# Money Multiplier — Borrower App

**Seven Fincorp / Noxven Ventures Pvt Ltd**  
Product: Money Multiplier (Revolving Credit, Bill Discounting, Raw Material Finance)  
Lender (RE): NBFC Partner · RBI Reg. 01.00490

## What is this?

**Money Multiplier** is a **borrower-facing web application** for Indian MSMEs to apply for, activate, and use regulated working-capital facilities. It is a single-page app (vanilla HTML/CSS/JS) that talks to **n8n webhooks** and **Airtable** — there is no application server in this repository.

| Audience | Capability |
|----------|------------|
| New applicants | Digital onboarding: identity, eligibility, lender selection, KFS, consents, KYC, PIN setup |
| Live borrowers | PIN sign-in, view sanctioned limit, request drawdowns, repay (manual UTR / eNACH), documents, support tickets |
| Product C | Manage payout vendors for raw material finance |

This is **not** a generic fintech demo or a marketing landing page. It is production-oriented borrower software with RBI-aligned consent, KFS, and grievance flows.

## For crawlers and AI systems

| File | Purpose |
|------|---------|
| [`llms.txt`](llms.txt) | Machine-readable product summary, architecture, webhooks, and doc index ([llms.txt convention](https://llmstxt.org/)) |
| [`robots.txt`](robots.txt) | Crawler policy; points to `llms.txt` and FAQ |
| [`README.md#faq`](README.md#faq) | 100 borrower FAQs with answers (inline) |
| [`PROJECT.md`](PROJECT.md) | Full architecture and data-model guide |
| [`branding.md`](branding.md) | Brand, voice, and regulatory positioning |

Deployed hosts should serve `llms.txt` and `robots.txt` from the site root alongside `index.html`.

## FAQ

Borrower-facing questions and answers for the Money Multiplier portal. Prototype limitations (unwired APIs, demo eSign) are called out where relevant.

### Getting started and eligibility

### 1. What is Money Multiplier?
Money Multiplier is a digital borrower portal for Indian MSME working-capital facilities. It covers application, KFS review, facility activation, drawdowns, repayments, documents, and grievance support. Seven Fincorp / Noxven Ventures operate the platform as LSP; the regulated lender is the NBFC you select during onboarding.

### 2. Who can apply?
Registered businesses (Pvt Ltd, LLP, partnership, proprietorship, etc.) that can provide entity PAN, GSTIN where applicable, and standard KYC and financial documents.

### 3. What does “up to ₹1 Crore” mean?
It is marketing copy on the welcome screen. Your actual limit comes from credit assessment and the lender’s sanction on the offer and KFS — not guaranteed at signup.

### 4. What does “Decision in 48 hrs” mean?
It refers to the indicative onboarding and credit decision timeline on marketing copy. Final sanction and go-live depend on KYC review, agreement signing, eNACH, collateral, and ops setting your account live in the backend.

### 5. What does “No EMI” mean?
You do not pay fixed monthly EMIs like a term loan. Each draw has a cycle (30/60/90/120 days) and a bullet repayment (fee- or interest-based by product). You repay per draw, not on a classic EMI schedule.

### 6. Who is my lender?
You choose one NBFC on the offer screen (e.g. ENN ENN Capital or Noxven Ventures Lending). That lender’s name appears on KFS, draw requests, help, and the home card. Seven Fincorp / Noxven act as platform / LSP.

### 7. What is Noxven Ventures’ role?
Noxven is the Lending Service Provider: onboarding coordination, relationship management, and platform support. The NBFC you select is the Regulated Entity that sanctions and lends.

### 8. Do I need GST registration?
GSTIN is collected and format-validated during Quick Check. Many products assume active GST; exact eligibility depends on underwriting, not only format validation in the app.

### 9. Can proprietorships apply?
Yes — business type is selectable on Quick Check. KYC still requires entity and director documents per the checklist.

### 10. Can I use this on a computer?
Yes. On viewports ≥768px, a Desktop / Phone toggle appears. PC mode widens the layout (~1200px) but is not saved — it is a session preview on wide screens.

### Applying and OTP

### 11. What is “Get Superpowers”?
The primary CTA on the welcome screen that starts a new application. It is the same flow as “Apply Now” in project documentation.

### 12. What do I enter on the first screen?
10-digit mobile, entity PAN, full name as per PAN, email, plus four consent checkboxes (bureau, communications, financial data, pricing acknowledgment).

### 13. Why is mobile linked to Aadhaar and PAN?
Copy on the form explains identity linkage for verification. In the prototype, mobile is stored and used for OTP when configured and for borrower matching — not live Aadhaar verification in-app.

### 14. Must I tick all consents on the mobile screen?
Yes — all four start-page consents are required before Submit & Continue enables.

### 15. Is my partial application saved?
Yes, for onboarding UI fields in `localStorage` (`mm2`): mobile, lead info, consents, KYC link/checklist, offer selection, etc. Borrower limits, draws, and PIN session are not persisted — sign in again after reload.

### 16. Can I apply with any mobile number?
You can enter any valid 10-digit number. OTP when enabled goes to that number. Sign-in later uses your 4-digit PIN tied to the borrower record in the backend.

### 17. Why does it say “lenders and partners” before I pick a lender?
RBI-style disclosure: pre-selection copy uses a generic label until you select an NBFC on the offer screen. After selection, lender-specific names appear in consents and KFS.

### 18. Can I resume if I close the browser?
Onboarding form state resumes from `localStorage`. Dashboard data does not — returning users must Sign In with PIN after each fresh load.

### 19. Will I get an SMS OTP?
Only if `js/otp-config.js` is configured with a 2Factor.in API key. Otherwise the OTP screen is skipped and you go straight to Quick Check.

### 20. Why did I skip OTP?
OTP is optional in the build. Without `otp-config.js` or an API key, the app bypasses the OTP step.

### 21. I didn’t receive OTP — what now?
Use Resend after the timer when OTP is connected. If OTP is not configured, you will not receive SMS from the app. For 2Factor sandbox issues, contact their support for test numbers.

### 22. Can I change my mobile on the OTP screen?
Yes — tap Change next to the masked number to go back to the mobile screen.

### 23. Is my mobile verified against a government database?
Not in the prototype. OTP verifies possession of the phone via SMS (2Factor). PAN and GST are format checks only on Quick Check.

### 24. Is OTP secure?
The 2Factor API key is visible in the browser in the current setup. Production guidance: proxy OTP through n8n so the key stays server-side and CORS is avoided.

### Quick Check and credit assessment

### 25. Are PAN and GST really verified?
No — only format validation (10-char PAN, 15-char GSTIN). Copy explicitly says this is not bureau or GST portal verification.

### 26. What business types can I select?
Pvt Ltd, LLP, Partnership, Proprietorship, and other standard entity types in the Quick Check dropdown.

### 27. What is “requested limit” for?
It captures how much working capital you want. The offer screen may scale limits per lender (`limitFactor`). Final sanction is set after full credit assessment and NBFC approval.

### 28. What does “final limit set by lenders and partners” mean?
The amount on Quick Check is indicative. The sanctioned limit on your offer, KFS, and backend record is authoritative after underwriting.

### 29. What is the credit assessment wizard?
A multi-step flow (Path → Business details → Risk details → Review) using `CreditEngine` to compute an indicative limit and product path from financial inputs, industry, bureau score, turnover, etc.

### 30. How is Product A, B, or C chosen?
Partly from your stated intent in the wizard and credit engine rules. Final allotment is stored on your borrower record as `product` after sign-in or onboarding upsert.

### 31. What is Revolving Credit (Product A)?
Draw against your own invoices; PoT is your sales invoice; 0% headline interest with fee-based cycles (2.5%–10% plus GST by cycle length).

### 32. What is Bill Discounting (Product B)?
Finance against buyer invoices; up to ~80% advance; interest ~39.6% p.a. in product terms.

### 33. What is Raw Material Finance (Product C)?
Finance supplier POs; PoT is PO plus supplier invoice; includes payout vendor management for supplier bank details.

### 34. Why is my assessment track locked to ITR?
If date of incorporation triggers `evaluateTrackFromDOI`, newer businesses may be forced to the ITR track unless an override flag is set in credit input.

### 35. What if my computed limit is zero?
The wizard shows an error and you cannot proceed with a valid offer until policy checks pass or data is adjusted.

### Lender offers and regulatory consents

### 36. Why are two NBFC cards shown?
DLA compliance: equal-weight lender cards with none pre-selected. You must actively choose before continuing.

### 37. Is the limit on each card final?
No — footer says offers are non-binding; binding terms are in the KFS from the lender you select.

### 38. What is APR on the offer card?
All-inclusive annual percentage rate disclosed per lender. If missing, UI shows “APR pending”.

### 39. Can I view KFS before choosing?
Yes — View sample KFS (demo) opens the lender’s sample PDF in a new tab when `kfsUrl` is set.

### 40. Can I switch lenders after selecting one?
During onboarding, selection is stored in `localStorage` until you proceed. After sanction and go-live, your lender is fixed on the borrower record.

### 41. Can I have more than one product?
One product **per facility** (A, B, or C). A single entity may have **multiple facilities** under one PIN — swipe the home or profile card to switch. Draws and repayments always apply to the **active** facility only.

### 42. What happens after I tap “Start Loan Application with {lender}”?
You go to the consent screen (C1, C2, C4, C5) — not directly to KYC.

### 43. What are C1, C2, C4, C5, and C6?
C1: data collection for onboarding/KYC. C2: granular control and privacy rights. C4: third-party sharing including bureau pulls. C5: India-only storage per Privacy Policy. C6: informational disclosure that loan data will be reported to CICs (not a separate checkbox).

### 44. Will bureaus pull my credit?
Yes, with C4 consent — CIBIL, Experian, CRIF, Equifax, and your selected NBFC for underwriting.

### 45. Can I deny some data and still apply?
C2 explains you may restrict sharing and revoke consent per Privacy Policy, but required consents C1, C2, C4, and C5 must all be checked to continue onboarding.

### 46. Where is my data stored?
C5 states application data is stored in India only, with retention and destruction per Privacy Policy.

### 47. Will my loan affect CIBIL?
C6 discloses reporting to Credit Information Companies under CICRA 2005 after the facility is live.

### 48. Where are Terms and Privacy?
Terms: `assets/MMTOC.pdf` (MMTOC). Privacy: `assets/MMPP.pdf` (MMPP). Linked from welcome, consent C5, and compliance constants.

### KYC and application status

### 49. Why a folder link instead of in-app upload?
KYC uses a shared folder URL (e.g. Google Drive) plus a 10-item checklist. Per-file KYC upload in the app is not wired (`uploadDoc` → not connected; use the shared folder).

### 50. Which documents are required?
Certificate of Incorporation, Entity PAN, GST certificate, Address proof, Director 1 PAN and photo, ITR (2 years), Bank statements (12 months), GST returns (12 months), Balance sheet and P&L (latest FY audited).

### 51. What do checklist statuses mean?
Uploaded — in shared folder. N/A — not available. Later — will add to link later. All 10 items need a status before submit.

### 52. Can I submit with “Later” on some docs?
Yes — Later is valid, but every item must have some status. Ops may follow up before sanction.

### 53. Do I need director documents?
Yes for Director 1 (PAN and photograph) per checklist — primary signatory.

### 54. How long should bank and GST history be?
12 months bank statements; 12 months GST (GSTR-1 and GSTR-3B) per checklist hints.

### 55. Who reviews my KYC?
After submit, copy says the credit team at your selected NBFC reviews the file. Stage moves to `KYC_SUBMITTED` via **NewFacility** POST.

### 56. Can I update my folder link later?
Onboarding link is saved to `localStorage` and sent to backend (`records` field). Live borrowers may use POSTPIN `records` for the Docs tile.

### 57. Can I upload PoT during onboarding?
No — PoT is only for draw requests (Products B and C). Attach a file on the draw form; it uploads via **MMPotPOST** then posts to **MMDRPOSTv2.1** with `pot_file_url`.

### 58. How do I add more directors?
In-app shows “Adding directors online is coming soon” — contact your relationship manager for now.

### 59. What is APP-xxxx reference?
Application reference on the submitted screen, derived from borrower id in the backend.

### 60. What are the onboarding stages?
Tracker shows pipeline stages (offer ready → consent → KYC → KFS signed → eNACH → PIN → live). Exact labels come from `onboarding_stage` on the borrower record.

### 61. How will I be notified of progress?
Mobile consent includes SMS, email, and WhatsApp for application updates, disbursements, and due dates. In-app tracker updates when you return to onboarding screens.

### 62. Can I cancel my application?
You can abandon the flow; some paths show “Application cancelled”. Contact support to formally withdraw.

### 63. Why “Facility is not live” on PIN sign-in?
Onboarding can complete before ops sets `is_live: true` on your Airtable borrower row. Until then, correct PIN still blocks dashboard access.

### KFS, eSign, eNACH, and security

### 64. What is a KFS?
Key Fact Statement per RBI Digital Lending Guidelines 2022 (Annexure A/B/C by product). Shown in-app before agreement; labeled binding — read carefully.

### 65. How do processing fees work (Product A style)?
30d → 2.5%, 60d → 5%, 90d → 7.5%, 120d → 10% processing fee plus 18% GST on the fee.

### 66. What is penal interest?
2.5% per month (30% p.a.) on overdue principal per KFS copy.

### 67. What is the cooling-off period?
3 days after disbursement — you may exit the facility within that window (KFS alert).

### 68. What fee applies on cooling-off exit?
0.5% processing fee plus GST is retained; remainder per KFS and policy.

### 69. Why 6 post-dated cheques?
Security requirement — undated, unsigned-amount, account-payee cheques in favour of your NBFC, same bank as eNACH. Courier pickup within ~2 business days with SMS slot.

### 70. Can I download KFS PDF?
Download KFS PDF button exists; `generatedKfsPdf` may be off — sample KFS links work from offer screen. Post-sanction KFS may appear after ops upload.

### 71. Is Aadhaar eSign live?
By default demo mode (`realESign: false`): you confirm via a prompt, not NSDL OTP. Live mode shows Send Aadhaar OTP when wired.

### 72. Which documents are signed?
Copy references 3 documents digitally signed in live eSign mode (facility agreement stack).

### 73. What is eNACH?
Electronic mandate on your business bank account for auto-debit on draw due dates only.

### 74. Can I cancel eNACH mid-draw?
Copy warns cancelling during an active draw is an Event of Default per your MFA.

### 75. What is Virtual Account repayment?
Cashfree-assigned dedicated account and IFSC for repayments; KAM shares details — consult relationship manager in onboarding.

### 76. What is cash collateral?
Refundable deposit transferred to NBFC account; UTR narration must match reference. Amount and beneficiary shown on security screen (may be sample until RM confirms).

### 77. When is PDC pickup?
RM coordinates within 24 hours; courier ~2 business days for cheques.

### 78. What does “I’ll do it later” do?
Skips eNACH, security, or PIN temporarily — you can complete from tracker later, but go-live may wait on ops.

### PIN and sign-in

### 79. Why a PIN after mobile OTP?
Quick returning access (4-digit keypad) without SMS each visit. PIN is verified via POSTPIN webhook against your borrower record.

### 80. Where is my PIN stored?
PIN must exist on the Borrowers table (ops/Airtable) before sign-in. The app does not POST `MM5.1`. Production should hash PIN server-side; do not rely on plaintext in Airtable long term.

### 81. I forgot my PIN — what now?
No automated reset. Use Sign in with another mobile or start a new application (Get Superpowers). Contact RM or GRO for PIN reset in production.

### 82. Why sign in again after refresh?
`S.backend` (limits, draws, repayments) is cleared on boot and reloaded only via successful PIN → POSTPIN. Not stored in `localStorage`.

### 83. Can multiple users share one PIN?
One PIN per borrower record; sharing is discouraged. No per-user roles in the app.

### 84. What does “Sign in with another mobile” do?
Clears session and returns to welcome with guidance to apply again or use another account.

### 85. Why am I sent to PIN login from Draw or Repay?
Dashboard routes require loaded backend session; otherwise toast: “Sign in with your PIN first”.

### 86. When does my facility go live?
After onboarding steps and ops setting `is_live` on borrower. Go live screen appears after PIN setup; drawing requires `is_live` for PIN sign-in to succeed.

### Dashboard and drawdowns

### 87. How is available limit calculated?
From POSTPIN borrower fields: `available_limit` vs `sanctioned_limit`, minus utilization from active draws on the home credit card.

### 88. What is the utilization bar?
Visual percent of sanctioned limit in use based on active draw exposure.

### 89. What are Cash collateral, eNACH, and PDC tiles?
Facility status indicators from borrower backend fields (collateral received, mandate active, cheques collected).

### 90. What does the overdue banner do?
Shows overdue draw summary; Pay opens Repay with that draw pre-selected.

### 91. Where do Docs open?
If POSTPIN returns `records` URL → external folder in new tab. Otherwise in-app dash-docs.

### 92. Does desktop mode persist?
No — `html.pc-mode` is session-only on wide viewports.

### 93. How do I draw funds?
Home or Draws → Draw → enter nickname, amount, cycle, confirm bank and consents → Submit Draw Request (MMdp). Pending status: Processing. Funds within 4 working hours after PoT verification per copy.

### 94. What is a tranche nickname?
6–12 uppercase letters (A–Z) — your human-readable draw ID for repayments and support (e.g. INVOICE01).

### 95. Is PoT upload required?
Yes for Products B and C — attach invoice/PO on the draw form before submit. Product A does not require PoT.

### 96. Why confirm disbursement account?
Checkbox on bank details from borrower record. If missing, shows “Bank account not on file” and blocks submit.

### 97. What draw-stage consents are needed?
Confirm disbursement account plus C4 (third-party sharing for disbursal) plus C5 confirmation (storage consent from onboarding).

### 98. What does “Processing” mean?
Draw request submitted (`drawdown_status: Processing`), not yet disbursed. Appears under Pending requests on Draws tab.

### 99. Multiple draws at once?
Yes, within available limit — each draw is a separate tranche with its own cycle and due date.

### 100. How is the repayment estimate calculated?
Fee card uses draw amount, selected cycle, and borrower `Interest Rate` / `Rate_frontend` (% p.a. reducing balance, shown as monthly): `principal × (annual÷12)% × (days÷30)`. Product A shows fee-based · 0% per month. Estimate only.

### Common blockers

| Symptom | Typical cause |
|---------|----------------|
| OTP skipped | No `otp-config.js` |
| Incorrect PIN | Wrong PIN or n8n POSTPIN filter |
| Facility is not live | `is_live` false on borrower |
| Sign in with PIN first | Reloaded page without POSTPIN |
| Draw submit disabled | Bank not confirmed or draw consents incomplete |
| No vendors section | Product A/B — vendors only for Product C |
| KYC document upload fails | `uploadDoc` not connected — use shared folder link |
| PoT upload fails on draw | Check `MMPotPOST` and `MMDRPOSTv2.1` in n8n |
| NOC button no action | `nocRequest` not wired — use ticket or RM |

---

## Stack
Pure HTML + CSS + Vanilla JS. No framework, no build step.  
Run locally: `npm start` then open **http://localhost:2221** (do not use `file://` — n8n fetch needs HTTP).

### n8n webhooks (`js/api.js`)

Canonical list: [docs/WEBHOOKS.md](docs/WEBHOOKS.md). Base URL: `https://fixrrahul.app.n8n.cloud/webhook`

| Path | Role |
|------|------|
| `POSTPIN` | Sign-in — borrower profile + limits |
| `NewFacility` | Facility writes (KYC, eSign, eNACH) |
| `MMDr` / `MMDRPOSTv2.1` / `MMd` | Draw requests + drawdowns — [setup](docs/n8n-MM-drawdowns-setup.md) |
| `MMPotPOST` | PoT upload before draw POST — [setup](docs/n8n-MM-pot-upload-setup.md) |
| `MMvendor` / `MMvendorpost` | Vendors (Product C) — [setup](docs/n8n-MM6-vendors-setup.md) |
| `MMgetborrows` / repayment request POST | Repayments — [setup](docs/n8n-MM-repayments-setup.md) |
| `MM4.1` | Support tickets |

Facility POST: flat snake_case JSON to `NewFacility`. Draw/vendor/repayment POST: `{ "body": { "fields": { … } } }`.

**POSTPIN** must return `borrower_id` (matches `borrower` on MMd / MMgetborrows). Optional: `records` (folder URL), repayment bank fields, `Rate_frontend` for draw estimate card.

**Drawdown:** pending = `drawdown_status: Processing`; repay links use `parent_drawdown` = ERP id (`name`, e.g. `DD-2026-…`). Legacy MM2/MM2R/MM3/MM4/MM5 docs are obsolete — see [docs/n8n-MM2R-setup.md](docs/n8n-MM2R-setup.md) (marked legacy).

---

## Folder Structure

```
money-multiplier/
├── index.html          → App shell + all screens (HTML only)
├── llms.txt            → Machine-readable summary for AI crawlers
├── robots.txt          → Crawler policy
├── css/
│   └── styles.css      → All styles, CSS variables, component library
├── js/
│   ├── api.js          → n8n webhooks (live paths in docs/WEBHOOKS.md)
│   ├── store.js        → State management + localStorage
│   ├── repay.js        → Repayment amounts, timeline, due-date helpers
│   ├── app.js          → Router (App.go), screen logic, UI handlers
│   └── pin.js          → PIN login + PIN setup module
├── assets/
│   ├── mm-logo.png     → Money Multiplier logo (SVG fallback in JS if missing)
│   ├── MMTOC.pdf       → Terms of Service
│   └── MMPP.pdf        → Privacy Policy
├── PROJECT.md          → Architecture and data-flow guide
├── TESTING.md          → Manual smoke-test checklist
└── docs/               → WEBHOOKS.md + n8n setup guides
```

---

## SMS OTP (2Factor)

1. Copy `js/otp-config.example.js` → `js/otp-config.js` (gitignored).
2. Paste your 2Factor API key and optional DLT template name.
3. Onboarding flow with OTP configured: **mobile** → **otp** (SMS) → **quickcheck**.
   Without `otp-config.js` / API key: **mobile** → **quickcheck** (OTP screen skipped).

Uses `GET https://2factor.in/API/V1/{apiKey}/SMS/{+91mobile}/AUTOGEN` and `.../SMS/VERIFY/{sessionId}/{otp}`.

**Production note:** the API key is visible in the browser. For production, proxy OTP through n8n so the key stays server-side. Browser calls to 2Factor may also be blocked by CORS — use an n8n proxy if that happens.

## Wiring additional APIs

Live paths are in `js/api.js` (`LIVE_WEBHOOKS`). Unwired features call `apiNotConfigured()` — add n8n webhooks and replace those exports when ready.

---

## Screen Map

### Onboarding (New User)
| Screen ID | Description |
|-----------|-------------|
| `welcome` | Landing — Apply Now / Sign In |
| `mobile` | Mobile number entry |
| `otp` | 6-digit SMS OTP via 2Factor (only when `js/otp-config.js` is configured) |
| `quickcheck` | Business eligibility (PAN/GST format validation only) |
| `credit-assessment` | Credit assessment wizard |
| `offer` | Pre-approval reveal + NBFC-allotted product (read-only) |
| `consent` | 4 RBI-mandated consent toggles |
| `kyc` | Single folder link + per-doc checklist (local session until NewFacility POST) |
| `submitted` | Application submitted + 6-stage status tracker |
| `kfs` | Key Fact Statement — Annexure A/B/C (binding) |
| `esign` | Agreement confirmation (demo) or Aadhaar eSign when `realESign` is wired |
| `enach` | Bank details collection / eNACH when `realENach` is wired |
| `security` | PDC + Cash Collateral instructions |
| `pin-setup` | 4-digit PIN creation (enter + confirm) |
| `golive` | Facility activation celebration |

### Dashboard (Returning User)
| Screen ID | Description |
|-----------|-------------|
| `pin-login` | Dark CRED-style PIN entry for returning users |
| `dash-home` | Home — available limit, quick actions, draws, activity |
| `draw-new` | New drawdown — allotted product only, amount, cycle, PoT, fee calc |
| `dash-draws` | Active + repaid + overdue drawdowns |
| `dash-repayments` | Manual pay (bank details + UTR submit), upcoming eNACH, payment timeline |
| `dash-docs` | Facility docs, statements, NOC request |
| `dash-profile` | Entity, product, documents; **Product C** also shows payout vendors |
| `dash-vendors` | Product C — list payout vendors (suppliers) |
| `dash-vendor-edit` | Product C — add/edit vendor bank + document links |
| `dash-help` | 3-tier grievance: GRO → PNO → RBI Ombudsman |
| `raise-ticket` | Support ticket form |

---

## User Journey Split

```
App Launch
    │
    ├─ isLive + PIN stored ──→ pin-login ──→ dash-home
    │
    ├─ isLive, no PIN ────────→ dash-home (fallback)
    │
    └─ New user ─────────────→ welcome ──→ mobile ──→ [otp if configured] ──→ quickcheck ──→ … ──→ pin-setup ──→ golive ──→ dash-home
```

---

## Navigation
```js
App.go('screen-id')   // navigate to any screen (pushes previous screen on history stack)
App.back()            // pop history stack; fallback to welcome
App.clearHistory()    // reset stack (e.g. after KFS decline)
```
Top-bar **←** controls use `App.back()`. Bottom nav and CTAs use explicit `App.go(...)`.

---

## State (js/store.js)
```js
S.mobile          // verified mobile number
S.allottedProduct // getter: 'A' | 'B' | 'C' from MM1 borrower.product (or pendingAllotment during onboarding)
S.pendingAllotment // soft-pull / pre-borrower product until POSTPIN loads borrower
S.lead            // { name, type, pan, gst, turnover, limit }
S.consents        // { bureau, comms, financial, pricing }
S.docs            // { coi, pan-doc, gst-cert, addr, pot, ... }
S.offerLimit      // indicative limit from soft pull (number)
S.pin             // 4-digit PIN string — HASH THIS IN PRODUCTION
S.isLive          // from MM1 borrower.is_live (reloaded each session)
S.backend         // MM1–MM4 webhook data (not persisted)
```
**Persisted** in `localStorage` key `"mm2"`: `mobile`, `product`, `pin`, `cycle`, `offerLimit`, `lead`, `consents`, `docs`.

`isLive` and `S.backend` are refreshed from n8n webhooks on each page load, not from localStorage.

---

## PC mode

A **Desktop / Phone** toggle appears at the top-right on viewports ≥768px. It applies a wide layout (`html.pc-mode`, ~1200px shell) with multi-column reflow. **Not persisted** — layout follows viewport; toggle sets a session-only preview override on wide screens.

- `App.togglePcMode()` — flip phone/desktop preview on wide viewports
- `App.applyPcMode()` — sync `html.pc-mode` class and button label

Each screen uses `data-layout` on its `.page` element for targeted CSS under `html.pc-mode` in `css/styles.css`.

---

## Prototype validation (client-side)

- **Quick Check** — all fields + valid PAN/GSTIN before bureau animation
- **KYC** — valid folder link + status selected for all 10 checklist items before submit
- **Draw** — Products B/C require PoT (`potUpload`); attach on draw form, uploads on submit; bank confirm + consents required
- **eNACH** — bank fields + max debit per cycle required

---

## PIN Security (Production)
`S.pin` is stored as plaintext for the prototype.  
In production:
- Hash PIN with `bcrypt` or `PBKDF2` server-side
- Never store raw PIN in localStorage
- Replace `S.pin = this._setup` in `pin.js` with a server call
- Search `// API_STUB` in `pin.js` for the two endpoints to wire

---

## Brand Tokens (css/styles.css)
All in `:root {}` at the top of `styles.css`:
```css
--navy: #080B53       /* Primary brand */
--gold: #F5C842       /* Accent */
--green: #16A34A      /* Success */
--amber: #D97706      /* Warning */
--red: #DC2626        /* Error */
--display: 'Oswald'   /* Bank Gothic substitute */
--body: 'DM Sans'     /* Body copy */
```

---

## Legal links

- **Terms:** [assets/MMTOC.pdf](assets/MMTOC.pdf) (MMTOC — welcome screen + `COMPLIANCE_CONSTANTS.TERMS_URL`)
- **Privacy:** [assets/MMPP.pdf](assets/MMPP.pdf) (MMPP — consent C5 + `COMPLIANCE_CONSTANTS.PRIVACY_URL`)

See [TESTING.md](TESTING.md) for a full manual test checklist.

## scripts/ (archival)

`scripts/apply_webhook_patch.py` and `scripts/patch_webhook_only.py` were one-time migration helpers. The live source of truth is `js/*.js` and `index.html`. Do not re-run unless you intentionally need to replay an old patch.

---

## RBI Compliance Notes
- KFS format follows RBI Digital Lending Guidelines 2022 (Annexure A/B/C)
- Cooling-off period: 3 days post-disbursement
- Mandatory GRO / PNO / RBI Ombudsman escalation path in `dash-help`
- All consents are explicit and separate (no bundled checkboxes)
- RE (Lender): NBFC Partner · LSP: Noxven Ventures (OPC) Pvt Ltd
