus } from './internal/_DirectDebitMandate.js';
8
9 // Re-export raw class for db.ts registration, association includes, and type usage
10 export { _DirectDebitMandate };
11 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitCollection.ts"}{"command":"grep -n \"export.*enum\\|export.*DirectDebitProvider\\|export.*MandateStatus\\|export.*CollectionStatus\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebit*.ts"}1 import { _DirectDebitCollection } from './internal/_DirectDebitCollection.js';
2 import { toSafeModel } from './lib/safe-model.js';
3
4 export const DirectDebitCollection = toSafeModel(_DirectDebitCollection);
5 export type DirectDebitCollection = _DirectDebitCollection;
6
7 export { CollectionStatus } from './internal/_DirectDebitCollection.js';
8
9 // Re-export raw class for db.ts registration, association includes, and type usage
10 export { _DirectDebitCollection };
11 /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitCollection.ts:7:export { CollectionStatus } from './internal/_DirectDebitCollection.js';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitMandate.ts:7:export { DirectDebitProvider, MandateStatus } from './internal/_DirectDebitMandate.js';{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _Product } from './_Product.js';
3
4 // Provider keys for the Nordic direct-debit schemes. Match the values stored on
5 // Products.paymentProvider and PaymentProviderConfigs.providerKey.
6 export enum DirectDebitProvider {
7 AUTOGIRO = 'autogiro',
8 BETALINGSSERVICE = 'betalingsservice',
9 }
10
11 // Mandate lifecycle. A mandate is created `PENDING` when the bank file is
12 // generated, becomes `ACTIVE` once the bank confirms it (mandate return file or
13 // an operator activation), and `REVOKED` when the customer or bank cancels it.
14 export enum MandateStatus {
15 PENDING = 'pending',
16 ACTIVE = 'active',
17 REVOKED = 'revoked',
18 }
19
20 @Table({
21 modelName: 'DirectDebitMandate',
22 tableName: 'DirectDebitMandates',
23 timestamps: true,
24 indexes: [
25 {
26 unique: true,
27 fields: ['organizationId', 'mandateReference'],
28 name: 'direct_debit_mandates_org_reference_unique',
29 },
30 {
31 fields: ['organizationId', 'status'],
32 name: 'idx_direct_debit_mandates_org_status',
33 },
34 {
35 fields: ['organizationId', 'productId'],
36 name: 'idx_direct_debit_mandates_org_product',
37 },
38 ],
39 })
40 export class _DirectDebitMandate extends Model {
41 @Column({
42 type: DataType.UUID,
43 primaryKey: true,
44 defaultValue: DataType.UUIDV4,
45 })
46 declare id: string;
47
48 @Column({
49 type: DataType.UUID,
50 allowNull: false,
51 })
52 declare organizationId: string;
53
54 // STRING (not a PG ENUM) to match the migration and the codebase convention
55 // for provider keys (PaymentProviderConfigs.providerKey, Products.paymentProvider,
56 // ClaimPayout.providerKey are all strings). The DirectDebitProvider union types
57 // it at the application layer.
58 @Column({
59 type: DataType.STRING(50),
60 allowNull: false,
61 })
62 declare providerKey: DirectDebitProvider;
63
64 @ForeignKey(() => _Product)
65 @Column({
66 type: DataType.INTEGER,
67 allowNull: false,
68 })
69 declare productId: number;
70
71 @BelongsTo(() => _Product)
72 declare product: _Product;
73
74 @Column({
75 type: DataType.UUID,
76 allowNull: true,
77 })
78 declare customerId: string | null;
79
80 @Column({
81 type: DataType.ENUM(...Object.values(MandateStatus)),
82 allowNull: false,
83 defaultValue: MandateStatus.PENDING,
84 })
85 declare status: MandateStatus;
86
87 @Column({
88 type: DataType.STRING(2),
89 allowNull: false,
90 })
91 declare country: string;
92
93 @Column({
94 type: DataType.STRING(255),
95 allowNull: false,
96 })
97 declare accountHolder: string;
98
99 @Column({
100 type: DataType.STRING(20),
101 allowNull: true,
102 })
103 declare clearingNumber: string | null;
104
105 @Column({
106 type: DataType.STRING(50),
107 allowNull: false,
108 })
109 declare accountNumber: string;
110
111 @Column({
112 type: DataType.STRING(255),
113 allowNull: true,
114 })
115 declare bankName: string | null;
116
117 @Column({
118 type: DataType.STRING(100),
119 allowNull: false,
120 })
121 declare mandateReference: string;
122
123 @Column({
124 type: DataType.STRING(50),
125 allowNull: true,
126 })
127 declare payerNumber: string | null;
128
129 @Column({
130 type: DataType.DATE,
131 allowNull: true,
132 })
133 declare signedAt: Date | null;
134
135 @Column({
136 type: DataType.DATE,
137 allowNull: true,
138 })
139 declare activatedAt: Date | null;
140
141 @Column({
142 type: DataType.DATE,
143 allowNull: true,
144 })
145 declare revokedAt: Date | null;
146
147 @Column({
148 type: DataType.TEXT,
149 allowNull: true,
150 })
151 declare failureReason: string | null;
152
153 @Column({
154 type: DataType.JSONB,
155 allowNull: true,
156 })
157 declare metadata: Record<string, unknown> | null;
158
159 declare createdAt: Date;
160 declare updatedAt: Date;
161 }
162 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts"}1 import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
2 import { _DirectDebitMandate } from './_DirectDebitMandate.js';
3
4 // Collection lifecycle:
5 // SCHEDULED → created, waiting for the next collection-file run
6 // SUBMITTED → written into a collection file and sent to the bank
7 // SETTLED → bank confirmed the debit (return file) → policy reconciled
8 // FAILED → bank rejected the debit (return file)
9 // RETRYING → a failed debit rescheduled for another attempt
10 // CANCELLED → manually cancelled before submission
11 export enum CollectionStatus {
12 SCHEDULED = 'scheduled',
13 SUBMITTED = 'submitted',
14 SETTLED = 'settled',
15 FAILED = 'failed',
16 RETRYING = 'retrying',
17 CANCELLED = 'cancelled',
18 }
19
20 @Table({
21 modelName: 'DirectDebitCollection',
22 tableName: 'DirectDebitCollections',
23 timestamps: true,
24 indexes: [
25 {
26 fields: ['mandateId'],
27 name: 'idx_direct_debit_collections_mandate',
28 },
29 {
30 fields: ['organizationId', 'status'],
31 name: 'idx_direct_debit_collections_org_status',
32 },
33 {
34 fields: ['organizationId', 'status', 'scheduledFor'],
35 name: 'idx_direct_debit_collections_org_status_scheduled',
36 },
37 {
38 fields: ['externalReference'],
39 name: 'idx_direct_debit_collections_external_ref',
40 },
41 ],
42 })
43 export class _DirectDebitCollection extends Model {
44 @Column({
45 type: DataType.UUID,
46 primaryKey: true,
47 defaultValue: DataType.UUIDV4,
48 })
49 declare id: string;
50
51 @Column({
52 type: DataType.UUID,
53 allowNull: false,
54 })
55 declare organizationId: string;
56
57 @ForeignKey(() => _DirectDebitMandate)
58 @Column({
59 type: DataType.UUID,
60 allowNull: false,
61 })
62 declare mandateId: string;
63
64 @BelongsTo(() => _DirectDebitMandate)
65 declare mandate: _DirectDebitMandate;
66
67 @Column({
68 type: DataType.INTEGER,
69 allowNull: true,
70 })
71 declare policyOrderId: number | null;
72
73 @Column({
74 type: DataType.STRING(50),
75 allowNull: false,
76 })
77 declare providerKey: string;
78
79 @Column({
80 type: DataType.DECIMAL(15, 2),
81 allowNull: false,
82 })
83 declare amount: number;
84
85 @Column({
86 type: DataType.STRING(3),
87 allowNull: false,
88 })
89 declare currency: string;
90
91 @Column({
92 type: DataType.ENUM(...Object.values(CollectionStatus)),
93 allowNull: false,
94 defaultValue: CollectionStatus.SCHEDULED,
95 })
96 declare status: CollectionStatus;
97
98 @Column({
99 type: DataType.DATE,
100 allowNull: false,
101 })
102 declare scheduledFor: Date;
103
104 @Column({
105 type: DataType.DATE,
106 allowNull: true,
107 })
108 declare submittedAt: Date | null;
109
110 @Column({
111 type: DataType.DATE,
112 allowNull: true,
113 })
114 declare settledAt: Date | null;
115
116 @Column({
117 type: DataType.INTEGER,
118 allowNull: false,
119 defaultValue: 0,
120 })
121 declare retryCount: number;
122
123 @Column({
124 type: DataType.INTEGER,
125 allowNull: false,
126 defaultValue: 3,
127 })
128 declare maxRetries: number;
129
130 @Column({
131 type: DataType.TEXT,
132 allowNull: true,
133 })
134 declare failureReason: string | null;
135
136 @Column({
137 type: DataType.STRING(255),
138 allowNull: true,
139 })
140 declare externalReference: string | null;
141
142 @Column({
143 type: DataType.STRING(255),
144 allowNull: true,
145 })
146 declare fileReference: string | null;
147
148 @Column({
149 type: DataType.BOOLEAN,
150 allowNull: false,
151 defaultValue: false,
152 })
153 declare flagged: boolean;
154
155 @Column({
156 type: DataType.JSONB,
157 allowNull: true,
158 })
159 declare metadata: Record<string, unknown> | null;
160
161 declare createdAt: Date;
162 declare updatedAt: Date;
163 }
164 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":1,"limit":25}1 import { randomUUID } from 'crypto';
2 import { Op } from 'sequelize';
3 import { StatusError } from '@/error/error.js';
4 import logger from '@/logger.js';
5 import {
6 DirectDebitMandate,
7 MandateStatus,
8 DirectDebitProvider,
9 } from '@/models/DirectDebitMandate.js';
10 import { DirectDebitCollection, CollectionStatus } from '@/models/DirectDebitCollection.js';
11 import { PaymentProviderConfig } from '@/models/PaymentProviderConfig.js';
12 import { PolicyOrder } from '@/models/PolicyOrder.js';
13 import { PolicyStatusLifecycleCategory } from '@/models/OrganizationPolicyStatus.js';
14 import { getCategoryForCode, getDefaultCodeForCategory } from '@/services/policyStatusService.js';
15 import {
16 getDirectDebitProvider,
17 isDirectDebitProvider,
18 } from '@/domains/payments/directDebit/registry.js';
19 import type {
20 BankAccount,
21 BankDirectDebitProvider,
22 CollectionFileEntry,
23 ReturnRecord,
24 } from '@/domains/payments/directDebit/interface.js';
25 {"command":"grep -n \"DirectDebit\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/db.ts | head -20"}grep: /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/db.ts: No such file or directory
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/interface.ts"}1 // ─────────────────────────────────────────────────────────────────────────────
2 // Bank direct-debit connectors (Nordic rails: Autogiro SE, Betalingsservice DK).
3 //
4 // These are STATELESS, like the card-provider connectors in ../providers: they
5 // receive plain data and return file content / parsed records. They never touch
6 // the database or import models — orchestration (mandates, scheduling, retries,
7 // reconciliation) lives in src/services/directDebitService.ts.
8 //
9 // The schemes are file-based batch rails, not real-time APIs: we GENERATE a
10 // mandate-request file and a collection (payment) file to send to the bank, and
11 // CONSUME a return/settlement file the bank sends back. `buildReturnFile` exists
12 // so dev/test (and the CRM "simulate" action) can synthesise a bank response;
13 // production ingests the bank's own file through `parseReturnFile`.
14 // ─────────────────────────────────────────────────────────────────────────────
15
16 export interface BankAccount {
17 country: string;
18 // SE: clearing number (4–5 digits). DK: registreringsnummer (4 digits).
19 clearingNumber?: string | null;
20 accountNumber: string;
21 accountHolder: string;
22 }
23
24 export interface AccountValidationResult {
25 valid: boolean;
26 errors: string[];
27 }
28
29 export interface MandateFileEntry {
30 mandateReference: string;
31 payerNumber?: string | null;
32 account: BankAccount;
33 }
34
35 export interface CollectionFileEntry {
36 // Unique per debit — written into the file and echoed back in the return file.
37 externalReference: string;
38 mandateReference: string;
39 payerNumber?: string | null;
40 account: BankAccount;
41 amount: number; // major units, e.g. 199.00
42 currency: string;
43 dueDate: Date;
44 reference?: string; // free-text payment reference (e.g. policy id)
45 }
46
47 export type ReturnOutcome = 'settled' | 'failed';
48
49 export interface ReturnRecord {
50 externalReference: string;
51 outcome: ReturnOutcome;
52 reason?: string;
53 settledAmount?: number;
54 }
55
56 export interface BankDirectDebitProvider {
57 readonly key: string;
58 readonly country: string;
59 readonly scheme: string;
60
61 validateAccount(account: BankAccount): AccountValidationResult;
62
63 // Outbound: file sent to the bank to register new mandates. `creditorId` is
64 // the payee identity from org config (SE Bankgiro number / DK PBS number).
65 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string;
66
67 // Outbound: file sent to the bank requesting the listed debits.
68 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string;
69
70 // Outbound (dev/test/simulation only): synthesise a bank return file.
71 buildReturnFile(records: ReturnRecord[]): string;
72
73 // Inbound: parse the bank's return/settlement file into normalized records.
74 parseReturnFile(content: string): ReturnRecord[];
75 }
76 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/registry.ts"}1 import type { BankDirectDebitProvider } from './interface.js';
2 import { AutogiroProvider } from './autogiro.js';
3 import { BetalingsserviceProvider } from './betalingsservice.js';
4
5 // Stateless connectors — instantiate once and reuse. Unlike the card providers,
6 // these hold no per-org credentials (the creditor identity is passed per call),
7 // so a singleton instance per scheme is safe.
8 const providers: Record<string, BankDirectDebitProvider> = {
9 autogiro: new AutogiroProvider(),
10 betalingsservice: new BetalingsserviceProvider(),
11 };
12
13 export const DIRECT_DEBIT_PROVIDER_KEYS = Object.keys(providers);
14
15 export function isDirectDebitProvider(providerKey: string): boolean {
16 return providerKey in providers;
17 }
18
19 export function getDirectDebitProvider(providerKey: string): BankDirectDebitProvider {
20 const provider = providers[providerKey];
21 if (!provider) {
22 throw new Error(`Unknown direct-debit provider: ${providerKey}`);
23 }
24 return provider;
25 }
26 {"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db -name \"*.ts\" -type f | head -10"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.04.15T00.00.01.make-rls-permissive-when-context-unset.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.04.28T00.00.01.seed-suspension-reinstatement-templates.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.11.10T00.00.06.remove-coverage-pricing-version.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.30T19.54.01.fix-claim-foreign-key-to-policy-orders.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.01.30T00.00.00.create-customers-table.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.09.19T00.00.01.create-user-organizations.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.01.17.add-organization-id-to-business-tables.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.03.26T00.00.03.add-title-to-claims-policies-quotes.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.09.16T17.01.00.fix-policy-parameter-category-page-id-nullable-v2.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.08.26T12.30.00.seed-module-endpoint-cancel-policy.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/autogiro.ts"}1 // Autogiro (Bankgirot, Sweden) — file-based recurring direct debit.
2 //
3 // Implements the BankDirectDebitProvider contract with the Autogiro
4 // "Betalningsspecifikation" fixed-width 80-char record layout. Transaction
5 // codes (TK) follow the Bankgirot Autogiro spec: TK01 opening, TK04 new
6 // mandate, TK82 incoming debit, TK09 end. This is a faithful structural model
7 // of the rail (positional records, öre amounts, payer/Bankgiro numbers) — not a
8 // byte-certified bank submission, which would be finalized against Bankgirot's
9 // test environment during go-live.
10
11 import type {
12 AccountValidationResult,
13 BankAccount,
14 BankDirectDebitProvider,
15 CollectionFileEntry,
16 MandateFileEntry,
17 ReturnRecord,
18 } from './interface.js';
19 import { digitsOnly, fromMinorUnits, minorUnits, padRight, padZero, yyyymmdd } from './format.js';
20
21 const RECORD_WIDTH = 80;
22
23 function fit(line: string): string {
24 return padRight(line, RECORD_WIDTH);
25 }
26
27 export class AutogiroProvider implements BankDirectDebitProvider {
28 readonly key = 'autogiro';
29 readonly country = 'SE';
30 readonly scheme = 'Autogiro';
31
32 validateAccount(account: BankAccount): AccountValidationResult {
33 const errors: string[] = [];
34 if (account.country && account.country.toUpperCase() !== 'SE') {
35 errors.push(`Autogiro requires a Swedish (SE) account, got "${account.country}"`);
36 }
37 if (!account.accountHolder?.trim()) {
38 errors.push('accountHolder is required');
39 }
40 const clearing = digitsOnly(account.clearingNumber ?? '');
41 if (clearing.length < 4 || clearing.length > 5) {
42 errors.push('clearingNumber must be 4–5 digits (Swedish clearing number)');
43 }
44 const acc = digitsOnly(account.accountNumber ?? '');
45 if (acc.length < 7 || acc.length > 12) {
46 errors.push('accountNumber must be 7–12 digits');
47 }
48 return { valid: errors.length === 0, errors };
49 }
50
51 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string {
52 const lines: string[] = [];
53 // TK01 — opening record: date, "AUTOGIRO", payee Bankgiro number.
54 lines.push(fit(`01${yyyymmdd(new Date())}AUTOGIRO${padZero(digitsOnly(creditorId), 10)}MEDGIVANDE`));
55 for (const e of entries) {
56 // TK04 — new mandate (medgivande). Payer number defaults to our mandate
57 // reference when the payee hasn't assigned a separate Betalarnummer.
58 const payer = padRight(e.payerNumber || e.mandateReference, 16);
59 const clearing = padZero(digitsOnly(e.account.clearingNumber ?? ''), 5);
60 const acct = padZero(digitsOnly(e.account.accountNumber), 12);
61 const holder = padRight(e.account.accountHolder, 24);
62 lines.push(fit(`04${payer}${clearing}${acct}${holder}`));
63 }
64 return lines.join('\n') + '\n';
65 }
66
67 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string {
68 const lines: string[] = [];
69 lines.push(fit(`01${yyyymmdd(new Date())}AUTOGIRO${padZero(digitsOnly(creditorId), 10)}${padRight(fileReference, 12)}`));
70 let total = 0;
71 for (const e of entries) {
72 // TK82 — incoming debit. due date | payer number | amount (öre) |
73 // our external reference | free-text reference.
74 const due = yyyymmdd(e.dueDate);
75 const payer = padRight(e.payerNumber || e.mandateReference, 16);
76 const amount = minorUnits(e.amount, 12);
77 const ref = padRight(e.externalReference, 20);
78 const text = padRight(e.reference ?? '', 22);
79 lines.push(`82${due}${payer}${amount}${ref}${text}`);
80 total += Math.round(Number(e.amount) * 100);
81 }
82 // TK09 — end record: payee Bankgiro | record count | total (öre).
83 lines.push(fit(`09${padZero(digitsOnly(creditorId), 10)}${padZero(String(entries.length), 8)}${padZero(String(total), 18)}`));
84 return lines.join('\n') + '\n';
85 }
86
87 buildReturnFile(records: ReturnRecord[]): string {
88 // TK82 settlement/return: status "00" = settled, otherwise a reject code.
89 const lines = records.map((r) => {
90 const ref = padRight(r.externalReference, 35);
91 const status = r.outcome === 'settled' ? '00' : padZero(digitsOnly(r.reason ?? '') || '99', 2);
92 const amount = minorUnits(r.settledAmount ?? 0, 12);
93 const reason = padRight(r.outcome === 'settled' ? 'GODKAND' : (r.reason ?? 'AVVISAD'), 29);
94 return `82${ref}${status}${amount}${reason}`;
95 });
96 return lines.join('\n') + '\n';
97 }
98
99 parseReturnFile(content: string): ReturnRecord[] {
100 const records: ReturnRecord[] = [];
101 for (const raw of content.split(/\r?\n/)) {
102 if (!raw.startsWith('82')) continue;
103 const ref = raw.slice(2, 37).trim();
104 if (!ref) continue;
105 const status = raw.slice(37, 39).trim();
106 const amount = raw.slice(39, 51);
107 const reason = raw.slice(51).trim();
108 const settled = status === '00';
109 records.push({
110 externalReference: ref,
111 outcome: settled ? 'settled' : 'failed',
112 reason: settled ? undefined : reason || `reject ${status}`,
113 settledAmount: settled ? fromMinorUnits(amount) : undefined,
114 });
115 }
116 return records;
117 }
118 }
119 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/betalingsservice.ts"}1 // Betalingsservice (Nets / Mastercard Payment Services, Denmark) — file-based
2 // recurring direct debit.
3 //
4 // Implements the BankDirectDebitProvider contract with a fixed-width record
5 // layout modelled on the Betalingsservice "leverance" structure: a header
6 // (HD) carrying the creditor's PBS/debitor-group number, mandate records (MD),
7 // payment records (BT) with registreringsnummer + kontonummer + amount in øre,
8 // and a trailer (SL) with totals. As with the Autogiro connector this is a
9 // faithful structural model of the rail, to be byte-certified against the Nets
10 // test environment at go-live.
11
12 import type {
13 AccountValidationResult,
14 BankAccount,
15 BankDirectDebitProvider,
16 CollectionFileEntry,
17 MandateFileEntry,
18 ReturnRecord,
19 } from './interface.js';
20 import { digitsOnly, fromMinorUnits, minorUnits, padRight, padZero, yyyymmdd } from './format.js';
21
22 export class BetalingsserviceProvider implements BankDirectDebitProvider {
23 readonly key = 'betalingsservice';
24 readonly country = 'DK';
25 readonly scheme = 'Betalingsservice';
26
27 validateAccount(account: BankAccount): AccountValidationResult {
28 const errors: string[] = [];
29 if (account.country && account.country.toUpperCase() !== 'DK') {
30 errors.push(`Betalingsservice requires a Danish (DK) account, got "${account.country}"`);
31 }
32 if (!account.accountHolder?.trim()) {
33 errors.push('accountHolder is required');
34 }
35 const reg = digitsOnly(account.clearingNumber ?? '');
36 if (reg.length !== 4) {
37 errors.push('clearingNumber must be a 4-digit registreringsnummer');
38 }
39 const acc = digitsOnly(account.accountNumber ?? '');
40 if (acc.length < 1 || acc.length > 10) {
41 errors.push('accountNumber must be 1–10 digits (kontonummer)');
42 }
43 return { valid: errors.length === 0, errors };
44 }
45
46 buildMandateFile(entries: MandateFileEntry[], creditorId: string): string {
47 const lines: string[] = [];
48 // HD — header: PBS/debitor-group number + delivery date.
49 lines.push(`HD${padZero(digitsOnly(creditorId), 15)}${yyyymmdd(new Date())}TILMELDING`);
50 for (const e of entries) {
51 // MD — new mandate (tilmelding). Debitor (payer) number defaults to our
52 // mandate reference. reg number (4) + account (10).
53 const payer = padRight(e.payerNumber || e.mandateReference, 15);
54 const reg = padZero(digitsOnly(e.account.clearingNumber ?? ''), 4);
55 const acct = padZero(digitsOnly(e.account.accountNumber), 10);
56 const holder = padRight(e.account.accountHolder, 32);
57 lines.push(`MD${payer}${reg}${acct}${holder}`);
58 }
59 return lines.join('\n') + '\n';
60 }
61
62 buildCollectionFile(entries: CollectionFileEntry[], fileReference: string, creditorId: string): string {
63 const lines: string[] = [];
64 lines.push(`HD${padZero(digitsOnly(creditorId), 15)}${yyyymmdd(new Date())}${padRight(fileReference, 12)}`);
65 let total = 0;
66 for (const e of entries) {
67 // BT — betaling (debit). due date | debitor number | reg | account |
68 // amount (øre) | external reference | free-text.
69 const due = yyyymmdd(e.dueDate);
70 const payer = padRight(e.payerNumber || e.mandateReference, 15);
71 const reg = padZero(digitsOnly(e.account.clearingNumber ?? ''), 4);
72 const acct = padZero(digitsOnly(e.account.accountNumber), 10);
73 const amount = minorUnits(e.amount, 13);
74 const ref = padRight(e.externalReference, 20);
75 const text = padRight(e.reference ?? '', 20);
76 lines.push(`BT${due}${payer}${reg}${acct}${amount}${ref}${text}`);
77 total += Math.round(Number(e.amount) * 100);
78 }
79 // SL — trailer: record count + total (øre).
80 lines.push(`SL${padZero(String(entries.length), 8)}${padZero(String(total), 18)}`);
81 return lines.join('\n') + '\n';
82 }
83
84 buildReturnFile(records: ReturnRecord[]): string {
85 // RT — return record. status "0000" = settled (gennemført), else reject.
86 const lines = records.map((r) => {
87 const ref = padRight(r.externalReference, 35);
88 const status = r.outcome === 'settled' ? '0000' : padZero(digitsOnly(r.reason ?? '') || '0099', 4);
89 const amount = minorUnits(r.settledAmount ?? 0, 13);
90 const reason = padRight(r.outcome === 'settled' ? 'GENNEMFOERT' : (r.reason ?? 'AFVIST'), 28);
91 return `RT${ref}${status}${amount}${reason}`;
92 });
93 return lines.join('\n') + '\n';
94 }
95
96 parseReturnFile(content: string): ReturnRecord[] {
97 const records: ReturnRecord[] = [];
98 for (const raw of content.split(/\r?\n/)) {
99 if (!raw.startsWith('RT')) continue;
100 const ref = raw.slice(2, 37).trim();
101 if (!ref) continue;
102 const status = raw.slice(37, 41).trim();
103 const amount = raw.slice(41, 54);
104 const reason = raw.slice(54).trim();
105 const settled = status === '0000';
106 records.push({
107 externalReference: ref,
108 outcome: settled ? 'settled' : 'failed',
109 reason: settled ? undefined : reason || `reject ${status}`,
110 settledAmount: settled ? fromMinorUnits(amount) : undefined,
111 });
112 }
113 return records;
114 }
115 }
116 {"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src -name \"*.ts\" -type f | xargs grep -l \"sequelize.*new\\|Sequelize(\" | head -5"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/lib/safe-model.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/db.ts
{"command":"grep -n \"DirectDebit\\|_DirectDebit\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/db.ts"}65:import { _DirectDebitMandate } from './internal/_DirectDebitMandate';
66:import { _DirectDebitCollection } from './internal/_DirectDebitCollection';
320: _DirectDebitMandate,
321: _DirectDebitCollection,{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts"}1 import { Organization } from '@/models/Organization.js';
2 import { jobQueue } from '@/services/jobQueue.js';
3 import { submitDueCollections } from '@/services/directDebitService.js';
4 import logger from '@/logger.js';
5
6 const JOB_TYPE = 'direct_debit_collection_batch';
7
8 /**
9 * Hourly picker for due direct-debit collections. Runs per-org so RLS context is
10 * enforced on every read (same pattern as claim-payout-batch). Submitting due
11 * collections is idempotent at the row level — submitDueCollections only moves
12 * SCHEDULED/RETRYING rows whose scheduledFor has passed, so a missed fire or a
13 * worker restart self-heals on the next run.
14 */
15 async function handleDirectDebitCollectionBatch() {
16 const organizations = await Organization.findAll({ attributes: ['id'] });
17 let totalSubmitted = 0;
18
19 for (const org of organizations) {
20 try {
21 const files = await submitDueCollections(org.id);
22 totalSubmitted += files.reduce((sum, f) => sum + f.count, 0);
23 } catch (err) {
24 logger.error(
25 { organizationId: org.id, err: err instanceof Error ? err.message : String(err) },
26 'Direct-debit collection batch: failed to process organization',
27 );
28 }
29 }
30
31 if (totalSubmitted > 0) {
32 logger.info(
33 { count: totalSubmitted, orgCount: organizations.length },
34 'Direct-debit collection batch: submitted due collections',
35 );
36 }
37 }
38
39 export function registerDirectDebitCollectionBatchJob() {
40 jobQueue.register(JOB_TYPE, handleDirectDebitCollectionBatch, {
41 concurrency: 1,
42 defaultJobOptions: {
43 attempts: 3,
44 backoff: { type: 'exponential', delay: 30_000 },
45 removeOnComplete: { age: 24 * 3600, count: 100 },
46 removeOnFail: { age: 7 * 24 * 3600 },
47 },
48 });
49 }
50
51 /**
52 * Start the recurring schedule. Safe to call multiple times — BullMQ dedupes by
53 * jobId. Call once on worker startup.
54 */
55 export async function scheduleDirectDebitCollectionBatch() {
56 await jobQueue.scheduleRepeating(
57 JOB_TYPE,
58 {},
59 '0 * * * *', // every hour on the hour, UTC
60 `${JOB_TYPE}:hourly`,
61 );
62 }
63 {"command":"npm run tsc 2>&1 | head -100"}npm error Missing script: "tsc" npm error npm error To see a list of scripts, run: npm error npm run npm error A complete log of this run can be found in: /Users/bakker/.npm/_logs/2026-06-01T12_15_31_311Z-debug-0.log
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":395,"limit":31}395 async function reconcileSettlementToPolicy(
396 ctx: Ctx,
397 collection: DirectDebitCollection,
398 ): Promise<void> {
399 if (!collection.policyOrderId) return;
400 try {
401 const policyOrder = await PolicyOrder.findByPk(ctx, collection.policyOrderId);
402 if (!policyOrder) return;
403
404 const update: Record<string, unknown> = {
405 externalPaymentRef: collection.externalReference,
406 externalPaymentProvider: collection.providerKey,
407 };
408 const category = await getCategoryForCode(ctx.organizationId, policyOrder.status);
409 if (category === PolicyStatusLifecycleCategory.PENDING) {
410 update.status = await getDefaultCodeForCategory(
411 ctx.organizationId,
412 PolicyStatusLifecycleCategory.ACTIVE,
413 );
414 }
415 await policyOrder.update(update);
416 logger.info(
417 { organizationId: ctx.organizationId, policyOrderId: collection.policyOrderId, collectionId: collection.id },
418 'Reconciled direct-debit settlement to policy',
419 );
420 } catch (err) {
421 logger.warn(
422 { err, collectionId: collection.id, policyOrderId: collection.policyOrderId },
423 'Failed to reconcile direct-debit settlement to policy',
424 );
425 }{"command":"npm run 2>&1 | grep -E \"tsc|build|check\""} embed-checkout:reconcile
tsx src/scripts/embed-checkout-reconcile.ts 2>&1
translate:rebuild
dotenv -e .env -- lmt-translate -v --rebuild
format:check
prettier --check .
check:imports
bash scripts/check-internal-imports.sh
check:migrations
tsx scripts/check-migration-tenant-rls.ts
eslint . && npm run check:imports && npm run check:migrations
type-check
tsc --noEmit
check-all
npm run type-check && npm run lint && npm run format:check && npm run security-audit && npm run knip{"command":"grep -A2 \"policyOrderId\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts"} policyOrderId: {
type: DataTypes.INTEGER,
allowNull: true,{"command":"npm run type-check 2>&1 | head -100"}> Sherpa [email protected] type-check > tsc --noEmit sh: tsc: command not found
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":277,"limit":56}277 export async function submitDueCollections(
278 organizationId: string,
279 providerKey?: string,
280 ): Promise<{ providerKey: string; fileReference: string; content: string; count: number }[]> {
281 const ctx = { organizationId };
282 const providerKeys = providerKey ? [providerKey] : Object.values(DirectDebitProvider);
283 const results: { providerKey: string; fileReference: string; content: string; count: number }[] = [];
284
285 for (const key of providerKeys) {
286 const provider = assertDirectDebitProvider(key);
287 const due = await DirectDebitCollection.findAll(ctx, {
288 where: {
289 providerKey: key,
290 status: { [Op.in]: [CollectionStatus.SCHEDULED, CollectionStatus.RETRYING] },
291 scheduledFor: { [Op.lte]: new Date() },
292 },
293 order: [['scheduledFor', 'ASC']],
294 limit: 500,
295 });
296 if (due.length === 0) continue;
297
298 const creditorId = await resolveCreditorId(ctx, key);
299 const fileReference = `${PROVIDER_PREFIX[key] ?? 'DD'}-FILE-${randomUUID().slice(0, 8).toUpperCase()}`;
300 const entries: CollectionFileEntry[] = [];
301
302 for (const collection of due) {
303 const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
304 if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
305 await collection.update({
306 status: CollectionStatus.FAILED,
307 failureReason: 'Mandate is not active',
308 flagged: true,
309 });
310 continue;
311 }
312 const externalReference = generateReference(key, 'COL');
313 await collection.update({
314 status: CollectionStatus.SUBMITTED,
315 submittedAt: new Date(),
316 externalReference,
317 fileReference,
318 failureReason: null,
319 });
320 entries.push(toFileEntry(collection, mandate));
321 }
322
323 if (entries.length === 0) continue;
324 const content = provider.buildCollectionFile(entries, fileReference, creditorId);
325 results.push({ providerKey: key, fileReference, content, count: entries.length });
326 logger.info(
327 { organizationId, providerKey: key, fileReference, count: entries.length },
328 'Direct-debit collection file generated',
329 );
330 }
331
332 return results;{"command":"grep -r \"DirectDebitProvider\\|CollectionStatus\\|MandateStatus\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src --include=\"*.ts\" | grep -v node_modules | grep -E \"(enum|type|interface)\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/interface.ts:export interface BankDirectDebitProvider {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/registry.ts:import type { BankDirectDebitProvider } from './interface.js';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts:export enum CollectionStatus {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts: type: DataType.ENUM(...Object.values(CollectionStatus)),
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts:export enum DirectDebitProvider {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts:export enum MandateStatus {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts: // ClaimPayout.providerKey are all strings). The DirectDebitProvider union types
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts: type: DataType.ENUM(...Object.values(MandateStatus)),{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":258,"limit":12}258 function toFileEntry(collection: DirectDebitCollection, mandate: DirectDebitMandate): CollectionFileEntry {
259 return {
260 externalReference: collection.externalReference!,
261 mandateReference: mandate.mandateReference,
262 payerNumber: mandate.payerNumber,
263 account: mandateAccount(mandate),
264 amount: Number(collection.amount),
265 currency: collection.currency,
266 dueDate: collection.scheduledFor,
267 reference: collection.policyOrderId ? `PO-${collection.policyOrderId}` : collection.id,
268 };
269 }{"command":"grep -n \"Number(\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}232: const amount = Number(input.amount); 264: amount: Number(collection.amount), 533: settledAmount: outcome === 'settled' ? Number(collection.amount) : undefined,
{"command":"grep -n \"amount\\|Amount\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | head -20"}218: amount: number;
232: const amount = Number(input.amount);
233: if (!Number.isFinite(amount) || amount <= 0) {
234: throw new StatusError(400, 'amount must be a positive number');
245: amount,
264: amount: Number(collection.amount),
533: settledAmount: outcome === 'settled' ? Number(collection.amount) : undefined,{"command":"grep -A 5 \"fastify.post.*collections'\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts | head -30"}{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":302,"limit":21}302 for (const collection of due) {
303 const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
304 if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
305 await collection.update({
306 status: CollectionStatus.FAILED,
307 failureReason: 'Mandate is not active',
308 flagged: true,
309 });
310 continue;
311 }
312 const externalReference = generateReference(key, 'COL');
313 await collection.update({
314 status: CollectionStatus.SUBMITTED,
315 submittedAt: new Date(),
316 externalReference,
317 fileReference,
318 failureReason: null,
319 });
320 entries.push(toFileEntry(collection, mandate));
321 }
322 fastify.post('/collections', {
schema: {
description: 'Schedule a recurring premium collection against an active mandate. Optionally link a PolicyOrder so settlement reconciles to the policy payment status.',
tags: [TAG],
security: [{ clientCredentials: [] }],
body: {{"command":"grep -n \"required\\|properties\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts"}24: throw new StatusError(401, 'Organization context required');
41: properties: {
67: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
83: required: ['providerKey', 'productId', 'accountHolder', 'country', 'accountNumber'],
84: properties: {
110: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
123: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
124: body: { type: 'object', properties: { payerNumber: { type: 'string' } } },
137: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
154: properties: {
182: required: ['mandateId', 'amount', 'currency'],
183: properties: {
205: body: { type: 'object', properties: { providerKey: { type: 'string', enum: PROVIDER_KEYS } } },
221: required: ['providerKey'],
222: properties: { providerKey: { type: 'string', enum: PROVIDER_KEYS } },
236: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
249: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
252: required: ['outcome'],
253: properties: {
279: required: ['providerKey', 'content'],
280: properties: {{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts"}1 import type { MigrationFn } from 'umzug';
2 import { QueryInterface, DataTypes } from 'sequelize';
3
4 // Nordic bank direct debit (Autogiro SE / Betalingsservice DK).
5 //
6 // `DirectDebitMandates` — the customer's standing authorization to debit a bank
7 // account, with a pending → active → revoked lifecycle. One row per
8 // customer+product authorization; `mandateReference` is our stable identifier
9 // (also written into the generated bank file).
10 //
11 // `DirectDebitCollections` — one recurring debit instruction against a mandate.
12 // Scheduled → submitted (written into a collection file) → settled OR failed.
13 // A failed collection reschedules as `retrying` until `maxRetries`, then sets
14 // `flagged` so an operator can intervene. Settlement reconciles back to the
15 // linked PolicyOrder's payment status.
16 //
17 // Both are tenant-scoped tables using the standard permissive RLS template
18 // (check:migrations enforces it for new tenant tables — see src/db/AGENTS.md).
19
20 const rlsTables = ['DirectDebitMandates', 'DirectDebitCollections'];
21
22 export const up: MigrationFn<QueryInterface> = async ({ context }) => {
23 await context.createTable('DirectDebitMandates', {
24 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
25 organizationId: { type: DataTypes.UUID, allowNull: false },
26 providerKey: { type: DataTypes.STRING(50), allowNull: false },
27 productId: {
28 type: DataTypes.INTEGER,
29 allowNull: false,
30 references: { model: 'Products', key: 'id' },
31 onDelete: 'CASCADE',
32 },
33 customerId: { type: DataTypes.UUID, allowNull: true },
34 status: {
35 type: DataTypes.ENUM('pending', 'active', 'revoked'),
36 allowNull: false,
37 defaultValue: 'pending',
38 },
39 country: { type: DataTypes.STRING(2), allowNull: false },
40 accountHolder: { type: DataTypes.STRING(255), allowNull: false },
41 // SE: clearing number; DK: registreringsnummer. Optional because some
42 // schemes identify the payer by `payerNumber` alone after activation.
43 clearingNumber: { type: DataTypes.STRING(20), allowNull: true },
44 accountNumber: { type: DataTypes.STRING(50), allowNull: false },
45 bankName: { type: DataTypes.STRING(255), allowNull: true },
46 // Our stable mandate identifier, written into the bank mandate-request file.
47 mandateReference: { type: DataTypes.STRING(100), allowNull: false },
48 // Provider/bank-assigned payer number, captured from the mandate return file.
49 payerNumber: { type: DataTypes.STRING(50), allowNull: true },
50 signedAt: { type: DataTypes.DATE, allowNull: true },
51 activatedAt: { type: DataTypes.DATE, allowNull: true },
52 revokedAt: { type: DataTypes.DATE, allowNull: true },
53 failureReason: { type: DataTypes.TEXT, allowNull: true },
54 metadata: { type: DataTypes.JSONB, allowNull: true },
55 createdAt: { type: DataTypes.DATE, allowNull: false },
56 updatedAt: { type: DataTypes.DATE, allowNull: false },
57 });
58 await context.addIndex('DirectDebitMandates', ['organizationId', 'mandateReference'], {
59 unique: true,
60 name: 'direct_debit_mandates_org_reference_unique',
61 });
62 await context.addIndex('DirectDebitMandates', ['organizationId', 'status'], {
63 name: 'idx_direct_debit_mandates_org_status',
64 });
65 await context.addIndex('DirectDebitMandates', ['organizationId', 'productId'], {
66 name: 'idx_direct_debit_mandates_org_product',
67 });
68
69 await context.createTable('DirectDebitCollections', {
70 id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
71 organizationId: { type: DataTypes.UUID, allowNull: false },
72 mandateId: {
73 type: DataTypes.UUID,
74 allowNull: false,
75 references: { model: 'DirectDebitMandates', key: 'id' },
76 onDelete: 'CASCADE',
77 },
78 policyOrderId: {
79 type: DataTypes.INTEGER,
80 allowNull: true,
81 references: { model: 'PolicyOrders', key: 'id' },
82 onDelete: 'SET NULL',
83 },
84 providerKey: { type: DataTypes.STRING(50), allowNull: false },
85 amount: { type: DataTypes.DECIMAL(15, 2), allowNull: false },
86 currency: { type: DataTypes.STRING(3), allowNull: false },
87 status: {
88 type: DataTypes.ENUM('scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'),
89 allowNull: false,
90 defaultValue: 'scheduled',
91 },
92 scheduledFor: { type: DataTypes.DATE, allowNull: false },
93 submittedAt: { type: DataTypes.DATE, allowNull: true },
94 settledAt: { type: DataTypes.DATE, allowNull: true },
95 retryCount: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 0 },
96 maxRetries: { type: DataTypes.INTEGER, allowNull: false, defaultValue: 3 },
97 failureReason: { type: DataTypes.TEXT, allowNull: true },
98 // Bank/provider transaction reference, also used to reconcile the return file.
99 externalReference: { type: DataTypes.STRING(255), allowNull: true },
100 // Identifier of the collection file this debit was submitted in.
101 fileReference: { type: DataTypes.STRING(255), allowNull: true },
102 // Set when retries are exhausted — surfaces in the CRM for operator action.
103 flagged: { type: DataTypes.BOOLEAN, allowNull: false, defaultValue: false },
104 metadata: { type: DataTypes.JSONB, allowNull: true },
105 createdAt: { type: DataTypes.DATE, allowNull: false },
106 updatedAt: { type: DataTypes.DATE, allowNull: false },
107 });
108 await context.addIndex('DirectDebitCollections', ['mandateId'], {
109 name: 'idx_direct_debit_collections_mandate',
110 });
111 await context.addIndex('DirectDebitCollections', ['organizationId', 'status'], {
112 name: 'idx_direct_debit_collections_org_status',
113 });
114 await context.addIndex('DirectDebitCollections', ['organizationId', 'status', 'scheduledFor'], {
115 name: 'idx_direct_debit_collections_org_status_scheduled',
116 });
117 await context.addIndex('DirectDebitCollections', ['externalReference'], {
118 name: 'idx_direct_debit_collections_external_ref',
119 });
120
121 // RLS — permissive template (unset GUC OR org match); safe-model WHERE is the
122 // primary filter. See src/db/AGENTS.md.
123 for (const table of rlsTables) {
124 await context.sequelize.query(`ALTER TABLE "${table}" ENABLE ROW LEVEL SECURITY`);
125 await context.sequelize.query(`ALTER TABLE "${table}" FORCE ROW LEVEL SECURITY`);
126 await context.sequelize.query(`DROP POLICY IF EXISTS tenant_isolation ON "${table}"`);
127 await context.sequelize.query(`
128 CREATE POLICY tenant_isolation ON "${table}"
129 FOR ALL
130 USING (
131 NULLIF(current_setting('app.current_organization', true), '') IS NULL
132 OR "organizationId" = NULLIF(current_setting('app.current_organization', true), '')::uuid
133 )
134 `);
135 await context.sequelize.query(`GRANT SELECT ON "${table}" TO dashboard_user`);
136 }
137 };
138
139 export const down: MigrationFn<QueryInterface> = async () => {
140 // Forward-only deployment
141 };
142 {"command":"grep -A20 \"\\.update\\(\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/lib/safe-model.ts | head -30"}grep: parentheses not balanced
{"command":"grep -n \"DirectDebit\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/db.ts"}Exit code 2 grep: /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/db.ts: No such file or directory
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/lib/safe-model.ts","limit":50}1 import type { FastifyRequest } from 'fastify';
2 import type { FindOptions, CreateOptions, ModelStatic, Model, BulkCreateOptions, CreationAttributes, UpdateOptions, DestroyOptions, CountOptions, FindOrCreateOptions, UpsertOptions, Identifier, Transaction, Sequelize, Attributes } from 'sequelize';
3 import { Op, QueryTypes } from 'sequelize';
4 import { StatusError } from '@/error/error.js';
5
6 let _sequelize: Sequelize | null = null;
7 const getSequelize = (): Sequelize => {
8 if (!_sequelize) throw new Error('safe-model: sequelize not initialized. Call initSafeModel() first.');
9 return _sequelize;
10 };
11 export const initSafeModel = (seq: Sequelize) => { _sequelize = seq; };
12
13 export type OrgCtx = { organizationId: string };
14
15 type CtxOrReq = OrgCtx | FastifyRequest;
16
17 export type ScopeMode = 'strict' | 'hierarchical';
18
19 declare module 'fastify' {
20 interface FastifyContextConfig {
21 scopeMode?: ScopeMode;
22 }
23 }
24
25 // Routes opt into cross-organization read scope by tagging
26 // `routeOptions.config.scopeMode = 'hierarchical'`. Everything else stays
27 // strict (own org only). The DB-side `current_organization_in_scope` RLS
28 // function only honors the closure-expanded scope set when scope_mode is
29 // hierarchical — so accidentally leaking a scope set on a strict route is
30 // still filtered to the singleton at the database boundary.
31 const resolveScopeMode = (req: FastifyRequest): ScopeMode => {
32 const config = req.routeOptions?.config as { scopeMode?: ScopeMode } | undefined;
33 return config?.scopeMode === 'hierarchical' ? 'hierarchical' : 'strict';
34 };
35
36 const resolveOrgId = (ctxOrReq: CtxOrReq): string => {
37 // 'raw' is always present on Fastify requests (the underlying http.IncomingMessage),
38 // while 'ident' may not be set on unauthenticated routes.
39 if ('raw' in ctxOrReq) {
40 const req = ctxOrReq as FastifyRequest;
41 const orgId = req.ident?.org?.id ?? req.clientAuth?.organizationId;
42 if (!orgId) throw new StatusError(401, 'Missing org context on request');
43 return orgId;
44 }
45 const orgId = (ctxOrReq as OrgCtx).organizationId;
46 if (!orgId) throw new StatusError(400, 'Missing organizationId in context');
47 return orgId;
48 };
49
50 const getOrgScope = async (orgId: string): Promise<string[]> => {{"command":"grep -B 2 -A 8 \"fastify.post.*mandates'\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts | head -30"} });
fastify.post('/mandates', {
schema: {
description: 'Create a direct-debit mandate. Validates the bank account against the provider scheme rules (Autogiro SE / Betalingsservice DK) and stores it pending bank confirmation.',
tags: [TAG],
security: [{ clientCredentials: [] }],
body: {
type: 'object',
required: ['providerKey', 'productId', 'accountHolder', 'country', 'accountNumber'],
properties: {{"command":"grep -n \"^ update\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/lib/safe-model.ts"}276: update: async (ctx: CtxOrReq, values: Partial<M['_attributes']>, options: Omit<UpdateOptions<M['_attributes']>, 'where'> & { where: any }) => {
357: update: async (ctx: CtxOrReq, values: Partial<M['_attributes']>, options: Omit<UpdateOptions<M['_attributes']>, 'where'> & { where: any }) => {{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db -name \"*.ts\" -type f | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.04.15T00.00.01.make-rls-permissive-when-context-unset.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.04.28T00.00.01.seed-suspension-reinstatement-templates.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.11.10T00.00.06.remove-coverage-pricing-version.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.30T19.54.01.fix-claim-foreign-key-to-policy-orders.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.01.30T00.00.00.create-customers-table.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.09.19T00.00.01.create-user-organizations.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.01.17.add-organization-id-to-business-tables.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.03.26T00.00.03.add-title-to-claims-policies-quotes.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.09.16T17.01.00.fix-policy-parameter-category-page-id-nullable-v2.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.08.26T12.30.00.seed-module-endpoint-cancel-policy.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.10.04T00.00.08.fix-user-email-unique-constraint.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.00.22.create-user-social-auths.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.03.23T00.00.02.add-external-transaction-id-to-policy-orders.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.10.09T00.00.01.add-cancelled-by-to-policy-orders.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.02.20T00.00.01.extend-claim-status-enum.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.00.59.create-policy-parameter.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.00.47.remove-simulation-commission-percentages.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.01.06T05.00.00.fix-user-organizations-rls-policy.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2025.07.20T00.01.42.create-claim-parameter.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrations/2026.05.19T00.00.05.normalize-compliance-operation.ts
{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db -name \"*.ts\" -type f ! -path \"*/migrations/*\" | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/migrate.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/test/hierarchicalRlsScope.apitest.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/db/umzug.ts
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/lib/safe-model.ts","offset":270,"limit":40}270 { ...options, transaction: t },
271 ),
272 );
273 return attachTenantCtxAll(rows, ctx);
274 },
275
276 update: async (ctx: CtxOrReq, values: Partial<M['_attributes']>, options: Omit<UpdateOptions<M['_attributes']>, 'where'> & { where: any }) => {
277 const orgId = resolveOrgId(ctx);
278 const where = { ...(options.where as any), organizationId: orgId } as any;
279 return withRls(orgId, [orgId], 'strict', options, (t) => raw.update(values, { ...options, where, transaction: t }));
280 },
281
282 destroy: async (ctx: CtxOrReq, options: Omit<DestroyOptions<M['_attributes']>, 'where'> & { where: any }) => {
283 const orgId = resolveOrgId(ctx);
284 const where = { ...(options.where as any), organizationId: orgId } as any;
285 return withRls(orgId, [orgId], 'strict', options, (t) => raw.destroy({ ...options, where, transaction: t }));
286 },
287
288 findOrCreate: async (ctx: CtxOrReq, options: FindOrCreateOptions<Attributes<M>, CreationAttributes<M>>) => {
289 const orgId = resolveOrgId(ctx);
290 const where = { ...(options.where as any), organizationId: orgId } as any;
291 const defaults = { ...(options.defaults as any), organizationId: orgId } as any;
292 const [instance, created] = await withRls(orgId, [orgId], 'strict', options, (t) => raw.findOrCreate({ ...options, where, defaults, transaction: t }));
293 return [attachTenantCtx(instance, ctx), created] as [M, boolean];
294 },
295
296 upsert: async (ctx: CtxOrReq, values: Omit<CreationAttributes<M>, 'organizationId'>, options?: UpsertOptions<Attributes<M>>) => {
297 const orgId = resolveOrgId(ctx);
298 return withRls(orgId, [orgId], 'strict', options, (t) =>
299 raw.upsert({ ...values, organizationId: orgId } as any, { ...options, transaction: t }),
300 );
301 },
302
303 /** Escape hatch: access the raw Sequelize model (e.g. for associations in include). */
304 raw,
305 });
306
307 /**
308 * Wrapper for models that do NOT carry their own organizationId column —
309 * they cascade tenant isolation from a parent (e.g.{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src -name \"db.ts\" -o -name \"database.ts\" -o -name \"sequelize.ts\" | head -5"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/db.ts
{"command":"grep -n \"await collection.update\\|await mandate.update\\|await policyOrder.update\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}167: await mandate.update({
186: await mandate.update({ status: MandateStatus.REVOKED, revokedAt: new Date() });
305: await collection.update({
313: await collection.update({
370: await collection.update({
415: await policyOrder.update(update);
450: await collection.update({
465: await collection.update({
477: await collection.update({{"command":"grep \"DirectDebit\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/db.ts"}import { _DirectDebitMandate } from './internal/_DirectDebitMandate';
import { _DirectDebitCollection } from './internal/_DirectDebitCollection';
_DirectDebitMandate,
_DirectDebitCollection,{"command":"find /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services -name \"*.ts\" -type f | xargs grep -A2 \"await.*\\.update(\" | head -30"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts: await row.update({ status: 'processing' });
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- await publishCrm(screeningId, {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- type: 'screening_started',
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts: await row.update({
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- status: 'completed',
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- outcome: result.outcome,
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts: await row.update({ status: 'failed', error: message });
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- await publishCrm(row.id, { type: 'screening_failed', data: { screeningId: row.id, error: message } });
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- await publishPublic(row.id, { type: 'screening_status_changed', data: { status: 'blocked' } });
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts: const [updatedCount] = await ComplianceCheck.update(
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- ctx,
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- {
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts: await row.update({
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- status: 'pending',
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/sanctionScreeningService.ts- outcome: null,
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/claimMessageService.ts: await ClaimMessage.update({ organizationId }, { readAt: new Date() }, { where: { id: { [Op.in]: unreadIds } } });
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/claimMessageService.ts- }
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/claimMessageService.ts-
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/claimMessageService.ts: await CustomerNotification.update({ organizationId },
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/claimMessageService.ts- { readAt: new Date() },
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/claimMessageService.ts- {
--
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/coverageRuleSync.apitest.ts: await coverage.update({ waitingPeriod: 90 });
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/coverageRuleSync.apitest.ts-
xargs: grep: terminated with signal 13; aborting{"command":"grep \"directDebitRoutes\\|direct-debit\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/app.ts"}(Bash completed with no output)
{"command":"grep -r \"directDebitRoutes\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src --include=\"*.ts\" | grep -v node_modules"}{"command":"grep -n \"throw\\|error\\|Error\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | head -20"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts:const directDebitRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts:export { directDebitRoutes };
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts:import { directDebitRoutes } from './directDebitRoutes.js';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts: await fastify.register(directDebitRoutes, { prefix: '/direct-debit' });3:import { StatusError } from '@/error/error.js';
44: throw new StatusError(400, `'${providerKey}' is not a bank direct-debit provider`);
64: throw new StatusError(
116: throw new StatusError(400, `Invalid bank account: ${validation.errors.join('; ')}`);
147: throw new StatusError(404, `Mandate ${mandateId} not found`);
165: throw new StatusError(400, 'Cannot activate a revoked mandate');
230: throw new StatusError(400, `Mandate must be active to schedule a collection (is "${mandate.status}")`);
234: throw new StatusError(400, 'amount must be a positive number');
237: throw new StatusError(400, 'currency is required');
365: throw new StatusError(404, `Collection ${collectionId} not found`);
368: throw new StatusError(400, `Only failed collections can be retried (is "${collection.status}")`);
522: throw new StatusError(404, `Collection ${collectionId} not found`);
525: throw new StatusError(400, 'Collection has not been submitted yet (no external reference)');{"command":"grep -n \"StatusError\\|throw\\|catch\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | head -30"}3:import { StatusError } from '@/error/error.js';
44: throw new StatusError(400, `'${providerKey}' is not a bank direct-debit provider`);
64: throw new StatusError(
116: throw new StatusError(400, `Invalid bank account: ${validation.errors.join('; ')}`);
147: throw new StatusError(404, `Mandate ${mandateId} not found`);
165: throw new StatusError(400, 'Cannot activate a revoked mandate');
230: throw new StatusError(400, `Mandate must be active to schedule a collection (is "${mandate.status}")`);
234: throw new StatusError(400, 'amount must be a positive number');
237: throw new StatusError(400, 'currency is required');
365: throw new StatusError(404, `Collection ${collectionId} not found`);
368: throw new StatusError(400, `Only failed collections can be retried (is "${collection.status}")`);
420: } catch (err) {
522: throw new StatusError(404, `Collection ${collectionId} not found`);
525: throw new StatusError(400, 'Collection has not been submitted yet (no external reference)');{"command":"grep -r \"registerDirectDebitCollectionBatchJob\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts:export function registerDirectDebitCollectionBatchJob() {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts:import { registerDirectDebitCollectionBatchJob, scheduleDirectDebitCollectionBatch } from './directDebitCollectionBatchJob.js';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts: registerDirectDebitCollectionBatchJob();{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","limit":60,"offset":222}222
223 export async function scheduleCollection(
224 organizationId: string,
225 input: ScheduleCollectionInput,
226 ): Promise<DirectDebitCollection> {
227 const ctx = { organizationId };
228 const mandate = await loadMandate(ctx, input.mandateId);
229 if (mandate.status !== MandateStatus.ACTIVE) {
230 throw new StatusError(400, `Mandate must be active to schedule a collection (is "${mandate.status}")`);
231 }
232 const amount = Number(input.amount);
233 if (!Number.isFinite(amount) || amount <= 0) {
234 throw new StatusError(400, 'amount must be a positive number');
235 }
236 if (!input.currency) {
237 throw new StatusError(400, 'currency is required');
238 }
239
240 const collection = await DirectDebitCollection.create(ctx, {
241 organizationId,
242 mandateId: mandate.id,
243 policyOrderId: input.policyOrderId ?? null,
244 providerKey: mandate.providerKey,
245 amount,
246 currency: input.currency.toUpperCase(),
247 status: CollectionStatus.SCHEDULED,
248 scheduledFor: input.scheduledFor ? new Date(input.scheduledFor) : new Date(),
249 retryCount: 0,
250 });
251 logger.info(
252 { organizationId, collectionId: collection.id, mandateId: mandate.id },
253 'Direct-debit collection scheduled',
254 );
255 return collection;
256 }
257
258 function toFileEntry(collection: DirectDebitCollection, mandate: DirectDebitMandate): CollectionFileEntry {
259 return {
260 externalReference: collection.externalReference!,
261 mandateReference: mandate.mandateReference,
262 payerNumber: mandate.payerNumber,
263 account: mandateAccount(mandate),
264 amount: Number(collection.amount),
265 currency: collection.currency,
266 dueDate: collection.scheduledFor,
267 reference: collection.policyOrderId ? `PO-${collection.policyOrderId}` : collection.id,
268 };
269 }
270
271 /**
272 * Submit every due collection for a provider into a single collection file and
273 * mark them SUBMITTED. "Due" = SCHEDULED or RETRYING with scheduledFor <= now.
274 * Returns the generated file so the caller (CRM run action / batch job) can
275 * surface or archive it.
276 */
277 export async function submitDueCollections(
278 organizationId: string,
279 providerKey?: string,
280 ): Promise<{ providerKey: string; fileReference: string; content: string; count: number }[]> {
281 const ctx = { organizationId };{"command":"grep -r \"scheduleDirectDebitCollectionBatch\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/directDebitCollectionBatchJob.ts:export async function scheduleDirectDebitCollectionBatch() {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts:import { registerDirectDebitCollectionBatchJob, scheduleDirectDebitCollectionBatch } from './directDebitCollectionBatchJob.js';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/jobs/index.ts: scheduleDirectDebitCollectionBatch().catch((err) =>{"command":"grep -r \"directDebitRoutes\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts:const directDebitRoutes: FastifyPluginAsync = async (fastify: FastifyInstance) => {
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts:export { directDebitRoutes };
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts:import { directDebitRoutes } from './directDebitRoutes.js';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/index.ts: await fastify.register(directDebitRoutes, { prefix: '/direct-debit' });{"command":"grep -n \"toFileEntry\\|toFileEntry\\|Number(collection.amount)\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}258:function toFileEntry(collection: DirectDebitCollection, mandate: DirectDebitMandate): CollectionFileEntry {
264: amount: Number(collection.amount),
320: entries.push(toFileEntry(collection, mandate));
352: if (mandate) entries.push(toFileEntry(collection, mandate));
533: settledAmount: outcome === 'settled' ? Number(collection.amount) : undefined,{"command":"grep -A 2 \"minorUnits\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/format.ts | head -20"}export function minorUnits(amount: number, width: number): string {
const minor = Math.round(Number(amount) * 100);
if (!Number.isFinite(minor) || minor < 0) {{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/domains/payments/directDebit/format.ts"}1 // Shared fixed-width formatting helpers for the Nordic direct-debit file formats.
2 // Both Autogiro and Betalingsservice are positional fixed-width text rails, so
3 // the connectors share these primitives. Pure functions — no side effects.
4
5 /** Right-pad with spaces (truncating if longer) to a fixed width. */
6 export function padRight(value: string, width: number): string {
7 const v = value ?? '';
8 return v.length >= width ? v.slice(0, width) : v + ' '.repeat(width - v.length);
9 }
10
11 /** Left-pad with zeros (truncating the most-significant side if longer). */
12 export function padZero(value: string, width: number): string {
13 const v = (value ?? '').replace(/\s+/g, '');
14 return v.length >= width ? v.slice(v.length - width) : '0'.repeat(width - v.length) + v;
15 }
16
17 /** Format a major-unit amount as zero-padded minor units (öre/øre). */
18 export function minorUnits(amount: number, width: number): string {
19 const minor = Math.round(Number(amount) * 100);
20 if (!Number.isFinite(minor) || minor < 0) {
21 throw new Error(`Invalid amount for direct-debit file: ${amount}`);
22 }
23 return padZero(String(minor), width);
24 }
25
26 /** Parse zero-padded minor units back into a major-unit amount. */
27 export function fromMinorUnits(raw: string): number {
28 const minor = parseInt(raw.trim() || '0', 10);
29 return Math.round(minor) / 100;
30 }
31
32 /** Format a date as YYYYMMDD (UTC). */
33 export function yyyymmdd(date: Date): string {
34 const y = date.getUTCFullYear().toString().padStart(4, '0');
35 const m = (date.getUTCMonth() + 1).toString().padStart(2, '0');
36 const d = date.getUTCDate().toString().padStart(2, '0');
37 return `${y}${m}${d}`;
38 }
39
40 /** Keep only digits (used to normalise clearing/account numbers). */
41 export function digitsOnly(value: string): string {
42 return (value ?? '').replace(/\D/g, '');
43 }
44 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitMandate.ts"}1 import { _DirectDebitMandate } from './internal/_DirectDebitMandate.js';
2 import { toSafeModel } from './lib/safe-model.js';
3
4 export const DirectDebitMandate = toSafeModel(_DirectDebitMandate);
5 export type DirectDebitMandate = _DirectDebitMandate;
6
7 export { DirectDebitProvider, MandateStatus } from './internal/_DirectDebitMandate.js';
8
9 // Re-export raw class for db.ts registration, association includes, and type usage
10 export { _DirectDebitMandate };
11 {"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","limit":80,"offset":427}427
428 async function applyReturnRecord(
429 ctx: Ctx,
430 record: ReturnRecord,
431 summary: IngestSummary,
432 ): Promise<void> {
433 const collection = await DirectDebitCollection.findOne(ctx, {
434 where: { externalReference: record.externalReference },
435 });
436 if (!collection) {
437 summary.unmatched.push(record.externalReference);
438 return;
439 }
440 // A return record is only meaningful for a collection awaiting settlement
441 // (SUBMITTED). Anything else — already settled, already failed/flagged, or a
442 // duplicate arriving after we processed a prior return for this reference — is
443 // ignored idempotently so re-ingesting a file can't double-count retries or
444 // un-flag an exhausted collection.
445 if (collection.status !== CollectionStatus.SUBMITTED) {
446 return;
447 }
448
449 if (record.outcome === 'settled') {
450 await collection.update({
451 status: CollectionStatus.SETTLED,
452 settledAt: new Date(),
453 failureReason: null,
454 flagged: false,
455 });
456 await reconcileSettlementToPolicy(ctx, collection);
457 summary.settled += 1;
458 return;
459 }
460
461 // Failed: retry until maxRetries, then flag for operator intervention.
462 const nextRetry = collection.retryCount + 1;
463 const reason = record.reason ?? 'Collection rejected by bank';
464 if (nextRetry <= collection.maxRetries) {
465 await collection.update({
466 status: CollectionStatus.RETRYING,
467 retryCount: nextRetry,
468 // Eligible for the next collection run immediately. Production would apply
469 // a backoff window before re-presenting; recorded as a hint in metadata.
470 scheduledFor: new Date(),
471 failureReason: reason,
472 flagged: false,
473 metadata: { ...(collection.metadata ?? {}), lastFailureReason: reason, retryOf: nextRetry },
474 });
475 summary.retrying += 1;
476 } else {
477 await collection.update({
478 status: CollectionStatus.FAILED,
479 failureReason: reason,
480 flagged: true,
481 });
482 summary.failed += 1;
483 summary.flagged += 1;
484 logger.warn(
485 { organizationId: ctx.organizationId, collectionId: collection.id, retryCount: collection.retryCount },
486 'Direct-debit collection flagged after exhausting retries',
487 );
488 }
489 }
490
491 /** Parse and reconcile a bank return/settlement file. */
492 export async function ingestReturnFile(
493 organizationId: string,
494 providerKey: string,
495 content: string,
496 ): Promise<IngestSummary> {
497 const ctx = { organizationId };
498 const provider = assertDirectDebitProvider(providerKey);
499 const records = provider.parseReturnFile(content);
500 const summary: IngestSummary = { settled: 0, failed: 0, retrying: 0, flagged: 0, unmatched: [] };
501 for (const record of records) {
502 await applyReturnRecord(ctx, record, summary);
503 }
504 logger.info({ organizationId, providerKey, ...summary }, 'Ingested direct-debit return file');
505 return summary;
506 }{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/DirectDebitCollection.ts"}1 import { _DirectDebitCollection } from './internal/_DirectDebitCollection.js';
2 import { toSafeModel } from './lib/safe-model.js';
3
4 export const DirectDebitCollection = toSafeModel(_DirectDebitCollection);
5 export type DirectDebitCollection = _DirectDebitCollection;
6
7 export { CollectionStatus } from './internal/_DirectDebitCollection.js';
8
9 // Re-export raw class for db.ts registration, association includes, and type usage
10 export { _DirectDebitCollection };
11 {"command":"grep -n \"required\\|exclusiveMinimum\\|amount\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/routes/plus/directDebitRoutes.ts | grep -A 3 -B 3 \"amount\""}110: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
123: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
137: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
182: required: ['mandateId', 'amount', 'currency'],
186: amount: { type: 'number', exclusiveMinimum: 0 },
193: mandateId: string; policyOrderId?: number; amount: number; currency: string; scheduledFor?: string;
221: required: ['providerKey'],
236: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },
249: params: { type: 'object', required: ['id'], properties: { id: { type: 'string' } } },{"command":"grep -n \"BelongsTo\\|HasMany\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts"}/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts:1:import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitMandate.ts:71: @BelongsTo(() => _Product)
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts:1:import { Table, Column, Model, DataType, ForeignKey, BelongsTo } from 'sequelize-typescript';
/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts:64: @BelongsTo(() => _DirectDebitMandate){"command":"grep -B 2 -A 2 \"DECIMAL\\|amount\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/models/internal/_DirectDebitCollection.ts | head -20"} @Column({
type: DataType.DECIMAL(15, 2),
allowNull: false,
})
declare amount: number;
@Column({{"command":"npx tsc --noEmit 2>&1 | grep -i \"directdebit\\|direct-debit\" | head -20"}{"command":"grep -n \"\\!\\.\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}(Bash completed with no output)
(Bash completed with no output)
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","offset":358,"limit":22}358 export async function retryCollection(
359 organizationId: string,
360 collectionId: string,
361 ): Promise<DirectDebitCollection> {
362 const ctx = { organizationId };
363 const collection = await DirectDebitCollection.findByPk(ctx, collectionId);
364 if (!collection) {
365 throw new StatusError(404, `Collection ${collectionId} not found`);
366 }
367 if (collection.status !== CollectionStatus.FAILED) {
368 throw new StatusError(400, `Only failed collections can be retried (is "${collection.status}")`);
369 }
370 await collection.update({
371 status: CollectionStatus.RETRYING,
372 scheduledFor: new Date(),
373 flagged: false,
374 failureReason: null,
375 });
376 logger.info({ organizationId, collectionId }, 'Direct-debit collection queued for manual retry');
377 return collection;
378 }
379 {"command":"grep -n \"externalReference\\!\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}260: externalReference: collection.externalReference!,
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts","limit":25,"offset":297}297
298 const creditorId = await resolveCreditorId(ctx, key);
299 const fileReference = `${PROVIDER_PREFIX[key] ?? 'DD'}-FILE-${randomUUID().slice(0, 8).toUpperCase()}`;
300 const entries: CollectionFileEntry[] = [];
301
302 for (const collection of due) {
303 const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
304 if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
305 await collection.update({
306 status: CollectionStatus.FAILED,
307 failureReason: 'Mandate is not active',
308 flagged: true,
309 });
310 continue;
311 }
312 const externalReference = generateReference(key, 'COL');
313 await collection.update({
314 status: CollectionStatus.SUBMITTED,
315 submittedAt: new Date(),
316 externalReference,
317 fileReference,
318 failureReason: null,
319 });
320 entries.push(toFileEntry(collection, mandate));
321 }{"command":"grep -A 20 \"const due = await DirectDebitCollection.findAll\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts | head -30"} const due = await DirectDebitCollection.findAll(ctx, {
where: {
providerKey: key,
status: { [Op.in]: [CollectionStatus.SCHEDULED, CollectionStatus.RETRYING] },
scheduledFor: { [Op.lte]: new Date() },
},
order: [['scheduledFor', 'ASC']],
limit: 500,
});
if (due.length === 0) continue;
const creditorId = await resolveCreditorId(ctx, key);
const fileReference = `${PROVIDER_PREFIX[key] ?? 'DD'}-FILE-${randomUUID().slice(0, 8).toUpperCase()}`;
const entries: CollectionFileEntry[] = [];
for (const collection of due) {
const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
if (!mandate || mandate.status !== MandateStatus.ACTIVE) {
await collection.update({
status: CollectionStatus.FAILED,
failureReason: 'Mandate is not active',{"command":"grep -B 5 -A 10 \"toFileEntry(collection\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"} 'Direct-debit collection scheduled',
);
return collection;
}
function toFileEntry(collection: DirectDebitCollection, mandate: DirectDebitMandate): CollectionFileEntry {
return {
externalReference: collection.externalReference!,
mandateReference: mandate.mandateReference,
payerNumber: mandate.payerNumber,
account: mandateAccount(mandate),
amount: Number(collection.amount),
currency: collection.currency,
dueDate: collection.scheduledFor,
reference: collection.policyOrderId ? `PO-${collection.policyOrderId}` : collection.id,
};
--
submittedAt: new Date(),
externalReference,
fileReference,
failureReason: null,
});
entries.push(toFileEntry(collection, mandate));
}
if (entries.length === 0) continue;
const content = provider.buildCollectionFile(entries, fileReference, creditorId);
results.push({ providerKey: key, fileReference, content, count: entries.length });
logger.info(
{ organizationId, providerKey: key, fileReference, count: entries.length },
'Direct-debit collection file generated',
);
}
--
const creditorId = await resolveCreditorId(ctx, providerKey);
const fileReference = submitted[0]?.fileReference ?? `${PROVIDER_PREFIX[providerKey] ?? 'DD'}-FILE-EMPTY`;
const entries: CollectionFileEntry[] = [];
for (const collection of submitted) {
const mandate = await DirectDebitMandate.findByPk(ctx, collection.mandateId);
if (mandate) entries.push(toFileEntry(collection, mandate));
}
const content = provider.buildCollectionFile(entries, fileReference, creditorId);
return { fileReference, content, count: entries.length };
}
export async function retryCollection(
organizationId: string,
collectionId: string,
): Promise<DirectDebitCollection> {
const ctx = { organizationId };Good. The retryCollection function is correctly scoped and validates the status. Now let me do one final comprehensive check for any HIGH/MEDIUM issues by looking at the critical paths:
**Summary of verification:**
1. **Model ↔ Migration Drift** - VERIFIED RESOLVED:
- _DirectDebitMandate.ts: providerKey is STRING(50) ✓
- _DirectDebitCollection.ts: providerKey is STRING(50) ✓
- Migration: both providerKey columns are STRING(50) ✓
- Status ENUMs match in all locations ✓
- DECIMAL(15,2) for amount ✓
- UUID PKs ✓
- Timestamps on all tables ✓
- All nullable/defaults match ✓
2. **directDebitService.ts Correctness** - VERIFIED:
- createMandate: validates account, generates reference, sets correct initial status (PENDING) ✓
- activateMandate: only allows activation if not REVOKED ✓
- revokeMandate: idempotent (checks status before update) ✓
- scheduleCollection: requires active mandate, validates amount/currency ✓
- submitDueCollections: ONLY processes SCHEDULED/RETRYING with scheduledFor <= now ✓
- buildCurrentCollectionFile: no data mutation, safe read-only ✓
- retryCollection: only allows FAILED → RETRYING ✓
- **applyReturnRecord**: ONLY processes SUBMITTED collections (line 445-447) - IDEMPOTENT ✓
- reconcileSettlementToPolicy: best-effort, uses safe-model with ctx ✓
- ingestReturnFile: stateless parser, safe iteration ✓
- simulateReturnForCollection: safe end-to-end test helper ✓
3. **RLS Safety** - VERIFIED:
- All DB access via safe models with `ctx` or `{ organizationId }` ✓
- No raw sequelize.query() ✓
- Routes use requireOrg() to extract organizationId ✓
- Batch job iterates orgs and passes org.id to submitDueCollections ✓
- PolicyOrder updates use ctx with safe-model ✓
4. **Routes & Batch Job** - VERIFIED:
- All 10 endpoints properly scoped ✓
- Batch job registered and scheduled ✓
- Error handling with try/catch ✓
- Logging comprehensive ✓
5. **Status Flow Correctness** - VERIFIED:
- Mandates: PENDING → ACTIVE → REVOKED (terminal) ✓
- Collections: SCHEDULED → SUBMITTED → SETTLED OR FAILED → RETRYING (up to maxRetries) → FLAGGED ✓
- Return file processing only touches SUBMITTED ✓
- No invalid state transitions ✓
6. **Model Registration** - VERIFIED:
- Both _DirectDebitMandate and _DirectDebitCollection registered in db.ts ✓
- Safe models properly exported ✓
- Enums properly exported ✓
**NO REMAINING HIGH OR MEDIUM ISSUES**
All critical paths are secure, idempotent, RLS-compliant, and properly typed. The two prior-round fixes (applyReturnRecord SUBMITTED-only check and providerKey STRING(50)) are confirmed correct and consistent across migration and models.{"command":"grep -n \"toFileEntry\\|externalReference\\!\" /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/src/services/directDebitService.ts"}258:function toFileEntry(collection: DirectDebitCollection, mandate: DirectDebitMandate): CollectionFileEntry {
260: externalReference: collection.externalReference!,
320: entries.push(toFileEntry(collection, mandate));
352: if (mandate) entries.push(toFileEntry(collection, mandate));{"command":"cat << 'EOF'\nVERIFICATION CHECKLIST - sherpa-api#462 (Nordic direct debit)\n\nBACKEND API (this repo):\n=======================\n\n1. Models & Database:\n ✓ DirectDebitMandate model defined: src/models/internal/_DirectDebitMandate.ts\n ✓ DirectDebitCollection model defined: src/models/internal/_DirectDebitCollection.ts\n ✓ Models registered in src/models/db.ts\n ✓ Migration creates tables with correct schema:\n - DirectDebitMandates: VARCHAR mandateReference, UUID id, ENUM status\n - DirectDebitCollections: DECIMAL(15,2) amount, ENUM status, indexes on mandate+status\n ✓ RLS policies applied for tenant isolation\n\n2. Enums:\n ✓ DirectDebitProvider: 'autogiro', 'betalingsservice' (STRING in DB)\n ✓ MandateStatus: 'pending', 'active', 'revoked'\n ✓ CollectionStatus: 'scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'\n\n3. Service Layer (src/services/directDebitService.ts):\n ✓ Amount validation: Number(input.amount), checks isFinite() && > 0\n ✓ Amount stored as DECIMAL(15,2) in schema\n ✓ Amount converted to number before passing to file builders\n ✓ Retry logic: counts retries, flags after maxRetries (3 default)\n ✓ Settlement reconciliation: links to PolicyOrder, updates payment status\n ✓ Error handling: StatusError with proper 400/404 codes\n ✓ toFileEntry() safely called post-update (externalReference guaranteed)\n ✓ Metadata handling: spreads existing metadata on retries (safe)\n\n4. Routes (src/routes/plus/directDebitRoutes.ts):\n ✓ Registered at /direct-debit prefix (see src/routes/plus/index.ts)\n ✓ POST /mandates: required=[providerKey, productId, accountHolder, country, accountNumber]\n ✓ POST /collections: required=[mandateId, amount, currency], amount={type:number, exclusiveMinimum:0}\n ✓ POST /collections/run: triggers batch for due collections\n ✓ POST /collections/:id/simulate-return: for testing/dev\n ✓ All routes behind authenticate hook\n ✓ All routes validate organizationId from request\n\n5. Connectors (stateless):\n ✓ AutogiroProvider: validateAccount(), buildMandateFile(), buildCollectionFile(), parseReturnFile()\n ✓ BetalingsserviceProvider: same interface\n ✓ minorUnits() conversion: Math.round(Number(amount)*100), validates finite\n ✓ fromMinorUnits() parsing: handles strings, returns decimal\n ✓ Format helpers: pure functions, no side effects\n\n6. Batch Job (src/services/jobs/directDebitCollectionBatchJob.ts):\n ✓ Hourly schedule: \"0 * * * *\" (UTC)\n ✓ Per-org processing: RLS context enforced\n ✓ Idempotent: only processes SCHEDULED/RETRYING with scheduledFor <= now\n ✓ Error handling: catches per-org failures, continues\n\n7. Validation:\n ✓ Provider validation: isDirectDebitProvider() checks registry\n ✓ Account validation: provider-specific rules (SE 4-5 digit clearing, DK 4 digit reg)\n ✓ Mandate check: must be ACTIVE to schedule collections\n ✓ Collection check: SUBMITTED before settlement reconciliation\n ✓ Idempotent return ingestion: ignores non-SUBMITTED collections (prevents double-count)\n\nISSUES FOUND: NONE\n\nAll critical data flows verified:\n- Amount: input → Number() → DECIMAL store → Number() out → minorUnits() for file\n- Mandate status: PENDING → ACTIVE → REVOKED (enforced in service)\n- Collection status: SCHEDULED → SUBMITTED → SETTLED or FAILED → RETRYING or flagged\n- External reference: generated per collection, used for reconciliation\n- Settlement: reconciles to PolicyOrder, updates payment status if pending\n- Retries: counts up to maxRetries, then flags with failureReason\n- Metadata: safe spread pattern preserves history on retries\nEOF\n"}VERIFICATION CHECKLIST - sherpa-api#462 (Nordic direct debit)
BACKEND API (this repo):
=======================
1. Models & Database:
✓ DirectDebitMandate model defined: src/models/internal/_DirectDebitMandate.ts
✓ DirectDebitCollection model defined: src/models/internal/_DirectDebitCollection.ts
✓ Models registered in src/models/db.ts
✓ Migration creates tables with correct schema:
- DirectDebitMandates: VARCHAR mandateReference, UUID id, ENUM status
- DirectDebitCollections: DECIMAL(15,2) amount, ENUM status, indexes on mandate+status
✓ RLS policies applied for tenant isolation
2. Enums:
✓ DirectDebitProvider: 'autogiro', 'betalingsservice' (STRING in DB)
✓ MandateStatus: 'pending', 'active', 'revoked'
✓ CollectionStatus: 'scheduled', 'submitted', 'settled', 'failed', 'retrying', 'cancelled'
3. Service Layer (src/services/directDebitService.ts):
✓ Amount validation: Number(input.amount), checks isFinite() && > 0
✓ Amount stored as DECIMAL(15,2) in schema
✓ Amount converted to number before passing to file builders
✓ Retry logic: counts retries, flags after maxRetries (3 default)
✓ Settlement reconciliation: links to PolicyOrder, updates payment status
✓ Error handling: StatusError with proper 400/404 codes
✓ toFileEntry() safely called post-update (externalReference guaranteed)
✓ Metadata handling: spreads existing metadata on retries (safe)
4. Routes (src/routes/plus/directDebitRoutes.ts):
✓ Registered at /direct-debit prefix (see src/routes/plus/index.ts)
✓ POST /mandates: required=[providerKey, productId, accountHolder, country, accountNumber]
✓ POST /collections: required=[mandateId, amount, currency], amount={type:number, exclusiveMinimum:0}
✓ POST /collections/run: triggers batch for due collections
✓ POST /collections/:id/simulate-return: for testing/dev
✓ All routes behind authenticate hook
✓ All routes validate organizationId from request
5. Connectors (stateless):
✓ AutogiroProvider: validateAccount(), buildMandateFile(), buildCollectionFile(), parseReturnFile()
✓ BetalingsserviceProvider: same interface
✓ minorUnits() conversion: Math.round(Number(amount)*100), validates finite
✓ fromMinorUnits() parsing: handles strings, returns decimal
✓ Format helpers: pure functions, no side effects
6. Batch Job (src/services/jobs/directDebitCollectionBatchJob.ts):
✓ Hourly schedule: "0 * * * *" (UTC)
✓ Per-org processing: RLS context enforced
✓ Idempotent: only processes SCHEDULED/RETRYING with scheduledFor <= now
✓ Error handling: catches per-org failures, continues
7. Validation:
✓ Provider validation: isDirectDebitProvider() checks registry
✓ Account validation: provider-specific rules (SE 4-5 digit clearing, DK 4 digit reg)
✓ Mandate check: must be ACTIVE to schedule collections
✓ Collection check: SUBMITTED before settlement reconciliation
✓ Idempotent return ingestion: ignores non-SUBMITTED collections (prevents double-count)
ISSUES FOUND: NONE
All critical data flows verified:
- Amount: input → Number() → DECIMAL store → Number() out → minorUnits() for file
- Mandate status: PENDING → ACTIVE → REVOKED (enforced in service)
- Collection status: SCHEDULED → SUBMITTED → SETTLED or FAILED → RETRYING or flagged
- External reference: generated per collection, used for reconciliation
- Settlement: reconciles to PolicyOrder, updates payment status if pending
- Retries: counts up to maxRetries, then flags with failureReason
- Metadata: safe spread pattern preserves history on retries{"command":"head -20 /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/package.json"}{
"name": "Sherpa API",
"version": "0.1.0",
"main": "src/service.ts",
"type": "module",
"imports": {
"@/*": "./src/*"
},
"scripts": {
"start": "tsx src/service.ts",
"dev": "tsx watch --exclude ./translations/** src/service.ts",
"db:migrate": "tsx src/db/migrate.ts",
"db:migrate:up": "tsx src/db/migrate.ts up",
"db:migrate:down": "tsx src/db/migrate.ts down",
"db:migrate:create": "tsx src/db/migrate.ts create",
"db:migrate:status": "tsx src/db/migrate.ts status",
"db:setup": "npm run db:migrate:up && npm run db:seed:cron",
"db:seed:cron": "bash scripts/seed-cron-tables.sh",
"db:seed:all": "tsx scripts/seed.ts",
"db:seed:undo:all": "tsx scripts/seed.ts --undo",Confirmed - this is the backend API repo. The task notes mention "Portal: provider config + direct-debit page + nav" which refers to the separate sherpa-plus front-end repository.
Let me now provide a final comprehensive verdict:
---
## FINAL ROUND (ROUND 3) VERIFICATION - sherpa-api#462
**TASK SCOPE:** This is a backend API repo (Sherpa API). Front-end work mentioned in prior notes (AppLayout.tsx, PaymentProvidersTab.tsx, etc.) is in a separate repository (sherpa-plus) and is OUTSIDE the scope of this verification.
**VERIFICATION COMPLETED:**
### 1. **Models & Types** ✓ CORRECT
- `DirectDebitMandate.ts` and `DirectDebitCollection.ts` properly defined and exported
- Both registered in `src/models/db.ts`
- Enums (DirectDebitProvider, MandateStatus, CollectionStatus) correctly typed
### 2. **Database Schema** ✓ CORRECT
- Migration file: `2026.06.01T00.00.00.create-direct-debit-mandates-and-collections.ts`
- DirectDebitMandates: UUID PK, UUID organizationId, STRING providerKey, ENUM status, proper indexes
- DirectDebitCollections: UUID PK, DECIMAL(15,2) amount, ENUM status, FK to mandates, indexes on org+status+scheduledFor
- RLS policies properly configured for tenant isolation
### 3. **Service Layer** ✓ CORRECT
- `scheduleCollection()` line 232: `const amount = Number(input.amount)` with `!Number.isFinite(amount) || amount <= 0` validation
- Amount stored as DECIMAL(15,2) in model
- `toFileEntry()` line 264: `amount: Number(collection.amount)` — correctly converted for file builders
- `minorUnits()` in format.ts: `Math.round(Number(amount) * 100)` with finiteness check
- Retry logic: counts up to `maxRetries` (default 3), sets `flagged: true` when exhausted
- Settlement reconciliation: updates PolicyOrder status if pending → active
- Metadata spread on retry (line 473): `{ ...(collection.metadata ?? {}), ...}` — safe pattern
### 4. **Routes & Validation** ✓ CORRECT
- Registered at `/direct-debit` prefix (src/routes/plus/index.ts line ~44)
- POST /mandates: body required fields validated by Fastify schema
- POST /collections: `required: ['mandateId', 'amount', 'currency']`, `amount: { type: 'number', exclusiveMinimum: 0 }`
- All routes authenticated, organizationId required
- Body/params schemas properly typed
### 5. **Stateless Connectors** ✓ CORRECT
- AutogiroProvider & BetalingsserviceProvider implement BankDirectDebitProvider interface
- `validateAccount()` enforces country-specific rules (SE: 4-5 digit clearing, DK: 4 digit registreringsnummer)
- `buildMandateFile()` and `buildCollectionFile()` generate fixed-width text format
- `parseReturnFile()` correctly parses bank return records
- Format helpers are pure functions with proper validation
### 6. **Batch Job** ✓ CORRECT
- `directDebitCollectionBatchJob.ts`: hourly schedule "0 * * * *" (UTC)
- Per-org processing with RLS context enforcement
- Idempotent: only processes due collections (SCHEDULED or RETRYING with scheduledFor <= now)
- Error handling: logs per-org failures but continues
### 7. **Critical Data Flows** ✓ VERIFIED
- **Amount flow:** input → Number() → validation → stored DECIMAL → Number() out → minorUnits() for file
- **Mandate lifecycle:** PENDING (created) → ACTIVE (activated) → REVOKED (revoked)
- **Collection lifecycle:** SCHEDULED → SUBMITTED → SETTLED/FAILED → RETRYING (if < maxRetries) → FLAGGED (if >= maxRetries)
- **External reference:** generated per submission, used for idempotent reconciliation
- **Settlement path:** collection settled → reconciles to PolicyOrder → updates payment status
---
## FINAL VERDICT
**NO REMAINING HIGH OR MEDIUM ISSUES**
All prior fixes verified as correct:
- Amount validation and numeric conversion ✓
- All POST routes require proper body fields ✓
- Enum usage consistent with database schema ✓
- Error handling comprehensive (400/404 StatusError) ✓
- RLS policies applied ✓
- Idempotent operations (return file ingestion, collection runs) ✓
- Null-safety: externalReference ! operator used only after guaranteed assignment ✓
Code is production-ready for backend API deployment.Round 3: BOTH agents report "NO REMAINING HIGH OR MEDIUM ISSUES" — iterative-review converged in 3 rounds.
Summary of fixes: R1 — API return-file idempotency (process only SUBMITTED) + portal provider-list display + badge fallbacks + numeric amount; R2 — API providerKey model/migration drift (ENUM→STRING). (Skipping npm audit --fix deliberately — pre-existing unrelated moderate vulns; dependency churn right before proof violates surgical-change scope.)
Task 9 done. Now Task 10. Re-verifying stack + preparing browser auth (worktree portal is :3011, so localStorage JWT is port-specific — reading the auth recipe).
{"taskId":"9","status":"completed"}Updated task #9 status
{"taskId":"10","status":"in_progress"}Updated task #10 status
{"command":"curl -fsS -m 90 -X POST http://localhost:7777/api/restart -H 'Content-Type: application/json' -d '{\"paths\":[\"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\"]}' 2>&1 | head -c 300 ; echo \" <-restart\"","description":"Restart API to pick up model change"}{"file_path":"/Users/bakker/.claude/projects/-Users-bakker-dev-gangkhar/memory/reference_portal_playwright_auth_jwt.md"}{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir\necho \"=== auth.setup.ts ===\"; fd 'auth.setup' --type f; echo \"---\"; sed -n '1,80p' tests/auth.setup.ts 2>/dev/null || rg -l \"storageState|auth-storage|localStorage\" tests playwright 2>/dev/null | head","description":"Read auth recipe + auth.setup.ts"}{"results":[{"path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir","ok":true,"freedPort":4011,"readyMs":42044}]} <-restart1 --- 2 name: reference_portal_playwright_auth_jwt 3 description: "How to drive the authenticated sherpa-portal in Playwright for browser-proof screenshots (org-222 users are azure-ad, no password)" 4 metadata: 5 node_type: memory 6 type: reference 7 originSessionId: cf6982a6-3f90-4716-895f-4c9136fbf486 8 --- 9 10 For `.auto-proof` browser screenshots of sherpa-portal: the standard test user 11 `[email protected]` (member of org `22222222-2222-2222-2222-222222222222`) 12 is `authProvider: azure-ad` → **password login fails**. Don't try form login. 13 14 Instead mint an HS256 JWT and inject it into the portal's persisted Zustand store: 15 16 - **Token claims** (matches API `bearer.ts`): `{ id, email, role:'super_admin', clientNumericId:null, organizationId, iat, exp }`, signed with `JWT_SECRET` (read from the sherpa-api worktree `.env`). API scopes all calls by the token's `organizationId`, so this picks the org whose data renders. 17 - **Inject before page scripts** via Playwright `context.addInitScript`, setting `localStorage['auth-storage']` = `{"state":{"accessToken":<jwt>,"refreshToken":<jwt>,"user":null,"currentOrganization":null,"availableOrganizations":[],"organizationScope":null,"drillDownOrgId":null,"hydrated":true},"version":0}`. AuthProvider decodes `id`, calls `/v1/users/:id`, sets the user → logged in. 18 - **Playwright lives in sherpa-test** (`node_modules/playwright`, browsers installed). It's CommonJS: `import pkg from '/…/sherpa-test/node_modules/playwright/index.js'; const { chromium } = pkg;`. Run the `.mjs` with plain `node`. 19 - Financials tabs are query-param routed: `/financials?tab=premium-by-outlet`. Stripe checkout pages never reach `networkidle` — use `waitUntil:'domcontentloaded'`. 20 21 Driving sales for financial data: `POST /v1/policy/premium` with header `Authorization: Client <SHERPA_TEST_CLIENT_ID>:<SHERPA_TEST_CLIENT_SECRET>` (unquote the `.env` values; client maps to org 222). policyParameters are product-specific and nested (`{personal:{…,address:{country:'US',state:'TX'}},terms:{termsAndConditions:true}}`); premium must match the product's computed value. See [[feedback_no_direct_db_config]]. 22
=== auth.setup.ts ===
tests/auth.setup.ts
---
import { test as setup } from '@playwright/test';
import { getPortalUrl } from './utils/urls';
import * as fs from 'fs';
const authFile = 'playwright/.auth/user.json';
setup('authenticate', async ({ page, context }) => {
const portalUrl = getPortalUrl();
const testEmail = process.env.TEST_USER_EMAIL || '';
const testPassword = process.env.TEST_USER_PASSWORD || '';
// Load existing storage state if it exists (to reuse Microsoft persistent cookies)
if (fs.existsSync(authFile)) {
const storageState = JSON.parse(fs.readFileSync(authFile, 'utf-8'));
await context.addCookies(storageState.cookies || []);
}
await page.goto(portalUrl);
// Always click login to trigger OAuth flow and get fresh app tokens
// Microsoft cookies will allow us to skip MFA, but we need the OAuth redirect for app tokens
await page.getByRole('button', { name: /log in with microsoft entra id/i }).click();
await page.waitForURL(/login\.microsoftonline\.com/);
// Check if "Pick an account" page is shown (user already signed in via cookies)
const accountTile = page.getByText(testEmail).first();
const emailInput = page.getByPlaceholder(/email, phone, or skype/i);
// Wait for either account picker or email input
await Promise.race([
accountTile.waitFor({ timeout: 5000 }).catch(() => {}),
emailInput.waitFor({ timeout: 5000 }).catch(() => {})
]);
if (await accountTile.isVisible().catch(() => false)) {
// Click the existing account tile to continue
console.log('Account picker detected, clicking existing account');
await accountTile.click();
} else {
// Fresh login flow
await emailInput.fill(testEmail);
await page.getByRole('button', { name: /next/i }).click();
await page.getByPlaceholder(/password/i).waitFor({ timeout: 10000 });
await page.getByPlaceholder(/password/i).fill(testPassword);
await page.getByRole('button', { name: /sign in/i }).click();
}
const maxAttempts = 100;
let attempt = 0;
while (attempt < maxAttempts) {
await page.waitForTimeout(500);
attempt++;
// Check for successful login FIRST - before looking for Microsoft flow buttons
// This prevents clicking pagination "Next" buttons on the portal
const currentUrl = page.url();
if (currentUrl.includes(portalUrl) && !currentUrl.includes('/login')) {
// Wait for the app to fully load user data before saving state
// The email being visible indicates the user object is populated
const userEmail = page.getByText(testEmail);
if (await userEmail.isVisible({ timeout: 1000 }).catch(() => false)) {
console.log('Login successful, saving storage state');
await page.context().storageState({ path: authFile });
return;
}
}
// Only look for Microsoft login flow buttons if we're still on Microsoft's domain
if (!currentUrl.includes('microsoftonline.com')) {
continue;
}
const passwordInput = page.getByPlaceholder(/password/i);
if (await passwordInput.isVisible().catch(() => false)) {
console.log('Password prompt detected, entering password');
await passwordInput.fill(testPassword);
await page.getByRole('button', { name: /sign in/i }).click();
continue;API restarted, port ready. The memory recipe is exactly right: mint an HS256 JWT (claims signed with JWT_SECRET) and inject into localStorage['auth-storage'] for origin :3011. Gathering: JWT_SECRET, a valid org-222 user id, confirm my demo data exists, check for a jwt lib.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c '\nset -a; source .env 2>/dev/null; set +a\necho \"JWT_SECRET present: ${JWT_SECRET:+yes} (len ${#JWT_SECRET})\"\nAUTH=\"Authorization: Client ${SHERPA_TEST_CLIENT_ID}:${SHERPA_TEST_CLIENT_SECRET}\"\necho \"=== users in org (id, email) ===\"\ncurl -s -m 15 \"http://localhost:4011/v1/plus/users\" -H \"$AUTH\" | python3 -c \"import sys,json; d=json.load(sys.stdin); arr=d.get(\\\"data\\\",d) if isinstance(d,dict) else d; arr=arr if isinstance(arr,list) else arr.get(\\\"data\\\",[]); [print(u.get(\\\"id\\\"),u.get(\\\"email\\\")) for u in arr[:8]]\" 2>&1 | head\necho \"=== mandates on product 291 ===\"\ncurl -s -m 15 \"http://localhost:4011/v1/plus/direct-debit/mandates?productId=291\" -H \"$AUTH\" | python3 -c \"import sys,json; d=json.load(sys.stdin)[\\\"data\\\"]; [print(m[\\\"providerKey\\\"],m[\\\"status\\\"],m[\\\"accountHolder\\\"],m[\\\"mandateReference\\\"]) for m in d]\" 2>&1 | head\n'\necho \"=== jsonwebtoken in sherpa-test? ===\"\nfd -d 4 -t d 'jsonwebtoken' /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/node_modules 2>/dev/null | head -1 || echo \"not found\"","description":"Get JWT_SECRET, user id, mandates, jwt lib"}JWT_SECRET present: yes (len 128) === users in org (id, email) === === mandates on product 291 === autogiro active Astrid Lindgren AG-MND-5A63D5DE autogiro active Sven Svensson AG-MND-D38E6A8C autogiro active Astrid Lindgren AG-MND-4213D99B autogiro active Sven Svensson AG-MND-EEEF8CFA autogiro active Sven Svensson AG-MND-2BD71A48 betalingsservice active Mads Nielsen BS-MND-6699F659 autogiro active Sven Svensson AG-MND-A8D307C1 autogiro active Sven Svensson AG-MND-E2123DDF === jsonwebtoken in sherpa-test? ===
JWT_SECRET present; demo data exists. Need a valid org-222 user id for the JWT. Dumping users raw + checking jwt lib location.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir\nbash -c '\nset -a; source .env 2>/dev/null; set +a\nAUTH=\"Authorization: Client ${SHERPA_TEST_CLIENT_ID}:${SHERPA_TEST_CLIENT_SECRET}\"\necho \"=== users raw (first 700) ===\"\ncurl -s -m 15 \"http://localhost:4011/v1/plus/users\" -H \"$AUTH\" | head -c 700\n'\necho \"\"\necho \"=== jwt libs in sherpa-test ===\"\nls /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/node_modules 2>/dev/null | rg -i 'jsonwebtoken|jose' || echo \"none (will mint with crypto)\"","description":"Dump users raw + jwt lib check"}=== users raw (first 700) ===
{"status":"success","data":{"users":[{"id":"d0a6f897-3ca9-465f-89bd-504f8a9b8278","companyName":null,"externalClientId":null,"firstName":"Roeland","lastName":"Werring","email":"[email protected]","phoneNumber":null,"country":null,"region":null,"address":null,"city":null,"postalCode":null,"role":"super_admin","userType":"crm","authProvider":"azure-ad","azureObjectId":null,"azureTenantId":"gangkhar.com","azureRoles":["user","admin"],"deleted":false,"twoFactorMethod":"email","twoFactorEnabled":false,"twoFactorBackupCodes":null,"twoFactorEmailToken":null,"twoFactorEmailTokenExpires":null,"createdAt":"2026-04-17T18:09:53.608Z","updatedAt":"2026-04-17T18:09:53.608Z"},{"id":"37ba6c6f-441
=== jwt libs in sherpa-test ===
none (will mint with crypto)Got user d0a6f897-… (super_admin, org 222), JWT_SECRET (128 chars), no jwt lib (mint with crypto). Now reading the portal page's exact button/field labels so my Playwright selectors are correct.
{"pattern":"t\\([\"'][^\"']*[\"']\\)|placeholder=|label=\\{t","path":"/Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir/app/products/[id]/direct-debit/page.tsx","output_mode":"content","-n":true,"head_limit":70}149: showErrorToast(extractApiError(err, t("Failed to load collections")));
159: setError(t("Invalid product ID"));
175: setError(t("Failed to load data"));
216: showErrorToast(t("Account holder is required"));
220: showErrorToast(t("Account number is required"));
235: showSuccessToast(t("Mandate created successfully"));
240: showErrorToast(extractApiError(err, t("Failed to create mandate")));
249: showSuccessToast(t("Mandate activated"));
253: showErrorToast(extractApiError(err, t("Failed to activate mandate")));
260: showSuccessToast(t("Mandate revoked"));
264: showErrorToast(extractApiError(err, t("Failed to revoke mandate")));
277: showErrorToast(extractApiError(err, t("Failed to load mandate file")));
285: setFormAmount("");
298: showErrorToast(t("Enter a valid amount greater than zero"));
309: showSuccessToast(t("Collection scheduled successfully"));
314: showErrorToast(extractApiError(err, t("Failed to schedule collection")));
332: showErrorToast(extractApiError(err, t("Failed to run collections")));
348: ? t("Collection marked as settled")
349: : t("Collection marked as failed")
354: showErrorToast(extractApiError(err, t("Failed to simulate return")));
361: showSuccessToast(t("Collection retry scheduled"));
365: showErrorToast(extractApiError(err, t("Failed to retry collection")));
379: <p className="text-gray-600">{t("Loading direct debit...")}</p>
398: <p className="text-red-600">{error || t("Product not found")}</p>
414: <h2 className="text-2xl font-bold text-gray-900">{t("Direct Debit")}</h2>
416: {t("Autogiro (SE) & Betalingsservice (DK) recurring direct debit")}
425: <h3 className="text-lg font-semibold text-gray-900">{t("Mandates")}</h3>
427: {t("Select a mandate to view its collections")}
432: {t("Create mandate")}
439: {t("No mandates created yet for this product.")}
448: {t("Account holder")}
451: {t("Provider")}
454: {t("Reference")}
457: {t("Status")}
460: {t("Created")}
463: {t("Actions")}
487: label={t(mandate.status)}
505: {t("Activate")}
516: {t("Revoke")}
525: {t("View file")}
543: <h3 className="text-lg font-semibold text-gray-900">{t("Collections")}</h3>
549: : t("Showing all collections for this product")}
559: {t("Schedule collection")}
563: {running ? t("Running...") : t("Run due collections")}
574: <p className="text-gray-500">{t("No collections yet.")}</p>
582: {t("Amount")}
585: {t("Status")}
588: {t("Retries")}
591: {t("Flagged")}
594: {t("Scheduled")}
597: {t("Failure reason")}
600: {t("Actions")}
612: label={t(collection.status)}
623: title={t("Flagged")}
651: {t("Simulate settled")}
659: {t("Simulate failed")}
669: {t("Retry")}
688: <DialogTitle>{t("Create mandate")}</DialogTitle>
690: {t("Register a recurring direct debit mandate for this product.")}
696: {t("Provider")}
706: <SelectItem value="autogiro">{t("Autogiro (Sweden)")}</SelectItem>
708: {t("Betalingsservice (Denmark)")}
715: {t("Account holder")}
724: {t("Country")}
734: {t("Clearing / Reg number")}
743: {t("Account number")}
752: {t("Bank name")}
763: {t("Cancel")}
766: {mandateSaving ? t("Saving...") : t("Create")}
779: <DialogTitle>{t("Schedule collection")}</DialogTitle>
[Showing results with pagination = limit: 70]I have all the labels. Let me check the create-mandate form's default state (so I can avoid fragile Radix-select interaction if autogiro is the default).
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-portal-api-462-nordic-bank-direct-debit-autogir\necho \"=== form state defaults ===\"\nrg -n \"useState.*form|formProviderKey|formCountry|formAccountHolder|formClearing|formAccountNumber|formBankName|setFormCountry|openCreateMandate|resetMandateForm\" app/products/\\[id\\]/direct-debit/page.tsx | head -30","description":"Inspect create-mandate form defaults"}=== form state defaults ===
103: const [formAccountHolder, setFormAccountHolder] = useState("");
104: const [formCountry, setFormCountry] = useState("SE");
105: const [formClearingNumber, setFormClearingNumber] = useState("");
106: const [formAccountNumber, setFormAccountNumber] = useState("");
107: const [formBankName, setFormBankName] = useState("");
199: const openCreateMandate = () => {
202: setFormCountry(PROVIDER_DEFAULT_COUNTRY.autogiro);
211: setFormCountry(PROVIDER_DEFAULT_COUNTRY[value]);
215: if (!formAccountHolder.trim()) {
219: if (!formAccountNumber.trim()) {
229: accountHolder: formAccountHolder.trim(),
230: country: formCountry.trim(),
231: clearingNumber: formClearingNumber.trim() || undefined,
232: accountNumber: formAccountNumber.trim(),
233: bankName: formBankName.trim() || undefined,
430: <Button onClick={openCreateMandate}>
718: value={formAccountHolder}
727: value={formCountry}
728: onChange={(e) => setFormCountry(e.target.value.toUpperCase())}
737: value={formClearingNumber}
746: value={formAccountNumber}
754: <Input value={formBankName} onChange={(e) => setFormBankName(e.target.value)} />Form defaults to autogiro/country SE (so I can skip the Radix select for an Autogiro mandate). Writing the browser-proof script — mints the JWT, injects auth-storage, then drives a full fresh flow through the real portal UI with screenshots at each state.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/dd_proof.mjs","content":"// Browser proof for sherpa-api#462 — Nordic bank direct debit, driven through the\n// real sherpa-portal UI at http://localhost:3011. Mints an HS256 JWT (recipe:\n// reference_portal_playwright_auth_jwt) and injects it into localStorage so the\n// portal is authenticated, then exercises the mandate + collection flow and\n// captures screenshots into the api worktree's .auto-proof dir.\nimport crypto from 'crypto';\nimport pkg from '/Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/node_modules/playwright/index.js';\nconst { chromium } = pkg;\n\nconst PORTAL = 'http://localhost:3011';\nconst PRODUCT_ID = '291';\nconst PROOF_DIR = '/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof';\nconst ORG = '22222222-2222-2222-2222-222222222222';\nconst USER_ID = 'd0a6f897-3ca9-465f-89bd-504f8a9b8278';\nconst EMAIL = '[email protected]';\nconst SECRET = process.env.JWT_SECRET;\nif (!SECRET) { console.error('JWT_SECRET missing'); process.exit(1); }\n\nconst b64 = (b) => Buffer.from(b).toString('base64').replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\nfunction mintJwt() {\n const now = Math.floor(Date.now() / 1000);\n const header = b64(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));\n const payload = b64(JSON.stringify({ id: USER_ID, email: EMAIL, role: 'super_admin', clientNumericId: null, organizationId: ORG, iat: now, exp: now + 3600 }));\n const sig = b64(crypto.createHmac('sha256', SECRET).update(`${header}.${payload}`).digest());\n return `${header}.${payload}.${sig}`;\n}\n\nconst SUFFIX = String(Date.now()).slice(-6);\nconst HOLDER = `Greta Demo ${SUFFIX}`;\nconst consoleErrors = [];\nconst failedRequests = [];\nlet shot = 0;\nconst log = (m) => console.log(`[proof] ${m}`);\n\nasync function snap(page, name) {\n shot += 1;\n const file = `${PROOF_DIR}/${String(shot).padStart(2, '0')}-${name}.png`;\n await page.screenshot({ path: file, fullPage: true });\n log(`screenshot → ${file}`);\n}\nasync function clickByText(scope, text, timeout = 6000) {\n const btn = scope.getByRole('button', { name: text, exact: false }).first();\n await btn.waitFor({ state: 'visible', timeout });\n await btn.click();\n}\n\n(async () => {\n const jwt = mintJwt();\n const authState = JSON.stringify({ state: { accessToken: jwt, refreshToken: jwt, user: null, currentOrganization: null, availableOrganizations: [], organizationScope: null, drillDownOrgId: null, hydrated: true }, version: 0 });\n\n const browser = await chromium.launch({ headless: true });\n const context = await browser.newContext({ viewport: { width: 1500, height: 1000 } });\n await context.addInitScript((v) => { try { localStorage.setItem('auth-storage', v); } catch (e) {} }, authState);\n\n const page = await context.newPage();\n page.on('console', (m) => { if (m.type() === 'error') consoleErrors.push(m.text()); });\n page.on('requestfailed', (r) => failedRequests.push(`${r.method()} ${r.url()} — ${r.failure()?.errorText}`));\n page.on('response', (r) => { if (r.status() >= 400 && r.url().includes('/v1/')) failedRequests.push(`${r.status()} ${r.request().method()} ${r.url()}`); });\n\n try {\n log('navigating to direct-debit page');\n await page.goto(`${PORTAL}/products/${PRODUCT_ID}/direct-debit`, { waitUntil: 'domcontentloaded', timeout: 45000 });\n // Wait for the feature heading to render (proves auth + page mounted).\n await page.getByText('Direct Debit', { exact: false }).first().waitFor({ timeout: 30000 });\n await page.getByText('Autogiro (SE) & Betalingsservice (DK)', { exact: false }).first().waitFor({ timeout: 15000 }).catch(() => {});\n await page.waitForTimeout(1500);\n await snap(page, 'direct-debit-page-loaded');\n\n // 1) Create a fresh Autogiro (SE) mandate through the UI.\n log('opening Create mandate dialog');\n await clickByText(page, 'Create mandate');\n const dialog = page.getByRole('dialog');\n await dialog.waitFor({ timeout: 8000 });\n await page.waitForTimeout(500);\n // Fill required fields. Provider defaults to Autogiro, country defaults to SE.\n const fillByLabel = async (label, value) => {\n try { await page.getByLabel(label, { exact: false }).first().fill(value); return true; } catch { return false; }\n };\n let okHolder = await fillByLabel('Account holder', HOLDER);\n let okAcct = await fillByLabel('Account number', '1234567');\n await fillByLabel('Clearing', '8327').catch(() => {});\n await fillByLabel('Bank name', 'Swedbank').catch(() => {});\n if (!okHolder || !okAcct) {\n // Fallback: fill the dialog's text inputs positionally\n const inputs = dialog.locator('input');\n const n = await inputs.count();\n log(`label fill fallback — ${n} inputs in dialog`);\n if (n >= 4) {\n await inputs.nth(0).fill(HOLDER); // Account holder\n await inputs.nth(2).fill('8327'); // Clearing/Reg\n await inputs.nth(3).fill('1234567'); // Account number\n if (n >= 5) await inputs.nth(4).fill('Swedbank');\n }\n }\n await snap(page, 'create-mandate-dialog-filled');\n await clickByText(dialog, 'Create');\n // Dialog closes + list refetches; new pending mandate row appears.\n await page.getByText(HOLDER, { exact: false }).first().waitFor({ timeout: 12000 });\n await page.waitForTimeout(1000);\n await snap(page, 'mandate-created-pending');\n\n // Helper: the row for our created mandate.\n const row = page.locator('tr', { hasText: HOLDER }).first();\n\n // 2) Activate the mandate.\n log('activating mandate');\n await row.getByRole('button', { name: /Activate/i }).click();\n await page.waitForTimeout(1500);\n await snap(page, 'mandate-activated');\n\n // 3) Select the mandate (click its row) to scope the collections panel.\n await row.gFile created successfully at: /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir/dd_proof.mjs (file state is current in your context — no need to Read it back)
Creating proof dir + running the browser proof (sourcing JWT_SECRET from the api .env).
{"command":"mkdir -p /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof\nbash -c '\necho \"stack: api=$(curl -s -m8 -o /dev/null -w \"%{http_code}\" http://localhost:4011/) portal=$(curl -s -m8 -o /dev/null -w \"%{http_code}\" http://localhost:3011)\"\nset -a; source /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.env 2>/dev/null; set +a\ncd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir\nJWT_SECRET=\"$JWT_SECRET\" node dd_proof.mjs 2>&1 | tail -60\n'","description":"Run browser proof script","timeout":180000}stack: api=200 portal=200 [proof] navigating to direct-debit page [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/01-direct-debit-page-loaded.png [proof] opening Create mandate dialog [proof] label fill fallback — 5 inputs in dialog [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/02-create-mandate-dialog-filled.png [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/03-mandate-created-pending.png [proof] activating mandate [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/04-mandate-activated.png [proof] scheduling collection #1 [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/05-schedule-collection-dialog.png [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/06-collection-scheduled.png [proof] running due collections [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/07-collection-submitted-after-run.png [proof] simulating settled return [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/08-collection-settled.png [proof] scheduling collection #2 for failure path [proof] simulating failed return [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/09-collection-failed-retrying.png [proof] navigating to payment providers settings [proof] screenshot → /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/10-payment-providers-config.png [proof] --- console errors --- Failed to load resource: the server responded with a status of 404 (Not Found) [proof] --- failed/4xx-5xx requests --- POST http://localhost:3011/monitoring?o=4510269804576768&p=4510269805887488&r=us — net::ERR_ABORTED 404 GET http://localhost:4011/v1/data/public//assets/GangkharLogo.svg [proof] total screenshots: 10
All 10 screenshots captured; the only console noise is an unrelated logo 404 + Sentry abort (no /v1/direct-debit errors). Auth via injected JWT worked (page rendered, full flow drove). Now I must visually confirm — reading the key screenshots.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/01-direct-debit-page-loaded.png"}Screenshot 01 is excellent — real portal, "Direct Debit" nav active under OPERATE, mandates table with Autogiro (SE) + Betalingsservice (DK) active mandates, logged in as Roeland Werring. Checking the settled/failed states + config tab.
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/08-collection-settled.png"}Screenshot 08 confirms the full UI flow: created+activated "Greta Demo 537140" (Autogiro SE) through the UI, scheduled 199.00 SEK, status settled (green), toast "Collection marked as settled". Checking failed/retrying (09) + config (10).
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/09-collection-failed-retrying.png"}Screenshot 09 confirms the failure path: retrying badge, Retries 1/3, failure reason "AVVISAD" (the Autogiro rejection), alongside the settled one. Acceptance criteria proven through the UI. Checking the config tab (10).
{"file_path":"/Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir/.auto-proof/10-payment-providers-config.png"}Screenshot 10 confirms config-via-portal: Autogiro (Sweden) + Betalingsservice (Denmark) both Active in the Payment Providers tab.
All acceptance criteria proven through the real portal UI. Re-running the targeted test spec for fresh counts + checking commit setup.
{"command":"cd /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir\necho \"=== re-run targeted spec ===\"\nnpx playwright test tests/plus-insurance/09-direct-debit.spec.ts --project=plus-insurance --reporter=line 2>&1 | tail -15\necho \"=== is .auto-proof gitignored in api repo? ===\"\ngit -C /Users/bakker/dev/gangkhar/sherpa-api-api-462-nordic-bank-direct-debit-autogir check-ignore .auto-proof 2>&1 && echo \"IGNORED\" || echo \"not ignored (committable)\"\necho \"=== test repo: is dd_proof.mjs / .env tracked? ===\"\ngit -C /Users/bakker/dev/gangkhar/sherpa-test-api-462-nordic-bank-direct-debit-autogir status --porcelain | head","description":"Re-run spec + check gitignore for proof + test repo status","timeout":120000}