feat(exports): preserve transfer decisions (#1639)

* feat(exports): preserve transfer decisions

* fix(api): apply transfer date filters to both sides

* fix(api): refine transfer decision handling

* fix(api): align transfer decision schemas

* fix(api): use current context for transfer filters

* fix(api): include either side in transfer date filters

* fix(api): deduplicate transfer decision filters

* fix(api): guard transfer decision exports

spec/requests/api/v1/rejected_transfers_spec.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+require 'swagger_helper'
+
+RSpec.describe 'API V1 Rejected Transfers', type: :request do
+  let(:family) do
+    Family.create!(
+      name: 'API Family',
+      currency: 'USD',
+      locale: 'en',
+      date_format: '%m-%d-%Y'
+    )
+  end
+
+  let(:user) do
+    family.users.create!(
+      email: 'api-user@example.com',
+      password: 'password123',
+      password_confirmation: 'password123'
+    )
+  end
+
+  let(:api_key) do
+    key = ApiKey.generate_secure_key
+    ApiKey.create!(
+      user: user,
+      name: 'API Docs Key',
+      key: key,
+      scopes: %w[read_write],
+      source: 'web'
+    )
+  end
+
+  let(:api_key_without_read_scope) do
+    key = ApiKey.generate_secure_key
+    ApiKey.new(
+      user: user,
+      name: 'No Read Docs Key',
+      key: key,
+      scopes: [],
+      source: 'mobile'
+    ).tap { |api_key| api_key.save!(validate: false) }
+  end
+
+  let(:'X-Api-Key') { api_key.plain_key }
+  let(:checking) { family.accounts.create!(name: 'Checking', balance: 1000, currency: 'USD', accountable: Depository.create!) }
+  let(:savings) { family.accounts.create!(name: 'Savings', balance: 2500, currency: 'USD', accountable: Depository.create!) }
+  let!(:outflow_entry) do
+    checking.entries.create!(
+      date: Date.current,
+      amount: 100,
+      name: 'Rejected outflow',
+      currency: 'USD',
+      entryable: Transaction.new(kind: 'standard')
+    )
+  end
+  let!(:inflow_entry) do
+    savings.entries.create!(
+      date: Date.current,
+      amount: -100,
+      name: 'Rejected inflow',
+      currency: 'USD',
+      entryable: Transaction.new(kind: 'standard')
+    )
+  end
+  let!(:rejected_transfer) do
+    RejectedTransfer.create!(
+      outflow_transaction: outflow_entry.entryable,
+      inflow_transaction: inflow_entry.entryable
+    )
+  end
+
+  path '/api/v1/rejected_transfers' do
+    get 'List rejected transfers' do
+      tags 'Rejected Transfers'
+      security [ { apiKeyAuth: [] } ]
+      produces 'application/json'
+      parameter name: :page, in: :query, type: :integer, required: false,
+                description: 'Page number (default: 1)'
+      parameter name: :per_page, in: :query, type: :integer, required: false,
+                description: 'Items per page (default: 25, max: 100)'
+      parameter name: :account_id, in: :query, required: false,
+                schema: { type: :string, format: :uuid },
+                description: 'Filter rejected transfers involving this account'
+      parameter name: :start_date, in: :query, required: false,
+                schema: { type: :string, format: :date },
+                description: 'Filter rejected transfers from this date'
+      parameter name: :end_date, in: :query, required: false,
+                schema: { type: :string, format: :date },
+                description: 'Filter rejected transfers until this date'
+
+      response '200', 'rejected transfers listed' do
+        schema '$ref' => '#/components/schemas/RejectedTransferCollection'
+
+        run_test!
+      end
+
+      response '401', 'unauthorized' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { nil }
+
+        run_test!
+      end
+
+      response '403', 'insufficient scope' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { api_key_without_read_scope.plain_key }
+
+        run_test!
+      end
+
+      response '422', 'invalid filter' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:account_id) { 'not-a-uuid' }
+
+        run_test!
+      end
+    end
+  end
+
+  path '/api/v1/rejected_transfers/{id}' do
+    parameter name: :id, in: :path, type: :string, required: true, description: 'Rejected transfer ID'
+
+    get 'Retrieve a rejected transfer' do
+      tags 'Rejected Transfers'
+      security [ { apiKeyAuth: [] } ]
+      produces 'application/json'
+
+      let(:id) { rejected_transfer.id }
+
+      response '200', 'rejected transfer retrieved' do
+        schema '$ref' => '#/components/schemas/RejectedTransfer'
+
+        run_test!
+      end
+
+      response '401', 'unauthorized' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { nil }
+
+        run_test!
+      end
+
+      response '403', 'insufficient scope' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { api_key_without_read_scope.plain_key }
+
+        run_test!
+      end
+
+      response '404', 'rejected transfer not found' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:id) { SecureRandom.uuid }
+
+        run_test!
+      end
+    end
+  end
+end

spec/requests/api/v1/transfers_spec.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require 'swagger_helper'
+
+RSpec.describe 'API V1 Transfers', type: :request do
+  let(:family) do
+    Family.create!(
+      name: 'API Family',
+      currency: 'USD',
+      locale: 'en',
+      date_format: '%m-%d-%Y'
+    )
+  end
+
+  let(:user) do
+    family.users.create!(
+      email: 'api-user@example.com',
+      password: 'password123',
+      password_confirmation: 'password123'
+    )
+  end
+
+  let(:api_key) do
+    key = ApiKey.generate_secure_key
+    ApiKey.create!(
+      user: user,
+      name: 'API Docs Key',
+      key: key,
+      scopes: %w[read_write],
+      source: 'web'
+    )
+  end
+
+  let(:api_key_without_read_scope) do
+    key = ApiKey.generate_secure_key
+    ApiKey.new(
+      user: user,
+      name: 'No Read Docs Key',
+      key: key,
+      scopes: [],
+      source: 'mobile'
+    ).tap { |api_key| api_key.save!(validate: false) }
+  end
+
+  let(:'X-Api-Key') { api_key.plain_key }
+  let(:checking) { family.accounts.create!(name: 'Checking', balance: 1000, currency: 'USD', accountable: Depository.create!) }
+  let(:savings) { family.accounts.create!(name: 'Savings', balance: 2500, currency: 'USD', accountable: Depository.create!) }
+  let!(:outflow_entry) do
+    checking.entries.create!(
+      date: Date.current,
+      amount: 100,
+      name: 'Transfer to savings',
+      currency: 'USD',
+      entryable: Transaction.new(kind: 'funds_movement')
+    )
+  end
+  let!(:inflow_entry) do
+    savings.entries.create!(
+      date: Date.current,
+      amount: -100,
+      name: 'Transfer from checking',
+      currency: 'USD',
+      entryable: Transaction.new(kind: 'funds_movement')
+    )
+  end
+  let!(:transfer) do
+    Transfer.create!(
+      outflow_transaction: outflow_entry.entryable,
+      inflow_transaction: inflow_entry.entryable,
+      status: 'confirmed',
+      notes: 'Confirmed by user'
+    )
+  end
+
+  path '/api/v1/transfers' do
+    get 'List transfers' do
+      tags 'Transfers'
+      security [ { apiKeyAuth: [] } ]
+      produces 'application/json'
+      parameter name: :page, in: :query, type: :integer, required: false,
+                description: 'Page number (default: 1)'
+      parameter name: :per_page, in: :query, type: :integer, required: false,
+                description: 'Items per page (default: 25, max: 100)'
+      parameter name: :status, in: :query, required: false,
+                schema: { type: :string, enum: %w[pending confirmed] },
+                description: 'Filter by transfer status'
+      parameter name: :account_id, in: :query, required: false,
+                schema: { type: :string, format: :uuid },
+                description: 'Filter transfers involving this account'
+      parameter name: :start_date, in: :query, required: false,
+                schema: { type: :string, format: :date },
+                description: 'Filter transfers from this date'
+      parameter name: :end_date, in: :query, required: false,
+                schema: { type: :string, format: :date },
+                description: 'Filter transfers until this date'
+
+      response '200', 'transfers listed' do
+        schema '$ref' => '#/components/schemas/TransferDecisionCollection'
+
+        run_test!
+      end
+
+      response '401', 'unauthorized' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { nil }
+
+        run_test!
+      end
+
+      response '403', 'insufficient scope' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { api_key_without_read_scope.plain_key }
+
+        run_test!
+      end
+
+      response '422', 'invalid filter' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:status) { 'settled' }
+
+        run_test!
+      end
+    end
+  end
+
+  path '/api/v1/transfers/{id}' do
+    parameter name: :id, in: :path, type: :string, required: true, description: 'Transfer ID'
+
+    get 'Retrieve a transfer' do
+      tags 'Transfers'
+      security [ { apiKeyAuth: [] } ]
+      produces 'application/json'
+
+      let(:id) { transfer.id }
+
+      response '200', 'transfer retrieved' do
+        schema '$ref' => '#/components/schemas/TransferDecision'
+
+        run_test!
+      end
+
+      response '401', 'unauthorized' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { nil }
+
+        run_test!
+      end
+
+      response '403', 'insufficient scope' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:'X-Api-Key') { api_key_without_read_scope.plain_key }
+
+        run_test!
+      end
+
+      response '404', 'transfer not found' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+
+        let(:id) { SecureRandom.uuid }
+
+        run_test!
+      end
+    end
+  end
+end