fin-infra 0.1.69__py3-none-any.whl → 0.4.0__py3-none-any.whl

fin_infra/recurring/insights.py

@@ -7,7 +7,7 @@ Provides on-demand insights for users:
 - Cost-saving recommendations (bundle deals, unused subscriptions)
 
 Uses ai-infra LLM with few-shot prompting.
-Caches results for 24 hours (80% hit rate expected) → <1ms latency.
+Caches results for 24 hours (80% hit rate expected) -> <1ms latency.
 Triggered via GET /recurring/insights API endpoint (not automatic).
 """
 
@@ -15,7 +15,7 @@ from __future__ import annotations
 
 import hashlib
 import logging
-from typing import Any, Optional, cast
+from typing import Any, cast
 
 from pydantic import BaseModel, ConfigDict, Field
 
@@ -61,7 +61,7 @@ class SubscriptionInsights(BaseModel):
         ge=0.0,
         description="Total monthly subscription cost",
     )
-    potential_savings: Optional[float] = Field(
+    potential_savings: float | None = Field(
         None,
         ge=0.0,
         description="Potential monthly savings from recommendations (if applicable)",
@@ -105,23 +105,23 @@ Guidelines:
 
 Examples:
 1. Subscriptions: Netflix $15.99, Hulu $12.99, Disney+ $10.99, Spotify $9.99, Amazon Prime $14.99
-   → "You have 5 subscriptions totaling $64.95/month. Consider the Disney+ bundle 
-      (Disney+, Hulu, ESPN+ for $19.99) to save $29.98/month. Also, Amazon Prime 
+   -> "You have 5 subscriptions totaling $64.95/month. Consider the Disney+ bundle
+      (Disney+, Hulu, ESPN+ for $19.99) to save $29.98/month. Also, Amazon Prime
       includes Prime Video - you may be able to cancel Netflix or Hulu."
-   → total_monthly_cost: 64.95
-   → potential_savings: 30.00
+   -> total_monthly_cost: 64.95
+   -> potential_savings: 30.00
 
 2. Subscriptions: Spotify $9.99, Apple Music $10.99
-   → "You're paying for both Spotify and Apple Music ($20.98/month). Cancel one 
+   -> "You're paying for both Spotify and Apple Music ($20.98/month). Cancel one
       to save $10.99/month."
-   → total_monthly_cost: 20.98
-   → potential_savings: 10.99
+   -> total_monthly_cost: 20.98
+   -> potential_savings: 10.99
 
 3. Subscriptions: LA Fitness $40, Planet Fitness $10
-   → "You have 2 gym memberships totaling $50/month. Consider consolidating to 
+   -> "You have 2 gym memberships totaling $50/month. Consider consolidating to
       just Planet Fitness to save $40/month."
-   → total_monthly_cost: 50.00
-   → potential_savings: 40.00
+   -> total_monthly_cost: 50.00
+   -> potential_savings: 40.00
 
 Output format (JSON):
 {
@@ -152,8 +152,8 @@ class SubscriptionInsightsGenerator:
     LLM-based subscription insights generator with caching.
 
     Layer 5 of 4-layer hybrid architecture (on-demand, optional):
-    1. Check cache first (80% hit rate, 24h TTL) → <1ms
-    2. Call LLM if cache miss → 300-500ms
+    1. Check cache first (80% hit rate, 24h TTL) -> <1ms
+    2. Call LLM if cache miss -> 300-500ms
     3. Cache result for 24 hours
     4. Return SubscriptionInsights
 
@@ -163,7 +163,7 @@ class SubscriptionInsightsGenerator:
     def __init__(
         self,
         provider: str = "google",
-        model_name: Optional[str] = None,
+        model_name: str | None = None,
         cache_ttl: int = 86400,  # 24 hours
         enable_cache: bool = True,
         max_cost_per_day: float = 0.10,
@@ -230,15 +230,15 @@ class SubscriptionInsightsGenerator:
     async def generate(
         self,
         subscriptions: list[dict[str, Any]],
-        user_id: Optional[str] = None,
+        user_id: str | None = None,
     ) -> SubscriptionInsights:
         """
         Generate subscription insights with natural language recommendations.
 
         Flow:
-        1. Check cache (80% hit rate, key: insights:{user_id}) → <1ms
+        1. Check cache (80% hit rate, key: insights:{user_id}) -> <1ms
         2. Check budget (daily/monthly caps)
-        3. Call LLM if cache miss → 300-500ms
+        3. Call LLM if cache miss -> 300-500ms
         4. Cache result (24h TTL)
         5. Return SubscriptionInsights
 
@@ -291,8 +291,8 @@ class SubscriptionInsightsGenerator:
     async def _get_cached(
         self,
         subscriptions: list[dict[str, Any]],
-        user_id: Optional[str] = None,
-    ) -> Optional[SubscriptionInsights]:
+        user_id: str | None = None,
+    ) -> SubscriptionInsights | None:
         """
         Get cached insights.
 
@@ -317,7 +317,7 @@ class SubscriptionInsightsGenerator:
         self,
         subscriptions: list[dict[str, Any]],
         result: SubscriptionInsights,
-        user_id: Optional[str] = None,
+        user_id: str | None = None,
     ) -> None:
         """
         Cache insights result.
@@ -338,7 +338,7 @@ class SubscriptionInsightsGenerator:
     def _make_cache_key(
         self,
         subscriptions: list[dict[str, Any]],
-        user_id: Optional[str] = None,
+        user_id: str | None = None,
     ) -> str:
         """
         Generate cache key for insights.
@@ -352,6 +352,7 @@ class SubscriptionInsightsGenerator:
         import json
 
         subscriptions_json = json.dumps(subscriptions, sort_keys=True)
+        # Security: B324 skip justified - MD5 used for cache key generation only.
         hash_hex = hashlib.md5(subscriptions_json.encode()).hexdigest()
         return f"insights:{hash_hex}"
 
@@ -384,7 +385,7 @@ class SubscriptionInsightsGenerator:
 
         # Extract structured output
         if hasattr(response, "structured") and response.structured:
-            return cast(SubscriptionInsights, response.structured)
+            return cast("SubscriptionInsights", response.structured)
         else:
             raise ValueError("LLM returned no structured output for insights")
 

fin_infra/recurring/normalizer.py

@@ -26,12 +26,12 @@ def normalize_merchant(raw_name: str) -> str:
     Normalize merchant name for grouping.
 
     Pipeline:
-    1. Lowercase: "NETFLIX.COM" → "netflix.com"
-    2. Remove domain suffixes: "netflix.com" → "netflix"
-    3. Remove special chars: "netflix*subscription" → "netflix subscription"
-    4. Remove store/transaction numbers: "starbucks #12345" → "starbucks"
-    5. Remove legal entities: "netflix inc" → "netflix"
-    6. Strip whitespace: "  netflix  " → "netflix"
+    1. Lowercase: "NETFLIX.COM" -> "netflix.com"
+    2. Remove domain suffixes: "netflix.com" -> "netflix"
+    3. Remove special chars: "netflix*subscription" -> "netflix subscription"
+    4. Remove store/transaction numbers: "starbucks #12345" -> "starbucks"
+    5. Remove legal entities: "netflix inc" -> "netflix"
+    6. Strip whitespace: "  netflix  " -> "netflix"
 
     Args:
         raw_name: Original merchant name
@@ -166,7 +166,7 @@ class FuzzyMatcher:
         norm2 = normalize_merchant(name2)
 
         similarity = fuzz.token_sort_ratio(norm1, norm2)
-        return cast(bool, similarity >= self.similarity_threshold)
+        return cast("bool", similarity >= self.similarity_threshold)
 
     def group_merchants(self, merchants: list[str]) -> dict[str, list[str]]:
         """

fin_infra/recurring/normalizers.py

@@ -8,7 +8,7 @@ Handles cryptic merchant names that fail pattern-based normalization:
 - Legal entities: Inc, LLC, Corp, Ltd
 
 Uses ai-infra LLM with few-shot prompting for 90-95% accuracy.
-Caches results for 7 days (95% hit rate expected) → <1ms latency.
+Caches results for 7 days (95% hit rate expected) -> <1ms latency.
 Falls back to RapidFuzz if LLM fails or disabled.
 """
 
@@ -16,7 +16,7 @@ from __future__ import annotations
 
 import hashlib
 import logging
-from typing import Any, Optional, cast
+from typing import Any, cast
 
 from pydantic import BaseModel, ConfigDict, Field
 
@@ -93,26 +93,26 @@ Common patterns:
 - POS systems: TST* (Toast), CLOVER*, SQUARE*
 
 Examples:
-1. "NFLX*SUB #12345" → Netflix (streaming)
-2. "Netflix Inc" → Netflix (streaming)
-3. "NETFLIX.COM" → Netflix (streaming)
-4. "SQ *COZY CAFE" → Cozy Cafe (coffee_shop, Square processor)
-5. "TST* STARBUCKS" → Starbucks (coffee_shop, Toast POS)
-6. "AMZN MKTP US" → Amazon (online_shopping)
-7. "SPFY*PREMIUM" → Spotify (streaming)
-8. "UBER *TRIP 12345" → Uber (rideshare)
-9. "LYFT   *RIDE ABC" → Lyft (rideshare)
-10. "CLOVER* PIZZA PLACE" → Pizza Place (restaurant, Clover POS)
-11. "AAPL* ICLOUD STORAGE" → Apple iCloud (cloud_storage)
-12. "MSFT*MICROSOFT 365" → Microsoft 365 (software_subscription)
-13. "DISNEY PLUS #123" → Disney Plus (streaming)
-14. "PRIME VIDEO" → Amazon Prime Video (streaming)
-15. "CITY ELECTRIC #456" → City Electric (utility_electric)
-16. "T-MOBILE USA" → T-Mobile (phone_service)
-17. "VERIZON WIRELESS" → Verizon (phone_service)
-18. "WHOLE FOODS MKT #789" → Whole Foods (grocery)
-19. "STARBUCKS #1234" → Starbucks (coffee_shop)
-20. "LA FITNESS #567" → LA Fitness (gym)
+1. "NFLX*SUB #12345" -> Netflix (streaming)
+2. "Netflix Inc" -> Netflix (streaming)
+3. "NETFLIX.COM" -> Netflix (streaming)
+4. "SQ *COZY CAFE" -> Cozy Cafe (coffee_shop, Square processor)
+5. "TST* STARBUCKS" -> Starbucks (coffee_shop, Toast POS)
+6. "AMZN MKTP US" -> Amazon (online_shopping)
+7. "SPFY*PREMIUM" -> Spotify (streaming)
+8. "UBER *TRIP 12345" -> Uber (rideshare)
+9. "LYFT   *RIDE ABC" -> Lyft (rideshare)
+10. "CLOVER* PIZZA PLACE" -> Pizza Place (restaurant, Clover POS)
+11. "AAPL* ICLOUD STORAGE" -> Apple iCloud (cloud_storage)
+12. "MSFT*MICROSOFT 365" -> Microsoft 365 (software_subscription)
+13. "DISNEY PLUS #123" -> Disney Plus (streaming)
+14. "PRIME VIDEO" -> Amazon Prime Video (streaming)
+15. "CITY ELECTRIC #456" -> City Electric (utility_electric)
+16. "T-MOBILE USA" -> T-Mobile (phone_service)
+17. "VERIZON WIRELESS" -> Verizon (phone_service)
+18. "WHOLE FOODS MKT #789" -> Whole Foods (grocery)
+19. "STARBUCKS #1234" -> Starbucks (coffee_shop)
+20. "LA FITNESS #567" -> LA Fitness (gym)
 
 Output format (JSON):
 {
@@ -131,8 +131,8 @@ class MerchantNormalizer:
     LLM-based merchant name normalizer with caching and fallback.
 
     Layer 2 of 4-layer hybrid architecture:
-    1. Check cache first (95% hit rate, 7-day TTL) → <1ms
-    2. Call LLM if cache miss → 200-400ms
+    1. Check cache first (95% hit rate, 7-day TTL) -> <1ms
+    2. Call LLM if cache miss -> 200-400ms
     3. Cache result for 7 days
     4. Return MerchantNormalized
 
@@ -145,7 +145,7 @@ class MerchantNormalizer:
     def __init__(
         self,
         provider: str = "google",
-        model_name: Optional[str] = None,
+        model_name: str | None = None,
         cache_ttl: int = 604800,  # 7 days
         enable_cache: bool = True,
         confidence_threshold: float = 0.8,
@@ -221,9 +221,9 @@ class MerchantNormalizer:
         Normalize merchant name using LLM with caching.
 
         Flow:
-        1. Check cache (95% hit rate) → <1ms
+        1. Check cache (95% hit rate) -> <1ms
         2. Check budget (daily/monthly caps)
-        3. Call LLM if cache miss → 200-400ms
+        3. Call LLM if cache miss -> 200-400ms
         4. Validate confidence threshold
         5. Cache result (7-day TTL)
         6. Return MerchantNormalized
@@ -284,7 +284,7 @@ class MerchantNormalizer:
             logger.error(f"LLM normalization failed for '{merchant_name}': {e}")
             return self._fallback_normalize(merchant_name, fallback_confidence)
 
-    async def _get_cached(self, merchant_name: str) -> Optional[MerchantNormalized]:
+    async def _get_cached(self, merchant_name: str) -> MerchantNormalized | None:
         """
         Get cached normalization result.
 
@@ -330,6 +330,7 @@ class MerchantNormalizer:
         Format: merchant_norm:{md5_hex}
         """
         normalized = merchant_name.lower().strip()
+        # Security: B324 skip justified - MD5 used for cache key generation only.
         hash_hex = hashlib.md5(normalized.encode()).hexdigest()
         return f"merchant_norm:{hash_hex}"
 
@@ -355,7 +356,7 @@ class MerchantNormalizer:
 
         # Extract structured output
         if hasattr(response, "structured") and response.structured:
-            return cast(MerchantNormalized, response.structured)
+            return cast("MerchantNormalized", response.structured)
         else:
             raise ValueError(f"LLM returned no structured output for '{merchant_name}'")
 
@@ -386,7 +387,7 @@ class MerchantNormalizer:
         # Remove special characters
         normalized = normalized.replace("*", " ").replace("#", " ").replace(".", " ")
 
-        # Remove store numbers (e.g., "starbucks 1234" → "starbucks")
+        # Remove store numbers (e.g., "starbucks 1234" -> "starbucks")
         import re
 
         normalized = re.sub(r"\b\d{3,}\b", "", normalized)

fin_infra/recurring/summary.py

@@ -33,14 +33,12 @@ Integration with svc-infra:
 
 from __future__ import annotations
 
-from typing import List, Dict, Optional
-from datetime import datetime
 from collections import defaultdict
+from datetime import datetime
 
-from pydantic import BaseModel, Field, ConfigDict
-
-from fin_infra.recurring.models import RecurringPattern, PatternType
+from pydantic import BaseModel, ConfigDict, Field
 
+from fin_infra.recurring.models import PatternType, RecurringPattern
 
 __all__ = [
     "RecurringItem",
@@ -121,16 +119,16 @@ class RecurringSummary(BaseModel):
     user_id: str = Field(..., description="User identifier")
     total_monthly_cost: float = Field(..., description="Total monthly recurring expenses")
     total_monthly_income: float = Field(0.0, description="Total monthly recurring income")
-    subscriptions: List[RecurringItem] = Field(
+    subscriptions: list[RecurringItem] = Field(
         default_factory=list, description="List of recurring expense items"
     )
-    recurring_income: List[RecurringItem] = Field(
+    recurring_income: list[RecurringItem] = Field(
         default_factory=list, description="List of recurring income items"
     )
-    by_category: Dict[str, float] = Field(
+    by_category: dict[str, float] = Field(
         default_factory=dict, description="Monthly cost grouped by category"
     )
-    cancellation_opportunities: List[CancellationOpportunity] = Field(
+    cancellation_opportunities: list[CancellationOpportunity] = Field(
         default_factory=list, description="Potential subscriptions to cancel"
     )
     generated_at: str = Field(
@@ -165,8 +163,8 @@ def _calculate_monthly_cost(amount: float, cadence: str) -> float:
 
 
 def _identify_cancellation_opportunities(
-    subscriptions: List[RecurringItem],
-) -> List[CancellationOpportunity]:
+    subscriptions: list[RecurringItem],
+) -> list[CancellationOpportunity]:
     """Identify potential cancellation opportunities from subscriptions.
 
     Looks for:
@@ -183,7 +181,7 @@ def _identify_cancellation_opportunities(
     opportunities = []
 
     # Group by category
-    by_category: Dict[str, List[RecurringItem]] = defaultdict(list)
+    by_category: dict[str, list[RecurringItem]] = defaultdict(list)
     for sub in subscriptions:
         by_category[sub.category].append(sub)
 
@@ -253,8 +251,8 @@ def _identify_cancellation_opportunities(
 
 def get_recurring_summary(
     user_id: str,
-    patterns: List[RecurringPattern],
-    category_map: Optional[Dict[str, str]] = None,
+    patterns: list[RecurringPattern],
+    category_map: dict[str, str] | None = None,
 ) -> RecurringSummary:
     """Generate a comprehensive recurring transaction summary for a user.
 
@@ -283,7 +281,7 @@ def get_recurring_summary(
     """
     subscriptions = []
     recurring_income = []
-    by_category: Dict[str, float] = defaultdict(float)
+    by_category: dict[str, float] = defaultdict(float)
 
     for pattern in patterns:
         # Determine amount (use fixed amount or average of range)

fin_infra/scaffold/budgets.py

@@ -19,10 +19,10 @@ Typical usage:
 from __future__ import annotations
 
 from pathlib import Path
-from typing import Any, Dict, List, Optional
+from typing import Any
 
 # Use svc-infra's scaffold utilities to avoid duplication
-from svc_infra.utils import render_template, write, ensure_init_py
+from svc_infra.utils import ensure_init_py, render_template, write
 
 
 def scaffold_budgets_core(
@@ -31,10 +31,10 @@ def scaffold_budgets_core(
     include_soft_delete: bool = False,
     with_repository: bool = True,
     overwrite: bool = False,
-    models_filename: Optional[str] = None,
-    schemas_filename: Optional[str] = None,
-    repository_filename: Optional[str] = None,
-) -> Dict[str, Any]:
+    models_filename: str | None = None,
+    schemas_filename: str | None = None,
+    repository_filename: str | None = None,
+) -> dict[str, Any]:
     """Generate budget persistence code from templates.
 
     Args:
@@ -72,7 +72,7 @@ def scaffold_budgets_core(
     subs = _generate_substitutions(include_tenant, include_soft_delete)
 
     # Track all file operations
-    files: List[Dict[str, Any]] = []
+    files: list[dict[str, Any]] = []
 
     # Render and write models
     models_content = render_template("fin_infra.budgets.scaffold_templates", "models.py.tmpl", subs)
@@ -114,7 +114,7 @@ def scaffold_budgets_core(
 def _generate_substitutions(
     include_tenant: bool,
     include_soft_delete: bool,
-) -> Dict[str, str]:
+) -> dict[str, str]:
     """Generate template variable substitutions for budgets.
 
     Args:
@@ -229,7 +229,7 @@ def _tenant_field_schema_read() -> str:
 def _generate_init_content(
     models_file: str,
     schemas_file: str,
-    repo_file: Optional[str],
+    repo_file: str | None,
 ) -> str:
     """Generate __init__.py content with re-exports.
 

fin_infra/scaffold/goals.py

@@ -17,19 +17,19 @@ Typical usage:
 """
 
 from pathlib import Path
-from typing import Any, Dict
+from typing import Any
 
 from svc_infra.utils import (
+    ensure_init_py,
     render_template,
     write,
-    ensure_init_py,
 )
 
 
 def _generate_substitutions(
     include_tenant: bool = False,
     include_soft_delete: bool = False,
-) -> Dict[str, str]:
+) -> dict[str, str]:
     """
     Generate template substitutions for goals domain.
 
@@ -49,7 +49,7 @@ def _generate_substitutions(
     Returns:
         Dict mapping variable names to their substitution values
     """
-    subs: Dict[str, str] = {
+    subs: dict[str, str] = {
         "Entity": "Goal",
         "entity": "goal",
         "table_name": "goals",
@@ -173,15 +173,15 @@ def scaffold_goals_core(
     models_filename: str = "goal.py",
     schemas_filename: str = "goal_schemas.py",
     repository_filename: str = "goal_repository.py",
-) -> Dict[str, Any]:
+) -> dict[str, Any]:
     """
     Scaffold goals domain files: models, schemas, repository (optional), and __init__.py.
 
     Generates production-ready code from templates in fin_infra.goals.scaffold_templates:
-    - models.py.tmpl → Goal model with progress tracking, status, priority, milestones
-    - schemas.py.tmpl → GoalBase, GoalCreate, GoalUpdate, GoalRead with status validation
-    - repository.py.tmpl → GoalRepository with CRUD + domain methods (get_active, update_progress)
-    - README.md → Complete usage guide with examples
+    - models.py.tmpl -> Goal model with progress tracking, status, priority, milestones
+    - schemas.py.tmpl -> GoalBase, GoalCreate, GoalUpdate, GoalRead with status validation
+    - repository.py.tmpl -> GoalRepository with CRUD + domain methods (get_active, update_progress)
+    - README.md -> Complete usage guide with examples
 
     Args:
         dest_dir: Destination directory (will be created if missing)

fin_infra/security/__init__.py

@@ -8,25 +8,25 @@ Provides:
 """
 
 from .add import add_financial_security, generate_encryption_key
-from .audit import log_pii_access, get_audit_logs, clear_audit_logs
+from .audit import clear_audit_logs, get_audit_logs, log_pii_access
 from .encryption import ProviderTokenEncryption
-from .models import ProviderTokenMetadata, PIIAccessLog
+from .models import PIIAccessLog, ProviderTokenMetadata
 from .pii_filter import FinancialPIIFilter
 from .pii_patterns import (
-    SSN_PATTERN,
     ACCOUNT_PATTERN,
-    ROUTING_PATTERN,
     CARD_PATTERN,
     CVV_PATTERN,
     EIN_PATTERN,
-    luhn_checksum,
+    ROUTING_PATTERN,
+    SSN_PATTERN,
     is_valid_routing_number,
+    luhn_checksum,
 )
 from .token_store import (
-    store_provider_token,
-    get_provider_token,
-    delete_provider_token,
     ProviderToken,
+    delete_provider_token,
+    get_provider_token,
+    store_provider_token,
 )
 
 __all__ = [

fin_infra/security/add.py

@@ -5,7 +5,6 @@ Easy integration of financial PII masking and token encryption.
 """
 
 import logging
-from typing import Optional
 
 from fastapi import FastAPI
 
@@ -15,7 +14,7 @@ from .pii_filter import FinancialPIIFilter
 
 def add_financial_security(
     app: FastAPI,
-    encryption_key: Optional[bytes] = None,
+    encryption_key: bytes | None = None,
     enable_pii_filter: bool = True,
     enable_audit_log: bool = True,
     mask_emails: bool = False,

fin_infra/security/audit.py

@@ -6,7 +6,6 @@ Track access to sensitive financial data for compliance.
 
 import logging
 from datetime import datetime
-from typing import Optional
 
 from .models import PIIAccessLog
 
@@ -23,10 +22,10 @@ async def log_pii_access(
     pii_type: str,
     action: str,
     resource: str,
-    ip_address: Optional[str] = None,
-    user_agent: Optional[str] = None,
+    ip_address: str | None = None,
+    user_agent: str | None = None,
     success: bool = True,
-    error_message: Optional[str] = None,
+    error_message: str | None = None,
 ) -> PIIAccessLog:
     """
     Log PII access for audit trail.
@@ -86,9 +85,9 @@ async def log_pii_access(
 
 
 def get_audit_logs(
-    user_id: Optional[str] = None,
-    pii_type: Optional[str] = None,
-    action: Optional[str] = None,
+    user_id: str | None = None,
+    pii_type: str | None = None,
+    action: str | None = None,
     limit: int = 100,
 ) -> list[PIIAccessLog]:
     """

fin_infra/security/encryption.py

@@ -7,7 +7,7 @@ Encrypt/decrypt financial provider API tokens at rest.
 import base64
 import json
 import os
-from typing import Any, Dict, Optional, cast
+from typing import Any, cast
 
 from cryptography.fernet import Fernet, InvalidToken
 
@@ -37,7 +37,7 @@ class ProviderTokenEncryption:
         >>> token = encryption.decrypt(encrypted, context={"user_id": "user123", "provider": "plaid"})
     """
 
-    def __init__(self, key: Optional[bytes] = None):
+    def __init__(self, key: bytes | None = None):
         """
         Initialize token encryption.
 
@@ -64,7 +64,7 @@ class ProviderTokenEncryption:
             raise ValueError(f"Invalid encryption key: {e}") from e
 
     def encrypt(
-        self, token: str, context: Optional[Dict[str, Any]] = None, key_id: Optional[str] = None
+        self, token: str, context: dict[str, Any] | None = None, key_id: str | None = None
     ) -> str:
         """
         Encrypt provider token with optional context.
@@ -104,7 +104,7 @@ class ProviderTokenEncryption:
     def decrypt(
         self,
         encrypted_token: str,
-        context: Optional[Dict[str, Any]] = None,
+        context: dict[str, Any] | None = None,
         verify_context: bool = True,
     ) -> str:
         """
@@ -144,7 +144,7 @@ class ProviderTokenEncryption:
                         "Token may have been tampered with or used for wrong user/provider."
                     )
 
-            return cast(str, data["token"])
+            return cast("str", data["token"])
 
         except InvalidToken as e:
             raise ValueError(
@@ -154,7 +154,7 @@ class ProviderTokenEncryption:
             raise ValueError(f"Decryption failed: {e}") from e
 
     def rotate_key(
-        self, encrypted_token: str, new_key: bytes, context: Optional[Dict[str, Any]] = None
+        self, encrypted_token: str, new_key: bytes, context: dict[str, Any] | None = None
     ) -> str:
         """
         Re-encrypt token with new key (for key rotation).

fin_infra/security/models.py

@@ -5,7 +5,7 @@ Pydantic models for security-related operations.
 """
 
 from datetime import datetime
-from typing import Optional
+
 from pydantic import BaseModel, Field
 
 
@@ -15,12 +15,12 @@ class ProviderTokenMetadata(BaseModel):
     user_id: str = Field(..., description="User ID who owns the token")
     provider: str = Field(..., description="Provider name (plaid, alpaca, alphavantage, etc.)")
     encrypted_token: str = Field(..., description="Encrypted token (base64-encoded)")
-    key_id: Optional[str] = Field(None, description="Key ID for key rotation")
+    key_id: str | None = Field(None, description="Key ID for key rotation")
     created_at: datetime = Field(
         default_factory=datetime.utcnow, description="Token creation timestamp"
     )
-    expires_at: Optional[datetime] = Field(None, description="Token expiration timestamp")
-    last_used_at: Optional[datetime] = Field(None, description="Last time token was used")
+    expires_at: datetime | None = Field(None, description="Token expiration timestamp")
+    last_used_at: datetime | None = Field(None, description="Last time token was used")
 
 
 class PIIAccessLog(BaseModel):
@@ -30,8 +30,8 @@ class PIIAccessLog(BaseModel):
     pii_type: str = Field(..., description="Type of PII (ssn, account, card, etc.)")
     action: str = Field(..., description="Action performed (read, write, delete)")
     resource: str = Field(..., description="Resource accessed (e.g., user:123, account:456)")
-    ip_address: Optional[str] = Field(None, description="IP address of requester")
-    user_agent: Optional[str] = Field(None, description="User agent string")
+    ip_address: str | None = Field(None, description="IP address of requester")
+    user_agent: str | None = Field(None, description="User agent string")
     timestamp: datetime = Field(default_factory=datetime.utcnow, description="Access timestamp")
     success: bool = Field(True, description="Whether access was successful")
-    error_message: Optional[str] = Field(None, description="Error message if failed")
+    error_message: str | None = Field(None, description="Error message if failed")