feat: Add CD001-Tools-002- Tools- Payment: add unit tests for payment…

[steadhac]

Add a full unit test suite for the payment tools layer — invoice retrieval for payment,
payment processing, vendor payment summaries, and agent notes management.

Bug-exposing tests document confirmed production defects: None inputs written as literal
"None", empty string payment_method accepted silently, misleading error message on update
failure, and AttributeError crash when invoice dates are null.

Prompt injection tests document the LLM attack surface via string fields — confirming
the code-level status check cannot be bypassed by urgency words or "APPROVED" keywords
in agent_notes, description, or invoice_number.

Tests follow the established pattern with:

• Title / Basically question / Steps / Expected Results / Impact
• Bug-exposing tests included for each confirmed production defect.

📁 Test Files
tests/unit/tools/test_payment.py

TestGetInvoiceForPayment

Test ID	Title
test_pay_get_001	get_invoice_for_payment returns invoice with vendor info
test_pay_get_002	get_invoice_for_payment raises ValueError when invoice not found
test_pay_get_003	get_invoice_for_payment enforces namespace isolation
test_pay_get_004	get_invoice_for_payment raises ValueError for invoice_id=0

TestProcessPayment

Test ID	Title
test_pay_proc_001	Approved invoice transitions to paid
test_pay_proc_002	Non-approved invoice raises ValueError
test_pay_proc_003	Missing invoice raises ValueError
test_pay_proc_004	Payment note appended to existing agent_notes
test_pay_proc_005	process_payment enforces namespace isolation
test_pay_proc_006	Already paid invoice cannot be paid again

TestGetVendorPaymentSummary

Test ID	Title
test_pay_sum_001	Returns summary with correct totals
test_pay_sum_002	Raises ValueError for missing vendor
test_pay_sum_003	Vendor with no invoices returns empty summary
test_pay_sum_004	get_vendor_payment_summary enforces namespace isolation
test_pay_sum_005	by_status amounts are correct across multiple invoices

TestUpdatePaymentAgentNotes

Test ID	Title
test_pay_notes_001	Notes appended with [Payments Agent] prefix
test_pay_notes_002	Raises ValueError for missing invoice
test_pay_notes_003	Sequential appends accumulate correctly
test_pay_notes_004	update_payment_agent_notes enforces namespace isolation

TestProcessPaymentBugs ⚠️

Test ID	Title
test_pay_proc_007 ⚠️	process_payment silently accepts payment_method=None — writes literal "None"
test_pay_proc_008 ⚠️	process_payment accepts empty string payment_method without validation
test_pay_proc_009 ⚠️	process_payment silently accepts payment_reference=None — writes literal "None"

TestUpdatePaymentAgentNotesBugs ⚠️

Test ID	Title
test_pay_notes_005 ⚠️	update_payment_agent_notes accepts agent_notes=None — writes "[Payments Agent] None"
test_pay_notes_006 ⚠️	Misleading error message on update failure — says "not found" when invoice exists

TestIntFieldEdgeCases

Test ID	Title
test_pay_type_001	get_invoice_for_payment raises ValueError for invoice_id=-1
test_pay_type_002	get_invoice_for_payment raises ValueError for invoice_id=2147483647
test_pay_type_003	get_vendor_payment_summary raises ValueError for vendor_id=-1
test_pay_type_004	get_vendor_payment_summary raises ValueError for vendor_id=0
test_pay_type_005	process_payment raises ValueError for invoice_id=-1
test_pay_type_006	update_payment_agent_notes raises ValueError for invoice_id=-1

TestStrFieldEdgeCases

Test ID	Title
test_pay_type_007	Whitespace-only payment_method accepted without validation
test_pay_type_008	Special characters in payment_reference stored as-is
test_pay_type_009	SQL injection string in agent_notes stored safely
test_pay_type_010	Unicode and emoji in agent_notes accepted
test_pay_type_011	Newlines in agent_notes stored intact
test_pay_type_012	Very long agent_notes accepted without truncation
test_pay_type_013	Whitespace-only agent_notes accepted without validation
test_pay_type_014	Very long payment_reference accepted without truncation

TestMissingInvoiceFields ⚠️

Test ID	Title
test_pay_field_001 ⚠️	get_invoice_for_payment crashes with AttributeError when invoice_date is None
test_pay_field_002 ⚠️	get_invoice_for_payment crashes with AttributeError when due_date is None
test_pay_field_003 ⚠️	process_payment raises ValueError when invoice status is None
test_pay_field_004	get_vendor_payment_summary returns None for missing invoice_number

TestPromptInjection 🔒

Test ID	Title
test_pay_inj_001	Urgency in agent_notes does not change invoice status
test_pay_inj_002	"APPROVED" keyword in notes does not bypass code-level status check
test_pay_inj_003	Injected notes returned verbatim by get_invoice_for_payment — LLM can read them
test_pay_inj_004	Urgency in invoice description does not bypass status check
test_pay_inj_005	"APPROVED" in invoice_number does not bypass status check
test_pay_inj_006	Multiple injections accumulate — attacker can build fake approval history

Related Bug Tickets
Bug_102, Bug_103, Bug_104, Bug_105, Bug_106, Bug_107, Bug_108