* [AI] Emit bundle stats from the crdt package
The crdt package was the only published library without a stats.json
artifact. Migrate its build to Vite (mirroring the api/cli setup), wire
in rollup-plugin-visualizer to emit dist/stats.json, and upload it from
the CRDT CI job. Declarations are still produced by tsgo via
--emitDeclarationOnly.
https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ
* Add release notes for PR #7537
* [AI] crdt: drop redundant rm -rf dist from build script
Vite's build.emptyOutDir: true already clears the output directory
before writing, so the leading rm -rf dist is unnecessary.
https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ
* [AI] Include crdt in the size-compare bundle stats table
Wait for the crdt build check on both the base branch and the PR,
download the crdt-build-stats artifact for each, and pass it to
bundle-stats-comment.mjs so the summary table rendered on the PR
includes a row for the crdt package alongside desktop-client,
loot-core, api, and cli.
https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Fix type errors for API consumers by shipping .d.ts declarations from loot-core
Downstream consumers of @actual-app/api with strict: true get type errors
because @actual-app/core exports raw .ts source files. Consumers' tsc
follows the import chain into core's source (compiled with strict: false),
and skipLibCheck doesn't help since it only skips .d.ts files.
Add "types" conditions to all imports/exports entries in loot-core's
package.json, pointing to the pre-built declarations in lib-dist/decl/.
Add .npmignore to include lib-dist/decl/ in the published package.
Fixes#7410
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Use prepack/postpack scripts instead of inflating package.json
Replace the inline "types" conditions in imports/exports with a prepack
script that adds them at pack/publish time. This keeps the checked-in
package.json clean while still shipping .d.ts declarations to npm
consumers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Convert prepack/postpack scripts to TypeScript
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7468
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix recursive ExportValue type and remove redundant comment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Rename scripts to .mts and inline types conditions
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Make backup/restore scripts safer
- Check if backup exists before creating it in prepack
- Make restore idempotent by checking if backup exists in postpack
- Prevents overwriting existing backups from interrupted runs
- Addresses CodeRabbit review feedback
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Type api-handlers.ts fields to drop implicit any
The `fields` / export-args slots in the ApiHandlers contract were
untyped, surfacing as TS7008 errors in strict consumers. Replace them
with the `Partial<APIXxxEntity>` shapes the `@actual-app/api` wrappers
already pass, and annotate the matching call sites in `api.ts` with
`@ts-expect-error` where the legacy helpers still declare full-entity
parameters despite accepting partial updates at runtime.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Replace vite-plugin-dts with tsgo for api types
Drops vite-plugin-dts in favor of running tsgo --emitDeclarationOnly
after the vite bundle, eliminating a heavy dev dependency tree
(api-extractor, volar, vue language-core) from the api package build.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add build script to loot-core to emit declarations via lage
`yarn build:cli` failed in CI with TS6305 because api's
`tsgo --emitDeclarationOnly` depends on loot-core's pre-built
`lib-dist/decl/*.d.ts`, but loot-core had no `build` script, so lage's
`^build` cascade silently skipped it. Add `"build": "tsgo -b"` so loot-core
slots into the dependency chain; its tsconfig already has
`emitDeclarationOnly: true`, so the output is declarations only.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Simplify API build
* [AI] Document TypeScript moduleResolution requirement for @actual-app/api
The published declarations rely on package.json exports conditions, which
classic node / node10 resolvers don't honor. Document the supported modes
(bundler / nodenext / node16) in the package README and in the Getting
Started section of the API docs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Type-guard default value in add-types-conditions prepack
`value.default` is typed `ExportValue | undefined`, which allows nested
conditional objects. The previous truthy check fell through to
`shouldSkip(defaultValue)` and would crash on `.endsWith()` if that shape
ever appeared. Replace with a `typeof === 'string'` narrowing and drop a
now-redundant "Insert types as the first key" comment.
No runtime change on current package.json — no nested `default` values
exist today — but the script is not covered by loot-core's tsconfig
include, so the latent type issue was silent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Allow "nodenext" in docs spellcheck expect list
Referenced in the new TypeScript moduleResolution note in the API docs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Move loot-core declarations to @types and whitelist publish with files
Relocate loot-core's composite TypeScript output from lib-dist/decl to the
top-level @types directory, matching the api package's convention. Replace
the old .npmignore blacklist with an explicit package.json files whitelist.
- tsconfig.json: outDir @types, exclude test/mock dirs from decl emission
- scripts/add-types-conditions.mts: rewrite paths to ./@types/src/...
- package.json: files whitelist shipping only src, @types, migrations,
typings, default-db.sqlite; drop legacy typesVersions (docs now require
moduleResolution bundler/nodenext/node16, so the classic-resolution
fallback is unused)
- .gitignore: ignore the new @types build artifact
- lage.config.js: factor outputGlob into a shared BUILD_OUTPUT_GLOBS
constant and add @types/** so lage caches loot-core's decl output
- root tsconfig.json: tighten exclude from packages/api/@types to
packages/*/@types to cover both api and loot-core
- delete .npmignore entirely
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Build loot-core declarations inside prepack
yarn workspace @actual-app/core pack is the first non-setup step in the
publish workflow, running before any build. Without a build chained into
prepack the @types/ tree is empty at pack time, so the tarball shipped a
transformed package.json pointing at ./@types/src/... paths that didn't
exist. npm publish doesn't re-run hooks on a pre-packed tarball, so the
frozen snapshot must be self-contained; prepack now runs yarn build first
to populate @types/ before add-types-conditions rewrites the exports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Harden GitHub Actions workflows against low-severity security issues
- generate-release-pr.yml: replace `eval` with an associative array for
per-package version tracking. The version input was already moved to an
env var in #7433, so this removes the remaining defense-in-depth concern
of `eval`ing subshell output.
- create-release-notes-file.js: validate the OpenAI-returned category
against the known allow-list (Features, Bugfixes, Enhancements,
Maintenance), validate the author against the GitHub username regex,
and collapse the summary to a single line before embedding it in the
markdown body. Prevents indirect prompt-injection via CodeRabbit
comments from producing malformed YAML frontmatter.
- generate-summary.js: stop logging the full CodeRabbit comment body to
CI logs.
- netlify-release.yml, i18n-string-extract-master.yml: pass secrets via
`env:` blocks rather than as CLI arguments, so they do not appear in
argv / process listings.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
* Add release notes for PR #7448
* [AI] Address review feedback on security hardening
- create-release-notes-file.js: stop logging the full fileContent body.
Only log the target filename plus the (already-validated) category and
author metadata, so the model-generated release-note text doesn't end
up in CI logs.
- create-release-notes-file.js: validate summaryData.prNumber as a
positive integer before using it in the file path or commit message,
and switch both usages to the validated numeric value.
- i18n-string-extract-master.yml: write the Weblate API key into
~/.config/weblate under a [keys] section in a new "Configure Weblate
API credentials" step, then drop the per-step env blocks and the
--key CLI flag from every wlc invocation so the secret is no longer
visible in process listings at all.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
* [AI] Remove debug console.log statements for category in release notes script
Remove the four "Debug - ..." console.log calls that printed the raw
category env var (value/type/JSON-stringified form) plus the cleanCategory
value. They were clutter in CI logs; the existing info-level
"Creating release notes file: ... (category: ..., author: ...)" log
already surfaces the sanitized category.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Fix script injection in vrt-update-apply.yml workflow
Use environment variables instead of direct expression interpolation
in the github-script step to prevent potential script injection via
artifact-sourced values (steps.apply.outputs.error and
steps.metadata.outputs.pr_number).
https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
* [AI] Fix script injection in generate-release-pr.yml workflow
Use environment variable instead of direct expression interpolation
for github.event.inputs.version in the shell script context to
prevent potential command injection.
https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
* [AI] Add release notes for #7433https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
---------
Co-authored-by: Claude <noreply@anthropic.com>
* fix github actions inconsistencies
* fix pinning of transitive deps in eslint-plugin
* drop use of node-fetch in api
* drop md5 dependency in favour of node:crypto
* drop slash
* drop unused top level packages
* add note about node-polyfills warning
* remove unused deps from desktop-client
* drop pegjs types
* note
* drop node-jq
* [AI] Add @actual-app/cli package
New CLI tool wrapping the full @actual-app/api surface for interacting with
Actual Budget from the command line. Connects to a sync server and supports
all CRUD operations across accounts, budgets, categories, transactions,
payees, tags, rules, schedules, and AQL queries.
* Refactor CLI options: replace `--quiet` with `--verbose` for improved message control. Update related configurations and tests to reflect this change. Adjust build command in workflow for consistency.
* Refactor tests: streamline imports in connection and accounts test files for improved clarity and consistency. Remove dynamic imports in favor of static imports.
* Enhance package.json: Add exports configuration for module resolution and publish settings. This includes specifying types and default files for better compatibility and clarity in package usage.
* Update package.json exports configuration to support environment-specific module resolution. Added 'development' and 'default' entries for improved clarity in file usage.
* Enhance CLI functionality: Update configuration loading to support additional search places for config files. Refactor error handling in command options to improve validation and user feedback. Introduce new utility functions for parsing boolean flags and update related commands to utilize these functions. Add comprehensive tests for new utility functions to ensure reliability.
* Update CLI TypeScript configuration to include Vitest globals and streamline test imports across multiple test files for improved clarity and consistency.
* Update CLI dependencies and build workflow
- Upgrade Vite to version 8.0.0 and Vitest to version 4.1.0 in package.json.
- Add rollup-plugin-visualizer for bundle analysis.
- Modify build workflow to prepare and upload CLI bundle stats.
- Update size comparison workflow to include CLI stats.
- Remove obsolete vitest.config.ts file as its configuration is now integrated into vite.config.ts.
* Enhance size comparison workflow to include CLI build checks and artifact downloads
- Added steps to wait for CLI build success in both base and PR workflows.
- Included downloading of CLI build artifacts for comparison between base and PR branches.
- Updated failure reporting to account for CLI build status.
* Update documentation to replace "CLI tool" with "Server CLI" for consistency across multiple files. This change clarifies the distinction between the command-line interface for the Actual Budget application and the sync-server CLI tool.
* Refactor configuration to replace "budgetId" with "syncId" across CLI and documentation
* Enhance configuration validation by adding support for 'ACTUAL_ENCRYPTION_PASSWORD' and implementing a new validation function for config file content. Update documentation to clarify error output format for the CLI tool.
* Enhance configuration tests to include 'encryptionPassword' checks for CLI options and environment variables, ensuring proper priority handling in the configuration resolution process.
* Update nightly versioning script to use yarn
* Align versions
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Add yarn constraints to enforce consistent dependency versions
Adds a `yarn.config.cjs` that uses Yarn 4's built-in constraints feature
to detect when the same dependency is declared with different version
ranges across workspaces. Workspace protocol references and
peerDependencies are excluded from the check.
Also adds a `yarn constraints` convenience script and the `@yarnpkg/types`
dev dependency for type-checked constraint authoring.
https://claude.ai/code/session_01B1xRjZXn6b18anZjo8cbqb
* Add release notes for PR #7229
* Add constraints job to GitHub Actions workflow
* Fix constraints
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Publish loot-core (@actual-app/core) nightly first in workflow
* [autofix.ci] apply automated fixes
* Refactor imports and update configuration
- Updated .oxfmtrc.json to change "parent" to ["parent", "subpath"].
- Removed unnecessary blank lines in various TypeScript files to improve code readability.
- Adjusted import order in reports and rules files for consistency.
* Add workflow steps to pack and publish the core package nightly
* Remove nightly tag from npm publish command in workflow for core package
* Update post-build script comment to reflect correct workspace command for loot-core declarations
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [AI] Extract PR/commit rules into shared agent skill
Deduplicate PR and commit instructions from AGENTS.md into a standalone
skill file at .github/agents/pr-and-commit-rules.md. This single source
of truth is consumed by both Claude Code (via CLAUDE.md @-import) and
Cursor (via .cursor/rules/pr-and-commit.mdc with alwaysApply: true).
AGENTS.md now references the shared file instead of repeating the rules
in three separate sections.
https://claude.ai/code/session_01KkHg7MYXrTyDkTw6u98Vam
* Add release notes for PR #7153
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* 🔖 (26.3.0)
* Remove used release notes
* Add release notes for PR #7097
* Remove used release notes
* Remove used release notes
* Add release notes for version 26.3.0
* Add new terms to spelling expectation list
* Fix spelling and capitalization in release notes
Corrected spelling of 'reorganisation' to 'reorganization' and updated 'coderabbit' to 'CodeRabbit' for consistency.
* Update patterns.txt to allowlist 'CodeRabbit'
Add 'CodeRabbit' to allowlist of proper nouns.
* Clarify chart theming support in release notes
Updated the release notes to specify bar/pie chart theming support and added details about theme variables for customization.
* Remove 'CodeRabbit' from spelling expectations
* Refactor release notes and improve formatting
Reorganize release notes for clarity and update content.
* Create 2026-03-02-release-26-3-0.md
* Change release date to 2026-03-02
Updated the release date for version 26.3.0.
* Update release notes for version 26.3.0
---------
Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* [AI] Make merge-freeze-unfreeze workflow work on fork PRs via pull_request_target
Made-with: Cursor
* Add release notes for the "unfreeze" workflow functionality in fork PRs
* Add empty permissions block to unfreeze job in merge-freeze-unfreeze workflow
* [AI] Add GitHub Action to add PR to Merge Freeze unblocked list when unfreeze label is added
Made-with: Cursor
* Rename 7093.md to 7094.md
* Add concurrency control to unfreeze job in merge-freeze-unfreeze workflow
- Introduced concurrency settings to prevent overlapping executions of the unfreeze job based on labels.
- Updated error handling to abort the process if fetching the current merge freeze status fails, ensuring unblocked PRs are not overwritten.
* Refactor Merge Freeze workflow to simplify PR unblocking process
- Updated the workflow to directly post the PR to the unblocked list without fetching the current freeze status.
- Improved error handling by ensuring the access token is set before proceeding with the API call.
* [AI] Desktop client, E2E, loot-core, sync-server and tooling updates
Co-authored-by: Cursor <cursoragent@cursor.com>
* Refactor database handling in various modules to use async/await for improved readability and error handling. This includes updates to database opening and closing methods across multiple files, ensuring consistent asynchronous behavior. Additionally, minor adjustments were made to encryption functions to support async operations.
* Refactor sync migration tests to utilize async/await for improved readability. Updated transaction handling to streamline event expectations and cleanup process.
* Refactor various functions to utilize async/await for improved readability and error handling. Updated service stopping, encryption, and file upload/download methods to ensure consistent asynchronous behavior across the application.
* Refactor BudgetFileSelection component to use async/await for onSelect method, enhancing error handling and readability. Update merge tests to utilize async/await for improved clarity in transaction merging expectations.
* Refactor filesystem module to use async/await for init function and related database operations, enhancing error handling and consistency across file interactions. Updated tests to reflect asynchronous behavior in database operations and file writing.
* Fix typo in init function declaration to ensure it returns a Promise<void> instead of Proise<void>.
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6987
* Update tests to use async/await for init function in web filesystem, ensuring consistent asynchronous behavior in database operations.
* Update VRT screenshot for payees filter test to reflect recent changes
* [AI] Fix no-floating-promises lint error in desktop-electron
Wrapped queuedClientWinLogs.map() with Promise.all and void operator to properly handle the array of promises for executing queued logs.
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Refactor promise handling in global and sync event handlers
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6987
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Add point totals display to all statistics sections in count-points script
* Update funding contributors documentation and add release notes for contributor point counting script
* Refactor contributor points calculation and enhance PR category determination
- Updated point values for PR contributions: reduced points for Features, Enhancements, Bugfix, and Maintenance, and added a new category for Unknown contributions.
- Introduced a new function to retrieve the last commit SHA before a specified date to improve accuracy in reading release notes.
- Modified the getPRCategoryAndPoints function to accept a monthEnd parameter for better context in point assignment.
* Update contributor points values in count-points script to reflect new scoring system
* Add new blog post on funding contributors' next steps
This post outlines plans to expand the contributor compensation system, including broader rewards for project involvement, targeted donations, and a points-based system for feature work. It emphasizes transparency and community feedback in shaping future funding strategies.
* Increase Bugfix points from 2 to 3
* Change points awarded for Features to 2
* Improve bug report template with better structure and requirements
* Fix: Remove empty value fields from textarea inputs in bug report template
* Add release notes for PR #6784
* Update 6784.md
* Update bug report template to request a screenshot of the import screen along with a redacted file version for better issue resolution.
* Update bug report template for import issues
Clarified instructions for reporting import issues.
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* docs: add ANZ Plus Bank to community repos
Added ANZ Plus Bank to the Community Repos page.
Link(s): https://github.com/spydisec/PDFtoOFX/
Short summary: Convert ANZ Plus bank statement PDFs to OFX format for seamless import into Actual Budget and other personal finance applications.
Placement: https://actualbudget.org/docs/community-repos/
* Update packages/docs/docs/community-repos.md
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix typo in ANZ Plus bank converter description
* chore: update docs spelling allowlist
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
