From bd7c3e9f733bd7906de413ffb659b46f6ccab983 Mon Sep 17 00:00:00 2001
From: EmmyKay0026 <kadiriemmanueloshio0026@gmail.com>
Date: Thu, 26 Mar 2026 18:40:45 +0100
Subject: [PATCH] feat(api): add invoice verification pipeline integration hook

---
 .gitignore                                |   5 +
 README.md                                 |  12 ++
 package-lock.json                         | 217 ++++++++++++++++------
 src/__tests__/invoiceVerification.test.js |  55 ++++++
 src/index.js                              |  22 ++-
 src/index.test.js                         |  11 ++
 src/services/invoiceVerification.js       |  66 +++++++
 7 files changed, 328 insertions(+), 60 deletions(-)
 create mode 100644 src/__tests__/invoiceVerification.test.js
 create mode 100644 src/services/invoiceVerification.js

diff --git a/.gitignore b/.gitignore
index e69de29b..261011e0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/node_modules
+/coverage
+.env
+test_output.txt
+.gitignore
\ No newline at end of file
diff --git a/README.md b/README.md
index a6ac2a39..056952ac 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,18 @@ The middleware authenticates the token against the `JWT_SECRET` environment vari
 
 ---
 
+## Invoice Verification Pipeline
+
+When setting up new invoices via `POST /api/invoices`, the system runs the payload through a strict verification hook (`src/services/invoiceVerification.js`).
+This pipeline performs fraud checks and business validations before the invoice is officially approved:
+- Assesses for strict type safety (e.g., positive numerical amounts, well-structured strings).
+- Validates data against predefined business logic rules (rejecting amounts above a global maximum, forcing manual review for threshold amounts).
+- Enforces security assumptions by checking payload content for common injection patterns (like XSS signatures in customer names).
+
+The resulting invoice maintains a verifiable status of `VERIFIED`, `REJECTED`, or `MANUAL_REVIEW`, as well as an associated `verificationReason` for failed or suspicious uploads.
+
+---
+
 ## Rate Limiting
 
 The API implements request throttling to prevent abuse:
diff --git a/package-lock.json b/package-lock.json
index 187d27a2..07e2d7b1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -73,13 +73,21 @@
         "node": ">=6.9.0"
       }
     },
+    "node_modules/@babel/compat-data/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
     "node_modules/@babel/core": {
       "version": "7.29.0",
       "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz",
       "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.29.0",
         "@babel/generator": "^7.29.0",
@@ -1823,7 +1831,6 @@
       "version": "8.16.0",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -2159,7 +2166,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.9.0",
         "caniuse-lite": "^1.0.30001759",
@@ -2184,6 +2190,11 @@
         "node-int64": "^0.4.0"
       }
     },
+    "node_modules/buffer-equal-constant-time": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
+      "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="
+    },
     "node_modules/buffer-from": {
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz",
@@ -2638,6 +2649,14 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/ecdsa-sig-formatter": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz",
+      "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==",
+      "dependencies": {
+        "safe-buffer": "^5.0.1"
+      }
+    },
     "node_modules/ee-first": {
       "version": "1.1.1",
       "license": "MIT"
@@ -2753,7 +2772,6 @@
       "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -4408,6 +4426,46 @@
         "node": ">=6"
       }
     },
+    "node_modules/jsonwebtoken": {
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.3.tgz",
+      "integrity": "sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g==",
+      "dependencies": {
+        "jws": "^4.0.1",
+        "lodash.includes": "^4.3.0",
+        "lodash.isboolean": "^3.0.3",
+        "lodash.isinteger": "^4.0.4",
+        "lodash.isnumber": "^3.0.3",
+        "lodash.isplainobject": "^4.0.6",
+        "lodash.isstring": "^4.0.1",
+        "lodash.once": "^4.0.0",
+        "ms": "^2.1.1",
+        "semver": "^7.5.4"
+      },
+      "engines": {
+        "node": ">=12",
+        "npm": ">=6"
+      }
+    },
+    "node_modules/jwa": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.1.tgz",
+      "integrity": "sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==",
+      "dependencies": {
+        "buffer-equal-constant-time": "^1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/jws": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz",
+      "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
+      "dependencies": {
+        "jwa": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
     "node_modules/keyv": {
       "version": "4.5.4",
       "dev": true,
@@ -4459,6 +4517,36 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/lodash.includes": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz",
+      "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w=="
+    },
+    "node_modules/lodash.isboolean": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz",
+      "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg=="
+    },
+    "node_modules/lodash.isinteger": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz",
+      "integrity": "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA=="
+    },
+    "node_modules/lodash.isnumber": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz",
+      "integrity": "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw=="
+    },
+    "node_modules/lodash.isplainobject": {
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz",
+      "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA=="
+    },
+    "node_modules/lodash.isstring": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz",
+      "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw=="
+    },
     "node_modules/lodash.merge": {
       "version": "4.6.2",
       "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
@@ -4466,6 +4554,11 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/lodash.once": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/lodash.once/-/lodash.once-4.1.1.tgz",
+      "integrity": "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg=="
+    },
     "node_modules/lru-cache": {
       "version": "10.4.3",
       "dev": true,
@@ -4979,39 +5072,6 @@
         "node": ">= 0.8.0"
       }
     },
-    "node_modules/prettier": {
-      "version": "3.8.1",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.1.tgz",
-      "integrity": "sha512-UOnG6LftzbdaHZcKoPFtOcCKztrQ57WkHDeRD9t/PTQtmT0NHSeWWepj6pS0z/N7+08BHFDQVUrfmfMRcZwbMg==",
-      "dev": true,
-      "license": "MIT",
-      "bin": {
-        "prettier": "bin/prettier.cjs"
-      },
-      "engines": {
-        "node": ">=14"
-      },
-      "funding": {
-        "url": "https://github.com/prettier/prettier?sponsor=1"
-      }
-    },
-    "node_modules/prettier-plugin-organize-imports": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/prettier-plugin-organize-imports/-/prettier-plugin-organize-imports-4.3.0.tgz",
-      "integrity": "sha512-FxFz0qFhyBsGdIsb697f/EkvHzi5SZOhWAjxcx2dLt+Q532bAlhswcXGYB1yzjZ69kW8UoadFBw7TyNwlq96Iw==",
-      "dev": true,
-      "license": "MIT",
-      "peerDependencies": {
-        "prettier": ">=2.0",
-        "typescript": ">=2.9",
-        "vue-tsc": "^2.1.0 || 3"
-      },
-      "peerDependenciesMeta": {
-        "vue-tsc": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/pretty-format": {
       "version": "30.3.0",
       "resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-30.3.0.tgz",
@@ -5173,6 +5233,25 @@
         "node": ">= 18"
       }
     },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
     "node_modules/safe-regex": {
       "version": "2.1.1",
       "dev": true,
@@ -5187,7 +5266,6 @@
     },
     "node_modules/semver": {
       "version": "7.7.4",
-      "dev": true,
       "license": "ISC",
       "bin": {
         "semver": "bin/semver.js"
@@ -5405,6 +5483,15 @@
         "node": ">=10"
       }
     },
+    "node_modules/stack-utils/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/stack-utils/node_modules/escape-string-regexp": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-2.0.0.tgz",
@@ -5419,6 +5506,18 @@
         "node": ">=10"
       }
     },
+    "node_modules/stack-utils/node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/statuses": {
       "version": "2.0.2",
       "license": "MIT",
@@ -5455,6 +5554,33 @@
         "node": ">=8"
       }
     },
+    "node_modules/string-length/node_modules/ansi-regex/node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/string-length/node_modules/ansi-regex/node_modules/strip-ansi": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
+      "dev": true,
+      "dependencies": {
+        "ansi-regex": "^6.2.2"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
+      }
+    },
     "node_modules/string-length/node_modules/strip-ansi": {
       "version": "6.0.1",
       "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
@@ -5721,21 +5847,6 @@
         "node": ">= 0.6"
       }
     },
-    "node_modules/typescript": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
-      "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "peer": true,
-      "bin": {
-        "tsc": "bin/tsc",
-        "tsserver": "bin/tsserver"
-      },
-      "engines": {
-        "node": ">=14.17"
-      }
-    },
     "node_modules/undici-types": {
       "version": "7.18.2",
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
diff --git a/src/__tests__/invoiceVerification.test.js b/src/__tests__/invoiceVerification.test.js
new file mode 100644
index 00000000..8e881eb6
--- /dev/null
+++ b/src/__tests__/invoiceVerification.test.js
@@ -0,0 +1,55 @@
+const { verifyInvoice } = require('../services/invoiceVerification');
+
+describe('Invoice Verification Service', () => {
+  it('should verify a valid invoice', async () => {
+    const payload = { amount: 5000, customer: 'Acme Corp' };
+    const result = await verifyInvoice(payload);
+    expect(result).toEqual({ status: 'VERIFIED' });
+  });
+
+  it('should reject if payload is not an object', async () => {
+    const result = await verifyInvoice(null);
+    expect(result).toEqual({ status: 'REJECTED', reason: 'Invalid payload structure' });
+    
+    const result2 = await verifyInvoice('string');
+    expect(result2).toEqual({ status: 'REJECTED', reason: 'Invalid payload structure' });
+  });
+
+  it('should reject invalid amount types', async () => {
+    const result = await verifyInvoice({ amount: '5000', customer: 'Acme Corp' });
+    expect(result).toEqual({ status: 'REJECTED', reason: 'Invalid amount: must be a positive number' });
+  });
+
+  it('should reject zero or negative amounts', async () => {
+    const resultZero = await verifyInvoice({ amount: 0, customer: 'Acme Corp' });
+    expect(resultZero).toEqual({ status: 'REJECTED', reason: 'Invalid amount: must be a positive number' });
+
+    const resultNegative = await verifyInvoice({ amount: -100, customer: 'Acme Corp' });
+    expect(resultNegative).toEqual({ status: 'REJECTED', reason: 'Invalid amount: must be a positive number' });
+  });
+
+  it('should reject invalid customer types', async () => {
+    const result = await verifyInvoice({ amount: 5000, customer: 12345 });
+    expect(result).toEqual({ status: 'REJECTED', reason: 'Invalid customer: must be a non-empty string' });
+  });
+
+  it('should reject empty customer string', async () => {
+    const result = await verifyInvoice({ amount: 5000, customer: '   ' });
+    expect(result).toEqual({ status: 'REJECTED', reason: 'Invalid customer: must be a non-empty string' });
+  });
+
+  it('should reject an amount exceeding the maximum allowed threshold', async () => {
+    const result = await verifyInvoice({ amount: 15000000, customer: 'Acme Corp' });
+    expect(result).toEqual({ status: 'REJECTED', reason: 'Amount exceeds maximum allowed threshold' });
+  });
+
+  it('should require manual review for high value invoices', async () => {
+    const result = await verifyInvoice({ amount: 1500000, customer: 'Acme Corp' });
+    expect(result).toEqual({ status: 'MANUAL_REVIEW', reason: 'High value invoice requires manual approval' });
+  });
+
+  it('should reject customers with suspicious characters (XSS/Injection)', async () => {
+    const result = await verifyInvoice({ amount: 5000, customer: 'Acme <script>' });
+    expect(result).toEqual({ status: 'REJECTED', reason: 'Suspicious characters detected in customer data' });
+  });
+});
diff --git a/src/index.js b/src/index.js
index 386adffe..50812fe6 100644
--- a/src/index.js
+++ b/src/index.js
@@ -4,13 +4,17 @@
  */
 
 require('dotenv').config();
+const express = require("express");
+const cors = require("cors");
 const { globalLimiter, sensitiveLimiter } = require('./middleware/rateLimit');
 const { authenticateToken } = require('./middleware/auth');
 
 const asyncHandler = require('./utils/asyncHandler');
 const errorHandler = require('./middleware/errorHandler');
 const { callSorobanContract } = require('./services/soroban');
+const { verifyInvoice } = require('./services/invoiceVerification');
 
+const app = express();
 const PORT = process.env.PORT || 3001;
 
 /**
@@ -69,8 +73,8 @@ app.get('/api', (req, res) => {
  */
 app.get('/api/invoices', (req, res) => {
   const includeDeleted = req.query.includeDeleted === 'true';
-  const filteredInvoices = includeDeleted 
-    ? invoices 
+  const filteredInvoices = includeDeleted
+    ? invoices
     : invoices.filter(inv => !inv.deletedAt);
 
   return res.json({
@@ -87,18 +91,22 @@ app.get('/api/invoices', (req, res) => {
  * @param {import('express').Response} res - The Express response object.
  * @returns {void}
  */
-app.post('/api/invoices', (req, res) => {
+app.post('/api/invoices', async (req, res) => {
   const { amount, customer } = req.body;
-  
-  if (!amount || !customer) {
+
+  if (amount === undefined || !customer) {
     return res.status(400).json({ error: 'Amount and customer are required' });
   }
 
+  // Run verification pipeline hook
+  const verificationResult = await verifyInvoice({ amount, customer });
+
   const newInvoice = {
     id: `inv_${Date.now()}_${Math.floor(Math.random() * 1000)}`,
     amount,
     customer,
-    status: 'pending_verification',
+    status: verificationResult.status,
+    verificationReason: verificationResult.reason || null,
     createdAt: new Date().toISOString(),
     deletedAt: null,
   };
@@ -195,7 +203,7 @@ app.get('/api/escrow/:invoiceId', async (req, res) => {
     };
 
     const data = await callSorobanContract(operation);
-    
+
     res.json({
       data,
       message: 'Escrow state read from Soroban contract via robust integration wrapper.',
diff --git a/src/index.test.js b/src/index.test.js
index dacb0838..6c92407a 100644
--- a/src/index.test.js
+++ b/src/index.test.js
@@ -30,9 +30,20 @@ describe('LiquiFact API', () => {
       expect(response.body.data).toHaveProperty('id');
       expect(response.body.data.amount).toBe(1000);
       expect(response.body.data.customer).toBe('Test Corp');
+      expect(response.body.data.status).toBe('VERIFIED');
       expect(response.body.data.deletedAt).toBeNull();
     });
 
+    it('POST /api/invoices - creates a rejected invoice if verification fails', async () => {
+      const response = await request(app)
+        .post('/api/invoices')
+        .send({ amount: -500, customer: 'Shady Corp' });
+      
+      expect(response.status).toBe(201);
+      expect(response.body.data.status).toBe('REJECTED');
+      expect(response.body.data.verificationReason).toBe('Invalid amount: must be a positive number');
+    });
+
     it('POST /api/invoices - fails if missing fields', async () => {
       const response = await request(app).post('/api/invoices').send({ amount: 1000 });
       expect(response.status).toBe(400);
diff --git a/src/services/invoiceVerification.js b/src/services/invoiceVerification.js
new file mode 100644
index 00000000..e9a68b42
--- /dev/null
+++ b/src/services/invoiceVerification.js
@@ -0,0 +1,66 @@
+/**
+ * Invoice Verification Service
+ * Handles fraud checks and business validation before invoice approval.
+ */
+
+/**
+ * Result of an invoice verification.
+ * @typedef {Object} VerificationResult
+ * @property {string} status - The resulting status: 'VERIFIED', 'REJECTED', or 'MANUAL_REVIEW'.
+ * @property {string} [reason] - The reason for rejection or manual review, if applicable.
+ */
+
+/**
+ * Validates an invoice for fraud and business rules.
+ * 
+ * Security Assumptions:
+ * - The input payload must be an object.
+ * - `amount` must be a strictly positive number.
+ * - `customer` must be a non-empty string avoiding potentially malicious injection patterns.
+ * 
+ * @param {Object} invoicePayload - The invoice data to verify.
+ * @param {number} invoicePayload.amount - The invoice amount in the system's base currency.
+ * @param {string} invoicePayload.customer - The customer identifier or name.
+ * @returns {Promise<VerificationResult>} Returns the verification status and optional reason.
+ */
+async function verifyInvoice(invoicePayload) {
+  if (!invoicePayload || typeof invoicePayload !== 'object') {
+    return { status: 'REJECTED', reason: 'Invalid payload structure' };
+  }
+
+  const { amount, customer } = invoicePayload;
+
+  // Security: strict type and value checks
+  if (typeof amount !== 'number' || Number.isNaN(amount) || amount <= 0) {
+    return { status: 'REJECTED', reason: 'Invalid amount: must be a positive number' };
+  }
+
+  if (typeof customer !== 'string' || customer.trim() === '') {
+    return { status: 'REJECTED', reason: 'Invalid customer: must be a non-empty string' };
+  }
+
+  // Business Validation: Fraud Check Example
+  // Reject absurdly high amounts automatically
+  if (amount > 10000000) {
+    return { status: 'REJECTED', reason: 'Amount exceeds maximum allowed threshold' };
+  }
+
+  // Business Validation: Manual Review Example
+  // Require manual review for high value invoices
+  if (amount >= 1000000) {
+    return { status: 'MANUAL_REVIEW', reason: 'High value invoice requires manual approval' };
+  }
+
+  // Security: Check for obvious injection patterns in customer string
+  const suspiciousPatterns = /[<>{}$]/;
+  if (suspiciousPatterns.test(customer)) {
+    return { status: 'REJECTED', reason: 'Suspicious characters detected in customer data' };
+  }
+
+  // Verification passed
+  return { status: 'VERIFIED' };
+}
+
+module.exports = {
+  verifyInvoice
+};