You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"Code is written once, but analysed multiple times."
This project balances readability with leveraging Elixir's powerful abstractions. We write succinct, smart code using pattern matching, pipelines, and functional composition - but always with clarity of intent.
Executive Summary
KSeF Hub is a multi-tenant service for Poland's National e-Invoice System (KSeF). It handles the complexity of KSeF integration — certificate authentication, XADES signing, XML parsing, invoice sync — and exposes clean REST APIs and a self-service admin UI for multiple companies and teams.
KSeF stores invoices as FA(3) XML documents. This service syncs those documents, parses them, transforms them to HTML/PDF using official gov.pl stylesheets, and provides structured data via API. Any user can sign up, create a company, invite team members, and start syncing invoices.
Leverage pattern matching, pipelines (|>), and with for control flow
Use behaviours and protocols for polymorphism
GenServers for stateful workers
Supervisors for fault tolerance
Descriptive names, small focused functions
Succinct code that reads like documentation
Goals
Goal
Description
Own KSeF complexity
Certificate auth, XADES signing, XML parsing, rate limits
Provide clean APIs
Simple REST endpoints for invoice data
Generate compliant PDFs
Using official gov.pl stylesheets
Enable any consumer
ETL pipelines, payroll systems, accounting tools
Users
Any user can sign up with email/password or Google Sign-In. There is no email allowlist — the system is self-service.
Roles
Roles are per-company. The same user can be an owner in Company A, an accountant in Company B, and an invoice reviewer in Company C.
Role
Scope
Permissions
Owner
Per-company (creator)
Full access: certificates, API tokens, invite users, view/approve/reject invoices, company settings
Accountant
Per-company (invited)
View invoices, approve/reject expenses, view sync status
Invoice Reviewer
Per-company (invited)
View invoices, approve/reject expenses
Key Rules
Sign-up is open — anyone can create an account
User who creates a company becomes its owner — the owner role cannot be transferred (for now)
NIP is globally unique — if a company with a given NIP already exists, the user must be invited by the existing owner
Certificates belong to the user (owner), not the company — one person certificate can authenticate for multiple companies (see docs/ksef-certificates.md)
Only owners can see and manage the Certificates tab and API Tokens tab
Company list shows "Owner" / "Member" badge per company for each user
Feature Requirements
F1: Authentication
Requirement
Priority
Description
F1.1
Must
Email/password sign-up and sign-in
F1.2
Must
Email confirmation on sign-up
F1.3
Must
Password reset flow
F1.4
Should
Google Sign-In as additional auth method
F1.5
Must
Session management (login, logout, remember me)
F1b: API Token Management
Requirement
Priority
Description
F1b.1
Must
Generate API tokens with name/description
F1b.2
Must
Revoke (decline) API tokens
F1b.3
Must
Track last used timestamp per token
F1b.4
Must
Only company owners can create/revoke tokens
F1b.5
Should
Track request count per token
F1b.6
Should
View token usage history
F1c: Company Management
Requirement
Priority
Description
F1c.1
Must
Create company (name, NIP)
F1c.2
Must
NIP globally unique — reject if company with NIP already exists
F1c.3
Must
Creator becomes company owner
F1c.4
Must
Company settings page (name, NIP displayed, sync config)
F1c.5
Must
Company selector in UI — user can switch between companies
F1d: Team & Invitations
Requirement
Priority
Description
F1d.1
Must
Owner invites user by email with role (accountant or invoice reviewer)
F1d.2
Must
Invitation email sent with accept link
F1d.3
Must
Invited user signs up (if new) or logs in, then joins the company
F1d.4
Must
Accept/decline invitation
F1d.5
Must
Owner can remove a member from the company
F1d.6
Should
Owner can change a member's role
F1d.7
Should
List pending invitations for a company
F2: KSeF Certificate (Security Compliance)
Certificates belong to the user (owner), not the company. One person certificate can authenticate for multiple companies where the person has KSeF authorization. See docs/ksef-certificates.md for background.
Requirement
Priority
Description
F2.1
Must
Upload PKCS12 certificate (user-level, not company-level)
F2.2
Must
Encrypt certificate data at rest (AES-256-GCM)
F2.3
Must
Encrypt password separately (AES-256-GCM)
F2.4
Must
Encryption key from Secret Manager (not in code)
F2.5
Must
Display certificate expiry
F2.6
Must
Audit log of certificate operations (upload, use)
F2.7
Must
Only company owners can manage certificates
F2.8
Must
Certificate shared across all companies the owner manages