M18 Settings — firm profile + branches + banks
The firm-identity layer. One companies row holding legal name, address, CR, VAT TRN, contact details, brand colours, logo, stamp, signatures. Plus office branches (HQ + others) and bank accounts. Drives every PDF, every email, every audit report.
Settings landing
URL: /settings. Tile grid grouped by area:
- Firm profile — Company · Branches · Banks · Signatures · Logos & stamps
- Money — Currencies · VAT rates · Number sequences · Billing policy
- References — Holidays · Departments · Designations · Skills · Lookups
- Communication — Communication settings · Email templates · Email log · Notification preferences
- Documents — File Vault settings · File upload profiles · Document templates
- Security — Roles & Permissions · Active sessions · Vault audit log
- Modules — Dashboard & UX · M16 retention · M20 obligations · M11 billing policy
RBAC-filtered — settings tiles only render if user has the relevant permission.
Company Profile screen
URL: /settings/company. Tabbed:
Tab 1 · About
| company_name | Legal name (en + ar) |
| trade_name | If different from legal |
| cr_number | Oman 7-digit |
| vat_trn | OM1XXXXXXXXX |
| oaaa_registration_no | OAAA registration number |
| address (en + ar) | Full registered address |
| phone · email · website | Public contact |
| fiscal_year_end_month | 1-12 (default 12 = Dec) |
Plus an Invoice defaults card on this tab with default T&Cs textarea.
Tab 2 · Branding
- Logo upload — 40 KB cap, PNG/JPG/WebP. Mirrored to public/uploads/brand/logos.{ext} for survival
- Stamp upload — transparent PNG recommended. Same survival mirror
- Brand primary colour · secondary colour — drives email gradients + button accents
- Tagline — optional sub-line on PDFs
Tab 3 · Billing Policy
Three firm-wide toggles (chapter 9 of finance manual covers in depth):
- m11.auto_invoice_on_completion
- m11.require_job_completion_for_invoice
- m11.notify_on_completion
Tab 4 · Communication
Communication settings (chapter 16):
- SMTP fields (loaded from local.php if present)
- From-name / from-email
- Test mode + test recipient
- Queue + retry settings
- Signature HTML
Branches
URL: /settings/offices. Multi-location firms (HQ Muscat + branch Sohar + branch Salalah) track each:
- name · address (en + ar) · phone · email
- is_hq flag (only one)
- manager (employee picker)
- active flag
HQ branch's address is used on PDF letterheads by default. Per-job override possible.
Banks
URL: /settings/banks. Firm bank accounts that:
- Receive client payments (M11)
- Pay employee salaries (WPS / payroll)
- Reconcile in M12
Per-account fields:
- bank_name · account_holder_name · account_number · IBAN · SWIFT
- currency · is_primary · is_wps_eligible · is_active
- display_on_invoice_pdf flag (up to 2 shown on PDF footer)
Signatures
URL: /settings/signatures. Per-employee signature PNGs for sign-off + report rendering:
- employee_id (FK)
- signature image (transparent PNG, ~150-300px wide)
- active flag
Used by: M19 audit report PDF (engagement partner + EQCR), M11 invoice/receipt PDF (authorised signatory), M13 final settlement PDF (HR + finance + employee blocks).
Step-by-step — first-time firm setup
Settings → Company Profile → About
Fill all identity fields. CR + VAT TRN are critical for compliance.
Branding tab
Upload logo + stamp. Set primary + secondary colours matching firm brand.
Add HQ branch
Settings → Offices → New. is_hq=1.
Add bank accounts
Settings → Banks → New for each. Mark primary + WPS-eligible as needed.
Upload partner signatures
Settings → Signatures → upload per partner. Used in audit reports.
Test render
Create a draft test invoice → preview PDF. Verify logo · firm address · VAT TRN · bank details · signature placeholder all render.
Settings → Company Profile → upload firm logo. Now create any draft invoice → preview PDF. Logo renders top-left. Letterhead reflects the firm. Single biggest visual professionalism upgrade — takes 2 minutes.
Don't put the SMTP password in the DB via the Communication tab if local.php exists. The system shows a "Loaded from local.php" badge to indicate the source. Use the file pattern for production; the DB shows "•••••••" only.
The system mirrors logo + stamp uploads to public/uploads/brand/ as well as the canonical storage path. If antivirus or git-clean wipes storage/, the public mirror still serves. The DB column is never auto-nulled (a previous bug we fixed).
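An added example (not the application's own code): one way to enforce the Branding tab's 40 KB cap and PNG/JPG/WebP rule before a logo is mirrored into the web-served public/uploads/brand/ directory, taking the extension from the file's leading bytes rather than from the client filename. The function and constant names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: names below are hypothetical, not the application's own API.
const LOGO_MAX_BYTES = 40 * 1024; // the 40 KB cap stated for logo uploads

/**
 * Returns the extension to store the logo under ('png', 'jpg' or 'webp'),
 * chosen from the file's leading bytes, or throws if the upload is rejected.
 */
function detectLogoExtension(string $bytes): string
{
    if ($bytes === '' || strlen($bytes) > LOGO_MAX_BYTES) {
        throw new InvalidArgumentException('Logo is empty or exceeds the 40 KB cap');
    }
    if (strncmp($bytes, "\x89PNG\r\n\x1a\n", 8) === 0) {
        return 'png';
    }
    if (strncmp($bytes, "\xFF\xD8\xFF", 3) === 0) {
        return 'jpg';
    }
    // WebP is a RIFF container: "RIFF" <4-byte size> "WEBP"
    if (strlen($bytes) >= 12 && substr($bytes, 0, 4) === 'RIFF' && substr($bytes, 8, 4) === 'WEBP') {
        return 'webp';
    }
    throw new InvalidArgumentException('Logo must be PNG, JPG or WebP');
}

/** Builds the mirror path from a fixed name; the client filename is never used. */
function logoMirrorPath(string $publicRoot, string $bytes): string
{
    return rtrim($publicRoot, '/') . '/uploads/brand/logos.' . detectLogoExtension($bytes);
}

// Constructed samples: a PNG signature, and HTML renamed by the client to "logo.png".
$samples = [
    'real png'      => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64),
    'html as .png'  => '<html><script>/* not an image */</script></html>',
    'oversized png' => "\x89PNG\r\n\x1a\n" . str_repeat("\0", LOGO_MAX_BYTES),
];
foreach ($samples as $label => $bytes) {
    try {
        echo $label, ' -> ', logoMirrorPath('public', $bytes), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first sample yields a mirror path; the renamed HTML and the oversized file are rejected before anything is written under the public directory.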