Bilko Documentation Index

  • Last updated: 2026-02-20
  • Project ID: bbd77cc0
  • Status: Backend SPECIFICATION (not implemented)
  • Pipeline Status: 7/8 gates PASS — See Validation Report


Key Documents

  • VALIDATION REPORT — Gate validation results (2026-02-20)
  • PIPELINE (not in BookStack) — 8-gate progress tracker

Purpose

This documentation defines the implementation contract for Bilko's backend. The database schema exists and the frontend is built with mock data. These docs specify what the backend MUST implement to complete the system.


Backend Documentation

| Document | Description | Status |
|---|---|---|
| API Reference | All API endpoints — method, path, request/response, auth | SPECIFICATION |
| Database Schema | All 15 models — columns, types, constraints, indexes | IMPLEMENTED (Prisma) |
| Authentication | JWT auth flow, password hashing, 2FA, RBAC | SPECIFICATION |
| Business Logic | Double-entry bookkeeping, VAT calculation, multi-currency, reconciliation | SPECIFICATION |
| Middleware | Express middleware stack — security, auth, validation, error handling | SPECIFICATION |
| Services | External service integrations — SendGrid, Cloudflare R2, exchange rates, PDF generation | SPECIFICATION |

Frontend Documentation

| Document | Description | Status |
|---|---|---|
| Pages | All 10 implemented pages — routes, data requirements, mobile responsive | IMPLEMENTED |
| Component Inventory | All 17 shadcn/ui components — usage, props, examples | IMPLEMENTED |
| Design System | Colors, typography, spacing, shadows — 73 design tokens | IMPLEMENTED |
| State Management | Zustand setup, stores, patterns | SPECIFICATION |
| Forms | Form validation, error handling, submission patterns | SPECIFICATION |
| Web App CLAUDE.md (local file only) | Next.js 15 frontend overview | REFERENCE |

Infrastructure Documentation

| Document | Description | Status |
|---|---|---|
| Deployment | Deployment strategy — Vercel (frontend), Railway (backend+DB), environments | SPECIFICATION |
| CI/CD | GitHub Actions pipeline — lint, test, build, deploy | SPECIFICATION |
| Environment | Environment variables, secrets management, config | SPECIFICATION |

Security Documentation

| Document | Description | Status |
|---|---|---|
| Security Architecture | JWT auth, RBAC, encryption, rate limiting, OWASP Top 10 | SPECIFICATION |
| Compliance | GDPR compliance, data retention, user rights, privacy policy | SPECIFICATION |

Testing Documentation

| Document | Description | Status |
|---|---|---|
| Testing Guide | Testing philosophy, pyramid, tech stack (Vitest, Supertest, Playwright) | SPECIFICATION |
| Test Inventory | Critical test scenarios, coverage requirements, quality gates | SPECIFICATION |

Regulatory Documentation

| Document | Description | Status |
|---|---|---|
| Serbia SEF | SEF e-invoicing (UBL 2.1), 20% PDV, Kontni Okvir Chart of Accounts, e-Transport | RESEARCH COMPLETE |
| BiH PDV | 17% PDV, UNO/ITA filing, e-invoicing draft law, FBiH (IFRS) + RS Chart of Accounts | RESEARCH COMPLETE |
| Croatia eRačun | eRačun B2G (2019) + B2B (2026), 25% VAT, RRiF Chart of Accounts, Fiscalization 2.0 | RESEARCH COMPLETE |
| Chart of Accounts | Serbia (Class 0-9), BiH (IFRS/RS), Croatia (RRiF) — account structures | RESEARCH COMPLETE |

How to Use This Documentation

For Backend Developers

  1. Start with API Reference — this is your implementation contract
  2. Read Database Schema — understand the data model
  3. Review Business Logic — learn accounting domain rules
  4. Implement endpoints following Middleware and Authentication

For Frontend Developers

  • All endpoints in API Reference include TypeScript interfaces
  • Replace mock data imports with API calls
  • Use the request/response types from API Reference

For QA Engineers

  • API Reference includes example requests/responses for all endpoints
  • Use these as test cases
  • Verify business logic rules from Business Logic document

Key Architectural Decisions

1. Double-Entry Bookkeeping

Every financial event creates a Transaction with debitAccount + creditAccount. Debits = Credits always.

2. Multi-Currency with Rate Locking

The exchange rate is locked at the transaction date. Historical transactions are NEVER recalculated with current rates.

3. Immutable Audit Trail

The LoggedAction table is APPEND-ONLY. All INSERT/UPDATE/DELETE operations are captured.

4. Organization-Scoped Multi-Tenancy

Every API request is filtered by organizationId. No cross-org data access.

5. NUMERIC(19,4) for ALL Money

NEVER use float or JavaScript number for currency. Precision is critical.


  • Product Requirements (local spec) — Feature requirements, success metrics
  • Tech Stack (local spec) — Technology decisions
  • Wireframes (local spec) — UI specifications
  • Brand Identity (local spec) — Branding guidelines

Contributing

When adding new documentation:

  1. Add entry to this INDEX.md
  2. Follow existing document structure (Purpose → Spec → Examples)
  3. Mark implementation status (SPECIFICATION, IN PROGRESS, IMPLEMENTED)
  4. Update "Last updated" date in this file