- New backfillDataSource export and POST route for 89-day history pull
- Auto-seed 89 days on first connect, 30 days for routine syncs
- sinceEpoch() replaced with sinceEpochDays(days) with explicit param
- Status page errorRow now filters AND status = 'error'
- Full status page redesign: colored top borders, card icons, section labels,
health banner with glowing dot, consistent spacing
- Bump v0.33.8.3 -> v0.33.8.4
- Sub badge (indigo) in all 4 locations, toggleable in Bills prefs
- SimpleFIN Sync card on Status page
- dailyWorker.start() now called on startup
- tracker.overdue_count uses real SQL query
- Status page accuracy: dynamic headers, Degraded state, worker last_error check
- Removed SimpleFIN prefix from Recommendations title
- Bump v0.33.8.2 -> v0.33.8.3
- Removed 'Georgia' from --font-serif stack, replaced with ui-serif
- Added 'GeorgiaDigits' to --font-mono for snowball extra payment input
- Georgia now only enters via GeorgiaDigits @font-face with unicode-range
- Bump v0.33.8.1 -> v0.33.8.2
- Migration v0.68: seeds advisory_non_bill_filters (5k+ patterns) and
advisory_bill_like_overrides (83 override terms) on first startup.
Idempotent — skips if already seeded.
- advisoryFilterService.js: lazy in-memory cache checks override terms
first, then scans patterns. Returns null | {confidence, category, rationale}.
- Transaction list: each row gets advisory_filter from the server.
- High-confidence unmatched transactions: show 'Probably not a bill'
italic text instead of 'No bill linked'.
- MatchBillDialog high confidence: 'Create Bill' replaced with
'Probably not a bill · create anyway' text link for manual override.
- MatchBillDialog medium confidence: Create Bill button renders muted.
- Same logic in empty-state CTA when search returns no results.
- BillModal onSave now returns the saved bill so callers can auto-match.
- Bump v0.33.7.3 -> v0.33.8.0
- Table now uses table-fixed + colgroup for fixed column widths
- Long transaction text can no longer push action buttons off-screen
- Action buttons are compact icon-only with aria-label/title
- Long matched bill names are truncated with truncate class
- Bump v0.33.7.2 -> v0.33.7.3
- Removed duplicate unmatchTransaction API entry in api.js
- Unmonitored accounts: no chevron, click-to-expand disabled, tx panel hidden
- matched_bill_name included via LEFT JOIN bills in accounts query
- BillPickerDialog resets search/selection on open
- Link to bill: marks historical txs matched, stores merchant rule,
applyMerchantRules catches other unmatched txs from same merchant
- Track (new subscription): creates bill with is_subscription=1, stores
merchant rule for ongoing tracking
- SimpleFIN sync: applyMerchantRules runs after tx insert, auto-matches
by merchant rule with payment_source='auto_match'
- Auto-match payments have transaction_id set, treated same as manual matches
- New services/billMerchantRuleService.js for rule storage and matching
- Migration for bill_merchant_rules table
Backend:
- POST /api/matches/confirm — atomic payment creation + transaction match
- POST /api/matches/:transactionId/unmatch — soft-delete payment, reset transaction
- Account transactions include matched_bill_id and matched_bill_name
Frontend:
- Unmatched transactions show + match pill button
- BillPickerDialog with transaction details + searchable bill list
- Confirm creates payment and updates row immediately
- Matched transactions show Unlink icon to remove match
- Toast on success with bill name and date
- Amount-bucket grouping ensures consistent charges are grouped together
- Catalog lookup names and boosts the result
- Deduplication ensures one recommendation per known service
- Removed catalog-first rewrite
- bankSyncConfigService: SYNC_DAYS_MAX=90, getBankSyncConfig clamps on read,
setSyncDays rejects >90 with explanation
- bankSyncService: every sync requests full sync_days window, dedup handles
already-seen transactions
- dataSources status endpoint returns sync_days alongside enabled
- BankSyncAdminCard: input max 90, live clamp, description cites Bridge limit
- BankSyncSection: third stat tile showing History window X days
- bankSyncService: removed local syncDaysBack() reading env directly;
sinceEpoch() now calls getBankSyncConfig().sync_days
- bankSyncConfigService: added setSyncDays() with 1-730 day validation
- routes/admin: PUT accepts sync_days alongside enabled/sync_interval_hours
- BankSyncAdminCard: Transaction history days input, loaded from config,
defaults 90, dirty-checked on save
Backend:
- v0.64 migration: monitored column on financial_accounts
- GET/PUT data-sources accounts endpoints for monitored toggle + tx listing
- matchSuggestionService: excludes unmonitored accounts from match scoring
Frontend:
- BankSyncSection rebuild: accounts panel with monitored switch, expand for
last 50 transactions, match status badges, optimistic toggle
- TransactionMatchingSection: toast on bills load failure
- DataPage: toast on import history load failure
- ProfilePage: toast on both login history fetch failures
- encryptionService.js: getKey() tries TOKEN_ENCRYPTION_KEY env first, then
auto-generates a random 48-byte key on first startup, persists to settings
as _auto_encryption_key. assertEncryptionReady() is now a no-op.
- bankSyncConfigService.js: removed encryption_key_set response and
encryptionKeyReady() helper. No env config required.
- .env.example: TOKEN_ENCRYPTION_KEY removed. Comment says enable from Admin
panel, no env config required.
- BankSyncSection.jsx: added SimpleFIN Bridge links — 'Open SimpleFIN Bridge'
for first-time setup, 'Get a SimpleFIN token' for existing connections
Added subscription metadata to bills: is_subscription, type, reminder_days, source, detected_at
Backend subscription API (routes/subscriptions.js)
SimpleFIN recommendation logic (services/subscriptionService.js)
New /subscriptions page (client/pages/SubscriptionsPage.jsx)
Track-as-subscription controls in BillModal.jsx
Navigation under Tracker menu
Accepting a recommendation creates a subscription-backed bill + links detected transactions
- Removed disable logic and key warning banner from BankSyncAdminCard
- Toggle works freely regardless of TOKEN_ENCRYPTION_KEY status
- encryptionKeyReady and encryption_key_set left as informational only
CalendarPage.jsx:
- Tightened day numbers, due-count badges, bill labels inside cells
- Crisper color contrast for paid/due/missed states
- Cleaner grid surfaces and borders for row/day tracking
- Switched font-mono values to tracker-number style
SeedDemoDataSection.jsx:
- Fixed render logic for data page
- Rewrite detectAllHeaderSets() with repeat-field detection instead of gap-based splitting
- Require ≥2 header fields per group (filters out false matches like 'Left Over | Paid')
- Fix column leakage: right-side bills no longer pick up left-side amounts
- Add header_set_index to analyzeRow return object for frontend use
- Add isLikelySummaryRow() filter (Paycheck, Left Over, Enter how much, etc.)
- Expand isLikelyTotalRow() to catch 'Auto Total ------>' patterns
- Filter leftover calc rows (null name + negative amount, dash separators)
- Remove 'paid' from HEADER_PATTERNS.amount (was false-matching 'Paid' cells)
- Skip empty string cells in detectAllHeaderSets
- detectAllHeaderSets() finds multiple header groups per row (left 1st / right 15th)
- isBlankRowForHeaderSet() checks blanks per column range for dual layouts
- parseSheetRows() scans rows 0-4 for header row, processes each set independently
- analyzeRow() computes due_day from date/label/pattern with fallback to defaultDueDay
- Cell type validation allows 's' (shared formula) type
- Non-numeric amounts (auto, double pay, past due) become detected labels
- Day patterns (1st, 15th, 24th) parsed as due_day values
- Security: bounds validation in isBlankRowForHeaderSet, anchored regex, label sanitization
Clicking status badges (Late, Due Soon, Upcoming, Missed) now instantly
toggles paid/unpaid. Removed AlertDialog from TrackerPage.jsx — no more
confirmation dialog blocking the action.
handleTogglePaid() was using row.bill_id instead of row.id, causing
the API call to fail with an undefined bill ID. Clicking status badges
(Late, Due Soon, Upcoming, Missed) now correctly toggles paid/unpaid.
- Added amber warning banner on Download My Data section about sensitive metadata
- Updated 'What's included' list to show monthly starting amounts and history ranges
- Marked LOW export sensitive fields item as FIXED in FUTURE.md
- TrackerPage: confirm('Mark as paid?') → AlertDialog with dynamic bill name
- DataPage: window.confirm('Import SQLite?') → AlertDialog for import confirmation
- Both dialogs use proper shadcn/ui components (AlertDialogAction/Cancel)
- Theme-aware, accessible, consistent with app design system
- STRUCTURE.md: corrected tech stack (Vite+React, not Next.js)
- Version bumped to 0.23.3
CRITICAL security fix: In per-user notification mode, the notification runner
was fetching ALL active bills globally and sending each bill's details to
every opted-in recipient regardless of ownership. This meant User A's bill
names, amounts, and due dates could be emailed to User B.
Fix: Added ownership filter in the recipient loop:
if (allowUserConfig && bill.user_id !== recipient.id) continue;
Also added a defensive guard for bills with no user_id (orphaned bills),
which are now skipped with a console.warn instead of being broadcast.
Global notification mode (single admin recipient) is unaffected.
Security audit: Private_Hudson confirmed the fix is airtight. All other
routes (bills, payments, tracker, analytics, export, calendar, summary,
categories) properly scope data by user_id.
Version bump: 0.23.1 → 0.23.2 (security patch)
- Added [migration] logging for each migration step (applying, completed, timing)
- Added [migration-error] logging with elapsed time on failures
- Added [migration] All migrations completed in Xms total timing
- Added lazy getLogAudit() for audit logging of migration failures (avoids circular dep)
- Changed DB path log to basename only (Hudson rec: reduce info disclosure)
- Version bumped to 0.23.0
- invalidateOtherSessions() in authService.js: deletes all sessions except current
- Password change (auth.js + profile.js) now invalidates all other sessions
- Password change rotates current session ID (sets new cookie)
- New POST /api/auth/logout-all endpoint (deletes all sessions + clears cookie)
- Audit logging for logout.all and password.change
- Added last_password_change_at to auth.js change-password for consistency
- Hudson security audit: 6/6 PASS
- Batch queries replace per-bill loops in tracker and analytics
- monthly_bill_state, payments, prev month payments batched with WHERE IN
- Empty billIds guards prevent SQL errors
- Hudson security audit: 5/5 PASS (SQL injection, empty IN, user scoping, data leakage, type safety)
- Backend: previous month calculation with year wrapping (Jan→Dec)
- Backend: previous_month_paid per bill row, previous_month_total in summary
- Frontend: 'Last Month' column in desktop table with muted text
- Frontend: 'Last Month' in mobile view, summary card for prev month total
- Hudson security audit: 5/5 PASS (SQL injection, date wrapping, user scoping, auth, XSS)
- Skip-to-content link for keyboard users (sr-only/focus:not-sr-only pattern)
- aria-expanded and aria-haspopup on Tracker menu dropdown
- aria-label on footer, role='main' and aria-labelledby on layout wrapper
- Main content wrapped in <main> with unique id from React useId()
- Fixed build error: useId imported from react, not react-router-dom
- Hudson security audit: 5/5 PASS (no XSS, no DOM clobbering, no injection)
- Added dependsOn field to all 17 versioned migrations
- Added validateMigrationDependencies() function for dependency validation
- Migrations with unmet dependencies are skipped with error log (no crash)
- Dependency satisfaction logged: [migration] vX depends on [vY] — satisfied
- appliedVersions Set tracks newly applied migrations for subsequent checks
- Hudson security audit: 7/7 PASS
- All migrations (versioned, legacy, unversioned) now run within
BEGIN/COMMIT with ROLLBACK on failure
- v0.40 migration uses try/finally to guarantee PRAGMA foreign_keys
is always re-enabled, even on error paths
- Clear transaction boundary logging (BEGIN/COMMIT/ROLLBACK)
- Hudson security audit: 6/7 PASS, FK fix applied for v0.40 edge case
- React.lazy + Suspense for all page components (except LoginPage)
- PageLoader component for loading states
- Version badge on admin roadmap page
- Version in /api/about-admin response
- Roadmap nav link for admins (dropdown + sidebar)
- /admin/roadmap route
- Added Roadmap link in dropdown menu (below About), admin-only
- Added Roadmap in admin sidebar nav
- Added /admin/roadmap route pointing to AboutPage with admin prop
- Uses Map icon from lucide-react
- New AdminDashboard component with Roadmap and Activity Log
- Color-coded priority cards (🔴🟠🟡🔵💭) with collapsible sections
- CRITICAL/HIGH expanded by default, others collapsed
- Activity log shows DEVELOPMENT_LOG entries in reverse chronological order
- Admin-only rendering, non-admins see standard About page
- Custom scrollbar styles for admin panels
- Version bumped to 0.20.0 (Bishop)
Added ErrorBoundary component wrapping all routes in App.jsx.
Shows friendly fallback UI with Try Again and Reload buttons
instead of white screen crash. Logs component stack to console.
CRITICAL fix: Users upgrading from pre-migration-tracking databases
(now get 'invalid username/password' because schema_migrations table
doesn't exist. Added handleLegacyDatabase() and
reconcileLegacyMigrations() to detect and reconcile legacy DBs.
Security fixes:
- Path traversal: replaced sanitizePath() with ALLOWED_FILES allowlist
- Public /about bypass: added admin route guard in App.jsx
- Sensitive info exposure: expanded redactSensitiveContent() patterns
- Error message path leaks: generic error messages only
- Race condition: wrapped in db.transaction() in server.js
- Password validation: INIT_REGULAR_PASS min 8 chars with process.exit(1)
All verified by Bishop (build + runtime) and Private_Hudson (security).