bug: manual confirm can double-establish one document against two bank transactions (no document-side supersession) #53
Labels
No labels
bug
enhancement
pr-split
question
security
transaction-matcher
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
momsse/octant#53
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: correctness (CONFIRMED by local review).
SupersedeReconciliationSagakeys supersession only onbankTransactionId— its sole lookup isfindEstablishedByBankTransactionIdExcluding(bankTransactionId, …)(supersede-reconciliation.saga.ts:74), reacting toReconciliationEstablishedEventto supersede a prior reconciliation on the same transaction. There is no document-side supersession.ReconcileHourlyUseCasewon't auto-establish a reconciliation whose document is already established against another transaction, but manual confirm (ConfirmReconciliationUseCase, added in #41/PR #114) bypasses that dedup: it just callsdecideConfirmReconciliation.Scenario: a reviewer manually confirms a still-pending reconciliation whose document is already established against a different bank transaction. The supersede saga finds no established reconciliation for the new transaction id, so both reconciliations stay
established→ the same document/invoice is reconciled against two bank transactions, double-counting it.Fix direction: add document-side supersession (a
findEstablishedByDocumentIdExcludinglookup in the supersede saga) and/or a write-side uniqueness guard on confirm (an inline projection + UNIQUE constraint on the established document, mirroring how the write-side dedups transactions).Surfaced by the local review during #41.