ray-finance 0.2.2 → 0.2.3

package/dist/daily-sync.js

@@ -1,5 +1,7 @@
 import { syncTransactions, syncBalances, syncInvestments, syncLiabilities, } from "./plaid/sync.js";
 import { calculateDailyScore, checkAchievements } from "./scoring/index.js";
+import { decryptPlaidToken } from "./db/encryption.js";
+import { config } from "./config.js";
 /** Run the daily sync for a single database */
 export async function runDailySync(db) {
     const institutions = db
@@ -14,25 +16,38 @@ export async function runDailySync(db) {
             console.log(`Skipping ${inst.name} (manual entry)`);
             continue;
         }
+        // Decrypt the stored access token
+        let accessToken;
+        try {
+            if (!config.plaidTokenSecret) {
+                console.error(`  Skipping ${inst.name}: no plaidTokenSecret configured`);
+                continue;
+            }
+            accessToken = decryptPlaidToken(inst.access_token, config.plaidTokenSecret);
+        }
+        catch {
+            console.error(`  Skipping ${inst.name}: failed to decrypt access token (wrong key or corrupt data)`);
+            continue;
+        }
         const products = JSON.parse(inst.products);
         console.log(`Syncing: ${inst.name} (${products.join(", ")})`);
         try {
             // Always sync balances
-            const accountCount = await syncBalances(db, inst.access_token);
+            const accountCount = await syncBalances(db, accessToken);
             console.log(`  Accounts: ${accountCount}`);
             // Sync transactions if available
             if (products.includes("transactions")) {
-                const txResult = await syncTransactions(db, inst.item_id, inst.access_token, inst.cursor);
+                const txResult = await syncTransactions(db, inst.item_id, accessToken, inst.cursor);
                 console.log(`  Transactions: +${txResult.added} ~${txResult.modified} -${txResult.removed}`);
             }
             // Sync investments if available
             if (products.includes("investments")) {
-                const invResult = await syncInvestments(db, inst.access_token);
+                const invResult = await syncInvestments(db, accessToken);
                 console.log(`  Investments: ${invResult.holdings} holdings, ${invResult.securities} securities`);
             }
             // Sync liabilities if available
             if (products.includes("liabilities")) {
-                await syncLiabilities(db, inst.access_token);
+                await syncLiabilities(db, accessToken);
                 console.log(`  Liabilities: synced`);
             }
         }

package/dist/db/connection.js

@@ -14,7 +14,15 @@ function openDb(dbPath, encryptionKey) {
         const hexKey = Buffer.from(encryptionKey, "utf8").toString("hex");
         db.pragma(`key="x'${hexKey}'"`);
     }
-    db.pragma("journal_mode = WAL");
+    // Verify the key works before proceeding
+    try {
+        db.pragma("journal_mode = WAL");
+    }
+    catch (err) {
+        db.close();
+        throw new Error("Failed to open database. Wrong encryption key or corrupt database file. " +
+            "If you changed your encryption key, restore from backup or delete ~/.ray/data/finance.db to start fresh.");
+    }
     db.pragma("foreign_keys = ON");
     migrate(db);
     try {

package/dist/db/encryption.js

@@ -1,23 +1,34 @@
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-const SCRYPT_SALT = "ray-finance-plaid-token"; // Static salt is fine — secret is already high-entropy
 const SCRYPT_KEYLEN = 32;
+const SALT_LEN = 16;
 export function generateKey() {
     return randomBytes(32).toString("hex");
 }
-function deriveKey(secret) {
-    return scryptSync(secret, SCRYPT_SALT, SCRYPT_KEYLEN);
+function deriveKey(secret, salt) {
+    return scryptSync(secret, salt, SCRYPT_KEYLEN);
 }
 export function encryptPlaidToken(token, secret) {
-    const key = deriveKey(secret);
+    const salt = randomBytes(SALT_LEN);
+    const key = deriveKey(secret, salt);
     const iv = randomBytes(16);
     const cipher = createCipheriv("aes-256-gcm", key, iv);
     const encrypted = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
     const authTag = cipher.getAuthTag();
-    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+    return `${salt.toString("hex")}:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
 }
 export function decryptPlaidToken(encrypted, secret) {
-    const [ivHex, authTagHex, dataHex] = encrypted.split(":");
-    const key = deriveKey(secret);
+    const parts = encrypted.split(":");
+    // Support legacy 3-part format (static salt) and new 4-part format (random salt)
+    let salt, ivHex, authTagHex, dataHex;
+    if (parts.length === 3) {
+        salt = Buffer.from("ray-finance-plaid-token", "utf8");
+        [ivHex, authTagHex, dataHex] = parts;
+    }
+    else {
+        [, ivHex, authTagHex, dataHex] = parts;
+        salt = Buffer.from(parts[0], "hex");
+    }
+    const key = deriveKey(secret, salt);
     const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivHex, "hex"));
     decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
     return decipher.update(Buffer.from(dataHex, "hex")) + decipher.final("utf8");

package/dist/db/schema.js

@@ -100,7 +100,7 @@ export function migrate(db) {
       name TEXT NOT NULL,
       target_amount REAL NOT NULL,
       current_amount REAL DEFAULT 0,
-      deadline TEXT,
+      target_date TEXT,
       status TEXT DEFAULT 'active'
     );
 
@@ -191,4 +191,9 @@ export function migrate(db) {
       created_at TEXT DEFAULT (datetime('now'))
     );
   `);
+    // Migrate: rename goals.deadline -> target_date for existing databases
+    const goalCols = db.prepare(`PRAGMA table_info(goals)`).all();
+    if (goalCols.some(c => c.name === "deadline") && !goalCols.some(c => c.name === "target_date")) {
+        db.exec(`ALTER TABLE goals RENAME COLUMN deadline TO target_date`);
+    }
 }

package/dist/public/link.html

@@ -2,18 +2,15 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <link rel="preconnect" href="https://fonts.googleapis.com">
-  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-  <link href="https://fonts.googleapis.com/css2?family=Geist+Mono:wght@700&display=swap" rel="stylesheet">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><circle cx='50' cy='50' r='40' fill='%231a1a1a'/></svg>">
+  <link rel="icon" href="/favicon.png">
   <title>Ray — Connect Account</title>
   <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
+    * { margin: 0; padding: 0; box-sizing: border-box; -webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; }
     body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
-      background: #fafafa;
-      color: #1a1a1a;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+      background: #fafaf9;
+      color: #1c1917;
       display: flex;
       align-items: center;
       justify-content: center;
@@ -22,36 +19,37 @@
     }
     .card {
       background: #fff;
-      border-radius: 12px;
-      padding: 40px 32px;
+      border: 1px solid rgba(214, 211, 209, 0.6);
+      border-radius: 16px;
+      padding: 48px 40px;
       max-width: 400px;
       width: 100%;
       text-align: center;
-      box-shadow: 0 1px 3px rgba(0,0,0,0.08);
     }
-    h1 { font-size: 22px; font-weight: 600; margin-bottom: 8px; }
-    p { font-size: 15px; color: #666; margin-bottom: 24px; line-height: 1.5; }
+    .logo { margin-bottom: 32px; }
+    .logo img { height: 24px; }
+    h1 { font-size: 20px; font-weight: 600; margin-bottom: 8px; color: #1c1917; }
+    p { font-size: 15px; color: #78716c; margin-bottom: 24px; line-height: 1.6; }
     button {
-      background: #1a1a1a;
+      background: #1c1917;
       color: #fff;
       border: none;
       padding: 14px 32px;
       border-radius: 9999px;
-      font-size: 16px;
+      font-size: 15px;
       font-weight: 500;
       cursor: pointer;
       width: 100%;
       transition: background 0.2s;
     }
-    button:hover { background: #333; }
-    button:disabled { background: #ccc; cursor: not-allowed; }
-    .success { color: #28a745; font-weight: 600; }
+    button:hover { background: #292524; }
+    button:disabled { background: #d6d3d1; cursor: not-allowed; }
+    .success { color: #6ab318; font-weight: 600; }
     .error { color: #dc3545; font-size: 14px; margin-top: 16px; }
-    .logo { font-size: 28px; font-weight: 700; margin-bottom: 24px; color: #1a1a1a; font-family: 'Geist Mono', monospace; }
     .checkmark {
       width: 48px;
       height: 48px;
-      border: 2.5px solid #28a745;
+      border: 2.5px solid #6ab318;
       border-radius: 50%;
       display: flex;
       align-items: center;
@@ -61,7 +59,7 @@
     .checkmark svg {
       width: 24px;
       height: 24px;
-      stroke: #28a745;
+      stroke: #6ab318;
       fill: none;
       stroke-width: 2.5;
       stroke-linecap: round;
@@ -74,12 +72,24 @@
       object-fit: contain;
       margin-bottom: 16px;
     }
+    .spinner {
+      display: inline-block;
+      width: 20px;
+      height: 20px;
+      border: 2px solid #d6d3d1;
+      border-top-color: #78716c;
+      border-radius: 50%;
+      animation: spin 0.6s linear infinite;
+      margin-bottom: 16px;
+    }
+    @keyframes spin { to { transform: rotate(360deg); } }
   </style>
 </head>
 <body>
   <div class="card">
-    <div class="logo">RAY</div>
+    <div class="logo"><img src="/ray-logo-dark.png" alt="Ray"></div>
     <div id="connect-view">
+      <div class="spinner"></div>
       <p>Opening Plaid...</p>
       <div id="error" class="error" style="display:none"></div>
     </div>
@@ -97,13 +107,26 @@
     let linkHandler = null;
 
     async function initPlaid() {
+      // Wait for Plaid SDK to load
+      if (typeof Plaid === 'undefined') {
+        let attempts = 0;
+        await new Promise((resolve, reject) => {
+          const check = setInterval(() => {
+            if (typeof Plaid !== 'undefined') { clearInterval(check); resolve(); }
+            else if (++attempts > 50) { clearInterval(check); reject(new Error('Failed to load Plaid SDK. Check your ad blocker or network connection.')); }
+          }, 100);
+        });
+      }
       try {
         const res = await fetch('/api/link-token', {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify({ session_id: sessionId }),
         });
-        if (!res.ok) throw new Error('Session expired');
+        if (!res.ok) {
+          const data = await res.json().catch(() => ({}));
+          throw new Error(data.error || 'Failed to connect. Please run "ray link" again.');
+        }
         const { link_token } = await res.json();
 
         linkHandler = Plaid.create({
@@ -145,7 +168,7 @@
         // Auto-open Plaid Link
         linkHandler.open();
       } catch (e) {
-        showError('This link has expired. Please run "ray link" again.');
+        showError(e.message || 'This link has expired. Please run "ray link" again.');
       }
     }
 

package/dist/queries/index.js

@@ -263,13 +263,13 @@ export function forecastBalance(db, accountId, months = 6) {
 }
 // --- Portfolio ---
 export function getPortfolio(db) {
-    const rows = db.prepare(`SELECT a.name as account, s.name as security, s.ticker_symbol as ticker,
-       h.quantity, h.institution_value as value, h.cost_basis,
-       (h.institution_value - COALESCE(h.cost_basis, h.institution_value)) as gain_loss
+    const rows = db.prepare(`SELECT a.name as account, s.name as security, s.ticker,
+       h.quantity, h.value, h.cost_basis,
+       (h.value - COALESCE(h.cost_basis, h.value)) as gain_loss
      FROM holdings h
      JOIN accounts a ON h.account_id = a.account_id
      LEFT JOIN securities s ON h.security_id = s.security_id
-     ORDER BY h.institution_value DESC`).all();
+     ORDER BY h.value DESC`).all();
     const totalValue = rows.reduce((s, r) => s + (r.value || 0), 0);
     const totalCostBasis = rows.reduce((s, r) => s + (r.cost_basis || 0), 0);
     return {
@@ -289,12 +289,12 @@ export function getPortfolio(db) {
 }
 // --- Investment performance ---
 export function getInvestmentPerformance(db) {
-    const rows = db.prepare(`SELECT s.name as security, s.ticker_symbol as ticker,
-       h.institution_value as value, h.cost_basis
+    const rows = db.prepare(`SELECT s.name as security, s.ticker,
+       h.value, h.cost_basis
      FROM holdings h
      LEFT JOIN securities s ON h.security_id = s.security_id
-     WHERE h.institution_value IS NOT NULL
-     ORDER BY h.institution_value DESC`).all();
+     WHERE h.value IS NOT NULL
+     ORDER BY h.value DESC`).all();
     const totalValue = rows.reduce((s, r) => s + (r.value || 0), 0);
     const totalCost = rows.reduce((s, r) => s + (r.cost_basis || r.value || 0), 0);
     const totalReturn = totalValue - totalCost;

package/dist/server.js

@@ -13,9 +13,41 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 // Session map for Plaid Link — maps sessionId → true (single-user, no chatId needed)
 const linkSessions = new Map();
+// Simple rate limiter: track request counts per IP
+const rateLimits = new Map();
+const RATE_LIMIT_WINDOW = 60_000; // 1 minute
+const RATE_LIMIT_MAX = 10; // max requests per window
+function isRateLimited(ip) {
+    const now = Date.now();
+    const entry = rateLimits.get(ip);
+    if (!entry || now > entry.resetAt) {
+        rateLimits.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW });
+        return false;
+    }
+    entry.count++;
+    return entry.count > RATE_LIMIT_MAX;
+}
 export function startLinkServer() {
     const app = express();
     app.use(express.json());
+    // Only allow requests from localhost origin
+    app.use((req, res, next) => {
+        const origin = req.headers.origin || req.headers.referer || "";
+        const ip = req.ip || req.socket.remoteAddress || "";
+        if (req.path.startsWith("/api/")) {
+            // Check origin for API routes
+            if (origin && !origin.startsWith(`http://localhost:${config.port}`) && !origin.startsWith(`http://127.0.0.1:${config.port}`)) {
+                res.status(403).json({ error: "Forbidden" });
+                return;
+            }
+            // Rate limit API routes
+            if (isRateLimited(ip)) {
+                res.status(429).json({ error: "Too many requests" });
+                return;
+            }
+        }
+        next();
+    });
     app.use(express.static(resolve(__dirname, "public")));
     const sessionId = randomUUID();
     linkSessions.set(sessionId, true);
@@ -120,7 +152,7 @@ export function startLinkServer() {
             res.status(500).json({ error: "Failed to link account" });
         }
     });
-    const server = app.listen(config.port);
+    const server = app.listen(config.port, "127.0.0.1");
     const url = `http://localhost:${config.port}/link/${sessionId}`;
     // Auto-expire after 30 minutes
     const timeout = setTimeout(() => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ray-finance",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Local-first CLI that turns your bank data into a personal AI financial advisor",
   "type": "module",
   "license": "MIT",
@@ -30,6 +30,7 @@
   },
   "scripts": {
     "build": "tsc && rm -rf dist/public && cp -r src/public dist/public",
+    "test": "vitest run",
     "prepublishOnly": "npm run build",
     "sync": "tsx src/daily-sync.ts"
   },
@@ -50,6 +51,7 @@
     "@types/express": "^4.17.0",
     "@types/node": "^22.0.0",
     "tsx": "^4.7.0",
-    "typescript": "^5.5.0"
+    "typescript": "^5.5.0",
+    "vitest": "^3.2.4"
   }
 }

package/site/package-lock.json

@@ -8,6 +8,7 @@
       "name": "ray-finance-site",
       "version": "0.1.0",
       "dependencies": {
+        "@vercel/analytics": "^2.0.1",
         "geist": "^1.7.0",
         "next": "^15.1.0",
         "react": "^19.0.0",
@@ -1005,6 +1006,48 @@
         "@types/react": "^19.2.0"
       }
     },
+    "node_modules/@vercel/analytics": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@vercel/analytics/-/analytics-2.0.1.tgz",
+      "integrity": "sha512-MTQG6V9qQrt1tsDeF+2Uoo5aPjqbVPys1xvnIftXSJYG2SrwXRHnqEvVoYID7BTruDz4lCd2Z7rM1BdkUehk2g==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@remix-run/react": "^2",
+        "@sveltejs/kit": "^1 || ^2",
+        "next": ">= 13",
+        "nuxt": ">= 3",
+        "react": "^18 || ^19 || ^19.0.0-rc",
+        "svelte": ">= 4",
+        "vue": "^3",
+        "vue-router": "^4"
+      },
+      "peerDependenciesMeta": {
+        "@remix-run/react": {
+          "optional": true
+        },
+        "@sveltejs/kit": {
+          "optional": true
+        },
+        "next": {
+          "optional": true
+        },
+        "nuxt": {
+          "optional": true
+        },
+        "react": {
+          "optional": true
+        },
+        "svelte": {
+          "optional": true
+        },
+        "vue": {
+          "optional": true
+        },
+        "vue-router": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/caniuse-lite": {
       "version": "1.0.30001777",
       "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001777.tgz",

package/site/package.json

@@ -8,6 +8,7 @@
     "start": "next start"
   },
   "dependencies": {
+    "@vercel/analytics": "^2.0.1",
     "geist": "^1.7.0",
     "next": "^15.1.0",
     "react": "^19.0.0",

package/site/src/app/copy-command.tsx

@@ -23,9 +23,7 @@ export function CopyCommand({
     >
       <span className="text-stone-400 font-mono">$</span>{" "}
       <span className="font-mono">{command}</span>
-      <span className="ml-0 max-w-0 overflow-hidden whitespace-nowrap text-xs text-stone-400 transition-all duration-300 ease-in-out group-hover:ml-2 group-hover:max-w-[6rem]">
-        {copied ? "✓ copied" : "click to copy"}
-      </span>
+      {copied && <span className="ml-2 text-xs text-stone-400">✓ copied</span>}
     </button>
   );
 }

package/site/src/app/layout.tsx

@@ -2,6 +2,7 @@ import type { Metadata } from "next";
 import { GeistSans } from "geist/font/sans";
 import { GeistMono } from "geist/font/mono";
 import { GeistPixelSquare } from "geist/font/pixel";
+import { Analytics } from "@vercel/analytics/react";
 import "./globals.css";
 
 export const metadata: Metadata = {
@@ -58,7 +59,7 @@ export default function RootLayout({
 }) {
   return (
     <html lang="en" className={`${GeistSans.variable} ${GeistMono.variable} ${GeistPixelSquare.variable}`} style={{ colorScheme: "light" }}>
-      <body className="bg-stone-50 text-stone-900 font-sans">{children}</body>
+      <body className="bg-stone-50 text-stone-900 font-sans">{children}<Analytics /></body>
     </html>
   );
 }

package/src/ai/agent.ts

@@ -24,8 +24,16 @@ export async function handleMessage(
   // Save incoming message
   saveMessage(db, "user", userMessage);
 
-  // Load conversation context
-  const history = getConversationHistory(db, 20);
+  // Load conversation context, truncated to fit token budget
+  const rawHistory = getConversationHistory(db, 30);
+  const MAX_HISTORY_CHARS = 24_000; // ~6k tokens, leaves room for system prompt + response
+  let historyChars = 0;
+  const history = [];
+  for (let i = rawHistory.length - 1; i >= 0; i--) {
+    historyChars += rawHistory[i].content.length;
+    if (historyChars > MAX_HISTORY_CHARS) break;
+    history.unshift(rawHistory[i]);
+  }
 
   // Build system prompt and redact PII before sending to API
   const systemPrompt = redact(buildSystemPrompt(db));
@@ -100,7 +108,11 @@ export async function handleMessage(
 
     return responseText || "I looked into that but couldn't formulate a response. Could you try rephrasing?";
   } catch (error: any) {
-    console.error("AI agent error:", error.message);
+    // Log full error internally but don't expose details to user
+    const safeMessage = error.status
+      ? `API error (${error.status})`
+      : "internal error";
+    console.error("AI agent error:", safeMessage);
     return "Sorry, I had trouble processing that. Could you try again?";
   }
 }

package/src/ai/context.ts

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from "fs";
 import { resolve } from "path";
 import { homedir } from "os";
 
@@ -20,7 +20,8 @@ export function readContext(): string {
 export function writeContext(content: string): void {
   const dir = resolve(homedir(), ".ray");
   if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-  writeFileSync(CONTEXT_PATH, content, "utf-8");
+  writeFileSync(CONTEXT_PATH, content, { encoding: "utf-8", mode: 0o600 });
+  try { chmodSync(CONTEXT_PATH, 0o600); } catch {}
 }
 
 export function isContextEmpty(): boolean {

package/src/ai/insights.ts

@@ -318,7 +318,8 @@ export function cliBriefing(db: Database.Database): string | null {
 
   // Net worth headline
   const nw = getNetWorth(db);
-  let nwLine = chalk.white(`  ${fmtMoney(nw.net_worth)}`);
+  const nwStr = nw.net_worth < 0 ? `-${fmtMoney(nw.net_worth)}` : fmtMoney(nw.net_worth);
+  let nwLine = chalk.white(`  ${nwStr}`);
   if (nw.prev_net_worth !== null) {
     const change = nw.net_worth - nw.prev_net_worth;
     nwLine += change >= 0
@@ -326,6 +327,16 @@ export function cliBriefing(db: Database.Database): string | null {
       : chalk.red(` -${fmtMoney(Math.abs(change))}`);
   }
   lines.push(chalk.dim("  net worth") + nwLine);
+
+  // Account balances
+  const accounts = getAccountBalances(db);
+  if (accounts.length > 0) {
+    const acctStrs = accounts.slice(0, 5).map(a => {
+      const bal = a.type === "credit" ? `-${fmtMoney(a.balance)}` : fmtMoney(a.balance);
+      return `${chalk.dim(a.name.toLowerCase())} ${chalk.white(bal)}`;
+    });
+    lines.push("  " + acctStrs.join(chalk.dim("  ·  ")));
+  }
   lines.push("");
 
   // Spending vs last month
@@ -363,7 +374,7 @@ export function cliBriefing(db: Database.Database): string | null {
         .slice(0, 4);
       if (movers.length > 0) {
         const moverStrs = movers.map(m => {
-          const label = categoryLabel(m.category);
+          const label = categoryLabel(m.category).toLowerCase();
           const color = m.diff <= 0 ? chalk.green : chalk.red;
           const sign = m.diff <= 0 ? "-" : "+";
           return `${chalk.dim(label)} ${color(`${sign}${fmtMoney(Math.abs(m.diff))}`)}`;
@@ -384,7 +395,7 @@ export function cliBriefing(db: Database.Database): string | null {
       const pct = Math.round(b.pct_used);
       const color = b.over_budget ? chalk.red : chalk.yellow;
       const bar = miniBar(b.pct_used);
-      lines.push(`  ${bar}  ${color(categoryLabel(b.category))} ${chalk.dim(`${pct}%`)}`);
+      lines.push(`  ${bar}  ${color(categoryLabel(b.category).toLowerCase())} ${chalk.dim(`${pct}%`)}`);
     }
   }
 
@@ -472,3 +483,14 @@ function buildScore(db: Database.Database): string | null {
 
   return line;
 }
+
+function timeAgo(past: Date, now: Date): string {
+  const diffMs = now.getTime() - past.getTime();
+  const mins = Math.floor(diffMs / 60000);
+  if (mins < 1) return "just now";
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}

package/src/ai/redactor.test.ts

@@ -0,0 +1,63 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+vi.mock("../config.js", () => ({
+  config: { userName: "John Smith" },
+}));
+
+vi.mock("./context.js", () => ({
+  readContext: vi.fn().mockReturnValue(
+    `## Family
+- Partner: Jane Doe (wife)
+- Max (son)
+
+## Income
+- $120k/year from Acme Corp
+
+## Accounts
+- Checking at Chase
+`
+  ),
+}));
+
+import { redact, unredact } from "./redactor.js";
+
+describe("redact", () => {
+  it("redacts user full name", () => {
+    expect(redact("John Smith earned $100")).toBe("[USER] earned $100");
+  });
+
+  it("redacts user first and last name separately", () => {
+    expect(redact("Hi John, Mr. Smith")).toBe("Hi [USER_FIRST], Mr. [USER_LAST]");
+  });
+
+  it("redacts partner name", () => {
+    expect(redact("Jane Doe said hello")).toBe("[PARTNER] said hello");
+  });
+
+  it("redacts employer", () => {
+    expect(redact("Works at Acme Corp")).toBe("Works at [EMPLOYER]");
+  });
+
+  it("redacts SSN with dashes", () => {
+    expect(redact("SSN: 123-45-6789")).toBe("SSN: [SSN]");
+  });
+
+  it("redacts credit card numbers", () => {
+    expect(redact("Card: 4111 1111 1111 1111")).toBe("Card: [CARD]");
+  });
+
+  it("leaves text without PII unchanged", () => {
+    const text = "The weather is nice today";
+    expect(redact(text)).toBe(text);
+  });
+});
+
+describe("unredact", () => {
+  it("restores user name tokens", () => {
+    expect(unredact("Hello [USER]")).toBe("Hello John Smith");
+  });
+
+  it("restores partner tokens", () => {
+    expect(unredact("[PARTNER] called")).toBe("Jane Doe called");
+  });
+});