DC-153 - Implement “Request replacement card” flow in self-service portal

.github/workflows/playwright-e2e.yaml

@@ -11,9 +11,70 @@ on:
 
 jobs:
   e2e:
-    name: E2E Tests
+    name: Playwright E2E Tests (${{ matrix.state }})
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    strategy:
+      matrix:
+        state: [dc, co]
+      fail-fast: false
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: "10"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile --prefer-offline
+
+      - name: Install Playwright browsers
+        run: cd src/SEBT.Portal.Web && pnpm exec playwright install --with-deps chromium
+
+      - name: Build frontend for E2E
+        env:
+          STATE: ${{ matrix.state }}
+          NEXT_PUBLIC_STATE: ${{ matrix.state }}
+        run: ./.github/workflows/scripts/build-frontend.sh --production
+
+      - name: Run Playwright E2E tests
+        env:
+          CI: true
+          SKIP_WEB_SERVER: "1"
+          STATE: ${{ matrix.state }}
+          NEXT_PUBLIC_STATE: ${{ matrix.state }}
+        run: |
+          (cd src/SEBT.Portal.Web && pnpm start) &
+          echo "Waiting for server at http://localhost:3000..."
+          for i in $(seq 1 90); do
+            curl -sf --max-time 15 http://localhost:3000 > /dev/null && echo "Server ready" && break
+            sleep 2
+          done
+          curl -sf --max-time 15 http://localhost:3000 > /dev/null || (echo "Server failed to start" && exit 1)
+          echo "Running Playwright E2E tests..."
+          pnpm ci:test:e2e
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v4
+        if: ${{ always() }}
+        with:
+          name: playwright-report-${{ matrix.state }}
+          path: src/SEBT.Portal.Web/playwright-report/
+          retention-days: 7
+
+  a11y:
+    name: Pa11y Accessibility Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
 
     services:
       mssql:
@@ -75,35 +136,30 @@ jobs:
       - name: Build backend
         run: ./.github/workflows/scripts/build-backend.sh --configuration Release
 
-      - name: Install Playwright browsers
-        run: cd src/SEBT.Portal.Web && pnpm exec playwright install --with-deps chromium
-
       - name: Install Chrome for Pa11y
         run: cd src/SEBT.Portal.Web && pnpm exec puppeteer browsers install chrome
 
-      - name: Build frontend for E2E
+      - name: Build frontend for Pa11y
         env:
           STATE: dc
           NEXT_PUBLIC_STATE: dc
         run: ./.github/workflows/scripts/build-frontend.sh --production
 
-      - name: Run Pa11y and Playwright E2E tests
+      - name: Run Pa11y accessibility tests
         env:
           CI: true
           SKIP_WEB_SERVER: "1"
           STATE: dc
           NEXT_PUBLIC_STATE: dc
           ASPNETCORE_ENVIRONMENT: Development
-          # Required at startup (AddPlugins); paths may be absent — MEF skips missing dirs and defaults apply.
           ConnectionStrings__DefaultConnection: "Server=localhost,1433;Database=SebtPortal;User Id=sa;Password=YourStrong@Passw0rd;TrustServerCertificate=True;"
           JwtSettings__SecretKey: "ci-e2e-jwt-secret-at-least-32-characters-long"
           IdentifierHasher__SecretKey: "ci-e2e-identifier-hasher-key-32chars"
           Oidc__CompleteLoginSigningKey: "ci-e2e-oidc-signing-key-at-least-32-chars"
           PluginAssemblyPaths__0: "plugins-dc"
           UseMockHouseholdData: "true"
         run: |
-          # Start API in dev mode + frontend from production build
-          pnpm api:dev &
+          ASPNETCORE_ENVIRONMENT=Development dotnet run --project src/SEBT.Portal.Api --launch-profile http --configuration Release --no-build &
           (cd src/SEBT.Portal.Web && pnpm start) &
           echo "Waiting for server at http://localhost:3000..."
           for i in $(seq 1 90); do
@@ -113,13 +169,3 @@ jobs:
           curl -sf --max-time 15 http://localhost:3000 > /dev/null || (echo "Server failed to start" && exit 1)
           echo "Running Pa11y accessibility tests..."
           pnpm ci:test:a11y
-          echo "Running Playwright E2E tests..."
-          pnpm ci:test:e2e
-
-      - name: Upload Playwright report
-        uses: actions/upload-artifact@v4
-        if: ${{ !cancelled() }}
-        with:
-          name: playwright-report
-          path: src/SEBT.Portal.Web/playwright-report/
-          retention-days: 7

packages/design-system/content/scripts/generate-locales.js

@@ -301,10 +301,11 @@ function parseContentKey(contentKey) {
 function buildStateLocaleData(rows, state) {
   const [headerRow, ...dataRows] = rows;
 
-  // Find column indices (handle emoji prefixes like "🟡 Content")
-  const contentIdx = headerRow.findIndex((h) =>
-    h.toLowerCase().includes('content')
-  );
+  // Find column indices (handle emoji prefixes like "🟡 Content" and renamed headers like "Variable Name/Key")
+  const contentIdx = headerRow.findIndex((h) => {
+    const lower = h.toLowerCase()
+    return lower.includes('content') || lower.includes('variable name')
+  });
   const englishIdx = headerRow.findIndex((h) =>
     h.toLowerCase().includes('english')
   );

packages/design-system/content/scripts/generate-locales.test.js

@@ -65,5 +65,28 @@ assert.ok(!enrollmentContent.includes('dashboard'), 'enrollment barrel must NOT
 // Test: locale JSON was written to --out-dir (not to script's own directory)
 assert.ok(existsSync(join(tmpDir, 'locales', 'en', 'co', 'landing.json')), 'locale JSON must be written to --out-dir')
 
+// Test: new CSV column headers ("Variable Name/Key", "🟢 CO English", "🟢 CO Español")
+setup()
+const csvNewHeaders = [
+  'Variable Name/Key,🟢 CO English,⚪ SOURCE English,🟢 CO Español,⚪ SOURCE Español,Notes',
+  'GLOBAL - Button Continue,Continue,,Continuar,,',
+  'S1 - Landing Page - Title,New Header Landing,,New Header Landing ES,,',
+].join('\n')
+writeFileSync(join(tmpDir, 'states', 'co.csv'), csvNewHeaders)
+
+execFileSync('node', [
+  script,
+  '--csv-dir', join(tmpDir, 'states'),
+  '--out-dir', join(tmpDir, 'locales'),
+  '--ts-out',  join(tmpDir, 'ts-out', 'new-header-resources.ts'),
+  '--app',     'portal',
+], { stdio: 'inherit' })
+
+const newHeaderLanding = JSON.parse(readFileSync(join(tmpDir, 'locales', 'en', 'co', 'landing.json'), 'utf8'))
+assert.equal(newHeaderLanding.title, 'New Header Landing', 'must parse content from "Variable Name/Key" column header')
+
+const newHeaderCommon = JSON.parse(readFileSync(join(tmpDir, 'locales', 'es', 'co', 'common.json'), 'utf8'))
+assert.equal(newHeaderCommon.buttonContinue, 'Continuar', 'must parse Spanish from state-prefixed Español column')
+
 console.log('✅ All generate-locales CLI arg tests passed')
 teardown()

src/SEBT.Portal.Api/Controllers/Auth/OidcController.cs

@@ -122,7 +122,10 @@ public async Task<IActionResult> CompleteLogin(
             ValidateAudience = false,
             ValidateLifetime = true,
             ClockSkew = TimeSpan.FromMinutes(1),
-            IssuerSigningKey = key
+            // Use resolver instead of IssuerSigningKey to bypass kid-matching;
+            // jose (Next.js) signs without a kid header, which causes IDX10517
+            // when JwtSecurityTokenHandler tries to match by kid.
+            IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => [key]
         };
         var handler = new JwtSecurityTokenHandler();
         handler.MapInboundClaims = false; // Preserve original JWT claim names (sub, email)

src/SEBT.Portal.Api/Controllers/Household/HouseholdController.cs

@@ -85,4 +85,36 @@ public async Task<IActionResult> UpdateAddress(
         var result = await commandHandler.Handle(command, cancellationToken);
         return result.ToActionResult();
     }
+
+    /// <summary>
+    /// Requests replacement cards for the authenticated user's household.
+    /// </summary>
+    /// <param name="request">The application numbers to request replacements for.</param>
+    /// <param name="commandHandler">The use case handler for requesting card replacements.</param>
+    /// <param name="cancellationToken">A token to monitor for cancellation requests.</param>
+    /// <returns>No content on success; otherwise, BadRequest, Forbidden, or NotFound.</returns>
+    /// <response code="204">Card replacement request recorded successfully.</response>
+    /// <response code="400">Validation failed (no applications selected or cooldown active).</response>
+    /// <response code="403">User is not authorized or no household identifier could be resolved from token.</response>
+    /// <response code="404">Household data not found for the authenticated user.</response>
+    [HttpPost("cards/replace")]
+    [Authorize]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(typeof(ProblemDetails), StatusCodes.Status403Forbidden)]
+    [ProducesResponseType(typeof(ProblemDetails), StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> RequestCardReplacement(
+        [FromBody] RequestCardReplacementRequest request,
+        [FromServices] ICommandHandler<RequestCardReplacementCommand> commandHandler,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new RequestCardReplacementCommand
+        {
+            User = User,
+            ApplicationNumbers = request.ApplicationNumbers
+        };
+
+        var result = await commandHandler.Handle(command, cancellationToken);
+        return result.ToActionResult();
+    }
 }

src/SEBT.Portal.Api/Models/Household/RequestCardReplacementRequest.cs

@@ -0,0 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace SEBT.Portal.Api.Models.Household;
+
+/// <summary>
+/// Request model for requesting replacement cards for one or more applications.
+/// </summary>
+public record RequestCardReplacementRequest
+{
+    /// <summary>Application numbers identifying which cards to replace.</summary>
+    [Required(ErrorMessage = "At least one application number is required.")]
+    [MinLength(1, ErrorMessage = "At least one application number is required.")]
+    public required List<string> ApplicationNumbers { get; init; }
+}

src/SEBT.Portal.TestUtilities/Helpers/HouseholdFactory.cs

@@ -120,7 +120,7 @@ private static Application CreateApplicationWithStatus(ApplicationStatus status,
 
         if (status == ApplicationStatus.Approved)
         {
-            application.ApplicationNumber = $"APP-{faker.Date.Recent(365):yyyy-MM}-{faker.Random.Number(100000, 999999)}";
+            application.ApplicationNumber = $"APP-{faker.Random.Number(2024, 2026)}-{faker.Random.Number(1, 12):D2}-{faker.Random.Number(100000, 999999)}";
             application.CaseNumber = $"CASE-{faker.Random.Number(100000, 999999)}";
             application.BenefitIssueDate = faker.Date.Recent(120);
             application.BenefitExpirationDate = application.BenefitIssueDate.Value.AddDays(faker.Random.Int(30, 365));
@@ -135,7 +135,7 @@ private static Application CreateApplicationWithStatus(ApplicationStatus status,
         }
         else if (status == ApplicationStatus.Denied)
         {
-            application.ApplicationNumber = $"APP-{faker.Date.Recent(365):yyyy-MM}-{faker.Random.Number(100000, 999999)}";
+            application.ApplicationNumber = $"APP-{faker.Random.Number(2024, 2026)}-{faker.Random.Number(1, 12):D2}-{faker.Random.Number(100000, 999999)}";
             application.CaseNumber = $"CASE-{faker.Random.Number(100000, 999999)}";
             if (faker.Random.Bool(0.5f))
             {
@@ -164,7 +164,7 @@ private static Application CreateApplicationWithStatus(ApplicationStatus status,
         else
         {
             // For other statuses (Pending, UnderReview, Cancelled)
-            application.ApplicationNumber = $"APP-{faker.Date.Recent(365):yyyy-MM}-{faker.Random.Number(100000, 999999)}";
+            application.ApplicationNumber = $"APP-{faker.Random.Number(2024, 2026)}-{faker.Random.Number(1, 12):D2}-{faker.Random.Number(100000, 999999)}";
             if (faker.Random.Bool(0.5f))
             {
                 application.CardStatus = CardStatus.Requested;

src/SEBT.Portal.UseCases/Dependencies.cs

@@ -23,6 +23,7 @@ public static IServiceCollection AddUseCases(this IServiceCollection services)
         services.RegisterCommandHandler<ProcessWebhookCommand, ProcessWebhookCommandHandler>();
         services.RegisterCommandHandler<CheckEnrollmentCommand, EnrollmentCheckResult, CheckEnrollmentCommandHandler>();
         services.RegisterCommandHandler<UpdateAddressCommand, UpdateAddressCommandHandler>();
+        services.RegisterCommandHandler<RequestCardReplacementCommand, RequestCardReplacementCommandHandler>();
 
         return services;
     }

src/SEBT.Portal.UseCases/Household/RequestCardReplacement/RequestCardReplacementCommand.cs

@@ -0,0 +1,25 @@
+using System.ComponentModel.DataAnnotations;
+using System.Security.Claims;
+using SEBT.Portal.Kernel;
+
+namespace SEBT.Portal.UseCases.Household;
+
+/// <summary>
+/// Command to request replacement cards for one or more applications.
+/// </summary>
+public class RequestCardReplacementCommand : ICommand
+{
+    /// <summary>
+    /// The authenticated user's claims principal, used to resolve household identity.
+    /// </summary>
+    [Required]
+    public required ClaimsPrincipal User { get; init; }
+
+    /// <summary>
+    /// Application numbers identifying which cards to replace.
+    /// All children on a selected application share the same card.
+    /// </summary>
+    [Required(ErrorMessage = "At least one application number is required.")]
+    [MinLength(1, ErrorMessage = "At least one application number is required.")]
+    public required List<string> ApplicationNumbers { get; init; }
+}