Test Inventory

Bilko —Drop Test Inventory

~~Status:~~ ~~Active — Tests Implemented~~ ~~Version:~~ ~~2.0~~ Last ~~Updated:~~updated: 2026-~~03-02~~02-13 ~~Author:~~Source: ~~ALAI~~src/drop-app/tests/ ~~Documentation~~Total ~~Team~~

test

~~This~~files: ~~inventory~~14 ~~catalogs~~(7 ~~all~~unit, ~~implemented~~1 ~~tests~~integration, in1 ~~Bilko,~~performance, ~~organized~~1 byregression, ~~package~~3 ~~and~~E2E, ~~file.~~1 setup)

SummaryDirectory Structure

tests/
  setup.ts                              # Global setup (sets NODE_ENV=test)
  unit/
    auth.test.ts                        # Password hashing + JWT tokens
    db.test.ts                          # Database schema validation
    feature-flags.test.ts               # Feature flag system
    middleware.test.ts                   # Rate limiting + error responses
    utils.test.ts                       # Utility functions (randomId, maskBankAccount)
    validation.test.ts                  # Input validation functions
    api-routes.test.ts                  # API routes with DB integration
  integration/
    api-endpoints.test.ts               # Full API endpoint integration tests
  performance/
    api-benchmarks.test.ts              # Performance benchmarks
  regression/
    known-bugs.test.ts                  # Regression tests for fixed bugs
  e2e/
    user-flows.spec.ts                  # Basic user journey E2E
    full-flows.spec.ts                  # Complete feature journey E2E
    input-chaos.spec.ts                 # Malicious/edge-case input E2E

Unit Tests (Vitest)

`tests/unit/auth.test.ts` -- 7 tests

Password Hashing (4 tests):

hashPassword produces bcrypt hash (starts with $2)

verifyPassword validates correct bcrypt password

verifyPassword rejects wrong password

verifyPassword does NOT accept SHA-256 hashes (security fix C4)

JWT Token Management (3 tests):

signToken and verifyToken round-trip works

verifyToken rejects invalid tokens

verifyToken rejects tampered tokens

`tests/unit/db.test.ts` -- 5 tests

Creates all 11 expected tables (users, transactions, recipients, merchants, cards, bank_accounts, sessions, notifications, settings, exchange_rates, spending_limits)

Users table does NOT have balance column (pass-through model verification)

Cards table does NOT have card_number or cvv columns (PCI-DSS fix verification). Has last_four and token_ref instead.

Transaction type constraint only allows remittance and qr_payment

Foreign key constraints are enforced

`tests/unit/feature-flags.test.ts` -- 6 tests

isEnabled returns default when no env var is set

isEnabled reads NEXT_PUBLIC_FF_* env vars

featureGate returns 404-like response when disabled

featureGate returns null when enabled

getAllFlags returns complete flag set (8 flags)

topUpViaCard flag does NOT exist (removed feature)

`tests/unit/middleware.test.ts` -- 7 tests

Rate Limiting (3 tests):

Allows requests within limit

Blocks after limit exceeded

Resets after window expires

jsonError (2 tests):

Returns correct JSON format ({error, message, details})

Includes details array when provided

getClientIp (2 tests):

Extracts from X-Forwarded-For header (first IP)

Returns 127.0.0.1 when no header present

`tests/unit/utils.test.ts` -- 5 tests

randomId (3 tests):

Generates prefixed IDs with correct format (prefix_<hex16>)

Generates unique IDs on each call

Uses the provided prefix

maskBankAccount (2 tests):

Masks correctly, showing only last 4 characters

Returns short accounts unchanged

`tests/unit/validation.test.ts` -- 10 tests

Email Validation (2 tests):

Accepts valid emails (standard, tag, domain variants)

Rejects invalid emails (empty, no @, space, null)

Phone Validation (2 tests):

Accepts international format (+47, +381)

Rejects invalid numbers (no +, too short, letters, null)

Amount Validation (2 tests):

Accepts valid positive amounts (including 0.01)

Rejects negative, zero, NaN, and >2 decimal places

IBAN Validation (2 tests):

Validates correct IBANs (Norwegian, German)

Rejects invalid IBANs (empty, too short, bad checksum, null)

Name Validation (6 tests, grouped):

Accepts valid names (Latin, Bosnian chars, apostrophes, hyphens, umlauts)

Rejects numbers-only input

Accepts names with numbers mixed in (has letters)

Rejects empty and null

Rejects XSS payloads (<script>, onclick=)

Rejects special-chars-only input

PIN Validation (2 tests):

Validates 4-digit PINs

Rejects invalid PINs (too short, too long, letters, null)

`tests/unit/api-routes.test.ts` -- 8 test groups

DB + Auth Integration -- User creation with bcrypt, password verification, hash uniqueness

Exchange Rates Seeded -- 6 NOK rates, queryable for API response

Rate Limiting -- Allows within limit, blocks after exceeded, resets after window, cleans expired entries

User Registration Flow -- Insert, unique constraint, default values, KYC/role constraints

Session Tracking -- Create, retrieve, revocation, expiry, index verification

End-to-End User Flow -- Register -> login -> session -> revoke

Foreign Key Constraints -- Cannot create orphan sessions, cannot delete user with sessions

Utility Functions -- randomId format and uniqueness

Integration Tests (Vitest)

`tests/integration/api-endpoints.test.ts` -- 20+ tests

Tests actual API route handlers with mocked database and auth.

POST /api/auth/register (5 tests):

Successfully registers with valid input (201, checks DB)

Returns 422 for missing email

Returns 422 for short password

Returns 422 for missing first name

Returns 409 for duplicate email

Returns 400 for invalid JSON body

POST /api/auth/login (5 tests):

Successfully logs in with valid credentials (200)

Returns 401 for wrong password

Returns 401 for non-existent user

Returns 400 for missing email or password

Returns 400 for invalid JSON body

GET /api/rates (2 tests):

Returns all exchange rates (6 currencies)

Returns empty rates when none seeded

GET /api/rates/[currency] (3 tests):

Returns rate for valid currency

Returns 404 for unsupported currency

Handles case-insensitive codes

POST /api/transactions/remittance (7 tests):

Successfully creates remittance (201, verifies balance deduction)

Returns 401 when not authenticated

Returns 403 when KYC not approved

Returns 404 when recipient not found

Returns 402 when insufficient balance

Returns 400 for amount below/above limits

Returns 400 for invalid amount (NaN)

POST /api/transactions/qr-payment (8 tests):

Successfully creates QR payment (201, verifies balance, fee calc)

Returns 401 when not authenticated

Returns 404 when merchant not found

Returns 402 when insufficient balance

Returns 400 for amount below/above limits

Returns 400 for missing merchantId

Returns 400 for invalid JSON body

Performance Tests (Vitest)

`tests/performance/api-benchmarks.test.ts` -- 8 tests

~~Package~~Test	~~Test Files~~	~~Test Cases~~	~~Status~~Threshold
`apps/api/tests/hashPassword` (~~mock~~bcrypt ~~suite)~~rounds=12)	11< ~~test files~~	~~~130~~	~~Implemented~~1000ms
`apps/api/tests/unit/verifyPassword` (~~unit~~bcrypt ~~suite)~~compare)	4< ~~test files~~	~~~60~~	~~Implemented~~1000ms
`apps/api/tests/e2e/rateLimit` ~~(E2E~~single ~~suite)~~check	2< ~~test files~~	~~~30~~	~~Implemented~~50ms
`apps/api/tests/integration/`DB ~~(real~~SELECT ~~DB)~~query	5< ~~test files~~	~~~50~~	~~Implemented~~10ms
`packages/core/tests/`DB ~~(unit)~~INSERT query	5< ~~test files~~	~~121~~	~~Implemented~~20ms
~~Total~~Exchange rate lookup	27	~~~390~~	~~Active~~

Test Category Breakdown

~~Category~~	~~Description~~	~~Requires DB~~
~~Mock suite~~ (`tests/*.test.ts`)	~~API endpoint tests with mocked Prisma — fast, no DB~~	No10ms
~~Unit~~50 ~~suite~~concurrent (`tests/unit/`)rateLimit calls	~~Service-layer~~< ~~tests,~~2000ms ~~financial logic, SEF client~~	Nototal
~~E2E~~Transaction ~~suite~~ (`tests/e2e/`)INSERT	~~End-to-end~~< ~~billing flows with mocked services~~	No
~~Integration suite~~ (`tests/integration/`)	~~Real DB tests (docker-compose.test.yml)~~	~~Yes~~ ~~— PostgreSQL~~
~~Core unit~~ (`packages/core/`)	~~Pure business logic — no HTTP, no DB~~	No50ms

`packages/core/tests/` — UnitRegression Tests

~~Pure unit tests for the~~ @bilko/core ~~financial engine. No database, no HTTP. Uses~~ globals: true (~~no explicit imports of~~ describe/it/expect).

Vitest)

`accounting.tests/regression/known-bugs.test.ts` —-- 204 testsbug groups

~~Tests~~BUG-001: ~~double-entry bookkeeping engine:~~ validateDoubleEntry, createJournalEntry, calculateTrialBalance.

~~Test Name~~ ~~What It Tests~~ ~~Status~~
validateDoubleEntry - returns true for balanced entry ~~Debit total equals credit total~~ ~~Implemented~~
validateDoubleEntry - returns false for unbalanced entry ~~Debit ≠ credit~~ ~~Implemented~~
validateDoubleEntry - returns false for fewer than 2 lines ~~Minimum 2 lines required~~ ~~Implemented~~
validateDoubleEntry - returns false for empty lines ~~Empty array → false~~ ~~Implemented~~
validateDoubleEntry - returns false for negative amounts ~~Negative amounts invalid~~ ~~Implemented~~
validateDoubleEntry - returns false for zero amounts ~~Zero amounts invalid~~ ~~Implemented~~
validateDoubleEntry - handles multiple lines that sum to balanced ~~Multi-line balanced entry~~ ~~Implemented~~
validateDoubleEntry - handles decimal amounts with precision ~~NUMERIC(19,4) precision~~ ~~Implemented~~
createJournalEntry - returns entry when valid and balanced ~~Happy path~~ ~~Implemented~~
createJournalEntry - throws for fewer than 2 lines ~~Error: "at least 2 lines"~~ ~~Implemented~~
createJournalEntry - throws for empty lines array ~~Error: "at least 2 lines"~~ ~~Implemented~~
createJournalEntry - throws forrateLimit() missing description ~~Error: "must have a description"~~ ~~Implemented~~
createJournalEntry - throws for whitespace-only description ~~Whitespace = missing~~ ~~Implemented~~
createJournalEntry - throws for missing date ~~Error: "must have a date"~~ ~~Implemented~~
createJournalEntry - throws for unbalanced entry ~~Error shows debit vs credit amounts~~ ~~Implemented~~
createJournalEntry - throws for negative amount lines ~~Negative amounts rejected~~ ~~Implemented~~
calculateTrialBalance - returns balanced from balanced entries ~~isBalanced=true, totals correct~~ ~~Implemented~~
calculateTrialBalance - groups by account number ~~Rows aggregated per account~~ ~~Implemented~~
calculateTrialBalance - returns empty rows for no transactions ~~Empty array → zero totals~~ ~~Implemented~~
calculateTrialBalance - sorts rows by account number ~~Rows sorted ascending~~ ~~Implemented~~

chart-of-accounts.test.ts ~~— 32 tests~~

~~Tests chart of accounts operations: account creation, parent-child hierarchy, account type validation.~~

~~Test Area~~ ~~Test Count~~ ~~Status~~
~~Account creation~~await (~~valid + invalid inputs)~~ ~~~10~~ ~~Implemented~~
~~Account hierarchy (parent-child relationships)~~ ~8 ~~Implemented~~
~~Account type validation (Asset/Liability/Equity/Revenue/Expense)~~ ~7 ~~Implemented~~
~~Account code format validation (1xxx-5xxx range)~~ ~7 ~~Implemented~~

invoicing.test.ts ~~— 22 tests~~

~~Tests invoice number generation, total calculations, and line item validation.~~

~~Test Name~~ ~~What It Tests~~ ~~Status~~
generateInvoiceNumber - generates INV-YYYY-NNN format ~~Standard format~~ ~~Implemented~~
generateInvoiceNumber - increments from last number ~~Sequential numbering~~ ~~Implemented~~
generateInvoiceNumber - pads number to 3 digits ~~Zero-padding~~ ~~Implemented~~
generateInvoiceNumber - handles numbers beyond 999 ~~No truncation for 1000+~~ ~~Implemented~~
generateInvoiceNumber - throws for empty prefix ~~Error: "prefix is required"~~ ~~Implemented~~
generateInvoiceNumber - throws for whitespace-only prefix ~~Whitespace = invalid~~ ~~Implemented~~
generateInvoiceNumber - throws for negative lastNumber ~~Error: "non-negative integer"~~ ~~Implemented~~
generateInvoiceNumber - throws for non-integer lastNumber ~~Float rejected~~ ~~Implemented~~
calculateInvoiceTotals - calculates line item total ~~quantity × unitPrice~~ ~~Implemented~~
calculateInvoiceTotals - calculates subtotal as sum of lines ~~Sum of all line totals~~ ~~Implemented~~
calculateInvoiceTotals - calculates tax per line item ~~lineTotal × taxRate / 100~~ ~~Implemented~~
calculateInvoiceTotals - calculates total = subtotal + tax ~~Final total~~ ~~Implemented~~
calculateInvoiceTotals - handles items without taxRate ~~Missing tax = 0~~ ~~Implemented~~
calculateInvoiceTotals - returns zeros for empty items ~~Empty array → all zeros~~ ~~Implemented~~
calculateInvoiceTotals - handles multiple items with different rates ~~Mixed 20%/10% tax~~ ~~Implemented~~
calculateInvoiceTotals - maintains decimal precision ~~3 × 33.33 = 99.99~~ ~~Implemented~~
validateLineItem - returns true for valid item ~~Happy path~~ ~~Implemented~~
validateLineItem - returns false for zero quantity ~~qty=0 invalid~~ ~~Implemented~~
validateLineItem - returns false for negative quantity ~~qty<0 invalid~~ ~~Implemented~~
validateLineItem - returns false for negative unitPrice ~~price<0 invalid~~ ~~Implemented~~
validateLineItem - returns false for empty description ~~Description required~~ ~~Implemented~~
validateLineItem - returns false for whitespace-only description ~~Whitespace = empty~~ ~~Implemented~~

multi-currency.test.ts ~~— 24 tests~~

~~Tests currency conversion, exchange rate locking, and NUMERIC precision handling.~~

~~Test Area~~ ~~Test Count~~ ~~Status~~
~~Currency conversion (EUR/RSD/BAM)~~ ~8 ~~Implemented~~
~~Exchange rate locking at transaction date~~ ~6 ~~Implemented~~
~~NUMERIC(19,4) precision (no float drift)~~ ~5 ~~Implemented~~
~~Edge cases (zero rate, missing rate, same currency)~~ ~5 ~~Implemented~~

tax.test.ts ~~— 23 tests~~

~~Tests VAT calculations for all supported countries and edge cases.~~

~~Test Area~~ ~~Test Count~~ ~~Status~~
~~Serbia PDV (20% standard, 10% reduced, 0% exempt)~~ ~6 ~~Implemented~~
~~BiH PDV (17% standard)~~ ~4 ~~Implemented~~
~~Croatia PDV (25% standard, 13% reduced, 5% super-reduced)~~ ~5 ~~Implemented~~
~~Mixed tax rates on single invoice~~ ~3 ~~Implemented~~
~~Zero-rate exports~~ ~2 ~~Implemented~~
~~Reverse VAT / gross-to-net~~ ~3 ~~Implemented~~

apps/api/tests/ ~~— Mock API Tests~~

~~Integration tests for Express API endpoints. Tests use~~ ~~mocked Prisma client~~tests): ~~— no real database required. Setup in~~ tests/setup.ts.

setup.ts ~~— Test Infrastructure (not a test file)~~

~~Provides:~~

~~Prisma~~Rate ~~client~~limit ~~mock~~actually ~~via~~blocks vi.mock('../src/lib/prisma')after exceeded

~~Environment~~Count ~~variable~~increments ~~setup~~correctly ~~(JWT~~in ~~secrets, rate limits)~~database

createTestUser()Resets —after ~~factory~~window expires

BUG-002: Validation errors generic message (3 tests):

Register returns details array for ~~test~~validation ~~user objects~~errors

generateTestAccessToken()Details —contain specific field errors

Multiple validation errors all included

BUG-003: Email without @ passed client-side (3 tests):

API rejects email without @ symbol

API rejects empty string as email

API accepts valid ~~JWT~~email ~~for~~with ~~authenticated~~@
~~requests~~

BUG-004: Missing getDb import in auth.ts (5 tests):

All auth module exports are functional (signToken, verifyToken, setAuthCookie, clearAuthCookie, getCurrentUser)

generateTestRefreshToken()getCurrentUser —returns ~~valid~~null ~~refresh~~when no token

~~Constants:~~All TEST_ORG_ID,exports TEST_USER_ID,are TEST_USER_EMAILfunctions

E2E Tests (Playwright)

auth.test.tests/e2e/user-flows.spec.ts —-- 115 ~~tests~~test groups

Landing
Page (3

Loads
onboarding to login page

login
~~Test~~tests):
~~Name~~ ~~Route~~ ~~Status~~
returns 201homepage with user,Drop organization,branding
Has navigation to login and tokens
~~POST~~
Navigates ~~/auth/register~~
~~Implemented~~
returnsLogin 400Flow for(4 duplicatetests): email ~~POST~~
Shows ~~/auth/register~~
~~Implemented~~
returns 200form with tokenscorrect forfields valid
Shows credentials
~~POST /auth/login~~ ~~Implemented~~
returns 401 for invalid password ~~POST /auth/login~~ ~~Implemented~~
returns 401 for non-existent email ~~POST /auth/login~~ ~~Implemented~~
returns 200error with newempty accesscredentials token(client-side) for
Shows valid refresh token
~~POST /auth/refresh~~ ~~Implemented~~
returns 401 when no refresh token cookie is present ~~POST /auth/refresh~~ ~~Implemented~~
returns 204 and clears cookie ~~POST /auth/logout~~ ~~Implemented~~
returns 200error with currentwrong usercredentials when
Logs authenticated
~~GET /auth/me~~ ~~Implemented~~
returns 401 when no token provided ~~GET /auth/me~~ ~~Implemented~~
returns 401 for invalid token ~~GET /auth/me~~ ~~Implemented~~

invoices.test.ts ~~— 11 tests~~
credentials,todashboard
Registration

fields, button
Validates
email format client-side flow: PIN api/rates api/rates/RSD

Each
page
~~Test Name~~ ~~Route~~ ~~Status~~
returns 200in with paginateddemo list ~~GET~~redirects ~~/invoices~~ ~~Implemented~~

returnsFlow 401(4 withouttests): auth ~~GET~~
Shows ~~/invoices~~
~~Implemented~~
returns 201form with createdrequired invoice ~~POST~~disabled ~~/invoices~~ ~~Implemented~~
returnsclient-side 200
Validates withpassword fulllength invoice
~~GET~~
Full ~~/invoices/:id~~
~~Implemented~~
returns 404 when invoice not found ~~GET /invoices/:id~~ ~~Implemented~~
returns 200 when updating draft invoice ~~PUT /invoices/:id~~ ~~Implemented~~
returns 400 when updating sent invoice ~~PUT /invoices/:id~~ ~~Implemented~~
returns 200 when sending invoice (draftform -> sent) ~~PATCH /invoices/:id/status~~ ~~Implemented~~
returns 200 when marking invoice as paid (sentOTP -> paid) ~~PATCH~~-> success
Dashboard (2 tests):

Login redirects to dashboard with action buttons

Authenticated pages load after login

API Health (4 tests):

GET /~~invoices/:id/status~~
~~Implemented~~
returns 204exchange whenrates deleting draft invoice ~~DELETE~~
GET /~~invoices/:id~~
~~Implemented~~
returns 400specific whenrate deleting sent invoice ~~DELETE~~
GET /~~invoices/~~api/rates/XXX returns 404

POST /api/auth/register validates input

All Pages Load (10 tests):id
~~Implemented~~

(/,
/login, /onboarding, /dashboard, /send, /scan, /history, /accounts, /profile, /cards) returns no server error
expenses.test.tests/e2e/full-flows.spec.ts —-- 98 ~~tests~~journeys

New
User -- form -> OTP -> PIN -> Moneylogin->recipient->skipped)
~~Test~~Registration ~~Area~~ ~~Route~~ ~~Status~~
~~List~~success ~~expenses~~-> dashboard (~~200~~skipped) +
Send ~~auth)~~
~~GET~~-- ~~/expenses~~ ~~Implemented~~

~~Create~~amount ~~expense~~-> confirm -> verify in history
QR Payment -- login -> scan -> amount -> pay -> verify in history

Virtual Card -- login -> cards -> order -> verify card appears

Bank Accounts -- login -> accounts -> verify Open Banking info, DNB account

Profile and Logout -- login -> profile -> verify info -> logout -> redirect

Full Navigation -- login -> navigate all 7 pages via direct links

Error Handling -- wrong credentials -> error -> correct -> success (~~201)~~
~~POST /expenses~~ ~~Implemented~~
~~Get expense by ID (200 + 404)~~ ~~GET /expenses/:id~~ ~~Implemented~~
~~Update expense (200 + 400 for non-pending)~~ ~~PUT /expenses/:id~~ ~~Implemented~~
~~Approve expense (200 + role check)~~ ~~PATCH /expenses/:id/approve~~ ~~Implemented~~
~~Delete expense (204 + 400 for approved)~~ ~~DELETE /expenses/:id~~ ~~Implemented~~

contacts.test.tests/e2e/input-chaos.spec.ts —-- 97 ~~tests~~
test groups,

~~Test Area~~ ~~Route~~ ~~Status~~
~~List contacts (200 + auth)~~ ~~GET /contacts~~ ~~Implemented~~
~~Create contact (201 + validation)~~ ~~POST /contacts~~ ~~Implemented~~
~~Get contact (200 + 404)~~ ~~GET /contacts/:id~~ ~~Implemented~~
~~Update contact (200)~~ ~~PUT /contacts/:id~~ ~~Implemented~~
~~Delete contact (204)~~ ~~DELETE /contacts/:id~~ ~~Implemented~~

accounts.test.ts ~~— 4 tests~~

~~Test Area~~ ~~Route~~ ~~Status~~
~~List chart of accounts (200)~~ ~~GET /accounts~~ ~~Implemented~~
~~Get account by ID (200 + 404)~~ ~~GET /accounts/:id~~ ~~Implemented~~
~~Create account (201)~~ ~~POST /accounts~~ ~~Implemented~~
~~Delete account (204)~~ ~~DELETE /accounts/:id~~ ~~Implemented~~

banking.test.ts ~~— 10 tests~~

~~Test Area~~ ~~Route~~ ~~Status~~
~~List bank accounts (200)~~ ~~GET /banking/accounts~~ ~~Implemented~~
~~Create bank account (201)~~ ~~POST /banking/accounts~~ ~~Implemented~~
~~Import bank statement (200 + validation)~~ ~~POST /banking/accounts/:id/import~~ ~~Implemented~~
~~List bank transactions (200)~~ ~~GET /banking/accounts/:id/transactions~~ ~~Implemented~~
~~Reconcile transaction (200 + 400 for mismatch)~~ ~~POST /banking/accounts/:id/reconcile~~ ~~Implemented~~

reports.test.ts ~~— 9 tests~~

~~Test Area~~ ~~Route~~ ~~Status~~
~~Profit & Loss report (200 + date range)~~ ~~GET /reports/profit-loss~~ ~~Implemented~~
~~Balance sheet (200)~~ ~~GET /reports/balance-sheet~~ ~~Implemented~~
~~VAT report for RS (200 + correct rates)~~ ~~GET /reports/vat~~ ~~Implemented~~
~~Trial balance (200)~~ ~~GET /reports/trial-balance~~ ~~Implemented~~
~~Auth required on all report endpoints~~ ~~All report routes~~ ~~Implemented~~

transactions.test.ts ~~— 9 tests~~

~~Test Area~~ ~~Route~~ ~~Status~~
~~List transactions (200 + pagination)~~ ~~GET /transactions~~ ~~Implemented~~
~~Filter by account (200)~~ ~~GET /transactions?accountId=~~ ~~Implemented~~
~~Get transaction by ID (200 + 404)~~ ~~GET /transactions/:id~~ ~~Implemented~~
~~Auth required~~ ~~All transaction routes~~ ~~Implemented~~

country.test.ts ~~— 27~~40+ tests

~~Tests~~Login ~~the country plugin integration — routes that return country-specific tax configuration.~~

~~Test Area~~ ~~Route~~ ~~Status~~
~~Serbian PDV rates~~Chaos (~~20/10/0)~~8 ~~for RS org~~ ~~GET /country/tax-rates~~ ~~Implemented~~
~~Bosnian PDV rate (17) for BA org~~ ~~GET /country/tax-rates~~ ~~Implemented~~
~~Croatian PDV rates (25/13/5/0) for HR org~~ ~~GET /country/tax-rates~~ ~~Implemented~~
~~Invoice number format per country~~ ~~GET /country/invoice-format~~ ~~Implemented~~
~~Auth required~~ ~~All country routes~~ ~~Implemented~~
~~Unknown country code (400)~~ ~~GET /country/tax-rates~~ ~~Implemented~~

chatbot.test.ts ~~— Chatbot API Tests~~

~~Test Name~~ ~~Route~~ ~~Status~~
returns 200 with assistant response ~~POST /chatbot/message~~ ~~Implemented~~
returns 400 when message is empty ~~POST /chatbot/message~~ ~~Implemented~~
returns 429 when rate limit exceeded ~~POST /chatbot/message~~ ~~Implemented~~
returns 401 without auth ~~POST /chatbot/message~~ ~~Implemented~~
returns 200 with conversation history ~~GET /chatbot/history~~ ~~Implemented~~
returns empty array when no history exists ~~GET /chatbot/history~~ ~~Implemented~~
returns 401 without auth on history ~~GET /chatbot/history~~ ~~Implemented~~
returns 204 when history cleared ~~DELETE /chatbot/history~~ ~~Implemented~~
returns 401 without auth on clear history ~~DELETE /chatbot/history~~ ~~Implemented~~

invoice-gl-reversal.test.ts ~~— Invoice GL Reversal Tests~~

~~Tests~~ InvoiceService.cancelInvoice() ~~— when a SENT invoice is cancelled, reversing double-entry GL entries are created to undo the original booking.~~

~~Test Area~~ ~~Status~~
~~Cancels draft invoice (sets status to cancelled, no GL reversal)~~ ~~Implemented~~
~~Cancels sent invoice (creates reversing GL transactions)~~ ~~Implemented~~
~~Reversal debits = original credits (GL stays balanced)~~ ~~Implemented~~
~~Throws 404 when invoice not found~~ ~~Implemented~~
~~Throws 400 when invoice is already cancelled~~ ~~Implemented~~
~~Throws 400 when invoice is paid (cannot cancel paid invoices)~~ ~~Implemented~~

new-endpoints.test.ts ~~— Additional Endpoint Tests~~

~~Tests for supplemental endpoints not covered in the main mock suite.~~

~~Test Area~~ ~~Route~~ ~~Status~~
~~Receipt not attached (404)~~ ~~GET /expenses/~~tests):~~id/receipt~~ ~~Implemented~~
~~Receipt auth required (401)~~ ~~GET /expenses/:id/receipt~~ ~~Implemented~~
~~VAT export PDF (200 / 404)~~ ~~GET /reports/vat/export/pdf~~ ~~Implemented~~
~~VAT export XML (200 / 404)~~ ~~GET /reports/vat/export/xml~~ ~~Implemented~~
~~Dashboard metrics (200)~~ ~~GET /reports/dashboard~~ ~~Implemented~~
~~Dashboard auth required (401)~~ ~~GET /reports/dashboard~~ ~~Implemented~~
~~Audit log (200 + owner/admin only)~~ ~~GET /security/audit-log~~ ~~Implemented~~
~~Audit log role check (403 for viewer)~~ ~~GET /security/audit-log~~ ~~Implemented~~
~~Data export (200 + owner only)~~ ~~POST /security/data-export~~ ~~Implemented~~
~~Data export role check (403 for admin)~~ ~~POST /security/data-export~~ ~~Implemented~~

e2e/api.test.ts ~~— Full E2E (no mocks, live server)~~

~~End-to-end API integration test. Exercises the full Express application stack with a live server.~~

~~Status~~
~~Implemented~~

e2e/billing-flow.e2e.test.ts ~~— Billing Workflow E2E~~

~~Tests the full billing flow through HTTP endpoints with mocked services (no real DB required):~~

~~Create contact~~

~~Create invoice~~

~~Send invoice (draft → sent)~~

~~Mark invoice paid (sent → paid)~~

~~Check P&L shows revenue~~

~~Verify trial balance returns~~ isBalanced=true

~~Multi-currency invoice in EUR with country VAT rates~~

~~Credit note creation~~

~~Status~~
~~Implemented~~

apps/api/tests/unit/ ~~— Unit Tests (service layer)~~

~~Service-level unit tests with mocked Prisma. No HTTP layer. Tests business logic in individual service classes.~~

invoice-service-calculations.test.ts ~~— Invoice Arithmetic~~

~~Tests~~ InvoiceService.createInvoice() ~~arithmetic at the service layer. Verifies:~~

lineTotalEmpty =fields, quantityspaces-only ×email, unitPrice
XSS
lineTaxin =email, lineTotalSQL ×injection taxRatein /email, 100
10K
subtotalchar =email, sum(lineTotals)
unicode
taxAmountpassword, =special sum(lineTaxes)
characters,
totalNorwegian = subtotal + taxAmount

baseAmount = total × exchangeRatecharacters

Registration
Chaos (20+

All
fields empty, XSS in without @, email with spaces, password password all-numbers, SQL injection injection, 10K char name, special-chars-only, Bosnian chars, emoji,
~~Test~~tests):
~~Area~~ ~~Status~~
~~Single-line~~firstName, ~~invoice~~email ~~arithmetic~~ ~~Implemented~~
~~Multi-line invoice~~email with ~~mixed~~only ~~tax~~@, ~~rates~~ ~~Implemented~~
~~Multi-currency~~7 ~~exchange~~chars ~~rate~~(boundary), ~~application~~ ~~Implemented~~
~~Zero-quantity~~in ~~line~~lastName, ~~items~~HTML ~~rejected~~ ~~Implemented~~
~~NUMERIC(19,4)~~numbers-only ~~precision~~names, ~~maintained~~ ~~Implemented~~
spaces-only,
password
two-factor.test.tscomplexity, —underage ~~Two-Factor~~DOB, ~~Authentication~~duplicate ~~Service~~
email, far-future DOB, OTP with letters/5 digits/7+ digits, phone with letters
~~Tests~~Send TwoFactorServiceMoney atChaos ~~the~~(6 ~~service level. Mocks: bcryptjs, speakeasy, qrcode, Prisma.~~tests):

Amount
0,extremelylarge,textinnumberfield,XSSinname,1MB
~~Test~~negative, ~~Name~~ ~~Status~~

enableXSS -in search, special chars in search QR Payment Chaos (4 tests): Amount 0, negative, very large, many decimals API Impossible Inputs (14 tests):
Empty JSON, number as email, null values, array/object as email, wrong passwordContent-Type, →path throwstraversal, unauthorized
~~Implemented~~

enablepassword, -unicode correctemail, numbers-only name, underage DOB, duplicate email, password → returns secret + QR data URL + 10 codes ~~Implemented~~
enable - backup codes are hashed before storing ~~Implemented~~
enable - plaintext backup codes returned once only ~~Implemented~~
verify - valid TOTP + window=1 → activates 2FA ~~Implemented~~
verify - invalid TOTP → throws badRequest ~~Implemented~~
disable - correct password → clears secret + backup codes ~~Implemented~~
disable - wrong password → throws unauthorized ~~Implemented~~

sef-submission.test.ts ~~— SEF (Serbia E-Invoicing) Client~~

~~Tests~~ SefClient ~~class and~~ InvoiceService.submitToSef() ~~fire-and-forget behavior. HTTP calls are mocked via~~ vi.spyOn(global, 'fetch').

~~Test Area~~ ~~Status~~
SefClient ~~submits UBL XML to SEF sandbox URL~~ ~~Implemented~~
SefClient ~~uses production URL in production env~~ ~~Implemented~~
SefClient ~~retries on network failure~~ ~~Implemented~~
createSefClientFromEnv() ~~reads credentials from env vars~~ ~~Implemented~~
generateSEFInvoiceXML() ~~produces valid UBL 2.1 XML~~ ~~Implemented~~
InvoiceService.submitToSef() ~~never re-throws errors~~ ~~Implemented~~

vat-calculation.test.ts ~~— VAT Calculation Tests (Country Packages)~~

~~Tests pure calculation functions from~~ @bilko/country-rs, @bilko/country-ba~~, and~~ @bilko/country-hr~~. No Prisma,~~ no ~~HTTP~~letters ~~— stateless math functions.~~

~~Country~~ ~~Functions Tested~~ ~~Status~~
~~Serbia~~ calculateSerbianPDV, calculateNetFromGrossPDV, qualifiesForPausalRegime, requiresVATRegistration, calculateSerbianCIT ~~Implemented~~
~~Bosnia~~ calculateBosnianPDV, calculateNetFromGrossPDV, requiresVATRegistration ~~Implemented~~
~~Croatia~~ calculateCroatianPDV, calculateNetFromGrossPDV, requiresVATRegistration ~~Implemented~~
~~All rates~~ ~~Standard, reduced, zero, super-reduced rates per country~~ ~~Implemented~~

apps/api/tests/integration/ ~~— Real Database Tests~~

~~Integration tests that run against a~~ ~~real PostgreSQL database~~ ~~via~~ docker-compose.test.yml~~. Requires Docker.~~

~~Run~~Page ~~with:~~

cd apps/api docker-compose -f ../../docker-compose.test.yml up -d npm run test:integration

auth.integration.test.ts ~~— Auth Integration~~

~~Full registration + login + refresh flow against real DB.~~

~~Test Area~~ ~~Status~~
~~Register new organization + owner user~~ ~~Implemented~~
~~Login with correct credentials~~ ~~Implemented~~
~~Refresh access token via cookie~~ ~~Implemented~~
~~Reject duplicate email registration~~ ~~Implemented~~

invoice.integration.test.ts ~~— Invoice CRUD Integration~~

~~Invoice lifecycle against real DB: create → read → update → status change.~~

~~Test Area~~ ~~Status~~
~~Create invoice with line items~~ ~~Implemented~~
~~Read invoice by ID~~ ~~Implemented~~
~~Update draft invoice~~ ~~Implemented~~
~~Send invoice (draft → sent)~~ ~~Implemented~~
~~Mark paid (sent → paid)~~ ~~Implemented~~

credit-note-gl.integration.test.ts ~~— Credit Note GL Integration~~

~~Tests credit note creation against real DB — verifies reversing GL entries balance.~~

~~Test Area~~ ~~Status~~
~~Credit note creates reversing journal entries~~ ~~Implemented~~
~~Reversing entries balance (debits = credits)~~ ~~Implemented~~
~~Original invoice marked as credited~~ ~~Implemented~~

report.integration.test.ts ~~— Reports Integration~~

~~Report generation against real DB with seeded transactions.~~

~~Test Area~~ ~~Status~~
~~P&L report returns revenue/expense data~~ ~~Implemented~~
~~VAT report returns correct tax amounts~~ ~~Implemented~~
~~Trial balance returns~~ isBalanced=true ~~Implemented~~

tenant-isolation.integration.test.ts ~~— Multi-Tenant Security~~

~~Verifies multi-tenant isolation: Organization A cannot read or modify Organization B's data.~~

~~Test Area~~ ~~Status~~
~~Org A cannot list Org B's invoices~~ ~~Implemented~~
~~Org A cannot read Org B's invoice by ID~~ ~~Implemented~~
~~Org A cannot update Org B's invoice~~ ~~Implemented~~
~~Org A cannot delete Org B's contact~~ ~~Implemented~~
~~Cross-tenant requests return 404 (not 403 — no data leakage)~~ ~~Implemented~~

~~Coverage Tracking~~

~~Module~~ ~~Current Status~~ ~~Target~~
@bilko/core ~~accounting engine~~ ~~Tests implemented (20 cases)~~ ~~>95%~~
@bilko/core ~~invoicing~~ ~~Tests implemented (22 cases)~~ ~~>95%~~
@bilko/core ~~tax/VAT~~ ~~Tests implemented (23 cases)~~ ~~>95%~~
@bilko/core ~~multi-currency~~ ~~Tests implemented (24 cases)~~ ~~>90%~~
@bilko/core ~~chart of accounts~~ ~~Tests implemented (32 cases)~~ ~~>90%~~
~~Auth API~~ ~~Tests implemented (11 cases)~~ ~~>85%~~
~~Invoices API~~ ~~Tests implemented (11 cases)~~ ~~>80%~~
~~Expenses API~~ ~~Tests implemented (9 cases)~~ ~~>80%~~
~~Banking API~~ ~~Tests implemented (10 cases)~~ ~~>75%~~
~~Reports API~~ ~~Tests implemented (9 cases)~~ ~~>75%~~
~~Country/Tax-Rates API~~ ~~Tests implemented (27 cases)~~ ~~>80%~~
~~Chatbot API~~ ~~Tests implemented (9 cases)~~ ~~>80%~~
~~Security/Audit API~~ ~~Tests implemented (via new-endpoints)~~ ~~>80%~~
~~Invoice GL Reversal (service layer)~~ ~~Tests implemented~~ ~~>90%~~
~~Two-Factor Auth (service layer)~~ ~~Tests implemented (8 cases)~~ ~~>90%~~
~~SEF Client + Submission~~ ~~Tests implemented~~ ~~>85%~~
~~VAT Calculations (country packages)~~ ~~Tests implemented~~ ~~>95%~~
~~Multi-tenant isolation (real DB)~~ ~~Tests implemented~~Resilience (5 ~~scenarios)~~ ~~100%~~
~~Invoice CRUD (real DB)~~ ~~Tests implemented~~ ~~>80%~~
~~Credit note GL (real DB)~~ ~~Tests implemented~~ ~~>90%~~

~~Test Execution Commands~~

# All tests (from project root — mock + unit + E2E suites) npm run test # Core unit tests only cd packages/core && npx vitest run # API mock suite only (no DB required) cd apps/api && npx vitest run # API unit suite only cd apps/api && npx vitest run tests/unit/ # API E2E suite only (mocked services, no DB) cd apps/api && npx vitest run tests/e2e/ # Real DB integration tests (requires docker-compose.test.yml) docker-compose -f docker-compose.test.yml up -d cd apps/api && npm run test:integration # Watch mode (re-run on change) cd packages/core && npx vitest cd apps/api && npx vitest # Specific file cd apps/api && npx vitest run tests/auth.test.ts cd apps/api && npx vitest run tests/unit/two-factor.test.ts # With coverage cd packages/core && npx vitest run --coverage # Verbose output npx vitest run --reporter=verbose

~~Related Documents~~
tests):

~~Testing~~Dashboard ~~Guide:~~without ~~TESTING-GUIDE.md~~
auth,
~~Backend~~send ~~Architecture:~~without ~~../backend/BACKEND-ARCHITECTURE.md~~auth, rapid navigation, double-click submit, browser back from OTP

~~Last Updated:~~ ~~2026-03-02~~ ~~Status:~~ ~~Active~~ ~~Total Tests:~~ ~~~390 across 27 test files (mock + unit + E2E + integration)~~

~~Test Name~~	~~What It Tests~~	~~Status~~
`validateDoubleEntry - returns true for balanced entry`	~~Debit total equals credit total~~	~~Implemented~~
`validateDoubleEntry - returns false for unbalanced entry`	~~Debit ≠ credit~~	~~Implemented~~
`validateDoubleEntry - returns false for fewer than 2 lines`	~~Minimum 2 lines required~~	~~Implemented~~
`validateDoubleEntry - returns false for empty lines`	~~Empty array → false~~	~~Implemented~~
`validateDoubleEntry - returns false for negative amounts`	~~Negative amounts invalid~~	~~Implemented~~
`validateDoubleEntry - returns false for zero amounts`	~~Zero amounts invalid~~	~~Implemented~~
`validateDoubleEntry - handles multiple lines that sum to balanced`	~~Multi-line balanced entry~~	~~Implemented~~
`validateDoubleEntry - handles decimal amounts with precision`	~~NUMERIC(19,4) precision~~	~~Implemented~~
`createJournalEntry - returns entry when valid and balanced`	~~Happy path~~	~~Implemented~~
`createJournalEntry - throws for fewer than 2 lines`	~~Error: "at least 2 lines"~~	~~Implemented~~
`createJournalEntry - throws for empty lines array`	~~Error: "at least 2 lines"~~	~~Implemented~~
`createJournalEntry - throws forrateLimit() missing description`	~~Error: "must have a description"~~	~~Implemented~~
`createJournalEntry - throws for whitespace-only description`	~~Whitespace = missing~~	~~Implemented~~
`createJournalEntry - throws for missing date`	~~Error: "must have a date"~~	~~Implemented~~
`createJournalEntry - throws for unbalanced entry`	~~Error shows debit vs credit amounts~~	~~Implemented~~
`createJournalEntry - throws for negative amount lines`	~~Negative amounts rejected~~	~~Implemented~~
`calculateTrialBalance - returns balanced from balanced entries`	~~isBalanced=true, totals correct~~	~~Implemented~~
`calculateTrialBalance - groups by account number`	~~Rows aggregated per account~~	~~Implemented~~
`calculateTrialBalance - returns empty rows for no transactions`	~~Empty array → zero totals~~	~~Implemented~~
`calculateTrialBalance - sorts rows by account number`	~~Rows sorted ascending~~	~~Implemented~~

~~Test Area~~	~~Test Count~~	~~Status~~
~~Account creation~~await (~~valid + invalid inputs)~~	~~~10~~	~~Implemented~~
~~Account hierarchy (parent-child relationships)~~	~8	~~Implemented~~
~~Account type validation (Asset/Liability/Equity/Revenue/Expense)~~	~7	~~Implemented~~
~~Account code format validation (1xxx-5xxx range)~~	~7	~~Implemented~~

~~Test Name~~	~~What It Tests~~	~~Status~~
`generateInvoiceNumber - generates INV-YYYY-NNN format`	~~Standard format~~	~~Implemented~~
`generateInvoiceNumber - increments from last number`	~~Sequential numbering~~	~~Implemented~~
`generateInvoiceNumber - pads number to 3 digits`	~~Zero-padding~~	~~Implemented~~
`generateInvoiceNumber - handles numbers beyond 999`	~~No truncation for 1000+~~	~~Implemented~~
`generateInvoiceNumber - throws for empty prefix`	~~Error: "prefix is required"~~	~~Implemented~~
`generateInvoiceNumber - throws for whitespace-only prefix`	~~Whitespace = invalid~~	~~Implemented~~
`generateInvoiceNumber - throws for negative lastNumber`	~~Error: "non-negative integer"~~	~~Implemented~~
`generateInvoiceNumber - throws for non-integer lastNumber`	~~Float rejected~~	~~Implemented~~
`calculateInvoiceTotals - calculates line item total`	~~quantity × unitPrice~~	~~Implemented~~
`calculateInvoiceTotals - calculates subtotal as sum of lines`	~~Sum of all line totals~~	~~Implemented~~
`calculateInvoiceTotals - calculates tax per line item`	~~lineTotal × taxRate / 100~~	~~Implemented~~
`calculateInvoiceTotals - calculates total = subtotal + tax`	~~Final total~~	~~Implemented~~
`calculateInvoiceTotals - handles items without taxRate`	~~Missing tax = 0~~	~~Implemented~~
`calculateInvoiceTotals - returns zeros for empty items`	~~Empty array → all zeros~~	~~Implemented~~
`calculateInvoiceTotals - handles multiple items with different rates`	~~Mixed 20%/10% tax~~	~~Implemented~~
`calculateInvoiceTotals - maintains decimal precision`	~~3 × 33.33 = 99.99~~	~~Implemented~~
`validateLineItem - returns true for valid item`	~~Happy path~~	~~Implemented~~
`validateLineItem - returns false for zero quantity`	~~qty=0 invalid~~	~~Implemented~~
`validateLineItem - returns false for negative quantity`	~~qty<0 invalid~~	~~Implemented~~
`validateLineItem - returns false for negative unitPrice`	~~price<0 invalid~~	~~Implemented~~
`validateLineItem - returns false for empty description`	~~Description required~~	~~Implemented~~
`validateLineItem - returns false for whitespace-only description`	~~Whitespace = empty~~	~~Implemented~~

~~Test Area~~	~~Test Count~~	~~Status~~
~~Currency conversion (EUR/RSD/BAM)~~	~8	~~Implemented~~
~~Exchange rate locking at transaction date~~	~6	~~Implemented~~
~~NUMERIC(19,4) precision (no float drift)~~	~5	~~Implemented~~
~~Edge cases (zero rate, missing rate, same currency)~~	~5	~~Implemented~~

~~Test Area~~	~~Test Count~~	~~Status~~
~~Serbia PDV (20% standard, 10% reduced, 0% exempt)~~	~6	~~Implemented~~
~~BiH PDV (17% standard)~~	~4	~~Implemented~~
~~Croatia PDV (25% standard, 13% reduced, 5% super-reduced)~~	~5	~~Implemented~~
~~Mixed tax rates on single invoice~~	~3	~~Implemented~~
~~Zero-rate exports~~	~2	~~Implemented~~
~~Reverse VAT / gross-to-net~~	~3	~~Implemented~~

~~Test~~tests): ~~Name~~	~~Route~~	~~Status~~
`returns 201homepage with user,Drop organization,branding` `Has navigation to login and tokens`	~~POST~~ Navigates ~~/auth/register~~	~~Implemented~~
`returnsLogin 400Flow for(4 duplicatetests): email`	~~POST~~ Shows ~~/auth/register~~	~~Implemented~~
`returns 200form with tokenscorrect forfields valid` `Shows credentials`	~~POST /auth/login~~	~~Implemented~~
`returns 401 for invalid password`	~~POST /auth/login~~	~~Implemented~~
`returns 401 for non-existent email`	~~POST /auth/login~~	~~Implemented~~
`returns 200error with newempty accesscredentials token(client-side) for` `Shows valid refresh token`	~~POST /auth/refresh~~	~~Implemented~~
`returns 401 when no refresh token cookie is present`	~~POST /auth/refresh~~	~~Implemented~~
`returns 204 and clears cookie`	~~POST /auth/logout~~	~~Implemented~~
`returns 200error with currentwrong usercredentials when` `Logs authenticated`	~~GET /auth/me~~	~~Implemented~~
`returns 401 when no token provided`	~~GET /auth/me~~	~~Implemented~~
`returns 401 for invalid token`	~~GET /auth/me~~	~~Implemented~~

~~Test Name~~	~~Route~~	~~Status~~
`returns 200in with paginateddemo list`	~~GET~~redirects ~~/invoices~~	~~Implemented~~
`returnsFlow 401(4 withouttests): auth`	~~GET~~ Shows ~~/invoices~~	~~Implemented~~
`returns 201form with createdrequired invoice`	~~POST~~disabled ~~/invoices~~	~~Implemented~~
`returnsclient-side 200` `Validates withpassword fulllength invoice`	~~GET~~ Full ~~/invoices/:id~~	~~Implemented~~
`returns 404 when invoice not found`	~~GET /invoices/:id~~	~~Implemented~~
`returns 200 when updating draft invoice`	~~PUT /invoices/:id~~	~~Implemented~~
`returns 400 when updating sent invoice`	~~PUT /invoices/:id~~	~~Implemented~~
`returns 200 when sending invoice (draftform -> sent)`	~~PATCH /invoices/:id/status~~	~~Implemented~~
`returns 200 when marking invoice as paid (sentOTP -> paid)`	~~PATCH~~-> success Dashboard (2 tests): Login redirects to dashboard with action buttons Authenticated pages load after login API Health (4 tests): GET /~~invoices/:id/status~~	~~Implemented~~
`returns 204exchange whenrates deleting draft invoice`	~~DELETE~~ GET /~~invoices/:id~~	~~Implemented~~
`returns 400specific whenrate deleting sent invoice`	~~DELETE~~ GET /~~invoices/~~api/rates/XXX returns 404 POST /api/auth/register validates input All Pages Load (10 tests):id	~~Implemented~~

~~Test~~Registration ~~Area~~	~~Route~~	~~Status~~
~~List~~success ~~expenses~~-> dashboard (~~200~~skipped) + Send ~~auth)~~	~~GET~~-- ~~/expenses~~	~~Implemented~~
~~Create~~amount ~~expense~~-> confirm -> verify in history QR Payment -- login -> scan -> amount -> pay -> verify in history Virtual Card -- login -> cards -> order -> verify card appears Bank Accounts -- login -> accounts -> verify Open Banking info, DNB account Profile and Logout -- login -> profile -> verify info -> logout -> redirect Full Navigation -- login -> navigate all 7 pages via direct links Error Handling -- wrong credentials -> error -> correct -> success (~~201)~~	~~POST /expenses~~	~~Implemented~~
~~Get expense by ID (200 + 404)~~	~~GET /expenses/:id~~	~~Implemented~~
~~Update expense (200 + 400 for non-pending)~~	~~PUT /expenses/:id~~	~~Implemented~~
~~Approve expense (200 + role check)~~	~~PATCH /expenses/:id/approve~~	~~Implemented~~
~~Delete expense (204 + 400 for approved)~~	~~DELETE /expenses/:id~~	~~Implemented~~

~~Test Area~~	~~Route~~	~~Status~~
~~List contacts (200 + auth)~~	~~GET /contacts~~	~~Implemented~~
~~Create contact (201 + validation)~~	~~POST /contacts~~	~~Implemented~~
~~Get contact (200 + 404)~~	~~GET /contacts/:id~~	~~Implemented~~
~~Update contact (200)~~	~~PUT /contacts/:id~~	~~Implemented~~
~~Delete contact (204)~~	~~DELETE /contacts/:id~~	~~Implemented~~

~~Test Area~~	~~Route~~	~~Status~~
~~List chart of accounts (200)~~	~~GET /accounts~~	~~Implemented~~
~~Get account by ID (200 + 404)~~	~~GET /accounts/:id~~	~~Implemented~~
~~Create account (201)~~	~~POST /accounts~~	~~Implemented~~
~~Delete account (204)~~	~~DELETE /accounts/:id~~	~~Implemented~~

~~Test Area~~	~~Route~~	~~Status~~
~~List bank accounts (200)~~	~~GET /banking/accounts~~	~~Implemented~~
~~Create bank account (201)~~	~~POST /banking/accounts~~	~~Implemented~~
~~Import bank statement (200 + validation)~~	~~POST /banking/accounts/:id/import~~	~~Implemented~~
~~List bank transactions (200)~~	~~GET /banking/accounts/:id/transactions~~	~~Implemented~~
~~Reconcile transaction (200 + 400 for mismatch)~~	~~POST /banking/accounts/:id/reconcile~~	~~Implemented~~

~~Test Area~~	~~Route~~	~~Status~~
~~Profit & Loss report (200 + date range)~~	~~GET /reports/profit-loss~~	~~Implemented~~
~~Balance sheet (200)~~	~~GET /reports/balance-sheet~~	~~Implemented~~
~~VAT report for RS (200 + correct rates)~~	~~GET /reports/vat~~	~~Implemented~~
~~Trial balance (200)~~	~~GET /reports/trial-balance~~	~~Implemented~~
~~Auth required on all report endpoints~~	~~All report routes~~	~~Implemented~~

~~Test Area~~	~~Route~~	~~Status~~
~~List transactions (200 + pagination)~~	~~GET /transactions~~	~~Implemented~~
~~Filter by account (200)~~	~~GET /transactions?accountId=~~	~~Implemented~~
~~Get transaction by ID (200 + 404)~~	~~GET /transactions/:id~~	~~Implemented~~
~~Auth required~~	~~All transaction routes~~	~~Implemented~~

~~Test Area~~	~~Route~~	~~Status~~
~~Serbian PDV rates~~Chaos (~~20/10/0)~~8 ~~for RS org~~	~~GET /country/tax-rates~~	~~Implemented~~
~~Bosnian PDV rate (17) for BA org~~	~~GET /country/tax-rates~~	~~Implemented~~
~~Croatian PDV rates (25/13/5/0) for HR org~~	~~GET /country/tax-rates~~	~~Implemented~~
~~Invoice number format per country~~	~~GET /country/invoice-format~~	~~Implemented~~
~~Auth required~~	~~All country routes~~	~~Implemented~~
~~Unknown country code (400)~~	~~GET /country/tax-rates~~	~~Implemented~~

~~Test Name~~	~~Route~~	~~Status~~
`returns 200 with assistant response`	~~POST /chatbot/message~~	~~Implemented~~
`returns 400 when message is empty`	~~POST /chatbot/message~~	~~Implemented~~
`returns 429 when rate limit exceeded`	~~POST /chatbot/message~~	~~Implemented~~
`returns 401 without auth`	~~POST /chatbot/message~~	~~Implemented~~
`returns 200 with conversation history`	~~GET /chatbot/history~~	~~Implemented~~
`returns empty array when no history exists`	~~GET /chatbot/history~~	~~Implemented~~
`returns 401 without auth on history`	~~GET /chatbot/history~~	~~Implemented~~
`returns 204 when history cleared`	~~DELETE /chatbot/history~~	~~Implemented~~
`returns 401 without auth on clear history`	~~DELETE /chatbot/history~~	~~Implemented~~

~~Test Area~~	~~Status~~
~~Cancels draft invoice (sets status to cancelled, no GL reversal)~~	~~Implemented~~
~~Cancels sent invoice (creates reversing GL transactions)~~	~~Implemented~~
~~Reversal debits = original credits (GL stays balanced)~~	~~Implemented~~
~~Throws 404 when invoice not found~~	~~Implemented~~
~~Throws 400 when invoice is already cancelled~~	~~Implemented~~
~~Throws 400 when invoice is paid (cannot cancel paid invoices)~~	~~Implemented~~

~~Test Area~~	~~Route~~	~~Status~~
~~Receipt not attached (404)~~	~~GET /expenses/~~tests):~~id/receipt~~	~~Implemented~~
~~Receipt auth required (401)~~	~~GET /expenses/:id/receipt~~	~~Implemented~~
~~VAT export PDF (200 / 404)~~	~~GET /reports/vat/export/pdf~~	~~Implemented~~
~~VAT export XML (200 / 404)~~	~~GET /reports/vat/export/xml~~	~~Implemented~~
~~Dashboard metrics (200)~~	~~GET /reports/dashboard~~	~~Implemented~~
~~Dashboard auth required (401)~~	~~GET /reports/dashboard~~	~~Implemented~~
~~Audit log (200 + owner/admin only)~~	~~GET /security/audit-log~~	~~Implemented~~
~~Audit log role check (403 for viewer)~~	~~GET /security/audit-log~~	~~Implemented~~
~~Data export (200 + owner only)~~	~~POST /security/data-export~~	~~Implemented~~
~~Data export role check (403 for admin)~~	~~POST /security/data-export~~	~~Implemented~~

~~Test~~tests): ~~Area~~	~~Status~~
~~Single-line~~firstName, ~~invoice~~email ~~arithmetic~~	~~Implemented~~
~~Multi-line invoice~~email with ~~mixed~~only ~~tax~~@, ~~rates~~	~~Implemented~~
~~Multi-currency~~7 ~~exchange~~chars ~~rate~~(boundary), ~~application~~	~~Implemented~~
~~Zero-quantity~~in ~~line~~lastName, ~~items~~HTML ~~rejected~~	~~Implemented~~
~~NUMERIC(19,4)~~numbers-only ~~precision~~names, ~~maintained~~	~~Implemented~~

~~Test~~negative, ~~Name~~	~~Status~~
`enableXSS -in search, special chars in search QR Payment Chaos (4 tests): Amount 0, negative, very large, many decimals API Impossible Inputs (14 tests):` `Empty JSON, number as email, null values, array/object as email, wrong passwordContent-Type, →path throwstraversal, unauthorized`	~~Implemented~~
`enablepassword, -unicode correctemail, numbers-only name, underage DOB, duplicate email, password → returns secret + QR data URL + 10 codes`	~~Implemented~~
`enable - backup codes are hashed before storing`	~~Implemented~~
`enable - plaintext backup codes returned once only`	~~Implemented~~
`verify - valid TOTP + window=1 → activates 2FA`	~~Implemented~~
`verify - invalid TOTP → throws badRequest`	~~Implemented~~
`disable - correct password → clears secret + backup codes`	~~Implemented~~
`disable - wrong password → throws unauthorized`	~~Implemented~~

~~Test Area~~	~~Status~~
`SefClient` ~~submits UBL XML to SEF sandbox URL~~	~~Implemented~~
`SefClient` ~~uses production URL in production env~~	~~Implemented~~
`SefClient` ~~retries on network failure~~	~~Implemented~~
`createSefClientFromEnv()` ~~reads credentials from env vars~~	~~Implemented~~
`generateSEFInvoiceXML()` ~~produces valid UBL 2.1 XML~~	~~Implemented~~
`InvoiceService.submitToSef()` ~~never re-throws errors~~	~~Implemented~~

Test Inventory

Bilko —Drop Test Inventory

SummaryDirectory Structure

Unit Tests (Vitest)

tests/unit/auth.test.ts -- 7 tests

tests/unit/db.test.ts -- 5 tests

tests/unit/feature-flags.test.ts -- 6 tests

tests/unit/middleware.test.ts -- 7 tests

tests/unit/utils.test.ts -- 5 tests

tests/unit/validation.test.ts -- 10 tests

tests/unit/api-routes.test.ts -- 8 test groups

Integration Tests (Vitest)

tests/integration/api-endpoints.test.ts -- 20+ tests

Performance Tests (Vitest)

tests/performance/api-benchmarks.test.ts -- 8 tests

Test Category Breakdown

packages/core/tests/ — UnitRegression Tests

accounting.tests/regression/known-bugs.test.ts —-- 204 testsbug groups

chart-of-accounts.test.ts — 32 tests

invoicing.test.ts — 22 tests

multi-currency.test.ts — 24 tests

tax.test.ts — 23 tests

apps/api/tests/ — Mock API Tests

setup.ts — Test Infrastructure (not a test file)

E2E Tests (Playwright)

auth.test.tests/e2e/user-flows.spec.ts —-- 115 teststest groups

invoices.test.ts — 11 tests

expenses.test.tests/e2e/full-flows.spec.ts —-- 98 testsjourneys

contacts.test.tests/e2e/input-chaos.spec.ts —-- 97 tests

accounts.test.ts — 4 tests

banking.test.ts — 10 tests

reports.test.ts — 9 tests

transactions.test.ts — 9 tests

country.test.ts — 2740+ tests

chatbot.test.ts — Chatbot API Tests

invoice-gl-reversal.test.ts — Invoice GL Reversal Tests

new-endpoints.test.ts — Additional Endpoint Tests

e2e/api.test.ts — Full E2E (no mocks, live server)

e2e/billing-flow.e2e.test.ts — Billing Workflow E2E

apps/api/tests/unit/ — Unit Tests (service layer)

invoice-service-calculations.test.ts — Invoice Arithmetic

two-factor.test.tscomplexity, —underage Two-FactorDOB, Authenticationduplicate Service

sef-submission.test.ts — SEF (Serbia E-Invoicing) Client

vat-calculation.test.ts — VAT Calculation Tests (Country Packages)

apps/api/tests/integration/ — Real Database Tests

auth.integration.test.ts — Auth Integration

invoice.integration.test.ts — Invoice CRUD Integration

credit-note-gl.integration.test.ts — Credit Note GL Integration

report.integration.test.ts — Reports Integration

tenant-isolation.integration.test.ts — Multi-Tenant Security

Coverage Tracking

Test Execution Commands

Related Documents

`tests/unit/auth.test.ts` -- 7 tests

`tests/unit/db.test.ts` -- 5 tests

`tests/unit/feature-flags.test.ts` -- 6 tests

`tests/unit/middleware.test.ts` -- 7 tests

`tests/unit/utils.test.ts` -- 5 tests

`tests/unit/validation.test.ts` -- 10 tests

`tests/unit/api-routes.test.ts` -- 8 test groups

`tests/integration/api-endpoints.test.ts` -- 20+ tests

`tests/performance/api-benchmarks.test.ts` -- 8 tests

`packages/core/tests/` — UnitRegression Tests

`accounting.tests/regression/known-bugs.test.ts` —-- 204 testsbug groups

`chart-of-accounts.test.ts` — 32 tests

`invoicing.test.ts` — 22 tests

`multi-currency.test.ts` — 24 tests

`tax.test.ts` — 23 tests

`apps/api/tests/` — Mock API Tests

`setup.ts` — Test Infrastructure (not a test file)

`auth.test.tests/e2e/user-flows.spec.ts` —-- 115 teststest groups

`invoices.test.ts` — 11 tests

`expenses.test.tests/e2e/full-flows.spec.ts` —-- 98 testsjourneys

`contacts.test.tests/e2e/input-chaos.spec.ts` —-- 97 tests

`accounts.test.ts` — 4 tests

`banking.test.ts` — 10 tests

`reports.test.ts` — 9 tests

`transactions.test.ts` — 9 tests

`country.test.ts` — 2740+ tests

`chatbot.test.ts` — Chatbot API Tests

`invoice-gl-reversal.test.ts` — Invoice GL Reversal Tests

`new-endpoints.test.ts` — Additional Endpoint Tests

`e2e/api.test.ts` — Full E2E (no mocks, live server)

`e2e/billing-flow.e2e.test.ts` — Billing Workflow E2E

`apps/api/tests/unit/` — Unit Tests (service layer)

`invoice-service-calculations.test.ts` — Invoice Arithmetic

`two-factor.test.ts`complexity, —underage Two-FactorDOB, Authenticationduplicate Service

`sef-submission.test.ts` — SEF (Serbia E-Invoicing) Client

`vat-calculation.test.ts` — VAT Calculation Tests (Country Packages)

`apps/api/tests/integration/` — Real Database Tests

`auth.integration.test.ts` — Auth Integration

`invoice.integration.test.ts` — Invoice CRUD Integration

`credit-note-gl.integration.test.ts` — Credit Note GL Integration

`report.integration.test.ts` — Reports Integration

`tenant-isolation.integration.test.ts` — Multi-Tenant Security

~~Country~~	~~Functions Tested~~	~~Status~~
~~Serbia~~	`calculateSerbianPDV`, `calculateNetFromGrossPDV`, `qualifiesForPausalRegime`, `requiresVATRegistration`, `calculateSerbianCIT`	~~Implemented~~
~~Bosnia~~	`calculateBosnianPDV`, `calculateNetFromGrossPDV`, `requiresVATRegistration`	~~Implemented~~
~~Croatia~~	`calculateCroatianPDV`, `calculateNetFromGrossPDV`, `requiresVATRegistration`	~~Implemented~~
~~All rates~~	~~Standard, reduced, zero, super-reduced rates per country~~	~~Implemented~~

~~Test Area~~	~~Status~~
~~Register new organization + owner user~~	~~Implemented~~
~~Login with correct credentials~~	~~Implemented~~
~~Refresh access token via cookie~~	~~Implemented~~
~~Reject duplicate email registration~~	~~Implemented~~

~~Test Area~~	~~Status~~
~~Create invoice with line items~~	~~Implemented~~
~~Read invoice by ID~~	~~Implemented~~
~~Update draft invoice~~	~~Implemented~~
~~Send invoice (draft → sent)~~	~~Implemented~~
~~Mark paid (sent → paid)~~	~~Implemented~~

~~Test Area~~	~~Status~~
~~Credit note creates reversing journal entries~~	~~Implemented~~
~~Reversing entries balance (debits = credits)~~	~~Implemented~~
~~Original invoice marked as credited~~	~~Implemented~~

~~Test Area~~	~~Status~~
~~P&L report returns revenue/expense data~~	~~Implemented~~
~~VAT report returns correct tax amounts~~	~~Implemented~~
~~Trial balance returns~~ `isBalanced=true`	~~Implemented~~

~~Test Area~~	~~Status~~
~~Org A cannot list Org B's invoices~~	~~Implemented~~
~~Org A cannot read Org B's invoice by ID~~	~~Implemented~~
~~Org A cannot update Org B's invoice~~	~~Implemented~~
~~Org A cannot delete Org B's contact~~	~~Implemented~~
~~Cross-tenant requests return 404 (not 403 — no data leakage)~~	~~Implemented~~

~~Module~~	~~Current Status~~	~~Target~~
`@bilko/core` ~~accounting engine~~	~~Tests implemented (20 cases)~~	~~>95%~~
`@bilko/core` ~~invoicing~~	~~Tests implemented (22 cases)~~	~~>95%~~
`@bilko/core` ~~tax/VAT~~	~~Tests implemented (23 cases)~~	~~>95%~~
`@bilko/core` ~~multi-currency~~	~~Tests implemented (24 cases)~~	~~>90%~~
`@bilko/core` ~~chart of accounts~~	~~Tests implemented (32 cases)~~	~~>90%~~
~~Auth API~~	~~Tests implemented (11 cases)~~	~~>85%~~
~~Invoices API~~	~~Tests implemented (11 cases)~~	~~>80%~~
~~Expenses API~~	~~Tests implemented (9 cases)~~	~~>80%~~
~~Banking API~~	~~Tests implemented (10 cases)~~	~~>75%~~
~~Reports API~~	~~Tests implemented (9 cases)~~	~~>75%~~
~~Country/Tax-Rates API~~	~~Tests implemented (27 cases)~~	~~>80%~~
~~Chatbot API~~	~~Tests implemented (9 cases)~~	~~>80%~~
~~Security/Audit API~~	~~Tests implemented (via new-endpoints)~~	~~>80%~~
~~Invoice GL Reversal (service layer)~~	~~Tests implemented~~	~~>90%~~
~~Two-Factor Auth (service layer)~~	~~Tests implemented (8 cases)~~	~~>90%~~
~~SEF Client + Submission~~	~~Tests implemented~~	~~>85%~~
~~VAT Calculations (country packages)~~	~~Tests implemented~~	~~>95%~~
~~Multi-tenant isolation (real DB)~~	~~Tests implemented~~Resilience (5 ~~scenarios)~~	~~100%~~
~~Invoice CRUD (real DB)~~	~~Tests implemented~~	~~>80%~~
~~Credit note GL (real DB)~~	~~Tests implemented~~	~~>90%~~