Empty commit to bump CI

Update docs release date
Fix shared worker resumption after tab suspend (#7656 )
2026-05-06 20:15:33 -05:00 · 2026-05-03 03:39:27 +00:00 · 2026-05-02 13:47:55 -04:00 · 2026-05-02 13:46:31 -04:00 · 2026-04-27 23:38:40 -04:00 · 2026-04-27 21:52:09 +00:00
1476 changed files with 26165 additions and 15482 deletions
--- a/packages/sync-server/.dockerignore
+++ b/packages/sync-server/.dockerignore
@@ -1,8 +1,6 @@
-node_modules
-user-files
-server-files
-
-# Yarn
+**/node_modules
+.git
+.lage
 .pnp.*
 .yarn/*
 !.yarn/patches
--- a/.github/actions/ai-generated-release-notes/create-release-notes-file.js
+++ b/.github/actions/ai-generated-release-notes/create-release-notes-file.js
@@ -16,14 +16,19 @@ if (!token || !repo || !issueNumber || !summaryDataJson || !category) {
 const [owner, repoName] = repo.split('/');
 const octokit = new Octokit({ auth: token });

+const VALID_CATEGORIES = [
+  'Features',
+  'Bugfixes',
+  'Enhancements',
+  'Maintenance',
+];
+const GITHUB_USERNAME_RE =
+  /^[a-zA-Z0-9](?:[a-zA-Z0-9]|-(?=[a-zA-Z0-9])){0,38}$/;
+
 async function createReleaseNotesFile() {
  try {
    const summaryData = JSON.parse(summaryDataJson);

-    console.log('Debug - Category value:', category);
-    console.log('Debug - Category type:', typeof category);
-    console.log('Debug - Category JSON stringified:', JSON.stringify(category));
-
    if (!summaryData) {
      console.log('No summary data available, cannot create file');
      return;
@@ -34,26 +39,62 @@ async function createReleaseNotesFile() {
      return;
    }

-    // Create file content - ensure category is not quoted
+    // Normalize category - strip surrounding quotes and validate against allow-list
    const cleanCategory =
      typeof category === 'string'
        ? category.replace(/^["']|["']$/g, '')
        : category;
-    console.log('Debug - Clean category:', cleanCategory);
+
+    if (!VALID_CATEGORIES.includes(cleanCategory)) {
+      console.log(
+        `Invalid category "${cleanCategory}". Must be one of: ${VALID_CATEGORIES.join(', ')}`,
+      );
+      return;
+    }
+
+    // Validate author is a plausible GitHub username
+    const author = String(summaryData.author || '');
+    if (!GITHUB_USERNAME_RE.test(author)) {
+      console.log(
+        `Invalid author "${author}", aborting release notes creation`,
+      );
+      return;
+    }
+
+    // Normalize summary: collapse whitespace to a single line so it cannot
+    // introduce extra YAML frontmatter or break the markdown structure.
+    const cleanSummary = String(summaryData.summary || '')
+      .replace(/\s+/g, ' ')
+      .trim();
+    if (!cleanSummary) {
+      console.log('Empty summary, aborting release notes creation');
+      return;
+    }
+
+    // Validate PR number - must be a positive integer. The value comes from
+    // the GitHub API, but we harden it because it's used to build a file path
+    // and a commit message.
+    const validatedPrNumber = Number(summaryData.prNumber);
+    if (!Number.isInteger(validatedPrNumber) || validatedPrNumber <= 0) {
+      console.log(
+        `Invalid PR number "${summaryData.prNumber}", aborting release notes creation`,
+      );
+      return;
+    }

    const fileContent = `---
 category: ${cleanCategory}
-authors: [${summaryData.author}]
+authors: [${author}]
 ---

-${summaryData.summary}
+${cleanSummary}
 `;

-    const fileName = `upcoming-release-notes/${summaryData.prNumber}.md`;
+    const fileName = `upcoming-release-notes/${validatedPrNumber}.md`;

-    console.log(`Creating release notes file: ${fileName}`);
-    console.log('File content:');
-    console.log(fileContent);
+    console.log(
+      `Creating release notes file: ${fileName} (category: ${cleanCategory}, author: ${author})`,
+    );

    // Get PR info
    const { data: pr } = await octokit.rest.pulls.get({
@@ -75,7 +116,7 @@ ${summaryData.summary}
      owner: headOwner,
      repo: headRepo,
      path: fileName,
-      message: `Add release notes for PR #${summaryData.prNumber}`,
+      message: `Add release notes for PR #${validatedPrNumber}`,
      content: Buffer.from(fileContent).toString('base64'),
      branch: prBranch,
      committer: {
--- a/.github/actions/ai-generated-release-notes/generate-summary.js
+++ b/.github/actions/ai-generated-release-notes/generate-summary.js
@@ -25,8 +25,6 @@ try {
    process.exit(0);
  }

-  console.log('CodeRabbit comment body:', commentBody);
-
  const data = JSON.stringify({
    model: 'gpt-4o-mini',
    messages: [
--- a/.github/actions/ai-generated-release-notes/pr-details.js
+++ b/.github/actions/ai-generated-release-notes/pr-details.js
@@ -39,6 +39,22 @@ async function getPRDetails() {
    console.log('- Base Branch:', pr.base.ref);
    console.log('- Head Branch:', pr.head.ref);

+    // Fetch all changed files to detect docs-only PRs
+    const files = await octokit.paginate(octokit.rest.pulls.listFiles, {
+      owner,
+      repo: repoName,
+      pull_number: issueNumber,
+      per_page: 100,
+    });
+
+    const changedFiles = files.map(f => f.filename);
+    const isDocsOnly =
+      changedFiles.length > 0 &&
+      changedFiles.every(file => file.startsWith('packages/docs/'));
+
+    console.log('- Changed Files:', changedFiles.length);
+    console.log('- Is Docs Only:', isDocsOnly);
+
    const result = {
      number: pr.number,
      author: pr.user.login,
@@ -47,11 +63,31 @@ async function getPRDetails() {
      headBranch: pr.head.ref,
    };

+    let eligible = true;
+    if (pr.base.ref !== 'master') {
+      console.log(
+        'PR does not target master branch, skipping release notes generation',
+      );
+      eligible = false;
+    } else if (pr.head.ref.startsWith('release/')) {
+      console.log(
+        'PR head branch is a release branch, skipping release notes generation',
+      );
+      eligible = false;
+    } else if (isDocsOnly) {
+      console.log(
+        'PR only changes documentation, skipping release notes generation',
+      );
+      eligible = false;
+    }
+
    setOutput('result', JSON.stringify(result));
+    setOutput('eligible', JSON.stringify(eligible));
  } catch (error) {
    console.log('Error getting PR details:', error.message);
    console.log('Stack:', error.stack);
    setOutput('result', 'null');
+    setOutput('eligible', 'false');
    process.exit(1);
  }
 }
@@ -60,5 +96,6 @@ getPRDetails().catch(error => {
  console.log('Unhandled error:', error.message);
  console.log('Stack:', error.stack);
  setOutput('result', 'null');
+  setOutput('eligible', 'false');
  process.exit(1);
 });
--- a/.github/actions/docs-spelling/excludes.txt
+++ b/.github/actions/docs-spelling/excludes.txt
@@ -68,7 +68,6 @@ ignore$
 ^\Qsrc/\E$
 ^\Qstatic/\E$
 ^\Q.github/\E$
-(?:^|/)package(?:-lock|)\.json$
 (?:^|/)yarn\.lock$
 (?:^|/)(?i)docusaurus.config.js
 (?:^|/)(?i)README.md
--- a/.github/actions/docs-spelling/expect.txt
+++ b/.github/actions/docs-spelling/expect.txt
@@ -126,6 +126,7 @@ Moldovan
 murmurhash
 NETWORKDAYS
 nginx
+nodenext
 OIDC
 Okabe
 overbudgeted
@@ -133,6 +134,7 @@ overbudgeting
 oxc
 Paribas
 passwordless
+PAYPAL
 picomatch
 pluggyai
 Poste
--- a/.github/actions/release-notes/check/action.yml
+++ b/.github/actions/release-notes/check/action.yml
@@ -0,0 +1,17 @@
+name: Check release notes
+description: Validate that a PR includes a properly formatted release note file
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      with:
+        node-version: 22
+    - name: Install dependencies
+      shell: bash
+      run: yarn workspaces focus @actual-app/ci-actions
+    - name: Check release notes
+      env:
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+      shell: bash
+      run: node packages/ci-actions/bin/release-notes-check.mjs
--- a/.github/actions/release-notes/generate/action.yml
+++ b/.github/actions/release-notes/generate/action.yml
@@ -0,0 +1,17 @@
+name: Generate release notes
+description: Generate release documentation from release note files
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      with:
+        node-version: 22
+    - name: Install dependencies
+      shell: bash
+      run: yarn workspaces focus actual @actual-app/ci-actions
+    - name: Generate release notes
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: node packages/ci-actions/bin/release-notes-generate.mjs
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -52,8 +52,9 @@ runs:
      with:
        repository: actualbudget/translations
        path: ${{ inputs.working-directory }}/packages/desktop-client/locale
-      if: ${{ inputs.download-translations == 'true' }}
+        persist-credentials: false
+      if: ${{ inputs.download-translations == 'true' && !env.ACT }}
    - name: Remove untranslated languages
      run: packages/desktop-client/bin/remove-untranslated-languages
      shell: bash
-      if: ${{ inputs.download-translations == 'true' }}
+      if: ${{ inputs.download-translations == 'true' && !env.ACT }}
--- a/.github/workflows/ai-generated-release-notes.yml
+++ b/.github/workflows/ai-generated-release-notes.yml
@@ -18,6 +18,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -42,11 +44,7 @@ jobs:
          GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}

      - name: Check if release notes file already exists
-        if: >-
-          steps.check-first-comment.outputs.result == 'true' &&
-          steps.pr-details.outputs.result != 'null' &&
-          fromJSON(steps.pr-details.outputs.result).baseBranch == 'master' &&
-          !startsWith(fromJSON(steps.pr-details.outputs.result).headBranch, 'release/')
+        if: steps.pr-details.outputs.eligible == 'true'
        id: check-release-notes-exists
        run: node .github/actions/ai-generated-release-notes/check-release-notes-exists.js
        env:
@@ -56,7 +54,7 @@ jobs:
          PR_DETAILS: ${{ steps.pr-details.outputs.result }}

      - name: Generate summary with OpenAI
-        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false'
+        if: steps.check-release-notes-exists.outputs.result == 'false'
        id: generate-summary
        run: node .github/actions/ai-generated-release-notes/generate-summary.js
        env:
@@ -65,7 +63,7 @@ jobs:
          PR_DETAILS: ${{ steps.pr-details.outputs.result }}

      - name: Determine category with OpenAI
-        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false' && steps.generate-summary.outputs.result != 'null'
+        if: steps.generate-summary.outputs.result != 'null' && steps.generate-summary.outputs.result != ''
        id: determine-category
        run: node .github/actions/ai-generated-release-notes/determine-category.js
        env:
@@ -75,7 +73,7 @@ jobs:
          SUMMARY_DATA: ${{ steps.generate-summary.outputs.result }}

      - name: Create and commit release notes file via GitHub API
-        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false' && steps.generate-summary.outputs.result != 'null' && steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
+        if: steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
        run: node .github/actions/ai-generated-release-notes/create-release-notes-file.js
        env:
          GITHUB_TOKEN: ${{ secrets.ACTIONS_UPDATE_TOKEN }}
@@ -85,7 +83,7 @@ jobs:
          CATEGORY: ${{ steps.determine-category.outputs.result }}

      - name: Comment on PR
-        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false' && steps.generate-summary.outputs.result != 'null' && steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
+        if: steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
        run: node .github/actions/ai-generated-release-notes/comment-on-pr.js
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -16,6 +16,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,35 +19,54 @@ concurrency:
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

 jobs:
+  setup:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up environment
+        uses: ./.github/actions/setup
+        with:
+          download-translations: 'false'
+
  api:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'
      - name: Build API
-        run: cd packages/api && yarn build
+        run: yarn build:api
      - name: Create package tgz
        run: cd packages/api && yarn pack && mv package.tgz actual-api.tgz
      - name: Prepare bundle stats artifact
        run: cp packages/api/app/stats.json api-stats.json
      - name: Upload Build
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-api
          path: packages/api/actual-api.tgz
      - name: Upload API bundle stats
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: api-build-stats
          path: api-stats.json

  crdt:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -56,35 +75,48 @@ jobs:
        run: cd packages/crdt && yarn build
      - name: Create package tgz
        run: cd packages/crdt && yarn pack && mv package.tgz actual-crdt.tgz
+      - name: Prepare bundle stats artifact
+        run: cp packages/crdt/dist/stats.json crdt-stats.json
      - name: Upload Build
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-crdt
          path: packages/crdt/actual-crdt.tgz
+      - name: Upload CRDT bundle stats
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: crdt-build-stats
+          path: crdt-stats.json

  web:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
      - name: Build Web
        run: yarn build:browser
      - name: Upload Build
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-web
          path: packages/desktop-client/build
      - name: Upload Build Stats
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: build-stats
          path: packages/desktop-client/build-stats

  cli:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -96,20 +128,23 @@ jobs:
      - name: Prepare bundle stats artifact
        run: cp packages/cli/dist/stats.json cli-stats.json
      - name: Upload Build
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-cli
          path: packages/cli/actual-cli.tgz
      - name: Upload CLI bundle stats
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: cli-build-stats
          path: cli-stats.json

  server:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -117,7 +152,7 @@ jobs:
      - name: Build Server
        run: yarn workspace @actual-app/sync-server build
      - name: Upload Build
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sync-server
          path: packages/sync-server/build
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -12,20 +12,40 @@ concurrency:
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

 jobs:
+  setup:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up environment
+        uses: ./.github/actions/setup
+        with:
+          download-translations: 'false'
  constraints:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'
      - name: Check dependency version consistency
        run: yarn constraints
+      - name: Check tsconfig project references are in sync
+        run: yarn check:tsconfig-references
  lint:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -33,9 +53,12 @@ jobs:
      - name: Lint
        run: yarn lint
  typecheck:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -43,9 +66,12 @@ jobs:
      - name: Typecheck
        run: yarn typecheck
  validate-cli:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -55,21 +81,36 @@ jobs:
      - name: Check that the built CLI works
        run: node packages/sync-server/build/bin/actual-server.js --version
  test:
+    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'
      - name: Test
        run: yarn test
+  check-gh-actions:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2

  migrations:
+    needs: setup
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,13 +23,15 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: javascript

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          category: '/language:javascript'
--- a/.github/workflows/count-points.yml
+++ b/.github/workflows/count-points.yml
@@ -17,6 +17,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
--- a/.github/workflows/generate-release-pr.yml
+++ b/.github/workflows/generate-release-pr.yml
@@ -1,6 +1,9 @@
-name: Generate release PR
+name: Cut release branch

 on:
+  schedule:
+    # 17:00 UTC on the 25th of each month
+    - cron: '0 17 25 * *'
  workflow_dispatch:
    inputs:
      ref:
@@ -11,22 +14,35 @@ on:
        description: 'Version number for the release (optional)'
        required: false
        default: ''
+      release-date:
+        description: 'Expected release date, YYYY-MM-DD (optional)'
+        required: false
+        default: ''
+
+permissions:
+  contents: write
+  pull-requests: write

 jobs:
-  generate-release-pr:
+  cut-release-branch:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          ref: ${{ github.event.inputs.ref }}
+          ref: ${{ github.event.inputs.ref || 'master' }}
+          persist-credentials: false
+
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'
+
      - name: Bump package versions
        id: bump_package_versions
        shell: bash
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          declare -A packages=(
            [web]="desktop-client"
@@ -34,16 +50,17 @@ jobs:
            [sync]="sync-server"
            [api]="api"
            [cli]="cli"
-            [core]="core"
+            [core]="loot-core"
          )
+          declare -A new_versions

          for key in "${!packages[@]}"; do
            pkg="${packages[$key]}"

-            if [[ -n "${{ github.event.inputs.version }}" ]]; then
+            if [[ -n "$INPUT_VERSION" ]]; then
              version=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts \
                --package-json "./packages/$pkg/package.json" \
-                --version "${{ github.event.inputs.version }}" \
+                --version "$INPUT_VERSION" \
                --update)
            else
              version=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts \
@@ -52,15 +69,33 @@ jobs:
                --update)
            fi

-            eval "NEW_${key^^}_VERSION=\"$version\""
+            new_versions[$key]="$version"
          done

-          echo "version=$NEW_WEB_VERSION" >> "$GITHUB_OUTPUT"
-      - name: Create PR
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+          echo "version=${new_versions[web]}" >> "$GITHUB_OUTPUT"
+
+      - name: Compute release date
+        id: release_date
+        shell: bash
+        env:
+          INPUT_DATE: ${{ github.event.inputs['release-date'] }}
+        run: |
+          if [[ -n "$INPUT_DATE" ]]; then
+            echo "date=$INPUT_DATE" >> "$GITHUB_OUTPUT"
+          else
+            # default to the 1st of next month
+            echo "date=$(date -d '+1 month' '+%Y-%m-01')" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create release branch and PR
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.ACTIONS_UPDATE_TOKEN }}
          commit-message: '🔖 (${{ steps.bump_package_versions.outputs.version }})'
          title: '🔖 (${{ steps.bump_package_versions.outputs.version }})'
-          body: 'Generated by [generate-release-pr.yml](../tree/master/.github/workflows/generate-release-pr.yml)'
-          branch: 'release/v${{ steps.bump_package_versions.outputs.version }}'
+          body: |
+            Generated by [cut-release-branch.yml](../tree/master/.github/workflows/cut-release-branch.yml)
+
+            <!-- release-date:${{ steps.release_date.outputs.date }} -->
+          branch: 'release/${{ steps.bump_package_versions.outputs.version }}'
+          base: master
--- a/.github/workflows/docker-edge.yml
+++ b/.github/workflows/docker-edge.yml
@@ -37,6 +37,8 @@ jobs:
        os: [ubuntu, alpine]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
@@ -54,14 +56,14 @@ jobs:
          tags: ${{ env.TAGS }}

      - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        if: github.event_name != 'pull_request' && !github.event.repository.fork
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
@@ -76,7 +78,7 @@ jobs:
        run: yarn build:server

      - name: Build image for testing
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          push: false
@@ -93,7 +95,7 @@ jobs:
      # This will use the cache from the earlier build step and not rebuild the image
      # https://docs.docker.com/build/ci/github-actions/test-before-push/
      - name: Build and push images
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -29,6 +29,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
@@ -58,13 +60,13 @@ jobs:
          tags: ${{ env.TAGS }}

      - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -78,7 +80,7 @@ jobs:
        run: yarn build:server

      - name: Build and push ubuntu image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          push: true
@@ -87,7 +89,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}

      - name: Build and push alpine image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          push: true
--- a/.github/workflows/docs-spelling.yml
+++ b/.github/workflows/docs-spelling.yml
@@ -79,12 +79,12 @@ jobs:
    steps:
      - name: check-spelling
        id: spelling
-        uses: check-spelling/check-spelling@main
+        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
        with:
          suppress_push_for_open_pull_request: 1
          checkout: true
          check_file_names: 1
-          spell_check_this: check-spelling/spell-check-this@prerelease
+          spell_check_this: check-spelling/spell-check-this@92453f59cac8985482dfc301a8ece4c6d7de8a0c # prerelease
          post_comment: 0
          use_magic_file: 1
          experimental_apply_changes_via_bot: 1
@@ -114,10 +114,10 @@ jobs:
    if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
    steps:
      - name: comment
-        uses: check-spelling/check-spelling@main
+        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
        with:
          checkout: true
-          spell_check_this: check-spelling/spell-check-this@prerelease
+          spell_check_this: check-spelling/spell-check-this@92453f59cac8985482dfc301a8ece4c6d7de8a0c # prerelease
          task: ${{ needs.spelling.outputs.followup }}
          config: .github/actions/docs-spelling

@@ -131,10 +131,10 @@ jobs:
    if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
    steps:
      - name: comment
-        uses: check-spelling/check-spelling@main
+        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
        with:
          checkout: true
-          spell_check_this: check-spelling/spell-check-this@prerelease
+          spell_check_this: check-spelling/spell-check-this@92453f59cac8985482dfc301a8ece4c6d7de8a0c # prerelease
          task: ${{ needs.spelling.outputs.followup }}
          experimental_apply_changes_via_bot: 1
          config: .github/actions/docs-spelling
@@ -156,7 +156,7 @@ jobs:
      cancel-in-progress: false
    steps:
      - name: apply spelling updates
-        uses: check-spelling/check-spelling@main
+        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
        with:
          experimental_apply_changes_via_bot: 1
          checkout: true
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -17,32 +17,81 @@ on:
 env:
  GITHUB_PR_NUMBER: ${{github.event.pull_request.number}}

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

 jobs:
-  functional:
-    name: Functional (shard ${{ matrix.shard }}/5)
+  build-web:
+    name: Build web bundle
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        shard: [1, 2, 3, 4, 5]
    container:
-      image: mcr.microsoft.com/playwright:v1.58.2-jammy
+      image: mcr.microsoft.com/playwright:v1.59.1-jammy
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'
      - name: Trust the repository directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Build browser bundle
+        # REACT_APP_NETLIFY=true flips isNonProductionEnvironment() on in the
+        # bundle so the "Create test file" button (used by every e2e beforeEach
+        # via ConfigurationPage.createTestFile()) is still rendered in a
+        # production build. Without it, e2e tests would time out waiting for
+        # a button that was tree-shaken out.
+        env:
+          REACT_APP_NETLIFY: 'true'
+        run: |
+          yarn workspace plugins-service build
+          yarn workspace @actual-app/crdt build
+          yarn workspace @actual-app/core build:browser
+          yarn workspace @actual-app/web build:browser
+      - name: Upload build artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: desktop-client-build
+          path: packages/desktop-client/build/
+          retention-days: 1
+          overwrite: true
+
+  functional:
+    name: Functional (shard ${{ matrix.shard }}/3)
+    runs-on: ubuntu-latest
+    needs: build-web
+    strategy:
+      fail-fast: false
+      matrix:
+        shard: [1, 2, 3]
+    container:
+      image: mcr.microsoft.com/playwright:v1.59.1-jammy
+    env:
+      E2E_USE_BUILD: '1'
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up environment
+        uses: ./.github/actions/setup
+        with:
+          download-translations: 'false'
+      - name: Trust the repository directory
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Download web build
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: desktop-client-build
+          path: packages/desktop-client/build/
      - name: Run E2E Tests
-        run: yarn e2e --shard=${{ matrix.shard }}/5
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        if: always()
+        run: yarn e2e --shard=${{ matrix.shard }}/3
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: failure()
        with:
          name: desktop-client-test-results-shard-${{ matrix.shard }}
          path: packages/desktop-client/test-results/
@@ -53,19 +102,27 @@ jobs:
    name: Functional Desktop App
    runs-on: ubuntu-latest
    container:
-      image: mcr.microsoft.com/playwright:v1.58.2-jammy
+      image: mcr.microsoft.com/playwright:v1.59.1-jammy
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'
      - name: Trust the repository directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      # Build tools are needed to rebuild native modules like better-sqlite3 used by the Desktop app, which is required to run E2E tests on the Desktop app.
+      - name: Install build tools
+        run: apt-get update && apt-get install -y build-essential python3
+
      - name: Run Desktop app E2E Tests
        run: |
+          yarn rebuild-electron
          xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: desktop-app-test-results
@@ -74,23 +131,35 @@ jobs:
          overwrite: true

  vrt:
-    name: Visual regression (shard ${{ matrix.shard }}/5)
+    name: Visual regression (shard ${{ matrix.shard }}/3)
    runs-on: ubuntu-latest
+    needs: build-web
    strategy:
      fail-fast: false
      matrix:
-        shard: [1, 2, 3, 4, 5]
+        shard: [1, 2, 3]
    container:
-      image: mcr.microsoft.com/playwright:v1.58.2-jammy
+      image: mcr.microsoft.com/playwright:v1.59.1-jammy
+    env:
+      E2E_USE_BUILD: '1'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'
+      - name: Trust the repository directory
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Download web build
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: desktop-client-build
+          path: packages/desktop-client/build/
      - name: Run VRT Tests
-        run: yarn vrt --shard=${{ matrix.shard }}/5
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        run: yarn vrt --shard=${{ matrix.shard }}/3
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: vrt-blob-report-${{ matrix.shard }}
@@ -104,9 +173,11 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ !cancelled() }}
    container:
-      image: mcr.microsoft.com/playwright:v1.58.2-jammy
+      image: mcr.microsoft.com/playwright:v1.59.1-jammy
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
      - name: Download all blob reports
@@ -118,7 +189,7 @@ jobs:
      - name: Merge reports
        id: merge-reports
        run: yarn workspace @actual-app/web run playwright merge-reports --reporter html ./all-blob-reports
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        id: playwright-report-vrt
        with:
          name: html-report--attempt-${{ github.run_attempt }}
@@ -131,10 +202,12 @@ jobs:
          mkdir -p vrt-metadata
          echo "${{ github.event.pull_request.number }}" > vrt-metadata/pr-number.txt
          echo "${{ needs.vrt.result }}" > vrt-metadata/vrt-result.txt
-          echo "${{ steps.playwright-report-vrt.outputs.artifact-url }}" > vrt-metadata/artifact-url.txt
+          echo "${STEPS_PLAYWRIGHT_REPORT_VRT_OUTPUTS_ARTIFACT_URL}" > vrt-metadata/artifact-url.txt
+        env:
+          STEPS_PLAYWRIGHT_REPORT_VRT_OUTPUTS_ARTIFACT_URL: ${{ steps.playwright-report-vrt.outputs.artifact-url }}
      - name: Upload VRT metadata
        if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: vrt-comment-metadata
          path: vrt-metadata/
--- a/.github/workflows/e2e-vrt-comment.yml
+++ b/.github/workflows/e2e-vrt-comment.yml
@@ -53,7 +53,7 @@ jobs:

      - name: Comment on PR with VRT report link
        if: steps.metadata.outputs.should_comment == 'true'
-        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3.0.2
+        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
        with:
          number: ${{ steps.metadata.outputs.pr_number }}
          header: vrt-comment
--- a/.github/workflows/electron-master.yml
+++ b/.github/workflows/electron-master.yml
@@ -22,6 +22,7 @@ jobs:
    permissions:
      contents: write
    strategy:
+      fail-fast: false
      matrix:
        os:
          - ubuntu-22.04
@@ -30,6 +31,8 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - if: ${{ startsWith(matrix.os, 'windows') }}
        run: pip.exe install setuptools
      - if: ${{ ! startsWith(matrix.os, 'windows') }}
@@ -56,9 +59,11 @@ jobs:

          METAINFO_FILE="packages/desktop-electron/extra-resources/linux/com.actualbudget.actual.metainfo.xml"
          TODAY=$(date +%Y-%m-%d)
-          VERSION=${{ steps.process_version.outputs.version }}
+          VERSION=${STEPS_PROCESS_VERSION_OUTPUTS_VERSION}
          sed -i "s/%RELEASE_VERSION%/$VERSION/g; s/%RELEASE_DATE%/$TODAY/g" "$METAINFO_FILE"
          flatpak run --command=flatpak-builder-lint org.flatpak.Builder appstream "$METAINFO_FILE"
+        env:
+          STEPS_PROCESS_VERSION_OUTPUTS_VERSION: ${{ steps.process_version.outputs.version }}
      - name: Set up environment
        uses: ./.github/actions/setup
      - name: Build Electron for Mac
@@ -74,7 +79,7 @@ jobs:
        if: ${{ ! startsWith(matrix.os, 'macos') }}
        run: ./bin/package-electron
      - name: Upload Build
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-electron-${{ matrix.os }}
          path: |
@@ -85,7 +90,7 @@ jobs:
            packages/desktop-electron/dist/*.flatpak
      - name: Upload Windows Store Build
        if: ${{ startsWith(matrix.os, 'windows') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-electron-${{ matrix.os }}-appx
          path: |
--- a/.github/workflows/electron-pr.yml
+++ b/.github/workflows/electron-pr.yml
@@ -26,6 +26,7 @@ concurrency:
 jobs:
  build:
    strategy:
+      fail-fast: false
      matrix:
        os:
          - ubuntu-22.04
@@ -34,6 +35,8 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - if: ${{ startsWith(matrix.os, 'windows') }}
        run: pip.exe install setuptools
      - if: ${{ ! startsWith(matrix.os, 'windows') }}
@@ -65,56 +68,56 @@ jobs:
        run: ./bin/package-electron

      - name: Upload Linux x64 AppImage
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-linux-x86_64.AppImage
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-linux-x86_64.AppImage

      - name: Upload Linux arm64 AppImage
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-linux-arm64.AppImage
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-linux-arm64.AppImage

      - name: Upload Linux x64 flatpak
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-linux-x86_64.flatpak
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-linux-x86_64.flatpak

      - name: Upload Windows x32 exe
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-windows-ia32.exe
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-windows-ia32.exe

      - name: Upload Windows x64 exe
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-windows-x64.exe
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-windows-x64.exe

      - name: Upload Windows arm64 exe
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-windows-arm64.exe
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-windows-arm64.exe

      - name: Upload Mac x64 dmg
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-mac-x64.dmg
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-mac-x64.dmg

      - name: Upload Mac arm64 dmg
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-mac-arm64.dmg
          if-no-files-found: ignore
@@ -122,7 +125,7 @@ jobs:

      - name: Upload Windows Store Build
        if: ${{ startsWith(matrix.os, 'windows') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-electron-${{ matrix.os }}-appx
          path: |
--- a/.github/workflows/fork-pr-welcome.yml
+++ b/.github/workflows/fork-pr-welcome.yml
@@ -25,7 +25,7 @@ jobs:
    if: github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - name: Post welcome comment
-        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3.0.2
+        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          number: ${{ github.event.pull_request.number }}
--- a/.github/workflows/i18n-string-extract-master.yml
+++ b/.github/workflows/i18n-string-extract-master.yml
@@ -15,6 +15,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: actual
+          persist-credentials: false
      - name: Set up environment
        uses: ./actual/.github/actions/setup
        with:
@@ -27,12 +28,23 @@ jobs:
      - name: Configure i18n client
        run: |
          pip install wlc
+      - name: Configure Weblate API credentials
+        env:
+          WEBLATE_API_KEY: ${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}
+        run: |
+          # Write the API key to wlc's config file instead of passing it on
+          # the command line, so the secret doesn't appear in process listings.
+          mkdir -p "$HOME/.config"
+          umask 077
+          cat > "$HOME/.config/weblate" <<EOF
+          [keys]
+          https://hosted.weblate.org/api/ = ${WEBLATE_API_KEY}
+          EOF

      - name: Lock translations
        run: |
          wlc \
            --url https://hosted.weblate.org/api/ \
-            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
            lock \
            actualbudget/actual

@@ -40,7 +52,6 @@ jobs:
        run: |
          wlc \
            --url https://hosted.weblate.org/api/ \
-            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
            push \
            actualbudget/actual
      - name: Check out updated translations
@@ -49,6 +60,8 @@ jobs:
          ssh-key: ${{ secrets.STRING_IMPORT_DEPLOY_KEY }}
          repository: actualbudget/translations
          path: translations
+          # Need to be able to push back extracted strings
+          persist-credentials: true
      - name: Generate i18n strings
        working-directory: actual
        run: |
@@ -73,7 +86,6 @@ jobs:
        run: |
          wlc \
            --url https://hosted.weblate.org/api/ \
-            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
            pull \
            actualbudget/actual

@@ -82,6 +94,5 @@ jobs:
        run: |
          wlc \
            --url https://hosted.weblate.org/api/ \
-            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
            unlock \
            actualbudget/actual
--- a/.github/workflows/issues-feature-implemented.yml
+++ b/.github/workflows/issues-feature-implemented.yml
@@ -25,6 +25,8 @@ jobs:
    steps:
      # This is not a security concern because we have approved & merged the PR
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 22
--- a/.github/workflows/netlify-release.yml
+++ b/.github/workflows/netlify-release.yml
@@ -22,6 +22,8 @@ jobs:
    steps:
      - name: Repository Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up environment
        uses: ./.github/actions/setup
@@ -34,10 +36,11 @@ jobs:

      - name: Deploy to Netlify
        id: netlify_deploy
+        env:
+          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_API_TOKEN }}
        run: |
          netlify deploy \
            --dir packages/desktop-client/build \
-            --site ${{ secrets.NETLIFY_SITE_ID }} \
-            --auth ${{ secrets.NETLIFY_API_TOKEN }} \
            --filter @actual-app/web \
            --prod
--- a/.github/workflows/nightly-theme-catalog-scan.yml
+++ b/.github/workflows/nightly-theme-catalog-scan.yml
@@ -0,0 +1,47 @@
+name: Nightly theme catalog scan
+
+on:
+  schedule:
+    # 05:15 UTC daily — runs after the i18n extract job (04:00) and well
+    # before the nightly Electron/npm publishes (00:00 UTC the next day).
+    - cron: '15 5 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  validate-theme-catalog:
+    name: Validate custom theme catalog
+    runs-on: ubuntu-latest
+    if: github.repository == 'actualbudget/actual'
+    timeout-minutes: 10
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up environment
+        uses: ./.github/actions/setup
+        with:
+          download-translations: 'false'
+      - name: Validate themes
+        run: yarn workspace @actual-app/web validate:theme-catalog
+
+  notify-failure:
+    name: Notify Discord on failure
+    needs: validate-theme-catalog
+    if: failure() && github.repository == 'actualbudget/actual'
+    runs-on: ubuntu-latest
+    environment: nightly-alerts
+    timeout-minutes: 5
+    steps:
+      - name: Notify Discord
+        uses: sarisia/actions-status-discord@eb045afee445dc055c18d3d90bd0f244fd062708 # v1.16.0
+        with:
+          webhook: ${{ secrets.DISCORD_WEBHOOK_URL }}
+          status: Failure
+          title: Nightly theme catalog scan failed
+          description: The nightly scan failed. One or more themes may be broken, or the scan itself did not complete.
+          username: Actual Nightly
+          nofail: true
--- a/.github/workflows/publish-flathub.yml
+++ b/.github/workflows/publish-flathub.yml
@@ -54,8 +54,9 @@ jobs:
      - name: Verify release assets exist
        env:
          GH_TOKEN: ${{ github.token }}
+          STEPS_RESOLVE_VERSION_OUTPUTS_TAG: ${{ steps.resolve_version.outputs.tag }}
        run: |
-          TAG="${{ steps.resolve_version.outputs.tag }}"
+          TAG="${STEPS_RESOLVE_VERSION_OUTPUTS_TAG}"

          echo "Checking release assets for tag $TAG..."
          ASSETS=$(gh api "repos/${{ github.repository }}/releases/tags/$TAG" --jq '.assets[].name')
@@ -77,7 +78,7 @@ jobs:

      - name: Calculate AppImage SHA256 (streamed)
        run: |
-          VERSION="${{ steps.resolve_version.outputs.version }}"
+          VERSION="${STEPS_RESOLVE_VERSION_OUTPUTS_VERSION}"
          BASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}"

          echo "Streaming x86_64 AppImage to compute SHA256..."
@@ -90,30 +91,35 @@ jobs:

          echo "APPIMAGE_X64_SHA256=$APPIMAGE_X64_SHA256" >> "$GITHUB_ENV"
          echo "APPIMAGE_ARM64_SHA256=$APPIMAGE_ARM64_SHA256" >> "$GITHUB_ENV"
+        env:
+          STEPS_RESOLVE_VERSION_OUTPUTS_VERSION: ${{ steps.resolve_version.outputs.version }}

      - name: Checkout Flathub repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: flathub/com.actualbudget.actual
          token: ${{ secrets.FLATHUB_GITHUB_TOKEN }}
+          persist-credentials: false

      - name: Update manifest with new version
        run: |
-          VERSION="${{ steps.resolve_version.outputs.version }}"
+          VERSION="${STEPS_RESOLVE_VERSION_OUTPUTS_VERSION}"

          # Replace x86_64 entry
-          sed -i "/x86_64.AppImage/{n;s|sha256:.*|sha256: ${{ env.APPIMAGE_X64_SHA256 }}|}" com.actualbudget.actual.yml
+          sed -i "/x86_64.AppImage/{n;s|sha256:.*|sha256: ${APPIMAGE_X64_SHA256}|}" com.actualbudget.actual.yml
          sed -i "/x86_64.AppImage/s|url:.*|url: https://github.com/actualbudget/actual/releases/download/v${VERSION}/Actual-linux-x86_64.AppImage|" com.actualbudget.actual.yml

          # Replace arm64 entry
-          sed -i "/arm64.AppImage/{n;s|sha256:.*|sha256: ${{ env.APPIMAGE_ARM64_SHA256 }}|}" com.actualbudget.actual.yml
+          sed -i "/arm64.AppImage/{n;s|sha256:.*|sha256: ${APPIMAGE_ARM64_SHA256}|}" com.actualbudget.actual.yml
          sed -i "/arm64.AppImage/s|url:.*|url: https://github.com/actualbudget/actual/releases/download/v${VERSION}/Actual-linux-arm64.AppImage|" com.actualbudget.actual.yml

          echo "Updated manifest:"
          cat com.actualbudget.actual.yml
+        env:
+          STEPS_RESOLVE_VERSION_OUTPUTS_VERSION: ${{ steps.resolve_version.outputs.version }}

      - name: Create PR in Flathub repo
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.FLATHUB_GITHUB_TOKEN }}
          commit-message: 'Update Actual flatpak to version ${{ steps.resolve_version.outputs.version }}'
--- a/.github/workflows/publish-nightly-electron.yml
+++ b/.github/workflows/publish-nightly-electron.yml
@@ -20,6 +20,7 @@ concurrency:
 jobs:
  build:
    strategy:
+      fail-fast: false
      matrix:
        os:
          - ubuntu-22.04
@@ -29,6 +30,8 @@ jobs:
    if: github.event.repository.fork == false
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - if: ${{ startsWith(matrix.os, 'windows') }}
        run: pip.exe install setuptools

@@ -83,49 +86,49 @@ jobs:
        run: ./bin/package-electron

      - name: Upload Linux x64 AppImage
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-linux-x86_64.AppImage
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-linux-x86_64.AppImage

      - name: Upload Linux arm64 AppImage
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-linux-arm64.AppImage
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-linux-arm64.AppImage

      - name: Upload Windows x32 exe
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-windows-ia32.exe
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-windows-ia32.exe

      - name: Upload Windows x64 exe
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-windows-x64.exe
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-windows-x64.exe

      - name: Upload Windows arm64 exe
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-windows-arm64.exe
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-windows-arm64.exe

      - name: Upload Mac x64 dmg
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-mac-x64.dmg
          if-no-files-found: ignore
          path: packages/desktop-electron/dist/Actual-mac-x64.dmg

      - name: Upload Mac arm64 dmg
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Actual-mac-arm64.dmg
          if-no-files-found: ignore
@@ -133,7 +136,7 @@ jobs:

      - name: Upload Windows Store Build
        if: ${{ startsWith(matrix.os, 'windows') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: actual-electron-${{ matrix.os }}-appx
          path: |
--- a/.github/workflows/publish-nightly-npm-packages.yml
+++ b/.github/workflows/publish-nightly-npm-packages.yml
@@ -1,124 +0,0 @@
-name: Publish nightly npm packages
-
-# Nightly npm packages are built daily at midnight UTC
-on:
-  schedule:
-    - cron: '0 0 * * *'
-  workflow_dispatch:
-
-jobs:
-  build-and-pack:
-    runs-on: ubuntu-latest
-    name: Build and pack npm packages
-    if: github.event.repository.fork == false
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Set up environment
-        uses: ./.github/actions/setup
-
-      - name: Update package versions
-        run: |
-          # Get new nightly versions
-          NEW_CORE_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/loot-core/package.json --type nightly)
-          NEW_WEB_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/desktop-client/package.json --type nightly)
-          NEW_SYNC_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/sync-server/package.json --type nightly)
-          NEW_API_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/api/package.json --type nightly)
-          NEW_CLI_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/cli/package.json --type nightly)
-
-          # Set package versions
-          npm version $NEW_CORE_VERSION --no-git-tag-version --workspace=@actual-app/core --no-workspaces-update
-          npm version $NEW_WEB_VERSION --no-git-tag-version --workspace=@actual-app/web --no-workspaces-update
-          npm version $NEW_SYNC_VERSION --no-git-tag-version --workspace=@actual-app/sync-server --no-workspaces-update
-          npm version $NEW_API_VERSION --no-git-tag-version --workspace=@actual-app/api --no-workspaces-update
-          npm version $NEW_CLI_VERSION --no-git-tag-version --workspace=@actual-app/cli --no-workspaces-update
-
-      - name: Yarn install
-        run: |
-          yarn install
-
-      - name: Pack the core package
-        run: |
-          yarn workspace @actual-app/core pack --filename @actual-app/core.tgz
-
-      - name: Build Server & Web
-        run: yarn build:server
-
-      - name: Pack the web and server packages
-        run: |
-          yarn workspace @actual-app/web pack --filename @actual-app/web.tgz
-          yarn workspace @actual-app/sync-server pack --filename @actual-app/sync-server.tgz
-
-      - name: Build API
-        run: yarn build:api
-
-      - name: Pack the api package
-        run: |
-          yarn workspace @actual-app/api pack --filename @actual-app/api.tgz
-
-      - name: Build CLI
-        run: yarn workspace @actual-app/cli build
-
-      - name: Pack the cli package
-        run: |
-          yarn workspace @actual-app/cli pack --filename @actual-app/cli.tgz
-
-      - name: Upload package artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: npm-packages
-          path: |
-            packages/loot-core/@actual-app/core.tgz
-            packages/desktop-client/@actual-app/web.tgz
-            packages/sync-server/@actual-app/sync-server.tgz
-            packages/api/@actual-app/api.tgz
-            packages/cli/@actual-app/cli.tgz
-
-  publish:
-    runs-on: ubuntu-latest
-    name: Publish Nightly npm packages
-    needs: build-and-pack
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Download the artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: npm-packages
-
-      - name: Setup node and npm registry
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
-        with:
-          node-version: 22
-          registry-url: 'https://registry.npmjs.org'
-
-      - name: Publish Core
-        run: |
-          npm publish loot-core/@actual-app/core.tgz --access public --tag nightly
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Publish Web
-        run: |
-          npm publish desktop-client/@actual-app/web.tgz --access public --tag nightly
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Publish Sync-Server
-        run: |
-          npm publish sync-server/@actual-app/sync-server.tgz --access public --tag nightly
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Publish API
-        run: |
-          npm publish api/@actual-app/api.tgz --access public --tag nightly
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Publish CLI
-        run: |
-          npm publish cli/@actual-app/cli.tgz --access public --tag nightly
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/publish-npm-packages.yml
+++ b/.github/workflows/publish-npm-packages.yml
@@ -1,26 +1,55 @@
 name: Publish npm packages

-# # Npm packages are published for every new tag
+# Npm packages are published for every new tag and nightly schedule
 on:
  push:
    tags:
      - 'v*.*.*'
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:

 jobs:
  build-and-pack:
    runs-on: ubuntu-latest
    name: Build and pack npm packages
+    if: github.event_name == 'push' || (github.event.repository.fork == false)
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up environment
        uses: ./.github/actions/setup

+      - name: Update package versions
+        if: github.event_name != 'push'
+        run: |
+          # Get new nightly versions
+          NEW_CORE_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/loot-core/package.json --type nightly)
+          NEW_WEB_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/desktop-client/package.json --type nightly)
+          NEW_SYNC_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/sync-server/package.json --type nightly)
+          NEW_API_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/api/package.json --type nightly)
+          NEW_CLI_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/cli/package.json --type nightly)
+
+          # Set package versions
+          npm version $NEW_CORE_VERSION --no-git-tag-version --workspace=@actual-app/core --no-workspaces-update
+          npm version $NEW_WEB_VERSION --no-git-tag-version --workspace=@actual-app/web --no-workspaces-update
+          npm version $NEW_SYNC_VERSION --no-git-tag-version --workspace=@actual-app/sync-server --no-workspaces-update
+          npm version $NEW_API_VERSION --no-git-tag-version --workspace=@actual-app/api --no-workspaces-update
+          npm version $NEW_CLI_VERSION --no-git-tag-version --workspace=@actual-app/cli --no-workspaces-update
+
+      - name: Yarn install
+        if: github.event_name != 'push'
+        run: |
+          # Required after nightly `npm version` updates workspace manifests.
+          yarn install
+
      - name: Pack the core package
        run: |
          yarn workspace @actual-app/core pack --filename @actual-app/core.tgz

-      - name: Build Web
+      - name: Build Server & Web
        run: yarn build:server

      - name: Pack the web and server packages
@@ -43,7 +72,8 @@ jobs:
          yarn workspace @actual-app/cli pack --filename @actual-app/cli.tgz

      - name: Upload package artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: ${{ !env.ACT }}
        with:
          name: npm-packages
          path: |
@@ -60,6 +90,9 @@ jobs:
    permissions:
      contents: read
      packages: write
+      id-token: write # Required for OIDC
+    env:
+      NPM_DIST_TAG: ${{ github.event_name != 'push' && 'nightly' || '' }}
    steps:
      - name: Download the artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -69,35 +102,26 @@ jobs:
      - name: Setup node and npm registry
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: 22
+          node-version: 24
+          check-latest: true
          registry-url: 'https://registry.npmjs.org'

      - name: Publish Core
        run: |
-          npm publish loot-core/@actual-app/core.tgz --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          npm publish loot-core/@actual-app/core.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}

      - name: Publish Web
        run: |
-          npm publish desktop-client/@actual-app/web.tgz --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          npm publish desktop-client/@actual-app/web.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}

      - name: Publish Sync-Server
        run: |
-          npm publish sync-server/@actual-app/sync-server.tgz --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          npm publish sync-server/@actual-app/sync-server.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}

      - name: Publish API
        run: |
-          npm publish api/@actual-app/api.tgz --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          npm publish api/@actual-app/api.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}

      - name: Publish CLI
        run: |
-          npm publish cli/@actual-app/cli.tgz --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          npm publish cli/@actual-app/cli.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -3,6 +3,10 @@ name: Release notes
 on:
  pull_request:

+permissions:
+  contents: write
+  pull-requests: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
@@ -11,15 +15,37 @@ jobs:
  release-notes:
    runs-on: ubuntu-latest
    steps:
+      - name: Check if triggered by bot
+        id: bot-check
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const { data: commit } = await github.rest.git.getCommit({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              commit_sha: context.payload.pull_request.head.sha,
+            });
+            const skip = commit.author.name === 'github-actions[bot]'
+              && commit.message.startsWith('Generate release notes');
+            console.log(`Head commit by "${commit.author.name}": ${commit.message.split('\n')[0]}`);
+            console.log(`Skip: ${skip}`);
+            core.setOutput('skip', String(skip));
+
      - name: Checkout
+        if: steps.bot-check.outputs.skip != 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
+          token: ${{ secrets.ACTIONS_UPDATE_TOKEN || github.token }}
+          # Need to be able to commit release notes after generation
+          persist-credentials: true
+
      - name: Get changed files
+        if: steps.bot-check.outputs.skip != 'true'
        id: changed-files
        run: |
-          git fetch origin ${{ github.base_ref }}
-          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+          git fetch origin ${GITHUB_BASE_REF}
+          CHANGED_FILES=$(git diff --name-only origin/${GITHUB_BASE_REF}...HEAD)
          NON_DOCS_FILES=$(echo "$CHANGED_FILES" | grep -v -e "^packages/docs/" -e "^\.github/actions/docs-spelling/" || true)

          if [ -z "$NON_DOCS_FILES" ] && [ -n "$CHANGED_FILES" ]; then
@@ -28,9 +54,17 @@ jobs:
          else
            echo "only_docs=false" >> $GITHUB_OUTPUT
          fi
+
      - name: Check release notes
-        if: startsWith(github.head_ref, 'release/') == false && steps.changed-files.outputs.only_docs != 'true'
-        uses: actualbudget/actions/release-notes/check@main
+        if: >-
+          steps.bot-check.outputs.skip != 'true'
+          && startsWith(github.head_ref, 'release/') == false
+          && steps.changed-files.outputs.only_docs != 'true'
+        uses: ./.github/actions/release-notes/check
+
      - name: Generate release notes
-        if: startsWith(github.head_ref, 'release/') == true
-        uses: actualbudget/actions/release-notes/generate@main
+        if: >-
+          steps.bot-check.outputs.skip != 'true'
+          && startsWith(github.head_ref, 'release/') == true
+          && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+        uses: ./.github/actions/release-notes/generate
--- a/.github/workflows/size-compare.yml
+++ b/.github/workflows/size-compare.yml
@@ -38,6 +38,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.base_ref }}
+          persist-credentials: false
      - name: Set up environment
        uses: ./.github/actions/setup
        with:
@@ -64,6 +65,13 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}
          checkName: cli
          ref: ${{github.base_ref}}
+      - name: Wait for ${{github.base_ref}} CRDT build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: master-crdt-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: crdt
+          ref: ${{github.base_ref}}

      - name: Wait for PR build to succeed
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
@@ -86,15 +94,22 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}
          checkName: cli
          ref: ${{github.event.pull_request.head.sha}}
+      - name: Wait for CRDT PR build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: wait-for-crdt-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: crdt
+          ref: ${{github.event.pull_request.head.sha}}

      - name: Report build failure
-        if: steps.wait-for-web-build.outputs.conclusion == 'failure' || steps.wait-for-api-build.outputs.conclusion == 'failure' || steps.wait-for-cli-build.outputs.conclusion == 'failure'
+        if: steps.wait-for-web-build.outputs.conclusion == 'failure' || steps.wait-for-api-build.outputs.conclusion == 'failure' || steps.wait-for-cli-build.outputs.conclusion == 'failure' || steps.wait-for-crdt-build.outputs.conclusion == 'failure'
        run: |
-          echo "Build failed on PR branch or ${{github.base_ref}}"
+          echo "Build failed on PR branch or ${GITHUB_BASE_REF}"
          exit 1

      - name: Download web build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
        id: pr-web-build
        with:
          branch: ${{github.base_ref}}
@@ -103,7 +118,7 @@ jobs:
          name: build-stats
          path: base
      - name: Download API build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
        id: pr-api-build
        with:
          branch: ${{github.base_ref}}
@@ -112,7 +127,7 @@ jobs:
          name: api-build-stats
          path: base
      - name: Download build stats from PR
-        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
        with:
          pr: ${{github.event.pull_request.number}}
          workflow: build.yml
@@ -121,7 +136,7 @@ jobs:
          path: head
          allow_forks: true
      - name: Download API stats from PR
-        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
        with:
          pr: ${{github.event.pull_request.number}}
          workflow: build.yml
@@ -130,7 +145,7 @@ jobs:
          path: head
          allow_forks: true
      - name: Download CLI build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
        with:
          branch: ${{github.base_ref}}
          workflow: build.yml
@@ -138,7 +153,7 @@ jobs:
          name: cli-build-stats
          path: base
      - name: Download CLI stats from PR
-        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
        with:
          pr: ${{github.event.pull_request.number}}
          workflow: build.yml
@@ -146,6 +161,23 @@ jobs:
          name: cli-build-stats
          path: head
          allow_forks: true
+      - name: Download CRDT build artifact from ${{github.base_ref}}
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        with:
+          branch: ${{github.base_ref}}
+          workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
+          name: crdt-build-stats
+          path: base
+      - name: Download CRDT stats from PR
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        with:
+          pr: ${{github.event.pull_request.number}}
+          workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
+          name: crdt-build-stats
+          path: head
+          allow_forks: true
      - name: Strip content hashes from stats files
        run: |
          if [ -f ./head/web-stats.json ]; then
@@ -168,10 +200,12 @@ jobs:
            --base loot-core=./base/loot-core-stats.json \
            --base api=./base/api-stats.json \
            --base cli=./base/cli-stats.json \
+            --base crdt=./base/crdt-stats.json \
            --head desktop-client=./head/web-stats.json \
            --head loot-core=./head/loot-core-stats.json \
            --head api=./head/api-stats.json \
            --head cli=./head/cli-stats.json \
+            --head crdt=./head/crdt-stats.json \
            --identifier combined \
            --format pr-body > bundle-stats-comment.md
      - name: Post combined bundle stats comment
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,9 +3,12 @@ on:
  schedule:
    - cron: '30 1 * * *'
  workflow_dispatch: # Allow manual triggering
+permissions: {}

 jobs:
  stale:
+    permissions:
+      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
@@ -16,6 +19,8 @@ jobs:
          days-before-close: 5
          days-before-issue-stale: -1
  stale-wip:
+    permissions:
+      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
@@ -27,6 +32,8 @@ jobs:
          days-before-issue-stale: -1

  stale-needs-info:
+    permissions:
+      issues: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
--- a/.github/workflows/vrt-update-apply.yml
+++ b/.github/workflows/vrt-update-apply.yml
@@ -107,7 +107,7 @@ jobs:
            fi

            # Commit
-            git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${{ steps.metadata.outputs.pr_number }}"
+            git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${STEPS_METADATA_OUTPUTS_PR_NUMBER}"

            echo "applied=true" >> "$GITHUB_OUTPUT"
          else
@@ -116,6 +116,8 @@ jobs:
            echo "error=Patch conflicts with current branch state" >> "$GITHUB_OUTPUT"
            exit 1
          fi
+        env:
+          STEPS_METADATA_OUTPUTS_PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}

      - name: Push changes
        if: steps.apply.outputs.applied == 'true'
@@ -133,12 +135,15 @@ jobs:

      - name: Comment on PR - Failure
        if: failure() && steps.metadata.outputs.pr_number != ''
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          APPLY_ERROR: ${{ steps.apply.outputs.error }}
+          PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
        with:
          script: |
-            const error = `${{ steps.apply.outputs.error }}` || 'Unknown error occurred';
+            const error = process.env.APPLY_ERROR || 'Unknown error occurred';
            await github.rest.issues.createComment({
-              issue_number: ${{ steps.metadata.outputs.pr_number }},
+              issue_number: parseInt(process.env.PR_NUMBER, 10),
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `❌ Failed to apply VRT updates: ${error}\n\nPlease check the workflow logs for details.`
--- a/.github/workflows/vrt-update-generate.yml
+++ b/.github/workflows/vrt-update-generate.yml
@@ -26,7 +26,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Add 👀 reaction to comment
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            await github.rest.reactions.createForIssueComment({
@@ -44,11 +44,11 @@ jobs:
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/update-vrt')
    container:
-      image: mcr.microsoft.com/playwright:v1.58.2-jammy
+      image: mcr.microsoft.com/playwright:v1.59.1-jammy
    steps:
      - name: Get PR details
        id: pr
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const { data: pr } = await github.rest.pulls.get({
@@ -63,15 +63,21 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ steps.pr.outputs.head_sha }}
+          persist-credentials: false

      - name: Set up environment
        uses: ./.github/actions/setup
        with:
          download-translations: 'false'

+      # Build tools are needed to rebuild native modules like better-sqlite3 used by the Desktop app, which is required to run VRT tests on the Desktop app and generate updated snapshots.
+      - name: Install build tools
+        run: apt-get update && apt-get install -y build-essential python3
+
      - name: Run VRT Tests on Desktop app
        continue-on-error: true
        run: |
+          yarn rebuild-electron
          xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop --update-snapshots

      - name: Run VRT Tests
@@ -113,7 +119,7 @@ jobs:

      - name: Upload patch artifact
        if: steps.create-patch.outputs.has_changes == 'true'
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: vrt-patch-${{ github.event.issue.number }}
          path: vrt-update.patch
@@ -124,12 +130,15 @@ jobs:
        run: |
          mkdir -p pr-metadata
          echo "${{ github.event.issue.number }}" > pr-metadata/pr-number.txt
-          echo "${{ steps.pr.outputs.head_ref }}" > pr-metadata/head-ref.txt
-          echo "${{ steps.pr.outputs.head_repo }}" > pr-metadata/head-repo.txt
+          echo "${STEPS_PR_OUTPUTS_HEAD_REF}" > pr-metadata/head-ref.txt
+          echo "${STEPS_PR_OUTPUTS_HEAD_REPO}" > pr-metadata/head-repo.txt
+        env:
+          STEPS_PR_OUTPUTS_HEAD_REF: ${{ steps.pr.outputs.head_ref }}
+          STEPS_PR_OUTPUTS_HEAD_REPO: ${{ steps.pr.outputs.head_repo }}

      - name: Upload PR metadata
        if: steps.create-patch.outputs.has_changes == 'true'
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: vrt-metadata-${{ github.event.issue.number }}
          path: pr-metadata/
--- a/.gitignore
+++ b/.gitignore
@@ -58,6 +58,10 @@ bundle.mobile.js.map
 # IntelliJ IDEA
 .idea

+# Claude Code
+.claude/worktrees/*
+.claude/settings.local.json
+
 # Misc
 .#*

--- a/.husky/post-checkout
+++ b/.husky/post-checkout
@@ -1,11 +1,19 @@
 #!/bin/sh
 # Run yarn install when switching branches (if yarn.lock changed)
+# or when creating a new worktree (node_modules won't exist yet)

 # $3 is 1 for branch checkout, 0 for file checkout
 if [ "$3" != "1" ]; then
  exit 0
 fi

+# Worktree creation: node_modules doesn't exist yet, always install
+if [ ! -d "node_modules" ]; then
+  echo "New worktree detected — running yarn install..."
+  yarn install || exit 1
+  exit 0
+fi
+
 # Check if yarn.lock changed between the old and new HEAD
 if git diff --name-only "$1" "$2" | grep -q "^yarn.lock$"; then
  echo "yarn.lock changed — running yarn install..."
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
--- a/.oxfmtrc.json
+++ b/.oxfmtrc.json
@@ -9,24 +9,14 @@
      "react",
      "builtin",
      "external",
-      "loot-core",
      ["parent", "subpath"],
      "sibling",
-      "index",
-      "desktop-client"
+      "index"
    ],
    "customGroups": [
      {
        "groupName": "react",
        "elementNamePattern": ["react", "react-dom/*", "react-*"]
-      },
-      {
-        "groupName": "loot-core",
-        "elementNamePattern": ["loot-core/**", "@actual-app/core/**"]
-      },
-      {
-        "groupName": "desktop-client",
-        "elementNamePattern": ["@desktop-client/**"]
      }
    ],
    "newlinesBetween": true
--- a/.oxlintrc.json
+++ b/.oxlintrc.json
@@ -36,6 +36,9 @@
    "actual/prefer-const": "error",
    "actual/no-anchor-tag": "error",
    "actual/no-react-default-import": "error",
+    "actual/prefer-subpath-imports": "error",
+    "actual/enforce-boundaries": "error",
+    "actual/no-extraneous-dependencies": "error",

    // JSX A11y rules
    "jsx-a11y/no-autofocus": [
@@ -120,9 +123,6 @@
    "import/no-amd": "error",
    "import/no-default-export": "error",
    "import/no-webpack-loader-syntax": "error",
-    "import/no-useless-path-segments": "error",
-    "import/no-unresolved": "error",
-    "import/no-unused-modules": "error",
    "import/no-duplicates": [
      "error",
      {
@@ -160,7 +160,6 @@
    "react/no-danger-with-children": "error",
    "react/no-direct-mutation-state": "error",
    "react/no-is-mounted": "error",
-    "react/no-unstable-nested-components": "error",
    "react/require-render-return": "error",
    "react/rules-of-hooks": "error",
    "react/self-closing-comp": "error",
@@ -234,7 +233,7 @@
    "eslint/require-yield": "error",
    "eslint/getter-return": "error",
    "eslint/unicode-bom": ["error", "never"],
-    "eslint/no-use-isnan": "error",
+    "eslint/use-isnan": "error",
    "eslint/valid-typeof": "error",
    "eslint/no-useless-rename": [
      "error",
@@ -335,14 +334,9 @@
        ],
        "patterns": [
          {
-            "group": ["**/*.api", "**/*.web", "**/*.electron"],
+            "group": ["**/*.api", "**/*.electron"],
            "message": "Don't directly reference imports from other platforms"
          },
-          {
-            "group": ["uuid"],
-            "importNames": ["*"],
-            "message": "Use `import { v4 as uuidv4 } from 'uuid'` instead"
-          },
          {
            "group": ["**/style", "**/colors"],
            "importNames": ["colors"],
@@ -361,7 +355,9 @@
    ],
    "eslint/no-useless-constructor": "error",
    "eslint/no-undef": "error",
-    "eslint/no-unused-expressions": "error"
+    "eslint/no-unused-expressions": "error",
+    "eslint/no-return-assign": "error",
+    "eslint/no-unused-vars": "error"
  },
  "overrides": [
    {
@@ -377,6 +373,12 @@
        "actual/prefer-logger-over-console": "off"
      }
    },
+    {
+      "files": ["packages/eslint-plugin-actual/lib/rules/__tests__/**/*"],
+      "rules": {
+        "actual/enforce-boundaries": "off"
+      }
+    },
    {
      "files": [
        "packages/api/migrations/*",
@@ -421,6 +423,16 @@
      "rules": {
        "eslint/no-empty-function": "off"
      }
+    },
+    // crdt enforces the repo's "TODO: enable this" typescript rules as errors
+    {
+      "files": ["packages/crdt/**/*"],
+      "rules": {
+        "typescript/no-misused-spread": "error",
+        "typescript/no-base-to-string": "error",
+        "typescript/no-unsafe-unary-minus": "error",
+        "typescript/no-unsafe-type-assertion": "error"
+      }
    }
  ]
 }
--- a/.yarn/releases/yarn-4.10.3.cjs
+++ b/.yarn/releases/yarn-4.10.3.cjs
--- a/.yarn/releases/yarn-4.13.0.cjs
+++ b/.yarn/releases/yarn-4.13.0.cjs
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -6,4 +6,4 @@ enableTransparentWorkspaces: false

 nodeLinker: node-modules

-yarnPath: .yarn/releases/yarn-4.10.3.cjs
+yarnPath: .yarn/releases/yarn-4.13.0.cjs
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -281,7 +281,6 @@ Always run `yarn typecheck` before committing.
 - Avoid `any` or `unknown` unless absolutely necessary
 - Look for existing type definitions in the codebase
 - Avoid type assertions (`as`, `!`) - prefer `satisfies`
- Use inline type imports: `import { type MyType } from '...'`

 **Naming:**

@@ -331,7 +330,7 @@ Always maintain newlines between import groups.

 ### Platform-Specific Code

- Don't directly reference platform-specific imports (`.api`, `.web`, `.electron`)
+- Don't directly reference platform-specific imports (`.api`, `.electron`)
 - Use conditional exports in `loot-core` for platform-specific code
 - Platform resolution happens at build time via package.json exports

@@ -501,7 +500,7 @@ Icons in `packages/component-library/src/icons/` are auto-generated. Don't manua

 1. Check `tsconfig.json` for path mappings
 2. Check package.json `exports` field (especially for loot-core)
-3. Verify platform-specific imports (`.web`, `.electron`, `.api`)
+3. Verify platform-specific imports (`.electron`, `.api`)
 4. Use absolute imports in `desktop-client` (enforced by ESLint)

 ### Build Failures
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1 +1,3 @@
 Please review the contributing documentation on our website: https://actualbudget.org/docs/contributing/
+
+If you plan to use AI tools when contributing, please also read our [AI Usage Policy](https://actualbudget.org/docs/contributing/ai-usage-policy).
--- a/bin/tests/validate-publish-imports.test.ts
+++ b/bin/tests/validate-publish-imports.test.ts
@@ -0,0 +1,218 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+
+import {
+  derivePublishImports,
+  validatePackage,
+} from '../validate-publish-imports.js';
+
+describe('derivePublishImports', () => {
+  it('prepends ./build/ to .js paths', () => {
+    const imports = {
+      '#account-db': './src/account-db.js',
+    };
+    expect(derivePublishImports(imports)).toEqual({
+      '#account-db': './build/src/account-db.js',
+    });
+  });
+
+  it('converts .ts extension to .js and prepends ./build/', () => {
+    const imports = {
+      '#migrations': './src/migrations.ts',
+    };
+    expect(derivePublishImports(imports)).toEqual({
+      '#migrations': './build/src/migrations.js',
+    });
+  });
+
+  it('converts .tsx extension to .js and prepends ./build/', () => {
+    const imports = {
+      '#component': './src/component.tsx',
+    };
+    expect(derivePublishImports(imports)).toEqual({
+      '#component': './build/src/component.js',
+    });
+  });
+
+  it('preserves wildcard patterns', () => {
+    const imports = {
+      '#accounts/*': './src/accounts/*.js',
+      '#services/*': './src/app-gocardless/services/*.ts',
+    };
+    expect(derivePublishImports(imports)).toEqual({
+      '#accounts/*': './build/src/accounts/*.js',
+      '#services/*': './build/src/app-gocardless/services/*.js',
+    });
+  });
+
+  it('handles multiple entries with mixed extensions', () => {
+    const imports = {
+      '#account-db': './src/account-db.js',
+      '#migrations': './src/migrations.ts',
+      '#app-gocardless/errors': './src/app-gocardless/errors.ts',
+      '#util/*': './src/util/*.ts',
+      '#scripts/*': './src/scripts/*.js',
+    };
+    expect(derivePublishImports(imports)).toEqual({
+      '#account-db': './build/src/account-db.js',
+      '#migrations': './build/src/migrations.js',
+      '#app-gocardless/errors': './build/src/app-gocardless/errors.js',
+      '#util/*': './build/src/util/*.js',
+      '#scripts/*': './build/src/scripts/*.js',
+    });
+  });
+
+  it('returns empty object for empty imports', () => {
+    expect(derivePublishImports({})).toEqual({});
+  });
+
+  it('throws error for non-string imports values', () => {
+    const imports = {
+      '#foo': './src/foo.js',
+      '#conditional': {
+        browser: './src/browser.js',
+        node: './src/node.js',
+      },
+    };
+    expect(() => derivePublishImports(imports)).toThrow(
+      'Unsupported imports target for "#conditional". Expected a string path.',
+    );
+  });
+
+  it('handles paths with /index.js suffix', () => {
+    const imports = {
+      '#util/title': './src/util/title/index.js',
+    };
+    expect(derivePublishImports(imports)).toEqual({
+      '#util/title': './build/src/util/title/index.js',
+    });
+  });
+});
+
+describe('validatePackage', () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'validate-imports-'));
+  });
+
+  afterEach(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  function writePackageJson(content: Record<string, unknown>) {
+    const filePath = path.join(tmpDir, 'package.json');
+    fs.writeFileSync(filePath, JSON.stringify(content, null, 2) + '\n');
+    return filePath;
+  }
+
+  it('skips packages with no publishConfig', () => {
+    const filePath = writePackageJson({
+      name: 'test-pkg',
+      imports: { '#foo': './src/foo.js' },
+    });
+    const { result, warnings } = validatePackage(filePath);
+    expect(result).toBeNull();
+    expect(warnings).toEqual([]);
+  });
+
+  it('skips packages with publishConfig but no publishConfig.imports', () => {
+    const filePath = writePackageJson({
+      name: 'test-pkg',
+      imports: { '#foo': './src/foo.js' },
+      publishConfig: { access: 'public' },
+    });
+    const { result, warnings } = validatePackage(filePath);
+    expect(result).toBeNull();
+    expect(warnings).toEqual([]);
+  });
+
+  it('warns when publishConfig.imports exists but imports does not', () => {
+    const filePath = writePackageJson({
+      name: 'test-pkg',
+      publishConfig: {
+        imports: { '#foo': './build/src/foo.js' },
+      },
+    });
+    const { result, warnings } = validatePackage(filePath);
+    expect(result).toBeNull();
+    expect(warnings).toHaveLength(1);
+    expect(warnings[0]).toContain('orphaned');
+  });
+
+  it('returns no errors when publishConfig.imports matches', () => {
+    const filePath = writePackageJson({
+      name: 'test-pkg',
+      imports: {
+        '#foo': './src/foo.js',
+        '#bar': './src/bar.ts',
+      },
+      publishConfig: {
+        imports: {
+          '#foo': './build/src/foo.js',
+          '#bar': './build/src/bar.js',
+        },
+      },
+    });
+    const { result } = validatePackage(filePath);
+    expect(result).not.toBeNull();
+    expect(result!.missingKeys).toEqual([]);
+    expect(result!.extraKeys).toEqual([]);
+    expect(result!.wrongValues).toEqual([]);
+  });
+
+  it('detects missing keys in publishConfig.imports', () => {
+    const filePath = writePackageJson({
+      name: 'test-pkg',
+      imports: {
+        '#foo': './src/foo.js',
+        '#bar': './src/bar.ts',
+      },
+      publishConfig: {
+        imports: {
+          '#foo': './build/src/foo.js',
+        },
+      },
+    });
+    const { result } = validatePackage(filePath);
+    expect(result!.missingKeys).toEqual(['#bar']);
+  });
+
+  it('detects extra keys in publishConfig.imports', () => {
+    const filePath = writePackageJson({
+      name: 'test-pkg',
+      imports: {
+        '#foo': './src/foo.js',
+      },
+      publishConfig: {
+        imports: {
+          '#foo': './build/src/foo.js',
+          '#orphan': './build/src/orphan.js',
+        },
+      },
+    });
+    const { result } = validatePackage(filePath);
+    expect(result!.extraKeys).toEqual(['#orphan']);
+  });
+
+  it('detects wrong values in publishConfig.imports', () => {
+    const filePath = writePackageJson({
+      name: 'test-pkg',
+      imports: {
+        '#foo': './src/foo.ts',
+      },
+      publishConfig: {
+        imports: {
+          '#foo': './src/foo.ts',
+        },
+      },
+    });
+    const { result } = validatePackage(filePath);
+    expect(result!.wrongValues).toEqual([
+      { key: '#foo', expected: './build/src/foo.js', actual: './src/foo.ts' },
+    ]);
+  });
+});
--- a/bin/package-browser
+++ b/bin/package-browser
@@ -16,6 +16,7 @@ packages/desktop-client/bin/remove-untranslated-languages

 export NODE_OPTIONS="--max-old-space-size=4096"

+yarn workspace @actual-app/crdt build
 yarn workspace plugins-service build
 yarn workspace @actual-app/core build:browser
 yarn workspace @actual-app/web build:browser
--- a/bin/package-electron
+++ b/bin/package-electron
@@ -43,6 +43,7 @@ if [ $SKIP_TRANSLATIONS == false ]; then

  pushd packages/desktop-client/locale > /dev/null

+  git checkout .
  git pull
  popd > /dev/null
  packages/desktop-client/bin/remove-untranslated-languages
@@ -50,6 +51,7 @@ fi

 export NODE_OPTIONS="--max-old-space-size=4096"

+yarn workspace @actual-app/crdt build
 yarn workspace plugins-service build
 yarn workspace @actual-app/core build:node
 yarn workspace @actual-app/web build --mode=desktop # electron specific build
--- a/bin/run-vrt
+++ b/bin/run-vrt
@@ -28,5 +28,5 @@ echo "Running VRT tests with the following parameters:"
 echo "E2E_START_URL: $E2E_START_URL"
 echo "VRT_ARGS: $VRT_ARGS"

-MSYS_NO_PATHCONV=1 docker run --rm --network host -v "$(pwd)":/work/ -w /work/ -it mcr.microsoft.com/playwright:v1.58.2-jammy /bin/bash \
+MSYS_NO_PATHCONV=1 docker run --rm --network host -v "$(pwd)":/work/ -w /work/ -it mcr.microsoft.com/playwright:v1.59.1-jammy /bin/bash \
  -c "E2E_START_URL=$E2E_START_URL yarn vrt $VRT_ARGS"
--- a/bin/validate-publish-imports.ts
+++ b/bin/validate-publish-imports.ts
@@ -0,0 +1,216 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
+/**
+ * Derives publishConfig.imports from imports by:
+ * 1. Prepending ./build/ to each value path
+ * 2. Replacing .ts/.tsx extensions with .js
+ */
+export function derivePublishImports(
+  imports: Record<string, string | object>,
+): Record<string, string> {
+  const result: Record<string, string> = {};
+  for (const [key, value] of Object.entries(imports)) {
+    if (typeof value !== 'string') {
+      throw new Error(
+        `Unsupported imports target for "${key}". Expected a string path.`,
+      );
+    }
+    const withBuildPrefix = value.replace(/^\.\//, './build/');
+    const withJsExtension = withBuildPrefix.replace(/\.tsx?$/, '.js');
+    result[key] = withJsExtension;
+  }
+  return result;
+}
+
+export type ValidationResult = {
+  packagePath: string;
+  packageName: string;
+  missingKeys: string[];
+  extraKeys: string[];
+  wrongValues: Array<{ key: string; expected: string; actual: string }>;
+};
+
+/**
+ * Validates publishConfig.imports against imports for a single package.json.
+ * Returns null if the package should be skipped (no publishConfig.imports).
+ * Returns a ValidationResult if the package has both fields.
+ */
+export function validatePackage(packageJsonPath: string): {
+  result: ValidationResult | null;
+  warnings: string[];
+} {
+  const warnings: string[] = [];
+  const content = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+  const packageName: string = content.name ?? packageJsonPath;
+
+  const imports: Record<string, string | object> | undefined = content.imports;
+  const publishImports: Record<string, string> | undefined =
+    content.publishConfig?.imports;
+
+  // No publishConfig.imports → skip
+  if (!publishImports) {
+    return { result: null, warnings };
+  }
+
+  // Has publishConfig.imports but no imports → warn
+  if (!imports) {
+    warnings.push(
+      `${packageName}: orphaned publishConfig.imports (no imports field)`,
+    );
+    return { result: null, warnings };
+  }
+
+  const expected = derivePublishImports(imports);
+  const expectedKeys = new Set(Object.keys(expected));
+  const actualKeys = new Set(Object.keys(publishImports));
+
+  const missingKeys = [...expectedKeys].filter(k => !actualKeys.has(k));
+  const extraKeys = [...actualKeys].filter(k => !expectedKeys.has(k));
+  const wrongValues: ValidationResult['wrongValues'] = [];
+
+  for (const key of expectedKeys) {
+    if (actualKeys.has(key) && publishImports[key] !== expected[key]) {
+      wrongValues.push({
+        key,
+        expected: expected[key],
+        actual: publishImports[key],
+      });
+    }
+  }
+
+  return {
+    result: {
+      packagePath: packageJsonPath,
+      packageName,
+      missingKeys,
+      extraKeys,
+      wrongValues,
+    },
+    warnings,
+  };
+}
+
+export function fixPackage(packageJsonPath: string): boolean {
+  const raw = fs.readFileSync(packageJsonPath, 'utf-8');
+  const content = JSON.parse(raw);
+
+  if (!content.imports || !content.publishConfig?.imports) {
+    return false;
+  }
+
+  const expected = derivePublishImports(content.imports);
+
+  // Check if already correct
+  if (
+    JSON.stringify(content.publishConfig.imports) === JSON.stringify(expected)
+  ) {
+    return false;
+  }
+
+  content.publishConfig.imports = expected;
+  fs.writeFileSync(packageJsonPath, JSON.stringify(content, null, 2) + '\n');
+  return true;
+}
+
+function findPackageJsonFiles(): string[] {
+  const packagesDir = path.resolve(__dirname, '..', 'packages');
+  const entries = fs.readdirSync(packagesDir, { withFileTypes: true });
+  const results: string[] = [];
+  for (const entry of entries) {
+    if (entry.isDirectory()) {
+      const pkgPath = path.join(packagesDir, entry.name, 'package.json');
+      if (fs.existsSync(pkgPath)) {
+        results.push(pkgPath);
+      }
+    }
+  }
+  return results;
+}
+
+function resolvePackageJsonPaths(filePaths: string[]): string[] {
+  const packagesRoot = path.resolve(__dirname, '..', 'packages');
+  const seen = new Set<string>();
+  for (const filePath of filePaths) {
+    const resolvedPath = path.resolve(filePath);
+    let dir = path.dirname(resolvedPath);
+    while (dir.startsWith(packagesRoot + path.sep)) {
+      const candidate = path.join(dir, 'package.json');
+      if (
+        fs.existsSync(candidate) &&
+        candidate.startsWith(packagesRoot + path.sep)
+      ) {
+        seen.add(candidate);
+        break;
+      }
+      dir = path.dirname(dir);
+    }
+  }
+  return [...seen];
+}
+
+function main() {
+  const args = process.argv.slice(2);
+  const fixMode = args.includes('--fix');
+  const filePaths = args.filter(arg => !arg.startsWith('--'));
+
+  const packageJsonFiles =
+    filePaths.length > 0
+      ? resolvePackageJsonPaths(filePaths)
+      : findPackageJsonFiles();
+
+  let hasErrors = false;
+  const allWarnings: string[] = [];
+
+  for (const pkgPath of packageJsonFiles) {
+    if (fixMode) {
+      const fixed = fixPackage(pkgPath);
+      if (fixed) {
+        const name = JSON.parse(fs.readFileSync(pkgPath, 'utf-8')).name;
+        console.log(`Fixed publishConfig.imports in ${name}`);
+      }
+    } else {
+      const { result, warnings } = validatePackage(pkgPath);
+      allWarnings.push(...warnings);
+
+      if (result) {
+        const hasIssues =
+          result.missingKeys.length > 0 ||
+          result.extraKeys.length > 0 ||
+          result.wrongValues.length > 0;
+
+        if (hasIssues) {
+          hasErrors = true;
+          console.error(`\n${result.packageName}:`);
+
+          for (const key of result.missingKeys) {
+            console.error(`  Missing key: ${key}`);
+          }
+          for (const key of result.extraKeys) {
+            console.error(`  Extra key: ${key}`);
+          }
+          for (const { key, expected, actual } of result.wrongValues) {
+            console.error(`  Wrong value for ${key}:`);
+            console.error(`    expected: ${expected}`);
+            console.error(`    actual:   ${actual}`);
+          }
+        }
+      }
+    }
+  }
+
+  for (const warning of allWarnings) {
+    console.warn(`Warning: ${warning}`);
+  }
+
+  if (hasErrors) {
+    console.error(
+      '\npublishConfig.imports is out of sync. Run with --fix to auto-fix.',
+    );
+    process.exit(1);
+  }
+}
+
+if (require.main === module) {
+  main();
+}
--- a/bin/vitest.config.mts
+++ b/bin/vitest.config.mts
@@ -0,0 +1,9 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    include: ['__tests__/**/*.test.ts'],
+    environment: 'node',
+  },
+});
--- a/lage.config.js
+++ b/lage.config.js
@@ -1,3 +1,5 @@
+const BUILD_OUTPUT_GLOBS = ['lib-dist/**', 'dist/**', 'build/**', '@types/**'];
+
 /** @type {import('lage').ConfigOptions} */
 module.exports = {
  pipeline: {
@@ -20,14 +22,14 @@ module.exports = {
      dependsOn: ['^build'],
      cache: true,
      options: {
-        outputGlob: ['lib-dist/**', 'dist/**', 'build/**'],
+        outputGlob: BUILD_OUTPUT_GLOBS,
      },
    },
  },
  cacheOptions: {
    cacheStorageConfig: {
      provider: 'local',
-      outputGlob: ['lib-dist/**', 'dist/**', 'build/**'],
+      outputGlob: BUILD_OUTPUT_GLOBS,
    },
  },
  npmClient: 'yarn',
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
    "build:browser": "./bin/package-browser",
    "build:desktop": "./bin/package-electron",
    "build:plugins-service": "yarn workspace plugins-service build",
-    "build:api": "yarn workspace @actual-app/api build",
+    "build:api": "yarn build --scope=@actual-app/api",
    "build:cli": "yarn build --scope=@actual-app/cli",
    "build:docs": "yarn workspace docs build",
    "build:storybook": "yarn workspace @actual-app/components build:storybook",
@@ -54,50 +54,57 @@
    "playwright": "yarn workspace @actual-app/web run playwright",
    "vrt": "yarn workspace @actual-app/web run vrt",
    "vrt:docker": "./bin/run-vrt",
-    "rebuild-electron": "./node_modules/.bin/electron-rebuild -m ./packages/loot-core",
+    "rebuild-electron": "./node_modules/.bin/electron-rebuild -m ./packages/loot-core && ./node_modules/.bin/electron-rebuild  -m ./packages/desktop-electron -o better-sqlite3,bcrypt",
    "rebuild-node": "yarn workspace @actual-app/core rebuild",
    "lint": "oxfmt --check . && oxlint --type-aware --quiet",
    "lint:fix": "oxfmt . && oxlint --fix --type-aware --quiet",
    "install:server": "yarn workspaces focus @actual-app/sync-server --production",
    "constraints": "yarn constraints",
    "typecheck": "tsgo -p tsconfig.root.json --noEmit && lage typecheck",
-    "jq": "./node_modules/node-jq/bin/jq",
+    "check:tsconfig-references": "workspaces-to-typescript-project-references --check",
+    "sync:tsconfig-references": "workspaces-to-typescript-project-references",
    "prepare": "husky"
  },
  "devDependencies": {
+    "@monorepo-utils/workspaces-to-typescript-project-references": "^2.10.3",
    "@octokit/rest": "^22.0.1",
-    "@types/node": "^22.19.15",
+    "@types/node": "^22.19.17",
    "@types/prompts": "^2.4.9",
-    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
+    "@typescript/native-preview": "beta",
    "@yarnpkg/types": "^4.0.1",
-    "baseline-browser-mapping": "^2.10.0",
-    "cross-env": "^10.1.0",
-    "eslint": "^9.39.3",
-    "eslint-plugin-perfectionist": "^5.6.0",
+    "eslint": "^10.2.0",
+    "eslint-plugin-perfectionist": "^5.8.0",
    "eslint-plugin-typescript-paths": "^0.0.33",
-    "html-to-image": "^1.11.13",
    "husky": "^9.1.7",
-    "lage": "^2.14.19",
-    "lint-staged": "^16.3.2",
-    "minimatch": "^10.2.4",
-    "node-jq": "^6.3.1",
+    "lage": "^2.15.5",
+    "lint-staged": "^16.4.0",
+    "minimatch": "^10.2.5",
    "npm-run-all": "^4.1.5",
-    "oxfmt": "^0.32.0",
-    "oxlint": "^1.51.0",
-    "oxlint-tsgolint": "^0.13.0",
+    "oxfmt": "^0.44.0",
+    "oxlint": "^1.59.0",
+    "oxlint-tsgolint": "^0.20.0",
    "p-limit": "^7.3.0",
    "prompts": "^2.4.2",
-    "source-map-support": "^0.5.21",
    "ts-node": "^10.9.2",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2",
+    "vitest": "^4.1.2"
  },
  "resolutions": {
    "adm-zip": "patch:adm-zip@npm%3A0.5.16#~/.yarn/patches/adm-zip-npm-0.5.16-4556fea098.patch",
-    "axios": "1.14.0",
+    "minimatch@10.2.1": "10.2.5",
+    "minimatch@3.1.2": "3.1.5",
+    "minimatch@>=10.0.0 <11.0.0": "10.2.5",
+    "minimatch@>=3.0.0 <4.0.0": "3.1.5",
+    "minimatch@>=5.0.0 <6.0.0": "5.1.9",
+    "minimatch@>=9.0.0 <10.0.0": "9.0.9",
    "rollup": "4.40.1",
    "socks": ">=2.8.3"
  },
  "lint-staged": {
+    "packages/*/{package.json,tsconfig.json}": [
+      "ts-node ./bin/validate-publish-imports.ts --fix",
+      "yarn sync:tsconfig-references"
+    ],
    "*.{js,mjs,jsx,ts,tsx,md,json,yml,yaml}": [
      "oxfmt --no-error-on-unmatched-pattern"
    ],
@@ -113,5 +120,5 @@
    "node": ">=22",
    "yarn": "^4.9.1"
  },
-  "packageManager": "yarn@4.10.3"
+  "packageManager": "yarn@4.13.0"
 }
--- a/packages/api/README.md
+++ b/packages/api/README.md
@@ -3,3 +3,7 @@ npm install @actual-app/api
 ```

 View docs here: https://actualbudget.org/docs/api/
+
+## TypeScript
+
+`@actual-app/api` publishes TypeScript declarations. Consumers using TypeScript must set `moduleResolution` to `"bundler"`, `"nodenext"`, or `"node16"` in their `tsconfig.json`. Legacy `"node"` / `"node10"` / `"classic"` resolution is not supported in strict mode — the published declarations rely on package.json `exports` conditions that older resolvers don't honor.
--- a/packages/api/app/query.js
+++ b/packages/api/app/query.js
@@ -1,5 +1,5 @@
 class Query {
-  /** @type {import('loot-core/shared/query').QueryState} */
+  /** @type {import('@actual-app/core/shared/query').QueryState} */
  state;

  constructor(state) {
--- a/packages/api/index.ts
+++ b/packages/api/index.ts
@@ -1,8 +1,3 @@
-import type {
-  RequestInfo as FetchInfo,
-  RequestInit as FetchInit,
-} from 'node-fetch';
-
 import { init as initLootCore } from '@actual-app/core/server/main';
 import type { InitConfig, lib } from '@actual-app/core/server/main';

@@ -17,14 +12,6 @@ export let internal: typeof lib | null = null;
 export async function init(config: InitConfig = {}) {
  validateNodeVersion();

-  if (!globalThis.fetch) {
-    globalThis.fetch = (url: URL | RequestInfo, init?: RequestInit) => {
-      return import('node-fetch').then(({ default: fetch }) =>
-        fetch(url as unknown as FetchInfo, init as unknown as FetchInit),
-      ) as unknown as Promise<Response>;
-    };
-  }
-
  internal = await initLootCore(config);
  return internal;
 }
--- a/packages/api/methods.test.ts
+++ b/packages/api/methods.test.ts
@@ -1,9 +1,8 @@
 import * as fs from 'fs/promises';
 import * as path from 'path';

-import { vi } from 'vitest';
-
 import type { RuleEntity } from '@actual-app/core/types/models';
+import { vi } from 'vitest';

 import * as api from './index';

--- a/packages/api/models.ts
+++ b/packages/api/models.ts
@@ -0,0 +1 @@
+export type * from '@actual-app/core/server/api-models';
--- a/packages/api/package.json
+++ b/packages/api/package.json
@@ -1,8 +1,13 @@
 {
  "name": "@actual-app/api",
-  "version": "26.4.0",
+  "version": "26.5.0",
  "description": "An API for Actual",
  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actualbudget/actual.git",
+    "directory": "packages/api"
+  },
  "files": [
    "@types",
    "dist"
@@ -11,8 +16,14 @@
  "types": "@types/index.d.ts",
  "exports": {
    ".": {
+      "types": "./@types/index.d.ts",
      "development": "./index.ts",
      "default": "./dist/index.js"
+    },
+    "./models": {
+      "types": "./@types/models.d.ts",
+      "development": "./models.ts",
+      "default": "./dist/models.js"
    }
  },
  "publishConfig": {
@@ -20,30 +31,31 @@
      ".": {
        "types": "./@types/index.d.ts",
        "default": "./dist/index.js"
+      },
+      "./models": {
+        "types": "./@types/models.d.ts",
+        "default": "./dist/models.js"
      }
    }
  },
  "scripts": {
-    "build": "vite build",
+    "build": "vite build && tsgo --emitDeclarationOnly",
    "test": "vitest --run",
    "typecheck": "tsgo -b && tsc-strict"
  },
  "dependencies": {
    "@actual-app/core": "workspace:*",
    "@actual-app/crdt": "workspace:*",
-    "better-sqlite3": "^12.6.2",
-    "compare-versions": "^6.1.1",
-    "node-fetch": "^3.3.2",
-    "uuid": "^13.0.0"
+    "better-sqlite3": "^12.8.0",
+    "compare-versions": "^6.1.1"
  },
  "devDependencies": {
-    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
-    "rollup-plugin-visualizer": "^6.0.11",
+    "@typescript/native-preview": "beta",
+    "rollup-plugin-visualizer": "^7.0.1",
    "typescript-strict-plugin": "^2.4.4",
-    "vite": "^8.0.0",
-    "vite-plugin-dts": "^4.5.4",
+    "vite": "^8.0.5",
    "vite-plugin-peggy-loader": "^2.0.1",
-    "vitest": "^4.1.0"
+    "vitest": "^4.1.2"
  },
  "engines": {
    "node": ">=20"
--- a/packages/api/tsconfig.json
+++ b/packages/api/tsconfig.json
@@ -7,6 +7,7 @@
    "target": "ES2021",
    "module": "es2022",
    "moduleResolution": "bundler",
+    "customConditions": ["api"],
    "noEmit": false,
    "declaration": true,
    "declarationMap": true,
@@ -14,9 +15,28 @@
    "rootDir": ".",
    "declarationDir": "@types",
    "tsBuildInfoFile": "dist/.tsbuildinfo",
-    "plugins": [{ "name": "typescript-strict-plugin", "paths": ["."] }]
+    "plugins": [
+      {
+        "name": "typescript-strict-plugin",
+        "paths": ["."]
+      }
+    ]
  },
-  "references": [{ "path": "../crdt" }, { "path": "../loot-core" }],
+  "references": [
+    {
+      "path": "../loot-core"
+    },
+    {
+      "path": "../crdt"
+    }
+  ],
  "include": ["."],
-  "exclude": ["**/node_modules/*", "dist", "@types", "*.test.ts", "*.config.ts"]
+  "exclude": [
+    "**/node_modules/*",
+    "dist",
+    "@types",
+    "*.test.ts",
+    "*.config.ts",
+    "*.config.mts"
+  ]
 }
--- a/packages/api/vite.config.mts
+++ b/packages/api/vite.config.mts
@@ -3,7 +3,6 @@ import path from 'path';

 import { visualizer } from 'rollup-plugin-visualizer';
 import { defineConfig } from 'vite';
-import dts from 'vite-plugin-dts';
 import peggyLoader from 'vite-plugin-peggy-loader';

 const lootCoreRoot = path.resolve(__dirname, '../loot-core');
@@ -55,7 +54,11 @@ function copyMigrationsAndDefaultDb() {
 }

 export default defineConfig({
-  ssr: { noExternal: true, external: ['better-sqlite3'] },
+  ssr: {
+    noExternal: true,
+    external: ['better-sqlite3'],
+    resolve: { conditions: ['api'] },
+  },
  build: {
    ssr: true,
    target: 'node20',
@@ -63,24 +66,22 @@ export default defineConfig({
    emptyOutDir: true,
    sourcemap: true,
    lib: {
-      entry: path.resolve(__dirname, 'index.ts'),
+      entry: {
+        index: path.resolve(__dirname, 'index.ts'),
+        models: path.resolve(__dirname, 'models.ts'),
+      },
      formats: ['cjs'],
-      fileName: () => 'index.js',
+      fileName: (_format, entryName) => `${entryName}.js`,
    },
  },
  plugins: [
    cleanOutputDirs(),
    peggyLoader(),
-    dts({
-      tsconfigPath: path.resolve(__dirname, 'tsconfig.json'),
-      outDir: path.resolve(__dirname, '@types'),
-      rollupTypes: true,
-    }),
    copyMigrationsAndDefaultDb(),
    visualizer({ template: 'raw-data', filename: 'app/stats.json' }),
  ],
  resolve: {
-    extensions: ['.api.ts', '.js', '.ts', '.tsx', '.json'],
+    conditions: ['api'],
  },
  test: {
    globals: true,
--- a/packages/ci-actions/bin/release-notes-check.mjs
+++ b/packages/ci-actions/bin/release-notes-check.mjs
@@ -0,0 +1,68 @@
+import * as fs from 'node:fs';
+
+import matter from 'gray-matter';
+
+import {
+  categoryAutocorrections,
+  categoryOrder,
+} from '../src/release-notes/util.mjs';
+
+console.log('Looking in ' + fs.realpathSync('upcoming-release-notes'));
+
+const expectedPath = `upcoming-release-notes/${process.env.PR_NUMBER}.md`;
+
+function reportError(message) {
+  console.log(`::error::${message}`);
+
+  process.stdout.write('::notice::');
+  fs.createReadStream('upcoming-release-notes/README.md').pipe(process.stdout);
+
+  fs.createReadStream('upcoming-release-notes/README.md')
+    .pipe(fs.createWriteStream(process.env.GITHUB_STEP_SUMMARY))
+    .on('close', () => {
+      process.exit(1);
+    });
+}
+
+(() => {
+  if (!fs.existsSync(expectedPath)) {
+    reportError(`Release note file ${expectedPath} not found`);
+    return;
+  }
+
+  const { data, content } = matter(fs.readFileSync(expectedPath, 'utf-8'));
+
+  if (!data.category) {
+    reportError(`Release note is missing a category.`);
+    return;
+  }
+  if (categoryAutocorrections[data.category]) {
+    data.category = categoryAutocorrections[data.category];
+  }
+  if (!categoryOrder.includes(data.category)) {
+    reportError(
+      `Release note category "${data.category}" is not one of ${categoryOrder
+        .map(JSON.stringify)
+        .join(', ')}`,
+    );
+    return;
+  }
+
+  if (!data.authors) {
+    reportError(`Release note is missing authors.`);
+    return;
+  }
+  if (!Array.isArray(data.authors)) {
+    reportError(`Release note authors should be a list.`);
+    return;
+  }
+
+  if (content.trim().split('\n').length !== 1) {
+    reportError(
+      `Release note file ${expectedPath} body should contain exactly one line`,
+    );
+    return;
+  }
+
+  console.log('Everything looks good! \u{1f389}');
+})();
--- a/packages/ci-actions/bin/release-notes-generate.mjs
+++ b/packages/ci-actions/bin/release-notes-generate.mjs
@@ -0,0 +1,312 @@
+import * as childProcess from 'node:child_process';
+import * as fs from 'node:fs/promises';
+import { join } from 'node:path';
+import { inspect, promisify } from 'node:util';
+
+import matter from 'gray-matter';
+import listify from 'listify';
+
+import {
+  categoryAutocorrections,
+  categoryOrder,
+} from '../src/release-notes/util.mjs';
+
+const exec = promisify(childProcess.exec);
+
+const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
+
+const apiResult = await fetch('https://api.github.com/graphql', {
+  method: 'POST',
+  headers: {
+    Authorization: `bearer ${process.env.GITHUB_TOKEN}`,
+    'Content-Type': 'application/json',
+  },
+  body: JSON.stringify({
+    query: /* GraphQL */ `
+      query GetPRMetadata(
+        $name: String!
+        $owner: String!
+        $headRefName: String!
+      ) {
+        repository(name: $name, owner: $owner) {
+          pullRequests(headRefName: $headRefName, first: 1) {
+            edges {
+              node {
+                number
+                headRefName
+                body
+              }
+            }
+          }
+        }
+      }
+    `,
+    variables: {
+      name: repo,
+      owner,
+      headRefName: process.env.GITHUB_HEAD_REF || process.env.GITHUB_REF_NAME,
+    },
+  }),
+}).then(res => res.json());
+
+await collapsedLog('API Response', apiResult);
+
+const prData = apiResult.data.repository.pullRequests.edges[0].node;
+
+const version = prData.headRefName.split('/')[1].replace(/^v/, '');
+const slug = version.replace(/\./g, '-');
+const author = process.env.GITHUB_ACTOR || 'TODO';
+const commitMessage = `Generate release notes for v${version}`;
+
+const releaseDateMatch = (prData.body || '').match(
+  /<!-- release-date:(\d{4}-\d{2}-\d{2}) -->/,
+);
+const releaseDate = releaseDateMatch ? releaseDateMatch[1] : 'TODO';
+
+const botName = 'github-actions[bot]';
+const botEmail = '41898282+github-actions[bot]@users.noreply.github.com';
+
+await exec(`git config user.name '${botName}'`);
+await exec(`git config user.email '${botEmail}'`);
+
+const AUTOGEN_MARKER = '<!-- release-notes:auto-generated -->';
+
+await group('Prepare branch', async () => {
+  if (process.env.GITHUB_HEAD_REF) {
+    await exec(`git fetch origin ${process.env.GITHUB_HEAD_REF}`, {
+      stdio: 'inherit',
+    });
+    await exec(`git checkout ${process.env.GITHUB_HEAD_REF}`, {
+      stdio: 'inherit',
+    });
+  }
+
+  // recover deleted release note files from previous generation commits
+  const baseRef = process.env.GITHUB_BASE_REF || 'master';
+  await exec(`git fetch origin ${baseRef}`, { stdio: 'inherit' });
+  const { stdout: mergeBase } = await exec(
+    `git merge-base HEAD origin/${baseRef}`,
+  );
+  const base = mergeBase.trim();
+  const { stdout: genLog } = await exec(
+    `git log --grep='${commitMessage}' --format=%H ${base}..HEAD`,
+  );
+  const genCommits = genLog.split('\n').filter(Boolean);
+  console.log(
+    `Reversing upcoming-release-notes deletions from ${genCommits.length} prior generation commit(s)`,
+  );
+  const tmpDir = process.env.RUNNER_TEMP || '/tmp';
+  for (const sha of genCommits) {
+    const patchPath = join(tmpDir, `revert-${sha}.patch`);
+    try {
+      await exec(
+        `git diff --diff-filter=D ${sha}~1..${sha} -- upcoming-release-notes > ${patchPath}`,
+      );
+      const { size } = await fs.stat(patchPath);
+      if (size > 0) {
+        await exec(`git apply -R --3way ${patchPath}`, { stdio: 'inherit' });
+      }
+    } finally {
+      await fs.unlink(patchPath).catch(() => undefined);
+    }
+  }
+});
+
+const { notesByCategory, files } = await parseReleaseNotes(
+  'upcoming-release-notes',
+);
+const categorizedNotes = formatNotes(notesByCategory);
+
+await collapsedLog('Release Notes', categorizedNotes);
+
+if (files.length === 0) {
+  console.log('No release notes found, nothing to generate');
+  process.exit(0);
+}
+
+const highlights = '- TODO: Add release highlights';
+
+const blogPath = join(
+  'packages/docs/blog',
+  `${releaseDate}-release-${slug}.md`,
+);
+const releasesPath = 'packages/docs/docs/releases.md';
+
+await group('Generate blog post', async () => {
+  const template = `---
+title: Release ${version}
+description: New release of Actual.
+date: ${releaseDate}T10:00
+slug: release-${version}
+tags: [announcement, release]
+hide_table_of_contents: false
+authors: ${author}
+---
+
+${highlights}
+
+<!--truncate-->
+
+**Docker Tag: ${version}**
+
+${AUTOGEN_MARKER}
+
+${categorizedNotes}
+`;
+
+  let blogContent;
+  try {
+    const existing = await fs.readFile(blogPath, 'utf-8');
+    const idx = existing.indexOf(AUTOGEN_MARKER);
+    if (idx === -1) {
+      console.log(
+        `WARNING: ${blogPath} missing ${AUTOGEN_MARKER}, rewriting from template`,
+      );
+      blogContent = template;
+    } else {
+      blogContent =
+        existing.slice(0, idx + AUTOGEN_MARKER.length) +
+        '\n' +
+        categorizedNotes +
+        '\n';
+    }
+  } catch (e) {
+    if (e.code !== 'ENOENT') throw e;
+    blogContent = template;
+  }
+
+  await fs.writeFile(blogPath, blogContent);
+  console.log(`Wrote ${blogPath}`);
+});
+
+await group('Update releases.md', async () => {
+  const existing = await fs.readFile(releasesPath, 'utf-8');
+
+  const sectionRe = new RegExp(
+    `(^|\\n)## ${escapeRegExp(version)}\\n[\\s\\S]*?(?=\\n## |$)`,
+  );
+  const match = existing.match(sectionRe);
+
+  let updated;
+  if (match) {
+    const section = match[0];
+    const idx = section.indexOf(AUTOGEN_MARKER);
+    if (idx === -1) {
+      console.log(
+        `WARNING: section for ${version} in ${releasesPath} missing ${AUTOGEN_MARKER}, leaving as-is`,
+      );
+      updated = existing;
+    } else {
+      const newSection =
+        section.slice(0, idx + AUTOGEN_MARKER.length) + '\n' + categorizedNotes;
+      updated = existing.replace(section, newSection);
+    }
+  } else {
+    const newSection = `## ${version}
+
+Release date: ${releaseDate}
+
+${highlights}
+
+**Docker Tag: ${version}**
+
+${AUTOGEN_MARKER}
+
+${categorizedNotes}`;
+    updated = existing.replace(
+      '# Release Notes\n',
+      `# Release Notes\n\n${newSection}\n`,
+    );
+  }
+
+  await fs.writeFile(releasesPath, updated);
+  console.log(`Updated ${releasesPath}`);
+});
+
+await group('Remove used release notes', async () => {
+  await Promise.all(
+    files.map(f => fs.unlink(join('upcoming-release-notes', f))),
+  );
+});
+
+await group('Format generated files', async () => {
+  await exec(`yarn exec oxfmt ${blogPath} ${releasesPath}`, {
+    stdio: 'inherit',
+  });
+});
+
+await group('Commit and push', async () => {
+  await exec(
+    'git add upcoming-release-notes packages/docs/blog packages/docs/docs/releases.md',
+    { stdio: 'inherit' },
+  );
+
+  try {
+    await exec('git diff --cached --quiet');
+    console.log('No changes to commit');
+    return;
+  } catch {
+    // there are staged changes
+  }
+
+  await exec(`git commit -m '${commitMessage}'`);
+  await exec('git push origin', { stdio: 'inherit' });
+});
+
+async function parseReleaseNotes(dir) {
+  const files = (await fs.readdir(dir)).filter(f => f.match(/^\d+\.md$/));
+  const notes = files.map(async name => {
+    const content = await fs.readFile(join(dir, name), 'utf-8');
+    const { data, content: body } = matter(content);
+    const number = name.replace('.md', '');
+    const authors = listify(
+      data.authors.map(a => `@${a}`),
+      { finalWord: '&' },
+    );
+    return {
+      category: categoryAutocorrections[data.category] ?? data.category,
+      value: `- [#${number}](https://github.com/actualbudget/${repo}/pull/${number}) ${body.trim()} — thanks ${authors}`,
+    };
+  });
+
+  const notesByCategory = (await Promise.all(notes)).reduce(
+    (acc, note) => {
+      if (!acc[note.category]) {
+        console.log(`WARNING: Unrecognized category "${note.category}"`);
+        acc[note.category] = [];
+      }
+      acc[note.category].push(note.value);
+      return acc;
+    },
+    Object.fromEntries(categoryOrder.map(c => [c, []])),
+  );
+
+  return { notesByCategory, files };
+}
+
+function escapeRegExp(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function formatNotes(notes) {
+  return Object.entries(notes)
+    .filter(([_, values]) => values.length > 0)
+    .map(([category, values]) => `#### ${category}\n\n${values.join('\n')}`)
+    .join('\n\n');
+}
+
+async function collapsedLog(name, value) {
+  await group(name, () => {
+    if (typeof value === 'string') {
+      console.log(value);
+    } else {
+      console.log(inspect(value, { depth: null }));
+    }
+  });
+}
+
+async function group(name, cb) {
+  console.log(`::group::${name}`);
+  await cb();
+  console.log('::endgroup::');
+}
--- a/packages/ci-actions/package.json
+++ b/packages/ci-actions/package.json
@@ -8,9 +8,12 @@
    "typecheck": "tsgo -b"
  },
  "devDependencies": {
-    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
+    "@octokit/rest": "^22.0.1",
+    "@typescript/native-preview": "beta",
    "extensionless": "^2.0.6",
-    "vitest": "^4.1.0"
+    "gray-matter": "^4.0.3",
+    "listify": "^1.0.3",
+    "vitest": "^4.1.2"
  },
  "extensionless": {
    "lookFor": [
--- a/packages/ci-actions/src/release-notes/util.mjs
+++ b/packages/ci-actions/src/release-notes/util.mjs
@@ -0,0 +1,12 @@
+export const categoryAutocorrections = {
+  Feature: 'Features',
+  Enhancement: 'Enhancements',
+  Bugfix: 'Bugfixes',
+};
+
+export const categoryOrder = [
+  'Features',
+  'Enhancements',
+  'Bugfixes',
+  'Maintenance',
+];
--- a/packages/ci-actions/src/versions/get-next-package-version.ts
+++ b/packages/ci-actions/src/versions/get-next-package-version.ts
@@ -60,7 +60,7 @@ function resolveType(
    currentDate.getFullYear() === 2000 + versionYear &&
    currentDate.getMonth() + 1 === versionMonth;

-  if (inPatchMonth && currentDate.getDate() <= 25) {
+  if (inPatchMonth && currentDate.getDate() < 25) {
    return 'hotfix';
  }

--- a/packages/cli/README.md
+++ b/packages/cli/README.md
@@ -98,8 +98,8 @@ Run `actual <command> --help` for subcommands and options.
 ### Examples

 ```bash
-# List all accounts (as a table)
-actual accounts list --format table
+# List all accounts (as a table; excludes closed by default)
+actual accounts list [--include-closed] --format table

 # Find an entity ID by name
 actual server get-id --type accounts --name "Checking"
@@ -122,13 +122,35 @@ actual query run --table transactions \

 ### Amount Convention

-All monetary amounts are **integer cents**:
+All monetary amounts are **integer cents** when passed as input (flags, JSON):

 | CLI Value | Dollar Amount |
 | --------- | ------------- |
 | `5000`    | $50.00        |
 | `-12350`  | -$123.50      |

+**Output formatting:** Table (`--format table`) and CSV (`--format csv`) output automatically converts cent values to decimal (e.g. `1665.00` instead of `166500`). JSON output always returns raw cents for programmatic use.
+
+### Tips & Common Pitfalls
+
+- **Split transactions:** When summing or counting transactions, filter `"is_parent": false` to avoid double-counting. A split parent holds the total amount, and its children hold the individual parts — including both would count the total twice.
+
+- **Avoid rapid sequential requests:** Each CLI invocation opens a new server connection. Running queries in a tight loop (e.g. one per month) may trigger rate limiting or authentication failures. Instead, fetch all data in a single query with a date range filter and process locally:
+
+  ```bash
+  # Good: single query for the full year
+  actual query run --table transactions \
+    --filter '{"$and":[{"date":{"$gte":"2025-01-01"}},{"date":{"$lte":"2025-12-31"}}]}' \
+    --limit 5000
+
+  # Bad: one query per month in a loop (may fail with auth errors)
+  for month in 01 02 03 ...; do actual query run ...; done
+  ```
+
+- **Uncategorized transactions:** `category.name` is `null` for transactions without a category. Account for this when filtering or grouping by category.
+
+- **No date sub-fields in AQL:** `date.month`, `date.year`, etc. are not supported as query fields. To group by month, fetch raw transactions with a date range filter and aggregate locally in a script.
+
 ## Running Locally (Development)

 If you're working on the CLI within the monorepo:
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,8 +1,13 @@
 {
  "name": "@actual-app/cli",
-  "version": "26.4.0",
+  "version": "26.5.0",
  "description": "CLI for Actual Budget",
  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actualbudget/actual.git",
+    "directory": "packages/cli"
+  },
  "bin": {
    "actual": "./dist/cli.js",
    "actual-cli": "./dist/cli.js"
@@ -11,6 +16,14 @@
    "dist"
  ],
  "type": "module",
+  "imports": {
+    "#commands/*": "./src/commands/*.ts",
+    "#config": "./src/config.ts",
+    "#connection": "./src/connection.ts",
+    "#input": "./src/input.ts",
+    "#output": "./src/output.ts",
+    "#utils": "./src/utils.ts"
+  },
  "scripts": {
    "build": "vite build",
    "test": "vitest --run",
@@ -19,15 +32,15 @@
  "dependencies": {
    "@actual-app/api": "workspace:*",
    "cli-table3": "^0.6.5",
-    "commander": "^13.0.0",
-    "cosmiconfig": "^9.0.0"
+    "commander": "^14.0.3",
+    "cosmiconfig": "^9.0.1"
  },
  "devDependencies": {
-    "@types/node": "^22.19.15",
-    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
-    "rollup-plugin-visualizer": "^6.0.11",
-    "vite": "^8.0.0",
-    "vitest": "^4.1.0"
+    "@types/node": "^22.19.17",
+    "@typescript/native-preview": "beta",
+    "rollup-plugin-visualizer": "^7.0.1",
+    "vite": "^8.0.5",
+    "vitest": "^4.1.2"
  },
  "engines": {
    "node": ">=22"
--- a/packages/cli/src/commands/accounts.test.ts
+++ b/packages/cli/src/commands/accounts.test.ts
@@ -1,7 +1,7 @@
 import * as api from '@actual-app/api';
 import { Command } from 'commander';

-import { printOutput } from '../output';
+import { printOutput } from '#output';

 import { registerAccountsCommand } from './accounts';

@@ -15,11 +15,11 @@ vi.mock('@actual-app/api', () => ({
  getAccountBalance: vi.fn().mockResolvedValue(10000),
 }));

-vi.mock('../connection', () => ({
+vi.mock('#connection', () => ({
  withConnection: vi.fn((_opts, fn) => fn()),
 }));

-vi.mock('../output', () => ({
+vi.mock('#output', () => ({
  printOutput: vi.fn(),
 }));

@@ -62,14 +62,28 @@ describe('accounts commands', () => {
  });

  describe('list', () => {
-    it('calls api.getAccounts and prints result', async () => {
-      const accounts = [{ id: '1', name: 'Checking' }];
+    it('calls api.getAccounts and prints result with computed balance', async () => {
+      const accounts = [
+        { id: '1', name: 'Checking', offbudget: false, closed: false },
+      ];
      vi.mocked(api.getAccounts).mockResolvedValue(accounts);

      await run(['accounts', 'list']);

      expect(api.getAccounts).toHaveBeenCalled();
-      expect(printOutput).toHaveBeenCalledWith(accounts, undefined);
+      expect(api.getAccountBalance).toHaveBeenCalledWith('1');
+      expect(printOutput).toHaveBeenCalledWith(
+        [
+          {
+            id: '1',
+            name: 'Checking',
+            offbudget: false,
+            closed: false,
+            balance: 10000,
+          },
+        ],
+        undefined,
+      );
    });

    it('passes format option to printOutput', async () => {
@@ -79,6 +93,59 @@ describe('accounts commands', () => {

      expect(printOutput).toHaveBeenCalledWith([], 'csv');
    });
+
+    it('filters out closed accounts by default', async () => {
+      vi.mocked(api.getAccounts).mockResolvedValue([
+        { id: '1', name: 'Open', offbudget: false, closed: false },
+        { id: '2', name: 'Closed', offbudget: false, closed: true },
+      ]);
+
+      await run(['accounts', 'list']);
+
+      expect(printOutput).toHaveBeenCalledWith(
+        [
+          {
+            id: '1',
+            name: 'Open',
+            offbudget: false,
+            closed: false,
+            balance: 10000,
+          },
+        ],
+        undefined,
+      );
+    });
+
+    it('includes closed accounts when --include-closed is passed', async () => {
+      vi.mocked(api.getAccounts).mockResolvedValue([
+        { id: '1', name: 'Open', offbudget: false, closed: false },
+        { id: '2', name: 'Closed', offbudget: false, closed: true },
+      ]);
+
+      await run(['accounts', 'list', '--include-closed']);
+
+      expect(printOutput).toHaveBeenCalledWith(
+        expect.arrayContaining([
+          expect.objectContaining({ id: '2', closed: true }),
+        ]),
+        undefined,
+      );
+    });
+
+    it('sorts on-budget accounts before off-budget', async () => {
+      vi.mocked(api.getAccounts).mockResolvedValue([
+        { id: '1', name: 'OffBudget', offbudget: true, closed: false },
+        { id: '2', name: 'OnBudget', offbudget: false, closed: false },
+      ]);
+
+      await run(['accounts', 'list']);
+
+      const output = vi.mocked(printOutput).mock.calls[0][0] as Array<{
+        id: string;
+      }>;
+      expect(output[0].id).toBe('2'); // on-budget first
+      expect(output[1].id).toBe('1'); // off-budget second
+    });
  });

  describe('create', () => {
--- a/packages/cli/src/commands/accounts.ts
+++ b/packages/cli/src/commands/accounts.ts
@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { printOutput } from '../output';
-import { parseBoolFlag, parseIntFlag } from '../utils';
+import { withConnection } from '#connection';
+import { printOutput } from '#output';
+import { parseBoolFlag, parseIntFlag } from '#utils';

 export function registerAccountsCommand(program: Command) {
  const accounts = program.command('accounts').description('Manage accounts');
@@ -11,11 +11,28 @@ export function registerAccountsCommand(program: Command) {
  accounts
    .command('list')
    .description('List all accounts')
-    .action(async () => {
+    .option('--include-closed', 'Include closed accounts', false)
+    .action(async cmdOpts => {
      const opts = program.opts();
      await withConnection(opts, async () => {
-        const result = await api.getAccounts();
-        printOutput(result, opts.format);
+        const allAccounts = await api.getAccounts();
+        const accounts = allAccounts.filter(
+          a => cmdOpts.includeClosed || !a.closed,
+        );
+        // Stable sort: on-budget first, off-budget second
+        // (preserves API sort_order within each group)
+        accounts.sort((a, b) => Number(a.offbudget) - Number(b.offbudget));
+        const balances = await Promise.all(
+          accounts.map(a => api.getAccountBalance(a.id)),
+        );
+        const output = accounts.map((a, i) => ({
+          id: a.id,
+          name: a.name,
+          offbudget: a.offbudget,
+          closed: a.closed,
+          balance: balances[i],
+        }));
+        printOutput(output, opts.format);
      });
    });

@@ -24,7 +41,11 @@ export function registerAccountsCommand(program: Command) {
    .description('Create a new account')
    .requiredOption('--name <name>', 'Account name')
    .option('--offbudget', 'Create as off-budget account', false)
-    .option('--balance <amount>', 'Initial balance in cents', '0')
+    .option(
+      '--balance <amount>',
+      'Initial balance in cents (e.g. 50000 = 500.00)',
+      '0',
+    )
    .action(async cmdOpts => {
      const balance = parseIntFlag(cmdOpts.balance, '--balance');
      const opts = program.opts();
--- a/packages/cli/src/commands/budgets.ts
+++ b/packages/cli/src/commands/budgets.ts
@@ -1,10 +1,10 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { resolveConfig } from '../config';
-import { withConnection } from '../connection';
-import { printOutput } from '../output';
-import { parseBoolFlag, parseIntFlag } from '../utils';
+import { resolveConfig } from '#config';
+import { withConnection } from '#connection';
+import { printOutput } from '#output';
+import { parseBoolFlag, parseIntFlag } from '#utils';

 export function registerBudgetsCommand(program: Command) {
  const budgets = program.command('budgets').description('Manage budgets');
@@ -82,7 +82,10 @@ export function registerBudgetsCommand(program: Command) {
    .description('Set budget amount for a category in a month')
    .requiredOption('--month <month>', 'Budget month (YYYY-MM)')
    .requiredOption('--category <id>', 'Category ID')
-    .requiredOption('--amount <amount>', 'Amount in cents')
+    .requiredOption(
+      '--amount <amount>',
+      'Amount in cents (e.g. 50000 = 500.00)',
+    )
    .action(async cmdOpts => {
      const amount = parseIntFlag(cmdOpts.amount, '--amount');
      const opts = program.opts();
@@ -111,7 +114,10 @@ export function registerBudgetsCommand(program: Command) {
    .command('hold-next-month')
    .description('Hold budget amount for next month')
    .requiredOption('--month <month>', 'Budget month (YYYY-MM)')
-    .requiredOption('--amount <amount>', 'Amount in cents')
+    .requiredOption(
+      '--amount <amount>',
+      'Amount in cents (e.g. 50000 = 500.00)',
+    )
    .action(async cmdOpts => {
      const parsedAmount = parseIntFlag(cmdOpts.amount, '--amount');
      const opts = program.opts();
--- a/packages/cli/src/commands/categories.ts
+++ b/packages/cli/src/commands/categories.ts
@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { printOutput } from '../output';
-import { parseBoolFlag } from '../utils';
+import { withConnection } from '#connection';
+import { printOutput } from '#output';
+import { parseBoolFlag } from '#utils';

 export function registerCategoriesCommand(program: Command) {
  const categories = program
--- a/packages/cli/src/commands/category-groups.ts
+++ b/packages/cli/src/commands/category-groups.ts
@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { printOutput } from '../output';
-import { parseBoolFlag } from '../utils';
+import { withConnection } from '#connection';
+import { printOutput } from '#output';
+import { parseBoolFlag } from '#utils';

 export function registerCategoryGroupsCommand(program: Command) {
  const groups = program
--- a/packages/cli/src/commands/payees.ts
+++ b/packages/cli/src/commands/payees.ts
@@ -1,8 +1,8 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { printOutput } from '../output';
+import { withConnection } from '#connection';
+import { printOutput } from '#output';

 export function registerPayeesCommand(program: Command) {
  const payees = program.command('payees').description('Manage payees');
--- a/packages/cli/src/commands/query.test.ts
+++ b/packages/cli/src/commands/query.test.ts
@@ -1,7 +1,7 @@
 import * as api from '@actual-app/api';
 import { Command } from 'commander';

-import { printOutput } from '../output';
+import { printOutput } from '#output';

 import { parseOrderBy, registerQueryCommand } from './query';

@@ -21,11 +21,11 @@ vi.mock('@actual-app/api', () => {
  };
 });

-vi.mock('../connection', () => ({
+vi.mock('#connection', () => ({
  withConnection: vi.fn((_opts, fn) => fn()),
 }));

-vi.mock('../output', () => ({
+vi.mock('#output', () => ({
  printOutput: vi.fn(),
 }));

@@ -145,6 +145,25 @@ describe('query commands', () => {
      ]);
    });

+    it('outputs unwrapped data array (not the full result envelope)', async () => {
+      const mockData = [{ id: '1', amount: -500 }];
+      vi.mocked(api.aqlQuery).mockResolvedValueOnce({
+        data: mockData,
+        dependencies: [],
+      });
+
+      await run([
+        'query',
+        'run',
+        '--table',
+        'transactions',
+        '--select',
+        'id,amount',
+      ]);
+
+      expect(printOutput).toHaveBeenCalledWith(mockData, undefined);
+    });
+
    it('passes --filter as JSON', async () => {
      await run([
        'query',
--- a/packages/cli/src/commands/query.ts
+++ b/packages/cli/src/commands/query.ts
@@ -1,14 +1,10 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { readJsonInput } from '../input';
-import { printOutput } from '../output';
-import { parseIntFlag } from '../utils';
-
-function isRecord(value: unknown): value is Record<string, unknown> {
-  return typeof value === 'object' && value !== null && !Array.isArray(value);
-}
+import { withConnection } from '#connection';
+import { readJsonInput } from '#input';
+import { printOutput } from '#output';
+import { isRecord, parseIntFlag } from '#utils';

 /**
 * Parse order-by strings like "date:desc,amount:asc,id" into
@@ -253,7 +249,17 @@ Available tables: ${AVAILABLE_TABLES}
 Use "actual query tables" and "actual query fields <table>" for schema info.

 Common filter operators: $eq, $ne, $lt, $lte, $gt, $gte, $like, $and, $or
-See ActualQL docs for full reference: https://actualbudget.org/docs/api/actual-ql/`;
+See ActualQL docs for full reference: https://actualbudget.org/docs/api/actual-ql/
+
+Tips:
+  - Amounts are stored as integer cents (e.g. 166500 = 1665.00).
+    Table and CSV output auto-formats these as decimals; JSON keeps raw cents.
+  - Filter "is_parent": false to avoid double-counting split transactions.
+  - Fetch all data in a single query with a date range instead of running
+    one query per month — rapid sequential requests may cause auth failures.
+  - date.month, date.year etc. are not supported as fields in AQL.
+    To group by month, fetch raw transactions with a date range filter
+    and aggregate locally (e.g. in a script).`;

 export function registerQueryCommand(program: Command) {
  const query = program
@@ -306,10 +312,14 @@ export function registerQueryCommand(program: Command) {

        const result = await api.aqlQuery(queryObj);

+        if (!isRecord(result) || !('data' in result)) {
+          throw new Error('Query result missing data');
+        }
+
        if (cmdOpts.count) {
          printOutput({ count: result.data }, opts.format);
        } else {
-          printOutput(result, opts.format);
+          printOutput(result.data, opts.format);
        }
      });
    });
--- a/packages/cli/src/commands/rules.ts
+++ b/packages/cli/src/commands/rules.ts
@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { readJsonInput } from '../input';
-import { printOutput } from '../output';
+import { withConnection } from '#connection';
+import { readJsonInput } from '#input';
+import { printOutput } from '#output';

 export function registerRulesCommand(program: Command) {
  const rules = program
--- a/packages/cli/src/commands/schedules.ts
+++ b/packages/cli/src/commands/schedules.ts
@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { readJsonInput } from '../input';
-import { printOutput } from '../output';
+import { withConnection } from '#connection';
+import { readJsonInput } from '#input';
+import { printOutput } from '#output';

 export function registerSchedulesCommand(program: Command) {
  const schedules = program
--- a/packages/cli/src/commands/server.ts
+++ b/packages/cli/src/commands/server.ts
@@ -2,8 +2,8 @@ import * as api from '@actual-app/api';
 import { Option } from 'commander';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { printOutput } from '../output';
+import { withConnection } from '#connection';
+import { printOutput } from '#output';

 export function registerServerCommand(program: Command) {
  const server = program.command('server').description('Server utilities');
--- a/packages/cli/src/commands/tags.ts
+++ b/packages/cli/src/commands/tags.ts
@@ -1,8 +1,8 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { printOutput } from '../output';
+import { withConnection } from '#connection';
+import { printOutput } from '#output';

 export function registerTagsCommand(program: Command) {
  const tags = program.command('tags').description('Manage tags');
--- a/packages/cli/src/commands/transactions.ts
+++ b/packages/cli/src/commands/transactions.ts
@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';

-import { withConnection } from '../connection';
-import { readJsonInput } from '../input';
-import { printOutput } from '../output';
+import { withConnection } from '#connection';
+import { readJsonInput } from '#input';
+import { printOutput } from '#output';

 export function registerTransactionsCommand(program: Command) {
  const transactions = program
--- a/packages/cli/src/config.ts
+++ b/packages/cli/src/config.ts
@@ -3,6 +3,8 @@ import { join } from 'path';

 import { cosmiconfig } from 'cosmiconfig';

+import { isRecord } from './utils';
+
 export type CliConfig = {
  serverUrl: string;
  password?: string;
@@ -41,10 +43,6 @@ const configFileKeys: readonly string[] = [
  'encryptionPassword',
 ];

-function isRecord(value: unknown): value is Record<string, unknown> {
-  return typeof value === 'object' && value !== null && !Array.isArray(value);
-}
-
 function validateConfigFileContent(value: unknown): ConfigFileContent {
  if (!isRecord(value)) {
    throw new Error(
--- a/packages/cli/src/output.test.ts
+++ b/packages/cli/src/output.test.ts
@@ -60,6 +60,33 @@ describe('formatOutput', () => {
      expect(result).toContain('a');
      expect(result).toContain('b');
    });
+
+    it('formats amount fields as decimal values', () => {
+      const data = [{ name: 'Groceries', amount: -250000 }];
+      const result = formatOutput(data, 'table');
+      expect(result).toContain('-2500.00');
+      expect(result).not.toContain('-250000');
+    });
+
+    it('formats balance fields as decimal values', () => {
+      const data = [{ id: 'acc1', balance: 166500 }];
+      const result = formatOutput(data, 'table');
+      expect(result).toContain('1665.00');
+    });
+
+    it('formats budgeted and spent fields as decimal values', () => {
+      const data = [{ budgeted: 50000, spent: -32150 }];
+      const result = formatOutput(data, 'table');
+      expect(result).toContain('500.00');
+      expect(result).toContain('-321.50');
+    });
+
+    it('does not format non-amount numeric fields', () => {
+      const data = [{ id: 12345, sort_order: 100 }];
+      const result = formatOutput(data, 'table');
+      expect(result).toContain('12345');
+      expect(result).toContain('100');
+    });
  });

  describe('csv', () => {
@@ -112,6 +139,21 @@ describe('formatOutput', () => {
      const lines = result.split('\n');
      expect(lines[0]).toBe('a,b');
    });
+
+    it('formats amount fields as decimal values', () => {
+      const data = [{ name: 'Coffee', amount: -2500 }];
+      const result = formatOutput(data, 'csv');
+      const lines = result.split('\n');
+      expect(lines[0]).toBe('name,amount');
+      expect(lines[1]).toBe('Coffee,-25.00');
+    });
+
+    it('does not format amount fields in json output', () => {
+      const data = [{ amount: 166500 }];
+      const result = formatOutput(data, 'json');
+      expect(result).toContain('166500');
+      expect(result).not.toContain('1665.00');
+    });
  });
 });

--- a/packages/cli/src/output.ts
+++ b/packages/cli/src/output.ts
@@ -2,6 +2,29 @@ import Table from 'cli-table3';

 export type OutputFormat = 'json' | 'table' | 'csv';

+// Fields containing integer-cent values, auto-formatted as decimals in table/csv output.
+const AMOUNT_FIELDS = new Set([
+  'amount',
+  'balance',
+  'balance_available',
+  'balance_current',
+  'balance_limit',
+  'budgeted',
+  'spent',
+  'carryover',
+]);
+
+function isAmountValue(key: string, value: unknown): value is number {
+  return AMOUNT_FIELDS.has(key) && typeof value === 'number';
+}
+
+function formatCellValue(key: string, value: unknown): string {
+  if (isAmountValue(key, value)) {
+    return (value / 100).toFixed(2);
+  }
+  return String(value ?? '');
+}
+
 export function formatOutput(
  data: unknown,
  format: OutputFormat = 'json',
@@ -23,7 +46,7 @@ function formatTable(data: unknown): string {
    if (data && typeof data === 'object') {
      const table = new Table();
      for (const [key, value] of Object.entries(data)) {
-        table.push({ [key]: String(value) });
+        table.push({ [key]: formatCellValue(key, value) });
      }
      return table.toString();
    }
@@ -39,7 +62,7 @@ function formatTable(data: unknown): string {

  for (const row of data) {
    const r = row as Record<string, unknown>;
-    table.push(keys.map(k => String(r[k] ?? '')));
+    table.push(keys.map(k => formatCellValue(k, r[k])));
  }

  return table.toString();
@@ -50,7 +73,9 @@ function formatCsv(data: unknown): string {
    if (data && typeof data === 'object') {
      const entries = Object.entries(data);
      const header = entries.map(([k]) => escapeCsv(k)).join(',');
-      const values = entries.map(([, v]) => escapeCsv(String(v))).join(',');
+      const values = entries
+        .map(([k, v]) => escapeCsv(formatCellValue(k, v)))
+        .join(',');
      return header + '\n' + values;
    }
    return String(data);
@@ -64,7 +89,7 @@ function formatCsv(data: unknown): string {
  const header = keys.map(k => escapeCsv(k)).join(',');
  const rows = data.map(row => {
    const r = row as Record<string, unknown>;
-    return keys.map(k => escapeCsv(String(r[k] ?? ''))).join(',');
+    return keys.map(k => escapeCsv(formatCellValue(k, r[k]))).join(',');
  });

  return [header, ...rows].join('\n');
--- a/packages/cli/src/utils.ts
+++ b/packages/cli/src/utils.ts
@@ -1,3 +1,7 @@
+export function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+
 export function parseBoolFlag(value: string, flagName: string): boolean {
  if (value !== 'true' && value !== 'false') {
    throw new Error(
--- a/packages/component-library/.storybook/manager-head.html
+++ b/packages/component-library/.storybook/manager-head.html
@@ -45,6 +45,27 @@
 -->

 <style>
+  /* Show logo icon next to brand title text */
+  .sidebar-header a[href='https://actualbudget.org'] {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+    text-decoration: none;
+    font-weight: 700;
+    font-size: 16px;
+  }
+  .sidebar-header a[href='https://actualbudget.org']::before {
+    content: '';
+    display: inline-block;
+    width: 32px;
+    height: 32px;
+    min-width: 32px;
+    background-image: url('https://actualbudget.org/img/logo.webp');
+    background-size: contain;
+    background-repeat: no-repeat;
+    background-position: center;
+  }
+
  #storybook-explorer-searchfield {
    font-weight: 400 !important;
    font-size: 14px !important;
--- a/packages/component-library/.storybook/manager.ts
+++ b/packages/component-library/.storybook/manager.ts
@@ -16,7 +16,6 @@ const theme = create({
  base: 'light',
  brandTitle: 'Actual Budget',
  brandUrl: 'https://actualbudget.org',
-  brandImage: 'https://actualbudget.org/img/actual.webp',
  brandTarget: '_blank',

  // UI colors
@@ -32,7 +31,7 @@ const theme = create({

  // Fonts
  fontBase:
-    '-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif',
+    '"Inter Variable", -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", Helvetica, Arial, sans-serif',
  fontCode: 'ui-monospace, SFMono-Regular, "SF Mono", Menlo, monospace',

  // Text colors
--- a/packages/component-library/.storybook/preview.tsx
+++ b/packages/component-library/.storybook/preview.tsx
@@ -4,8 +4,11 @@ import type { Preview } from '@storybook/react-vite';

 // Not ideal to import from desktop-client, but we need a source of truth for theme variables
 // TODO: this needs refactoring
+// oxlint-disable-next-line actual/enforce-boundaries
 import * as darkTheme from '../../desktop-client/src/style/themes/dark';
+// oxlint-disable-next-line actual/enforce-boundaries
 import * as lightTheme from '../../desktop-client/src/style/themes/light';
+// oxlint-disable-next-line actual/enforce-boundaries
 import * as midnightTheme from '../../desktop-client/src/style/themes/midnight';

 const THEMES = {
--- a/packages/component-library/package.json
+++ b/packages/component-library/package.json
@@ -2,6 +2,9 @@
  "name": "@actual-app/components",
  "version": "0.0.1",
  "license": "MIT",
+  "imports": {
+    "#tokens": "./src/tokens.ts"
+  },
  "exports": {
    "./hooks/*": "./src/hooks/*.ts",
    "./icons/logo": "./src/icons/logo/index.ts",
@@ -44,24 +47,25 @@
  },
  "dependencies": {
    "@emotion/css": "^11.13.5",
-    "react-aria-components": "^1.15.1",
+    "react-aria-components": "^1.16.0",
    "usehooks-ts": "^3.1.1"
  },
  "devDependencies": {
-    "@chromatic-com/storybook": "^5.0.1",
-    "@storybook/addon-a11y": "^10.2.16",
-    "@storybook/addon-docs": "^10.2.16",
-    "@storybook/react-vite": "^10.2.16",
+    "@chromatic-com/storybook": "^5.1.1",
+    "@storybook/addon-a11y": "^10.3.4",
+    "@storybook/addon-docs": "^10.3.4",
+    "@storybook/react-vite": "^10.3.4",
+    "@svgr/babel-plugin-add-jsx-attribute": "^8.0.0",
    "@svgr/cli": "^8.1.0",
    "@types/react": "^19.2.14",
-    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
-    "@vitejs/plugin-react": "^6.0.0",
-    "eslint-plugin-storybook": "^10.2.16",
+    "@typescript/native-preview": "beta",
+    "@vitejs/plugin-react": "^6.0.1",
+    "eslint-plugin-storybook": "^10.3.4",
    "react": "19.2.4",
    "react-dom": "19.2.4",
-    "storybook": "^10.2.16",
-    "vite": "^8.0.0",
-    "vitest": "^4.1.0"
+    "storybook": "^10.3.4",
+    "vite": "^8.0.5",
+    "vitest": "^4.1.2"
  },
  "peerDependencies": {
    "react": ">=19.2",
--- a/packages/component-library/src/View.tsx
+++ b/packages/component-library/src/View.tsx
@@ -5,6 +5,21 @@ import { css, cx } from '@emotion/css';

 import type { CSSProperties } from './styles';

+export const viewStyles = css({
+  alignItems: 'stretch',
+  borderWidth: 0,
+  borderStyle: 'solid',
+  boxSizing: 'border-box',
+  display: 'flex',
+  flexDirection: 'column',
+  margin: 0,
+  padding: 0,
+  position: 'relative',
+  /* fix flexbox bugs */
+  minHeight: 0,
+  minWidth: 0,
+});
+
 type ViewProps = Omit<HTMLProps<HTMLDivElement>, 'style'> & {
  className?: string;
  style?: CSSProperties;
@@ -13,19 +28,15 @@ type ViewProps = Omit<HTMLProps<HTMLDivElement>, 'style'> & {
 };

 export const View = forwardRef<HTMLDivElement, ViewProps>((props, ref) => {
-  // The default styles are special-cased and pulled out into static
-  // styles, and hardcode the class name here. View is used almost
-  // everywhere and we can avoid any perf penalty that glamor would
-  // incur.
-
  const { className = '', style, nativeStyle, innerRef, ...restProps } = props;
+
  return (
    <div
      {...restProps}
      ref={innerRef ?? ref}
      style={nativeStyle}
      className={cx(
-        'view',
+        viewStyles,
        className,
        style && Object.keys(style).length > 0 ? css(style) : undefined,
      )}
--- a/packages/component-library/src/hooks/useResponsive.ts
+++ b/packages/component-library/src/hooks/useResponsive.ts
@@ -1,6 +1,6 @@
 import { useWindowSize } from 'usehooks-ts';

-import { breakpoints } from '../tokens';
+import { breakpoints } from '#tokens';

 export function useResponsive() {
  const { height, width } = useWindowSize({
--- a/packages/component-library/src/icons/.svgrrc.js
+++ b/packages/component-library/src/icons/.svgrrc.js
@@ -1,4 +1,8 @@
 module.exports = {
+  prettier: true,
+  prettierConfig: {
+    singleQuote: true,
+  },
  svgoConfig: {
    plugins: [
      {
@@ -14,7 +18,7 @@ module.exports = {
    babelConfig: {
      plugins: [
        [
-          './add-attribute',
+          './add-attribute.ts',
          {
            elements: ['path', 'Path', 'rect', 'Rect'],
            attributes: [
--- a/packages/component-library/src/icons/add-attribute.ts
+++ b/packages/component-library/src/icons/add-attribute.ts
@@ -1,10 +1,26 @@
+import type BabelTemplate from '@babel/template';
+import type { NodePath } from '@babel/traverse';
+import type * as BabelTypes from '@babel/types';
+import type { Attribute, Options } from '@svgr/babel-plugin-add-jsx-attribute';
+
+type PluginAPI = {
+  types: typeof BabelTypes;
+  template: typeof BabelTemplate;
+};
+
 const positionMethod = {
  start: 'unshiftContainer',
  end: 'pushContainer',
-};
+} as const;

-const addJSXAttribute = ({ types: t, template }, opts) => {
-  function getAttributeValue({ literal, value }) {
+const addJSXAttribute = ({ types: t, template }: PluginAPI, opts: Options) => {
+  function getAttributeValue({
+    literal,
+    value,
+  }: Pick<Attribute, 'literal' | 'value'>):
+    | BabelTypes.JSXExpressionContainer
+    | BabelTypes.StringLiteral
+    | null {
    if (typeof value === 'boolean') {
      return t.jsxExpressionContainer(t.booleanLiteral(value));
    }
@@ -14,7 +30,7 @@ const addJSXAttribute = ({ types: t, template }, opts) => {
    }

    if (typeof value === 'string' && literal) {
-      return t.jsxExpressionContainer(template.ast(value).expression);
+      return t.jsxExpressionContainer(template.expression.ast(value));
    }

    if (typeof value === 'string') {
@@ -24,7 +40,7 @@ const addJSXAttribute = ({ types: t, template }, opts) => {
    return null;
  }

-  function getAttribute({ spread, name, value, literal }) {
+  function getAttribute({ spread, name, value, literal }: Attribute) {
    if (spread) {
      return t.jsxSpreadAttribute(t.identifier(name));
    }
@@ -37,7 +53,8 @@ const addJSXAttribute = ({ types: t, template }, opts) => {

  return {
    visitor: {
-      JSXOpeningElement(path) {
+      JSXOpeningElement(path: NodePath<BabelTypes.JSXOpeningElement>) {
+        if (!t.isJSXIdentifier(path.node.name)) return;
        if (!opts.elements.includes(path.node.name.name)) return;

        opts.attributes.forEach(
@@ -52,7 +69,11 @@ const addJSXAttribute = ({ types: t, template }, opts) => {
            const newAttribute = getAttribute({ spread, name, value, literal });
            const attributes = path.get('attributes');

-            const isEqualAttribute = attribute => {
+            const isEqualAttribute = (
+              attribute: NodePath<
+                BabelTypes.JSXAttribute | BabelTypes.JSXSpreadAttribute
+              >,
+            ) => {
              if (spread) {
                return attribute.get('argument').isIdentifier({ name });
              }
@@ -67,7 +88,11 @@ const addJSXAttribute = ({ types: t, template }, opts) => {

              // Only add the color if it doesn't explicitly say no
              // color
-              if (attribute.get('value').node.value !== 'none') {
+              const attrValue = attribute.get('value');
+              if (
+                !attrValue.isStringLiteral() ||
+                attrValue.node.value !== 'none'
+              ) {
                attribute.replaceWith(newAttribute);
              }

@@ -84,4 +109,4 @@ const addJSXAttribute = ({ types: t, template }, opts) => {
  };
 };

-module.exports = addJSXAttribute;
+export default addJSXAttribute;
--- a/packages/component-library/src/icons/index-template.ts
+++ b/packages/component-library/src/icons/index-template.ts
@@ -9,4 +9,4 @@ function indexTemplate(filePaths: { path: string }[]) {
  return exportEntries.join('\n');
 }

-module.exports = indexTemplate;
+export default indexTemplate;
--- a/packages/component-library/src/icons/logo/Logo.tsx
+++ b/packages/component-library/src/icons/logo/Logo.tsx
@@ -13,11 +13,11 @@ export const SvgLogo = (props: SVGProps<SVGSVGElement>) => (
  >
    <path
      fill="currentColor"
-      d="m1.138 30.423 13.8-29.309a.32.32 0 0 1 .289-.184h.605a.32.32 0 0 1 .287.18l8.903 18.29 2.791-1.074a.32.32 0 0 1 .414.184l.742 1.932a.32.32 0 0 1-.183.413l-2.574.99 3.175 6.524a.32.32 0 0 1-.147.428l-1.861.905a.32.32 0 0 1-.428-.147l-3.277-6.733-21.98 8.453a.32.32 0 0 1-.415-.189l-.152-.418a.32.32 0 0 1 .01-.245ZM15.56 6.152 5.85 26.774l16.634-6.398L15.56 6.152Z"
+      d="m1.138 30.423 13.8-29.309a.32.32 0 0 1 .289-.184h.605a.32.32 0 0 1 .287.18l8.903 18.29 2.791-1.074a.32.32 0 0 1 .414.184l.742 1.932a.32.32 0 0 1-.183.413l-2.574.99 3.175 6.524a.32.32 0 0 1-.147.428l-1.861.905a.32.32 0 0 1-.428-.147l-3.277-6.733-21.98 8.453a.32.32 0 0 1-.415-.189l-.152-.418a.32.32 0 0 1 .01-.245M15.56 6.152 5.85 26.774l16.634-6.398z"
    />
    <path
      fill="currentColor"
-      d="m21.777 14.568.932 2.544-21.203 7.775a.32.32 0 0 1-.41-.19l-.713-1.944a.32.32 0 0 1 .19-.41l21.204-7.775Z"
+      d="m21.777 14.568.932 2.544-21.203 7.775a.32.32 0 0 1-.41-.19l-.713-1.944a.32.32 0 0 1 .19-.41z"
    />
  </svg>
 );
--- a/packages/component-library/src/icons/template.ts
+++ b/packages/component-library/src/icons/template.ts
@@ -15,4 +15,4 @@ export const ${componentName} = (${props}) => (
 `;
 };

-module.exports = tmpl;
+export default tmpl;
--- a/packages/component-library/src/icons/v0/Add.tsx
+++ b/packages/component-library/src/icons/v0/Add.tsx
@@ -11,11 +11,11 @@ export const SvgAdd = (props: SVGProps<SVGSVGElement>) => (
    }}
  >
    <path
-      d="M23 11.5a1.5 1.5 0 0 1-1.5 1.5h-20a1.5 1.5 0 0 1 0-3h20a1.5 1.5 0 0 1 1.5 1.5Z"
+      d="M23 11.5a1.5 1.5 0 0 1-1.5 1.5h-20a1.5 1.5 0 0 1 0-3h20a1.5 1.5 0 0 1 1.5 1.5"
      fill="currentColor"
    />
    <path
-      d="M11.5 23a1.5 1.5 0 0 1-1.5-1.5v-20a1.5 1.5 0 0 1 3 0v20a1.5 1.5 0 0 1-1.5 1.5Z"
+      d="M11.5 23a1.5 1.5 0 0 1-1.5-1.5v-20a1.5 1.5 0 0 1 3 0v20a1.5 1.5 0 0 1-1.5 1.5"
      fill="currentColor"
    />
  </svg>
--- a/packages/component-library/src/icons/v0/ExpandArrow.tsx
+++ b/packages/component-library/src/icons/v0/ExpandArrow.tsx
@@ -12,7 +12,7 @@ export const SvgExpandArrow = (props: SVGProps<SVGSVGElement>) => (
  >
    <path
      fill="currentColor"
-      d="M24.483.576c-.309-.327-.674-.49-1.097-.49H1.56C1.137.086.771.25.463.576A1.635 1.635 0 0 0 0 1.737c0 .448.154.834.463 1.161l10.913 11.558c.31.327.675.49 1.097.49.422 0 .788-.163 1.096-.49L24.483 2.898c.308-.327.463-.713.463-1.16 0-.448-.155-.835-.463-1.162Z"
+      d="M24.483.576q-.463-.49-1.097-.49H1.56q-.633 0-1.096.49A1.64 1.64 0 0 0 0 1.737q0 .671.463 1.161l10.913 11.558q.465.49 1.097.49.633 0 1.096-.49L24.483 2.898q.462-.49.463-1.16 0-.672-.463-1.162"
    />
  </svg>
 );
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`export type * from '@actual-app/core/server/api-models';`