Title: feat: Oracle-Based Invoice Verification to Prevent Fake Invoice Fraud
Labels: backend, contracts, compliance, security, priority-high
Description:
The biggest risk in invoice financing is fake or duplicate invoices.
Before any invoice appears on the marketplace, an authorized oracle
or admin must verify its legitimacy. This issue adds a mandatory
verification gate between invoice creation and marketplace listing.
What Needs to Be Done:
Backend:
- InvoiceVerification entity:
id (uuid), invoice_id (FK), verifier_id (FK to User),
status (ENUM: PENDING/APPROVED/REJECTED), notes,
document_hash (sha256 of attached doc), verified_at
- POST /admin/invoices/:id/verify
- Admin or oracle role only
- Approves invoice — allows transition to SUBMITTED
- Emits invoice.verified webhook event
- POST /admin/invoices/:id/reject-verification
- Admin rejects with required reason
- Invoice stays in DRAFT with rejection_reason set
- Emits invoice.rejected webhook event
- Verification gate:
Invoice can only be submitted on-chain after APPROVED verification
POST /invoices/:id/submit returns 403 if not verified
- Duplicate detection:
SHA-256 hash of invoice data checked against existing records
Duplicate hash rejected with 409
Smart Contract (contracts/invoice_registry/src/lib.rs):
- Add oracle_address to contract storage
- set_oracle(admin, oracle_address) — admin sets oracle
- register_invoice() requires either business + oracle co-signature
or proof of oracle approval
Key Files:
- apps/backend/src/verification/verification.module.ts (new)
- apps/backend/src/verification/verification.service.ts (new)
- apps/backend/src/verification/verification.controller.ts (new)
- apps/backend/src/verification/verification.entity.ts (new)
- contracts/invoice_registry/src/lib.rs (update)
Acceptance Criteria:
- Unverified invoices cannot be submitted on-chain
- Unverified invoices do not appear in marketplace
- Duplicate invoice hashes rejected with 409
- Admin can approve or reject with reason
- Webhook fired on every verification status change
- Oracle address configurable in contract storage
- Unit tests cover: approve, reject, duplicate detection,
submit gate, unauthorized verifier
Security Notes:
- Verification is a one-way gate — no downgrade from approved
- Oracle signature verified on-chain
- Document hash stored for tamper detection
Branch: feat/invoice-verification-oracle
Commit: feat(verification): add oracle-based invoice verification gate before marketplace listing
Title: feat: Oracle-Based Invoice Verification to Prevent Fake Invoice Fraud
Labels: backend, contracts, compliance, security, priority-high
Description:
The biggest risk in invoice financing is fake or duplicate invoices.
Before any invoice appears on the marketplace, an authorized oracle
or admin must verify its legitimacy. This issue adds a mandatory
verification gate between invoice creation and marketplace listing.
What Needs to Be Done:
Backend:
id (uuid), invoice_id (FK), verifier_id (FK to User),
status (ENUM: PENDING/APPROVED/REJECTED), notes,
document_hash (sha256 of attached doc), verified_at
Invoice can only be submitted on-chain after APPROVED verification
POST /invoices/:id/submit returns 403 if not verified
SHA-256 hash of invoice data checked against existing records
Duplicate hash rejected with 409
Smart Contract (contracts/invoice_registry/src/lib.rs):
or proof of oracle approval
Key Files:
Acceptance Criteria:
submit gate, unauthorized verifier
Security Notes:
Branch: feat/invoice-verification-oracle
Commit: feat(verification): add oracle-based invoice verification gate before marketplace listing