ray-finance 0.2.2 → 0.2.3

package/src/ai/redactor.ts

@@ -82,12 +82,24 @@ function buildRedactions(): RedactionEntry[] {
   return entries;
 }
 
+// Patterns for numeric PII that should never reach the API
+const NUMERIC_PII_PATTERNS: [RegExp, string][] = [
+  [/\b\d{3}-\d{2}-\d{4}\b/g, "[SSN]"],           // SSN: 123-45-6789
+  [/\b\d{9}\b(?=\s|$|[,.])/g, "[SSN]"],           // SSN without dashes
+  [/\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, "[CARD]"], // Credit card
+  [/\b\d{9,12}\b(?=\s|$|[,.])/g, "[ACCT]"],       // Account/routing numbers
+];
+
 export function redact(text: string): string {
   const redactions = buildRedactions();
   let result = text;
   for (const { real, token } of redactions) {
     result = result.replaceAll(real, token);
   }
+  // Redact numeric PII patterns
+  for (const [pattern, replacement] of NUMERIC_PII_PATTERNS) {
+    result = result.replace(pattern, replacement);
+  }
   return result;
 }
 

package/src/ai/system-prompt.ts

@@ -32,9 +32,9 @@ Today is ${dateStr}.
 4. End with what to do, not just what happened. A good CFO always has a next step.
 
 ## Formatting (terminal output)
-- Plain text only. No markdown syntax — no asterisks, no hashtags, no backticks.
+- Use markdown sparingly: **bold** for key numbers or emphasis, ## for section headers. No backticks or code blocks.
 - Use line breaks, dashes, and simple alignment for structure.
-- Use ALL CAPS or dashes for emphasis instead of bold/italic.
+- Use bullet points (- ) for lists.
 
 ## Tools
 - Always use tools to look up current data. Never guess balances, spending, or dates.

package/src/ai/tools.ts

@@ -704,6 +704,10 @@ export async function executeTool(db: Database.Database, toolName: string, toolI
     }
 
     case "add_recat_rule": {
+      const allowedFields = ["name", "merchant_name", "category", "subcategory"];
+      if (!allowedFields.includes(toolInput.match_field)) {
+        return `Invalid match_field "${toolInput.match_field}". Must be one of: ${allowedFields.join(", ")}`;
+      }
       db.prepare(
         `INSERT INTO recategorization_rules (match_field, match_pattern, target_category, target_subcategory, label) VALUES (?, ?, ?, ?, ?)`
       ).run(toolInput.match_field, toolInput.match_pattern, toolInput.target_category, toolInput.target_subcategory || null, toolInput.label || null);

package/src/cli/backup.ts

@@ -67,16 +67,23 @@ export function runImport(inputPath: string): void {
     writeContext(backup.context);
   }
 
-  // Restore memories
-  const insertMemory = db.prepare("INSERT INTO memories (content, category) VALUES (?, ?)");
+  // Restore memories (skip exact duplicates)
+  const insertMemory = db.prepare(
+    "INSERT INTO memories (content, category) SELECT ?, ? WHERE NOT EXISTS (SELECT 1 FROM memories WHERE content = ? AND category = ?)"
+  );
   for (const m of backup.memories) {
-    insertMemory.run(m.content, m.category);
+    insertMemory.run(m.content, m.category, m.content, m.category);
   }
 
-  // Restore goals
-  const insertGoal = db.prepare("INSERT INTO goals (name, target_amount, current_amount, deadline, status) VALUES (?, ?, ?, ?, ?)");
+  // Restore goals (skip if name already exists)
+  const existingGoal = db.prepare("SELECT 1 FROM goals WHERE name = ?");
+  const insertGoal = db.prepare(
+    "INSERT INTO goals (name, target_amount, current_amount, deadline, status) VALUES (?, ?, ?, ?, ?)"
+  );
   for (const g of backup.goals) {
-    insertGoal.run(g.name, g.target_amount, g.current_amount, g.deadline, g.status);
+    if (!existingGoal.get(g.name)) {
+      insertGoal.run(g.name, g.target_amount, g.current_amount, g.deadline, g.status);
+    }
   }
 
   // Restore budgets
@@ -87,10 +94,13 @@ export function runImport(inputPath: string): void {
     insertBudget.run(b.category, b.monthly_limit, b.period);
   }
 
-  // Restore recat rules
+  // Restore recat rules (skip exact duplicates)
+  const existingRule = db.prepare("SELECT 1 FROM recategorization_rules WHERE match_field = ? AND match_pattern = ? AND target_category = ?");
   const insertRule = db.prepare("INSERT INTO recategorization_rules (match_field, match_pattern, target_category, target_subcategory, label) VALUES (?, ?, ?, ?, ?)");
   for (const r of backup.recat_rules) {
-    insertRule.run(r.match_field, r.match_pattern, r.target_category, r.target_subcategory, r.label);
+    if (!existingRule.get(r.match_field, r.match_pattern, r.target_category)) {
+      insertRule.run(r.match_field, r.match_pattern, r.target_category, r.target_subcategory, r.label);
+    }
   }
 
   // Restore settings
@@ -99,10 +109,13 @@ export function runImport(inputPath: string): void {
     insertSetting.run(s.key, s.value);
   }
 
-  // Restore milestones
+  // Restore milestones (skip if name already exists)
+  const existingMilestone = db.prepare("SELECT 1 FROM milestones WHERE name = ?");
   const insertMilestone = db.prepare("INSERT INTO milestones (name, target_date, monthly_savings, description) VALUES (?, ?, ?, ?)");
   for (const m of backup.milestones) {
-    insertMilestone.run(m.name, m.target_date, m.monthly_savings, m.description);
+    if (!existingMilestone.get(m.name)) {
+      insertMilestone.run(m.name, m.target_date, m.monthly_savings, m.description);
+    }
   }
 
   console.log(chalk.green(`\nBackup restored from ${inputPath}`));

package/src/cli/chat.ts

@@ -1,29 +1,106 @@
-import * as readline from "readline/promises";
 import chalk from "chalk";
 import { getDb } from "../db/connection.js";
 import { handleMessage } from "../ai/agent.js";
 import { config } from "../config.js";
 import { isContextEmpty } from "../ai/context.js";
 import { cliBriefing } from "../ai/insights.js";
-import { DISCLAIMER } from "./format.js";
+import { banner, DISCLAIMER, formatResponse } from "./format.js";
+
+/** Raw-mode line reader that renders content below the cursor while waiting for input */
+function rawReadLine(prompt: string, belowLines: string[]): Promise<string> {
+  return new Promise((resolve) => {
+    let buf = "";
+    const out = process.stdout;
+
+    // Render: prompt on current line, then content below, then restore cursor
+    out.write(prompt);
+    if (belowLines.length > 0) {
+      // Save cursor, render below, restore
+      out.write("\x1b[s");
+      out.write("\n" + belowLines.join("\n"));
+      out.write("\x1b[u");
+    }
+
+    process.stdin.setRawMode!(true);
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+
+    const cleanup = () => {
+      process.stdin.setRawMode!(false);
+      process.stdin.removeListener("data", onData);
+      process.stdin.pause();
+    };
+
+    const onData = (chunk: string) => {
+      for (let i = 0; i < chunk.length; i++) {
+        const code = chunk.charCodeAt(i);
+
+        // Ctrl+C / Ctrl+D
+        if (code === 3 || code === 4) {
+          cleanup();
+          out.write("\n");
+          resolve("\x03");
+          return;
+        }
+
+        // Enter
+        if (code === 13) {
+          cleanup();
+          // Move past the below-content lines, then newline
+          for (let j = 0; j < belowLines.length; j++) out.write("\x1b[1B");
+          out.write("\n");
+          resolve(buf);
+          return;
+        }
+
+        // Backspace
+        if (code === 127 || code === 8) {
+          if (buf.length > 0) {
+            buf = buf.slice(0, -1);
+            out.write("\b \b");
+          }
+          continue;
+        }
+
+        // Skip escape sequences (arrow keys etc.)
+        if (code === 27) {
+          if (i + 1 < chunk.length && chunk[i + 1] === "[") {
+            i += 2;
+            while (i < chunk.length && chunk.charCodeAt(i) < 64) i++;
+          }
+          continue;
+        }
+
+        // Printable characters
+        if (code >= 32) {
+          buf += chunk[i];
+          out.write(chunk[i]);
+        }
+      }
+    };
+
+    process.stdin.on("data", onData);
+  });
+}
 
 export async function startChat(): Promise<void> {
   const ora = (await import("ora")).default;
   const db = getDb();
 
-  // Show briefing instead of generic header
+  // Show logo + briefing
+  console.log("");
+  console.log(banner());
+  console.log("");
+
   const briefing = cliBriefing(db);
   if (briefing) {
     const now = new Date();
-    const timeStr = now.toLocaleDateString("en-US", { weekday: "long", month: "short", day: "numeric" });
-    console.log("");
+    const timeStr = now.toLocaleDateString("en-US", { weekday: "long", month: "short", day: "numeric" }).toLowerCase();
     console.log(chalk.dim(`  ${timeStr}`));
     console.log("");
     console.log(briefing);
-    console.log("");
-    console.log(chalk.dim("─".repeat(process.stdout.columns || 80)));
   } else {
-    console.log(chalk.bold(`\nray`) + chalk.dim(` — ${config.userName}`));
+    console.log(chalk.bold(`ray`) + chalk.dim(` — ${config.userName}`));
   }
   console.log("");
 
@@ -60,46 +137,83 @@ export async function startChat(): Promise<void> {
     }
   }
 
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout,
-  });
-
   const shutdown = () => {
     console.log(chalk.dim("\nGoodbye!"));
-    rl.close();
     process.exit(0);
   };
 
-  process.on("SIGINT", shutdown);
-
-  try {
-    while (true) {
-      const cols = process.stdout.columns || 80;
-      const rule = chalk.dim("─".repeat(cols));
-      console.log(rule);
-      const input = await rl.question(chalk.dim("❯ "));
-      console.log(rule);
-      const trimmed = input.trim();
-
-      if (!trimmed) continue;
-      if (trimmed === "/quit" || trimmed === "/exit" || trimmed === "/q") {
-        shutdown();
-        break;
-      }
+  const hints = [
+    "try: how am i doing this month?",
+    "try: where's my money going?",
+    "try: what bills are coming up?",
+    "try: help me save more",
+    "try: am i on track for my goals?",
+    "try: any unusual spending lately?",
+    "try: what should i focus on?",
+    "try: compare this month to last month",
+    "try: set a budget for dining out",
+    "try: how much did i spend on groceries?",
+  ];
+  let hintIdx = Math.floor(Math.random() * hints.length);
+
+  const getFooterText = () => {
+    const lastSync = db.prepare(`SELECT MAX(updated_at) as ts FROM accounts`).get() as { ts: string | null };
+    let syncStr = "";
+    if (lastSync.ts) {
+      const diffMs = Date.now() - new Date(lastSync.ts + "Z").getTime();
+      const mins = Math.floor(diffMs / 60000);
+      if (mins < 1) syncStr = "synced just now";
+      else if (mins < 60) syncStr = `synced ${mins}m ago`;
+      else if (mins < 1440) syncStr = `synced ${Math.floor(mins / 60)}h ago`;
+      else syncStr = `synced ${Math.floor(mins / 1440)}d ago`;
+    }
+    const parts = ["ray"];
+    if (syncStr) parts.push(syncStr);
+    parts.push(hints[hintIdx]);
+    hintIdx = (hintIdx + 1) % hints.length;
+    return parts.join("  ·  ");
+  };
 
-      const spinner = ora({ text: "Thinking...", color: "cyan", discardStdin: false }).start();
+  while (true) {
+    const cols = process.stdout.columns || 80;
+    const rule = chalk.dim("─".repeat(cols));
+    const footerText = chalk.dim(`  ${getFooterText()}`);
 
-      try {
-        const response = await handleMessage(db, trimmed);
-        spinner.stop();
-        console.log(`\n${response}\n`);
-      } catch (err: any) {
-        spinner.stop();
-        console.error(chalk.red("Error: " + err.message));
-      }
+    // Ensure room below for top rule + prompt + bottom rule + footer (3 lines below start)
+    process.stdout.write("\n\n\n");
+    process.stdout.write("\x1b[3A\r");
+
+    // Print top rule, then prompt with bottom rule + footer rendered below
+    console.log(rule);
+    const input = await rawReadLine(chalk.dim("❯ "), [rule, footerText]);
+
+    const trimmed = input.trim();
+
+    if (!trimmed) continue;
+
+    // Replace prompt frame with gray-background user message
+    // Move up 4 lines (footer, bottom rule, prompt, top rule) and clear them
+    process.stdout.write("\x1b[4A\r");
+    for (let i = 0; i < 4; i++) process.stdout.write("\x1b[2K\x1b[1B");
+    process.stdout.write("\x1b[4A\r");
+    // Print user message with gray background, padded to full width
+    const msgText = `❯ ${trimmed}`;
+    const pad = Math.max(0, cols - msgText.length);
+    console.log(chalk.bgGray.white(msgText + " ".repeat(pad)));
+    if (trimmed === "\x03" || trimmed === "/quit" || trimmed === "/exit" || trimmed === "/q") {
+      shutdown();
+      break;
+    }
+
+    const spinner = ora({ text: "Thinking...", color: "cyan", discardStdin: false }).start();
+
+    try {
+      const response = await handleMessage(db, trimmed);
+      spinner.stop();
+      console.log(`\n${formatResponse(response)}\n`);
+    } catch (err: any) {
+      spinner.stop();
+      console.error(chalk.red("Error: " + err.message));
     }
-  } finally {
-    rl.close();
   }
 }

package/src/cli/format.ts

@@ -144,6 +144,37 @@ export function helpScreen(
   return sections.join("\n");
 }
 
+/** Colorize AI response text for the terminal */
+export function formatResponse(text: string): string {
+  return text
+    .split("\n")
+    .map((line) => {
+      // Section headers: ## Header or ### Header
+      if (/^#{1,3}\s+/.test(line)) {
+        return chalk.bold(line.replace(/^#{1,3}\s+/, ""));
+      }
+
+      // Bold: **text**
+      line = line.replace(/\*\*(.+?)\*\*/g, (_, t) => chalk.bold(t));
+
+      // Money amounts: $1,234 or $1,234.56 or -$500
+      line = line.replace(/-?\$[\d,]+(?:\.\d{1,2})?/g, (m) => {
+        return m.startsWith("-") ? chalk.red(m) : chalk.green(m);
+      });
+
+      // Percentages
+      line = line.replace(/(\d+(?:\.\d+)?%)/g, (m) => chalk.yellow(m));
+
+      // Bullet points
+      if (/^\s*[-•]\s/.test(line)) {
+        line = line.replace(/^(\s*)([-•])(\s)/, (_, sp, b, s) => sp + chalk.dim(b) + s);
+      }
+
+      return line;
+    })
+    .join("\n");
+}
+
 export const DISCLAIMER =
   "Ray is an AI tool, not a licensed financial advisor. Output is informational, " +
   "may be inaccurate, and does not constitute financial advice.";

package/src/cli/index.ts

@@ -1,14 +1,18 @@
 #!/usr/bin/env node
 import { Command } from "commander";
+import { createRequire } from "module";
 import { config, isConfigured, useManaged, RAY_PROXY_BASE } from "../config.js";
 import { helpScreen } from "./format.js";
 
+const require = createRequire(import.meta.url);
+const { version } = require("../../package.json");
+
 const program = new Command();
 
 program
   .name("ray")
   .description("Personal finance AI assistant")
-  .version("0.2.0")
+  .version(version)
   .addHelpCommand(false)
   .action(async () => {
     if (!isConfigured()) {
@@ -158,7 +162,13 @@ program
         },
       });
       const { url } = await resp.json() as { url: string };
-      await open(url);
+      // Only open URLs from trusted domains
+      const parsed = new URL(url);
+      if (!parsed.hostname.endsWith("stripe.com") && !parsed.hostname.endsWith("rayfinance.app")) {
+        console.error("Unexpected billing URL. Visit https://rayfinance.app/billing");
+      } else {
+        await open(url);
+      }
     } catch {
       console.error("Could not open billing portal. Visit https://rayfinance.app/billing");
     }

package/src/cli/setup.ts

@@ -61,7 +61,12 @@ export async function runSetup(): Promise<void> {
           headers: { "content-type": "application/json" },
         });
         const { url } = await resp.json() as { url: string };
-        await open(url);
+        const parsed = new URL(url);
+        if (!parsed.hostname.endsWith("stripe.com") && !parsed.hostname.endsWith("rayfinance.app")) {
+          console.log(dim(`  Unexpected checkout URL. Visit https://rayfinance.app to subscribe.\n`));
+        } else {
+          await open(url);
+        }
       } catch {
         console.log(dim(`  Could not open checkout automatically.`));
         console.log(dim(`  Re-run ray setup to try again.\n`));

package/src/daily-sync.test.ts

@@ -0,0 +1,150 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import Database from "better-sqlite3-multiple-ciphers";
+import { migrate } from "./db/schema.js";
+import { encryptPlaidToken } from "./db/encryption.js";
+
+// Mock Plaid sync functions
+vi.mock("./plaid/sync.js", () => ({
+  syncBalances: vi.fn().mockResolvedValue(3),
+  syncTransactions: vi.fn().mockResolvedValue({ added: 5, modified: 0, removed: 0 }),
+  syncInvestments: vi.fn().mockResolvedValue({ holdings: 2, securities: 2 }),
+  syncLiabilities: vi.fn().mockResolvedValue(undefined),
+}));
+
+// Mock scoring
+vi.mock("./scoring/index.js", () => ({
+  calculateDailyScore: vi.fn().mockReturnValue({ score: 75 }),
+  checkAchievements: vi.fn().mockReturnValue([]),
+}));
+
+// Mock config
+vi.mock("./config.js", () => ({
+  config: { plaidTokenSecret: "test-secret" },
+}));
+
+import { runDailySync } from "./daily-sync.js";
+import { syncBalances, syncTransactions } from "./plaid/sync.js";
+
+type DB = InstanceType<typeof Database>;
+
+function createTestDb(): DB {
+  const db = new Database(":memory:");
+  db.pragma("foreign_keys = ON");
+  migrate(db);
+  return db;
+}
+
+function seedInstitution(db: DB, opts: { id: string; token: string; products: string[]; name?: string }) {
+  db.prepare(`INSERT INTO institutions (item_id, access_token, name, products) VALUES (?, ?, ?, ?)`)
+    .run(opts.id, opts.token, opts.name || "Test Bank", JSON.stringify(opts.products));
+}
+
+describe("runDailySync", () => {
+  let db: DB;
+
+  beforeEach(() => {
+    db = createTestDb();
+    vi.clearAllMocks();
+  });
+
+  it("returns early with no institutions", async () => {
+    await runDailySync(db);
+    expect(syncBalances).not.toHaveBeenCalled();
+  });
+
+  it("skips manual institutions", async () => {
+    seedInstitution(db, { id: "i1", token: "manual", products: ["transactions"] });
+    await runDailySync(db);
+    expect(syncBalances).not.toHaveBeenCalled();
+  });
+
+  it("skips institutions with bad encrypted token", async () => {
+    seedInstitution(db, { id: "i1", token: "not:valid:encrypted:data", products: ["transactions"] });
+    // Should not throw — logs error and continues
+    await runDailySync(db);
+    expect(syncBalances).not.toHaveBeenCalled();
+  });
+
+  it("syncs institution with valid encrypted token", async () => {
+    const encrypted = encryptPlaidToken("access-sandbox-123", "test-secret");
+    seedInstitution(db, { id: "i1", token: encrypted, products: ["transactions"] });
+    await runDailySync(db);
+    expect(syncBalances).toHaveBeenCalledTimes(1);
+    expect(syncTransactions).toHaveBeenCalledTimes(1);
+  });
+
+  it("writes net worth snapshot", async () => {
+    // Seed accounts so net worth is computed
+    db.prepare(`INSERT INTO institutions (item_id, access_token, name, products) VALUES (?, 'manual', ?, '[]')`)
+      .run("i1", "Bank");
+    db.prepare(`INSERT INTO accounts (account_id, item_id, name, type, current_balance) VALUES (?, ?, ?, ?, ?)`)
+      .run("a1", "i1", "Checking", "depository", 5000);
+    db.prepare(`INSERT INTO accounts (account_id, item_id, name, type, current_balance) VALUES (?, ?, ?, ?, ?)`)
+      .run("a2", "i1", "CC", "credit", 1000);
+
+    await runDailySync(db);
+
+    const row = db.prepare(`SELECT * FROM net_worth_history`).get() as any;
+    expect(row.total_assets).toBe(5000);
+    expect(row.total_liabilities).toBe(1000);
+    expect(row.net_worth).toBe(4000);
+  });
+
+  it("upserts net worth on same day", async () => {
+    db.prepare(`INSERT INTO institutions (item_id, access_token, name, products) VALUES (?, 'manual', ?, '[]')`)
+      .run("i1", "Bank");
+    db.prepare(`INSERT INTO accounts (account_id, item_id, name, type, current_balance) VALUES (?, ?, ?, ?, ?)`)
+      .run("a1", "i1", "Checking", "depository", 5000);
+
+    await runDailySync(db);
+    // Update balance and sync again
+    db.prepare(`UPDATE accounts SET current_balance = 6000 WHERE account_id = 'a1'`).run();
+    await runDailySync(db);
+
+    const rows = db.prepare(`SELECT * FROM net_worth_history`).all();
+    expect(rows.length).toBe(1); // upsert, not duplicate
+    expect((rows[0] as any).net_worth).toBe(6000);
+  });
+});
+
+describe("recategorization rules", () => {
+  let db: DB;
+
+  beforeEach(() => {
+    db = createTestDb();
+    vi.clearAllMocks();
+    // Need at least a manual institution so sync reaches recat logic
+    db.prepare(`INSERT INTO institutions (item_id, access_token, name, products) VALUES (?, 'manual', ?, '[]')`)
+      .run("i1", "Bank");
+  });
+
+  it("applies matching rules", async () => {
+    db.prepare(`INSERT INTO accounts (account_id, item_id, name, type, current_balance) VALUES (?, ?, ?, ?, ?)`)
+      .run("a1", "i1", "Checking", "depository", 1000);
+    db.prepare(`INSERT INTO transactions (transaction_id, account_id, amount, date, name, category) VALUES (?, ?, ?, ?, ?, ?)`)
+      .run("t1", "a1", 50, "2025-01-15", "AMAZON MARKETPLACE", "GENERAL_MERCHANDISE");
+    db.prepare(`INSERT INTO recategorization_rules (match_field, match_pattern, target_category, label) VALUES (?, ?, ?, ?)`)
+      .run("name", "%AMAZON%", "GENERAL_MERCHANDISE_ONLINE", "Amazon → Online Shopping");
+
+    await runDailySync(db);
+
+    const txn = db.prepare(`SELECT category FROM transactions WHERE transaction_id = 't1'`).get() as any;
+    expect(txn.category).toBe("GENERAL_MERCHANDISE_ONLINE");
+  });
+
+  it("skips rules with invalid match_field", async () => {
+    db.prepare(`INSERT INTO accounts (account_id, item_id, name, type, current_balance) VALUES (?, ?, ?, ?, ?)`)
+      .run("a1", "i1", "Checking", "depository", 1000);
+    db.prepare(`INSERT INTO transactions (transaction_id, account_id, amount, date, name, category) VALUES (?, ?, ?, ?, ?, ?)`)
+      .run("t1", "a1", 50, "2025-01-15", "Test", "OTHER");
+    // Inject an invalid field name
+    db.prepare(`INSERT INTO recategorization_rules (match_field, match_pattern, target_category, label) VALUES (?, ?, ?, ?)`)
+      .run("transaction_id; DROP TABLE transactions --", "%", "HACKED", "Bad rule");
+
+    await runDailySync(db);
+
+    // Transaction should be unchanged
+    const txn = db.prepare(`SELECT category FROM transactions WHERE transaction_id = 't1'`).get() as any;
+    expect(txn.category).toBe("OTHER");
+  });
+});

package/src/daily-sync.ts

@@ -7,6 +7,8 @@ import {
   syncLiabilities,
 } from "./plaid/sync.js";
 import { calculateDailyScore, checkAchievements } from "./scoring/index.js";
+import { decryptPlaidToken } from "./db/encryption.js";
+import { config } from "./config.js";
 
 /** Run the daily sync for a single database */
 export async function runDailySync(db: Database) {
@@ -31,12 +33,25 @@ export async function runDailySync(db: Database) {
       continue;
     }
 
+    // Decrypt the stored access token
+    let accessToken: string;
+    try {
+      if (!config.plaidTokenSecret) {
+        console.error(`  Skipping ${inst.name}: no plaidTokenSecret configured`);
+        continue;
+      }
+      accessToken = decryptPlaidToken(inst.access_token, config.plaidTokenSecret);
+    } catch {
+      console.error(`  Skipping ${inst.name}: failed to decrypt access token (wrong key or corrupt data)`);
+      continue;
+    }
+
     const products: string[] = JSON.parse(inst.products);
     console.log(`Syncing: ${inst.name} (${products.join(", ")})`);
 
     try {
       // Always sync balances
-      const accountCount = await syncBalances(db, inst.access_token);
+      const accountCount = await syncBalances(db, accessToken);
       console.log(`  Accounts: ${accountCount}`);
 
       // Sync transactions if available
@@ -44,7 +59,7 @@ export async function runDailySync(db: Database) {
         const txResult = await syncTransactions(
           db,
           inst.item_id,
-          inst.access_token,
+          accessToken,
           inst.cursor
         );
         console.log(
@@ -54,7 +69,7 @@ export async function runDailySync(db: Database) {
 
       // Sync investments if available
       if (products.includes("investments")) {
-        const invResult = await syncInvestments(db, inst.access_token);
+        const invResult = await syncInvestments(db, accessToken);
         console.log(
           `  Investments: ${invResult.holdings} holdings, ${invResult.securities} securities`
         );
@@ -62,7 +77,7 @@ export async function runDailySync(db: Database) {
 
       // Sync liabilities if available
       if (products.includes("liabilities")) {
-        await syncLiabilities(db, inst.access_token);
+        await syncLiabilities(db, accessToken);
         console.log(`  Liabilities: synced`);
       }
     } catch (err: any) {

package/src/db/connection.ts

@@ -16,7 +16,18 @@ function openDb(dbPath: string, encryptionKey?: string): Database.Database {
     const hexKey = Buffer.from(encryptionKey, "utf8").toString("hex");
     db.pragma(`key="x'${hexKey}'"`);
   }
-  db.pragma("journal_mode = WAL");
+
+  // Verify the key works before proceeding
+  try {
+    db.pragma("journal_mode = WAL");
+  } catch (err: any) {
+    db.close();
+    throw new Error(
+      "Failed to open database. Wrong encryption key or corrupt database file. " +
+      "If you changed your encryption key, restore from backup or delete ~/.ray/data/finance.db to start fresh."
+    );
+  }
+
   db.pragma("foreign_keys = ON");
   migrate(db);
   try { chmodSync(dbPath, 0o600); } catch {}