* fix: only count failed attempts against auth rate limit
Add skipSuccessfulRequests: true to authRateLimiter so that successful
logins do not consume quota. This fixes breakage for API clients
(actual-cli, actual-mcp, custom scripts) that re-authenticate per
operation — they always provide the correct password, so they should
never be rate-limited.
Brute-force attackers generate repeated failures and still hit the wall.
Fixes#7706
* Update upcoming-release-notes/7706.md
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
* fix: rename release note to match PR number
---------
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
* 🔖 (26.5.0)
* fix release note generation script (#7635)
* fix release note generation script
* note
* fix cherrypicked commits not being respected and lint race in release note generation workflow (#7640)
* fix cherrypicked commits not being respected and lint race
* note
* coderabbit suggestions
* fix lint
* make double restore possibility safe
* fix lint (#7643)
* Generate release notes for v26.5.0
* add release note highlights
* Fix Sankey income bug, when payee it not set (#7632)
* Ensure income categories are shown correct, even if payee is not set
* Add release note
* Generate release notes for v26.5.0
* increase test coverage for budget templates (#7620)
* [AI] cover existing template engine logic with regression tests
Adds tests for goal template behavior that predates this PR so the
suite can be cherry-picked onto master to confirm no regressions. No
production code changes.
Covers:
- init() validation: schedule names, by/schedule priority match, past
by-target with and without annual/repeat, percentage source not
found, special source aliases, duplicate limit/spend/goal
directives, weekly limit missing start date, invalid limit period,
unrecognized periodic period
- runRemainder cap clamping and hideDecimal fraction removal
- Income-category branch in runTemplatesForPriority
- getLimitExcess against an aggregate weekly cap
- Past by-target rolling forward via the annual period
- runSchedule full=true (no sinking accumulation), percent and fixed
adjustments, completed-schedule filtering, past-date error for
non-repeating schedules, monthly/weekly/daily sinking contribution
branches when interval exceeds the pay-month-of cap, surplus
absorption when last-month balance exceeds the target, and
tracking-budget mode forcing all schedules pay-month-of
- applyMultipleCategoryTemplates orchestration: per-category writes,
cross-category priority clamping when funds run out, error
notification path
- applyTemplate force=false skipping already-budgeted categories
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* note
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix infinite loop when remainder is impossible to solve (#7623)
* fix infinite loop when remainder is impossible to solve
* note
* Generate release notes for v26.5.0
* Update author
Updated author information in the release notes.
* Fix shared worker resumption after tab suspend (#7656)
* [AI] Fix SharedWorker tab resume recovery
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* [AI] Fix SharedWorker reload readiness
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add release notes
* Update packages/desktop-client/src/shared-browser-server-core.ts
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
* Update docs release date
* Empty commit to bump CI
* Generate release notes for v26.5.0
* Revert "Generate release notes for v26.5.0"
This reverts commit b42c48bed5.
---------
Co-authored-by: github-merge-queue <118344674+github-merge-queue@users.noreply.github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Emil Tveden Bjerglund <emilbp@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* [AI] initial
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] review pass 1
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] review pass 2
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] review pass 3
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] review pass 4
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* remove dev localstorage gate
* [AI] block migration for #goal and #cleanup directives
Detect goal templates (`type: 'goal'`) and `#cleanup` lines in the
category notes before rendering the editor. When either is present,
show an unsupported-directive notice instead of the modal body so the
migration helper never runs and the Save flow can't silently overwrite
`template_settings.source` to `'ui'` (which would stop the engine from
reading the notes for those directives).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* note
* [autofix.ci] apply automated fixes
* [AI] don't synthesise refill for monthly+limit simple templates
A `#template 50 up to 200` line parses to a simple template with both
monthly and limit set. The migration helper previously expanded that
into limit + refill + periodic, but the engine's runSimple just budgets
the monthly amount and clamps to the cap — there is no implicit refill
to undo.
Only synthesise the refill for the limit-only form
(`#template up to 200`), where runSimple's fallback returns
limitAmount - fromLastMonth. Update the migration test to match.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] coderabbit fixes
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] coderabbit fixes v2
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] attribute schedule batch contributions per template
Replace the equal-split fallback with each schedule's actual monthly
contribution (computed inside runSchedule) so the per-row UI projection
reflects real cost rather than total / count.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] coderabbit v3
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] coderabbit v4
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] fix unclearable integer inputs in automation editors
GenericInput type=number fired onChange on every keystroke and the
dispatcher coerced empty/0 back to 1, so the field snapped back before
the user could retype. Switch to a local string state that commits and
clamps on blur, with min/step constraints on the native input.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] coderabbit v5
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Update packages/desktop-client/src/components/budget/goals/templateHelpers.tsx
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* Update packages/desktop-client/src/components/budget/goals/templateHelpers.tsx
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* [autofix.ci] apply automated fixes
* remove comment
* s/rule/automation
* update note wording
* tweak hold checkbox wording
* deduplicate translation strings
* rename buildPresetSeeds
* deduplicate example text
* update wording about how easy automations are
* s/P/Priority
* reuse week template
* replace week displayType with fixed
* lodash debounce
* [autofix.ci] apply automated fixes
* more graceful error handling
* change default priority to 1
* align ui and text language for available funds & all income
* fix tests
* coderabbit v{lost_count}
* more coderabbit
* extract isValidYearMonth
* extract automationExamples
* split out into multiple files
* split down templateHelpers
* [AI] cover PR additions to template engine
Tests targeting code introduced in this PR:
- per-template attribution map (perTemplateContribution) on
CategoryTemplateContext for sibling periodic templates, batched `by`
templates, limit-clamped totals, and remainder weights
- runBy now returns { toBudget, perTemplateNeed }
- runSchedule now returns perScheduleMonthly keyed by trimmed name,
including a multi-schedule pay-month-of + sinking-fund mix
- dryRunCategoryTemplate end-to-end through computeTemplates, in both
narrow-scope and wide-scope (remainder / available funds) branches
- checkPercentage now accepts category ids (UI form), not just names
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix repeat every month error
* coderabbit again.
* Update packages/desktop-client/src/components/budget/goals/automationMessages.tsx
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* Update packages/desktop-client/src/components/budget/goals/automationMessages.tsx
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* [autofix.ci] apply automated fixes
* plural aware translation strings
* move + out of translation string
* fix types
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Julian Dominguez-Schatz <julian.dominguezschatz@gmail.com>
* Enable auto enrichment in coderabbit configuration
* Add release notes for PR #7664
* Change category to Maintenance and update description
Updated the category from 'Features' to 'Maintenance' and revised the description.
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Make TypeScript work in test files across packages
Match the CRDT package's tsconfig pattern in loot-core, desktop-client,
api, and desktop-electron so test files participate in the project graph
(IDE intellisense, project-wide typecheck) while production builds still
emit clean declaration files.
- Remove test-file exclusions from each package's main tsconfig
- Add tsconfig.build.json for loot-core and api with test exclusions,
used by the build scripts
- Add e2e/tsconfig.json for desktop-client and desktop-electron with
Playwright types
- Fix latent type errors in test files now caught by typecheck
- Disable typescript/unbound-method for test files (mock matcher pattern)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Release notes
* [AI] Address review feedback on test type fixes
- goal-template.test.ts: extract amounts to typed locals so single-value
assertions no longer compare against unknown
- category-template-context.test.ts: replace `as unknown as DbCategory`
double-cast with a fully-typed object using `satisfies DbCategory`
(the previous mock had `is_income: true` which doesn't match the
`1 | 0` shape the cast was hiding)
- api/tsconfig.build.json: broaden test exclude pattern to `**/*.test.ts`
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Widen toMatchThemeScreenshots matcher to accept Page
The matcher's runtime impl already handled both Page and Locator
(via `typeof locator.page === 'function'` branch), but the type only
declared Locator. Call sites pass a Page (`expect(page).toMatchThemeScreenshots()`),
which now compiles cleanly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Type window.Actual in e2e fixtures and refactor matcher
- Pull loot-core/typings/window.ts into the e2e tsconfig include so
the ambient `window.Actual` augmentation is visible.
- Refactor toMatchThemeScreenshots to derive a Page once via
`'page' in target`, then call evaluate on the page consistently.
The previous union-typed access (locator.evaluate, locator.page)
didn't typecheck on Locator | Page.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Drop tsconfig.build.json for loot-core and api
The build-config indirection was incomplete protection: typecheck
(`tsgo -b` against the main tsconfig, which now includes test files)
already emits `*.test.d.ts` into `@types/`, and the build step does
not clean before re-emitting. The same is observable in crdt's
`dist/`, which currently contains test declarations on disk.
What actually keeps test declarations out of the npm tarball is the
`files` field in package.json — and loot-core already uses that
mechanism for source files (`\!src/**/*.test.ts`). Extending the same
pattern to `@types/` is more direct than maintaining a duplicate
tsconfig that doesn't reliably do its job.
- Delete loot-core/tsconfig.build.json; revert build to `tsgo -b`;
add `\!@types/**/*.test.d.ts*`, `\!@types/**/__tests__/**`,
`\!@types/**/__mocks__/**` to `files`.
- Delete api/tsconfig.build.json; revert build to
`vite build && tsgo --emitDeclarationOnly`; add
`\!@types/**/*.test.d.ts*` to `files`.
Verified: `yarn pack --dry-run` excludes all test declarations from
both packages while production declarations still pack (428 .d.ts
files for loot-core, methods.d.ts for api).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Standardise crdt to drop tsconfig.build.json
Apply the same simplification as loot-core and api: a single tsconfig
per package, with `files`-field negations preventing test
declarations from being published.
Note: this also fixes a pre-existing issue where crdt was shipping
`crdt/timestamp.test.d.ts` and `crdt/merkle.test.d.ts` to npm. The
old `tsconfig.build.json` excluded test files from declaration emit,
but the `typecheck` script (`tsgo -b` via the main tsconfig) had
already emitted them into `dist/` and the build did not clean
first, so they were packed via `"files": ["dist"]`.
After this change, `yarn pack --dry-run` packs only production
declarations (10 .d.ts files) and excludes the test ones.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Add iconography, placeholders, and dropdown chevrons to mobile transaction form
Brings the mobile new-transaction screen in line with the design mockup so
each field shows a leading icon, dropdown affordances surface on the right,
and empty pickers display a placeholder hint.
- Extend TapField with optional icon/placeholder props (placeholder uses
formInputTextPlaceholder when value is empty).
- Extend InputField with an optional icon prop that wraps the input in a
bordered row when present.
- Wire SvgUser/SvgTag/SvgWallet/SvgCalendar/SvgNotesPaper into Payee,
Category, Account, Date, and Notes for both the main form and split
child rows; add a SvgCheveronDown rightContent on Category and Account.
* Add release notes for PR #7639
* [AI] Forward consumer style to inner Input in icon path of InputField
CodeRabbit flagged that consumer-supplied `style` was being applied to the
wrapper View in the icon branch, so input-targeted properties like
`appearance: 'none'` and `minWidth: '150px'` on the Date field never reached
the underlying `<input type="date">`. Move the style spread onto the inner
Input so those styles take effect.
* [AI] Add dropdown chevron to mobile Payee field
Show the chevron on the Payee TapField in both the main form (as the
fallback when neither the Save-location nor Nearby-payee button applies)
and in split child rows, matching Category and Account.
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7639
* [AI] Hide native date picker icon on mobile transaction form
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7639
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* Simplify desktop client browser build
* [AI] Move browser build orchestration into vite config and lage
Moves loot-core worker build, public/ staging (migrations, default-db,
sql-wasm, data-file-index), and build-stats wiring from the deleted
packages/desktop-client/bin/build-browser shell script into a
lootCoreBackend vite plugin in packages/desktop-client/vite.config.mts.
Adds a build:browser target to lage.config.js so bin/package-browser
runs as a single `lage build:browser --to=@actual-app/web` call, with
crdt + loot-core built via lage's ^build dependency before the
desktop-client build.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Refactor e2e-test workflow and update desktop-client configurations
* [AI] Move plugins-service staging into desktop-client vite config
Declares plugins-service as a workspace devDependency of @actual-app/web
so lage's ^build edge picks it up automatically in the build:browser
pipeline, and moves the cross-package file staging (production copy +
dev serving) into vite.config.mts, mirroring the lootCoreBackend
pattern. Drops the plugins-service shell wrapper script and simplifies
its package.json scripts to invoke vite build directly. Updates root
start:browser to run plugins-service watch in parallel with the dev
server instead of pre-building once.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Sync tsconfig project references for plugins-service edge
Follow-up to the plugins-service workspace edge: adds the
../plugins-service project reference in packages/desktop-client/tsconfig.json
via yarn sync:tsconfig-references.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Release notes
* [AI] Ignore .venv/ so lage's git hasher skips Electron CI's Python venv
Electron CI provisions a Python virtualenv at the repo root for
setuptools. With browser builds now routed through lage, lage's
git hash-object pass walks untracked-not-ignored files and fails on
the venv's broken lib64 symlink ("fatal: Unable to hash .../.venv/lib64").
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Bake Weblate translations back into VRT/e2e bundle
build-web set download-translations: false and relied on bin/package-browser's
ad-hoc git clone + git pull. That path is fragile inside the playwright
container, so vite's import.meta.glob('/locale/*.json') frequently produced an
empty languages map and the bundle shipped with no en.json. VRTs then rendered
source-code English and diffed against snapshots authored from Weblate strings.
Route translation provisioning back through actions/checkout (download-translations: true)
in build-web and vrt-update-generate, and add --skip-translations to bin/package-browser
(mirroring bin/package-electron) so the in-script git pull is bypassed when CI
has already staged the locale dir.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Skip translation cloning in build-web bundle for VRT determinism
bin/package-browser used to unconditionally clone actualbudget/translations
before vite ran, baking Weblate en.json into the build artifact. With the
e2e-test pipeline now serving that artifact via serve-build.mjs, VRT
screenshots ended up rendering Weblate strings — drifting from the snapshots,
which were authored against source-code English (master VRTs ran on vite dev
without a locale dir).
Pass --skip-translations to bin/package-browser from build-web so the bundle
ships with no locale chunks. download-translations stays 'false' across the
e2e-test and vrt-update-generate workflows, matching the prior behavior.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: disable contextual alternates in Inter font to prevent unwanted character substitution
Fixes#6351
The Inter font calt feature replaces x between digits with a
multiplication sign. Disable it while preserving ss01 and ss04.
* [autofix.ci] apply automated fixes
* Add release notes for PR #7375
* [autofix.ci] apply automated fixes
* Fix release notes category casing
* Add authors field to release notes
* Update upcoming-release-notes/7375.md
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
* fix: show consistent 'Date is a required field' error in add transaction
When adding a new transaction with a missing date, the UI surfaced the
generic 'Something internally went wrong' error instead of a specific
message, while missing account showed 'Account is a required field'.
Add an analogous date validation mirroring the existing account check,
so both required-field errors are consistent.
Fixes#7424
* fix: prevent empty date from reaching server when clearing date input
When adding a transaction, clearing the date field and clicking Add
caused DateSelect's blur handler to save an empty string as the date
via onSelect(''). The server rejected '' as an invalid date, emitting
a generic "Something internally went wrong" error.
The previous fix (adding a date check in the shouldAdd guard) didn't
work because the cell save fires on blur BEFORE shouldAdd runs — by
the time shouldAdd checks the date, it's either already sent to the
server or reverted by DateSelect's clearOnBlur logic.
Fix: change DateSelect's empty-input blur path to restore the previous
valid date instead of propagating ''. This prevents the invalid value
from ever reaching the cell save handler or the server.
Verified locally: clear date → click Add → date restores to previous
value and transaction saves normally. No generic error.
Fixes#7424
* [AI] Keep mobile transaction amount field at a consistent height when empty
When the user backspaced every digit while editing the amount on the
mobile transaction form, the inner <Text> span had no content and
collapsed the pill to zero height. Fall back to a non-breaking space so
the line box keeps its natural font-driven height even when the input
is momentarily empty.
* Add release notes for PR #7638
* [AI] Use amountToCurrency(0) instead of nbsp when amount input is empty
Mirrors the unfocused-zero display rather than rendering a blank pill,
and respects the user's hideFraction pref and locale separators
through amountToCurrency.
* Simplify description of mobile transaction field height
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] cover existing template engine logic with regression tests
Adds tests for goal template behavior that predates this PR so the
suite can be cherry-picked onto master to confirm no regressions. No
production code changes.
Covers:
- init() validation: schedule names, by/schedule priority match, past
by-target with and without annual/repeat, percentage source not
found, special source aliases, duplicate limit/spend/goal
directives, weekly limit missing start date, invalid limit period,
unrecognized periodic period
- runRemainder cap clamping and hideDecimal fraction removal
- Income-category branch in runTemplatesForPriority
- getLimitExcess against an aggregate weekly cap
- Past by-target rolling forward via the annual period
- runSchedule full=true (no sinking accumulation), percent and fixed
adjustments, completed-schedule filtering, past-date error for
non-repeating schedules, monthly/weekly/daily sinking contribution
branches when interval exceeds the pay-month-of cap, surplus
absorption when last-month balance exceeds the target, and
tracking-budget mode forcing all schedules pay-month-of
- applyMultipleCategoryTemplates orchestration: per-category writes,
cross-category priority clamping when funds run out, error
notification path
- applyTemplate force=false skipping already-budgeted categories
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* note
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Cache the CLI's local budget between invocations
Every `actual <cmd>` call currently delta-syncs the budget with the
sync server via `api.downloadBudget`, which hits the server's
500-req/min rate limit on scripted workflows. Actual is local-first:
once the budget is on disk, most read commands do not need fresh
server data.
Introduce a CLI-only cache layer inside `withConnection` that
decides per invocation whether to skip, sync, or re-download:
- Cache state lives at `{dataDir}/.actual-cli/{syncId}/state.json`,
keyed by `syncId` to avoid the chicken-and-egg of not knowing the
on-disk `budgetId` before the first download. The on-disk id is
resolved via `api.getBudgets()` and persisted after first download.
- Read commands (list, balance, query run, …) skip the `/sync`
call while `now - lastSyncedAt < cacheTtl`. Write commands
(create, update, delete, set-*, etc.) sync before and after the
operation to keep server state consistent.
- Encrypted budgets force a sync per call since `api/load-budget`
does not re-verify the password.
- New `proper-lockfile`-backed shared/exclusive lock serializes
writes while allowing parallel reads. Reader markers live in
`{meta}/readers/`; writers sweep stale markers by PID.
New `actual sync` command with three modes: default (sync now),
`--status` (print cache age, TTL, stale flag), `--clear` (delete
cache, holding the exclusive lock to avoid racing writers).
New config surface, following the existing flag → env → config file
→ default precedence chain:
- `--cache-ttl <s>` / `ACTUAL_CACHE_TTL` / `cacheTtl` (default 60)
- `--refresh` / `--no-cache`
- `--lock-timeout <s>` / `ACTUAL_LOCK_TIMEOUT` / `lockTimeout` (10)
- `--no-lock` / `ACTUAL_NO_LOCK` / `noLock`
Every `withConnection` call site now passes an explicit
`{ mutates: boolean, skipBudget?: boolean }` so read/write intent is
visible at the edge.
The old `budgets sync` subcommand is removed — it silently diverged
from the new top-level `actual sync`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Simplify CLI cache/lock internals
Use a discriminated SyncDecision union so connection.ts no longer needs
non-null assertions on the cached state. Thread the resolved CliConfig
through withConnection's callback to drop duplicate resolveConfig calls
in the sync and budgets commands. Extract an errorCode helper and
replace the existsSync+readdirSync TOCTOU pattern in the reader-wait
polling loop with a single readdir that tolerates ENOENT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Address PR #7539 review comments
- cache.ts: use a unique per-writer tmp filename so concurrent shared-
lock writers (encrypted budgets, --refresh, stale TTL) don't clobber
each other's publish and silently drop state updates.
- index.ts/config.ts: fix --no-cache and --no-lock flags. Commander
stores --no-foo under the positive key (cache/lock) and an explicit
false default makes the flag a no-op; the previous code also read
the wrong keys (noCache/noLock) so the flags had no effect at all.
Derive refresh/noLock from the correct keys.
- budgets.ts: invert encryption password precedence so the subcommand
flag (--encryption-password) wins over env/config-file values.
- sync.ts: report stale=true in --status when lastSyncedAt is in the
future, matching decideSyncAction's clock-skew handling.
- connection.ts: drop unnecessary `as` cast on api.getBudgets() now
that the return type is Promise<APIFileEntity[]>.
- utils.ts: parseBoolEnv throws on unrecognized values instead of
silently returning undefined so typos like ACTUAL_NO_LOCK=yes fail
loudly.
- Shorten 7539 release note to a single user-facing sentence.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: restored default functionality from v26.3.0 for reimport deleted transactions. import-reimport-deleted is now a synced pref that persists between imports
* release notes
* release note update
---------
Co-authored-by: Alec Bakholdin <alecbakholdin.com>
* Refactor to use directed, weighted graph as datamodel
* Fix percentage labels
* Reimplement sorting and topN handling
* Fix typing. Show toBudget on graph.
* Implement better DAG model
* Fix Other-grouping with new datamodel
* Add global sorting
* Reorder spreadsheet code for clarity
* Add percentageLabels back
* Fix all sorting modes
* Better color handling
* Handle if overbudgeted
* Fix filtering issue related to hidden nodes for Spent report
* Implement enums for special names
* Linting and typechecking
* Add layer selectors
* Trim SankeyCard
* Fix issue with empty nodes making the graph unreadable
* Add release note
* Update release note
* Reorder code
* Address coderabbit comments
* Ensure that layer-from and layer-to cannot be equal
* Update layer selectors to match selected view mode
* Fix wrong graph object reference
* Cap regex length
* Fixed wrong layer assignment for budget income categories
* Make translation not optional in createSpreadsheet
* Use predefined suffix for 'Other'
* Avoid invalid layer selection for Budgeted
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7582
* Import translation in spreadsheet, instead of passing as argument
* Remove all non-null assertions and handle safely
* Fix most uses of 'as'
* Fix issues hiding Other categories and giving wrong toBudget value
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Notify Discord when nightly theme catalog scan fails
Adds an if: failure() step to the validate-theme-catalog job that posts a
minimal alert to the DISCORD_WEBHOOK_URL webhook with a link back to the
failing workflow run. Fires on both theme validation failures (script exits
1) and earlier step failures (checkout/setup), so infrastructure breakage
is also surfaced. nofail: true keeps a Discord outage from cascading into
a red job.
* [AI] Drop setup comment from Discord notify step
* [AI] Move Discord notify to its own job gated by an environment
Splits the notify step into a separate notify-failure job that depends on
validate-theme-catalog and runs only on failure. The new job binds to the
nightly-alerts GitHub Environment so the DISCORD_WEBHOOK_URL secret is
scoped to a dedicated environment rather than inherited at the repo level
(zizmor secrets-without-environment).
* [AI] Add release notes for 7595
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Fix Docker build for workspace:* dependencies
Since @actual-app/crdt became a workspace:* dep, `yarn workspaces focus
--production` creates relative symlinks in node_modules that dangle when
only node_modules is copied into the prod image, breaking local Docker
builds with ERR_MODULE_NOT_FOUND: @actual-app/crdt.
Dereference yarn's workspace symlinks in the builder stage with `cp -RL`
so the prod stage can copy a self-contained node_modules without needing
to enumerate which workspace:* deps exist. Adding a new workspace:* dep
now requires zero Dockerfile changes.
Also move the sync-server .dockerignore to the repo root (and drop stray
local node_modules / .git / .yarn caches from the build context), since
docker builds use the repo root as context — the old sync-server-level
file was no longer being applied.
Fixes#7561.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Strip dev-only dirs from dereferenced workspace packages
The generic `cp -RL` step copies full workspace package trees into the
image (src/, e2e/, tests, build-stats, etc.). Remove them after the
dereference — they're not needed at runtime, and skipping them recovers
~67MB from the final image on both alpine and ubuntu variants.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Rephrase 7564 release note to be user-facing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Add per-schedule custom upcoming length override
* [AI] Add release notes for PR #7434
* [AI] Add custom length option to per-schedule upcoming length selector
* [AI] Deduplicate preset values and guard against malformed custom upcoming length
* [autofix.ci] apply automated fixes
* [AI] Retrigger CI (flaky accounts E2E test)
* [AI] Improve schedule editor layout for upcoming length field
Restructure the custom upcoming length from a checkbox + conditional
dropdown into a proper FormField with a single Select that includes
"Use global default" as the null option. Place it in a responsive
side-by-side row with the auto-post checkbox, consistent with the
form's existing layout patterns.
* [AI] Address CodeRabbit review feedback
Tighten custom upcoming length validation with a proper regex
instead of a loose hyphen check. Replace fixed height with minHeight
on the auto-post checkbox row to avoid clipping translated labels.
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7434
* [AI] Fix custom_upcoming_length not persisting on mobile
The mobile schedule save handler was missing the custom_upcoming_length
field from the payload sent to schedule/create and schedule/update.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* [AI] Expose API entity types via @actual-app/api/models
Adds a new `./models` subpath export on `@actual-app/api` that re-exports
the public API entity types (`APIAccountEntity`, `APICategoryEntity`,
`APICategoryGroupEntity`, `APIFileEntity`, `APIPayeeEntity`,
`APIScheduleEntity`, `APITagEntity`, `AmountOPType`) from
`@actual-app/core/server/api-models`. Consumers can now import these types
from a stable public entry point instead of reaching into core internals:
import type {
APICategoryEntity,
APICategoryGroupEntity,
} from '@actual-app/api/models';
Uses `export type *` so the compiled `dist/models.js` is empty and no
runtime code is added. The Vite lib config is expanded to a multi-entry
map (`index`, `models`) so both bundles are produced, and tsgo already
emits `@types/models.d.ts` via the existing `declarationDir` setup.
* Add release notes for PR #7581
* Modify release notes for API model exports
Updated category from 'Features' to 'Enhancements' and added API export details.
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Add nightly CI scan for custom theme catalog
Adds a scheduled GitHub Actions workflow that fetches `actual.css` from
every repo in `customThemeCatalog.json` and runs it through the same
`embedThemeFonts` + `validateThemeCss` pipeline the app uses at install
time. Failing themes fail the job so maintainers get an alert when a
third-party repo introduces a regression.
The scan treats fetched CSS as opaque text: never executed, never
injected into a DOM, size-capped at 512 KB per file, 15s per fetch,
restricted to raw.githubusercontent.com with redirects disabled, and
run with `contents: read` permissions only. Each catalog `repo` is
schema-checked against `owner/repo` before being interpolated into
the URL.
* [AI] Simplify theme catalog scan
- Reuse `CatalogTheme` type from customThemes instead of duplicating as
`CatalogEntry` in the script.
- Hoist `appendFileSync` to the static `node:fs` import; drop the dynamic
import inside `writeStepSummary`.
- Drop the narrative header docstring and the trailing `// ...` comments
that just restated constant names.
- Drop the redundant URL-prefix re-check inside the CSS fetch helper;
the single call site constructs the URL from a pinned literal.
- Drop the 250 ms inter-request delay (GitHub Raw rate limits are not
relevant for 21 requests, and the trailing delay was idle wall-clock
against the 10-min job budget).
- Give each font fetch inside `embedThemeFonts` its own 15 s timeout
via `AbortSignal.any`, instead of sharing one signal across every
font in a theme. Drop the now-unnecessary caller-supplied signal
from the CI call site.
* [AI] Fix lint on theme catalog scan imports
* [AI] Speed up and stabilize Playwright e2e tests
- Serve the prebuilt browser bundle via bin/serve-build.mjs in CI to
skip per-shard Vite startup; 3-shard matrix with 4 workers each.
- Disable CSS animations in non-VRT runs via a fixture-level init
script; bump expect timeout to 10s for AutoSizer-bound assertions.
- Use page.evaluate() for React Aria button clicks and a native value
setter + single input event for controlled-input fills to eliminate
React Aria re-render races in createAccount and Payee/Category
autocompletes.
- Click the matching option directly (instead of Enter on a not-yet-
highlighted list) in mobile transaction and schedule autocompletes.
- FocusableAmountInput.applyText reads the DOM input value so the
typed amount survives a blur that fires before React flushes the
onChange state update under CPU contention.
- MobileTransactionEntryPage.fillAmount waits for the outer display
button (reads parent props.value) so async rules-run completes
before the next fillField snapshots the transaction.
- MobileNavigation dispatches nav link clicks through evaluate() to
bypass Playwright's viewport-stability check against the navbar's
react-spring transforms.
- MobileBudgetPage summary-button lookups use locator.or().waitFor()
instead of an isVisible() cascade.
- ConfigurationPage.startFresh/createTestFile wait for the account
header / budget table to mount before returning.
- Workflow hardening: persist-credentials=false on all actions/checkout
and top-level permissions: contents: read (zizmor findings).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* [AI] Apply animation-disable init script to browser.newPage pages
The previous implementation extended the test-scoped `page` fixture,
but every test creates its own page via `browser.newPage()` and never
uses the fixture-provided page — so the init script was a no-op in
every test.
Move the wrap to the worker-scoped `browser` fixture: intercept
`browser.newPage` so each page created that way has `addInitScript`
applied before the caller can navigate to it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The `Publish nightly npm packages` workflow started failing at the
"Pack the core package" step with:
Cannot find module '@actual-app/crdt' or its corresponding type declarations.
PR #7541 switched `@actual-app/crdt`'s package.json to conditional
exports (`types` → `./dist/index.d.ts`). `yarn pack` for
`@actual-app/core` triggers a prepack that runs `tsgo -b`, which now
resolves `@actual-app/crdt` via the `types` condition and expects
`packages/crdt/dist/index.d.ts`. Nothing was building crdt first
because loot-core's tsconfig didn't declare it as a project
reference.
Fix: declare the project reference so `tsgo -b` walks the graph and
builds crdt before loot-core. Sibling packages already do this.
Also adopt `@monorepo-utils/workspaces-to-typescript-project-references`
to keep each package's tsconfig `references` in sync with its
`workspace:*` deps, and wire it into a new `yarn check:tsconfig-references`
step in the `check` CI job plus lint-staged. Running the tool added
`../desktop-client` references to sync-server and desktop-electron
(both declare `@actual-app/web` as a workspace dep even though they
only use it at runtime via `require.resolve`); the extra references
are harmless — in CI the corresponding build is already cached by
earlier steps.
https://claude.ai/code/session_01AA2gEMqX24GWeq5BovNmaz
* [AI] Add AI Usage Policy for contributors
Add a contributor-facing AI Usage Policy page modeled on ESLint's version,
covering disclosure, human-only interaction with maintainers, and author
responsibility. Wire it into the docs sidebar, link it from the contributing
index and the root CONTRIBUTING.md.
https://claude.ai/code/session_012RspFcLedoUjbEYknJYPiL
* [AI] Unwrap AI policy paragraphs, renumber release note
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Run setup once per workflow and fan out via needs
Add a prep `setup` job at the top of `check.yml` and `build.yml`, and
make every other job in those workflows declare `needs: setup`.
The composite action in `.github/actions/setup` caches `node_modules`
keyed on `yarn.lock`. When that hash changes (dep-bump PRs, master after
a merge), the cache is cold and every fan-out job races to run
`yarn --immutable` in parallel — one wins the cache save, the rest do
redundant work. Serialising through a single `setup` job warms the
cache once so downstream jobs restore instantly and skip yarn install
via the existing `if: steps.cache.outputs.cache-hit != 'true'` guard.
No changes to the composite action or cache keys. `e2e-test.yml` is
intentionally left alone.
* [AI] Harden setup jobs and add release note
Address zizmor code-scanning findings on the new `setup` jobs added in
the previous commit:
- Scope `permissions: contents: read` so the job no longer inherits
workflow-default write permissions.
- Pass `persist-credentials: false` to `actions/checkout` so the GitHub
token isn't left on disk for later steps that don't need it.
Add `upcoming-release-notes/7551.md` to satisfy the release-notes PR
check.
* [AI] Disable credential persistence on build.yml checkouts
Each of `api`, `crdt`, `web`, `cli`, `server` in build.yml does
`actions/checkout` (which writes the GitHub token into `.git/config`)
and then uploads build artifacts in the same job. Zizmor flags this as
"credential persistence through GitHub Actions artifacts" because a
misconfigured upload path could capture `.git/config` and leak the
token.
None of these jobs push or write to git, so drop the credential
persistence via `persist-credentials: false` on the checkout.
* [AI] Disable credential persistence on check.yml checkouts
None of the jobs in check.yml (`constraints`, `lint`, `typecheck`,
`validate-cli`, `test`, `migrations`) push or write to git, so pass
`persist-credentials: false` to their `actions/checkout` calls to
resolve the zizmor "credential persistence" finding. Mirrors the fix
just applied to build.yml.
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Disable bundle minification for readable production error messages
The desktop-client had dead terserOptions (no `minify: 'terser'` was set, so
Vite's default esbuild minifier ran with name mangling). The loot-core and
plugins-service workers used Terser with mangle:false but still compressed.
Set `minify: false` across all three browser build configs so production
stack traces are human-readable.
https://claude.ai/code/session_01VEywxebiNYAgJia35fygQx
* [AI] Rename release note to match PR number
https://claude.ai/code/session_01VEywxebiNYAgJia35fygQx
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Disable fail-fast for Electron build matrices
Prevents cancellation of in-progress platform builds when one fails, so
Windows/macOS/Linux results are all visible on a single run.
* Add release notes for PR #7547
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Persist custom CSS overrides as a standalone global pref
Moves the custom CSS override out of the InstalledTheme JSON blob into
a dedicated customCssOverride global pref so that overrides survive
switching themes, clearing installed themes, or toggling auto/light/dark
mode. Includes a one-time migration that lifts the legacy overrideCss
field out of installedCustomLightTheme / installedCustomDarkTheme JSON.
- Add customCssOverride global pref (loot-core types + server defaults)
- Inject the override as a trailing style layer in CustomThemeStyle so
it layers on top of any installed custom theme
- Drop overrideCss from the InstalledTheme type; extractLegacyOverride
+ migrateLegacyOverride handle the one-time lift with whitespace trim
- Run the migration from CustomThemeStyle with an idempotent effect that
re-runs safely once prefs hydrate
- Bind the ThemeInstaller textarea directly to the new pref
- Add a "Custom CSS is active" indicator button next to the theme
selector that opens the installer for editing the override without
flipping auto mode to light
- Pre-switch out of auto when the user picks "Custom theme" from the
main selector, so the flag that used to distinguish entry points goes
away and handleInstall collapses to a pure slot dispatch
- Tests: hermetic Themes settings tests, expanded customThemes unit
tests covering extraction/migration/trim edge cases, updated
ThemeInstaller tests for the new pref binding
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Address review feedback for custom CSS override installer
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Defer auto-mode theme switch and guard stale installer callbacks
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] sync-server: use workspace reference for @actual-app/crdt
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Update build script in sync-server package to use TypeScript's build mode
* Package electron
* [AI] crdt: add conditional exports so Node can load the built bundle
Before this change the root exports entry pointed at `./src/index.ts`, so
any pure-Node consumer (notably the sync server that Electron forks as a
utility process) failed to import `@actual-app/crdt` — Node can't execute
TypeScript source directly. Sync-server had been masking this by pulling
`@actual-app/crdt@npm:2.1.0` where `publishConfig.exports` resolves to
`./dist/index.js`; once sync-server switched to `workspace:*`, the
Functional Desktop App CI job timed out waiting for the sync server to
boot.
Switch to conditional exports in the same shape `@actual-app/api` already
uses:
- `types` → `./dist/index.d.ts` for TypeScript tooling
- `development` → `./src/index.ts` for Vite/Vitest (HMR, fast feedback)
- `default` → `./dist/index.js` for Node runtime
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Add 'Last 30 days' date range option to custom reports
Add a rolling 30-day date range to the Live mode date filter in custom
reports. The option appears between 'Last month' and 'Last 3 months'
and is available for Daily, Weekly, and Monthly intervals.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* [autofix.ci] apply automated fixes
* Fix release note filename and author to match PR #7217
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* [AI] Emit bundle stats from the crdt package
The crdt package was the only published library without a stats.json
artifact. Migrate its build to Vite (mirroring the api/cli setup), wire
in rollup-plugin-visualizer to emit dist/stats.json, and upload it from
the CRDT CI job. Declarations are still produced by tsgo via
--emitDeclarationOnly.
https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ
* Add release notes for PR #7537
* [AI] crdt: drop redundant rm -rf dist from build script
Vite's build.emptyOutDir: true already clears the output directory
before writing, so the leading rm -rf dist is unnecessary.
https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ
* [AI] Include crdt in the size-compare bundle stats table
Wait for the crdt build check on both the base branch and the PR,
download the crdt-build-stats artifact for each, and pass it to
bundle-stats-comment.mjs so the summary table rendered on the PR
includes a row for the crdt package alongside desktop-client,
loot-core, api, and cli.
https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* Apply suggested fix to packages/desktop-client/src/components/modals/EditFieldModal.tsx from Copilot Autofix
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* Apply suggested fix to packages/desktop-client/src/components/modals/EditFieldModal.tsx from Copilot Autofix
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* note
* fix typo in note
* remove useless conditions
---------
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
* [AI] Fix regex checkbox label contrast in notes modal (#7514)
Apply theme.menuAutoCompleteText color to the "Use Regular Expressions"
checkbox label in the find-and-replace tab so it contrasts with the
menuAutoCompleteBackground modal background.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: rename release note file to match PR number
The CI expects the release note file to be named after the PR number
(7515), not the issue number (7514).
---------
Co-authored-by: liuren.lcy <liuren.lcy@antgroup.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Refactor IS_GENERIC_BROWSER env var to --mode=browser
Replace the IS_GENERIC_BROWSER environment variable with Vite's built-in
--mode=browser flag to distinguish browser builds from Electron builds.
This aligns with the existing --mode=desktop pattern used for Electron
production builds.
Also fix build-shims.js to derive NODE_ENV from import.meta.env.DEV
instead of import.meta.env.MODE, so custom modes don't leak into
process.env.NODE_ENV.
https://claude.ai/code/session_014HvkpR59Ke4eUoiUzsUruv
* Add release notes for PR #7466
* [AI] Fix COOP/COEP headers not set with --mode=browser
The server.headers config was gated on mode === 'development', which
excluded --mode=browser. Since server.headers only applies during
vite serve (not builds), always set the COOP/COEP headers. These are
required for SharedArrayBuffer support used by the SQLite backend.
https://claude.ai/code/session_014HvkpR59Ke4eUoiUzsUruv
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Add scoped ErrorBoundary to Rules page to contain rendering crashes
* [autofix.ci] apply automated fixes
* docs: add release notes for ErrorBoundary PR
* fix(rules): add resetKeys to ErrorBoundary for route navigation reset
In react-error-boundary v6, the boundary does not auto-reset when the
user navigates away and back. Adding resetKeys={[location.pathname]}
ensures the error state clears on route changes.
This contribution was developed with AI assistance (Claude Code).
* fix(rules): show error message in fallback UI and log to console
Addresses reviewer feedback on #7437: surface error.message in the
FeatureErrorFallback so users can copy-paste when reporting issues,
and log the error to the console via useEffect so the error isn't
swallowed by the boundary.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [AI] Add publishConfig.imports sync validator with pre-commit integration
Add a TypeScript script that validates publishConfig.imports stays in sync
with imports in all packages/*/package.json files. Runs automatically in
the pre-commit hook via lint-staged with --fix mode.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7469
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Guard main() with require.main and respect lint-staged file args
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Handle non-string imports targets in derivePublishImports
- Add type guard to check for non-string values in imports
- Throw descriptive error when conditional imports are encountered
- Update type signature to accept Record<string, string | object>
- Add test case for non-string imports error handling
This prevents TypeError when packages have conditional imports (e.g., #browser-preload in desktop-client)
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Limit resolvePackageJsonPaths scope to packages directory
- Add packagesRoot constant to restrict path resolution
- Update while loop condition to only traverse within packages directory
- Add additional check to ensure candidate paths are under packages/
- Prevents resolution to repo root package.json for missing/deleted files
This ensures the validator only processes package.json files under packages/* and avoids accidentally targeting the monorepo root manifest.
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix type errors for API consumers by shipping .d.ts declarations from loot-core
Downstream consumers of @actual-app/api with strict: true get type errors
because @actual-app/core exports raw .ts source files. Consumers' tsc
follows the import chain into core's source (compiled with strict: false),
and skipLibCheck doesn't help since it only skips .d.ts files.
Add "types" conditions to all imports/exports entries in loot-core's
package.json, pointing to the pre-built declarations in lib-dist/decl/.
Add .npmignore to include lib-dist/decl/ in the published package.
Fixes#7410
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Use prepack/postpack scripts instead of inflating package.json
Replace the inline "types" conditions in imports/exports with a prepack
script that adds them at pack/publish time. This keeps the checked-in
package.json clean while still shipping .d.ts declarations to npm
consumers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Convert prepack/postpack scripts to TypeScript
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7468
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix recursive ExportValue type and remove redundant comment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Rename scripts to .mts and inline types conditions
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Make backup/restore scripts safer
- Check if backup exists before creating it in prepack
- Make restore idempotent by checking if backup exists in postpack
- Prevents overwriting existing backups from interrupted runs
- Addresses CodeRabbit review feedback
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Type api-handlers.ts fields to drop implicit any
The `fields` / export-args slots in the ApiHandlers contract were
untyped, surfacing as TS7008 errors in strict consumers. Replace them
with the `Partial<APIXxxEntity>` shapes the `@actual-app/api` wrappers
already pass, and annotate the matching call sites in `api.ts` with
`@ts-expect-error` where the legacy helpers still declare full-entity
parameters despite accepting partial updates at runtime.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Replace vite-plugin-dts with tsgo for api types
Drops vite-plugin-dts in favor of running tsgo --emitDeclarationOnly
after the vite bundle, eliminating a heavy dev dependency tree
(api-extractor, volar, vue language-core) from the api package build.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add build script to loot-core to emit declarations via lage
`yarn build:cli` failed in CI with TS6305 because api's
`tsgo --emitDeclarationOnly` depends on loot-core's pre-built
`lib-dist/decl/*.d.ts`, but loot-core had no `build` script, so lage's
`^build` cascade silently skipped it. Add `"build": "tsgo -b"` so loot-core
slots into the dependency chain; its tsconfig already has
`emitDeclarationOnly: true`, so the output is declarations only.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Simplify API build
* [AI] Document TypeScript moduleResolution requirement for @actual-app/api
The published declarations rely on package.json exports conditions, which
classic node / node10 resolvers don't honor. Document the supported modes
(bundler / nodenext / node16) in the package README and in the Getting
Started section of the API docs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Type-guard default value in add-types-conditions prepack
`value.default` is typed `ExportValue | undefined`, which allows nested
conditional objects. The previous truthy check fell through to
`shouldSkip(defaultValue)` and would crash on `.endsWith()` if that shape
ever appeared. Replace with a `typeof === 'string'` narrowing and drop a
now-redundant "Insert types as the first key" comment.
No runtime change on current package.json — no nested `default` values
exist today — but the script is not covered by loot-core's tsconfig
include, so the latent type issue was silent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Allow "nodenext" in docs spellcheck expect list
Referenced in the new TypeScript moduleResolution note in the API docs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Move loot-core declarations to @types and whitelist publish with files
Relocate loot-core's composite TypeScript output from lib-dist/decl to the
top-level @types directory, matching the api package's convention. Replace
the old .npmignore blacklist with an explicit package.json files whitelist.
- tsconfig.json: outDir @types, exclude test/mock dirs from decl emission
- scripts/add-types-conditions.mts: rewrite paths to ./@types/src/...
- package.json: files whitelist shipping only src, @types, migrations,
typings, default-db.sqlite; drop legacy typesVersions (docs now require
moduleResolution bundler/nodenext/node16, so the classic-resolution
fallback is unused)
- .gitignore: ignore the new @types build artifact
- lage.config.js: factor outputGlob into a shared BUILD_OUTPUT_GLOBS
constant and add @types/** so lage caches loot-core's decl output
- root tsconfig.json: tighten exclude from packages/api/@types to
packages/*/@types to cover both api and loot-core
- delete .npmignore entirely
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Build loot-core declarations inside prepack
yarn workspace @actual-app/core pack is the first non-setup step in the
publish workflow, running before any build. Without a build chained into
prepack the @types/ tree is empty at pack time, so the tarball shipped a
transformed package.json pointing at ./@types/src/... paths that didn't
exist. npm publish doesn't re-run hooks on a pre-packed tarball, so the
frozen snapshot must be self-contained; prepack now runs yarn build first
to populate @types/ before add-types-conditions rewrites the exports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Update customThemeCatalog.json
* Update customThemeCatalog.json
* [autofix.ci] apply automated fixes
* Update customThemeCatalog.json
* 🎨 You Need A Theme Dark, based on 2026 nYNAB dark
* YNA Theme Dark
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [AI] Add no-extraneous-dependencies lint rule to prevent transitive dependency usage
Closes#7479. Adds a custom ESLint rule that flags imports of packages not
explicitly listed in the workspace's dependencies or devDependencies. Also
fixes all existing violations by adding missing deps and removes unused
deps (@reduxjs/toolkit, @rschedule/json-tools) from loot-core.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix builtin subpath detection and improve cache in no-extraneous-dependencies
Fix false positives for Node.js builtin subpaths (fs/promises, path/posix)
by checking the package name portion against builtins. Also cache all
visited directories during walk-up, not just the starting directory.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Release notes
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix sync-server build not resolving subpath imports
The add-import-extensions build script only handled relative imports
(./ ../), leaving #-prefixed subpath imports unresolved in the build
output. At runtime Node.js resolved them via package.json's imports
map back to source files, which have extensionless imports that fail
in ESM.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for sync-server subpath imports fix
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Simplify subpath import resolution using publishConfig.imports
Use publishConfig.imports which already has ./build/src/ paths with .js
extensions, eliminating manual src->build and .ts->.js conversions.
Also sort wildcard patterns by specificity and extract shared helper.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Use replaceAll for wildcard substitution to satisfy CodeQL
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix path traversal vulnerability in uploadFileWeb
Sanitize user-supplied filename with fs.basename() to strip directory
components (e.g. ../../) before writing to /uploads/, preventing
arbitrary file writes outside the intended directory.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Harden path traversal fix and correct broken basename in web fs
The browser fs.basename implementation was returning the directory part
instead of the filename, making the previous fs.basename() fix
ineffective on the web platform. Replace with inline sanitization that
works regardless of platform: split on path separators, strip null
bytes, reject . and .., and use fs.join for safe path construction.
Also fix the browser fs.basename to actually return the last path
segment, matching the behavior of Node's path.basename.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Revert browser fs.basename change per user request
The browser fs.basename implementation is restored to its original
behavior. The path traversal fix in uploadFileWeb does not depend on
fs.basename.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Add release notes for path traversal fix (#7428)
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Suppress no-control-regex lint for null byte sanitization
The \0 regex is intentional to strip null bytes from filenames as part
of the path traversal fix.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
* [AI] Use replaceAll for null-byte stripping instead of regex
Replace /\0/g regex with replaceAll('\0', '') to avoid triggering
the no-control-regex ESLint rule, removing the need for the
eslint-disable comment.
https://claude.ai/code/session_01UgQANWBxqkqVT7xGyWNAXB
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Enable subpath imports across all packages
Generalize the prefer-subpath-imports ESLint rule to work with any
package (not just loot-core) and enable it globally. Add subpath import
mappings to cli, component-library, and sync-server package.json files.
Auto-fix all backtracked relative imports to use #-prefixed subpath
imports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7462
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix mock specifiers in accounts.test.ts to use aliased imports
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix mock specifiers in query.test.ts to use aliased imports
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix ESLint rule to properly validate src/ directory paths
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Add publishConfig.imports for sync-server to remap aliases to build directory
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Set .husky/pre-commit hook as executable
The pre-commit hook was being ignored by git because it lacked the
executable permission bit, producing a warning on every commit attempt.
https://claude.ai/code/session_016jLmTo6L5PxMKK8wJMptCP
* Add release notes for PR #7461
* Update 7461.md
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Consolidate loot-core connection: default web path, electron split, drop .browser
* [autofix.ci] apply automated fixes
* [AI] Replace browser-preload .browser extension with package.json subpath imports
Use the imports field in desktop-client/package.json with conditional
resolution (electron → empty stub, default → real implementation) to
eliminate the last .browser file extension from the codebase.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Refactor connection imports to use @actual-app/core
* Implement connection mock for desktop-client tests and update import path
* [AI] Fix formatting and update imports after master merge
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix connection mock in TransactionsTable tests and use electron-renderer condition
Wire up the manual connection mock for TransactionsTable tests since the
__mocks__ directory was removed, and restore electron-renderer condition
in loot-core package.json exports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [autofix.ci] apply automated fixes
* [AI] Remove redundant resolveExtensions from vite configs
These arrays were identical to Vite's built-in default and served no purpose.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Remove remaining resolveExtensions from vite/vitest configs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Fix build failures: update browser-preload import path and condition
- Change loot-core/shared/platform to @actual-app/core/shared/platform
- Use electron-renderer condition for #browser-preload to match vite resolve
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Remove redundant resolveExtensions from api and loot-core desktop configs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Remove '*.browser.ts' extension and alias resolutions
Removed the special '*.browser.ts' file extension and file resolutions via alias, preferring conditions.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Harden GitHub Actions workflows against low-severity security issues
- generate-release-pr.yml: replace `eval` with an associative array for
per-package version tracking. The version input was already moved to an
env var in #7433, so this removes the remaining defense-in-depth concern
of `eval`ing subshell output.
- create-release-notes-file.js: validate the OpenAI-returned category
against the known allow-list (Features, Bugfixes, Enhancements,
Maintenance), validate the author against the GitHub username regex,
and collapse the summary to a single line before embedding it in the
markdown body. Prevents indirect prompt-injection via CodeRabbit
comments from producing malformed YAML frontmatter.
- generate-summary.js: stop logging the full CodeRabbit comment body to
CI logs.
- netlify-release.yml, i18n-string-extract-master.yml: pass secrets via
`env:` blocks rather than as CLI arguments, so they do not appear in
argv / process listings.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
* Add release notes for PR #7448
* [AI] Address review feedback on security hardening
- create-release-notes-file.js: stop logging the full fileContent body.
Only log the target filename plus the (already-validated) category and
author metadata, so the model-generated release-note text doesn't end
up in CI logs.
- create-release-notes-file.js: validate summaryData.prNumber as a
positive integer before using it in the file path or commit message,
and switch both usages to the validated numeric value.
- i18n-string-extract-master.yml: write the Weblate API key into
~/.config/weblate under a [keys] section in a new "Configure Weblate
API credentials" step, then drop the per-step env blocks and the
--key CLI flag from every wlc invocation so the secret is no longer
visible in process listings at all.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
* [AI] Remove debug console.log statements for category in release notes script
Remove the four "Debug - ..." console.log calls that printed the raw
category env var (value/type/JSON-stringified form) plus the cleanCategory
value. They were clutter in CI logs; the existing info-level
"Creating release notes file: ... (category: ..., author: ...)" log
already surfaces the sanitized category.
https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Migrate desktop-client to subpath imports
Replace the `@desktop-client/*` path alias with Node.js subpath
imports (`#*`) across packages/desktop-client:
- Declare the full `imports` map in packages/desktop-client/package.json
(bare index entries, root-level files, and per-subdirectory wildcards
with explicit extension overrides where `.ts` and `.tsx` mix).
- Update all source files to import from `#...` specifiers.
- Drop the `@desktop-client` group from .oxfmtrc.json.
- Enable `actual/prefer-subpath-imports` for desktop-client in
.oxlintrc.json so future code keeps using the subpath form.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Drop legacy desktop-client aliases
Remove the `@desktop-client/*` and `loot-core/*` path aliases from
vite.config.ts and tsconfig.json now that every desktop-client source
file imports via subpath imports / `@actual-app/core`.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Release notes
* [AI] Use electron-renderer condition for renderer-only exports
Desktop-client's Vite build used the `electron` resolve condition, which
overlapped with loot-core exports where `electron` means the Node/main
variant (e.g. `shared/platform.electron.ts` using `os`,
`platform/server/asyncStorage/index.electron.ts` using `fs`). Once the
`loot-core` Vite alias was removed, the renderer bundle started pulling
those Node variants and crashed at runtime with
`It.default.platform is not a function` inside `platform.electron.ts`.
Introduce a distinct `electron-renderer` condition used only by
desktop-client's Vite config, and rename the `electron` key to
`electron-renderer` on the sole loot-core export whose `electron` branch
is the Electron renderer variant (`#/./platform/client/connection`, the
IPC `global.Actual.ipcConnect` file). Every other `electron`-conditioned
export keeps its Node semantics and is still matched by loot-core's own
`vite.desktop.config.ts` (`conditions: ['electron']`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Drop .electron.* extensions from loot-core desktop resolver
Now that every Node/main variant is selected via the `electron` subpath
import condition in `packages/loot-core/package.json`, Vite's
`resolveExtensions` list no longer needs the `.electron.js`,
`.electron.ts`, `.electron.tsx` entries. Remove them to keep resolution
explicit and avoid implicit extension picking.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Align desktop-client TS resolution with Vite
- Set `customConditions: ["electron-renderer"]` in
`packages/desktop-client/tsconfig.json` so TypeScript resolves
conditional imports (notably `@actual-app/core/platform/client/connection`)
to the same file Vite picks at runtime. Today the surfaces happen to
match because both variants import from a shared `index-types.ts`,
but the alignment prevents a latent drift bug.
- Fix typo in the release note (`Standartise` -> `Standardise`).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add subpath import wildcard patterns and explicit directory entries to loot-core
Extend the package.json imports field with prefix-specific wildcard patterns
(#server/*, #shared/*, #types/*, #mocks/*, #platform/*) and explicit entries
for directory imports (#server/db, #server/sync, etc.) to support the ongoing
migration from relative imports to subpath imports.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add release notes for #7429
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Add rate limiting to authentication endpoints
Add strict rate limiting (5 attempts per 15 minutes) to /account/login,
/account/bootstrap, and /account/change-password endpoints to prevent
brute-force password attacks. Uses express-rate-limit as route-level
middleware on auth-sensitive routes only.
https://claude.ai/code/session_017SHnNCn93RzxpvEEPJAZUZ
* [AI] Add release notes and remove rate limit from /change-password
Add upcoming release notes file for the auth rate limiting feature.
Remove rate limiting from /change-password since it already requires
a valid admin session token.
https://claude.ai/code/session_017SHnNCn93RzxpvEEPJAZUZ
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Fix script injection in vrt-update-apply.yml workflow
Use environment variables instead of direct expression interpolation
in the github-script step to prevent potential script injection via
artifact-sourced values (steps.apply.outputs.error and
steps.metadata.outputs.pr_number).
https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
* [AI] Fix script injection in generate-release-pr.yml workflow
Use environment variable instead of direct expression interpolation
for github.event.inputs.version in the shell script context to
prevent potential command injection.
https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
* [AI] Add release notes for #7433https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9
---------
Co-authored-by: Claude <noreply@anthropic.com>
* [AI] Add ErrorBoundary around dashboard widgets (#7273)
Wraps each dashboard widget in an ErrorBoundary so a faulty widget
degrades to an error card instead of crashing the entire Reports page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7382
* [autofix.ci] apply automated fixes
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Fix Net Worth graph showing N-1 intervals, resulting in inconsistent totalChange value.
* Fix starting date being wrong for 'daily' and 'weekly'
* Linting
* Add release note
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7296
* Remove manipulation of startDate for 'yearly'
The result was not consistent with the reports previous behavior when yearly was selected (it went back too far).
* Remove empty datapoint at beginning when start equals earliest transaction
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* trim down some unused/unnecessary dependencies (#7350)
* fix github actions inconsistencies
* fix pinning of transitive deps in eslint-plugin
* drop use of node-fetch in api
* drop md5 dependency in favour of node:crypto
* drop slash
* drop unused top level packages
* add note about node-polyfills warning
* remove unused deps from desktop-client
* drop pegjs types
* note
* drop node-jq
* [Doc] More tour image (mostly) updates & a hotkey fix (#7328)
* Fix keyboard shortcut Mac key for undo operations
Updated keyboard shortcut instructions for Mac & make consistent.
* Add files via upload
* Fix undo shortcut from 'K' to 'Z'
Updated keyboard shortcut for undo operation in payees guide. COFFEE!
* Revise budget section for clarity and consistency
Updated category descriptions and improved Markdown support details.
* Add files via upload
* Fix grammatical error in budget.md
* Fix typo and clarify Markdown description in budget.md
Corrected a typo in the documentation regarding the chevrons and clarified the description of rendered Markdown.
* Fix spelling error in budget documentation
Corrected the spelling of 'cheverons' to 'chevrons'.
* Add files via upload
* Remove redundant text in budget.md
* Fix formatting issues in payees.md
* count points script should fetch the release note from the PR directly (#7309)
* get pr release note from PR, not top of master
* note
* [AI] Mobile: Post transaction today on global account lists (#7311) (#7322)
* [AI] Mobile: pass today for Post transaction today on global account lists (#7311)
All Accounts, On budget, and Off budget transaction lists now forward the
today flag to schedule/post-transaction, matching single-account mobile
and desktop behavior.
Made-with: Cursor
* [AI] Add release note for PR 7322 (#7311)
Made-with: Cursor
* [AI] Tighten release note wording for PR 7322 (imperative)
Made-with: Cursor
---------
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
---------
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* Implement Sankey report for spent and budgeted money (#7220)
* Implement Sankey graph report
* Add release notes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Remove local debug settings
* [autofix.ci] apply automated fixes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Improve graphs from comments
* Fix lints
* coderabit fixes
* Fix filtering and UI enhancements
* remove pngs
* Fix typecheck
* Another type issue
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Fix strict typing issues
* Update report page
Now better conforms with components from other reports, e.g. by reusing Header
Makes it possible to display a period longer than one month.
* Change view description order
* Formatting and cleanup
* Removed difference section, as it will be difficult to get a reliable view across months
* Introduce the Timeframe param, similar to Spending report, to allow saving a Live sliding window.
* Allow filtering just the last month
* Fix linting errors
* Remove all information about income
* Remove debugging statement
* Sort categories and subcategories by amount
* Move compact mode to spreadsheet to fix Card view more easily
* Update tests file
* Add release notes
* Rename release notes to match PR#
* Fix autofix.ci issues
* Update packages/desktop-client/e2e/sankey.test.ts
Enable experimental feature fall all tests, pr. coderabbit recommendation
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Add sankey-card to isWidgetType
* Gate Sankey routes to prevent direct URL bypass
* Fix typo
* Change node transformation to work by key instead of name, to remove risk of duplicate issues
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Prevent false-positive pass in month-change test.
* Translate mode to a proper label
* Fix message for empty data
* Enabled LoadingIndicator until data is ready
* Change card default mode
* More robust filtering
* Fixed issue with budgeted spreadsheet not using 'end' date
* Allow copying SankeyCard to dashboard
* Fix typing and linting issues
* Remove e2e tests
I cannot currently get them to pass, because I dont fully understand playwright and how they are supposed to work. I can see that they don't exist for other reports. We can add them later if required.
* Remove unecessary sankey reference
* Refactor spreadsheet
* Remove dead code from SankeyGraph
* Collect to Other if too many subcategories
* Edit wrong comment
* Linting and typechecking
* Show remaining amount to budget
* Hide description on narrow device
* Add visual clue if 'To budget' is larger than 'Budgeted' and would extend below the edge of the graph
* Add colors to the links
* Fix report card showing subcategories instead of main categories
* Add tooltip info to Other on SankeyCard
* Create globalOther flag and implement greedy category reduction algorithm
* Allow user to select between Global or Per category Other
* Allow user to choose number of subcategories to show
* Allow user to select how subcategories are sorted
* Fix budget filtering
* [autofix.ci] apply automated fixes
* Condense sorting and Other-grouping to one option
* Implement Sort as budget option
* Dynamically adjust topN based on SankeyCard height
* Remove old feature flags from previous PR
---------
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix yarn generate:icons command (#7281)
* fix icon templates with `module.exports` to `export default`
* Add `@svgr/babel-plugin-add-jsx-attribute` to dependencies
* Run `yarn generate:icons`, and set prettier singleQuote to reduce changes
* Add release note
* Add temporary fix for `SvgChartArea`
* Add `ChartArea` svg from the existing tsx
* CI rerun
* Standardise ledger scrolling when using keyboard shortcuts (#7283)
* Standardise table keyboard navigation by preventing browser scroll with arrow keys
* Add release note
* Apply the preventDefault() in specific cases so that it is not applied to default
---------
Co-authored-by: youngcw <calebyoung94@gmail.com>
* Fix updateTransaction corrupting split parents with partial updates (#7242)
* [AI] Fix updateTransaction corrupting split parents with partial updates
When `api.updateTransaction(id, { notes: '...' })` is called on a split
parent, the `updateTransaction` helper replaces the parent with the
sparse update object (`{ id, notes }`) instead of merging it with
the existing transaction data. This causes `recalculateSplit` to see
`amount` as `undefined` (→ 0), which doesn't match the children's
total and sets a `SplitTransactionError` on the parent. `makeChild`
also inherits undefined `account`, `date`, and `cleared` values,
potentially creating broken child rows.
Fix: merge the incoming partial fields (`{ ...trans, ...transaction }`)
so all existing properties are preserved.
Add a test that performs a notes-only update on a split parent and
asserts no error is set and the amount stays intact.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Add release notes for PR #7242
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Address review feedback: remove verbose comment and simplify release note
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: L. Warren Thompson <lwarrenthompson@Warren-MBP.local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Add electron conditions to loot-core platform/server exports and fix imports
- Add "electron" condition to platform/server exports (asyncStorage,
connection, fetch, fs, sqlite) so they resolve to .electron.ts files
when using the electron export condition
- Remove broken ./client/platform export referencing non-existent files
- Convert deep relative imports in electron files to subpath imports
(#types/prefs, #server/errors, #server/mutators)
https://claude.ai/code/session_01FPpKnozt42Mf79YHAT6ytM
* [AI] Convert remaining relative imports to subpath imports in electron files
- Convert ../fs, ../log, ../../exceptions to subpath imports
(#platform/server/fs, #platform/server/log, #platform/exceptions)
- Add electron-conditional entries to the imports field in package.json
for all 5 platform/server modules with electron variants
- Add resolve.conditions: ['electron'] to vite.desktop.config.ts so the
electron condition is recognized during desktop builds
https://claude.ai/code/session_01FPpKnozt42Mf79YHAT6ytM
* Add release notes for PR #7383
* [AI] Fix API build and test failures from conditional exports
- Add "api" condition to all 5 platform/server exports and imports
entries so the API build resolves to .api.ts variants correctly
- Add resolve.conditions and ssr.resolve.conditions: ['api'] to
packages/api/vite.config.ts
- Add explicit #platform/server/log and #platform/exceptions entries
to the imports field (array fallback in #* wildcard doesn't work for
directory modules)
- Revert #platform/server/fs back to relative ../fs import in
asyncStorage/index.electron.ts — subpath imports for platform modules
with electron variants don't work in vitest because the test runner
doesn't propagate resolve.conditions to Node's import resolution
https://claude.ai/code/session_01FPpKnozt42Mf79YHAT6ytM
* fix: apply CodeRabbit auto-fixes
Fixed 2 file(s) based on 2 unresolved review comments.
Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
* [autofix.ci] apply automated fixes
* Enhance package.json and Vite configurations for Electron support; refactor imports to use new path aliases. Added new paths for server and shared modules, updated SSR settings, and improved test configurations for better module resolution.
* [AI] Merge electron condition with default Vite conditions in vitest config
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Move @ts-strict-ignore comment to first line in reset.ts
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
---------
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Juulz <julesmcn@gmail.com>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: Emil Tveden Bjerglund <emilbp@gmail.com>
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: James Skinner <56730344+JSkinnerUK@users.noreply.github.com>
Co-authored-by: L. Warren Thompson <warren.thompson@zuirail.com>
Co-authored-by: L. Warren Thompson <lwarrenthompson@Warren-MBP.local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix accounts list: compute balances, hide closed, sort by budget group
- Replace empty `balance_current` (bank-sync field) with computed `balance`
from transaction history via `getAccountBalance`
- Filter out closed accounts by default; add `--include-closed` flag
- Stable-sort on-budget accounts before off-budget
- Add `balance_current` to AMOUNT_FIELDS for table/csv formatting
- Update docs and tests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Extract duplicate isRecord type guard to shared utils
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add types condition to api package exports for tsc resolution
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update packages/cli/src/commands/query.ts
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* [AI] Add balance_available/balance_limit to AMOUNT_FIELDS, validate query result.data
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Fix crash viewing account ledger with expired recurring schedules
Guard against null return from getNextDate() when a recurring schedule
has an end date in the past and no future occurrences exist.
Fixes#7285
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7381
* [AI] Address code review feedback for PR #7381
Revert schedule-template.ts changes and fix test names/assertions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Simplify bugfix description for account ledger crash
Removed redundant information about null checks in the bugfix description.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Clarify that E2E encryption does not cover bank sync tokens (#5550)
Update docs and in-app text to make clear that end-to-end encryption
only applies to budget data, not bank sync tokens stored on the server.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7392
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Fix custom report editor retaining unsaved settings
The session storage clear condition only fired when navigating from
the /reports dashboard. Since the URL tracking runs inside the report
component, the stored URL always pointed to the last report path, so
revisiting the same report never triggered the clear.
Changed the condition to clear session storage whenever the stored URL
differs from the current path. This handles navigating from the
dashboard, from another report, or any other page.
Fixes#7332
* Add release notes for PR #7356
* trim down some unused/unnecessary dependencies (#7350)
* fix github actions inconsistencies
* fix pinning of transitive deps in eslint-plugin
* drop use of node-fetch in api
* drop md5 dependency in favour of node:crypto
* drop slash
* drop unused top level packages
* add note about node-polyfills warning
* remove unused deps from desktop-client
* drop pegjs types
* note
* drop node-jq
* [Doc] More tour image (mostly) updates & a hotkey fix (#7328)
* Fix keyboard shortcut Mac key for undo operations
Updated keyboard shortcut instructions for Mac & make consistent.
* Add files via upload
* Fix undo shortcut from 'K' to 'Z'
Updated keyboard shortcut for undo operation in payees guide. COFFEE!
* Revise budget section for clarity and consistency
Updated category descriptions and improved Markdown support details.
* Add files via upload
* Fix grammatical error in budget.md
* Fix typo and clarify Markdown description in budget.md
Corrected a typo in the documentation regarding the chevrons and clarified the description of rendered Markdown.
* Fix spelling error in budget documentation
Corrected the spelling of 'cheverons' to 'chevrons'.
* Add files via upload
* Remove redundant text in budget.md
* Fix formatting issues in payees.md
* count points script should fetch the release note from the PR directly (#7309)
* get pr release note from PR, not top of master
* note
* [AI] Mobile: Post transaction today on global account lists (#7311) (#7322)
* [AI] Mobile: pass today for Post transaction today on global account lists (#7311)
All Accounts, On budget, and Off budget transaction lists now forward the
today flag to schedule/post-transaction, matching single-account mobile
and desktop behavior.
Made-with: Cursor
* [AI] Add release note for PR 7322 (#7311)
Made-with: Cursor
* [AI] Tighten release note wording for PR 7322 (imperative)
Made-with: Cursor
---------
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
---------
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* Implement Sankey report for spent and budgeted money (#7220)
* Implement Sankey graph report
* Add release notes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Remove local debug settings
* [autofix.ci] apply automated fixes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Improve graphs from comments
* Fix lints
* coderabit fixes
* Fix filtering and UI enhancements
* remove pngs
* Fix typecheck
* Another type issue
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Fix strict typing issues
* Update report page
Now better conforms with components from other reports, e.g. by reusing Header
Makes it possible to display a period longer than one month.
* Change view description order
* Formatting and cleanup
* Removed difference section, as it will be difficult to get a reliable view across months
* Introduce the Timeframe param, similar to Spending report, to allow saving a Live sliding window.
* Allow filtering just the last month
* Fix linting errors
* Remove all information about income
* Remove debugging statement
* Sort categories and subcategories by amount
* Move compact mode to spreadsheet to fix Card view more easily
* Update tests file
* Add release notes
* Rename release notes to match PR#
* Fix autofix.ci issues
* Update packages/desktop-client/e2e/sankey.test.ts
Enable experimental feature fall all tests, pr. coderabbit recommendation
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Add sankey-card to isWidgetType
* Gate Sankey routes to prevent direct URL bypass
* Fix typo
* Change node transformation to work by key instead of name, to remove risk of duplicate issues
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Prevent false-positive pass in month-change test.
* Translate mode to a proper label
* Fix message for empty data
* Enabled LoadingIndicator until data is ready
* Change card default mode
* More robust filtering
* Fixed issue with budgeted spreadsheet not using 'end' date
* Allow copying SankeyCard to dashboard
* Fix typing and linting issues
* Remove e2e tests
I cannot currently get them to pass, because I dont fully understand playwright and how they are supposed to work. I can see that they don't exist for other reports. We can add them later if required.
* Remove unecessary sankey reference
* Refactor spreadsheet
* Remove dead code from SankeyGraph
* Collect to Other if too many subcategories
* Edit wrong comment
* Linting and typechecking
* Show remaining amount to budget
* Hide description on narrow device
* Add visual clue if 'To budget' is larger than 'Budgeted' and would extend below the edge of the graph
* Add colors to the links
* Fix report card showing subcategories instead of main categories
* Add tooltip info to Other on SankeyCard
* Create globalOther flag and implement greedy category reduction algorithm
* Allow user to select between Global or Per category Other
* Allow user to choose number of subcategories to show
* Allow user to select how subcategories are sorted
* Fix budget filtering
* [autofix.ci] apply automated fixes
* Condense sorting and Other-grouping to one option
* Implement Sort as budget option
* Dynamically adjust topN based on SankeyCard height
* Remove old feature flags from previous PR
---------
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix yarn generate:icons command (#7281)
* fix icon templates with `module.exports` to `export default`
* Add `@svgr/babel-plugin-add-jsx-attribute` to dependencies
* Run `yarn generate:icons`, and set prettier singleQuote to reduce changes
* Add release note
* Add temporary fix for `SvgChartArea`
* Add `ChartArea` svg from the existing tsx
* CI rerun
* Standardise ledger scrolling when using keyboard shortcuts (#7283)
* Standardise table keyboard navigation by preventing browser scroll with arrow keys
* Add release note
* Apply the preventDefault() in specific cases so that it is not applied to default
---------
Co-authored-by: youngcw <calebyoung94@gmail.com>
* Bump lodash from 4.17.23 to 4.18.1
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)
---
updated-dependencies:
- dependency-name: lodash
dependency-version: 4.18.1
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
* note
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Juulz <julesmcn@gmail.com>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: Emil Tveden Bjerglund <emilbp@gmail.com>
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: James Skinner <56730344+JSkinnerUK@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
* implement our own GoCardless api class
* switch the service to use the new api
* drop deps
* note
* guard against request forgery
* strip empty params from the request body, add error logging
* coderabbit suggestions
* fix test, make institution nullable
* [AI] Improve theme catalog responsive layout in ThemeInstaller
* Refactor ColorPalette and ThemeInstaller components for improved layout and responsiveness
* Fix typo in Custom Reports description
* Correct category name from 'Reports' to 'Themes'
* [AI] Fix theme catalog scrollbar overlapping content
Reserve space for the scrollbar by adding right padding to catalog rows
so items don't get clipped when the list overflows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add .claude/ directory to .gitignore
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Modify .gitignore for Claude worktrees
Update .gitignore to include Claude worktrees and exclude settings.json
* Update .gitignore to include claude worktree folder
* Add .claude/settings.local.json to .gitignore
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Add self-signed SSL certificate documentation to CLI docs
Add a section explaining how to use NODE_TLS_REJECT_UNAUTHORIZED=0
to allow the CLI to connect to servers with self-signed SSL certificates,
with a security caution about the implications.
Closes#7327https://claude.ai/code/session_01Mwsuc9By67uzSiMLxvPsMq
* Add release notes for PR #7360
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Add worktree creation hook to run yarn install
Add a WorktreeCreate hook in .claude/settings.json that runs a setup
script after creating a new git worktree. The script creates a detached
worktree and runs yarn install to ensure dependencies are available.
https://claude.ai/code/session_01MjuJLWcxNU6nbWQDrgGpPr
* [AI] Move worktree setup hook to husky post-checkout for universal support
Instead of a Claude Code-specific hook, detect new worktree creation in
the existing husky post-checkout hook by checking for missing node_modules.
This works with any tool that creates git worktrees (Claude Code, Cursor,
CLI, etc.) since git runs post-checkout after worktree creation.
https://claude.ai/code/session_01MjuJLWcxNU6nbWQDrgGpPr
* Add release notes for PR #7393
* Update 7393.md
* [AI] Fix post-checkout hook to propagate yarn install failures
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Add documentation for self-signed cert healthchecks
Adds instruction to set NODE_EXTRA_CA_CERTS in docker-compose healthcheck commands so Node.js can trust the certificate.
* [autofix.ci] apply automated fixes
* fixup! Add documentation for self-signed cert healthchecks
* [autofix.ci] apply automated fixes
* Update Docker health checks with self-signed certs
If using self signed certs, comment the first test line and uncomment
the second test line.
* fixup! Update Docker health checks with self-signed certs
* fixup! Add documentation for self-signed cert healthchecks
* fixup! Update Docker health checks with self-signed certs
* [autofix.ci] apply automated fixes
* fixup! Add documentation for self-signed cert healthchecks
* fixup! Update Docker health checks with self-signed certs
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Add tourSidebar with various tour documentation
Added a new sidebar for the tour section with multiple entries.
* Add 'Tour Actual' sidebar to Docusaurus config
* Remove 'A Tour of Actual' from docs sidebar
Removed 'A Tour of Actual' category and its items from the sidebar.
* Rename 'Tour Actual' to 'Tour' in sidebar
* Add button to proportionally distribute remaining amount of split transaction among child transactions
* Added release note
* Increased min width for split error popover so all buttons are visible
* Updated release note
* Merge proportional distribution into even distribution button
* Added docs on split transactions
* [autofix.ci] apply automated fixes
* Fixed spelling
* [autofix.ci] apply automated fixes
* Change split transaction popover hack to use resize event
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
* Refine user interface documentation for clarity
Updated text for clarity and corrected typos in the user interface documentation.
* Clarify server status and sync icon details
Updated descriptions for server status and sync icon interactions.
* Clarify server status and sidebar account display
Updated server status descriptions for clarity and improved wording in the sidebar section.
* [AI] Fix updateTransaction corrupting split parents with partial updates
When `api.updateTransaction(id, { notes: '...' })` is called on a split
parent, the `updateTransaction` helper replaces the parent with the
sparse update object (`{ id, notes }`) instead of merging it with
the existing transaction data. This causes `recalculateSplit` to see
`amount` as `undefined` (→ 0), which doesn't match the children's
total and sets a `SplitTransactionError` on the parent. `makeChild`
also inherits undefined `account`, `date`, and `cleared` values,
potentially creating broken child rows.
Fix: merge the incoming partial fields (`{ ...trans, ...transaction }`)
so all existing properties are preserved.
Add a test that performs a notes-only update on a split parent and
asserts no error is set and the amount stays intact.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Add release notes for PR #7242
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Address review feedback: remove verbose comment and simplify release note
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: L. Warren Thompson <lwarrenthompson@Warren-MBP.local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Standardise table keyboard navigation by preventing browser scroll with arrow keys
* Add release note
* Apply the preventDefault() in specific cases so that it is not applied to default
---------
Co-authored-by: youngcw <calebyoung94@gmail.com>
* fix icon templates with `module.exports` to `export default`
* Add `@svgr/babel-plugin-add-jsx-attribute` to dependencies
* Run `yarn generate:icons`, and set prettier singleQuote to reduce changes
* Add release note
* Add temporary fix for `SvgChartArea`
* Add `ChartArea` svg from the existing tsx
* CI rerun
* Implement Sankey graph report
* Add release notes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Remove local debug settings
* [autofix.ci] apply automated fixes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Improve graphs from comments
* Fix lints
* coderabit fixes
* Fix filtering and UI enhancements
* remove pngs
* Fix typecheck
* Another type issue
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6068
* Fix strict typing issues
* Update report page
Now better conforms with components from other reports, e.g. by reusing Header
Makes it possible to display a period longer than one month.
* Change view description order
* Formatting and cleanup
* Removed difference section, as it will be difficult to get a reliable view across months
* Introduce the Timeframe param, similar to Spending report, to allow saving a Live sliding window.
* Allow filtering just the last month
* Fix linting errors
* Remove all information about income
* Remove debugging statement
* Sort categories and subcategories by amount
* Move compact mode to spreadsheet to fix Card view more easily
* Update tests file
* Add release notes
* Rename release notes to match PR#
* Fix autofix.ci issues
* Update packages/desktop-client/e2e/sankey.test.ts
Enable experimental feature fall all tests, pr. coderabbit recommendation
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Add sankey-card to isWidgetType
* Gate Sankey routes to prevent direct URL bypass
* Fix typo
* Change node transformation to work by key instead of name, to remove risk of duplicate issues
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Prevent false-positive pass in month-change test.
* Translate mode to a proper label
* Fix message for empty data
* Enabled LoadingIndicator until data is ready
* Change card default mode
* More robust filtering
* Fixed issue with budgeted spreadsheet not using 'end' date
* Allow copying SankeyCard to dashboard
* Fix typing and linting issues
* Remove e2e tests
I cannot currently get them to pass, because I dont fully understand playwright and how they are supposed to work. I can see that they don't exist for other reports. We can add them later if required.
* Remove unecessary sankey reference
* Refactor spreadsheet
* Remove dead code from SankeyGraph
* Collect to Other if too many subcategories
* Edit wrong comment
* Linting and typechecking
* Show remaining amount to budget
* Hide description on narrow device
* Add visual clue if 'To budget' is larger than 'Budgeted' and would extend below the edge of the graph
* Add colors to the links
* Fix report card showing subcategories instead of main categories
* Add tooltip info to Other on SankeyCard
* Create globalOther flag and implement greedy category reduction algorithm
* Allow user to select between Global or Per category Other
* Allow user to choose number of subcategories to show
* Allow user to select how subcategories are sorted
* Fix budget filtering
* [autofix.ci] apply automated fixes
* Condense sorting and Other-grouping to one option
* Implement Sort as budget option
* Dynamically adjust topN based on SankeyCard height
* Remove old feature flags from previous PR
---------
Co-authored-by: andrewhumble <43395285+andrewhumble@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix keyboard shortcut Mac key for undo operations
Updated keyboard shortcut instructions for Mac & make consistent.
* Add files via upload
* Fix undo shortcut from 'K' to 'Z'
Updated keyboard shortcut for undo operation in payees guide. COFFEE!
* Revise budget section for clarity and consistency
Updated category descriptions and improved Markdown support details.
* Add files via upload
* Fix grammatical error in budget.md
* Fix typo and clarify Markdown description in budget.md
Corrected a typo in the documentation regarding the chevrons and clarified the description of rendered Markdown.
* Fix spelling error in budget documentation
Corrected the spelling of 'cheverons' to 'chevrons'.
* Add files via upload
* Remove redundant text in budget.md
* Fix formatting issues in payees.md
* count points script should fetch the release note from the PR directly (#7309)
* get pr release note from PR, not top of master
* note
* [AI] Mobile: Post transaction today on global account lists (#7311) (#7322)
* [AI] Mobile: pass today for Post transaction today on global account lists (#7311)
All Accounts, On budget, and Off budget transaction lists now forward the
today flag to schedule/post-transaction, matching single-account mobile
and desktop behavior.
Made-with: Cursor
* [AI] Add release note for PR 7322 (#7311)
Made-with: Cursor
* [AI] Tighten release note wording for PR 7322 (imperative)
Made-with: Cursor
---------
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
---------
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
Co-authored-by: Pranay S <pranayritvik@gmail.com>
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* fix github actions inconsistencies
* fix pinning of transitive deps in eslint-plugin
* drop use of node-fetch in api
* drop md5 dependency in favour of node:crypto
* drop slash
* drop unused top level packages
* add note about node-polyfills warning
* remove unused deps from desktop-client
* drop pegjs types
* note
* drop node-jq
* [AI] Fix unrecoverable UI error after login (#7341)
The crash was in CommandBar.tsx where item.name.toLowerCase() was called
on items with null/undefined names (from custom reports or dashboard
pages with null name columns in the database). Added optional chaining.
Also hardened React Query data hooks to always return safe defaults even
in error states, and guarded $oneof AQL operator against empty arrays
generating invalid SQL.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [autofix.ci] apply automated fixes
* [AI] Revert hook/compiler changes, keep CommandBar fix, add release notes
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* [AI] Default null names to empty string at data source
Instead of optional chaining at the consumer, ensure names are never
null by defaulting at the data source: reportModel.toJS for custom
reports and dashboardQueries for dashboard pages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [AI] Fix password login broken when OIDC is enabled (#7331)
The security fix in PR #7155 added an `active = 1` check to
`getLoginMethod()`, which prevented password login when OIDC was the
active auth method. This caused the server to silently reroute password
login requests to the OpenID flow, which fails.
Remove the `active` requirement when the client explicitly requests a
login method — only require the method to exist in the auth table. The
`active` flag still governs the default method via `getActiveLoginMethod()`.
The `/change-password` endpoint security protections (admin role +
password auth_method checks) remain intact.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7334
* Update getLoginMethod to validate client-requested login methods against the auth database
Modified the getLoginMethod function to check if the requested login method exists in the auth table before returning it. Updated the corresponding test to reflect that a client-requested method not found in the database will be ignored, ensuring proper handling of login methods.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Pin axios to 1.14.0 to avoid vulnerable 1.14.1
Add yarn resolution to prevent axios from being upgraded to 1.14.1,
which contains a critical vulnerability.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add release notes for PR #7343
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Mobile: pass today for Post transaction today on global account lists (#7311)
All Accounts, On budget, and Off budget transaction lists now forward the
today flag to schedule/post-transaction, matching single-account mobile
and desktop behavior.
Made-with: Cursor
* [AI] Add release note for PR 7322 (#7311)
Made-with: Cursor
* [AI] Tighten release note wording for PR 7322 (imperative)
Made-with: Cursor
---------
Co-authored-by: Pranay Mac M1 <pranayseela@yahoo.com>
* [AI] Fix balance_current not syncing to API clients after bank sync
updateAccountBalance() used db.runQuery() (raw SQL) to set
balance_current, which bypasses the CRDT sync layer. This means
when SimpleFIN or GoCardless updates an account's bank balance on
the server, API clients calling api.sync() never receive the change —
balance_current stays null or stale in their local database.
Fix: use db.update() which goes through sendMessages/CRDT, ensuring
balance_current propagates to all synced clients just like other
account fields (name, closed, etc.).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Add release notes for PR #7243
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Address review feedback: remove verbose comment and simplify release note
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: L. Warren Thompson <lwarrenthompson@Warren-MBP.local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* create failing tests to identify schedule bug
* Export SelectedBalance to allow for testing
#Please enter the commit message for your changes. Lines startin
* fix handling of scheduleIds
* create release notes
* add tests for normal transactions to ensure no regressions introduced
* capitalize first letter of release notes
Replace binary match/no-match sorting in payee and category dropdowns
with a 4-tier ranking: exact match, prefix match, word-boundary match,
and substring match. This surfaces the most relevant results first
(e.g. typing "me" shows "Me" before "Memory Express" before "Framework").
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Add secure custom font support for custom themes
Implement safe font-family references in custom themes via CSS variables
(--font-body, --font-mono, --font-heading, etc.) validated against a
curated allowlist of system-installed and web-safe fonts.
Security approach: Only fonts already present on the user's OS or bundled
with the app are allowed. No @font-face, no url(), no external font
loading — this prevents third-party tracking via font requests while
still enabling meaningful font customization in themes.
Key changes:
- Add SAFE_FONT_FAMILIES allowlist (~80 fonts: generic families, bundled
fonts, and common system fonts across platforms)
- Add validateFontFamilyValue() for comma-separated font stack validation
- Route --font-{body,mono,heading,family,ui,display,code} properties
through the font validator instead of the color validator
- Update index.html to use var(--font-body, ...) with current Inter
Variable stack as fallback
- Add comprehensive tests for valid/invalid font values and security
edge cases (url injection, javascript:, expression(), etc.)
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Add @font-face support with data: URI embedding for custom themes
Enable truly custom fonts in themes while maintaining zero runtime network
requests. Theme authors can include font files in their GitHub repos, and
fonts are automatically downloaded and embedded as data: URIs at install
time — the same approach used for theme CSS itself.
Security model:
- @font-face blocks only allow data: URIs (no http/https/relative URLs)
- Font MIME types are validated (font/woff2, font/ttf, etc.)
- Individual font files capped at 2MB, total at 10MB
- @font-face properties are allowlisted (font-family, src, font-weight,
font-style, font-display, font-stretch, unicode-range only)
- Font-family names from @font-face are available in --font-* variables
- No runtime network requests — all fonts stored locally after install
Key additions:
- extractFontFaceBlocks(): parse @font-face from theme CSS
- validateFontFaceBlock(): validate properties and data: URIs
- splitDeclarations(): semicolon-aware parser that respects data: URIs
- embedThemeFonts(): fetch font files from GitHub, convert to data: URIs
- ThemeInstaller calls embedThemeFonts() during catalog theme installation
- 30+ new test cases for @font-face validation and security edge cases
Example theme CSS with custom fonts:
@font-face {
font-family: 'My Font';
src: url('./MyFont.woff2') format('woff2');
}
:root { --font-body: 'My Font', sans-serif; }
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Rename --font-body CSS variable to --font-family
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Remove font-family allowlist and broaden --font-* regex
- Remove SAFE_FONT_FAMILIES allowlist and SAFE_FONT_FAMILIES_LOWER lookup.
Any font name is now valid in --font-* properties. Referencing a font
that isn't installed simply triggers the browser's normal fallback — no
network requests, no security risk. Function calls (url(), expression(),
etc.) are still blocked.
- Change the --font-* property regex from a specific list
(family|mono|heading|...) to match all --font-* variables, so theme
authors can use any --font-prefixed custom property.
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Simplify and improve custom font validation code
Code quality improvements from review:
- Remove dead `declaredFonts` Set (was populated but never read after
allowlist removal)
- Extract `stripQuotes()` helper to deduplicate quote-stripping logic
between `validateFontFamilyValue` and `validateFontFaceBlock`
- Replace confusing `const searchFrom = 0` loop with `for (;;)` idiom
in `extractFontFaceBlocks`
- Use index tracking (`content.substring(start, i)`) instead of
character-by-character string concatenation in `splitDeclarations`
- Use `splitDeclarations` in `validateRootContent` instead of naive
`split(';')` for consistency and correctness
- Parallelize font fetches in `embedThemeFonts` with `Promise.all`
instead of sequential awaits
- Replace byte-by-byte base64 conversion with chunked
`arrayBufferToBase64()` helper (8KB chunks)
- Reuse indexOf-based @font-face parsing in `embedThemeFonts` instead
of fragile `[^}]*` regex that can't handle large data URIs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Enhance font validation in customThemes.ts
* Add custom release notes for upcoming feature: support for custom fonts in themes
* [AI] Simplify @font-face validation to only block external URLs
Remove ~210 lines of overly thorough font validation (MIME type allowlists,
base64 encoding checks, format hint validation, @font-face property allowlists,
font-family name regex) and replace with a single function that enforces the
actual security goal: rejecting non-data: URIs to prevent external resource
loading. Size limits for DoS prevention are preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update Content Security Policy to include font-src directive
Enhance the Content Security Policy in both the desktop client and sync server to allow font loading from data URIs. This change ensures that custom fonts can be embedded securely while maintaining the existing security measures for other resources.
* Enhance font-family validation to disallow empty values
Update the `validateFontFamilyValue` function to throw an error for empty font-family values, improving security and validation accuracy. Adjust tests to reflect this change, ensuring that empty values are properly handled as invalid.
* Enhance validation for CSS custom properties in customThemes.ts
Add comprehensive checks in the `validateRootContent` function to ensure CSS custom properties start with '--', contain valid characters, and do not end with a dash. This improves error handling for invalid property names, ensuring better compliance with CSS standards.
* [AI] Fix path traversal, spaces in font URLs, and add embedThemeFonts tests
Reject path-traversal (../) and root-anchored (/) font paths in
embedThemeFonts to prevent URL manipulation. Fix URL regex to handle
quoted filenames with spaces (e.g. "Inter Variable.woff2"). Add unit
tests covering both security validations and normal embedding flow.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Implement font size budget enforcement in embedThemeFonts function
* Add global unstubbing in afterEach for embedThemeFonts tests
---------
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-22 07:58:17 +00:00
1659 changed files with 36168 additions and 18441 deletions
<!-- Thank you for submitting a pull request! Make sure to follow the instructions to write release notes for your PR — it should only take a minute or two: https://github.com/actualbudget/docs#writing-good-release-notes. Try running yarn generate:release-notes *before* pushing your PR for an interactive experience. -->
<!-- Thank you for submitting a pull request! Make sure to follow the instructions to write release notes for your PR — it should only take a minute or two: https://actualbudget.org/docs/contributing/#writing-good-release-notes. Try running yarn generate:release-notes *before* pushing your PR for an interactive experience. -->
sed -i "/x86_64.AppImage/{n;s|sha256:.*|sha256: ${{ env.APPIMAGE_X64_SHA256 }}|}" com.actualbudget.actual.yml
sed -i "/x86_64.AppImage/{n;s|sha256:.*|sha256: ${APPIMAGE_X64_SHA256}|}" com.actualbudget.actual.yml
sed -i "/x86_64.AppImage/s|url:.*|url: https://github.com/actualbudget/actual/releases/download/v${VERSION}/Actual-linux-x86_64.AppImage|" com.actualbudget.actual.yml
# Replace arm64 entry
sed -i "/arm64.AppImage/{n;s|sha256:.*|sha256: ${{ env.APPIMAGE_ARM64_SHA256 }}|}" com.actualbudget.actual.yml
sed -i "/arm64.AppImage/{n;s|sha256:.*|sha256: ${APPIMAGE_ARM64_SHA256}|}" com.actualbudget.actual.yml
sed -i "/arm64.AppImage/s|url:.*|url: https://github.com/actualbudget/actual/releases/download/v${VERSION}/Actual-linux-arm64.AppImage|" com.actualbudget.actual.yml
# Build tools are needed to rebuild native modules like better-sqlite3 used by the Desktop app, which is required to run VRT tests on the Desktop app and generate updated snapshots.
`@actual-app/api` publishes TypeScript declarations. Consumers using TypeScript must set `moduleResolution` to `"bundler"`, `"nodenext"`, or `"node16"` in their `tsconfig.json`. Legacy `"node"` / `"node10"` / `"classic"` resolution is not supported in strict mode — the published declarations rely on package.json `exports` conditions that older resolvers don't honor.
Run `actual <command> --help` for subcommands and options.
### Examples
```bash
# List all accounts (as a table)
actual accounts list --format table
# List all accounts (as a table; excludes closed by default)
actual accounts list[--include-closed] --format table
# Find an entity ID by name
actual server get-id --type accounts --name "Checking"
@@ -122,13 +134,45 @@ actual query run --table transactions \
### Amount Convention
All monetary amounts are **integer cents**:
All monetary amounts are **integer cents** when passed as input (flags, JSON):
| CLI Value | Dollar Amount |
| --------- | ------------- |
| `5000` | $50.00 |
| `-12350` | -$123.50 |
**Output formatting:** Table (`--format table`) and CSV (`--format csv`) output automatically converts cent values to decimal (e.g. `1665.00` instead of `166500`). JSON output always returns raw cents for programmatic use.
### Tips & Common Pitfalls
- **Split transactions:** When summing or counting transactions, filter `"is_parent": false` to avoid double-counting. A split parent holds the total amount, and its children hold the individual parts — including both would count the total twice.
- **Rapid sequential requests:** The CLI caches the budget locally (see [Caching](#caching)), so read-heavy scripts no longer need a single-query workaround by default. For very chatty scripts, run `actual sync` once and then use a long `--cache-ttl` for reads:
```bash
actual sync
actual --cache-ttl 3600 query run ...
actual --cache-ttl 3600 accounts list
```
- **Uncategorized transactions:** `category.name` is `null` for transactions without a category. Account for this when filtering or grouping by category.
- **No date sub-fields in AQL:** `date.month`, `date.year`, etc. are not supported as query fields. To group by month, fetch raw transactions with a date range filter and aggregate locally in a script.
## Caching
The CLI keeps a local copy of your budget so repeated commands don't hit the sync server on every call. Within the TTL (default `60` seconds), read commands (`list`, `balance`, `query run`, …) reuse the cached budget without a network round-trip. Write commands (`add`, `update`, `set-amount`, …) always sync with the server before and after the write.
- `actual sync` — refresh the cache now.
- `actual sync --status` — show how stale the local cache is.
- `actual sync --clear` — delete the local cache; the next command re-downloads.
- `--refresh` (or `--no-cache`) — force a sync on a single call.
- `--cache-ttl <seconds>` — override the TTL for a single call (use `0` to disable caching).
### Concurrency
The CLI takes a shared lock for reads and an exclusive lock for writes on the per-budget cache directory. Many parallel reads are safe; writes serialize. If another CLI process is holding the lock, subsequent invocations wait up to `--lock-timeout` seconds (default `10`) before failing with an error. Pass `--no-lock` to opt out in trusted single-process setups.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
