ray-finance 0.2.2 → 0.2.4

package/dist/daily-sync.js

@@ -1,5 +1,7 @@
 import { syncTransactions, syncBalances, syncInvestments, syncLiabilities, } from "./plaid/sync.js";
 import { calculateDailyScore, checkAchievements } from "./scoring/index.js";
+import { decryptPlaidToken } from "./db/encryption.js";
+import { config } from "./config.js";
 /** Run the daily sync for a single database */
 export async function runDailySync(db) {
     const institutions = db
@@ -14,25 +16,38 @@ export async function runDailySync(db) {
             console.log(`Skipping ${inst.name} (manual entry)`);
             continue;
         }
+        // Decrypt the stored access token
+        let accessToken;
+        try {
+            if (!config.plaidTokenSecret) {
+                console.error(`  Skipping ${inst.name}: no plaidTokenSecret configured`);
+                continue;
+            }
+            accessToken = decryptPlaidToken(inst.access_token, config.plaidTokenSecret);
+        }
+        catch {
+            console.error(`  Skipping ${inst.name}: failed to decrypt access token (wrong key or corrupt data)`);
+            continue;
+        }
         const products = JSON.parse(inst.products);
         console.log(`Syncing: ${inst.name} (${products.join(", ")})`);
         try {
             // Always sync balances
-            const accountCount = await syncBalances(db, inst.access_token);
+            const accountCount = await syncBalances(db, accessToken);
             console.log(`  Accounts: ${accountCount}`);
             // Sync transactions if available
             if (products.includes("transactions")) {
-                const txResult = await syncTransactions(db, inst.item_id, inst.access_token, inst.cursor);
+                const txResult = await syncTransactions(db, inst.item_id, accessToken, inst.cursor);
                 console.log(`  Transactions: +${txResult.added} ~${txResult.modified} -${txResult.removed}`);
             }
             // Sync investments if available
             if (products.includes("investments")) {
-                const invResult = await syncInvestments(db, inst.access_token);
+                const invResult = await syncInvestments(db, accessToken);
                 console.log(`  Investments: ${invResult.holdings} holdings, ${invResult.securities} securities`);
             }
             // Sync liabilities if available
             if (products.includes("liabilities")) {
-                await syncLiabilities(db, inst.access_token);
+                await syncLiabilities(db, accessToken);
                 console.log(`  Liabilities: synced`);
             }
         }

package/dist/db/connection.js

@@ -14,7 +14,15 @@ function openDb(dbPath, encryptionKey) {
         const hexKey = Buffer.from(encryptionKey, "utf8").toString("hex");
         db.pragma(`key="x'${hexKey}'"`);
     }
-    db.pragma("journal_mode = WAL");
+    // Verify the key works before proceeding
+    try {
+        db.pragma("journal_mode = WAL");
+    }
+    catch (err) {
+        db.close();
+        throw new Error("Failed to open database. Wrong encryption key or corrupt database file. " +
+            "If you changed your encryption key, restore from backup or delete ~/.ray/data/finance.db to start fresh.");
+    }
     db.pragma("foreign_keys = ON");
     migrate(db);
     try {

package/dist/db/encryption.js

@@ -1,23 +1,34 @@
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
-const SCRYPT_SALT = "ray-finance-plaid-token"; // Static salt is fine — secret is already high-entropy
 const SCRYPT_KEYLEN = 32;
+const SALT_LEN = 16;
 export function generateKey() {
     return randomBytes(32).toString("hex");
 }
-function deriveKey(secret) {
-    return scryptSync(secret, SCRYPT_SALT, SCRYPT_KEYLEN);
+function deriveKey(secret, salt) {
+    return scryptSync(secret, salt, SCRYPT_KEYLEN);
 }
 export function encryptPlaidToken(token, secret) {
-    const key = deriveKey(secret);
+    const salt = randomBytes(SALT_LEN);
+    const key = deriveKey(secret, salt);
     const iv = randomBytes(16);
     const cipher = createCipheriv("aes-256-gcm", key, iv);
     const encrypted = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
     const authTag = cipher.getAuthTag();
-    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+    return `${salt.toString("hex")}:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
 }
 export function decryptPlaidToken(encrypted, secret) {
-    const [ivHex, authTagHex, dataHex] = encrypted.split(":");
-    const key = deriveKey(secret);
+    const parts = encrypted.split(":");
+    // Support legacy 3-part format (static salt) and new 4-part format (random salt)
+    let salt, ivHex, authTagHex, dataHex;
+    if (parts.length === 3) {
+        salt = Buffer.from("ray-finance-plaid-token", "utf8");
+        [ivHex, authTagHex, dataHex] = parts;
+    }
+    else {
+        [, ivHex, authTagHex, dataHex] = parts;
+        salt = Buffer.from(parts[0], "hex");
+    }
+    const key = deriveKey(secret, salt);
     const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivHex, "hex"));
     decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
     return decipher.update(Buffer.from(dataHex, "hex")) + decipher.final("utf8");

package/dist/db/schema.js

@@ -100,7 +100,7 @@ export function migrate(db) {
       name TEXT NOT NULL,
       target_amount REAL NOT NULL,
       current_amount REAL DEFAULT 0,
-      deadline TEXT,
+      target_date TEXT,
       status TEXT DEFAULT 'active'
     );
 
@@ -191,4 +191,9 @@ export function migrate(db) {
       created_at TEXT DEFAULT (datetime('now'))
     );
   `);
+    // Migrate: rename goals.deadline -> target_date for existing databases
+    const goalCols = db.prepare(`PRAGMA table_info(goals)`).all();
+    if (goalCols.some(c => c.name === "deadline") && !goalCols.some(c => c.name === "target_date")) {
+        db.exec(`ALTER TABLE goals RENAME COLUMN deadline TO target_date`);
+    }
 }

package/dist/public/link.html

@@ -2,18 +2,15 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <link rel="preconnect" href="https://fonts.googleapis.com">
-  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-  <link href="https://fonts.googleapis.com/css2?family=Geist+Mono:wght@700&display=swap" rel="stylesheet">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><circle cx='50' cy='50' r='40' fill='%231a1a1a'/></svg>">
+  <link rel="icon" href="/favicon.png">
   <title>Ray — Connect Account</title>
   <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
+    * { margin: 0; padding: 0; box-sizing: border-box; -webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; }
     body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
-      background: #fafafa;
-      color: #1a1a1a;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+      background: #fafaf9;
+      color: #1c1917;
       display: flex;
       align-items: center;
       justify-content: center;
@@ -22,36 +19,37 @@
     }
     .card {
       background: #fff;
-      border-radius: 12px;
-      padding: 40px 32px;
+      border: 1px solid rgba(214, 211, 209, 0.6);
+      border-radius: 16px;
+      padding: 48px 40px;
       max-width: 400px;
       width: 100%;
       text-align: center;
-      box-shadow: 0 1px 3px rgba(0,0,0,0.08);
     }
-    h1 { font-size: 22px; font-weight: 600; margin-bottom: 8px; }
-    p { font-size: 15px; color: #666; margin-bottom: 24px; line-height: 1.5; }
+    .logo { margin-bottom: 32px; }
+    .logo img { height: 24px; }
+    h1 { font-size: 20px; font-weight: 600; margin-bottom: 8px; color: #1c1917; }
+    p { font-size: 15px; color: #78716c; margin-bottom: 24px; line-height: 1.6; }
     button {
-      background: #1a1a1a;
+      background: #1c1917;
       color: #fff;
       border: none;
       padding: 14px 32px;
       border-radius: 9999px;
-      font-size: 16px;
+      font-size: 15px;
       font-weight: 500;
       cursor: pointer;
       width: 100%;
       transition: background 0.2s;
     }
-    button:hover { background: #333; }
-    button:disabled { background: #ccc; cursor: not-allowed; }
-    .success { color: #28a745; font-weight: 600; }
+    button:hover { background: #292524; }
+    button:disabled { background: #d6d3d1; cursor: not-allowed; }
+    .success { color: #6ab318; font-weight: 600; }
     .error { color: #dc3545; font-size: 14px; margin-top: 16px; }
-    .logo { font-size: 28px; font-weight: 700; margin-bottom: 24px; color: #1a1a1a; font-family: 'Geist Mono', monospace; }
     .checkmark {
       width: 48px;
       height: 48px;
-      border: 2.5px solid #28a745;
+      border: 2.5px solid #6ab318;
       border-radius: 50%;
       display: flex;
       align-items: center;
@@ -61,7 +59,7 @@
     .checkmark svg {
       width: 24px;
       height: 24px;
-      stroke: #28a745;
+      stroke: #6ab318;
       fill: none;
       stroke-width: 2.5;
       stroke-linecap: round;
@@ -74,12 +72,24 @@
       object-fit: contain;
       margin-bottom: 16px;
     }
+    .spinner {
+      display: inline-block;
+      width: 20px;
+      height: 20px;
+      border: 2px solid #d6d3d1;
+      border-top-color: #78716c;
+      border-radius: 50%;
+      animation: spin 0.6s linear infinite;
+      margin-bottom: 16px;
+    }
+    @keyframes spin { to { transform: rotate(360deg); } }
   </style>
 </head>
 <body>
   <div class="card">
-    <div class="logo">RAY</div>
+    <div class="logo"><img src="/ray-logo-dark.png" alt="Ray"></div>
     <div id="connect-view">
+      <div class="spinner"></div>
       <p>Opening Plaid...</p>
       <div id="error" class="error" style="display:none"></div>
     </div>
@@ -97,13 +107,26 @@
     let linkHandler = null;
 
     async function initPlaid() {
+      // Wait for Plaid SDK to load
+      if (typeof Plaid === 'undefined') {
+        let attempts = 0;
+        await new Promise((resolve, reject) => {
+          const check = setInterval(() => {
+            if (typeof Plaid !== 'undefined') { clearInterval(check); resolve(); }
+            else if (++attempts > 50) { clearInterval(check); reject(new Error('Failed to load Plaid SDK. Check your ad blocker or network connection.')); }
+          }, 100);
+        });
+      }
       try {
         const res = await fetch('/api/link-token', {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify({ session_id: sessionId }),
         });
-        if (!res.ok) throw new Error('Session expired');
+        if (!res.ok) {
+          const data = await res.json().catch(() => ({}));
+          throw new Error(data.error || 'Failed to connect. Please run "ray link" again.');
+        }
         const { link_token } = await res.json();
 
         linkHandler = Plaid.create({
@@ -145,7 +168,7 @@
         // Auto-open Plaid Link
         linkHandler.open();
       } catch (e) {
-        showError('This link has expired. Please run "ray link" again.');
+        showError(e.message || 'This link has expired. Please run "ray link" again.');
       }
     }
 

package/dist/queries/index.js

@@ -263,13 +263,13 @@ export function forecastBalance(db, accountId, months = 6) {
 }
 // --- Portfolio ---
 export function getPortfolio(db) {
-    const rows = db.prepare(`SELECT a.name as account, s.name as security, s.ticker_symbol as ticker,
-       h.quantity, h.institution_value as value, h.cost_basis,
-       (h.institution_value - COALESCE(h.cost_basis, h.institution_value)) as gain_loss
+    const rows = db.prepare(`SELECT a.name as account, s.name as security, s.ticker,
+       h.quantity, h.value, h.cost_basis,
+       (h.value - COALESCE(h.cost_basis, h.value)) as gain_loss
      FROM holdings h
      JOIN accounts a ON h.account_id = a.account_id
      LEFT JOIN securities s ON h.security_id = s.security_id
-     ORDER BY h.institution_value DESC`).all();
+     ORDER BY h.value DESC`).all();
     const totalValue = rows.reduce((s, r) => s + (r.value || 0), 0);
     const totalCostBasis = rows.reduce((s, r) => s + (r.cost_basis || 0), 0);
     return {
@@ -289,12 +289,12 @@ export function getPortfolio(db) {
 }
 // --- Investment performance ---
 export function getInvestmentPerformance(db) {
-    const rows = db.prepare(`SELECT s.name as security, s.ticker_symbol as ticker,
-       h.institution_value as value, h.cost_basis
+    const rows = db.prepare(`SELECT s.name as security, s.ticker,
+       h.value, h.cost_basis
      FROM holdings h
      LEFT JOIN securities s ON h.security_id = s.security_id
-     WHERE h.institution_value IS NOT NULL
-     ORDER BY h.institution_value DESC`).all();
+     WHERE h.value IS NOT NULL
+     ORDER BY h.value DESC`).all();
     const totalValue = rows.reduce((s, r) => s + (r.value || 0), 0);
     const totalCost = rows.reduce((s, r) => s + (r.cost_basis || r.value || 0), 0);
     const totalReturn = totalValue - totalCost;

package/dist/server.js

@@ -13,9 +13,41 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 // Session map for Plaid Link — maps sessionId → true (single-user, no chatId needed)
 const linkSessions = new Map();
+// Simple rate limiter: track request counts per IP
+const rateLimits = new Map();
+const RATE_LIMIT_WINDOW = 60_000; // 1 minute
+const RATE_LIMIT_MAX = 10; // max requests per window
+function isRateLimited(ip) {
+    const now = Date.now();
+    const entry = rateLimits.get(ip);
+    if (!entry || now > entry.resetAt) {
+        rateLimits.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW });
+        return false;
+    }
+    entry.count++;
+    return entry.count > RATE_LIMIT_MAX;
+}
 export function startLinkServer() {
     const app = express();
     app.use(express.json());
+    // Only allow requests from localhost origin
+    app.use((req, res, next) => {
+        const origin = req.headers.origin || req.headers.referer || "";
+        const ip = req.ip || req.socket.remoteAddress || "";
+        if (req.path.startsWith("/api/")) {
+            // Check origin for API routes
+            if (origin && !origin.startsWith(`http://localhost:${config.port}`) && !origin.startsWith(`http://127.0.0.1:${config.port}`)) {
+                res.status(403).json({ error: "Forbidden" });
+                return;
+            }
+            // Rate limit API routes
+            if (isRateLimited(ip)) {
+                res.status(429).json({ error: "Too many requests" });
+                return;
+            }
+        }
+        next();
+    });
     app.use(express.static(resolve(__dirname, "public")));
     const sessionId = randomUUID();
     linkSessions.set(sessionId, true);
@@ -120,7 +152,7 @@ export function startLinkServer() {
             res.status(500).json({ error: "Failed to link account" });
         }
     });
-    const server = app.listen(config.port);
+    const server = app.listen(config.port, "127.0.0.1");
     const url = `http://localhost:${config.port}/link/${sessionId}`;
     // Auto-expire after 30 minutes
     const timeout = setTimeout(() => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ray-finance",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "Local-first CLI that turns your bank data into a personal AI financial advisor",
   "type": "module",
   "license": "MIT",
@@ -25,11 +25,15 @@
   "engines": {
     "node": ">=18"
   },
+  "files": [
+    "dist/"
+  ],
   "bin": {
     "ray": "./dist/cli/index.js"
   },
   "scripts": {
     "build": "tsc && rm -rf dist/public && cp -r src/public dist/public",
+    "test": "vitest run",
     "prepublishOnly": "npm run build",
     "sync": "tsx src/daily-sync.ts"
   },
@@ -50,6 +54,7 @@
     "@types/express": "^4.17.0",
     "@types/node": "^22.0.0",
     "tsx": "^4.7.0",
-    "typescript": "^5.5.0"
+    "typescript": "^5.5.0",
+    "vitest": "^3.2.4"
   }
 }

package/.claude/settings.local.json

@@ -1,16 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(npm install:*)",
-      "Bash(gh api:*)",
-      "mcp__paper__create_artboard",
-      "mcp__paper__write_html",
-      "mcp__paper__get_screenshot",
-      "mcp__paper__delete_nodes",
-      "Bash(npx next:*)",
-      "Bash(npx tsc:*)",
-      "Bash(git add:*)",
-      "Bash(git commit:*)"
-    ]
-  }
-}

package/.env.example

@@ -1,13 +0,0 @@
-# Anthropic API key for AI chat — https://console.anthropic.com
-ANTHROPIC_API_KEY=
-
-# Plaid credentials for bank sync — https://dashboard.plaid.com
-PLAID_CLIENT_ID=
-PLAID_SECRET=
-PLAID_ENV=production
-
-# Database encryption key (any strong passphrase)
-DB_ENCRYPTION_KEY=
-
-# Separate key for encrypting stored Plaid access tokens (any strong passphrase)
-PLAID_TOKEN_SECRET=

package/.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,19 +0,0 @@
----
-name: Bug Report
-about: Report a bug
-labels: bug
----
-
-**What happened?**
-
-**What did you expect?**
-
-**Steps to reproduce**
-1.
-2.
-3.
-
-**Environment**
-- OS:
-- Node.js version:
-- Ray version (`ray --version`):

package/.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,9 +0,0 @@
----
-name: Feature Request
-about: Suggest a feature
-labels: enhancement
----
-
-**What problem does this solve?**
-
-**Describe the solution you'd like**

package/.github/PULL_REQUEST_TEMPLATE.md

@@ -1,5 +0,0 @@
-## What
-
-## Why
-
-## Test plan

package/.github/workflows/ci.yml

@@ -1,21 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [18, 20, 22]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-      - run: npm install
-      - run: npm run build

package/CHANGELOG.md

@@ -1,16 +0,0 @@
-# Changelog
-
-## 0.2.0
-
-Initial open source release.
-
-- CLI interface with 13 commands (`ray`, `setup`, `sync`, `link`, `status`, `transactions`, `spending`, `budgets`, `goals`, `score`, `alerts`, `export`, `import`)
-- AI financial advisor powered by Claude with 13+ tools
-- Plaid integration for bank sync (checking, savings, credit cards, investments, loans)
-- Encrypted local SQLite database (AES-256)
-- Daily financial scoring (0-100) with streaks and 14 achievements
-- Budget tracking with overage alerts
-- Financial goal tracking
-- Transaction auto-recategorization via user-defined rules
-- Conversation memory and persistent financial context
-- Data export/import for backup and restore

package/CODE_OF_CONDUCT.md

@@ -1,31 +0,0 @@
-# Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment:
-
-- Being respectful of differing viewpoints and experiences
-- Giving and gracefully accepting constructive feedback
-- Focusing on what is best for the community
-- Showing empathy towards other community members
-
-Examples of unacceptable behavior:
-
-- Trolling, insulting/derogatory comments, and personal or political attacks
-- Public or private harassment
-- Publishing others' private information without explicit permission
-- Other conduct which could reasonably be considered inappropriate in a professional setting
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainer at clark@rayfinance.app.
-
-All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1.

package/CONTRIBUTING.md

@@ -1,41 +0,0 @@
-# Contributing
-
-Thanks for your interest in contributing to Ray.
-
-## Development Setup
-
-```bash
-git clone https://github.com/cdinnison/ray-finance.git
-cd ray-finance
-npm install
-npm run build
-npm link
-```
-
-You'll need Plaid and Anthropic API keys to test. Copy `.env.example` to `.env` and fill in your credentials.
-
-## Making Changes
-
-1. Fork the repo and create a branch from `main`
-2. Make your changes
-3. Run `npm run build` to verify the project compiles
-4. Open a pull request
-
-## Code Style
-
-- TypeScript with strict mode
-- ES modules (`"type": "module"`)
-- Prefer simple, direct code over abstractions
-- No unnecessary dependencies
-
-## Reporting Bugs
-
-Open a GitHub issue with:
-- What you expected to happen
-- What actually happened
-- Steps to reproduce
-- Your Node.js version and OS
-
-## Security Issues
-
-See [SECURITY.md](SECURITY.md) for reporting security vulnerabilities. Do not open public issues for security bugs.

package/Dockerfile

@@ -1,8 +0,0 @@
-FROM node:20-slim
-WORKDIR /app
-COPY package*.json ./
-RUN npm ci --production
-COPY dist/ ./dist/
-COPY src/public/ ./dist/public/
-EXPOSE 3000
-CMD ["node", "dist/index.js"]

package/SECURITY.md

@@ -1,36 +0,0 @@
-# Security
-
-## Architecture
-
-Ray is local-first. All financial data is stored on your machine in an encrypted SQLite database. No data is sent to Ray servers because there are no Ray servers.
-
-### Encryption
-
-- **Database encryption**: The SQLite database is encrypted at rest using AES-256 via [SQLCipher](https://www.zetetic.net/sqlcipher/) (better-sqlite3-multiple-ciphers). The encryption key is provided during setup and stored in your local config.
-- **Plaid token encryption**: Plaid access tokens are encrypted separately using AES-256-GCM with scrypt key derivation before being stored in the database.
-- **File permissions**: Config and database files are created with `0600` permissions (owner read/write only).
-
-### Data Flow
-
-Ray makes outbound API calls to three services:
-
-| Service | Purpose | When |
-|---------|---------|------|
-| Plaid | Sync bank transactions and balances | `ray sync`, `ray link` |
-| Anthropic | AI-powered chat responses | `ray` (interactive chat) |
-
-No telemetry, analytics, or usage data is collected or transmitted.
-
-### PII Handling
-
-When sending data to the Anthropic API for AI chat, Ray redacts personally identifiable information (account numbers, routing numbers) before transmission and restores it in the response for display.
-
-## Reporting a Vulnerability
-
-If you discover a security vulnerability, please report it responsibly:
-
-1. **Do not** open a public GitHub issue
-2. Email **clark@rayfinance.app** with details
-3. Include steps to reproduce if possible
-
-I will respond within 48 hours and work with you to address the issue before any public disclosure.