Commit Graph

34 Commits

Author SHA1 Message Date
null 1bd282f47b fix(qa): Analytics "expected" gates by occurrence (matches Tracker/Summary)
- analyticsService: only add a bill's expected_amount in months it actually
  occurs (resolveDueDate), so annual / off-month quarterly bills no longer
  inflate the expected-vs-actual line every month (QA-B5-03, same root as B5-01)
- add a Tracker<->Analytics reconciliation guard to e2e/api.probe.spec.js
- docs: archive QA-B5-03; cycle log

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 21:23:37 -05:00
null a15ff056b3 fix(qa): Summary excludes bills not due in the month (reconciles with Tracker)
- routes/summary: filter the expense list by resolveDueDate so annual and
  off-month quarterly bills no longer inflate the monthly total / "monthly
  result" — the Summary now agrees with the Tracker for the same month (QA-B5-01)
- add a Tracker<->Summary reconciliation guard in e2e/api.probe.spec.js
- docs: archive QA-B5-01; track QA-B5-02 (SimpleFIN unpaid_this_month residual)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 21:19:35 -05:00
null 72d06aa2d8 fix(qa): cent-exact toCents rounding + money.js test coverage
- utils/money: toCents rounds off the shortest decimal string instead of
  Math.round(n*100), so 1.005 -> 101 (not 100). Output is identical for all
  integer / <=2-decimal / "$1,234.56" inputs, so no downstream change (QA-B7-01)
- add tests/money.test.js (9 tests; the money core previously had none)
- docs: archive QA-B7-01 to HISTORY v0.41.0; QA cycle 1 now 0 open findings

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 21:11:12 -05:00
null 98c8fab176 fix(qa): resolve a11y nested-interactive on Categories & Snowball rows
- CategoriesPage: category rows are now a plain container with a dedicated
  chevron toggle button, instead of role=button rows nesting action buttons
- PlanStatusBanner: split the collapsible header into a name/progress toggle,
  sibling action buttons, and a chevron toggle (actions no longer nested in the
  trigger button)
- add e2e/categories.spec.js expand regression; all 8 authed pages now pass axe
- docs: archive QA-B14-02 to HISTORY v0.41.0; QA plan status/cycle-log

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 21:02:15 -05:00
null 127b69ffc2 chore(qa): vendor chunk splitting, remove unused markdown deps, remove dead totalInterestPaid (batch 0.41.0 QA cleanup) 2026-07-02 20:47:50 -05:00
null 029c227685 fix(qa): seed demo data amounts, bill amount validation, negative USD format, a11y aria-labels, Playwright E2E setup (batch 0.41.0 QA) 2026-07-02 20:36:09 -05:00
null 81ddcb5fc1 feat(banking): bank transactions page with merchant/store matching, transaction matching refactor, bank sync improvements (batch 0.40.0) 2026-06-14 15:15:31 -05:00
null d0835b86ab chore(cleanup): remove legacy/public HTML files, retire /legacy route, update docs and About page 2026-06-11 23:50:27 -05:00
null bf66ab1ee6 feat(money): migrate services to cent-exact money.js helpers (batch 0.38.3) 2026-06-10 20:14:13 -05:00
null 83e6afa9e6 feat(subscriptions): simplified SubscriptionsPage, inline actions, improved matching card, Service Catalog route
- Extracted known-service catalog to dedicated /subscriptions/catalog route
- Simplified main Subscriptions page to focus on tracked services + bank-backed recommendations
- Replaced inline Pause/Resume with Edit + MoreHorizontal dropdown on subscription rows
- Added 'Improve Matching' card linking to Service Catalog
- Vite proxy respects API_PORT env var for dev flexibility
- Added top_200_us_subscriptions_researched dataset
- Updated HISTORY.md with v0.35.0 changes
2026-06-06 22:09:34 -05:00
null ecec6763b0 docs: update user-guide index with recent features (bank status, notifications, cash flow, batch import, merchant rules) 2026-06-04 03:14:54 -05:00
null 6edb23cd66 chore: bump to v0.34.1.1, Claude.ai catalog seed, subscription fixes 2026-05-30 17:57:34 -05:00
null b34e21d1ba feat: advisory non-bill transaction filter system (batch 0.33.8.0)
- Migration v0.68: seeds advisory_non_bill_filters (5k+ patterns) and
  advisory_bill_like_overrides (83 override terms) on first startup.
  Idempotent — skips if already seeded.
- advisoryFilterService.js: lazy in-memory cache checks override terms
  first, then scans patterns. Returns null | {confidence, category, rationale}.
- Transaction list: each row gets advisory_filter from the server.
- High-confidence unmatched transactions: show 'Probably not a bill'
  italic text instead of 'No bill linked'.
- MatchBillDialog high confidence: 'Create Bill' replaced with
  'Probably not a bill · create anyway' text link for manual override.
- MatchBillDialog medium confidence: Create Bill button renders muted.
- Same logic in empty-state CTA when search returns no results.
- BillModal onSave now returns the saved bill so callers can auto-match.
- Bump v0.33.7.3 -> v0.33.8.0
2026-05-29 18:06:12 -05:00
null 7682758aa8 fix: sync_days now reads from DB config, admin UI controls it
- bankSyncService: removed local syncDaysBack() reading env directly;
  sinceEpoch() now calls getBankSyncConfig().sync_days
- bankSyncConfigService: added setSyncDays() with 1-730 day validation
- routes/admin: PUT accepts sync_days alongside enabled/sync_interval_hours
- BankSyncAdminCard: Transaction history days input, loaded from config,
  defaults 90, dirty-checked on save
2026-05-29 01:33:54 -05:00
null 82de135186 push 2026-05-18 09:44:16 -05:00
null 55837b8b25 docs: update engineering reference manual to v0.28.01
- Add sections 5.15-5.21 (Data Sources, Transactions, CSV Import, Match Suggestions)
- Add v0.47-v0.64 migrations to database reference
- Add data_sources, financial_accounts, transactions table schemas
- Add payment_source and transaction_id to payments table
- Update version header to 0.28.01, date to 2026-05-16
- Fix section numbering
2026-05-16 21:41:13 -05:00
null 060c8dc2f4 chore: version bump to 0.28.01 and update HISTORY format 2026-05-16 21:36:04 -05:00
null 0ba315bd32 v0.28.0 2026-05-15 22:45:38 -05:00
null 2ce5328fd2 v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed
- RoadmapPage: kanban-style priority lanes, shadcn Collapsible/Tabs,
  lazy-loaded activity log, admin-only /api/about/roadmap + /dev-log endpoints
- Import CSRF fix: added x-csrf-token header to importAdminBackup,
  previewSpreadsheetImport, previewUserDbImport raw fetch() calls
- Removed AdminDashboard.jsx, replaced by RoadmapPage
- Added @radix-ui/react-collapsible + collapsible shadcn component
- Security audit by Private_Hudson: PASS (CSRF fix verified,
  admin endpoints gated, path traversal mitigated, XSS safe)
2026-05-11 21:42:36 -05:00
null 890427c75a v0.24.3: Session fixes, activity log corrections, UI polish 2026-05-11 13:39:48 -05:00
null 7c3cfd1715 docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
  monthly income/starting amounts, migration rollback, audit logging,
  auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
  CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
  on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)

Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2

FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2

HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
null 24bac8e506 docs: refresh engineering reference manual 2026-05-10 11:49:05 -05:00
null 52db06001f v0.23.1: migration rollback capability
- Add rollbackMigration() function in db/database.js with transaction safety
- Add POST /api/admin/migrations/rollback endpoint (admin-only)
- Rollback SQL for v0.44 (indexes), v0.45 (audit_log table), v0.46 (cycle columns)
- Error codes: NOT_APPLIED (404), ROLLBACK_NOT_SUPPORTED (422)
- Audit logging for rollback events
- Fix duplicate migrationStartTime declaration from v0.23.0 commit
- Fix broken migration completion audit log from v0.23.0 commit
- Fix DB path exposure (uses path.basename() now)
2026-05-10 10:44:39 -05:00
null 53783aaec5 v0.23.0: Detailed migration logging with timing, error context, and audit logging
- Added [migration] logging for each migration step (applying, completed, timing)
- Added [migration-error] logging with elapsed time on failures
- Added [migration] All migrations completed in Xms total timing
- Added lazy getLogAudit() for audit logging of migration failures (avoids circular dep)
- Changed DB path log to basename only (Hudson rec: reduce info disclosure)
- Version bumped to 0.23.0
2026-05-10 09:45:39 -05:00
null 399882f282 v0.19.4: session token expiry cleanup
- Added cleanupExpiredSessions() in db/database.js
- v0.43 migration: sessions.created_at column
- Startup cleanup + periodic cleanup every 24h (configurable via SESSION_CLEANUP_INTERVAL_MS)
- Per-user expired session cleanup on login and createSession
- Input validation on SESSION_CLEANUP_INTERVAL_MS (rejects 0, negative, >7d)
- Bishop verified all tests pass
- Hudson security audit: 5 PASS, 1 FAIL (interval validation — fixed)
2026-05-09 20:19:46 -05:00
null d55827d497 v0.19.3: legacy DB login fix, migration run functions, security hardening
- Reset default admin password when INIT_ADMIN_PASS is set on legacy DBs
- Added run() functions to all legacy migration entries (reconcileLegacyMigrations)
- Migrations that aren't present in legacy DB now actually execute
- v0.40 ownership migration assigns to first admin (not first user)
- Removed username from password reset log (info disclosure fix)
- must_change_password enforced after legacy password reset
2026-05-09 19:47:00 -05:00
null 4e91bed343 v0.19.2: add React Error Boundaries for crash recovery
Added ErrorBoundary component wrapping all routes in App.jsx.
Shows friendly fallback UI with Try Again and Reload buttons
instead of white screen crash. Logs component stack to console.
2026-05-09 18:33:02 -05:00
null a9cdf846fe v0.19.2: fix legacy DB migration login failure + security hardening
CRITICAL fix: Users upgrading from pre-migration-tracking databases
(now get 'invalid username/password' because schema_migrations table
doesn't exist. Added handleLegacyDatabase() and
reconcileLegacyMigrations() to detect and reconcile legacy DBs.

Security fixes:
- Path traversal: replaced sanitizePath() with ALLOWED_FILES allowlist
- Public /about bypass: added admin route guard in App.jsx
- Sensitive info exposure: expanded redactSensitiveContent() patterns
- Error message path leaks: generic error messages only
- Race condition: wrapped in db.transaction() in server.js
- Password validation: INIT_REGULAR_PASS min 8 chars with process.exit(1)

All verified by Bishop (build + runtime) and Private_Hudson (security).
2026-05-09 18:25:25 -05:00
null 6c7d481494 feat: add admin about page with security hardening
- Add /api/about-admin endpoint (admin-only, path traversal protection, content redaction, error sanitization)
- Add /admin/about route with RequireAuth admin guard
- Add adminActionLimiter rate limiting on about-admin endpoint
- Add rehype-sanitize XSS prevention in AboutPage.jsx
- Add aboutAdmin API client endpoint
- Create HISTORY.md with version bump convention (patch/minor/major)
- Update Engineering Reference Manual with about-admin docs and security measures
- Add INIT_REGULAR_USER/INIT_REGULAR_PASS env vars to docs
- Update FUTURE.md with critical regular user env var item
2026-05-09 16:25:12 -05:00
null d5057a6325 feat: add migration version tracking, update docs, add dev log
- Added schema_migrations table for explicit version tracking (CRITICAL fix)
- Refactored runMigrations() to use versioned migration objects
- Added hasMigrationBeenApplied() and recordMigration() helpers
- Migrations now skip already-applied versions and log progress
- Updated FUTURE.md with migration system issues and criticality ratings
- Updated Engineering_Reference_Manual.md with migration system docs
- Added DEVELOPMENT_LOG.md for agent work tracking
2026-05-09 15:17:40 -05:00
kaspa 4d1709aea3 push 2026-05-09 13:03:36 -05:00
_null c8c256bad2 init 2026-05-04 14:17:32 -05:00
_null 831bdfa3e2 correct 2026-05-04 13:51:38 -05:00
_null 9fc442fb8e readme 2026-05-04 13:38:19 -05:00