# Validation Report: URS-005

**Title:** Prevent Uncertified Reps from Creating Orders
**Date:** 2026-04-23T03:34:49.115Z
**Duration:** 96.7s
**Overall Status:** ✅ PASS

## User Requirement

> The system shall prevent uncertified reps from creating orders until approved. (Repeating with URS-055)

*Source: `User_Requirement_Specifications_ZuriMED_DeviceFlow.xlsx` — the run below proves the system meets this requirement.*

## Environment

- **Inbox URL:** http://localhost:62143
- **Database:** localhost:62144/cc_repinbox_dev

## Setup

Status: ✅ PASS

## Test Steps

Each step below corresponds to one Playwright test that ran sequentially. Screenshots and video recordings provide visual evidence of the UI behaviour.

### 1. Step 1: Uncertified rep blocked — ✅ PASS

**What this step proves:**

Proves the system correctly prevents an uncertified representative from creating orders. Ryan Delauintana has no active manufacturer approval, so the bill-only order creation form displays a "Manufacturer Approval Required" warning and presents no selectable manufacturers. The same block appears on both the /billing/new and /orders/requests/new routes, confirming the enforcement is applied consistently across order entry points.

**Audit events generated by this step:**

*(Evidence matched by declared name — step timing not available or no events fell in window)*

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-23 03:34:51Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-23 03:35:09Z | user_log | user:login | bob.kauffman@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-23 03:35:24Z | user_log | user:login | mark.manufacturer@zurimed.com | ZuriMED | — |
| 2026-04-23 03:35:49Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |

**Screenshots:**

![step 01 ryan logged in](screenshots/step-01-ryan-logged-in.png)

![step 01 order blocked](screenshots/step-01-order-blocked.png)

![step 01 order request blocked](screenshots/step-01-order-request-blocked.png)

**Video recording:**

[▶ Watch step recording](videos/step-01-uncertified-blocked.webm)

---

### 2. Step 2: Certified rep control — ✅ PASS

**What this step proves:**

Control condition confirming that the blocking behavior is targeted at uncertified reps only. Bob Kauffman, whose representation relationship is active, can access the order creation form without any approval warning. The form auto-advances to Step 2 with ZuriMED pre-selected. This eliminates the possibility that the block in Step 1 is a general UI defect.

**Audit events generated by this step:**

*(Evidence matched by declared name — step timing not available or no events fell in window)*

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-23 03:34:51Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-23 03:35:09Z | user_log | user:login | bob.kauffman@stellartech.com | StellarTech Medical Solutions | — |
| 2026-04-23 03:35:24Z | user_log | user:login | mark.manufacturer@zurimed.com | ZuriMED | — |
| 2026-04-23 03:35:49Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — |

**Screenshots:**

![step 02 bob logged in](screenshots/step-02-bob-logged-in.png)

![step 02 order form accessible](screenshots/step-02-order-form-accessible.png)

**Video recording:**

[▶ Watch step recording](videos/step-02-certified-control.webm)

---

### 3. Step 3: Manufacturer approval — ✅ PASS

**What this step proves:**

The ZuriMED manufacturer user (Mark) navigates to Ryan's representative detail page, confirms the status shows "Pending Approval", and clicks the "Approve Representative" button. After submission the status badge updates to "Active", demonstrating that the approval workflow functions end-to-end and transitions the relationship to the certified state required for order creation.

**Audit events generated by this step:**

*(Evidence scoped to step execution window: 2026-04-23T03:35:27.049Z → 2026-04-23T03:35:44.423Z)*

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-23 03:35:37Z | user_log | rep_onboarding_request_approved | mark.manufacturer@zurimed.com | ZuriMED | — |
| 2026-04-23 03:35:37Z | transactional_email | rep_created | — | StellarTech Medical Solutions | — |

**Emails triggered by this step:**

*(Evidence matched by declared name — step timing not available or no events fell in window)*

**Email 1: Representative Account Approved - ZuriMED**

Template: `Representative_Account_Approved_-_ZuriMED`

![Representative Account Approved - ZuriMED](screenshots/emails/2026-04-23T03-35-37-113Z-Representative_Account_Approved_-_ZuriMED.png)

**Screenshots:**

![step 03 mark logged in](screenshots/step-03-mark-logged-in.png)

![step 03 ryan pending status](screenshots/step-03-ryan-pending-status.png)

![step 03 approval dialog](screenshots/step-03-approval-dialog.png)

![step 03 ryan active status](screenshots/step-03-ryan-active-status.png)

**Video recording:**

[▶ Watch step recording](videos/step-03-manufacturer-approval.webm)

---

### 4. Step 4: Certified order creation — ✅ PASS

**What this step proves:**

Validates that the now-approved representative can create and submit a bill-only order without restriction. Ryan logs in after certification, accesses /billing/new without any approval warning, selects an account, adds a product with a lot number, and successfully submits the order. The system redirects to /billing, confirming the requirement gate is lifted after manufacturer approval.

**Audit events generated by this step:**

*(Evidence scoped to step execution window: 2026-04-23T03:35:51.890Z → 2026-04-23T03:36:23.715Z)*

| Time | Type | Action | User | Org | Performed |
|------|------|--------|------|-----|-----------|
| 2026-04-23 03:36:18Z | decision | bill_only_order.enqueue_upload_classification | ryan.delauintana@stellartech.com | ZuriMED | no |
| 2026-04-23 03:36:19Z | transactional_email | new_bill_only | — | StellarTech Medical Solutions | — |

**Emails triggered by this step:**

*(Evidence matched by declared name — step timing not available or no events fell in window)*

**Email 1: New Bill-Only Order - 4/22/2026 - ZuriMED BO-1**

Template: `New_Bill-Only_Order_-_4_22_2026_-_ZuriMED_BO-1`

![New Bill-Only Order - 4/22/2026 - ZuriMED BO-1](screenshots/emails/2026-04-23T03-36-19-949Z-New_Bill-Only_Order_-_4_22_2026_-_ZuriMED_BO-1.png)

**Screenshots:**

![step 04 ryan logged in certified](screenshots/step-04-ryan-logged-in-certified.png)

![step 04 form accessible](screenshots/step-04-form-accessible.png)

![step 04 account selected](screenshots/step-04-account-selected.png)

![step 04 devices selected](screenshots/step-04-devices-selected.png)

![step 04 documents](screenshots/step-04-documents.png)

![step 04 review](screenshots/step-04-review.png)

![step 04 order submitted](screenshots/step-04-order-submitted.png)

**Video recording:**

[▶ Watch step recording](videos/step-04-certified-order.webm)

---

## Database Validations

The following SQL queries ran against the application database after the Playwright scenarios completed. Each query asserts a specific condition that proves the feature under test persisted its data correctly.

### Ryan relationship now active — ✅ PASS

**Assertion:** Ryan's representation relationship should be active after manufacturer approval

```sql
SELECT id, status, active, responded_at, responded_by_user_id
FROM organization_representation_relationships
WHERE id = $1
```

| id | status | active | responded_at | responded_by_user_id |
| --- | --- | --- | --- | --- |
| 95d6e7f8-a9b0-1234-9012-345678901234 | active | true | 2026-04-23T03:35:37.093Z | d4e5f6a7-b8c9-0123-def1-234567890123 |

### Bob relationship still active (control) — ✅ PASS

**Assertion:** Bob's active flag should remain true and unaffected by Ryan's approval flow

```sql
SELECT id, status, active
FROM organization_representation_relationships
WHERE id = $1
```

| id | status | active |
| --- | --- | --- |
| 84c5d6e7-f8a9-0123-8901-234567890123 | proposed_pending_onboarding | true |

### Status change history recorded — ✅ PASS

**Assertion:** Status change to "active" should be recorded in history table

```sql
SELECT id, to_status, from_status, changed_by_user_id, created_at
FROM organization_representation_request_status_changes
WHERE relationship_id = $1
  AND created_at > NOW() - INTERVAL '30 minutes'
ORDER BY created_at DESC
LIMIT 5
```

| id | to_status | from_status | changed_by_user_id | created_at |
| --- | --- | --- | --- | --- |
| 019db868-4f86-7292-a477-8b69a3d4bd55 | active | proposed | d4e5f6a7-b8c9-0123-def1-234567890123 | 2026-04-23T03:35:37.053Z |

### Billing order created by Ryan after certification — ✅ PASS

**Assertion:** At least one billing order should have been created by Ryan after being certified

```sql
SELECT bo.id, bo.order_number, bo.status, bo.created_at, bo.created_by_user_id
FROM billing_orders bo
WHERE bo.created_by_user_id = $1
  AND bo.created_at > NOW() - INTERVAL '30 minutes'
ORDER BY bo.created_at DESC
LIMIT 5
```

| id | order_number | status | created_at | created_by_user_id |
| --- | --- | --- | --- | --- |
| 019db868-ef88-79e8-bb3d-29c1ee3c7576 | BO-1 | submitted | 2026-04-23T03:36:18.000Z | 28c9d0e1-f2a3-4567-2345-678901234567 |

### Audit trail for representative approval — ✅ PASS

**Assertion:** Audit/decision events should exist referencing Ryan after the approval action

```sql
SELECT ae.id, ae.event_type, ae.action, ae.created_at, ae.user_id, ae.object_id,
       substring(ae.payload::text, 1, 500) AS payload_preview
FROM audit_events ae
WHERE ae.created_at > NOW() - INTERVAL '30 minutes'
  AND (ae.object_id = $1 OR ae.object_id = $2)
ORDER BY ae.created_at DESC
LIMIT 10
```

| id | event_type | action | created_at | user_id | object_id | payload_preview |
| --- | --- | --- | --- | --- | --- | --- |
| 019db868-4f9f-735e-b8a5-80a23d72c832 | transactional_email | rep_created | 2026-04-23T03:35:37.148Z | NULL | 95d6e7f8-a9b0-1234-9012-345678901234 | {"to": ["ryan.delauintana@stellartech.com"], "s3Path": "email-audit/b2c3d4e5-f6a7-8901-bcde-f12345678901/019db868-4f9f-735e-b8a5-80a23d72c832/", "subject": "Representative Account Approved - ZuriMED", "messageId": "dev-console-log", "relatedEntityType": "organization_representation_relationship"} |
| 019db868-4f88-75a8-b202-e613d724a45a | user_log | rep_onboarding_request_approved | 2026-04-23T03:35:37.112Z | d4e5f6a7-b8c9-0123-def1-234567890123 | 95d6e7f8-a9b0-1234-9012-345678901234 | {"userId": "28c9d0e1-f2a3-4567-2345-678901234567", "userName": "Ryan Delauintana", "userEmail": "ryan.delauintana@stellartech.com", "distributorOrganizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "manufacturerOrganizationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"} |

## Audit & Email Assertion Ledger

Per-declaration outcome of every `expectedAuditActions` and `expectedEmailTemplates` entry written into the orchestrator. Missing evidence here is a real test failure, not a soft warning.

### Audit Action Assertions

Each row asserts that a declared `expectedAuditActions` entry produced a matching row in `audit_events`. A ❌ flips overall status to FAIL — the declaration is real proof, not just an annotation.

| Step | Expected Audit Action | Found |
|------|-----------------------|-------|
| Step 1: Uncertified rep blocked | `user_log:user:login` | ✅ |
| Step 2: Certified rep control | `user_log:user:login` | ✅ |
| Step 3: Manufacturer approval | `user_log:rep_onboarding_request_approved` | ✅ |
| Step 4: Certified order creation | `decision:bill_only_order.enqueue_upload_classification` | ✅ |

### Email Template Assertions

Each row asserts that a declared `expectedEmailTemplates` entry was matched (case-insensitive substring) by a captured email subject or template. A ❌ flips overall status to FAIL.

| Step | Expected Template | Found |
|------|-------------------|-------|
| Step 3: Manufacturer approval | `Representative Account Approved` | ✅ |
| Step 4: Certified order creation | `New Bill-Only Order` | ✅ |

## Audit Log Events

Every row written to `audit_events` while this test was running (scoped to the demo organizations). Provides compliance evidence that user actions are traced end-to-end (URS-003).

**Capture window start:** 2026-04-23T03:34:47.275Z

<details><summary>Query used to capture events</summary>

```sql
SELECT
    ae.created_at,
    ae.event_type,
    ae.action,
    ae.user_id,
    u.email AS user_email,
    ae.organization_id,
    o.name AS organization_name,
    ae.object_id,
    ae.secondary_object_id,
    ae.payload,
    ae.route,
    ae.trace_id
FROM audit_events ae
LEFT JOIN users u ON u.id = ae.user_id
LEFT JOIN organizations o ON o.id = ae.organization_id
WHERE ae.created_at >= $1
  AND ae.organization_id = ANY($2::uuid[])
ORDER BY ae.created_at ASC
```
</details>

8 event(s) captured:

| Time | Type | Action | User | Org | Object ID | Performed | Reason |
|------|------|--------|------|-----|-----------|-----------|--------|
| 2026-04-23 03:34:51Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — | — |  |
| 2026-04-23 03:35:09Z | user_log | user:login | bob.kauffman@stellartech.com | StellarTech Medical Solutions | — | — |  |
| 2026-04-23 03:35:24Z | user_log | user:login | mark.manufacturer@zurimed.com | ZuriMED | — | — |  |
| 2026-04-23 03:35:37Z | user_log | rep_onboarding_request_approved | mark.manufacturer@zurimed.com | ZuriMED | 95d6e7f8-a9b0-1234-9012-345678901234 | — |  |
| 2026-04-23 03:35:37Z | transactional_email | rep_created | — | StellarTech Medical Solutions | 95d6e7f8-a9b0-1234-9012-345678901234 | — |  |
| 2026-04-23 03:35:49Z | user_log | user:login | ryan.delauintana@stellartech.com | StellarTech Medical Solutions | — | — |  |
| 2026-04-23 03:36:18Z | decision | bill_only_order.enqueue_upload_classification | ryan.delauintana@stellartech.com | ZuriMED | 019db868-ef88-79e8-bb3d-29c1ee3c7576 | no | No uploaded PO documents |
| 2026-04-23 03:36:19Z | transactional_email | new_bill_only | — | StellarTech Medical Solutions | 019db868-ef88-79e8-bb3d-29c1ee3c7576 | — |  |

## Email Evidence

2 notification email(s) were captured during this test run. Each email is rendered as a screenshot for compliance review.

### 1. Representative Account Approved - ZuriMED

**Template:** `Representative_Account_Approved_-_ZuriMED`

![Representative Account Approved - ZuriMED](screenshots/emails/2026-04-23T03-35-37-113Z-Representative_Account_Approved_-_ZuriMED.png)

### 2. New Bill-Only Order - 4/22/2026 - ZuriMED BO-1

**Template:** `New_Bill-Only_Order_-_4_22_2026_-_ZuriMED_BO-1`

![New Bill-Only Order - 4/22/2026 - ZuriMED BO-1](screenshots/emails/2026-04-23T03-36-19-949Z-New_Bill-Only_Order_-_4_22_2026_-_ZuriMED_BO-1.png)
