* [AI] Add no-extraneous-dependencies lint rule to prevent transitive dependency usage
Closes #7479. Adds a custom ESLint rule that flags imports of packages not
explicitly listed in the workspace's dependencies or devDependencies. Also
fixes all existing violations by adding missing deps and removes unused
deps (@reduxjs/toolkit, @rschedule/json-tools) from loot-core.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix builtin subpath detection and improve cache in no-extraneous-dependencies
Fix false positives for Node.js builtin subpaths (fs/promises, path/posix)
by checking the package name portion against builtins. Also cache all
visited directories during walk-up, not just the starting directory.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Release notes
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix sync-server build not resolving subpath imports
The add-import-extensions build script only handled relative imports
(./ ../), leaving #-prefixed subpath imports unresolved in the build
output. At runtime Node.js resolved them via package.json's imports
map back to source files, which have extensionless imports that fail
in ESM.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for sync-server subpath imports fix
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Simplify subpath import resolution using publishConfig.imports
Use publishConfig.imports which already has ./build/src/ paths with .js
extensions, eliminating manual src->build and .ts->.js conversions.
Also sort wildcard patterns by specificity and extract shared helper.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Use replaceAll for wildcard substitution to satisfy CodeQL
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix path traversal vulnerability in uploadFileWeb
Sanitize user-supplied filename with fs.basename() to strip directory
components (e.g. ../../) before writing to /uploads/, preventing
arbitrary file writes outside the intended directory.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Harden path traversal fix and correct broken basename in web fs
The browser fs.basename implementation was returning the directory part
instead of the filename, making the previous fs.basename() fix
ineffective on the web platform. Replace with inline sanitization that
works regardless of platform: split on path separators, strip null
bytes, reject . and .., and use fs.join for safe path construction.
Also fix the browser fs.basename to actually return the last path
segment, matching the behavior of Node's path.basename.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Revert browser fs.basename change per user request
The browser fs.basename implementation is restored to its original
behavior. The path traversal fix in uploadFileWeb does not depend on
fs.basename.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Add release notes for path traversal fix (#7428)
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Suppress no-control-regex lint for null byte sanitization
The \0 regex is intentional to strip null bytes from filenames as part
of the path traversal fix.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Use replaceAll for null-byte stripping instead of regex
Replace /\0/g regex with replaceAll('\0', '') to avoid triggering
the no-control-regex ESLint rule, removing the need for the
eslint-disable comment.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
---------
Co-authored-by: Claude <noreply@anthropic.com>
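The sanitization steps listed in the path traversal commits above (split on path separators, strip null bytes, reject `.` and `..`, then build the path under `/uploads/`), as an added example that is not the project's own code. The names `sanitizeUploadName`, `resolveUploadPath` and `tryResolve` are hypothetical, the sample inputs are constructed, and plain concatenation stands in for the project's `fs.join`.

```javascript
// Upload directory named in the commit message.
const UPLOAD_DIR = '/uploads';

// Hypothetical helper: reduce a user-supplied filename to one safe path segment.
function sanitizeUploadName(rawName) {
  if (typeof rawName !== 'string') {
    throw new TypeError('filename must be a string');
  }
  // Split on both separators so Windows-style input is handled on any platform.
  const segments = rawName.split(/[\\/]/);
  // Keep the last segment only, then strip null bytes. Stripping BEFORE the
  // dot checks matters: '.\0.' turns into '..' once the null byte is removed.
  const name = segments[segments.length - 1].replaceAll('\0', '');
  if (name === '' || name === '.' || name === '..') {
    throw new Error('invalid filename');
  }
  return name;
}

// Hypothetical helper: build the destination path for an upload.
function resolveUploadPath(rawName) {
  // The sanitized name contains no separator, so concatenation cannot leave
  // UPLOAD_DIR. The check below is a cheap guard against later regressions.
  const target = `${UPLOAD_DIR}/${sanitizeUploadName(rawName)}`;
  if (target.lastIndexOf('/') !== UPLOAD_DIR.length) {
    throw new Error('resolved path escapes upload directory');
  }
  return target;
}

// Wrapper that reports the outcome instead of throwing, for the demo below.
function tryResolve(rawName) {
  try {
    return { ok: true, path: resolveUploadPath(rawName) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample inputs (not taken from the project or from real traffic).
const SAMPLES = [
  'budget.zip',
  '../../etc/passwd',
  'C:\\Users\\me\\budget.zip',
  'budget\0.zip',
  '..',
  '.\0.',
  'reports/',
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), '->', JSON.stringify(tryResolve(sample)));
}
```
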
* [AI] Enable subpath imports across all packages
Generalize the prefer-subpath-imports ESLint rule to work with any
package (not just loot-core) and enable it globally. Add subpath import
mappings to cli, component-library, and sync-server package.json files.
Auto-fix all backtracked relative imports to use #-prefixed subpath
imports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7462
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix mock specifiers in accounts.test.ts to use aliased imports
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix mock specifiers in query.test.ts to use aliased imports
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix ESLint rule to properly validate src/ directory paths
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Add publishConfig.imports for sync-server to remap aliases to build directory
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Set .husky/pre-commit hook as executable
The pre-commit hook was being ignored by git because it lacked the
executable permission bit, producing a warning on every commit attempt.
https://claude.ai/code/session_016jLmTo6L5PxMKK8wJMptCP
* Add release notes for PR #7461
* Update 7461.md
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Consolidate loot-core connection: default web path, electron split, drop .browser
* [autofix.ci] apply automated fixes
* [AI] Replace browser-preload .browser extension with package.json subpath imports
Use the imports field in desktop-client/package.json with conditional
resolution (electron → empty stub, default → real implementation) to
eliminate the last .browser file extension from the codebase.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Refactor connection imports to use @actual-app/core
* Implement connection mock for desktop-client tests and update import path
* [AI] Fix formatting and update imports after master merge
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix connection mock in TransactionsTable tests and use electron-renderer condition
Wire up the manual connection mock for TransactionsTable tests since the
__mocks__ directory was removed, and restore electron-renderer condition
in loot-core package.json exports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [autofix.ci] apply automated fixes
* [AI] Remove redundant resolveExtensions from vite configs
These arrays were identical to Vite's built-in default and served no purpose.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Remove remaining resolveExtensions from vite/vitest configs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix build failures: update browser-preload import path and condition
- Change loot-core/shared/platform to @actual-app/core/shared/platform
- Use electron-renderer condition for #browser-preload to match vite resolve
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Remove redundant resolveExtensions from api and loot-core desktop configs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Remove '*.browser.ts' extension and alias resolutions
Removed the special '*.browser.ts' file extension and file resolutions via alias, preferring conditions.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Harden GitHub Actions workflows against low-severity security issues
- generate-release-pr.yml: replace `eval` with an associative array for
per-package version tracking. The version input was already moved to an
env var in #7433, so this removes the remaining defense-in-depth concern
of `eval`ing subshell output.
- create-release-notes-file.js: validate the OpenAI-returned category
against the known allow-list (Features, Bugfixes, Enhancements,
Maintenance), validate the author against the GitHub username regex,
and collapse the summary to a single line before embedding it in the
markdown body. Prevents indirect prompt-injection via CodeRabbit
comments from producing malformed YAML frontmatter.
- generate-summary.js: stop logging the full CodeRabbit comment body to
CI logs.
- netlify-release.yml, i18n-string-extract-master.yml: pass secrets via
`env:` blocks rather than as CLI arguments, so they do not appear in
argv / process listings.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
* Add release notes for PR #7448
* [AI] Address review feedback on security hardening
- create-release-notes-file.js: stop logging the full fileContent body.
Only log the target filename plus the (already-validated) category and
author metadata, so the model-generated release-note text doesn't end
up in CI logs.
- create-release-notes-file.js: validate summaryData.prNumber as a
positive integer before using it in the file path or commit message,
and switch both usages to the validated numeric value.
- i18n-string-extract-master.yml: write the Weblate API key into
~/.config/weblate under a [keys] section in a new "Configure Weblate
API credentials" step, then drop the per-step env blocks and the
--key CLI flag from every wlc invocation so the secret is no longer
visible in process listings at all.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
* [AI] Remove debug console.log statements for category in release notes script
Remove the four "Debug - ..." console.log calls that printed the raw
category env var (value/type/JSON-stringified form) plus the cleanCategory
value. They were clutter in CI logs; the existing info-level
"Creating release notes file: ... (category: ..., author: ...)" log
already surfaces the sanitized category.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
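The validation described in the workflow-hardening commits above (category allow-list, author check against a GitHub username pattern, single-line summary, positive-integer PR number), as an added example that is not the project's `create-release-notes-file.js`. The function name `buildReleaseNote`, the frontmatter layout and the username regex are assumptions (the page does not show the project's own), and the inputs in the demo are constructed.

```javascript
// Allow-list taken from the commit message.
const ALLOWED_CATEGORIES = ['Features', 'Bugfixes', 'Enhancements', 'Maintenance'];

// Assumption: a commonly used GitHub username pattern (1-39 characters,
// alphanumeric or single hyphens, no leading, trailing or doubled hyphen).
const GITHUB_USERNAME = /^[a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38}$/i;

// Hypothetical helper: turn untrusted, model-produced metadata into a release
// note, or throw. Nothing reaches the frontmatter without passing a check.
function buildReleaseNote({ prNumber, category, author, summary }) {
  // PR number: digits only, no sign, no leading zero, no path characters.
  const prText = String(prNumber);
  if (!/^[1-9]\d*$/.test(prText) || !Number.isSafeInteger(Number(prText))) {
    throw new Error('invalid PR number');
  }
  const pr = Number(prText);

  // Category: exact match against the allow-list, so a value carrying a
  // newline and extra YAML keys is rejected rather than escaped.
  if (typeof category !== 'string' || !ALLOWED_CATEGORIES.includes(category.trim())) {
    throw new Error('invalid category');
  }
  const cleanCategory = category.trim();

  // Author: must look like a GitHub username; brackets, commas and newlines
  // would otherwise break out of the YAML flow sequence.
  if (typeof author !== 'string' || !GITHUB_USERNAME.test(author)) {
    throw new Error('invalid author');
  }

  // Summary: collapse all whitespace runs (newlines included) to one space so
  // the text cannot start a second frontmatter block or add new lines.
  if (typeof summary !== 'string') {
    throw new Error('invalid summary');
  }
  const cleanSummary = summary.replace(/\s+/g, ' ').trim();
  if (cleanSummary === '') {
    throw new Error('empty summary');
  }

  return {
    // The validated numeric value is used for the filename, not the raw input.
    filename: `${pr}.md`,
    content: `---\ncategory: ${cleanCategory}\nauthors: [${author}]\n---\n\n${cleanSummary}\n`,
  };
}

// Constructed inputs: one well-formed, one with an injected category.
const demoInputs = [
  { prNumber: '7448', category: 'Maintenance', author: 'octocat', summary: 'Harden CI\nworkflows' },
  { prNumber: '7448', category: 'Maintenance\nauthors: [someone-else]', author: 'octocat', summary: 'x' },
];
for (const input of demoInputs) {
  try {
    console.log(buildReleaseNote(input));
  } catch (err) {
    // Log only the rejection reason, never the untrusted body.
    console.log('rejected:', err.message);
  }
}
```
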
* [AI] Migrate desktop-client to subpath imports
Replace the `@desktop-client/*` path alias with Node.js subpath
imports (`#*`) across packages/desktop-client:
- Declare the full `imports` map in packages/desktop-client/package.json
(bare index entries, root-level files, and per-subdirectory wildcards
with explicit extension overrides where `.ts` and `.tsx` mix).
- Update all source files to import from `#...` specifiers.
- Drop the `@desktop-client` group from .oxfmtrc.json.
- Enable `actual/prefer-subpath-imports` for desktop-client in
.oxlintrc.json so future code keeps using the subpath form.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Drop legacy desktop-client aliases
Remove the `@desktop-client/*` and `loot-core/*` path aliases from
vite.config.ts and tsconfig.json now that every desktop-client source
file imports via subpath imports / `@actual-app/core`.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Release notes
* [AI] Use electron-renderer condition for renderer-only exports
Desktop-client's Vite build used the `electron` resolve condition, which
overlapped with loot-core exports where `electron` means the Node/main
variant (e.g. `shared/platform.electron.ts` using `os`,
`platform/server/asyncStorage/index.electron.ts` using `fs`). Once the
`loot-core` Vite alias was removed, the renderer bundle started pulling
those Node variants and crashed at runtime with
`It.default.platform is not a function` inside `platform.electron.ts`.
Introduce a distinct `electron-renderer` condition used only by
desktop-client's Vite config, and rename the `electron` key to
`electron-renderer` on the sole loot-core export whose `electron` branch
is the Electron renderer variant (`#/./platform/client/connection`, the
IPC `global.Actual.ipcConnect` file). Every other `electron`-conditioned
export keeps its Node semantics and is still matched by loot-core's own
`vite.desktop.config.ts` (`conditions: ['electron']`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Drop .electron.* extensions from loot-core desktop resolver
Now that every Node/main variant is selected via the `electron` subpath
import condition in `packages/loot-core/package.json`, Vite's
`resolveExtensions` list no longer needs the `.electron.js`,
`.electron.ts`, `.electron.tsx` entries. Remove them to keep resolution
explicit and avoid implicit extension picking.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Align desktop-client TS resolution with Vite
- Set `customConditions: ["electron-renderer"]` in
`packages/desktop-client/tsconfig.json` so TypeScript resolves
conditional imports (notably `@actual-app/core/platform/client/connection`)
to the same file Vite picks at runtime. Today the surfaces happen to
match because both variants import from a shared `index-types.ts`,
but the alignment prevents a latent drift bug.
- Fix typo in the release note (`Standartise` -> `Standardise`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add subpath import wildcard patterns and explicit directory entries to loot-core
Extend the package.json imports field with prefix-specific wildcard patterns
(#server/*, #shared/*, #types/*, #mocks/*, #platform/*) and explicit entries
for directory imports (#server/db, #server/sync, etc.) to support the ongoing
migration from relative imports to subpath imports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7429
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Add rate limiting to authentication endpoints
Add strict rate limiting (5 attempts per 15 minutes) to /account/login,
/account/bootstrap, and /account/change-password endpoints to prevent
brute-force password attacks. Uses express-rate-limit as route-level
middleware on auth-sensitive routes only.
https://claude.ai/code/session_017SHnNCn93RzxpvEEPJAZUZ
* [AI] Add release notes and remove rate limit from /change-password
Add upcoming release notes file for the auth rate limiting feature.
Remove rate limiting from /change-password since it already requires
a valid admin session token.
https://claude.ai/code/session_017SHnNCn93RzxpvEEPJAZUZ
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Fix script injection in vrt-update-apply.yml workflow
Use environment variables instead of direct expression interpolation
in the github-script step to prevent potential script injection via
artifact-sourced values (steps.apply.outputs.error and
steps.metadata.outputs.pr_number).
https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
* [AI] Fix script injection in generate-release-pr.yml workflow
Use environment variable instead of direct expression interpolation
for github.event.inputs.version in the shell script context to
prevent potential command injection.
https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
* [AI] Add release notes for #7433
https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Add ErrorBoundary around dashboard widgets (#7273)
Wraps each dashboard widget in an ErrorBoundary so a faulty widget
degrades to an error card instead of crashing the entire Reports page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7382
* [autofix.ci] apply automated fixes
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Fix Net Worth graph showing N-1 intervals, resulting in inconsistent totalChange value.
* Fix starting date being wrong for 'daily' and 'weekly'
* Linting
* Add release note
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7296
* Remove manipulation of startDate for 'yearly'
The result was not consistent with the report's previous behavior when yearly was selected (it went back too far).
* Remove empty datapoint at beginning when start equals earliest transaction
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* trim down some unused/unnecessary dependencies (#7350)
* fix github actions inconsistencies
* fix pinning of transitive deps in eslint-plugin
* drop use of node-fetch in api
* drop md5 dependency in favour of node:crypto
* drop slash
* drop unused top level packages
* add note about node-polyfills warning
* remove unused deps from desktop-client
* drop pegjs types
* note
* drop node-jq
* [Doc] More tour image (mostly) updates & a hotkey fix (#7328)
* Fix keyboard shortcut Mac key for undo operations
Updated keyboard shortcut instructions for Mac & make consistent.
* Add files via upload
* Fix undo shortcut from 'K' to 'Z'
Updated keyboard shortcut for undo operation in payees guide. COFFEE!
* Revise budget section for clarity and consistency
Updated category descriptions and improved Markdown support details.
* Add files via upload
* Fix grammatical error in budget.md
* Fix typo and clarify Markdown description in budget.md
Corrected a typo in the documentation regarding the chevrons and clarified the description of rendered Markdown.
* Fix spelling error in budget documentation
Corrected the spelling of 'cheverons' to 'chevrons'.
* Add files via upload
* Remove redundant text in budget.md
* Fix formatting issues in payees.md
* count points script should fetch the release note from the PR directly (#7309)
* get pr release note from PR, not top of master
* note
* [AI] Mobile: Post transaction today on global account lists (#7311) (#7322)
* [AI] Mobile: pass today for Post transaction today on global account lists (#7311)
All Accounts, On budget, and Off budget transaction lists now forward the
today flag to schedule/post-transaction, matching single-account mobile
and desktop behavior.
Made-with: Cursor
* [AI] Add release note for PR 7322 (#7311)
Made-with: Cursor
* [AI] Tighten release note wording for PR 7322 (imperative)
Made-with: Cursor
---------
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
---------
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* Implement Sankey report for spent and budgeted money (#7220)
* Implement Sankey graph report
* Add release notes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Remove local debug settings
* [autofix.ci] apply automated fixes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Improve graphs from comments
* Fix lints
* coderabbit fixes
* Fix filtering and UI enhancements
* remove pngs
* Fix typecheck
* Another type issue
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Fix strict typing issues
* Update report page
Now better conforms with components from other reports, e.g. by reusing Header
Makes it possible to display a period longer than one month.
* Change view description order
* Formatting and cleanup
* Removed difference section, as it will be difficult to get a reliable view across months
* Introduce the Timeframe param, similar to Spending report, to allow saving a Live sliding window.
* Allow filtering just the last month
* Fix linting errors
* Remove all information about income
* Remove debugging statement
* Sort categories and subcategories by amount
* Move compact mode to spreadsheet to fix Card view more easily
* Update tests file
* Add release notes
* Rename release notes to match PR#
* Fix autofix.ci issues
* Update packages/desktop-client/e2e/sankey.test.ts
Enable experimental feature for all tests, per coderabbit recommendation
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Add sankey-card to isWidgetType
* Gate Sankey routes to prevent direct URL bypass
* Fix typo
* Change node transformation to work by key instead of name, to remove risk of duplicate issues
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Prevent false-positive pass in month-change test.
* Translate mode to a proper label
* Fix message for empty data
* Enabled LoadingIndicator until data is ready
* Change card default mode
* More robust filtering
* Fixed issue with budgeted spreadsheet not using 'end' date
* Allow copying SankeyCard to dashboard
* Fix typing and linting issues
* Remove e2e tests
I cannot currently get them to pass, because I don't fully understand playwright and how they are supposed to work. I can see that they don't exist for other reports. We can add them later if required.
* Remove unnecessary sankey reference
* Refactor spreadsheet
* Remove dead code from SankeyGraph
* Collect to Other if too many subcategories
* Edit wrong comment
* Linting and typechecking
* Show remaining amount to budget
* Hide description on narrow device
* Add visual clue if 'To budget' is larger than 'Budgeted' and would extend below the edge of the graph
* Add colors to the links
* Fix report card showing subcategories instead of main categories
* Add tooltip info to Other on SankeyCard
* Create globalOther flag and implement greedy category reduction algorithm
* Allow user to select between Global or Per category Other
* Allow user to choose number of subcategories to show
* Allow user to select how subcategories are sorted
* Fix budget filtering
* [autofix.ci] apply automated fixes
* Condense sorting and Other-grouping to one option
* Implement Sort as budget option
* Dynamically adjust topN based on SankeyCard height
* Remove old feature flags from previous PR
---------
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix yarn generate:icons command (#7281)
* fix icon templates with `module.exports` to `export default`
* Add `@svgr/babel-plugin-add-jsx-attribute` to dependencies
* Run `yarn generate:icons`, and set prettier singleQuote to reduce changes
* Add release note
* Add temporary fix for `SvgChartArea`
* Add `ChartArea` svg from the existing tsx
* CI rerun
* Standardise ledger scrolling when using keyboard shortcuts (#7283)
* Standardise table keyboard navigation by preventing browser scroll with arrow keys
* Add release note
* Apply the preventDefault() in specific cases so that it is not applied to default
---------
Co-authored-by: youngcw <calebyoung94@gmail.com>
* Fix updateTransaction corrupting split parents with partial updates (#7242)
* [AI] Fix updateTransaction corrupting split parents with partial updates
When `api.updateTransaction(id, { notes: '...' })` is called on a split
parent, the `updateTransaction` helper replaces the parent with the
sparse update object (`{ id, notes }`) instead of merging it with
the existing transaction data. This causes `recalculateSplit` to see
`amount` as `undefined` (→ 0), which doesn't match the children's
total and sets a `SplitTransactionError` on the parent. `makeChild`
also inherits undefined `account`, `date`, and `cleared` values,
potentially creating broken child rows.
Fix: merge the incoming partial fields (`{ ...trans, ...transaction }`)
so all existing properties are preserved.
Add a test that performs a notes-only update on a split parent and
asserts no error is set and the amount stays intact.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Add release notes for PR #7242
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Address review feedback: remove verbose comment and simplify release note
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: L. Warren Thompson <lwarrenthompson@Warren-MBP.local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Add electron conditions to loot-core platform/server exports and fix imports
- Add "electron" condition to platform/server exports (asyncStorage,
connection, fetch, fs, sqlite) so they resolve to .electron.ts files
when using the electron export condition
- Remove broken ./client/platform export referencing non-existent files
- Convert deep relative imports in electron files to subpath imports
(#types/prefs, #server/errors, #server/mutators)
https://claude.ai/code/session_01FPpKnozt42Mf79YHAT6ytM
* [AI] Convert remaining relative imports to subpath imports in electron files
- Convert ../fs, ../log, ../../exceptions to subpath imports
(#platform/server/fs, #platform/server/log, #platform/exceptions)
- Add electron-conditional entries to the imports field in package.json
for all 5 platform/server modules with electron variants
- Add resolve.conditions: ['electron'] to vite.desktop.config.ts so the
electron condition is recognized during desktop builds
https://claude.ai/code/session_01FPpKnozt42Mf79YHAT6ytM
* Add release notes for PR #7383
* [AI] Fix API build and test failures from conditional exports
- Add "api" condition to all 5 platform/server exports and imports
entries so the API build resolves to .api.ts variants correctly
- Add resolve.conditions and ssr.resolve.conditions: ['api'] to
packages/api/vite.config.ts
- Add explicit #platform/server/log and #platform/exceptions entries
to the imports field (array fallback in #* wildcard doesn't work for
directory modules)
- Revert #platform/server/fs back to relative ../fs import in
asyncStorage/index.electron.ts — subpath imports for platform modules
with electron variants don't work in vitest because the test runner
doesn't propagate resolve.conditions to Node's import resolution
https://claude.ai/code/session_01FPpKnozt42Mf79YHAT6ytM
* fix: apply CodeRabbit auto-fixes
Fixed 2 file(s) based on 2 unresolved review comments.
Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
* [autofix.ci] apply automated fixes
* Enhance package.json and Vite configurations for Electron support; refactor imports to use new path aliases. Added new paths for server and shared modules, updated SSR settings, and improved test configurations for better module resolution.
* [AI] Merge electron condition with default Vite conditions in vitest config
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Move @ts-strict-ignore comment to first line in reset.ts
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
---------
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Juulz <julesmcn@gmail.com>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: Emil Tveden Bjerglund <emilbp@gmail.com>
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: James Skinner <56730344+JSkinnerUK@users.noreply.github.com>
Co-authored-by: L. Warren Thompson <warren.thompson@zuirail.com>
Co-authored-by: L. Warren Thompson <lwarrenthompson@Warren-MBP.local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix accounts list: compute balances, hide closed, sort by budget group
- Replace empty `balance_current` (bank-sync field) with computed `balance`
from transaction history via `getAccountBalance`
- Filter out closed accounts by default; add `--include-closed` flag
- Stable-sort on-budget accounts before off-budget
- Add `balance_current` to AMOUNT_FIELDS for table/csv formatting
- Update docs and tests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Extract duplicate isRecord type guard to shared utils
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add types condition to api package exports for tsc resolution
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update packages/cli/src/commands/query.ts
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* [AI] Add balance_available/balance_limit to AMOUNT_FIELDS, validate query result.data
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix crash viewing account ledger with expired recurring schedules
Guard against null return from getNextDate() when a recurring schedule
has an end date in the past and no future occurrences exist.
Fixes #7285
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7381
* [AI] Address code review feedback for PR #7381
Revert schedule-template.ts changes and fix test names/assertions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Simplify bugfix description for account ledger crash
Removed redundant information about null checks in the bugfix description.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Clarify that E2E encryption does not cover bank sync tokens (#5550)
Update docs and in-app text to make clear that end-to-end encryption
only applies to budget data, not bank sync tokens stored on the server.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7392
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Fix custom report editor retaining unsaved settings
The session storage clear condition only fired when navigating from
the /reports dashboard. Since the URL tracking runs inside the report
component, the stored URL always pointed to the last report path, so
revisiting the same report never triggered the clear.
Changed the condition to clear session storage whenever the stored URL
differs from the current path. This handles navigating from the
dashboard, from another report, or any other page.
Fixes #7332
* Add release notes for PR #7356
* Implement Sankey graph report
* Add release notes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Remove local debug settings
* [autofix.ci] apply automated fixes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Improve graphs from comments
* Fix lints
* coderabbit fixes
* Fix filtering and UI enhancements
* remove pngs
* Fix typecheck
* Another type issue
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Fix strict typing issues
* Update report page
Now better conforms with components from other reports, e.g. by reusing Header
Makes it possible to display a period longer than one month.
* Change view description order
* Formatting and cleanup
* Removed difference section, as it will be difficult to get a reliable view across months
* Introduce the Timeframe param, similar to Spending report, to allow saving a Live sliding window.
* Allow filtering just the last month
* Fix linting errors
* Remove all information about income
* Remove debugging statement
* Sort categories and subcategories by amount
* Move compact mode to spreadsheet to fix Card view more easily
* Update tests file
* Add release notes
* Rename release notes to match PR#
* Fix autofix.ci issues
* Update packages/desktop-client/e2e/sankey.test.ts
Enable experimental feature for all tests, per coderabbit recommendation
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Add sankey-card to isWidgetType
* Gate Sankey routes to prevent direct URL bypass
* Fix typo
* Change node transformation to work by key instead of name, to remove risk of duplicate issues
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Prevent false-positive pass in month-change test.
* Translate mode to a proper label
* Fix message for empty data
* Enabled LoadingIndicator until data is ready
* Change card default mode
* More robust filtering
* Fixed issue with budgeted spreadsheet not using 'end' date
* Allow copying SankeyCard to dashboard
* Fix typing and linting issues
* Remove e2e tests
I cannot currently get them to pass, because I don't fully understand playwright and how they are supposed to work. I can see that they don't exist for other reports. We can add them later if required.
* Remove unnecessary sankey reference
* Refactor spreadsheet
* Remove dead code from SankeyGraph
* Collect to Other if too many subcategories
* Edit wrong comment
* Linting and typechecking
* Show remaining amount to budget
* Hide description on narrow device
* Add visual clue if 'To budget' is larger than 'Budgeted' and would extend below the edge of the graph
* Add colors to the links
* Fix report card showing subcategories instead of main categories
* Add tooltip info to Other on SankeyCard
* Create globalOther flag and implement greedy category reduction algorithm
* Allow user to select between Global or Per category Other
* Allow user to choose number of subcategories to show
* Allow user to select how subcategories are sorted
* Fix budget filtering
* [autofix.ci] apply automated fixes
* Condense sorting and Other-grouping to one option
* Implement Sort as budget option
* Dynamically adjust topN based on SankeyCard height
* Remove old feature flags from previous PR
---------
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix yarn generate:icons command (#7281)
* fix icon templates with `module.exports` to `export default`
* Add `@svgr/babel-plugin-add-jsx-attribute` to dependencies
* Run `yarn generate:icons`, and set prettier singleQuote to reduce changes
* Add release note
* Add temporary fix for `SvgChartArea`
* Add `ChartArea` svg from the existing tsx
* CI rerun
* Standardise ledger scrolling when using keyboard shortcuts (#7283)
* Standardise table keyboard navigation by preventing browser scroll with arrow keys
* Add release note
* Apply the preventDefault() in specific cases so that it is not applied to default
---------
Co-authored-by: youngcw <calebyoung94@gmail.com>
* Bump lodash from 4.17.23 to 4.18.1
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)
---
updated-dependencies:
- dependency-name: lodash
dependency-version: 4.18.1
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
* note
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Juulz <julesmcn@gmail.com>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: Emil Tveden Bjerglund <emilbp@gmail.com>
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: James Skinner <56730344+JSkinnerUK@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
* implement our own GoCardless api class
* switch the service to use the new api
* drop deps
* note
* guard against request forgery
* strip empty params from the request body, add error logging
* coderabbit suggestions
* fix test, make institution nullable