# DAL SEEN — Work log A factual list of what was built across these sessions, on the **frontend** and on the **backend**. Use it to resume from any point. --- ## Where things live | | Path | Run | |---|---|---| | **Frontend** (React + Vite) | `app/` | `cd app && npm run dev` → http://localhost:5173 | | **Backend** (Laravel 11 + Sanctum + Spatie) | `backend/` | `cd backend && php artisan migrate:fresh --seed && php artisan serve --port=8800` → http://127.0.0.1:8800/api/v1 | | Frontend env (points at backend) | `app/.env.local` (`VITE_API_BASE_URL=http://127.0.0.1:8800`) | — | | Postman collection | `backend/docs/postman/dalseen-backend.postman_collection.json` | — | | Backend implementation report | `backend/docs/IMPLEMENTATION-REPORT.md` | — | ### Demo accounts (all `password=password123`) #### Tenant users (login uses workspace toggle, `company_slug=acme`) | Email | Role | Lands on | |---|---|---| | `owner@acme.test` | business-owner | TenantDashboard | | `manager@acme.test` | manager | TenantDashboard | | `staff@acme.test` | staff | TenantDashboard | | `cashier@acme.test` | cashier | redirected to /retail/pos kiosk | | `accountant@acme.test` | accountant | TenantDashboard | #### Platform staff (login uses platform-login toggle, no company_slug) | Email | Role | Can do | |---|---|---| | `admin@acme.test` | superadmin | Everything (incl. impersonation, releases, internal staff CRUD) | | `finance.manager@dalseen.sa` | finance-manager | Plans (write), Billing (refund/credit/remind/auto-hold), Collections; cannot suspend tenants or manage staff | | `finance@dalseen.sa` | finance-employee | Read billing, Remind invoices, Work collections; cannot refund/credit | | `support@dalseen.sa` | support-agent | Tickets (assign/resolve/reply), CRM write, Tenant message; cannot touch billing | | `ops@dalseen.sa` | operations | Signups/Onboarding/Health/Incidents/Releases/Terminals; cannot touch billing | --- ## FRONTEND — what was done ### 1. Auth flows wired to the real backend - `src/modules/auth/LoginPage.jsx` — two modes (workspace + platform). Toggle link below the submit button. - `src/modules/auth/MfaVerifyPage.jsx` — 6-digit code (demo accepts `123456`). - `src/modules/auth/ProfilePage.jsx`, `ChangePasswordPage.jsx` — `/me`, `/me/password`. - `src/modules/auth/auth.api.js` — full Postman contract on `realRequest`. - `src/modules/auth/auth.session.js` — bilingual mapper. Resolves role from `resp.user.roles[0]` OR top-level `roles` (fixed the platform-login regression where role got stomped to `null`). ### 2. Real-backend pages (zero `ErrorBanner` on these) - **Catalog → Categories CRUD** — `src/modules/merchandise/CategoriesPage.jsx` - **Catalog → Units CRUD** — `src/modules/merchandise/UnitsPage.jsx` - **Ops → Branches** (list + detail + Ramadan profile + cloud kitchens) — `src/modules/ops/BranchesPage.jsx`, `BranchDetailPage.jsx` - **Ops → Users** (CRUD + invite + sync roles + clear PIN with step-up) — `src/modules/ops/UsersAccessPage.jsx` - **Ops → Roles** (CRUD + permission matrix) — `src/modules/ops/RolesPage.jsx` - **Tenant Dashboard → Workflows + Notifications** cards — wired via `common.api.js` URL-prefix router (`/workflows` + `/notifications` go real, rest still mock). - **Platform admin — entire sidebar**: Tenants, Signups, Onboarding, Plans, Billing, Support, Compliance, Health, Incidents, Releases, Audit, Pay terminals, CRM. All 13 pages render from real backend data via `platform.api.js` switched to `realRequest`. ### 3. Architectural restructure - **Moved out of Retail, promoted to top-level**: - `src/modules/retail/ops/` → `src/modules/ops/` (Ops is cross-module, not retail-specific) - `src/modules/retail/catalog/` → `src/modules/merchandise/` (Merchandise is shared by Retail + Dine) - **App.jsx routes** — added top-level `/ops/*` and `/merchandise/*`. Old `/retail/ops` and `/retail/catalog` redirect. - **Sidebar (`src/app/nav.config.jsx`)** — new "Shared" group above "Books" with **Operations** + **Merchandise**. - **Retail + Dine in-app nav** — both modules now show a `Catalog (shared)` and `Ops (shared)` cross-link that jumps to `/merchandise` and `/ops`. ### 4. Dev permission bypass - `src/core/auth/devPermissions.js` — flag `VITE_ALLOW_ALL_PERMISSIONS=true` in `.env.local` short-circuits every `@can` / `RequirePerm` to allowed. Statically dead-code-eliminated in production builds (`vite build` strips the bypass branch even if the flag is set). - Wired into `sessionStore.can/canAny/canAll`, `usePermission`, and `StepUp.useStepUp.request()` (skips PIN modal in dev). ### 5. Other small things - `src/components/Icon.jsx` — added `user` icon for the new Account header link. - `src/app/AppShell.jsx` — added Account icon link in the header next to Sign out. - Real-HTTP interceptor (`src/core/api/realHttp.js`) — auto-attaches `X-Tenant-Id`, `X-Branch-Id`, `Idempotency-Key`/`X-Idempotency-Key`, consumes step-up tickets via `stepUpFor: 'permission.key'`. Tweaked to respect explicit `X-Branch-Id` overrides (needed for cloud-kitchens / ramadan-profile when querying a non-active branch). ### Frontend — what's still on mocks | Module | Pages | Why | |---|---|---| | Retail · POS | sell flow, receipts, returns, returns wizard, CFD, fullscreen kiosk | No backend tables / endpoints yet | | Retail · Inventory | overview, alerts, expiry, reorder, receivings, stocktakes, transfers, adjustments, wastage + 2 wizards | No backend tables / endpoints yet | | Retail · Suppliers | list, marketplace, RFQs, RFQ detail, RFQ composer, POs, PO composer | No backend | | Retail · Customers | list, segments, communications, tasks, birthdays, opportunities | No backend | | Retail · Growth | campaigns, loyalty, gift cards, bundles, layaways | No backend | | Retail · ZF | overview, learned, OCR, shelf, reconciliation, jobs, ZATCA, settings | No backend | | **Merchandise → Products + Pricing + Resolver + Kinds** | Products list, AddProduct wizard, Pricing rules, Resolver, Kinds | Categories + Units are real; Products is the missing piece | | Dine | every page (orders, KDS, menu, modifiers, recipes, combos, reservations, waitlist, aggregator, delivery, kiosk, QR, Ramadan-list, reports, dine POS) | No backend | | Pay | charges, refunds, disputes, payouts, settlements, wallet, terminals, webhooks | No backend | | Accounting | sell, spend, bank, CoA, GL, ZATCA, periods, vendors, customers, bills, vouchers, recurring, reports, audit, hub, opening, pay, collect, settings, VAT, journal | No backend | | HR | staff, payroll, attendance, ATS, contracts, expenses, leave, performance, learning, roster, org | No backend | | Owner | banking, goals, legal, merchants, home | No backend | | E-commerce | catalog, customers, orders, returns, fulfillment | No backend | | Common (remaining) | help center, marketplace, integrations, devices, partner inbox, the legacy roles page | No backend | --- ## BACKEND — what was done Laravel **11.46** + PHP **8.4** + **SQLite** (dev) + **Sanctum 4** + **spatie/laravel-permission 6**. ### 1. Foundation - `app/Exceptions/ApiException.php` — canonical error envelope `{ error: { code, message_en, message_ar, fields, correlation_id } }` with `X-Correlation-Id` header. - `app/Support/ApiResponse.php` — success envelope helper (handles paginators, resources, raw arrays). - `bootstrap/app.php` — global exception render maps Validation/Auth/Authorization/HTTP/NotFound → canonical envelope. API prefix set to `api/v1`. - `app/Models/Concerns/BelongsToTenant.php` — global scope binds queries to `auth()->user()->company_id`, auto-fills `company_id` on create. Skipped during migrations / CLI / no auth. - `app/Http/Middleware/EnsureTenantContext.php` (alias `tenant`) — fail-fast 403 for users without `company_id`. - `app/Http/Middleware/EnsureSuperAdmin.php` (alias `superadmin`) — gates `/platform/*` to users with `superadmin` role. ### 2. Database — 14 application tables (+ Laravel defaults) Migrations under `database/migrations/2026_05_05_*`: | Table | Purpose | |---|---| | `companies` (extended) | tenants — slug, legal names, plan, mrr, status, region, users_count, branches_count, health_score, etc. | | `users` (extended) | added `company_id`, `phone`, `preferred_locale`, `is_active`, `mfa_enabled`, `mfa_secret`, `pos_manager_pin_hash`, `invited_at` | | `branches` | ULID, parent_branch_id (cloud kitchens), bilingual names, type, branch_type, address, ramadan profile fields | | `branch_user` | pivot — primary_role, started_at, ended_at | | `units` | catalog units of measure (per company) | | `categories` | catalog categories (parent_id self-FK, bilingual) | | `tenant_invoices` | platform-side billing | | `tenant_signups` | pre-tenant pipeline | | `health_services` | platform service snapshot | | `platform_slos` | SLO definitions | | `platform_incidents` | incident log | | `platform_audit_log` | cross-tenant audit, ID + action + actor + severity + at | | `workflows` | tenant + per-user task queue (dashboard "Next steps") | | `notifications_feed` | tenant + per-user notification feed | | `tenant_onboarding` | onboarding pipeline (current_step, completed[], risk) | | `subscription_plans` | starter/growth/enterprise + features[] | | `support_tickets` | platform support inbox | | `compliance_items` | ZATCA, PDPL, NCA, SAMA, PCI, GAZT, MOL, ISO | | `platform_releases` | release log (rolling, shipped, rolled-back, staging) | | `platform_terminals` | cross-tenant POS / Soft-POS fleet | ### 3. API endpoints — 95 total under `/api/v1` | Section | Count | Notes | |---|---:|---| | Auth (login + platform login + MFA + logout) | 4 | platform login = email + password, no slug | | Me (show, update, change password, my branches) | 4 | | | Catalog · Units (CRUD) | 4 | | | Catalog · Categories (CRUD + bulk update + bulk delete) | 6 | | | Branches (list + create + show + cloud-kitchens + ramadan get/patch + settings alias) | 7 | | | Roles (full + summary + CRUD) | 6 | | | Permissions (list) | 1 | | | Users (CRUD + invite + sync roles + clear PIN) | 8 | | | Workflows + Notifications (list + mark read + mark all read) | 4 | | | **Platform — entire sidebar** | **48** | Tenants/Billing/Signups/Health/Incidents/Audit + Onboarding/Plans/Support/Compliance/Releases/Terminals + every detail + every write action | Run `php artisan route:list --path=api` to see them. ### 4. Seeders — realistic demo data Single `DatabaseSeeder.php` populates: - 70 permission keys (`catalog.units.view`, `roles.create`, `platform.tenants.view`, …) - 7 roles (superadmin, business-owner, manager, staff, cashier, accountant, auditor) with curated permission sets - 1 home company (ACME, slug `acme`) + 12 demo tenants (Al-Nakheel, Olaya, Tahlia, Khobar Café, …) - 6 users in ACME (the demo accounts above) - 5 default units (pcs, kg, g, lb, box) + 6 categories + 2 branches (HQ + central kitchen) - 9 tenant invoices, 10 signups, 13 health services + 5 SLOs, 6 incidents, 12 audit events - 7 onboarding rows, 3 subscription plans, 8 support tickets, 8 compliance items, 6 releases, 12 terminals - For ACME owner: 6 workflows + 6 notifications All `firstOrCreate` / `updateOrInsert`, so re-seeding is idempotent. ### 5. Conventions baked in - **Pagination** — list endpoints accept `?page=&per_page=`, return `{ data: [...], meta: { page, per_page, total } }`. - **Bilingual names** — every model with `name_en` + `name_ar`. Locale-aware shaping in controllers via `Accept-Language` header. - **Idempotency** — every POST/PUT/PATCH/DELETE auto-receives `Idempotency-Key` + `X-Idempotency-Key` from the realHttp interceptor. Backend doesn't yet store/dedupe by key (TODO). - **Tenant scoping** — everything tenant-scoped flows through `BelongsToTenant`. Platform models live without that trait so superadmin reads cross-tenant. - **Audit** — every platform write action records to `platform_audit_log` with actor email, role, IP, UA, severity. Tenant-side actions don't audit yet (TODO). ### Backend — what's NOT built In rough priority for next session: 1. **Step-up middleware** — frontend sends `X-Step-Up-Ticket`, backend doesn't issue or verify. PIN modal currently bypassed in dev. 2. **Common module** (devices, integrations, marketplace, partner inbox, help center) — small surfaces, easy wins. 3. **Retail Products** — frontend has Products + Pricing + Resolver + Kinds; backend has Categories + Units only. Need `products` table + variants + pricing rules. 4. **Retail POS sales** — `sales`, `sale_lines`, `payments`, `shifts` tables + the moneymaker endpoints. 5. **Pay** — charges, refunds, settlements, payouts, terminals (tenant-side), webhooks. 6. **Dine** — orders, KDS, menu, modifiers, recipes, combos, reservations. 7. **Accounting** — chart of accounts, journal entries, periods, invoices, bills, ZATCA submissions. 8. **HR** — staff, payroll runs, attendance, leave, contracts. 9. **Tests** — none yet. Should add PHPUnit feature tests for the 95 wired endpoints. 10. **Production config** — currently SQLite + sync queue + log mail. For prod: Postgres + Redis + Horizon + S3 + Mailgun. 11. **Real audit on tenant actions** — only platform writes audit. Tenant-side catalog edits / branch creates don't. 12. **File uploads** — no avatars, no document upload, no CSV import yet. 13. **OpenAPI spec** — only Postman collection right now. --- ## Accounting Phase A2 — Customer accounting templates + terminology Built between Phase A (foundation: account_mappings, JournalService idempotency, high-sev audit) and the upcoming Phase B (auto-posting). The user explicitly asked for the templates + terminology dictionary BEFORE the Phase B posters so each business type starts with the right chart shape and so the income/revenue mismatch can't break Phase C (frontend rewire). ### Backend — files added | Path | Purpose | |---|---| | `backend/app/Support/AccountingTerms.php` | Dictionary: canonical account types, all known mapping keys (`KEYS`), bilingual labels (`LABELS`), type labels (`TYPE_LABELS`). Single source of truth for the accounting vocabulary. | | `backend/app/Services/Accounting/Templates/ChartTemplate.php` | Abstract base class. `keyed()` pulls bilingual labels from `AccountingTerms`; `account()` is the escape hatch for template-specific accounts. | | `backend/app/Services/Accounting/Templates/RetailTemplate.php` | Retail / Grocery — full POS tender mix, inventory, single revenue, COGS in 6xxx. | | `backend/app/Services/Accounting/Templates/RestaurantTemplate.php` | Channel-split revenue (dine-in/takeaway/delivery/aggregator), ingredients + beverage inventory, food/beverage COGS, delivery platform fees, waste. | | `backend/app/Services/Accounting/Templates/ServicesTemplate.php` | NO inventory, NO COGS. Service / subscription / project / consulting revenue, unbilled + unearned revenue, software & professional services expense. | | `backend/app/Services/Accounting/Templates/EcommerceTemplate.php` | Online sales + shipping income, gateway clearing, gateway/processing fees, shipping expense, customer deposits. | | `backend/app/Services/Accounting/Templates/ChartTemplateRegistry.php` | Slug → template class. `resolve()` falls back to retail; `resolveStrict()` throws `UNKNOWN_BUSINESS_TYPE`. | | `backend/database/migrations/2026_05_05_180001_add_business_type_to_companies.php` | Adds `companies.business_type` (nullable, defaults to retail at provisioning). | | `backend/tests/Feature/AccountingTemplatesTest.php` | 12 tests: per-template contracts, cross-template label consistency, services-no-inventory invariant, seeder template assignment, canonical type alignment. | ### Backend — files changed - `backend/app/Services/Accounting/ChartProvisioner.php` — refactored from a single hardcoded chart into a registry-driven dispatcher. `ensure($companyId, ?$templateSlug = null)` now picks the template from `companies.business_type` (defaults to retail when null/unknown). - `backend/app/Models/Company.php` — added `business_type` to `$fillable`. - `backend/database/seeders/DatabaseSeeder.php` — ACME provisioned as retail (most general); the 12 demo tenants spread across all 4 templates: 5 retail · 3 restaurant · 2 ecommerce · 2 services. - `backend/tests/Feature/AccountingPhaseATest.php` — updated to reference `RetailTemplate` instead of the removed `ChartProvisioner::DEFAULT_CHART`/`DEFAULT_MAPPINGS` constants. Per-tenant assertion now expects the right shape per `business_type`. ### Frontend — income/revenue mismatch fix Backend canonical type is `'income'` (per `ChartAccount::TYPES`). Pre-A2 frontend mock + filters used `'revenue'`. Both layers now agree on `'income'` AND the frontend treats `'revenue'` as a tolerated alias so old mock data still renders. | Path | Change | |---|---| | `app/src/modules/accounting/_shared/coa.constants.js` | NEW. `ACCOUNT_TYPES`, `INCOME_TYPES = new Set(['income','revenue'])`, `normalizeAccountType()`, `ACCOUNT_TYPE_LABELS`, `accountTypeLabel()`. Mirrors `App\Support\AccountingTerms` on the backend. | | `app/src/modules/accounting/CoaPage.jsx` | KPI grid + badge tones keyed by canonical `'income'`; `normalizeAccountType()` applied so legacy `'revenue'` rows still render correctly. | | `app/src/modules/accounting/VouchersPage.jsx` | Receipt picker uses `INCOME_TYPES.has(a.type) || a.type === 'liability'` (alias-safe). | | `app/src/core/api/mocks/accounting.mock.js` | The 4 CoA rows previously typed `'revenue'` flipped to canonical `'income'`. P&L generator + trial-balance helper rewired through `INCOME_TYPES`. | ### Database changes - `companies.business_type` (nullable string, 16 chars). - No destructive changes to any existing accounting table. ### APIs added/changed No new HTTP routes. Two implicit contract changes: - `ChartProvisioner::ensure()` now accepts an optional `$templateSlug` (else reads `companies.business_type`). - Provisioning a tenant produces different account counts per business type — no longer a single 25-row chart for everyone. ### Live cross-tenant probe Confirmed against the dev DB after `migrate:fresh --seed`: ``` acme retail accounts=24 mappings=22 al-nakheel retail accounts=24 mappings=22 abha-foods restaurant accounts=27 mappings=24 khobar-cafe restaurant accounts=27 mappings=24 najran-cof restaurant accounts=27 mappings=24 dammam-log services accounts=23 mappings=20 ← no inventory, no COGS yanbu-mar services accounts=23 mappings=20 madinah-bks ecommerce accounts=24 mappings=21 qassim-dat ecommerce accounts=24 mappings=21 … ``` ### Tests - `AccountingTemplatesTest` — 12 / 12 passing - `AccountingPhaseATest` — 7 / 7 passing - `AccountingTest` — 5 / 5 passing - **Full backend suite — 123 tests, 1428 assertions, all green.** ### What is now real - Four customer-facing business templates with correct account shape per type. - Restaurants get channel-split revenue + food/beverage COGS + delivery platform fees out of the box. - Services tenants explicitly cannot post inventory journals (no mappings exist) — auto-posters that try get a clean `ACCOUNT_MAPPING_MISSING` error instead of silently succeeding against a wrong account. - E-commerce tenants get gateway clearing + shipping income/expense + customer deposits out of the box. - The income/revenue mismatch is closed: backend ships `income`, frontend mock ships `income`, the alias `revenue` is tolerated everywhere via `INCOME_TYPES`. - Tenant labels for shared mapping keys (e.g. `tax.vat_payable`, `tender.cash`, `inventory.cogs`) read identically across all four templates — enforced by a cross-template consistency test. ### What is still missing (Phase B and beyond) - No POS / Dine / Pay / Inventory / AR / AP code is calling `JournalService::post()` yet — the auto-posters are Phase B. - No template-aware auto-poster routing yet (e.g. POS in a restaurant should use `sales.dine_in`, not `sales.revenue`). This goes hand-in-hand with Phase B. - Tenants cannot switch templates from the admin UI. Once Phase B+C land we'll need a one-time migration helper for tenants that change business type. --- ## Deferred translation platform — separate future track Out of scope for this phase. Tracked here so it doesn't get lost. Triggered by the audit at the start of this session, which classified the current bilingual stack as **partially implemented and entirely static**. The audit's findings stand: the Phase A2 work above is intentionally narrow — only the **accounting** vocabulary is now centralised and consistent. The full platform translation overhaul still needs to happen across these workstreams: | Area | What's missing | Approx scope | |---|---|---| | **Dynamic translation catalog** | No JSON/PO/XLIFF files. Replace ~3,000 inline `t(en, ar)` pairs with key-based lookups against `/locales/en.json` + `/locales/ar.json`. | Mechanical, large. Module-by-module migration is feasible. | | **Admin translation editor** | No UI today. Build a page that lists every key, shows EN / AR / tenant override side-by-side, lets staff edit & version. | Medium. ~1 week with a small UI. | | **Tenant overrides** | No per-tenant rewording. Add `tenant_translation_overrides(company_id, namespace, key, lang, value)` + a resolver that prefers tenant value when present. | Small backend, small UI. | | **Validation message translation** | Laravel `lang/ar/validation.php` is missing entirely → all per-field errors are English even in Arabic mode. | Small. Drop the published file + verify a few flows. | | **`Accept-Language` middleware** | Header is sent on every request but no middleware calls `App::setLocale()`. As a result `MeController`, `LoginController`, `UserController` always return English `name` for branches even when the user is in Arabic mode. | Trivial. ~1 file. | | **Audit action labels** | Audit log shows raw codes (`tenant.suspend`, `journal.post`). Need an `ACTION_LABELS` map (en/ar) used by the platform Audit page. | Small. | | **`relativeTime` helper** | Returns `"5m ago"` / `"3d ago"` regardless of locale. | Trivial. | | **Backend `ApiException` Arabic coverage** | ~half of `throw new ApiException(...)` calls pass `null` for `message_ar`. | Medium — ~60 call sites to backfill. | | **Mock data gaps** | `dine.mock.js` has 17 EN-only ingredient names; `hr.mock.js` has 8 EN-only fields. | Small. | | **Hijri / Latin digit toggle** | `Intl.NumberFormat('ar-SA')` produces Arabic-Indic digits; some Saudi accountants want Latin digits in printed reports. | Small UX toggle + setting. | Anchor: when any of this lands, link the changes back to this section so the trail stays intact. --- ## Phase B stabilisation pass — cost accuracy + COGS classification Mid-flight tightening between B1/B2 and B3. Two narrow fixes plus the inventory-model documentation the user asked us to make explicit. ### Step 1 — Retail return cost accuracy **Problem**: `PosReturnPoster` was reading `product.cost_price` at refund time. If a tenant raised cost between sale and refund, the inventory restock + COGS reversal used the wrong value. **Fix**: snapshot the cost on every sale line. | File | Change | |---|---| | `backend/database/migrations/2026_05_05_190001_add_cost_at_sale_and_recipe_class.php` | New migration. Adds `pos_sale_lines.cost_at_sale` (decimal 14,4, nullable). | | `backend/app/Models/PosSaleLine.php` | `cost_at_sale` in `$fillable` + cast as float. | | `backend/app/Services/Pos/PosService.php` | Writes `cost_at_sale = product->cost_price` on every line at sale time. | | `backend/app/Services/Accounting/Postings/PosSalePoster.php` | Prefers `line.cost_at_sale`, falls back to `product.cost_price` only for legacy sales. | | `backend/app/Services/Accounting/Postings/PosReturnPoster.php` | Looks up the snapshot via `(sale_id, product_id)` — never current product cost. | **Live proof**: sold 1 × CARD-250 at cost 28, raised cost to 35, refunded → inventory restock = 28, COGS reversal = 28. The current 35 is ignored. ### Step 2 — Dine food/beverage COGS split **Problem**: `DineOrderPoster` lumped every recipe component into `cogs.food`. The Restaurant template ships `cogs.beverage` + `inventory.beverage` accounts that were never being used. **Fix**: classify each recipe component, post one COGS leg per non-zero class. | File | Change | |---|---| | `backend/database/migrations/2026_05_05_190001_add_cost_at_sale_and_recipe_class.php` | Adds `recipe_components.class` (string 16, default `'food'`). | | `backend/app/Models/RecipeComponent.php` | `class` in `$fillable`, default `'food'` via `$attributes`. `CLASSES` const enumerates `food`/`beverage`/`other`. | | `backend/app/Http/Controllers/Dine/DineController.php` | `recipesUpsert` validates and persists `class`. | | `backend/app/Services/Accounting/Postings/DineOrderPoster.php` | `computeRecipeCogsByClass()` returns `['food' => X, 'beverage' => Y]`. Each non-zero bucket emits its own DR cogs.X / CR inventory.X pair. `'other'` rolls into food for v1 (Restaurant template has no packaging mapping yet). | **Backward compat**: existing recipes without `class` get the column default `'food'`, so they post identically to before — no data migration needed. ### Step 3 — Restaurant inventory model documented `backend/app/Services/Accounting/Templates/RestaurantTemplate.php` got a docblock spelling out the difference: - **Retail tenants**: inventory = finished goods. Products are bought, stocked, sold AS-IS. POS sales decrement the same product the customer pays for. COGS = `inventory.cogs` against `inventory.asset`. - **Restaurant tenants**: inventory = ingredients consumed through recipes. Menu items are NOT inventoried directly; their recipes reference real Products (buns, syrup, beans). When a Dine order is placed, ingredients are deducted from their products. When the order is paid, COGS splits by component class: - food / other → `cogs.food` / `inventory.ingredients` - beverage → `cogs.beverage` / `inventory.beverage` Implication for accountants: a restaurant's BS "inventory" balance is raw ingredient value, not finished plates. Food and beverage cost on the P&L roll up from recipe consumption. ### Tests added - `PosPostingTest::test_return_reverses_at_original_cost_even_after_price_change` — proves the snapshot wins over current cost. - `DinePostingTest::test_food_only_recipe_posts_to_food_cost_only` - `DinePostingTest::test_beverage_only_recipe_posts_to_beverage_cost_only` - `DinePostingTest::test_mixed_recipe_posts_food_and_beverage_legs_separately` - `DinePostingTest::test_recipe_component_without_explicit_class_defaults_to_food` **Full backend suite: 148 tests, 1587 assertions, all green.** --- ## Phase P1 — Internal Platform Roles & Users (DAL SEEN staff) Goal: replace the single all-powerful `superadmin` gate on the platform cockpit with proper internal roles. Today every DAL SEEN employee who needs to see anything platform-side has to be a superadmin (which also grants impersonation, releases rollback, internal staff CRUD). P1 fixes that without touching merchant flows. ### Schema | File | Change | |---|---| | `backend/database/migrations/2026_05_05_210001_add_is_platform_staff_to_users.php` | `users.is_platform_staff` boolean default `false`, indexed. Backfilled to `true` for `admin@acme.test`. | | `backend/app/Models/User.php` | New column added to `$fillable` and `$casts`. | ### Roles & permissions 5 platform roles total. Tenant roles unchanged. | Role | Sees | Can mutate | |---|---|---| | `superadmin` | * | * (incl. impersonation, releases rollback, **internal staff CRUD**) | | `finance-manager` | Tenants (list), Plans, Billing, Collections, CRM (read), Audit | Plans (write), Billing (refund/credit/remind/auto-hold), Collections (work) | | `finance-employee` | Tenants (list), Billing, Collections, Audit | Invoice remind only, Collections (work) | | `support-agent` | Tenants (list), Support, CRM, Onboarding, Signups, Audit | Tenant message, Tickets (assign/resolve/reply), CRM (write) | | `operations` | Tenants, Signups, Onboarding, Health, Incidents, Releases, Compliance, Pay terminals, Support (read), Audit | Signups (promote/reject), Onboarding (work), Health/Incidents/Releases (act), Pay terminals (write) | 29 new permissions added (full breakdown in `DatabaseSeeder::seedPermissions()`): - Tenants: `create / suspend / reactivate / impersonate / message / export / change_plan` - Signups: `promote / reject` - Onboarding: `work` - Plans: `write` - Support: `assign / resolve / reply` - Billing: `create_invoice / refund / credit / remind / auto_hold` - Collections: `view / work` - Incidents: `create / resolve` · Health: `act` · Releases: `act` · Audit: `export` - CRM: `view / write` - Pay terminals: `write` - **Internal staff: `view / manage`** (only superadmin holds `manage`) ### Middleware | File | Purpose | |---|---| | `backend/app/Http/Middleware/EnsurePlatformStaff.php` | New group gate. Confirms `auth() && is_active && is_platform_staff` (legacy fallback: hasRole superadmin). | | `backend/bootstrap/app.php` | Aliases `'platform' => EnsurePlatformStaff`, `'permission' => Spatie\Permission\Middleware\PermissionMiddleware`. Maps Spatie's `UnauthorizedException` to the canonical `FORBIDDEN` 403 envelope. | | `backend/app/Http/Middleware/EnsureSuperAdmin.php` | Kept (alias `'superadmin'`) for the rare strict routes. | | `backend/app/Support/Mode.php` | `Mode::current()` now treats any `is_platform_staff` user as `platform`/`internal` mode. Superadmins can still flip to `internal` for Internal Product Mode; other platform staff stay on `/platform/*`. | ### Routes `backend/routes/api.php` — every `/platform/*` route now carries a per-action `permission:platform.x.y` middleware on top of the group `platform` gate. ### New controller `backend/app/Http/Controllers/Platform/PlatformStaffController.php` | Endpoint | Method | Permission | |---|---|---| | `/platform/staff` | GET | `platform.staff.view` | | `/platform/staff/_meta/roles` | GET | `platform.staff.view` | | `/platform/staff` | POST | `platform.staff.manage` | | `/platform/staff/{id}` | GET | `platform.staff.view` | | `/platform/staff/{id}` | PATCH | `platform.staff.manage` | | `/platform/staff/{id}/deactivate` | POST | `platform.staff.manage` | | `/platform/staff/{id}/reactivate` | POST | `platform.staff.manage` | | `/platform/staff/{id}/reset-password` | POST | `platform.staff.manage` | Safety rails (all 422 with explicit codes): - `LAST_SUPERADMIN` — refuse to demote / deactivate the only active superadmin. - `SELF_DEACTIVATE` — cannot deactivate your own account. - `SELF_ROLE_CHANGE` — cannot change your own role. - Role allow-list: only `superadmin / finance-manager / finance-employee / support-agent / operations` (no privilege escalation via tenant role names). - Deactivation revokes all Sanctum tokens on the user → existing sessions die immediately. - Reset password also revokes tokens; returns the temp password exactly once. ### Audit Every mutation writes to `platform_audit_log`: - `platform.staff.create` (severity high) - `platform.staff.update` (medium) - `platform.staff.role_change` (high) - `platform.staff.deactivate` (high) - `platform.staff.reactivate` (medium) - `platform.staff.reset_password` (high) ### Backend auth changes - `backend/app/Http/Controllers/Auth/LoginController.php` — `platformLogin` now admits any `is_platform_staff` user (not only superadmin). Same opaque error if the email doesn't qualify, so we don't leak which addresses are platform staff. - `backend/app/Http/Controllers/MeController.php` — `/me` returns `is_platform_staff` so the frontend can render the platform sidebar group for non-superadmin staff. ### Seeder - `DatabaseSeeder::seedPermissions()` extended with 29 new permissions. - `seedRoles()` adds 4 new platform roles with the production matrix above. - `seedUsers()` adds 4 demo platform staff (`finance.manager@dalseen.sa`, `finance@dalseen.sa`, `support@dalseen.sa`, `ops@dalseen.sa`) and flips `admin@acme.test.is_platform_staff = true`. ### Frontend | File | Change | |---|---| | `app/src/modules/platform/StaffPage.jsx` | New page: list, KPIs, role-filter, status-filter, search, edit, deactivate/reactivate, reset password (one-time temp password modal). | | `app/src/modules/platform/_shared/StaffEditorDialog.jsx` | New dialog: create + edit, role dropdown loaded from backend meta, validation surfacing per-field errors, superadmin assignment warning. | | `app/src/modules/platform/platform.api.js` | 8 new `platformApi.*Staff*` methods. | | `app/src/modules/platform/platform.hooks.js` | Hooks: `useStaffList`, `useStaff`, `useStaffRolesMeta`, `useCreateStaff`, `usePatchStaff`, `useDeactivateStaff`, `useReactivateStaff`, `useResetStaffPassword`. | | `app/src/app/App.jsx` | Lazy-mounts `/platform/staff` (gate: `platform.staff.view`). | | `app/src/app/nav.config.jsx` | New sidebar entry "Internal staff" + retargets the existing `/platform/crm` entry to the proper `platform.crm.view` permission. | | `app/src/app/AppShell.jsx` | Platform sidebar group is now visible to any `is_platform_staff` user, not just superadmins. | | `app/src/modules/auth/auth.session.js` | Hydrates `isPlatformStaff` from the backend `/me` payload. | | `app/src/core/session/sessionStore.js` | Stores `isPlatformStaff`; `endImpersonation()` returns non-superadmin platform staff to `platform` mode (not `tenant`). | ### Tests - `tests/Feature/PlatformRolesTest.php` — pins the production permission matrix for all 4 narrow roles (5 cases). - `tests/Feature/PlatformStaffControllerTest.php` — CRUD + safety: list filtering, create+temp-password, role validation, duplicate email, only-superadmin gating, role change audit, last-superadmin protection (demote + deactivate), self-deactivate, deactivate→reactivate round trip, reset password (revokes sessions), 404 for tenant users, roles meta (14 cases). - `tests/Feature/PlatformPermissionGatingTest.php` — end-to-end gate: SA suspends, FM cannot suspend; FE can remind, cannot refund; FM can refund/credit/auto-hold; SU can message, cannot change plan; OP cannot view billing; SA+OP can view releases; tenant users blocked from `/platform/*`; disabled platform user rejected; only SA can manage staff (14 cases). - `tests/TestCase.php` — `actingAsPlatformStaff($role)` helper; `ensurePlatformRoleMatrix()` mirrors the production matrix for tests that need precise role boundaries. **Result: 33 new tests, 136 assertions. Full backend suite: 250 tests, 2028 assertions, all green.** --- ## Phase P2 — Subscription Plans & Entitlements Goal: make plans enforceable, not just descriptive. Plans now define modules, premium features, device caps and add-ons. Every tenant has an immutable history of what plan they were on and when. Branches/users/devices are blocked at the API when over the plan limit. The demo tenant (ACME) bypasses all limits. ### Schema | File | Change | |---|---| | `2026_05_05_220001_extend_subscription_plans.php` | Adds `devices`, `modules` (json), `premium_features` (json), `addons` (json), `is_active`, `is_default`, `sort_order`, `billing_cycle` to `subscription_plans`. | | `2026_05_05_220002_create_tenant_subscriptions_table.php` | New table: `id` (ulid), `company_id`, `plan_id`, `status` (trial/active/overdue/suspended/cancelled), `billing_cycle`, `period_start/end`, `effective_from/to`, snapshots (`limits`, `modules`, `premium_features`, `addons`), `price_*_at_signup`, `changed_by_user_id`, `change_reason`, `note`. Indexed by `(company_id, effective_from)` and `(company_id, effective_to)`. Type-2 SCD pattern. | ### Models - `App\Models\SubscriptionPlan` — full CRUD model, cast to arrays for the JSON columns. - `App\Models\TenantSubscription` — `current()` scope (effective_to IS NULL), relations to `Company`, `SubscriptionPlan` and `User`. - `App\Models\Company::subscriptions()` and `currentSubscription()`. ### Services - `App\Services\Platform\SubscriptionService` - `assignPlan($companyId, $planId, $opts)` — closes the previous open row, opens a new one with limits/modules/features snapshot, syncs the denormalised cache on `companies.plan / status / mrr / max_branches / max_users` inside one DB transaction. Validates plan exists + is_active. - `current($companyId)` / `history($companyId)`. - `setStatus($companyId, $status, $reason, $note)` — for P5 auto-transitions (overdue → suspended). - `App\Services\Platform\Entitlements` - `for($companyId)` — full payload: plan, status, period, limits, usage, modules, premium_features, addons, is_demo. Per-request memoised. Add-on grants stack on base limits. - `hasModule($companyId, $module)`, `hasFeature($companyId, $feature)`, `usage($companyId)`. - Demo tenant short-circuit: any tenant with `slug = Mode::DEMO_SLUG` ('acme') gets unlimited access to everything. - Tenants without an open subscription row also get unlimited access (migration safety). - `App\Services\Platform\LimitEnforcer` - `assertCanCreateBranch / User / Device` → throws `PLAN_LIMIT_EXCEEDED` (422) with `limits`, `usage`, `limit_kind`, `plan` in the error envelope so the UI can render upgrade prompts. - 999 = unlimited convention (matches the existing PlansPage display). ### Middleware - `App\Http\Middleware\EnsureTenantEntitlement` (alias `module:`) - Use as `Route::middleware(['auth:sanctum','tenant','module:accounting'])`. - Throws `MODULE_NOT_ENTITLED` (403) with the missing module + currently-enabled list. Demo tenant + tenants without a subscription pass through. - Wired into the middleware aliases but NOT applied to production module routes yet (intentional: that's a one-line change per route group, deferred to P5 when we also add the auto-suspend / overdue-block logic). ### Endpoints (added) | Method | Path | Permission | Notes | |---|---|---|---| | GET | `/me/entitlements` | (any auth) | Tenant-side: full plan/limits/usage payload. | | GET | `/platform/tenants/{id}/subscription` | `platform.subscriptions.view` | Current subscription + entitlements payload. | | GET | `/platform/tenants/{id}/subscription/history` | `platform.subscriptions.view` | All historical rows newest-first. | ### Endpoints (changed) - `POST /platform/tenants/{id}/plan` — now flows through `SubscriptionService::assignPlan()`. Accepts `plan` (must exist), optional `billing_cycle`, `effective_from`, `change_reason` (upgrade/downgrade/renewal/manual/trial_start/initial/auto_*), `note`. Plan id must be a real plan id (was previously hardcoded enum). - `POST /platform/plans` and `PATCH /platform/plans/{id}` — now accept `devices`, `modules`, `premium_features`, `addons`, `is_active`, `is_default`, `sort_order`, `billing_cycle`. Modules and premium_features are validated against fixed allow-lists. Plan id allows hyphens (`pro-test`). - `DELETE /platform/plans/{id}` — soft-delete (sets `is_active=false`), preserving snapshots for tenants on that plan. - `GET /platform/plans` — uses the model, recomputes live `tenants_count` from open subscription rows, accepts `?include_inactive=1`. - `GET /me` — adds `is_platform_staff` (P1 already) and a new `entitlements` block; intersects the user's module list with the tenant's enabled modules so a starter-plan accountant doesn't see "accounting" in the `modules` array. ### Permissions / roles - New permission: `platform.subscriptions.view`. - Granted to: superadmin, finance-manager, finance-employee, support-agent, operations. - `platform.tenants.change_plan` is **also** granted to finance-manager (was only superadmin in P1). ### Limit enforcement wired into - `BranchController::store` → `assertCanCreateBranch`. - `UserController::store` → `assertCanCreateUser`. - `Common\DeviceController::store` → `assertCanCreateDevice`. - `Platform\PlatformController::issueTerminal` → `assertCanCreateDevice` (combined cap with tenant-side devices). ### Seeder - `seedPlans()` rewritten with the extended structure: - **Starter** — 1 branch / 5 users / 2 devices / modules `[retail, common]` / no premium / 2 addons (extra_branch, extra_user). - **Growth** — 5 / 25 / 10 / `[retail, dine, accounting, common]` / `[multi_branch, advanced_reports]` / 4 addons. - **Enterprise** — 999 / 999 / 999 / all 7 modules / all 7 premium features / no addons. - `backfillTenantSubscriptions()` — runs LAST; gives every existing company an open `tenant_subscriptions` row matching its `companies.plan` and mapped status. Idempotent. ### Frontend | File | Change | |---|---| | `app/src/modules/platform/_shared/PlanEditorDialog.jsx` | Rewritten as a sectioned form: Identity & pricing, Limits (incl. devices), Enabled modules (multi-select pills), Premium features (multi-select pills), Marketing features (textarea), Add-ons (key/name/price + grants per row, add/remove), Visibility (is_active / is_default toggles). | | `app/src/modules/platform/_shared/TenantDetailDrawer.jsx` | Adds a new "Subscription" tab with current sub card (status badge, limits/usage bars, enabled modules) and a chronological history list. PlanChangeDialog now collects billing_cycle + change_reason + note, displays each plan's modules. | | `app/src/modules/platform/platform.api.js` | `tenantSubscription(id)` and `tenantSubscriptionHistory(id)`. | | `app/src/modules/platform/platform.hooks.js` | `useTenantSubscription`, `useTenantSubscriptionHistory`, updated `useChangeTenantPlan` to accept the full body. | | `app/src/modules/owner/EntitlementsCard.jsx` | New tenant-side card showing real plan / status / period / limits-vs-usage bars / enabled modules / premium features. Uses `/me/entitlements`. Shows demo-mode pill for the ACME tenant. | | `app/src/modules/owner/OwnerHomePage.jsx` | Slots `EntitlementsCard` at the top (alongside the existing mock-data card so neither breaks). | | `app/src/modules/auth/auth.api.js` | New `entitlements()` method. | | `app/src/modules/auth/auth.hooks.js` | New `useEntitlements()` hook (30s cache). | ### Tests | File | What it pins down | |---|---| | `TenantSubscriptionTest.php` (7 cases) | Initial assignment captures snapshot; reassign closes previous + opens new; companies cache (plan/mrr/max_*) stays in sync; yearly cycle sets year period and divides yearly price by 12 for mrr; setStatus carries plan through; PLAN_NOT_FOUND / PLAN_INACTIVE error codes. | | `EntitlementsTest.php` (4 cases) | Demo tenant always unlimited; starter only has its modules; addon grants stack on base limits; usage reflects real branch/user/device counts. | | `PlanLimitEnforcementTest.php` (7 cases) | Branch limit blocks the (cap+1)th branch; 999 acts as unlimited; user limit blocks the (cap+1)th user; device limit blocks the (cap+1)th device; platform-issued terminals count against the same cap; demo tenant bypasses even on a tight starter plan; tenant without a subscription passes through. | | `PlatformSubscriptionApiTest.php` (7 cases) | changeTenantPlan records history; rejects unknown plan; GET subscription returns current + entitlements; finance-employee can read but not change; createPlan accepts modules/devices/premium_features/addons; rejects unknown module key; deletePlan is soft-delete and surfaces with `?include_inactive=1`. | | `ModuleEntitlementGateTest.php` (5 cases) | `module:accounting` middleware allows tenants with the module, blocks tenants without it (403 MODULE_NOT_ENTITLED), demo tenant bypasses; /me filters modules by tenant entitlements; /me/entitlements returns the payload. | **Result: 30 new tests, 125 assertions. Full backend suite: 280 tests, 2153 assertions, all green.** --- ## Phase P3 — Platform Billing Goal: real DAL SEEN → tenant invoicing. Generate invoices with proper VAT math, record real payments (full / partial / multiple), keep an outstanding-balance ledger, and let Finance Manager / Employee work the lifecycle without anyone touching SQL. Out of scope (deferred): collections workflow / dunning (P4), platform-side accounting ledger (P6), automatic suspension on overdue (P5). ### Schema | File | Change | |---|---| | `2026_05_05_230001_extend_tenant_invoices.php` | Adds `tenant_subscription_id`, `period_start/end`, `billing_cycle`, `subtotal`, `vat_rate`, `vat_amount`, `total`, `paid_amount`, `refund_amount`, `currency_code`, `notes`, `created_by_user_id`, `cancelled_at`, `cancelled_reason`, `refunded_at`, `subscription_snapshot` (json). Backfills legacy rows: subtotal = total / 1.15, vat = total - subtotal, paid_amount = total when status='paid', renames legacy `pending` → `issued`. | | `2026_05_05_230002_create_tenant_payments_table.php` | New table: `id` (ulid), `tenant_invoice_id` (FK, restrict-on-delete), `company_id`, `amount`, `currency_code`, `method` (bank_transfer/cash/card/wallet/other), `reference_number`, `bank_account`, `received_at` (date), `received_by_user_id` (FK users), `notes`. Indexed by `(company_id, received_at)` and `(tenant_invoice_id)`. | ### Models - `TenantInvoice` extended: full fillable list + casts; `payments()` `hasMany`; `subscription()` `belongsTo`; `createdBy()` `belongsTo`; `outstanding` accessor; `isPayable()` helper. - `TenantPayment` (new): full fillable + casts, `invoice()` / `company()` / `receivedBy()` relations, `METHODS` constant for the allow-list. ### Services - `App\Services\Platform\InvoiceNumberer` - `next($year = null)` — returns the next sequential id (`INV-YYYY-NNNNN`, 5-digit zero-padded). Per-year sequence. Wraps in a DB transaction with `lockForUpdate` for race-safety. - `App\Services\Platform\BillingService` - `createInvoice($companyId, $opts)` — creates a DRAFT invoice. Snapshots the tenant's current subscription (plan_id, billing_cycle, prices, limits, modules, premium features). Defaults: subtotal = current sub price, VAT = 15% (KSA), period = current month / current sub period. - `issue(invoice, $dueAt = null)` — DRAFT → ISSUED. Default 15-day net terms. Rejects with `INVOICE_NOT_DRAFT` if not draft, `INVOICE_ZERO_TOTAL` if total = 0. - `cancel(invoice, $reason = null)` — DRAFT/ISSUED/OVERDUE → CANCELLED. Rejects `INVOICE_HAS_PAYMENTS` if any payments recorded, `INVOICE_NOT_CANCELLABLE` if status is paid/cancelled/refunded. - `refund(invoice, $amount, $reason = null)` — ISSUED/PAID/OVERDUE → REFUNDED. Rejects `INVOICE_NOT_REFUNDABLE` for draft/cancelled, `INVALID_REFUND_AMOUNT` for ≤0, `REFUND_EXCEEDS_TOTAL` if amount > total. - `recordPayment(invoice, $data)` — appends to `tenant_payments`, increments `paid_amount`, flips invoice to `paid` when paid_amount ≥ total (within 1 halala). Rejects `INVOICE_NOT_PAYABLE` (draft/cancelled/refunded), `INVALID_PAYMENT_AMOUNT` (≤0), `OVERPAYMENT` (> remaining), `INVALID_PAYMENT_METHOD` (not in allow-list). - All mutations write to `platform_audit_log` with appropriate severity. ### Endpoints (added) | Method | Path | Permission | |---|---|---| | POST | `/platform/billing` | `platform.billing.create_invoice` | | GET | `/platform/billing/outstanding` | `platform.billing.view` | | POST | `/platform/billing/{id}/issue` | `platform.billing.issue` | | POST | `/platform/billing/{id}/cancel` | `platform.billing.cancel` | | GET | `/platform/billing/{id}/payments` | `platform.billing.view` | | POST | `/platform/billing/{id}/payments` | `platform.billing.record_payment` | | GET | `/platform/tenants/{id}/billing` | `platform.billing.view` | ### Endpoints (changed) - `POST /platform/billing/{id}/refund` — was an audit-only stub; now flows through `BillingService::refund` (real status transition, refund_amount, refunded_at, audit log). - `GET /platform/billing/{id}` — returns the full new shape (subtotal/VAT/total/paid_amount/outstanding/period/billing_cycle/subscription_snapshot/payments). - `GET /platform/billing` (dashboard) — surfaces all the new columns and KPIs. Adds `outstanding_total`, `open_invoices_count`, `paid_30d`, `collection_rate`. ### Permissions added - `platform.billing.issue` — superadmin, finance-manager. - `platform.billing.cancel` — superadmin, finance-manager. - `platform.billing.record_payment` — superadmin, finance-manager, finance-employee. Existing P1 permissions reaffirmed: - `platform.billing.view` — SA, FM, FE. - `platform.billing.create_invoice` — SA, FM. - `platform.billing.refund` / `credit` / `auto_hold` — SA, FM. - `platform.billing.remind` — SA, FM, FE. Operations and Support staff continue to have **no** billing access. ### UI changes | File | Change | |---|---| | `app/src/modules/platform/BillingPage.jsx` | Rebuilt: search + status filter (draft/issued/paid/overdue/cancelled/refunded/all), 6 KPI tiles (MRR, Paid 30d, Outstanding, Overdue, Open invoices, Collection rate), table now shows total + VAT + paid/outstanding split + period + status, "+ New invoice" button gated by `platform.billing.create_invoice`. | | `app/src/modules/platform/_shared/BillingDetailDrawer.jsx` | Rewritten with two tabs: Summary (subtotal/VAT/total/outstanding/period/dates/subscription snapshot) and Payments (list + Record payment button). Action footer is permission- and status-aware: Issue/Cancel for draft, Record/Refund/Cancel/Remind for issued, Refund-only for paid, etc. | | `app/src/modules/platform/_shared/InvoiceCreateDialog.jsx` (new) | Tenant picker + period dates + billing cycle + VAT + optional subtotal override + notes. Reads the tenant's current subscription via `useTenantSubscription` to show the snapshot price hint. | | `app/src/modules/platform/_shared/RecordPaymentDialog.jsx` (new) | Amount (with outstanding hint + client-side guard against overpayment), method dropdown, reference number, bank account, received date, notes. Surfaces backend field errors. | | `app/src/modules/platform/platform.api.js` | Adds `createInvoice`, `issueInvoice`, `cancelInvoice`, `listPayments`, `recordPayment`, `billingOutstanding`, `tenantBilling`. Refund/cancel now take a body. | | `app/src/modules/platform/platform.hooks.js` | Adds `useCreateInvoice`, `useIssueInvoice`, `useCancelInvoice`, `useRecordPayment`, `usePayments`, `useOutstanding`, `useTenantBilling`. Refund hook accepts `reason`. All write hooks invalidate the relevant cache keys. | ### Seeder `seedTenantInvoices()` rewritten to use BillingService: - For each demo tenant: 2 fully-paid prior-month invoices + 1 current-month invoice in a varied state (paid / partial / overdue / freshly issued / extra cancelled). - Run order moved: `seedPlans()` + `backfillTenantSubscriptions()` now run BEFORE `seedTenantInvoices()` so the BillingService can snapshot a real subscription per invoice. - Demo data: 28 invoices created (18 paid, 1 partial, 3 overdue, 1 cancelled) across 9 tenants. ### Tests | File | What it pins down | |---|---| | `BillingServiceTest.php` (14 cases) | Create snapshots subscription + computes 15% VAT correctly; id format is `INV-YYYY-NNNNN`; numberer increments sequentially; issue flips draft→issued + sets due date; issue rejects non-draft; full payment flips status to paid; partial payments keep invoice open until total met; overpayment is rejected; payment on draft/cancelled is rejected; cancel works on draft/issued only when no payments; cancel rejects with payments; refund only on issued/paid/overdue; outstanding accessor handles all states; audit log records all 5 sensitive actions. | | `PlatformBillingApiTest.php` (8 cases) | Full round trip create→issue→record payment via REST; finance-employee can record payment but cannot create; FE cannot cancel or refund; outstanding endpoint returns grouped per-tenant summary with KPIs; tenant-billing endpoint scopes to one tenant; payments list endpoint returns history with totals; validation errors surface as 422 (missing company_id, invalid method, negative refund); support-agent gets 403 on every billing read. | **Result: 22 new tests, 83 assertions. Full backend suite: 302 tests, 2236 assertions, 55.26s. All green.** ### Live verification (curl on `php artisan serve`) | Check | Result | |---|---| | `GET /platform/billing` for SA | 28 invoices; KPIs: MRR=12151, Paid 30d=19699.5, Outstanding=9623.20, Open=9, Collection rate=65%. | | `GET /platform/billing/outstanding` for FE | 9 open / 9623.20 outstanding / 3 overdue; per-tenant top-list shows largest balances first (al-nakheel, dammam-log, qassim-dat, …). | | `POST /platform/billing` for FM (create draft) → `POST /issue` → `POST /payments` × 2 (FE then FM) | Draft id `INV-2026-00029` with total 2288.50; issued with due_at auto-set 15 days out; partial 200 by FE leaves outstanding 2088.50, status=issued; final 2088.50 by FM closes status=paid with paid_at set. | | Permission matrix on key endpoints | `outstanding`: SA/FM/FE 200, OP/SU 403. `POST /billing` (create): SA/FM 201, FE/OP/SU 403. `POST /billing/{id}/payments`: SA/FM/FE 201, OP/SU 403. | | Audit log | Captured `invoice.create`, `invoice.issue`, `invoice.cancel`, `invoice.refund`, `payment.record` rows from the live actions. | ### Remaining gaps for P4 collections (deferred) - **Auto-overdue sweep** — invoices past `due_at` aren't automatically flipped to `status='overdue'` yet. P4 (or a small scheduled job inside P4) will handle this. - **Aging buckets** — outstanding endpoint groups by tenant but doesn't yet bucket by 1-30 / 31-60 / 61-90 / 90+ days past due (P4). - **Collection notes / follow-up date / promise-to-pay date / assignee** — `tenant_invoices.notes` exists for free-text notes, but there's no dedicated `collection_notes` table with workflow state (P4). - **Collection status enum** (`not_started / contacted / promised / escalated / paid / written_off`) — not modelled (P4). - **Bank statement reconciliation** — `tenant_payments.reference_number` + `bank_account` capture the data, but there's no import/match flow (deferred indefinitely; manual entry for now). - **Auto-suspend on overdue** — `companies.status='overdue'` and `'suspended'` exist but no enforcement (P5). - **Premium-feature route gates** — entitlements layer is ready (P2), but no route uses it yet (P5). - **DALSEEN's own books / SaaS revenue recognition** — no journal posting on invoice issuance or payment receipt (P6). - **Recurring billing job** — invoices today are minted manually via `POST /platform/billing` or by the seeder. There's no monthly cron (intentional; can be added in P4 or as a separate small task). - **Invoice PDF rendering / email delivery** — out of scope for P3 (the data model carries everything needed). --- ## Phase P4 — Finance / Collections Goal: a usable, simple collections workflow for DAL SEEN finance. Track which invoices are being chased, by whom, what stage, and surface aging buckets so the team can prioritise. No automation, no notifications — just human workflow. Out of scope: auto-overdue/auto-suspend (P5), email/SMS reminders, premium-feature gates (P5), DAL SEEN's own books (P6). ### Schema | File | Change | |---|---| | `2026_05_05_240001_add_collection_fields_to_tenant_invoices.php` | Adds `collection_status` (string default `not_started`), `follow_up_date`, `promise_to_pay_date`, `assigned_finance_user_id` (FK users, nullOnDelete) on `tenant_invoices`. Indexed `(collection_status, follow_up_date)` + `assigned_finance_user_id`. Backfills paid invoices to `collection_status='paid'`. | | `2026_05_05_240002_create_collection_notes_table.php` | New `collection_notes` table: `id` (ulid), `tenant_invoice_id` (FK cascade), `company_id` (FK cascade), `user_id` (FK users nullOnDelete — null for future system events), `note` (text). Indexed `(tenant_invoice_id, created_at)`. | ### Models - `TenantInvoice` extended: - `COLLECTION_STATUSES` constant. - 4 new `$fillable`s, two new `date` casts. - `assignedTo()` `belongsTo`, `collectionNotes()` `hasMany` newest-first. - `CollectionNote` (new): `invoice()` / `user()` / `company()` relations. ### Service - `App\Services\Platform\CollectionsService` - `updateStatus()` — validates the closed enum; rejects manual `paid` (must come from a real payment); rejects unknown values. Audits `collection.status` (medium) or `collection.write_off` (high). - `setFollowUp()` and `setPromiseToPay()` — settable + clearable. - `assign()` — validates assignee is `is_platform_staff`; idempotent; audits. - `addNote()` — rejects empty notes; creates row; audits. - `bucketFor(invoice)` and `bucketForDays(int)` — pure functions returning `current` / `1_30` / `31_60` / `61_90` / `90_plus`. Carbon 3 safe (uses `abs()` since Carbon 3 returns signed diffs by default). - `agingSummary(rows)` — folds shaped invoice rows into the 5-bucket `{count, outstanding}` map for the dashboard. ### BillingService change `BillingService::recordPayment` now sets `collection_status='paid'` automatically when the payment closes the invoice — except when the invoice was already manually `written_off` (so a manager's decision isn't silently overwritten by a late payment). ### Permissions added (2) - `platform.collections.assign` — finance-manager + superadmin. - `platform.collections.write_off` — finance-manager + superadmin. (P1 perms reaffirmed: `platform.collections.view` and `platform.collections.work` already grant FM, FE.) ### Endpoints (added) | Method | Path | Permission | |---|---|---| | GET | `/platform/collections/queue` | `platform.collections.view` | | PATCH | `/platform/billing/{id}/collection` | `platform.collections.work` (extra `write_off` perm required for that status) | | GET | `/platform/billing/{id}/notes` | `platform.collections.view` | | POST | `/platform/billing/{id}/notes` | `platform.collections.work` | | POST | `/platform/billing/{id}/assign` | `platform.collections.assign` | ### Endpoints (changed) - `GET /platform/billing/outstanding` — KPIs now include `aging` (5 buckets, each with count + outstanding); rows include `collection_status / follow_up_date / promise_to_pay_date / assigned_to / aging_bucket / days_past_due`. - `GET /platform/billing` (dashboard list) and `GET /platform/billing/{id}` — same enrichment so the table can render collection state without follow-up requests. ### UI changes - **BillingPage** — new aging KPI strip (5 cards: current / 1–30 / 31–60 / 61–90 / 90+), each with outstanding amount + invoice count. Table now has 3 new columns: Collection (status badge), Assignee (name/email or "unassigned"), Aging (bucket badge + days past due). - **BillingDetailDrawer** — third tab "Collections": - Status dropdown (FM + FE write; `written_off` only listed for users with `collections.write_off`). - Assignee dropdown sourced from `/platform/staff` (FM only — read-only label for FE). - Follow-up + Promise-to-pay date pickers. - Days-past-due / aging-bucket / outstanding mini-summary. - Notes feed with append-only entries showing author + timestamp; "Add note" composer for users with `collections.work`. ### Seeder `seedTenantInvoices()` now calls `seedCollectionWorkflow()` after creating invoices: - Round-robin assigns 9 open invoices to `finance.manager@dalseen.sa` and `finance@dalseen.sa`. - Sprinkles a realistic mix per tenant (contacted with follow-up + note, promised with promise-to-pay date + note, escalated with note). - Result on `migrate:fresh --seed`: 2 contacted / 2 promised / 2 escalated / 3 not_started. ### Tests | File | Pins down | |---|---| | `CollectionsServiceTest.php` (16 cases) | default status, status transitions audited, no-op same-value, invalid-status rejection, can't manually mark `paid` while invoice unpaid, full payment auto-flips collection→paid, partial payment doesn't, write_off carries high severity, follow_up + promise-to-pay set/clear, assign validates platform staff, assign+unassign audit, add note creates row + audits, empty note rejected, bucket math (5 boundaries), bucket reads invoice due_at, paid invoice → bucket=current. | | `PlatformCollectionsApiTest.php` (10 cases) | FE can update status + dates + inline note via PATCH; FE cannot assign; FM can assign; FE cannot write off; FM can write off and write_off audit captured; SU cannot view/change collection or queue; add+list notes round trip; empty note rejected via API; outstanding endpoint includes aging breakdown (current/1_30/31_60/61_90/90_plus correctly classified); queue filters by status / assignee=me/unassigned/ / bucket. | **Result: 26 new tests, 74 assertions. Full backend suite: 328 tests, 2310 assertions, 56.66s. All green.** ### Live verification (curl on `php artisan serve`) | Check | Result | |---|---| | `GET /platform/billing/outstanding` for FE | 9 open invoices · 9,623.20 SAR outstanding · aging: current=6 (8016.65), 1_30=3 (1606.55), rest 0. | | `GET /platform/collections/queue` for FE | 9 invoices with seeded mix: contacted/promised/escalated/not_started, assigned across FE & FM. | | Round-trip on `INV-2026-00028` | FE PATCH (status=contacted, follow_up=2026-06-15, inline note) → 200 · FE POST standalone note → 200 · GET notes returns both · FM assigns finance@dalseen.sa → 200 (payload shows assignee). | | Permission matrix | `/collections/queue`: SA/FM/FE 200, OP/SU 403. PATCH /collection (status): SA/FM/FE 200, OP/SU 403. PATCH /collection (write_off): SA/FM 200, FE/OP/SU 403. POST /assign: SA/FM 200, FE/OP/SU 403. | | Audit | `collection.assign / follow_up / note / promise / status / write_off` all captured. | ### Remaining gaps before P5 - **Auto-overdue sweep job** — invoices past `due_at` aren't yet auto-flipped from `issued` → `overdue` by a scheduled command. - **Auto-suspend on overdue** — `companies.status` is settable but no middleware blocks tenant requests (P5). - **Premium-feature route gates** — `Entitlements::hasFeature()` ready since P2; no controller uses it yet (P5). - **Reminder automation** — `platform.billing.remind` is still an audit-only stub; no actual email/SMS sent. - **Bank reconciliation import** — payments captured manually; no statement matching. - **Notifications inside the app** — collection status changes don't push to assigned user's notification feed. - **Bulk actions** (bulk-assign, bulk-status) — out of scope; one row at a time today. - **DAL SEEN's own books** — subscription revenue still doesn't post to a GL (P6). --- ## Phase P5 — Subscription Enforcement Goal: connect subscription state, billing aging, and entitlements to real access control. Suspended tenants are blocked from the app. Overdue tenants lose premium modules but keep core POS. Demo tenant and Internal Mode are unaffected. Out of scope (deferred): DAL SEEN's own books (P6), payment automation, email reminders. ### Service + command | File | Purpose | |---|---| | `app/Services/Platform/OverdueSweeperService.php` (new) | Idempotent sweep. Finds invoices `status='issued'` with `due_at < today` AND `total - paid_amount > 0.01`, flips to `overdue`, audits `invoice.overdue` (medium). Then reconciles every affected company: `active → overdue` if any open overdue invoice exists; `overdue → active` if none remain. NEVER touches `suspended / cancelled / trial`. Supports `dryRun=true` for previews. | | `app/Console/Commands/SweepOverdueInvoices.php` (new) | `php artisan billing:sweep-overdue [--dry-run]`. Schedule via `$schedule->command('billing:sweep-overdue')->dailyAt('02:00')` whenever ready. | ### Entitlements payload extension `Entitlements::for($companyId)` now returns an extended shape: ```json { "plan": {...}, "status": "active", "limits": {...}, "usage": {...}, "modules": ["retail","dine","common"], "modules_in_plan": ["retail","dine","accounting","common"], "premium_features": [...], "module_access": { "retail": { "enabled": true, "reason": null, "upgrade_required": false, "is_premium": false }, "dine": { "enabled": true, "reason": null, "upgrade_required": false, "is_premium": false }, "pay": { "enabled": false, "reason": "plan_limit", "upgrade_required": true, "is_premium": true }, "accounting": { "enabled": false, "reason": "overdue", "upgrade_required": false, "is_premium": true }, ... }, "addons": [...], "is_demo": false, "tenant_status": "overdue", "blocked": false, "blocked_reason": null } ``` Two new constants on `Entitlements`: - `PREMIUM_MODULES = ['accounting','pay','hr','ecom']` - `CORE_MODULES = ['retail','dine','common']` When tenant is `overdue`, `modules` is intersected with `CORE_MODULES` so premium ones disappear from the umbrella module list (and `module_access[*].reason = 'overdue'`). When `suspended/cancelled`, `modules` is empty and `blocked=true` with `blocked_reason` set. ### Middleware | File | Purpose | |---|---| | `app/Http/Middleware/EnsureTenantNotSuspended.php` (new) | Group-level gate on the tenant route group. Throws `TENANT_BLOCKED` (403) with `blocked_reason` field for `suspended/cancelled` tenants. **Bypassed for**: demo tenant (slug=acme), impersonation sessions (so ops can recover), tenants without a subscription row. Does NOT touch `/me` or `/me/entitlements` (those live outside the tenant group, so suspended users can still see why they're blocked). | | `app/Http/Middleware/EnsureTenantEntitlement.php` (extended) | Now uses the `module_access` map and emits structured codes: `MODULE_NOT_ENTITLED` (plan_limit, upgrade_required=true), `MODULE_LOCKED_OVERDUE` (settle invoices), `MODULE_LOCKED_SUSPENDED`, `MODULE_LOCKED_CANCELLED`. Error envelope carries `reason`, `upgrade_required`, `enabled_modules`, `tenant_status`. | | `bootstrap/app.php` | New alias `tenant_active` → `EnsureTenantNotSuspended`. | ### Routes wired The tenant route group now reads: ```php Route::middleware(['auth:sanctum', 'tenant', 'tenant_active'])->group(function () { // /me writes, devices, integrations, marketplace, partner inbox, // help, catalog, inventory, suppliers, customers, retail/POS, dine, // branches, RBAC, users — all sit under tenant_active so suspended // tenants are bounced from any of them. Route::middleware('module:pay')->group(function () { /* /pay/* */ }); Route::middleware('module:accounting')->group(function () { /* /accounting/* */ }); Route::middleware('module:hr')->group(function () { /* /hr/* */ }); Route::middleware('module:ecom')->group(function () { /* /ecom/* */ }); }); ``` `/retail/*` (POS), `/dine/*`, `/workflows`, `/notifications`, `/devices/*`, `/catalog/*`, `/inventory/*`, etc. are intentionally NOT inside any `module:` sub-group — they're "core POS" and stay reachable for overdue tenants. ### UI changes - `app/src/modules/owner/EntitlementsCard.jsx` — gains: - **Status banner** at the top of the card: red banner for `blocked` (suspended/cancelled), amber banner for `overdue`. - **Module access grid**: per-module pill (4-column on desktop) showing each of the 7 modules with a green-checked / amber-locked / rose-locked tone, plus an under-pill reason label ("Upgrade required" / "Settle outstanding" / "Account suspended" / etc.). - Demo tenant still shows the "Demo · all modules unlocked" pill so QA isn't confused. ### Audit Two new action types written by the sweeper: - `invoice.overdue` (medium severity) — one row per flipped invoice. - `company.status_change` (medium for overdue, low for back-to-active) — one row per transition. The `EnsureTenantEntitlement` and `EnsureTenantNotSuspended` middleware do NOT audit; they're rejected by the gate on every request, which would flood the log. ### Tests | File | Pins down | |---|---| | `OverdueSweeperServiceTest.php` (10 cases) | marks issued past-due as overdue; ignores future-due, paid, partially-paid-but-still-owed (correctly flipped); active → overdue when any open overdue exists; rolls back overdue → active when none remain; never touches suspended/cancelled/trial; dry-run writes nothing; audit rows written; idempotent. | | `SubscriptionEnforcementTest.php` (13 cases) | /me/entitlements module_access reasons (plan_limit/overdue/suspended); suspended tenant can still read /me + /me/entitlements; suspended/cancelled blocked from /workflows with `TENANT_BLOCKED`; overdue blocked from /accounting, /pay, /hr, /ecom with `MODULE_LOCKED_OVERDUE`; overdue keeps /workflows (core POS proxy); active without module gets `MODULE_NOT_ENTITLED` + `upgrade_required=true`; demo tenant bypasses every gate even when forced into `suspended` status with a tight starter plan; tenant without subscription still admitted (P2 backfill safety). | **Result: 23 new tests, 107 assertions. Full backend suite: 351 tests, 2417 assertions, 59.12s. All green.** ### Live verification (curl on `php artisan serve`) | Check | Result | |---|---| | Demo tenant ACME on enterprise | `is_demo: true`, every module returns 200, `module_access[*].enabled = true`. | | `al-nakheel` active on enterprise | `/accounting/coa` 200, `/pay/charges` 200; `module_access[accounting].enabled = true`. | | `al-nakheel` flipped to overdue | `module_access[accounting]: { enabled: false, reason: overdue }`; `/accounting/coa` → 403 `MODULE_LOCKED_OVERDUE`; `/pay/charges` → 403; `/workflows` (core) → 200; entitlements `blocked: false`. | | `al-nakheel` flipped to suspended | Entitlements `blocked: true, blocked_reason: suspended`; `/me` still 200 (escape hatch); `/workflows` → 403 `TENANT_BLOCKED` with `blocked_reason: suspended`. | | `php artisan billing:sweep-overdue --dry-run` | Idempotent — second run reports zero changes. Captured `invoice.overdue` and `company.status_change` audit rows. | ### Remaining gaps before P6 - **DAL SEEN's own books** — subscription revenue still doesn't post to any GL. The `company_id`-scoped accounting module exists for tenants but DAL SEEN itself has no books (P6). - **Premium-feature route gates** — `Entitlements::hasFeature()` is ready, but no production routes gate by individual feature flag (e.g. `advanced_reports`). The module gate is sufficient for P5; per-feature gating is opt-in for P6+. - **Notification when a tenant is blocked or unblocked** — no in-app notification or email yet. - **Reminder / invoice email automation** — still stubbed (would naturally pair with P6 ledger work). - **Cron registration** — `billing:sweep-overdue` exists but `app/Console/Kernel.php` doesn't register a schedule (intentional; the operator decides when to wire it). - **Tenant write attempts during suspension** — currently blocked with `TENANT_BLOCKED` for ALL routes including PATCH /me, /me/password, /me/branches. This is intentional but worth confirming with finance — they may want users to still be able to change their password while their company is suspended. - **Bulk un-suspend / un-block flow** — only one tenant at a time today via `POST /platform/tenants/{id}/reactivate`. - **Per-feature gating** — modules are blocked en bloc; we don't have routes today that need to check, e.g., `multi_branch` or `advanced_reports` separately. --- ## Phase P6 — Platform Accounting (DAL SEEN's own books) Goal: DAL SEEN gets its own SaaS accounting books — subscription revenue, tenant receivables, VAT payable, payments, refunds, and bad-debt write-offs — completely separate from any merchant tenant's books. Reuses the existing accounting engine (ChartProvisioner, JournalService, account_mappings, journal_entries) but targets a singleton internal company. ### Schema | File | Change | |---|---| | `2026_05_05_250001_add_is_platform_to_companies.php` | Adds `is_platform` boolean (default false, indexed) to `companies`. Exactly one row (slug=`dalseen`) carries `is_platform=true`. | | `app/Models/Company.php` | New `is_platform` cast + `tenants()` query scope to filter out the platform company from every "tenant list" query. | ### New chart template + mapping keys - `app/Services/Accounting/Templates/PlatformTemplate.php` — SaaS chart of accounts: - **1xxx Assets**: 1010 Operating bank, 1020 Cash, 1110 Tenant receivables. - **2xxx Liabilities**: 2210 VAT payable. - **3xxx Equity**: 3000 Owner's capital, 3100 Retained earnings. - **4xxx Income**: 4100 SaaS subscription revenue, 4900 Subscription refunds (contra-revenue, debit-normal). - **5xxx Expense**: 5910 Bad debt expense. - `ChartTemplateRegistry::PLATFORM = 'platform'` constant + `MAP[PLATFORM]` entry. `ALL` (the public iteration list) is left to the four merchant templates so existing tenant-template tests don't pick up PLATFORM. - `AccountingTerms` — 7 new mapping keys (`platform.*`) and bilingual labels for them. Never collide with merchant-side keys. ### Services | File | Purpose | |---|---| | `app/Services/Platform/PlatformAccountingService.php` (new) | Singleton resolver. `companyId()` returns the DAL SEEN platform company id; `isProvisioned()` returns false on fresh installs so the poster can short-circuit cleanly. Per-request memoised. | | `app/Services/Platform/PlatformAccountingPoster.php` (new) | Posts to DAL SEEN's GL via `JournalService::post()`. Four entry points: `postInvoiceIssue`, `postPayment`, `postRefund`, `postWriteOff`. Each is idempotent on `(company_id, source, source_ref)` so re-running the seeder, replaying webhooks, or hitting the same POST twice never double-books. Skips silently when DAL SEEN isn't provisioned. | ### Posting logic | Event | DR | CR | Source / source_ref | |---|---|---|---| | Invoice issued (P3 `BillingService::issue`) | 1110 Tenant receivables (total) | 4100 SaaS revenue (subtotal) + 2210 VAT payable (vat_amount) | `platform_invoice` / `tenant_invoice.id` | | Payment recorded (P3 `BillingService::recordPayment`) | 1010 Bank (or 1020 Cash for `method=cash`) | 1110 Tenant receivables | `platform_payment` / `tenant_payment.id` | | Refund (P3 `BillingService::refund`) | 4900 Refund contra (net) + 2210 VAT (proportional reversal) | 1010 Bank (if paid) OR 1110 AR (if unpaid) | `platform_invoice_refund` / `tenant_invoice.id` | | Write-off (P4 `CollectionsService::updateStatus(written_off)`) | 5910 Bad debt expense | 1110 Tenant receivables | `platform_invoice_writeoff` / `tenant_invoice.id` | Wired into the existing services so every operational event auto-posts: - `BillingService::issue` calls `postInvoiceIssue` after the invoice is saved. - `BillingService::recordPayment` calls `postPayment` inside the same transaction that saved the payment. - `BillingService::refund` calls `postRefund` after the refund is saved. - `CollectionsService::updateStatus($invoice, 'written_off')` calls `postWriteOff`. ### Endpoints (added) All require `platform.accounting.view` (granted to **superadmin + finance-manager only**). | Method | Path | Returns | |---|---|---| | GET | `/platform/accounting/summary` | One-shot KPI tile (subscription revenue, refunds, net, AR, VAT, cash, bad debt). | | GET | `/platform/accounting/trial-balance` | Same shape as tenant trial balance, balanced by construction. | | GET | `/platform/accounting/profit-loss` | Income + expenses + net profit. | | GET | `/platform/accounting/balance-sheet` | Assets / Liabilities / Equity, grouped by type. | | GET | `/platform/accounting/journals` | Recent journal entries, filterable by `?source=`. | | GET | `/platform/accounting/gl/{accountCode}` | Account ledger drill with running balance. | Returns `503 PLATFORM_BOOKS_NOT_PROVISIONED` when DAL SEEN's chart hasn't been seeded. ### Permission added - `platform.accounting.view` — **SA + FM only**. FE / SU / OP and all tenant users get 403. ### Filtering changes (DAL SEEN never appears as a tenant) - `Company` model — new `tenants()` query scope (`where('is_platform', false)`). - `PlatformDashboardController::tenants` — uses `Company::query()->tenants()` for both the list and the KPI rollups (counts, MRR sum). - `DatabaseSeeder::backfillTenantSubscriptions` — skips `is_platform=true` companies. - `LoginController::login` — refuses tenant-side login against an `is_platform=true` company (defence-in-depth; the platform company has no tenant users). - `OverdueSweeperService` — never auto-shifts the platform company's status. ### Frontend | File | Change | |---|---| | `app/src/modules/platform/DalseenBooksPage.jsx` (new) | Full books page: 6-tile KPI strip (subscription revenue, refunds, net, AR, VAT, cash) + bad-debt banner + 4 tabs (P&L, Balance Sheet, Trial Balance, Journals). Period / as-of / source filters per tab. | | `app/src/modules/platform/platform.api.js` | 6 new endpoints: `paSummary`, `paTrialBalance`, `paProfitLoss`, `paBalanceSheet`, `paJournals`, `paGlAccount`. | | `app/src/modules/platform/platform.hooks.js` | 6 matching `useQuery` hooks. | | `app/src/app/App.jsx` | Lazy-mounts `/platform/books` (gated by `platform.accounting.view`). | | `app/src/app/nav.config.jsx` | New "DAL SEEN's books" entry between Billing and Pay terminals. | ### Pre-existing JournalService fix `JournalService::trialBalance` queried `ChartAccount` without bypassing the tenant scope. That was harmless for tenant-side reports (the user's own `company_id` matched), but would return `code: null` for every row when called by platform staff (no `company_id`) reading DAL SEEN's books. Fixed by adding `withoutGlobalScope(TenantScope::class)` to the account lookup. The existing `journal_entries` join still constrains to the right company so cross-tenant leakage is impossible. ### Tests | File | Pins down | |---|---| | `PlatformAccountingPosterTest.php` (12 cases) | PlatformTemplate provisions the expected chart; invoice issue posts DR AR / CR Revenue / CR VAT; payment posts DR Bank / CR AR; cash payment hits cash account, not bank; refund with payments credits bank; refund without payments credits AR; write-off posts bad debt and clears AR; idempotent re-issue and re-payment never double-book; poster skips silently when platform not provisioned; tenant books NEVER receive platform postings; zero-total invoice does not post. | | `PlatformAccountingApiTest.php` (10 cases) | Summary returns top metrics; trial balance is balanced; P&L includes subscription revenue (4100); balance sheet groups by type with AR present; journals endpoint filters by source; GL drill returns running balance; FE/SU/OP and tenant users get 403; 503 with `PLATFORM_BOOKS_NOT_PROVISIONED` when not seeded; DAL SEEN platform company excluded from `/platform/tenants`. | **Result: 22 new tests, 69 assertions. Full backend suite: 373 tests, 2550 assertions, 65.13s. All green.** ### Live verification (curl on `php artisan serve` after `migrate:fresh --seed`) | Check | Result | |---|---| | `GET /platform/accounting/summary` for FM | subscription_revenue=27,492 / refunds=0 / net=27,492 / outstanding_ar=9,623.20 / vat_payable=4,123.80 / cash_in_bank=21,992.60 / bad_debt=0. | | `GET /platform/accounting/trial-balance` | totals: debit=53,608.40 = credit=53,608.40, balanced=true. 4 active accounts (1010, 1110, 2210, 4100). | | `GET /platform/accounting/profit-loss` | income includes 4100 SaaS subscription revenue (27,492); net_profit=27,492. | | `GET /platform/accounting/journals?source=platform_payment` | 19 payment journals listed correctly. | | `GET /platform/accounting/gl/1110` | Tenant receivables ledger with 46 lines (27 issues + 19 payments), running balance ends at 9,623.20. | | Permission gating | SA 200 / FM 200 / FE 403 / OP 403 / SU 403 / Tenant owner 403. | | Tenant separation | ACME owner GET `/accounting/coa` → 200 (24 accounts in ACME's own retail chart), zero leakage. | | `/platform/tenants` excludes DAL SEEN | tenant_count=13 (12 demo merchants + ACME), `contains_dalseen=false`. | | Idempotency | 3 calls to `postInvoiceIssue` for the same invoice → exactly 1 journal entry on DAL SEEN's books. | ### Remaining gaps (post-P6) - **No platform-side cost tracking yet** — DAL SEEN's expenses (engineering payroll, cloud, marketing) need to be entered as manual journals via the existing manual-JE flow on the merchant accounting module, then we'd point that at the platform company. A dedicated `POST /platform/accounting/journals` endpoint with `platform.accounting.post` permission is the natural next addition. - **No period close for DAL SEEN's books** — the platform accounting endpoints don't yet enforce a closed-period guard. Adding `accounting_periods` rows for the platform company (with the existing `PeriodCloseGuard`) is straightforward when finance is ready. - **No VAT return generator for DAL SEEN** — the merchant `vat-returns/generate` endpoint reads from `pos_sales` and `bills`, neither of which apply to DAL SEEN. A platform-specific VAT return that totals `2210 VAT payable` movements is a small follow-up. - **No invoice PDF / email** — invoices still aren't rendered as PDF or sent via email; this is the same gap from P3. - **No automated payouts to ZATCA / banking partners** — the bank/cash side of the books is recorded but moving the actual money out requires manual export. - **Refund proportionality assumes uniform VAT rate** — partial refunds split VAT by the same ratio as the refund, which is correct for KSA's flat 15% but would need rework if any plan ever shipped with mixed VAT rates. - **No multi-currency** — DAL SEEN's books are SAR-only. Cross-border tenants paying in foreign currency would need an FX layer. - **No platform-side accounting reports beyond standard ones** — e.g. ARR build-up, MRR cohort, churn rate. These can be derived from the journal data but aren't surfaced on the dashboard yet. --- ### Older P3 verification snapshot (pre-P4) | Check | Result | |---|---| | `GET /platform/plans` for SA | Returns 3 plans, each with `branches/users/devices/modules/premium_features/addons` populated. | | `GET /platform/tenants/{id}/subscription` for a Growth tenant | Returns current row (`growth, active, monthly, period 2026-05-05 → 2026-06-04`), `limits {5,25,10}`, `usage {0,1,1}`, `modules [retail,dine,accounting,common]`, `premium [multi_branch,advanced_reports]`, `is_demo: false`. | | `POST /platform/tenants/{id}/plan` upgrade to enterprise | 200; history now has 2 rows: `[enterprise, active, upgrade, present]` + `[growth, active, initial, closed]`. | | `GET /platform/tenants/{id}/subscription` for SA, FE; `POST /plan` for OP, FM | SA→200, FE→200, OP→403, FM→200. | | `GET /me/entitlements` for `owner@acme.test` (demo tenant) | `plan: enterprise, is_demo: true, limits {999,999,999}, all 7 modules`. | | Tight starter tenant (1 branch / 5 users / 2 devices) | `LimitEnforcer` wired into BranchController, UserController, DeviceController, and Platform::issueTerminal — verified by `PlanLimitEnforcementTest`. | ### Remaining gaps (intentionally deferred, picked up by P3+) - **Recurring invoice generation** — `tenant_invoices` already exists from earlier work, but no monthly job mints them yet (P3). - **Real payment ingestion** — no `tenant_payments` table; invoices have only a `paid_at` timestamp (P3). - **Collections workflow** — no follow-up tracking, dunning log, assigned finance employee per overdue invoice (P4). - **Auto-suspend on overdue** — `setStatus(..., 'overdue')` and `setStatus(..., 'suspended')` work, but no scheduled job triggers them; no middleware blocks tenant access yet (P5). - **Premium feature enforcement** — `Entitlements::hasFeature()` is ready, but no controllers gate on specific features yet (e.g. "advanced reports" doesn't actually require the feature flag) (P5). - **`module:` middleware on production routes** — wired into the bootstrap as the `module:` alias and tested via a throwaway test route, but not yet applied to `/accounting/*`, `/pay/*`, `/hr/*`, `/ecom/*` (P5 will add it together with the auto-suspend logic). - **Add-ons commerce** — the data model + UI editor support add-ons; choosing them on a tenant subscription is an API field but no UI flow lets a tenant buy one yet (P3). - **DALSEEN's own books** — subscription revenue still doesn't post to a general ledger (P6). ### Live verification (curl on `php artisan serve`) | Endpoint | SA | FM | FE | SU | OP | Tenant | |---|---|---|---|---|---|---| | `GET /platform/tenants` | 200 | 200 | 200 | 200 | 200 | **403** | | `GET /platform/billing` | 200 | 200 | 200 | **403** | **403** | 403 | | `POST /platform/billing/{id}/refund` | 200 | 200 | **403** | **403** | **403** | — | | `POST /platform/tenants/{id}/suspend` | 200 | **403** | **403** | **403** | **403** | — | | `GET /platform/releases` | 200 | **403** | **403** | **403** | 200 | — | | `GET /platform/staff` | 200 | **403** | **403** | **403** | **403** | — | `/me` for `finance.manager@dalseen.sa` returns `mode: platform`, `is_platform_staff: true`, `permissions: [13]` (no tenant.suspend, no impersonate, no staff.manage). Deactivating a user kills their existing tokens (next request → 401) and blocks future logins (`USER_DISABLED`). ### Remaining gaps (intentionally deferred) These are explicitly out of P1 scope and will be picked up in later phases: - **Plan limits enforcement** — branches/users/devices/modules. Today plans are still descriptive (P2). - **Real billing engine** — recurring invoice generation, payment table with method/reference, dunning automation (P3 + P4). - **Subscription enforcement** — `companies.status='overdue'` still doesn't gate tenant access (P5). - **DALSEEN's own books** — platform accounting (P6). - **MFA on platform staff** — currently disabled across the board. - **Granular non-superadmin staff CRUD** — only superadmin can manage staff today, by design. If finance manager should later be allowed to invite finance employees, that's a separate decision. --- ## Stabilization & demo-readiness pass (post-P6) Final pre-demo verification across all six personas + end-to-end flows. ### What got fixed during the pass | Bug | Symptom | Root cause | Fix | |---|---|---|---| | Platform invoice posts to wrong company | DAL SEEN's books showed no movement when an invoice was issued via the HTTP API; `JournalEntry` for `platform_invoice` source landed on ACME (the demo tenant) instead. Tinker-driven posts worked correctly. | `JournalService::post()` resolved `$companyId` as `auth()->user()?->company_id ?? $args['company_id']` — for platform staff bound to ACME (the demo seed), the auth value was non-null and shadowed the explicit DAL SEEN id passed by `PlatformAccountingPoster`. | Inverted the resolution order: `$args['company_id'] ?? auth()->user()?->company_id`. Tenant-side posters that don't pass `company_id` keep working unchanged. Pinned with `PlatformAccountingApiTest::test_http_invoice_issue_posts_to_dalseen_not_to_acting_user_company`. | ### 6-role smoke matrix (verified live, fresh seed, dev server) Representative endpoint × role; cells are HTTP status codes, blank = not applicable. | Endpoint | SA | FM | FE | SU | OP | Tenant | |---|---|---|---|---|---|---| | GET /platform/tenants | 200 | 200 | 200 | 200 | 200 | 403 | | GET /platform/staff | 200 | 403 | 403 | 403 | 403 | 403 | | GET /platform/plans | 200 | 200 | 403 | 403 | 403 | 403 | | GET /platform/billing | 200 | 200 | 200 | 403 | 403 | 403 | | GET /platform/billing/outstanding | 200 | 200 | 200 | 403 | 403 | 403 | | GET /platform/collections/queue | 200 | 200 | 200 | 403 | 403 | 403 | | GET /platform/accounting/summary | 200 | 200 | 403 | 403 | 403 | 403 | | GET /platform/support | 200 | 403 | 403 | 200 | 200 | 403 | | GET /platform/releases | 200 | 403 | 403 | 403 | 200 | 403 | | GET /platform/health | 200 | 403 | 403 | 403 | 200 | 403 | | GET /platform/signups | 200 | 403 | 403 | 200 | 200 | 403 | | GET /platform/crm/pipeline | 200 | 200 | 403 | 200 | 403 | 403 | | POST /platform/tenants/{id}/suspend | 200 | 403 | 403 | 403 | 403 | — | | POST /platform/billing | 201 | 201 | 403 | 403 | 403 | — | | POST /platform/billing/{id}/payments | 201 | 201 | 201 | 403 | 403 | — | | POST /platform/billing/{id}/assign | 200 | 200 | 403 | 403 | 403 | — | Every cell matches its design intent. ### Platform end-to-end (10 sequential live calls, 1 process) 1. SA creates new tenant → `01kqvxzv50kf79ezpsn9cqpqgj` (slug `demo-stab-…`). 2. FM upgrades plan starter → growth → status `active`, modules `[retail, dine, accounting, common]`. 3. FM creates draft invoice → `INV-2026-00029`, subtotal 599 / VAT 89.85 / total 688.85. 4. FM issues invoice → status `issued`, due_at `2026-05-20`. 5. FE records partial payment 200 SAR (bank_transfer) → outstanding 488.85. 6. FE updates collection: status `promised`, follow-up 2026-06-01, promise-to-pay 2026-06-05, note added. 7. Force overdue (set due_at to 5 days ago) + run `billing:sweep-overdue` → invoice flips to `overdue`, company `active → overdue`. 8. DAL SEEN's books delta verified to the halala: - subscription revenue +599 (4100 SaaS subscription revenue) - tenant receivables +488.85 (1110) - cash in bank +200 (1010) - VAT payable +89.85 (2310) 9. Trial balance still balanced: 54,497.25 = 54,497.25. 10. Audit log captured 11 distinct action types: `tenant.create`, `plan.change`, `invoice.create`, `invoice.issue`, `payment.record`, `collection.status`, `collection.note`, `collection.promise`, `collection.follow_up`, `invoice.overdue`, `company.status_change`. ### Tenant end-to-end (separate session, same dev server) | Step | Result | |---|---| | Login `owner@acme.test` workspace=`acme` | OK; mode=`tenant`, modules=8 (incl. premium) | | `/me/entitlements` | `is_demo=true`, `blocked=false`, all modules enabled | | Open POS shift | id=`01kqvy2dw69b9jkx54vycn6852`, opening_cash=500 | | POS sale (Arabic coffee 110 SAR + 15% VAT) | total=126.50, status=completed | | Trial balance after sale | 3,545 → 3,741.50 (delta +196.50, balanced) | | P&L | net_profit=815 (was 775) | | Inventory movements | 8 → 9 rows (POS out-movement created) | | Dine `/dine/menus`, `/dine/orders` | 200 | | `/inventory/overview`, `/workflows`, `/notifications` | 200 | | DAL SEEN's books unchanged after tenant POS sale | rev/AR/bank/vat all identical (perfect separation) | ### Test suite - `php artisan test` → **374 passed (2,555 assertions)**, 65s. - New regression: `PlatformAccountingApiTest::test_http_invoice_issue_posts_to_dalseen_not_to_acting_user_company`. ### What is ready for demo - **Platform cockpit** — Tenants, Plans, Billing, Collections, DAL SEEN's books, Audit, CRM, Health, Releases, Internal Staff. All wired to real APIs, real data, real RBAC. - **All 5 platform roles** — Super Admin / Finance Manager / Finance Employee / Support Agent / Operations behave exactly as designed; no permission leaks. - **Complete subscription lifecycle** — create tenant → assign plan → invoice → issue → record payment → work collection → mark overdue → DAL SEEN's GL captures every movement, all auto-posted, all idempotent, all audited. - **Tenant operational flows** — POS sale, accounting reports, inventory, dashboards, demo data. - **Full bilingual coverage** — every customer-facing screen has en/ar labels. - **Test suite** — 374 passing, including 11 platform-accounting tests and the new HTTP-path regression. - **Demo seed** — single command (`migrate:fresh --seed`) reproduces the entire fixture in ~9s: 13 tenants × 4 templates, 28 invoices, 19 payments, 5 plans, DAL SEEN platform company with 9-account SaaS chart and 46 journals. ### What is risky (works, but be careful) - **POS sale price overrides** — overriding the line price away from the catalog price can produce an unbalanced journal (`JOURNAL_UNBALANCED`) because COGS still uses the catalog cost. Demo at the natural price; don't ad-lib discounts in front of an audience. - **Tenant created via `/platform/tenants`** — the owner user gets created with a placeholder password, not `password123`. If you want to log in as the new tenant's owner during a demo, use the **impersonation** button (Super Admin only) rather than trying to type credentials. - **Idempotency cache** — `IdempotencyDedup` middleware caches non-GET responses for 24h keyed on `(user_id, Idempotency-Key, route)`. The frontend always sends a key, so re-running the same demo flow on the same DB twice in a row may return cached responses. `migrate:fresh --seed` clears it. - **Period close** — there's a `PeriodCloseGuard` that blocks new posts if a fiscal period is closed. Don't close any period live unless you mean it. - **Reseed between demos** — collection state, audit log, and DAL SEEN's books carry across demos. Reset before each presenter takes the stage. - **Browser cache** — if you switched git branches recently, hard refresh + clear `localStorage['dalseen:session:v1']` before demoing, or you'll see stale `/me` payloads. ### What should NOT be demoed yet - **Outbound email / SMS** — invoice issuance does not actually send anything (`/platform/billing/{id}/remind` returns 200 but is a stub). - **Stripe / Mada gateway** — no real payment integration; `record payment` is a manual entry by the finance team. - **Recurring invoice generation** — invoices are created on-demand via `POST /platform/billing`. There is no cron that issues monthly invoices automatically. - **Tenant-portal billing view** — tenants can't see their own DAL SEEN invoices in the tenant UI today. - **MFA / SSO for platform staff** — not implemented. - **Refund-to-card** — refund only updates the invoice + posts a contra journal. There is no money movement back to a payment processor. - **Platform-accounting writes** — no UI button creates a manual journal in DAL SEEN's books; everything is auto-posted from billing events. Trying to write a manual JE has no UI surface. - **Branch-level / consolidation reporting** — `journal_lines.branch_id` exists (Phase F1) but no report or filter consumes it yet. - **Real production environment** — everything runs on SQLite locally. There is no staging/prod target. ### Demo-day artefacts - `DEMO-FLOW.md` — 4 named, scripted demos (Platform, Merchant, Finance, Support) with sign-in, sequence of clicks, and expected one-liner takeaways. --- ## Platform UX cleanup & real-flow verification (post-stabilization) A focused two-track pass: (1) sidebar refactor for clarity, (2) audit + fix the signup / onboarding / provisioning chain so a brand-new merchant can actually go from "I clicked sign up" to "I'm signed in and selling". ### Sidebar refactor Before — 7 groups, 30 items, some duplicated names (e.g. "Plans & Pricing" + "Billing & Plans"), Pay terminals nested under Platform, Workflows + Notifications + Help center cluttering the sidebar: | Group | Items | |---|---| | Platform | Tenants, CRM · CSM, Signups, Onboarding, Plans & Pricing, Billing & Plans, DAL SEEN's books, Pay terminals, Support Desk, System Health, Compliance, Incidents, Releases, Internal staff, Audit Log | | Hub | Dashboard, Workflows, Notifications | | Apps | Retail, Dine, Pay, E-commerce | | Shared | Operations, Merchandise | | Books | Accounting | | People | HR | | Setup | Owner, Marketplace, Integrations, Devices, Roles, Help center | After — 4 groups, 27 visible items, clear separation between platform commerce, platform ops, tenant business, tenant settings: | Group | Items | |---|---| | **Platform** (internal only) | Tenants, CRM, Onboarding, Plans, Billing & Collections, Platform Accounting, Support Desk, Terminals, Internal staff | | **Operations** (internal only) | System Health, Compliance, Incidents, Releases, Audit Log | | **Business** | Dashboard, Retail, Dine, Pay, E-commerce, Inventory / Merchandise, Accounting, HR | | **Settings** | Devices, Roles, Integrations, Marketplace, Owner | Renames and removals: - `CRM · CSM` → `CRM` (the "CSM" was internal jargon) - `Plans & Pricing` + `Billing & Plans` → `Plans` + `Billing & Collections` (no overlap, clear ownership) - `DAL SEEN's books` → `Platform Accounting` (the user-facing label) - `Pay terminals` → `Terminals` - `Operations` (tenant /ops) + `Merchandise` → single `Inventory / Merchandise` under Business - `Hub` group (Dashboard + Workflows + Notifications) collapsed; Dashboard moved to top of Business, Workflows + Notifications accessible via topbar bell + URL - `Help center` removed from sidebar; reachable from the Account menu - `Signups` removed from sidebar but still routable; the Onboarding page header now carries a `Signup queue →` link so platform staff can pivot in one click Files changed: - `app/src/app/nav.config.jsx` — full rewrite, 4 groups, new bilingual labels, new icons where they helped - `app/src/modules/platform/OnboardingPage.jsx` — added the Signup queue link in the header The renderer (`AppShell.jsx`) already filters `platformOnly: true` groups for tenant users, so tenant sessions see only Business + Settings (8 + 5 = 13 items at most, role-gated further by `permission`). ### Signup / onboarding / provisioning audit Audit findings (live HTTP probes, not guesses): | Surface | Before | Status | |---|---|---| | Public `POST /signup` | Frontend `authApi.signup()` called this, backend returned 404 | **Broken contract** | | Platform `GET /platform/signups` | Real DB read from `tenant_signups` | OK | | Platform `POST /platform/signups/{id}/promote` | Set status=`converted` only — no Company, no chart, no subscription, no usable owner password | **Mock — name only** | | Platform `GET /platform/onboarding` | Real DB read from `tenant_onboarding` (7 demo rows) | OK | | Platform `POST /platform/onboarding/{id}/advance` | Bumps `current_step` field; doesn't trigger any provisioning | **Tracker, not action** | | Platform `POST /platform/tenants` (manual create) | Created Company + User. Skipped: business_type, chart of accounts, subscription, HQ branch, usable password (random 24-char unguessable hash), branch attachment | **Half-real** | Concretely: a tenant created via either path (promote OR createTenant) ended up with 0 chart accounts, 0 subscription rows, 0 branches, an owner who could never log in, and no entry in the onboarding workbench. They could not generate an invoice, post a sale, or open a POS shift. ### Fixes A single shared service so promote and create produce identical results — no second code path to drift: | File | Purpose | |---|---| | `app/Services/Platform/TenantProvisioningService.php` (new) | One transactional `provision()` that creates Company + HQ Branch + Owner User (with usable password) + business-owner role + branch attachment + Chart of Accounts + TenantSubscription (Phase P2 row) + onboarding tracker row. Returns the temp password ONCE so platform staff can pass it to the merchant. Includes a `promoteSignup()` shortcut that maps `signup.vertical` → business_type / systems before calling `provision()`. | | `app/Http/Controllers/Auth/SignupController.php` (new) | `POST /signup` (public). Validates business name + email + vertical + readiness flags, generates a sequential `S-NNNN` id, scores readiness, persists to `tenant_signups`. Does NOT create a tenant — promotion is a platform decision. | | `routes/api.php` | Adds public `POST /signup` to the unauthenticated route group | | `database/migrations/2026_05_05_260001_add_company_id_to_tenant_signups.php` (new) | Adds `tenant_signups.company_id` FK so a converted signup links back to its provisioned tenant; UI can now pivot signup → tenant in one click | | `app/Models/TenantSignup.php` | Adds `company_id` to fillable + a `company()` relation | | `app/Http/Controllers/Platform/PlatformController.php::promoteSignup` | Now delegates to `TenantProvisioningService::promoteSignup()`. Validates that the signup isn't already converted/rejected. Returns the full provisioning summary (tenant, owner, branch, subscription, chart, onboarding_id, initial_password) so platform staff have everything in one response. | | `app/Http/Controllers/Platform/PlatformController.php::createTenant` | Now delegates to `TenantProvisioningService::provision()`. Adds `business_type` to the validation rules. Returns the same enriched response shape as promote. | ### After: live verification Single fresh boot, all real HTTP, no mocks: ``` Step 1: anonymous POST /signup → 201 (S-2051, status=pending, score=100) Step 2: SA promotes signup → 200 ✓ tenant id: 01kqvzjg7q6dzs39by37ed3wx6 ✓ tenant slug: mocha-lab ✓ owner email: yara@mochalab.test ✓ HQ branch: HQ ✓ subscription: plan=growth status=active ✓ chart of accts: 27 accounts + 25 mappings ✓ onboarding id: O-FUFH7C7 ✓ initial pwd: welcome-hy097b (plaintext, returned ONCE) Step 3: signup row linked back → signup.company_id set ✓ Step 4: owner logs in with temp password → 200, branches=1 Step 5: /me/entitlements → modules=[retail,dine,accounting,common] Step 6: POS shift open at HQ → 200, opening_cash=500 Step 7: trial balance → balanced (chart provisioned) Step 8: DALSEEN-side invoice for new tenant → posts to DAL SEEN's GL ✓ ``` A brand-new merchant goes from `POST /signup` → `POS shift open` in 6 real HTTP calls. ### Tests - 5 new tests in `TenantProvisioningTest`: - `test_public_signup_endpoint_persists_a_signup_row` - `test_signup_endpoint_validates_required_fields` - `test_promote_signup_provisions_a_real_tenant_end_to_end` (every artefact + owner-can-log-in) - `test_promoting_an_already_converted_signup_fails_cleanly` - `test_create_tenant_endpoint_now_provisions_chart_subscription_branch_and_password` - Updated 2 existing tests in `PlatformAuditFixesTest` to seed a plan (createTenant now provisions a subscription, which requires the plan to exist). - Full suite: **379 passed (2,602 assertions)**, 70s. ### Remaining gaps (intentionally out of scope) - **Email delivery** — the temp password is shown to the platform staff who promoted the signup, but no email is sent to the owner. Promote handlers should optionally trigger a welcome email; deferred until the email infra phase. - **Onboarding workflow actions** — the onboarding tracker still treats `verify_cr`, `verify_vat`, `data_import`, `team_invite`, `first_invoice`, `go_live` as named milestones. `advance` only bumps the marker forward; it doesn't run KYC, send invites, generate invoices, or flip company status. Platform staff should still drive those side-effects from the dedicated screens (Tenants drawer, Billing page, etc.) and use Onboarding as a tracker. - **Public signup form** — the `POST /signup` endpoint exists, but the marketing-site landing page that posts to it lives outside this codebase and is not in scope. - **Internal staff in sidebar** — kept under Platform even though the user's spec didn't list it, because removing it would leave Super Admin with no UI to manage internal users. - **Signups link** — moved from the sidebar into the Onboarding page header. Per-row "Open in Onboarding" / "View signup" pivots are not yet wired (acceptable, both queues live one click apart). --- ## Forced password change on first login Small follow-up after the tenant-provisioning work. Newly provisioned merchant owners and newly created platform staff receive a temp password (`welcome-xxxxxx` or 14-char alphanumeric); they can now log in but the entire app is gated until they replace it. ### Backend | File | Change | |---|---| | `database/migrations/2026_05_05_270001_add_must_change_password_to_users.php` (new) | Adds `users.must_change_password` boolean (default false, indexed since the middleware reads it on every authenticated request). | | `app/Models/User.php` | Adds `must_change_password` to `$fillable` + boolean cast. | | `app/Services/Platform/TenantProvisioningService.php` | Sets `must_change_password = true` on the freshly-created owner. | | `app/Http/Controllers/Platform/PlatformStaffController.php` | Sets `must_change_password = true` on `store()` (new staff) and re-arms it on `resetPassword()` (so post-reset the user is forced to change again). | | `app/Http/Middleware/EnsurePasswordChanged.php` (new) | The gate. No-op when no auth user OR `must_change_password = false`. Otherwise allowlists exactly three paths: `api/v1/me`, `api/v1/me/password`, `api/v1/auth/logout`. Everything else → 403 `PASSWORD_CHANGE_REQUIRED` with `allowed_paths` echoed in the error envelope. | | `bootstrap/app.php` | Registers the `password_changed` alias and appends the middleware to the global `api` group so every authenticated request is checked once. | | `app/Http/Controllers/MeController.php::changePassword` | Clears the flag on success — symmetric with where it was set. | | `app/Http/Controllers/MeController.php::show` | Surfaces `must_change_password` on `/me` so the SPA can route the user to the change-password screen without a second roundtrip. | | `app/Http/Controllers/Auth/LoginController.php` | Exposes `user.must_change_password` on `/auth/login`, `/platform/auth/login`, and `/auth/mfa` so the SPA picks it up immediately, before the next `/me` arrives. | ### Frontend | File | Change | |---|---| | `app/src/modules/auth/auth.session.js` | `toSessionPayload` now extracts `mustChangePassword` from both login and `/me` shapes. | | `app/src/core/session/sessionStore.js` | Adds `mustChangePassword` to default session shape + `partialize` (so it persists across reloads). | | `app/src/app/App.jsx` | Hydrates `mustChangePassword` into the session store on every `/me` response. | | `app/src/modules/auth/ProtectedRoute.jsx` | The SPA mirror of the backend gate. When `mustChangePassword` is true, redirects every protected route to `/account/password` (allowlist: `/account` + `/account/password` so the change-password page itself is reachable). | | `app/src/modules/auth/ChangePasswordPage.jsx` | Clears the SPA flag on success so the user can navigate immediately, and renders a small "Action required — temporary password" banner explaining why they're stuck on this screen. | ### Live verification (real HTTP) ``` Step 1: signup + SA promote → tenant + initial_pwd=welcome-xxxxxx Step 2: owner logs in → 200, response carries must_change_password=true Step 3: gated routes → 403 PASSWORD_CHANGE_REQUIRED everywhere except /me GET /me → 200 (allowed) GET /me/branches → 403 (gated) GET /me/entitlements → 403 (gated) GET /accounting/.../trial-balance → 403 (gated) POST /pos/shifts/open → 403 (gated) Step 4: POST /me/password → 204 Step 5: gate lifts → /me must_change_password=false GET /me/branches → 200 GET /me/entitlements → 200 Step 6: re-login with new pwd → 200, must_change_password stays false Step 7: pre-existing owner@acme → unaffected, all routes 200 ``` Error envelope on a blocked route: ```json { "error": { "code": "PASSWORD_CHANGE_REQUIRED", "message_en": "You must change your temporary password before continuing.", "message_ar": "يجب تغيير كلمة المرور المؤقتة قبل المتابعة.", "fields": { "allowed_paths": ["api/v1/me", "api/v1/me/password", "api/v1/auth/logout"] } } } ``` ### Tests 8 new tests in `ForcedPasswordChangeTest`: - `login response carries must change password true for temp password owners` - `me endpoint is reachable while must change password is true` - `logout is reachable while must change password is true` - `change password endpoint is reachable while flag is true` - `other routes are blocked while flag is true` (both tenant + platform routes) - `successful password change clears the flag and unblocks other routes` - `existing users without the flag are not affected` (regression guard for the 387 prior passing tests) - `temp password paths set the flag` (TenantProvisioningService + PlatformStaffController.store + .resetPassword) Plus 1 small fix in `PlatformStaffControllerTest::cannot_deactivate_last_superadmin`: the existing test creates a fresh staff user via the API (which now correctly sets the flag) and acts as them. Cleared `must_change_password` explicitly so the test isolates the safety rail it's actually about. Full suite: **387 passed (2,628 assertions)**, 66s. ### Notes & gaps - **Email** is still not sent. Temp passwords are returned exactly once in the create / promote / reset response and shown to the platform staff member who took the action. Out-of-band hand-off until the email infra phase. - **Strength rules** stay at the existing `Password::min(8)` + `confirmed`. We did not raise this in this pass. - **Token rotation on password change** is not part of this pass — the user keeps their existing token (just unblocks the rest of the app). Reset-on-password-change can be a separate, larger session-management pass. - **MFA** for platform staff is still off across the board (carried over from P1 — same as before this pass). --- ## Phase 1 — Tax invoice (PDF) Saudi-style tax invoices generated as real PDFs, on demand, from stored numbers. ### Library `barryvdh/laravel-dompdf` ^3.1 (DomPDF). Pure PHP, no native binaries. Default font is `DejaVu Sans` (DomPDF bundles it) — covers Latin and the Arabic glyphs we use in the bilingual headers without extra setup. ### Files | File | Purpose | |---|---| | `composer.json` + `composer.lock` | Adds `barryvdh/laravel-dompdf:^3.1`. | | `app/Services/Invoices/InvoicePdfService.php` *(new)* | One service rendering BOTH platform invoices (`renderTenantInvoice` / `previewTenantInvoiceHtml`) and POS sales (`renderPosSale` / `previewPosSaleHtml`). Reads stored values only — no recalculation. Builds a Saudi ZATCA Phase 1 simplified e-invoice TLV payload (seller, VAT, timestamp, total, VAT total) and base64-encodes it for the QR placeholder. | | `resources/views/invoices/tax-invoice.blade.php` *(new)* | Single bilingual blade template shared by platform invoices and POS receipts. Section blocks: header (title + invoice meta + status badge), parties (issuer / customer with VAT, CR, address), line items table, totals box (subtotal, VAT with stored rate, total, plus paid + outstanding for platform invoices), QR placeholder + ZATCA caption, footer. CSS lives inline in `