* [AI] Fix OIDC privilege escalation in /change-password endpoint
Add admin role check and password auth_method session check to prevent
non-admin or OIDC-authenticated users from changing the server password.
Previously, any authenticated user could overwrite the password hash and
then log in via password method to obtain an ADMIN session.
https://claude.ai/code/session_01Wne9FY2QnKp6JF7g61B1Sn
* Add release notes for PR #7207
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
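A toy model of the check this commit message describes, run as a regression matrix. This is an added example, not code from the repository: only `auth_method` and the ADMIN role come from the commit message, while the `role` and `user_id` fields, the `'openid'` value, `fakeHash` and every function name are assumptions.

```javascript
// Added example: toy model, not code from the repository.
// Assumed names: role, user_id, fakeHash and every function below.
const fakeHash = (pw) => `hash(${pw})`; // constructed stand-in, not a real KDF

function makeServer() {
  return { passwordHash: fakeHash('original-admin-password') };
}

// Before the fix: any authenticated session may overwrite the password hash.
function changePasswordBefore(server, session, newPassword) {
  if (!session) return { status: 401, reason: 'unauthorized' };
  server.passwordHash = fakeHash(newPassword);
  return { status: 200 };
}

// After the fix: admin role AND a session created by the password method.
function changePasswordAfter(server, session, newPassword) {
  if (!session) return { status: 401, reason: 'unauthorized' };
  if (session.role !== 'ADMIN' || session.auth_method !== 'password') {
    return { status: 403, reason: 'forbidden' };
  }
  server.passwordHash = fakeHash(newPassword);
  return { status: 200 };
}

// Password login yields an ADMIN session, as the commit message states.
function loginWithPassword(server, password) {
  if (fakeHash(password) !== server.passwordHash) return null;
  return { user_id: 'server', role: 'ADMIN', auth_method: 'password' };
}

// Constructed sessions covering each combination the guard must decide on.
// 'openid' is a constructed label for an OIDC-created session.
const CASES = [
  { name: 'no session', session: null },
  { name: 'oidc basic', session: { user_id: 'u1', role: 'BASIC', auth_method: 'openid' } },
  { name: 'oidc admin', session: { user_id: 'u2', role: 'ADMIN', auth_method: 'openid' } },
  { name: 'password admin', session: { user_id: 'u3', role: 'ADMIN', auth_method: 'password' } },
];

// Run every case against a fresh server and record whether the caller's
// chosen password afterwards opens an ADMIN session via password login.
function runMatrix(handler) {
  return CASES.map(({ name, session }) => {
    const server = makeServer();
    const { status } = handler(server, session, 'caller-chosen');
    const adminSession = loginWithPassword(server, 'caller-chosen');
    return { name, status, gainsAdminLogin: adminSession !== null };
  });
}

for (const [label, handler] of [
  ['before', changePasswordBefore],
  ['after', changePasswordAfter],
]) {
  console.log(label);
  console.table(runMatrix(handler));
}
```

The same matrix works as a regression test for the real endpoint: only the password-authenticated admin row should return 200.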
* [AI] Switch typecheck from tsc to tsgo and fix Menu type narrowing
* [autofix.ci] apply automated fixes
* Add .gitignore for dist directory, update typecheck script in package.json to use -b flag, and remove noEmit option from tsconfig.json files in ci-actions and desktop-electron packages. Introduce typesVersions in loot-core package.json for improved type handling.
* Refactor SelectedTransactionsButton to improve type safety and readability. Updated items prop to use spread operator for conditional rendering of menu items, ensuring proper type annotations with MenuItem. This change enhances the clarity of the component's structure and maintains TypeScript compliance.
* Update tsconfig.json in desktop-electron package to maintain consistent formatting for plugins section. No functional changes made.
* [autofix.ci] apply automated fixes
* Update package.json and yarn.lock to add TypeScript 5.8.0 dependency. Adjust typesVersions in loot-core package.json for improved type handling. Enhance tsconfig.json in sync-server package to enable strictFunctionTypes for better type safety.
* Enhance tsconfig.json in ci-actions package by adding composite option for improved project references and build performance.
* [AI] Revert typescript to 5.9.3 for ts-node compatibility
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Update yarn.lock after TypeScript version change
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Refactor Menu component for improved type safety and readability. Updated type assertions for Menu.line and Menu.label, simplified type checks in filtering and selection logic, and enhanced conditional rendering of menu items. This change ensures better TypeScript compliance and maintains clarity in the component's structure.
* Refactor Select and OpenIdForm components to improve type safety and simplify logic. Updated item mapping to handle Menu.line more effectively, enhancing clarity in selection processes. Adjusted SelectedTransactionsButton to streamline item creation and improve readability.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Promote typescript/restrict-template-expressions to error and fix violations
Convert the oxlint rule from "warn" to "error" and fix all 42 violations
by wrapping non-string template expressions with String(). This ensures
type safety in template literals across the codebase.
https://claude.ai/code/session_01Uk8SwFbD6HuUuo3SSMwU9z
* Add release notes for PR #7181
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Enable TypeScript composite project references across monorepo
- Add composite and declaration emit to all package tsconfigs
- Wire root and per-package project references in dependency order
- Replace cross-package include-based typing with referenced outputs
- Fix api TS5055 by emitting declarations to decl-output
- Add desktop-client alias for tests; fix oxlint import order in vite.config
- Add UsersState.data null type and openDatabase return type for strict emit
Co-authored-by: Cursor <cursoragent@cursor.com>
* Remove obsolete TypeScript configuration for API and update build script to emit declarations directly to the output directory. This streamlines the build process and ensures compatibility with the new project structure.
* Refactor TypeScript configuration in API package to remove obsolete decl-output directory and update build scripts. The changes streamline the build process by directing declaration outputs to the @types directory, ensuring better organization and compatibility with the new project structure.
* Add TypeScript declaration emission for loot-core in desktop-electron build process
* Refactor TypeScript configuration in API package to utilize composite references and streamline build scripts. Update include and exclude patterns for improved file management, ensuring better organization of declaration outputs and migration SQL files.
* Refactor TypeScript configuration in loot-core and desktop-client packages to streamline path management and remove obsolete dependencies. Update paths in tsconfig.json files for better organization and compatibility, and adjust yarn.lock to reflect changes in workspace dependencies.
* Update desktop-electron package to utilize loot-core as a workspace dependency. Adjust TypeScript import paths and tsconfig references for improved organization and compatibility across packages.
* Enhance Vite configuration for desktop-client to support Electron-specific conditions and update loot-core package.json to include Electron as a platform for client connection. This improves compatibility for Electron builds.
* Refactor TypeScript configuration across multiple packages to streamline path management. Update tsconfig.json files in root, api, and loot-core packages to improve import paths and maintain compatibility with internal typings.
* Update package dependencies and Vite configuration across component-library and desktop-client. Add vite-tsconfig-paths to component-library and remove it from desktop-client. Refactor Storybook preview file to include a TODO for future refactoring.
* Remove Node-specific path from loot-core package.json for client connection, streamlining platform configuration for Electron.
* Remove loot-core as a workspace dependency from desktop-electron package.json
* Update tsconfig.json to remove reference to desktop-client
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* 🔖 (26.3.0)
* Remove used release notes
* Add release notes for PR #7097
* Remove used release notes
* Remove used release notes
* Add release notes for version 26.3.0
* Add new terms to spelling expectation list
* Fix spelling and capitalization in release notes
Corrected spelling of 'reorganisation' to 'reorganization' and updated 'coderabbit' to 'CodeRabbit' for consistency.
* Update patterns.txt to allowlist 'CodeRabbit'
Add 'CodeRabbit' to allowlist of proper nouns.
* Clarify chart theming support in release notes
Updated the release notes to specify bar/pie chart theming support and added details about theme variables for customization.
* Remove 'CodeRabbit' from spelling expectations
* Refactor release notes and improve formatting
Reorganize release notes for clarity and update content.
* Create 2026-03-02-release-26-3-0.md
* Change release date to 2026-03-02
Updated the release date for version 26.3.0.
* Update release notes for version 26.3.0
---------
Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* [AI] Add per-package tsconfigs and typescript-strict-plugin for typecheck
Co-authored-by: Cursor <cursoragent@cursor.com>
* Update TypeScript configuration across multiple packages to correct plugin path key from "path" to "paths" and add reference to process-worker typings in index.electron.ts.
* Remove reference to process-worker typings in index.electron.ts and add new process-worker typings file for global Process augmentation.
* Refactor TypeScript build configurations across multiple packages by removing tsconfig.dist.json files and updating build scripts to use default TypeScript compilation. Adjusted compiler options to target ES2021 and enable declaration generation.
* Update TypeScript configuration in api package to refine include and exclude patterns for better file management.
* Update build script in api package to ensure migration SQL files are copied to the correct directory by creating the destination folder if it doesn't exist.
* Update TypeScript configurations in crdt and desktop-electron packages to refine include and exclude patterns for improved file management.
* Update TypeScript dependencies across multiple packages to include typescript-strict-plugin for enhanced type checking and maintain consistency in package.json files.
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* [AI] Enforce file access authorization on sync API endpoints
Co-authored-by: Cursor <cursoragent@cursor.com>
* Refactor file deletion authorization to return error message as text
* Refactor file upload validation to improve error handling
* Add tests to allow admin users to retrieve encryption keys and sync files for other users
- Implemented a test for admin access to retrieve encryption keys for another user's file in the /user-get-key endpoint.
- Added a test for admin users to sync another user's file in the /sync endpoint, ensuring proper response and headers.
These changes enhance the authorization checks for admin actions on user files.
* Refactor file cleanup in tests to use onTestFinished for better error handling
* Enhance admin capabilities in file management tests
* Add migration to backfill file owners with admin ID
* Enhance file access authorization in sync API
* Update migration to backfill file owners with admin ID to ensure consistent ordering in the query
* Refactor access control tests for file downloads in sync API
* Add test for non-owner file download access via user_access in sync API
This test verifies that users with appropriate access can download files owned by others, utilizing the requireFileAccess logic and UserService.countUserAccess. It ensures correct response headers and content delivery for shared files.
* Refactor file cleanup in upload and download tests to utilize onTestFinished for improved error handling
This update consolidates file cleanup logic in the test suite, ensuring that temporary files are removed after each test execution. The changes enhance the reliability of tests by consistently managing file state across various scenarios.
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* Add authentication middleware to SimpleFIN and Pluggy.ai endpoints
Protect /simplefin/* and /pluggyai/* routes with validateSessionMiddleware
so only authenticated users can access bank account and transaction data.
Co-authored-by: Cursor <cursoragent@cursor.com>
* Release notes
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* [AI] Desktop client, E2E, loot-core, sync-server and tooling updates
Co-authored-by: Cursor <cursoragent@cursor.com>
* Refactor database handling in various modules to use async/await for improved readability and error handling. This includes updates to database opening and closing methods across multiple files, ensuring consistent asynchronous behavior. Additionally, minor adjustments were made to encryption functions to support async operations.
* Refactor sync migration tests to utilize async/await for improved readability. Updated transaction handling to streamline event expectations and cleanup process.
* Refactor various functions to utilize async/await for improved readability and error handling. Updated service stopping, encryption, and file upload/download methods to ensure consistent asynchronous behavior across the application.
* Refactor BudgetFileSelection component to use async/await for onSelect method, enhancing error handling and readability. Update merge tests to utilize async/await for improved clarity in transaction merging expectations.
* Refactor filesystem module to use async/await for init function and related database operations, enhancing error handling and consistency across file interactions. Updated tests to reflect asynchronous behavior in database operations and file writing.
* Fix typo in init function declaration to ensure it returns a Promise<void> instead of Proise<void>.
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6987
* Update tests to use async/await for init function in web filesystem, ensuring consistent asynchronous behavior in database operations.
* Update VRT screenshot for payees filter test to reflect recent changes
* [AI] Fix no-floating-promises lint error in desktop-electron
Wrapped queuedClientWinLogs.map() with Promise.all and void operator to properly handle the array of promises for executing queued logs.
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Refactor promise handling in global and sync event handlers
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6987
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Apply import sorting with perfectionist/sort-named-imports rule
- Add perfectionist/sort-named-imports oxlint rule
- Sort named imports: value imports before type imports
- Update component-library and desktop-client files to match new rule
* Add release notes for linting updates on named imports
* Update linting rules and replace @ts-ignore with @ts-expect-error
* Add release notes for PR #6636
* Fix TypeScript linting issue by adding @ts-ignore for electron types in server start message
* Change category to Maintenance and update linting rules
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* Added Global Synced Prefs
* [autofix.ci] apply automated fixes
* Add release notes for PR #6234
* typecheck
* lint fix
* Refactor global synced preferences to server preferences
- Removed global synced preferences implementation and related files.
- Introduced server preferences with a new slice and hooks for managing user settings.
- Updated components and hooks to utilize server preferences instead of global synced preferences.
- Adjusted Redux store and mock configurations to reflect the changes.
- Enhanced user settings consistency across devices with the new server preferences structure.
* Implement server preferences for feature flags and enhance admin permissions
- Updated the Experimental component to conditionally display based on user permissions and login method.
- Refactored feature flag handling to use 'flags.plugins' instead of 'plugins'.
- Introduced server-side checks to restrict access to server preferences for admin users only.
- Added comprehensive tests for server preferences management, ensuring proper handling of user roles and preferences.
* Enhance error handling in saveServerPrefs thunk
- Updated the saveServerPrefs async thunk to handle potential errors from the server response.
- Added a check for the presence of an error in the result and return it accordingly.
- Ensured that preferences are still dispatched to the store upon successful save.
* Feedback: strict "flags.plugins" typing
* Feedback: move state slice
* Feedback: localstorage pref
* Feedback: move serverPrefsSlide into prefsSlice
* Refactor: Remove duplicate import of PostError in app.ts
* Rename serverPrefs state slice property to server (#6596)
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
* Fix LHV bank adapter not being loaded due to filename mismatch
The bank-factory.js loads bank adapters by filtering for files containing
underscores, but lhv-lhvbee22.js used a hyphen. This caused the LHV adapter
to never be loaded, falling back to the generic IntegrationBank handler
which doesn't extract payee names from card transaction remittance info.
Rename lhv-lhvbee22.js to lhv_lhvbee22.js to match the naming convention
used by all other bank adapters.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add release notes for PR #6533
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* [autofix.ci] apply automated fixes
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* 🔖 (26.1.0)
* Trigger CI
* Remove used release notes
* Add release notes for version 26.1.0
This commit introduces the release notes for version 26.1.0, highlighting notable improvements such as currency display in the budget, mobile schedules functionality, link detection in transaction notes, and an extension of historical data. The release also includes various enhancements, bug fixes, and maintenance updates, acknowledging contributions from multiple developers.
* Update spelling expectations and release notes for version 26.1.0
This commit adds new terms to the spelling expectations file and updates the release notes to reflect changes in the documentation, including formatting improvements for clarity. Notable contributions from various developers are acknowledged.
* Add new terms to spelling expectations file
This commit updates the spelling expectations by adding new terms, enhancing the accuracy of the documentation spell-checking process. The changes include the addition of 'jws' and 'oxc' to the list of expected terms.
* Update release notes for version 26.1.0 to include Flathub availability for Linux users
* Update release notes to reflect Docker tag for version 26.1.0 in documentation
---------
Co-authored-by: MatissJanis <886567+MatissJanis@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Initial plan
* Add permission checks for budget deletion
- Server-side: Check if user is file owner or admin before allowing deletion
- Client-side: Hide "Delete from all devices" button for non-owners
- Add comprehensive tests for permission checking
- Non-owners see message that only owner can delete from server
Co-authored-by: MatissJanis <886567+MatissJanis@users.noreply.github.com>
* Add release notes for PR #6338
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6338
* Fix: Change unauthorized to forbidden in delete-user-file
Co-authored-by: matiss <matiss@mja.lv>
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6338
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6338
* Fix: Update error reason from 'unauthorized' to 'forbidden' in delete-user-file response
* Update VRT screenshot for date filter test case
* [autofix.ci] apply automated fixes
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: MatissJanis <886567+MatissJanis@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: matiss <matiss@mja.lv>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
* Update typography rule to disallow curly quotes with auto-fix
- Reverse typography rule to detect and flag curly quotes instead of straight quotes
- Add auto-fixer that converts curly quotes to straight quotes
- Fix auto-fixer to properly escape quotes when they match string delimiters
* Fix quotation marks in error messages and formatting strings across multiple files
- Standardize quotation marks from curly to straight in error messages and string formatting for consistency.
- Update various components and utility files to ensure proper string handling and improve readability.
* Standardize quotation marks across multiple files
- Replace curly quotes with straight quotes in various documentation and code files for consistency and improved readability.
- Update error messages, comments, and documentation to ensure uniformity in string formatting.
* Standardize month formatting across multiple components
- Update month formatting strings from "MMMM 'yy" to "MMMM ''yy" in various components and utility files for consistency.
- Ensure uniformity in how months are displayed throughout the application.
* Refactor typography rule to enhance curly quote handling
- Simplify the error reporting mechanism for curly quotes by creating a shared fix function.
- Update test cases to include various curly quote scenarios for improved coverage.
- Ensure consistent handling of curly quotes in formatting functions across multiple files.
* Refactor typography handling and update tests for curly quotes
- Replace curly quotes with their Unicode equivalents in typography rule and related test cases for consistency.
- Remove unnecessary eslint-disable comments to improve code clarity.
- Ensure proper handling of quotes in arithmetic and utility tests to align with updated typography standards.
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6454
* Fix: Correct typo in budget cell notification message
Co-authored-by: matiss <matiss@mja.lv>
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6454
* Temporarily disable i18n string extraction workflow
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* Add ESM loader support and update sync-server modules
* Update TypeScript configuration and fix bank file import filter in sync-server
* Remove deprecated loader and register files, update TypeScript configuration to use ES2021, and add a new script for automatically adding import extensions to JavaScript files.
* Update test script in package.json to include a custom loader and clean up import extensions script by removing unused 'stat' import.
* feat: Add warning for unresolved imports
Co-authored-by: matiss <matiss@mja.lv>
* [autofix.ci] apply automated fixes
* Remove unused 'import/extensions' rule from ESLint configuration
* Refactor import statements in sync-server
- Updated import path for migrations to remove file extension.
- Added ESLint directive to ignore import extension rule for reset-password script.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* 🔖 (25.12.0)
* force ci
* Remove used release notes
* add blog post
* fix spelling
* make netlify happy?
* last one
* fix some formatting
* remove icns from allowed spelling to avoid accidental misspellings
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6285
* force ci
* force ci
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6285
* revert flaky vrt. please don't update again...
* make the release dates match
---------
Co-authored-by: youngcw <28542559+youngcw@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>