# Validation Report: URS-005

**Title:** Prevent Uncertified Reps from Creating Orders
**Date:** 2026-04-21T05:56:54.462Z
**Duration:** 92.2s
**Overall Status:** ✅ PASS

## Environment

- **Inbox URL:** http://localhost:61056
- **Database:** localhost:61057/cc_repinbox_dev

## Setup

Status: ✅ PASS

## Test Steps

Each step below corresponds to one Playwright test that ran sequentially. Screenshots and video recordings provide visual evidence of the UI behaviour.

### 1. Step 1: Uncertified rep blocked — ✅ PASS

**What this step proves:**

Proves the system correctly prevents an uncertified representative from creating orders. Ryan Delauintana has no active manufacturer approval, so the bill-only order creation form displays a "Manufacturer Approval Required" warning and presents no selectable manufacturers. The same block appears on both the /billing/new and /orders/requests/new routes, confirming the enforcement is applied consistently across order entry points.

**Audit events generated by this step:**

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-21 05:56:56Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-21 05:57:14Z | user_log | user:login | bob.kauffman@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-21 05:57:28Z | user_log | user:login | mark.manufacturer@zurimed.com | ZuriMED | — |
| 2026-04-21 05:57:52Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |

**Screenshots:**

![step 01 ryan logged in](screenshots/step-01-ryan-logged-in.png)

![step 01 order blocked](screenshots/step-01-order-blocked.png)

![step 01 order request blocked](screenshots/step-01-order-request-blocked.png)

---

### 2. Step 2: Certified rep control — ✅ PASS

**What this step proves:**

Control condition confirming that the blocking behavior is targeted at uncertified reps only. Bob Kauffman, whose representation relationship is active, can access the order creation form without any approval warning. The form auto-advances to Step 2 with ZuriMED pre-selected. This eliminates the possibility that the block in Step 1 is a general UI defect.

**Audit events generated by this step:**

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-21 05:56:56Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-21 05:57:14Z | user_log | user:login | bob.kauffman@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-21 05:57:28Z | user_log | user:login | mark.manufacturer@zurimed.com | ZuriMED | — |
| 2026-04-21 05:57:52Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |

**Screenshots:**

![step 02 bob logged in](screenshots/step-02-bob-logged-in.png)

![step 02 order form accessible](screenshots/step-02-order-form-accessible.png)

---

### 3. Step 3: Manufacturer approval — ✅ PASS

**What this step proves:**

The ZuriMED manufacturer user (Mark) navigates to Ryan's representative detail page, confirms the status shows "Pending Approval", and clicks the "Approve Representative" button. After submission the status badge updates to "Active", demonstrating that the approval workflow functions end-to-end and transitions the relationship to the certified state required for order creation.

**Audit events generated by this step:**

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-21 05:57:40Z | user_log | rep_onboarding_request_approved | mark.manufacturer@zurimed.com | ZuriMED | — |

**Screenshots:**

![step 03 mark logged in](screenshots/step-03-mark-logged-in.png)

![step 03 ryan pending status](screenshots/step-03-ryan-pending-status.png)

![step 03 approval dialog](screenshots/step-03-approval-dialog.png)

![step 03 ryan active status](screenshots/step-03-ryan-active-status.png)

---

### 4. Step 4: Certified order creation — ✅ PASS

**What this step proves:**

Validates that the now-approved representative can create and submit a bill-only order without restriction. Ryan logs in after certification, accesses /billing/new without any approval warning, selects an account, adds a product with lot number, and successfully submits the order. The system redirects to /billing, confirming the requirement gate is lifted after manufacturer approval.

**Audit events generated by this step:**

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-21 05:58:21Z | decision | bill_only_order.enqueue_upload_classification | ryan.delauintana@stellartech.com | ZuriMED | no |

**Screenshots:**

![step 04 ryan logged in certified](screenshots/step-04-ryan-logged-in-certified.png)

![step 04 form accessible](screenshots/step-04-form-accessible.png)

![step 04 account selected](screenshots/step-04-account-selected.png)

![step 04 devices selected](screenshots/step-04-devices-selected.png)

![step 04 documents](screenshots/step-04-documents.png)

![step 04 review](screenshots/step-04-review.png)

![step 04 order submitted](screenshots/step-04-order-submitted.png)

---

## Database Validations

The following SQL queries ran against the application database after the Playwright scenarios completed. Each query asserts a specific condition that proves the feature under test persisted its data correctly.

### Ryan relationship now active — ✅ PASS

**Assertion:** Ryan's representation relationship should be active after manufacturer approval

```sql
SELECT id, status, active, responded_at, responded_by_user_id
FROM organization_representation_relationships
WHERE id = $1
```

| id | status | active | responded_at | responded_by_user_id |
| --- | --- | --- | --- | --- |
| 95d6e7f8-a9b0-1234-9012-345678901234 | active | true | Tue Apr 21 2026 00:57:40 GMT-0500 (Central Daylight Time) | d4e5f6a7-b8c9-0123-def1-234567890123 |

### Bob relationship still active (control) — ✅ PASS

**Assertion:** Bob's active flag should remain true and unaffected by Ryan's approval flow

```sql
SELECT id, status, active
FROM organization_representation_relationships
WHERE id = $1
```

| id | status | active |
| --- | --- | --- |
| 84c5d6e7-f8a9-0123-8901-234567890123 | proposed_pending_onboarding | true |

### Status change history recorded — ✅ PASS

**Assertion:** Status change to "active" should be recorded in history table

```sql
SELECT id, to_status, from_status, changed_by_user_id, created_at
FROM organization_representation_request_status_changes
WHERE relationship_id = $1
  AND created_at > NOW() - INTERVAL '30 minutes'
ORDER BY created_at DESC
LIMIT 5
```

| id | to_status | from_status | changed_by_user_id | created_at |
| --- | --- | --- | --- | --- |
| 019dae9d-a76a-7c0a-bfbc-cd4caccb59b0 | active | proposed | d4e5f6a7-b8c9-0123-def1-234567890123 | Tue Apr 21 2026 00:57:40 GMT-0500 (Central Daylight Time) |

### Billing order created by Ryan after certification — ✅ PASS

**Assertion:** At least one billing order should have been created by Ryan after being certified

```sql
SELECT bo.id, bo.order_number, bo.status, bo.created_at, bo.created_by_user_id
FROM billing_orders bo
WHERE bo.created_by_user_id = $1
  AND bo.created_at > NOW() - INTERVAL '30 minutes'
ORDER BY bo.created_at DESC
LIMIT 5
```

| id | order_number | status | created_at | created_by_user_id |
| --- | --- | --- | --- | --- |
| 019dae9e-446a-78c2-87d9-1c3aad356e87 | BO-1 | submitted | Tue Apr 21 2026 00:58:21 GMT-0500 (Central Daylight Time) | 28c9d0e1-f2a3-4567-2345-678901234567 |

### Audit trail for representative approval — ✅ PASS

**Assertion:** Audit/decision events should exist referencing Ryan after the approval action

```sql
SELECT ae.id, ae.event_type, ae.action, ae.created_at, ae.user_id, ae.object_id,
       substring(ae.payload::text, 1, 500) as payload_preview
FROM audit_events ae
WHERE ae.created_at > NOW() - INTERVAL '30 minutes'
  AND (ae.object_id = $1 OR ae.object_id = $2)
ORDER BY ae.created_at DESC
LIMIT 10
```

| id | event_type | action | created_at | user_id | object_id | payload_preview |
| --- | --- | --- | --- | --- | --- | --- |
| 019dae9d-a76b-73f3-9c81-4352ec9332e4 | user_log | rep_onboarding_request_approved | Tue Apr 21 2026 00:57:40 GMT-0500 (Central Daylight Time) | d4e5f6a7-b8c9-0123-def1-234567890123 | 95d6e7f8-a9b0-1234-9012-345678901234 | {"userId": "28c9d0e1-f2a3-4567-2345-678901234567", "userName": "Ryan Delauintana", "userEmail": "ryan.delauintana@stellartech.com", "distributorOrganizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "manufacturerOrganizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"} |

## Audit Log Events

This section lists every row written to `audit_events` while this test was running (scoped to the demo organizations). It provides compliance evidence that user actions are traced end-to-end (URS-003).

**Capture window start:** 2026-04-21T05:56:52.491Z

<details><summary>Query used to capture events</summary>

```sql
SELECT
    ae.created_at,
    ae.event_type,
    ae.action,
    ae.user_id,
    u.email AS user_email,
    ae.organization_id,
    o.name AS organization_name,
    ae.object_id,
    ae.secondary_object_id,
    ae.payload,
    ae.route,
    ae.trace_id
FROM audit_events ae
LEFT JOIN users u ON u.id = ae.user_id
LEFT JOIN organizations o ON o.id = ae.organization_id
WHERE ae.created_at >= $1
  AND ae.organization_id = ANY($2::uuid[])
ORDER BY ae.created_at ASC
```
</details>

6 event(s) captured:

| Time | Type | Action | User | Org | Object ID | Performed | Reason |
|------|------|--------|------|-----|-----------|-----------|--------|
| 2026-04-21 05:56:56Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — | — |  |
| 2026-04-21 05:57:14Z | user_log | user:login | bob.kauffman@stellartech.com | StellarTech Medical Solutions | — | — |  |
| 2026-04-21 05:57:28Z | user_log | user:login | mark.manufacturer@zurimed.com | ZuriMED | — | — |  |
| 2026-04-21 05:57:40Z | user_log | rep_onboarding_request_approved | mark.manufacturer@zurimed.com | ZuriMED | 95d6e7f8-a9b0-1234-9012-345678901234 | — |  |
| 2026-04-21 05:57:52Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — | — |  |
| 2026-04-21 05:58:21Z | decision | bill_only_order.enqueue_upload_classification | ryan.delauintana@stellartech.com | ZuriMED | 019dae9e-446a-78c2-87d9-1c3aad356e87 | no | No uploaded PO documents |

## Video Evidence

Screencast recordings capture the full browser session for each test step, including annotated chapter overlays that identify what is being tested.

- [videos/step-01-uncertified-blocked.webm](videos/step-01-uncertified-blocked.webm)
