ray-finance 0.2.2 → 0.2.4

package/README.md

@@ -1,6 +1,18 @@
-# Ray
+<p align="center">
+  <img src=".github/ray-logo.png" alt="Ray" width="120" />
+</p>
 
-An open-source CLI that connects to your bank and already knows your finances before you ask.
+<p align="center">
+  An open-source CLI that connects to your bank and already knows your finances before you ask.
+</p>
+
+<p align="center">
+  <a href="https://www.npmjs.com/package/ray-finance"><img src="https://img.shields.io/npm/v/ray-finance.svg" alt="npm version" /></a>
+  <a href="https://github.com/cdinnison/ray-finance/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="MIT License" /></a>
+  <a href="https://github.com/cdinnison/ray-finance/stargazers"><img src="https://img.shields.io/github/stars/cdinnison/ray-finance.svg?style=social" alt="GitHub stars" /></a>
+</p>
+
+<br />
 
 ```
   Friday, Mar 28
@@ -47,10 +59,16 @@ Open Ray and it shows your net worth, spending vs last month, budget pacing, and
 - **Scheduled daily sync** — Automatic bank sync via launchd (macOS) or cron (Linux)
 - **Export/import** — Back up and restore your financial data
 
+## Install
+
+```bash
+npm install -g ray-finance
+```
+
 ## Quick Start
 
 ```bash
-npx ray-finance setup
+ray setup
 ```
 
 The setup wizard offers two modes:
@@ -61,7 +79,7 @@ We handle the API keys. Your data stays local. $10/mo.
 
 1. Enter your name
 2. Get a Ray API key (opens Stripe checkout)
-3. Connect your bank
+3. Link your accounts — checking, savings, credit cards, investments, loans, mortgage
 4. Done — daily sync auto-scheduled at 6am
 
 ### Self-hosted
@@ -70,11 +88,13 @@ Bring your own Anthropic and Plaid credentials. Free forever.
 
 1. Enter your Anthropic API key ([get one](https://console.anthropic.com))
 2. Enter your Plaid credentials ([get free keys](https://dashboard.plaid.com/signup))
-3. Connect your bank
+3. Link your accounts — checking, savings, credit cards, investments, loans, mortgage
 4. Done
 
 ## Commands
 
+Run `ray --help` to see all available commands.
+
 | Command | Description |
 |---------|-------------|
 | `ray` | Interactive AI chat with your financial advisor |
@@ -105,14 +125,13 @@ Bring your own Anthropic and Plaid credentials. Free forever.
                  └──────────┬──────────┘
                             │
                  ┌──────────▼──────────┐
-                 │      ray CLI        │
+                 │      ray CLI         │
                  │  insights · tools   │
                  │  scoring · alerts   │
                  └──────────┬──────────┘
                             │
-                  ┌─────────┴─────────┐
-                  │                   │
-           You (terminal)    Claude API (PII-masked)
+                      Claude API
+                     (PII-masked)
 ```
 
 Two outbound calls: Plaid (bank sync) and Anthropic (AI chat, PII-masked). Your financial data is never stored off your machine. No telemetry. No analytics.
@@ -153,7 +172,13 @@ PLAID_TOKEN_SECRET=    # Key for encrypting stored Plaid tokens
 RAY_API_KEY=           # Ray API key (managed mode, replaces the above)
 ```
 
-## Development
+## Roadmap
+
+- [ ] Daily digest email — morning summary of your finances
+
+Have an idea? [Open a PR](https://github.com/cdinnison/ray-finance/pulls).
+
+## Contributing
 
 ```bash
 git clone https://github.com/cdinnison/ray-finance.git
@@ -163,6 +188,8 @@ npm run build
 npm link   # Makes 'ray' available globally
 ```
 
+PRs welcome. Please open an issue first for large changes.
+
 ## License
 
-MIT
+[MIT](LICENSE)

package/dist/ai/agent.js

@@ -14,8 +14,17 @@ function supportsThinking(model) {
 export async function handleMessage(db, userMessage) {
     // Save incoming message
     saveMessage(db, "user", userMessage);
-    // Load conversation context
-    const history = getConversationHistory(db, 20);
+    // Load conversation context, truncated to fit token budget
+    const rawHistory = getConversationHistory(db, 30);
+    const MAX_HISTORY_CHARS = 24_000; // ~6k tokens, leaves room for system prompt + response
+    let historyChars = 0;
+    const history = [];
+    for (let i = rawHistory.length - 1; i >= 0; i--) {
+        historyChars += rawHistory[i].content.length;
+        if (historyChars > MAX_HISTORY_CHARS)
+            break;
+        history.unshift(rawHistory[i]);
+    }
     // Build system prompt and redact PII before sending to API
     const systemPrompt = redact(buildSystemPrompt(db));
     // Build messages array from history, redacting PII
@@ -74,7 +83,11 @@ export async function handleMessage(db, userMessage) {
         return responseText || "I looked into that but couldn't formulate a response. Could you try rephrasing?";
     }
     catch (error) {
-        console.error("AI agent error:", error.message);
+        // Log full error internally but don't expose details to user
+        const safeMessage = error.status
+            ? `API error (${error.status})`
+            : "internal error";
+        console.error("AI agent error:", safeMessage);
         return "Sorry, I had trouble processing that. Could you try again?";
     }
 }

package/dist/ai/context.js

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from "fs";
 import { resolve } from "path";
 import { homedir } from "os";
 const CONTEXT_PATH = resolve(homedir(), ".ray", "context.md");
@@ -19,7 +19,11 @@ export function writeContext(content) {
     const dir = resolve(homedir(), ".ray");
     if (!existsSync(dir))
         mkdirSync(dir, { recursive: true });
-    writeFileSync(CONTEXT_PATH, content, "utf-8");
+    writeFileSync(CONTEXT_PATH, content, { encoding: "utf-8", mode: 0o600 });
+    try {
+        chmodSync(CONTEXT_PATH, 0o600);
+    }
+    catch { }
 }
 export function isContextEmpty() {
     const content = readContext();

package/dist/ai/insights.js

@@ -239,7 +239,8 @@ export function cliBriefing(db) {
     const lines = [];
     // Net worth headline
     const nw = getNetWorth(db);
-    let nwLine = chalk.white(`  ${fmtMoney(nw.net_worth)}`);
+    const nwStr = nw.net_worth < 0 ? `-${fmtMoney(nw.net_worth)}` : fmtMoney(nw.net_worth);
+    let nwLine = chalk.white(`  ${nwStr}`);
     if (nw.prev_net_worth !== null) {
         const change = nw.net_worth - nw.prev_net_worth;
         nwLine += change >= 0
@@ -247,6 +248,15 @@ export function cliBriefing(db) {
             : chalk.red(` -${fmtMoney(Math.abs(change))}`);
     }
     lines.push(chalk.dim("  net worth") + nwLine);
+    // Account balances
+    const accounts = getAccountBalances(db);
+    if (accounts.length > 0) {
+        const acctStrs = accounts.slice(0, 5).map(a => {
+            const bal = a.type === "credit" ? `-${fmtMoney(a.balance)}` : fmtMoney(a.balance);
+            return `${chalk.dim(a.name.toLowerCase())} ${chalk.white(bal)}`;
+        });
+        lines.push("  " + acctStrs.join(chalk.dim("  ·  ")));
+    }
     lines.push("");
     // Spending vs last month
     const monthStart = new Date(now.getFullYear(), now.getMonth(), 1);
@@ -271,7 +281,7 @@ export function cliBriefing(db) {
                 .slice(0, 4);
             if (movers.length > 0) {
                 const moverStrs = movers.map(m => {
-                    const label = categoryLabel(m.category);
+                    const label = categoryLabel(m.category).toLowerCase();
                     const color = m.diff <= 0 ? chalk.green : chalk.red;
                     const sign = m.diff <= 0 ? "-" : "+";
                     return `${chalk.dim(label)} ${color(`${sign}${fmtMoney(Math.abs(m.diff))}`)}`;
@@ -292,7 +302,7 @@ export function cliBriefing(db) {
             const pct = Math.round(b.pct_used);
             const color = b.over_budget ? chalk.red : chalk.yellow;
             const bar = miniBar(b.pct_used);
-            lines.push(`  ${bar}  ${color(categoryLabel(b.category))} ${chalk.dim(`${pct}%`)}`);
+            lines.push(`  ${bar}  ${color(categoryLabel(b.category).toLowerCase())} ${chalk.dim(`${pct}%`)}`);
         }
     }
     // Goals (compact)
@@ -376,3 +386,16 @@ function buildScore(db) {
     }
     return line;
 }
+function timeAgo(past, now) {
+    const diffMs = now.getTime() - past.getTime();
+    const mins = Math.floor(diffMs / 60000);
+    if (mins < 1)
+        return "just now";
+    if (mins < 60)
+        return `${mins}m ago`;
+    const hours = Math.floor(mins / 60);
+    if (hours < 24)
+        return `${hours}h ago`;
+    const days = Math.floor(hours / 24);
+    return `${days}d ago`;
+}

package/dist/ai/redactor.js

@@ -73,12 +73,23 @@ function buildRedactions() {
     entries.sort((a, b) => b.real.length - a.real.length);
     return entries;
 }
+// Patterns for numeric PII that should never reach the API
+const NUMERIC_PII_PATTERNS = [
+    [/\b\d{3}-\d{2}-\d{4}\b/g, "[SSN]"], // SSN: 123-45-6789
+    [/\b\d{9}\b(?=\s|$|[,.])/g, "[SSN]"], // SSN without dashes
+    [/\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, "[CARD]"], // Credit card
+    [/\b\d{9,12}\b(?=\s|$|[,.])/g, "[ACCT]"], // Account/routing numbers
+];
 export function redact(text) {
     const redactions = buildRedactions();
     let result = text;
     for (const { real, token } of redactions) {
         result = result.replaceAll(real, token);
     }
+    // Redact numeric PII patterns
+    for (const [pattern, replacement] of NUMERIC_PII_PATTERNS) {
+        result = result.replace(pattern, replacement);
+    }
     return result;
 }
 export function unredact(text) {

package/dist/ai/system-prompt.js

@@ -29,9 +29,9 @@ Today is ${dateStr}.
 4. End with what to do, not just what happened. A good CFO always has a next step.
 
 ## Formatting (terminal output)
-- Plain text only. No markdown syntax — no asterisks, no hashtags, no backticks.
+- Use markdown sparingly: **bold** for key numbers or emphasis, ## for section headers. No backticks or code blocks.
 - Use line breaks, dashes, and simple alignment for structure.
-- Use ALL CAPS or dashes for emphasis instead of bold/italic.
+- Use bullet points (- ) for lists.
 
 ## Tools
 - Always use tools to look up current data. Never guess balances, spending, or dates.

package/dist/ai/tools.js

@@ -686,6 +686,10 @@ export async function executeTool(db, toolName, toolInput) {
             return `Transaction labeled.`;
         }
         case "add_recat_rule": {
+            const allowedFields = ["name", "merchant_name", "category", "subcategory"];
+            if (!allowedFields.includes(toolInput.match_field)) {
+                return `Invalid match_field "${toolInput.match_field}". Must be one of: ${allowedFields.join(", ")}`;
+            }
             db.prepare(`INSERT INTO recategorization_rules (match_field, match_pattern, target_category, target_subcategory, label) VALUES (?, ?, ?, ?, ?)`).run(toolInput.match_field, toolInput.match_pattern, toolInput.target_category, toolInput.target_subcategory || null, toolInput.label || null);
             return `Recategorization rule added: ${toolInput.match_field} matching "${toolInput.match_pattern}" → ${categoryLabel(toolInput.target_category)}`;
         }

package/dist/cli/backup.js

@@ -47,35 +47,44 @@ export function runImport(inputPath) {
     if (backup.context) {
         writeContext(backup.context);
     }
-    // Restore memories
-    const insertMemory = db.prepare("INSERT INTO memories (content, category) VALUES (?, ?)");
+    // Restore memories (skip exact duplicates)
+    const insertMemory = db.prepare("INSERT INTO memories (content, category) SELECT ?, ? WHERE NOT EXISTS (SELECT 1 FROM memories WHERE content = ? AND category = ?)");
     for (const m of backup.memories) {
-        insertMemory.run(m.content, m.category);
+        insertMemory.run(m.content, m.category, m.content, m.category);
     }
-    // Restore goals
+    // Restore goals (skip if name already exists)
+    const existingGoal = db.prepare("SELECT 1 FROM goals WHERE name = ?");
     const insertGoal = db.prepare("INSERT INTO goals (name, target_amount, current_amount, deadline, status) VALUES (?, ?, ?, ?, ?)");
     for (const g of backup.goals) {
-        insertGoal.run(g.name, g.target_amount, g.current_amount, g.deadline, g.status);
+        if (!existingGoal.get(g.name)) {
+            insertGoal.run(g.name, g.target_amount, g.current_amount, g.deadline, g.status);
+        }
     }
     // Restore budgets
     const insertBudget = db.prepare("INSERT INTO budgets (category, monthly_limit, period) VALUES (?, ?, ?) ON CONFLICT(category, period) DO UPDATE SET monthly_limit = excluded.monthly_limit");
     for (const b of backup.budgets) {
         insertBudget.run(b.category, b.monthly_limit, b.period);
     }
-    // Restore recat rules
+    // Restore recat rules (skip exact duplicates)
+    const existingRule = db.prepare("SELECT 1 FROM recategorization_rules WHERE match_field = ? AND match_pattern = ? AND target_category = ?");
     const insertRule = db.prepare("INSERT INTO recategorization_rules (match_field, match_pattern, target_category, target_subcategory, label) VALUES (?, ?, ?, ?, ?)");
     for (const r of backup.recat_rules) {
-        insertRule.run(r.match_field, r.match_pattern, r.target_category, r.target_subcategory, r.label);
+        if (!existingRule.get(r.match_field, r.match_pattern, r.target_category)) {
+            insertRule.run(r.match_field, r.match_pattern, r.target_category, r.target_subcategory, r.label);
+        }
     }
     // Restore settings
     const insertSetting = db.prepare("INSERT INTO settings (key, value) VALUES (?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value");
     for (const s of backup.settings) {
         insertSetting.run(s.key, s.value);
     }
-    // Restore milestones
+    // Restore milestones (skip if name already exists)
+    const existingMilestone = db.prepare("SELECT 1 FROM milestones WHERE name = ?");
     const insertMilestone = db.prepare("INSERT INTO milestones (name, target_date, monthly_savings, description) VALUES (?, ?, ?, ?)");
     for (const m of backup.milestones) {
-        insertMilestone.run(m.name, m.target_date, m.monthly_savings, m.description);
+        if (!existingMilestone.get(m.name)) {
+            insertMilestone.run(m.name, m.target_date, m.monthly_savings, m.description);
+        }
     }
     console.log(chalk.green(`\nBackup restored from ${inputPath}`));
     console.log(chalk.dim(`  ${backup.memories.length} memories, ${backup.goals.length} goals, ${backup.budgets.length} budgets, ${backup.recat_rules.length} rules`));

package/dist/cli/chat.js

@@ -1,27 +1,95 @@
-import * as readline from "readline/promises";
 import chalk from "chalk";
 import { getDb } from "../db/connection.js";
 import { handleMessage } from "../ai/agent.js";
 import { config } from "../config.js";
 import { isContextEmpty } from "../ai/context.js";
 import { cliBriefing } from "../ai/insights.js";
+import { banner, formatResponse } from "./format.js";
+/** Raw-mode line reader that renders content below the cursor while waiting for input */
+function rawReadLine(prompt, belowLines) {
+    return new Promise((resolve) => {
+        let buf = "";
+        const out = process.stdout;
+        // Render: prompt on current line, then content below, then restore cursor
+        out.write(prompt);
+        if (belowLines.length > 0) {
+            // Save cursor, render below, restore
+            out.write("\x1b[s");
+            out.write("\n" + belowLines.join("\n"));
+            out.write("\x1b[u");
+        }
+        process.stdin.setRawMode(true);
+        process.stdin.resume();
+        process.stdin.setEncoding("utf8");
+        const cleanup = () => {
+            process.stdin.setRawMode(false);
+            process.stdin.removeListener("data", onData);
+            process.stdin.pause();
+        };
+        const onData = (chunk) => {
+            for (let i = 0; i < chunk.length; i++) {
+                const code = chunk.charCodeAt(i);
+                // Ctrl+C / Ctrl+D
+                if (code === 3 || code === 4) {
+                    cleanup();
+                    out.write("\n");
+                    resolve("\x03");
+                    return;
+                }
+                // Enter
+                if (code === 13) {
+                    cleanup();
+                    // Move past the below-content lines, then newline
+                    for (let j = 0; j < belowLines.length; j++)
+                        out.write("\x1b[1B");
+                    out.write("\n");
+                    resolve(buf);
+                    return;
+                }
+                // Backspace
+                if (code === 127 || code === 8) {
+                    if (buf.length > 0) {
+                        buf = buf.slice(0, -1);
+                        out.write("\b \b");
+                    }
+                    continue;
+                }
+                // Skip escape sequences (arrow keys etc.)
+                if (code === 27) {
+                    if (i + 1 < chunk.length && chunk[i + 1] === "[") {
+                        i += 2;
+                        while (i < chunk.length && chunk.charCodeAt(i) < 64)
+                            i++;
+                    }
+                    continue;
+                }
+                // Printable characters
+                if (code >= 32) {
+                    buf += chunk[i];
+                    out.write(chunk[i]);
+                }
+            }
+        };
+        process.stdin.on("data", onData);
+    });
+}
 export async function startChat() {
     const ora = (await import("ora")).default;
     const db = getDb();
-    // Show briefing instead of generic header
+    // Show logo + briefing
+    console.log("");
+    console.log(banner());
+    console.log("");
     const briefing = cliBriefing(db);
     if (briefing) {
         const now = new Date();
-        const timeStr = now.toLocaleDateString("en-US", { weekday: "long", month: "short", day: "numeric" });
-        console.log("");
+        const timeStr = now.toLocaleDateString("en-US", { weekday: "long", month: "short", day: "numeric" }).toLowerCase();
         console.log(chalk.dim(`  ${timeStr}`));
         console.log("");
         console.log(briefing);
-        console.log("");
-        console.log(chalk.dim("─".repeat(process.stdout.columns || 80)));
     }
     else {
-        console.log(chalk.bold(`\nray`) + chalk.dim(` — ${config.userName}`));
+        console.log(chalk.bold(`ray`) + chalk.dim(` — ${config.userName}`));
     }
     console.log("");
     // Require at least one linked account
@@ -55,43 +123,81 @@ export async function startChat() {
             console.error(chalk.red("Error during onboarding: " + err.message));
         }
     }
-    const rl = readline.createInterface({
-        input: process.stdin,
-        output: process.stdout,
-    });
     const shutdown = () => {
         console.log(chalk.dim("\nGoodbye!"));
-        rl.close();
         process.exit(0);
     };
-    process.on("SIGINT", shutdown);
-    try {
-        while (true) {
-            const cols = process.stdout.columns || 80;
-            const rule = chalk.dim("─".repeat(cols));
-            console.log(rule);
-            const input = await rl.question(chalk.dim("❯ "));
-            console.log(rule);
-            const trimmed = input.trim();
-            if (!trimmed)
-                continue;
-            if (trimmed === "/quit" || trimmed === "/exit" || trimmed === "/q") {
-                shutdown();
-                break;
-            }
-            const spinner = ora({ text: "Thinking...", color: "cyan", discardStdin: false }).start();
-            try {
-                const response = await handleMessage(db, trimmed);
-                spinner.stop();
-                console.log(`\n${response}\n`);
-            }
-            catch (err) {
-                spinner.stop();
-                console.error(chalk.red("Error: " + err.message));
-            }
+    const hints = [
+        "try: how am i doing this month?",
+        "try: where's my money going?",
+        "try: what bills are coming up?",
+        "try: help me save more",
+        "try: am i on track for my goals?",
+        "try: any unusual spending lately?",
+        "try: what should i focus on?",
+        "try: compare this month to last month",
+        "try: set a budget for dining out",
+        "try: how much did i spend on groceries?",
+    ];
+    let hintIdx = Math.floor(Math.random() * hints.length);
+    const getFooterText = () => {
+        const lastSync = db.prepare(`SELECT MAX(updated_at) as ts FROM accounts`).get();
+        let syncStr = "";
+        if (lastSync.ts) {
+            const diffMs = Date.now() - new Date(lastSync.ts + "Z").getTime();
+            const mins = Math.floor(diffMs / 60000);
+            if (mins < 1)
+                syncStr = "synced just now";
+            else if (mins < 60)
+                syncStr = `synced ${mins}m ago`;
+            else if (mins < 1440)
+                syncStr = `synced ${Math.floor(mins / 60)}h ago`;
+            else
+                syncStr = `synced ${Math.floor(mins / 1440)}d ago`;
+        }
+        const parts = ["ray"];
+        if (syncStr)
+            parts.push(syncStr);
+        parts.push(hints[hintIdx]);
+        hintIdx = (hintIdx + 1) % hints.length;
+        return parts.join("  ·  ");
+    };
+    while (true) {
+        const cols = process.stdout.columns || 80;
+        const rule = chalk.dim("─".repeat(cols));
+        const footerText = chalk.dim(`  ${getFooterText()}`);
+        // Ensure room below for top rule + prompt + bottom rule + footer (3 lines below start)
+        process.stdout.write("\n\n\n");
+        process.stdout.write("\x1b[3A\r");
+        // Print top rule, then prompt with bottom rule + footer rendered below
+        console.log(rule);
+        const input = await rawReadLine(chalk.dim("❯ "), [rule, footerText]);
+        const trimmed = input.trim();
+        if (!trimmed)
+            continue;
+        // Replace prompt frame with gray-background user message
+        // Move up 4 lines (footer, bottom rule, prompt, top rule) and clear them
+        process.stdout.write("\x1b[4A\r");
+        for (let i = 0; i < 4; i++)
+            process.stdout.write("\x1b[2K\x1b[1B");
+        process.stdout.write("\x1b[4A\r");
+        // Print user message with gray background, padded to full width
+        const msgText = `❯ ${trimmed}`;
+        const pad = Math.max(0, cols - msgText.length);
+        console.log(chalk.bgGray.white(msgText + " ".repeat(pad)));
+        if (trimmed === "\x03" || trimmed === "/quit" || trimmed === "/exit" || trimmed === "/q") {
+            shutdown();
+            break;
+        }
+        const spinner = ora({ text: "Thinking...", color: "cyan", discardStdin: false }).start();
+        try {
+            const response = await handleMessage(db, trimmed);
+            spinner.stop();
+            console.log(`\n${formatResponse(response)}\n`);
+        }
+        catch (err) {
+            spinner.stop();
+            console.error(chalk.red("Error: " + err.message));
         }
-    }
-    finally {
-        rl.close();
     }
 }

package/dist/cli/format.d.ts

@@ -9,4 +9,6 @@ export declare function helpScreen(commands: {
     name: string;
     desc: string;
 }[]): string;
+/** Colorize AI response text for the terminal */
+export declare function formatResponse(text: string): string;
 export declare const DISCLAIMER: string;

package/dist/cli/format.js

@@ -115,5 +115,30 @@ export function helpScreen(commands) {
     sections.push(chalk.dim(DISCLAIMER));
     return sections.join("\n");
 }
+/** Colorize AI response text for the terminal */
+export function formatResponse(text) {
+    return text
+        .split("\n")
+        .map((line) => {
+        // Section headers: ## Header or ### Header
+        if (/^#{1,3}\s+/.test(line)) {
+            return chalk.bold(line.replace(/^#{1,3}\s+/, ""));
+        }
+        // Bold: **text**
+        line = line.replace(/\*\*(.+?)\*\*/g, (_, t) => chalk.bold(t));
+        // Money amounts: $1,234 or $1,234.56 or -$500
+        line = line.replace(/-?\$[\d,]+(?:\.\d{1,2})?/g, (m) => {
+            return m.startsWith("-") ? chalk.red(m) : chalk.green(m);
+        });
+        // Percentages
+        line = line.replace(/(\d+(?:\.\d+)?%)/g, (m) => chalk.yellow(m));
+        // Bullet points
+        if (/^\s*[-•]\s/.test(line)) {
+            line = line.replace(/^(\s*)([-•])(\s)/, (_, sp, b, s) => sp + chalk.dim(b) + s);
+        }
+        return line;
+    })
+        .join("\n");
+}
 export const DISCLAIMER = "Ray is an AI tool, not a licensed financial advisor. Output is informational, " +
     "may be inaccurate, and does not constitute financial advice.";

package/dist/cli/index.js

@@ -1,12 +1,15 @@
 #!/usr/bin/env node
 import { Command } from "commander";
+import { createRequire } from "module";
 import { config, isConfigured, useManaged, RAY_PROXY_BASE } from "../config.js";
 import { helpScreen } from "./format.js";
+const require = createRequire(import.meta.url);
+const { version } = require("../../package.json");
 const program = new Command();
 program
     .name("ray")
     .description("Personal finance AI assistant")
-    .version("0.2.0")
+    .version(version)
     .addHelpCommand(false)
     .action(async () => {
     if (!isConfigured()) {
@@ -143,7 +146,14 @@ program
             },
         });
         const { url } = await resp.json();
-        await open(url);
+        // Only open URLs from trusted domains
+        const parsed = new URL(url);
+        if (!parsed.hostname.endsWith("stripe.com") && !parsed.hostname.endsWith("rayfinance.app")) {
+            console.error("Unexpected billing URL. Visit https://rayfinance.app/billing");
+        }
+        else {
+            await open(url);
+        }
     }
     catch {
         console.error("Could not open billing portal. Visit https://rayfinance.app/billing");

package/dist/cli/setup.js

@@ -52,7 +52,13 @@ export async function runSetup() {
                     headers: { "content-type": "application/json" },
                 });
                 const { url } = await resp.json();
-                await open(url);
+                const parsed = new URL(url);
+                if (!parsed.hostname.endsWith("stripe.com") && !parsed.hostname.endsWith("rayfinance.app")) {
+                    console.log(dim(`  Unexpected checkout URL. Visit https://rayfinance.app to subscribe.\n`));
+                }
+                else {
+                    await open(url);
+                }
             }
             catch {
                 console.log(dim(`  Could not open checkout automatically.`));