opencode-skills-collection 1.0.186 → 1.0.187

package/bundled-skills/plaid-fintech/SKILL.md

@@ -1,13 +1,19 @@
 ---
 name: plaid-fintech
-description: "Create a linktoken for Plaid Link, exchange publictoken for accesstoken. Link tokens are short-lived, one-time use. Access tokens don't expire but may need updating when users change passwords."
+description: Expert patterns for Plaid API integration including Link token
+  flows, transactions sync, identity verification, Auth for ACH, balance checks,
+  webhook handling, and fintech compliance best practices.
 risk: unknown
-source: "vibeship-spawner-skills (Apache 2.0)"
-date_added: "2026-02-27"
+source: vibeship-spawner-skills (Apache 2.0)
+date_added: 2026-02-27
 ---
 
 # Plaid Fintech
 
+Expert patterns for Plaid API integration including Link token flows,
+transactions sync, identity verification, Auth for ACH, balance checks,
+webhook handling, and fintech compliance best practices.
+
 ## Patterns
 
 ### Link Token Creation and Exchange
@@ -16,37 +22,837 @@ Create a link_token for Plaid Link, exchange public_token for access_token.
 Link tokens are short-lived, one-time use. Access tokens don't expire but
 may need updating when users change passwords.
 
+// server.ts - Link token creation endpoint
+import { Configuration, PlaidApi, PlaidEnvironments, Products, CountryCode } from 'plaid';
+
+const configuration = new Configuration({
+  basePath: PlaidEnvironments[process.env.PLAID_ENV || 'sandbox'],
+  baseOptions: {
+    headers: {
+      'PLAID-CLIENT-ID': process.env.PLAID_CLIENT_ID,
+      'PLAID-SECRET': process.env.PLAID_SECRET,
+    },
+  },
+});
+
+const plaidClient = new PlaidApi(configuration);
+
+// Create link token for new user
+app.post('/api/plaid/create-link-token', async (req, res) => {
+  const { userId } = req.body;
+
+  try {
+    const response = await plaidClient.linkTokenCreate({
+      user: {
+        client_user_id: userId,  // Your internal user ID
+      },
+      client_name: 'My Finance App',
+      products: [Products.Transactions],
+      country_codes: [CountryCode.Us],
+      language: 'en',
+      webhook: 'https://yourapp.com/api/plaid/webhooks',
+      // Request 180 days for recurring transactions
+      transactions: {
+        days_requested: 180,
+      },
+    });
+
+    res.json({ link_token: response.data.link_token });
+  } catch (error) {
+    console.error('Link token creation failed:', error);
+    res.status(500).json({ error: 'Failed to create link token' });
+  }
+});
+
+// Exchange public token for access token
+app.post('/api/plaid/exchange-token', async (req, res) => {
+  const { publicToken, userId } = req.body;
+
+  try {
+    // Exchange for permanent access token
+    const exchangeResponse = await plaidClient.itemPublicTokenExchange({
+      public_token: publicToken,
+    });
+
+    const { access_token, item_id } = exchangeResponse.data;
+
+    // Store securely - access_token doesn't expire!
+    await db.plaidItem.create({
+      data: {
+        userId,
+        itemId: item_id,
+        accessToken: await encrypt(access_token),  // Encrypt at rest
+        status: 'ACTIVE',
+        products: ['transactions'],
+      },
+    });
+
+    // Trigger initial transaction sync
+    await initiateTransactionSync(item_id, access_token);
+
+    res.json({ success: true, itemId: item_id });
+  } catch (error) {
+    console.error('Token exchange failed:', error);
+    res.status(500).json({ error: 'Failed to exchange token' });
+  }
+});
+
+// Frontend - React component
+import { usePlaidLink } from 'react-plaid-link';
+
+function BankLinkButton({ userId }: { userId: string }) {
+  const [linkToken, setLinkToken] = useState<string | null>(null);
+
+  useEffect(() => {
+    async function createLinkToken() {
+      const response = await fetch('/api/plaid/create-link-token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ userId }),
+      });
+      const { link_token } = await response.json();
+      setLinkToken(link_token);
+    }
+    createLinkToken();
+  }, [userId]);
+
+  const { open, ready } = usePlaidLink({
+    token: linkToken,
+    onSuccess: async (publicToken, metadata) => {
+      // Exchange public token for access token
+      await fetch('/api/plaid/exchange-token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ publicToken, userId }),
+      });
+    },
+    onExit: (error, metadata) => {
+      if (error) {
+        console.error('Link exit error:', error);
+      }
+    },
+  });
+
+  return (
+    <button onClick={() => open()} disabled={!ready}>
+      Connect Bank Account
+    </button>
+  );
+}
+
+### Context
+
+- initial bank linking
+- user onboarding
+- connecting accounts
+
 ### Transactions Sync
 
 Use /transactions/sync for incremental transaction updates. More efficient
 than /transactions/get. Handle webhooks for real-time updates instead of
 polling.
 
+// Transactions sync service
+interface TransactionSyncState {
+  cursor: string | null;
+  hasMore: boolean;
+}
+
+async function syncTransactions(
+  accessToken: string,
+  itemId: string
+): Promise<void> {
+  // Get last cursor from database
+  const item = await db.plaidItem.findUnique({
+    where: { itemId },
+  });
+
+  let cursor = item?.transactionsCursor || null;
+  let hasMore = true;
+  let addedCount = 0;
+  let modifiedCount = 0;
+  let removedCount = 0;
+
+  while (hasMore) {
+    try {
+      const response = await plaidClient.transactionsSync({
+        access_token: accessToken,
+        cursor: cursor || undefined,
+        count: 500,  // Max per request
+      });
+
+      const { added, modified, removed, next_cursor, has_more } = response.data;
+
+      // Process added transactions
+      if (added.length > 0) {
+        await db.transaction.createMany({
+          data: added.map(txn => ({
+            plaidTransactionId: txn.transaction_id,
+            itemId,
+            accountId: txn.account_id,
+            amount: txn.amount,
+            date: new Date(txn.date),
+            name: txn.name,
+            merchantName: txn.merchant_name,
+            category: txn.personal_finance_category?.primary,
+            subcategory: txn.personal_finance_category?.detailed,
+            pending: txn.pending,
+            paymentChannel: txn.payment_channel,
+            location: txn.location ? JSON.stringify(txn.location) : null,
+          })),
+          skipDuplicates: true,
+        });
+        addedCount += added.length;
+      }
+
+      // Process modified transactions
+      for (const txn of modified) {
+        await db.transaction.updateMany({
+          where: { plaidTransactionId: txn.transaction_id },
+          data: {
+            amount: txn.amount,
+            name: txn.name,
+            merchantName: txn.merchant_name,
+            pending: txn.pending,
+            updatedAt: new Date(),
+          },
+        });
+        modifiedCount++;
+      }
+
+      // Process removed transactions
+      if (removed.length > 0) {
+        await db.transaction.deleteMany({
+          where: {
+            plaidTransactionId: {
+              in: removed.map(r => r.transaction_id),
+            },
+          },
+        });
+        removedCount += removed.length;
+      }
+
+      cursor = next_cursor;
+      hasMore = has_more;
+
+    } catch (error: any) {
+      if (error.response?.data?.error_code === 'TRANSACTIONS_SYNC_MUTATION_DURING_PAGINATION') {
+        // Data changed during pagination, restart from null
+        cursor = null;
+        continue;
+      }
+      throw error;
+    }
+  }
+
+  // Save cursor for next sync
+  await db.plaidItem.update({
+    where: { itemId },
+    data: { transactionsCursor: cursor },
+  });
+
+  console.log(`Sync complete: +${addedCount} ~${modifiedCount} -${removedCount}`);
+}
+
+// Webhook handler for real-time updates
+app.post('/api/plaid/webhooks', async (req, res) => {
+  const { webhook_type, webhook_code, item_id } = req.body;
+
+  // Verify webhook (see webhook verification pattern)
+  if (!verifyPlaidWebhook(req)) {
+    return res.status(401).send('Invalid webhook');
+  }
+
+  if (webhook_type === 'TRANSACTIONS') {
+    switch (webhook_code) {
+      case 'SYNC_UPDATES_AVAILABLE':
+        // New transactions available, trigger sync
+        await queueTransactionSync(item_id);
+        break;
+      case 'INITIAL_UPDATE':
+        // Initial batch of transactions ready
+        await queueTransactionSync(item_id);
+        break;
+      case 'HISTORICAL_UPDATE':
+        // Historical transactions ready
+        await queueTransactionSync(item_id);
+        break;
+    }
+  }
+
+  res.sendStatus(200);
+});
+
+### Context
+
+- fetching transactions
+- transaction history
+- account activity
+
 ### Item Error Handling and Update Mode
 
 Handle ITEM_LOGIN_REQUIRED errors by putting users through Link update mode.
 Listen for PENDING_DISCONNECT webhook to proactively prompt users.
 
-## Anti-Patterns
+// Create link token for update mode
+app.post('/api/plaid/create-update-token', async (req, res) => {
+  const { itemId } = req.body;
+
+  const item = await db.plaidItem.findUnique({
+    where: { itemId },
+    include: { user: true },
+  });
+
+  if (!item) {
+    return res.status(404).json({ error: 'Item not found' });
+  }
+
+  try {
+    const response = await plaidClient.linkTokenCreate({
+      user: {
+        client_user_id: item.userId,
+      },
+      client_name: 'My Finance App',
+      country_codes: [CountryCode.Us],
+      language: 'en',
+      webhook: 'https://yourapp.com/api/plaid/webhooks',
+      // Update mode: provide access_token instead of products
+      access_token: await decrypt(item.accessToken),
+    });
+
+    res.json({ link_token: response.data.link_token });
+  } catch (error) {
+    console.error('Update token creation failed:', error);
+    res.status(500).json({ error: 'Failed to create update token' });
+  }
+});
+
+// Handle item errors from webhooks
+app.post('/api/plaid/webhooks', async (req, res) => {
+  const { webhook_type, webhook_code, item_id, error } = req.body;
+
+  if (webhook_type === 'ITEM') {
+    switch (webhook_code) {
+      case 'ERROR':
+        // Item has entered an error state
+        await db.plaidItem.update({
+          where: { itemId: item_id },
+          data: {
+            status: 'ERROR',
+            errorCode: error?.error_code,
+            errorMessage: error?.error_message,
+          },
+        });
+
+        // Notify user to reconnect
+        if (error?.error_code === 'ITEM_LOGIN_REQUIRED') {
+          await notifyUserReconnect(item_id, 'Please reconnect your bank account');
+        }
+        break;
+
+      case 'PENDING_DISCONNECT':
+        // User needs to reauthorize soon
+        await db.plaidItem.update({
+          where: { itemId: item_id },
+          data: { status: 'PENDING_DISCONNECT' },
+        });
+
+        // Proactive notification
+        await notifyUserReconnect(item_id, 'Your bank connection will expire soon');
+        break;
+
+      case 'USER_PERMISSION_REVOKED':
+        // User revoked access at their bank
+        await db.plaidItem.update({
+          where: { itemId: item_id },
+          data: { status: 'REVOKED' },
+        });
+
+        // Clean up stored data
+        await db.transaction.deleteMany({
+          where: { itemId: item_id },
+        });
+        break;
+    }
+  }
+
+  res.sendStatus(200);
+});
+
+// Check item status before API calls
+async function getItemWithValidation(itemId: string) {
+  const item = await db.plaidItem.findUnique({
+    where: { itemId },
+  });
+
+  if (!item) {
+    throw new Error('Item not found');
+  }
+
+  if (item.status === 'ERROR') {
+    throw new ItemNeedsUpdateError(item.errorCode, item.errorMessage);
+  }
+
+  return item;
+}
+
+### Context
+
+- error recovery
+- reauthorization
+- credential updates
+
+### Auth for ACH Transfers
+
+Use Auth product to get account and routing numbers for ACH transfers.
+Combine with Identity to verify account ownership before initiating
+transfers.
+
+// Get account and routing numbers
+async function getACHNumbers(accessToken: string): Promise<ACHInfo[]> {
+  const response = await plaidClient.authGet({
+    access_token: accessToken,
+  });
+
+  const { accounts, numbers } = response.data;
+
+  // Map ACH numbers to accounts
+  return accounts.map(account => {
+    const achNumber = numbers.ach.find(
+      n => n.account_id === account.account_id
+    );
+
+    return {
+      accountId: account.account_id,
+      name: account.name,
+      mask: account.mask,
+      type: account.type,
+      subtype: account.subtype,
+      routing: achNumber?.routing,
+      account: achNumber?.account,
+      wireRouting: achNumber?.wire_routing,
+    };
+  });
+}
+
+// Verify identity before ACH transfer
+async function verifyAndInitiateTransfer(
+  accessToken: string,
+  userId: string,
+  amount: number
+): Promise<TransferResult> {
+  // Get identity from linked account
+  const identityResponse = await plaidClient.identityGet({
+    access_token: accessToken,
+  });
+
+  const accountOwners = identityResponse.data.accounts[0]?.owners || [];
+
+  // Get user's stored identity
+  const user = await db.user.findUnique({
+    where: { id: userId },
+  });
+
+  // Match identity
+  const matchResponse = await plaidClient.identityMatch({
+    access_token: accessToken,
+    user: {
+      legal_name: user.legalName,
+      phone_number: user.phoneNumber,
+      email_address: user.email,
+      address: {
+        street: user.street,
+        city: user.city,
+        region: user.state,
+        postal_code: user.postalCode,
+        country: 'US',
+      },
+    },
+  });
+
+  const matchScores = matchResponse.data.accounts[0]?.legal_name;
+
+  // Require high confidence for transfers
+  if ((matchScores?.score || 0) < 70) {
+    throw new Error('Identity verification failed');
+  }
+
+  // Get real-time balance for the transfer
+  const balanceResponse = await plaidClient.accountsBalanceGet({
+    access_token: accessToken,
+  });
+
+  const account = balanceResponse.data.accounts[0];
+
+  // Check sufficient funds (consider pending)
+  const availableBalance = account.balances.available ?? account.balances.current;
+  if (availableBalance < amount) {
+    throw new Error('Insufficient funds');
+  }
+
+  // Get ACH numbers and initiate transfer
+  const authResponse = await plaidClient.authGet({
+    access_token: accessToken,
+  });
+
+  const achNumbers = authResponse.data.numbers.ach.find(
+    n => n.account_id === account.account_id
+  );
+
+  // Initiate ACH transfer with your payment processor
+  return await initiateACHTransfer({
+    routingNumber: achNumbers.routing,
+    accountNumber: achNumbers.account,
+    amount,
+    accountType: account.subtype,
+  });
+}
+
+### Context
+
+- ach transfers
+- money movement
+- account funding
+
+### Real-Time Balance Check
+
+Use /accounts/balance/get for real-time balance (paid endpoint).
+/accounts/get returns cached data suitable for display but not
+real-time decisions.
+
+interface BalanceInfo {
+  accountId: string;
+  available: number | null;
+  current: number;
+  limit: number | null;
+  isoCurrencyCode: string;
+  lastUpdated: Date;
+  isRealtime: boolean;
+}
+
+// Get cached balance (free, suitable for display)
+async function getCachedBalances(accessToken: string): Promise<BalanceInfo[]> {
+  const response = await plaidClient.accountsGet({
+    access_token: accessToken,
+  });
+
+  return response.data.accounts.map(account => ({
+    accountId: account.account_id,
+    available: account.balances.available,
+    current: account.balances.current,
+    limit: account.balances.limit,
+    isoCurrencyCode: account.balances.iso_currency_code || 'USD',
+    lastUpdated: new Date(account.balances.last_updated_datetime || Date.now()),
+    isRealtime: false,
+  }));
+}
+
+// Get real-time balance (paid, for payment validation)
+async function getRealTimeBalance(
+  accessToken: string,
+  accountIds?: string[]
+): Promise<BalanceInfo[]> {
+  const response = await plaidClient.accountsBalanceGet({
+    access_token: accessToken,
+    options: accountIds ? { account_ids: accountIds } : undefined,
+  });
+
+  return response.data.accounts.map(account => ({
+    accountId: account.account_id,
+    available: account.balances.available,
+    current: account.balances.current,
+    limit: account.balances.limit,
+    isoCurrencyCode: account.balances.iso_currency_code || 'USD',
+    lastUpdated: new Date(),
+    isRealtime: true,
+  }));
+}
+
+// Payment validation with balance check
+async function validatePayment(
+  accessToken: string,
+  accountId: string,
+  amount: number
+): Promise<PaymentValidation> {
+  const balances = await getRealTimeBalance(accessToken, [accountId]);
+  const account = balances.find(b => b.accountId === accountId);
+
+  if (!account) {
+    return { valid: false, reason: 'Account not found' };
+  }
+
+  const available = account.available ?? account.current;
 
-### ❌ Storing Access Tokens in Plain Text
+  if (available < amount) {
+    return {
+      valid: false,
+      reason: 'Insufficient funds',
+      available,
+      requested: amount,
+    };
+  }
 
-### ❌ Polling Instead of Webhooks
+  return {
+    valid: true,
+    available,
+    requested: amount,
+  };
+}
 
-### ❌ Ignoring Item Errors
+### Context
 
-## ⚠️ Sharp Edges
+- balance checking
+- fund availability
+- payment validation
 
-| Issue | Severity | Solution |
-|-------|----------|----------|
-| Issue | critical | See docs |
-| Issue | high | See docs |
-| Issue | high | See docs |
-| Issue | high | See docs |
-| Issue | medium | See docs |
-| Issue | medium | See docs |
-| Issue | medium | See docs |
-| Issue | medium | See docs |
+### Webhook Verification
+
+Verify Plaid webhooks using the verification key endpoint.
+Handle duplicate webhooks idempotently and design for out-of-order
+delivery.
+
+import jwt from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+
+// Cache JWKS client
+const client = jwksClient({
+  jwksUri: 'https://production.plaid.com/.well-known/jwks.json',
+  cache: true,
+  cacheMaxAge: 86400000,  // 24 hours
+});
+
+async function getSigningKey(kid: string): Promise<string> {
+  const key = await client.getSigningKey(kid);
+  return key.getPublicKey();
+}
+
+async function verifyPlaidWebhook(req: Request): Promise<boolean> {
+  const signedJwt = req.headers['plaid-verification'];
+
+  if (!signedJwt) {
+    return false;
+  }
+
+  try {
+    // Decode to get kid
+    const decoded = jwt.decode(signedJwt, { complete: true });
+    if (!decoded?.header?.kid) {
+      return false;
+    }
+
+    // Get signing key
+    const key = await getSigningKey(decoded.header.kid);
+
+    // Verify JWT
+    const claims = jwt.verify(signedJwt, key, {
+      algorithms: ['ES256'],
+    }) as any;
+
+    // Verify body hash
+    const bodyHash = crypto
+      .createHash('sha256')
+      .update(JSON.stringify(req.body))
+      .digest('hex');
+
+    if (claims.request_body_sha256 !== bodyHash) {
+      return false;
+    }
+
+    // Check timestamp (within 5 minutes)
+    const issuedAt = new Date(claims.iat * 1000);
+    const fiveMinutesAgo = new Date(Date.now() - 5 * 60 * 1000);
+    if (issuedAt < fiveMinutesAgo) {
+      return false;
+    }
+
+    return true;
+  } catch (error) {
+    console.error('Webhook verification failed:', error);
+    return false;
+  }
+}
+
+// Idempotent webhook handler
+app.post('/api/plaid/webhooks', async (req, res) => {
+  // Verify webhook signature
+  if (!await verifyPlaidWebhook(req)) {
+    return res.status(401).send('Invalid signature');
+  }
+
+  const { webhook_type, webhook_code, item_id } = req.body;
+
+  // Create idempotency key
+  const idempotencyKey = `${webhook_type}:${webhook_code}:${item_id}:${JSON.stringify(req.body)}`;
+  const idempotencyHash = crypto.createHash('sha256').update(idempotencyKey).digest('hex');
+
+  // Check if already processed
+  const existing = await db.webhookLog.findUnique({
+    where: { idempotencyHash },
+  });
+
+  if (existing) {
+    console.log('Duplicate webhook, skipping:', idempotencyHash);
+    return res.sendStatus(200);
+  }
+
+  // Record webhook before processing
+  await db.webhookLog.create({
+    data: {
+      idempotencyHash,
+      webhookType: webhook_type,
+      webhookCode: webhook_code,
+      itemId: item_id,
+      payload: req.body,
+      processedAt: new Date(),
+    },
+  });
+
+  // Process webhook (async for quick response)
+  processWebhookAsync(req.body).catch(console.error);
+
+  res.sendStatus(200);
+});
+
+### Context
+
+- webhook security
+- event processing
+- production deployment
+
+## Sharp Edges
+
+### Access Tokens Never Expire But Are Highly Sensitive
+
+Severity: CRITICAL
+
+### accounts/get Returns Cached Balances, Not Real-Time
+
+Severity: HIGH
+
+### Webhooks May Arrive Out of Order or Duplicated
+
+Severity: HIGH
+
+### Items Enter Error States That Require User Action
+
+Severity: HIGH
+
+### Sandbox Does Not Reflect Production Complexity
+
+Severity: MEDIUM
+
+### TRANSACTIONS_SYNC_MUTATION_DURING_PAGINATION Requires Restart
+
+Severity: MEDIUM
+
+### Link Tokens Are Short-Lived and Single-Use
+
+Severity: MEDIUM
+
+### Recurring Transactions Need 180+ Days of History
+
+Severity: MEDIUM
+
+## Validation Checks
+
+### Access Token Stored in Plain Text
+
+Severity: ERROR
+
+Plaid access tokens must be encrypted at rest
+
+Message: Plaid access token appears to be stored unencrypted. Encrypt at rest.
+
+### Plaid Secret in Client Code
+
+Severity: ERROR
+
+Plaid secret must never be exposed to clients
+
+Message: Plaid secret may be exposed. Keep server-side only.
+
+### Hardcoded Plaid Credentials
+
+Severity: ERROR
+
+Credentials must use environment variables
+
+Message: Hardcoded Plaid credentials. Use environment variables.
+
+### Missing Webhook Signature Verification
+
+Severity: ERROR
+
+Plaid webhooks must verify JWT signature
+
+Message: Webhook handler without signature verification. Verify Plaid-Verification header.
+
+### Using Cached Balance for Payment Decision
+
+Severity: ERROR
+
+Use real-time balance for payment validation
+
+Message: Using accountsGet (cached) for payment. Use accountsBalanceGet for real-time balance.
+
+### Missing Item Error State Handling
+
+Severity: WARNING
+
+API calls should handle ITEM_LOGIN_REQUIRED
+
+Message: API call without ITEM_LOGIN_REQUIRED handling. Handle item error states.
+
+### Polling for Transactions Instead of Webhooks
+
+Severity: WARNING
+
+Use webhooks for transaction updates
+
+Message: Polling for transactions. Configure webhooks for SYNC_UPDATES_AVAILABLE.
+
+### Link Token Cached or Reused
+
+Severity: WARNING
+
+Link tokens are single-use and expire in 4 hours
+
+Message: Link tokens should not be cached. Create fresh token for each session.
+
+### Using Deprecated Public Key
+
+Severity: ERROR
+
+Public key integration ended January 2025
+
+Message: Public key is deprecated. Use Link tokens instead.
+
+### Transaction Sync Without Cursor Storage
+
+Severity: WARNING
+
+Store cursor for incremental syncs
+
+Message: Transaction sync without cursor persistence. Store cursor for incremental sync.
+
+## Collaboration
+
+### Delegation Triggers
+
+- user needs payment processing -> stripe-integration (Stripe for actual payment, Plaid for account linking)
+- user needs budgeting features -> analytics-specialist (Transaction categorization and analysis)
+- user needs investment tracking -> data-engineer (Portfolio analysis and reporting)
+- user needs compliance/audit -> security-specialist (SOC 2, PCI compliance)
+- user needs mobile app -> mobile-developer (React Native Plaid SDK)
 
 ## When to Use
-This skill is applicable to execute the workflow or actions described in the overview.
+
+- User mentions or implies: plaid
+- User mentions or implies: bank account linking
+- User mentions or implies: bank connection
+- User mentions or implies: ach
+- User mentions or implies: account aggregation
+- User mentions or implies: bank transactions
+- User mentions or implies: open banking
+- User mentions or implies: fintech
+- User mentions or implies: identity verification banking