docs: add Architecture Decision Records page with bank sync credential ADR (#6965)

* docs: add Architecture Decision Records page for controversial decisions

Co-authored-by: Cursor <cursoragent@cursor.com>

* Add release notes for PR #6965

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Matiss Janis Aboltins
2026-02-14 01:14:15 +00:00
committed by GitHub
parent a0378c10a9
commit 09d85bbdc5
3 changed files with 22 additions and 0 deletions


@@ -326,6 +326,7 @@ const sidebars = {
'contributing/leadership/funding',
'contributing/leadership/triaging-issues',
'contributing/leadership/new-core-contributors-guide',
'contributing/leadership/architecture-decision-records',
'contributing/leadership/cursor-ide',
'contributing/leadership/paying-contributors',
],
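Review bot: the new entry 'contributing/leadership/architecture-decision-records' is filed in the leadership group between new-core-contributors-guide and cursor-ide, while the page it points to says its rationale is meant for contributors and users in general; consider whether a section every contributor reads is a better home. Also confirm the doc id resolves to the markdown file this PR adds, since the file's path is not shown alongside its content in this view.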


@@ -0,0 +1,15 @@
# Architecture Decision Records
The core maintainers sometimes make decisions that are non-obvious or controversial. We record them here so that the rationale is clear for contributors and users, and so we can refer back to them when similar questions come up.
We are open to revisiting these decisions if someone with more experience or knowledge proposes a better approach.
---
## Bank sync: credential storage
**Decision:** Bank sync credentials are stored on the sync server in plain text. They are not encrypted on the client and are not stored in the budget file.
**Rationale:** Encrypting credentials on the client (or making encryption optional) does not materially improve security. If the server is compromised, secrets still need to be decrypted during normal operation and can be obtained at that point. Keeping credentials only on the server avoids exposing them to extensions and plugins, which would increase the attack surface. Actual Budget does not provide strong isolation between untrusted users on a shared instance; users who need isolation should run separate instances.
**Consequences:** The design stays simpler, security guarantees are clearer, and maintenance cost is lower. Server administrators can access credentials, and a compromised server is not protected by encryption.
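Review bot: the **Rationale:** line rests on "secrets still need to be decrypted during normal operation", which is only true because the sync server itself uses the credentials to talk to the bank on the user's behalf; say that explicitly, otherwise a reader will ask why client-side encryption with a key the server never holds was rejected, since in that design the server would never see plaintext. Two more things a reader of this ADR will look for: first, define what "plain text" covers operationally (the server's data store, its backups, and anything that logs requests), so administrators know those need the same protection as the credentials; second, have the **Consequences:** line spell out the trust boundary the decision relies on, namely that the server administrator, anyone with read access to the server's storage or backups, and anyone with code execution on the server can read every user's bank credentials, which is the concrete reason shared instances between untrusted users are unsupported. A status and date on the record would also tell future readers whether it is still current, given the page invites revisiting.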