### Requirements List
-
### Description List
- Added methods in provider_record_util to help create generate clean history timeline with synthetic expiration and issuance events injected
- Added 3 endpoints(public, staff, provider users) that all route to the same get privilege history lambda with correct auth handling
- Added `get_privilege_data` method to get privilege record and optionally all associated adverse action and updates
- created response schemas
- added and updated tests as needed
### Testing List
- run tests
- Code review
Closes #770
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Introduced new API endpoints to retrieve provider privilege history for authenticated users, public, and staff access.
* Added a Lambda function and integrated it with API Gateway to serve privilege history data.
* Implemented public-facing privilege history response models and schemas for consistent API responses.
* Enhanced privilege history data with synthetic events for clearer event timelines.
* Improved privilege data querying with detailed and summary retrieval options.
* **Tests**
* Added comprehensive unit and integration tests to validate privilege history enrichment and API endpoint responses.
* **Documentation**
* Updated API models to include privilege history response structure.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Dana Stiefel <dana@inspiringapps.com>
In order to implement #739, it was determined that the backend should be determining what the last continuous active date is, rather than having the frontend calculate this. This involves updating the GET provider detail endpoints to add a field to all privilege records, 'activeSince' which will be a simple date string in iso format which is the oldest date in which the record has been continuously considered active. This field will not be stored in the DB. It will be calculated at call time for every license and privilege record (these calculations do not require any additional API calls, so the in-memory calculation will be fairly performant for most use cases).
Closes #931
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Provider license update records now include explicit creation and effective dates for improved historical accuracy.
* Privilege records in provider data responses now display how long a privilege has been continuously active.
* API responses for provider data have been restructured for enhanced data enrichment and clarity.
* **Bug Fixes**
* Improved privilege history enrichment and calculation of active periods for more accurate status reporting.
* **Documentation**
* Deployment instructions for the multi-account app have been clarified and updated.
* **Tests**
* Expanded unit and functional test coverage for privilege active period calculation and license update timestamps.
* Test data and expectations updated to reflect new date fields and privilege history logic.
* **Chores**
* Added a migration to backfill creation and effective dates for existing license update records.
* Updated migration management to support new license date migration and removed obsolete migrations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- Implemented a new simplified API for states to integrate with for data upload / download
- Added a redirect http -> https UI behavior to our cloudfront distribution
### Description List
- Created a new Stack with a new 'state-api'
- Copied over bulk-upload and POST license endpoints
- Implemented a new query providers endpoint for a provider list-view
- Implemented a new GET provider endpoint with a simplified/flattened structure
### Testing List
- Exercise new state-api, upload a license and query a privilege
- Code review
Closes #697
Closes #902
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Introduced a new State API for state-level provider data access, including endpoints for querying providers by jurisdiction and retrieving detailed provider information.
* Added support for bulk license uploads and new API endpoints for license submissions.
* Enhanced provider filtering and query capabilities with advanced date range and jurisdiction-based parameters.
* Updated API documentation tools and scripts, including automated OpenAPI spec downloads and Postman environment updates.
* **Bug Fixes**
* Corrected schema requirements and improved validation for provider and license data.
* **Documentation**
* Added internal API documentation, updated Postman environments, and included new JSON schema definitions for API requests and responses.
* **Tests**
* Added comprehensive tests for the new State API endpoints, provider filtering logic, and schema validation.
* **Style/Refactor**
* Improved import organization and parameter naming consistency across modules.
* **Chores**
* Updated CloudFront distribution to redirect HTTP to HTTPS.
* Added scripts to automate API documentation updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- _None_
### Description List
- Update ChangePassword component password requirements to match backend
- Update ChangePassword component to have hidden username input for
password managers
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Testing
- Login as a user for which you will update the password
- Navigate to the Account page
- Confirm the Change Password section now requires:
- Length 12
- At least 1 uppercase
- At least 1 lowercase
- At least 1 number
- Confirm there are no console warnings about missing username input
(chrome)
- Confirm password reset is successful
Closes #970
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a hidden, disabled username field to the Change Password form to
improve browser autofill support.
* Introduced new localization entries for "Username" in English and
Spanish.
* **Enhancements**
* Strengthened password requirements: new passwords must include at
least one lowercase letter and one number, with a minimum length of 12
characters.
* **Style**
* Scoped Change Password form styles for better maintainability and
isolation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- _None_
### Description List
- Created privacy policy page
- Add link to page from the public dashboard page
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Testing:
- Visit the public dashboard page and confirm there is a link at the
bottom to the privacy policy page
- Click the link and confirm that you are redirected to the privacy
policy page and it looks as expected based on the latest Figma designs
- Confirm that clicking the back button redirects you back to the public
dashboard page
- Confirm the above in mobile / desktop screens
Closes #888
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced a dedicated Privacy Policy page with localized content in
English and Spanish.
* Added a back button for easy navigation from the Privacy Policy page.
* Included a footer link to the Privacy Policy on the public dashboard.
* Implemented responsive styling for the Privacy Policy and public
dashboard pages.
* **Bug Fixes**
* None.
* **Tests**
* Added tests to verify the Privacy Policy page mounts correctly.
* **Chores**
* Updated routing to support navigation to the new Privacy Policy page.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- _None_
### Description List
- Update PrivilegePurchaseSelect component to restrict number of privilege selections to 20
- Add purchase-config states to mock data to allow new privilege purchase limit to be tested
- Add mock-populate-all to PrivilegePurchaseSelect component (local)
- Fix list layout issues on PrivilegePurchaseSelect component
- Minor code consistency cleanup in PrivilegePurchaseSelect component
- Remove enter-key from selecting state checkboxes in PrivilegePurchaseSelect component (#804)
- Confirm user can't purchase privilege in home state (#490)
- Update MockPopulate component to accept a custom label
- Update mock attestation data to include jurisprudence & scope-of-practice attestations
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Testing
- Login as a licensee user who can purchase privileges
- Begin the purchase workflow and proceed to the screen titled "Select privileges"
- With keyboard nav, confirm that spacebar, not enter, selects states
- Select a state to show the blue state box with $ totals (no changes)
- Adjust screen size; state checkbox columns should no longer overflow to a 3rd column and / or overlap the blue state $ box
- If more than 20 states are available, select them all
- _2025-07-31: Only developers using mock data can trigger this many states_
- Attempt to advance to the next screen
- Should receive an error stating a maximum limit of 20
- Changing the selections to 20 or fewer should allow the form to advance (assuming all blue-card required fields have been completed)
Closes #715
Closes #804
Closes #490
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Added support for a custom label on the mock populate button.
* Introduced a "Mock Populate All" option for privilege selection.
* Implemented a limit of 20 privileges per transaction, with user feedback when exceeded.
* Added error messaging for privilege selection limits.
* **Enhancements**
* Improved layout and multi-column display for privilege selection.
* Added new U.S. jurisdictions and attestation texts to mock data.
* **Localization**
* Added privilege selection limit messages in English and Spanish.
* **Accessibility & Usability**
* Improved keyboard interaction and event handling for form buttons.
* **Style**
* Updated spacing and visual feedback for error messages and form components.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- Added check on privilege purchase for any encumbrances lifted less than two years ago
Closes #949
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Added validation to prevent privilege purchases if there are unresolved or recently lifted adverse license or privilege encumbrances.
* **Bug Fixes**
* Improved error handling and messaging when privilege purchase is blocked due to encumbrances.
* **Tests**
* Introduced new test cases to verify privilege purchase eligibility related to encumbrance status and timing.
* Removed redundant test to streamline test coverage.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Description List
- Update transaction history lambda to check compact config and exit gracefully if not live
- Update transaction reporting lambda to exit gracefully if compact is not live instead of raising an exception
- Re-enable alarm for transaction history step function, now that it should exit gracefully in all cases
### Testing List
- Code review
Closes #766
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved transaction processing and reporting to exit early with a clear status message if a compact or its jurisdictions are not live, instead of raising errors.
* Enhanced filtering of transaction errors to cover multiple error states consistently.
* **Tests**
* Added and updated tests to verify early exit behavior when compact configuration or jurisdictions are missing, ensuring no downstream processing or notifications occur in these cases.
* Enhanced test setup for consistent compact and jurisdiction configuration handling.
* **Chores**
* Updated environment variables and permissions for transaction processing to support new configuration checks.
* Adjusted alarm setup to immediately notify on failures without suppression.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- `yarn install --ignore-engines`
### Description List
- Updated `vue-responsiveness` dependency
- Adjust payment popup keyboard nav
- Adjust side nav bottom padding on mobile safari
- Fix input position on email confirmation modal on safari
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Testing
- Login as licensee user who can purchase privileges
- Start the purchase workflow and continue to the "Payment Summary"
screen
- Complete the form to launch the authorize .net popup
- Confirm that the popup is focused and keyboard tab nav begins near the
first focusable item in the popup
- Confirm that tab navigation is focus-trapped reasonably in the popup
- There might be slight variations between browsers, but in general
focus trapping should now be a thing for this popup
- In safari, navigate to the Account page and initiate an email address
change, prompting the modal with the code
- Confirm all of the content in the modal is centered
- _No need to actually finish the email change_
- In mobile safari (iphone or xcode simulator) expand the side
navigation
- Confirm the Logout link is completely visible and not obscured by the
bottom URL bar, even when the bottom URL bar expands upwards
- In mobile safari (ipad or xcode simulator) confirm that the side
navigation is touch compatible
Closes #898
Close #967
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Accessibility Improvements**
* Better keyboard navigation and focus handling for the payment details
flow, improving use of embedded payment UI.
* **Bug Fixes**
* Prevented iPhone Safari’s URL bar from obscuring navigation by adding
targeted spacing.
* **Style**
* Improved modal and action-button layout for email confirmation across
screen sizes.
* Scoped navigation/header styles to hover-capable tablet devices for
visual consistency.
* **New Features / Enhancements**
* Navigation and header now adapt behavior for touch vs. pointer
devices; menu collapse after navigation refined.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- Adding very basic user security notification emails for account takeover risk events
### Testing List
- Code review
Part of #924
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Added customizable email notifications for account security events, including templates for blocked access and suspicious activity alerts.
* Notification emails now support specifying a custom "from" address and SES identity when configured.
* **Bug Fixes**
* Corrected a spelling error in documentation comments.
* **Tests**
* Introduced a new test to verify that risk notification emails are properly configured when a domain is set up.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- _None_
### Description List
- Update license & licensee models to check if user has a latest encumbrance that has been lifted less than 2 years ago
- If so, prevent the user from purchasing privileges (disable button, redirect away from flow)
- Add related copy to the modal explaining why privilege purchasing is blocked
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Testing:
- **Using mock data**, log in as practitioner and confirm default practitioner user can purchase privileges on the dashboard page
- This user's latest encumbrance for one of their privileges was lifted exactly 2 years ago, therefore they are not blocked
- Update `getAuthenticatedLicenseeUser` in `mock.data.api` to return `licensees.providers[1]`
- Confirm this practitioner is blocked from purchasing privileges on the dashboard page and clicking the icon underneath the disabled button opens a modal that includes a bullet point describing encumbrance lifted within 2 years
Closes #950
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
- **New Features**
- Added a purchase-unavailable reason: users must wait two years after an encumbrance is lifted before buying privileges.
- Dashboard exposes this status and shows the new message in the Purchase Unavailable modal.
- English and Spanish translations added for the new message.
- **Tests**
- Expanded unit tests to cover the two-year wait-period logic across license and licensee scenarios.
- **Chores**
- Updated mock data dates for realistic encumbrance timelines.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Description List
- Revised documentation to include details from MN feedback
- Relocated IT on-boarding doc to collocate with other user docs.
### Testing List
- Code review
Closes #928
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Documentation**
* Added a beta IT Staff Onboarding Guide covering machine-to-machine authentication, token handling (15-minute expiry), JSON and CSV license upload workflows, payload examples, schema constraints, error handling, troubleshooting, and implementation recommendations.
* Clarified API validation: do not send nulls; omit optional fields; missing required fields will be rejected.
* Explained asynchronous bulk uploads vs. synchronous licenses endpoint and required headers (e.g., Content-Type, User-Agent).
* Replaced legacy onboarding README with a link to the centralized guide.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshua Kravitz <jlkravitz@gmail.com>
### Requirements List
- _None_
### Description List
- Updated the MilitaryAffiliation model with new field for download
links and new helpers to work with the server response structure
- Also standardized the array field types
- Updated the MilitaryDocumentRow component with a Download column for
Compact Admins
- Also cleaned up the MilitaryDocumentRow component to be consistent
with our other list row components
- Updated the MilitaryAffiliationBlock component to match latest designs
including conditional labels based on user type
- Added a DownloadFile Icon component
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Testing
- Identify a Licensee user with military affiliation documents
- Login as a Compact Admin staff user
- Search for the Licensee user with military affiliation documents
- Go to the detail view of the Licensee
- In the Military Affiliation Documents list
- Confirm the list title is "Military Affiliation Documents"
- Confirm you can see the download icon for each document
- If for some reason the server hasn't returned a download URL, then you
will see "Unavailable" rather than a download icon
- Attempt to download; you will either:
- Successfully initiate the local download of the file, _or_
- Get a server error if the download URL is invalid for some reason
- Login as a **non**-Compact-Admin staff user
- Go to the detail view of the same Licensee
- Confirm you _do not_ see the Download column / icons
- Confirm the list title is "Military Affiliation Documents"
- Login as a Licensee user with military affiliation documents
- Go to your military status page (from the Account page)
- Confirm you _do not_ see the Download column / icons
- Confirm the list title is "Previously Uploaded Documents"
Closes #768
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a Download File icon and enabled downloadable links in the
Military Documents list, showing a link or “Unavailable” as appropriate.
* **UI / Style**
* Restyled military document rows for clearer columns and improved
tablet responsiveness; adjusted spacing, emphasis, and button naming.
* **Internationalization**
* Replaced hard-coded strings with translations; added/updated EN/ES
labels (Download, Military Affiliation Documents, Previously Uploaded
Documents, Unavailable).
* **Tests**
* Added unit tests for the new icon and document-row behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
In the event of a disaster that causes either major loss or corruption of data in our DynamoDB tables, we need a process by which we can recover that data to get the system up and running again. This effort involves creating AWS step functions which a developer with proper permissions can run to restore data using Point in time recovery backup tables. Using step functions will automate the most complex and error-prone part of disaster recovery, reducing our RTO and improving recovery success probability.
The main use case for these step functions will be to restore our tables to specific points in time in the event that a disaster in the primary region causes major loss or corruption of data that requires rollback (i.e., a development bug during migration, states uploading large amounts of corrupt license data, etc.)
This ticket is focused on creating the step functions for each that will specifically perform the synchronization of data between the restored table and the corrupted table by performing a hard reset. The step function will first delete all records from the destination table, and then copy over all records from the source table into the destination table.
As part of this, we also set a resource policy on the step function that only allows an individual assuming a specific DR role which will be manually created in the management account for the AWS organization.
**Edit**: It turns out that Step Functions do not have resource-based policies. In light of this, we determined that rather than creating a DR role for accidental running of step functions, we will add a confirmation flag where the admin must pass in the name of the table they are trying to restore. This is because Admins have the ability to change policies anyway, and the real objective with having a separate role was to prevent accidental running of these step functions, which having this flag will account for.
Closes #987 #892
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Per-table DynamoDB disaster‑recovery workflows (restore + sync), CLI tools to enter/exit recovery mode, and Lambdas to delete and copy records.
* **Documentation**
* Comprehensive Disaster Recovery runbook with architecture, execution steps, inputs, warnings, and manual recovery guidance.
* **Tests**
* Moto-backed functional tests for cleanup and copy handlers (pagination, time‑bounded runs, guard‑rails); test discovery now includes the disaster‑recovery module.
* **Chores**
* Added disaster‑recovery to dependency compile/sync, new dev dependency pins (including moto extras), bumped many dependency pins, and enabled table deletion protection when removal policy is RETAIN.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- _None_
### Description List
- Remove "Issue date" from the license card and "Active date" from the
license table in the license verification proof page
- Add "Active from" to the privilege card and to the privilege table in
the license verification proof page using new property from the API
response
- Minor style updates on the license verification proof page to improve
mobile experience
- Update mock data to accurately reflect new property and its use
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Testing:
- Using **mock data**, update `getAuthenticatedLicenseeUser` in
`mock.data.api` to return `licensees.providers[1]`
- Log into the app, and in the dashboard page confirm that the license
cards no longer include an "Issue date"
- Confirm that the privilege cards have a new "Active date" field, and
- For active privileges, the date is being displayed as expected
- For inactive privileges, the date is displayed as "deactivated"
- Go to the license verification proof page and confirm that
- The "Privileges" table has an "Active from" column and the records are
sorted by most recent first
- The "Home State Licenses" table only has an "Expiration" column
- Confirm the layout works well in a mobile screen size as well
Closes #739
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Privileges now show an "Active from" date (or "Deactivated" when
inactive) and are sorted by Active From (most recent first).
* Privileges column renamed to "Active From"; licenses no longer display
the issued/active date.
* Added "Active from" translations (English & Spanish).
* **Chores**
* Model, serializer, tests and mock data updated to support the new
active-from field.
* **Style**
* Adjusted Licensee Proof layout and spacing for the new column and
responsive display.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Requirements List
- Run `yarn install --ignore-engines`
### Description List
- Added new store actions and mutations and needed api calls to populate history for the three user types (staff user, public, licenseeuser)
- Modified LicenseHistoryItem model
- Created LicenseHistory model
- Removed expire overwrite in privilege cards because history not totally available when making list view call
- Modified UI to match new timeline designs
### Testing List
- `yarn test:unit:all` should run without errors or warnings
- `yarn serve` should run without errors or warnings
- `yarn build` should run without errors or warnings
- Code review
- Look at http://localhost:3018/Search/octp/aa2e057d-6972-4a68-a55d-aad1c3d05278/Privilege/aa2e057d-6972-4a68-a55d-aad1c3d05278-ne-occupational%20therapy%20assistant with the mockapi or the equivalent on the user profile
- Try pointing to https://api.dana.jcc.iaapi.io and searching for Hannah Hall in the ASLP compact to see API work, get credentials from me for the other user types if desired or populate in the dev env
Closes #742
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
* Privilege history view added for staff, licensees, and public users with role-aware loading and new history endpoints.
* **Enhancements**
* Timeline now renders as an accessible list with default node color, smaller event-detail text, and effective-date + note displays.
* Expiry display shows the expiry date (or blank) rather than a “deactivated” label.
* English and Spanish locales expanded with new event types and deactivation notes; store tracks privilege-history loading.
* **Tests**
* Added/updated tests and mock data for privilege-history flows and history-item displays.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Dana Stiefel <dana@inspiringapps.com>
@isabeleliassen This PR is ready to merge using a "Merge Commit" (not squash). FYI: The ZAP Scan did not successfully complete since #962 moved the internal API spec to a different directory. Trying to hotfix the ZAP scan github action would be unnecessarily complex since other changes have already been merged to the
`npm audit` and `pip audit`) to ensure that there are no vulnerabilities that will be deployed to production (as opposed to vulnerabilities that only have an impact on the development environment)