OpenBankProject · simonredfern · Mar 9, 2026 · Mar 5, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,4 @@
+# Project Instructions
+
+## Working Style
+- Never blame pre-existing issues or other commits. No excuses, no finger-pointing — diagnose and resolve.
diff --git a/obp-api/src/main/scala/bootstrap/liftweb/Boot.scala b/obp-api/src/main/scala/bootstrap/liftweb/Boot.scala
@@ -1014,6 +1014,9 @@ object ToSchemify {
     MappedRegulatedEntity,
     AtmAttribute,
     AbacRule,
+    code.mandate.Mandate,
+    code.mandate.MandateProvision,
+    code.mandate.SignatoryPanel,
     MappedBank,
     MappedBankAccount,
     BankAccountRouting,

diff --git a/obp-api/src/main/scala/code/api/constant/constant.scala b/obp-api/src/main/scala/code/api/constant/constant.scala
@@ -379,6 +379,8 @@ object Constant extends MdcLoggable {
   final val CAN_ADD_TRANSACTION_REQUEST_TO_BENEFICIARY = "can_add_transaction_request_to_beneficiary"
   final val CAN_GRANT_ACCESS_TO_VIEWS = "can_grant_access_to_views"
   final val CAN_REVOKE_ACCESS_TO_VIEWS = "can_revoke_access_to_views"
+  final val CAN_BYPASS_MAKER_CHECKER_SEPARATION = "can_bypass_maker_checker_separation"
+  final val CAN_ANSWER_TRANSACTION_REQUEST_CHALLENGE = "can_answer_transaction_request_challenge"
 
   final val SYSTEM_OWNER_VIEW_PERMISSION_ADMIN = List(
     CAN_SEE_AVAILABLE_VIEWS_FOR_BANK_ACCOUNT,
@@ -391,7 +393,9 @@ object Constant extends MdcLoggable {
     CAN_ADD_TRANSACTION_REQUEST_TO_ANY_ACCOUNT,
     CAN_ADD_TRANSACTION_REQUEST_TO_BENEFICIARY,
     CAN_GRANT_ACCESS_TO_VIEWS,
-    CAN_REVOKE_ACCESS_TO_VIEWS
+    CAN_REVOKE_ACCESS_TO_VIEWS,
+    CAN_BYPASS_MAKER_CHECKER_SEPARATION,
+    CAN_ANSWER_TRANSACTION_REQUEST_CHALLENGE
   )
 
   final val SYSTEM_MANAGER_VIEW_PERMISSION = List(
@@ -400,12 +404,16 @@ object Constant extends MdcLoggable {
     CAN_CREATE_CUSTOM_VIEW,
     CAN_DELETE_CUSTOM_VIEW,
     CAN_UPDATE_CUSTOM_VIEW,
-    CAN_GET_CUSTOM_VIEW
+    CAN_GET_CUSTOM_VIEW,
+    CAN_BYPASS_MAKER_CHECKER_SEPARATION,
+    CAN_ANSWER_TRANSACTION_REQUEST_CHALLENGE
   )
 
   final val SYSTEM_INITIATE_PAYMENTS_BERLIN_GROUP_PERMISSION = List(
     CAN_ADD_TRANSACTION_REQUEST_TO_ANY_ACCOUNT,
-    CAN_ADD_TRANSACTION_REQUEST_TO_BENEFICIARY
+    CAN_ADD_TRANSACTION_REQUEST_TO_BENEFICIARY,
+    CAN_BYPASS_MAKER_CHECKER_SEPARATION,
+    CAN_ANSWER_TRANSACTION_REQUEST_CHALLENGE
   )
 
   final val SYSTEM_PUBLIC_VIEW_PERMISSION = List(
@@ -563,7 +571,9 @@ object Constant extends MdcLoggable {
     CAN_SEE_OTHER_ACCOUNT_ROUTING_SCHEME,
     CAN_SEE_OTHER_ACCOUNT_ROUTING_ADDRESS,
     CAN_SEE_TRANSACTION_STATUS,
-    CAN_ADD_TRANSACTION_REQUEST_TO_OWN_ACCOUNT
+    CAN_ADD_TRANSACTION_REQUEST_TO_OWN_ACCOUNT,
+    CAN_BYPASS_MAKER_CHECKER_SEPARATION,
+    CAN_ANSWER_TRANSACTION_REQUEST_CHALLENGE
   )
 
   final val ALL_VIEW_PERMISSION_NAMES = List(
@@ -660,6 +670,8 @@ object Constant extends MdcLoggable {
     CAN_ADD_TRANSACTION_REQUEST_TO_BENEFICIARY,
     CAN_GRANT_ACCESS_TO_VIEWS,
     CAN_REVOKE_ACCESS_TO_VIEWS,
+    CAN_BYPASS_MAKER_CHECKER_SEPARATION,
+    CAN_ANSWER_TRANSACTION_REQUEST_CHALLENGE,
   )
 
 

diff --git a/obp-api/src/main/scala/code/api/util/ApiRole.scala b/obp-api/src/main/scala/code/api/util/ApiRole.scala
@@ -774,6 +774,36 @@ object ApiRole extends MdcLoggable{
   case class CanExecuteAbacRule(requiresBankId: Boolean = false) extends ApiRole
   lazy val canExecuteAbacRule = CanExecuteAbacRule()
 
+  // Mandate roles (bank-level)
+  case class CanCreateMandate(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canCreateMandate = CanCreateMandate()
+  case class CanGetMandate(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canGetMandate = CanGetMandate()
+  case class CanUpdateMandate(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canUpdateMandate = CanUpdateMandate()
+  case class CanDeleteMandate(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canDeleteMandate = CanDeleteMandate()
+
+  // Mandate Provision roles (bank-level)
+  case class CanCreateMandateProvision(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canCreateMandateProvision = CanCreateMandateProvision()
+  case class CanGetMandateProvision(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canGetMandateProvision = CanGetMandateProvision()
+  case class CanUpdateMandateProvision(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canUpdateMandateProvision = CanUpdateMandateProvision()
+  case class CanDeleteMandateProvision(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canDeleteMandateProvision = CanDeleteMandateProvision()
+
+  // Signatory Panel roles (bank-level)
+  case class CanCreateSignatoryPanel(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canCreateSignatoryPanel = CanCreateSignatoryPanel()
+  case class CanGetSignatoryPanel(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canGetSignatoryPanel = CanGetSignatoryPanel()
+  case class CanUpdateSignatoryPanel(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canUpdateSignatoryPanel = CanUpdateSignatoryPanel()
+  case class CanDeleteSignatoryPanel(requiresBankId: Boolean = true) extends ApiRole
+  lazy val canDeleteSignatoryPanel = CanDeleteSignatoryPanel()
+
   case class CanGetSystemLevelDynamicEntities(requiresBankId: Boolean = false) extends ApiRole
   lazy val canGetSystemLevelDynamicEntities = CanGetSystemLevelDynamicEntities()
 
@@ -783,6 +813,9 @@ object ApiRole extends MdcLoggable{
   case class CanCreateBankLevelDynamicEntity(requiresBankId: Boolean = true) extends ApiRole
   lazy val canCreateBankLevelDynamicEntity = CanCreateBankLevelDynamicEntity()
 
+  case class CanCreateAnyBankLevelDynamicEntity(requiresBankId: Boolean = false) extends ApiRole
+  lazy val canCreateAnyBankLevelDynamicEntity = CanCreateAnyBankLevelDynamicEntity()
+
   case class CanUpdateSystemLevelDynamicEntity(requiresBankId: Boolean = false) extends ApiRole
   lazy val canUpdateSystemDynamicEntity = CanUpdateSystemLevelDynamicEntity()
 
@@ -807,6 +840,9 @@ object ApiRole extends MdcLoggable{
   case class CanGetBankLevelDynamicEntities(requiresBankId: Boolean = true) extends ApiRole
   lazy val canGetBankLevelDynamicEntities = CanGetBankLevelDynamicEntities()
 
+  case class CanGetAnyBankLevelDynamicEntities(requiresBankId: Boolean = false) extends ApiRole
+  lazy val canGetAnyBankLevelDynamicEntities = CanGetAnyBankLevelDynamicEntities()
+
   case class CanGetDynamicEntityDiagnostics(requiresBankId: Boolean = false) extends ApiRole
   lazy val canGetDynamicEntityDiagnostics = CanGetDynamicEntityDiagnostics()
 

diff --git a/obp-api/src/main/scala/code/api/util/ApiTag.scala b/obp-api/src/main/scala/code/api/util/ApiTag.scala
@@ -45,6 +45,7 @@ object ApiTag {
   val apiTagEntitlement = ResourceDocTag("Entitlement")
   val apiTagRole = ResourceDocTag("Role")
   val apiTagABAC = ResourceDocTag("ABAC")
+  val apiTagMandate = ResourceDocTag("Mandate")
   val apiTagScope = ResourceDocTag("Scope")
   val apiTagOwnerRequired = ResourceDocTag("OwnerViewRequired")
   val apiTagCounterparty = ResourceDocTag("Counterparty")

diff --git a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@@ -572,6 +572,7 @@ object ErrorMessages {
   val AccountAccessRequestCannotBeCreated = "OBP-30277: Account Access Request could not be created."
   val AccountAccessRequestStatusNotInitiated = "OBP-30278: Account Access Request status is not INITIATED. Only INITIATED requests can be approved or rejected."
   val MakerCheckerSameUser = "OBP-30279: The checker (approver/rejecter) cannot be the same user as the maker (requestor). Maker/Checker separation is required."
+  val MakerCheckerUnknownMaker = "OBP-30283: Maker/Checker separation is required for this view but the Transaction Request has no user_id (maker) recorded. Cannot verify separation."
   val BusinessJustificationRequired = "OBP-30280: Business justification is required."
   val CheckerCommentRequiredForRejection = "OBP-30281: A comment is required when rejecting an Account Access Request."
   val AccountAccessRequestCannotBeUpdated = "OBP-30282: Account Access Request could not be updated."

diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala
@@ -2956,7 +2956,7 @@ object Glossary extends MdcLoggable  {
 |Berlin Group consents with status "received" that remain unfinished (e.g. the PSU never completed the SCA flow) beyond a configured time threshold are automatically rejected.
 |
 |* `berlin_group_outdated_consents_time_in_seconds` - Time in seconds after which an unfinished consent is considered outdated. Default: **300** (5 minutes).
-|* `berlin_group_outdated_consents_interval_in_seconds` - How often (in seconds) the scheduler checks for outdated consents. Must be set to a value greater than 0 to enable the task. **Not set by default** (task is disabled).
+|* `berlin_group_outdated_consents_interval_in_seconds` - How often (in seconds) the scheduler checks for outdated consents. Default: **599**. Set to 0 to disable.
 |
 |Example:
 |
@@ -2967,13 +2967,16 @@ object Glossary extends MdcLoggable  {
 |## Expired Consents
 |
 |Berlin Group consents with status "valid" whose `validUntil` date has passed are automatically transitioned to "expired" status.
+|OBP consents with status "ACCEPTED" whose `validUntil` date has passed are automatically transitioned to "EXPIRED" status.
 |
-|* `berlin_group_expired_consents_interval_in_seconds` - How often (in seconds) the scheduler checks for expired consents. Must be set to a value greater than 0 to enable the task. **Not set by default** (task is disabled).
+|* `berlin_group_expired_consents_interval_in_seconds` - How often (in seconds) the scheduler checks for expired Berlin Group consents. Default: **597**. Set to 0 to disable.
+|* `obp_expired_consents_interval_in_seconds` - How often (in seconds) the scheduler checks for expired OBP consents. Default: **595**. Set to 0 to disable.
 |
 |Example:
 |
 |    # Check for expired consents every 120 seconds
 |    berlin_group_expired_consents_interval_in_seconds = 120
+|    obp_expired_consents_interval_in_seconds = 120
 |
  """)
 
@@ -5251,6 +5254,72 @@ object Glossary extends MdcLoggable  {
 				 |
 """)
 
+	glossaryItems += GlossaryItem(
+		title = "Mandates",
+		description =
+			s"""
+				 |# Mandates
+				 |
+				 |## Overview
+				 |
+				 |A Mandate is a formal agreement between a corporate customer and a bank that defines who can operate an account, what they can do, and under what conditions.
+				 |
+				 |In OBP, a Mandate is an entity that ties together existing authorisation constructs (Views, ABAC Rules, Challenges) into a single, auditable policy document.
+				 |
+				 |## Structure
+				 |
+				 |A Mandate has three parts:
+				 |
+				 |### 1. Mandate
+				 |
+				 |The top-level container. It is linked to a bank account and a corporate customer, and holds the legal text, status (ACTIVE, SUSPENDED, EXPIRED, DRAFT), and validity period.
+				 |
+				 |### 2. Mandate Provisions
+				 |
+				 |Each provision maps a clause of the mandate to an OBP enforcement mechanism. Provision types:
+				 |
+				 |- **SIGNATORY_RULE** — defines who can sign and in what combination (e.g., "2 from Panel A" or "1 from Panel A and 1 from Panel B")
+				 |- **VIEW_ASSIGNMENT** — links a Signatory Panel to a View, controlling what members of that panel can see and do
+				 |- **ABAC_CONDITION** — links to an ABAC rule for attribute-based conditions (e.g., department matching, amount limits)
+				 |- **RESTRICTION** — a negative rule that blocks certain operations (e.g., no international payments)
+				 |- **NOTIFICATION** — triggers a notification rather than blocking (e.g., alert CFO for payments over a threshold)
+				 |
+				 |Provisions can specify conditions (e.g., amount thresholds, currency), link to a View, an ABAC Rule, and/or a Challenge type.
+				 |
+				 |### 3. Signatory Panels
+				 |
+				 |A Signatory Panel is a named set of users who are authorised to act under the mandate. For example:
+				 |
+				 |- Panel A: Directors (user-1, user-2, user-3)
+				 |- Panel B: Finance team (user-4, user-5)
+				 |
+				 |Provisions reference panels by ID and specify how many signatories are required from each panel.
+				 |
+				 |## How it connects to existing OBP features
+				 |
+				 |- **Views** control what each panel member can see and do on the account (e.g., canSeeTransactionAmount, canAddTransactionRequestToBeneficiary)
+				 |- **ABAC Rules** provide attribute-based conditions evaluated at runtime (e.g., user department must match account business unit)
+				 |- **Challenges / Maker-Checker** enforce signatory requirements. A provision can require multiple challenges answered by different users from specified panels
+				 |- **Corporate Customers** (CORPORATE / SUBSIDIARY types with parent-child hierarchy) represent the legal entities that mandates apply to
+				 |
+				 |## Example
+				 |
+				 |ACME Corp has a mandate on their operating account:
+				 |
+				 |1. Panel A (Directors): user-1, user-2, user-3
+				 |2. Panel B (Finance): user-4, user-5
+				 |3. Provision: payments < 5,000 EUR require 1 signature from Panel A
+				 |4. Provision: payments 5,000-50,000 EUR require 2 signatures from Panel A
+				 |5. Provision: payments > 50,000 EUR require 1 from Panel A and 1 from Panel B
+				 |
+				 |## API Endpoints
+				 |
+				 |Mandates, Provisions, and Signatory Panels each have CRUD endpoints under the Mandate tag.
+				 |
+				 |All endpoints require bank-level roles (e.g., CanCreateMandate, CanGetMandateProvision, CanUpdateSignatoryPanel).
+				 |
+""")
+
 	///////////////////////////////////////////////////////////////////
 	// NOTE! Some glossary items are generated in ExampleValue.scala
 //////////////////////////////////////////////////////////////////

diff --git a/obp-api/src/main/scala/code/api/util/NewStyle.scala b/obp-api/src/main/scala/code/api/util/NewStyle.scala
@@ -41,7 +41,10 @@
 import code.util.Helper
 import code.util.Helper.MdcLoggable
 import code.validation.{JsonSchemaValidationProvider, JsonValidation}
+import code.transactionChallenge.Challenges
+import code.transactionrequests.TransactionRequests
 import code.views.Views
+import code.views.system.ViewPermission
 import code.webhook.AccountWebhook
 import com.github.dwickern.macros.NameOf.nameOf
 import com.openbankproject.commons.dto.{CustomerAndAttribute, GetProductsParam, ProductCollectionItemsTree}
@@ -546,6 +549,73 @@
       }
     }
 
+    def checkMakerCheckerForTransactionRequest(
+      bankId: BankId,
+      accountId: AccountId,
+      viewId: ViewId,
+      transactionRequestId: TransactionRequestId,
+      challengeId: String,
+      checkerUserId: String,
+      callContext: Option[CallContext]
+    ): Future[Boolean] = {
+      Future {
+        // Check if the view has the can_bypass_maker_checker_separation permission
+        val permissionName = Constant.CAN_BYPASS_MAKER_CHECKER_SEPARATION
+        val hasPermission = Views.views.vend.customView(viewId, BankIdAccountId(bankId, accountId)) match {
+          case Full(view) => ViewPermission.findViewPermission(view, permissionName).isDefined
+          case _ => Views.views.vend.systemView(viewId) match {
+            case Full(view) => ViewPermission.findViewPermission(view, permissionName).isDefined
+            case _ => false
+          }
+        }
+
+        // If the view has can_bypass_maker_checker_separation, no check needed
+        if (hasPermission) {
+          Full(true)
+        } else {
+          // Maker-checker is required — get the TR
+          val transactionRequest = TransactionRequests.transactionRequestProvider.vend
+            .getTransactionRequest(transactionRequestId)
+
+          transactionRequest match {
+            case Full(tr) =>
+              tr.user_id match {
+                case None | Some("") =>
+                  Failure(MakerCheckerUnknownMaker)
+                case Some(makerUserId) if makerUserId == checkerUserId =>
+                  // Same user as maker — check if this is a multi-challenge scenario
+                  // where the user is answering their own assigned SCA challenge
+                  val challenges = Challenges.ChallengeProvider.vend
+                    .getChallengesByTransactionRequestId(transactionRequestId.value)
+                  challenges match {
+                    case Full(challengeList) if challengeList.size > 1 =>
+                      // Multiple challenges: allow if this specific challenge is assigned to the checker
+                      val isOwnChallenge = challengeList.exists(c =>
+                        c.challengeId == challengeId && c.expectedUserId == checkerUserId
+                      )
+                      if (isOwnChallenge) Full(true)
+                      else Failure(MakerCheckerSameUser)
+                    case _ =>
+                      // Single challenge or no challenges found: block same user
+                      Failure(MakerCheckerSameUser)
+                  }
+                case _ =>
+                  tr.on_behalf_of_user_id match {
+                    case Some(onBehalfOfUserId) if onBehalfOfUserId.nonEmpty && onBehalfOfUserId == checkerUserId =>
+                      Failure(MakerCheckerSameUser)
+                    case _ =>
+                      Full(true)
+                  }
+              }
+            case _ =>
+              Failure(s"$InvalidTransactionRequestId Current TransactionRequestId($transactionRequestId)")
+          }
+        }
+      } map {
+        unboxFullOrFail(_, callContext, "Maker/Checker check failed")
+      }
+    }
+
     def getConsumerByConsumerId(consumerId: String, callContext: Option[CallContext]): Future[Consumer] = {
       Consumers.consumers.vend.getConsumerByConsumerIdFuture(consumerId) map {
         unboxFullOrFail(_, callContext, s"$ConsumerNotFoundByConsumerId Current ConsumerId is $consumerId", 404)
@@ -1269,15 +1339,39 @@
       }
     }
 
-    def validateChallengeAnswer(challengeId: String, suppliedAnswer: String, suppliedAnswerType:SuppliedAnswerType.Value,  callContext: Option[CallContext]): OBPReturnType[Boolean] = 
+    def validateChallengeAnswer(challengeId: String, suppliedAnswer: String, suppliedAnswerType:SuppliedAnswerType.Value,  callContext: Option[CallContext]): OBPReturnType[Boolean] =
      Connector.connector.vend.validateChallengeAnswerV2(challengeId, suppliedAnswer, suppliedAnswerType, callContext) map { i =>
        (unboxFullOrFail(i._1, callContext, s"${
          InvalidChallengeAnswer
           .replace("answer may be expired.", s"answer may be expired (${transactionRequestChallengeTtl} seconds).")
           .replace("up your allowed attempts.", s"up your allowed attempts (${allowedAnswerTransactionRequestChallengeAttempts} times).")
        }"), i._2)
       }
 
+    /**
+     * Validate a challenge answer without checking the userId.
+     * Used when a checker (different user) answers a challenge that was assigned to the maker,
+     * in the single-challenge maker-checker scenario. The maker-checker check has already
+     * verified this user is allowed to answer.
+     */
+    def validateChallengeAnswerWithoutUserIdCheck(
+      challengeId: String,
+      suppliedAnswer: String,
+      suppliedAnswerType: SuppliedAnswerType.Value,
+      callContext: Option[CallContext]
+    ): OBPReturnType[Boolean] = {
+      Future {
+        val result = Challenges.ChallengeProvider.vend.validateChallenge(challengeId, suppliedAnswer, None)
+        (Full(result.isDefined), callContext)
+      } map { i =>
+        (unboxFullOrFail(i._1, callContext, s"${
+          InvalidChallengeAnswer
+            .replace("answer may be expired.", s"answer may be expired (${transactionRequestChallengeTtl} seconds).")
+            .replace("up your allowed attempts.", s"up your allowed attempts (${allowedAnswerTransactionRequestChallengeAttempts} times).")
+        }"), i._2)
+      }
+    }
+
     def allChallengesSuccessfullyAnswered(
       bankId: BankId,
       accountId: AccountId,