Merge branch 'main' into feature/llm-cache-reset

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>

app/models/api_key.rb

@@ -1,8 +1,12 @@
 class ApiKey < ApplicationRecord
+  include Encryptable
+
   belongs_to :user
 
-  # Use Rails built-in encryption for secure storage
-  encrypts :display_key, deterministic: true
+  # Encrypt display_key if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :display_key, deterministic: true
+  end
 
   # Constants
   SOURCES = [ "web", "mobile" ].freeze

app/models/concerns/encryptable.rb

@@ -0,0 +1,16 @@
+module Encryptable
+  extend ActiveSupport::Concern
+
+  class_methods do
+    # Helper to detect if ActiveRecord Encryption is configured for this app.
+    # This allows encryption to be optional - if not configured, sensitive fields
+    # are stored in plaintext (useful for development or legacy deployments).
+    def encryption_ready?
+      creds_ready = Rails.application.credentials.active_record_encryption.present?
+      env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
+                  ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
+                  ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
+      creds_ready || env_ready
+    end
+  end
+end

app/models/enable_banking_account.rb

@@ -1,5 +1,11 @@
 class EnableBankingAccount < ApplicationRecord
-  include CurrencyNormalizable
+  include CurrencyNormalizable, Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+  end
 
   belongs_to :enable_banking_item
 

app/models/enable_banking_item.rb

@@ -1,21 +1,14 @@
 class EnableBankingItem < ApplicationRecord
-  include Syncable, Provided, Unlinking
+  include Syncable, Provided, Unlinking, Encryptable
 
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :client_certificate, deterministic: true
     encrypts :session_id, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/entry.rb

@@ -265,6 +265,50 @@ class Entry < ApplicationRecord
     update!(user_modified: true)
   end
 
+  # Returns the reason this entry is protected from sync, or nil if not protected.
+  # Priority: excluded > user_modified > import_locked
+  #
+  # @return [Symbol, nil] :excluded, :user_modified, :import_locked, or nil
+  def protection_reason
+    return :excluded if excluded?
+    return :user_modified if user_modified?
+    return :import_locked if import_locked?
+    nil
+  end
+
+  # Returns array of field names that are locked on entry and entryable.
+  #
+  # @return [Array<String>] locked field names
+  def locked_field_names
+    entry_keys = locked_attributes&.keys || []
+    entryable_keys = entryable&.locked_attributes&.keys || []
+    (entry_keys + entryable_keys).uniq
+  end
+
+  # Returns hash of locked field names to their lock timestamps.
+  # Combines locked_attributes from both entry and entryable.
+  # Parses ISO8601 timestamps stored in locked_attributes.
+  #
+  # @return [Hash{String => Time}] field name to lock timestamp
+  def locked_fields_with_timestamps
+    combined = (locked_attributes || {}).merge(entryable&.locked_attributes || {})
+    combined.transform_values do |timestamp|
+      Time.zone.parse(timestamp.to_s) rescue timestamp
+    end
+  end
+
+  # Clears protection flags so provider sync can update this entry again.
+  # Clears user_modified, import_locked flags, and all locked_attributes
+  # on both the entry and its entryable.
+  #
+  # @return [void]
+  def unlock_for_sync!
+    self.class.transaction do
+      update!(user_modified: false, import_locked: false, locked_attributes: {})
+      entryable&.update!(locked_attributes: {})
+    end
+  end
+
   class << self
     def search(params)
       EntrySearch.new(params).build_query(all)

app/models/family/subscribeable.rb

@@ -53,6 +53,10 @@ module Family::Subscribeable
     subscription&.current_period_ends_at
   end
 
+  def subscription_pending_cancellation?
+    subscription&.pending_cancellation?
+  end
+
   def start_subscription!(stripe_subscription_id)
     if subscription.present?
       subscription.update!(status: "active", stripe_id: stripe_subscription_id)

app/models/import.rb

@@ -40,6 +40,7 @@ class Import < ApplicationRecord
   validates :col_sep, inclusion: { in: SEPARATORS.map(&:last) }
   validates :signage_convention, inclusion: { in: SIGNAGE_CONVENTIONS }, allow_nil: true
   validates :number_format, presence: true, inclusion: { in: NUMBER_FORMATS.keys }
+  validate :custom_column_import_requires_identifier
   validates :rows_to_skip, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
   validate :account_belongs_to_family
   validate :rows_to_skip_within_file_bounds
@@ -305,6 +306,14 @@ class Import < ApplicationRecord
       self.number_format ||= "1,234.56" # Default to US/UK format
     end
 
+    def custom_column_import_requires_identifier
+      return unless amount_type_strategy == "custom_column"
+
+      if amount_type_inflow_value.blank?
+        errors.add(:base, I18n.t("imports.errors.custom_column_requires_inflow"))
+      end
+    end
+
     # Common encodings to try when UTF-8 detection fails
     # Windows-1250 is prioritized for Central/Eastern European languages
     COMMON_ENCODINGS = [ "Windows-1250", "Windows-1252", "ISO-8859-1", "ISO-8859-2" ].freeze

app/models/import/row.rb

@@ -47,12 +47,27 @@ class Import::Row < ApplicationRecord
       if import.amount_type_strategy == "signed_amount"
         value * (import.signage_convention == "inflows_positive" ? -1 : 1)
       elsif import.amount_type_strategy == "custom_column"
-        inflow_value = import.amount_type_inflow_value
+        legacy_identifier = import.amount_type_inflow_value
+        selected_identifier =
+          if import.amount_type_identifier_value.present?
+            import.amount_type_identifier_value
+          else
+            legacy_identifier
+          end
 
-        if entity_type == inflow_value
-          value * -1
+        inflow_treatment =
+          if import.amount_type_inflow_value.in?(%w[inflows_positive inflows_negative])
+            import.amount_type_inflow_value
+          elsif import.signage_convention.in?(%w[inflows_positive inflows_negative])
+            import.signage_convention
+          else
+            "inflows_positive"
+          end
+
+        if entity_type == selected_identifier
+          value * (inflow_treatment == "inflows_positive" ? -1 : 1)
         else
-          value
+          value * (inflow_treatment == "inflows_positive" ? 1 : -1)
         end
       else
         raise "Unknown amount type strategy for import: #{import.amount_type_strategy}"

app/models/invitation.rb

@@ -1,7 +1,15 @@
 class Invitation < ApplicationRecord
+  include Encryptable
+
   belongs_to :family
   belongs_to :inviter, class_name: "User"
 
+  # Encrypt sensitive fields if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :token, deterministic: true
+    encrypts :email, deterministic: true, downcase: true
+  end
+
   validates :email, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP }
   validates :role, presence: true, inclusion: { in: %w[admin member] }
   validates :token, presence: true, uniqueness: true

app/models/invite_code.rb

@@ -1,4 +1,11 @@
 class InviteCode < ApplicationRecord
+  include Encryptable
+
+  # Encrypt token if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :token, deterministic: true, downcase: true
+  end
+
   before_validation :generate_token, on: :create
 
   class << self

app/models/lunchflow_account.rb

@@ -1,5 +1,11 @@
 class LunchflowAccount < ApplicationRecord
-  include CurrencyNormalizable
+  include CurrencyNormalizable, Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+  end
 
   belongs_to :lunchflow_item
 

app/models/lunchflow_item.rb

@@ -1,20 +1,13 @@
 class LunchflowItem < ApplicationRecord
-  include Syncable, Provided, Unlinking
+  include Syncable, Provided, Unlinking, Encryptable
 
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured (credentials OR env vars)
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :api_key, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/mobile_device.rb

@@ -1,4 +1,11 @@
 class MobileDevice < ApplicationRecord
+  include Encryptable
+
+  # Encrypt device_id if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :device_id, deterministic: true
+  end
+
   belongs_to :user
   belongs_to :oauth_application, class_name: "Doorkeeper::Application", optional: true
 

app/models/plaid_account.rb

@@ -1,4 +1,15 @@
 class PlaidAccount < ApplicationRecord
+  include Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+    # Support reading data encrypted under the old column name after rename
+    encrypts :raw_holdings_payload, previous: { attribute: :raw_investments_payload }
+    encrypts :raw_liabilities_payload
+  end
+
   belongs_to :plaid_item
 
   # Legacy association via foreign key (will be removed after migration)
@@ -38,9 +49,9 @@ class PlaidAccount < ApplicationRecord
     save!
   end
 
-  def upsert_plaid_investments_snapshot!(investments_snapshot)
+  def upsert_plaid_holdings_snapshot!(holdings_snapshot)
     assign_attributes(
-      raw_investments_payload: investments_snapshot
+      raw_holdings_payload: holdings_snapshot
     )
 
     save!

app/models/plaid_account/importer.rb

@@ -23,7 +23,7 @@ class PlaidAccount::Importer
     end
 
     def import_investments
-      plaid_account.upsert_plaid_investments_snapshot!(account_snapshot.investments_data)
+      plaid_account.upsert_plaid_holdings_snapshot!(account_snapshot.investments_data)
     end
 
     def import_liabilities

app/models/plaid_account/investments/balance_calculator.rb

@@ -44,7 +44,7 @@ class PlaidAccount::Investments::BalanceCalculator
     attr_reader :plaid_account, :security_resolver
 
     def holdings
-      plaid_account.raw_investments_payload["holdings"] || []
+      plaid_account.raw_holdings_payload&.dig("holdings") || []
     end
 
     def calculate_investment_brokerage_cash

app/models/plaid_account/investments/holdings_processor.rb

@@ -51,7 +51,7 @@ class PlaidAccount::Investments::HoldingsProcessor
     end
 
     def holdings
-      plaid_account.raw_investments_payload&.[]("holdings") || []
+      plaid_account.raw_holdings_payload&.[]("holdings") || []
     end
 
     def parse_decimal(value)

app/models/plaid_account/investments/security_resolver.rb

@@ -43,7 +43,7 @@ class PlaidAccount::Investments::SecurityResolver
     Response = Struct.new(:security, :cash_equivalent?, :brokerage_cash?, keyword_init: true)
 
     def securities
-      plaid_account.raw_investments_payload["securities"] || []
+      plaid_account.raw_holdings_payload&.dig("securities") || []
     end
 
     # Tries to find security, or returns the "proxy security" (common with options contracts that have underlying securities)

app/models/plaid_account/investments/transactions_processor.rb

@@ -98,7 +98,7 @@ class PlaidAccount::Investments::TransactionsProcessor
     end
 
     def transactions
-      plaid_account.raw_investments_payload["transactions"] || []
+      plaid_account.raw_holdings_payload&.dig("transactions") || []
     end
 
     # Plaid unfortunately returns incorrect signage on some `quantity` values. They claim all "sell" transactions

app/models/plaid_item.rb

@@ -1,21 +1,14 @@
 class PlaidItem < ApplicationRecord
-  include Syncable, Provided
+  include Syncable, Provided, Encryptable
 
   enum :plaid_region, { us: "us", eu: "eu" }
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured (credentials OR env vars)
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :access_token, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/plaid_item/syncer.rb

@@ -61,7 +61,7 @@ class PlaidItem::Syncer
 
     def count_holdings(plaid_accounts)
       plaid_accounts.sum do |pa|
-        Array(pa.raw_investments_payload).size
+        pa.raw_holdings_payload&.dig("holdings")&.size || 0
       end
     end
 end

app/models/provider/stripe/subscription_event_processor.rb

@@ -10,7 +10,8 @@ class Provider::Stripe::SubscriptionEventProcessor < Provider::Stripe::EventProc
       interval: subscription_details.plan.interval,
       amount: subscription_details.plan.amount / 100.0, # Stripe returns cents, we report dollars
       currency: subscription_details.plan.currency.upcase,
-      current_period_ends_at: Time.at(subscription_details.current_period_end)
+      current_period_ends_at: Time.at(subscription_details.current_period_end),
+      cancel_at_period_end: subscription.cancel_at_period_end
     )
   end
 

app/models/rule/condition_filter/transaction_type.rb

@@ -0,0 +1,42 @@
+class Rule::ConditionFilter::TransactionType < Rule::ConditionFilter
+  # Transfer kinds matching Transaction#transfer? method
+  TRANSFER_KINDS = %w[funds_movement cc_payment loan_payment].freeze
+
+  def type
+    "select"
+  end
+
+  def options
+    [
+      [ I18n.t("rules.condition_filters.transaction_type.income"), "income" ],
+      [ I18n.t("rules.condition_filters.transaction_type.expense"), "expense" ],
+      [ I18n.t("rules.condition_filters.transaction_type.transfer"), "transfer" ]
+    ]
+  end
+
+  def operators
+    [ [ I18n.t("rules.condition_filters.transaction_type.equal_to"), "=" ] ]
+  end
+
+  def prepare(scope)
+    scope.with_entry
+  end
+
+  def apply(scope, operator, value)
+    # Logic matches Transaction::Search#apply_type_filter for consistency
+    case value
+    when "income"
+      # Negative amounts, excluding transfers and investment_contribution
+      scope.where("entries.amount < 0")
+           .where.not(kind: TRANSFER_KINDS + %w[investment_contribution])
+    when "expense"
+      # Positive amounts OR investment_contribution (regardless of sign), excluding transfers
+      scope.where("entries.amount >= 0 OR transactions.kind = 'investment_contribution'")
+           .where.not(kind: TRANSFER_KINDS)
+    when "transfer"
+      scope.where(kind: TRANSFER_KINDS)
+    else
+      scope
+    end
+  end
+end

app/models/rule/registry/transaction_resource.rb

@@ -7,6 +7,7 @@ class Rule::Registry::TransactionResource < Rule::Registry
     [
       Rule::ConditionFilter::TransactionName.new(rule),
       Rule::ConditionFilter::TransactionAmount.new(rule),
+      Rule::ConditionFilter::TransactionType.new(rule),
       Rule::ConditionFilter::TransactionMerchant.new(rule),
       Rule::ConditionFilter::TransactionCategory.new(rule),
       Rule::ConditionFilter::TransactionDetails.new(rule),

app/models/session.rb

@@ -1,14 +1,18 @@
 class Session < ApplicationRecord
+  include Encryptable
+
+  # Encrypt user_agent if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :user_agent
+  end
+
   belongs_to :user
   belongs_to :active_impersonator_session,
     -> { where(status: :in_progress) },
     class_name: "ImpersonationSession",
     optional: true
 
-  before_create do
-    self.user_agent = Current.user_agent
-    self.ip_address = Current.ip_address
-  end
+  before_create :capture_session_info
 
   def get_preferred_tab(tab_key)
     data.dig("tab_preferences", tab_key)
@@ -19,4 +23,13 @@ class Session < ApplicationRecord
     data["tab_preferences"][tab_key] = tab_value
     save!
   end
+
+  private
+
+    def capture_session_info
+      self.user_agent = Current.user_agent
+      raw_ip = Current.ip_address
+      self.ip_address = raw_ip
+      self.ip_address_digest = Digest::SHA256.hexdigest(raw_ip.to_s) if raw_ip.present?
+    end
 end

app/models/simplefin_account.rb

@@ -1,4 +1,13 @@
 class SimplefinAccount < ApplicationRecord
+  include Encryptable
+
+  # Encrypt raw payloads if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :raw_payload
+    encrypts :raw_transactions_payload
+    encrypts :raw_holdings_payload
+  end
+
   belongs_to :simplefin_item
 
   # Legacy association via foreign key (will be removed after migration)

app/models/simplefin_item.rb

@@ -1,5 +1,5 @@
 class SimplefinItem < ApplicationRecord
-  include Syncable, Provided
+  include Syncable, Provided, Encryptable
   include SimplefinItem::Unlinking
 
   enum :status, { good: "good", requires_update: "requires_update" }, default: :good
@@ -7,18 +7,11 @@ class SimplefinItem < ApplicationRecord
   # Virtual attribute for the setup token form field
   attr_accessor :setup_token
 
-  # Helper to detect if ActiveRecord Encryption is configured for this app
-  def self.encryption_ready?
-    creds_ready = Rails.application.credentials.active_record_encryption.present?
-    env_ready = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"].present? &&
-                ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"].present?
-    creds_ready || env_ready
-  end
-
-  # Encrypt sensitive credentials if ActiveRecord encryption is configured (credentials OR env vars)
+  # Encrypt sensitive credentials and raw payloads if ActiveRecord encryption is configured
   if encryption_ready?
     encrypts :access_url, deterministic: true
+    encrypts :raw_payload
+    encrypts :raw_institution_payload
   end
 
   validates :name, presence: true

app/models/sso_provider.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
 class SsoProvider < ApplicationRecord
-  # Encrypt sensitive credentials using Rails 7.2 built-in encryption
-  encrypts :client_secret, deterministic: false
+  include Encryptable
+
+  # Encrypt sensitive credentials if ActiveRecord encryption is configured
+  if encryption_ready?
+    encrypts :client_secret, deterministic: false
+  end
 
   # Default enabled to true for new providers
   attribute :enabled, :boolean, default: true

app/models/subscription.rb

@@ -35,4 +35,8 @@ class Subscription < ApplicationRecord
       "Open demo"
     end
   end
+
+  def pending_cancellation?
+    active? && cancel_at_period_end?
+  end
 end

app/models/user.rb

@@ -1,8 +1,27 @@
 class User < ApplicationRecord
+  include Encryptable
+
   # Allow nil password for SSO-only users (JIT provisioning).
   # Custom validation ensures password is present for non-SSO registration.
   has_secure_password validations: false
 
+  # Encrypt sensitive fields if ActiveRecord encryption is configured
+  if encryption_ready?
+    # MFA secrets
+    encrypts :otp_secret, deterministic: true
+    # Note: otp_backup_codes is a PostgreSQL array column which doesn't support
+    # AR encryption. To encrypt it, a migration would be needed to change the
+    # column type from array to text/jsonb.
+
+    # PII - emails (deterministic for lookups, downcase for case-insensitive)
+    encrypts :email, deterministic: true, downcase: true
+    encrypts :unconfirmed_email, deterministic: true, downcase: true
+
+    # PII - names (non-deterministic for maximum security)
+    encrypts :first_name
+    encrypts :last_name
+  end
+
   belongs_to :family
   belongs_to :last_viewed_chat, class_name: "Chat", optional: true
   has_many :sessions, dependent: :destroy
@@ -20,6 +39,7 @@ class User < ApplicationRecord
   validate :ensure_valid_profile_image
   validates :default_period, inclusion: { in: Period::PERIODS.keys }
   validates :default_account_order, inclusion: { in: AccountOrder::ORDERS.keys }
+  validates :locale, inclusion: { in: I18n.available_locales.map(&:to_s) }, allow_nil: true
 
   # Password is required on create unless the user is being created via SSO JIT.
   # SSO JIT users have password_digest = nil and authenticate via OIDC only.
@@ -332,7 +352,7 @@ class User < ApplicationRecord
       if (index = otp_backup_codes.index(code))
         remaining_codes = otp_backup_codes.dup
         remaining_codes.delete_at(index)
-        update_column(:otp_backup_codes, remaining_codes)
+        update!(otp_backup_codes: remaining_codes)
         true
       else
         false