From 552a898d875236095cae1fb94b68276ab9c95763 Mon Sep 17 00:00:00 2001 From: roost-io Date: Sun, 22 Mar 2026 06:48:34 +0000 Subject: [PATCH] Functional test generated by RoostGPT Using AI Model gpt-4.1 --- functional_tests/README.md | 16 ++ .../ZBIO-5213/.roost/roost_metadata.json | 19 ++ functional_tests/ZBIO-5213/ZBIO-5213.csv | 15 ++ functional_tests/ZBIO-5213/ZBIO-5213.docx | Bin 0 -> 20694 bytes functional_tests/ZBIO-5213/ZBIO-5213.feature | 238 ++++++++++++++++++ functional_tests/ZBIO-5213/ZBIO-5213.json | 209 +++++++++++++++ functional_tests/ZBIO-5213/ZBIO-5213.xlsx | Bin 0 -> 17617 bytes 7 files changed, 497 insertions(+) create mode 100644 functional_tests/ZBIO-5213/.roost/roost_metadata.json create mode 100644 functional_tests/ZBIO-5213/ZBIO-5213.csv create mode 100644 functional_tests/ZBIO-5213/ZBIO-5213.docx create mode 100644 functional_tests/ZBIO-5213/ZBIO-5213.feature create mode 100644 functional_tests/ZBIO-5213/ZBIO-5213.json create mode 100644 functional_tests/ZBIO-5213/ZBIO-5213.xlsx diff --git a/functional_tests/README.md b/functional_tests/README.md index 1c972b2..a33c1f4 100644 --- a/functional_tests/README.md +++ b/functional_tests/README.md @@ -65,3 +65,19 @@ --- +**Execution Date:** 3/22/2026, 6:48:33 AM + +**Test Unique Identifier:** "ZBIO-5213" + +**Input(s):** + 1. JIRA ID: ZBIO-5213 + +**Test Output Folder:** + 1. [ZBIO-5213.json](ZBIO-5213/ZBIO-5213.json) + 2. [ZBIO-5213.feature](ZBIO-5213/ZBIO-5213.feature) + 3. [ZBIO-5213.csv](ZBIO-5213/ZBIO-5213.csv) + 4. [ZBIO-5213.xlsx](ZBIO-5213/ZBIO-5213.xlsx) + 5. [ZBIO-5213.docx](ZBIO-5213/ZBIO-5213.docx) + +--- + diff --git a/functional_tests/ZBIO-5213/.roost/roost_metadata.json b/functional_tests/ZBIO-5213/.roost/roost_metadata.json new file mode 100644 index 0000000..4a6d72e --- /dev/null +++ b/functional_tests/ZBIO-5213/.roost/roost_metadata.json @@ -0,0 +1,19 @@ +{ + "project": { + "name": "ZBIO-5213", + "created_at": "2026-03-22T06:48:33.220Z", + "updated_at": "2026-03-22T06:48:33.220Z" + }, + "files": { + "input_files": [ + { + "fileName": "ZBIO-5213.txt", + "fileURI": "/var/tmp/Roost/RoostGPT/demo-functional-test/02cb925a-353c-4738-8da0-2053e0e563ce/functional_tests/ZBIO-5213/ZBIO-5213.txt", + "fileSha": "0e017aaae1" + } + ] + }, + "api_files": { + "input_files": [] + } +} \ No newline at end of file diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.csv b/functional_tests/ZBIO-5213/ZBIO-5213.csv new file mode 100644 index 0000000..154dddb --- /dev/null +++ b/functional_tests/ZBIO-5213/ZBIO-5213.csv @@ -0,0 +1,15 @@ +Full Credit Card Due Collection Lifecycle with Notifications, Escalation, Payment Plan, and Compliance Checks +Strict Masking - Validate Full Card Number Exposure Is Impossible in Notifications, UIs, APIs and Logs +Boundary Delinquency and Payment Plan Eligibility and Reversal +Role-Based Access Validation for All User Types +Integration Failure Handling and Masked User Messaging +Joint Account Multiple Cards - Notification Duplication and Card Reference Masking +Time Zone and Last-Minute Payments - Notification Escalation and State Reversal +Lost Notification Leads to Escalation and Recovery with Masking +Payment Plan Proposal Fee Reduction Limit, User Rejection and Acceptance +User Consent Withdrawal After Collection Agency Handoff +Partial Payment Scheduling and State Logic +API Injection - Full Card Number Input Rejection and Masking +Notification Preference Update and Channel Enforcement +Payment Plan Proposal and Acceptance at Last Eligible Day with Immediate Reversal +Legal Notification Generation, Document Masking, Access Control and Audit Validation \ No newline at end of file diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.docx b/functional_tests/ZBIO-5213/ZBIO-5213.docx new file mode 100644 index 0000000000000000000000000000000000000000..34f510c07673a767cfd42fe96ff04af5bd44a2ef GIT binary patch literal 20694 zcmZ^qV~{A#x~1E;ZQHhO?Y3>(w%xmJ+qP}nw&y$d%(*cWccy-1W<;&3A1mu!RT){2 zf;2D)6u`d@U^Z9n{~G-72K1la&Cb!7Ug7^Mf&Py~&(Xx%>A!^#|8*~?=#}H!e*}Ml z0RV9RZ=tcBk&BIqtuvjwjWylBF0D@5mI7u(2+<>*>dvxRCR%7>Cwfv_0hefO@m-hnHVh}`1dXZy3z$*h?$GV`dh~n+*_{4>C7(VQ z!4bn3?Kmh13|Qxv#+>$78;#`YSURWBm@bFue%kOp!#i%MQD-{Bv%jWvtq!cSLMO;9 z9Q}1yUX20M8^fXD>R}WT#J~yuOdyBbpZ6N((*< zUqd{#YLjq6fENuCIC(nbiA-V&yVF4GkN>tXfiN?HGf-uN8jabJPZxJcoI!ZFD75JT z{EwsmHVQ{B(B}^e0Kn)ZAOPZjjQT$6y?C~sBRSp= zC1Dm>_j0wB^A~Vor(y9I1S~qE?j4+&_UQIVO!8AL0}{we_F41KWM`vnh!QYWRWtR? z(EIuH^WHG-PpNR$Jlf^s^!B_XQSi_vvFQ1D8IQx)o$c{JI^&v1qM&wszD~j}&ixwI z`~Ch3(uspGvXr!}>jncVdW}@&YoFd()DB#jSli%%dx=TFuvNg|p+8 zP|z|pFK?0pET&(c4s}cFZdH%R4~%c+ zxzhX(wLJwKd=KZI-Zv*(Zrpx_I_l5m)(_~1d+Othy3g~~-TSxR$-6XC9pYOfy5CM`H->vFx|=7vij2MX(WLXT$`Q=Y z?=W2McRqXjCUZ{|+lA^L@0Q(dkBCj=`hso$AK1$1+wItyKzR1!@13i&v=XI$_&sGX zakE12;#PO?t;-xW6JD?TCwp%@;jG&oDo2@Jj@Rut&F$Z6f|j4Mir>YeLhoEEcjV(r zGR^JVVwIi=rS6|-^#SUIZoyl>KgCa<=i9pXUMbWJ^Hd(FJh}W{p}ND9o4J{y8vRL2 zd8QiRM~1e+`{++OA-&}gNwi^KQfU^6nYlEDGOt?@3FCdmspTdo}zTdffE=eZ+4#kNmH8o{Yfk|ThxTz+QGun4#Iu&nZBW{wHE_XF$ z%JzRb77@Wpxneo45y4L9VUHtc8XQGUb{S z-%1ZWhjfvYg0n~B7o_$lX~=Hp^CEuIxee4 zc}~gW(f&8w1? zDwk<&7uwROjC{oa7(?0_U4YHw2IiJ}x-@L)$708}$jr*1Z7OiT|24pHtUa;~g zrFwxc3x%zDj(Gmmrn<(p;M}%n8uP9sU=u1>v9GP}PPWv zKQ(A4*pk~wNN1^fu_ug}T?v(+wY!Vl1N}|5{Okb&UK=^V%5Sz~J@hzR!}RC{{$gep zA-g-qy$1hvE`Idtrlk_d8-Bog1y}enXN?HU1?s})Qr{mR?3=HY#Uejda%Y!HG;4cT za7YX8#U8$@__y*3Ze@QmkqS#EzO1?ZufQ-o1l>ND_#&1`MMY3|56$bJF-9C~(HkHt z$z{dN>r5U&5SL8$yPsR%Hvui0j(Q~*9F(r;NU$!vH`Gg$W$)sID=l(MyjHvxGlti- zw2eJ3gE|#=a?g(SUDk86VX2^M_@GJ^9jioB6u+q`tG38Kle^kH(D%ybHqZ)H$lI+P zW>9+@bm^{uB!gew7i=OS$s|hWyd<*F-H{yjQEdgc-+G%hR!%jjd(3M{2Ltvr2TMja zYM^JxA1?0Um*}9%N|u^tT{2j=fZT5swjsmqq4cNmsp@y1=N`@d!Lp<3o6L)qT zfpPsz(i6ntRHPPgT(AWaQ>iSOehNX;w(vvQY3+0samhgWpaegGaY?RSpU5ng28}W# zfBC*u2Dk^jy410Nh7d)U#4$5}r%T4Q#!nnpNFw7x+>{0g#GCKY`h=1CY`cb(4=zJz zl-Q}oE{2fV*iR5(@q88Qx1$@Zw)9544Ofg^F%w?KC7Iqkj0wpR(Bzq=j`WjhH*NPn z;ccMiHlkefBd-3wmj7UM0gjsyZ*cfYtM|gA#0q<7cNg+_OT_N>zTZH+{NDeu zcXVJx3>X++>i^@bYOG$EXyT&Y?6=a9muWdJRvh4_8!2GZ zCooIDqdQgDu!X+>Xkmewzu6bbzzf|4R7zKppWX_D0r|yB$8aROyFY9WTr-V7JFs{5 zRRylVnGd&BexaOE%t*Eli8ma~;R(cUKV9jF_0dicb|icmA1%Slf7Hme-A8y9l&jwn zibQ;4kl45w7>O}h6-l(;Lg2n+VSdI9fsj}xwG08f88Q9QS;rzIWRO)Dm|Im8cm6_t zdirBnkw7OG_fPoFmSLTfs}@gUQ%Vio?cs)i0|xVlj0jCL+heocHOtZOhx7p%yv>&{ zal8~Df@$^(7%YpaiHwU#F^j2%Ji)<$48$1N=O2^|h;_D{m=Gc1{^4CXG{yJ8U9gC? zoa?p@Az|zzRaF%Iqy7{yrVa}0--_i4Nh|wlu9Jkw2+yGsMb;;x9ch*k_QmsD z)o61Kd1JH)FZV30hH7nRq+)+q8t8ek%i8jZmI}0nW398fkX&`YM2ukNlyYgNjBL*$H zbsvnr&$pb!lJyMVLbn^X`SF1&iPDp$V7h&)G5ec6iJXZRJ{eL@bSvLMv|=Jt#i~8$ zt2EJu0)7`Zj2Ke*vmf~(z~`?g?EcyS8>T8OQAIYk|LTAPEdNk_&6ESfFioE1f~dv zzUq(&2-mP71SCIRB@tfD*v#5pd;P8h`7^w4a?3bG)3Z%Tut%fCnc-3hLbfLJF^v7H z6hJJ{Di(M2M{_@PEXqvW&O2-5qqH?#@bBZZoFB=rPhgTF#dx28KVtWDTk=y41RXYw zXC4ba*%k#oP#EzC#zz9sGEZM)o@)u=JF%2w*Ql|#=-zBNNL(n@K^X`!&-nVET}1hD zrl`Bi&D@OKx2STvx0~(ptGzwWWp;^x30eDtCI37HZLx?w?ZjyWi0l?nLIZmPue3X2 z?bs(>D%X;F7jd;E{bfLQ*}_1-D7Iswvs4dRkp^OF+qLH$KDqd;GGZHYSrz2|$ZIPI zI#r))72CS{_Qefsc2>3)!kWEiaRm#)GI~=gH=)W2lsl@&{dm0v3dff#HZFLNRS{1325Wp!D`7zwHI>%L|_}4|0?f z9D8_eT^xAGqlvu;b9h)Dc(5~AtZ z*SnC6MBaLtn?I44hS%Ff!Dubj&Sf?|@+baEU7^@eIlv&|u0pZ=83SOqhABHP_w_h4 z4RU^{^Syn1OC(;+DNu>k5jQqZh&7Uv@QF=DLZMZW|sCc_Lza?8-1V%`m`BN-7Lf*$tAjMvUO9jV?SKP-|@i;4)#8NgB zCGpXKIPZLjBXVWKC^{stLI7=t-wG5KR8V$pFBpC+wm!l&!Ucsa&g|GZ8{cw6z{zYm z5)v#sSkaID45&RPi}n_qU>UaaR>nDQW3(FF(7EY>56BB#5jXzjvU!6_;y8dxdv{Z(4GFO7tC3h8!T17lnnk2`OApR z5>_(?ETe}(t|1rh-Z3P_a*g(>xN4g1DnYi;HF>|YUv_5|YUhXO8$%D4==-}p|4*%e z3NEY->y$SKCV|~hp%qT|6iOLdl$)dCc8$1l7=H=SaR)n+E6KAkEw$4dJ>g51X@sab z5U-1fa5JrWfV)0&7zk&1RISb{2m_&)Arl%Ys!r4@vBP+aBu1d2c_r9hdwh1+fI+lw z7QEOd6tyQ@Yryu3!)T3e=p`Bx#2DIV@r0Q56C!3y2(TG$W#G{k*m}~1y|N>Y9#~l6 zCjhb-Nnr7m&ve@=>2?`$#Bk>cn1x1iyBP%zK^cVEyL~` z!LXTrdN&?NtVQ$GOltEQLwSY(k!L?05YUL7Tg0iN*;#F28p03*(diHpGf}Z9I5H3I zHwp44=REi(xz=?>mg7n&cq@vAk3@(T_-c{vJu5LJ@$}JAcyhuvdo>9Rn|&jJ}d zfJKu_6g6to95=(rm`W6VirZaT}d zB7MYzl=$#{C<3y|i#5Pug>uRuqs&``K=+vk>GN>FNpe8VxrK?*DrYblkBRto#1uHA z5}80xTbuYw?S|mPt%FC@iacmFsZ^_OH0k)mY#7{p=P4tNUEte)gi>W#F%m+S4BCU!oUvFf!pGp^*?4z>=F7lNd$(7EB=66dY%W|IAnPq-h?(SOg6yTVk<`Kwz~(bkSi#M$u1wc?`Z?cmB)gNDp4JZ^YS7G z@l)9q^S3MBebt{M2YNS{@HA+s&TeV!iIMnj$(kiUr{8lvL)s#xs&Gvval-YSDo+`x zH+|1Jsq+PtI)EfKBzlOQJ!5<4a$6i&BP z{>gDzRBxcXF12ja)Nd!d6{vdxs`XGc*I{!?#0|J2zGs}M>L>R)a2|XrQ+ggY8ZLT; z7&bwO&j8%&03af{00u1}ddW@rc1WaGvTRzXiZa6^s9a)_Jmpuv;6&Wkj%WsLK_->* zeI$}+lp?OGDMMk(S$Kk0z*eJ%Ml1mw9C%sq z5kAZov2adh7q;>EgiO_hZmkVqkF~;)5_sb9$oSd5v5T3-1RD^CHQyBDL-xJQ_O_ox zlmy+?X)NSkBDox={IV4_sZFe54Y|s5Wl7`=_-PX8_ykpfB$Imyx%Gqe1*Hem@}3)P z({mIm^%qPMSqB&8RJKFqUY6#1;5Xu3$Xbec^>0mBt9^H|e%*PJMu)Fq*4e!OZy(<( z{E<`pi;-q5tIwDEdY`YLO6_1cM9&l*NXRP<>}-X-`G0o#th3g;)`i1KXV zjLR;cT7yRp)k1TSPLK&33`^4YWR@qzNWrG@F9MkavQrC^%zbK1-23&6kH6AJWK1BR znWWM<=#2+lqkD}#bX(^uftqCJiAcB2Amtn!?R~TJwIZZtsGCq5P30FbdUQ4?e*-dq zL&m0W=U@sY*8|^5z~X$nkB9QNA!Vi=yhdY^WSn z1%?1CGm4~=N`K9lUOot0$m}LtBYh6^tb(xG&b$A2*V5B9DbK z18Sf6X?w}T0PAh=!H^4bpj94GEy7EEb+O(jebYEvdM#+|Y3aYlc1Rhys>2Fj(YnHa zYhe-UG7o5qw^L=d%rCOl&ar@SsaThly9YO8TOj*v-nNq`jHxi{!N8-ktBRV_vZ>t$ zo5m(mJEG}eHMtIf-Z*aU$;yp_vcC>!;H~Cdscbfvg+F^*J(sUIb@VDs-&s^ullwt} z_F9K`*x9{JX%v#3Q$ZVJwwi^>C2U^~7LqEcRC^H;tI)n;MQD*tUcLx>xpTlgyJ`K* z8@(o%aG%TBQA4doQC2Q3ZIutnPTmGP7VU8#JQji9f)=!+vvl(Es_ne+-4Ar5Edycd z1suv>?$xe;jH8VMr0iAnKXakt>)*Jl9a5oq_#aS#thYx*vBBU;F_U?cv%KK;u%@9) zAsfdj`;UHxrcVAD`Lq;GZNRoG4h6`B^uQPabqW{W+uyO^j(j`Wgq@wlgp{8zb0U9h z8P=pzi+~A(f3cQLDF-9jv*%}ty#oVxJS(9omkQ$yU~NUn@-qnyvbeH2-%g{1w7w^g}wgW9d{ zhM)SmvdLuM!^z&PnvOVl7;>T`Ee5iL2jsT-Q(VGD?_^wO&kZ`SJ_mV48t%VD%=h(v zdf+e`hYOL)aimmTScyWne%U;+o%tf0?EiAXndCKYt|3ES2p@g%4Z3WlPtXaZeN}P(gyOSI??6KvDwpY8bOW&5#4QQ?G|!`x@bb$3X;({C#k`@ zV21NA4yMD^A~odgbjk(OO$))Vh%>vIb}RF*YKcO^q^LXm42(;toOc zh3t=<_-E15ygu>HVa571jeM)iWSUUetQMQHO_R;-Op)1dY(33IMd!QX^7Fk!xJ}1M z`+h2UzXZ;5*w5JJ$kp@?kvsqXb1rLEldi7zHY5sf{!Pft!pe)6z~CH(aA2YIeI>^) z*t2c992QCptV)9tyQ?t1>}#`8mU7TWQ?lXdKUlR%5tlC=P=R_|u&@$2fS5)&g86*Q zfT|o}|17Bdf$5YjtNAgpwNCd%6khhMp@tgz>-3<9E>fA?T`g`~Lf?FZhowatgc@eI zQ*tL@Yz-mXFyOXeeG+(r!*j~k>qnRB>N>&9;vf?ozC25`G-CJ8Qk%CqRgchSz1kGU zf{}8F2xjeV@|)eQpg5+J{^(34E3eDa)_M};*&X`O2jO_0HDQt;%)Vtv0C4JpEG_vY z+p|*Gv{txq$>Incv91_=V#|HJ~jbO8=d7QVaROfKFFGlyW(#6h0;Nh3}0sWmNqmkK?R zHF}MO;j-n9#O=qgB|OOt=MWD?=eNDDHyozrZ8(P!D{51^=_0s@OE>bsztKFmP?8IH7dOb?Hr(R9bF>c8Er<>6m%}x{vnsnzM=`% z?g-7OGof=ToG)+CK48Fo2aBy`z3YVq1C z|IJd-dlR`kE+|J9ihj>dv!eMDST5mcFiV$gzaCkzS+t9yd5sX`)p)Omf0O&u(`$|C z)hMeo*r@FVoMnQ7qCQ+`Akda%2hDkJ>W*L1GJOCfqA>u8b9&ZPz-O%KVg@!6 zNAg&z`LJ9PO7`BrvNCnDS}a^5D7$7NUf!BB7w5E$@D%8C0+MDiHKIRA7-%y_NY%Z9 zD=e6#)x6oaa+{U^O@BI!7s;C$N2;-5KRyxEa%#JsdU$S6@PYNtTUIkQxy3%VblJJf zGg|a~3(MY^9VV44SIfv^lXR}CqhHsLQgO*9R4FyBF zTKB_jHaC!0M(Ext$BLB|90>%|K&FM>>onNsjRpxXRZSGt)0b2P+)_rF15egs+Pn@x>N=P z*IqP0c(xV)i?H;lX&|h>fbsIDqEoz(79$?>`3KNzGgcta zB<47Kajl;?h-Vi1X%6Ax3FSdK_)9XWJP-r>uDvqLD|;-3r82c)xxG*^??)?rlET4Z z{VX}1B0iF4OheVZ-gbd!nZOZ~+RI^7@ZKGS4zc0xOy5Q6S(xwa@L zoS4gSDiO~{V-Uq$N;x-(7!@Z7G zMySO3kMTdNYV2YLMUhU@>GyJeyMC7GTJEya96=O4-iHa$3sH zX3Glhnb#krBKaNJiERtAPixTd?k4RJgp^_g*yF^C<91CkL^7ut!Ycu-Q`}F`9*l$s z*5!p#x~^1muL#a^+s4~z4T90+f+JcD5m^U0TNjlah0Uaokn{MQ1YY}aE6n{bE{Otc z+^c=gSDdl$5Ye^td$zD?TJrvsYuoU9aU0$PwO};Pyw22VQVrcGsPHBlZ!x%3jnGt= z9y?T5iK6HseMde+v|fYydUsKW2qy#PFpjv3FG4IaWe*`*5^F>*d_Wx>U=$Yjc1*L+naT zw+SpK+JsX6&^8s&LMY<9$W9PXYXq#1pk=wTmmp=df}YAHA%XZf_>zg#VOK4rDhWFy>g-v(6_X}B1+ zsn+;dJy;A@V<)h9Gz5ZKu1VCj9dD7gx$fCaq7j>s+u8(!YKEOvIit*WL zZaT%to6rp^GpuZS6-U83@j|~Af_3omehEW<)(3WvQgo11651HX_K(z;kRHs5oA1+Z zW6+@R`BUWuim|aJAYB_46#fw`KkJ8-Svw{9H4!^U1#^?DCEhPv4-%ai*YCT#)g`0546;L4*y0mvuDL#9VYcG%^~Q$_|lF-a43ea zdqd`3%p<$6OScyHE~)q7oL0Duc85w8ruw+?Nnaf1k&#)Xm?4pc4E_}>Yp18a-`-tS z2I&w}p&yp}W}H+?YCB16{jm6xL`tvPbxqG{Y$Pw$(yXLLjL^N&Fhq__I_FkMPHZQ` z;TH~dy-J?s8hYwwGEsIr%&a{oZr$Qs3bUMXH2|$K0PpllL#X|?vX{;0?BRYmN!)CI6MUj0yp9K&@x5M ze9c3nEYX5DBVFyF_dkpRHt(}Xe;H%EuS~~GPwZTUgH5w@v$dXH_fQT=w|Bi!5_j*G zCjtk>8F_gi>@A-fHN4eg_xtLY)*Ctr59pjr6UbQ3+s4ilA6vvS&uG&WGsF3F1Tccp zt zOtcPIl)tzO#G)S1O7@bs5w%*~94J89j!%P?evpU{#q1c)>=b|>R$tR$OVF_B^51Fq zBWq$MVvBqZ6?FXLuaQPa_-S|sWJ7qJPsaxiaO*CB#fDI<=baa~nOF+;T#m{HN!)U` z6K*8qwf9ED(cT6Tbi3>A#sV7=i#5%Swa1h{0DqUONs@K8H`Dg{*?55>o*yomx2B8} z#&sf@&7WRneyLatIsE04NxYvan>ArxyL}$S!^NM4i^E4OvqXu+Jvr|Nqg&V-%+2gB z?xbC&i^GSM&9X%FG-E~N07=H#d&M3lYeXD}hAG+}6y8WA6$n3HLZap$G3IRCc6KO- zPtPReI-x7FiznVx506?H6?{RX+=~z)a+;f-6ztH%sx zfKMyUo{nega51M~~?QE*_kewj1M zR^!Q7N!G3Xn-?9OF~``s-fK9plW-ln1$pbwfu!nL+culh#$u18Wd9MJr(EUW&Msai zkt_H+ud~w)8ZU?rQi-r^V@5~hgCti9PVG#3Z=E8bnZdx3Uw~0ka zcVEWu+WY-F&OGO)I}0jYnIf=@?`BTMEl>}cRtFzN7&^x`{oQXvdGj_1^8ASTJlEt< zLi$sv=rzM!WTP`vRq!IfXDQ(%BXcia0zBy-C+@dRldDcC=nUv~E9<(`TY0@%IJn$a z>pK34Gr-#S>n%cC149|X)Zgbz{%T|w8W)MtONv=lG%&k&p%*owdTytv*+NeuT$e&o zaXZze&62+ekmqah3!{T~*aMj4-mX#>OtQdu{mRh~sAg_mFrrgX^ZkE4J3O(#umXV~ zMpISmA?bE>5jG+RYhS=WVtz1-NCSu z^7?NhBRi;zN0&3j)bT?-V3|ok@org${B5~{%68PBbsYdjkn4Fl1!}BB(8d_;U)tMo zx|*SIW>ec*IyX6V?`9^9myVCXT;X2BNeZ&ftdg6Q`ICc2YPH=G!(=0oj4iXGC$`Mm zHJ7U~eFsWhM&FVe;F=}Gsh;~hza&CSyaww^9zG7v+>39U<=|{p@Y&xv2Qtxjh4Dh5 zv!8}`c{w2u6`%&6jlYvwHU^#?su@Z+_UDX=ts^ben(RB1nNxulBzN#+9SJFJ7lRVb5jD0LDvc3So~tTRf-scwnN zEG-BCU|u3dFhr<>shTDW)257$mheSqA(+q3GPZ?(;WEUoT245LfmKk`SRC_!b0`l} zeATJah;sP-ifn|RjFvacQ&|LJsf{~E4@gcUrxd+n)dYF-l4*0qCf(jmmLpC}Zwy(@u%_za{a6fyL zdpf(=M7umWZ3j`i%tfwS>L>EO+$;#5X4VkN+BvVy+)0V{GF*Llvg zge)tTFbvg>J6QjG{bL5_{Z0qRc=qgtW@Rpyc;3X?9a{3IhNeC<*XC2f9lB^xWCDbeR>+?>3t$Czlz_14~L_9%0+@1k60mHxVb6j0VNcujMdkb&p^S z^?;?j$5k#+!`={Qtz)mQB4fBk=`iG&gDdR>XN%iCe_@Nu@lNz?xgX2$Wd7cUD#X!L zhHWmNTpi8n^W?iU6^GpE_5LWo^~ur`S{o6qz*AYPij5fHr2z4_OslW0w__LZI@u9c zpxCTib`v&_R0=V+ES3%Q5e$d+EKZf5k%=?T6i7lG@ysbm<+kfn5nj6!wmMz%w)IyS zXu^7N)x#j(q>J3ZjOK9w;d71(3Bx-GSN}=LKx;v>GFegUvLG**v1pQ)ji7d!l1a4L zAi$A;M2f+{#r=wuB=f*RRzpU6%37T3Z_<}51^$Ee3%Pam8QHRNl?`{c|>b zwRcAiw7jDr7^SXw?=z_&Xbubo@10}RmOvQC~v5oX~F(hwW2jz9GLeCQMhCL?UJR+LgpsRK6bM1mW@59+CYZ zIWTr9TDfjvR7eHFb%VLHT4h>@9i$sQ7(rB7nPasOyt#;M;VswzACyfAEj;L51ts$oo*CMh0h z)He}BUgt!9BX!f=rfX^25dQX1G6=G|AuvIgwqHykqvsXw;fKNAE51@{;Y;%0{$=oN zKL#OB;%l}be5O>Rns2?rtnZV9zhIKOExMo=G!7+SPJ`26W(=5s3&zPSDD=)!w&Es| z8mfkT>H^wC*7De(2L05~-l1+2t>0rHWM;Ck>bBQHt_ph{q3XWC`SNXsWOG0k+eh`= z&pAu%j)++sAy}*)Um)c_M&9InNI=Urg!lTPNDs#fhpTu(=NP|c=oUGqe9ozJlT@gK zXd2{d#}4#a+!!cooAI~^q}LjnnWEt#N>~b}IMcU-bbI~!I(q){>-Ay&y|>I?3Ylb>&K@yWrWMFW|3+8|A&Rie@K9^IHX5d;(-l8g30ED7 z%IH4#(9VGYRo%;Mu{CXAC5CoyT?8_B-)pt?rY3dUA7ErmZHs|~m`d+|X)%7&yzm)+ zg9Z`d7eX;7;>wjf)jTWC`Y3h5dcfm78WakZHZJ!3Qj+0`qAX%jehue z@_v2kY>q@iSy%<%-D{mJD9f=^mzCYcOXq*BStm#r+zm*1?~%F(8e9l>GCqEL8GlRz zC(?Mdbn*^93hiMCJ+J+R|Gzn;nvJ+DhJRqK2?PKD`2TQ7PR<_ICQknXwWif=lnWUU zeyCw~Q-ty@M=zc#aC01PaO6+>;BLaQv2`u0O&&IE#fn|hY-ahQZ|jqsMW zi`F(s{#s?CZ~d8Ei!@~@TcmNeVtKrCEw&Hx_pRK*f;Ot#qRS8v!>GM*@;UH>WTRex zy+DE94nXNvi`*ese!{9ab5R`jr5^qXQ*;GdYJpmS_Zeaoddq35O{-FTyPi=$hY@xr9(|TH zU}+Pq%Wx(?r9UB6tQ!&8-pRW^EmImTIYHtnfOufJTNU>*=C0A@cpljy0NK-T5Pp^_ zQ`W2z3;9>QG(sjtP#{*>W2{rL!B0hJM^4-Fvc+_fSMg%ifSl?&?39pIOA#vXXQxb* zNhw7|C;z;xFaeJ>huw{?#B;mFRW{r$B z{{huv=KFJ3R@HAXDUb@f$JKuyAHaW#>wl7!kpC3dKYX8pqn-W#fF>nY z0672w0D^!3{)+|tZ<&#uqshOjusBgiet-cb^mk(6vwBlu$doz)tA>OTvEaVO0)DQ| zx2PKCr+eEUFoBzX^YuLGHM=_VMkUF*-^0Q=CXz-R(%d$9=@N?;z0o-k2|pdJiV@4Q z2|TW(=^)kqaBmtDnoi1TSyf075^ z2s8i^4dW)b95?!`48>bv1Ap}isGpG~PXIhFs;bY7&0qQFB#5t_AO*$?ntfiGV~(31 zyv}B`3isLkN^fuW{nCrylFFr(5-waV5c$R*^zclnG?NkmwWsY0ZH)o{#NnTv;{yx7 z{_kn7t$sCEy$Cd3Mx4sSIdJxHl2p>LdAae?vv(6l;ijochs?Nz2JIswM|Q$@pO-fU zUzg1Op#RLqzmdyu<6dLof1+-h8~_06KT&7vVq<9HXklyi zFQ2b9Cu6f1P`*)vmySVXAjb2?qc>tpq?Xf`&cQkMNX)+kP7+L4ebBd?H!E^i=*wk+ zJe&teG*U4lQ2SqaPv0=`k4V(n^&r_ChmykQ>mfZ`EC{gb7z!Ti-;aN842`iQp)4R6 z3(c)-6byH?^=N%E6DSW1(*=S2m`bAuDbava`&d);^=XXuGD8JQBYLBQ>f0q2*IKJc zGzfr_@FIX_kl3WX0EyAErV9Z6NRJ3l)(7Z#M{+_dBtpcl#-A`y?vMSN(}<}!&tQ-< zptgG3B97rVyb0xvGQ^Z1#xA7vwR9te#!N>m`vE&BLMD>_XwID|sog2NuadUXj6oDw z^qV^bhk%JCiK5t*&ZEdW(@Dj5*&=cFZ;}GkY+!9UwxOia?omDrx*+yj9Y2Tn@fnDc zh^RV52K&q?K?WdhBe6G_j%qV-!1r;2gr8bQJ%%>Y>=cMvnj?QG7>vvMfvuP(xRs`s zMZ9&_$;B^yEYAc0j~ig4^C zR5)ZBL@z+y?VSbV#Z*VxoJHdLDa)8!D~JowSALy zu2_vHG1p~XZ5U`R!T-}KN-ufcSahyzcoFlxcR2q&y?ofjm#v*-zP@Z-?Lh!V40u!g z)%Dlq{&M2}P5#1m{-Jz7b@``Zzxq;suv>aBJ=!%n%}w;{yMa+*t{dKE=Y@&@w2 z19LS)5C!fO4lfAUrWBd)yTK?h*LQ>SSP;;}5TDc=hvUf!22Vnuz;_x7p*0^3ww&Ph z*`%_nt!gWci{~C4|J)e=939uWKDu#u2ylJqcW{*FZg96>pOX8Z0SNX_$^E~Oas0x>)RTYC&HR&o|6OZWj^Lb*87)rV0;nzR5RA_fy(^rmJz2w6J zhS`WgY>cu@tF~zJ$693_JS&czWFx^RtJ?6m!3D(ZHO7v3%pL6|3ESwB`?;vN%z9Gp z4~%L5ZP~w5O1s=wH{qX`K{Gf20P;U}XbIcdI{$;s>#2Cyn>gwGE2f%NC*=ki5WZ3< z)R)@q1t6M_`wk&+_JFm$lCTVGP3)k)crTv_K{J)|+D&+wxs7h6GPJulxwM4B!M0iW zX-7Q3qXy$^9iiY$_9Wbf(i#=0N z!yE74v?-iHV#Sg@j~d5elN-t@J9TqPR~EO{hF)tX8aLhebcZFI*DBrb=Te%$dsn_l zGPHITi#&S^m`ubIF1{n%s^s2qxvBUrRV8n&3P~6hX>xv;!sb1}MEyICheGb}vj7Y4 z3BqazRDKyTQ;QYz6j@VAL1!k(n6RI4+0WDS$SiZO1K3$GV1MsD2J?IbKp7t#H#^pd z)UaATGsH2^bTw~ik#wvnFE8N|i5J9S9o+m;U+6!li6~$g42|Ferr`MD-p0&PBHX8- zE6I>H2CK9#7^ewslE8f8d0X+E7i#LAAilc2*0kK`5J-tQi+W-<2L^9=5bo7?S8C@4 zi7A>O&m!ss!SO)Z6CbfY#Og!Y|5q_r9uDRDhKC^?VK|rwMa~&nkG1UKWLGBH$-abP zEHgwTYbRtUYDlG%>}w=@A<={+k(!Y#Wr}1g%lXFA%zWpZ-*x@|I`4J8*Zg(g*YkeQ z^S#e=Ki^!B(6R3aa>GD*#xi*1U@G9babS}@NJ;0|01Voj?7M+0vU*;ZmdevXCk7K>1h+yrkjHK`SLO9buJB7Zu zhbxtZ)y+|hRfQSj9gxH?jksvya^cuRoJm2(&nmZ$m`oVmPvCFV5AM*PQ&f((xL2fW z@WIr~-PJ;W21e{`eOXld^*5#RwT3kJ=8H3T7g=}S+pQoRTg@3x1578smw+&!9Kq4o zm)8F18Slb9DgD)aex#fAu&!!Wc{w3Y!*l0^Bbj_xmWl6b*5L38EhpoG_Z5Y=A=Trm zC#=CptouqEB1VotoFG`DD`QdcywJk8BMG>^=dDA8t(;0V7eniQw(CEmGfv_7Snv}p9z0x%gXCL=|b`+G6(6u(f5Zn zyl9J-5yooWV3KZ136y$QC2xyLO#Wockz@W#O;}+`k|gn}&EsN=~hz+dW$Bk!qZ@+{DVH;PN@E@GdJfnEz}}o>`?)fUV+$#A z)23qGf@S@(3o2J6Qo=3Gd;BO6SFFHl-L4<%+2@_@(;07k9+82l07iopOi=%(bp z4Fu-vt-x%G7f>*BZND_E;~h{CqW2xb*>c#Lhuz`9_eFt`kJwa$KA%N~!P)S6Ip>Lq zPh|>LWm*Gl;^wG;Oi`{Ao+z=!$)(z-BAM+Bhgua)xkri~fAT@c$`+ws6d*5e@Z?pmqZJo1y`gIS%_Y2; z(J7t%=|V6z=c2Wc%S-)-hNP0$OANmbmOJl>gI!r5sJCczGpn{Y;j{;P@NW_Dm7fH7 zIdt1a;dT?YILqET#CZ#kT<+RBb(rtMKEk!`tMh7g_%iu0UJ_l9?%;CiGY5gItE--K zvT{k1XG0>)(_yUj5aU?>lijj~A&1uoQ8+~tU9`gnAR?AT4^PG__?dD6|6I|oMn#{_wH5p4VvEmAE{9eG|Yl0*7>c4SZ9g*N$B zmb|_P_9nmTU&%QUsr%uVw`o^iwmf{UFCQ>%pYE3#h{A(}lb14I@Jf^@j8HH>_;45!@A+ z>xdF(k823+va}YCeEE#^u@k%zxDAg*q~LsTuOZB9e3=Pdr*ckC92!-(YNR)QCq%Qj z3q{<|tbL{mp?Ok4k;m%vIvn$uTA6Kh&cUD=D3N2GqS-|L$y%h1Dzj7k;+)a?uTTSVu|*5W5pSKVcvAy$P2 z`izY(&8}q&U7AG`X9@Y9I`1bqVaX6K4y2RvTnnsY(NjZprWa4-tkv;-@`mU#o*%(WfpBB9w{Qawwl}H+{oL-Nb4kWLJS$`4UMb1j zaa}rJ^g>cNXm$_vRRbDwMD6+i`lfLv*$oN+p-I-fR5{QGW9sOH+UzUj^o{zo334&b zS_r)sugSjbQT#^2FtAw-LSJ)??GBMJP~YNn5?3JW)lK0coUMs>=@pq{*k+Hq(ASp zU7r*Wh7ZYmb3g|8RMP(~#i~(F)4@!mO{~6L}~g#~rml zR^MdLf9)The{6<_hB>$F=o9K$PMW3r{`sI8#v8%z_CAyz>jV5ShT-Qy~+;5xO zKWJsm|IsngP{VebcwjiV9YujpDQ}xh)10E< z|86x|TW>A0)i&xoDw=}XG8wG3cTf;W_z%ox1cQNKRZ0OS9{op+3MK%HA_@Uglj<2e z|By&v0N>vVm;oyRU0$0=BhEpdYFr4}zw_>pY> hmnF21^jAX~OK4cOO<~-OcrFMRWS#-&=mG!;{I{% literal 0 HcmV?d00001 diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.feature b/functional_tests/ZBIO-5213/ZBIO-5213.feature new file mode 100644 index 0000000..d7d364b --- /dev/null +++ b/functional_tests/ZBIO-5213/ZBIO-5213.feature @@ -0,0 +1,238 @@ +Feature: Credit Card Due Collection, Masking, Escalation, Notification and Compliance Lifecycle + + # Background spans all endpoints, users, and compliance settings. + Background: + Given all integration endpoints (notification, collection agency, legal system) are active + And masking and audit settings are set per PCI DSS and GLBA + And valid test users exist for all roles (cardholder, agent, manager, collection agency, legal user) + And system supports multi-card/joint account scenarios + And notification preferences and payment plan features are enabled + + # End-to-end lifecycle; positive flow + @e2e @ui @api + Scenario: Full Credit Card Due Collection Lifecycle with Notifications, Escalation, Payment Plan, and Compliance Checks + Given a cardholder with multiple active credit cards enrolled in digital notifications and 3 days before payment due date + When the system sends automated due reminders referencing only last 4 digits via preferred channels + And the cardholder misses payment and receives overdue balance alert with masked last 4 digits and consequences + And the account transitions to delinquent, system sends escalation notification with masked account details + And the cardholder logs in, reviews masked notifications, and acknowledges receipt + And the agent accesses account details for the cardholder, views only masked card information + And the cardholder is offered a payment plan proposal referencing only last 4 digits with schedule and reduced fees/rates + And the cardholder rejects the payment plan and the account progresses to collection agency threshold + And the system records handoff to collection agency via integration referencing only last 4 digits, masks all PII, and audit log entry is created + And collection agency user logs in and accesses this account, views masked information + And continued non-payment triggers legal action threshold; legal notification is generated, referencing only last 4 digits, and sent to cardholder + And legal user reviews masked audit log for the case + And the cardholder pays full balance after legal notice, all actions are reversed, account status reverts, workflows closed, and masked notifications issued + Then all communications, logs, and notifications throughout the workflow reference only the last 4 digits + And regulatory requirements GLBA and PCI DSS are upheld + And audit trail for every action is complete + + # Negative, masking compliance coverage + @security @ui @api + Scenario Outline: Strict Masking - Validate Full Card Number Exposure Is Impossible in Notifications, UIs, APIs and Logs + Given a cardholder with at least one active card, notification and API access is available + When + Then the received notification, UI, log, or API response shows only last 4 digits, full PAN is never exposed anywhere + And masking enforcement is checked in all outbound/inbound paths + And failed masking or attempted exposure is logged as a security event + + Examples: + | trigger | + | triggering due reminder, overdue alert, collection escalation, payment proposal | + | inspecting notification (email/SMS/app) for masking | + | testing UI screens/logins as cardholder, agent, manager for masked card views | + | accessing audit logs, communication archives | + | outbound API dataloads for collection agency, legal system | + | input and data retrieval attempts for full PAN via API, UI, integrations | + | forced error paths (API failure, external rejection) for masking in errors | + | role access by agent, collection, legal | + + # Payment plan boundary and transition edge + @boundary @paymentplan @ui @api + Scenario Outline: Boundary Delinquency and Payment Plan Eligibility and Reversal + Given a cardholder overdue at the boundary for payment plan eligibility with payment plan feature active + When system attempts to offer payment plan for overdue and days delinquent + Then the eligibility is decided accordingly and proposal offer workflow triggers only at valid boundaries + And all communications, notifications, and UI references show only last 4 digits + And audit entries record masking, actions, and reversals + + Examples: + | balance | delinquencyDays | outcome | + | 499.99 | 29 | No proposal | + | 500.00 | 30 | Proposal offered | + | 500.01 | 30 | Proposal offered | + | 499.99 | 30 | No proposal | + | 1000.00 | 35 | Proposal accepted | + + # Role-based access boundary and rejection scenarios + @role @rba @security @ui + Scenario Outline: Role-Based Access Validation for All User Types + Given user logs in to the system during test account status + When user attempts authorized and unauthorized actions + Then masking (last 4 digits only) is enforced in all UI pages, logs, communications + And only permitted actions succeed; unauthorized attempts are blocked and logged in audit trail with masked error message + + Examples: + | role | status | authorized_action | unauthorized_action | + | cardholder | overdue | view/acknowledge notifications, schedule payment | access agency dashboard | + | agent | collection | initiate status change, send notification | edit legal file | + | manager | on plan | review communication logs, override status | download legal documents | + | collection agency | collection | access collection account, view masked card | change account core data | + | legal user | legal | access legal documents, review logs | access payment plan schedule | + + # Integration/External System failure handling scenarios + @integration @failure @api + Scenario Outline: Integration Failure Handling and Masked User Messaging + Given integration endpoint can be simulated to fail for account in state + When the system triggers event + And is unavailable or returns error + Then retry/fallback logic executes, error message is masked and logged + And queued steps are replayed after recovery maintaining masking, order and completeness + And audit log records all failures, recoveries, and masking validation + + Examples: + | integration | accountStatus | eventType | + | notification | overdue | due reminder delivery | + | notification | overdue | overdue alert partial delivery | + | collection agency | collection | agency handoff | + | legal documentation | legal | legal notification/document creation | + | payment integration | payment | payment scheduling during outage | + + # Multi-account/joint scenarios, duplicate/out-of-order notification suppression + @joint @ui @api + Scenario Outline: Joint Account Multiple Cards - Notification Duplication and Card Reference Masking + Given user has a joint account with cards, both approaching due date, preferences + When system sends notifications for each card and + Then no duplicate/out-of-order notifications are sent; all references are unique to correct card (last 4 digits only) + And audit records log delivery, suppression, ordering, and masking + + Examples: + | cardCount | channels | scenario | + | 2 | email,SMS | both cards due within 24 hours | + | 2 | email,SMS | one card paid, one missed payment | + | 2 | app,email | simultaneous payment attempt from both users | + | 2 | email,SMS | collection escalation for only delinquent card | + | 2 | app,email | payment plan proposal for both cards, eligibility | + + # Time zone and cutoff boundary edge flow + @boundary @timezone @ui @api + Scenario Outline: Time Zone and Last-Minute Payments - Notification Escalation and State Reversal + Given cardholder is located in , with card due at bank time + When payment is made at/after cutoff and triggers + Then account state, notification, and masking logic aligns to actual payment timing, state transitions and suppression + And all communication logs, reversals, and audit entries reference only last 4 digits + + Examples: + | timeZone | dueTime | triggerType | + | Pacific | 12:00 AM ET | payment 5 mins before cutoff| + | Eastern | 12:00 AM ET | payment delayed post-cutoff| + | Central | 12:00 AM ET | agent override/correction | + | Mountain | 12:00 AM ET | duplicate notification suppression | + + # Negative: Notification lost/missing escalation path + @escalation @negative @ui @api + Scenario Outline: Lost Notification Leads to Escalation and Recovery with Masking + Given the cardholder's email/SMS is invalid, and account is overdue/collection/legal enabled + When multiple notification delivery attempts fail and auto-escalation proceeds + And cardholder reconnects, updates contact details, triggers retroactive notifications + Then all communications and logs reference only last 4 digits, masking is enforced end-to-end + And recovery window, payment plan, and state reversal are handled per business rules, audit log complete + + Examples: + | deliveryStatus | recoveryWindow | + | fail | eligible | + | fail | expired | + + # Payment Plan proposal limits and acceptance/rejection + @paymentplan @positive @negative @ui @api + Scenario Outline: Payment Plan Proposal Fee Reduction Limit, User Rejection and Acceptance + Given cardholder has overdue/delinquent account eligible for payment plan, reduction rules active + When system issues proposal with masked schedule through enabled channels + And user proposal + And user proceeds to pay + Then the masked communications reflect only last 4 digits at every step, audit is correct + + Examples: + | limitType | action | paymentType | + | minimum | reject | none | + | minimum | accept | one installment| + | maximum | accept | full payoff | + | minimum | accept | early payoff | + | maximum | push | none | + + # Negative: Collection agency consent withdrawal, data deletion and access revocation + @consent @agency @negative @ui @api + Scenario Outline: User Consent Withdrawal After Collection Agency Handoff + Given account has been handed off with masked last 4 digits, cardholder initiates dispute and consent withdrawal + When system locks agency actions, notifies agency, blocks login, triggers deletion request and records compliance status + Then all references, notifications, errors, and logs are masked (last 4 digits only) + And audit confirms removal, communication cutoff, masking, and agency compliance + + Examples: + | handoffStatus | agencyAction | + | handed-over | login blocked | + | handed-over | deletion confirmed | + + # Negative: Partial payment scheduling and state transition + @payment @negative @ui @api + Scenario Outline: Partial Payment Scheduling and State Logic + Given cardholder is overdue and schedules payment after alert via portal, agent/manager can review + When system accepts payment, maintains overdue logic, sends masked notifications + And user makes additional payments + Then account status, notifications and logs are correct, masking is enforced, audit trail is complete + + Examples: + | paymentType | additionalType | + | partial | partial again | + | partial | full outstanding | + | less-minimum| rejected | + + # Negative: API payload masking and tampering defense + @api @masking @security @negative + Scenario Outline: API Injection - Full Card Number Input Rejection and Masking + Given API endpoints for notification, payment plan, agency handoff, legal integration support auditing and masking + When I submit an API request to with a payload containing full card number + Then the request is rejected, system responds with masked error (last 4 digits only), and logs the event with PCI/GLBA compliance + + Examples: + | endpoint | operation | + | /api/notifications | due reminder creation | + | /api/notifications | overdue alert sent | + | /api/payment-plan | proposal creation | + | /api/agency-handoff | agency submission | + | /api/legal-notification | legal notification | + | /api/notification-template | template update | + + # Notification preference mutation; escalation masking + @preference @negative @ui @api + Scenario Outline: Notification Preference Update and Channel Enforcement + Given cardholder has overdue account with default notification channel + When user changes preferences to , system confirms, logs change, and delivers next notification/escalation + Then all communications show only last 4 digits, masked in every channel, audit log records preference and suppression events + + Examples: + | defaultChannel | newChannel | + | SMS | email | + | email | app | + | SMS | app | + + # Payment plan proposal at final eligible day + @boundary @paymentplan @timing @ui @api + Scenario: Payment Plan Proposal and Acceptance at Last Eligible Day with Immediate Reversal + Given cardholder is delinquent at final eligible day for payment plan + When system triggers masked proposal, user immediately accepts and makes first installment payment + And system logs payment, transitions state to 'on plan', sends masked notifications for future installments + And agent reviews for compliance, timeline, and masking + Then all notifications, communication logs, and audit entries reference only last 4 digits, masking enforced + + # Legal notification generation, access control, and audit masking + @legal @audit @masking @ui @api + Scenario: Legal Notification Generation, Document Masking, Access Control and Audit Validation + Given delinquent account crosses legal action threshold, legal module active, legal user and cardholder with access + When system generates masked legal notification and document for cardholder + And legal user accesses documents via UI, agent attempts unauthorized access, access is rejected and logged + And cardholder reviews communication log with masked details + And legal user downloads documents, all instances display only last 4 digits + And compliance officer reviews audit log for all document and notification events + Then legal notifications and documents are masked in all channels; access control is enforced and logged; audit log is PCI DSS and GLBA compliant diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.json b/functional_tests/ZBIO-5213/ZBIO-5213.json new file mode 100644 index 0000000..2fb9bc8 --- /dev/null +++ b/functional_tests/ZBIO-5213/ZBIO-5213.json @@ -0,0 +1,209 @@ +[ + { + "type": "Positive End-to-End", + "title": "Full Credit Card Due Collection Lifecycle with Notifications, Escalation, Payment Plan, and Compliance Checks", + "description": "Validates the complete lifecycle from pre-due notification, to overdue, delinquency escalation, payment plan proposal, agency escalation, and legal action with absolute enforcement of last 4 digits masking and regulatory compliance. Covers state transitions, user role actions, notifications, reversals, and integration flows.", + "testId": "ZBIO-5213-E2E-001", + "testDescription": "End-to-end functional coverage for cardholder missing payment, progressing through all stages, and system compliance with masking, audit, role access.", + "prerequisites": "Cardholder has active credit card, is enrolled in digital notifications, has notification preferences set; system clock at 3 days before due date; test user with multiple cards; all integration endpoints active", + "stepsToPerform": "1. Cardholder approaches due date, system sends automated due reminder with last 4 digits only to preferred channels.\n2. Cardholder misses payment, system sends overdue balance alert (last 4 digits only) with consequences detail.\n3. Cardholder continues NOT to pay, system transitions account to delinquent and sends escalation/collection notification (with amount, fees, last 4 digits).\n4. Cardholder logs in, views and acknowledges notifications; agent accesses account details.\n5. Cardholder is offered payment plan proposal (with schedule, reduced fees/rates, last 4 digits only).\n6. Cardholder rejects payment plan; account progresses to external collection threshold.\n7. System records handoff to collection agency via integration (last 4 digits only, PII masked, audit log recorded); collection agency user logs in and views masked data.\n8. Continued non-payment: account hits legal action threshold, formal legal notification is auto-generated with last 4 digits only and sent to cardholder; legal user reviews audit log.\n9. Cardholder pays full balance after legal notice, actions are reversed, account status reverts, collection/legal workflows are closed and notifications issued.", + "expectedResult": "All communications include only last 4 digits, never full card number; notifications and state transitions are sent/recorded in order, PII always masked, role-based access enforced; audit trail for all actions; payment plan and legal thresholds enforced.", + "riskLevel": "High", + "regulationsCovered": "GLBA, PCI DSS", + "rolesInvolved": "Cardholder, internal agent, collection agency user, legal user", + "integrationsTested": "Notification (email/SMS/app), collection agency interface, legal documentation system", + "maskingValidation": "Last 4 digits only in all UI, API, notifications, integrations; explicit checks at every step", + "stateTransitions": "On-time, overdue, delinquent, offered payment plan, collection, legal, reversal to good standing", + "boundariesTested": "Due date, delinquency days, proposal eligibility" + }, + { + "type": "Negative, Security/Compliance", + "title": "Verify Full Card Number Exposure Is Impossible in All Notifications, Communications, and API Payloads", + "description": "Ensures full card number never appears in UI, emails, SMS, legal notices, API payloads, audit logs etc. Only last 4 digits are ever visible—strict regulatory enforcement.", + "testId": "ZBIO-5213-SEC-002", + "testDescription": "Force and validate system never displays or transmits full credit card number at any user/external integration touchpoint.", + "prerequisites": "Cardholder with one or more active cards; notification and interface access; backend access for API/log review", + "stepsToPerform": "1. Trigger each notification type (due reminder, overdue alert, collection escalation, payment proposal, agency submission, legal action) via positive and error/exception flows.\n2. Inspect every received notification (email, SMS, app alert) for card number exposure.\n3. Log into UI as cardholder, agent, manager; check all forms, logs for masking.\n4. Access audit logs and communication archives; validate masking.\n5. Trigger all outbound API payloads (collection agency, legal system), inspect data.\n6. Attempt to input or retrieve full card number via API, UI, and integration endpoints to test rejection.\n7. Generate forced errors (API failure, external system rejection) to expose any unmasked data in error messages.\n8. Attempt role-based access (agent, collection agency, legal user) to view underlying data end-to-end.", + "expectedResult": "In all paths, only last 4 digits are ever surfaced—full card number never appears anywhere; masking rules strictly enforced on all outbound and inbound data, including errors/audit; security event is logged if masking ever fails.", + "riskLevel": "Critical", + "regulationsCovered": "PCI DSS, GLBA", + "rolesInvolved": "Cardholder, internal agent, manager, collection agency user, legal user", + "integrationsTested": "All outbound/inbound communications, APIs, legal and agency integrations", + "maskingValidation": "Steps explicitly check and assert last 4 digits only; full PAN always masked/blocked/never present", + "securityAssertion": "No buffer overflow, log leak, error message reveals PAN", + "auditRequirement": "All attempted exposures logged and flagged" + }, + { + "type": "Boundary Value & State Transition", + "title": "Boundary Delinquency and Payment Plan Proposal—Eligibility, Schedule, and State Reversal", + "description": "Tests account at the threshold between overdue/delinquent cutoff for payment plan offer—covers eligibility decision, max/min balance allowable, transition to and from payment plan, and return to good standing after reversal.", + "testId": "ZBIO-5213-BND-003", + "testDescription": "Boundary, positive and negative payment plan proposal eligibility and state transition, with all masking and notification checks.", + "prerequisites": "Cardholder has overdue account at edge of delinquency window; payment plan feature enabled; integration endpoints available", + "stepsToPerform": "1. Set test account to overdue just below payment plan eligibility amount—attempt to offer plan (should not trigger).\n2. Increase overdue balance to exact threshold—trigger eligibility check again, offer should appear.\n3. Accept plan, verify proposal details include last 4 digits only, reduced fees/rates shown per rules.\n4. Validate notification generation to cardholder (email/SMS/app) contains proper masking.\n5. Make a scheduled payment, verify plan status updates accordingly, audit log records changes.\n6. Simulate missed plan installment—system triggers escalation to collection agency, sends masked notification.\n7. Revert via successful payment of remaining balance—plan completes and account returns to good standing; reversals and notification history are validated, all with last 4 digits.\n8. Attempt duplicate plan proposal during active plan—system rejects with error, error message is masked and logged.", + "expectedResult": "Proposal eligibility aligns to boundaries; all notifications/communications masked; transitions and reversal handled gracefully; no full card number revealed; duplicate/repeat offers handled per business rules.", + "riskLevel": "High", + "decisionRulesTested": "Payment plan eligibility, duplicate prevention", + "boundariesTested": "Balance amount at min/max eligibility, delinquency days at threshold", + "stateTransitions": "Overdue, eligible for plan, on plan, missed payment escalated, reversal to good standing", + "maskingValidation": "Explicit checks in plan proposal, notifications, error messages" + }, + { + "type": "Role-Based Access and User Interaction", + "title": "Comprehensive Role-Based Access Validation For All User Types", + "description": "Validate that role-based access rules are correctly enforced for all user types (cardholder, agent, manager, collection agency, legal user)—including communications, payment actions, communication logs, payment scheduling, legal actions, and audit trail.", + "testId": "ZBIO-5213-RBA-004", + "testDescription": "Test all critical role-based actions/interactions relative to notifications, account management, legal actions, and reversals, with masking enforcement.", + "prerequisites": "User accounts for all roles; test account in varying status (on-time, overdue, collection, legal)", + "stepsToPerform": "1. Log in as cardholder; check ability to view, acknowledge due/overdue/collection/legal notifications, schedule payments, view logs—all comms masked.\n2. Log in as agent; verify ability to initiate account actions, send notifications, override status, but cannot view full card number or edit legal documents.\n3. Log in as manager; perform escalation override, review communication logs, access payment plan proposals with last 4 digits only.\n4. Log in as collection agency user after agency handoff; verify ability to access only collection accounts, see last 4 digits, not full, no ability to change core account data.\n5. Log in as legal user after legal initiation; verify access to legal documentation with last 4 digits only, legal section of logs, but not payment plan or personal details.\n6. Attempt all out-of-scope actions for each user and verify rejection: e.g., cardholder tries access agency dashboard, agent tries to edit legal file.\n7. Ensure every UI page, log entry, outbound communication, and downloadable record strictly shows only last 4 digits.\n8. Check audit trail for complete logging of access attempts and communication events including error/rejection messages.", + "expectedResult": "Role permissions enforced at all boundaries; only correct data accessible; masking and auditing always active; all unauthorized actions blocked and logged; full card number never exposed.", + "rolesCovered": "Cardholder, agent, manager, collection agency, legal user", + "maskingValidation": "Strict last 4 digits only across all roles/interfaces/logs", + "auditRequirement": "All role actions and security events fully logged" + }, + { + "type": "Integration/External System Failure Handling", + "title": "Failure Handling—Notification, Collection Agency, and Legal Integration with User Messaging and Rollback", + "description": "Simulates API failures, outages, or integration errors for notifications, collection agency handoff, and legal documentation—verifies user notification, error masking, and system rollback/compensation.", + "testId": "ZBIO-5213-INT-005", + "testDescription": "Test notification system, collection agency, and legal doc system failure handling, error messaging, and fallback mechanisms. Validate masking in all paths.", + "prerequisites": "Test account at overdue and collection/legal states; integration endpoints can be controlled/simulated to fail; users with alert permission", + "stepsToPerform": "1. Trigger due reminder and simulate notification system outage; ensure retry/fallback logic executes, error is masked and logged.\n2. Progress to overdue, simulate partial delivery of alert (e.g., SMS fails, email succeeds); verify that user/agent is alerted to issue in masked form.\n3. At collection escalation, simulate collection agency API is down; attempt data handoff, verify failure handling, error notification to responsible user/agent with only last 4 digits referenced.\n4. Force error in legal document generation integration; system should not progress legal action, notifies agent/manager with masked error.\n5. Attempt user payment during integration failure window; ensure payment is processed, pending external steps are queued/retried seamlessly, account status is accurate.\n6. Upon recovery of integrations, verify that queued steps (notifications, API calls, legal docs) are replayed in order—see correct masking.\n7. Ensure no data loss, duplication, or out-of-order state transitions; audit log fully records all system errors, user messages, and eventual recovery.\n8. Confirm no full card number is ever revealed in logs/messages/errors, including deep integration error scenarios.", + "expectedResult": "All integration failures handled gracefully with masked messaging; no outage exposes full card number; error and recovery flows work as designed; audit logs are complete and compliant.", + "integrationsTested": "Notification, collection agency, legal system", + "maskingValidation": "Explicit masking checks in all errors/user messages/logs", + "rollbackValidation": "State remains consistent—no partial or orphan transitions" + }, + { + "type": "Negative, Multi-Account Edge", + "title": "Credit Card Collection Lifecycle for Joint Account with Multiple Cards—Duplicate and Out-of-Order Notification Handling", + "description": "Test joint account and multiple card scenarios for duplicate or out-of-order delivery of notifications, ensuring correct card selection, masking and audit compliance through overdue, collection and legal stages.", + "testId": "ZBIO-5213-JNT-006", + "testDescription": "Multi-card, joint account handling through all transitions including notification de-duplication, proper card identification, ordering and masking enforcement.", + "prerequisites": "User has joint account with co-owner; two credit cards with different numbers; both cards approach payment due; notification preference email+SMS enabled; integration endpoints live", + "stepsToPerform": "1. Ensure both card payment due dates are within 24 hours and system triggers due reminders for each card separately with unique last 4 digits.\n2. Simulate one card paid on time, one missed payment—validate overdue alert sent for only the delinquent card (with correct last 4 digits in all channels).\n3. User onboards second device and updates notification preferences—submit simultaneous payment attempts from both joint users, one as partial, one as full, to cover concurrency edge.\n4. Advance delinquency threshold for the unpaid card; trigger collection notification, ensure no duplicate texts/emails nor cross-card confusion (correct last 4 digits for each message, verify ordering).\n5. User attempts payment plan proposal for both cards, only eligible card receives proposal (as per rules); verify all notifications and documents reference appropriate masked card number.\n6. System advances the delinquent card to external collection; verify only the correct card number is provided to the agency, audit logs reflect which card/account data is transferred, never both nor unmasked.\n7. Both users access communication log/audit, validate event sequencing and masking in historical records, especially across devices.\n8. Attempt to force duplicate notifications for both users via API (simulate retry/failure), system must suppress repeats, log suppression activity with masking.", + "expectedResult": "All notifications, proposals, and collection actions map to the correct card; no duplicate/out-of-sequence or cross-card mixing; only last 4 digits are ever shown; communication log is complete, auditable, and properly masked.", + "rolesInvolved": "Cardholder, joint cardholder, agent, collection agency", + "maskingValidation": "Masking enforced for each card; explicit correctness across all notifications and users", + "auditRequirement": "All notification deliveries, suppressions, and card references logged" + }, + { + "type": "Boundary, Time Zone and Deadline Edge", + "title": "Time Zone and Last-Minute Payment—Delayed Processing, Notification Escalation and State Reversal", + "description": "Test system behavior when payment is made at/after cutoff due to time zone differences or processing delay. Covers edge timing for overdue, escalations, reversals, notification ordering and masking.", + "testId": "ZBIO-5213-TZBND-007", + "testDescription": "Date/time boundary, late/edge payment processing, and correct state transitions and notifications, with masking compliance.", + "prerequisites": "Cardholder has active card due at midnight Eastern Time; user located in different time zone; legal and overdue notification integrations active", + "stepsToPerform": "1. Move system clock to 30 minutes before due date/cutoff in issuing bank's time zone; send due reminder containing only last 4 digits.\n2. User submits payment via online portal at 5 minutes before cutoff (in local time zone); force batch to delay processing beyond midnight.\n3. System triggers overdue alert due to payment posting delay; overdue notification sent with last 4 digits only.\n4. Payment processed and posted within 2 hours; system recognizes account is technically current, triggers reversal/correction communication to user with correct last 4 digits.\n5. Attempt to escalate to delinquency—system suppresses (correctly), no duplicate notifications sent, all actions logged with masked card in communication log.\n6. Advance time to next cycle, repeat test with user submitting payment after cutoff; system moves forward to delinquency notification (last 4 digits referenced), agent able to view and explain timing/audit.\n7. Agent performs manual override/correction (user appeals), system logs override, suppresses legal/collection action, issues notification with correct masking.\n8. End-to-end audit confirms notification order, reversal, suppression, and masking for all communications.", + "expectedResult": "System applies correct time zone/cutoff logic; overdue/collection/legal notifications follow true account state; notification suppression and reversals are in order, audit log complete, only last 4 digits ever shown.", + "rolesInvolved": "Cardholder, agent, manager", + "maskingValidation": "All communications, correction logs, and reversals enforce masking", + "stateTransitions": "Due, overdue (false/true), reversal to current, prevention of unnecessary escalation", + "boundariesTested": "Payment cutoff time, processing window" + }, + { + "type": "Negative, Escalation Chain", + "title": "Missing Notification/Lost Contact—Escalation to Collection and Legal With User Re-Engagement", + "description": "Simulates scenario where cardholder email/SMS is invalid or unreachable, misses all notifications, system proceeds through escalation and ultimately user reconnects to resolve—validate masking, escalation path, error handling, and recovery.", + "testId": "ZBIO-5213-NOTIFY-008", + "testDescription": "Notification failure and escalation path including re-established contact, recovery flow, with masking and audit across all stages.", + "prerequisites": "Cardholder has outdated email/phone on file; overdue and collection thresholds enabled; legal and collection agency integrations live", + "stepsToPerform": "1. System attempts due/overdue/collection notifications, all bounce or fail (invalid contact details), attempts masked delivery to all channels.\n2. Audit log records failed notifications and delivery attempts with masked card number.\n3. System’s auto-escalation logic triggers, proceeds to collection agency submission and legal action; all documentation includes only last 4 digits, assigned to responsible internal agent.\n4. Cardholder logs in after several cycles, updates contact details, sees historical communication log with failed attempts (all referencing only last 4 digits).\n5. System auto-triggers retroactive notification upon user reconnection—including overdue, collection, and legal status communications with fully masked card identifier.\n6. User attempts to schedule payment plan—system allows only if account is within recovery window, otherwise indicates legal/agency requirements in masked message.\n7. Agent reviews case, confirms masking on all communication logs, collection/agency/legal documents and system state.\n8. User makes payment, system transitions account out of collection/legal status, issues confirmation notifications (masked), closes escalation case, and audits entire journey.", + "expectedResult": "Escalation proceeds correctly despite failed communications; all documents masked; upon user re-engagement, status and communications are clear and secure, masking across all logs/screens; recovery and state reversal are complete.", + "rolesInvolved": "Cardholder, agent, collection agency, legal user", + "maskingValidation": "Masking validated for failed notification logs, all escalated comms", + "auditRequirement": "Delivery failures, escalations, user access fully logged" + }, + { + "type": "Positive, Payment Plan Variation", + "title": "Payment Plan Proposal With Fee Reduction Limits and User Rejection Then Acceptance", + "description": "Covers positive and negative payment plan proposal with business rule limits for minimum fee/rate reduction, user rejection then later acceptance; checks masking and notification order.", + "testId": "ZBIO-5213-PLAN-009", + "testDescription": "Test payment plan proposal issued with proper limits, user rejection then subsequent acceptance, masking in all notifications and proposal docs.", + "prerequisites": "Cardholder delinquent past minimum threshold; eligible for payment plan based on amount and history; fee/rate reduction rules active; integration endpoints ready", + "stepsToPerform": "1. Confirm overdue account meets eligibility rules for payment plan offer; generate proposal containing last 4 digits, reduced fees/rates per configuration.\n2. User is sent masked proposal via email/app and can review full payment schedule, all with last 4 digits shown.\n3. User rejects proposal; system logs rejection, confirms account remains delinquent and triggers next escalation notification with correct masking.\n4. System re-offers proposal after 7 days (per business rule); user receives new masked notification.\n5. User accepts proposal, system activates plan, issues masked schedule and payment reminders with last 4 digits.\n6. User makes one installment on time; system logs installment, updates outstanding and marks communication trail as masked throughout.\n7. User pays off balance early; system recalculates schedule, issues closing notification (only last 4 digits shown in communications/logs).\n8. Attempt to push another proposal immediately after completion—system rejects per business rules, masked error message sent.", + "expectedResult": "Payment plan follows business limits and timeline; all user communications and proposals include only last 4 digits; acceptance/rejection/cancellation flows and notification ordering are correct.", + "rulesTested": "Payment plan eligibility, reduction limits, repeat proposal prevention", + "maskingValidation": "Masking on proposal, reminders, rejection, errors", + "auditRequirement": "Proposal lifecycle fully logged" + }, + { + "type": "Negative, Collection Agency Consent", + "title": "User Dispute and Consent Withdrawal After Collection Agency Handoff—Data Deletion and Access Revocation", + "description": "Tests scenario where cardholder disputes handoff and withdraws consent after account sent to collection agency, requiring revocation of data access, data deletion at agency and masking enforcement.", + "testId": "ZBIO-5213-DISP-010", + "testDescription": "Collection agency integration, dispute/consent withdrawal, access cut-off, agency notification, masking check end-to-end.", + "prerequisites": "Account handed off to collection agency with last 4 digits; user has active dispute process; agent and agency users active", + "stepsToPerform": "1. Cardholder receives notice of agency involvement (with only last 4 digits); initiates dispute and requests data sharing/conset withdrawal via secure portal.\n2. System locks further agency actions pending dispute; notifies agency with withdrawal request, revocation, and instructions, always referencing card with last 4 digits only.\n3. Agency portal login blocked for this account, masked error shown.\n4. Internal agent reviews request; interacts with legal user to confirm withdrawal, both receive masked audit log.\n5. System triggers deletion request to agency and records compliance status; agent verifies deletion confirmation, all references only last 4 digits.\n6. Cardholder receives notification of process completion, status of data deletion, and ongoing communication instructions using masked card.\n7. Attempt to trigger subsequent agency communications fails, all message errors and logs reference masked data.\n8. Final audit confirms access removal, communication cutoff, masking enforcement, and agency compliance.", + "expectedResult": "Withdrawal, agency access cut-off and data deletion all performed correctly; full card never exposed; all logs, messages, errors properly masked; audit log complete.", + "rolesInvolved": "Cardholder, collection agency, agent, legal user", + "maskingValidation": "Explicit checks on all handoff, withdrawal, and deletion communications", + "consentRule": "Mandatory user consent withdrawal and agency compliance verified in audit" + }, + { + "type": "Negative, Payment Scheduling Edge", + "title": "Partial Payment Scheduling Leading to Incorrect State Transition and Notification Mismatch", + "description": "Validate that scheduling and making a partial payment after overdue alert does not incorrectly revert account status to 'current' and triggers correct masked notifications, state, and escalation as needed.", + "testId": "ZBIO-5213-PAY-011", + "testDescription": "Checks edge case where cardholder schedules a partial payment post-overdue, system must keep status accurate, and issue correct notification/escalation with masking only last 4 digits.", + "prerequisites": "Cardholder overdue on payment; online scheduling feature enabled; agent/manager user accessible; audit log active.", + "stepsToPerform": "1. Trigger overdue alert—system sends masked notification (last 4 digits) to cardholder.\n2. Cardholder logs into portal and schedules partial payment, confirming review of masked card details.\n3. System accepts scheduling, issues acknowledgment (masked), status remains 'overdue'.\n4. Advance system date—post partial payment, verify only remaining balance shows as 'due', all communications masked.\n5. System triggers second overdue alert if full balance not paid after deadline, referencing last 4 digits only, with detail on remaining balance.\n6. Agent checks account—UI and logs reflect only last 4 digits, status logic maintains overdue/delinquent as per rules.\n7. Schedule another partial payment, attempt to pay less than minimum due—system rejects with masked error, logs event.\n8. User pays full outstanding, system triggers status update and masked notification for successful resolution; verify audit log correctness.", + "expectedResult": "Partial payments maintain correct account state and overdue/escalation logic; all communications reference only last 4 digits; errors and acknowledgment strictly masked; audit trail complete.", + "regulatoryReference": "PCI DSS, GLBA", + "maskingValidation": "All payment schedules, alerts, errors and UIs show last 4 digits only.", + "rolesInvolved": "Cardholder, agent, manager", + "stateTransitions": "Overdue, partial paid, continued overdue, resolved" + }, + { + "type": "Negative, API Payload Tampering", + "title": "Attempt to Inject Full Card Number via API During Notification, Payment Plan, and Agency Handoff", + "description": "Test all API interfaces to ensure any injected or malformed payloads containing full card number are blocked, rejected, and audited, with error messages and logs referencing only last 4 digits.", + "testId": "ZBIO-5213-API-012", + "testDescription": "Force insertion of unmasked card numbers into API flows, validate strict enforcement of masking rules, error handling, and audit log integrity.", + "prerequisites": "Developer/test access to outbound/inbound notification, payment plan, and agency handoff API endpoints; logging/audit enabled.", + "stepsToPerform": "1. Initiate due reminder via API with payload containing full (unmasked) card PAN; monitor system response.\n2. Repeat for overdue notification API payload; observe if masking enforcement blocks process.\n3. Attempt to submit unmasked card number through payment plan proposal creation API; verify system validation response.\n4. Send outbound data to collection agency interface with full card number; ensure transmission is blocked and error returned referencing only last 4 digits.\n5. Attempt to alter notification templates to display full PAN; initiate template update and trigger test notifications.\n6. Submit legal notification generation request with unmasked card info; validate strict masking in outbound doc and system log.\n7. Inspect all relevant logs, error messages, and rejection events for any unmasked exposure; confirm only last 4 digits referenced.\n8. Validate audit trail records all injection and attempted exposure incidents, with regulatory alert raised if masking breach is detected.", + "expectedResult": "All unmasked card numbers are rejected, with only last 4 digits ever referenced in system/user-facing messaging; system and audit logs are PCI/GLBA compliant.", + "maskingValidation": "Explicit check in all APIs for last 4 digits only; invalid inputs rejected.", + "rolesInvolved": "Internal developer, agent, API client", + "regulatoryReference": "PCI DSS", + "auditRequirement": "All rejected attempts and masking violations logged" + }, + { + "type": "Negative, Notification Preferences Mutation", + "title": "User Updates Notification Preferences After Overdue—Validate Correct Channel, Masked Notification and Escalation Path", + "description": "Ensures late changes to notification channels (e.g., switch from SMS to email) after overdue alert are respected for all subsequent communications, and only last 4 digits appear in every message up to escalation.", + "testId": "ZBIO-5213-PREF-013", + "testDescription": "Tests notifications when user toggles channel preferences during collection journey; masking maintained throughout.", + "prerequisites": "Cardholder with overdue account and active notification system; multiple channel options enabled; user can access notification settings.", + "stepsToPerform": "1. System sends initial due reminder via default channel (e.g., SMS), last 4 digits only.\n2. Overdue alert triggered, delivered through default channel and logged.\n3. User logs in and switches notification preferences (e.g., to email/app push); saves settings.\n4. System confirms update and logs event in masked audit trail.\n5. Escalation occurs (delinquent threshold crossed), next notification sent through newly selected channel, includes last 4 digits only, full PAN not transmitted anywhere.\n6. User reviews message and accesses notification history/audit log—ensures both previous and new channel notifications display last 4 digits only.\n7. Attempt to trigger message through previously disabled channel; system restricts/blocks or logs suppression event, confirmation is masked.\n8. All escalation/collection/legal comms and actions follow user preference and masked formatting.", + "expectedResult": "Notification delivery matches active user preferences at event trigger time, with strict last 4 digit enforcement for every message in every channel/environment.", + "rolesInvolved": "Cardholder, agent", + "maskingValidation": "All notifications, audit logs, UI references show last 4 digits only, never full PAN.", + "auditRequirement": "All preference changes and notification paths recorded" + }, + { + "type": "Boundary, Payment Plan Proposal Timing", + "title": "Payment Plan Proposal and Acceptance at Last Eligibile Delinquency Day With Immediate Reversal", + "description": "Test issuing a payment plan offer at the very final eligible day for delinquency, cardholder immediately accepts and pays off first installment, verifying state, notification, and all communications are compliant and masked.", + "testId": "ZBIO-5213-TIME-014", + "testDescription": "Covers time-sensitive plan proposal, immediate acceptance, and status reversal to check transitional handling and comms masking.", + "prerequisites": "Delinquent cardholder at threshold day for plan; payment plan feature active; notification and payment integrations live.", + "stepsToPerform": "1. Move account to last day of payment plan eligibility based on configured delinquency window.\n2. System triggers payment plan proposal with masked schedule, sent via all active channels (last 4 digits shown).\n3. Cardholder reviews and immediately accepts proposal, system acknowledges via masked notification.\n4. User makes first installment payment within 1 hour; payment system logs transaction to audit.\n5. State transitions from 'delinquent' to 'on plan', all subsequent notifications reference only last 4 digits.\n6. System confirms plan activation and next installment schedule, sending schedule via masked notification to user.\n7. Audit log records all transitions, actions, and comm events—review for any possible race condition or unmasked info.\n8. Immediately after payment, agent reviews account for compliance, ensures correct status and notification timeline with all masking enforced.", + "expectedResult": "Proposal, acceptance, payments, and notifications processed correctly and time-aligned; last 4 digit mask enforced in all comms and state logs.", + "regulatoryReference": "PCI DSS, GLBA", + "stateTransitions": "Delinquent, payment plan offered, accepted, paid, reverted to plan", + "maskingValidation": "All notifications and audit events show only last 4 digits" + }, + { + "type": "Positive, Legal Action Initiation", + "title": "Legal Notification Generation and Audit—Comprehensive Masking and Access Control Validation", + "description": "Validate that legal action initiation triggers proper masked notifications and documents, role-based access for legal user, and full auditing without any full card number exposure during or after legal case enrollment.", + "testId": "ZBIO-5213-LEGAL-015", + "testDescription": "End-to-end for legal initiation: notification, document generation, legal user access, audit record review—masking at every point.", + "prerequisites": "Account delinquent past legal action threshold; legal module/integration active; legal user and cardholder with UI access and audit log enabled.", + "stepsToPerform": "1. System detects account exceeds legal action threshold after collection failed.\n2. Initiates legal action—generates masked legal notification for cardholder, referencing only last 4 digits.\n3. Produces legal document stored in system, available to legal user (access restrictions checked).\n4. Sends notification to legal user/manager, legal UI only displays last 4 digits; system records complete audit trail.\n5. Cardholder receives legal action notification and can view communication log, with only masked details.\n6. Attempt to access legal document as agent (not role-authorized)—system denies access, logs masked rejection event.\n7. Legal user downloads legal documents—verify all instances (file/PDF/XML/UI) display only last 4 digits.\n8. Audit log is reviewed by risk/compliance officer, confirms no full card number or unmasked data appears anywhere in chain.", + "expectedResult": "Legal notifications and documents are masked at all points; only legal role may access legal records; rejection attempts logged; audit complete and compliant with PCI DSS and GLBA.", + "rolesInvolved": "Cardholder, agent, legal user, compliance officer", + "maskingValidation": "All legal stage communications, logs and files show only last 4 digits" + } +] \ No newline at end of file diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.xlsx b/functional_tests/ZBIO-5213/ZBIO-5213.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..d4e8248520e14178438bdd3fefcc324a62719e05 GIT binary patch literal 17617 zcmaic19)WHwsmaVwr$%^$F|dP(y?vZMyF#Z9ox2T`_H-OoqO)P_r3qE@2mQ1SIx2J z+GEaIbJeajwt_S;2owMS00aOKn~QebYB!_?AOOG>2mk=`*SlK6cD7C?woZB~?)D~* zI&^L})>VnJw!aw=f*yHA_h_YHbW~JDf9KbaqLtkN%(@BD;H=)HcCET1QIt~=lwh1h)`rhfn1rPv_Wrq%IqqRA8f=sC9r|8~mx~&96UQruC z;W`-$UpI*@c0*J_U%SgZg{lm&S7_p?K@(bI9BsFNtA2OJoh3M>@R(TR|W?$Hm6 z@9MgxVmE}Bx5agLOJ+FFmmf%T0t){^GzHt&zB*b+DpdEhyHl}l-Z5~t&j z9HH_ubKo_(R8j~>vOha6Q9M~zU(FEuRPA7aUHx!;$(R!?Z>V~ zrI_HvWko}eZe_7&N;ya8hD*nFT`AN|o=IlcfKQ<1YwMt9CcY7*Q||b*3$H$a=>>2` z9z9D1l4J*u(PL$C8H0-J7~{t-?y5--IBxVizU1)0RcOJ$M||6I5_+AWoa-aWzp--(9%lb}DSaWpqEar*Z(wKX?%&IJVkV8jOi z!1xc_e?S=j;4^7i%Q0UH1$682mYQON9Kv5pikWqTd4S}A$(?LT%(A=DckN&?2QBKj zVM@g<4fAbAOQ#LRQsID>k6+d)QSffaIczra7S==J$7rpD&3EoO|a1uwz6;nrK=x&fzZ65_kHv}ybgIlAI%j1YNg9p{NBS@s<9 z#Hqg%>WWmB8ZBHkWJg9UhRb_!`CLZOsJJ`JOs=+zQtVbf%}V6UF3vZ>ZiIK~6}Wev zrB>TvZ9689?isxLcW5>0Y@MOaJwmsyq(HB&1G#o}Uw3M6ouk!vzQTRj`gQ5)`@F-s zobPHa^6{&@pOWGWa!$DNFBI>%44Zw6{$U>0U?VmC?i~wmcCONiWig#(jcYB(`0Auw zG&j2v2Bq9_co5=Kmh+9?C4UwPDKp^q@d?t4)~!-8XRzB{shWq|mw=fHKocK*|hE;(850iLc2QWeS&o)Cr#3 z7wH990+JWNo6NWjwtcf-u1M$X2$gbyj-Y=9xKRDo7v&Tn)({s+sghVA+_};y%a9km zP~8W3W*`GVN$AVN6iO^oD@b8rH9$tlt9H%YVXJPO;rW+6FRo5_1H42n90274AwfSE zP@($ZS8tpI{V&+DY#Sh7Fo43qVlI!wDOLhf7GNF+zP6;7vlG;3Pq4jP%-BgY0lpl- ze;(jsd-ApEWlk!qOS(ZywB10(?z90q!Ml!D%+bo%NTj&}Qr_Ybm~4O-j)D6oJ}V58 znehFWOO#l{EWnxScF;RGvyIY3ci|d|S{Fdd1-!3w{5lzMu11Q#N9bt*v?q;BVAIas zJ+M8Nk;G(o@-K97z5F*mU?ghgzD|$w%N%nnj@r9I>43I_Nbef(IlQJoXIGk!O7B+j zIX`AZ%}b^8tU#$5Sw+ewweccmWW+U|lz1#{g>A(7|;NqK+WpNFV8 zcd##$g;6|ejChW>)~gT|^)i1;`_i5|_H+%(I7Q3v>^pTV_8Qb4Srbr8f0Y2;I%$s< z8tVlL)AgQkk{8yDP-Uvm_DN(HgfQ9^XAP%VEQ03D>+32C=_h00{5A}+Ql4v7zN zx2>?)wkaf%^B87dhq{jtA8^K`lJoA(REm$y;xTSA6IVNy#Ohq2+{BelR`03qEXNNA5>rTyw8d3dUvdOq^en+LOR1GLjP0dXip9x9R} zNZ|q;W8RHzo`c*|B9A@wR3f;QkQ-~;n8{YF3Ls~MohdO-!mL$C0jvOITIXw|`N$e| zzNVk=5>Gp1dgjm!*Qc8qkF%T;8hP98URmfseZF0ZwJ5|=<2gG|wMsj%K-jme^?1)w zL3mtL9CX6nyvLRuRCCr7Nf+M+9GZ(Tyrph^x&My1@9OYLWBa4oXGN1IW0n7$@AaP* z;LpX!rl^^3A_V{dUN`^%%Ad2kqq%{DiLtVigN3b`;~z76md>&RvAB!ZqMFKGKmbfY z;KMXTJdO%Ivy)R3#`r}oubrrhKMkt_s2ZBY_v|-B@9WEFY0t&4%+)Y&%qb-Et<=77 zxLGUmeo5hXSv}c+?L2SG$?U3;d$$9*-*h8M-y);k!=Gd(B^1gL4u*u1O(KuSu z^>*{RUv1lFHs8wcv^zPuML$_Cy!dh0!+Y4}d4G7B^L~?H=ksjwX5zWlmXo|o&rf^3 zdDG;wX6j>|sRw`V9av<%>FV8XE#>3I_(`04zx8oD^@7&P@jew}d%5|jX4{=4$M5WO zw(j9H&V2~K`u*j2>LsRTy<^oBzj?K{aiHbtkT)}Yw3z2k>yWe`<5@?@9B@KjYe4=P3Fw|qYZdx@Q49};+)OyXO{b^)--UpCO(++C%5emY$^Cs zcv%GvDI4|8g5H(yK-?GLK>6u81o@L5+g%&hSbP9!bc}qU0#JCxe`v<~Eu5_f58nE!Glc(WkDOY>?!I7i(aPSCffVCm zgZFj6;&!C6eWTZQacj^sbwH>DIylcS58epg7S;uz3jnS194kwos>G|wOQd0YznAaZ zX~ z4}2$6<2oRp&+F=sbi;RyY|A-NQP2)XZ_=Z;As}(b2&xWkaqMKA4@j#AxIqmS>=2}k zvG=>T2)l%3n^!IP!`9LZt;eln3;l_<55PV+5I)oL=u8jU8?UlNOMIwwN zp$adT33gsggW@&Wa|=#9B(pX}3V%BVk3XC@1)vYTeaP}E(rK`d$HrW@fUbp-vJS`K z_+;9&frmA?8hZxw#E}U`56ND10@sGUmUO34@2Z?5Iope?Q|^`vu=NQ;BYyt?_$b{E z={2@2D_cQWq++*GX*_6f_Jpx|vSO3z zoE)?`WUZ+_|MR`(^I> zM}XBd*HO8Er`)OhI2N&!41KQGZdZ!$1|-46ighO>%sZ`3G>0YTHtvHMkbqe27~287 zfN_nh_+p8@J$^eq*$1WolfjW3<)3#un09Oo80+B}dcVyA;XjFfmKuHz9YWO&uv%|L z>ffRxntF&PF!fOeC~%MrhA(0&grJ25SGfEfciSaNEr}TIcpuKhZoo^#3&R3|52)MZ z+u2XXJN#|JIeRYc;`-{*4s0-FAjjfFU{g8-tKKTVq@{k@i_1}`nu{8WTfQV<8=zxd z-YLBwFd6!ZZ`O$b5NveyK`%+R-AYXdc?bptt&Y}rhxUDrj3?}L9;FpPin?=whS>!q-~sJCo7@ z_I;Z4$>^8%R-yU)p7bC`uz4Zb6W_JL(q>W$28>W+xAnBIR@Q4^x$DNFv$W?F<<1iD z5Q<_bVoh)a8&{Qj&bR)k1>rYeg5yYg0XxLGBr)ePHw&wl5uix$-!(X58lz0%=r0sk zn5ePS0~mQWwY^0zLp}%jF@XT(l2rt~Ak-|6Kr(7gmYq!aT0+t0i@lRaXygx5E;}9pP)f#?K*E=3uu>w=;0#63jb*-}JcrNCm9xOHE{^9N0waLM;!nUC0 zOjvkuM@+$;Yfd+8#e+Dxo|$mba4W*If?Sj~(!k)M!l=N~H$MSLj&K6QTv%XR`H*xn zB|yhq3kwMm4RJJ$Mshx8iV6(sA=QWKd#4&9nfzSjV?u@7%vLD^RYw8(Q0`=`crXDF zEbz|$Ewk^ZiMEA#!|t+P>evqvrKk?_X@V_OShP<*x?V8vjL+Fuu%nQ;{qkBxDo7e; z+aR(1BJRM{buLFE_}5Cw#6}OD94bp``&$B_;@_n4#e}9iIiDJZaYjZGbb85YAez%9 z>n(-y3zyh;B@^+sVOJekLdFF*hd)cVA^^gjkkuYky!X_cL%18xwn$R8XwD_~_aI+w zY8{siCYRQNlDhpEtN_E>g||Mb0ew3BdbYgEeV?d$Unz_M|0GTpl5Ca@I~EF~RO3eBB>UK>=`0bT4uGXVMKK@v{E9nqR|Vk_@06fJc!HR%K}*__&BPc!mhx&y zL*Zzy6+MTrSBL@aICMhdSk42D{k_@@z#U$w9nu|cnviC~fogc61h$GD4_<;kl*wB% ztiD-2sST0wZ4P>RpQ!P{QIX)c%)!-24^1chkRD0#w-w1WAVfG93Pgo9g%nV2{Z0GP ztIsp_$jB*z{s4o4BW`XZnJbxBf7Jcc3jbT_*DCBh^W_o#!1$f`pTW(ixgZir_V%>F;apaU= z+cL5p5IELG^@M2fMeS#8aku%4SAtsKd}%hSc1L;NP-^V_dL==k&r!9bxc1(z;)&hZ z;sqhbz5LvFhR8F5Btxl9mjU*KxIuqZMeM#)BPQ=Tzb7hc275&qYY)@!euo6b2{09@ zFp`+{h?eQPoclW=L?Lag#|a_EGpQats-F}B;|#&9o*zw- z8j^DRL}hN6*F&5@6WF?Qw1=}xz@beLcOhi%3F<6fP9?9?AfSH@-jk4j&f1$WAt!X@ z(8Cm4P9XXYhXmmvgu(C`dBcCr+(L=gYvuSG2^*|}q{0tM-i2gb8rc&MDa(*4kql_3 z-xxkLfj;y$_xR@g2Y~D*s-Ut%!|rticuu7tInitXB1(Euhf1J@ondkM@Z7vd7Bi|A<0I#FNCe$*)o54Ps9?lyr9L4S5yt2%D#`qk zvq+^PBGZ?MBSs;L9v~RDRzB`#E@Cxej2v{V*2k+dxf!9&lp- zNG&g4T=J(pBC`VW2$AY1!kf8-untiRfZAn`1j`+HQZq=S8?r3$V-j?_(KwRGSg4;g zk~3)Sc7>2fI9pDjz%%OZc+(?SfoGOUw1vjs`0QM8;)^RVLdJ>RkAXKdOw?G`t!IBX za;LWcc-cD8lS!7I;6UGfBTDRfLO$+) zkcm~uCixX_aTTN)=$|mi5Cvlg6LouTgPu^yfy9@}VkelEh?20`qD*ofX8%Z2QLIb# z%gU`82~HNSA#|35r2nq6L}mdEPaNm_BDi#9KHHgrPnFxa8AwM@{dOJnbW@5w?<8?0 zBYszEM2x_J-ZcF;E*RW>Y*~o`y&au*QGyBkIv*pir>Hx^VZ;n!x4kZ(5^zv@IAGGS zNkudZ&A5sT%Uox5WhLbKv@)s%XS^lQbdrD%wg&BlDQJ)gK!MC`ZxFk8>g}q_61}b6 zoxocs>N$B*jjLqcXv@szpJ1n$k!A4&5LGQUu^Vd`%wSq2)ILmVLDNl6)$!q8V7eId zuAWCW#R>Yw#YG}qPh1t8#W?p*+%Mq=`Pkz7WERqlb=i4?{KRO_A`o`3m}%FB550wF zDpX-0u-aAt-oL|%(H-2KDRX~wwJKXc> z#sp5;^JUy4DL=?oSp`Ed{E6=h$$m67?Xr7Nd1qXa*7q6YPu2(1BNhb^-+iv+LhK3D zH4wpL!7XR)c$KLBZR3`JWk(nYMyZIGG-V5FCq{!h9uCuueWmgHE;ek)2cGz(44YDcKmQV!a;)$6XF)~CKKZ^G)y1v(WX}o z{!O#FO>7N7c|frur0tuNlf|$UPS6?MVuQH{rws*OIaw^C(;MpN2)gKY2UEH$<-Vk# zGN+={hFy$=1|=euBCckuPXY-KmX?d?>f~k0d=-i%6pNic+)VmcZ44EXU5uUqu_}bfQ3Z=& zT&0lpLhpft?prX$+@;vC7OVsm&l5Kk%LX?!#*!+t{sWS^?j*{ARGm9KPmO!mUmI7a z=+$C#yWvBu?^MYUnH?6~GYMV_z`{7-y z>za0T*1IDINC)Xi2w`;SN66)#@i|O__?yWwj391%-z)KjG08>ew#=R&InNNB;F0A| z*%Im~30sLv@7^~#Ur*&V!hkH{Wk1L=QLq9@Whae|LS#*OO=M{j=l2AgNdzoUG;-9- z!wkiq!0Le0t2;UZPT@j9+@Rvik{0Z%!ukuKXkbtJ>TaVBcz#-igD!J6Ad3gu56=Uzf zrAJ>LfjT_UCyk7}G}A%pl5$k0lD2ZfWtbXp4n#T;SaKc)U=#F9XWuzxe9Tz}*!j6% zw!J6%EYUU<3IU?vFvcExi4d7-nn5b4@^%8W5)p=9;@fsRlk@$EA_C?SG#tT8NS`o0 zl5trYnFWwMUJ6QNC%B>mpA0PqV1pJ)Fa*>~7!QIQM=@8xK`M;y4ORlTk3X4>KP+Lr zdOGIv0>lW^PdcI2f>at<5ARkiXGP5CSea$FOPdY)y1q_iogGOt41MEG)_NB3&b2p}8wNwxt?~ zlxVz##5n}*|9o&&`Msp*F=|PcpMfR`{f_=!y9J2Tw|UY4Wd4D&LrKnQ)B%+AGVn5^ z`5Yo!{mq!4wGIL|39j12T*}ypE}3v0VnD}u_>iMLBY7H`v|u+7+;~DKE!B7U&4&3W-mg%MQ0#}7>-Xqmbv&=MGz`dP1R8tVL5fd&+{%qWblO|-TkfZ})J z9KNWZX)}LmpK`2y!5Rq;=YezEFNpX^i?;A9w&YhrxgCxB&wQvW72XFSQijpTSv-Pj zJVVQLW`pJ<5enb)#Q?{rHv-YxUo_ps*l%7?jjxqFY$hv07SMi&{>Q3UAqM)io?D&= zFgIoH(a$E3J&v)J_Ei1+@f9UHOEYK|^P4AmyimXiGm>IDH8@BHVin{w(h(c|Aa{8DAppj}y5_vW zoxLRmd{>7W;uOZ=|Fc?GuO0O3?-U|lbzLOaU)xEN5XmVj+04zdWM$&a*FjN0iI}VE z^z$__{SF zu1z%WS{!X7a$|&Qcd}a=Wqap=&Pe!S1j;A82e@J;d$JbLotRAu4oX8)u^3YBDIMO@yYitxV8gS3gL_Ze8$g2S9Z0bK#C zi22M9c1@15qmPDp&r96Qky$DZ2Mv)CBsq*IE-y;oq?A?%$KqppZ3>8cdxctmphj#L z5A`k08OaWO8;}_k3fjl|>_BaZ^EMMT6Lvtby8lJm5q8B2<&H2Pq-r<8ol!1l~to=*u zdBn=;=m~ogc&Dz81~(fB)??0|V^#Id@W?oc8q^(_E2aYvH0k-*pJ$m^I;i)Q1vKvK zyeF!%BTh^SEZ(h9_u+hFNyB_s0~End7a!GP&s!Z$T9f@BPFC^VxQ7vC$U>EEoG`|* zs`?}o1;?v5DkiI0@{Nl;QpNQQO69m2ZyY#6*VO1z8bpDiLCd9U?1$wINFE~TWzaz? znSt|QV@%({fr2`D4{uJpK|$FBipRH*p*`n229<>4>4KBKl~dx1O|T~_^lhYV?q84Q z=G-V4UgT#7vmr8;B-#y7CFgCC!x#?(1P74i<)dt8H5#$bV7^a?-S;%_*h{O87C3GR zU$m|AQQyc#cXA;VG8iK{G9%)fpJaCITwTa`)+8n=*kOEsRMI3RrD1EcUJ1Kbl@^K> z8>na5IDh%Uv+9J21F4Y+bNqWHoVW$@({wz~GQA;OroZ?b4kP~{rVjFON}>MLH>heL z{vR&caTZ7w}p%^ke zGH=pKUlc0SzwyTiq3mmiGy?bY6i`cc(0jhKu4z(Iwhb0@J3yyD)aHkg)uymlZ5l-P zT^GaEV*7KrnNkZ;3ShD26w2OJUWRG_=M28PmCUmTxeNvrrSQMla47x|PU%C;gQ_TEiyl+6n zN)~2ZJvc=&yu)(d!E%01hpyj_DkY@2m|Bp5qn%3z0!mCeV;A2oQraEkF6{B#)FHg* zkDZ~!@B!85ek4EM2QJ-i4f;te36ml#INoO}$y@80P`3KETiG8!H?jCqdX*|lxKC8y zN}&%eSt0M-v0nJz+7cqT8fsup65mEn6@4AIuEiWlsmg7+DDy|06#lQoiSRU)GYDGzhdO?b^12QJ{7~AB! zkVUJ=$~yA8Z{R4nL&LZMPqOZ(J#$7mB9P{6PQ(om91iOIn8$95aHp-`sYGLU2rXeu@cGe!UY<%77B#iK){xmcK5Xq>4PGvrm$r( zRYm=k;L0ecQ}_v?8)hax5<{@rgH{i{%ZI*oftT?_4GHwC;Z>J-vF3f0%+geu zsCpy1@AOyq-yr%^R%#`s&r05nls!l;57XGfbCUvdhoxT2?RWC?gUJJYrO)FNjo~Yd z9V(?nyr^)}So@Jg};6x=NguOxvZw5Y%-?5$4YO4AQ9VSKFR)Y3)|=41e7zMIRd(1|Mvhg}e! z=r0^fLsjMKa~zS$XpA?o*o%&=eomB=MG84RKPoBs zFN>OK=ZfmG6vip%V1Ms!=(whu63H?Dyb7?;H_XbZdNWI?bnRHvkuNBN2W>v!bP~4zg|^rX_4X2+#5OREY^yH!-6FH=|oD3*b@+Mo@nFnuC>h9 zNl4i)jM&=GlM3C@9%%Jxn#IFcoc*b$6Yu>HZ11@o~S4;1F`S2H?Q1EnDwK3!eJoc0TTgZkzM4zowQ)?2NU^xk00&qheGTI&8ip5bT-clQ#BKr6Y zdOx~Dp?(l%7lkFhp62W@hl`QDLuW4UonzCIyE+xQ4K*5YWZIyYG0ewQIq zRPVUP(JA&e&E1;AZo7S&P6%OT*1E;OAf`tP$nk`Co+QDHM}yeT?L-DV-bbRySo`wj zWF?G*&iP(bUJ$MaiQsDzSo@x8c!S{N-y7Tks?eO@OJ-9>gPW`jCCUgUgJ48&9n?IX z7^kmSNzNH&1Aa@)dj+Y(fHuDhOolQa|~j`1Dfj5@%hWrpq`Ue??xp(*hJdw+_fV zay$S*sObfi7Q#kGsMn=Et}L~r_jPB~9GLs#C=EFi7*qTis%pxVQi}<6{?p)t1_ugG z%mL>C{c4(5*^w%Oiq$W}gojGM0LtPRKr`82JOzv93Od=MKpYWE)rC<-oDVjY6b(5S zh(@KLg!V%jhYoCZ4CtUfWb_TrKk|h+th*JR=!ARiCQ|h6Ax}Z6S53_I_}&41XaV(n z!bmWm9kekdv|hj?^#K)FJh52RR^n)fzvOW~V=KR83KIv1?N6xbkAP7gbd$klT_| zz`D~g`ueRt!6jg@8aikdNEnRG>DdxxSiZ>u|fSCpjeQgrw>8@O^kBF;2bi519)Dz}0RPZtgal zpn$7|$(nz*v*%)2y+T@+1Xyq)hm;JWBh4(a^MgP39gZ_rfKSW1iJ+vR$0<*|Whd@S z5tn&T)>{*N_gJ>>!+R-Vx30Fyt!$I)RB*VbLIi}is`wV)_pDGhkCsbzhH6o z2R#_AK(9&u{5ZJ3>D{;3f;8Q5MNkwz740|BWRIDj@~~~CJ2u}ETVX9(2>QV3e+(<6 z$II%>PbjDVIVogHuZzB7QONsr)mjjU2rk0nITTReT|M>lB^b_!Z-^c!6dH^SL z6C0C%$_D=2?C6rguu1qO!@&I7!v2RY=1W)br`bQA|FL`hTtn7wl?|iwQVpTC=_W;q zyi~a_dfnD$h2T5)orH9KUoaAAyxh*}6dpJX#sX{`%#uxrftDZIQqe2xGM6>(RM$_n zg%HXN%S^I$1p-bEqI;f8^vy?73%#!II806wfrUIL>h~3_&~Zcicu{ZB&ORK?GmWt- z95)QRh{x*6L{-=s_&S5wR0M>A0x^4F7wUdW*TFW@=*6||BSuI)ZH(xI-xyFj&mlcQ z424bEEgM+5`&fP{1PaG`*zpw83HFKR3hz(nj~BqZix+cJ9#>TiH8f77(mEUeJsmK4`>QCVO8=v3jZU_qr(mJWQ zc}&PwjwC2%81vV5jABwKH~>qb2UP{3jVwb`5En_#V0e&vXyTiLJ;mXTcL5m`Rzf>) z1IU(M&Qk}2hhvv~xkn46XVjN|5%3EGPji(`E%p5mlHj#svAho7M45GypI1xdh>8^M zgYXcH*LX^r;g@jEpede}Q^Mh`sp-JXg~TSN>-mHc6@s`@NWK2&Q;TSfk&kC3~imxz>6g+B~6nV#8#*-R#U zaoJ!;74nY!5Iw*htA(4M1?jsDtQ#}L{NO&+@dO48>qnE8;dHChjA5Yt3r>=J1j4wC zYBx)~_2rWH#zio!0*cT!~EY*0V=G@BMGZQh5nrJyR{uZ%{PI@6gP#EY|Z{WCTIOlPMf z)z+|f0Pq}(ObY3*tbIY$a+FZdz&XHl?p31b9iKZz7*p&`YRgdz)r_D%CdsmPn4sM% zU7AxS*rl7+gp|1MOeA%f5r4Ig95mckRF*6yIWJ^EWldOc+3dTq&74k-i1;y%;JT{tgGLi0zaYBdf&~Y< zh2uiqh$Fbi2qQoyjfGee}EMd!}DgXs8#wPfY_SGKxDLzGD@lG$ZAy$8{F zT=1-vzk^~nM%z?*Bg^Xj=Q`RCi=JUO8EsY8qNv*@&-~CO_;z9zL*&|!o`7%Z9(YMV zZCGyneDCZ`G&JaL+kMfxo~eK1nch;B_NM;e-h)Kh^?sdwb#jyL*Ea#+)-{m z>u?~mcP!UIgM<1h#{b5RfJU`9*ZD56?&n)4T8?-otiTm!5lX68LC%&ST(w@L^y}gX z+%o1xLcu(a3L)^Ud~A1iZyviyhaEksskmjHX#!7dFZQQ_(vg)U0}aaFIeCm!xVEOm zs(K)?&lMm}g63s=%=mo6L}O9o-Ma9q%EF}Guw`3YalPWUcdz@XTw{CGp#8nzF!&jO zO0x_%Is7x8F&I@e5`@FO6gTyPp#w-`lQTcE!RL8xg-#MAy0^#t&Squ!XPML_vdV`CI-=SROtBUFZ>k6B*|Xh7SoGwq^F%SF7W11JV=~w^ z+%DA~ttn~`Cxla^-+JCtRM-1oqKGb&? zpxnN?E???0;IFCz`(NAVo!qTW{;_YqC{f2Qg8?P@@{yWmQyCbRCd}8;B3z{`gNil5 z<fScB#KJ~R?91Z@)=q%<}R;zZTLk&8~Hgu|7`{u@ltVJTeqjS)hSUwqo= zH!Z5CRWtIiLY^JgmII+&wGa=41`xJwnj)vu6owrfYpS9>E0|2qW6W7rUI;7QN?M2OTs(F-R-Ssm~5rQgsIGIvgqHYy55~1EH|%B2SdPOO^69b zBO`Ff`DHc3C%FRNy+6AjS{_9)UUTxhA8)MquS^-Ue%wBB-P}+>EM8kXqwi0rJsw4M z1! zeqV}V;xD-+!dD*u)6Br${vQ&MctN{W2AH7BSJdE(sIzK{V1aLnh14GA(*Tlf%+#~B z3K~oz3la~f2!=d=S(%EF@e z6|UW{sR!|2!)0XWVDgW6DUJRi?{0sjCfW=THb)E>id_j;j-x`ID`#KS?Ix|I{b4b* zx#%A2J5tt^m9>1$mq{lliudO0tW?2?8AF8RyQ3-5kdZL%fjJ?u6-(LUP^B+NWp5m} zUbIG{t>xCR;wuVCcO^DLx;8e9H%*er)fwX75~oHXZ`(kN;bHDN$Kb8co%unwiYiA6kv9n4>OC=VbgI$GR_%N)^q+ZK&wEa+FPI%YE^Z$ih*o-sYm zsDp|eR@tSG4F5NJyYbRImHTpzSQ=EGZ8Qwa44XN@W2K@yBDGrz#*j)$*Swgu>r-rw z#$&uEb>H1@Sa+_L!xe%2gMj5qTH8E7f=;9v1G5@crD2BxGC8%M9qmX%2Q828>62XA zY|H=!6o2#d;0T??@_id=Q10z^Q!cq8VR{dMkje~tWDt{7zo;T{9rf<@)ay<}Qs(zJ zA#P|;Ug5%u8v}PIgDz)Vd4|mae>TeJ%vuU;2BPRJ@Cfn-XfYC}-e^&L0hL-n39&lK zjD~2+>-3K_j>b2>tinb4#oQc{$5sEAFDW{2w zo1{ofp~6`kxPNyEn7>O`uy9SzT1#m>KO$uaP?d^S%%YcL9X%D_Y7B6asxt{LfjA@F zL~heHseS#rygO|@nFu{c^>RVn`1B3D5EKo%6+mtIZDpV{&IN_dpkyA##5HS##*;zw zf*mk)gRUSA2!sOgzu)%YD-{3I{)d|&{N2HSPL_YD_5W;t%!lD$;r&Zt{@4_HQNm z-;Dj)%fD+C|L%qQD+#_v@E^*>zkB$=ut{ukKaR}ud9 z`#&!e|L(w&^Usn0bJ6%W^#2+%G|#`(>Azurdi?i-{