Commit Graph

63 Commits

Author SHA1 Message Date
null c23cae1107 feat: reordering across management pages (Bills, Subscriptions, Categories, Snowball) — batch v0.34.1.2 2026-05-30 20:04:50 -05:00
null 6edb23cd66 chore: bump to v0.34.1.1, Claude.ai catalog seed, subscription fixes 2026-05-30 17:57:34 -05:00
null 35d0cbf8be chore: reset tracked db file 2026-05-30 17:27:15 -05:00
null 8b0f33085c feat: Payoff Simulator page with live SVG chart, debt selector, and apply-to-budget (batch 0.34.3) 2026-05-30 15:22:16 -05:00
null 799189059b chore: roadmap audit v0.34.2 — remove completed FUTURE.md items, update partial statuses 2026-05-30 15:18:45 -05:00
null e0aae788d0 chore: bump to v0.34.1, add changelog entry for price-change drift detection
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 14:36:08 -05:00
null d0b318c9d2 docs(bishop): audit and update FUTURE.md against implemented features
- Removed Overdue Command Center, Search+Filters, Partial Payments from FUTURE.md (shipped)
- Added status notes to No Confirmation item (already implemented)
- Updated HISTORY.md with search, command palette, partial payments, overpayment math
- Bump FUTURE.md version to v0.34.0, last updated 2026-05-30
2026-05-30 13:59:43 -05:00
null 0bb99b9562 docs: add v0.34.0 changelog to HISTORY.md 2026-05-30 13:30:18 -05:00
null 6b0c86b73c revert: compact tracker mode + wider layout, keep S badge + remaining/Done header (batch 0.33.8.7)
- Removed hasBoth, compact prop, 2xl:min-w-[700px], 2xl:hidden Last Month,
  narrowed columns — back to original single-column tracker layout
- Removed 2xl:max-w-[2000px] from Layout/Sidebar/AdminShell/footer/nav
- Kept S badge in all 4 locations and bucket remaining/Done header
- Added mkdocs/ to .gitignore
- Bump v0.33.8.6 -> v0.33.8.7
2026-05-29 21:16:13 -05:00
null af601057c4 style: wider max-width at 2xl+ (1500px -> 2000px) (batch 0.33.8.6)
- Layout, AdminShell, Sidebar, footer, mobile nav: 2xl:max-w-[2000px]
- Content area grows from ~1436px to ~1936px, enough room for
  dual-bucket tracker at 2xl+
- Bump v0.33.8.5 -> v0.33.8.6
2026-05-29 20:40:14 -05:00
null f99cd82438 feat: compact tracker, S badge, side-by-side buckets (batch 0.33.8.5)
- Sub badge changed to 'S' in all 4 locations with matching border style
- Two-bucket grid at 2xl+ when both buckets have bills
- Compact mode: narrow table, hide Last Month column, shrink Notes/Actions/Due
- Bucket header shows remaining/Done labels alongside paid/total/overpaid
- Removed standalone Remaining summary card (redundant with bucket header)
- Row and Bucket accept compact=false
- Bump v0.33.8.4 -> v0.33.8.5
2026-05-29 20:33:01 -05:00
null a15436b637 feat: 90-day backfill + auto-seed + status page redesign (batch 0.33.8.4)
- New backfillDataSource export and POST route for 89-day history pull
- Auto-seed 89 days on first connect, 30 days for routine syncs
- sinceEpoch() replaced with sinceEpochDays(days) with explicit param
- Status page errorRow now filters AND status = 'error'
- Full status page redesign: colored top borders, card icons, section labels,
  health banner with glowing dot, consistent spacing
- Bump v0.33.8.3 -> v0.33.8.4
2026-05-29 19:58:52 -05:00
null 0f9f48e255 feat: subscription badges + status improvements + dailyWorker fix (batch 0.33.8.3)
- Sub badge (indigo) in all 4 locations, toggleable in Bills prefs
- SimpleFIN Sync card on Status page
- dailyWorker.start() now called on startup
- tracker.overdue_count uses real SQL query
- Status page accuracy: dynamic headers, Degraded state, worker last_error check
- Removed SimpleFIN prefix from Recommendations title
- Bump v0.33.8.2 -> v0.33.8.3
2026-05-29 19:21:46 -05:00
null 6e9fd6873f fix: GeorgiaDigits font-bleed fix (batch 0.33.8.2)
- Removed 'Georgia' from --font-serif stack, replaced with ui-serif
- Added 'GeorgiaDigits' to --font-mono for snowball extra payment input
- Georgia now only enters via GeorgiaDigits @font-face with unicode-range
- Bump v0.33.8.1 -> v0.33.8.2
2026-05-29 18:42:11 -05:00
null c37716f685 feat: subscription catalog v2 + GeorgiaDigits font-face (batch 0.33.8.1)
- Migration v0.69: 90 new services across 16 categories
- Fixed Discord Nitro, Twitch Turbo, X Premium categories
- GeorgiaDigits @font-face with unicode-range for digit/currency codepoints
  only, applied via --font-sans and .tracker-number
- Bump v0.33.8.0 -> v0.33.8.1
2026-05-29 18:34:50 -05:00
null b34e21d1ba feat: advisory non-bill transaction filter system (batch 0.33.8.0)
- Migration v0.68: seeds advisory_non_bill_filters (5k+ patterns) and
  advisory_bill_like_overrides (83 override terms) on first startup.
  Idempotent — skips if already seeded.
- advisoryFilterService.js: lazy in-memory cache checks override terms
  first, then scans patterns. Returns null | {confidence, category, rationale}.
- Transaction list: each row gets advisory_filter from the server.
- High-confidence unmatched transactions: show 'Probably not a bill'
  italic text instead of 'No bill linked'.
- MatchBillDialog high confidence: 'Create Bill' replaced with
  'Probably not a bill · create anyway' text link for manual override.
- MatchBillDialog medium confidence: Create Bill button renders muted.
- Same logic in empty-state CTA when search returns no results.
- BillModal onSave now returns the saved bill so callers can auto-match.
- Bump v0.33.7.3 -> v0.33.8.0
2026-05-29 18:06:12 -05:00
null 392de3264f fix(ui): SimpleFIN transaction table fixed column sizing (batch 0.33.7.3)
- Table now uses table-fixed + colgroup for fixed column widths
- Long transaction text can no longer push action buttons off-screen
- Action buttons are compact icon-only with aria-label/title
- Long matched bill names are truncated with truncate class
- Bump v0.33.7.2 -> v0.33.7.3
2026-05-29 16:51:31 -05:00
null 32f1568515 feat: SimpleFIN payment backfill button on subscription bills (v0.33.7.2) 2026-05-29 04:19:20 -05:00
null 060c8dc2f4 chore: version bump to 0.28.01 and update HISTORY format 2026-05-16 21:36:04 -05:00
null 9d933f70cc v0.28.01 2026-05-16 20:26:09 -05:00
null d2acf44846 chore: untrack private docs (STRUCTURE, FUTURE, HISTORY, DEVELOPMENT_LOG) 2026-05-13 04:04:29 -05:00
null d32a30495d docs: update HISTORY v0.26.0, remove completed XLSX dual-column from FUTURE 2026-05-11 22:19:02 -05:00
null 579eed37b8 docs: update HISTORY v0.25.0, remove completed CSRF fix from FUTURE 2026-05-11 21:46:33 -05:00
null c1ac14efe3 v0.24.4: analytics mobile layout + previous month payment toggle 2026-05-11 11:56:49 -05:00
null 86148a101f feat: remove confirmation popup from status badge toggle (v0.24.3)
Clicking status badges (Late, Due Soon, Upcoming, Missed) now instantly
toggles paid/unpaid. Removed AlertDialog from TrackerPage.jsx — no more
confirmation dialog blocking the action.
2026-05-10 17:56:23 -05:00
null 6d42453e07 fix: status badge toggle-paid using wrong property name (v0.24.2)
handleTogglePaid() was using row.bill_id instead of row.id, causing
the API call to fail with an undefined bill ID. Clicking status badges
(Late, Due Soon, Upcoming, Missed) now correctly toggles paid/unpaid.
2026-05-10 17:28:26 -05:00
null ba888c1c6f feat: export privacy warning + updated included fields list (v0.24.1)
- Added amber warning banner on Download My Data section about sensitive metadata
- Updated 'What's included' list to show monthly starting amounts and history ranges
- Marked LOW export sensitive fields item as FIXED in FUTURE.md
2026-05-10 15:29:35 -05:00
null 80b3bcc17b fix: HIGH+MEDIUM batch — 10 fixes (v0.24.0)
HIGH:
- Admin toggle-paid: removed cross-user admin branch, now requires ownership
- Analytics crash: imported missing standardizeError
- Export data loss: added cycle_type, cycle_day, bill_history_ranges to exports
- Single-user lockout: removed unnecessary sessions join from getSingleModeUser

MEDIUM:
- Password rate limiter: scoped to change-password only, not all profile routes
- Profile session invalidation: fixed req.sessionId → req.cookies[COOKIE_NAME]
- CSRF default: httpOnly now defaults to false (matches SPA double-submit pattern)
- CSRF password routes: removed csrfSkip for password change endpoints
- Notification due-day: calendar day comparison instead of timestamp floor
- Upcoming bills: clamped days to 1-365, default 30 for invalid input

FUTURE.md: marked all 10 items as FIXED, bumped version refs
HISTORY.md: added v0.24.0 entry
2026-05-10 15:25:47 -05:00
null 5537ab2bd5 fix: clear demo data button, seed user ID bug, duplicate endpoint (v0.23.4)
- DataPage: removed 'coming soon' placeholder, made Clear Demo Data button accessible from seeded state
- seedDemoData.js: fixed userId -> targetUserId bug
- settings.js: removed duplicate /api/settings/seed-demo-data endpoint
- Version bumped to 0.23.4
2026-05-10 15:11:02 -05:00
null 6d488aa8bd docs: update HISTORY.md and FUTURE.md for v0.23.3 2026-05-10 14:37:42 -05:00
null 7c3cfd1715 docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
  monthly income/starting amounts, migration rollback, audit logging,
  auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
  CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
  on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)

Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2

FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2

HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
null 52db06001f v0.23.1: migration rollback capability
- Add rollbackMigration() function in db/database.js with transaction safety
- Add POST /api/admin/migrations/rollback endpoint (admin-only)
- Rollback SQL for v0.44 (indexes), v0.45 (audit_log table), v0.46 (cycle columns)
- Error codes: NOT_APPLIED (404), ROLLBACK_NOT_SUPPORTED (422)
- Audit logging for rollback events
- Fix duplicate migrationStartTime declaration from v0.23.0 commit
- Fix broken migration completion audit log from v0.23.0 commit
- Fix DB path exposure (uses path.basename() now)
2026-05-10 10:44:39 -05:00
null 53783aaec5 v0.23.0: Detailed migration logging with timing, error context, and audit logging
- Added [migration] logging for each migration step (applying, completed, timing)
- Added [migration-error] logging with elapsed time on failures
- Added [migration] All migrations completed in Xms total timing
- Added lazy getLogAudit() for audit logging of migration failures (avoids circular dep)
- Changed DB path log to basename only (Hudson rec: reduce info disclosure)
- Version bumped to 0.23.0
2026-05-10 09:45:39 -05:00
null eb86da1e69 v0.22.3: fix ENV-seeded users skip first-login flow, add audit logging
- setup/firstRun.js: reset first_login=0, must_change_password=0 on update
- server.js: reset flags for existing regular users + add logAudit
- db/database.js: fix must_change_password=0 in init code (was 1)
- Add logAudit calls for seed.flag_reset events
- database.js uses console.log for init-time resets (avoids circular dep)
- Hudson audit: 6/6 PASS after audit logging fix
2026-05-10 04:24:51 -05:00
null 9647275854 docs: add HISTORY.md for v0.22.2 2026-05-10 03:57:31 -05:00
null 65849fc554 v0.22.1: N+1 Query Optimization
- Batch queries replace per-bill loops in tracker and analytics
- monthly_bill_state, payments, prev month payments batched with WHERE IN
- Empty billIds guards prevent SQL errors
- Hudson security audit: 5/5 PASS (SQL injection, empty IN, user scoping, data leakage, type safety)
2026-05-10 03:29:09 -05:00
null 5c35b20c00 docs: update HISTORY, FUTURE, DEVELOPMENT_LOG for v0.22.0 2026-05-10 03:14:40 -05:00
null 314159d241 v0.21.1: Loading Skeletons & Async State
- Reusable Skeleton component (line, circle, card, button, input variants)
- TrackerPage: skeleton cards, rows, buckets with aria-busy attributes
- BillsPage: skeleton rows during loading
- Bug fix: double closing brace />}} on Bucket component
- Hudson security audit: 5/5 PASS
2026-05-10 01:35:41 -05:00
null cfb074c7cd v0.21.0: 3-Month Trend Indicator on Tracker
- Backend: 3-month payment aggregation with year-wrapping, trend object in API (direction, percent_change, 3_month_avg)
- Frontend: TrendIndicator component (arrow + percentage + label), TrendCard with purple gradient
- Bug fix: Bishop fixed 3-month query to JOIN through bills for user scoping (payments table has no user_id)
- Bug fix: Ripley removed duplicate TrendIndicator function definition
- Hudson security audit: 5/5 PASS (SQL injection, user scoping, date wrapping, division by zero, XSS)
2026-05-10 01:22:51 -05:00
null 4990bf47f6 v0.20.9: Previous Month Paid column on Tracker
- Backend: previous month calculation with year wrapping (Jan→Dec)
- Backend: previous_month_paid per bill row, previous_month_total in summary
- Frontend: 'Last Month' column in desktop table with muted text
- Frontend: 'Last Month' in mobile view, summary card for prev month total
- Hudson security audit: 5/5 PASS (SQL injection, date wrapping, user scoping, auth, XSS)
2026-05-10 00:52:23 -05:00
null bd796d61c0 v0.20.8: Billing cycle sub-categories + server-side cycle_day validation
- Migration v0.46: cycle_type (monthly/weekly/biweekly/quarterly/annual) and cycle_day columns
- Server-side validation: cycle_type whitelist, cycle_day validated per type
  - monthly: 1-31 integer
  - weekly/biweekly: day name enum
  - quarterly/annual: free text (max 50 chars)
- BillModal UI: conditional cycle_day selector (ordinal/weekday/text)
- Hudson audit: 4/5 PASS, fixed medium-risk cycle_day validation gap
2026-05-10 00:39:11 -05:00
null e184fed88a v0.20.7: Keyboard navigation and ARIA accessibility
- Skip-to-content link for keyboard users (sr-only/focus:not-sr-only pattern)
- aria-expanded and aria-haspopup on Tracker menu dropdown
- aria-label on footer, role='main' and aria-labelledby on layout wrapper
- Main content wrapped in <main> with unique id from React useId()
- Fixed build error: useId imported from react, not react-router-dom
- Hudson security audit: 5/5 PASS (no XSS, no DOM clobbering, no injection)
2026-05-10 00:18:36 -05:00
null 7503a54f81 v0.20.6: Audit logging for critical operations
- New audit_log table (migration v0.45) with indexes
- logAudit() service with try/catch safety (never crashes app)
- Audit events: login.success, login.failure, logout, password.change, role.change, csrf.failure, profile.update, profile.settings.update
- All events include ip_address and user_agent
- No passwords, tokens, or session IDs logged
- Hudson security audit: 7/7 PASS
2026-05-10 00:03:12 -05:00
null 8e7f977fef v0.20.5: Bulk payment input validation
- Request body must contain `payments` array (breaking change from raw array)
- Max 50 items per bulk request
- Per-item validation: bill_id (integer regex + parseInt), paid_date (YYYY-MM-DD), amount (finite number >= 0)
- Duplicate detection using bill_id + paid_date + amount composite key — skipped, not rejected
- Response format: { created, skipped, errors }
- Security fix: bill_id type coercion attack (parseInt('1abc') bypass) blocked via regex check
- Security fix: Infinity amount bypass blocked via isFinite() check
- Hudson audit: 5/7 PASS, 2 FAIL fixed (type coercion + Infinity)
2026-05-09 23:41:28 -05:00
null 35e09430c9 v0.20.4: Explicit migration dependency management
- Added dependsOn field to all 17 versioned migrations
- Added validateMigrationDependencies() function for dependency validation
- Migrations with unmet dependencies are skipped with error log (no crash)
- Dependency satisfaction logged: [migration] vX depends on [vY] — satisfied
- appliedVersions Set tracks newly applied migrations for subsequent checks
- Hudson security audit: 7/7 PASS
2026-05-09 23:24:51 -05:00
null 1fd4f49758 v0.20.3: Performance indexes on frequently queried columns
- Added v0.44 migration with 4 indexes:
  - idx_bills_user_name ON bills(user_id, name)
  - idx_payments_method ON payments(method)
  - idx_monthly_starting_amounts_user ON monthly_starting_amounts(user_id)
  - idx_import_history_imported_at ON import_history(imported_at)
- Fixed nested transaction bug in migration run() function
- Hudson security audit: 7/7 PASS
2026-05-09 22:44:38 -05:00
null d34316844e v0.20.2: Transaction wrapping for database migrations
- All migrations (versioned, legacy, unversioned) now run within
  BEGIN/COMMIT with ROLLBACK on failure
- v0.40 migration uses try/finally to guarantee PRAGMA foreign_keys
  is always re-enabled, even on error paths
- Clear transaction boundary logging (BEGIN/COMMIT/ROLLBACK)
- Hudson security audit: 6/7 PASS, FK fix applied for v0.40 edge case
2026-05-09 22:34:50 -05:00
null 5c0ff4277f docs: v0.20.1 changelog 2026-05-09 22:01:40 -05:00
null 852da29b4d v0.20.0: admin dashboard with roadmap and activity log
- New AdminDashboard component with Roadmap and Activity Log
- Color-coded priority cards (🔴🟠🟡🔵💭) with collapsible sections
- CRITICAL/HIGH expanded by default, others collapsed
- Activity log shows DEVELOPMENT_LOG entries in reverse chronological order
- Admin-only rendering, non-admins see standard About page
- Custom scrollbar styles for admin panels
- Version bumped to 0.20.0 (Bishop)
2026-05-09 21:14:21 -05:00
null 3a1d6133f6 docs: v0.19.4 changelog, remove completed session cleanup from FUTURE.md 2026-05-09 20:21:22 -05:00