Add lookup tables, payment methods, tax exemptions, and processor link APIs

Replace unit_status and item_condition pgEnums with company-scoped lookup tables that support custom values. Add account_payment_method table, tax_exemption table with approve/revoke workflow, and CRUD routes for processor links. Validate inventory unit status/condition against lookup tables at service layer.
2026-03-27 20:53:30 -05:00
parent e7853f59f2
commit 0a2d6e23af
17 changed files with 1431 additions and 28 deletions
--- a/packages/backend/src/routes/v1/accounts-extended.test.ts
+++ b/packages/backend/src/routes/v1/accounts-extended.test.ts
@@ -0,0 +1,491 @@
+import { describe, it, expect, beforeAll, beforeEach, afterAll } from 'bun:test'
+import type { FastifyInstance } from 'fastify'
+import {
+  createTestApp,
+  cleanDb,
+  seedTestCompany,
+  registerAndLogin,
+  TEST_COMPANY_ID,
+} from '../../test/helpers.js'
+
+describe('Processor link routes', () => {
+  let app: FastifyInstance
+  let token: string
+  let accountId: string
+
+  beforeAll(async () => {
+    app = await createTestApp()
+  })
+
+  beforeEach(async () => {
+    await cleanDb(app)
+    await seedTestCompany(app)
+    const auth = await registerAndLogin(app, { email: `pl-${Date.now()}@test.com` })
+    token = auth.token
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/v1/accounts',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Link Test Account' },
+    })
+    accountId = res.json().id
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  it('creates a processor link', async () => {
+    const res = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/processor-links`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorCustomerId: 'cus_test123' },
+    })
+    expect(res.statusCode).toBe(201)
+    expect(res.json().processor).toBe('stripe')
+    expect(res.json().processorCustomerId).toBe('cus_test123')
+    expect(res.json().accountId).toBe(accountId)
+  })
+
+  it('lists processor links for an account', async () => {
+    await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/processor-links`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorCustomerId: 'cus_1' },
+    })
+    await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/processor-links`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'global_payments', processorCustomerId: 'gp_1' },
+    })
+
+    const res = await app.inject({
+      method: 'GET',
+      url: `/v1/accounts/${accountId}/processor-links`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(res.statusCode).toBe(200)
+    expect(res.json().data.length).toBe(2)
+  })
+
+  it('updates a processor link', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/processor-links`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorCustomerId: 'cus_1' },
+    })
+    const id = createRes.json().id
+
+    const res = await app.inject({
+      method: 'PATCH',
+      url: `/v1/processor-links/${id}`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { isActive: false },
+    })
+    expect(res.statusCode).toBe(200)
+    expect(res.json().isActive).toBe(false)
+  })
+
+  it('deletes a processor link', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/processor-links`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorCustomerId: 'cus_del' },
+    })
+    const id = createRes.json().id
+
+    const delRes = await app.inject({
+      method: 'DELETE',
+      url: `/v1/processor-links/${id}`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(delRes.statusCode).toBe(200)
+  })
+})
+
+describe('Payment method routes', () => {
+  let app: FastifyInstance
+  let token: string
+  let accountId: string
+
+  beforeAll(async () => {
+    app = await createTestApp()
+  })
+
+  beforeEach(async () => {
+    await cleanDb(app)
+    await seedTestCompany(app)
+    const auth = await registerAndLogin(app, { email: `pm-${Date.now()}@test.com` })
+    token = auth.token
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/v1/accounts',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Payment Test Account' },
+    })
+    accountId = res.json().id
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  it('creates a payment method', async () => {
+    const res = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/payment-methods`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: {
+        processor: 'stripe',
+        processorPaymentMethodId: 'pm_test123',
+        cardBrand: 'visa',
+        lastFour: '4242',
+        expMonth: 12,
+        expYear: 2027,
+        isDefault: true,
+      },
+    })
+    expect(res.statusCode).toBe(201)
+    expect(res.json().cardBrand).toBe('visa')
+    expect(res.json().lastFour).toBe('4242')
+    expect(res.json().isDefault).toBe(true)
+  })
+
+  it('lists payment methods for an account', async () => {
+    await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/payment-methods`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorPaymentMethodId: 'pm_1', lastFour: '1111' },
+    })
+    await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/payment-methods`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorPaymentMethodId: 'pm_2', lastFour: '2222' },
+    })
+
+    const res = await app.inject({
+      method: 'GET',
+      url: `/v1/accounts/${accountId}/payment-methods`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(res.statusCode).toBe(200)
+    expect(res.json().data.length).toBe(2)
+  })
+
+  it('sets new default and unsets old default', async () => {
+    const first = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/payment-methods`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorPaymentMethodId: 'pm_1', isDefault: true },
+    })
+    const firstId = first.json().id
+
+    const second = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/payment-methods`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorPaymentMethodId: 'pm_2', isDefault: true },
+    })
+    expect(second.json().isDefault).toBe(true)
+
+    // First should no longer be default
+    const getFirst = await app.inject({
+      method: 'GET',
+      url: `/v1/payment-methods/${firstId}`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(getFirst.json().isDefault).toBe(false)
+  })
+
+  it('deletes a payment method', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/payment-methods`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { processor: 'stripe', processorPaymentMethodId: 'pm_del' },
+    })
+
+    const delRes = await app.inject({
+      method: 'DELETE',
+      url: `/v1/payment-methods/${createRes.json().id}`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(delRes.statusCode).toBe(200)
+  })
+})
+
+describe('Tax exemption routes', () => {
+  let app: FastifyInstance
+  let token: string
+  let accountId: string
+
+  beforeAll(async () => {
+    app = await createTestApp()
+  })
+
+  beforeEach(async () => {
+    await cleanDb(app)
+    await seedTestCompany(app)
+    const auth = await registerAndLogin(app, { email: `tax-${Date.now()}@test.com` })
+    token = auth.token
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/v1/accounts',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Tax Test Account' },
+    })
+    accountId = res.json().id
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  it('creates a tax exemption', async () => {
+    const res = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/tax-exemptions`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: {
+        certificateNumber: 'TX-12345',
+        certificateType: 'resale',
+        issuingState: 'TX',
+        expiresAt: '2027-12-31',
+      },
+    })
+    expect(res.statusCode).toBe(201)
+    expect(res.json().certificateNumber).toBe('TX-12345')
+    expect(res.json().status).toBe('pending')
+    expect(res.json().issuingState).toBe('TX')
+  })
+
+  it('lists tax exemptions for an account', async () => {
+    await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/tax-exemptions`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { certificateNumber: 'CERT-1' },
+    })
+
+    const res = await app.inject({
+      method: 'GET',
+      url: `/v1/accounts/${accountId}/tax-exemptions`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(res.statusCode).toBe(200)
+    expect(res.json().data.length).toBe(1)
+  })
+
+  it('approves a tax exemption', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/tax-exemptions`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { certificateNumber: 'CERT-APPROVE' },
+    })
+    const id = createRes.json().id
+
+    const res = await app.inject({
+      method: 'POST',
+      url: `/v1/tax-exemptions/${id}/approve`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(res.statusCode).toBe(200)
+    expect(res.json().status).toBe('approved')
+    expect(res.json().approvedBy).toBeTruthy()
+    expect(res.json().approvedAt).toBeTruthy()
+  })
+
+  it('revokes a tax exemption with reason', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/tax-exemptions`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { certificateNumber: 'CERT-REVOKE' },
+    })
+    const id = createRes.json().id
+
+    // Approve first
+    await app.inject({
+      method: 'POST',
+      url: `/v1/tax-exemptions/${id}/approve`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+
+    const res = await app.inject({
+      method: 'POST',
+      url: `/v1/tax-exemptions/${id}/revoke`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { reason: 'Certificate expired' },
+    })
+    expect(res.statusCode).toBe(200)
+    expect(res.json().status).toBe('none')
+    expect(res.json().revokedReason).toBe('Certificate expired')
+  })
+
+  it('rejects revoke without reason', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/tax-exemptions`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { certificateNumber: 'CERT-NO-REASON' },
+    })
+
+    const res = await app.inject({
+      method: 'POST',
+      url: `/v1/tax-exemptions/${createRes.json().id}/revoke`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: {},
+    })
+    expect(res.statusCode).toBe(400)
+  })
+
+  it('updates a tax exemption', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: `/v1/accounts/${accountId}/tax-exemptions`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { certificateNumber: 'OLD-CERT' },
+    })
+
+    const res = await app.inject({
+      method: 'PATCH',
+      url: `/v1/tax-exemptions/${createRes.json().id}`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { certificateNumber: 'NEW-CERT', issuingState: 'CA' },
+    })
+    expect(res.statusCode).toBe(200)
+    expect(res.json().certificateNumber).toBe('NEW-CERT')
+    expect(res.json().issuingState).toBe('CA')
+  })
+})
+
+describe('Lookup table routes', () => {
+  let app: FastifyInstance
+  let token: string
+
+  beforeAll(async () => {
+    app = await createTestApp()
+  })
+
+  beforeEach(async () => {
+    await cleanDb(app)
+    await seedTestCompany(app)
+    const auth = await registerAndLogin(app, { email: `lookup-${Date.now()}@test.com` })
+    token = auth.token
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  describe('Unit statuses', () => {
+    it('lists system-seeded unit statuses', async () => {
+      const res = await app.inject({
+        method: 'GET',
+        url: '/v1/unit-statuses',
+        headers: { authorization: `Bearer ${token}` },
+      })
+      expect(res.statusCode).toBe(200)
+      const slugs = res.json().data.map((s: { slug: string }) => s.slug)
+      expect(slugs).toContain('available')
+      expect(slugs).toContain('sold')
+      expect(slugs).toContain('on_trial')
+      expect(slugs).toContain('layaway')
+      expect(slugs).toContain('lost')
+    })
+
+    it('creates a custom status', async () => {
+      const res = await app.inject({
+        method: 'POST',
+        url: '/v1/unit-statuses',
+        headers: { authorization: `Bearer ${token}` },
+        payload: { name: 'On Display', slug: 'on_display', description: 'Showroom floor' },
+      })
+      expect(res.statusCode).toBe(201)
+      expect(res.json().slug).toBe('on_display')
+      expect(res.json().isSystem).toBe(false)
+    })
+
+    it('rejects duplicate slug', async () => {
+      const res = await app.inject({
+        method: 'POST',
+        url: '/v1/unit-statuses',
+        headers: { authorization: `Bearer ${token}` },
+        payload: { name: 'Available Copy', slug: 'available' },
+      })
+      expect(res.statusCode).toBe(409)
+    })
+
+    it('blocks deleting a system status', async () => {
+      const list = await app.inject({
+        method: 'GET',
+        url: '/v1/unit-statuses',
+        headers: { authorization: `Bearer ${token}` },
+      })
+      const systemStatus = list.json().data.find((s: { isSystem: boolean }) => s.isSystem)
+
+      const res = await app.inject({
+        method: 'DELETE',
+        url: `/v1/unit-statuses/${systemStatus.id}`,
+        headers: { authorization: `Bearer ${token}` },
+      })
+      expect(res.statusCode).toBe(403)
+    })
+
+    it('allows deleting a custom status', async () => {
+      const createRes = await app.inject({
+        method: 'POST',
+        url: '/v1/unit-statuses',
+        headers: { authorization: `Bearer ${token}` },
+        payload: { name: 'Temp', slug: 'temp_status' },
+      })
+
+      const res = await app.inject({
+        method: 'DELETE',
+        url: `/v1/unit-statuses/${createRes.json().id}`,
+        headers: { authorization: `Bearer ${token}` },
+      })
+      expect(res.statusCode).toBe(200)
+    })
+  })
+
+  describe('Item conditions', () => {
+    it('lists system-seeded item conditions', async () => {
+      const res = await app.inject({
+        method: 'GET',
+        url: '/v1/item-conditions',
+        headers: { authorization: `Bearer ${token}` },
+      })
+      expect(res.statusCode).toBe(200)
+      const slugs = res.json().data.map((c: { slug: string }) => c.slug)
+      expect(slugs).toContain('new')
+      expect(slugs).toContain('excellent')
+      expect(slugs).toContain('good')
+      expect(slugs).toContain('fair')
+      expect(slugs).toContain('poor')
+    })
+
+    it('creates a custom condition', async () => {
+      const res = await app.inject({
+        method: 'POST',
+        url: '/v1/item-conditions',
+        headers: { authorization: `Bearer ${token}` },
+        payload: { name: 'Refurbished', slug: 'refurbished', description: 'Professionally restored' },
+      })
+      expect(res.statusCode).toBe(201)
+      expect(res.json().slug).toBe('refurbished')
+    })
+  })
+})
--- a/packages/backend/src/routes/v1/accounts.ts
+++ b/packages/backend/src/routes/v1/accounts.ts
@@ -5,8 +5,20 @@ import {
  MemberCreateSchema,
  MemberUpdateSchema,
  PaginationSchema,
+  ProcessorLinkCreateSchema,
+  ProcessorLinkUpdateSchema,
+  PaymentMethodCreateSchema,
+  PaymentMethodUpdateSchema,
+  TaxExemptionCreateSchema,
+  TaxExemptionUpdateSchema,
 } from '@forte/shared/schemas'
-import { AccountService, MemberService } from '../../services/account.service.js'
+import {
+  AccountService,
+  MemberService,
+  ProcessorLinkService,
+  PaymentMethodService,
+  TaxExemptionService,
+} from '../../services/account.service.js'

 export const accountRoutes: FastifyPluginAsync = async (app) => {
  // --- Accounts ---
@@ -94,4 +106,137 @@ export const accountRoutes: FastifyPluginAsync = async (app) => {
    if (!member) return reply.status(404).send({ error: { message: 'Member not found', statusCode: 404 } })
    return reply.send(member)
  })
+
+  // --- Processor Links ---
+
+  app.post('/accounts/:accountId/processor-links', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { accountId } = request.params as { accountId: string }
+    const parsed = ProcessorLinkCreateSchema.safeParse({ ...(request.body as object), accountId })
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const link = await ProcessorLinkService.create(app.db, request.companyId, parsed.data)
+    return reply.status(201).send(link)
+  })
+
+  app.get('/accounts/:accountId/processor-links', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { accountId } = request.params as { accountId: string }
+    const links = await ProcessorLinkService.listByAccount(app.db, request.companyId, accountId)
+    return reply.send({ data: links })
+  })
+
+  app.patch('/processor-links/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const parsed = ProcessorLinkUpdateSchema.safeParse(request.body)
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const link = await ProcessorLinkService.update(app.db, request.companyId, id, parsed.data)
+    if (!link) return reply.status(404).send({ error: { message: 'Processor link not found', statusCode: 404 } })
+    return reply.send(link)
+  })
+
+  app.delete('/processor-links/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const link = await ProcessorLinkService.delete(app.db, request.companyId, id)
+    if (!link) return reply.status(404).send({ error: { message: 'Processor link not found', statusCode: 404 } })
+    return reply.send(link)
+  })
+
+  // --- Payment Methods ---
+
+  app.post('/accounts/:accountId/payment-methods', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { accountId } = request.params as { accountId: string }
+    const parsed = PaymentMethodCreateSchema.safeParse({ ...(request.body as object), accountId })
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const method = await PaymentMethodService.create(app.db, request.companyId, parsed.data)
+    return reply.status(201).send(method)
+  })
+
+  app.get('/accounts/:accountId/payment-methods', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { accountId } = request.params as { accountId: string }
+    const methods = await PaymentMethodService.listByAccount(app.db, request.companyId, accountId)
+    return reply.send({ data: methods })
+  })
+
+  app.get('/payment-methods/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const method = await PaymentMethodService.getById(app.db, request.companyId, id)
+    if (!method) return reply.status(404).send({ error: { message: 'Payment method not found', statusCode: 404 } })
+    return reply.send(method)
+  })
+
+  app.patch('/payment-methods/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const parsed = PaymentMethodUpdateSchema.safeParse(request.body)
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const method = await PaymentMethodService.update(app.db, request.companyId, id, parsed.data)
+    if (!method) return reply.status(404).send({ error: { message: 'Payment method not found', statusCode: 404 } })
+    return reply.send(method)
+  })
+
+  app.delete('/payment-methods/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const method = await PaymentMethodService.delete(app.db, request.companyId, id)
+    if (!method) return reply.status(404).send({ error: { message: 'Payment method not found', statusCode: 404 } })
+    return reply.send(method)
+  })
+
+  // --- Tax Exemptions ---
+
+  app.post('/accounts/:accountId/tax-exemptions', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { accountId } = request.params as { accountId: string }
+    const parsed = TaxExemptionCreateSchema.safeParse({ ...(request.body as object), accountId })
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const exemption = await TaxExemptionService.create(app.db, request.companyId, parsed.data)
+    return reply.status(201).send(exemption)
+  })
+
+  app.get('/accounts/:accountId/tax-exemptions', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { accountId } = request.params as { accountId: string }
+    const exemptions = await TaxExemptionService.listByAccount(app.db, request.companyId, accountId)
+    return reply.send({ data: exemptions })
+  })
+
+  app.get('/tax-exemptions/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const exemption = await TaxExemptionService.getById(app.db, request.companyId, id)
+    if (!exemption) return reply.status(404).send({ error: { message: 'Tax exemption not found', statusCode: 404 } })
+    return reply.send(exemption)
+  })
+
+  app.patch('/tax-exemptions/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const parsed = TaxExemptionUpdateSchema.safeParse(request.body)
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const exemption = await TaxExemptionService.update(app.db, request.companyId, id, parsed.data)
+    if (!exemption) return reply.status(404).send({ error: { message: 'Tax exemption not found', statusCode: 404 } })
+    return reply.send(exemption)
+  })
+
+  app.post('/tax-exemptions/:id/approve', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const exemption = await TaxExemptionService.approve(app.db, request.companyId, id, request.user.id)
+    if (!exemption) return reply.status(404).send({ error: { message: 'Tax exemption not found', statusCode: 404 } })
+    return reply.send(exemption)
+  })
+
+  app.post('/tax-exemptions/:id/revoke', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const { reason } = (request.body as { reason?: string }) ?? {}
+    if (!reason) {
+      return reply.status(400).send({ error: { message: 'Reason is required to revoke a tax exemption', statusCode: 400 } })
+    }
+    const exemption = await TaxExemptionService.revoke(app.db, request.companyId, id, request.user.id, reason)
+    if (!exemption) return reply.status(404).send({ error: { message: 'Tax exemption not found', statusCode: 404 } })
+    return reply.send(exemption)
+  })
 }
--- a/packages/backend/src/routes/v1/lookups.ts
+++ b/packages/backend/src/routes/v1/lookups.ts
@@ -0,0 +1,66 @@
+import type { FastifyPluginAsync } from 'fastify'
+import { LookupCreateSchema, LookupUpdateSchema } from '@forte/shared/schemas'
+import { UnitStatusService, ItemConditionService } from '../../services/lookup.service.js'
+
+function createLookupRoutes(prefix: string, service: typeof UnitStatusService) {
+  const routes: FastifyPluginAsync = async (app) => {
+    app.get(`/${prefix}`, { preHandler: [app.authenticate] }, async (request, reply) => {
+      const data = await service.list(app.db, request.companyId)
+      return reply.send({ data })
+    })
+
+    app.post(`/${prefix}`, { preHandler: [app.authenticate] }, async (request, reply) => {
+      const parsed = LookupCreateSchema.safeParse(request.body)
+      if (!parsed.success) {
+        return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+      }
+
+      // Check slug uniqueness
+      const existing = await service.getBySlug(app.db, request.companyId, parsed.data.slug)
+      if (existing) {
+        return reply.status(409).send({ error: { message: `Slug "${parsed.data.slug}" already exists`, statusCode: 409 } })
+      }
+
+      const row = await service.create(app.db, request.companyId, parsed.data)
+      return reply.status(201).send(row)
+    })
+
+    app.patch(`/${prefix}/:id`, { preHandler: [app.authenticate] }, async (request, reply) => {
+      const { id } = request.params as { id: string }
+      const parsed = LookupUpdateSchema.safeParse(request.body)
+      if (!parsed.success) {
+        return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+      }
+      try {
+        const row = await service.update(app.db, request.companyId, id, parsed.data)
+        if (!row) return reply.status(404).send({ error: { message: 'Not found', statusCode: 404 } })
+        return reply.send(row)
+      } catch (err) {
+        if (err instanceof Error && err.message.includes('system')) {
+          return reply.status(403).send({ error: { message: err.message, statusCode: 403 } })
+        }
+        throw err
+      }
+    })
+
+    app.delete(`/${prefix}/:id`, { preHandler: [app.authenticate] }, async (request, reply) => {
+      const { id } = request.params as { id: string }
+      try {
+        const row = await service.delete(app.db, request.companyId, id)
+        if (!row) return reply.status(404).send({ error: { message: 'Not found', statusCode: 404 } })
+        return reply.send(row)
+      } catch (err) {
+        if (err instanceof Error && err.message.includes('system')) {
+          return reply.status(403).send({ error: { message: err.message, statusCode: 403 } })
+        }
+        throw err
+      }
+    })
+  }
+  return routes
+}
+
+export const lookupRoutes: FastifyPluginAsync = async (app) => {
+  await app.register(createLookupRoutes('unit-statuses', UnitStatusService))
+  await app.register(createLookupRoutes('item-conditions', ItemConditionService))
+}
--- a/packages/backend/src/routes/v1/products.ts
+++ b/packages/backend/src/routes/v1/products.ts
@@ -59,8 +59,15 @@ export const productRoutes: FastifyPluginAsync = async (app) => {
    if (!parsed.success) {
      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
    }
-    const unit = await InventoryUnitService.create(app.db, request.companyId, parsed.data)
-    return reply.status(201).send(unit)
+    try {
+      const unit = await InventoryUnitService.create(app.db, request.companyId, parsed.data)
+      return reply.status(201).send(unit)
+    } catch (err) {
+      if (err instanceof Error && (err.message.includes('Invalid condition') || err.message.includes('Invalid status'))) {
+        return reply.status(400).send({ error: { message: err.message, statusCode: 400 } })
+      }
+      throw err
+    }
  })

  app.get('/products/:productId/units', { preHandler: [app.authenticate] }, async (request, reply) => {
@@ -83,8 +90,15 @@ export const productRoutes: FastifyPluginAsync = async (app) => {
    if (!parsed.success) {
      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
    }
-    const unit = await InventoryUnitService.update(app.db, request.companyId, id, parsed.data)
-    if (!unit) return reply.status(404).send({ error: { message: 'Unit not found', statusCode: 404 } })
-    return reply.send(unit)
+    try {
+      const unit = await InventoryUnitService.update(app.db, request.companyId, id, parsed.data)
+      if (!unit) return reply.status(404).send({ error: { message: 'Unit not found', statusCode: 404 } })
+      return reply.send(unit)
+    } catch (err) {
+      if (err instanceof Error && (err.message.includes('Invalid condition') || err.message.includes('Invalid status'))) {
+        return reply.status(400).send({ error: { message: err.message, statusCode: 400 } })
+      }
+      throw err
+    }
  })
 }