Decrypts .cer and .key from FIEL_STORAGE_PATH/<RFC>/ to /tmp with
30-minute auto-cleanup for security.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Save encrypted .cer, .key, and metadata to FIEL_STORAGE_PATH alongside
the existing DB storage. Each file has separate .iv and .tag sidecar files.
Filesystem failure is non-blocking (logs warning, DB remains primary).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Delete schema-manager.ts (replaced by TenantConnectionManager).
Remove deprecated tenantSchema from Express Request interface.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Close all tenant DB pools on SIGTERM/SIGINT for clean restarts.
Support PM2 cluster invalidate-tenant-cache messages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace Prisma raw queries with pg.Pool for all tenant-scoped services:
cfdi, dashboard, impuestos, alertas, calendario, reportes, export, and SAT.
Controllers now pass req.tenantPool instead of req.tenantSchema.
Fixes SQL injection in calendario.service.ts (parameterized interval).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace inline schema SQL with tenantDb.provisionDatabase
- Delete now soft-deletes DB (rename) and invalidates pool
- Use PLANS config for default limits per plan
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace createTenantSchema with tenantDb.provisionDatabase
- JWT payload now includes databaseName (already renamed from schemaName)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Resolve tenant DB via TenantConnectionManager instead of SET search_path
- Add tenantPool to Express Request for direct pool queries
- Keep tenantSchema as backward compat until all services are migrated
- Support admin impersonation via X-View-Tenant header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Adds pg dependency for direct PostgreSQL connections to tenant DBs
- TenantConnectionManager: singleton managing Map<tenantId, Pool>
- provisionDatabase: creates new DB with tables and indexes
- deprovisionDatabase: soft-deletes by renaming DB
- Automatic idle pool cleanup every 60s (5min threshold)
- Max 3 connections per pool (6/tenant with 2 PM2 workers)
- Graceful shutdown support for all pools
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rename Tenant.schemaName to databaseName across all services
- Add Subscription and Payment models to Prisma schema
- Update FielCredential to per-component IV/tag encryption columns
- Switch FIEL encryption key from JWT_SECRET to FIEL_ENCRYPTION_KEY
- Add Subscription and Payment shared types
- Update JWTPayload to use databaseName
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Database optimizations:
- Add indexes on fecha_emision, tipo, estado, rfc_emisor, rfc_receptor
- Add trigram indexes for fast ILIKE searches on nombre fields
- Combine COUNT with main query using window function (1 query instead of 2)
Frontend optimizations:
- Add 300ms debounce to autocomplete searches
- Add staleTime (30s) and gcTime (5min) to useCfdis hook
- Reduce unnecessary API calls on every keystroke
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /cfdi/emisores and /cfdi/receptores API endpoints
- Search by RFC or nombre with ILIKE
- Show suggestions dropdown while typing (min 2 chars)
- Click suggestion to select and populate filter input
- Show loading state while searching
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add ::date cast to fechaInicio filter
- Add ::date cast and +1 day interval to fechaFin to include full day
- Fixes "operator does not exist: timestamp >= text" error
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add emisor and receptor filters to CfdiFilters type
- Update backend service to filter by emisor/receptor (RFC or nombre)
- Update controller and API client to pass new filters
- Add toggle button to show/hide column filters in table
- Add date range inputs for fecha filter
- Add text inputs for emisor and receptor filters
- Apply filters on Enter key or search button click
- Add clear filters button when filters are active
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
PostgreSQL requires explicit type cast when comparing UUID columns
with text parameters in raw queries.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add explicit IRouter type to all route files
- Add explicit Express type to app.ts
- Fix env.ts by moving getCorsOrigins after parsing
- Fix token.ts SignOptions type for expiresIn
- Cast req.params.id to String() in controllers
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Wrap token refresh logic in Prisma transaction
- Use deleteMany instead of delete to handle race conditions gracefully
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add custom date range support for SAT synchronization
- Fix UUID cast in SQL queries for sat_sync_job_id
- Fix processInitialSync to respect custom dateFrom/dateTo parameters
- Add date picker UI for custom period sync
- Add comprehensive documentation for SAT sync implementation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SAT only allows downloading CFDIs from the last 6 years.
Reduced from 10 to avoid wasted requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The StatusRequest class has an isTypeOf method that properly checks
the status. Using getValue() and comparing numbers was unreliable.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace manual SOAP authentication with the official nodecfdi library
which properly handles WS-Security signatures for SAT web services.
- Add sat-client.service.ts using Fiel.create() for authentication
- Update sat.service.ts to use new client
- Update fiel.service.ts to return raw certificate data
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The PEM certificate content is already base64 encoded after removing
headers and newlines. We should not re-encode it.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Each piece of data was being encrypted with a different IV, but only
the first IV was saved. Now using encryptFielCredentials/decryptFielCredentials
helper functions that encrypt all data together with a single IV/tag.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The @nodecfdi/credentials library returns date values that aren't
JavaScript Date objects, causing getTime() to fail.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The controllers were looking for x-tenant-id header which the frontend
doesn't send. Now using req.user!.tenantId from the JWT token instead.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Backend:
- Add getAllUsuarios() to get users from all tenants
- Add updateUsuarioGlobal() to edit users and change their tenant
- Add deleteUsuarioGlobal() for global user deletion
- Add global admin check based on tenant RFC
- Add new API routes: /usuarios/global/*
Frontend:
- Add UserListItem.tenantId and tenantName fields
- Add /admin/usuarios page with full user management
- Support filtering by tenant and search
- Inline editing for name, role, and tenant assignment
- Group users by company for better organization
- Add "Admin Usuarios" menu item for admin navigation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add FIEL controller with upload, status, and delete endpoints
- Add SAT controller with sync start, status, history, and retry
- Add admin endpoints for cron job info and manual execution
- Register new routes in app.ts
- All endpoints protected with authentication middleware
Endpoints added:
- POST /api/fiel/upload
- GET /api/fiel/status
- DELETE /api/fiel
- POST /api/sat/sync
- GET /api/sat/sync/status
- GET /api/sat/sync/history
- GET /api/sat/sync/:id
- POST /api/sat/sync/:id/retry
- GET /api/sat/cron
- POST /api/sat/cron/run
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sat-sync.job.ts with scheduled daily sync at 3:00 AM
- Automatic detection of tenants with active FIEL
- Initial sync (10 years) for new tenants, daily for existing
- Concurrent processing with configurable batch size
- Integration with app startup for production environment
- Install node-cron dependency
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sat.service.ts as the main orchestrator that coordinates:
- FIEL credential retrieval and token management
- SAT download request workflow
- Package processing and CFDI storage
- Progress tracking and job management
- Support for initial sync (10 years history) and daily sync
- Automatic token refresh during long-running syncs
- Month-by-month processing to avoid SAT limits
- Raw SQL queries for multi-tenant schema isolation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sat-parser.service.ts for processing SAT packages:
- Extract XML files from ZIP packages
- Parse CFDI 4.0 XML structure with proper namespace handling
- Extract fiscal data: UUID, amounts, taxes, dates, RFC info
- Map SAT types (I/E/T/P/N) to application types
- Handle IVA and ISR retention calculations
- Install @nodecfdi/cfdi-core dependency
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sat-auth.service.ts for SAML token authentication with SAT
using FIEL credentials and SOAP protocol
- Add sat-download.service.ts with full download workflow:
- Request CFDI download (emitted/received)
- Verify request status with polling support
- Download ZIP packages when ready
- Helper functions for status checking
- Install fast-xml-parser and adm-zip dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sat-crypto.service.ts with AES-256-GCM encryption for secure
credential storage using JWT_SECRET as key derivation source
- Add fiel.service.ts with complete FIEL lifecycle management:
- Upload and validate FIEL credentials (.cer/.key files)
- Verify certificate is FIEL (not CSD) and not expired
- Store encrypted credentials in database
- Retrieve and decrypt credentials for SAT sync operations
- Install @nodecfdi/credentials for FIEL/CSD handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Backend:
- Add batch insert using multi-row INSERT with ON CONFLICT
- Process in batches of 500 records for optimal DB performance
- Return detailed batch results (inserted, duplicates, errors)
Frontend:
- Parse files in chunks of 500 to prevent memory issues
- Upload in batches of 200 CFDIs per request
- Add detailed progress bar with real-time stats
- Show upload statistics (loaded, duplicates, errors)
- Add cancel functionality during upload
- Refresh data after upload completes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add bulk XML CFDI upload support (up to 300MB)
- Add period selector component for month/year navigation
- Fix session persistence on page refresh (Zustand hydration)
- Fix income/expense classification based on tenant RFC
- Fix IVA calculation from XML (correct Impuestos element)
- Add error handling to reportes page
- Support multiple CORS origins
- Update reportes service with proper Decimal/BigInt handling
- Add RFC to tenant view store for proper CFDI classification
- Update README with changelog and new features
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add tenants API endpoints (list, get, create)
- Add tenant middleware override via X-View-Tenant header
- Add TenantSelector dropdown component in header
- Add tenant view store with persistence
- Add Clientes management page
- Update all navigation layouts with Clientes link for admins
Admins can now:
- View list of all clients
- Create new clients with automatic schema setup
- Switch between viewing different clients' data
- See which client they are currently viewing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add tabs.tsx component
- Add select.tsx component
- Add formatCurrency utility function
- Export new components from index
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add apps/api/src/utils/errors.ts with AppError class
- Fix seed.ts timestamp casting for calendario_fiscal
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add navigation items for Reportes, Calendario, Alertas, Usuarios
- Add calendario_fiscal table creation in seed
- Insert demo fiscal events for all 12 months
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
