diff --git a/functional_tests/README.md b/functional_tests/README.md
index 1c972b2..33a5a89 100644
--- a/functional_tests/README.md
+++ b/functional_tests/README.md
@@ -65,3 +65,20 @@ ---
+**Execution Date:** 3/25/2026, 1:13:16 PM
+
+**Test Unique Identifier:** "ZBIO-5213"
+
+**Input(s):**
+ 1. JIRA ID: ZBIO-5213
+
+**Test Output Folder:**
+ 1. [ZBIO-5213.json](ZBIO-5213/ZBIO-5213.json)
+ 2. [ZBIO-5213.feature](ZBIO-5213/ZBIO-5213.feature)
+ 3. [ZBIO-5213.csv](ZBIO-5213/ZBIO-5213.csv)
+ 4. [ZBIO-5213.xlsx](ZBIO-5213/ZBIO-5213.xlsx)
+ 5. [ZBIO-5213.docx](ZBIO-5213/ZBIO-5213.docx)
+ 6. [ZBIO-5213.yaml](ZBIO-5213/ZBIO-5213.yaml)
+
+---
+
diff --git a/functional_tests/ZBIO-5213/.roost/roost_metadata.json b/functional_tests/ZBIO-5213/.roost/roost_metadata.json
new file mode 100644
index 0000000..c05a9c5
--- /dev/null
+++ b/functional_tests/ZBIO-5213/.roost/roost_metadata.json
@@ -0,0 +1,19 @@
+{
+ "project": {
+ "name": "ZBIO-5213",
+ "created_at": "2026-03-25T13:13:16.511Z",
+ "updated_at": "2026-03-25T13:13:16.511Z"
+ },
+ "files": {
+ "input_files": [
+ {
+ "fileName": "ZBIO-5213.txt",
+ "fileURI": "/var/tmp/Roost/RoostGPT/demo-functional-test/da169bad-71da-4de0-9b7b-997f012b7ae4/functional_tests/ZBIO-5213/ZBIO-5213.txt",
+ "fileSha": "0e017aaae1"
+ }
+ ]
+ },
+ "api_files": {
+ "input_files": []
+ }
+}
\ No newline at end of file
diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.csv b/functional_tests/ZBIO-5213/ZBIO-5213.csv
new file mode 100644
index 0000000..5e7cbe3
--- /dev/null
+++ b/functional_tests/ZBIO-5213/ZBIO-5213.csv
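Review bot: `fileURI` in the new `.roost/roost_metadata.json` records an absolute path under `/var/tmp/Roost/RoostGPT/` on the machine that generated the tests, including a per-run directory id, so the repository discloses the generator host's layout and the value will differ on every run. A repository-relative value such as `"fileURI": "functional_tests/ZBIO-5213/ZBIO-5213.txt"` would carry the same information, or the `.roost/` directory could be left out of version control if nothing in the repository reads it. `fileSha` is only ten hex characters; if it is meant to verify the input file, a full-length digest is needed, because a prefix that short is not a usable integrity check.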
@@ -0,0 +1,15 @@
+"Due Collection Notification Generation and Masking Validation Across Channels"
+"Data Masking Enforcement Across Collection Communications and Documents"
+"Boundary Escalation, Alert Timing, and Channel Override Handling"
+"Collection Agency Handoff — Data Masking, Feed, and Error Handling"
+"Legal Action — Escalation Trigger, Document Generation, and Masking"
+"Notification Suppression on Opt-Out or Account Closure"
+"Payment Plan Proposal Eligibility and Rollback Handling"
+"Legal Escalation Block — State Enforcement and Masking"
+"Regulatory/Audit UI — End-to-End Masking and Inspection"
+"Multi-Recipient Escalation — Joint/Cardholder Notification Coverage"
+"Alert Channel Configuration, Override, and Traceability"
+"Missed/Failed Notification UI and Audit Recovery"
+"Overdue and Collection Notification Content — Lawful Disclosure and UI Behavior"
+"Backoffice Manual Escalation and Notification Customization — UI and Audit Trail"
+"Payment Plan Proposal Eligibility, Rollback, and UI Handling"
\ No newline at end of file
diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.docx b/functional_tests/ZBIO-5213/ZBIO-5213.docx
new file mode 100644
index 0000000..c0671de
Binary files /dev/null and b/functional_tests/ZBIO-5213/ZBIO-5213.docx differ
diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.feature b/functional_tests/ZBIO-5213/ZBIO-5213.feature
new file mode 100644
index 0000000..53ba727
--- /dev/null
+++ b/functional_tests/ZBIO-5213/ZBIO-5213.feature
@@ -0,0 +1,245 @@
+Feature: Credit Card Collection Lifecycle — Notification, Masking, Escalation, and Compliance Validation
+
+ # Background setup for API tests
+ Background:
+ Given the API base URL is set to the collection service environment
+ And the authorization token is configured
+ And content type is "application/json"
+
+ # UI background setup for regulatory/audit scenarios
+ @ui
+ Background:
+ Given I am logged into the collection portal as a regulator, auditor, or agent
+ And all communication, notification, and audit modules are enabled
+
+ # API Tests: End-to-End, Masking, State Transitions
+ @api @endtoend
+ Scenario Outline: Due Collection Notification Generation and Masking Validation Across Channels
+ Given a cardholder account is with dues approaching
+ And notification channels are configured
+ When the system sends a "" notification for card ending ""
+ Then the notification is delivered via
+ And notification content contains only the last 4 digits ""
+ And the notification includes
+ And compliance/audit logs are updated for end-to-end traceability
+ And no full card number or PII is exposed
+
+ Examples:
+ | accountState | dueDate | notificationType | channels | cardDigits | contentFields |
+ | active | tomorrow | Reminder | Email, SMS, App | 4321 | due amount, due date, masking |
+ | overdue | yesterday | Overdue | Email, SMS, Portal | 9876 | overdue balance, escalation warning |
+ | restructured | today | Payment Plan | Email, Portal | 1234 | payment terms, timeline, masking |
+
+ @api @masking
+ Scenario Outline: Data Masking Enforcement Across Collection Communications and Documents
+ Given system notification logic is enabled for ""
+ When a communication is generated from account with test card ""
+ Then only last 4 digits "" are present in outbound communication
+ And no more than 4 digits appear in UI, PDF, legal feed, or logs
+ And masking validation passes for all channels
+
+ Examples:
+ | notifType | cardDigits |
+ | reminder | 2345 |
+ | overdue | 8765 |
+ | payment plan | 2442 |
+ | agency | 8822 |
+ | legal | 4454 |
+
+ @api @boundary
+ Scenario Outline: Boundary Escalation, Alert Timing, and Channel Override Handling
+ Given account with overdue amount at regulatory threshold
+ And due date is
+ And channel configuration is
+ When alert is triggered for ""
+ Then alert notification is sent only via
+ And alert includes only last 4 digits ""
+ And escalation warning appears
+ And suppression or override works as per selected channel
+
+ Examples:
+ | threshold | date | alertType | channels | cardDigits | escalation |
+ | min | today | Reminder | SMS | 3222 | not shown |
+ | median | yesterday | Overdue | App, Email | 5555 | warning shown |
+ | max | tomorrow | Collection | Portal | 7878 | warning shown |
+
+ @api @agency
+ Scenario Outline: Collection Agency Handoff — Data Masking, Feed, and Error Handling
+ Given account state is "" and eligible for agency handoff
+ When system triggers agency feed transmission for card "" with amount and legal state
+ And a transmission occurs ()
+ Then agency feed contains only last 4 digits ""
+ And feed has no unauthorized PII
+ And failure/retry/fallback is logged in audit
+ And outgoing payloads with unmasked data are blocked
+
+ Examples:
+ | status | cardDigits | amount | legalStatus | transmissionStatus | errorCode |
+ | delinquent | 9531 | 5000.00 | default | success | NONE |
+ | default | 9987 | 3200.00 | legal | failure | 502 |
+ | pending | 4411 | 750.00 | collection | retry | 408 |
+
+ @api @legal
+ Scenario Outline: Legal Action — Escalation Trigger, Document Generation, and Masking
+ Given account is in default after agency recovery fails
+ And legal escalation triggers are enabled
+ When legal notification and document is generated for card ""
+ And legal template contains field placeholders
+ Then all legal communications show only last 4 digits ""
+ And audit log includes all prior escalations
+ And template edits cannot expose unmasked data
+ And legal action is traceable through UI and audit logs
+
+ Examples:
+ | cardDigits |
+ | 1344 |
+ | 7777 |
+ | 8889 |
+
+ @api @optout
+ Scenario Outline: Notification Suppression on Opt-Out or Account Closure
+ Given cardholder account is "" and notifications are ""
+ And opt-out/closure rules are enabled
+ When a is initiated
+ Then no notification is sent to any channel
+ And suppression is logged with only last 4 digits "" if present
+ And audit trail contains suppression and reversal reason
+
+ Examples:
+ | state | notifStatus | triggerEvent | cardDigits |
+ | opt-out | enabled | Overdue Attempt | 2323 |
+ | closed | enabled | Agency Escalation | 7921 |
+
+ @api @paymentplan
+ Scenario Outline: Payment Plan Proposal Eligibility and Rollback Handling
+ Given payment plan eligibility is configured and account is with overdue amount
+ When a payment plan proposal is
+ Then plan proposal notification contains only last 4 digits "" if eligible
+ And UI shows eligibility or denial reason as
+ And audit log records state
+
+ Examples:
+ | accountState | amount | proposalAction | cardDigits | uiMessage | stateResult |
+ | eligible | 2000.00 | offered | 9042 | Eligible | offer proposed |
+ | ineligible | 250.00 | attempted | 6734 | Not Eligible | no offer/logged |
+ | eligible | 5000.00 | revoked | 8811 | Revoked | revoked/logged |
+
+ @api @legalblock
+ Scenario Outline: Legal Escalation Block — State Enforcement and Masking
+ Given account in without prior agency step
+ When legal escalation is manually triggered
+ Then system blocks legal notification, shows escalation requirement
+ And no unauthorized communication or doc is generated
+ And masking is enforced (last 4 digits only)
+ And audit log records attempted premature sequence
+
+ Examples:
+ | accountEscalationState |
+ | overdue |
+ | collection |
+
+ # UI Tests: Portal, Audit, Regulatory Screens
+ @ui @audit
+ Scenario Outline: Regulatory/Audit UI — End-to-End Masking and Inspection
+ Given I am on the communication logs UI as
+ When I view logs for cardholder with last 4 digits ""
+ And I navigate stages "" from reminder to legal
+ Then every log entry shows only last 4 digits ""
+ And delivery time, content, recipient, and masking are verified
+ And document export includes only masked data
+
+ Examples:
+ | userRole | cardDigits | stages |
+ | regulator | 7832 | reminder, overdue, legal |
+ | auditor | 1543 | all stages |
+ | admin | 1299 | collection, agency, legal |
+
+ @ui @recipient
+ Scenario Outline: Multi-Recipient Escalation — Joint/Cardholder Notification Coverage
+ Given a joint account with primary and secondary cardholders
+ And notification channel configuration is
+ When a is triggered for account ending ""
+ Then notifications are delivered to correctly
+ And masking is enforced in every message
+ And role reassignment and recipient override are reflected in logs
+
+ Examples:
+ | recipients | channels | notificationType | cardDigits |
+ | primary, secondary | Email, SMS | Reminder | 4056 |
+ | primary | Portal | Payment Plan | 3729 |
+ | secondary | Email | Legal Notice | 5647 |
+
+ @ui @config
+ Scenario Outline: Alert Channel Configuration, Override, and Traceability
+ Given I configure alert channel as and secondary as for card ""
+ And admin override delivers future notifications via
+ When a is triggered and channels changed to
+ Then notification is delivered via only
+ And channel changes and reversals are audit-logged
+ And all delivered messages show only last 4 digits ""
+
+ Examples:
+ | primary | secondary | overrideChannel | notificationType | currentChannel | cardDigits |
+ | email | sms | sms | Overdue | sms | 9054 |
+ | email | sms | app | Collection | app | 1777 |
+ | app | sms | email | Payment Plan | email | 6722 |
+
+ @ui @failednotif
+ Scenario Outline: Missed/Failed Notification UI and Audit Recovery
+ Given account with notification channel is misconfigured or disabled
+ When system attempts to send for card ""
+ And delivery fails due to
+ Then delivery failure is logged in UI with only last 4 digits ""
+ And alternate channel is activated and notification retried
+ And audit log export contains all failed attempts and masking compliance
+
+ Examples:
+ | channel | notificationType | cardDigits | errorReason | alternateChannel |
+ | email | Reminder | 4433 | undeliverable | postal mail |
+ | sms | Payment Plan | 7766 | network error | app |
+
+ @ui @contentvalidation
+ Scenario Outline: Overdue and Collection Notification Content — Lawful Disclosure and UI Behavior
+ Given notification templates for overdue/collection are configured for
+ When user misses payment by and notice is triggered for card ""
+ And template legally mandates required disclosures
+ Then notification content includes last 4 digits "", overdue amount, fee breakdown, and lawful warning
+ And no unlawful fields (SSN, full card#) are shown
+ And UI disables manual override for unauthorized sections
+
+ Examples:
+ | region | daysLate | cardDigits |
+ | stateA | 1 | 8224 |
+ | stateB | 5 | 0999 |
+ | federal | 30 | 4477 |
+
+ @ui @manualoverride
+ Scenario Outline: Backoffice Manual Escalation and Notification Customization — UI and Audit Trail
+ Given agent accesses escalation UI for overdue account ""
+ When manual override and customization is initiated
+ And agent attempts to edit restricted and permitted fields in notification
+ Then UI prohibits edits to restricted fields and auto-inserts masking (last 4 digits only)
+ And customization is allowed only for compliant fields
+ And override is logged with agent, timestamp, and change reason
+
+ Examples:
+ | cardDigits |
+ | 5531 |
+ | 7732 |
+
+ @ui @paymentplan_rollback
+ Scenario Outline: Payment Plan Proposal Eligibility, Rollback, and UI Handling
+ Given account is for payment plan with overdue amount and plan count
+ When payment plan proposal is for card ""
+ And user abandons, revokes, or is ineligible
+ Then UI shows correct eligibility or revocation reason
+ And all communications and logs include only last 4 digits ""
+
+ Examples:
+ | state | amount | planCount | action | cardDigits |
+ | eligible | 3200.00 | 0 | offered | 7394 |
+ | ineligible | 100.00 | 3 | denied | 1111 |
+ | eligible | 1200.00 | 1 | revoked | 6666 |
+
+ # Edge case tests and regulatory/localization checks included above via Examples tables
+
diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.json b/functional_tests/ZBIO-5213/ZBIO-5213.json
new file mode 100644
index 0000000..798d6d8
--- /dev/null
+++ b/functional_tests/ZBIO-5213/ZBIO-5213.json
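Review bot: The second `Background:` near the top of ZBIO-5213.feature, tagged `@ui`, is not valid Gherkin: a Feature holds one Background (plus one per `Rule:` where the runner supports it) and a Background cannot carry tags, so a standard parser is likely to reject the file and none of the masking checks would run. Either split the UI scenarios into their own feature file, or group them under something like `Rule: Portal and audit UI` with its own untagged Background. The masking outlines supply only four-digit `cardDigits` values, so a step such as "no more than 4 digits appear in UI, PDF, legal feed, or logs" has no full test number to search for. Adding an Examples column that holds a synthetic full test card number would let the steps assert that neither it nor any substring longer than four digits occurs in the output. As shown on this page several steps have empty quotes where an Examples column would be referenced; if the `<column>` placeholders are missing from the file itself rather than lost in rendering, the outlines will not bind to their tables.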
@@ -0,0 +1,217 @@ +[ + { + "type": "Positive, End-to-End, Multi-Step", + "title": "Full Credit Card Due Collection Workflow — End-to-End Notification and Response Validation", + "testId": "ZBIO-5213-001", + "testDescription": "Validates the entire due collection lifecycle including notification generation, delivery, response capture, payment plan proposal, escalation, and regulatory compliance.", + "prerequisites": "ASSUMPTION: Cardholder account is active and has an outstanding dues setup with valid contact information. Notification channels are configured. Regulatory and system audit logs are enabled.", + "stepsToPerform": "1. Simulate credit card account setup with balance approaching due date. 2. System auto-generates and sends a due reminder notification (email/SMS/app) including only last 4 digits of card number. 3. Cardholder does not respond by due date; system detects missed payment. 4. System auto-generates overdue balance alert with last 4 digits, specifying overdue amount and reiterating compliance risk. 5. Cardholder logs in to portal, views alert, and selects 'Unable to Pay in Full.' 6. System presents payment plan options with all monetary and timeline details showing only last 4 digits of card. 7. Cardholder accepts proposed plan; system sends confirmation, masks all sensitive data, and moves account to restructured state. 8. System updates all communication and audit logs for end-to-end traceability. 9. 
Regulator/auditor reviews communication logs and audit trails via UI.", + "expectedResult": "All communications contain only last 4 digits of card number; notifications are timely and sent through correct channels; payment plan eligibility and details are shown as per rules; user actions are captured and reflected in state transitions; audit and compliance logs are complete.", + "regulatoryReference": "PCI DSS, consumer privacy mandates, legal escalation triggers", + "maskingValidation": "Check all UIs, communications, logs, and documents for last 4 digits only; never full card number.", + "escalationPath": "Reminder → Overdue → Payment Plan → Account Restructured", + "communicationChannel": "Email, SMS, Mobile App, Customer Portal", + "boundaryAnalysisCoverage": "Amount owed at regulatory threshold, overdue period edge case", + "stateTransitionCoverage": "All key transitions from reminder to restructured/managed state" + }, + { + "type": "Negative, Security, Data Masking Enforcement, Regression", + "title": "Regulatory Data Masking — Sensitive Information Protection Validation", + "testId": "ZBIO-5213-002", + "testDescription": "Ensures absolutely no system communication (notification, email, PDF, legal doc, portal UI, agency feed) exposes any digits other than last 4 of card in any collection lifecycle context.", + "prerequisites": "ASSUMPTION: System is patched to latest version and regression suite is required post-notification logic update.", + "stepsToPerform": "1. Trigger each notification (reminder, overdue, escalation, payment plan, agency, legal) for an account with a known test card number. 2. Review outbound communications (email body, SMS, push, letter PDF, legal docs) for card display behavior. 3. Review notification preview screens and audit logs in UI for accidental exposure of full card or >4 digits. 4. Manually and automatically search logs and document content for any substring of card >4 digits. 5. 
Configure notification channel override and re-trigger all escalations and document generations. 6. Initiate payment plan proposal and acceptance, inspecting all transactional messages. 7. Activate agency handoff and legal action to validate integration feeds only provide last 4 digits. 8. Manually adjust account to 'closed' or 'opted out' state and verify historical comms. 9. Review system for any failed, missed, or deferred notifications for masking anomalies.", + "expectedResult": "No communication, log, feed, or document ever reveals more than last 4 digits of card at any stage. Any such finding is a critical defect.", + "regulatoryReference": "PCI DSS, GLBA, PII protection standards", + "maskingValidation": "Full, strict, flat-field validation applied to every collection stage output", + "escalationPath": "All notification types and escalation paths", + "communicationChannel": "All: Email, SMS, App, Document, Legal, Agency", + "stateTransitionCoverage": "State changes (normal, override, failed, closed, agency/legal escalation)", + "regressionCheck": "Applies post-workflow update to catch re-introduced masking failures" + }, + { + "type": "Boundary, State Transition, Negative, Multi-Channel", + "title": "Overdue Balance Escalation — Threshold, Timing, and Content Validation", + "testId": "ZBIO-5213-003", + "testDescription": "Validates system behavior at monetary and time boundary (just before/after due date), for overdue alerts, escalation triggers, and notification content accuracy across all channels.", + "prerequisites": "ASSUMPTION: Account is at various monetary thresholds (smallest overdue to regulatory escalation minimum) and notification/alert configuration is active for all comms channels.", + "stepsToPerform": "1. Create account with payment due tomorrow; ensure due reminder delivers on time. 2. Move system date to just past due (1 day overdue); verify overdue alert sends with all escalation content. 3. 
Configure alert thresholds for minimum, median, and maximum regulatory amounts; trigger due and overdue events sequentially. 4. Inspect all alerts/notifications for content (amount owed, due date, escalation warning), recipient accuracy, and channel coverage. 5. Manipulate alert configuration (e.g., switch from SMS to app, block email); verify system honors overrides and still triggers as per business rules. 6. Simulate user opting out of one channel mid-escalation; confirm alerts delivered via alternative channel per configuration. 7. Attempt 'notifiable event' reversal (e.g., payment reversed, account closed before escalation) and check system prevents further alerts as required. 8. Access comm log UI and notification config screens to verify alert content, classification, and delivery status. 9. Export audit log to check event ordering and completeness.", + "expectedResult": "Boundary alerts and escalation comply with business/regulatory timing and content rules. Recipients and channels align with config. Misfires and reversals are handled gracefully with no out-of-policy notification delivery.", + "regulatoryReference": "Consumer notification mandates, PCI DSS, state collection laws", + "maskingValidation": "All alerts must contain only last 4 digits of card", + "escalationPath": "Due Reminder → Overdue Alert, with conditional escalation and reversal", + "communicationChannel": "Test: Email, SMS, App, Portal; with overrides and opt-out", + "boundaryAnalysisCoverage": "Amount owed at regulatory thresholds, due date +/- 1 day", + "stateTransitionCoverage": "On-time, overdue, user reversal, opt-out" + }, + { + "type": "Positive, Integration, External Feed, State Transition, Negative", + "title": "Payment Plan and Collection Agency Workflow — Eligibility, Acceptance, and External Handoff", + "testId": "ZBIO-5213-004", + "testDescription": "Covers payment plan offer eligibility, proposal, user acceptance/decline, and agency involvement if unsuccessful. 
Validates system-to-agency handoff includes only required data, with masking, and correct state management.", + "prerequisites": "ASSUMPTION: Account is seriously delinquent (escalation threshold), eligible for payment plan as per decision table setup. Collection agency integration is enabled.", + "stepsToPerform": "1. Simulate account becomes eligible for payment plan (delinquent but within grace period). 2. Trigger payment plan proposal; verify proposal includes only last 4 digits of card and compliant monetary terms. 3. User reviews plan and declines; system logs response, triggers next escalation (agency handoff). 4. System prepares and transmits agency handoff feed (API/file), verifies only last 4 digits sent externally. 5. User attempts to accept plan post-deadline; validate system response and that escalation cannot be reversed. 6. Review all communication logs for plan proposal, decline, and agency handoff, with correct audit entries. 7. Attempt to manually modify account during agency transition; verify all override actions are fully tracked. 8. Access UI screens for payment plan history and agency comms; check for masking and data integrity. 9. Download agency communication log/document, inspect for content and regulatory compliance.", + "expectedResult": "Payment plan eligibility, proposal, and decline follow business and regulatory rules; all user and state transitions are recorded. 
Agency handoff includes only permitted masked data; all interactions are fully auditable.", + "regulatoryReference": "Fair Debt Collection Practices, PCI DSS, data privacy laws", + "maskingValidation": "Payment plan and agency feed restricted to last 4 digits of card only", + "escalationPath": "Delinquent → Payment Plan Proposal → Decline/Timeout → Agency Handoff", + "communicationChannel": "System comms, agency API/feed, user UI", + "decisionTableCoverage": "Eligibility rules (age, amount, history), escalation triggers", + "stateTransitionCoverage": "Plan offered, declined, agency involvement" + }, + { + "type": "Positive-Negative, Legal Action, Compliance, Multi-State", + "title": "Legal Action Initiation — End-to-End Documentation, Audit Trail, and Notification Delivery", + "testId": "ZBIO-5213-005", + "testDescription": "Ensures that the system correctly initiates legal proceedings, all communications and generated legal docs are fully masked, compliant, and that all preceding escalations and actions are reflected in a complete audit trail.", + "prerequisites": "ASSUMPTION: Account is in default after all prior collection steps, with failed agency recovery. Legal escalation triggers enabled. Legal document template with field placeholders in use.", + "stepsToPerform": "1. Simulate account progressing through reminder, overdue, collection, payment plan (declined), and agency stages to non-payment default. 2. System flags account as requiring legal action; auto-generates and sends legal action notice to user with only last 4 digits of card. 3. Generate legal documents (PDF, letters, filings) and validate masking in all fields. 4. Review system and UI legal comm log for correct notification content, delivery time, and recipient info. 5. Submit legal docs to regulatory/audit system; download and inspect for masked data and compliance fields. 6. 
Attempt manual update to legal templates (add extra data), re-generate doc, and inspect that masking rules are enforced regardless of template edits. 7. Re-trigger legal notification (e.g., recipient resend), validate no unmasked data exposure. 8. Access UI legal workflow history for traceability, verify every communication and escalation is traced from inception. 9. Review audit logging for completeness and regulatory trace coverage.", + "expectedResult": "Legal escalation occurs only after all prior steps, all notifications and legal docs show only last 4 digits of card, all templates enforce masking regardless of content edits, UI and audit logs are complete.", + "regulatoryReference": "Litigation compliance, PCI DSS, data privacy and retention laws", + "maskingValidation": "Legal notification/doc always only shows last 4 digits, audit log enforced", + "escalationPath": "Agency → Legal Initiation → Documentation → Regulator/Audit", + "communicationChannel": "Legal letters, UI comm logs, regulatory/audit system", + "stateTransitionCoverage": "Default to legal; audit/trace for all prior steps" + }, + { + "type": "Negative, Reversal, User Opt-Out, State Handling", + "title": "Opt-Out and Account Closure — Notification Reversal and Communication Suppression Validation", + "testId": "ZBIO-5213-006", + "testDescription": "Ensures that all notification and collection workflows are correctly halted, and communications are suppressed, if a user opts out of notifications or the account is closed at any lifecycle stage.", + "prerequisites": "ASSUMPTION: Cardholder has an outstanding balance and is registered for notifications; opt-out and account closure business rules are enabled.", + "stepsToPerform": "1. Trigger due reminder for an open account; deliver to user successfully. 2. Before overdue date, simulate cardholder opting out of all notification channels. 3. Cross due date; system attempts to send overdue alert. 4. 
Validate that no alert or escalation notification is sent. 5. Attempt system-forced escalation (e.g., payment plan, collection agency) while user is opted out. 6. Manually close the account during ongoing collection. 7. Attempt overdue and escalation notifications post-closure. 8. Access notification delivery logs, UI screens, and audit trail for all attempted communications. 9. Review log entries for reversals and confirmation of notification suppression.", + "expectedResult": "No notification is sent after opt-out or closure; system records all suppressed actions. Audit log contains suppression entries and reason. No PII or financial info is leaked in suppressed attempts.", + "regulatoryReference": "PCI DSS, consumer privacy/notification preference mandates", + "maskingValidation": "Suppressed logs show only last 4 digits where applicable. No active notification should trigger masking validation failure.", + "escalationPath": "Any → Opt-Out/Closure → No Further Notification", + "communicationChannel": "All user communication channels, UI log/audit screens", + "stateTransitionCoverage": "Active → Opt-Out/Closed → Suppression" + }, + { + "type": "Boundary, Decision Table, Multi-Recipient", + "title": "Multi-Recipient Escalation and Timing — Decision Logic for Joint/Cardholder Notifications", + "testId": "ZBIO-5213-007", + "testDescription": "Validates that escalation rules, timing, and recipient selection for accounts with multiple cardholders, joint accounts, or co-signers are executed as per business and regulatory requirements.", + "prerequisites": "ASSUMPTION: Account is configured with primary and secondary cardholders; custom notification recipient and escalation channels are set per regulatory mandates.", + "stepsToPerform": "1. Set up joint credit card account with distinct contact details for all holders. 2. Simulate due date approaching; system sends reminders to all eligible recipients as per config. 3. 
User configures notification overrides (e.g., email for one, SMS for another). 4. Miss due date; system triggers overdue alert and schedules escalation to all involved parties per decision table. 5. Escalate to collection notification; validate correct amount, charges, and last 4 digits are included for each recipient. 6. Update account to change notification recipient midway (e.g., secondary becomes primary). 7. Trigger payment plan proposal, ensuring eligibility messaging reaches all necessary parties. 8. Review all audit and communication logs for proper classification, timing, content, and recipient. 9. Initiate legal escalation, verifying only eligible recipients are notified in accordance with legal requirements.", + "expectedResult": "All reminders, alerts, and escalations are delivered to correct recipients based on role and configuration, with masking enforced. No recipient receives unmasked or misaddressed communication.", + "regulatoryReference": "Consumer notification mandates, multi-party financial privacy laws", + "maskingValidation": "All communications, regardless of recipient, show only last 4 digits.", + "escalationPath": "Due Reminder → Overdue → Collection → Payment Plan → Legal, across multiple recipients", + "communicationChannel": "Email, SMS, Multi-User Portal", + "stateTransitionCoverage": "Recipient reassignment, joint escalation, role-based notification" + }, + { + "type": "Negative, Data Integrity, Audit, Missed/Failed Notification", + "title": "Missed/Failed Notification — Data Integrity and Regulatory Audit Recovery", + "testId": "ZBIO-5213-008", + "testDescription": "Ensures the system accurately tracks, logs, and facilitates regulatory audit of any missed or failed notifications (network error, undeliverable address, system outage) for all collection stages.", + "prerequisites": "ASSUMPTION: System is instrumented for notification failure tracking and audit logging; at least one account has an invalid notification channel 
configured.",
+ "stepsToPerform": "1. Prepare account with incorrect or disabled notification channel. 2. Attempt to send due reminder; simulate delivery/network failure. 3. Auto-retry logic fails or times out; system logs failure. 4. Overdue and collection escalation notifications also fail due to continued channel issues. 5. Access communication log and notification UI screen to verify all missed deliveries are recorded with timestamps and error reasons. 6. Initiate alternate channel override (e.g., switch to postal letter); trigger and complete notification delivery. 7. Attempt regulatory/audit log export for all notification events, including failed and successful attempts. 8. Inspect all entries for content masking (last 4 digits only) and audit completeness. 9. Simulate regulatory review: cross-reference expected notifications versus system logs.",
+ "expectedResult": "All failed/missed notification events are audit-logged, including masking, error codes, and corrective actions. Regulatory reporting is accurate and complete. No PII is exposed in error messages.",
+ "regulatoryReference": "PCI DSS, e-communication audit and financial notification regulations",
+ "maskingValidation": "Last 4 digits only in logs/errors. No unmasked card data in failure message or audit trail.",
+ "escalationPath": "Any notification type, failure/alternate path",
+ "communicationChannel": "Email, SMS, App, Postal mail (fallback)",
+ "stateTransitionCoverage": "Send attempt → Failure → Alternate channel → Recovery"
+ },
+ {
+ "type": "Boundary, Multi-Channel, Alert Configuration, Reversal",
+ "title": "Alert Channel Configuration and Override — Multi-Channel Notification Reversal and Traceability",
+ "testId": "ZBIO-5213-009",
+ "testDescription": "Ensures that user- or admin-driven configuration of notification channels (enable/disable, override) dynamically changes routing and delivery of collection notices, with full traceability for reversals.",
+ "prerequisites": "ASSUMPTION: Active cardholder account with valid and switchable notification channels (Email/SMS/App). UI configuration and backend routing module is enabled.",
+ "stepsToPerform": "1. Cardholder configures primary alert channel as email, secondary as SMS. 2. System delivers due reminder via email. 3. Before overdue, admin overrides delivery to SMS for all future notifications. 4. Overdue alert is sent; validate content, timing, masking, and new channel. 5. Cardholder reverses channel preference to mobile app. 6. Trigger collection notification; confirm delivery via app per updated configuration. 7. Attempt to disable all but one channel; trigger payment plan proposal. 8. Manually re-enable all channels and initiate another notification (e.g., collection agency handoff), ensure parallel delivery and UI tracking. 9. Access UI audit log to review all channel changes, delivered messages, reversals, with full traceability and content compliance.",
+ "expectedResult": "All notification channel changes are honored and audited. No notification is routed to a disabled channel. Trace and reversal logs are complete. All messages show only last 4 digits.",
+ "regulatoryReference": "Consumer notification preferences, PCI DSS, e-communication audit",
+ "maskingValidation": "All comms, regardless of channel or override, masked correctly.",
+ "escalationPath": "Reminder → Overdue → Collection → Payment Plan → Agency; all possible channel transitions",
+ "communicationChannel": "Email, SMS, Mobile App, UI config/audit",
+ "stateTransitionCoverage": "Channel enable/disable, override, reversal"
+ },
+ {
+ "type": "Positive, Data Validation, Compliance Review, Multi-Step Cross-Workflow",
+ "title": "Comprehensive Compliance and Data Validation — Regulator/Auditor UI End-to-End Inspection",
+ "testId": "ZBIO-5213-010",
+ "testDescription": "Covers a regulator or auditor accessing all UI screens for communication logs, configuration, and audit trails, cross-verifying content, masking, and sequence across collection stages.",
+ "prerequisites": "ASSUMPTION: End-to-end due collection workflow has been executed for multiple accounts. Audit data, communication logs, and UI inspection tools are enabled and populated.",
+ "stepsToPerform": "1. Regulator logs into compliance/audit UI with read-only privileges. 2. Navigates to communication logs for a given cardholder, reviewing all entries for reminder, overdue, collection, payment plan, agency, and legal action. 3. Cross-checks audit trail for delivery time, recipient, message content, and masking per entry. 4. Accesses alert configuration history to review all user/admin-driven changes and overrides. 5. Opens individual notification preview screens, verifying only last 4 digits of card are ever shown. 6. Reviews failed/missed notification records for audit completeness and content compliance. 7. Downloads/export audit log for a delinquency escalation event. 8. Cross-verifies document download with legal, agency, and payment plan communication, ensuring all sensitive data is masked. 9. Performs a compliance checklist review for regulatory coverage — timing, recipient, escalation path, masking.",
+ "expectedResult": "Auditor/Regulator confirms every workflow stage is accurately logged, fully masked, sequencing and recipient are compliant, and logs are complete with no untraceable or out-of-policy communications.",
+ "regulatoryReference": "PCI DSS, state/federal financial audit requirements",
+ "maskingValidation": "UI/screens/logs always last 4 digits only. Exported documents and logs compliant.",
+ "escalationPath": "Reminder → Overdue → Collection → Payment Plan → Agency → Legal → Audit",
+ "communicationChannel": "Regulatory/Audit UI, Download Logs, Notification Preview",
+ "stateTransitionCoverage": "All workflow steps, audit/inspection"
+ },
+ {
+ "type": "Negative, Content Validation, Notification Content, Lawful Disclosure",
+ "title": "Overdue and Collection Notification — Amount, Fee, and Legal Consequence Content Accuracy and Timing",
+ "testId": "ZBIO-5213-011",
+ "testDescription": "Validates that all automated overdue and collection notifications strictly include only the compliant content: last 4 digits of the card number, accurate overdue amounts, fee breakdown, and legally mandated warnings. No extraneous or missing information is permitted at any escalation level.",
+ "prerequisites": "ASSUMPTION: Cardholder has an active account with missed payment beyond due date, multiple escalation thresholds and notification templates are configured based on jurisdiction.",
+ "stepsToPerform": "1. Configure system with overdue and collection notification templates per various states. 2. Miss payment due date by 1, 5, and 30 days (staggered runs), triggering overdue and collection notices. 3. Inspect notification content to confirm inclusion of last 4 digits of card as identifier, correct overdue balance, fee breakdown, and compliant regulatory/lawful disclosures. 4. Cross-check absence of non-compliant data (SSN, DOB, full card#). 5. Verify warnings on legal escalation risk appear only when triggered by threshold. 6. Confirm that fee figures match calculations and decision table, including edge cases for grace period waivers. 7. Re-trigger notice with account in different regulatory region; check content localizations and legal phrase inclusion. 8. Attempt manual override to edit notification content; validate UI disables unlawful fields and restricts to authorized message sections. 9. Access communication log and configuration UI to audit message versions, delivery times, recipient addresses, and confirmation checklists.",
+ "expectedResult": "All overdue/collection notices strictly conform to lawful content rules, only last 4 digits shown, content accuracy verified across all thresholds/regions, and the communication log accurately reflects version, timing, and delivery.",
+ "regulatoryReference": "PCI DSS, state/federal fair debt collection statutes, consumer disclosure mandates",
+ "maskingValidation": "Each notification and log entry must include only the last 4 digits of the card number.",
+ "escalationPath": "Missed Due → Overdue Alert → Collection Notification; region-specific escalation",
+ "communicationChannel": "Email, SMS, Print letters, Regulatory letter (multi-channel, configured by region)",
+ "stateTransitionCoverage": "Missed due, overdue, state-based escalation, fee/waiver boundary"
+ },
+ {
+ "type": "Positive, Multi-Step, Auditability, UI/Backoffice, Legal Customization",
+ "title": "Manual Override and Customized Escalation — Backoffice/Agent-Initiated Escalation, Custom Content, and Full Audit Trail",
+ "testId": "ZBIO-5213-012",
+ "testDescription": "Validates the ability for a backoffice admin or agent to manually override a collection escalation step, customize notification content (within authorized fields), and ensure every manual action is fully audited and compliant.",
+ "prerequisites": "ASSUMPTION: Workflow allows agent override per business/regulatory trigger; agent UI and audit modules enabled. Account is in collection escalation window but has not yet reached legal stage.",
+ "stepsToPerform": "1. Bring a cardholder account to overdue plus collection state via regular workflow. 2. Agent accesses escalation UI, selects account, and initiates manual override to escalate to agency handoff. 3. Agent customizes collection notification permitted fields (fee date, next actions) and attempts to edit restricted fields (full card number, recipient address, legal warning). 4. Confirm UI locks out restricted fields and auto-inserts masking placeholder for last 4 digits only. 5. Submit override notification; system logs agent, timestamp, version, and manual change reason in audit log. 6. End-user receives customized notification via configured channels. 7. Escalate to regulatory threshold; agent attempts further customization on legal template—validate allowed customization only. 8. Review audit log/report UI for complete trace of manual trigger, notification content, recipient, delivery status, and agent involvement. 9. Run compliance export on all manual overrides for targeted period.",
+ "expectedResult": "Override/cust. actions allowed only on compliant fields; restricted fields protected. All agent manual escalation and comm. events logged for audit; last 4 digits only in all comms. User and regulatory UI trace event present.",
+ "regulatoryReference": "PCI DSS, backoffice operational mandates, regulatory audit rules",
+ "maskingValidation": "All override comms/logs masked to last 4 digits; UI prohibits entry of full card.",
+ "escalationPath": "Collection Notification → Manual Override → Agency/Legal (backoffice-initialized path)",
+ "communicationChannel": "UI, Agent Email/SMS trigger, Audit Log, Legal Document",
+ "stateTransitionCoverage": "Normal → Manual Escalation → Customized Notif → Audit"
+ },
+ {
+ "type": "Negative, Decision Table, Multi-State, Payment Plan, Eligibility and Rollback",
+ "title": "Payment Plan Proposal — Ineligible State, Reversal, and Rollback Handling",
+ "testId": "ZBIO-5213-013",
+ "testDescription": "Validates that payment plan proposals are available only to eligible accounts based on rules (amount, overdue days, prior plans), and properly handles ineligible, revoked, and rolled-back offers in both notification and audit logs.",
+ "prerequisites": "ASSUMPTION: Payment plan eligibility decision table configured (e.g. minimum amount, delinquency period, prior acceptance count). Accounts exist in eligible and ineligible states.",
+ "stepsToPerform": "1. Simulate account ineligible for plan (e.g., overdue amount too low, plan limit reached); attempt system-triggered plan proposal. 2. Validate no notification is sent and UI shows 'Not Eligible' message with reason. 3. Move a different account into eligible state (correct amount/period); system auto-proposes plan and sends notification (masked). 4. User starts accepting plan via portal but does not complete; simulate abandonment/timeout. 5. Plan is auto-revoked after deadline passes. 6. Cardholder attempts to request plan again—system correctly disallows, referencing prior revocation. 7. Backoffice user attempts to force enable; validate audit trail captures manual plan offer/denial and reason. 8. Restore original state (pre-eligibility); system does not re-offer. 9. Export payment plan history and audit log for attempted, revoked, denied, and completed transitions; inspect for correct state sequence and masking.",
+ "expectedResult": "Plan offers limited strictly to eligible cases based on decision logic; ineligible, abandoned, or revoked plans are not delivered; all transitions and overrides are audit-logged with only last 4 digits in communication.",
+ "regulatoryReference": "PCI DSS, CFPB fair lending, fair debt rules, audit retention standards",
+ "maskingValidation": "Last 4 digits only in offer/denial/revoke notifications and logs.",
+ "escalationPath": "Eligible → Proposal → Acceptance/Abandonment → Revocation/Rollback",
+ "communicationChannel": "Portal, Email/SMS, UI Notif, Backoffice override UI",
+ "decisionTableCoverage": "Eligibility: overdue amount, plan count, delinquency days; Abandonment/rollback",
+ "stateTransitionCoverage": "Ineligible → Skip; Eligible → Offer → Accept/Decline → Revoked"
+ },
+ {
+ "type": "Positive-Negative, Integration, Collection Agency, Data Feed, Masking and Error Handling",
+ "title": "Collection Agency Handoff — External Integration, Feed Formatting, and Error Recovery",
+ "testId": "ZBIO-5213-014",
+ "testDescription": "Ensures collection agency notification/feed process transmits only authorized data fields (last 4 digits card, amount, legal state), handles transmission errors, and maintains audit-compliant handoff with rollback/re-try mechanisms.",
+ "prerequisites": "ASSUMPTION: System is integrated with agency via secure API/file, feed format template set for masking, at least one test account in handoff-eligible state.",
+ "stepsToPerform": "1. Simulate account progressing to agency handoff state, triggering agency outbound notification/feed generation. 2. Feed contains only last 4 digits, amount owed, legal status, and NO PII fields not required by law. 3. Induce transmission error (network/API failure, agency endpoint unavailable). 4. System logs failure with error code, retries per configured policy, and updates communication log with masking preserved. 5. After failed attempts, system triggers fallback/alternate procedure (manual file, alert to backoffice). 6. Agency confirms receipt when success; system captures ack in UI/audit logs. 7. Post-recovery, review all agency communications, retry/fallback events, and compare logs to outgoing feeds for masking compliance. 8. Attempt to resend handoff with altered payload—system blocks unmasked data. 9. Regulatory/audit UI produces event chain from escalation to delivery/exception handling.",
+ "expectedResult": "Only permitted/masked data sent to external agency. Feed error/retry/fallback handled; all events are logged with last 4 digits masking. System blocks invalid/unmasked payloads. Complete handoff/audit event chain is retrievable.",
+ "regulatoryReference": "PCI DSS, GLBA, agency communication mandates, audit standards",
+ "maskingValidation": "Agency feeds, logs, and fallback comms display only last 4 card digits.",
+ "escalationPath": "Collection Notification → Agency Handoff → Recovery/Retry/Fallback",
+ "communicationChannel": "Agency Secure API, Manual File Transfer, Backoffice Alert, UI Log",
+ "stateTransitionCoverage": "Standard → Transmission Error → Retry/Fallback → Success/Audit"
+ },
+ {
+ "type": "Negative, State Transition, Cross-Workflow, Legal Notification, Pre-Escalation Block",
+ "title": "Legal Action Block — Prevention of Premature Legal Escalation and Notification Sequence Integrity",
+ "testId": "ZBIO-5213-015",
+ "testDescription": "Verifies that legal escalation/notice cannot be initiated unless all required prior escalations (reminder, overdue, collection, agency) have occurred and been logged, and that any attempt at out-of-sequence legal notification is blocked, with full audit trace.",
+ "prerequisites": "ASSUMPTION: System enforces state machine for escalation, account is deliberately forced into a prior (non-agency) state.",
+ "stepsToPerform": "1. Create account currently only at overdue/collection state (has not gone through agency). 2. Attempt to trigger legal action manually via admin/agent UI, and via automated scheduler. 3. System blocks legal notification, presenting user with message referencing required escalation path. 4. Confirm no notification, document, or communication is sent beyond allowed stage. 5. Advance account properly through agency handoff, then re-attempt legal escalation. 6. Legal initiation now permitted; notification/doc is masked and delivered per standard procedure. 7. Access all communication logs and state transition reports for both failed and successful legal action attempts. 8. Export regulatory/audit log to verify all escalation sequence events, attempted premature triggers, and completion records. 9. Trigger audit export for the account to ensure masking and event sequence integrity is maintained throughout.",
+ "expectedResult": "No out-of-sequence legal notification occurs; system enforces state chain and logs all premature attempts. All communications and audit logs show only last 4 digits. Legal escalation and documents are triggered only after proper prior escalation stages.",
+ "regulatoryReference": "PCI DSS, litigation/lawful escalation mandates, audit and sequence compliance laws",
+ "maskingValidation": "Legal comms/logs show only last 4 digits; rejected attempts contain only masked data.",
+ "escalationPath": "Overdue/Collection (stalled) → Agency → Legal (only if valid path)",
+ "communicationChannel": "Admin/Agent UI, Legal Notification System, Audit/Reporting UI",
+ "stateTransitionCoverage": "Premature (blocked) → Valid Progression → Allowed Legal Escalation"
+ }
+]
\ No newline at end of file
diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.xlsx b/functional_tests/ZBIO-5213/ZBIO-5213.xlsx
new file mode 100644
index 0000000..bb52c57
Binary files /dev/null and b/functional_tests/ZBIO-5213/ZBIO-5213.xlsx differ
diff --git a/functional_tests/ZBIO-5213/ZBIO-5213.yaml b/functional_tests/ZBIO-5213/ZBIO-5213.yaml
new file mode 100644
index 0000000..318062d
--- /dev/null
+++ b/functional_tests/ZBIO-5213/ZBIO-5213.yaml
@@ -0,0 +1,703 @@
+openapi: 3.0.3
+info:
+ title: Credit Card Collection Lifecycle API
+ description: API for notification, masking, escalation, audit, agency handoff, legal compliance in credit card collection.
+ version: 1.0.0
+ contact:
+ email: support@collectionservice.com
+servers:
+ - url: https://api.collectionservice.com/v1
+
+security:
+ - bearerAuth: []
+
+components:
+ securitySchemes:
+ bearerAuth:
+ type: http
+ scheme: bearer
+ bearerFormat: JWT
+
+ parameters:
+ CardLastFour:
+ name: cardLastFour
+ in: query
+ description: Last four digits of cardholder's card
+ required: true
+ schema:
+ type: string
+ pattern: '^\d{4}$'
+ AccountId:
+ name: accountId
+ in: path
+ description: Unique identifier for cardholder account
+ required: true
+ schema:
+ type: string
+
+ schemas:
+ Notification:
+ type: object
+ properties:
+ notificationType:
+ type: string
+ enum: [Reminder, Overdue, Collection, Payment Plan, Legal Notice, Agency, Custom]
+ cardLastFour:
+ type: string
+ pattern: '^\d{4}$'
+ channel:
+ type: array
+ items:
+ type: string
+ enum: [Email, SMS, App, Portal, Postal Mail]
+ recipients:
+ type: array
+ items:
+ type: string
+ content:
+ type: object
+ properties:
+ dueAmount:
+ type: number
+ format: float
+ dueDate:
+ type: string
+ format: date
+ overdueBalance:
+ type: number
+ format: float
+ escalationWarning:
+ type: string
+ paymentTerms:
+ type: string
+ timeline:
+ type: string
+ lawfulWarning:
+ type: string
+ feeBreakdown:
+ type: string
+ region:
+ type: string
+ auditLogId:
+ type: string
+ delivered:
+ type: boolean
+ required:
+ - notificationType
+ - cardLastFour
+ - channel
+ - delivered
+
+ MaskingValidationResult:
+ type: object
+ properties:
+ maskValid:
+ type: boolean
+ validatedChannels:
+ type: array
+ items:
+ type: string
+ details:
+ type: string
+ required:
+ - maskValid
+ - validatedChannels
+
+ AgencyFeedTransmission:
+ type: object
+ properties:
+ cardLastFour:
+ type: string
+ amount:
+ type: number
+ legalStatus:
+ type: string
+ transmissionStatus:
+ type: string
+ enum: [success, failure, retry]
+ errorCode:
+ type: string
+ nullable: true
+ auditLogId:
+ type: string
+ required:
+ - cardLastFour
+ - amount
+ - legalStatus
+ - transmissionStatus
+
+ LegalDocumentGeneration:
+ type: object
+ properties:
+ cardLastFour:
+ type: string
+ templateId:
+ type: string
+ legalActionTriggered:
+ type: boolean
+ escalationTrail:
+ type: array
+ items:
+ type: string
+ auditLogId:
+ type: string
+
+ NotificationSuppressionResult:
+ type: object
+ properties:
+ suppressed:
+ type: boolean
+ cardLastFour:
+ type: string
+ suppressionReason:
+ type: string
+ auditLogId:
+ type: string
+
+ PaymentPlanProposal:
+ type: object
+ properties:
+ eligible:
+ type: boolean
+ accountState:
+ type: string
+ amount:
+ type: number
+ cardLastFour:
+ type: string
+ proposalAction:
+ type: string
+ enum: [offered, attempted, revoked]
+ uiMessage:
+ type: string
+ stateResult:
+ type: string
+ auditLogId:
+ type: string
+
+ LegalEscalationBlockResult:
+ type: object
+ properties:
+ blocked:
+ type: boolean
+ sequenceError:
+ type: string
+ cardLastFour:
+ type: string
+ auditLogId:
+ type: string
+
+ AuditLogEntry:
+ type: object
+ properties:
+ logType:
+ type: string
+ cardLastFour:
+ type: string
+ userRole:
+ type: string
+ stage:
+ type: string
+ content:
+ type: object
+ timestamp:
+ type: string
+ format: date-time
+
+ ChannelConfig:
+ type: object
+ properties:
+ primary:
+ type: string
+ secondary:
+ type: string
+ overrideChannel:
+ type: string
+ currentChannel:
+ type: string
+ cardLastFour:
+ type: string
+ notificationType:
+ type: string
+ auditLogId:
+ type: string
+
+ FailedNotification:
+ type: object
+ properties:
+ cardLastFour:
+ type: string
+ notificationType:
+ type: string
+ channel:
+ type: string
+ errorReason:
+ type: string
+ alternateChannel:
+ type: string
+ auditLogId:
+ type: string
+
+paths:
+ /notifications:
+ post:
+ summary: Send a collection notification to specified channels.
+ operationId: sendCollectionNotification
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Notification details including masking and channel
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Notification'
+ responses:
+ '201':
+ description: Notification sent successfully with masking enforcement
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Notification'
+ '400':
+ description: Invalid input or masking validation failed
+ '403':
+ description: Unauthorized/Compliance error
+
+ /notifications/masking/validate:
+ post:
+ summary: Validate masking in outbound communication/document/logs.
+ operationId: validateMasking
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Masking validation request
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ notifType:
+ type: string
+ cardLastFour:
+ type: string
+ channels:
+ type: array
+ items:
+ type: string
+ required: [notifType, cardLastFour, channels]
+ responses:
+ '200':
+ description: Masking validation result across channels
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/MaskingValidationResult'
+ '400':
+ description: Masking failed or unauthorized PII detected
+
+ /alerts:
+ post:
+ summary: Trigger escalation alerts at regulatory threshold
+ operationId: triggerAlert
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Alert trigger and escalation details
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ accountId:
+ type: string
+ threshold:
+ type: string
+ date:
+ type: string
+ format: date
+ alertType:
+ type: string
+ channels:
+ type: array
+ items:
+ type: string
+ cardLastFour:
+ type: string
+ escalation:
+ type: string
+ required: [accountId, threshold, date, alertType, channels, cardLastFour, escalation]
+ responses:
+ '201':
+ description: Alert sent with masking, escalation, override/suppression
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ notificationId:
+ type: string
+ deliveredChannels:
+ type: array
+ items:
+ type: string
+ cardLastFour:
+ type: string
+ escalation:
+ type: string
+ maskingStatus:
+ type: boolean
+ auditLogId:
+ type: string
+
+ /agency/feed:
+ post:
+ summary: Trigger collection agency feed transmission (handoff).
+ operationId: triggerAgencyFeed
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Agency feed details with transmission, masking and error handling
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AgencyFeedTransmission'
+ responses:
+ '200':
+ description: Agency feed transmission successful or failed
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AgencyFeedTransmission'
+ '400':
+ description: PII or unmasked data detected, transmission blocked
+
+ /legal/notification:
+ post:
+ summary: Generate legal notification and document post escalation.
+ operationId: generateLegalNotification
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Legal document generation after agency fails, masking enforced.
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/LegalDocumentGeneration'
+ responses:
+ '201':
+ description: Legal document/notification generated, masking enforced, audit updated
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/LegalDocumentGeneration'
+ '400':
+ description: Masking not enforced or template error
+
+ /notifications/suppression:
+ post:
+ summary: Suppress notifications on opt-out or account closure event
+ operationId: suppressNotification
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Notification suppression trigger with masking/audit
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ accountId:
+ type: string
+ accountState:
+ type: string
+ notifStatus:
+ type: string
+ triggerEvent:
+ type: string
+ cardLastFour:
+ type: string
+ required: [accountId, accountState, notifStatus, triggerEvent]
+ responses:
+ '200':
+ description: Notification suppression logged, masking validated
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/NotificationSuppressionResult'
+
+ /paymentplan/proposal:
+ post:
+ summary: Handle payment plan proposal eligibility, notification and rollback.
+ operationId: paymentPlanProposal
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Payment plan proposal request including eligibility and masking.
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PaymentPlanProposal'
+ responses:
+ '200':
+ description: Payment plan response, masking enforced, audit updated
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PaymentPlanProposal'
+ '400':
+ description: Proposal denied or not eligible
+
+ /legal/block:
+ post:
+ summary: Enforce legal escalation block when agency step missing.
+ operationId: legalEscalationBlock
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Legal escalation block trigger
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ accountId:
+ type: string
+ escalationState:
+ type: string
+ cardLastFour:
+ type: string
+ required: [accountId, escalationState]
+ responses:
+ '200':
+ description: Legal escalation blocked, masking enforced, audit updated
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/LegalEscalationBlockResult'
+
+ /audit/logs:
+ get:
+ summary: Retrieve audit log entries for cardholder notifications and escalations
+ operationId: getAuditLogs
+ security:
+ - bearerAuth: []
+ parameters:
+ - $ref: '#/components/parameters/CardLastFour'
+ - name: userRole
+ in: query
+ schema:
+ type: string
+ - name: stage
+ in: query
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Audit log entries with masking compliance
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/AuditLogEntry'
+
+ /config/channels:
+ post:
+ summary: Configure/override alert channels for future notifications and audit logging
+ operationId: configureChannels
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Channel configuration with audit logging and masking
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ChannelConfig'
+ responses:
+ '200':
+ description: Channel configuration updated, audit logged, masking enforced
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ChannelConfig'
+
+ /notifications/failed:
+ post:
+ summary: Register a failed/missed notification, audit/log, activate fallback channel.
+ operationId: handleFailedNotification
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Failed notification details, error reason and fallback channel
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/FailedNotification'
+ responses:
+ '200':
+ description: Failure logged, fallback triggered, masking validated
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/FailedNotification'
+
+ /notifications/content/lawful:
+ post:
+ summary: Validate notification content for lawful disclosure and UI compliance.
+ operationId: validateLawfulContent
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Request template and content validation for overdue/collection notifications
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ region:
+ type: string
+ daysLate:
+ type: integer
+ cardLastFour:
+ type: string
+ required: [region, daysLate, cardLastFour]
+ responses:
+ '200':
+ description: Content validated, masking enforced, lawful disclosure
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ maskingValid:
+ type: boolean
+ lawfulDisclosure:
+ type: boolean
+ contentFields:
+ type: array
+ items:
+ type: string
+ uiOverrideBlocked:
+ type: boolean
+
+ /notifications/manualoverride:
+ post:
+ summary: Manual escalation/override in UI with customization and masking enforcement
+ operationId: manualOverrideNotification
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Request for manual override and customization by agent
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ agentId:
+ type: string
+ accountId:
+ type: string
+ cardLastFour:
+ type: string
+ fieldsToEdit:
+ type: array
+ items:
+ type: string
+ edits:
+ type: object
+ reason:
+ type: string
+ required: [agentId, accountId, cardLastFour, fieldsToEdit, edits]
+ responses:
+ '200':
+ description: Override processed, masking enforced, edit compliance and audit logged
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ overrideId:
+ type: string
+ maskingEnforced:
+ type: boolean
+ allowedEdits:
+ type: array
+ items:
+ type: string
+ deniedEdits:
+ type: array
+ items:
+ type: string
+ agentId:
+ type: string
+ timestamp:
+ type: string
+
+ /paymentplan/rollback:
+ post:
+ summary: Handle payment plan proposal rollback and UI status with masking.
+ operationId: rollbackPaymentPlanProposal
+ security:
+ - bearerAuth: []
+ requestBody:
+ description: Payment plan rollback request
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ accountId:
+ type: string
+ state:
+ type: string
+ amount:
+ type: number
+ planCount:
+ type: integer
+ action:
+ type: string
+ cardLastFour:
+ type: string
+ required: [accountId, state, amount, planCount, action, cardLastFour]
+ responses:
+ '200':
+ description: Rollback processed, masking enforced, UI status delivered
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ rollbackStatus:
+ type: string
+ maskingEnforced:
+ type: boolean
+ uiMessage:
+ type: string
+
+tags:
+ - name: notifications
+ description: Operations related to notification delivery, masking, audit, escalation
+ - name: agency
+ description: Agency handoff, feed transmission, masking and error handling
+ - name: legal
+ description: Legal action, escalation, masking and compliance
+ - name: audit
+ description: Audit log, inspection, regulatory compliance
+ - name: config
+ description: Alert channel configuration and override management
+ - name: paymentplan
+ description: Payment plan proposal, eligibility, rollback
+
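Review bot: `cardLastFour` carries `pattern: '^\d{4}$'` only in the `CardLastFour` query parameter and the `Notification` schema; in every other schema (`AgencyFeedTransmission`, `LegalDocumentGeneration`, `AuditLogEntry`, `ChannelConfig`, `FailedNotification`, `PaymentPlanProposal`, the two result schemas) and in all inline request bodies it is a bare `type: string`, so a full card number would pass schema validation on the very endpoints whose 400 responses promise to block unmasked data. Defining one reusable schema with `type: string` and `pattern: '^\d{4}$'` and pointing each `cardLastFour` property at it via `$ref` would make the masking rule part of the contract instead of a description. The free-form `content: type: object` in `AuditLogEntry` and `edits: type: object` in `/notifications/manualoverride` leave the same gap, since arbitrary keys (including a PAN) are accepted; enumerating the permitted properties with `additionalProperties: false` would close it. Separately, `GET /audit/logs` selects entries by `cardLastFour` alone, which is not unique to one cardholder, while the `AccountId` parameter defined under `components` is never referenced by any path; requiring an account identifier on that query would keep audit reads scoped to one account.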