After InvoiceIngestWorker writes cost lines and matches resources, it
pushes a normalized invoice payload to skyai-finance-svc's new endpoint
POST /api/v1/integrations/cloud/import-invoice. Idempotent — finance
dedups on (tenant_id, source, external_id), so re-runs return "updated"
not duplicate rows.
ArcadiaCloud.Integrations.SkyaiFinance is the HTTP client. Auth is a
short-lived JWT minted via Guardian (shared secret per memory) with
identity {tenant_id: "platform-admin", roles: ["admin"]} — the role
satisfies finance's RequireWriteRole plug. Identity + base URL are
configurable; SKYAI_FINANCE_URL env var can override the default
http://localhost:4010 for arcadia-dev / prod.
GST line detection: lines whose description contains "gst" or "tax"
get summed into amount_tax_minor; everything else into amount_net_minor;
sum stays gross. Phase 1 enough — proper tax handling lands when
real per-tenant invoices flow.
cloud_invoices gains pushed_to_finance_at + finance_invoice_id so we
don't re-push uselessly (Billing.mark_invoice_pushed/2 records both).
A missing finance config (no :skyai_finance app env) makes the push a
silent skip rather than a worker failure — environments without finance
configured still get a working ingest.
Live verified end-to-end against both services:
- April 2026 DO invoice (33 lines, $86.92) lands in finance as a row
with gross=$86.92, tax=$7.90, source=digitalocean, tenant=platform-admin
- DigitalOcean vendor auto-created (category=cloud) under platform-admin
- Re-running the worker returns action: "updated" not "created";
finance still has exactly 1 row for the invoice
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
58 lines
1.9 KiB
Elixir
58 lines
1.9 KiB
Elixir
defmodule ArcadiaCloud.Integrations.SkyaiFinance do
|
|
@moduledoc """
|
|
HTTP client for pushing cloud invoices to skyai-finance-svc.
|
|
|
|
Auth: mints a short-lived Guardian JWT (shared secret per
|
|
project_arcadia_guardian_secret memory) with the platform-admin identity
|
|
configured under `:arcadia_cloud, :skyai_finance`. JWT carries role
|
|
`admin` because skyai-finance's RequireWriteRole plug accepts `admin`
|
|
or `user`, not `platform_admin`.
|
|
"""
|
|
|
|
alias ArcadiaCloud.Guardian
|
|
|
|
@doc """
|
|
Push a single cloud invoice (and ensure-vendor) to skyai-finance.
|
|
|
|
Idempotent — finance dedups on (tenant_id, source, external_id) and
|
|
updates existing rows on re-push.
|
|
|
|
Returns {:ok, %{vendor_id, invoice_id, action}} | {:error, reason}.
|
|
"""
|
|
def push_invoice(payload) when is_map(payload) do
|
|
with {:ok, base_url} <- fetch(:base_url),
|
|
{:ok, identity_claims} <- fetch(:identity_claims),
|
|
{:ok, token, _claims} <-
|
|
Guardian.encode_and_sign(identity_claims, identity_claims, token_type: :access) do
|
|
url = base_url <> "/api/v1/integrations/cloud/import-invoice"
|
|
|
|
case Req.post(url,
|
|
headers: [
|
|
{"authorization", "Bearer " <> token},
|
|
{"content-type", "application/json"}
|
|
],
|
|
json: payload,
|
|
retry: :transient,
|
|
max_retries: 2,
|
|
receive_timeout: 15_000
|
|
) do
|
|
{:ok, %Req.Response{status: status, body: body}} when status in 200..299 ->
|
|
{:ok, body}
|
|
|
|
{:ok, %Req.Response{status: status, body: body}} ->
|
|
{:error, {:http, status, body}}
|
|
|
|
{:error, e} ->
|
|
{:error, {:transport, e}}
|
|
end
|
|
end
|
|
end
|
|
|
|
defp fetch(key) do
|
|
case Application.get_env(:arcadia_cloud, :skyai_finance, [])[key] do
|
|
nil -> {:error, {:skyai_finance_not_configured, key}}
|
|
value -> {:ok, value}
|
|
end
|
|
end
|
|
end
|