* [AI] sync-server: use workspace reference for @actual-app/crdt
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Update build script in sync-server package to use TypeScript's build mode
* Package electron
* [AI] crdt: add conditional exports so Node can load the built bundle
Before this change the root exports entry pointed at `./src/index.ts`, so
any pure-Node consumer (notably the sync server that Electron forks as a
utility process) failed to import `@actual-app/crdt` — Node can't execute
TypeScript source directly. Sync-server had been masking this by pulling
`@actual-app/crdt@npm:2.1.0` where `publishConfig.exports` resolves to
`./dist/index.js`; once sync-server switched to `workspace:*`, the
Functional Desktop App CI job timed out waiting for the sync server to
boot.
Switch to conditional exports in the same shape `@actual-app/api` already
uses:
- `types` → `./dist/index.d.ts` for TypeScript tooling
- `development` → `./src/index.ts` for Vite/Vitest (HMR, fast feedback)
- `default` → `./dist/index.js` for Node runtime
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Apply suggested fix to packages/desktop-client/src/components/modals/EditFieldModal.tsx from Copilot Autofix
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* Apply suggested fix to packages/desktop-client/src/components/modals/EditFieldModal.tsx from Copilot Autofix
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* note
* fix typo in note
* remove useless conditions
---------
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* [AI] Fix sync-server build not resolving subpath imports
The add-import-extensions build script only handled relative imports
(./ ../), leaving #-prefixed subpath imports unresolved in the build
output. At runtime Node.js resolved them via package.json's imports
map back to source files, which have extensionless imports that fail
in ESM.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for sync-server subpath imports fix
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Simplify subpath import resolution using publishConfig.imports
Use publishConfig.imports which already has ./build/src/ paths with .js
extensions, eliminating manual src->build and .ts->.js conversions.
Also sort wildcard patterns by specificity and extract shared helper.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Use replaceAll for wildcard substitution to satisfy CodeQL
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Enable subpath imports across all packages
Generalize the prefer-subpath-imports ESLint rule to work with any
package (not just loot-core) and enable it globally. Add subpath import
mappings to cli, component-library, and sync-server package.json files.
Auto-fix all backtracked relative imports to use #-prefixed subpath
imports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7462
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix mock specifiers in accounts.test.ts to use aliased imports
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix mock specifiers in query.test.ts to use aliased imports
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix ESLint rule to properly validate src/ directory paths
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Add publishConfig.imports for sync-server to remap aliases to build directory
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Add rate limiting to authentication endpoints
Add strict rate limiting (5 attempts per 15 minutes) to /account/login,
/account/bootstrap, and /account/change-password endpoints to prevent
brute-force password attacks. Uses express-rate-limit as route-level
middleware on auth-sensitive routes only.
https://claude.ai/code/session_017SHnNCn93RzxpvEEPJAZUZ
* [AI] Add release notes and remove rate limit from /change-password
Add upcoming release notes file for the auth rate limiting feature.
Remove rate limiting from /change-password since it already requires
a valid admin session token.
https://claude.ai/code/session_017SHnNCn93RzxpvEEPJAZUZ
---------
Co-authored-by: Claude <noreply@anthropic.com>
* implement our own GoCardless api class
* switch the service to use the new api
* drop deps
* note
* guard against request forgery
* strip empty params from the request body, add error logging
* coderabbit suggestions
* fix test, make institution nullable
* Add documentation for self-signed cert healthchecks
Adds instruction to set NODE_EXTRA_CA_CERTS in docker-compose healthcheck commands so Node.js can trust the certificate.
* [autofix.ci] apply automated fixes
* fixup! Add documentation for self-signed cert healthchecks
* [autofix.ci] apply automated fixes
* Update Docker health checks with self-signed certs
If using self signed certs, comment the first test line and uncomment
the second test line.
* fixup! Update Docker health checks with self-signed certs
* fixup! Add documentation for self-signed cert healthchecks
* fixup! Update Docker health checks with self-signed certs
* [autofix.ci] apply automated fixes
* fixup! Add documentation for self-signed cert healthchecks
* fixup! Update Docker health checks with self-signed certs
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [AI] Fix password login broken when OIDC is enabled (#7331)
The security fix in PR #7155 added an `active = 1` check to
`getLoginMethod()`, which prevented password login when OIDC was the
active auth method. This caused the server to silently reroute password
login requests to the OpenID flow, which fails.
Remove the `active` requirement when the client explicitly requests a
login method — only require the method to exist in the auth table. The
`active` flag still governs the default method via `getActiveLoginMethod()`.
The `/change-password` endpoint security protections (admin role +
password auth_method checks) remain intact.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7334
* Update getLoginMethod to validate client-requested login methods against the auth database
Modified the getLoginMethod function to check if the requested login method exists in the auth table before returning it. Updated the corresponding test to reflect that a client-requested method not found in the database will be ignored, ensuring proper handling of login methods.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Add secure custom font support for custom themes
Implement safe font-family references in custom themes via CSS variables
(--font-body, --font-mono, --font-heading, etc.) validated against a
curated allowlist of system-installed and web-safe fonts.
Security approach: Only fonts already present on the user's OS or bundled
with the app are allowed. No @font-face, no url(), no external font
loading — this prevents third-party tracking via font requests while
still enabling meaningful font customization in themes.
Key changes:
- Add SAFE_FONT_FAMILIES allowlist (~80 fonts: generic families, bundled
fonts, and common system fonts across platforms)
- Add validateFontFamilyValue() for comma-separated font stack validation
- Route --font-{body,mono,heading,family,ui,display,code} properties
through the font validator instead of the color validator
- Update index.html to use var(--font-body, ...) with current Inter
Variable stack as fallback
- Add comprehensive tests for valid/invalid font values and security
edge cases (url injection, javascript:, expression(), etc.)
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Add @font-face support with data: URI embedding for custom themes
Enable truly custom fonts in themes while maintaining zero runtime network
requests. Theme authors can include font files in their GitHub repos, and
fonts are automatically downloaded and embedded as data: URIs at install
time — the same approach used for theme CSS itself.
Security model:
- @font-face blocks only allow data: URIs (no http/https/relative URLs)
- Font MIME types are validated (font/woff2, font/ttf, etc.)
- Individual font files capped at 2MB, total at 10MB
- @font-face properties are allowlisted (font-family, src, font-weight,
font-style, font-display, font-stretch, unicode-range only)
- Font-family names from @font-face are available in --font-* variables
- No runtime network requests — all fonts stored locally after install
Key additions:
- extractFontFaceBlocks(): parse @font-face from theme CSS
- validateFontFaceBlock(): validate properties and data: URIs
- splitDeclarations(): semicolon-aware parser that respects data: URIs
- embedThemeFonts(): fetch font files from GitHub, convert to data: URIs
- ThemeInstaller calls embedThemeFonts() during catalog theme installation
- 30+ new test cases for @font-face validation and security edge cases
Example theme CSS with custom fonts:
@font-face {
font-family: 'My Font';
src: url('./MyFont.woff2') format('woff2');
}
:root { --font-body: 'My Font', sans-serif; }
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Rename --font-body CSS variable to --font-family
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Remove font-family allowlist and broaden --font-* regex
- Remove SAFE_FONT_FAMILIES allowlist and SAFE_FONT_FAMILIES_LOWER lookup.
Any font name is now valid in --font-* properties. Referencing a font
that isn't installed simply triggers the browser's normal fallback — no
network requests, no security risk. Function calls (url(), expression(),
etc.) are still blocked.
- Change the --font-* property regex from a specific list
(family|mono|heading|...) to match all --font-* variables, so theme
authors can use any --font-prefixed custom property.
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Simplify and improve custom font validation code
Code quality improvements from review:
- Remove dead `declaredFonts` Set (was populated but never read after
allowlist removal)
- Extract `stripQuotes()` helper to deduplicate quote-stripping logic
between `validateFontFamilyValue` and `validateFontFaceBlock`
- Replace confusing `const searchFrom = 0` loop with `for (;;)` idiom
in `extractFontFaceBlocks`
- Use index tracking (`content.substring(start, i)`) instead of
character-by-character string concatenation in `splitDeclarations`
- Use `splitDeclarations` in `validateRootContent` instead of naive
`split(';')` for consistency and correctness
- Parallelize font fetches in `embedThemeFonts` with `Promise.all`
instead of sequential awaits
- Replace byte-by-byte base64 conversion with chunked
`arrayBufferToBase64()` helper (8KB chunks)
- Reuse indexOf-based @font-face parsing in `embedThemeFonts` instead
of fragile `[^}]*` regex that can't handle large data URIs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Enhance font validation in customThemes.ts
* Add custom release notes for upcoming feature: support for custom fonts in themes
* [AI] Simplify @font-face validation to only block external URLs
Remove ~210 lines of overly thorough font validation (MIME type allowlists,
base64 encoding checks, format hint validation, @font-face property allowlists,
font-family name regex) and replace with a single function that enforces the
actual security goal: rejecting non-data: URIs to prevent external resource
loading. Size limits for DoS prevention are preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update Content Security Policy to include font-src directive
Enhance the Content Security Policy in both the desktop client and sync server to allow font loading from data URIs. This change ensures that custom fonts can be embedded securely while maintaining the existing security measures for other resources.
* Enhance font-family validation to disallow empty values
Update the `validateFontFamilyValue` function to throw an error for empty font-family values, improving security and validation accuracy. Adjust tests to reflect this change, ensuring that empty values are properly handled as invalid.
* Enhance validation for CSS custom properties in customThemes.ts
Add comprehensive checks in the `validateRootContent` function to ensure CSS custom properties start with '--', contain valid characters, and do not end with a dash. This improves error handling for invalid property names, ensuring better compliance with CSS standards.
* [AI] Fix path traversal, spaces in font URLs, and add embedThemeFonts tests
Reject path-traversal (../) and root-anchored (/) font paths in
embedThemeFonts to prevent URL manipulation. Fix URL regex to handle
quoted filenames with spaces (e.g. "Inter Variable.woff2"). Add unit
tests covering both security validations and normal embedding flow.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Implement font size budget enforcement in embedThemeFonts function
* Add global unstubbing in afterEach for embedThemeFonts tests
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Fix OIDC privilege escalation in /change-password endpoint
Add admin role check and password auth_method session check to prevent
non-admin or OIDC-authenticated users from changing the server password.
Previously, any authenticated user could overwrite the password hash and
then login via password method to obtain an ADMIN session.
https://claude.ai/code/session_01Wne9FY2QnKp6JF7g61B1Sn
* Add release notes for PR #7207
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Switch typecheck from tsc to tsgo and fix Menu type narrowing
* [autofix.ci] apply automated fixes
* Add .gitignore for dist directory, update typecheck script in package.json to use -b flag, and remove noEmit option from tsconfig.json files in ci-actions and desktop-electron packages. Introduce typesVersions in loot-core package.json for improved type handling.
* Refactor SelectedTransactionsButton to improve type safety and readability. Updated items prop to use spread operator for conditional rendering of menu items, ensuring proper type annotations with MenuItem. This change enhances the clarity of the component's structure and maintains TypeScript compliance.
* Update tsconfig.json in desktop-electron package to maintain consistent formatting for plugins section. No functional changes made.
* [autofix.ci] apply automated fixes
* Update package.json and yarn.lock to add TypeScript 5.8.0 dependency. Adjust typesVersions in loot-core package.json for improved type handling. Enhance tsconfig.json in sync-server package to enable strictFunctionTypes for better type safety.
* Enhance tsconfig.json in ci-actions package by adding composite option for improved project references and build performance.
* [AI] Revert typescript to 5.9.3 for ts-node compatibility
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Update yarn.lock after TypeScript version change
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Refactor Menu component for improved type safety and readability. Updated type assertions for Menu.line and Menu.label, simplified type checks in filtering and selection logic, and enhanced conditional rendering of menu items. This change ensures better TypeScript compliance and maintains clarity in the component's structure.
* Refactor Select and OpenIdForm components to improve type safety and simplify logic. Updated item mapping to handle Menu.line more effectively, enhancing clarity in selection processes. Adjusted SelectedTransactionsButton to streamline item creation and improve readability.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Promote typescript/restrict-template-expressions to error and fix violations
Convert the oxlint rule from "warn" to "error" and fix all 42 violations
by wrapping non-string template expressions with String(). This ensures
type safety in template literals across the codebase.
https://claude.ai/code/session_01Uk8SwFbD6HuUuo3SSMwU9z
* Add release notes for PR #7181
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Enable TypeScript composite project references across monorepo
- Add composite and declaration emit to all package tsconfigs
- Wire root and per-package project references in dependency order
- Replace cross-package include-based typing with referenced outputs
- Fix api TS5055 by emitting declarations to decl-output
- Add desktop-client alias for tests; fix oxlint import order in vite.config
- Add UsersState.data null type and openDatabase return type for strict emit
Co-authored-by: Cursor <cursoragent@cursor.com>
* Remove obsolete TypeScript configuration for API and update build script to emit declarations directly to the output directory. This streamlines the build process and ensures compatibility with the new project structure.
* Refactor TypeScript configuration in API package to remove obsolete decl-output directory and update build scripts. The changes streamline the build process by directing declaration outputs to the @types directory, ensuring better organization and compatibility with the new project structure.
* Add TypeScript declaration emission for loot-core in desktop-electron build process
* Refactor TypeScript configuration in API package to utilize composite references and streamline build scripts. Update include and exclude patterns for improved file management, ensuring better organization of declaration outputs and migration SQL files.
* Refactor TypeScript configuration in loot-core and desktop-client packages to streamline path management and remove obsolete dependencies. Update paths in tsconfig.json files for better organization and compatibility, and adjust yarn.lock to reflect changes in workspace dependencies.
* Update desktop-electron package to utilize loot-core as a workspace dependency. Adjust TypeScript import paths and tsconfig references for improved organization and compatibility across packages.
* Enhance Vite configuration for desktop-client to support Electron-specific conditions and update loot-core package.json to include Electron as a platform for client connection. This improves compatibility for Electron builds.
* Refactor TypeScript configuration across multiple packages to streamline path management. Update tsconfig.json files in root, api, and loot-core packages to improve import paths and maintain compatibility with internal typings.
* Update package dependencies and Vite configuration across component-library and desktop-client. Add vite-tsconfig-paths to component-library and remove it from desktop-client. Refactor Storybook preview file to include a TODO for future refactoring.
* Remove Node-specific path from loot-core package.json for client connection, streamlining platform configuration for Electron.
* Remove loot-core as a workspace dependency from desktop-electron package.json
* Update tsconfig.json to remove reference to desktop-client
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* 🔖 (26.3.0)
* Remove used release notes
* Add release notes for PR #7097
* Remove used release notes
* Remove used release notes
* Add release notes for version 26.3.0
* Add new terms to spelling expectation list
* Fix spelling and capitalization in release notes
Corrected spelling of 'reorganisation' to 'reorganization' and updated 'coderabbit' to 'CodeRabbit' for consistency.
* Update patterns.txt to allowlist 'CodeRabbit'
Add 'CodeRabbit' to allowlist of proper nouns.
* Clarify chart theming support in release notes
Updated the release notes to specify bar/pie chart theming support and added details about theme variables for customization.
* Remove 'CodeRabbit' from spelling expectations
* Refactor release notes and improve formatting
Reorganize release notes for clarity and update content.
* Create 2026-03-02-release-26-3-0.md
* Change release date to 2026-03-02
Updated the release date for version 26.3.0.
* Update release notes for version 26.3.0
---------
Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* [AI] Add per-package tsconfigs and typescript-strict-plugin for typecheck
Co-authored-by: Cursor <cursoragent@cursor.com>
* Update TypeScript configuration across multiple packages to correct plugin path key from "path" to "paths" and add reference to process-worker typings in index.electron.ts.
* Remove reference to process-worker typings in index.electron.ts and add new process-worker typings file for global Process augmentation.
* Refactor TypeScript build configurations across multiple packages by removing tsconfig.dist.json files and updating build scripts to use default TypeScript compilation. Adjusted compiler options to target ES2021 and enable declaration generation.
* Update TypeScript configuration in api package to refine include and exclude patterns for better file management.
* Update build script in api package to ensure migration SQL files are copied to the correct directory by creating the destination folder if it doesn't exist.
* Update TypeScript configurations in crdt and desktop-electron packages to refine include and exclude patterns for improved file management.
* Update TypeScript dependencies across multiple packages to include typescript-strict-plugin for enhanced type checking and maintain consistency in package.json files.
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* [AI] Enforce file access authorization on sync API endpoints
Co-authored-by: Cursor <cursoragent@cursor.com>
* Refactor file deletion authorization to return error message as text
* Refactor file upload validation to improve error handling
* Add tests to allow admin users to retrieve encryption keys and sync files for other users
- Implemented a test for admin access to retrieve encryption keys for another user's file in the /user-get-key endpoint.
- Added a test for admin users to sync another user's file in the /sync endpoint, ensuring proper response and headers.
These changes enhance the authorization checks for admin actions on user files.
* Refactor file cleanup in tests to use onTestFinished for better error handling
* Enhance admin capabilities in file management tests
* Add migration to backfill file owners with admin ID
* Enhance file access authorization in sync API
* Update migration to backfill file owners with admin ID to ensure consistent ordering in the query
* Refactor access control tests for file downloads in sync API
* Add test for non-owner file download access via user_access in sync API
This test verifies that users with appropriate access can download files owned by others, utilizing the requireFileAccess logic and UserService.countUserAccess. It ensures correct response headers and content delivery for shared files.
* Refactor file cleanup in upload and download tests to utilize onTestFinished for improved error handling
This update consolidates file cleanup logic in the test suite, ensuring that temporary files are removed after each test execution. The changes enhance the reliability of tests by consistently managing file state across various scenarios.
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* Add authentication middleware to SimpleFIN and Pluggy.ai endpoints
Protect /simplefin/* and /pluggyai/* routes with validateSessionMiddleware
so only authenticated users can access bank account and transaction data.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Release notes
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* [AI] Desktop client, E2E, loot-core, sync-server and tooling updates
Co-authored-by: Cursor <cursoragent@cursor.com>
* Refactor database handling in various modules to use async/await for improved readability and error handling. This includes updates to database opening and closing methods across multiple files, ensuring consistent asynchronous behavior. Additionally, minor adjustments were made to encryption functions to support async operations.
* Refactor sync migration tests to utilize async/await for improved readability. Updated transaction handling to streamline event expectations and cleanup process.
* Refactor various functions to utilize async/await for improved readability and error handling. Updated service stopping, encryption, and file upload/download methods to ensure consistent asynchronous behavior across the application.
* Refactor BudgetFileSelection component to use async/await for onSelect method, enhancing error handling and readability. Update merge tests to utilize async/await for improved clarity in transaction merging expectations.
* Refactor filesystem module to use async/await for init function and related database operations, enhancing error handling and consistency across file interactions. Updated tests to reflect asynchronous behavior in database operations and file writing.
* Fix typo in init function declaration to ensure it returns a Promise<void> instead of Proise<void>.
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6987
* Update tests to use async/await for init function in web filesystem, ensuring consistent asynchronous behavior in database operations.
* Update VRT screenshot for payees filter test to reflect recent changes
* [AI] Fix no-floating-promises lint error in desktop-electron
Wrapped queuedClientWinLogs.map() with Promise.all and void operator to properly handle the array of promises for executing queued logs.
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Refactor promise handling in global and sync event handlers
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6987
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Apply import sorting with perfectionist/sort-named-imports rule
- Add perfectionist/sort-named-imports oxlint rule
- Sort named imports: value imports before type imports
- Update component-library and desktop-client files to match new rule
* Add release notes for linting updates on named imports
* Update linting rules and replace @ts-ignore with @ts-expect-error
* Add release notes for PR #6636
* Fix TypeScript linting issue by adding @ts-ignore for electron types in server start message
* Change category to Maintenance and update linting rules
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* Added Global Synced Prefs
* [autofix.ci] apply automated fixes
* Add release notes for PR #6234
* typecheck
* lint fix
* Refactor global synced preferences to server preferences
- Removed global synced preferences implementation and related files.
- Introduced server preferences with a new slice and hooks for managing user settings.
- Updated components and hooks to utilize server preferences instead of global synced preferences.
- Adjusted Redux store and mock configurations to reflect the changes.
- Enhanced user settings consistency across devices with the new server preferences structure.
* Implement server preferences for feature flags and enhance admin permissions
- Updated the Experimental component to conditionally display based on user permissions and login method.
- Refactored feature flag handling to use 'flags.plugins' instead of 'plugins'.
- Introduced server-side checks to restrict access to server preferences for admin users only.
- Added comprehensive tests for server preferences management, ensuring proper handling of user roles and preferences.
* Enhance error handling in saveServerPrefs thunk
- Updated the saveServerPrefs async thunk to handle potential errors from the server response.
- Added a check for the presence of an error in the result and return it accordingly.
- Ensured that preferences are still dispatched to the store upon successful save.
* Feedback: strict "flags.plugins" typing
* Feedback: move state slice
* Feedback: localstorage pref
* Feedback: move serverPrefsSlide into prefsSlice
* Refactor: Remove duplicate import of PostError in app.ts
* Rename serverPrefs state slice property to server (#6596)
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
* Fix LHV bank adapter not being loaded due to filename mismatch
The bank-factory.js loads bank adapters by filtering for files containing
underscores, but lhv-lhvbee22.js used a hyphen. This caused the LHV adapter
to never be loaded, falling back to the generic IntegrationBank handler
which doesn't extract payee names from card transaction remittance info.
Rename lhv-lhvbee22.js to lhv_lhvbee22.js to match the naming convention
used by all other bank adapters.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add release notes for PR #6533🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* [autofix.ci] apply automated fixes
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* 🔖 (26.1.0)
* Trigger CI
* Remove used release notes
* Add release notes for version 26.1.0
This commit introduces the release notes for version 26.1.0, highlighting notable improvements such as currency display in the budget, mobile schedules functionality, link detection in transaction notes, and an extension of historical data. The release also includes various enhancements, bug fixes, and maintenance updates, acknowledging contributions from multiple developers.
* Update spelling expectations and release notes for version 26.1.0
This commit adds new terms to the spelling expectations file and updates the release notes to reflect changes in the documentation, including formatting improvements for clarity. Notable contributions from various developers are acknowledged.
* Add new terms to spelling expectations file
This commit updates the spelling expectations by adding new terms, enhancing the accuracy of the documentation spell-checking process. The changes include the addition of 'jws' and 'oxc' to the list of expected terms.
* Update release notes for version 26.1.0 to include Flathub availability for Linux users
* Update release notes to reflect Docker tag for version 26.1.0 in documentation
---------
Co-authored-by: MatissJanis <886567+MatissJanis@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Initial plan
* Add permission checks for budget deletion
- Server-side: Check if user is file owner or admin before allowing deletion
- Client-side: Hide "Delete from all devices" button for non-owners
- Add comprehensive tests for permission checking
- Non-owners see message that only owner can delete from server
Co-authored-by: MatissJanis <886567+MatissJanis@users.noreply.github.com>
* Add release notes for PR #6338
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6338
* Fix: Change unauthorized to forbidden in delete-user-file
Co-authored-by: matiss <matiss@mja.lv>
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6338
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6338
* Fix: Update error reason from 'unauthorized' to 'forbidden' in delete-user-file response
* Update VRT screenshot for date filter test case
* [autofix.ci] apply automated fixes
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: MatissJanis <886567+MatissJanis@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: matiss <matiss@mja.lv>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
