URS-005 · Prevent Uncertified Reps from Creating Orders

Title: Prevent Uncertified Reps from Creating Orders Date: 2026-04-23T03:34:49.115Z Duration: 96.7s Overall Status: ✅ PASS

User Requirement

The system shall prevent uncertified reps from creating orders until approved. (Repeating with URS-055)

Source: User_Requirement_Specifications_ZuriMED_DeviceFlow.xlsx — the run below proves the system meets this requirement.

Environment

• Inbox URL: http://localhost:62143
• Database: localhost:62144/cc_repinbox_dev

Setup

Status: ✅ PASS

Test Steps

Each step below corresponds to one Playwright test that ran sequentially. Screenshots and video recordings provide visual evidence of the UI behaviour.

1. Step 1: Uncertified rep blocked — ✅ PASS

What this step proves:

Proves the system correctly prevents an uncertified representative from creating orders. Ryan Delauintana has no active manufacturer approval, so the bill-only order creation form displays a “Manufacturer Approval Required” warning and presents no selectable manufacturers. The same block appears on both the /billing/new and /orders/requests/new routes, confirming the enforcement is applied consistently across order entry points.

Audit events generated by this step:

(Evidence matched by declared name — step timing not available or no events fell in window)

Time	Type	Action	User	Org	Performed
2026-04-23 03:34:51Z	user_log	user:login	ryan.delauintana@stellartech.com	StellarTech Medical Solutions	—
2026-04-23 03:35:09Z	user_log	user:login	bob.kauffman@stellartech.com	StellarTech Medical Solutions	—
2026-04-23 03:35:24Z	user_log	user:login	mark.manufacturer@zurimed.com	ZuriMED	—
2026-04-23 03:35:49Z	user_log	user:login	ryan.delauintana@stellartech.com	StellarTech Medical Solutions	—

Screenshots:

Video recording:

---

2. Step 2: Certified rep control — ✅ PASS

What this step proves:

Control condition confirming that the blocking behavior is targeted at uncertified reps only. Bob Kauffman, whose representation relationship is active, can access the order creation form without any approval warning. The form auto-advances to Step 2 with ZuriMED pre-selected. This eliminates the possibility that the block in Step 1 is a general UI defect.

Audit events generated by this step:

(Evidence matched by declared name — step timing not available or no events fell in window)

Time	Type	Action	User	Org	Performed
2026-04-23 03:34:51Z	user_log	user:login	ryan.delauintana@stellartech.com	StellarTech Medical Solutions	—
2026-04-23 03:35:09Z	user_log	user:login	bob.kauffman@stellartech.com	StellarTech Medical Solutions	—
2026-04-23 03:35:24Z	user_log	user:login	mark.manufacturer@zurimed.com	ZuriMED	—
2026-04-23 03:35:49Z	user_log	user:login	ryan.delauintana@stellartech.com	StellarTech Medical Solutions	—

Screenshots:

Video recording:

---

3. Step 3: Manufacturer approval — ✅ PASS

What this step proves:

The ZuriMED manufacturer user (Mark) navigates to Ryan’s representative detail page, confirms the status shows “Pending Approval”, and clicks the “Approve Representative” button. After submission the status badge updates to “Active”, demonstrating that the approval workflow functions end-to-end and transitions the relationship to the certified state required for order creation.

Audit events generated by this step:

(Evidence scoped to step execution window: 2026-04-23T03:35:27.049Z → 2026-04-23T03:35:44.423Z)

Time	Type	Action	User	Org	Performed
2026-04-23 03:35:37Z	user_log	rep_onboarding_request_approved	mark.manufacturer@zurimed.com	ZuriMED	—
2026-04-23 03:35:37Z	transactional_email	rep_created	—	StellarTech Medical Solutions	—

Emails triggered by this step:

(Evidence matched by declared name — step timing not available or no events fell in window)

Email 1: Representative Account Approved - ZuriMED

Template: Representative_Account_Approved_-_ZuriMED

Screenshots:

Video recording:

---

4. Step 4: Certified order creation — ✅ PASS

What this step proves:

Validates that the now-approved representative can create and submit a bill-only order without restriction. Ryan logs in after certification, accesses /billing/new without any approval warning, selects an account, adds a product with lot number, and successfully submits the order. The system redirects to /billing, confirming the requirement gate is lifted after manufacturer approval.

Audit events generated by this step:

(Evidence scoped to step execution window: 2026-04-23T03:35:51.890Z → 2026-04-23T03:36:23.715Z)

Time	Type	Action	User	Org	Performed
2026-04-23 03:36:18Z	decision	bill_only_order.enqueue_upload_classification	ryan.delauintana@stellartech.com	ZuriMED	no
2026-04-23 03:36:19Z	transactional_email	new_bill_only	—	StellarTech Medical Solutions	—

Emails triggered by this step:

(Evidence matched by declared name — step timing not available or no events fell in window)

Email 1: New Bill-Only Order - 4/22/2026 - ZuriMED BO-1

Template: New_Bill-Only_Order_-_4_22_2026_-_ZuriMED_BO-1

Screenshots:

Video recording:

---

Database Validations

The following SQL queries ran against the application database after the Playwright scenarios completed. Each query asserts a specific condition that proves the feature under test persisted its data correctly.

Ryan relationship now active — ✅ PASS

Assertion: Ryan’s representation relationship should be active after manufacturer approval

SELECT id, status, active, responded_at, responded_by_user_id
      FROM organization_representation_relationships
      WHERE id = $1

id	status	active	responded_at	responded_by_user_id
95d6e7f8-a9b0-1234-9012-345678901234	active	true	2026-04-23T03:35:37.093Z	d4e5f6a7-b8c9-0123-def1-234567890123

Bob relationship still active (control) — ✅ PASS

Assertion: Bob’s active flag should remain true and unaffected by Ryan’s approval flow

SELECT id, status, active
      FROM organization_representation_relationships
      WHERE id = $1

id	status	active
84c5d6e7-f8a9-0123-8901-234567890123	proposed_pending_onboarding	true

Status change history recorded — ✅ PASS

Assertion: Status change to “active” should be recorded in history table

SELECT id, to_status, from_status, changed_by_user_id, created_at
      FROM organization_representation_request_status_changes
      WHERE relationship_id = $1
        AND created_at > NOW() - INTERVAL '30 minutes'
      ORDER BY created_at DESC
      LIMIT 5

id	to_status	from_status	changed_by_user_id	created_at
019db868-4f86-7292-a477-8b69a3d4bd55	active	proposed	d4e5f6a7-b8c9-0123-def1-234567890123	2026-04-23T03:35:37.053Z

Billing order created by Ryan after certification — ✅ PASS

Assertion: At least one billing order should have been created by Ryan after being certified

SELECT bo.id, bo.order_number, bo.status, bo.created_at, bo.created_by_user_id
      FROM billing_orders bo
      WHERE bo.created_by_user_id = $1
        AND bo.created_at > NOW() - INTERVAL '30 minutes'
      ORDER BY bo.created_at DESC
      LIMIT 5

id	order_number	status	created_at	created_by_user_id
019db868-ef88-79e8-bb3d-29c1ee3c7576	BO-1	submitted	2026-04-23T03:36:18.000Z	28c9d0e1-f2a3-4567-2345-678901234567

Audit trail for representative approval — ✅ PASS

Assertion: Audit/decision events should exist referencing Ryan after the approval action

SELECT ae.id, ae.event_type, ae.action, ae.created_at, ae.user_id, ae.object_id,
        substring(ae.payload::text, 1, 500) as payload_preview
      FROM audit_events ae
      WHERE ae.created_at > NOW() - INTERVAL '30 minutes'
        AND (ae.object_id = $1 OR ae.object_id = $2)
      ORDER BY ae.created_at DESC
      LIMIT 10

id	event_type	action	created_at	user_id	object_id	payload_preview
019db868-4f9f-735e-b8a5-80a23d72c832	transactional_email	rep_created	2026-04-23T03:35:37.148Z	NULL	95d6e7f8-a9b0-1234-9012-345678901234	{“to”: [“ryan.delauintana@stellartech.com”], “s3Path”: “email-audit/b2c3d4e5-f6a7-8901-bcde-f12345678901/019db868-4f9f-735e-b8a5-80a23d72c832/”, “subject”: “Representative Account Approved - ZuriMED”, “messageId”: “dev-console-log”, “relatedEntityType”: “organization_representation_relationship”}
019db868-4f88-75a8-b202-e613d724a45a	user_log	rep_onboarding_request_approved	2026-04-23T03:35:37.112Z	d4e5f6a7-b8c9-0123-def1-234567890123	95d6e7f8-a9b0-1234-9012-345678901234	{“userId”: “28c9d0e1-f2a3-4567-2345-678901234567”, “userName”: “Ryan Delauintana”, “userEmail”: “ryan.delauintana@stellartech.com”, “distributorOrganizationId”: “b2c3d4e5-f6a7-8901-bcde-f12345678901”, “manufacturerOrganizationId”: “a1b2c3d4-e5f6-7890-abcd-ef1234567890”}

Audit & Email Assertion Ledger

Per-declaration outcome of every expectedAuditActions and expectedEmailTemplates entry written into the orchestrator. Missing evidence here is a real test failure, not a soft warning.

Audit Action Assertions

Each row asserts that a declared expectedAuditActions entry produced a matching row in audit_events. A ❌ flips overall status to FAIL — the declaration is real proof, not just an annotation.

Step	Expected Audit Action	Found
Step 1: Uncertified rep blocked	user_log:user:login	✅
Step 2: Certified rep control	user_log:user:login	✅
Step 3: Manufacturer approval	user_log:rep_onboarding_request_approved	✅
Step 4: Certified order creation	decision:bill_only_order.enqueue_upload_classification	✅

Email Template Assertions

Each row asserts that a declared expectedEmailTemplates entry was matched (case-insensitive substring) by a captured email subject or template. A ❌ flips overall status to FAIL.

Step	Expected Template	Found
Step 3: Manufacturer approval	Representative Account Approved	✅
Step 4: Certified order creation	New Bill-Only Order	✅

Audit Log Events

Every row written to audit_events while this test was running (scoped to the demo organizations). Provides compliance evidence that user actions are traced end-to-end (URS-003).

Capture window start: 2026-04-23T03:34:47.275Z

SELECT
    ae.created_at,
    ae.event_type,
    ae.action,
    ae.user_id,
    u.email AS user_email,
    ae.organization_id,
    o.name AS organization_name,
    ae.object_id,
    ae.secondary_object_id,
    ae.payload,
    ae.route,
    ae.trace_id
  FROM audit_events ae
  LEFT JOIN users u ON u.id = ae.user_id
  LEFT JOIN organizations o ON o.id = ae.organization_id
  WHERE ae.created_at >= $1
    AND ae.organization_id = ANY($2::uuid[])
  ORDER BY ae.created_at ASC

8 event(s) captured:

Time	Type	Action	User	Org	Object ID	Performed	Reason
2026-04-23 03:34:51Z	user_log	user:login	ryan.delauintana@stellartech.com	StellarTech Medical Solutions	—	—
2026-04-23 03:35:09Z	user_log	user:login	bob.kauffman@stellartech.com	StellarTech Medical Solutions	—	—
2026-04-23 03:35:24Z	user_log	user:login	mark.manufacturer@zurimed.com	ZuriMED	—	—
2026-04-23 03:35:37Z	user_log	rep_onboarding_request_approved	mark.manufacturer@zurimed.com	ZuriMED	95d6e7f8-a9b0-1234-9012-345678901234	—
2026-04-23 03:35:37Z	transactional_email	rep_created	—	StellarTech Medical Solutions	95d6e7f8-a9b0-1234-9012-345678901234	—
2026-04-23 03:35:49Z	user_log	user:login	ryan.delauintana@stellartech.com	StellarTech Medical Solutions	—	—
2026-04-23 03:36:18Z	decision	bill_only_order.enqueue_upload_classification	ryan.delauintana@stellartech.com	ZuriMED	019db868-ef88-79e8-bb3d-29c1ee3c7576	no	No uploaded PO documents
2026-04-23 03:36:19Z	transactional_email	new_bill_only	—	StellarTech Medical Solutions	019db868-ef88-79e8-bb3d-29c1ee3c7576	—

Email Evidence

2 notification email(s) were captured during this test run. Each email is rendered as a screenshot for compliance review.

1. Representative Account Approved - ZuriMED

Template: Representative_Account_Approved_-_ZuriMED

2. New Bill-Only Order - 4/22/2026 - ZuriMED BO-1

Template: New_Bill-Only_Order_-_4_22_2026_-_ZuriMED_BO-1

Downloads

• audit-events.json
• report.md
• result.json
• screenshots-index.json
• step-timings.json

Feedback