Files
Giuliano Silvestro 4f2e52af01 Wire skyai-finance push: cloud invoices flow into Sky AI's books
After InvoiceIngestWorker writes cost lines and matches resources, it
pushes a normalized invoice payload to skyai-finance-svc's new endpoint
POST /api/v1/integrations/cloud/import-invoice. Idempotent — finance
dedups on (tenant_id, source, external_id), so re-runs return "updated"
not duplicate rows.

ArcadiaCloud.Integrations.SkyaiFinance is the HTTP client. Auth is a
short-lived JWT minted via Guardian (shared secret per memory) with
identity {tenant_id: "platform-admin", roles: ["admin"]} — the role
satisfies finance's RequireWriteRole plug. Identity + base URL are
configurable; SKYAI_FINANCE_URL env var can override the default
http://localhost:4010 for arcadia-dev / prod.

GST line detection: lines whose description contains "gst" or "tax"
get summed into amount_tax_minor; everything else into amount_net_minor;
sum stays gross. Phase 1 enough — proper tax handling lands when
real per-tenant invoices flow.

cloud_invoices gains pushed_to_finance_at + finance_invoice_id so we
don't re-push uselessly (Billing.mark_invoice_pushed/2 records both).
A missing finance config (no :skyai_finance app env) makes the push a
silent skip rather than a worker failure — environments without finance
configured still get a working ingest.

Live verified end-to-end against both services:
- April 2026 DO invoice (33 lines, $86.92) lands in finance as a row
  with gross=$86.92, tax=$7.90, source=digitalocean, tenant=platform-admin
- DigitalOcean vendor auto-created (category=cloud) under platform-admin
- Re-running the worker returns action: "updated" not "created";
  finance still has exactly 1 row for the invoice

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 22:35:52 +10:00

58 lines
1.9 KiB
Elixir

defmodule ArcadiaCloud.Integrations.SkyaiFinance do
@moduledoc """
HTTP client for pushing cloud invoices to skyai-finance-svc.
Auth: mints a short-lived Guardian JWT (shared secret per
project_arcadia_guardian_secret memory) with the platform-admin identity
configured under `:arcadia_cloud, :skyai_finance`. JWT carries role
`admin` because skyai-finance's RequireWriteRole plug accepts `admin`
or `user`, not `platform_admin`.
"""
alias ArcadiaCloud.Guardian
@doc """
Push a single cloud invoice (and ensure-vendor) to skyai-finance.
Idempotent — finance dedups on (tenant_id, source, external_id) and
updates existing rows on re-push.
Returns {:ok, %{vendor_id, invoice_id, action}} | {:error, reason}.
"""
def push_invoice(payload) when is_map(payload) do
with {:ok, base_url} <- fetch(:base_url),
{:ok, identity_claims} <- fetch(:identity_claims),
{:ok, token, _claims} <-
Guardian.encode_and_sign(identity_claims, identity_claims, token_type: :access) do
url = base_url <> "/api/v1/integrations/cloud/import-invoice"
case Req.post(url,
headers: [
{"authorization", "Bearer " <> token},
{"content-type", "application/json"}
],
json: payload,
retry: :transient,
max_retries: 2,
receive_timeout: 15_000
) do
{:ok, %Req.Response{status: status, body: body}} when status in 200..299 ->
{:ok, body}
{:ok, %Req.Response{status: status, body: body}} ->
{:error, {:http, status, body}}
{:error, e} ->
{:error, {:transport, e}}
end
end
end
defp fetch(key) do
case Application.get_env(:arcadia_cloud, :skyai_finance, [])[key] do
nil -> {:error, {:skyai_finance_not_configured, key}}
value -> {:ok, value}
end
end
end